docker-harbor
文章目录
TL;dr
cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
uname -a
Linux n21 4.4.189-1.el7.elrepo.x86_64 #1 SMP Sun Aug 11 08:43:49 EDT 2019 x86_64 x86_64 x86_64 GNU/Linux
###
docker version
Client: Docker Engine - Community
Version: 18.09.0
API version: 1.39
Go version: go1.10.4
Git commit: 4d60db4
Built: Wed Nov 7 00:46:51 2018
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 18.09.0
API version: 1.39 (minimum version 1.12)
Go version: go1.10.4
Git commit: 4d60db4
Built: Wed Nov 7 00:52:55 2018
OS/Arch: linux/amd64
Experimental: true
#Install Latest Stable Docker Compose Release
COMPOSEVERSION=$(curl -s https://github.com/docker/compose/releases/latest/download 2>&1 | grep -Po [0-9]+\.[0-9]+\.[0-9]+)
curl -L "https://github.com/docker/compose/releases/download/$COMPOSEVERSION/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
docker-compose version
docker-compose version 1.24.1, build 4667896b
docker-py version: 3.7.3
CPython version: 3.6.8
OpenSSL version: OpenSSL 1.1.0j 20 Nov 2018
exp
# Self-signed certificate: harbor-ca.cert、harbor-ca.key、harbor-reg-domain.cert、harbor-reg-domain.key
openssl req -nodes -new -newkey rsa:4096 -x509 -sha512 -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=harborCA" -keyout harbor-ca.key -out harbor-ca.cert -days 3650
openssl genrsa -out harbor-reg-domain.key 2048
openssl req -new -key harbor-reg-domain.key -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=reg.domain.com/emailAddress=yy@vivo.com" -out harbor-reg-domain.csr
openssl x509 -req -days 3650 -in harbor-reg-domain.csr -CA harbor-ca.cert -CAkey harbor-ca.key -CAcreateserial -out harbor-reg-domain.cert
# prepare、harbor.yml
########################################################
curl -skSL -O https://raw.githubusercontent.com/goharbor/harbor/v1.10.1/make/prepare
sed -i "s#prepare:dev#prepare:v1.10.1#g" prepare
chmod +x prepare
curl -skSL -O https://raw.githubusercontent.com/goharbor/harbor/v1.10.1/make/harbor.yml
########################################################
#sed -i "s/reg.mydomain.com/$IPorFQDN/g" harbor.yml
cp harbor.yml harbor_org.yml
sed -i "s|^hostname: .*|hostname: reg.domain.com|g" ./harbor.yml
sed -i "s|^data_volume: .*|data_volume: /data/harbor-data|g" ./harbor.yml
sed -i "s|# https:|https:|g" ./harbor.yml
sed -i "s| port: 80| port: 80|g" ./harbor.yml
sed -i "s|# port: 443| port: 443|g" ./harbor.yml
sed -i "s|^# certificate: .*| certificate: /data/harbor/harbor-reg-domain.cert|g" ./harbor.yml
sed -i "s|^# private_key: .*| private_key: /data/harbor/harbor-reg-domain.key|g" ./harbor.yml
sed -i "s|^ certificate: .*| certificate: /data/harbor/harbor-reg-domain.cert|g" ./harbor.yml
sed -i "s|^ private_key: .*| private_key: /data/harbor/harbor-reg-domain.key|g" ./harbor.yml
./prepare --with-notary --with-clair --with-chartmuseum
prepare base dir is set to /data/harbor
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated certificate, key file: /tmp/cert_tmp/notary-signer-ca.key, cert file: /tmp/cert_tmp/notary-signer-ca.crt
Generated certificate, key file: /tmp/cert_tmp/notary-signer.key, cert file: /tmp/cert_tmp/notary-signer.crt
Copying certs for notary signer
Copying nginx configuration file for notary
Generated configuration file: /config/nginx/conf.d/notary.upstream.conf
Generated configuration file: /config/nginx/conf.d/notary.server.conf
Generated configuration file: /config/notary/server-config.postgres.json
Generated configuration file: /config/notary/server_env
Generated and saved secret to file: /secret/keys/defaultalias
