From 5604527d48cef35eae6e2364142e02a3413ec23f Mon Sep 17 00:00:00 2001 From: FNS Service Date: Tue, 21 Apr 2026 20:37:55 +0800 Subject: [PATCH] Update from Sync Service --- Linux/CentOS/CentOS7搭建NTP服务器.md | 193 +++++++++--- Linux/CentOS/CentOS安装Harbor并开启HTTPS.md | 319 +++++++++++++------- 2 files changed, 362 insertions(+), 150 deletions(-) diff --git a/Linux/CentOS/CentOS7搭建NTP服务器.md b/Linux/CentOS/CentOS7搭建NTP服务器.md index e5aa4a8..4dbf9e1 100755 --- a/Linux/CentOS/CentOS7搭建NTP服务器.md +++ b/Linux/CentOS/CentOS7搭建NTP服务器.md @@ -1,50 +1,165 @@ -**NTP****简介:** -NTP是网络时间协议(Network Time Protocol),它是用来同步网络中各个计算机的时间的协议。 -在计算机的世界里,时间非常地重要 -例如:对于火箭发射这种科研活动,对时间的统一性和准确性要求就非常地高,是按照A这台计算机的时间,还是按照B这台计算机的时间? -NTP就是用来解决这个问题的,NTP(Network Time Protocol,网络时间协议)是用来使网络中的各个计算机时间同步的一种协议。 -它的用途是把计算机的时钟同步到世界协调时UTC,其精度在局域网内可达0.1ms,在互联网上绝大多数的地方其精度可以达到1-50ms。 -它可以使计算机对其服务器或时钟源(如石英钟,GPS等等)进行时间同步,它可以提供高精准度的时间校正,而且可以使用加密确认的方式来防止病毒的协议攻击。 +# CentOS7 搭建 NTP 服务器 -**环境:** -## 系统:====CentOS Linux release 7.4.1708 (Core) -## NTP Server**==服务器****IP****:**==192.168.0.15 -## NTP Client**==客户端****IP****:**==192.168.0.16 +> NTP (Network Time Protocol) 时间同步 -**1****、搭建****NTP****服务器** -**1.1****、查看服务器是否安装****ntp****,系统默认安装****ntpdate****;** -[root@localhost ~]# rpm -qa |grep ntpntpdate-4.2.6p5-28.el7.centos.x86_64ntp-4.2.6p5-28.el7.centos.x86_64 -**1.2****、安装****ntp****,****ntpdate****已经系统默认安装过了** -[root@localhost ~]# yum install -y ntp -**1.3****、修改****ntp****配置文件** +--- -[![Exported image](Exported%20image%2020260407231343-0.gif)](javascript:void\(0\);) +## 简介 -[root@localhost ~]# vim /etc/ntp.conf -把配置文件下面四行注释掉:server 0.cn.pool.ntp.org iburstserver 1.cn.pool.ntp.org iburstserver 2.cn.pool.ntp.org iburstserver 3.cn.pool.ntp.org iburst然后在下面添加这几行:server 0.cn.pool.ntp.org iburstserver 1.cn.pool.ntp.org iburstserver 2.cn.pool.ntp.org iburstserver 3.cn.pool.ntp.org iburst +NTP 用于同步网络中各个计算机的时间,精度在局域网可达 **0.1ms**。 -[![Exported image](Exported%20image%2020260407231344-1.gif)](javascript:void\(0\);) +--- -**1.4****、启动****ntp****服务,并开机自启动** -[root@localhost ~]# systemctl start ntpd[root@localhost ~]# systemctl enable ntpd -**1.5****、查询****ntp****是否同步** -[root@localhost ~]# ntpq -p remote refid st t when poll reach delay offset jitter**=****=****=****=****=****=****=****=****=****=****=****=****=****=****=**===*119.28.206.193 100.122.36.196 2 u 128 128 377 19.711 -0.468 5.363 -**1.6****、开启防火墙****ntp****默认端口****udp123** -[root@localhost ~]# firewall-cmd --permanent --zone=public --add-port=123/udpsuccess[root@localhost ~]# firewall-cmd --reloadsuccess +## 环境 -**2****、****NTP****客户端配置** -安装的NTP跟上面的步骤一样 -**2.1****、修改****ntp****配置文件,将上面的****NTP****服务器作为客户端同步****NTP****时间服务器** +| 角色 | IP | +|------|-----| +| NTP Server | 192.168.0.15 | +| NTP Client | 192.168.0.16 | -[![Exported