chill/chill_notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
28eada1b62c919391d16a236a46a8505fea140e2
chill_notes/实践积累/个人知识库_Linux_CentOS_Harbor_开启https_认证.md
FNS Service ada5b8ad4c Update from Sync Service
2026-04-21 11:49:59 +08:00

15 KiB
Executable File
Raw Blame History

openssl req
-newkey rsa:4096 -nodes -sha256 -keyout ca.key
-x509 -days 3650 -out ca.crt
-subj "/C=CN/ST=Guangdong/L=Guangzhou/O=zhdgps/OU=IT/CN=test/emailAddress=11111111@qq.com" openssl req
-newkey rsa:4096 -nodes -sha256 -keyout harbor-registry.key
-out harbor-registry.csr
-subj "/C=CN/ST=Guangdong/L=Guangzhou/O=zhdgps/OU=IT/CN=10.10.200.175/emailAddress=974418136@qq.com" echo subjectAltName = IP:10.10.200.175 > extfile.cnf openssl x509 -req -days 3650 -in harbor-registry.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out harbor-registry.crt

因为Harbor发布时默认并不包含certificates并使用http来提供registry请求服务。然而我们建议在实际的生产环境中还是要使用安全的https。Harbor有一个Nginx实例以作为其他所有服务的反向代理。可以使用prepare脚本来配置Nginx以支持https。

1. 停止Harbor

上一章我们使用的是Harbor默认的http方式工作这里我们首先将Harbor停止并删除掉原有的一些数据以恢复到一个干净的环境

# docker-compose down -v**==# ls /data/*****# rm -rf /data/database****# rm -rf /data/registry# rm -rf /data/*****# rm -rf /var/log/harbor*********#** ==

注意可能是因为目前Harbor工作负载过重导致上面调用**==docker-compose down -v**==经常会失败,可用如下方式来停止:

# docker ps | grep -v CONTAINER | grep -v docs | awk '{print $1'} | xargs docker stop**==**==# docker ps | grep -v CONTAINER | grep -v docs | awk '{print $1'} | xargs docker rm -vf

2. 获取证书

这里假设你的registry主机名为**==reg.yourdomain.com****并且通过DNS记录能够找到你运行Harbor的主机。首先你应该从CA处获得一个certificate。该certificate通常包含一个a.crt文件和一个a.key文件,例如:yourdomain.com.crt以及****yourdomain.com.key**==。

在测试或开发环境下你也许会使用一个自签名证书而不是从CA那里获取。可以通过如下的命令产生你自己的证书

2.1 创建自签名根证书

可以通过如下的方式来产生一个**==私钥自签名证书**==:

# openssl req *==** -newkey rsa:4096 -nodes -sha256 -keyout ca.key *** -x509 -days 365 -out ca.crt==

2.2 产生证书签名请求

假如你使用类似于**==reg.yourdomain.com的FQDN(Fully Qualified Domain Name)方式来连接registry主机则你必须使用reg.yourdomain.com**==来作为CN(Common Name)。否则假如你使用IP地址来连接你的registry主机的话CN可以指定为任何值例如指定为你的名字

# openssl req *==** -newkey rsa:4096 -nodes -sha256 -keyout yourdomain.com.key *** -out yourdomain.com.csr==

2.3 为registry主机产生证书

假如你使用类似于**==reg.yourdomain.com**==的FQDN(Full Qualified Domain Name)方式来连接registry主机你可以使用如下的命令来为registry主机产生证书

# openssl x509 -req -days 365 -in yourdomain.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out yourdomain.com.crt====

假如你是使用ip的话 比如使用**==192.168.1.101**==来连接registry主机的话你需要使用如下命令

# echo subjectAltName = IP:192.168.1.101 > extfile.cnf====

# openssl x509 -req -days 365 -in yourdomain.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out yourdomain.com**==**==.crt

3. 配置与安装

在你获得**==yourdomain.com.crtyourdomain.com.key文件之后,你可以将它们放到一个目录,比如/root/cert/**==:

# cp yourdomain.com.crt /root/cert/==****# cp yourdomain.com.key /root/cert/ ==

然后修改**==harbor.cfg配置文件更新hostname及protocol然后更新ssl_certssl_cert_key**==

#set hostname**==hostname = reg.yourdomain.com#set ui_url_protocolui_url_protocol = https......****#The path of cert and key files for nginx, they are applied only the protocol is set to https** **ssl_cert = /root/cert/yourdomain.com.crt**ssl_cert_key = /root/cert/yourdomain.com.key==

然后再执行如下命令为Harbor产生配置文件

# ./prepare====

假如当前**==Harbor正在运行的话,停止并移除当前的运行实例。通过如下方式你的image data**==仍会保留在文件系统中:

# docker-compose down====

最后重启Harbor。

在设置了**==https**==之后,你可以通过如下的步骤来进行验证:

  • 打开浏览器输入访问地址https://reg.yourdomain.com就会显示出Harbor的 UI界面
  • 在安装有docker daemon的机器上请确保没有**--insecure-registry设置),你必须拷贝上述步骤所产生的ca.crt/etc/docker/certs.d/reg.yourdomain.com目录(或者registry host IP目录)。假如该目录并不存在的话请创建该目录。假如你将nginx 443端口映射到了其他端口的话则你必须创建/etc/docker/certs.d/reg.yourdomain.com:port目录(或者registry host IP:port****目录然后运行相应的docker命令行来验证https是否工作正常**

# docker login reg.yourdomain.com====

假如你已经将nginx 443端口映射到了其他端口的话你需要在登录时添加相应的端口例如

# docker login reg.yourdomain.com:port====

4. Troubleshooting

1) 你也许从一个certificate issuer处获得了一个intermediate certificate。在这种情况下你可以将该intermediate certificate与你自己的certificate合并创建出一个certificate bundle。你可以通过如下命令来实现

# cat intermediate-certificate.pem >> yourdomain.com.crt

2) 在有一些docker daemon运行的操作系统上你也许需要在操作系统级别信任该证书

  • 在Ubuntu操作系统上你可以通过如下命令来完成

# cp youdomain.com.crt /usr/local/share/ca-certificates/reg.yourdomain.com.crt**==****# update-ca-certificates**==

  • 在Redhat(Centos等操作系统上你可以通过如下命令来完成

# cp yourdomain.com.crt /etc/pki/ca-trust/source/anchors/reg.yourdomain.com.crt**==****# update-ca-trust**==

5. 部署示例

我们当前部署环境ip地址为====192.168.69.128

5.1 获得证书文件 1) 产生根证书

# openssl req *==** -newkey rsa:4096 -nodes -sha256 -keyout ca.key *** -x509 -days 365 -out ca.crt ** -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=test_company/OU=IT/CN=test/emailAddress=11111111@qq.com"==

# ls**==**ca.crt ca.key==

2) 产生证书签名请求

# openssl req *==** -newkey rsa:4096 -nodes -sha256 -keyout harbor-registry.key *** -out harbor-registry.csr ** -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=test_company/OU=IT/CN=192.168.69.128/emailAddress=11111111@qq.com"==

# ls**==**ca.crt ca.key harbor-registry.csr harbor-registry.key==

3) 为registry产生证书

# echo subjectAltName = IP:192.168.69.128 > extfile.cnf====

# openssl x509 -req -days 365 -in harbor-registry.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out harbor-registry.crt====

# ls**==**==ca.crt ca.key ca.srl extfile.cnf harbor-registry.crt harbor-registry.csr harbor-registry.key

5.2 配置及安装

1) 拷贝harbor-registry证书到**==/opt/cert**==目录

# mkdir -p /opt/cert**==# cp harbor-registry.crt /opt/cert/****# cp harbor-registry.key /opt/cert/**==

2) 修改harbor.cfg配置文件

#set hostname**==hostname = 192.168.69.128#set ui_url_protocolui_url_protocol = https......****#The path of cert and key files for nginx, they are applied only the protocol is set to https** **ssl_cert = /opt/cert/harbor-registry.crt**ssl_cert_key = /opt/cert/harbor-registry.key==

