Building a Harbor image registry on CentOS (detailed walkthrough with screenshots)

Note: Before building the Harbor image registry, docker and docker-compose must already be installed on the virtual machine.

The following commands in this article are run as root.

1. Download the Harbor installation package

  • To download directly, use the following command:
    wget https://github.com/goharbor/harbor/releases/download/v2.8.2/harbor-offline-installer-v2.8.2.tgz
    
    If you run the above command directly inside the virtual machine, the download will be very slow, so the package is downloaded on an external host and brought into the virtual machine through a shared folder.

2. Unzip

  • Enter the following command to decompress:
    tar -xvf harbor-offline-installer-v2.8.2.tgz
    

  • Create a new directory and move the files in the harbor directory into it. Enter the following commands in sequence:

    mkdir /opt/harbor
    mv harbor/* /opt/harbor
    cd /opt/harbor
    

3. Modify the configuration file

  • Make a copy of the Harbor configuration file template and name it harbor.yml. Enter the following command:

    cp -ar harbor.yml.tmpl harbor.yml
    
  • Open the configuration file with the following command:

    vim harbor.yml
    

  • Modify hostname and port:

    hostname: 192.168.138.130 # change this to the virtual machine's IP
    port: 85 # exposed port
    # comment out the https-related section, starting at line 13
    

4. Install Harbor

  • After editing the configuration file, install Harbor from the harbor directory.

  • Prepare the Harbor installation environment with the following command:

    ./prepare
    

  • To install and start Harbor, enter the following command:

    ./install.sh
    

[Screenshot: install.sh output]

As shown in the figure above, the installation and startup are successful!

  • Check whether the installation is successful (it should start 9 containers). Enter the following command:

    docker-compose ps
    

5. Modify the docker configuration

  • Open the configuration file with the following command:

    vim /etc/docker/daemon.json
    
  • Add the following content to the configuration file (this adds the Alibaba Cloud registry mirror address):

    {
      "registry-mirrors": ["https://ov31ob13.mirror.aliyuncs.com"]
    }
    
  • Restart the docker and harbor containers, and enter the following commands in sequence:

    systemctl restart docker
    docker-compose stop
    docker-compose up -d
    

6. docker login method

  • Enter the following command to log in:

    docker login 192.168.138.130:85
    

    Then enter the username (admin) and password (Harbor12345).

  • Or just enter the following command to log in:

    docker login -u admin -p Harbor12345 192.168.138.130:85
    

7. Access the Harbor Web Interface

  • Enter the following address in your browser:

    http://192.168.138.130:85
    
  • Enter the username and password, both of which are default values:

    Username: admin
    Password: Harbor12345
    

At this point, the Harbor (http) image registry on CentOS7 is complete!

Next, build the Harbor (https) image registry on top of the steps above.

8. Create a certificate

  • Create a certificate storage directory under the working directory, and enter the following commands in sequence:

    mkdir ssl
    cd ssl
    

    When configuring Harbor for https access, all operations are performed in the newly created ssl directory.

  • Enter the following command in the ssl directory:

    openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
    

    Note: After entering this command, press Enter 5 times until the Common Name prompt appears (because this is a CA, you do not need to enter an IP or domain name), then enter: Harbor Cert Root CA Harbor, which is a custom name.

The following is an explanation of the command: This command is used to generate a self-signed root certificate (Root Certificate) using OpenSSL.

  • openssl: Indicates to use the OpenSSL command.
  • req: Indicates that a certificate signing request (Certificate Signing Request) is generated.
  • -newkey rsa:4096: Specifies to generate a new RSA private key, and the key length is 4096 bits.
  • -nodes: Specifies not to encrypt the private key when generating it, so that the private key can be used later without a password.
  • -sha256: Generate a digest of the certificate using the SHA256 algorithm.
  • -keyout ca.key: Specify to save the generated private key as ca.key file.
  • -x509: Generate a self-signed root certificate.
  • -days 3650: Specifies that the validity period of the generated root certificate is 3650 days (10 years).
  • -out ca.crt: Specifies to save the generated root certificate as a ca.crt file.

After executing this command, you will get a private key file named ca.key and a self-signed root certificate file named ca.crt. This root certificate can be used to sign other certificates to establish your own certificate authority (CA) to issue more certificates.

9. Generate certificate

  • Generate a certificate signing request. Enter the following command in the ssl directory:

    openssl req -newkey rsa:4096 -nodes -sha256 -keyout harbor.key -out harbor.csr
    

    Note: After entering this command, press Enter all the way 5 times and Common Name appears. Enter the IP or domain name, here is: 192.168.138.130.

[Screenshot: openssl req prompts]

As shown in the figure above, the following are the interactive prompts that may be encountered and their corresponding explanations:

  • Country Name (2 letter code) [XX]:: Enter the two-letter country code of your country, such as "CN" for China or "US" for the United States.
  • State or Province Name (full name) []:: Enter the full name of your province or state.
  • Locality Name (eg, city) [Default City]:: Enter the name of your city.
  • Organization Name (eg, company) [Default Company Ltd]:: Enter the name of your organization or company.
  • Organizational Unit Name (eg, section) []:: Enter the department name of your organization or company, which can be left blank.
  • Common Name (eg, your name or your server's hostname) []:: Enter your or your server's hostname. If you are generating a certificate signing request, you can use a descriptive name, or use your server's domain name if available.
  • Email Address []:: Enter the email address associated with the certificate, which can be left blank.
  • A challenge password []:: Leave it blank, just press the Enter key to continue.
  • An optional company name []:: Can be left blank, just press the Enter key to continue.
  • Create a new file. Enter the following command in the ssl directory:

    touch extfile.cnf
    
  • Open the file with the following command:

    vim extfile.cnf
    
  • Once inside that file add the following:

    subjectAltName = @alt_names
    extendedKeyUsage = serverAuth
    [alt_names]
    # Domain names; if there are several, add them as DNS.2, DNS.3, ...
    DNS.1 = xxx.harbor.cn
    DNS.2 = *.harbor.cn
    # IP addresses; the server's IP
    IP.1 = 192.168.138.130
    IP.2 = 127.0.0.1
    
  • Enter the following command in the ssl directory:

    openssl x509 -req -days 3650 -in harbor.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out harbor.crt
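
The files from steps 8 and 9 can be produced without the interactive prompts and then checked before Harbor is pointed at them. This is an added example, not part of the original article: the function names `make_harbor_pki` and `check_harbor_cert`, the `BITS` variable and the `-subj` values are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the article). Function names, the BITS variable and
# the -subj values are hypothetical; the openssl options are those of steps 8-9.

# Steps 8-9 without prompts: -subj supplies the Common Name directly.
make_harbor_pki() {  # usage: make_harbor_pki DIR SERVER_IP
  ( cd "$1" &&
    openssl req -newkey "rsa:${BITS:-4096}" -nodes -sha256 -keyout ca.key \
      -x509 -days 3650 -subj "/CN=Demo Harbor Root CA" -out ca.crt 2>/dev/null &&
    openssl req -newkey "rsa:${BITS:-4096}" -nodes -sha256 -keyout harbor.key \
      -subj "/CN=$2" -out harbor.csr 2>/dev/null &&
    printf '%s\n' 'subjectAltName = @alt_names' 'extendedKeyUsage = serverAuth' \
      '[alt_names]' "IP.1 = $2" 'IP.2 = 127.0.0.1' > extfile.cnf &&
    openssl x509 -req -days 3650 -in harbor.csr -CA ca.crt -CAkey ca.key \
      -CAcreateserial -extfile extfile.cnf -out harbor.crt 2>/dev/null &&
    chmod 600 ca.key harbor.key )
}

# Returns 0 only if CRT chains to CA, belongs to KEY, lists SERVER_IP as a SAN,
# carries the serverAuth EKU, and KEY (unencrypted, because of -nodes) is not
# readable by group or other.
check_harbor_cert() {  # usage: check_harbor_cert CA CRT KEY SERVER_IP
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$' ||
    { echo "FAIL: $2 does not chain to $1"; return 1; }
  [ "$(openssl x509 -in "$2" -noout -pubkey)" = \
    "$(openssl pkey -in "$3" -pubout 2>/dev/null)" ] ||
    { echo "FAIL: $3 is not the key for $2"; return 1; }
  cert_text=$(openssl x509 -in "$2" -noout -text)
  printf '%s\n' "$cert_text" | tr ',' '\n' | sed 's/^ *//' |
    grep -Fxq "IP Address:$4" || { echo "FAIL: no SAN for IP $4"; return 1; }
  printf '%s\n' "$cert_text" | grep -q 'TLS Web Server Authentication' ||
    { echo "FAIL: serverAuth EKU missing"; return 1; }
  case "$(stat -c %a "$3")" in
    *00) ;;
    *) echo "FAIL: $3 is readable by group or other"; return 1 ;;
  esac
  echo "OK: $2"
}

# Run against existing files: sh check.sh ca.crt harbor.crt harbor.key 192.168.138.130
if [ "$#" -eq 4 ]; then check_harbor_cert "$@"; fi
```

In step 10, the `certificate` and `private_key` entries under `https:` in harbor.yml should point at a harbor.crt and harbor.key pair that passes this check.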
    

10. Update configuration

  • Note the paths of the harbor.crt and harbor.key files; they are needed when editing the configuration file.

  • Edit the harbor.yml file, paying attention to indentation when modifying it. The modification is as follows:

    cd /opt/harbor
    vim harbor.yml
    

[Screenshot: harbor.yml modifications]

  • In the harbor directory, run the commands that update the configuration so that the yml configuration file takes effect. Enter the following commands in sequence:

    ./prepare
    ./install.sh
    

11. Web login

  • Turn off the firewall of the virtual machine before logging in (or allow port 444 when the firewall is turned on). The login address is as follows:

    https://192.168.138.130:444
    

  • The user name and password remain unchanged, and are still consistent with the previous Harbor (http).

Origin blog.csdn.net/m0_51913750/article/details/132115522