Deploying and Upgrading Harbor over HTTPS
Posted 还行少年
I. Deploying Harbor
1. Install Docker
# Permanently disable SELinux (takes effect after a reboot)
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
# Switch SELinux to permissive mode for the current boot
setenforce 0
# Stop the firewall and disable it at boot
systemctl stop firewalld.service &> /dev/null
systemctl disable firewalld.service &> /dev/null
# Install the packages needed to configure the yum repository, then add the Docker CE repository
yum install -y yum-utils device-mapper-persistent-data lvm2
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# List the available Docker versions
yum list docker-ce --showduplicates
# Install the latest stable version
yum install 3:docker-ce-20.10.17-3.el7.x86_64 -y
# Configure the registry mirror, the insecure registry, and the Docker data directory
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://7w5yqlyj.mirror.aliyuncs.com"],
"insecure-registries": ["http://docker.hanweb.com"],
"graph": "/data/dockerdata/docker"
}
EOF
# Start Docker
sudo systemctl daemon-reload
sudo systemctl start docker
systemctl enable docker
2. Configure HTTPS access to Harbor (optional)
# Generate the CA private key
openssl genrsa -out ca.key 4096
# Generate the CA certificate
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.com" -key ca.key -out ca.crt
# Generate the server private key
openssl genrsa -out harbor.com.key 4096
# Generate the certificate signing request (CSR)
openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.com" -key harbor.com.key -out harbor.com.csr
# Generate the x509 v3 extension file
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.com
DNS.2=harbor
EOF
# Use v3.ext to issue the certificate for the Harbor host
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.com.csr -out harbor.com.crt
# Convert the .crt file to a .cert file for Docker (Docker treats .crt files as CA certificates and .cert files as client certificates)
openssl x509 -inform PEM -in harbor.com.crt -out harbor.com.cert
# Copy the server certificate, key and CA file into the Docker certificate directory on the Harbor host
mkdir -p /etc/docker/certs.d/harbor.com/
cp harbor.com.cert harbor.com.key ca.crt /etc/docker/certs.d/harbor.com/
# Restart Docker
systemctl restart docker
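The following added example (not part of the original post) checks the files produced in this step: that the server certificate lists the registry hostname as a subjectAltName DNS entry, that the private key matches the certificate, and that the certificate verifies against ca.crt. The function names, and the 2048-bit keys, 1-day validity and separate CA subject used by make_sample, are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example: sanity checks for the certificate files produced above.

# Print the DNS names listed in the certificate's subjectAltName, one per line.
san_names() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2
}

# True only if host $2 is listed verbatim as a SAN DNS name (wildcards are not
# expanded). Go's TLS stack, which Docker uses, has not fallen back to the
# subject CN since Go 1.15, so CN=harbor.com in -subj is not enough on its own.
san_covers_host() { san_names "$1" | grep -qxF "$2"; }

# True only if private key $2 belongs to certificate $1.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# True only if certificate $1 verifies against CA certificate $2.
chains_to_ca() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Constructed sample in directory $1, following the commands above but with
# 2048-bit keys, 1-day validity and a separate CA subject (all assumptions).
# With $2 = san the SAN section is written to v3.ext, otherwise it is left out.
make_sample() {
  d=$1
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 1 -subj "/O=example/CN=Sample CA" \
    -key "$d/ca.key" -out "$d/ca.crt"
  openssl genrsa -out "$d/harbor.com.key" 2048 2>/dev/null
  openssl req -sha512 -new -subj "/O=example/CN=harbor.com" \
    -key "$d/harbor.com.key" -out "$d/harbor.com.csr"
  printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' > "$d/v3.ext"
  if [ "$2" = san ]; then
    printf '%s\n' 'subjectAltName=@alt_names' '[alt_names]' \
      'DNS.1=harbor.com' 'DNS.2=harbor' >> "$d/v3.ext"
  fi
  openssl x509 -req -sha512 -days 1 -extfile "$d/v3.ext" -CA "$d/ca.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -in "$d/harbor.com.csr" \
    -out "$d/harbor.com.crt" 2>/dev/null
}

# Usage against the files generated above (run in the directory holding them):
#   san_covers_host harbor.com.crt harbor.com \
#     && key_matches_cert harbor.com.crt harbor.com.key \
#     && chains_to_ca harbor.com.crt ca.crt && echo OK
```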
3. Install docker-compose
# Download docker-compose
wget https://github.com/docker/compose/releases/download/v2.10.2/docker-compose-linux-x86_64
# Move it to /usr/local/bin and make it executable
mv docker-compose-linux-x86_64 /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
4. Install Harbor
# Download the installer package
wget https://github.com/goharbor/harbor/releases/download/v1.8.6/harbor-offline-installer-v1.8.6.tgz
# Extract it
tar xf harbor-offline-installer-v1.8.6.tgz
cd harbor
# Create the Harbor data directory
mkdir -p /data/harbor
# Edit the configuration file; the effective settings afterwards are:
grep -v "#" harbor.yml | sed '/^[ ]*$/d'
hostname: harbor.com
http:
  port: 80
https:
  port: 443
  certificate: /data/cert/harbor.com.crt
  private_key: /data/cert/harbor.com.key
harbor_admin_password: Harbor12345
database:
  password: root123
data_volume: /data/harbor
clair:
  updaters_interval: 12
  http_proxy:
  https_proxy:
  no_proxy: 127.0.0.1,localhost,core,registry
jobservice:
  max_job_workers: 10
chart:
  absolute_url: disabled
log:
  level: info
  rotate_count: 50
  rotate_size: 200M
  location: /var/log/harbor
_version: 1.8.0
# Run the install script
./install.sh
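An added pre-install check for the harbor.yml shown above (not part of the original post or of Harbor): it flags the installer's default harbor_admin_password and database password, and certificate or key paths that do not exist on the host. The function names and finding labels are assumptions, and the parser handles only the two-level key/value layout shown above.

```bash
#!/usr/bin/env bash
# Added example: check harbor.yml before running ./install.sh.

# Print "name<TAB>value" for every scalar setting in file $1; nested keys are
# printed as section.key. Handles only the two-level layout used by harbor.yml.
flatten_yml() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    { line = $0; nested = (line ~ /^[ \t]/)
      sub(/^[ \t]+/, "", line)
      i = index(line, ":"); if (i == 0) next
      key = substr(line, 1, i - 1); val = substr(line, i + 1)
      sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
      if (!nested) top = key
      name = nested ? (top "." key) : key
      if (val != "") print name "\t" val }' "$1"
}

# Print the value of setting $2 (for example https.private_key) from file $1.
yml_get() { flatten_yml "$1" | awk -F'\t' -v k="$2" '$1 == k { print $2; exit }'; }

# Print one finding per line; prints nothing when the file passes.
harbor_yml_findings() {
  [ "$(yml_get "$1" harbor_admin_password)" = Harbor12345 ] && echo DEFAULT_ADMIN_PASSWORD
  [ "$(yml_get "$1" database.password)" = root123 ] && echo DEFAULT_DB_PASSWORD
  for k in https.certificate https.private_key; do
    p=$(yml_get "$1" "$k")
    [ -n "$p" ] && [ ! -f "$p" ] && echo "MISSING_FILE $k"
  done
  return 0
}

# Constructed sample with the values shown above, except that the certificate
# paths point to files that do not exist. Prints the path of the temporary file.
sample_yml() {
  f=$(mktemp)
  printf '%s\n' 'hostname: harbor.com' 'https:' '  port: 443' \
    '  certificate: /nonexistent/harbor.com.crt' \
    '  private_key: /nonexistent/harbor.com.key' \
    'harbor_admin_password: Harbor12345' 'database:' '  password: root123' > "$f"
  echo "$f"
}

# Usage: harbor_yml_findings harbor.yml     (or: harbor_yml_findings "$(sample_yml)")
```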
5. Test
[root@harbor harbor]# docker login https://harbor.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@harbor harbor]# docker pull cirros
Using default tag: latest
latest: Pulling from library/cirros
d0b405be7a32: Pull complete
bd054094a037: Pull complete
c6a00de1ec8a: Pull complete
Digest: sha256:1e695eb2772a2b511ccab70091962d1efb9501fdca804eb1d52d21c0933e7f47
Status: Downloaded newer image for cirros:latest
docker.io/library/cirros:latest
[root@harbor harbor]# docker tag cirros:latest harbor.com/public/cirros:test
[root@harbor harbor]# docker push harbor.com/public/cirros:test
The push refers to repository [harbor.com/public/cirros]
984ad441ec3d: Pushed
f0a496d92efa: Pushed
e52d19c3bee2: Pushed
test: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943
II. Minor-version upgrade of Harbor
1. Stop the current Harbor instance and back it up
# Stop the Harbor instance
docker-compose down
# Back up the Harbor installation directory
cd /opt
mkdir -p back_harbor
mv harbor back_harbor/harbor1.8.6
# Back up the database (-a preserves ownership and permissions)
mkdir /data/harbor1.8.6
cp -a /data/harbor/* /data/harbor1.8.6/
2. Install the new Harbor version
# Download the new installer package
wget https://github.com/goharbor/harbor/releases/download/v1.10.7/harbor-offline-installer-v1.10.7.tgz
# Extract the installer package
tar xf harbor-offline-installer-v1.10.7.tgz
cd harbor
# Load the new images
docker load -i harbor.v1.10.7.tar.gz
# Migrate harbor.yml to the new version
cp -a /opt/back_harbor/harbor1.8.6/harbor.yml /data/
docker run -it --rm -v /data/harbor.yml:/harbor-migration/harbor-cfg/harbor.yml goharbor/harbor-migrator:v1.10.7 --cfg up
# Start Harbor with the new harbor.yml
cp -a /data/harbor.yml /opt/harbor
./install.sh
3. Test
[root@harbor harbor]# docker rmi harbor.com/public/cirros:test
Untagged: harbor.com/public/cirros:test
Untagged: harbor.com/public/cirros@sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22
[root@harbor harbor]# docker pull harbor.com/public/cirros:test
test: Pulling from public/cirros
Digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22
Status: Downloaded newer image for harbor.com/public/cirros:test
harbor.com/public/cirros:test
[root@harbor harbor]# docker tag harbor.com/public/cirros:test harbor.com/public/cirros:test2
[root@harbor harbor]# docker login harbor.com
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@harbor harbor]# docker push harbor.com/public/cirros:test2
The push refers to repository [harbor.com/public/cirros]
984ad441ec3d: Layer already exists
f0a496d92efa: Layer already exists
e52d19c3bee2: Layer already exists
test2: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943
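4. Roll back
# Stop Harbor
docker-compose down
# Remove the current Harbor instance
cd ..
rm -rf harbor
# Restore the old version's database
rm -rf /data/harbor
mv /data/harbor1.8.6 /data/harbor
# Restore the old installation directory and reinstall Harbor
mv back_harbor/harbor1.8.6 harbor
cd harbor
./install.sh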
III. Major-version upgrade
1. Stop the current Harbor instance and back it up
# Stop the Harbor instance
docker-compose down
# Back up the Harbor installation directory
cd /opt
mkdir -p back_harbor
mv harbor back_harbor/harbor1.10.7
# Back up the database (-a preserves ownership and permissions)
mkdir /data/harbor1.10.7
cp -a /data/harbor/* /data/harbor1.10.7/
2. Install the new Harbor version
# Download the new installer package
wget https://github.com/goharbor/harbor/releases/download/v2.6.0/harbor-offline-installer-v2.6.0.tgz
# Extract the installer package
tar xf harbor-offline-installer-v2.6.0.tgz
cd harbor
# Load the new images
docker load -i harbor.v2.6.0.tar.gz
# Migrate harbor.yml to the new version
docker run -it --rm -v /:/hostfs goharbor/prepare:v2.6.0 migrate -i /opt/back_harbor/harbor1.10.7/harbor.yml -o /data/harbor.yml
# Start Harbor with the new harbor.yml
cp -a /data/harbor.yml /opt/harbor
./install.sh
3. Test
[root@harbor harbor]# docker tag harbor.com/public/cirros:test harbor.com/public/cirros:test3
[root@harbor harbor]# docker login harbor.com
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@harbor harbor]# docker push harbor.com/public/cirros
harbor.com/public/cirros harbor.com/public/cirros:test harbor.com/public/cirros:test2 harbor.com/public/cirros:test3
[root@harbor harbor]# docker push harbor.com/public/cirros:test3
The push refers to repository [harbor.com/public/cirros]
984ad441ec3d: Layer already exists
f0a496d92efa: Layer already exists
e52d19c3bee2: Layer already exists
test3: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943
[root@harbor harbor]# docker rmi harbor.com/public/cirros:test3
Untagged: harbor.com/public/cirros:test3
[root@harbor harbor]# docker pull harbor.com/public/cirros:test3
test3: Pulling from public/cirros
Digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22
Status: Downloaded newer image for harbor.com/public/cirros:test3
harbor.com/public/cirros:test3