为扎赉特等地区用户提供了全套网页设计制作服务,及扎赉特网站建设行业解决方案。主营业务为成都网站设计、成都做网站、扎赉特网站设计,以传统方式定制建设网站,并提供域名空间备案等一条龙服务,秉承以专业、用心的态度为用户提供真诚的服务。我们深信只要达到每一位用户的要求,就会得到认可,从而选择与我们长期合作。这样,我们也可以走得更远!
上面左边是我的个人微 信,如需进一步沟通,请加好 友。 右边是我的公众号“Openstack私有云”,如有兴趣,请关注。
第一次安装harbor的时候为了方便,安装成了http方式,但是后面时候的时候发现各种不方便,因为docker客户端登录镜像源的时候都是默认是https方式,所以每一个客户端都要特别的设置,很是麻烦。因此决定将http方式改为https方式。记录一下操作过程。
参考官网的安装文档进行操作,如下:
https://github.com/goharbor/harbor/blob/master/docs/configure_https.md
创建CA密钥对: openssl genrsa -out ca.key 4096 openssl req -x509 -new -nodes -sha512 -days 36500 \ -subj "/C=SC/ST=CHENGDU/L=CHENGDU/O=example/OU=Personal/CN=yuweibnig.com" \ -key ca.key \ -out ca.crt openssl genrsa -out yuweibing.com.key 4096 创建web服务器端秘钥对: openssl req -sha512 -new \ -subj "/C=SC/ST=CHENGDU/L=CHENGDU/O=example/OU=Personal/CN=yuweibnig.com" \ -key yuweibing.com.key \ -out yuweibing.com.csr 使web服务器到CA进行签约: cat > v3.ext <<-EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1=yuweibing.com DNS.2=yuweibing DNS.3=harbor EOF openssl x509 -req -sha512 -days 3650 \ -extfile v3.ext \ -CA ca.crt -CAkey ca.key -CAcreateserial \ -in yuweibing.com.csr \ -out yuweibing.com.crt 执行结果显示如下: [root@harbor ssl]# openssl x509 -req -sha512 -days 3650 \ > -extfile v3.ext \ > -CA ca.crt -CAkey ca.key -CAcreateserial \ > -in yuweibing.com.csr \ > -out yuweibing.com.crt Signature ok subject=/C=SC/ST=CHENGDU/L=CHENGDU/O=example/OU=Personal/CN=yuweibnig.com Getting CA Private Key [root@harbor ssl]#
修改harbor.cfg配置文件中以下参数 :
hostname = yuweibing.com
ui_url_protocol = https
ssl_cert = /software/harbor/ssl/yuweibing.com.crt
ssl_cert_key = /software/harbor/ssl/yuweibing.com.key
secretkey_path = /software/harbor/ssl
然后执行prepare:
./prepare
然后执行install:
./install.sh
以下是执行结果:
[root@harbor harbor]# ./prepare Clearing the configuration file: ./common/config/adminserver/env Clearing the configuration file: ./common/config/core/env Clearing the configuration file: ./common/config/core/app.conf Clearing the configuration file: ./common/config/core/private_key.pem Clearing the configuration file: ./common/config/db/env Clearing the configuration file: ./common/config/jobservice/env Clearing the configuration file: ./common/config/jobservice/config.yml Clearing the configuration file: ./common/config/registry/config.yml Clearing the configuration file: ./common/config/registry/root.crt Clearing the configuration file: ./common/config/registryctl/env Clearing the configuration file: ./common/config/registryctl/config.yml Clearing the configuration file: ./common/config/nginx/nginx.conf Clearing the configuration file: ./common/config/log/logrotate.conf Generated and saved secret to file: /software/harbor/ssl/secretkey Generated configuration file: ./common/config/nginx/nginx.conf Generated configuration file: ./common/config/adminserver/env Generated configuration file: ./common/config/core/env Generated configuration file: ./common/config/registry/config.yml Generated configuration file: ./common/config/db/env Generated configuration file: ./common/config/jobservice/env Generated configuration file: ./common/config/jobservice/config.yml Generated configuration file: ./common/config/log/logrotate.conf Generated configuration file: ./common/config/registryctl/env