Harbor 2.2.1 CentOS 8.3 安装部署脚本

 容器化  No Responses »
4月 062021
 

Harbor 版本

v2.2.1-b0d63082

Harbor是一个用于存储和分发Docker镜像的企业级Registry服务器,通过添加一些企业必需的功能特性,例如安全、标识和管理等,扩展了开源Docker Distribution。作为一个企业级私有Registry服务器,Harbor提供了更好的性能和安全。提升用户使用Registry构建和运行环境传输镜像的效率。

#!/bin/bash
#

# https://goharbor.io/docs/2.0.0

# Disable SELinux & firewalld
sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/' /etc/selinux/config;
setenforce 0;
systemctl disable firewalld;
systemctl stop firewalld;

# Install Docker CE
# https://docs.docker.com/engine/install/centos/
# dnf list docker-ce --showduplicates | sort -r
dnf makecache;
yum install -y yum-utils device-mapper-persistent-data lvm2 iptables;

yum-config-manager \
    --add-repo https://download.docker.com/linux/centos/docker-ce.repo;
dnf makecache;
yum -y install docker-ce-19.03.15 docker-ce-cli-19.03.15 containerd.io;

systemctl enable docker;
systemctl start docker;

# Install Compose on Linux systems
# https://docs.docker.com/compose/install/
curl -L "https://github.com/docker/compose/releases/download/1.28.6/docker-compose-$(uname -s)-$(uname -m)" \
    -o /usr/local/bin/docker-compose;
chmod +x /usr/local/bin/docker-compose;

# Configure HTTPS Access to Harbor
# https://goharbor.io/docs/2.0.0/install-config/configure-https/
openssl genrsa -out ca.key 4096;
openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=192.168.3.206" \
 -key ca.key \
 -out ca.crt;

openssl genrsa -out 192.168.3.206.key 4096;
openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=192.168.3.206" \
    -key 192.168.3.206.key \
    -out 192.168.3.206.csr;

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=192.168.3.206
DNS.2=yourdomain
DNS.3=hostname
EOF

openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in 192.168.3.206.csr \
    -out 192.168.3.206.crt;

openssl x509 -inform PEM -in 192.168.3.206.crt -out 192.168.3.206.cert;

mkdir -p /data/cert/;
cp 192.168.3.206.crt /data/cert/;
cp 192.168.3.206.key /data/cert/;

mkdir -p /etc/docker/certs.d/192.168.3.206/;
cp 192.168.3.206.cert /etc/docker/certs.d/192.168.3.206/;
cp 192.168.3.206.key /etc/docker/certs.d/192.168.3.206/;
cp ca.crt /etc/docker/certs.d/192.168.3.206/;
systemctl restart docker;


# Download and Unpack the Installer
# https://github.com/goharbor/harbor/releases
dnf makecache;
dnf -y install wget;
wget https://github.com/goharbor/harbor/releases/download/v2.2.1/harbor-offline-installer-v2.2.1.tgz;

tar xzf harbor-offline-installer-v2.2.1.tgz;
cd harbor;
cp harbor.yml.tmpl harbor.yml;
sed -i 's/^\hostname: reg.mydomain.com/hostname: 192.168.3.206/' harbor.yml;
sed -i 's/^\  certificate: \/your\/certificate\/path/  certificate: \/data\/cert\/192.168.3.206.crt/' harbor.yml;
sed -i 's/^\  private_key: \/your\/private\/key\/path/  private_key: \/data\/cert\/192.168.3.206.key/' harbor.yml;
sed -i 's/^\harbor_admin_password: Harbor12345/harbor_admin_password: Harbor12365/' harbor.yml;

# Run the prepare script to enable HTTPS
./prepare;
# Run the Installer Script
./install.sh;

Harbor 2.2.1 harbor.yml.tmpl 标准配置

 容器化  No Responses »
4月 022021
  
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: reg.mydomain.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /your/certificate/path
  private_key: /your/private/key/path

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 50
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 1000

# The default data volume
data_volume: /data

# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#   # of registry's and chart repository's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
#   ca_bundle:

#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disabled: false

# Trivy configuration
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
# 12 hours and published as a new release to GitHub.
trivy:
  # ignoreUnfixed The flag to display only fixed vulnerabilities
  ignore_unfixed: false
  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
  #
  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
  skip_update: false
  #
  # insecure The flag to skip verifying registry certificate
  insecure: false
  # github_token The GitHub access token to download Trivy DB
  #
  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
  # https://developer.github.com/v3/#rate-limiting
  #
  # You can create a GitHub token by following the instructions in
  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
  #
  # github_token: xxx

jobservice:
  # Maximum number of job workers in job service
  max_job_workers: 10

notification:
  # Maximum retry count for webhook job
  webhook_job_max_retry: 10

chart:
  # Change the value of absolute_url to enabled can enable absolute url in chart
  absolute_url: disabled

# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor

  # Uncomment following lines to enable external syslog endpoint.
  # external_endpoint:
  #   # protocol used to transmit log to external endpoint, options is tcp or udp
  #   protocol: tcp
  #   # The host of external endpoint
  #   host: localhost
  #   # Port of external endpoint
  #   port: 5140

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 2.2.0

# Uncomment external_database if using external database.
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#     max_idle_conns: 2
#     max_open_conns: 0
#   notary_signer:
#     host: notary_signer_db_host
#     port: notary_signer_db_port
#     db_name: notary_signer_db_name
#     username: notary_signer_db_username
#     password: notary_signer_db_password
#     ssl_mode: disable
#   notary_server:
#     host: notary_server_db_host
#     port: notary_server_db_port
#     db_name: notary_server_db_name
#     username: notary_server_db_username
#     password: notary_server_db_password
#     ssl_mode: disable

# Uncomment external_redis if using external Redis server
# external_redis:
#   # support redis, redis+sentinel
#   # host for redis: <host_redis>:<port_redis>
#   # host for redis+sentinel:
#   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
#   host: redis:6379
#   password:
#   # sentinel_master_set must be set to support redis+sentinel
#   #sentinel_master_set:
#   # db_index 0 is for core, it's unchangeable
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3
#   trivy_db_index: 5
#   idle_timeout_seconds: 30

# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
#   ca_file: /path/to/ca

# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy

# metric:
#   enabled: false
#   port: 9090
#   path: /metrics

VMware Harbor 1.8.0 版本新特性说明

 未分类  No Responses »
5月 282019
 

https://github.com/goharbor/harbor/releases

Support for OpenID Connect
OpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0, allowing Harbor to verify the identity of users based on the authentication performed by an external authorization server or identity provider.

Robot accounts
Robot accounts can be configured to provide administrators with a token that can be granted appropriate permissions for pulling or pushing images. Harbor users can continue operating Harbor using their enterprise SSO credentials, and use robot accounts for CI/CD systems that perform Docker client commands.

Replication advancements
Harbor new version replication allows you to replicate your Harbor repository to and from non-Harbor registries. Harbor 1.8 expands on the Harbor-to-Harbor replication feature, adding the ability to replicate resources between Harbor and Docker Hub, Docker Registry, and Huawei Registry. This is enabled through both push and pull mode replication.

Additional Features
Harbor 1.8 brings numerous other capabilities for both administrators and end users:

Health check API, showing detailed status and health of all Harbor components.
Support for defining cron-based scheduled tasks in the Harbor UI. Administrators can now use cron strings to define the schedule of a job. Scan, garbage collection and replication jobs are all supported.
API explorer integration. End users can now explore and trigger Harbor’s API via the swagger UI nested inside Harbor’s UI.
Introduce a new master role to project, the role’s permissions are more than developer and less than project admin.
Introduce harbor.yml as the replacement of harbor.cfg and refactor the prepare script to provide more flexibility to the installation process based on docker-compose
Enhancement of the Job Service engine to include webhook events, additional APIs for automation, and numerous bug fixes to improve the stability of the service.
Docker Registry upgraded to v2.7.1.

