# Setting up an enterprise private Docker image registry with Harbor

This article describes how to set up Harbor as an enterprise-grade private image registry and how to use it.

## Setting up the Harbor registry

### Install Docker and docker-compose

```
# curl -fsSL https://get.docker.com/ | sh
# systemctl start docker
# systemctl enable docker
# curl -L https://github.com/docker/compose/releases/download/1.19.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
# chmod +x /usr/local/bin/docker-compose
```

### Download the Harbor installer package

```
# wget https://github.com/goharbor/harbor/releases/download/v2.0.0/harbor-offline-installer-v2.0.0.tgz
# tar -zxvf harbor-offline-installer-v2.0.0.tgz
# mv harbor /opt/
# cd /opt/harbor
# cp harbor.yml.tmpl harbor.yml
```

### Configure certificates for HTTPS access

1. Create the directory that will hold the root certificate (/etc/docker/certs.d/reg.niewx.club) and change into it

   ```
   $ mkdir -p /etc/docker/certs.d/reg.niewx.club && cd /etc/docker/certs.d/reg.niewx.club
   ```
2. Create your own CA private key (instead of using a third-party certificate authority, you act as the CA yourself)

   ```
   $ openssl genrsa -out ca.key 2048
   ```
3. Generate the self-signed root certificate (issued with the existing private key ca.key)

   ```
   $ openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt -subj "/CN=Harbor-ca"
   ```
4. Generate the server private key and a CSR (certificate signing request)

   ```
   $ openssl req -newkey rsa:4096 -nodes -sha256 -keyout server.key -out server.csr
   ```
5. Issue the server certificate

   ```
   echo subjectAltName = IP:49.235.179.157 > extfile.cnf
   openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -extfile extfile.cnf -out server.crt
   ```
6. The resulting certificate files are as follows

   ```
   [root@VM_0_13_centos reg.niewx.club]# ls
   ca.crt ca.key ca.srl extfile.cnf server.crt server.csr server.key
   ```

### Edit the Harbor configuration

```
[root@VM_0_13_centos harbor]# cat harbor.yml
# Configuration file of Harbor
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 1.1.1.1
# http related config
#http:
 # port for http, default is 80. If https enabled, this port will redirect to https port
# port: 80
# https related config
https:
 # https port for harbor, default is 443
 port: 443
 # The path of cert and key files for nginx
 certificate: /etc/docker/certs.d/reg.niewx.club/server.crt
 private_key: /etc/docker/certs.d/reg.niewx.club/server.key
# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
# # set enabled to true means internal tls is enabled
# enabled: true
# # put your cert and key files on dir
# dir: /etc/harbor/tls/internal
# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433
# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: 123456
```

The items that need changing are the uncommented ones above: `hostname`, the `https` section with the `certificate` and `private_key` paths, and `harbor_admin_password`.

### Start Harbor

```
# cd /opt/harbor
# ./prepare
# ./install.sh --with-clair    # enables the Clair vulnerability scanner
```

![upload-image](/files/-MN2J8OEatTyan1mqsty)

If the startup log looks like the above, Harbor started successfully.

If you change configuration items and need to restart Harbor, simply run the following commands again:

```
# cd /opt/harbor
# ./prepare
# ./install.sh --with-clair    # enables the Clair vulnerability scanner
```

## Using the Harbor registry

### Logging in to Harbor and creating a project

The default account is admin; the password is the one you set in the configuration earlier.

![upload-image](/files/-MN2J8OFPkBaKlwnB3HR)

Under Projects there is a default public project, library, to which everyone can upload and from which everyone can download images.

![upload-image](/files/-MN2J8OG1k8uRacjFJzb)

Click New Project, enter the project name, and set the storage quota and whether the project is public.

![upload-image](/files/-MN2J8OHhKIpt1EIYS-o)

Open the project's image repositories; from there you can also view the push command used to push images.

![upload-image](/files/-MN2J8OIsMrEZ6XaQGlZ)

### Pushing images from a client

First, the Docker daemon on the client must be configured with the registry address:

```
[root@node1 ~]# cat /etc/docker/daemon.json
{
 "insecure-registries": ["https://1.1.1.1"],
 "registry-mirrors": ["https://yywkvob3.mirror.aliyuncs.com"],
 "exec-opts": ["native.cgroupdriver=systemd"]
}
# systemctl daemon-reload && systemctl restart docker
# docker login 1.1.1.1 -u admin -p *****
# docker tag busybox:latest 1.1.1.1/library/busybox:latest
# docker push 1.1.1.1/library/busybox:latest
```
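The certificate steps earlier and this client configuration can be tightened together. The script below is an added example, not from the original article: it repeats the article's openssl steps but puts both the DNS name and the IP into the SAN, checks that server.crt chains to ca.crt and carries the expected name, and installs ca.crt under Docker's certs.d directory so the client verifies TLS instead of listing the registry in `insecure-registries`. The hostname reg.example.internal, the IP 10.0.0.5 and the output directories are constructed values.

```shell
#!/bin/sh
# Added example, not from the article: generate a CA and a server certificate
# whose SAN covers both the DNS name and the IP, verify the chain, and install
# the CA for a Docker client. Hostname, IP and directories are parameters
# chosen here, not the article's values.
set -eu

# gen_registry_certs OUTDIR HOSTNAME IP
# Same openssl steps as the article, but signs with a DNS+IP SAN and a
# matching CN, so the registry can be reached by either name over TLS.
gen_registry_certs() {
  outdir=$1; host=$2; ip=$3
  mkdir -p "$outdir"
  openssl genrsa -out "$outdir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$outdir/ca.key" -days 10000 \
    -subj "/CN=Harbor-ca" -out "$outdir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:4096 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$outdir/server.key" -out "$outdir/server.csr" 2>/dev/null
  printf 'subjectAltName = DNS:%s,IP:%s\n' "$host" "$ip" > "$outdir/extfile.cnf"
  openssl x509 -req -in "$outdir/server.csr" -CA "$outdir/ca.crt" \
    -CAkey "$outdir/ca.key" -CAcreateserial -days 365 \
    -extfile "$outdir/extfile.cnf" -out "$outdir/server.crt" 2>/dev/null
}

# verify_registry_cert OUTDIR NAME
# Succeeds only if server.crt chains to ca.crt AND its SAN lists NAME; a
# certificate whose SAN lacks the name clients use is rejected by Docker.
verify_registry_cert() {
  outdir=$1; name=$2
  openssl verify -CAfile "$outdir/ca.crt" "$outdir/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$outdir/server.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -Fq "$name"
}

# install_client_ca OUTDIR HOST [CERTS_DIR]
# Docker trusts a registry's CA when it finds <certs_dir>/<host>/ca.crt, so
# clients verify TLS instead of listing the registry in "insecure-registries".
install_client_ca() {
  outdir=$1; host=$2; certs_dir=${3:-/etc/docker/certs.d}
  mkdir -p "$certs_dir/$host"
  cp "$outdir/ca.crt" "$certs_dir/$host/ca.crt"
}

# Demo with constructed values: sh script.sh demo
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  gen_registry_certs "$d" reg.example.internal 10.0.0.5
  verify_registry_cert "$d" reg.example.internal && echo "server.crt OK in $d"
  install_client_ca "$d" reg.example.internal "$d/certs.d"
fi
```

On a real client the CA belongs in /etc/docker/certs.d/<registry host>/ca.crt (the function's default location), after which the `insecure-registries` entry in daemon.json can be dropped.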

### Harbor roles and permissions

| Role          | Permissions                                                                      |
| ------------- | -------------------------------------------------------------------------------- |
| Guest         | Read-only access to the given project                                            |
| Developer     | Read and write access to the given project                                       |
| Maintainer    | Read and write access to the given project, plus creating webhooks               |
| Project Admin | In addition to read/write, management rights such as user management and image scanning |
