本文已参与「新人创作礼」活动,一起开启掘金创作之路。
一、系统资源规划
| 节点名称 | 系统名称 | CPU/内存 | 网卡 | 磁盘 | IP地址 | OS |
|---|---|---|---|---|---|---|
| Harbor | harbor.mengshicheng.io | 2C/4G | ens33 | 64G | 192.168.0.10 | CentOS7 |
| Client | client.mengshicheng.io | 2C/4G | ens33 | 64G | 192.168.0.20 | CentOS7 |
二、系统软件安装与设置
如未指定,下述命令在所有节点执行!
1、安装基本软件
yum -y install vim lrzsz
2、设置名称解析
echo 192.168.0.10 harbor.mengshicheng.io >> /etc/hosts
echo 192.168.0.20 client.mengshicheng.io >> /etc/hosts
3、设置NTP
yum -y install chrony
systemctl start chronyd
systemctl enable chronyd
systemctl status chronyd
chronyc sources
4、设置防火墙、SELinux
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
三、部署Docker及Docker Compose
1、安装Docker
在所有节点上安装Docker所需的包:
yum -y install yum-utils device-mapper-persistent-data lvm2
在所有节点上设置稳定存储库:
yum-config-manager --add-repo <http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo>
在所有节点上安装Docker CE:
yum -y install docker-ce
在所有节点上启动Docker,并设置自启动:
systemctl start docker
systemctl enable docker
systemctl status docker
2、配置Docker
在Harbor节点上配置Docker镜像加速和Cgroup驱动:
cat > /etc/docker/daemon.json << EOF
{
"registry-mirrors": ["https://7y88q662.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2"
}
EOF
systemctl restart docker
docker info | grep "Cgroup Driver"
3、部署Docker Compose
在Harbor节点上安装Docker Compose:
curl -L https://github.com/docker/compose/releases/download/1.29.2/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
chmod a+x /usr/local/bin/docker-compose
查看Docker Compose版本:
docker-compose --version
四、IP方式部署Harbor镜像仓库
在Harbor节点上下载Harbor安装文件:
解压Harbor安装文件至系统目录:
tar -zxf /root/harbor-offline-installer-v2.3.2.tgz -C /usr/local/
在Harbor节点上创建证书目录:
mkdir -p /usr/local/harbor/ssl
cd /usr/local/harbor/ssl
在Harbor节点上生成CA证书私钥:
openssl genrsa -out ca.key 4096
在Harbor节点上生成CA证书:
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=JiangSu/L=NanJing/O=Harbor/OU=Personal/CN=192.168.0.10" -key ca.key -out ca.crt
在Harbor节点上生成私钥:
openssl genrsa -out harbor.key 4096
在Harbor节点上生成证书签名请求:
openssl req -sha512 -new -subj "/C=CN/ST=JiangSu/L=NanJing/O=Harbor/OU=Personal/CN=192.168.0.10" -key harbor.key -out harbor.csr
在Harbor节点上生成x509 v3扩展文件:
cat > v3.ext << EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.0.10
EOF
在Harbor节点上生成Harbor证书:
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.csr -out harbor.crt
在Harbor节点上转换证书格式:
openssl x509 -inform PEM -in harbor.crt -out harbor.cert
在Harbor节点上修改Harbor配置文件:
cat > /usr/local/harbor/harbor.yml << EOF
hostname: 192.168.0.10
http:
port: 80
https:
port: 443
certificate: /usr/local/harbor/ssl/harbor.crt
private_key: /usr/local/harbor/ssl/harbor.key
external_url: https://192.168.0.10
harbor_admin_password: Harbor12345
database:
password: root123
max_idle_conns: 100
max_open_conns: 900
data_volume: /harbordata
trivy:
ignore_unfixed: false
skip_update: false
insecure: false
jobservice:
max_job_workers: 10
notification:
webhook_job_max_retry: 10
chart:
absolute_url: disabled
log:
level: info
local:
rotate_count: 50
rotate_size: 200M
location: /var/log/harbor
_version: 2.3.0
proxy:
http_proxy:
https_proxy:
no_proxy:
components:
- core
- jobservice
- trivy
EOF
在Harbor节点上安装Harbor:
cd /usr/local/harbor/
./prepare
./install.sh
登录Harbor:
https://192.168.0.10,用户名/密码:admin/Harbor12345
在Client节点上配置Docker镜像源、镜像加速和Cgroup驱动:
cat > /etc/docker/daemon.json << EOF
{
"insecure-registries": ["192.168.0.10"],
"registry-mirrors": ["https://7y88q662.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2"
}
EOF
systemctl restart docker
docker info | grep "Cgroup Driver"
在Client节点上下载公网镜像,上传至Harbor节点:
docker pull busybox
docker tag busybox:latest 192.168.0.10/library/busybox:1.0
docker images
docker login 192.168.0.10
docker push 192.168.0.10/library/busybox:1.0
查看Harbor镜像仓库镜像:
在Client节点上删除公网镜像,下载Harbor节点镜像:
docker logout
docker rmi 192.168.0.10/library/busybox:1.0
docker images
docker pull 192.168.0.10/library/busybox:1.0
docker images
五、域名方式部署Harbor镜像仓库
在Harbor节点上下载Harbor安装文件:
在Harbor节点上解压Harbor安装文件至系统目录:
tar -zxf /root/harbor-offline-installer-v2.3.2.tgz -C /usr/local/
在Harbor节点上创建证书目录:
mkdir -p /usr/local/harbor/ssl
cd /usr/local/harbor/ssl
在Harbor节点上生成CA证书私钥:
openssl genrsa -out ca.key 4096
在Harbor节点上生成CA证书:
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=JiangSu/L=NanJing/O=Harbor/OU=Personal/CN=harbor.mengshicheng.io" -key ca.key -out ca.crt
在Harbor节点上生成私钥:
openssl genrsa -out harbor.key 4096
在Harbor节点上生成证书签名请求:
openssl req -sha512 -new -subj "/C=CN/ST=JiangSu/L=NanJing/O=Harbor/OU=Personal/CN=harbor.mengshicheng.io" -key harbor.key -out harbor.csr
在Harbor节点上生成x509 v3扩展文件:
cat > v3.ext << EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.mengshicheng.io
DNS.2=harbor.mengshicheng.io
DNS.3=harbor.mengshicheng.io
EOF
在Harbor节点上生成证书:
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.csr -out harbor.crt
在Harbor节点上转换证书格式:
openssl x509 -inform PEM -in harbor.crt -out harbor.cert
在Harbor节点上修改Harbor配置文件:
cat > /usr/local/harbor/harbor.yml << EOF
hostname: harbor.mengshicheng.io
http:
port: 80
https:
port: 443
certificate: /usr/local/harbor/ssl/harbor.crt
private_key: /usr/local/harbor/ssl/harbor.key
external_url: https://harbor.mengshicheng.io
harbor_admin_password: Harbor12345
database:
password: root123
max_idle_conns: 100
max_open_conns: 900
data_volume: /harbordata
trivy:
ignore_unfixed: false
skip_update: false
insecure: false
jobservice:
max_job_workers: 10
notification:
webhook_job_max_retry: 10
chart:
absolute_url: disabled
log:
level: info
local:
rotate_count: 50
rotate_size: 200M
location: /var/log/harbor
_version: 2.3.0
proxy:
http_proxy:
https_proxy:
no_proxy:
components:
- core
- jobservice
- trivy
EOF
在Harbor节点上安装Harbor:
cd /usr/local/harbor/
./prepare
./install.sh
登录Harbor:
harbor.mengshicheng.io,用户名/密码:admin/Ha…
在Client节点上配置Docker镜像加速和Cgroup驱动:
cat > /etc/docker/daemon.json << EOF
{
"insecure-registries": ["harbor.mengshicheng.io"],
"registry-mirrors": ["https://7y88q662.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2"
}
EOF
systemctl restart docker
docker info | grep "Cgroup Driver"
在Client节点上下载公网镜像,上传至Harbor节点:
docker pull busybox
docker tag busybox:latest harbor.mengshicheng.io/library/busybox:1.0
docker images
docker login harbor.mengshicheng.io
docker push harbor.mengshicheng.io/library/busybox:1.0
查看Harbor镜像仓库镜像:
在Client节点上删除公网镜像,下载Harbor节点镜像:
docker logout
docker rmi harbor.mengshicheng.io/library/busybox:1.0
docker images
docker pull harbor.mengshicheng.io/library/busybox:1.0
docker images
六、重启Harbor镜像仓库
在Harbor节点上停止并删除现有实例:
cd /usr/local/harbor/
docker-compose down -v
在Harbor节点上重启Docker:
docker-compose up -d
