Harbor: configuring HTTPS access

Contents
Harbor: configuring HTTPS access
Start on boot
Primary/standby Harbor deployment (Harbor replication)

Note: newer Docker releases use HTTPS by default when docker login talks to a registry, so Harbor needs a certificate that matches the name the client uses. This post reaches Harbor through a domain name rather than a bare IP: the certificate generated below carries only DNS SANs, and logging in by IP then fails with the "doesn't contain any IP SANs" error shown in section 8. The examples use docker-ce-19.03.

Assume the Harbor server's hostname is harbor.hzsun.com and its IP address is 172.16.7.198.

1. Host configuration

Because this hostname is fictitious, add it to the hosts file on the Harbor host and on every client that will access Harbor:

echo '172.16.7.198 harbor.hzsun.com' >> /etc/hosts

2. Upload and extract the Harbor installer and edit the Harbor configuration file

cd /opt/
tar -zxvf harbor.v2.1.2.tar.gz
cd harbor
cp harbor.yml.tmpl harbor.yml
vim harbor.yml

Replace yourdomain.com with the domain name, IP, or IP:port that clients will actually use; the certificate generated in step 3 must be issued for exactly this hostname value.

hostname: harbor.hzsun.com
# http related config
#http:
#  # port for http, default is 80. If https enabled, this port will redirect to https port
#  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/harbor.hzsun.com.crt
  private_key: /data/cert/harbor.hzsun.com.key

3. One-shot script to create a self-signed certificate

#!/bin/bash
set -e

# Work in the directory harbor.yml points at, so the certificate paths above need no change
mkdir -p /data/cert
cd /data/cert

# Private CA. The post gives the CA the same subject as the server certificate;
# a distinct CN for the CA (for example CN=Harbor Root CA) is the usual choice and
# avoids a leaf certificate whose issuer name equals its own subject.
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=Global/OU=ZYROX/CN=harbor.hzsun.com" -key ca.key -out ca.crt

# Server key and certificate signing request
openssl genrsa -out harbor.hzsun.com.key 4096
openssl req -sha512 -new -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=Global/OU=ZYROX/CN=harbor.hzsun.com" -key harbor.hzsun.com.key -out harbor.hzsun.com.csr

# x509 v3 extensions for the server certificate. Every name clients will type into
# docker login must be listed as a SAN; a client that connects by IP additionally
# needs an IP.1=172.16.7.198 line, otherwise it fails with the error in section 8.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor.hzsun.com
DNS.2=harbor
DNS.3=ks-allinone
EOF

# Sign the server certificate with the private CA
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.hzsun.com.csr -out harbor.hzsun.com.crt

# Docker reads *.crt files in /etc/docker/certs.d/<host>/ as CA certificates and
# *.cert files as client certificates, hence the copy under a .cert name (used in step 4)
openssl x509 -inform PEM -in harbor.hzsun.com.crt -out harbor.hzsun.com.cert

# Make the OS trust store on the Harbor host (RHEL/CentOS) accept the certificate.
# Trusting ca.crt here instead of the server certificate would keep working after
# the server certificate is re-issued.
cp harbor.hzsun.com.crt /etc/pki/ca-trust/source/anchors/harbor.hzsun.com.crt
update-ca-trust

4. Configure Docker on the Harbor server to access the Harbor registry over HTTPS

Copy the three files (ca.crt, harbor.hzsun.com.cert, harbor.hzsun.com.key) into the Docker certificate directory /etc/docker/certs.d/harbor.hzsun.com/. Docker reads *.crt files in that directory as CA certificates and a *.cert/*.key pair as a client certificate for mutual TLS, so for plain server-side TLS only ca.crt is actually required; copying the server's private key to every client is unnecessary, and any client holding it could impersonate the registry. The post copies all three.
Log in to the Docker host:

mkdir -pv /etc/docker/certs.d/harbor.hzsun.com/

scp root@172.16.7.198:/data/cert/harbor.hzsun.com.cert  /etc/docker/certs.d/harbor.hzsun.com/
scp root@172.16.7.198:/data/cert/harbor.hzsun.com.key  /etc/docker/certs.d/harbor.hzsun.com/
scp root@172.16.7.198:/data/cert/ca.crt  /etc/docker/certs.d/harbor.hzsun.com/

Final layout of the Docker directory:

[root@harbor docker]# tree -C /etc/docker
/etc/docker
├── certs.d
│   └── harbor.hzsun.com
│       ├── ca.crt                   <-- CA certificate that signed the registry certificate
│       ├── harbor.hzsun.com.cert    <-- server certificate signed by the CA (Docker reads it as a client certificate)
│       └── harbor.hzsun.com.key     <-- private key belonging to that certificate
├── daemon.json
└── key.json

5. Restart Docker

systemctl restart docker.service

6. Reconfigure Harbor

6.1 Stop Harbor

docker-compose down -v

6.2 Regenerate the configuration files

./prepare --with-notary --with-clair --with-chartmuseum

6.3 Start Harbor

docker-compose up -d

7. docker login

On the Docker host, log in to the Harbor registry. The warning in the output below is worth acting on: without a credential helper, Docker stores the password base64-encoded in /root/.docker/config.json.

[root@worker-03 ~]# docker login https://harbor.hzsun.com
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

8. Problem

Logging in with docker login fails with:

docker login https://192.168.75.100

x509: cannot validate certificate for 192.168.75.100 because it doesn't contain any IP SANs

Troubleshooting:
Check that the hostname value in harbor.yml is the same name that was used when the certificate was generated, and that the name passed to docker login is one of the certificate's SANs. In the case above the client connected by IP, but v3.ext lists only DNS entries; a DNS SAN never matches an IP address, so either log in with harbor.hzsun.com or add an IP.1=<address> line to [alt_names] and re-issue the certificate.
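An added example, not code from the original post or from the Harbor project, covering both the v3.ext of step 3 and the IP-SAN failure of this section: build_v3_ext() writes the [alt_names] section from a plain list of names, sorting anything that parses as an IP address into IP.n entries automatically, and match_hostname() reproduces the matching rule that Docker's Go TLS client applies to the name given to docker login, including the exact error text seen above. The names harbor.hzsun.com, harbor and ks-allinone and the addresses 172.16.7.198 and 192.168.75.100 come from the post; the function names and the sample inputs in the main block are this example's own.

```python
"""Added example: SAN generation for v3.ext and the hostname check that
produces the "doesn't contain any IP SANs" error. Not part of the original
post or of Harbor itself; function names are this example's own."""
import ipaddress

# Fixed part of the v3.ext from step 3 of the post
_V3_EXT_HEADER = [
    "authorityKeyIdentifier=keyid,issuer",
    "basicConstraints=CA:FALSE",
    "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment",
    "extendedKeyUsage = serverAuth",
    "subjectAltName = @alt_names",
    "",
    "[alt_names]",
]


def build_v3_ext(names):
    """Return the text of v3.ext for openssl x509 -extfile.

    Every name a client might type into `docker login` goes in; anything
    that parses as an IP address becomes an IP.n entry, everything else a
    DNS.n entry. A DNS entry never satisfies a client that connects by IP.
    """
    dns, ips = [], []
    for name in names:
        try:
            ips.append(str(ipaddress.ip_address(name)))
        except ValueError:
            dns.append(name.lower().rstrip("."))
    lines = list(_V3_EXT_HEADER)
    lines += [f"DNS.{i}={d}" for i, d in enumerate(dns, 1)]
    lines += [f"IP.{i}={ip}" for i, ip in enumerate(ips, 1)]
    return "\n".join(lines) + "\n"


def parse_alt_names(v3_ext_text):
    """Read the [alt_names] section of a v3.ext back into (dns_names, ip_sans)."""
    dns, ips, in_alt = [], [], False
    for raw in v3_ext_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_alt = line == "[alt_names]"
            continue
        if not in_alt or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith("DNS."):
            dns.append(value.lower())
        elif key.startswith("IP."):
            ips.append(str(ipaddress.ip_address(value)))
    return dns, ips


def _dns_match(pattern, host):
    """RFC 6125 style: a wildcard may only stand for the whole leftmost label."""
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(reference, dns_names, ip_sans):
    """Check one reference identifier the way Docker's Go TLS client does.

    Returns (ok, reason). An IP reference is compared with IP SANs only, a
    DNS reference with DNS SANs only. The subject CN is not consulted at all:
    Go 1.15 and later ignore it by default, and older Go used it only when the
    certificate had no SAN extension, which the v3.ext above always adds.
    """
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        if not ip_sans:
            # The exact situation from section 8 of the post
            return False, (f"x509: cannot validate certificate for {reference} "
                           "because it doesn't contain any IP SANs")
        if str(ip) in ip_sans:
            return True, f"IP SAN match: {ip}"
        return False, f"x509: certificate is valid for {', '.join(ip_sans)}, not {reference}"
    host = reference.lower().rstrip(".")
    for pattern in dns_names:
        if _dns_match(pattern, host):
            return True, f"DNS SAN match: {pattern}"
    return False, f"x509: certificate is valid for {', '.join(dns_names)}, not {reference}"


if __name__ == "__main__":
    # Constructed input: the three DNS names from the post plus the server IP
    ext = build_v3_ext(["harbor.hzsun.com", "harbor", "ks-allinone", "172.16.7.198"])
    dns, ips = parse_alt_names(ext)
    for ref in ("harbor.hzsun.com", "172.16.7.198", "192.168.75.100"):
        print(ref, match_hostname(ref, dns, ips))
    # Without any IP SAN, logging in by IP fails exactly as in the post
    print("192.168.75.100", match_hostname("192.168.75.100", dns, []))
```

Feeding the generated text to openssl x509 -extfile in place of the hand-written v3.ext gives a certificate that validates for both the domain name and the IP; the live check on a client is the same comparison between the name typed into docker login and the SANs of the certificate the registry presents.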

9. Start on boot

[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor

[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/bin/docker-compose -f /opt/harbor/docker-compose.yml up
ExecStop=/usr/bin/docker-compose -f /opt/harbor/docker-compose.yml stop

[Install]
WantedBy=multi-user.target

Enable start on boot (after saving the unit above as harbor.service in the systemd unit directory):

systemctl enable harbor

10. Primary/standby Harbor deployment (Harbor replication)

https://www.cnblogs.com/linux-SFeng/p/13353786.html
https://blog.zhenglin.work/docker/harbor-sync.html
https://blog.csdn.net/hiyun9/article/details/79655385

11. docker-compose up reports log errors on start

After docker-compose down -v, starting again with docker-compose up in the foreground prints the log driver warnings below. They do not affect Harbor: the containers send their logs through the syslog driver to the harbor-log container (tcp://127.0.0.1:1514, as the compose excerpt further down shows), so there is no container output for a foreground docker-compose up to attach to. When starting by hand, use docker-compose up -d.

Attaching to harbor-log, harbor-portal, redis, registryctl, harbor-db, registry, harbor-core, harbor-jobservice, nginx
harbor-core    | WARNING: no logs are available with the 'syslog' log driver
harbor-db      | WARNING: no logs are available with the 'syslog' log driver
harbor-jobservice | WARNING: no logs are available with the 'syslog' log driver
harbor-portal  | WARNING: no logs are available with the 'syslog' log driver
nginx          | WARNING: no logs are available with the 'syslog' log driver
redis          | WARNING: no logs are available with the 'syslog' log driver
registry       | WARNING: no logs are available with the 'syslog' log driver
registryctl    | WARNING: no logs are available with the 'syslog' log driver

The warnings can be silenced with the change below, taken from the following link (personally I think it is unnecessary):
https://itindex.net/detail/58617-docker-%E9%95%9C%E5%83%8F-%E4%BB%93%E5%BA%93

1. Edit docker-compose.yml

version: '2.3'
x-logging:                    # added
  &default-logging          # added
  options:                  # added
    max-size: '12m'         # added
    max-file: '5'           # added
  driver: json-file         # added
services:

Then search for the keyword logging and replace every logging block like the following one:

    depends_on:
      - log                                        # content to be replaced
    logging:                                       # content to be replaced
      driver: "syslog"                             # content to be replaced
      options:                                     # content to be replaced
        syslog-address: "tcp://127.0.0.1:1514"     # content to be replaced
        tag: "registry"                            # content to be replaced
  registryctl:

with:

    depends_on:
      - registry
      - redis
      - postgresql
      - log
    logging: *default-logging                     # this one line replaces the block above
  portal:
    image: goharbor/harbor-portal:v2.1.2

The trade-off: with json-file logging each container keeps its own log files and the harbor-log container no longer collects them, so the logs are read per container with docker logs instead of from the harbor-log container.

Notes:
1. docker-compose install path

[root@harbor-slave ~]# which docker-compose
/usr/bin/docker-compose

2. Setting Harbor to start on boot
https://blog.csdn.net/qq_17054989/article/details/96871639
3. Why Harbor is started with up rather than start
https://www.cnblogs.com/kirito-c/p/11145881.html

References:

1. Harbor HTTPS access configuration
https://www.cnblogs.com/sanduzxcvbnm/p/11956347.html (verified by following this article)
https://www.cnblogs.com/cjwnb/p/13441071.html

2. Harbor high-availability deployment and configuration (primary/standby)
https://blog.csdn.net/weixin_45308292/article/details/107248788
One more complaint: in real production use, primary/standby replication is very unreliable, so the recommended approach is the one discussed next, multiple Harbor instances sharing back-end storage.
This author's ops notes are good and worth reading.

3. Notes on building a Harbor 1.9 + Nginx high-availability cluster registry
https://juejin.cn/post/6844903957412708365
Building a highly available Harbor
https://blog.51cto.com/zero01/2530940
Deploying a Harbor high-availability cluster with Nginx load balancing
https://blog.csdn.net/wt334502157/article/details/102894931
How to build a highly available Docker Harbor registry
http://linuxops.xyz/2019/02/18/%E5%A6%82%E4%BD%95%E6%90%AD%E5%BB%BA%E9%AB%98%E5%8F%AF%E7%94%A8Docker-Harbor%E4%BB%93%E5%BA%93/#
A highly available private registry based on Harbor and CephFS
https://www.ctolib.com/topics-118455.html (outlines the approach)

4. Scheduled cleanup of Harbor images
https://www.cnblogs.com/only-me/p/12416369.html

5. Nexus 3.3.1 local private repository user manual
https://cloud.tencent.com/developer/article/1098081
Learning Docker: setting up a private image registry
https://cloud.tencent.com/developer/article/1095277?from=article.detail.1098081