Docker pushes images to and pulls images from a registry over HTTPS by default, so an SSL certificate has to be configured or the registry cannot be accessed. There are two ways to deal with this:
Edit the Docker configuration file and add the registry to "insecure-registries", which disables certificate verification.
Configure an SSL certificate so that Harbor is served over HTTPS.
Comparison:
- Disabling certificate verification means no encryption and no HTTPS. The problem is that it is insecure: the traffic is exposed to data tampering and hijacking. In addition, changing the insecure-registries parameter requires restarting the Docker service, which interrupts the container workloads running on that host, and Docker has to be restarted every time a registry IP changes, a registry is added or a network segment is modified.
- Configuring an SSL certificate encrypts the traffic and protects the data. The official recommendation is to run Harbor over HTTPS, so below we describe how to configure Harbor with an SSL certificate.
Certificate types
SSL certificates fall into two kinds: self-signed certificates and public certificates.
A self-signed certificate is one signed by a CA you set up yourself. It still provides encryption, but it is generally only used internally. A public certificate is signed by a trusted certificate provider; because the trusted root CA stores built into all of our systems and browsers already contain the public providers' CA certificates, a public certificate can be used directly, whereas an internal certificate only works after the self-signed CA root certificate has been imported. In short, a public certificate is more convenient and is usually issued for a domain name. A private certificate is for internal use and generally requires importing the self-signed CA certificate, or pre-provisioning it; its advantage is that you sign it yourself and need no third-party certificate vendor. For convenience we use a free public CA certificate, issued for a domain name, so that one configuration can be reused in many places.
Applying for a public SSL certificate
- There are many public SSL certificate providers, such as Symantec, GeoTrust, WoSign and so on. Free single-domain SSL certificates are also widely available, for example from GeoTrust, Let's Encrypt and FreeSSL, and third-party platforms generally offer certificate applications for each vendor. Below we use Alibaba Cloud's SSL certificate service to apply for a free certificate.
- In the Alibaba Cloud certificate service, go to purchase certificate and choose the free certificate.
- Click apply, enter the domain name, contact details and so on, then follow the prompts to complete the DNS configuration and domain validation.
- Find the issued certificate and click download.
Because a public SSL certificate is valid for only one year at a time, the following method can also be used whenever the certificate is replaced:
1. Edit the Harbor configuration file
# cd /opt/app/harbor
# ls
common common.sh docker-compose.yml harbor.v2.0.0.tar.gz harbor.yml harbor.yml.tmpl install.sh LICENSE prepare ssl
Edit Harbor's HTTPS settings and point them at the SSL certificate and private key:
# vim harbor.yml
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  # certificate: /your/certificate/path
  # private_key: /your/private/key/path
  certificate: /opt/app/harbor/ssl/peogoo.com.pem
  private_key: /opt/app/harbor/ssl/peogoo.com.key
2. After editing harbor.yml, run Harbor's prepare script to regenerate the generated configuration
# cd /opt/app/harbor
# ls
common common.sh docker-compose.yml harbor.v2.0.0.tar.gz harbor.yml harbor.yml.tmpl install.sh LICENSE prepare ssl
# ./prepare
prepare base dir is set to /opt/app/harbor
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/passwd
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
3. Stop and start Harbor again
# cd /opt/app/harbor
# docker-compose down
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-core ... done
Stopping harbor-db ... done
Stopping redis ... done
Stopping harbor-portal ... done
Stopping registryctl ... done
Stopping registry ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-core ... done
Removing harbor-db ... done
Removing redis ... done
Removing harbor-portal ... done
Removing registryctl ... done
Removing registry ... done
Removing harbor-log ... done
Removing network harbor_harbor
# docker-compose start
Starting log ... done
Starting postgresql ... done
Starting redis ... done
Starting portal ... done
Starting registry ... done
Starting core ... done
Starting jobservice ... done
Starting proxy ... done
Starting registryctl ... done
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2d680a4205f1 goharbor/nginx-photon:v2.0.0 "nginx -g 'daemon of..." 5 months ago Up 27 seconds (health: starting) 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp nginx
65c3dc2e985a goharbor/harbor-jobservice:v2.0.0 "/harbor/entrypoint...." 5 months ago Up 27 seconds (health: starting) harbor-jobservice
6c5eebed24f9 goharbor/harbor-core:v2.0.0 "/harbor/entrypoint...." 5 months ago Up 27 seconds (health: starting) harbor-core
2b6477408c44 goharbor/harbor-db:v2.0.0 "/docker-entrypoint...." 5 months ago Up 28 seconds (health: starting) 5432/tcp harbor-db
ebb763bea740 goharbor/redis-photon:v2.0.0 "redis-server /etc/r..." 5 months ago Up 28 seconds (health: starting) 6379/tcp redis
3c68c72a79c0 goharbor/harbor-portal:v2.0.0 "nginx -g 'daemon of..." 5 months ago Up 29 seconds (health: starting) 8080/tcp harbor-portal
2aa053eaa705 goharbor/harbor-registryctl:v2.0.0 "/home/harbor/start...." 5 months ago Up 29 seconds (health: starting) registryctl
c3a6086e810e goharbor/registry-photon:v2.0.0 "/home/harbor/entryp..." 5 months ago Up 28 seconds (health: starting) 5000/tcp registry
dec4b5284ff8 goharbor/harbor-log:v2.0.0 "/bin/sh -c /usr/loc..." 5 months ago Up 30 seconds (health: starting) 127.0.0.1:1514->10514/tcp harbor-log
4. Log in to Harbor again
# docker login harbor.peogoo.com
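The script below is an added example written for this page; it is not part of the original post or of the Harbor project. It ties the two halves of the article together: it checks whether the Docker daemon still lists the registry under the "insecure-registries" setting that the first option relies on (which should be removed once a valid certificate is in place), runs the checks a practitioner wants before pointing harbor.yml at a new certificate (the key matches the certificate, the subjectAltName covers the Harbor hostname, and enough validity remains, which matters given the one-year lifetime noted above), and then performs the prepare and restart steps. The Harbor directory, hostname and certificate paths are the post's own values used as placeholders; the function names and the /etc/docker/daemon.json path are my assumptions. One deliberate difference from the transcript above: after docker-compose down the script runs docker-compose up -d, because down removes the containers and docker-compose start only starts containers that already exist.

```shell
#!/bin/sh
# Added example (not from the original post or the Harbor project): pre-flight
# checks for a Harbor certificate rotation, followed by the prepare/restart steps.
# Assumptions: Harbor lives in /opt/app/harbor; hostname, certificate and key
# paths are the post's placeholders and can be overridden via the environment.
set -eu

HARBOR_HOME="${HARBOR_HOME:-/opt/app/harbor}"
HARBOR_HOST="${HARBOR_HOST:-harbor.peogoo.com}"
CERT="${CERT:-$HARBOR_HOME/ssl/peogoo.com.pem}"
KEY="${KEY:-$HARBOR_HOME/ssl/peogoo.com.key}"

# re_escape STRING: escape the dots of a hostname for use in a regular expression.
re_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# insecure_registry_configured HOST [DAEMON_JSON]: succeeds when HOST is listed
# under "insecure-registries" in the Docker daemon config (the weak setting).
insecure_registry_configured() {
    cfg="${2:-/etc/docker/daemon.json}"
    host_re=$(re_escape "$1")
    [ -r "$cfg" ] && tr -d '[:space:]' < "$cfg" \
        | grep -q "\"insecure-registries\":\[[^]]*\"${host_re}\""
}

# cert_key_match CERT KEY: succeeds when the certificate's public key is the
# public half of KEY (nginx refuses to start on a mismatched pair).
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS: succeeds when CERT is still valid DAYS from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_has_san CERT HOST: succeeds when HOST, or a wildcard for its parent
# domain, appears as a DNS entry in the certificate's subjectAltName. Docker
# validates the name against the SAN, so a certificate for the wrong name
# breaks `docker login` even though it is otherwise valid.
cert_has_san() {
    host_re=$(re_escape "$2")
    parent_re=$(re_escape "${2#*.}")
    san_line=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1)
    printf '%s\n' "$san_line" \
        | grep -qE "(^|[[:space:],])DNS:(${host_re}|\\*\\.${parent_re})(,|$)"
}

# preflight: everything that must hold before harbor.yml points at the new files.
preflight() {
    cert_key_match "$CERT" "$KEY"       || { echo "certificate and key do not match" >&2; return 1; }
    cert_has_san "$CERT" "$HARBOR_HOST" || { echo "certificate does not cover $HARBOR_HOST" >&2; return 1; }
    cert_valid_for_days "$CERT" 30      || { echo "certificate expires within 30 days" >&2; return 1; }
    if insecure_registry_configured "$HARBOR_HOST"; then
        echo "warning: $HARBOR_HOST is still listed in insecure-registries" >&2
    fi
    echo "preflight OK: $CERT covers $HARBOR_HOST and is valid for at least 30 days"
}

# rotate: the post's steps 2 and 3, run only after preflight passes.
rotate() {
    preflight
    cd "$HARBOR_HOME"
    ./prepare               # regenerate nginx config with the new certificate paths
    docker-compose down     # removes the containers and the harbor network...
    docker-compose up -d    # ...so recreate them (`start` only starts existing ones)
}

# verify_live: show the subject and validity dates of the certificate that
# clients actually receive from the restarted Harbor.
verify_live() {
    openssl s_client -connect "$HARBOR_HOST:443" -servername "$HARBOR_HOST" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

case "${1:-}" in
    preflight) preflight ;;
    rotate)    rotate ;;
    verify)    verify_live ;;
    "")        ;;   # no argument: only define the functions (e.g. when sourced)
    *)         echo "usage: $0 preflight|rotate|verify" >&2; exit 2 ;;
esac
```

Run it as `sh harbor-cert-rotate.sh preflight` with CERT and KEY pointing at the downloaded files before touching harbor.yml, then `rotate`, and finally `verify` to confirm that the dates printed are those of the new certificate and not the old one still served from a stale nginx config.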