k8s学习二：k8s编译安装集群搭建——单master多node简易部署

admin

服务器环境
9 [" ]# ~; U/ q+ v9 n
' F4 T  K, v: }2 H6 h/ |& lcentos7.5
. `+ h3 q8 m2 lmac装的pd虚拟机
  {9 P* ~& F, {$ s# A, K: T5 i作用        IP        部署服务        配置
- [: a7 D. X  r. bmaster        10.211.55.10        etcd、kube-apiserver、kube-controller-manager、kube-scheduler        2C、2G
- m& Z# i4 b2 R- rnode1        10.211.55.11        docker 、kubelet、kube-proxy        2C、2G
* `. T- c# ^* H# e* y2 m. A! _node2        10.211.55.12        docker 、kubelet、kube-proxy        2C、2G
- 计划采用二进制包进行部署：

所需二进制包下载地址：
/ B, V* j. ?4 O6 k8 S1.https://dl.k8s.io/v1.10.4/kubernetes-server-linux-amd64.tar.gz
, q1 H1 b" G/ L$ a. N2.https://dl.k8s.io/v1.10.4/kubernetes-node-linux-amd64.tar.gz
3.https://github.com/coreos/etcd/r ... -linux-amd64.tar.gz
注意所有服务器都需要关闭防火墙
Master部署
* p- u, o3 }7 d5 ^
/ _9 a7 D6 o" G( y二进制安装基本都是以下几个步骤：
$ T% b: e3 H+ _# I8 S. @/ x) r1、复制对应的二进制文件到/usr/bin目录下
2、创建systemd service启动服务文件
3、创建service中对应的配置参数文件
9 {1 |, {6 g' U6 v4、将该应用加入到开机自启
5、启动服务并查看服务状态
etcd部署

& `  h* \3 u5 w) f下载二进制安装包并安装：
8 j4 Z0 x) J  w3 b) x, Kwget https://github.com/coreos/etcd/r ... -linux-amd64.tar.gz
cd etcd-v3.2.22-linux-amd64/
/ K/ h/ F2 |: O2 _( B% _cp etcd /usr/bin/
cp etcdctl /usr/bin/
mkdir /var/lib/etcd
mkdir /etc/etcd

7 `' n; ~- `+ c编辑systemd管理文件
vim /usr/lib/systemd/system/etcd.service
2 [  t: r8 R$ R# t) z" b& x
# {* s. Z7 S$ c[Unit]
Description=Etcd Server
After=network.target

$ @9 k6 O1 [9 M3 T! v! _( O[Service]
3 X* Z9 L2 \/ FType=simple
$ Z8 E# e  s5 BWorkingDirectory=/var/lib/etcd/
EnvironmentFile=-/etc/etcd/etcd.conf
ExecStart=/usr/bin/etcd
0 V; ?5 w" U9 E3 S. ?, Y( O" W
9 X- l4 w) a1 |" Q6 N[Install]
/ A% i6 ]4 ^) u  NWantedBy=multi-user.target
* o4 A& e1 u( R' Q
& r# o) ?4 @6 R: g" Y8 V/ z7 P
: q% f- X: X4 j0 c/ V6 S% D+ n( C' f启动服务,并设置开机启动
6 `% [! A9 }' D0 |% h; i% vsystemctl daemon-reload
systemctl start etcd
systemctl enable etcd
7 n9 s8 T/ V  G. B9 E
查看服务状态的三种命令
systemctl status etcd.service

curl -L http://127.0.0.1:2379/version

etcdctl cluster-health
2 L2 ?) h& \; E" p! ]9 e, w6 c- ~
# a7 ?5 m( S: ?. Q2 [这个安装的还挺顺利，很快就ok了。继续。。。。
. X& r0 p& m1 d* m5 W; q- {! akube-apiserver

6 b1 A" u: b8 H下载并安装
  m4 I9 l9 i7 P# J, f: N. y, w3 Uwget https://dl.k8s.io/v1.10.4/kubernetes-server-linux-amd64.tar.gz
2 R  q. v6 S2 M9 Rtar -xzvf kubernetes-server-linux-amd64.tar.gz  
cd kubernetes/server/bin
) S! ~3 \6 v9 [+ P6 {! s) L1 Tcp kube-apiserver /usr/bin/
3 v* W+ g, r! h+ R5 ?2 I
# 一起拷贝吧，后面就直接配置了
cp kube-controller-manager /usr/bin/
cp kube-scheduler /usr/bin/


编辑systemd的启动文件
; n6 V7 @$ N0 W7 `  K: G: Vvim /usr/lib/systemd/system/kube-apiserver.service
( I1 z' d' e, r7 g+ }! a
+ J' V* d$ Y: {- z2 b- W[Unit]
Description=Kubernetes API Server
" t7 H5 |  [. ~, }9 `Documentation=https://kubernetes.io/docs/concepts/overview
# b3 s) \# _/ s* lAfter=network.target
. {! I# E0 o" M$ {5 d, CAfter=etcd.service
' i6 g! s  p. Q4 M5 ~
/ N8 ]- H% \% o$ {9 [* w[Service]
EnvironmentFile=/etc/kubernetes/apiserver
ExecStart=/usr/bin/kube-apiserver $KUBE_API_ARGS
Restart=on-failure
9 l6 i( G9 m% d& a; y4 k: ?5 b( n0 gType=notify
) _' d' e+ z- u6 j7 P: GLimitNOFILE=65536
# r; a4 r$ u2 U9 L* U
! E% a" g9 o% i) y: @[Install]
WantedBy=multi-user.target
) J# y2 U- h/ p. N
7 o- N% D( o6 S, S8 }/ P
) I- B" y# F& s& }& c
配置参数文件
9 r/ E/ Q! A: s: E1 b  U8 [mkdir /etc/kubernetes/
* }9 f$ ^( K2 w$ M3 @  c. {5 Vvim /etc/kubernetes/apiserver
' G- h# U$ x) `: d. R; X9 d
. \/ ^3 r) }0 ~7 }' a4 E5 xKUBE_API_ARGS="--storage-backend=etcd3 \
               --etcd-servers=http://127.0.0.1:2379 \
               --bind-address=0.0.0.0 \
               --secure-port=6443  \
               --service-cluster-ip-range=192.168.2.0/16  \
               --service-node-port-range=1-65535 \
7 b& y  m: ]7 G* p0 P9 F               --client-ca-file=/etc/kubernetes/ssl/ca.crt \
               --tls-private-key-file=/etc/kubernetes/ssl/server.key  \
               --tls-cert-file=/etc/kubernetes/ssl/server.crt  \
% e5 `/ s* e8 k( v/ w6 U5 q' y1 E               --enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota \
               --logtostderr=false \
               --log-dir=/var/log/kubernetes \
               --v=2"


