harbor私有仓库部署

Harbor 简介

    Harbor是构建企业级私有docker镜像的仓库的开源解决方案，它是Docker Registry的更高级封装，它除了提供友好的Web UI界面，角色和用户权限管理，用户操作审计等功能外，它还整合了K8s的插件(Add-ons)仓库，即Helm通过chart方式下载，管理，安装K8s插件，而chartmuseum可以提供存储chart数据的仓库【注:helm就相当于k8s的yum】。另外它还整合了两个开源的安全组件，一个是Notary，另一个是Clair，Notary类似于私有CA中心，而Clair则是容器安全扫描工具，它通过各大厂商提供的CVE漏洞库来获取最新漏洞信息，并扫描用户上传的容器是否存在已知的漏洞信息，这两个安全功能对于企业级私有仓库来说是非常具有意义的。

1. 安装docker

yum -y install docker-ce
 
systemctl  restart docker && systemctl enable docker

要想用其他节点都要添加

cat > /etc/docker/daemon.json <<EOF
 
{
 
  "insecure-registries":["https://hub.wql.com"]　　#仓库域名
 
}
 
EOF
 
mkdir -p /etc/systemd/system/docker.service.d
 
systemctl daemon-reload && systemctl restart docker && systemctl enable docker

2.安装docker编排工具compose

最好自己网站下载，容易报错

下载地址：

curl -L https://github.com/docker/compose/releases/download/1.9.0/docker-compose-`uname -s`-`uname -m`  > /usr/local/bin/docker-compose

https://github.com/docker/compose/releases/tag/1.14.0-rc2

https://github.com/docker/compose/releases/tag/1.25.0-rc4

wget https://github.com/docker/compose/releases/tag/1.14.0-rc2/docker-compose-Linux-x86_64

yum -y install  lrzsz
 
mv  docker-compose  /usr/local/bin
 
Chmod a+x /usr/local/bin/docker-compose

3.安装harbor

下载地址：  Harbor  官方地址： https://github.com/vmware/harbor/releases

包地址：https://github.com/vmware/harbor/releases/download/v1.2.0/harbor-offline-installer-v1.2.0.tgz

tar -zxvf  harbor-offline-installer-v1.2.0.tgz
 
 mv harbor /usr/local/
 
 cd /usr/local/harbor/
 
[root@harbor harbor]# vim harbor.cfg
 
 5 hostname = hub.wql.com 域名
 
 9 ui_url_protocol = https 协议
 
24 ssl_cert = /data/cert/server.crt 　　#创建一下/data/cert 目录
 
 mkdir -p /data/cert

4. 创建证书

cd /data/cert
 
]# openssl genrsa -des3 -out server.key 2048
 
Enter pass phrase for server.key: 这里输入密码，随便填
 
Verifying - Enter pass phrase for server.key:
 
[root@harbor cert]#  openssl req -new -key server.key -out server.csr #创建证书请求
 
Enter pass phrase for server.key: 输入密码

You are about to be asked to enter information that will be incorporated
 
into your certificate request.
 
What you are about to enter is what is called a Distinguished Name or a DN.
 
There are quite a few fields but you can leave some blank
 
For some fields there will be a default value,
 
If you enter '.', the field will be left blank.
 
-----
 
Country Name (2 letter code) [XX]:CN 国家
 
State or Province Name (full name) []:BJ 城市
 
Locality Name (eg, city) [Default City]:BJ 地方
 
Organization Name (eg, company) [Default Company Ltd]:wql 机构
 
Organizational Unit Name (eg, section) []:wql 组织
 
Common Name (eg, your name or your server's hostname) []:hub.wql.com 邮箱
 
Email Address []:wqlong0821@163.com 管理员邮箱
 
Please enter the following 'extra' attributes
 
to be sent with your certificate request
 
A challenge password []: 是否改密码（这里直接回车）
 
An optional company name []:
 


cp server.key server.key.org 备份一下
 
openssl rsa -in server.key.org -out server.key 转换证书（去掉密码）
 
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt 签名
 
chmod  a+x * 赋权
 
共4个

5.运行脚本进行安装

cd /usr/local/harbor/
 
./install.sh
 
vim  /etc/hosts
 
192.168.4.10    master01
 
192.168.4.50    node01
 
192.168.4.51    node02
 
192.168.4.53    hub.wql.com

6.验证浏览器访问

https://hub.wql.com/

请注意，默认管理员用户名 / 密码为 admin / Harbor12345

要在/usr/local/harbor/目录

重启harbor
 
./prepare 
 
 docker-compose down 　　//关闭docker-compose
 
 docker-compose up -d 　　//开启docker-compose

7.命令行登录测试

~]# docker login https://hub.wql.com
 
Username: admin　　#用户名
 
Password:　　#密码
 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
 
Configure a credential helper to remove this warning.
 
See https://docs.docker.com/engine/reference/commandline/login/#credentials-store
 
Login Succeeded

8.推送镜像

 把镜像打标签，并上传harbor
 
docker tag   nginx:v1  hub.wql.com/library/nginx:v1
 
docker push   hub.wql.com/library/nginx:v1

下载测试

docker pull hub.wql.com/library/nginx:v1
 
kubectl  run nginx1-deployment --image=hub.wql.com/library/nginx:v1  --port=80 --replicas=1
 
kubectl  get pod
 
kubectl  get pod -o wide
 
 curl 10.244.3.24