3) 重新产生配置文件

# ./prepare====

4) 关闭harbor

# docker-compose down** **

5) 查看docker daemon是否有**==--insecure-registry**==选项

如果仍有该选项请将其去掉并执行如下命令重启docker daemon:

# systemctl daemon-reload**==****# systemctl restart docker**==

6) 重启Harbor

# docker-compose up -d**==Creating network "harbor_harbor" with the default driverCreating harbor-log ... doneCreating registry ... doneCreating harbor-adminserver ... doneCreating harbor-db ... doneCreating harbor-ui ... doneCreating harbor-jobservice ... done**Creating nginx ... done==

# docker ps**==CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMESc7b4d837fefc vmware/nginx-photon:v1.4.0 "nginx -g 'daemon of…" 6 seconds ago Up 3 seconds 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp nginx257ec984fc98 vmware/harbor-jobservice:v1.4.0 "/harbor/start.sh" 6 seconds ago Up 4 seconds (health: starting) harbor-jobservice331fe98b1623 vmware/harbor-ui:v1.4.0 "/harbor/start.sh" 8 seconds ago Up 5 seconds (health: starting) harbor-uid155d8a3cf00 vmware/harbor-db:v1.4.0 "/usr/local/bin/dock…" 10 seconds ago Up 7 seconds (health: starting) 3306/tcp harbor-db183a8f508491 vmware/harbor-adminserver:v1.4.0 "/harbor/start.sh" 10 seconds ago Up 7 seconds (health: starting) harbor-adminserver579642c3cecc vmware/registry-photon:v2.6.2-v1.4.0 "/entrypoint.sh serv…" 10 seconds ago Up 7 seconds (health: starting) 5000/tcp registry**06a1618f789e vmware/harbor-log:v1.4.0 "/bin/sh -c /usr/loc…" 10 seconds ago Up 9 seconds (health: starting) 127.0.0.1:1514->10514/tcp harbor-log==

7) 通过https形式访问Harbor

  • 通过浏览器访问

这里首先需要将上面产生的**==ca.crt导入到浏览器的受信任的根证书**==中。然后就可以通过https进行访问这里经过测试Chrome浏览器、IE浏览器可以正常访问但360浏览器不能正常访问

  • 通过docker命令来访问

首先新建**==/etc/docker/certs.d/192.168.69.128目录,然后将上面产生的ca.crt**==拷贝到该目录:

# mkdir -p /etc/docker/certs.d/192.168.69.128**==****# cp ca.crt /etc/docker/certs.d/192.168.69.128/**==

然后登录到docker registry:

# docker login 192.168.69.128**==Username (admin): admin**Password: ****Login Succeeded==

用向**==registry**==中上传一个镜像:

# docker images**==**192.168.69.128/library/redis alpine c27f56585938 3 weeks ago 27.7MB==

[root@localhost test]# docker push 192.168.69.128/library/redis:alpine**==The push refers to repository [192.168.69.128/library/redis]**f6b9463783dc: Pushed ****222a85888a99: Pushed ****1925395eabdd: Pushed ****c3d278563734: Pushed ****ad9247fe8c63: Pushed ****cd7100a72410: Pushed ****alpine: digest: sha256:9d017f829df3d0800f2a2582c710143767f6dda4df584b708260e73b1a1b6db3 size: 1568==

  • 通过curl命令来访问 registry API版本号

查询registry API版本号

# curl -iL -X GET** https://192.168.69.128/v2 --cacert ca.crt==HTTP/1.1 301 Moved PermanentlyServer: nginxDate: Tue, 10 Apr 2018 09:33:39 GMTContent-Type: text/htmlContent-Length: 178Location: **https://192.168.69.128/v2/****Connection: keep-alive==

