k8s学习二：k8s编译安装集群搭建——单master多node简易部署

admin

服务器环境
! U+ l; n( \3 a0 `- a4 X" f
centos7.5
mac装的pd虚拟机
1 i3 g" @# T$ Y/ e( B; S作用        IP        部署服务        配置
master        10.211.55.10        etcd、kube-apiserver、kube-controller-manager、kube-scheduler        2C、2G
node1        10.211.55.11        docker 、kubelet、kube-proxy        2C、2G
node2        10.211.55.12        docker 、kubelet、kube-proxy        2C、2G
8 B- F1 {0 ]: I: i  B5 C" s- 计划采用二进制包进行部署：

所需二进制包下载地址：
+ t+ _  e' c/ S* L+ q5 u1.https://dl.k8s.io/v1.10.4/kubernetes-server-linux-amd64.tar.gz
2.https://dl.k8s.io/v1.10.4/kubernetes-node-linux-amd64.tar.gz
3.https://github.com/coreos/etcd/r ... -linux-amd64.tar.gz
注意所有服务器都需要关闭防火墙
Master部署

二进制安装基本都是以下几个步骤：
" ]# e1 b" r2 l& p: a% S1、复制对应的二进制文件到/usr/bin目录下
2、创建systemd service启动服务文件
3、创建service中对应的配置参数文件
4、将该应用加入到开机自启
5、启动服务并查看服务状态
etcd部署
& p; }2 f" U2 E, o: `& \
下载二进制安装包并安装：
- \" W3 |2 W- o& E% Zwget https://github.com/coreos/etcd/r ... -linux-amd64.tar.gz
cd etcd-v3.2.22-linux-amd64/
cp etcd /usr/bin/
cp etcdctl /usr/bin/
mkdir /var/lib/etcd
! O5 P9 }* ?- \mkdir /etc/etcd

编辑systemd管理文件
4 l# ^. L9 w$ nvim /usr/lib/systemd/system/etcd.service

[Unit]
% F. q- {# Q. ?" i! G# eDescription=Etcd Server
After=network.target
+ V( `: a  |5 y8 d' f" X( L
. f% E. d& z( k# g8 _% S[Service]
0 \# V7 T1 ]) }8 S6 H- x3 XType=simple
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=-/etc/etcd/etcd.conf
9 f1 C9 j  o; kExecStart=/usr/bin/etcd

[Install]
7 _, z3 l) {9 T( T  a& vWantedBy=multi-user.target
: p3 S. n: H1 H  h: a6 w" m6 z

$ i1 T: \/ y) }$ e/ l' L启动服务,并设置开机启动
* `5 Y, h. g6 V, n" gsystemctl daemon-reload
systemctl start etcd
systemctl enable etcd
* d$ Y* y; x! L8 Q( y
( \; W: v8 U7 x1 p查看服务状态的三种命令
0 q& x& |8 z) osystemctl status etcd.service
" G% T* m' A. K* Z
! ^% c& G" c* ]3 tcurl -L http://127.0.0.1:2379/version

( R5 ?8 u, b3 O2 ?2 n- Getcdctl cluster-health

! P0 p" n+ y* S2 q这个安装的还挺顺利，很快就ok了。继续。。。。
" D8 d5 C' P3 B6 n. F+ ^kube-apiserver
; h6 d8 x0 L2 G) W, R
下载并安装
wget https://dl.k8s.io/v1.10.4/kubernetes-server-linux-amd64.tar.gz
, ^2 L' m6 U/ Ltar -xzvf kubernetes-server-linux-amd64.tar.gz  
cd kubernetes/server/bin
cp kube-apiserver /usr/bin/

4 f$ O2 r2 v+ A8 r2 C& B2 s# 一起拷贝吧，后面就直接配置了
cp kube-controller-manager /usr/bin/
5 ?4 @0 C) ~$ g, c7 {cp kube-scheduler /usr/bin/


) c+ S2 w3 Q0 B6 ?3 c6 y1 T编辑systemd的启动文件
& F( g* \- e9 d/ d0 p6 `6 N4 dvim /usr/lib/systemd/system/kube-apiserver.service

[Unit]
Description=Kubernetes API Server
Documentation=https://kubernetes.io/docs/concepts/overview
; P7 U4 K6 r7 K9 M2 gAfter=network.target
9 M3 s0 j" W3 v- X1 Q2 IAfter=etcd.service

[Service]
EnvironmentFile=/etc/kubernetes/apiserver
) t. Q) z' {# U; p! E# _ExecStart=/usr/bin/kube-apiserver $KUBE_API_ARGS
8 d* x9 R2 ~5 V$ u' v8 vRestart=on-failure
, V5 g! _( {0 X4 e! `+ a, \# gType=notify
LimitNOFILE=65536

1 M. ~1 D3 X4 e! S[Install]
/ s6 [: e7 a0 B0 w, K3 B/ ]9 |WantedBy=multi-user.target
/ ~4 v5 W4 \& N  y+ m
0 }+ h8 s7 c' G2 B  g% J

配置参数文件
+ N* z3 F2 ^' s, K, O: R, f# s! Vmkdir /etc/kubernetes/
vim /etc/kubernetes/apiserver

KUBE_API_ARGS="--storage-backend=etcd3 \
               --etcd-servers=http://127.0.0.1:2379 \
1 W% v  y. k6 d- C               --bind-address=0.0.0.0 \
               --secure-port=6443  \
& M/ R& D* P& }, |4 c               --service-cluster-ip-range=192.168.2.0/16  \
               --service-node-port-range=1-65535 \
               --client-ca-file=/etc/kubernetes/ssl/ca.crt \
& y7 a- x' P+ `. T) U& X; q               --tls-private-key-file=/etc/kubernetes/ssl/server.key  \
               --tls-cert-file=/etc/kubernetes/ssl/server.crt  \
3 R) s% [$ z. N1 S               --enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota \
8 J2 ]4 G4 B) M* |" \' d; a               --logtostderr=false \
               --log-dir=/var/log/kubernetes \
( `7 ~; v3 M4 u; Q+ g. H! S               --v=2"
! o1 V8 u, v9 S, q( o" z0 k
- Z8 u( r. n6 O! y  Z* [7 n
2 e- [3 ?* N, K" T3 bservice-cluster-ip-range是servcies的虚拟IP的IP范围，这里可以自己定义，不能当前的宿主机网段重叠。
bind-addres 指定的apiserver监听地址，对应的监听端口是6443，使用的https的方式。(0.0.0.0 表示绑定所有地址)
) y7 S+ \5 g; C7 Pclient-ca-file 这是认证的相关文件，这预先定义，后面会创建证书文件，并放置到对应的路径。
创建日志目录和证书目录
mkdir -p /etc/kubernetes/ssl
mkdir -p /var/log/kubernete

