From 0b3938b411a83410be6fd210434bbde0db32f8a8 Mon Sep 17 00:00:00 2001
From: Wenkai Yin
Date: Wed, 23 Nov 2016 17:29:00 +0800
Subject: [PATCH 1/6] workaround for dns and hostname issue

---
 tools/ova/script/common.sh | 3 +++
 tools/ova/script/config.sh | 30 +++++++++++++++++++++++++++---
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/tools/ova/script/common.sh b/tools/ova/script/common.sh
index db57ce047..b70becf51 100755
--- a/tools/ova/script/common.sh
+++ b/tools/ova/script/common.sh
@@ -10,6 +10,9 @@ function down {
 function up {
 base_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 $base_dir/start_harbor.sh
+
+ echo "Resetting DNS and hostname using vami_ovf_process..."
+ /opt/vmware/share/vami/vami_ovf_process --setnetwork || true
 }
 #Configure Harbor
diff --git a/tools/ova/script/config.sh b/tools/ova/script/config.sh
index 4e630fda1..655bd64f5 100755
--- a/tools/ova/script/config.sh
+++ b/tools/ova/script/config.sh
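Review bot: In `up`, the added `vami_ovf_process --setnetwork || true` discards the exit status of a command that rewrites the appliance's DNS and hostname, so a failed reset leaves Harbor running under whatever hostname was configured before, with no trace in the log; the same pattern appears in `detectHostname` in the config.sh hunk of this patch. Keep the best-effort intent but report the failure: `/opt/vmware/share/vami/vami_ovf_process --setnetwork || echo "vami_ovf_process --setnetwork failed (status $?)" >&2`. The reset also runs after `$base_dir/start_harbor.sh`; if anything in start_harbor.sh reads the hostname (the certificate generation described later in this series appears to), the reset presumably needs to precede it — worth confirming. A one-line comment above the call stating why the reset is repeated here rather than only in config.sh would help, e.g. `# Workaround: re-apply OVF network settings in case the hostname/DNS changed since first boot`.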
@@ -131,20 +131,44 @@ function secure {
 cp $ca_cert $ca_download_dir/
 }
+function detectHostname {
+ #echo "Read attribute using ovfenv: [ vami.domain.Harbor ]"
+ #hostname=$(ovfenv -k vami.domain.Harbor)
+ #if [ -n $hostname ]
+ #then
+ # echo "Get hostname from ovfenv: $hostname"
+ # return
+ #fi
+ echo "Resetting DNS and hostname using vami_ovf_process..."
+ /opt/vmware/share/vami/vami_ovf_process --setnetwork || true
+ hostname=$(hostname --fqdn) || true
+ if [ -n $hostname ]
+ then
+ if [ "$hostname" = "localhost.localdom" ]
+ then
+ hostname=""
+ return
+ fi
+ echo "Get hostname from command 'hostname --fqdn': $hostname"
+ return
+ fi
+}
+
 #Modify hostname
-hostname=$(hostname --fqdn) || true
+detectHostname
 ip_addr=$(ip addr show eth0|grep "inet "|tr -s ' '|cut -d ' ' -f 3|cut -d '/' -f 1)
 if [ -z "$hostname" ]
 then
+ echo "Hostname is null, set it to IP"
 hostname=$ip_addr
 fi
 if [ -n "$hostname" ]
 then
- echo "Read hostname/IP: [ hostname/IP - $hostname ]"
+ echo "Hostname: $hostname"
 configureHarborCfg hostname $hostname
 else
- echo "Failed to get the hostname/IP"
+ echo "Failed to get the hostname"
 exit 1
 fi

From 810db2415f498dfd384ab50345fd0463f79282b9 Mon Sep 17 00:00:00 2001
From: Henry Zhang
Date: Wed, 23 Nov 2016 23:26:57 +0800
Subject: [PATCH 2/6] update ova installation guide

---
 docs/installation_guide_ova.md | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/docs/installation_guide_ova.md b/docs/installation_guide_ova.md
index c68760eff..7340bcfc3 100644
--- a/docs/installation_guide_ova.md
+++ b/docs/installation_guide_ova.md
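Review bot: `if [ -n $hostname ]` in the new `detectHostname` is unquoted, so when `hostname --fqdn` yields nothing the test collapses to `[ -n ]`, a one-argument test that is true; the function then logs `Get hostname from command 'hostname --fqdn':` with an empty value and returns, and only the caller's later `-z` check rescues it by falling back to the IP. Quote it: `if [ -n "$hostname" ]` (the commented-out ovfenv block repeats the same unquoted test; either quote it too or drop the dead code). The value chosen here ends up in `configureHarborCfg hostname $hostname` and, per the guide changes in this series, in the subject of the generated self-signed certificate, so the `localhost.localdom` sentinel deserves a check against what the appliance actually reports when DNS is unresolved — `localhost.localdomain` is the more common default, but that cannot be confirmed from the hunk. `configureHarborCfg hostname $hostname` is also unquoted, though that line is pre-existing context.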
@@ -16,7 +16,10 @@ By default, Harbor stores user information in an internal database. Harbor can a ### Security -By default, Harbor uses HTTPS for secure communication. A self-signed certificate is generated at first boot. A Docker client or a VCH (Virtual Container Host) needs to trust the certificate of Harbor's CA in order to interact with Harbor. +By default, Harbor uses HTTPS for secure communication. A self-signed certificate is generated at first boot based on its FQDN or IP address. A Docker client or a VCH (Virtual Container Host) needs to trust the certificate of Harbor's CA in order to interact with Harbor. +Harbor always tries to generate a self-signed certificate based on its FQDN. Therefore, its IP address must have a FQDN associated with it in the DNS server. If Harbor cannot resolve its IP address to a FQDN, it generates the self-signed certificate using its IP address. In this case, Harbor can only be accessed by IP address. + +If Harbor's IP address or FQDN is changed, the self-signed certificate will be re-generated. However, since the certificate of Harbor's own CA does not change, no certificate update is needed at the Docker client or VCH. The self-generated certificate can be replaced by supplying a certificate signed by other CAs in OVA's settings. 
@@ -26,6 +29,8 @@ Harbor can be configured to use plain HTTP for some environments such as testing Harbor can obtain IP address by DHCP. This is convenient for testing purpose. For a production system, it is recommended that static IP address and host name be used. +For the purpose of generating a self-signed certificate, it is recommended that a DNS record be added to associate Harbor's IP address with a FQDN. This is necessary for both static IP address and dynamic IP address acquired from DHCP. If a DNS record is missing for Harbor's IP address, Harbor can only be accessed by its IP address. + ## Installation 1. Download the OVA file to your local disk from the **[official release page](https://github.com/vmware/harbor/releases)**. @@ -123,7 +128,7 @@ Harbor can obtain IP address by DHCP. This is convenient for testing purpose. Fo ## Getting Certificate of Harbor's CA -By default, Harbor uses a self-signed certificate in HTTPS. A Docker client or a VCH needs to trust Harbor's CA certificate in order to interact with Harbor. +By default, Harbor uses a self-signed certificate in HTTPS. A Docker client or a VCH needs to trust the certificate of Harbor's CA in order to interact with Harbor. To download the certificate of Harbor's CA and import into a Docker client, follow the below steps: 1. Log in Harbor's UI as an admin user. 
@@ -132,12 +137,14 @@ To download the certificate of Harbor's CA and import into a Docker client, foll ![ova](img/ova/downloadcert.png) -4. Copy the certificate file to a Docker host, put it under the below directory. Replace **host_name_or_IP_of_Harbor** with the actual host name or IP address of Harbor instance. You may need to create the directory if it does not exist: +4. Copy the certificate file to a Docker host and put it under the below directory. Replace **FQDN_or_IP_of_Harbor** with the actual FQDN or IP address of Harbor instance. You may need to create the directory if it does not exist: ``` - /etc/docker/certs.d/host_name_or_IP_of_Harbor/ca.crt + /etc/docker/certs.d/FQDN_or_IP_of_Harbor/ca.crt ``` + **Note:** If FQDN is used in the above directory, Harbor can be accessed by FQDN. Otherwise, Harbor should be accessed via IP address. + 5. Restart Docker service. -6. Run `docker login` to verify that HTTPS is working. +6. Run `docker login` command to verify that HTTPS is working. To import the CA's certificate into VCH, complete Step 1-3 and refer to VCH's document for instructions. From ee7ad59143cb78123bebaa5e3d2aa02a388a160c Mon Sep 17 00:00:00 2001 From: Henry Zhang Date: Wed, 23 Nov 2016 23:33:33 +0800 Subject: [PATCH 3/6] update installation guide --- docs/installation_guide_ova.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/installation_guide_ova.md b/docs/installation_guide_ova.md index 7340bcfc3..3d66714a1 100644 --- a/docs/installation_guide_ova.md +++ b/docs/installation_guide_ova.md 
@@ -17,11 +17,12 @@ By default, Harbor stores user information in an internal database. Harbor can a ### Security By default, Harbor uses HTTPS for secure communication. A self-signed certificate is generated at first boot based on its FQDN or IP address. A Docker client or a VCH (Virtual Container Host) needs to trust the certificate of Harbor's CA in order to interact with Harbor. + Harbor always tries to generate a self-signed certificate based on its FQDN. Therefore, its IP address must have a FQDN associated with it in the DNS server. If Harbor cannot resolve its IP address to a FQDN, it generates the self-signed certificate using its IP address. In this case, Harbor can only be accessed by IP address. -If Harbor's IP address or FQDN is changed, the self-signed certificate will be re-generated. However, since the certificate of Harbor's own CA does not change, no certificate update is needed at the Docker client or VCH. +If Harbor's IP address or FQDN is changed, the self-signed certificate will be re-generated. However, since the certificate of Harbor's own CA does not change, no certificate update is needed in the Docker client or VCH. -The self-generated certificate can be replaced by supplying a certificate signed by other CAs in OVA's settings. +Harbor's self-generated certificate can be replaced by supplying a certificate signed by other CAs in OVA's settings. Harbor can be configured to use plain HTTP for some environments such as testing and continuous integration (CI). However, it is **NOT** recommended to use HTTP for production because the communication is never secure. 
@@ -137,7 +138,7 @@ To download the certificate of Harbor's CA and import into a Docker client, foll ![ova](img/ova/downloadcert.png) -4. Copy the certificate file to a Docker host and put it under the below directory. Replace **FQDN_or_IP_of_Harbor** with the actual FQDN or IP address of Harbor instance. You may need to create the directory if it does not exist: +4. Copy the certificate file to a Docker host and put it under the below directory. Replace **FQDN_or_IP_of_Harbor** with the actual FQDN or IP address of the Harbor instance. You may need to create the directory if it does not exist: ``` /etc/docker/certs.d/FQDN_or_IP_of_Harbor/ca.crt ``` From 0c62b5060697928f3ff650ce428375ac5efaeac4 Mon Sep 17 00:00:00 2001 From: Henry Zhang Date: Wed, 23 Nov 2016 23:35:57 +0800 Subject: [PATCH 4/6] update installation guide --- docs/installation_guide_ova.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/installation_guide_ova.md b/docs/installation_guide_ova.md index 3d66714a1..1c8c49783 100644 --- a/docs/installation_guide_ova.md +++ b/docs/installation_guide_ova.md 
@@ -20,7 +20,7 @@ By default, Harbor uses HTTPS for secure communication. A self-signed certificat Harbor always tries to generate a self-signed certificate based on its FQDN. Therefore, its IP address must have a FQDN associated with it in the DNS server. If Harbor cannot resolve its IP address to a FQDN, it generates the self-signed certificate using its IP address. In this case, Harbor can only be accessed by IP address. -If Harbor's IP address or FQDN is changed, the self-signed certificate will be re-generated. However, since the certificate of Harbor's own CA does not change, no certificate update is needed in the Docker client or VCH. +When Harbor's IP address or FQDN is changed, the self-signed certificate will be re-generated. However, since the certificate of Harbor's own CA does not change, no certificate update is needed in the Docker client or VCH. Harbor's self-generated certificate can be replaced by supplying a certificate signed by other CAs in OVA's settings. From 814e89cadb2064d76e118790873a19e1021a17d6 Mon Sep 17 00:00:00 2001 From: Henry Zhang Date: Thu, 24 Nov 2016 22:39:01 +0800 Subject: [PATCH 5/6] update ova installation guide --- docs/installation_guide_ova.md | 35 +++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/docs/installation_guide_ova.md b/docs/installation_guide_ova.md index 1c8c49783..41732affc 100644 --- a/docs/installation_guide_ova.md +++ b/docs/installation_guide_ova.md 
@@ -16,11 +16,9 @@ By default, Harbor stores user information in an internal database. Harbor can a ### Security -By default, Harbor uses HTTPS for secure communication. A self-signed certificate is generated at first boot based on its FQDN or IP address. A Docker client or a VCH (Virtual Container Host) needs to trust the certificate of Harbor's CA in order to interact with Harbor. +Harbor uses HTTPS for secure communication by default. A self-signed certificate is generated at first boot based on its FQDN (Fully Qualified Domain Name) or IP address. A Docker client or a VCH (Virtual Container Host) needs to trust the certificate of Harbor's CA (Certificate Authority) in order to interact with Harbor. -Harbor always tries to generate a self-signed certificate based on its FQDN. Therefore, its IP address must have a FQDN associated with it in the DNS server. If Harbor cannot resolve its IP address to a FQDN, it generates the self-signed certificate using its IP address. In this case, Harbor can only be accessed by IP address. - -When Harbor's IP address or FQDN is changed, the self-signed certificate will be re-generated. However, since the certificate of Harbor's own CA does not change, no certificate update is needed in the Docker client or VCH. +Harbor always tries to generate a self-signed certificate based on its FQDN. Therefore, its IP address must have a FQDN associated with it in the DNS server. If Harbor cannot resolve its IP address to a FQDN, it generates the self-signed certificate using its IP address. In this case, Harbor can only be accessed by IP address. When Harbor's IP address or FQDN is changed, the self-signed certificate will be re-generated. Harbor's self-generated certificate can be replaced by supplying a certificate signed by other CAs in OVA's settings. 
@@ -28,7 +26,7 @@ Harbor can be configured to use plain HTTP for some environments such as testing ### Networking -Harbor can obtain IP address by DHCP. This is convenient for testing purpose. For a production system, it is recommended that static IP address and host name be used. +Harbor can obtain IP address by DHCP. This is convenient for testing purpose. For a production system, it is recommended that static IP address and FQDN be used. For the purpose of generating a self-signed certificate, it is recommended that a DNS record be added to associate Harbor's IP address with a FQDN. This is necessary for both static IP address and dynamic IP address acquired from DHCP. If a DNS record is missing for Harbor's IP address, Harbor can only be accessed by its IP address. @@ -60,7 +58,7 @@ For the purpose of generating a self-signed certificate, it is recommended that ![ova](img/ova/ova06.png) -8. Configure the network(s) the virtual appliance should be connected to. +8. Configure the network(s) that the virtual appliance should be connected to. ![ova](img/ova/ova07.png) @@ -78,7 +76,7 @@ For the purpose of generating a self-signed certificate, it is recommended that * Authentication - The **Authentication Mode** must be set before the first boot of Harbor. Subsequent changes to **Authentication Mode** does not have any effect. When **ldap_auth** mode is enabled, properties related to LDAP/AD must be set. + The **Authentication Mode** must be set before the first boot of Harbor. Subsequent changes to **Authentication Mode** do not have any effect. When **ldap_auth** mode is enabled, properties related to LDAP/AD must be set. * **Authentication Mode**: The default authentication mode is **db_auth**. Set it to **ldap_auth** when users' credentials are stored in an LDAP or AD server. Note: this option can only be set once. * **LDAP URL**: The URL of an LDAP/AD server. 
@@ -109,7 +107,7 @@ For the purpose of generating a self-signed certificate, it is recommended that * Networking properties * **Default Gateway**: The default gateway address for this VM. Leave blank if DHCP is desired. - * **Domain Name**: The domain name of this VM. Leave blank if DHCP is desired. + * **Domain Name**: The domain name of this VM. Run command `man resolv.conf` for more explanation. Leave blank if DHCP is desired or the domain name is not needed for static IP. * **Domain Search Path**: The domain search path(comma or space separated domain names) for this VM. Leave blank if DHCP is desired. * **Domain Name Servers**: The domain name server IP Address for this VM(comma separated). Leave blank if DHCP is desired. * **Network 1 IP Address**: The IP address of this interface. Leave blank if DHCP is desired. 
@@ -138,14 +136,20 @@ To download the certificate of Harbor's CA and import into a Docker client, foll ![ova](img/ova/downloadcert.png) -4. Copy the certificate file to a Docker host and put it under the below directory. Replace **FQDN_or_IP_of_Harbor** with the actual FQDN or IP address of the Harbor instance. You may need to create the directory if it does not exist: +4. Copy the certificate file `ca.crt` to a Docker host. To access Harbor using its FQDN, run the below commands, replace `` with the actual FQDN of the Harbor instance: ``` - /etc/docker/certs.d/FQDN_or_IP_of_Harbor/ca.crt + mkdir -p /etc/docker/certs.d/ + cp ca.crt /etc/docker/certs.d// ``` - **Note:** If FQDN is used in the above directory, Harbor can be accessed by FQDN. Otherwise, Harbor should be accessed via IP address. + To access Harbor using its IP address, run the below commands, replace `` with the actual IP address of the Harbor instance: + ``` + mkdir -p /etc/docker/certs.d/ + cp ca.crt /etc/docker/certs.d// + ``` + + **Note:** If you run the above two sets of commands, Harbor can be accessed by both FQDN and IP address. -5. Restart Docker service. -6. Run `docker login` command to verify that HTTPS is working. +5. Run `docker login` command to verify that HTTPS is working. To import the CA's certificate into VCH, complete Step 1-3 and refer to VCH's document for instructions. 
@@ -164,9 +168,10 @@ If you want to change the properties of Harbor, follow the below steps: 4. **Power on** the VM. **Notes:** -1. The authentication mode can only be set once on firtst boot. Subsequent modification of this option does not have any effect. +1. The authentication mode can only be set once before the firtst boot. Subsequent modification of this option does not have any effect. 2. The initial admin password, root password of the virtual appliance, MySQL root password, and all networking properties can not be modified using this method after Harbor's first launch. Modify them by the following approach: * **Harbor Admin Password**: Change it in Harbor admin portal. * **Root Password of Virtual Appliance**: Change it by logging in the virtual appliance and doing it in the Linux operating system. * **MySQL Root Password**: Change it by logging in the virtual appliance and doing it in the Linux operating system. - * **Networking Properties**: Visit `https://harbor_ip_address:5480`, log in with root/password of your virtual appliance and modify networking properties. Reboot the system after you changing them. \ No newline at end of file + * **Networking Properties**: Visit `https://harbor_ip_address:5480`, log in with root/password of your virtual appliance and modify networking properties. Be sure to reboot the system after modification to ensure Harbor's self-signed certificate gets updated. + \ No newline at end of file From f4017bdd5afd8f49d2d26c9fa9c2f88898963381 Mon Sep 17 00:00:00 2001 From: Henry Zhang Date: Thu, 24 Nov 2016 22:47:33 +0800 Subject: [PATCH 6/6] update ova installation guide --- docs/installation_guide_ova.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/installation_guide_ova.md b/docs/installation_guide_ova.md index 41732affc..7a760bbaa 100644 --- a/docs/installation_guide_ova.md +++ b/docs/installation_guide_ova.md 
@@ -173,5 +173,5 @@ If you want to change the properties of Harbor, follow the below steps: * **Harbor Admin Password**: Change it in Harbor admin portal. * **Root Password of Virtual Appliance**: Change it by logging in the virtual appliance and doing it in the Linux operating system. * **MySQL Root Password**: Change it by logging in the virtual appliance and doing it in the Linux operating system. - * **Networking Properties**: Visit `https://harbor_ip_address:5480`, log in with root/password of your virtual appliance and modify networking properties. Be sure to reboot the system after modification to ensure Harbor's self-signed certificate gets updated. - \ No newline at end of file + * **Networking Properties**: Visit `https://harbor_ip_address:5480`, log in with root/password of your virtual appliance and modify networking properties. Reboot the system after modification to ensure Harbor's self-signed certificate gets updated. +