2020-09-09
Setting up a Harbor image registry for k8s
Preparation:
- Operating system: CentOS 7.6
k8s-harbor (server): 192.168.191.134
k8s-node2 (client): 192.168.191.135
- Install docker
curl -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum -y install docker-ce
curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://bc437cce.m.daocloud.io # configure the image download accelerator (mirror) address
- Docker management tool (application): docker-compose
Download option 1: GitHub: docker-compose 1.22
curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
chmod a+x /usr/local/bin/docker-compose
Download option 2: aliyun: docker-compose 1.21
curl -L https://mirrors.aliyun.com/docker-toolbox/linux/compose/1.21.2/docker-compose-Linux-x86_64 -o /usr/local/bin/docker-compose
chmod a+x /usr/local/bin/docker-compose
- Harbor offline installer, which includes the required images: harbor-offline-installer-v1.5.3.tgz
(https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.5.3.tgz)
Option 1: no certificate required
[root@k8s-harbor ~]# tar xf harbor-offline-installer-v1.5.3.tgz
[root@k8s-harbor ~]# cd harbor
[root@k8s-harbor ~]# vim harbor.cfg # change only these two settings; leave everything else as is
hostname = host domain name or IP
customize_crt = false
[root@k8s-harbor ~]# ./prepare
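[root@k8s-harbor ~]# ./install.sh # load the images from the offline installer and start harbor
(To reinstall, delete /data, delete the docker images that were already loaded, then restart docker)
[root@k8s-harbor ~]# docker-compose ps # check whether harbor started successfully
(If harbor-adminserver, harbor-db, harbor-jobservice, harbor-log, harbor-ui, nginx, redis and registry are all up, the installation succeeded)
Client test (k8s-node2):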
[root@k8s-node2 ~]# docker login 192.168.191.134
Username: admin
Password: Harbor12345
Error response from daemon: Get https://192.168.191.134/v2/: dial tcp 192.168.191.134:443: connect: connection refused
(The client login fails because harbor is built on registry, and since a registry version update logins use https by default)
# Fixing the problem above:
On the client k8s-node2:
[root@k8s-node2 ~]# vim /etc/docker/daemon.conf
{
"insecure-registries": ["http://192.168.191.134"]
}
[root@k8s-node2 ~]# vim /usr/lib/systemd/system/docker.service
# find the ExecStart= line and append the following to it
ExecStart=/usr/bin/dockerd --insecure-registry=192.168.191.134
[root@k8s-node2 ~]# systemctl daemon-reload
[root@k8s-node2 ~]# systemctl restart docker
On the server k8s-harbor:
[root@k8s-harbor ~]# vim /etc/docker/daemon.conf
{
"insecure-registries": ["http://192.168.191.134"]
}
[root@k8s-harbor ~]# vim /usr/lib/systemd/system/docker.service # modify this line
ExecStart=/usr/bin/dockerd --insecure-registry=192.168.191.134:5000
[root@k8s-harbor ~]# systemctl daemon-reload
[root@k8s-harbor ~]# systemctl restart docker
Restart docker-compose
[root@k8s-harbor ~]# cd harbor
[root@k8s-harbor ~]# docker-compose down -v
[root@k8s-harbor ~]# docker-compose up -d
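[root@k8s-harbor ~]# docker-compose ps # make sure all services are healthy
Run docker login again to check whether login now succeeds
Using Harbor
Log in to harbor in a browser: http://192.168.191.134
Default initial account: admin  Password: Harbor12345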
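System Management --- User Management --- Create User (fill in the details, for example user kk)
Projects --- library --- Members --- New Member (name: kk, role: Developer) (developers have permission to push and pull images)
Test pushing an image with the kk account
On the client k8s-node2: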
[root@k8s-node2 ~]# docker pull daocloud.io/library/nginx
[root@k8s-node2 ~]# docker tag daocloud.io/library/nginx:latest 192.168.191.134/library/nginx
[root@k8s-node2 ~]# docker logout 192.168.191.134
Removing login credentials for 192.168.191.134
[root@k8s-node2 ~]# docker login 192.168.191.134
Username: kk
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@k8s-node2 ~]# docker push 192.168.191.134/library/nginx
The push refers to repository [192.168.191.134/library/nginx]
550333325e31: Pushed
22ea89b1a816: Pushed
a4d893caa5c9: Pushed
0338db614b95: Pushed
d0f104dc0a1f: Pushed
latest: digest: sha256:179412c42fe3336e7cdc253ad4a2e03d32f50e3037a860cf5edbeb1aaddb915c size: 1362
No errors means the push succeeded
The pushed image is now visible in the browser
If pushing the image fails, do the following
On the server k8s-harbor:
First check that /usr/lib/systemd/system/docker.service and /etc/docker/daemon.conf are both configured correctly
[root@k8s-harbor ~]# cd harbor
[root@k8s-harbor harbor]# systemctl daemon-reload
[root@k8s-harbor harbor]# systemctl restart docker
[root@k8s-harbor harbor]# docker-compose down -v
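[root@k8s-harbor harbor]# docker-compose up -d # make sure all containers have started normally and are healthy
Then on the client, run docker logout and docker login again, followed by docker push
Note: when running docker tag, the image can only be tagged as ip/image-name, because the IP is what is configured on the server and client in /root/harbor/harbor.cfg (server), /usr/lib/systemd/system/docker.service and /etc/docker/daemon.conf. To use a domain name when tagging, change the corresponding configuration files to the domain name as well.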
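The troubleshooting step and the note above both rely on the same registry address appearing in harbor.cfg, docker.service and daemon.conf. The shell functions below are an added example, not part of the original post, that check this on one host; the function names and the file paths passed as arguments are assumptions, and scheme and port are ignored when comparing addresses.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): verify that the registry address
# used for docker login/tag is the one configured in the files the post edits.

# Strip scheme, port and path: "http://192.168.191.134:5000" -> "192.168.191.134"
registry_host() { printf '%s\n' "$1" | sed -E 's#^[a-z]+://##; s#[:/].*$##'; }

# Value of "hostname = ..." in harbor.cfg
harbor_hostname() {
  sed -nE 's/^[[:space:]]*hostname[[:space:]]*=[[:space:]]*([^[:space:]#]+).*/\1/p' "$1" | head -n 1
}

# Every --insecure-registry value on the ExecStart= line of a systemd unit file
unit_insecure() {
  grep -E '^ExecStart=' "$1" | grep -oE -- '--insecure-registry[= ][^[:space:]]+' |
    sed -E 's/^--insecure-registry[= ]//'
}

# Every entry of the "insecure-registries" array in the daemon JSON file
daemon_insecure() {
  tr -d '\n' < "$1" | grep -oE '"insecure-registries"[[:space:]]*:[[:space:]]*\[[^]]*\]' |
    grep -oE '"[^"]+"' | tail -n +2 | tr -d '"'
}

# Succeeds if any entry read from stdin refers to host $1
lists_host() {
  local want=$1 entry
  while IFS= read -r entry; do
    [ "$(registry_host "$entry")" = "$want" ] && return 0
  done
  return 1
}

# usage: check_registry_config ADDRESS DOCKER_SERVICE DAEMON_FILE [HARBOR_CFG]
# HARBOR_CFG exists only on the server, so it is optional.
check_registry_config() {
  local want rc=0
  want=$(registry_host "$1")
  unit_insecure "$2" | lists_host "$want" || { echo "MISSING in $2: $want"; rc=1; }
  daemon_insecure "$3" | lists_host "$want" || { echo "MISSING in $3: $want"; rc=1; }
  if [ -n "${4:-}" ] && [ "$(registry_host "$(harbor_hostname "$4")")" != "$want" ]; then
    echo "MISMATCH in $4: hostname is $(harbor_hostname "$4"), expected $want"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $want is configured consistently"
  return "$rc"
}
```

Run it on each host with the address used in docker login and docker tag. Every address it accepts is one that Docker is allowed to contact over plain HTTP or without certificate verification.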