前言 harbor是一個docker/podman鏡像管理庫,可用於存儲私人鏡像。現將本人在debian12系統搭建harbor鏡像庫的過程記錄下來,留作後續參考。 可以參考github harbor項目給定的安裝教程,很詳細了:https://goharbor.io/docs/2.11.0/ins ...
前言
harbor是一個docker/podman鏡像管理庫,可用於存儲私人鏡像。現將本人在debian12系統搭建harbor鏡像庫的過程記錄下來,留作後續參考。
可以參考github harbor項目給定的安裝教程,很詳細了:https://goharbor.io/docs/2.11.0/install-config/configure-https/
本篇博客著重參考了博客園另一位作者的文章 私有鏡像倉庫harbor之手把手搭建步驟,在此基礎上做了一些補充。
正文
harbor 鏡像管理庫依賴於docker環境,並且會使用 docker-compose 的方式啟動,所以需要先安裝docker以及docker-compose,然後從github下載harbor離線安裝包安裝。由於是個人學習實驗使用,安裝環境是本地的debian12,安裝全程使用root用戶。
harbor安裝包使用github目前最新的版本:https://github.com/goharbor/harbor/releases/download/v2.9.5-rc1/harbor-offline-installer-v2.9.5-rc1.tgz
根據官網上的說法,harbor對於環境有一定要求:
- 硬體要求
The following table lists the minimum and recommended hardware configurations for deploying Harbor.
| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 2 CPU | 4 CPU |
| Mem | 4 GB | 8 GB |
| Disk | 40 GB | 160 GB |
- 軟體要求
The following table lists the software versions that must be installed on the target host.
| Software | Version | Description |
|---|---|---|
| Docker Engine | Version 20.10.10-ce+ or higher | For installation instructions, see Docker Engine documentation |
| Docker Compose | docker-compose (v1.18.0+) or docker compose v2 (docker-compose-plugin) | For installation instructions, see Docker Compose documentation |
| OpenSSL | Latest is preferred | Used to generate certificate and keys for Harbor |
- 網路埠要求
Harbor requires that the following ports be open on the target host.
| Port | Protocol | Description |
|---|---|---|
| 443 | HTTPS | Harbor portal and core API accept HTTPS requests on this port. You can change this port in the configuration file. |
| 4443 | HTTPS | Connections to the Docker Content Trust service for Harbor. You can change this port in the configuration file. |
| 80 | HTTP | Harbor portal and core API accept HTTP requests on this port. You can change this port in the configuration file. |
1. 安裝docker
apt update
apt install docker.io
docker --version
# Docker version 20.10.24+dfsg1, build 297e128
配置docker鏡像
cd /etc/docker/
touch daemon.json
編輯 daemon.json (如果這個不可用,需要自行尋找可用鏡像源)
{
"registry-mirrors": ["https://docker.nastool.de"]