& j! z5 T. {9 o8 |' f# h; p  Aservice-cluster-ip-range是servcies的虚拟IP的IP范围，这里可以自己定义，不能当前的宿主机网段重叠。
bind-addres 指定的apiserver监听地址，对应的监听端口是6443，使用的https的方式。(0.0.0.0 表示绑定所有地址)
client-ca-file 这是认证的相关文件，这预先定义，后面会创建证书文件，并放置到对应的路径。
创建日志目录和证书目录
mkdir -p /etc/kubernetes/ssl
mkdir -p /var/log/kubernete

# d7 V7 w* Q% H% K4 N3 akube-controller-manager
" G( z% Z9 P% R) Q2 \
kube-controller-manager 依赖 kube-apiserver服务
$ |$ B6 T& P" f4 G编辑systemd启动文件
7 E; k9 E& |' C( i* M) Kvim /usr/lib/systemd/system/kube-controller-manager.service

) ~/ y6 [0 K0 W- [0 l  P7 X& A[Unit]
Description=Kubernetes Controller Manager
4 r* y, J  b' `. n3 _4 `Documentation=https://kubernetes.io/docs/setup
After=kube-apiserver.service
0 W4 o6 y4 J0 P) [Requires=kube-apiserver.service

% r+ Q8 x4 w# V& [* X9 }, U[Service]
6 P# _3 @8 c4 Y, Q$ XEnvironmentFile=/etc/kubernetes/controller-manager
ExecStart=/usr/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
7 \% ]- o0 L+ c$ G: rWantedBy=multi-user.target
( n& \  n! J- j2 M6 t2 T) l

. D/ N" ~3 E# f/ g4 J/ l配置启动参数
, c; h! U! y3 d/ ]3 p4 N) Dvim /etc/kubernetes/controller-manager
; t) z; O9 ]+ h: N7 `; v
KUBE_CONTROLLER_MANAGER_ARGS="--master=https://10.211.55.10:6443   \
3 Q$ Y. o+ {. ~9 j( O) ~               --service-account-private-key-file=/etc/kubernetes/ssl/server.key  \
               --root-ca-file=/etc/kubernetes/ssl/ca.crt \
' ]9 C( R+ W, |               --kubeconfig=/etc/kubernetes/kubeconfig \
               --logtostderr=false \
' U# d9 |; E8 l5 i               --log-dir=/var/log/kubernetes \
               --v=2"


( c$ R* q9 t* ^' d2 xkube-scheduler
3 |1 m; }( O8 g- Q9 }: ?% t  N' V
7 E3 f9 p8 K- F* Tkube-scheduler也依赖kubu-apiserver
- 编辑systemd启动文件
vim /usr/lib/systemd/system/kube-scheduler.service

7 S; l& U$ t+ t2 M+ j[Unit]
Description=Kubernetes Controller Manager
Documentation=https://kubernetes.io/docs/setup
After=kube-apiserver.service
% D' p/ ~' P" @5 H2 z" Y5 PRequires=kube-apiserver.service

[Service]
EnvironmentFile=/etc/kubernetes/scheduler
3 x! I6 O/ `8 R$ Z- C/ g/ G- w- m9 DExecStart=/usr/bin/kube-scheduler $KUBE_SCHEDULER_ARGS
Restart=on-failure
0 b+ B" V/ W- _3 v# ILimitNOFILE=65536
  L. W8 T* P% `( y0 \8 l/ |
[Install]
  |* V2 c7 ?6 B( V5 V. u! D+ xWantedBy=multi-user.target
配置参数文件
vim /etc/kubernetes/scheduler

% o0 e* z/ J$ _) e$ P4 r& J' sKUBE_SCHEDULER_ARGS="--master=https://10.211.55.10:6443 --kubeconfig=/etc/kubernetes/kubeconfig \
, z# W0 @2 u; b3 G0 W! l0 j               --logtostderr=false \
" y3 E( G7 \6 _/ B8 c               --log-dir=/var/log/kubernetes \
               --v=2"

$ J, R) N! r7 U! U* n4 \* H0 ?- V创建CA证书
# q3 I- ]- h" J6 A- n
注意生成证书前先同步一下服务器时间：ntpdate s2m.time.edu.cn
  a6 ~, B& B5 ~0 L2 b4 T0 s4 s创建kube-apiserver的CA证书和私钥文件
cd  /etc/kubernetes/ssl/
0 q& r5 d: c% w; L# r, l/ B+ fopenssl genrsa -out ca.key 2048
# L. `6 L6 ~3 V5 B0 y$ U7 Xopenssl req -x509 -new -nodes -key ca.key -subj "/CN=10.211.55.10" -days 5000 -out ca.crt
openssl genrsa -out server.key 2048

3 h& _6 a7 ^7 T; f创建master_ssl.cnf文件
vim master_ssl.cnf

# b! o. h1 N8 `0 Z" R5 Y* s. s1 _[req]
req_extensions = v3_req
2 Q% o# W' Z! d3 s& n  jdistinguished_name = req_distinguished_name
[req_distinguished_name]
# _. }" e; f4 Q3 V7 T( @* G[ v3_req ]
  D" w8 w: ~4 Q  u/ n$ hbasicConstraints = CA:FALSE
1 v2 I( @# s7 \3 O2 e6 g9 ZkeyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
$ ]5 Y8 A/ j0 s( n[alt_names]
DNS.1 = kubernetes
- R1 X- s+ T4 j8 t# |DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
. w+ Z9 L+ |. y. aDNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = k8s_master
1 f9 {* `+ r$ Y3 F( a3 k" kIP.1 = 192.168.2.1     # ClusterIP 地址
IP.2 = 10.211.55.10    # master IP地址
+ W' J9 e) D1 _7 o( C# m/ _
- E& ^  ]/ U2 {' n( \
& y) @3 N5 E# y0 i/ @
生成apiserver证书
0 a4 w$ l3 j$ u% iopenssl req -new -key server.key -subj "/CN=10.211.55.10" -config master_ssl.cnf -out server.csr
5 D7 I+ Q. j5 t
$ d+ ~2 H7 g8 e0 D# N/ @openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile master_ssl.cnf -out server.crt
* a: l2 i6 ?' Q& a4 A$ d/ T% w
设置kube-controller-manager相关证书
openssl genrsa -out cs_client.key 2048
openssl req -new -key cs_client.key -subj "/CN=10.211.55.10" -out cs_client.csr
openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cs_client.crt -days 5000

创建kubeconfig文件,kube-controller-manager和kube-scheduler公用的配置文件
vim /etc/kubernetes/kubeconfig
$ E+ Z/ [- r: h$ x
8 T! H: o5 a& zapiVersion: v1
% d" p! I6 H* h0 f* I. gkind: Config
users:
0 Q/ d1 R- e. c. S5 r9 F- name: controllermanager
" s. w8 K7 ?/ w8 c$ w3 f  user:
    client-certificate: /etc/kubernetes/ssl/cs_client.crt
    client-key: /etc/kubernetes/ssl/cs_client.key
1 d  L3 Z/ g' H* O7 K# lclusters:
  O  h7 \+ k8 D- name: local
  cluster:
    certificate-authority: /etc/kubernetes/ssl/ca.crt
0 J) X, T7 ^1 x4 Acontexts:
- context:
9 g1 n* }& t+ a- y$ v    cluster: local
5 ~; I" B% _$ B$ T' B; f& c3 j    user: controllermanager
  name: my-context
current-context: my-context
( }, W# j8 D1 U
启动服务

启动kube-apiserver
systemctl daemon-reload
systemctl enable kube-apiserver
- t( x0 m5 [5 d# dsystemctl start kube-apiserver
# D3 ]$ ~  p: H8 {
启动kube-controller-manager
systemctl enable kube-controller-manager
0 \7 M9 w* Z/ I3 n+ T1 ssystemctl start kube-controller-manager
3 B/ l( n0 m0 S6 o7 A/ p: D+ R8 [
启动kube-scheduler
systemctl enable kube-scheduler
systemctl start kube-scheduler
1 J9 ~0 R8 N  j9 I7 W
Node

0 |$ k4 Q' [( {+ v安装docker
; Z7 M% n8 I0 Z  z  i6 k6 g. X
使用aliyun的yum源
. Z: w2 h# s9 z# I1 Ycurl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
' X# M- k6 R* w5 [curl -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
6 Q) A( E3 B0 v) Q& lyum makecache
$ R- R0 J3 N3 F3 f9 s3 F
2 |# |( b9 X; Oyum安装docker工具
yum install docker-ce
systemctl start docker
systemctl enable docker

+ F2 R/ E7 u$ z  G* s0 ^4 P; E+ g* Cdocker -v

0 s. u0 \: I5 s0 F安装kubelet服务

安装包下载，整理
wget https://dl.k8s.io/v1.10.4/kubernetes-node-linux-amd64.tar.gz
* e3 j9 @1 ?7 C4 J, x. Y  ]/ z7 x! Rtar -xzvf kubernetes-node-linux-amd64.tar.gz
* R) z5 P+ |. z( `; bcd kubernetes/node/bin
cp * /usr/bin
! m9 ~8 o) D/ Q$ v- R. T8 f
添加systemctl启动配置
vim /usr/lib/systemd/system/kubelet.service
mkdir -p /var/lib/kubelet
mkdir -p /etc/kubernetes/
: p0 E; P/ P% G7 [6 jmkdir -p /var/log/kubernetes

[Unit]
Description=Kubelet Service
0 x' e# _$ |' O3 U7 F, BAfter=docker.service
Requires=docker.service
[Service]
( }7 i# T0 ^& JWorkingDirectory=/var/lib/kubelet
EnvironmentFile=/etc/kubernetes/kubelet
+ N# o. M4 t5 P* Q0 KExecStart=/usr/bin/kubelet $KUBELET_ARGS
6 ^5 {5 L( V) V& PRestart=on-failure
, R4 i% V0 I, A) \3 O- oLimitNOFILE=65536
4 o- N9 @; G8 L+ X) o* ~
[Install]
WantedBy=multi-user.target

1 l4 ]. f" Y  j8 O' C. a6 H$ x/ ?7 ukuberlet运行参数配置
安装kube-proxy服务

9 R$ A, N3 F$ ?" H添加systemctl启动配置
vim /usr/lib/systemd/system/kube-proxy.service
7 t' W2 x) d% j  N
( X& B! p% i; d9 C; Y[Unit]
Description=K8s kube-proxy Service
After=network.target
After=docker.service
$ r: y# E5 e5 [9 F" ?  F7 DAfter=network.target
After=network.service

& e1 H3 c1 R- p9 e, r9 E/ o[Service]
EnvironmentFile=/etc/kubernetes/kube-proxy
6 q6 m9 W2 l) e" p" [1 }' B4 W' _ExecStart=/usr/bin/kube-proxy $KUBE_PROXY_ARGS
Restart=on-failure
LimitNOFILE=65536
) T7 P( u0 W; O* n' W0 }
) `# j  g3 P+ i8 O[Install]
. l5 l) [! ^/ W! V0 ?- a; F6 }8 zWantedBy=multi-user.target
# o' m& X& j  s+ }
生成CA证书
+ \& p& g: F+ t8 t$ I
" B* w2 `6 N3 H# P4 a5 P将master节点上的kube-apiserver证书ca.crt和ca.key拷贝到Node上
( C* A$ U7 o* _  B: H使用ca.crt和ca.key生成node证书
openssl genrsa -out kubelet_client.key 2048
openssl req -new -key kubelet_client.key -subj "/CN=10.211.55.11" -out kubelet_client.csr
openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kubelet_client.crt -days 5000
% o4 ~  e, G6 U8 V1 w0 c& S; f
mkdir /etc/kubernetes/ssl
mv kubelet_client.* /etc/kubernetes/ssl/
2 E9 [9 l# X' @5 D7 Q1 T2 omv ca.crt /etc/kubernetes/ssl/
' k5 o* E5 }' H; Z4 w( e
6 E2 c8 j% J3 t  L$ @% G; l( i配置kubeconfig
6 {5 ?' M* E; _/ l& S) h) avim /etc/kubernetes/kubeconfig

apiVersion: v1
% h( [( \" N' Z% Skind: Config
) k9 A: M1 l2 y. h- Musers:
  m2 o6 P0 K% s4 D- name: kubelet
  user:
. c/ k7 O5 |/ w, y. I0 T7 h0 D2 x      client-certificate: /etc/kubernetes/ssl/kubelet_client.crt
      client-key: /etc/kubernetes/ssl/kubelet_client.key
clusters:
- name: local
  W+ _1 s$ F) l! Z' b  cluster:
      certificate-authority: /etc/kubernetes/ssl/ca.crt
1 Z1 r. l1 N2 Y& z4 B+ j      server: https://10.211.55.10:6443
! z' }/ Y, i. E+ B( u( l, Z7 icontexts:
1 Y+ B! _( \! c4 y4 ?- context:
      cluster: local
      user: kubelet
9 e, z) q& b% Q* j0 K( P, f  name: my-context
current-context: my-context
6 b( F. |3 Q  |  Q8 V1 [+ S
kubelet启动参数配置
vim /etc/kubernetes/kubelet

, O6 s3 ^/ d( _KUBELET_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig --hostname-override=10.211.55.11 --logtostderr=false --log-dir=/var/log/kubernetes --v=2 --fail-swap-on=false"
, T2 z4 o% z. v/ n) i这里要注意–fail-swap-on=false或者禁用swap，我这里选择配置–fail-swap-on=false
设置kube-proxy启动参数
vim /etc/kubernetes/kube-proxy
4 {& K1 s% D  M, g$ Q$ Q
6 o$ z/ q' J' M& o' i& g" EKUBE_PROXY_ARGS="--master=https://10.211.55.10:6443 --kubeconfig=/etc/kubernetes/kubeconfig --logtostderr=false --log-dir=/var/log/kubernetes --v=2"
启动服务
* m& s& t( n* F3 s4 `; d# u
2 F. w% u- ^$ r3 `1 C& J systemctl daemon-reload
$ }0 ~3 t, M2 N# x" {; x systemctl start kubelet.service
systemctl status kubelet.service
4 S& U2 o6 n3 B: Z% h5 J
systemctl start kube-proxy
7 F4 a- i7 d3 p. K. J) A5 V systemctl status kube-proxy
node 2就按照上面的步骤进行安装即可

admin

搭建私有库

私有库用于系统内部存储成品镜像，能够快速进行下载及被k8s调度。
2 B4 K  m) x9 i1 ~5 k
' R$ L% [- r7 J0 \6 m$ s8 O9 B; v1.下载并启动私有库
* S) D+ w4 U9 ?5 l
! B1 h; t; n! ]. S  A) r; K9 g& z[centos-master]:docker run --name registry -v /etc/localtime:/etc/localtime -v /opt/registry:/var/lib/registry -p 5000:5000 -itd docker.io/registry

; h  X/ \6 b1 `* v' o! S. J# A#--name 表示启动的容器后名称，此处为registry
#-v 表示挂载路径  格式为宿主机路径:容器内路径
+ X1 A; ~) I1 S( Z7 M, g( ^' g#-p 表示映射端口  格式为宿主机端口:容器内端口
#-itd   docker的内部参数，此处声明后台运行容器并分配一个伪终端并绑定到容器的标准输入上，后跟镜像名称此处为docker.io/registry
" C* H% z) T: G, Q- T& _
5 R6 ~9 V4 }( u. p( \2.创建一个secret服务，用于k8s调度私有库容器时的“令牌”。简单来说，secret服务就是一个存储密码的服务
7 v9 w: U! z6 O* n9 Z$ m. N3 E
[centos-master]:kubectl create secret docker-registry registrykey --docker-server=registry.evehicle.cn --docker-username=docker --docker-password=docker --docker-email=lienhua@zhongchuangsanyou.com
4 L+ }5 a/ Y* i% }2 s/ r
! Z$ c: b+ z" R; t6 X[centos-master]:kubectl get secret
) z) w2 ^' H! Z# n- h$ {4 fNAME          TYPE                      DATA      AGE
2 E2 E) R; l+ \: k( A5 W) D$ e/ @" R/ {3 f7 Nregistrykey   kubernetes.io/dockercfg   1         6s
8 n- D2 _& y6 d! [
此时登录时会提示认证错误
4 Z1 d- u2 V  U3 S2 ^; l' @
) @- P) Q7 o1 z9 P7 T[centos-master]:docker login -u docker -p docker -e lienhua@zhongchuangsanyou.com registry.evehicle.cn
Flag --email has been deprecated, will be removed in 1.13.
Error response from daemon: login attempt to https://registry.evehicle.cn/v2/ failed with status: 401 Unauthorized
) v7 a1 a/ }0 h" S
% \) P6 f9 }0 J: t; T( k这是因为Docker官方是推荐采用Secure Registry的工作模式的，即transport采用tls。这样我们就需要为Registry配置tls所需的key和crt文件了

3.配置nginx反向代理
[centos-master]: cat registry.evehicle.cn.conf

# For versions of nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary
0 e  ~) _7 Q5 t
upstream docker-registry {
/ v: d- J  e, A9 I8 v  server 192.168.121.9:5000;
9 n, F7 T( C& ~1 }2 m4 {+ s  #server 10.44.170.95:5000;
5 _: F: `  h4 h6 n}
6 K! ?$ `3 `: \8 i/ L4 q- \, B4 v
# uncomment if you want a 301 redirect for users attempting to connect
# on port 80
# NOTE: docker client will still fail. This is just for convenience
& v* A! `7 P1 [+ M# server {
#   listen *:80;
#   server_name my.docker.registry.com;
#   return 301 https://$server_name$request_uri;
# }

server {
    listen 443;
5 v6 ^8 r) J  T5 c* I0 x$ y    server_name registry.evehicle.cn;

# T: v2 `' ~7 T    ssl on;
    ssl_certificate ssl/registry.evehicle.cn.crt;
    ssl_certificate_key ssl/registry.evehicle.cn.key;
# U5 }, b3 C: q$ C/ k5 C9 N0 F: b) O
. \/ k6 b0 T1 o0 P% V0 n/ J    client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
4 @; o5 Z' q. o9 Y1 N
7 }+ u3 l7 ?9 O. w& Q    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
! A6 G5 w5 y/ `* R& z' k5 K    chunked_transfer_encoding on;
: Z; S. Z8 o: q& ^# @2 J
0 C/ z! a/ B+ w/ V5 I    location / {
        auth_basic  "Restricted";
2 Y4 D- v; t. W        auth_basic_user_file  passwd;
- T) t: {, e4 h/ t        add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

        proxy_pass                          http://docker-registry;
/ d% A  _3 d" d( @4 m1 j        proxy_set_header  Host              $http_host;   # required for docker client's sake
/ H0 W& i1 t" H        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
& ^/ ^1 m$ b/ b8 `        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
7 r3 [% Z2 t9 K# @        proxy_read_timeout                  900;
' q3 @6 w+ O; p5 @$ d5 v        }

