大家好,又见面了,我是你们的朋友全栈君。
在前面的介绍中,缺省使用了http的方式,而考虑安全的角度,容器的仓库在生产环境中往往被设定为https的方式,而harbor将这些证书的创建和设定都进行了简单的集成,这篇文章来看一下在harbor下如何使用https的方式。
[root@liumiao ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
...........................................................++
......................................................................................................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:LiaoNing
Locality Name (eg, city) [Default City]:DaLian
Organization Name (eg, company) [Default Company Ltd]:DevOps
Organizational Unit Name (eg, section) []:Reg
Common Name (eg, your name or your server's hostname) []:192.168.163.128
Email Address []:liumiaocn@outlook.com
[root@liumiao ~]#
[root@liumiao ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout 192.168.163.128.key -out 192.168.163.128.csr
Generating a 4096 bit RSA private key
...........................++
.............................++
writing new private key to '192.168.163.128.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:LiaoNing
Locality Name (eg, city) [Default City]:DaLian
Organization Name (eg, company) [Default Company Ltd]:DevOps
Organizational Unit Name (eg, section) []:Reg
Common Name (eg, your name or your server's hostname) []:192.168.163.128
Email Address []:liumiaocn@outlook.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:liumiaopw
An optional company name []:devops
[root@liumiao ~]#
[root@liumiao ~]# echo subjectAltName = IP:192.168.163.128 > extfile.cnf
[root@liumiao ~]# openssl x509 -req -days 365 -in 192.168.163.128.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out 192.168.163.128.crt
Signature ok
subject=/C=CN/ST=LiaoNing/L=DaLian/O=DevOps/OU=Reg/CN=192.168.163.128/emailAddress=liumiaocn@outlook.com
Getting CA Private Key
[root@liumiao ~]#
将证书拷贝到/root/cert, 后面将harbor.cfg中的路径也同样设定
[root@liumiao ~]# ls
ca.crt ca.key ca.srl harbor.com.crt harbor.com.csr harbor.com.key
[root@liumiao ~]#
[root@liumiao ~]# mkdir -p /root/cert/
[root@liumiao ~]# cp harbor.com.crt /root/cert
[root@liumiao ~]# cp harbor.com.key /root/cert
[root@liumiao ~]# ls /root/cert
harbor.com.crt harbor.com.key
[root@liumiao ~]#
修改harbor.cfg的如下设定:
设定项 | 设定值 |
---|---|
hostname | 192.168.163.128:8848 |
ui_url_protocol | https |
ssl_cert | /root/cert/192.168.163.128.crt |
ssl_cert_key | /root/cert/192.168.163.128.key |
从docker的systemd设定文件的dockerd的启动参数中,删除如下设定:
--insecure-registry 192.168.163.128
修改docker-compose.yml,https宿主端口443 -> 8848
proxy:
image: vmware/nginx-photon:v1.5.2
container_name: nginx
restart: always
volumes:
- ./common/config/nginx:/etc/nginx:z networks:
- harbor ports:
- 80:80 - 8848:443 - 4443:4443 depends_on:
- mysql - registry - ui - log logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "proxy
[root@liumiao harbor]# docker-compose down
Stopping harbor-jobservice ... done
Stopping nginx ... done
Stopping harbor-ui ... done
Stopping harbor-adminserver ... done
Stopping registry ... done
Stopping redis ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
Removing harbor-jobservice ... done
Removing nginx ... done
Removing harbor-ui ... done
Removing harbor-adminserver ... done
Removing registry ... done
Removing redis ... done
Removing harbor-db ... done
Removing harbor-log ... done
Removing network harbor_harbor
[root@liumiao harbor]#
因为删除了insecure registry的设定,所以需要sytemd的命令使之起效
[root@liumiao harbor]# systemctl daemon-reload
[root@liumiao harbor]# systemctl restart docker
[root@liumiao harbor]#
[root@liumiao harbor]# ./prepare
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
[root@liumiao harbor]#
[root@liumiao harbor]# docker-compose up -d
Creating network "harbor_harbor" with the default driver
Creating harbor-log ...