HTTP/1.1 401 Unauthorized**==Server: nginxDate: Tue, 10 Apr 2018 09:33:39 GMTContent-Type: application/json; charset=utf-8Content-Length: 87Connection: keep-aliveDocker-Distribution-Api-Version: registry/2.0Set-Cookie: beegosessionID=575f32ac760f52c8cf1cdb748e48ab5e; Path=/; HttpOnly****Www-Authenticate: Bearer realm="https://192.168.69.128/service/token",service="harbor-registry"**==

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}====

# curl -iL -X GET -u admin:Harbor12345** https://192.168.69.128/service/token?account=admin&service=harbor-registry --cacert ca.crt==HTTP/1.1 200 OKServer: nginxDate: Tue, 10 Apr 2018 09:34:39 GMTContent-Type: application/json; charset=utf-8Content-Length: 1100Connection: keep-alive**Set-Cookie: beegosessionID=77bc62dcdc4a810a0e208487a89f069a; Path=/; HttpOnly==

{== "token": "nHLZqMPw",**** "expires_in": 1800,**** "issued_at": "2018-04-10T09:34:39Z"}==

# curl -iL -X GET -H "Content-Type: application/json" -H "Authorization: Bearer nHLZqMPw"** https://192.168.69.128/v2 --cacert ca.crt==HTTP/1.1 301 Moved PermanentlyServer: nginxDate: Tue, 10 Apr 2018 09:36:48 GMTContent-Type: text/htmlContent-Length: 178Location: **https://192.168.69.128/v2/****Connection: keep-alive==

HTTP/1.1 200 OK**==Server: nginxDate: Tue, 10 Apr 2018 09:36:48 GMTContent-Type: application/json; charset=utf-8Content-Length: 2Connection: keep-aliveDocker-Distribution-Api-Version: registry/2.0**Set-Cookie: beegosessionID=e651b65d891617a999254ec875c1c63c; Path=/; HttpOnly==

上面为了显示,我们对返回过来的**==token做了适当的裁剪。此外这里curl命令不适用-k**==选项,表示需要对服务器证书进行检查。

  • 通过curl来访问registry中的镜像列表

# curl -iL -X GET -u admin:Harbor12345** https://192.168.69.128/service/token?account=admin&service=harbor-registry&scope=registry:catalog:* --cacert ca.crt==HTTP/1.1 200 OKServer: nginxDate: Mon, 09 Apr 2018 09:33:52 GMTContent-Type: application/json; charset=utf-8Content-Length: 1166Connection: keep-alive**Set-Cookie: beegosessionID=648fd5a5ec4f06389d45c02f7f5971b4; Path=/; HttpOnly==

{== "token": "A7yfEdUBYD3bDhLM",**** "expires_in": 1800,**** "issued_at": "2018-04-09T09:33:52Z"}==

# curl -iL -X GET -H "Content-Type: application/json" -H "Authorization: Bearer LA7yfEdUBYD3bDhLM"** http://192.168.69.128/v2/_catalog --cacert ca.crt==HTTP/1.1 200 OKServer: nginxDate: Mon, 09 Apr 2018 09:36:35 GMTContent-Type: application/json; charset=utf-8Content-Length: 34Connection: keep-aliveDocker-Distribution-Api-Version: registry/2.0**Set-Cookie: beegosessionID=1b84e760ab0234045f06680e56e28818; Path=/; HttpOnly==

{"repositories":["library/redis"]}====

上面为了显示,我们对返回过来的**==token做了适当的裁剪。此外这里curl命令不适用-k**==选项,表示需要对服务器证书进行检查。

来自 <https://ivanzz1001.github.io/records/post/docker/2018/04/09/docker-harbor-https> 来自 <https://ivanzz1001.github.io/records/post/docker/2018/04/09/docker-harbor-https>

Reference in New Issue View Git Blame Copy Permalink