Setting up Harbor locally — and scanning an image
I decided to have a complete system, preferably migratable, on my PC at home. But everything has to run in a cramped 16 GB system, so let's see what happens.
Let's run Harbor to keep our custom images in. Why? Because we are going to run a complete CI/CD system on our cluster (without buying RAM, maybe).
The Harbor setup details are at this link: https://goharbor.io/docs/1.10/install-config/ (those are the 1.10 docs; we install v2.1.5 below, and the procedure is the same).
We need Docker and Docker Compose.
yum update -y
yum install docker -y
sudo curl -L "https://github.com/docker/compose/releases/download/1.29.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
It asks us to open some ports in the firewall (80 and 443 for the UI and the registry; 4443 is only needed if you enable Notary). We probably did so before, but let's do it again anyway.
sudo firewall-cmd --permanent --add-port=80/tcp --add-port=443/tcp --add-port=4443/tcp
sudo firewall-cmd --reload
Move to /opt/harbor_files (or wherever you want to install), then download and unpack the Harbor offline installer.
wget https://github.com/goharbor/harbor/releases/download/v2.1.5/harbor-offline-installer-v2.1.5.tgz
tar xvzf harbor-offline-installer-v2.1.5.tgz
cd /opt/harbor_files/harbor
Now we need the TLS certificates. Harbor serves HTTPS, so we give it a server certificate signed by our own self-signed CA; in production you would use a certificate from a CA your clients already trust (a commercial CA or Let's Encrypt).
Older guides say to add subjectAltName=192.168.56.109 to /etc/pki/tls/openssl.cnf. Don't: written like that (no IP: prefix, outside any extension section) it is either ignored or makes openssl reject its config, and the SAN is supplied by an extension file when we sign the server certificate below anyway.
Then we generate the CA key and self-signed CA certificate with the command below; openssl asks a series of questions about the subject.
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Next we generate the server key and the signing request; it asks the same questions again, plus two extra ones (challenge password and optional company name). I left the password blank. Give the key and the CSR different file names so the second write does not overwrite the first:
openssl req -newkey rsa:4096 -nodes -sha256 -keyout 192.168.56.109.key -out 192.168.56.109.csr
Now we sign the request with our CA, supplying the subjectAltName through an extension file. The SAN is what Docker checks the registry address against; a certificate without it fails the push later on.
echo "subjectAltName = IP:192.168.56.109" > extfile.cnf
openssl x509 -req -days 3650 -in 192.168.56.109.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out 192.168.56.109.crt
In the end we should have ca.crt, ca.key, 192.168.56.109.key and 192.168.56.109.crt.
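The same procedure as a script, added here as an example (it is not part of the original post or of Harbor): it generates the CA and the server certificate non-interactively, with an extension file that also marks the server certificate as a non-CA, serverAuth certificate, and then checks the two things that matter for Docker: that the IP SAN is really present and that the certificate chains to ca.crt. The output directory, the key size parameter and the function names are this example's own; 192.168.56.109 is the registry address used above.

```shell
#!/bin/sh
# Added example (not from the original post): private CA + Harbor server
# certificate with an IP SAN, plus the checks a push will later depend on.

# make_certs DIR IP [BITS]: writes ca.key, ca.crt, IP.key, IP.csr, IP.crt into DIR.
make_certs() {
    dir=$1; ip=$2; bits=${3:-4096}
    mkdir -p "$dir"

    # 1. Self-signed CA. -subj replaces the interactive questions.
    openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 3650 \
        -subj "/CN=Harbor local CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. Server key and CSR, in separate files so neither overwrites the other.
    openssl req -newkey "rsa:$bits" -nodes -sha256 \
        -subj "/CN=$ip" \
        -keyout "$dir/$ip.key" -out "$dir/$ip.csr" 2>/dev/null

    # 3. Extensions for the server cert. The SAN is what Docker matches the
    #    registry address against; CA:FALSE and serverAuth make this an
    #    end-entity TLS server certificate rather than a second CA.
    cat > "$dir/extfile.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF

    # 4. Sign the CSR with the CA, applying the extensions above.
    openssl x509 -req -sha256 -days 3650 -in "$dir/$ip.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/extfile.cnf" -out "$dir/$ip.crt" 2>/dev/null
    chmod 600 "$dir/ca.key" "$dir/$ip.key"
}

# check_san CERT IP: succeeds only if CERT carries IP as a subjectAltName.
check_san() {
    openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# verify_chain CAFILE CERT: succeeds if CERT chains to CAFILE.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run directly:  sh harbor-certs.sh ./certs 192.168.56.109
if [ $# -ge 2 ]; then
    make_certs "$1" "$2" "${3:-4096}"
    if check_san "$1/$2.crt" "$2" && verify_chain "$1/ca.crt" "$1/$2.crt"; then
        echo "ok: $1/$2.crt has SAN IP:$2 and chains to $1/ca.crt"
    else
        echo "certificate check failed" >&2; exit 1
    fi
fi
```

Run check_san against ca.crt as well: it fails, which is exactly the state that produces the "doesn't contain any IP SANs" error if Harbor is ever configured to serve the CA certificate instead of the server certificate.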
Put the server certificate and key (192.168.56.109.crt and 192.168.56.109.key) where Harbor can read them. Keep them out of /etc/docker/certs.d: Docker reads that directory for client certificates and treats a .key file there as a client key, erroring out when the matching .cert is missing. The Harbor docs use /data/cert, so:
sudo mkdir -p /data/cert
sudo cp 192.168.56.109.crt 192.168.56.109.key /data/cert/
sudo chmod 600 /data/cert/192.168.56.109.key
Finally, create a copy of harbor.yml.tmpl as harbor.yml and modify the following parts. I removed the other fields I didn't change. The certificate must be the server certificate, not ca.crt: the CA certificate has no IP SAN, and serving it is what produces the x509 error further down.
hostname: 192.168.56.109
# http related config
http:
  port: 8080
...
https:
  port: 443
  certificate: /data/cert/192.168.56.109.crt
  private_key: /data/cert/192.168.56.109.key
...
harbor_admin_password: some pass
database:
  password: your db pass
Pick real passwords here: the admin account controls the whole registry, and the template defaults (Harbor12345 and root123) are public.
We start the installation with the command below, adding Clair for vulnerability scanning. (--with-clair is still accepted by the 2.1 installer, but Clair was deprecated in Harbor 2.0 and removed in 2.2; on newer releases use --with-trivy.)
./install.sh --with-clair
Once it finishes, open https://192.168.56.109/ in a browser (accept the self-signed certificate) and log in as admin with the harbor_admin_password from harbor.yml.
Let's try to push something to Harbor:
- Create a project named local in the UI
- Pull any image locally, e.g. docker pull nginx
- Tag it for our registry, log in and push
docker tag nginx:latest 192.168.56.109:443/local/nginxmod:latest
docker login 192.168.56.109:443
docker push 192.168.56.109:443/local/nginxmod:latest
We might get something like this:
Error response from daemon: Get https://192.168.56.109:443/v2/: x509: cannot validate certificate for 192.168.56.109 because it doesn't contain any IP SANs
It means the certificate Harbor is serving carries no IP SAN, which is what you get when harbor.yml points at ca.crt (generated without the extension file) instead of the server certificate. The quick workaround is to open /etc/docker/daemon.json (create it if it doesn't exist) and put the following in it:
{ "insecure-registries" : ["192.168.56.109:443"] }
then systemctl restart docker and retry the push. Understand what that does before keeping it: Docker stops verifying the registry's certificate entirely and will even fall back to plain HTTP, so anyone on the path can hand you a different image. The proper fix is to serve a certificate with subjectAltName = IP:192.168.56.109 and to give each client the CA instead, in a directory named after the registry exactly as it appears in the image reference (port included, since we tag with :443):
sudo mkdir -p /etc/docker/certs.d/192.168.56.109:443
sudo cp ca.crt /etc/docker/certs.d/192.168.56.109:443/ca.crt
Only ca.crt goes there, never ca.key.
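The client-side part as a script, added here as an example (not from the original post or from Docker): one function installs the CA under certs.d for a given registry name and refuses anything that is not a certificate (so a stray ca.key cannot end up there), and a second one audits daemon.json for the insecure-registries entry so the workaround above can be found and removed once trust is set up. The root directory parameter, the function names and the sample daemon.json contents are this example's own; 192.168.56.109:443 is the registry as used in the tag and push commands above.

```shell
#!/bin/sh
# Added example (not from the original post): trust the registry CA on a
# Docker client instead of marking the registry insecure.

# install_registry_ca CAFILE HOSTPORT [ROOT]: copies CAFILE to
# ROOT/certs.d/HOSTPORT/ca.crt, the path dockerd reads for that registry.
# HOSTPORT must match the image reference exactly (here 192.168.56.109:443).
# ROOT defaults to /etc/docker; pass a temp dir to try this without root.
install_registry_ca() {
    ca=$1; hostport=$2; root=${3:-/etc/docker}
    # Only a PEM certificate may go in; a private key copied by mistake
    # (cp *.crt *.key) would be treated by dockerd as a client key.
    openssl x509 -in "$ca" -noout >/dev/null 2>&1 || return 1
    mkdir -p "$root/certs.d/$hostport"
    cp "$ca" "$root/certs.d/$hostport/ca.crt"
}

# registry_marked_insecure DAEMON_JSON HOSTPORT: succeeds if HOSTPORT is listed
# under "insecure-registries". A coarse, grep-based audit: the file is
# flattened to one line and the list is matched up to its closing bracket.
registry_marked_insecure() {
    [ -f "$1" ] || return 1
    tr -d '\n' < "$1" | grep -q "\"insecure-registries\"[^]]*\"$2\""
}

# probe_registry HOSTPORT CAFILE: the TLS check dockerd performs, done by hand.
# With a correct SAN and CA Harbor answers /v2/ with 401 (auth required);
# a SAN or CA problem fails inside curl before any HTTP status is printed.
probe_registry() {
    curl -sS -o /dev/null -w '%{http_code}\n' --cacert "$2" "https://$1/v2/"
}

# Run directly:  sh docker-trust.sh ./certs/ca.crt 192.168.56.109:443
if [ $# -ge 2 ]; then
    root=${3:-/etc/docker}
    install_registry_ca "$1" "$2" "$root" || { echo "not a certificate: $1" >&2; exit 1; }
    echo "installed $1 as $root/certs.d/$2/ca.crt"
    if registry_marked_insecure "$root/daemon.json" "$2"; then
        echo "warning: $2 is still listed under insecure-registries in $root/daemon.json; remove it and restart docker"
    fi
fi
```

After installing the CA and removing the insecure-registries entry, probe_registry 192.168.56.109:443 ca.crt should print 401; if it prints nothing and curl complains about the certificate, the server is still presenting a certificate without the IP SAN.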
Since we also installed Clair, we can start a scan of the pushed image from the Harbor UI and see the findings for nginxmod.
Let's test from another VM. We need to add the daemon config again, but after we do, it works.
And that's that. Thanks for reading.
Notes: I tried running the yml as a stack in my Swarm, but some properties, like clair and jobservice, became a problem.