For the complete index of the Kubernetes field-notes series (Kubernetes实录), see: Kubernetes实录-目录

Related notes:

harbor is the de facto standard for running a private container image registry. The current release line has reached 2.0.0 (freshly out, with plenty of bugs still to be fixed); the latest 1.x release is 1.10.3.
This note records the steps I actually took to set up harbor 1.10.3 as an enterprise image registry, together with the pitfalls along the way, such as the offline-installer download from GitHub being repeatedly interrupted by the firewall.

Hostname          IP address    OS          Role        Software               Notes
opsharbor-shqs-1  10.99.73.38   CentOS 7.6  docker hub  docker-ce 19.03.11     Test domain:
                                                        docker-compose 1.26.0  csrepo.ejuops.com
                                                        harbor 1.10.3

Note: have a domain name ready. It can be a made-up name with no DNS record; for a temporary test, put it in the hosts file directly.

I. Preparation

1. Configure the system and the docker environment

Initialize the system and install/configure docker-ce as described in the first note of this series: CentOS7配置docker环境 (configuring docker on CentOS 7)

2. Install docker-compose

docker-compose 1.26.0 is used.

# Download the release binary for this kernel/architecture. Nothing here checks
# the file's integrity, so compare its sha256 with the checksum published on the
# GitHub release page before marking it executable.
curl -L https://github.com/docker/compose/releases/download/1.26.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose

chmod +x /usr/local/bin/docker-compose
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

3. Verify
# docker -v
	Docker version 19.03.11, build 42e35e61f3

# systemctl status docker
	Active: active (running)

# docker-compose -v
	docker-compose version 1.26.0, build d4451659

II. Generate a self-signed certificate

Because this is a test deployment used only on the datacenter's internal network, I did not request a certificate from a CA and went with a self-signed one instead.
Domain: csrepo.ejuops.com

1. Generating the self-signed certificate

mkdir certs
cd certs

# Generate the RSA key with a throwaway passphrase, then write it out unencrypted
# so that nginx inside the harbor container can load it without a prompt.
openssl genrsa -des3 -passout pass:x -out csrepo.ejuops.com.pass.key 2048

openssl rsa -passin pass:x -in csrepo.ejuops.com.pass.key -out csrepo.ejuops.com.key

# Passing -subj avoids the interactive prompts
openssl req -new -subj "/C=CN/ST=ShangHai/L=ShangHai/O=eju/OU=ops/CN=csrepo.ejuops.com" -key csrepo.ejuops.com.key -out csrepo.ejuops.com.csr

# Self-sign the request with a 10-year validity
openssl x509 -req -sha256 -days 3650 -in csrepo.ejuops.com.csr -signkey csrepo.ejuops.com.key -out csrepo.ejuops.com.crt

2. Inspecting the certificate

# 1. Check the validity period
# openssl x509 -in csrepo.ejuops.com.crt -noout -dates
notBefore=Jun 19 03:08:01 2020 GMT
notAfter=Jun 17 03:08:01 2030 GMT

# 2. Or dump the full details
# openssl x509 -in csrepo.ejuops.com.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            c6:cb:48:7f:8b:b8:bb:55
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=ShangHai, L=ShangHai, O=eju, OU=ops, CN=csrepo.ejuops.com
        Validity
            Not Before: Jun 19 03:08:01 2020 GMT
            Not After : Jun 17 03:08:01 2030 GMT
        Subject: C=CN, ST=ShangHai, L=ShangHai, O=eju, OU=ops, CN=csrepo.ejuops.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    xxxxxxxx[omitted]
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         YYYYYYYY[omitted]

The certificate is ready; set it aside for later. One thing to note in the dump above: Version: 1 (0x0) and the absence of any extensions mean the certificate names the registry only through its CN and carries no subjectAltName. The docker 19.03 client on CentOS 7 still accepts that, but Go 1.15 and later, and with it newer docker, containerd and other Go-based clients, reject CN-only certificates with "x509: certificate relies on legacy Common Name field", and current browsers ignore the CN as well. If this registry is going to outlive the test, issue a certificate that carries a SAN for csrepo.ejuops.com instead.
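Harbor's own HTTPS guide does not self-sign the server certificate: it creates a small private CA, issues the server certificate from it with a v3 extension block that includes a DNS subjectAltName, and hands clients only the CA certificate. The script below is an added example in that style; it is not code from the original post or from the Harbor project. It uses `openssl x509 -extfile` for the extensions because `req -addext` does not exist in the OpenSSL 1.0.2 on CentOS 7, reproduces the post's CN-only certificate under make_legacy_cert so the two can be compared, and its verify_chain is the decision a client makes when given ca.crt as its only trust anchor (which is what the /etc/docker/certs.d method in Section IV sets up). The subject fields, directory layout and 10-year lifetimes are assumptions carried over from the post.

```sh
#!/bin/sh
# Added example, not code from the original post or from Harbor: issue the
# registry certificate the way Harbor's HTTPS guide does, from a small private
# CA and with a subjectAltName, instead of the CN-only v1 certificate above.
# Extensions go through `openssl x509 -extfile`, which the OpenSSL 1.0.2 on
# CentOS 7 supports (`req -addext` does not exist there). Subject fields,
# directory layout and the 10-year lifetimes are assumptions from the post.
set -eu

# Create the CA key and self-signed CA certificate in directory $1.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -key "$dir/ca.key" \
        -subj "/C=CN/ST=ShangHai/L=ShangHai/O=eju/OU=ops/CN=eju ops private CA" \
        -out "$dir/ca.crt"
    chmod 600 "$dir/ca.key"   # this key signs everything clients will trust
}

# Issue a key and a CA-signed certificate for registry host $2 into directory $1.
make_server_cert() {
    dir=$1; host=$2
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/$host.key" \
        -subj "/C=CN/ST=ShangHai/L=ShangHai/O=eju/OU=ops/CN=$host" \
        -out "$dir/$host.csr"
    # v3 extensions: the DNS SAN is what docker (Go >= 1.15), containerd and
    # browsers match the registry name against; they ignore the CN.
    cat > "$dir/$host.ext" <<EOF
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF
    openssl x509 -req -sha256 -days 3650 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
    chmod 600 "$dir/$host.key"
}

# Succeeds when certificate $1 carries a DNS SAN for host $2. `x509 -ext` needs
# OpenSSL 1.1.1, so the -text dump is grepped instead; that works on 1.0.2 too.
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -text | grep -qE "DNS:$2([ ,]|\$)"
}

# Succeeds when certificate $2 chains to CA certificate $1 (signature, validity
# dates, CA flag): the decision a client that trusts only $1 would make.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The post's own recipe (self-signed, CN only, no extensions), for comparison.
make_legacy_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -subj "/CN=$host" -key "$dir/$host.key" -out "$dir/$host.csr"
    openssl x509 -req -sha256 -days 3650 -in "$dir/$host.csr" \
        -signkey "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
}

# Usage: sh make-registry-certs.sh run [outdir] [hostname]
if [ "${1:-}" = "run" ]; then
    out=${2:-./certs}; host=${3:-csrepo.ejuops.com}
    make_ca "$out"
    make_server_cert "$out" "$host"
    cert_has_dns_san "$out/$host.crt" "$host" && echo "SAN present for $host"
    verify_chain "$out/ca.crt" "$out/$host.crt" && echo "chain verifies against $out/ca.crt"
    echo "harbor.yml: certificate=$out/$host.crt private_key=$out/$host.key; give clients $out/ca.crt"
fi
```

Run it with `sh make-registry-certs.sh run ./certs csrepo.ejuops.com`, point harbor.yml's certificate and private_key at the csrepo.ejuops.com.crt and .key it writes, and distribute ca.crt (never ca.key) to the docker hosts. cert_has_dns_san fails on the legacy certificate, which is exactly why newer Go-based clients reject it, and verify_chain fails on it too, because a client trusting only ca.crt has no reason to accept a certificate signed by some other key.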

III. Install and configure harbor

Version: 1.10.3
Install mode: offline

1. Download the harbor installer package

Note: downloads from github.com are intermittent from inside China, so enable resume.

# Throttle to 500KB/s to fit the available bandwidth, and resume on interruption
wget -c --limit-rate=500K https://github.com/goharbor/harbor/releases/download/v1.10.3/harbor-offline-installer-v1.10.3.tgz

2. Pre-installation steps

Note: every step in this document is run as root. The install directory is /opt/app/harbor

  • Extract into the install directory
~]# mkdir /opt/app
~]# tar zxvf harbor-offline-installer-v1.10.3.tgz -C /opt/app/
  • Move the prepared certificates into the install directory
mv /root/certs  /opt/app/harbor/
  • Directory listing
~]# cd /opt/app/harbor
~]# ls -l
drwxr-xr-x 2 root root       127 Jun  19 10:40 certs
-rw-r--r-- 1 root root      3398 Jun  1 19:14 common.sh
-rw-r--r-- 1 root root 670562154 Jun  1 19:15 harbor.v1.10.3.tar.gz
-rw-r--r-- 1 root root      5882 Jun  1 19:14 harbor.yml
-rwxr-xr-x 1 root root      2284 Jun  1 19:14 install.sh
-rw-r--r-- 1 root root     11347 Jun  1 19:14 LICENSE
-rwxr-xr-x 1 root root      1749 Jun  1 19:14 prepare
  • Edit the configuration file
# vi harbor.yml
# Change the following; everything else keeps its default. The file holds the
# admin and database passwords in clear text, so keep it root-only (chmod 600).
hostname: csrepo.ejuops.com
http:
  port: 80
https:
  port: 443
  certificate: /opt/app/harbor/certs/csrepo.ejuops.com.crt
  private_key: /opt/app/harbor/certs/csrepo.ejuops.com.key
harbor_admin_password: xxxxxxxxx
database:
  password: yyyyyyyyy
data_volume: /data
log:
  level: info
  location: /data/logs/harbor
  • Render the configuration (pulls the goharbor/prepare image on first run)
# ./prepare 
prepare base dir is set to /opt/app/harbor
Unable to find image 'goharbor/prepare:v1.10.3' locally
v1.10.3: Pulling from goharbor/prepare
a10779388d4e: Pull complete 
12b8569f46a6: Pull complete 
298230e0a21f: Pull complete 
ea3847dc8bc4: Pull complete 
1b52894b31e5: Pull complete 
ae5b50c2a4c9: Pull complete 
8b279542d577: Pull complete 
Digest: sha256:c757f65f753a73618c7bea3b6e5d0ab281bb60b91ae8d85b20f6d8657d703861
Status: Downloaded newer image for goharbor/prepare:v1.10.3
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
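A mismatched key, a certificate that does not name the hostname, or a password left at its default is easiest to catch before ./prepare renders the nginx and core configuration. The script below is an added pre-flight check for the harbor.yml edited above; it is not part of the post or of Harbor. It reads just the keys the post changes (hostname, https.certificate, https.private_key, harbor_admin_password) with a line-oriented awk scan rather than a real YAML parser, so those keys must stay in the plain `key: value` layout of the shipped file. Harbor12345 is Harbor's documented initial admin password; the xxxxxxxxx placeholder is the post's.

```sh
#!/bin/sh
# Added example, not code from the original post or from Harbor: pre-flight
# checks for harbor.yml, to run before ./prepare (install.sh runs it again).
# Only the keys edited in the post are read (hostname, https.certificate,
# https.private_key, harbor_admin_password), with a line-oriented awk scan
# rather than a YAML parser, so those keys must stay in the shipped file's
# plain "key: value" layout. Harbor12345 is Harbor's documented initial admin
# password; xxxxxxxxx is the placeholder used in the post.
set -eu

# Print the value of top-level key $2 in file $1 (e.g. hostname).
yml_top() {
    awk -v k="$2" '/^[^ \t#]/ && $1 == (k ":") { sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$1"
}

# Print the value of key $3 under top-level section $2 in file $1 (e.g. https certificate).
yml_nested() {
    awk -v s="$2" -v k="$3" '
        /^[^ \t#]/ { insec = ($1 == (s ":")) }
        insec && $1 == (k ":") { sub(/^[ \t]*[^:]*:[ \t]*/, ""); print; exit }' "$1"
}

# Check harbor.yml $1. Prints one line per finding; returns the number of hard
# failures, so 0 means it is safe to run ./prepare.
preflight() {
    f=$1; fails=0
    host=$(yml_top "$f" hostname)
    crt=$(yml_nested "$f" https certificate)
    key=$(yml_nested "$f" https private_key)
    pw=$(yml_top "$f" harbor_admin_password)

    [ -n "$host" ] || { echo "FAIL: hostname is empty"; fails=$((fails + 1)); }
    [ -r "$crt" ] || { echo "FAIL: https.certificate not readable: $crt"; fails=$((fails + 1)); }
    [ -r "$key" ] || { echo "FAIL: https.private_key not readable: $key"; fails=$((fails + 1)); }
    if [ -r "$crt" ] && [ -r "$key" ]; then
        # Key and certificate must belong together, otherwise nginx inside the
        # harbor container refuses to start and the whole stack stays unhealthy.
        [ "$(openssl x509 -in "$crt" -noout -modulus)" = "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)" ] \
            || { echo "FAIL: private key does not match certificate"; fails=$((fails + 1)); }
        # The name clients will type must be in the certificate: as a DNS SAN,
        # or at least as the CN for the older clients that still accept that.
        openssl x509 -in "$crt" -noout -text | grep -qE "(DNS:|CN ?= ?)$host([ ,/]|\$)" \
            || { echo "FAIL: certificate does not name $host"; fails=$((fails + 1)); }
        openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
            || { echo "FAIL: certificate has expired"; fails=$((fails + 1)); }
    fi
    case "$pw" in
        ""|Harbor12345|xxxxxxxxx)
            echo "FAIL: harbor_admin_password is empty, the default, or the placeholder"
            fails=$((fails + 1)) ;;
    esac
    # harbor.yml carries the admin and database passwords in clear text.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f" 2>/dev/null || echo unknown)
    case "$mode" in 600|400) ;; *) echo "WARN: harbor.yml mode is $mode, chmod 600 it" ;; esac
    return "$fails"
}

# Usage: sh harbor-preflight.sh run /opt/app/harbor/harbor.yml
if [ "${1:-}" = "run" ]; then
    preflight "${2:-/opt/app/harbor/harbor.yml}" && echo "OK: harbor.yml passes pre-flight"
fi
```

Run `sh harbor-preflight.sh run /opt/app/harbor/harbor.yml`; a non-zero exit means at least one FAIL line was printed. The file mode is only a WARN because prepare itself does not care, but the file contains both the admin and the database password in clear text, which is reason enough to keep it at 600.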

3. Install harbor

  • Run the installer
~]# cd /opt/app/harbor
~]# ./install.sh
[Step 0]: checking if docker is installed ...
[Step 1]: checking docker-compose is installed ...
[Step 2]: loading Harbor images ...
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-portal ... done
Creating redis         ... done
Creating registryctl   ... done
Creating registry      ... done
Creating harbor-db     ... done
Creating harbor-core   ... done
Creating nginx             ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----
  • Check the result. Note the published ports: docker-proxy binds 80 and 443 on all interfaces, while the log collector on 1514 is bound to 127.0.0.1 only.
# docker images
	REPOSITORY                      TAG                 IMAGE ID            CREATED             SIZE
	goharbor/chartmuseum-photon     v1.10.3             f4cd7df55b4a        2 weeks ago         178MB
	goharbor/harbor-migrator        v1.10.3             524036d275a6        2 weeks ago         357MB
	goharbor/redis-photon           v1.10.3             6562f3c58b71        2 weeks ago         119MB
	goharbor/clair-adapter-photon   v1.10.3             75badac8362a        2 weeks ago         61.2MB
	goharbor/clair-photon           v1.10.3             3c0b186089bd        2 weeks ago         171MB
	goharbor/notary-server-photon   v1.10.3             d0f003ba5021        2 weeks ago         143MB
	goharbor/notary-signer-photon   v1.10.3             304f122f4b13        2 weeks ago         140MB
	goharbor/harbor-registryctl     v1.10.3             2ee885ed2f2d        2 weeks ago         102MB
	goharbor/registry-photon        v1.10.3             f470058ab661        2 weeks ago         84.5MB
	goharbor/nginx-photon           v1.10.3             8c88b468cdb0        2 weeks ago         43.6MB
	goharbor/harbor-log             v1.10.3             b0c9e48d015e        2 weeks ago         82MB
	goharbor/harbor-jobservice      v1.10.3             044b1a98e9ac        2 weeks ago         143MB
	goharbor/harbor-core            v1.10.3             6521cd80151b        2 weeks ago         129MB
	goharbor/harbor-portal          v1.10.3             7d107a7d6eb8        2 weeks ago         51.7MB
	goharbor/harbor-db              v1.10.3             7d10c16f9b2e        2 weeks ago         157MB
	goharbor/prepare                v1.10.3             be46b57a9105        2 weeks ago         163MB

# docker ps |less -S
	CONTAINER ID        IMAGE                                 COMMAND                  CREATED             STATUS                   PORTS                        
	06030163f29e        goharbor/harbor-jobservice:v1.10.3    "/harbor/harbor_jobs…"   4 minutes ago       Up 4 minutes (healthy)                                
	74e2240ed6ba        goharbor/nginx-photon:v1.10.3         "nginx -g 'daemon of…"   4 minutes ago       Up 4 minutes (healthy)   0.0.0.0:80->8080/tcp, 0.0.0.0
	08a128187c24        goharbor/harbor-core:v1.10.3          "/harbor/harbor_core"    4 minutes ago       Up 4 minutes (healthy)                                
	58143706b0a1        goharbor/harbor-db:v1.10.3            "/docker-entrypoint.…"   4 minutes ago       Up 4 minutes (healthy)   5432/tcp                     
	4ba493895bef        goharbor/registry-photon:v1.10.3      "/home/harbor/entryp…"   4 minutes ago       Up 4 minutes (healthy)   5000/tcp                     
	2b9ac9d7a907        goharbor/redis-photon:v1.10.3         "redis-server /etc/r…"   4 minutes ago       Up 4 minutes (healthy)   6379/tcp                     
	7665b6b28b3e        goharbor/harbor-registryctl:v1.10.3   "/home/harbor/start.…"   4 minutes ago       Up 4 minutes (healthy)                                
	123ed5421dbe        goharbor/harbor-portal:v1.10.3        "nginx -g 'daemon of…"   4 minutes ago       Up 4 minutes (healthy)   8080/tcp                     
	0a1317dc03c5        goharbor/harbor-log:v1.10.3           "/bin/sh -c /usr/loc…"   4 minutes ago       Up 4 minutes (healthy)   127.0.0.1:1514->10514/tcp  


# netstat -pltn
	Active Internet connections (only servers)
	Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
	tcp        0      0 127.0.0.1:1514          0.0.0.0:*               LISTEN      4451/docker-proxy          
	tcp6       0      0 :::80                   :::*                    LISTEN      5200/docker-proxy     
	tcp6       0      0 :::443                  :::*                    LISTEN      5184/docker-proxy

IV. Using harbor

1. Open the harbor UI in a browser

https://csrepo.ejuops.com
Account: admin
Password: xxxxxx[the actual password]

The browser marks the connection as not secure because the certificate is self-signed and does not chain to any CA the browser trusts. Importing it into the browser's trust store would not silence the warning either: the certificate has no subjectAltName, and Chrome has ignored the CN since version 58.

2. Configure a docker client to use this harbor

For a private registry that uses a self-signed certificate, docker needs the certificate that signed the server certificate (here the self-signed certificate itself) added to its trust configuration. There are several ways to produce a self-signed certificate with openssl; the one used here follows the certificate section of 配置企业级镜像仓库Harbor (configuring the enterprise image registry Harbor).
There are also several ways to make docker trust the certificate; two are shown here.

Private registry address        Self-signed certificate
https://csrepo.ejuops.com       csrepo.ejuops.com.crt
certs]# ll
-rw-r--r-- 1 root root 1212 Jun 19 10:40 csrepo.ejuops.com.crt       # this is the certificate file we need
-rw-r--r-- 1 root root 1009 Jun 19 10:40 csrepo.ejuops.com.csr
-rw-r--r-- 1 root root 1675 Jun 19 10:40 csrepo.ejuops.com.key
-rw-r--r-- 1 root root 1743 Jun 19 10:40 csrepo.ejuops.com.pass.key
Method 1. Trust the self-signed certificate system-wide

Note that this adds the certificate to the trust store used by every TLS client on the host (curl, yum, python, ...), not just docker.

# Install ca-certificates
yum -y install ca-certificates

# Drop the certificate into /usr/share/pki/ca-trust-source/anchors
cp csrepo.ejuops.com.crt   /usr/share/pki/ca-trust-source/anchors/

# Regenerate the system trust bundles
update-ca-trust

# Check that it was appended
tail -n23 /etc/ssl/certs/ca-bundle.trust.crt

# csrepo.ejuops.com                   # this line shows the update succeeded
-----BEGIN TRUSTED CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  [omitted]
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END TRUSTED CERTIFICATE-----

# If the docker daemon is already running, restart it so it re-reads the system trust store
systemctl restart docker

# Verify
docker pull hello-world:latest
docker tag hello-world:latest csrepo.ejuops.com/library/hello-world:latest
# -p puts the admin password into the shell history and the process list;
# prefer --password-stdin outside of a throwaway test
docker login -u'admin' -p'xxxxx' csrepo.ejuops.com
docker push csrepo.ejuops.com/library/hello-world:latest
docker pull csrepo.ejuops.com/library/hello-world:latest
	latest: Pulling from library/hello-world
	Digest: sha256:90659bf80b44ce6be8234e6ff90a1ac34acbeb826903b02cfa0da11c82cbc042
	Status: Image is up to date for csrepo.ejuops.com/library/hello-world:latest
	csrepo.ejuops.com/library/hello-world:latest

This confirms the configuration works.

Method 2. Configure trust in the docker daemon only

The private registry domain tested here is: csrepo.ejuops.com. docker looks for CA certificates under /etc/docker/certs.d/<registry-host[:port]>/, so trust is scoped to this one registry name and no other client on the host is affected.

# Configure
DOCKER_REGISTRY=csrepo.ejuops.com 
mkdir  -p /etc/docker/certs.d/${DOCKER_REGISTRY}
cp ${DOCKER_REGISTRY}.crt /etc/docker/certs.d/${DOCKER_REGISTRY}/ca.crt

# Verify; with this method the docker daemon does not need a restart
docker pull csrepo.ejuops.com/library/hello-world:latest
	latest: Pulling from library/hello-world
	Digest: sha256:90659bf80b44ce6be8234e6ff90a1ac34acbeb826903b02cfa0da11c82cbc042
	Status: Image is up to date for csrepo.ejuops.com/library/hello-world:latest
	csrepo.ejuops.com/library/hello-world:latest