1. Preparation
Note: pay attention to the choice of versions. Does the Docker version match the Harbor and docker-compose versions you are installing?
- Prepare images and binaries
1.1 Download the harbor offline package. I packaged the image from a machine using docker save -o.
1.2 docker-compose binary
curl -L https://github.com/docker/compose/releases/download/1.24.1/docker-compose-Linux-x86_64 -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
- Configure local resolution
echo "192.168.40.63 qiushi.cn" >> /etc/hosts
2. Deploy harbor
1. Issue the CA certificate
Refer to the harbor official documentation:
https://goharbor.io/docs/2.4.0/install-config/configure-https/
[root@qiushi ~]# mkdir ssl && cd ssl
[root@qiushi ssl]# cat ssl.sh
# 1. Root certificate: self-signed CA private key
openssl genrsa -out ca.key 4096
# 2. Root certificate: self-signed CA crt certificate
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=xueshen/OU=k8s/CN=qiushi.cn" \
  -key ca.key \
  -out ca.crt
# This completes the issuance of a self-signed CA root key pair, used to issue certificates to harbor
# Parameter description:
#   C, Country, represents the country
#   ST, State, represents the province
#   L, Location, represents the city
#   O, Organization, represents the organization or company
#   OU, Organization Unit, represents the department
#   CN, Common Name, represents the server domain name
#   emailAddress, represents the contact email address
# 3. Client private key
openssl genrsa -out qiushi.cn.key 4096
# 4. Client certificate signing request (csr file)
openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=xueshen/OU=k8s/CN=qiushi.cn" \
  -key qiushi.cn.key \
  -out qiushi.cn.csr
# 5. The client certificate needs a SAN file (v3.ext): the target domain names these certificates are issued to.
#    The harbor hostname must be one of the following three domain names; the issued certificate is only valid for them.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=qiushi.cn
DNS.2=qiushi2.cn
DNS.3=qiushi3.cn
EOF
# 6. Client certificate, signed by the CA
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in qiushi.cn.csr \
  -out qiushi.cn.crt
# 7. The Docker daemon interprets the .crt file as a CA certificate and the .cert file as a client certificate.
openssl x509 -inform PEM -in qiushi.cn.crt -out qiushi.cn.cert
[root@qiushi ssl]# chmod +x ssl.sh
[root@qiushi ssl]# ./ssl.sh
[root@qiushi ssl]# ls
ssl.sh ca.crt ca.key ca.srl v3.ext qiushi.cn.crt qiushi.cn.cert qiushi.cn.csr qiushi.cn.key
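The script above only works if the hostname harbor will later announce in harbor.yml is one of the DNS names in v3.ext, because Docker (a Go TLS client) matches the server name against subjectAltName only and ignores the CN. The following Python is an added example, not part of the original post: it parses a v3.ext file and the hostname line of harbor.yml and reports mismatches before any certificate is issued. The V3_EXT and HARBOR_YML strings are constructed copies of the values used on this page; check_cert_config and the other function names are this example's own.

```python
import re

# Constructed copies of the page's v3.ext and of the harbor.yml lines that matter here.
V3_EXT = """authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=qiushi.cn
DNS.2=qiushi2.cn
DNS.3=qiushi3.cn
"""

HARBOR_YML = """hostname: qiushi.cn
https:
  port: 443
  certificate: /data/ssl/qiushi.cn.crt
  private_key: /data/ssl/qiushi.cn.key
"""


def parse_ext(text):
    """Return (top-level settings, list of DNS SANs) from an openssl v3 extension file."""
    settings, alt_names, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section == "alt_names":
            if key.upper().startswith("DNS."):
                alt_names.append(value.lower())
        elif section is None:
            settings[key] = value
    return settings, alt_names


def harbor_hostname(yml_text):
    """Extract the top-level 'hostname:' value from harbor.yml text."""
    match = re.search(r"^hostname:\s*(\S+)", yml_text, re.M)
    return match.group(1).strip("'\"").lower() if match else None


def san_matches(hostname, alt_names):
    """Exact match, or a single-label wildcard (*.example.com) as a TLS client evaluates it."""
    for san in alt_names:
        if san == hostname:
            return True
        if (san.startswith("*.") and hostname.endswith(san[1:])
                and hostname.count(".") == san.count(".")):
            return True
    return False


def check_cert_config(ext_text, yml_text):
    """Return a list of problems; an empty list means the SAN file fits the harbor hostname."""
    settings, alt_names = parse_ext(ext_text)
    host = harbor_hostname(yml_text)
    problems = []
    if host is None:
        problems.append("harbor.yml has no hostname")
    elif not san_matches(host, alt_names):
        problems.append(f"hostname {host} is not covered by subjectAltName {alt_names}")
    if settings.get("basicConstraints", "").upper() != "CA:FALSE":
        problems.append("leaf certificate must have basicConstraints=CA:FALSE")
    if "serverAuth" not in settings.get("extendedKeyUsage", ""):
        problems.append("extendedKeyUsage must include serverAuth for a registry certificate")
    if "subjectAltName" not in settings:
        problems.append("no subjectAltName: Docker ignores the CN, so the name would never match")
    return problems


if __name__ == "__main__":
    print(check_cert_config(V3_EXT, HARBOR_YML) or "v3.ext covers the harbor hostname")
```

Run it against the real files with `check_cert_config(open("v3.ext").read(), open("/data/install/harbor/harbor.yml").read())` before executing ssl.sh; the same function catches the renamed-hostname situation described later in 7.2, where harbor.yml changes but the certificate does not.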
2. Mount the certificate for harbor and docker
Copy the certificate to the harbor mount directory:
[root@qiushi ssl]# mkdir /data/{ssl,install} -p
[root@qiushi ssl]# cp qiushi.cn.crt qiushi.cn.key /data/ssl
Copy the certificate to the docker mount directory:
[root@qiushi ssl]# mkdir /etc/docker/certs.d/qiushi.cn/ -p
[root@qiushi ssl]# cp ca.crt qiushi.cn.cert qiushi.cn.key /etc/docker/certs.d/qiushi.cn/
3. Unpack the harbor offline package, which contains the images, the harbor.yml template, etc.; docker-compose.yml still has to be generated
[root@qiushi ~]# tar xzvf harbor-offline-installer-v2.3.0-rc3.tgz -C /data/install/
harbor/harbor.v2.3.0.tar.gz
harbor/prepare
harbor/LICENSE
harbor/install.sh
harbor/common.sh
harbor/harbor.yml.tmpl
[root@qiushi harbor]# docker load -i harbor.v2.3.0.tar.gz
Execute ./prepare to generate the usable configuration file docker-compose.yml:
[root@qiushi harbor]# ./prepare
prepare base dir is set to /data/install/harbor
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[root@qiushi harbor]# ls
common docker-compose.yml harbor.yaml.bak harbor.yml.tmpl LICENSE common.sh harbor.v2.3.0.tar.gz harbor.yml install.sh prepare
[root@qiushi harbor]# cp harbor.yml.tmpl harbor.yml
3. Modify the configuration files: certificate mount paths, the port mapped for 80, hostname
3.1 Harbor configuration file modification
[root@qiushi ~]# cat /data/install/harbor/harbor.yml
hostname: qiushi.cn
http:
  # Port 80 is not exposed to the outside world by default
  port: 9999
https:
  # https port for harbor, default is 443
  port: 443
  certificate: /data/ssl/qiushi.cn.crt   # mount directory
  private_key: /data/ssl/qiushi.cn.key   # mount directory
Mail and LDAP do not need to be configured here; they can be configured in the harbor web interface.
Use the default settings for the other options. Save and exit after modification.
Note: Harbor's default account and password are admin/Harbor12345
3.2 Docker-compose configuration file modification (modify harbor.yml first and then run prepare, which generates the modified docker-compose.yml directly)
[root@qiushi ~]# cat /data/install/harbor/docker-compose.yml | grep port
  proxy:
    image: goharbor/nginx-photon:v2.3.0
    container_name: nginx
    restart: always
    ...
    ports:
      - 9999:8080   # Port 80 is not exposed to the outside world by default
      - 443:8443
3.3 Docker adds a trusted private image registry
[root@qiushi ssl]# cat /etc/docker/daemon.json
{
  "registry-mirrors": [
    "https://vh3bm52y.mirror.aliyuncs.com",
    "https://registry.dockercn.com",
    "https://docker.mirrors.ustc.edu.cn",
    "https://dockerhub.azk8s.cn",
    "http://hubmirror.c.163.com",
    "https://qiushi.cn"
  ],
  "exec-opts": ["native.cgroupdriver=systemd"]
}
[root@qiushi ~]# systemctl daemon-reload
[root@qiushi ~]# systemctl restart docker
4. Verify HTTPS
Use the domain name to log in to the private image registry
[root@qiushi ~]# ./install.sh
[root@qiushi ~]# docker login qiushi.cn -u admin -p Harbor12345
[root@qiushi ~]# docker images
REPOSITORY                 TAG      IMAGE ID       CREATED       SIZE
goharbor/harbor-exporter   v2.3.0   fa4ecf260b3a   2 years ago   80.7MB
xuegod.cn/test/aa          v1       fa4ecf260b3a   2 years ago   80.7MB
[root@qiushi ~]# docker tag goharbor/harbor-exporter:v2.3.0 qiushi.cn/test/test_image:v1
[root@qiushi ~]# docker push qiushi.cn/test/test_image:v1
The push refers to repository [qiushi.cn/test/test_image]
83cea239dd18: Pushed
48f062b756ef: Pushed
3b267db69816: Pushed
230bb4d21843: Pushed
7b63ae3694f2: Pushed
v1: digest: sha256:398f5a2058d77b5c66942f78ab871ce69990d75121b5b7ef3af7283cc73bc7a4 size: 1369
http://192.168.40.63:9999/
https://qiushi.cn
5. Configure harbor to start at boot
vim /etc/rc.local
/usr/local/bin/docker-compose -f /data/install/harbor/docker-compose.yml up -d
6. Connecting the harbor private registry to K8s
Since the registry is not public, pulling an image requires an account and password; you need to configure the certificate as a secret and mount it into the pod.
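What the kubelet needs for the pull is a Secret of type kubernetes.io/dockerconfigjson holding the registry login, referenced from the pod through imagePullSecrets; the CA certificate itself is not carried in that secret but must be trusted by each node's container runtime (for Docker, the certs.d directory from 3.3). The Python below is an added example, not code from the original post or from the Harbor project: it builds the same document that `kubectl create secret docker-registry` produces, a pod manifest that references it, and a decoder for auditing which registry credentials a cluster holds. The secret name harbor-cred, the default namespace and the password REPLACE_ME are constructed placeholders.

```python
import base64
import json


def docker_config_json(registry, username, password):
    """Build the .dockerconfigjson document for one registry.

    The kubelet authenticates with the "auth" field, which is
    base64("username:password"); username/password are kept alongside
    for readability, exactly as docker login writes them.
    """
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return json.dumps({"auths": {registry: {"username": username,
                                            "password": password,
                                            "auth": auth}}})


def image_pull_secret(name, namespace, registry, username, password):
    """Return the Secret manifest (a dict ready for json.dumps) that a pod can reference."""
    cfg = docker_config_json(registry, username, password)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(cfg.encode()).decode()},
    }


def pod_using_secret(secret_name, image, pod_name="test-pod"):
    """Minimal pod manifest that pulls `image` with the given imagePullSecret."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": pod_name},
        "spec": {
            "containers": [{"name": "app", "image": image}],
            "imagePullSecrets": [{"name": secret_name}],
        },
    }


def decode_pull_secret(manifest):
    """Recover {registry: (username, password)} from a dockerconfigjson Secret.

    Decodes the "auth" field rather than trusting username/password, because
    "auth" is what is actually sent to the registry.
    """
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"]).decode()
    found = {}
    for registry, entry in json.loads(raw)["auths"].items():
        user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        found[registry] = (user, password)
    return found


if __name__ == "__main__":
    # Constructed placeholder credentials; REPLACE_ME stands in for the real password.
    secret = image_pull_secret("harbor-cred", "default", "qiushi.cn", "admin", "REPLACE_ME")
    print(json.dumps(secret, indent=2))
    print(json.dumps(pod_using_secret("harbor-cred", "qiushi.cn/test/test_image:v1"), indent=2))
```

Pipe the printed manifests into `kubectl apply -f -`. Because the secret stores the password in recoverable form (as decode_pull_secret shows), use a dedicated robot or low-privilege Harbor account for pulls rather than the admin login, and set harbor_admin_password in harbor.yml before the first install instead of keeping the default Harbor12345 from 3.1.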
7. Record problems
7.1 K8s pulls the image and reports: http: server gave HTTP response to HTTPS client
Our local Docker client needs to hold the harbor certificate; so how is the certificate maintained on the docker client?
7.1.1 One way is to add the registry address to the insecure-registries configuration item, allowing access to the remote registry
7.1.2 Maintain the harbor certificate; pay special attention to the configuration in docker: the Docker daemon interprets the .crt file as a CA certificate and the .cert file as a client certificate.
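Sections 3.3 and 7.1 describe two ways a Docker client can end up talking to qiushi.cn: trusting the private CA through /etc/docker/certs.d/<host>/ca.crt, or listing the host in insecure-registries, which makes the daemon fall back to unverified TLS and plain HTTP. The Python below is an added example (not from the original post) that classifies a client's configuration for a given registry host and catches the 7.1.2 pitfall, a CA file saved with the .cert suffix, which Docker reads as a client certificate. It also reports whether the host is listed only under registry-mirrors, which affects docker.io pulls and grants no trust. The daemon.json text and the certs.d tree it builds under a temporary directory are constructed for the demo; registry_trust_status and listed_as_mirror are this example's own names.

```python
import json
import os
import tempfile
from urllib.parse import urlparse

# Constructed daemon.json for the demo (not the page's file): the registry is
# listed as a mirror AND in insecure-registries, the weak setting from 7.1.1.
CONSTRUCTED_DAEMON_JSON = """
{
  "registry-mirrors": ["https://vh3bm52y.mirror.aliyuncs.com", "https://qiushi.cn"],
  "insecure-registries": ["qiushi.cn"],
  "exec-opts": ["native.cgroupdriver=systemd"]
}
"""


def _load(daemon_json_text):
    return json.loads(daemon_json_text) if daemon_json_text.strip() else {}


def registry_trust_status(host, daemon_json_text, certs_root="/etc/docker/certs.d"):
    """Classify how the Docker daemon would treat TLS for `host`.

    'insecure'      host is in insecure-registries: unverified TLS and plain
                    HTTP are accepted (weak; use the CA directory instead)
    'private-ca'    certs_root/<host>/*.crt holds a PEM certificate, so the
                    daemon verifies the registry against that CA
    'misnamed-ca'   only *.cert files exist: Docker treats .cert as a client
                    certificate, so verification still fails (7.1.2)
    'system-trust'  nothing configured: only the OS trust store applies
    """
    if host in _load(daemon_json_text).get("insecure-registries", []):
        return "insecure"
    host_dir = os.path.join(certs_root, host)
    if os.path.isdir(host_dir):
        names = os.listdir(host_dir)
        for name in names:
            if name.endswith(".crt"):
                with open(os.path.join(host_dir, name)) as fh:
                    if "BEGIN CERTIFICATE" in fh.read():
                        return "private-ca"
        if any(name.endswith(".cert") for name in names):
            return "misnamed-ca"
    return "system-trust"


def listed_as_mirror(host, daemon_json_text):
    """True if host appears in registry-mirrors; mirrors only serve docker.io pulls."""
    mirrors = _load(daemon_json_text).get("registry-mirrors", [])
    return any(urlparse(m).hostname == host for m in mirrors)


def demo():
    """Build a throw-away certs.d tree for each scenario and classify it."""
    # Constructed placeholder PEM body, not a real certificate.
    pem = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "good", "qiushi.cn")
        bad = os.path.join(root, "bad", "qiushi.cn")
        os.makedirs(good)
        os.makedirs(bad)
        with open(os.path.join(good, "ca.crt"), "w") as fh:
            fh.write(pem)
        with open(os.path.join(bad, "ca.cert"), "w") as fh:
            fh.write(pem)
        return {
            "certs.d with ca.crt": registry_trust_status("qiushi.cn", "{}", os.path.join(root, "good")),
            "certs.d with only ca.cert": registry_trust_status("qiushi.cn", "{}", os.path.join(root, "bad")),
            "insecure-registries": registry_trust_status("qiushi.cn", CONSTRUCTED_DAEMON_JSON, os.path.join(root, "good")),
            "nothing configured": registry_trust_status("qiushi.cn", "{}", root),
        }


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario:28s} -> {status}")
    print("listed as mirror:", listed_as_mirror("qiushi.cn", CONSTRUCTED_DAEMON_JSON))
```

On a real node call `registry_trust_status("qiushi.cn", open("/etc/docker/daemon.json").read())` with the default certs_root; a 'misnamed-ca' result means the CA was copied as .cert, and 'insecure' means the 7.1.1 shortcut is in place and should be replaced by the CA directory once the certificate from section 1 is distributed.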
7.2 Pushing images cannot use non-FQDN domain names
Note the hostname in harbor.yml:
1. Change the host name to qiushi.cn
1.1 You can modify the local resolution or the host name (do your own experiments; modifying the host name in k8s is risky)
1.2 Or register the name in self-built DNS
2. The hostname in harbor.yml also needs to be changed.
3. If you have a DNS registration, it must also be changed.
4. After modification, re-run ./install.sh; this will not affect the already installed harbor.
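The symptom in 7.2 follows from how the Docker client decides which registry an image name refers to: the first path component is treated as a registry host only if it contains a dot or a colon or is exactly "localhost"; otherwise the entire name is a Docker Hub repository, so `docker push qiushi/test/test_image:v1` would try to push to docker.io under the namespace "qiushi", not to the harbor host. The Python below is an added example written for this page, not Docker's own code; it reproduces that rule (the one implemented in Docker's reference-parsing library) so the destination of a reference can be checked before pushing. push_target and split_docker_domain are this example's names.

```python
DEFAULT_DOMAIN = "docker.io"
OFFICIAL_REPO_PREFIX = "library/"


def split_docker_domain(name):
    """Split an image name (no tag/digest) into (registry, repository).

    The first component is a registry only when it contains '.' or ':',
    is 'localhost', or is not all-lowercase; anything else is a Docker Hub
    namespace. Single-component Hub names get the 'library/' prefix.
    """
    i = name.find("/")
    first = name[:i] if i != -1 else ""
    looks_like_hub_namespace = ("." not in first and ":" not in first
                                and first != "localhost"
                                and first.lower() == first)
    if i == -1 or looks_like_hub_namespace:
        domain, remainder = DEFAULT_DOMAIN, name
    else:
        domain, remainder = first, name[i + 1:]
    if domain == DEFAULT_DOMAIN and "/" not in remainder:
        remainder = OFFICIAL_REPO_PREFIX + remainder
    return domain, remainder


def push_target(reference):
    """Strip a digest or tag and report where `docker push` would send the image."""
    name = reference.split("@", 1)[0]          # drop @sha256:... if present
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    if colon > last_slash:                     # a ':' after the last '/' is a tag, not a port
        name = name[:colon]
    return split_docker_domain(name)


def goes_to_private_registry(reference, registry):
    """True only if the reference resolves to `registry` and not to Docker Hub."""
    return push_target(reference)[0] == registry


if __name__ == "__main__":
    # Constructed references: the page's real name and the non-FQDN variant from 7.2.
    for ref in ["qiushi.cn/test/test_image:v1", "qiushi/test/test_image:v1",
                "harbor:9999/test/test_image:v1", "nginx"]:
        print(f"{ref:32s} -> {push_target(ref)}")
```

A host with a port (harbor:9999) is accepted as a registry because of the colon, which is why the "non-FQDN" failure appears only for bare hostnames without a port; the reliable fix remains the one the section gives, a resolvable FQDN that matches harbor.yml and the certificate's SAN.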
7.3 Problems after the harbor physical machine restarts or docker is restarted
systemctl daemon-reload
systemctl restart docker
cd /data/install/harbor
docker-compose stop
docker-compose start
./install.sh
Tried restarting, but it still did not work.
7.4 Advantages of docker-compose container management
Automatic restart strategy
To configure a highly available harbor, refer to this article; it contains many precautions.
https://blog.csdn.net/avatar_2009/article/details/125266411