" l3 z$ ?: O8 p- Y& G# O+ Q$ n    location /_ping {
6 V6 ?* d+ F: X. c3 ^) C        auth_basic off;
        include               docker-registry.conf;
8 C  d5 s4 ~/ ]0 c5 t5 l: p    }

    location /v1/_ping {
        auth_basic off;
        include               docker-registry.conf;
    }
# |# f$ x$ d: J, @
    location /v2/_ping {
        auth_basic off;
# B; y- {3 m& h( G        include               docker-registry.conf;
    }
}
, b* _1 x2 Z7 j$ V
将key及crt证书文件放到../ssl目录下。使用htpasswd生成密码放于./上一级目录

* T/ U) Q' }% o% a; \* n: I8 a( D htpasswd -bcm passwd docker docker
: X, p  R! J( L% B/ m: w #-c：创建一个加密文件
) {( x/ V+ k- N7 J2 c2 d #-m：md5加密，默认可不填写
#-b：表示用户名密码在命令行中一并输入，不用分别填写

' O; m) g% j, }& l, x- u- X4.再次登录

[centos-master]:docker login -u docker -p docker -e lienhua@zhongchuangsanyou.com registry.evehicle.cn

0 M+ i4 U) m% Q9 s5 d) g, MLogin Succeeded
表示成功，此时再pull\push既在私有库中进行
+ D4 z, I/ m) h/ n4 I
构建服务

6 r8 |8 ?% w* i/ l, \0 j) }9 Pdocker的本意是将代码包含在容器内制作成镜像形成“产品”。但出于公司的（频繁修改代码及服务器资源受限）的特殊性，我们将代码以“外挂”的形式运行在宿主机上。下面以部署官网（apache）服务为例：
, z6 P8 H  g" x* q2 z( O8 u2 R4 N4 W* }1.从docker的公有库里下载centos7的原生镜像

[centos-master]:docker pull centos

9 c; t! @6 q! @) B6 F0 ~7 QUsing default tag: latest
Trying to pull repository docker.io/library/centos ...
latest: Pulling from docker.io/library/centos
d9aaf4d82f24: Downloading [>              ]   540 kB/73.39 MB
$ d' z9 Q: ^7 V" Zd9aaf4d82f24: Pulling fs layer
6 z5 M# K7 V: {" _5 _Digest: sha256:eba772bac22c86d7d6e72421b4700c3f894ab6e35475a34014ff8de74c10872e
Status: Downloaded newer image for centos:latest

5 \! m8 F/ T8 O6 B3 E4 ]2.编写Dockerfile制造apache基础镜像
4 q/ l. N* R, |6 M: w
# H; I9 A5 z/ D, N######httpd####
FROM centos
. s( i& A0 w8 C: s" D& {# L1 cMAINTAINER lienhua lienhua@zhongchuangsanyou.com
! ~, S5 m6 d' u2 B3 W3 ^RUN yum -y install epel-release
RUN yum -y install httpd  php php-mysql php-memcache* php-mbstring
7 h) \8 _* k2 z2 gADD httpd.conf /etc/httpd/conf/httpd.conf

EXPOSE 80
  S6 Q8 J: W( @3 ^, m) y
CMD ["/usr/sbin/apachectl", "-D", "FOREGROUND"]
, O/ I2 v& q3 j$ m$ z
5 L0 C, f: p1 ~1 }8 R其中httpd.conf文件需要在当前目录下真实存在，此处其内容为

ServerRoot "/etc/httpd"
$ S, T3 S8 Q# K! Z2 j& ^/ z# P: lListen 80
' p( k  C4 v6 _# h$ L6 MListen 8080
  {' `( J* `0 ~5 s' FInclude conf.modules.d/*.conf
: _5 p3 H# K: l* U6 y7 c9 d6 LInclude zcsy/*.conf
User apache
, Z" h: o5 v3 P* ^) G. _+ iGroup apache
. g! e! b) F  G5 p, X2 B3 sServerAdmin root@localhost
<Directory />
6 B3 W* `$ z6 y0 u    AllowOverride none
. v; W9 m! [/ j$ I    Require all denied
9 S9 D% g- k0 v2 n4 n# e* x</Directory>
DocumentRoot "/var/www/html"
& l/ j4 q3 V3 j8 {" s0 Y3 U% k9 @<Directory "/var/www">
2 P2 V+ Q: N7 F" d8 o7 Y    AllowOverride None
4 r2 v) L" P* B. i/ i" l- ^    Require all granted
* q& v8 X0 D* I- e- k$ Y! t</Directory>
  U( F' r- X0 I2 Y) K0 c<Directory "/var/www/html">
" D$ q- E5 H: n9 c9 U% L. p    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
2 \' f0 n+ W" J+ _, j/ I3 ~2 j" O<IfModule dir_module>
6 s) a+ j" q& ]( S    DirectoryIndex index.html
7 C( C3 s* u- Y* ]( \</IfModule>
% _' P0 e% U' E4 |0 m<Files ".ht*">
    Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
* n/ L8 H+ h! e: x    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
' G/ g$ A, f# a2 d& g' E2 @      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
3 G7 J8 b7 A: p3 G0 u0 N</IfModule>
<IfModule alias_module>
3 r9 ^% d. a$ X, B+ r    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
: q; m: d) C' X  V! i4 ]. N* f</IfModule>
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
9 ^1 ^* m5 f7 h( V* S! Y- A; r</Directory>
<IfModule mime_module>
    TypesConfig /etc/mime.types
0 o7 g/ K2 f% r8 |    AddType application/x-compress .Z
$ Y& D# ?1 u! ?2 S) ~    AddType application/x-gzip .gz .tgz
    AddType application/x-httpd-php .php
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
4 G, a5 j9 e/ A</IfModule>
: h: N' E; W" KAddDefaultCharset UTF-8
. b" N, G% o  o  U3 v; e5 |<IfModule mime_magic_module>
* ?: i& S# K0 e7 L    MIMEMagicFile conf/magic
' }/ R" ?/ Z# J) q0 o</IfModule>
4 o3 }" [1 B( q  O% c& W, DEnableSendfile off
- B( a/ X5 l" w/ m% fEnableMMAP off
: j' z5 h$ H7 m: D( |8 t. R1 R  r0 WIncludeOptional conf.d/*.conf

