chill/chill_notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1c3801d7a609b543c331b9488d5129d423430c47
chill_notes/Linux/CentOS安装Harbor并开启HTTPS.md
FNS Service 1c3801d7a6 Update from Sync Service
2026-04-21 20:18:10 +08:00

127 lines
15 KiB
Markdown
Executable File
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout ca.key \
-x509 -days 3650 -out ca.crt \
-subj "/C=CN/ST=Guangdong/L=Guangzhou/O=zhdgps/OU=IT/CN=test/emailAddress=11111111@qq.com"
openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout harbor-registry.key \
-out harbor-registry.csr \
-subj "/C=CN/ST=Guangdong/L=Guangzhou/O=zhdgps/OU=IT/CN=10.10.200.175/emailAddress=974418136@qq.com"
echo subjectAltName = IP:10.10.200.175 > extfile.cnf
openssl x509 -req -days 3650 -in harbor-registry.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out harbor-registry.crt
## 因为Harbor发布时默认并不包含certificates并使用http来提供registry请求服务。然而我们建议在实际的生产环境中还是要使用安全的https。Harbor有一个Nginx实例以作为其他所有服务的反向代理。可以使用prepare脚本来配置Nginx以支持https。
**1. 停止Harbor**
## 上一章我们使用的是Harbor默认的http方式工作这里我们首先将Harbor停止并删除掉原有的一些数据以恢复到一个干净的环境
## # docker-compose down -v**==****# ls /data/*********# rm -rf /data/database********# rm -rf /data/registry********# rm -rf /data/*********# rm -rf /var/log/harbor*********#** ==
## 注意可能是因为目前Harbor工作负载过重导致上面调用**==docker-compose down -v**==经常会失败,可用如下方式来停止:
## # docker ps | grep -v CONTAINER | grep -v docs | awk '{print $1'} | xargs docker stop**==**==# docker ps | grep -v CONTAINER | grep -v docs | awk '{print $1'} | xargs docker rm -vf
**2. 获取证书**
## 这里假设你的registry主机名为**==reg.yourdomain.com****并且通过DNS记录能够找到你运行Harbor的主机。首先你应该从CA处获得一个certificate。该certificate通常包含一个****a.crt****文件和一个****a.key****文件,例如:****yourdomain.com.crt****以及****yourdomain.com.key**==。
## 在测试或开发环境下你也许会使用一个自签名证书而不是从CA那里获取。可以通过如下的命令产生你自己的证书
**2.1 创建自签名根证书**
## 可以通过如下的方式来产生一个**==私钥****及****自签名证书**==:
## # openssl req \**==** **-newkey rsa:4096 -nodes -sha256 -keyout ca.key \****** **-x509 -days 365 -out ca.crt**==
**2.2 产生证书签名请求**
## 假如你使用类似于**==reg.yourdomain.com****的FQDN(Fully Qualified Domain Name)方式来连接registry主机则你必须使用****reg.yourdomain.com**==来作为CN(Common Name)。否则假如你使用IP地址来连接你的registry主机的话CN可以指定为任何值例如指定为你的名字
## # openssl req \**==** **-newkey rsa:4096 -nodes -sha256 -keyout yourdomain.com.key \****** **-out yourdomain.com.csr**==
**2.3 为registry主机产生证书**
## 假如你使用类似于**==reg.yourdomain.com**==的FQDN(Full Qualified Domain Name)方式来连接registry主机你可以使用如下的命令来为registry主机产生证书
## # openssl x509 -req -days 365 -in yourdomain.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out yourdomain.com.crt====
## 假如你是使用ip的话 比如使用**==192.168.1.101**==来连接registry主机的话你需要使用如下命令
## # echo subjectAltName = IP:192.168.1.101 > extfile.cnf====
## # openssl x509 -req -days 365 -in yourdomain.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out yourdomain.com**==**==.crt
**3. 配置与安装**
## 在你获得**==yourdomain.com.crt****与****yourdomain.com.key****文件之后,你可以将它们放到一个目录,比如****/root/cert/**==:
## # cp yourdomain.com.crt /root/cert/**==****# cp yourdomain.com.key /root/cert/** ==
## 然后修改**==harbor.cfg****配置文件更新hostname及protocol然后更新****ssl_cert****及****ssl_cert_key**==
## #set hostname**==****hostname = reg.yourdomain.com********#set ui_url_protocol********ui_url_protocol = https********......********#The path of cert and key files for nginx, they are applied only the protocol is set to https** ******ssl_cert = /root/cert/yourdomain.com.crt********ssl_cert_key = /root/cert/yourdomain.com.key**==
## 然后再执行如下命令为Harbor产生配置文件
## # ./prepare====
## 假如当前**==Harbor****正在运行的话,停止并移除当前的运行实例。通过如下方式你的****image data**==仍会保留在文件系统中:
## # docker-compose down====
## 最后重启Harbor。
## 在设置了**==https**==之后,你可以通过如下的步骤来进行验证:
- **打开浏览器输入访问地址****https://reg.yourdomain.com****就会显示出Harbor的 UI界面**
- **在安装有docker daemon的机器上请确保没有****--insecure-registry****设置),你必须拷贝上述步骤所产生的****ca.crt****到****/etc/docker/certs.d/reg.yourdomain.com****目录(或者****registry host IP****目录)。假如该目录并不存在的话请创建该目录。假如你将nginx 443端口映射到了其他端口的话则你必须创建****/etc/docker/certs.d/reg.yourdomain.com:port****目录(或者****registry host IP:port****目录然后运行相应的docker命令行来验证https是否工作正常**
## # docker login reg.yourdomain.com====
## 假如你已经将nginx 443端口映射到了其他端口的话你需要在登录时添加相应的端口例如
## # docker login reg.yourdomain.com:port====
**4. Troubleshooting**
## 1) 你也许从一个certificate issuer处获得了一个intermediate certificate。在这种情况下你可以将该intermediate certificate与你自己的certificate合并创建出一个certificate bundle。你可以通过如下命令来实现
## # cat intermediate-certificate.pem >> yourdomain.com.crt
## 2) 在有一些docker daemon运行的操作系统上你也许需要在操作系统级别信任该证书
- **在Ubuntu操作系统上你可以通过如下命令来完成**
## # cp youdomain.com.crt /usr/local/share/ca-certificates/reg.yourdomain.com.crt**==****# update-ca-certificates**==
- **在Redhat(Centos等操作系统上你可以通过如下命令来完成**
## # cp yourdomain.com.crt /etc/pki/ca-trust/source/anchors/reg.yourdomain.com.crt**==****# update-ca-trust**==
**5. 部署示例**
## 我们当前部署环境ip地址为====192.168.69.128
**5.1 获得证书文件**
**1) 产生根证书**
## # openssl req \**==** **-newkey rsa:4096 -nodes -sha256 -keyout ca.key \****** **-x509 -days 365 -out ca.crt \****** **-subj "/C=CN/ST=Guangdong/L=Shenzhen/O=test_company/OU=IT/CN=test/emailAddress=11111111@qq.com"**==
## # ls**==****ca.crt ca.key**==
**2) 产生证书签名请求**
## # openssl req \**==** **-newkey rsa:4096 -nodes -sha256 -keyout harbor-registry.key \****** **-out harbor-registry.csr \****** **-subj "/C=CN/ST=Guangdong/L=Shenzhen/O=test_company/OU=IT/CN=192.168.69.128/emailAddress=11111111@qq.com"**==
## # ls**==****ca.crt ca.key harbor-registry.csr harbor-registry.key**==
**3) 为registry产生证书**
## # echo subjectAltName = IP:192.168.69.128 > extfile.cnf====
## # openssl x509 -req -days 365 -in harbor-registry.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out harbor-registry.crt====
## # ls**==**==ca.crt ca.key ca.srl extfile.cnf harbor-registry.crt harbor-registry.csr harbor-registry.key
**5.2 配置及安装**
## 1) 拷贝harbor-registry证书到**==/opt/cert**==目录
## # mkdir -p /opt/cert**==****# cp harbor-registry.crt /opt/cert/********# cp harbor-registry.key /opt/cert/**==
## 2) 修改harbor.cfg配置文件
## #set hostname**==****hostname = 192.168.69.128********#set ui_url_protocol********ui_url_protocol = https********......