Harbor私有映象倉庫(上)
阿新 • • 發佈:2021-11-01
連結:https://pan.baidu.com/s/1MAb0dllUwmoOk7TeVCZOVQ
提取碼:ldt5
複製這段內容後開啟百度網盤手機App,操作更方便哦
1. Harbor簡介
- VMware的開源專案https://github.com/vmware/harbor
- Harbor可幫助使用者迅速搭建企業級的註冊服務。它提供了管理圖形介面,基於角色的訪問控制(Role Based Access Control),映象遠端複製(同步),AD/LDAP整合,以及審計日誌等企業使用者需求的功能,同時還原生支援中文,深受中國使用者的喜愛。
- 該專案自推出以來,在GitHub獲得了超過3300多個star和900多個forks。
1.1 基於角色的訪問控制
使用者與Docker映象倉庫通過“專案”進行組織管理,一個使用者可以對多個映象倉庫在同一名稱空間(project)裡有不同的許可權。
1.2 圖形化使用者介面
使用者可以通過瀏覽器來瀏覽,檢索當前Docker映象倉庫,管理專案和名稱空間
1.3 審計管理
所有針對映象倉庫的操作都可以被記錄追溯,用於審計管理。
1.4 國際化
基於英文與中文語言進行了本地化。可以增加更多的語言支援。
1.5 RESTful API:
提供給管理員對於Harbor更多的操控,使得與其他管理軟體整合變得更容易。
1.6 LDAP認證
1.7 映象複製
基於策略的Docker映象複製功能,可在不同的資料中心,不同的執行環境之間同步映象,並提供友好的管理介面,大大簡化了實際運維中的映象管理工作。
1.8 與Clair整合
與Clair整合,新增漏洞掃描功能。Clair是coreos開源的容器漏洞掃描工具,在容器逐漸普及的今天,容器映象安全問題日益嚴重。Clair是目前少數的開源安全掃描工具。
1.9 Notary簽名工具
Notary是Docker映象的簽名工具,用來保證映象在pull,push和傳輸工程中的一致性和完整性,避免中間人攻擊,避免非法的映象更新和執行。
2. 為Harbor簽發域名證書
openssl是目前最流行的SSL密碼庫工具,提供了一個通用,功能完備的工具套件,用以支援SSL/TLS協議的實現。
官網:https://www.openssl.org/source/
環境準備
| 主機名 | IP | 用途 | 最小資源配比 | 最佳資源配比 |
|---|---|---|---|---|
| Harbor-master | 192.168.200.16 | harbor私有映象倉庫 | 2CPU | 4CPU |
| 4GBMEM | 8GB |
[root@Harbor-master ~]# hostname -I
192.168.200.16
[root@Harbor-master ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@Harbor-master ~]# uname -r
3.10.0-957.12.1.el7.x86_64
官方文件:https://github.com/vmware/harbor/blob/master/docs/configure_https.md
#建立自己的CA證書
[root@Harbor-master ~]# mkdir -p /data/ssl
[root@Harbor-master ~]# cd /data/ssl/
[root@Harbor-master ssl]# which openssl
/usr/bin/openssl
[root@Harbor-master ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
......++
.....................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:yunjisuan
Organizational Unit Name (eg, section) []:yunjisuan
Common Name (eg, your name or your server's hostname) []:www.yunjisuan.com
Email Address []:
#生成證書籤名請求
[root@Harbor-master ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.yunjisuan.com.key -out www.yunjisuan.com.csr
Generating a 4096 bit RSA private key
...........................................................................................................................................................................................++
............++
writing new private key to 'www.yunjisuan.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:yunjisuan
Organizational Unit Name (eg, section) []:yunjisuan
Common Name (eg, your name or your server's hostname) []:www.yunjisuan.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#生成登錄檔主機的證書
[root@Harbor-master ssl]# openssl x509 -req -days 365 -in www.yunjisuan.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.yunjisuan.com.crt
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=yunjisuan/OU=yunjisuan/CN=www.yunjisuan.com
Getting CA Private Key
#檢視證書情況
[root@Harbor-master ssl]# ll
總用量 24
-rw-r--r-- 1 root root 2049 7月 24 14:43 ca.crt
-rw-r--r-- 1 root root 3272 7月 24 14:43 ca.key
-rw-r--r-- 1 root root 17 7月 24 14:45 ca.srl
-rw-r--r-- 1 root root 1931 7月 24 14:45 www.yunjisuan.com.crt
-rw-r--r-- 1 root root 1716 7月 24 14:45 www.yunjisuan.com.csr
