# TL;dr

```bash
cat /etc/redhat-release
```

```bash
CentOS Linux release 7.6.1810 (Core)
```

```bash
uname -a
```

```bash
Linux n21 4.4.189-1.el7.elrepo.x86_64 #1 SMP Sun Aug 11 08:43:49 EDT 2019 x86_64 x86_64 x86_64 GNU/Linux

### docker version
Client: Docker Engine - Community
 Version:           18.09.0
 API version:       1.39
 Go version:        go1.10.4
 Git commit:        4d60db4
 Built:             Wed Nov 7 00:46:51 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.0
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.4
  Git commit:       4d60db4
  Built:            Wed Nov 7 00:52:55 2018
  OS/Arch:          linux/amd64
  Experimental:     true
```

```bash
# Install Latest Stable Docker Compose Release
# The version pattern is quoted so the shell passes it to grep unchanged; head keeps the first match only.
COMPOSEVERSION=$(curl -s https://github.com/docker/compose/releases/latest/download 2>&1 | grep -Po '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
curl -L "https://github.com/docker/compose/releases/download/$COMPOSEVERSION/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
```

```bash
docker-compose version
docker-compose version 1.24.1, build 4667896b
docker-py version: 3.7.3
CPython version: 3.6.8
OpenSSL version: OpenSSL 1.1.0j 20 Nov 2018
```

# exp

```bash
# Self-signed certificate: harbor-ca.cert, harbor-ca.key, harbor-reg-domain.cert, harbor-reg-domain.key
openssl req -nodes -new -newkey rsa:4096 -x509 -sha512 -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=harborCA" -keyout harbor-ca.key -out harbor-ca.cert -days 3650
openssl genrsa -out harbor-reg-domain.key 2048
openssl req -new -key harbor-reg-domain.key -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=reg.domain.com/emailAddress=yy@vivo.com" -out harbor-reg-domain.csr
openssl x509 -req -days 3650 -in harbor-reg-domain.csr -CA harbor-ca.cert -CAkey harbor-ca.key -CAcreateserial -out harbor-reg-domain.cert

# prepare, harbor.yml
########################################################
# TLS verification stays on (no -k): prepare is executed below.
curl -sSL -O https://raw.githubusercontent.com/goharbor/harbor/v1.10.1/make/prepare
sed -i "s#prepare:dev#prepare:v1.10.1#g" prepare
chmod +x prepare
curl -sSL -O https://raw.githubusercontent.com/goharbor/harbor/v1.10.1/make/harbor.yml
########################################################
#sed -i "s/reg.mydomain.com/$IPorFQDN/g" harbor.yml
cp harbor.yml harbor_org.yml
sed -i "s|^hostname: .*|hostname: reg.domain.com|g" ./harbor.yml
sed -i "s|^data_volume: .*|data_volume: /data/harbor-data|g" ./harbor.yml
sed -i "s|# https:|https:|g" ./harbor.yml
sed -i "s| port: 80| port: 80|g" ./harbor.yml
# The patterns below accept any indentation after "#"; the replacements
# use the two-space indent that YAML needs under "https:".
sed -i "s|^# *port: 443|  port: 443|g" ./harbor.yml
sed -i "s|^# *certificate: .*|  certificate: /data/harbor/harbor-reg-domain.cert|g" ./harbor.yml
sed -i "s|^# *private_key: .*|  private_key: /data/harbor/harbor-reg-domain.key|g" ./harbor.yml
sed -i "s|^ *certificate: .*|  certificate: /data/harbor/harbor-reg-domain.cert|g" ./harbor.yml
sed -i "s|^ *private_key: .*|  private_key: /data/harbor/harbor-reg-domain.key|g" ./harbor.yml

./prepare --with-notary --with-clair --with-chartmuseum
```

```bash
prepare base dir is set to /data/harbor
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated certificate, key file: /tmp/cert_tmp/notary-signer-ca.key, cert file: /tmp/cert_tmp/notary-signer-ca.crt
Generated certificate, key file: /tmp/cert_tmp/notary-signer.key, cert file: /tmp/cert_tmp/notary-signer.crt
Copying certs for notary signer
Copying nginx configuration file for notary
Generated configuration file: /config/nginx/conf.d/notary.upstream.conf
Generated configuration file: /config/nginx/conf.d/notary.server.conf
Generated configuration file: /config/notary/server-config.postgres.json
Generated configuration file: /config/notary/server_env
Generated and saved secret to file: /secret/keys/defaultalias
Generated configuration file: /config/notary/signer_env
Generated configuration file: /config/notary/signer-config.postgres.json
Generated configuration file: /config/clair/postgres_env
Generated configuration file: /config/clair/config.yaml
Generated configuration file: /config/clair/clair_env
Generated configuration file: /config/clair-adapter/env
Generated configuration file: /config/chartserver/env
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

# 777 leaves ./common/ world-writable, and the env files generated under it
# hold service passwords; prefer fixing ownership over 777.
chmod -R 777 ./common/

cat docker-compose.yml |grep image
image: goharbor/harbor-log:v1.10.1
image: goharbor/registry-photon:v2.7.1-patch-2819-2553-v1.10.1
image: goharbor/harbor-registryctl:v1.10.1
image: goharbor/harbor-db:v1.10.1
image: goharbor/harbor-core:v1.10.1
image: goharbor/harbor-portal:v1.10.1
image: goharbor/harbor-jobservice:v1.10.1
image: goharbor/redis-photon:v1.10.1
image: goharbor/nginx-photon:v1.10.1
image: goharbor/notary-server-photon:v0.6.1-v1.10.1
image: goharbor/notary-signer-photon:v0.6.1-v1.10.1
image: goharbor/clair-photon:v2.1.1-v1.10.1
image: goharbor/clair-adapter-photon:v1.0.1-v1.10.1
image: goharbor/chartmuseum-photon:v0.9.0-v1.10.1
```

`docker-compose up`

```bash
docker-compose -f docker-compose.yml up -d
docker-compose -f docker-compose.yml logs -f
docker container ps -a |grep goharbor
docker image list|grep goharbor

# use
sudo cp harbor-ca.cert /etc/pki/ca-trust/source/anchors/
sudo yum install -y ca-certificates
sudo update-ca-trust force-enable
sudo update-ca-trust
sudo systemctl restart docker

#openssl req -newkey rsa:2048 -nodes -keyout rsa_private.key -x509 -days 365 -out cert.crt -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=reg.domain.com/emailAddress=yy@vivo.com"

# Harbor12345 is the default admin password from harbor.yml (harbor_admin_password);
# change it before the registry is reachable by anyone else.

# Search for projects and repositories
curl -u "admin:Harbor12345" -H "Content-Type: application/json" -X GET --url "https://reg.domain.com:11443/api/search?q=nginx"

# List projects
curl -u "admin:Harbor12345" --header "Content-Type: application/json" --request GET --url https://reg.domain.com:11443/api/projects

# Get the project_id
curl -sSL -u "admin:Harbor12345" -X GET \
  --header "Content-Type: application/json" \
  --url "https://reg.domain.com:11443/api/projects?name=testrpo" |jq -r '.[0].project_id'

# Create a project
curl -u "admin:Harbor12345" \
  --request POST \
  --url https://reg.domain.com:11443/api/projects \
  --header "Content-Type: application/json" \
  --data '{"project_name":"testrpo","metadata":{"public":"false"},"count_limit":-1,"storage_limit":-1}'

# Get a project by project_id
curl -u "admin:Harbor12345" -H "Content-Type: application/json" -X GET --url https://reg.domain.com:11443/api/projects/{project_id}

# Delete a project by project_id
curl -u "admin:Harbor12345" -H "Content-Type: application/json" -X DELETE --url https://reg.domain.com:11443/api/projects/{project_id}
```

```bash
docker login -u admin --password Harbor12345 reg.domain.com:11443
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://reg.domain.com:11443/v2/: x509: certificate signed by unknown authority

docker login -u admin --password Harbor12345 reg.domain.com:11443
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /home/vagrant/.docker/config.json.
Configure a credential helper to remove this warning.
See https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

#### push example
docker pull ubuntu:14.04
docker tag ubuntu:14.04 reg.domain.com:11443/testrpo/ubuntu:14.04
docker push reg.domain.com:11443/testrpo/ubuntu:14.04
docker pull reg.domain.com:11443/testrpo/ubuntu:14.04
docker run -it --rm reg.domain.com:11443/testrpo/ubuntu:14.04 /bin/bash -c "env"

# denied: requested access to the resource is denied
for i in "alpine:3.10.3" "nginx:1.17.6" "debian:buster" "busybox:1.31.1-glibc" "busybox:1.31.1" "centos:8" "centos:7.7.1908" "python:3.7.5-buster" "node:13.2.0-buster" "node:8.16.2-buster"; do
  docker pull "$i"
  docker tag "$i" "reg.domain.com:11443/testrpo/$i"
  docker push "reg.domain.com:11443/testrpo/$i"
done
```

# troubleshooting

```bash
ERROR:root:Please specify hostname
ERROR:root:Error: The protocol is https but attribute ssl_cert is not set
ERROR:root:Error: the protocol must be https when Harbor is deployed with Notary

ERROR: for chartmuseum Cannot start service chartmuseum: failed to initialize logging driver: dial tcp 127.0.0.1:1514: connect: connection refused
ERROR: for portal Cannot start service portal: failed to initialize logging driver: dial tcp 127.0.0.1:1514: connect: connection refused
ERROR: for chartmuseum Cannot start service chartmuseum: failed to initialize logging driver: dial tcp 127.0.0.1:1514: connect: connection refused
ERROR: for registryctl Cannot start service registryctl: failed to initialize logging driver: dial tcp 127.0.0.1:1514: connect: connection refused
ERROR: for registry Cannot start service registry: failed to initialize logging driver: dial tcp 127.0.0.1:1514: connect: connection refused
ERROR: for postgresql Cannot start service postgresql: failed to initialize logging driver: dial tcp 127.0.0.1:1514: connect: connection refused
ERROR: Encountered errors while bringing up the project.

ERROR: for nginx Cannot start service proxy: driver failed programming external connectivity on endpoint nginx (110e6e270623c3b2e721a56b285a7a625c4a06109085a58c3de88feb3b43ecf8): Error staCreating harbor-jobservice ... done
ERROR: for proxy Cannot start service proxy: driver failed programming external connectivity on endpoint nginx (110e6e270623c3b2e721a56b285a7a625c4a06109085a58c3de88feb3b43ecf8): Error starting userland proxy: listen tcp 0.0.0.0:443: bind: address already in use
ERROR: Encountered errors while bringing up the project.
```

# upgrade

```bash
sudo curl -L "https://github.com/docker/compose/releases/download/1.25.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
### curl -sSfLk https://get.daocloud.io/docker/compose/releases/download/1.25.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

# 2019/12/17 v1.9.3 ---> v1.10.0
docker-compose -f docker-compose.yml down
curl -sSL -o prepare1.10.0 https://raw.githubusercontent.com/goharbor/harbor/v1.10.0/make/prepare
sed -i "s#prepare:dev#prepare:v1.10.0#g" prepare1.10.0
chmod +x prepare1.10.0
./prepare1.10.0 --with-notary --with-clair --with-chartmuseum
cp docker-compose.yml docker-compose-v1.10.0.yml
# modify logging settings
chmod -R 777 ./common/
docker-compose -f docker-compose-v1.10.0.yml up -d
```

# helm

```bash
# TODO
helm repo add harbor https://helm.goharbor.io
helm repo update
helm fetch harbor/harbor --version 1.3.0 --untar
## https://hub.helm.sh/charts/harbor/harbor https://hub.helm.sh/charts/bitnami/harbor

sudo kill -SIGHUP $(pidof dockerd)
```

# certs.d

```bash
# https://docs.docker.com/registry/insecure/#use-self-signed-certificates
# Copy the domain.crt file to /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt on every Docker host. You do not need to restart Docker.
```

# ref

* [Architecture Overview of Harbor · goharbor/harbor Wiki · GitHub](https://github.com/goharbor/harbor/wiki/Architecture-Overview-of-Harbor)
* [harbor/make at master · goharbor/harbor · GitHub](https://github.com/goharbor/harbor/tree/master/make)
* [Harbor docker login x509 certificate signed by unknown authority](https://blog.csdn.net/nklinsirui/article/details/87952312)
* [Harbor registry API endpoints - 程序员同行者 - 博客园](https://www.cnblogs.com/guigujun/p/8352983.html)
* [ca - How to add Certificate Authority file in CentOS 7 - Stack Overflow](https://stackoverflow.com/questions/37043442/how-to-add-certificate-authority-file-in-centos-7)
* https://docs.docker.com/registry/configuration/#http
* https://docs.docker.com/registry/insecure/
* https://success.docker.com/article/how-do-i-enable-debug-logging-of-the-docker-daemon
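
The `openssl` commands in the `exp` section sign `harbor-reg-domain.cert` with the registry hostname only in the subject CN. Docker 18.09 (Go 1.10.4) accepts that once the CA is trusted, but clients built with Go 1.15 or later ignore the CN and require a DNS `subjectAltName`. The script below is an added example, not part of the original notes: it signs one CSR both ways with a throwaway CA and reports whether each leaf chains to the CA and carries the SAN. The `/O=demo` subjects, 2048-bit keys, 30-day validity and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: throwaway CA and leaf certificates in a temp dir (constructed values).
set -eu

REG_HOST="reg.domain.com"   # registry hostname used on this page

# Build a demo CA and sign one CSR twice: CN-only (the shape produced by the
# page's commands) and with a subjectAltName taken from an extfile.
# Prints the directory that holds the results.
make_demo_certs() {
  dir=$(mktemp -d)
  (
    cd "$dir"
    openssl req -nodes -new -newkey rsa:2048 -x509 -sha256 -days 30 \
      -subj "/O=demo/CN=harborCA" -keyout ca.key -out ca.cert
    openssl genrsa -out leaf.key 2048
    openssl req -new -key leaf.key -subj "/O=demo/CN=$REG_HOST" -out leaf.csr
    openssl x509 -req -days 30 -sha256 -in leaf.csr -CA ca.cert -CAkey ca.key \
      -CAcreateserial -out leaf-cn.cert
    printf 'subjectAltName=DNS:%s\n' "$REG_HOST" > san.ext
    openssl x509 -req -days 30 -sha256 -in leaf.csr -CA ca.cert -CAkey ca.key \
      -CAcreateserial -extfile san.ext -out leaf-san.cert
  ) >/dev/null 2>&1
  echo "$dir"
}

# Succeeds when the certificate lists the host as a DNS subjectAltName.
has_dns_san() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | grep -qF "DNS:$2"
}

# Succeeds when the leaf chains to the given CA certificate.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Print one status line per leaf, then remove the temp dir.
report_demo() {
  d=$(make_demo_certs)
  for leaf in leaf-cn.cert leaf-san.cert; do
    chain=fail; san=missing
    if chain_ok "$d/ca.cert" "$d/$leaf"; then chain=ok; fi
    if has_dns_san "$d/$leaf" "$REG_HOST"; then san=present; fi
    echo "$leaf chain=$chain san=$san"
  done
  rm -rf "$d"
}

report_demo
```

Running `has_dns_san harbor-reg-domain.cert reg.domain.com` against the certificate actually deployed shows whether it needs to be reissued with an `-extfile` before newer Docker clients connect.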