( J* ~6 L% O6 F5 C0 Ykube-controller-manager
) z/ ]. k& o; T3 Z
kube-controller-manager 依赖 kube-apiserver服务
/ F! a  m8 c) `# e6 e. I编辑systemd启动文件
vim /usr/lib/systemd/system/kube-controller-manager.service
4 `) c! t) B% r! B& d0 G) v8 X
( C. ?+ R1 I6 n0 w1 i[Unit]
) ?6 F( h* Q/ Y* w: p  n0 WDescription=Kubernetes Controller Manager
7 w. |. y+ r4 }+ U. vDocumentation=https://kubernetes.io/docs/setup
; L$ x, a6 @) c1 S7 `3 E$ EAfter=kube-apiserver.service
3 Y, e. S; y0 R/ qRequires=kube-apiserver.service
" ^- X& t" s; L1 ?. J6 _- [
[Service]
$ r1 ~7 u) b/ ^) j9 wEnvironmentFile=/etc/kubernetes/controller-manager
ExecStart=/usr/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_ARGS
" Y: X' D( {" Z' M4 N! ZRestart=on-failure
! B) W- D# r" ^2 t5 ~LimitNOFILE=65536
% T3 U$ s- m/ K* B6 J- }) k4 Y
( U% [1 E3 ^1 S# u. n' `1 V[Install]
WantedBy=multi-user.target
1 C$ R9 `& e1 {8 _5 N
" u3 N2 X# ~# e6 H7 H
8 R, w( x! j3 u- z) m  S配置启动参数
vim /etc/kubernetes/controller-manager
, }" b) G# d# d* e  G
KUBE_CONTROLLER_MANAGER_ARGS="--master=https://10.211.55.10:6443   \
               --service-account-private-key-file=/etc/kubernetes/ssl/server.key  \
               --root-ca-file=/etc/kubernetes/ssl/ca.crt \
( a4 A6 ]' V* M# R2 d9 m               --kubeconfig=/etc/kubernetes/kubeconfig \
               --logtostderr=false \
5 r4 ?' e' s5 V* A; w. I3 y, y               --log-dir=/var/log/kubernetes \
8 ]8 b6 r( I* U( S' j7 d8 K               --v=2"

) Q0 K) J9 T% A7 e; G
kube-scheduler
) f2 O& Z. v$ N( j
7 @  S/ z9 l$ b! w0 c% s0 H# Skube-scheduler也依赖kubu-apiserver
/ J+ H% ?, a. A7 Y3 w% x- 编辑systemd启动文件
vim /usr/lib/systemd/system/kube-scheduler.service
! U; c% U4 D: {" D+ i/ m
, c% \7 ]5 n/ N& \6 o3 N0 u0 |: ~[Unit]
Description=Kubernetes Controller Manager
% D4 j9 [  U; H3 e% J! m- PDocumentation=https://kubernetes.io/docs/setup
After=kube-apiserver.service
Requires=kube-apiserver.service
, F+ Z, K! a* J2 B; O) \6 }$ }
[Service]
EnvironmentFile=/etc/kubernetes/scheduler
9 \& A: k" @! K% S8 L& o7 CExecStart=/usr/bin/kube-scheduler $KUBE_SCHEDULER_ARGS
5 e$ q" t( S4 f7 n3 tRestart=on-failure
3 {; Z# i' L* K& l9 i5 t5 n3 aLimitNOFILE=65536

# V8 V# G/ U6 Y( w' O[Install]
- ?4 U# E2 X' \9 Y2 l+ Y3 [, EWantedBy=multi-user.target
' c; t2 a/ n! y- U* {配置参数文件
vim /etc/kubernetes/scheduler

' q) W- G- k& x5 }; q- P* N2 R. GKUBE_SCHEDULER_ARGS="--master=https://10.211.55.10:6443 --kubeconfig=/etc/kubernetes/kubeconfig \
               --logtostderr=false \
) ~8 d. Z9 k* R; \* k) B" e% N               --log-dir=/var/log/kubernetes \
* ]( L. l3 D' y; u, M: [/ h               --v=2"

创建CA证书

注意生成证书前先同步一下服务器时间：ntpdate s2m.time.edu.cn
2 `4 j3 l! ?) ?& P创建kube-apiserver的CA证书和私钥文件
# S5 a' t; r' r/ {7 Q8 z. W% Gcd  /etc/kubernetes/ssl/
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=10.211.55.10" -days 5000 -out ca.crt
( _. M! L7 W7 kopenssl genrsa -out server.key 2048
7 C- z; O6 m* x0 G
/ ~& z. Z/ |6 E/ C; q7 R+ A创建master_ssl.cnf文件
8 b7 s  a3 v! Avim master_ssl.cnf
! q3 }9 N, C8 t6 P+ V
; E4 C( J7 x# I* z9 O- p[req]
( H) i' \9 @& Yreq_extensions = v3_req
distinguished_name = req_distinguished_name
% T0 F( w5 }( y# I" N  W; M/ M' Q[req_distinguished_name]
/ N3 s; y. ?( E[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  J" t0 E' L4 AsubjectAltName = @alt_names
4 H- Y3 p5 V4 L2 I6 {* ^5 ]- u8 h[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
5 M' x, X; `) K* QDNS.4 = kubernetes.default.svc.cluster.local
; P) P: p$ Z) h  ?$ x0 k  |- I$ \8 tDNS.5 = k8s_master
IP.1 = 192.168.2.1     # ClusterIP 地址
& V3 O+ D' _" T( Z- r5 ZIP.2 = 10.211.55.10    # master IP地址
2 F' v; q" ?; v) e* }
9 m: x$ g) y$ M

生成apiserver证书
4 ~3 R. a* q; x) k! ?1 M$ L# X# a8 \2 }openssl req -new -key server.key -subj "/CN=10.211.55.10" -config master_ssl.cnf -out server.csr

/ f) t: R6 o- r0 Xopenssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile master_ssl.cnf -out server.crt

