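# Host preparation: SELinux off, sshd reverse-DNS lookups off, firewalld and
# NetworkManager off. Disabling SELinux and firewalld removes two layers of
# host protection; the rest of this page depends on it, so the trade-off is
# kept here but made explicit.
# Anchor on the SELINUX= key so only the setting changes, not the word
# "enforcing" inside the file's own comment lines.
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0
# Match both the commented default and an explicit "UseDNS yes"; the original
# pattern only rewrote the commented form.
sed -i 's/^#\?UseDNS .*/UseDNS no/' /etc/ssh/sshd_config
systemctl restart sshd
systemctl disable firewalld
systemctl disable NetworkManager
systemctl stop firewalld NetworkManager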
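# Time sync: one-shot ntpdate step, then ntpd with a minimal locked-down config.
yum -y install ntpdate
ntpdate ntp1.aliyun.com
yum -y install ntp
systemctl enable ntpd
# Quoted delimiter: the config is written literally, nothing is expanded.
cat > /etc/ntp.conf << 'EOF'
driftfile /var/lib/ntp/drift
# Default policy: no config changes, traps, peering or status queries from anyone.
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# Single upstream; "iburst" was listed twice on the original line.
server ntp1.aliyun.com iburst
logfile /var/log/ntp.log
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor
EOF
systemctl start ntpd
ntpq -p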
# docker-compose 1.23.0-rc3 binary from GitHub releases (a pre-release tag).
# NOTE(review): nothing here checks the download's integrity; compare the file
# against the checksum published for the release, if one is available, before
# installing it.
wget https://github.com/docker/compose/releases/download/1.23.0-rc3/docker-compose-Linux-x86_64
mv docker-compose-Linux-x86_64 /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose --version
# Shows the yum repo definition reproduced below; yum only reads it once the
# file is placed under /etc/yum.repos.d/.
cat docker-ce.repo
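[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/x86_64/stable
enabled=1
# Verify package signatures. With gpgcheck=0 yum installs whatever the mirror
# serves, unsigned; the signing key is published alongside the mirror.
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg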
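# Install the pinned Docker CE release and move its storage root to /data.
yum -y install docker-ce-19.03.9-3.el7
# -p makes the step re-runnable and also creates /data when it is missing.
mkdir -p /etc/docker /data/docker-data
# Quoted delimiter so the JSON is written literally.
# "data-root" is the current name of the storage-root option; "graph" is the
# deprecated alias that 19.03 still accepts.
cat > /etc/docker/daemon.json << 'EOF'
{
  "data-root": "/data/docker-data",
  "registry-mirrors": ["https://bmtrgdvx.mirror.aliyuncs.com", "https://hub-mirror.c.163.com", "https://dockerhub.azk8s.cn"]
}
EOF
systemctl start docker
systemctl enable docker
systemctl status docker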
https://github.com/goharbor/harbor/releases
# Harbor offline installer v2.2.2-rc1 (a release candidate), unpacked to /data/harbor.
# NOTE(review): the tarball is used without any checksum or signature check.
wget https://github.com/goharbor/harbor/releases/download/v2.2.2-rc1/harbor-offline-installer-v2.2.2-rc1.tgz -P /opt/
tar xzvf /opt/harbor-offline-installer-v2.2.2-rc1.tgz -C /data/
# Start from the shipped template; the fields that were edited are listed below.
cp /data/harbor/harbor.yml.tmpl /data/harbor/harbor.yml
mkdir /data/harbor-data
vim /data/harbor/harbor.yml
# harbor.yml fields changed from the template. Indentation appears to have
# been lost in this copy: "password" belongs under the "database" key.
hostname: 192.168.3.14
data_volume: /data/harbor-data
database:
# The password for the root user of Harbor DB. Change this before any production use.
password: root123
# Initial admin password for the UI; the same value is used on the docker login command further down.
harbor_admin_password: 12345678
# https related config
#https:
# https port for harbor, default is 443
# port: 443
# The path of cert and key files for nginx
# certificate: /your/certificate/path
#private_key: /your/private/key/path
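# Install Harbor: create the log dir, render the compose files, then install.
mkdir -p /var/log/harbor
# install
# Abort if the directory is missing instead of running ./prepare from the
# wrong place; do not run install.sh when prepare fails.
cd /data/harbor || exit 1
./prepare && ./install.sh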
http://192.168.3.14/
admin
12345678
扩展 镜像同步工具 image-transfer
# Switch the registry hostname from the IP to a DNS name (new value shown below).
vim /data/harbor/harbor.yml
hostname: www.harbor.com
重新加载配置
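# Re-render the compose files and re-install so the new hostname takes effect.
# Abort if the directory is missing; skip install.sh when prepare fails.
cd /data/harbor || exit 1
./prepare && ./install.sh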
http harbor 客户端配置 此处客户端也是192.168.3.14
配置hosts
# Name resolution for the registry: the entry shown below maps www.harbor.com to 192.168.3.14.
cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.3.14 www.harbor.com
配置docker 允许使用 http 仓库
# Daemon config shown below: www.harbor.com is added to "insecure-registries",
# so the daemon accepts plain HTTP (or an untrusted certificate) for that one
# registry host only.
cat /etc/docker/daemon.json
{
"graph": "/data/docker-data",
"registry-mirrors": ["https://bmtrgdvx.mirror.aliyuncs.com", "https://hub-mirror.c.163.com", "https://dockerhub.azk8s.cn"],
"insecure-registries":["www.harbor.com"]
}
# Restarting the daemon may stop Harbor's containers; bring them back with compose.
systemctl restart docker
docker-compose -f /data/harbor/docker-compose.yml up -d
使用管理员登录
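# Log in as the Harbor admin; the harbor_admin_password is entered at the
# prompt, as in the later "docker login 172.16.100.216". Passing it with -p
# leaves it in shell history and the process list.
docker login www.harbor.com -u admin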
测试 push
# Push test: retag a public image under the registry's "library" project and push it.
docker pull busybox
docker tag busybox:latest www.harbor.com/library/busybox:latest
docker push www.harbor.com/library/busybox:latest
测试 pull
# Pull test: drop both local tags, then pull the image back from the registry.
docker rmi busybox www.harbor.com/library/busybox:latest
docker pull www.harbor.com/library/busybox:latest
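# Older Harbor (v1.9.2-rc1) from the Google Storage bucket, used for the HTTPS setup.
# -P /opt/: the extract step runs in /opt/, so the tarball must be saved there
# (the original downloaded into the current directory and then could not find it).
wget https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.9.2-rc1.tgz -P /opt/
cd /opt/ || exit 1
tar xzvf harbor-offline-installer-v1.9.2-rc1.tgz
vim /opt/harbor/harbor.yml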
# harbor.yml for the HTTPS setup. Indentation appears lost in this copy:
# port/certificate/private_key belong under https, password under database.
hostname: 172.16.100.216
https:
port: 443
# Server certificate and key produced by the openssl steps below and copied to /opt/cert/.
certificate: /opt/cert/reg.lz.com.crt
private_key: /opt/cert/reg.lz.com.key
data_volume: /data
database:
# The password for the root user of Harbor DB. Change this before any production use.
password: root123
# Initial admin password for the UI and docker login.
harbor_admin_password: ops@456
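# Private CA plus a server key and CSR for reg.lz.com (10-year validity).
rm -rf -- /certs/
mkdir /certs
# Stop here if the directory is unusable; otherwise the keys would be written
# into whatever the current directory happens to be.
cd /certs/ || exit 1
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=reg.lz.com" \
  -key ca.key \
  -out ca.crt
openssl genrsa -out reg.lz.com.key 4096
# Private keys must not be group/world readable; depending on the OpenSSL
# version genrsa may leave them at the umask default.
chmod 600 ca.key reg.lz.com.key
openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=reg.lz.com" \
  -key reg.lz.com.key \
  -out reg.lz.com.csr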
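# X.509 v3 extensions for the server certificate; the SAN list must cover every
# name/IP clients will use. The template placeholders "yourdomain" and
# "hostname" are commented out so they do not end up as bogus SAN entries;
# uncomment and fill them in if more names are needed.
cat > v3.ext <<-'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1=172.16.100.216
DNS.1=reg.lz.com
# DNS.2=<additional DNS name>
# DNS.3=<additional DNS name>
EOF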
# Sign the CSR with the private CA, applying the SAN/usage extensions from v3.ext.
# -CAcreateserial creates the serial file on first use.
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in reg.lz.com.csr \
-out reg.lz.com.crt
将 证书放置 harbor指定路径
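# Put the server cert and key where harbor.yml points (certificate: / private_key:).
# -p keeps the step re-runnable.
mkdir -p /opt/cert/
cp reg.lz.com.crt reg.lz.com.key /opt/cert/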
Docker守护进程将.crt文件解释为CA证书,.cert文件解释为客户端证书。
将服务器yourdomain.com.crt转换为yourdomain.com.cert:
# Re-emit the same PEM certificate under the .cert name: Docker treats *.crt in
# certs.d as CA certificates and *.cert as client certificates, so the extension matters.
openssl x509 -inform PEM -in reg.lz.com.crt -out reg.lz.com.cert
客户端需要的三个证书是
reg.lz.com.cert reg.lz.com.key ca.crt
/etc/fstab
/dev/mapper/data--vg-data--lv /data/ xfs defaults 0 0
# Mount the data LV at /data; the fstab line above makes the mount persistent.
mkdir /data/
mount /dev/mapper/data--vg-data--lv /data/
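# Install the HTTPS Harbor instance from /opt/harbor.
mkdir -p /var/log/harbor
# Abort if the directory is missing; skip install.sh when prepare fails.
cd /opt/harbor || exit 1
./prepare && ./install.sh
docker ps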
# Start/stop the stack from the install directory. "down -v" also removes the
# compose-managed volumes; use plain "down" to keep them.
cd /opt/harbor
docker-compose up -d
docker-compose down -v
https://172.16.100.216/
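# Trust the private CA for this registry on the local daemon. Docker reads
# *.crt in certs.d/<host> as CA certificates; a *.cert/*.key pair there is a
# CLIENT certificate, so the server's private key does not belong in this
# directory and is not copied.
mkdir -p /etc/docker/certs.d/172.16.100.216
cp /certs/ca.crt /etc/docker/certs.d/172.16.100.216/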
远端客户端
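# Remote client: only the CA certificate is needed to trust the registry.
# The server private key (reg.lz.com.key) must not leave the registry host.
mkdir -p /etc/docker/certs.d/172.16.100.216
scp 172.16.100.216:/certs/ca.crt /etc/docker/certs.d/172.16.100.216/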
docker login 测试
# Interactive login; the transcript below is its output. The warning says the
# credential is kept in plaintext in /root/.docker/config.json unless a
# credential helper is configured.
docker login 172.16.100.216
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# Pull secret for the private registry, referenced by imagePullSecrets below.
# NOTE(review): --docker-password puts the secret in shell history and the
# process list; an alternative is to build the secret from an existing
# ~/.docker/config.json with --from-file=.dockerconfigjson=... and
# --type=kubernetes.io/dockerconfigjson.
kubectl create secret docker-registry lz-rg \
--docker-server=10.255.128.171 \
--docker-username=node \
--docker-password=Node@321 \
--docker-email=node@lz.com \
-n default
# Edit the deployment in place to add the pull secret; the relevant fragment is shown below.
kubectl edit deploy lz-eoms-org-yyglproduce-deploy
# Deployment fragment (indentation lost in this copy). imagePullSecrets
# references the lz-rg secret created above so the node can pull from
# 10.255.128.171. imagePullPolicy appears twice here (IfNotPresent on the
# container, Always at the end); the field belongs to the container, so the
# trailing line is likely a stray copy.
spec:
containers:
- image: 10.255.128.171/lz/xx:v1.0.0
imagePullPolicy: IfNotPresent
name: lz-eoms-org-produce-container
resources: {}
terminationMessagePath: /dev/termination-log
volumeMounts:
- mountPath: /opt/conf/application-env.properties
name: conf-storage
- mountPath: /opt/conf/businessCluster.json
name: bus-storage
dnsPolicy: ClusterFirst
imagePullSecrets:
- name: lz-rg
imagePullPolicy: Always
删除 pod