K8S Study Notes: Docker (Part 2)

Published: 2023-03-22 22:13:33  Author: 巡山一大妖

I. Building and configuring a Harbor private registry (offline install)

1. Confirm that docker and docker-compose are installed on the machine

root@harbor002:~# docker info            ## confirm docker is installed
Client:
 Debug Mode: false

Server:
 Containers: 9
  Running: 9
  Paused: 0
  Stopped: 0
 Images: 15
 Server Version: 19.03.15
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ea765aba0d05254012b0b9e595e995c09186427f
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 5.4.0-81-generic
 Operating System: Ubuntu 20.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 10
 Total Memory: 9.729GiB
 Name: harbor002
 ID: PK4O:UGU4:YAPK:ANC5:6QCN:2ZSS:DJLP:XLPS:5LXF:FR6E:R5VI:UCZQ
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

root@harbor002:~# docker-compose -v         ## confirm docker-compose is installed
docker-compose version 1.24.1, build 4667896b

2. Extract the pre-downloaded Harbor offline package, edit the Harbor configuration file, then run ./install.sh

root@harbor002:~# tar -xf  harbor-offline-installer-v2.3.2.tgz
root@harbor002:~# cd  harbor
root@harbor002:~/harbor# cp  harbor.yml.tmpl harbor.yml
root@harbor002:~/harbor# cat  harbor.yml|grep -v "#\|^$"
hostname: harbor.magedu.com                     ## set the Harbor domain name
http:
  port: 80
harbor_admin_password: 12345                    ## set the Harbor web UI login password (the default login name is admin)
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data                               ## set the data storage directory
trivy:
  ignore_unfixed: false
  skip_update: false
  insecure: false
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.3.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
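The configuration above serves the registry over plain HTTP on port 80 with a five-character admin password; the missing https: block is why the Docker daemons in step 4 have to whitelist the registry as an insecure registry, which switches off TLS for that host. As an added example (not from the original post or the Harbor project), this shell script audits a harbor.yml for those settings and compares it with a hardened version; the certificate paths and the long password in the hardened file are constructed placeholders.

```shell
# Added example, not from the original post or the Harbor project: audit a
# harbor.yml for the weak settings seen above. Both files are constructed input.
SAMPLE_WEAK=$(mktemp)          # mirrors the page's config: http only, short password
cat > "$SAMPLE_WEAK" <<'EOF'
hostname: harbor.magedu.com
http:
  port: 80
harbor_admin_password: 12345
trivy:
  insecure: false
EOF

SAMPLE_HARDENED=$(mktemp)      # https enabled; cert paths and password are placeholders
cat > "$SAMPLE_HARDENED" <<'EOF'
hostname: harbor.magedu.com
https:
  port: 443
  certificate: /data/cert/harbor.crt
  private_key: /data/cert/harbor.key
harbor_admin_password: Xk3-longer-admin-passphrase
trivy:
  insecure: false
EOF
trap 'rm -f "$SAMPLE_WEAK" "$SAMPLE_HARDENED"' EXIT

# 0 if an https: block exists. Without one, every Docker daemon that pulls from
# the registry must list it under insecure-registries, which disables TLS for it.
has_https() { grep -q '^https:' "$1"; }

# 0 if harbor_admin_password is set, is not the template default Harbor12345,
# and is at least 12 characters long.
admin_password_ok() {
  pw=$(sed -n 's/^harbor_admin_password:[[:space:]]*//p' "$1")
  [ -n "$pw" ] && [ "$pw" != "Harbor12345" ] && [ "${#pw}" -ge 12 ]
}

# 0 unless an indented "insecure: true" (trivy's TLS-verification bypass) is set.
trivy_tls_ok() { ! grep -Eq '^[[:space:]]+insecure:[[:space:]]*true' "$1"; }

# Prints each finding to stderr and the number of findings to stdout.
audit_harbor_yml() {
  n=0
  has_https "$1"         || { echo "FINDING: no https: block, registry is plain HTTP" >&2; n=$((n + 1)); }
  admin_password_ok "$1" || { echo "FINDING: weak or default harbor_admin_password" >&2; n=$((n + 1)); }
  trivy_tls_ok "$1"      || { echo "FINDING: trivy.insecure is true" >&2; n=$((n + 1)); }
  echo "$n"
}
audit_harbor_yml "$SAMPLE_WEAK"        # 2
audit_harbor_yml "$SAMPLE_HARDENED"    # 0
```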

3. Access Harbor through the web UI

4. Test logging in to Harbor from the command line on a server
1) Add the address of the insecure image registry (that is, the Harbor address) to the Docker daemon startup configuration

2) Run systemctl daemon-reload && systemctl restart docker to restart Docker so the setting above takes effect, then run docker info to confirm it has applied

3) Log in to Harbor from the command line

root@master001:~# docker login 192.168.0.10      ## via the Harbor IP address
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
root@master001:~# docker login harbor.magedu.com   ## via the domain name; the name must first be resolved locally through an entry in /etc/hosts
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
root@master001:~#

4) Push an image to Harbor

root@master001:~# docker tag   nginx:v1  192.168.0.10/nginx/nginx:v1     ## retag the image

root@master001:~# docker images |grep  192.168.0.10/nginx/nginx       
192.168.0.10/nginx/nginx         v1                  291dfaf2c1b6        45 hours ago        366MB

root@master001:~# docker push 192.168.0.10/nginx/nginx:v1                 ## push the image to Harbor
The push refers to repository [192.168.0.10/nginx/nginx]
51ef65eceb06: Pushed
02501cc6149f: Pushed
010253d16668: Pushed
bf1e3d89f48f: Pushed
dca8c6072095: Pushed
89169d87dbe2: Pushed
v1: digest: sha256:d139534475507d7eaf5ffd8aabf4c3be1b9918dfaa145aa42265513ec71c7ca6 size: 1577

II. Understanding Docker networking

Docker supports three network modes by default: bridge, host and null. You can list them with docker network ls.

root@harbor002:~# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
6593776eaca5        bridge              bridge              local
014d93bedacf        host                host                local
b5bf7c097fee        none                null                local

1. bridge
The default mode. Docker allocates a network interface to the container, assigns it an IP, and bridges that interface to docker0.
In this mode, docker proxy creates a pair of peer virtual interfaces (a veth pair), sets one end as the container's eth0 (the container's network interface), and places the other end in the host's namespace under a name like vethxxx.
At the same time, the daemon allocates an IP address and subnet to the container from the private address space of the docker0 bridge, and sets the IP address of docker0 as the container's default gateway.

Network interfaces as seen inside the container

Network interfaces on the host

2. host

In host mode the container does not get a separate Network Namespace; it shares the host's Network Namespace. The container does not get a virtual NIC of its own but uses the host's IP and ports.

In host mode, what you see inside the container are the host's network interfaces.

Pros and cons

Pro: fewer network forwarding hops, so network performance is better than in bridge mode

Con: the host's IP and ports are used directly, so there is no isolation

3. none

A container in none mode has its own Network Namespace, but Docker performs no network configuration for it at all. In other words, the container has only the lo loopback interface and no other network interfaces, IP addresses or routes. This is also why it is a good way to ensure the container's security.

root@harbor002:~# docker run -it --net none 192.168.0.10/nginx/alpine:latest sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
/ #