image](Exported%20image%2020260407231346-2.gif)](javascript:void\(0\);) +--- -[root@localhost ~]# vim /etc/ntp.conf#配置允许NTP Server时间服务器主动修改本机的时间restrict 192.168.0.15 nomodify notrap noquery#注释掉其他时间服务器#server 0.centos.pool.ntp.org iburst#server 1.centos.pool.ntp.org iburst#server 2.centos.pool.ntp.org iburst#server 3.centos.pool.ntp.org iburst#配置时间服务器为本地搭建的NTP Server服务器server 192.168.0.15 +## NTP 服务器配置 -[![Exported image](Exported%20image%2020260407231348-3.gif)](javascript:void\(0\);) +### 1. 检查并安装 NTP -**2.2****、与****NTP server****服务器同步一下时间:** -[root@localhost ~]# ntpdate -u 192.168.0.15 -**2.3****、查看****ntp****同步状态** -能看到已经成功同步,要记得开启ntpd这个服务器 -[root@localhost ~]# ntpq -p remote refid st t when poll reach delay offset jitter**=****=****=****=****=****=****=****=****=****=****=****=****=****=****=**=== 192.168.0.15 119.28.206.193 3 u 7 64 1 0.217 -288085 0.000 - > 来自 <[https://www.cnblogs.com/Sungeek/p/10197345.html](https://www.cnblogs.com/Sungeek/p/10197345.html)> \ No newline at end of file +```bash +# 查看是否已安装 +rpm -qa | grep ntp + +# 安装 NTP +yum install -y ntp +``` + +### 2. 修改配置文件 + +```bash +vim /etc/ntp.conf +``` + +注释默认时间服务器,添加: +```conf +# 中国 NTP 服务器 +server 0.cn.pool.ntp.org iburst +server 1.cn.pool.ntp.org iburst +server 2.cn.pool.ntp.org iburst +server 3.cn.pool.ntp.org iburst + +# 允许上层时间服务器修改本机时间 +restrict 0.cn.pool.ntp.org nomodify notrap noquery +restrict 1.cn.pool.ntp.org nomodify notrap noquery +``` + +### 3. 启动 NTP 服务 + +```bash +# 启动 +systemctl start ntpd + +# 开机自启 +systemctl enable ntpd + +# 查看状态 +systemctl status ntpd +``` + +### 4. 查看同步状态 + +```bash +ntpq -p +``` + +输出示例: +``` + remote refid st t when poll reach delay offset jitter +============================================================================== +*119.28.206.193 100.122.36.196 2 u 128 128 377 19.711 -0.468 5.363 +``` + +> `*` 表示已成功同步 + +### 5. 开放防火墙端口 + +```bash +firewall-cmd --permanent --zone=public --add-port=123/udp +firewall-cmd --reload +``` + +--- + +## NTP 客户端配置 + +### 1. 安装 NTP + +```bash +yum install -y ntp +``` + +### 2. 修改配置文件 + +```bash +vim /etc/ntp.conf +``` + +添加 NTP 服务器地址: +```conf +# 允许 NTP Server 主动修改本机时间 +restrict 192.168.0.15 nomodify notrap noquery + +# 时间服务器 +server 192.168.0.15 +``` + +### 3. 立即同步时间 + +```bash +ntpdate -u 192.168.0.15 +``` + +### 4. 启动 NTP 服务 + +```bash +systemctl start ntpd +systemctl enable ntpd +``` + +### 5. 