When I first installed Harbor I chose HTTP for convenience, but it turned out to be awkward in practice: the Docker client talks to a registry over HTTPS by default, so every single client needed special configuration, which was a real hassle. So I decided to switch from HTTP to HTTPS. This post records the process.

I followed the official configuration document:

https://github.com/goharbor/harbor/blob/master/docs/configure_https.md
Generate the CA key pair:

```sh
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 36500 \
  -subj "/C=SC/ST=CHENGDU/L=CHENGDU/O=example/OU=Personal/CN=yuweibnig.com" \
  -key ca.key \
  -out ca.crt
```

Generate the web server key pair:

```sh
openssl genrsa -out yuweibing.com.key 4096
openssl req -sha512 -new \
  -subj "/C=SC/ST=CHENGDU/L=CHENGDU/O=example/OU=Personal/CN=yuweibnig.com" \
  -key yuweibing.com.key \
  -out yuweibing.com.csr
```

Have the CA sign the web server certificate:

```sh
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=yuweibing.com
DNS.2=yuweibing
DNS.3=harbor
EOF

openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in yuweibing.com.csr \
  -out yuweibing.com.crt
```

Note that the CN in both `-subj` strings is misspelled (yuweibnig.com instead of yuweibing.com). This did not break anything because modern TLS clients, the Docker client included, match the hostname against the subjectAltName entries listed in v3.ext rather than against the CN, and the CA certificate's CN plays no part in hostname matching at all.

The output of the signing command looks like this:

```
[root@harbor ssl]# openssl x509 -req -sha512 -days 3650 \
> -extfile v3.ext \
> -CA ca.crt -CAkey ca.key -CAcreateserial \
> -in yuweibing.com.csr \
> -out yuweibing.com.crt
Signature ok
subject=/C=SC/ST=CHENGDU/L=CHENGDU/O=example/OU=Personal/CN=yuweibnig.com
Getting CA Private Key
[root@harbor ssl]#
```
Modify the following parameters in the harbor.cfg configuration file:

```
hostname = yuweibing.com
ui_url_protocol = https
ssl_cert = /software/harbor/ssl/yuweibing.com.crt
ssl_cert_key = /software/harbor/ssl/yuweibing.com.key
secretkey_path = /software/harbor/ssl
```
Then run prepare:

```sh
./prepare
```

Then run install:

```sh
./install.sh
```

The output is as follows:
```
[root@harbor harbor]# ./prepare
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/core/env
Clearing the configuration file: ./common/config/core/app.conf
Clearing the configuration file: ./common/config/core/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/registryctl/env
Clearing the configuration file: ./common/config/registryctl/config.yml
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
Generated and saved secret to file: /software/harbor/ssl/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/core/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/registryctl/env
Generated configuration file: ./common/config/core/app.conf
Generated certificate, key file: ./common/config/core/private_key.pem, cert fil
The configuration files are ready, please use docker-compose to start the servi
[root@harbor harbor]# ls
common  docker-compose.clair.yml  docker-compose.yml  docker-compose.chartmuseum.yml  docker-compose.notary.yml  harbor.cfg
[root@harbor harbor]# ./install.sh

[Step 0]: checking installation environment ...

Note: docker version: 1.13.1

Note: docker-compose version: 1.18.0

[Step 1]: loading Harbor images ...
Loaded image: goharbor/registry-photon:v2.6.2-v1.7.1
Loaded image: goharbor/harbor-migrator:v1.7.1
Loaded image: goharbor/harbor-adminserver:v1.7.1
Loaded image: goharbor/harbor-core:v1.7.1
Loaded image: goharbor/harbor-log:v1.7.1
Loaded image: goharbor/harbor-jobservice:v1.7.1
Loaded image: goharbor/notary-server-photon:v0.6.1-v1.7.1
Loaded image: goharbor/clair-photon:v2.0.7-v1.7.1
Loaded image: goharbor/harbor-portal:v1.7.1
Loaded image: goharbor/harbor-db:v1.7.1
Loaded image: goharbor/redis-photon:v1.7.1
Loaded image: goharbor/nginx-photon:v1.7.1
Loaded image: goharbor/harbor-registryctl:v1.7.1
Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.7.1
Loaded image: goharbor/chartmuseum-photon:v0.7.1-v1.7.1

[Step 2]: preparing environment ...
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/core/env
Clearing the configuration file: ./common/config/core/app.conf
Clearing the configuration file: ./common/config/core/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/registryctl/env
Clearing the configuration file: ./common/config/registryctl/config.yml
Clearing the configuration file: ./common/config/nginx/cert/yuweibing.com.crt
Clearing the configuration file: ./common/config/nginx/cert/yuweibing.com.key
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
loaded secret from file: /software/harbor/ssl/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/core/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/registryctl/env
Generated configuration file: ./common/config/core/app.conf
Generated certificate, key file: ./common/config/core/private_key.pem, cert fil
The configuration files are ready, please use docker-compose to start the servi

[Step 3]: checking existing instance of Harbor ...
Note: stopping existing Harbor instance ...
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-portal ... done
Stopping harbor-core ... done
Stopping registry ... done
Stopping harbor-adminserver ... done
Stopping registryctl ... done
Stopping redis ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-portal ... done
Removing harbor-core ... done
Removing registry ... done
Removing harbor-adminserver ... done
Creating harbor-log ... done
Removing redis ... done
Removing harbor-db ... done
Removing harbor-log ... done
Removing network harbor_harbor
Creating redis ... done
Creating harbor-core ... done

[Step 4]: starting Harbor ...
Creating harbor-portal ... done
Creating nginx ... done
Creating registryctl ...
Creating harbor-adminserver ...
Creating redis ...
Creating registry ...
Creating harbor-db ...
Creating harbor-core ...
Creating harbor-portal ...
Creating harbor-jobservice ...
Creating nginx ...

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at https://reg.yuweibing.com.
For more details, please visit https://github.com/goharbor/harbor .
```
Next, edit the hosts file on the local Windows client so that the domain name reg.yuweibing.com resolves to the Harbor host:

```
192.168.1.44    reg.yuweibing.com
192.168.170.44  reg.yuweibing.com
```

After that, entering the domain name reg.yuweibing.com in a browser on the Windows client opens the Harbor web UI.

After logging in I found that the original user accounts and image data were all still there, which is nice.

Next, verify that a Docker client can pull images from Harbor normally:
```
[root@k8s1 ~]# docker login yuweibing.com
Username: ywb
Password:
Error response from daemon: Get https://yuweibing.com/v2/: x509: certificate signed by unknown authority
```
Authentication fails. The reason is that Docker still has to be told which certificates to trust for the domain yuweibing.com: the domain's public key, private key and CA file are copied into Docker's certificate directory /etc/docker/certs.d/yuweibing.com/, as follows.

Change into the ssl directory that holds the key files created above and run:

```sh
openssl x509 -inform PEM -in yuweibing.com.crt -out yuweibing.com.cert
cp yuweibing.com.cert /etc/docker/certs.d/yuweibing.com/
cp yuweibing.com.key /etc/docker/certs.d/yuweibing.com/
cp ca.crt /etc/docker/certs.d/yuweibing.com/
```

Use scp to copy the same three files into /etc/docker/certs.d/yuweibing.com/ on every Docker client that needs to log in to Harbor. Note that this directory has to be created first, and the hosts file on each Docker client must also be edited so that yuweibing.com resolves. One caveat worth knowing: Docker reads `*.crt` files in that directory as CA certificates and a `*.cert`/`*.key` pair as a client certificate for mutual TLS, so it is ca.crt that makes the "unknown authority" error go away; the server's private key is only needed on the Harbor host and is better not distributed to clients.
Verify again:

```
[root@k8s1 yuweibing.com]# docker login yuweibing.com
Username: ywb
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@k8s1 yuweibing.com]#
```

Login succeeds.
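As an added illustration (not code from this post or from the Harbor project), the Go program below reproduces both halves of the step above with the same standard-library x509 code the Docker client uses for TLS: it builds a CA and a server certificate carrying the subjectAltName entries from v3.ext (keeping the CN typo from the post), then verifies the server certificate for yuweibing.com first without the CA in the trust store, which yields the "certificate signed by unknown authority" error seen above, and then with it. The CA name harbor-ca and the use of short-lived ECDSA keys instead of 4096-bit RSA are assumptions made to keep the example short.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must turns the (DER, error) result of x509.CreateCertificate into a parsed certificate.
func must(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildChain mirrors the post's openssl steps: a self-signed CA, then a server cert with the v3.ext SANs (CA name and ECDSA keys are assumptions).
func BuildChain() (ca, server *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "harbor-ca"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	ca = must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "yuweibnig.com"}, // typo kept on purpose
		DNSNames:    []string{"yuweibing.com", "yuweibing", "harbor"}, // subjectAltName from v3.ext
		NotBefore:   now, NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	server = must(x509.CreateCertificate(rand.Reader, srvTmpl, ca, &srvKey.PublicKey, caKey))
	return ca, server
}

// VerifyAs is the check "docker login <host>" performs; trusted=false is the client before ca.crt sits in /etc/docker/certs.d/<host>/.
func VerifyAs(ca, server *x509.Certificate, host string, trusted bool) error {
	roots := x509.NewCertPool()
	if trusted {
		roots.AddCert(ca) // same effect as placing ca.crt in the certs.d directory
	}
	_, err := server.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
```

VerifyAs with the misspelled host yuweibnig.com fails even with the CA trusted, which shows that only the SAN entries count once they are present.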
Summary:

If Harbor is deployed over HTTP to save effort at install time, the Docker client still uses a secure HTTPS connection to the registry by default, and switching it to HTTP means changing the Docker configuration on every client, which is a real hassle. So HTTPS is the way to go.

Switching from HTTP to HTTPS mainly means regenerating the CA certificate (the issuing authority) and the web server certificate (the Harbor server), and having the CA sign the server's certificate request. Then edit harbor.cfg to point at the server certificate files and change hostname from an IP address to a domain name, and run prepare and install again; the install script removes the old docker-compose containers and recreates them by itself.

User accounts and image data are preserved across the reinstall.

Finally, don't forget to configure the Harbor server's certificate and the CA certificate on the Docker clients and to set up name resolution; if there is no DNS server, just edit the hosts file on each Docker client so that the domain name configured in Harbor resolves.