[TOC]

Offline installation

# 1. Install the Docker environment

```
[root@agent_zabbix ~]# uname -a
Linux agent_zabbix 3.10.0-862.11.6.el7.x86_64 #1 SMP Tue Aug 14 21:49:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

# Install docker
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install docker-ce
systemctl start docker
```

# 2. Install docker-compose

```
curl -L https://github.com/docker/compose/releases/download/1.16.1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
[root@agent_zabbix ~]# docker-compose --version
docker-compose version 1.16.1, build 6d1ac21
```

# 3. Download the Harbor installation package

```
wget -P /usr/local/src/ https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.0.tgz
```

# 4. Install Harbor

```
cd /usr/local/src/
tar zxf harbor-offline-installer-v1.7.0.tgz -C /usr/local/
cd /usr/local/harbor/

# Edit the configuration file
vim /usr/local/harbor/harbor.cfg
grep '^[a-zA-Z]' harbor.cfg
hostname = 10.4.0.109  # IP address or FQDN, used to reach the UI
ui_url_protocol = http  # use the http protocol (the default)
email_identity =  # the following 7 entries are email settings; the defaults are fine
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
harbor_admin_password = habor12345  # initial administrator password, used to log in to the Harbor UI
auth_mode = db_auth  # authentication mode; database authentication by default, with the credentials stored in mysql; ldap is also supported, and the next four entries are the ldap settings
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = ou=people,dc=mydomain,dc=com
ldap_uid = uid
ldap_scope = 3
db_password = 1234565  # database password
self_registration = on  # whether self-registration is enabled
use_compressed_js = on  # whether to use compressed js; recommended on for production, can be off for development
max_job_workers = 3  # maximum number of replication workers in the job service, default 3. Each worker consumes network/cpu/io resources, so set this according to the hardware
token_expiration = 30  # token expiry time, default 30 minutes
verify_remote_cert = on  # remote certificate verification, on by default
customize_crt = on  # custom certificate, on by default. When off, another method can be used, see "Customize Key and Certificate of Harbor Token Service": https://github.com/vmware/harbor/blob/master/docs/customize_token_service.md
crt_country = CN  # parameters for the generated crt
crt_state = State
crt_location = CN
crt_organization = organization
crt_organizationalunit = organizational unit
crt_commonname = example.com
crt_email = example@example.com
project_creation_restriction = everyone
ssl_cert = /data/cert/server.crt  # path to server.crt
ssl_cert_key = /data/cert/server.key  # path to server.key

# Run the install script
[root@agent_zabbix harbor]# ./install.sh

# Check the result
[root@agent_zabbix harbor]# docker-compose ps
       Name                     Command               State   Ports
------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver   /harbor/start.sh                 Up
harbor-core          /harbor/start.sh                 Up
harbor-db            /entrypoint.sh postgres          Up      5432/tcp
harbor-jobservice    /harbor/start.sh                 Up
harbor-log           /bin/sh -c /usr/local/bin/ ...   Up      127.0.0.1:1514->10514/tcp
harbor-portal        nginx -g daemon off;             Up      80/tcp
nginx                nginx -g daemon off;             Up      0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis                docker-entrypoint.sh redis ...   Up      6379/tcp
registry             /entrypoint.sh /etc/regist ...   Up      5000/tcp
registryctl          /harbor/start.sh                 Up

[root@agent_zabbix harbor]# docker-compose images
    Container        Repository                    Tag             Image Id       Size
-----------------------------------------------------------------------------------------
harbor-adminserver   goharbor/harbor-adminserver   v1.7.0          9f850341a571   68.6 MB
harbor-core          goharbor/harbor-core          v1.7.0          2ebd58ce5638   90.8 MB
harbor-db            goharbor/harbor-db            v1.7.0          45d94fe5fee5   127 MB
harbor-jobservice    goharbor/harbor-jobservice    v1.7.0          effd390c0cd4   79.9 MB
harbor-log           goharbor/harbor-log           v1.7.0          722fa4a77846   77.3 MB
harbor-portal        goharbor/harbor-portal        v1.7.0          72a291f86bab   38.3 MB
nginx                goharbor/nginx-photon         v1.7.0          6ed96fc73f83   33.8 MB
redis                goharbor/redis-photon         v1.7.0          8adff755797f   91.7 MB
registry             goharbor/registry-photon      v2.6.2-v1.7.0   677f21b09362   82.4 MB
registryctl          goharbor/harbor-registryctl   v1.7.0          1906a8b84fa5   96.6 MB
```

# 5. Manage Harbor

```
# Starting and stopping Harbor
# Start Harbor
docker-compose start
# Stop Harbor
docker-compose stop
# Restart Harbor
docker-compose restart
```

# 6. Test pushing and pulling images

```
### Change the configuration of each docker client
# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.116.135

# or
cat > /etc/docker/daemon.json << EOF
{ "insecure-registries":["192.168.116.135"] }
EOF
# Note: to be verified

# Restart docker
[root@agent_zabbix harbor]# systemctl daemon-reload
[root@agent_zabbix harbor]# systemctl restart docker

# Build an image locally
[root@harbor docker]# cat Dockerfile
FROM centos:centos7.1.1503
ENV TZ "Asia/Shanghai"

docker build -t 192.168.116.135/library/centos7.1:0.1 .
docker login 192.168.116.135
docker push 192.168.116.135/library/centos7.1:0.1

# If the image is not one you built yourself, remember to tag it with docker tag first
docker pull nginx
docker tag nginx:latest 192.168.116.135/library/nginx:latest
docker push 192.168.116.135/library/nginx:latest

### Pull the image
docker pull 192.168.116.135/library/nginx:latest
latest: Pulling from library/nginx
Digest: sha256:e2847e35d4e0e2d459a7696538cbfea42ea2d3b8a1ee8329ba7e68694950afd3
Status: Downloaded newer image for 192.168.116.135/library/nginx:latest

[root@agent_zabbix docker]# docker images
REPOSITORY                          TAG      IMAGE ID       CREATED        SIZE
192.168.116.135/library/centos7.1   0.1      0305745ac730   29 hours ago   212MB
192.168.116.135/library/nginx       latest   7042885a156a   12 days ago    109M
```

# 7. Configure a TLS certificate for Harbor

https://github.com/goharbor/harbor/blob/release-1.7.0/docs/configure_https.md

```
# a. Edit the Harbor configuration file
vim /usr/local/harbor/harbor.cfg
hostname = reg.suixiaofeng.com
ui_url_protocol = https
ssl_cert = /data/cert/reg.suixiaofeng.com.crt
ssl_cert_key = /data/cert/reg.suixiaofeng.com.key

# b. Create the key file for the self-signed certificate
cd /data/cert/
openssl genrsa -out ca.key 4096

# c. Create the crt file for the self-signed certificate
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=TW/ST=Taipei/L=Taipei/O=example/OU=Personal/CN=192.168.116.135" -key ca.key -out ca.crt

# or
# Create your own Private Key:
openssl genrsa -out yourdomain.com.key 4096

# 2) Generate a Certificate Signing Request:
# If you use FQDN like yourdomain.com to connect your registry host, then you must use yourdomain.com as CN (Common Name).
openssl req -sha512 -new \
    -subj "/C=TW/ST=Taipei/L=Taipei/O=example/OU=Personal/CN=yourdomain.com" \
    -key yourdomain.com.key \
    -out yourdomain.com.csr

# 3) Generate the certificate of your registry host:
openssl genrsa -out reg.suixiaofeng.com.key 4096

# Generate the certificate signing request
openssl req -sha512 -new -subj "/C=TW/ST=Taipei/L=Taipei/O=example/OU=Personal/CN=reg.suixiaofeng.com" -key reg.suixiaofeng.com.key -out reg.suixiaofeng.com.csr

# Generate the registry host certificate (FQDN method)
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=reg.suixiaofeng.com
DNS.3=harbor
EOF

openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in reg.suixiaofeng.com.csr -out reg.suixiaofeng.com.crt

# Client certificate
openssl x509 -inform PEM -in reg.suixiaofeng.com.crt -out reg.suixiaofeng.com.cert

# Generate the configuration files for Harbor:
./prepare
docker-compose down -v

# Finally, restart Harbor:
COMPOSE_HTTP_TIMEOUT=200 docker-compose up -d

# Client access:
/etc/docker/certs.d
tree .
├── reg.suixiaofeng.com
│   ├── ca.crt
│   ├── reg.suixiaofeng.com.cert
│   └── reg.suixiaofeng.com.key

# Restart docker
service docker restart

# Client login
docker login -u suixiaofeng -p 'Suixiaofeng123' reg.suixiaofeng.com

# Push an image
docker pull nginx
docker tag nginx:latest reg.suixiaofeng.com/comnon/nginx:latest
docker images
docker push reg.suixiaofeng.com/comnon/nginx:latest
```

Result:

![](https://box.kancloud.cn/a10949e414dc90877ce7c2c245c85ee3_1084x343.png)

# 8. Run garbage collection regularly to free disk space

Deleting a repository takes two steps:

1. Delete it in the UI: deleting in the Harbor UI only marks the repository as deleted; its files remain in Harbor storage.
2. Run garbage collection (GC): before running GC, make sure nobody is pushing images or accessing Harbor. If someone pushes an image during GC, images may be deleted by mistake and end up corrupted. For that reason, stopping Harbor before running GC is recommended.

```
docker-compose stop
docker run -it --name gc --rm --volumes-from registry vmware/registry:2.6.2-photon garbage-collect /etc/registry/config.yml
docker-compose start
```

# Errors and fixes

```
# 1. The following error appeared:
Creating harbor-db
Creating registryctl
Creating registry
Creating redis

ERROR: for harbor-adminserver UnixHTTPConnectionPool(host='localhost', port=None): Read timed out. (read timeout=60)
ERROR: for registryctl UnixHTTPConnectionPool(host='localhost', port=None): Read timed out. (read timeout=60)
ERROR: for redis UnixHTTPConnectionPool(host='localhost', port=None): Read timed out. (read timeout=60)
ERROR: for harbor-db UnixHTTPConnectionPool(host='localhost', port=None): Read timed out. (read timeout=60)
ERROR: for registry UnixHTTPConnectionPool(host='localhost', port=None): Read timed out. (read timeout=60)
ERROR: for postgresql UnixHTTPConnectionPool(host='localhost', port=None): Read timed out. (read timeout=60)
ERROR: for adminserver UnixHTTPConnectionPool(host='localhost', port=None): Read timed out. (read timeout=60)
ERROR: for redis UnixHTTPConnectionPool(host='localhost', port=None): Read timed out. (read timeout=60)
ERROR: for registry UnixHTTPConnectionPool(host='localhost', port=None): Read timed out. (read timeout=60)
ERROR: for registryctl UnixHTTPConnectionPool(host='localhost', port=None): Read timed out. (read timeout=60)
ERROR: An HTTP request took too long to complete. Retry with --verbose to obtain debug information. If you encounter this issue regularly because of slow network conditions, consider setting COMPOSE_HTTP_TIMEOUT to a higher value (current value: 60).

# Set the timeout parameter:
COMPOSE_HTTP_TIMEOUT=200 docker-compose up -d
```
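
The `harbor.cfg` from step 4 serves the registry over plain http, leaves self-registration and project creation open, and sets short passwords. The script below is an added example, not part of Harbor or of the original guide, that flags those values before `install.sh` is run; the function names, the 12-character threshold and the sample file are this example's own assumptions, while `Harbor12345` and `root123` are the defaults shipped in Harbor's `harbor.cfg`.

```bash
# Added example, not Harbor's code. cfg_get FILE KEY prints the value of "KEY = value";
# assumption: a trailing " #note", as in the step 4 listing, is not part of the value.
cfg_get() {
  awk -v key="$2" '{
    eq = index($0, "="); if (eq == 0) next
    k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
    gsub(/^[ \t]+|[ \t]+$/, "", k); if (k != key) next
    sub(/[ \t]+#.*$/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
    print v; exit
  }' "$1"
}

# weak_secret VALUE: true for Harbor's shipped defaults, this guide's values, or
# anything under 12 characters (the threshold is this example's assumption).
weak_secret() {
  case $1 in Harbor12345|root123|habor12345|1234565) return 0 ;; esac
  [ "${#1}" -lt 12 ]
}

# audit_harbor_cfg FILE: one WARN line per finding; returns 1 if there is any.
audit_harbor_cfg() {
  cfg=$1; findings=0
  warn() { findings=$((findings + 1)); echo "WARN $*"; }
  [ "$(cfg_get "$cfg" ui_url_protocol)" = https ] ||
    warn "ui_url_protocol is not https: logins and image layers travel in clear text"
  [ "$(cfg_get "$cfg" self_registration)" = off ] ||
    warn "self_registration is not off: anyone who reaches the UI can create an account"
  [ "$(cfg_get "$cfg" project_creation_restriction)" = adminonly ] ||
    warn "project_creation_restriction is not adminonly: every user can create projects"
  for key in harbor_admin_password db_password; do
    if weak_secret "$(cfg_get "$cfg" "$key")"; then warn "$key is a default or short value"; fi
  done
  [ "$findings" -eq 0 ]
}

# Constructed sample: the audited keys with the values set in step 4 of this guide.
sample_cfg() {
  cat <<'EOF'
ui_url_protocol = http
harbor_admin_password = habor12345
db_password = 1234565
self_registration = on
project_creation_restriction = everyone
EOF
}

tmp=$(mktemp) && sample_cfg > "$tmp"
audit_harbor_cfg "$tmp" || echo "harbor.cfg needs hardening before install.sh is run"
rm -f "$tmp"
```

Run against the step 7 configuration, the `ui_url_protocol` finding disappears; the remaining ones stay until the passwords and registration settings are changed as well.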