Setting up a Harbor private image registry with HTTPS

Environment: CentOS 7.3
Docker 17.03

References:
https://www.jianshu.com/p/9cf7ab8cec41
http://www.mamicode.com/info-detail-1855980.html


##################################################
                                      server-side configuration
##################################################

1. Install dependencies

$ yum install ebtables ethtool iproute iptables socat util-linux wget vim openssl-devel -y

2. Install Docker 17

$ wget -O - https://raw.githubusercontent.com/cherryleo/scripts/master/centos7-install-docker.sh |  sh

3. Install docker-compose

$ yum install epel-release -y
$ yum install python-pip -y
$ pip install --upgrade pip
$ pip install docker-compose


4. Create the certificate directory

$ mkdir -p /data/cert
$ cd /data/cert/


5. Create the CA certificate

$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt

Generating a 4096 bit RSA private key
..........................................++
........++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:Sunline
Organizational Unit Name (eg, section) []:HaiTeng
Common Name (eg, your name or your server's hostname) []:Harbor     
Email Address []:[email protected]


6. Generate the certificate signing request

$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout sunline.com.key -out sunline.com.csr

Generating a 4096 bit RSA private key
....++
...................................................................................++
writing new private key to 'sunline.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:Sunline
Organizational Unit Name (eg, section) []:HaiTeng
Common Name (eg, your name or your server's hostname) []:Harbor
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


7. Generate the registry host's certificate

$ openssl x509 -req -days 365 -in sunline.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out sunline.com.crt

Signature ok
subject=/C=CN/ST=GuangDong/L=ShenZhen/O=Sunline/OU=HaiTeng/CN=Harbor/[email protected]
Getting CA Private Key

If you connect to the registry host by IP address, for example 10.22.60.169 (this machine's IP address), you can run the following commands instead, which put the IP into the certificate's subjectAltName:

$ echo subjectAltName = IP:10.22.60.169 > extfile.cnf
$ openssl x509 -req -days 365 -in sunline.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out sunline.com.crt

8. Upload and extract the Harbor offline package

$ tar xvf harbor-offline-installer-v1.5.0.tgz
$ cd harbor

9. Edit the configuration file

$ vim harbor.cfg

hostname = 10.22.60.169
ui_url_protocol = https
ssl_cert = /data/cert/sunline.com.crt
ssl_cert_key = /data/cert/sunline.com.key
secretkey_path = /data


10. Install Harbor

$ ./install.sh

11. Web access

The default account and password are: admin/Harbor12345

https://10.22.60.167


12. Go to the CA trust directory and copy the CA certificate into it

$ cd /etc/pki/ca-trust/source/anchors/        # copy the CA certificate so this host can reach and log in to the registry
$ cp /data/cert/ca.crt .

13. Update the trust store and restart the service

$ update-ca-trust
$ systemctl  restart docker

 

#######################################   client configuration   #######################################

1. Copy the CA certificate so Docker can pull images from the Harbor registry

$ cd /etc/pki/ca-trust/source/anchors/
$ scp 10.22.60.169:/data/cert/ca.crt .

2. Update the trust store and restart Docker

$ update-ca-trust
$ systemctl  restart docker

3. Login test

$ docker login -u admin -p Harbor12345 10.22.60.169
Login Succeeded


Error encountered:
Error response from daemon: Get https://10.22.60.169/v1/users/: x509: certificate has expired or is not yet valid

Fix: synchronize the system time (the certificate's validity window is checked against the client's clock).