https://6xyun.cn/article/50
环境:
192.168.0.65 harbor 、docker
一、安装相关依赖
1、安装Docker
Docker 使用离线版docker-ce-17.03.2.ce-1.el7.centos.x86_64.rpm下载地址:https://download.docker.com/linux/centos/7/x86_64/stable/Packages/
wget https://download.docker.com/linux/centos/7/x86_64/stable/Packages/docker-ce-17.03.2.ce-1.el7.centos.x86_64.rpm
wget https://download.docker.com/linux/centos/7/x86_64/stable/Packages/docker-ce-selinux-17.03.2.ce-1.el7.centos.noarch.rpm
# 将安装 Docker 和依赖包
yum install -y docker-ce-*.rpm
启动docker
systemctl enable docker
systemctl restart docker
查看docker版本
[root@bogon harbor]# docker version
Client:
Version: 17.03.2-ce
API version: 1.27
Go version: go1.7.5
Git commit: f5ec1e2
Built: Tue Jun 27 02:21:36 2017
OS/Arch: linux/amd64
Server:
Version: 17.03.2-ce
API version: 1.27 (minimum version 1.12)
Go version: go1.7.5
Git commit: f5ec1e2
Built: Tue Jun 27 02:21:36 2017
OS/Arch: linux/amd64
Experimental: false
2、安装docker-compose
直接下载
curl -L https://github.com/docker/compose/releases/download/1.8.1/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
方式一:python-pip安装
# 安装python-pip
yum -y install epel-release
yum -y install python-pip # 安装docker-compose
pip install docker-compose
pip install --upgrade pip
方式二:源码安装
wget https://github.com/docker/compose/archive/master.zip
unzip master.zip compose-master
python setup.py install
查看docker-compose版本
[root@bogon harbor]# docker-compose version
docker-compose version 1.13.0dev, build unknown
docker-py version: 2.2.1
CPython version: 2.7.5
OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
二、部署镜像私服Harbor
Harbor官方网址:https://github.com/vmware/harbor
1、下载Harbor离线安装包
wget https://storage.googleapis.com/harbor-releases/release-1.4.0/harbor-offline-installer-v1.4.0.tgz
官方镜像站:http://harbor.orientsoft.cn/
2、解压
tar zxvf harbor-offline-installer-v1.4.0.tgz
3、修改配置文件
cd harbor
vi harbor.cfg
注意:此处我们只修改 hostname=192.168.0.65:5000(私有仓库主机ip)
配置文件参数说明(转自:http://www.cnblogs.com/jicki/p/5737369.html)
## Configuration file of Harbor
# hostname 设置访问地址,支持IP,域名,主机名,禁止设置127.0.0.1
hostname = reg.mydomain.com
# 访问协议,可设置 http,https
ui_url_protocol = http
# 邮件通知, 配置邮件通知。
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
# harbor WEB UI登陆使用的密码
harbor_admin_password = Harbor12345
# 认证方式,这里支持多种认证方式,默认是 db_auth ,既mysql数据库存储认证。
# 这里还支持 ldap 以及 本地文件存储方式。
auth_mode = db_auth
# ldap 服务器访问地址。
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = uid=%s,ou=people,dc=mydomain,dc=com
# mysql root 账户的 密码
db_password = root123
self_registration = on
use_compressed_js = on
max_job_workers = 3
verify_remote_cert = on
customize_crt = on
# 一些显示的设置.
crt_country = CN
crt_state = State
crt_location = CN
crt_organization = organization
crt_organizationalunit = organizational unit
crt_commonname = example.com
crt_email = example@example.com
此处我们只修改 hostname=192.168.0.65:5000(私有仓库主机ip)
修改端口:
需要修改web访问端口的话,先在harbor.cfg中hostname=192.168.0.65:5000,再把docker-compose.yml中的80端口改为5000,如下(只贴修改部分)
[root@bogon harbor]# vi harbor.cfg
hostname=192.168.0.65:5000
[root@bogon harbor]# vi docker-compose.yml
proxy:
image: vmware/nginx:1.11.5-patched
container_name: nginx
restart: always
volumes:
- ./common/config/nginx:/etc/nginx:z
networks:
- harbor
ports:
- 5000:80
- 443:443
- 4443:4443
4.1、配置docker加速拉取官方镜像、同时配置docker可以上传镜像到私有仓库
[root@bogon harbor]# vi /etc/docker/daemon.json
{ "registry-mirrors": ["https://wb2g6zxl.mirror.aliyuncs.com"],"insecure-registries":["192.168.43.65:5000"]}
[root@bogon harbor]# systemctl restart docker
说明:哪台主机需要上传镜像到刚搭建的私有仓库,就需要更改docker进程启动的相关参数
以上参数说明如下:
A、修改docker守护进程启动参数
注意:
--registry-mirror=https://olzwzeg2.mirror.aliyuncs.com 是用于docker镜像下载加速的,
如何设置镜像加速请参照如下链接:
https://www.cnblogs.com/effortsing/p/10060610.html
B、insecure-registries":["192.168.43.65:5000"] 这句话的意思是可以把本地的镜像上传到192.168.43.65这台上的harbor仓库上