-rw-r--r-- 1 root root 3272 7月 24 14:45 www.yunjisuan.com.key
3. 信任自簽發的域名證書
由於CA證書是我們自己簽發的Linux作業系統是不信任的,因此我們需要把證書加入到系統的信任證書裡
#將自籤ca證書新增到系統信任
[root@Harbor-master ssl]# pwd
/data/ssl
[root@Harbor-master ssl]# cp www.yunjisuan.com.crt /etc/pki/ca-trust/source/anchors/
[root@Harbor-master ssl]# ll /etc/pki/ca-trust/source/anchors/
總用量 4
-rw-r--r-- 1 root root 1931 7月 24 14:49 www.yunjisuan.com.crt
#讓系統ca信任設定立刻生效
[root@Harbor-master ssl]# update-ca-trust enable
[root@Harbor-master ssl]# update-ca-trust extract
4.Harbor 1.4 版本配置與安裝
4.1 安裝docker-ce社群版
[root@Harbor-master ssl]# sestatus
SELinux status: disabled
[root@Harbor-master ssl]# yum -y install yum-utils device-mapper-persistent-data lvm2
[root@Harbor-master ssl]# rpm -qa yum-utils device-mapper-persistent-data lvm2
yum-utils-1.1.31-50.el7.noarch
device-mapper-persistent-data-0.7.3-3.el7.x86_64
lvm2-2.02.180-10.el7_6.8.x86_64
[root@Harbor-master ssl]# curl https://download.docker.com/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2424 100 2424 0 0 112 0 0:00:21 0:00:21 --:--:-- 686
[root@Harbor-master ssl]# yum -y install docker-ce
[root@Harbor-master ssl]# systemctl start docker
[root@Harbor-master ssl]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
[root@Harbor-master ssl]# docker version
Client: Docker Engine - Community
Version: 19.03.0
API version: 1.40
Go version: go1.12.5
Git commit: aeac9490dc
Built: Wed Jul 17 18:15:40 2019
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.0
API version: 1.40 (minimum version 1.12)
Go version: go1.12.5
Git commit: aeac9490dc
Built: Wed Jul 17 18:14:16 2019
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.2.6
GitCommit: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
runc:
Version: 1.0.0-rc8
GitCommit: 425e105d5a03fabd737a126ad93d62a9eeede87f
docker-init:
Version: 0.18.0
GitCommit: fec3683
4.2 下載並安裝harbor私有倉庫
#建立harbor的證書目錄,並複製
[root@Harbor-master ssl]# mkdir -p /etc/ssl/harbor
[root@Harbor-master ssl]# cp /data/ssl/www.yunjisuan.com.key /etc/ssl/harbor/
[root@Harbor-master ssl]# cp /data/ssl/www.yunjisuan.com.crt /etc/ssl/harbor/
[root@Harbor-master ssl]# ll /etc/ssl/harbor/
總用量 8
-rw-r--r-- 1 root root 1931 7月 24 15:43 www.yunjisuan.com.crt
-rw-r--r-- 1 root root 3272 7月 24 15:43 www.yunjisuan.com.key
#建立harbor下載目錄並下載harbor-offline-installer-v1.5.0.tgz
[root@Harbor-master ~]# mkdir -p /data/install
[root@Harbor-master ~]# cd /data/install/
[root@Harbor-master install]# wget http://harbor.orientsoft.cn/harbor-v1.5.0/harbor-offline-installer-v1.5.0.tgz
[root@Harbor install]# ls
harbor-offline-installer-v1.5.0.tgz
[root@Harbor install]# tar xf harbor-offline-installer-v1.5.0.tgz
[root@Harbor install]# ls
harbor harbor-offline-installer-v1.5.0.tgz
[root@Harbor install]# cd harbor
[root@Harbor harbor]# ll
總用量 854960
drwxr-xr-x 3 root root 23 7月 16 22:29 common #模板目錄
-rw-r--r-- 1 root root 1185 5月 2 23:34 docker-compose.clair.yml
-rw-r--r-- 1 root root 1725 5月 2 23:34 docker-compose.notary.yml
-rw-r--r-- 1 root root 3596 5月 2 23:34 docker-compose.yml
drwxr-xr-x 3 root root 156 5月 2 23:34 ha #harbor高可用配置
-rw-r--r-- 1 root root 6687 5月 2 23:34 harbor.cfg #harbor配置檔案
