Deploying Harbor on CentOS in Docker containers, with a self-signed certificate and domain-name access

Background

In practice you end up with a great many Docker images, and your own business applications also get built into images, so those images need somewhere to live. Docker's official registry (which offers private repositories too) is fine in principle, but domestic network speeds to it are what they are. In this post we set up Harbor, a very popular self-hosted registry with a web UI; it makes the whole setup look a lot more professional in an instant.

1. Environment preparation

  1. Prepare a virtual machine with `CentOS 7` and `Docker` already installed
  2. Upgrade the kernel

Server name    Server domain           Purpose
repository     repository.tarot.cn     hosts the Harbor service

  3. Versions used

Software         Version
Docker           26.1.4
Docker Compose   v2.27.1
Harbor           v2.12.2

2. Overall procedure:

  1. Set the hostname to repository.tarot.cn
  2. Install Docker
  3. Install Docker Compose (on an older Docker you have to install the compose plugin yourself)
  4. Create the directory /home/troila/software; the Harbor installer is downloaded into it
  5. cd into software and download Harbor
## Set the hostname; a reboot afterwards is recommended
[root@repository software]# hostnamectl set-hostname repository.tarot.cn

## Map the IP address to the domain name
[root@repository harbor]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

172.27.150.67 repository.tarot.cn repository
[root@repository harbor]# 

## Download Harbor (the release page also publishes a detached GPG signature, harbor-offline-installer-v2.12.2.tgz.asc; verify it before unpacking)
[root@repository software]# wget https://github.com/goharbor/harbor/releases/download/v2.12.2/harbor-offline-installer-v2.12.2.tgz
  6. Unpack and move into place
  7. HTTPS configuration
  8. Install and start Harbor
  9. Access test
  10. Configure image push/pull against the Harbor registry

3. Install Harbor

  1. Unpack; the directory layout is as follows
[root@repository software]# tar -zxvf harbor-offline-installer-v2.12.2.tgz 
[root@repository software]# tree
.
├── harbor
│   ├── common.sh
│   ├── harbor.v2.12.2.tar.gz
│   ├── harbor.yml.tmpl
│   ├── install.sh
│   ├── LICENSE
│   └── prepare
└── harbor-offline-installer-v2.12.2.tgz

1 directory, 7 files
[root@repository software]# pwd
/home/troila/software
  2. Generate the certificate files
    • Create an executable file create-ca.sh
    • The contents of create-ca.sh are shown below
    • The certificate is issued for the domain repository.tarot.cn
#!/bin/bash
set -euo pipefail  # strict mode: stop on any error, unset variable or failed pipe

# ========== Configuration ==========
WORKDIR="/home/troila/software/harbor/ca"
DOMAIN="repository.tarot.cn"
CA_CN="tarot Root CA"  # the CA must not reuse the server's CN: a leaf whose issuer
                       # DN equals its own subject DN looks self-signed to clients
                       # that build the chain by name (the Harbor docs use a separate
                       # CN such as "MyPersonal Root CA" for the same reason)
ALT_DNS=(
    "tarot.cn"
    "repository.tarot.cn"
    "*.tarot.cn"      # single-level wildcard: covers foo.tarot.cn
    # "*.*.tarot.cn" / "*.*.*.tarot.cn" are not valid wildcard names: browsers,
    # Go (dockerd) and OpenSSL only honour one "*" in the leftmost label, so
    # such entries never match anything and are left out.
)
ALT_IPS=(
    "127.0.0.1"
    "172.27.150.67"   # Harbor host IP, so https://172.27.150.67 validates as well
)
VALID_DAYS=3650       # certificate lifetime (10 years)
KEY_SIZE=4096         # RSA key length

# ========== Functions ==========
# Writes the v3 extension file used when signing the server certificate.
# Without it the signed certificate carries no subjectAltName, and modern
# clients (Go >= 1.15 and therefore dockerd, all browsers) reject it because
# the subject CN is no longer consulted for hostname matching.
generate_v3_ext() {
    local alt_dns=("${!1}")
    local alt_ips=("${!2}")

    cat <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
$(
    for ((i=0; i<${#alt_dns[@]}; i++)); do
        echo "DNS.$((i+1))=${alt_dns[i]}"
    done
    for ((i=0; i<${#alt_ips[@]}; i++)); do
        echo "IP.$((i+1))=${alt_ips[i]}"
    done
)
EOF
}

# ========== Main ==========
echo "=== Generating Harbor certificates ==="

# 1. Working directory (wiped, so re-running the script re-issues everything)
echo "[1/6] Initialising working directory..."
rm -rf "$WORKDIR" || { echo "Error: cannot remove $WORKDIR"; exit 1; }
mkdir -p "$WORKDIR" && cd "$WORKDIR" || { echo "Error: cannot enter $WORKDIR"; exit 1; }
umask 077   # private keys are created 0600 from here on

# 2. Root CA (openssl's default v3_ca section marks it CA:TRUE)
echo "[2/6] Generating the root CA..."
openssl genrsa -out ca.key "$KEY_SIZE"
openssl req -x509 -new -nodes -sha512 -days "$VALID_DAYS" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=tarot/OU=web/CN=$CA_CN" \
    -key ca.key -out ca.crt

# 3. Server key and CSR
echo "[3/6] Generating the server key and CSR..."
openssl genrsa -out "$DOMAIN.key" "$KEY_SIZE"
openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=tarot/OU=web/CN=$DOMAIN" \
    -key "$DOMAIN.key" -out "$DOMAIN.csr"

# 4. v3 extension file
echo "[4/6] Writing the v3 extension file..."
generate_v3_ext ALT_DNS[@] ALT_IPS[@] > v3.ext

# 5. Sign the server certificate with the CA
echo "[5/6] Signing the server certificate..."
openssl x509 -req -sha512 -days "$VALID_DAYS" \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in "$DOMAIN.csr" -out "$DOMAIN.crt"
# Docker's certs.d expects the server certificate under the .cert suffix
openssl x509 -inform PEM -in "$DOMAIN.crt" -out "$DOMAIN.cert"
chmod 644 ca.crt "$DOMAIN.crt" "$DOMAIN.cert"   # certificates are public; keys stay 0600

# 6. Trust the CA system-wide. The anchor has to be the CA certificate, not
# the server certificate: OpenSSL-based clients such as curl do not, by
# default, accept a non-self-signed leaf found in the store as a trust anchor.
echo "[6/6] Installing the CA into the system trust store..."
CERT_STORE="/etc/pki/ca-trust/source/anchors/tarot-root-ca.crt"
mkdir -p "$(dirname "$CERT_STORE")"
cp ca.crt "$CERT_STORE" || { echo "Error: could not copy the CA certificate into the trust store"; exit 1; }
update-ca-trust || { echo "Error: update-ca-trust failed"; exit 1; }

echo "=== Certificate generation finished ==="
echo "Generated files:"
ls -lh "$WORKDIR"
echo -e "\nReference these paths in harbor.yml:"
echo "  certificate: $WORKDIR/$DOMAIN.crt"
echo "  private_key: $WORKDIR/$DOMAIN.key"

  3. Run ./create-ca.sh; the resulting layout is as follows
[root@repository harbor]# tree
.
├── ca
│   ├── ca.crt
│   ├── ca.key
│   ├── ca.srl
│   ├── repository.tarot.cn.cert
│   ├── repository.tarot.cn.crt
│   ├── repository.tarot.cn.csr
│   ├── repository.tarot.cn.key
│   └── v3.ext
├── common.sh
├── create-ca.sh
├── harbor.v2.12.2.tar.gz
├── harbor.yml.tmpl
├── install.sh
├── LICENSE
└── prepare

1 directory, 15 files
[root@repository harbor]# 
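Before wiring the certificate into Harbor it is worth knowing how a Go TLS client, which is what dockerd is, will judge it. The following is an added example, not code from this post or from the Harbor project: it mints a throwaway CA and server certificate in memory with the same subjectAltName list as the script above (ECDSA P-256 instead of RSA-4096 only for speed, and an assumed CA common name "tarot Root CA"), then asks crypto/x509 whether the certificate is acceptable for a given host, the same check the Docker daemon performs with the ca.crt it finds under /etc/docker/certs.d/<host>/. It assumes Go 1.15 or newer, where the subject CN is ignored for hostname matching.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// The subjectAltName entries create-ca.sh writes into v3.ext (constructed copy;
// the two multi-level wildcards are kept on purpose to show they never match).
var altDNS = []string{"tarot.cn", "repository.tarot.cn", "*.tarot.cn", "*.*.tarot.cn", "*.*.*.tarot.cn"}
var altIPs = []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("172.27.150.67")}

func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// buildPKI mints a root CA and a server certificate signed by it, the in-memory
// equivalent of steps 2-5 of create-ca.sh. withSANs=false yields a certificate
// whose only name is the subject CN, i.e. what you get when the -extfile v3.ext
// step is forgotten.
func buildPKI(withSANs bool) (ca, leaf *x509.Certificate, err error) {
	caKey, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		// A CN distinct from the server's, as the script does with CA_CN.
		Subject:               pkix.Name{Organization: []string{"tarot"}, CommonName: "tarot Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{"tarot"}, CommonName: "repository.tarot.cn"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // extendedKeyUsage = serverAuth
	}
	if withSANs {
		leafTmpl.DNSNames = altDNS
		leafTmpl.IPAddresses = altIPs
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return nil, nil, err
	}
	return ca, leaf, nil
}

// trustedFor is the question dockerd asks on docker login/pull against
// https://<host>/v2/: with ca (the certs.d/<host>/ca.crt file) as the only
// trust anchor, is leaf valid for host? host may be a DNS name or an IP
// literal; crypto/x509 does both the chain check and the hostname match.
func trustedFor(ca, leaf *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

func main() {
	ca, leaf, err := buildPKI(true)
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"repository.tarot.cn", "172.27.150.67", "harbor.tarot.cn", "a.b.tarot.cn", "10.0.0.1"} {
		fmt.Printf("%-22s accepted=%v\n", h, trustedFor(ca, leaf, h))
	}
	otherCA, cnOnly, err := buildPKI(false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CN-only certificate accepted=%v\n", trustedFor(otherCA, cnOnly, "repository.tarot.cn"))
}
```

Running it shows the single-level wildcard covering harbor.tarot.cn while a.b.tarot.cn is refused, the IP SAN being what makes https://172.27.150.67 work, and a certificate signed without the v3.ext extensions being refused outright even though its CN is the right hostname.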

5. Modify the Harbor configuration

  1. Create the directory Harbor will use for its data
[root@repository harbor]#  mkdir -p /home/troila/software/harbor/data
  2. Copy harbor.yml.tmpl to harbor.yml and edit the copy
[root@repository harbor]# cp harbor.yml.tmpl harbor.yml
[root@repository harbor]# vi harbor.yml
  3. Set hostname to the host's own domain name
  4. Leave the ports as they are (or change them to taste)
  5. Point certificate and private_key at the files generated above (note the file names are repository.tarot.cn.crt and repository.tarot.cn.key)
  6. The admin password is left at its default here; the template itself tells you to change it from the UI right after the first start, and the database password (root123) should be changed before any real use as well
  7. Set data_volume to the Harbor data directory
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
# set this to your own domain name
hostname: repository.tarot.cn

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx

  # certificate: /your/certificate/path
  # private_key: /your/private/key/path
  # the certificate and key produced by create-ca.sh
  certificate: /home/troila/software/harbor/ca/repository.tarot.cn.crt
  private_key: /home/troila/software/harbor/ca/repository.tarot.cn.key

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 50
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 1024 for postgres of harbor.
  max_open_conns: 1000

# The default data volume
data_volume: /home/troila/software/harbor/data

6. Configure the certificate for Docker

  1. Create the folder certs.d under /etc/docker
  2. Under certs.d, create a folder named after the registry domain, repository.tarot.cn (the name must resolve; see the /etc/hosts entry above)
  3. If the port in harbor.yml was changed, the folder name has to carry the same port (repository.tarot.cn:<port>), otherwise Docker will not look there for the certificates
[root@repository docker]# mkdir -p /etc/docker/certs.d/repository.tarot.cn
  4. Copy repository.tarot.cn.cert, repository.tarot.cn.key and ca.crt into that folder. Only ca.crt is needed for Docker to verify the server; the .cert/.key pair is what Docker would present as a client certificate. Copying the server's private key there follows the Harbor documentation but gains nothing, so if you do it, chmod 600 the key: the listing below shows it world-readable
[root@repository harbor]# cp /home/troila/software/harbor/ca/repository.tarot.cn.cert /etc/docker/certs.d/repository.tarot.cn
[root@repository harbor]# cp /home/troila/software/harbor/ca/repository.tarot.cn.key /etc/docker/certs.d/repository.tarot.cn
[root@repository harbor]# cp /home/troila/software/harbor/ca/ca.crt /etc/docker/certs.d/repository.tarot.cn
[root@repository harbor]# ll /etc/docker/certs.d/repository.tarot.cn
total 12
-rw-r--r-- 1 root root 2029 Mar 27 19:04 ca.crt
-rw-r--r-- 1 root root 2163 Mar 27 19:04 repository.tarot.cn.cert
-rw-r--r-- 1 root root 3239 Mar 27 19:04 repository.tarot.cn.key
[root@repository harbor]# 
  5. Restart Docker
[root@base docker]# systemctl daemon-reload && systemctl restart docker

7. Pre-install check

/home/troila/software/harbor
├── ca
│   ├── ca.crt
│   ├── ca.key
│   ├── ca.srl
│   ├── repository.tarot.cn.cert
│   ├── repository.tarot.cn.crt
│   ├── repository.tarot.cn.csr
│   ├── repository.tarot.cn.key
│   └── v3.ext
├── common.sh
├── create-ca.sh
├── data
├── harbor.v2.12.2.tar.gz
├── harbor.yml
├── harbor.yml.tmpl
├── install.sh
├── LICENSE
└── prepare

2 directories, 16 files
[root@repository harbor]# 

8. Install and start Harbor

  1. Run ./install.sh to install (add --with-trivy if you want the bundled vulnerability scanner; the trivy-adapter image is already part of the offline bundle, as the docker images listing further down shows)
[root@base harbor]# ./install.sh

.....................
[Step 5]: starting Harbor ...
[+] Running 10/10
 ✔ Network harbor_harbor        Created       0.1s 
 ✔ Container harbor-log         Started       1.1s 
 ✔ Container harbor-db          Started       1.5s 
 ✔ Container harbor-portal      Started       1.6s 
 ✔ Container redis              Started       1.7s 
 ✔ Container registry           Started       1.5s 
 ✔ Container registryctl        Started       1.7s 
 ✔ Container harbor-core        Started       1.7s 
 ✔ Container nginx              Started       2.6s 
 ✔ Container harbor-jobservice  Started       2.4s 
✔ ----Harbor has been installed and started successfully.----
[root@base harbor]# 

[root@repository harbor]# docker ps -a
CONTAINER ID   IMAGE                                 COMMAND                   CREATED              STATUS                        PORTS                                                                            NAMES
f80e3bdc5f9d   goharbor/harbor-jobservice:v2.12.2    "/harbor/entrypoint.…"   About a minute ago   Up About a minute (healthy)                                                                                    harbor-jobservice
a51b08281a12   goharbor/nginx-photon:v2.12.2         "nginx -g 'daemon of…"   About a minute ago   Up About a minute (healthy)   0.0.0.0:80->8080/tcp, :::80->8080/tcp, 0.0.0.0:443->8443/tcp, :::443->8443/tcp   nginx
c9a242e2cc96   goharbor/harbor-core:v2.12.2          "/harbor/entrypoint.…"   About a minute ago   Up About a minute (healthy)                                                                                    harbor-core
1a332b3556c4   goharbor/registry-photon:v2.12.2      "/home/harbor/entryp…"   About a minute ago   Up About a minute (healthy)                                                                                    registry
c2af7f212118   goharbor/harbor-registryctl:v2.12.2   "/home/harbor/start.…"   About a minute ago   Up About a minute (healthy)                                                                                    registryctl
ffb5f5502731   goharbor/harbor-db:v2.12.2            "/docker-entrypoint.…"   About a minute ago   Up About a minute (healthy)                                                                                    harbor-db
f2da53624539   goharbor/harbor-portal:v2.12.2        "nginx -g 'daemon of…"   About a minute ago   Up About a minute (healthy)                                                                                    harbor-portal
ca32e931fb46   goharbor/redis-photon:v2.12.2         "redis-server /etc/r…"   About a minute ago   Up About a minute (healthy)                                                                                    redis
8efd64d52628   goharbor/harbor-log:v2.12.2           "/bin/sh -c /usr/loc…"   About a minute ago   Up About a minute (healthy)   127.0.0.1:1514->10514/tcp                                                        harbor-log
[root@repository harbor]# docker compose ls
NAME                STATUS              CONFIG FILES
harbor              running(9)          /home/troila/software/harbor/docker-compose.yml
[root@repository harbor]# 
  2. Access
    • https://repository.tarot.cn (browsers on other machines warn until ca.crt has been imported into their trust store)

[Image 1]

[Image 2]

  3. Configure the private registry address on the Docker clients
    • This is the "insecure-registries" entry in /etc/docker/daemon.json. With ca.crt installed under certs.d (or in the system trust store) on the client it is not needed: marking a registry insecure tells dockerd to accept its certificate unverified and to fall back to plain HTTP, which throws away the verification set up above. If you keep it (say, for other registries that have no certificate at all), the format is host[:port] with no scheme; dockerd strips "http://" or "https://" with a warning
    • In a Kubernetes cluster, every node needs the same configuration (the certs.d directory and, if used, daemon.json)
[root@base harbor]# vi /etc/docker/daemon.json

{
    "insecure-registries":["repository.tarot.cn"]
}

## The complete file (the comma after "172.27.150.67" is required; without it dockerd refuses to start)
{
    "dns": ["8.8.8.8", "223.5.5.5"],
    "data-root": "/home/troila/software/docker",
    "insecure-registries": [
        "repository.tarot.cn", "172.27.150.67",
        "base.troila.com:9000", "172.27.109.6:9000",
        "repository-1.troila.com:9000", "172.27.109.11:9000",
        "repository-2.troila.com:9000", "172.27.109.12:9000"
    ],
    "registry-mirrors": [
        "https://registry.cn-hangzhou.aliyuncs.com",
        "https://registry.docker-cn.com",
        "https://docker.mirrors.ustc.edu.cn",
        "https://ma8p1z36.mirror.aliyuncs.com",
        "https://mirror.ccs.tencentyun.com",
        "http://hub-mirror.c.163.com"
    ],
    "exec-opts": [
        "native.cgroupdriver=systemd"
    ],
    "log-opts": {
        "max-size": "100m","max-file":"3"
    }
}
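A daemon.json mistake only surfaces when dockerd is restarted, so it pays to check the file first. The following is an added example, not code from this post or from Docker: a small linter that catches the three problems visible in the file above, namely invalid JSON (a missing comma), insecure-registries entries written with a URL scheme, and a registry listed as insecure even though a CA has been installed for it under certs.d. The trustedHosts argument stands in for the directory names found under /etc/docker/certs.d (an assumption of this example), and the two sample documents are constructed, trimmed copies of the page's configuration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// daemonConfig covers only the daemon.json keys this check looks at; the
// decoder ignores the rest (dns, data-root, log-opts, ...).
type daemonConfig struct {
	InsecureRegistries []string `json:"insecure-registries"`
	RegistryMirrors    []string `json:"registry-mirrors"`
}

// lintDaemonJSON returns one finding per problem in a daemon.json document.
// trustedHosts are the directory names under /etc/docker/certs.d (host or
// host:port), i.e. the registries for which a CA certificate is installed.
func lintDaemonJSON(raw []byte, trustedHosts []string) []string {
	var cfg daemonConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		// dockerd does not start on a syntactically invalid daemon.json.
		return []string{"invalid JSON: " + err.Error()}
	}
	trusted := make(map[string]bool, len(trustedHosts))
	for _, h := range trustedHosts {
		trusted[strings.ToLower(h)] = true
	}
	var findings []string
	for _, r := range cfg.InsecureRegistries {
		entry := strings.ToLower(r)
		// The documented form is host[:port] (or a CIDR); dockerd tolerates a
		// scheme by stripping it and logging a warning, so flag it.
		for _, scheme := range []string{"http://", "https://"} {
			if strings.HasPrefix(entry, scheme) {
				findings = append(findings, fmt.Sprintf("insecure-registries %q: drop the %s prefix, the form is host[:port]", r, scheme))
				entry = strings.TrimPrefix(entry, scheme)
			}
		}
		host := entry
		if h, _, err := net.SplitHostPort(entry); err == nil {
			host = h
		}
		// Listing a host as insecure makes dockerd accept its certificate
		// unverified and fall back to plain HTTP, defeating the CA installed
		// for it under certs.d.
		if trusted[entry] || trusted[host] {
			findings = append(findings, fmt.Sprintf("insecure-registries %q: a CA is installed under certs.d for this host; remove the entry or TLS verification is skipped", r))
		}
	}
	for _, m := range cfg.RegistryMirrors {
		if strings.HasPrefix(strings.ToLower(m), "http://") {
			findings = append(findings, fmt.Sprintf("registry-mirrors %q: plaintext HTTP mirror", m))
		}
	}
	return findings
}

// Constructed sample: the page's daemon.json with the comma missing after
// "172.27.150.67", as printed there.
const brokenDaemonJSON = `{
    "insecure-registries": [
        "https://repository.tarot.cn", "172.27.150.67"
        "base.troila.com:9000"
    ]
}`

// Constructed sample: the same file with the comma restored.
const fixedDaemonJSON = `{
    "insecure-registries": [
        "https://repository.tarot.cn", "172.27.150.67",
        "base.troila.com:9000"
    ],
    "registry-mirrors": ["https://mirror.ccs.tencentyun.com", "http://hub-mirror.c.163.com"]
}`

func main() {
	for _, doc := range []struct{ name, body string }{{"broken", brokenDaemonJSON}, {"fixed", fixedDaemonJSON}} {
		fmt.Println("==", doc.name)
		for _, f := range lintDaemonJSON([]byte(doc.body), []string{"repository.tarot.cn"}) {
			fmt.Println(" -", f)
		}
	}
}
```

On the page's own configuration the linter reports the scheme on the Harbor entry, the fact that the entry is redundant (and harmful) once certs.d/repository.tarot.cn/ca.crt exists, and the plaintext mirror in registry-mirrors.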

  4. Restart Docker
[root@repository harbor]# sudo systemctl daemon-reload && sudo systemctl restart docker
  5. After the Docker restart not all Harbor containers come back up, so restart Harbor
    • From the Harbor install directory
    • Stop first, then start (docker compose down -v is the form the Harbor docs use; -v only removes anonymous volumes, and Harbor keeps its state in the bind-mounted data_volume, so nothing is lost)
[root@repository harbor]# docker compose down -v
[root@repository harbor]# docker compose up -d
  6. Log in to the Harbor registry
    • Log in (the warning docker login prints is accurate: the password lands base64-encoded in /root/.docker/config.json, so use a credential helper on shared hosts)
    • Pull an image
    • Tag the image
    • Push the image to Harbor
[root@repository harbor]# docker login repository.tarot.cn
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@repository harbor]# 
[root@repository harbor]# docker pull ubuntu:24.10
24.10: Pulling from library/ubuntu
77adee7e3226: Pull complete 
Digest: sha256:5bd27e8238988fd378427410aed2259c2b4cf1bd09c2abc6a176cef7d729de5c
Status: Downloaded newer image for ubuntu:24.10
ubuntu:24.10
[root@repository harbor]# docker tag ubuntu:24.10 repository.tarot.cn/library/ubuntu:24.10
[root@repository harbor]# docker push repository.tarot.cn/library/ubuntu:24.10
The push refers to repository [repository.tarot.cn/library/ubuntu]
83c89c42636d: Pushed 
24.10: digest: sha256:5bd27e8238988fd378427410aed2259c2b4cf1bd09c2abc6a176cef7d729de5c size: 529
[root@repository harbor]# 
[root@repository harbor]# docker images
REPOSITORY                            TAG       IMAGE ID       CREATED        SIZE
goharbor/harbor-exporter              v2.12.2   37fbe3aa524d   2 months ago   125MB
goharbor/redis-photon                 v2.12.2   3ccb66d5d7e7   2 months ago   166MB
goharbor/trivy-adapter-photon         v2.12.2   f3b0ec4861d3   2 months ago   345MB
goharbor/harbor-registryctl           v2.12.2   1f39cb9883a3   2 months ago   160MB
goharbor/registry-photon              v2.12.2   1542a6e4ebf9   2 months ago   85.6MB
goharbor/nginx-photon                 v2.12.2   b6b2ea786b90   2 months ago   154MB
goharbor/harbor-log                   v2.12.2   65a8ac29d6d7   2 months ago   163MB
goharbor/harbor-jobservice            v2.12.2   ddf9a3d4d975   2 months ago   171MB
goharbor/harbor-core                  v2.12.2   883312e8c1f3   2 months ago   194MB
goharbor/harbor-portal                v2.12.2   7f2791de5783   2 months ago   162MB
goharbor/harbor-db                    v2.12.2   a4f39039baed   2 months ago   272MB
goharbor/prepare                      v2.12.2   617f50c1808f   2 months ago   208MB
ubuntu                                24.10     94351b6d67ec   9 months ago   78.2MB
repository.tarot.cn/library/ubuntu    24.10     94351b6d67ec   9 months ago   78.2MB
[root@repository harbor]# 

[Image 3]

With that, Harbor is installed and reachable over HTTPS under its domain name.
