# Harbor Basics
# Installing Harbor
Disable SELinux.
Set the hostname.
If firewalld is present, stop and disable it.
```bash
systemctl stop firewalld && systemctl disable firewalld
```
Synchronize the time:
```bash
apt install ntpdate
crontab -e
# add the following entry in the editor:
# 0 */1 * * * ntpdate time1.aliyun.com
crontab -l
```
Install Docker.
Generate the SSL certificate; see the configure-https documentation:
```bash
# Generate ca.key
openssl genrsa -out ca.key 3072
# Generate ca.pem
openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
# Generate harbor.key, the private key
openssl genrsa -out harbor.key 3072
# Generate a certificate signing request, needed when issuing the certificate below. Fill in the prompts marked with an arrow and leave the unmarked ones empty. Make sure to enter the domain name.
openssl req -new -key harbor.key -out harbor.csr
# Issue the certificate
openssl x509 -req -in harbor.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out harbor.pem -days 3650
```
Download the Harbor installation package.
Copy harbor.yml.tmpl to harbor.yml and modify the SSL options in it.
```yaml
hostname: harborenv
https:
  certificate: /data/ssl/harbor.pem
  private_key: /data/ssl/harbor.key
```
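The certificate commands above produce a certificate without a subjectAltName, and Go-based clients such as Docker and containerd validate the registry address against SAN entries only, which is what pushes client configurations toward `insecure-registries` and `insecure_skip_verify`. The following script is an added example, not part of the original page: it issues the same CA and server certificate with SAN entries, checks the result, and installs the CA for Docker so the client can verify the registry. The function names, `san.ext` and the CA subject are assumptions; `harborenv`, `192.168.20.23` and `/data/ssl` are the values used on this page.

```sh
#!/bin/sh
# Added example, not from the original page. Function names, san.ext and the
# CA subject are assumptions; harborenv and 192.168.20.23 are the page's values.
set -eu

# Issue ca.pem plus a harbor.pem that carries subjectAltName entries.
issue_harbor_cert() {   # usage: issue_harbor_cert <dir> <dns-name> <ip>
  mkdir -p "$1"
  openssl genrsa -out "$1/ca.key" 3072
  openssl req -new -x509 -days 3650 -key "$1/ca.key" \
    -subj "/CN=Example Harbor CA" -out "$1/ca.pem"
  openssl genrsa -out "$1/harbor.key" 3072
  openssl req -new -key "$1/harbor.key" -subj "/CN=$2" -out "$1/harbor.csr"
  # Clients match the registry address against these names, not the CN.
  printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
    "$2" "$3" > "$1/san.ext"
  openssl x509 -req -in "$1/harbor.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/san.ext" -out "$1/harbor.pem" -days 3650
  chmod 600 "$1/ca.key" "$1/harbor.key"
}

# Succeeds only if harbor.pem chains to ca.pem and lists the given SAN entry,
# written the way openssl prints it: "DNS:<name>" or "IP Address:<addr>".
cert_is_trusted_for() { # usage: cert_is_trusted_for <dir> <san-entry>
  openssl verify -CAfile "$1/ca.pem" "$1/harbor.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/harbor.pem" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -qF "$2"
}

# Copy the CA to Docker's per-registry trust directory and print the path.
# The optional third argument is a root prefix, useful for a dry run.
install_ca_for_docker() { # usage: install_ca_for_docker <ca.pem> <registry> [root]
  dest="${3:-}/etc/docker/certs.d/$2"
  mkdir -p "$dest"
  cp "$1" "$dest/ca.crt"
  echo "$dest/ca.crt"
}

# Nothing is written unless the script is started with --run.
if [ "${1:-}" = "--run" ]; then
  issue_harbor_cert /data/ssl harborenv 192.168.20.23
  cert_is_trusted_for /data/ssl 'IP Address:192.168.20.23'
  install_ca_for_docker /data/ssl/ca.pem 192.168.20.23
fi
```

With the CA installed this way, Docker can verify that registry without an `insecure-registries` entry; for containerd the equivalent is setting `ca_file` in the registry's `.tls` table to the CA file instead of `insecure_skip_verify = true`.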
# Using Harbor
# Docker
Connecting Docker to the Harbor registry:
```bash
vi /etc/docker/daemon.json
```
Add the following:
```json
"insecure-registries" : ["192.168.10.5","harbor"]
```
```bash
systemctl restart docker
```
Push an image to Harbor:
```bash
docker login 192.168.20.23
# To push to the library project
docker tag nginx:latest 192.168.20.23/library/nginx:v1
docker push 192.168.20.23/library/nginx:v1
```
# Containerd
To connect containerd to the Harbor registry, see the documentation: Configure Image Registry
```bash
containerd config default > /etc/containerd/config.toml
vi /etc/containerd/config.toml
```
```toml
[plugins."io.containerd.grpc.v1.cri".registry]
  config_path = ""

  [plugins."io.containerd.grpc.v1.cri".registry.auths]

  [plugins."io.containerd.grpc.v1.cri".registry.configs]
    [plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.20.23:443".tls]
      insecure_skip_verify = true
    [plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.20.23:443".auth]
      username = "admin"
      password = "Harbor12345"

  [plugins."io.containerd.grpc.v1.cri".registry.headers]

  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
      endpoint = ["https://b9pmyelo.mirror.aliyuncs.com"]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."*"]
      endpoint = ["https://192.168.20.23:443"]
```
Restart containerd:
```bash
systemctl daemon-reload
systemctl restart containerd
systemctl status containerd.service
```
Test pulling an image. Note that ctr does not read the /etc/containerd/config.toml configuration file; that file is used by CRI, which means kubectl or crictl will use it.
```bash
# To test pulling an image:
crictl pull 192.168.20.23/myrepo/nginx:latest
# To test with ctr:
apt install --only-upgrade containerd.io
ctr images pull 192.168.20.23/myrepo/httpd:latest --skip-verify --user=admin:Harbor12345
ctr i pull --plain-http 192.168.20.23/myrepo/httpd:latest
# The images pulled above do not show up in:
ctr image ls
# To see them, use:
ctr -n=k8s.io image ls
crictl image
# To delete an image:
crictl rmi imageID
```
To test this worker node from the k8s master node:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pulltestpod
  labels:
    app: mypulltest
spec:
  replicas: 1
  selector:
    matchLabels:
      app: testpull
  template:
    metadata:
      labels:
        app: testpull
    spec:
      containers:
      - name: busyapp
        image: 192.168.20.23/myrepo/nginx:latest
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
      nodeSelector:
        kubernetes.io/hostname: worker1
```
# CRIO
Connecting CRIO to the Harbor registry:
```toml
# /etc/containers/registries.conf.d/myrepo.conf
[[registry]]
prefix = "192.168.20.23"
insecure = true
blocked = false
location = "192.168.20.23"
[[registry.mirror]]
location = "192.168.20.23"
insecure = true
```
Restart crio and test pulling an image:
```bash
systemctl daemon-reload
systemctl restart crio
crictl pull 192.168.20.23/myrepo/httpd
```