Harbor private image registry

# Create your own CA certificate
[root@harbor-master ~]# mkdir -p /data/ssl
[root@harbor-master ~]# cd /data/ssl
[root@harbor-master ssl]# which openssl
/usr/bin/openssl
[root@harbor-master ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
…++
…++
writing new private key to 'ca.key'

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [XX]:CN # country
State or Province Name (full name) []:Beijing # region
Locality Name (eg, city) [Default City]:Beijing # city
Organization Name (eg, company) [Default Company Ltd]:yunjisuan # company name
Organizational Unit Name (eg, section) []:yunjisuan
Common Name (eg, your name or your server's hostname) []:www.yunjisuan.com # domain name
Email Address []: # press Enter
# Generate the certificate signing request
[root@harbor-master ssl]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.yunjisuan.com.key -out www.yunjisuan.com.csr
Generating a 4096 bit RSA private key
…++
…++
writing new private key to 'www.yunjisuan.com.key'

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:yunjisuan
Organizational Unit Name (eg, section) []:yunjisuan
Common Name (eg, your name or your server's hostname) []:www.yunjisuan.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@harbor-master ssl]#
# Generate the certificate for the registry host
[root@harbor-master ssl]# openssl x509 -req -days 365 -in www.yunjisuan.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.yunjisuan.com.crt
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=yunjisuan/OU=yunjisuan/CN=www.yunjisuan.com
Getting CA Private Key
# Check the generated certificate files
[root@harbor-master ssl]# ls
ca.crt ca.srl www.yunjisuan.com.csr
ca.key www.yunjisuan.com.crt www.yunjisuan.com.key
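
The files produced by the three steps above can be checked before they are handed to Harbor. The following is an added example, not part of the original post: it repeats the issuance non-interactively with `-subj`, then verifies the chain, the key pairing and the host name. `make_bundle` and `check_bundle` are hypothetical names, and the CA is given its own constructed CN (`yunjisuan-ca`) so that issuer and subject differ.

```shell
#!/bin/sh
# Added example, not from the original post. make_bundle and check_bundle are
# hypothetical helper names; the CA CN "yunjisuan-ca" is a constructed value.

# make_bundle DIR HOST [BITS]: the three openssl steps above, with -subj in
# place of the interactive prompts. BITS defaults to the page's 4096.
make_bundle() {
    dir=$1; host=$2; bits=${3:-4096}
    dn="/C=CN/ST=Beijing/L=Beijing/O=yunjisuan/OU=yunjisuan"
    ( cd "$dir" &&
      openssl req -newkey "rsa:$bits" -nodes -sha256 -keyout ca.key \
          -x509 -days 365 -subj "$dn/CN=yunjisuan-ca" -out ca.crt &&
      openssl req -newkey "rsa:$bits" -nodes -sha256 -keyout "$host.key" \
          -subj "$dn/CN=$host" -out "$host.csr" &&
      openssl x509 -req -days 365 -in "$host.csr" -CA ca.crt -CAkey ca.key \
          -CAcreateserial -out "$host.crt" ) >/dev/null 2>&1
}

# check_bundle DIR HOST: print one finding per line. Returns 0 only when the
# chain, the key pairing and the host name all check out.
check_bundle() {
    dir=$1; host=$2; rc=0
    crt="$dir/$host.crt"
    openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL chain: $host.crt does not verify against ca.crt"; rc=1; }
    # The key belongs to the certificate when both yield the same public key.
    pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    [ -n "$pub" ] &&
        [ "$pub" = "$(openssl pkey -in "$dir/$host.key" -pubout 2>/dev/null)" ] \
        || { echo "FAIL key: $host.key does not match $host.crt"; rc=1; }
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null \
        | grep -q "does match" \
        || { echo "FAIL name: $host.crt is not valid for $host"; rc=1; }
    # The CSR carries no subjectAltName and x509 -req adds none; clients that
    # ignore the CN (Go 1.15 and later, so current Docker) reject such a cert.
    openssl x509 -in "$crt" -noout -text 2>/dev/null \
        | grep -q "Subject Alternative Name" \
        || echo "WARN san: $host.crt has no subjectAltName"
    return "$rc"
}
```

For the files created above, the call is `check_bundle /data/ssl www.yunjisuan.com`.
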
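3. Trust the self-signed domain certificate

Because we issued the CA certificate ourselves, the Linux operating system does not trust it, so we need to add the certificate to the system's trusted certificates.
# Add the self-signed CA certificate to the system trust store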
[root@harbor-master ssl]# pwd
/data/ssl
[root@harbor-master ssl]# cp www.yunjisuan.com.crt /etc/pki/ca-trust/source/anchors/ # copying it here makes this host trust the certificate first
# Make the system CA trust settings take effect immediately
[root@harbor-master ssl]# update-ca-trust enable
[root@harbor-master ssl]# update-ca-trust extract
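4. Configuring and installing Harbor 1.4

4.1 Install Docker CE (Community Edition)

For the installation procedure, see the Docker documentation.

Because my Docker was installed first, it needs to be restarted.
# Check the SELinux status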
[root@harbor-master ssl]# sestatus
SELinux status: disabled

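Turn off the firewall and the like! Steps omitted.

# Restart Docker
[root@harbor-master ssl]# systemctl restart docker
4.2 Download and install the Harbor private registry

# Create the Harbor certificate directory and copy the files into it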
[root@harbor-master ssl]# mkdir -p /etc/ssl/harbor
[root@harbor-master ssl]# cp /data/ssl/www.yunjisuan.com.key /etc/ssl/harbor/
[root@harbor-master ssl]# cp /data/ssl/www.yunjisuan.com.crt /etc/ssl/harbor/
[root@harbor-master ssl]# ll /etc/ssl/harbor/
total 8
-rw-r--r-- 1 root root 1931 Dec 6 03:04 www.yunjisuan.com.crt
-rw-r--r-- 1 root root 3272 Dec 6 03:04 www.yunjisuan.com.key
# Create the Harbor download directory and download harbor-offline-installer-v1.5.0.tgz
[root@wbq-harbor-master ssl]# mkdir -p /data/install
[root@wbq-harbor-master ssl]# cd /data/install
[root@wbq-harbor-master install]# pwd
/data/install
[root@wbq-harbor-master install]# which wget
/usr/bin/wget
[root@wbq-harbor-master install]# wget http://harbor.orientsoft.cn/harbor-v1.5.0/harbor-offline-installer-v1.5.0.tgz
[root@wbq-harbor-master install]# ls
harbor-offline-installer-v1.5.0.tgz
[root@wbq-harbor-master install]# tar xf harbor-offline-installer-v1.5.0.tgz
[root@wbq-harbor-master install]# ls
harbor harbor-offline-installer-v1.5.0.tgz
[root@wbq-harbor-master install]# cd harbor
[root@wbq-harbor-master harbor]# ll
total 854960
drwxr-xr-x 3 root root 23 Dec 6 03:15 common
-rw-r--r-- 1 root root 1185 May 2 2018 docker-compose.clair.yml
-rw-r--r-- 1 root root 1725 May 2 2018 docker-compose.notary.yml
-rw-r--r-- 1 root root 3596 May 2 2018 docker-compose.yml
drwxr-xr-x 3 root root 156 May 2 2018 ha
-rw-r--r-- 1 root root 6687 May 2 2018 harbor.cfg
-rw-r--r-- 1 root root 875401338 May 2 2018 harbor.v1.5.0.tar.gz
-rwxr-xr-x 1 root root 5773 May 2 2018 install.sh
-rw-r--r-- 1 root root 10771 May 2 2018 LICENSE
-rw-r--r-- 1 root root 482 May 2 2018 NOTICE
-rwxr-xr-x 1 root root 27379 May 2 2018 prepare
[root@wbq-harbor-master harbor]# cp harbor.cfg{,.bak}
# Edit the harbor.cfg configuration file
[root@wbq-harbor-master harbor]# cat -n harbor.cfg | sed -n '7p;11p;23p;24p;68p'
7 hostname = reg.mydomain.com # change this to the domain name on our certificate
11 ui_url_protocol = http # enable the encrypted transport protocol https
23 ssl_cert = /data/cert/server.crt # certificate location
24 ssl_cert_key = /data/cert/server.key # certificate key location
68 harbor_admin_password = Harbor12345 # default administrator password
# Change it to the following configuration
[root@wbq-harbor-master harbor]# cat -n harbor.cfg | sed -n '7p;11p;23p;24p;68p'
7 hostname = www.yunjisuan.com
11 ui_url_protocol = https
23 ssl_cert = /etc/ssl/harbor/www.yunjisuan.com.crt
24 ssl_cert_key = /etc/ssl/harbor/www.yunjisuan.com.key
68 harbor_admin_password = Harbor12345
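
The five settings shown above can be audited before `install.sh` is run. The following is an added example, not part of the original post or of Harbor itself; `cfg_get` and `audit_harbor_cfg` are hypothetical helper names. It reads the `key = value` lines of `harbor.cfg` and reports the template host name, plain http, the default admin password, missing certificate files, and a private key readable by users other than its owner (as in the `-rw-r--r--` listing of /etc/ssl/harbor above).

```shell
#!/bin/sh
# Added example, not from the original post. cfg_get and audit_harbor_cfg are
# hypothetical helper names.

# cfg_get FILE KEY: value of the first uncommented "KEY = value" line.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# audit_harbor_cfg FILE: print one line per finding and return their count.
audit_harbor_cfg() {
    cfg=$1; n=0
    [ "$(cfg_get "$cfg" hostname)" != "reg.mydomain.com" ] \
        || { echo "hostname: still the template value"; n=$((n + 1)); }
    [ "$(cfg_get "$cfg" ui_url_protocol)" = "https" ] \
        || { echo "ui_url_protocol: not https"; n=$((n + 1)); }
    [ "$(cfg_get "$cfg" harbor_admin_password)" != "Harbor12345" ] \
        || { echo "harbor_admin_password: still the default"; n=$((n + 1)); }
    for k in ssl_cert ssl_cert_key; do
        f=$(cfg_get "$cfg" "$k")
        [ -f "$f" ] || { echo "$k: $f does not exist"; n=$((n + 1)); }
    done
    key=$(cfg_get "$cfg" ssl_cert_key)
    if [ -f "$key" ]; then
        # Characters 5-10 of the ls mode string are the group and other bits.
        [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] \
            || { echo "ssl_cert_key: $key is accessible beyond its owner"
                 n=$((n + 1)); }
    fi
    return "$n"
}
```
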
# Install the docker-compose command (version 1.21 required)
[root@wbq-harbor-master harbor]# curl -L https://github.com/docker/compose/releases/download/1.21.2/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
[root@wbq-harbor-master harbor]# ll /usr/local/bin/docker-compose
-rw-r--r-- 1 root root 10858808 Dec 6 03:31 /usr/local/bin/docker-compose
[root@wbq-harbor-master harbor]# chmod +x /usr/local/bin/docker-compose
[root@wbq-harbor-master harbor]# which docker-compose
/usr/local/bin/docker-compose
[root@wbq-harbor-master harbor]# docker-compose --version
docker-compose version 1.21.2, build a133471
# Install the Harbor private image registry
[root@wbq-harbor-master harbor]# pwd
/data/install/harbor
[root@wbq-harbor-master harbor]# ./install.sh --with-notary --with-clair # --with-notary enables image signing; --with-clair enables vulnerability scanning
# List the containers Harbor started
[root@wbq-harbor-master harbor]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
be5fcf3a1930 vmware/harbor-jobservice:v1.5.0 "/harbor/start.sh" About a minute ago Up 50 seconds harbor-jobservice
ad2f90bb84c3 vmware/nginx-photon:v1.5.0 "nginx -g 'daemon of…" About a minute ago Up About a minute (healthy) 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp nginx
d782fcc8ce01 vmware/notary-server-photon:v0.5.1-v1.5.0 "/bin/server-start.sh" About a minute ago Up About a minute notary-server
a8edc1ccca5f vmware/clair-photon:v2.0.1-v1.5.0 "/docker-entrypoint.…" About a minute ago Up 46 seconds (healthy) 6060-6061/tcp clair
edb4a9a4c11e vmware/harbor-ui:v1.5.0 "/harbor/start.sh" About a minute ago Up About a minute (healthy) harbor-ui
2db41616f8e3 vmware/notary-signer-photon:v0.5.1-v1.5.0 "/bin/signer-start.sh" About a minute ago Up About a minute notary-signer
fa7b3e5f6f24 vmware/postgresql-photon:v1.5.0 "/entrypoint.sh post…" About a minute ago Up About a minute (healthy) 5432/tcp clair-db
1401200b682e vmware/harbor-adminserver:v1.5.0 "/harbor/start.sh" About a minute ago Up About a minute (healthy) harbor-adminserver
0b37da8995e3 vmware/redis-photon:v1.5.0 "docker-entrypoint.s…" About a minute ago Up About a minute 6379/tcp redis
aab6d323c577 vmware/harbor-db:v1.5.0 "/usr/local/bin/dock…" About a minute ago Up About a minute (healthy) 3306/tcp harbor-db
bfbdb8a623e4 vmware/registry-photon:v2.6.2-v1.5.0 "/entrypoint.sh serv…" About a minute ago Up About a minute (healthy) 5000/tcp registry
f29345823b5a vmware/mariadb-photon:v1.5.0 "/usr/local/bin/dock…" About a minute ago Up About a minute 3306/tcp notary-db
3756f90a2271 vmware/harbor-log:v1.5.0 "/bin/sh -c /usr/loc…" About a minute ago Up About a minute (healthy) 127.0.0.1:1514->10514/tcp harbor-log

Test access through a browser
https://192.168.200.138