********#The path of cert and key files for nginx, they are applied only the protocol is set to https** ******ssl_cert = /opt/cert/harbor-registry.crt********ssl_cert_key = /opt/cert/harbor-registry.key**==
## 3) 重新产生配置文件
## # ./prepare====
## 4) 关闭harbor
## # docker-compose down** **
## 5) 查看docker daemon是否有**==--insecure-registry**==选项
## 如果仍有该选项请将其去掉并执行如下命令重启docker daemon:
## # systemctl daemon-reload**==****# systemctl restart docker**==
## 6) 重启Harbor
## # docker-compose up -d**==****Creating network "harbor_harbor" with the default driver********Creating harbor-log ... done********Creating registry ... done********Creating harbor-adminserver ... done********Creating harbor-db ... done********Creating harbor-ui ... done********Creating harbor-jobservice ... done********Creating nginx ... done**==
## # docker ps**==****CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES********c7b4d837fefc vmware/nginx-photon:v1.4.0 "nginx -g 'daemon of…" 6 seconds ago Up 3 seconds 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp nginx********257ec984fc98 vmware/harbor-jobservice:v1.4.0 "/harbor/start.sh" 6 seconds ago Up 4 seconds (health: starting) harbor-jobservice********331fe98b1623 vmware/harbor-ui:v1.4.0 "/harbor/start.sh" 8 seconds ago Up 5 seconds (health: starting) harbor-ui********d155d8a3cf00 vmware/harbor-db:v1.4.0 "/usr/local/bin/dock…" 10 seconds ago Up 7 seconds (health: starting) 3306/tcp harbor-db********183a8f508491 vmware/harbor-adminserver:v1.4.0 "/harbor/start.sh" 10 seconds ago Up 7 seconds (health: starting) harbor-adminserver********579642c3cecc vmware/registry-photon:v2.6.2-v1.4.0 "/entrypoint.sh serv…" 10 seconds ago Up 7 seconds (health: starting) 5000/tcp registry********06a1618f789e vmware/harbor-log:v1.4.0 "/bin/sh -c /usr/loc…" 10 seconds ago Up 9 seconds (health: starting) 127.0.0.1:1514->10514/tcp harbor-log**==
## 7) 通过https形式访问Harbor
- **通过浏览器访问**
## 这里首先需要将上面产生的**==ca.crt****导入到浏览器的****受信任的根证书**==中。然后就可以通过https进行访问这里经过测试Chrome浏览器、IE浏览器可以正常访问但360浏览器不能正常访问
- **通过docker命令来访问**
## 首先新建**==/etc/docker/certs.d/192.168.69.128****目录,然后将上面产生的****ca.crt**==拷贝到该目录:
## # mkdir -p /etc/docker/certs.d/192.168.69.128**==****# cp ca.crt /etc/docker/certs.d/192.168.69.128/**==
## 然后登录到docker registry:
## # docker login 192.168.69.128**==****Username (admin): admin********Password:** ******Login Succeeded**==
## 用向**==registry**==中上传一个镜像:
## # docker images**==****192.168.69.128/library/redis alpine c27f56585938 3 weeks ago 27.7MB**==
## [root@localhost test]# docker push 192.168.69.128/library/redis:alpine**==****The push refers to repository [192.168.69.128/library/redis]********f6b9463783dc: Pushed** ******222a85888a99: Pushed** ******1925395eabdd: Pushed** ******c3d278563734: Pushed** ******ad9247fe8c63: Pushed** ******cd7100a72410: Pushed** ******alpine: digest: sha256:9d017f829df3d0800f2a2582c710143767f6dda4df584b708260e73b1a1b6db3 size: 1568**==
- **通过curl命令来访问 registry API版本号**
## 查询registry API版本号
## # curl -iL -X GET** **https://192.168.69.128/v2** **--cacert ca.crt**==****HTTP/1.1 301 Moved Permanently********Server: nginx********Date: Tue, 10 Apr 2018 09:33:39 GMT********Content-Type: text/html********Content-Length: 178********Location:** **https://192.168.69.128/v2/********Connection: keep-alive**==
## HTTP/1.1 401 Unauthorized**==****Server: nginx********Date: Tue, 10 Apr 2018 09:33:39 GMT********Content-Type: application/json; charset=utf-8********Content-Length: 87********Connection: keep-alive********Docker-Distribution-Api-Version: registry/2.0********Set-Cookie: beegosessionID=575f32ac760f52c8cf1cdb748e48ab5e; Path=/; HttpOnly********Www-Authenticate: Bearer realm="https://192.168.69.128/service/token",service="harbor-registry"**==
## {"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}====
## # curl -iL -X GET -u admin:Harbor12345** **https://192.168.69.128/service/token?account=admin\&service=harbor-registry** **--cacert ca.crt**==****HTTP/1.1 200 OK********Server: nginx********Date: Tue, 10 Apr 2018 09:34:39 GMT********Content-Type: application/json; charset=utf-8********Content-Length: 1100********Connection: keep-alive********Set-Cookie: beegosessionID=77bc62dcdc4a810a0e208487a89f069a; Path=/; HttpOnly**==
## {**==** **"token": "nHLZqMPw",****** **"expires_in": 1800,****** **"issued_at": "2018-04-10T09:34:39Z"********}**==
## # curl -iL -X GET -H "Content-Type: application/json" -H "Authorization: Bearer nHLZqMPw"** **https://192.168.69.128/v2** **--cacert ca.crt**==****HTTP/1.1 301 Moved Permanently********Server: nginx********Date: Tue, 10 Apr 2018 09:36:48 GMT********Content-Type: text/html********Content-Length: 178********Location:** **https://192.168.69.128/v2/********Connection: keep-alive**==
## HTTP/1.1 200 OK**==****Server: nginx********Date: Tue, 10 Apr 2018 09:36:48 GMT********Content-Type: application/json; charset=utf-8********Content-Length: 2********Connection: keep-alive********Docker-Distribution-Api-Version: registry/2.0********Set-Cookie: beegosessionID=e651b65d891617a999254ec875c1c63c; Path=/; HttpOnly**==
## 上面为了显示,我们对返回过来的**==token****做了适当的裁剪。此外这里****curl****命令不适用****-k**==选项,表示需要对服务器证书进行检查。
- **通过curl来访问registry中的镜像列表**
## # curl -iL -X GET -u admin:Harbor12345** **https://192.168.69.128/service/token?account=admin\&service=harbor-registry\&scope=registry:catalog:*** **--cacert ca.crt**==****HTTP/1.1 200 OK********Server: nginx********Date: Mon, 09 Apr 2018 09:33:52 GMT********Content-Type: application/json; charset=utf-8********Content-Length: 1166********Connection: keep-alive********Set-Cookie: beegosessionID=648fd5a5ec4f06389d45c02f7f5971b4; Path=/; HttpOnly**==
## {**==** **"token": "A7yfEdUBYD3bDhLM",****** **"expires_in": 1800,****** **"issued_at": "2018-04-09T09:33:52Z"********}**==
## # curl -iL -X GET -H "Content-Type: application/json" -H "Authorization: Bearer LA7yfEdUBYD3bDhLM"** **http://192.168.69.128/v2/_catalog** **--cacert ca.crt**==****HTTP/1.1 200 OK********Server: nginx********Date: Mon, 09 Apr 2018 09:36:35 GMT********Content-Type: application/json; charset=utf-8********Content-Length: 34********Connection: keep-alive********Docker-Distribution-Api-Version: registry/2.0********Set-Cookie: beegosessionID=1b84e760ab0234045f06680e56e28818; Path=/; HttpOnly**==
## {"repositories":["library/redis"]}====
## 上面为了显示,我们对返回过来的**==token****做了适当的裁剪。此外这里****curl****命令不适用****-k**==选项,表示需要对服务器证书进行检查。
> 来自 <[https://ivanzz1001.github.io/records/post/docker/2018/04/09/docker-harbor-https](https://ivanzz1001.github.io/records/post/docker/2018/04/09/docker-harbor-https)>
> 来自 <[https://ivanzz1001.github.io/records/post/docker/2018/04/09/docker-harbor-https](https://ivanzz1001.github.io/records/post/docker/2018/04/09/docker-harbor-https)>
Reference in New Issue View Git Blame Copy Permalink