Harbor is an open-source registry service for storing and distributing Docker images.

env

  • centos7 2c4g
  • docker-v19.03.5
  • docker-compose-v2.19.0
  • harbor-offline-installer-v2.3.1.tgz

1.download

github

baidu pan

2.docker/docker-compose

  • search this site for: scripted offline deployment of docker and docker-compose

3.config

3.1untar

mkdir -p /app
tar xf harbor-offline-installer-v2.3.1.tgz -C /app

3.2certs (generate the certificate)

1.create the certs directory
cd /app/harbor && mkdir certs && cd certs

2.Generate a private key
openssl genrsa -out private_key.pem 4096

3.Generate a certificate.
openssl req -new -x509 -key private_key.pem -out root.crt -days 3650

or

openssl req -x509 -new -days 3650 \
  -subj "/C=CN/ST=ZJ/L=HZ/O=Company Ltd/OU=MVPBANG.COM/CN=MVPBANG.COM" \
  -key private_key.pem \
  -out root.crt

[root@c7-100 certs]# openssl req -new -x509 -key private_key.pem -out root.crt -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ZJ
Locality Name (eg, city) [Default City]:HZ
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:MVPBANG.COM
Common Name (eg, your name or your server's hostname) []:MVPBANG.COM
Email Address []:mvpbang@qq.com

3.3edit harbor.yml

1.copy
cp harbor.cfg harbor.cfg-bak
cp harbor.yml.tmpl harbor.yml  //the file name differs between versions

2.edit the harbor.yml file
[root@c7-100 harbor]# egrep -v '^#|#|^$' harbor.yml
hostname: 172.24.20.100
https:
  port: 443
  certificate: /app/harbor/certs/root.crt
  private_key: /app/harbor/certs/private_key.pem
#login account admin/Harbor12345
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
#data persistence location
data_volume: /data
trivy:
  ignore_unfixed: false
  skip_update: false
  insecure: false
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.3.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy

4.install

cd /app/harbor

first-time install
./install.sh --help   //lists the optional components that can be deployed
--with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https. 
--with-clair if needs enable Clair in Harbor  //deprecated
--with-trivy if needs enable Trivy in Harbor
--with-chartmuseum if needs enable Chartmuseum in Harbor


./install.sh --with-clair   //enable scanner
./install.sh --with-notary --with-clair

after changing the configuration file later on
./prepare --with-chartmuseum 
docker-compose up -d

#OK
./install.sh  --with-notary  --with-trivy  --with-chartmuseum

Enable specific features or components:
--with-notary: installs and configures the Notary service; Notary is a signing and verification system for securing container images.
--with-trivy: installs and configures the Trivy service; Trivy is a simple and comprehensive container security scanner.
--with-clair: installs and configures the Clair service; Clair is a vulnerability scanner that statically analyses the packages in a container image to detect known security vulnerabilities.
--with-chartmuseum: installs and configures the ChartMuseum service; ChartMuseum is a Helm Chart repository service that stores and distributes Helm Charts.

where the key/crt files end up

private_key.pem
root.crt

[root@c7-100 harbor]# cd /data/secret/
[root@c7-100 secret]# ll
drwxr-xr-x 2 10000 10000 42 Aug  7 17:14 cert
drwxr-xr-x 2 root  root  29 Aug  7 13:43 core
drwxr-xr-x 2 root  root  23 Aug  7 13:43 keys
drwxr-xr-x 2 root  root  22 Aug  7 13:43 registry
[root@c7-100 secret]# 

[root@c7-100 secret]# tree .
.
├── cert
│   ├── server.crt
│   └── server.key
├── core  +++++++
│   └── private_key.pem
├── keys
│   └── secretkey
└── registry   +++++++
    └── root.crt

5.harbor up/down manager

docker-compose ps|down|up| up -d
docker-compose start|stop  //run in the directory containing docker-compose.yml

docker-compose down -v   //stop && rm
docker-compose up -d
docker-compose logs -f
docker-compose ps

# view the log of a single service
docker logs -f harbor-core 

6.configure the registry (docker hub) address

every docker node needs this configuration

6.1daemon.json

cat /etc/docker/daemon.json 
{
  "registry-mirrors":["https://172.24.20.100"],
  "insecure-registries":["172.24.20.100"]
}

6.2node TLS trust and pushing images

1.copy the certificate to the node
# dockerd reads CA certificates from /etc/docker/certs.d/<host>/*.crt (the directory is certs.d, not cert.d)
mkdir -p /etc/docker/certs.d/172.24.20.100
cp /data/secret/cert/server.crt /etc/docker/certs.d/172.24.20.100/

2.restart the docker service
systemctl daemon-reload && systemctl restart docker

3.log in to harbor and push
docker login https://172.24.20.100
docker push 172.24.20.100/mvpbang/nginx:v1
