Updated: 2024-05-08 GMT+08:00
Setting up a Harbor registry
Server plan
| No. | IP | Hostname | Deployment |
|---|---|---|---|
| 1 | 192.168.1.3 | base02 | harbor |
Obtain the Harbor offline installer
wget https://github.com/goharbor/harbor/releases/download/v2.3.1/harbor-offline-installer-v2.3.1.tgz
Edit the configuration file and enable HTTPS
The installer reads harbor.yml from the unpacked directory. Point the https section at the certificate and key created in the next step:
```yaml
hostname: harbor.talkedu.com
http:
  port: 8080
https:
  port: 443
  certificate: /data/harbor/ssl/harbor.talkedu.com.cert
  private_key: /data/harbor/ssl/harbor.talkedu.com.key
harbor_admin_password: Talkedu@123
database:
  password: Talkedu@123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data/harbor
trivy:
  ignore_unfixed: false
  skip_update: false
  insecure: false
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.3.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
```
Create the SSL certificate
Commands to create a private CA and a server certificate signed by it (run in /data/harbor/ssl, the directory harbor.yml points to):
```bash
# CA key and self-signed CA certificate
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=xian/L=xian/O=example/OU=Personal/CN=harbor.talkedu.com" \
  -key ca.key -out ca.crt
# Server key and certificate signing request
openssl genrsa -out harbor.talkedu.com.key 4096
openssl req -sha512 -new \
  -subj "/C=CN/ST=xian/L=xian/O=example/OU=Personal/CN=harbor.talkedu.com" \
  -key harbor.talkedu.com.key -out harbor.talkedu.com.csr
# x509 v3 extensions: server-auth leaf with the hostname in subjectAltName
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.talkedu.com
DNS.2=harbor.talkedu.com
DNS.3=base02
EOF
# Sign the CSR with the CA, then write the .cert copy referenced by harbor.yml
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key \
  -CAcreateserial -in harbor.talkedu.com.csr -out harbor.talkedu.com.crt
openssl x509 -inform PEM -in harbor.talkedu.com.crt -out harbor.talkedu.com.cert
```
Run the deployment script
bash install.sh
Verify
```bash
docker ps -a   # all Harbor containers should be started and in the Up state
```
Figure 1: Verification
Configure firewall rules to restrict access by IP
```bash
# Allow 192.168.1.1-192.168.1.254 to reach port 443 and drop every other source.
# -I inserts the ACCEPT rule at the top of INPUT, so it is evaluated before the
# DROP rule appended with -A; the order matters.
iptables -I INPUT -p tcp -m iprange --src-range=192.168.1.1-192.168.1.254 -m multiport --dports 443 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 443 -j DROP
# Note: the plain-HTTP port configured in harbor.yml (8080) is not covered by these rules.
# Save the rules so they are reloaded after an unexpected reboot (on CentOS/RHEL
# this file is only applied at boot when the iptables service is enabled).
iptables-save > /etc/sysconfig/iptables
```
Parent topic: Implementation steps