Hardware requirements
Minimum:
2 CPU, 4 GB RAM, 40 GB disk
Recommended:
4 CPU, 8 GB RAM, 160 GB disk

Software requirements
python: 2.7+
docker-engine: 1.10+
docker-compose: 1.6.0+
openssl: use the latest version available; it is used to create the certificate and key for Harbor
(These version floors are the ones from the Harbor 1.x documentation. For the 2.3.x installer used below the documented requirements are Docker Engine 17.06.0-ce or later and Docker Compose 1.18.0 or later; Python is no longer needed on the host, because the prepare step runs in a container.)

Network ports
80/443: HTTP/HTTPS for the Harbor UI and API
4443: HTTPS for the Docker Content Trust (Notary) service; only needed when Notary is enabled

Pre-installation preparation

Download the Harbor offline installer

curl -L -O https://github.com/goharbor/harbor/releases/download/v2.3.3/harbor-offline-installer-v2.3.3.tgz

Other versions are available from the Harbor GitHub releases page: https://github.com/goharbor/harbor/releases

Create a self-signed certificate

If you have a domain name and a certificate issued by a public CA you can skip this step; a self-signed setup is less convenient because every client (and every Docker daemon) has to be told to trust the private CA.
Create the CA root certificate
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Answer the prompts as below. The CA's Common Name does not have to be the Harbor address; keep the CA subject different from the server certificate's subject (here they differ in State and Organization), otherwise OpenSSL can treat the server certificate as self-signed and fail to verify it.
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Jiangsu
Locality Name (eg, city) []:Jiangsu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:simaek.com
Organizational Unit Name (eg, section) []:simaek.com
Common Name (e.g. server FQDN or YOUR name) []:10.240.4.159
Email Address []:example@mail.com
Create the certificate signing request (the Common Name is the address clients will use to reach Harbor)
openssl req -newkey rsa:4096 -nodes -sha256 -keyout 10.240.4.159.key -out 10.240.4.159.csr
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Harbin
Locality Name (eg, city) []:Harbin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ydgw
Organizational Unit Name (eg, section) []:ydgw
Common Name (e.g. server FQDN or YOUR name) []:10.240.4.159
Email Address []:liuyajun@ydgw.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   # leave the password empty
An optional company name []:
openssl ca, used for signing below, keeps a certificate database in the directory named by dir under [ CA_default ] in openssl.cnf (/etc/pki/CA on RHEL/CentOS; ./demoCA relative to the current directory on Debian/Ubuntu, whose configuration is /usr/lib/ssl/openssl.cnf). It refuses to sign until the index and serial files exist there:
touch /etc/pki/CA/index.txt
echo '01' > /etc/pki/CA/serial
The original notes went on to build a second root CA inside that directory (openssl genrsa -out /etc/pki/CA/private/cakey.pem, openssl req -new -key /etc/pki/CA/private/cakey.pem -out rootCA.csr, openssl ca -selfsign -in rootCA.csr, cp /etc/pki/CA/newcerts/01.pem /etc/pki/CA/cacert.pem). That CA is never used: the signing command below passes ca.crt and ca.key explicitly with -cert and -keyfile, so those commands can be skipped.

Sign the certificate:

Put the Harbor address in a subjectAltName extension. Docker and other Go-based clients match the host against the SAN only and ignore the Common Name, so a certificate without a SAN is rejected even when the CN is correct. Use IP: for an IP address and DNS: for a hostname.
echo subjectAltName = IP:10.240.4.159 > extfile.cnf
openssl ca -in 10.240.4.159.csr -out 10.240.4.159.crt -cert ca.crt -keyfile ca.key -extfile extfile.cnf -days 3650 -outdir .
The transcript below was captured from a run with a 365-day validity; with -days 3650 as written above the certificate is valid for ten years.
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 31 06:39:39 2018 GMT
            Not After : Jan 31 06:39:39 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Harbin
            organizationName          = ydgw
            organizationalUnitName    = ydgw
            commonName                = 10.240.4.159
            emailAddress              = liuyajun@ydgw.cn
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:10.240.4.159
Certificate is to be certified until Jan 31 06:39:39 2019 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Add the CA certificate to the host trust store. What clients need to trust is the CA that
# signed the server certificate (ca.crt), not the server certificate itself; trusting the CA
# also keeps working when the server certificate is reissued. update-ca-certificates only
# picks up files ending in .crt (Debian/Ubuntu; on RHEL/CentOS the anchors directory is
# /etc/pki/ca-trust/source/anchors and the command is update-ca-trust).
cp ca.crt /usr/local/share/ca-certificates/
update-ca-certificates

# Restart Docker so the daemon picks up the updated system trust store
systemctl daemon-reload
systemctl restart docker
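The whole certificate procedure above (private CA, CSR, SAN, signing, verification, and the per-registry trust layout Docker reads from /etc/docker/certs.d) as one non-interactive script. This is an added example and is not code from the original post or from the Harbor project. It assumes an output directory and the Harbor host as its two arguments (the page's 10.240.4.159 in the usage line), keeps the page's rsa:4096 keys, and signs with openssl x509 -req instead of openssl ca, so it needs no index.txt/serial database. It goes slightly beyond the page by also accepting a DNS hostname, for which it emits a DNS: SAN instead of IP:.

```sh
#!/bin/sh
# Added example (not from the original page): build a private CA and a
# Harbor server certificate with a SAN, verify the chain the way a client
# would, and lay the CA out as certs.d/<host>/ca.crt for Docker.
# Assumptions: $1 is an output directory (created if missing); $2 is the
# Harbor host, either an IPv4 address such as 10.240.4.159 or a DNS name.
set -eu

# The body runs in a subshell so the cd does not leak into the caller; each
# step exits the subshell on failure so the function's status is reliable.
gen_harbor_certs() (
    outdir=$1
    host=$2
    mkdir -p "$outdir"
    cd "$outdir"

    # Docker (a Go client) matches the host against the SAN only, never the
    # CN, so the SAN type must fit the host: IP: for addresses, DNS: for names.
    case $host in
        *[!0-9.]*) san="DNS:$host"; sanline="DNS:$host" ;;
        *)         san="IP:$host";  sanline="IP Address:$host" ;;
    esac

    # 1. Private CA. Its subject is kept different from the server subject so
    #    no verifier mistakes the server certificate for a self-signed one.
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
        -subj "/C=CN/O=simaek.com/CN=Harbor private CA" \
        -keyout ca.key -out ca.crt 2>/dev/null || exit 1

    # 2. Server key and CSR, with the CN set to the host as the page does.
    openssl req -newkey rsa:4096 -nodes -sha256 \
        -subj "/C=CN/O=ydgw/CN=$host" \
        -keyout "$host.key" -out "$host.csr" 2>/dev/null || exit 1

    # 3. Leaf extensions: the SAN, a serverAuth-only key usage, and an
    #    authority key identifier so chain building is unambiguous.
    cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=$san
EOF

    # 4. Sign the CSR with the CA; -CAcreateserial keeps the serial in ca.srl.
    openssl x509 -req -sha256 -days 3650 -in "$host.csr" \
        -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile v3.ext -out "$host.crt" 2>/dev/null || exit 1

    # 5. The checks a client performs: the chain verifies against the CA and
    #    the SAN names the host.
    openssl verify -CAfile ca.crt "$host.crt" >/dev/null || exit 1
    openssl x509 -in "$host.crt" -noout -text | grep -q "$sanline" || exit 1

    # 6. Per-registry trust directory for Docker: copy certs.d/<host>/ca.crt
    #    to /etc/docker/certs.d/<host>/ca.crt on every client host. This is
    #    read per registry and needs no daemon restart.
    mkdir -p "certs.d/$host"
    cp ca.crt "certs.d/$host/ca.crt"
)

# Usage: sh mkcerts.sh ./harbor-certs 10.240.4.159
if [ "$#" -eq 2 ]; then
    gen_harbor_certs "$1" "$2"
fi
```

The resulting <host>.crt and <host>.key are what Harbor's https configuration points at, and ca.crt is the only file that has to travel to clients. Adding the SAN and key-usage extensions in an -extfile is needed with openssl x509 -req because, unlike openssl ca, it copies nothing from the CSR.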

Parameters you will be prompted to enter:

Fixing Harbor failing to start after a reboot:

After the host reboots, Harbor may fail to come up because of container dependencies and start order. The workaround recommended here is to let systemd bring the compose stack up and down.

Create a systemd unit at /etc/systemd/system/harbor.service (the paths below assume Harbor was unpacked to /opt/harbor; the docker-compose.yml there is generated by Harbor's install.sh):

[Unit]
Description=Harbor Docker Repository
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service

[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/local/bin/docker-compose -f /opt/harbor/docker-compose.yml up
ExecStop=/usr/local/bin/docker-compose -f /opt/harbor/docker-compose.yml down

[Install]
WantedBy=multi-user.target

Harbor can then be controlled through systemd:

systemctl enable --now harbor    # start now and on every boot
systemctl disable --now harbor   # stop now and do not start on boot
Last modified: 2 August 2023