ubuntu 14.04/16.04 https 形式安装docker 私有库 harbor

起始目录/root，root 登陆后，直接在该目录进行下面的命令下载harbor 预编译包 0.4.5准备通过域名 reg.server.com 来访问镜像库所以需要在/etc/hosts 文件中加入 192.168.10.90 reg.server.com, IP 镜像服务器的地址。1 生成 CA 证书（注意内容不能乱填）openssl req -newkey

陈sir的知识图谱

3598人浏览 · 2016-11-09 15:55:19

陈sir的知识图谱 · 2016-11-09 15:55:19 发布

起始目录/root，root 登陆后，直接在该目录进行下面的命令

下载harbor 预编译包 0.4.5

准备通过域名 reg.server.com 来访问镜像库所以需要在/etc/hosts 文件中加入 192.168.10.90 reg.server.com, IP 镜像服务器的地址。

1 生成 CA 证书（注意内容不能乱填）

openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:reg.server.com
Organizational Unit Name (eg, section) []:reg.server.com
Common Name (e.g. server FQDN or YOUR name) []:reg.server.com # 这里最重要，一定要填写你准备使用的域名
Email Address []:admin@reg.server.com

命令完成后生成ca.crt, ca.key文件

2 然后生成CA 签名，注意文件名称要与你的域名匹配

 openssl req -newkey rsa:4096 -nodes -sha256 -keyout reg.server.com.key -out reg.server.com.csr

输入的内容如下

writing new private key to 'reg.server.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:reg.server.com
Organizational Unit Name (eg, section) []:reg.server.com
Common Name (e.g. server FQDN or YOUR name) []:reg.server.com # 必须和域名一致
Email Address []:admin@reg.server.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #密码留空即可
An optional company name []:

命令完成后生成

reg.server.com.key 和 reg.server.com.csr

3 生成证书

可以查看/etc/ssl/openssl.cnf 配置文件中 ssl 默认的文件夹名称是什么，一般来说，没被改动过的话是demoCA.

3.1 创建文件夹和辅助内容

 mkdir demoCA
  cd demoCA
  touch index.txt
  echo '01' > serial
  cd ..

3.2 签名证书

因为我们生成签名的时候使用的是FQDN 所以需要如下命令

echo subjectAltName = IP:192.168.10.90 > extfile.cnf

openssl ca -in reg.server.com.csr -out reg.server.com.crt -cert ca.crt -keyfile ca.key -extfile extfile.cnf -outdir .

3.3 讲生成的证书加入本机信任

运行3.2 的命令之后，会生成一个01.pem 和 reg.server.com.crt的证书。

cat 01.pem >> reg.server.com.crt

cp ca.crt reg.server.com.crt /usr/local/share/ca-certificates/

update-ca-certificates

4 安装docker（如果在导入信任证书前安装了docker，需要重启docker，命令为 service docker restart

安装方法参见

https://docs.docker.com/engine/installation/linux/ubuntulinux/

5 安装docker compose

安装方法参见

https://docs.docker.com/compose/install/

如果遇到伟大的长城问题。

可以直接爬墙把docker-compose-Linux-x64 文件下载下来。然后chmod +x 就可以了，然后在把这个文件改名为docker-compose 复制到/usr/local/bin 下，就算安装完成。

6 配置harbor

解压安装包

tar -zxvf harbor-offline-installer-0.4.5.tgz

修改 harbor.cfg 文件为

## Configuration file of Harbor

#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = reg.server.com #必须和签名时的域名一致

#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = https    

#Email account settings for sending out password resetting emails.
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false

##The initial password of Harbor admin, only works for the first time when Harbor starts. 
#It has no effect after the first launch of Harbor.
#Change the admin password from UI after launching Harbor.
harbor_admin_password = Harbor12345   #密码可以随便改

##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
auth_mode = db_auth

#The url for an ldap endpoint.
ldap_url = ldaps://ldap.mydomain.com

#A user's DN who has the permission to search the LDAP/AD server. 
#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com

#the password of the ldap_searchdn
#ldap_search_pwd = password

#The base DN from which to look up a user in LDAP/AD
ldap_basedn = ou=people,dc=mydomain,dc=com

#Search filter for LDAP/AD, make sure the syntax of the filter is correct.
#ldap_filter = (objectClass=person)

# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD  
ldap_uid = uid 

#the scope to search for users, 1-LDAP_SCOPE_BASE, 2-LDAP_SCOPE_ONELEVEL, 3-LDAP_SCOPE_SUBTREE
ldap_scope = 3 

#The password for the root user of mysql db, change this before any production use.
db_password = root123

#Turn on or off the self-registration feature
self_registration = on

#Determine whether the UI should use compressed js files. 
#For production, set it to on. For development, set it to off.
use_compressed_js = on

#Maximum number of job workers in job service  
max_job_workers = 3 

#The expiration time (in minute) of token created by token service, default is 30 minutes
token_expiration = 30