-rw-r--r-- 1 root root 875401338 5月 2 23:36 harbor.v1.5.0.tar.gz
-rwxr-xr-x 1 root root 5773 5月 2 23:34 install.sh
-rw-r--r-- 1 root root 10771 5月 2 23:34 LICENSE
-rw-r--r-- 1 root root 482 5月 2 23:34 NOTICE
-rwxr-xr-x 1 root root 27379 5月 2 23:34 prepare
[root@Harbor harbor]# cp harbor.cfg{,.bak}
#修改harbor.cfg配置檔案
[root@Harbor harbor]# cat -n harbor.cfg.bak | sed -n '7p;11p;23p;24p;68p'
7 hostname = reg.mydomain.com #要修改成我們證書的域名
11 ui_url_protocol = http #啟用加密傳輸協議https
23 ssl_cert = /data/cert/server.crt #證書的位置
24 ssl_cert_key = /data/cert/server.key #證書金鑰位置
68 harbor_admin_password = Harbor12345 #預設管理員及密碼
#修改成如下配置
[root@Harbor harbor]# cat -n harbor.cfg | sed -n '7p;11p;23p;24p;68p'
7 hostname = www.yunjisuan.com
11 ui_url_protocol = https
23 ssl_cert = /etc/ssl/harbor/www.yunjisuan.com.crt
24 ssl_cert_key = /etc/ssl/harbor/www.yunjisuan.com.key
68 harbor_admin_password = Harbor12345
#安裝命令docker-compose(需要1.21版本)
[root@Harbor-master harbor]# curl -L https://github.com/docker/compose/releases/download/1.21.2/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 617 0 617 0 0 519 0 --:--:-- 0:00:01 --:--:-- 519
100 10.3M 100 10.3M 0 0 354k 0 0:00:29 0:00:29 --:--:-- 494k
[root@Harbor-master harbor]# ll /usr/local/bin/docker-compose
-rw-r--r-- 1 root root 10858808 7月 24 17:30 /usr/local/bin/docker-compose
[root@Harbor-master harbor]# chmod +x /usr/local/bin/docker-compose
[root@Harbor-master harbor]# ll /usr/local/bin/docker-compose
-rwxr-xr-x 1 root root 10858808 7月 24 17:30 /usr/local/bin/docker-compose
[root@Harbor-master harbor]# which docker-compose
/usr/local/bin/docker-compose
[root@Harbor-master harbor]# docker-compose --version
docker-compose version 1.21.2, build a133471
#安裝harbor私有映象倉庫
[root@Harbor-master harbor]# ./install.sh --with-notary --with-clair
#--with-notary啟用映象簽名;--with-clair啟用漏洞掃描
#檢視harbor啟動的映象
[root@Harbor-master harbor]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3b0f60eb2260 vmware/harbor-jobservice:v1.5.0 "/harbor/start.sh" 23 seconds ago Up 15 seconds harbor-jobservice
005954f3ec5c vmware/nginx-photon:v1.5.0 "nginx -g 'daemon of…" 23 seconds ago Up 21 seconds (health: starting) 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp nginx
e5a4e4d0cf56 vmware/notary-server-photon:v0.5.1-v1.5.0 "/bin/server-start.sh" 23 seconds ago Up 21 seconds notary-server
0ece0afef7a6 vmware/notary-signer-photon:v0.5.1-v1.5.0 "/bin/signer-start.sh" 24 seconds ago Up 22 seconds notary-signer
b7549c31328b vmware/clair-photon:v2.0.1-v1.5.0 "/docker-entrypoint.…" 24 seconds ago Up 18 seconds (health: starting) 6060-6061/tcp clair
1e6d6bb0bbdf vmware/harbor-ui:v1.5.0 "/harbor/start.sh" 24 seconds ago Up 22 seconds (health: starting) harbor-ui
e0fe40b6804a vmware/mariadb-photon:v1.5.0 "/usr/local/bin/dock…" 25 seconds ago Up 23 seconds 3306/tcp notary-db
30331b6c8918 vmware/postgresql-photon:v1.5.0 "/entrypoint.sh post…" 25 seconds ago Up 23 seconds (health: starting) 5432/tcp clair-db
24e4856ac9a3 vmware/harbor-adminserver:v1.5.0 "/harbor/start.sh" 25 seconds ago Up 23 seconds (health: starting) harbor-adminserver
0901a7fa027c vmware/harbor-db:v1.5.0 "/usr/local/bin/dock…" 25 seconds ago Up 23 seconds (health: starting) 3306/tcp harbor-db
1cea792c4656 vmware/redis-photon:v1.5.0 "docker-entrypoint.s…" 25 seconds ago Up 24 seconds 6379/tcp redis
7ea870371dcc vmware/registry-photon:v2.6.2-v1.5.0 "/entrypoint.sh serv…" 25 seconds ago Up 23 seconds (health: starting) 5000/tcp registry
cceb28b45a0d vmware/harbor-log:v1.5.0 "/bin/sh -c /usr/loc…" 25 seconds ago Up 24 seconds (health: starting) 127.0.0.1:1514->10514/tcp harbor-log
通過瀏覽器進行訪問測試https://192.168.200.16
專案建立:設定為僅管理員(企業中不會讓註冊使用者隨便建立) 不允許自動註冊
5.映象管理與安全:漏洞掃描和映象簽名
5.1 新增docker國內公有映象源
[root@Harbor-master harbor]# cat /etc/docker/daemon.json
{
"registry-mirrors":[ "https://registry.docker-cn.com" ]
}
[root@Harbor-master harbor]# systemctl daemon-reload
[root@Harbor-master harbor]# systemctl restart docker
5.2 重新啟動Harbor私有映象倉庫
#讓harbor修改過的配置立刻生效
[root@Harbor-master harbor]# ./prepare
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
##以下省略若干。。。
#清理所有harbor容器程序
[root@Harbor-master harbor]# docker-compose down
Stopping harbor-jobservice ... done
Stopping nginx ... done
Stopping harbor-ui ... done
Stopping harbor-adminserver ... done
Stopping harbor-db ... done
Stopping redis ... done
Stopping registry ... done
Stopping harbor-log ... done
WARNING: Found orphan containers (notary-server, notary-signer, clair, notary-db, clair-db) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
Removing harbor-jobservice ... done
Removing nginx ... done
Removing harbor-ui ... done
Removing harbor-adminserver ... done
Removing harbor-db ... done
Removing redis ... done
Removing registry ... done
Removing harbor-log ... done
Removing network harbor_harbor
#後臺啟動所有harbor容器程序
[root@Harbor-master harbor]# docker-compose up -d
Creating network "harbor_harbor" with the default driver
WARNING: Found orphan containers (clair, notary-db, clair-db) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
Creating harbor-log ... done
Creating redis ... done
Creating registry ... done
Creating harbor-db ... done
Creating harbor-adminserver ... done
Creating harbor-ui ... done
Creating nginx ... done
Creating harbor-jobservice ... done
5.3 下載一個公有映象並上傳到harbor
#harbor本地下載一個公有倉庫映象centos:7
[root@Harbor-master install]# docker pull centos:7
#本地對映私有倉庫域名
[root@Harbor-master harbor]# tail -1 /etc/hosts
192.168.200.16 www.yunjisuan.com
#將centos:7映象改名並上傳私有映象倉庫
[root@Harbor-master install]# docker tag centos:7 www.yunjisuan.com/library/centos:7
[root@Harbor-master install]# docker images | grep centos
centos 7 9f38484d220f 4 months ago 202MB
www.yunjisuan.com/library/centos 7 9f38484d220f 4 months ago 202MB
#登陸驗證harbor私有倉庫,並上傳映象
[root@Harbor-master install]# docker login www.yunjisuan.com
Username: admin
Password: Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@Harbor-master install]# docker push www.yunjisuan.com/library/centos:7
The push refers to repository [www.yunjisuan.com/library/centos]
d69483a6face: Pushed
7: digest: sha256:ca58fe458b8d94bc6e3072f1cfbd334855858e05e1fd633aa07cf7f82b048e66 size: 529
#重新啟用漏洞掃描
[root@Harbor-master install]# cd /data/install/harbor
[root@Harbor-master harbor]# ./install.sh --with-notary --with-clair
5.4 登陸瀏覽器檢視映象上傳結果,並掃描漏洞
5.5 設定映象倉庫安全等級
5.6 為docker客戶端下發域名證書
| 主機名 | IP | 用途 | 最小資源配比 | 最佳資源配比 |
|---|---|---|---|---|
| Docker-client | 192.168.200.17 | docker客戶端 | ||
| Harbor-master | 192.168.200.16 | harbor私有映象倉庫 | 2CPU | 4CPU |
| 4GBMEM | 8GB |
#對映harbor私有倉庫域名
[root@Docker-client ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@Docker-client ~]# uname -r
3.10.0-957.12.1.el7.x86_64
[root@Docker-client ~]# hostname -I
192.168.200.17
[root@Docker-client ~]# tail -1 /etc/hosts
192.168.200.16 www.yunjisuan.com
#安裝docker-ce社群版
[root@Docker-client ~]# sestatus
SELinux status: disabled
[root@Docker-client ~]# systemctl stop firewalld
[root@Docker-client ~]# systemctl disable firewalld
[root@Docker-client ~]# yum -y install yum-utils device-mapper-persistent-data lvm2
[root@Docker-client ~]# rpm -qa yum-utils device-mapper-persistent-data lvm2
yum-utils-1.1.31-50.el7.noarch
device-mapper-persistent-data-0.7.3-3.el7.x86_64
lvm2-2.02.180-10.el7_6.8.x86_64
[root@Docker-client ~]# curl https://download.docker.com/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2424 100 2424 0 0 3925 0 --:--:-- --:--:-- --:--:-- 3922
[root@Docker-client ~]# yum -y install docker-ce
[root@Docker-client ~]# systemctl start docker
[root@Docker-client ~]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
[root@Docker-client ~]# docker version
Client: Docker Engine - Community
Version: 19.03.0
API version: 1.40
Go version: go1.12.5
Git commit: aeac9490dc
Built: Wed Jul 17 18:15:40 2019
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.0
API version: 1.40 (minimum version 1.12)
Go version: go1.12.5
Git commit: aeac9490dc
Built: Wed Jul 17 18:14:16 2019
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.2.6
GitCommit: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
runc:
Version: 1.0.0-rc8
GitCommit: 425e105d5a03fabd737a126ad93d62a9eeede87f
docker-init:
Version: 0.18.0
GitCommit: fec3683
#配置國內公有映象源
[root@Docker-client ~]# cat /etc/docker/daemon.json
{
"registry-mirrors":[ "https://registry.docker-cn.com" ]
}
[root@Docker-client ~]# systemctl daemon-reload
[root@Docker-client ~]# systemctl restart docker
#下載mongo公有映象
[root@Docker-client ~]# docker pull mongo
Using default tag: latest
latest: Pulling from library/mongo
f7277927d38a: Pull complete
8d3eac894db4: Pull complete
edf72af6d627: Pull complete
3e4f86211d23: Pull complete
5747135f14d2: Pull complete
f56f2c3793f6: Pull complete
f8b941527f3a: Pull complete
4000e5ef59f4: Pull complete
ad518e2379cf: Pull complete
919225fc3685: Pull complete
45ff8d51e53a: Pull complete
4d3342ddfd7b: Pull complete
26002f176fca: Pull complete
Digest: sha256:7df93c5e2d140beabc39ef225da618df28cc916a5f5f295a41858accc0f46a0b
Status: Downloaded newer image for mongo:latest
docker.io/library/mongo:latest
[root@Docker-client ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
mongo latest 9c02a5a12c52 18 hours ago 413MB
#為docker客戶端下發域名(在harbor本地執行操作)
#將harbor上自簽發的域名證書www.yunjisuan.com.crt複製到docker客戶端對應目錄下
[root@Harbor-master install]# cd /data/ssl/
[root@Harbor-master ssl]# scp www.yunjisuan.com.crt 192.168.200.17:/etc/pki/ca-trust/source/anchors/
[email protected]'s password:
www.yunjisuan.com.crt 100% 1931 1.6MB/s 00:00
#在docker客戶端上執行操作,讓證書立刻生效
[root@Docker-client ~]# update-ca-trust enable
[root@Docker-client ~]# update-ca-trust extract
#下發證書後必須重啟動docker-client的docker服務
[root@Docker-client ~]# systemctl restart docker
#docker-client登陸harbor倉庫進行登陸驗證
[root@Docker-client ~]# cd /etc/pki/ca-trust/source/anchors/
[root@Docker-client anchors]# ll
總用量 4
-rw-r--r-- 1 root root 1931 7月 24 19:56 www.yunjisuan.com.crt
[root@Docker-client anchors]# docker login www.yunjisuan.com
Username: admin
Password: Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
#修改映象的名字並上傳harbor私有倉庫
[root@Docker-client anchors]# docker tag mongo:latest www.yunjisuan.com/library/mongo
[root@Docker-client anchors]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
mongo latest 9c02a5a12c52 18 hours ago 413MB
www.yunjisuan.com/library/mongo latest 9c02a5a12c52 18 hours ago 413MB
[root@Docker-client anchors]# docker push www.yunjisuan.com/library/mongo
The push refers to repository [www.yunjisuan.com/library/mongo]
3ea1af4d89d2: Pushed
d1badfd80c45: Pushed
be68547708c3: Pushed
26c9058be51d: Pushed
689158adef1e: Pushed
2ee7e1a20686: Pushed
6a272ecc48d7: Pushed
4ad102c46894: Pushed
b03801a3ccd1: Pushed
e79142719515: Pushed
aeda103e78c9: Pushed
2558e637fbff: Pushed
f749b9b0fb21: Pushed
latest: digest: sha256:7328ced1dd646dd65a20dbf3ae430835ce75ad6cdbfe59c83185ddb719dd5913 size: 3030
瀏覽器登陸harbor進行檢視:https://192.168.200.16
出現漏洞的映象截圖:
5.7 FAQ:問題解答
windows10最新版本預設拒絕非認證的域名證書
如果啟動harbor採用的https加密證書的方式,最新版本windows10瀏覽器訪問的話,預設會直接說“站點不安全,拒絕連線”。 那麼我們可以採用非https的方式啟動harbor
[root@harbor-master ~]# sed -n '11p' /data/install/harbor/harbor.cfg
ui_url_protocol = http
但是我們要是採用非https加密方式啟動harbor的話。最新版本的docker是登陸不了的。這是因為新版本docker預設是以https方式登陸harbor
[root@Harbor-Slave docker]# docker login -uadmin -pHarbor12345 www.yunjisuan.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://www.yunjisuan.com/v2/: dial tcp 192.168.200.74:443: connect: connection refused
為了解決登陸問題,我們需要在/etc/docker/下建立一個daemon.json名字的檔案,加入http方式登陸的harbor域名
[root@Harbor-Slave docker]# cat /etc/docker/daemon.json
{
"insecure-registries":[ "www.yunjisuan.com" ]
}
[root@Harbor-Slave docker]# systemctl restart docker #需要重啟
#然後我們再次登陸harbor
[root@harbor-slave harbor]# docker login -uadmin -pHarbor12345 www.yunjisuan.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded #登陸成功
6. Harbor映象的複製與同步
harbor私有倉庫的主從複製,類似於MySQL,屬於1對多的複製
| 主機名 | IP | 用途 | 最小資源配比 | 最佳資源配比 |
|---|---|---|---|---|
| Docker-client | 192.168.200.17 | docker客戶端 | ||
| Harbor-master | 192.168.200.16 | harbor私有映象倉庫 | 2CPU | 4CPU |
| 4GBMEM | 8GB | |||
| Harbor-slave | 192.168.200.18 | harbor私有映象倉庫 | 2CPU | 4CPU |
| 4GBMEM | 8GB |
6.1 部署Habor-Slave
再安裝一個harbor私有倉庫作為harbor的從庫,域名為www2.yunjisuan.com
在Harbor-Master和Harbor-Slave上做域名對映
#主Harbor
[root@Harbor-master ~]# tail -2 /etc/hosts
192.168.200.16 www.yunjisuan.com
192.168.200.18 www2.yunjisuan.com
#從Harbor
[root@Harbor-slave ~]# tail -2 /etc/hosts
192.168.200.16 www.yunjisuan.com
192.168.200.18 www2.yunjisuan.com
特別提示:離線方式安裝的Habor容器預設會從LDNS處獲取對應的域名的IP解析,並不找本地的hosts檔案
由於我們是自己是自己設定的域名,因此,需要搭建用於內網解析的LDNS域名解析伺服器
6.2 搭建LDNS域名解析伺服器
| 主機名 | IP | 用途 | 最小資源配比 | 最佳資源配比 |
