二进制基于kubeasz部署 K8s 1.34.x 高可用集群实战指南-第三章:Harbor 私有镜像仓库部署(3-4)

第三章:Harbor 私有镜像仓库部署 (主节点 104)
目标:在 104 节点部署 Harbor 主仓库,为集群提供镜像存储服务。
3.1 部署 Harbor 主节点 (192.168.44.104)
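# 1. Log in to the harbor1 node; every command below runs inside this session.
ssh root@192.168.44.104
# 2. Map the Harbor hostname. Skip the append when the entry already exists so that
#    re-running this section does not leave duplicate lines in /etc/hosts.
grep -qF 'harbor.myarchitect.online' /etc/hosts || cat >> /etc/hosts << EOF
192.168.44.104 harbor.myarchitect.online
EOF
# 3. Certificate directory (abort rather than generate keys in the wrong place)
mkdir -p /apps/harbor/certs
cd /apps/harbor/certs || exit 1
# 4. Self-signed CA plus a server certificate issued by it.
# CA private key — restrict it to root right away; openssl writes it with the default umask
openssl genrsa -out ca.key 4096
chmod 600 ca.key
# CA certificate (10 years)
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Harbor/CN=HarborCA" \
  -key ca.key -out ca.crt
# Server private key, same permission treatment
openssl genrsa -out harbor.myarchitect.online.key 4096
chmod 600 harbor.myarchitect.online.key
# Certificate signing request; the CN must equal the hostname set in harbor.yml
openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Harbor/CN=harbor.myarchitect.online" \
  -key harbor.myarchitect.online.key \
  -out harbor.myarchitect.online.csr
# x509v3 extensions: end-entity cert (CA:FALSE), TLS server usage, and a SAN that
# lists every name clients will connect with (DNS name and the bare IP)
cat > v3.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=IP:192.168.44.104,DNS:harbor.myarchitect.online
EOF
# Sign the CSR with the CA (-CAcreateserial writes ca.srl next to the CA)
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in harbor.myarchitect.online.csr \
  -out harbor.myarchitect.online.crt
# Confirm the SAN actually made it into the issued certificate before going further
openssl x509 -in harbor.myarchitect.online.crt -noout -text | grep -A1 'Subject Alternative Name'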
注意:安装 Harbor 之前需要先安装 Docker(这里使用离线二进制安装包):
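# Docker must be present before Harbor's installer runs; the offline bundle carries its
# own install script. Both tarballs are expected in the current directory (see the
# "离线文件准备" list at the end of the page).
tar -zxvf runtime-docker_24.0.9-containerd_1.7.20-binary-install.tar.gz
./runtime-install.sh docker
# 5. Unpack Harbor
mkdir -p /apps && cd /apps || exit 1
# NOTE(review): the installer is executed as root — verify the release's published
# signature/checksum for this tarball before unpacking it.
tar xvf harbor-offline-installer-v2.14.1.tgz
cd harbor || exit 1
# Start from the shipped template, but never clobber an already edited harbor.yml
[[ -e harbor.yml ]] || cp harbor.yml.tmpl harbor.yml
# 6. Edit the configuration (values listed in 3.1.1)
vim harbor.yml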
3.1.1 harbor.yml 配置内容
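# Hostname clients use to reach Harbor; must match the certificate CN/SAN from 3.1
hostname: harbor.myarchitect.online
# HTTP listener
http:
  port: 80
# HTTPS listener, using the certificate issued in 3.1
https:
  port: 443
  certificate: /apps/harbor/certs/harbor.myarchitect.online.crt
  private_key: /apps/harbor/certs/harbor.myarchitect.online.key
# Initial admin password. Harbor12345 is Harbor's documented default — set your own
# before the first install.sh run; Harbor only applies this value on the first start.
harbor_admin_password: Harbor12345
# Password for the bundled PostgreSQL; root123 is the template default — change it too
database:
  password: root123
# Root of all persistent state (registry blobs, database, redis); include it in backups
data_volume: /data/harbor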
3.1.2 安装 Harbor
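# Run the installer; --with-trivy adds the image vulnerability scanner
./install.sh --with-trivy
# Verify: every Harbor container should be Up (image names carry the goharbor/ prefix)
docker ps --format '{{.Image}}\t{{.Status}}' | grep goharbor
# Sample output (one line per component; tags should match the installer release):
# goharbor/nginx-photon:v2.14.0
# goharbor/harbor-core:v2.14.0
# goharbor/registry-photon:v2.14.0
# ...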
3.2 创建项目并准备镜像
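# 1. Create the baseimages project through the API.
#    --cacert verifies the server against our own CA instead of -k (which skips the
#    check entirely); giving -u only the user name makes curl prompt for the password,
#    keeping it out of shell history and `ps` output.
#    "public": true lets cluster nodes pull without credentials — use it only for
#    images that may be read by anyone who can reach the registry.
curl --cacert /apps/harbor/certs/ca.crt -u admin -sS -X POST \
  "https://harbor.myarchitect.online/api/v2.0/projects" \
  -H "Content-Type: application/json" \
  -d '{"project_name": "baseimages", "public": true}'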
----------------------------------------------------------------
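# Configure Docker to trust the self-signed CA (recommended).
# Docker treats every *.crt in this per-registry directory as a trusted CA.
mkdir -p /etc/docker/certs.d/harbor.myarchitect.online
# 2. Install the CA certificate only (absolute path: the current directory is not
#    the certs directory at this point). The server certificate/key pair does not
#    belong here — *.cert/*.key in certs.d are presented as a *client* certificate,
#    which Harbor never requests, and copying them leaves the server's private key
#    under /etc/docker.
cp /apps/harbor/certs/ca.crt /etc/docker/certs.d/harbor.myarchitect.online/
# 3. insecure-registries. With the CA installed this entry is redundant: it tells
#    Docker to tolerate a failed certificate check (and fall back to plain HTTP) for
#    this host, so drop it once pulls work. `cat >` replaces daemon.json outright —
#    keep a copy of any existing configuration first.
if [[ -e /etc/docker/daemon.json ]]; then
  cp -a /etc/docker/daemon.json /etc/docker/daemon.json.bak
fi
cat > /etc/docker/daemon.json << EOF
{
"insecure-registries": ["harbor.myarchitect.online"]
}
EOF
# 4. Restart Docker so the CA directory and daemon.json are both picked up
systemctl restart docker
# Harbor's install.sh needs Compose. The apt package ships the standalone v1
# `docker-compose` binary; the `docker compose` v2 plugin is a separate package,
# so accept either one here.
apt update && apt install -y docker-compose
docker compose version 2>/dev/null || docker-compose version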
docker-compose 安装完成后,再重启 Harbor 即可恢复正常:
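# Restart Harbor from its install directory. Chain with && so a failed cd never runs
# compose against whatever the current directory happens to contain.
cd /apps/harbor && docker compose down && docker compose up -d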
---------------------------------------------------------------
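# 2. Pull the pause image and push it into the baseimages project
docker pull registry.aliyuncs.com/google_containers/pause:3.10
docker tag registry.aliyuncs.com/google_containers/pause:3.10 \
  harbor.myarchitect.online/baseimages/pause:3.10
# Read the password from the terminal and hand it over on stdin: `-p` would record it
# in shell history and expose it in `ps` output to every user on the host
read -rsp 'Harbor admin password: ' harbor_pass; echo
printf '%s' "$harbor_pass" | docker login harbor.myarchitect.online -u admin --password-stdin
unset harbor_pass
docker push harbor.myarchitect.online/baseimages/pause:3.10
# 3. Test image
docker pull registry.cn-hangzhou.aliyuncs.com/myhubregistry/rockylinux:9.3.20231119
docker tag registry.cn-hangzhou.aliyuncs.com/myhubregistry/rockylinux:9.3.20231119 \
  harbor.myarchitect.online/baseimages/rockylinux:9.3.20231119
docker push harbor.myarchitect.online/baseimages/rockylinux:9.3.20231119
# docker login keeps the credential base64-encoded (not encrypted) in ~/.docker/config.json
# unless a credential helper is configured — log out once the pushes are done
docker logout harbor.myarchitect.online
# 4. List the pushed repositories (CA-verified; curl prompts for the password)
curl --cacert /apps/harbor/certs/ca.crt -u admin -sS \
  "https://harbor.myarchitect.online/api/v2.0/projects/baseimages/repositories"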
3.3 分发 Harbor CA 证书到所有节点
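# On node 104 the CA lives in the certs directory
cd /apps/harbor/certs || exit 1
# Copy the CA to every node and register it with the system trust store
# (update-ca-certificates is the Debian/Ubuntu tool). A node that fails is reported
# on stderr instead of being silently skipped.
nodes=(101 102 103 105 106 107 108 109 110 111 112 113 160)
for ip in "${nodes[@]}"; do
  host="192.168.44.${ip}"
  if scp ca.crt "root@${host}:/usr/local/share/ca-certificates/harbor-ca.crt" \
     && ssh "root@${host}" "update-ca-certificates"; then
    echo "=== 192.168.44.$ip 证书已安装 ==="
  else
    printf '=== %s: CA certificate install FAILED ===\n' "$host" >&2
  fi
done
# NOTE(review): container runtimes load the system CA pool at start-up, so docker /
# containerd on each node may need a restart before pulls from Harbor verify — confirm
# on one node. Each node must also resolve harbor.myarchitect.online (DNS or
# /etc/hosts); section 3.4 only adds that hosts entry on 160.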
3.4 验证 Harbor 可用性
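# Test from the deploy node (160)
ssh root@192.168.44.160
# Name resolution for Harbor; skip when the entry is already there to avoid duplicates
grep -qF 'harbor.myarchitect.online' /etc/hosts || echo "192.168.44.104 harbor.myarchitect.online" >> /etc/hosts
# Docker login — password read from the terminal instead of being passed with -p,
# which would land in shell history and `ps` output
read -rsp 'Harbor admin password: ' harbor_pass; echo
printf '%s' "$harbor_pass" | docker login harbor.myarchitect.online -u admin --password-stdin
unset harbor_pass
# Pull through Harbor: exercises name resolution, the distributed CA and the registry
docker pull harbor.myarchitect.online/baseimages/pause:3.10
# Success check
docker images | grep pause
# Drop the stored credential again once the test passes
docker logout harbor.myarchitect.online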
附:常见问题与技巧
问题处理1:
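# One-shot fix: disable docker-proxy + drop the compose logging stanzas + start Harbor.
# `cat >` replaces daemon.json entirely, so save whatever is there first. Note that
# insecure-registries is redundant once the CA is trusted via /etc/docker/certs.d
# (it only relaxes certificate checking for this host).
if [[ -e /etc/docker/daemon.json ]]; then
  cp -a /etc/docker/daemon.json /etc/docker/daemon.json.bak
fi
cat > /etc/docker/daemon.json <<'EOF'
{"insecure-registries":["harbor.myarchitect.online"],"userland-proxy":false}
EOF
# daemon-reload only re-reads systemd unit files; it is harmless here, but it is the
# restart below that makes dockerd re-read daemon.json
systemctl daemon-reload
systemctl restart docker
cd /apps/harbor || exit 1
# Delete the logging: ... tag: blocks. The leading whitespace in the pattern has to match
# the file's indentation exactly (check with `grep -n logging: docker-compose.yml`);
# -i.bak keeps the untouched file. Harbor's prepare step (run by install.sh)
# regenerates docker-compose.yml, so this edit must be re-applied after it.
sed -i.bak '/^ logging:/,/^ tag:/d' docker-compose.yml
# -v also removes named volumes declared in the compose file. Harbor's state is expected
# under the data_volume bind mounts, but confirm with `docker volume ls` before relying
# on that.
docker-compose down -v
docker-compose up -d
# Check the result
docker-compose ps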
简易重启指令技巧:
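# Confirm a Compose binary is available (v2 plugin or standalone v1)
docker compose version 2>/dev/null || docker-compose version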
确认 docker-compose 可用后,再重启 Harbor 即可恢复正常:
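# Restart Harbor from its install directory; && stops the sequence if the cd fails so
# compose is never run against an unrelated directory
cd /apps/harbor && docker-compose down && docker-compose up -d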
离线文件准备:
runtime-docker_24.0.9-containerd_1.7.20-binary-install.tar.gz,
harbor-offline-installer-v2.14.1.tgz
以上两个离线安装包需要自行提前下载。