Generated configuration file: ./common/config/core/app.conf Generated certificate, key file: ./common/config/core/private_key.pem, cert fil The configuration files are ready, please use docker-compose to start the servi [root@harbor harbor]# ls common docker-compose.clair.yml docker-compose.yml docker-compose.chartmuseum.yml docker-compose.notary.yml harbor.cfg [root@harbor harbor]# ./install.sh [Step 0]: checking installation environment ... Note: docker version: 1.13.1 Note: docker-compose version: 1.18.0 [Step 1]: loading Harbor images ... Loaded image: goharbor/registry-photon:v2.6.2-v1.7.1 Loaded image: goharbor/harbor-migrator:v1.7.1 Loaded image: goharbor/harbor-adminserver:v1.7.1 Loaded image: goharbor/harbor-core:v1.7.1 Loaded image: goharbor/harbor-log:v1.7.1 Loaded image: goharbor/harbor-jobservice:v1.7.1 Loaded image: goharbor/notary-server-photon:v0.6.1-v1.7.1 Loaded image: goharbor/clair-photon:v2.0.7-v1.7.1 Loaded image: goharbor/harbor-portal:v1.7.1 Loaded image: goharbor/harbor-db:v1.7.1 Loaded image: goharbor/redis-photon:v1.7.1 Loaded image: goharbor/nginx-photon:v1.7.1 Loaded image: goharbor/harbor-registryctl:v1.7.1 Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.7.1 Loaded image: goharbor/chartmuseum-photon:v0.7.1-v1.7.1 [Step 2]: preparing environment ... Clearing the configuration file: ./common/config/adminserver/env Clearing the configuration file: ./common/config/core/env Clearing the configuration file: ./common/config/core/app.conf Clearing the configuration file: ./common/config/core/private_key.pem Clearing the configuration file: ./common/config/db/env Clearing the configuration file: ./common/config/jobservice/env Clearing the configuration file: ./common/config/jobservice/config.yml Clearing the configuration file: ./common/config/registry/config.yml Clearing the configuration file: ./common/config/registry/root.crt Clearing the configuration file: ./common/config/registryctl/env Clearing the configuration file: ./common/config/registryctl/config.yml Clearing the configuration file: ./common/config/nginx/cert/yuweibing.com.crt Clearing the configuration file: ./common/config/nginx/cert/yuweibing.com.key Clearing the configuration file: ./common/config/nginx/nginx.conf Clearing the configuration file: ./common/config/log/logrotate.conf loaded secret from file: /software/harbor/ssl/secretkey Generated configuration file: ./common/config/nginx/nginx.conf Generated configuration file: ./common/config/adminserver/env Generated configuration file: ./common/config/core/env Generated configuration file: ./common/config/registry/config.yml Generated configuration file: ./common/config/db/env Generated configuration file: ./common/config/jobservice/env Generated configuration file: ./common/config/jobservice/config.yml Generated configuration file: ./common/config/log/logrotate.conf Generated configuration file: ./common/config/registryctl/env Generated configuration file: ./common/config/core/app.conf Generated certificate, key file: ./common/config/core/private_key.pem, cert fil The configuration files are ready, please use docker-compose to start the servi [Step 3]: checking existing instance of Harbor ... Note: stopping existing Harbor