This is the sixth day of my participation in the Challenge. For details, see:More article challenges
This article will take you through a quick installation of a stand-alone version of the Harbor container mirroring service for individuals and small to medium businesses. “Building a Highly available Harbor Cluster Based on Kubernetes” will be compiled later. Please stay tuned!
Why do you need a custom container image service
Public cloud services are fast and easy to use, but from the perspective of enterprises, data security will become more important. As a result, many products and services used in enterprises are required to be privatized and private deployment, so as to achieve the goal of ensuring enterprise data security.
Therefore, enterprises may not choose public cloud services such as ACR of Alibaba Cloud or TCR of Tencent Cloud, but choose self-built container image service.
Based on the environment
The official specification requires at least 2 CPU cores, 4 GB memory, and 40 GB disk capacity. However, after the installation, I found that Harbor itself does not occupy a lot of resources as a container mirroring service, so 1 core 2 GB can run, and the disk capacity is allocated according to the size and number of mirrors.
We do not install Harbor directly on the host, but use Docker + Docker Compose to install, so we need to install Docker and Docker Compose and keep the version up to date.
You also need to install Openssl, which configures HTTPS access to the Harbor, and a Docker certificate.
Download the Installation Package
Harbor installation packages are divided into online installation packages and offline installation packages. The online installation package is the image required under DockerHub, while the offline installation package is the pre-built image, which is larger than the online installation package, but the entire installation process of the two packages is basically the same. Here is the download address.
Curl - LO, https://github.com/goharbor/harbor/releases/download/v2.2.2/harbor-online-installer-v2.2.2.tgz tar ZXF Harbor - online - the installer - v2.2.2. TGZCopy the code
The decompressed file is as follows:
> cdharbor && ls -la total 40 drwxr-xr-x 2 root root 4096 Jun 7 23:25 . drwxrwxrwt. 9 root root 4096 Jun 7 23:26 .. -rw-r--r-- 1 root root 3361 May 15 17:32 common.sh -rw-r--r-- 1 root root 7840 May 15 17:32 harbor.yml.tmpl -rwxr-xr-x 1 root root 2500 May 15 17:32 install.sh -rw-r--r-- 1 root root 11347 May 15 17:32 LICENSE -rwxr-xr-x 1 root root 1881 May 15 17:32 prepareCopy the code
Configure HTTPS
Self-built CA
Since this is a test environment, we chose to build our own CA. First, we generate the private key for the CA certificate as follows:
openssl genrsa -out ca.key 4096
Copy the code
Generate a CA certificate using the private key generated above:
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Shenzhen/L=Shenzhen/O=example/OU=Personal/CN=k8scat.com" \
-key ca.key \
-out ca.crt
Copy the code
Generating a Domain name Certificate
Now we use the CA certificate generated above to generate the domain name certificate, assuming that we are using the domain name harbor.k8scat.com here. Similarly, we have a private key for the certificate:
openssl genrsa -out harbor.k8scat.com.key 4096
Copy the code
Then use the private key of the Certificate to generate a Certificate Signing Request file (CSR) :
openssl req -sha512 -new \
-subj "/C=CN/ST=Shenzhen/L=Shenzhen/O=example/OU=Personal/CN=harbor.k8scat.com" \
-key harbor.k8scat.com.key \
-out harbor.k8scat.com.csr
Copy the code
You also need to generate x509 V3 extension files to meet the requirements of SAN (Subject Alternative Name) and X509 V3 extensions:
cat > v3.ext <<-EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1=harbor.k8scat.com EOF
Copy the code
Finally, we use ca.crt, ca.key, harbor.k8scat.com.csr and v3.ext to generate the domain name certificate we need:
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in harbor.k8scat.com.csr \
-out harbor.k8scat.com.crt
Copy the code
Configure Harbor and Docker certificates
Harbor
/data/cert. /data/cert. /data/cert.
cp harbor.k8scat.com.crt /data/cert/
cp harbor.k8scat.com.key /data/cert/
Copy the code
Docker
Because the Docker daemon interprets the.crt file as a CA certificate and the.cert file as a client certificate. So here we need to convert the domain name certificate (harbor.k8scat.com.crt) format to harbor.k8scat.com.cert:
openssl x509 -inform PEM -in harbor.k8scat.com.crt -out harbor.k8scat.com.cert
Copy the code
Then copy the domain name certificate and CA certificate to /etc/docker/certs.d:
cp harbor.k8scat.com.cert /etc/docker/certs.d/harbor.k8scat.com/
cp harbor.k8scat.com.key /etc/docker/certs.d/harbor.k8scat.com/
cp ca.crt /etc/docker/certs.d/harbor.k8scat.com/
Copy the code
Finally, restart the Docker service:
systemctl restart docker
Copy the code
The configuration of harbor. Yml
After configuring HTTPS, we need to configure the harbor.yml file, which is copied from the harbor.yml. TMPL file in the installation package:
cp harbor.yml.tmpl harbor.yml
Copy the code
Take a look at the contents of the harbor.yml file:
# Configuration file of Harbor
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be factcheck.org by external clients.