Creating harbor-log ... done
Creating redis ...
Creating registry ...
Creating harbor-db ...
Creating harbor-adminserver ...
Creating harbor-db
Creating redis
Creating registry
Creating registry ... done
Creating harbor-db ... done
Creating harbor-ui ... done
Creating nginx ...
Creating harbor-jobservice ...
Creating nginx
Creating nginx ... done
[root@liumiao harbor]#
使用docker login确认
[root@liumiao ~]# docker login 192.168.163.128:8848
Username: admin
Password:
Login Succeeded
[root@liumiao ~]#
或者使用-u和-p结合直接输入用户名和密码进行login
[root@liumiao ~]# docker logout
Not logged in to https://index.docker.io/v1/
[root@liumiao ~]# docker login -u admin -p liumiaopw 192.168.163.128:8848
Login Succeeded
[root@liumiao ~]#
确认https的访问
[root@liumiao ~]# curl -k -v https://192.168.163.128:8848
* About to connect() to 192.168.163.128 port 8848 (#0)
* Trying 192.168.163.128...
* Connected to 192.168.163.128 (192.168.163.128) port 8848 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: E=liumiaocn@outlook.com,CN=192.168.163.128,OU=Reg,O=DevOps,L=DaLian,ST=LiaoNing,C=CN
* start date: Aug 19 01:24:44 2018 GMT
* expire date: Aug 19 01:24:44 2019 GMT
* common name: 192.168.163.128
* issuer: E=liumiaocn@outlook.com,CN=192.168.163.128,OU=Reg,O=DevOps,L=DaLian,ST=LiaoNing,C=CN
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.163.128:8848
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Sun, 19 Aug 2018 02:06:02 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 810
< Connection: keep-alive
< Set-Cookie: beegosessionID=34cb9b83a97fe53425657460a1d88a38; Path=/; secure; HttpOnly
<
<!doctype html>
<html>
...省略
</html>
* Connection #0 to host 192.168.163.128 left intact
[root@liumiao ~]#
页面确认
一般来说https的方式只要hostname/docker-compose.yml配置正确,prepare没有忘记执行,一般来说不会出错,出错的大概率可能在于docker login,一般因为一般需要设定OS和docker中的ca和证书操作未执行的缘故。
CA是收费验证的机构,而这里我们自己签的显然不是其他人所能接受的,所以我们需要将我们做的CA添加到信任OS的信任列表中,不然可能会出现诸如如下的错误信息
[root@liumiao ~]# docker login 192.168.163.128:8848
Username: admin
Password:
Error response from daemon: Get https://192.168.163.128:8848/v1/users/: x509: certificate signed by unknown authority
[root@liumiao ~]#
将证书添加到OS信任的列表中即可
[root@liumiao ~]# chmod 644 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[root@liumiao ~]# cat 192.168.163.128.crt >>/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[root@liumiao ~]# chmod 444 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[root@liumiao ~]#
然后重启docker,这个问题一般即可解决
[root@liumiao ~]# docker login 192.168.163.128:8848
Username: admin
Password:
Error response from daemon: Get https://192.168.163.128:8848/v1/users/: x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "192.168.163.128")
[root@liumiao ~]#
将ca证书添加到docker信任路径下,并重启docker即可
[root@liumiao ~]# ls
192.168.163.128.crt 192.168.163.128.csr 192.168.163.128.key ca.crt ca.key ca.srl cert extfile.cnf
[root@liumiao ~]# mkdir -p /etc/docker/certs.d/192.168.163.128:8848/
[root@liumiao ~]# cp ca.crt /etc/docker/certs.d/192.168.163.128:8848/
[root@liumiao ~]# systemctl restart docker
[root@liumiao ~]#
https://github.com/goharbor/harbor/blob/master/docs/configure_https.md
发布者:全栈程序员栈长,转载请注明出处:https://javaforall.cn/161296.html原文链接:https://javaforall.cn