Setting up a Harbor private image registry with HTTPS

Environment: CentOS 7.3
Docker 17.03

References:
https://www.jianshu.com/p/9cf7ab8cec41
http://www.mamicode.com/info-detail-1855980.html


##################################################
                                      Server-side configuration
##################################################

1. Install dependencies

$ yum install ebtables ethtool iproute iptables socat util-linux wget vim openssl-devel -y

2. Install Docker 17

$ wget -O - https://raw.githubusercontent.com/cherryleo/scripts/master/centos7-install-docker.sh |  sh

3. Install docker-compose

$ yum install epel-release -y
$ yum install python-pip -y
$ pip install --upgrade pip
$ pip install docker-compose


4. Create the certificate directory

$ mkdir -p /data/cert
$ cd /data/cert/


5. Create the CA certificate

$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt

Generating a 4096 bit RSA private key
..........................................++
........++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:Sunline
Organizational Unit Name (eg, section) []:HaiTeng
Common Name (eg, your name or your server's hostname) []:Harbor
Email Address []:[email protected]


6. Generate a certificate signing request

$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout sunline.com.key -out sunline.com.csr

Generating a 4096 bit RSA private key
....++
...................................................................................++
writing new private key to 'sunline.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:Sunline
Organizational Unit Name (eg, section) []:HaiTeng
Common Name (eg, your name or your server's hostname) []:Harbor
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


7. Issue the certificate for the registry host

$ openssl x509 -req -days 365 -in sunline.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out sunline.com.crt

Signature ok
subject=/C=CN/ST=GuangDong/L=ShenZhen/O=Sunline/OU=HaiTeng/CN=Harbor/[email protected]
Getting CA Private Key

If you connect to the registry host by IP address, for example 10.22.60.169 (this host's IP), you can run the following commands, which put that IP into the certificate's subjectAltName:

$ echo subjectAltName = IP:10.22.60.169 > extfile.cnf
$ openssl x509 -req -days 365 -in sunline.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out sunline.com.crt
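Steps 5 to 7 above, collected into one non-interactive script. This is an added example, not code from the original post: it uses `-subj` and a small config file instead of the interactive prompts, 2048-bit keys instead of 4096 to keep the run quick, a distinct CA common name (`Harbor Demo CA`, constructed) so the CA and server subjects differ, and extends the SAN to both the registry IP from the post (10.22.60.169) and a constructed DNS name (`harbor.sunline.com`). It then checks the result the way a TLS client such as the Docker daemon does: chain to `ca.crt`, server purpose, and the connected IP matched against the SAN. It assumes the OpenSSL CLI is installed.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a private CA and a
# registry certificate with subjectAltName, then verifies it like a client.
# Assumptions: OpenSSL CLI installed; 2048-bit keys (post uses 4096);
# CA subject and DNS name are constructed; IP is the post's 10.22.60.169.

# make_registry_certs DIR IP DNSNAME
# Writes ca.key/ca.crt and sunline.com.{key,csr,crt} into DIR.
make_registry_certs() {
    dir="$1"; ip="$2"; dns="$3"
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        # Explicit config so the run is non-interactive and the CA gets
        # CA:TRUE + keyCertSign, which `openssl verify` requires of an issuer.
        cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Harbor Demo CA
O  = Sunline
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
        # 1. Private CA (key left unencrypted by -nodes, as in the post).
        openssl req -new -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
            -days 365 -keyout ca.key -out ca.crt 2>/dev/null || exit 1
        # 2. Registry key and CSR; -subj replaces the interactive DN prompts.
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
            -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=Sunline/OU=HaiTeng/CN=$dns" \
            -keyout sunline.com.key -out sunline.com.csr 2>/dev/null || exit 1
        # 3. SAN extension: Docker (Go) matches the connected IP or name
        #    against the SAN, not the CN, so both forms are listed.
        printf 'subjectAltName = IP:%s, DNS:%s\nextendedKeyUsage = serverAuth\n' \
            "$ip" "$dns" > extfile.cnf
        # 4. Sign the CSR with the CA, adding the extensions above.
        openssl x509 -req -days 365 -sha256 -in sunline.com.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -extfile extfile.cnf -out sunline.com.crt 2>/dev/null || exit 1
    )
}

# verify_for_ip DIR IP: returns 0 if sunline.com.crt chains to DIR/ca.crt,
# is usable as a server certificate and carries IP in its SAN (what the
# Docker daemon checks once ca.crt is in the trust store).
verify_for_ip() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver -verify_ip "$2" \
        "$1/sunline.com.crt" >/dev/null 2>&1
}

# print_san DIR: prints the SAN line, e.g. "IP Address:10.22.60.169, DNS:..."
print_san() {
    openssl x509 -in "$1/sunline.com.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Stand-alone use: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    make_registry_certs ./demo-cert 10.22.60.169 harbor.sunline.com \
        && verify_for_ip ./demo-cert 10.22.60.169 \
        && echo "chain and IP check OK; SAN: $(print_san ./demo-cert)"
fi
```

Running `verify_for_ip` with an IP that is not in the SAN fails, which is the same mismatch a Docker client would report; checking this on the server before copying `ca.crt` to clients saves a round of troubleshooting later.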

8. Upload and unpack the Harbor offline installer

$ tar xvf harbor-offline-installer-v1.5.0.tgz
$ cd harbor

9. Edit the configuration file

$ vim harbor.cfg

hostname = 10.22.60.169
ui_url_protocol = https
ssl_cert = /data/cert/sunline.com.crt
ssl_cert_key = /data/cert/sunline.com.key
secretkey_path = /data


10. Install Harbor

$ ./install.sh

11. Web access

The default account/password is admin/Harbor12345

https://10.22.60.167

12. Create the CA certificate directory and copy the CA certificate into it

$ cd /etc/pki/ca-trust/source/anchors/        # copy the CA certificate so this host can access and log in
$ cp /data/cert/ca.crt .

13. Restart services

$ update-ca-trust
$ systemctl restart docker


#######################################   Client configuration     #######################################

1. Copy the certificate so Docker can pull images from the Harbor registry

$ cd /etc/pki/ca-trust/source/anchors/
$ scp 10.22.60.169:/data/cert/ca.crt .

2. Restart Docker

$ update-ca-trust
$ systemctl restart docker

3. Login test

$ docker login -u admin -p Harbor12345 10.22.60.169
Login Succeeded


Error
Error response from daemon: Get https://10.22.60.169/v1/users/: x509: certificate has expired or is not yet valid

Fix: synchronise the system time
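The Docker client reports this error whenever the certificate's validity window does not contain the client's current time, which is why synchronising the clock fixes it. The following shell function is an added example, not from the original post: it compares a certificate's notBefore/notAfter with the local clock so you can tell a skewed clock from a certificate that really is expired or not yet valid before changing the time. It assumes the OpenSSL CLI and GNU `date` (both present on CentOS 7); the `make_test_cert` helper and its `clock-test` subject are constructed only so the check has input.

```shell
#!/bin/sh
# Added example, not from the original post: tell a real certificate problem
# apart from a wrong clock before resorting to "sync the system time".
# Assumptions: OpenSSL CLI and GNU date (both present on CentOS 7).

# cert_clock_status CERT [NOW_EPOCH]
# Compares the certificate's validity window with NOW_EPOCH (default: this
# machine's clock). Prints a diagnosis and returns
#   0 = valid at NOW, 1 = not yet valid (clock behind or cert from the future),
#   2 = expired (clock ahead or cert genuinely old), 3 = could not parse dates
cert_clock_status() {
    cert="$1"
    now="${2:-$(date +%s)}"
    # openssl prints e.g. "notBefore=Jun  1 08:00:00 2018 GMT"; GNU date parses the value.
    start=$(openssl x509 -in "$cert" -noout -startdate | sed 's/^notBefore=//')
    end=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
    start_s=$(date -u -d "$start" +%s) || return 3
    end_s=$(date -u -d "$end" +%s) || return 3
    if [ "$now" -lt "$start_s" ]; then
        echo "not yet valid: clock is $((start_s - now))s before notBefore ($start)"
        return 1
    elif [ "$now" -gt "$end_s" ]; then
        echo "expired: clock is $((now - end_s))s after notAfter ($end)"
        return 2
    fi
    echo "valid: $((end_s - now))s left until notAfter ($end)"
    return 0
}

# make_test_cert DIR DAYS: constructed self-signed certificate valid from now
# for DAYS days, only so the check above has something to run against.
make_test_cert() {
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = clock-test\n' > "$1/req.cnf"
    openssl req -new -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days "$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Stand-alone use: sh this_script.sh /etc/pki/ca-trust/source/anchors/ca.crt
if [ -n "${1:-}" ]; then
    cert_clock_status "$1"
fi
```

Run it on the client against the copied `ca.crt` (and on the registry host against `sunline.com.crt`); if it reports "not yet valid" or "expired" by a margin that matches the difference between `date -u` on the two machines, the clock is the problem, and synchronising the time as the post says is the right fix.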
