Harbor 2.1.2 installation and deployment

Time:2022-1-13

environment

First, you need to prepare a docker + docker-compose environment. For installing Docker on CentOS 7, please refer to the installation tutorial (X). The rest of this article assumes that you have already installed the above environment.

install

Standard installation

First, download the latest installation package from harbor’s official GitHub releases page. Harbor itself also depends on docker-compose. The whole compressed package is essentially a series of offline images, and the installation script essentially runs the `docker load` command to load the required images directly.

  1. To download the installation package, visit https://github.com/goharbor/harbor/releases/tag/v2.1.2 and download the tgz compressed package.

  2. Move the files to the installation folder; here I set up a `/opt/harbor` folder.

  3. Run `tar -xvf harbor-offline-installer-v1.10.1.tgz` to unpack the package.

  4. Move into the unpacked folder and edit the `harbor.yml` file in it to set the domain name, SSL certificate and other information.

    Note ⚠️:

    The certificate file in this step must be a full-chain certificate, otherwise `docker login` will later fail with an X509 error.

  5. Run `./install.sh --with-clair` to start installing Harbor.

After completing the above steps, harbor is successfully installed.

Do not use built-in nginx

In our environment, the nginx container runs on its own and uses a separate external network created with `docker network create`. In this case the nginx provided by the Harbor installation script cannot be used, and Harbor's docker-compose file needs to be changed.

  1. Run `docker-compose down` to stop all Harbor containers.

  2. Edit Harbor’s `docker-compose.yml` file to introduce the external network; here I use `internal-network` as an example. The following is the changed YAML file.

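    # docker-compose.yml for Harbor v2.1.2 when the bundled nginx is NOT used.
    # Two networks are in play:
    #   - harbor:           the compose-internal network every Harbor service shares
    #   - internal-network: a pre-existing external network that the standalone
    #                       nginx container is attached to
    # The standalone nginx only proxies to harbor-portal and harbor-core, so only
    # those two services are attached to internal-network; every other service
    # stays reachable on the internal harbor network alone.
    version: '2.3'
    services:
      # Central syslog receiver; the other services ship their logs here through
      # the Docker syslog logging driver.
      log:
        image: goharbor/harbor-log:v2.1.2
        container_name: harbor-log
        restart: always
        dns_search: .
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - DAC_OVERRIDE
          - SETGID
          - SETUID
        volumes:
          - /var/log/harbor/:/var/log/docker/:z
          - type: bind
            source: ./common/config/log/logrotate.conf
            target: /etc/logrotate.d/logrotate.conf
          - type: bind
            source: ./common/config/log/rsyslog_docker.conf
            target: /etc/rsyslog.d/rsyslog_docker.conf
        # Published on the host loopback only, so it is reachable by the logging
        # drivers below (tcp://127.0.0.1:1514) but not from any external
        # interface. Quoted so YAML never tries to type the value.
        ports:
          - "127.0.0.1:1514:10514"
        networks:
          - harbor
      # Docker distribution registry; only core talks to it, never the proxy.
      registry:
        image: goharbor/registry-photon:v2.1.2
        container_name: registry
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - SETGID
          - SETUID
        volumes:
          - /data/registry:/storage:z
          - ./common/config/registry/:/etc/registry/:z
          - type: bind
            source: /data/secret/registry/root.crt
            target: /etc/registry/root.crt
          - type: bind
            source: ./common/config/shared/trust-certificates
            target: /harbor_cust_cert
        networks:
          - harbor
        dns_search: .
        depends_on:
          - log
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "registry"
      # Registry controller; internal helper, not proxied.
      registryctl:
        image: goharbor/harbor-registryctl:v2.1.2
        container_name: registryctl
        env_file:
          - ./common/config/registryctl/env
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - SETGID
          - SETUID
        volumes:
          - /data/registry:/storage:z
          - ./common/config/registry/:/etc/registry/:z
          - type: bind
            source: ./common/config/registryctl/config.yml
            target: /etc/registryctl/config.yml
          - type: bind
            source: ./common/config/shared/trust-certificates
            target: /harbor_cust_cert
        networks:
          - harbor
        dns_search: .
        depends_on:
          - log
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "registryctl"
      # Database; internal network only.
      postgresql:
        image: goharbor/harbor-db:v2.1.2
        container_name: harbor-db
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - DAC_OVERRIDE
          - SETGID
          - SETUID
        volumes:
          - /data/database:/var/lib/postgresql/data:z
        networks:
          - harbor
        dns_search: .
        env_file:
          - ./common/config/db/env
        depends_on:
          - log
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "postgresql"
      # API / auth service; proxied by nginx as harbor-core:8080, so it joins
      # internal-network.
      core:
        image: goharbor/harbor-core:v2.1.2
        container_name: harbor-core
        env_file:
          - ./common/config/core/env
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - SETGID
          - SETUID
        volumes:
          - /data/ca_download/:/etc/core/ca/:z
          - /data/:/data/:z
          - ./common/config/core/certificates/:/etc/core/certificates/:z
          - type: bind
            source: ./common/config/core/app.conf
            target: /etc/core/app.conf
          - type: bind
            source: /data/secret/core/private_key.pem
            target: /etc/core/private_key.pem
          - type: bind
            source: /data/secret/keys/secretkey
            target: /etc/core/key
          - type: bind
            source: ./common/config/shared/trust-certificates
            target: /harbor_cust_cert
        networks:
          - harbor
          - internal-network
        dns_search: .
        depends_on:
          - log
          - registry
          - redis
          - postgresql
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "core"
      # Web UI; proxied by nginx as harbor-portal:8080, so it joins
      # internal-network.
      portal:
        image: goharbor/harbor-portal:v2.1.2
        container_name: harbor-portal
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - SETGID
          - SETUID
          - NET_BIND_SERVICE
        volumes:
          - type: bind
            source: ./common/config/portal/nginx.conf
            target: /etc/nginx/nginx.conf
        networks:
          - harbor
          - internal-network
        dns_search: .
        depends_on:
          - log
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "portal"
    
      # Background jobs (scans, replication, GC); talks to core internally.
      jobservice:
        image: goharbor/harbor-jobservice:v2.1.2
        container_name: harbor-jobservice
        env_file:
          - ./common/config/jobservice/env
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - SETGID
          - SETUID
        volumes:
          - /data/job_logs:/var/log/jobs:z
          - type: bind
            source: ./common/config/jobservice/config.yml
            target: /etc/jobservice/config.yml
          - type: bind
            source: ./common/config/shared/trust-certificates
            target: /harbor_cust_cert
        networks:
          - harbor
        dns_search: .
        depends_on:
          - core
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "jobservice"
      # Cache / job queue; internal network only.
      redis:
        image: goharbor/redis-photon:v2.1.2
        container_name: redis
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - SETGID
          - SETUID
        volumes:
          - /data/redis:/var/lib/redis
        networks:
          - harbor
        dns_search: .
        depends_on:
          - log
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "redis"
    
    networks:
      # Created and owned by this compose project.
      harbor:
        external: false
      # Must already exist (docker network create); shared with the standalone
      # nginx container.
      internal-network:
        external: true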
  3. Create the corresponding configuration file in the standalone nginx. In the YAML file of the previous step I specified `container_name`, which ensures the container name is unique and will not change for external reasons. I copied this configuration file from Harbor's own nginx and adapted it; you can take it and use it directly.

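    # Plain-HTTP listener: redirects everything to HTTPS, serves nothing in clear.
    server {
        listen 80;
        # Placeholder: replace YOUR_DOMAIN with the registry's FQDN (the same
        # hostname configured in harbor.yml).
        server_name YOUR_DOMAIN;
        return 301 https://YOUR_DOMAIN$request_uri;
    }
    
    server {
        listen 443 ssl;
        server_name YOUR_DOMAIN;
    
        # disable any limits to avoid HTTP 413 for large image uploads
        client_max_body_size 0;
    
        # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;
    
        # Add extra headers (inherited by every location below, none of which
        # declares its own add_header).
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header Content-Security-Policy "frame-ancestors 'none'";
    
        # Placeholder paths: the certificate must be the FULL chain (leaf plus
        # intermediates), otherwise docker login fails with an X509 error.
        ssl_certificate /etc/nginx/ssl/YOUR_DOMAIN/full.pem;      #  Storage path of SSL certificate file
        ssl_certificate_key /etc/nginx/ssl/YOUR_DOMAIN/key.pem;   #  Storage path of SSL key file
    
        ssl_protocols TLSv1.2;
        ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
    
        # Web UI. Upstream names are the container_name values from
        # docker-compose.yml, resolved over the shared external network.
        location / {
          proxy_pass http://harbor-portal:8080/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
    
          # Cookies issued by the portal get HttpOnly and Secure attributes.
          proxy_cookie_path / "/; HttpOnly; Secure";
    
          proxy_buffering off;
          proxy_request_buffering off;
        }
    
        # Login / logout and other core controller routes.
        location /c/ {
          proxy_pass http://harbor-core:8080/c/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
    
          proxy_cookie_path / "/; Secure";
    
          proxy_buffering off;
          proxy_request_buffering off;
        }
    
        # REST API.
        location /api/ {
          proxy_pass http://harbor-core:8080/api/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
    
          proxy_cookie_path / "/; Secure";
    
          proxy_buffering off;
          proxy_request_buffering off;
        }
    
        # Helm chart repository.
        location /chartrepo/ {
          proxy_pass http://harbor-core:8080/chartrepo/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
    
          proxy_cookie_path / "/; Secure";
    
          proxy_buffering off;
          proxy_request_buffering off;
        }
    
        # Legacy registry v1 API is not supported; refuse it explicitly.
        location /v1/ {
          return 404;
        }
    
        # Docker registry v2 API, fronted by core (auth and proxying to the
        # registry happen there). Long timeouts cover large layer pushes.
        location /v2/ {
          proxy_pass http://harbor-core:8080/v2/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_buffering off;
          proxy_request_buffering off;
          proxy_send_timeout 900;
          proxy_read_timeout 900;
        }
    
        # Token service and other /service/ endpoints.
        location /service/ {
          proxy_pass http://harbor-core:8080/service/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
    
          proxy_cookie_path / "/; Secure";
    
          proxy_buffering off;
          proxy_request_buffering off;
        }
    
        # Registry event notifications are internal-only; the more specific
        # prefix wins over /service/ above, so they are never reachable from
        # outside.
        location /service/notifications {
          return 404;
        }
    }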

The certificate I use here is a wildcard SSL certificate requested with `acme.sh`.

effect