Using Harbor to configure a private registry


Before installing Harbor, you need to install Python, Docker and Docker Compose. Python must be version 2.7 or later, Docker 1.10 or later, and Docker Compose 1.6.0 or later.

One: Install Docker Compose

Of the installation methods described at https://docs.docker.com/compose/install/, only the pip method installed successfully here.

Installing with pip can make the docker-compose dependencies conflict with the system packages of the host's Python environment, so the documentation recommends using virtualenv.

First install virtualenv:

pip install virtualenv


Then create the virtual environment into which docker-compose will be installed:

mkdir -p /opt/testvenv
cd /opt/testvenv
virtualenv venv


Activate the virtual environment and install docker-compose:

source venv/bin/activate
pip install docker-compose


docker-compose is now installed under /opt/testvenv/venv/bin; create a symbolic link so that it is found on the PATH:

ln -s /opt/testvenv/venv/bin/docker-compose /usr/local/bin/docker-compose

This completes the docker-compose installation.

Two: Install Harbor

1: Install from source; download the source code with git:

mkdir -p /opt/harbor/git
cd /opt/harbor/git
git clone https://github.com/vmware/harbor


2: Configure Harbor

Before installing Harbor, modify the configuration parameters in /opt/harbor/git/harbor/deploy/harbor.cfg, then run the prepare script to generate the configuration files for all of Harbor's containers, and finally start Harbor with docker-compose.

In harbor.cfg, configure the following parameters:

hostname: host name of the private registry. It can be an IP address or a domain name; here it is set to 192.168.1.104;

ui_url_protocol: the protocol users use to access the private registry. The default is http; here it is set to https;

harbor_admin_password: the password of the Harbor administrator account. The default password is Harbor12345 and the username is admin;

The other configuration parameters are documented at:

https://github.com/vmware/harbor/blob/master/docs/installation_guide.md

3: Configure HTTPS access

By default users access Harbor over HTTP, but the Docker registry currently expects HTTPS. If you keep HTTP, you must modify the Docker daemon configuration on every host that accesses the private registry and add the --insecure-registry option.

To configure HTTPS access, first generate the certificate:

mkdir -p /opt/harbor/cert/

openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout \
    /opt/harbor/cert/domain.key -out /opt/harbor/cert/domain.crt

...

Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:192.168.1.104
Email Address []:


Then copy the resulting certificate and key into the cert directory of the Nginx container configuration:

cp /opt/harbor/cert/domain.crt /opt/harbor/git/harbor/deploy/config/nginx/cert/
cp /opt/harbor/cert/domain.key /opt/harbor/git/harbor/deploy/config/nginx/cert/


Then, in the /opt/harbor/git/harbor/deploy/config/nginx directory, switch to the HTTPS configuration:

mv nginx.conf nginx.conf.bak
cp nginx.https.conf nginx.conf


Modify the contents of nginx.conf as follows:

server {
    listen 443 ssl;
    server_name 192.168.1.104;

    # SSL
    ssl_certificate /etc/nginx/cert/domain.crt;
    ssl_certificate_key /etc/nginx/cert/domain.key;

    ...
}

server {
    listen 80;
    server_name 192.168.1.104;

    ...
}


4: Generate the configuration files for the Harbor containers:

cd /opt/harbor/git/harbor/deploy
./prepare


After running prepare, modify the data volume directories of the containers in /opt/harbor/git/harbor/deploy/docker-compose.yml. First create the data volume directories:

mkdir -p /opt/harbor/data
mkdir -p /opt/harbor/data/registry
mkdir -p /opt/harbor/data/log
mkdir -p /opt/harbor/data/database


Then modify the contents of docker-compose.yml:

version: '2'
services:
  log:
    build: ./log/
    volumes:
      - /opt/harbor/data/log/:/var/log/docker/
    ports:
      - 1514:514
  registry:
    image: library/registry:2.4.0
    volumes:
      - /opt/harbor/data/registry:/storage
      - ./config/registry/:/etc/registry/
    environment:
      - GODEBUG=netdns=cgo
    ports:
      - 5001:5001
    command: ["serve", "/etc/registry/config.yml"]
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        syslog-tag: "registry"
  mysql:
    build: ./db/
    volumes:
      - /opt/harbor/data/database:/var/lib/mysql
    env_file:
      - ./config/db/env
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        syslog-tag: "mysql"
  ui:
    build:
      context: ../
      dockerfile: Dockerfile.ui
    env_file:
      - ./config/ui/env
    volumes:
      - ./config/ui/app.conf:/etc/ui/app.conf
      - ./config/ui/private_key.pem:/etc/ui/private_key.pem
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        syslog-tag: "ui"
  proxy:
    image: library/nginx:1.9
    volumes:
      - ./config/nginx:/etc/nginx
    ports:
      - 80:80
      - 443:443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        syslog-tag: "proxy"


Because the current host needs an HTTP proxy to reach the external network, the proxy also has to be set when the UI container is built. Modify /opt/harbor/git/harbor/Dockerfile.ui so that the proxy address is set before the apt-get and go get commands that need external network access:

FROM golang:1.6.2

MAINTAINER [email protected]

# Proxy settings are exported inside the RUN step only, so they are not persisted in the image.
RUN export https_proxy=http://192.168.1.22:1888 \
    && export http_proxy=http://192.168.1.22:8000 \
    && apt-get update \
    && apt-get install -y libldap2-dev \
    && rm -r /var/lib/apt/lists/*

COPY . /go/src/github.com/vmware/harbor

# golang.org is blocked in China
COPY ./vendor/golang.org /go/src/golang.org

WORKDIR /go/src/github.com/vmware/harbor/ui

RUN export https_proxy=http://192.168.1.22:1888 \
    && export http_proxy=http://192.168.1.22:8000 \
    && go get -d github.com/docker/distribution \
    && go get -d github.com/docker/libtrust \
    && go get -d github.com/go-sql-driver/mysql \
    && go build -v -a -o /go/bin/harbor_ui

ENV MYSQL_USR=root \
    MYSQL_PWD=root \
    REGISTRY_URL=localhost:5000

COPY views /go/bin/views
COPY static /go/bin/static
COPY favicon.ico /go/bin/favicon.ico

# Comment out TLS_CACERT and append TLS_REQCERT allow: the LDAP client will then
# accept the server certificate without verifying it against a CA.
RUN chmod u+x /go/bin/harbor_ui \
    && sed -i 's/TLS_CACERT/#TLS_CACERT/g' /etc/ldap/ldap.conf \
    && sed -i '$a TLS_REQCERT allow' /etc/ldap/ldap.conf

WORKDIR /go/bin/

ENTRYPOINT ["/go/bin/harbor_ui"]

EXPOSE 80


5: Start and stop Harbor

cd /opt/harbor/git/harbor/deploy
docker-compose up -d

When restarting Harbor, be careful not to run ./prepare again; instead run:

docker-compose stop
docker-compose rm -f
docker-compose up -d


6. Log in

docker login -u admin -p Harbor12345 -e [email protected] 10.10.16.194


7. Connecting LDAP authentication

Harbor supports two authentication methods. The default is local storage, where the account information is kept in MySQL, as described above. The other method is LDAP, which only requires changes to the configuration file: provide the ldap_url and ldap_basedn parameters and set auth_mode to ldap_auth.


Quickly deploy an LDAP service

For convenience in testing, we use Docker to start an LDAP server with the following startup script:

#!/bin/bash

NAME=ldap_server
docker rm -f $NAME 2>/dev/null
docker run --env LDAP_ORGANISATION="UnitedStack Inc." \
    --env LDAP_DOMAIN="ustack.com" \
    --env LDAP_ADMIN_PASSWORD="admin_password" \
    -v $(pwd)/containers/openldap/data:/var/lib/ldap \
    -v $(pwd)/containers/openldap/slapd.d:/etc/ldap/slapd.d \
    --detach --name $NAME osixia/openldap:1.1.2


To create a new user, first define the LDIF file new_user.ldif:

dn: uid=test,dc=ustack,dc=com
uid: test
cn: test
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/test
uidNumber: 1001
gidNumber: 1001
userPassword: 1q2w3e4r
mail: [email protected]
gecos: test


Create the user with the following commands, where ldap_server is the name of the LDAP service container:

docker cp new_user.ldif ldap_server:/
docker exec ldap_server ldapadd -x \
    -D "cn=admin,dc=ustack,dc=com" \
    -w admin_password \
    -f /new_user.ldif -ZZ


To check whether the user was created successfully:

docker exec ldap_server ldapsearch -x -h localhost \
    -b dc=ustack,dc=com -D "cn=admin,dc=ustack,dc=com" \
    -w admin_password

Check that the test user appears in the output; if it does, the creation succeeded, otherwise use docker logs to inspect the container's logs.


Configuring Harbor with LDAP authentication

Modify the LDAP configuration entries in harbor.cfg as follows:

auth_mode = ldap_auth
ldap_url = ldap://42.62.x.x
ldap_basedn = uid=%s,dc=ustack,dc=com
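The ldap_basedn template above substitutes the login name for %s to form the DN that is bound as. The following Python is an added example (not Harbor's own code) that models that substitution with RFC 4514 escaping of the login name, so a name containing DN metacharacters cannot change which entry is selected, and that checks whether an ldap_url such as the one above carries the bind over TLS; the template string and URL are the values from harbor.cfg, the login names are constructed.

```python
# Added example, not Harbor's code: model the uid=%s substitution implied by
# ldap_basedn, with RFC 4514 escaping of the login name and an ldap_url check.
from urllib.parse import urlparse

# Characters that need a backslash inside a DN attribute value (RFC 4514, section 2.4).
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it cannot introduce new RDNs or attributes."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')                 # NUL must use the hex form
        elif ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')                  # a leading '#' would start a hex string
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')                  # leading/trailing spaces are dropped unless escaped
        else:
            out.append(ch)
    return ''.join(out)


def build_bind_dn(template: str, username: str) -> str:
    """Substitute the escaped login name for the single %s in the ldap_basedn template."""
    if template.count('%s') != 1:
        raise ValueError('ldap_basedn template must contain exactly one %s')
    return template.replace('%s', escape_dn_value(username))


def ldap_url_is_encrypted(url: str) -> bool:
    """True only for ldaps://; a simple bind over plain ldap:// sends the password in clear text."""
    return urlparse(url).scheme.lower() == 'ldaps'


if __name__ == '__main__':
    template = 'uid=%s,dc=ustack,dc=com'      # value from harbor.cfg above
    for name in ('test', 'test,ou=admins'):    # constructed login names
        print(build_bind_dn(template, name))
    print(ldap_url_is_encrypted('ldap://42.62.x.x'))
```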


Then redeploy Harbor:

./prepare
docker-compose stop
docker-compose rm -f
docker-compose up -d


Test that you can log in with the test user:

docker login -u test -p 1q2w3e4r \
    -e [email protected] 42.62.x.x

This article is from the "My Ops Time" blog; please keep this source: http://aaronsa.blog.51cto.com/5157083/1834599