Generated configuration file: /config/notary/signer_env
Generated configuration file: /config/notary/signer-config.postgres.json
Generated configuration file: /config/clair/postgres_env
Generated configuration file: /config/clair/config.yaml
Generated configuration file: /config/clair/clair_env
Generated configuration file: /config/clair-adapter/env
Generated configuration file: /config/chartserver/env
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
chmod -R 777 ./common/
cat docker-compose.yml |grep image
image: goharbor/harbor-log:v1.10.1
image: goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.10.1
image: goharbor/harbor-registryctl:v1.10.1
image: goharbor/harbor-db:v1.10.1
image: goharbor/harbor-core:v1.10.1
image: goharbor/harbor-portal:v1.10.1
image: goharbor/harbor-jobservice:v1.10.1
image: goharbor/redis-photon:v1.10.1
image: goharbor/nginx-photon:v1.10.1
image: goharbor/notary-server-photon:v0.6.1-v1.10.1
image: goharbor/notary-signer-photon:v0.6.1-v1.10.1
image: goharbor/clair-photon:v2.1.1-v1.10.1
image: goharbor/clair-adapter-photon:v1.0.1-v1.10.1
image: goharbor/chartmuseum-photon:v0.9.0-v1.10.1
docker-compose up
docker-compose -f docker-compose.yml up -d
docker-compose -f docker-compose.yml logs -f
docker container ps -a |grep goharbor
docker image list|grep goharbor
# use
sudo cp harbor-ca.cert /etc/pki/ca-trust/source/anchors/
sudo yum install -y ca-certificates
sudo update-ca-trust force-enable
sudo update-ca-trust
sudo systemctl restart docker
#openssl req -newkey rsa:2048 -nodes -keyout rsa_private.key -x509 -days 365 -out cert.crt -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=reg.domain.com/emailAddress=yy@vivo.com"
# 查找project、repository
curl -u "admin:Harbor12345" -H "Content-Type: application/json" -X GET --url https://reg.domain.com:11443/api/search?q=nginx
# 查看project列表
curl -u "admin:Harbor12345" --header "Content-Type: application/json" --request GET --url https://reg.domain.com:11443/api/projects
# 获取project_id
curl -sSL -u "admin:Harbor12345" -X GET \
--header "Content-Type: application/json" \
--url https://reg.domain.com:11443/api/projects?name=testrpo |jq -r '.[0].project_id'
# 新增project
curl -u "admin:Harbor12345" \
--request POST \
--url https://reg.domain.com:11443/api/projects \
--header "Content-Type: application/json" \
--data '{"project_name":"testrpo","metadata":{"public":"false"},"count_limit":-1,"storage_limit":-1}'
# 根据project_id获取project
curl -u "admin:Harbor12345" -H "Content-Type: application/json" -X GET --url https://reg.domain.com:11443/api/projects/{project_id}
# 根据project_id删除project
curl -u "admin:Harbor12345" -H "Content-Type: application/json" -X DELETE --url https://reg.domain.com:11443/api/projects/{project_id}
docker login -u admin --password Harbor12345 reg.domain.com:11443
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://reg.domain.com:11443/v2/: x509: certificate signed by unknown authority
docker login -u admin --password Harbor12345 reg.domain.com:11443
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /home/vagrant/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
#### push example
docker pull ubuntu:14.04
docker tag ubuntu:14.04 reg.domain.com:11443/testrpo/ubuntu:14.04
docker push reg.domain.com:11443/testrpo/ubuntu:14.04
docker pull reg.domain.com:11443/testrpo/ubuntu:14.04
docker run -it --rm reg.domain.com:11443/testrpo/ubuntu:14.04 /bin/bash -c "env"
# denied: requested access to the resource is denied
for i in "alpine:3.10.3" "nginx:1.17.6" "debian:buster" "busybox:1.31.1-glibc" "busybox:1.31.1" "centos:8" "centos:7.7.1908" "python:3.7.5-buster" "node:13.2.0-buster" "node:8.16.2-buster"; do