哪台主机的docker需要上传镜像到harbor仓库,就需要修改那一台的docker启动参数为 insecure-registries":["192.168.43.65:5000"]
C、然后重启docker进程
重启进程前应先停掉所有在运行的容器
4.2、更新生成相关配置文件
[root@bogon harbor]#./prepare #报错不用管,直接下一步
5、安装
# 启动 Docker
[root@bogon harbor]#systemctl restart docker
# 执行安装脚本
[root@bogon harbor]#./install.sh
完成完成之后就可以在浏览器中输入:http://192.168.0.65::5000 进入Harbor的Web管理后台(5000是docker-compose.yml配置文件中nginx容器的默认端口),
默认的帐号密码是admin,Harbor12345(如果你没有修改harbor.cfg中的harbor_admin_password)
查看compose状态
[root@bogon harbor]# cd harbor (必须先进到harbor仓库里里面,否则无法查看状态)
[root@bogon harbor]# docker-compose ps
Name Command State Ports
--------------------------------------------------------------------------------------------------------------------------------
harbor-adminserver /harbor/start.sh Up
harbor-db /usr/local/bin/docker-entr ... Up 3306/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up 127.0.0.1:1514->10514/tcp
harbor-ui /harbor/start.sh Up
nginx nginx -g daemon off; Up 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:5000->80/tcp
registry /entrypoint.sh serve /etc/ ... Up 5000/tcp
停止harbor
(必须进到harbor目录下执行,否则报错)
[root@bogon harbor]# cd harbor
[root@bogon harbor]# docker-compose stop
启动harbor
(必须进到harbor目录下执行,否则报错)
[root@bogon harbor]# cd harbor
[root@bogon harbor]# docker-compose start
6、上传镜像到私有仓库
修改docker镜像tag标签 (注意标签的规范格式)
注意;下面的tag标签是按照修改harbor的端口后上传的,需要tag镜像带上端口,否则无法上传,报错
格式为:ip:端口/项目名/image名字:版本号(项目名为harbor中的项目名)
[root@bogon harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest c82521676580 2 weeks a
[root@bogon harbor]# docker tag nginx:latest 192.168.43.65:5000/library/nginx/latest
[root@bogon harbor]# docker images
192.168.43.65:5000/library/nginx/latest latest c82521676580 2 weeks ago 109 MB
登陆并push
账号密码: admin/Harbor12345
[root@bogon harbor]# docker login 192.168.43.65:5000
Username (admin):
Password:
Login Succeeded
[root@bogon harbor]# docker push 192.168.43.65:5000/library/nginx/latest
The push refers to a repository [192.168.43.65:5000/library/nginx/latest]
08d25fa0442e: Pushed
a8c4aeeaa045: Pushed
cdb3f9544e4c: Pushed
latest: digest: sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f size: 948
退出登录:
docker logout
报错:
[root@bogon harbor]# docker login 192.168.43.65:5000
Username (admin): admin
Password: Harbor12345
Login Succeeded
[root@bogon harbor]# docker push 192.168.43.65/library/nginx:latest
The push refers to a repository [192.168.43.65/library/nginx]
Get https://192.168.43.65/v1/_ping: dial tcp 192.168.43.65:443: getsockopt: connection refused
解决:
能登录成功但是无法上传镜像, 是因为harbor的端口是5000, 没有用原来的80端口,所以需要tag镜像的时候加上5000端口再push
[root@bogon harbor]# docker tag 192.168.43.65/library/nginx:latest 192.168.43.65:5000/library/nginx/latest
[root@bogon harbor]# docker login 192.168.43.65:5000
Username (admin):
Password:
Login Succeeded
[root@bogon harbor]# docker push 192.168.43.65:5000/library/nginx/latest
The push refers to a repository [192.168.43.65:5000/library/nginx/latest]
08d25fa0442e: Pushed
a8c4aeeaa045: Pushed
cdb3f9544e4c: Pushed
latest: digest: sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f size: 948
7、k8s中使用harbor
7.1、在harbor的ui界面上注册一个账号
姓名:zihao
全名:zhuzihao
密码:Zihao@5tgb
邮箱:15613691030@163.com
7.2、在需要从harbor仓库中拉取镜像的主机上,同样必须要修改docker进程参数(没有这一步,以后会出现各种错误)
在node节点配置:
[root@reg harbor]# vi /etc/docker/daemon.json
{ "registry-mirrors": ["https://wb2g6zxl.mirror.aliyuncs.com"],"insecure-registries": ["192.168.43.65:5000"]}
重启docker
7.3、在node节点验证登录harbor主机
[root@lab2 ~]# docker login 192.168.43.65:5000
Username (zihao): zihao
Password:
Login Succeeded
[root@lab2 ~]# docker logout
Not logged in to https://index.docker.io/v1/
7.4、配置私有仓库harbor的secret
在harbor这台上先登录,输入docker login登陆成功后,会在 /root/.docker/ 目标下生成一个 config.json 文件
