背景:
不晓得各位有没有我这种难堪:kubernetes 搭建过程中须要拉取到一些镜像,比方:dockerhub 的镜像,这个还好。毕竟有加速器。but k8s.gcr.io,quay.io. 这些怎么搞?刚巧搭建 kubeadm 1.25,helm 装置 cilium 的时候悲摧了。下载不动怎么搞?docker 时代的时候我还能够间接导入,然而 containerd 时代了 导入了还是要麻烦一些阿?搜索引擎搜了一下,找到上面三个文章,借鉴一下!
参照:搭建 Docker 镜像仓库代理
搭建容器仓库的镜像服务器 (gcr, ghcr, quay, k8s-gcr)
真◉彻底解决 gcr、quay、DockerHub 镜像下载难题!
搭建镜像代理仓库
其中米开朗基杨大佬写的真◉彻底解决 gcr、quay、DockerHub 镜像下载难题!搭建一个 k3s 集群搞比拟全国,然而我国外服务器就一台,还是轻量级的服务器 …. 开始就是下载镜像而后上传到国内 harbor 仓库的 …… 这里就用搭建 Docker 镜像仓库代理的形式去操作了!
前提条件
服务器在国外
四个域名 以及 ssl 证书
装置 Docker
留神:我这台服务器为轻量服务器,ubuntu 操作系统(docker 我之前其实早装置了 ……)
apt-get update
apt-get upgrade
apt-get install docker*
如果是 centos 请参照:
yum update
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce
配置 Docker
- 设置 Docker 的日志格局为 json,日志文件大小为 100M,最多保留 3 个日志;
- 设置 Docker 镜像公有仓库和官网镜像减速地址;
- 设置 Docker 的数据目录到 /data/docker;
-
设置 Docker 的 Storage Driver 为 overlay2。
[root@dqzboy ~]# mkdir /etc/docker [root@dqzboy ~]# cat << EOF > /etc/docker/daemon.json { "log-driver": "json-file", "log-opts": { "max-size": "100m", "max-file": "3" }, "insecure-registry": ["hub.dqzboy.com"], "registry-mirror": "https://a7ye1cuu.mirror.aliyuncs.com", "data-root": "/data/docker", "exec-opts": ["native.cgroupdriver=systemd"], "storage-driver": "overlay2", "storage-opts": ["overlay2.override_kernel_check=true"] } EOF
启动 Docker
systemctl enable docker && systemctl start docker
装置 Docker Compose
看版本吧,我没有装置什么最新的,毕竟能跑起来就能够对我来说
curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose chmod +x /usr/local/bin/docker-compose ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose docker-compose --version
启动镜像仓库代理
git clone 相干 registry-proxy 仓库配置文件
git clone https://github.com/findsec-cn/registry-proxy.git cd registry-proxy
自定义批改配置文件
- 将域名的证书搁置到 cert 目录下,并把证书文件名称命名为该目录下的 server 名称;
- 其中 server.crt 为 ssl 证书文件,server.key 为 ssl 私钥。
- 留神:证书肯定要是对应域名的,不然进行下载镜像会提醒 x509
-
批改 nginx.conf 配置文件,将配置文件中的域名替换成本人的域名(xxx.com)
docker-compose.yaml 批改
我这里先批改以下 docker-compose.yaml, 原 github 我的项目只代理了gcr.io,k8s.gcr.io,恩我这里次要是应用代理quay.io 仓库,如果代理其余仓库可相似办法!
