創建harbor私有鏡像庫
一、部署准備:
harbor軟件包
在部署節點上:
1)解壓harbor的軟件包將harbor目錄下所有文件發送到/opt/目錄下
tar zxvf harbor-offline-installer-v1.4.0.tgz
[root@cicd kubernetes]# cd harbor [root@cicd harbor]# ls common docker-compose.notary.yml ha harbor.v1.4.0.tar.gz LI docker-compose.clair.yml docker-compose.yml harbor.cfg install.sh
root@cicd kubernetes]# mv harbor /opt/
[root@cicd kubernetes]# cd /opt/
[root@cicd opt]# ls
harbor
二、在根目錄下創建 /data目錄
在/data目錄下創建/harbor目錄
[root@cicd /]# mkdir data
[root@cicd data]# mkdir harbor
然后cd到kubernetes目錄下解壓ca.tar.gz,將解壓后的ca目錄移動到創建的/data/harbor/目錄並重命名為cert
[root@cicd harbor]# cd /root/kubernetes [root@cicd kubernetes]# ls bash ca.tar.gz harbor-offline-installer-v1.4.0.tgz image image.tar.gz k8s197.tar.gz [root@cicd kubernetes]# tar zxf ca.tar.gz [root@cicd kubernetes]# ls bash ca ca.tar.gz harbor-offline-installer-v1.4.0.tgz image image.tar.gz k8s197.tar [root@cicd kubernetes]# mv ca /data/harbor/cert [root@cicd kubernetes]# cd /data/harbor/cert/ [root@cicd cert]# ls ca.crt ca.key ca.srl harbor.crt harbor.csr harbor.key
三、cd到/opt/harbor/目錄下修改配置文件:
1)找到volumes模塊,將映射的目錄改為/data/harbor/clair-db
[root@cicd harbor]# cat docker-compose.clair.yml
volumes:
- /data/harbor/clair-db:/var/lib/postgresql/data:z
2)再找到volumes模塊,將映射目錄改為
- /data/harbor/notary-db
[root@cicd harbor]# cat docker-compose.notary.yml
volumes:
- /data/harbor/notary-db:/var/lib/mysql:z
3)然后找到docker-compose.yml配置文件中需要修改映射目錄的地方(一共6處)
[root@cicd harbor]# cat docker-compose.yml
volumes: - /data/harbor/var/log/harbor/:/var/log/docker/:z - ./common/config/log/:/etc/logrotate.d/:z volumes: - /data/harbor/registry:/storage:z - ./common/config/registry/:/etc/registry/:z volumes: - /data/harbor/database:/var/lib/mysql:z volumes: - /data/harbor/config/:/etc/adminserver/config/:z - /data/harbor/secretkey:/etc/adminserver/key:z - /data/harbor/:/data/:z volumes: - /data/harbor/secretkey:/etc/ui/key:z - /data/harbor/ca_download/:/etc/ui/ca/:z - /data/harbor/psc/:/etc/ui/token/:z volumes: - /data/harbor/job_logs:/var/log/jobs:z - ./common/config/jobservice/app.conf:/etc/jobservice/app.conf:z - /data/secretkey:/etc/jobservice/key:z
4)編輯harbor.cfg文件
找到如下參數,並修為如下配置:
hostname =
reg.yunwei.edu
ui_url_protocol = http
s
ssl_cert =
/data/harbor/cert/harbor.crt
ssl_cert_key =
/data/harbor/cert/harbor.key
secretkey_path =
/data/harbor
harbor_admin_password =
admin
以上為
ca證書名稱,必須與實際文件同名
secretkey_path =
/data/harbor 為ca證書目錄
三、安裝harbor程序:
執行安裝腳本,搭建harbor鏡像庫
(1)cd到 /opt/harbor/目錄下,執行
sh install.sh
成功的話末尾會顯示以下幾行
✔ ----Harbor has been installed and started successfully.---- Now you should be able to visit the admin portal at https://reg.yunwei.edu. For more details, please visit https://github.com/vmware/harbor .
