
harbor 入门

丰飞龙
2023-12-01

1 安装

0 系统初始化

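# Put SELinux into disabled mode for the next boot. The pattern is anchored to
# the SELINUX= setting so the substitution cannot touch comment lines or any
# other occurrence of the word "enforcing" in the file.
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
# Switch the running kernel to permissive; setenforce fails when SELinux is
# already disabled, which is not an error for this step.
setenforce 0 || true

# Skip reverse-DNS lookups for SSH sessions and restart sshd to apply it.
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
systemctl restart sshd

# Disable and stop firewalld and NetworkManager, as the original procedure does.
# With firewalld off, every port Docker/Harbor publishes is reachable from the
# network; outside an isolated lab host, keep the firewall and open only the
# registry ports instead.
systemctl disable firewalld
systemctl disable NetworkManager
systemctl stop firewalld NetworkManager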




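# Install the one-shot client (ntpdate) and the daemon (ntpd) in a single yum
# transaction, step the clock once, then let ntpd keep it in sync.
yum -y install ntpdate ntp

ntpdate ntp1.aliyun.com
systemctl enable ntpd

# Quoted delimiter: nothing inside the config is subject to shell expansion.
cat > /etc/ntp.conf << 'EOF'
driftfile /var/lib/ntp/drift
# Default policy: serve time only; refuse modification, traps, peering and queries.
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# "iburst" speeds up the initial sync; the original line listed it twice.
server ntp1.aliyun.com iburst
logfile /var/log/ntp.log
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
# Turn off the monlist statistics interface, the one abused for NTP amplification.
disable monitor
EOF

systemctl start ntpd
# Right after start the peer list may still show no selected ("*") server;
# re-run ntpq -p after a minute to confirm synchronisation.
ntpq -p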

1.1 docker-compose

安装 docker-compose

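# docker-compose is installed as a bare binary from GitHub. 1.23.0-rc3 is a
# release candidate; it is pinned here because it is what the original used.
compose_version=1.23.0-rc3
compose_url="https://github.com/docker/compose/releases/download/${compose_version}/docker-compose-Linux-x86_64"
# Placeholder: fill in the sha256 published on the release page. Without the
# check an altered or truncated download would be installed unnoticed.
compose_sha256='<SHA256_FROM_RELEASE_PAGE>'

wget "$compose_url"
printf '%s  docker-compose-Linux-x86_64\n' "$compose_sha256" | sha256sum -c - || exit 1
mv docker-compose-Linux-x86_64 /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose --version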

1.2 安装docker



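 # Install the Docker CE yum repo. The original only displayed the file; yum
 # reads it from /etc/yum.repos.d/. Package signature checking is enabled:
 # with gpgcheck=0 a tampered package served by the mirror would be installed
 # unchecked. The delimiter is quoted so "$basearch" stays a yum variable.
cat > /etc/yum.repos.d/docker-ce.repo << 'EOF'
[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/x86_64/stable
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
EOF
# Engine version the rest of the procedure was written against.
yum -y install docker-ce-19.03.9-3.el7
mkdir -p /etc/docker
mkdir -p /data/docker-data
# "data-root" is the current name of the deprecated "graph" key; 19.03 accepts both.
cat > /etc/docker/daemon.json << 'EOF'
{
"data-root": "/data/docker-data",
"registry-mirrors": ["https://bmtrgdvx.mirror.aliyuncs.com", "https://hub-mirror.c.163.com", "https://dockerhub.azk8s.cn"]
}
EOF
systemctl start docker
systemctl enable docker
systemctl status docker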

harbor download

https://github.com/goharbor/harbor/releases

# Download the offline installer into /opt/ (-P creates the directory if needed).
# v2.2.2-rc1 is a release candidate. The archive ships the images Harbor will
# run, so verify it against the checksum/signature from the release page, if
# one is published there, before unpacking.
wget  https://github.com/goharbor/harbor/releases/download/v2.2.2-rc1/harbor-offline-installer-v2.2.2-rc1.tgz  -P /opt/

2 http harbor

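# /data/ must exist before tar extracts into it; harbor-data is created here
# and referenced as data_volume in harbor.yml below. -p makes both idempotent.
mkdir -p /data /data/harbor-data
tar xzvf /opt/harbor-offline-installer-v2.2.2-rc1.tgz -C /data/
cp /data/harbor/harbor.yml.tmpl /data/harbor/harbor.yml
# Edit the settings shown below (hostname, data_volume, passwords).
vim /data/harbor/harbor.yml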
# harbor.yml excerpt for the plain-HTTP setup. Clients must address Harbor by
# exactly this value (an IP here; section 3 switches it to a DNS name).
hostname: 192.168.3.14

# Host directory where Harbor keeps its data.
data_volume: /data/harbor-data

database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  
# Initial password of the "admin" account. The value below is an example only;
# it is reused by the docker login step later on this page.
harbor_admin_password: 12345678
# https related config
#https:
  # https port for harbor, default is 443
  #  port: 443
  # The path of cert and key files for nginx
  # certificate: /your/certificate/path
  #private_key: /your/private/key/path
# With the https block commented out Harbor serves plain HTTP, so Docker
# clients must list it under "insecure-registries" (daemon.json step below).
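# Log directory used by the Harbor installation; -p so a re-run does not fail.
mkdir -p /var/log/harbor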

install

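# Run Harbor's installer from its own directory: ./prepare generates the
# runtime configuration from harbor.yml, ./install.sh then starts the stack.
# Abort if the directory is missing instead of executing from the wrong cwd.
cd /data/harbor || exit 1
./prepare
./install.sh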

http://192.168.3.14/

admin
12345678

扩展 镜像同步工具 image-transfer

3 变更配置用域名代替ip

# Switch hostname from the IP to a DNS name; clients must use the same name,
# so the /etc/hosts entry and the insecure-registries value below match it.
vim /data/harbor/harbor.yml
hostname: www.harbor.com

重新加载配置

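# Re-generate the configuration and re-run the installer after changing
# harbor.yml; abort if the directory is missing.
cd /data/harbor || exit 1
./prepare
./install.sh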

http harbor 客户端配置 此处客户端也是192.168.3.14

配置hosts

# Client-side name resolution: www.harbor.com must resolve to the Harbor host,
# otherwise the docker login/push/pull steps below cannot reach it.
cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.3.14 www.harbor.com

配置docker 允许使用 http 仓库

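# Rewrite daemon.json so the engine accepts a plain-HTTP registry for this one
# host. Anything under insecure-registries exchanges credentials and image
# layers unencrypted, so keep it to the lab host and use the HTTPS setup
# further down otherwise. "data-root" replaces the deprecated "graph" key.
cat > /etc/docker/daemon.json << 'EOF'
{
"data-root": "/data/docker-data",
"registry-mirrors": ["https://bmtrgdvx.mirror.aliyuncs.com", "https://hub-mirror.c.163.com", "https://dockerhub.azk8s.cn"],
"insecure-registries": ["www.harbor.com"]
}
EOF
systemctl restart docker
# The engine restart is expected to take the Harbor containers down with it;
# bring the stack back up from the generated compose file.
docker-compose -f /data/harbor/docker-compose.yml up -d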

测试

使用管理员登录

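# Log in interactively (password prompt), as the HTTPS section of this page
# does: passing it with -p writes it to the shell history and exposes it to
# every user via ps while the command runs. The password is the
# harbor_admin_password value from harbor.yml.
docker login www.harbor.com -u admin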

测试 push

# Push test: pull a small public image, retag it under Harbor's "library"
# project and push it to the registry.
local_image=busybox:latest
harbor_image=www.harbor.com/library/busybox:latest
docker pull busybox
docker tag "$local_image" "$harbor_image"
docker push "$harbor_image"

测试 pull

# Pull test: drop both local copies first so the pull really goes to Harbor.
harbor_image=www.harbor.com/library/busybox:latest
docker rmi busybox "$harbor_image"
docker pull "$harbor_image"

harbor https 待整理

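# Download straight into /opt/ so the tar step finds the archive regardless of
# the current directory (the original fetched it into $PWD, then cd'ed to /opt).
# v1.9.2-rc1 is a release candidate; verify the archive if a checksum or
# signature is published for it.
wget -P /opt/ https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.9.2-rc1.tgz

cd /opt/ || exit 1
tar xzvf harbor-offline-installer-v1.9.2-rc1.tgz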

# HTTPS variant of harbor.yml; the settings to change are shown below.
vim /opt/harbor/harbor.yml
# hostname is the address the certificate below lists as IP.1; the cert/key
# paths must match where the self-signed files are copied (/opt/cert/).
hostname: 172.16.100.216
https:
   port: 443
   certificate: /opt/cert/reg.lz.com.crt
   private_key: /opt/cert/reg.lz.com.key
   
data_volume: /data

database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  
# Initial admin password (example value). harbor.yml holds credentials in clear
# text, so restrict its file permissions accordingly.
harbor_admin_password: ops@456

制作自签证书

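# Self-signed CA plus a server certificate for the registry. Everything is
# created under /certs/, which is wiped first — do not point this at a
# directory that holds other keys.
rm -rf /certs/
mkdir /certs
cd /certs/ || exit 1

openssl genrsa -out ca.key 4096
# Keep private keys readable by root only; genrsa leaves them with the
# default mode otherwise.
chmod 600 ca.key
# The CA subject must differ from the server subject (as in the Harbor docs);
# with identical DNs chain building cannot tell issuer from leaf reliably.
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=Harbor Lab Root CA" \
  -key ca.key \
  -out ca.crt

openssl genrsa -out reg.lz.com.key 4096
chmod 600 reg.lz.com.key
openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=reg.lz.com" \
  -key reg.lz.com.key \
  -out reg.lz.com.csr

# SANs: list only the names/addresses the registry is actually reached by.
# The original kept the "yourdomain" and "hostname" placeholders from the
# Harbor docs, which would have been issued as real DNS names.
cat > v3.ext << 'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1=172.16.100.216
DNS.1=reg.lz.com
EOF

openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in reg.lz.com.csr \
  -out reg.lz.com.crt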

将 证书放置 harbor指定路径

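# Place the server certificate and key where harbor.yml points
# (certificate: /opt/cert/reg.lz.com.crt, private_key: /opt/cert/reg.lz.com.key).
mkdir -p /opt/cert/
cp reg.lz.com.crt reg.lz.com.key /opt/cert/
# The copied key is a fresh file; make sure it is not world-readable.
chmod 600 /opt/cert/reg.lz.com.key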
为客户端转换证书
Docker守护进程将.crt文件解释为CA证书,.cert文件解释为客户端证书。

将服务器yourdomain.com.crt转换为yourdomain.com.cert:
# Same PEM content under the .cert suffix, which the Docker daemon treats as a
# client certificate (a .crt in certs.d is read as a CA certificate instead).
openssl x509 -inform PEM -in reg.lz.com.crt -out reg.lz.com.cert

客户端需要的三个证书文件是

reg.lz.com.cert   reg.lz.com.key  ca.crt

开始安装 harbor

/etc/fstab
/dev/mapper/data--vg-data--lv  /data/                   xfs     defaults        0 0


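# Mount the data volume at /data/ (the fstab entry above makes it persistent
# across reboots); skip the mount if it is already in place.
mkdir -p /data/
mountpoint -q /data/ || mount /dev/mapper/data--vg-data--lv /data/
mkdir -p /var/log/harbor
# Generate the runtime configuration from harbor.yml and start Harbor; abort
# if the install directory is missing.
cd /opt/harbor || exit 1
./prepare
./install.sh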

确认服务状态为 healthy

# Every Harbor container should show "(healthy)" in the STATUS column.
docker ps  

harbor 启动与停止

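# Start or stop Harbor from its install directory, where the generated
# docker-compose.yml lives; abort if the directory is missing.
cd /opt/harbor || exit 1
# Start in the background.
docker-compose up -d
# Stop: removes the containers and the volumes declared in the compose file.
# Registry content is expected under data_volume (/data) on the host; confirm
# against the generated compose file before relying on -v being safe.
docker-compose down -v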

webui

https://172.16.100.216/

客户端配置

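# Trust the self-signed CA on this Docker client. The directory name must
# equal the registry host used in "docker login" (here the IP). Only ca.crt
# belongs here: a .cert/.key pair in certs.d is a client certificate for
# mutual TLS, which this harbor.yml does not ask for, and copying the
# registry's private key onto clients hands out the server's identity.
mkdir -p /etc/docker/certs.d/172.16.100.216
cp /certs/ca.crt /etc/docker/certs.d/172.16.100.216/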

远端客户端

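# Remote client: fetch only the CA certificate. The server key must stay on
# the Harbor host; clients need nothing but ca.crt to verify the registry.
mkdir -p /etc/docker/certs.d/172.16.100.216
scp 172.16.100.216:/certs/ca.crt /etc/docker/certs.d/172.16.100.216/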

docker login 测试

docker login 172.16.100.216
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

和K8S 集群集成

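# Image pull secret for the cluster; name and namespace must match the
# imagePullSecrets entry of the deployment below. The password is read from
# the environment instead of being typed into the command, so it is not
# recorded in the shell history (it remains visible in the process list
# while kubectl runs).
: "${HARBOR_NODE_PASSWORD:?set to the Harbor password of the node user}"
kubectl create secret docker-registry lz-rg \
  --docker-server=10.255.128.171 \
  --docker-username=node \
  --docker-password="$HARBOR_NODE_PASSWORD" \
  --docker-email=node@lz.com \
  -n default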

使用 secret

# Add imagePullSecrets to the pod template of the deployment (excerpt below).
kubectl  edit deploy lz-eoms-org-yyglproduce-deploy


# Pod template excerpt: the image is pulled from the Harbor host and
# imagePullSecrets names the secret created with "kubectl create secret"
# above, which must exist in the same namespace (default).
spec:
      containers:
      - image: 10.255.128.171/lz/xx:v1.0.0
        imagePullPolicy: IfNotPresent
        name: lz-eoms-org-produce-container
        resources: {}
        terminationMessagePath: /dev/termination-log
        volumeMounts:
        - mountPath: /opt/conf/application-env.properties
          name: conf-storage
        - mountPath: /opt/conf/businessCluster.json
          name: bus-storage
      dnsPolicy: ClusterFirst
      # Secret used by the kubelet to authenticate against the registry.
      imagePullSecrets:
      - name: lz-rg

测试 k8s 使用 secret

        imagePullPolicy: Always
        删除 pod（pod 重建时会重新拉取镜像，以验证 secret 是否生效）