version: '2' services: local: container_name: reg-local image: findsec/registry-proxy:latest restart: always environment: - DELETE_ENABLED=true volumes: - ~/data/registry:/var/lib/registry ports: - 5000:5000 networks: - registry-net quay: container_name: reg-quay image: findsec/registry-proxy:latest restart: always environment: - PROXY_REMOTE_URL=https://quay.io volumes: - ~/data/registry:/var/lib/registry networks: - registry-net gcr: container_name: reg-gcr image: findsec/registry-proxy:latest restart: always environment: - PROXY_REMOTE_URL=https://gcr.io volumes: - ~/data/registry:/var/lib/registry networks: - registry-net k8s-gcr: container_name: reg-k8s-gcr image: findsec/registry-proxy:latest restart: always environment: - PROXY_REMOTE_URL=https://k8s.gcr.io volumes: - ~/data/registry:/var/lib/registry networks: - registry-net ui: container_name: reg-ui image: findsec/registry-ui:latest restart: always links: - local:reg-local environment: - REGISTRY_TITLE=My Private Docker Registry - REGISTRY_URL=http://reg-local:5000 - DELETE_IMAGES=true networks: - registry-net nginx: container_name: reg-nginx image: nginx:alpine restart: always ports: - 80:80 - 443:443 links: - ui:reg-ui - gcr:reg-gcr - quay:reg-quay - k8s-gcr:reg-k8s-gcr volumes: - ./nginx.conf:/etc/nginx/conf.d/default.conf - ./cert:/etc/nginx/ssl networks: - registry-net networks: registry-net:
依着葫芦画瓢。依据仓库中 yaml 文件中 gcr 配置 生成一个 quay 的配置:
nginx 相干配置中 link 也增加上 quay 配置:
批改 nginx.conf 中域名:
sed -i 's/xxx.com/zhangpeng.com/g' nginx.conf
增加 quay 域名相干配置:
最终配置文件如下:
server { listen 80; listen 443 ssl; server_name hub.zhangpeng.com; proxy_connect_timeout 600; proxy_send_timeout 600; proxy_read_timeout 600; send_timeout 600; ssl_certificate /etc/nginx/ssl/server.crt; ssl_certificate_key /etc/nginx/ssl/server.key; location / { proxy_pass http://reg-ui:80; proxy_buffering off; proxy_request_buffering off; } } server { listen 80; listen 443 ssl; server_name gcr.zhangpeng.com; proxy_connect_timeout 600; proxy_send_timeout 600; proxy_read_timeout 600; send_timeout 600; ssl_certificate /etc/nginx/ssl/server.crt; ssl_certificate_key /etc/nginx/ssl/server.key; location / { proxy_pass http://reg-gcr:5000; proxy_buffering off; proxy_request_buffering off; } } server { listen 80; listen 443 ssl; server_name k8s-gcr.zhangpeng.com; proxy_connect_timeout 600; proxy_send_timeout 600; proxy_read_timeout 600; send_timeout 600; ssl_certificate /etc/nginx/ssl/server.crt; ssl_certificate_key /etc/nginx/ssl/server.key; location / { proxy_pass http://reg-k8s-gcr:5000; proxy_buffering off; proxy_request_buffering off; } } server { listen 80; listen 443 ssl; server_name quay.zhangpeng.com; proxy_connect_timeout 600; proxy_send_timeout 600; proxy_read_timeout 600; send_timeout 600; ssl_certificate /etc/nginx/ssl/server.crt; ssl_certificate_key /etc/nginx/ssl/server.key; location / { proxy_pass http://reg-quay:5000; proxy_buffering off; proxy_request_buffering off; } }
ssl 证书
肯定记得要上传 ssl 证书到 cert 目录下:
当然了你也能够批改 docker-compose.yaml. 批改 nginx 中 volumes 中挂载门路
也能够批改 nginx.conf 文件中 ssl_certificate ssl_certificate_key 文件名:
启动镜像仓库代理
docker-compose up -d docker-compose logs -f
可能会呈现证书配置不对的报错,哈哈哈本人解决以下 …..
解析域名
我的域名用的 dnspod
应用镜像仓库代理
本地工作环境为 rocky 8.5 装置了 podman 应用 podman 进行测试:
### 要下载镜像 [root@zhangpeng ~]# podman pull k8s.gcr.io/pause:3.6 ### 通过镜像仓库代理形式下载:[root@zhangpeng ~]# podman pull k8s-gcr.zhangpeng.com/pause:3.6
拜访 hub.zhangpeng.com。能够看到咱们下载的镜像被缓存了
接下来能够进阶的:
image 的清理
不能始终缓存吧,空间写满了怎么办,最苯的办法写一个 crontab:
-
-
/2 /usr/bin/rm -rf /var/lib/registry/ &>/dev/null
## 防白嫖认证 服务器镜像代理被白嫖怎么办?最简略的搞一个 htpasswd 搞一下:
apt-get install apache2-utils
