Building container images with nerdctl + buildkitd + containerd (replacing docker build)

Besides Docker, container technologies include CoreOS's rkt, Google's gVisor, containerd (open-sourced by Docker), Red Hat's podman, Alibaba's Pouch and others. To keep the container ecosystem standardized and sustainable, the Linux Foundation, Docker, Microsoft, Red Hat, Google, IBM and other companies jointly founded the Open Container Initiative (OCI) in June 2015 to define open container standards. So far the OCI has published two specifications, the runtime spec and the image format spec; a container implementation from any vendor that conforms to both is portable to, and interoperable with, the others.

Introduction

buildkit: an image build toolkit open-sourced by Docker; it builds images that follow the OCI standard.
GitHub: https://github.com/moby/buildkit

buildkit components:
buildkitd (server): currently supports runc and containerd as the build environment (worker); runc is the default and can be switched to containerd.
buildctl (client): parses the Dockerfile and sends the build request to the buildkitd server.

Deploy buildkitd

cd /usr/local/src
wget https://github.com/moby/buildkit/releases/download/v0.10.3/buildkit-v0.10.3.linux-amd64.tar.gz
tar -xvf buildkit-v0.10.3.linux-amd64.tar.gz -C /usr/local/bin/   # the archive contains a bin/ directory
mv /usr/local/bin/bin/buildctl /usr/local/bin/bin/buildkitd /usr/local/bin/   # move both binaries onto PATH

Create the buildkit socket unit

vim /lib/systemd/system/buildkit.socket
[Unit]
Description=BuildKit
Documentation=https://github.com/moby/buildkit

[Socket]
ListenStream=%t/buildkit/buildkitd.sock

[Install]
WantedBy=sockets.target

Create the buildkitd service unit

vim /lib/systemd/system/buildkitd.service
[Unit]
Description=BuildKit
Documentation=https://github.com/moby/buildkit
Requires=buildkit.socket
After=buildkit.socket

[Service]
ExecStart=/usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true

[Install]
WantedBy=multi-user.target

Reload systemd and start the service

systemctl daemon-reload
systemctl enable buildkitd
systemctl start buildkitd
systemctl status buildkitd

Deploy nerdctl

nerdctl is the recommended client; it depends on the CNI plugins, which are installed in the next step.

wget https://github.com/containerd/nerdctl/releases/download/v0.22.0/nerdctl-0.22.0-linux-amd64.tar.gz   # download URL
tar xvf nerdctl-0.22.0-linux-amd64.tar.gz
cp nerdctl /usr/bin/
nerdctl version   # verify the installation

Install the CNI plugins

wget https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz   # download URL
mkdir -p /opt/cni/bin   # directory where the CNI plugins are kept
tar xvf cni-plugins-linux-amd64-v1.1.1.tgz -C /opt/cni/bin/

Image building

Common nerdctl commands

vim /etc/profile                      # add the following line to enable bash completion
source <(nerdctl completion bash)
source /etc/profile                   # reload the profile
nerdctl login --insecure-registry reg.zhangjw.com
nerdctl pull busybox:latest
nerdctl tag busybox:latest reg.zhangjw.com/baseimages/busybox:1.0   # repository paths must be lowercase
nerdctl --insecure-registry push reg.zhangjw.com/baseimages/busybox:1.0

Distribute the Harbor certificate

https://goharbor.io/docs/2.4.0/install-config/configure-https/

# on the image build server, create the certificate directory for the registry host:
mkdir -p /etc/containerd/certs.d/reg.zhangjw.com
# on the Harbor server, distribute the certificate:
cd /app/harbor/certs
openssl x509 -inform PEM -in zhangjw.com.crt -out zhangjw.com.cert   # convert .crt to the .cert file name the client expects
# copy the CA certificate, the converted certificate and the key to the build server
scp ca.crt zhangjw.com.cert zhangjw.com.key 192.168.2.131:/etc/containerd/certs.d/reg.zhangjw.com/
After these steps, nerdctl login reg.zhangjw.com followed by the Harbor user name and password logs in successfully.

Build an image

nerdctl build -t reg.zhangjw.com/public/busybox:1.0 .   # build the image
nerdctl push reg.zhangjw.com/public/busybox:1.0         # push the image to the registry
nerdctl --insecure-registry run -d reg.zhangjw.com/public/busybox:1.0   # run the image

Proxy Harbor with nginx and terminate HTTPS there

Switch Harbor to HTTP (regenerate the configuration and restart)

docker-compose down
./prepare
docker-compose up -d

Reverse proxy with nginx

Install and configure nginx

cd /usr/local/src
wget https://nginx.org/download/nginx-1.22.0.tar.gz
tar xvf nginx-1.22.0.tar.gz
cd nginx-1.22.0/
./configure --prefix=/apps/nginx \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_stub_status_module  \
--with-http_gzip_static_module \
--with-pcre \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module
make && make install

# create the certificate directory and copy the certificate
mkdir -p /apps/nginx/certs
# log in to the Harbor server and copy the certificate
cd /apps/harbor/certs/
scp zhangjw.com.crt zhangjw.com.key 192.168.2.131:/apps/nginx/certs/
# edit the nginx configuration file
vim /apps/nginx/conf/nginx.conf
    client_max_body_size 1000m;   # added in the http block, above the stock "#gzip  on;" line
    #gzip  on;
    server {
        listen 80;
        listen 443 ssl;
        server_name reg.zhangjw.com;
        ssl_certificate /apps/nginx/certs/zhangjw.com.crt;
        ssl_certificate_key /apps/nginx/certs/zhangjw.com.key;
        ssl_session_cache shared:sslcache:20m;
        ssl_session_timeout 10m;
        location / {
            #root   html;
            #index  index.html index.htm;
            proxy_pass http://192.168.2.131;   # Harbor server IP address
        }
    }

/apps/nginx/sbin/nginx -t   # validate the configuration file
/apps/nginx/sbin/nginx      # start the service
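Before the --insecure-registry flag and insecure_registry = true are dropped, it is worth confirming that the files copied into certs.d and the certificate nginx serves actually fit together. The script below is an added example, not part of the original post: check_certs_dir verifies a certs.d directory with openssl, and make_test_pki builds a constructed throw-away PKI (hypothetical root CA, host reg.zhangjw.com) so the check can be exercised offline.

```shell
#!/bin/sh
# Verify a nerdctl/containerd certs.d directory before dropping --insecure-registry.
# Assumed layout (the Harbor convention used above): /etc/containerd/certs.d/<host>/
# containing ca.crt, <name>.cert (the converted .crt) and <name>.key.
# Usage: check_certs_dir /etc/containerd/certs.d/reg.zhangjw.com reg.zhangjw.com /apps/nginx/certs/zhangjw.com.crt
check_certs_dir() {
  dir=$1; host=$2; server_crt=$3
  [ -f "$dir/ca.crt" ] || { echo "FAIL: $dir/ca.crt missing"; return 1; }
  cert=$(ls "$dir"/*.cert 2>/dev/null | head -n 1)
  key=$(ls "$dir"/*.key 2>/dev/null | head -n 1)
  [ -n "$cert" ] && [ -n "$key" ] || { echo "FAIL: no .cert/.key pair in $dir"; return 1; }
  # the .cert produced by 'openssl x509 -inform PEM ... -out <name>.cert' must verify against ca.crt
  openssl verify -CAfile "$dir/ca.crt" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert is not issued by ca.crt"; return 1; }
  # the key copied next to it must belong to that certificate (compare the public keys)
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
    || { echo "FAIL: $key does not match $cert"; return 1; }
  # what nginx presents on 443 must verify against ca.crt for the exact host name nerdctl dials
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" "$server_crt" >/dev/null 2>&1 \
    || { echo "FAIL: $server_crt is not valid for https://$host"; return 1; }
  echo "OK: $host is trusted; --insecure-registry can be removed"
}

# Constructed test PKI (hypothetical root CA and host), following the CA -> server-certificate
# flow of the Harbor HTTPS guide. Arguments: working directory, registry host. Files land in $1.
make_test_pki() {
  d=$1; h=$2
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n[srv_ext]\nsubjectAltName=DNS:%s\n' "$h" > "$d/pki.cnf"
  openssl req -x509 -config "$d/pki.cnf" -extensions ca_ext -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Test Root CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -config "$d/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=$h" \
    -keyout "$d/$h.key" -out "$d/$h.csr" 2>/dev/null
  openssl x509 -req -in "$d/$h.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial -days 2 \
    -extfile "$d/pki.cnf" -extensions srv_ext -out "$d/$h.crt" 2>/dev/null
  mkdir -p "$d/certs.d/$h"
  cp "$d/ca.crt" "$d/certs.d/$h/ca.crt"
  openssl x509 -inform PEM -in "$d/$h.crt" -out "$d/certs.d/$h/$h.cert"   # same conversion as above
  cp "$d/$h.key" "$d/certs.d/$h/$h.key"
}
```

The function returns non-zero and names the failing file when the CA, certificate, key or host name do not line up, which is the usual reason a registry ends up being used with the insecure flag.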

buildkitd configuration file

# vim /etc/buildkit/buildkitd.toml
[registry."harbor.magedu.net"]   # one section per registry host, keyed by the host name used in image references
	http = true
	insecure = true

nerdctl configuration file

# vim /etc/nerdctl/nerdctl.toml
namespace      = "k8s.io"
debug          = false
debug_full     = false
insecure_registry = true
