Installing Harbor v1.10.1 on CentOS and integrating it with Docker

Install Harbor v1.10.1 on CentOS 7 and integrate it with Docker 19.03.6 so that Docker can log in to Harbor and push and pull images from it.

Harbor is an open-source, trusted, cloud-native registry project that stores, signs and scans content. Harbor extends the open-source Docker Distribution with the features users usually need, such as security, identity and management.
Enterprises often use Harbor as a private Docker registry.
Harbor's official site is here: https://github.com/goharbor/harbor

This article walks through the whole process of installing Harbor v1.10.1 on CentOS 7 and integrating it with Docker 19.03.6.

Operating system, applications and versions:

  • Linux: CentOS 7.6
  • Docker: 19.03.6
  • docker-compose: 1.25.4
  • Harbor: v1.10.1

Server layout:
Figure 1: server layout diagram

1. Installing docker-compose

Harbor's components run as containers managed by docker-compose,
so installing docker-compose on the Harbor host is the mandatory first step.

$ curl -L "https://github.com/docker/compose/releases/download/1.25.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
$ chmod +x /usr/local/bin/docker-compose
$ ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
$ docker-compose --version
docker-compose version 1.25.4, build 8d51620a

2. A domain name for Harbor

If you do not have a domain name, you can make one up and map it to the Harbor host's IP address by adding an entry to /etc/hosts on both the Harbor host and every Docker host. The domain used in this article is harbor.cn; the configuration looks like this:

[root@dev110 ~]# more /etc/hosts
...
#### harbor server ############
192.168.100.110  harbor.cn
...

3. Generating a self-signed certificate

By default Docker talks to Harbor over HTTPS. It can be switched to HTTP, but that requires many configuration changes and is insecure.

Now that we have a domain name, the matching CA certificate is indispensable.

mkdir -p /home/k8s/cert_harbor
cd /home/k8s/cert_harbor

Step 1 - Generate the root CA private key (unencrypted):

openssl genrsa -out ca.key 4096

Step 2 - Generate the self-signed root certificate ca.crt (signed with the existing private key ca.key):

openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=ccx/OU=plat/CN=192.168.100.110" \
    -key ca.key \
    -out ca.crt

Passing -subj skips the interactive prompts.

Step 3 - Generate the key for the server's own domain:

openssl genrsa -out harbor.cn.key 4096

Step 4 - Generate the CSR (certificate signing request) for the server's domain:

openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=ccx/OU=plat/CN=192.168.100.242" \
    -key harbor.cn.key \
    -out harbor.cn.csr

Step 5 - Create the extension file externalfile.ext that the openssl command needs.
The file can have any name, but remember it: the command below refers to it.
The important entry is subjectAltName:
for an IP address write IP.1=192.168.xxx.xxx,
for a domain name write DNS.1=xxx.xxx.com

[root@dev110 cert_harbor]# cat > externalfile.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth 
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.cn
EOF

Step 6 - Generate the crt from the CSR, using the extension file externalfile.ext:

openssl x509 -req -sha512 -days 3650 -extfile externalfile.ext \
    -CA ca.crt \
    -CAkey ca.key \
    -CAcreateserial \
    -in harbor.cn.csr \
    -out harbor.cn.crt

Step 7 - Convert the server's crt into the cert file the client uses:

openssl x509 -inform PEM -in harbor.cn.crt -out harbor.cn.cert

All the certificate files have now been created:

[root@dev cert_harbor]# ll
total 32
-rw-r--r-- 1 root root 2017 Feb 23 13:44 ca.crt
-rw-r--r-- 1 root root 3243 Feb 23 13:42 ca.key
-rw-r--r-- 1 root root   17 Feb 23 13:53 ca.srl
-rw-r--r-- 1 root root  232 Feb 23 13:52 externalfile.ext
-rw-r--r-- 1 root root 2049 Feb 23 13:54 harbor.cn.cert
-rw-r--r-- 1 root root 2049 Feb 23 13:53 harbor.cn.crt
-rw-r--r-- 1 root root 1700 Feb 23 13:49 harbor.cn.csr
-rw-r--r-- 1 root root 3247 Feb 23 13:47 harbor.cn.key

4. Distributing the certificate to each Docker client

Copy the domain's .cert and .key files from the Harbor host into the /etc/docker/certs.d/xxx.xxx.com/ directory on each host that runs a Docker client.
The steps below use the Docker client host 192.168.100.111 as the example.

Step 1 - On the Docker host, run:

mkdir -p /etc/docker/certs.d/harbor.cn/

Step 2 - On the Harbor host, run:

scp ./harbor.cn.cert ./harbor.cn.key root@192.168.100.111:/etc/docker/certs.d/harbor.cn/

Step 3 - On the Docker host, edit /etc/docker/daemon.json and add "insecure-registries": ["harbor.cn"] (the entry is the registry host name only, without an http:// scheme):

[root@dev111 ~]# vim /etc/docker/daemon.json
{
  ...
  "insecure-registries": ["harbor.cn"],
  ...
}

Step 4 - Restart Docker:

systemctl daemon-reload
systemctl restart docker
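The script below is an added example; it is not code from the original post or from the Harbor project. It runs the seven openssl steps of section 3 as one function and verifies the result, then stages trust for a Docker client the way section 4 does, with one change a practitioner would want: what the client needs is the CA certificate, copied to /etc/docker/certs.d/<host>/ca.crt, not the server's private key. Once that file is present dockerd validates the registry certificate against it, so the insecure-registries entry from Step 3, which disables certificate verification for that host, is no longer needed. The CA extensions are written to a small config file so that the CA flag does not depend on the system's openssl.cnf. It assumes the openssl CLI is installed; the host name, an optional IP SAN and the output directories are arguments, and the CA subject is constructed.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post or the Harbor project.
# Requires the openssl CLI. Arguments are the output directory, the registry
# host name (the name Docker will dial) and an optional IP to add as a SAN.
set -eu

# make_harbor_certs OUTDIR HOST [IP]
# Writes ca.key, ca.crt, HOST.key, HOST.csr, HOST.crt and HOST.cert into OUTDIR.
make_harbor_certs() {
  dir=$1 host=$2 ip=${3:-}
  mkdir -p "$dir"
  # Steps 1-2: CA key and self-signed CA certificate. The extensions are spelled
  # out in ca.cnf so CA:TRUE does not depend on the system openssl.cnf.
  openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
  printf '%s\n' '[req]' 'distinguished_name = req' 'x509_extensions = v3_ca' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > "$dir/ca.cnf"
  openssl req -x509 -new -nodes -sha512 -days 3650 -config "$dir/ca.cnf" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=ccx/OU=plat/CN=Harbor example CA" \
    -key "$dir/ca.key" -out "$dir/ca.crt"
  # Steps 3-4: server key and CSR; the CN is the registry host name
  openssl genrsa -out "$dir/$host.key" 4096 2>/dev/null
  openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=ccx/OU=plat/CN=$host" \
    -key "$dir/$host.key" -out "$dir/$host.csr"
  # Step 5: extension file. Go's TLS stack, and therefore Docker, matches the
  # host against subjectAltName only, so DNS.1 (and IP.1, if given) must be set.
  {
    printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
      'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
      'extendedKeyUsage = serverAuth' 'subjectAltName = @alt_names' '[alt_names]'
    printf 'DNS.1=%s\n' "$host"
    if [ -n "$ip" ]; then printf 'IP.1=%s\n' "$ip"; fi
  } > "$dir/externalfile.ext"
  # Step 6: sign the CSR with the CA, applying the extensions
  openssl x509 -req -sha512 -days 3650 -extfile "$dir/externalfile.ext" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -in "$dir/$host.csr" -out "$dir/$host.crt" 2>/dev/null
  # Step 7: the .cert copy (same PEM) that Docker's certs.d layout expects
  openssl x509 -inform PEM -in "$dir/$host.crt" -out "$dir/$host.cert"
}

# verify_chain OUTDIR HOST
# Succeeds only if HOST.crt chains to ca.crt and lists HOST as a DNS SAN.
verify_chain() {
  dir=$1 host=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$host.crt" -noout -text | grep -qE "DNS:$host(,|\$)" || return 1
}

# stage_docker_trust CERTS_D HOST CA_CRT
# Puts the CA certificate where dockerd looks for registry trust anchors:
# <certs.d>/<host>/ca.crt. Only a CA certificate is accepted; the server's
# private key never belongs on a client host.
stage_docker_trust() {
  certs_d=$1 host=$2 ca=$3
  openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' || return 1
  mkdir -p "$certs_d/$host"
  cp "$ca" "$certs_d/$host/ca.crt"
  chmod 0644 "$certs_d/$host/ca.crt"
}

# Stand-alone run: build the chain for harbor.cn (with the Harbor host's IP as a
# second SAN) under ./cert_harbor and stage the CA into a scratch ./certs.d tree,
# which is what gets copied to /etc/docker/certs.d/harbor.cn/ on each Docker host.
make_harbor_certs ./cert_harbor harbor.cn 192.168.100.110
verify_chain ./cert_harbor harbor.cn
stage_docker_trust ./certs.d harbor.cn ./cert_harbor/ca.crt
echo "chain OK: ./cert_harbor/harbor.cn.crt verifies against ./cert_harbor/ca.crt"
```

After running it on the Harbor host, harbor.cn.crt and harbor.cn.key go into harbor.yml as in section 5, and only ca.crt is distributed to the Docker hosts; verify_chain is the check to run before distributing anything, since a certificate whose SAN does not match the name Docker dials fails with a certificate error at docker login regardless of what the CN says.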

5. Installing Harbor

After all that preparation we can finally get to the main event.
Download and unpack:

wget https://github.com/goharbor/harbor/releases/download/v1.10.1/harbor-offline-installer-v1.10.1.tgz
mkdir -p /home/k8s
tar -zxvf ./harbor-offline-installer-v1.10.1.tgz -C /home/k8s/   # the archive unpacks into /home/k8s/harbor/

Check the unpacked files:

[root@dev110 ~]# ll /home/k8s/harbor/
total 662120
-rw-r--r-- 1 root root      3398 Feb 10 14:18 common.sh
-rw-r--r-- 1 root root 677974489 Feb 10 14:19 harbor.v1.10.1.tar.gz
-rw-r--r-- 1 root root      5882 Feb 10 14:18 harbor.yml
-rwxr-xr-x 1 root root      2284 Feb 10 14:18 install.sh
-rw-r--r-- 1 root root     11347 Feb 10 14:18 LICENSE
-rwxr-xr-x 1 root root      1749 Feb 10 14:18 prepare

Edit the configuration file harbor.yml (YAML is indented with spaces, never tabs):

[root@dev110 ~]# vim /home/k8s/harbor/harbor.yml
hostname: harbor.cn  # IP address or domain name; must match the certificate
http:
  port: 80
https:
  port: 443
  certificate: /home/k8s/cert_harbor/harbor.cn.crt  # server certificate
  private_key: /home/k8s/cert_harbor/harbor.cn.key  # server private key
harbor_admin_password: Ccxharbor123  # password of the web UI admin user; change as needed, the default is Harbor12345
database:
  password: Ccxharbor123  # password of the built-in database root user; the default is root123
data_volume: /data
log:
  level: info
  location: /var/log/harbor  # where Harbor writes its logs
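A pre-flight check to run on harbor.yml before ./prepare, added here as an example (not code from the original post or from the Harbor project). It catches the mistakes that are easy to make in the file above: an empty hostname, the default admin and database passwords the post names (Harbor12345 and root123), certificate or key paths that do not exist on the host, and the data_volumn misspelling, which ./prepare would silently ignore. It assumes the flat key layout shown above with unquoted values; yml_value and harbor_preflight are names chosen for this example.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post or the Harbor project.
# Assumes the flat harbor.yml layout shown in the post, with unquoted values.
set -eu

# yml_value KEY: value of the first "KEY: value" line on stdin, trailing
# "# comment" stripped (a password containing '#' would be cut short here)
yml_value() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | sed 's/[[:space:]]*#.*$//' | head -n 1
}

# harbor_preflight FILE: prints one line per finding, returns 1 if there are any
harbor_preflight() {
  f=$1 rc=0
  host=$(yml_value hostname < "$f")
  cert=$(yml_value certificate < "$f")
  key=$(yml_value private_key < "$f")
  admin=$(yml_value harbor_admin_password < "$f")
  # only the password inside the database: block, not any other password key
  dbpw=$(sed -n '/^database:/,/^[^[:space:]]/p' "$f" | yml_value password)
  [ -n "$host" ] || { echo "hostname is empty"; rc=1; }
  [ -n "$admin" ] && [ "$admin" != "Harbor12345" ] || { echo "harbor_admin_password is the default"; rc=1; }
  [ "$dbpw" != "root123" ] || { echo "database.password is the default"; rc=1; }
  [ -n "$cert" ] && [ -f "$cert" ] || { echo "https.certificate not found: '$cert'"; rc=1; }
  [ -n "$key" ] && [ -f "$key" ] || { echo "https.private_key not found: '$key'"; rc=1; }
  if grep -q '^data_volumn:' "$f"; then echo "data_volumn is misspelt: the key is data_volume"; rc=1; fi
  return $rc
}

# Stand-alone usage: check the file given as the first argument (default ./harbor.yml)
cfg=${1:-harbor.yml}
if [ -f "$cfg" ]; then
  if harbor_preflight "$cfg"; then echo "$cfg: ready for ./prepare"; else echo "$cfg: fix the findings above first"; fi
fi
```

Run it on the Harbor host as the user who will run ./prepare, so that the file-existence checks see the same paths the installer will.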

First generate the configuration from the parameters:

[root@dev110 ~]# cd /home/k8s/harbor
[root@dev110 harbor]# ./prepare

Then run the installer:

[root@dev110 harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 19.03.6
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.25.4
[Step 2]: loading Harbor images ...
...
(this step is slow: there are many images to load)
...
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /home/k8s/harbor
Generated configuration file: /config/log/logrotate.conf
...
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[Step 5]: starting Harbor ...
WARNING: The Docker Engine you're using is running in swarm mode.
Compose does not use swarm mode to deploy services to multiple nodes in a swarm. All containers will be scheduled on the current node.
To deploy your application across the swarm, use `docker stack deploy`.
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry      ... done
Creating harbor-portal ... done
Creating harbor-db     ... done
Creating redis         ... done
Creating registryctl   ... done
Creating harbor-core   ... done
Creating nginx             ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----

When you see "Harbor has been installed and started successfully", congratulations: the installation succeeded.

6. Using Harbor

6.1 Accessing the Harbor web UI

In a browser, the Harbor web UI is reachable either as https://<domain> or as https://<ip>:<port>.
Because the CA certificate is self-signed, the browser will block the page; add a trust exception and continue.
Figure 2: browser trust warning. Once the certificate is trusted you will see the Harbor login page:
Figure 3: Harbor login page. Username: admin
Password: the value of harbor_admin_password in harbor.yml; the default is Harbor12345.

6.2 Pushing an image: docker ==> harbor

To push an image into the Harbor registry you first have to create your own project in Harbor; you can also use the built-in project, library.
Let's see how to push the nginx image into Harbor.

Step 1 - Pull an image with Docker and re-tag it:

docker pull nginx
docker tag nginx:latest harbor.cn/library/nginx:latest

Step 2 - Log in to Harbor with docker login:

# harbor_user_name - Harbor user name
# harbor_password - that Harbor user's password
# harbor_domain - Harbor's domain name
docker login -u<harbor_user_name> -p<harbor_password> <harbor_domain>

Running the command, with its output:

[root@dev ~]# docker login -uadmin -pHarbor12345 harbor.cn
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

When you see Login Succeeded, the login worked.

The login information Docker saved can now be inspected:

[root@dev ~]# cat ~/.docker/config.json 
{
        "auths": {
                "harbor.cn": {
                        "auth": "Y2N4LWRldjpDY3hkZXYxMjM="
                }
        },
        ...
}
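The "auth" value above is nothing more than base64("user:password"), which is what the "stored unencrypted" warning printed by docker login refers to: anyone who can read the file has the Harbor credentials. The audit function below is an added example (not code from the original post or from Docker) that reads a config.json, reports each registry whose credential is stored inline (printing the user name but never the password) and whether a credential helper is configured, so a host can be checked for plaintext registry credentials. It assumes the flat "auths" layout shown above, where each registry object holds an "auth" string; audit_docker_auths is a name chosen for this example.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post or from Docker.
# Assumes the flat "auths" layout of ~/.docker/config.json shown in the post.
set -eu

# audit_docker_auths FILE
# Prints "credential helper: yes|no" and one line per registry whose credential
# is stored inline (user name only, never the password). Returns 1 if any
# inline credential exists, 0 otherwise.
audit_docker_auths() {
  f=$1 found=0
  # Collapse whitespace so each registry entry is matchable on one line
  compact=$(tr -d ' \t\r\n' < "$f")
  case $compact in
    *'"credsStore":'*|*'"credHelpers":'*) echo "credential helper: yes" ;;
    *) echo "credential helper: no" ;;
  esac
  for entry in $(printf '%s' "$compact" | grep -oE '"[^"]+":\{"auth":"[^"]*"' || true); do
    reg=${entry#\"}; reg=${reg%%\"*}          # registry host from the object key
    b64=${entry##*:\"}; b64=${b64%\"}         # the base64 "auth" value
    creds=$(printf '%s' "$b64" | base64 -d 2>/dev/null || echo '?')
    user=${creds%%:*}                         # everything before the first ':'
    echo "registry=$reg user=$user credential=inline-base64"
    found=$((found + 1))
  done
  [ "$found" -eq 0 ]
}

# Stand-alone usage: audit the calling user's own Docker config, if present
cfg=${DOCKER_CONFIG:-${HOME:-/root}/.docker}/config.json
if [ -f "$cfg" ]; then
  audit_docker_auths "$cfg" || echo "inline credentials found in $cfg; configure a credential helper and log in again"
fi
```

The remedy the warning points at is a credential helper (credsStore in config.json), after which docker login stores only a reference to the secret; until then, treat config.json with the same care as the password itself and prefer --password-stdin over -p so the password also stays out of shell history and process listings.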

Step 3 - Push the image to Harbor with Docker:

# harbor_domain - Harbor's domain name
# project_name - the project name in Harbor
# image_name - image name
# image_tag - image tag
docker push <harbor_domain>/<project_name>/<image_name>:<image_tag>

Running the command, with its output:

[root@dev ~]# docker push harbor.cn/library/nginx:latest
The push refers to repository [harbor.cn/library/nginx]
22439467ad99: Pushed 
b4a29beac87c: Pushed 
488dfecc21b1: Pushed 
latest: digest: sha256:62f787b94e5faddb79f96c84ac0877aaf28fb325bfc3601b9c0934d4c107ba94 size: 948

Step 4 - Log in to the Harbor web UI and check that the image is there.

6.3 Pulling an image: docker <== harbor

For Docker to pull an image from Harbor, all that is needed is:

  1. docker login to Harbor
  2. on docker pull, prefix the image name with Harbor's domain, like this:
docker pull harbor.cn/library/nginx:latest

7. Common maintenance commands

Inspect Harbor:

[root@dev110 ~]# cd /home/k8s/harbor
[root@dev110 harbor]# docker-compose ps
      Name                     Command                  State                          Ports                   
---------------------------------------------------------------------------------------------------------------
harbor-core         /harbor/harbor_core              Up (healthy)                                              
harbor-db           /docker-entrypoint.sh            Up (healthy)   5432/tcp                                   
harbor-jobservice   /harbor/harbor_jobservice  ...   Up (healthy)                                              
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp                  
harbor-portal       nginx -g daemon off;             Up (healthy)   8080/tcp                                   
nginx               nginx -g daemon off;             Up (healthy)   0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp
redis               redis-server /etc/redis.conf     Up (healthy)   6379/tcp                                   
registry            /home/harbor/entrypoint.sh       Up (healthy)   5000/tcp                                   
registryctl         /home/harbor/start.sh            Up (healthy)    

Stop and start:

docker-compose stop
docker-compose start

To change the Harbor configuration:

docker-compose down -v
vim harbor.yml
./prepare
docker-compose up -d

Remove Harbor's containers but keep the database and image data:

docker-compose down -v

Remove Harbor's database and image data as well, equivalent to a reinstall:

docker-compose down -v
rm -rf /data/database /data/registry   # /data is the data_volume set in harbor.yml

For more commands see the docker-compose help:

[root@dev110 harbor]# docker-compose --help
Define and run multi-container applications with Docker.

Usage:
  docker-compose [-f <arg>...] [options] [COMMAND] [ARGS...]
  docker-compose -h|--help

Options:
  -f, --file FILE             Specify an alternate compose file
                              (default: docker-compose.yml)
  -p, --project-name NAME     Specify an alternate project name
                              (default: directory name)
  --verbose                   Show more output
  --log-level LEVEL           Set log level (DEBUG, INFO, WARNING, ERROR, CRITICAL)
  --no-ansi                   Do not print ANSI control characters
  -v, --version               Print version and exit
  -H, --host HOST             Daemon socket to connect to

  --tls                       Use TLS; implied by --tlsverify
  --tlscacert CA_PATH         Trust certs signed only by this CA
  --tlscert CLIENT_CERT_PATH  Path to TLS certificate file
  --tlskey TLS_KEY_PATH       Path to TLS key file
  --tlsverify                 Use TLS and verify the remote
  --skip-hostname-check       Don't check the daemon's hostname against the
                              name specified in the client certificate
  --project-directory PATH    Specify an alternate working directory
                              (default: the path of the Compose file)
  --compatibility             If set, Compose will attempt to convert keys
                              in v3 files to their non-Swarm equivalent
  --env-file PATH             Specify an alternate environment file

Commands:
  build              Build or rebuild services
  config             Validate and view the Compose file
  create             Create services
  down               Stop and remove containers, networks, images, and volumes
  events             Receive real time events from containers
  exec               Execute a command in a running container
  help               Get help on a command
  images             List images
  kill               Kill containers
  logs               View output from containers
  pause              Pause services
  port               Print the public port for a port binding
  ps                 List containers
  pull               Pull service images
  push               Push service images
  restart            Restart services
  rm                 Remove stopped containers
  run                Run a one-off command
  scale              Set number of containers for a service
  start              Start services
  stop               Stop services
  top                Display the running processes
  unpause            Unpause services
  up                 Create and start containers
  version            Show the Docker-Compose version information