master节点上操作
创建自签名证书
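# Run on the master: create the self-signed certificate the private registry will serve.
set -euo pipefail

registry_ip=192.168.0.1          # cluster-internal VIP; must match VIP_0 in the Marathon app
cert_dir="$HOME/certs"

mkdir -p -- "$cert_dir"          # -p: idempotent when the directory already exists
cd -- "$cert_dir"

# Use the DC/OS-bundled openssl.cnf as a template and add a subjectAltName to [ v3_ca ].
# Docker/Go clients validate an IP-based registry name against the SAN, not the CN.
cp -- /opt/mesosphere/packages/openssl--8042860cf76ca9ef965af9ee6d59acace266356e/etc/ssl/openssl.cnf ./openssl.cnf
sed -i "/\[ v3_ca \]/a subjectAltName = IP:${registry_ip}" ./openssl.cnf

# Unencrypted 2048-bit RSA key (-nodes) and a 365-day self-signed cert. The cert has to be
# regenerated and redistributed to every agent before it expires.
openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes \
  -keyout domain.key -x509 -days 365 -out domain.crt \
  -subj "/C=CN/ST=SH/L=Shang Hai/O=example.com/CN=${registry_ip}"
chmod 600 domain.key             # the private key must stay readable only by its owner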
此处IP“192.168.0.1”为DCOS集群内部的虚拟IP(VIP),仅在集群内部可见,需与下文Marathon应用中portMappings的VIP_0保持一致。
拷贝证书和私钥到所有Agent节点
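# Run on the master: install jq, list the Mesos agents, and copy cert + key to each agent.
set -euo pipefail

mesos_master=192.168.22.191      # master whose /slaves endpoint lists the agents
cert_dir="$HOME/certs"

# EPEL provides jq. Fetch the release package over https so it cannot be swapped in transit.
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
yum install -y jq

# jq -r prints raw strings, so the tr -d '"' step is no longer needed.
mapfile -t mesos_agents < <(curl -sS "${mesos_master}:5050/slaves" | jq -r '.slaves[].hostname')
(( ${#mesos_agents[@]} > 0 )) || { printf 'no agents listed by %s\n' "$mesos_master" >&2; exit 1; }

for agent in "${mesos_agents[@]}"; do
  # StrictHostKeyChecking=no accepts any host key on first contact, so the private key could
  # be copied to a spoofed agent. Pre-populating ~/.ssh/known_hosts (e.g. with ssh-keyscan
  # from a trusted network) and dropping the option is the safer setup.
  ssh -o StrictHostKeyChecking=no "$agent" 'sudo mkdir -p /etc/privateregistry/certs/'
  scp -o StrictHostKeyChecking=no "${cert_dir}/domain.crt" "${cert_dir}/domain.key" "${agent}:~/"
  ssh -o StrictHostKeyChecking=no "$agent" 'sudo mv ./domain.crt ./domain.key /etc/privateregistry/certs/'
done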
配置所有Agent节点上的Docker守护程序信任为私有容器仓库创建的自签名证书。
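# Run on the master: make the Docker daemon on every agent trust the registry certificate.
set -euo pipefail

mesos_master=192.168.22.191      # master whose /slaves endpoint lists the agents
registry_ip=192.168.0.1          # registry name as clients see it; selects /etc/docker/certs.d/<name>/

# jq -r prints raw strings, so the tr -d '"' step is no longer needed.
mapfile -t mesos_agents < <(curl -sS "${mesos_master}:5050/slaves" | jq -r '.slaves[].hostname')
(( ${#mesos_agents[@]} > 0 )) || { printf 'no agents listed by %s\n' "$mesos_master" >&2; exit 1; }

for agent in "${mesos_agents[@]}"; do
  # The self-signed cert is its own CA, so it is installed as ca.crt for this registry only
  # (no daemon-wide insecure-registries setting). Restarting docker stops the agent's running
  # containers unless live-restore is enabled, which is why the loop goes agent by agent.
  ssh -o StrictHostKeyChecking=no "$agent" \
    "sudo mkdir -p /etc/docker/certs.d/${registry_ip} \
     && sudo cp /etc/privateregistry/certs/domain.crt /etc/docker/certs.d/${registry_ip}/ca.crt \
     && sudo systemctl restart docker"
done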
部署Registry到DCOS集群
marathon上部署registry
json内容(其中REGISTRY_HTTP_SECRET的值“123456secret”仅为示例,实际部署应替换为随机生成的强随机值):
{
"id": "/registry",
"cmd": null,
"cpus": 0.5,
"mem": 128,
"disk": 0,
"instances": 1,
"constraints": [
[
"hostname",
"LIKE",
"192.168.22.193"
]
],
"acceptedResourceRoles": [
"*"
],
"container": {
"type": "DOCKER",
"docker": {
"forcePullImage": false,
"image": "registry",
"parameters": [],
"privileged": false
},
"volumes": [
{
"containerPath": "/certs/",
"hostPath": "/etc/privateregistry/certs/",
"mode": "RO"
},
{
"containerPath": "/var/lib/registry",
"hostPath": "/data/docker-registry",
"mode": "RW"
}
],
"portMappings": [
{
"containerPort": 5000,
"hostPort": 0,
"labels": {
"VIP_0": "192.168.0.1:443"
},
"protocol": "tcp",
"servicePort": 5000
}
]
},
"env": {
"REGISTRY_HTTP_TLS_CERTIFICATE": "/certs/domain.crt",
"REGISTRY_HTTP_TLS_KEY": "/certs/domain.key",
"REGISTRY_HTTP_SECRET": "123456secret"
},
"healthChecks": [
{
"gracePeriodSeconds": 60,
"intervalSeconds": 60,
"maxConsecutiveFailures": 3,
"portIndex": 0,
"protocol": "TCP",
"ipProtocol": "IPv4",
"timeoutSeconds": 20,
"delaySeconds": 15
}
],
"labels": {
"HAPROXY_GROUP": "external"
},
"networks": [
{
"mode": "container/bridge"
}
],
"portDefinitions": []
}
在集群内部节点上访问容器仓库(下例中curl -k跳过了证书校验;若要校验自签名证书,可改用 --cacert /etc/privateregistry/certs/domain.crt)
# curl -k https://192.168.0.1/v2/_catalog
{"repositories":[]}
在集群外部访问容器仓库
https://192.168.22.192:5000/v2/_catalog (通过marathon-lb访问)
推送镜像到容器仓库
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
tomcat 8.5.32 5808f01b11bf 5 weeks ago 462.5 MB
mesosphere/marathon-lb latest 3d928337c5fd 6 weeks ago 217.2 MB
# docker tag 5808f01b11bf 192.168.0.1/tomcat:8.5.32
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.0.1/tomcat 8.5.32 5808f01b11bf 5 weeks ago 462.5 MB
tomcat 8.5.32 5808f01b11bf 5 weeks ago 462.5 MB
mesosphere/marathon-lb latest 3d928337c5fd 6 weeks ago 217.2 MB
# docker push 192.168.0.1/tomcat
# curl -k https://192.168.0.1/v2/_catalog
{"repositories":["tomcat"]}
删除容器仓库的镜像
私有容器仓库宿主机上操作
参考:https://github.com/burnettk/delete-docker-registry-image
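# Run on the host that holds the registry's data volume (/data/docker-registry).
set -euo pipefail

# Pinned to the master branch: whatever is on that branch at download time gets installed and
# later run as root. Pin a reviewed commit instead of master once one has been audited.
script_url=https://raw.githubusercontent.com/burnettk/delete-docker-registry-image/master/delete_docker_registry_image.py
tmp=$(mktemp)
trap 'rm -f -- "$tmp"' EXIT

# -f fails on HTTP errors instead of saving an error page; downloading to a temp file first
# avoids installing a truncated script if the transfer is interrupted.
curl -fsSL -o "$tmp" "$script_url"
sudo install -m 0755 -- "$tmp" /usr/local/bin/delete_docker_registry_image

# Storage root the tool operates on: the host path mounted at /var/lib/registry in the
# Marathon app plus the registry's own docker/registry/v2 layout.
echo 'export REGISTRY_DATA_DIR=/data/docker-registry/docker/registry/v2' | sudo tee -a /etc/profile >/dev/null
source /etc/profile

# NOTE(review): the tool edits the storage tree directly under the live registry; confirm
# against its README whether the registry should be stopped during deletion.
delete_docker_registry_image --image tomcat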