Configuring docker and containerd to access Harbor with a CA certificate

Posted by anyux on 2024-11-08


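Contents
  • Configuring docker and containerd to access Harbor with a CA certificate
  • Configuring docker to access Harbor with a CA certificate
  • Configuring containerd to access Harbor with a CA certificate
  • Verifying the certificate
  • docker configuration method
  • containerd configuration method
  • Explanation of the certificate verification output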

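Harbor article links
Harbor deployment
Harbor deployment: HTTPS and docker login
Browser does not support HTTPS login to Harbor
Configuring docker and containerd to access Harbor with a CA certificate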

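Configuring docker to access Harbor with a CA certificate

  1. Obtain the CA certificate: download it from the Harbor server whose certificate you signed yourself.
  2. Add it to the instance that runs docker, in the directory /etc/ssl/certs/ or /usr/local/share/ca-certificates/
  3. Update the instance's certificates by running update-ca-certificates (Ubuntu) or update-ca-trust (Red Hat)
  4. Restart docker with systemctl restart docker, then log in to Harbor: docker login python.harbor.com -uad
  5. Verify by pulling an image: docker pull python.harbor.com/k8s-a/ingress-nginx:v1.2.1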

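Configuring containerd to access Harbor with a CA certificate

  1. Obtain the CA certificate: download it from the Harbor server whose certificate you signed yourself.
  2. Add it to the instance that runs containerd, in the directory /etc/ssl/certs/ or /usr/local/share/ca-certificates/
  3. Update the instance's certificates by running update-ca-certificates (Ubuntu) or update-ca-trust (Red Hat)
  4. Edit containerd's configuration file /etc/containerd/config.toml and add the CA certificate settings
  5. Restart containerd so the configuration takes effect: systemctl restart containerd
  6. Verify by pulling an image: ctr image pull python.harbor.com/k8s-a/ingress-nginx:v1.2.1 --user admin:12345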

Verifying the certificate

  1. openssl s_client -connect python.harbor.com:443 -CAfile /etc/ssl/certs/ca.crt

docker configuration method

  1. Skipped

  2. # copy the certificate
    cp -pdr ca.crt /etc/ssl/certs/
    
  3. # update the certificate trust store
    update-ca-trust
    
  4. # restart docker
    systemctl restart docker
    # log in
    docker login python.harbor.com -uadmin -p12345
    WARNING! Using --password via the CLI is insecure. Use --password-stdin.
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    
    Login Succeeded
    
    
  5. # pull the image
    docker pull python.harbor.com/k8s-a/ingress-nginx:v1.2.1
    v1.2.1: Pulling from k8s-a/ingress-nginx
    8663204ce13b: Pull complete 
    897a18b2d257: Pull complete 
    3cb02f360cf3: Pull complete 
    2b63816a7692: Pull complete 
    d61ce16aa3b6: Pull complete 
    4391833fbf2c: Pull complete 
    bb397308bcd5: Pull complete 
    803395581751: Pull complete 
    153d402a7263: Pull complete 
    c815f058cf7b: Pull complete 
    a872540e4aca: Pull complete 
    4972574251d0: Pull complete 
    30197fe775a6: Pull complete 
    b059831ea274: Pull complete 
    Digest: sha256:0ad5d9fd4e60446dd85b8a4c4cf3440e31241b7c90ab140123a2f4102ee2d7e8
    Status: Downloaded newer image for python.harbor.com/k8s-a/ingress-nginx:v1.2.1
    python.harbor.com/k8s-a/ingress-nginx:v1.2.1
    

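containerd configuration method

  1. # copy the certificate
    cp -pdr ca.crt /etc/ssl/certs/
    
  2. # update the certificate trust store
    update-ca-trust
    
  3. # edit containerd's configuration file
        [plugins."io.containerd.grpc.v1.cri".registry]
          # content in between omitted; the lines below are the additions
          # registry configuration for the CRI plugin, keyed by the domain python.harbor.com; replace it with your actual domain
          [plugins."io.containerd.grpc.v1.cri".registry.configs."python.harbor.com"]
          # TLS settings for the python.harbor.com domain
          [plugins."io.containerd.grpc.v1.cri".registry.configs."python.harbor.com".tls]
          # path to the CA certificate
            ca_file = "/etc/ssl/certs/ca.crt"
          # keep certificate verification enabled; ca_file is what lets the self-signed Harbor certificate verify
          # (the key in this table is insecure_skip_verify, not insecure; setting it to true would bypass ca_file)
            insecure_skip_verify = false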
    
  4. systemctl restart containerd.service
    
  5. ctr image pull python.harbor.com/k8s-a/ingress-nginx:v1.2.1 --user admin:12345
    python.harbor.com/k8s-a/ingress-nginx:v1.2.1:                                     resolved       |++++++++++++++++++++++++++++++++++++++| 
    manifest-sha256:0ad5d9fd4e60446dd85b8a4c4cf3440e31241b7c90ab140123a2f4102ee2d7e8: done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:b059831ea2745f6578cdc2ac758b8d21b8d65609042ff2670a18f69fd7a3a348:    done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:8663204ce13b2961da55026a2034abb9e5afaaccf6a9cfb44ad71406dcd07c7b:    done           |++++++++++++++++++++++++++++++++++++++| 
    config-sha256:f3afbfa1117b9eef6f2c9e2db06025c0c2a46a7fd10ff6f6173583850a55a7d5:   done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:897a18b2d2576d82166f3c65a64987eb88304a7a70fa2da6d28c4cd1fbdd6813:    done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:8033955817515da4a66d743cb568f64474ae8cc410c362668713dcebe8a080aa:    done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:a872540e4aca4d86fdfab737ffd20e2d973a9d8bc49256ee66cc883687f6c448:    done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:4972574251d0bc39f77f63a772c3657e5ba8708e96a3e16750cec7b4cf5be177:    done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:3cb02f360cf34064c6d8ba5c89b4b1ceca1c10f40d58c56e8d9e375da252e3c0:    done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:153d402a7263107d2d244ebdd7ef11cd0dc747f91d1465e070a033a6fcc90741:    done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:30197fe775a6846f2f9cb8aa7a602a1c7a486a412c4c3566ea97c937a8eafac8:    done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:2b63816a7692990821767908dad8a176224461a736582c64284d2c9d6f49e2bb:    done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:c815f058cf7bd2ff2f47ed9d7526bb2f8070354952a9e32b1b4289af3517df1b:    done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:d61ce16aa3b66511cc4cb2bad26b9a150ab080c4d42a49865ffc1c30e2304e76:    done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:4391833fbf2c065a232ebfed436c3daf79f70512222488aec415e682f053df21:    done           |++++++++++++++++++++++++++++++++++++++| 
    layer-sha256:bb397308bcd5d5b0c04aa763f3b3acb1a4a67250bc4d77ef6132db18385c06fa:    done           |++++++++++++++++++++++++++++++++++++++| 
    elapsed: 1.6 s                                                                    total:  102.2  (63.9 MiB/s)                                      
    unpacking linux/amd64 sha256:0ad5d9fd4e60446dd85b8a4c4cf3440e31241b7c90ab140123a2f4102ee2d7e8...
    done: 4.744578537s	
    

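Explanation of the certificate verification output

Verification: OK means the certificate chain was verified against ca.crt

verify return:1 means certificate verification succeeded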

    openssl s_client -connect python.harbor.com:443 -CAfile /etc/ssl/certs/ca.crt
    
    CONNECTED(00000003)
    depth=1 C = CN, ST = Shanghai, L = Shanghai, O = SmartX, OU = Lab, CN = python.harbor.com
    verify return:1
    depth=0 C = CN, ST = Shanghai, L = Shanghai, O = SmartX, OU = Lab, CN = python.harbor.com
    verify return:1
    ---
    Certificate chain
     0 s:C = CN, ST = Shanghai, L = Shanghai, O = SmartX, OU = Lab, CN = python.harbor.com
       i:C = CN, ST = Shanghai, L = Shanghai, O = SmartX, OU = Lab, CN = python.harbor.com
    ---
    Server certificate
    subject=C = CN, ST = Shanghai, L = Shanghai, O = SmartX, OU = Lab, CN = python.harbor.com
    
    issuer=C = CN, ST = Shanghai, L = Shanghai, O = SmartX, OU = Lab, CN = python.harbor.com
    
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 2441 bytes and written 414 bytes
    Verification: OK
    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 833C51D93109EDB1B9D8E9A2A8C5367C9AC8C45E872B3053A2805BA671817842
        Session-ID-ctx: 
        Master-Key: 7E11E48D49B3E3B94B0FEDC7CDAF46F2A9FE2B34834B5DB724E2C9AA76C1623525DD7E7C4DDC7B713DF727A5AAFBAEF4
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
    
        Start Time: 1731051695
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: yes
    ---
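
To script the check described above instead of reading the output by eye, this added example (not part of the original post) keys on the `Verify return code` line, because `openssl s_client` still prints `verify return:1` after a `verify error:` line unless `-verify_return_error` is given. The function names and the two trimmed sample outputs are constructed for illustration; `check_registry` assumes network access to the registry and is only defined, not called.

```shell
#!/bin/sh
# Added example: pass/fail verdict from `openssl s_client` output.

# Print the numeric "Verify return code" read from stdin; status 1 if absent.
# TLS 1.3 output can repeat the line per session ticket, so keep the last one.
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' |
        tail -n 1 | grep .
}

# 0 = chain verified, 1 = verification failed, 2 = no verdict in the output.
chain_verified() {
    cv_out=$(cat)
    cv_code=$(printf '%s\n' "$cv_out" | verify_code) || return 2
    if printf '%s\n' "$cv_out" | grep -q '^verify error:'; then
        return 1
    fi
    [ "$cv_code" -eq 0 ]
}

# Live check (needs network, so it is only defined here).
# -verify_hostname also matches the SAN, which -CAfile alone does not do.
check_registry() {  # usage: check_registry python.harbor.com /etc/ssl/certs/ca.crt
    openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" \
        -verify_return_error -verify_hostname "$1" </dev/null 2>&1 |
        chain_verified
}

# Constructed samples: trimmed output with the CA trusted and not trusted.
SAMPLE_OK='depth=0 CN = python.harbor.com
verify return:1
Verification: OK
    Verify return code: 0 (ok)'
SAMPLE_BAD='depth=0 CN = python.harbor.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = python.harbor.com
verify error:num=21:unable to verify the first certificate
verify return:1
Verification error: unable to verify the first certificate
    Verify return code: 21 (unable to verify the first certificate)'

for sample in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    if printf '%s\n' "$sample" | chain_verified; then
        echo "chain verified"
    else
        echo "NOT verified"
    fi
done
```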
    
    
