harbor基于http和https的創(chuàng)建與使用

一·http方式

 harbor項目現(xiàn)托管在github上面，在此處以harbor v1.7.5為例演示。
  1·將harbor的二進制包下載到/usr/local/src目錄下
  2·解壓縮 tar xvf harbor.v.1.7.5.tar
  3·進如到解壓harbor目錄中，修改harbor.cfg文件

 1 ## Configuration file of Harbor
  2 
  3 #This attribute is for migrator to detect the version of the .cfg fil    e, DO NOT MODIFY!
  4 _version = 1.7.0
  5 #The IP address or hostname to access admin UI and registry service.
  6 #DO NOT use localhost or 127.0.0.1, because Harbor needs to be access    ed by external clients.
  7 #DO NOT comment out this line, modify the value of "hostname" directl    y, or the installation will fail.
  8 hostname = 192.168.238.7
  9 
 10 #The protocol for accessing the UI and token/notification service, by     default it is http.
 11 #It can be set to https if ssl is enabled on nginx.
 12 ui_url_protocol = http
 13 
 14 #Maximum number of job workers in job service  
 15 max_job_workers = 10 
 ...
 58 email_server = smtp.mydomain.com
 59 email_server_port = 25
 60 email_username = sample_admin@mydomain.com
 61 email_password = abc
 62 email_from = admin <sample_admin@mydomain.com>
 63 email_ssl = false
 64 email_insecure = false
 65 
 66 ##The initial password of Harbor admin, only works for the first time     when Harbor starts. 
 67 #It has no effect after the first launch of Harbor.
 68 #Change the admin password from UI after launching Harbor.
 69 harbor_admin_password = 123456

  主要修改hostname和adminpasswd。
  4·查看install.sh文件，查看安裝harbor所需環(huán)境

#!/bin/bash

#docker version: 1.11.2 
#docker-compose version: 1.7.1 
#Harbor version: 0.4.0 

  此為最低版本要求，docker的安裝可以在阿里鏡像站按照步驟一步步安裝，但是docker-compose若是要安裝最新版本就需要下載python-pip一個類似yum或apt的工具，然后在使用pip install docker-compose安裝即可
  5·運行install.sh腳本安裝，至此，安裝完成

• 我們上傳的鏡像會存放在宿主機的docker/registry/v2/repositories/
• 需要上傳和下載harbor鏡像的docker服務(wù)器需要在docker的啟動腳本中添加信任不可靠的鏡像原

  vim /lib/systemd/system/docker.service
  ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 192.168.238.12(harbor地址)

  • 重啟docker
  • 上傳鏡像時首先要登陸到harbor服務(wù)器
    docker login 192.168.238.7
    輸入賬號為admin密碼為harbor.cfg中所配置密碼登陸成功，然后對制作的鏡像重新打tag，例如
    tag nginx:laste 192.168.238.7/NGINX/nginx:5.2
    其中NGINX必須要有這個項目方可上傳
  • 在網(wǎng)頁打開192.168.238.7，輸入賬號密碼，創(chuàng)建NGINX項目
    <img src="harbor1.png" width = "80%"/>
  • docker push 192.168.238.7/NGINX/nginx:5.2

      2·實現(xiàn)高可用的harbor

        1·配置同上新建一個harbor服務(wù)
        2·在docker的啟動腳本中加上兩個harbor服務(wù)器的地址
        3·在主harbor服務(wù)器的網(wǎng)頁上做如下操作
    <img src="harbor新建規(guī)則.png" width = "80%"/>
    按照提示一步步添加另一臺harbor

二·https方式

 1·如上http方式部署。只是不用在docker的啟動腳本中添加受信任的地址
 2.在harbor的安裝目錄下創(chuàng)建一個certs目錄
mkdir certs
 3·生成私鑰和公鑰（注：公鑰的地址要與harbor.cfg中的hostname相同）
openssl genrsa -out harbor-ca.key
touch /root/.rnd
openssl req -x509 -new -nodes -key harbor-ca.key -subj "/CN=harbor.magedu.net" -days 7120 -out harbor-ca.crt
 4·修改harbor.cfg配置文件

  1 ## Configuration file of Harbor
  2 
  3 #This attribute is for migrator to detect the version of the .cfg fil    e, DO NOT MODIFY!
  4 _version = 1.7.0
  5 #The IP address or hostname to access admin UI and registry service.
  6 #DO NOT use localhost or 127.0.0.1, because Harbor needs to be access    ed by external clients.
  7 #DO NOT comment out this line, modify the value of "hostname" directl    y, or the installation will fail.
  8 hostname = harbor.magedu.net
  9 
 10 #The protocol for accessing the UI and token/notification service, by     default it is http.
 11 #It can be set to https if ssl is enabled on nginx.
 12 ui_url_protocol = https
13 
 14 #Maximum number of job workers in job service  
 15 max_job_workers = 10 
 16 
 17 #Determine whether or not to generate certificate for the registry's     token.
 18 #If the value is on, the prepare script creates new root cert and pri    vate key 
 19 #for generating token to access the registry. If the value is off the     default key/cert will be used.
 20 #This flag also controls the creation of the notary signer's cert.
 21 customize_crt = on
 22 
 23 #The path of cert and key files for nginx, they are applied only the     protocol is set to https
 24 ssl_cert = /usr/local/src/harbor/certs/harbor-ca.crt
 25 ssl_cert_key = /usr/local/src/harbor/certs/harbor-ca.key
 26 
 *67 #It has no effect after the first launch of Harbor.
 68 #Change the admin password from UI after launching Harbor.
 69 harbor_admin_password = 123456
*

這個域名要有dns解析或者是hosts文件
 5·docker客戶端分發(fā)公鑰
mkdir -p /etc/docker/certs.d/(harbor.cfg中的hostname)
將harbor的公鑰拷貝過來 /etc/docker/certs.d/(harbor.cfg中的hostname）重啟docker即可