ubuntu 14.04/16.04 https形式dockerプライベートライブラリharborのインストール
harborプリコンパイルパッケージをダウンロード0.4.5
ドメイン名reg.server.comを使用してミラーライブラリにアクセスする準備ができているため、/etc/hostsファイルに192.168.10.90 reg.server.com、IPミラーサーバのアドレスを追加する必要があります.
1 CA証明書の生成(内容が乱記できないことに注意)
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crtYou are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:beijing Locality Name (eg, city) []:beijing Organization Name (eg, company) [Internet Widgits Pty Ltd]:reg.server.com Organizational Unit Name (eg, section) []:reg.server.com Common Name (e.g. server FQDN or YOUR name) []:reg.server.com#ここで最も重要なのは、使用するドメイン名Email Address[]:[email protected]
コマンド完了後にca.crt,ca.keyファイルを生成
2それからCA署名を生成して、ファイル名があなたのドメイン名と一致することに注意します
openssl req -newkey rsa:4096 -nodes -sha256 -keyout reg.server.com.key -out reg.server.com.csr入力内容は以下の通りです.
writing new private key to 'reg.server.com.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:beijing Locality Name (eg, city) []:beijing Organization Name (eg, company) [Internet Widgits Pty Ltd]:reg.server.com Organizational Unit Name (eg, section) []:reg.server.com Common Name (e.g.server FQDN or YOUR name)[]:reg.server.com#はドメイン名と一致する必要がありますEmail Address[]:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: #パスワードを空にすると、An optional company name[]:
コマンド完了後に生成
reg.server.com.key reg.server.com.csr
可以查看/etc/ssl/openssl.cnf 配置文件中 ssl 默认的文件夹名称是什么,一般来说,没被改动过的话是demoCA.
3.1 创建文件夹和辅助内容
mkdir demoCA
cd demoCA
touch index.txt
echo '01' > serial
cd ..署名を生成するときにFQDNを使用しているので、次のコマンドが必要です.
echo subjectAltName = IP:192.168.10.90 > extfile.cnfopenssl ca -in reg.server.com.csr -out reg.server.com.crt -cert ca.crt -keyfile ca.key -extfile extfile.cnf -outdir .
3.3
3.2 , 01.pem reg.server.com.crt 。
cat 01.pem >> reg.server.com.crt
cp ca.crt reg.server.com.crt /usr/local/share/ca-certificates/
update-ca-certificates
4 docker( docker, docker, service docker restart
https://docs.docker.com/engine/installation/linux/ubuntulinux/
5 docker compose
https://docs.docker.com/compose/install/
。
docker-compose-Linux-x64 。 chmod +x , docker-compose /usr/local/bin , 。
6 harbor
tar -zxvf harbor-offline-installer-0.4.5.tgz
harbor.cfg
## Configuration file of Harbor
#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = reg.server.com #
#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = https
#Email account settings for sending out password resetting emails.
email_server = smtp.mydomain.com
email_server_port = 25
email_username = [email protected]
email_password = abc
email_from = admin <[email protected]>
email_ssl = false
##The initial password of Harbor admin, only works for the first time when Harbor starts.
#It has no effect after the first launch of Harbor.
#Change the admin password from UI after launching Harbor.
harbor_admin_password = Harbor12345 #
##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
auth_mode = db_auth
#The url for an ldap endpoint.
ldap_url = ldaps://ldap.mydomain.com
#A user's DN who has the permission to search the LDAP/AD server.
#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
#the password of the ldap_searchdn
#ldap_search_pwd = password
#The base DN from which to look up a user in LDAP/AD
ldap_basedn = ou=people,dc=mydomain,dc=com
#Search filter for LDAP/AD, make sure the syntax of the filter is correct.
#ldap_filter = (objectClass=person)
# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD
ldap_uid = uid
#the scope to search for users, 1-LDAP_SCOPE_BASE, 2-LDAP_SCOPE_ONELEVEL, 3-LDAP_SCOPE_SUBTREE
ldap_scope = 3
#The password for the root user of mysql db, change this before any production use.
db_password = root123
#Turn on or off the self-registration feature
self_registration = on
#Determine whether the UI should use compressed js files.
#For production, set it to on. For development, set it to off.
use_compressed_js = on
#Maximum number of job workers in job service
max_job_workers = 3
#The expiration time (in minute) of token created by token service, default is 30 minutes
token_expiration = 30
#Determine whether the job service should verify the ssl cert when it connects to a remote registry.
#Set this flag to off when the remote registry uses a self-signed or untrusted certificate.
verify_remote_cert = on
#Determine whether or not to generate certificate for the registry's token.
#If the value is on, the prepare script creates new root cert and private key
#for generating token to access the registry. If the value is off, a key/certificate must
#be supplied for token generation.
customize_crt = on
#Information of your organization for certificate
crt_country = CN
crt_state = State
crt_location = CN
crt_organization = organization
crt_organizationalunit = organizational unit
crt_commonname = example.com
crt_email = [email protected]
#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /etc/nginx/cert/reg.server.com.crt # ,
ssl_cert_key = /etc/nginx/cert/reg.server.com.key # ,
prepare ( ubuntu 16 )
vim /root/harbor/prepare 46 python 3.5, ubuntu 16 python 3.5
os.makedirs(path, mode=0600) os.makedirs(path, mode=0o600) 。
nginx
mv /root/harbor/common/config/nginx/nginx.conf /root/harbor/common/config/nginx/nginx.conf.bak
https /root/harbor/common/config/nginx/
cp /root/harbor/common/templates/nginx/nginx.https.conf /root/harbor/common/config/nginx/nginx.conf
cp reg.server.com.crt reg.server.com.key /etc/nginx/cert/ ( , )
cp reg.server.com.crt reg.server.com.key /root/harbor/common/config/nginx/cert/
harbore
cd /root/harbor
./install.sh
docker ps , 6
docker login reg.server.com ( , )
x509: certificate signed by unknown authority
, ca.crt ,
cp ca.crt /usr/local/share/ca-certificates/
update-ca-certificates
https://github.com/vmware/harbor/blob/master/docs/configure_https.md
https://mritd.me/2016/09/15/Harbor-%E4%BC%81%E4%B8%9A%E7%BA%A7-Docker-Registry-%E7%AC%AC%E4%BA%8C%E5%BC%B9/