Switching Harbor from HTTP to HTTPS
When I first installed Harbor I set it up over HTTP for convenience, but in day-to-day use this turned out to be inconvenient in all sorts of ways: the docker client talks to image registries over HTTPS by default, so every single client had to be specially configured, which was a real hassle. So I decided to switch from HTTP to HTTPS, and I am recording the steps here.
I followed the official installation documentation:
https://github.com/goharbor/harbor/blob/master/docs/configure_https.md
Create the CA key pair:

openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 36500 \
 -subj "/C=SC/ST=CHENGDU/L=CHENGDU/O=example/OU=Personal/CN=yuweibnig.com" \
 -key ca.key \
 -out ca.crt

Create the web server key pair and certificate request:

openssl genrsa -out yuweibing.com.key 4096
openssl req -sha512 -new \
 -subj "/C=SC/ST=CHENGDU/L=CHENGDU/O=example/OU=Personal/CN=yuweibnig.com" \
 -key yuweibing.com.key \
 -out yuweibing.com.csr

Have the CA sign the web server certificate (the v3.ext file lists the DNS names clients will use in the subjectAltName):

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=yuweibing.com
DNS.2=yuweibing
DNS.3=harbor
EOF

openssl x509 -req -sha512 -days 3650 \
 -extfile v3.ext \
 -CA ca.crt -CAkey ca.key -CAcreateserial \
 -in yuweibing.com.csr \
 -out yuweibing.com.crt

The output looks like this:

[root@harbor ssl]# openssl x509 -req -sha512 -days 3650 \
> -extfile v3.ext \
> -CA ca.crt -CAkey ca.key -CAcreateserial \
> -in yuweibing.com.csr \
> -out yuweibing.com.crt
Signature ok
subject=/C=SC/ST=CHENGDU/L=CHENGDU/O=example/OU=Personal/CN=yuweibnig.com
Getting CA Private Key
[root@harbor ssl]#
Modify the following parameters in the harbor.cfg configuration file:
hostname = yuweibing.com
ui_url_protocol = https
ssl_cert = /software/harbor/ssl/yuweibing.com.crt
ssl_cert_key = /software/harbor/ssl/yuweibing.com.key
secretkey_path = /software/harbor/ssl
Then run prepare:
./prepare
Then run install:
./install.sh
The output is as follows:
[root@harbor harbor]# ./prepare
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/core/env
Clearing the configuration file: ./common/config/core/app.conf
Clearing the configuration file: ./common/config/core/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/registryctl/env
Clearing the configuration file: ./common/config/registryctl/config.yml
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
Generated and saved secret to file: /software/harbor/ssl/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/core/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/registryctl/env
Generated configuration file: ./common/config/core/app.conf
Generated certificate, key file: ./common/config/core/private_key.pem, cert fil
The configuration files are ready, please use docker-compose to start the servi
[root@harbor harbor]# ls
common docker-compose.clair.yml docker-compose.yml docker-compose.chartmuseum.yml docker-compose.notary.yml harbor.cfg
[root@harbor harbor]# ./install.sh

[Step 0]: checking installation environment ...
Note: docker version: 1.13.1
Note: docker-compose version: 1.18.0

[Step 1]: loading Harbor images ...
Loaded image: goharbor/registry-photon:v2.6.2-v1.7.1
Loaded image: goharbor/harbor-migrator:v1.7.1
Loaded image: goharbor/harbor-adminserver:v1.7.1
Loaded image: goharbor/harbor-core:v1.7.1
Loaded image: goharbor/harbor-log:v1.7.1
Loaded image: goharbor/harbor-jobservice:v1.7.1
Loaded image: goharbor/notary-server-photon:v0.6.1-v1.7.1
Loaded image: goharbor/clair-photon:v2.0.7-v1.7.1
Loaded image: goharbor/harbor-portal:v1.7.1
Loaded image: goharbor/harbor-db:v1.7.1
Loaded image: goharbor/redis-photon:v1.7.1
Loaded image: goharbor/nginx-photon:v1.7.1
Loaded image: goharbor/harbor-registryctl:v1.7.1
Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.7.1
Loaded image: goharbor/chartmuseum-photon:v0.7.1-v1.7.1

