Harbor installation and configuration
CentOS (7.2)
Docker 1.2
Docker-compose orchestration tool
I. Environment installation:
Docker install:
curl -fsSL https://get.docker.io | bash
Docker-compose install (https://docs.docker.com/compose/install/):
curl -L "https://github.com/docker/compose/releases/download/1.8.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
References:
https://vmware.github.io/harbor/
https://github.com/vmware/harbor
https://github.com/vmware/harbor/blob/master/docs/installation_guide.md
II. Deploying Harbor
- Download the installer package
wget https://github.com/vmware/harbor/releases/download/0.4.5/harbor-online-installer-0.4.5.tgz
tar xvf harbor-online-installer-0.4.5.tgz
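After extraction the directory structure is as follows:
Where:
harbor.cfg is the global configuration file; it holds the common settings, such as whether HTTPS is enabled.
install.sh is the installation script.
prepare is a preprocessing script written in Python, used mainly to initialize the settings derived from harbor.cfg.
docker-compose.yaml describes the dependencies between components, the configuration mounts, data persistence and similar settings.
- Configure Harbor
Harbor configuration reference, explained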
hostname = reg.mydomain.com #Harbor server domain name
ui_url_protocol = http #access protocol for the UI component
email_server = smtp.mydomain.com #e-mail server address
email_server_port = 25 #e-mail port
email_username = sample_admin@mydomain.com #e-mail account
email_password = abc #e-mail password
email_from = admin <sample_admin@mydomain.com> #e-mail sender
email_ssl = false #whether to enable SSL
harbor_admin_password = Harbor12345 #initial password of the Harbor administrator (admin)
auth_mode = db_auth #permission management model
ldap_url = ldaps://ldap.mydomain.com #LDAP address
ldap_basedn = ou=people,dc=mydomain,dc=com #
ldap_uid = uid #
ldap_scope = 3 #
db_password = root123 #database administrator password
self_registration = on #whether self-registration is enabled
use_compressed_js = on #whether to use compressed JS
max_job_workers = 3 #maximum number of jobs
token_expiration = 30 #token expiration
verify_remote_cert = on #whether to verify remote certificates
customize_crt = on #whether to use a custom certificate
3. SSL certificate configuration
crt_country = CN
crt_state = State
crt_location = CN
crt_organization = organization
crt_organizationalunit = organizational unit
crt_commonname = example.com
crt_email = example@example.com
ssl_cert = /path/to/server.crt
ssl_cert_key = /path/to/server.key
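An added example, not part of the original post or of Harbor's own code: a small Python check that reads harbor.cfg text and flags the settings from the reference above that weaken a deployment (the published default passwords, plain HTTP, open self-registration, disabled certificate or SSL checks). The function name, the [harbor] section name and the finding texts are assumptions made for illustration.

```python
import configparser

# Passwords printed in this guide's harbor.cfg; treat them as publicly known.
PUBLISHED_DEFAULTS = {"harbor_admin_password": "Harbor12345",
                      "db_password": "root123"}
# setting -> (risky value, why it matters)
RISKY_VALUES = {
    "ui_url_protocol": ("http", "logins and tokens travel unencrypted"),
    "self_registration": ("on", "anyone who reaches the UI can create an account"),
    "verify_remote_cert": ("off", "remote registry certificates are not verified"),
    "email_ssl": ("false", "SSL to the mail server is disabled"),
}

def audit_harbor_cfg(text):
    """Return sorted (key, finding) pairs for risky settings in harbor.cfg text."""
    parser = configparser.ConfigParser(interpolation=None,
                                       inline_comment_prefixes=("#",))
    # harbor.cfg has no [section] header, so supply one for configparser.
    parser.read_string("[harbor]\n" + text)
    cfg = parser["harbor"]
    findings = []
    for key, default in PUBLISHED_DEFAULTS.items():
        if cfg.get(key) == default:
            findings.append((key, "still the published default password"))
    for key, (bad, why) in RISKY_VALUES.items():
        if cfg.get(key, "").lower() == bad:
            findings.append((key, why))
    # An https setting without both certificate paths cannot serve TLS.
    if cfg.get("ui_url_protocol") == "https":
        for key in ("ssl_cert", "ssl_cert_key"):
            if not cfg.get(key):
                findings.append((key, "https selected but no certificate path set"))
    return sorted(findings)

# Constructed sample that mirrors the values shown in this guide.
GUIDE_CFG = """\
hostname = reg.mydomain.com #harbor server
ui_url_protocol = http
email_ssl = false
harbor_admin_password = Harbor12345
db_password = root123
self_registration = on
verify_remote_cert = on
"""

if __name__ == "__main__":
    for key, finding in audit_harbor_cfg(GUIDE_CFG):
        print(f"{key}: {finding}")
```

Run it against the real file with audit_harbor_cfg(open("harbor.cfg").read()) before each ./prepare.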
- About the e-mail configuration
QQ Mail requires applying for an authorization code
http://service.mail.qq.com/cgi-bin/help?subtype=1&&id=28&&no=1001256
email_server = smtp.qq.com
email_server_port = 465
email_username = 1218761836@qq.com
email_password = nyexhxqredreggha
email_from = 1218761836@qq.com
email_ssl = true
crt_email = 1218761836@qq.com
- docker-compose file configuration
version: '2'
services:
  log:
    image: vmware/harbor-log:0.4.5
    container_name: harbor-log
    restart: always
    volumes:
      - /var/log/harbor/:/var/log/docker/
    ports:
      - 1514:514
  registry:
    image: library/registry:2.5.0
    container_name: registry
    restart: always
    volumes:
      # - /data/registry:/storage
      - ./common/config/registry/:/etc/registry/
    environment:
      - GODEBUG=netdns=cgo
    command:
      ["serve", "/etc/registry/config.yml"]
- Configure OSS as the backend storage
https://docs.docker.com/registry/storage-drivers/
vim common/templates/registry/config.yml
version: 0.1
log:
  level: debug
  formatter: text
  fields:
    service: registry
    environment: staging
storage:
  oss:
    accesskeyid:
    accesskeysecret:
    region: oss-cn-beijing
    endpoint:.vpc100-oss-cn-beijing.aliyuncs.com
    bucket:
    secure: false
    internal: true
  delete:
    enabled: true
  redirect:
    disable: false
  cache:
    blobdescriptor: inmemory
  maintenance:
    uploadpurging:
      enabled: true
      age: 168h
      interval: 24h
      dryrun: false
http:
  addr: 0.0.0.0:5000
  debug:
    addr: 0.0.0.0:5001
notifications:
  endpoints:
    - name: harbor
      disabled: false
      url: http://ui/service/notifications
      timeout: 3000ms
      threshold: 5
      backoff: 1s
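- Starting with the HTTP configuration
Once the settings above are complete you have an HTTP configuration. Generate the configuration with ./prepare (this must be run every time the configuration file is modified)
Then install with ./install.sh
- Configure HTTPS
Reference document: https://github.com/vmware/harbor/blob/master/docs/configure_https.md
Edit the configuration file and fill in the paths where the certificate files are stored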
vim harbor.cfg
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = https
#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /data/harbor/auth/registry.com.crt
ssl_cert_key = /data/harbor/auth/registry.com.key
8.1 Create the certificates
mkdir -p /data/harbor/auth/
cd /data/harbor/auth/
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Note here:
The Common Name must match the hostname in harbor.cfg.
8.2
openssl req -newkey rsa:4096 -nodes -sha256 -keyout registry.com.key -out registry.com.csr
8.3
openssl x509 -req -days 365 -in registry.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out registry.com.crt
8.4 Add to the system
mkdir -p /etc/docker/certs.d/registry.com
cp ca.crt /etc/docker/certs.d/registry.com
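- Start
./prepare    # update the configuration; check that the certificate configuration files are consistent
./install.sh    # start
docker-compose ps    # check the service status
- Test
docker login -u -p registry.com
docker push registry.com/<image name>
Log in through the web UI to manage images; Harbor does not yet support batch deletion of images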
https://registry.com
When reposting, please credit: 靠谱运维 » Hands-on: building an enterprise private Docker registry with Harbor and OSS