Deploying and Upgrading Harbor over HTTPS

Posted 还行少年


I. Deploy Harbor

1. Install Docker

# Disable SELinux permanently (the config change takes effect after a reboot); setenforce 0 switches to permissive mode immediately
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0

# Stop firewalld and disable it at boot
systemctl stop firewalld.service &> /dev/null
systemctl disable firewalld.service &> /dev/null

# Install the required packages and add the Docker CE yum repository
yum install -y yum-utils device-mapper-persistent-data lvm2
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

# List the available Docker versions
yum list docker-ce --showduplicates

# Install the latest stable version
yum install 3:docker-ce-20.10.17-3.el7.x86_64 -y

# Configure the registry mirror, the insecure registry, and the Docker data directory
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://7w5yqlyj.mirror.aliyuncs.com"],
  "insecure-registries": ["http://docker.hanweb.com"],
  "graph": "/data/dockerdata/docker"
}
EOF

# Start Docker and enable it at boot
sudo systemctl daemon-reload
sudo systemctl start docker
systemctl enable docker

2. Configure HTTPS access to Harbor (optional)

# Generate the CA private key
openssl genrsa -out ca.key 4096

# Generate the CA certificate
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.com" -key ca.key -out ca.crt

# Generate the server private key
openssl genrsa -out harbor.com.key 4096

# Generate the certificate signing request (CSR)
openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.com" -key harbor.com.key -out harbor.com.csr

# Create the x509 v3 extension file
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.com
DNS.2=harbor
EOF

# Use v3.ext to issue the certificate for the Harbor host
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.com.csr -out harbor.com.crt

# Convert the .crt file to a .cert file for Docker
openssl x509 -inform PEM -in harbor.com.crt -out harbor.com.cert

# Copy the server certificate, key and CA file into the Docker certificate directory on the Harbor host
mkdir -p /etc/docker/certs.d/harbor.com/
cp harbor.com.cert harbor.com.key ca.crt /etc/docker/certs.d/harbor.com/

# Copy the server certificate and key to the paths that harbor.yml references (certificate / private_key)
mkdir -p /data/cert
cp harbor.com.crt harbor.com.key /data/cert/

# Restart Docker
systemctl restart docker
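
Before handing the files to Docker and Harbor it is worth checking that the server certificate chains to the CA, that the key belongs to it, and that the registry host name is in subjectAltName. The script below is an added example, not part of the original article; the function names check_harbor_cert and make_demo_pki and the throwaway "demo-ca" PKI are assumptions constructed for the demonstration.

```shell
#!/usr/bin/env bash
# check_harbor_cert CA_CRT SERVER_CRT SERVER_KEY HOSTNAME
# Prints "OK" and returns 0 only if all three checks pass.
check_harbor_cert() {
  local ca=$1 crt=$2 key=$3 host=$4 cert_pub key_pub
  # 1. The server certificate must chain to the CA that Docker clients trust.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
  # 2. The private key must belong to the certificate (same public key).
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "key: FAIL"; return 1; }
  # 3. The registry host name must be an exact dNSName entry in subjectAltName
  #    (wildcard entries are not expanded by this simple check).
  openssl x509 -in "$crt" -noout -text | grep -A1 'Subject Alternative Name' |
    tail -n1 | tr -d ' ' | tr ',' '\n' | grep -Fxq "DNS:$host" ||
    { echo "san: FAIL"; return 1; }
  echo "OK"
}

# Constructed demo PKI (hypothetical CA name "demo-ca", 2048-bit keys, 1-day validity).
make_demo_pki() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=demo-ca" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=harbor.com" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  printf 'subjectAltName=DNS:harbor.com,DNS:harbor\n' > "$d/v3.ext"
  openssl x509 -req -sha256 -days 1 -extfile "$d/v3.ext" -CA "$d/ca.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -in "$d/srv.csr" -out "$d/srv.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
check_harbor_cert "$demo_dir/ca.crt" "$demo_dir/srv.crt" "$demo_dir/srv.key" harbor.com
rm -rf "$demo_dir"
```

For the files generated in this section the call would be: check_harbor_cert ca.crt harbor.com.crt harbor.com.key harbor.com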

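3. Install docker-compose

# Download docker-compose
wget https://github.com/docker/compose/releases/download/v2.10.2/docker-compose-linux-x86_64

# Move it to /usr/local/bin and make it executable
mv docker-compose-linux-x86_64 /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

4. Install Harbor

# Download the installer package
wget https://github.com/goharbor/harbor/releases/download/v1.8.6/harbor-offline-installer-v1.8.6.tgz

# Extract it and enter the harbor directory
tar xf harbor-offline-installer-v1.8.6.tgz
cd harbor

# Create the Harbor data directory
mkdir -p /data/harbor

# Edit the configuration file (harbor.yml); the resulting settings, with comments and blank lines stripped:
grep -v "#" harbor.yml | sed '/^[  ]*$/d'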

hostname: harbor.com
http:
  port: 80
https:
  port: 443
  certificate: /data/cert/harbor.com.crt
  private_key: /data/cert/harbor.com.key
harbor_admin_password: Harbor12345
database:
  password: root123
data_volume: /data/harbor
clair: 
  updaters_interval: 12
  http_proxy:
  https_proxy:
  no_proxy: 127.0.0.1,localhost,core,registry
jobservice:
  max_job_workers: 10
chart:
  absolute_url: disabled
log:
  level: info
  rotate_count: 50
  rotate_size: 200M
  location: /var/log/harbor
_version: 1.8.0

# Run the installation script
./install.sh
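
The harbor.yml above still carries Harbor12345 and root123, the passwords shipped in the installer's harbor.yml. The following check is an added example, not part of the original article; the function name lint_harbor_yml and the sample files are constructed for the demonstration. It flags those two values and a missing HTTPS certificate or key setting before install.sh is run.

```shell
#!/usr/bin/env bash
# lint_harbor_yml FILE
# Prints one line per finding; the return status is the number of findings.
lint_harbor_yml() {
  local f=$1 n=0 v k
  # Top-level scalar "harbor_admin_password: <value>"
  v=$(awk '$1=="harbor_admin_password:"{print $2}' "$f")
  if [ "$v" = "Harbor12345" ]; then echo "default harbor_admin_password"; n=$((n+1)); fi
  # "password:" nested under the top-level "database:" section
  v=$(awk '/^[^ #]/{sec=$1} sec=="database:" && $1=="password:"{print $2}' "$f")
  if [ "$v" = "root123" ]; then echo "default database password"; n=$((n+1)); fi
  # certificate and private_key must both be set inside an https: section
  for k in certificate: private_key:; do
    v=$(awk -v k="$k" '/^[^ #]/{sec=$1} sec=="https:" && $1==k{print $2}' "$f")
    if [ -z "$v" ]; then echo "https ${k%:} not set"; n=$((n+1)); fi
  done
  return "$n"
}

# Constructed samples: the first repeats the values shown in this article,
# the second replaces both passwords with placeholders.
sample_default=$(mktemp); sample_changed=$(mktemp)
cat > "$sample_default" <<'EOF'
hostname: harbor.com
https:
  port: 443
  certificate: /data/cert/harbor.com.crt
  private_key: /data/cert/harbor.com.key
harbor_admin_password: Harbor12345
database:
  password: root123
EOF
sed -e 's/Harbor12345/CHANGE-ME-admin/' -e 's/root123/CHANGE-ME-db/' \
  "$sample_default" > "$sample_changed"
lint_harbor_yml "$sample_default" || true
lint_harbor_yml "$sample_changed" && echo "no findings"
```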

5. Test

[root@harbor harbor]# docker login https://harbor.com
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

[root@harbor harbor]# docker pull cirros
Using default tag: latest
latest: Pulling from library/cirros
d0b405be7a32: Pull complete 
bd054094a037: Pull complete 
c6a00de1ec8a: Pull complete 
Digest: sha256:1e695eb2772a2b511ccab70091962d1efb9501fdca804eb1d52d21c0933e7f47
Status: Downloaded newer image for cirros:latest
docker.io/library/cirros:latest

[root@harbor harbor]# docker tag cirros:latest harbor.com/public/cirros:test

[root@harbor harbor]# docker push harbor.com/public/cirros:test 
The push refers to repository [harbor.com/public/cirros]
984ad441ec3d: Pushed 
f0a496d92efa: Pushed 
e52d19c3bee2: Pushed 
test: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943

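II. Harbor minor-version upgrade

1. Stop the current Harbor instance and back it up

# Stop the Harbor instance
docker-compose down

# Back up the Harbor directory
cd ..
mkdir -p back_harbor
mv harbor back_harbor/harbor1.8.6

# Back up the database
mkdir /data/harbor1.8.6
cp -r /data/harbor/* /data/harbor1.8.6/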

2. Install the new Harbor version

# Download the new installer package
wget https://github.com/goharbor/harbor/releases/download/v1.10.7/harbor-offline-installer-v1.10.7.tgz

# Extract the installer package
tar xf harbor-offline-installer-v1.10.7.tgz
cd harbor

# Load the new images
docker load -i harbor.v1.10.7.tar.gz

# Migrate the harbor.yml file
cp -a /opt/back_harbor/harbor1.8.6/harbor.yml /data/
docker run -it --rm -v /data/harbor.yml:/harbor-migration/harbor-cfg/harbor.yml goharbor/harbor-migrator:v1.10.7 --cfg up

# Start with the new harbor.yml
cp -a /data/harbor.yml /opt/harbor
./install.sh

3. Test

[root@harbor harbor]# docker rmi harbor.com/public/cirros:test 
Untagged: harbor.com/public/cirros:test
Untagged: harbor.com/public/cirros@sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22

[root@harbor harbor]# docker pull harbor.com/public/cirros:test
test: Pulling from public/cirros
Digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22
Status: Downloaded newer image for harbor.com/public/cirros:test
harbor.com/public/cirros:test

[root@harbor harbor]# docker tag harbor.com/public/cirros:test harbor.com/public/cirros:test2
[root@harbor harbor]# docker login harbor.com
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@harbor harbor]# docker push harbor.com/public/cirros:test2
The push refers to repository [harbor.com/public/cirros]
984ad441ec3d: Layer already exists 
f0a496d92efa: Layer already exists 
e52d19c3bee2: Layer already exists 
test2: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943

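4. Roll back

# Stop Harbor
docker-compose down

# Remove the current Harbor instance
cd ..
rm -rf harbor

# Restore the old database
rm -rf /data/harbor
mv /data/harbor1.8.6 /data/harbor

# Restore the backed-up 1.8.6 directory and reinstall Harbor
mv back_harbor/harbor1.8.6 harbor
cd harbor
./install.sh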

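III. Major-version upgrade

1. Stop the current Harbor instance and back it up

# Stop the Harbor instance
docker-compose down

# Back up the Harbor directory
cd ..
mkdir -p back_harbor
mv harbor back_harbor/harbor1.10.7

# Back up the database
mkdir /data/harbor1.10.7
cp -r /data/harbor/* /data/harbor1.10.7/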

2. Install the new Harbor version

# Download the new installer package
wget https://github.com/goharbor/harbor/releases/download/v2.6.0/harbor-offline-installer-v2.6.0.tgz

# Extract the installer package
tar xf harbor-offline-installer-v2.6.0.tgz
cd harbor

# Load the new images
docker load -i harbor.v2.6.0.tar.gz

# Migrate the harbor.yml file
docker run -it --rm -v /:/hostfs goharbor/prepare:v2.6.0 migrate -i /opt/back_harbor/harbor1.10.7/harbor.yml -o /data/harbor.yml

# Start with the new harbor.yml
cp -a /data/harbor.yml /opt/harbor
./install.sh

3. Test

[root@harbor harbor]# docker tag harbor.com/public/cirros:test harbor.com/public/cirros:test3
[root@harbor harbor]# docker login harbor.com
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@harbor harbor]# docker push harbor.com/public/cirros
harbor.com/public/cirros        harbor.com/public/cirros:test   harbor.com/public/cirros:test2  harbor.com/public/cirros:test3  
[root@harbor harbor]# docker push harbor.com/public/cirros:test3
The push refers to repository [harbor.com/public/cirros]
984ad441ec3d: Layer already exists 
f0a496d92efa: Layer already exists 
e52d19c3bee2: Layer already exists 
test3: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943
[root@harbor harbor]# docker rmi harbor.com/public/cirros:test3
Untagged: harbor.com/public/cirros:test3
[root@harbor harbor]# docker pull harbor.com/public/cirros:test3
test3: Pulling from public/cirros
Digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22
Status: Downloaded newer image for harbor.com/public/cirros:test3
harbor.com/public/cirros:test3
