1. Prerequisites
Install rke2:
2. Configure the image registry
Containerd can be configured to connect to a private image registry and use it to pull private images on every node.
On startup, RKE2 checks whether a registries.yaml file exists in /etc/rancher/rke2/ and, if so, instructs containerd to use the registries defined in that file.
$ vim /etc/rancher/rke2/registries.yaml
mirrors:
  harbor.ghostwritten.com:
    endpoint:
      - "https://harbor.ghostwritten.com"
configs:
  "harbor.ghostwritten.com":
    auth:
      username: admin
      password: Harbor12345
    tls:
      insecure_skip_verify: true
Restart rke2-server:
systemctl restart rke2-server.service && systemctl status rke2-server.service
After the restart, the registry configuration from /etc/rancher/rke2/registries.yaml is propagated into /var/lib/rancher/rke2/agent/etc/containerd/config.toml.
cat /var/lib/rancher/rke2/agent/etc/containerd/config.toml
# File generated by rke2. DO NOT EDIT. Use config.toml.tmpl instead.
version = 2

[plugins."io.containerd.internal.v1.opt"]
  path = "/var/lib/rancher/rke2/agent/containerd"

[plugins."io.containerd.grpc.v1.cri"]
  stream_server_address = "127.0.0.1"
  stream_server_port = "10010"
  enable_selinux = false
  enable_unprivileged_ports = true
  enable_unprivileged_icmp = true
  sandbox_image = "index.docker.io/rancher/pause:3.6"

[plugins."io.containerd.grpc.v1.cri".containerd]
  snapshotter = "overlayfs"
  disable_snapshot_annotations = true

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
  runtime_type = "io.containerd.runc.v2"

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
  SystemdCgroup = true

[plugins."io.containerd.grpc.v1.cri".registry.mirrors]

[plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.ghostwritten.com"]
  endpoint = ["https://harbor.ghostwritten.com"]

[plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.ghostwritten.com".auth]
  username = "admin"
  password = "Harbor12345"

[plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.ghostwritten.com".tls]
  insecure_skip_verify = true
3. HTTPS login verification
- Deploy the image registry: see "Deploying a Harbor image registry on CentOS 7.9 in practice"
Copy the registry's certificates to the RKE2 node and make its hostname resolvable:
mkdir -p /etc/docker/certs.d/
echo "192.168.23.47 harbor.fumai02.com" >> /etc/hosts
scp -r root@192.168.23.47:/etc/docker/certs.d/harbor.fumai02.com/ /etc/docker/certs.d/
Configuration:
$ vim /etc/rancher/rke2/registries.yaml
mirrors:
  docker.io:
    endpoint:
      - "https://harbor.fumai02.com"
configs:
  "harbor.fumai02.com":
    auth:
      username: admin
      password: Harbor12345
    tls:
      cert_file: /etc/docker/certs.d/harbor.fumai02.com/harbor.fumai02.com.cert
      key_file: /etc/docker/certs.d/harbor.fumai02.com/harbor.fumai02.com.key
      ca_file: /etc/docker/certs.d/harbor.fumai02.com/ca.crt
      insecure_skip_verify: true
Check the current containerd configuration so it can be compared with the updated one afterwards:
cat /var/lib/rancher/rke2/agent/etc/containerd/config.toml
Restart rke2-server and the change takes effect:
systemctl restart rke2-server.service && systemctl status rke2-server.service
Here I shut the machine down first so that I could also take a snapshot of the cluster; after taking the snapshot I started the machine again, and rke2-server started automatically.
$ cat /var/lib/rancher/rke2/agent/etc/containerd/config.toml | grep -C 3 fumai02
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]

[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
  endpoint = ["https://harbor.fumai02.com"]

[plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.fumai02.com".auth]
  username = "admin"
  password = "Harbor12345"

[plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.fumai02.com".tls]
  ca_file = "/etc/docker/certs.d/harbor.fumai02.com/ca.crt"
  cert_file = "/etc/docker/certs.d/harbor.fumai02.com/harbor.fumai02.com.cert"
  key_file = "/etc/docker/certs.d/harbor.fumai02.com/harbor.fumai02.com.key"
  insecure_skip_verify = true
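The registries.yaml above still carries insecure_skip_verify: true next to a ca_file, which means containerd skips server certificate verification and the CA file is never consulted; the following added example (my own script, not part of RKE2 or the original post) renders the mirrors/configs sections the way RKE2 writes them into config.toml, flags that combination and the clear-text password, and produces the hardened variant. It assumes registries.yaml has already been loaded into a dict; the REGISTRIES sample is constructed from the page's second configuration, abridged.

```python
import copy

# Constructed sample, abridged from the second registries.yaml on this page.
REGISTRIES = {
    "mirrors": {"docker.io": {"endpoint": ["https://harbor.fumai02.com"]}},
    "configs": {"harbor.fumai02.com": {
        "auth": {"username": "admin", "password": "Harbor12345"},
        "tls": {"ca_file": "/etc/docker/certs.d/harbor.fumai02.com/ca.crt",
                "insecure_skip_verify": True},
    }},
}
CRI = 'plugins."io.containerd.grpc.v1.cri".registry'


def render_toml(reg):
    """Emit the mirrors/configs sections in the shape RKE2 writes them to config.toml."""
    out = [f"[{CRI}.mirrors]"]
    for host, mirror in reg.get("mirrors", {}).items():
        endpoints = ", ".join(f'"{e}"' for e in mirror.get("endpoint", []))
        out += [f'[{CRI}.mirrors."{host}"]', f"  endpoint = [{endpoints}]"]
    for host, cfg in reg.get("configs", {}).items():
        for section in ("auth", "tls"):
            if section in cfg:
                out.append(f'[{CRI}.configs."{host}".{section}]')
                for key, val in cfg[section].items():
                    # TOML booleans are bare; everything else here is a quoted string
                    out.append(f"  {key} = " + (str(val).lower() if isinstance(val, bool) else f'"{val}"'))
    return "\n".join(out)


def audit(reg):
    """Return findings to resolve before the file is copied to a node."""
    findings = []
    for host, cfg in reg.get("configs", {}).items():
        tls = cfg.get("tls", {})
        if tls.get("insecure_skip_verify"):
            findings.append(f"{host}: insecure_skip_verify=true disables server certificate verification")
            if "ca_file" in tls:
                findings.append(f"{host}: ca_file is set but not used to check the server; remove insecure_skip_verify")
        if cfg.get("auth", {}).get("password"):
            findings.append(f"{host}: clear-text password in registries.yaml; keep the file mode 0600")
    return findings


def harden(reg):
    """Copy of reg with insecure_skip_verify dropped wherever a ca_file is configured."""
    fixed = copy.deepcopy(reg)
    for cfg in fixed.get("configs", {}).values():
        if "ca_file" in cfg.get("tls", {}):
            cfg["tls"].pop("insecure_skip_verify", None)
    return fixed
```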
References: