environment
First, you need to prepare the Docker + Docker Compose environment. For installing Docker on CentOS 7, please refer to the installation tutorial in article X. This article and the subsequent ones assume that you have installed the above environment.
install
Standard installation
First, download the latest installation package from Harbor's official GitHub release page. Harbor itself also depends on Docker Compose. The whole compressed package is essentially a series of offline images, and executing the installation script essentially runs docker load
to load the required images directly.
-
To download the installation package, visit https://github.com/goharbor/harbor/releases/tag/v2.1.2 and download the tgz compressed package.
-
Move the files to the installation folder, where I set up a
/opt/harbor
folder. -
Run
tar -xvf harbor-offline-installer-v1.10.1.tgz
Unzip the package. -
Move into the unzipped folder and edit the
harbor.yml
file there to set the domain name, SSL certificate and other information. Be careful ⚠️:
The certificate file in this step must be a full-chain certificate, otherwise running
docker login
later will fail with an X509 error. -
Run
./install.sh --with-clair
to start installing Harbor.
After completing the above steps, harbor is successfully installed.
Do not use built-in nginx
In our environment, the nginx container runs on its own and uses docker network create
to create a new external network. Because of this, the nginx provided by the Harbor installation script cannot be used, and Harbor's docker compose file needs to be changed.
-
Run the
docker-compose down
command to stop all Harbor containers. -
Edit harbor’s
docker-compose.yml
File, introduce external network, here Iinternal-networkAs an example, the following is the changed yaml file.
# Harbor docker-compose.yml without the built-in nginx proxy service.
# The standalone nginx container reaches Harbor over `internal-network`,
# which is created outside this file with `docker network create`.
version: '2.3'
services:
  log:
    image: goharbor/harbor-log:v2.1.2
    container_name: harbor-log
    restart: always
    dns_search: .
    # Drop every capability, then add back only the ones this container needs.
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - DAC_OVERRIDE
      - SETGID
      - SETUID
    volumes:
      - /var/log/harbor/:/var/log/docker/:z
      - type: bind
        source: ./common/config/log/logrotate.conf
        target: /etc/logrotate.d/logrotate.conf
      - type: bind
        source: ./common/config/log/rsyslog_docker.conf
        target: /etc/rsyslog.d/rsyslog_docker.conf
    # Syslog listener is bound to loopback only; the other services log to it via tcp://127.0.0.1:1514.
    ports:
      - 127.0.0.1:1514:10514
    # NOTE(review): the external nginx only proxies to harbor-portal and harbor-core;
    # log, registry, registryctl and jobservice would keep working on `harbor` alone,
    # and leaving them off `internal-network` reduces what other containers on that
    # network can reach — confirm nothing else depends on them being there.
    networks:
      - harbor
      - internal-network

  registry:
    image: goharbor/registry-photon:v2.1.2
    container_name: registry
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    volumes:
      - /data/registry:/storage:z
      - ./common/config/registry/:/etc/registry/:z
      # Secret material is bind-mounted from /data/secret rather than baked into the image.
      - type: bind
        source: /data/secret/registry/root.crt
        target: /etc/registry/root.crt
      - type: bind
        source: ./common/config/shared/trust-certificates
        target: /harbor_cust_cert
    networks:
      - harbor
      - internal-network
    dns_search: .
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "registry"

  registryctl:
    image: goharbor/harbor-registryctl:v2.1.2
    container_name: registryctl
    env_file:
      - ./common/config/registryctl/env
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    volumes:
      - /data/registry:/storage:z
      - ./common/config/registry/:/etc/registry/:z
      - type: bind
        source: ./common/config/registryctl/config.yml
        target: /etc/registryctl/config.yml
      - type: bind
        source: ./common/config/shared/trust-certificates
        target: /harbor_cust_cert
    networks:
      - harbor
      - internal-network
    dns_search: .
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "registryctl"

  postgresql:
    image: goharbor/harbor-db:v2.1.2
    container_name: harbor-db
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - DAC_OVERRIDE
      - SETGID
      - SETUID
    volumes:
      - /data/database:/var/lib/postgresql/data:z
    # Database stays on the private `harbor` network only; it is not reachable from `internal-network`.
    networks:
      harbor:
    dns_search: .
    env_file:
      - ./common/config/db/env
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "postgresql"

  core:
    image: goharbor/harbor-core:v2.1.2
    container_name: harbor-core
    env_file:
      - ./common/config/core/env
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - SETGID
      - SETUID
    volumes:
      - /data/ca_download/:/etc/core/ca/:z
      - /data/:/data/:z
      - ./common/config/core/certificates/:/etc/core/certificates/:z
      - type: bind
        source: ./common/config/core/app.conf
        target: /etc/core/app.conf
      # Private key and secret key are bind-mounted from /data/secret.
      - type: bind
        source: /data/secret/core/private_key.pem
        target: /etc/core/private_key.pem
      - type: bind
        source: /data/secret/keys/secretkey
        target: /etc/core/key
      - type: bind
        source: ./common/config/shared/trust-certificates
        target: /harbor_cust_cert
    # Reached by the external nginx as http://harbor-core:8080 over `internal-network`.
    networks:
      - harbor
      - internal-network
    dns_search: .
    depends_on:
      - log
      - registry
      - redis
      - postgresql
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "core"

  portal:
    image: goharbor/harbor-portal:v2.1.2
    container_name: harbor-portal
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - NET_BIND_SERVICE
    volumes:
      - type: bind
        source: ./common/config/portal/nginx.conf
        target: /etc/nginx/nginx.conf
    # Reached by the external nginx as http://harbor-portal:8080 over `internal-network`.
    networks:
      - harbor
      - internal-network
    dns_search: .
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "portal"

  jobservice:
    image: goharbor/harbor-jobservice:v2.1.2
    container_name: harbor-jobservice
    env_file:
      - ./common/config/jobservice/env
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    volumes:
      - /data/job_logs:/var/log/jobs:z
      - type: bind
        source: ./common/config/jobservice/config.yml
        target: /etc/jobservice/config.yml
      - type: bind
        source: ./common/config/shared/trust-certificates
        target: /harbor_cust_cert
    networks:
      - harbor
      - internal-network
    dns_search: .
    depends_on:
      - core
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "jobservice"

  redis:
    image: goharbor/redis-photon:v2.1.2
    container_name: redis
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    volumes:
      - /data/redis:/var/lib/redis
    # Redis stays on the private `harbor` network only, like the database.
    networks:
      harbor:
    dns_search: .
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "redis"

networks:
  # Private network shared by the Harbor containers; created by compose.
  harbor:
    external: false
  # Pre-existing network shared with the standalone nginx container; compose will not create it.
  internal-network:
    external: true
-
Create the corresponding configuration file in the standalone nginx. In the yaml file of the previous step, I explicitly specified
container_name
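, so that the container name is fixed and will not change for external reasons. I copied this configuration file from Harbor's own nginx and adapted it; you can use it directly after replacing the placeholders.
# Plain-HTTP listener: only redirects to HTTPS.
server {
    listen 80;
    server_name your.domain.name;  # placeholder: replace with the Harbor host name
    # Redirect to the fixed host name rather than $host, so a client-supplied Host header cannot steer the redirect.
    return 301 https://your.domain.name$request_uri;
}

# HTTPS listener: terminates TLS and proxies to the Harbor containers by their container_name.
server {
    listen 443 ssl;
    server_name your.domain.name;  # placeholder: replace with the Harbor host name

    # disable any limits to avoid HTTP 413 for large image uploads
    client_max_body_size 0;

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

    # Add extra headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header Content-Security-Policy "frame-ancestors 'none'";

    # Storage path of SSL certificate file (placeholder path); this must be the full-chain certificate,
    # otherwise docker login fails with an X509 error.
    ssl_certificate /etc/nginx/ssl/your.domain.name/full.pem;
    # Storage path of SSL key file (placeholder path); keep it readable by nginx only.
    ssl_certificate_key /etc/nginx/ssl/your.domain.name/key.pem;
    ssl_protocols TLSv1.2;
    ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # Web UI: harbor-portal is resolvable because both containers share internal-network.
    location / {
        proxy_pass http://harbor-portal:8080/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cookie_path / "/; HttpOnly; Secure";
        proxy_buffering off;
        proxy_request_buffering off;
    }

    location /c/ {
        proxy_pass http://harbor-core:8080/c/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cookie_path / "/; Secure";
        proxy_buffering off;
        proxy_request_buffering off;
    }

    location /api/ {
        proxy_pass http://harbor-core:8080/api/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cookie_path / "/; Secure";
        proxy_buffering off;
        proxy_request_buffering off;
    }

    location /chartrepo/ {
        proxy_pass http://harbor-core:8080/chartrepo/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cookie_path / "/; Secure";
        proxy_buffering off;
        proxy_request_buffering off;
    }

    # Legacy v1 registry API is not served.
    location /v1/ {
        return 404;
    }

    # Docker registry v2 API; long timeouts cover large layer pushes and pulls.
    location /v2/ {
        proxy_pass http://harbor-core:8080/v2/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_send_timeout 900;
        proxy_read_timeout 900;
    }

    location /service/ {
        proxy_pass http://harbor-core:8080/service/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cookie_path / "/; Secure";
        proxy_buffering off;
        proxy_request_buffering off;
    }

    # The notification endpoint under /service/ is deliberately not exposed through the proxy.
    location /service/notifications {
        return 404;
    }
}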
The SSL certificate I use here is a wildcard (pan-domain) certificate requested with acme.sh.