极客时间运维进阶训练营第二周作业
- 2022-10-30 北京
1.分层构建 nginx 业务镜像
文件准备
1)nginx 源码包(下载后建议对照 nginx.org 发布的 PGP 签名校验完整性,再放入构建上下文)
root@ubuntu2004:~# mkdir nginx
root@ubuntu2004:~# cd nginx/
root@ubuntu2004:~/nginx# wget https://nginx.org/download/nginx-1.22.1.tar.gz
--2022-10-29 15:29:48-- https://nginx.org/download/nginx-1.22.1.tar.gz
Resolving nginx.org (nginx.org)... 52.58.199.22, 3.125.197.172, 2a05:d014:edb:5704::6, ...
Connecting to nginx.org (nginx.org)|52.58.199.22|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1073948 (1.0M) [application/octet-stream]
Saving to: ‘nginx-1.22.1.tar.gz’
nginx-1.22.1.tar.gz 100%[=========================================================================================================>] 1.02M 50.6KB/s in 36s
2022-10-29 15:30:25 (29.5 KB/s) - ‘nginx-1.22.1.tar.gz’ saved [1073948/1073948]
2)替换成清华大学镜像源的文件
root@ubuntu2004:~/nginx# cat sources.list
# 默认注释了源码镜像以提高 apt update 速度,如有需要可自行取消注释
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-updates main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-updates main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-backports main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-backports main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-security main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-security main restricted universe multiverse
3)编写 Dockerfile,基础镜像为 ubuntu:22.04, 编译 nginx,设置 nginx 运行命令。
root@ubuntu2004:~/nginx# cat Dockerfile
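# Builds nginx 1.22.1 from source on Ubuntu 22.04 and runs it in the foreground.
# The build context must contain sources.list and nginx-1.22.1.tar.gz.
# NOTE(review): nothing in this file checks the integrity of the tarball;
# verify it against the signature published on nginx.org before building.
FROM ubuntu:22.04
LABEL author="starry 360159416@qq.com"

# HTTPS transport and CA certificates are installed from the default sources
# first, because the replacement sources.list uses https:// mirror URLs.
RUN apt-get update && apt-get -y install apt-transport-https ca-certificates curl software-properties-common

# COPY rather than ADD: a plain file needs none of ADD's archive/URL handling.
COPY sources.list /etc/apt/sources.list

# Compiler, nginx build dependencies and troubleshooting tools, each listed once.
# NOTE(review): openssh-server, nfs-kernel-server, telnet, tcpdump and gcc stay
# in the final image and widen its attack surface; for anything beyond a lab
# image, drop them or move the compile step into a separate build stage.
RUN apt-get update \
 && apt-get install -y iproute2 ntpdate tcpdump telnet traceroute nfs-kernel-server nfs-common \
    lrzsz tree openssl libssl-dev libpcre3 libpcre3-dev zlib1g-dev gcc openssh-server \
    iotop unzip zip make \
 && rm -rf /var/lib/apt/lists/*

# ADD is intentional here: it unpacks the local tar archive into /usr/local/src/.
ADD nginx-1.22.1.tar.gz /usr/local/src/

# Compile and install under /apps/nginx, then expose the binary on PATH.
RUN cd /usr/local/src/nginx-1.22.1 \
 && ./configure --prefix=/apps/nginx && make && make install \
 && ln -sv /apps/nginx/sbin/nginx /usr/bin

# Dedicated account with a fixed UID/GID and no login shell owns the install tree.
# NOTE(review): no nginx.conf is added below, so the worker processes use nginx's
# built-in default user unless a config containing `user nginx;` is supplied - confirm.
RUN groupadd -g 2088 nginx \
 && useradd -g nginx -s /usr/sbin/nologin -u 2088 nginx \
 && chown -R nginx:nginx /apps/nginx

#ADD nginx.conf /apps/nginx/conf/
#ADD frontend.tar.gz /apps/nginx/html/

EXPOSE 80 443

#ENTRYPOINT ["nginx"]
# Path fixed: the install prefix is /apps/nginx (the original read /apps/ngins,
# which does not exist, so the container would exit at start).
CMD ["/apps/nginx/sbin/nginx","-g","daemon off;"]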
编写 shell 脚本,存放打镜像的命令
root@ubuntu2004:~/nginx# cat build.sh
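#!/bin/bash
# Build the nginx image from the Dockerfile in the current directory.
# Usage: bash build.sh <tag>     e.g. bash build.sh v1
set -euo pipefail

# Fail early with a usage message when no tag is given; an empty tag would
# produce the invalid reference "harbor.magedu.net/myserver/nginx:".
TAG=${1:?usage: build.sh <tag>}

# Quote the reference so a tag containing spaces or glob characters reaches
# docker as a single argument instead of being split into extra words.
docker build -t "harbor.magedu.net/myserver/nginx:${TAG}" .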
运行脚本,打包 nginx 镜像,tag 值为 v1
root@ubuntu2004:~/nginx# bash build.sh v1
# 打包成功后,查看镜像
root@ubuntu2004:~/nginx# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
harbor.magedu.net/myserver/nginx v1 3314da964420 6 seconds ago 540MB
启动临时容器,验证 nginx 是否成功访问。
# docker run -it --rm -p 80:80 harbor.magedu.net/myserver/nginx:v1
容器能成功访问,镜像可以使用。
2.容器的 CPU 和内存资源限制
准备工作:
服务器:2C2G,操作系统 Ubuntu22.04,Docker 版本 20.10.17。
修改 Docker 的 Cgroup Driver 为 systemd
编辑/etc/docker/daemon.json, 增加"exec-opts": ["native.cgroupdriver=systemd"],然后重启 docker 服务。
root@ubuntu2004:~/nginx# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://9916w1ow.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-opts": {
"max-file": "5",
"max-size": "100m"
}
}
root@ubuntu2004:~/nginx# systemctl stop docker.socket
root@ubuntu2004:~/nginx# systemctl start docker.socket
2.1 内存资源限制(-m)
限制内存使用为 512m,并设置 --oom-kill-disable,保证容器在系统发生 oom 时不会被 kill。注意:--oom-kill-disable 只应与 -m 同时使用,否则容器可能耗尽宿主机内存。
root@ubuntu2004:~/nginx# docker run -it -d -m 512m --oom-kill-disable -p 80:80 harbor.magedu.net/myserver/nginx:v1
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
1a9deba691a88f0ad5b1c45c73c10d750db5401612d4b8f2cfd5483d723812a4
查看容器内存资源占用
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
1a9deba691a8 trusting_shannon 0.00% 2.875MiB / 512MiB 0.56% 1.09kB / 0B 0B / 0B 2
说明:
docker run 限制内存资源最低大小为 6M,小于 6M 报错.
-m 为硬限制。--memory-reservation 为软限制,软限制不能超过硬限制。
root@ubuntu2004:~/nginx# docker run -it -d -m 512m --memory-reservation 1024m -p 80:80 harbor.magedu.net/myserver/nginx:v1
docker: Error response from daemon: Minimum memory limit can not be less than memory reservation limit, see usage.
root@ubuntu2004:~/nginx# docker run -it -d -m 512m --memory-reservation 256m -p 80:80 harbor.magedu.net/myserver/nginx:v1
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
f3d516484d491121d1504048188efdcfab29c000a05e49c5a24080361c26a67
压测镜像,设置不同参数,可以进行内存和 cpu 限制验证。下载镜像命令如下:
root@ubuntu2004:~/nginx# docker pull lorel/docker-stress-ng
查看帮助信息
root@ubuntu2004:~/nginx# docker run -it --rm lorel/docker-stress-ng --help
容器不做资源限制时,压测申请512m内存
root@ubuntu2004:~/nginx# docker run -it --rm --name magedu-c1 lorel/docker-stress-ng --vm 2 --vm-bytes 256M
stress-ng: info: [1] defaulting to a 86400 second run per stressor
stress-ng: info: [1] dispatching hogs: 2 vm
另一终端查看MEM USAGE可以看到内存占用约512m
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
6729338b12d0 magedu-c1 199.76% 517.4MiB / 1.907GiB 26.50% 1.02kB / 0B 0B / 0B 5
容器限制256M内存,压测申请512m内存
root@ubuntu2004:~/nginx# docker run -it --rm --name magedu-c1 -m 256m lorel/docker-stress-ng --vm 2 --vm-bytes 256M
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
stress-ng: info: [1] defaulting to a 86400 second run per stressor
stress-ng: info: [1] dispatching hogs: 2 vm
另一终端查看MEM USAGE可以看到内存只占用约256m,无法申请多余资源
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
6a7025db8670 magedu-c1 160.98% 255.8MiB / 256MiB 99.91% 1.02kB / 0B 22GB / 0B 5
2.2 CPU 资源限制(--cpus)
# 分配1.5核cpu资源,申请占用1核cpu(注:下方命令实际使用的是 --cpus 1,即限制为 1 核)
root@ubuntu2004:~/nginx# docker run -it --rm --name magedu-c1 --cpus 1 lorel/docker-stress-ng --cpu 1
stress-ng: info: [1] defaulting to a 86400 second run per stressor
stress-ng: info: [1] dispatching hogs: 1 cpu
# 压测占满1核cpu
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
98dd2594768d magedu-c1 100.66% 5.898MiB / 1.907GiB 0.30% 1.02kB / 0B 0B / 0B 2
默认情况下,容器的 cpu 资源申请可以使用所有 cpu 的资源。如果要将容器绑定在某个 cpu 上,可以使用 --cpuset-cpus 参数。cpu 编号从 0 开始,如果是 4 核,则 cpu 为 0,1,2,3。
cpu 是可压缩资源,可以利用时间片做上下文切换。
3.部署 http 协议的 harbor 镜像仓库
首先基于 ubuntu2004 克隆两台虚拟机,主机名分别为 ubuntu200402,docker-harbor1。源主机名由 ubuntu2004 改为 ubuntu200401。
ubuntu200402 的 mac 和 ubuntu200401 不同,但是 ip 一样。在 ubuntu200402 上执行如下命令重新获取 ip:
hostnamectl set-hostname ubuntu200402
reboot
dhclient -r
dhclient
三台服务器:
主机名 IP
ubuntu200401 10.0.0.134
ubuntu200402 10.0.0.132
docker-harbor1 10.0.0.133
服务器已经安装了 docker,再安装 docker-compose 组件。
root@docker-harbor1:~# apt update
root@docker-harbor1:~# apt-cache madison docker-compose
docker-compose | 1.25.0-1 | http://mirrors.aliyun.com/ubuntu focal/universe amd64 Packages
root@docker-harbor1:~# apt install docker-compose=1.25.0-1 -y
下载 harbor 安装包
https://github.com/goharbor/harbor
安装包分为离线版和在线版。我们这里下载离线版
上传版本包并解压,修改 harbor.yml 文件
# 解压版本包
root@docker-harbor1:~# tar xvf harbor-offline-installer-v2.6.1.tgz
root@docker-harbor1:~# cd harbor/
root@docker-harbor1:~/harbor# ls
common.sh harbor.v2.6.1.tar.gz harbor.yml.tmpl install.sh LICENSE prepare
# 复制模板文件为yml文件
root@docker-harbor1:~/harbor# cp harbor.yml.tmpl harbor.yml
# 修改yml文件内容,最终文件内容如下(仅用于实验环境:这里使用 http,且 harbor_admin_password、database.password 均为弱口令;实际部署应启用 https 并改为强密码)
root@docker-harbor1:~/harbor# grep -Ev '^\s*#|^$' harbor.yml
hostname: docker-harbor1
http:
port: 80
harbor_admin_password: 12345678
database:
password: root123
max_idle_conns: 100
max_open_conns: 900
data_volume: /data
trivy:
ignore_unfixed: false
skip_update: false
offline_scan: false
insecure: false
jobservice:
max_job_workers: 10
notification:
webhook_job_max_retry: 10
chart:
absolute_url: disabled
log:
level: info
local:
rotate_count: 50
rotate_size: 200M
location: /var/log/harbor
_version: 2.6.0
proxy:
http_proxy:
https_proxy:
no_proxy:
components:
- core
- jobservice
- trivy
upload_purging:
enabled: true
age: 168h
interval: 24h
dryrun: false
cache:
enabled: false
expire_hours: 24
执行安装
安装参数说明:
set --with-notary 当开启 ssl 时,做可信验证
set --with-trivy 对镜像做漏洞扫描的组件
set --with-chartmuseum helm 里用的 chart 格式的镜像,可以打开。
root@docker-harbor1:~/harbor# ./install.sh --with-trivy --with-chartmuseum
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.21
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.25.0
[Step 2]: loading Harbor images ...
19b3e561bd53: Loading layer [==================================================>] 37.69MB/37.69MB
b1c55ad746b8: Loading layer [==================================================>] 5.754MB/5.754MB
3fad059e5b96: Loading layer [==================================================>] 8.718MB/8.718MB
ac3d56834181: Loading layer [==================================================>] 15.88MB/15.88MB
ac64291e7095: Loading layer [==================================================>] 29.29MB/29.29MB
347c69d047c1: Loading layer [==================================================>] 22.02kB/22.02kB
2bc68bdd74b4: Loading layer [==================================================>] 15.88MB/15.88MB
Loaded image: goharbor/notary-server-photon:v2.6.1
a3f881ff8a8a: Loading layer [==================================================>] 5.759MB/5.759MB
bf4fe2665116: Loading layer [==================================================>] 90.88MB/90.88MB
1bbf13d3b736: Loading layer [==================================================>] 3.072kB/3.072kB
6864945044da: Loading layer [==================================================>] 4.096kB/4.096kB
e74206fce300: Loading layer [==================================================>] 91.67MB/91.67MB
Loaded image: goharbor/chartmuseum-photon:v2.6.1
d1cca5e33760: Loading layer [==================================================>] 126.9MB/126.9MB
f21ade3affb4: Loading layer [==================================================>] 3.584kB/3.584kB
2b10bb22d396: Loading layer [==================================================>] 3.072kB/3.072kB
cddb26029f4f: Loading layer [==================================================>] 2.56kB/2.56kB
120e581fca06: Loading layer [==================================================>] 3.072kB/3.072kB
b55ab4161be8: Loading layer [==================================================>] 3.584kB/3.584kB
708b88dc9728: Loading layer [==================================================>] 20.99kB/20.99kB
Loaded image: goharbor/harbor-log:v2.6.1
aa3c0eeab3fd: Loading layer [==================================================>] 5.759MB/5.759MB
08acd59679e5: Loading layer [==================================================>] 4.096kB/4.096kB
dbfa72b62e7c: Loading layer [==================================================>] 17.1MB/17.1MB
3db46c922bff: Loading layer [==================================================>] 3.072kB/3.072kB
db46f9ab20a1: Loading layer [==================================================>] 29.15MB/29.15MB
c28b264c5c77: Loading layer [==================================================>] 47.04MB/47.04MB
Loaded image: goharbor/harbor-registryctl:v2.6.1
46e1d8c22785: Loading layer [==================================================>] 119.1MB/119.1MB
Loaded image: goharbor/nginx-photon:v2.6.1
ebe1f7ed9475: Loading layer [==================================================>] 7.162MB/7.162MB
780db4ad3bef: Loading layer [==================================================>] 4.096kB/4.096kB
dc07146a4e90: Loading layer [==================================================>] 3.072kB/3.072kB
2cdc8f8be3a6: Loading layer [==================================================>] 91.21MB/91.21MB
d4efae655490: Loading layer [==================================================>] 12.86MB/12.86MB
c11badbab4ee: Loading layer [==================================================>] 104.9MB/104.9MB
Loaded image: goharbor/trivy-adapter-photon:v2.6.1
6ada5ff70437: Loading layer [==================================================>] 43.85MB/43.85MB
070561aa0752: Loading layer [==================================================>] 65.9MB/65.9MB
af13505c0fbc: Loading layer [==================================================>] 19.14MB/19.14MB
8eaa0fe4e73c: Loading layer [==================================================>] 65.54kB/65.54kB
9ffc621c4d1d: Loading layer [==================================================>] 2.56kB/2.56kB
4f311e4137a0: Loading layer [==================================================>] 1.536kB/1.536kB
d1ecbcc8c146: Loading layer [==================================================>] 12.29kB/12.29kB
313e339c685b: Loading layer [==================================================>] 2.613MB/2.613MB
6f748b2ed0dc: Loading layer [==================================================>] 379.9kB/379.9kB
Loaded image: goharbor/prepare:v2.6.1
59c6fef03969: Loading layer [==================================================>] 1.097MB/1.097MB
0b0d97fd8a80: Loading layer [==================================================>] 5.888MB/5.888MB
6f21e17052fb: Loading layer [==================================================>] 169MB/169MB
480717132aea: Loading layer [==================================================>] 16.96MB/16.96MB
817dc53a51cf: Loading layer [==================================================>] 4.096kB/4.096kB
beeda54c09df: Loading layer [==================================================>] 6.144kB/6.144kB
0de0c418dfa2: Loading layer [==================================================>] 3.072kB/3.072kB
394a42c14a01: Loading layer [==================================================>] 2.048kB/2.048kB
c53687716453: Loading layer [==================================================>] 2.56kB/2.56kB
46e9e5d728c4: Loading layer [==================================================>] 2.56kB/2.56kB
e05b0e58bb47: Loading layer [==================================================>] 2.56kB/2.56kB
85d4f51c325c: Loading layer [==================================================>] 8.704kB/8.704kB
Loaded image: goharbor/harbor-db:v2.6.1
0bfa75b1d074: Loading layer [==================================================>] 8.902MB/8.902MB
0dda41e1e1a6: Loading layer [==================================================>] 3.584kB/3.584kB
13be21b41d86: Loading layer [==================================================>] 2.56kB/2.56kB
f92838d6a967: Loading layer [==================================================>] 97.91MB/97.91MB
e97573477193: Loading layer [==================================================>] 98.7MB/98.7MB
Loaded image: goharbor/harbor-jobservice:v2.6.1
15fecb8d6c42: Loading layer [==================================================>] 119.1MB/119.1MB
098f54fce48f: Loading layer [==================================================>] 7.535MB/7.535MB
3dc6ef297f52: Loading layer [==================================================>] 1.185MB/1.185MB
Loaded image: goharbor/harbor-portal:v2.6.1
775b1ccf1721: Loading layer [==================================================>] 5.754MB/5.754MB
f4ef31b9659f: Loading layer [==================================================>] 8.718MB/8.718MB
7c9e733a4621: Loading layer [==================================================>] 14.47MB/14.47MB
148050e3b89d: Loading layer [==================================================>] 29.29MB/29.29MB
500fdc71742e: Loading layer [==================================================>] 22.02kB/22.02kB
d38ecdf0c794: Loading layer [==================================================>] 14.47MB/14.47MB
Loaded image: goharbor/notary-signer-photon:v2.6.1
0b6707dd33bc: Loading layer [==================================================>] 5.759MB/5.759MB
8107a2426b6d: Loading layer [==================================================>] 4.096kB/4.096kB
130b71e83c08: Loading layer [==================================================>] 3.072kB/3.072kB
3daa3b45e084: Loading layer [==================================================>] 17.1MB/17.1MB
e1f022373798: Loading layer [==================================================>] 17.9MB/17.9MB
Loaded image: goharbor/registry-photon:v2.6.1
b8ab82a27cb4: Loading layer [==================================================>] 8.902MB/8.902MB
031794af342e: Loading layer [==================================================>] 3.584kB/3.584kB
a6c93180465a: Loading layer [==================================================>] 2.56kB/2.56kB
1181f6dc3b6f: Loading layer [==================================================>] 80.74MB/80.74MB
6aea11036399: Loading layer [==================================================>] 5.632kB/5.632kB
84ea4b6c2a1f: Loading layer [==================================================>] 105.5kB/105.5kB
9da21a8aaea8: Loading layer [==================================================>] 44.03kB/44.03kB
3a6281e6c8dc: Loading layer [==================================================>] 81.68MB/81.68MB
57ba35dc2c40: Loading layer [==================================================>] 2.56kB/2.56kB
Loaded image: goharbor/harbor-core:v2.6.1
24243fc0136d: Loading layer [==================================================>] 8.902MB/8.902MB
9778bfbfaf4b: Loading layer [==================================================>] 24.64MB/24.64MB
c904704d3e3f: Loading layer [==================================================>] 4.608kB/4.608kB
0ee8cf6901bd: Loading layer [==================================================>] 25.43MB/25.43MB
Loaded image: goharbor/harbor-exporter:v2.6.1
5e3e5b804996: Loading layer [==================================================>] 119.9MB/119.9MB
c7323c3b23ff: Loading layer [==================================================>] 3.072kB/3.072kB
6ab347b42178: Loading layer [==================================================>] 59.9kB/59.9kB
4587d0666b27: Loading layer [==================================================>] 61.95kB/61.95kB
Loaded image: goharbor/redis-photon:v2.6.1
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /root/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /config/trivy-adapter/env
Generated configuration file: /config/chartserver/env
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
Note: stopping existing Harbor instance ...
Removing network harbor_harbor
WARNING: Network harbor_harbor not found.
Removing network harbor_harbor-chartmuseum
WARNING: Network harbor_harbor-chartmuseum not found.
[Step 5]: starting Harbor ...
➜
Chartmusuem will be deprecated as of Harbor v2.6.0 and start to be removed in v2.8.0 or later.
Please see discussion here for more details. https://github.com/goharbor/harbor/discussions/15057
Creating network "harbor_harbor" with the default driver
Creating network "harbor_harbor-chartmuseum" with the default driver
Creating harbor-log ... done
Creating harbor-portal ... done
Creating chartmuseum ... done
Creating redis ... done
Creating registryctl ... done
Creating harbor-db ... done
Creating registry ... done
Creating trivy-adapter ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
查看 docker 容器信息
root@docker-harbor1:~/harbor# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ac5fc309deaa goharbor/harbor-jobservice:v2.6.1 "/harbor/entrypoint.…" 2 minutes ago Up 2 minutes (healthy) harbor-jobservice
2283bbaebae1 goharbor/nginx-photon:v2.6.1 "nginx -g 'daemon of…" 2 minutes ago Up 2 minutes (healthy) 0.0.0.0:80->8080/tcp, :::80->8080/tcp nginx
c3733fde2a83 goharbor/trivy-adapter-photon:v2.6.1 "/home/scanner/entry…" 2 minutes ago Up 2 minutes (healthy) trivy-adapter
101c97c4f38f goharbor/harbor-core:v2.6.1 "/harbor/entrypoint.…" 2 minutes ago Up 2 minutes (healthy) harbor-core
618163feb4a6 goharbor/registry-photon:v2.6.1 "/home/harbor/entryp…" 2 minutes ago Up 2 minutes (healthy) registry
4ca51e1cb5e2 goharbor/harbor-db:v2.6.1 "/docker-entrypoint.…" 2 minutes ago Up 2 minutes (healthy) harbor-db
5f403abedafc goharbor/redis-photon:v2.6.1 "redis-server /etc/r…" 2 minutes ago Up 2 minutes (healthy) redis
6443a1fb71ab goharbor/harbor-registryctl:v2.6.1 "/home/harbor/start.…" 2 minutes ago Up 2 minutes (healthy) registryctl
c08aa86d0a5d goharbor/chartmuseum-photon:v2.6.1 "./docker-entrypoint…" 2 minutes ago Up 2 minutes (healthy) chartmuseum
9e36fcf6c666 goharbor/harbor-portal:v2.6.1 "nginx -g 'daemon of…" 2 minutes ago Up 2 minutes (healthy) harbor-portal
2668aa9efa40 goharbor/harbor-log:v2.6.1 "/bin/sh -c /usr/loc…" 2 minutes ago Up 2 minutes (healthy) 127.0.0.1:1514->10514/tcp harbor-log
编辑 win10 的 host 文件,增加 docker-harbor1 主机的 ip 和主机名映射。
C:\Windows\System32\drivers\etc\hosts
10.0.0.133 harbor.magedu.net
浏览器访问 http://harbor.magedu.net/
输入用户名密码: admin/12345678
登录成功,进入 harbor 主界面。
创建一个项目,名为 magedu
ubuntu200401 上传镜像:
配置信任的仓库
# 在/etc/hosts 配置三台服务器的主机名和ip映射关系,使可以通过主机名访问。
root@ubuntu200401:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 ubuntu2004
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.0.0.134 ubuntu200401
10.0.0.132 ubuntu200402
10.0.0.133 docker-harbor1
10.0.0.133 harbor.magedu.net
# 添加"insecure-registries",指定harbor的地址。该选项让 docker 以 http(或不校验证书的 https)访问此仓库,登录口令和镜像均可能以明文传输,仅适用于实验环境。
root@ubuntu200401:~# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://9916w1ow.mirror.aliyuncs.com"],
"insecure-registries": ["harbor.magedu.net"],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-opts": {
"max-file": "5",
"max-size": "100m"
}
}
# 重启docker服务
root@ubuntu200401:~# systemctl restart docker
# 检查是否生效
root@ubuntu200401:~# docker info
Client:
...
...
...
Insecure Registries:
harbor.magedu.net
127.0.0.0/8
Registry Mirrors:
https://9916w1ow.mirror.aliyuncs.com/
Live Restore Enabled: false
WARNING: No swap limit support
# 确认能正常访问harbor服务器地址
root@ubuntu200401:~# ping harbor.magedu.net
PING harbor.magedu.net (10.0.0.133) 56(84) bytes of data.
64 bytes from docker-harbor1 (10.0.0.133): icmp_seq=1 ttl=64 time=0.144 ms
64 bytes from docker-harbor1 (10.0.0.133): icmp_seq=2 ttl=64 time=0.343 ms
登录访问
# docker login会提示输入用户名密码 admin/12345678
root@ubuntu200401:~# docker login harbor.magedu.net
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# /root/.docker/config.json文件保存了当前镜像仓库的认证信息。里面的 auth 字段只是 base64 编码,并不是加密,任何能读取该文件的人都可以通过 base64 -d 还原出用户名和密码。建议按上面的提示配置 credential helper,并限制该文件的访问权限。
上传镜像
root@ubuntu200401:~# docker push harbor.magedu.net/magedu/nginx:v1
镜像推送成功
ubuntu200402 节点下载镜像
修改/etc/docker/daemon.json,重启 docker,然后拉取刚推送到仓库的镜像
root@ubuntu200402:~# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://9916w1ow.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"insecure-registries": ["harbor.magedu.net"],
"log-opts": {
"max-file": "5",
"max-size": "100m"
}
}
root@ubuntu200402:~# systemctl restart docker
root@ubuntu200402:~# docker pull harbor.magedu.net/magedu/nginx:v1
v1: Pulling from magedu/nginx
aee1767db0dd: Pull complete
9e75cd419b1c: Pull complete
7679fa654305: Pull complete
232562ad247f: Pull complete
ac842c5bab00: Pull complete
cab6623b2bc5: Pull complete
d18a7ffe0197: Pull complete
Digest: sha256:b8f2e9651766bc915b23286eac05c26df0bde4dbf45ccf41db20c517b5ffb1e1
Status: Downloaded newer image for harbor.magedu.net/magedu/nginx:v1
harbor.magedu.net/magedu/nginx:v1
镜像下载成功。
4. containerd 安装和 nerdctl 简单使用
基于 ubuntu200401 的 init 快照克隆一台虚拟机 ubuntu200403。此环境尚未安装 docker,只安装了操作系统。将四台机器的 ip 都配置成静态 ip。其中 ubuntu200403 为 10.0.0.131。
root@ubuntu200403:~# cd /etc/netplan/
root@ubuntu200403:/etc/netplan# cat 00-installer-config.yaml
# This is the network config written by 'subiquity'
network:
ethernets:
ens33:
dhcp4: no
addresses: [10.0.0.131/24]
optional: true
gateway4: 10.0.0.2
nameservers:
addresses: [10.0.0.2]
version: 2
其他节点由于安装了 docker,自带了 containerd。如 ubuntu200401 节点的 containerd 信息如下:
root@ubuntu200401:~# which containerd
/usr/bin/containerd
root@ubuntu200401:~# containerd -v
containerd containerd.io 1.6.8 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6
本次我们在全新环境 ubuntu200403 节点安装 containerd
# 安装依赖
root@ubuntu200403:~# apt update
root@ubuntu200403:~# apt-get -y install apt-transport-https ca-certificates curl software-properties-common
# 安装GPG证书(apt-key 已被弃用;较新的系统建议把密钥保存为独立的 keyring 文件,并在软件源条目中用 signed-by 引用)
root@ubuntu200403:~# curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
OK
# 写入软件源信息
root@ubuntu200403:~# add-apt-repository "deb [arch=amd64] https://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
Hit:1 http://mirrors.aliyun.com/ubuntu focal InRelease
Hit:2 http://mirrors.aliyun.com/ubuntu focal-updates InRelease
Get:3 https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal InRelease [57.7 kB]
Hit:4 http://mirrors.aliyun.com/ubuntu focal-backports InRelease
Hit:5 http://mirrors.aliyun.com/ubuntu focal-security InRelease
Get:6 https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages [20.8 kB]
Fetched 78.5 kB in 1s (84.8 kB/s)
Reading package lists... Done
# 更新源信息
root@ubuntu200403:~# apt-get -y update
Hit:1 http://mirrors.aliyun.com/ubuntu focal InRelease
Hit:2 http://mirrors.aliyun.com/ubuntu focal-updates InRelease
Hit:3 http://mirrors.aliyun.com/ubuntu focal-backports InRelease
Hit:4 https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal InRelease
Hit:5 http://mirrors.aliyun.com/ubuntu focal-security InRelease
Reading package lists... Done
# 查询containerd.io可用版本
root@ubuntu200403:~# apt-cache madison containerd.io
containerd.io | 1.6.9-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.6.8-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.6.7-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.6.6-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.6.4-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.5.11-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.5.10-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.13-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.12-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.11-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.10-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.9-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.8-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.6-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.4-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.3-2 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.4.3-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.3.9-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.3.7-1 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
containerd.io | 1.2.13-2 | https://mirrors.aliyun.com/docker-ce/linux/ubuntu focal/stable amd64 Packages
# 安装containerd.io,指定版本为1.6.8-1
root@ubuntu200403:~# apt install -y containerd.io=1.6.8-1
root@ubuntu200403:~# containerd --version
containerd containerd.io 1.6.8 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6
# 打印containerd的默认配置
root@ubuntu200403:~# containerd config default
# 自定义配置
root@ubuntu200403:~# containerd config default > /etc/containerd/config.toml
# 1)修改sandbox_image,改为可访问的地址:
sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.7"
# 2)配置镜像加速,即在153行后增加两行内容
root@ubuntu200403:~# sed -n '153,156p' /etc/containerd/config.toml
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = ["https://9916w1ow.mirror.aliyuncs.com"]
[plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
# 重启containerd,使配置生效
root@ubuntu200403:~# systemctl restart containerd.service
# 查看containerd 为running状态
root@ubuntu200403:~# systemctl status containerd
# containerd没有集成runc,需要下载安装runc(安装前建议对照发布页提供的校验和文件核对下载的二进制)
root@ubuntu200403:~# wget https://github.com/opencontainers/runc/releases/download/v1.1.4/runc.amd64
--2022-10-30 10:14:11-- https://github.com/opencontainers/runc/releases/download/v1.1.4/runc.amd64
Resolving github.com (github.com)... 20.205.243.166
Connecting to github.com (github.com)|20.205.243.166|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/36960321/be20855c-9592-4953-b63e-58ee2b47b541?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20221030%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221030T101411Z&X-Amz-Expires=300&X-Amz-Signature=9cfd028db0db100400c26d5a549a8b83165b6556fcc52a6f1d80eb1d8583a1e1&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=36960321&response-content-disposition=attachment%3B%20filename%3Drunc.amd64&response-content-type=application%2Foctet-stream [following]
--2022-10-30 10:14:11-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/36960321/be20855c-9592-4953-b63e-58ee2b47b541?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20221030%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221030T101411Z&X-Amz-Expires=300&X-Amz-Signature=9cfd028db0db100400c26d5a549a8b83165b6556fcc52a6f1d80eb1d8583a1e1&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=36960321&response-content-disposition=attachment%3B%20filename%3Drunc.amd64&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.109.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9431456 (9.0M) [application/octet-stream]
Saving to: ‘runc.amd64’
runc.amd64 100%[=========================================================================================================>] 8.99M 2.27MB/s in 4.0s
2022-10-30 10:14:20 (2.27 MB/s) - ‘runc.amd64’ saved [9431456/9431456]
root@ubuntu200403:~# mv runc.amd64 /usr/bin/runc
root@ubuntu200403:~# chmod a+x /usr/bin/runc
root@ubuntu200403:~# runc -v
runc version 1.1.4
commit: v1.1.4-0-g5fd4c4d1
spec: 1.0.2-dev
go: go1.17.10
libseccomp: 2.5.4
# containerd 本身不提供容器网络,还需要安装 cni 插件。cni 是给容器配置网络、分配地址的组件
root@ubuntu200403:~# wget https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz
root@ubuntu200403:~# mkdir /opt/cni/bin -pv
root@ubuntu200403:~# tar xvf cni-plugins-linux-amd64-v1.1.1.tgz -C /opt/cni/bin/
# 安装兼容docker的containerd客户端nerdctl
root@ubuntu200403:~# wget https://github.com/containerd/nerdctl/releases/download/v0.23.0/nerdctl-0.23.0-linux-amd64.tar.gz
root@ubuntu200403:~# tar xvf nerdctl-0.23.0-linux-amd64.tar.gz -C /usr/bin/
nerdctl
containerd-rootless-setuptool.sh
containerd-rootless.sh
安装完之后,就可以使用 nerdctl 了。nerdctl 的用法和 docker 命令一样。
# pull一个nginx镜像
root@ubuntu200403:~# nerdctl pull nginx:1.18.0-alpine
docker.io/library/nginx:1.18.0-alpine: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:93baf2ec1bfefd04d29eb070900dd5d79b0f79863653453397e55a5b663a6cb1: done |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:ca9fac83c6c89a09424279de522214e865e322187b22a1a29b12747a4287b7bd: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:684dbf9f01f3250437d595669c7437c202573798ab34247d50338ff630e58b6a: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:4259d8811e1d8716d6744cee8efe95b081c391ebf596fe0dd197a7041c956da3: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:ddad3d7c1e96adf9153f8921a7c9790f880a390163df453be1566e9ef0d546e0: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:d04f0a2e920127922c4bf1252186544361b5043887ef177dc2638d07f95e582b: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:c7974bc8b744e53e801b97c1819fb9adbd3e36874a645e8e17d35669c25900b3: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:df7ae1cb4591426fb91492c8db67abd8e85adb5a9b7f1e61b6da6055fd63a297: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 25.8s total: 9.1 Mi (359.7 KiB/s)
# 查看镜像
root@ubuntu200403:~# nerdctl images
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE
nginx 1.18.0-alpine 93baf2ec1bfe About a minute ago linux/amd64 25.0 MiB 9.1 MiB
# 默认镜像在default命名空间
root@ubuntu200403:~# nerdctl -n default images
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE
nginx 1.18.0-alpine 93baf2ec1bfe About a minute ago linux/amd64 25.0 MiB 9.1 MiB
root@ubuntu200403:~# nerdctl -n k8s.io images
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE
# 后续pull镜像,可以指定-n k8s.io 命名空间。
# 创建nginx容器
root@ubuntu200403:~# nerdctl run -it -p 80:80 --name nginx nginx:1.18.0-alpine
# 另开一终端看看容器状态
root@ubuntu200403:~# nerdctl ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9147985be425 docker.io/library/nginx:1.18.0-alpine "/docker-entrypoint.…" 8 minutes ago Up 0.0.0.0:80->80/tcp nginx
访问 nginx 服务正常。
Starry