11.部署 harbor 私有仓库

    本文档用到的变量定义如下:

    下载文件

    从 docker compose 下载最新的 二进制文件

    1. $ wget https://github.com/docker/compose/releases/download/1.21.2/docker-compose-Linux-x86_64
    2. $ mv ~/docker-compose-Linux-x86_64 /opt/k8s/bin/docker-compose
    3. $ chmod a+x  /opt/k8s/bin/docker-compose
    4. $ export PATH=/opt/k8s/bin:$PATH
    5. $

    从 harbor 发布页面下载最新的 harbor 离线安装包

    1. $ wget  --continue https://storage.googleapis.com/harbor-releases/release-1.5.0/harbor-offline-installer-v1.5.1.tgz
    2. $ tar -xzvf harbor-offline-installer-v1.5.1.tgz
    3. $

    导入 docker images

    导入离线安装包中 harbor 相关的 docker images:

    1. $ cd harbor
    2. $ docker load -i harbor.v1.5.1.tar.gz
    3. $

    创建 harbor 证书签名请求:

    • hosts 字段指定授权使用该证书的当前部署节点 IP,如果后续使用域名访问 harbor 则还需要添加域名;

    生成 harbor 证书和私钥:

    1. $ cfssl gencert -ca=/etc/kubernetes/cert/ca.pem \
    2.   -ca-key=/etc/kubernetes/cert/ca-key.pem \
    3.   -config=/etc/kubernetes/cert/ca-config.json \
    4.   -profile=kubernetes harbor-csr.json | cfssljson -bare harbor
    6. $ ls harbor*
    7. harbor.csr  harbor-csr.json  harbor-key.pem harbor.pem
    9. $ sudo mkdir -p /etc/harbor/ssl
    10. $ sudo mv harbor*.pem /etc/harbor/ssl
    11. $ rm harbor.csr  harbor-csr.json

    修改 harbor.cfg 文件

    1. $ cp harbor.cfg{,.bak}
    2. $ vim harbor.cfg
    3. $ diff harbor.cfg{,.bak}
    4. 7c7
    5. < hostname = 172.27.129.81
    6. ---
    7. > hostname = reg.mydomain.com
    8. 11c11
    9. < ui_url_protocol = https
    10. ---
    11. > ui_url_protocol = http
    12. < ssl_cert =  /etc/harbor/ssl/harbor.pem
    13. < ssl_cert_key = /etc/harbor/ssl/harbor-key.pem
    14. ---
    15. > ssl_cert = /data/cert/server.crt
    16. > ssl_cert_key = /data/cert/server.key
    18. $ cp prepare{,.bak}
    19. $ vim prepare
    20. $ diff prepare{,.bak}
    22. >         print("%s %w", args, kw)
    23. 490c491
    24. <     empty_subj = "/"
    25. ---
    26. >     empty_subj = "/C=/ST=/L=/O=/CN=/"

    • Fail to generate key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt

    参考:

    加载和启动 harbor 镜像

    1. $ sudo mkdir /data
    2. $ sudo chmod 777 /var/run/docker.sock /data
    3. $ sudo apt-get install python
    4. $ ./install.sh
    6. [Step 0]: checking installation environment ...
    8. Note: docker version: 18.03.0
    10. Note: docker-compose version: 1.21.2
    12. [Step 1]: loading Harbor images ...
    13. Loaded image: vmware/clair-photon:v2.0.1-v1.5.1
    14. Loaded image: vmware/postgresql-photon:v1.5.1
    15. Loaded image: vmware/harbor-adminserver:v1.5.1
    16. Loaded image: vmware/registry-photon:v2.6.2-v1.5.1
    17. Loaded image: vmware/photon:1.0
    18. Loaded image: vmware/harbor-migrator:v1.5.1
    19. Loaded image: vmware/harbor-ui:v1.5.1
    20. Loaded image: vmware/redis-photon:v1.5.1
    21. Loaded image: vmware/nginx-photon:v1.5.1
    22. Loaded image: vmware/mariadb-photon:v1.5.1
    23. Loaded image: vmware/notary-signer-photon:v0.5.1-v1.5.1
    24. Loaded image: vmware/harbor-log:v1.5.1
    25. Loaded image: vmware/harbor-db:v1.5.1
    26. Loaded image: vmware/harbor-jobservice:v1.5.1
    27. Loaded image: vmware/notary-server-photon:v0.5.1-v1.5.1
    29. [Step 2]: preparing environment ...
    30. loaded secret from file: /data/secretkey
    31. Generated configuration file: ./common/config/nginx/nginx.conf
    32. Generated configuration file: ./common/config/adminserver/env
    33. Generated configuration file: ./common/config/ui/env
    34. Generated configuration file: ./common/config/registry/config.yml
    35. Generated configuration file: ./common/config/db/env
    36. Generated configuration file: ./common/config/jobservice/env
    37. Generated configuration file: ./common/config/jobservice/config.yml
    39. Generated configuration file: ./common/config/jobservice/config.yml
    40. Generated configuration file: ./common/config/ui/app.conf
    41. Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
    42. The configuration files are ready, please use docker-compose to start the service.
    45. [Step 3]: checking existing instance of Harbor ...
    48. [Step 4]: starting Harbor ...
    49. Creating network "harbor_harbor" with the default driver
    50. Creating harbor-log ... done
    51. Creating redis              ... done
    52. Creating harbor-adminserver ... done
    53. Creating harbor-db          ... done
    54. Creating registry           ... done
    55. Creating harbor-ui          ... done
    56. Creating harbor-jobservice  ... done
    57. Creating nginx              ... done
    59.  ----Harbor has been installed and started successfully.----
    61. Now you should be able to visit the admin portal at https://172.27.129.81.
    62. For more details, please visit https://github.com/vmware/harbor .

    确认所有组件都工作正常:

    浏览器访问 https://${NODE_IP},示例的是 https://172.27.129.81

    由于是在 virtualbox 虚机 zhangjun-k8s02 中运行,所以需要做下端口转发,Vagrant 文件中已经指定 host 端口为 4443,也可以在 virtualbox 的 GUI 中直接添加端口转发:

    harbor

    harbor 运行时产生的文件、目录

    harbor 将日志打印到 /var/log/harbor 的相关目录下,使用 docker logs XXX 或 docker-compose logs XXX 将看不到容器的日志。

    1. $ # 日志目录
    2. $ ls /var/log/harbor
    3. adminserver.log  jobservice.log  mysql.log  proxy.log  registry.log  ui.log
    4. $ # 数据目录,包括数据库、镜像仓库
    5. $ ls /data/
    6. ca_download  config  database  job_logs registry  secretkey

    docker 客户端登陆

    将签署 harbor 证书的 CA 证书拷贝到 /etc/docker/certs.d/172.27.129.81 目录下

    1. $ sudo mkdir -p /etc/docker/certs.d/172.27.129.81
    2. $ sudo cp /etc/kubernetes/cert/ca.pem /etc/docker/certs.d/172.27.129.81/ca.crt
    3. $

    登陆 harbor

    1. $ docker login 172.27.129.81
    2. Password:

    认证信息自动保存到 ~/.docker/config.json 文件。

    下列操作的工作目录均为 解压离线安装文件后 生成的 harbor 目录。