参考:https://github.com/vmware/harbor/blob/master/docs/installation_guide.md

Resource Capacity Description
CPU minimal 2 CPU 4 CPU is prefered
Mem minimal 4GB 8GB is prefered
Disk minimal 40GB 160GB is prefered

安装前置条件
1.python2.7以上
2.docker 1.10以上
3.docker-compose 1.6以上
4.Openssl

当前测试环境:

使用的是vm的虚拟机创建的cenos7(ip:192.168.1.86)

python安装参考:https://www.jianshu.com/p/ada7ca038d7f

docker-ce安装:
https://docs.docker.com/install/linux/docker-ce/centos/#os-requirements

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
卸载本机旧版本docker
$ sudo yum remove docker \
                  docker-client \
                  docker-client-latest \
                  docker-common \
                  docker-latest \
                  docker-latest-logrotate \
                  docker-logrotate \
                  docker-selinux \
                  docker-engine-selinux \
                  docker-engine
yum安装docker-ce
 sudo yum install -y yum-utils \
  device-mapper-persistent-data \
  lvm2
$ sudo yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
$ sudo yum install docker-ce
$ sudo systemctl start docker
$ sudo docker -v
Docker version 1.12.6, build 3e8e77d/1.12.6

docker-compose安装
https://docs.docker.com/compose/install/#install-compose

1
2
3
4
curl -L https://github.com/docker/compose/releases/download/1.21.2/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
chmod +x docker-compose
docker-compose -v
docker-compose version 1.21.2, build a133471

下载harbor离线安装包

1
2
3
4
5
wget https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.5.2.tgz
tar xvf harbor-offline-installer-v1.5.2.tgz
cd harbor
vim harbor.cfg(这是hostname=本地ip)
./install.sh

使用虚拟机中centos7执行harbor安装脚本(install.sh)时遇到个坑,因为我使用的harbor的离线安装包,需要使用docker load harbor的docker 镜像文件(比较大),虚拟机中docker默认的Thin Pool有限制,倒入的时候会报如下错误

1
devmapper: Thin Pool has 68 free data blocks which is less than minimum required 708 free data blocks. Create more free space in thin pool or use dm.min_free_space option to change behavior

解决办法是:

1
2
3
4
5
[root@k8s1 harbor]#  yum remove docker -y        #先卸载了docker
[root@k8s1 harbor]#  rm -rf /var/lib/docker      #删除了/var/lib/docker
[root@k8s1 harbor]#  yum install docker -y       #yum安装docker
[root@k8s1 harbor]#  systemctl enable docker     #设置docker服务开机启动
[root@k8s1 harbor]# systemctl start docker       #启动docker

虚拟机中新增一块虚拟20G IDE虚拟盘,然后挂在到系统中,更改docker lib库路径,再导入docker镜像就不会报错了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
[root@k8s1 harbor]# mkdir /docker
[root@k8s1 harbor]# mkfs.ext4 /dev/sda             #fdisk -l可查看新盘符(此处用是sdb),格式化sda
[root@k8s1 harbor]# echo '/dev/sda  /docker ext4    defaults    0  0' >> /etc/fstab  #设置开机自动挂在
[root@k8s1 harbor]# mount -a
[root@k8s1 harbor]# df -hl
文件系统                 容量  已用  可用 已用% 挂载点
/dev/mapper/centos-root   14G  3.2G  9.6G   25% /
devtmpfs                 478M     0  478M    0% /dev
tmpfs                    489M     0  489M    0% /dev/shm
tmpfs                    489M  6.8M  482M    2% /run
tmpfs                    489M     0  489M    0% /sys/fs/cgroup
/dev/sdb                  40G  3.2G   35G    9% /docker
/dev/sda1                190M  124M   53M   71% /boot
tmpfs                     98M     0   98M    0% /run/user/0
[root@k8s1 harbor]# systemctl stop docker           #停止docker服务器
[root@k8s1 harbor]# mv /var/lib/docker/* /docker/   #将docker库中所有文件移动至/docker中
[root@k8s1 harbor]# rm -rf /var/lib/docker          #删除原docker库
[root@k8s1 harbor]# ln -s  /docker /var/lib/docker  #将/docker目录中映射到/var/lib/docker中
[root@k8s1 harbor]# systemctl start docker          #启动docker

