miaoyun + Rancher + K8S Learning and Practice


Configuring HTTPS access for Harbor

<pre><code>Contents
Configuring HTTPS access for Harbor
Start-on-boot configuration
Primary/standby Harbor deployment (Harbor replication)</code></pre>
<p>Note: newer Docker releases (the original says "version 14 and above") use HTTPS by default for <code>docker login</code>, and Harbor must then be reached by a domain name. With the certificate generated below, access by bare IP fails because the certificate carries only DNS SANs (see section 8). This article uses docker-ce 19.03.</p>
<p>Assume the Harbor server is reached as harbor.hzsun.com and its IP address is 172.16.7.198.</p>
<h1>1. Host configuration</h1>
<p>Because this domain name is fictitious, add it to the hosts file on the Harbor host and on every client that accesses Harbor (the original command was missing the leading slash in <code>/etc/hosts</code>):</p>
<pre><code class="language-bash">echo '172.16.7.198 harbor.hzsun.com' &gt;&gt; /etc/hosts</code></pre>
<h1>2. Upload and unpack the Harbor package and edit the Harbor configuration file</h1>
<pre><code class="language-bash">cd /opt/
tar -zxvf harbor.v2.1.2.tar.gz
cd harbor
cp harbor.yml.tmpl harbor.yml
vim harbor.yml</code></pre>
<p>Replace yourdomain.com with the domain name (or IP, or IP:port) actually in use. The <code>hostname</code> value in harbor.yml must be the same name the certificate in section 3 is issued for; a mismatch produces the error shown in section 8.</p>
<pre><code class="language-bash">hostname: harbor.hzsun.com

# http related config
#http:
#  # port for http, default is 80. If https enabled, this port will redirect to https port
#  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/harbor.hzsun.com.crt
  private_key: /data/cert/harbor.hzsun.com.key</code></pre>
<h1>3. One-shot script to create a self-signed certificate</h1>
<pre><code class="language-bash">#!/bin/bash
# Generate the certificates in this directory so the paths match harbor.yml
mkdir -p /data/cert
cd /data/cert

# Private CA; ca.key never leaves this host
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=Global/OU=ZYROX/CN=harbor.hzsun.com" \
  -key ca.key -out ca.crt

# Server key and certificate signing request
openssl genrsa -out harbor.hzsun.com.key 4096
openssl req -sha512 -new \
  -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=Global/OU=ZYROX/CN=harbor.hzsun.com" \
  -key harbor.hzsun.com.key -out harbor.hzsun.com.csr

# v3 extensions: clients validate against the subjectAltName list, not the CN,
# so every name used to reach Harbor must be listed here
cat &gt; v3.ext &lt;&lt;-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor.hzsun.com
DNS.2=harbor
DNS.3=ks-allinone
EOF

# Sign the server certificate with the private CA
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in harbor.hzsun.com.csr -out harbor.hzsun.com.crt

# Docker's certs.d expects the .cert suffix
openssl x509 -inform PEM -in harbor.hzsun.com.crt -out harbor.hzsun.com.cert

# Trust the CA system-wide on the Harbor host (RHEL/CentOS; on Debian/Ubuntu use
# /usr/local/share/ca-certificates and update-ca-certificates). The original copied
# the server certificate here; OpenSSL-based clients such as curl need the issuing
# CA in the trust store, so the CA certificate is what belongs in anchors.
cp ca.crt /etc/pki/ca-trust/source/anchors/harbor-ca.crt
update-ca-trust</code></pre>
<h1>4.
Configure Docker on the Harbor host to access the registry over HTTPS</h1>
<p>Copy the three files (ca.crt, harbor.hzsun.com.cert, harbor.hzsun.com.key) into the Docker directory /etc/docker/certs.d/harbor.hzsun.com/. Log in to the Docker host:</p>
<pre><code class="language-bash">mkdir -pv /etc/docker/certs.d/harbor.hzsun.com/
scp root@172.16.7.198:/data/cert/harbor.hzsun.com.cert /etc/docker/certs.d/harbor.hzsun.com/
scp root@172.16.7.198:/data/cert/harbor.hzsun.com.key /etc/docker/certs.d/harbor.hzsun.com/
scp root@172.16.7.198:/data/cert/ca.crt /etc/docker/certs.d/harbor.hzsun.com/</code></pre>
<p>Caveat: Docker treats every <code>.crt</code> file in this directory as a trusted CA and every <code>.cert</code> file with a matching <code>.key</code> as a client certificate for mutual TLS, which Harbor does not require here. Server verification needs only <code>ca.crt</code>. Copying the server's private key onto every client (the worker nodes of section 7) spreads a secret that only nginx on the Harbor host needs; on clients, copy <code>ca.crt</code> alone.</p>
<p>Final Docker directory layout:</p>
<pre><code class="language-bash">[root@harbor docker]# tree -C /etc/docker
/etc/docker
├── certs.d
│   └── harbor.hzsun.com
│       ├── ca.crt                  &lt;-- Certificate authority that signed the registry certificate
│       ├── harbor.hzsun.com.cert   &lt;-- Server certificate signed by the CA
│       └── harbor.hzsun.com.key    &lt;-- Server private key
├── daemon.json
└── key.json</code></pre>
<h1>5. Restart Docker</h1>
<pre><code class="language-bash">systemctl restart docker.service</code></pre>
<h1>6. Reconfigure Harbor</h1>
<h2>6.1 Stop Harbor</h2>
<pre><code class="language-bash">docker-compose down -v</code></pre>
<h2>6.2 Regenerate the configuration files</h2>
<p>Keep only the flags for the optional components you actually installed:</p>
<pre><code class="language-bash">./prepare --with-notary --with-clair --with-chartmuseum</code></pre>
<h2>6.3 Start Harbor</h2>
<pre><code class="language-bash">docker-compose up -d</code></pre>
<h1>7. docker login</h1>
<p>Log in to the Docker host, then log in to the Harbor registry:</p>
<pre><code class="language-bash">[root@worker-03 ~]# docker login https://harbor.hzsun.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning.
See https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded</code></pre>
<h1>8. Problems</h1>
<p>Logging in with <code>docker login</code> by IP address fails:</p>
<pre><code class="language-bash">docker login https://192.168.75.100
x509: cannot validate certificate for 192.168.75.100 because it doesn't contain any IP SANs</code></pre>
<p>Troubleshooting: check that the <code>hostname</code> value in harbor.yml is the same name the certificate was generated for. The certificate from section 3 lists only DNS names in its subjectAltName, so clients must use one of those names. To allow login by IP address as well, add an <code>IP.1=192.168.75.100</code> entry under <code>[alt_names]</code> in v3.ext and reissue the server certificate.</p>
<h1>9. Start-on-boot configuration</h1>
<p>Save the following unit as /etc/systemd/system/harbor.service:</p>
<pre><code class="language-bash">[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor

[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/bin/docker-compose -f /opt/harbor/docker-compose.yml up
ExecStop=/usr/bin/docker-compose -f /opt/harbor/docker-compose.yml stop

[Install]
WantedBy=multi-user.target</code></pre>
<p>Enable it at boot:</p>
<pre><code class="language-bash">systemctl daemon-reload
systemctl enable harbor</code></pre>
<h1>10. Primary/standby Harbor deployment (Harbor replication)</h1>
<p><a href="https://www.cnblogs.com/linux-SFeng/p/13353786.html">https://www.cnblogs.com/linux-SFeng/p/13353786.html</a> <a href="https://blog.zhenglin.work/docker/harbor-sync.html">https://blog.zhenglin.work/docker/harbor-sync.html</a> <a href="https://blog.csdn.net/hiyun9/article/details/79655385">https://blog.csdn.net/hiyun9/article/details/79655385</a></p>
<h1>11. docker-compose up reports log errors at startup</h1>
<p>After <code>docker-compose down -v</code>, starting again with <code>docker-compose up</code> prints the log-driver warnings below. They do not affect Harbor: the containers send their logs through the syslog driver to the harbor-log container, and on this Docker version <code>docker logs</code> cannot read logs back from the syslog driver, so an attached <code>docker-compose up</code> has nothing to show. When starting by hand, use <code>docker-compose up -d</code>.</p>
<pre><code class="language-bash">Attaching to harbor-log, harbor-portal, redis, registryctl, harbor-db, registry, harbor-core, harbor-jobservice, nginx
harbor-core          | WARNING: no logs are available with the 'syslog' log driver
harbor-db            | WARNING: no logs are available with the 'syslog' log driver
harbor-jobservice    | WARNING: no logs are available with the 'syslog' log driver
harbor-portal        | WARNING: no logs are available with the 'syslog' log driver
nginx                | WARNING: no logs are available with the 'syslog' log driver
redis                | WARNING: no logs are available with the 'syslog' log driver
registry             | WARNING: no logs are available with the 'syslog' log driver
registryctl          | WARNING: no logs are available with the 'syslog' log driver</code></pre>
<p>The warnings can be removed with the change below (the author considers it unnecessary): <a href="https://itindex.net/detail/58617-docker-%E9%95%9C%E5%83%8F-%E4%BB%93%E5%BA%93">https://itindex.net/detail/58617-docker-%E9%95%9C%E5%83%8F-%E4%BB%93%E5%BA%93</a></p>
<p>1. Edit docker-compose.yml and declare a shared logging anchor at the top level:</p>
<pre><code class="language-bash">version: '2.3'
x-logging:                 # added
  &amp;default-logging         # added
  options:                 # added
    max-size: '12m'        # added
    max-file: '5'          # added
  driver: json-file        # added
services:</code></pre>
<p>Then search for the keyword <code>logging</code> and replace every per-service logging block. The original, using the registry service as the example (only the logging block changes; <code>depends_on</code> stays as it is):</p>
<pre><code class="language-bash">    depends_on:
      - log
    logging:                                      # to be replaced
      driver: "syslog"                            # to be replaced
      options:                                    # to be replaced
        syslog-address: "tcp://127.0.0.1:1514"    # to be replaced
        tag: "registry"                           # to be replaced
  registryctl:</code></pre>
<p>Replace it with a reference to the anchor (shown here on the core service, whose <code>depends_on</code> list is longer):</p>
<pre><code class="language-bash">    depends_on:
      - registry
      - redis
      - postgresql
      - log
    logging: *default-logging    # this single line replaces the block above
  portal:
    image: goharbor/harbor-portal:v2.1.2</code></pre>
<p>Switching to json-file bypasses the harbor-log container and the rotation it provides under /var/log/harbor; the max-size and max-file options above are then what bounds log disk usage.</p>
<p>Notes:</p>
<p>1. docker-compose install path</p>
<pre><code class="language-bash">[root@harbor-slave ~]# which docker-compose
/usr/bin/docker-compose</code></pre>
<p>2. Setting Harbor to start on boot: <a href="https://blog.csdn.net/qq_17054989/article/details/96871639">https://blog.csdn.net/qq_17054989/article/details/96871639</a></p>
<p>3. Why <code>up</code> rather than <code>start</code> is used to start Harbor: <a href="https://www.cnblogs.com/kirito-c/p/11145881.html">https://www.cnblogs.com/kirito-c/p/11145881.html</a></p>
<h1>References</h1>
<p>1. Configuring HTTPS access for Harbor <a href="https://www.cnblogs.com/sanduzxcvbnm/p/11956347.html">https://www.cnblogs.com/sanduzxcvbnm/p/11956347.html</a>; verified against this article: <a href="https://www.cnblogs.com/cjwnb/p/13441071.html">https://www.cnblogs.com/cjwnb/p/13441071.html</a></p>
<p>2. Harbor high-availability deployment and configuration (primary/secondary) <a href="https://blog.csdn.net/weixin_45308292/article/details/107248788">https://blog.csdn.net/weixin_45308292/article/details/107248788</a>. Quoting that post: "One more gripe: in real production use, primary/secondary replication is very unreliable, so I recommend the scheme described next, <code>multiple Harbor instances sharing backend storage</code>." That author's ops notes are good reference material.</p>
<p>3. Harbor 1.9 + Nginx high-availability cluster registry setup notes <a href="https://juejin.cn/post/6844903957412708365">https://juejin.cn/post/6844903957412708365</a>; Building a highly available Harbor <a href="https://blog.51cto.com/zero01/2530940">https://blog.51cto.com/zero01/2530940</a>; Deploying a Harbor HA cluster with Nginx load balancing <a href="https://blog.csdn.net/wt334502157/article/details/102894931">https://blog.csdn.net/wt334502157/article/details/102894931</a>; How to build a highly available Docker Harbor registry <a href="http://linuxops.xyz/2019/02/18/%E5%A6%82%E4%BD%95%E6%90%AD%E5%BB%BA%E9%AB%98%E5%8F%AF%E7%94%A8Docker-Harbor%E4%BB%93%E5%BA%93/">http://linuxops.xyz/2019/02/18/%E5%A6%82%E4%BD%95%E6%90%AD%E5%BB%BA%E9%AB%98%E5%8F%AF%E7%94%A8Docker-Harbor%E4%BB%93%E5%BA%93/</a>; Building a highly available private registry on Harbor and CephFS <a href="https://www.ctolib.com/topics-118455.html">https://www.ctolib.com/topics-118455.html</a> (outlines the approach)</p>
<p>4. Scheduled cleanup of Harbor images <a href="https://www.cnblogs.com/only-me/p/12416369.html">https://www.cnblogs.com/only-me/p/12416369.html</a></p>
<p>5. Nexus 3.3.1 local private repository manual <a href="https://cloud.tencent.com/developer/article/1098081">https://cloud.tencent.com/developer/article/1098081</a>; Docker study: building a private image registry <a href="https://cloud.tencent.com/developer/article/1095277?from=article.detail.1098081">https://cloud.tencent.com/developer/article/1095277?from=article.detail.1098081</a></p>
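<p>Added example for sections 3, 4 and 8 above (it is not the page's script and not part of Harbor): a POSIX shell script that issues a CA-signed server certificate whose subjectAltName carries both the DNS name and the IP address, verifies the chain, checks that a given name is in the SAN list (the condition behind the "doesn't contain any IP SANs" error), reads the <code>hostname</code> value out of harbor.yml for comparison, and installs only <code>ca.crt</code> on a client. The CA subject <code>harbor-ca</code>, the function names and all paths are assumptions; harbor.hzsun.com and 172.16.7.198 are the page's own values, passed as arguments.</p>

```shell
#!/bin/sh
# Added example, not the page's script: CA + server certificate with DNS and
# IP SANs, plus the checks a failing "docker login" points at.
# Hostnames, IPs and directories are assumed values supplied as arguments.
set -eu

# make_harbor_certs DIR HOST IP
# Writes ca.key, ca.crt, HOST.key, HOST.csr, HOST.crt and HOST.cert into DIR.
make_harbor_certs() {
    dir=$1; host=$2; ip=$3
    mkdir -p "$dir"
    # Private CA. ca.key stays on the issuing host; only ca.crt is distributed.
    openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 3650 \
        -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=Global/OU=ZYROX/CN=harbor-ca" \
        -key "$dir/ca.key" -out "$dir/ca.crt"
    # Server key and CSR. The CN is informational; clients match the SAN list.
    openssl genrsa -out "$dir/$host.key" 4096 2>/dev/null
    openssl req -sha512 -new \
        -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=Global/OU=ZYROX/CN=$host" \
        -key "$dir/$host.key" -out "$dir/$host.csr"
    # v3 extensions: a DNS SAN for the domain name and an IP SAN so that
    # "docker login https://IP" validates as well (section 8 error).
    cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=$host
IP.1=$ip
EOF
    openssl x509 -req -sha512 -days 3650 -extfile "$dir/v3.ext" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -in "$dir/$host.csr" -out "$dir/$host.crt" 2>/dev/null
    # Docker's certs.d recognises client certificates by the .cert suffix.
    openssl x509 -inform PEM -in "$dir/$host.crt" -out "$dir/$host.cert"
}

# verify_chain DIR HOST: succeeds if HOST.crt chains to ca.crt
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# cert_has_san DIR HOST NAME: succeeds if NAME appears in the SAN list as a
# DNS name or an IP address. This is the check Docker's x509 error reports on.
cert_has_san() {
    san=$(openssl x509 -in "$1/$2.crt" -noout -text \
            | grep -A1 'Subject Alternative Name' | tail -n 1)
    printf '%s\n' "$san" | grep -Eq "(DNS|IP Address):$3(,|\$)"
}

# harbor_yml_hostname FILE: prints the hostname: value from harbor.yml, so it
# can be compared with the certificate (the section 8 troubleshooting step)
harbor_yml_hostname() {
    sed -n '/^hostname:/{s/^hostname:[[:space:]]*//p;q;}' "$1"
}

# install_client_trust DIR HOST CERTSD: what a Docker client needs under
# CERTSD/HOST/ is the CA certificate alone. A .cert/.key pair there is a
# client certificate for mutual TLS, and the server key must not leave the
# Harbor host.
install_client_trust() {
    mkdir -p "$3/$2"
    cp "$1/ca.crt" "$3/$2/ca.crt"
}

# Usage: sh harbor-certs.sh /data/cert harbor.hzsun.com 172.16.7.198
if [ "$#" -eq 3 ]; then
    make_harbor_certs "$1" "$2" "$3"
    verify_chain "$1" "$2" && echo "chain: $2.crt verifies against ca.crt"
    cert_has_san "$1" "$2" "$3" && echo "SAN: $3 present, docker login https://$3 will validate"
    install_client_trust "$1" "$2" /etc/docker/certs.d
fi
```

<p>Run it on the Harbor host with the directory from section 2, then compare <code>harbor_yml_hostname /opt/harbor/harbor.yml</code> with the names the certificate carries. On each client, run only <code>install_client_trust</code> (or copy <code>ca.crt</code> by hand) instead of the scp of the <code>.cert</code> and <code>.key</code> files from section 4.</p>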
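<p>Added example for section 11 above (not the page's procedure and not part of Harbor): the manual edit there, repeated for every service, as an awk rewrite that declares the shared <code>x-logging</code> anchor once and replaces each per-service syslog logging block with <code>logging: *default-logging</code>, leaving <code>depends_on</code> and everything else untouched. Running it on its own output changes nothing, so it can be re-applied after a Harbor upgrade regenerates docker-compose.yml. The function names and file paths are assumptions; the compose excerpt in the usage is constructed for illustration.</p>

```shell
#!/bin/sh
# Added example, not the page's procedure: script the section 11 edit so it is
# repeatable. File paths are arguments; nothing here is Harbor's own code.
set -eu

# switch_logging IN OUT: write a copy of IN to OUT with the logging rewritten.
# Lines nested deeper than a bare "logging:" key are the syslog block and are
# dropped; the key itself becomes an alias to the shared anchor.
switch_logging() {
    awk '
    BEGIN { skip = -1 }
    # an anchor that already exists must not be declared twice
    /^x-logging:/ { anchored = 1 }
    # declare the shared anchor just before the services map
    /^services:/ && !anchored {
        print "x-logging: &default-logging"
        print "  driver: json-file"
        print "  options:"
        print "    max-size: \"12m\""
        print "    max-file: \"5\""
        anchored = 1
    }
    # indentation of the current line (YAML nesting is indentation only)
    { match($0, /^ */); indent = RLENGTH }
    # inside a block being dropped: skip every line nested deeper than it
    skip >= 0 {
        if (indent > skip && $0 !~ /^[ \t]*$/) next
        skip = -1
    }
    # a bare "logging:" key starts a syslog block: emit the alias, drop the block
    /^ *logging:[ \t]*$/ {
        print sprintf("%" indent "s", "") "logging: *default-logging"
        skip = indent
        next
    }
    { print }
    ' "$1" > "$2"
}

# count_syslog_blocks FILE: number of services still logging through syslog;
# 0 after a successful rewrite
count_syslog_blocks() {
    grep -c 'driver: "syslog"' "$1" || true
}

# Usage: sh switch-logging.sh /opt/harbor/docker-compose.yml
# Rewrites the file in place, keeping a .bak copy, then reports what is left.
if [ "$#" -eq 1 ]; then
    cp "$1" "$1.bak"
    switch_logging "$1.bak" "$1"
    echo "services still using the syslog driver: $(count_syslog_blocks "$1")"
fi
```

<p>After the rewrite, <code>count_syslog_blocks docker-compose.yml</code> should print 0; bring Harbor up again with <code>docker-compose up -d</code> as in section 6.3.</p>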