[Step 2]: preparing environment ...
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/core/env
Clearing the configuration file: ./common/config/core/app.conf
Clearing the configuration file: ./common/config/core/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/registryctl/env
Clearing the configuration file: ./common/config/registryctl/config.yml
Clearing the configuration file: ./common/config/nginx/cert/yuweibing.com.crt
Clearing the configuration file: ./common/config/nginx/cert/yuweibing.com.key
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
loaded secret from file: /software/harbor/ssl/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/core/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/registryctl/env
Generated configuration file: ./common/config/core/app.conf
Generated certificate, key file: ./common/config/core/private_key.pem, cert fil
The configuration files are ready, please use docker-compose to start the servi

[Step 3]: checking existing instance of Harbor ...
Note: stopping existing Harbor instance ...
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-portal ... done
Stopping harbor-core ... done
Stopping registry ... done
Stopping harbor-adminserver ... done
Stopping registryctl ... done
Stopping redis ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-portal ... done
Removing harbor-core ... done
Removing registry ... done
Removing harbor-adminserver ... done
Creating harbor-log ... done
Removing redis ... done
Removing harbor-db ... done
Removing harbor-log ... done
Removing network harbor_harbor
Creating redis ... done
Creating harbor-core ... done

[Step 4]: starting Harbor ...
Creating harbor-portal ... done
Creating nginx ... done
Creating registryctl ...
Creating harbor-adminserver ...
Creating redis ...
Creating registry ...
Creating harbor-db ...
Creating harbor-core ...
Creating harbor-portal ...
Creating harbor-jobservice ...
Creating nginx ...

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at https://reg.yuweibing.com.
For more details, please visit https://github.com/goharbor/harbor .

[root@harbor harbor]# ./install.sh
Next, edit the hosts file on the Windows client machine to force resolution of the domain name reg.yuweibing.com:
192.168.1.44 reg.yuweibing.com
192.168.170.44 reg.yuweibing.com
After that you can enter the domain name reg.yuweibing.com on the Windows client and reach the Harbor web UI.
After logging in I found that the original user accounts and image data were all still there, which is nice.
Next, verify whether the docker client can pull images from Harbor normally:
[root@k8s1 ~]# docker login yuweibing.com
Username: ywb
Password:
Error response from daemon: Get https://yuweibing.com/v2/: x509: certificate signed by unknown authority
Authentication fails. The reason is that docker still needs the trust information for the domain yuweibing.com: the domain's certificate, private key and CA file have to be copied into docker's certificate directory /etc/docker/certs.d/yuweibing.com/. The steps are as follows:
Change into the ssl directory holding the key files generated above and run:

openssl x509 -inform PEM -in yuweibing.com.crt -out yuweibing.com.cert
cp yuweibing.com.cert /etc/docker/certs.d/yuweibing.com/
cp yuweibing.com.key /etc/docker/certs.d/yuweibing.com/
cp ca.crt /etc/docker/certs.d/yuweibing.com/

Likewise scp the three files generated above into /etc/docker/certs.d/yuweibing.com/ on every docker client that needs to log in to Harbor. Note that this directory has to be created first, and the hosts file on each docker client must also be edited to resolve yuweibing.com.
Verify again:
[root@k8s1 yuweibing.com]# docker login yuweibing.com
Username: ywb
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@k8s1 yuweibing.com]#
Verification succeeded!
Summary:
If Harbor is deployed over HTTP to save effort at install time, the docker client will still by default connect to the registry over a secure HTTPS connection, and switching it to HTTP requires changing the docker configuration on every client, which is a real hassle. So HTTPS is the way to go after all.
Switching from HTTP to HTTPS mainly means regenerating the CA certificate (the issuing authority) and the web server certificate (the Harbor server), and having the CA sign the server certificate. Then edit the harbor.cfg configuration file: point it at the server certificate files, change hostname from the IP address to the domain name, and run prepare and install again; the install script removes the previous docker-compose containers and recreates them on its own.
User accounts and image data are preserved after the reinstall.
Finally, don't forget to configure the Harbor server's certificate and key on the docker clients, and set up name resolution: if there is no DNS server to resolve the name, edit the hosts file on each docker client to resolve the domain name configured in Harbor.