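Deploying and Upgrading Harbor over HTTPS
Author: 还行少年
This article briefly walks through deploying and upgrading Harbor: installing Docker, configuring HTTPS, deploying Harbor and testing it. A minor-version upgrade is done by taking a backup and then replacing the installation; a major-version upgrade additionally requires attention to compatibility and follows the same backup, replace and test steps.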
I. Deploying Harbor
1. Install Docker
# Permanently disable SELinux (takes effect after a reboot)
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0
# Stop the firewall and disable it at boot
systemctl stop firewalld.service &> /dev/null
systemctl disable firewalld.service &> /dev/null
# Configure the yum repository and install the required components
yum install -y yum-utils device-mapper-persistent-data lvm2
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# List the available Docker versions
yum list docker-ce --showduplicates
# Install a stable version (pinned here to 20.10.17)
yum install 3:docker-ce-20.10.17-3.el7.x86_64 -y
# Configure the registry mirror, the image registry and the Docker data directory
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://7w5yqlyj.mirror.aliyuncs.com"],
  "insecure-registries": ["http://docker.hanweb.com"],
  "graph": "/data/dockerdata/docker"
}
EOF
# Start Docker
sudo systemctl daemon-reload
sudo systemctl start docker
systemctl enable docker
2. Configure HTTPS access to Harbor (optional)
# Generate the CA private key
openssl genrsa -out ca.key 4096
# Generate the CA certificate
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.com" -key ca.key -out ca.crt
# Generate the server private key
openssl genrsa -out harbor.com.key 4096
# Generate the certificate signing request
openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.com" -key harbor.com.key -out harbor.com.csr
# Generate the x509 v3 extension file
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor.com
DNS.2=harbor
EOF
# Use v3.ext to issue the certificate for the Harbor host
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.com.csr -out harbor.com.crt
# Convert the .crt file to a .cert file for Docker
openssl x509 -inform PEM -in harbor.com.crt -out harbor.com.cert
# Copy the server certificate, key and CA file into the Docker certificate folder on the Harbor host
mkdir -p /etc/docker/certs.d/harbor.com/
cp harbor.com.cert harbor.com.key ca.crt /etc/docker/certs.d/harbor.com/
# Copy the server certificate and key to the path harbor.yml points to in step 4
mkdir -p /data/cert
cp harbor.com.crt harbor.com.key /data/cert/
# Restart Docker
systemctl restart docker
3. Install docker-compose
# Download docker-compose
wget https://github.com/docker/compose/releases/download/v2.10.2/docker-compose-linux-x86_64
# Move it to /usr/local/bin and make it executable
mv docker-compose-linux-x86_64 /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
4. Install Harbor
# Download the installer package
wget https://github.com/goharbor/harbor/releases/download/v1.8.6/harbor-offline-installer-v1.8.6.tgz
# Extract it
tar xf harbor-offline-installer-v1.8.6.tgz
cd harbor
# Create the Harbor data directory
mkdir -p /data/harbor
# Edit harbor.yml; the effective settings after editing (comments and blank lines stripped) are:
grep -v "#" harbor.yml | sed '/^[ ]*$/d'
hostname: harbor.com
http:
  port: 80
https:
  port: 443
  certificate: /data/cert/harbor.com.crt
  private_key: /data/cert/harbor.com.key
harbor_admin_password: Harbor12345
database:
  password: root123
data_volume: /data/harbor
clair:
  updaters_interval: 12
  http_proxy:
  https_proxy:
  no_proxy: 127.0.0.1,localhost,core,registry
jobservice:
  max_job_workers: 10
chart:
  absolute_url: disabled
log:
  level: info
  rotate_count: 50
  rotate_size: 200M
  location: /var/log/harbor
_version: 1.8.0
# Run the install script
./install.sh
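Harbor12345 and root123 in the harbor.yml above are the values the installer ships with, so they are worth catching before ./install.sh is run. The following is an added example, not part of the original article: a small pre-install audit that flags those defaults and a missing https certificate or key. The function names yml_get and audit_harbor_yml and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): flag shipped defaults in a harbor.yml.

# yml_get FILE SECTION KEY -> value of KEY under top-level SECTION
# (SECTION "" means a top-level key). Handles Harbor's two-level layout only.
yml_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        /^[^ \t]/ { cur = $0; sub(/:.*/, "", cur); nested = 0 }
        /^[ \t]/  { nested = 1 }
        {
            k = $0; sub(/^[ \t]+/, "", k); v = k
            sub(/:.*/, "", k); sub(/^[^:]*:[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (k == key && ((sec == "" && !nested) || (nested && cur == sec))) {
                print v; exit
            }
        }' "$1"
}

# audit_harbor_yml FILE -> prints one finding per line; returns 1 if any.
audit_harbor_yml() {
    f=$1; rc=0
    if [ "$(yml_get "$f" "" harbor_admin_password)" = "Harbor12345" ]; then
        echo "harbor_admin_password: installer default (Harbor12345)"; rc=1
    fi
    if [ "$(yml_get "$f" database password)" = "root123" ]; then
        echo "database.password: installer default (root123)"; rc=1
    fi
    if [ -z "$(yml_get "$f" https certificate)" ] ||
       [ -z "$(yml_get "$f" https private_key)" ]; then
        echo "https: certificate/private_key not set, registry is HTTP only"; rc=1
    fi
    return "$rc"
}

# Constructed sample mirroring the settings shown in this article.
sample=$(mktemp)
cat > "$sample" <<'EOF'
hostname: harbor.com
https:
  port: 443
  certificate: /data/cert/harbor.com.crt
  private_key: /data/cert/harbor.com.key
harbor_admin_password: Harbor12345
database:
  password: root123
EOF
audit_harbor_yml "$sample" || echo "harbor.yml needs changes before ./install.sh"
rm -f "$sample"
```

Against the real file the call is `audit_harbor_yml harbor.yml`, run from the extracted installer directory.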
5. Testing
[root@harbor harbor]# docker login https://harbor.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@harbor harbor]# docker pull cirros
Using default tag: latest
latest: Pulling from library/cirros
d0b405be7a32: Pull complete
bd054094a037: Pull complete
c6a00de1ec8a: Pull complete
Digest: sha256:1e695eb2772a2b511ccab70091962d1efb9501fdca804eb1d52d21c0933e7f47
Status: Downloaded newer image for cirros:latest
docker.io/library/cirros:latest
[root@harbor harbor]# docker tag cirros:latest harbor.com/public/cirros:test
[root@harbor harbor]# docker push harbor.com/public/cirros:test
The push refers to repository [harbor.com/public/cirros]
984ad441ec3d: Pushed
f0a496d92efa: Pushed
e52d19c3bee2: Pushed
test: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943
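II. Minor-Version Upgrade of Harbor
1. Stop the current Harbor instance and back it up
# Stop the Harbor instance
cd /opt/harbor
docker-compose down
# Back up the Harbor installation directory
cd /opt
mkdir -p back_harbor
mv harbor back_harbor/harbor1.8.6
# Back up the database and data (-a keeps ownership, modes and timestamps; "/." also copies hidden files)
mkdir /data/harbor1.8.6
cp -a /data/harbor/. /data/harbor1.8.6/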
2. Install the new Harbor version
# Download the new installer package
wget https://github.com/goharbor/harbor/releases/download/v1.10.7/harbor-offline-installer-v1.10.7.tgz
# Extract the installer package
tar xf harbor-offline-installer-v1.10.7.tgz
cd harbor
# Load the new images
docker load -i harbor.v1.10.7.tar.gz
# Migrate the harbor.yml file
cp -a /opt/back_harbor/harbor1.8.6/harbor.yml /data/
docker run -it --rm -v /data/harbor.yml:/harbor-migration/harbor-cfg/harbor.yml goharbor/harbor-migrator:v1.10.7 --cfg up
# Start with the new harbor.yml
cp -a /data/harbor.yml /opt/harbor
./install.sh
3. Testing
[root@harbor harbor]# docker rmi harbor.com/public/cirros:test
Untagged: harbor.com/public/cirros:test
Untagged: harbor.com/public/cirros@sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22
[root@harbor harbor]# docker pull harbor.com/public/cirros:test
test: Pulling from public/cirros
Digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22
Status: Downloaded newer image for harbor.com/public/cirros:test
harbor.com/public/cirros:test
[root@harbor harbor]# docker tag harbor.com/public/cirros:test harbor.com/public/cirros:test2
[root@harbor harbor]# docker login harbor.com
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@harbor harbor]# docker push harbor.com/public/cirros:test2
The push refers to repository [harbor.com/public/cirros]
984ad441ec3d: Layer already exists
f0a496d92efa: Layer already exists
e52d19c3bee2: Layer already exists
test2: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943
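4. Rollback
# Stop Harbor
docker-compose down
# Remove the current Harbor instance
cd ..
rm -rf harbor
# Restore the old version's installation directory from the backup
mv back_harbor/harbor1.8.6 harbor
# Restore the old version's database
rm -rf /data/harbor
mv /data/harbor1.8.6 /data/harbor
# Reinstall Harbor
cd harbor
./install.sh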
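III. Major-Version Upgrade
1. Stop the current Harbor instance and back it up
# Stop the Harbor instance
cd /opt/harbor
docker-compose down
# Back up the Harbor installation directory
cd /opt
mkdir -p back_harbor
mv harbor back_harbor/harbor1.10.7
# Back up the database and data (-a keeps ownership, modes and timestamps; "/." also copies hidden files)
mkdir /data/harbor1.10.7
cp -a /data/harbor/. /data/harbor1.10.7/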
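The rollback path depends entirely on the data-directory copy made in step 1 of both upgrade sections, and a copy that is incomplete or has lost file modes or ownership only shows up when the rollback is attempted. The following is an added example, not part of the original article: it compares a per-file manifest (SHA-256, mode, owner) of the live data directory and its backup before the upgrade continues. The function names and the demo tree are constructed; GNU or busybox stat and sha256sum are assumed.

```sh
#!/bin/sh
# Added example (not from the article): confirm a Harbor data backup is a
# faithful copy before the upgrade touches the original data directory.

# manifest DIR -> "sha256 mode uid:gid ./relative/path" per regular file,
# sorted by path. Directories and symlinks are not covered.
manifest() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort | while IFS= read -r p; do
        printf '%s %s %s\n' "$(sha256sum < "$p" | cut -d' ' -f1)" \
            "$(stat -c '%a %u:%g' "$p")" "$p"
    done )
}

# verify_backup SRC DST -> 0 if identical, 1 plus the differing entries
# otherwise, 2 if either directory cannot be read.
verify_backup() {
    a=$(mktemp) b=$(mktemp)
    manifest "$1" > "$a" && manifest "$2" > "$b" || { rm -f "$a" "$b"; return 2; }
    if diff "$a" "$b" > /dev/null; then
        echo "backup verified: $(wc -l < "$a") files match"; st=0
    else
        diff "$a" "$b" | grep '^[<>]'; st=1      # "<" source, ">" backup
    fi
    rm -f "$a" "$b"
    return "$st"
}

# Constructed demo tree standing in for /data/harbor and its backup copy.
demo=$(mktemp -d)
mkdir -p "$demo/harbor/database" "$demo/harbor/registry"
echo 9.6 > "$demo/harbor/database/PG_VERSION"
echo blob > "$demo/harbor/registry/layer"
chmod 600 "$demo/harbor/database/PG_VERSION"
cp -a "$demo/harbor" "$demo/harbor1.10.7"
verify_backup "$demo/harbor" "$demo/harbor1.10.7"
# A changed mode on the backup side is reported as a mismatch.
chmod 644 "$demo/harbor1.10.7/database/PG_VERSION"
verify_backup "$demo/harbor" "$demo/harbor1.10.7" || echo "backup differs: do not upgrade yet"
rm -rf "$demo"
```

On the host from this article the call would be `verify_backup /data/harbor /data/harbor1.10.7`, run as root after the copy and before the new installer is started.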
2. Install the new Harbor version
# Download the new installer package
wget https://github.com/goharbor/harbor/releases/download/v2.6.0/harbor-offline-installer-v2.6.0.tgz
# Extract the installer package
tar xf harbor-offline-installer-v2.6.0.tgz
cd harbor
# Load the new images
docker load -i harbor.v2.6.0.tar.gz
# Migrate the harbor.yml file
docker run -it --rm -v /:/hostfs goharbor/prepare:v2.6.0 migrate -i /opt/back_harbor/harbor1.10.7/harbor.yml -o /data/harbor.yml
# Start with the new harbor.yml
cp -a /data/harbor.yml /opt/harbor
./install.sh
3. Testing
[root@harbor harbor]# docker tag harbor.com/public/cirros:test harbor.com/public/cirros:test3
[root@harbor harbor]# docker login harbor.com
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@harbor harbor]# docker push harbor.com/public/cirros
harbor.com/public/cirros        harbor.com/public/cirros:test   harbor.com/public/cirros:test2  harbor.com/public/cirros:test3
[root@harbor harbor]# docker push harbor.com/public/cirros:test3
The push refers to repository [harbor.com/public/cirros]
984ad441ec3d: Layer already exists
f0a496d92efa: Layer already exists
e52d19c3bee2: Layer already exists
test3: digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22 size: 943
[root@harbor harbor]# docker rmi harbor.com/public/cirros:test3
Untagged: harbor.com/public/cirros:test3
[root@harbor harbor]# docker pull harbor.com/public/cirros:test3
test3: Pulling from public/cirros
Digest: sha256:483f15ac97d03dc3d4dcf79cf71ded2e099cf76c340f3fdd0b3670a40a198a22
Status: Downloaded newer image for harbor.com/public/cirros:test3
harbor.com/public/cirros:test3
Summary
The above is my personal experience. I hope it serves as a useful reference, and I hope you will continue to support 脚本之家.