基础环境

ubuntu server18

域名配置

sudo vi /etc/hosts

www.node23.com 192.168.43.23

docker安装

一键安装

curl -sSL https://get.daocloud.io/docker | sh

配置docker

vi /etc/docker/daemon.json

{
"registry-mirrors": ["https://squpqgby.mirror.aliyuncs.com"],"insecure-registries" : ["www.node23.com"],"exec-opts": ["native.cgroupdriver=systemd"],"log-driver": "json-file","log-opts": {"max-size": "100m"},"storage-driver": "overlay2"
}

重启：

systemctl daemon-reload
service docker restart

docker-compose安装

sudo curl -L https://github.com/docker/compose/releases/download/1.20.1/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

Harbor安装

下载：

wget http://kubernetes.cvimer.com/harbor-offline-installer-v1.10.3.tgz

解压：

tar xf harbor-offline-installer-v1.10.3.tgz
cd harbor
#将镜像加载到docker中
docker load -i harbor.v1.10.3.tar.gz

harbor配置

vi harbor.yml，大致更改点参考如下，https先关闭

hostname: www.node23.com
​
# http related config
http:# port for http, default is 80. If https enabled, this port will redirect to https portport: 80
​
# https related config
#https:# https port for harbor, default is 443#  port: 443# The path of cert and key files for nginx#certificate: /your/certificate/path# private_key: /your/private/key/path
harbor_admin_password: nufront
​
# Harbor DB configuration
database:# The password for the root user of Harbor DB. Change this before any production use.password: root123# The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.max_idle_conns: 50# The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.# Note: the default number of connections is 100 for postgres.max_open_conns: 100
​
# The default data volume
data_volume: /data/harbor

初始登录账号/密码：admin/root123

harbor启动/停止

运行prepare脚本

Harbor将nginx实例用作所有服务的反向代理。您可以使用prepare脚本来配置nginx为使用HTTP和HTTPS

./prepare

利用docker-compose启动和停止Harbor

#启动
sudo docker-compose up -d
#关闭
sudo docker-compose down
​
#强制清理
docker system prune -a -f
​
#查看
sudo docker-compose ps

Harbor访问、登录和使用

修改daemon.json，默认http私有仓库不能访问，设置后才可以。修改cgroupdriver是为了消除安装k8s集群时的告警。

vim /etc/docker/daemon.json

{
"registry-mirrors": ["https://squpqgby.mirror.aliyuncs.com"],"insecure-registries" : ["www.node23.com"],"exec-opts": ["native.cgroupdriver=systemd"]
}

# 重启Docker进程
sudo systemctl daemon-reload
sudo service docker restart
​
# 重启Harbor
sudo docker-compose up -d
​
#查看cgroup状态
docker info | grep Cgroup

从Docker客户端登录Harbor，确保所有需要使用harbor的节点都能正常登录

docker login  www.node23.com

注：实际登录过程中出现

Error saving credentials: error storing credentials - err: exit status 1, out: `Failed to execute child process “dbus-launch” (No such file or directory)`

解决参考：authentication - Cannot login to Docker account - Stack Overflow

sudo apt-get update
sudo apt-get install gnupg2 pass

web管理界面访问：http://www.node23.com/

上传镜像

将需要push到远程仓库的镜像进行版本标记

docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]

如

在项目中标记镜像

docker tag SOURCE_IMAGE[:TAG] www.node23.com/library/IMAGE[:TAG]
sudo docker tag hello-world www.node23.com/library/hello-world:1.0.0

推送镜像到当前项目或公开library：

docker push www.node23.com/library/IMAGE[:TAG]
docker push www.node23.com/library/hello-world:1.0.0

拉取镜像

docker pull www.node23.com/boss/hello-world:1.0.0

生产环境中使用

生成Ca证书

cd /home/kangming/cert/
​
#生成CA证书私钥
openssl genrsa -out ca.key 4096
#生成CA证书
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=GaungZhou/L=GaungZhou/O=www.node23.com/OU=Personal/CN=www.node23.com" \
-key ca.key \
-out ca.crt

生成服务器证书

证书通常包含一个.crt文件和一个.key文件

生成私钥

openssl genrsa -out www.node23.com.key 4096

生成证书签名请求（CSR）

openssl req -sha512 -new \
-subj "/C=CN/ST=GaungZhou/L=GaungZhou/O=www.node23.com/OU=Personal/CN=www.node23.comm" \
-key www.node23.com.key \
-out www.node23.com.csr

生成一个x509 v3扩展文件

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
​
[alt_names]
DNS.1=www.node23.com
DNS.2=*.node*.com
DNS.3=www.test.com
IP.1=192.168.43.23
EOF

使用该v3.ext文件为您的Harbor主机生成证书

openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in www.node23.com.csr \
-out www.node23.com.crt

向Harbor和Docker提供证书

sudo mkdir -p /data/cert
sudo cp www.node23.com.crt /data/cert/
sudo cp www.node23.com.key /data/cert/

转换www.node23.com.crt为www.node23.com.cert，供Docker使用

openssl x509 -inform PEM -in www.node23.com.crt -out www.node23.com.cert

• 将服务器证书，密钥和CA文件复制到Harbor主机上的Docker证书文件夹中。必须首先创建适当的文件夹

sudo mkdir -p /etc/docker/certs.d/www.node23.com:443/
sudo cp www.node23.com.cert /etc/docker/certs.d/www.node23.com:443/
sudo cp www.node23.com.key /etc/docker/certs.d/www.node23.com:443/
sudo cp ca.crt /etc/docker/certs.d/www.node23.com:443/

• 重新启动Docker Engine

sudo systemctl restart docker

修改Harbor配置

开启https

cd /home/kangming/harbor/
​
vim harbor.yml
https:port: 443certificate: /etc/docker/certs.d/www.node23.com:443/www.node23.com.certprivate_key: /etc/docker/certs.d/www.node23.com:443/www.node23.com.key

启动harbor

./prepare
#启动
sudo docker-compose up -d
#关闭
sudo docker-compose down
#查看
sudo docker-compose ps

从Docker客户端登录Harbor

cd /home/kangming/cert/
sudo cp ca.crt /usr/local/share/ca-certificates/ca.crt
sudo chmod 644 /usr/local/share/ca-certificates/ca.crt && sudo  update-ca-certificates
​
​
# 重启Docker进程
sudo systemctl restart docker
cd /home/kangming/harbor/ 
sudo docker-compose down
sudo docker-compose up -d

登录Harbor

docker login www.node23.com:443

web登录：https://www.node23.com/

另外，将ca.crt证书安装到受信任的根证书机构即可让浏览器承认，显示绿色小箭头。