# yum -y install docker
# systemctl start docker && systemctl enable docker
# mkdir -p /docker/certs
# chcon -Rt svirt_sandbox_file_t /docker/certs/
在 OpenSSL 配置文件(CentOS 上通常为 /etc/pki/tls/openssl.cnf)的[ v3_ca ]配置项中添加镜像仓库IP地址:
[ v3_ca ]
# Extensions for a typical CA
subjectAltName = IP:192.168.161.161
# cd /docker && openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-x509 -days 365 -out certs/domain.crt
# mkdir -p /etc/docker/certs.d/192.168.161.161:5000/
# cp certs/domain.crt /etc/docker/certs.d/192.168.161.161\:5000/ca.crt
# mkdir -p /docker/data/private_registry
# chcon -Rt svirt_sandbox_file_t /docker/data/private_registry
# systemctl restart docker
# docker run \
-d \
--name private_registry --restart=always \
-u root \
-p 5000:5000 \
-v /docker/data/private_registry:/var/lib/registry \
-v /docker/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
registry:2
-e username="ritchie": 设置环境变量;
该加速器可在pull镜像较慢时配置使用。(自己在daocloud处申请即可,免费的~~)
地址:
https://www.daocloud.io/mirror#accelerator-doc
添加加速器(下面的命令会把下载到的脚本直接交给 sh 以 root 身份执行,建议先把脚本下载下来检查内容后再运行;加速器地址是 http 明文,如有 https 地址应优先使用):
curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://XXXXX.m.daocloud.io
[[email protected] docker]# docker pull centos
Using default tag: latest
latest: Pulling from library/centos
5e35d10a3eba: Pull complete
Digest: sha256:dcbc4e5e7052ea2306eed59563da1fec09196f2ecacbe042acbdcd2b44b05270
Status: Downloaded newer image for centos:latest
[[email protected] docker]# docker tag centos:latest 192.168.161.161:5000/centos:v0323
[[email protected] docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7bcae9fb3fc0 registry:2 "/entrypoint.sh /etc…" 2 minutes ago Up 2 minutes 0.0.0.0:5000->5000/tcp private_registry
[[email protected] docker]# docker push 192.168.161.161:5000/centos:v0323
The push refers to repository [192.168.161.161:5000/centos]
b03095563b79: Pushed
v0323: digest: sha256:8c7ac054adab3692f7026d49fd1c4df69aa6a138b2f076b432d2ac0164c022d3 size: 529
在另一台主机上执行以下命令进行测试(ca.crt 是客户端信任该仓库的依据,首次 scp 连接时应先核对提示的主机密钥指纹,再输入 yes):
[[email protected] ~]# mkdir -p /etc/docker/certs.d/192.168.161.161:5000/
[[email protected] ~]# scp 192.168.161.161:/etc/docker/certs.d/192.168.161.161\:5000/ca.crt /etc/docker/certs.d/192.168.161.161\:5000/
The authenticity of host '192.168.161.161 (192.168.161.161)' can't be established.
ECDSA key fingerprint is 80:76:b7:82:4a:59:66:14:a3:b2:cc:62:f0:75:63:58.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.161.161' (ECDSA) to the list of known hosts.
[email protected]192.168.161.161's password:
ca.crt 100% 2057 2.0KB/s 00:00
[[email protected] ~]# systemctl restart docker
[[email protected] ~]# docker pull 192.168.161.161:5000/centos:v0323
v0323: Pulling from centos
5e35d10a3eba: Pull complete
Digest: sha256:8c7ac054adab3692f7026d49fd1c4df69aa6a138b2f076b432d2ac0164c022d3
Status: Downloaded newer image for 192.168.161.161:5000/centos:v0323
从私有docker仓库拉取镜像,部署pod。如上,我们搭建了私有的镜像仓库,这一篇我们将与k8s结合实战使用私有仓库。
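当pod从私有仓库拉取镜像时,k8s集群使用类型为docker-registry的Secret来提供身份认证。需要注意的是,上文启动的registry容器没有配置认证(未设置 REGISTRY_AUTH),前面的 docker push 也没有经过 docker login,也就是说任何能访问5000端口的主机都可以匿名 push/pull;要让这里的用户名和密码真正起作用,需要先为registry启用认证(例如 htpasswd)。另外,--docker-password 直接写在命令行里会留在shell历史记录中。创建一个名为registry-key的Secret,执行如下命令: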
kubectl -n kube-system create secret docker-registry registry-key \
--docker-server=192.168.161.161:5000 \
--docker-username=zhdya \
--docker-password=XXXX \
--docker-email=<邮箱地址>
如图:
下载一个测试用的helloworld:
[[email protected] ~]# docker pull justmine/helloworldapi:v2.2
v2.2: Pulling from justmine/helloworldapi
c73ab1c6897b: Pull complete
d786150757e1: Pull complete
5693bd17ac2b: Pull complete
a4aa7d165ffe: Pull complete
fb5efe143b31: Pull complete
80d73f423800: Pull complete
6c45df748f3d: Pull complete
Digest: sha256:aae28e40e892a537384403869697c5b8ce0206b36da79b664c9a0d3d45f0bd01
Status: Downloaded newer image for justmine/helloworldapi:v2.2
上传到仓库:
[[email protected] ~]# docker tag justmine/helloworldapi:v2.2 192.168.161.161:5000/helloworldapi:v2.2
[[email protected] ~]# docker push 192.168.161.161:5000/helloworldapi:v2.2
The push refers to repository [192.168.161.161:5000/helloworldapi]
9efe53ed0a5c: Pushed
2bcd37ba9be3: Pushed
c2523d9670b0: Pushed
d2a32c00a3a4: Pushed
8811b8947d7f: Pushed
2b21077ee3b4: Pushed
e1df5dc88d2c: Pushed
v2.2: digest: sha256:c31b14d5d1abe23da8580833492af61d934e50f9025529db0a5ca4a50542710d size: 1792
vim hello-world-deployment.yaml:
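---
# Deployment that runs two replicas of helloworldapi, pulled from the private
# registry at 192.168.161.161:5000 using the registry-key pull secret.
#
# extensions/v1beta1 is the API group used by the cluster in this walkthrough.
# Kubernetes 1.16 and later no longer serve Deployment from it; use apps/v1
# there (the explicit selector below is already what apps/v1 requires).
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: helloworldapi
  # Must match the namespace the registry-key Secret was created in
  # (kubectl -n kube-system create secret ...): imagePullSecrets are looked up
  # in the pod's own namespace. kube-system normally holds cluster components;
  # for application workloads a dedicated namespace with its own copy of the
  # pull secret keeps them apart from the control-plane add-ons.
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: helloworldapi
  replicas: 2
  template:
    metadata:
      labels:
        app: helloworldapi
      namespace: kube-system
    spec:
      # Credentials the kubelet presents to the registry when pulling the image.
      imagePullSecrets:
        - name: registry-key
      containers:
        - name: helloworldapi
          # Referenced by tag; a tag can be re-pushed with different content.
          # Pinning to the sha256 digest printed by docker push fixes the exact image.
          image: 192.168.161.161:5000/helloworldapi:v2.2
          ports:
            - containerPort: 80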
创建:
[root@master1 test_yaml]# kubectl create -f hello-world-deployment.yaml
deployment "helloworldapi" created
查看创建:
[root@master1 test_yaml]# kubectl get pod -n kube-system -o wide
NAME READY STATUS RESTARTS AGE IP NODE
heapster-6c6bb6b7f5-7cv9s 1/1 Running 16 19d 172.30.45.4 192.168.161.162
helloworldapi-57d464bf46-m4zmg 0/1 ContainerCreating 0 38s <none> 192.168.161.162
helloworldapi-57d464bf46-xt9p5 0/1 ContainerCreating 0 38s <none> 192.168.161.163
kube-dns-777f78c558-fshmq 3/3 Running 75 22d 172.30.45.3 192.168.161.162
kubernetes-dashboard-8665cd4dfb-cd8pt 1/1 Running 16 20d 172.30.38.2 192.168.161.163
monitoring-grafana-6f95564858-ggxkn 1/1 Running 16 19d 172.30.38.3 192.168.161.163
monitoring-influxdb-7c77768d9-dgcjp 1/1 Running 16 19d 172.30.45.2 192.168.161.162
通过面板来查看:
查看日志:
[root@master1 test_yaml]# kubectl describe po helloworldapi-57d464bf46-m4zmg -n kube-system
Name: helloworldapi-57d464bf46-m4zmg
Namespace: kube-system
Node: 192.168.161.162/192.168.161.162
Start Time: Wed, 11 Apr 2018 14:48:41 +0800
Labels: app=helloworldapi
pod-template-hash=1380206902
Annotations: kubernetes.io/created-by={"kind":"SerializedReference","apiVersion":"v1","reference":{"kind":"ReplicaSet","namespace":"kube-system","name":"helloworldapi-57d464bf46","uid":"5e88272f-3d54-11e8-b3cb-000...
Status: Running
IP: 172.30.45.5
Created By: ReplicaSet/helloworldapi-57d464bf46
Controlled By: ReplicaSet/helloworldapi-57d464bf46
Containers:
helloworldapi:
Container ID: docker://7675ea5e72d9b7c474e103f908461523f309b1a8a095437215abd0cdfec08524
Image: 192.168.161.161:5000/helloworldapi:v2.2
Image ID: docker-pullable://192.168.161.161:5000/helloworldapi@sha256:c31b14d5d1abe23da8580833492af61d934e50f9025529db0a5ca4a50542710d
Port: 80/TCP
State: Running
Started: Wed, 11 Apr 2018 14:50:59 +0800
Ready: True
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from default-token-gr7zp (ro)
Conditions:
Type Status
Initialized True
Ready True
PodScheduled True
Volumes:
default-token-gr7zp:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-gr7zp
Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: <none>
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 2m default-scheduler Successfully assigned helloworldapi-57d464bf46-m4zmg to 192.168.161.162
Normal SuccessfulMountVolume 2m kubelet, 192.168.161.162 MountVolume.SetUp succeeded for volume "default-token-gr7zp"
Normal Pulling 2m kubelet, 192.168.161.162 pulling image "192.168.161.161:5000/helloworldapi:v2.2"
Normal Pulled 33s kubelet, 192.168.161.162 Successfully pulled image "192.168.161.161:5000/helloworldapi:v2.2"
Normal Created 33s kubelet, 192.168.161.162 Created container
Normal Started 31s kubelet, 192.168.161.162 Started container
到目前为止关于k8s实战私有仓库体系就先告一段落了,大家可以结合实际情况自己去搭建一套仓库,然后与k8s联合实战,来建立自己的k8s应用平台生态体系。