#Determine whether the job service should verify the ssl cert when it connects to a remote registry.
#Set this flag to off when the remote registry uses a self-signed or untrusted certificate.
verify_remote_cert = on

#Determine whether or not to generate certificate for the registry's token.
#If the value is on, the prepare script creates new root cert and private key 
#for generating token to access the registry. If the value is off, a key/certificate must 
#be supplied for token generation.
customize_crt = on

#Information of your organization for certificate
crt_country = CN
crt_state = State
crt_location = CN
crt_organization = organization
crt_organizationalunit = organizational unit
crt_commonname = example.com
crt_email = example@example.com


#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /etc/nginx/cert/reg.server.com.crt       #文件位置不能变，必须是这个位置
ssl_cert_key = /etc/nginx/cert/reg.server.com.key   #文件位置不能变，必须是这个位置

修改prepare 源码（此步骤仅仅在 ubuntu 16 中才需要执行）

vim /root/harbor/prepare 在第46 行不兼容python 3.5， ubuntu 16 默认时使用的python 3.5

将原来的 os.makedirs(path, mode=0600) 改为 os.makedirs(path, mode=0o600) 不然会报错。

备份 nginx 配置文件

mv /root/harbor/common/config/nginx/nginx.conf /root/harbor/common/config/nginx/nginx.conf.bak

拷贝 https 的配置文件到 /root/harbor/common/config/nginx/

cp /root/harbor/common/templates/nginx/nginx.https.conf /root/harbor/common/config/nginx/nginx.conf

拷贝证书

cp reg.server.com.crt reg.server.com.key /etc/nginx/cert/ （如果文件夹不存在，手动创建）

cp reg.server.com.crt reg.server.com.key /root/harbor/common/config/nginx/cert/

修改docker-compose.yml 文件

vim /root/harbor/docker-compose.yml

在registry 中添加ports 项，以开放端口给外网

registry:
    image: library/registry:2.5.0
    container_name: registry
    restart: always
    volumes:
      - /data/registry:/storage
      - ./common/config/registry/:/etc/registry/
    ports:
      - 5000:5000 #添加端口开放给外网
    environment:
      - GODEBUG=netdns=cgo
    command:
      ["serve", "/etc/registry/config.yml"]
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "registry"

安装harbore

cd /root/harbor

./install.sh

安装完成后运行

docker ps 查看启动的容器，一共有6个

docker login reg.server.com (输入用户名密码，如果能成功登陆就成功了）

过程中遇到的问题

x509: certificate signed by unknown authority

如果遇到这个问题，就是ca.crt 没有导入到本机信任列表中，运行下面命令解决

cp ca.crt /usr/local/share/ca-certificates/

update-ca-certificates

在windows平台下，需要使用docker toolbox 进行研发，docker toolbox 使用boot2docker linux。

在boot2docker linux 中，使用如下领命安装证书

1 启动 Docker Quickstart Terminal

启动之后所在的当前路径是应该是windows下的用户名文件夹c:\users\xxx

2 将ca.crt 放到c:\users\xxx文件夹中通过下面的领命将ca.crt 上传到boot2docker linux 中

docker-machine scp ca.crt default:~

3 使用用户名docker 密码tcuser 登录，然后使用sudo su 切换到root 用户

4 使用如下命令安装证书

cat ca.crt >> /etc/ssl/certs/ca-certificates.crt

5 重启docker

/etc/init.d/docker restart

然后再docker login 就可以登陆了

参考文档

https://github.com/vmware/harbor/blob/master/docs/configure_https.md

https://mritd.me/2016/09/15/Harbor-%E4%BC%81%E4%B8%9A%E7%BA%A7-Docker-Registry-%E7%AC%AC%E4%BA%8C%E5%BC%B9/

向您推荐>>Eolink开发者社区

权威｜前沿｜技术｜干货｜国内首个API全生命周期开发者社区

更多推荐

ELK实现containerd的容器日志采集展示【基于logging的全栈监测】

企业级ELK Stack构建介绍

云原生

深入理解 Mocha 测试框架：从零实现一个 Mocha

前言什么是自动化测试自动化测试在很多团队中都是Devops环节中很难执行起来的一个环节，主要原因在于测试代码的编写工作很难抽象，99%的场景都需要和业务强绑定，而且写测试代码的编写工作量往往比编写实际业务代码的工作量更多。在一些很多业务场景中投入产出比很低，适合写自动化测试的应该是那些中长期业务以及一些诸如组件一样的基础库。自动化测试是个比较大的概念，其中分类也比较多，比如单元测试，端对端测试，集

云原生

(20200916 Solved)docker-compose up创建容器自动退出

问题描述如题，创建容器后自动退出了。并且docker start container无效解决方案原因是缺失了控制终端的配置，需要在docker-compose.yml中增加tty:true ，有时候这样也不行，需要再增加一个command:/bin/bash，命令不一定是这个，需要是一个不会退出的命令，然后用-d后台启动容器。Referencesdocker-compose启动容器后自动退出...