Rancher + Harbor + private CA
- Harbor Info:
- URL - https://10.20.0.71:5443/
- User tryweb
- Log in to Harbor:
    localadmin@iiidevops1:~$ sudo docker login https://10.20.0.71:5443/
    [sudo] password for localadmin:
    Username: tryweb
    Password:
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store

    Login Succeeded
Push the built image to Harbor
- Example: the built image is devops-db:v1
    sudo docker build ~/deploy-devops-develop/devops-db --tag devops-db:v1
- List the local images
    localadmin@iiidevops1:~$ sudo docker images
    REPOSITORY         TAG      IMAGE ID       CREATED        SIZE
    devops-db          v1       25269cfee615   4 hours ago    314MB
    postgres           12       386fd8c60839   3 weeks ago    314MB
    iiiorg/devops-db   latest   ec09d7015ce5   2 months ago   314MB
- Use tag to point the image at its Harbor address; project: tryweb
    sudo docker tag devops-db:v1 10.20.0.71:5443/tryweb/devops-db:v1
    localadmin@iiidevops1:~$ sudo docker images
    REPOSITORY                  TAG      IMAGE ID       CREATED        SIZE
    devops-db                   v1       25269cfee615   4 hours ago    314MB
    postgres                    12       386fd8c60839   3 weeks ago    314MB
    iiiorg/devops-db            latest   ec09d7015ce5   2 months ago   314MB
    10.20.0.71:5443/devops-db   v1       25269cfee615   5 hours ago    314MB
- Push to Harbor
    localadmin@iiidevops1:~$ sudo docker push --disable-content-trust 10.20.0.71:5443/tryweb/devops-db:v1
    The push refers to repository [10.20.0.71:5443/tryweb/devops-db]
    dad28bba27f8: Pushed
    21086d1e867a: Pushed
    5f7e00914c15: Pushed
    af0b57c72d50: Pushed
    e0cf62a99bcd: Pushed
    b1096cae6203: Pushed
    e076f7b31275: Pushed
    9cd7c4e12078: Pushed
    73cf3adf6112: Pushed
    065d45f80eac: Pushed
    3aac10e9b066: Pushed
    117725f5c702: Pushed
    a01778662164: Pushed
    883d24bc9ae1: Pushed
    f5600c6330da: Pushed
    v1: digest: sha256:7aec874faa639f6b73b7438f0f7bc6aa3e7fece8ea575bcd6421fc44e00161ea size: 3453
How to reference the image in Rancher YAML
- Example: deploy-devops-develop/devops-db/devopsdb-deployment.yaml
    apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
    kind: Deployment
    metadata:
      name: devopsdb
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: devopsdb
      strategy:
        type: Recreate
      template:
        metadata:
          labels:
            app: devopsdb
        spec:
          containers:
          - name: devopsdb
            image: 10.20.0.71:5443/tryweb/devops-db:v1
            env:
            - name: POSTGRES_PASSWORD
              value: xxxxxxxx
            - name: POSTGRES_DB
              value: devopsdb
            ports:
            - containerPort: 5432
            volumeMounts:
            - name: db-data
              mountPath: /var/lib/postgresql/data
          volumes:
          - name: db-data
            nfs:
              server: 10.20.0.71
              path: /iiidevopsNFS/devopsdb
Harbor uses a private CA, and Rancher reports ErrImagePull: rpc error ..... x509
- The full error message is roughly as follows:
    ErrImagePull: rpc error: code = Unknown desc = Error response from daemon: Get ... v2/: x509: certificate signed by unknown authority
- Solution 1: Copy the self-signed certificate used by Rancher (e.g. 10.20.0.71.crt) to every k8s host in the Rancher cluster, configure each host to trust it, then restart the docker service
    sudo cp 10.20.0.71.crt /usr/local/share/ca-certificates/
    sudo update-ca-certificates
    sudo systemctl restart docker.service
    ls /etc/ssl/certs | awk /10.20.0.71/
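- Solution 2: Configure Docker on every k8s host to trust Harbor's IP:Port 10.20.0.71:5443 or domain name, then restart the docker service. Docker skips TLS certificate verification for registries listed under insecure-registries and falls back to HTTP if HTTPS is unavailable.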
    sudo vi /etc/docker/daemon.json
    {
      "insecure-registries":["10.20.0.71:5443", "harbor.iiidevops.org"]
    }
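Why solution 1 clears the x509 error, as an added example that is not part of the original page: it reproduces the "unknown authority" verdict and the fix against a scratch CA bundle, and also checks the IP subjectAltName that Docker needs when Harbor is addressed as 10.20.0.71. The function names, the throwaway certificates and the 192.0.2.1 address are constructed for illustration, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: every key and certificate here is a throwaway, constructed locally.

# Stand-in for the registry's self-signed 10.20.0.71.crt.
# $1 = output dir, $2 = file stem, $3 = IP used for CN and subjectAltName
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$3" -addext "subjectAltName=IP:$3" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Succeeds only if certificate $1 chains to an anchor in CA bundle $2.
cert_trusted() {
  openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeeds only if certificate $1 lists IP $2 in its subjectAltName, which the
# Go TLS stack in dockerd requires when the registry is addressed by IP.
cert_covers_ip() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed 's/^ *//' | grep -qxF "IP Address:$2"
}

# Walk through the failure and the fix against a scratch bundle.
demo() {
  d=$(mktemp -d) || return 1
  make_selfsigned "$d" other 192.0.2.1     # unrelated anchor already in the bundle
  make_selfsigned "$d" harbor 10.20.0.71   # the registry certificate
  cp "$d/other.crt" "$d/bundle.crt"

  cert_trusted "$d/harbor.crt" "$d/bundle.crt" && before=trusted || before=unknown-authority
  cat "$d/harbor.crt" >> "$d/bundle.crt"   # the effect update-ca-certificates has on the bundle
  cert_trusted "$d/harbor.crt" "$d/bundle.crt" && after=trusted || after=unknown-authority
  cert_covers_ip "$d/harbor.crt" 10.20.0.71 && san=ok || san=missing

  rm -rf "$d"
  echo "before=$before after=$after san=$san"
}

demo
```

On a Debian/Ubuntu node, running `cert_trusted 10.20.0.71.crt /etc/ssl/certs/ca-certificates.crt` after `update-ca-certificates` confirms the anchor landed before Docker is restarted.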