使用VMware Harbor存取管理容器镜像

 未分类  No Responses »
5月 272019
 

查看本地镜像

[root@client ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@client ~]#

从官方镜像仓库下拉一个CentOS 7.6.1810版本的镜像

[root@client ~]# docker pull centos:7.6.1810
7.6.1810: Pulling from library/centos
ac9208207ada: Pull complete 
Digest: sha256:0baec775bbf3e01cc770d5823c285b291b44ca05bb7c31b8674db5dae1d2aea9
Status: Downloaded newer image for centos:7.6.1810
[root@client ~]#

从官方镜像仓库下拉一个Ubuntu 18.04版本的镜像

[root@client ~]# docker pull ubuntu:18.04
18.04: Pulling from library/ubuntu
6abc03819f3e: Pull complete 
05731e63f211: Pull complete 
0bd67c50d6be: Pull complete 
Digest: sha256:f08638ec7ddc90065187e7eabdfac3c96e5ff0f6b2f1762cf31a4f49b53000a5
Status: Downloaded newer image for ubuntu:18.04
[root@client ~]#

查看本地镜像信息

[root@client ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu 18.04 7698f282e524 12 days ago 69.9MB
centos 7.6.1810 f1cb7c7d58b7 2 months ago 202MB
[root@client ~]#

对默认的libarary公共镜像仓库进行存取操作

在项目中标记镜像:
docker tag SOURCE_IMAGE[:TAG] hub.licensebox.cn/library/IMAGE[:TAG]

推送镜像到当前项目:
docker push hub.licensebox.cn/library/IMAGE[:TAG]

查看已经重新打标记的镜像

[root@client ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu 18.04 7698f282e524 12 days ago 69.9MB
centos 7.6.1810 f1cb7c7d58b7 2 months ago 202MB
hub.licensebox.cn/library/centos 7.6.1810 f1cb7c7d58b7 2 months ago 202MB
[root@client ~]#

登录镜像仓库未配置证书时的错误提示(自签证书)

[root@client ~]# docker login hub.licensebox.cn
Username: admin
Password: 
Error response from daemon: Get https://hub.licensebox.cn/v2/: x509: certificate signed by unknown authority
[root@client ~]#

建立证书配置目录(注意:必须提供server.cert文件,server.key文件和ca.crt文件)

[root@client ~]# mkdir -p /etc/docker/certs.d/hub.licensebox.cn/
[root@client ~]# mv ca.crt hub.licensebox.cn.key hub.licensebox.cn.cert /etc/docker/certs.d/hub.licensebox.cn/
[root@client ~]# ls /etc/docker/certs.d/hub.licensebox.cn/
ca.crt hub.licensebox.cn.cert hub.licensebox.cn.key
[root@client ~]#

登录自建仓库

[root@client certs.d]# docker login hub.licensebox.cn
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@client certs.d]#

上传

上传完成

[root@client ~]# docker push hub.licensebox.cn/library/centos:7.6.1810
The push refers to repository [hub.licensebox.cn/library/centos]
89169d87dbe2: Pushed 
7.6.1810: digest: sha256:747b2de199b6197a26eb1a24d69740d25483995842b2d2f75824095e9d1d19eb size: 529
[root@client ~]#