(2)驗證harbor是否部署成功:
必須在/opt/harbor/目錄下執行
#docker-compose ps
[root@cicd opt]# docker-compose ps ERROR: Can't find a suitable configuration file in this directory or any parent. Are you in the right directory? #此報錯就是因為沒有再/opt/harbor目錄下執行 Supported filenames: docker-compose.yml, docker-compose.yaml [root@cicd opt]# cd harbor/ [root@cicd harbor]# docker-compose ps Name Command State Ports ------------------------------------------------------------------------------------------------------------------------------ harbor-adminserver /harbor/start.sh Up harbor-db /usr/local/bin/docker-entr ... Up 3306/tcp harbor-jobservice /harbor/start.sh Up harbor-log /bin/sh -c /usr/local/bin/ ... Up 127.0.0.1:1514->10514/tcp harbor-ui /harbor/start.sh Up nginx nginx -g daemon off; Up 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp registry /entrypoint.sh serve /etc/ ... Up 5000/tcp
可以看到所有容器的狀態都為啟動,即為成功部署了harbor。
四、各節點設置登陸harbor私有鏡像倉庫:
為各節點分發ca證書,以便各節點都能登陸創建的私有倉庫。
(1)進入下載了ansible的容器,並在每個節點(包括harbor節點)的/etc/docker/目錄下,創建certs.d/
reg.yunwei.edu/目錄
/ # ansible all -m shell -a 'mkdir -p /etc/docker/certs.d/reg.yunwei.edu' [WARNING]: Consider using file module with state=directory rather than running mkdir 192.168.253.9 | SUCCESS | rc=0 >> 192.168.253.10 | SUCCESS | rc=0 >> 192.168.253.11 | SUCCESS | rc=0 >> 192.168.253.14 | SUCCESS | rc=0 >>
可以看到四個節點都創建目錄成功。注意此操作是在下載了ansible的容器里面。
當然這是建立在此容器已經能夠成功ping通其他節點。
(2)harbor節點上(部署節點),將harbor的ca證書中的ca.crt拷貝到/etc/docker目錄下
[root@cicd reg.yunwei.edu]# cp ca.crt /etc/docker/certs.d/reg.yunwei.edu/
(3)將harbor節點的ca.crt文件,分發給各節點的/etc/docker/certs.d/reg.yunwei.edu/下
scp /etc/docker/certs.d/
reg.yunwei.edu/ca.crt node1:/etc/docker/certs.d/
reg.yunwei.edu/
scp /etc/docker/certs.d/
reg.yunwei.edu/ca.crt node1:/etc/docker/certs.d/
reg.yunwei.edu/
scp /etc/docker/certs.d/
reg.yunwei.edu/ca.crt node1:/etc/docker/certs.d/
reg.yunwei.edu/
(4)在/etc/hosts 解析中添加一行解析到自己私有倉庫的地址,(部署節點ip)
192.168.253.9 reg.yunwei.edu
然后harbor鏡像庫驗證
命令行:各節點登陸鏡像庫地址后,輸入用戶名/密碼(admin/admin)后出現 Login Succeeded
docker login
reg.yunwei.edu
[root@cicd ~]# docker login reg.yunwei.edu
Username: admin
Password:
Login Succeeded
注意需要命令行登陸了鏡像庫之后,才可以推送或者下載鏡像從私有倉庫中。
來到web瀏覽器:輸入harbor節點ip/harbor訪問
登陸用戶名和密碼后會有一個默認的library項目,可以選擇新建項目。
五、上傳鏡像到harbor私有鏡像倉庫:
(1)選擇本地鏡像nginx
(2)查看鏡像上傳的格式標准。
按照上述標准重命名
[root@cicd ~]# docker tag nginx reg.yunwei.edu/test/nginx:latest [root@cicd ~]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE reg.yunwei.edu/test/nginx latest 719cd2e3ed04 9 days ago 109MB nginx latest 719cd2e3ed04 9 days ago 109MB 。。。
將重新打tag之后的鏡像上傳到鏡像庫
[root@cicd ~]# docker push reg.yunwei.edu/test/nginx The push refers to repository [reg.yunwei.edu/test/nginx] d7acf794921f: Pushed d9569ca04881: Pushed cf5b3c6798f7: Pushed latest: digest: sha256:079aa93463d2566b7a81cbdf856afc6d4d2a6f9100ca3bcbecf24ade92c9a7fe size: 948
成功后刷新網頁,可以看到鏡像被上傳到了選擇的test庫。
私有鏡像庫的使用
(1)在節點上下載倉庫中的鏡像。
但前提是倉庫中有。
[root@cicd ~]# docker pull reg.yunwei.edu/test/nginx:latest latest: Pulling from test/nginx Digest: sha256:079aa93463d2566b7a81cbdf856afc6d4d2a6f9100ca3bcbecf24ade92c9a7fe Status: Downloaded newer image for reg.yunwei.edu/test/nginx:latest
(2)節點配置好了ca證書的ca.crt后,便可執行如下命令下載鏡像。在kubernets集群中節點在啟動pod時,會自動下載鏡像
[root@node1 ~]# docker pull reg.yunwei.edu/test/nginx:latest
值得注意的是不管上傳還是下載鏡像都需要命令行登陸,不然會報錯拒絕連接denied access。