Harbor 2.1.2 安装部署

环境

首先需要准备好 Docker + Docker-Compose 环境,Docker 在 CentOS 7.x 的安装教程请参考 这篇文章,后续文章假设你已经安装好了上述环境。

安装

标准安装

首先从 Harbor 的官方 GitHub Relase 下载最新的安装包,Harbor 本身的运行也是依赖于 Docker Compose ,整个压缩包本质上就是一系列离线镜像,执行安装脚本就是执行 docker load 命令将需要的镜像直接加载。

  1. 下载安装包,请访问 https://github.com/goharbor/harbor/releases/tag/v2.1.2 下载 tgz 压缩包。

  2. 将文件移动到安装文件夹,这里我建立了一个 /opt/harbor 文件夹。

  3. 运行 tar -xvf harbor-offline-installer-v1.10.1.tgz 解压文件包。

  4. 移动到解压完成的文件夹,编辑对应的 harbor.yml 文件,设置域名、SSL 证书等信息。

    注意⚠️:

    这一步的证书文件必须是全链证书(fullchain),否则后续 docker login 的时候会提示 X509 错误。

  5. 执行 ./install.sh --with-clair 开始安装 Harbor。

完成上述步骤以后 Harbor 就安装成功了。

不使用内置 NGINX

在我们的环境当中,NGINX 容器是单独存在的,并且使用的是 docker nework create 创建的外部网络。这个时候就不能够使用 Harbor 安装脚本内提供的 NGINX,需要变更 Harbor 的 Docker Compose 文件。

  1. 执行 docker-compose down 命令,停止所有 Harbor 容器。

  2. 编辑 Harbor 的 docker-compose.yml 文件,引入外部网络,这里我以 internal-network 为例,下面是变更好的 YAML 文件。

      1
      2
      3
      4
      5
      6
      7
      8
      9
     10
     11
     12
     13
     14
     15
     16
     17
     18
     19
     20
     21
     22
     23
     24
     25
     26
     27
     28
     29
     30
     31
     32
     33
     34
     35
     36
     37
     38
     39
     40
     41
     42
     43
     44
     45
     46
     47
     48
     49
     50
     51
     52
     53
     54
     55
     56
     57
     58
     59
     60
     61
     62
     63
     64
     65
     66
     67
     68
     69
     70
     71
     72
     73
     74
     75
     76
     77
     78
     79
     80
     81
     82
     83
     84
     85
     86
     87
     88
     89
     90
     91
     92
     93
     94
     95
     96
     97
     98
     99
    100
    101
    102
    103
    104
    105
    106
    107
    108
    109
    110
    111
    112
    113
    114
    115
    116
    117
    118
    119
    120
    121
    122
    123
    124
    125
    126
    127
    128
    129
    130
    131
    132
    133
    134
    135
    136
    137
    138
    139
    140
    141
    142
    143
    144
    145
    146
    147
    148
    149
    150
    151
    152
    153
    154
    155
    156
    157
    158
    159
    160
    161
    162
    163
    164
    165
    166
    167
    168
    169
    170
    171
    172
    173
    174
    175
    176
    177
    178
    179
    180
    181
    182
    183
    184
    185
    186
    187
    188
    189
    190
    191
    192
    193
    194
    195
    196
    197
    198
    199
    200
    201
    202
    203
    204
    205
    206
    207
    208
    209
    210
    211
    212
    213
    214
    215
    216
    217
    218
    219
    220
    221
    222
    223
    224
    225
    226
    227
    228
    229
    230
    231
    232
    233
    234
    235
    236
    237
    238
    239
    240
    241
    
    version: '2.3'
    services:
      log:
        image: goharbor/harbor-log:v2.1.2
        container_name: harbor-log
        restart: always
        dns_search: .
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - DAC_OVERRIDE
          - SETGID
          - SETUID
        volumes:
          - /var/log/harbor/:/var/log/docker/:z
          - type: bind
            source: ./common/config/log/logrotate.conf
            target: /etc/logrotate.d/logrotate.conf
          - type: bind
            source: ./common/config/log/rsyslog_docker.conf
            target: /etc/rsyslog.d/rsyslog_docker.conf
        ports:
          - 127.0.0.1:1514:10514
        networks:
          - harbor
          - internal-network
      registry:
        image: goharbor/registry-photon:v2.1.2
        container_name: registry
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - SETGID
          - SETUID
        volumes:
          - /data/registry:/storage:z
          - ./common/config/registry/:/etc/registry/:z
          - type: bind
            source: /data/secret/registry/root.crt
            target: /etc/registry/root.crt
          - type: bind
            source: ./common/config/shared/trust-certificates
            target: /harbor_cust_cert
        networks:
          - harbor
          - internal-network
        dns_search: .
        depends_on:
          - log
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "registry"
      registryctl:
        image: goharbor/harbor-registryctl:v2.1.2
        container_name: registryctl
        env_file:
          - ./common/config/registryctl/env
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - SETGID
          - SETUID
        volumes:
          - /data/registry:/storage:z
          - ./common/config/registry/:/etc/registry/:z
          - type: bind
            source: ./common/config/registryctl/config.yml
            target: /etc/registryctl/config.yml
          - type: bind
            source: ./common/config/shared/trust-certificates
            target: /harbor_cust_cert
        networks:
          - harbor
          - internal-network
        dns_search: .
        depends_on:
          - log
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "registryctl"
      postgresql:
        image: goharbor/harbor-db:v2.1.2
        container_name: harbor-db
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - DAC_OVERRIDE
          - SETGID
          - SETUID
        volumes:
          - /data/database:/var/lib/postgresql/data:z
        networks:
          harbor:
        dns_search: .
        env_file:
          - ./common/config/db/env
        depends_on:
          - log
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "postgresql"
      core:
        image: goharbor/harbor-core:v2.1.2
        container_name: harbor-core
        env_file:
          - ./common/config/core/env
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - SETGID
          - SETUID
        volumes:
          - /data/ca_download/:/etc/core/ca/:z
          - /data/:/data/:z
          - ./common/config/core/certificates/:/etc/core/certificates/:z
          - type: bind
            source: ./common/config/core/app.conf
            target: /etc/core/app.conf
          - type: bind
            source: /data/secret/core/private_key.pem
            target: /etc/core/private_key.pem
          - type: bind
            source: /data/secret/keys/secretkey
            target: /etc/core/key
          - type: bind
            source: ./common/config/shared/trust-certificates
            target: /harbor_cust_cert
        networks:
          - harbor
          - internal-network
        dns_search: .
        depends_on:
          - log
          - registry
          - redis
          - postgresql
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "core"
      portal:
        image: goharbor/harbor-portal:v2.1.2
        container_name: harbor-portal
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - SETGID
          - SETUID
          - NET_BIND_SERVICE
        volumes:
          - type: bind
            source: ./common/config/portal/nginx.conf
            target: /etc/nginx/nginx.conf
        networks:
          - harbor
          - internal-network
        dns_search: .
        depends_on:
          - log
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "portal"
    
      jobservice:
        image: goharbor/harbor-jobservice:v2.1.2
        container_name: harbor-jobservice
        env_file:
          - ./common/config/jobservice/env
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - SETGID
          - SETUID
        volumes:
          - /data/job_logs:/var/log/jobs:z
          - type: bind
            source: ./common/config/jobservice/config.yml
            target: /etc/jobservice/config.yml
          - type: bind
            source: ./common/config/shared/trust-certificates
            target: /harbor_cust_cert
        networks:
          - harbor
          - internal-network
        dns_search: .
        depends_on:
          - core
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "jobservice"
      redis:
        image: goharbor/redis-photon:v2.1.2
        container_name: redis
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - SETGID
          - SETUID
        volumes:
          - /data/redis:/var/lib/redis
        networks:
          harbor:
        dns_search: .
        depends_on:
          - log
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "redis"
    
    networks:
      harbor:
        external: false
      internal-network:
        external: true
    
  3. 在独立的 NGINX 中创建对应的配置文件,在上一步的 YAML 文件内部,我为每个容器指定了 container_name,确保容器名字唯一不会因为外部原因而变动。这个配置文件我是从之前 Harbor 内部的 NGINX 拷贝出来的,直接拿去改吧改吧就能用。

      1
      2
      3
      4
      5
      6
      7
      8
      9
     10
     11
     12
     13
     14
     15
     16
     17
     18
     19
     20
     21
     22
     23
     24
     25
     26
     27
     28
     29
     30
     31
     32
     33
     34
     35
     36
     37
     38
     39
     40
     41
     42
     43
     44
     45
     46
     47
     48
     49
     50
     51
     52
     53
     54
     55
     56
     57
     58
     59
     60
     61
     62
     63
     64
     65
     66
     67
     68
     69
     70
     71
     72
     73
     74
     75
     76
     77
     78
     79
     80
     81
     82
     83
     84
     85
     86
     87
     88
     89
     90
     91
     92
     93
     94
     95
     96
     97
     98
     99
    100
    101
    102
    103
    104
    105
    106
    107
    108
    109
    110
    111
    112
    113
    114
    115
    116
    117
    118
    119
    120
    121
    122
    123
    124
    125
    126
    
    server{
        listen 80;
        server_name 你的域名;
        return 301 https://你的域名$request_uri;
    }
    
    server{
        listen 443 ssl;
        server_name 你的域名;
    
        # disable any limits to avoid HTTP 413 for large image uploads
        client_max_body_size 0;
    
        # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;
    
        # Add extra headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header Content-Security-Policy "frame-ancestors 'none'";
    
        ssl_certificate   /etc/nginx/ssl/你的域名/full.pem;      # SSL 证书文件的存放路径
        ssl_certificate_key  /etc/nginx/ssl/你的域名/key.pem;   # SSL 密钥文件的存放路径
    
        ssl_protocols TLSv1.2;
        ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
    
        location / {
          proxy_pass http://harbor-portal:8080/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
    
          proxy_cookie_path / "/; HttpOnly; Secure";
    
          proxy_buffering off;
          proxy_request_buffering off;
        }
    
        location /c/ {
          proxy_pass http://harbor-core:8080/c/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
    
          proxy_cookie_path / "/; Secure";
    
          proxy_buffering off;
          proxy_request_buffering off;
        }
    
        location /api/ {
          proxy_pass http://harbor-core:8080/api/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
    
          proxy_cookie_path / "/; Secure";
    
          proxy_buffering off;
          proxy_request_buffering off;
        }
    
        location /chartrepo/ {
          proxy_pass http://harbor-core:8080/chartrepo/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
    
          proxy_cookie_path / "/; Secure";
    
          proxy_buffering off;
          proxy_request_buffering off;
        }
    
        location /v1/ {
          return 404;
        }
    
        location /v2/ {
          proxy_pass http://harbor-core:8080/v2/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_buffering off;
          proxy_request_buffering off;
          proxy_send_timeout 900;
          proxy_read_timeout 900;
        }
    
        location /service/ {
          proxy_pass http://harbor-core:8080/service/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
    
          proxy_cookie_path / "/; Secure";
    
          proxy_buffering off;
          proxy_request_buffering off;
        }
    
        location /service/notifications {
          return 404;
        }
    }
    

这里我使用的是 acme.sh 申请的泛解析 SSL 证书。

效果

image-20210104133553189

image-20210104141149631

image-20210104141319826

image-20210104141353030

Built with Hugo
主题 StackJimmy 设计