Installing Docker on Linux, installing the Harbor private image registry, signing certificates, and testing the Harbor private registry


1. Install Docker before installing Harbor

1.1 Disable the iptables and firewalld services

[root@master ~]# systemctl stop firewalld
[root@master ~]# systemctl disable firewalld
[root@master ~]# systemctl stop iptables
[root@master ~]# systemctl disable iptables
# flush the firewall rules
[root@master ~]# iptables -F  

1.2 Disable SELinux

# disable temporarily (until the next reboot)
[root@master ~]# setenforce 0 
# disable permanently
[root@master ~]# sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config

1.3 Change the hostname

[root@master ~]# hostnamectl set-hostname harbor 
[root@harbor ~]# hostname
harbor 

1.4 Install the base packages

[root@harbor ~]# yum install -y  wget net-tools nfs-utils lrzsz gcc gcc-c++ make cmake libxml2-devel openssl-devel curl curl-devel unzip sudo ntp libaio-devel wget vim ncurses-devel autoconf automake zlib-devel  python-devel epel-release openssh-server socat  ipvsadm conntrack

1.5 Configure a domestic (Aliyun) yum repository for docker-ce

[root@harbor ~]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

# if the yum-config-manager command is not found, install yum-utils (the package that provides it) and run the command again
[root@harbor ~]# yum install -y yum-utils

1.6 Install the Docker dependency packages

[root@harbor ~]# yum install -y yum-utils device-mapper-persistent-data lvm2

1.7 Install docker-ce

[root@harbor ~]# yum install docker-ce -y

1.8 Start the Docker service

[root@harbor ~]# systemctl start docker && systemctl enable docker
[root@harbor ~]#  systemctl status docker 
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since 二 2023-06-20 00:07:12 CST; 11h ago
     Docs: https://docs.docker.com
 Main PID: 46686 (dockerd)
    Tasks: 50
   Memory: 63.8M
   CGroup: /system.slice/docker.service

Seeing "running" means Docker is working normally.

1.9 Check the Docker version

[root@harbor ~]# docker version

1.10 Install docker-compose (used mainly to install and manage Harbor)

[root@harbor ~]# sudo curl -L https://get.daocloud.io/docker/compose/releases/download/1.21.1/docker-compose-`uname -s`-`uname -m` -o /usr/bin/docker-compose
[root@harbor ~]# chmod +x /usr/bin/docker-compose
[root@harbor ~]# docker-compose version

Note:
docker-compose is an official open-source Docker project for quickly orchestrating groups of Docker containers.
Its project configuration file is docker-compose.yml by default,
and the directory docker-compose is run from must contain a docker-compose.yml.
docker-compose can manage multiple Docker instances.

1.11 Enable packet forwarding and modify the kernel parameters

Kernel parameter changes: the br_netfilter module passes bridged traffic through the iptables chains, and the br_netfilter kernel parameters must have forwarding enabled.

[root@harbor ~]#  modprobe br_netfilter
[root@harbor ~]#  cat > /etc/sysctl.d/docker.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
[root@harbor ~]# sysctl -p /etc/sysctl.d/docker.conf

Note:
If Docker reports "WARNING: bridge-nf-call-iptables is disabled" after installation, the fix is:
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1

net.ipv4.ip_forward = 1:
IP forwarding must be enabled when a Linux system acts as a router or VPN server. When a Linux host has multiple network interfaces, this setting decides whether packets received on one interface may be passed to another; set to 1, packets can be forwarded and features such as VXLAN work. If it is not enabled, applications deployed with Docker cannot be reached.

# restart docker
[root@harbor ~]#  systemctl restart docker

2. Self-sign certificates for Harbor

[root@harbor ~]# mkdir /data/ssl -p
[root@harbor ~]# cd /data/ssl/

2.1 Generate the CA certificate

[root@harbor ssl]#  openssl genrsa -out ca.key 3072
# generate a 3072-bit key, i.e. the private key
[root@harbor ssl]#  openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
# generate the certificate ca.pem; -days 3650 sets the validity period (3650 days). Fill in the fields marked with arrows as prompted and leave the others empty:
[image: generating the CA certificate]

2.2 Generate the certificate for the domain name

[root@harbor ssl]# openssl genrsa -out harbor.key  3072
# generate a 3072-bit key, i.e. the private key
[root@harbor ssl]# openssl req -new -key harbor.key -out harbor.csr
# generate a certificate signing request, needed when the certificate is signed below; fill in the fields marked with arrows as prompted and leave the others empty:
[image: generating the domain certificate request]

2.3 Sign the certificate

[root@harbor ssl]# openssl x509 -req -in harbor.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out harbor.pem -days 3650
# the following output means the certificate has been signed:
Signature ok
subject=/C=CH/ST=BJ/L=BJ/O=Default Company Ltd/CN=harbor
Getting CA Private Key

3. Install Harbor

3.1 Download Harbor

[root@harbor ~]# cd /opt
[root@harbor opt]# wget https://github.com/goharbor/harbor/releases/download/v2.8.2/harbor-offline-installer-v2.8.2.tgz

3.2 Extract the package and modify the configuration file

[root@harbor opt]# tar xvf harbor-offline-installer-v2.8.2.tgz
[root@harbor opt]# cd harbor && cp harbor.yml.tmpl harbor.yml
[root@harbor harbor]# vim harbor.yml
hostname: reg.mydomain.com            ->  hostname: harbor
  certificate: /your/certificate/path ->  certificate: /data/ssl/harbor.pem
  private_key: /your/private/key/path ->  private_key: /data/ssl/harbor.key

3.3 Install Harbor

[root@harbor harbor]# ./install.sh 

Note: docker version: 24.0.2

[Step 1]: checking docker-compose is installed ...

Note: Docker Compose version v2.18.1


Loaded image: goharbor/registry-photon:v2.8.2
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

......

Note: stopping existing Harbor instance ...
[+] Running 10/10
 ✔ Container nginx              Removed                                                                          0.1s 
 ✔ Container harbor-jobservice  Removed                                                                          0.1s 


 ✔ Network harbor_harbor        Removed                                                                          0.1s 


[Step 5]: starting Harbor ...
[+] Building 0.0s (0/0)                                                                                               
[+] Running 10/10
 ✔ Network harbor_harbor        Created                                                                          0.1s 
 ✔ Container harbor-log         Started                                                                          0.5s 
 ✔ Container registryctl        Started                                                                                                                                    2.3s 
 ✔ Container harbor-jobservice  Started                                                                          2.7s 
 ✔ Container nginx              Started                                                                          2.9s 
✔ ----Harbor has been installed and started successfully.----

At this point the installation has succeeded.

3.4 Check the Harbor service status

[root@harbor harbor]# docker-compose ps
      Name                     Command                  State                             Ports                       
----------------------------------------------------------------------------------------------------------------------
harbor-core         /harbor/entrypoint.sh            Up (healthy)                                                     
harbor-db           /docker-entrypoint.sh  13        Up (healthy)                                                     
harbor-jobservice   /harbor/entrypoint.sh            Up (healthy)                                                     
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp                         
harbor-portal       nginx -g daemon off;             Up (healthy)                                                     
nginx               nginx -g daemon off;             Up (healthy)   0.0.0.0:80->8080/tcp,:::80->8080/tcp,             
                                                                    0.0.0.0:443->8443/tcp,:::443->8443/tcp            
redis               redis-server /etc/redis.conf     Up (healthy)                                                     
registry            /home/harbor/entrypoint.sh       Up (healthy)                                                     
registryctl         /home/harbor/start.sh            Up (healthy) 

All services are healthy.

3.5 Error encountered: Network harbor_harbor Error

# Following this document you will not see this error; I hit it because I stopped the firewall only after Docker had been installed
 ✘ Network harbor_harbor  Error                                                                                  0.0s 
failed to create network harbor_harbor: Error response from daemon: Failed to Setup IP tables: Unable to enable SKIP DNAT rule:  (iptables failed: iptables --wait -t nat -I DOCKER -i br-4733c61275a3 -j RETURN: iptables: No chain/target/match by that name.


# Fix
# When Docker started, the firewall had already installed its rules; if you stop the firewall while containers are running, later container operations fail with this error. Restarting Docker resolves it.

systemctl restart docker.service
# then
docker-compose up -d 

3.6 Edit the hosts file on your own computer

Add the following line to the hosts file and save it:
192.168.5.135  harbor

3.7 How to stop Harbor

[root@harbor harbor]# cd /opt/harbor
[root@harbor harbor]# docker-compose stop 

3.8 How to start Harbor

[root@harbor harbor]# cd /opt/harbor
[root@harbor harbor]# docker-compose up -d   # when started with "docker start" instead, nginx sometimes fails to come up

3.9 Using the Harbor web interface

Open https://harbor in a browser.

The browser warns because the certificate was issued by our own self-signed CA; accept the risk and continue (or import ca.pem into the browser's trust store). When the following page appears, access is working.

[image: Harbor login page]

Username: admin

Password: Harbor12345 (the default; change it after the first login)

After entering the username and password you see the following:

[image: Harbor projects page]

All base images are placed in "library", which is a public image repository.

New Project -> name the project "test" (tick the "Public" access level so the project can be used publicly)

[image: Harbor new project dialog]
[image: Harbor project created successfully]

4. Test the Harbor private image registry

4.1 Modify the Docker configuration and restart Docker

[root@harbor ~]# vim /etc/docker/daemon.json
# "insecure-registries" means Docker talks to Harbor on the internal network without verifying TLS, falling back to plain HTTP; 192.168.5.135 is the IP of the machine Harbor is installed on.
# JSON does not allow comments, so keep this note out of the file itself:
{
  "registry-mirrors": ["https://registry.docker-cn.com","https://docker.mirrors.ustc.edu.cn","http://hub-mirror.c.163.com"],
  "insecure-registries": ["192.168.5.135","harbor"]
}
[root@harbor ~]# systemctl daemon-reload && systemctl restart docker
[root@harbor ~]# systemctl status docker
# the following output means Docker restarted successfully
Active: active (running) since 二 2023-06-20 00:07:12 CST; 10h ago
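The certificate steps in part 2 and the daemon.json step in 4.1 can be combined into a more robust form. The CSRs above are filled in interactively and carry only a CN, and the registry is then listed under "insecure-registries", which tells Docker to skip TLS verification for it. The following shell script is an added example written for this article (it is not the author's script and not part of Harbor): it issues the CA and server certificate non-interactively, adds a subjectAltName for the hostname and IP (Go-based clients such as docker ignore the CN and require a SAN), verifies the chain, and installs the CA under Docker's certs.d layout so that no "insecure-registries" entry is needed. The hostname "harbor" and IP 192.168.5.135 are taken from the article; the subject fields and the certs.d directory argument (the real location is /etc/docker/certs.d) are assumptions so the script can be exercised in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: private CA + SAN server cert for
# Harbor, chain verification, and trusting the CA on a Docker client without
# "insecure-registries". Subject fields and paths are assumptions.
set -eu

# gen_ca DIR: create ca.key / ca.pem without prompts (the post's 2.1 step).
# The CA gets a distinct CN so the leaf cert is not mistaken for self-signed.
gen_ca() {
  dir=$1
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 3072 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/C=CN/ST=BJ/L=BJ/O=Example Lab CA/CN=harbor-ca"
}

# gen_server_cert DIR HOST IP: key + CSR + CA-signed cert (the post's 2.2 and
# 2.3 steps) with a subjectAltName covering both the hostname and the IP, so
# "docker login harbor" and "docker login 192.168.5.135" both verify.
gen_server_cert() {
  dir=$1; host=$2; ip=$3
  openssl genrsa -out "$dir/$host.key" 3072 2>/dev/null
  openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/C=CN/ST=BJ/L=BJ/O=Example Lab/CN=$host"
  # extension file: mark it as a leaf server cert and add the SAN entries
  cat > "$dir/$host.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host,IP:$ip
EOF
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 3650 -extfile "$dir/$host.ext" \
    -out "$dir/$host.pem" 2>/dev/null
}

# verify_server_cert DIR HOST: 0 only if the cert chains to ca.pem and the
# DNS SAN is present; worth running before the paths go into harbor.yml.
verify_server_cert() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/ca.pem" "$dir/$host.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$host.pem" -noout -text | grep -q "DNS:$host" || return 1
}

# install_registry_ca DIR HOST CERTS_D: Docker trusts a private CA found at
# <certs.d>/<registry>/ca.crt. Install it under the name the client will use
# (hostname and IP). In production CERTS_D is /etc/docker/certs.d.
install_registry_ca() {
  dir=$1; host=$2; certs_d=$3
  mkdir -p "$certs_d/$host"
  cp "$dir/ca.pem" "$certs_d/$host/ca.crt"
}

# write_daemon_json PATH: mirrors only, no "insecure-registries", so Docker
# refuses plain-HTTP or untrusted-TLS connections to the registry.
write_daemon_json() {
  cat > "$1" <<'EOF'
{
  "registry-mirrors": ["https://registry.docker-cn.com"]
}
EOF
}

# daemon_json_is_hardened PATH: 0 if the file has no insecure-registries entry.
daemon_json_is_hardened() {
  ! grep -q '"insecure-registries"' "$1"
}

# Stand-alone run (writes into a temporary directory only).
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  gen_ca "$work/ssl"
  gen_server_cert "$work/ssl" harbor 192.168.5.135
  verify_server_cert "$work/ssl" harbor && echo "chain and SAN ok: $work/ssl/harbor.pem"
  install_registry_ca "$work/ssl" harbor "$work/certs.d"
  install_registry_ca "$work/ssl" 192.168.5.135 "$work/certs.d"
  write_daemon_json "$work/daemon.json"
  daemon_json_is_hardened "$work/daemon.json" && echo "daemon.json has no insecure-registries"
fi
```

Run it as `sh script.sh demo`. To apply it for real, point harbor.yml at the generated harbor.pem and harbor.key, copy the certs.d directories to /etc/docker/certs.d on every Docker client, and leave "insecure-registries" out of daemon.json; docker login then performs full TLS verification against your own CA.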

4.2 Log in to Harbor from the docker command line (if you have other Docker machines, they can log in remotely over the internal network)

[root@harbor ~]# docker login 192.168.5.135
Username: admin
Password: Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
# login succeeded

4.3 Pull the tomcat image with docker

Here I pull tomcat from Docker Hub for the test.

[root@harbor ~]# docker pull tomcat
Using default tag: latest
latest: Pulling from library/tomcat
0e29546d541c: Pull complete 
9b829c73b52b: Pull complete 
cb5b7ae36172: Pull complete 
6494e4811622: Pull complete 
668f6fcc5fa5: Pull complete 
dc120c3e0290: Pull complete 
8f7c0eebb7b1: Pull complete 
77b694f83996: Pull complete 
0f611256ec3a: Pull complete 
4f25def12f23: Pull complete 
Digest: sha256:9dee185c3b161cdfede1f5e35e8b56ebc9de88ed3a79526939701f3537a52324
Status: Downloaded newer image for tomcat:latest
docker.io/library/tomcat:latest 

# tag the tomcat image with the Harbor address and the test project
[root@harbor ~]# docker tag tomcat:latest  192.168.5.135/test/tomcat:v1
[root@harbor ~]# docker push 192.168.5.135/test/tomcat:v1
# the command above uploads 192.168.5.135/test/tomcat:v1 into the test project in Harbor
The push refers to repository [192.168.5.135/test/tomcat]
3e2ed6847c7a: Pushed 
bd2befca2f7e: Pushed 
59c516e5b6fa: Pushed 
3bb5258f46d2: Pushed 
832e177bb500: Pushed 
f9e18e59a565: Pushed 
26a504e63be4: Pushed 
8bf42db0de72: Pushed 
31892cc314cb: Pushed 
11936051f93b: Pushed 
v1: digest: sha256:e6d65986e3b0320bebd85733be1195179dbce481201a6b3c1ed27510cfa18351 size: 2422

Open the Harbor console to check:

[image: Harbor test project showing the pushed image]

4.4 Pull the image from the Harbor registry

# delete the local copy of the image on the harbor machine
[root@harbor ~]# docker rmi -f 192.168.5.135/test/tomcat:v1
Untagged: 192.168.5.135/test/tomcat:v1
Untagged: 192.168.5.135/test/tomcat@sha256:e6d65986e3b0320bebd85733be1195179dbce481201a6b3c1ed27510cfa18351 
# pull the image again, this time from the Harbor registry
[root@harbor ~]# docker pull 192.168.5.135/test/tomcat:v1
v1: Pulling from test/tomcat
Digest: sha256:e6d65986e3b0320bebd85733be1195179dbce481201a6b3c1ed27510cfa18351
Status: Downloaded newer image for 192.168.5.135/test/tomcat:v1
192.168.5.135/test/tomcat:v1 

# pulling images from your own Harbor is fast