[root@reg harbor]# docker login 192.168.43.65:5000
Username (admin): admin
Password:
Login Succeeded
[root@reg harbor]# ls /root/.docker/
config.json
[root@reg harbor]# cat /root/.docker/config.json
{
"auths": {
"192.168.43.65:5000": {
"auth": "YWRtaW46SGFyYm9yMTIzNDU="
},
"wb2g6zxl.mirror.aliyuncs.com": {
"auth": "YWRtaW46SGFyYm9yMTIzNDU="
}
}
}
创建secret
准备:
kubectl create secret docker-registry registry-secret --namespace=default
--docker-server=192.168.43.65:5000 --docker-username=zihao
--docker-password=Zihao@5tgb --docker-email=15613691030@163.com
创建:
[root@lab2 nginx-harbor]# kubectl create secret docker-registry registry-secret --namespace=default
> --docker-server=192.168.43.65:5000 --docker-username=zihao
> --docker-password=Zihao@5tgb --docker-email=15613691030@163.com
查看secret
[root@lab2 nginx-harbor]# kubectl get secret
NAME TYPE DATA AGE
default-token-czfbg kubernetes.io/service-account-token 3 21d
registry-secret kubernetes.io/dockerconfigjson 1 1h
删除secret
[root@lab2 nginx-harbor]# kubectl delete secret registry-secret
secret "registry-secret" deleted
7.5、在k8s的node节点中使用yaml拉取镜像
注意: image不要写成 http:// 这样无法拉取镜像
下面两句不写也可以
imagePullSecrets:
- name: registry-secret
spec:
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
containers:
- name: http-test-con
image: 192.168.43.65:5000/library/nginx/latest:latest
imagePullPolicy: Always
ports:
- containerPort: 80
imagePullSecrets:
- name: registry-secret
测试:
[root@lab2 nginx-harbor]# vi http-test.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: http-test-dm2
spec:
replicas: 1
template:
metadata:
labels:
name: http-test-dm2
spec:
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
containers:
- name: http-test-con
image: 192.168.43.65:5000/library/nginx/latest:latest
imagePullPolicy: Always
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: http-nginx-ser
spec:
type: NodePort
ports:
- port: 80
nodePort: 30000
targetPort: 80
selector:
name: http-test-dm2
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: grafana
spec:
rules:
- host: www.nginx2.com
http:
paths:
- path: /
backend:
serviceName: http-nginx-ser
servicePort: 80
[root@lab2 nginx-harbor]# kubectl create -f http-test.yaml
[root@lab2 nginx-harbor]# kubectl get po
NAME READY STATUS RESTARTS AGE
http-test-dm2-7f9c4fd896-jkkrx 1/1 Running 0 8m
8、其他主机从私有仓库下载镜像
在需要下载镜像的机器上,需要修改docker进程参数(跟上传镜像到私有仓库一样操作进行修改)
docker pull 192.168.0.65/library/busybox:latest
9、管理
9.1、修改端口号
对于http发布方式,Harbor默认使用80端口,需要修改端口按照如下方法: 修改docker-compose.yml中nginx的配置,将80:80的第一个80改为自定义的端口号。 修改common/templates/registry/config.yml,在auth部分[root@bogon harbor]#ui_url后面加上自定义的端口号 修改完成后,运行下面的命令重新配置Harbor
docker-compose down
./install.sh
对于第一次安装,直接修改完所有配置文件后执行install.sh就可以。
9.2、停止/启动Harbor
docker-compose stop
docker-compose start
9.3、卸载Harbor
执行如下步骤彻底删除Harbor,以便重新安装:
sudo docker-compose down
rm -rf /data/database
rm -rf /data/registry
9.4、修改Harbor配置
首先删除container,修改配置,然后运行install.sh重新启动container,命令如下:
docker-compose down
vim harbor.cfg
./install.sh
三、部署镜像服Registry
由于Harbor已经包含了registry的镜像,这里就将就使用这个镜像来部署。
配置
创建一个存储registery配置的文件夹:
mkdir registry
拷贝harbor内registry的配置文件
cp harbor/common/config/registry/* registry/
向config.yml追加代理配置
cat>>registry/config.yml<<'EOF'
proxy:
remoteurl: https://registry-1.docker.io
EOF
创建一个docker-compose.yml文件,内容如下:
version: '2'
services:
registry:
image: vmware/registry-photon:v2.6.2-v1.4.0
container_name: registry-mirror
restart: always
volumes:
- /data/registry:/storage:z
- ../registry/:/etc/registry/:z
networks:
- harbor
ports:
- '5000:5000'
environment:
- GODEBUG=netdns=cgo
command:
["serve", "/etc/registry/config.yml"]
networks:
harbor:
external: false
管理
# 启动cd registry && docker-compose start# 停止cd registry && docker-compose stop
使用
同阿里云设置,地址改一下就可以。 这里地址根据配置文件是:
http://192.168.0.65:5000