2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
First, deployment environment:

host              operating system   ip address
k8s01 (master)    CentOS 7.3         172.16.1.30
k8s02 (node01)    CentOS 7.3         172.16.1.31
k8s03 (node02)    CentOS 7.3         172.16.1.32

Second, deploy Harbor
Any server can be used; here the master node of the K8s cluster is chosen to host the Harbor private repository.
1) install the necessary system tools
[root@master ~]# yum -y install yum-utils device-mapper-persistent-data lvm2
2) install docker-compose
GitHub download address: https://github.com/docker/compose/releases. Choose the version you need; for example, download version 1.25.0:
[root@master ~]# curl -L https://github.com/docker/compose/releases/download/1.25.0-rc4/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
# add executable permissions:
[root@master ~]# chmod +x /usr/local/bin/docker-compose
# view the compose version:
[root@master ~]# docker-compose -v
docker-compose version 1.25.0-rc4, build 8f3c9c58
3) download the harbor installation package and extract it:
Download address: https://github.com/goharbor/harbor/releases
For example, download v1.7.4.
# choose offline installation mode (offline):
[root@master harbor]# wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.4.tgz
[root@master harbor]# tar xf harbor-offline-installer-v1.7.4.tgz
[root@master harbor]# cd harbor/
[root@master harbor]# ls
common                          docker-compose.notary.yml  harbor.v1.7.4.tar.gz  open_source_license
docker-compose.chartmuseum.yml  docker-compose.yml         install.sh            prepare
docker-compose.clair.yml        harbor.cfg                 LICENSE
4) configure harbor
# modify harbor configuration file:
[root@master harbor] # vim harbor.cfg
Change "hostname" to the host's own IP address or domain name, and leave the other parameters at their defaults for now; they can be modified later if needed. The parameters of the configuration file are as follows:
# hostname sets the access address. An IP address or a domain name can be used; it cannot be set to 127.0.0.1 or localhost
hostname = 172.16.1.30
# access protocol. The default is http; https can also be set. If https is set, nginx ssl must be turned on
ui_url_protocol = http
# default password of the mysql database root user is root123; change it in actual use
db_password = root123
max_job_workers = 3
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA
# email settings, used when sending the reset-password email
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
# password for the administrator UI login after Harbor starts. The default is Harbor12345
harbor_admin_password = Harbor12345
# authentication mode. Several methods are supported, such as LDAP, local storage, and database authentication. The default is db_auth, mysql database authentication
auth_mode = db_auth
# LDAP authentication configuration items
ldap_url = ldaps://ldap.mydomain.com
ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
ldap_search_pwd = password
ldap_basedn = ou=people,dc=mydomain,dc=com
ldap_filter = (objectClass=person)
ldap_uid = uid
ldap_scope = 3
ldap_timeout = 5
# whether to enable self-registration
self_registration = on
# token validity time, default is 30 minutes
token_expiration = 30
# permission control for creating projects. The default is everyone; it can also be set to adminonly (administrators only)
project_creation_restriction = everyone
verify_remote_cert = on
5) install harbor
Simply execute the installation script:
[root@master harbor]# ./install.sh    # note: run it from the harbor directory
6) Log in to the harbor web interface and visit URL: http://172.16.1.30
# default user name: admin, password: Harbor12345
// the above information can be found in the harbor configuration file
// the login interface is as follows:
# create a new project:
# the newly built project can be used as a repository. Currently, there are no images in the repository, so you can upload images at will:
7) start and stop of Harbor
// stop harbor:
[root@master harbor]# docker-compose stop
Stopping nginx ... done
Stopping harbor-portal ... done
Stopping harbor-jobservice ... done
Stopping harbor-core ... done
Stopping harbor-adminserver ... done
Stopping registryctl ... done
Stopping redis ... done
Stopping registry ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
// start harbor:
[root@master harbor]# docker-compose start
Starting log ... done
Starting registry ... done
Starting registryctl ... done
Starting postgresql ... done
Starting adminserver ... done
Starting core ... done
Starting portal ... done
Starting redis ... done
Starting jobservice ... done
Starting proxy ... done
// restart harbor
To restart Harbor, it is generally recommended to run stop and then start. Using restart directly may cause an error.
8) modify the default login password of Harbor
# leaving the default login password in place is a security risk, so the Harbor web interface provides a menu option to change the password, as follows:
// modify the password of admin:
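The defaults listed in step 4 (admin and database passwords, plain http, open self-registration) are easy to carry into production unnoticed. The following check is an added example, not part of the original article or of Harbor; the function names `audit_harbor_cfg` and `sample_cfg` are hypothetical, and the sample file is constructed from the values shown above. It can be run against harbor.cfg before install.sh.

```shell
#!/bin/sh
# Added example: flag risky defaults in a Harbor 1.7-style harbor.cfg.
# Only keys and default values that appear in the listing above are checked.

audit_harbor_cfg() {
    # $1: path to harbor.cfg (stdin if omitted). One finding per line; status 1 if any.
    awk '
        /^[ \t]*#/ || !/=/ { next }              # skip comments and non key=value lines
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1) # values may contain "=" (LDAP DNs)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            cfg[key] = val
        }
        END {
            if (cfg["harbor_admin_password"] == "Harbor12345")
                f[++n] = "harbor_admin_password: default admin password still set"
            if (cfg["db_password"] == "root123")
                f[++n] = "db_password: default database password still set"
            if (cfg["ui_url_protocol"] == "http")
                f[++n] = "ui_url_protocol: http, logins and pushes cross the network in cleartext"
            if (cfg["self_registration"] == "on")
                f[++n] = "self_registration: anyone who can reach the UI can create an account"
            if (cfg["project_creation_restriction"] == "everyone")
                f[++n] = "project_creation_restriction: every user can create projects"
            for (i = 1; i <= n; i++) print f[i]
            exit (n > 0)
        }
    ' "${1:--}"
}

sample_cfg() {                                   # constructed sample using the defaults above
    cat <<'EOF'
# password for the administrator UI login
hostname = 172.16.1.30
ui_url_protocol = http
db_password = root123
harbor_admin_password = Harbor12345
ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
self_registration = on
project_creation_restriction = everyone
EOF
}

sample_cfg | audit_harbor_cfg || true            # prints five findings for the sample
```

On a real host, call `audit_harbor_cfg harbor.cfg` from the harbor directory and treat a non-zero status as a failed pre-install check.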
Third, use the Harbor private repository
# modify the docker configuration file:
[root@master harbor]# vim /usr/lib/systemd/system/docker.service
# reload and restart docker:
[root@master harbor]# systemctl daemon-reload
[root@master harbor]# systemctl restart docker
# restart harbor:
[root@master harbor]# docker-compose stop
[root@master harbor]# docker-compose start
2) the client logs in to harbor:
[root@master harbor]# docker login -uadmin -p Harbor12345 172.16.1.30:80
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# push the images that need to be uploaded to the harbor repository, such as the nginx image
# Note: push to a repository (project) that already exists in harbor
[root@master harbor]# docker tag nginx:latest 172.16.1.30:80/harbor/nginx:v1.0
[root@master harbor]# docker push 172.16.1.30:80/harbor/nginx:v1.0
The push refers to repository [172.16.1.30:80/harbor/nginx]
12fdf55172df: Pushed
002a63507c1c: Pushed
1c95c77433e8: Pushed
v1.0: digest: sha256:099019968725f0fc12c4b69b289a347ae74cc56da0f0ef56e8eb8e0134fc7911 size: 948
# you can see the uploaded image in the harbor repository
# if you need to delete an image, you can delete it online:
3) other users share harbor repository
# copy the docker configuration file on master to the other nodes (node01, node02):
[root@master harbor]# scp /usr/lib/systemd/system/docker.service root@node01:/usr/lib/systemd/system/
docker.service 1634 1.6KB/s 00:00
[root@master harbor]# scp /usr/lib/systemd/system/docker.service root@node02:/usr/lib/systemd/system/
docker.service 1634 1.6KB/s 00:00
# reload docker:
[root@node01 ~]# systemctl daemon-reload
[root@node01 ~]# systemctl restart docker
[root@node02 ~]# systemctl daemon-reload
[root@node02 ~]# systemctl restart docker
2) Log in to harbor private repository (take node01 as an example):
[root@node01 ~]# docker login -u admin -p Harbor12345 172.16.1.30:80
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
3) pull the image from the harbor repository:
[root@node01 ~]# docker pull 172.16.1.30:80/harbor/nginx:v1.0
v1.0: Pulling from harbor/nginx
1ab2bdfe9778: Pull complete
a17e64cfe253: Pull complete
e1288088c7a8: Pull complete
Digest: sha256:099019968725f0fc12c4b69b289a347ae74cc56da0f0ef56e8eb8e0134fc7911
Status: Downloaded newer image for 172.16.1.30:80/harbor/nginx:v1.0
[root@node01 ~]# docker images | grep nginx
172.16.1.30:80/harbor/nginx   v1.0   5a3221f0137b   6 months ago   126MB
4) simply deploy the nginx service with the image in the harbor private repository
[root@master harbor]# cat nginx.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx
spec:
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: nginx
        image: 172.16.1.30:80/harbor/nginx:v1.0    # download the image from the specified harbor repository
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  type: NodePort
  selector:
    app: web
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    nodePort: 30000
// create the nginx service and visit the nginx web page:
[root@master harbor]# kubectl create -f nginx.yaml
deployment.extensions/nginx created
service/nginx-svc created
[root@master harbor]# kubectl get pod,svc
NAME                         READY   STATUS    RESTARTS   AGE
pod/nginx-7559d56464-tqc2g   1/1     Running   0          63s

NAME                 TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
service/kubernetes   ClusterIP   10.96.0.1      <none>        443/TCP        113d
service/nginx-svc    NodePort    10.105.18.41   <none>        80:30000/TCP   63s
Fourth, pull the private images in the Harbor repository
By default, K8S can only pull public images from the Harbor repository. Pulling private images results in an error, ErrImagePull or ImagePullBackOff, as shown in the following figure (node02 has no locally pulled copy of the image, so an error is reported).
To solve this problem, we need to create a login credential (a Secret) that is used to authenticate when pulling the private image.
Core idea: to pull an image from the private repository, store the repository's login information in a Secret, and when defining the Deployment or Pod, set imagePullSecrets to the name of the Secret that stores that login information.
Note: you need to log in to harbor on the client before you can pull the private image in the harbor repository.
# there are two ways to create a Secret:
1. Create a Secret from the Docker credential
1) Log in to the Harbor repository on the server:
[root@master harbor]# docker login -uadmin -pHarbor12345 172.16.1.30
2) after a successful login, a ~/.docker/config.json file is generated under the current user:
[root@master harbor]# cat ~/.docker/config.json
{
	"auths": {
		"172.16.1.30:80": {
			"auth": "YWRtaW46SGFyYm9yMTIzNDU="
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.09.0 (linux)"
	}
}
# encode the config.json file with base64 (base64 is an encoding, not encryption):
[root@master harbor]# cat ~/.docker/config.json | base64 -w 0
ewoJImF1dGhzIjogewoJCSIxNzIuMTYuMS4zMDo4MCI6IHsKCQkJImF1dGgiOiAiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOC4wOS4wIChsaW51eCkiCgl9Cn0=
3) create a secret
[root@master harbor]# vim login-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: login
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSIxNzIuMTYuMS4zMDo4MCI6IHsKCQkJImF1dGgiOiAiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOC4wOS4wIChsaW51eCkiCgl9Cn0=
[root@master harbor]# kubectl create -f login-secret.yaml
secret/login created
[root@master harbor]# kubectl get secrets
NAME                  TYPE                                  DATA   AGE
default-token-wswg2   kubernetes.io/service-account-token   3      113d
login                 kubernetes.io/dockerconfigjson        1      36s
2. Create the Secret from a user name and password (done in one command, recommended)
# use the user name and password of the private repository to create the Secret directly:
[root@master harbor]# kubectl create secret docker-registry login-new --docker-server=172.16.1.30:80 --docker-username=admin --docker-password=Harbor12345
secret/login-new created
[root@master harbor]# kubectl get secrets
NAME                  TYPE                                  DATA   AGE
default-token-wswg2   kubernetes.io/service-account-token   3      113d
login                 kubernetes.io/dockerconfigjson        1      38m
login-new             kubernetes.io/dockerconfigjson        1      11m
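Both methods above put the registry password on a command line, and the resulting Secret is only base64-encoded. The script below is an added example, not from the original article: it builds the same kubernetes.io/dockerconfigjson manifest with the password read from stdin, and decodes a manifest to show what anyone allowed to read the Secret recovers. The function names are hypothetical, and it assumes the registry and user name contain no `"` or `\` characters.

```shell
#!/bin/sh
# Added example: build a kubernetes.io/dockerconfigjson Secret without `docker login`
# and without a password in argv or shell history.

b64() { base64 | tr -d '\n'; }           # single-line output, like `base64 -w 0`

registry_auth() {                         # $1 user, $2 password -> value of the "auth" field
    printf '%s:%s' "$1" "$2" | b64
}

pull_secret_manifest() {                  # $1 secret name, $2 registry, $3 user; password on stdin
    IFS= read -r pw
    cfg=$(printf '{"auths":{"%s":{"auth":"%s"}}}' "$2" "$(registry_auth "$3" "$pw")")
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(printf '%s' "$cfg" | b64)
EOF
}

decode_pull_secret() {                    # manifest on stdin -> the user:password it carries
    # Two base64 layers and no key: read access to the Secret equals knowing the password.
    sed -n 's/^ *\.dockerconfigjson: *//p' | base64 -d |
        sed -n 's/.*"auth": *"\([^"]*\)".*/\1/p' | base64 -d
}

# Demo with the registry and account used in this article (constructed input):
printf '%s\n' 'Harbor12345' | pull_secret_manifest login-new 172.16.1.30:80 admin
```

Pipe the manifest into `kubectl apply -f -` to create the Secret; because the data is recoverable as shown, restrict who can read Secrets in the namespace and prefer a dedicated low-privilege Harbor account over admin.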
## deploy applications and pull private images (take the nginx service above as an example):
[root@master harbor]# cat nginx.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx
spec:
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: nginx
        image: 172.16.1.30:80/harbor/nginx:v1.0
        ports:
        - containerPort: 80
      imagePullSecrets:        # add the imagePullSecrets field
      - name: login
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  type: NodePort
  selector:
    app: web
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    nodePort: 30000
Note: you need to specify the imagePullSecrets field when creating the container (specify the key you just created)
# recreate the nginx service:
[root@master harbor]# kubectl delete -f nginx.yaml
[root@master harbor]# kubectl apply -f nginx.yaml
# check pod again and successfully pull the private image in the harbor repository
## test the Secret created by the second method and deploy the application:
# recreate the nginx service:
Note: first delete the image previously pulled to the node's local storage.
[root@master harbor]# kubectl apply -f nginx.yaml
deployment.extensions/nginx configured
service/nginx-svc unchanged
# viewing pod, you can also successfully pull private images in the Harbor repository: