Docker 下Harbor环境离线安装
此文章为此视频讲解的笔记
链接:https://pan.baidu.com/s/1wuOrTa7txX-8maKLDue4ng
提取码:rpjg
介绍:
1、离线安装harbor
2、配置harbor https 相关证书openssl 生成
3、对本地CA证书许可
4、利用docker 命令登录harbor,将本地镜像上传到服务器,将harbor镜像下载并安装到虚拟机中
5、附上hostname 为 192.168.78.5 时的完整步骤
一、离线安装harbor
1、镜像下载:https://github.com/goharbor/harbor/releases
我用的是https://github.com/goharbor/harbor/releases/tag/v1.9.3
harbor-offline-installer-v1.9.3.tgz
配置文档 https://goharbor.io/docs/2.0.0/install-config/
2、操作过程
下载harbor-offline-installer-v1.9.3.tgz
[root@localhost ]#wget https://github.com/goharbor/harbor/releases/download/v1.9.3/harbor-offline-installer-v1.9.3.tgz
解压harbor-offline-installer-v1.9.3.tgz
[root@localhost ]# tar zxvf harbor-offline-installer-v1.9.3.tgz
移动到/usr/local/harbor
[root@localhost harbor]# mv ../harbor /usr/local/
[root@localhost harbor]# cd /usr/local/harbor/
配置harbor.yml ,安装harbor很简单,但是需要配置https
[root@localhost ]# ll
drwxr-xr-x 2 root root 100 9月 2 10:01 harbor
-rw-r--r-- 1 root root 634959522 11月 18 2019 harbor-offline-installer-v1.9.3.tgz
[root@localhost ]# cd harbor/
[root@localhost harbor]# ll
-rw-r--r-- 1 root root 638288840 11月 14 2019 harbor.v1.9.3.tar.gz
-rw-r--r-- 1 root root 5805 11月 14 2019 harbor.yml
-rwxr-xr-x 1 root root 5088 11月 14 2019 install.sh
-rw-r--r-- 1 root root 11347 11月 14 2019 LICENSE
-rwxr-xr-x 1 root root 1748 11月 14 2019 prepare
[root@localhost harbor]# vi harbor.yml
#hostname: reg.mydomain.com 如果有域名,就写域名,没有域名就写IP。
hostname: jerry 一定不要有大写字母,因为tag重命名或者build镜像不让用大写字母,
这就导致pull不了镜像
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
#port: 80 外网通过什么端口访问harbor
port: 8888
# https related config
# https: 开启https
https:
# # https port for harbor, default is 443
# port: 443 https是需要ssl作为加密,所以443为ssl端口
port: 443
# # The path of cert and key files for nginx
# certificate: /your/certificate/path
# private_key: /your/private/key/path
certificate: /your/certificate/path 证书地址
private_key: /your/private/key/path 证书地址
# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433
# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345
# Harbor DB configuration
database:
# The password for the root user of Harbor DB. Change this before any production use.
password: root123
# The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
max_idle_conns: 50
# The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
# Note: the default number of connections is 100 for postgres.
max_open_conns: 100
# The default data volume
data_volume: /data
# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
# # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
# # of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
# ca_bundle:
# # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
# # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
# filesystem:
# maxthreads: 100
# # set disable to true when you want to disable registry redirect
# redirect:
# disabled: false
# Clair configuration
clair:
# The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
updaters_interval: 12
jobservice:
# Maximum number of job workers in job service
max_job_workers: 10
notification:
# Maximum retry count for webhook job
webhook_job_max_retry: 10
chart:
# Change the value of absolute_url to enabled can enable absolute url in chart
absolute_url: disabled
# Log configurations
log:
# options are debug, info, warning, error, fatal
level: info
# configs for logs in local storage
local:
# Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
rotate_count: 50
# Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
# If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
# are all valid.
rotate_size: 200M
# The directory on your host that store log
location: /var/log/harbor
# Uncomment following lines to enable external syslog endpoint.
# external_endpoint:
# # protocol used to transmit log to external endpoint, options is tcp or udp
# protocol: tcp
# # The host of external endpoint
# host: localhost
# # Port of external endpoint
# port: 5140
#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 1.9.0
# Uncomment external_database if using external database.
# external_database:
# harbor:
# host: harbor_db_host
# port: harbor_db_port
# db_name: harbor_db_name
# username: harbor_db_username
# password: harbor_db_password
# ssl_mode: disable
# max_idle_conns: 2
# max_open_conns: 0
# clair:
# host: clair_db_host
# port: clair_db_port
# db_name: clair_db_name
# username: clair_db_username
# password: clair_db_password
# ssl_mode: disable
# notary_signer:
# host: notary_signer_db_host
# port: notary_signer_db_port
# db_name: notary_signer_db_name
# username: notary_signer_db_username
# password: notary_signer_db_password
# ssl_mode: disable
# notary_server:
# host: notary_server_db_host
# port: notary_server_db_port
# db_name: notary_server_db_name
# username: notary_server_db_username
# password: notary_server_db_password
# ssl_mode: disable
# Uncomment external_redis if using external Redis server
# external_redis:
# host: redis
# port: 6379
# password:
# # db_index 0 is for core, it's unchangeable
# registry_db_index: 1
# jobservice_db_index: 2
# chartmuseum_db_index: 3
# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
# ca_file: /path/to/ca
# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
http_proxy:
https_proxy:
no_proxy: 127.0.0.1,localhost,.local,.internal,log,db,redis,nginx,core,portal,postgresql,jobservice,registry,registryctl,clair
components:
- core
- jobservice
- clair
重点注意:一定要重点注意:
一、hostname: jerry 一定不要有大写字母,因为tag重命名或者build镜像不让用大写字母, 这就导致pull不了镜像
[root@Jerry harbor]# docker tag 4bb46517cac3 Jerry/jerry/nginx:v1 Error parsing reference: "Jerry/jerry/nginx:v1" is not a valid repository/tag: invalid reference format: repository name must be lowercase
二、harbor.yml 中注意的事项:
# http related config
http: http:前面一定不要有空格,顶格写
# port for http, default is 80. If https enabled, this port will redirect to https port
#port: 80
port: 8888
# https related config
# https:
https: https:前面一定不要有空格,顶格写 ,一定一定注意
# # https port for harbor, default is 443
# port: 443 https是需要ssl作为加密,所以443为ssl端口
port: 443
# # The path of cert and key files for nginx
# certificate: /your/certificate/path
# private_key: /your/private/key/path
certificate: /your/certificate/path 证书地址
private_key: /your/private/key/path 证书地址
如果 http: 和https: 没有顶格写,结果是在你执行./install.sh 安装harbor后,发现 goharbor/nginx-photon:v1.9.3 中的PORTS没有端口映射,导致根本没有加载 http: 无法访问harbor
在docker-compose.yml 启动脚本中,看到根本没有地址映射
正常的现象:如果http: 加载正常,会有0.0.0.0:8888->8080/tcp, 如果https: 加载正常,会有0.0.0.0:443->8443/tcp
在docker-compose.yml 启动脚本中,看到地址映射
总结:此图为正确标准,其中port: 8888,位置不变,其他的port: 443 certificate: private_key: 最后跟port: 8888对齐,不对齐,具体有没有影响,尚不知道(YAML 用缩进表示层级,同一层级的键缩进必须一致,所以这几项保持与port: 8888相同的缩进最稳妥)
Linux下配置dns的三种方法
1. HOST 本地DNS解析 vi /etc/hosts eg:23.231.234.33 www.baidu.com
2. 网卡配置文件DNS服务地址 vi /etc/sysconfig/network-scripts/ifcfg-eth0
eg: DNS1='114.114.114.114'
3. 系统默认DNS配置 vi /etc/resolv.conf eg:nameserver 114.114.114.114
系统解析的优先级 1>2>3
域名在/etc/hosts配置
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.6.207 jerry
开启https, 解决两件事:一个是授信(客户端能确认服务器的身份),再就是非对称加密,所以很安全。什么是授信:授信就是客户端信任签发服务器证书的CA。有两种方式:第一种是把证书下载到本地并安装,安装后即可授信,浏览器地址栏开头就不再显示 △不安全https://;第二种是使用公信力度够高的机构颁发的证书,不需要安装到本地,直接授信
二、配置harbor https 相关证书openssl 生成
配置ssl: https://goharbor.io/docs/2.0.0/install-config/configure-https/
1、生成证书颁发机构证书
1.1、生成CA证书私钥
[root@localhost harbor]# openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
...............................++
.................................................++
e is 65537 (0x10001)
1.2、生成CA证书。
调整-subj选项中的值以反映您的组织。如果使用FQDN连接Harbor主机,则必须将其指定为通用名称(CN)属性。
官方文档:
(-days 3650 表示证书有效期为3650天)
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
-key ca.key \
-out ca.crt
修改:把yourdomain.com 修改为harbor.yml 中hostname: jerry中的jerry。
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=jerry" \
-key ca.key \
-out ca.crt
[root@localhost harbor]# cd /usr/local/harbor/
[root@localhost harbor]# openssl req -x509 -new -nodes -sha512 -days 3650 \
> -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=jerry" \
> -key ca.key \
> -out ca.crt
[root@localhost harbor]#
有可能报错:Can't load /root/.rnd into RNG
解决方案:
[root@localhost harbor]#cd /root
[root@localhost harbor]#openssl rand -writerand .rnd
[root@localhost harbor]# openssl req -x509 -new -nodes -sha512 -days 3650 \
2、生成服务器证书
1.1、生成私钥。
openssl genrsa -out yourdomain.com.key 4096
修改:把yourdomain.com 修改为harbor.yml 中hostname: jerry中的jerry。
[root@localhost harbor]# cd /usr/local/harbor/
[root@localhost harbor]# openssl genrsa -out jerry.key 4096
Generating RSA private key, 4096 bit long modulus
.........................++
.......................................++
e is 65537 (0x10001)
[root@localhost harbor]#
1.2、生成证书签名请求(CSR)。
调整-subj选项中的值以反映您的组织。如果使用FQDN连接Harbor主机,则必须将其指定为通用名称(CN)属性,并在密钥和CSR文件名中使用它。
官方文档:
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
-key yourdomain.com.key \
-out yourdomain.com.csr
修改:把yourdomain.com 修改为harbor.yml 中hostname: jerry中的jerry。
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=jerry" \
-key jerry.key \
-out jerry.csr
[root@localhost harbor]# openssl req -sha512 -new \
> -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=jerry" \
> -key jerry.key \
> -out jerry.csr
[root@localhost harbor]#
1.3、生成一个x509 v3扩展文件。
无论您使用FQDN还是IP地址连接到Harbor主机,都必须创建此文件,以便可以为您的Harbor主机生成符合主题备用名称(SAN)和x509 v3的证书扩展要求。替换DNS条目以反映您的域
方法一:如果是域名的方式
官方文档:
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=yourdomain.com
DNS.2=yourdomain
DNS.3=hostname
EOF
修改:
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=jerry 修改为harbor.yml 中hostname: jerry中的jerry。也就是域名
DNS.2=其他的域名
DNS.3=hostname
等等
EOF
方式二:harbor.yml 中hostname: 192.168.78.4 添加的是IP
官方文档:
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
EOF
修改:
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
#subjectAltName = @alt_names
subjectAltName = IP:192.168.78.4
EOF
[root@localhost harbor]# cat > v3.ext <<-EOF
> authorityKeyIdentifier=keyid,issuer
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
> extendedKeyUsage = serverAuth
> subjectAltName = @alt_names
>
> [alt_names]
> DNS.1=jerry
> EOF
[root@localhost harbor]#
1.4、使用该v3.ext
文件为您的Harbor主机生成证书
官方文档:
将CSR和CRT文件名中的yourdomain.com替换为Harbor主机名。
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in yourdomain.com.csr \
-out yourdomain.com.crt
[root@localhost harbor]# openssl x509 -req -sha512 -days 3650 \
> -extfile v3.ext \
> -CA ca.crt -CAkey ca.key -CAcreateserial \
> -in jerry.csr \
> -out jerry.crt
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=jerry
Getting CA Private Key
[root@localhost harbor]#
3、提供证书给Harbor和Docker
1.1、生成ca.crt、yourdomain.com.crt和yourdomain.com.key文件后,必须将它们提供给Harbor和Docker,并重新配置Harbor以使用它们
官方文档:
将服务器证书和密钥复制到Harbor主机上的证书文件夹(/data/cert/)中。
cp yourdomain.com.crt /data/cert/
cp yourdomain.com.key /data/cert/
修改:
cp jerry.crt /data/cert/
cp jerry.key /data/cert/
[root@localhost harbor]# mkdir /data/cert/
[root@localhost harbor]# cp jerry.crt /data/cert/
[root@localhost harbor]# cp jerry.key /data/cert/
1.2、转换yourdomain.com.crt为yourdomain.com.cert,供Docker使用。
Docker守护程序将.crt文件解释为CA证书,并将.cert文件解释为客户端证书。
官方文档:
openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert
修改:
openssl x509 -inform PEM -in jerry.crt -out jerry.cert
1.3、将服务器证书,密钥和CA文件复制到Harbor主机上的Docker证书文件夹中。您必须首先创建适当的文件夹。
如果将默认nginx端口443 映射到其他端口,请创建文件夹/etc/docker/certs.d/yourdomain.com:port或/etc/docker/certs.d/harbor_IP:port。
官方文档:
cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
cp ca.crt /etc/docker/certs.d/yourdomain.com/
修改:
cp jerry.cert /etc/docker/certs.d/jerry/
cp jerry.key /etc/docker/certs.d/jerry/
cp ca.crt /etc/docker/certs.d/jerry/
[root@localhost harbor]# mkdir -p /etc/docker/certs.d/jerry/
[root@localhost harbor]# cp jerry.cert /etc/docker/certs.d/jerry
[root@localhost harbor]# cp jerry.key /etc/docker/certs.d/jerry/
[root@localhost harbor]# cp ca.crt /etc/docker/certs.d/jerry/
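4、回到第一步,配置部署或重新配置Harbor
注意:下面ll的输出中ca.key和Jerry.key的权限是-rw-r--r--,本机任何用户都能读取私钥;建议对私钥执行chmod 600,CA私钥ca.key在签发完证书后最好不要留在Harbor服务器上。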
[root@localhost harbor]# cd /usr/local/harbor
[root@localhost harbor]# ll
-rw-r--r-- 1 root root 2009 9月 2 11:19 ca.crt
-rw-r--r-- 1 root root 3243 9月 2 10:58 ca.key
-rw-r--r-- 1 root root 17 9月 2 11:44 ca.srl
-rw-r--r-- 1 root root 638288840 11月 14 2019 harbor.v1.9.3.tar.gz
-rw-r--r-- 1 root root 5794 9月 2 10:58 harbor.yml
-rwxr-xr-x 1 root root 5088 11月 14 2019 install.sh
-rw-r--r-- 1 root root 2033 9月 2 12:02 Jerry.cert
-rw-r--r-- 1 root root 2033 9月 2 11:44 Jerry.crt
-rw-r--r-- 1 root root 1695 9月 2 11:30 Jerry.csr
-rw-r--r-- 1 root root 3243 9月 2 11:23 Jerry.key
-rw-r--r-- 1 root root 11347 11月 14 2019 LICENSE
-rwxr-xr-x 1 root root 1748 11月 14 2019 prepare
-rw-r--r-- 1 root root 224 9月 2 11:42 v3.ext
[root@localhost harbor]# vim harbor.yml
#hostname: reg.mydomain.com 如果有域名,就写域名,没有域名就写IP。
hostname: jerry
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
#port: 80 外网通过什么端口访问harbor
port: 8888
# https related config
# https: 开启https
https:
# # https port for harbor, default is 443
# port: 443 https是需要ssl作为加密,所以443为ssl端口
port: 443
# # The path of cert and key files for nginx
# certificate: /your/certificate/path
# private_key: /your/private/key/path
certificate: /data/cert/jerry.crt 证书地址
private_key: /data/cert/jerry.key 证书地址
# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433
# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
#harbor_admin_password: Harbor12345
harbor_admin_password: 123456 设置登录密码(123456仅为演示用,实际部署请换成强密码,并在首次登录后从UI再修改一次)
5、启动harbor
4.1 校验:
运行prepare脚本以启用HTTPS。
Harbor将nginx实例用作所有服务的反向代理。您可以使用prepare脚本来配置nginx为使用HTTPS。prepare脚本位于Harbor的安装包中,与install.sh脚本在同一目录。
预编译,如果不连接网络可能会失败,但是不影响安装harbor
[root@localhost harbor]# ./prepare
prepare base dir is set to /usr/local/harbor
Unable to find image 'goharbor/prepare:v1.9.3' locally
v1.9.3: Pulling from goharbor/prepare
b950b5dd94ab: Pull complete
b4a43e6420e8: Pull complete
70c5107c831f: Pull complete
yaml.scanner.ScannerError: while scanning a simple key 报错:提示
in "/input/harbor.yml", line 27, column 1 提示27行
could not find expected ':' 找不到预期的:
in "/input/harbor.yml", line 29, column 1
解决方案:
报这个错误是因为harbor.yml中键和值之间的冒号后面缺少空格。
例如把 port: 8081 写成了 port:8081,没有用":空格"把键和值分开,就会报这个错
vim harbor.yml 中
修改27行 harbor_admin_password:123456 为 harbor_admin_password: 123456
4.1.1 ./prepare
[root@localhost harbor]# ./prepare
prepare base dir is set to /usr/local/harbor
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir 代表检出无误
[root@localhost harbor]#
6、安装harbor
方法一:
[root@localhost ~]# cd /usr/local/harbor/
[root@localhost harbor]# ./install.sh
✔ ----Harbor has been installed and started successfully.---- 代表成功
Now you should be able to visit the admin portal at https://jerry. 访问https://jerry.
For more details, please visit https://github.com/goharbor/harbor .
问题:提示Need to install docker-compose
[root@master01 harbor]# ./install.sh
[Step 0]: checking installation environment ... Note: docker version: 18.03.1 ✖ Need to install docker-compose(1.7.1+) by yourself first and run this script again.
解决办法:
方法一: 此方法有效
1、下载(这里用的是daocloud镜像站而不是官方发布地址,下载的二进制会以root身份运行,建议下载后与官方release页面公布的校验和比对,确认一致再使用)
curl -L https://get.daocloud.io/docker/compose/releases/download/1.25.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
2、添加可执行权限
chmod +x /usr/local/bin/docker-compose
3、创建链接
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
4、测试
docker-compose --version
方法二: 此方法运行后不会报错,但是push 一直提示拒绝访问不知有没有关系
Cent7安装Docker-Compose
Docker-Compose是一个部署多个容器的简单但是非常必要的工具.
安装Docker-Compose之前,请先安装 python-pip
1. 安装 python-pip
#先检查linux有没有安装python-pip包
[root@master01 ~]# pip -V
bash: pip: 未找到命令...
#没有安装
[root@master01 ~]# yum -y install epel-release
[root@master01 ~]# yum -y install python-pip
#对安装好的pip进行升级
[root@master01 ~]# pip install --upgrade pip
2. 安装Docker-Compose
[root@master01 ~]# pip install docker-compose --ignore-installed requests
#检查docker-compose 安装
[root@master01 ~]# docker-compose -version
docker-compose version 1.23.2, build 1110ad0
都为 health: starting,启动成功 不要访问他
[root@localhost harbor]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d5044bf4b614 goharbor/nginx-photon:v1.9.3 "nginx -g 'daemon of…" 32 minutes ago Up 32 minutes (healthy) 0.0.0.0:8888->8080/tcp, 0.0.0.0:443->8443/tcp nginx
50ac7fb54815 goharbor/harbor-jobservice:v1.9.3 "/harbor/harbor_jobs…" 32 minutes ago Up 32 minutes (healthy) harbor-jobservice
f862a03c232f goharbor/harbor-core:v1.9.3 "/harbor/harbor_core" 32 minutes ago Up 32 minutes (healthy) harbor-core
72dc54a3dac7 goharbor/redis-photon:v1.9.3 "redis-server /etc/r…" 32 minutes ago Up 32 minutes (healthy) 6379/tcp redis
74531552cfd1 goharbor/harbor-registryctl:v1.9.3 "/harbor/start.sh" 32 minutes ago Up 32 minutes (healthy) registryctl
b944acf64daf goharbor/harbor-db:v1.9.3 "/docker-entrypoint.…" 32 minutes ago Up 32 minutes (healthy) 5432/tcp harbor-db
c04697ae0a74 goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.9.3 "/entrypoint.sh /etc…" 32 minutes ago Up 32 minutes (healthy) 5000/tcp registry
47fa8e56e1bf goharbor/harbor-portal:v1.9.3 "nginx -g 'daemon of…" 32 minutes ago Up 32 minutes (healthy) 8080/tcp harbor-portal
da4f60074f89 goharbor/harbor-log:v1.9.3 "/bin/sh -c /usr/loc…" 32 minutes ago Up 32 minutes (healthy) 127.0.0.1:1514->10514/tcp
外网机器访问https://jerry.配置域名解析
C:\Windows\System32\drivers\etc\HOSTS
方法二:
[root@localhost ~]# cd /usr/local/harbor/
[root@localhost harbor]# docker-compose up -d 后台启动,如果容器不存在根据镜像自动创建
其他容器核心命令:
docker-compose ps
docker-compose down -v 停止容器并删除容器(-v 还会一并删除compose文件中声明的数据卷)
docker-compose start 启动容器,不存在不启动,无法自动创建容器
docker-compose stop 停止
docker-compose logs 查看日志,harbor 日志在/var/log/harbor/
做授信:
cp jerry.crt /etc/pki/ca-trust/source/anchors/jerry.crt
update-ca-trust
3、对本地CA证书许可
[root@localhost ~]# cd /usr/local/harbor/
[root@localhost harbor]# sz ca.crt 下载CA证书许可
4、利用docker 命令登录harbor,将本地镜像上传到服务器,将harbor镜像下载并安装到虚拟机中
1、创建项目
2、查看推送过程
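第一次登录需要账户admin 和密码,第二次登陆不需要,因为密码存在 /root/.docker/config.json 中的"192.168.78.5": { "auth": "YWRtaW46amVycnkxMjM0NTY=" }。注意auth字段只是"用户名:密码"的base64编码,不是加密(见下面docker login输出的WARNING),能读到这个文件的人都可以还原出密码;应限制该文件只有属主可读,或按WARNING的提示配置credential helper。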
[root@localhost harbor]# docker login 192.168.78.5
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@localhost harbor]# cat /root/.docker/config.json
[root@localhost harbor]# docker login 192.168.78.5
[root@localhost harbor]#docker push 192.168.78.5/jerry/hello-world:v1.2
5、附上hostname 为 192.168.78.5 时的完整步骤
vim harbor.yml
hostname: 192.168.78.5
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80
# https related config
https:
# # https port for harbor, default is 443
port: 443
# # The path of cert and key files for nginx
certificate: /data/cert/192.168.78.5.crt
private_key: /data/cert/192.168.78.5.key
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=192.168.78.5" \
-key ca.key \
-out ca.crt
openssl genrsa -out 192.168.78.5.key 4096
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=192.168.78.5" \
-key 192.168.78.5.key \
-out 192.168.78.5.csr
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.78.5
EOF
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in 192.168.78.5.csr \
-out 192.168.78.5.crt
mkdir -p /data/cert/
cp 192.168.78.5.crt /data/cert/
cp 192.168.78.5.key /data/cert/
openssl x509 -inform PEM -in 192.168.78.5.crt -out 192.168.78.5.cert
mkdir -p /etc/docker/certs.d/192.168.78.5/
cp 192.168.78.5.cert /etc/docker/certs.d/192.168.78.5/
cp 192.168.78.5.key /etc/docker/certs.d/192.168.78.5/
cp ca.crt /etc/docker/certs.d/192.168.78.5/
vim harbor.yml
hostname: 192.168.78.5
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80
# https related config
https:
# # https port for harbor, default is 443
port: 443
# # The path of cert and key files for nginx
certificate: /data/cert/192.168.78.5.crt
private_key: /data/cert/192.168.78.5.key
./prepare
./install.sh
报错缺少docker-compose
curl -L https://get.daocloud.io/docker/compose/releases/download/1.25.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
docker-compose --version
./install.sh
docker ps
cp 192.168.78.5.crt /etc/pki/ca-trust/source/anchors/192.168.78.5.crt
update-ca-trust
docker image ls
docker pull hello-world
docker tag hello-world:latest 192.168.78.5/jerry/hello-world:v1.2
docker login 192.168.78.5
docker push 192.168.78.5/jerry/hello-world:v1.2