在VMware Harbor中查看已推送至镜像仓库的镜像

查看审计日志

删除本地镜像

[root@client ~]# docker image rm hub.licensebox.cn/library/centos:7.6.1810
Untagged: hub.licensebox.cn/library/centos:7.6.1810
Untagged: hub.licensebox.cn/library/centos@sha256:747b2de199b6197a26eb1a24d69740d25483995842b2d2f75824095e9d1d19eb
[root@client ~]# docker image rm centos:7.6.1810
Untagged: centos:7.6.1810
Untagged: centos@sha256:0baec775bbf3e01cc770d5823c285b291b44ca05bb7c31b8674db5dae1d2aea9
Deleted: sha256:f1cb7c7d58b73eac859c395882eec49d50651244e342cd6c68a5c7809785f427
Deleted: sha256:89169d87dbe2b72ba42bfbb3579c957322baca28e03a1e558076542a1c1b2b4a
[root@client ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu 18.04 7698f282e524 12 days ago 69.9MB
[root@client ~]#

尝试拉取之前推送的镜像

[root@client ~]# docker pull hub.licensebox.cn/library/centos:7.6.1810
7.6.1810: Pulling from library/centos
ac9208207ada: Pull complete 
Digest: sha256:747b2de199b6197a26eb1a24d69740d25483995842b2d2f75824095e9d1d19eb
Status: Downloaded newer image for hub.licensebox.cn/library/centos:7.6.1810
[root@client ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu 18.04 7698f282e524 12 days ago 69.9MB
hub.licensebox.cn/library/centos 7.6.1810 f1cb7c7d58b7 2 months ago 202MB
[root@client ~]#

查看日志

登出镜像仓库

[root@client ~]# docker logout hub.licensebox.cn
Removing login credentials for hub.licensebox.cn
[root@client ~]#

作为公开仓库,即使不登录仍然可以访问(拉取)仓库中的镜像

日志显示匿名用户anonymous对仓库进行了拉取镜像的操作

VMware Harbor构建企业级镜像仓库

 未分类  No Responses »
5月 242019
 

企业级开源镜像仓库服务

https://github.com/goharbor/harbor

特性

Cloud native registry: With support for both container images and Helm charts, Harbor serves as registry for cloud native environments like container runtimes and orchestration platforms.
云端适用的镜像仓库服务
Role based access control: Users and repositories are organized via 'projects' and a user can have different permission for images under a project.
基于角色的访问控制
Policy based image replication: Images can be replicated (synchronized) between multiple registry instances based on policies with multiple filters (repository, tag and label). Harbor will auto-retry to replicate if it encounters any errors. Great for load balancing, high availability, multi-datacenter, hybrid and multi-cloud scenarios.
基于策略的镜像复制技术
Vulnerability Scanning: Harbor scans images regularly and warns users of vulnerabilities.
镜像漏洞扫描
LDAP/AD support: Harbor integrates with existing enterprise LDAP/AD for user authentication and management, and supports importing LDAP groups into Harbor and assigning proper project roles to them.
LDAP和AD集成支持
Image deletion & garbage collection: Images can be deleted and their space can be recycled.
镜像删除和垃圾回收机制
Notary: Image authenticity can be ensured.
镜像可信公证机制
Graphical user portal: User can easily browse, search repositories and manage projects.
图形化用户门户
Auditing: All the operations to the repositories are tracked.
操作可审计
RESTful API: RESTful APIs for most administrative operations, easy to integrate with external systems.
具有RESTful接口
Easy deployment: Provide both an online and offline installer.
易于部署

安装配置环境要求
软件
On a Linux host: docker 17.03.0-ce+ and docker-compose 1.18.0+ .
硬件:最小2核4G
端口开放:TCP80/443/4443

下载离线安装包

https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.0.tgz

[root@iZj6cehstgjoj3qav88fidZ ~]# curl -O https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.0.tgz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 527M 100 527M 0 0 12.3M 0 0:00:42 0:00:42 --:--:-- 12.2M
[root@iZj6cehstgjoj3qav88fidZ ~]#

安装docker最新版

安装仓库源

[root@iZj6cehstgjoj3qav88fidZ ~]# yum install -y yum-utils device-mapper-persistent-data lvm2

