容器技术除了docker之外,还有coreOS的rkt、google的gvisor、以及docker开源的containerd、redhat的podman、阿里的pouch等,为了保证容器生态的标准性和健康可持续发展,包括Linux 基金会、Docker、微软、红帽、谷歌和IBM等公司在2015年6月共同成立了一个叫open container(OCI)的组织,其目的就是制定开放的标准的容器规范,目前OCI一共发布了两个规范,分别是runtime spec和image format spec,有了这两个规范,不同的容器公司开发的容器只要兼容这两个规范,就可以保证容器的可移植性和相互可操作性。
buildkit: 从Docker公司开源出来的一个镜像构建工具包,支持OCI标准的镜像构建。
github地址:https://github.com/moby/buildkit
buildkitd组成部分:
buildkitd(服务端),目前支持runc和containerd作为镜像构建环境,默认是runc,可以更换为containerd。
buildctl(客户端),负责解析Dockerfile文件,并向服务端buildkitd发出构建请求。
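# Install the BuildKit v0.10.3 release binaries (buildctl and buildkitd) into /usr/local/bin.
# The release archive has a top-level bin/ directory; it is unpacked into a staging directory
# and only the two binaries are installed, instead of extracting straight under /usr/local/bin
# and leaving a stray /usr/local/bin/bin/ behind.
# NOTE(review): the archive is fetched over HTTPS but its contents are not checked against any
# digest or provenance published with the release — verify it before installing.
cd /usr/local/src || exit 1
wget https://github.com/moby/buildkit/releases/download/v0.10.3/buildkit-v0.10.3.linux-amd64.tar.gz
mkdir -p buildkit-v0.10.3
tar -xvf buildkit-v0.10.3.linux-amd64.tar.gz -C buildkit-v0.10.3/
# install(1) sets an explicit mode instead of relying on the permissions stored in the archive
install -m 0755 buildkit-v0.10.3/bin/buildctl buildkit-v0.10.3/bin/buildkitd /usr/local/bin/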
生成buildkitd-socket文件
# Create the socket unit with the contents that follow; systemd reads it after daemon-reload.
vim /lib/systemd/system/buildkit.socket
[Unit]
Description=BuildKit
Documentation=https://github.com/moby/buildkit
[Socket]
# %t is the runtime directory (/run for system units), so the daemon listens on
# /run/buildkit/buildkitd.sock, which is the address buildctl connects to by default.
# NOTE(review): a .socket unit activates the .service of the same name (buildkit.service)
# unless Service= is set; this page names the service buildkitd.service — confirm the pairing
# or add Service=buildkitd.service here.
ListenStream=%t/buildkit/buildkitd.sock
[Install]
WantedBy=sockets.target
生成buildkitd-server文件
# Create the service unit with the contents that follow.
vim /lib/systemd/system/buildkitd.service
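[Unit]
Description=BuildKit
Requires=buildkit.socket
# The original had "After=buildkit.socket" and "Documentation=..." fused onto one line, which
# systemd would reject as a malformed After= value; they are two separate directives.
After=buildkit.socket
Documentation=https://github.com/moby/buildkit
[Service]
# Only the containerd worker is enabled, so no runc-based OCI worker is started; builds are
# executed through the local containerd.
ExecStart=/usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true
[Install]
WantedBy=multi-user.target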
加载启动命令
# Reload the unit definitions, enable and start the daemon in one step, then show its state.
systemctl daemon-reload
systemctl enable --now buildkitd
systemctl status buildkitd
安装nerdctl(推荐使用),需要先安装cni
# Fetch the nerdctl 0.22.0 release, unpack it and put the binary on PATH.
nerdctl_version=0.22.0
wget "https://github.com/containerd/nerdctl/releases/download/v${nerdctl_version}/nerdctl-${nerdctl_version}-linux-amd64.tar.gz" # download address
tar xvf "nerdctl-${nerdctl_version}-linux-amd64.tar.gz"
cp nerdctl /usr/bin/
nerdctl version # confirm the install worked
安装cni
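# Download the CNI plugins nerdctl needs for container networking and unpack them into
# /opt/cni/bin, the directory nerdctl looks in by default.
# The original first line was a bare URL with no command in front of it, so nothing was fetched.
wget https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz # download address
mkdir -p /opt/cni/bin # where the CNI plugins are kept
tar xvf cni-plugins-linux-amd64-v1.1.1.tgz -C /opt/cni/bin/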
# Enable bash completion for nerdctl in every login shell: the "source <(...)" line is the
# content added to /etc/profile, and re-sourcing the profile applies it to the current shell.
vim /etc/profile
source <(nerdctl completion bash)
source /etc/profile
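# Push a test image to the private Harbor registry.
# --insecure-registry makes nerdctl skip TLS certificate verification for the registry (and
# allows falling back to plain HTTP); it is only a stopgap until the registry CA is installed
# as shown further down this page, after which the flag should be dropped.
nerdctl login --insecure-registry reg.zhangjw.com
nerdctl pull busybox:latest
# Repository path components in an image reference must be lowercase; "baseImages" is rejected
# as an invalid reference, so the project is addressed as "baseimages" (create the Harbor
# project with that lowercase name).
nerdctl tag busybox:latest reg.zhangjw.com/baseimages/busybox:1.0
nerdctl --insecure-registry push reg.zhangjw.com/baseimages/busybox:1.0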
https://goharbor.io/docs/2.4.0/install-config/configure-https/
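# Trust the Harbor registry certificate on the image-build host (192.168.2.131).
# On the build host: create the per-registry certificate directory. -p also creates
# /etc/containerd/certs.d, which does not exist on a fresh install and made the bare mkdir fail.
mkdir -p /etc/containerd/certs.d/reg.zhangjw.com
# On the Harbor host: distribute the certificates.
cd /app/harbor/certs || exit 1
openssl x509 -inform PEM -in zhangjw.com.crt -out zhangjw.com.cert # format conversion
# In the Docker-style certs.d layout (which nerdctl also reads) a .crt file is a CA certificate
# and a .cert/.key pair is a client certificate. ca.crt alone lets the client verify the
# registry; the pair is only consulted when the registry demands client (mutual) TLS. Copying
# zhangjw.com.key here puts the server's private key on a second host — omit it unless mutual
# TLS is actually configured.
scp ca.crt zhangjw.com.cert zhangjw.com.key 192.168.2.131:/etc/containerd/certs.d/reg.zhangjw.com/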
以上步骤完成之后,nerdctl login reg.zhangjw.com 输入用户名和密码即可登录成功
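# Build, push and run the image now that the registry CA is trusted on this host.
nerdctl build -t reg.zhangjw.com/public/busybox:1.0 . # build from the Dockerfile in the cwd
nerdctl push reg.zhangjw.com/public/busybox:1.0 # upload to the registry
# The original used "--insecure-register", which is not a nerdctl flag (typo for
# --insecure-registry). With the CA installed, the pull goes over verified TLS like the push
# above, so no insecure flag is needed at all.
nerdctl run -d reg.zhangjw.com/public/busybox:1.0 # run the image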
# Restart Harbor so it picks up the regenerated configuration. Run from the Harbor
# installation directory, since ./prepare is a relative path (this page refers to that
# directory as both /app/harbor and /apps/harbor — confirm which one is correct).
docker-compose down
./prepare
docker-compose up -d
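# Build nginx 1.22.0 from source to use as the TLS front end for Harbor.
# NOTE(review): nginx.org publishes a PGP signature (.tar.gz.asc) next to each release tarball —
# verify it before building.
cd /usr/local/src || exit 1
wget https://nginx.org/download/nginx-1.22.0.tar.gz
tar xvf nginx-1.22.0.tar.gz
cd nginx-1.22.0/ || exit 1
# One option per line. The original had "--with-pcre \--with-stream \" on a single line, where
# the backslash only happened to work because it escaped the first "-" of --with-stream.
./configure --prefix=/apps/nginx \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-http_realip_module \
  --with-http_stub_status_module \
  --with-http_gzip_static_module \
  --with-pcre \
  --with-stream \
  --with-stream_ssl_module \
  --with-stream_realip_module
make && make install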
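# Copy the Harbor TLS certificate and key to the nginx host so nginx can terminate HTTPS.
# On the nginx host (192.168.2.131): certificate directory (-p makes this safe to re-run).
mkdir -p /apps/nginx/certs
# On the Harbor host: ship the pair. scp does not preserve file modes, so restrict the private
# key on the receiving side afterwards (e.g. chmod 0600 /apps/nginx/certs/zhangjw.com.key).
cd /apps/harbor/certs/ || exit 1
scp zhangjw.com.crt zhangjw.com.key 192.168.2.131:/apps/nginx/certs/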
#编辑nginx配置文件
# Add the reverse-proxy server block that follows inside the http {} section of nginx.conf.
vim /apps/nginx/conf/nginx.conf
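client_max_body_size 1000m; # image layers are uploaded through this proxy
#gzip on;
server {
    listen 80;
    listen 443 ssl;
    server_name reg.zhangjw.com;
    ssl_certificate /apps/nginx/certs/zhangjw.com.crt;
    ssl_certificate_key /apps/nginx/certs/zhangjw.com.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    # NOTE(review): port 80 is still served in the clear, so credentials can be sent
    # unencrypted; redirecting it to https closes that. No ssl_protocols/ssl_ciphers are set,
    # so the nginx defaults apply.
    location / {
        #root html;
        #index index.html index.htm;
        proxy_pass http://192.168.2.131; # Harbor server address
        # NOTE(review): Harbor behind a reverse proxy usually needs Host and X-Forwarded-Proto
        # forwarded so its redirects and token URLs use https — confirm against the Harbor docs.
    }
# The original snippet closed only the location block; the server block needs its own brace.
}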
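# Validate the configuration and only start nginx when the check passes.
/apps/nginx/sbin/nginx -t && /apps/nginx/sbin/nginx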
# vim /etc/buildkit/buildkitd.toml
# Per-registry settings for buildkitd: http = true allows plain-HTTP access to this registry
# and insecure = true skips TLS certificate verification, so transfers to this host are not
# protected by TLS at all. Once the registry CA is trusted, both can be dropped.
# NOTE(review): the host named here (harbor.magedu.net) does not match the registry used
# everywhere else on this page (reg.zhangjw.com); the entry only applies to the host it names.
[registry."harbor.magedu.net"]
http = true
insecure = true
# vim /etc/nerdctl/nerdctl.toml
# Default containerd namespace for nerdctl; "k8s.io" is the one the CRI plugin uses, so images
# and containers are shared with Kubernetes on this node.
namespace = "k8s.io"
debug = false
debug_full = false
# Global default for --insecure-registry: TLS certificate checks are skipped for every
# registry, not only the private one. With the registry CA installed under certs.d this can
# stay false.
insecure_registry = true