当使用默认镜像仓库时,k8s在任务执行时将从网络拉取所需镜像,很明显在实际生产环境中这样的工作方式和效率是不可接受的,本篇文章对docker本地镜像仓库的搭建和k8s的使用进行研究。
0x01 harbor镜像仓库安装
harbor http安装
安装docker-compose: sudo apt-get install -y docker-compose
下载:https://github.com/goharbor/harbor/releases
# 解压
[root@harbor ~]# tar xvf harbor-offline-installer-v2.5.3.tgz -C /usr/local [root@harbor ~]# cd /usr/local/harbor
#因为本机使用ceph作harbor的存储,此处为harbor安装准备路径
/usr/local [root@harbor ~]# mkdir -p /cephfs/harbor/harbor_data
/usr/local [root@harbor ~]# mkdir -p /cephfs/harbor/harbor_logo
# 复制配置文件并修改,这里修改了服务器地址和admin管理账号的登录密码
[root@harbor harbor]# cp harbor.yml.tmpl harbor.yml
[root@harbor harbor]# vim harbor.yml
……
hostname: harbor.cjm.com
……
harbor_admin_password: 12345678
……
# 将https相关的内容注释掉了,为了简单我们先不配置https
# 后面单独配置一次带https的harbor
#https:
# https port for harbor, default is 443
# port: 443 # The path of cert and key files for nginx
# certificate: /your/certificate/path
# private_key: /your/private/key/path
# 这里使用harborcjm.com作为harbor服务器域名。
# 因为是本地使用,这里我们自己在hosts文件里面加上。
# 为了后续访问方便,本地机器最后也在hosts文件里添加一下。
……
data_volume: /cephfs/harbor/harbor_data
……
log:
…….
location: /cephfs/harbor/harbor_log
…
# 添加本地hosts
[root@harbor certs.d]# cat /etc/hosts
127.0.0.1 localhos
192.168.2.16 harbor.cjm.com
[root@harbor harbor]# ./install.sh
[Step 0]: checking if docker is installed … Note: docker version: 20.10.4
[Step 1]: checking docker-compose is installed … Note: docker-compose version: 1.28.5
[Step 2]: loading Harbor images … …
[Step 3]: preparing environment … …
[Step 4]: preparing harbor configs … …
[Step 5]: starting Harbor … …
#使用service管理harbor
[root@harbor harbor]# cat > /lib/systemd/system/harbor.service <<EOF
[Unit]
Description=Docker Harbor
After=docker.service systemd-networkd.service systemd-resolved.service Requires=docker.service
Documentation=http://github.com/vmware/harbor
[Service]
Type=simple Restart=on-failure
ExecStart=/usr/bin/docker-compose -f /usr/local/harbor/docker-compose.yml up ExecStop=/usr/bin/docker-compose -f /usr/local/harbor/docker-compose.yml down RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
[root@harbor harbor]# systemctl enable –now harbor.service
# 通过docker-compose查看
[root@harbor certs.d]# docker-compose ps
此时即可使用IP或harbor.cjm.com登录仓库查看,默认账户名为admin,密码为刚刚设置的12345678。(若局域网可以访问IP无法访问域名,请确认访问机器host)
此时docker无法登录到IP或域名,其原因是docker默认不支持HTTP,网上有很多教程指导如何为docker添加http支持,但是先别这样做,否则后续仍存在无法push等问题,请继续进行https配置。
harbor https配置
默认情况下,harbor不附带证书,本节内容介绍使openssl创建ca,使用ca签署服务器证书和客户端证书。
#生成ca证书私钥
mkdir -p /root/harbor/ssl
cd /root/harbor/ssl
openssl genrsa -out ca.key 4096
#CA证书
openssl req -x509 -new -nodes -sha512 -days 3650 \ -subj “/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.cjm.com” \
-key ca.key \
-out ca.crt
#生成私钥
openssl genrsa -out harbor.cjm.com 4096
#生成证书签名请求
openssl req -sha512 -new \
-subj “/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.cjm.com” \
-key harbor.cjm.com.key \
-out harbor.cjm.com.csr
#生成v3扩展文件
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.cjm.com
DNS.2=harbor.cjm
DNS.3=harbor
EOF
#生成证书
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in registry.harbor.com.csr \
-out registry.harbor.com.crt
#拷贝证书
mkdir -p /cephfs/harbor/harbor_data/cert
cp * /cephfs/harbor/harbor_data/cert
#为docker转换客户端证书
openssl x509 -inform PEM -in harbor.cjm.com.crt -out harbor.cjm.com.cert
#复制证书到docker证书文件夹中
mkdir -p /etc/docker/certs.d/harbor.cjm.com/
cp harbor.cjm.com.cert /etc/docker/certs.d/harbor.cjm.com/
cp harbor.cjm.com.key /etc/docker/certs.d/harbor.cjm.com/
cp ca.crt /etc/docker/certs.d/harbor.cjm.com/
#重启docker
systemctl restart docker
#重新配置harbor
systemctl stop harbor.service
vim /usr/local/harbor/harbor.yml
#为https配置证书路径
……
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
# certificate: /root/harbor/certs/Harbor.crt
#private_key: /root/harbor/certs/Harbor.key
certificate: /cephfs/harbor/harbor_data/cert/harbor.cjm.com.crt
private_key: /cephfs/harbor/harbor_data/cert/harbor.cjm.com.key
……
#重新启动harbor
./prepare
systemctl start harbor.service
#登录
docker login harbor.cjm.com
harbor docker网络配置
若登录后无法push镜像到公共镜像仓库,检查/root/.docker/config.json,按照如下所示配置:
检查 /etc/docker/daemon.json,按照如下所示配置:
然后重启docker:
systemctl daemon-reload
systemctl restart docker.service