In this post we are going to learn about the Harbor registry and how we can use it in our cloud compute platforms.
Let's get started.
What is Harbor?
Harbor is an open source registry that secures artifacts with policies and role-based access control, ensures images are scanned and free from vulnerabilities, and signs images as trusted. Harbor, a CNCF Graduated project, delivers compliance, performance, and interoperability to help you consistently and securely manage artifacts across cloud native compute platforms like Kubernetes and Docker.
Harbor Installation and Configuration:
The standard Harbor installation process involves the following stages:
- Make sure that your target host meets the Harbor Installation Prerequisites.
- Configure the hardware and software components and download the Harbor installer.
- Configure the certificates.
- Run the script (docker-compose).
To deploy Harbor, the minimum and recommended hardware configurations and the required software versions are as follows.
Hardware:
Software:
2. Configure hardware and software components:
Hardware:
To download the Harbor installer we need a host. For this I used a GCP CentOS instance with the minimum hardware configuration from the table above, for demo purposes.
For the disk we can use a GCP mount point, or we can create our own disk partition and use it. In my case I created a disk from GCP by editing the instance; I took the disk as sdb and allocated 40 GB.
Then follow the steps below to create the PV, VG and LV.
Go to the Linux server created in GCP and run the commands below:
yum install lvm2*
fdisk /dev/sdb
fdisk -l /dev/sdb
pvcreate /dev/sdb1
vgcreate harborvg /dev/sdb1
lvcreate -l 100%VG -n reglv harborvg
lsblk
lvs
mkfs.xfs /dev/harborvg/reglv
mkdir /data
vi /etc/fstab (and add the line: /dev/harborvg/reglv /data xfs defaults 0 0, then save and exit)
mount -a
[root@harbor-instance ~]# df -kh
Software Versions:
Docker-Engine
Follow the steps below to install Docker. In my case I installed Docker version docker-ce-19.03.0-3.el7.x86_64.
- yum install -y yum-utils device-mapper-persistent-data lvm2
- yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
- For a specific Docker version: yum search --show-duplicates docker-ce
- yum install docker-ce-19.03.0-3.el7.x86_64
- systemctl start docker
- systemctl enable docker
Docker-Compose
Follow the steps below to install Docker Compose. In my case I installed Docker Compose version 1.23.2.
Execute the commands:
curl -L "https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
OpenSSL
We have to install some required packages to install OpenSSL
yum install make gcc perl pcre-devel zlib-devel
yum install wget
wget https://ftp.openssl.org/source/old/1.1.1/openssl-1.1.1.tar.gz
tar xvf openssl-1.1.1.tar.gz
cd openssl-1.1.1/
Then configure the build using ./config. You have to pass some parameters, such as the prefix under which OpenSSL will be installed.
./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic
Now, begin compilation
make
make test
make install
Now the hardware and software installations are done.
Also make sure to open the network ports. Harbor requires that the following ports be open on the target host:
443, 4443, 80. In my case I created a firewall rule and provided access to these ports.
Download the Harbor Installer
Go to https://github.com/goharbor/harbor/releases and select the version that you want to install. In my case I'm using the link below.
Run the commands below from the /data mount:
wget https://github.com/goharbor/harbor/releases/download/v2.0.2/harbor-online-installer-v2.0.2.tgz
tar -xvzf harbor-online-installer-v2.0.2.tgz
mv harbor-online-installer-v2.0.2.tgz /opt/installers/
3. Configure HTTPS Access to Harbor
Harbor does not ship with certificates by default. It can be run over HTTP in non-production environments, but this is not recommended for production, because plain HTTP leaves the registry exposed to man-in-the-middle attacks. To configure HTTPS, we must create SSL certificates. We can use certificates that are signed by a trusted third-party CA, or we can use self-signed certificates.
In a production environment, we should obtain a certificate from a CA. In a test or development environment, we can generate our own CA.
To generate a CA certificate, run the following commands.
Go to the /data mount which we created.
Create a folder named certs under the /data mount.
I'm using my DNS name as the FQDN: harbor.sra1k8s.xyz
Generate a CA private key.
openssl genrsa -out ca.key 4096
Generate the self-signed CA certificate.
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=In/L=Karnataka/O=cloud/OU=Personal/CN=sra1k8s.xyz" \
-key ca.key \
-out ca.crt
Generate the server-side key and certificate.
openssl genrsa -out harbor.sra1k8s.xyz.key 4096
Create a CSR for the server domain.
openssl req -sha512 -new \
-subj "/C=CN/ST=IN/L=Karnataka/O=cloud/OU=Personal/CN=harbor.sra1k8s.xyz" \
-key harbor.sra1k8s.xyz.key \
-out harbor.sra1k8s.xyz.csr
Now generate an x509 v3 extension file.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.sra1k8s.xyz
DNS.2=harbor.sra1k8s
DNS.3=harbor-instance
EOF
Use the CA to sign the CSR and generate the certificate for our domain.
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in harbor.sra1k8s.xyz.csr \
-out harbor.sra1k8s.xyz.crt
Provide the Certificates to Harbor and Docker
Create the folder structure /etc/docker/certs.d/harbor.sra1k8s.xyz/
Then convert harbor.sra1k8s.xyz.crt to harbor.sra1k8s.xyz.cert for use by Docker. The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates. Use the command below to convert.
openssl x509 -inform PEM -in harbor.sra1k8s.xyz.crt -out harbor.sra1k8s.xyz.cert
Now copy the certs ca.crt, harbor.sra1k8s.xyz.cert and harbor.sra1k8s.xyz.key to /etc/docker/certs.d/harbor.sra1k8s.xyz/
Restart Docker Engine.
systemctl restart docker
Go to the /data/harbor path and copy harbor.yml.tmpl to harbor.yml
vi harbor.yml
Edit the details shown below:
hostname: harbor.sra1k8s.xyz   # your domain
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/certs/harbor.sra1k8s.xyz.crt
  private_key: /data/certs/harbor.sra1k8s.xyz.key
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345   # this is the default; we can change it
Save & Quit.
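Before running prepare, the edited harbor.yml and the certificates created above can be checked against each other. The script below is an added example, not part of the original post or of the Harbor installer; the names yml_get and harbor_preflight and the 30-day expiry threshold are assumptions of this example.

```bash
#!/usr/bin/env bash
# Pre-flight check for harbor.yml, to run before ./prepare (added example).
# yml_get and harbor_preflight are this example's own names, not Harbor tooling.

# Print the value of the first uncommented "key: value" line in a YAML file.
yml_get() {  # usage: yml_get <file> <key>
  sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | head -n 1
}

harbor_preflight() {  # usage: harbor_preflight <harbor.yml> [ca.crt]
  local yml="$1" ca="${2:-}" host cert key rc=0
  host=$(yml_get "$yml" hostname)
  cert=$(yml_get "$yml" certificate)
  key=$(yml_get "$yml" private_key)

  # 1. The admin password must not be the default from harbor.yml.tmpl.
  if [ "$(yml_get "$yml" harbor_admin_password)" = "Harbor12345" ]; then
    echo "FAIL: harbor_admin_password is still the default"; rc=1
  fi
  # 2. The https section must point at readable files.
  if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
    echo "FAIL: certificate or private_key is missing"; return 1
  fi
  # 3. The private key must belong to the certificate (same public key).
  if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != \
       "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "FAIL: private_key does not match certificate"; rc=1
  fi
  # 4. The certificate must cover the configured hostname.
  if ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match"; then
    echo "FAIL: certificate does not cover $host"; rc=1
  fi
  # 5. Assumed policy: the certificate must stay valid for 30 more days.
  if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
    echo "FAIL: certificate expires within 30 days"; rc=1
  fi
  # 6. If a CA file is given, the certificate must chain to it.
  if [ -n "$ca" ] && ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: certificate is not signed by $ca"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $host passes pre-flight"
  return "$rc"
}
```

With the paths used in this post, the call would be harbor_preflight /data/harbor/harbor.yml /data/certs/ca.crt after sourcing the file.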
Now run the prepare script to enable HTTPS. The prepare script is in the Harbor installer bundle, under the harbor folder. Harbor uses an nginx instance as a reverse proxy for all services. You use the prepare script to configure nginx to use HTTPS.
From there, execute the command below:
./prepare
As soon as ./prepare has executed, the docker-compose YAML file is generated. Now we have to execute the docker-compose up command to start Harbor.
docker-compose up -d
Now we are done installing and configuring the Harbor registry.
Test whether we can connect to the registry:
docker login harbor.sra1k8s.xyz
It will prompt for a username and password. Give the username as admin and the password you set in harbor.yml; in my case the password is Harbor@123.
Now you can open the web UI in a browser to manage the repositories, like Docker Hub.
Tag the Image
docker tag sravanakumar28/myrepos:Mongodb harbor.sra1k8s.xyz/sravan_repository/myrepos:Mongodb
Push the image into the Harbor repository folder.
docker push harbor.sra1k8s.xyz/sravan_repository/myrepos:Mongodb
Example of pulling the image from the Harbor registry:
docker pull harbor.sra1k8s.xyz/sravan_repository/myrepos@sha256:dd22ecdffb3697165d95aa6b6860fa7a2c346ad82e0dd4b1c508b2f8f836bb1a
Now our local registry is ready and we can play around with it.
All the best ... Keep reading.
Excellent document with all steps explained clearly