查看同步状态 + +```bash +ntpq -p +``` + +--- + +## 常用命令 + +```bash +# 手动同步(客户端) +ntpdate -u 192.168.0.15 + +# 查看 NTP 服务器列表 +ntpq -p + +# 查看时间 +date + +# 查看硬件时间 +hwclock + +# 同步硬件时间 +hwclock --systohc +``` + +--- + +## 中国 NTP 服务器 + +| 服务器 | 地址 | +|--------|------| +| 中国教育网 | 1.cn.pool.ntp.org | +| 阿里云 | ntp.aliyun.com | +| 腾讯云 | time1.cloud.tencent.com | + +--- + +> 参考:[CentOS7 NTP 搭建](https://www.cnblogs.com/Sungeek/p/10197345.html) diff --git a/Linux/CentOS/CentOS安装Harbor并开启HTTPS.md b/Linux/CentOS/CentOS安装Harbor并开启HTTPS.md index 9b29209..74719ee 100755 --- a/Linux/CentOS/CentOS安装Harbor并开启HTTPS.md +++ b/Linux/CentOS/CentOS安装Harbor并开启HTTPS.md @@ -1,127 +1,224 @@ +# CentOS 安装 Harbor 并开启 HTTPS + +> 私有 Docker 镜像仓库 + +--- + +## 环境 + +- 服务器 IP:192.168.69.128 +- 系统:CentOS 7 + +--- + +## 一、生成自签名证书 + +### 1. 创建证书目录 + +```bash +mkdir -p /opt/cert +cd /opt/cert +``` + +### 2. 生成根证书 + +```bash openssl req \ --newkey rsa:4096 -nodes -sha256 -keyout ca.key \ --x509 -days 3650 -out ca.crt \ --subj "/C=CN/ST=Guangdong/L=Guangzhou/O=zhdgps/OU=IT/CN=test/emailAddress=11111111@qq.com" - openssl req \ --newkey rsa:4096 -nodes -sha256 -keyout harbor-registry.key \ --out harbor-registry.csr \ --subj "/C=CN/ST=Guangdong/L=Guangzhou/O=zhdgps/OU=IT/CN=10.10.200.175/emailAddress=974418136@qq.com" - echo subjectAltName = IP:10.10.200.175 > extfile.cnf - openssl x509 -req -days 3650 -in harbor-registry.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out harbor-registry.crt + -newkey rsa:4096 -nodes -sha256 \ + -keyout ca.key \ + -x509 -days 3650 -out ca.crt \ + -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=test_company/OU=IT/CN=test/emailAddress=11111111@qq.com" +``` -## 因为Harbor发布时默认并不包含certificates,并使用http来提供registry请求服务。然而,我们建议在实际的生产环境中还是要使用安全的https。Harbor有一个Nginx实例以作为其他所有服务的反向代理。可以使用prepare脚本来配置Nginx以支持https。 -**1. 停止Harbor** -## 上一章我们使用的是Harbor默认的http方式工作,这里我们首先将Harbor停止,并删除掉原有的一些数据,以恢复到一个干净的环境: -## # docker-compose down -v**==****# ls /data/*********# rm -rf /data/database********# rm -rf /data/registry********# rm -rf /data/*********# rm -rf /var/log/harbor*********#** == -## 注意,可能是因为目前Harbor工作负载过重,导致上面调用**==docker-compose down -v**==经常会失败,可用如下方式来停止: -## # docker ps | grep -v CONTAINER | grep -v docs | awk '{print $1'} | xargs docker stop**==**==# docker ps | grep -v CONTAINER | grep -v docs | awk '{print $1'} | xargs docker rm -vf -**2. 获取证书** -## 这里假设你的registry主机名为**==reg.yourdomain.com****,并且通过DNS记录能够找到你运行Harbor的主机。首先你应该从CA处获得一个certificate。该certificate通常包含一个****a.crt****文件和一个****a.key****文件,例如:****yourdomain.com.crt****以及****yourdomain.com.key**==。 -## 在测试或开发环境下,你也许会使用一个自签名证书,而不是从CA那里获取。可以通过如下的命令产生你自己的证书: -**2.1 创建自签名根证书** -## 可以通过如下的方式来产生一个**==私钥****及****自签名证书**==: -## # openssl req \**==** **-newkey rsa:4096 -nodes -sha256 -keyout ca.key \****** **-x509 -days 365 -out ca.crt**== -**2.2 产生证书签名请求** -## 假如你使用类似于**==reg.yourdomain.com****的FQDN(Fully Qualified Domain Name)方式来连接registry主机,则你必须使用****reg.yourdomain.com**==来作为CN(Common Name)。