【Docker】企业级镜像仓库harbor的搭建(http/https)及使用

一：用途###

Harbor是一个用于存储和分发Docker镜像的企业级Registry服务器。

二：安装docker-ce###

环境：阿里云轻量应用服务器CentOS 7.3

这里通过yum Docker源仓库安装：

①安装yum 管理依赖包

sudo yum install-y yum-utils device-mapper-persistent-data lvm2

②添加Docker 源仓库

sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

③安装Docker CE

sudo yum install docker-ce docker-ce-cli containerd.io

三：安装docker-compose###

参考这篇博客：https://www.cnblogs.com/wucaiyun1/p/11811112.html

四：安装harbor###

https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md

①下载harbor

wget https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.6.1.tgz

或者到github releases下载

https://github.com/goharbor/harbor/releases

-------------------------------------------------------------------http方式-------------------------------------------------------------------

②配置安装(http方式)

[root@iZuf6hcb8yumasfp52oemxZ ailala]# tar -xf harbor-offline-installer-v1.6.1.tgz

[root@iZuf6hcb8yumasfp52oemxZ ailala]# cd harbor

[root@iZuf6hcb8yumasfp52oemxZ harbor]# vi harbor.yml

-------------------------------------------------------------------http方式-------------------------------------------------------------------

-------------------------------------------------------------------https方式-------------------------------------------------------------------

②配置安装(https方式)

https://github.com/goharbor/harbor/blob/master/docs/configure_https.md

Getting Certificate Authority####

openssl genrsa -out ca.key 4096

openssl req -x509 -new -nodes -sha512 -days 3650 \

-subj "/C=CN/ST=Shanghai/L=Shanghai/O=example/OU=Personal/CN=fixedbug.work" \

-key ca.key \

-out ca.crt

Getting Server Certificate####

Create your own Private Key:

openssl genrsa -out fixedbug.work.key 4096

Generate a Certificate Signing Request:

openssl req -sha512 -new \

    -subj "/C=CN/ST=Shanghai/L=Shanghai/O=example/OU=Personal/CN=fixedbug.work" \

    -key fixedbug.work.key \

    -out fixedbug.work.csr

Generate the certificate of your registry host:

cat > v3.ext <<-EOF

authorityKeyIdentifier=keyid,issuer

basicConstraints=CA:FALSE

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

extendedKeyUsage = serverAuth

subjectAltName = @alt_names

[alt_names]

DNS.1=fixedbug.work

DNS.2=fixedbug

DNS.3=hostname

EOF

openssl x509 -req -sha512 -days 3650 \

    -extfile v3.ext \

    -CA ca.crt -CAkey ca.key -CAcreateserial \

    -in fixedbug.work.csr \

    -out fixedbug.work.crt

Configuration and Installation####

Configure Server Certificate and Key for Harbor

  cp yourdomain.com.crt /data/cert/

  cp yourdomain.com.key /data/cert/

Configure Server Certificate, Key and CA for Docker

Convert server yourdomain.com.crt to yourdomain.com.cert:

openssl x509 -inform PEM -in fixedbug.work.crt -out fixedbug.work.cert

Delpoy yourdomain.com.cert, yourdomain.com.key, and ca.crt for Docker:

  cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/

  cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/

  cp ca.crt /etc/docker/certs.d/yourdomain.com/

/etc/docker/certs.d/

    └── yourdomain.com:port

       ├── yourdomain.com.cert  <-- Server certificate signed by CA

       ├── yourdomain.com.key   <-- Server key signed by CA

       └── ca.crt               <-- Certificate authority that signed the registry certificate

Configure Harbor

-------------------------------------------------------------------https方式-------------------------------------------------------------------

[root@iZuf6hcb8yumasfp52oemxZ harbor]# ./prepare

[root@iZuf6hcb8yumasfp52oemxZ harbor]# ./install

③登录

五：上传镜像到harbor仓库###

在本机配置harbor仓库http可信

/etc/docker/daemon.json中添加“"insecure-registries":["reg.slito.com"]”，不然会报错，默认是走https的，重启docker；

登录harbor仓库

[root@iZuf6hcb8yumasfp52oemxZ harbor]# docker login fixedbug.work:88

Username: admin

Password:

WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

Configure a credential helper to remove this warning. See

https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

上传镜像

[root@iZuf6hcb8yumasfp52oemxZ harbor]# docker tag mysql:8 fixedbug.work:88/library/mysql:v1

[root@iZuf6hcb8yumasfp52oemxZ harbor]# docker push fixedbug.work:88/library/mysql:v1

The push refers to repository [fixedbug.work:88/library/mysql]

55f5c7d40658: Pushed

8d0c9963a6ad: Pushed

17b62e7a629c: Pushed

8eae701cdfcf: Pushing  31.11MB/341.1MB

d4078c1b9fdb: Pushed

8eae701cdfcf: Pushed

2a9aab74013a: Pushing  33.62MB/44.77MB

414373ffccb4: Pushed

2a9aab74013a: Pushed

51734435c93c: Pushed

5a8a245abd1c: Pushed

99b5261d397c: Pushing  23.78MB/55.34MB

99b5261d397c: Pushed

v1: digest: sha256:a65e1689b806ccb757887565a3c1d8e7467f14621012d472076cad4117eb06f3 size: 2828

[root@iZuf6hcb8yumasfp52oemxZ harbor]#

在harbor中查看

六：下载harbor中的镜像###

[root@iZuf6hcb8yumasfp52oemxZ ~]# docker rmi fixedbug.work:88/library/mysql:v1

Untagged: fixedbug.work:88/library/mysql:v1

Untagged: fixedbug.work:88/library/mysql@sha256:a65e1689b806ccb757887565a3c1d8e7467f14621012d472076cad4117eb06f3

[root@iZuf6hcb8yumasfp52oemxZ ~]# docker images | grep mysql

mysql                           8                               d435eee2caa5        12 days ago         456MB

[root@iZuf6hcb8yumasfp52oemxZ ~]# docker pull fixedbug.work:88/library/mysql:v1

v1: Pulling from library/mysql

Digest: sha256:a65e1689b806ccb757887565a3c1d8e7467f14621012d472076cad4117eb06f3

Status: Downloaded newer image for fixedbug.work:88/library/mysql:v1

fixedbug.work:88/library/mysql:v1

[root@iZuf6hcb8yumasfp52oemxZ ~]# docker images | grep mysql

mysql                            8                               d435eee2caa5        12 days ago         456MB

fixedbug.work:88/library/mysql   v1                              d435eee2caa5        12 days ago         456MB

踩坑记录：域名只是用来替代IP的，没有备案会封锁对应IP的80和433端口，这个IP必须是国内的才行。如果域名指向国外IP，备案还是不备案都不妨碍80和433端口的使用。