K8S(02) Simulating a production environment: building a highly available cluster, part 2: Docker private registry

By | May 6, 2021

Because Kubernetes orchestrates Docker containers, the Kubernetes setup has to pull the images it needs from a Docker registry. A production k8s cluster is usually built on an internal network, so a private Docker registry has to be set up on that internal network.

Install the docker service

Download the docker binary package:
https://download.docker.com/linux/static/stable/x86_64/docker-19.03.4.tgz

Extract the docker binary package
Upload the downloaded docker binary package to the server, then extract it:
tar -zxvf docker-19.03.4.tgz


Move the binaries to the system bin directory
In the extracted directory run: sudo cp docker/* /usr/bin/

Start the docker daemon
sudo dockerd &

At this point docker info shows the docker service information


Add the docker daemon parameter file
# sudo applies only to cat, not to the shell's redirection, so the file is written with tee instead
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<EOF
{
"insecure-registries":["192.168.100.101"]
}
EOF

Register docker as a system service
sudo vi /usr/lib/systemd/system/docker.service
The file content is as follows:

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
# Type=notify allows exactly one ExecStart= line. The daemon listens on the local
# unix socket; the commented variant below additionally exposes the daemon API on
# tcp://0.0.0.0:2375 without TLS, which gives anyone on the network root-equivalent
# control of the host. If remote access is needed, bind to a specific address and
# add --tlsverify with --tlscacert/--tlscert/--tlskey.
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock
# ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
ExecReload=/bin/kill -s HUP $MAINPID

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity

# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
# TasksMax=infinity
TimeoutStartSec=0

# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes

# kill only the docker process, not all processes in the cgroup
KillMode=process

# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target
After that the docker service can be managed with service docker restart/stop/status or systemctl start/stop/status docker.
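The unit above is where the daemon's exposure is decided, so it is worth checking mechanically before it is enabled on every node. The following script is an added example, not code from the original post: a grep-based audit of a dockerd systemd unit for the three settings that matter here (more than one ExecStart= under Type=notify, a plaintext -H tcp:// listener without --tlsverify, and the blanket FORWARD ACCEPT rule). The function names, finding labels and the constructed sample units are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a dockerd systemd unit.
# Assumes one directive per line, as systemd unit files use.
set -eu

# audit_dockerd_unit FILE
# Prints one finding per line, or "clean" when none applies:
#   multiple-execstart   more than one ExecStart= with Type=notify (systemd rejects the unit)
#   plaintext-tcp-api    -H tcp://... without --tlsverify: unauthenticated, root-equivalent API
#   open-forward-rule    ExecStartPost inserts an iptables FORWARD ACCEPT for any source
audit_dockerd_unit() {
  f=$1
  found=0
  n=$(grep -c '^ExecStart=' "$f" || true)
  if [ "$n" -gt 1 ] && grep -q '^Type=notify' "$f"; then
    echo multiple-execstart; found=1
  fi
  if grep -q '^ExecStart=.*-H tcp://' "$f" && ! grep -q '^ExecStart=.*--tlsverify' "$f"; then
    echo plaintext-tcp-api; found=1
  fi
  if grep -q '^ExecStartPost=.*iptables.*-s 0.0.0.0/0 .*-j ACCEPT' "$f"; then
    echo open-forward-rule; found=1
  fi
  [ "$found" -eq 1 ] || echo clean
}

# write_sample_unit FILE MODE
# Writes a constructed [Service] fragment so the audit can be tried without
# touching /usr/lib/systemd: MODE "risky" mirrors the lines discussed in the
# post, "hardened" keeps only the unix socket listener.
write_sample_unit() {
  if [ "$2" = risky ]; then
    cat > "$1" <<'EOF'
[Service]
Type=notify
ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
ExecStart=/usr/bin/dockerd
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
EOF
  else
    cat > "$1" <<'EOF'
[Service]
Type=notify
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock
EOF
  fi
}

# Usage: sh audit_docker_unit.sh /usr/lib/systemd/system/docker.service
if [ -n "${1:-}" ] && [ -f "$1" ]; then
  audit_dockerd_unit "$1"
fi
```

Run it against the real unit path on each node; a non-"clean" result should block enabling the service until the flagged line is changed.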


Enable docker to start on boot
sudo systemctl enable docker

Install the docker-compose service

Download the docker-compose binary package
https://github.com/docker/compose/releases

Upload the docker-compose binary package
Upload the downloaded docker-compose-Linux-x86_64 binary package to the server

Move the binary to the system bin directory
In the upload directory run: sudo cp docker-compose-Linux-x86_64 /usr/bin/docker-compose
Make docker-compose executable: sudo chmod +x /usr/bin/docker-compose
Then verify it with docker-compose -v:

Install the harbor service

Download the harbor offline installer package
https://github.com/vmware/harbor/releases or https://github.com/goharbor/harbor/releases
https://storage.googleapis.com/harbor-releases/release-1.9.0/harbor-offline-installer-v1.9.1.tgz
Note: the offline installer contains the docker images and is a little over 500 MB

Extract the harbor offline installer
Upload the downloaded harbor-offline-installer-v1.9.1.tgz installer to the server
then extract it: tar -zxvf harbor-offline-installer-v1.9.1.tgz


Create the https certificate
mkdir cert && cd cert
Create the https certificate following the official documentation: https://github.com/goharbor/harbor/blob/master/docs/configure_https.md

openssl genrsa -out ca.key 4096

openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=SH/L=BS/O=GR/OU=MaxBill/CN=registry.maxbill.com" \
-key ca.key \
-out ca.crt

openssl genrsa -out registry.maxbill.com.key 4096

openssl req -sha512 -new \
-subj "/C=CN/ST=SH/L=BS/O=GR/OU=MaxBill/CN=registry.maxbill.com" \
-key registry.maxbill.com.key \
-out registry.maxbill.com.csr

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=registry.maxbill.com
# the address has to be an IP SAN; written as a DNS entry it never matches https://192.168.100.101
IP.1=192.168.100.101
EOF

openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in registry.maxbill.com.csr \
-out registry.maxbill.com.crt


Edit the harbor configuration file
vi harbor.yml, with the following changes:
Set the hostname: registry.maxbill.com
Uncomment the https block:
https:
  port: 443
  certificate: /work/harbor/cert/registry.maxbill.com.crt
  private_key: /work/harbor/cert/registry.maxbill.com.key
Set harbor_admin_password, the admin password: MaxBill2019


Run the installation preparation
In the harbor directory run ./prepare


Start the installation
In the harbor directory run ./install.sh

Wait for the installer to print the following log, which indicates that the installation is complete:


Verify the installation
Check the started containers in docker:
docker ps

Open https://192.168.100.101 or https://registry.maxbill.com in a browser:

Log in with the account configured above: admin/MaxBill2019
