1、实验环境
2、环境安装前的准备
2.1、所有的机器执行
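# Lab-node preparation, run on every machine.
# Lab-only: the host firewall and SELinux are switched off on each node, then
# the base tool set is installed.
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
# Persist SELINUX=disabled across reboots.
# The original used `sed -ir`: GNU sed reads that as -i with backup suffix "r"
# (it writes /etc/selinux/configr) and does NOT enable extended regexps, so the
# `.+` never matched and the config file was left unchanged. `-ri` is the
# intended "in-place + extended regexp" combination.
sed -ri '/^SELINUX=/s/=.+/=disabled/' /etc/selinux/config
yum install -y epel-release
yum install -y wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils vim less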
2.2、DNS服务部署
2.2.1 安装 bind 服务
# Install the BIND name server package (non-interactive).
yum -y install bind
2.2.2 配置bind
• 主配置文件
[root@hdss7-11 ~]# vim /etc/named.conf # 确保以下配置正确 listen-on port 53 { 10.4.7.11; }; directory "/var/named"; allow-query { any; }; forwarders { 10.4.7.254; }; recursion yes; dnssec-enable no; dnssec-validation no;
• 在 hdss7-11.host.com 配置区域文件
# 增加两个zone配置,92fuge.com为业务域,host.com为主机域
[root@hdss7-11 ~]# vim /etc/named.rfc1912.zones zone "host.com" IN { type master; file "host.com.zone"; allow-update { 10.4.7.11; }; }; zone "92fuge.com" IN { type master; file "92fuge.com.zone"; allow-update { 10.4.7.11; }; };
在 hdss7-11.host.com 配置主机域文件
# line6中时间需要修改 [root@hdss7-11 ~]# vim /var/named/host.com.zone $ORIGIN host.com. $TTL 600 ; 10 minutes @ IN SOA dns.host.com. dnsadmin.host.com. ( 2020010501 ; serial 10800 ; refresh (3 hours) 900 ; retry (15 minutes) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) NS dns.host.com. $TTL 60 ; 1 minute dns A 10.4.7.11 HDSS7-11 A 10.4.7.11 HDSS7-12 A 10.4.7.12 HDSS7-21 A 10.4.7.21 HDSS7-22 A 10.4.7.22 HDSS7-200 A 10.4.7.200
• 在 hdss7-11.host.com 配置业务域文件
[root@hdss7-11 ~]# vim /var/named/92fuge.com.zone $ORIGIN 92fuge.com. $TTL 600 ; 10 minutes @ IN SOA dns.92fuge.com. dnsadmin.92fuge.com. ( 2020010501 ; serial 10800 ; refresh (3 hours) 900 ; retry (15 minutes) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) NS dns.92fuge.com. $TTL 60 ; 1 minute dns A 10.4.7.11
• 在 hdss7-11.host.com 启动bind服务,并测试
[root@hdss7-11 ~]# named-checkconf # 检查配置文件 [root@hdss7-11 ~]# systemctl start named ; systemctl enable named [root@hdss7-11 ~]# host HDSS7-200 10.4.7.11 Using domain server: Name: 10.4.7.11 Address: 10.4.7.11#53 Aliases: HDSS7-200.host.com has address 10.4.7.200
2.2.3 修改DNS
所有主机的dns都要修改
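# Point this host's resolver at the lab DNS server (10.4.7.11) instead of the
# gateway (10.4.7.254), then restart networking so the change takes effect.
# The dots in the addresses are escaped so the pattern matches the literal
# address rather than any character; the NIC name (ens32) is taken from the
# lab hosts and must be adjusted if the interface is named differently.
ifcfg=/etc/sysconfig/network-scripts/ifcfg-ens32
if [[ ! -f "$ifcfg" ]]; then
  printf 'interface config %s not found\n' "$ifcfg" >&2
  exit 1
fi
sed -i '/DNS1/s/10\.4\.7\.254/10\.4\.7\.11/' "$ifcfg"
systemctl restart network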
2.3 证书的准备
2.3.1 下载工具
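# Fetch the cfssl R1.2 tool set into /usr/local/bin.
# Each download is checked: `wget -O` creates the target file even when the
# transfer fails, so an unchecked loop would leave a truncated file that the
# final chmod then marks executable. cfssljson is installed as cfssl-json to
# match the name the rest of this guide uses.
# No publisher checksum is verified here; compare each file with the value on
# the release page before use (sha256sum <file> vs <EXPECTED_SHA256_FROM_RELEASE_PAGE>).
base_url=https://pkg.cfssl.org/R1.2
declare -A tools=(
  [cfssl]=cfssl
  [cfssljson]=cfssl-json
  [cfssl-certinfo]=cfssl-certinfo
)
for remote in "${!tools[@]}"; do
  dest="/usr/local/bin/${tools[$remote]}"
  if ! wget "${base_url}/${remote}_linux-amd64" -O "$dest"; then
    printf 'download of %s failed\n' "$remote" >&2
    rm -f -- "$dest"
    exit 1
  fi
done
chmod u+x /usr/local/bin/cfssl*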
• 在 hdss7-200 签发根证书
[root@hdss7-200 ~]# mkdir /opt/certs/ ; cd /opt/certs/ # 根证书配置: # CN 一般写域名,浏览器会校验 # names 为地区和公司信息 # expiry 为过期时间
[root@hdss7-200 certs]# vim /opt/certs/ca-csr.json
{ "CN": "92fugeEdu", "hosts": [ ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "beijing", "L": "beijing", "O": "92fuge", "OU": "ops" } ], "ca": { "expiry": "175200h" } }
[root@hdss7-200 certs]# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca 2020/01/05 10:42:07 [INFO] generating a new CA key and certificate from CSR 2020/01/05 10:42:07 [INFO] generate received request 2020/01/05 10:42:07 [INFO] received CSR 2020/01/05 10:42:07 [INFO] generating key: rsa-2048 2020/01/05 10:42:08 [INFO] encoded CSR 2020/01/05 10:42:08 [INFO] signed certificate with serial number 451005524427475354617025362003367427117323539780 [root@hdss7-200 certs]# ls -l ca* -rw-r--r-- 1 root root 993 Jan 5 10:42 ca.csr -rw-r--r-- 1 root root 328 Jan 5 10:39 ca-csr.json -rw------- 1 root root 1675 Jan 5 10:42 ca-key.pem -rw-r--r-- 1 root root 1346 Jan 5 10:42 ca.pem
2.4. docker环境准备
需要安装docker的机器:hdss7-21 hdss7-22 hdss7-200,以hdss7-21为例 [root@hdss7-21 ~]# wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo [root@hdss7-21 ~]# yum install -y docker-ce [root@hdss7-21 ~]# mkdir /etc/docker/ # 不安全的registry中增加了harbor地址 # 各个机器上bip网段不一致,bip中间两段与宿主机最后两段相同,目的是方便定位问题 [root@hdss7-21 ~]# vim /etc/docker/daemon.json { "graph": "/data/docker", "storage-driver": "overlay2", "insecure-registries": ["registry.access.redhat.com","quay.io","harbor.92fuge.com"], "registry-mirrors": ["https://registry.docker-cn.com"], "bip": "172.7.21.1/24", "exec-opts": ["native.cgroupdriver=systemd"], "live-restore": true } [root@hdss7-21 ~]# mkdir /data/docker [root@hdss7-21 ~]# systemctl start docker ; systemctl enable docker
2.5. harbor安装
参考地址:https://www.yuque.com/duduniao/trp3ic/ohrxds#9Zpxx 官方地址:https://goharbor.io/ 下载地址:https://github.com/goharbor/harbor/releases
2.5.1. hdss7-200 安装harbor
# 目录说明:
# /opt/src : 源码、文件下载目录
# /opt/release : 各个版本软件存放位置
# /opt/apps : 各个软件当前版本的软链接
[root@hdss7-200 ~]# cd /opt/src [root@hdss7-200 src]# wget https://github.com/goharbor/harbor/releases/download/v1.9.4/harbor-offline-installer-v1.9.4.tgz [root@hdss7-200 src]# mv harbor /opt/release/harbor-v1.9.4 [root@hdss7-200 src]# ln -s /opt/release/harbor-v1.9.4 /opt/apps/harbor [root@hdss7-200 src]# ll /opt/apps/ total 0 lrwxrwxrwx 1 root root 26 Jan 5 11:13 harbor -> /opt/release/harbor-v1.9.4 # 实验环境仅修改以下配置项,生产环境还得修改密码 [root@hdss7-200 src]# vim /opt/apps/harbor/harbor.yml hostname: harbor.92fuge.com http: port: 180 data_volume: /data/harbor location: /data/harbor/logs [root@hdss7-200 src]# yum install -y docker-compose [root@hdss7-200 src]# cd /opt/apps/harbor/ [root@hdss7-200 harbor]# ./install.sh ...... ✔ ----Harbor has been installed and started successfully.---- [root@hdss7-200 harbor]# docker-compose ps Name Command State Ports -------------------------------------------------------------------------------------- harbor-core /harbor/harbor_core Up harbor-db /docker-entrypoint.sh Up 5432/tcp harbor-jobservice /harbor/harbor_jobservice ... Up harbor-log /bin/sh -c /usr/local/bin/ ... Up 127.0.0.1:1514->10514/tcp harbor-portal nginx -g daemon off; Up 8080/tcp nginx nginx -g daemon off; Up 0.0.0.0:180->8080/tcp redis redis-server /etc/redis.conf Up 6379/tcp registry /entrypoint.sh /etc/regist ... Up 5000/tcp registryctl /harbor/start.sh Up
• 设置harbor开机启动
[root@hdss7-200 harbor]# vim /etc/rc.d/rc.local # 增加以下内容 # start harbor cd /opt/apps/harbor /usr/bin/docker-compose stop /usr/bin/docker-compose start
2.5.2. hdss7-200 安装nginx
• 安装Nginx反向代理harbor
# 当前机器中Nginx功能较少,使用yum安装即可。如有多个harbor考虑源码编译且配置健康检查
# nginx配置此处忽略,仅仅使用最简单的配置。
[root@hdss7-200 harbor]# vim /etc/nginx/conf.d/harbor.conf [root@hdss7-200 harbor]# cat /etc/nginx/conf.d/harbor.conf server { listen 80; server_name harbor.92fuge.com; client_max_body_size 1000m; location / { proxy_pass http://127.0.0.1:180; } }
[root@hdss7-200 harbor]# systemctl start nginx ; systemctl enable nginx
• hdss7-11 配置DNS解析
[root@hdss7-11 ~]# vim /var/named/92fuge.com.zone # 序列号需要滚动一个 $ORIGIN 92fuge.com. $TTL 600 ; 10 minutes @ IN SOA dns.92fuge.com. dnsadmin.92fuge.com. ( 2020010502 ; serial 10800 ; refresh (3 hours) 900 ; retry (15 minutes) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) NS dns.92fuge.com. $TTL 60 ; 1 minute dns A 10.4.7.11 harbor A 10.4.7.200 [root@hdss7-11 ~]# systemctl restart named.service # reload 无法使得配置生效 [root@hdss7-11 ~]# host harbor.92fuge.com harbor.92fuge.com has address 10.4.7.200
• 新建项目: public
• 测试harbor
[root@hdss7-21 ~]# docker image tag nginx:latest harbor.92fuge.com/public/nginx:latest [root@hdss7-21 ~]# docker login -u admin harbor.92fuge.com [root@hdss7-21 ~]# docker image push harbor.92fuge.com/public/nginx:latest [root@hdss7-21 ~]# docker logout