0 {) u' ^3 n3 K4 N3 C2 a: ^执行[centos-master]:docker build -t registry.evehicle.cn/httpd . 命令制作名为”registry.evehicle.cn/httpd”的镜像（注意此处的点必须要有，并且其意义代表当前目录下的Dockerfile文件）
) a4 z7 p( e7 E. z" |1 E& N
3.将制作好的镜像上传到私有库
1 d- B" D4 [7 G+ }# N2 `
docker push registry.evehicle.cn/httpd
7 V3 d  K" M5 n) x6 a- v
4.编写启动apache服务的yaml文件

& z& \/ G4 P. w! h" ~9 U; i: u[centos-master]:cat 13-rc-httpd.yaml
& E  p3 x; v( \! d- s3 q% P  D6 m
  v& D* Q* S9 J3 R1 S& ~. `apiVersion: v1
kind: ReplicationController
metadata:
5 n4 d' p7 x; I% h0 I2 _7 @  name: 13-rc-httpd
  labels:
    name: 13-rc-httpd
spec:
& a1 l0 O; v/ @' p1 I; \) s  replicas: 2
  selector:
; `  E1 g  O; [! J) e% A    name: 13-rc-httpd
  template:
    metadata:
      labels:
! i$ O" \/ t2 q3 C7 a% ^" Z1 S        name: 13-rc-httpd
    spec:
      containers:
      - name: 13-rc-httpd
        image: registry.evehicle.cn/httpd
; g7 r" y, O8 z" O        env:
        - name: LANG
          value: en_US.UTF-8
8 t1 ?' ~- a2 Q  z        ports:
        - containerPort: 80
. Y1 `$ A$ L+ y7 _2 a8 K; @          hostPort: 80
9 [, o! C  N% R  }. Z9 h        volumeMounts:
        - name: time
          mountPath: /etc/localtime
        - name: zcsy
          mountPath: /etc/httpd/zcsy
        - name: deploy
; p) J$ {) o& X: P          mountPath: /docker/httpd/deploy
        - name: log
) t8 D% ~8 S: M2 _4 B* H          mountPath: /var/log/httpd
$ J1 l, R/ J' o      volumes:
        - name: time
" L5 a* t4 w- g6 p          hostPath:
            path: /etc/localtime
        - name: zcsy
          hostPath:
9 ]8 n6 ]2 I- @$ r, f5 H& |" `            path: /docker/httpd/zcsy
        - name: deploy
          hostPath:
, Q( z' M4 p6 I% T            path: /docker/httpd/deploy
        - name: log
5 T' A, B4 P' p( y  `3 j# c! }! l          hostPath:
* s+ J0 R9 T3 n4 f            path: /docker/httpd/log
( @7 q$ a8 i7 {! G      nodeSelector:
5 D: j5 d3 I; F        slave: "13"
      imagePullSecrets:
% ?; k$ S" ]0 ~1 `8 `      - name: registrykey
0 }/ f! M5 V4 b: q4 D# }! m
5.给其中一个node加上标签为“13”
2 \/ p5 M1 u" \, [
kubectl label nodes centos-minion-1 slave=13

' }6 q# B) |( H. Q) @6 z6.此时拥有标签“13”的nodes应具备的条件
8 ~0 p0 Y4 [, a5 x$ ]/ l1 p
7 w# D0 m5 u! @+ G; g/docker/httpd/zcsy下需要有官网的配置文件
6 \4 D4 Z; M8 j/ T: ?$ D
<VirtualHost *:80>
   ServerName www.evehicle.cn
  DocumentRoot /var/deploy/wordpress/
5 R5 j: v% D4 \        RewriteEngine on
        RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-d
3 ^2 L0 D# O9 ?' c+ [1 k        RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
) P& }) ?& x- {. V        RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !^.*\.(ico|pdf|flv|jpe?g|js|gif|png|html|shtml|zip|xml|gz|rar|swf|txt|apk|bmp|css|m4a|ogg|mp3|ipa|plist)$
; G+ E+ n7 @# _) ?        RewriteCond %{REQUEST_URI} !^/server-status$
        RewriteRule . /index.php [QSA,PT,L]
, x3 {2 c. w' ~9 j- A
</VirtualHost>
<Directory /var/deploy/wordpress/>
    Options FollowSymLinks
, ?* g6 Y  k" \: q; c    AllowOverride All
- k7 [# v( e" X    Require all granted
</Directory>

以及/docker/httpd/deploy下需要有官网的代码
% R- [! |! X: Q
7.运行yaml文件启动容器
6 D3 D  s2 U* |. j$ \$ v
6 R. d- e- R* x  F. p& |7 J/ z[centos-master]: kuberctl create -f 13-rc-httpd.yaml

8.查看服务
, X$ o! C5 ^9 _% r& K3 ^0 u
3 s1 E% V# g" S1 d' z[centos-master]: kuberctl get rc
& a) e- G+ i/ x
NAME                 DESIRED   CURRENT   AGE
0 p9 O3 b2 c3 |, `/ t! ~13-rc-httpd          2         2         168d
- m& p& H1 C$ a+ b5 L
9.程序中涉及的mysql\redis\memcache等服务也需使用容器运行起来

[centos-master]: docker pull redis
[centos-master]: docker tag registry.evehicle.cn/redis redis
[centos-master]: docker push registry.evehicle.cn/redis
[centos-master]: kubectl create -f rc-redis.yaml
[centos-master]: cat rc-redis.yaml

