Harbor
I. Preparation
Note: choose the Compose file version carefully; does it match your Docker version?
Compose file versions and upgrading | Docker Docs
https://docs.docker.com/compose/compose-file/legacy-versions/
- Prepare the images and binaries
1.1 Download the Harbor offline package; I packed the images on another machine with docker save -o and brought them over.
1.2 The docker-compose binary
curl -L https://github.com/docker/compose/releases/download/1.24.1/docker-compose-Linux-x86_64 -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
- Configure local name resolution
echo "192.168.40.63 qiushi.cn" >> /etc/hosts
II. Deploying Harbor
1. Issuing the CA certificate
Harbor official documentation:
https://goharbor.io/docs/2.4.0/install-config/configure-https/
[root@qiushi ~]# mkdir ssl && cd ssl
[root@qiushi ssl]# cat ssl.sh
#!/usr/bin/env bash
set -e
# 1. Private key of the self-signed root CA
openssl genrsa -out ca.key 4096
# 2. Self-signed root CA certificate
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=xueshen/OU=k8s/CN=qiushi.cn" \
-key ca.key \
-out ca.crt
# This yields a self-signed CA key pair, which is used to issue Harbor's certificate
# Parameter description:
# C, Country
# ST, State, the province
# L, Location, the city
# O, Organization, the organization or company
# OU, Organization Unit, the department
# CN, Common Name, the server's domain name
# emailAddress, the contact's e-mail address
# 3. Private key for the certificate issued to the Harbor host (the author calls it the "client" key)
openssl genrsa -out qiushi.cn.key 4096
# 4. Certificate signing request (CSR) for that key
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=xueshen/OU=k8s/CN=qiushi.cn" \
-key qiushi.cn.key \
-out qiushi.cn.csr
# 5. The certificate needs a SAN extension file
# v3.ext lists the domain names the certificate is issued for; the Harbor hostname must be one of the three names below, and the certificate is only valid for those three names
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=qiushi.cn
DNS.2=qiushi2.cn
DNS.3=qiushi3.cn
EOF
# 6. Issue the certificate, signed by the CA
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in qiushi.cn.csr \
-out qiushi.cn.crt
cat qiushi.cn.crt ca.crt > qiushi.cn.pem # [Try removing step 7 and testing; the .pem file contains 2 certificates!]
# 7. The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates
openssl x509 -inform PEM -in qiushi.cn.crt -out qiushi.cn.cert
[root@qiushi ssl]# chmod +x ssl.sh
[root@qiushi ssl]# ./ssl.sh
[root@qiushi ssl]# ls
ssl.sh ca.crt ca.key ca.srl v3.ext qiushi.cn.crt qiushi.cn.cert qiushi.cn.csr qiushi.cn.key
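Before the files are copied to /data/ssl and /etc/docker/certs.d, it is worth checking that ssl.sh produced what Docker will actually accept. The script below is an added example, not part of the original post or of Harbor; it assumes the file names from ssl.sh (ca.crt, qiushi.cn.crt, qiushi.cn.key) and the hostname qiushi.cn. It verifies the five properties a Docker client relies on: the leaf chains to the CA, the subjectAltName (not the CN) lists the registry hostname, extendedKeyUsage from v3.ext includes serverAuth, the private key belongs to the certificate, and the file that will be installed as the CA really carries CA:TRUE.

```shell
#!/usr/bin/env bash
# check_harbor_cert.sh (added example): verify the output of ssl.sh before it is
# copied to /data/ssl and /etc/docker/certs.d.
# Usage: ./check_harbor_cert.sh ca.crt qiushi.cn.crt qiushi.cn.key qiushi.cn
# Exit 0 when every check passes, 1 otherwise; each failed check is printed.
check_harbor_cert() {
  ca="$1"; crt="$2"; key="$3"; host="$4"; rc=0

  # 1. Chain: the leaf must verify against ca.crt on its own.
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "FAIL: $crt does not chain to $ca"; rc=1
  fi

  # 2. SAN: Docker (a Go TLS client) matches subjectAltName only and ignores CN,
  #    so the registry hostname must appear as DNS:<host> (exact match, no wildcards).
  san=$(openssl x509 -in "$crt" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//')
  case "$san" in
    *"DNS:$host,"*|*"DNS:$host") ;;
    *) echo "FAIL: SAN [$san] does not list DNS:$host"; rc=1 ;;
  esac

  # 3. EKU: extendedKeyUsage=serverAuth from v3.ext must be present.
  if ! openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Server Authentication'; then
    echo "FAIL: $crt lacks extendedKeyUsage serverAuth"; rc=1
  fi

  # 4. Key match: the public key inside the cert must equal the one derived from the key.
  if [ "$(openssl x509 -in "$crt" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "FAIL: $key does not belong to $crt"; rc=1
  fi

  # 5. The file that will be installed as ca.crt for dockerd must actually be a CA.
  if ! openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE'; then
    echo "FAIL: $ca is not a CA certificate (basicConstraints CA:TRUE missing)"; rc=1
  fi
  return $rc
}

# Stand-alone use: pass the four arguments; without arguments nothing runs.
if [ "$#" -eq 4 ]; then
  check_harbor_cert "$@"
elif [ "$#" -ne 0 ]; then
  echo "usage: $0 ca.crt server.crt server.key hostname" >&2; exit 2
fi
```

Run it as `./check_harbor_cert.sh ca.crt qiushi.cn.crt qiushi.cn.key qiushi.cn`. Passing a short name such as `qiushi` fails the SAN check, which is the same kind of name mismatch that makes a non-FQDN registry name unusable later on.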
2. Placing the certificates for Harbor and Docker
Certificate directory for Harbor:
[root@qiushi ssl]# mkdir /data/{ssl,install} -p
[root@qiushi ssl]# cp qiushi.cn.crt qiushi.cn.key /data/ssl
Certificate directory for Docker:
[root@qiushi ssl]# mkdir /etc/docker/certs.d/qiushi.cn/ -p
[root@qiushi ssl]# cp ca.crt qiushi.cn.cert qiushi.cn.key /etc/docker/certs.d/qiushi.cn/
3. Extract the Harbor package, which contains the images, harbor.yml and so on; docker-compose.yml has to be generated from it
[root@qiushi ~]# tar xzvf harbor-offline-installer-v2.3.0-rc3.tgz -C /data/install/
harbor/harbor.v2.3.0.tar.gz
harbor/prepare
harbor/LICENSE
harbor/install.sh
harbor/common.sh
harbor/harbor.yml.tmpl
[root@qiushi harbor]# docker load -i harbor.v2.3.0.tar.gz
Run ./prepare to generate the usable configuration file docker-compose.yml
[root@qiushi harbor]# ./prepare
prepare base dir is set to /data/install/harbor
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[root@qiushi harbor]# ls
common docker-compose.yml harbor.yaml.bak harbor.yml.tmpl LICENSE
common.sh harbor.v2.3.0.tar.gz harbor.yml install.sh prepare
[root@qiushi harbor]# cp harbor.yml.tmpl harbor.yml
3. Modify the configuration files: file mounts, the port-80 mapping, hostname
3.1 Modifying the Harbor configuration file
[root@qiushi ~]# cat /data/install/harbor/harbor.yml
hostname: qiushi.cn
http:
  port: 9999 # do not expose port 80 externally by default
https:
  # https port for harbor, default is 443
  port: 443
  certificate: /data/ssl/qiushi.cn.crt # mounted directory
  private_key: /data/ssl/qiushi.cn.key # mounted directory
Mail and LDAP do not need to be configured here; they can be set up in Harbor's web UI.
Other settings can be left at their defaults.
Save and exit after editing.
Note: Harbor's default credentials are admin/Harbor12345.
3.2 Modifying the docker-compose configuration file (if you edit harbor.yml first and then run prepare, the modified file is generated directly)
[root@qiushi ~]# cat /data/install/harbor/docker-compose.yml | grep port
  proxy:
    image: goharbor/nginx-photon:v2.3.0
    container_name: nginx
    restart: always
    ...
    ports:
      - 9999:8080 # do not expose port 80 externally by default
      - 443:8443
3.3 Adding the private registry as trusted in Docker
[root@qiushi ssl]# cat /etc/docker/daemon.json
{
  "registry-mirrors": [
    "https://vh3bm52y.mirror.aliyuncs.com",
    "https://registry.dockercn.com",
    "https://docker.mirrors.ustc.edu.cn",
    "https://dockerhub.azk8s.cn",
    "http://hubmirror.c.163.com",
    "https://qiushi.cn"
  ],
  "exec-opts": ["native.cgroupdriver=systemd"]
}
[root@qiushi ~]# systemctl daemon-reload
[root@qiushi ~]# systemctl restart docker
4. Verifying HTTPS
Log in to the private registry using the domain name
[root@qiushi ~]# ./install.sh
[root@qiushi ~]# docker login qiushi.cn -u admin -p Harbor12345
[root@qiushi ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
goharbor/harbor-exporter v2.3.0 fa4ecf260b3a 2 years ago 80.7MB
xuegod.cn/test/aa v1 fa4ecf260b3a 2 years ago 80.7MB
[root@qiushi ~]# docker tag goharbor/harbor-exporter:v2.3.0 qiushi.cn/test/test_image:v1
[root@qiushi ~]# docker push qiushi.cn/test/test_image:v1
The push refers to repository [qiushi.cn/test/test_image]
83cea239dd18: Pushed
48f062b756ef: Pushed
3b267db69816: Pushed
230bb4d21843: Pushed
7b63ae3694f2: Pushed
v1: digest: sha256:398f5a2058d77b5c66942f78ab871ce69990d75121b5b7ef3af7283cc73bc7a4 size: 1369
http://192.168.40.63:9999/
https://qiushi.cn
5. Configuring Harbor to start on boot
vim /etc/rc.local
/usr/local/bin/docker-compose -f /data/install/harbor/docker-compose.yml up -d
6. Connecting the Harbor private registry to K8s
Because the registry is not public, pulling an image requires an account and password; the credentials therefore have to be configured as a Secret and attached to the Pod.
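As an added example (not from the original post), the script below generates the two manifests that step requires: a Secret of type kubernetes.io/dockerconfigjson holding the registry login (the same JSON that docker login writes to ~/.docker/config.json) and a Pod that references it through imagePullSecrets. It uses the page's values (qiushi.cn, admin/Harbor12345, the test_image pushed above); the Secret name harbor-pull and the Pod name are assumed.

```shell
#!/usr/bin/env bash
# make_pull_secret.sh (added example): build the Secret and Pod manifests needed to
# pull from the private Harbor registry. Equivalent to
#   kubectl create secret docker-registry harbor-pull --docker-server=qiushi.cn ...
# but written out so the content of .dockerconfigjson is visible.
# Values below are the page's lab values; replace them for real use.
# Note: values are not JSON-escaped, so quotes or backslashes in a password need escaping.

# base64 without line wrapping (GNU base64 wraps at 76 characters by default)
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# JSON body of .dockerconfigjson for a single registry; "auth" is base64(user:password)
dockerconfig_json() {
  registry="$1"; user="$2"; pass="$3"
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$registry" "$user" "$pass" "$(b64 "$user:$pass")"
}

# Secret manifest: the JSON above, base64-encoded once more as Kubernetes requires
pull_secret_manifest() {
  name="$1"; namespace="$2"; registry="$3"; user="$4"; pass="$5"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(b64 "$(dockerconfig_json "$registry" "$user" "$pass")")
EOF
}

# Pod manifest: the Secret is referenced via imagePullSecrets, not mounted as a volume
pod_manifest() {
  name="$1"; namespace="$2"; secret="$3"; image="$4"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $name
  namespace: $namespace
spec:
  imagePullSecrets:
    - name: $secret
  containers:
    - name: app
      image: $image
EOF
}

# Stand-alone run: print both manifests, ready for `| kubectl apply -f -`
pull_secret_manifest harbor-pull default qiushi.cn admin Harbor12345
echo "---"
pod_manifest harbor-pull-test default harbor-pull qiushi.cn/test/test_image:v1
```

Apply with `./make_pull_secret.sh | kubectl apply -f -`. The Pod spec shows the part the section leaves implicit: the Secret is not mounted into the container, it is named under imagePullSecrets so the kubelet uses it when contacting qiushi.cn. The kubelet still needs to trust the Harbor CA on each node (the certs.d step from section 2), since the Secret only supplies credentials.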
7. Problems encountered
7.1 K8s image pull fails with: http: server gave HTTP response to HTTPS client.
The Docker client on our own machine needs to hold the Harbor certificate; so how do we maintain the certificate on the Docker client?
7.1.1 One way is to add the registry address to the insecure-registries setting, which lets Docker reach the remote registry over plain HTTP or with an untrusted certificate (TLS verification is skipped for that registry, so this suits a lab only).
7.1.2 The other way is to maintain the Harbor certificate properly; pay particular attention to the Docker configuration: the Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.
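The naming rule in 7.1.2 is easy to get wrong when files are copied by hand, and the symptom is a certificate error even though ssl.sh ran correctly. The script below is an added example, not from the original post or from Docker; it lints a /etc/docker/certs.d/<registry>/ directory against the rules dockerd applies (*.crt is a CA certificate, *.cert is a client certificate that needs a *.key beside it, anything else is ignored) using only the PEM headers, so it needs no openssl. The demo directory it builds contains constructed placeholder PEM files, not real keys.

```shell
#!/usr/bin/env bash
# certsd_lint.sh (added example): check the layout of /etc/docker/certs.d/<registry>/.
# dockerd reads *.crt as CA certificates, *.cert as client certificates (paired with
# *.key) and ignores every other suffix. A CA certificate saved as ca.cert, or a .pem,
# leaves dockerd without a trust anchor for the registry.
# Usage: ./certsd_lint.sh /etc/docker/certs.d/qiushi.cn   (no argument: run the demo)
certsd_lint() {
  dir="$1"; rc=0; found_ca=0
  [ -d "$dir" ] || { echo "ERROR: $dir does not exist"; return 1; }
  for f in "$dir"/*; do
    [ -e "$f" ] || continue
    case "$f" in
      *.crt)
        if grep -q 'BEGIN CERTIFICATE' "$f"; then found_ca=1
        else echo "ERROR: $f is named like a CA cert but is not a PEM certificate"; rc=1; fi ;;
      *.cert)
        grep -q 'BEGIN CERTIFICATE' "$f" || { echo "ERROR: $f is not a PEM certificate"; rc=1; }
        [ -f "${f%.cert}.key" ] || { echo "ERROR: $f has no matching ${f%.cert}.key"; rc=1; } ;;
      *.key)
        grep -q 'PRIVATE KEY' "$f" || { echo "ERROR: $f is not a PEM private key"; rc=1; } ;;
      *.pem)
        echo "WARN: $f is ignored by dockerd (use .crt for the CA, .cert for the client cert)" ;;
      *)
        echo "WARN: $f has a suffix dockerd does not read" ;;
    esac
  done
  [ "$found_ca" -eq 1 ] || { echo "ERROR: no *.crt CA certificate in $dir; dockerd will not trust the registry"; rc=1; }
  return $rc
}

# Demo on a constructed directory (placeholder PEM bodies, not real certificates)
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/qiushi.cn"
  printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' > "$tmp/qiushi.cn/ca.crt"
  cp "$tmp/qiushi.cn/ca.crt" "$tmp/qiushi.cn/qiushi.cn.cert"
  printf -- '-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n' > "$tmp/qiushi.cn/qiushi.cn.key"
  echo "== layout from section 2"
  certsd_lint "$tmp/qiushi.cn" && echo "OK"
  # the usual mistake: CA certificate saved as ca.cert, so dockerd sees no CA at all
  mkdir -p "$tmp/wrong"; cp "$tmp/qiushi.cn/ca.crt" "$tmp/wrong/ca.cert"
  echo "== CA saved with the .cert suffix"
  certsd_lint "$tmp/wrong" || echo "lint failed as expected"
  rm -rf "$tmp"
}

if [ "$#" -ge 1 ]; then certsd_lint "$1"; else demo; fi
```

The checks are deliberately syntactic; pair them with the openssl-based certificate check from section 1 when the content of the files, not just their names, is in doubt.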
7.2 Pushing images with a non-FQDN name does not work
Pay attention to hostname in harbor.yml.
1. Change the hostname to qiushi.cn
1.1 For your own experiments you can change local name resolution (/etc/hosts) or the machine's hostname (changing hostnames inside a K8s cluster is risky)
1.2 In production, register the name in your own DNS
2. The hostname in harbor.yml must be changed as well
3. If the name is registered in DNS, change it there too
4. After the change, rerun ./install.sh to reinstall; this does not affect the Harbor that is already installed
7.3 Problems after the Harbor host is rebooted and Docker restarts
systemctl daemon-reload
systemctl restart docker
cd /data/install/harbor
docker-compose stop
docker-compose start
./install.sh
If it still does not work after trying these, reboot the machine.
7.4 Advantages of managing the containers with docker-compose
Automatic restart policy
For configuring a highly available Harbor, refer to this article, which contains many caveats:
https://blog.csdn.net/avatar_2009/article/details/125266411