![image.png](https://cdn.nlark.com/yuque/0/2022/png/2505271/1663215731715-0400026f-de42-4e02-bb84-ee07e2582eb8.png#clientId=u6365ccb6-c667-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=613&id=u6ea56dcf&margin=%5Bobject%20Object%5D&name=image.png&originHeight=552&originWidth=1558&originalType=binary&ratio=1&rotation=0&showTitle=false&size=165037&status=done&style=none&taskId=u12cbfe81-8e65-42f1-a55c-7ef08d1fc0f&title=&width=1731.1111569698958)
htpasswd -c passwd zhangpeng
![image.png](https://cdn.nlark.com/yuque/0/2022/png/2505271/1663216091653-bca81c8d-5e5a-40cc-bbce-ffcc40ab5288.png#clientId=u6365ccb6-c667-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=362&id=u19bf4674&margin=%5Bobject%20Object%5D&name=image.png&originHeight=326&originWidth=1030&originalType=binary&ratio=1&rotation=0&showTitle=false&size=75803&status=done&style=none&taskId=u5b34d78f-ceaa-4093-9f8a-ba43c839947&title=&width=1144.4444747618695) 而后批改 nginx.conf 文件, 我这里为了演示只批改了 k8s-gcr 这一个的相干配置,其余的都如此就能够:
server {
listen 80;
listen 443 ssl;server_name k8s-gcr.zhangpeng.com;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
auth_basic “ 请输出用户和明码 ”; # 验证时的提示信息
auth_basic_user_file /etc/nginx/passwd; # 认证文件
location / {proxy_pass http://reg-k8s-gcr:5000; proxy_buffering off; proxy_request_buffering off;
}
}![image.png](https://cdn.nlark.com/yuque/0/2022/png/2505271/1663223421666-9b74a6d3-6550-4c75-b61f-9559c071f32b.png#clientId=u0c01e561-4da7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=452&id=ub4a6ba27&margin=%5Bobject%20Object%5D&name=image.png&originHeight=407&originWidth=784&originalType=binary&ratio=1&rotation=0&showTitle=false&size=62319&status=done&style=none&taskId=u35803e53-44c0-4f33-807c-abc0f4aa46b&title=&width=871.1111341876755) 重启 docker-compose 服务: 注:以后 registry 目录下
docker-compose down
docker-compose up -d本地测试:还拿 pause 镜像为例,恩显示认证失败了
podman pull k8s-gcr.zhangpeng.com/pause:3.5
![image.png](https://cdn.nlark.com/yuque/0/2022/png/2505271/1663216471176-42b0a7cb-ab51-4d3e-9684-8454658ba38c.png#clientId=u6365ccb6-c667-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=87&id=u5cf5f600&margin=%5Bobject%20Object%5D&name=image.png&originHeight=78&originWidth=1515&originalType=binary&ratio=1&rotation=0&showTitle=false&size=23494&status=done&style=none&taskId=ud8147e18-4bee-4668-b5dc-647e6d21077&title=&width=1683.3333779264392)
podman login k8s-gcr.zhangpeng.com
podman pull k8s-gcr.zhangpeng.com/pause:3.5如下图,pull 胜利:![image.png](https://cdn.nlark.com/yuque/0/2022/png/2505271/1663216534534-88291b53-a02d-478b-ac06-5836315f2e17.png#clientId=u6365ccb6-c667-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=327&id=ude8b7067&margin=%5Bobject%20Object%5D&name=image.png&originHeight=294&originWidth=1639&originalType=binary&ratio=1&rotation=0&showTitle=false&size=70759&status=done&style=none&taskId=u3cb41aab-9547-497c-8ed7-6b3934e724e&title=&width=1821.1111593540816) ![image.png](https://cdn.nlark.com/yuque/0/2022/png/2505271/1663223726340-5a5d7c8c-4e8a-4765-9ada-f3402cb8966c.png#clientId=u0c01e561-4da7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=794&id=u898d4747&margin=%5Bobject%20Object%5D&name=image.png&originHeight=715&originWidth=1620&originalType=binary&ratio=1&rotation=0&showTitle=false&size=88829&status=done&style=none&taskId=u87b13877-eb9d-4338-8e5a-ba0d4e9b8a1&title=&width=1800.0000476837172) ## 其余的?容器运行时配置的配置,参照米开朗基杨大佬:[https://blog.csdn.net/alex_yangchuansheng/article/details/113855809#t10](https://blog.csdn.net/alex_yangchuansheng/article/details/113855809#t10) ![image.png](https://cdn.nlark.com/yuque/0/2022/png/2505271/1663224003069-1475caa7-1633-4422-b21d-b7e0aeca9dbf.png#clientId=u0c01e561-4da7-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=513&id=u1c52a7ec&margin=%5Bobject%20Object%5D&name=image.png&originHeight=462&originWidth=1011&originalType=binary&ratio=1&rotation=0&showTitle=false&size=107943&status=done&style=none&taskId=ud60903dd-3662-432f-af03-30ff64dbf2d&title=&width=1123.333363091505)
-