I. Deploying Docker
Download link:
https://download.docker.com/linux/static/stable/x86_64/
1. Download the Docker static binary tarball
wget https://download.docker.com/linux/static/stable/x86_64/docker-24.0.5.tgz
2. Unpack it and move the binaries into /usr/bin
tar xf docker-24.0.5.tgz
cp docker/* /usr/bin/
3. Create the containerd service file and start it
cat >/etc/systemd/system/containerd.service <<EOF
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target

[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/bin/containerd
Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=1048576
TasksMax=infinity
OOMScoreAdjust=-999

[Install]
WantedBy=multi-user.target
EOF
systemctl enable --now containerd.service
4. Prepare the Docker service file (the heredoc delimiter is quoted so the shell does not expand $MAINPID to an empty string)
cat > /etc/systemd/system/docker.service <<'EOF'
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket containerd.service

[Service]
Type=notify
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
KillMode=process
OOMScoreAdjust=-500

[Install]
WantedBy=multi-user.target
EOF
5. Prepare the Docker socket file
cat > /etc/systemd/system/docker.socket <<EOF
[Unit]
Description=Docker Socket for the API

[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker

[Install]
WantedBy=sockets.target
EOF
6. Create the docker group
groupadd docker
7. Start Docker
systemctl enable --now docker.socket && systemctl enable --now docker.service
8. Verify
docker info
9. Create daemon.json
cat >/etc/docker/daemon.json <<EOF
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "registry-mirrors": [
    "https://docker.mirrors.ustc.edu.cn",
    "http://hub-mirror.c.163.com"
  ],
  "max-concurrent-downloads": 10,
  "log-driver": "json-file",
  "log-level": "warn",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  },
  "data-root": "/var/lib/docker"
}
EOF
10. Restart Docker
systemctl restart docker
II. Deploying docker-compose
Download link:
https://download.docker.com/linux/centos/7/x86_64/stable/Packages/
1. Download the docker-compose rpm package
wget https://download.docker.com/linux/centos/7/x86_64/stable/Packages/docker-compose-plugin-2.10.2-3.el7.x86_64.rpm
2. Install the rpm package
yum install -y docker-compose-plugin-2.10.2-3.el7.x86_64.rpm
3. Move the binary (the default path is /usr/libexec/docker/cli-plugins/docker-compose)
mv /usr/libexec/docker/cli-plugins/docker-compose /usr/bin/
4. Verify
docker-compose -v
III. Deploying the Harbor registry
Download link:
https://github.com/goharbor/harbor/releases
III.1 Configuring Harbor
1. Unpack the installer
tar xf harbor-offline-installer-v2.8.2.tgz
2. Enter the install directory
cd harbor/
[root@harbor ~/harbor]# ll
total 596680
-rw-r--r-- 1 root root      3639 Jun  2 19:43 common.sh
-rw-r--r-- 1 root root 610962984 Jun  2 19:44 harbor.v2.8.2.tar.gz
-rw-r--r-- 1 root root     11736 Jun  2 19:43 harbor.yml.tmpl   # config template, must be renamed
-rwxr-xr-x 1 root root      2725 Jun  2 19:43 install.sh        # install script
-rw-r--r-- 1 root root     11347 Jun  2 19:43 LICENSE
-rwxr-xr-x 1 root root      1881 Jun  2 19:43 prepare           # generates the configuration
3. Edit the configuration file
# make a copy of the template, dropping blank and comment lines
egrep -v '^$|^#|^[ ]+#' harbor.yml.tmpl > harbor.yml
4. The configuration file (after editing)
cat >harbor.yml<<'EOF'
hostname: harbor.fxx.cn            # Harbor hostname
http:
  port: 8000                       # HTTP port
https:
  port: 443
  certificate: /fxx/harbor/cert/   # certificate directory, must be created
  private_key: /fxx/harbor/cert/
harbor_admin_password: Harbor12345 # Harbor admin password
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
  conn_max_lifetime: 5m
  conn_max_idle_time: 0
data_volume: /data
trivy:
  ignore_unfixed: false
  skip_update: false
  offline_scan: false
  security_check: vuln
  insecure: false
jobservice:
  max_job_workers: 10
  logger_sweeper_duration: 1 #days
notification:
  webhook_job_max_retry: 3
  webhook_job_http_client_timeout: 3 #seconds
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.8.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
upload_purging:
  enabled: true
  age: 168h
  interval: 24h
  dryrun: false
cache:
  enabled: false
  expire_hours: 24
EOF
III.2 Configuring the HTTPS certificate
1. Create the certificate directory
mkdir -p /fxx/harbor/cert/
cd /fxx/harbor/cert/
2. Generate the CA private key
openssl genrsa -out ca.key 4096
3. Generate the CA's self-signed certificate
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=fxx.cn" \
  -key ca.key \
  -out ca.crt
4. Generate the Harbor host's private key
openssl genrsa -out harbor.fxx.cn.key 4096
5. Generate the Harbor host's certificate signing request
openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.fxx.cn" \
  -key harbor.fxx.cn.key \
  -out harbor.fxx.cn.csr
6. Create the x509 v3 extension file
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=fxx.cn
DNS.2=fxx
DNS.3=harbor.fxx.cn
EOF
7. Sign the Harbor host certificate using "v3.ext"
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in harbor.fxx.cn.csr \
  -out harbor.fxx.cn.crt
8. Convert the crt file into a .cert client certificate file
openssl x509 -inform PEM -in harbor.fxx.cn.crt -out harbor.fxx.cn.cert
Tip: Docker treats "*.crt" files as CA certificates and "*.cert" files as client certificates, which is why step 8 converts the file; a plain cp would work just as well, since the content does not change.
9. Edit the Harbor configuration file
vim harbor.yml
...
hostname: harbor.fxx.cn
...
https:
  ...
  certificate: /fxx/harbor/cert/harbor.fxx.cn.crt
  private_key: /fxx/harbor/cert/harbor.fxx.cn.key
...
harbor_admin_password: Harbor12345
10. Install the Harbor service
cd /root/harbor && ./install.sh
11. Distribute the certificates
cd /fxx/harbor/cert/
mkdir -pv /etc/docker/certs.d/harbor.fxx.cn
cp {harbor.fxx.cn.cert,harbor.fxx.cn.key,ca.crt} /etc/docker/certs.d/harbor.fxx.cn
Tip: If the Harbor service is already installed, there is no need to run the "./install.sh" script again; just run "./prepare" followed by "docker-compose down" and "docker-compose up -d".
12. Browse to https://10.0.0.41
With this, the Harbor registry is set up.
III.3 Using the Harbor registry from other Docker nodes
1. On each docker-node that needs to use the Harbor registry, create the directory
mkdir -pv /etc/docker/certs.d/harbor.fxx.cn
2. On the Harbor host, send the certificates to the node
scp /etc/docker/certs.d/harbor.fxx.cn/{harbor.fxx.cn.cert,harbor.fxx.cn.key,ca.crt} root@10.0.0.10:/etc/docker/certs.d/harbor.fxx.cn/
3. On the node, add the name resolution and restart Docker
echo 10.0.0.41 harbor.fxx.cn >>/etc/hosts
systemctl restart docker
4. Log in to verify
docker login harbor.fxx.cn
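A check worth running over the certificate files from the HTTPS section before they are copied into /etc/docker/certs.d/harbor.fxx.cn/ on the Harbor host or on a node, as an added example that is not part of the original post: it confirms the leaf chains to ca.crt and names the host in its SAN, that v3.ext produced a server certificate rather than a CA, and that the .key next to it actually belongs to the certificate. It assumes only the openssl CLI (1.1.0 or newer) on PATH; demo_check is constructed demo data that rebuilds a throwaway CA and leaf in a temp directory with the same commands as above (2048-bit keys for speed).

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a Harbor server
# certificate bundle before it goes into /etc/docker/certs.d/<host>/.

# check_harbor_cert CRT KEY CA HOSTNAME -> returns 0 if every check passes.
check_harbor_cert() {
    crt=$1; key=$2; ca=$3; host=$4; rc=0
    # 1. The leaf must chain to ca.crt and carry HOSTNAME in its SAN.
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $crt is not signed by $ca or lacks SAN $host"; rc=1; }
    # 2. The leaf must be a server cert, not a CA (v3.ext: CA:FALSE, serverAuth).
    txt=$(openssl x509 -in "$crt" -noout -text)
    printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL: missing extendedKeyUsage serverAuth"; rc=1; }
    printf '%s\n' "$txt" | grep -q 'CA:FALSE' \
        || { echo "FAIL: leaf certificate is marked as a CA"; rc=1; }
    # 3. The private key next to it must belong to this certificate.
    a=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ] \
        || { echo "FAIL: $key does not match $crt"; rc=1; }
    return $rc
}

# demo_check [HOSTNAME]: constructed demo only. Builds a throwaway CA + leaf for
# harbor.fxx.cn in a temp dir (same openssl commands as the post, 2048-bit keys
# for speed), then verifies it against HOSTNAME (default harbor.fxx.cn).
demo_check() {
    want=${1:-harbor.fxx.cn}; d=$(mktemp -d); h=harbor.fxx.cn
    cat > "$d/v3.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=fxx.cn
DNS.2=fxx
DNS.3=harbor.fxx.cn
EOF
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/O=example/CN=fxx.cn" \
        -key "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl genrsa -out "$d/$h.key" 2048 2>/dev/null
    openssl req -sha512 -new -subj "/O=example/CN=$h" -key "$d/$h.key" -out "$d/$h.csr" 2>/dev/null
    openssl x509 -req -sha512 -days 3650 -extfile "$d/v3.ext" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -in "$d/$h.csr" -out "$d/$h.crt" 2>/dev/null
    if check_harbor_cert "$d/$h.crt" "$d/$h.key" "$d/ca.crt" "$want"; then rc=0; else rc=1; fi
    rm -rf "$d"; return $rc
}
```

On a real node run `check_harbor_cert harbor.fxx.cn.cert harbor.fxx.cn.key ca.crt harbor.fxx.cn` inside /etc/docker/certs.d/harbor.fxx.cn/ before `docker login`; a certificate that passes here but is reached by IP (as in step 12) will still produce a name mismatch in the browser.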