[root@iZj6cehstgjoj3qav88fidZ ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
Loaded plugins: fastestmirror
adding repo from: https://download.docker.com/linux/centos/docker-ce.repo
grabbing file https://download.docker.com/linux/centos/docker-ce.repo to /etc/yum.repos.d/docker-ce.repo
repo saved to /etc/yum.repos.d/docker-ce.repo
[root@iZj6cehstgjoj3qav88fidZ ~]#

[root@iZj6cehstgjoj3qav88fidZ ~]# yum install docker-ce docker-ce-cli containerd.io

启动服务

[root@iZj6cehstgjoj3qav88fidZ ~]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
[root@iZj6cehstgjoj3qav88fidZ ~]# systemctl start docker
[root@iZj6cehstgjoj3qav88fidZ ~]#

安装docker-compose最新版

下载

[root@iZj6cehstgjoj3qav88fidZ ~]# sudo curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 617 0 617 0 0 567 0 --:--:-- 0:00:01 --:--:-- 567
100 15.4M 100 15.4M 0 0 2972k 0 0:00:05 0:00:05 --:--:-- 4764k
[root@iZj6cehstgjoj3qav88fidZ ~]#

修改权限

[root@iZj6cehstgjoj3qav88fidZ ~]# chmod +x /usr/local/bin/docker-compose
[root@iZj6cehstgjoj3qav88fidZ ~]# ll /usr/local/bin/docker-compose
-rwxr-xr-x 1 root root 16154160 May 27 18:00 /usr/local/bin/docker-compose
[root@iZj6cehstgjoj3qav88fidZ ~]#

安装OpenSSL及自签证书

https://github.com/goharbor/harbor/blob/master/docs/configure_https.md
安装OpenSSL

[root@iZj6cehstgjoj3qav88fidZ ~]# yum -y install openssl

生成CA证书和密钥

[root@iZj6cehstgjoj3qav88fidZ ~]# openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
..........................++
................++
e is 65537 (0x10001)
[root@iZj6cehstgjoj3qav88fidZ ~]#

[root@iZj6cehstgjoj3qav88fidZ ~]# openssl req -x509 -new -nodes -sha512 -days 3650 \
> -subj "/C=TW/ST=Taipei/L=Taipei/O=example/OU=Personal/CN=yourdomain.com" \
> -key ca.key \
> -out ca.crt
[root@iZj6cehstgjoj3qav88fidZ ~]#

生成服务器证书和密钥
1)生成密钥

[root@iZj6cehstgjoj3qav88fidZ ~]# openssl genrsa -out hub.licensebox.cn.key 4096 
Generating RSA private key, 4096 bit long modulus
.......................................................................................................++
..................................................................................................++
e is 65537 (0x10001)
[root@iZj6cehstgjoj3qav88fidZ ~]#

2)生成CSR

[root@iZj6cehstgjoj3qav88fidZ ~]# openssl req -sha512 -new \
> -subj "/C=TW/ST=Taipei/L=Taipei/O=example/OU=Personal/CN=hub.licensebox.cn" \
> -key hub.licensebox.cn.key \
> -out hub.licensebox.cn.csr
[root@iZj6cehstgjoj3qav88fidZ ~]# ls
ca.crt ca.key harbor-offline-installer-v1.8.0.tgz hub.licensebox.cn.csr hub.licensebox.cn.key
[root@iZj6cehstgjoj3qav88fidZ ~]#

3)生成证书

[root@iZj6cehstgjoj3qav88fidZ ~]# openssl x509 -req -sha512 -days 3650 \
> -CA ca.crt -CAkey ca.key -CAcreateserial \
> -in hub.licensebox.cn.csr \
> -out hub.licensebox.cn.crt
Signature ok
subject=/C=TW/ST=Taipei/L=Taipei/O=example/OU=Personal/CN=hub.licensebox.cn
Getting CA Private Key
[root@iZj6cehstgjoj3qav88fidZ ~]# ls
ca.crt ca.key ca.srl harbor-offline-installer-v1.8.0.tgz hub.licensebox.cn.crt hub.licensebox.cn.csr hub.licensebox.cn.key
[root@iZj6cehstgjoj3qav88fidZ ~]#

