Harbor with OSS: building a private enterprise Docker registry in practice

Docker technology | 靠谱运维

Harbor installation and configuration

CentOS 7.2

Docker 1.2

Docker Compose (orchestration tool)

I. Environment setup:

Docker install:

curl -fsSL https://get.docker.io | bash

Docker Compose install (https://docs.docker.com/compose/install/):

curl -L "https://github.com/docker/compose/releases/download/1.8.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

chmod +x /usr/local/bin/docker-compose

Reference links:

https://vmware.github.io/harbor/

https://github.com/vmware/harbor

https://github.com/vmware/harbor/blob/master/docs/installation_guide.md

II. Deploying Harbor

  1. Download the installer package

wget https://github.com/vmware/harbor/releases/download/0.4.5/harbor-online-installer-0.4.5.tgz

tar xvf harbor-online-installer-0.4.5.tgz

After extraction, the directory contains the following files, of which:

harbor.cfg is the global configuration file; it holds the common settings, such as whether to enable HTTPS.

install.sh is the installation script.

prepare is a preprocessing script written in Python; it initializes the settings derived from harbor.cfg.

docker-compose.yml describes the dependencies between the components, the configuration mounts, data persistence and similar settings.

  2. Configure Harbor

Reference for the harbor.cfg settings:

hostname = reg.mydomain.com                      # Harbor server hostname
ui_url_protocol = http                           # protocol used to reach the UI
email_server = smtp.mydomain.com                 # mail server address
email_server_port = 25                           # mail server port
email_username = sample_admin@mydomain.com       # mail account
email_password = abc                             # mail password
email_from = admin <sample_admin@mydomain.com>   # mail sender
email_ssl = false                                # whether to use SSL for mail
harbor_admin_password = Harbor12345              # initial password of the Harbor admin account
auth_mode = db_auth                              # authentication mode
ldap_url = ldaps://ldap.mydomain.com             # LDAP server URL
ldap_basedn = ou=people,dc=mydomain,dc=com       # LDAP base DN under which users are searched
ldap_uid = uid                                   # LDAP attribute used as the user name
ldap_scope = 3                                   # LDAP search scope (3 = subtree)
db_password = root123                            # database root password
self_registration = on                           # whether users may register themselves
use_compressed_js = on                           # whether to serve compressed JS
max_job_workers = 3                              # maximum number of job workers
token_expiration = 30                            # token expiration (minutes)
verify_remote_cert = on                          # whether to verify remote registries' certificates
customize_crt = on                               # whether to use a custom certificate

  3. SSL certificate settings

crt_country = CN
crt_state = State
crt_location = CN
crt_organization = organization
crt_organizationalunit = organizational unit
crt_commonname = example.com
crt_email = example@example.com
ssl_cert = /path/to/server.crt
ssl_cert_key = /path/to/server.key
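The harbor.cfg values in sections 2 and 3 are the documented defaults (Harbor12345, root123, plain http, self-registration on). The shell functions below are an added example, not code from the original post or from the Harbor project: they read a harbor.cfg in the "key = value   # comment" layout shown above and flag those defaults before ./prepare is run. The wording of the findings, the ldaps:// requirement for ldap_auth and the check that ssl_cert/ssl_cert_key exist are this example's own choices.

```shell
# Parses the "key = value   # comment" layout used in the post; values must not contain '#'.
# cfg_get FILE KEY -> prints KEY's value with the trailing comment and spaces stripped
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | head -n 1
}

# harbor_cfg_audit FILE -> prints one "WARN: ..." line per finding; exit 0 only if none
harbor_cfg_audit() {
    cfg="$1"; n=0
    warn() { echo "WARN: $1"; n=$((n + 1)); }
    [ "$(cfg_get "$cfg" harbor_admin_password)" = "Harbor12345" ] \
        && warn "harbor_admin_password is still the documented default"
    [ "$(cfg_get "$cfg" db_password)" = "root123" ] \
        && warn "db_password is still the documented default"
    [ "$(cfg_get "$cfg" ui_url_protocol)" = "http" ] \
        && warn "ui_url_protocol is http: docker login credentials travel in clear text"
    [ "$(cfg_get "$cfg" self_registration)" = "on" ] \
        && warn "self_registration is on: anyone who can reach the UI can create an account"
    [ "$(cfg_get "$cfg" verify_remote_cert)" = "off" ] \
        && warn "verify_remote_cert is off: replication targets are not authenticated"
    # this example's policy: LDAP binds carry passwords, so require ldaps:// with ldap_auth
    case "$(cfg_get "$cfg" auth_mode):$(cfg_get "$cfg" ldap_url)" in
        ldap_auth:ldap://*) warn "auth_mode is ldap_auth but ldap_url is not ldaps://" ;;
    esac
    # with https, the cert and key paths must exist before ./prepare copies them
    if [ "$(cfg_get "$cfg" ui_url_protocol)" = "https" ]; then
        for k in ssl_cert ssl_cert_key; do
            f="$(cfg_get "$cfg" "$k")"
            [ -f "$f" ] || warn "$k points to a missing file: $f"
        done
    fi
    [ "$n" -eq 0 ]
}
```

Run it as `harbor_cfg_audit harbor.cfg` from the extracted installer directory; a non-zero exit means at least one finding was printed.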

 

  4. Mail settings

A QQ Mail account requires an authorization code (see http://service.mail.qq.com/cgi-bin/help?subtype=1&&id=28&&no=1001256):

email_server = smtp.qq.com
email_server_port = 465
email_username = 1218761836@qq.com
email_password = nyexhxqredreggha
email_from = 1218761836@qq.com
email_ssl = true
crt_email = 1218761836@qq.com

  5. The docker-compose file

version: '2'
services:
  log:
    image: vmware/harbor-log:0.4.5
    container_name: harbor-log
    restart: always
    volumes:
      - /var/log/harbor/:/var/log/docker/
    ports:
      - 1514:514
  registry:
    image: library/registry:2.5.0
    container_name: registry
    restart: always
    volumes:
      # - /data/registry:/storage
      - ./common/config/registry/:/etc/registry/
    environment:
      - GODEBUG=netdns=cgo
    command:
      ["serve", "/etc/registry/config.yml"]

  6. Configure OSS as the backend storage

Storage driver reference: https://docs.docker.com/registry/storage-drivers/

vim common/templates/registry/config.yml

version: 0.1
log:
  level: debug
  formatter: text
  fields:
    service: registry
    environment: staging
storage:
  oss:
    accesskeyid:
    accesskeysecret:
    region: oss-cn-beijing
    endpoint: vpc100-oss-cn-beijing.aliyuncs.com
    bucket:
    secure: false
    internal: true
  delete:
    enabled: true
  redirect:
    disable: false
  cache:
    blobdescriptor: inmemory
  maintenance:
    uploadpurging:
      enabled: true
      age: 168h
      interval: 24h
      dryrun: false
http:
  addr: 0.0.0.0:5000
  debug:
    addr: 0.0.0.0:5001
notifications:
  endpoints:
    - name: harbor
      disabled: false
      url: http://ui/service/notifications
      timeout: 3000ms
      threshold: 5
      backoff: 1s

  7. Starting with HTTP

The settings above give a plain-HTTP deployment. Generate the configuration with ./prepare (this must be re-run after every change to a configuration file),

then install with ./install.sh.

  8. Configuring HTTPS

Reference: https://github.com/vmware/harbor/blob/master/docs/configure_https.md

Edit the configuration file and fill in the paths where the certificate files are stored:

vim harbor.cfg

#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = https

#The path of cert and key files for nginx; they are applied only when the protocol is set to https
ssl_cert = /data/harbor/auth/registry.com.crt
ssl_cert_key = /data/harbor/auth/registry.com.key

8.1 Create the certificate

mkdir /data/harbor/auth/
cd /data/harbor/auth/
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt

Note: the Common Name must be identical to the hostname in harbor.cfg.

8.2 Generate the server key and certificate signing request

openssl req -newkey rsa:4096 -nodes -sha256 -keyout registry.com.key -out registry.com.csr

8.3 Sign the request with the CA

openssl x509 -req -days 365 -in registry.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out registry.com.crt

8.4 Add to the system

mkdir /etc/docker/certs.d/registry.com
cp ca.crt /etc/docker/certs.d/registry.com
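Steps 8.1 to 8.4 as one shell function, with the point the post calls out (the Common Name must equal the hostname in harbor.cfg) made checkable before ./prepare is run. This is an added example, not code from the original post or from the Harbor project; the explicit CA extensions, the SAN entry and the overridable certs.d directory (third argument, so it can be tried in a scratch directory instead of /etc/docker/certs.d) are this example's own additions.

```shell
# make_registry_certs HOSTNAME OUTDIR [CERTS_ROOT]
make_registry_certs() {
    host="$1"; out="$2"; certs_root="${3:-/etc/docker/certs.d}"
    mkdir -p "$out" || return 1
    # CA extensions are spelled out so the result does not depend on the
    # system openssl.cnf: a root without CA:TRUE fails chain verification
    cat > "$out/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $host-ca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # 8.1: self-signed private CA
    openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$out/ca.key" -x509 -days 365 \
        -config "$out/ca.cnf" -out "$out/ca.crt" 2>/dev/null || return 1
    # 8.2: registry key and CSR; the CN must equal hostname in harbor.cfg
    openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$out/registry.key" \
        -subj "/CN=$host" -out "$out/registry.csr" 2>/dev/null || return 1
    # 8.3: sign with the CA; the name also goes into a SAN, which newer Docker
    # (Go) clients require in addition to the CN
    printf 'subjectAltName = DNS:%s\n' "$host" > "$out/san.ext"
    openssl x509 -req -days 365 -in "$out/registry.csr" -CA "$out/ca.crt" \
        -CAkey "$out/ca.key" -CAcreateserial -extfile "$out/san.ext" \
        -out "$out/registry.crt" 2>/dev/null || return 1
    chmod 600 "$out/ca.key" "$out/registry.key"
    # 8.4: only the CA certificate goes into the daemon's trust directory, never a key
    mkdir -p "$certs_root/$host" && cp "$out/ca.crt" "$certs_root/$host/ca.crt"
}

# cert_cn_matches CERT HOSTNAME -> exit 0 if the certificate's CN equals HOSTNAME
cert_cn_matches() {
    cn=$(openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$cn" = "$2" ]
}

# cert_chain_ok CA CERT -> exit 0 if CERT verifies against CA
cert_chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

For the post's layout the call is `make_registry_certs registry.com /data/harbor/auth`, followed by `cert_cn_matches /data/harbor/auth/registry.crt registry.com` to confirm the name matches harbor.cfg.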

 

 

  9. Start

./prepare          refresh the configuration; check that the certificate settings in the generated configuration are consistent

./install.sh       start

docker-compose ps  check the service status

  10. Test

docker login -u <username> -p <password> registry.com

docker push registry.com/<image name>

Once logged in through the web UI you can manage images; Harbor does not yet support deleting images in bulk.

https://registry.com
