Installing Harbor and Integrating It with Containerd

Installing Harbor with docker-compose

Prerequisites:

  • Install docker
  • Install docker-compose

Installation reference

Download and extract

wget -c https://github.com/goharbor/harbor/releases/download/v2.3.5/harbor-offline-installer-v2.3.5.tgz

tar -zxvf harbor-offline-installer-v2.3.5.tgz

cd harbor
cp harbor.yml.tmpl harbor.yml

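Change the password

Following the red underlines in the figure, modify hostname, http.port, and harbor_admin_password in the configuration file and comment out the https configuration. Then run ./prepare and ./install.sh; after a short wait, the installation completes.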

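### Integrating with containerd: configuring HTTPS

When containerd uses Harbor, Harbor's HTTPS port must be supported, so to use a private Harbor registry from containerd we need to configure HTTPS in Harbor.

Generate the certificates, using harbor.jdragon.club as the example hostname: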

mkdir -p /data/cert/
# Generate the files inside /data/cert, which the Harbor steps below rely on
cd /data/cert/
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.jdragon.club" \
 -key ca.key \
 -out ca.crt


openssl genrsa -out harbor.jdragon.club.key 4096
openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.jdragon.club" \
    -key harbor.jdragon.club.key \
    -out harbor.jdragon.club.csr


cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor.jdragon.club
DNS.2=harbor.jdragon
DNS.3=localhost
EOF

openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in harbor.jdragon.club.csr \
    -out harbor.jdragon.club.crt


openssl x509 -inform PEM -in harbor.jdragon.club.crt -out harbor.jdragon.club.cert

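After running the commands above, several certificate-related files are produced. The ones Harbor ultimately uses are harbor.jdragon.club.cert and harbor.jdragon.club.key (the names follow the hostname you configured).

If you generated the files under /data/cert as in this article (Harbor's docker-compose mounts /data directly), nothing needs to be moved: edit the harbor.yml configuration file modified in the first installation step and set https.certificate and https.private_key. Then run ./prepare and ./install.sh; if no errors are reported, the setup is done.

In addition to the files Harbor uses, containerd also needs the ca.crt file. Place the files in the /etc/containerd/certs.d/hostname:port directory on every node running containerd. This article puts the three files in /etc/containerd/certs.d/harbor.jdragon.club:11843.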

Run containerd config default > /etc/containerd/config.toml to obtain the default configuration file, then modify it.
vim /etc/containerd/config.toml

## containerd configuration for the private Harbor registry and China-based mirrors
   [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = ""
      [plugins."io.containerd.grpc.v1.cri".registry.auths]
      [plugins."io.containerd.grpc.v1.cri".registry.configs]
        [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.jdragon.club".tls]
          insecure_skip_verify = true
        [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.jdragon.club".auth]
          username = "admin"
          password = "zhjl951753"
      [plugins."io.containerd.grpc.v1.cri".registry.headers]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
            endpoint = ["https://docker.mirrors.ustc.edu.cn","http://hub-mirror.c.163.com"]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."gcr.io"]
            endpoint = ["https://gcr.mirrors.ustc.edu.cn"]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
            endpoint = ["https://gcr.mirrors.ustc.edu.cn/google-containers"]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]
            endpoint = ["https://quay.mirrors.ustc.edu.cn"]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.jdragon.club"]
            endpoint = ["https://harbor.jdragon.club"]
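
The configuration above sets insecure_skip_verify = true, so containerd accepts any certificate the registry presents and the CA generated earlier is never checked. As an added example (not part of the original post), the same registry entry with verification against ca.crt instead; the host key with port 11843 and the ca.crt path are assumptions taken from the certs.d directory and login command used in this article, and the password is a placeholder.

```toml
# Added example, not the original author's configuration.

# Before (from the article): certificate verification is disabled.
#   [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.jdragon.club".tls]
#     insecure_skip_verify = true

# After: verify the Harbor certificate against the private CA.
[plugins."io.containerd.grpc.v1.cri".registry]
  config_path = ""
  [plugins."io.containerd.grpc.v1.cri".registry.configs]
    # Assumption: the key is host:port, matching the certs.d directory name
    # and the address used for nerdctl login in this article.
    [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.jdragon.club:11843".tls]
      # Assumption: ca.crt was copied to this path on every containerd node.
      ca_file = "/etc/containerd/certs.d/harbor.jdragon.club:11843/ca.crt"
      insecure_skip_verify = false
    [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.jdragon.club:11843".auth]
      username = "admin"
      # Placeholder: the credential is stored in plain text here, so keep
      # config.toml readable by root only.
      password = "<harbor-password>"
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.jdragon.club:11843"]
      endpoint = ["https://harbor.jdragon.club:11843"]
```

With verification enabled, an image pull fails with an x509 error if the server certificate does not chain to ca.crt or its subjectAltName does not include the registry hostname.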

Restart containerd
systemctl daemon-reload && systemctl restart containerd.service

Install nerdctl

wget https://github.com/containerd/nerdctl/releases/download/v1.1.0/nerdctl-1.1.0-linux-amd64.tar.gz
tar -zxvf nerdctl-1.1.0-linux-amd64.tar.gz
mv nerdctl /usr/local/bin/

Log in to Harbor with nerdctl
nerdctl login -u admin harbor.jdragon.club:11843

References

Harbor official documentation: HTTPS configuration
