使用docker-compose安装harbor

先决条件：

• 安装docker
• 安装docker-compose

安装参考

下载并解压

wget -c https://github.com/goharbor/harbor/releases/download/v2.3.5/harbor-offline-installer-v2.3.5.tgz

tar -zxvf harbor-offline-installer-v2.3.5.tgz

cd harborcp harbor.yml.tmpl harbor.yml

修改密码

按照图中红线，修改配置文件中的hostname,http.port,harbor_admin_password，并将https的配置注释掉，然后运行./prepare,./install.sh等待后即可安装成功。

对接containerd，配置https

在containerd使用harbor时，需要支持harbor的https端口，所以我们在containerd中使用harbor私库时，需要在harbor中配置https。

生成证书以hostname为harbor.jdragon.club为例

mkdir -p /data/cert/
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.jdragon.club" \
 -key ca.key \
 -out ca.crt


openssl genrsa -out harbor.jdragon.club.key 4096
openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.jdragon.club" \
    -key harbor.jdragon.club.key \
    -out harbor.jdragon.club.csr


cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor.jdragon.club
DNS.2=harbor.jdragon
DNS.3=localhost
EOF

openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in harbor.jdragon.club.csr \
    -out harbor.jdragon.club.crt


openssl x509 -inform PEM -in harbor.jdragon.club.crt -out harbor.jdragon.club.cert

执行以上指令后，会产生多个证书相关文件，最终harbor使用到的有以harbor.jdragon.club.cert与harbor.jdragon.club.key文件(最终以你配置的hostname为主)。

若按照文中将文件生成到/data/cert下(因为harbor的docker-compose中直接挂载的/data)，则不需要改动，直接编辑第一步安装harbor时的所修改的配置文件harbor.yml，将https.certificate与https.private_key修改后。执行./prepare,./install.sh后无报错即可。

而containerd在harbor的基础上还需要ca.crt文件。将文件放在所有containerd服务节点上的/etc/containerd/certs.d/hostname:port文件夹中。本文将三个文件放入/etc/containerd/certs.d/harbor.jdragon.club:11843中。

执行containerd config default > /etc/containerd/config.toml获取默认配置文件，在此基础上进行修改。vim /etc/containerd/config.toml

## containerd配置私有harbor和国内镜像
   [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = ""
      [plugins."io.containerd.grpc.v1.cri".registry.auths]
      [plugins."io.containerd.grpc.v1.cri".registry.configs]
        [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.jdragon.club".tls]
          insecure_skip_verify = true
        [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.jdragon.club".auth]
          username = "admin"
          password = "zhjl951753"
      [plugins."io.containerd.grpc.v1.cri".registry.headers]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
            endpoint = ["https://docker.mirrors.ustc.edu.cn","http://hub-mirror.c.163.com"]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."gcr.io"]
            endpoint = ["https://gcr.mirrors.ustc.edu.cn"]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
            endpoint = ["https://gcr.mirrors.ustc.edu.cn/google-containers"]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]
            endpoint = ["https://quay.mirrors.ustc.edu.cn"]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.jdragon.club"]
            endpoint = ["https://harbor.jdragon.club"]

重启containerdsystemctl daemon-reload && systemctl restart containerd.service

安装nerdctl

wget https://github.com/containerd/nerdctl/releases/download/v1.1.0/nerdctl-1.1.0-linux-amd64.tar.gz
tar -zxvf nerdctl-1.1.0-linux-amd64.tar.gz
mv nerdctl /usr/local/bin/

使用nerdctl登录harbor
nerdctl login -u admin harbor.jdragon.club:11843

参考

harbor官方文档https配置