Docker Harbor

使用开源项目Harbor搭建私有镜像仓,包含:

  • https访问
  • 主从同步
  • 使用Notary实现镜像签名
  • 使用Clair实现镜像扫描

2 需要

2.1 软件要求

  • Python(>=2.7)
  • Docker engine(>=1.10)
  • Docker-compose(>=1.6.0)
  • OpenSSL

2.2 下载Harbor

下载地址: https://github.com/vmware/harbor/releases 有Online和Offline版本。

2.3 配置安装

修改harbor/harbor.cfg,至少需要修改访问的地址或域名,这里修改成reg.ziwu.com。 然后安装:

sudo ./install.sh

详细安装参看: https://github.com/vmware/harbor/blob/master/docs/installation_guide.md

2.4 Http访问

通过修改hosts,然后浏览器http://reg.ziwu.com访问,默认管理员的初始帐号密码是admin,Harbor12345

3 自签名证书Https访问

使用自签名的CA证书,https访问。

3.1 创建自签名的CA证书

  openssl req 
    -newkey rsa:4096 -nodes -sha256 -keyout ca.key 
    -x509 -days 365 -out ca.crt

3.2 创建reg.ziwu.com的证书签名请求

csr(Certificate Signing Request):

 openssl req 
    -newkey rsa:4096 -nodes -sha256 -keyout reg.ziwu.com.key 
    -out reg.ziwu.com.csr

3.3 创建reg.ziwu.com的证书

  openssl x509 -req -days 365 -in reg.ziwu.com.csr -CA ca.crt -CAkey 
  ca.key -CAcreateserial -out reg.ziwu.com.crt

3.4 修改配置

这里把reg.ziwu.com.keyreg.ziwu.com.crt,移动到了/root/cert目录下,修改harbor.cfg

#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = https
略
#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /root/cert/reg.ziwu.com.crt
ssl_cert_key = /root/cert/reg.ziwu.com.key

3.5 重启访问

./prepare # 生成Harbor用的配置文档
docker-compose down # down之前的
docker-compose up -d # up现在的

因为使用的自签名的CA证书,这里添加例外(浏览器上面说了很多原因,其中Common Name也不匹配,reg.ziwu.com和Ziwu),然后浏览器就可以Https访问了。
docker login默认也是https访问,所以也要有类似浏览器这样添加例外的操作,只不过只是信任自签名的CA,方法如下: 创建这样的目录,/etc/docker/certs.d/reg.ziwu.com,并将ca证书拷贝进去,这样Common Name不一致也是会报错的,报错信息如下:

sudo docker login reg.ziwu.com
Username (admin): admin
Password: 
Error response from daemon: Get https://reg.ziwu.com/v2/: x509: certificate is valid for Ziwu, not reg.ziwu.com

解决方法是重新生产业务证书或更改harbor的访问域名,解决之后就可以登录了。

sudo docker login reg.ziwu.com
Username (admin): admin
Password: 
Login Succeeded

还需要在系统层面添加信任的(根)证书,notary_server使用的,不这样会报下列错误(Error: error contacting notary server: x509: certificate signed by unknown authority ): On Ubuntu:

cp reg.ziwu.com.crt /usr/local/share/ca-certificates/reg.ziwu.com.crt
update-ca-certificates
### 下面是输出提示,一开始配置的是CA证书
(Certificate added: C=CN, S=Sichuan, L=Mianyang, O=SSC, OU=Security, CN=reg.ziwu.com
1 new root certificates were added to your trust store.
Import process completed.)

On Red Hat(例如CentOS):

cp reg.ziwu.com.crt /etc/pki/ca-trust/source/anchors/reg.ziwu.com.crt
update-ca-trust

详细参看:https://github.com/vmware/harbor/blob/master/docs/configure_https.md

4 Notary镜像签名

https不能保证publisher上传镜像之后,这个镜像不会被修改。使用Notary对镜像进行签名来保证镜像的安全。

4.1 安装带有Notary的Harbor

sudo ./install.sh --with-notary

4.2 上传镜像,并签名

启用docker content trust后,最直观的感受就是,docker pull时,只会拉取签了名的镜像。Notary则是实现镜像签名、存储数据的开源项目。 详细参看: docker content trustNotary

# 标记镜像
sudo docker tag python reg.ziwu.com/library/python:signed

# 环境变量
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://reg.ziwu.com:4443

# 注意sudo -E
sudo -E docker push reg.ziwu.com/library/python:signed
The push refers to repository [reg.ziwu.com/library/python]
02121f51cd48: Layer already exists 
f8668ad6fec5: Layer already exists 
2b58ed0f261e: Layer already exists 
09fc3edb847c: Layer already exists 
6b60013e5875: Layer already exists 
d6335a641f5e: Layer already exists 
5c33df241050: Layer already exists 
ffc4c11463ee: Layer already exists 
signed: digest: sha256:aa237a797b57fdccd2f4f2203116837d7c84cb48693338d4bb89a7c8e4a9668a size: 2011
Signing and pushing trust metadata
You are about to create a new root signing key passphrase. This passphrase
will be used to protect the most sensitive key in your signing system. Please
choose a long, complex passphrase and be careful to keep the password and the
key file itself secure and backed up. It is highly recommended that you use a
password manager to generate the passphrase and keep it safe. There will be no
way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID b78c710: 
Repeat passphrase for new root key with ID b78c710: 
Enter passphrase for new repository key with ID 6464e8a: 
Repeat passphrase for new repository key with ID 6464e8a: 
Finished initializing "reg.ziwu.com/library/python"
Successfully signed reg.ziwu.com/library/python:signed

之后,Harbor上就会显示已签名的勾。

5 Clair镜像扫描

Clair是静态的漏洞分析开源项目,可以检测docker的镜像中包含哪些CVE漏洞。 详细参看:Clair

配置可以自定义扫描规则:

python:signed扫描的结果如下:

6 主从同步

在其一台Harbor,复制配置里设置策略就行,还没使用,详细暂略。

7 邮箱服务器

配置邮箱服务器用于修改密码,下面以QQ邮箱为例子。

7.1 QQ邮箱申请授权码

设置-账户:

开通第一个和第二个都行,只用smtp发送邮件。然后,会得到16位的授权码。

7.2 Harbor中配置

如下配置:
注意邮件用户名和来源要一致,否则会报下列错误:

7.3 修改密码

然后就可以在Harbor首页修改密码了,填写邮箱会收到上述配置的邮箱([email protected])发送的修改密码的链接了。

修改密码后,之前的链接就不能再次修改了: