Background:
I wonder whether anyone else has run into this awkward situation: setting up Kubernetes requires pulling a number of images. Images from Docker Hub are fine, since there are mirror accelerators for those. But what about k8s.gcr.io and quay.io? I hit this exactly while setting up kubeadm 1.25 and installing cilium with helm: the downloads simply would not go through. In the Docker era I could just import the images directly, but now that we are in the containerd era, importing is a bit more of a hassle, isn't it? A search turned up the following three articles, which I borrowed from!
References: Setting up a Docker registry proxy
Building a mirror server for container registries (gcr, ghcr, quay, k8s-gcr)
Really◉Completely solving the gcr, quay and DockerHub image download problem!
Setting up the registry proxy
Among these, the post by 米开朗基杨, "Really◉Completely solving the gcr, quay and DockerHub image download problem!", builds a k3s cluster and is the most complete, but I only have one server abroad, and a lightweight one at that.... Originally I just downloaded the images and pushed them to a domestic Harbor registry...... So here I went with the approach from "Setting up a Docker registry proxy"!
Prerequisites
A server outside China
Four domain names and SSL certificates for them
Install Docker
Note: my server is a lightweight instance running Ubuntu (I had actually installed Docker long before this......)
apt-get update
apt-get upgrade
apt-get install docker*
For CentOS, refer to:
yum update
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce
Configure Docker
- Set Docker's log driver to json-file, with a log file size of 100M and at most 3 log files kept;
- Set the Docker private (insecure) registry and the official image mirror address (the daemon.json keys are `insecure-registries` and `registry-mirrors`, both arrays);
- Set Docker's data directory to /data/docker;
- Set Docker's storage driver to overlay2.
```json
[root@dqzboy ~]# mkdir /etc/docker
[root@dqzboy ~]# cat << EOF > /etc/docker/daemon.json
{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m",
    "max-file": "3"
  },
  "insecure-registries": [
    "hub.dqzboy.com"
  ],
  "registry-mirrors": [
    "https://a7ye1cuu.mirror.aliyuncs.com"
  ],
  "data-root": "/data/docker",
  "exec-opts": ["native.cgroupdriver=systemd"],
  "storage-driver": "overlay2",
  "storage-opts": [
    "overlay2.override_kernel_check=true"
  ]
}
EOF
```
Start Docker
systemctl enable docker && systemctl start docker
Install Docker Compose
Pick whichever version; I did not install the latest one. As far as I am concerned, as long as it runs, it is fine.
curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
docker-compose --version
Start the registry proxy
git clone the configuration files of the registry-proxy repository:
git clone https://github.com/findsec-cn/registry-proxy.git
cd registry-proxy
Customize the configuration files
- Put the certificate for your domain into the cert directory, naming the files after the "server" name used in that directory;
- server.crt is the SSL certificate file and server.key is the SSL private key.
- Note: the certificate must be issued for the matching domain, otherwise image pulls will fail with an x509 error.
Edit the nginx.conf configuration file and replace the domain in it (xxx.com) with your own.
Modifying docker-compose.yaml
First I modify docker-compose.yaml. The original GitHub project only proxies gcr.io and k8s.gcr.io, whereas what I mainly need is to proxy quay.io. Other registries can be added the same way!
```yaml
version: '2'
services:
  local:
    container_name: reg-local
    image: findsec/registry-proxy:latest
    restart: always
    environment:
      - DELETE_ENABLED=true
    volumes:
      - ~/data/registry:/var/lib/registry
    ports:
      - 5000:5000
    networks:
      - registry-net
  quay:
    container_name: reg-quay
    image: findsec/registry-proxy:latest
    restart: always
    environment:
      - PROXY_REMOTE_URL=https://quay.io
    volumes:
      - ~/data/registry:/var/lib/registry
    networks:
      - registry-net
  gcr:
    container_name: reg-gcr
    image: findsec/registry-proxy:latest
    restart: always
    environment:
      - PROXY_REMOTE_URL=https://gcr.io
    volumes:
      - ~/data/registry:/var/lib/registry
    networks:
      - registry-net
  k8s-gcr:
    container_name: reg-k8s-gcr
    image: findsec/registry-proxy:latest
    restart: always
    environment:
      - PROXY_REMOTE_URL=https://k8s.gcr.io
    volumes:
      - ~/data/registry:/var/lib/registry
    networks:
      - registry-net
  ui:
    container_name: reg-ui
    image: findsec/registry-ui:latest
    restart: always
    links:
      - local:reg-local
    environment:
      - REGISTRY_TITLE=My Private Docker Registry
      - REGISTRY_URL=http://reg-local:5000
      - DELETE_IMAGES=true
    networks:
      - registry-net
  nginx:
    container_name: reg-nginx
    image: nginx:alpine
    restart: always
    ports:
      - 80:80
      - 443:443
    links:
      - ui:reg-ui
      - gcr:reg-gcr
      - quay:reg-quay
      - k8s-gcr:reg-k8s-gcr
    volumes:
      - ./nginx.conf:/etc/nginx/conf.d/default.conf
      - ./cert:/etc/nginx/ssl
    networks:
      - registry-net
networks:
  registry-net:
```
Monkey see, monkey do: based on the gcr service in the repository's yaml file, produce a quay service.
Also add the quay entry to the links of the nginx service. Then change the domain in nginx.conf:
sed -i 's/xxx.com/zhangpeng.com/g' nginx.conf
```nginx
server {
    listen 80;
    listen 443 ssl;
    server_name hub.zhangpeng.com;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    location / {
        proxy_pass http://reg-ui:80;
        proxy_buffering off;
        proxy_request_buffering off;
    }
}
server {
    listen 80;
    listen 443 ssl;
    server_name gcr.zhangpeng.com;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    location / {
        proxy_pass http://reg-gcr:5000;
        proxy_buffering off;
        proxy_request_buffering off;
    }
}
server {
    listen 80;
    listen 443 ssl;
    server_name k8s-gcr.zhangpeng.com;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    location / {
        proxy_pass http://reg-k8s-gcr:5000;
        proxy_buffering off;
        proxy_request_buffering off;
    }
}
server {
    listen 80;
    listen 443 ssl;
    server_name quay.zhangpeng.com;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    location / {
        proxy_pass http://reg-quay:5000;
        proxy_buffering off;
        proxy_request_buffering off;
    }
}
```
SSL certificates
Remember to upload the SSL certificate into the cert directory:
Of course, you can instead edit docker-compose.yaml and change the mount path under the nginx service's volumes,
or change the ssl_certificate / ssl_certificate_key file names in nginx.conf.
Start the registry proxy
docker-compose up -d
docker-compose logs -f
You may get errors about a wrong certificate configuration; hahaha, sort those out yourself.....
Resolve the domain names (point the four domains at the server)
Using the registry proxy
My local workstation is Rocky 8.5 with podman installed, so I test with podman:
### The image to download
[root@zhangpeng ~]# podman pull k8s.gcr.io/pause:3.6
### Download it through the registry proxy instead:
[root@zhangpeng ~]# podman pull k8s-gcr.zhangpeng.com/pause:3.6
Open hub.zhangpeng.com and you can see that the image we pulled has been cached. Next, some more advanced bits:
Image cleanup
We cannot cache forever; what happens when the disk fills up? The dumbest method is a crontab entry:
- /2 /usr/bin/rm -rf /var/lib/registry/ &>/dev/null
Note that in the docker-compose.yaml above the cache is bind-mounted from ~/data/registry on the host (as /var/lib/registry inside the containers), so a cron job running on the host has to clean that host path.
## Authentication against freeloaders
What if your server's registry proxy gets freeloaded? The simplest fix is to set up htpasswd:
apt-get install apache2-utils
htpasswd -c passwd zhangpeng
Then edit nginx.conf. For the demo I only changed the k8s-gcr block; do the others the same way:
```nginx
server {
    listen 80;
    listen 443 ssl;
    server_name k8s-gcr.zhangpeng.com;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    auth_basic "请输入用户和密码"; # prompt shown when authentication is requested
    auth_basic_user_file /etc/nginx/passwd; # credentials file
    location / {
        proxy_pass http://reg-k8s-gcr:5000;
        proxy_buffering off;
        proxy_request_buffering off;
    }
}
```
Restart the docker-compose services (note: run this in the current registry-proxy directory; the passwd file also has to be bind-mounted into the reg-nginx container at /etc/nginx/passwd, since the compose file above does not mount it):
docker-compose down
docker-compose up -d
Local test: using the pause image again, and it now reports an authentication failure:
podman pull k8s-gcr.zhangpeng.com/pause:3.5
podman login k8s-gcr.zhangpeng.com
podman pull k8s-gcr.zhangpeng.com/pause:3.5
After logging in, the pull succeeds.
## Others?
For the container runtime configuration, refer to 米开朗基杨's post: [https://blog.csdn.net/alex_yangchuansheng/article/details/113855809#t10](https://blog.csdn.net/alex_yangchuansheng/article/details/113855809#t10)
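An added client-side check (my own example, not code from the original post or the registry-proxy project) for the two things that bit this setup: the x509 error when the certificate does not cover the proxy hostname, and whether the htpasswd protection is actually enforced on the registry API. It probes each of the four hostnames, reports whether the served certificate covers the name, and whether an anonymous `GET /v2/` is refused with a 401 Basic challenge; `DOMAIN` is assumed to be the post's domain and should be replaced with your own.

```python
"""Added check (not from the original post or the registry-proxy project): probe
each proxied hostname from a client. Does the served certificate cover the name
(otherwise podman/docker fail with x509), and does an anonymous GET /v2/ get a
401 with a Basic challenge, i.e. is the nginx auth really enforced?"""
import socket
import ssl
import urllib.error
import urllib.request
DOMAIN = "zhangpeng.com"                    # the post's domain; assumption, replace with yours
SUBDOMAINS = ["hub", "gcr", "k8s-gcr", "quay"]

def cert_covers_host(cert, host):
    """True if a DNS SAN or the CN matches host exactly or via a *.parent wildcard."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    parent = host.split(".", 1)[1] if "." in host else ""
    for name in names:
        if name.startswith("*."):
            if parent.lower() == name[2:].lower():   # wildcard covers exactly one label
                return True
        elif name.lower() == host.lower():
            return True
    return False

def auth_enforced(status, headers):
    """Anonymous GET /v2/ must be refused with 401 and a Basic challenge."""
    www = {k.lower(): v for k, v in headers.items()}.get("www-authenticate", "")
    return status == 401 and www.lower().startswith("basic")

def fetch_cert(host, port=443):
    """Peer cert as a dict; the chain is still verified, only the name check is ours."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def probe_v2(host):
    """(status, headers) of an anonymous GET https://host/v2/."""
    try:
        with urllib.request.urlopen(f"https://{host}/v2/", timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)

if __name__ == "__main__":
    for host in (f"{sub}.{DOMAIN}" for sub in SUBDOMAINS):
        status, hdrs = probe_v2(host)
        print(host, "cert-ok:", cert_covers_host(fetch_cert(host), host),
              "v2:", status, "auth-enforced:", auth_enforced(status, hdrs))
```

The probe only speaks HTTPS; the server blocks above also listen on port 80, where the same basic-auth credentials would travel in the clear, so it is worth serving the registries on 443 only.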