. f0 c, D4 E4 u( }/ B5 L设置kube-controller-manager相关证书
openssl genrsa -out cs_client.key 2048
openssl req -new -key cs_client.key -subj "/CN=10.211.55.10" -out cs_client.csr
openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cs_client.crt -days 5000
. K; W' C7 V+ t0 ]: {3 Q
) s, T( V6 C$ y( H$ F3 u! a3 D创建kubeconfig文件,kube-controller-manager和kube-scheduler公用的配置文件
vim /etc/kubernetes/kubeconfig
4 }# h9 m5 M) A9 \/ |! {  o3 l/ H
  @1 d. j+ g# b4 lapiVersion: v1
kind: Config
users:
- name: controllermanager
: y4 Z3 v% {! g# H  user:
    client-certificate: /etc/kubernetes/ssl/cs_client.crt
1 j) {, [( I/ w3 E    client-key: /etc/kubernetes/ssl/cs_client.key
' o2 x/ p  Q6 p3 i7 mclusters:
! {5 ~" g* f# o- @$ G2 I- r- name: local
  cluster:
    certificate-authority: /etc/kubernetes/ssl/ca.crt
* {% j$ Z& S9 @& G  M1 e  K0 ]contexts:
* e! o1 N! K. e: `/ ]- context:
) U. B% O, k# z: |5 \( W* y( l" w    cluster: local
: V1 Q3 j4 D/ N    user: controllermanager
; B- Y! q9 X' }  y; s! V  name: my-context
current-context: my-context
, q2 L! |- S8 x# `$ F( K
启动服务

启动kube-apiserver
systemctl daemon-reload
! R5 h: o6 _4 msystemctl enable kube-apiserver
systemctl start kube-apiserver
5 Y& y7 g- B/ X% A% p0 q
: @4 y0 U( k  r5 U5 @: _启动kube-controller-manager
systemctl enable kube-controller-manager
systemctl start kube-controller-manager
: I1 h# o. U/ X7 h. I9 N! c
3 ^  {# E. D& a7 Z启动kube-scheduler
systemctl enable kube-scheduler
& f+ ?4 }4 W( @7 A2 w" Ysystemctl start kube-scheduler

& e& {7 y  Z/ E( |Node
% K! O: w7 w: _3 h' m; _( C( u1 ?
' |7 Q- b& ^7 ^! _. Z安装docker
( m  g5 E$ J$ [$ `
使用aliyun的yum源
. T: Y1 G" C* d: ~4 P9 y  ]6 pcurl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
* {; Q6 p7 @2 e! n# Acurl -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
9 c; p3 I9 K7 O: l; u3 Jyum makecache

yum安装docker工具
. M" P- U! R) {# }7 Tyum install docker-ce
systemctl start docker
6 G" I+ R: Y3 e  H& g6 v* Esystemctl enable docker

docker -v
1 z+ \2 i# v8 @7 U
安装kubelet服务
9 C& ^: I/ B0 P6 M# k
安装包下载，整理
wget https://dl.k8s.io/v1.10.4/kubernetes-node-linux-amd64.tar.gz
tar -xzvf kubernetes-node-linux-amd64.tar.gz
cd kubernetes/node/bin
cp * /usr/bin
2 r5 i% o7 D7 ^( X1 `
添加systemctl启动配置
1 Y$ T7 w% W' |7 ~vim /usr/lib/systemd/system/kubelet.service
mkdir -p /var/lib/kubelet
, X, l: X4 }1 a  r5 ?  Jmkdir -p /etc/kubernetes/
/ \5 p% G" }+ C+ Lmkdir -p /var/log/kubernetes

[Unit]
2 Y" Z$ p; d6 p6 ^& \) P' mDescription=Kubelet Service
After=docker.service
# e+ L0 P  n, C5 f7 M5 cRequires=docker.service
[Service]
WorkingDirectory=/var/lib/kubelet
7 i0 H' h( c  g) VEnvironmentFile=/etc/kubernetes/kubelet
; n1 _; I; _3 n5 |9 n% \& t1 v$ N( R- zExecStart=/usr/bin/kubelet $KUBELET_ARGS
, L' D1 m5 _0 c9 eRestart=on-failure
9 ~8 D$ N  |# B* l3 q1 {LimitNOFILE=65536
2 C3 k% [* a9 }, `* O3 ^! t
[Install]
* J$ |+ j5 o1 z  }0 ^# g# DWantedBy=multi-user.target
: w8 D7 m: {/ S' ?: |+ ~
kuberlet运行参数配置
1 n! l( y/ I5 E2 t4 y" T安装kube-proxy服务

添加systemctl启动配置
7 p1 \6 Z9 G4 ~vim /usr/lib/systemd/system/kube-proxy.service
/ }4 i  l; g/ j; ?# P0 q
) y' f! B4 |3 X[Unit]
Description=K8s kube-proxy Service
+ X" n3 {/ y' s/ LAfter=network.target
After=docker.service
( X3 Y: F" m5 [3 O' Z0 T* |( ?After=network.target
After=network.service
5 n& i# M% z1 b
- `' c1 g3 t9 s' N[Service]
EnvironmentFile=/etc/kubernetes/kube-proxy
% \4 M' h+ l6 j' F2 UExecStart=/usr/bin/kube-proxy $KUBE_PROXY_ARGS
, t& d" R1 w. |. `Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
( e9 w5 u; m4 n0 W' R  z- }/ ~
4 I, ?& L0 N# Q; [生成CA证书
* B3 c* T4 u4 |5 a* i3 Z
  K8 L: L% `! `将master节点上的kube-apiserver证书ca.crt和ca.key拷贝到Node上
使用ca.crt和ca.key生成node证书
4 c% }2 i  t& j. X' Copenssl genrsa -out kubelet_client.key 2048
0 K$ x$ o. g  \/ ?0 N: k8 Eopenssl req -new -key kubelet_client.key -subj "/CN=10.211.55.11" -out kubelet_client.csr
openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kubelet_client.crt -days 5000

) m& F* [  j" Q* Xmkdir /etc/kubernetes/ssl
  t( f; D6 A) vmv kubelet_client.* /etc/kubernetes/ssl/
mv ca.crt /etc/kubernetes/ssl/

