
Kubernetes 1.8.6 Cluster Deployment: Docker Private Registry (Part 9), updated 2018-04-11

Setting up a Docker private image registry

Install docker

# yum -y install docker

# systemctl start docker && systemctl enable docker

Secure the registry with a self-signed certificate

Create the certs directory that will hold the certificate and key

# mkdir -p /docker/certs

# chcon -Rt svirt_sandbox_file_t /docker/certs/

Edit the /etc/pki/tls/openssl.cnf configuration file

Add the registry's IP address under the [ v3_ca ] section of that file:

[ v3_ca ]
# Extensions for a typical CA
subjectAltName = IP:192.168.161.161

Generate the certificate and key

# cd /docker && openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-x509 -days 365 -out certs/domain.crt

# mkdir -p /etc/docker/certs.d/192.168.161.161:5000/

# cp certs/domain.crt /etc/docker/certs.d/192.168.161.161\:5000/ca.crt
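The same certificate issuance as an added example (not code from the original post), using a private OpenSSL config instead of editing the system-wide /etc/pki/tls/openssl.cnf, plus two checks: that the IP SAN the docker daemon compares against the dialled host is present, and that the certificate validates against itself as a CA the way it will once copied to /etc/docker/certs.d/192.168.161.161:5000/ca.crt. It assumes the openssl CLI is installed and uses a 2048-bit key for speed where the post uses 4096.

```shell
#!/bin/sh
# Added example, not from the original post: issues the same kind of
# self-signed registry certificate, but from a private OpenSSL config
# instead of editing /etc/pki/tls/openssl.cnf, then checks the SAN.
# Assumes the openssl CLI is installed. 2048-bit key for speed (post uses 4096).

# Write domain.key and domain.crt into directory $1 for registry IP $2.
make_registry_cert() {
  mkdir -p "$1"
  cat > "$1/openssl-registry.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = $2
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
subjectAltName = IP:$2
EOF
  openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$1/domain.key" \
    -x509 -days 365 -out "$1/domain.crt" -config "$1/openssl-registry.cnf" 2>/dev/null
}

# 0 if the certificate carries the IP SAN that the docker daemon will
# compare against the host it dials (192.168.161.161:5000 in the post).
cert_has_ip_san() {   # $1=cert $2=ip
  openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# 0 if the certificate validates against itself as a CA, i.e. it will work
# once copied to /etc/docker/certs.d/<host:port>/ca.crt.
cert_self_verifies() {   # $1=cert
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}
```

If the daemon still reports "x509: certificate is valid for ..." after a push, the SAN does not match the host:port string in the image name, which is exactly what cert_has_ip_san catches.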

Create the backend storage directory for image data

# mkdir -p /docker/data/private_registry

# chcon -Rt svirt_sandbox_file_t /docker/data/private_registry

Restart the docker daemon

# systemctl restart docker

Start the private image registry

# docker run \
-d \
--name private_registry  --restart=always \
-u root \
-p 5000:5000 \
-v /docker/data/private_registry:/var/lib/registry \
-v /docker/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
registry:2

-e username="ritchie": sets an environment variable;

Docker accelerator (registry mirror)

The accelerator is worth configuring when pulling images is slow. (Apply for one yourself at daocloud; it is free.)

Address:

https://www.daocloud.io/mirror#accelerator-doc

Add the accelerator:

curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://XXXXX.m.daocloud.io

Local test

[root@master1 docker]# docker pull centos
Using default tag: latest
latest: Pulling from library/centos
5e35d10a3eba: Pull complete 
Digest: sha256:dcbc4e5e7052ea2306eed59563da1fec09196f2ecacbe042acbdcd2b44b05270
Status: Downloaded newer image for centos:latest

[root@master1 docker]# docker tag centos:latest 192.168.161.161:5000/centos:v0323

[root@master1 docker]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
7bcae9fb3fc0        registry:2          "/entrypoint.sh /etc"   2 minutes ago       Up 2 minutes        0.0.0.0:5000->5000/tcp   private_registry

[root@master1 docker]# docker push 192.168.161.161:5000/centos:v0323
The push refers to repository [192.168.161.161:5000/centos]
b03095563b79: Pushed 
v0323: digest: sha256:8c7ac054adab3692f7026d49fd1c4df69aa6a138b2f076b432d2ac0164c022d3 size: 529

Remote test

Run the following commands on another host to test:

[root@node01 ~]#  mkdir -p /etc/docker/certs.d/192.168.161.161:5000/

[root@node01 ~]# scp 192.168.161.161:/etc/docker/certs.d/192.168.161.161\:5000/ca.crt /etc/docker/certs.d/192.168.161.161\:5000/
The authenticity of host '192.168.161.161 (192.168.161.161)' can't be established.
ECDSA key fingerprint is 80:76:b7:82:4a:59:66:14:a3:b2:cc:62:f0:75:63:58.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.161.161' (ECDSA) to the list of known hosts.
root@192.168.161.161's password: 
ca.crt                                                                                                                                                                          100% 2057     2.0KB/s   00:00    

[root@node01 ~]# systemctl restart docker

[root@node01 ~]# docker pull 192.168.161.161:5000/centos:v0323
v0323: Pulling from centos
5e35d10a3eba: Pull complete 
Digest: sha256:8c7ac054adab3692f7026d49fd1c4df69aa6a138b2f076b432d2ac0164c022d3
Status: Downloaded newer image for 192.168.161.161:5000/centos:v0323

Hands-on with k8s: pulling images from a private registry – kubernetes

Goal

Pull an image from a private docker registry and deploy a pod with it. Above we built a private image registry; in this part we combine it with k8s and use the private registry in practice.

Create a Secret for the k8s cluster

When a pod pulls an image from a private registry, the k8s cluster uses a Secret of type docker-registry to provide the credentials. Create a Secret named registry-key with the following command:

kubectl -n kube-system create secret docker-registry registry-key \
--docker-server=192.168.161.161:5000 \
--docker-username=zhdya \
--docker-password=XXXX \
--docker-email=XXXX@zhdya.cn

Check the Secret

As shown in the figure:
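An added example (not from the original post) covering both the creation step and this check: it reproduces what `kubectl create secret docker-registry` stores, then decodes the value to show which registry key the kubelet matches against a pod's image reference. It writes the kubernetes.io/dockerconfigjson format that current kubectl produces (assumption: the author's 1.8.6 kubectl may have written the older .dockercfg key instead); the credentials are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: reproduces what
# `kubectl create secret docker-registry` stores, then decodes it to show
# which registry key the kubelet matches against a pod's image reference.
# kubernetes.io/dockerconfigjson is what current kubectl writes (assumption:
# the author's 1.8.6 kubectl may have used the older .dockercfg key).
# The credentials used below are constructed placeholders.

# Build the .dockerconfigjson document for one registry.
# $1=server $2=username $3=password $4=email
docker_config_json() {
  auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$4" "$auth"
}

# Emit a Secret manifest equivalent to the kubectl command above.
# $1=name $2=namespace $3=server $4=username $5=password $6=email
registry_secret_manifest() {
  b64=$(docker_config_json "$3" "$4" "$5" "$6" | base64 | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' "$1" "$2"
  printf 'type: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' "$b64"
}

# Registry host[:port] of an image reference, as the kubelet derives it:
# the first path component if it looks like a host, otherwise Docker Hub.
image_registry() {
  first=${1%%/*}
  if [ "$first" != "$1" ]; then
    case "$first" in
      *.*|*:*|localhost) printf '%s' "$first"; return ;;
    esac
  fi
  printf 'docker.io'
}

# 0 if the base64 .dockerconfigjson value ($1) has an auths entry for the
# registry of image reference $2. A mismatch (for example a missing :5000)
# means the kubelet never sends these credentials and pulls anonymously.
secret_covers_image() {
  server=$(printf '%s' "$1" | base64 -d | grep -o '"auths":{"[^"]*"' | cut -d'"' -f4)
  [ "$server" = "$(image_registry "$2")" ]
}
```

Note that the registry started earlier sets only the REGISTRY_HTTP_TLS_* variables and no REGISTRY_AUTH, so it never checks these credentials; the Secret only matters once the registry itself enforces authentication.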

Download a helloworld image for testing:

[root@master1 ~]# docker pull justmine/helloworldapi:v2.2 
v2.2: Pulling from justmine/helloworldapi
c73ab1c6897b: Pull complete 
d786150757e1: Pull complete 
5693bd17ac2b: Pull complete 
a4aa7d165ffe: Pull complete 
fb5efe143b31: Pull complete 
80d73f423800: Pull complete 
6c45df748f3d: Pull complete 
Digest: sha256:aae28e40e892a537384403869697c5b8ce0206b36da79b664c9a0d3d45f0bd01
Status: Downloaded newer image for justmine/helloworldapi:v2.2

Push it to the registry:

[root@master1 ~]# docker tag justmine/helloworldapi:v2.2 192.168.161.161:5000/helloworldapi:v2.2

[root@master1 ~]# docker push 192.168.161.161:5000/helloworldapi:v2.2
The push refers to repository [192.168.161.161:5000/helloworldapi]
9efe53ed0a5c: Pushed 
2bcd37ba9be3: Pushed 
c2523d9670b0: Pushed 
d2a32c00a3a4: Pushed 
8811b8947d7f: Pushed 
2b21077ee3b4: Pushed 
e1df5dc88d2c: Pushed 
v2.2: digest: sha256:c31b14d5d1abe23da8580833492af61d934e50f9025529db0a5ca4a50542710d size: 1792
查看仓库内镜像:

Deploy the Pod

vim hello-world-deployment.yml:

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: helloworldapi
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: helloworldapi
  replicas: 2
  template:
    metadata:
      labels:
        app: helloworldapi
      namespace: kube-system
    spec:
      imagePullSecrets:
      - name: registry-key
      containers:
      - name: helloworldapi
        image: 192.168.161.161:5000/helloworldapi:v2.2
        ports:
        - containerPort: 80

Create it:

[root@master1 test_yaml]# kubectl create -f hello-world-deployment.yaml 
deployment "helloworldapi" created

Check the result:

[root@master1 test_yaml]# kubectl get pod -n kube-system -o wide
NAME                                    READY     STATUS              RESTARTS   AGE       IP            NODE
heapster-6c6bb6b7f5-7cv9s               1/1       Running             16         19d       172.30.45.4   192.168.161.162
helloworldapi-57d464bf46-m4zmg          0/1       ContainerCreating   0          38s       <none>        192.168.161.162
helloworldapi-57d464bf46-xt9p5          0/1       ContainerCreating   0          38s       <none>        192.168.161.163
kube-dns-777f78c558-fshmq               3/3       Running             75         22d       172.30.45.3   192.168.161.162
kubernetes-dashboard-8665cd4dfb-cd8pt   1/1       Running             16         20d       172.30.38.2   192.168.161.163
monitoring-grafana-6f95564858-ggxkn     1/1       Running             16         19d       172.30.38.3   192.168.161.163
monitoring-influxdb-7c77768d9-dgcjp     1/1       Running             16         19d       172.30.45.2   192.168.161.162

View it in the dashboard:

View the pod details and events:

[root@master1 test_yaml]# kubectl describe po helloworldapi-57d464bf46-m4zmg -n kube-system
Name:           helloworldapi-57d464bf46-m4zmg
Namespace:      kube-system
Node:           192.168.161.162/192.168.161.162
Start Time:     Wed, 11 Apr 2018 14:48:41 +0800
Labels:         app=helloworldapi
                pod-template-hash=1380206902
Annotations:    kubernetes.io/created-by={"kind":"SerializedReference","apiVersion":"v1","reference":{"kind":"ReplicaSet","namespace":"kube-system","name":"helloworldapi-57d464bf46","uid":"5e88272f-3d54-11e8-b3cb-000...
Status:         Running
IP:             172.30.45.5
Created By:     ReplicaSet/helloworldapi-57d464bf46
Controlled By:  ReplicaSet/helloworldapi-57d464bf46
Containers:
  helloworldapi:
    Container ID:   docker://7675ea5e72d9b7c474e103f908461523f309b1a8a095437215abd0cdfec08524
    Image:          192.168.161.161:5000/helloworldapi:v2.2
    Image ID:       docker-pullable://192.168.161.161:5000/helloworldapi@sha256:c31b14d5d1abe23da8580833492af61d934e50f9025529db0a5ca4a50542710d
    Port:           80/TCP
    State:          Running
      Started:      Wed, 11 Apr 2018 14:50:59 +0800
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-gr7zp (ro)
Conditions:
  Type           Status
  Initialized    True 
  Ready          True 
  PodScheduled   True 
Volumes:
  default-token-gr7zp:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-gr7zp
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     <none>
Events:
  Type    Reason                 Age   From                      Message
  ----    ------                 ----  ----                      -------
  Normal  Scheduled              2m    default-scheduler         Successfully assigned helloworldapi-57d464bf46-m4zmg to 192.168.161.162
  Normal  SuccessfulMountVolume  2m    kubelet, 192.168.161.162  MountVolume.SetUp succeeded for volume "default-token-gr7zp"
  Normal  Pulling                2m    kubelet, 192.168.161.162  pulling image "192.168.161.161:5000/helloworldapi:v2.2"
  Normal  Pulled                 33s   kubelet, 192.168.161.162  Successfully pulled image "192.168.161.161:5000/helloworldapi:v2.2"
  Normal  Created                33s   kubelet, 192.168.161.162  Created container
  Normal  Started                31s   kubelet, 192.168.161.162  Started container

That concludes this hands-on look at a private registry with k8s. You can set up a registry of your own to suit your situation, combine it with k8s in practice, and build your own k8s application platform.


This post has 3 replies

  • qingfeng 2018/05/28 14:59

    After following the previous steps up to here and deploying the image registry on master, the docker installed by yum would not start at all, and I saw no obvious error either.

    • zhdya (author) 2018/05/31 00:03

      @qingfeng Check docker's configuration file! Look at docker's log output~

    • 季山 2018/09/22 23:01

      @qingfeng docker from yum won't start; I had the same thing at first. This problem is because SELinux does not support it and needs to be turned off, see: https://blog.csdn.net/a1010256340/article/details/80106156 Solution: it means that the SELinux in this Linux kernel does not support the overlay2 graph driver. There are two fixes: either boot a new kernel, or disable selinux in docker with --selinux-enabled=false; re-edit the docker configuration file: vi /etc/sysconfig/docker
