Hardware requirements
Minimum configuration:
2CPU 4GB RAM 40GB HDD
Recommended configuration:
4CPU 8GB RAM 160GB HDD
Software requirements
python: 2.7+
docker-engine: 1.10+
docker-compose: 1.6.0+
openssl: the latest version is recommended; it is used to create the certificate and key for Harbor
Network ports
80/443: HTTP/HTTPS for the Harbor UI and API
4443: HTTPS, connection to the Docker Content Trust service; only needed when Notary is enabled
Pre-installation preparation
Download the Harbor offline installer
curl -L -O https://github.com/goharbor/harbor/releases/download/v2.3.3/harbor-offline-installer-v2.3.3.tgz
Other versions can be found in the Harbor GitHub releases: https://github.com/goharbor/harbor/releases
Create a self-signed certificate
If you have a domain name and a CA-issued certificate you can skip this step; self-signed certificates are not very convenient.
Create the CA root certificate
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Jiangsu
Locality Name (eg, city) []:Jiangsu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:simaek.com
Organizational Unit Name (eg, section) []:simaek.com
Common Name (e.g. server FQDN or YOUR name) []:10.240.4.159
Email Address []:example@mail.com
Create a certificate signing request
openssl req -newkey rsa:4096 -nodes -sha256 -keyout 10.240.4.159.key -out 10.240.4.159.csr
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Harbin
Locality Name (eg, city) []:Harbin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ydgw
Organizational Unit Name (eg, section) []:ydgw
Common Name (e.g. server FQDN or YOUR name) []:10.240.4.159
Email Address []:liuyajun@ydgw.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # leave the password empty
An optional company name []:
openssl ca keeps a database (index.txt) and a serial-number file under the CA directory configured in openssl.cnf (/etc/pki/CA on CentOS/RHEL, ./demoCA on Debian/Ubuntu) and fails if they are missing. The commands below prepare that directory and, as an alternative to the ca.key/ca.crt pair created above, build the root CA in place with openssl ca -selfsign:
touch /etc/pki/CA/index.txt
echo "01" > /etc/pki/CA/serial
openssl genrsa -out /etc/pki/CA/private/cakey.pem
openssl req -new -key /etc/pki/CA/private/cakey.pem -out rootCA.csr
openssl ca -selfsign -in rootCA.csr
cp /etc/pki/CA/newcerts/01.pem /etc/pki/CA/cacert.pem
Sign the certificate:
echo subjectAltName = IP:10.240.4.159 > extfile.cnf
openssl ca -in 10.240.4.159.csr -out 10.240.4.159.crt -cert ca.crt -keyfile ca.key -extfile extfile.cnf -days 3650 -outdir .
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 1 (0x1)
    Validity
        Not Before: Jan 31 06:39:39 2018 GMT
        Not After : Jan 31 06:39:39 2019 GMT
    Subject:
        countryName               = CN
        stateOrProvinceName       = Harbin
        organizationName          = ydgw
        organizationalUnitName    = ydgw
        commonName                = 10.240.4.159
        emailAddress              = liuyajun@ydgw.cn
    X509v3 extensions:
        X509v3 Subject Alternative Name:
            IP Address:10.240.4.159
Certificate is to be certified until Jan 31 06:39:39 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# add the certificate to the local trust store
cp 10.240.4.159.crt /usr/local/share/ca-certificates/
update-ca-certificates
# restart Docker so the certificate takes effect
systemctl daemon-reload
systemctl restart docker
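As an added example that is not part of the original notes, the CA and server-certificate steps above as one non-interactive shell function: the subjects are passed with -subj instead of being typed at the prompts, and the CSR is signed with openssl x509 -req (which needs no index.txt/serial database) rather than openssl ca. The names make_registry_cert and cert_has_san and the organisation values in the subjects are assumptions; the address 10.240.4.159 is the one used above.

```shell
#!/bin/sh
# Added example, not from the original notes: non-interactive CA + server
# certificate for a Harbor registry, signed with `openssl x509 -req` instead
# of `openssl ca`, so no index.txt/serial database is required.
# Usage: make_registry_cert <registry IP or FQDN> <output directory>
make_registry_cert() {
  host="$1"; out="$2"
  mkdir -p "$out" || return 1
  # Docker validates the SAN, not the CN: an IP literal needs IP:, a name DNS:
  case "$host" in
    *[!0-9.]*) san="DNS:$host" ;;
    *)         san="IP:$host" ;;
  esac
  # 1. Root CA key and self-signed certificate (10 years); subject via -subj
  #    (the organisation values are placeholders)
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
    -subj "/C=CN/O=example-org/CN=harbor-ca" \
    -keyout "$out/ca.key" -out "$out/ca.crt" || return 1
  # 2. Server key and CSR, CN set to the registry address
  openssl req -newkey rsa:4096 -nodes -sha256 \
    -subj "/C=CN/O=example-org/CN=$host" \
    -keyout "$out/$host.key" -out "$out/$host.csr" || return 1
  # 3. Sign the CSR with the CA, adding the SAN and serverAuth extensions
  printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$san" \
    > "$out/extfile.cnf"
  openssl x509 -req -sha256 -days 3650 -in "$out/$host.csr" \
    -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
    -extfile "$out/extfile.cnf" -out "$out/$host.crt" || return 1
  # 4. Verify the leaf chains to ca.crt, as the Docker daemon will when pulling
  openssl verify -CAfile "$out/ca.crt" "$out/$host.crt" >/dev/null
}

# True when the issued certificate lists the given SAN entry
# (e.g. "IP Address:10.240.4.159" or "DNS:harbor.example.com")
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# Demo run with the registry IP used in these notes; files land in ./harbor-certs
make_registry_cert "${1:-10.240.4.159}" "${2:-./harbor-certs}" \
  && echo "certificate issued under ${2:-./harbor-certs}"
```

Install ca.crt (not the server certificate) into the client's trust store so that any certificate later issued by this CA is accepted without another trust-store change.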
Parameters you will be prompted to enter:
Fixing Harbor failing to start after a reboot:
After the host reboots, Harbor may fail to start because of container dependencies and start order; here is a recommended workaround.
Using systemd, write a service unit: /etc/systemd/system/harbor.service
[Unit]
Description=Harbor Docker Repository
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/local/bin/docker-compose -f /opt/harbor/docker-compose.yml up
ExecStop=/usr/local/bin/docker-compose -f /opt/harbor/docker-compose.yml down
[Install]
WantedBy=multi-user.target
Now the service can be controlled through systemd.
systemctl enable --now harbor    # start now and enable at boot
systemctl disable --now harbor   # stop now and disable at boot