安装准备
rpm -ivh /mnt/hgfs/Docker/RPM/epel-release-8-8.el8.noarch.rpm yum install python3-pip pip3 install --upgrade pip pip install -U -i https://pypi.tuna.tsinghua.edu.cn/simple docker-Compose tar -zxvf /mnt/hgfs/Docker/RPM/harbor-offline-installer-v2.1.3-rc1.tgz -C /opt cd /opt/harbor/ cp -p harbor.yml.tmpl harbor.yml
准备https相关
#生成CA证书私钥 ca.key openssl genrsa -out ca.key 4096 #生成CA证书 ca.crt 如是IP,将主机名改为IP openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=inno/OU=Personal/CN=win81.inno.com" -key ca.key -out ca.crt #生成私钥 win81.inno.com.key openssl genrsa -out win81.inno.com.key 4096 #生成证书签名请求(CSR) win81.inno.com.csr 如是IP,将主机名改为IP openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=inno/OU=Personal/CN=win81.inno.com" -key win81.inno.com.key -out win81.inno.com.csr #生成一个x509 v3扩展文件 生成一个x509 v3扩展文件 如是IP,将subjectAltName = IP:192.168.31.200 cat > v3.ext <<-EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1=win81.inno.com DNS.2=win81.inno.com DNS.3=win81.inno.com EOF #使用该v3.ext文件为您的Harbor主机生成证书 win81.inno.com.crt openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in win81.inno.com.csr -out win81.inno.com.crt #Docker守护程序将.crt文件解释为CA证书,并将.cert文件解释为客户端证书 openssl x509 -inform PEM -in win81.inno.com.crt -out win81.inno.com.cert #将服务器证书,密钥和CA文件复制到Harbor主机上的Docker证书文件夹中。您必须首先创建适当的文件夹 mkdir -p /etc/docker/certs.d/win81.inno.com/ cp -p win81.inno.com.crt /etc/docker/certs.d/win81.inno.com/ cp -p win81.inno.com.key /etc/docker/certs.d/win81.inno.com/ cp -p ca.crt /etc/docker/certs.d/win81.inno.com/
配置harbor.yml
# Configuration file of Harbor # The IP address or hostname to access admin UI and registry service. # DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients. hostname: win81.inno.com # http related config http: # port for http, default is 80. If https enabled, this port will redirect to https port port: 80 # https related config https: # https port for harbor, default is 443 port: 443 # The path of cert and key files for nginx certificate: /data/cert/win81.inno.com.crt private_key: /data/cert/win81.inno.com.key # # Uncomment following will enable tls communication between all harbor components # internal_tls: # # set enabled to true means internal tls is enabled # enabled: true # # put your cert and key files on dir # dir: /etc/harbor/tls/internal # Uncomment external_url if you want to enable external proxy # And when it enabled the hostname will no longer used external_url: https://win81.inno.com # The initial password of Harbor admin # It only works in first time to install harbor # Remember Change the admin password from UI after launching Harbor. harbor_admin_password: harbor12345 # Harbor DB configuration database: # The password for the root user of Harbor DB. Change this before any production use. password: Harbor12345 # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. max_idle_conns: 50 # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. # Note: the default number of connections is 1024 for postgres of harbor. max_open_conns: 1000 # The default data volume data_volume: /data # Harbor Storage settings by default is using /data dir on local filesystem # Uncomment storage_service setting If you want to using external storage # storage_service: # # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore # # of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate. # ca_bundle: # # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss # # for more info about this configuration please refer https://docs.docker.com/registry/configuration/ # filesystem: # maxthreads: 100 # # set disable to true when you want to disable registry redirect # redirect: # disabled: false # Clair configuration clair: # The interval of clair updaters, the unit is hour, set to 0 to disable the updaters. updaters_interval: 12 # Trivy configuration # # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached # in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it # should download a newer version from the Internet or use the cached one. Currently, the database is updated every # 12 hours and published as a new release to GitHub. trivy: # ignoreUnfixed The flag to display only fixed vulnerabilities ignore_unfixed: false # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub # # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues. # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path. skip_update: false # # insecure The flag to skip verifying registry certificate insecure: false # github_token The GitHub access token to download Trivy DB # # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult # https://developer.github.com/v3/#rate-limiting # # You can create a GitHub token by following the instructions in # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line # # github_token: xxx jobservice: # Maximum number of job workers in job service max_job_workers: 10 notification: # Maximum retry count for webhook job webhook_job_max_retry: 10 chart: # Change the value of absolute_url to enabled can enable absolute url in chart absolute_url: disabled # Log configurations log: # options are debug, info, warning, error, fatal level: info # configs for logs in local storage local: # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated. rotate_count: 50 # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes. # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G # are all valid. rotate_size: 200M # The directory on your host that store log location: /var/log/harbor # Uncomment following lines to enable external syslog endpoint. # external_endpoint: # # protocol used to transmit log to external endpoint, options is tcp or udp # protocol: tcp # # The host of external endpoint # host: localhost # # Port of external endpoint # port: 5140 #This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY! _version: 2.0.0 # Uncomment external_database if using external database. # external_database: # harbor: # host: harbor_db_host # port: harbor_db_port # db_name: harbor_db_name # username: harbor_db_username # password: harbor_db_password # ssl_mode: disable # max_idle_conns: 2 # max_open_conns: 0 # clair: # host: clair_db_host # port: clair_db_port # db_name: clair_db_name # username: clair_db_username # password: clair_db_password # ssl_mode: disable # notary_signer: # host: notary_signer_db_host # port: notary_signer_db_port # db_name: notary_signer_db_name # username: notary_signer_db_username # password: notary_signer_db_password # ssl_mode: disable # notary_server: # host: notary_server_db_host # port: notary_server_db_port # db_name: notary_server_db_name # username: notary_server_db_username # password: notary_server_db_password # ssl_mode: disable # Uncomment external_redis if using external Redis server # external_redis: # # support redis, redis+sentinel # # host for redis: <host_redis>:<port_redis> # # host for redis+sentinel: # # <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3> # host: redis:6379 # password: # # sentinel_master_set must be set to support redis+sentinel # #sentinel_master_set: # # db_index 0 is for core, it's unchangeable # registry_db_index: 1 # jobservice_db_index: 2 # chartmuseum_db_index: 3 # clair_db_index: 4 # trivy_db_index: 5 # idle_timeout_seconds: 30 # Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert. # uaa: # ca_file: /path/to/ca # Global proxy # Config http proxy for components, e.g. http://my.proxy.com:3128 # Components doesn't need to connect to each others via http proxy. # Remove component from `components` array if want disable proxy # for it. If you want use proxy for replication, MUST enable proxy # for core and jobservice, and set `http_proxy` and `https_proxy`. # Add domain to the `no_proxy` field, when you want disable proxy # for some special registry. proxy: http_proxy: https_proxy: no_proxy: components: - core - jobservice - clair - trivy
开始配置
/opt/harbor/prepare [root@win81 harbor]# /opt/harbor/install.sh [Step 0]: checking if docker is installed ... Note: docker version: 20.10.2 [Step 1]: checking docker-compose is installed ... Note: docker-compose version: 1.27.4 [Step 2]: loading Harbor images ... Loaded image: goharbor/harbor-portal:v2.1.3 Loaded image: goharbor/harbor-jobservice:v2.1.3 Loaded image: goharbor/redis-photon:v2.1.3 Loaded image: goharbor/notary-server-photon:v2.1.3 Loaded image: goharbor/clair-photon:v2.1.3 Loaded image: goharbor/trivy-adapter-photon:v2.1.3 Loaded image: goharbor/prepare:v2.1.3 Loaded image: goharbor/harbor-registryctl:v2.1.3 Loaded image: goharbor/harbor-log:v2.1.3 Loaded image: goharbor/harbor-db:v2.1.3 Loaded image: goharbor/nginx-photon:v2.1.3 Loaded image: goharbor/chartmuseum-photon:v2.1.3 Loaded image: goharbor/harbor-core:v2.1.3 Loaded image: goharbor/registry-photon:v2.1.3 Loaded image: goharbor/notary-signer-photon:v2.1.3 Loaded image: goharbor/clair-adapter-photon:v2.1.3 [Step 3]: preparing environment ... [Step 4]: preparing harbor configs ... prepare base dir is set to /opt/harbor Clearing the configuration file: /config/portal/nginx.conf Clearing the configuration file: /config/log/logrotate.conf Clearing the configuration file: /config/log/rsyslog_docker.conf Clearing the configuration file: /config/nginx/nginx.conf Clearing the configuration file: /config/core/env Clearing the configuration file: /config/core/app.conf Clearing the configuration file: /config/registry/passwd Clearing the configuration file: /config/registry/config.yml Clearing the configuration file: /config/registryctl/env Clearing the configuration file: /config/registryctl/config.yml Clearing the configuration file: /config/db/env Clearing the configuration file: /config/jobservice/env Clearing the configuration file: /config/jobservice/config.yml Generated configuration file: /config/portal/nginx.conf Generated configuration file: /config/log/logrotate.conf Generated configuration file: /config/log/rsyslog_docker.conf Generated configuration file: /config/nginx/nginx.conf Generated configuration file: /config/core/env Generated configuration file: /config/core/app.conf Generated configuration file: /config/registry/config.yml Generated configuration file: /config/registryctl/env Generated configuration file: /config/registryctl/config.yml Generated configuration file: /config/db/env Generated configuration file: /config/jobservice/env Generated configuration file: /config/jobservice/config.yml loaded secret from file: /data/secret/keys/secretkey Generated configuration file: /compose_location/docker-compose.yml Clean up the input dir Note: stopping existing Harbor instance ... Stopping harbor-jobservice ... done Stopping nginx ... done Stopping harbor-core ... done Stopping harbor-portal ... done Stopping registry ... done Stopping harbor-db ... done Stopping redis ... done Stopping registryctl ... done Stopping harbor-log ... done Removing harbor-jobservice ... done Removing nginx ... done Removing harbor-core ... done Removing harbor-portal ... done Removing registry ... done Removing harbor-db ... done Removing redis ... done Removing registryctl ... done Removing harbor-log ... done Removing network harbor_harbor [Step 5]: starting Harbor ... Creating network "harbor_harbor" with the default driver Creating harbor-log ... done Creating registryctl ... done Creating harbor-db ... done Creating registry ... done Creating harbor-portal ... done Creating redis ... done Creating harbor-core ... done Creating harbor-jobservice ... done Creating nginx ... done â ----Harbor has been installed and started successfully.----
测试访问
https://10.10.10.81/harbor/projects
推送镜像测试
如果服务器要推送代码到harbor, 必须在docker的配置文件的目录 /etc/docker/certs.d/harbor.od.com/ 配置 服务器证书(harbor.od.com.cert),密钥(harbor.od.com.key)和CA文件(ca.crt)
[root@win82 win81.inno.com]# pwd /etc/docker/certs.d/win81.inno.com [root@win82 win81.inno.com]# ls -ltr total 12 -rw-r--r-- 1 root root 2045 Jan 10 16:05 ca.crt -rw------- 1 root root 3243 Jan 10 16:05 win81.inno.com.key -rw-r--r-- 1 root root 2122 Jan 10 16:10 win81.inno.com.cert
参照:https://goharbor.io/docs/1.10/install-config/configure-https/