Enabling SSL on a Harbor registry
创始人
2025-06-01 04:35:26

Contents

  • 1. Deploy Docker
  • 2. Install docker-compose
  • 3. Install Harbor
    • Download the offline installer:
    • Create the CA certificate (replace 11.0.1.5 with your own Harbor server IP)
    • Edit harbor.yml
    • Add the certificate as a trusted certificate:
    • Install Harbor
    • Test docker login to the private registry:
  • 4. Connecting other servers to Harbor
  • Troubleshooting notes:

1. Deploy Docker

Download and extract:

wget https://download.docker.com/linux/static/stable/x86_64/docker-20.10.6.tgz
tar -zxf docker-20.10.6.tgz 
cp docker/* /usr/bin/

Register Docker as a systemd service

cat > /etc/systemd/system/docker.service <

Make docker.service executable

chmod +x /etc/systemd/system/docker.service

Start Docker and enable it at boot

mkdir /etc/docker
systemctl daemon-reload
systemctl enable --now docker.service

2. Install docker-compose

Download via DaoCloud:

curl -L https://get.daocloud.io/docker/compose/releases/download/v1.28.6/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

3. Install Harbor

Because the host is on an internal network, we use the offline installer package.

Download the offline installer:

[root@harbor ~]# wget https://github.com/goharbor/harbor/releases/download/v1.10.17/harbor-offline-installer-v1.10.17.tgz

Extract it:

[root@harbor ~]# tar -zxf harbor-offline-installer-v1.10.17.tgz -C /app

Create the CA certificate (replace 11.0.1.5 with your own Harbor server IP)

[root@harbor ~]# mkdir /app/harbor/certs.d
[root@harbor ~]# cd /app/harbor/certs.d
[root@harbor certs.d]# openssl req  -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
................................................................++
............................................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:DevOps
Organizational Unit Name (eg, section) []:Tec
Common Name (eg, your name or your server's hostname) []:11.0.1.5
Email Address []:

Create the certificate signing request (CSR)

[root@harbor certs.d]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout 11.0.1.5.key  -out 11.0.1.5.csr
Generating a 4096 bit RSA private key
...........................++
............................................................................................................................................................................................................................................................................................++
writing new private key to '11.0.1.5.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:DevOps
Organizational Unit Name (eg, section) []:Tec
Common Name (eg, your name or your server's hostname) []:11.0.1.5
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Create the server certificate (signed by the CA, with a subjectAltName for the registry IP)

[root@harbor certs.d]# echo subjectAltName = IP:11.0.1.5 > extfile.cnf
[root@harbor certs.d]# openssl x509 -req -days 365 -in 11.0.1.5.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out 11.0.1.5.crt
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=DevOps/OU=Tec/CN=192.168.11.11/emailAddress=352972405@qq.com
Getting CA Private Key

List the generated certificates:

[root@harbor certs.d]# ll
总用量 28
-rw-r--r-- 1 root root 1915 3月  21 20:14 11.0.1.5.crt
-rw-r--r-- 1 root root 1687 3月  21 20:13 11.0.1.5.csr
-rw-r--r-- 1 root root 3272 3月  21 20:13 11.0.1.5.key
-rw-r--r-- 1 root root 1996 3月  21 20:13 ca.crt
-rw-r--r-- 1 root root 3272 3月  21 20:13 ca.key
-rw-r--r-- 1 root root   17 3月  21 20:14 ca.srl
-rw-r--r-- 1 root root   29 3月  21 20:14 extfile.cnf

Edit harbor.yml

# hostname: set this to your IP, the same IP used when creating the certificate above
hostname: 11.0.1.5

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 18080

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  # certificate path
  certificate: /app/harbor/certs.d/11.0.1.5.crt
  private_key: /app/harbor/certs.d/11.0.1.5.key

Add the certificate as a trusted certificate:

[root@harbor certs.d]# chmod 644 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[root@harbor certs.d]# cat /app/harbor/certs.d/11.0.1.5.crt >> /etc/pki/tls/certs/ca-bundle.crt
[root@harbor certs.d]# chmod 444 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Restart Docker

[root@harbor certs.d]# systemctl restart docker

Install Harbor

[root@harbor certs.d]# cd /app/harbor
[root@harbor harbor]# ./prepare
[root@harbor harbor]# ./install.sh --with-notary --with-clair

Test docker login to the private registry:

[root@harbor harbor]# docker login -u admin -p Harbor12345 11.0.1.5:443
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded

After a successful login, the credentials are saved under /root/.docker:

[root@harbor ~]# cat .docker/config.json 
{"auths": {"11.0.1.5:443": {"auth": "YWRtaW46SGFyYm9yMTIzNDU="}}
}
[root@harbor ~]# 

On subsequent logins you no longer need to pass the username and password:

[root@harbor harbor]# docker login 11.0.1.5:443
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded

4. Connecting other servers to Harbor

On the new server, create the registry directory under /etc/docker/:

mkdir /etc/docker/certs.d/11.0.1.5

Copy the Harbor certificate files over

scp /app/harbor/certs.d/* 11.0.1.4:/etc/docker/certs.d/11.0.1.5
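The certificate steps of section 3 and the client copy above, as an added example that is not part of the original post: a non-interactive version with a self-contained OpenSSL config, a chain and SAN check, and a client install that ships only ca.crt (the scp above also copies ca.key and the server key, which should never leave the Harbor host). Directory names, the CA common name "harbor-ca" and the ROOT argument (which stands in for /etc/docker/certs.d) are assumptions.

```shell
# make_certs DIR IP: create ca.crt/ca.key and IP.crt/IP.key under DIR
make_certs() {
    dir="$1"; ip="$2"
    mkdir -p "$dir"
    # Self-contained config so the run does not depend on the system openssl.cnf.
    # The CA gets its own CN: reusing the server IP as the CA CN (as in the post)
    # makes issuer == subject on the leaf, which confuses chain building.
    cat > "$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF
    openssl req -x509 -config "$dir/openssl.cnf" -extensions v3_ca \
        -newkey rsa:4096 -nodes -sha256 -days 365 \
        -subj "/C=CN/O=DevOps/OU=Tec/CN=harbor-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:4096 -nodes -sha256 \
        -subj "/C=CN/O=DevOps/OU=Tec/CN=$ip" \
        -keyout "$dir/$ip.key" -out "$dir/$ip.csr" 2>/dev/null
    # Docker (a Go TLS client) matches the registry IP against the SAN, not the CN
    openssl x509 -req -days 365 -sha256 -in "$dir/$ip.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions v3_server -out "$dir/$ip.crt" 2>/dev/null
    chmod 600 "$dir/ca.key" "$dir/$ip.key"   # private keys stay root-only
}

# verify_cert DIR IP: returns 0 only if IP.crt chains to ca.crt and carries the IP SAN
verify_cert() {
    dir="$1"; ip="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$ip.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$ip.crt" -noout -text | grep -q "IP Address:$ip"
}

# install_client_ca DIR IP ROOT: copy only the CA cert into ROOT/IP, the
# per-registry directory dockerd reads (ROOT is /etc/docker/certs.d on a real client)
install_client_ca() {
    mkdir -p "$3/$2" && cp "$1/ca.crt" "$3/$2/ca.crt"
}
```

On CentOS/RHEL the bundle appended to above is regenerated by update-ca-trust, so ca.crt placed in /etc/pki/ca-trust/source/anchors/ followed by update-ca-trust is the durable form of that step; dockerd itself only needs the certs.d copy.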

Likewise add the certificate as a trusted certificate:

[root@jenkins 11.0.1.5]# chmod 644 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[root@jenkins 11.0.1.5]# cat /etc/docker/certs.d/11.0.1.5/11.0.1.5.crt >> /etc/pki/tls/certs/ca-bundle.crt
[root@jenkins 11.0.1.5]# chmod 444 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Restart Docker

systemctl restart docker 

Login test:

[root@jenkins 11.0.1.5]# docker login -u admin -p Harbor12345 11.0.1.5:443
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded

Troubleshooting notes:

1. If the browser shows a 500 Internal Server Error when opening the Harbor page, the cause may be the Ss proxy tool; quit Ss or switch it to another mode.
2. If docker login returns 404, set hostname in harbor.yml to match what the certificate was issued for: if 11.0.1.5 was used when creating the certificate, use that IP as hostname; conversely, if a hostname was used, set hostname to that hostname.
3. If docker login reports something like “wanted to harbor.com”, comment out the hostname entry in /etc/hosts.
