------------------------------------------------------------
-- 1. Install Python
------------------------------------------------------------
1) Install Python Dependencies
yum -y groupinstall "Development Tools"
yum -y install openssl-devel bzip2-devel libffi-devel
gcc --version
gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-39)
2) Download latest Python 3.8 Archive
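yum -y install wget
wget https://www.python.org/ftp/python/3.8.3/Python-3.8.3.tgz
# Check the archive against the signature or checksum published on the python.org
# release page before building it as root.
# -C selects the extraction directory; -O would send file contents to stdout
# and leave nothing under /opt.
tar xvf Python-3.8.3.tgz -C /opt
cd /opt/Python-3.8.3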
3) Install Python 3.8
./configure --enable-optimizations
make altinstall
4) Check Python 3.8
python3.8 --version
pip3.8 --version
------------------------------------------------------------
-- 2. Install Docker Engine
------------------------------------------------------------
1) Uninstall old versions:
yum remove docker docker-common docker-selinux docker-engine
2) Install Prereqs
yum install -y yum-utils device-mapper-persistent-data lvm2
3) Setup stable repo
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
4) Install Docker CE
yum -y install docker-ce docker-ce-cli containerd.io
5) If you get dependency errors, then run
yum install -y --setopt=obsoletes=0 docker-ce docker-ce-selinux
6) Start and enable docker service
# Either of the next two lines starts the service now and enables it at boot; one is enough.
systemctl start docker && systemctl enable docker
systemctl enable --now docker
# Confirm the service is running and enabled.
systemctl is-active docker
systemctl is-enabled docker
# newgrp opens a new shell whose primary group is docker.
newgrp docker
docker version
# Members of the docker group can drive the Docker daemon, which is root-equivalent
# on this host. root already has that access, so this line adds nothing.
usermod -aG docker root
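# Create Harbor User
groupadd -g 1001 -r harbor
# useradd -p expects an already-hashed value (crypt(3) format) and exposes it in the
# process list and shell history. Create the account without a password and set one
# interactively instead.
useradd -c "Harbor" -u 1001 -g harbor -s /bin/bash -r harbor
passwd harbor
# Membership of the docker group lets this account control the Docker daemon,
# which is root-equivalent on this host.
usermod -aG docker harbor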
------------------------------------------------------------
-- 3. Install Docker Compose
------------------------------------------------------------
● Run this command to download the current stable release of Docker Compose
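# -f makes curl fail on an HTTP error instead of saving the error page as the binary.
curl -fL "https://github.com/docker/compose/releases/download/1.25.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# Compare the downloaded file with the checksum published alongside the release
# before marking it executable.
chmod +x /usr/local/bin/docker-compose
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose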
● install command completion for the bash
curl -L https://raw.githubusercontent.com/docker/compose/1.25.5/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose
# Source the file or re-login to enjoy completion feature.
source /etc/bash_completion.d/docker-compose
● Test the installation.
docker-compose --version
docker-compose version 1.25.5, build 8a1c60f6
● Upgrading
docker-compose 1.5.0
docker container rm -f -v myapp_web_1 myapp_db_1 ...
● Uninstallation
# To uninstall Docker Compose if you installed using curl
rm /usr/local/bin/docker-compose
# To uninstall Docker Compose if you installed using pip
pip uninstall docker-compose
● docker image pull & tag
# harbor docker image pull
-----------------------------------------------------
docker pull goharbor/harbor-log:v2.0.0
docker pull goharbor/registry-photon:v2.0.0
docker pull goharbor/harbor-registryctl:v2.0.0
docker pull goharbor/harbor-db:v2.0.0
docker pull goharbor/harbor-core:v2.0.0
docker pull goharbor/harbor-portal:v2.0.0
docker pull goharbor/harbor-jobservice:v2.0.0
docker pull goharbor/redis-photon:v2.0.0
docker pull goharbor/nginx-photon:v2.0.0
docker pull goharbor/notary-server-photon:v2.0.0
docker pull goharbor/notary-signer-photon:v2.0.0
docker pull goharbor/clair-photon:v2.0.0
docker pull goharbor/clair-adapter-photon:v2.0.0
docker pull goharbor/chartmuseum-photon:v2.0.0
# harbor docker image save
-----------------------------------------------------
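# Bundle every pulled Harbor image into one archive for transfer to an offline host.
# Each image is listed once (notary-server-photon was previously listed twice).
docker save -o harbor-images.tar \
goharbor/harbor-log:v2.0.0 \
goharbor/registry-photon:v2.0.0 \
goharbor/harbor-registryctl:v2.0.0 \
goharbor/harbor-db:v2.0.0 \
goharbor/harbor-core:v2.0.0 \
goharbor/harbor-portal:v2.0.0 \
goharbor/harbor-jobservice:v2.0.0 \
goharbor/redis-photon:v2.0.0 \
goharbor/nginx-photon:v2.0.0 \
goharbor/notary-server-photon:v2.0.0 \
goharbor/notary-signer-photon:v2.0.0 \
goharbor/clair-photon:v2.0.0 \
goharbor/clair-adapter-photon:v2.0.0 \
goharbor/chartmuseum-photon:v2.0.0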
# harbor docker image load
-----------------------------------------------------
docker load -i harbor-images.tar
# harbor docker image tag
-----------------------------------------------------
docker tag goharbor/harbor-log:v2.0.0 registry.test.paas/library/harbor-log:v2.0.0
docker tag goharbor/registry-photon:v2.0.0 registry.test.paas/library/registry-photon:v2.0.0
docker tag goharbor/harbor-registryctl:v2.0.0 registry.test.paas/library/harbor-registryctl:v2.0.0
docker tag goharbor/harbor-db:v2.0.0 registry.test.paas/library/harbor-db:v2.0.0
docker tag goharbor/harbor-core:v2.0.0 registry.test.paas/library/harbor-core:v2.0.0
docker tag goharbor/harbor-portal:v2.0.0 registry.test.paas/library/harbor-portal:v2.0.0
docker tag goharbor/harbor-jobservice:v2.0.0 registry.test.paas/library/harbor-jobservice:v2.0.0
docker tag goharbor/redis-photon:v2.0.0 registry.test.paas/library/redis-photon:v2.0.0
docker tag goharbor/nginx-photon:v2.0.0 registry.test.paas/library/nginx-photon:v2.0.0
docker tag goharbor/notary-server-photon:v2.0.0 registry.test.paas/library/notary-server-photon:v2.0.0
docker tag goharbor/notary-signer-photon:v2.0.0 registry.test.paas/library/notary-signer-photon:v2.0.0
docker tag goharbor/clair-photon:v2.0.0 registry.test.paas/library/clair-photon:v2.0.0
docker tag goharbor/clair-adapter-photon:v2.0.0 registry.test.paas/library/clair-adapter-photon:v2.0.0
docker tag goharbor/chartmuseum-photon:v2.0.0 registry.test.paas/library/chartmuseum-photon:v2.0.0
# harbor docker image push to registry
-----------------------------------------------------
docker push registry.test.paas/library/harbor-log:v2.0.0
docker push registry.test.paas/library/registry-photon:v2.0.0
docker push registry.test.paas/library/harbor-registryctl:v2.0.0
docker push registry.test.paas/library/harbor-db:v2.0.0
docker push registry.test.paas/library/harbor-core:v2.0.0
docker push registry.test.paas/library/harbor-portal:v2.0.0
docker push registry.test.paas/library/harbor-jobservice:v2.0.0
docker push registry.test.paas/library/redis-photon:v2.0.0
docker push registry.test.paas/library/nginx-photon:v2.0.0
docker push registry.test.paas/library/notary-server-photon:v2.0.0
docker push registry.test.paas/library/notary-signer-photon:v2.0.0
docker push registry.test.paas/library/clair-photon:v2.0.0
docker push registry.test.paas/library/clair-adapter-photon:v2.0.0
docker push registry.test.paas/library/chartmuseum-photon:v2.0.0
vi /opt/harbor/docker-compose.yml
=> tag image 편집
------------------------------------------------------------
-- 4. Download the Harbor Installer
------------------------------------------------------------
* Online installer: The online installer downloads the Harbor images from Docker Hub. For this reason, the installer is very small in size.
* Offline installer: Use the offline installer if the host to which you are deploying Harbor does not have a connection to the Internet.
The offline installer contains pre-built images, so it is larger than the online installer.
● Download and Unpack the Installer
https://github.com/goharbor/harbor/releases
# Offline installer (alternative, left commented out):
#wget https://github.com/goharbor/harbor/releases/download/v2.0.0/harbor-offline-installer-v2.0.0.tgz
# Online installer:
wget https://storage.googleapis.com/harbor-releases/release-2.0.0/harbor-online-installer-v2.0.0.tgz
# Check the archive against the signature or checksum published with the release
# before unpacking it; install.sh from this archive is later run as root.
tar xvf harbor-online-installer-v2.0.0.tgz
# NOTE(review): this assumes the archive was unpacked in /app — confirm the working directory.
mv /app/harbor /opt
ls -l /opt
root docker 94 Jun 2 10:58 harbor
------------------------------------------------------------
-- 5. Registry disk setting (optional)
------------------------------------------------------------
● partitioning disk
------------------------------------------------------------
fdisk -l
fdisk /dev/sdb
Welcome to fdisk (util-linux 2.23.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0xf3f4d873.
Command (m for help): n
Partition type:
p primary (0 primary, 0 extended, 4 free)
e extended
Select (default p): p
Partition number (1-4, default 1):
First sector (2048-209715199, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-209715199, default 209715199):
Using default value 209715199
Partition 1 of type Linux and of size 100 GiB is set
Command (m for help): p
Disk /dev/sdc: 107.4 GB, 107374182400 bytes, 209715200 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xf3f4d873
Device Boot Start End Blocks Id System
/dev/sdc1 2048 209715199 104856576 83 Linux
Command (m for help): t
Selected partition 1
Hex code (type L to list all codes): 8e
Changed type of partition 'Linux' to 'Linux LVM'
Command (m for help): w
The partition table has been altered!
yum install lvm2
fdisk -l
# NOTE(review): the fdisk transcript above reports /dev/sdc while these commands use
# /dev/sdb — confirm the target disk with fdisk -l before continuing; the steps
# below overwrite whatever is on the device.
pvcreate /dev/sdb1
vgcreate registry-vg /dev/sdb1
lvcreate -n registry-lv -l 100%FREE registry-vg
# Alternative filesystem (ext4), left commented out:
#mkfs.ext4 /dev/mapper/registry--vg-registry--lv
# The two mkfs.xfs lines are alternatives: the second uses -f to overwrite the
# filesystem the first one just created. Run only one of them.
mkfs.xfs /dev/mapper/registry--vg-registry--lv
mkfs.xfs -f -ssize=4k /dev/mapper/registry--vg-registry--lv
# fsck does not check XFS (fsck.xfs is a no-op); use xfs_repair -n for a read-only check.
fsck -y /dev/mapper/registry--vg-registry--lv
mkdir /harbor-data
mount /dev/mapper/registry--vg-registry--lv /harbor-data
vi /etc/fstab
#/dev/mapper/registry--vg-registry--lv /harbor-data ext4 defaults 0 0
/dev/mapper/registry--vg-registry--lv /harbor-data xfs defaults 0 0
● install NFS Server
------------------------------------------------------------
yum install nfs-utils libnfsidmap
systemctl enable rpcbind
systemctl enable nfs-server
systemctl start rpcbind
systemctl start nfs-server
systemctl start rpc-statd
systemctl start nfs-idmapd
systemctl enable nfs.service
systemctl start nfs.service
chkconfig nfs on
mkdir -p /harbor-data/registry
chmod 750 /harbor-data/registry
chown nfsnobody:nfsnobody /harbor-data/registry
mkdir -p /harbor-data/db-data
chmod 750 /harbor-data/db-data
chown nfsnobody:nfsnobody /harbor-data/db-data
vi /etc/exports
# /etc/exports entries. "*" lets any host that can reach this server mount the
# directories read-write. Restrict each export to the clients that need it
# (e.g. <CLIENT_HOST_OR_SUBNET>, placeholder).
# all_squash maps every client user to the anonymous account (nfsnobody here).
# async acknowledges writes before they reach disk, so a server crash can lose
# data — relevant for the database directory.
/harbor-data/registry *(rw,async,all_squash)
/harbor-data/db-data *(rw,async,all_squash)
exportfs -a
setsebool -P virt_use_nfs on (server, client 둘다 등록)
● configure NFS server firewall
-------------------------------------------------------------
# add-service
firewall-cmd --permanent --zone public --add-service mountd
firewall-cmd --permanent --zone public --add-service rpc-bind
firewall-cmd --permanent --zone public --add-service nfs
firewall-cmd --reload
# add-port (apply on both server and client)
# NOTE(review): 53248 and 50825 look like dynamically assigned RPC ports rather than
# fixed ones — confirm with rpcinfo -p, or pin the ports, otherwise these rules may
# not match after a restart.
firewall-cmd --permanent --zone=public --add-port=53248/tcp
firewall-cmd --permanent --zone=public --add-port=50825/tcp
# 20048 (mountd), 2049 (nfs) and 111 (rpcbind) are the ports behind the mountd, nfs
# and rpc-bind services added above. The public zone opens them to every source
# address; a zone or rich rule limited to the NFS clients is tighter.
firewall-cmd --permanent --zone=public --add-port=20048/tcp
firewall-cmd --permanent --zone=public --add-port=2049/tcp
firewall-cmd --permanent --zone=public --add-port=111/tcp
firewall-cmd --reload
exportfs -r
exportfs -v
client)
mount -t nfs registry.test.paas:/harbor-data /mnt
------------------------------------------------------------
-- 6. Configure HTTPS Access to Harbor
------------------------------------------------------------
mkdir -p ./openssl
cd openssl
● Generate a Certificate Authority Certificate
1) Generate a CA certificate private key
openssl genrsa -out ca.key 4096
2) Generate the CA certificate
# Self-signed CA certificate, valid for 10 years (-days 3650).
# ca.key was generated above without a passphrase, so anyone who can read the file
# can issue certificates this CA vouches for. Restrict its permissions and keep it
# off shared or exported storage.
# NOTE(review): the subject is identical to the one used for the server CSR below
# (same CN=registry.test.paas); a distinct CN for the CA avoids issuer/subject ambiguity.
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=KR/ST=Seoul/L=Seoul/O=freedream/OU=IT Department/CN=registry.test.paas" \
-key ca.key \
-out ca.crt
● Generate a Server Certificate
1) Generate a private key
openssl genrsa -out registry.test.paas.key 4096
2) Generate a certificate signing request (CSR)
openssl req -sha512 -new \
-subj "/C=KR/ST=Seoul/L=Seoul/O=freedream/OU=IT Department/CN=registry.test.paas" \
-key registry.test.paas.key \
-out registry.test.paas.csr
3) Generate an x509 v3 extension file
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=registry.test.paas
DNS.2=registry
DNS.3=harbor.test.paas
EOF
4) Use the v3.ext file to generate a certificate for your Harbor host
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in registry.test.paas.csr \
-out registry.test.paas.crt
● Provide the Certificates to Harbor and Docker
1) Copy the server certificate and key into the certificates folder on your Harbor host.
mkdir -p /harbor-data/cert/
nfs)
chmod 750 /harbor-data/cert
chown nfsnobody:nfsnobody /harbor-data/cert
vi /etc/exports
# /etc/exports entry. "*" lets any host that can reach this server mount the
# directory read-write, and the server private key is copied into it below.
# Restrict the export to the hosts that need it (e.g. <CLIENT_HOST_OR_SUBNET>,
# placeholder) or keep the key on local storage.
/harbor-data/cert *(rw,async,all_squash)
exportfs -a
cp registry.test.paas.crt /harbor-data/cert/
# Private key: readable by whoever can mount the export above.
cp registry.test.paas.key /harbor-data/cert/
2) Convert registry.test.paas.crt to registry.test.paas.cert, for use by Docker.
openssl x509 -inform PEM -in registry.test.paas.crt -out registry.test.paas.cert
# openssl x509 -inform PEM -in ca.crt -out ca.cert
3) Copy the server certificate, key and CA files into the Docker certificates folder on the Harbor host. You must create the appropriate folders first.
# Registry addressed without a port.
# NOTE(review): the Docker client talks HTTPS to a registry unless it is listed as
# insecure, so this directory is not specific to port 80 — confirm.
mkdir -p /etc/docker/certs.d/registry.test.paas/
# In certs.d the Docker client verifies the registry with ca.crt; a .cert/.key pair
# placed here is presented as a client certificate.
# NOTE(review): copying the server private key here may be unnecessary if the
# registry does not require client certificates — confirm.
cp registry.test.paas.cert /etc/docker/certs.d/registry.test.paas/
cp registry.test.paas.key /etc/docker/certs.d/registry.test.paas/
cp ca.crt /etc/docker/certs.d/registry.test.paas/
# Registry addressed explicitly as registry.test.paas:443
mkdir -p /etc/docker/certs.d/registry.test.paas:443/
cp registry.test.paas.cert /etc/docker/certs.d/registry.test.paas:443/
cp registry.test.paas.key /etc/docker/certs.d/registry.test.paas:443/
cp ca.crt /etc/docker/certs.d/registry.test.paas:443/
# This adds the server certificate itself (not ca.crt) to the system trust anchors,
# so other certificates issued by the same CA are not trusted by this step.
cp registry.test.paas.crt /etc/pki/ca-trust/source/anchors/registry.test.paas.crt
update-ca-trust
# Restart Docker Engine.
systemctl restart docker
systemctl status docker
/etc/docker/certs.d/
└── yourdomain.com:port
├── yourdomain.com.cert <-- Server certificate signed by CA
├── yourdomain.com.key <-- Server key signed by CA
└── ca.crt <-- Certificate authority that signed the registry certificate
------------------------------------------------------------
-- 7. Configure Internal TLS communication between Harbor Component
------------------------------------------------------------
mkdir -p /harbor-data/tls/cert
nfs)
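chmod 750 /harbor-data/tls
chown nfsnobody:nfsnobody /harbor-data/tls
vi /etc/exports
# /etc/exports entry. "*" lets any host that can reach this server mount the
# directory read-write. Restrict it to the hosts that need it
# (e.g. <CLIENT_HOST_OR_SUBNET>, placeholder).
/harbor-data/tls *(rw,async,all_squash)
exportfs -a
# File names corrected from cat.crt/cat.key: the signing commands run in this
# directory read ca.crt and ca.key.
cp /harbor-install/openssl/ca.crt /harbor-data/tls/cert/
# This puts the CA private key inside the exported directory. Remove it from there
# once the component certificates are signed, or sign them outside the export.
cp /harbor-install/openssl/ca.key /harbor-data/tls/cert/
cp /harbor-install/openssl/v3.ext /harbor-data/tls/cert/
cd /harbor-data/tls/cert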
1) harbor_internal_ca
------------------------------------------------------------
# Key, CSR and certificate for "harbor_internal_ca", signed by ca.crt/ca.key.
# NOTE(review): v3.ext (copied from the HTTPS section) sets basicConstraints=CA:FALSE
# and subjectAltName entries for registry.test.paas, registry and harbor.test.paas.
# The certificate issued here therefore cannot act as a CA, and every component
# certificate signed with the same v3.ext carries those SANs instead of its own
# name — confirm this is what the internal TLS setup expects.
openssl genrsa -out harbor_internal_ca.key 4096
openssl req -sha512 -new -subj "/C=KR/ST=Seoul/L=Seoul/O=freedream/OU=IT Department/CN=harbor_internal_ca" -key harbor_internal_ca.key -out harbor_internal_ca.csr
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor_internal_ca.csr -out harbor_internal_ca.crt
2) core
------------------------------------------------------------
openssl genrsa -out core.key 4096
openssl req -sha512 -new -subj "/C=KR/ST=Seoul/L=Seoul/O=freedream/OU=IT Department/CN=core" -key core.key -out core.csr
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in core.csr -out core.crt
3) job_service
------------------------------------------------------------
openssl genrsa -out job_service.key 4096
openssl req -sha512 -new -subj "/C=KR/ST=Seoul/L=Seoul/O=freedream/OU=IT Department/CN=job_service" -key job_service.key -out job_service.csr
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in job_service.csr -out job_service.crt
4) proxy
------------------------------------------------------------
openssl genrsa -out proxy.key 4096
openssl req -sha512 -new -subj "/C=KR/ST=Seoul/L=Seoul/O=freedream/OU=IT Department/CN=proxy" -key proxy.key -out proxy.csr
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in proxy.csr -out proxy.crt
5) portal
------------------------------------------------------------
openssl genrsa -out portal.key 4096
openssl req -sha512 -new -subj "/C=KR/ST=Seoul/L=Seoul/O=freedream/OU=IT Department/CN=portal" -key portal.key -out portal.csr
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in portal.csr -out portal.crt
6) registry
------------------------------------------------------------
openssl genrsa -out registry.key 4096
openssl req -sha512 -new -subj "/C=KR/ST=Seoul/L=Seoul/O=freedream/OU=IT Department/CN=registry" -key registry.key -out registry.csr
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in registry.csr -out registry.crt
7) registryctl
------------------------------------------------------------
openssl genrsa -out registryctl.key 4096
openssl req -sha512 -new -subj "/C=KR/ST=Seoul/L=Seoul/O=freedream/OU=IT Department/CN=registryctl" -key registryctl.key -out registryctl.csr
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in registryctl.csr -out registryctl.crt
8) notary_server
------------------------------------------------------------
openssl genrsa -out notary_server.key 4096
openssl req -sha512 -new -subj "/C=KR/ST=Seoul/L=Seoul/O=freedream/OU=IT Department/CN=notary_server" -key notary_server.key -out notary_server.csr
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in notary_server.csr -out notary_server.crt
9) notary_signer
------------------------------------------------------------
openssl genrsa -out notary_signer.key 4096
openssl req -sha512 -new -subj "/C=KR/ST=Seoul/L=Seoul/O=freedream/OU=IT Department/CN=notary_signer" -key notary_signer.key -out notary_signer.csr
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in notary_signer.csr -out notary_signer.crt
10) trivy_adapter
------------------------------------------------------------
openssl genrsa -out trivy_adapter.key 4096
openssl req -sha512 -new -subj "/C=KR/ST=Seoul/L=Seoul/O=freedream/OU=IT Department/CN=trivy_adapter" -key trivy_adapter.key -out trivy_adapter.csr
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in trivy_adapter.csr -out trivy_adapter.crt
11) clair
------------------------------------------------------------
openssl genrsa -out clair.key 4096
openssl req -sha512 -new -subj "/C=KR/ST=Seoul/L=Seoul/O=freedream/OU=IT Department/CN=clair" -key clair.key -out clair.csr
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in clair.csr -out clair.crt
12) clair_adapter
------------------------------------------------------------
openssl genrsa -out clair_adapter.key 4096
openssl req -sha512 -new -subj "/C=KR/ST=Seoul/L=Seoul/O=freedream/OU=IT Department/CN=clair_adapter" -key clair_adapter.key -out clair_adapter.csr
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in clair_adapter.csr -out clair_adapter.crt
13) chartmuseum
------------------------------------------------------------
openssl genrsa -out chartmuseum.key 4096
openssl req -sha512 -new -subj "/C=KR/ST=Seoul/L=Seoul/O=freedream/OU=IT Department/CN=chartmuseum" -key chartmuseum.key -out chartmuseum.csr
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in chartmuseum.csr -out chartmuseum.crt
# offline docker images save
# Save the prepare image for transfer to an offline host.
docker save -o goharbor.tar goharbor/prepare:v2.0.0
# -v /:/harbor-data bind-mounts the host's entire root filesystem, read-write, into
# the container, so the container can modify any file on the host.
# NOTE(review): Harbor's documentation mounts the host root at /hostfs for gencert;
# confirm the mount point this image expects, because with this mapping the
# in-container path /harbor-data/tls/cert resolves to /tls/cert on the host.
docker run -v /:/harbor-data goharbor/prepare:v2.0.0 gencert -p /harbor-data/tls/cert
------------------------------------------------------------
-- 8. Configure the Harbor YML File
------------------------------------------------------------
● Configure the Harbor YML File
cd harbor
cp harbor.yml.tmpl harbor.yml
# vi harbor.yml
------------------------------------------------------------
hostname: registry.test.paas
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /harbor-data/cert/registry.test.paas.crt
private_key: /harbor-data/cert/registry.test.paas.key
# enable tls communication between all harbor components
internal_tls:
# # set enabled to true means internal tls is enabled
enabled: true
# # put your cert and key files on dir
dir: /harbor-data/tls/cert
# Initial password for the Harbor "admin" account. This is a sample value; set a
# unique one before installing and keep harbor.yml readable only by the installing user.
harbor_admin_password: Harbor12345
# Harbor DB configuration
database:
# The password for the root user of Harbor DB. Change this before any production use.
# root123 is a sample value.
password: root123
# The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
max_idle_conns: 50
# The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
# Note: the default number of connections is 100 for postgres.
max_open_conns: 100
# The default data volume
data_volume: /harbor-data/db-data
# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
# # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
# # of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
# ca_bundle:
# # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
# # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
# filesystem:
# maxthreads: 100
# # set disable to true when you want to disable registry redirect
# redirect:
# disabled: false
...
# Log configurations
log:
# options are debug, info, warning, error, fatal
level: info
# configs for logs in local storage
local:
# Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
rotate_count: 50
# Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
# If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
# are all valid.
rotate_size: 200M
# The directory on your host that store log
location: /var/log/harbor
------------------------------------------------------------
cd /opt/openssl
# Key, CSR and certificate for the Harbor database, signed by ca.crt/ca.key with the
# same v3.ext extension file used for the other certificates.
openssl genrsa -out harbor_db.key 4096
openssl req -sha512 -new -subj "/C=KR/ST=Seoul/L=Seoul/O=INSoft/OU=Cloud Department/CN=harbor_db" -key harbor_db.key -out harbor_db.csr
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor_db.csr -out harbor_db.crt
mkdir -p /harbor-data/db-data/secret/tls
cp harbor_db.crt /harbor-data/db-data/secret/tls/
# Private key: /harbor-data/db-data is exported over NFS earlier in these notes, so
# restrict the key's mode (e.g. chmod 600) and the export's client list.
cp harbor_db.key /harbor-data/db-data/secret/tls/
# The CSR is only an input to signing; it is not needed next to the deployed certificate.
cp harbor_db.csr /harbor-data/db-data/secret/tls/
# NOTE(review): 10000:10000 is presumably the UID/GID the Harbor container runs as — confirm.
chown -R 10000:10000 /harbor-data/db-data/secret/tls/
tail -f /var/log/harbor/registry.log
------------------------------------------------------------
-- 9. Run the Installer Script
------------------------------------------------------------
1) Default installation without Notary, Clair, or Chart Repository Service
cd /opt/harbor
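# Connecting to Harbor via HTTP (only when HTTPS is not configured: insecure-registries turns off TLS verification for the listed registries, and the entries below are not this guide's registry.test.paas)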
vi /etc/docker/daemon.json
{
"insecure-registries" : ["myregistrydomain.com:5000", "0.0.0.0"]
}
./install.sh
https://registry.test.paas admin / Harbor12345 (the harbor_admin_password set in harbor.yml; change it after the first login)
docker login reg.yourdomain.com
docker push reg.yourdomain.com/myproject/myrepo:mytag
2) Installation with Notary, Clair, and Chart Repository Service
cd /opt/harbor
# Run the prepare script to enable HTTPS
./prepare --with-notary --with-clair --with-chartmuseum
./install.sh --with-notary --with-clair --with-chartmuseum
# If Harbor is running, stop and remove the existing instance
docker-compose down -v
3) Restart Harbor
docker-compose stop
docker-compose start
docker-compose restart
4) Reconfigure Harbor
# stop Harbor
docker-compose down -v
# update
vim harbor.yml
# populate the configuration
./prepare
# start Harbor
docker-compose up -d
docker-compose ps
# remove docker-compose
docker-compose rm -f
5) Verify the HTTPS Connection
https://registry.test.paas admin / Harbor12345
systemctl restart docker
systemctl status docker
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --reload
6) Harbor management
# harbor console
admin / Harbor12345
# create harbor user
Harbor console > Administration > User > New User
set as admin 권한 부여
# docker login to registry
docker login registry.test.paas
harbor / Harbor12345
# docker image push to registry
docker pull nginx:latest
docker tag nginx:latest registry.test.paas/library/nginx:latest
docker push registry.test.paas/library/nginx:latest
# docker image pull from registry
# docker rmi nginx:latest
# docker rmi registry.test.paas/library/nginx:latest
docker pull registry.test.paas/library/nginx:latest