ubuntu 14.04 https 形式安裝docker 私有庫 harbor

起始目錄/root，root 登錄後，直接在該目錄進行下面的命令

 

下載harbor 預編譯包 0.4.5

準備經過域名 reg.server.com 來訪問鏡像庫因此須要在/etc/hosts 文件中加入 192.168.10.90 reg.server.com, IP 鏡像服務器的地址。

 

1 生成 CA 證書（注意內容不能亂填）

 

openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt

 

 

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:reg.server.com
Organizational Unit Name (eg, section) []:reg.server.com
Common Name (e.g. server FQDN or YOUR name) []:reg.server.com # 這裏最重要，必定要填寫你準備使用的域名
Email Address []:admin@reg.server.com

命令完成後生成ca.crt, ca.key文件

 

 

2 而後生成CA 簽名，注意文件名稱要與你的域名匹配

 

openssl req -newkey rsa:4096 -nodes -sha256 -keyout reg.server.com.key -out reg.server.com.csr

 

 

輸入的內容以下

writing new private key to 'reg.server.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:reg.server.com
Organizational Unit Name (eg, section) []:reg.server.com
Common Name (e.g. server FQDN or YOUR name) []:reg.server.com # 必須和域名一致
Email Address []:admin@reg.server.com


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    #密碼留空便可
An optional company name []:

 

命令完成後生成 

reg.server.com.csrreg.server.com.key 和

 

 

3 生成證書

能夠查看/etc/ssl/openssl.cnf 配置文件中 ssl 默認的文件夾名稱是什麼，通常來講，沒被改動過的話是demoCA.

 3.1 建立文件夾和輔助內容

 

mkdir demoCA
  cd demoCA
  touch index.txt
  echo '01' > serial
  cd ..

 3.2 簽名證書

 

       由於咱們生成簽名的時候使用的是FQDN 因此須要以下命令

 

echo subjectAltName = IP:192.168.10.90 > extfile.cnf

openssl ca -in reg.server.com.csr -out reg.server.com.crt -cert ca.crt -keyfile ca.key -extfile extfile.cnf -outdir .

 

 3.3 講生成的證書加入本機信任

     運行3.2 的命令以後，會生成一個01.pem 和 reg.server.com.crt的證書。

 

cat 01.pem >> reg.server.com.crt

cp ca.crt reg.server.com.crt /usr/local/share/ca-certificates/

update-ca-certificates 

 

4 安裝Docker（若是在導入信任證書前安裝了docker， 須要重啓docker，命令爲 service docker restart

安裝方法參見

https://docs.docker.com/engine/installation/Linux/ubuntulinux/

 

5 安裝docker compose

安裝方法參見

https://docs.docker.com/compose/install/

 

若是遇到偉大的長城問題。

能夠直接爬牆把docker-compose-Linux-x64 文件下載下來。而後chmod +x 就能夠了，而後在把這個文件更名爲docker-compose 複製到/usr/local/bin 下，就算安裝完成。

 

6 配置harbor

 

解壓安裝包

tar -zxvf harbor-offline-installer-0.4.5.tgz

修改 harbor.cfg 文件爲

 

## Configuration file of Harbor

#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = reg.server.com #必須和簽名時的域名一致

#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = https

#Email account settings for sending out password resetting emails.
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false

##The initial password of Harbor admin, only works for the first time when Harbor starts.
#It has no effect after the first launch of Harbor.
#Change the admin password from UI after launching Harbor.
harbor_admin_password = Harbor12345   #密碼能夠隨便改

##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
auth_mode = db_auth

#The url for an ldap endpoint.
ldap_url = ldaps://ldap.mydomain.com

#A user's DN who has the permission to search the LDAP/AD server.
#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com

#the password of the ldap_searchdn
#ldap_search_pwd = password

#The base DN from which to look up a user in LDAP/AD
ldap_basedn = ou=people,dc=mydomain,dc=com

#Search filter for LDAP/AD, make sure the syntax of the filter is correct.
#ldap_filter = (objectClass=person)

# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD
ldap_uid = uid

#the scope to search for users, 1-LDAP_SCOPE_BASE, 2-LDAP_SCOPE_ONELEVEL, 3-LDAP_SCOPE_SUBTREE
ldap_scope = 3

#The password for the root user of mysql db, change this before any production use.
db_password = root123

#Turn on or off the self-registration feature
self_registration = on

#Determine whether the UI should use compressed js files.
#For production, set it to on. For development, set it to off.
use_compressed_js = on

#Maximum number of job workers in job service
max_job_workers = 3

#The expiration time (in minute) of token created by token service, default is 30 minutes
token_expiration = 30

#Determine whether the job service should verify the ssl cert when it connects to a remote registry.
#Set this flag to off when the remote registry uses a self-signed or untrusted certificate.
verify_remote_cert = on

#Determine whether or not to generate certificate for the registry's token.
#If the value is on, the prepare script creates new root cert and private key
#for generating token to access the registry. If the value is off, a key/certificate must
#be supplied for token generation.
customize_crt = on

#Information of your organization for certificate
crt_country = CN
crt_state = State
crt_location = CN
crt_organization = organization
crt_organizationalunit = organizational unit
crt_commonname = example.com
crt_email = example@example.com


#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /etc/nginx/cert/reg.server.com.crt       #文件位置不能變，必須是這個位置
ssl_cert_key = /etc/nginx/cert/reg.server.com.key   #文件位置不能變，必須是這個位置

 

 

修改prepare 源碼（此步驟 僅僅在 ubuntu 16 中才須要執行）

vim /root/harbor/prepare 在第46 行不兼容python 3.5， ubuntu 16 默認時使用的python 3.5

將原來的 os.makedirs(path, mode=0600) 改成 os.makedirs(path, mode=0o600)  否則會報錯。

 

 

備份 nginx 配置文件

mv /root/harbor/common/config/nginx/nginx.conf /root/harbor/common/config/nginx/nginx.conf.bak

 

拷貝 https 的配置文件到 /root/harbor/common/config/nginx/

cp /root/harbor/common/templates/nginx/nginx.https.conf /root/harbor/common/config/nginx/nginx.conf

 

拷貝證書

cp reg.server.com.crt reg.server.com.key /etc/nginx/cert/ （若是文件夾不存在，手動建立）

cp reg.server.com.crt reg.server.com.key /root/harbor/common/config/nginx/cert/

 

安裝harbore

cd /root/harbor

./install.sh

 

安裝完成後運行

docker ps 查看啓動的容器，一共有6個

docker login reg.server.com (輸入用戶名密碼，若是能成功登錄就成功 了）

 

過程當中遇到的問題

 

x509: certificate signed by unknown authority

 

 

若是遇到這個問題，就是ca.crt 沒有導入到本機信任列表中，運行下面命令解決

 

cp ca.crt /usr/local/share/ca-certificates/

update-ca-certificates 

 

 

參考文檔

https://github.com/vmware/harbor/blob/master/docs/configure_https.md

https://mritd.me/2016/09/15/Harbor-%E4%BC%81%E4%B8%9A%E7%BA%A7-Docker-Registry-%E7%AC%AC%E4%BA%8C%E5%BC%B9/