harbor搭建企业docker私有镜像仓库

1.1 搭建harbor仓库

1.1.1 安装docker和docker-compose

# curl -fsSL https://get.docker.com/ | sh

# systemctl start docker

# systemctl enable docker

# curl -L https://github.com/docker/compose/releases/download/1.19.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose

# chmod +x /usr/local/bin/docker-compose

1.1.2 下载harbor安装包

# wget https://github.com/goharbor/harbor/releases/download/v2.0.0/harbor-offline-installer-v2.0.0.tgz

# tar -zxvf harbor-offline-installer-v2.0.0.tgz

# mv harbor /opt/

# cd /opt/harbor

# cp harbor.yml.tmpl harbor.yml

1.1.3 配置https方式访问证书

1. 生成根证书(存放到目录/etc/docker/certs.d/reg.niewx.club)

$ mkdir -p /etc/docker/certs.d/reg.niewx.club && cd /etc/docker/certs.d/reg.niewx.club

2. 创建自己的CA证书（不使用第三方权威机构的CA来认证，自己充当CA的角色

$ openssl genrsa -out ca.key 2048

3. 生成自签名证书（使用已有私钥ca.key自行签发根证书）

$ openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt -subj "/CN=Harbor-ca"

4. 生成服务器端私钥和CSR签名请求

$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout server.key -out server.csr

5. 签发服务器证书

echo subjectAltName = IP:49.235.179.157 > extfile.cnf

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -extfile extfile.cnf -out server.crt

6. 最终生成的证书如下

[root@VM_0_13_centos reg.niewx.club]# ls

ca.crt ca.key ca.srl extfile.cnf server.crt server.csr server.key

1.1.4 修改harbor配置项

[root@VM_0_13_centos harbor]# cat harbor.yml

# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.

# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.

hostname: 1.1.1.1

# http related config

#http:

# port for http, default is 80. If https enabled, this port will redirect to https port

# port: 80

# https related config

https:

# https port for harbor, default is 443

port: 443

# The path of cert and key files for nginx

certificate: /etc/docker/certs.d/reg.niewx.club/server.crt

private_key: /etc/docker/certs.d/reg.niewx.club/server.key

# # Uncomment following will enable tls communication between all harbor components

# internal_tls:

# # set enabled to true means internal tls is enabled

# enabled: true

# # put your cert and key files on dir

# dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy

# And when it enabled the hostname will no longer used

# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin

# It only works in first time to install harbor

# Remember Change the admin password from UI after launching Harbor.

harbor_admin_password: 123456

主要需要修改上面标记的选项。

1.1.5 启动harbor

# cd /opt/harbor

# ./ prepare

# ./install.sh --with-clair (启动扫描器)

启动日志显示上面则启动成功

如果修改了配置项需要重新启动harbor则重新执行以下命令即可

# cd /opt/harbor

# ./ prepare

# ./install.sh --with-clair (启动扫描器)

1.2 haobor仓库的使用

1.2.1 harbor的登录和创建项目

默认账号为admin，密码为你之前修改配置密码

项目管理，里面会有一个默认的公开项目library，所有人可以上传下载镜像

点击新建项目，输入项目名称，设置存储容量和是否公开

查看项目的镜像仓库，也可以查看推送命令推送镜像

1.2.2 客户端推送镜像

首先需要配置docker认真地址

[root@node1 ~]# cat /etc/docker/daemon.json

{

"insecure-registries": ["https://1.1.1.1"],

"registry-mirrors": ["https://yywkvob3.mirror.aliyuncs.com"],

"exec-opts": ["native.cgroupdriver=systemd"]

}

# systemctl daemon-reload && systemctl restart docker

# docker login 1.1.1.1 -u admin -p *****

# docker tag busybox:latest 1.1.1.1/library/busybox:latest

# docker push 1.1.1.1/library/busybox:latest

1.2.3 harbor中角色权限说明