K8S(02)模拟生产环境搭建高可用集群之Docker私服

由于kubernetes是对docker容器的编排，kubernetes搭建过程中需要从docker仓库中去拉取所需要的镜像。生产的k8s集群一般是搭建在内网中，因此需要在内网搭建一个Docker仓库私服。

安装docker服务

下载docker二进制安装包：

https://download.docker.com/linux/static/stable/x86_64/docker-19.03.4.tgz

解压docker二进制包

将下载的docker二进制包上传到服务器上，然后解压：
tar -zxvf docker-19.03.4.tgz

移动到系统bin目录

在解压目录执行：sudo cp docker/* /usr/bin/

开启 docker 守护进程

sudo dockerd &

此时docker info 可以看到docker服务的信息

增加docker启动参数文件

sudo cat > /etc/docker/daemon.json <<EOF
{
“insecure-registries”:[“192.168.100.101”]
}
EOF

注册docker为系统服务

sudo vi /usr/lib/systemd/system/docker.service
文件内容如下：

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
 
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
ExecStart=/usr/bin/dockerd
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock 
ExecReload=/bin/kill -s HUP $MAINPID
 
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
 
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
# TasksMax=infinity
TimeoutStartSec=0
 
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
 
# kill only the docker process, not all processes in the cgroup
KillMode=process
 
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
 
[Install]
WantedBy=multi-user.target

然后就可使用service docker restart/stop/status 或者systemctl start/stop/status docker 等来操作docker服务

添加docker开机自启动

sudo systemctl enable docker

安装docker-compose服务

下载docker-compose二进制包

https://github.com/docker/compose/releases

上传docker-compose二进制包

将下载的docker-compose-Linux-x86_64二进制包上传到服务器上

移动到系统bin目录

在上传目录执行：sudo cp docker-compose-Linux-x86_64 /usr/bin/docker-compose
给docker-compose添加可执行权限：sudo chmod +x /usr/bin/docker-compose
然后docker-compose -v验证下：

安装harbor服务

下载harbor离线镜像包

https://github.com/vmware/harbor/releases或https://github.com/goharbor/harbor/releases
https://storage.googleapis.com/harbor-releases/release-1.9.0/harbor-offline-installer-v1.9.1.tgz
注：离线安装包中是docker镜像，大概500多MB

解压harbor离线安装包

将下载的harbor-offline-installer-v1.9.1.tgz离线安装包上传到服务器上
然后解压：tar -zxvf harbor-offline-installer-v1.9.1.tgz

创建https证书

mkdir cert && cd cert
创建https证书，根据官方文档：https://github.com/goharbor/harbor/blob/master/docs/configure_https.md

1	openssl genrsa -out ca.key 4096

openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=SH/L=BS/O=GR/OU=MaxBill/CN=registry.maxbill.com" \
 -key ca.key \
 -out ca.crt

openssl genrsa -out registry.maxbill.com.key 4096

openssl genrsa -out registry.maxbill.com.key 4096

openssl req -sha512 -new \
 -subj "/C=CN/ST=SH/L=BS/O=GR/OU=MaxBill/CN=registry.maxbill.com" \
 -key registry.maxbill.com.key \
 -out registry.maxbill.com.csr

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=registry.maxbill.com
DNS.2=192.168.100.101
EOF

openssl x509 -req -sha512 -days 3650 \
 -extfile v3.ext \
 -CA ca.crt -CAkey ca.key -CAcreateserial \
 -in registry.maxbill.com.csr \
 -out registry.maxbill.com.crt

修改harbor配置文件

vi harbor.yml 具体配置如下：
修改hostname: registry.maxbill.com
放开https配置：
https:
port: 443
certificate: /work/harbor/cert/registry.maxbill.com.crt
private_key: /work/harbor/cert/registry.maxbill.com.key
修改harbor_admin_password管理密码：MaxBill2019