Deploying Harbor (CentOS 7) with HTTPS
Harbor is an enterprise-class Registry server for storing and distributing Docker images.
Deployment guide, from the official documentation: https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md
Hardware requirements:
Resource  Capacity  Description
CPU       2 CPU     4 CPU is preferred
Mem       4 GB      8 GB is preferred
Disk      40 GB     160 GB is preferred
Software requirements:
Software        Version
Python          version 2.7 or higher (bundled with the OS)
Docker engine   version 1.10 or higher
Docker Compose  version 1.6.0 or higher
OpenSSL         latest (bundled with the OS)
1. Install docker and docker compose
For installing docker, see my other article (http://blog.51cto.com/9406836/2314122)
Install docker compose:
sudo curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
2. Download the Harbor offline installer
mkdir /harbor
cd /harbor
wget https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.5.4.tgz
tar xvf harbor-offline-installer-v1.5.4.tgz
cd harbor
3. Generate the keys and certificates with openssl
3.1 Generate a self-signed CA certificate and its private key. (This step overlaps with the following ones, because I then signed the server certificate again acting as the CA.)
mkdir /pri
cd /pri
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -x509 -days 365 -out ca.crt
Values entered at the interactive subject prompts:
/C=CN
/ST=GUANGDONG
/L=SZ
/O=example
/OU=Personal
/CN=yourdomain.com
# -newkey generates a new private key; -nodes leaves it unencrypted; -keyout is the private key output file; -x509 outputs a self-signed certificate instead of a CSR; -out is the certificate output file; -days is the validity period
3.2 Edit the certificate extension file v3.ext (its main purpose is to add multi-domain validation via subjectAltName, so that, for example, a google.com certificate can also cover youku.com and other names)
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names] # this is the key part: the entries below are your hostnames, e.g. mine is redhat.example.com
DNS.1=yourdomain.com
DNS.2=yourdomain
DNS.3=hostname
EOF
3.3 Issue the certificate for the Harbor server (redhat.example.com is used as the example; remember to update hosts accordingly).
Generate the server private key:
openssl genrsa -out redhat.example.com.key 2048
Generate the certificate signing request (according to hearsay, the CN must match the server hostname):
openssl req -sha512 -new \
-subj "/C=CN/ST=GUANGDONG/L=SZ/O=XXX/OU=XXX/CN=redhat.example.com" \
-key redhat.example.com.key \
-out redhat.example.com.csr
3.4 Sign the request on the CA server (mine is the same machine)
cd /pri
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in redhat.example.com.csr \
-out redhat.example.com.crt
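The same chain as steps 3.1 to 3.4, as an added example that is not part of the original post: it runs non-interactively and then performs the checks the post leaves out (the server certificate chains to ca.crt, carries the hostname in its SAN, and matches its private key). The hostname, output directory and subject values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: runs steps 3.1-3.4 without
# interactive prompts and then checks the result. Hostname, output directory
# and subject values are assumptions.
set -eu

HOST="${HOST:-redhat.example.com}"   # assumed Harbor hostname
OUT="${OUT:-$(mktemp -d)}"            # assumed working directory

make_chain() (
  cd "$OUT"
  # 3.1: self-signed CA; -subj replaces the interactive prompts
  openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -x509 -days 365 \
    -subj "/C=CN/ST=GUANGDONG/L=SZ/O=example/OU=Personal/CN=example-ca" \
    -out ca.crt 2>/dev/null
  # 3.2: v3 extensions; the SAN entries are what Docker and browsers check
  cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=$HOST
DNS.2=${HOST%%.*}
EOF
  # 3.3 and 3.4: server key, CSR with CN = hostname, CA-signed certificate
  openssl genrsa -out "$HOST.key" 2048 2>/dev/null
  openssl req -sha512 -new -subj "/C=CN/O=example/CN=$HOST" \
    -key "$HOST.key" -out "$HOST.csr"
  openssl x509 -req -sha512 -days 3650 -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in "$HOST.csr" -out "$HOST.crt" 2>/dev/null
)

# Succeeds only if the server cert chains to ca.crt, lists $HOST in its SAN,
# and its public key matches $HOST.key (a mismatch makes nginx refuse to start).
verify_chain() (
  cd "$OUT"
  openssl verify -CAfile ca.crt "$HOST.crt" | grep -q ': OK$'
  openssl x509 -noout -text -in "$HOST.crt" | grep -q "DNS:$HOST"
  [ "$(openssl x509 -noout -pubkey -in "$HOST.crt")" = \
    "$(openssl pkey -pubout -in "$HOST.key")" ]
)

if [ "${1:-}" = "run" ]; then make_chain && verify_chain && echo "chain OK in $OUT"; fi
```

Run it as `sh script.sh run`; the files land in $OUT and can then be copied as in steps 3.5 and 3.6.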
3.5 Install the certificate and key into place (the directory Harbor reads them from; harbor.cfg below points at the .crt and .key here)
mkdir -p /data/cert
cp redhat.example.com.key /data/cert/
cp redhat.example.com.crt /data/cert/
3.6 Install the certificate for the Docker daemon; Docker requires the certificate file to end in .cert, and the directory under certs.d is named after the registry hostname used above
openssl x509 -inform PEM -in redhat.example.com.crt -out redhat.example.com.cert
mkdir -p /etc/docker/certs.d/redhat.example.com
cp redhat.example.com.cert /etc/docker/certs.d/redhat.example.com/
cp redhat.example.com.key /etc/docker/certs.d/redhat.example.com/
cp ca.crt /etc/docker/certs.d/redhat.example.com/
After deployment the layout is as follows:
/etc/docker/certs.d/
└── yourdomain.com:port
    ├── yourdomain.com.cert <-- Server certificate signed by CA
    ├── yourdomain.com.key  <-- Server private key
    └── ca.crt              <-- Certificate authority that signed the registry certificate
4. Deploy Harbor
4.1 Edit the configuration file
cd /harbor/harbor
vim harbor.cfg
#set hostname
hostname = redhat.example.com
#set ui_url_protocol
ui_url_protocol = https
......
#The path of cert and key files for nginx, they are applied only when the protocol is set to https
ssl_cert = /data/cert/redhat.example.com.crt
ssl_cert_key = /data/cert/redhat.example.com.key
4.2 Generate the configuration files
./prepare
4.3 Install Harbor
./install.sh
4.4 Start Harbor
docker-compose start
#4.5 Stop Harbor
docker-compose stop
5. Access and register through the web UI
5.1 Login page
https://redhat.example.com (remember to add the hosts entry and to trust the CA certificate in the browser)
5.2 Register an account
Username: xxx  Password: xxx
6. Pull images from a client
6.1 First add the self-signed CA certificate to the client's trust store (the commands below use the Debian/Ubuntu layout; on CentOS 7 the equivalent is to copy ca.crt into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust)
cp ca.crt /usr/local/share/ca-certificates/ca.crt
update-ca-certificates
6.2 Restart docker
systemctl restart docker
6.3 Log in to Harbor
docker login redhat.example.com
Username: xxx  Password: xxx
That's all for now. I actually wanted to write up many more of the details as I understand them, but I am afraid of misleading people, so please go and look them up yourselves.