自学内容网 自学内容网

Harbor企业docker私服安装及SSL安全访问配置

基础环境

ubuntu server18

域名配置

sudo vi /etc/hosts

www.node23.com 192.168.43.23

docker安装

一键安装

curl -sSL https://get.daocloud.io/docker | sh

配置docker

vi /etc/docker/daemon.json

{
"registry-mirrors": [
       "https://squpqgby.mirror.aliyuncs.com"
    ],
   "insecure-registries" : ["www.node23.com"],
    "exec-opts": ["native.cgroupdriver=systemd"],
    "log-driver": "json-file",
    "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2"
}

重启:

systemctl daemon-reload
service docker restart

docker-compose安装

sudo curl -L https://github.com/docker/compose/releases/download/1.20.1/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

Harbor安装

下载:

wget http://kubernetes.cvimer.com/harbor-offline-installer-v1.10.3.tgz

解压:

tar xf harbor-offline-installer-v1.10.3.tgz
cd harbor
#将镜像加载到docker中
docker load -i harbor.v1.10.3.tar.gz

harbor配置

vi harbor.yml,大致更改点参考如下,https先关闭

hostname: www.node23.com
​
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80
​
# https related config
#https:
  # https port for harbor, default is 443
  #  port: 443
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path
  # private_key: /your/private/key/path
harbor_admin_password: nufront
​
# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 50
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 100 for postgres.
  max_open_conns: 100
​
# The default data volume
data_volume: /data/harbor

初始登录账号/密码:admin/root123

harbor启动/停止

运行prepare脚本

Harbor将nginx实例用作所有服务的反向代理。您可以使用prepare脚本来配置nginx为使用HTTP和HTTPS

./prepare

利用docker-compose启动和停止Harbor

#启动
sudo docker-compose up -d
#关闭
sudo docker-compose down
​
#强制清理
docker system prune -a -f
​
#查看
sudo docker-compose ps

Harbor访问、登录和使用

修改daemon.json,默认http私有仓库不能访问,设置后才可以。修改cgroupdriver是为了消除安装k8s集群时的告警。

vim /etc/docker/daemon.json

{
"registry-mirrors": [
       "https://squpqgby.mirror.aliyuncs.com"
    ],
   "insecure-registries" : ["www.node23.com"],
    "exec-opts": ["native.cgroupdriver=systemd"]
}
# 重启Docker进程
sudo systemctl daemon-reload
sudo service docker restart
​
# 重启Harbor
sudo docker-compose up -d
​
#查看cgroup状态
docker info | grep Cgroup

从Docker客户端登录Harbor,确保所有需要使用harbor的节点都能正常登录

docker login  www.node23.com

注:实际登录过程中出现

Error saving credentials: error storing credentials - err: exit status 1, out: `Failed to execute child process “dbus-launch” (No such file or directory)`

解决参考:authentication - Cannot login to Docker account - Stack Overflow

sudo apt-get update
sudo apt-get install gnupg2 pass

web管理界面访问:http://www.node23.com/

上传镜像

将需要push到远程仓库的镜像进行版本标记

docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]

在项目中标记镜像
docker tag SOURCE_IMAGE[:TAG] www.node23.com/library/IMAGE[:TAG]
sudo docker tag hello-world www.node23.com/library/hello-world:1.0.0
推送镜像到当前项目或公开library:
docker push www.node23.com/library/IMAGE[:TAG]
docker push www.node23.com/library/hello-world:1.0.0
拉取镜像
docker pull www.node23.com/boss/hello-world:1.0.0

生产环境中使用

生成Ca证书

cd /home/kangming/cert/
​
#生成CA证书私钥
openssl genrsa -out ca.key 4096
#生成CA证书
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=GaungZhou/L=GaungZhou/O=www.node23.com/OU=Personal/CN=www.node23.com" \
-key ca.key \
-out ca.crt

生成服务器证书

证书通常包含一个.crt文件和一个.key文件

生成私钥

openssl genrsa -out www.node23.com.key 4096

生成证书签名请求(CSR)

openssl req -sha512 -new \
-subj "/C=CN/ST=GaungZhou/L=GaungZhou/O=www.node23.com/OU=Personal/CN=www.node23.comm" \
-key www.node23.com.key \
-out www.node23.com.csr

生成一个x509 v3扩展文件

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
​
[alt_names]
DNS.1=www.node23.com
DNS.2=*.node*.com
DNS.3=www.test.com
IP.1=192.168.43.23
EOF

使用该v3.ext文件为您的Harbor主机生成证书

openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in www.node23.com.csr \
-out www.node23.com.crt

向Harbor和Docker提供证书

sudo mkdir -p /data/cert
sudo cp www.node23.com.crt /data/cert/
sudo cp www.node23.com.key /data/cert/

转换www.node23.com.crt为www.node23.com.cert,供Docker使用

openssl x509 -inform PEM -in www.node23.com.crt -out www.node23.com.cert
  • 将服务器证书,密钥和CA文件复制到Harbor主机上的Docker证书文件夹中。必须首先创建适当的文件夹

sudo mkdir -p /etc/docker/certs.d/www.node23.com:443/
sudo cp www.node23.com.cert /etc/docker/certs.d/www.node23.com:443/
sudo cp www.node23.com.key /etc/docker/certs.d/www.node23.com:443/
sudo cp ca.crt /etc/docker/certs.d/www.node23.com:443/
  • 重新启动Docker Engine

sudo systemctl restart docker

修改Harbor配置

开启https

cd /home/kangming/harbor/
​
vim harbor.yml
https:
  port: 443
  certificate: /etc/docker/certs.d/www.node23.com:443/www.node23.com.cert
  private_key: /etc/docker/certs.d/www.node23.com:443/www.node23.com.key

启动harbor

./prepare
#启动
sudo docker-compose up -d
#关闭
sudo docker-compose down
#查看
sudo docker-compose ps

从Docker客户端登录Harbor

cd /home/kangming/cert/
sudo cp ca.crt /usr/local/share/ca-certificates/ca.crt
sudo chmod 644 /usr/local/share/ca-certificates/ca.crt && sudo  update-ca-certificates
​
​
# 重启Docker进程
sudo systemctl restart docker
cd /home/kangming/harbor/ 
sudo docker-compose down
sudo docker-compose up -d

登录Harbor

docker login www.node23.com:443

web登录:https://www.node23.com/

另外,将ca.crt证书安装到受信任的根证书机构即可让浏览器承认,显示绿色小箭头。


原文地址:https://blog.csdn.net/u012882823/article/details/140316977

免责声明:本站文章内容转载自网络资源,如本站内容侵犯了原著者的合法权益,可联系本站删除。更多内容请关注自学内容网(zxcms.com)!