
k8s study notes 2: setting up a k8s cluster by compile/install: a simple single-master, multi-node deployment

Posted on 2018-9-20 11:08:15

Server environment

centos7.5
pd virtual machines installed on a Mac

Role      IP              Services deployed                                                 Spec
master    10.211.55.10    etcd, kube-apiserver, kube-controller-manager, kube-scheduler     2C, 2G
node1     10.211.55.11    docker, kubelet, kube-proxy                                       2C, 2G
node2     10.211.55.12    docker, kubelet, kube-proxy                                       2C, 2G

The plan is to deploy from binary packages:

Download addresses for the required binary packages:
1. https://dl.k8s.io/v1.10.4/kubernetes-server-linux-amd64.tar.gz
2. https://dl.k8s.io/v1.10.4/kubernetes-node-linux-amd64.tar.gz
3. https://github.com/coreos/etcd/r ... -linux-amd64.tar.gz

Note: the firewall must be turned off on all servers.

Master deployment

A binary installation basically comes down to the following steps:
1. Copy the corresponding binaries to the /usr/bin directory
2. Create the systemd service unit file
3. Create the argument/configuration file that the service refers to
4. Enable the application at boot
5. Start the service and check its status

etcd deployment

Download the binary package and install it:

wget https://github.com/coreos/etcd/r ... -linux-amd64.tar.gz
# unpack the archive before entering its directory
tar -xzvf etcd-v3.2.22-linux-amd64.tar.gz
cd etcd-v3.2.22-linux-amd64/
cp etcd /usr/bin/
cp etcdctl /usr/bin/
mkdir /var/lib/etcd
mkdir /etc/etcd

Edit the systemd unit file:

vim /usr/lib/systemd/system/etcd.service

[Unit]
Description=Etcd Server
After=network.target

[Service]
Type=simple
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=-/etc/etcd/etcd.conf
ExecStart=/usr/bin/etcd

[Install]
WantedBy=multi-user.target

Start the service and enable it at boot:

systemctl daemon-reload
systemctl start etcd
systemctl enable etcd

Three commands for checking the service status:

systemctl status etcd.service

curl -L http://127.0.0.1:2379/version

etcdctl cluster-health

This install went quite smoothly and was OK very quickly. Moving on...

kube-apiserver

Download and install:

wget https://dl.k8s.io/v1.10.4/kubernetes-server-linux-amd64.tar.gz
tar -xzvf kubernetes-server-linux-amd64.tar.gz
cd kubernetes/server/bin/
cp kube-apiserver /usr/bin/

# copy these two now as well, so they only need configuring later
cp kube-controller-manager /usr/bin/
cp kube-scheduler /usr/bin/

Edit the systemd unit file:

vim /usr/lib/systemd/system/kube-apiserver.service

[Unit]
Description=Kubernetes API Server
Documentation=https://kubernetes.io/docs/concepts/overview
After=network.target
After=etcd.service

[Service]
EnvironmentFile=/etc/kubernetes/apiserver
ExecStart=/usr/bin/kube-apiserver $KUBE_API_ARGS
Restart=on-failure
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Configure the argument file:

mkdir /etc/kubernetes/
vim /etc/kubernetes/apiserver

KUBE_API_ARGS="--storage-backend=etcd3 \
               --etcd-servers=http://127.0.0.1:2379 \
               --bind-address=0.0.0.0 \
               --secure-port=6443  \
               --service-cluster-ip-range=192.168.2.0/16  \
               --service-node-port-range=1-65535 \
               --client-ca-file=/etc/kubernetes/ssl/ca.crt \
               --tls-private-key-file=/etc/kubernetes/ssl/server.key  \
               --tls-cert-file=/etc/kubernetes/ssl/server.crt  \
               --enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota \
               --logtostderr=false \
               --log-dir=/var/log/kubernetes \
               --v=2"

service-cluster-ip-range is the IP range used for the virtual IPs of Services. You can define it yourself, but it must not overlap with the network segment of the current hosts.
bind-address specifies the address the apiserver listens on; the corresponding listening port is 6443, served over HTTPS. (0.0.0.0 means bind to all addresses.)
client-ca-file is the authentication-related file. It is defined here in advance; the certificate files are created later and placed at the corresponding paths.

Create the log directory and the certificate directory:

mkdir -p /etc/kubernetes/ssl
mkdir -p /var/log/kubernetes
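
A check over the argument file above, as an added example that is not part of the original post (the function names and the second, tightened sample are assumptions made for illustration). It parses a KUBE_API_ARGS file and reports the settings that widen exposure: an unset --authorization-mode (the flag defaults to AlwaysAllow), the 0.0.0.0 bind address, the 1-65535 NodePort range and the plaintext etcd URL.

```shell
#!/usr/bin/env bash
# Added example: audit a kube-apiserver EnvironmentFile for exposure-related
# settings. The function names are hypothetical helpers, not Kubernetes tooling.

# Print one "--flag=value" per line from a file that uses "\" continuations.
list_flags() {
    sed -e 's/\\[[:space:]]*$//' -e 's/^[A-Z_]*=//' -e 's/"//g' "$1" |
        tr -s ' \t' '\n' | grep '^--'
}

# Print the value of --NAME=VALUE (last occurrence wins), or nothing if unset.
flag_value() {
    list_flags "$1" | sed -n "s/^--$2=//p" | tail -n 1
}

# Print one finding per line; print nothing when no check fires.
audit_apiserver_args() {
    file=$1
    mode=$(flag_value "$file" authorization-mode)
    if [ -z "$mode" ] || [ "$mode" = "AlwaysAllow" ]; then
        echo "AUTHZ --authorization-mode is unset or AlwaysAllow: every authenticated client is unrestricted"
    fi
    bind=$(flag_value "$file" bind-address)
    if [ "$bind" = "0.0.0.0" ]; then
        echo "BIND --bind-address=0.0.0.0 serves the API on every interface of the master"
    fi
    range=$(flag_value "$file" service-node-port-range)
    low=${range%%-*}
    if [ -n "$low" ] && [ "$low" -lt 1024 ]; then
        echo "NODEPORT --service-node-port-range=$range lets Services claim well-known ports on every node"
    fi
    case $(flag_value "$file" etcd-servers) in
        *http://*) echo "ETCD --etcd-servers uses plaintext http, and etcd stores every Secret of the cluster" ;;
    esac
    return 0
}

# Constructed sample 1: the exposure-related flags from the page's file.
write_page_args() {
    cat > "$1" <<'EOF'
KUBE_API_ARGS="--storage-backend=etcd3 \
               --etcd-servers=http://127.0.0.1:2379 \
               --bind-address=0.0.0.0 \
               --secure-port=6443  \
               --service-cluster-ip-range=192.168.2.0/16  \
               --service-node-port-range=1-65535 \
               --client-ca-file=/etc/kubernetes/ssl/ca.crt \
               --v=2"
EOF
}

# Constructed sample 2 (assumption, not from the page): the same file with
# the four settings tightened.
write_tightened_args() {
    cat > "$1" <<'EOF'
KUBE_API_ARGS="--etcd-servers=https://127.0.0.1:2379 \
               --bind-address=10.211.55.10 \
               --secure-port=6443 \
               --authorization-mode=Node,RBAC \
               --service-node-port-range=30000-32767 \
               --client-ca-file=/etc/kubernetes/ssl/ca.crt"
EOF
}

# Stand-alone run: print the findings for the page's settings.
demo_file=$(mktemp)
write_page_args "$demo_file"
audit_apiserver_args "$demo_file"
rm -f "$demo_file"
```

Switching to Node,RBAC also requires client certificates whose subjects RBAC recognises, which the CN=10.211.55.10 certificates created later on this page do not have.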

kube-controller-manager

kube-controller-manager depends on the kube-apiserver service.

Edit the systemd unit file:

vim /usr/lib/systemd/system/kube-controller-manager.service

[Unit]
Description=Kubernetes Controller Manager
Documentation=https://kubernetes.io/docs/setup
After=kube-apiserver.service
Requires=kube-apiserver.service

[Service]
EnvironmentFile=/etc/kubernetes/controller-manager
ExecStart=/usr/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Configure the startup arguments:

vim /etc/kubernetes/controller-manager

KUBE_CONTROLLER_MANAGER_ARGS="--master=https://10.211.55.10:6443   \
               --service-account-private-key-file=/etc/kubernetes/ssl/server.key  \
               --root-ca-file=/etc/kubernetes/ssl/ca.crt \
               --kubeconfig=/etc/kubernetes/kubeconfig \
               --logtostderr=false \
               --log-dir=/var/log/kubernetes \
               --v=2"

kube-scheduler

kube-scheduler also depends on kube-apiserver.

Edit the systemd unit file:

vim /usr/lib/systemd/system/kube-scheduler.service

[Unit]
Description=Kubernetes Scheduler
Documentation=https://kubernetes.io/docs/setup
After=kube-apiserver.service
Requires=kube-apiserver.service

[Service]
EnvironmentFile=/etc/kubernetes/scheduler
ExecStart=/usr/bin/kube-scheduler $KUBE_SCHEDULER_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Configure the argument file:

vim /etc/kubernetes/scheduler

KUBE_SCHEDULER_ARGS="--master=https://10.211.55.10:6443 --kubeconfig=/etc/kubernetes/kubeconfig \
               --logtostderr=false \
               --log-dir=/var/log/kubernetes \
               --v=2"

Create the CA certificate

Note: synchronize the server time before generating certificates: ntpdate s2m.time.edu.cn

Create the CA certificate and private key files for kube-apiserver:

cd /etc/kubernetes/ssl/
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=10.211.55.10" -days 5000 -out ca.crt
openssl genrsa -out server.key 2048

Create the master_ssl.cnf file:

vim master_ssl.cnf

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = k8s_master
IP.1 = 192.168.2.1     # ClusterIP address
IP.2 = 10.211.55.10    # master IP address

Generate the apiserver certificate:

openssl req -new -key server.key -subj "/CN=10.211.55.10" -config master_ssl.cnf -out server.csr

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile master_ssl.cnf -out server.crt
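
Why the -extensions v3_req -extfile master_ssl.cnf arguments of the signing command matter, as an added example that is not part of the original post: it signs the same CSR with and without them and checks whether a client that verifies the apiserver by IP accepts the result. The CA name demo-ca, the file names, the 30-day lifetime and the [v3_ca] section are constructed for the demo, and the keys are throwaway keys in a temporary directory.

```shell
#!/usr/bin/env bash
# Added example: the effect of -extensions/-extfile when signing the
# apiserver CSR. Helper names are hypothetical; all files are throwaway.

# Write a cut-down master_ssl.cnf (constructed), then create a CA and the
# server key and CSR in directory $1.
setup_pki() {
    cat > "$1/master_ssl.cnf" <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_ca]
basicConstraints = CA:TRUE
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default.svc.cluster.local
IP.1 = 192.168.2.1
IP.2 = 10.211.55.10
EOF
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/ca.key" -subj "/CN=demo-ca" -days 30 \
        -config "$1/master_ssl.cnf" -extensions v3_ca -out "$1/ca.crt"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -subj "/CN=10.211.55.10" \
        -config "$1/master_ssl.cnf" -out "$1/server.csr"
}

# sign_server_cert DIR OUTFILE with_ext|no_ext
# The CSR already carries the SAN request; only the with_ext variant tells
# "openssl x509 -req" to put the v3_req section into the certificate.
sign_server_cert() {
    if [ "$3" = with_ext ]; then
        set -- "$1" "$2" -extensions v3_req -extfile "$1/master_ssl.cnf"
    else
        set -- "$1" "$2"
    fi
    dir=$1; out=$2; shift 2
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 "$@" -out "$dir/$out" 2>/dev/null
}

# Print the subjectAltName line of a certificate, or nothing if it has none.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# verifies_for_ip DIR CERT IP: succeed only if CERT chains to DIR/ca.crt and
# is valid for IP, which is the check a client connecting by address performs.
verifies_for_ip() {
    openssl verify -CAfile "$1/ca.crt" -verify_ip "$3" "$1/$2" 2>/dev/null |
        grep -q ': OK$'
}

# Stand-alone run: show both certificates side by side.
demo_dir=$(mktemp -d)
setup_pki "$demo_dir"
sign_server_cert "$demo_dir" with_ext.crt with_ext
sign_server_cert "$demo_dir" no_ext.crt no_ext
for c in with_ext.crt no_ext.crt; do
    if verifies_for_ip "$demo_dir" "$c" 10.211.55.10; then r=accepted; else r=rejected; fi
    echo "$c: SAN=[$(cert_sans "$demo_dir/$c")] -> 10.211.55.10 $r"
done
rm -rf "$demo_dir"
```

A certificate without the SAN entries is what usually leads people to switch off server verification in clients, so checking the signed server.crt this way before starting the services is worthwhile.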

Set up the certificates for kube-controller-manager:

openssl genrsa -out cs_client.key 2048
openssl req -new -key cs_client.key -subj "/CN=10.211.55.10" -out cs_client.csr
openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cs_client.crt -days 5000

Create the kubeconfig file, a configuration file shared by kube-controller-manager and kube-scheduler:

vim /etc/kubernetes/kubeconfig

apiVersion: v1
kind: Config
users:
- name: controllermanager
  user:
    client-certificate: /etc/kubernetes/ssl/cs_client.crt
    client-key: /etc/kubernetes/ssl/cs_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /etc/kubernetes/ssl/ca.crt
contexts:
- context:
    cluster: local
    user: controllermanager
  name: my-context
current-context: my-context

Start the services

Start kube-apiserver:

systemctl daemon-reload
systemctl enable kube-apiserver
systemctl start kube-apiserver

Start kube-controller-manager:

systemctl enable kube-controller-manager
systemctl start kube-controller-manager

Start kube-scheduler:

systemctl enable kube-scheduler
systemctl start kube-scheduler

Node

Install docker

Use the aliyun yum repositories:

curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
curl -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum makecache

Install docker with yum:

yum install docker-ce
systemctl start docker
systemctl enable docker

docker -v

Install the kubelet service

Download and unpack the package:

wget https://dl.k8s.io/v1.10.4/kubernetes-node-linux-amd64.tar.gz
tar -xzvf kubernetes-node-linux-amd64.tar.gz
cd kubernetes/node/bin
cp * /usr/bin

Add the systemd startup configuration:

mkdir -p /var/lib/kubelet
mkdir -p /etc/kubernetes/
mkdir -p /var/log/kubernetes
vim /usr/lib/systemd/system/kubelet.service

[Unit]
Description=Kubelet Service
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
EnvironmentFile=/etc/kubernetes/kubelet
ExecStart=/usr/bin/kubelet $KUBELET_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

kubelet runtime argument configuration

Install the kube-proxy service

Add the systemd startup configuration:

vim /usr/lib/systemd/system/kube-proxy.service

[Unit]
Description=K8s kube-proxy Service
After=network.target
After=docker.service
After=network.service

[Service]
EnvironmentFile=/etc/kubernetes/kube-proxy
ExecStart=/usr/bin/kube-proxy $KUBE_PROXY_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Generate the CA certificates

Copy the kube-apiserver certificate files ca.crt and ca.key from the master node to the Node.
Use ca.crt and ca.key to generate the node certificate:

openssl genrsa -out kubelet_client.key 2048
openssl req -new -key kubelet_client.key -subj "/CN=10.211.55.11" -out kubelet_client.csr
openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kubelet_client.crt -days 5000

mkdir /etc/kubernetes/ssl
mv kubelet_client.* /etc/kubernetes/ssl/
mv ca.crt /etc/kubernetes/ssl/
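
A check for the node after these steps, as an added example that is not part of the original post (check_node_pki and the sample directory layout are hypothetical). It reports a CA private key left on a worker node, where anyone who can read it could sign a certificate for any identity in the cluster, and private keys that group or other users can read.

```shell
#!/usr/bin/env bash
# Added example: private-key hygiene check for a worker node.
# check_node_pki is a hypothetical helper; pass it the directories to inspect,
# e.g. /etc/kubernetes/ssl and the directory ca.crt/ca.key were copied into.

check_node_pki() {
    for dir in "$@"; do
        # The CA key is only needed on the host that signs certificates.
        find "$dir" -type f -name 'ca.key' | while read -r f; do
            echo "CA_KEY $f"
        done
        # Private keys that group or other users can read.
        find "$dir" -type f -name '*.key' \( -perm -040 -o -perm -004 \) |
            while read -r f; do
                echo "KEY_MODE $f $(ls -ld "$f" | cut -c1-10)"
            done
    done
    return 0
}

# Constructed fixture: what a node can look like after the steps above when
# the key files were created world-readable and ca.key stayed in the
# directory it was copied to. The files are empty placeholders.
make_sample_node_dir() {
    mkdir -p "$1/ssl" "$1/copied"
    : > "$1/copied/ca.key"
    : > "$1/ssl/ca.crt"
    : > "$1/ssl/kubelet_client.crt"
    : > "$1/ssl/kubelet_client.key"
    chmod 644 "$1/copied/ca.key" "$1/ssl/kubelet_client.key"
}

# Stand-alone run on the fixture: report, clean up, report again.
demo_dir=$(mktemp -d)
make_sample_node_dir "$demo_dir"
echo "before cleanup:"
check_node_pki "$demo_dir/ssl" "$demo_dir/copied"
rm -f "$demo_dir/copied/ca.key"              # CA key removed from the node
chmod 600 "$demo_dir/ssl/kubelet_client.key" # key readable by its owner only
echo "after cleanup:"
check_node_pki "$demo_dir/ssl" "$demo_dir/copied"
rm -rf "$demo_dir"
```

Sending only kubelet_client.csr to the master and signing it there gives the same kubelet_client.crt without ca.key ever being copied to a node.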

Configure kubeconfig:

vim /etc/kubernetes/kubeconfig

apiVersion: v1
kind: Config
users:
- name: kubelet
  user:
    client-certificate: /etc/kubernetes/ssl/kubelet_client.crt
    client-key: /etc/kubernetes/ssl/kubelet_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /etc/kubernetes/ssl/ca.crt
    server: https://10.211.55.10:6443
contexts:
- context:
    cluster: local
    user: kubelet
  name: my-context
current-context: my-context

kubelet startup argument configuration:

vim /etc/kubernetes/kubelet

KUBELET_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig --hostname-override=10.211.55.11 --logtostderr=false --log-dir=/var/log/kubernetes --v=2 --fail-swap-on=false"

Note that you need either --fail-swap-on=false or swap disabled; I chose to configure --fail-swap-on=false here.

Set the kube-proxy startup arguments:

vim /etc/kubernetes/kube-proxy

KUBE_PROXY_ARGS="--master=https://10.211.55.10:6443 --kubeconfig=/etc/kubernetes/kubeconfig --logtostderr=false --log-dir=/var/log/kubernetes --v=2"

Start the services:

systemctl daemon-reload
systemctl start kubelet.service
systemctl status kubelet.service

systemctl start kube-proxy
systemctl status kube-proxy

For node 2, just follow the same steps as above.

Original poster | Posted on 2018-9-20 11:11:21

Setting up a private registry

The private registry stores finished images inside the system, so that they can be downloaded quickly and scheduled by k8s.

1. Download and start the private registry

[centos-master]:docker run --name registry -v /etc/localtime:/etc/localtime -v /opt/registry:/var/lib/registry -p 5000:5000 -itd docker.io/registry

#--name: the name given to the started container, here registry
#-v: a mount path, in the format host path:container path
#-p: a port mapping, in the format host port:container port
#-itd: docker's own options; here they run the container in the background, allocate a pseudo-terminal and bind it to the container's standard input; the image name follows, here docker.io/registry

2. Create a secret service, used as the "token" when k8s schedules containers from the private registry. Put simply, the secret service is a service that stores passwords.

[centos-master]:kubectl create secret docker-registry registrykey --docker-server=registry.evehicle.cn --docker-username=docker --docker-password=docker --docker-email=lienhua@zhongchuangsanyou.com

[centos-master]:kubectl get secret
NAME          TYPE                      DATA      AGE
registrykey   kubernetes.io/dockercfg   1         6s

At this point, logging in reports an authentication error:

[centos-master]:docker login -u docker -p docker -e lienhua@zhongchuangsanyou.com registry.evehicle.cn
Flag --email has been deprecated, will be removed in 1.13.
Error response from daemon: login attempt to https://registry.evehicle.cn/v2/ failed with status: 401 Unauthorized

This is because Docker officially recommends the Secure Registry mode of operation, that is, TLS for the transport. So we need to configure the key and crt files that TLS requires for the Registry.

3. Configure the nginx reverse proxy

[centos-master]: cat registry.evehicle.cn.conf

# For versions of nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary

upstream docker-registry {
  server 192.168.121.9:5000;
  #server 10.44.170.95:5000;
}

# uncomment if you want a 301 redirect for users attempting to connect
# on port 80
# NOTE: docker client will still fail. This is just for convenience
# server {
#   listen *:80;
#   server_name my.docker.registry.com;
#   return 301 https://$server_name$request_uri;
# }

server {
    listen 443;
    server_name registry.evehicle.cn;

    ssl on;
    ssl_certificate ssl/registry.evehicle.cn.crt;
    ssl_certificate_key ssl/registry.evehicle.cn.key;

    client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

    location / {
        auth_basic  "Restricted";
        auth_basic_user_file  passwd;
        add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

        proxy_pass                          http://docker-registry;
        proxy_set_header  Host              $http_host;   # required for docker client's sake
        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_read_timeout                  900;
    }

    location /_ping {
        auth_basic off;
        include               docker-registry.conf;
    }

    location /v1/_ping {
        auth_basic off;
        include               docker-registry.conf;
    }

    location /v2/_ping {
        auth_basic off;
        include               docker-registry.conf;
    }
}

Put the key and crt certificate files in the ../ssl directory. Use htpasswd to generate the password file and place it in the ./ parent directory.

htpasswd -bcm passwd docker docker
#-c: create an encrypted file
#-m: MD5 encryption; this is the default, so it may be omitted
#-b: the user name and password are given together on the command line instead of being entered separately

4. Log in again

[centos-master]:docker login -u docker -p docker -e lienhua@zhongchuangsanyou.com registry.evehicle.cn

Login Succeeded

This indicates success; from now on pull/push run against the private registry.

Building the service

Docker's original intent is to package the code inside the container and build it into an image as a "product". But because of our company's particular situation (frequent code changes and limited server resources), we run the code on the host as an "external mount". Below, deploying the official website (apache) service is used as the example:

1. Download the stock centos7 image from docker's public registry

[centos-master]:docker pull centos

Using default tag: latest
Trying to pull repository docker.io/library/centos ...
latest: Pulling from docker.io/library/centos
d9aaf4d82f24: Downloading [>              ]   540 kB/73.39 MB
d9aaf4d82f24: Pulling fs layer
Digest: sha256:eba772bac22c86d7d6e72421b4700c3f894ab6e35475a34014ff8de74c10872e
Status: Downloaded newer image for centos:latest

2. Write a Dockerfile to build the apache base image

######httpd####
FROM centos
MAINTAINER lienhua lienhua@zhongchuangsanyou.com
RUN yum -y install epel-release
RUN yum -y install httpd  php php-mysql php-memcache* php-mbstring
ADD httpd.conf /etc/httpd/conf/httpd.conf

EXPOSE 80

CMD ["/usr/sbin/apachectl", "-D", "FOREGROUND"]

The httpd.conf file must actually exist in the current directory; its contents here are:

ServerRoot "/etc/httpd"
Listen 80
Listen 8080
Include conf.modules.d/*.conf
Include zcsy/*.conf
User apache
Group apache
ServerAdmin root@localhost
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
<Files ".ht*">
    Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType application/x-httpd-php .php
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>
EnableSendfile off
EnableMMAP off
IncludeOptional conf.d/*.conf

Run [centos-master]:docker build -t registry.evehicle.cn/httpd . to build an image named "registry.evehicle.cn/httpd" (note that the dot here is required; it stands for the Dockerfile in the current directory).

3. Upload the finished image to the private registry

docker push registry.evehicle.cn/httpd

4. Write the yaml file that starts the apache service

[centos-master]:cat 13-rc-httpd.yaml

apiVersion: v1
kind: ReplicationController
metadata:
  name: 13-rc-httpd
  labels:
    name: 13-rc-httpd
spec:
  replicas: 2
  selector:
    name: 13-rc-httpd
  template:
    metadata:
      labels:
        name: 13-rc-httpd
    spec:
      containers:
      - name: 13-rc-httpd
        image: registry.evehicle.cn/httpd
        env:
        - name: LANG
          value: en_US.UTF-8
        ports:
        - containerPort: 80
          hostPort: 80
        volumeMounts:
        - name: time
          mountPath: /etc/localtime
        - name: zcsy
          mountPath: /etc/httpd/zcsy
        - name: deploy
          mountPath: /docker/httpd/deploy
        - name: log
          mountPath: /var/log/httpd
      volumes:
        - name: time
          hostPath:
            path: /etc/localtime
        - name: zcsy
          hostPath:
            path: /docker/httpd/zcsy
        - name: deploy
          hostPath:
            path: /docker/httpd/deploy
        - name: log
          hostPath:
            path: /docker/httpd/log
      nodeSelector:
        slave: "13"
      imagePullSecrets:
      - name: registrykey

5. Label one of the nodes with "13"

kubectl label nodes centos-minion-1 slave=13

6. Requirements the nodes labelled "13" must now meet

/docker/httpd/zcsy must contain the official website's configuration file

<VirtualHost *:80>
    ServerName www.evehicle.cn
    DocumentRoot /var/deploy/wordpress/
    RewriteEngine on
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-d
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !^.*\.(ico|pdf|flv|jpe?g|js|gif|png|html|shtml|zip|xml|gz|rar|swf|txt|apk|bmp|css|m4a|ogg|mp3|ipa|plist)$
    RewriteCond %{REQUEST_URI} !^/server-status$
    RewriteRule . /index.php [QSA,PT,L]

</VirtualHost>
<Directory /var/deploy/wordpress/>
    Options FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

/docker/httpd/deploy must also contain the official website's code

7. Run the yaml file to start the containers

[centos-master]: kubectl create -f 13-rc-httpd.yaml

8. Check the service

[centos-master]: kubectl get rc

NAME                 DESIRED   CURRENT   AGE
13-rc-httpd          2         2         168d

9. The mysql\redis\memcache services the program uses also need to be run as containers

[centos-master]: docker pull redis
[centos-master]: docker tag redis registry.evehicle.cn/redis
[centos-master]: docker push registry.evehicle.cn/redis
[centos-master]: kubectl create -f rc-redis.yaml
[centos-master]: cat rc-redis.yaml

apiVersion: v1
kind: ReplicationController
metadata:
  name: redis
  labels:
    name: redis
spec:
  replicas: 2
  selector:
    name: redis
  template:
    metadata:
      labels:
        name: redis
    spec:
      containers:
      - name: redis
        image: registry.evehicle.cn/redis
        ports:
        - containerPort: 6379
          hostPort: 6379
        volumeMounts:
        - name: data
          mountPath: /data
        - name: time
          mountPath: /etc/localtime
      volumes:
        - name: data
          hostPath:
            path: /docker/redis/6379
        - name: time
          hostPath:
            path: /etc/localtime
      nodeSelector:
        slave: "13"
      imagePullSecrets:
      - name: registrykey

Start memcache
[centos-master]: docker pull memcached
[centos-master]: docker tag memcached registry.evehicle.cn/memcached
[centos-master]: docker push registry.evehicle.cn/memcached
[centos-master]: kubectl create -f rc-memcached.yaml
[centos-master]: cat rc-memcached.yaml

apiVersion: v1
kind: ReplicationController
metadata:
  name: memcached
  labels:
    name: memcached
spec:
  replicas: 3
  selector:
    name: memcached
  template:
    metadata:
      labels:
        name: memcached
    spec:
      containers:
      - name: memcached
        image: registry.evehicle.cn/memcached
        ports:
        - containerPort: 11211
          hostPort: 11211
      #nodeSelector:
      #  slave: "13"
      imagePullSecrets:
      - name: registrykey

Build the mysql image
[centos-master]: cat Dockerfile

FROM alpine

COPY startup.sh /startup.sh
RUN addgroup mysql && \
    adduser -H -D -s /bin/false -G mysql mysql && \
    apk add --update mysql mysql-client && rm -f /var/cache/apk/* && \
    mkdir /data && \
    chown -R mysql:mysql /data /etc/mysql && \
    chmod 755 /startup.sh \
    ;

WORKDIR /data
VOLUME /data
VOLUME /etc/mysql

EXPOSE 3306
CMD ["/startup.sh"]

Start mysql (running mysql on the host machine is recommended)
[centos-master]: docker build -t registry.evehicle.cn/mysql .
[centos-master]: docker push registry.evehicle.cn/mysql
[centos-master]: kubectl create -f rc-mysql.yaml
[centos-master]: cat rc-mysql.yaml

apiVersion: v1
kind: ReplicationController
metadata:
  name: 13-rc-mysql
  labels:
    name: 13-rc-mysql
spec:
  replicas: 2
  selector:
    name: 13-rc-mysql
  template:
    metadata:
      labels:
        name: 13-rc-mysql
    spec:
      containers:
      - name: 13-rc-mysql
        image: registry.evehicle.cn/mysql
        env:
        - name: MYSQL_DATABASE
          value: admin
        - name: MYSQL_USER
          value: tony
        - name: MYSQL_PASSWORD
          value: "456"   # quoted: env values must be strings
        - name: MYSQL_ROOT_PASSWORD
          value: "123"
        ports:
        - containerPort: 3306
          hostPort: 3306
        volumeMounts:
        - name: time
          mountPath: /etc/localtime
        - name: data
          mountPath: /data
        - name: etc
          mountPath: /etc/mysql
        - name: run
          mountPath: /run/mysqld
      volumes:
        - name: time
          hostPath:
            path: /etc/localtime
        - name: data
          hostPath:
            path: /docker/mysql/data
        - name: etc
          hostPath:
            path: /docker/mysql/etc
        - name: run
          hostPath:
            path: /docker/mysql/run
      nodeSelector:
        slave: "13"
      imagePullSecrets:
      - name: registrykey

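To make writing code and unified management easier, set up internal DNS resolution in advance, and organise the applications you are responsible for onto their corresponding machines.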
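
The manifests in the post above bind containers to host ports, mount host directories, pull images without a tag and pass database passwords as literal env values. As an added example (not part of the original post), this shell function flags those four settings in a manifest before it is created; the function names, rule names and output format are this example's own, and the sample input is constructed, abridged from the rc-mysql.yaml shown above.

```shell
#!/bin/sh
# Added example: findings are printed as "<line>:<rule>:<detail>" (own convention).
audit_manifest() {   # reads the named manifest file(s), or stdin when none is given
  awk '
    function val(s) {  # text after the first ":" with quotes and trailing blanks removed
      sub(/^[^:]*:[ \t]*/, "", s); gsub(/"/, "", s); sub(/[ \t]+$/, "", s)
      return s
    }
    /^[ \t]*#/ { next }   # commented-out YAML is not live configuration
    /^[ \t]*(-[ \t]+)?image:/ {   # no tag or digest means the image floats on :latest
      v = val($0); n = split(v, part, "/")
      if (part[n] !~ /[:@]/) print NR ":untagged-image:" v
    }
    /^[ \t]*(-[ \t]+)?hostPort:/ { print NR ":hostPort:" val($0) }
    /^[ \t]*(-[ \t]+)?hostPath:/ { in_hostpath = 1; next }
    in_hostpath && /^[ \t]*path:/ { print NR ":hostPath:" val($0) }
    { in_hostpath = 0 }
    /^[ \t]*(-[ \t]+)?name:/ { name = val($0) }
    /^[ \t]*value:/ {   # literal value; report the variable name, never the value
      if (name ~ /PASSWORD|SECRET|TOKEN/) print NR ":plaintext-secret:" name
      name = ""
    }
  ' "$@"
}

# Constructed sample input, abridged from the rc-mysql.yaml in the post.
sample_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: ReplicationController
spec:
  template:
    spec:
      containers:
      - name: 13-rc-mysql
        image: registry.evehicle.cn/mysql
        env:
        - name: MYSQL_USER
          value: tony
        - name: MYSQL_ROOT_PASSWORD
          value: "123"
        ports:
        - containerPort: 3306
          hostPort: 3306
      volumes:
        - name: data
          hostPath:
            path: /docker/mysql/data
      #   hostPort: 3307
EOF
}

sample_manifest | audit_manifest
```

An env entry that uses `valueFrom` with a `secretKeyRef` instead of a literal `value` produces no plaintext-secret finding, and an image reference carrying a tag or digest produces no untagged-image finding.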

Original poster | Posted on 2018-9-20 16:11:19
kubectl config set-cluster default-cluster --server=http://192.168.121.9:8080
kubectl config set-context default-context --cluster=default-cluster --user=default-admin
kubectl config use-context default-context

Original poster | Posted on 2018-9-20 21:31:29
Setting up a private registry

The private registry stores finished images inside the system, so that they can be downloaded quickly and scheduled by k8s.

1. Download and start the private registry

[centos-master]:docker run --name registry -v /etc/localtime:/etc/localtime -v /opt/registry:/var/lib/registry -p 5000:5000 -itd docker.io/registry

#--name  the name of the container once started, here registry
#-v  mount path, in the format host path:container path
#-p  port mapping, in the format host port:container port
#-itd  docker's own parameters; here they run the container in the background, allocate a pseudo-terminal and bind it to the container's standard input; the image name follows, here docker.io/registry

2. Create a secret service, used as the "token" when k8s schedules containers from the private registry. Put simply, the secret service is a service that stores passwords

[centos-master]:kubectl create secret docker-registry registrykey --docker-server=registry.evehicle.cn --docker-username=docker --docker-password=docker --docker-email=lienhua@zhongchuangsanyou.com

[centos-master]:kubectl get secret
NAME          TYPE                      DATA      AGE
registrykey   kubernetes.io/dockercfg   1         6s

Logging in at this point reports an authentication error

[centos-master]:docker login -u docker -p docker -e lienhua@zhongchuangsanyou.com registry.evehicle.cn
Flag --email has been deprecated, will be removed in 1.13.
Error response from daemon: login attempt to https://registry.evehicle.cn/v2/ failed with status: 401 Unauthorized

This is because Docker officially recommends the Secure Registry mode of operation, that is, the transport uses tls. So we need to configure the key and crt files that tls requires for the Registry

3. Configure the nginx reverse proxy
[centos-master]: cat registry.evehicle.cn.conf

# For versions of nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary

upstream docker-registry {
  server 192.168.121.9:5000;
  #server 10.44.170.95:5000;
}

# uncomment if you want a 301 redirect for users attempting to connect
# on port 80
# NOTE: docker client will still fail. This is just for convenience
# server {
#   listen *:80;
#   server_name my.docker.registry.com;
#   return 301 https://$server_name$request_uri;
# }

server {
    listen 443;
    server_name registry.evehicle.cn;

    ssl on;
    ssl_certificate ssl/registry.evehicle.cn.crt;
    ssl_certificate_key ssl/registry.evehicle.cn.key;

    client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

    location / {
        auth_basic  "Restricted";
        auth_basic_user_file  passwd;
        add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

        proxy_pass                          http://docker-registry;
        proxy_set_header  Host              $http_host;   # required for docker client's sake
        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_read_timeout                  900;
    }

    location /_ping {
        auth_basic off;
        include               docker-registry.conf;
    }

    location /v1/_ping {
        auth_basic off;
        include               docker-registry.conf;
    }

    location /v2/_ping {
        auth_basic off;
        include               docker-registry.conf;
    }
}

Place the key and crt certificate files in the ../ssl directory. Use htpasswd to generate the password file and place it in the ./ parent directory

htpasswd -bcm passwd docker docker
#-c: create an encrypted file
#-m: MD5 encryption, the default, may be omitted
#-b: the username and password are given together on the command line, rather than entered separately

4. Log in again

[centos-master]:docker login -u docker -p docker -e lienhua@zhongchuangsanyou.com registry.evehicle.cn

Login Succeeded
This indicates success; from now on pull\push operate against the private registry