centos7 使用非标准端口 离线安装自签名harbor
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了centos7 使用非标准端口 离线安装自签名harbor相关的知识,希望对你有一定的参考价值。
安装docker,git
yum install docker docker-logrotate -y
安装docker-compose
yum install python-virtualenv -y virtualenv ven_harbor source ven_harbor/bin/activate pip install --upgrade pip pip install docker-compose
下载harbor
wget https://github.com/vmware/harbor/releases/download/0.4.5/harbor-offline-installer-0.4.5.tgz tar xvzf harbor-offline-installer-0.4.5.tgz
生成自签名证书
mkdir ca cd ca openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt # 如果需要使用IP访问,CN可以设置为IP,如: # Common Name (eg, your name or your server‘s hostname) []:192.168.1.100 openssl req -newkey rsa:4096 -nodes -sha256 -keyout yourdomain.com.key -out yourdomain.com.csr touch /etc/pki/CA/index.txt echo ‘01‘ > /etc/pki/CA/serial openssl ca -in yourdomain.com.csr -out yourdomain.com.crt -cert ca.crt -keyfile ca.key -outdir . # 如果打算使用IP方式访问registry,请将上面命令替换为如下命令,your_ip,为harbor所在的服务器的IP, # 默认情况下,https仅支持域名访问,若使用上面的命令进行签名,执行docker login your_ip,会有如下报错 # Failed to tls handshake with x.x.x.x x509: cannot validate certificate for x.x.x.x because it doesn‘t contain any IP SANs echo subjectAltName = IP:your_ip > extfile.cnf openssl ca -in your_ip.csr -out your_ip.crt -cert ca.crt -keyfile ca.key -extfile extfile.cnf -outdir .
安装harbor
# 编辑 ~/harbor/harbor.cfg hostname = yourdomain.com # 如果使用Ip访问,请修改为IP,如:hostname=192.168.1.100 ui_url_protocol = https harbor_admin_password = Harbor12345 auth_mode = db_auth db_password = root123 ssl_cert = /root/cert/yourdomain.com.crt ssl_cert_key = /root/cert/yourdomain.com.key # 编辑docker-compose.yml proxy: image: library/nginx:1.11.5 restart: always volumes: - ./config/nginx:/etc/nginx ports: - 8000:80 - 4433:443 depends_on: - mysql - registry - ui - log logging: driver: "syslog" options: syslog-address: "tcp://127.0.0.1:1514" tag: "proxy" # 编辑templates/registry/config.yml,在ui_url后面添加4433 auth: token: issuer: registry-token-issuer realm: $ui_url:4433/service/token rootcertbundle: /etc/registry/root.crt service: token-service # 编辑 templates/nginx/nginx.https.conf,在$$host后面添加4433 server { listen 80; #server_name harbordomain.com; return 301 https://$$host:4433$$request_uri; } # 安装harbor ./install.sh
配置client
将-insecure-registry从docker配置文件中移除,重启docker
复制ca.crt到client
mkdir -p /etc/docker/certs.d/yourdomain.com:4433 cp ca.crt /etc/docker/certs.d/yourdomain.com:4433
创建项目
使用http://yourdomain.com:8000 登录 harbor,会自动重定向到 https://yourdomain.com:4433
创建项目test
将镜像推送到harbor中
docker login yourdomain.com:4433 docker tag centos:7 yourdomain.com:4433/test/centos:7 docker push yourdomain.com:4433/test/centos:7
参考链接:
https://github.com/vmware/harbor/blob/master/docs/installation_guide.md
https://github.com/vmware/harbor/blob/master/docs/configure_https.md
本文出自 “武陵荒草” 博客,请务必保留此出处http://penguintux.blog.51cto.com/3021117/1873025
以上是关于centos7 使用非标准端口 离线安装自签名harbor的主要内容,如果未能解决你的问题,请参考以下文章