|---|---|---|---|---|
| Docker-client | 192.168.200.17 | docker客戶端 | ||
| Harbor-master | 192.168.200.16 | harbor私有映象倉庫 | 2CPU | 4CPU |
| 4GBMEM | 8GB | |||
| Harbor-slave | 192.168.200.18 | harbor私有映象倉庫 | 2CPU | 4CPU |
| 4GBMEM | 8GB | |||
| LDNS | 192.168.200.19 | 本地DNS |
[root@LDNS ~]# yum -y install bind bind-chroot bind-utils
[root@LDNS ~]# rpm -qa bind bind-chroot bind-utils
bind-chroot-9.9.4-74.el7_6.1.x86_64
bind-9.9.4-74.el7_6.1.x86_64
bind-utils-9.9.4-74.el7_6.1.x86_64
[root@LDNS ~]# cd /etc/
[root@LDNS etc]# cp named.conf{,.bak}
#配置檔案修改成如下所示:
[root@LDNS etc]# cat named.conf
options {
listen-on port 53 { 192.168.200.19; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
forwarders { 192.168.200.2; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "yunjisuan.com" IN {
type master;
file "yunjisuan.com.zone";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
#檢查配置檔案是否有錯
[root@LDNS etc]# named-checkconf /etc/named.conf
#建立正向解析檔案
[root@LDNS etc]# cd /var/named
[root@LDNS named]# ls
chroot data dynamic named.ca named.empty named.localhost named.loopback slaves
[root@LDNS named]# cp -p named.empty yunjisuan.com.zone
[root@LDNS named]# vim yunjisuan.com.zone
[root@LDNS named]# cat yunjisuan.com.zone
$TTL 1D
@ IN SOA yunjisuan.com. root.ns1.yunjisuan.com. (
20190725 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns1.yunjisuan.com.
ns1 A 192.168.200.19
www A 192.168.200.16
www2 A 192.168.200.18
#測試正向解析檔案是否有錯
[root@LDNS named]# named-checkzone yunjisuan.com yunjisuan.com.zone
zone yunjisuan.com/IN: loaded serial 20190725
OK
#啟動域名解析服務
[root@LDNS named]# systemctl start named
[root@LDNS named]# ss -antup | grep named
udp UNCONN 0 0 192.168.200.19:53 *:* users:(("named",pid=7085,fd=512))
tcp LISTEN 0 10 192.168.200.19:53 *:* users:(("named",pid=7085,fd=21))
tcp LISTEN 0 128 127.0.0.1:953 *:* users:(("named",pid=7085,fd=22))
tcp LISTEN 0 128 ::1:953 :::* users:(("named",pid=7085,fd=23))
#將本地DNS改成自己,進行解析測試
[root@LDNS named]# cat /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
search localdomain
nameserver 192.168.200.19
[root@LDNS named]# nslookup www.baidu.com
Server: 192.168.200.19
Address: 192.168.200.19#53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com.
Name: www.a.shifen.com
Address: 61.135.169.125
Name: www.a.shifen.com
Address: 61.135.169.121
[root@LDNS named]# nslookup www.yunjisuan.com
Server: 192.168.200.19
Address: 192.168.200.19#53
Name: www.yunjisuan.com
Address: 192.168.200.16
[root@LDNS named]# nslookup www2.yunjisuan.com
Server: 192.168.200.19
Address: 192.168.200.19#53
Name: www2.yunjisuan.com
Address: 192.168.200.18
6.3 構建Harbor主從同步
提示:如果Harbor不是已經繫結的公網域名,那麼必須構建自己的本地LDNS
#修改Harbor-master上的域名解析DNS伺服器為本地構建的LDNS
[root@Harbor-master harbor]# cat /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
search localdomain
nameserver 192.168.200.19
[root@Harbor-master harbor]# nslookup www2.yunjisuan.com
Server: 192.168.200.19
Address: 192.168.200.19#53
Name: www2.yunjisuan.com
Address: 192.168.200.18
至此,Harbor倉庫主從複製已經構建完畢。
備註:如果勾選了阻止潛在漏洞的選項會影響harbor主從複製
特別提示:如果是harbor經歷過vmware虛擬機器的暫停和恢復。那麼很可能之前能夠訪問的harbor倉庫,恢復後卻不行了。此時,需要重啟dorker程序並重新harbor容器程序。