1. Installing docker-compose
Note: Harbor's components are started and managed with docker-compose, so install docker-compose first.
Reference (official docs): http://www.widuu.com/docker/compose/install.html
curl -L https://github.com/docker/compose/releases/download/1.16.1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose --version
2. Installing OpenLDAP
Note: if Harbor is to use LDAP for unified authentication, an LDAP server has to be set up beforehand.
Reference: https://github.com/osixia/docker-openldap
docker run -p 389:389 --env LDAP_ORGANISATION="My Company" --env LDAP_DOMAIN="cmss.com" --env LDAP_ADMIN_PASSWORD="123456" --env LDAP_CONFIG_PASSWORD="123456" --detach osixia/openldap:1.1.8
3. Installing Harbor
Reference (official docs): https://github.com/vmware/harbor/blob/master/docs/installation_guide.md
Offline installation (recommended):
Get the package:
http://harbor.orientsoft.cn/harbor-v1.4.0/harbor-offline-installer-v1.4.0.tgz
tar -zxvf harbor-offline-installer-v1.4.0.tgz
Edit the harbor.cfg configuration file
cd harbor
vim harbor.cfg
LDAP authentication mode:
hostname = dcos1
db_password = 123456
clair_db_password = 123456
harbor_admin_password = 123456
auth_mode = ldap_auth
ldap_url = ldap://dcos1:389
ldap_searchdn = cn=admin,dc=tele,dc=com
ldap_search_pwd = 123456
ldap_basedn = dc=tele,dc=com
ldap_uid = cn
ldap_scope = 3
ldap_timeout = 5
secretkey_path = /dcos/harbor/adminserver/data
DB authentication mode:
hostname = dcos1
db_password = 123456
clair_db_password = 123456
harbor_admin_password = 123456
auth_mode = db_auth
secretkey_path = /dcos/harbor/adminserver/data
Notes:
- secretkey_path must match the corresponding setting in docker-compose.yml; otherwise adminserver fails to start with the error "harbor failed to initialize the system: read /etc/adminserver/key: is a directory"
Edit the docker-compose.yml configuration file:
vim docker-compose.yml
log:
  volumes:
    - /dcos/harbor/log/harbor/:/var/log/docker/:z
registry:
  volumes:
    - /dcos/harbor/registry:/storage:z
mysql:
  volumes:
    - /dcos/harbor/database:/var/lib/mysql:z
adminserver:
  volumes:
    - /dcos/harbor/adminserver/data/config/:/etc/adminserver/config/:z
    - /dcos/harbor/adminserver/data/secretkey:/etc/adminserver/key:z
    - /dcos/harbor/adminserver/data/:/data/:z
ui:
  volumes:
    - /dcos/harbor/ui/secretkey:/etc/ui/key:z
    - /dcos/harbor/ui/ca_download/:/etc/ui/ca/:z
    - /dcos/harbor/ui/psc/:/etc/ui/token/:z
jobservice:
  volumes:
    - /dcos/harbor/jobservice/job_logs:/var/log/jobs:z
    - /dcos/harbor/jobservice/data/secretkey:/etc/jobservice/key:z
Notes:
- The mount /dcos/harbor/adminserver/data/secretkey:/etc/adminserver/key:z must match the secretkey_path set in harbor.cfg; otherwise adminserver fails to start with the error "harbor failed to initialize the system: read /etc/adminserver/key: is a directory"
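The two notes above (harbor.cfg and docker-compose.yml) describe the same consistency requirement, so here is an added shell check, not part of the original guide, that verifies it before ./install.sh is run. It assumes that ./prepare writes the key to <secretkey_path>/secretkey and that the compose file must bind exactly that file onto /etc/adminserver/key; the sample harbor.cfg and compose fragments it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original guide: cross-check the secretkey_path in
# harbor.cfg against the adminserver key bind mount in docker-compose.yml.
# Assumption (matching the notes above): prepare writes the key to
# <secretkey_path>/secretkey, and docker-compose must bind exactly that file onto
# /etc/adminserver/key; a directory at the source path gives "is a directory".

# check_secretkey_mount <harbor.cfg> <docker-compose.yml>: returns 0 if consistent.
check_secretkey_mount() {
  cfg="$1"; compose="$2"
  # "secretkey_path = /dcos/harbor/adminserver/data" -> "/dcos/harbor/adminserver/data"
  keydir=$(sed -n 's/^[[:space:]]*secretkey_path[[:space:]]*=[[:space:]]*//p' "$cfg" | head -n 1)
  # "- /host/file:/etc/adminserver/key:z" -> "/host/file"
  src=$(sed -n 's#^[[:space:]]*-[[:space:]]*\([^:]*\):/etc/adminserver/key.*$#\1#p' "$compose" | head -n 1)
  [ -n "$keydir" ] || { echo "FAIL: no secretkey_path in $cfg"; return 1; }
  [ -n "$src" ]    || { echo "FAIL: no /etc/adminserver/key mount in $compose"; return 1; }
  expected="${keydir%/}/secretkey"
  if [ "$src" != "$expected" ]; then
    echo "FAIL: compose mounts $src but harbor.cfg implies $expected"; return 1
  fi
  # Only meaningful on the real host after ./prepare has run.
  if [ -d "$src" ]; then
    echo "FAIL: $src is a directory (Docker creates one when the bind source is missing)"; return 1
  fi
  echo "OK: $src"
}

# make_samples <dir>: writes a constructed harbor.cfg and two compose fragments.
make_samples() {
  printf 'hostname = dcos1\nauth_mode = db_auth\nsecretkey_path = /dcos/harbor/adminserver/data\n' \
    > "$1/harbor.cfg"
  printf 'adminserver:\n  volumes:\n    - /dcos/harbor/adminserver/data/secretkey:/etc/adminserver/key:z\n' \
    > "$1/compose-ok.yml"
  printf 'adminserver:\n  volumes:\n    - /dcos/harbor/secretkey:/etc/adminserver/key:z\n' \
    > "$1/compose-bad.yml"
}

# Stand-alone demo: the first call passes, the second reports the mismatch.
dir=$(mktemp -d)
make_samples "$dir"
check_secretkey_mount "$dir/harbor.cfg" "$dir/compose-ok.yml"
check_secretkey_mount "$dir/harbor.cfg" "$dir/compose-bad.yml" || true
```

On a real host run it as check_secretkey_mount harbor/harbor.cfg harbor/docker-compose.yml after ./prepare, so that the directory check also applies.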
Edit the docker-compose.clair.yml configuration file (only if the image scanning feature is needed):
postgres:
  volumes:
    - /dcos/harbor/clair/clair-db:/var/lib/postgresql/data
Run the prepare script:
./prepare, or ./prepare --with-clair (to enable image scanning); this generates the runtime configuration under common/
Start Harbor:
./install.sh, or ./install.sh --with-clair (to enable image scanning)
Problems encountered:
If the image scanning feature is used and the clair container is deployed on a node that is also a k8s node, two problems arise:
- The Docker daemon on the k8s nodes is started with iptables=false, so that Docker no longer touches iptables and only kube-proxy, calico and the like manage it. A container started on an ordinary bridge (such as docker0) therefore has neither calico nor kube-proxy to set up its network and iptables rules, so it cannot reach the outside network from inside the container, and clair cannot connect to the external CVE database. A similar issue on GitHub: https://github.com/kubernetes-incubator/kubespray/issues/1812
- In a k8s cluster deployed with kargo, the Docker daemon start-up parameters include docker-dns.conf, with the following content:
[Service]
Environment="DOCKER_DNS_OPTIONS=\
--dns 10.233.0.2 --dns 114.114.114.114 --dns 8.8.8.8 \
--dns-search default.svc.cluster.local --dns-search svc.cluster.local \
--dns-opt ndots:2 --dns-opt timeout:2 --dns-opt attempts:2 \
The last two lines cause search suffixes such as default.svc.cluster.local to be appended automatically to the names being looked up, so external domain names fail to resolve. These two lines have to be removed.
Stop Harbor:
docker-compose down
or
docker-compose -f ./docker-compose.yml -f ./docker-compose.clair.yml down (when image scanning is enabled)