linux搭建k8s集群1.15.1版+K8s搭建Harbor私有仓库(二)
Harbor私有仓库搭建
前期准备:
一台虚拟机:
配置:2G内存 +1核处理器+100G硬盘+1张NAT网卡
镜像:CentOS-7-x86_64-DVD-1810.iso
虚拟机安装完成之后对其进行配网
ip为:192.168.66.100
主机名:hub.atguigu.com
基本配置
1.1 修改主机名
[root@localhost ~]# hostnamectl set-hostname hub.atguigu.com
[root@localhost ~]# bash
[root@hub ~]#
1.2 编写hosts配置文件
[root@hub ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.66.100 hub.atguigu.com
192.168.66.10 k8s-master
192.168.66.20 k8s-node1
192.168.66.21 k8s-node2
1.3 安装所需依赖包
[root@hub ~]# yum install -y conntrack ntpdate ntp ipvsadm ipset jq iptables curl sysstat libseccomp wget vim net-tools git
1.4 关闭防火墙+iptables设置空规则
[root@hub ~]# systemctl stop firewalld && systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@hub ~]# yum -y install iptables-services && systemctl start iptables && systemctl enable iptables && iptables -F && service iptables save
1.4 关闭swap与Selinux
[root@hub ~]# swapoff -a && sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
[root@hub ~]# setenforce 0 && sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
1.5 设置rsyslogd和systemd journal
[root@hub ~]# mkdir /var/log/journal
[root@hub ~]# mkdir /etc/systemd/journald.conf.d
[root@hub ~]# cat > /etc/systemd/journald.conf.d/99-prophet.conf <<EOF
[Journal]
Storage=persistent
Compress=yes
SyncIntervalSec=5m
RateLimitInterval=30s
RateLimitBurst=1000
SystemMaxUse=10G
SystemMaxFileSize=200M
MaxRetentionSec=2week
ForwardToSyslog=no
EOF
[root@hub ~]# systemctl restart systemd-journald
1.6 调整系统时区
设置系统时区为 中国/shanghai
[root@hub ~]# timedatectl set-timezone Asia/Shanghai
将硬件时钟设置为使用 UTC 时间(而非本地时间)
[root@hub ~]# timedatectl set-local-rtc 0
安装时间同步
系统时间需与当前物理机(本机电脑)的时间保持一致
[root@hub ~]# systemctl enable chronyd && systemctl restart chronyd
[root@hub ~]# date
2021年 05月 05日 星期三 17:51:23 CST
1.7 关闭系统不需要的服务避免资源被占用
[root@hub ~]# systemctl stop postfix && systemctl disable postfix
Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service.
1.8 升级系统内核
[root@hub ~]# rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
[root@hub ~]# yum --enablerepo=elrepo-kernel install -y kernel-lt
设置开机从新内核启动
随着时间推移内核版本也会更新,升级完成以后你看到的内核版本号可能与本文不一致,只需在下面 cat 查看时选择你当前系统中实际安装的版本号即可
[root@hub ~]# grub2-editenv list
saved_entry=CentOS Linux (3.10.0-957.el7.x86_64) 7 (Core)
[root@hub ~]# cat /boot/grub2/grub.cfg | grep menuentry
if [ x"${feature_menuentry_id}" = xy ]; then
menuentry_id_option="--id"
menuentry_id_option=""
export menuentry_id_option
menuentry 'CentOS Linux (5.4.116-1.el7.elrepo.x86_64) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-957.el7.x86_64-advanced-3ee9ae23-a36c-4ffd-b36f-6473baf41db7' {
menuentry 'CentOS Linux (3.10.0-957.el7.x86_64) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-957.el7.x86_64-advanced-3ee9ae23-a36c-4ffd-b36f-6473baf41db7' {
menuentry 'CentOS Linux (0-rescue-398e147a6c18425291ece7dc6ec0c7dc) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-0-rescue-398e147a6c18425291ece7dc6ec0c7dc-advanced-3ee9ae23-a36c-4ffd-b36f-6473baf41db7' {
[root@hub ~]# grub2-set-default 'CentOS Linux (5.4.116-1.el7.elrepo.x86_64) 7 (Core)'
[root@hub ~]# grub2-editenv list
saved_entry=CentOS Linux (5.4.116-1.el7.elrepo.x86_64) 7 (Core)
[root@hub ~]# reboot
查看内核是否升级成功
Last login: Thu May 6 01:16:13 2021 from 192.168.66.1
[root@hub ~]#
[root@hub ~]# uname -r
5.4.116-1.el7.elrepo.x86_64
[root@hub ~]#
安装docker
2.1安装docker软件
[root@hub ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
[root@hub ~]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@hub ~]# yum upgrade -y && yum install -y docker-ce
2.2设置docker镜像加速和daemon安全
注:此操作在其余三个节点都要重新设置,需在 insecure-registries 中添加私有仓库地址。注意:insecure-registries 会让 docker 跳过对该仓库的 TLS 证书校验,只适合实验环境;生产环境应改为把后面生成的 server.crt 作为可信证书放到各节点的 /etc/docker/certs.d/hub.atguigu.com/ 目录下,而不是加入 insecure-registries
[root@hub ~]# mkdir /etc/docker
[root@hub ~]# cat > /etc/docker/daemon.json <<EOF
> {
> "exec-opts": ["native.cgroupdriver=systemd"],
> "log-driver": "json-file",
> "log-opts": {
> "max-size": "100m"
> },
"insecure-registries": ["https://hub.atguigu.com"]
> }
> EOF
[root@hub ~]#
[root@hub ~]# mkdir -p /etc/systemd/system/docker.service.d
[root@hub ~]# systemctl daemon-reload && systemctl restart docker && systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
2.3 使harbor节点与k8s集群的三个节点互通
[root@k8s-master ~]# echo "192.168.66.100 hub.atguigu.com" >>/etc/hosts
[root@k8s-node1 ~]# echo "192.168.66.100 hub.atguigu.com" >>/etc/hosts
[root@k8s-node2 ~]# echo "192.168.66.100 hub.atguigu.com" >>/etc/hosts
将harbor节点的 daemon.json 配置文件 scp 复制到三个节点
[root@hub ~]# scp /etc/docker/daemon.json k8s-master:/etc/docker/daemon.json
[root@hub ~]# scp /etc/docker/daemon.json k8s-node1:/etc/docker/daemon.json
[root@hub ~]# scp /etc/docker/daemon.json k8s-node2:/etc/docker/daemon.json
然后在三个节点上分别重启docker(下面仅以 k8s-master 为例)
[root@k8s-master ~]# systemctl daemon-reload && systemctl restart docker
2.4添加docker-compose
[root@hub ~]# curl -L https://github.com/docker/compose/releases/download/1.9.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
[root@hub ~]# cd /usr/local/bin/
[root@hub bin]# chmod +x docker-compose
[root@hub bin]# ls
docker-compose
安装harbor
3.1导入harbor的安装包
[root@hub ~]# ls
harbor-offline-installer-v1.2.0.tgz
[root@hub ~]# tar -xzvf harbor-offline-installer-v1.2.0.tgz
3.2 修改harbor脚本配置文件
[root@hub ~]# mv harbor /usr/local/
[root@hub ~]# cd /usr/local/harbor/
[root@hub harbor]# vim harbor.cfg
hostname = hub.atguigu.com
ui_url_protocol = https
3.3 harbor证书创建
[root@hub harbor]# mkdir -p /data/cert/
[root@hub harbor]# cd !$
cd /data/cert/
生成私钥
此处输入两次相同的密码
[root@hub cert]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..................................................................................+++
............+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
生成证书请求
执行下面的命令时出现 Enter pass phrase for server.key: 提示,输入上一步骤中设置的密码
[root@hub cert]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Bj
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:atguigu
Organizational Unit Name (eg, section) []:atguigu
Common Name (eg, your name or your server's hostname) []:hub.atguigu.com
Email Address []:wangyanglinux@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
备份私钥+去除私钥密码(去除密码后 server.key 为明文私钥,需妥善保管并限制读取权限)
[root@hub cert]# cp server.key server.key.org
[root@hub cert]# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
writing RSA key
将证书请求签名生成证书+调整证书文件权限(注意:下面的 chmod a+x 只是给所有文件加上执行位,并不会限制读取;私钥 server.key 应保持仅 root 可读,例如 600,否则其他用户也能读到私钥)
[root@hub cert]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=Bj/L=BJ/O=atguigu/OU=atguigu/CN=hub.atguigu.com/emailAddress=wangyanglinux@163.com
Getting Private key
[root@hub cert]# chmod a+x *
[root@hub cert]# ls
server.crt server.csr server.key server.key.org
3.4 执行脚本安装harbor
[root@hub cert]# cd -
/usr/local/harbor
[root@hub harbor]# ls
common docker-compose.notary.yml harbor_1_1_0_template harbor.v1.2.0.tar.gz LICENSE prepare
docker-compose.clair.yml docker-compose.yml harbor.cfg install.sh NOTICE upgrade
[root@hub harbor]# ./install.sh
[Step 0]: checking installation environment ...
Note: docker version: 20.10.6
Note: docker-compose version: 1.9.0
[Step 1]: loading Harbor images ...
3.5 修改本机(浏览器所在电脑)上的hosts文件,添加一行 192.168.66.100 hub.atguigu.com,使域名能够解析到harbor节点
3.6 访问harbor的web页面
安装完成以后,查看docker运行的容器,然后访问 hub.atguigu.com
[root@hub harbor]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e3c3b6ef277e vmware/harbor-jobservice:v1.2.0 "/harbor/harbor_jobs…" 5 minutes ago Up 5 minutes harbor-jobservice
81cb93eff75d vmware/nginx-photon:1.11.13 "nginx -g 'daemon of…" 5 minutes ago Up 5 minutes 0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp, 0.0.0.0:4443->4443/tcp, :::4443->4443/tcp nginx
25bf5d9cec46 vmware/harbor-ui:v1.2.0 "/harbor/harbor_ui" 5 minutes ago Up 5 minutes harbor-ui
d7cca953bae8 vmware/harbor-adminserver:v1.2.0 "/harbor/harbor_admi…" 5 minutes ago Up 5 minutes harbor-adminserver
d4f7f19896af vmware/harbor-db:v1.2.0 "docker-entrypoint.s…" 5 minutes ago Up 5 minutes 3306/tcp harbor-db
7e7e12c4d3d7 vmware/registry:2.6.2-photon "/entrypoint.sh serv…" 5 minutes ago Up 5 minutes 5000/tcp registry
e9dce126f215 vmware/harbor-log:v1.2.0 "/bin/sh -c 'crond &…" 5 minutes ago Up 5 minutes 127.0.0.1:1514->514/tcp harbor-log
浏览器访问:https://hub.atguigu.com
默认用户名:admin
默认密码:Harbor12345(这是安装时的默认管理员密码,首次登录后应立即修改)
3.7 镜像测试
在node1节点进行测试:
[root@k8s-node1 ~]# docker login https://hub.atguigu.com
Username: admin
Password: Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
拉取镜像测试:
[root@k8s-node1 ~]# docker pull wangyanglinux/myapp:v1
v1: Pulling from wangyanglinux/myapp
550fe1bea624: Pull complete
af3988949040: Pull complete
d6642feac728: Pull complete
c20f0a205eaa: Pull complete
fe78b5db7c4e: Pull complete
6565e38e67fe: Pull complete
Digest: sha256:9c3dc30b5219788b2b8a4b065f548b922a34479577befb54b03330999d30d513
Status: Downloaded newer image for wangyanglinux/myapp:v1
docker.io/wangyanglinux/myapp:v1
[root@k8s-node1 ~]# docker images |grep myapp
wangyanglinux/myapp v1 d4a5e0eaa84f 3 years ago 15.5MB
重新打标+上传到harbor
[root@k8s-node1 ~]# docker tag wangyanglinux/myapp:v1 hub.atguigu.com/library/myapp:v1
[root@k8s-node1 ~]# docker images |grep myapp
wangyanglinux/myapp v1 d4a5e0eaa84f 3 years ago 15.5MB
hub.atguigu.com/library/myapp v1 d4a5e0eaa84f 3 years ago 15.5MB
[root@k8s-node1 ~]# docker push hub.atguigu.com/library/myapp:v1
The push refers to repository [hub.atguigu.com/library/myapp]
a0d2c4392b06: Pushed
05a9e65e2d53: Pushed
68695a6cfd7d: Pushed
c1dc81a64903: Pushed
8460a579ab63: Pushed
d39d92664027: Pushed
v1: digest: sha256:9eeca44ba2d410e54fccc54cbe9c021802aa8b9836a0bcf3d3229354e4c8870e size: 1569
[root@k8s-node1 ~]#
刷新后即可看到私有仓里有镜像存在
3.8 启动pod测试镜像是否可用
先将node节点中的myapp镜像删除,才可检验是否能够自行拉取私有仓中的镜像
[root@k8s-node1 ~]# docker rmi -f hub.atguigu.com/library/myapp:v1
Untagged: hub.atguigu.com/library/myapp:v1
Untagged: hub.atguigu.com/library/myapp@sha256:9eeca44ba2d410e54fccc54cbe9c021802aa8b9836a0bcf3d3229354e4c8870e
[root@k8s-node1 ~]# docker rmi -f wangyanglinux/myapp:v1
Untagged: wangyanglinux/myapp:v1
Untagged: wangyanglinux/myapp@sha256:9c3dc30b5219788b2b8a4b065f548b922a34479577befb54b03330999d30d513
Deleted: sha256:d4a5e0eaa84f28550cb9dd1bde4bfe63a93e3cf88886aa5dad52c9a75dd0e6a9
Deleted: sha256:bf5594a16c1ff32ffe64a68a92ebade1080641f608d299170a2ae403f08764e7
Deleted: sha256:b74f3c20dd90bf6ead520265073c4946461baaa168176424ea7aea1bc7f08c1f
Deleted: sha256:8943f94f7db615e453fa88694440f76d65927fa18c6bf69f32ebc9419bfcc04a
Deleted: sha256:2020231862738f8ad677bb75020d1dfa34159ad95eef10e790839174bb908908
Deleted: sha256:49757da6049113b08246e77f770f49b1d50bb97c93f19d2eeae62b485b46e489
Deleted: sha256:d39d92664027be502c35cf1bf464c726d15b8ead0e3084be6e252a161730bc82
[root@k8s-node1 ~]# docker images |grep myapp
[root@k8s-node1 ~]#
运行一个deployment测试是否成功
[root@k8s-master ~]# kubectl run nginx-deployment --image=hub.atguigu.com/library/myapp:v1 --port=80 --replicas=1
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
deployment.apps/nginx-deployment created
[root@k8s-master ~]# kubectl get deployment
NAME READY UP-TO-DATE AVAILABLE AGE
nginx-deployment 1/1 1 1 13s
[root@k8s-master ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx-deployment-85756b779-jnw8m 1/1 Running 0 16s
[root@k8s-master ~]#
运行成功后查看harbor页面中的下载次数已变为2
到此harbor私有仓已搭建完成!!!