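Deploying a Harbor Private Registry

Introduction to Harbor

Harbor is an open-source solution for building an enterprise-grade private Docker image registry. It is a higher-level wrapper around Docker Registry: in addition to a friendly web UI, role and user permission management, and auditing of user operations, it also integrates a repository for K8s add-ons. That is, Helm downloads, manages and installs K8s add-ons as charts, and chartmuseum provides the repository that stores the chart data (note: Helm is to K8s what yum is to the OS). Harbor also integrates two open-source security components, Notary and Clair. Notary is similar to a private CA, while Clair is a container security scanner: it obtains the latest vulnerability information from the CVE databases provided by the major vendors and scans the containers that users upload for known vulnerabilities. These two security features are very valuable for an enterprise private registry.

1. Install Docker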

yum -y install docker-ce

systemctl  restart docker && systemctl enable docker

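Every other node that needs to use the registry must add the following as well:

# hub.wql.com is the registry domain name (JSON has no comment syntax, so this note stays outside the file)
cat > /etc/docker/daemon.json <<EOF
{
  "insecure-registries":["https://hub.wql.com"]
}
EOF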

 

mkdir -p /etc/systemd/system/docker.service.d

systemctl daemon-reload && systemctl restart docker && systemctl enable docker

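2. Install Compose, the Docker orchestration tool

It is best to download it yourself from the website, because the command-line download often fails.

Download locations: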

curl -L https://github.com/docker/compose/releases/download/1.9.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose

https://github.com/docker/compose/releases/tag/1.14.0-rc2

https://github.com/docker/compose/releases/tag/1.25.0-rc4

wget -O docker-compose https://github.com/docker/compose/releases/download/1.14.0-rc2/docker-compose-Linux-x86_64

yum -y install  lrzsz

mv  docker-compose  /usr/local/bin

chmod a+x /usr/local/bin/docker-compose

3. Install Harbor

Download: the official Harbor releases page: https://github.com/vmware/harbor/releases

Package URL: https://github.com/vmware/harbor/releases/download/v1.2.0/harbor-offline-installer-v1.2.0.tgz

tar -zxvf  harbor-offline-installer-v1.2.0.tgz

 mv harbor /usr/local/

 cd /usr/local/harbor/

[root@harbor harbor]# vim harbor.cfg

hostname = hub.wql.com    (domain name)

ui_url_protocol = https    (protocol)

ssl_cert = /data/cert/server.crt    (create the /data/cert directory first)

 mkdir -p /data/cert

4. Create the certificate

cd /data/cert

[root@harbor cert]# openssl genrsa -des3 -out server.key 2048
Enter pass phrase for server.key:    (enter a passphrase here; any value will do)
Verifying - Enter pass phrase for server.key:

[root@harbor cert]# openssl req -new -key server.key -out server.csr    # create the certificate signing request
Enter pass phrase for server.key:    (enter the passphrase)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    (country)
State or Province Name (full name) []:BJ    (city)
Locality Name (eg, city) [Default City]:BJ    (locality)
Organization Name (eg, company) [Default Company Ltd]:wql    (organization)
Organizational Unit Name (eg, section) []:wql    (organizational unit)
Common Name (eg, your name or your server's hostname) []:hub.wql.com    (server domain name)
Email Address []:wqlong0821@163.com    (administrator email)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    (whether to set a challenge password; just press Enter here)
An optional company name []:

cp server.key server.key.org    # back up the key

openssl rsa -in server.key.org -out server.key    # convert the key (remove the passphrase)

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt    # sign the certificate

chmod a+x *    # set permissions; there are 4 files in total
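
The settings from steps 3 and 4 can be checked before the installer is run. The script below is an added example, not part of the original post or of Harbor: it reads harbor.cfg and reports plain HTTP, a missing certificate, a private key accessible beyond its owner, and the default admin password Harbor12345. The keys ssl_cert_key and harbor_admin_password are not shown on this page and are assumed to be present in harbor.cfg; the finding names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit harbor.cfg before ./install.sh.
# ssl_cert_key and harbor_admin_password are harbor.cfg keys the page does not
# show; they are assumed to be present in the file.

# cfg_get FILE KEY: print the value of the first "KEY = value" line, skipping comments.
cfg_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        {
            pos = index($0, "=")
            if (pos == 0) next
            key = substr($0, 1, pos - 1); val = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) { print val; exit }
        }' "$1"
}

# audit_harbor FILE: print one finding per line; print nothing when the setup is clean.
audit_harbor() {
    cfg=$1
    proto=$(cfg_get "$cfg" ui_url_protocol)
    cert=$(cfg_get "$cfg" ssl_cert)
    key=$(cfg_get "$cfg" ssl_cert_key)
    pass=$(cfg_get "$cfg" harbor_admin_password)

    [ "$proto" = "https" ] || echo "PLAINTEXT_UI ui_url_protocol=$proto"
    [ -s "$cert" ] || echo "CERT_MISSING $cert"
    if [ -f "$key" ]; then
        # Characters 5-10 of the ls mode string are the group and other bits.
        # The passphrase was stripped from server.key, so file mode is its only protection.
        bits=$(ls -ld "$key" | cut -c5-10)
        [ "$bits" = "------" ] || echo "KEY_EXPOSED $key group/other=$bits"
    else
        echo "KEY_MISSING $key"
    fi
    [ "$pass" != "Harbor12345" ] || echo "DEFAULT_ADMIN_PASSWORD"
    return 0
}

# Run against the path used on this page (or the first argument) when the file exists.
cfg=${1:-/usr/local/harbor/harbor.cfg}
if [ -f "$cfg" ]; then audit_harbor "$cfg"; fi
```

The chmod a+x * in step 4 sets execute bits for group and other on server.key, which this reports as KEY_EXPOSED; chmod 600 server.key clears it.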

5. Run the install script

cd /usr/local/harbor/

./install.sh

vim  /etc/hosts

192.168.4.10    master01

192.168.4.50    node01

192.168.4.51    node02

192.168.4.53    hub.wql.com

6. Verify access from a browser

https://hub.wql.com/

Note that the default administrator username / password is admin / Harbor12345.

The following commands must be run from the /usr/local/harbor/ directory.

Restart Harbor:

./prepare 

 docker-compose down   # stop docker-compose

 docker-compose up -d   # start docker-compose

7. Test login from the command line

~]# docker login https://hub.wql.com

Username: admin  #username

Password:  #password

WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

Configure a credential helper to remove this warning.

See https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

8. Push an image

Tag the image and upload it to Harbor:

docker tag   nginx:v1  hub.wql.com/library/nginx:v1

docker push   hub.wql.com/library/nginx:v1

Pull test:

docker pull hub.wql.com/library/nginx:v1

kubectl  run nginx1-deployment --image=hub.wql.com/library/nginx:v1  --port=80 --replicas=1

kubectl  get pod

kubectl  get pod -o wide

 curl 10.244.3.24