否则,假如你使用IP地址来连接你的registry主机的话,CN可以指定为任何值(例如指定为你的名字): -## # openssl req \**==** **-newkey rsa:4096 -nodes -sha256 -keyout yourdomain.com.key \****** **-out yourdomain.com.csr**== -**2.3 为registry主机产生证书** -## 假如你使用类似于**==reg.yourdomain.com**==的FQDN(Full Qualified Domain Name)方式来连接registry主机,你可以使用如下的命令来为registry主机产生证书: -## # openssl x509 -req -days 365 -in yourdomain.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out yourdomain.com.crt==== -## 假如你是使用ip的话, 比如使用**==192.168.1.101**==来连接registry主机的话,你需要使用如下命令: -## # echo subjectAltName = IP:192.168.1.101 > extfile.cnf==== -## # openssl x509 -req -days 365 -in yourdomain.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out yourdomain.com**==**==.crt -**3. 配置与安装** -## 在你获得**==yourdomain.com.crt****与****yourdomain.com.key****文件之后,你可以将它们放到一个目录,比如****/root/cert/**==: -## # cp yourdomain.com.crt /root/cert/**==****# cp yourdomain.com.key /root/cert/** == -## 然后修改**==harbor.cfg****配置文件,更新hostname及protocol,然后更新****ssl_cert****及****ssl_cert_key**==: -## #set hostname**==****hostname = reg.yourdomain.com********#set ui_url_protocol********ui_url_protocol = https********......********#The path of cert and key files for nginx, they are applied only the protocol is set to https** ******ssl_cert = /root/cert/yourdomain.com.crt********ssl_cert_key = /root/cert/yourdomain.com.key**== -## 然后再执行如下命令为Harbor产生配置文件: -## # ./prepare==== -## 假如当前**==Harbor****正在运行的话,停止并移除当前的运行实例。通过如下方式你的****image data**==仍会保留在文件系统中: -## # docker-compose down==== -## 最后,重启Harbor。 -## 在设置了**==https**==之后,你可以通过如下的步骤来进行验证: +### 3. 生成证书签名请求 -- **打开浏览器输入访问地址****https://reg.yourdomain.com****,就会显示出Harbor的 UI界面** -- **在安装有docker daemon的机器上(请确保没有****--insecure-registry****设置),你必须拷贝上述步骤所产生的****ca.crt****到****/etc/docker/certs.d/reg.yourdomain.com****目录(或者****registry host IP****目录)。假如该目录并不存在的话,请创建该目录。假如你将nginx 443端口映射到了其他端口的话,则你必须创建****/etc/docker/certs.d/reg.yourdomain.com:port****目录(或者****registry host IP:port****目录),然后运行相应的docker命令行来验证https是否工作正常:** +```bash +openssl req \ + -newkey rsa:4096 -nodes -sha256 \ + -keyout harbor-registry.key \ + -out harbor-registry.csr \ + -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=test_company/OU=IT/CN=192.168.69.128/emailAddress=11111111@qq.com" +``` -## # docker login reg.yourdomain.com==== -## 假如你已经将nginx 443端口映射到了其他端口的话,你需要在登录时添加相应的端口,例如: -## # docker login reg.yourdomain.com:port==== -**4. Troubleshooting** -## 1) 你也许从一个certificate issuer处获得了一个intermediate certificate。在这种情况下,你可以将该intermediate certificate与你自己的certificate合并,创建出一个certificate bundle。你可以通过如下命令来实现: -## # cat intermediate-certificate.pem >> yourdomain.com.crt -## 2) 在有一些docker daemon运行的操作系统上,你也许需要在操作系统级别信任该证书 +### 4. 生成证书 -- **在Ubuntu操作系统上,你可以通过如下命令来完成** +```bash +# 创建扩展配置文件 +echo "subjectAltName = IP:192.168.69.128" > extfile.cnf -## # cp youdomain.com.crt /usr/local/share/ca-certificates/reg.yourdomain.com.crt**==****# update-ca-certificates**== +# 签名 +openssl x509 -req -days 365 \ + -in harbor-registry.csr \ + -CA ca.crt -CAkey ca.key \ + -CAcreateserial \ + -extfile extfile.cnf \ + -out harbor-registry.crt +``` -- **在Redhat(Centos等)操作系统上,你可以通过如下命令来完成** +### 5. 