}
測試docker鏡像可用性 -- 可略過
docker search hello-world
# NAME DESCRIPTION # STARS OFFICIAL AUTOMATED
# hello-world Hello World! (an example of minimal Dockeriz… 2269 [OK]
docker pull hello-world
docker images |grep hello-world
# hello-world latest d2c94e258dcb 14 months ago 13.3kB
docker run --rm --name=tst hello-world
# Hello from Docker!
# This message shows that your installation appears to be working correctly.
#
# To generate this message, Docker took the following steps:
# 1. The Docker client contacted the Docker daemon.
# 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
# (amd64)
# 3. The Docker daemon created a new container from that image which runs the
# executable that produces the output you are currently reading.
# 4. The Docker daemon streamed that output to the Docker client, which sent it to your terminal.
# To try something more ambitious, you can run an Ubuntu container with:
# $ docker run -it ubuntu bash
# Share images, automate workflows, and more with a free Docker ID:
# https://hub.docker.com/
# For more examples and ideas, visit:
# https://docs.docker.com/get-started/
2. 安裝docker-complose
apt install docker-compose
# docker-compose version 1.29.2, build unknown
3. 下載harbor安裝包
從github下載安裝包,安裝包比較大(621M),需要想辦法下載。
# 比如下載到/root/harbor/目錄
mkdir -p /root/harbor
cd /root/harbor
# 可以用aria2c下載
# apt install aria2c
# 從這個頁面找到最新安裝包或最適合的版本 https://github.com/goharbor/harbor/releases
# 下麵的鏈接是我用瀏覽器點擊下載後獲取到的下載鏈接,應該會變,需要實時獲取
aria2c "https://objects.githubusercontent.com/github-production-release-asset-2e65be/50613991/8905e864-0824-4b9c-87c1-44a9e0b4db4f?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240630%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240630T170549Z&X-Amz-Expires=300&X-Amz-Signature=484b6cdee5c9f515d800c41cbf3253d918b470b9d9401db224d2a1cfd36fc021&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=50613991&response-content-disposition=attachment%3B%20filename%3Dharbor-offline-installer-v2.9.5-rc1.tgz&response-content-type=application%2Foctet-stream"
4. 解壓縮 & 創建文件夾
cd /root/harbor
tar -zxvf ./harbor-offline-installer-v2.9.5-rc1.tgz -C /opt
cd /opt/harbor/
mkdir -p /opt/harbor/certs
mkdir -p /opt/harbor/data
5. 準備證書
harbor 安裝時內部使用了nginx, 從瀏覽器訪問網頁需要用到證書(https 單向認證)
更詳細介紹可以參考:https://goharbor.io/docs/2.11.0/install-config/configure-https/
cd /opt/harbor/certs
# 我把官網的製作證書的過程寫到了shell中
touch mkcerts.sh
mkcerts.sh
#!/bin/bash
# 你想要配置的功能變數名稱 -- 需要按需修改
domain=brian-harbor
# 功能變數名稱全稱
host=${domain}.com
# 證書私鑰 (docker-compose啟動時)需要的證書私鑰
key=${host}.key
# 證書申請文件 - 用於申請證書
csr=${host}.csr
# harbor (docker-compose啟動時)需要的證書
crt=${host}.crt
# docker 需要配置的證書,基於crt生成
cert=${host}.cert
# 部署harbor的主機名稱 -- 需要按需修改
ip=192.168.1.9
# ca 證書
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=MyPersonal Root CA" \
-key ca.key \
-out ca.crt
# cert 功能變數名稱證書
openssl genrsa -out ${key} 4096
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=${host}" \
-key ${key} \
-out ${csr}
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=${host}
DNS.2=${domain}
DNS.3=${ip}
EOF
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in ${csr} \
-out ${crt}
openssl x509 -inform PEM -in ${crt} -out ${cert}
# 製作證書
chmod +x mkcerts.sh
./mkcerts.sh
ls
# brian-harbor.com.cert brian-harbor.com.crt brian-harbor.com.csr brian-harbor.com.key ca.crt ca.key ca.srl mkcerts.sh v3.ext
6. 準備環境
如果用的本地伺服器,沒有功能變數名稱,需要用修改/etc/hosts的方式添加功能變數名稱解析地址
vim /etc/hosts
# 添加一行
192.168.1.9 brian-harbor.com
給docker.service添加步驟5生成的證書,否則可能造成docker login時報錯證書未識別
cd /etc/docker
mkdir -p /etc/docker/certs.d
# 下麵的功能變數名稱文件夾要換成你自己的
mkdir -p /etc/docker/certs.d/brian-harbor.com/
# 這個未詳細測試
mkdir -p /etc/docker/certs.d/192.168.1.9/
# 將步驟5生成的證書放入上方新建的子文件夾
cp /opt/harbor/certs/brian-harbor.com.cert /etc/docker/certs.d/brian-harbor.com/
cp /opt/harbor/certs/brian-harbor.com.key /etc/docker/certs.d/brian-harbor.com/
cp /opt/harbor/certs/ca.crt /etc/docker/certs.d/brian-harbor.com/
# 將/etc/docker/certs.d/brian-harbor.com/內容 複製給 /etc/docker/certs.d/192.168.1.9/ 一份
cp /etc/docker/certs.d/brian-harbor.com/* /etc/docker/certs.d/192.168.1.9/
# 最終效果
.
├── certs.d
│ ├── 192.168.1.9
│ │ ├── brian-harbor.com.cert
│ │ ├── brian-harbor.com.key
│ │ └── ca.crt
│ └── brian-harbor.com
│ ├── brian-harbor.com.cert
│ ├── brian-harbor.com.key
│ └── ca.crt
├── daemon.json
└── key.json
重啟docker服務
systemctl restart docker
7. 配置harbor配置文件
cd /opt/harbor/
cp harbor.yml.tmpl harbor.yml
修改 harbor.yml (如果埠號80/443已經被其他服務占用,需要修改成其他的)
# ......
# 改成你自己的功能變數名稱
hostname: brian-harbor.com
# ......
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80
# https related config
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /opt/harbor/certs/brian-harbor.com.crt
private_key: /opt/harbor/certs/brian-harbor.com.key
# ......
# admin用戶對應的用戶名
harbor_admin_password: Harbor12345
# The default data volume
data_volume: /opt/harbor/data
安裝harbor
cd /opt/harbor
./prepare
./install.sh
# 如果運行過程報錯找不到/hostfs/opt/certs/xxx ,需要核對下/opt/certs/xxx 是否存在,然後再去檢查harbor.yml
# 安裝完畢,發現docker啟動了很多容器
docker-compose ps
Name Command State Ports
------------------------------------------------------------------------------------------------------------------------------------------------
harbor-core /harbor/entrypoint.sh Up (healthy)
harbor-db /docker-entrypoint.sh 13 14 Up (healthy)
harbor-jobservice /harbor/entrypoint.sh Up (healthy)
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (healthy)
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:80->8080/tcp,:::80->8080/tcp, 0.0.0.0:443->8443/tcp,:::443->8443/tcp
redis redis-server /etc/redis.conf Up (healthy)
registry /home/harbor/entrypoint.sh Up (healthy)
registryctl /home/harbor/start.sh Up (healthy)
# 停止並刪除容器和捲 docker-compose down -v
# 啟動容器 docker-compose up -d
# 重啟 docker-compose restart
# 查看狀態 docker-compose ps
打開瀏覽器,訪問 https://192.168.1.9, 瀏覽器會提示證書不可信,選擇跳過。
輸入admin/Harbor12345進入
8. 設備登陸測試
- harbor本機登陸
docker login -u admin brian-harbor.com
# WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
# Configure a credential helper to remove this warning. See
# https://docs.docker.com/engine/reference/commandline/login/#credentials-store
# Login Succeeded
- 另一臺設備登陸
# 準備另一臺設備,我用了一個ubuntu22虛擬機 + podman,podman 和 docker指令幾乎一摸一樣,以下的指令可以將podman換成docker使用
# 修改/etc/hosts
192.168.1.9 brian-harbor.com
# 登陸測試,我這裡很奇怪,可能強制要求信任對方功能變數名稱ca,需要指定ca證書路徑,否則會報錯
# 需要將 6. 準備環境 中做出來的ca.crt 拷貝到這個虛擬機中,我放在了 /root/harbor/ca.crt
podman login -u admin brian-harbor.com
Password:
Error: authenticating creds for "brian-harbor.com": pinging container registry brian-harbor.com: Get "https://brian-harbor.com/v2/": x509: certificate signed by unknown authority
# 需要指定ca文件夾路徑
podman login --cert-dir /root/harbor/ -u admin brian-harbor.com
Login Succeeded!
# push 鏡像
podman push brian-harbor.com/library/redis:latest --cert-dir /home/brian/harbor/
# 帶上 --cert-dir 還是很彆扭的,這個問題還要進一步研究更好的解決方式
# 估計需要配置本機的可信任ca
參考文章
[1]. 私有鏡像倉庫harbor之手把手搭建步驟
[2]. https://goharbor.io/docs/2.11.0/install-config/configure-https/
