Building a base environment with Docker on CentOS 7: Harbor

Published on 2023-08-18


Background

In practice there are a great many Docker images, and your own business applications also need to be packaged as images, so all of these images need somewhere to be stored. Docker does provide an official registry, but everyone knows what domestic network speeds to it are like; it also offers private registries, which is fair enough. In this section we build Harbor, a very popular image registry with a web UI, which instantly makes the setup look far more professional.

1. Environment preparation

Prepare a CentOS 7 virtual machine with Docker installed, and install docker-compose on it.

Installing docker and docker-compose is not repeated here; follow the reference material below.

References

1-Kubernetes: building a base environment on CentOS 7 (part 1)

2-Kubernetes: building a base environment on CentOS 7 (part 2)

Server name   Server domain    Description
base          www.yunze.com    hosts Harbor, NFS and other services

2. Overall workflow:

  1. Install docker
  2. Install docker-compose
  3. Create the folder /yunze/software under the root directory and download the Harbor installation package into it
  4. Enter software and download Harbor
  5. Extract and move
  6. Configure HTTPS
  7. Install and start Harbor
  8. Access test
  9. Configure image push and pull for the Harbor registry

3. Installing Harbor

  1. Create the folder /yunze/software under the root directory and download the Harbor installation package into it. The directory layout is:
    • The Harbor version used here is v2.5.6
[root@base /]# ll
/
├── yunze
│   └── software
│       └── harbor-offline-installer-v2.5.6.tgz
  2. Extract harbor-offline-installer-v2.5.6.tgz and move the extracted harbor folder up one level. The directory layout is then:
    • Copy harbor.yml.tmpl to harbor.yml
    • Create the ca folder
    • Create the executable file create-ca.sh
[root@base software]# tar -xf harbor-offline-installer-v2.5.6.tgz -C ../
[root@base /]# ll
/
├── yunze
│   ├── harbor
│   │   ├── common.sh
│   │   ├── harbor.v2.2.2.tar.gz
│   │   ├── harbor.yml.tmpl
│   │   ├── harbor.yml          # the copied file, placed here in advance for later use
│   │   ├── install.sh
│   │   ├── create-ca.sh
│   │   ├── ca
│   │   ├── LICENSE
│   │   └── prepare
│   └── software
│       └── harbor-offline-installer-v2.2.2.tgz
  • The content of create-ca.sh is:
#!/bin/bash
set -e

# Work in this directory so the generated files sit where harbor.yml expects them
mkdir -p /yunze/harbor/ca
cd /yunze/harbor/ca

# Private CA: key plus a self-signed CA certificate valid for 10 years
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=hatech/OU=web/CN=www.yunze.com" -key ca.key -out ca.crt

# Server key and certificate signing request for the registry hostname
openssl genrsa -out www.yunze.com.key 4096
openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=hatech/OU=web/CN=www.yunze.com" -key www.yunze.com.key -out www.yunze.com.csr

# x509 v3 extensions for the server certificate: not a CA, server auth only,
# and the registry names in subjectAltName (Docker's TLS client matches the SAN, not the CN)
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=www.yunze.com
DNS.2=harbor
DNS.3=ks-allinone
EOF

# Sign the server CSR with the private CA
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in www.yunze.com.csr -out www.yunze.com.crt

# The same certificate with the .cert extension that Docker expects under /etc/docker/certs.d/
openssl x509 -inform PEM -in www.yunze.com.crt -out www.yunze.com.cert

# Add the certificate to the system trust store: anchors/ is the directory, the
# certificate is copied into it as a file, then the trust store is rebuilt
mkdir -p /etc/pki/ca-trust/source/anchors/
cp www.yunze.com.crt /etc/pki/ca-trust/source/anchors/www.yunze.com.crt
update-ca-trust
  3. Run ./create-ca.sh; the final directory layout is:
[root@base /]# ll
/
├── yunze
│   ├── harbor
│   │   ├── common.sh
│   │   ├── harbor.v2.2.2.tar.gz
│   │   ├── harbor.yml.tmpl
│   │   ├── harbor.yml          # the copied file, placed here in advance for later use
│   │   ├── install.sh
│   │   ├── create-ca.sh
│   │   ├── ca
│   │   │   ├── base.yunze.cert
│   │   │   ├── www.yunze.com.crt
│   │   │   ├── www.yunze.com.csr
│   │   │   ├── www.yunze.com.key
│   │   │   ├── ca.crt
│   │   │   ├── ca.key
│   │   │   ├── ca.srl
│   │   │   └── v3.ext
│   │   ├── LICENSE
│   │   └── prepare
│   └── software
│       └── harbor-offline-installer-v2.2.2.tgz

4. Configuring HTTPS

  1. By default Harbor works over HTTP, but that only covers access to the web pages; when pushing and pulling images Harbor defaults to HTTPS, so HTTPS has to be configured, which needs the following files:
  2. Copy www.yunze.com.crt and www.yunze.com.key to the /data/certs/ directory; create the directory if it does not exist
[root@base ca]# mkdir -p /data/certs/
[root@base ca]# cp www.yunze.com.crt www.yunze.com.key /data/certs/

5. Editing the Harbor configuration

# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
# change this to your own machine's domain name
hostname: www.yunze.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx

  # certificate: /your/certificate/path
  # private_key: /your/private/key/path
  # configure the certificate files here
  certificate: /data/certs/www.yunze.com.crt
  private_key: /data/certs/www.yunze.com.key

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 50
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 1000

# The default data volume
data_volume: /data
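Harbor reads harbor_admin_password and database.password only on the first install, and the values shipped in harbor.yml.tmpl (Harbor12345, root123) are public knowledge, so they are worth replacing before ./install.sh runs. The script below is an added example, not part of this post or of Harbor itself; it assumes POSIX sh with GNU sed and /dev/urandom, and the hostname and certificate paths are the ones used in this post.

```shell
#!/bin/sh
# Added example: set the three values this section changes in harbor.yml and replace
# the two default secrets that ship in harbor.yml.tmpl. Assumes POSIX sh, GNU sed, /dev/urandom.

# rand_secret [length]: random alphanumeric secret (default 24 characters)
rand_secret() {
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-24}"
}

# harden_harbor_yml <harbor.yml> <hostname> <cert path> <key path>
# Edits the file in place and prints the generated secrets once so they can be
# stored in a password manager: Harbor only reads them on the first install.
harden_harbor_yml() {
    f="$1"; host="$2"; crt="$3"; key="$4"
    admin_pw=$(rand_secret 24); db_pw=$(rand_secret 24)
    # Only uncommented keys are matched, so the template's "# certificate:" hints survive.
    # Paths must not contain '|' or '&', which sed would interpret in the replacement.
    sed -i \
        -e "s|^hostname:.*|hostname: $host|" \
        -e "s|^\( *\)certificate:.*|\1certificate: $crt|" \
        -e "s|^\( *\)private_key:.*|\1private_key: $key|" \
        -e "s|^harbor_admin_password:.*|harbor_admin_password: $admin_pw|" \
        -e "s|^\( *\)password:.*|\1password: $db_pw|" \
        "$f"
    echo "harbor_admin_password: $admin_pw"
    echo "database.password:     $db_pw"
}

# no_default_secrets <harbor.yml>: succeeds only if neither shipped default remains
no_default_secrets() {
    ! grep -qE '^(harbor_admin_password: *Harbor12345| *password: *root123) *$' "$1"
}

# e.g. ./harden-harbor-yml.sh /yunze/harbor/harbor.yml www.yunze.com /data/certs/www.yunze.com.crt /data/certs/www.yunze.com.key
if [ "$#" -eq 4 ]; then harden_harbor_yml "$1" "$2" "$3" "$4"; fi
```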

6. Configuring the certificate for Docker

  1. Create a certs.d folder under /etc/docker
  2. Under certs.d create a folder named after the machine's domain, www.yunze.com (the domain must already be configured)
[root@base docker]# mkdir -p /etc/docker/certs.d/www.yunze.com
  3. Copy www.yunze.com.cert, www.yunze.com.key and ca.crt into it
[root@base docker]# cp /yunze/harbor/ca/www.yunze.com.cert /yunze/harbor/ca/www.yunze.com.key /yunze/harbor/ca/ca.crt /etc/docker/certs.d/www.yunze.com/
  4. Restart docker
[root@base docker]# systemctl daemon-reload && systemctl restart docker
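Before running install.sh it is worth confirming that the files create-ca.sh produced in section 3, and the copies placed under /etc/docker/certs.d/ in this section, actually fit together: a key that does not match the certificate stops Harbor's nginx from starting, and a hostname missing from the SAN makes every docker push fail with a TLS error. The script below is an added example, not from this post or from Harbor; it assumes openssl and POSIX sh, and the ca.crt / <host>.cert / <host>.key layout is the one created above.

```shell
#!/bin/sh
# Added example: sanity-check the certificate material before Harbor's nginx and
# the Docker daemon consume it. Assumes only openssl and POSIX sh.

# verify_harbor_cert <ca.crt> <server.crt> <server.key> <hostname>
# Returns 0 only if every check passes; prints one line per check.
verify_harbor_cert() {
    ca="$1"; crt="$2"; key="$3"; host="$4"; rc=0
    # 1. The leaf must chain to the CA Docker will trust and be valid for the hostname
    if openssl verify -CAfile "$ca" -verify_hostname "$host" "$crt" >/dev/null 2>&1; then
        echo "ok   chain/hostname: $crt verifies against $ca for $host"
    else
        echo "FAIL chain/hostname: $crt does not verify against $ca for $host"; rc=1
    fi
    # 2. Go TLS clients (docker, containerd) ignore the CN: the name must be in the SAN
    if openssl x509 -in "$crt" -noout -text 2>/dev/null \
            | grep -A1 'Subject Alternative Name' | grep -q "DNS:$host"; then
        echo "ok   SAN: contains DNS:$host"
    else
        echo "FAIL SAN: does not contain DNS:$host"; rc=1
    fi
    # 3. The private key must belong to the certificate, or nginx refuses to start
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]; then
        echo "ok   keypair: $key matches $crt"
    else
        echo "FAIL keypair: $key does not match $crt"; rc=1
    fi
    # 4. Catch expiry before it surfaces as a failed push (30 days = 2592000 s)
    if openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "ok   validity: more than 30 days left"
    else
        echo "FAIL validity: expired or expiring within 30 days"; rc=1
    fi
    return "$rc"
}

# check_certs_d <certs.d root> <hostname>: validate the layout created above,
# i.e. <root>/<host>/ca.crt, <host>.cert and <host>.key
check_certs_d() {
    d="$1/$2"
    if [ ! -f "$d/ca.crt" ] || [ ! -f "$d/$2.cert" ] || [ ! -f "$d/$2.key" ]; then
        echo "FAIL layout: $d must contain ca.crt, $2.cert and $2.key"; return 1
    fi
    verify_harbor_cert "$d/ca.crt" "$d/$2.cert" "$d/$2.key" "$2"
}
# e.g. ./check-harbor-certs.sh /etc/docker/certs.d www.yunze.com
if [ "$#" -eq 2 ]; then check_certs_d "$1" "$2"; fi
```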

7. Installing and starting Harbor

  1. Run ./install.sh --with-chartmuseum to install
  2. After installation the Helm Charts tab will be available
[root@base harbor]# ./install.sh --with-chartmuseum

[Step 0]: checking if docker is installed ...

Note: docker version: 20.10.6

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 1.29.2

[Step 2]: loading Harbor images ...
Loaded image: goharbor/harbor-jobservice:v2.2.2
Loaded image: goharbor/harbor-exporter:v2.2.2
Loaded image: goharbor/nginx-photon:v2.2.2
Loaded image: goharbor/trivy-adapter-photon:v2.2.2
Loaded image: goharbor/prepare:v2.2.2
Loaded image: goharbor/harbor-db:v2.2.2
Loaded image: goharbor/harbor-registryctl:v2.2.2
Loaded image: goharbor/notary-server-photon:v2.2.2
Loaded image: goharbor/notary-signer-photon:v2.2.2
Loaded image: goharbor/redis-photon:v2.2.2
Loaded image: goharbor/registry-photon:v2.2.2
Loaded image: goharbor/chartmuseum-photon:v2.2.2
Loaded image: goharbor/harbor-portal:v2.2.2
Loaded image: goharbor/harbor-core:v2.2.2
Loaded image: goharbor/harbor-log:v2.2.2

[Step 3]: preparing environment ...

[Step 4]: preparing harbor configs ...
prepare base dir is set to /hatech/harbor
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating redis         ... done
Creating harbor-portal ... done
Creating harbor-db     ... done
Creating registry      ... done
Creating registryctl   ... done
Creating harbor-core   ... done
Creating harbor-jobservice ... done
Creating nginx             ... done
✔ ----Harbor has been installed and started successfully.----
[root@base harbor]# 
  3. Configure the private Harbor registry address
    • Add "insecure-registries":["http://www.yunze.com"],
    • In a Kubernetes cluster, every node needs this configuration
[root@base harbor]# vi /etc/docker/daemon.json

{
    "registry-mirrors": ["https://1mbc3b4s.mirror.aliyuncs.com"],
    "insecure-registries":["https://www.yunze.com"],
    "exec-opts": ["native.cgroupdriver=systemd"]
}
  4. Log in to the Harbor registry
    • Log in to the registry
    • Pull an image
    • Tag the image
    • Push the image to Harbor
[root@base ~]# docker login www.yunze.com
login name: admin
password: Hatech12345
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@base ~]#
[root@base ~]# docker pull nginx:1.22.1
[root@base ~]# docker tag nginx:1.22.1  www.yunze.com/library/nginx:1.22.1
[root@base ~]# docker push www.yunze.com/library/nginx:1.22.1
The push refers to repository [www.yunze.com/library/nginx]
809554271323: Pushed
4b1477f6593b: Pushed
d2a2c6ae9358: Pushed
feb3902c2765: Pushed
8d0bea15977f: Pushed
3af14c9a24c9: Pushed
1.22.1: digest: sha256:5bbe9f58a36db5fd0b65a59134c0342b9fc111ef2ade5887ae923ac4d3bafe23 size: 1570
[root@base ~]#
  5. External access test
    • Configure the domain name on the other machines that need access; the prerequisite is that those machines can ping the Harbor server
    • The address is https://www.yunze.com
    • The default login name is admin and the default password is Harbor12345
    • After logging in you can change the password (not required, but recommended)

Tip

Once all of the above is done, there is a docker-compose file in the harbor folder: run docker-compose stop to stop Harbor, and docker-compose up -d to start it again in the background.

