Document version: 20180216
I recently installed Harbor successfully on Ubuntu Linux 14.04 and on CentOS Linux 7.4; the steps are written up below for reference.
Note: to run Docker commands as a non-root user you need to:
Create the docker group:
sudo groupadd docker
Add the current user to the docker group:
sudo gpasswd -a ${USER} docker
Restart the docker service (the command below is for CentOS 7):
sudo systemctl restart docker
Log out and log back in so that the new group membership takes effect.
Keep in mind that membership of the docker group is equivalent to root on the host (any member can start a privileged container that mounts /), so only add accounts you would also give sudo to.
I. Downloading the Harbor installation files:
1. Harbor project page:
2. See README.md; the installation instructions are under "Installation & Configuration Guide" in README.md:
blob/master/docs/installation_guide.md
3. README.md states that master is the development branch and may be unstable, so download an official release instead:
releases
For ease of installation I chose the binary package. The domestic (China) mirror currently only carries the binary offline installer, which is close to 800 MB; I downloaded the latest version, 1.4.0:
harbor-offline-installer-v1.4.0.tgz
MD5:6161843c84c9944a087
4. After extracting harbor-offline-installer-v1.4.0.tgz I found that it contains harbor.v1.4.0.tar.gz, an almost 800 MB archive holding all of the images. To make the upload to the server easier I deleted harbor.v1.4.0.tar.gz and repacked the rest as harbor.bytefish.online-installer-v1.4.0.tgz, which is only about 32 KB. Without the image archive, install.sh pulls the images from Docker Hub instead (see step 2 of section III), so the server needs outbound network access.
5. Upload harbor.bytefish.online-installer-v1.4.0.tgz to the server and extract it; this creates a harbor directory under the current directory.
$ scp -i .ssh/id_rsa harbor.bytefish.online-installer-v1.4.0.tgz USER@docker.MySite.com:/PATH/harbor.bytefish.online-installer-v1.4.0.tgz
$ ssh USER@docker.MySite.com -i .ssh/id_rsa
$ tar -zxf harbor.bytefish.online-installer-v1.4.0.tgz && cd harbor
II. Checking the server resources:
1. The official minimum and recommended server resources:

Hardware:
Resource   Capacity        Description
CPU        minimal 2 CPU   4 CPU is preferred
Mem        minimal 4GB     8GB is preferred
Disk       minimal 40GB    160GB is preferred

Software:
Software         Version                    Description
Python           version 2.7 or higher      Note that you may have to install Python on Linux distributions (Gentoo, Arch) that do not come with a Python interpreter installed by default
Docker engine    version 1.10 or higher     For installation instructions, please refer to:
Docker Compose   version 1.6.0 or higher    For installation instructions, please refer to:
OpenSSL          latest is preferred        Generate certificate and keys for Harbor

Network ports:
Port   Protocol   Description
443    HTTPS      Harbor UI and API will accept requests on this port for https protocol
4443   HTTPS      Connections to the Docker Content Trust service for Harbor, only needed when Notary is enabled
80     HTTP       Harbor UI and API will accept requests on this port for http protocol
2. Check the server's docker version:
$ docker version
3. Check the docker-compose, Python and OpenSSL versions:
$ docker-compose version
4. Check the hardware:
$ cat /proc/cpuinfo
$ free
5. Check that the network ports are not already in use:
$ ss -tna
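The checks in steps 2 to 5 can be turned into a preflight script. The following is an added example, not part of the original post or of the Harbor project; the minimums are the ones from the table above, while the banner formats ("Docker version 1.13.1, build ...") and the ss(8) column layout it parses are assumptions about the tools on the host.

```sh
#!/bin/sh
# Preflight check for a Harbor 1.4.0 host: tool versions, hardware and free ports.
# Added example; the version banners and ss output layout are assumptions.

MIN_DOCKER=1.10
MIN_COMPOSE=1.6.0
MIN_PYTHON=2.7
MIN_MEM_KB=3900000          # a little under 4 GiB, to allow for kernel-reserved memory
HARBOR_PORTS="80 443 4443"

# version_ge A B: succeed when dotted version A >= B, comparing the first three numeric
# components; suffixes such as "-ce" are dropped because awk reads "0-ce" as the number 0.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# extract_version LINE: the first dotted number in a banner line; fails when there is none
# (for example "sh: docker: not found").
extract_version() {
  v=$(printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)*' | head -n 1)
  [ -n "$v" ] && printf '%s\n' "$v"
}

# port_in_use SS_OUTPUT PORT: succeed when a LISTEN line's local address ends in :PORT
# (works for "*:443" as well as "[::]:443").
port_in_use() {
  printf '%s\n' "$1" | awk -v p="$2" '
    $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
    END { exit !found }'
}

# check_versions: compare the installed tools against the minimums from the table.
check_versions() {
  d=$(extract_version "$(docker --version 2>&1)")         || { echo "docker not found"; return 1; }
  c=$(extract_version "$(docker-compose --version 2>&1)") || { echo "docker-compose not found"; return 1; }
  p=$(extract_version "$(python --version 2>&1)")         || { echo "python not found"; return 1; }  # python 2 prints to stderr
  version_ge "$d" "$MIN_DOCKER"  || { echo "docker $d < $MIN_DOCKER"; return 1; }
  version_ge "$c" "$MIN_COMPOSE" || { echo "docker-compose $c < $MIN_COMPOSE"; return 1; }
  version_ge "$p" "$MIN_PYTHON"  || { echo "python $p < $MIN_PYTHON"; return 1; }
  openssl version
}

# check_hardware: 2 CPUs and 4 GB RAM minimum, read from /proc as the post does.
check_hardware() {
  cpus=$(grep -c '^processor' /proc/cpuinfo)
  mem_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
  [ "$cpus" -ge 2 ]              || { echo "only $cpus CPU(s), need 2"; return 1; }
  [ "$mem_kb" -ge "$MIN_MEM_KB" ] || { echo "only $((mem_kb / 1024)) MB RAM, need 4 GB"; return 1; }
}

# check_ports: every Harbor port must be free before install.sh starts the nginx container.
check_ports() {
  listening=$(ss -tln)
  for port in $HARBOR_PORTS; do
    if port_in_use "$listening" "$port"; then echo "port $port is already in use"; return 1; fi
  done
}

# The live checks run only with "--run", so the helpers above can be sourced and tested alone.
if [ "${1:-}" = "--run" ]; then
  check_versions && check_hardware && check_ports && echo "preflight OK"
fi
```

Run it on the server as `sh preflight.sh --run`; the first failing requirement is printed and the script stops there.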
III. Editing the configuration file and installing:
1. Edit harbor.cfg in the harbor directory; the settings changed are:
hostname = docker.MySite.com
# The e-mail settings can also be configured from the web UI after installation:
email_identity =
email_server = smtp.mailserver.com
# mailserver port
email_server_port = 25
email_username = username@mailserver.com
email_password = <mail service password>
email_from = admin
email_ssl = true
email_insecure = false
harbor_admin_password = <choose an administrator password>
db_password = <choose a MySQL password>
# self_registration defaults to on and applies to database authentication, where visitors can register themselves; self-registration is not possible with LDAP authentication:
self_registration = off
harbor.cfg now holds the administrator, database and mail passwords in clear text, so keep it readable by its owner only.
2. Run install.sh with root privileges (the script creates the /data directory and its files at the root of the filesystem). It downloads the required docker images and completes the installation automatically:
~/harbor$ sudo ./install.sh
3. The containers start automatically. You can now open the Harbor site in a browser and log in with the administrator account admin.
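Before running install.sh it is worth checking that none of the settings from step 1 were left at their template values. The script below is an added example, not part of the original post or the Harbor project: it reads harbor.cfg with the key names used above and rejects the values the Harbor 1.x template ships with (hostname reg.mydomain.com, harbor_admin_password Harbor12345, db_password root123), which is an assumption to confirm against your own copy of the file.

```sh
#!/bin/sh
# Sanity-check harbor.cfg before install.sh. Added example; the template defaults it
# rejects are assumed from the Harbor 1.x harbor.cfg template.

# cfg_get FILE KEY: print the value of "KEY = value", skipping comment lines and trimming whitespace.
cfg_get() {
  awk -v k="$2" -F= '
    /^[ \t]*#/ { next }
    NF >= 2 {
      key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
      if (key == k) {
        val = substr($0, index($0, "=") + 1)      # keep any "=" that is part of the value
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        print val; exit
      }
    }' "$1"
}

# check_harbor_cfg FILE: print each problem found and return the number of problems (0 = ready).
check_harbor_cfg() {
  cfg=$1; problems=0
  case "$(cfg_get "$cfg" hostname)" in
    ""|localhost|127.0.0.1|reg.mydomain.com)
      echo "hostname must be the FQDN or IP that docker clients will use, not localhost or the template default"
      problems=$((problems + 1)) ;;
  esac
  case "$(cfg_get "$cfg" harbor_admin_password)" in
    ""|Harbor12345)
      echo "harbor_admin_password is empty or still the template default"
      problems=$((problems + 1)) ;;
  esac
  case "$(cfg_get "$cfg" db_password)" in
    ""|root123)
      echo "db_password is empty or still the template default"
      problems=$((problems + 1)) ;;
  esac
  if [ "$(cfg_get "$cfg" ui_url_protocol)" != "https" ]; then
    echo "ui_url_protocol is not https: docker login would send credentials in clear text and the daemon refuses the registry unless it is listed in insecure-registries"
    problems=$((problems + 1))
  fi
  # The file holds every password above in clear text, so it must not be group- or world-readable.
  if [ -n "$(find "$cfg" \( -perm -g+r -o -perm -o+r \) -print)" ]; then
    echo "$cfg is readable by group or others; chmod 600 it"
    problems=$((problems + 1))
  fi
  return $problems
}

if [ "${1:-}" = "--check" ]; then
  check_harbor_cfg "${2:-$HOME/harbor/harbor.cfg}" && echo "harbor.cfg looks ready"
fi
```

Usage: `sh check_cfg.sh --check /home/ubuntu/harbor/harbor.cfg`; the exit status is the number of problems, so it can gate a scripted install.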
IV. Configuring LDAP:
1. Log in with the administrator account admin, click "Administration" and then "Configuration", set "Auth Mode" to LDAP and fill in the parameters:
LDAP URL : ldap://MySite.com
LDAP Search DN : cn=admin,dc=MySite,dc=com
LDAP Search Password : <password>
LDAP Base DN : dc=MySite,dc=com
LDAP Filter : (|(objectclass=inetOrgPerson))
LDAP UID : uid
LDAP Scope : Subtree
LDAP Verify Cert : (In testing, LDAP logins worked whether or not "LDAP Verify Cert" was ticked; to be verified again.)
The filter's outer OR has a single operand, so it is equivalent to (objectclass=inetOrgPerson). The certificate setting has no visible effect here because an ldap:// URL negotiates no TLS at all; it only matters with ldaps://. It also means the search password and every user's login password cross the network in clear text, so use ldaps:// with verification enabled wherever the directory supports it.
2. Click "Test LDAP Server"; if it succeeds, a message confirming the connection to the LDAP server appears at the top of the page.
3. LDAP accounts can now log in to the web UI, but docker login does not work yet; for that the site's HTTPS certificate must be configured first.
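When an LDAP login fails it helps to reproduce the lookup outside Harbor. The script below is an added example, not part of the original post or of Harbor itself: it uses ldapsearch with the search DN, base DN and filter configured above. Harbor's LDAP login is a search for the user followed by a bind as the found DN with the typed password; the exact way it combines the configured filter with the UID attribute (an AND of the two) is an assumption here. The login name is escaped as RFC 4515 requires so that it cannot change the meaning of the filter.

```sh
#!/bin/sh
# Reproduce Harbor's LDAP user lookup with ldapsearch. Added example; the AND composition of
# the filter and the uid attribute is an assumption about Harbor's behaviour.

LDAP_URL="ldap://MySite.com"
LDAP_SEARCH_DN="cn=admin,dc=MySite,dc=com"
LDAP_SEARCH_PW_FILE="${LDAP_SEARCH_PW_FILE:-$HOME/.ldap-search-pw}"   # -y keeps the password out of `ps`
LDAP_BASE_DN="dc=MySite,dc=com"
LDAP_FILTER="(objectclass=inetOrgPerson)"   # the post's (|(objectclass=inetOrgPerson)) is equivalent
LDAP_UID="uid"

# ldap_escape VALUE: escape the RFC 4515 special characters \ * ( ) so VALUE is matched literally
# inside a filter. (A NUL byte cannot occur in a shell string, so it needs no handling here.)
ldap_escape() {
  printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# user_filter NAME: the filter matching exactly one login name,
# e.g. (&(objectclass=inetOrgPerson)(uid=alice))
user_filter() {
  printf '(&%s(%s=%s))' "$LDAP_FILTER" "$LDAP_UID" "$(ldap_escape "$1")"
}

# lookup_user NAME: bind with the search DN and print the DN of the matching entry (one line per match;
# more than one line means the filter is too loose for Harbor to pick a user).
lookup_user() {
  ldapsearch -LLL -x -H "$LDAP_URL" -D "$LDAP_SEARCH_DN" -y "$LDAP_SEARCH_PW_FILE" \
    -b "$LDAP_BASE_DN" -s sub "$(user_filter "$1")" dn | sed -n 's/^dn: //p'
}

# Harbor then binds as that DN with the password the user typed. The same step by hand:
#   ldapsearch -x -H "$LDAP_URL" -D "<dn printed by lookup_user>" -W -b "$LDAP_BASE_DN" -s base dn

if [ "${1:-}" = "--lookup" ]; then
  lookup_user "$2"
fi
```

Usage: `sh ldap_lookup.sh --lookup alice`. If the search returns nothing, the base DN, filter or UID attribute is wrong; if it returns a DN but the manual bind fails, the problem is the user's password or the entry's password attribute.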
V. Configuring the HTTPS certificate:
1. Instructions:
blob/master/docs/configure_https.md
2. In /home/ubuntu/harbor run docker-compose down to stop and remove the containers:
$ docker-compose down
3. I originally wanted to install the certificate with Let's Encrypt's official certbot script (certbot.eff.org), but the script did not run successfully, presumably because nginx runs inside a container; it did, however, install some packages along the way. I then tried fetching letsencrypt with git and installing from there:
$ git clone
4. Enter the letsencrypt directory and generate the certificate. The standalone authenticator answers the http-01 challenge on port 80 itself, which is why Harbor's containers had to be stopped in step 2:
$ cd letsencrypt
$ sudo ./letsencrypt-auto certonly --standalone --email username@mailserver.com -d docker.MySite.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for docker.MySite.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/docker.MySite.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/docker.MySite.com/privkey.pem
   Your cert will expire on 2018-05-15. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:
5. The certificate expires on 2018-05-15. The generated files are in /etc/letsencrypt/live/docker.MySite.com/ (as symbolic links):
$ sudo ls /etc/letsencrypt/live/docker.MySite.com/ -l
lrwxrwxrwx 1 root root 40 Feb 14 23:30 cert.pem -> ../../archive/docker.MySite.com/cert1.pem
lrwxrwxrwx 1 root root 41 Feb 14 23:30 chain.pem -> ../../archive/docker.MySite.com/chain1.pem
lrwxrwxrwx 1 root root 45 Feb 14 23:30 fullchain.pem -> ../../archive/docker.MySite.com/fullchain1.pem
lrwxrwxrwx 1 root root 43 Feb 14 23:30 privkey.pem -> ../../archive/docker.MySite.com/privkey1.pem
-rw-r--r-- 1 root root 543 Feb 14 23:30 README
cert.pem - the server certificate
chain.pem - the intermediate certificate(s) a client needs to build the path from the server certificate to a trusted root; it does not contain the server certificate itself
fullchain.pem - cert.pem followed by chain.pem
privkey.pem - the certificate's private key
6. Create a letsencrypt directory and copy the certificate files into it:
$ mkdir /home/ubuntu/harbor/letsencrypt/ && cd /home/ubuntu/harbor/letsencrypt/
$ sudo cp /etc/letsencrypt/archive/docker.MySite.com/fullchain1.pem docker.MySite.com.crt
$ sudo cp /etc/letsencrypt/archive/docker.MySite.com/privkey1.pem docker.MySite.com.key
Note that fullchain1.pem and privkey1.pem are the first issuance only. When the certificate is renewed (Let's Encrypt certificates are valid for 90 days), new fullchain2.pem and privkey2.pem files appear in archive/ and the links in live/ move to them, but the copies made here stay on the old files. Copy from live/ (or repeat this step) after every renewal, and keep the .key file readable by root only.
7. Edit the /home/ubuntu/harbor/harbor.cfg configuration file:
# set ui_url_protocol to https
ui_url_protocol = https
# set the certificate files
ssl_cert = /home/ubuntu/harbor/letsencrypt/docker.MySite.com.crt
ssl_cert_key = /home/ubuntu/harbor/letsencrypt/docker.MySite.com.key
8. Run the prepare script once with root privileges, then bring the containers back up with docker-compose, which recreates them with the new configuration:
$ sudo /home/ubuntu/harbor/prepare
$ docker-compose up -d
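Steps 6 to 8 have to be repeated after each renewal, so they are worth scripting. The following is an added example, not part of the original post or of the Harbor project: it copies the current files from live/ (which, unlike the numbered archive/ files the post copies, always point at the newest issuance), checks that the certificate and key belong together, that the certificate is issued for the Harbor hostname (what docker login verifies) and that it is not about to expire, and only then re-runs prepare and recreates the containers. The paths are the post's; the 30-day threshold is a choice, not something Harbor requires.

```sh
#!/bin/sh
# Refresh Harbor's copy of the Let's Encrypt certificate after a renewal. Added example;
# paths are taken from the post, MIN_DAYS is an arbitrary choice.

DOMAIN=docker.MySite.com
LE_LIVE=/etc/letsencrypt/live/$DOMAIN
HARBOR_DIR=/home/ubuntu/harbor
DEST=$HARBOR_DIR/letsencrypt
MIN_DAYS=30

# cert_matches_key CRT KEY: succeed when the public key in CRT is the one derived from KEY.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# cert_valid_for CRT DAYS: succeed when CRT is still valid DAYS days from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# cert_covers_host CRT HOST: succeed when HOST is the subject CN or one of the DNS SANs,
# which is what a docker client checks against the registry hostname.
cert_covers_host() {
  { openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'; } 2>/dev/null |
    grep -Eq "(CN ?= ?|DNS:)$2($|,| )"
}

# rotate_cert: copy, verify, then reload Harbor. Run as root (the key and prepare need it).
rotate_cert() {
  mkdir -p "$DEST"
  cp "$LE_LIVE/fullchain.pem" "$DEST/$DOMAIN.crt"
  cp "$LE_LIVE/privkey.pem"   "$DEST/$DOMAIN.key"
  chmod 600 "$DEST/$DOMAIN.key"
  cert_matches_key "$DEST/$DOMAIN.crt" "$DEST/$DOMAIN.key" || { echo "certificate and key do not match"; return 1; }
  cert_covers_host "$DEST/$DOMAIN.crt" "$DOMAIN"           || { echo "certificate is not issued for $DOMAIN"; return 1; }
  cert_valid_for   "$DEST/$DOMAIN.crt" "$MIN_DAYS"         || { echo "certificate expires within $MIN_DAYS days; run letsencrypt-auto renew first"; return 1; }
  cd "$HARBOR_DIR" && ./prepare && docker-compose down && docker-compose up -d
}

if [ "${1:-}" = "--run" ]; then
  rotate_cert
fi
```

Usage: `sudo sh rotate_cert.sh --run` after `letsencrypt-auto renew`; the three checks refuse to touch the running Harbor if the new files are inconsistent, so a bad copy cannot take the registry offline.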
VI. Pushing an image:
1. Open the Harbor site in a browser, log in with an ordinary user account and create a project named "test".
2. Log in to docker.MySite.com from the client:
$ docker login docker.MySite.com
Username: bytefish
Password: <password>
Login Succeeded
3. Tag the image on the client and push it to docker.MySite.com:
Format:
docker tag SOURCE_IMAGE[:TAG] docker.MySite.com/PROJECT/IMAGE[:TAG]
docker push docker.MySite.com/PROJECT/IMAGE[:TAG]
Example:
$ docker tag hello-world:latest docker.MySite.com/test/hello-world:test
$ docker push docker.MySite.com/test/hello-world:test
The push refers to a repository [docker.MySite.com/test/hello-world]
f999ae22f308: Mounted from library/hello-world
test: digest: sha256:0b1396cdcea05f91f38fc7f5aecd58ccf19fb5743bbb79cff5eb3c747b36d909 size: 524
The digest printed on the last line identifies the pushed manifest; pulling docker.MySite.com/test/hello-world@sha256:... returns exactly that content even if the test tag is later moved.