instance ... Stopping nginx ... done Stopping harbor-jobservice ... done Stopping harbor-portal ... done Stopping harbor-core ... done Stopping registry ... done Stopping harbor-adminserver ... done Stopping registryctl ... done Stopping redis ... done Stopping harbor-db ... done Stopping harbor-log ... done Removing nginx ... done Removing harbor-jobservice ... done Removing harbor-portal ... done Removing harbor-core ... done Removing registry ... done Removing harbor-adminserver ... done Creating harbor-log ... done Removing redis ... done Removing harbor-db ... done Removing harbor-log ... done Removing network harbor_harbor Creating redis ... done Creating harbor-core ... done [Step 4]: starting Harbor ... Creating harbor-portal ... done Creating nginx ... done Creating registryctl ... Creating harbor-adminserver ... Creating redis ... Creating registry ... Creating harbor-db ... Creating harbor-core ... Creating harbor-portal ... Creating harbor-jobservice ... Creating nginx ... ✔ ----Harbor has been installed and started successfully.---- Now you should be able to visit the admin portal at https://reg.yuweibing.com. For more details, please visit https://github.com/goharbor/harbor . [root@harbor harbor]# ./install.sh接下来修改windows本机客户端的hosts文件强制解析域名: reg.yuweibing.com
192.168.1.44reg.yuweibing.com
192.168.170.44reg.yuweibing.com
然后就可以在windows客户端上输入域名 reg.yuweibing.com进行访问harbor的web网页了,如下:
登录进去后发现原来的用户信息和镜像数据都还在,还是不错。
接下来验证docker客户端是否能够正常从harbor拉取镜像:
[root@k8s1 ~]# docker login yuweibing.com Username: ywb Password: Error response from daemon: Get https://yuweibing.com/v2/: x509: certificate signed by unknown authority发现认证失败。原因是还需要设置docker对于yuweibing.com这个域名的认证信息,将这个域名的公钥私钥和CA文件拷贝到docker的认证目录:/etc/docker/certs.d/yuweibing.com/ ,操作如下:
进入上面的秘钥文件所在的ssl目录,并执行如下命令: openssl x509 -inform PEM -in yuweibing.com.crt -out yuweibing.com.cert cp yuweibing.com.cert /etc/docker/certs.d/yuweibing.com/ cp yuweibing.com.key /etc/docker/certs.d/yuweibing.com/ cp ca.crt /etc/docker/certs.d/yuweibing.com/将上面生成的3个文件同样scp拷贝到需要登录harbor的所有docker客户端的/etc/docker/certs.d/yuweibing.com/目录中,注意这个目录需要新建,同时需要在docker客户端中修改hosts文件解析yuweibing.com。
再次验证一下:
[root@k8s1 yuweibing.com]# docker login yuweibing.com Username: ywb Password: WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded [root@k8s1 yuweibing.com]#验证成功!
总结:
如果为了在安装harbor的时候省事采用http的方式部署,使用的时候docker客户端默认使用register仓库的时候都是使用安全连接https,如果要改为http需要修改docker配置,很是麻烦。因此还是需要使用https方式。
从http方式改为https方式主要是需要重新生成CA证书(颁发机构),web服务器证书(harbor服务器),以及服务器向CA进行签发注册。之后修改harbor.cfg配置文件,将服务器证书文件配置到配置文件中,修改hostname从IP地址改为域名,重新prepare和install ,install程序会自己将原来的docker-compose中的容器删除重新生成。
重新安装后的用户信息和镜像数据都会保留。
最后不要忘记配置docker客户端harbor服务器的公钥私钥,并且做好域名解析,如果没有dns服务器解析,就直接修改docker客户端上的hosts文件解析harbor配置的域名。
另外有需要云服务器可以了解下创新互联cdcxhl.cn,海内外云服务器15元起步,三天无理由+7*72小时售后在线,公司持有idc许可证,提供“云服务器、裸金属服务器、高防服务器、香港服务器、美国服务器、虚拟主机、免备案服务器”等云主机租用服务以及企业上云的综合解决方案,具有“安全稳定、简单易用、服务可用性高、性价比高”等特点与优势,专为企业上云打造定制,能够满足用户丰富、多元化的应用场景需求。
本文题目:Harbor从http方式改为https方式-创新互联
文章分享:https://www.cdcxhl.com/article6/cojjog.html
成都网站建设公司_创新互联,为您提供小程序开发、企业建站、移动网站建设、定制网站、动态网站、网站营销
声明:本网站发布的内容(图片、视频和文字)以用户投稿、用户转载内容为主,如果涉及侵权请尽快告知,我们将会在第一时间删除。文章观点不代表本网站立场,如需处理请联系客服。电话:028-86922220;邮箱:631063699@qq.com。内容未经允许不得转载,或转载时需注明来源: 创新互联