apiVersion: v1
* D0 M; o' D1 u) ^kind: ReplicationController
metadata:
  name: redis
) |6 E' n+ a' |# S: Q8 M- S  labels:
    name: redis
spec:
  replicas: 2
  selector:
    name: redis
  template:
4 ]2 s$ t: R6 I3 A3 C1 R# X    metadata:
      labels:
# R$ d5 Y+ O" W* R+ P% ~, h" s. o# p        name: redis
2 M( P/ t2 E8 C2 d. l    spec:
      containers:
      - name: redis
        image: registry.evehicle.cn/redis
        ports:
0 D: \0 |2 L5 A3 T% z1 G        - containerPort: 6379
' k0 L6 T2 B# \/ ^% f          hostPort: 6379
) q/ y3 r" \0 {: j; y        volumeMounts:
/ ?+ V7 g  w" @/ _        - name: data
          mountPath: /data
        - name: time
          mountPath: /etc/localtime
/ y' M" D1 `& D; d" v( _      volumes:
: ~9 C5 J( ^* h; ^2 h7 v7 |        - name: data
          hostPath:
            path: /docker/redis/6379
  O! p$ G9 \' o( A2 R. t        - name: time
+ b- _! j# N+ g5 h+ Y% F          hostPath:
            path: /etc/localtime
" m; n, p. X8 u/ V: a5 }      nodeSelector:
        slave: "13"
      imagePullSecrets:
      - name: registrykey
2 `- n2 `0 A. @* X# f
启动memcache
[centos-master]: docker pull memcache
4 S6 }' h0 K. [9 \! s, n[centos-master]: docker tag registry.evehicle.cn/memcached memcache
[centos-master]: docker push registry.evehicle.cn/memcached
* Q9 B5 L0 `: D9 W9 @[centos-master]: kubectl create -f rc-memcached.yaml
[centos-master]: cat rc-memcached.yaml

apiVersion: v1
/ ^2 W! D" _/ Q+ g- kkind: ReplicationController
metadata:
  name: memcached
: i: @2 b2 M3 ~  labels:
    name: memcached
: v: s4 B: d4 F( pspec:
8 K( S. e! S9 a3 P  replicas: 3
* L/ J% _$ |" A9 m' ?! [. z  selector:
7 z3 f# K2 v) m; I    name: memcached
, [. H$ x; f* [, G- @: c" \  template:
    metadata:
      labels:
        name: memcached
: |; Z" L$ Y- m, o. g    spec:
+ f2 [0 k, A; v# Y+ i      containers:
      - name: memcached
" i, l0 B" M/ e4 s# \9 {6 D, i        image: registry.evehicle.cn/memcached
        ports:
        - containerPort: 11211
          hostPort: 11211
      #nodeSelector:
      #  slave: "13"
      imagePullSecrets:
      - name: registrykey
% F& |* S/ x$ ^& ?1 ^! H9 m3 t& i, O
制造mysql镜像
[centos-master]: cat Dockerfile

) Z5 ~* e8 j5 ^9 ]FROM alpine
; x/ S* L; x5 V1 z
: ]  W3 p* y6 t* M. ]
COPY startup.sh /startup.sh
$ h" t. _' e2 Y2 pRUN addgroup mysql && \
    adduser -H -D -s /bin/false -G mysql mysql && \
    apk add --update mysql mysql-client && rm -f /var/cache/apk/* && \
2 a# H/ Z5 R) J" t* A    mkdir /data && \
    chown -R mysql:mysql /data /etc/mysql && \
    chmod 755 /startup.sh \
    ;
7 T- e2 N- c/ J8 x

5 N4 v; m9 N4 |1 NWORKDIR /data
# L5 n% f( B# v+ i8 K/ ~2 {VOLUME /data
VOLUME /etc/mysql
6 z7 @7 B4 o' X$ {/ V9 W2 @
9 n+ o8 @" }* E+ b$ x  r; X
: D1 X' |4 Z  Y. z$ W/ `EXPOSE 3306
% f% ?' W' [+ N3 Z% qCMD ["/startup.sh"]
" d$ M$ J0 t0 |1 V9 F/ K, K
启动mysql（建议mysql在宿主机启动）
* [+ q/ \" o8 Z. I4 h' N7 Z[centos-master]: docker build -t registry.evehicle.cn/mysql
[centos-master]: docker push registry.evehicle.cn/mysql
[centos-master]: kubectl create -f rc-mysql.yaml
$ @: B( e# t2 a, F, S: X8 v  h[centos-master]: cat rc-mysql.yaml

apiVersion: v1
kind: ReplicationController
# ?/ [$ p6 q0 M7 Ymetadata:
  name: 13-rc-mysql
( b8 o1 q2 j2 `6 e2 R  labels:
$ A4 s/ Q/ R- l: Q2 ], v0 x    name: 13-rc-mysql
+ O5 {* b- C& M$ sspec:
. ?! y* b# R0 V: t& ^1 c  replicas: 2
6 U# `3 A+ P3 \! C1 m2 V  selector:
    name: 13-rc-mysql
; |" ~: d8 }3 P8 V4 |  template:
0 ^  B% L1 _$ S. K& x( o    metadata:
      labels:
7 l' ?( n" K/ N3 N        name: 13-rc-mysql
2 n* C' l* o7 g. K- I0 K    spec:
      containers:
4 M& Z: {" G5 M/ ~      - name: 13-rc-mysql
        image: registry.evehicle.cn/mysql
$ x! D$ {  q) x8 I/ D5 o        env:
        - name: MYSQL_DATABASE
          value: admin
1 d" x* r( d# `: E4 ~        - name: MYSQL_USER
% s  \/ k! T3 g; \          value: tony
        - name: MYSQL_PASSWORD
5 N  }; \* V1 v          value: 456
8 G$ v6 M7 i: w7 v) K  J  ^( D        - name: MYSQL_ROOT_PASSWORD
          value: 123
        ports:
        - containerPort: 3306
          hostPort: 3306
        volumeMounts:
        - name: time
          mountPath: /etc/localtime
9 |3 t9 l  Z% n0 [        - name: data
6 ]. _3 e- I- I0 G# ^4 M; q: t          mountPath: /data
: i8 s( C7 T  @3 d9 c, Z        - name: etc
          mountPath: /etc/mysql
        - name: run
9 f3 s8 I7 O- R  B+ @6 J) o9 p          mountPath: /run/mysqld
      volumes:
/ E( ~$ x3 h; K        - name: time
          hostPath:
            path: /etc/localtime
. A$ L. r% l6 ?! I3 W        - name: data
          hostPath:
' c6 c* _* q2 s- x0 Z" W            path: /docker/mysql/data
1 b8 X" u& w* t$ H; H2 S% ^8 Y5 K- }% V        - name: etc
          hostPath:
4 x  i, w% _9 P; C            path: /docker/mysql/etc
( u0 J" k$ H0 w1 d. l/ a. p        - name: run
          hostPath:
            path: /docker/mysql/run
      nodeSelector:
        slave: "13"
      imagePullSecrets:
. V  X6 x) H0 Q1 W1 ~      - name: registrykey
  f2 H8 T/ K. q9 ~8 y7 ~: o
为方便代码编写及统一管理，应提前做好内部DNS解析。将所负责的应用规整到对应的机器上。

admin

kubectl config set-cluster default-cluster --server=http://192.168.121.9:8080
9 s0 e, m9 D6 @8 V0 F& ]kubectl config set-context default-context --cluster=default-cluster --user=default-admin
kubectl config use-context default-context

admin

搭建私有库

私有库用于系统内部存储成品镜像，能够快速进行下载及被k8s调度。
& b% J6 G; U/ C, \
5 [: E9 K5 f; \' }1.下载并启动私有库
4 K" e8 F0 ], I% z0 V# @) ?) f8 b
[centos-master]:docker run --name registry -v /etc/localtime:/etc/localtime -v /opt/registry:/var/lib/registry -p 5000:5000 -itd docker.io/registry
* P% W' r6 l1 A1 ^
. H( d: E) u6 Z/ p#--name 表示启动的容器后名称，此处为registry
#-v 表示挂载路径  格式为宿主机路径:容器内路径
#-p 表示映射端口  格式为宿主机端口:容器内端口
#-itd   docker的内部参数，此处声明后台运行容器并分配一个伪终端并绑定到容器的标准输入上，后跟镜像名称此处为docker.io/registry
# R4 x5 R0 x: @. N3 c) ^
2.创建一个secret服务，用于k8s调度私有库容器时的“令牌”。简单来说，secret服务就是一个存储密码的服务

[centos-master]:kubectl create secret docker-registry registrykey --docker-server=registry.evehicle.cn --docker-username=docker --docker-password=docker --docker-email=lienhua@zhongchuangsanyou.com

! ]9 _7 R7 H$ m& [[centos-master]:kubectl get secret
NAME          TYPE                      DATA      AGE
registrykey   kubernetes.io/dockercfg   1         6s
$ ~" e# g1 `9 k( W
- C# ]; s, L: j此时登录时会提示认证错误

0 f8 n/ G# ?$ T[centos-master]:docker login -u docker -p docker -e lienhua@zhongchuangsanyou.com registry.evehicle.cn
Flag --email has been deprecated, will be removed in 1.13.
. }) g) @# d) F5 DError response from daemon: login attempt to https://registry.evehicle.cn/v2/ failed with status: 401 Unauthorized

这是因为Docker官方是推荐采用Secure Registry的工作模式的，即transport采用tls。这样我们就需要为Registry配置tls所需的key和crt文件了
3 D" ~8 P, Z- p- R
3.配置nginx反向代理
[centos-master]: cat registry.evehicle.cn.conf
, F1 I6 ~+ [8 f- i- C
4 _3 f/ ~6 Y. \, G. o# For versions of nginx > 1.3.9 that include chunked transfer encoding support
6 V  h) C5 W( N( e! ~- e# Replace with appropriate values where necessary
& a( O7 ]4 T) p. S4 v
) k$ w. p* N# {, F; l. \upstream docker-registry {
  server 192.168.121.9:5000;
7 `4 e( e) `4 b4 c$ P0 s2 P0 e  #server 10.44.170.95:5000;
}
8 h1 D( ]0 ]: y8 W! k* d8 e* s
# uncomment if you want a 301 redirect for users attempting to connect
+ L. x6 V4 e9 B' u# on port 80
# NOTE: docker client will still fail. This is just for convenience
# server {
0 A+ L7 ^8 f5 G% a#   listen *:80;
#   server_name my.docker.registry.com;
0 \( \% P9 F4 d0 k6 @4 G4 j#   return 301 https://$server_name$request_uri;
6 |% @% `9 s/ b8 s1 z. x# }

/ B2 v. S; e7 u5 V1 D, Vserver {
2 Y1 X$ @  A$ f4 H; O1 z: a    listen 443;
    server_name registry.evehicle.cn;
. @1 B) x4 N+ b: i+ F* z
    ssl on;
    ssl_certificate ssl/registry.evehicle.cn.crt;
    ssl_certificate_key ssl/registry.evehicle.cn.key;

0 W3 D5 v. V: O* F    client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
7 }8 ]3 }# ^9 ?9 @  w1 K
* x6 C; g  z! W    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

0 G5 g7 m: }5 O1 U" A. x    location / {
        auth_basic  "Restricted";
        auth_basic_user_file  passwd;
/ b$ @- o1 r- E+ ?* L) t        add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
9 P9 L8 d. A, c/ V- C% c
. X& R, K5 J) f8 i5 ~0 f/ B. q+ ^* P        proxy_pass                          http://docker-registry;
        proxy_set_header  Host              $http_host;   # required for docker client's sake
9 i% h" ~8 Q. _% V8 H        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
4 R5 V) X& [9 z' B/ m: F, f: ]' z* j9 J        proxy_set_header  X-Forwarded-Proto $scheme;
0 b6 ^+ S9 H& L% h5 I        proxy_read_timeout                  900;
        }

6 {+ @( W0 Z8 e+ Z( a5 [& o: ^    location /_ping {
        auth_basic off;
- V2 T6 [% l: Y4 A& U$ Z4 r        include               docker-registry.conf;
    }

    location /v1/_ping {
9 V! C; X) ?" b. w, r        auth_basic off;
        include               docker-registry.conf;
    }
7 e% z- |4 n2 c) ?/ y) L2 i
: r" u7 C8 H$ s5 y2 q    location /v2/_ping {
        auth_basic off;
# J$ p" N* k  i: a7 c        include               docker-registry.conf;
    }
}
- ]8 n$ M8 T& C$ q& T. r* z5 @( z
将key及crt证书文件放到../ssl目录下。使用htpasswd生成密码放于./上一级目录
5 T9 |" Y! y0 X6 J1 A
! r/ k: x3 h1 d! Y htpasswd -bcm passwd docker docker
' m% b, S3 i; L0 E& n, i) v, j #-c：创建一个加密文件
, F) P6 k4 }) r #-m：md5加密，默认可不填写
/ \2 _" h  z$ b; P1 E+ u% _ #-b：表示用户名密码在命令行中一并输入，不用分别填写

$ w7 w* z0 V! {& J. L9 b* [( |4.再次登录

[centos-master]:docker login -u docker -p docker -e lienhua@zhongchuangsanyou.com registry.evehicle.cn
  J! J0 \4 ^0 z9 \
Login Succeeded
表示成功，此时再pull\push既在私有库中进行