Harbor 镜像管理专家

Harbor是一个企业级的镜像管理仓库，是VMware主导的一个开源项目（github地址：https://github.com/vmware/harbor）。

部署要求

Harbor会被部署为多个Docker容器，因此可以被部署到任何支持Docker的发行版Linux上。

部署步骤

1. 安装Docker

https://www.cnblogs.com/vincenshen/p/12726919.html

2. 安装Composer

curl -L "https://github.com/docker/compose/releases/download/1.25.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

chmod +x /usr/local/bin/docker-compose

ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

docker-compose --version

3. 下载Harbor安装包并解压到指定目录

https://github.com/goharbor/harbor/releases

mkdir -p /data/app

tar -zxvf harbor-offline-installer-v1.x.x.tgz -C /data/app

4. 生成SSL证书

openssl genrsa -out ca.key 

openssl req -x509 -new -nodes -sha512 -days  \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=Bytedance/OU=IT/CN=bytedance.com" \
 -key ca.key \
 -out ca.crt

openssl genrsa -out bytedance.com.key 

openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
    -key yourdomain.com.key \
    -out yourdomain.com.csr

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.=yourdomain.com
DNS.=yourdomain
DNS.=hostname
EOF

openssl x509 -req -sha512 -days  \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in yourdomain.com.csr \
    -out yourdomain.com.crt

openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert

5. 将证书复制到指定目录

mkdir -p /data/cert
cp yourdomain.com.crt /data/cert/
cp yourdomain.com.key /data/cert/

mkdir -p /etc/docker/certs.d/yourdomain.com/
cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
cp ca.crt /etc/docker/certs.d/yourdomain.com/

systemctl restart docker

6. 修改harbor配置文件

# vim /data/app/harbor/harbor.yml

hostname: harbor.xxxx.com
certificate: /data/cert/xxxx.com.crt
private_key: /data/cert/xxxx.com.key
harbor_admin_password: Harbor12345

7. 运行准备脚本

# cd /data/app/harbor/
# ./prepare
prepare base dir is set to /data/app/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

8. 运行安装脚本

# cd /data/app/harbor/
# ./install.sh 

[Step ]: checking if docker is installed ...

Note: docker version: 19.03.

[Step ]: checking docker-compose is installed ...

Note: docker-compose version: 1.25.

[Step ]: loading Harbor images ...
Loaded image: goharbor/harbor-db:v1.10.2
Loaded image: goharbor/notary-server-photon:v1.10.2
Loaded image: goharbor/clair-photon:v1.10.2
Loaded image: goharbor/harbor-portal:v1.10.2
Loaded image: goharbor/harbor-core:v1.10.2
Loaded image: goharbor/harbor-jobservice:v1.10.2
Loaded image: goharbor/harbor-registryctl:v1.10.2
Loaded image: goharbor/redis-photon:v1.10.2
Loaded image: goharbor/nginx-photon:v1.10.2
Loaded image: goharbor/chartmuseum-photon:v1.10.2
Loaded image: goharbor/harbor-log:v1.10.2
Loaded image: goharbor/registry-photon:v1.10.2
Loaded image: goharbor/notary-signer-photon:v1.10.2
Loaded image: goharbor/harbor-migrator:v1.10.2
Loaded image: goharbor/prepare:v1.10.2
Loaded image: goharbor/clair-adapter-photon:v1.10.2

[Step ]: preparing environment ...

[Step ]: preparing harbor configs ...
prepare base dir is set to /data/app/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

[Step ]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db     ... done
Creating harbor-portal ... done
Creating redis         ... done
Creating registry      ... done
Creating registryctl   ... done
Creating harbor-core   ... done
Creating nginx             ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----

9. 验证

# docker-compose ps
      Name                     Command                  State                          Ports
---------------------------------------------------------------------------------------------------------------
harbor-core         /harbor/harbor_core              Up (healthy)
harbor-db           /docker-entrypoint.sh            Up (healthy)   /tcp
harbor-jobservice   /harbor/harbor_jobservice  ...   Up (healthy)
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:->/tcp
harbor-portal       nginx -g daemon off;             Up (healthy)   /tcp
nginx               nginx -g daemon off;             Up (healthy)   0.0.0.0:->/tcp, 0.0.0.0:->/tcp
redis               redis-server /etc/redis.conf     Up (healthy)   /tcp
registry            /home/harbor/entrypoint.sh       Up (healthy)   /tcp
registryctl         /home/harbor/start.sh            Up (healthy)                                              

10. 浏览器登录

　https://harbor-ip

　用户名: admin  密码：Harbor12345

11. docker cli 登录 harbor

/usr/lib/systemd/system/docker.service中修改ExecStart的启动参数增加：

　　--insecure-registry  harbor.test.com

重启docker

　　systemctl daemon-reload && systemctl restart docker.service

登录harbor

　　docker login -u admin -p Harbor12345 harbor.test.com

参考文档

　　https://goharbor.io/docs/1.10/install-config/