Download and extract:
wget https://download.docker.com/linux/static/stable/x86_64/docker-20.10.6.tgz
tar -zxf docker-20.10.6.tgz
cp docker/* /usr/bin/
Register docker as a systemd service:
cat > /etc/systemd/system/docker.service <
Make docker.service executable:
chmod +x /etc/systemd/system/docker.service
Start docker and enable it at boot:
mkdir /etc/docker
systemctl daemon-reload
systemctl enable --now docker.service
Download through DaoCloud:
curl -L https://get.daocloud.io/docker/compose/releases/download/v1.28.6/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
Because this is an intranet, we install from the offline installer package.
[root@harbor ~]# wget https://github.com/goharbor/harbor/releases/download/v1.10.17/harbor-offline-installer-v1.10.17.tgz
Extract:
[root@harbor ~]# tar -zxf harbor-offline-installer-v1.10.17.tgz -C /app
[root@harbor ~]# mkdir /app/harbor/certs.d
[root@harbor ~]# cd /app/harbor/certs.d
Generate the CA key and self-signed CA certificate:
[root@harbor certs.d]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
................................................................++
............................................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:DevOps
Organizational Unit Name (eg, section) []:Tec
Common Name (eg, your name or your server's hostname) []:11.0.1.5
Email Address []:
Create the certificate signing request (CSR):
[root@harbor certs.d]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout 11.0.1.5.key -out 11.0.1.5.csr
Generating a 4096 bit RSA private key
...........................++
............................................................................................................................................................................................................................................................................................++
writing new private key to '11.0.1.5.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:DevOps
Organizational Unit Name (eg, section) []:Tec
Common Name (eg, your name or your server's hostname) []:11.0.1.5
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the certificate with the CA:
[root@harbor certs.d]# echo subjectAltName = IP:11.0.1.5 > extfile.cnf
[root@harbor certs.d]# openssl x509 -req -days 365 -in 11.0.1.5.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out 11.0.1.5.crt
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=DevOps/OU=Tec/CN=192.168.11.11/emailAddress=352972405@qq.com
Getting CA Private Key
List the generated certificates:
[root@harbor certs.d]# ll
总用量 28
-rw-r--r-- 1 root root 1915 3月 21 20:14 11.0.1.5.crt
-rw-r--r-- 1 root root 1687 3月 21 20:13 11.0.1.5.csr
-rw-r--r-- 1 root root 3272 3月 21 20:13 11.0.1.5.key
-rw-r--r-- 1 root root 1996 3月 21 20:13 ca.crt
-rw-r--r-- 1 root root 3272 3月 21 20:13 ca.key
-rw-r--r-- 1 root root 17 3月 21 20:14 ca.srl
-rw-r--r-- 1 root root 29 3月 21 20:14 extfile.cnf
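Why the extfile.cnf step matters: Docker is written in Go, and Go's certificate verifier matches the registry address only against subjectAltName entries, never against the CN, so a certificate with CN=11.0.1.5 but no SAN is rejected by docker login. The following is an added example, not code from the page or the Harbor project; issuePair, der2cert and verifyFor are invented helper names, and it uses a throwaway Ed25519 CA in place of the page's RSA-4096 one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

func der2cert(der []byte, err error) (*x509.Certificate, error) {
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issuePair (hypothetical helper, not Harbor or Docker code) mints a throwaway CA and a server cert for serverIP.
func issuePair(serverIP string, withSAN bool) (*x509.Certificate, *x509.Certificate, error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().AddDate(1, 0, 0) // like the page's -days 365
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Harbor test CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	srv := &x509.Certificate{ // CN is the IP, as on the page; Go ignores CN when matching names
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serverIP}, NotBefore: nb, NotAfter: na,
	}
	if withSAN { // same effect as the page's "subjectAltName = IP:11.0.1.5" in extfile.cnf
		srv.IPAddresses = []net.IP{net.ParseIP(serverIP)}
	}
	caCert, err := der2cert(x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey))
	if err != nil {
		return nil, nil, err
	}
	srvCert, err := der2cert(x509.CreateCertificate(rand.Reader, srv, ca, srvPub, caKey))
	return caCert, srvCert, err
}

// verifyFor is the check a Go-based Docker client makes for "docker login host": chain to the CA, then match host against the SAN.
func verifyFor(caCert, srvCert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := srvCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

The same call fails when the CA is missing from the trust store, which is what the later ca-bundle step on each client fixes.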
Edit harbor.yml:
# hostname: set this to your IP; it must be the same IP used when creating the certificate above
hostname: 11.0.1.5

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 18080

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  # certificate path
  certificate: /app/harbor/certs.d/11.0.1.5.crt
  private_key: /app/harbor/certs.d/11.0.1.5.key
Add the certificate to the system trust store:
[root@harbor certs.d]# chmod 644 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[root@harbor certs.d]# cat /app/harbor/certs.d/11.0.1.5.crt >> /etc/pki/tls/certs/ca-bundle.crt
[root@harbor certs.d]# chmod 444 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Restart docker:
[root@harbor certs.d]# systemctl restart docker
[root@harbor certs.d]# cd /app/harbor
[root@harbor harbor]# ./prepare
[root@harbor harbor]# ./install.sh --with-notary --with-clair
[root@harbor harbor]# docker login -u admin -p Harbor12345 11.0.1.5:443
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
After a successful login the credentials are saved under /root/.docker:
[root@harbor ~]# cat .docker/config.json
{
  "auths": {
    "11.0.1.5:443": {
      "auth": "YWRtaW46SGFyYm9yMTIzNDU="
    }
  }
}
On subsequent logins no username or password is needed:
[root@harbor harbor]# docker login 11.0.1.5:443
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
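The "auth" value stored above is only base64("admin:Harbor12345"), which is exactly what the warning about an unencrypted password means. The audit below is an added example, not Docker's or Harbor's code: auditConfig is an invented helper, the sample config.json is constructed from the page's entry plus a made-up registry that uses a credential helper, and it reports inline credentials and the use of Harbor's default password without printing the secret.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample: the page's entry for 11.0.1.5:443 plus a made-up registry that uses a credential helper.
const sampleConfig = `{"auths": {"11.0.1.5:443": {"auth": "YWRtaW46SGFyYm9yMTIzNDU="}, "registry.example.internal": {}},
	"credHelpers": {"registry.example.internal": "pass"}}`

type authEntry struct {
	Auth string `json:"auth"` // base64("user:password"); empty when a credential helper holds the secret
}

// dockerConfig holds the parts of ~/.docker/config.json that decide where a registry secret lives.
type dockerConfig struct {
	Auths       map[string]authEntry `json:"auths"`
	CredHelpers map[string]string    `json:"credHelpers"`
}

// Finding is one registry whose credentials sit unencrypted in config.json.
type Finding struct {
	Registry, User  string
	DefaultPassword bool // the stored password equals the default passed to auditConfig
}

// auditConfig (hypothetical helper, not Docker's API) reports registries whose credentials are only
// base64-encoded in the file; defaultPw is the well-known default to flag (Harbor12345 on this page).
func auditConfig(raw []byte, defaultPw string) ([]Finding, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	var out []Finding
	for reg, entry := range cfg.Auths {
		if entry.Auth == "" || cfg.CredHelpers[reg] != "" {
			continue // no inline secret, or a credential helper owns this registry
		}
		dec, err := base64.StdEncoding.DecodeString(entry.Auth)
		if err != nil {
			return nil, fmt.Errorf("%s: malformed auth value: %w", reg, err)
		}
		user, pw, _ := strings.Cut(string(dec), ":") // compare the password, never report it
		out = append(out, Finding{Registry: reg, User: user, DefaultPassword: pw == defaultPw})
	}
	return out, nil
}
```

Run against the real file with os.ReadFile("/root/.docker/config.json"); a clean result means every registry is served by a credential helper, as the warning recommends.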
On the new server, create a directory under /etc/docker/:
mkdir /etc/docker/certs.d/11.0.1.5
Copy Harbor's certificate files over (note that this glob also copies ca.key and 11.0.1.5.key from the listing above; a client only needs the .crt files):
scp /app/harbor/certs.d/* 11.0.1.4:/etc/docker/certs.d/11.0.1.5
Add the certificate to the trusted certificates in the same way:
[root@jenkins 11.0.1.5]# chmod 644 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[root@jenkins 11.0.1.5]# cat /etc/docker/certs.d/11.0.1.5/11.0.1.5.crt >> /etc/pki/tls/certs/ca-bundle.crt
[root@jenkins 11.0.1.5]# chmod 444 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Restart docker:
systemctl restart docker
Test the login:
[root@jenkins 11.0.1.5]# docker login -u admin -p Harbor12345 11.0.1.5:443
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
1. If the Harbor web UI returns a 500 Internal Server Error in the browser, the Ss proxy tool may be the cause; quit Ss or switch it to a different mode.
2. If docker login returns 404, set hostname in harbor.yml to match what the certificate was created with: if the certificate used 11.0.1.5, use that IP as hostname; if it used a hostname, use that hostname here instead.
3. If docker login reports something like "wanted to harbor.com", comment out the hostname entry in /etc/hosts.