构建自己的镜像仓库（harbor）

Posted 2021-09-25 givenchy_yzl

harbor简介

Harbor 是由 VMware 公司中国团队为企业用户设计的 Registry server 开源项目，包括了权限管理(RBAC)、LDAP、审计、管理界面、自我注册、HA 等企业必需的功能，同时针对中国用户的特点，设计镜像复制和中文支持等功能。作为一个企业级私有 Registry 服务器，Harbor 提供了更好的性能和安全。提升用户使用 Registry 构建和运行环境传输镜像的效率。Harbor 支持安装在多个 Registry 节点的镜像资源复制，镜像全部保存在私有 Registry 中， 确保数据和知识产权在公司内部网络中管控。另外，Harbor 也提供了高级的安全特性，诸如用户管理，访问控制和活动审计等。https://goharbor.io/

harbor 证书有两种：域名版，IP版

#安装docker
# step 1: 安装必要的一些系统工具
[root@harbor ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
# Step 2: 添加软件源信息
[root@harbor ~]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Step 3
[root@harbor ~]# sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
# Step 4: 更新并安装Docker-CE
[root@harbor ~]#  yum makecache fast
[root@harbor ~]# yum -y install docker-ce
# Step 4: 开启Docker服务（设置为开机自启）
[root@harbor cert]# systemctl enable --now docker



[root@harbor ~]# mkdir /opt/cert/
[root@harbor ~]# cd /opt/cert/
[root@harbor cert]# openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
....................................++
.................................................................................................................................................................................................................++
e is 65537 (0x10001)

[root@harbor cert]#     openssl req -x509 -new -nodes -sha512 -days 3650 \\
     -subj "/C=CN/ST=ShangHai/L=ShangHai/O=Oldboy/OU=Linux/CN=192.168.13.16" \\
      -key ca.key \\
      -out ca.crt
[root@harbor cert]#     openssl genrsa -out 192.168.13.16.key 4096
Generating RSA private key, 4096 bit long modulus
................................................................++
............................++

[root@harbor cert]#     openssl req -sha512 -new \\
>         -subj "/C=CN/ST=ShangHai/L=ShangHai/O=Oldboy/OU=Linux/CN=192.168.13.16" \\
>         -key 192.168.13.16.key \\
>         -out 192.168.13.16.csr

[root@harbor cert]# cat > v3.ext <<EOF
>     authorityKeyIdentifier=keyid,issuer
>     basicConstraints=CA:FALSE
>     keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
>     extendedKeyUsage = serverAuth
>     subjectAltName = IP:192.168.13.16
> EOF


[root@harbor cert]# openssl x509 -req -sha512 -days 3650 \\
 -extfile v3.ext \\
 -CA ca.crt -CAkey ca.key -CAcreateserial \\
 -in 192.168.13.16.csr \\
 -out 192.168.13.16.crt

2、将证书分配给docker
[root@harbor cert]# openssl x509 -inform PEM -in 192.168.13.16.crt -out 192.168.13.16.cert



[root@harbor cert]# mkdir -pv /etc/docker/certs.d/192.168.13.16/
mkdir: 已创建目录 "/etc/docker/certs.d"
mkdir: 已创建目录 "/etc/docker/certs.d/192.168.13.16/"
[root@harbor cert]# 
[root@harbor cert]# cp 192.168.13.16.cert /etc/docker/certs.d/192.168.13.16/
[root@harbor cert]# cp 192.168.13.16.key /etc/docker/certs.d/192.168.13.16/
[root@harbor cert]# cp ca.crt /etc/docker/certs.d/192.168.13.16/
[root@harbor cert]# systemctl restart docker

[root@harbor cert]# mkdir -p /data/cert 
[root@harbor cert]# cp 192.168.13.16.crt  /data/cert
[root@harbor cert]# cp 192.168.13.16.key /data/cert
[root@harbor cert]# cd /data/cert

4、安装Harbor
# 进入下载目录
cd /opt
 
# 下载
wget https://github.com/goharbor/harbor/releases/download/v2.2.1/harbor-offline-installer-v2.2.1.tgz

[root@harbor /opt]# tar xf harbor-offline-installer-v2.2.1.tgz 

# 进入harbor目录
cd harbor/
 
# 下载docker-composrt
curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

chmod +x /usr/local/bin/docker-compose 

# 复制一份
[root@harbor /opt/harbor]# cp harbor.yml.tmpl harbor.yml
[root@harbor /opt/harbor]# vim harbor.yml
...
hostname: 192.168.13.16
...
certificate: /data/cert/192.168.13.16.crt 
private_key: /data/cert/192.168.13.16.key
...

# 生成harbor配置文件
./prepare

# 安装
./install.sh

#浏览器访问
http://192.168.13.16
默认用户名：admin
密码：Harbor12345