hostname: reg.mydomain.com
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80
# https related config
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /your/certificate/path
private_key: /your/private/key/path
# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
# # set enabled to true means internal tls is enabled
# enabled: true
# # put your cert and key files on dir
# dir: /etc/harbor/tls/internal
# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433
# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345
# Harbor DB configuration
database:
# The password for the root user of Harbor DB. Change this before any production use.
password: root123
# The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
max_idle_conns: 50
# The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
# Note: the default number of connections is 1024 for postgres of harbor.
max_open_conns: 1000
# The default data volume
data_volume: /data
# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
# # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
# # of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
# ca_bundle:
# # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
# # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
# filesystem:
# maxthreads: 100
# # set disable to true when you want to disable registry redirect
# redirect:
# disabled: false
# Trivy configuration
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
# 12 hours and published as a new release to GitHub.
trivy:
# ignoreUnfixed The flag to display only fixed vulnerabilities
ignore_unfixed: false
# skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
#
# You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
# If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
# `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
skip_update: false
#
# insecure The flag to skip verifying registry certificate
insecure: false
# github_token The GitHub access token to download Trivy DB
#
# Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
# for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
# requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
# https://developer.github.com/v3/#rate-limiting
#
# You can create a GitHub token by following the instructions in
# https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
#
# github_token: xxx
jobservice:
# Maximum number of job workers in job service
max_job_workers: 10
notification:
# Maximum retry count for webhook job
webhook_job_max_retry: 10
chart:
# Change the value of absolute_url to enabled can enable absolute url in chart
absolute_url: disabled
# Log configurations
log:
# options are debug, info, warning, error, fatal
level: info
# configs for logs in local storage
local:
# Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
rotate_count: 50
# Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
# If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
# are all valid.
rotate_size: 200M
# The directory on your host that store log
location: /var/log/harbor
# Uncomment following lines to enable external syslog endpoint.
# external_endpoint:
# # protocol used to transmit log to external endpoint, options is tcp or udp
# protocol: tcp
# # The host of external endpoint
# host: localhost
# # Port of external endpoint
# port: 5140
#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 2.2. 0
# Uncomment external_database if using external database.
# external_database:
# harbor:
# host: harbor_db_host
# port: harbor_db_port
# db_name: harbor_db_name
# username: harbor_db_username
# password: harbor_db_password
# ssl_mode: disable
# max_idle_conns: 2
# max_open_conns: 0
# notary_signer:
# host: notary_signer_db_host
# port: notary_signer_db_port
# db_name: notary_signer_db_name
# username: notary_signer_db_username
# password: notary_signer_db_password
# ssl_mode: disable
# notary_server:
# host: notary_server_db_host
# port: notary_server_db_port
# db_name: notary_server_db_name
# username: notary_server_db_username
# password: notary_server_db_password
# ssl_mode: disable
# Uncomment external_redis if using external Redis server
# external_redis:
# # support redis, redis+sentinel
# # host for redis:
:
# # host for redis+sentinel:
# #
:
,
:
,
:
# host: redis:6379
# password:
# # sentinel_master_set must be set to support redis+sentinel
# #sentinel_master_set:
# # db_index 0 is for core, it's unchangeable
# registry_db_index: 1
# jobservice_db_index: 2
# chartmuseum_db_index: 3
# trivy_db_index: 5
# idle_timeout_seconds: 30
# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
# ca_file: /path/to/ca
# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
http_proxy:
https_proxy:
no_proxy:
components:
- core
- jobservice
- trivy
# metric:
# enabled: false
# port: 9090
# path: /metrics
Copy the code
Here we mainly modify the following configurations:
- hostname =
harbor.k8scat.com
- https.certificate =
/data/cert/harbor.k8scat.com.crt
- https.private_key =
/data/cert/harbor.k8scat.com.key
- harbor_admin_password =
xxx
- database.password =
xxx
The Harbor we installed this time does not use other components, such as Notary, Trivy and Chart, so the relevant configuration can be ignored.
Start the Harbor
./install.sh
Copy the code
Reference documentation
- Harbor Installation Prerequisites
- Download the Harbor Installer
- Run the Installer Script
- Configure the Harbor YML File
- Configure HTTPS Access to Harbor