配置kubeconfig
+ [# n9 m6 X# @* V9 g* nvim /etc/kubernetes/kubeconfig
+ ]) ]# a. A) l$ h: N8 V
' y4 h8 X, U) y8 {0 u% ]- N* xapiVersion: v1
. f( U' Y% v. V5 Hkind: Config
% x) o+ r% n. \( s' D5 Husers:
! E- q) z+ X, z3 O9 Q7 P5 d- name: kubelet
6 I2 X5 b$ Y) Z* S- h) T  user:
( A, a$ M  p: C6 I9 K. ]8 T      client-certificate: /etc/kubernetes/ssl/kubelet_client.crt
7 ?+ ^3 ?7 F8 r6 k8 G      client-key: /etc/kubernetes/ssl/kubelet_client.key
! _, J) e+ B( Y6 p7 x3 \" hclusters:
- name: local
  cluster:
      certificate-authority: /etc/kubernetes/ssl/ca.crt
7 Y$ m' o! o% v      server: https://10.211.55.10:6443
' W" I) g1 {$ g4 |/ d9 tcontexts:
! R" d0 Y! c( P: V: P- r- context:
) Z  N. k0 A3 f" G/ p: \4 ^: f* \      cluster: local
" K- ?0 b' h2 ~; D5 }      user: kubelet
( {; Z* v1 T# ?5 v  name: my-context
9 U" s/ D7 ^, @, @current-context: my-context
6 A( D, x  r  k3 W: Y
kubelet启动参数配置
, l5 v$ G7 F5 |6 F( Qvim /etc/kubernetes/kubelet

KUBELET_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig --hostname-override=10.211.55.11 --logtostderr=false --log-dir=/var/log/kubernetes --v=2 --fail-swap-on=false"
这里要注意–fail-swap-on=false或者禁用swap，我这里选择配置–fail-swap-on=false
+ [9 u+ t5 g& j* T5 J( `& {$ A设置kube-proxy启动参数
* F5 }5 |5 S: Nvim /etc/kubernetes/kube-proxy

KUBE_PROXY_ARGS="--master=https://10.211.55.10:6443 --kubeconfig=/etc/kubernetes/kubeconfig --logtostderr=false --log-dir=/var/log/kubernetes --v=2"
启动服务

, p& w6 _0 {- L; w) S systemctl daemon-reload
; r: I5 y# y& H5 l6 N systemctl start kubelet.service
+ j4 ?6 w/ f8 q% w systemctl status kubelet.service

- Y1 f; y0 F: _0 `% u$ M) D systemctl start kube-proxy
/ H+ G1 Y+ _1 Y5 n& y5 W$ r9 K* K2 X% U systemctl status kube-proxy
node 2就按照上面的步骤进行安装即可

admin

搭建私有库

私有库用于系统内部存储成品镜像，能够快速进行下载及被k8s调度。

1.下载并启动私有库
7 B9 t, o& b  ]7 i! S
' z& O* Z- i7 w+ G3 d8 U[centos-master]:docker run --name registry -v /etc/localtime:/etc/localtime -v /opt/registry:/var/lib/registry -p 5000:5000 -itd docker.io/registry
0 ^* O' V  K- F6 G. v! V
8 {; k# Y: Z& ]- D. a) o5 D* E#--name 表示启动的容器后名称，此处为registry
#-v 表示挂载路径  格式为宿主机路径:容器内路径
#-p 表示映射端口  格式为宿主机端口:容器内端口
* f1 p$ c1 ^2 l7 P  E#-itd   docker的内部参数，此处声明后台运行容器并分配一个伪终端并绑定到容器的标准输入上，后跟镜像名称此处为docker.io/registry

8 U' W  A/ ~  I2.创建一个secret服务，用于k8s调度私有库容器时的“令牌”。简单来说，secret服务就是一个存储密码的服务
# r6 g0 V- e0 C3 h# M5 h+ C
[centos-master]:kubectl create secret docker-registry registrykey --docker-server=registry.evehicle.cn --docker-username=docker --docker-password=docker --docker-email=lienhua@zhongchuangsanyou.com

[centos-master]:kubectl get secret
NAME          TYPE                      DATA      AGE
( h! {5 ^4 J4 V- xregistrykey   kubernetes.io/dockercfg   1         6s

7 o$ q+ a) P% g% r8 a" z9 R此时登录时会提示认证错误

& u. N2 |5 q7 n# ][centos-master]:docker login -u docker -p docker -e lienhua@zhongchuangsanyou.com registry.evehicle.cn
Flag --email has been deprecated, will be removed in 1.13.
Error response from daemon: login attempt to https://registry.evehicle.cn/v2/ failed with status: 401 Unauthorized
+ n2 t& P% l6 _% F- h5 K
2 J6 n$ U; y/ S" Z8 M( L# t这是因为Docker官方是推荐采用Secure Registry的工作模式的，即transport采用tls。这样我们就需要为Registry配置tls所需的key和crt文件了

3 I( [0 ]' L9 Y3 Q% P- b7 B( y" C- S3.配置nginx反向代理
[centos-master]: cat registry.evehicle.cn.conf
: C# ]- U, H* A4 s
# M! T" X+ b! y# For versions of nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary

upstream docker-registry {
) H6 R& l- d6 q! N% Q- Q9 d: ^' E. U  server 192.168.121.9:5000;
  #server 10.44.170.95:5000;
* u* K" B9 K8 L}

# uncomment if you want a 301 redirect for users attempting to connect
# on port 80
3 B1 m4 F$ t0 U, b5 d# NOTE: docker client will still fail. This is just for convenience
# server {
4 P+ B6 Z: H& \. E' C) B( y2 R#   listen *:80;
#   server_name my.docker.registry.com;
4 ]0 I& b  l) h$ }( w$ @#   return 301 https://$server_name$request_uri;
# }

& a+ y6 t& P- u( Kserver {
    listen 443;
    server_name registry.evehicle.cn;

    ssl on;
' x$ T8 ~3 Y& g4 k" x" n/ U    ssl_certificate ssl/registry.evehicle.cn.crt;
    ssl_certificate_key ssl/registry.evehicle.cn.key;
1 |, S- s/ m2 _3 t6 Z# I! _
    client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
! V/ w# G; q9 m# u. Y  A" _
; u$ ~0 w0 Y+ X1 s    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
: n9 b7 H4 w# g$ J; R    chunked_transfer_encoding on;

    location / {
        auth_basic  "Restricted";
        auth_basic_user_file  passwd;
        add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

        proxy_pass                          http://docker-registry;
8 o+ k  Q: ~/ O9 R7 I! o        proxy_set_header  Host              $http_host;   # required for docker client's sake
        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
* ], @+ H0 }: R3 m( o        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
8 W7 ]$ e( x, C+ R: y2 C0 @( ]        proxy_set_header  X-Forwarded-Proto $scheme;
' c& L" S2 i3 _6 a- t! ?        proxy_read_timeout                  900;
        }

6 B: r' I' b# U/ T& }    location /_ping {
        auth_basic off;
3 i% f2 _; ^! U' }        include               docker-registry.conf;
    }
- y& g! R! _. ?) J* @' j# U. \
    location /v1/_ping {
2 J/ n% u  \. M$ m6 N+ @        auth_basic off;
        include               docker-registry.conf;
    }
& I$ B% |7 z* L  N
    location /v2/_ping {
        auth_basic off;
        include               docker-registry.conf;
- e! R3 ]" p- x& B    }
}

将key及crt证书文件放到../ssl目录下。使用htpasswd生成密码放于./上一级目录

htpasswd -bcm passwd docker docker
" I. X' f' W7 g, G  W' u #-c：创建一个加密文件
; c1 j  K, _! b) A; B7 O7 N #-m：md5加密，默认可不填写
8 U9 y9 C$ M& R# ?1 q- r; B; i #-b：表示用户名密码在命令行中一并输入，不用分别填写
1 R6 `/ B+ r' d8 a& h
4.再次登录
% F$ j6 d& @4 n2 k; a7 q
& Q+ ?+ y8 |0 m4 h3 n2 X$ {[centos-master]:docker login -u docker -p docker -e lienhua@zhongchuangsanyou.com registry.evehicle.cn
5 W/ w- M, M  P4 K9 S1 A3 l
Login Succeeded
表示成功，此时再pull\push既在私有库中进行

% V5 c5 U8 i# d( U: z# T构建服务

docker的本意是将代码包含在容器内制作成镜像形成“产品”。但出于公司的（频繁修改代码及服务器资源受限）的特殊性，我们将代码以“外挂”的形式运行在宿主机上。下面以部署官网（apache）服务为例：
1.从docker的公有库里下载centos7的原生镜像
: l0 R0 o0 k9 [- N+ o
7 a5 r0 A5 Y/ a, A3 M) N[centos-master]:docker pull centos
5 N2 _/ _# r1 A; h/ u+ Q. N
' E  T, _- B- \0 `7 z3 ], sUsing default tag: latest
: L& u/ A" ^2 \Trying to pull repository docker.io/library/centos ...
" N  n; F* w. e# V% _' flatest: Pulling from docker.io/library/centos
d9aaf4d82f24: Downloading [>              ]   540 kB/73.39 MB
) R6 U2 S0 X- h! A  ^d9aaf4d82f24: Pulling fs layer
* A5 F: B( O4 H6 J8 CDigest: sha256:eba772bac22c86d7d6e72421b4700c3f894ab6e35475a34014ff8de74c10872e
+ X7 d; d' x3 zStatus: Downloaded newer image for centos:latest

' {! S* M% }8 o  k: `% X! I2.编写Dockerfile制造apache基础镜像

######httpd####
FROM centos
MAINTAINER lienhua lienhua@zhongchuangsanyou.com
RUN yum -y install epel-release
& r9 m( M3 ~, B; i' ]( zRUN yum -y install httpd  php php-mysql php-memcache* php-mbstring
ADD httpd.conf /etc/httpd/conf/httpd.conf

EXPOSE 80
% y% l* \7 ~$ ~7 C  }. Y6 k
CMD ["/usr/sbin/apachectl", "-D", "FOREGROUND"]

其中httpd.conf文件需要在当前目录下真实存在，此处其内容为

. e5 @2 L8 H% F/ @) U& {ServerRoot "/etc/httpd"
3 u% i. u, t+ V% ZListen 80
Listen 8080
Include conf.modules.d/*.conf
Include zcsy/*.conf
User apache
: |# ^- r& E5 r; S& ?0 p3 GGroup apache
ServerAdmin root@localhost
<Directory />
; t8 z8 v: N: P" O& H    AllowOverride none
    Require all denied
</Directory>
" b: c! N% Z9 `- z, L2 t/ qDocumentRoot "/var/www/html"
<Directory "/var/www">
    AllowOverride None
9 s7 v+ }" I$ y! }3 g' I0 `& j* u9 r    Require all granted
</Directory>
<Directory "/var/www/html">
& B2 s' \$ s5 |2 e; b/ D2 u, q    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
: C+ n, }5 M) J+ K</Directory>
5 n& E6 U; o* `% b8 e<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
<Files ".ht*">
    Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
5 X- h- o$ L% K! A' I+ B; a    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
, F4 U4 s( Y( _& s9 p/ t      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
' T7 r+ l8 e# E& }0 J    CustomLog "logs/access_log" combined
1 @  Q0 M+ f& C6 M- y7 y; i$ h</IfModule>
+ |* _% N% k& u) x<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
3 H7 |9 l, t0 \) }</IfModule>
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
* Z+ J) z7 r4 O8 f% P) o    AddType application/x-gzip .gz .tgz
* h; _8 d, W5 d) a0 f6 G' `3 n    AddType application/x-httpd-php .php
# j, ]4 f/ q; i6 h! s    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>
6 E! v& [% p3 R: a/ g; m% QAddDefaultCharset UTF-8
<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
3 V( a  `6 ^& u5 |' }4 o7 m</IfModule>
; n# @0 X! d3 qEnableSendfile off
EnableMMAP off
0 s+ }9 s: B1 g- f# W2 c( \IncludeOptional conf.d/*.conf
- o+ }- z5 Z* \" g" i7 [3 s- P
- t# `9 Y5 e, o( Z. B! n' b, A执行[centos-master]:docker build -t registry.evehicle.cn/httpd . 命令制作名为”registry.evehicle.cn/httpd”的镜像（注意此处的点必须要有，并且其意义代表当前目录下的Dockerfile文件）
7 D6 m8 z+ L" Y/ i+ q' L
3.将制作好的镜像上传到私有库

