Deploy and configure HTTPS Harbor on the air-gapped repository.
Procedure
- To run Harbor, download and install Docker Compose. Open a command prompt and run the following command:
#wget https://github.com/docker/compose/releases/download/1.27.4/docker-compose-Linux-x86_64
#chmod a+x docker-compose-Linux-x86_64
#cp docker-compose-Linux-x86_64 /usr/local/bin/docker-compose
- Download and extract the Harbor Offline Installer:
#mkdir /harbor
#cd /harbor
#wget https://github.com/goharbor/harbor/releases/download/v2.1.2/harbor-offline-installer-v2.1.2.tgz
#tar -zxf harbor-offline-installer-v2.1.2.tgz
- Configure HTTPS access to Harbor. For configuration steps, see https://goharbor.io/docs/2.1.0/install-config/configure-yml-file/.
Note:
- You can use certificates that are signed by a trusted third-party Certificate Authority (CA), or you can use self-signed certificates. For information about creating and using a CA certificate to sign a server and client certificate, see https://goharbor.io/docs/2.1.0/install-config/configure-https/.
- For this example, we use a self-signed certificate.
- Extract Harbor. Run the following command:
#cd /harbor/harbor
#cp harbor.yml.tmpl harbor.yml
- Using a preferred editor, edit the harbor.yml file:
# setup hostname, generally set to FQDN name
hostname: <replace-with-custom-FQDN>

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 8001    # specify the HTTP port to listen on

# https related config
https:
  # https port for harbor, default is 443
  port: 8043    # specify the HTTPS port to listen on
  # The path of cert and key files for nginx
  certificate: /etc/docker/certs.d/<replace-with-custom-FQDN>[:8043]*/<replace-with-custom-FQDN>.cert
  private_key: /etc/docker/certs.d/<replace-with-custom-FQDN>[:8043]*/<replace-with-custom-FQDN>.key
Note: Set Harbor's Nginx listening on 8001 (HTTP) and 8043 (HTTPS). Or, specify the ports that work in your environment. Set aside ports 80 and 443 for the Nginx system. The Nginx system forwards access requests to Harbor automatically.
Note: For self-signed certificates, you require the port number when creating a folder. You do not require the port number when using commercial certificates.
- Switch to the extracted Harbor folder, edit the prepare file, and then install Harbor:
Note: Docker Hub has a pull rate limitation that may prevent images from downloading. To prevent this, VMware provides a public repository to fetch the required images from Docker Hub.
Run the following command:
#cd /harbor/harbor
#vi prepare
- In the VI editor, enter /goharbor and search for goharbor/prepare:v2.1.2 prepare $@.
- Press I and modify this line to vmwtec.jfrog.io/registry/goharbor/prepare:v2.1.2 prepare $@. Press Enter and type :wq to save the file.
- Run the following command:
#./prepare
#./install.sh
- Stop and restart Harbor:
Stop Harbor:
#docker-compose down -v
Restart Harbor:
#docker-compose up -d
You must be able to log in to Harbor if it restarts successfully.
- Log in to Harbor from the Docker client:
#docker login <harbor_FQDN>:8043
Here, <harbor_FQDN> is the hostname defined in harbor.yml.
- Create a Harbor registry project:
- Open a browser on a client system that can access the air-gapped repository and enter the Harbor FQDN name.
- Log in to Harbor.
- From the left navigation pane, click Projects and then click New Project.
- Provide the name of the project as registry and select the Access Level as Public.
- Click OK.
- Select library as the default project and click Delete. Click Delete again for confirmation.
- Add the Harbor systemd service so that Harbor autostarts on boot.
#cd /etc/systemd/system
- Add the Harbor service file:
#vi harbor.service
[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor

[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/local/bin/docker-compose -f /harbor/harbor/docker-compose.yml up
ExecStop=/usr/local/bin/docker-compose -f /harbor/harbor/docker-compose.yml down

[Install]
WantedBy=multi-user.target
- Save the file and enable Harbor service:
#chmod 644 harbor.service
#systemctl daemon-reload
#systemctl enable harbor
- To check the status of Harbor, run:
#systemctl status harbor
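The TLS settings edited in harbor.yml earlier in this procedure can be checked before running ./prepare. The following shell functions are an added example, not part of the original procedure or of Harbor's own tooling; the function names and the rule that the private key must not be accessible to group or other users are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check for the TLS settings in harbor.yml.
# Function names are hypothetical; the key-permission rule is an assumption.

# yml_get FILE SECTION KEY -> value ("" as SECTION reads a top-level key)
yml_get() {
  awk -v sec="$2" -v key="$3" '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    /^[^ \t]/ {                                  # a top-level key starts a section
      cur = $1; sub(/:$/, "", cur)
      if (sec == "" && cur == key) { print $2; exit }
      next
    }
    cur == sec && $1 == (key ":") { print $2; exit }
  ' "$1"
}

# check_harbor_tls FILE -> 0 if every check passes, 1 otherwise
check_harbor_tls() {
  yml=$1; rc=0
  host=$(yml_get "$yml" "" hostname)
  port=$(yml_get "$yml" https port)
  cert=$(yml_get "$yml" https certificate)
  key=$(yml_get "$yml" https private_key)
  case $host in
    ''|*'<'*) echo "FAIL: hostname is unset or still a placeholder"; rc=1 ;;
  esac
  [ -n "$port" ] || { echo "FAIL: https section missing or commented out"; rc=1; }
  for f in "$cert" "$key"; do
    { [ -n "$f" ] && [ -r "$f" ]; } || { echo "FAIL: cannot read '$f'"; rc=1; }
  done
  # The page's note: a self-signed certificate folder carries the port number.
  case $(dirname "$cert") in
    */"$host:$port") ;;
    *) echo "WARN: certificate folder is not named $host:$port" ;;
  esac
  # Group or other permission bits on the private key expose it to local users.
  if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
    echo "FAIL: $key is accessible to group/other (chmod 600)"; rc=1
  fi
  return "$rc"
}

# Usage on the repository host: check_harbor_tls /harbor/harbor/harbor.yml
```

The folder-name check only warns, because the port number in the folder name applies to self-signed certificates and not to commercial ones.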