Setup Harbor
All container images that we used in the previous examples were downloaded from Docker Hub, which is a public registry.
In production environments, we have to use a private image registry so that we have better control over the images and their security.
In this session, we will deploy a private registry using Harbor.
Students need to deploy this in a separate Ubuntu 16.04 LTS VM (4GB memory + 2 vCPUs). If you are attending a live session, the instructor will provide the private registry URL and credentials.
In this lab, we use the IP/FQDN below. Make sure to create the necessary DNS entries or /etc/hosts entries to use the registry once it is configured.
IP Address : 10.136.102.79
FQDN: k8s-harbor-registry.linxlabs.com
Install Docker
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
$ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
$ sudo apt-get update
$ sudo apt-get install -y docker-ce
Verify Docker service state
$ sudo systemctl status docker --no-pager --lines 0
Example output
● docker.service - Docker Application Container Engine
Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2020-04-10 20:49:29 IST; 2min 27s ago
Docs: https://docs.docker.com
Main PID: 4315 (dockerd)
CGroup: /system.slice/docker.service
└─4315 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
Download the docker-compose binary
$ sudo curl -L "https://github.com/docker/compose/releases/download/1.25.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
$ sudo chmod +x /usr/local/bin/docker-compose
$ sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
Setup Certificates
Create a staging directory first
mkdir ~/harbor_certs/
cd ~/harbor_certs/
Create CA
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=IN/ST=Kerala/L=Kollam/O=demo/OU=Personal/CN=ca.linxlabs.com" \
-key ca.key \
-out ca.crt
Create SSL extension file
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=linxlabs.com
DNS.2=k8s-harbor-registry.linxlabs.com
DNS.3=k8s-harbor-registry
EOF
Create a Certificate Signing Request (CSR) for Harbor's nginx service. The key is named after the registry FQDN so that it matches the file copied to /data/cert/ later.
$ openssl genrsa -out k8s-harbor-registry.linxlabs.com.key 4096
$ openssl req -sha512 -new \
-subj "/C=IN/ST=Kerala/L=Kollam/O=demo/OU=Personal/CN=k8s-harbor-registry.linxlabs.com" \
-key k8s-harbor-registry.linxlabs.com.key \
-out k8s-harbor-registry.linxlabs.com.csr
Generate and Sign Certificates
$ openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in k8s-harbor-registry.linxlabs.com.csr \
-out k8s-harbor-registry.linxlabs.com.crt
After signing, we will get output like the one below
Signature ok
subject=/C=IN/ST=Kerala/L=Kollam/O=demo/OU=Personal/CN=k8s-harbor-registry.linxlabs.com
Getting CA Private Key
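Before copying the files into /data/cert/, it is worth confirming that the signed certificate chains to the lab CA, matches its private key, and actually carries the extensions from v3.ext. The script below is an added example (not part of the original lab); it assumes the openssl CLI and the file names produced by the steps above.

```shell
#!/bin/sh
# Added example: sanity-check a Harbor server certificate before copying it to /data/cert/.
# Assumes the files produced by the steps above (ca.crt, the signed .crt and its .key)
# and the openssl CLI; it is not part of the lab's own procedure.
set -e

# check_harbor_cert CA CERT KEY HOSTNAME  -> exit status 0 only if every check passes
check_harbor_cert() {
  ca="$1"; crt="$2"; key="$3"; host="$4"

  # 1. The certificate must chain to the lab CA (catches signing with the wrong -CA/-CAkey).
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: $crt does not chain to $ca"; return 1; }

  # 2. The private key must belong to this certificate. Both commands print the public key
  #    as PEM, so a mismatched key (e.g. a CSR made from a different .key) is caught here.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$crt_pub" = "$key_pub" ] \
    || { echo "FAIL: $key is not the private key for $crt"; return 1; }

  # 3. v3.ext must really have been applied: the registry name is in the SAN list
  #    (modern TLS clients ignore the CN), the cert is an end-entity cert, and it is
  #    allowed for TLS server authentication.
  txt=$(openssl x509 -in "$crt" -noout -text)
  echo "$txt" | grep -q "DNS:$host" \
    || { echo "FAIL: no subjectAltName entry for $host"; return 1; }
  echo "$txt" | grep -q "CA:FALSE" \
    || { echo "FAIL: basicConstraints is not CA:FALSE"; return 1; }
  echo "$txt" | grep -q "TLS Web Server Authentication" \
    || { echo "FAIL: extendedKeyUsage does not include serverAuth"; return 1; }

  echo "OK: $crt is valid for https://$host and matches $key"
}

# Usage: sh check_cert.sh ca.crt k8s-harbor-registry.linxlabs.com.crt \
#            k8s-harbor-registry.linxlabs.com.key k8s-harbor-registry.linxlabs.com
if [ "$#" -eq 4 ]; then
  check_harbor_cert "$@"
fi
```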
Create the certificate directory for Harbor
$ sudo mkdir -p /data/cert/
$ sudo cp k8s-harbor-registry.linxlabs.com.crt k8s-harbor-registry.linxlabs.com.key /data/cert/
Download Harbor offline installer.
$ sudo curl https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.1.tgz -O
$ tar -xvf harbor-offline-installer-v1.7.1.tgz
Configure Harbor.
$ cd harbor
$ sed -i 's/hostname: reg.mydomain.com/hostname: k8s-harbor-registry.linxlabs.com/' harbor.yml
$ sed -i 's@ certificate: /your/certificate/path@ certificate: /data/cert/k8s-harbor-registry.linxlabs.com.crt@' harbor.yml
$ sed -i 's@ private_key: /your/private/key/path@ private_key: /data/cert/k8s-harbor-registry.linxlabs.com.key@' harbor.yml
$ grep k8s-harbor harbor.yml
hostname: k8s-harbor-registry.linxlabs.com
certificate: /data/cert/k8s-harbor-registry.linxlabs.com.crt
private_key: /data/cert/k8s-harbor-registry.linxlabs.com.key
Install Harbor & Start Harbor.
$ sudo ./install.sh --with-notary --with-clair --with-chartmuseum
After a successful installation, we will get the output below.
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating network "harbor_harbor-clair" with the default driver
Creating network "harbor_harbor-notary" with the default driver
Creating network "harbor_harbor-chartmuseum" with the default driver
Creating network "harbor_notary-sig" with the default driver
Creating harbor-log ... done
Creating redis ... done
Creating registry ... done
Creating registryctl ... done
Creating chartmuseum ... done
Creating harbor-portal ... done
Creating harbor-db ... done
Creating notary-signer ... done
Creating clair ... done
Creating harbor-core ... done
Creating notary-server ... done
Creating nginx ... done
Creating harbor-jobservice ... done
Creating clair-adapter ... done
✔ ----Harbor has been installed and started successfully.----
Also, you can use docker-compose to verify the health of the containers
$ sudo docker-compose ps
Name Command State Ports
---------------------------------------------------------------------------------------------------------------------------------------
chartmuseum ./docker-entrypoint.sh Up (healthy) 9999/tcp
clair ./docker-entrypoint.sh Up (healthy) 6060/tcp, 6061/tcp
clair-adapter /clair-adapter/clair-adapter Up (healthy) 8080/tcp
harbor-core /harbor/harbor_core Up (healthy)
harbor-db /docker-entrypoint.sh Up (healthy) 5432/tcp
harbor-jobservice /harbor/harbor_jobservice ... Up (healthy)
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (healthy) 8080/tcp
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp
notary-server /bin/sh -c migrate-patch - ... Up
notary-signer /bin/sh -c migrate-patch - ... Up
redis redis-server /etc/redis.conf Up (healthy) 6379/tcp
registry /home/harbor/entrypoint.sh Up (healthy) 5000/tcp
registryctl /home/harbor/start.sh Up (healthy)
Now, you will be able to access the Harbor UI using the URL "https://k8s-harbor-registry.linxlabs.com" (needs a DNS entry or hosts file entry) or the IP of the VM, "https://10.136.102.79".
The default username and password are admin/Harbor12345