转换证书格式(crt–>cert)

[root@iZj6cehstgjoj3qav88fidZ ~]# openssl x509 -inform PEM -in hub.licensebox.cn.crt -out hub.licensebox.cn.cert
[root@iZj6cehstgjoj3qav88fidZ ~]# ls
ca.crt ca.key ca.srl harbor-offline-installer-v1.8.0.tgz hub.licensebox.cn.cert hub.licensebox.cn.crt hub.licensebox.cn.csr hub.licensebox.cn.key
[root@iZj6cehstgjoj3qav88fidZ ~]#

部署证书文件到本机Docker相关配置目录下

[root@iZj6cehstgjoj3qav88fidZ ~]# mkdir -p /etc/docker/certs.d/hub.licensebox.cn/
[root@iZj6cehstgjoj3qav88fidZ ~]# cp ca.crt /etc/docker/certs.d/hub.licensebox.cn/
[root@iZj6cehstgjoj3qav88fidZ ~]# cp hub.licensebox.cn.cert /etc/docker/certs.d/hub.licensebox.cn/
[root@iZj6cehstgjoj3qav88fidZ ~]# cp hub.licensebox.cn.key /etc/docker/certs.d/hub.licensebox.cn/

解压安装包并修改配置文件

[root@iZj6cehstgjoj3qav88fidZ ~]# tar xzf harbor-offline-installer-v1.8.0.tgz 
[root@iZj6cehstgjoj3qav88fidZ ~]# ls
ca.crt ca.key ca.srl harbor harbor-offline-installer-v1.8.0.tgz hub.licensebox.cn.cert hub.licensebox.cn.crt hub.licensebox.cn.csr hub.licensebox.cn.key
[root@iZj6cehstgjoj3qav88fidZ ~]# cd harbor
[root@iZj6cehstgjoj3qav88fidZ harbor]# ls
harbor.v1.8.0.tar.gz harbor.yml install.sh LICENSE prepare
[root@iZj6cehstgjoj3qav88fidZ harbor]#

修改配置文件

修改主机名

hostname: reg.mydomain.com
Hostname: hub.licensebox.cn

启用443端口和配置证书

# https related config
# https:
# # https port for harbor, default is 443
# port: 443
# # The path of cert and key files for nginx
# certificate: /your/certificate/path
# private_key: /your/private/key/path

# https related config
https:
# # https port for harbor, default is 443
port: 443
# # The path of cert and key files for nginx
certificate: /root/hub.licensebox.cn.crt
private_key: /root/hub.licensebox.cn.key

初始密码修改

harbor_admin_password: Harbor12345
harbor_admin_password: Harbor20190527

修改数据库初始密码(未修改)(生产环境应当修改)

# Harbor DB configuration
database:
# The password for the root user of Harbor DB. Change this before any production use.
password: root123

生成配置文件

[root@iZj6cehstgjoj3qav88fidZ harbor]# ./prepare 
prepare base dir is set to /root/harbor
Unable to find image 'goharbor/prepare:v1.8.0' locally
v1.8.0: Pulling from goharbor/prepare
4e360eca2e60: Pull complete 
cd3c4c42d48b: Pull complete 
647e8efbf475: Pull complete 
79272af3d010: Pull complete 
1aec5eb71578: Pull complete 
1a29af1ecc2c: Pull complete 
e382cb5c1ecb: Pull complete 
Digest: sha256:c590164ae2c54e360642b1174c8ad90306b05ca0582f02f35889346c113e555d
Status: Downloaded newer image for goharbor/prepare:v1.8.0
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[root@iZj6cehstgjoj3qav88fidZ harbor]#

执行安装脚本

[root@iZj6cehstgjoj3qav88fidZ harbor]# ./install.sh

[Step 0]: checking installation environment ...

