openEuler欧拉部署Harbor
环境:
openEuler,安装系统时,默认/home改为/data
自己有ssl通配证书,没有做自签名证书,如需做,看最后一段彩蛋部分
一、下载Harbor
wget https://github.com/goharbor/harbor/releases/download/v2.8.1/harbor-offline-installer-v2.12.1.tgz tar xvf harbor-offline-installer-v2.12.1.tgz mv harbor/ /home二、安装docker-ce
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo yum update指定docker版本号
cd /etc/yum.repos.d/ vim docker-ce.repo修改realserver为指定的版本7
name=Docker CE Stable - $basearch baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/stable enabled=1 gpgcheck=1 gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg安装docker-ce
yum install docker-ce -y docker -v docker compsoe -v systemctl start docker systemctl enable docker三、配置Harbor
cd /home/harbor cp harbor.yml.tmpl harbor.ymlvim harbor.yml
http: # port for http, default is 80. If https enabled, this port will redirect to https port port:80 # https related config https: # https port for harbor, default is 443 port:443 # The path of cert and key files for nginx certificate:/home/harbor/cert/server.crt private_key: /home/harbor/cert/server.key四、安装Harbor
授权Harbor本地目录,这个很重要,否则docker启动后,各种不适应。
chmod -R 775 /home/harbor ./prepare ./install.sh docker-compose up -d五、其他
docker-compose down -v 或 docker-compose stop
区别:前者会remove掉容器、image、网络,停的更干净,后者只是停服务
docker login ip
试试
docker log 用不了,可以在 /var/log/harbor(harbor.yml有定义日志路径)下tail看问题。
六、彩蛋:制作SSL本地证书
cd /home/harbor mkdir cert cd cert生成证书颁发机构证书
生成 CA 证书私钥
openssl genrsa -out ca.key 4096
生成 CA 证书
如果您使用 FQDN 连接您的 Harbor 主机,则必须将其指定为公用名称 ( CN) 属性并在密钥和 CSR 文件名中使用它。
openssl req -x509 -new -nodes -sha512 -days 3650 \ -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=xxx.xxx.xxx.113" \ -key ca.key \ -out ca.crt生成服务器证书
生成私钥openssl genrsa -out harbor.xxxx.com.key 4096
生成证书签名请求 (CSR)
如果您使用 FQDN 连接您的 Harbor 主机,则必须将其指定为公用名称 ( CN) 属性并在密钥和 CSR 文件名中使用它。
openssl req -sha512 -new \ -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=xxx.xxx.xxx.113" \ -key harbor.xxxx.com.key \ -out harbor.xxxx.com.csr生成 x509 v3 扩展文件 替换DNS条目,第二个DNS写Harbor主机名
cat > v3.ext <<-EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1=xxx.xxx.xxx.5 DNS.2=Server-Harbor EOF使用该v3.ext文件为您的 Harbor主机生成证书
openssl x509 -req -sha512 -days 3650 \ -extfile v3.ext \ -CA ca.crt -CAkey ca.key -CAcreateserial \ -in harbor.xxxx.com.csr \ -out harbor.xxxx.com.crt转换harbor.xxxx.com.crt为harbor.xxxx.com.cert, 供 Docker 使用。openssl x509 -inform PEM -in harbor.xxxx.com.crt -out harbor.xxxx.com.cert
将服务器证书、密钥和 CA 文件复制到 Harbor 主机上的 Docker 证书文件夹中。
如果您将默认nginx端口 443 映射到不同的端口,请创建文件夹/etc/docker/certs.d/harbor.xxxx.com:8843或/etc/docker/certs.d/harbor_IP:8843.
mkdir -p /etc/docker/certs.d/xxx.xxx.xxx.113:8843
cp harbor.xxxx.com.cert /etc/docker/certs.d/xxx.xxx.xxx.113:8843
cp harbor.xxxx.com.key /etc/docker/certs.d/xxx.xxx.xxx.113:8843
cp ca.crt /etc/docker/certs.d/xxx.xxx.xxx.113:8843
systemctl restart docker
说明:
/etc/docker/certs.d/ └── harbor.xxxx.com:8843 ├── harbor.xxxx.com.cert <-- Server certificate signed by CA ├── harbor.xxxx.com.key <-- Server key signed by CA └── ca.crt <-- Certificate authority that signed the registry certificatecp harbor.yml.tmpl harbor.yml
mkdir data
编辑配置文件,给出几个重要的选项
vim harbor.yml
hostname: harbor.xxxx.com http: port:8080 https: port:8843 certificate:/home/harbor/cert/harbor.xxxx.com.crt private_key:/home/harbor/cert/harbor.xxxx.com.key harbor_admin_password: Harborxxxx