CentOS 安装 Harbor 并开启 HTTPS
私有 Docker 镜像仓库
环境
- 服务器 IP:192.168.69.128
- 系统:CentOS 7
一、生成自签名证书
1. 创建证书目录
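# Create the certificate directory and make it owner-only: it will hold the
# CA and server private keys, which this guide writes without a passphrase.
mkdir -p /opt/cert
chmod 700 /opt/cert
cd /opt/cert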
2. 生成根证书
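# Root CA: a new 4096-bit RSA key plus a self-signed certificate (-x509)
# valid for 3650 days.
# -nodes writes ca.key without a passphrase, so anyone who can read the file
# can sign certificates that every client trusting ca.crt will accept.
openssl req \
-newkey rsa:4096 -nodes -sha256 \
-keyout ca.key \
-x509 -days 3650 -out ca.crt \
-subj "/C=CN/ST=Guangdong/L=Shenzhen/O=test_company/OU=IT/CN=test/emailAddress=11111111@qq.com"
# Restrict the CA private key to its owner.
chmod 600 ca.key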
3. 生成证书签名请求
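# Server key and certificate signing request for the Harbor host.
# CN carries the server IP; the subjectAltName that clients actually verify
# is added when the CSR is signed.
# -nodes leaves harbor-registry.key unencrypted so the service can load it
# without a passphrase prompt.
openssl req \
-newkey rsa:4096 -nodes -sha256 \
-keyout harbor-registry.key \
-out harbor-registry.csr \
-subj "/C=CN/ST=Guangdong/L=Shenzhen/O=test_company/OU=IT/CN=192.168.69.128/emailAddress=11111111@qq.com"
# Restrict the server private key to its owner.
chmod 600 harbor-registry.key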
4. 生成证书
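# Create the extension file for the server certificate.
# Besides the subjectAltName, mark the certificate as a non-CA TLS server
# certificate so it cannot be used to sign other certificates.
cat > extfile.cnf <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.69.128
EOF
# Sign the CSR with the CA.
# -sha256 is given explicitly so the signature digest does not depend on the
# default of the installed OpenSSL version.
openssl x509 -req -sha256 -days 365 \
-in harbor-registry.csr \
-CA ca.crt -CAkey ca.key \
-CAcreateserial \
-extfile extfile.cnf \
-out harbor-registry.crt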
5. 证书文件
# List the generated files; the expected names are shown below.
# ca.key and harbor-registry.key are private keys: keep them readable by
# their owner only and never copy them to client machines.
ls -la /opt/cert/
# ca.crt ca.key ca.srl extfile.cnf harbor-registry.crt harbor-registry.csr harbor-registry.key
二、停止现有 Harbor
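# Option 1: docker-compose (run in the directory holding Harbor's docker-compose.yml).
# -v also removes the volumes declared in the compose file; drop it if that data must be kept.
docker-compose down -v
# Option 2: force stop.
# NOTE: these two commands act on EVERY container on the host, not only Harbor's.
# -q prints container IDs only, and xargs -r skips the call when the list is empty.
docker ps -q | xargs -r docker stop
docker ps -aq | xargs -r docker rm -vf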
三、配置 Harbor
1. 修改 harbor.cfg
vim /root/harbor/harbor.cfg
修改:
# hostname must match the certificate's subjectAltName (IP:192.168.69.128 in this guide)
hostname = 192.168.69.128
# Switch Harbor's URL protocol to HTTPS
ui_url_protocol = https
# Server certificate signed by the local CA
ssl_cert = /opt/cert/harbor-registry.crt
# Matching private key (generated with -nodes, i.e. unencrypted): keep it readable by its owner only
ssl_cert_key = /opt/cert/harbor-registry.key
2. 生成配置
cd /root/harbor
# Generate Harbor's configuration from the edited harbor.cfg
# (presumably needed again after every harbor.cfg change; confirm against the Harbor docs).
./prepare
四、重启 Harbor
# Recreate the containers so they start with the newly generated configuration.
# Run in /root/harbor, where the previous step was executed.
docker-compose down
docker-compose up -d
五、客户端配置
1. 复制证书到 Docker
# Create the per-registry certificate directory; its name is the registry
# address used with docker login/pull.
mkdir -p /etc/docker/certs.d/192.168.69.128
# Copy the CA certificate (public part only; ca.key must never be copied to clients).
# On a separate client machine, transfer ca.crt there first.
cp /opt/cert/ca.crt /etc/docker/certs.d/192.168.69.128/
# CentOS/RHEL: the system certificate trust must be updated as well.
# NOTE: this makes TLS clients on this host trust any certificate signed by
# this CA, so the secrecy of ca.key matters beyond the registry itself.
cp /opt/cert/ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
2. 重启 Docker
systemctl restart docker
六、验证
1. 浏览器访问
https://192.168.69.128
2. Docker 登录
docker login 192.168.69.128
# Username: admin
# Password: Harbor12345
# NOTE: this is Harbor's publicly documented default admin password.
# Change it right after the first login and use a non-admin account for
# routine pushes and pulls.
常用命令
# Start / stop (run in the Harbor install directory)
docker-compose up -d
docker-compose down
# Show status
docker-compose ps
# Follow logs
docker-compose logs -f
常见问题
1. Docker login 失败
# Make sure /etc/docker/daemon.json contains no insecure-registries setting:
# a registry listed there is accessed without certificate verification, which
# defeats the HTTPS setup in this guide.
# If the setting is present, remove it and restart Docker.
systemctl restart docker
2. 证书不受信任
# Run from the directory that holds ca.crt. Install only the CA certificate,
# never ca.key.
# CentOS
sudo cp ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
# Ubuntu (update-ca-certificates only picks up files ending in .crt)
sudo cp ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
3. 浏览器访问提示不安全
这是自签名证书的正常警告:浏览器尚未信任该私有 CA。测试环境中可点击"高级"→"继续访问";更稳妥的做法是把 ca.crt 导入客户端系统或浏览器的受信任根证书,这样警告会消失,也不会养成忽略证书警告的习惯。
简化命令汇总
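# 1. Generate certificates.
# The keys are written without a passphrase (-nodes), so the directory and
# key files are restricted to their owner.
mkdir -p /opt/cert
chmod 700 /opt/cert
cd /opt/cert
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt -subj "/C=CN/ST=GD/L=GZ/O=test/OU=IT/CN=test"
openssl req -newkey rsa:4096 -nodes -sha256 -keyout harbor-registry.key -out harbor-registry.csr -subj "/C=CN/ST=GD/L=GZ/O=test/OU=IT/CN=192.168.69.128"
chmod 600 ca.key harbor-registry.key
# Mark the server certificate as a non-CA TLS server certificate and add the IP subjectAltName.
printf '%s\n' \
  'basicConstraints = CA:FALSE' \
  'keyUsage = digitalSignature, keyEncipherment' \
  'extendedKeyUsage = serverAuth' \
  'subjectAltName = IP:192.168.69.128' > extfile.cnf
# -sha256 is explicit so the signature digest does not depend on the OpenSSL default.
openssl x509 -req -sha256 -days 365 -in harbor-registry.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out harbor-registry.crt
# 2. Configure Harbor
vim /root/harbor/harbor.cfg
# Set hostname, ui_url_protocol, ssl_cert, ssl_cert_key
# 3. Restart
cd /root/harbor
./prepare
docker-compose down
docker-compose up -d
# 4. Client configuration.
# The working directory is now /root/harbor, so ca.crt is referenced by its
# absolute path. Copy only ca.crt, never ca.key.
mkdir -p /etc/docker/certs.d/192.168.69.128
cp /opt/cert/ca.crt /etc/docker/certs.d/192.168.69.128/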