备注:使用非root用户操作Docker,需要创建docker组
sudo groupadd docker
将当前用户加入docker组
sudo gpasswd -a ${USER} docker
重新启动docker服务(下面是CentOS7的命令)
sudo systemctl restart docker
当前用户退出系统重新登陆。
$ scp -i .ssh/id_rsa harbor.bytefish.online-installer-v1.4.0.tgz 用户名@docker.MySite.com:/路径/harbor.bytefish.online-installer-v1.4.0.tgz
$ ssh 用户名@docker.MySite.com -i .ssh/id_rsa
$ tar -zxf harbor.bytefish.online-installer-v1.4.0.tgz && cd harbor
二、确认服务器资源:
1、官方对服务器资源的最小要求和建议:
Hardware:
Resource Capacity Description
CPU minimal 2 CPU 4 CPU is prefered
Mem minimal 4GB 8GB is prefered
Disk minimal 40GB 160GB is prefered
Software:
Software Version Description
Python version 2.7 or higher Note that you may have to install Python on Linux distributions (Gentoo, Arch) that do not come with a Python interpreter installed by default
Docker engine version 1.10 or higher For installation instructions, please refer to: https://docs.docker.com/engine/installation/
Docker Compose version 1.6.0 or higher For installation instructions, please refer to: https://docs.docker.com/compose/install/
Openssl latest is prefered Generate certificate and keys for Harbor
Network ports:
Port Protocol Description
443 HTTPS Harbor UI and API will accept requests on this port for https protocol
4443 HTTS Connections to the Docker Content Trust service for Harbor, only needed when Notary is enabled
80 HTTP Harbor UI and API will accept requests on this port for http protocol
2、确认服务器docker版本:
$ docker version
3、确认docker-compose、Python、OpenSSL版本:
$ docker-compose version
4、确认硬件情况:
$ cat /proc/cpuinfo
$ free
5、确认网络端口是否被占用:
$ ss -tna
三、编辑配置文件,并安装:
1、编辑harbor目录下harbor.cfg文件,修改内容如下:
hostname = docker.MySite.com
# email服务的相关参数也可在安装完成后进入网站页面配置:
email_identity =
email_server = smtp.mailserver.com
# mailserver port
email_server_port = 25
email_username = [email protected]
email_password = 邮件服务密码
email_from = admin
email_ssl = true
email_insecure = false
harbor_admin_password = 设置一个管理员密码
db_password = 设置一个MySQL的密码
# self_registration默认为on,是针对数据库认证方式,访客可以自己注册,对于LDAP认证方式无法自注册:
self_registration = off
复制代码
2、使用root权限执行install.sh(该脚本将会在根目录下建立/data目录及相关文件),将自动下载相关docker镜像文件,并自动安装完成:
~/harbor$ sudo ./install.sh
3、容器将自动启动,此时可用浏览器打开 http://docker.MySite.com,使用管理员账号admin登陆。
四、配置LDAP:
1、使用管理员账号admin登陆http://docker.MySite.com,点击“系统管理”、“配置管理”,将“认证模式”选择为LDAP,并配置相关参数:
LDAP URL : ldap://MySite.com
LDAP搜索DN : cn=admin,dc=MySite,dc=com
LDAP搜索密码: 密码
LDAP基础DN : dc=MySite,dc=com
LDAP过滤器 : (|(objectclass=inetOrgPerson))
LDAP用户UID的属性 : uid
LDAP搜索范围 : 子树
LDAP 检查证书 : (测试发现: “LDAP 检查证书” 选不选都能通过ldap登陆,待再次验证。)
2、点击“测试LDAP服务器”按钮,如果成功,浏览器顶部将显示“LDAP服务器的连通正常。”的提示。
3、此时可用LDAP中的账号登陆web页面,但无法通过docker login登陆,还需配置网站https证书。
五、配置https证书:
1、安装说明:
https://github.com/vmware/harbor/blob/master/docs/configure_https.md
2、在/home/ubuntu/harbor目录执行docker-compose down,停止并删除容器:
$ docker-compose down
3、本来想通过Let’s Encrypt官方的certbot脚本(certbot.eff.org)安装证书,但是脚本不能成功执行,估计是因为nginx是在容器里造成的,但是通过这个脚本自动安装了一些软件包。然后尝试通过git获取letsencrypt进行安装:
$ git clone https://github.com/letsencrypt/letsencrypt
4、进入letsencrypt目录,生成证书
$ cd letsencrypt
$ sudo ./letsencrypt-auto certonly –standalone –email [email protected] -d docker.MySite.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for docker.MySite.com
Waiting for verification…
Cleaning up challenges
IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/docker.MySite.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/docker.MySite.com/privkey.pem
Your cert will expire on 2018-05-15. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run “letsencrypt-auto renew”
– If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
5、证书过期日期为2018-05-15,生成的证书文件位于/etc/letsencrypt/live/docker.MySite.com/文件夹(链接文件):
$ sudo ls /etc/letsencrypt/live/docker.MySite.com/ -l
lrwxrwxrwx 1 root root 40 Feb 14 23:30 cert.pem -> ../../archive/docker.MySite.com/cert1.pem
lrwxrwxrwx 1 root root 41 Feb 14 23:30 chain.pem -> ../../archive/docker.MySite.com/chain1.pem
lrwxrwxrwx 1 root root 45 Feb 14 23:30 fullchain.pem -> ../../archive/docker.MySite.com/fullchain1.pem
lrwxrwxrwx 1 root root 43 Feb 14 23:30 privkey.pem -> ../../archive/docker.MySite.com/privkey1.pem
-rw-r–r– 1 root root 543 Feb 14 23:30 README
cert.pem – 服务端证书
chain.pem – 浏览器需要的所有证书但不包括服务端证书,比如根证书和中间证书
fullchain.pem – 包括了cert.pem和chain.pem的内容
privkey.pem – 证书的私钥
6、新建目录letsencrypt,并将证书文件拷贝到该目录:
$ mkdir /home/ubuntu/harbor/letsencrypt/ && cd /home/ubuntu/harbor/letsencrypt/
$ sudo cp /etc/letsencrypt/archive/docker.MySite.com/fullchain1.pem docker.MySite.com.crt
$ sudo cp /etc/letsencrypt/archive/docker.MySite.com/privkey1.pem docker.MySite.com.key
7、修改/home/ubuntu/harbor/harbor.cfg配置文件:
#设置ui_url_protocol为https
ui_url_protocol = https
#设置证书文件
ssl_cert = /home/ubuntu/harbor/letsencrypt/docker.MySite.com.crt
ssl_cert_key = /home/ubuntu/harbor/letsencrypt/docker.MySite.com.key
8、用root权限执行一次prepare脚本,并启动docker重建容器:
$ sudo /home/ubuntu/harbor/prepare
$ docker-compose up -d
六、上传镜像:
1、用浏览器打开 http://docker.MySite.com,用普通用户账号登录,并新建一个项目“test”:
2、在客户端登录docker.MySite.com:
$ docker login docker.MySite.com
Username: bytefish
Password: 密码
Login Succeeded
3、将客户端的镜像打tag,然后上传到docker.MySite.com:
格式:
docker tag SOURCE_IMAGE[:TAG] docker.MySite.com/项目名称/IMAGE[:TAG]
docker push docker.MySite.com/项目名称/IMAGE[:TAG]
示例:
$ docker tag hello-world:latest docker.MySite.com/test/hello-world:test
$ docker push docker.MySite.com/test/hello-world:test
The push refers to a repository [docker.MySite.com/test/hello-world]
f999ae22f308: Mounted from library/hello-world
test: digest: sha256:0b1396cdcea05f91f38fc7f5aecd58ccf19fb5743bbb79cff5eb3c747b36d909 size: 524
文章来源网络,作者:运维,如若转载,请注明出处:https://shuyeidc.com/wp/223031.html<
