2. Enabling the local private registry with an HTTPS certificate
On server 16, first create a directory to hold the certificate:
mkdir /opt/ssl
On server 16, generate the certificate and then inspect it:
[root@master v2]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /opt/ssl/myssl.key -x509 -days 365 -out /opt/ssl/myssl.pem
Generating a RSA private key
..................................................................................................................++++
....................................................................++++
writing new private key to '/opt/ssl/myssl.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN   # anything is fine; a home-made certificate does not need to be exact here
State or Province Name (full name) [Some-State]:WLMQ   # anything is fine; a home-made certificate does not need to be exact here
Locality Name (eg, city) []:XJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XJJ   # anything is fine; a home-made certificate does not need to be exact here
Organizational Unit Name (eg, section) []:WLMQ   # anything is fine; a home-made certificate does not need to be exact here
Common Name (e.g. server FQDN or YOUR name) []:master.com.cn   # this one cannot be arbitrary: it must be in the form of a (second-level) domain name; here it is master.com.cn
Email Address []:
[root@slave1 repositories]# cd /opt/ssl/
[root@slave1 ssl]# ls
myssl.key  myssl.pem
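The generation step above, as an added example that is not part of the original post: it produces the same kind of self-signed key pair non-interactively, puts the registry hostname into a subjectAltName as well as the CN, and checks the files offline (hostname match, key/certificate pairing, remaining validity) before they are copied to /opt/ssl. The hostname master.com.cn is taken from the post; the scratch directory and the check thresholds are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: build a self-signed
# registry certificate with a subjectAltName and verify it offline.
set -eu

# Assumed inputs: the registry hostname (the post's CN) and a scratch
# directory standing in for /opt/ssl.
REGISTRY_HOST="${REGISTRY_HOST:-master.com.cn}"
WORK="${WORK:-$(mktemp -d)}"

# Key and certificate in one step, as in the post, but non-interactive
# (-subj) and with a SAN (-addext): Docker daemons built with Go 1.15+
# reject certificates that carry the hostname only in the CN.
make_registry_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/myssl.key" -x509 -days 365 -out "$WORK/myssl.pem" \
    -subj "/C=CN/ST=WLMQ/L=XJ/O=XJJ/CN=$REGISTRY_HOST" \
    -addext "subjectAltName=DNS:$REGISTRY_HOST" 2>/dev/null
}

# Returns 0 if the certificate is valid for the given hostname, 1 otherwise.
cert_matches_host() {
  openssl x509 -in "$WORK/myssl.pem" -noout -checkhost "$1" \
    | grep -q "does match certificate"
}

# Returns 0 if myssl.key is the private key behind myssl.pem
# (both yield the same SubjectPublicKeyInfo).
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$WORK/myssl.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/myssl.key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if the certificate stays valid for at least $1 more seconds.
cert_valid_for() {
  openssl x509 -in "$WORK/myssl.pem" -noout -checkend "$1" >/dev/null
}

# All checks together; a failure means: do not copy the files to /opt/ssl.
check_registry_cert() {
  cert_matches_host "$REGISTRY_HOST" \
    && key_matches_cert \
    && cert_valid_for 2592000   # assumed threshold: 30 days
}

make_registry_cert
check_registry_cert && echo "certificate in $WORK is ready for $REGISTRY_HOST"
```

Once the registry is running with these files, `curl --cacert /opt/ssl/myssl.pem https://master.com.cn/v2/_catalog` checks the chain against the certificate instead of skipping verification with `-k`.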
On servers 16 and 17, make master.com.cn resolvable (edit the hosts file and add an entry for master.com.cn; this is the domain that was defined when the certificate was made):
[root@slave1 ssl]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.217.16 master k8s-master master.com.cn
192.168.217.17 slave1 k8s-node1
192.168.217.18 slave2 k8s-node2
On server 16, remove the registry container started earlier on port 5000:
docker rm -f $(docker ps -aq)
On server 16, start the registry container again, this time on port 443 (the certificate files are mounted into the container: -v /opt/ssl:/certs mounts them at /certs inside the container):
docker run -d --restart=always --name registry \
  -v /opt/ssl:/certs \
  -v /opt/registry/data:/var/lib/registry \
  -v /opt/registry/conf/config.yml:/etc/docker/registry/config.yml \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/myssl.pem \
  -e REGISTRY_HTTP_TLS_KEY=/certs/myssl.key \
  -p 443:443 registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1
Once the container is up, port 443 is listening:
[root@k8s-master ~]# netstat -antup |grep 443
tcp6       0      0 :::443                  :::*                    LISTEN      8074/docker-proxy
From any server, quickly verify that port 443 is really open:
[root@k8s-node2 ~]# curl -k https://master.com.cn/v2/_catalog
{"repositories":["nginx"]}
Note: the registry must be registered in Docker's configuration file, because it now serves HTTPS with a self-signed certificate; otherwise pushes and pulls fail with an error (register it on servers 16, 17 and 18):
[root@slave1 ssl]# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["http://bc437cce.m.daocloud.io"],
  "exec-opts":["native.cgroupdriver=systemd"],
  "insecure-registries": ["master.com.cn","192.168.217.16:5000"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2"
}
After adding the entry, restart the Docker service:
systemctl daemon-reload && systemctl restart docker
Same routine, same recipe: retag the image to match the registry's naming, then it can be pushed:
On server 17, first pull a busybox image from Aliyun, then list the existing images:
[root@node1 ~]# docker images
REPOSITORY                                                             TAG       IMAGE ID       CREATED       SIZE
busybox                                                                1.28.3    8ac48589692a   4 years ago   1.15MB
192.168.217.16:5000/registry-web                                       latest    0db5683824d8   5 years ago   599MB
registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web   latest    0db5683824d8   5 years ago   599MB
registry.cn-beijing.aliyuncs.com/google_registry/registry              2.4.1     8ff6a4aae657   6 years ago   172MB
On server 17, retag the image with the registry's name:
[root@node1 ~]# docker tag busybox:1.28.3 master.com.cn/busybox:1.28.3
[root@node1 ~]# docker images
REPOSITORY                                                             TAG       IMAGE ID       CREATED       SIZE
busybox                                                                1.28.3    8ac48589692a   4 years ago   1.15MB
master.com.cn/busybox                                                  1.28.3    8ac48589692a   4 years ago   1.15MB
192.168.217.16:5000/registry-web                                       latest    0db5683824d8   5 years ago   599MB
registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web   latest    0db5683824d8   5 years ago   599MB
registry.cn-beijing.aliyuncs.com/google_registry/registry              2.4.1     8ff6a4aae657   6 years ago   172MB
On server 17, push the retagged image to the local registry on server 16:
[root@k8s-node1 ~]# systemctl daemon-reload && systemctl restart docker
[root@k8s-node1 ~]# docker push master.com.cn/busybox:1.28.3
The push refers to repository [master.com.cn/busybox]
0314be9edf00: Pushed
1.28.3: digest: sha256:186694df7e479d2b8bf075d9e1b1d7a884c6de60470006d572350573bfa6dcd2 size: 527
Likewise, push another image. On the server 192.168.217.17, list the images:
[root@slave1 ~]# docker images
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
busybox      latest    7a80323521cc   4 weeks ago   1.24MB
nginx        1.8       0d493297b409   6 years ago   133MB
Push this 133 MB nginx image to the local registry on 192.168.217.16:
As before, the domain must be added to server 17's hosts file and to Docker's /etc/docker/daemon.json, the Docker service restarted, and the image retagged with the registry's name; then it can be pushed:
[root@slave1 ~]# docker push master.com.cn/nginx:1.8
The push refers to repository [master.com.cn/nginx]
5f70bf18a086: Pushed
62fd1c28b3bf: Pushed
6d700a2d8883: Pushed
c12ecfd4861d: Pushed
1.8: digest: sha256:746419199c9569216937fc59604805b7ac0f52b438bb5ca4ec6b7f990873b198 size: 1977
The operations so far have all been pushes, so how is a pull done? Which images the private registry holds, and their exact tags, can be queried through the registry API:
[root@slave1 ssl]# curl -k https://master.com.cn/v2/_catalog
{"repositories":["nginx"]}
The exact tags of an image:
[root@slave2 ~]# curl -k https://master.com.cn/v2/nginx/tags/list
{"name":"nginx","tags":["1.8"]}