k8s study, part 2: building a k8s cluster from binaries, a simple single-master multi-node deployment

Posted 2018-9-20 11:08:15
Server environment

centos7.5
Parallels Desktop VMs on a Mac

Role      IP              Services deployed                                              Spec
master    10.211.55.10    etcd, kube-apiserver, kube-controller-manager, kube-scheduler  2C, 2G
node1     10.211.55.11    docker, kubelet, kube-proxy                                    2C, 2G
node2     10.211.55.12    docker, kubelet, kube-proxy                                    2C, 2G

The plan is to deploy from binary packages.

Download links for the required binaries:
1. https://dl.k8s.io/v1.10.4/kubernetes-server-linux-amd64.tar.gz
2. https://dl.k8s.io/v1.10.4/kubernetes-node-linux-amd64.tar.gz
3. https://github.com/coreos/etcd/r ... -linux-amd64.tar.gz

Note: the firewall must be turned off on all servers.
Master deployment

Installing from binaries is basically the same few steps every time:
1. Copy the corresponding binary into /usr/bin
2. Create the systemd service unit file
3. Create the parameter file that the service unit refers to
4. Enable the application to start at boot
5. Start the service and check its status
etcd deployment

Download the binary package and install it:
wget https://github.com/coreos/etcd/r ... -linux-amd64.tar.gz
tar -xzvf etcd-v3.2.22-linux-amd64.tar.gz
cd etcd-v3.2.22-linux-amd64/
cp etcd /usr/bin/
cp etcdctl /usr/bin/
mkdir /var/lib/etcd
mkdir /etc/etcd

Edit the systemd unit file
vim /usr/lib/systemd/system/etcd.service

[Unit]
Description=Etcd Server
After=network.target

[Service]
Type=simple
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=-/etc/etcd/etcd.conf
ExecStart=/usr/bin/etcd

[Install]
WantedBy=multi-user.target

Start the service and enable it at boot
systemctl daemon-reload
systemctl start etcd
systemctl enable etcd

Three commands for checking the service status
systemctl status etcd.service
curl -L http://127.0.0.1:2379/version
etcdctl cluster-health

This one installed quite smoothly and was OK very quickly. Moving on...
kube-apiserver

Download and install
wget https://dl.k8s.io/v1.10.4/kubernetes-server-linux-amd64.tar.gz
tar -xzvf kubernetes-server-linux-amd64.tar.gz
cd kubernetes/server/bin
cp kube-apiserver /usr/bin/

# copy these two as well; they get configured directly later on
cp kube-controller-manager /usr/bin/
cp kube-scheduler /usr/bin/

Edit the systemd unit file
vim /usr/lib/systemd/system/kube-apiserver.service

[Unit]
Description=Kubernetes API Server
Documentation=https://kubernetes.io/docs/concepts/overview
After=network.target
After=etcd.service

[Service]
EnvironmentFile=/etc/kubernetes/apiserver
ExecStart=/usr/bin/kube-apiserver $KUBE_API_ARGS
Restart=on-failure
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Parameter file
mkdir /etc/kubernetes/
vim /etc/kubernetes/apiserver

KUBE_API_ARGS="--storage-backend=etcd3 \
               --etcd-servers=http://127.0.0.1:2379 \
               --bind-address=0.0.0.0 \
               --secure-port=6443  \
               --service-cluster-ip-range=192.168.2.0/16  \
               --service-node-port-range=1-65535 \
               --client-ca-file=/etc/kubernetes/ssl/ca.crt \
               --tls-private-key-file=/etc/kubernetes/ssl/server.key  \
               --tls-cert-file=/etc/kubernetes/ssl/server.crt  \
               --enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota \
               --logtostderr=false \
               --log-dir=/var/log/kubernetes \
               --v=2"

service-cluster-ip-range is the IP range for the virtual IPs of Services; you can define it yourself, but it must not overlap the network segment of the hosts.
bind-address is the address the apiserver listens on; the corresponding listening port is 6443, served over https (0.0.0.0 means bind to all addresses).
client-ca-file is the file used for authentication; it is defined up front here, and the certificate files are created later and placed at the corresponding paths.

Create the log and certificate directories
mkdir -p /etc/kubernetes/ssl
mkdir -p /var/log/kubernetes
kube-controller-manager

kube-controller-manager depends on the kube-apiserver service.

Edit the systemd unit file
vim /usr/lib/systemd/system/kube-controller-manager.service

[Unit]
Description=Kubernetes Controller Manager
Documentation=https://kubernetes.io/docs/setup
After=kube-apiserver.service
Requires=kube-apiserver.service

[Service]
EnvironmentFile=/etc/kubernetes/controller-manager
ExecStart=/usr/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Configure the startup parameters
vim /etc/kubernetes/controller-manager

KUBE_CONTROLLER_MANAGER_ARGS="--master=https://10.211.55.10:6443   \
               --service-account-private-key-file=/etc/kubernetes/ssl/server.key  \
               --root-ca-file=/etc/kubernetes/ssl/ca.crt \
               --kubeconfig=/etc/kubernetes/kubeconfig \
               --logtostderr=false \
               --log-dir=/var/log/kubernetes \
               --v=2"

kube-scheduler

kube-scheduler also depends on kube-apiserver.

Edit the systemd unit file
vim /usr/lib/systemd/system/kube-scheduler.service

[Unit]
Description=Kubernetes Scheduler
Documentation=https://kubernetes.io/docs/setup
After=kube-apiserver.service
Requires=kube-apiserver.service

[Service]
EnvironmentFile=/etc/kubernetes/scheduler
ExecStart=/usr/bin/kube-scheduler $KUBE_SCHEDULER_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Parameter file
vim /etc/kubernetes/scheduler

KUBE_SCHEDULER_ARGS="--master=https://10.211.55.10:6443 --kubeconfig=/etc/kubernetes/kubeconfig \
               --logtostderr=false \
               --log-dir=/var/log/kubernetes \
               --v=2"
Create the CA certificate

Note: synchronise the server clock before generating certificates: ntpdate s2m.time.edu.cn

Create the CA certificate and private key for kube-apiserver
cd /etc/kubernetes/ssl/
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=10.211.55.10" -days 5000 -out ca.crt
openssl genrsa -out server.key 2048

Create the master_ssl.cnf file
vim master_ssl.cnf

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = k8s_master
IP.1 = 192.168.2.1     # ClusterIP address
IP.2 = 10.211.55.10    # master IP address

Generate the apiserver certificate
openssl req -new -key server.key -subj "/CN=10.211.55.10" -config master_ssl.cnf -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile master_ssl.cnf -out server.crt

Set up the certificates for kube-controller-manager
openssl genrsa -out cs_client.key 2048
openssl req -new -key cs_client.key -subj "/CN=10.211.55.10" -out cs_client.csr
openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cs_client.crt -days 5000

Create the kubeconfig file, the configuration file shared by kube-controller-manager and kube-scheduler
vim /etc/kubernetes/kubeconfig

apiVersion: v1
kind: Config
users:
- name: controllermanager
  user:
    client-certificate: /etc/kubernetes/ssl/cs_client.crt
    client-key: /etc/kubernetes/ssl/cs_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /etc/kubernetes/ssl/ca.crt
contexts:
- context:
    cluster: local
    user: controllermanager
  name: my-context
current-context: my-context

Start the services

Start kube-apiserver
systemctl daemon-reload
systemctl enable kube-apiserver
systemctl start kube-apiserver

Start kube-controller-manager
systemctl enable kube-controller-manager
systemctl start kube-controller-manager

Start kube-scheduler
systemctl enable kube-scheduler
systemctl start kube-scheduler
Node

Install docker

Use the Aliyun yum mirrors
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
curl -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum makecache

Install docker with yum
yum install docker-ce
systemctl start docker
systemctl enable docker

docker -v

Install the kubelet service

Download and unpack the package
wget https://dl.k8s.io/v1.10.4/kubernetes-node-linux-amd64.tar.gz
tar -xzvf kubernetes-node-linux-amd64.tar.gz
cd kubernetes/node/bin
cp * /usr/bin

Add the systemd unit
mkdir -p /var/lib/kubelet
mkdir -p /etc/kubernetes/
mkdir -p /var/log/kubernetes
vim /usr/lib/systemd/system/kubelet.service

[Unit]
Description=Kubelet Service
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
EnvironmentFile=/etc/kubernetes/kubelet
ExecStart=/usr/bin/kubelet $KUBELET_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Install the kube-proxy service

Add the systemd unit
vim /usr/lib/systemd/system/kube-proxy.service

[Unit]
Description=K8s kube-proxy Service
After=network.target
After=docker.service
After=network.service

[Service]
EnvironmentFile=/etc/kubernetes/kube-proxy
ExecStart=/usr/bin/kube-proxy $KUBE_PROXY_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Generate the CA certificate

Copy the kube-apiserver certificate ca.crt and ca.key from the master node to the Node.
Use ca.crt and ca.key to generate the node certificate
openssl genrsa -out kubelet_client.key 2048
openssl req -new -key kubelet_client.key -subj "/CN=10.211.55.11" -out kubelet_client.csr
openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kubelet_client.crt -days 5000

mkdir /etc/kubernetes/ssl
mv kubelet_client.* /etc/kubernetes/ssl/
mv ca.crt /etc/kubernetes/ssl/

Configure the kubeconfig
vim /etc/kubernetes/kubeconfig

apiVersion: v1
kind: Config
users:
- name: kubelet
  user:
    client-certificate: /etc/kubernetes/ssl/kubelet_client.crt
    client-key: /etc/kubernetes/ssl/kubelet_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /etc/kubernetes/ssl/ca.crt
    server: https://10.211.55.10:6443
contexts:
- context:
    cluster: local
    user: kubelet
  name: my-context
current-context: my-context

Configure the kubelet startup parameters
vim /etc/kubernetes/kubelet

KUBELET_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig --hostname-override=10.211.55.11 --logtostderr=false --log-dir=/var/log/kubernetes --v=2 --fail-swap-on=false"

Note that you need either --fail-swap-on=false or to disable swap; I chose to configure --fail-swap-on=false here.

Set the kube-proxy startup parameters
vim /etc/kubernetes/kube-proxy

KUBE_PROXY_ARGS="--master=https://10.211.55.10:6443 --kubeconfig=/etc/kubernetes/kubeconfig --logtostderr=false --log-dir=/var/log/kubernetes --v=2"

Start the services

systemctl daemon-reload
systemctl start kubelet.service
systemctl status kubelet.service

systemctl start kube-proxy
systemctl status kube-proxy

Node 2 is installed by following the same steps above.
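As an added example (not code from the post), the following Python reads the /etc/kubernetes/apiserver EnvironmentFile shown above the way systemd does (backslash continuations, quoted value, word-splitting of the unquoted $KUBE_API_ARGS) and lists the settings in it that widen the cluster's exposure; APISERVER_ENV is a constructed copy of the post's file, and the findings are this example's own heuristics against the kube-apiserver 1.10 defaults, not the output of any Kubernetes tool.

```python
"""Parse the kube-apiserver EnvironmentFile from the post and flag risky settings.

Added example, not code from the post. APISERVER_ENV is a constructed copy of the
/etc/kubernetes/apiserver file shown above; the findings are this example's own
heuristics against kube-apiserver 1.10 defaults, not output of a Kubernetes tool.
"""
import shlex

APISERVER_ENV = r'''KUBE_API_ARGS="--storage-backend=etcd3 \
               --etcd-servers=http://127.0.0.1:2379 \
               --bind-address=0.0.0.0 \
               --secure-port=6443  \
               --service-cluster-ip-range=192.168.2.0/16  \
               --service-node-port-range=1-65535 \
               --client-ca-file=/etc/kubernetes/ssl/ca.crt \
               --tls-private-key-file=/etc/kubernetes/ssl/server.key  \
               --tls-cert-file=/etc/kubernetes/ssl/server.crt  \
               --enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota \
               --logtostderr=false \
               --log-dir=/var/log/kubernetes \
               --v=2"
'''

# Flags the post relies on for TLS on port 6443; each is reported if absent.
TLS_FLAGS = {
    "--client-ca-file": "no client CA, so client certificates are never authenticated",
    "--tls-cert-file": "no serving cert, kube-apiserver falls back to a self-signed one",
    "--tls-private-key-file": "no serving key, kube-apiserver falls back to a self-signed cert",
}


def parse_env_file(text):
    """Return {VAR: value} from a systemd EnvironmentFile.

    systemd joins a line ending in a backslash with the next line and then
    strips the quotes around the value; that is what lets the post spread one
    KUBE_API_ARGS value over many lines.
    """
    env = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        env[key.strip()] = " ".join(shlex.split(raw))  # drops the surrounding quotes
    return env


def parse_flags(args):
    """Word-split an unquoted $KUBE_API_ARGS as systemd does; map '--a=b' to {'--a': 'b'}."""
    flags = {}
    for word in shlex.split(args):
        name, _, value = word.partition("=")
        flags[name] = value
    return flags


def audit_apiserver_flags(flags):
    """Return (flag, finding) pairs for settings that widen the cluster's exposure."""
    findings = []
    etcd = flags.get("--etcd-servers", "")
    if etcd.startswith("http://") and "--etcd-certfile" not in flags:
        findings.append(("--etcd-servers", "etcd is reached over plaintext http with no client cert; "
                         "all cluster state, Secrets included, is unauthenticated on that link"))
    low, _, _ = flags.get("--service-node-port-range", "").partition("-")
    if low.isdigit() and int(low) < 1024:
        findings.append(("--service-node-port-range", f"range starts at {low}; a NodePort Service "
                         "can claim privileged ports and collide with host daemons"))
    if flags.get("--bind-address") == "0.0.0.0":
        findings.append(("--bind-address", "secure port bound on every interface; with the host "
                         "firewall off it is reachable from the whole host network"))
    for flag, why in TLS_FLAGS.items():
        if not flags.get(flag):
            findings.append((flag, why))
    if "--authorization-mode" not in flags:
        findings.append(("--authorization-mode", "unset; 1.10 defaults to AlwaysAllow, and with "
                         "--anonymous-auth also defaulting to true, unauthenticated requests are authorized too"))
    if "--insecure-port" not in flags:
        findings.append(("--insecure-port", "unset; 1.10 still serves an unauthenticated http API "
                         "on 127.0.0.1:8080 to every local user of the master"))
    return findings


def audit_env_text(text):
    """Parse the file text and audit it; returns (flags, findings)."""
    flags = parse_flags(parse_env_file(text)["KUBE_API_ARGS"])
    return flags, audit_apiserver_flags(flags)


if __name__ == "__main__":
    for flag, why in audit_env_text(APISERVER_ENV)[1]:
        print(f"{flag}: {why}")
```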

Original poster, posted 2018-9-20 11:11:21
Setting up a private registry

The private registry stores finished images inside the system, so they can be downloaded quickly and scheduled by k8s.

1. Download and start the private registry

[centos-master]:docker run --name registry -v /etc/localtime:/etc/localtime -v /opt/registry:/var/lib/registry -p 5000:5000 -itd docker.io/registry

#--name is the name of the started container, here registry
#-v is a mount path, in the format host path:container path
#-p is a port mapping, in the format host port:container port
#-itd are docker's own parameters; here they declare that the container runs in the background and allocate a pseudo-terminal bound to the container's standard input; what follows is the image name, here docker.io/registry

2. Create a secret, the "token" used when k8s schedules containers from the private registry. Put simply, a secret is a service that stores passwords.

[centos-master]:kubectl create secret docker-registry registrykey --docker-server=registry.evehicle.cn --docker-username=docker --docker-password=docker --docker-email=lienhua@zhongchuangsanyou.com

[centos-master]:kubectl get secret
NAME          TYPE                      DATA      AGE
registrykey   kubernetes.io/dockercfg   1         6s

At this point logging in reports an authentication error

[centos-master]:docker login -u docker -p docker -e lienhua@zhongchuangsanyou.com registry.evehicle.cn
Flag --email has been deprecated, will be removed in 1.13.
Error response from daemon: login attempt to https://registry.evehicle.cn/v2/ failed with status: 401 Unauthorized

This is because Docker officially recommends the Secure Registry mode of operation, i.e. TLS as the transport, so we need to configure the key and crt files that TLS needs for the Registry.
3. Configure the nginx reverse proxy

[centos-master]: cat registry.evehicle.cn.conf

# For versions of nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary

upstream docker-registry {
  server 192.168.121.9:5000;
  #server 10.44.170.95:5000;
}

# uncomment if you want a 301 redirect for users attempting to connect
# on port 80
# NOTE: docker client will still fail. This is just for convenience
# server {
#   listen *:80;
#   server_name my.docker.registry.com;
#   return 301 https://$server_name$request_uri;
# }

server {
    listen 443;
    server_name registry.evehicle.cn;

    ssl on;
    ssl_certificate ssl/registry.evehicle.cn.crt;
    ssl_certificate_key ssl/registry.evehicle.cn.key;

    client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

    location / {
        auth_basic  "Restricted";
        auth_basic_user_file  passwd;
        add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

        proxy_pass                          http://docker-registry;
        proxy_set_header  Host              $http_host;   # required for docker client's sake
        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_read_timeout                  900;
    }

    location /_ping {
        auth_basic off;
        include               docker-registry.conf;
    }

    location /v1/_ping {
        auth_basic off;
        include               docker-registry.conf;
    }

    location /v2/_ping {
        auth_basic off;
        include               docker-registry.conf;
    }
}

Put the key and crt certificate files in the ../ssl directory. Use htpasswd to generate the password file in the parent directory:

htpasswd -bcm passwd docker docker
#-c: create a new password file
#-m: md5 hashing; this is the default and can be omitted
#-b: the username and password are given together on the command line instead of being entered separately

4. Log in again

[centos-master]:docker login -u docker -p docker -e lienhua@zhongchuangsanyou.com registry.evehicle.cn

Login Succeeded

indicates success; from now on pull and push go through the private registry.
Building a service

docker's original intent is to include the code inside the container and build it into an image, forming a "product". But because of the company's particular situation (frequent code changes and limited server resources), we run the code "externally" on the host. Below, deploying the official website (apache) service is used as the example:

1. Pull the native centos7 image from docker's public registry

[centos-master]:docker pull centos

Using default tag: latest
Trying to pull repository docker.io/library/centos ...
latest: Pulling from docker.io/library/centos
d9aaf4d82f24: Downloading [>              ]   540 kB/73.39 MB
d9aaf4d82f24: Pulling fs layer
Digest: sha256:eba772bac22c86d7d6e72421b4700c3f894ab6e35475a34014ff8de74c10872e
Status: Downloaded newer image for centos:latest

2. Write a Dockerfile to build the apache base image

######httpd####
FROM centos
MAINTAINER lienhua lienhua@zhongchuangsanyou.com
RUN yum -y install epel-release
RUN yum -y install httpd  php php-mysql php-memcache* php-mbstring
ADD httpd.conf /etc/httpd/conf/httpd.conf

EXPOSE 80

CMD ["/usr/sbin/apachectl", "-D", "FOREGROUND"]

The httpd.conf file must actually exist in the current directory; here its contents are

ServerRoot "/etc/httpd"
Listen 80
Listen 8080
Include conf.modules.d/*.conf
Include zcsy/*.conf
User apache
Group apache
ServerAdmin root@localhost
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
<Files ".ht*">
    Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType application/x-httpd-php .php
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>
EnableSendfile off
EnableMMAP off
IncludeOptional conf.d/*.conf

Run [centos-master]:docker build -t registry.evehicle.cn/httpd . to build the image named "registry.evehicle.cn/httpd" (note that the trailing dot is required; it means the Dockerfile in the current directory).

3. Push the built image to the private registry

docker push registry.evehicle.cn/httpd

4. Write the yaml file that starts the apache service

[centos-master]:cat 13-rc-httpd.yaml

apiVersion: v11 w4 c8 C! ]  d( }) |
kind: ReplicationController+ F3 {8 h% W2 x! Z( p) C& X
metadata:- G& u( Q) m, ?
  name: 13-rc-httpd
1 Z2 p* y: J- s" K2 K2 o  labels:$ I6 i8 L) l+ I% c) Q* q
    name: 13-rc-httpd
" O& Z. F# @2 D8 ^" v: cspec:
& `# _: O4 [8 z% Y% P& f% F, G4 Y3 G  replicas: 2  l: n# A  T- V- v
  selector:
; w) t- S0 p: {5 ~4 F    name: 13-rc-httpd
$ Q1 n! @8 X, B0 F6 C& d/ t  template:
* @: N; ^! ^' a& u. j! i4 Y2 h    metadata:
2 Q- ~/ U8 j) d( c: n9 W' V      labels:3 n6 E1 [% n1 G8 r
        name: 13-rc-httpd
. m% K% }& p& E* t% O7 C+ h' V    spec:7 b1 J7 s4 g9 p$ ~2 _3 }3 {# d
      containers:3 L/ O& ~- b; [: f5 U. P; p$ Z5 m, g
      - name: 13-rc-httpd6 \' q1 H4 ^/ G; W8 \$ E" ^
        image: registry.evehicle.cn/httpd
) A; b3 b' u) P% T9 p8 ~$ T        env:) p# `7 n5 {9 Q1 ?% i- H- x: e
        - name: LANG
/ b* \) y( K: g8 X+ ]+ V          value: en_US.UTF-8
, p$ x* e1 k) g* m" C6 \& U        ports:6 l% o& s9 G* o0 d
        - containerPort: 80
) S9 C" j) V+ J- t8 z          hostPort: 80
* l* M% `( [$ v6 q7 o* _        volumeMounts:
- q! i3 p. ?: A+ q5 f( ]5 B        - name: time7 m5 O# Q- v+ p( Q! C0 }. x
          mountPath: /etc/localtime+ [, R) R1 J3 g" v8 g" Z
        - name: zcsy# D- ^* w9 h: i! M1 N+ M0 L
          mountPath: /etc/httpd/zcsy
8 B7 K/ k' ^& T1 G4 C) A        - name: deploy# I8 \0 G6 o3 \1 V6 B$ `
          mountPath: /docker/httpd/deploy  V6 j- s  o. K8 Y( W, _+ h. C8 e
        - name: log! n# N, M4 R2 O3 a
          mountPath: /var/log/httpd
) g% V* r0 D) Y# n+ T7 I; E      volumes:0 `. L7 C5 v, X1 I- x4 |6 r! s
        - name: time
4 y- x0 w  ]3 w  |3 z0 ^          hostPath:. _5 \! _4 b/ D5 M- Z
            path: /etc/localtime& S  U0 d; A+ y; I+ g' I/ [4 V
        - name: zcsy
) D  o' l( P% t$ E# B          hostPath:
  F& H- m7 R( ]( g  G9 {" G            path: /docker/httpd/zcsy
3 N. Z4 A% c; K        - name: deploy0 P$ p+ _; O8 e" [! Z8 L" ^+ Q5 D
          hostPath:& l% G& d9 `+ H% H. G. R
            path: /docker/httpd/deploy$ b$ g' g' H; h6 F8 J5 f$ ]
        - name: log
7 D8 I' A2 B6 u7 C3 e. s$ G# [          hostPath:, z& E3 |1 e6 M( u
            path: /docker/httpd/log& w; y" Y" U4 c9 f
      nodeSelector:
' i* q# c3 R1 C- D- H0 |: e# d, H        slave: "13"
7 @. \3 j' I1 k1 J& j1 g/ j# [      imagePullSecrets:8 W6 ~" j, k: c8 [; |
      - name: registrykey

5. Label one of the nodes with "13"

kubectl label nodes centos-minion-1 slave=13

6. What a node carrying the "13" label must have in place

/docker/httpd/zcsy must contain the website's Apache configuration file:

<VirtualHost *:80>
    ServerName www.evehicle.cn
    DocumentRoot /var/deploy/wordpress/
    RewriteEngine on
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-d
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !^.*\.(ico|pdf|flv|jpe?g|js|gif|png|html|shtml|zip|xml|gz|rar|swf|txt|apk|bmp|css|m4a|ogg|mp3|ipa|plist)$
    RewriteCond %{REQUEST_URI} !^/server-status$
    RewriteRule . /index.php [QSA,PT,L]
</VirtualHost>

<Directory /var/deploy/wordpress/>
    Options FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

and /docker/httpd/deploy must contain the website's code.

7. Run the yaml file to start the containers

[centos-master]: kubectl create -f 13-rc-httpd.yaml

8. Check the service

[centos-master]: kubectl get rc

NAME                 DESIRED   CURRENT   AGE
13-rc-httpd          2         2         168d

9. The mysql, redis, memcache and other services the application depends on also need to be run as containers

[centos-master]: docker pull redis
[centos-master]: docker tag redis registry.evehicle.cn/redis
[centos-master]: docker push registry.evehicle.cn/redis
[centos-master]: kubectl create -f rc-redis.yaml
[centos-master]: cat rc-redis.yaml

apiVersion: v1
kind: ReplicationController
metadata:
  name: redis
  labels:
    name: redis
spec:
  replicas: 2
  selector:
    name: redis
  template:
    metadata:
      labels:
        name: redis
    spec:
      containers:
      - name: redis
        image: registry.evehicle.cn/redis
        ports:
        - containerPort: 6379
          hostPort: 6379
        volumeMounts:
        - name: data
          mountPath: /data
        - name: time
          mountPath: /etc/localtime
      volumes:
        - name: data
          hostPath:
            path: /docker/redis/6379
        - name: time
          hostPath:
            path: /etc/localtime
      nodeSelector:
        slave: "13"
      imagePullSecrets:
      - name: registrykey

Start memcache
[centos-master]: docker pull memcached
[centos-master]: docker tag memcached registry.evehicle.cn/memcached
[centos-master]: docker push registry.evehicle.cn/memcached
[centos-master]: kubectl create -f rc-memcached.yaml
[centos-master]: cat rc-memcached.yaml

apiVersion: v1
kind: ReplicationController
metadata:
  name: memcached
  labels:
    name: memcached
spec:
  replicas: 3
  selector:
    name: memcached
  template:
    metadata:
      labels:
        name: memcached
    spec:
      containers:
      - name: memcached
        image: registry.evehicle.cn/memcached
        ports:
        - containerPort: 11211
          hostPort: 11211
      #nodeSelector:
      #  slave: "13"
      imagePullSecrets:
      - name: registrykey

" c; @0 B! J3 d' {1 ?制造mysql镜像
' t. i2 f  q, ^$ {, B; P$ x! F[centos-master]: cat Dockerfile
/ ?5 \# k+ B7 N* w1 S/ D/ R7 {  ?" }+ T4 T+ U/ @
FROM alpine
3 |! a% Z' ^" Z$ [; E" O  k" i( k5 R. z8 W

# o0 \9 B/ p$ [& Y$ \  ?4 jCOPY startup.sh /startup.sh/ f1 M9 v) H4 s! B  W
RUN addgroup mysql && \; d! }! N4 X5 J0 ]$ b: k( O- C
    adduser -H -D -s /bin/false -G mysql mysql && \
9 [' Q+ p/ X5 d9 g. g& b    apk add --update mysql mysql-client && rm -f /var/cache/apk/* && \0 n7 n8 X7 x: \
    mkdir /data && \
/ T7 D! o5 o' o    chown -R mysql:mysql /data /etc/mysql && \
& r+ ~) f5 [3 g' K  V, R8 A    chmod 755 /startup.sh \' p: }" |2 @# I" v4 j2 v# W. z# @& S
    ;
4 M) l- k) i; j( j+ ^6 c# ~9 Q; _* U3 p2 ^; _! p' ?
5 S2 O- [2 s. a. h5 ?& b6 }
WORKDIR /data: f- L) l- x. m; Q+ w
VOLUME /data) q* F6 x: t8 a! q) Q5 e- O
VOLUME /etc/mysql
" u0 g- b/ t* q( F' D
$ k7 @& {; E4 s/ v; h* L$ V# _, x. N. e* C
EXPOSE 3306
6 ?* q5 [  J4 K5 p' _) A/ BCMD ["/startup.sh"]' ~' v/ A9 q5 {3 C0 u' S* m

Start mysql (running mysql directly on the host is recommended)
[centos-master]: docker build -t registry.evehicle.cn/mysql .
[centos-master]: docker push registry.evehicle.cn/mysql
[centos-master]: kubectl create -f rc-mysql.yaml
[centos-master]: cat rc-mysql.yaml

apiVersion: v1
kind: ReplicationController
metadata:
  name: 13-rc-mysql
  labels:
    name: 13-rc-mysql
spec:
  replicas: 2
  selector:
    name: 13-rc-mysql
  template:
    metadata:
      labels:
        name: 13-rc-mysql
    spec:
      containers:
      - name: 13-rc-mysql
        image: registry.evehicle.cn/mysql
        env:
        - name: MYSQL_DATABASE
          value: admin
        - name: MYSQL_USER
          value: tony
        - name: MYSQL_PASSWORD
          value: "456"
        - name: MYSQL_ROOT_PASSWORD
          value: "123"
        ports:
        - containerPort: 3306
          hostPort: 3306
        volumeMounts:
        - name: time
          mountPath: /etc/localtime
        - name: data
          mountPath: /data
        - name: etc
          mountPath: /etc/mysql
        - name: run
          mountPath: /run/mysqld
      volumes:
        - name: time
          hostPath:
            path: /etc/localtime
        - name: data
          hostPath:
            path: /docker/mysql/data
        - name: etc
          hostPath:
            path: /docker/mysql/etc
        - name: run
          hostPath:
            path: /docker/mysql/run
      nodeSelector:
        slave: "13"
      imagePullSecrets:
      - name: registrykey

To simplify development and centralise management, set up internal DNS resolution in advance, and group each application onto its designated machines.
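The manifests above share three traits worth reviewing before they reach a shared cluster: MySQL credentials sit as literal env values in a yaml file, every container claims a hostPort on the node, and hostPath directories are mounted read-write. The Python script below is an added example, not part of the original post or of any project file. It audits a pod spec for those three patterns and produces a hardened copy that moves credential values into a Secret reference (secretKeyRef) and marks the /etc/localtime mount readOnly. The pod spec embedded in it is a constructed copy of the rc-mysql template trimmed to the fields the audit reads; the Secret name mysql-creds and the lower-cased key names are assumptions.

```python
import copy

# Constructed copy of the rc-mysql pod template from the post above, keeping
# only the fields the audit inspects. Sample input, not the project's file.
MYSQL_POD_SPEC = {
    "containers": [{
        "name": "13-rc-mysql",
        "image": "registry.evehicle.cn/mysql",
        "env": [
            {"name": "MYSQL_DATABASE", "value": "admin"},
            {"name": "MYSQL_USER", "value": "tony"},
            {"name": "MYSQL_PASSWORD", "value": "456"},
            {"name": "MYSQL_ROOT_PASSWORD", "value": "123"},
        ],
        "ports": [{"containerPort": 3306, "hostPort": 3306}],
        "volumeMounts": [
            {"name": "time", "mountPath": "/etc/localtime"},
            {"name": "data", "mountPath": "/data"},
            {"name": "etc", "mountPath": "/etc/mysql"},
            {"name": "run", "mountPath": "/run/mysqld"},
        ],
    }],
    "volumes": [
        {"name": "time", "hostPath": {"path": "/etc/localtime"}},
        {"name": "data", "hostPath": {"path": "/docker/mysql/data"}},
        {"name": "etc", "hostPath": {"path": "/docker/mysql/etc"}},
        {"name": "run", "hostPath": {"path": "/docker/mysql/run"}},
    ],
}

# Env names containing one of these markers are treated as credentials.
SECRET_MARKERS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN")


def looks_like_secret(env_name):
    return any(marker in env_name.upper() for marker in SECRET_MARKERS)


def audit_pod_spec(spec):
    """Return (kind, container, detail) findings for: literal credentials in
    env, hostPort bindings, and hostPath volumes mounted read-write."""
    findings = []
    hostpath_volumes = {
        v["name"]: v["hostPath"]["path"]
        for v in spec.get("volumes", []) if "hostPath" in v
    }
    for container in spec.get("containers", []):
        cname = container["name"]
        for env in container.get("env", []):
            if "value" in env and looks_like_secret(env["name"]):
                findings.append(("plaintext-secret-env", cname, env["name"]))
        for port in container.get("ports", []):
            if "hostPort" in port:
                findings.append(("hostPort", cname, str(port["hostPort"])))
        for mount in container.get("volumeMounts", []):
            path = hostpath_volumes.get(mount["name"])
            if path is not None and not mount.get("readOnly", False):
                findings.append(("writable-hostPath", cname, path))
    return findings


def harden_pod_spec(spec, secret_name):
    """Return a copy of spec in which credential env values are replaced by
    secretKeyRef lookups (key = env name lower-cased, an assumption) and the
    /etc/localtime hostPath mount is readOnly. Data directories must stay
    writable for MySQL, so they are left alone and keep being reported."""
    hardened = copy.deepcopy(spec)
    for container in hardened.get("containers", []):
        for env in container.get("env", []):
            if "value" in env and looks_like_secret(env["name"]):
                del env["value"]
                env["valueFrom"] = {"secretKeyRef": {
                    "name": secret_name,
                    "key": env["name"].lower(),
                }}
        for mount in container.get("volumeMounts", []):
            if mount["mountPath"] == "/etc/localtime":
                mount["readOnly"] = True
    return hardened


if __name__ == "__main__":
    for finding in audit_pod_spec(MYSQL_POD_SPEC):
        print("before:", *finding)
    for finding in audit_pod_spec(harden_pod_spec(MYSQL_POD_SPEC, "mysql-creds")):
        print("after: ", *finding)
```

Running it prints the findings before and after hardening. The matching Secret is created with kubectl create secret generic mysql-creds --from-literal=mysql_root_password=... (one --from-literal per key), after which the literal values can be dropped from the yaml and from whatever version control tracks it. The data directories remain writable hostPath mounts because MySQL has to write them; the audit keeps listing them so that each one is reviewed rather than forgotten.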

Posted by the original poster on 2018-9-20 16:11:19
kubectl config set-cluster default-cluster --server=http://192.168.121.9:8080
kubectl config set-context default-context --cluster=default-cluster --user=default-admin
kubectl config use-context default-context

Posted by the original poster on 2018-9-20 21:31:29
Setting up a private registry

A private registry stores the finished images inside the system, so they can be pulled quickly and scheduled by k8s.

1. Pull and start the registry

[centos-master]:docker run --name registry -v /etc/localtime:/etc/localtime -v /opt/registry:/var/lib/registry -p 5000:5000 -itd docker.io/registry

#--name  name of the started container, here registry
#-v  mount path, in the form host-path:container-path
#-p  port mapping, in the form host-port:container-port
#-itd  docker flags: run the container in the background with a pseudo-terminal allocated and bound to the container's stdin; followed by the image name, here docker.io/registry

2. Create a secret, which serves as the "token" k8s uses when scheduling containers from the private registry. Put simply, a secret is a service that stores passwords.

[centos-master]:kubectl create secret docker-registry registrykey --docker-server=registry.evehicle.cn --docker-username=docker --docker-password=docker --docker-email=lienhua@zhongchuangsanyou.com

[centos-master]:kubectl get secret
NAME          TYPE                      DATA      AGE
registrykey   kubernetes.io/dockercfg   1         6s

At this point logging in reports an authentication error

[centos-master]:docker login -u docker -p docker -e lienhua@zhongchuangsanyou.com registry.evehicle.cn
Flag --email has been deprecated, will be removed in 1.13.
Error response from daemon: login attempt to https://registry.evehicle.cn/v2/ failed with status: 401 Unauthorized

This is because Docker officially recommends running the registry in Secure Registry mode, i.e. with TLS as the transport, so we need to configure the key and crt files that TLS requires for the registry.

3. Configure the nginx reverse proxy
[centos-master]: cat registry.evehicle.cn.conf

# For versions of nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary

upstream docker-registry {
  server 192.168.121.9:5000;
  #server 10.44.170.95:5000;
}

# uncomment if you want a 301 redirect for users attempting to connect
# on port 80
# NOTE: docker client will still fail. This is just for convenience
# server {
#   listen *:80;
#   server_name my.docker.registry.com;
#   return 301 https://$server_name$request_uri;
# }

server {
    listen 443;
    server_name registry.evehicle.cn;

    ssl on;
    ssl_certificate ssl/registry.evehicle.cn.crt;
    ssl_certificate_key ssl/registry.evehicle.cn.key;

    client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

    location / {
        auth_basic  "Restricted";
        auth_basic_user_file  passwd;
        add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

        proxy_pass                          http://docker-registry;
        proxy_set_header  Host              $http_host;   # required for docker client's sake
        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_read_timeout                  900;
    }

    location /_ping {
        auth_basic off;
        include               docker-registry.conf;
    }

    location /v1/_ping {
        auth_basic off;
        include               docker-registry.conf;
    }

    location /v2/_ping {
        auth_basic off;
        include               docker-registry.conf;
    }
}

Put the key and crt certificate files under ../ssl. Generate the password file with htpasswd and put it in the parent directory (./)

 htpasswd -bcm passwd docker docker
 #-c: create a new encrypted password file
 #-m: MD5 hashing; it is the default and may be omitted
 #-b: take the username and password from the command line instead of prompting for them separately

4. Log in again

[centos-master]:docker login -u docker -p docker -e lienhua@zhongchuangsanyou.com registry.evehicle.cn

Login Succeeded
This means success; from now on pull/push go through the private registry.
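The 401 seen before the password file existed, the later Login Succeeded, and the auth_basic off exemptions for the ping paths together describe one request/response exchange between the docker client and the nginx front end. The Python script below is an added example, not part of the original post: it starts a small local HTTP server that behaves like that nginx config in the relevant respects (Basic auth on every path except /_ping, /v1/_ping and /v2/_ping, and the Docker-Distribution-Api-Version header on every reply) and replays the four requests a client would send. The user table, the realm string and the loopback port are constructed for the demo; a real deployment checks the htpasswd file instead of a dictionary.

```python
import base64
import hmac
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed stand-in for the htpasswd file (user -> password). A real
# front end stores hashed entries; the comparison below is the only place
# this demo differs in shape from nginx's auth_basic.
USERS = {"docker": "docker"}

# Paths the post's nginx config serves with "auth_basic off".
UNAUTHENTICATED_PATHS = {"/_ping", "/v1/_ping", "/v2/_ping"}
API_VERSION_HEADER = ("Docker-Distribution-Api-Version", "registry/2.0")


class RegistryFrontHandler(BaseHTTPRequestHandler):
    """Stand-in for the nginx front end: Basic auth everywhere except the
    ping endpoints, and the registry/2.0 version header on every reply."""

    def do_GET(self):
        if self.path not in UNAUTHENTICATED_PATHS and not self._authorized():
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Restricted"')
            self.send_header(*API_VERSION_HEADER)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header(*API_VERSION_HEADER)
        self.end_headers()
        self.wfile.write(b"{}")

    def _authorized(self):
        header = self.headers.get("Authorization", "")
        if not header.startswith("Basic "):
            return False
        try:
            user, _, password = base64.b64decode(header[6:]).decode().partition(":")
        except ValueError:  # bad base64 or bad UTF-8
            return False
        expected = USERS.get(user)
        # Constant-time comparison so timing does not leak the password.
        return expected is not None and hmac.compare_digest(expected, password)

    def log_message(self, *args):
        pass  # keep the demo output to what run_exchange() reports


def start_front(host="127.0.0.1"):
    server = HTTPServer((host, 0), RegistryFrontHandler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(base_url, path, user=None, password=None):
    """Issue one GET as the docker client would; return (status, api header)."""
    request = Request(base_url + path)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        request.add_header("Authorization", "Basic " + token)
    try:
        with urlopen(request, timeout=5) as response:
            return response.status, response.headers.get(API_VERSION_HEADER[0])
    except HTTPError as err:
        return err.code, err.headers.get(API_VERSION_HEADER[0])


def run_exchange():
    """Replay the sequence from the post: anonymous ping, anonymous /v2/
    (the 401 seen before the password file existed), then a wrong and a
    correct login."""
    server = start_front()
    base_url = f"http://127.0.0.1:{server.server_port}"
    try:
        return {
            "ping_anonymous": probe(base_url, "/v2/_ping"),
            "v2_anonymous": probe(base_url, "/v2/"),
            "v2_wrong_password": probe(base_url, "/v2/", "docker", "wrong"),
            "v2_correct": probe(base_url, "/v2/", "docker", "docker"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (status, version) in run_exchange().items():
        print(f"{name:<20} HTTP {status}  {version}")
```

The whole scheme depends on the backend registry on port 5000 being reachable only through the proxy: published with -p 5000:5000 as in step 1 it listens on every host interface and answers the same paths with no auth_basic in front, so bind it to the loopback address (-p 127.0.0.1:5000:5000) or an internal address that only nginx can reach.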