Document version: 20180216

I recently installed Harbor successfully on Ubuntu Linux 14.04 and on CentOS Linux 7.4; the process is written up below for reference.

Note: to operate Docker as a non-root user, create a docker group, add the current user to it, restart the Docker service and log in again. Membership in the docker group is equivalent to root on the host (anyone who can talk to the daemon socket can mount the host filesystem into a container), so grant it only to trusted administrators.
Create the docker group:
$ sudo groupadd docker
Add the current user to the docker group:
$ sudo gpasswd -a ${USER} docker
Restart the Docker service (the command below is for CentOS 7):
$ sudo systemctl restart docker
Then log out and log back in so the new group membership takes effect.

I. Downloading the Harbor installation files:
1. Harbor project home page: https://github.com/vmware/harbor/
2. See README.md; the installation instructions are in the "Installation & Configuration Guide" it links to:
https://github.com/vmware/harbor/blob/master/docs/installation_guide.md
3. README.md warns that master is the development branch and may be unstable, so download an official release instead:
https://github.com/vmware/harbor/releases
To keep the installation simple I chose a binary release. The mirrors reachable from China currently carry only the offline binary installer, close to 800 MB; I downloaded the latest version, 1.4.0:
harbor-offline-installer-v1.4.0.tgz
MD5:6161843c84c9944a087 (as recorded here; compare against the digest published on the releases page before unpacking)
4. Unpacking harbor-offline-installer-v1.4.0.tgz shows that it contains harbor.v1.4.0.tar.gz, a nearly 800 MB archive of all the images. To make the upload to the server easier I deleted harbor.v1.4.0.tar.gz and repacked the rest as harbor.bytefish.online-installer-v1.4.0.tgz, about 32 KB.
5. Upload harbor.bytefish.online-installer-v1.4.0.tgz to the server and unpack it; a harbor directory is created in the current directory:
$ scp -i .ssh/id_rsa harbor.bytefish.online-installer-v1.4.0.tgz <user>@docker.MySite.com:/<path>/harbor.bytefish.online-installer-v1.4.0.tgz
$ ssh <user>@docker.MySite.com -i .ssh/id_rsa
$ tar -zxf harbor.bytefish.online-installer-v1.4.0.tgz && cd harbor
II. Checking the server resources:
1. The official minimum and recommended server resources:
Hardware:
  Resource   Capacity          Description
  CPU        minimum 2 CPU     4 CPU preferred
  Mem        minimum 4 GB      8 GB preferred
  Disk       minimum 40 GB     160 GB preferred
Software:
  Software         Version           Description
  Python           2.7 or higher     Note that you may have to install Python on Linux distributions (Gentoo, Arch) that do not ship a Python interpreter by default
  Docker engine    1.10 or higher    Installation instructions: https://docs.docker.com/engine/installation/
  Docker Compose   1.6.0 or higher   Installation instructions: https://docs.docker.com/compose/install/
  OpenSSL          latest preferred  Used to generate the certificate and keys for Harbor
Network ports:
  Port   Protocol   Description
  443    HTTPS      Harbor UI and API accept HTTPS requests on this port
  4443   HTTPS      Connections to the Docker Content Trust service (Notary) for Harbor; only needed when Notary is enabled
  80     HTTP       Harbor UI and API accept HTTP requests on this port
2. Check the server's Docker version:
$ docker version
3. Check the docker-compose, Python and OpenSSL versions:
$ docker-compose version
4. Check the hardware:
$ cat /proc/cpuinfo
$ free
5. Check whether the network ports are already in use:
$ ss -tna
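Steps 2 to 5 can be scripted against the requirements table above. The script below is an added example and not part of Harbor's installer: it compares the installed Docker, docker-compose and Python versions with the stated minimums, reads CPU count, memory and free disk from the system, and parses `ss -tln` output for anything already listening on 80, 443 or 4443. The HARBOR_DATA_DIR variable and the reliance on `docker version --format` and `docker-compose version --short` are assumptions about the tools on the host; the `ss` listing used in the tests is constructed.

```shell
#!/bin/sh
# Harbor pre-install check against the requirements quoted above (2 CPU, 4 GB RAM,
# 40 GB disk, Docker >= 1.10, docker-compose >= 1.6.0, Python >= 2.7, TCP ports
# 80/443/4443 free). Added example; not part of the Harbor project.

# version_ge A B: succeed when dotted version A >= B. Compares the first three
# numeric fields; a suffix such as "1.13.1-ce" is tolerated (awk reads "1-ce" as 1).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# listening_ports: read `ss -tln` output on stdin and print the listening TCP
# ports, one per line. "*:80", "0.0.0.0:80", ":::80" and "[::]:80" all yield 80
# because the port is the text after the last colon of the Local Address column.
listening_ports() {
  awk '$1 == "LISTEN" { n = split($4, f, ":"); print f[n] }' | sort -un
}

# conflicting_ports PORTS: given the newline-separated output of listening_ports,
# print the Harbor ports that something else already occupies.
conflicting_ports() {
  for p in 80 443 4443; do
    printf '%s\n' "$1" | grep -qx "$p" && printf '%s\n' "$p"
  done
  return 0
}

FAILURES=0
report() {  # report NAME STATUS(0=pass) DETAIL
  if [ "$2" -eq 0 ]; then printf 'PASS  %-16s %s\n' "$1" "$3"
  else printf 'FAIL  %-16s %s\n' "$1" "$3"; FAILURES=$((FAILURES + 1)); fi
}

preflight() {
  FAILURES=0
  if command -v docker >/dev/null 2>&1; then
    v=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || v=unknown
    ok=0; version_ge "$v" 1.10 || ok=1; report docker $ok "found $v, need >= 1.10"
  else report docker 1 "docker not found"; fi
  if command -v docker-compose >/dev/null 2>&1; then
    v=$(docker-compose version --short 2>/dev/null) || v=unknown
    ok=0; version_ge "$v" 1.6.0 || ok=1; report docker-compose $ok "found $v, need >= 1.6.0"
  else report docker-compose 1 "docker-compose not found"; fi
  if command -v python >/dev/null 2>&1; then
    v=$(python --version 2>&1 | awk '{print $2}')   # Python 2 prints its version on stderr
    ok=0; version_ge "$v" 2.7 || ok=1; report python $ok "found $v, need >= 2.7"
  else report python 1 "python not found"; fi
  if [ -r /proc/cpuinfo ]; then
    cpus=$(grep -c '^processor' /proc/cpuinfo)
    ok=0; [ "$cpus" -ge 2 ] || ok=1; report cpu $ok "$cpus CPU(s), need >= 2 (4 preferred)"
  fi
  if [ -r /proc/meminfo ]; then
    mem_mb=$(awk '/^MemTotal:/ {print int($2 / 1024)}' /proc/meminfo)
    ok=0; [ "$mem_mb" -ge 4096 ] || ok=1; report memory $ok "${mem_mb} MB, need >= 4096 (8192 preferred)"
  fi
  # install.sh writes Harbor's data under /data; measure the filesystem that will hold it
  # (HARBOR_DATA_DIR is this script's own knob, falling back to / when /data does not exist yet).
  data_dir=${HARBOR_DATA_DIR:-/data}; [ -d "$data_dir" ] || data_dir=/
  disk_gb=$(df -Pk "$data_dir" | awk 'NR == 2 {print int($4 / 1024 / 1024)}')
  ok=0; [ "$disk_gb" -ge 40 ] || ok=1; report disk $ok "${disk_gb} GB free on $data_dir, need >= 40 (160 preferred)"
  if command -v ss >/dev/null 2>&1; then
    taken=$(conflicting_ports "$(ss -tln 2>/dev/null | listening_ports)" | tr '\n' ' ')
    ok=0; [ -z "$taken" ] || ok=1; report ports $ok "${taken:-80/443/4443 free}"
  fi
  [ "$FAILURES" -eq 0 ]
}

if preflight; then echo "preflight: OK"; else echo "preflight: $FAILURES check(s) failed"; fi
```

Run it on the server before install.sh; every FAIL line maps to one row of the table above. Ports are read from `ss -tln` rather than `ss -tna` because only LISTEN sockets matter for the conflict check.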
III. Editing the configuration file and installing:
1. Edit harbor.cfg in the harbor directory; the values to change are listed below. The file now holds the administrator, database and mail passwords in cleartext, so keep it readable only by its owner (mode 0600).
hostname = docker.MySite.com
# The e-mail settings can also be configured from the web UI after installation:
email_identity =
email_server = smtp.mailserver.com
# mail server port
email_server_port = 25
email_username = [email protected]
email_password = <mail account password>
email_from = admin
email_ssl = true
email_insecure = false
harbor_admin_password = <set an administrator password>
db_password = <set a MySQL password>
# self_registration defaults to on. It applies to database authentication, where visitors can register themselves; self-registration is not possible with LDAP authentication:
self_registration = off
2. Run install.sh as root (the script creates the /data directory and related files under the filesystem root); it pulls the required Docker images and completes the installation automatically:
~/harbor$ sudo ./install.sh
3. The containers start automatically. Open http://docker.MySite.com in a browser and log in with the administrator account admin.
IV. Configuring LDAP:
1. Log in to http://docker.MySite.com as admin, open "Administration" > "Configuration", set "Auth Mode" to LDAP and fill in the parameters:
LDAP URL: ldap://MySite.com
LDAP Search DN: cn=admin,dc=MySite,dc=com
LDAP Search Password: <password>
LDAP Base DN: dc=MySite,dc=com
LDAP Filter: (|(objectclass=inetOrgPerson))
LDAP UID: uid
LDAP Scope: Subtree
LDAP Verify Cert: (in testing, LDAP login worked whether or not this box was checked; to be verified again.) This is expected with a plain ldap:// URL: no TLS handshake takes place, so there is no certificate to verify, and the search DN password and every user's password cross the network in cleartext. Use ldaps://MySite.com (port 636) and keep "Verify Cert" enabled once the directory server has a certificate.
2. Click "Test LDAP Server"; on success the browser shows "LDAP server connectivity is normal." at the top of the page.
3. LDAP accounts can now log in to the web UI, but docker login still fails: the Docker client refuses to send credentials to a registry served over plain HTTP unless the daemon lists it under insecure-registries, so the site's HTTPS certificate has to be configured next.
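Before relying on the "Test LDAP Server" button, which checks connectivity and the bind as the search DN, it is worth reproducing from the Harbor host the lookup a login performs: a search under the base DN with the configured filter combined with the UID attribute. The script below is an added example and not Harbor code. It assumes Harbor ANDs the configured filter with (uid=<login name>); that combined form is this example's reading of Harbor's behaviour and is not stated on the page. It defaults to ldaps://MySite.com in place of the page's ldap:// URL, and the login names in the tests are made up.

```shell
#!/bin/sh
# Reproduce Harbor's LDAP user lookup with ldapsearch, using the parameters from
# the Harbor configuration form. Added example; not part of Harbor.

LDAP_URL=${LDAP_URL:-ldaps://MySite.com}                  # page used ldap://; see ldap_url_is_tls
LDAP_SEARCH_DN=${LDAP_SEARCH_DN:-cn=admin,dc=MySite,dc=com}
LDAP_BASE_DN=${LDAP_BASE_DN:-dc=MySite,dc=com}
LDAP_FILTER=${LDAP_FILTER:-(|(objectclass=inetOrgPerson))}
LDAP_UID=${LDAP_UID:-uid}

# ldap_escape VALUE: escape a value for use inside an RFC 4515 search filter.
# Backslash is escaped first, then "*", "(" and ")", so a login name such as
# "*)(uid=*" cannot rewrite the filter. (NUL, the fifth special character, cannot
# appear in a shell string, so it is not handled here.)
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# ldap_user_filter BASE_FILTER UID_ATTR LOGIN: filter selecting one user's entry.
# Assumption: Harbor combines the configured filter and UID attribute as (&FILTER(UID=LOGIN)).
ldap_user_filter() {
  printf '(&%s(%s=%s))' "$1" "$2" "$(ldap_escape "$3")"
}

# ldap_url_is_tls URL: succeed only for ldaps://. With plain ldap:// no TLS
# handshake happens, so Harbor's "LDAP Verify Cert" option has nothing to verify
# and the search DN password and user passwords travel in cleartext.
ldap_url_is_tls() {
  case $1 in ldaps://*) return 0 ;; *) return 1 ;; esac
}

# ldap_probe LOGIN: run the lookup as the search DN. -W prompts for the search
# password instead of placing it in argv and the shell history.
ldap_probe() {
  filter=$(ldap_user_filter "$LDAP_FILTER" "$LDAP_UID" "$1")
  ldap_url_is_tls "$LDAP_URL" || echo "warning: $LDAP_URL is not ldaps://; credentials will be sent in cleartext" >&2
  if command -v ldapsearch >/dev/null 2>&1; then
    ldapsearch -x -H "$LDAP_URL" -D "$LDAP_SEARCH_DN" -W -b "$LDAP_BASE_DN" -s sub "$filter" dn "$LDAP_UID"
  else
    echo "ldapsearch not installed (package ldap-utils on Ubuntu, openldap-clients on CentOS); would run:" >&2
    echo "ldapsearch -x -H $LDAP_URL -D \"$LDAP_SEARCH_DN\" -W -b \"$LDAP_BASE_DN\" -s sub '$filter' dn $LDAP_UID"
  fi
}

# Usage: LDAP_URL=ldaps://MySite.com ./ldap-probe.sh bytefish
if [ $# -gt 0 ]; then ldap_probe "$1"; fi
```

Exactly one entry should come back for a real login name, and zero for a name containing filter metacharacters; if the plain name returns nothing, the filter or base DN in the Harbor form is wrong even though the "Test LDAP Server" button reports success.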
V. Configuring the HTTPS certificate:
1. Instructions:
https://github.com/vmware/harbor/blob/master/docs/configure_https.md
2. In /home/ubuntu/harbor run docker-compose down to stop and remove the containers (this also frees port 80, which the standalone certbot authenticator used below has to bind for the http-01 challenge):
$ docker-compose down
3. I first tried to install a certificate with Let's Encrypt's official certbot script (certbot.eff.org), but the script did not run successfully, probably because nginx lives inside a container; it did, however, install a number of packages automatically. I then fetched letsencrypt with git and installed from that:
$ git clone https://github.com/letsencrypt/letsencrypt
4. Enter the letsencrypt directory and generate the certificate:
$ cd letsencrypt
$ sudo ./letsencrypt-auto certonly --standalone --email [email protected] -d docker.MySite.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for docker.MySite.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/docker.MySite.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/docker.MySite.com/privkey.pem
   Your cert will expire on 2018-05-15. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
5. The certificate expires on 2018-05-15 (Let's Encrypt certificates are valid for 90 days, so renewal has to be automated). The files are in /etc/letsencrypt/live/docker.MySite.com/ as symbolic links:
$ sudo ls /etc/letsencrypt/live/docker.MySite.com/ -l
lrwxrwxrwx 1 root root 40 Feb 14 23:30 cert.pem -> ../../archive/docker.MySite.com/cert1.pem
lrwxrwxrwx 1 root root 41 Feb 14 23:30 chain.pem -> ../../archive/docker.MySite.com/chain1.pem
lrwxrwxrwx 1 root root 45 Feb 14 23:30 fullchain.pem -> ../../archive/docker.MySite.com/fullchain1.pem
lrwxrwxrwx 1 root root 43 Feb 14 23:30 privkey.pem -> ../../archive/docker.MySite.com/privkey1.pem
-rw-r--r-- 1 root root 543 Feb 14 23:30 README
cert.pem - the server certificate
chain.pem - every certificate the browser needs except the server certificate, i.e. the root and intermediate certificates
fullchain.pem - the contents of cert.pem followed by chain.pem
privkey.pem - the certificate's private key
6. Create a letsencrypt directory and copy the certificate files into it. Note that fullchain1.pem and privkey1.pem are the first issuance; each renewal writes fullchain2.pem, privkey2.pem and so on and repoints the live/ links, so these copies have to be refreshed (and Harbor's nginx restarted) after every renewal. Check that the copied key is readable only by root (mode 0600).
$ mkdir /home/ubuntu/harbor/letsencrypt/ && cd /home/ubuntu/harbor/letsencrypt/
$ sudo cp /etc/letsencrypt/archive/docker.MySite.com/fullchain1.pem docker.MySite.com.crt
$ sudo cp /etc/letsencrypt/archive/docker.MySite.com/privkey1.pem docker.MySite.com.key
7. Edit the /home/ubuntu/harbor/harbor.cfg configuration file:
# set ui_url_protocol to https
ui_url_protocol = https
# set the certificate files
ssl_cert = /home/ubuntu/harbor/letsencrypt/docker.MySite.com.crt
ssl_cert_key = /home/ubuntu/harbor/letsencrypt/docker.MySite.com.key
8. Run the prepare script once as root, then start Docker Compose to rebuild the containers:
$ sudo /home/ubuntu/harbor/prepare
$ docker-compose up -d
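The copy in step 6 pins the first issuance: when letsencrypt-auto renew obtains a new certificate, the files Harbor reads stay stale until someone copies them again and restarts nginx, and docker login breaks around 2018-05-15. The script below is an added example, not part of Harbor or certbot. Used as a certbot deploy hook it copies fullchain.pem and privkey.pem from the renewed lineage's live/ directory to the names referenced in harbor.cfg, with the key set to mode 0600, restarts Harbor's nginx service, and provides two checks: whether a PEM file expires within N days, and whether the certificate served on port 443 is the one on disk. The Harbor directory and file names are taken from this page; the Compose service name proxy is an assumption based on the docker-compose.yml shipped with Harbor 1.4 and should be checked against your copy; RENEWED_LINEAGE is the variable certbot sets for deploy hooks. The files used in the tests are constructed.

```shell
#!/bin/sh
# Keep Harbor's copied Let's Encrypt certificate in step with renewals.
# Added example; not from Harbor or certbot.
# Assumptions: Harbor is installed in /home/ubuntu/harbor, harbor.cfg points at
# letsencrypt/docker.MySite.com.{crt,key} as in step 7, and the nginx service in
# Harbor's docker-compose.yml is named "proxy".

HARBOR_DIR=${HARBOR_DIR:-/home/ubuntu/harbor}
CERT_DIR=${CERT_DIR:-$HARBOR_DIR/letsencrypt}
DOMAIN=${DOMAIN:-docker.MySite.com}

# deploy_certs LINEAGE_DIR: copy fullchain.pem and privkey.pem from a certbot
# lineage directory (e.g. /etc/letsencrypt/live/docker.MySite.com) to the names
# harbor.cfg references. Reading the live/ links rather than archive/...1.pem
# means the copies follow renewals instead of pinning the first issuance.
deploy_certs() {
  lineage=$1
  [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1
  mkdir -p "$CERT_DIR"
  cp "$lineage/fullchain.pem" "$CERT_DIR/$DOMAIN.crt"
  cp "$lineage/privkey.pem" "$CERT_DIR/$DOMAIN.key"
  chmod 0644 "$CERT_DIR/$DOMAIN.crt"
  chmod 0600 "$CERT_DIR/$DOMAIN.key"   # private key: readable by its owner only
}

# restart_proxy: nginx reads the mounted certificate files at startup, so the
# Harbor proxy container has to be restarted after the files change.
restart_proxy() {
  if ! command -v docker-compose >/dev/null 2>&1; then
    echo "docker-compose not found; restart Harbor's proxy service manually" >&2
    return 0
  fi
  (cd "$HARBOR_DIR" && docker-compose restart proxy)
}

# cert_expires_within PEM DAYS: succeed if the certificate in PEM expires within
# DAYS days (openssl -checkend succeeds when the certificate is still valid at
# that point, so the result is negated).
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# served_cert_matches HOST PEM: succeed if the certificate presented on HOST:443
# has the same SHA-256 fingerprint as the local PEM, i.e. nginx picked up the copy.
served_cert_matches() {
  served=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
             | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
  local_fp=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  [ -n "$served" ] && [ "$served" = "$local_fp" ]
}

# certbot runs deploy hooks with RENEWED_LINEAGE set to the live/ directory of
# the certificate it just renewed; when that variable is absent, do nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_certs "$RENEWED_LINEAGE" && restart_proxy
fi
```

Register it with `sudo ./letsencrypt-auto renew --deploy-hook /path/to/harbor-cert-hook.sh` in the renewal cron job, or place it in /etc/letsencrypt/renewal-hooks/deploy/; certbot only runs deploy hooks when a certificate was actually renewed. After a renewal, `served_cert_matches docker.MySite.com /home/ubuntu/harbor/letsencrypt/docker.MySite.com.crt` confirms that the proxy is serving the new certificate, and `cert_expires_within ... 14` is a useful monitoring check.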
VI. Uploading an image:
1. Open https://docker.MySite.com in a browser, log in with an ordinary user account and create a project named "test".
2. Log in to docker.MySite.com from the client (unless a credential helper is configured, docker login stores the credentials base64-encoded, not encrypted, in ~/.docker/config.json):
$ docker login docker.MySite.com
Username: bytefish
Password: <password>
Login Succeeded
3. Tag the client's image and push it to docker.MySite.com:
Format:
docker tag SOURCE_IMAGE[:TAG] docker.MySite.com/<project>/IMAGE[:TAG]
docker push docker.MySite.com/<project>/IMAGE[:TAG]
Example:
$ docker tag hello-world:latest docker.MySite.com/test/hello-world:test
$ docker push docker.MySite.com/test/hello-world:test
The push refers to a repository [docker.MySite.com/test/hello-world]
f999ae22f308: Mounted from library/hello-world
test: digest: sha256:0b1396cdcea05f91f38fc7f5aecd58ccf19fb5743bbb79cff5eb3c747b36d909 size: 524
The digest printed by push identifies the manifest that was stored; pulling by that digest rather than by the mutable tag guarantees the exact image that was uploaded.