Setting up a local private image registry (docker_harbor)

1. Planning

Hostname   IP address       OS
harbor     192.168.10.53    Rocky Linux 8.8

Note: this project uses Rocky Linux; CentOS works the same way and the steps are identical.

2. Environment setup

2.1. Set the hostname

hostnamectl set-hostname harbor.com

2.2. Disable SELinux and the firewall permanently, so that SELinux stays disabled after a reboot

# disable SELinux (persistently in the config file, then for the running system)
sed -i.bak 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
grep SELINUX=disabled /etc/selinux/config
setenforce 0
getenforce
# disable firewalld (CentOS 7 / Rocky 8)
systemctl stop firewalld
systemctl disable firewalld
systemctl status firewalld
# reboot the VM
reboot

2.3. Configure the yum repositories

# switch the base repos to the Aliyun mirror (the sed command spans several lines)
sed -e 's|^mirrorlist=|#mirrorlist=|g' \
    -e 's|^#baseurl=http://dl.rockylinux.org/$contentdir|baseurl=https://mirrors.aliyun.com/rockylinux|g' \
    -i.bak \
    /etc/yum.repos.d/Rocky-*.repo

dnf makecache
# install the EPEL repo
yum install -y https://mirrors.aliyun.com/epel/epel-release-latest-8.noarch.rpm
# point the EPEL repo files at the Aliyun mirror
sed -i 's|^#baseurl=https://download.example/pub|baseurl=https://mirrors.aliyun.com|' /etc/yum.repos.d/epel*
sed -i 's|^metalink|#metalink|' /etc/yum.repos.d/epel*
# add the Docker CE repo
yum install yum-utils -y
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

2.4. Install some dependency packages

yum -y install wget net-tools nfs-utils lrzsz gcc gcc-c++ make cmake libxml2-devel openssl-devel curl curl-devel unzip sudo libaio-devel wget vim ncurses-devel autoconf automake zlib-devel epel-release openssh-server socat ipvsadm conntrack yum-utils device-mapper-persistent-data lvm2 telnet

2.5. Configure time synchronisation

yum install chrony -y
# start chronyd now and enable it at boot
systemctl enable chronyd --now
# edit the chronyd configuration file
vim /etc/chrony.conf
# append the following lines at the end of the file
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst
server ntp1.tencent.com iburst
server ntp2.tencent.com iburst
# restart chronyd
systemctl restart chronyd
# add a cron job that re-syncs the time every minute:
crontab -e
* * * * * /usr/bin/systemctl restart chronyd
systemctl restart crond

2.6. Adjust kernel parameters

modprobe br_netfilter
cat <<EOF >/etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
sysctl -p /etc/sysctl.d/k8s.conf

3. Install Harbor

3.1. Configure name resolution on every host that will log in to Harbor

# add the following line to /etc/hosts:
192.168.10.53 harbor

3.2. Issue a self-signed certificate for Harbor

mkdir /data/ssl -p
cd /data/ssl/
# generate the CA:
# create a 3072-bit RSA key (the CA private key)
openssl genrsa -out ca.key 3072
# create the CA certificate ca.pem; -days 3650 makes it valid for 10 years.
# Fill in the fields as shown below and leave the others empty:
openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:ha
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:harbor
Email Address []:[email protected]
# generate the server certificate for the registry name:
# create a 3072-bit RSA key (the server private key)
openssl genrsa -out harbor.key 3072
# create the certificate signing request that the CA will sign in the next step.
# Fill in the fields as shown below and leave the others empty:
openssl req -new -key harbor.key -out harbor.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:ha
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:harbor
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# sign the certificate with the CA:
openssl x509 -req -in harbor.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out harbor.pem -days 3650
# check that the certificate is valid:
openssl x509 -noout -text -in harbor.pem
Output like the following means the certificate is valid:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            cd:21:3c:44:64:17:65:40
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CH, ST=BJ, L=BJ, O=Default Company Ltd
        Validity
            Not Before: Dec 26 09:29:19 2020 GMT
            Not After : Dec 24 09:29:19 2030 GMT
        Subject: C=CN, ST=BJ, L=BJ, O=xuegod Ltd, CN=harbor
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:b0:60:c3:e6:35:70:11:c8:73:83:38:9a:7e:b8:
                    ...

3.3. Install Docker

yum install docker-ce -y
# start the docker service and enable it at boot
systemctl start docker && systemctl enable docker
# configure the registry mirrors
vim /etc/docker/daemon.json
Write the following content:
{
  "registry-mirrors": ["https://rsbud4vc.mirror.aliyuncs.com", "https://registry.dockercn.com", "https://docker.mirrors.ustc.edu.cn", "https://dockerhub.azk8s.cn", "http://hubmirror.c.163.com"],
  "insecure-registries": ["192.168.1.62", "harbor.cn"]
}
# "insecure-registries" has to list this registry's own address and hostname (192.168.10.53 and harbor in this setup);
# Docker then accepts the registry's certificate without verifying it. Installing ca.pem as
# /etc/docker/certs.d/<registry>/ca.crt keeps verification on and is the preferable alternative.
# restart docker so the configuration takes effect
systemctl restart docker   # if the restart fails, daemon.json is malformed; check it with: python3 -m json.tool /etc/docker/daemon.json
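The following script is an added example and is not part of the original post or of the Harbor project. It carries out the openssl steps of section 3.2 non-interactively (-subj instead of the prompts), adds a subjectAltName when signing, verifies that harbor.pem chains to ca.pem, and stages the CA in Docker's certs.d layout from section 3.3 so the registry no longer needs to be listed under "insecure-registries". The registry hostname harbor and IP 192.168.10.53 are the values from section 1; the output directories are parameters (an assumption of this example) so the functions also run without root.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive version of the
# openssl steps in 3.2 plus a chain check and the Docker CA layout from 3.3.
# Assumed: registry hostname "harbor" and IP 192.168.10.53 (from the post);
# all paths are parameters so the functions also run unprivileged.

# make_harbor_certs <ssl_dir> <hostname> <ip>
# Writes ca.key, ca.pem, harbor.key, harbor.csr and harbor.pem into <ssl_dir>.
make_harbor_certs() {
    ssl_dir=$1; host=$2; ip=$3
    mkdir -p "$ssl_dir"
    # CA: 3072-bit key, self-signed for 10 years. -subj replaces the
    # interactive prompts; the values mirror the answers given in the post.
    openssl genrsa -out "$ssl_dir/ca.key" 3072 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$ssl_dir/ca.key" \
        -subj "/C=CN/ST=guangdong/L=shenzhen/O=ha/OU=CA/CN=harbor-ca" \
        -out "$ssl_dir/ca.pem"
    # Server key and signing request; the CN is the registry hostname.
    openssl genrsa -out "$ssl_dir/harbor.key" 3072 2>/dev/null
    openssl req -new -key "$ssl_dir/harbor.key" \
        -subj "/C=CN/ST=guangdong/L=shenzhen/O=ha/OU=CA/CN=$host" \
        -out "$ssl_dir/harbor.csr"
    # Extensions added at signing time. Docker's Go TLS stack matches the
    # subjectAltName, not the CN, so the cert names both the host and the IP.
    cat > "$ssl_dir/harbor.ext" <<EOF
subjectAltName = DNS:$host, IP:$ip
extendedKeyUsage = serverAuth
EOF
    openssl x509 -req -in "$ssl_dir/harbor.csr" -CA "$ssl_dir/ca.pem" \
        -CAkey "$ssl_dir/ca.key" -CAcreateserial -days 3650 \
        -extfile "$ssl_dir/harbor.ext" -out "$ssl_dir/harbor.pem" 2>/dev/null
}

# verify_harbor_cert <ssl_dir> <hostname> <ip>
# Returns 0 when harbor.pem chains to ca.pem and carries both SAN entries.
verify_harbor_cert() {
    ssl_dir=$1; host=$2; ip=$3
    openssl verify -CAfile "$ssl_dir/ca.pem" "$ssl_dir/harbor.pem" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -noout -text -in "$ssl_dir/harbor.pem")
    echo "$text" | grep -q "DNS:$host" || return 1
    echo "$text" | grep -q "IP Address:$ip" || return 1
}

# stage_docker_ca <docker_root> <ssl_dir> <registry>
# Copies ca.pem to <docker_root>/certs.d/<registry>/ca.crt. With
# docker_root=/etc/docker this is the directory dockerd reads, so the
# registry can be removed from "insecure-registries" and still be trusted.
stage_docker_ca() {
    dest="$1/certs.d/$3"
    mkdir -p "$dest"
    cp "$2/ca.pem" "$dest/ca.crt"
}

# Usage: sh harbor-certs.sh /data/ssl harbor 192.168.10.53
if [ $# -eq 3 ]; then
    make_harbor_certs "$1" "$2" "$3"
    verify_harbor_cert "$1" "$2" "$3" && echo "harbor.pem verified against ca.pem"
    stage_docker_ca /etc/docker "$1" "$2"   # trust the registry by hostname ...
    stage_docker_ca /etc/docker "$1" "$3"   # ... and by IP address
fi
```

Run it as root with the three arguments shown in the usage line; a Docker client that has the CA under /etc/docker/certs.d/ can then log in over https with certificate verification left enabled, and "insecure-registries" can stay empty.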

3.4. Install Harbor

# create the install directory
mkdir /data/install -p
cd /data/install/
# upload the Harbor offline package harbor-offline-installer-v2.3.0-rc3.tgz into this directory (the package is provided with the course material)
# download address for the Harbor offline package:
https://github.com/goharbor/harbor/releases/tag/
# extract it:
tar zxvf harbor-offline-installer-v2.3.0-rc3.tgz
cd harbor
cp harbor.yml.tmpl harbor.yml
# edit the configuration file:
hostname: harbor
# set hostname to the same name as the CN of the certificate issued above
# use https: the certificate and private_key entries sit under the https: block
https:
  port: 443
  certificate: /data/ssl/harbor.pem
  private_key: /data/ssl/harbor.key
Mail and LDAP do not need to be configured here; they can be set up in the Harbor web UI.
Leave the other settings at their defaults.
Save and exit after making the changes.
Note: Harbor's default credentials are admin/Harbor12345

3.5. Install docker-compose

# download address: https://github.com/docker/compose/tags
mv docker-compose-Linux-x86_64 /usr/local/bin/docker-compose
# make it executable
chmod +x /usr/local/bin/docker-compose
Note: docker-compose is an official open-source Docker project for quickly orchestrating groups of Docker containers. Its project configuration file is docker-compose.yml by default, and the directory docker-compose runs in must contain one. docker-compose can manage multiple Docker containers at once.

3.6. Load the offline images Harbor needs

# load the images:
cd /data/install/harbor
docker load -i harbor.v2.3.0.tar.gz
# install:
cd /data/install/harbor
./install.sh

3.7. Configure name resolution

# add the entry to the hosts file
192.168.10.53 harbor
# open the following address in a browser:
https://harbor/

3.8. Log in to the registry

Username: admin

Password: Harbor12345

After entering the username and password, the Harbor dashboard appears.

3.9. Create a project

Note: a storage quota of -1 means unlimited capacity

3.10. Log in, pull and push images

# once Docker is installed on another node, log in to the local registry:
docker login 192.168.10.53
Username: admin
Password:
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# test image (nginx):
docker images nginx
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
nginx        latest    605c77e624dd   2 years ago   141MB
# tag the nginx image for the registry
docker tag 605c77e624dd 192.168.10.53/test/nginx:latest
# push it
docker push 192.168.10.53/test/nginx:latest
# pull it
docker pull 192.168.10.53/test/nginx:latest