-
Docker Harbor私有镜像image仓库安装
-
goharbor/harbor
- 参考:https://www.cnblogs.com/wuvikr/p/14688079.html
-
#停止harbor
- systemctl stop harbor.service
-
使用prepare脚本重新加载harbor.yml中的配置
- [root@harbor harbor]#./prepare
-
-
-
- 稍等一会harbor会自动启动起来
- 查看一下,可以看到nginx的443端口已经打开了
- [root@harbor harbor]#docker-compose ps
- #如果没启动起来, 改用systemclt来启动Harbor
- [root@harbor harbor]# systemctl enable --now harbor.service
-
-
-
HTTPS
-
创建一个生成证书的目录
- mkdir -p /usr/local/harbor/certs
-
生成CA证书
- openssl req -newkey rsa:2048 -nodes -x509 -subj "/C=CN/ST=Beijing/L=Beijing/O=david/OU=IT/CN=ca.david.com/emailAddress=ca.david.com" -set_serial 01 -keyout ca.key -days 3650 -out ca.crt
-
生成harbor证书申请
- openssl req -newkey rsa:2048 -nodes -subj "/C=CN/ST=Beijing/L=Beijing/O=david/OU=devops/CN=harbor.david.com" -set_serial 02 -keyout harbor.key -out harbor.csr
-
为harbor颁发证书
-
-
-
-
-
- 参考:OpenSSL SAN 证书-CSDN博客
- 需要使用SAN(Subject Alternative Name) 扩展,所以在颁发证书的需要做一些处理,不然登录时会报以下异常
- [root@bogon config]# docker login harbor.david.com
-
-
-
-
-
-
- Username: admin
- Password:
- Error response from daemon: Get "https://harbor.david.com/v2/": tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead
-
-
-
-
-
-
-
创建v3_req的配置文件 *.david.com 支持该域名下的所有子域名
- 参考:https://www.cnblogs.com/punchlinux/p/16499966.html
-
-
-
-
-
-
-
-
- cat > v3.ext
- authorityKeyIdentifier=keyid,issuer
- basicConstraints=CA:FALSE
- keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
- extendedKeyUsage = serverAuth
- subjectAltName = @alt_names
- [alt_names]
- DNS.1=*.david.com
- EOF
-
开始为harbor颁发带SAN扩展的证书 -extfile v3.ext
-
-
-
-
-
-
-
-
-
- openssl x509 -req -in harbor.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out harbor.crt -extfile v3.ext
-
查看证书 支持所有子域名 DNS:*.david.com
- openssl x509 -text -noout -in harbor.crt
-
-
-
-
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:B8:44:82:67:B2:E3:2C:70:B3:A9:04:66:BE:D4:C6:95:FD:2F:95:0F
X509v3 Basic Constraints:CA:FALSE
X509v3 Key Usage:Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:TLS Web Server Authentication
X509v3 Subject Alternative Name:DNS:*.david.com-
修改harbor.yml
- 打开之前被我们注释掉的https配置,并配置好crt和key的路径:
- Harbor.crt 和 Harbor.key 中的harbor是小写,不是大写
- certificate: /root/harbor/certs/Harbor.crt
- private_key: /root/harbor/certs/Harbor.key
- 修改为正确的路径
- -rw-r--r-- 1 root root 1391 Oct 26 15:18 ca.crt
- -rw------- 1 root root 1708 Oct 26 15:18 ca.key
- -rw-r--r-- 1 root root 41 Oct 26 15:20 ca.srl
- -rw-r--r-- 1 root root 1261 Oct 26 15:20 harbor.crt
- -rw-r--r-- 1 root root 1013 Oct 26 15:19 harbor.csr
- -rw------- 1 root root 1704 Oct 26 15:19 harbor.key
- certificate: /usr/local/harbor/certs/harbor.crt
- private_key: /usr/local/harbor/certs/harbor.key
-
将证书复制到harbor目录下,推送我使用的是reg.david.com域名
- mkdir -pv /etc/docker/certs.d/reg.david.com
- cp ca.crt /etc/docker/certs.d/reg.david.com/
- mkdir -pv /etc/docker/certs.d/harbor.david.com
- cp ca.crt /etc/docker/certs.d/harbor.david.com/
-
登录harbor
- docker login harbor.david.com
-
退出harbor
- docker logout harbor.david.com
-
本地host添加域名 harbor.david.com / ca.david.com / reg.david.com
-
- [root@bogon config]# cat /etc/hosts
- 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
- ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
- 192.168.221.129 reg.david.com
- 192.168.221.129 harbor.david.com
- 192.168.221.129 ca.david.com
-
docker push 报错:unauthorized: unauthorized to access repository: library/xx处理方法
- #daemon.json中添加insecure-registries字段,代表上传不受IP限制
- cat /etc/docker/daemon.json
- {
- "insecure-registries": ["0.0.0.0/0"],
- "registry-mirrors": ["https://wbdhknhl.mirror.aliyuncs.com"]
- }
-
再次重启docker服务
- systemctl daemon-reload && systemctl restart docker.service
- 不一定是这个造成的,我看直接推送到library目录中就正常
- #daemon.json中添加insecure-registries字段,代表上传不受IP限制
-
为镜像打Tag
- docker tag seatunnel:2.3.3 reg.david.com/library/seatunnel:2.3.3
-
向仓库推荐镜像
- docker push reg.david.com/library/seatunnel:2.3.3
)