Note: docker version: 18.09.6

Note: docker-compose version: 1.24.0

[Step 1]: loading Harbor images ...
1d4a1da12c02: Loading layer [==================================================>] 50.51MB/50.51MB
8eb1a006f3b0: Loading layer [==================================================>] 3.584kB/3.584kB
41b6f75847f4: Loading layer [==================================================>] 3.072kB/3.072kB
ec9bd6e4d4e8: Loading layer [==================================================>] 2.56kB/2.56kB
6d852bb664c2: Loading layer [==================================================>] 3.072kB/3.072kB
0e4ed2b5a5b8: Loading layer [==================================================>] 3.584kB/3.584kB
8dfb2b644f30: Loading layer [==================================================>] 12.29kB/12.29kB
Loaded image: goharbor/harbor-log:v1.8.0
d8c53538042b: Loading layer [==================================================>] 63.34MB/63.34MB
1b5fb7ee22e0: Loading layer [==================================================>] 47.96MB/47.96MB
a8bdca5e9d71: Loading layer [==================================================>] 6.656kB/6.656kB
f7cec940b52c: Loading layer [==================================================>] 2.048kB/2.048kB
301a4a2af7db: Loading layer [==================================================>] 7.68kB/7.68kB
e588e1e3a775: Loading layer [==================================================>] 2.56kB/2.56kB
539f28a5d0ea: Loading layer [==================================================>] 2.56kB/2.56kB
8b4a72241226: Loading layer [==================================================>] 2.56kB/2.56kB
Loaded image: goharbor/harbor-db:v1.8.0
c88db349fb2f: Loading layer [==================================================>] 8.972MB/8.972MB
1f2d4d72bba2: Loading layer [==================================================>] 35.77MB/35.77MB
dddbcf598df5: Loading layer [==================================================>] 2.048kB/2.048kB
0ced476c2d9c: Loading layer [==================================================>] 3.072kB/3.072kB
af24eb0bf40b: Loading layer [==================================================>] 35.77MB/35.77MB
Loaded image: goharbor/chartmuseum-photon:v0.8.1-v1.8.0
Loaded image: goharbor/prepare:v1.8.0
257ebcc1c9c4: Loading layer [==================================================>] 8.967MB/8.967MB
7579d3c94fca: Loading layer [==================================================>] 38.68MB/38.68MB
323611f7dd17: Loading layer [==================================================>] 38.68MB/38.68MB
Loaded image: goharbor/harbor-jobservice:v1.8.0
587a5757a7f6: Loading layer [==================================================>] 3.548MB/3.548MB
Loaded image: goharbor/nginx-photon:v1.8.0
a61ab2060e6e: Loading layer [==================================================>] 8.967MB/8.967MB
25359ae00f57: Loading layer [==================================================>] 5.143MB/5.143MB
610a1668f8bf: Loading layer [==================================================>] 15.13MB/15.13MB
db2252abd9e0: Loading layer [==================================================>] 26.47MB/26.47MB
4f406312560b: Loading layer [==================================================>] 22.02kB/22.02kB
1cee0947e5a7: Loading layer [==================================================>] 3.072kB/3.072kB
48db2b9b0752: Loading layer [==================================================>] 46.74MB/46.74MB
Loaded image: goharbor/notary-server-photon:v0.6.1-v1.8.0
aaf447150765: Loading layer [==================================================>] 113MB/113MB
6835441e1a1d: Loading layer [==================================================>] 10.94MB/10.94MB
9f4739e3a532: Loading layer [==================================================>] 2.048kB/2.048kB
928f489135f0: Loading layer [==================================================>] 48.13kB/48.13kB
1495a1a09ada: Loading layer [==================================================>] 3.072kB/3.072kB
1a5f5b141717: Loading layer [==================================================>] 10.99MB/10.99MB
Loaded image: goharbor/clair-photon:v2.0.8-v1.8.0
66006ea937c6: Loading layer [==================================================>] 337.8MB/337.8MB
