
------------------------------------------------------------

-- 1. Install Python

------------------------------------------------------------

1) Install Python Dependencies

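# 1) Build dependencies for a from-source CPython build (CentOS 7 toolchain).
yum -y groupinstall "Development Tools"
yum -y install openssl-devel bzip2-devel libffi-devel wget

gcc --version
# Expected on CentOS 7: gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-39)

# 2) Download the CPython source archive and verify it before building.
#    The original page extracted with `tar -O`, which writes the archive
#    contents to stdout instead of into /opt; `-C` is the intended flag.
py_ver=3.8.3
py_tgz="Python-${py_ver}.tgz"
py_url="https://www.python.org/ftp/python/${py_ver}"

wget "${py_url}/${py_tgz}"
# Supply-chain check: python.org publishes a detached GPG signature (.asc)
# next to every archive. Import the release manager's public key (linked
# from the python.org downloads page) before running this, otherwise gpg
# cannot verify and the build must not proceed.
wget "${py_url}/${py_tgz}.asc"
gpg --verify "${py_tgz}.asc" "${py_tgz}" || { echo "signature check failed for ${py_tgz}" >&2; exit 1; }

tar xvf "${py_tgz}" -C /opt
cd "/opt/Python-${py_ver}" || exit 1

# 3) Build and install. `altinstall` installs python3.8/pip3.8 alongside the
#    system interpreter without replacing the `python3` that other packages
#    rely on.
./configure --enable-optimizations
make -j "$(nproc)" altinstall

# 4) Sanity check.
python3.8 --version
pip3.8 --version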

 

------------------------------------------------------------

-- 2. Install Docker Engine

------------------------------------------------------------

1) Uninstall old versions:

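# 1) Remove distro-packaged Docker so it does not conflict with docker-ce.
yum remove -y docker docker-common docker-selinux docker-engine

# 2) Prerequisites for the storage drivers and repo tooling.
yum install -y yum-utils device-mapper-persistent-data lvm2

# 3) Docker's stable repository. The .repo file is fetched over HTTPS and
#    should carry gpgcheck=1 with Docker's package-signing key, so yum
#    verifies every package; do not disable that.
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

# 4) Install Docker CE.
yum -y install docker-ce docker-ce-cli containerd.io

# 5) Fallback only if step 4 reports dependency errors (older CentOS 7 repos):
#    yum install -y --setopt=obsoletes=0 docker-ce docker-ce-selinux

# 6) Start the daemon now and at boot, then confirm.
#    (`newgrp docker` from the original page spawns a new shell and stops a
#    pasted script; root does not need a group change to talk to the daemon.)
systemctl enable --now docker
systemctl is-active docker
systemctl is-enabled docker
docker version

# Create the service account that will run Harbor.
# The original page passed `-p password` to useradd: -p expects an already
# hashed password, so a plaintext string produces an unusable hash, and the
# value lands in shell history either way. Set the password separately
# (passwd interactively, or chpasswd reading from a file / stdin).
groupadd -g 1001 -r harbor
useradd -c "Harbor" -u 1001 -g harbor -s /bin/bash -r harbor
passwd harbor

# Membership in the docker group is equivalent to root on this host (any
# member can bind-mount / into a container). The Harbor account needs it to
# drive docker-compose, so grant it deliberately and to nobody else.
# `usermod -aG docker root` from the original page is a no-op (root already
# controls the daemon) and was dropped.
usermod -aG docker harbor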

 

------------------------------------------------------------

-- 3. Install Docker Compose

------------------------------------------------------------

● Run this command to download the current stable release of Docker Compose

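# Download the Compose release binary and verify it against the SHA-256
# file published alongside it on the release page. The original page ran
# an unverified `curl` + `chmod +x` straight into /usr/local/bin — a binary
# that every Harbor operation afterwards executes as root.
compose_ver=1.25.5
compose_bin="docker-compose-$(uname -s)-$(uname -m)"
compose_url="https://github.com/docker/compose/releases/download/${compose_ver}"

curl -fsSL "${compose_url}/${compose_bin}" -o "/tmp/${compose_bin}"
curl -fsSL "${compose_url}/${compose_bin}.sha256" -o "/tmp/${compose_bin}.sha256"
# The .sha256 asset is "<hash>  <filename>", so check it from /tmp where the
# downloaded filename matches.
(cd /tmp && sha256sum -c "${compose_bin}.sha256") || { echo "docker-compose checksum mismatch" >&2; exit 1; }

install -m 0755 "/tmp/${compose_bin}" /usr/local/bin/docker-compose
ln -sf /usr/local/bin/docker-compose /usr/bin/docker-compose

# Bash completion. This file is shell code that gets sourced into root's
# shell, so it is pinned to the same release tag as the binary.
curl -fsSL "https://raw.githubusercontent.com/docker/compose/${compose_ver}/contrib/completion/bash/docker-compose" \
  -o /etc/bash_completion.d/docker-compose
# Source the file or re-login to pick up completion.
source /etc/bash_completion.d/docker-compose

# Test the installation. Expected output:
#   docker-compose version 1.25.5, build 8a1c60f6
docker-compose --version

# Upgrading
# The original page shows a truncated note here ("docker-compose 1.5.0").
# The upstream install docs say: when upgrading from Compose 1.2 or earlier,
# remove (or migrate) containers created by the old version before starting
# them with the new one, e.g.
#   docker container rm -f -v myapp_web_1 myapp_db_1 ...

# Uninstallation
# If installed with curl (this page) — remove the symlink too, otherwise it
# dangles:
#   rm -f /usr/local/bin/docker-compose /usr/bin/docker-compose
# If installed with pip:
#   pip uninstall docker-compose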

 

  docker image pull & tag

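# harbor docker image pull / save / load / tag / push
# -----------------------------------------------------
# One image list drives every step below. The original page repeated the
# list five times and its `docker save` copy listed notary-server-photon
# twice; a single array keeps the bundle, the tags and the pushes in step.
harbor_ver=v2.0.0
registry=${REGISTRY:-registry.test.paas}
harbor_images=(
  harbor-log
  registry-photon
  harbor-registryctl
  harbor-db
  harbor-core
  harbor-portal
  harbor-jobservice
  redis-photon
  nginx-photon
  notary-server-photon
  notary-signer-photon
  clair-photon
  clair-adapter-photon
  chartmuseum-photon
)

# Pull from Docker Hub. Tags are mutable: after pulling, record the digests
# (`docker images --digests 'goharbor/*'`) so the offline bundle and what
# ends up in the private registry can be checked against what was reviewed.
for img in "${harbor_images[@]}"; do
  docker pull "goharbor/${img}:${harbor_ver}"
done

# Save to a single tarball for transfer to the air-gapped host.
save_args=()
for img in "${harbor_images[@]}"; do
  save_args+=("goharbor/${img}:${harbor_ver}")
done
docker save -o harbor-images.tar "${save_args[@]}"

# Load on the target host.
docker load -i harbor-images.tar

# Re-tag for the private registry (library project) and push.
for img in "${harbor_images[@]}"; do
  docker tag "goharbor/${img}:${harbor_ver}" "${registry}/library/${img}:${harbor_ver}"
  docker push "${registry}/library/${img}:${harbor_ver}"
done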

 

vi /opt/harbor/docker-compose.yml

=> edit the image tags so each service references the pushed registry.test.paas/library/... image. Note that docker-compose.yml is regenerated from harbor.yml by ./prepare (see the reconfigure step later on this page), so this edit is presumably lost on the next prepare run — repeat it, or change the image names at the source of the generation.

 

------------------------------------------------------------

-- 4. Download the Harbor Installer

------------------------------------------------------------

* Online installer: The online installer downloads the Harbor images from Docker hub. For this reason, the installer is very small in size.

* Offline installer: Use the offline installer if the host to which are are deploying Harbor does not have a connection to the Internet.

  The offline installer contains pre-built images, so it is larger than the online installer.

 

● Download and Unpack the Installer

https://github.com/goharbor/harbor/releases

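# The offline bundle ships the images (see the image list earlier on this
# page); the online installer pulls them from Docker Hub at install time.
#wget https://github.com/goharbor/harbor/releases/download/v2.0.0/harbor-offline-installer-v2.0.0.tgz
harbor_ver=v2.0.0
installer="harbor-online-installer-${harbor_ver}.tgz"
wget "https://storage.googleapis.com/harbor-releases/release-2.0.0/${installer}"

# Supply-chain check: the Harbor GitHub release page publishes a detached
# signature (<installer>.asc) for each installer tarball. Import the Harbor
# release signing key listed there before running this — an unverified
# tarball is an installer you are about to run as root.
wget "https://github.com/goharbor/harbor/releases/download/${harbor_ver}/${installer}.asc"
gpg --verify "${installer}.asc" "${installer}" || { echo "signature check failed for ${installer}" >&2; exit 1; }

# Unpack straight into /opt (the archive's top-level directory is `harbor`).
# The original page extracted into the cwd and then ran `mv /app/harbor /opt`,
# which only works when that cwd happened to be /app.
tar xvf "${installer}" -C /opt
ls -l /opt
# expected entry:  root docker   94 Jun  2 10:58 harbor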

 

------------------------------------------------------------

-- 5. Registry disk setting (optional)

------------------------------------------------------------

● partitioning disk

------------------------------------------------------------

fdisk -l

 

fdisk /dev/sdb

  Welcome to fdisk (util-linux 2.23.2).

  Changes will remain in memory only, until you decide to write them.

  Be careful before using the write command.

  Device does not contain a recognized partition table

  Building a new DOS disklabel with disk identifier 0xf3f4d873.

 

  Command (m for help): n

  Partition type:

 p   primary (0 primary, 0 extended, 4 free)

 e   extended

  Select (default p): p

  Partition number (1-4, default 1):

  First sector (2048-209715199, default 2048):

  Using default value 2048

  Last sector, +sectors or +size{K,M,G} (2048-209715199, default 209715199):

  Using default value 209715199

  Partition 1 of type Linux and of size 100 GiB is set

 

  Command (m for help): p

  Disk /dev/sdb: 107.4 GB, 107374182400 bytes, 209715200 sectors   (the transcript originally read /dev/sdc here, but the disk opened above and used for pvcreate below is /dev/sdb)

  Units = sectors of 1 * 512 = 512 bytes

  Sector size (logical/physical): 512 bytes / 512 bytes

  I/O size (minimum/optimal): 512 bytes / 512 bytes

  Disk label type: dos

  Disk identifier: 0xf3f4d873

 Device Boot      Start         End      Blocks   Id  System

  /dev/sdb1            2048   209715199   104856576   83  Linux

 

  Command (m for help): t

  Selected partition 1

  Hex code (type L to list all codes): 8e

  Changed type of partition 'Linux' to 'Linux LVM'

 

  Command (m for help): w

  The partition table has been altered!

 

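yum install -y lvm2
fdisk -l

# LVM on the partition created above (type 8e).
pvcreate /dev/sdb1
vgcreate registry-vg /dev/sdb1
lvcreate -n registry-lv -l 100%FREE registry-vg

registry_lv=/dev/mapper/registry--vg-registry--lv

# Make the filesystem exactly once. The original page ran mkfs.xfs twice
# (the second time with -f), which just re-formatted the volume it had
# created a moment earlier. ext4 alternative, if preferred:
#   mkfs.ext4 "${registry_lv}"
mkfs.xfs -f -s size=4k "${registry_lv}"

# `fsck -y` is a no-op on XFS (fsck.xfs does nothing); a consistency check
# on an unmounted XFS volume is `xfs_repair -n`.
xfs_repair -n "${registry_lv}"

mkdir -p /harbor-data
mount "${registry_lv}" /harbor-data

# Persist the mount. nosuid,nodev are safe for a pure data volume (registry
# blobs, database files) and stop anything written into it from being used
# as a setuid binary or device node on the host; `nofail` keeps the host
# bootable if the volume is missing. ext4 variant for reference:
#   /dev/mapper/registry--vg-registry--lv  /harbor-data  ext4  defaults  0 0
printf '%s  /harbor-data  xfs  defaults,nosuid,nodev,nofail  0 0\n' "${registry_lv}" >> /etc/fstab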

 

● install NFS Server

------------------------------------------------------------

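yum install -y nfs-utils libnfsidmap

# rpcbind/statd/idmapd are only needed for NFSv3 clients; NFSv4 multiplexes
# everything over 2049.
systemctl enable --now rpcbind
systemctl enable --now nfs-server
systemctl start rpc-statd
systemctl start nfs-idmapd
# `nfs.service` is an alias of nfs-server on CentOS 7 and `chkconfig nfs on`
# is the SysV spelling of the same enable; both are redundant after the
# lines above and were dropped from this listing.

# Export directories. all_squash maps every client uid to nfsnobody, which
# is why the directories are owned by nfsnobody.
for d in registry db-data; do
  mkdir -p "/harbor-data/${d}"
  chmod 750 "/harbor-data/${d}"
  chown nfsnobody:nfsnobody "/harbor-data/${d}"
done

# The original page exported both paths as `*(rw,async,all_squash)`:
#  - `*` lets any host that can reach port 2049 mount the registry blobs and
#    the PostgreSQL data read-write. Restrict to the Harbor host(s).
#  - `async` acknowledges writes before they reach disk; for registry layers
#    and database files that turns a crash into silent corruption. Use sync.
# Set CLIENT_NET to the CIDR (or hostname) of the NFS client(s) before
# running this; the expansion aborts if it is unset.
client_net=${CLIENT_NET:?set CLIENT_NET to the NFS client CIDR (the Harbor host subnet)}
cat >> /etc/exports <<EOF
/harbor-data/registry ${client_net}(rw,sync,all_squash)
/harbor-data/db-data ${client_net}(rw,sync,all_squash)
EOF
exportfs -a
# Notes:
#  - the client step later on this page mounts registry.test.paas:/harbor-data,
#    which is not itself exported here — mount the exported subdirectories
#    (or export /harbor-data with fsid=0 as an NFSv4 pseudo-root) so the two
#    agree.
#  - running PostgreSQL (db-data) on NFS is fragile (locking and fsync
#    semantics); keep the database on local disk unless sync writes are
#    guaranteed end to end.

# Let containers use NFS-backed bind mounts under SELinux. Apply on both the
# NFS server and every client running Harbor.
setsebool -P virt_use_nfs on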

 

● configure NFS server firewall

-------------------------------------------------------------

# add-service

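# add-service
firewall-cmd --permanent --zone public --add-service mountd
firewall-cmd --permanent --zone public --add-service rpc-bind
firewall-cmd --permanent --zone public --add-service nfs
firewall-cmd --reload

# add-port (apply on both server and client)
# 2049 (nfs), 111 (rpcbind) and 20048 (mountd) are fixed. 53248 and 50825
# in the original page are whatever ports rpc.statd / lockd happened to be
# assigned at the time; they change on reboot, so either pin them (CentOS 7
# takes the port settings from /etc/sysconfig/nfs — confirm the variable
# names for your release) or use NFSv4 only, which needs just 2049/tcp and
# none of the rpcbind/mountd/statd/lockd ports.
firewall-cmd --permanent --zone=public --add-port=53248/tcp
firewall-cmd --permanent --zone=public --add-port=50825/tcp
firewall-cmd --permanent --zone=public --add-port=20048/tcp
firewall-cmd --permanent --zone=public --add-port=2049/tcp
firewall-cmd --permanent --zone=public --add-port=111/tcp
firewall-cmd --reload

# Opening these in the public zone exposes the export to every network
# behind that interface. If /etc/exports still uses `*`, a rich rule is the
# only thing limiting who can reach rpcbind/mountd/nfs:
#   firewall-cmd --permanent --zone=public \
#     --add-rich-rule='rule family="ipv4" source address="<client-cidr>" service name="nfs" accept'

exportfs -r
exportfs -v

# client)
# NFSv4 is requested explicitly so the mount does not fall back to v3 and
# the rpcbind ports above. The path must be one the server actually exports
# (this page exports subdirectories of /harbor-data, not /harbor-data itself).
mount -t nfs -o nfsvers=4 registry.test.paas:/harbor-data /mnt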

 

------------------------------------------------------------

-- 6. Configure HTTPS Access to Harbor

------------------------------------------------------------

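# Private keys are created owner-only from the start (openssl honours
# umask); the original page left every .key world-readable.
umask 077
mkdir -p ./openssl
cd openssl || exit 1

harbor_host=registry.test.paas
subj_base="/C=KR/ST=Seoul/L=Seoul/O=freedream/OU=IT Department"

# Generate a Certificate Authority Certificate
# 1) CA private key. `-nodes` below leaves it unencrypted on disk. It is the
#    trust root for every Docker client that imports ca.crt, so move it off
#    the Harbor host (and off any NFS share) once the server cert is signed.
openssl genrsa -out ca.key 4096

# 2) Self-signed CA certificate. The CA gets its own CN so chains stay
#    readable (issuer != subject on the leaf); the original used
#    registry.test.paas for both CA and server, which works but is easy to
#    misread when debugging.
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "${subj_base}/CN=freedream Harbor CA" \
  -key ca.key \
  -out ca.crt

# Generate a Server Certificate
# 1) Server private key
openssl genrsa -out "${harbor_host}.key" 4096

# 2) Certificate signing request (CSR)
openssl req -sha512 -new \
  -subj "${subj_base}/CN=${harbor_host}" \
  -key "${harbor_host}.key" \
  -out "${harbor_host}.csr"

# 3) x509 v3 extension file. Modern clients (Docker included) match the SAN
#    list, not the CN, so every name the registry is reached by goes here.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=${harbor_host}
DNS.2=registry
DNS.3=harbor.test.paas
EOF

# 4) Sign the server certificate with the CA
openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in "${harbor_host}.csr" \
    -out "${harbor_host}.crt"

# Provide the Certificates to Harbor and Docker
# 1) Server certificate and key where harbor.yml (https.certificate /
#    https.private_key) expects them.
umask 022
mkdir -p /harbor-data/cert/
# nfs) If /harbor-data is the NFS export from earlier on this page: exporting
#      this directory puts the registry's private key on the network share,
#      and anyone who can mount it can impersonate the registry. Prefer a
#      local, unexported directory for the key, or restrict the export to
#      the Harbor host only.
chmod 750 /harbor-data/cert
chown nfsnobody:nfsnobody /harbor-data/cert
#   /etc/exports:  /harbor-data/cert <harbor-host>(rw,sync,all_squash)
#   exportfs -a

cp "${harbor_host}.crt" /harbor-data/cert/
cp "${harbor_host}.key" /harbor-data/cert/
chmod 600 "/harbor-data/cert/${harbor_host}.key"

# 2) Docker wants the server cert with a .cert extension; this is a PEM copy.
openssl x509 -inform PEM -in "${harbor_host}.crt" -out "${harbor_host}.cert"
# openssl x509 -inform PEM -in ca.crt -out ca.cert

# 3) Docker client trust. /etc/docker/certs.d/<host>/ is read by the Docker
#    client: ca.crt is what it verifies the registry against, and a
#    .cert/.key pair placed there is presented as a *client* certificate for
#    mutual TLS. The original page copied the server's private key into both
#    directories, which hands the key to every local Docker user for no
#    benefit — the server key belongs only in /harbor-data/cert. For a
#    one-way TLS registry only the CA is needed here.
for certs_dir in "/etc/docker/certs.d/${harbor_host}" "/etc/docker/certs.d/${harbor_host}:443"; do
  mkdir -p "${certs_dir}"
  cp ca.crt "${certs_dir}/ca.crt"
done

# System trust store (curl, notary client, ...). Anchor the CA, not the leaf:
# the original page added registry.test.paas.crt as an anchor, which trusts
# that single certificate and has to be redone at every renewal.
cp ca.crt "/etc/pki/ca-trust/source/anchors/${harbor_host}-ca.crt"
update-ca-trust

# Restart Docker Engine so it re-reads certs.d.
systemctl restart docker
systemctl status docker

# Resulting layout:
# /etc/docker/certs.d/
#     └── yourdomain.com:port
#         └── ca.crt    <-- certificate authority that signed the registry certificate
#         (yourdomain.com.cert / yourdomain.com.key go here only when the
#          registry requires client certificates)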

 

------------------------------------------------------------

-- 7. Configure Internal TLS communication between Harbor Component

------------------------------------------------------------

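# Harbor's internal_tls dir (harbor.yml: internal_tls.dir) holds a private CA
# (harbor_internal_ca.crt) plus one cert/key per component; going by the file
# names Harbor expects, harbor_internal_ca.crt is the trust anchor the
# components verify each other against. Two things in the original page
# break that:
#  1. harbor_internal_ca.crt was signed by the external CA using v3.ext,
#     whose basicConstraints=CA:FALSE, so it cannot act as a CA — and the
#     component certs were signed by ca.crt anyway, so they do not chain to
#     harbor_internal_ca.crt at all.
#  2. every component cert reused v3.ext, so each carried the registry's SAN
#     (registry.test.paas, ...) instead of its own service name; with a SAN
#     present the CN is ignored, so peer hostname verification fails.
# This version builds a real internal CA and gives each component a SAN of
# its own. (The `cat.crt`/`cat.key` copies in the original were typos for
# ca.crt/ca.key and are not needed here.)
umask 077
tls_dir=/harbor-data/tls/cert
mkdir -p "${tls_dir}"
# nfs) if /harbor-data is the NFS export: the same private-key warning as
#      for /harbor-data/cert applies — restrict the export or keep keys local.
chmod 750 /harbor-data/tls
chown nfsnobody:nfsnobody /harbor-data/tls
#   /etc/exports:  /harbor-data/tls <harbor-host>(rw,sync,all_squash)
#   exportfs -a

cd "${tls_dir}" || exit 1
subj_base="/C=KR/ST=Seoul/L=Seoul/O=freedream/OU=IT Department"

# 1) harbor_internal_ca — self-signed (req -x509 adds CA:TRUE).
openssl genrsa -out harbor_internal_ca.key 4096
openssl req -x509 -new -sha512 -days 3650 \
  -subj "${subj_base}/CN=harbor_internal_ca" \
  -key harbor_internal_ca.key \
  -out harbor_internal_ca.crt

# 2..13) one leaf per component: "<file stem> <dns name>". The stem is the
# file name Harbor looks for; the second field is the name the component is
# reached by on the compose network. Both are put in the SAN because the
# file names use underscores while the image names on this page
# (harbor-jobservice, notary-server-photon, clair-adapter-photon, ...)
# suggest hyphenated hostnames — TODO(review): confirm the service names
# against the generated docker-compose.yml and drop the wrong form.
components=(
  "core core"
  "job_service jobservice"
  "proxy proxy"
  "portal portal"
  "registry registry"
  "registryctl registryctl"
  "notary_server notary-server"
  "notary_signer notary-signer"
  "trivy_adapter trivy-adapter"
  "clair clair"
  "clair_adapter clair-adapter"
  "chartmuseum chartmuseum"
)
for entry in "${components[@]}"; do
  read -r stem host <<<"${entry}"
  san="DNS:${stem}"
  if [[ "${host}" != "${stem}" ]]; then
    san="${san},DNS:${host}"
  fi
  # clientAuth is included because components also act as TLS clients to
  # each other; harmless if Harbor only checks serverAuth.
  cat > "${stem}.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = ${san}
EOF
  openssl genrsa -out "${stem}.key" 4096
  openssl req -sha512 -new -subj "${subj_base}/CN=${stem}" \
    -key "${stem}.key" -out "${stem}.csr"
  openssl x509 -req -sha512 -days 3650 -extfile "${stem}.ext" \
    -CA harbor_internal_ca.crt -CAkey harbor_internal_ca.key -CAcreateserial \
    -in "${stem}.csr" -out "${stem}.crt"
  rm -f "${stem}.csr" "${stem}.ext"
done
# Harbor's containers run as uid 10000 (see the db-data/secret/tls step later
# on this page); keys must be readable by that uid and nobody else.
chown -R 10000:10000 "${tls_dir}"
chmod 600 "${tls_dir}"/*.key

# Alternative: let Harbor's prepare image generate the whole set. Mount only
# the target directory — the original page bind-mounted the host's entire
# root filesystem (`-v /:/harbor-data`) into the container.
# offline docker images save
#   docker save -o goharbor.tar goharbor/prepare:v2.0.0
# docker run --rm -v "${tls_dir}:/hostfs/cert" goharbor/prepare:v2.0.0 gencert -p /hostfs/cert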

 

------------------------------------------------------------

-- 8. Configure the Harbor YML File

------------------------------------------------------------

● Configure the Harbor YML File

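# Configure the Harbor YML File
# Absolute path: the original `cd harbor` only works when the cwd is /opt.
cd /opt/harbor || exit 1
# Start from the shipped template; harbor.yml is what ./prepare reads.
cp harbor.yml.tmpl harbor.yml
# vi harbor.yml   — the settings changed for this install are shown below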

------------------------------------------------------------

hostname: registry.test.paas
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  # NOTE(review): /harbor-data is exported over NFS earlier on this page; a
  # private key on a share any host can mount can be read by any of those
  # hosts. Keep the key on local disk or restrict the export to this host.
  certificate: /harbor-data/cert/registry.test.paas.crt
  private_key: /harbor-data/cert/registry.test.paas.key

# enable tls communication between all harbor components
internal_tls:
#   # set enabled to true means internal tls is enabled
  enabled: true
#   # put your cert and key files on dir
#   # (harbor_internal_ca.crt plus one <component>.crt/.key per service)
  dir: /harbor-data/tls/cert

# Initial admin password. Harbor12345 is the template default and is
# printed on this page and in the docs; change it here before the first
# ./prepare, or at first login — it is only applied on initial start.
harbor_admin_password: Harbor12345

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  # (root123 is the template default.)
  password: root123
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 50
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 100 for postgres.
  max_open_conns: 100

# The default data volume
# NOTE(review): data_volume is Harbor's root data directory (registry
# storage, database and more are created beneath it); pointing it at the
# db-data subdirectory is unusual — confirm /harbor-data/db-data rather than
# /harbor-data is intended.
data_volume: /harbor-data/db-data

# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#   # of registry's and chart repository's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
#   ca_bundle:

#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disabled: false
...
# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor

------------------------------------------------------------

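# Certificate for the Harbor database. Subject kept consistent with the rest
# of this page (the original used O=INSoft/OU=Cloud Department here,
# presumably pasted from another environment).
umask 077
cd /opt/openssl || exit 1
subj_base="/C=KR/ST=Seoul/L=Seoul/O=freedream/OU=IT Department"
openssl genrsa -out harbor_db.key 4096
openssl req -sha512 -new -subj "${subj_base}/CN=harbor_db" -key harbor_db.key -out harbor_db.csr
# Signed by the external CA with the registry's v3.ext, as on the original
# page. NOTE(review): that gives this cert the registry's SAN, not harbor_db;
# if the client side verifies the database hostname it will need its own
# ext file with subjectAltName=DNS:<db hostname> — confirm the name the db
# is reached by before relying on this.
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor_db.csr -out harbor_db.crt

db_tls_dir=/harbor-data/db-data/secret/tls
mkdir -p "${db_tls_dir}"
cp harbor_db.crt "${db_tls_dir}/"
cp harbor_db.key "${db_tls_dir}/"
# The CSR is not needed at runtime and is no longer copied.
# The db container runs as uid 10000; the key must not be readable by others.
chown -R 10000:10000 "${db_tls_dir}"
chmod 600 "${db_tls_dir}/harbor_db.key"

# Watch the registry log while bringing Harbor up (log.local.location in harbor.yml).
tail -f /var/log/harbor/registry.log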

 

------------------------------------------------------------

-- 9. Run the Installer Script

------------------------------------------------------------

1) Default installation without Notary, Clair, or Chart Repository Service

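cd /opt/harbor || exit 1

# Connecting to Harbor via HTTP
# The original page put this in /etc/docker/daemon.json:
#   { "insecure-registries" : ["myregistrydomain.com:5000", "0.0.0.0"] }
# Every host listed there is contacted over plain HTTP or with TLS
# verification disabled, which silently bypasses the CA/cert work from the
# HTTPS section for that host; "0.0.0.0" matches only a registry literally
# addressed as 0.0.0.0, so it does nothing useful. This page enables HTTPS
# in harbor.yml, so no insecure-registries entry is needed — leave
# daemon.json alone, or list only genuine HTTP-only test registries by exact
# host:port. If you do edit it, validate the JSON before restarting the
# daemon, e.g.:
#   python3.8 -m json.tool /etc/docker/daemon.json

# Default installation without Notary, Clair, or Chart Repository Service.
# install.sh runs ./prepare itself (renders docker-compose.yml and the
# component configs from harbor.yml) and then starts the stack.
./install.sh
# https://registry.test.paas — log in as admin with harbor_admin_password
# from harbor.yml (Harbor12345 if the template default was left in place;
# change it at first login).

# Push a first image (replace reg.yourdomain.com with the hostname from
# harbor.yml). docker login prompts for the password; do not pass it as an
# argument, it would end up in shell history.
docker login reg.yourdomain.com
docker push reg.yourdomain.com/myproject/myrepo:mytag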

 

2) Installation with Notary, Clair, and Chart Repository Service

cd /opt/harbor

# Render the configuration for the optional services, then install with the
# same flags. (install.sh runs prepare itself; calling it first lets you
# inspect the generated docker-compose.yml before anything starts.)
./prepare --with-notary --with-clair --with-chartmuseum
./install.sh --with-notary --with-clair --with-chartmuseum

# If Harbor is already running, stop and remove the existing instance.
# `-v` also removes compose-managed (anonymous) volumes; data under
# data_volume in harbor.yml is bind-mounted from the host and stays.
docker-compose down -v

# 3) Restart Harbor — pick whichever is needed
docker-compose stop
docker-compose start
docker-compose restart

# 4) Reconfigure Harbor
docker-compose down -v          # stop Harbor
vim harbor.yml                  # update the configuration
./prepare                       # regenerate docker-compose.yml and the component configs
docker-compose up -d            # start Harbor
docker-compose ps

# Remove stopped service containers (only affects containers that are not running).
docker-compose rm -f

 

5) Verify the HTTPS Connection

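# 5) Verify the HTTPS Connection
# Open the port first — the original page verified before opening 443, so a
# check from any other host would have failed until the last command ran.
# 80/tcp is only needed if http.port in harbor.yml should keep redirecting
# to https.
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --reload

# Docker re-reads /etc/docker/certs.d on restart.
systemctl restart docker
systemctl status docker

# Browser:  https://registry.test.paas   (admin / the harbor_admin_password from harbor.yml)
# Command-line check of the certificate nginx presents — subject and issuer
# should match the CA and server certs generated in the HTTPS section:
openssl s_client -connect registry.test.paas:443 -servername registry.test.paas </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates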

 

6) Harbor management

# harbor console
#   https://registry.test.paas   — admin / Harbor12345 (template default)

# create harbor user
#   Harbor console > Administration > User > New User, then "Set as Admin"
#   to grant the administrator role. The original page gave the new account
#   the same Harbor12345 as admin — give every account its own password.

# docker login to registry — prompts for the password; do not pass it on the
# command line (it would land in shell history and `ps` output).
docker login registry.test.paas
#   user: harbor   password: (the one set in the console above)

# Round-trip an image through the registry.
img=nginx:latest
docker pull "${img}"
docker tag "${img}" "registry.test.paas/library/${img}"
docker push "registry.test.paas/library/${img}"

# docker image pull from registry — remove the local copies first to prove
# the pull really comes from Harbor:
# docker rmi "${img}"
# docker rmi "registry.test.paas/library/${img}"
docker pull "registry.test.paas/library/${img}"
