A quick test of Harbor + LDAP
2021.1.16: the full experience of configuring the latest Harbor release, 2.1.3, against LDAP, including several common errors and how to fix them.
Install Docker
From https://get.docker.com:

curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh
Install Harbor
Download Harbor
Download the Harbor offline package from https://github.com/goharbor/harbor/releases; the current latest version is v2.1.3.
Running wget -c https://github.com/goharbor/harbor/releases/download/v2.1.3/harbor-offline-installer-v2.1.3.tgz directly, the speed was terrible, under 100K. After switching to my own proxy it settled at around 1.7M and the download finished in a little over 5 minutes.
已发出 Proxy 请求,正在等待回应... 206 Partial Content
长度:558915667 (533M),剩余 548785186 (523M) [application/octet-stream]
正在保存至: “harbor-offline-installer-v2.1.3.tgz”
91% [============================================> ] 512,155,158 1.71MB/s 剩余 26s
100%[=================================================>] 558,915,667 1.87MB/s 用时 5m 5s
2021-01-15 23:56:50 (1.71 MB/s) - 已保存 “harbor-offline-installer-v2.1.3.tgz” [558915667/558915667])
Install Harbor
After extracting the package, its contents are as follows:

[root@10-23-2-95 ~]# ls -lh harbor
总用量 536M
-rw-r--r--. 1 root root 3.3K 1月 9 13:00 common.sh
-rw-r--r--. 1 root root 536M 1月 9 13:01 harbor.v2.1.3.tar.gz
-rw-r--r--. 1 root root 8.0K 1月 9 13:00 harbor.yml.tmpl
-rwxr-xr-x. 1 root root 2.5K 1月 9 13:00 install.sh
-rw-r--r--. 1 root root 12K 1月 9 13:00 LICENSE
-rwxr-xr-x. 1 root root 1.9K 1月 9 13:00 prepare

Copy harbor.yml.tmpl to harbor.yml and edit it. Change the default reg.mydomain.com to your own domain name or IP; since this is only a quick test, I used the IP 10.23.2.95 directly. The default data directory is also worth changing:

# The default data volume
data_volume: /Data  # changed the original "data" to capital-D "Data"; more on this below.
Add a disk
Checking the machine, it has a spare, empty 100G disk, so let's use it. Even a quick test should be done properly.
[root@10-23-2-95 ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 50G 0 disk
├─sda1 8:1 0 2G 0 part /boot
└─sda2 8:2 0 48G 0 part
├─centos-root 253:0 0 40G 0 lvm /
└─centos-swap 253:1 0 8G 0 lvm [SWAP]
sdb 8:16 0 100G 0 disk
pvcreate /dev/sdb
vgcreate harbor /dev/sdb
lvcreate -l 100%VG harbor -n data
mkdir /Data
mkfs.xfs /dev/harbor/data
mount /dev/harbor/data /Data
cat > /etc/fstab << EOF
/dev/harbor/data /Data/ xfs defaults 0 0
EOF
Run lsblk again and sdb is now in use.
Run the install script install.sh; it failed after only one step.
[root@10-23-2-95 harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.2
[Step 1]: checking docker-compose is installed ...
✖ Need to install docker-compose(1.18.0+) by yourself first and run this script again.
Install docker-compose
It complains that docker-compose is missing, so open https://docs.docker.com/compose/install/
sudo curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
Check the version
[root@10-23-2-95 harbor]# docker-compose --version
docker-compose version 1.27.4, build 40524192
Continue the installation and hit an error
[Step 4]: preparing harbor configs ...
prepare base dir is set to /root/harbor
Error happened in config validation...
ERROR:root:Error: The protocol is https but attribute ssl_cert is not set
Forget it, sorting out a certificate would take half a day; edit harbor.yml and comment out the https 443 block for now.
Ran the installer again and this time it finally succeeded.
Logged in to take a look at the home page. It's 1 a.m., time to wash up and sleep; I'll continue when I find time during the day.
Connecting Harbor to LDAP
Administration > Configuration > Authentication
As shown in the figure, note that the two settings at the arrow positions must both be changed to subtree. Otherwise the test here may succeed and report "Connection to LDAP server is verified", yet you still cannot log in with an LDAP account, which makes you suspect the account is wrong, that you mistyped, or even give up altogether.
Errors and fixes
Login port error
Encountered only once
[root@dcc ~]docker login 10.23.2.95
Username: jie.wan
Password:
Error response from daemon: Get http://10.23.2.95/v2/: unauthorized: authentication required
Fix:
Add port 80 explicitly. I never hit this again afterwards, strangely.
[root@dcc ~]# docker login 10.23.2.95:80
Username: jie.wan
Password:
Login Succeeded
Harbor hangs after a service restart
harbor-core gets stuck in a restart loop, with log errors like
2021-01-16T14:13:05Z [ERROR] [/common/utils/utils.go:106]: failed to connect to tcp://postgresql:5432, retry after 2 seconds :dial tcp: lookup postgresql on 127.0.0.11:53: no such host
2021-01-16T14:07:08Z [FATAL] [/core/main.go:171]: failed to initialize database: failed to connect to tcp:postgresql:5432 after 60 seconds
Only 4 docker containers are left running, which is clearly wrong.
Fix:
Go back to the original install directory harbor; you will find an extra docker-compose.yml file that was created last night.
Stop, then start, in that order:
docker-compose down -v
docker-compose up -d
9 containers come up and the web page is back to normal.
Push an image to check that it works
[root@dcc ~]# docker push 10.23.2.95/apline/alpine:latest
The push refers to a repository [10.23.2.95/apline/alpine]
75bbf4ac162d: Retrying in 1 second
3e207b409db3: Retrying in 1 second
received unexpected HTTP status: 500 Internal Server Error
Error log
Jan 16 23:00:59 172.18.0.1 proxy[86403]: 10.10.150.105 - "GET /service/token?account=jie.wan&scope=repository%3Aapline%2Falpine%3Apush%2Cpull&service=harbor-registry HTTP/1.1" 500 0 "-" "docker/17.03.2-ce go/go1.7.5 git-commit/f5ec1e2 kernel/3.10.0-1062.9.1.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/17.03.2-ce \x5C(linux\x5C))" 0.011 0.010 .
Jan 16 23:00:59 172.18.0.1 proxy[86403]: 10.10.150.105 - "GET /service/token?account=jie.wan&scope=repository%3Aapline%2Falpine%3Apush%2Cpull&service=harbor-registry HTTP/1.1" 500 0 "-" "docker/17.03.2-ce go/go1.7.5 git-commit/f5ec1e2 kernel/3.10.0-1062.9.1.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/17.03.2-ce \x5C(linux\x5C))" 0.011 0.011 .
I was so bleary-eyed that I typed apline instead of alpine, so the token request for that non-existent project kept returning 500.
Re-tag the image and push again; everything works.
[root@dcc ~]# docker tag 10.10.150.105/myapp/alpine:latest 10.23.2.95/alpine/alpine:latest
[root@dcc ~]# docker push 10.23.2.95/alpine/alpine:latest
The push refers to a repository [10.23.2.95/alpine/alpine]
75bbf4ac162d: Pushed
3e207b409db3: Pushed
latest: digest: sha256:58b9f38489142c9ca9e8c85c2d765e5ceb5248c7e494bb30fb24db4741748c23 size: 739
UI check as a regular LDAP user
Push an image to this project:
docker push 10.23.2.95/alpine/REPOSITORY[:TAG]
Push a chart to this project:
helm chart push 10.23.2.95/alpine/REPOSITORY[:TAG]
Bonus: a script for a 10-year self-signed certificate
#!/bin/bash
# Generate the certificates in this directory so harbor.yml can point at them directly
set -e
mkdir -p /data/cert
cd /data/cert
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor2.dsp.local" -key ca.key -out ca.crt
openssl genrsa -out harbor2.dsp.local.key 4096
openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor2.dsp.local" -key harbor2.dsp.local.key -out harbor2.dsp.local.csr
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor2.dsp.local
DNS.2=harbor
EOF
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor2.dsp.local.csr -out harbor2.dsp.local.crt
# The docker client wants a .cert copy of the server certificate
openssl x509 -inform PEM -in harbor2.dsp.local.crt -out harbor2.dsp.local.cert
# Trust the certificate on this host
cp harbor2.dsp.local.crt /etc/pki/ca-trust/source/anchors/harbor2.dsp.local.crt
update-ca-trust
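Before pointing harbor.yml at the files that script produces, it is worth checking that they actually fit together. The following is an added example, not part of the original post: check_harbor_cert verifies the chain, that the private key belongs to the certificate, that the hostname is in subjectAltName, and that the certificate is not about to expire; make_test_pki is a constructed fixture that builds a throwaway CA and leaf the same way the script above does. It assumes openssl is installed.

```shell
#!/bin/bash
# Added example (not from the original post): sanity-check the cert/key pair that
# harbor.yml's `certificate:` and `private_key:` point at, before running install.sh.
# Requires openssl. Usage: check_harbor_cert CERT KEY CA_CERT HOSTNAME [MIN_DAYS]
check_harbor_cert() {
  cert=$1; key=$2; ca=$3; host=$4; min_days=${5:-30}
  # 1. the leaf must chain to the CA that was copied into the trust store
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not verify against $ca"; return 1; }
  # 2. the private key must belong to the certificate: compare the public keys
  cpub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cpub" = "$kpub" ] || { echo "FAIL: $key does not match $cert"; return 2; }
  # 3. the name clients connect to must be in subjectAltName; docker and nginx
  #    ignore a CN-only match, which surfaces as a TLS error at docker login
  re=$(printf '%s' "$host" | sed 's/\./\\./g')
  openssl x509 -in "$cert" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -Eq "DNS:$re(,|\$)" \
    || { echo "FAIL: $host is not in subjectAltName"; return 3; }
  # 4. refuse a certificate that expires within MIN_DAYS
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "FAIL: $cert expires within $min_days days"; return 4; }
  echo "OK: $cert is usable for $host"
}

# Constructed fixture: build a throwaway CA and a leaf with SAN=DNS:HOST in DIR,
# the same way the post's script does (3650 days, v3.ext carrying subjectAltName).
make_test_pki() {
  dir=$1; host=$2
  mkdir -p "$dir" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=test-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$dir/v3.ext"
  openssl x509 -req -sha256 -days 3650 -extfile "$dir/v3.ext" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -in "$dir/$host.csr" -out "$dir/$host.crt" 2>/dev/null
}

# Demo run: build the fixture in a temp dir and check it (prints "OK: ...")
d=$(mktemp -d); make_test_pki "$d" harbor2.dsp.local
check_harbor_cert "$d/harbor2.dsp.local.crt" "$d/harbor2.dsp.local.key" "$d/ca.crt" harbor2.dsp.local
```

For the real files, run check_harbor_cert /data/cert/harbor2.dsp.local.crt /data/cert/harbor2.dsp.local.key /data/cert/ca.crt harbor2.dsp.local and fix whichever check fails before starting Harbor.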
Then edit the corresponding hostname and certificate paths in harbor.yml:

hostname: harbor2.dsp.local

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path
  certificate: /data/cert/harbor2.dsp.local.crt
  private_key: /data/cert/harbor2.dsp.local.key
One more login error and its fix
duo@duodeiMac ~ % docker login 10.23.2.188
Username: 1
Password:
Error response from daemon: Get https://10.23.2.188/v2/: Get https://harbor2.dsp.local/service/token?account=1&client_id=docker&offline_token=true&service=harbor-registry: Service Unavailable
Fix: check that name resolution between 10.23.2.188 and harbor2.dsp.local works.
While the internal DNS is not ready yet, simply add the mapping to the local /etc/hosts file by hand.
Once resolution works, a wrong password fails and the correct password succeeds.
duo@duodeiMac ~ % docker login 10.23.2.188
Username: a1
Password:
Error response from daemon: Get https://10.23.2.188/v2/: unauthorized: authentication required
duo@duodeiMac ~ % docker login 10.23.2.188
Username: a1
Password:
Login Succeeded