2 c' C! @3 |$ e/ L7 b2 Odocker push registry.evehicle.cn/httpd

4.编写启动apache服务的yaml文件
: v; O- J; w  ^
[centos-master]:cat 13-rc-httpd.yaml

apiVersion: v1
% I2 B( r% G  x0 M8 N$ Y" |$ Tkind: ReplicationController
metadata:
/ g0 K' d) q0 `* L4 L2 Y4 l9 B# S  name: 13-rc-httpd
0 K' G  Y7 T0 l1 r  labels:
    name: 13-rc-httpd
spec:
: e  B; _/ H% B/ }, V  replicas: 2
+ q7 N& j, T* x4 q$ G8 B* L  selector:
6 L1 i* ]8 N! k9 V' h8 V    name: 13-rc-httpd
  template:
  m/ |9 I  R/ D' ~: [    metadata:
3 z! l* E4 ~0 O1 O0 `      labels:
' L6 x" t+ H) \        name: 13-rc-httpd
    spec:
, v+ N/ R  `& Z; k% J3 o      containers:
      - name: 13-rc-httpd
        image: registry.evehicle.cn/httpd
        env:
        - name: LANG
          value: en_US.UTF-8
        ports:
: G$ K1 \+ v( H4 k) Y        - containerPort: 80
          hostPort: 80
  R& C' ?0 A4 Z, q2 n9 w" m- O9 c# A        volumeMounts:
( E" N8 R/ y9 Z6 Z6 m        - name: time
          mountPath: /etc/localtime
/ y9 C* i7 \$ L" g/ O        - name: zcsy
/ f$ [7 ]' a+ A6 n          mountPath: /etc/httpd/zcsy
% J: K$ E; Y0 b/ _7 k% z; u, C        - name: deploy
0 F* x( A0 b! h1 j5 f          mountPath: /docker/httpd/deploy
% B7 T9 E+ N  n. }7 a        - name: log
6 ?+ L2 L7 |$ y- q: ~0 t; I          mountPath: /var/log/httpd
      volumes:
* T* E- ^: W( d3 }9 Q2 P        - name: time
          hostPath:
            path: /etc/localtime
        - name: zcsy
          hostPath:
            path: /docker/httpd/zcsy
        - name: deploy
- V) \% _8 o" ?# a' w          hostPath:
            path: /docker/httpd/deploy
        - name: log
          hostPath:
8 ~/ p7 K, N* y/ V/ N8 V( k            path: /docker/httpd/log
2 g3 q* r/ U2 z) F* L" i3 G) z- [      nodeSelector:
        slave: "13"
3 G7 N1 Q; D. A3 I- o      imagePullSecrets:
4 z7 A" Q6 J; p1 p      - name: registrykey

" d0 c. ^* c2 |' g- g1 z9 K4 t0 G9 |5.给其中一个node加上标签为“13”
% h5 p. d! g3 ?9 T8 M
kubectl label nodes centos-minion-1 slave=13

- k& [$ W; P6 j0 g6.此时拥有标签“13”的nodes应具备的条件
' ]+ i9 ?8 A) n* R" g
9 l7 X: ^5 @7 _/docker/httpd/zcsy下需要有官网的配置文件
' i/ w" H- X; R; i  H* o/ P
; E6 v' z% Q1 x<VirtualHost *:80>
   ServerName www.evehicle.cn
  DocumentRoot /var/deploy/wordpress/
        RewriteEngine on
7 a( z: Y2 w0 Y% F9 ~        RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-d
" ~+ ]: j" ?3 h! W        RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
; `; ]5 P/ X2 E% Z        RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !^.*\.(ico|pdf|flv|jpe?g|js|gif|png|html|shtml|zip|xml|gz|rar|swf|txt|apk|bmp|css|m4a|ogg|mp3|ipa|plist)$
        RewriteCond %{REQUEST_URI} !^/server-status$
        RewriteRule . /index.php [QSA,PT,L]
4 t2 Y+ a% K& _) R' N
; N/ n" f! T, w% s# V2 @. L</VirtualHost>
<Directory /var/deploy/wordpress/>
    Options FollowSymLinks
7 u( l& `+ L) M8 I- g    AllowOverride All
3 c( y+ X1 j. |3 S- Y9 w    Require all granted
</Directory>

以及/docker/httpd/deploy下需要有官网的代码

! O  p( k- F* J; n7.运行yaml文件启动容器
! P( H7 m0 x0 v) w9 ^
[centos-master]: kuberctl create -f 13-rc-httpd.yaml

8.查看服务

[centos-master]: kuberctl get rc
' U- e8 Y$ B9 C2 ]/ T1 c# _1 E! h
0 B, y9 ^% W0 L" z/ Q  dNAME                 DESIRED   CURRENT   AGE
13-rc-httpd          2         2         168d

5 {" T  j. o, z8 k) E) a- a9.程序中涉及的mysql\redis\memcache等服务也需使用容器运行起来
, X% a+ \9 a+ ?/ J2 Z! I3 P; T9 _0 @2 k
[centos-master]: docker pull redis
[centos-master]: docker tag registry.evehicle.cn/redis redis
[centos-master]: docker push registry.evehicle.cn/redis
[centos-master]: kubectl create -f rc-redis.yaml
- o- a& G/ b: q( G  G2 f[centos-master]: cat rc-redis.yaml

apiVersion: v1
kind: ReplicationController
8 m+ i5 x+ f+ l9 R/ ametadata:
6 i) O. C( {: Q# c! y  name: redis
, a% c/ [" K, q, T  labels:
5 L- T- C& O2 W- k* R% t    name: redis
: S8 l  `) B* G1 D# Bspec:
& n5 T! \! D$ B. v- M2 U( }  replicas: 2
/ R: O9 t( S) Y# c8 P% a3 H  selector:
; P! {9 s$ ?+ O9 I/ z    name: redis
; J' ^% J) B0 A9 v2 w  template:
0 k5 B! S) n+ @% J* D    metadata:
" ^* q# Y. n( _' S( a      labels:
6 u' q4 ~& H1 z* l. ?        name: redis
/ v) n" D, d7 l    spec:
% ]% H. [. ~) Q) a* F      containers:
8 D) T3 f% ]5 T7 Q6 a# i: U/ N* }      - name: redis
        image: registry.evehicle.cn/redis
        ports:
+ y" k0 M# n9 f( g        - containerPort: 6379
          hostPort: 6379
% V1 G) r! \/ Z        volumeMounts:
# c  b* X, I: C* g( |$ N        - name: data
          mountPath: /data
        - name: time
+ |$ B3 {# L9 _' R1 P' k" |. z- E          mountPath: /etc/localtime
+ N9 `0 |) g; Q2 x( I( `      volumes:
3 x& b. f4 ]5 m9 W        - name: data
          hostPath:
- {- }+ \8 }, Z7 j* \            path: /docker/redis/6379
        - name: time
          hostPath:
( z2 W& Q8 f& {7 L            path: /etc/localtime
" E% y8 R5 `, N) F% e/ v      nodeSelector:
        slave: "13"
      imagePullSecrets:
9 r2 x8 W) S( W      - name: registrykey
; t0 w$ I1 t/ \* m. T* ~9 X
% M) _; K2 V( [启动memcache
( _; h  [  Z$ c5 ^; x2 O[centos-master]: docker pull memcache
* ~7 W* f: y: |. i' V% t, H. U[centos-master]: docker tag registry.evehicle.cn/memcached memcache
- W! X- |  }$ `& G4 E[centos-master]: docker push registry.evehicle.cn/memcached
[centos-master]: kubectl create -f rc-memcached.yaml
[centos-master]: cat rc-memcached.yaml

