[Docker] Setting up a local container registry with Harbor

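Docker provides Docker Hub, a public image management service. Because it is open and anyone can access it, an internal company project or a personal project you do not want to publish may need a local image registry, and the open-source Harbor can be the answer.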

 

The official website is below. Check it for the latest information.

https://goharbor.io 

 

Installing Harbor

 

Harbor is run with docker-compose, so install docker-compose if it is not already installed.

apt-get install docker-compose

 

 

Generating certificates

# Generate the CA certificate
root@DESKTOP-GH94F8C:/home/kindlove/temp# openssl genrsa -out ca.key 4096
root@DESKTOP-GH94F8C:/home/kindlove/temp# openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/CN=skkkm@xxx.com" -key ca.key -out ca.crt

# Generate the server certificate
root@DESKTOP-GH94F8C:/home/kindlove/temp# openssl genrsa -out skkkm@xxx.com.key 4096
root@DESKTOP-GH94F8C:/home/kindlove/temp# openssl req -sha512 -new -subj "/CN=skkkm@xxx.com" -key skkkm@xxx.com.key -out skkkm@xxx.com.csr

# Create the extension config file
vi v3.ext

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
# Enter the IP of the server that will use the certificate
IP.1=172.17.0.1
IP.2=127.0.0.1

# Generate the crt certificate
root@DESKTOP-GH94F8C:/home/kindlove/temp# openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in skkkm@xxx.com.csr -out skkkm@xxx.com.crt
Certificate request self-signature ok
subject=CN = skkkm@xxx.com

 

Downloading the installer

# Download the installer with wget
root@DESKTOP-GH94F8C:/home/kindlove/temp# wget https://github.com/goharbor/harbor/releases/download/v2.8.2/harbor-offline-installer-v2.8.2.tgz
--2024-02-14 15:11:07--  https://github.com/goharbor/harbor/releases/download/v2.8.2/harbor-offline-installer-v2.8.2.tgz
Resolving github.com (github.com)... 20.200.245.247
Connecting to github.com (github.com)|20.200.245.247|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/50613991/c5170940-22fb-46bb-9b63-99d048e50124?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240214%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240214T061126Z&X-Amz-Expires=300&X-Amz-Signature=52530650ca8761b5cbc1d9dba8f144ab1971a51c3c7026ff40530915a9756153&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=50613991&response-content-disposition=attachment%3B%20filename%3Dharbor-offline-installer-v2.8.2.tgz&response-content-type=application%2Foctet-stream [following]
--2024-02-14 15:11:07--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/50613991/c5170940-22fb-46bb-9b63-99d048e50124?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240214%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240214T061126Z&X-Amz-Expires=300&X-Amz-Signature=52530650ca8761b5cbc1d9dba8f144ab1971a51c3c7026ff40530915a9756153&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=50613991&response-content-disposition=attachment%3B%20filename%3Dharbor-offline-installer-v2.8.2.tgz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 607390683 (579M) [application/octet-stream]
Saving to: ‘harbor-offline-installer-v2.8.2.tgz’

harbor-offline-installer-v2.8.2.tgz   100%[======================================================================>] 579.25M  58.5MB/s    in 9.9s

2024-02-14 15:11:18 (58.4 MB/s) - ‘harbor-offline-installer-v2.8.2.tgz’ saved [607390683/607390683]

# Extract the downloaded tgz
root@DESKTOP-GH94F8C:/home/kindlove/temp# tar xvzf harbor-offline-installer-v2.8.2.tgz
harbor/harbor.v2.8.2.tar.gz
harbor/prepare
harbor/LICENSE
harbor/install.sh
harbor/common.sh
harbor/harbor.yml.tmpl
root@DESKTOP-GH94F8C:/home/kindlove/temp#

 

Copy the certificates and restart Docker

root@DESKTOP-GH94F8C:/home/kindlove/temp# cp skkkm@xxx.com.crt /etc/docker/certs.d/server/
root@DESKTOP-GH94F8C:/home/kindlove/temp# cp skkkm@xxx.com.key /etc/docker/certs.d/server/
root@DESKTOP-GH94F8C:/home/kindlove/temp# systemctl restart docker

 

Edit harbor.yml (rename harbor.yml.tmpl to harbor.yml)

 - Enter the server IP in hostname

 - Set certificate and private_key to the certificate and key files copied above.

# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 172.17.0.1 

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /etc/docker/certs.d/server/skkkm@xxx.com.crt
  private_key: /etc/docker/certs.d/server/skkkm@xxx.com.key

 

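The admin password is specified further down in the harbor.yml above (the default is Harbor12345). The key is harbor_admin_password; it is only applied on Harbor's first start, so change the default here before running ./prepare.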
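A pre-flight check for the settings discussed above, as an added example that is not part of the original post or the Harbor project. The helper names yaml_value and preflight_harbor_yml, the sample paths and the owner-only rule for the key file are assumptions; hostname, private_key and harbor_admin_password are the keys in harbor.yml.

```bash
#!/usr/bin/env bash
# Added example (not from the Harbor project): pre-flight check for harbor.yml.
# yaml_value and preflight_harbor_yml are hypothetical helper names.

# Print the value of the first uncommented "key: value" line, at any indentation.
yaml_value() {  # usage: yaml_value <key> <file>
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 |
    sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//'
}

# Print one line per finding; succeed only when there are none.
preflight_harbor_yml() {  # usage: preflight_harbor_yml <harbor.yml>
  local yml=$1 findings=0 host pass key
  host=$(yaml_value hostname "$yml")
  pass=$(yaml_value harbor_admin_password "$yml")
  key=$(yaml_value private_key "$yml")

  case $host in
    ''|localhost|127.0.0.1)
      echo "hostname '$host' cannot be reached by external clients"
      findings=$((findings + 1)) ;;
  esac
  if [ "$pass" = "Harbor12345" ]; then
    echo "harbor_admin_password is still the shipped default"
    findings=$((findings + 1))
  fi
  if [ ! -f "$key" ]; then
    echo "private_key '$key' not found"
    findings=$((findings + 1))
  # Assumption: only the owner needs to read the TLS key (characters 5-10 of
  # the ls -l mode string are the group and other permission bits).
  elif [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
    echo "private_key '$key' is accessible to group or others"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Constructed sample input: the page's values plus the default admin password.
sample=$(mktemp -d)
touch "$sample/server.key" && chmod 644 "$sample/server.key"
printf '%s\n' 'hostname: 172.17.0.1 ' 'https:' '  port: 443' \
  "  private_key: $sample/server.key" 'harbor_admin_password: Harbor12345' \
  > "$sample/harbor.yml"
preflight_harbor_yml "$sample/harbor.yml" || echo "fix the findings before ./prepare"
```

Run it as preflight_harbor_yml harbor.yml in the extracted harbor directory; a non-zero exit status means at least one finding was printed.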

 

Run ./prepare

root@DESKTOP-GH94F8C:/home/kindlove/temp/harbor# ./prepare
prepare base dir is set to /home/kindlove/temp/harbor
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

 

Start the server with docker-compose

# On later runs, run docker-compose down first and then docker-compose up
root@DESKTOP-GH94F8C:/home/kindlove/temp/harbor# docker-compose down -v
Removing network harbor_harbor
WARNING: Network harbor_harbor not found.
root@DESKTOP-GH94F8C:/home/kindlove/temp/harbor# docker-compose up -d
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db     ... done
Creating registryctl   ... done
Creating redis         ... done
Creating harbor-portal ... done
Creating registry      ... done
Creating harbor-core   ... done
Creating harbor-jobservice ... done
Creating nginx             ... done

 

Running the server

 

Entering https://localhost in the browser brings up the browser's certificate warning page.

Click Advanced at the bottom and continue.

 

On the Harbor portal login screen, enter admin / Harbor12345 to reach the initial screen.

 

Repository Login

You must be logged in to push images to the registry. Logging in to the new registry server as shown below fails with a certificate verification error.

root@DESKTOP-GH94F8C:/home/kindlove/temp/harbor# docker login 172.17.0.1:443
Username: admin
Password:
Error response from daemon: Get "https://172.17.0.1:443/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority

 

This is because the certificate used for the server is not installed on the WSL Linux system where docker runs.

 

Copy the crt certificate file generated above for the server to the location below, apply it with the update-ca-certificates command, and then restart docker and Harbor; the login now succeeds.

root@DESKTOP-GH94F8C:/home/kindlove/temp# cp skkkm@xxx.com.crt /usr/local/share/ca-certificates/
root@DESKTOP-GH94F8C:/home/kindlove/temp# update-ca-certificates
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@DESKTOP-GH94F8C:/home/kindlove/temp/harbor# docker-compose down -v
Stopping harbor-jobservice ... done
Stopping nginx             ... done
Stopping harbor-core       ... done
Stopping harbor-db         ... done
Stopping registry          ... done
Stopping redis             ... done
Stopping registryctl       ... done
Stopping harbor-portal     ... done
Stopping harbor-log        ...
Stopping harbor-log        ... done
Removing harbor-jobservice ... done
Removing nginx             ... done
Removing harbor-core       ... done
Removing harbor-db         ... done
Removing registry          ... done
Removing redis             ... done
Removing registryctl       ... done
Removing harbor-portal     ... done
Removing harbor-log        ... done
Removing network harbor_harbor
root@DESKTOP-GH94F8C:/home/kindlove/temp/harbor#
root@DESKTOP-GH94F8C:/home/kindlove/temp/harbor# systemctl restart docker.service
root@DESKTOP-GH94F8C:/home/kindlove/temp/harbor# docker-compose up -d
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-portal ... done
Creating redis         ... done
Creating registry      ... done
Creating registryctl   ... done
Creating harbor-db     ... done
Creating harbor-core   ... done
Creating nginx             ... done
Creating harbor-jobservice ... done
root@DESKTOP-GH94F8C:/home/kindlove/temp/harbor#
root@DESKTOP-GH94F8C:/home/kindlove/temp/harbor# docker login 172.17.0.1:443
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
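The certificate generation steps earlier and the login failure above come down to one trust decision, reproduced offline here as an added example (not code from the original post). The function names, the demo CNs, the 2048-bit keys and the 30-day validity are constructed for illustration; the v3.ext entries follow the file shown earlier.

```bash
#!/usr/bin/env bash
# Added example: reproduce the registry trust decision with a throwaway PKI.
# make_demo_pki, chain_ok, has_ip_san and the demo CNs are constructed names.

# Build a CA and a server certificate with the same openssl steps as above.
# 2048-bit keys and 30-day validity keep the demo quick and disposable.
make_demo_pki() {  # usage: make_demo_pki <dir> <server-ip>
  ( cd "$1" &&
    openssl genrsa -out ca.key 2048 &&
    openssl req -x509 -new -nodes -sha512 -days 30 -subj "/CN=demo-local-ca" \
      -key ca.key -out ca.crt &&
    openssl genrsa -out server.key 2048 &&
    openssl req -sha512 -new -subj "/CN=demo-harbor" -key server.key \
      -out server.csr &&
    printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' \
      'basicConstraints=CA:FALSE' 'extendedKeyUsage = serverAuth' \
      'subjectAltName = @alt_names' '[alt_names]' "IP.1=$2" 'IP.2=127.0.0.1' \
      > v3.ext &&
    openssl x509 -req -sha512 -days 30 -extfile v3.ext -CA ca.crt \
      -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
  ) >/dev/null 2>&1
}

# Succeed only if <cert> chains to the CA in <cafile> as a TLS server certificate.
chain_ok() {  # usage: chain_ok <cafile> <cert>
  openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed only if <cert> lists <ip> as an IP subjectAltName entry.
has_ip_san() {  # usage: has_ip_san <cert> <ip>
  openssl x509 -in "$1" -noout -ext subjectAltName |
    tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "IP Address:$2"
}

# Constructed demo: the certificate verifies against its own CA and is rejected
# against an unrelated CA, the "signed by unknown authority" situation.
pki=$(mktemp -d); other=$(mktemp -d)
make_demo_pki "$pki" 172.17.0.1 && make_demo_pki "$other" 172.17.0.1
chain_ok "$pki/ca.crt" "$pki/server.crt" && echo "own CA: chain verifies"
chain_ok "$other/ca.crt" "$pki/server.crt" || echo "unrelated CA: rejected"
has_ip_san "$pki/server.crt" 172.17.0.1 && echo "SAN covers 172.17.0.1"
```

The trust-store step on this page installs the server certificate itself; installing ca.crt instead makes every certificate issued by that CA verify, which is the case chain_ok models.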

 

-- The end --