云野阁

Building a Docker Image Repository (Harbor)

Task Objectives#

  1. Complete the setup of the Docker image repository

Task Platform#

  1. Physical Device --
  2. Operating System: openEuler 22.03 LTS SP2

Deployment Guide#

Task One: Environment Requirements#

  1. Hardware Configuration

The following figure lists the minimum and recommended hardware configurations for deploying Harbor.

[figure: Harbor minimum and recommended hardware configurations]

  2. Network Ports

Harbor requires the following ports to be open on the target host.

Port   Protocol   Remarks
443    HTTPS      Harbor portal and core API accept HTTPS requests on this port
4443   HTTPS      Connects to the Docker content trust service for Harbor
80     HTTP       Harbor portal and core API accept HTTP requests on this port

Task Two: Basic Environment Preparation#

Task Three: Deployment#

  1. Download Harbor#

wget https://github.com/goharbor/harbor/releases/download/v2.9.1/harbor-offline-installer-v2.9.1.tgz
# Extract the offline installer
tar -vzxf harbor-offline-installer-v2.9.1.tgz
  2. Install HTTPS Certificate#

    1. Simple Version#

# Create the certificate directory and set permissions
# (777 is wider than needed: the private key only has to be readable by the user Harbor runs as)
mkdir -p /data/cert/
chmod -R 777 /data/cert/
cd /data/cert
# Create a passphrase-protected private key
openssl genrsa -des3 -out harbor.key 2048
# Generate a certificate signing request; the CN is the registry's IP or domain name
openssl req -sha512 -new \
     -subj "/C=CN/ST=hennan/L=zhengzhou/O=qishi/OU=qishi/CN=images.store.net.crt" \
     -key harbor.key \
     -out harbor.csr
# Back up the key
cp harbor.key harbor.key.org
# Strip the passphrase so Harbor can load the key unattended
openssl rsa -in harbor.key.org -out harbor.key
# Self-sign the CSR with the private key
openssl x509 -req -days 100000 -in harbor.csr -signkey harbor.key -out harbor.crt
    2. Official Version#

# Create the working directory
mkdir -p /data/harbor-ca
cd /data/harbor-ca

      • Generate Certificate Authority Certificate

      1. Generate CA Certificate Private Key
openssl genrsa -out ca.key 4096

      2. Generate CA Certificate
# The CN is the registry's IP or domain name
openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=henan/L=zhengzhou/O=qishi/OU=qishi/CN=hub-docker.xxx.net" \
 -key ca.key \
 -out ca.crt

      • Generate Server Certificate

      1. Generate Private Key
# Name the files after the domain name or IP
openssl genrsa -out hub-docker.xxx.net.key 4096

      2. Generate Certificate Signing Request (CSR)
openssl req -sha512 -new \
    -subj "/C=CN/ST=henan/L=zhengzhou/O=qishi/OU=qishi/CN=hub-docker.xxx.net" \
    -key hub-docker.xxx.net.key \
    -out hub-docker.xxx.net.csr

      3. Generate x509 v3 Extension File
# The subjectAltName entries are what Docker clients check against the registry hostname
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=hub-docker.xxx.net
DNS.2=hub-docker.xxx
DNS.3=hub-docker
EOF

      4. Generate Certificate Using v3.ext
openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in hub-docker.xxx.net.csr \
    -out hub-docker.xxx.net.crt

      • Provide Certificates to Harbor and Docker

        • Copy the server certificate and key to the directory Harbor reads certificates from
# Create the directory for Harbor's certificates
mkdir -p /data/cert/
# Copy the certificate and key
cp hub-docker.xxx.net.crt /data/cert/
cp hub-docker.xxx.net.key /data/cert/

        • Convert the certificate for Docker's use
# Docker treats .crt files as CA certificates and .cert files as client certificates
openssl x509 -inform PEM -in hub-docker.xxx.net.crt -out hub-docker.xxx.net.cert
# Create the Docker certificate directory, named after the registry's ip:port or domain name
mkdir -p /etc/docker/certs.d/hub-docker.xxx.net/
# Copy the certificates
cp hub-docker.xxx.net.cert /etc/docker/certs.d/hub-docker.xxx.net/
cp hub-docker.xxx.net.key /etc/docker/certs.d/hub-docker.xxx.net/
cp ca.crt /etc/docker/certs.d/hub-docker.xxx.net/
# Restart Docker
systemctl restart docker
          
  3. Install Harbor#

Modify the configuration file

cp harbor.yml.tmpl harbor.yml
vi harbor.yml
#################################
hostname: hub-docker.xxx.net   # Change to the local IP or custom domain name; it must match the certificate's CN/SAN
http:
  port: 80 # Port can be customized
https:
  port: 443 # Port can be customized
  certificate: /data/cert/hub-docker.xxx.net.crt # Path the certificate was copied to in the previous step
  private_key: /data/cert/hub-docker.xxx.net.key # Path the private key was copied to in the previous step
harbor_admin_password: Harbor12345 # Initial admin password; change it before exposing the portal
data_volume: /data/harbor-data # Data storage directory
#################################

Execute installation

./install.sh  --with-trivy

Open the portal in a browser using the IP address and port (or by domain name, after adding a hosts entry).

[figure: Harbor portal opened in the browser]

Task Four: Set Up Docker Login Credential Encryption (On the Host that Pulls Images)#

  1. Install pass
# Build dependencies
yum install -y make
# Get the pass source
wget https://git.zx2c4.com/password-store/snapshot/password-store-1.7.4.tar.xz
# Extract into /usr/local/
tar Jxf password-store-1.7.4.tar.xz -C /usr/local/
# Install
cd /usr/local/password-store-1.7.4
make install
# Verify
pass version
  2. Install docker-credential-helpers
# Install the Go toolchain
yum -y install golang-1.17.3
# Get the docker-credential-helpers source
wget https://github.com/docker/docker-credential-helpers/archive/refs/tags/v0.8.0.tar.gz
tar -xf v0.8.0.tar.gz
mv docker-credential-helpers-0.8.0 docker-credential-helpers
cd docker-credential-helpers/
# Build only the pass backend
make pass
cp bin/build/docker-credential-pass /usr/bin/
chmod +x /usr/bin/docker-credential-pass
  3. Initialize the password store
# Generate a GPG key pair
gpg --full-generate-key
# List keys
gpg --list-keys
##################################################
/root/.gnupg/pubring.kbx
------------------------
pub   rsa3072 2023-11-30 [SC] [expires: 2025-11-29]
      56CCF64EC289B13B1C0F14CCF2BB16136358AEA4
uid             [ultimate] qishi <[email protected]>
sub   rsa3072 2023-11-30 [E] [expires: 2025-11-29]
##################################################
# Initialize pass with the key fingerprint shown above
pass init 56CCF64EC289B13B1C0F14CCF2BB16136358AEA4

# Log in to the Docker registry and check that no credentials are stored in config.json
# (with pass and docker-credential-pass on the PATH, the Docker CLI selects the helper and records "credsStore": "pass")
docker login hub-docker.xxx.net
cat /root/.docker/config.json
#######################################
{
        "auths": {
                "hub-docker.xxx.net": {}
        },
        "credsStore": "pass"
}
#######################################

# Create the marker entry docker-credential-pass uses to confirm the store is initialized
pass insert docker-credential-helpers/docker-pass-initialized-check
# List the stored credentials
docker-credential-pass list
# Inspect the password store (pass uses tree to display it)
yum install tree -y
pass
# Show one entry; the path is the base64-encoded registry name followed by the username
pass show docker-credential-helpers/aW1hZ2VzLnN0b3JlLm5ldA==/admin
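An audit of the config.json the page inspects after "docker login": with a credential helper the "auths" entries are empty, and without one each entry holds an "auth" value that is merely base64 of user:password. This is an added example, not part of the original post; the sample files are constructed and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): detect inline registry credentials
# in a Docker client config.json. Sample files are constructed; names are assumptions.
set -eu

# Constructed sample files (not captured from a real host): the two shapes of config.json
write_samples() {                 # usage: write_samples <dir>
  cat > "$1/plain.json" <<'EOF'
{ "auths": { "hub-docker.xxx.net": { "auth": "YWRtaW46SGFyYm9yMTIzNDU=" } } }
EOF
  cat > "$1/pass.json" <<'EOF'
{ "auths": { "hub-docker.xxx.net": {} }, "credsStore": "pass" }
EOF
}

# Print one registry per line whose credentials sit inline in the file.
# Whitespace is stripped first so the pattern does not depend on indentation.
inline_auth_registries() {        # usage: inline_auth_registries <config.json>
  tr -d ' \n\t' < "$1" | grep -o '"[^"]*":{"auth":"[^"]*"' | sed 's/^"\([^"]*\)".*/\1/'
}

# The inline value decodes to user:password; print only the user to show it is not encrypted.
inline_auth_user() {              # usage: inline_auth_user <config.json> <registry>
  tr -d ' \n\t' < "$1" | grep -o "\"$2\":{\"auth\":\"[^\"]*\"" \
    | sed 's/.*"auth":"//; s/"$//' | base64 -d | cut -d: -f1
}

# A helper such as pass is configured when "credsStore" is present.
uses_creds_store() { grep -q '"credsStore"' "$1"; }

# Verdict: 0 when no inline credentials exist and a helper is configured, 1 otherwise.
creds_protected() {               # usage: creds_protected <config.json>
  [ -z "$(inline_auth_registries "$1")" ] && uses_creds_store "$1"
}
```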

Task Five: Upload and Download Images (On the Host that Pulls Images)#

On the host that needs to pull and upload images, modify daemon.json and then restart Docker. Note that insecure-registries makes the daemon accept this registry without verifying its certificate; the alternative that keeps verification is to copy ca.crt into /etc/docker/certs.d/hub-docker.xxx.net/ on this host, as was done on the Harbor host in Task Three.

vi /etc/docker/daemon.json
# The entry is the registry's IP or domain name (JSON allows no comments, so keep the file as shown)
{
  "insecure-registries": ["hub-docker.xxx.net"]
}

systemctl restart docker

Pull and upload images

# Pull nginx image for testing
docker pull nginx
# Re-tag, where test is an existing project in Harbor
docker tag nginx:latest 172.20.1.55/test/nginx-test:1.0
docker tag nginx:latest hub-docker.xxx.net/test/nginx-test:1.0
# Log in to the repository, enter username and password
docker login 172.20.1.55
docker login hub-docker.xxx.net
systemctl restart docker
# Push the image to the repository
docker push 172.20.1.55/test/nginx-test:1.0
docker push hub-docker.xxx.net/test/nginx-test:1.0
# Pull the image
docker pull 172.20.1.55/test/nginx-test:1.0
docker pull hub-docker.xxx.net/test/nginx-test:1.0

Task Six: Cosign Sign Images (On the Host that Pulls Images)#

mkdir -p /data/cosign
# Work in /data/cosign so the key pair lands where the sign and verify commands expect it
cd /data/cosign
# Download and install cosign (x86_64)
wget https://github.com/sigstore/cosign/releases/download/v2.2.2/cosign-2.2.2-1.x86_64.rpm
rpm -ivh cosign-2.2.2-1.x86_64.rpm
# arm64
wget https://github.com/sigstore/cosign/releases/download/v2.2.2/cosign-2.2.2-1.aarch64.rpm
rpm -ivh cosign-2.2.2-1.aarch64.rpm
# Verify the installation
cosign version
# Generate the key pair (cosign.key and cosign.pub) in the current directory
cosign generate-key-pair
# Sign the image; the signature is pushed to the registry next to the image
cosign sign --allow-insecure-registry --key /data/cosign/cosign.key images.store.net/test/test-nginx:1.0.0

# Verify the signature with the public key
cosign verify --allow-insecure-registry --key /data/cosign/cosign.pub images.store.net/test/test-nginx:1.0.0