How to build a Harbor server on Photon 4 OS
Harbor is a CNCF application and code repository, and is one of the preferred ways to get code and applications into and out of an airgapped environment. There are several guides available on the web on how to deploy Harbor, but I wanted to make my own guide on how to set one up on a Photon 4 OS virtual machine.
1.) Install Photon 4 OS
Deploy the Photon 4 image in vCenter. I deployed the machine with 2 vCPUs, 8GB of RAM and added an extra 200GB disk.
Power on the VM and use the TUI to make the initial configuration.
In the disk selection section, select the /dev/sda disk and select Auto.
Select Photon Minimal install.
Select Configure network Manually, enter your VM IP information and DNS, hit OK.
Select VMware hypervisor optimized, hit next.
Enter hostname and password, hit confirm to begin installation. The VM will now install and reboot.
Once the VM reboots, log into the VM with VMRC. Photon OS is very locked down by default, so some configuration is needed before the system can be managed remotely. As the root user, open the SSH daemon configuration to enable root access via SSH:
vi /etc/ssh/sshd_config
Navigate to the bottom of the file, change the PermitRootLogin parameter to yes (or to prohibit-password if you will log in with an SSH key, which keeps the root password off the network), save the file and exit. Restart the service so the change takes effect: systemctl restart sshd.
You can now SSH to the node as root using PuTTY.
Enable ping to the VM:
iptables -A INPUT -p ICMP -j ACCEPT
iptables -A OUTPUT -p ICMP -j ACCEPT
Note that rules added this way are not persistent on Photon OS unless they are saved to /etc/systemd/scripts/ip4save, the file the iptables service loads at boot.
As this is an airgapped lab environment, we need to add access to our proxy server by editing the /etc/sysconfig/proxy file (vi /etc/sysconfig/proxy). Ensure that the airgap server FQDN and the network it resides in are placed in the NO_PROXY section.
Reboot the VM, log back in and test connectivity towards the outside world:
curl https://projects.registry.vmware.com --head
curl https://vmwtec.jfrog.io --head
curl https://packages.vmware.com --head
curl https://github.com --head
Install the packages needed in the following steps:
tdnf install -y bindutils tar parted
Install docker-compose, which the Harbor installer requires, then start and enable Docker:
curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose --version
systemctl start docker
systemctl enable docker
docker version
Configure the secondary (200GB) VM disk:
fdisk -l
parted /dev/sdb mklabel gpt mkpart ext4 0% 100%
mkfs -t ext4 /dev/sdb1
mkdir /data
vi /etc/fstab
Add the following line to the end of the file:
/dev/sdb1 /data ext4 defaults 0 0
Exit the file, and mount the volume:
mount /data
df -h
2.) Deploy Harbor
Create the working directory and the Docker certificate directory for the registry, then download the offline installer and extract it into /harbor:
mkdir -p /harbor /etc/docker/certs.d/YOUR:VM:FQDN:GOES:HERE
cd /harbor
curl -sLO https://github.com/goharbor/harbor/releases/download/v2.4.1/harbor-offline-installer-v2.4.1.tgz
tar xvf harbor-offline-installer-v2.4.1.tgz --strip-components=1
Prepare SSL certificates. The OpenSSL request configuration below sets prompt = no so the distinguished name fields are taken from the file instead of being asked for interactively, and lists the VM IP address as an IP.n entry of alt_names, since an IP address in a DNS.n entry is not matched by clients:
cat > /harbor/harbor_cert.conf <<-EOF
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = NO
stateOrProvinceName = Oslo
localityName = Oslo
organizationName = YOUR.ORG
commonName = HARBORVMNAME.DNSNAME
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = HARBORVMNAME.DNSNAME
DNS.2 = HARBORVMNAME
IP.1 = YOURDNSIP
EOF
These commands (assumed here from the file names used in the following steps) generate the private key and the certificate signing request:
openssl genrsa -out harbor_key.key 2048
openssl req -new -key harbor_key.key -out harbor_req.csr -config harbor_cert.conf
Create the certificate file. openssl x509 -req does not copy the extensions from the CSR, so the configuration is passed again with -extfile and -extensions; without this the certificate carries no subjectAltName and Docker refuses to trust it for the registry hostname:
openssl x509 -req -days 365 -in harbor_req.csr -signkey harbor_key.key -extfile /harbor/harbor_cert.conf -extensions req_ext -out ca.crt
Copy the certificate files over to the Docker certificate directory (Docker reads the ca.crt in this directory to trust the registry; the directory name must match the hostname used with docker login):
cp harbor.cert harbor_key.key ca.crt /etc/docker/certs.d/YOUR:VM:FQDN:GOES:HERE/
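A check worth running before the installer, as an added example that is not part of the original guide: it verifies that the certificate generated above lists the FQDN as a DNS subjectAltName, is not within 30 days of expiry, and matches harbor_key.key. It assumes openssl is on the PATH; the paths in the usage comment are the ones used in this guide.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity-check a Harbor TLS
# certificate and key before running install.sh. Go-based clients such as
# Docker refuse a certificate whose subjectAltName does not list the registry
# FQDN, so the check fails when the SAN is missing, when the certificate is
# about to expire, or when the key does not belong to the certificate.
# Usage: check_harbor_cert CERT KEY FQDN   (returns 0 only if all checks pass)

check_harbor_cert() {
    cert="$1"; key="$2"; fqdn="$3"; rc=0

    # 1. The FQDN must be present as a DNS entry in subjectAltName.
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null \
            | grep -A1 'Subject Alternative Name' \
            | grep -Eq "DNS:$fqdn(,|$)"; then
        echo "FAIL: subjectAltName of $cert does not contain DNS:$fqdn" >&2
        rc=1
    fi

    # 2. The certificate must still be valid 30 days (2592000 s) from now.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: $cert is expired or expires within 30 days" >&2
        rc=1
    fi

    # 3. The public key in the certificate must match the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the public key in $cert" >&2
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cert and $key are usable for $fqdn"
    return "$rc"
}

# Example call using the paths from this guide (replace the FQDN placeholder):
# check_harbor_cert /harbor/ca.crt /harbor/harbor_key.key HARBORVMNAME.DNSNAME
```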
Create the Harbor configuration file from the template:
cp harbor.yml.tmpl harbor.yml
Edit the Harbor configuration file: set hostname to the FQDN of the Harbor server and, in the https section, set certificate to the path of ca.crt and private_key to the path of harbor_key.key.
Save the file, and run the installer with ./install.sh.
Verify that all containers have started with docker ps.
Verify that you can log into Harbor by navigating to the VM FQDN URL in a browser.
Lastly, configure the Harbor service to automatically start on boot:
systemctl enable harbor.service