d272ba122880: Loading layer [==================================================>] 106.5kB/106.5kB
Loaded image: goharbor/harbor-migrator:v1.8.0
05bc5efb1724: Loading layer [==================================================>] 8.967MB/8.967MB
af3a6f89469a: Loading layer [==================================================>] 46.85MB/46.85MB
452d238b3e48: Loading layer [==================================================>] 5.632kB/5.632kB
36e1cb2d6ffa: Loading layer [==================================================>] 27.14kB/27.14kB
5385ffb8451e: Loading layer [==================================================>] 46.85MB/46.85MB
Loaded image: goharbor/harbor-core:v1.8.0
268091c30a67: Loading layer [==================================================>] 71.66MB/71.66MB
4433bcd802e7: Loading layer [==================================================>] 3.072kB/3.072kB
420b26399278: Loading layer [==================================================>] 59.9kB/59.9kB
8864c4b9ac3d: Loading layer [==================================================>] 61.95kB/61.95kB
Loaded image: goharbor/redis-photon:v1.8.0
63645c97bf5d: Loading layer [==================================================>] 8.968MB/8.968MB
ccb295818ad9: Loading layer [==================================================>] 3.072kB/3.072kB
1ec2d1eefa8f: Loading layer [==================================================>] 2.56kB/2.56kB
b88acf0f9f5f: Loading layer [==================================================>] 20.1MB/20.1MB
0e7375de12e6: Loading layer [==================================================>] 20.1MB/20.1MB
Loaded image: goharbor/registry-photon:v2.7.1-patch-2819-v1.8.0
444b0c8bfeee: Loading layer [==================================================>] 3.548MB/3.548MB
ed0415346760: Loading layer [==================================================>] 6.568MB/6.568MB
572bd51089e0: Loading layer [==================================================>] 160.8kB/160.8kB
1410c2919a92: Loading layer [==================================================>] 215kB/215kB
8ecdca210598: Loading layer [==================================================>] 3.584kB/3.584kB
Loaded image: goharbor/harbor-portal:v1.8.0
7fb66591fb58: Loading layer [==================================================>] 8.968MB/8.968MB
42ec4a6394bf: Loading layer [==================================================>] 3.072kB/3.072kB
be6c2180cb57: Loading layer [==================================================>] 20.1MB/20.1MB
d956d9e974c5: Loading layer [==================================================>] 3.072kB/3.072kB
e2e0b4f17ad8: Loading layer [==================================================>] 7.465MB/7.465MB
7e29d670afe9: Loading layer [==================================================>] 27.56MB/27.56MB
Loaded image: goharbor/harbor-registryctl:v1.8.0
453732ea69d4: Loading layer [==================================================>] 13.72MB/13.72MB
c985f3824f33: Loading layer [==================================================>] 26.47MB/26.47MB
76eaa2763221: Loading layer [==================================================>] 22.02kB/22.02kB
0ef55a752948: Loading layer [==================================================>] 3.072kB/3.072kB
c5749b90723d: Loading layer [==================================================>] 45.33MB/45.33MB
Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.8.0


[Step 2]: preparing environment ...
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/cert/server.key
Clearing the configuration file: /config/cert/server.crt
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/core/env
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

[Step 3]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registryctl ... done
Creating harbor-db ... done
Creating redis ... done
Creating registry ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating harbor-portal ... done
Creating nginx ... done

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at https://hub.licensebox.cn. 
For more details, please visit https://github.com/goharbor/harbor .

[root@iZj6cehstgjoj3qav88fidZ harbor]#

提示安装完成并已启动服务后登录Web门户(SSL证书信任错误)

登录界面

首页,默认已生成一个library名称的项目镜像仓库

Harbor服务的本地数据存储路径