Docker(二)：Docker镜像仓库Harbor搭建

安装docker-compose

因为docker-compose下载容易失败, 所以选择从github下载方式安装。

[root@harbor ~]# mv docker-compose-Linux-x86_64 /usr/local/bin/docker-compose [root@harbor ~]# chmod a+x /usr/local/bin/docker-compose [root@harbor ~]# docker-compose --version docker-compose version 1.25.5, build 8a1c60f6 Harbor安装和配置 GitHub下载安装包

地址：https://github.com/goharbor/harbor/releases

[root@harbor ~]# tar -zxvf harbor-offline-installer-v1.10.1.tgz [root@harbor ~]# mv harbor /usr/local/ [root@harbor ~]# cd /usr/local/harbor/ [root@harbor harbor]# cp harbor.yml harbor.yml.bak 修改配置文件 [root@harbor harbor]# vim harbor.yml hostname: chinda.com https: port: 443 certificate: /data/cert/chinda.com.crt private_key: /data/cert/chinda.com.key # harbor管理页面admin用户的密码 harbor_admin_password: admin 修改宿主机hosts 192.168.0.250 chinda.com 配置对Harbor的HTTPS访问 生成机构颁发的证书

生成CA证书私钥

openssl genrsa -out ca.key 4096

生成CA证书

openssl req -x509 -new -nodes -sha512 -days 3650 \ -subj "/C=CN/ST=Beijing/L=Beijing/O=chinda/OU=chinda/CN=chinda.com" \ -key ca.key \ -out ca.crt

生成服务器证书

证书通常包含一个.crt文件和一个.key文件。

生成私钥

openssl genrsa -out chinda.com.key 4096

生成证书签名(CSR)

openssl req -sha512 -new \ -subj "/C=CN/ST=Beijing/L=Beijing/O=chinda/OU=chinda/CN=chinda.com" \ -key chinda.com.key \ -out chinda.com.csr

生成x509 v3扩展文件

cat > v3.ext <<-EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1=chinda.com DNS.2=chinda DNS.3=harbor EOF

使用v3.ext文件为Harbor主机生成证书

将chinda.com`CRS和CRT文件名中的替换为Harbor主机名。

openssl x509 -req -sha512 -days 3650 \ -extfile v3.ext \ -CA ca.crt -CAkey ca.key -CAcreateserial \ -in chinda.com.csr \ -out chinda.com.crt

提供证书给Harbor和Docker

生成ca.crt，chinda.com.crt和chinda.com.key文件后，必须将它们提供给Harbor和Docker和重新配置使用它们的Harbor。首先创建存放他们的文件夹。

将服务器证书和密钥复制到Harbor主机的cert文件夹中。

cp chinda.com.crt /data/cert/ cp chinda.com.key /data/cert/ chmod a+x /data/cert/

转换chinda.com.crt为chinda.com.cert，供Docker使用。

Docker守护程序将.crt文件解释为CA证书，并将.cert文件解释为客户端证书。

openssl x509 -inform PEM -in chinda.com.crt -out chinda.com.cert

将服务器证书，密钥和CA文件复制到Harbor主机上的Docker 证书文件夹中。首先创建适当的文件夹。

cp chinda.com.cert /etc/docker/certs.d/chinda.com/ cp chinda.com.key /etc/docker/certs.d/chinda.com/ cp ca.crt /etc/docker/certs.d/chinda.com/

重启Docker引擎

systemctl restart docker

运行脚本安装 [root@harbor cert]# cd /usr/local/harbor/ [root@harbor harbor]# ./install.sh 验证

[root@harbor harbor]# docker login https://chinda.com Username: admin Password: WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded 操作 # 查看执行状态。注意，要在项目下执行此命令，不然会抛出异常 docker-compose ps # 停止/移除存在的实例 docker-compose down -v # 重启harbor docker-compose up -d 推送镜像的Docker命令 # 在项目中标记镜像： docker tag SOURCE_IMAGE[:TAG] chinda.com/library/IMAGE[:TAG] # 推送镜像到当前项目： docker push chinda.com/library/IMAGE[:TAG] 鉴权失败401 Unauthorized [root@harbor harbor]# docker login https://chinda.com Authenticating with existing credentials... Login did not succeed, error: Error response from daemon: login attempt to https://chinda.com/v2/ failed with status: 401 Unauthorized Username (admin): admin Password: Error response from daemon: login attempt to https://chinda.com/v2/ failed with status: 401 Unauthorized

解决方案

docker-compose down -v docker-compose up -d