Harbor内网离线安装使用HTTPS访问

harbor

Harbor 是一个开源的容器镜像仓库，用于存储和管理 Docker 镜像和其他容器镜像。 * 容器镜像仓库、存储和管理 Docker 镜像和其他容器镜像 * 有什么特点：支持多种镜像格式、易于使用、安全性和访问控制

项目地址：https://gitcode.com/gh_mirrors/ha/harbor

免费下载资源

Twish

1428人浏览 · 2023-08-11 16:59:03

Twish · 2023-08-11 16:59:03 发布

重要提醒：使用的是域名形式访问Harbor。通过https://harbor.top访问网址。
1、首先在自己windows电脑
“此磁盘C->Windows->System32->drivers->etc”
修改hosts文件添加“ip harbor.top”例如：“172.33.33.33 harbor.top”
2、进入内网服务器 172.33.33.33
修改

vi  /etc/hosts 
172.33.33.33 harbor.top

1、生成证书

harbor文件在/root/harbor/
然后再次文件夹下创建mkdir cert文件夹

cd cert
openssl genrsa -out ca.key 4096

openssl req -x509 -new -nodes -sha512 -days 3650  -subj "/C=CN/ST=Shanghai/O=dev/OU=IT/CN=harbor.top"  -key ca.key  -out ca.crt

openssl genrsa -out harbor.key 4096

openssl req  -new -sha512  -subj "/C=CN/ST=Shanghai/O=dev/OU=IT/CN=harbor.top"  -key harbor.key  -out harbor.csr 
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth 
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.top
EOF
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.csr -out harbor.crt

会生成 ca.crt ca.key ca.srl harbor.crt harbor.csr harbor.key v3.ext
接下来将客户端的证书复制到docker文件夹下

mkdir -p /etc/docker/certs.d/harbor.top/

scp harbor.crt 172.33.33.33:/etc/docker/certs.d/harbor.top/

2、配置安装HTTPS证书


cd /root/harbor/
vi harbor.yml

修改harbor.yml文件

hostname: harbor.top
https:
 port: 443
 certificate: /root/harbor/harbor.crt
 private_key: /root/harbor/harbor.key

进入harbor文件，重新编译启动harbor

cd /root/harbor/

./prepare

./install.sh

3、docker

修改docker.service

vim /lib/systemd/system/docker.service

修改ExecStart 内容

ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry

4、登录

172.33.33.33
docker login harbor.top
Username: admin
 Password: 
 WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
 Configure a credential helper to remove this warning. See
 https://docs.docker.com/engine/reference/commandline/login/#credentials-store
 
 Login Succeeded

4、常见问题

1、在https双向验证时出现错误：

x509: cannot validate certificate for 172.33.33.33 because it doesn't contain any IP SANs

这个问题是：
（1）harbor.yml里面配置的hostname 是IP地址。
（2）登录的时候使用的是 docker login 172.33.33.33方式登录
网上参考的解决方式：
https://blog.csdn.net/qq_35078688/article/details/124945817
该方式不好解决。建议按照文章。按照文章方式。

GitHub 加速计划 / ha / harbor

下载

最近提交(Master分支：6 个月前 )

45659070 Fix integration issue with UI Signed-off-by: stonezdj <stone.zhang@broadcom.com> 9 天前

add0b600 chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp Bumps [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go) from 1.31.0 to 1.34.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.31.0...v1.34.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 11 天前