3 z+ F5 o( ~9 W5 KapiVersion: v1
$ v1 G+ v. c6 m2 P) H- H! [6 y3 ekind: ReplicationController
  t; p, Z4 l. |metadata:
5 O; d  U0 }4 [" ~  name: memcached
$ G, C" L6 ]  E5 }: C* F  labels:
2 Z. ~2 V) }: R+ u+ x5 S    name: memcached
% q" w& |6 o+ G0 r3 pspec:
; W" o$ Y- ?0 G6 o/ _  replicas: 3
  selector:
    name: memcached
  template:
" V. i1 @; U/ l9 x& e& b7 L3 U2 a    metadata:
% ~8 [/ o: k+ Y: x- y      labels:
        name: memcached
    spec:
( y; A! q) c5 c) P$ p2 f      containers:
      - name: memcached
        image: registry.evehicle.cn/memcached
        ports:
        - containerPort: 11211
          hostPort: 11211
      #nodeSelector:
      #  slave: "13"
+ v" W% I7 Z  H8 c( l8 I      imagePullSecrets:
      - name: registrykey

制造mysql镜像
[centos-master]: cat Dockerfile
/ \% }/ x) O  _9 R
5 q2 N  [( \6 KFROM alpine
% P- y3 I& z5 P3 i+ X4 o: w5 q& ~
# H# o, h( H: M- L3 z) S
2 X$ v; V% A! {; B0 ?7 \0 p3 i9 FCOPY startup.sh /startup.sh
RUN addgroup mysql && \
, b" w: \7 p$ O& D1 f    adduser -H -D -s /bin/false -G mysql mysql && \
: b& ^# c$ M! [+ J/ e    apk add --update mysql mysql-client && rm -f /var/cache/apk/* && \
% I3 e1 r! M3 x    mkdir /data && \
: o1 b8 h% k2 d% x    chown -R mysql:mysql /data /etc/mysql && \
    chmod 755 /startup.sh \
# v& h# R! L3 A. L+ |( l    ;


WORKDIR /data
. I$ O' k, {+ x4 o5 V1 `& mVOLUME /data
1 |3 U% L! P0 LVOLUME /etc/mysql

( Y' ]$ S$ G1 ]8 Y
EXPOSE 3306
CMD ["/startup.sh"]
7 _  v0 i( n8 M2 T. s6 G0 ~. J
启动mysql（建议mysql在宿主机启动）
[centos-master]: docker build -t registry.evehicle.cn/mysql
7 U$ I' L8 }) ]6 t% e[centos-master]: docker push registry.evehicle.cn/mysql
6 W3 l  ^- O" o1 t* @[centos-master]: kubectl create -f rc-mysql.yaml
[centos-master]: cat rc-mysql.yaml
( A4 ^) Q& A; Q  P1 Q
apiVersion: v1
kind: ReplicationController
+ W. L( D3 ?+ Ometadata:
  name: 13-rc-mysql
  L0 o4 t! O$ g- Y4 @1 _4 c" t# i. I  labels:
0 m, Q# j. n5 Z1 i- |5 ^9 ^4 D6 r    name: 13-rc-mysql
( J( c& R: @, Dspec:
  replicas: 2
- Y  \6 `& r( Q3 T- |1 e. v  selector:
    name: 13-rc-mysql
  template:
    metadata:
4 T  d' a# J- U2 I) e) \6 c9 ]      labels:
        name: 13-rc-mysql
    spec:
      containers:
  U6 U7 C- [: S. Z7 o0 q      - name: 13-rc-mysql
( K& X( R' @* W% Q# j/ o        image: registry.evehicle.cn/mysql
% }, p) I% F& Q/ e- v5 F5 r        env:
  D/ t9 u) A1 W( w4 g/ g3 }' Z/ r        - name: MYSQL_DATABASE
8 H5 o( N; ]7 M1 t& B  m+ A, Z          value: admin
6 o4 o8 ?1 F+ u4 j7 k        - name: MYSQL_USER
. `7 E2 ?) F* |' y5 L" p. [          value: tony
        - name: MYSQL_PASSWORD
          value: 456
6 U+ n9 h2 E! _! q8 v! b        - name: MYSQL_ROOT_PASSWORD
( G; n+ Z9 I. o0 X9 r4 x          value: 123
, r3 h2 f' d. E  W9 F6 j9 w        ports:
  C8 a/ s7 I: O4 n# V8 S        - containerPort: 3306
% _4 k) S5 d( g% Y9 Q6 M$ s          hostPort: 3306
& n7 E1 q. i# t) p        volumeMounts:
        - name: time
- K7 z" {8 C- m9 w% ~' O; ]          mountPath: /etc/localtime
        - name: data
          mountPath: /data
        - name: etc
          mountPath: /etc/mysql
! a- y3 j1 |* V" ~- J        - name: run
' j$ h, \# o4 }          mountPath: /run/mysqld
0 H7 w. L# M9 w7 k      volumes:
9 O$ V+ w0 |% F3 P2 T5 X        - name: time
          hostPath:
" ?- X7 n4 P" O- m( U: w# K            path: /etc/localtime
        - name: data
, h% i# R0 Y) u7 i8 i! S          hostPath:
            path: /docker/mysql/data
        - name: etc
, S! ^, B/ B: F0 V          hostPath:
* k: p9 Y" L; K4 t0 Y            path: /docker/mysql/etc
8 f3 U. S" \, F. j5 \        - name: run
' N  l9 ~5 h9 ^4 l          hostPath:
            path: /docker/mysql/run
- t" F- M+ P" w0 D$ g8 }      nodeSelector:
2 b* \& T1 ?# C# W6 A1 c( Y% O        slave: "13"
      imagePullSecrets:
3 D9 Q: M, {, ]      - name: registrykey

