环境信息:
系统:CentOS 7
配置: CPU 4核(建议最少4核)、内存4G 、磁盘200G
IP:192.168.86.9
nexus3版本:nexus-3.27.0-03-unix.tar.gz
nexus3安装包下载地址:
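# Fetch the archive over HTTPS so it cannot be altered in transit, and compare
# its checksum with the value published by Sonatype before unpacking it.
wget https://download.sonatype.com/nexus/3/nexus-3.27.0-03-unix.tar.gz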
或者(第三方网盘镜像,使用前请与官方发布的校验和比对)
链接:https://pan.baidu.com/s/1OFruEz3aIU1NxHVQf5YBFQ 提取码:demo
JDK下载地址
JDK版本:jdk-8u151-linux-x64
https://www.oracle.com/cn/java/technologies/javase/javase-jdk8-downloads.html
或者(第三方网盘镜像,使用前请与官方发布的校验和比对)
链接:https://pan.baidu.com/s/1dPIVFRi8hGdP7wOztoX6lg 提取码:demo
一、源码包方式部署
1>安装jdk并配置环境变量并验证
# Unpack the JDK under /usr/local and expose it through a stable symlink.
# NOTE(review): 8u151 is an old JDK 8 update; prefer the newest 8u build that
# this Nexus release supports.
tar -C /usr/local/ -xf jdk-8u151-linux-x64.tar
ln -s /usr/local/jdk1.8.0_151 /usr/local/java
# Append JAVA_HOME and PATH to the system-wide profile. The quoted delimiter
# keeps $JAVA_HOME and $PATH literal in the file.
cat >>/etc/profile <<'EOF'
JAVA_HOME=/usr/local/java
PATH=$JAVA_HOME/bin:$PATH
export JAVA_HOME PATH
EOF
# Load the new variables into the current shell and confirm the JDK runs.
source /etc/profile
java -version
2>安装nexus
# Unpack Nexus under /usr/local and point a version-independent symlink at it.
tar -C /usr/local/ -xf nexus-3.27.0-03-unix.tar.gz
ln -s /usr/local/nexus-3.27.0-03 /usr/local/nexus
# Dedicated service account with no login shell, so Nexus does not run as root.
useradd --home-dir "/home/nexus" --create-home --shell "/sbin/nologin" nexus
# NOTE(review): /usr/local/nexus is a symlink, and GNU chown -R does not follow
# a symlink named on the command line unless -H or -L is given, so the install
# tree presumably stays root-owned here. Confirm with `ls -ld`; a root-owned
# install tree with a nexus-owned data directory is the tighter layout.
chown -R nexus:nexus /usr/local/nexus /usr/local/sonatype-work
# Tell the launcher script which account to run as.
printf '%s\n' 'run_as_user="nexus"' >>/usr/local/nexus/bin/nexus.rc
配置systemctl管理nexus
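# Install a systemd unit that runs Nexus as the unprivileged "nexus" account.
# The delimiter is quoted so the shell writes the unit text verbatim, and the
# [Install] section appears once instead of twice.
cat <<'EOF' >/etc/systemd/system/nexus.service
[Unit]
Description=nexus service
After=network.target

[Service]
Type=forking
LimitNOFILE=65536
ExecStart=/usr/local/nexus/bin/nexus start
ExecStop=/usr/local/nexus/bin/nexus stop
User=nexus
Restart=on-abort
# Optional hardening to evaluate on this host: NoNewPrivileges=true, PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF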
启动nexus
# Make systemd read the new unit, register it for boot, then start it now.
systemctl daemon-reload
systemctl enable nexus.service
systemctl start nexus.service
3>登录nexus(hostIP:8081)
查看nexus的admin用户密码,使用admin用户登录
# Print the initial admin password generated on first start; replace it at first login.
# NOTE(review): Nexus is expected to delete this file once the password is changed — confirm.
cat /usr/local/sonatype-work/nexus3/admin.password
设置新密码
设置仓库访问权限
4>配置https访问
生成服务端需要配置的认证文件
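# Subject name and subjectAltName for the self-signed server certificate.
NEXUS_DOMAIN=192.168.86.9
NEXUS_IP_ADDRESS=192.168.86.9
# NOTE(review): "password" presumably matches what the stock jetty-https.xml
# expects. Outside a lab, pick a strong value and update jetty-https.xml to
# match; a password passed as an argument is also visible in the process list
# and in shell history.
PASSWD=password
# -ext "BC=ca:true" marks this certificate as a CA: any client that trusts it
# will also accept certificates signed with this key, so guard the keystore.
keytool -genkeypair -keystore keystore.jks -storepass "${PASSWD}" -keypass "${PASSWD}" \
  -alias nexus -keyalg RSA -keysize 2048 -validity 5000 \
  -dname "CN=${NEXUS_DOMAIN}, OU=demo, O=demo, L=Beijing, ST=Beijing, C=CN" \
  -ext "SAN=IP:${NEXUS_IP_ADDRESS}" -ext "BC=ca:true"
mv keystore.jks /usr/local/nexus/etc/ssl/
# The keystore holds the private key: readable by the service account only.
chown nexus:nexus /usr/local/nexus/etc/ssl/keystore.jks
chmod 600 /usr/local/nexus/etc/ssl/keystore.jks
# Export the public certificate, reusing the same variable instead of a second
# hard-coded copy of the password.
keytool -export -alias nexus -keystore /usr/local/nexus/etc/ssl/keystore.jks \
  -file keystore.cer -storepass "${PASSWD}"
mv keystore.cer /usr/local/nexus/etc/ssl/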
生成客户端证书
口令都配置password
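# Convert the JKS keystore to PKCS#12; keytool prompts for the passwords.
keytool -importkeystore -srckeystore /usr/local/nexus/etc/ssl/keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12
# -nokeys writes only the certificate, so keystore.crt is the file clients need.
openssl pkcs12 -in keystore.p12 -nokeys -out keystore.crt
mv keystore.crt keystore.p12 /usr/local/nexus/etc/ssl/
# keystore.p12 still contains the private key: keep it root-only and never
# hand it out together with the client certificate.
chmod 600 /usr/local/nexus/etc/ssl/keystore.p12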
配置 Nexus 使用证书,开启 https
# Keep a copy of the stock properties file before editing it.
# NOTE(review): this file lives in the install tree, so the edits are presumably
# lost when the tree is replaced on upgrade — confirm whether a properties file
# in the data directory is the better place.
cp /usr/local/nexus/etc/nexus-default.properties /usr/local/nexus/etc/nexus-default.properties.bak
# Insert the HTTPS listener port (8443) just before the existing application-port line.
sed -i '/application-port=/i\\ application-port-ssl=8443' /usr/local/nexus/etc/nexus-default.properties
# Drop any existing nexus-args line, then append one that also loads jetty-https.xml.
# jetty-http.xml stays in the list, so the plain-HTTP port keeps listening next to
# HTTPS; restrict it with a firewall if logins must only travel over TLS.
sed -i '/nexus-args/d' /usr/local/nexus/etc/nexus-default.properties
echo 'nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml' >>/usr/local/nexus/etc/nexus-default.properties
重启nexus验证https访问
# Restart so Jetty picks up the HTTPS connector, then check that port 8443 answers.
systemctl restart nexus.service
二、k8s方式部署
1、环境信息
ingress入口:192.168.86.36
域名规划:
主站点:repository.onap.vip
2、生成证书(参考:certbot生成证书)
# Request a certificate for the host and its wildcard through a manual DNS-01 challenge.
# With --manual and no hook scripts, certbot cannot renew unattended: repeat the
# challenge before expiry and then refresh the Kubernetes TLS secret.
certbot --server https://acme-v02.api.letsencrypt.org/directory -d "repository.onap.vip" -d "*.repository.onap.vip" --manual --preferred-challenges dns-01 certonly
3、nexus3部署yaml
# Create the namespace.
kubectl create namespace repository
# Create the TLS secret that the Ingress needs for HTTPS. The .privkey.pem file
# is the private key: keep it out of version control and off shared hosts.
kubectl --namespace repository create secret tls repository-onap-vip-tls-secret \
  --cert=repository.onap.vip.fullchain.pem \
  --key=repository.onap.vip.privkey.pem
# Apply the manifest listed below.
kubectl --namespace repository apply -f nexus3-deploy.yaml
nexus3-deploy.yaml
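# Service in front of the Nexus pod: the web UI/API port plus two Docker
# connector ports. Nesting is restored so the manifest parses as intended.
# NOTE(review): type NodePort opens every listed port on every node address,
# so 8081 and both Docker ports are reachable without going through the
# TLS-terminating Ingress. If only the Ingress should expose 8081, ClusterIP
# is sufficient for that port; confirm who needs node-level access.
apiVersion: v1
kind: Service
metadata:
  name: sonatype-nexus
  labels:
    app: sonatype-nexus
spec:
  type: NodePort
  ports:
    - name: sonatype-nexus
      port: 8081
      targetPort: 8081
      protocol: TCP
    # Only this port pins its nodePort; the others get one assigned.
    - name: dockerio-proxy
      port: 10001
      targetPort: 10001
      nodePort: 32001
      protocol: TCP
    - name: local-docker
      port: 10002
      targetPort: 10002
      protocol: TCP
  selector:
    app: sonatype-nexus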
---
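# HTTPS entry point for the Nexus web UI, terminated by the nginx ingress
# controller with the certificate stored in repository-onap-vip-tls-secret.
# NOTE(review): extensions/v1beta1 Ingress is not served from Kubernetes 1.22
# onward; on current clusters port this object to networking.k8s.io/v1.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: repository.onap.vip
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: repository.onap.vip
      http:
        paths:
          # Explicit "/" instead of a bare `path:` (which parses as null).
          - path: /
            backend:
              serviceName: sonatype-nexus
              servicePort: 8081
  tls:
    - hosts:
        - repository.onap.vip
      secretName: repository-onap-vip-tls-secret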
---
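# Persistent storage for /nexus-data (blob stores, database, configuration).
# NOTE(review): 10Gi is small for a repository manager that proxies Docker
# images; size it for the expected content before going live.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: sonatype-nexus
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 10Gi
  storageClassName: csi-rbd-sc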
---
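# Single-replica Nexus 3 deployment backed by the sonatype-nexus PVC.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sonatype-nexus
  labels:
    app: sonatype-nexus
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sonatype-nexus
  template:
    metadata:
      labels:
        app: sonatype-nexus
    spec:
      containers:
        - name: sonatype-nexus
          # NOTE(review): 3.34.0 is an old release. Check Sonatype's security
          # advisories and run a currently supported version.
          image: sonatype/nexus3:3.34.0
          imagePullPolicy: IfNotPresent
          # One list entry per port. The original repeated containerPort inside
          # a single entry, where duplicate keys make all but one value vanish.
          ports:
            - name: server
              containerPort: 8081
            - name: dockerio-proxy
              containerPort: 10001
            - name: local-docker
              containerPort: 10002
          livenessProbe:
            httpGet:
              path: /
              port: 8081
            initialDelaySeconds: 30
            periodSeconds: 30
            failureThreshold: 6
          readinessProbe:
            httpGet:
              path: /
              port: 8081
            initialDelaySeconds: 30
            periodSeconds: 30
            failureThreshold: 6
          env:
            # NOTE(review): -Xms4096M already equals the 4096Mi memory limit
            # below, and -Xmx plus MaxDirectMemorySize exceed it, so the kernel
            # is likely to OOM-kill the container under load. Raise the limit or
            # shrink the JVM sizes so heap + direct memory fit inside it.
            - name: INSTALL4J_ADD_VM_PARAMS
              value: >-
                -Xms4096M
                -Xmx6096M
                -XX:MaxDirectMemorySize=4G
                -XX:+UnlockExperimentalVMOptions
                -XX:+UseCGroupMemoryLimitForHeap
          resources:
            limits:
              cpu: 4000m
              memory: 4096Mi
            requests:
              cpu: 2000m
              memory: 2048Mi
          volumeMounts:
            - name: sonatype-nexus-data
              mountPath: /nexus-data
      volumes:
        - name: sonatype-nexus-data
          persistentVolumeClaim:
            claimName: sonatype-nexus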