30.7 Deploying Harbor
Harbor is a container image registry open-sourced by VMware's China team. In practice, Harbor extends Docker Registry with enterprise-grade features, which is why it has seen such wide adoption; these features include a management web UI, role-based access control, horizontal scaling, replication, AD/LDAP integration and audit logging.
GitHub releases: https://github.com/goharbor/harbor/releases
Manual deployment
A Kubernetes cluster was already built earlier; 192.168.30.150 is the master2 node, and we use it as the Harbor server.
- Download the latest docker-compose binary:
[root@master2 ~]# vim /etc/hosts   # add the line: 54.231.48.160 github-production-release-asset-2e65be.s3.amazonaws.com
[root@master2 ~]# curl -L https://github.com/docker/compose/releases/download/1.24.0-rc1/docker-compose-`uname -s`-`uname -m` -o /usr/bin/docker-compose
[root@master2 ~]# chmod +x /usr/bin/docker-compose
- Download the Harbor offline installer:
[root@master2 ~]# wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.0-rc2.tgz
[root@master2 ~]# tar zxf harbor-offline-installer-v1.7.0-rc2.tgz
- Prepare the CA certificate:
[root@master2 ~]# mkdir /data/ && cd /data
Upload the certificate archive harbor.lzxlinux.com.key.tar.gz   # self-signed certificate
[root@master2 data]# tar zxf harbor.lzxlinux.com.key.tar.gz
[root@master2 data]# ls cert/
ca.crt server.crt server.key
- Edit the configuration file:
[root@master2 cert]# cd harbor/
[root@master2 harbor]# vim harbor.cfg   # make the following changes
hostname = harbor.lzxlinux.com
ui_url_protocol = https
- Run the installer:
[root@master2 harbor]# sh install.sh
[root@master2 harbor]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5cad50fe8189 goharbor/nginx-photon:v1.7.0 "nginx -g 'daemon of…" 5 minutes ago Up 5 minutes (healthy) 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp nginx
7f536f3285ff goharbor/harbor-jobservice:v1.7.0 "/harbor/start.sh" 5 minutes ago Up 5 minutes harbor-jobservice
f4c2f03e9315 goharbor/harbor-portal:v1.7.0 "nginx -g 'daemon of…" 5 minutes ago Up 5 minutes (healthy) 80/tcp harbor-portal
45755eaf06e3 goharbor/harbor-core:v1.7.0 "/harbor/start.sh" 5 minutes ago Up 5 minutes (healthy) harbor-core
d1b57df6021c goharbor/harbor-adminserver:v1.7.0 "/harbor/start.sh" 5 minutes ago Up 5 minutes (healthy) harbor-adminserver
f65f40cac8cc goharbor/harbor-db:v1.7.0 "/entrypoint.sh post…" 5 minutes ago Up 5 minutes (healthy) 5432/tcp harbor-db
dd50b19871b8 goharbor/harbor-registryctl:v1.7.0 "/harbor/start.sh" 5 minutes ago Up 5 minutes (healthy) registryctl
034de27d8a84 goharbor/registry-photon:v2.6.2-v1.7.0 "/entrypoint.sh /etc…" 5 minutes ago Up 5 minutes (healthy) 5000/tcp registry
dd0c1abf428c goharbor/redis-photon:v1.7.0 "docker-entrypoint.s…" 5 minutes ago Up 5 minutes 6379/tcp redis
97530153c3b7 goharbor/harbor-log:v1.7.0 "/bin/sh -c /usr/loc…" 5 minutes ago Up 5 minutes (healthy) 127.0.0.1:1514->10514/tcp harbor-log
0baf1dbfb8d0 ff281650a721 "/opt/bin/flanneld -…" 2 hours ago Up 2 hours k8s_kube-flannel_kube-flannel-ds-amd64-lfgv5_kube-system_f40a3fe8-34d6-11e9-83ed-000c297ff3a2_0
96ce131643a0 mirrorgooglecontainers/pause-amd64:3.1 "/pause" 2 hours ago Up 2 hours k8s_POD_kube-flannel-ds-amd64-lfgv5_kube-system_f40a3fe8-34d6-11e9-83ed-000c297ff3a2_0
- Access from a browser:
Edit the hosts file on Windows (path: C:\Windows\System32\drivers\etc\hosts) and add the line: 192.168.30.150 harbor.lzxlinux.com
Username: admin, password: Harbor12345 (the default password)
- Create a project:
Projects are generally not set to public.
- Pull public images:
[root@master2 harbor]# docker pull busybox
[root@master2 harbor]# docker pull tomcat
- Tag the images:
[root@master2 harbor]# docker tag busybox harbor.lzxlinux.com/lzx/busybox
[root@master2 harbor]# echo 192.168.30.150 harbor.lzxlinux.com >> /etc/hosts
[root@master2 harbor]# docker login https://harbor.lzxlinux.com
Username: admin
Password:
Error response from daemon: Get https://harbor.lzxlinux.com/v2/: x509: certificate signed by unknown authority
- Fix the x509 problem:
[root@master2 harbor]# echo -n | openssl s_client -showcerts -connect harbor.lzxlinux.com:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/P' >> /etc/ssl/certs/ca-bundle.trust.crt
[root@master2 harbor]# systemctl restart docker
[root@master2 harbor]# docker-compose up -d   # -d starts in the background
If the method above still doesn't work, do the following instead:
# mkdir -p /etc/docker/certs.d/harbor.lzxlinux.com
# cp /data/cert/ca.crt /etc/docker/certs.d/harbor.lzxlinux.com/ca.crt
# chmod 400 !$
# systemctl restart docker
- Log in again:
[root@master2 harbor]# docker login https://harbor.lzxlinux.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
- Push the busybox image:
[root@master2 harbor]# docker push harbor.lzxlinux.com/lzx/busybox
The push refers to repository [harbor.lzxlinux.com/lzx/busybox]
683f499823be: Pushed
latest: digest: sha256:bbb143159af9eabdf45511fd5aab4fd2475d4c0e7fd4a5e154b98e838488e510 size: 527
- Check in the browser:
Refresh the page and the newly pushed image appears.
- Push the tomcat image:
[root@master2 harbor]# docker tag tomcat harbor.lzxlinux.com/lzx/tomcat
[root@master2 harbor]# docker push harbor.lzxlinux.com/lzx/tomcat
Refresh again to check.
30.8 Using Harbor in Kubernetes
It took quite some effort to deploy Harbor, so what is it good for? Next we use it from Kubernetes.
The following operations are run on the master node.
- Create a secret:
[root@master ~]# kubectl create secret docker-registry my-secret --docker-server=harbor.lzxlinux.com --docker-username=admin --docker-password=Harbor12345
[root@master ~]# kubectl get secret
NAME TYPE DATA AGE
default-token-lfx98 kubernetes.io/service-account-token 3 1d
my-secret kubernetes.io/dockerconfigjson 1 38s   # several secrets can be created; specify the one to use when pulling images
- Push the httpd image:
[root@master ~]# docker pull httpd
[root@master ~]# docker tag httpd harbor.lzxlinux.com/lzx/httpd
[root@master ~]# docker login https://harbor.lzxlinux.com
[root@master ~]# docker push harbor.lzxlinux.com/lzx/httpd
Refresh to check.
- Define a pod:
[root@master ~]# vim httpd-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: httpd-pod
spec:
  containers:
  - image: harbor.lzxlinux.com/lzx/httpd:latest
    name: httpd-pod
  imagePullSecrets:
  - name: my-secret   # reference my-secret
[root@master ~]# kubectl create -f httpd-pod.yaml
[root@master ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
httpd-pod 0/1 ImagePullBackOff 0 53s   # wrong status
nginx-6f858d4d45-wwnm9 1/1 Running 0 4h
[root@master ~]# kubectl describe pod httpd-pod
Warning Failed 25s (x2 over 53s) kubelet, 192.168.30.130 Error: ErrImagePull
Normal BackOff 11s (x2 over 52s) kubelet, 192.168.30.130 Back-off pulling image "harbor.lzxlinux.com/lzx/httpd:latest"
Warning Failed 11s (x2 over 52s) kubelet, 192.168.30.130 Error: ImagePullBackOff
Normal Pulling 0s (x3 over 1m) kubelet, 192.168.30.130 pulling image "harbor.lzxlinux.com/lzx/httpd:latest"
- Fix the problem:
[root@master2 harbor]# scp /data/cert/ca.crt 192.168.30.129:/root/
[root@master2 harbor]# scp /data/cert/ca.crt 192.168.30.130:/root/
[root@node1 ~]# mkdir -p /etc/docker/certs.d/harbor.lzxlinux.com
[root@node1 ~]# cp ca.crt /etc/docker/certs.d/harbor.lzxlinux.com/ca.crt
[root@node1 ~]# chmod 400 !$
[root@node1 ~]# systemctl restart docker
[root@node1 ~]# vim /etc/hosts   # add the line: 192.168.30.150 harbor.lzxlinux.com
[root@node2 ~]# mkdir -p /etc/docker/certs.d/harbor.lzxlinux.com
[root@node2 ~]# cp ca.crt /etc/docker/certs.d/harbor.lzxlinux.com/ca.crt
[root@node2 ~]# chmod 400 !$
[root@node2 ~]# systemctl restart docker
[root@node2 ~]# vim /etc/hosts   # add the line: 192.168.30.150 harbor.lzxlinux.com
- Create the pod again:
[root@master ~]# kubectl delete pod httpd-pod
[root@master ~]# kubectl create -f httpd-pod.yaml
[root@master ~]# kubectl describe pod httpd-pod
Normal Scheduled <invalid> default-scheduler Successfully assigned default/httpd-pod to 192.168.30.130
Normal Pulling <invalid> kubelet, 192.168.30.130 pulling image "harbor.lzxlinux.com/lzx/httpd:latest"
Normal Pulled <invalid> kubelet, 192.168.30.130 Successfully pulled image "harbor.lzxlinux.com/lzx/httpd:latest"
Normal Created <invalid> kubelet, 192.168.30.130 Created container
Normal Started <invalid> kubelet, 192.168.30.130 Started container
[root@master ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
httpd-pod 1/1 Running 0 3m
nginx-6f858d4d45-wwnm9 1/1 Running 0 4h
This time the pod is created successfully and is running. Refresh the browser and the pull count has been updated.
Free certificate application: https://freessl.cn/
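As an added example (not part of the original tutorial), the Python below builds the same Secret manifest that the `kubectl create secret docker-registry` command above produces, using the page's own values (harbor.lzxlinux.com, admin, the default password), and checks that the secret's registry entry matches the registry host of the pod's image; a mismatch there is the first thing to rule out when a pod sits in ImagePullBackOff. Function names are my own.

```python
import base64
import json

# Constructed from the tutorial's own values: registry host, admin user, default password.
REGISTRY = "harbor.lzxlinux.com"


def docker_registry_secret(name, server, username, password):
    """Build the Secret manifest that `kubectl create secret docker-registry` produces.

    The payload is a Docker config.json whose `auths` map is keyed by registry host
    and whose `auth` field is base64("user:password"); Kubernetes stores that JSON
    base64-encoded once more under the `.dockerconfigjson` key.
    """
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {server: {"username": username, "password": password, "auth": auth}}}
    payload = base64.b64encode(json.dumps(config).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": payload},
    }


def decode_dockerconfig(secret):
    """Undo both base64 layers and return the config.json as a dict."""
    return json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))


def registry_host(image):
    """Registry host of an image reference, following Docker's parsing rule: the first
    path segment is a registry only if it contains '.' or ':' or is "localhost";
    otherwise the image lives on Docker Hub (docker.io)."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def secret_covers_image(secret, image):
    """True if the pull secret holds an `auths` entry for the image's registry host.
    kubelet only presents credentials whose key matches that host, so a mismatch
    leaves a private Harbor project unauthenticated and the pull fails."""
    return registry_host(image) in decode_dockerconfig(secret)["auths"]
```

Pipe the returned dict through `json.dumps` and `kubectl apply -f -` to create the secret declaratively instead of with the imperative command.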
harbor443: connect: connection refused
Fix for this problem: https://blog.51cto.com/u_10272167/2730746