
Geek Time Advanced Operations Training Camp: Week 2 Assignment

Author: Starry
  • 2022-10-30
    Beijing

1. Building the nginx service image in layers

File preparation

1) nginx source tarball

root@ubuntu2004:~# mkdir nginx
root@ubuntu2004:~# cd nginx/
root@ubuntu2004:~/nginx# wget https://nginx.org/download/nginx-1.22.1.tar.gz
--2022-10-29 15:29:48--  https://nginx.org/download/nginx-1.22.1.tar.gz
Resolving nginx.org (nginx.org)... 52.58.199.22, 3.125.197.172, 2a05:d014:edb:5704::6, ...
Connecting to nginx.org (nginx.org)|52.58.199.22|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1073948 (1.0M) [application/octet-stream]
Saving to: ‘nginx-1.22.1.tar.gz’

nginx-1.22.1.tar.gz 100%[=========================================================================================================>] 1.02M 50.6KB/s in 36s

2022-10-29 15:30:25 (29.5 KB/s) - ‘nginx-1.22.1.tar.gz’ saved [1073948/1073948]


2) The sources.list file, replaced with the Tsinghua University mirror

root@ubuntu2004:~/nginx# cat sources.list
# Source mirrors are commented out by default to speed up apt update; uncomment them if needed
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-updates main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-updates main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-backports main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-backports main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-security main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-security main restricted universe multiverse


3) Write the Dockerfile: the base image is ubuntu:22.04; it compiles nginx and sets the command that runs nginx.

root@ubuntu2004:~/nginx# cat Dockerfile
FROM ubuntu:22.04
LABEL author="starry 360159416@qq.com"
# Install HTTPS transport and CA certificates first so apt can use the HTTPS mirror
RUN apt-get update && apt-get -y install apt-transport-https ca-certificates curl software-properties-common
ADD sources.list /etc/apt/sources.list
# Build dependencies and troubleshooting tools
RUN apt update \
    &&  apt install -y iproute2 ntpdate tcpdump telnet traceroute nfs-kernel-server nfs-common \
        lrzsz tree openssl libssl-dev libpcre3 libpcre3-dev zlib1g-dev ntpdate tcpdump \
        telnet traceroute gcc openssh-server lrzsz tree openssl libssl-dev libpcre3 libpcre3-dev \
        zlib1g-dev ntpdate tcpdump telnet traceroute iotop unzip zip make
# ADD unpacks the local tarball into /usr/local/src/
ADD nginx-1.22.1.tar.gz /usr/local/src/
RUN cd /usr/local/src/nginx-1.22.1 \
     && ./configure --prefix=/apps/nginx && make && make install \
     && ln -sv /apps/nginx/sbin/nginx /usr/bin
# Dedicated nginx user and group with fixed IDs
RUN groupadd -g 2088 nginx \
     && useradd -g nginx -s /usr/sbin/nologin -u 2088 nginx \
     && chown -R nginx:nginx /apps/nginx
#ADD nginx.conf /apps/nginx/conf/
#ADD frontend.tar.gz /apps/nginx/html/
EXPOSE 80 443
#ENTRYPOINT ["nginx"]
# Run nginx in the foreground so the container stays up
CMD ["/apps/nginx/sbin/nginx","-g","daemon off;"]


Write a shell script that holds the image build command

root@ubuntu2004:~/nginx# cat build.sh
#!/bin/bash

# The image tag is passed as the first argument
TAG=$1
docker build -t harbor.magedu.net/myserver/nginx:$TAG .

Run the script to build the nginx image with the tag v1

root@ubuntu2004:~/nginx# bash build.sh v1
# After a successful build, list the images
root@ubuntu2004:~/nginx# docker images
REPOSITORY                         TAG                 IMAGE ID       CREATED          SIZE
harbor.magedu.net/myserver/nginx   v1                  3314da964420   6 seconds ago    540MB

Start a temporary container to verify that nginx can be reached.

# docker run -it --rm -p 80:80 harbor.magedu.net/myserver/nginx:v1

The container can be reached, so the image is usable.


2. CPU and memory resource limits for containers

Preparation:

Server: 2C2G (2 CPU cores, 2 GB RAM), operating system Ubuntu22.04, Docker version 20.10.17.

Change Docker's cgroup driver to systemd

Edit /etc/docker/daemon.json, add "exec-opts": ["native.cgroupdriver=systemd"], then restart the docker service.

root@ubuntu2004:~/nginx# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://9916w1ow.mirror.aliyuncs.com"],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-opts": {
     "max-file": "5",
     "max-size": "100m"
  }
}
root@ubuntu2004:~/nginx# systemctl stop docker.socket
root@ubuntu2004:~/nginx# systemctl start docker.socket

2.1 Memory limit (-m)

Limit memory to 512m and set --oom-kill-disable so that the container is not killed when the system runs out of memory (OOM).

root@ubuntu2004:~/nginx# docker run -it -d -m 512m --oom-kill-disable -p 80:80 harbor.magedu.net/myserver/nginx:v1
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
1a9deba691a88f0ad5b1c45c73c10d750db5401612d4b8f2cfd5483d723812a4


Check the container's memory usage

CONTAINER ID   NAME               CPU %     MEM USAGE / LIMIT   MEM %     NET I/O       BLOCK I/O   PIDS
1a9deba691a8   trusting_shannon   0.00%     2.875MiB / 512MiB   0.56%     1.09kB / 0B   0B / 0B     2

Notes:

  • docker run accepts a memory limit of at least 6M; anything below 6M is rejected with an error.

  • -m is the hard limit. --memory-reservation is the soft limit, and the soft limit cannot exceed the hard limit.

root@ubuntu2004:~/nginx# docker run -it -d -m 512m --memory-reservation 1024m -p 80:80 harbor.magedu.net/myserver/nginx:v1
docker: Error response from daemon: Minimum memory limit can not be less than memory reservation limit, see usage.

root@ubuntu2004:~/nginx# docker run -it -d -m 512m --memory-reservation 256m -p 80:80 harbor.magedu.net/myserver/nginx:v1
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
f3d516484d491121d1504048188efdcfab29c000a05e49c5a24080361c26a67


The stress-test image, run with different parameters, can be used to verify the memory and CPU limits. Pull the image with:

root@ubuntu2004:~/nginx# docker pull lorel/docker-stress-ng

View the help

root@ubuntu2004:~/nginx# docker run -it --rm lorel/docker-stress-ng --help

With no resource limit on the container, the stress test requests 512m of memory

root@ubuntu2004:~/nginx# docker run -it --rm --name magedu-c1 lorel/docker-stress-ng --vm 2 --vm-bytes 256M
stress-ng: info: [1] defaulting to a 86400 second run per stressor
stress-ng: info: [1] dispatching hogs: 2 vm

In another terminal, MEM USAGE shows about 512m in use

CONTAINER ID   NAME        CPU %     MEM USAGE / LIMIT     MEM %     NET I/O       BLOCK I/O   PIDS
6729338b12d0   magedu-c1   199.76%   517.4MiB / 1.907GiB   26.50%    1.02kB / 0B   0B / 0B     5

With the container limited to 256M of memory, the stress test requests 512m of memory

root@ubuntu2004:~/nginx# docker run -it --rm --name magedu-c1 -m 256m lorel/docker-stress-ng --vm 2 --vm-bytes 256M
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
stress-ng: info: [1] defaulting to a 86400 second run per stressor
stress-ng: info: [1] dispatching hogs: 2 vm

In another terminal, MEM USAGE shows only about 256m in use; no further memory can be allocated

CONTAINER ID   NAME        CPU %     MEM USAGE / LIMIT   MEM %     NET I/O       BLOCK I/O   PIDS
6a7025db8670   magedu-c1   160.98%   255.8MiB / 256MiB   99.91%    1.02kB / 0B   22GB / 0B   5


2.2 CPU limit (--cpus)

# Allocate 1.5 cores of CPU; the stress test requests 1 core
root@ubuntu2004:~/nginx# docker run -it --rm --name magedu-c1 --cpus 1 lorel/docker-stress-ng --cpu 1
stress-ng: info: [1] defaulting to a 86400 second run per stressor
stress-ng: info: [1] dispatching hogs: 1 cpu

# The stress test saturates 1 CPU core
CONTAINER ID   NAME        CPU %     MEM USAGE / LIMIT     MEM %     NET I/O       BLOCK I/O   PIDS
98dd2594768d   magedu-c1   100.66%   5.898MiB / 1.907GiB   0.30%     1.02kB / 0B   0B / 0B     2

By default a container may use the resources of all CPUs. To bind it to specific CPUs, use the --cpuset-cpus parameter. CPUs are numbered from 0; with 4 cores, the CPUs are 0, 1, 2, 3.

CPU is a compressible resource: it can be shared through time slices and context switching.


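3. Deploying a Harbor image registry over HTTP

First, clone two virtual machines from ubuntu2004, with the host names ubuntu200402 and docker-harbor1. Rename the source host from ubuntu2004 to ubuntu200401.

ubuntu200402 has a different MAC address from ubuntu200401 but the same IP. Run the following commands on ubuntu200402 to obtain a new IP: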

hostnamectl set-hostname ubuntu200402

reboot

dhclient -r

dhclient


Three servers:

Hostname IP

ubuntu200401 10.0.0.134

ubuntu200402 10.0.0.132

docker-harbor1 10.0.0.133


Docker is already installed on the servers; now install the docker-compose component.

root@docker-harbor1:~# apt update
root@docker-harbor1:~# apt-cache madison docker-compose
docker-compose |   1.25.0-1 | http://mirrors.aliyun.com/ubuntu focal/universe amd64 Packages
root@docker-harbor1:~# apt install docker-compose=1.25.0-1 -y


Download the Harbor installer

https://github.com/goharbor/harbor

The installer comes in an offline and an online version. Here we download the offline version.

Upload the package, extract it, and edit the harbor.yml file

# Extract the package
root@docker-harbor1:~# tar xvf harbor-offline-installer-v2.6.1.tgz
root@docker-harbor1:~# cd harbor/
root@docker-harbor1:~/harbor# ls
common.sh  harbor.v2.6.1.tar.gz  harbor.yml.tmpl  install.sh  LICENSE  prepare
# Copy the template file to a yml file
root@docker-harbor1:~/harbor# cp harbor.yml.tmpl harbor.yml
# Edit the yml file; the final content is as follows
root@docker-harbor1:~/harbor# grep -Ev '^\s*#|^$' harbor.yml
hostname: docker-harbor1
http:
  port: 80
harbor_admin_password: 12345678
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data
trivy:
  ignore_unfixed: false
  skip_update: false
  offline_scan: false
  insecure: false
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.6.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
upload_purging:
  enabled: true
  age: 168h
  interval: 24h
  dryrun: false
cache:
  enabled: false
  expire_hours: 24


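Run the installation

Installation parameters:

set --with-notary: performs trust verification when SSL is enabled

set --with-trivy: the component that scans images for vulnerabilities

set --with-chartmuseum: for the chart-format images used by Helm; can be enabled.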

root@docker-harbor1:~/harbor# ./install.sh --with-trivy --with-chartmuseum
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.21
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.25.0
[Step 2]: loading Harbor images ...
Loaded image: goharbor/notary-server-photon:v2.6.1
Loaded image: goharbor/chartmuseum-photon:v2.6.1
Loaded image: goharbor/harbor-log:v2.6.1
Loaded image: goharbor/harbor-registryctl:v2.6.1
Loaded image: goharbor/nginx-photon:v2.6.1
Loaded image: goharbor/trivy-adapter-photon:v2.6.1
Loaded image: goharbor/prepare:v2.6.1
Loaded image: goharbor/harbor-db:v2.6.1
Loaded image: goharbor/harbor-jobservice:v2.6.1
Loaded image: goharbor/harbor-portal:v2.6.1
Loaded image: goharbor/notary-signer-photon:v2.6.1
Loaded image: goharbor/registry-photon:v2.6.1
Loaded image: goharbor/harbor-core:v2.6.1
Loaded image: goharbor/harbor-exporter:v2.6.1
Loaded image: goharbor/redis-photon:v2.6.1

[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /root/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /config/trivy-adapter/env
Generated configuration file: /config/chartserver/env
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

Note: stopping existing Harbor instance ...
Removing network harbor_harbor
WARNING: Network harbor_harbor not found.
Removing network harbor_harbor-chartmuseum
WARNING: Network harbor_harbor-chartmuseum not found.

[Step 5]: starting Harbor ...
 Chartmusuem will be deprecated as of Harbor v2.6.0 and start to be removed in v2.8.0 or later. Please see discussion here for more details. https://github.com/goharbor/harbor/discussions/15057
Creating network "harbor_harbor" with the default driver
Creating network "harbor_harbor-chartmuseum" with the default driver
Creating harbor-log ... done
Creating harbor-portal ... done
Creating chartmuseum ... done
Creating redis ... done
Creating registryctl ... done
Creating harbor-db ... done
Creating registry ... done
Creating trivy-adapter ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----


View the docker container information

root@docker-harbor1:~/harbor# docker ps -a
CONTAINER ID   IMAGE                                  COMMAND                  CREATED         STATUS                   PORTS                                   NAMES
ac5fc309deaa   goharbor/harbor-jobservice:v2.6.1      "/harbor/entrypoint.…"   2 minutes ago   Up 2 minutes (healthy)                                           harbor-jobservice
2283bbaebae1   goharbor/nginx-photon:v2.6.1           "nginx -g 'daemon of…"   2 minutes ago   Up 2 minutes (healthy)   0.0.0.0:80->8080/tcp, :::80->8080/tcp   nginx
c3733fde2a83   goharbor/trivy-adapter-photon:v2.6.1   "/home/scanner/entry…"   2 minutes ago   Up 2 minutes (healthy)                                           trivy-adapter
101c97c4f38f   goharbor/harbor-core:v2.6.1            "/harbor/entrypoint.…"   2 minutes ago   Up 2 minutes (healthy)                                           harbor-core
618163feb4a6   goharbor/registry-photon:v2.6.1        "/home/harbor/entryp…"   2 minutes ago   Up 2 minutes (healthy)                                           registry
4ca51e1cb5e2   goharbor/harbor-db:v2.6.1              "/docker-entrypoint.…"   2 minutes ago   Up 2 minutes (healthy)                                           harbor-db
5f403abedafc   goharbor/redis-photon:v2.6.1           "redis-server /etc/r…"   2 minutes ago   Up 2 minutes (healthy)                                           redis
6443a1fb71ab   goharbor/harbor-registryctl:v2.6.1     "/home/harbor/start.…"   2 minutes ago   Up 2 minutes (healthy)                                           registryctl
c08aa86d0a5d   goharbor/chartmuseum-photon:v2.6.1     "./docker-entrypoint…"   2 minutes ago   Up 2 minutes (healthy)                                           chartmuseum
9e36fcf6c666   goharbor/harbor-portal:v2.6.1          "nginx -g 'daemon of…"   2 minutes ago   Up 2 minutes (healthy)                                           harbor-portal
2668aa9efa40   goharbor/harbor-log:v2.6.1             "/bin/sh -c /usr/loc…"   2 minutes ago   Up 2 minutes (healthy)   127.0.0.1:1514->10514/tcp               harbor-log


Edit the hosts file on Windows 10 and add a mapping between the IP of the docker-harbor1 host and its host name.

C:\Windows\System32\drivers\etc\hosts

10.0.0.133 harbor.magedu.net


Open http://harbor.magedu.net/ in a browser

Enter the user name and password: admin/12345678

After a successful login, the Harbor main page is shown.

Create a project named magedu


Pushing the image from ubuntu200401:

Configure the trusted registry

# Configure the host name to IP mappings of the three servers in /etc/hosts so they can be reached by host name.
root@ubuntu200401:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 ubuntu2004

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.0.0.134 ubuntu200401
10.0.0.132 ubuntu200402
10.0.0.133 docker-harbor1
10.0.0.133 harbor.magedu.net

# Add "insecure-registries" and specify the Harbor address.
root@ubuntu200401:~# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://9916w1ow.mirror.aliyuncs.com"],
  "insecure-registries": ["harbor.magedu.net"],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-opts": {
     "max-file": "5",
     "max-size": "100m"
  }
}

# Restart the docker service
root@ubuntu200401:~# systemctl restart docker

# Check that the setting took effect
root@ubuntu200401:~# docker info
Client:
.........
 Insecure Registries:
  harbor.magedu.net
  127.0.0.0/8
 Registry Mirrors:
  https://9916w1ow.mirror.aliyuncs.com/
 Live Restore Enabled: false

WARNING: No swap limit support

# Confirm that the Harbor server address is reachable
root@ubuntu200401:~# ping harbor.magedu.net
PING harbor.magedu.net (10.0.0.133) 56(84) bytes of data.
64 bytes from docker-harbor1 (10.0.0.133): icmp_seq=1 ttl=64 time=0.144 ms
64 bytes from docker-harbor1 (10.0.0.133): icmp_seq=2 ttl=64 time=0.343 ms


Log in


# docker login prompts for the user name and password: admin/12345678
root@ubuntu200401:~# docker login harbor.magedu.net
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

# /root/.docker/config.json stores the authentication information for the current image registry. The password in it is only base64-encoded, not encrypted, and can be decoded with base64 -d.


Push the image

root@ubuntu200401:~# docker push harbor.magedu.net/magedu/nginx:v1

The image was pushed successfully.


Pulling the image on the ubuntu200402 node

Edit /etc/docker/daemon.json, restart docker, then pull the image that was just pushed to the registry

root@ubuntu200402:~# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://9916w1ow.mirror.aliyuncs.com"],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "insecure-registries": ["harbor.magedu.net"],
  "log-opts": {
     "max-file": "5",
     "max-size": "100m"
  }
}

root@ubuntu200402:~# systemctl restart docker
root@ubuntu200402:~# docker pull harbor.magedu.net/magedu/nginx:v1
v1: Pulling from magedu/nginx
aee1767db0dd: Pull complete 
9e75cd419b1c: Pull complete 
7679fa654305: Pull complete 
232562ad247f: Pull complete 
ac842c5bab00: Pull complete 
cab6623b2bc5: Pull complete 
d18a7ffe0197: Pull complete 
Digest: sha256:b8f2e9651766bc915b23286eac05c26df0bde4dbf45ccf41db20c517b5ffb1e1
Status: Downloaded newer image for harbor.magedu.net/magedu/nginx:v1
harbor.magedu.net/magedu/nginx:v1

The image was pulled successfully.
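
The two things this part leaves on every Docker client, the "insecure-registries" entry and the inline login that docker login warned about, can be listed with a short check. This is an added example, not code from the original post: the function names and sample files are constructed, and it assumes the one-key-per-line JSON layout that docker login writes.

```sh
#!/bin/sh
# Added example, not from the original post. It assumes the one-key-per-line
# JSON layout that `docker login` writes and the daemon.json style shown on
# this page; a JSON-aware tool is more robust for arbitrary formatting.

# inline_auth_entries CONFIG_JSON
# Prints "<registry> <user>" for each registry whose credentials are stored
# inline in an "auth" field (base64 of "user:password"). Passwords are not printed.
inline_auth_entries() {
    awk '{ n = split($0, p, "\"") }
         n >= 3 && /[{][ \t]*$/   { reg = p[2]; next }
         n >= 5 && p[2] == "auth" { print reg, p[4] }' "$1" |
    while read -r ia_reg ia_b64; do
        ia_user=$(printf '%s' "$ia_b64" | base64 -d 2>/dev/null | cut -d: -f1)
        printf '%s %s\n' "$ia_reg" "$ia_user"
    done
}

# insecure_registries DAEMON_JSON
# Prints one entry per line from the "insecure-registries" array, i.e. the
# registries this host will talk to over plain HTTP or unverified TLS.
insecure_registries() {
    tr -d '\n' < "$1" |
    sed -n 's/.*"insecure-registries"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p' |
    tr ',' '\n' |
    sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//' -e '/^$/d'
}

# Demo on constructed files that mirror the state this page leaves on a host.
demo_audit() {
    da_dir=$(mktemp -d) || return 1
    # Constructed config.json: "auth" is base64 of the page's admin/12345678 login.
    printf '{\n\t"auths": {\n\t\t"harbor.magedu.net": {\n\t\t\t"auth": "%s"\n\t\t}\n\t}\n}\n' \
        "$(printf 'admin:12345678' | base64)" > "$da_dir/config.json"
    # Constructed daemon.json with the same insecure-registries entry as above.
    printf '{\n  "insecure-registries": ["harbor.magedu.net"],\n  "exec-opts": ["native.cgroupdriver=systemd"]\n}\n' \
        > "$da_dir/daemon.json"
    echo "inline credentials: $(inline_auth_entries "$da_dir/config.json")"
    echo "insecure registries: $(insecure_registries "$da_dir/daemon.json")"
    rm -rf "$da_dir"
}

demo_audit
```

A non-empty first list means no credential helper (the credsStore key) is in use for that registry on the host; a non-empty second list names registries reached without verified TLS.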


4. Installing containerd and basic nerdctl usage

Clone a virtual machine, ubuntu200403, from the init snapshot of ubuntu200401. This environment has only the operating system installed, not docker. Configure all four machines with static IPs; ubuntu200403 uses 10.0.0.131.

root@ubuntu200403:~# cd /etc/netplan/
root@ubuntu200403:/etc/netplan# cat 00-installer-config.yaml
# This is the network config written by 'subiquity'
network:
  ethernets:
    ens33:
      dhcp4: no
      addresses: [10.0.0.131/24]
      optional: true
      gateway4: 10.0.0.2
      nameservers:
        addresses: [10.0.0.2]
  version: 2


The other nodes have docker installed and therefore already come with containerd. For example, the containerd information on the ubuntu200401 node is:

root@ubuntu200401:~# which containerd
/usr/bin/containerd
root@ubuntu200401:~# containerd -v
containerd containerd.io 1.6.8 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6


This time we install containerd on the fresh ubuntu200403 node

# Install dependencies
root@ubuntu200403:~# apt update
root@ubuntu200403:~#  apt-get -y install apt-transport-https ca-certificates curl software-properties-common
# Install the GPG key
root@ubuntu200403:~# curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
OK
# Add the package source
root@ubuntu200403:~# add-apt-repository "deb [arch=amd64] https://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
Hit:1 http://mirrors.aliyun.com/ubuntu focal InRelease
Hit:2 http://mirrors.aliyun.com/ubuntu focal-updates InRelease
Get:3 https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal InRelease [57.7 kB]
Hit:4 http://mirrors.aliyun.com/ubuntu focal-backports InRelease
Hit:5 http://mirrors.aliyun.com/ubuntu focal-security InRelease
Get:6 https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages [20.8 kB]
Fetched 78.5 kB in 1s (84.8 kB/s)
Reading package lists... Done

# Update the package index
root@ubuntu200403:~# apt-get -y update
Hit:1 http://mirrors.aliyun.com/ubuntu focal InRelease
Hit:2 http://mirrors.aliyun.com/ubuntu focal-updates InRelease
Hit:3 http://mirrors.aliyun.com/ubuntu focal-backports InRelease
Hit:4 https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal InRelease
Hit:5 http://mirrors.aliyun.com/ubuntu focal-security InRelease
Reading package lists... Done

# List the available containerd.io versions
root@ubuntu200403:~# apt-cache madison containerd.io
containerd.io | 1.6.9-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.6.8-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.6.7-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.6.6-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.6.4-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.5.11-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.5.10-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.13-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.12-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.11-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.10-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.9-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.8-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.6-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.4-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.3-2 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.3-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.3.9-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.3.7-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.2.13-2 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages

# Install containerd.io, pinned to version 1.6.8-1
root@ubuntu200403:~# apt install -y containerd.io=1.6.8-1

root@ubuntu200403:~# containerd --version
containerd containerd.io 1.6.8 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6

# Print containerd's default configuration
root@ubuntu200403:~# containerd config default

# Custom configuration
root@ubuntu200403:~# containerd config default > /etc/containerd/config.toml
# 1) Change sandbox_image to a reachable address:
sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.7"
# 2) Configure a registry mirror, i.e. add two lines after line 153
root@ubuntu200403:~# sed -n '153,156p' /etc/containerd/config.toml
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://9916w1ow.mirror.aliyuncs.com"]
    [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]

# Restart containerd to apply the configuration
root@ubuntu200403:~# systemctl restart containerd.service
# Check that containerd is in the running state
root@ubuntu200403:~# systemctl status containerd

# containerd does not bundle runc; runc has to be downloaded and installed
root@ubuntu200403:~# wget https://github.com/opencontainers/runc/releases/download/v1.1.4/runc.amd64

root@ubuntu200403:~# mv runc.amd64 /usr/bin/runc
root@ubuntu200403:~# chmod a+x /usr/bin/runc
root@ubuntu200403:~# runc -v
runc version 1.1.4
commit: v1.1.4-0-g5fd4c4d1
spec: 1.0.2-dev
go: go1.17.10
libseccomp: 2.5.4
# containerd没有地址,还需要安装cni。cni是给容器提供地址的组件root@ubuntu200403:~# wget https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgzroot@ubuntu200403:~# mkdir /opt/cni/bin -pvroot@ubuntu200403:~# tar xvf cni-plugins-linux-amd64-v1.1.1.tgz -C /opt/cni/bin/
# 安装兼容docker的containerd客户端nerdctlroot@ubuntu200403:~# wget https://github.com/containerd/nerdctl/releases/download/v0.23.0/nerdctl-0.23.0-linux-amd64.tar.gzroot@ubuntu200403:~# tar xvf nerdctl-0.23.0-linux-amd64.tar.gz -C /usr/bin/nerdctlcontainerd-rootless-setuptool.shcontainerd-rootless.sh



Once the installation is finished, nerdctl is ready to use. nerdctl is used the same way as the docker command.
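The session above moves runc, the CNI plugins and nerdctl into system paths straight from wget, with no integrity check on what was downloaded. The helper below is an added example, not part of the original post: it installs a file only after its SHA-256 matches a `sha256sum`-format manifest. The function names, the manifest name `runc.sha256sum` and the stand-in file are assumptions, and the demo data is constructed so the block runs offline.

```shell
# Added example: check a downloaded release artifact against a SHA-256
# manifest before installing it. All names and paths here are illustrative.

# expected_hash <manifest> <filename>
# Prints the hash listed for <filename> in a sha256sum-format manifest
# ("<hash>  <name>" or "<hash> *<name>").
expected_hash() {
    awk -v f="$2" '{ n = $2; sub(/^\*/, "", n) } n == f { print $1; exit }' "$1"
}

# verify_and_install <artifact> <manifest> <dest>
# Returns 0 installed, 2 missing input, 3 no manifest entry, 4 hash mismatch.
verify_and_install() {
    local artifact="$1" manifest="$2" dest="$3" want got
    [ -f "$artifact" ] && [ -f "$manifest" ] || return 2
    want="$(expected_hash "$manifest" "$(basename "$artifact")")"
    [ -n "$want" ] || return 3
    got="$(sha256sum "$artifact" | awk '{ print $1 }')"
    if [ "$got" != "$want" ]; then
        echo "sha256 mismatch for $artifact: got $got, want $want" >&2
        return 4
    fi
    # Copy into place only after the hash matches; mode 0755 covers chmod a+x.
    install -m 0755 "$artifact" "$dest"
}

# Constructed offline demo: a stand-in file plays the role of runc.amd64.
demo() {
    local d rc
    d="$(mktemp -d)" || return 1
    printf 'constructed stand-in for runc.amd64\n' > "$d/runc.amd64"
    (cd "$d" && sha256sum runc.amd64 > runc.sha256sum)
    rc=0
    verify_and_install "$d/runc.amd64" "$d/runc.sha256sum" "$d/runc" || rc=$?
    echo "untampered artifact: rc=$rc"
    printf 'tampered\n' >> "$d/runc.amd64"
    rc=0
    verify_and_install "$d/runc.amd64" "$d/runc.sha256sum" "$d/runc.bad" || rc=$?
    echo "tampered artifact:   rc=$rc"
    rm -rf "$d"
}

demo
```

A checksum fetched from the same location as the binary only detects corruption or a swapped file; it is the release signature, where the project publishes one, that ties the manifest to the maintainers.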

# Pull an nginx image
root@ubuntu200403:~# nerdctl pull nginx:1.18.0-alpine
docker.io/library/nginx:1.18.0-alpine:                                            resolved       |++++++++++++++++++++++++++++++++++++++|
index-sha256:93baf2ec1bfefd04d29eb070900dd5d79b0f79863653453397e55a5b663a6cb1:    done           |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:ca9fac83c6c89a09424279de522214e865e322187b22a1a29b12747a4287b7bd: done           |++++++++++++++++++++++++++++++++++++++|
config-sha256:684dbf9f01f3250437d595669c7437c202573798ab34247d50338ff630e58b6a:   done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:4259d8811e1d8716d6744cee8efe95b081c391ebf596fe0dd197a7041c956da3:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:ddad3d7c1e96adf9153f8921a7c9790f880a390163df453be1566e9ef0d546e0:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:d04f0a2e920127922c4bf1252186544361b5043887ef177dc2638d07f95e582b:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:c7974bc8b744e53e801b97c1819fb9adbd3e36874a645e8e17d35669c25900b3:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:df7ae1cb4591426fb91492c8db67abd8e85adb5a9b7f1e61b6da6055fd63a297:    done           |++++++++++++++++++++++++++++++++++++++|
elapsed: 25.8s                                                                    total:  9.1 Mi (359.7 KiB/s)
# List the images
root@ubuntu200403:~# nerdctl images
REPOSITORY    TAG              IMAGE ID        CREATED               PLATFORM       SIZE        BLOB SIZE
nginx         1.18.0-alpine    93baf2ec1bfe    About a minute ago    linux/amd64    25.0 MiB    9.1 MiB

# By default, images are stored in the default namespace
root@ubuntu200403:~# nerdctl -n default images
REPOSITORY    TAG              IMAGE ID        CREATED               PLATFORM       SIZE        BLOB SIZE
nginx         1.18.0-alpine    93baf2ec1bfe    About a minute ago    linux/amd64    25.0 MiB    9.1 MiB
root@ubuntu200403:~# nerdctl -n k8s.io images
REPOSITORY    TAG    IMAGE ID    CREATED    PLATFORM    SIZE    BLOB SIZE
# For later pulls, the k8s.io namespace can be selected with -n k8s.io.
# Create an nginx container
root@ubuntu200403:~# nerdctl run -it -p 80:80 --name nginx nginx:1.18.0-alpine
# Open another terminal and check the container status
root@ubuntu200403:~# nerdctl ps -a
CONTAINER ID    IMAGE                                    COMMAND                   CREATED          STATUS    PORTS                 NAMES
9147985be425    docker.io/library/nginx:1.18.0-alpine    "/docker-entrypoint.…"    8 minutes ago    Up        0.0.0.0:80->80/tcp    nginx



The nginx service is reachable and responds normally.