docker pull $i
docker tag $i reg.domain.com:11443/testrpo/$i
docker push reg.domain.com:11443/testrpo/$i
done
troubleshooting
ERROR:root:Please specify hostname
ERROR:root:Error: The protocol is https but attribute ssl_cert is not set
ERROR:root:Error: the protocol must be https when Harbor is deployed with Notary
ERROR: for chartmuseum Cannot start service chartmuseum: failed to initialize logging driver: dial tcp 127.0.0.1:1514: connect: connection refused
ERROR: for portal Cannot start service portal: failed to initialize logging driver: dial tcp 127.0.0.1:1514: connect: connection refused
ERROR: for chartmuseum Cannot start service chartmuseum: failed to initialize logging driver: dial tcp 127.0.0.1:1514: connect: connection refused
ERROR: for registryctl Cannot start service registryctl: failed to initialize logging driver: dial tcp 127.0.0.1:1514: connect: connection refused
ERROR: for registry Cannot start service registry: failed to initialize logging driver: dial tcp 127.0.0.1:1514: connect: connection refused
ERROR: for postgresql Cannot start service postgresql: failed to initialize logging driver: dial tcp 127.0.0.1:1514: connect: connection refused
ERROR: Encountered errors while bringing up the project.
ERROR: for nginx Cannot start service proxy: driver failed programming external connectivity on endpoint nginx (110e6e270623c3b2e721a56b285a7a625c4a06109085a58c3de88feb3b43ecf8): Error staCreating harbor-jobservice ... done
ERROR: for proxy Cannot start service proxy: driver failed programming external connectivity on endpoint nginx (110e6e270623c3b2e721a56b285a7a625c4a06109085a58c3de88feb3b43ecf8): Error starting userland proxy: listen tcp 0.0.0.0:443: bind: address already in use
ERROR: Encountered errors while bringing up the project.
upgrade
sudo curl -L "https://github.com/docker/compose/releases/download/1.25.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
###
curl -sSfLk https://get.daocloud.io/docker/compose/releases/download/1.25.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
# 2019/12/17
v1.9.3 ---> v1.10.0
docker-componse -f docker-compose.yml down
curl -sSL -o prepare1.10.0 https://raw.githubusercontent.com/goharbor/harbor/v1.10.0/make/prepare
sed -i "s#prepare:dev#prepare:v1.10.0#g" prepare1.10.0
chmod +x prepare1.10.0
./prepare1.10.0 --with-notary --with-clair --with-chartmuseum
cp docker-compose.yml docker-compose-v1.10.0.yml
# modify logging settings
chmod -R 777 ./common/
docker-compose -f docker-compose-v1.10.0.yml up -d
helm
# TODO
helm repo add harbor https://helm.goharbor.io
helm repo update
helm fetch harbor/harbor --version 1.3.0 --untar
##
https://hub.helm.sh/charts/harbor/harbor
https://hub.helm.sh/charts/bitnami/harbor
sudo kill -SIGHUP $(pidof dockerd)
certs.d
# https://docs.docker.com/registry/insecure/#use-self-signed-certificates
# Copy the domain.crt file to /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt on every Docker host. You do not need to restart Docker.
ref
- Architecture Overview of Harbor · goharbor/harbor Wiki · GitHub
- harbor/make at master · goharbor/harbor · GitHub
- Harbor docker login x509 certificate signed by unknown authority
- HARBOR 仓库 API功能接口 - 程序员同行者 - 博客园
- ca - How to add Certificate Authority file in CentOS 7 - Stack Overflow
- https://docs.docker.com/registry/configuration/#http
- https://docs.docker.com/registry/insecure/
- https://success.docker.com/article/how-do-i-enable-debug-logging-of-the-docker-daemon
上次更新 2019-11-27
原始文档 查看本文 Markdown 版本 »