Configuring HTTPS access for Harbor
<pre><code>Contents
Configuring HTTPS access for Harbor
Start-on-boot configuration
Primary/backup Harbor deployment (Harbor replication)</code></pre>
<p>Note: newer Docker versions (14 and above) use HTTPS by default when running <code>docker login</code>, and Harbor must then be addressed by a domain name; accessing it by IP alone does not work. This article uses docker-ce 19.03 as the example.</p>
<p>Assume the Harbor server is reached at the domain harbor.hzsun.com and that the local IP is 172.16.7.198.</p>
<h1>1. Host configuration</h1>
<p>Because this domain is fictitious, it has to be added to the hosts file on the Harbor host and on every client machine that accesses Harbor:</p>
<pre><code class="language-bash">echo '172.16.7.198 harbor.hzsun.com' >> /etc/hosts</code></pre>
<h1>2. Upload and extract the Harbor package and edit the Harbor configuration file</h1>
<pre><code class="language-bash">cd /opt/
tar -zxvf harbor.v2.1.2.tar.gz
cd harbor
cp harbor.yml.tmpl harbor.yml
vim harbor.yml</code></pre>
<p>Replace yourdomain.com with the domain name, IP, or ip:port actually used; the value must match the name the certificate is generated for, and the certificate paths must match what harbor.yml points at:</p>
<pre><code class="language-yaml">hostname: harbor.hzsun.com
# http related config
#http:
#  # port for http, default is 80. If https enabled, this port will redirect to https port
#  port: 80
# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/harbor.hzsun.com.crt
  private_key: /data/cert/harbor.hzsun.com.key</code></pre>
<h1>3. One-shot script for creating a self-signed certificate</h1>
<pre><code class="language-bash">#!/bin/bash
# Work in this directory so the generated files land exactly where harbor.yml expects them
mkdir -p /data/cert
cd /data/cert
# CA private key and self-signed CA certificate (valid for 10 years)
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=Global/OU=ZYROX/CN=harbor.hzsun.com" -key ca.key -out ca.crt
# Server private key and certificate signing request
openssl genrsa -out harbor.hzsun.com.key 4096
openssl req -sha512 -new -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=Global/OU=ZYROX/CN=harbor.hzsun.com" -key harbor.hzsun.com.key -out harbor.hzsun.com.csr
# v3 extensions: the SAN list is what Docker validates the registry hostname against
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.hzsun.com
DNS.2=harbor
DNS.3=ks-allinone
EOF
# Sign the CSR with the CA, applying the extensions above
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.hzsun.com.csr -out harbor.hzsun.com.crt
# Docker expects the server certificate with a .cert extension under certs.d
openssl x509 -inform PEM -in harbor.hzsun.com.crt -out harbor.hzsun.com.cert
# Trust the certificate on the Harbor host itself (CentOS/RHEL ca-trust)
cp harbor.hzsun.com.crt /etc/pki/ca-trust/source/anchors/harbor.hzsun.com.crt
update-ca-trust</code></pre>
<h1>4. Configure Docker on the Harbor server to access the Harbor registry (HTTPS)</h1>
<p>Copy the three certificate files (ca.crt, harbor.hzsun.com.cert, harbor.hzsun.com.key) into the Docker directory /etc/docker/certs.d/harbor.hzsun.com/.
Log in to the Docker host and run:</p>
<pre><code class="language-bash">mkdir -pv /etc/docker/certs.d/harbor.hzsun.com/
scp root@172.16.7.198:/data/cert/harbor.hzsun.com.cert /etc/docker/certs.d/harbor.hzsun.com/
scp root@172.16.7.198:/data/cert/harbor.hzsun.com.key /etc/docker/certs.d/harbor.hzsun.com/
scp root@172.16.7.198:/data/cert/ca.crt /etc/docker/certs.d/harbor.hzsun.com/</code></pre>
<p>Final Docker directory structure:</p>
<pre><code class="language-bash">[root@harbor docker]# tree -C /etc/docker
/etc/docker
├── certs.d
│   └── harbor.techzsun.com
│       ├── ca.crt <-- Certificate authority that signed the registry certificate
│       ├── harbor.techzsun.com.cert <-- Server certificate signed by CA
│       └── harbor.techzsun.com.key <-- Server key signed by CA
├── daemon.json
└── key.json</code></pre>
<h1>5. Restart Docker</h1>
<pre><code class="language-bash">systemctl restart docker.service</code></pre>
<h1>6. Reconfigure Harbor</h1>
<h2>6.1 Stop Harbor</h2>
<pre><code class="language-bash">docker-compose down -v</code></pre>
<h2>6.2 Regenerate the configuration files</h2>
<pre><code class="language-bash">./prepare --with-notary --with-clair --with-chartmuseum</code></pre>
<h2>6.3 Start Harbor</h2>
<pre><code class="language-bash">docker-compose up -d</code></pre>
<h1>7. Using docker login</h1>
<p>Log in to the Docker host, then log in to the Harbor registry:</p>
<pre><code class="language-bash">[root@worker-03 ~]# docker login https://harbor.hzsun.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded</code></pre>
<h1>8. Problems</h1>
<p>Logging in with <code>docker login</code> reports the following error:</p>
<pre><code class="language-bash">docker login https://192.168.75.100
x509: cannot validate certificate for 192.168.75.100 because it doesn't contain any IP SANs</code></pre>
<p>Troubleshooting steps: check whether the value of the <code>hostname</code> variable in harbor.yml matches the name the certificate was generated for.</p>
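<p>The mismatch described above (certificate SANs versus the <code>hostname</code> in harbor.yml) can be caught before Harbor and Docker are restarted. The shell functions below are an added example and not part of the original post; they assume <code>openssl</code> is installed and use the paths from sections 2 and 3 (/opt/harbor/harbor.yml and /data/cert/).</p>

```shell
#!/bin/bash
# Added example (not from the original post). Checks that the certificate
# Harbor will serve has a SAN for the hostname: value in harbor.yml, chains
# to ca.crt, and belongs to the private key. Assumes openssl is installed.

# Print the SAN entries of a certificate one per line, e.g. "DNS:harbor.hzsun.com"
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Return 0 if the certificate has a SAN for the host (DNS name or IP address).
# A Harbor host addressed by IP fails here unless the cert carries an IP SAN,
# which is exactly the "doesn't contain any IP SANs" error from section 8.
cert_covers_host() {
  cert_sans "$1" | grep -qxE "(DNS|IP Address):$2"
}

# Read the top-level hostname: value from harbor.yml
harbor_hostname() {
  sed -n 's/^hostname:[[:space:]]*//p' "$1" | head -n1
}

# Full check; returns non-zero with a reason on the first failing condition
check_harbor_cert() {
  local yml="$1" ca="$2" cert="$3" key="$4" host
  host=$(harbor_hostname "$yml")
  [ -n "$host" ] || { echo "no hostname: in $yml"; return 1; }
  cert_covers_host "$cert" "$host" \
    || { echo "$cert has no SAN for $host"; return 1; }
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "$cert does not chain to $ca"; return 1; }
  # Compare the public key embedded in the cert with the one derived from the key
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
    || { echo "$key does not match $cert"; return 1; }
  echo "ok: $cert covers $host and matches $key"
}

# Usage with this article's paths:
#   check_harbor_cert /opt/harbor/harbor.yml /data/cert/ca.crt \
#     /data/cert/harbor.hzsun.com.crt /data/cert/harbor.hzsun.com.key
```

<p>Run it on the Harbor host after section 3 and again whenever the <code>hostname</code> in harbor.yml changes; a non-zero exit names the failing condition.</p>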
<h1>9. Start-on-boot configuration</h1>
<pre><code class="language-ini">[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor
[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/bin/docker-compose -f /opt/harbor/docker-compose.yml up
ExecStop=/usr/bin/docker-compose -f /opt/harbor/docker-compose.yml stop
[Install]
WantedBy=multi-user.target</code></pre>
<p>Enable start on boot:</p>
<pre><code class="language-bash">systemctl enable harbor</code></pre>
<h1>10. Primary/backup Harbor deployment (Harbor replication)</h1>
<p><a href="https://www.cnblogs.com/linux-SFeng/p/13353786.html">https://www.cnblogs.com/linux-SFeng/p/13353786.html</a>
<a href="https://blog.zhenglin.work/docker/harbor-sync.html">https://blog.zhenglin.work/docker/harbor-sync.html</a>
<a href="https://blog.csdn.net/hiyun9/article/details/79655385">https://blog.csdn.net/hiyun9/article/details/79655385</a>
<a href="http://blog.zhenglin.work/docker/harbor-sync.html">http://blog.zhenglin.work/docker/harbor-sync.html</a></p>
<h1>11. docker-compose up reports log errors on startup</h1>
<p>After <code>docker-compose down -v</code>, starting again with <code>docker-compose up</code> reports the log-driver errors shown below; they do not affect Harbor's functionality.
When starting manually, use <code>docker-compose up -d</code> instead.</p>
<pre><code class="language-bash">Attaching to harbor-log, harbor-portal, redis, registryctl, harbor-db, registry, harbor-core, harbor-jobservice, nginx
harbor-core | WARNING: no logs are available with the 'syslog' log driver
harbor-db | WARNING: no logs are available with the 'syslog' log driver
harbor-jobservice | WARNING: no logs are available with the 'syslog' log driver
harbor-portal | WARNING: no logs are available with the 'syslog' log driver
nginx | WARNING: no logs are available with the 'syslog' log driver
redis | WARNING: no logs are available with the 'syslog' log driver
registry | WARNING: no logs are available with the 'syslog' log driver
registryctl | WARNING: no logs are available with the 'syslog' log driver</code></pre>
<p>To get rid of the log error, the following modification can be made (personally I think it is unnecessary):
<a href="https://itindex.net/detail/58617-docker-%E9%95%9C%E5%83%8F-%E4%BB%93%E5%BA%93">https://itindex.net/detail/58617-docker-%E9%95%9C%E5%83%8F-%E4%BB%93%E5%BA%93</a></p>
<p>1. Edit the docker-compose.yml file</p>
<pre><code class="language-yaml">version: '2.3'
x-logging: &default-logging   # added
  options:                    # added
    max-size: '12m'           # added
    max-file: '5'             # added
  driver: json-file           # added
services:</code></pre>
<p>Then search for the keyword <code>logging</code> and replace every <code>logging</code> block like the following:</p>
<pre><code class="language-bash">depends_on:
- log #需要被替换的内容
logging: #需要被替换的内容
driver: "syslog" #需要被替换的内容
options: #需要被替换的内容
syslog-address: "tcp://127.0.0.1:1514" #需要被替换的内容
tag: "registry" #需要被替换的内容
registryctl:</code></pre>
<p>Replace it with:</p>
<pre><code class="language-yaml">    depends_on:
      - registry
      - redis
      - postgresql
      - log
    logging: *default-logging   # this single line replaces the block above
  portal:
    image: goharbor/harbor-portal:v2.1.2</code></pre>
<p>Notes:
1. docker-compose installation path</p>
<pre><code class="language-bash">[root@harbor-slave ~]# which docker-compose
/usr/bin/docker-compose</code></pre>
<p>2. Setting Harbor to start on boot
<a href="https://blog.csdn.net/qq_17054989/article/details/96871639">https://blog.csdn.net/qq_17054989/article/details/96871639</a>
3. Why Harbor is started with up rather than start
<a href="https://www.cnblogs.com/kirito-c/p/11145881.html">https://www.cnblogs.com/kirito-c/p/11145881.html</a></p>
<h1>References:</h1>
<p>1. Configuring HTTPS access for Harbor
<a href="https://www.cnblogs.com/sanduzxcvbnm/p/11956347.html">https://www.cnblogs.com/sanduzxcvbnm/p/11956347.html</a> (verified against this article)
<a href="https://www.cnblogs.com/cjwnb/p/13441071.html">https://www.cnblogs.com/cjwnb/p/13441071.html</a></p>
<p>2. Harbor high-availability deployment and configuration (master/slave)
<a href="https://blog.csdn.net/weixin_45308292/article/details/107248788">https://blog.csdn.net/weixin_45308292/article/details/107248788</a>
I still have to complain: in real production use, master-slave replication is very unreliable, so the approach recommended here is the one described below, <code>multiple Harbor instances sharing back-end storage</code>.
This author's ops log is good and worth studying.</p>
<p>3. Harbor 1.9 + Nginx high-availability cluster registry setup notes
<a href="https://juejin.cn/post/6844903957412708365">https://juejin.cn/post/6844903957412708365</a>
Building a highly available Harbor
<a href="https://blog.51cto.com/zero01/2530940">https://blog.51cto.com/zero01/2530940</a>
Deploying a Harbor high-availability cluster with Nginx load balancing
<a href="https://blog.csdn.net/wt334502157/article/details/102894931">https://blog.csdn.net/wt334502157/article/details/102894931</a>
How to build a highly available Docker Harbor registry
<a href="http://linuxops.xyz/2019/02/18/%E5%A6%82%E4%BD%95%E6%90%AD%E5%BB%BA%E9%AB%98%E5%8F%AF%E7%94%A8Docker-Harbor%E4%BB%93%E5%BA%93/">http://linuxops.xyz/2019/02/18/%E5%A6%82%E4%BD%95%E6%90%AD%E5%BB%BA%E9%AB%98%E5%8F%AF%E7%94%A8Docker-Harbor%E4%BB%93%E5%BA%93/</a>
Building a highly available private registry on Harbor and CephFS
<a href="https://www.ctolib.com/topics-118455.html">https://www.ctolib.com/topics-118455.html</a> (contains a solution outline)</p>
<p>4. Scheduled image cleanup in Harbor
<a href="https://www.cnblogs.com/only-me/p/12416369.html">https://www.cnblogs.com/only-me/p/12416369.html</a></p>
<p>5. Nexus 3.3.1 local private repository manual
<a href="https://cloud.tencent.com/developer/article/1098081">https://cloud.tencent.com/developer/article/1098081</a>
Learning Docker: building a private image registry
<a href="https://cloud.tencent.com/developer/article/1095277?from=article.detail.1098081">https://cloud.tencent.com/developer/article/1095277?from=article.detail.1098081</a></p>