基础环境
ubuntu server18
域名配置
sudo vi /etc/hosts
www.node23.com 192.168.43.23
docker安装
一键安装
curl -sSL https://get.daocloud.io/docker | sh
配置docker
vi /etc/docker/daemon.json
{
"registry-mirrors": [
"https://squpqgby.mirror.aliyuncs.com"
],
"insecure-registries" : ["www.node23.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2"
}
重启:
systemctl daemon-reload
service docker restart
docker-compose安装
sudo curl -L https://github.com/docker/compose/releases/download/1.20.1/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
Harbor安装
下载:
wget http://kubernetes.cvimer.com/harbor-offline-installer-v1.10.3.tgz
解压:
tar xf harbor-offline-installer-v1.10.3.tgz
cd harbor
#将镜像加载到docker中
docker load -i harbor.v1.10.3.tar.gz
harbor配置
vi harbor.yml,大致更改点参考如下,https先关闭
hostname: www.node23.com
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80
# https related config
#https:
# https port for harbor, default is 443
# port: 443
# The path of cert and key files for nginx
#certificate: /your/certificate/path
# private_key: /your/private/key/path
harbor_admin_password: nufront
# Harbor DB configuration
database:
# The password for the root user of Harbor DB. Change this before any production use.
password: root123
# The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
max_idle_conns: 50
# The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
# Note: the default number of connections is 100 for postgres.
max_open_conns: 100
# The default data volume
data_volume: /data/harbor
初始登录账号/密码:admin/root123
harbor启动/停止
运行prepare脚本
Harbor将nginx实例用作所有服务的反向代理。您可以使用prepare脚本来配置nginx为使用HTTP和HTTPS
./prepare
利用docker-compose启动和停止Harbor
#启动
sudo docker-compose up -d
#关闭
sudo docker-compose down
#强制清理
docker system prune -a -f
#查看
sudo docker-compose ps
Harbor访问、登录和使用
修改daemon.json,默认http私有仓库不能访问,设置后才可以。修改cgroupdriver是为了消除安装k8s集群时的告警。
vim /etc/docker/daemon.json
{
"registry-mirrors": [
"https://squpqgby.mirror.aliyuncs.com"
],
"insecure-registries" : ["www.node23.com"],
"exec-opts": ["native.cgroupdriver=systemd"]
}
# 重启Docker进程
sudo systemctl daemon-reload
sudo service docker restart
# 重启Harbor
sudo docker-compose up -d
#查看cgroup状态
docker info | grep Cgroup
从Docker客户端登录Harbor,确保所有需要使用harbor的节点都能正常登录
docker login www.node23.com
注:实际登录过程中出现
Error saving credentials: error storing credentials - err: exit status 1, out: `Failed to execute child process “dbus-launch” (No such file or directory)`
解决参考:authentication - Cannot login to Docker account - Stack Overflow
sudo apt-get update
sudo apt-get install gnupg2 pass
web管理界面访问:http://www.node23.com/
上传镜像
将需要push到远程仓库的镜像进行版本标记
docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
如
在项目中标记镜像
docker tag SOURCE_IMAGE[:TAG] www.node23.com/library/IMAGE[:TAG]
sudo docker tag hello-world www.node23.com/library/hello-world:1.0.0
推送镜像到当前项目或公开library:
docker push www.node23.com/library/IMAGE[:TAG]
docker push www.node23.com/library/hello-world:1.0.0
拉取镜像
docker pull www.node23.com/boss/hello-world:1.0.0
生产环境中使用
生成Ca证书
cd /home/kangming/cert/
#生成CA证书私钥
openssl genrsa -out ca.key 4096
#生成CA证书
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=GaungZhou/L=GaungZhou/O=www.node23.com/OU=Personal/CN=www.node23.com" \
-key ca.key \
-out ca.crt
生成服务器证书
证书通常包含一个.crt文件和一个.key文件
生成私钥
openssl genrsa -out www.node23.com.key 4096
生成证书签名请求(CSR)
openssl req -sha512 -new \
-subj "/C=CN/ST=GaungZhou/L=GaungZhou/O=www.node23.com/OU=Personal/CN=www.node23.comm" \
-key www.node23.com.key \
-out www.node23.com.csr
生成一个x509 v3扩展文件
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=www.node23.com
DNS.2=*.node*.com
DNS.3=www.test.com
IP.1=192.168.43.23
EOF
使用该v3.ext文件为您的Harbor主机生成证书
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in www.node23.com.csr \
-out www.node23.com.crt
向Harbor和Docker提供证书
sudo mkdir -p /data/cert
sudo cp www.node23.com.crt /data/cert/
sudo cp www.node23.com.key /data/cert/
转换www.node23.com.crt为www.node23.com.cert,供Docker使用
openssl x509 -inform PEM -in www.node23.com.crt -out www.node23.com.cert
-
将服务器证书,密钥和CA文件复制到Harbor主机上的Docker证书文件夹中。必须首先创建适当的文件夹
sudo mkdir -p /etc/docker/certs.d/www.node23.com:443/
sudo cp www.node23.com.cert /etc/docker/certs.d/www.node23.com:443/
sudo cp www.node23.com.key /etc/docker/certs.d/www.node23.com:443/
sudo cp ca.crt /etc/docker/certs.d/www.node23.com:443/ -
重新启动Docker Engine
sudo systemctl restart docker
修改Harbor配置
开启https
cd /home/kangming/harbor/
vim harbor.yml
https:
port: 443
certificate: /etc/docker/certs.d/www.node23.com:443/www.node23.com.cert
private_key: /etc/docker/certs.d/www.node23.com:443/www.node23.com.key
启动harbor
./prepare
#启动
sudo docker-compose up -d
#关闭
sudo docker-compose down
#查看
sudo docker-compose ps
从Docker客户端登录Harbor
cd /home/kangming/cert/
sudo cp ca.crt /usr/local/share/ca-certificates/ca.crt
sudo chmod 644 /usr/local/share/ca-certificates/ca.crt && sudo update-ca-certificates
# 重启Docker进程
sudo systemctl restart docker
cd /home/kangming/harbor/
sudo docker-compose down
sudo docker-compose up -d
登录Harbor
docker login www.node23.com:443
web登录:https://www.node23.com/
另外,将ca.crt证书安装到受信任的根证书机构即可让浏览器承认,显示绿色小箭头。