Docker basics, private registry series, revisiting Harbor (4): managing the private registry over HTTPS

Author: 全栈程序员站长
Published 2022-09-09 10:23:15

Hello everyone, we meet again; I am your friend 全栈君.

The earlier articles used HTTP, the default. From a security standpoint a container registry in production is normally served over HTTPS, and Harbor integrates the creation and configuration of the required certificates quite simply. This article looks at how to run Harbor over HTTPS.

Step 1: Create the CA

[root@liumiao ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
...........................................................++
......................................................................................................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:LiaoNing
Locality Name (eg, city) [Default City]:DaLian
Organization Name (eg, company) [Default Company Ltd]:DevOps
Organizational Unit Name (eg, section) []:Reg
Common Name (eg, your name or your server's hostname) []:192.168.163.128
Email Address []:liumiaocn@outlook.com
[root@liumiao ~]#

Step 2: Create the certificate signing request (CSR)

[root@liumiao ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout 192.168.163.128.key -out 192.168.163.128.csr
Generating a 4096 bit RSA private key
...........................++
.............................++
writing new private key to '192.168.163.128.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:LiaoNing
Locality Name (eg, city) [Default City]:DaLian
Organization Name (eg, company) [Default Company Ltd]:DevOps
Organizational Unit Name (eg, section) []:Reg
Common Name (eg, your name or your server's hostname) []:192.168.163.128
Email Address []:liumiaocn@outlook.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:liumiaopw
An optional company name []:devops
[root@liumiao ~]# 

Step 3: Create the server certificate

[root@liumiao ~]# echo subjectAltName = IP:192.168.163.128 > extfile.cnf
[root@liumiao ~]# openssl x509 -req -days 365 -in 192.168.163.128.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out 192.168.163.128.crt
Signature ok
subject=/C=CN/ST=LiaoNing/L=DaLian/O=DevOps/OU=Reg/CN=192.168.163.128/emailAddress=liumiaocn@outlook.com
Getting CA Private Key
[root@liumiao ~]#

Step 4: Install the certificate and modify the configuration

Copy the certificate and key to /root/cert; the same path is set in harbor.cfg below. (The listing below shows files named harbor.com.*, while harbor.cfg refers to 192.168.163.128.crt and 192.168.163.128.key; whichever names you use, the paths in harbor.cfg must match the files actually copied.)

[root@liumiao ~]# ls
ca.crt  ca.key  ca.srl  harbor.com.crt  harbor.com.csr  harbor.com.key
[root@liumiao ~]#
[root@liumiao ~]# mkdir -p /root/cert/
[root@liumiao ~]# cp harbor.com.crt /root/cert
[root@liumiao ~]# cp harbor.com.key /root/cert
[root@liumiao ~]# ls /root/cert
harbor.com.crt  harbor.com.key
[root@liumiao ~]#

Change the following settings in harbor.cfg:

| Setting | Value |
|---|---|
| hostname | 192.168.163.128:8848 |
| ui_url_protocol | https |
| ssl_cert | /root/cert/192.168.163.128.crt |
| ssl_cert_key | /root/cert/192.168.163.128.key |

Step 5: Remove the insecure-registry setting

Remove the following option from the dockerd start parameters in Docker's systemd unit file:

--insecure-registry 192.168.163.128

Step 6: Modify docker-compose.yml

In docker-compose.yml, change the host port published for the proxy's HTTPS container port 443 from 443 to 8848:

  proxy:
    image: vmware/nginx-photon:v1.5.2
    container_name: nginx
    restart: always
    volumes:
      - ./common/config/nginx:/etc/nginx:z
    networks:
      - harbor
    ports:
      - 80:80
      - 8848:443
      - 4443:4443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"
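The port in the hostname set in Step 4 has to be the host port that Step 6 publishes for the proxy's container port 443; if the two disagree, the nginx proxy listens on one port while Harbor advertises another. The POSIX shell functions below are an added example, not code from the original post or from the Harbor project; they extract both values and compare them. The harbor.cfg and docker-compose.yml fragments are constructed here from the values used in this post, and the key = value layout assumed for harbor.cfg is the one Harbor 1.x uses.

```shell
#!/bin/sh
# Added example (not from the original post): check that the port in the
# harbor.cfg "hostname" matches the host port docker-compose.yml publishes
# for the proxy's container port 443.

# Write constructed sample files (values taken from this post) into $1.
make_samples() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/harbor.cfg" <<'EOF'
hostname = 192.168.163.128:8848
ui_url_protocol = https
ssl_cert = /root/cert/192.168.163.128.crt
ssl_cert_key = /root/cert/192.168.163.128.key
EOF
  cat > "$dir/docker-compose.yml" <<'EOF'
  proxy:
    image: vmware/nginx-photon:v1.5.2
    ports:
      - 80:80
      - 8848:443
      - 4443:4443
EOF
}

# Port named in the harbor.cfg hostname; HTTPS default 443 when no port is given.
harbor_cfg_port() {
  host=$(sed -n 's/^hostname *= *//p' "$1" | head -n 1 | sed 's/[[:space:]]*$//')
  case "$host" in
    *:*) echo "${host##*:}" ;;
    *)   echo 443 ;;
  esac
}

# Host port that docker-compose.yml maps onto container port 443
# (accepts both "- 8848:443" and the quoted form "- \"8848:443\"").
compose_https_port() {
  sed -n 's/^ *- *"\{0,1\}\([0-9][0-9]*\):443"\{0,1\} *$/\1/p' "$1" | head -n 1
}

# Compare the two; non-zero exit means the configuration is inconsistent.
check_ports() {
  cfg_port=$(harbor_cfg_port "$1/harbor.cfg")
  compose_port=$(compose_https_port "$1/docker-compose.yml")
  [ -n "$compose_port" ] || { echo "no host port is mapped to container port 443"; return 1; }
  [ "$cfg_port" = "$compose_port" ] || {
    echo "mismatch: harbor.cfg hostname uses port $cfg_port, docker-compose.yml publishes $compose_port"
    return 1
  }
  echo "ok: HTTPS port $cfg_port is consistent"
}
```

Run `make_samples /tmp/harbor-check && check_ports /tmp/harbor-check` against the constructed files, or point `check_ports` at the real Harbor installation directory, before running `./prepare`.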

Step 7: Restart Harbor

Stop the running Harbor services

[root@liumiao harbor]# docker-compose down
Stopping harbor-jobservice ... done
Stopping nginx ... done
Stopping harbor-ui ... done
Stopping harbor-adminserver ... done
Stopping registry ... done
Stopping redis ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
Removing harbor-jobservice ... done
Removing nginx ... done
Removing harbor-ui ... done
Removing harbor-adminserver ... done
Removing registry ... done
Removing redis ... done
Removing harbor-db ... done
Removing harbor-log ... done
Removing network harbor_harbor
[root@liumiao harbor]#

Apply the Docker settings

Because the insecure-registry option was removed, reload systemd and restart Docker so the change takes effect

[root@liumiao harbor]# systemctl daemon-reload
[root@liumiao harbor]# systemctl restart docker
[root@liumiao harbor]# 

Run prepare

[root@liumiao harbor]# ./prepare 
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
[root@liumiao harbor]# 

Start Harbor

[root@liumiao harbor]# docker-compose up -d
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... 
Creating harbor-log ... done
Creating redis ... 
Creating registry ... 
Creating harbor-db ... 
Creating harbor-adminserver ... 
Creating harbor-db
Creating redis
Creating registry
Creating registry ... done
Creating harbor-db ... done
Creating harbor-ui ... done
Creating nginx ... 
Creating harbor-jobservice ... 
Creating nginx
Creating nginx ... done
[root@liumiao harbor]#

Verify the result

Verify with docker login

[root@liumiao ~]# docker login 192.168.163.128:8848
Username: admin
Password: 
Login Succeeded
[root@liumiao ~]# 

Alternatively, pass the username and password directly with -u and -p to log in

[root@liumiao ~]# docker logout
Not logged in to https://index.docker.io/v1/
[root@liumiao ~]# docker login -u admin -p liumiaopw 192.168.163.128:8848
Login Succeeded
[root@liumiao ~]#

Verify HTTPS access

[root@liumiao ~]# curl -k -v https://192.168.163.128:8848 
* About to connect() to 192.168.163.128 port 8848 (#0)
*   Trying 192.168.163.128...
* Connected to 192.168.163.128 (192.168.163.128) port 8848 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*   subject: E=liumiaocn@outlook.com,CN=192.168.163.128,OU=Reg,O=DevOps,L=DaLian,ST=LiaoNing,C=CN
*   start date: Aug 19 01:24:44 2018 GMT
*   expire date: Aug 19 01:24:44 2019 GMT
*   common name: 192.168.163.128
*   issuer: E=liumiaocn@outlook.com,CN=192.168.163.128,OU=Reg,O=DevOps,L=DaLian,ST=LiaoNing,C=CN
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.163.128:8848
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx
< Date: Sun, 19 Aug 2018 02:06:02 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 810
< Connection: keep-alive
< Set-Cookie: beegosessionID=34cb9b83a97fe53425657460a1d88a38; Path=/; secure; HttpOnly
< 
<!doctype html>
<html>
...omitted
</html>
* Connection #0 to host 192.168.163.128 left intact
[root@liumiao ~]#

Confirm in the browser

Common errors

As long as the hostname and docker-compose.yml are configured correctly and you did not forget to run prepare, the HTTPS setup itself generally does not fail. The likely failure point is docker login, usually because the CA and certificate steps on the OS and in Docker have not been carried out.

signed by unknown authority

A CA is a commercial verification body, and a CA we sign ourselves is obviously not one that others accept, so we need to add the CA we created to the OS trust list; otherwise an error like the following may appear

[root@liumiao ~]# docker login 192.168.163.128:8848
Username: admin
Password: 
Error response from daemon: Get https://192.168.163.128:8848/v1/users/: x509: certificate signed by unknown authority
[root@liumiao ~]# 

Fix

Add the certificate to the OS trust list

[root@liumiao ~]# chmod 644 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[root@liumiao ~]# cat 192.168.163.128.crt >>/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[root@liumiao ~]# chmod 444 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[root@liumiao ~]# 

Then restart Docker; this usually resolves the problem

parent certificate cannot sign this kind of certificate

[root@liumiao ~]# docker login 192.168.163.128:8848
Username: admin
Password: 
Error response from daemon: Get https://192.168.163.128:8848/v1/users/: x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "192.168.163.128")
[root@liumiao ~]# 

Fix

Add the CA certificate to Docker's trusted certificate path and restart Docker

[root@liumiao ~]# ls
192.168.163.128.crt  192.168.163.128.csr  192.168.163.128.key  ca.crt  ca.key  ca.srl  cert  extfile.cnf
[root@liumiao ~]# mkdir -p /etc/docker/certs.d/192.168.163.128:8848/
[root@liumiao ~]# cp ca.crt /etc/docker/certs.d/192.168.163.128:8848/
[root@liumiao ~]# systemctl restart docker
[root@liumiao ~]#
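The shell script below is an added example, not code from the original post or from the Harbor project. It replays Steps 1 to 3 non-interactively (answering the prompts with -subj), gives the CA a Common Name different from the server's (in the post both carry CN=192.168.163.128, which is why the curl output above shows identical subject and issuer), and adds the checks behind the two docker login errors in this section: that the file being trusted is actually a CA certificate (basicConstraints CA:TRUE, which Go's x509 library, used by the Docker client, requires of any issuer; a certificate without it produces exactly the "parent certificate cannot sign this kind of certificate" message), and that the server certificate chains to that CA and carries the IP subjectAltName the client matches on. The certs.d root is a parameter so a dry run needs no privileges; in production it is /etc/docker/certs.d as in the fix above. The 2048-bit key size and the CA's CN are this example's choices, not the post's.

```shell
#!/bin/sh
# Added example (not from the original post or Harbor): non-interactive
# replay of Steps 1-3 plus the trust checks that explain the docker login
# errors above. Requires the openssl CLI.

# Create CA, CSR and signed server certificate for IP $2 in directory $1.
make_registry_certs() {
  dir="$1"; ip="$2"
  mkdir -p "$dir" || return 1
  # Step 1: self-signed CA. "req -x509" with the stock openssl.cnf marks it CA:TRUE.
  # The CN deliberately differs from the server's so subject and issuer are distinct.
  openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
    -subj "/C=CN/ST=LiaoNing/L=DaLian/O=DevOps/OU=Reg/CN=DevOps Registry CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
  # Step 2: server key and CSR, CN = registry address as in the post.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=CN/ST=LiaoNing/L=DaLian/O=DevOps/OU=Reg/CN=$ip" \
    -keyout "$dir/$ip.key" -out "$dir/$ip.csr" 2>/dev/null || return 1
  # Step 3: sign with the SAN the client verifies against, and mark the
  # leaf explicitly as not a CA so it can never be mistaken for one.
  printf 'subjectAltName = IP:%s\nbasicConstraints = CA:FALSE\n' "$ip" > "$dir/extfile.cnf"
  openssl x509 -req -days 365 -in "$dir/$ip.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/extfile.cnf" -out "$dir/$ip.crt" 2>/dev/null || return 1
}

# Is this PEM certificate usable as a trust anchor? Go's x509 refuses to
# build a chain through a certificate that is not CA:TRUE; trusting the
# server certificate instead of ca.crt therefore fails with
# "parent certificate cannot sign this kind of certificate".
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Does the server certificate chain to the CA and carry the expected IP SAN?
verify_server_cert() {
  ca="$1"; crt="$2"; ip="$3"
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$crt" -noout -text | grep -q "IP Address:$ip"
}

# Stage the CA where dockerd looks for it: <root>/<host:port>/ca.crt.
# $1 is the certs.d root (/etc/docker/certs.d in production, any writable
# directory for a dry run), $2 the registry address including the port.
install_docker_trust() {
  root="$1"; registry="$2"; ca="$3"
  is_ca_cert "$ca" || { echo "refusing: $ca is not a CA certificate" >&2; return 1; }
  mkdir -p "$root/$registry" && cp "$ca" "$root/$registry/ca.crt"
}
```

A full dry run is `make_registry_certs ./pki 192.168.163.128 && verify_server_cert ./pki/ca.crt ./pki/192.168.163.128.crt 192.168.163.128 && install_docker_trust ./certs.d 192.168.163.128:8848 ./pki/ca.crt`; `install_docker_trust` refuses the server certificate, which is the mistake that turns the first docker login error into the second one.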

References

https://github.com/goharbor/harbor/blob/master/docs/configure_https.md

Publisher: 全栈程序员栈长. Please credit the source when reposting: https://javaforall.cn/161296.html. Original link: https://javaforall.cn
