Sep 15, 2023
Harbor deployment (standalone)
The following describes how to build a standalone Harbor image registry.
1. Docker installation
# yum install yum-utils
# yum config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# yum clean all ; yum repolist
### On RHEL 8, remove podman and buildah first
# yum remove podman buildah
# yum install containerd.io-1.6.15-3.1.el8.x86_64.rpm \
docker-ce-20.10.8-3.el8.x86_64.rpm \
docker-ce-cli-20.10.22-3.el8.x86_64.rpm \
docker-ce-rootless-extras-20.10.22-3.el8.x86_64.rpm
# systemctl enable --now docker
# curl -SL https://github.com/docker/compose/releases/download/v2.20.0/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
# chmod +x /usr/local/bin/docker-compose
# docker-compose version
2. Create the certificates
# openssl genrsa -out ca.key 4096
# openssl req -x509 -new -nodes -sha512 -days 3650 -key ca.key -out ca.crt
...
Common Name (eg, your name or your servers hostname) []:harbor.test.example.poc.
...
# openssl genrsa -out harbor.test.example.poc.key 4096
# openssl req -sha512 -new -key harbor.test.example.poc.key -out harbor.test.example.poc.csr
...
Common Name (eg, your name or your servers hostname) []:harbor.test.example.poc
...
# vim v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.test.example.poc
# openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in harbor.test.example.poc.csr \
-out harbor.test.example.poc.crt
# mkdir -p /data/cert/
# cp -rp harbor.test.example.poc.crt harbor.test.example.poc.key /data/cert/
# ls -al /data/cert/
harbor.test.example.poc.crt
harbor.test.example.poc.key
### convert crt to cert for docker login
# cd /root/docker/certs/
# openssl x509 -inform PEM -in harbor.test.example.poc.crt -out harbor.test.example.poc.cert
### copy to docker certificate folder
# mkdir -p /etc/docker/certs.d/harbor.test.example.poc
# cp harbor.test.example.poc.cert /etc/docker/certs.d/harbor.test.example.poc
# cp harbor.test.example.poc.key /etc/docker/certs.d/harbor.test.example.poc
# cp ca.crt /etc/docker/certs.d/harbor.test.example.poc
# systemctl restart docker
3. Install Harbor
# wget https://github.com/goharbor/harbor/releases/download/v2.8.2/harbor-offline-installer-v2.8.2.tgz
# tar zxvf harbor-offline-installer-v2.8.2.tgz
# cd /data/harbor/
# cp harbor.yml.tmpl harbor.yml
# vim harbor.yml
hostname: harbor.test.example.poc   # the host Harbor is deployed on
external_url: https://harbor.test.example.poc
http:                               # do not use in a production environment
  port: 80
https:
  port: 443
  certificate: /data/cert/harbor.test.example.poc.crt   # SSL certificate
  private_key: /data/cert/harbor.test.example.poc.key   # SSL key
harbor_admin_password: Harbor12345  # password for the first login to Harbor (default admin/Harbor12345)
# ./install.sh --with-notary --with-trivy
=> confirm that every container reports a healthy state
# docker-compose ps
# docker login harbor.test.example.poc
Username: admin
Password: Harbor12345
### create the new project (test) from the web UI first
# docker tag goharbor/redis-photon:v2.4.3 harbor.test.example.poc/test/redis-photon:v2.4.3
# docker images
# docker push harbor.test.example.poc/test/redis-photon:v2.4.3
# docker rmi harbor.test.example.poc/test/redis-photon:v2.4.3
# docker pull harbor.test.example.poc/test/redis-photon:v2.4.3
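Before running `./install.sh`, it is worth checking harbor.yml against the certificate that was just issued. The following POSIX shell script is an added example and not part of the original post or of Harbor itself; its function names and the sample files it constructs are its own. It reads `hostname`, `certificate`, `private_key` and `harbor_admin_password` from harbor.yml, confirms the certificate files exist, confirms the `[alt_names]` section of the v3.ext used to sign the certificate actually lists the hostname (a single typo there, such as `habor`, makes every `docker pull` fail with a TLS error), and flags the two settings this post warns about: the plain-text `http:` listener and the default admin password.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-install sanity check
# for harbor.yml and the v3.ext used to sign the server certificate.
# Function names are this example's own; the sample files are constructed.

# yaml_value FILE KEY -> value of the first "KEY:" line at any indentation,
# with any trailing "# comment" and surrounding double quotes removed.
yaml_value() {
    awk -v key="$2" '
        $0 ~ ("^[ \t]*" key ":") {
            sub("^[ \t]*" key ":[ \t]*", "")
            sub("[ \t]*#.*$", "")
            gsub(/^"|"$/, "")
            print; exit
        }' "$1"
}

# san_names EXTFILE -> one DNS.N value per line from the [alt_names] section
san_names() {
    awk '/^\[alt_names\]/ { in_alt = 1; next }
         /^\[/            { in_alt = 0 }
         in_alt && /^[ \t]*DNS\.[0-9]+[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print
         }' "$1"
}

# audit_harbor_yml HARBOR_YML V3_EXT -> 0 when clean, 1 when anything is flagged
audit_harbor_yml() {
    yml="$1"; ext="$2"; findings=0
    host=$(yaml_value "$yml" hostname)
    cert=$(yaml_value "$yml" certificate)
    key=$(yaml_value "$yml" private_key)
    pw=$(yaml_value "$yml" harbor_admin_password)

    [ -n "$host" ] || { echo "FAIL: hostname is not set"; findings=1; }
    [ -f "$cert" ] || { echo "FAIL: certificate file not found: $cert"; findings=1; }
    [ -f "$key" ]  || { echo "FAIL: private_key file not found: $key"; findings=1; }
    # Docker and browsers match the hostname against the SAN list, not the CN,
    # so a misspelled DNS.N entry turns every pull into a certificate error.
    if ! san_names "$ext" | grep -qxF "$host"; then
        echo "FAIL: $ext [alt_names] does not list $host"; findings=1
    fi
    if grep -q '^http:' "$yml"; then
        echo "WARN: plain-text http: listener is enabled; remove the block before production"; findings=1
    fi
    [ -n "$pw" ] && [ "$pw" != "Harbor12345" ] \
        || { echo "FAIL: harbor_admin_password is empty or still the default"; findings=1; }
    return $findings
}

# make_demo_config DIR -> constructed copies of the post's files: placeholder
# cert/key, a v3.ext with the "habor" typo, a corrected v3.ext, and a
# "before" and "after" harbor.yml.
make_demo_config() {
    dir="$1"
    mkdir -p "$dir/cert"
    echo "placeholder certificate (constructed)" > "$dir/cert/harbor.test.example.poc.crt"
    echo "placeholder key (constructed)"         > "$dir/cert/harbor.test.example.poc.key"
    printf '%s\n' 'subjectAltName = @alt_names' '[alt_names]' 'DNS.1=habor.test.example.poc'  > "$dir/v3-typo.ext"
    printf '%s\n' 'subjectAltName = @alt_names' '[alt_names]' 'DNS.1=harbor.test.example.poc' > "$dir/v3.ext"
    cat > "$dir/harbor-bad.yml" <<EOF
hostname: harbor.test.example.poc
external_url: https://harbor.test.example.poc
http:
  port: 80
https:
  port: 443
  certificate: $dir/cert/test.example.poc.cert   # path that does not exist
  private_key: $dir/cert/test.example.poc.key
harbor_admin_password: Harbor12345
EOF
    cat > "$dir/harbor-good.yml" <<EOF
hostname: harbor.test.example.poc
external_url: https://harbor.test.example.poc
https:
  port: 443
  certificate: $dir/cert/harbor.test.example.poc.crt
  private_key: $dir/cert/harbor.test.example.poc.key
harbor_admin_password: "CHANGE-ME-to-a-strong-passphrase"
EOF
}

# Demo on constructed files; nothing here touches the real /data or /etc.
demo=$(mktemp -d)
make_demo_config "$demo"
echo "== before"
audit_harbor_yml "$demo/harbor-bad.yml" "$demo/v3-typo.ext" || echo "-> fix these before ./install.sh"
echo "== after"
audit_harbor_yml "$demo/harbor-good.yml" "$demo/v3.ext" && echo "-> clean"
rm -rf "$demo"
```

On a real host run `audit_harbor_yml /data/harbor/harbor.yml /path/to/v3.ext` from the directory where the certificates were generated; a non-zero exit means something above still needs fixing before the installer is run.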
4. Let other clients log in to Harbor as well
# scp -rp /data/harbor/cert/ca.crt root@192.168.100.11:/root/
# cp /root/ca.crt /etc/pki/ca-trust/source/anchors/
# update-ca-trust
# docker login harbor.test.example.poc:8443
Username: admin
Password:
Login Succeeded!
# docker images
# podman pull harbor.test.example.poc/test/redis-photon:v2.4.3
※ Browser
https://harbor.test.example.poc:8443
### confirm the CA certificate on the node
### Podman looks for the CA in a different path than Docker (/etc/containers/certs.d/)
[worker01]# mkdir /etc/containers/certs.d/harbor.test.example.poc/
[harbor]# scp -rp ca.crt root@worker01:/etc/containers/certs.d/harbor.test.example.poc/
[worker01]# podman pull harbor.test.example.poc/example/nginx:latest
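Because Docker and Podman read the registry CA from different directories, it is easy to set up one runtime and forget the other. The following POSIX shell script is an added example, not part of the original post: it installs the CA into both `/etc/docker/certs.d/<host>/ca.crt` and `/etc/containers/certs.d/<host>/ca.crt`, refuses a file that contains a private key (only the public CA certificate belongs on a client), and verifies both copies are present and identical. The optional ROOT argument prefixes every path so the functions can be dry-run in a scratch directory; the function names and the placeholder PEM are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: install a private registry's
# CA for Docker and Podman on a client and verify it. Function names and the
# placeholder PEM below are this example's own.

# install_registry_ca CA_FILE REGISTRY_HOST [ROOT]
# REGISTRY_HOST must be exactly what the client types, port included
# (e.g. harbor.test.example.poc:8443), because both runtimes key the
# certs.d directory on the host[:port] string.
install_registry_ca() {
    ca="$1"; host="$2"; root="${3:-}"
    # Only the public CA certificate belongs on clients: refuse anything that
    # carries a private key, and anything that is not a PEM certificate.
    if grep -q 'PRIVATE KEY' "$ca"; then
        echo "refusing $ca: it contains a private key" >&2; return 2
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$ca"; then
        echo "refusing $ca: not a PEM certificate" >&2; return 2
    fi
    for dir in "$root/etc/docker/certs.d/$host" "$root/etc/containers/certs.d/$host"; do
        mkdir -p "$dir" || return 1
        cp "$ca" "$dir/ca.crt" || return 1
        chmod 0644 "$dir/ca.crt"    # the CA cert is public; world-readable is fine
    done
}

# verify_registry_ca REGISTRY_HOST [ROOT] -> 0 only if both runtimes will find
# an identical ca.crt for that registry
verify_registry_ca() {
    host="$1"; root="${2:-}"
    d="$root/etc/docker/certs.d/$host/ca.crt"
    p="$root/etc/containers/certs.d/$host/ca.crt"
    [ -f "$d" ] && [ -f "$p" ] && cmp -s "$d" "$p"
}

# make_demo_ca FILE -> writes a constructed placeholder PEM (not a real cert)
make_demo_ca() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
placeholder-body-constructed-for-this-example
-----END CERTIFICATE-----
EOF
}

# Demo in a scratch root; on a real client omit ROOT so the paths land in /etc.
scratch=$(mktemp -d)
make_demo_ca "$scratch/ca.crt"
install_registry_ca "$scratch/ca.crt" harbor.test.example.poc "$scratch" \
    && verify_registry_ca harbor.test.example.poc "$scratch" \
    && echo "CA installed for docker and podman under $scratch"
find "$scratch/etc" -name ca.crt
rm -rf "$scratch"
```

The certs.d directories only cover the container runtimes; for the browser and curl the CA still has to go into the system trust store (`/etc/pki/ca-trust/source/anchors/` followed by `update-ca-trust`), as in the scp and update-ca-trust steps above.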