公司内部使用docker私有hub是需要登录和加密的,证书加密参照

https://github.com/vmware/harbor/blob/master/docs/configure_https.md

创建证书

1
[root@k8s1 cert]#mkdir -p /system/cert&&cd /system/cert
  • 创建CA证书
    1
    2
    3
    [root@k8s1 cert]# openssl req \
        -newkey rsa:4096 -nodes -sha256 -keyout ca.key \
        -x509 -days 365 -out ca.crt                 #一路回车,注意出现CN时要输入本机ip或者域名
  • 创建通讯crt与key
    1
    2
    3
    [root@k8s1 cert]# openssl req \
        -newkey rsa:4096 -nodes -sha256 -keyout 192.168.1.86.key \
        -out 192.168.1.86.csr                       #一路回车,注意出现CN时要输入本机ip或者域名
  • 生成的证书注册主机
    1
    2
    3
    [root@k8s1 cert] #openssl x509 -req -days 365 -in 192.168.1.86.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out 192.168.1.86.crt
    [root@k8s1 cert] echo subjectAltName = IP:192.168.1.86 > extfile.cnf
    [root@k8s1 cert] openssl x509 -req -days 365 -in 192.168.1.86.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out 192.168.1.86.crt

    证书生成完毕:我们所需要的证书主要有192.168.1.86.crt和192.168.1.86.key

    harbor的配置与安装

解压完harbor离线安装包后编辑harbor.cfg文件,需要修改的参数如下:

1
2
3
4
hostname=192.168.1.86                #改成本机ip或者域名
ui_url_protocol = https          #协议改为https
ssl_cert = /system/cert/192.168.1.86.crt
ssl_cert_key = /system/cert/192.168.1.86.key

保存退出后然后运行安装脚本

1
2
3
4
5
6
7
8
9
10
11
[root@k8s1 harbor]# ./install.sh                #等待安装完成。
[root@k8s1 harbor]# docker ps -a
CONTAINER ID        IMAGE                                  COMMAND                  CREATED             STATUS                       PORTS                                                              NAMES
e284c6fe107d        vmware/harbor-jobservice:v1.5.2        "/harbor/start.sh"       2 hours ago         Up About an hour                                                                                harbor-jobservice
901396649ea3        vmware/nginx-photon:v1.5.2             "nginx -g 'daemon ..."   2 hours ago         Up About an hour (healthy)   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
b1fdd865e3a6        vmware/harbor-ui:v1.5.2                "/harbor/start.sh"       2 hours ago         Up About an hour (healthy)                                                                      harbor-ui
3582ebd4cc54        vmware/harbor-adminserver:v1.5.2       "/harbor/start.sh"       2 hours ago         Up About an hour (healthy)                                                                      harbor-adminserver
ce0684f4e056        vmware/registry-photon:v2.6.2-v1.5.2   "/entrypoint.sh se..."   2 hours ago         Up About an hour (healthy)   5000/tcp                                                           registry
7bc01fd5cd51        vmware/harbor-db:v1.5.2                "/usr/local/bin/do..."   2 hours ago         Up About an hour (healthy)   3306/tcp                                                           harbor-db
6bd7f638c608        vmware/redis-photon:v1.5.2             "docker-entrypoint..."   2 hours ago         Up About an hour             6379/tcp                                                           redis
1e7310db3ac2        vmware/harbor-log:v1.5.2               "/bin/sh -c /usr/l..."   2 hours ago         Up About an hour (healthy)   127.0.0.1:1514->10514/tcp                                          harbor-log

如果registry启动失败,则查看/var/log/harbor/registry.log日志

一般删除harbor/common/config/registry/config.yml中swiff相关信息即可。然后再重启registry容器。

当容器都运行正常,使用ie访问192.168.1.86登录admin密码Harbor12345此用户是超级管理员,可添加用户,权限给予管理员权限。

其他设备如要上传或者下载此私有docker hub镜像,需要向管理员索取192.168.1.86.crt证书并docker login 192.168.1.86方可上传下载。

客户端安装证书

  • linux系统导入证书:

    • 1.mkdir /etc/docker/cert.d/192.168.1.86 #创建docker证书目录
    • 2.cp 192.168.1.86.crt /etc/docker/cert.d/192.168.1.86/ca.crt #将证书改名ca.crt并放置在此路径下
    • 3.systemctl restart docker #加入ca证书后重启docker生效
    • 4.docker login 192.168.1.86 #输入用户名和密码后登录成功

  • Mac系统导入证书:

    • 1.双机192.168.1.86.crt证书,系统默认钥匙串访问。
    • 2.进入钥匙串访问,找到该证书,选择使用信任。
    • 3.重启docker让证书生效
    • 4.docker login 192.168.1.86 #输入用户名和密码后登录成功

如果登录时出现此类问题

1
Error response from daemon: Get https://192.168.1.86/v2/: x509: certificate signed by unknown authority

那是因为证书问题,主要查看服务端registry容器是否报错,或者客户端docker添加完证书后未重启导致。

Docker 登录成功后验证上传镜像:

  • 1.将镜像改名192.168.1.86/library/* (library)
    1
    docker tag quay.io/coreos/etcd:v2.3.8 192.168.1.86/library/etcd:V1
  • 2.docker push 192.168.1.86/library/etcd:V1