为方便代码编写及统一管理，应提前做好内部DNS解析。将所负责的应用规整到对应的机器上。

admin

kubectl config set-cluster default-cluster --server=http://192.168.121.9:8080
5 u4 g( U( F& W4 n1 I) c9 ~  W. Ykubectl config set-context default-context --cluster=default-cluster --user=default-admin
kubectl config use-context default-context

admin

搭建私有库
; P+ P0 Z' ~. _8 l- |2 T  ^0 H  i
私有库用于系统内部存储成品镜像，能够快速进行下载及被k8s调度。

1.下载并启动私有库
/ Y7 u0 Y$ q3 ^4 g& E
[centos-master]:docker run --name registry -v /etc/localtime:/etc/localtime -v /opt/registry:/var/lib/registry -p 5000:5000 -itd docker.io/registry

6 g: b1 v' N0 s4 K* {  U#--name 表示启动的容器后名称，此处为registry
#-v 表示挂载路径  格式为宿主机路径:容器内路径
& ?: L) K) y! X5 ~8 C2 I#-p 表示映射端口  格式为宿主机端口:容器内端口
#-itd   docker的内部参数，此处声明后台运行容器并分配一个伪终端并绑定到容器的标准输入上，后跟镜像名称此处为docker.io/registry

0 i1 w; N, J5 U, r2.创建一个secret服务，用于k8s调度私有库容器时的“令牌”。简单来说，secret服务就是一个存储密码的服务

[centos-master]:kubectl create secret docker-registry registrykey --docker-server=registry.evehicle.cn --docker-username=docker --docker-password=docker --docker-email=lienhua@zhongchuangsanyou.com

& I# L6 o4 [9 {) p) ?[centos-master]:kubectl get secret
NAME          TYPE                      DATA      AGE
0 S- k: [# r; Nregistrykey   kubernetes.io/dockercfg   1         6s
1 P" C- a1 m1 o0 `8 L
此时登录时会提示认证错误
" b8 V0 M& n! J; d7 x
[centos-master]:docker login -u docker -p docker -e lienhua@zhongchuangsanyou.com registry.evehicle.cn
& a" s9 Q/ q  XFlag --email has been deprecated, will be removed in 1.13.
Error response from daemon: login attempt to https://registry.evehicle.cn/v2/ failed with status: 401 Unauthorized
, l2 L  L. G2 Y" C- a* m8 y/ L) Q; g
5 [( A/ e9 `+ G& Q9 V' W- s( l这是因为Docker官方是推荐采用Secure Registry的工作模式的，即transport采用tls。这样我们就需要为Registry配置tls所需的key和crt文件了
$ n0 o/ j6 ~* |& }0 P* ^
$ G0 U1 k/ x$ g. @, R2 c% G! ~3.配置nginx反向代理
6 m0 t% I  E6 C; b[centos-master]: cat registry.evehicle.cn.conf

# For versions of nginx > 1.3.9 that include chunked transfer encoding support
8 f/ m6 G9 L7 B/ }8 I# Replace with appropriate values where necessary

; w- B0 a6 {* p( V7 ~upstream docker-registry {
  server 192.168.121.9:5000;
  #server 10.44.170.95:5000;
}
7 G- c( P7 T5 ?4 S, y
# uncomment if you want a 301 redirect for users attempting to connect
( K& y8 L' Y! C; y0 B8 v# on port 80
4 y& L4 c# V5 x4 m1 [# NOTE: docker client will still fail. This is just for convenience
4 b2 U, x9 T7 ~8 C# server {
( u; e1 J) P2 ?8 V#   listen *:80;
#   server_name my.docker.registry.com;
% Q) N, S2 `# j  I+ z2 M#   return 301 https://$server_name$request_uri;
: ?6 v8 d5 y( D# U9 @% J# }

server {
- H! z& B# K' v0 F/ O    listen 443;
    server_name registry.evehicle.cn;
+ f4 i# Z& \% A) ]% n
    ssl on;
    ssl_certificate ssl/registry.evehicle.cn.crt;
    ssl_certificate_key ssl/registry.evehicle.cn.key;

    client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;
2 l, C& j2 f7 L1 y" z# H
    location / {
        auth_basic  "Restricted";
; |& I1 a) \2 I) [8 D. m* g+ C        auth_basic_user_file  passwd;
        add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

        proxy_pass                          http://docker-registry;
        proxy_set_header  Host              $http_host;   # required for docker client's sake
+ U& D9 C1 i/ r, A8 E% \        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
4 Y! ]' I( w/ F& A" _: u8 ^" l        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
5 j5 K5 s% a, v        proxy_read_timeout                  900;
        }

1 h* J* {' O! D6 _6 |    location /_ping {
1 n2 p4 c; f* y' T: a# c6 U        auth_basic off;
        include               docker-registry.conf;
    }

; I2 b+ M9 }* C( `    location /v1/_ping {
6 \. [+ W& F( H/ G8 F  Z- o        auth_basic off;
        include               docker-registry.conf;
% b) {6 ]3 G% `0 W8 B    }
2 x) w7 Q" O4 p+ |0 I# E
( `  f5 q( i1 R    location /v2/_ping {
        auth_basic off;
        include               docker-registry.conf;
    }
. c* `3 Y* x; x: A( J}

将key及crt证书文件放到../ssl目录下。使用htpasswd生成密码放于./上一级目录

htpasswd -bcm passwd docker docker
2 j& Y7 F! I5 a/ c/ I #-c：创建一个加密文件
#-m：md5加密，默认可不填写
#-b：表示用户名密码在命令行中一并输入，不用分别填写

* x. w3 v* p+ W/ e- `% \4 W" Q4.再次登录

[centos-master]:docker login -u docker -p docker -e lienhua@zhongchuangsanyou.com registry.evehicle.cn

8 w- P3 y+ H& Z0 m0 }9 MLogin Succeeded
表示成功，此时再pull\push既在私有库中进行