赞
踩
不知道各位有没有我这种尴尬:kubernetes搭建过程中需要拉取到一些镜像,比如: dockerhub的镜像,这个还好。毕竟有加速器。but k8s.gcr.io,quay.io.这些怎么搞?正巧搭建kubeadm 1.25,helm安装cilium的时候悲摧了。下载不动怎么搞?docker时代的时候我还可以直接导入,但是containerd时代了 导入了还是要麻烦一些阿?搜索引擎搜了一下,找到下面三个文章,借鉴一下!
参照:搭建Docker镜像仓库代理
搭建容器仓库的镜像服务器(gcr, ghcr, quay, k8s-gcr)
真◉彻底解决 gcr、quay、DockerHub 镜像下载难题!
其中米开朗基杨大佬写的真◉彻底解决 gcr、quay、DockerHub 镜像下载难题!搭建一个k3s集群搞比较全国,但是我国外服务器就一台,还是轻量级的服务器…开始就是下载镜像然后上传到国内harbor仓库的…这里就用搭建Docker镜像仓库代理的方式去操作了!
服务器在国外
四个域名 以及ssl证书
注意:我这台服务器为轻量服务器,ubuntu操作系统(docker我之前其实早安装了…)
apt-get update
apt-get upgrade
apt-get install docker*
如果是**centos **请参照:
yum update
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce
[root@dqzboy ~]# mkdir /etc/docker [root@dqzboy ~]# cat << EOF > /etc/docker/daemon.json { "log-driver": "json-file", "log-opts": { "max-size": "100m", "max-file": "3" }, "insecure-registry": [ "hub.dqzboy.com" ], "registry-mirror": "https://a7ye1cuu.mirror.aliyuncs.com", "data-root": "/data/docker", "exec-opts": ["native.cgroupdriver=systemd"], "storage-driver": "overlay2", "storage-opts": [ "overlay2.override_kernel_check=true" ] } EOF
systemctl enable docker && systemctl start docker
看版本吧,我没有安装什么最新的 ,毕竟能跑起来就可以对我来说
curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
docker-compose --version
启动镜像仓库代理
git clone https://github.com/findsec-cn/registry-proxy.git
cd registry-proxy
我这里先修改以下docker-compose.yaml,原github项目只代理了gcr.io,k8s.gcr.io,恩我这里主要是使用代理quay.io仓库,如果代理其他仓库可类似方法!
version: '2' services: local: container_name: reg-local image: findsec/registry-proxy:latest restart: always environment: - DELETE_ENABLED=true volumes: - ~/data/registry:/var/lib/registry ports: - 5000:5000 networks: - registry-net quay: container_name: reg-quay image: findsec/registry-proxy:latest restart: always environment: - PROXY_REMOTE_URL=https://quay.io volumes: - ~/data/registry:/var/lib/registry networks: - registry-net gcr: container_name: reg-gcr image: findsec/registry-proxy:latest restart: always environment: - PROXY_REMOTE_URL=https://gcr.io volumes: - ~/data/registry:/var/lib/registry networks: - registry-net k8s-gcr: container_name: reg-k8s-gcr image: findsec/registry-proxy:latest restart: always environment: - PROXY_REMOTE_URL=https://k8s.gcr.io volumes: - ~/data/registry:/var/lib/registry networks: - registry-net ui: container_name: reg-ui image: findsec/registry-ui:latest restart: always links: - local:reg-local environment: - REGISTRY_TITLE=My Private Docker Registry - REGISTRY_URL=http://reg-local:5000 - DELETE_IMAGES=true networks: - registry-net nginx: container_name: reg-nginx image: nginx:alpine restart: always ports: - 80:80 - 443:443 links: - ui:reg-ui - gcr:reg-gcr - quay:reg-quay - k8s-gcr:reg-k8s-gcr volumes: - ./nginx.conf:/etc/nginx/conf.d/default.conf - ./cert:/etc/nginx/ssl networks: - registry-net networks: registry-net:
依着葫芦画瓢。根据仓库中yaml文件中gcr配置 生成一个quay的配置:
nginx相关配置中link也添加上quay配置:
sed -i 's/xxx.com/zhangpeng.com/g' nginx.conf
添加quay域名相关配置:
最终配置文件如下:
server { listen 80; listen 443 ssl; server_name hub.zhangpeng.com; proxy_connect_timeout 600; proxy_send_timeout 600; proxy_read_timeout 600; send_timeout 600; ssl_certificate /etc/nginx/ssl/server.crt; ssl_certificate_key /etc/nginx/ssl/server.key; location / { proxy_pass http://reg-ui:80; proxy_buffering off; proxy_request_buffering off; } } server { listen 80; listen 443 ssl; server_name gcr.zhangpeng.com; proxy_connect_timeout 600; proxy_send_timeout 600; proxy_read_timeout 600; send_timeout 600; ssl_certificate /etc/nginx/ssl/server.crt; ssl_certificate_key /etc/nginx/ssl/server.key; location / { proxy_pass http://reg-gcr:5000; proxy_buffering off; proxy_request_buffering off; } } server { listen 80; listen 443 ssl; server_name k8s-gcr.zhangpeng.com; proxy_connect_timeout 600; proxy_send_timeout 600; proxy_read_timeout 600; send_timeout 600; ssl_certificate /etc/nginx/ssl/server.crt; ssl_certificate_key /etc/nginx/ssl/server.key; location / { proxy_pass http://reg-k8s-gcr:5000; proxy_buffering off; proxy_request_buffering off; } } server { listen 80; listen 443 ssl; server_name quay.zhangpeng.com; proxy_connect_timeout 600; proxy_send_timeout 600; proxy_read_timeout 600; send_timeout 600; ssl_certificate /etc/nginx/ssl/server.crt; ssl_certificate_key /etc/nginx/ssl/server.key; location / { proxy_pass http://reg-quay:5000; proxy_buffering off; proxy_request_buffering off; } }
一定记得要上传ssl证书到cert目录下:
当然了你也可以修改docker-compose.yaml.修改nginx中volumes中挂载路径
也可以修改nginx.conf文件中ssl_certificate ssl_certificate_key 文件名:
docker-compose up -d
docker-compose logs -f
可能会出现证书配置不对的报错,哈哈哈自己解决以下…
我的域名用的dnspod
本地工作环境为rocky 8.5安装了podman 使用podman进行测试:
###要下载镜像
[root@zhangpeng ~]# podman pull k8s.gcr.io/pause:3.6
###通过镜像仓库代理方式下载:
[root@zhangpeng ~]# podman pull k8s-gcr.zhangpeng.com/pause:3.6
访问hub.zhangpeng.com。可以看到我们下载的镜像被缓存了
不能一直缓存吧,空间写满了怎么办,最苯的方法写一个crontab:
* * */2 * * /usr/bin/rm -rf /var/lib/registry/* &>/dev/null
服务器镜像代理被白嫖怎么办?最简单的搞一个htpasswd搞一下:
apt-get install apache2-utils
htpasswd -c passwd zhangpeng
然后修改nginx.conf文件,我这里为了演示只修改了k8s-gcr这一个的相关配置,其他的都如此就可以:
server { listen 80; listen 443 ssl; server_name k8s-gcr.zhangpeng.com; proxy_connect_timeout 600; proxy_send_timeout 600; proxy_read_timeout 600; send_timeout 600; ssl_certificate /etc/nginx/ssl/server.crt; ssl_certificate_key /etc/nginx/ssl/server.key; auth_basic "请输入用户和密码"; # 验证时的提示信息 auth_basic_user_file /etc/nginx/passwd; # 认证文件 location / { proxy_pass http://reg-k8s-gcr:5000; proxy_buffering off; proxy_request_buffering off; } }
重启docker-compose服务:
注:当前registry目录下
docker-compose down
docker-compose up -d
本地测试:
还拿pause镜像为例,恩显示认证失败了
podman pull k8s-gcr.zhangpeng.com/pause:3.5
podman login k8s-gcr.zhangpeng.com
podman pull k8s-gcr.zhangpeng.com/pause:3.5
如下图,pull成功:
容器运行时配置的配置,参照米开朗基杨大佬:
https://blog.csdn.net/alex_yangchuansheng/article/details/113855809#t10
感谢各位大佬的踩坑,后人能那么方便的使用!
Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。