证书文件 -## # cp yourdomain.com.crt /etc/pki/ca-trust/source/anchors/reg.yourdomain.com.crt**==****# update-ca-trust**== -**5. 部署示例** -## 我们当前部署环境ip地址为====192.168.69.128 -**5.1 获得证书文件** -**1) 产生根证书** -## # openssl req \**==** **-newkey rsa:4096 -nodes -sha256 -keyout ca.key \****** **-x509 -days 365 -out ca.crt \****** **-subj "/C=CN/ST=Guangdong/L=Shenzhen/O=test_company/OU=IT/CN=test/emailAddress=11111111@qq.com"**== -## # ls**==****ca.crt ca.key**== -**2) 产生证书签名请求** -## # openssl req \**==** **-newkey rsa:4096 -nodes -sha256 -keyout harbor-registry.key \****** **-out harbor-registry.csr \****** **-subj "/C=CN/ST=Guangdong/L=Shenzhen/O=test_company/OU=IT/CN=192.168.69.128/emailAddress=11111111@qq.com"**== -## # ls**==****ca.crt ca.key harbor-registry.csr harbor-registry.key**== -**3) 为registry产生证书** -## # echo subjectAltName = IP:192.168.69.128 > extfile.cnf==== -## # openssl x509 -req -days 365 -in harbor-registry.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out harbor-registry.crt==== -## # ls**==**==ca.crt ca.key ca.srl extfile.cnf harbor-registry.crt harbor-registry.csr harbor-registry.key -**5.2 配置及安装** -## 1) 拷贝harbor-registry证书到**==/opt/cert**==目录 -## # mkdir -p /opt/cert**==****# cp harbor-registry.crt /opt/cert/********# cp harbor-registry.key /opt/cert/**== -## 2) 修改harbor.cfg配置文件 -## #set hostname**==****hostname = 192.168.69.128********#set ui_url_protocol********ui_url_protocol = https********......********#The path of cert and key files for nginx, they are applied only the protocol is set to https** ******ssl_cert = /opt/cert/harbor-registry.crt********ssl_cert_key = /opt/cert/harbor-registry.key**== -## 3) 重新产生配置文件 -## # ./prepare==== -## 4) 关闭harbor -## # docker-compose down** ** -## 5) 查看docker daemon是否有**==--insecure-registry**==选项 -## 如果仍有该选项,请将其去掉,并执行如下命令重启docker daemon: -## # systemctl daemon-reload**==****# systemctl restart docker**== -## 6) 重启Harbor -## # docker-compose up -d**==****Creating network "harbor_harbor" with the default driver********Creating harbor-log ... done********Creating registry ... done********Creating harbor-adminserver ... done********Creating harbor-db ... done********Creating harbor-ui ... done********Creating harbor-jobservice ... done********Creating nginx ... done**== -## # docker ps**==****CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES********c7b4d837fefc vmware/nginx-photon:v1.4.0 "nginx -g 'daemon of…" 6 seconds ago Up 3 seconds 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp nginx********257ec984fc98 vmware/harbor-jobservice:v1.4.0 "/harbor/start.sh" 6 seconds ago Up 4 seconds (health: starting) harbor-jobservice********331fe98b1623 vmware/harbor-ui:v1.4.0 "/harbor/start.sh" 8 seconds ago Up 5 seconds (health: starting) harbor-ui********d155d8a3cf00 vmware/harbor-db:v1.4.0 "/usr/local/bin/dock…" 10 seconds ago Up 7 seconds (health: starting) 3306/tcp harbor-db********183a8f508491 vmware/harbor-adminserver:v1.4.0 "/harbor/start.sh" 10 seconds ago Up 7 seconds (health: starting) harbor-adminserver********579642c3cecc vmware/registry-photon:v2.6.2-v1.4.0 "/entrypoint.sh serv…" 10 seconds ago Up 7 seconds (health: starting) 5000/tcp registry********06a1618f789e vmware/harbor-log:v1.4.0 "/bin/sh -c /usr/loc…" 10 seconds ago Up 9 seconds (health: starting) 127.0.0.1:1514->10514/tcp harbor-log**== -## 7) 通过https形式访问Harbor +```bash +ls -la /opt/cert/ +# ca.crt ca.key ca.srl extfile.cnf harbor-registry.crt harbor-registry.csr harbor-registry.key +``` -- **通过浏览器访问** +--- -## 这里首先需要将上面产生的**==ca.crt****导入到浏览器的****受信任的根证书**==中。然后就可以通过https进行访问(这里经过测试,Chrome浏览器、IE浏览器可以正常访问,但360浏览器不能正常访问) +## 二、停止现有 Harbor -- **通过docker命令来访问** +```bash +# 方式一:docker-compose +docker-compose down -v -## 首先新建**==/etc/docker/certs.d/192.168.69.128****目录,然后将上面产生的****ca.crt**==拷贝到该目录: -## # mkdir -p /etc/docker/certs.d/192.168.69.128**==****# cp ca.crt /etc/docker/certs.d/192.168.69.128/**== -## 然后登录到docker registry: -## # docker login 192.168.69.128**==****Username (admin): admin********Password:** ******Login Succeeded**== -## 用向**==registry**==中上传一个镜像: -## # docker images**==****192.168.69.128/library/redis alpine c27f56585938 3 weeks ago 27.7MB**== -## [root@localhost test]# docker push 192.168.69.128/library/redis:alpine**==****The push refers to repository [192.168.69.128/library/redis]********f6b9463783dc: Pushed** ******222a85888a99: Pushed** ******1925395eabdd: Pushed** ******c3d278563734: Pushed** ******ad9247fe8c63: Pushed** ******cd7100a72410: Pushed** ******alpine: digest: sha256:9d017f829df3d0800f2a2582c710143767f6dda4df584b708260e73b1a1b6db3 size: 1568**== +# 方式二:强制停止 +docker ps | grep -v CONTAINER | awk '{print $1}' | xargs docker stop +docker ps -a | grep -v CONTAINER | awk '{print $1}' | xargs docker rm -vf +``` -- **通过curl命令来访问 registry API版本号** +--- -## 查询registry API版本号: -## # curl -iL -X GET** **https://192.168.69.128/v2** **--cacert ca.crt**==****HTTP/1.1 301 Moved Permanently********Server: nginx********Date: Tue, 10 Apr 2018 09:33:39 GMT********Content-Type: text/html********Content-Length: 178********Location:** **https://192.168.69.128/v2/********Connection: keep-alive**== -## HTTP/1.1 401 Unauthorized**==****Server: nginx********Date: Tue, 10 Apr 2018 09:33:39 GMT********Content-Type: application/json; charset=utf-8********Content-Length: 87********Connection: keep-alive********Docker-Distribution-Api-Version: registry/2.0********Set-Cookie: beegosessionID=575f32ac760f52c8cf1cdb748e48ab5e; Path=/; HttpOnly********Www-Authenticate: Bearer realm="https://192.168.69.128/service/token",service="harbor-registry"**== -## {"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}==== -## # curl -iL -X GET -u admin:Harbor12345** **https://192.168.69.128/service/token?account=admin\&service=harbor-registry** **--cacert ca.crt**==****HTTP/1.1 200 OK********Server: nginx********Date: Tue, 10 Apr 2018 09:34:39 GMT********Content-Type: application/json; charset=utf-8********Content-Length: 1100********Connection: keep-alive********Set-Cookie: beegosessionID=77bc62dcdc4a810a0e208487a89f069a; Path=/; HttpOnly**== -## {**==** **"token": "nHLZqMPw",****** **"expires_in": 1800,****** **"issued_at": "2018-04-10T09:34:39Z"********}**== -## # curl -iL -X GET -H "Content-Type: application/json" -H "Authorization: Bearer nHLZqMPw"** **https://192.168.69.128/v2** **--cacert ca.crt**==****HTTP/1.1 301 Moved Permanently********Server: nginx********Date: Tue, 10 Apr 2018 09:36:48 GMT********Content-Type: text/html********Content-Length: 178********Location:** **https://192.168.69.128/v2/********Connection: keep-alive**== -## HTTP/1.1 200 OK**==****Server: nginx********Date: Tue, 10 Apr 2018 09:36:48 GMT********Content-Type: application/json; charset=utf-8********Content-Length: 2********Connection: keep-alive********Docker-Distribution-Api-Version: registry/2.0********Set-Cookie: beegosessionID=e651b65d891617a999254ec875c1c63c; Path=/; HttpOnly**== -## 上面为了显示,我们对返回过来的**==token****做了适当的裁剪。此外这里****curl****命令不适用****-k**==选项,表示需要对服务器证书进行检查。 +## 三、配置 Harbor -- **通过curl来访问registry中的镜像列表** +### 1. 修改 harbor.cfg -## # curl -iL -X GET -u admin:Harbor12345** **https://192.168.69.128/service/token?account=admin\&service=harbor-registry\&scope=registry:catalog:*** **--cacert ca.crt**==****HTTP/1.1 200 OK********Server: nginx********Date: Mon, 09 Apr 2018 09:33:52 GMT********Content-Type: application/json; charset=utf-8********Content-Length: 1166********Connection: keep-alive********Set-Cookie: beegosessionID=648fd5a5ec4f06389d45c02f7f5971b4; Path=/; HttpOnly**== -## {**==** **"token": "A7yfEdUBYD3bDhLM",****** **"expires_in": 1800,****** **"issued_at": "2018-04-09T09:33:52Z"********}**== -## # curl -iL -X GET -H "Content-Type: application/json" -H "Authorization: Bearer LA7yfEdUBYD3bDhLM"** **http://192.168.69.128/v2/_catalog** **--cacert ca.crt**==****HTTP/1.1 200 OK********Server: nginx********Date: Mon, 09 Apr 2018 09:36:35 GMT********Content-Type: application/json; charset=utf-8********Content-Length: 34********Connection: keep-alive********Docker-Distribution-Api-Version: registry/2.0********Set-Cookie: beegosessionID=1b84e760ab0234045f06680e56e28818; Path=/; HttpOnly**== -## {"repositories":["library/redis"]}==== -## 上面为了显示,我们对返回过来的**==token****做了适当的裁剪。此外这里****curl****命令不适用****-k**==选项,表示需要对服务器证书进行检查。 - > 来自 <[https://ivanzz1001.github.io/records/post/docker/2018/04/09/docker-harbor-https](https://ivanzz1001.github.io/records/post/docker/2018/04/09/docker-harbor-https)> - > 来自 <[https://ivanzz1001.github.io/records/post/docker/2018/04/09/docker-harbor-https](https://ivanzz1001.github.io/records/post/docker/2018/04/09/docker-harbor-https)> \ No newline at end of file +```bash +vim /root/harbor/harbor.cfg +``` + +修改: +```ini +hostname = 192.168.69.128 +ui_url_protocol = https +ssl_cert = /opt/cert/harbor-registry.crt +ssl_cert_key = /opt/cert/harbor-registry.key +``` + +### 2. 生成配置 + +```bash +cd /root/harbor +./prepare +``` + +--- + +## 四、重启 Harbor + +```bash +docker-compose down +docker-compose up -d +``` + +--- + +## 五、客户端配置 + +### 1. 复制证书到 Docker + +```bash +# 创建证书目录 +mkdir -p /etc/docker/certs.d/192.168.69.128 + +# 复制证书 +cp /opt/cert/ca.crt /etc/docker/certs.d/192.168.69.128/ + +# CentOS/RHEL 需要更新证书信任 +cp /opt/cert/ca.crt /etc/pki/ca-trust/source/anchors/ +update-ca-trust +``` + +### 2. 重启 Docker + +```bash +systemctl restart docker +``` + +--- + +## 六、验证 + +### 1. 浏览器访问 + +``` +https://192.168.69.128 +``` + +### 2. Docker 登录 + +```bash +docker login 192.168.69.128 + +# 用户名:admin +# 密码:Harbor12345 +``` + +--- + +## 常用命令 + +```bash +# 启动/停止 +docker-compose up -d +docker-compose down + +# 查看状态 +docker-compose ps + +# 查看日志 +docker-compose logs -f +``` + +--- + +## 常见问题 + +### 1. Docker login 失败 + +```bash +# 确保 /etc/docker/daemon.json 中没有 insecure-registries 配置 +# 如果有,移除并重启 Docker +systemctl restart docker +``` + +### 2. 证书不受信任 + +```bash +# CentOS +sudo cp ca.crt /etc/pki/ca-trust/source/anchors/ +sudo update-ca-trust + +# Ubuntu +sudo cp ca.crt /usr/local/share/ca-certificates/ +sudo update-ca-certificates +``` + +### 3. 浏览器访问提示不安全 + +这是自签名证书的正常警告,点击"高级"→"继续访问"即可。 + +--- + +## 简化命令汇总 + +```bash +# 1. 生成证书 +cd /opt/cert +openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt -subj "/C=CN/ST=GD/L=GZ/O=test/OU=IT/CN=test" +openssl req -newkey rsa:4096 -nodes -sha256 -keyout harbor-registry.key -out harbor-registry.csr -subj "/C=CN/ST=GD/L=GZ/O=test/OU=IT/CN=192.168.69.128" +echo "subjectAltName = IP:192.168.69.128" > extfile.cnf +openssl x509 -req -days 365 -in harbor-registry.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out harbor-registry.crt + +# 2. 配置 Harbor +vim /root/harbor/harbor.cfg +# 修改 hostname, ui_url_protocol, ssl_cert, ssl_cert_key + +# 3. 重启 +cd /root/harbor +./prepare +docker-compose down +docker-compose up -d + +# 4. 客户端配置 +mkdir -p /etc/docker/certs.d/192.168.69.128 +cp ca.crt /etc/docker/certs.d/192.168.69.128/ +```