差異處

這裏顯示兩個版本的差異處。

--- tech:harbor_rancher_ca [2020/12/11 00:18] – jonathan
+++ tech:harbor_rancher_ca [2021/04/20 09:12] (目前版本) – [Harbor 使用 Private CA, Rancher 出現 ErrImagePull: rpc error ..... x509] jonathan
@@ 行 1: / 行 1: @@
+====== Rancher + Harbor + private CA ======
+  * Harbor Info:
+    * URL - https://10.20.0.71:5443/
+    * User tryweb
+    * Add Public Project - tryweb {{:tech:2020121101.png|}}
+  * Login Harbor:<cli>
+localadmin@iiidevops1:~$ sudo docker login https://10.20.0.71:5443/
+[sudo] password for localadmin:
+Username: tryweb
+Password:
+WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
+Configure a credential helper to remove this warning. See
+https://docs.docker.com/engine/reference/commandline/login/#credentials-store
+Login Succeeded
+</cli>
+===== push 建立好的 image 到 Harbor =====
+  * 參考網址 - https://ithelp.ithome.com.tw/articles/10191213
+  * Exp. 建立的 image : devops-db:v1 <cli>
+sudo docker build ~/deploy-devops-develop/devops-db --tag devops-db:v1
+</cli>
+  * 檢視本地 images 清單<cli>
+localadmin@iiidevops1:~$ sudo docker images
+REPOSITORY                      TAG             IMAGE ID       CREATED        SIZE
+devops-db                       v1              25269cfee615   4 hours ago    314MB
+postgres                        12              386fd8c60839   3 weeks ago    314MB
+iiiorg/devops-db                latest          ec09d7015ce5   2 months ago   314MB
+</cli>
+  * 使用 tag 來設定 image Harbor 的位址, 專案:tryweb <cli>
+sudo docker tag devops-db:v1 10.20.0.71:5443/tryweb/devops-db:v1
+localadmin@iiidevops1:~$ sudo docker images
+REPOSITORY                      TAG             IMAGE ID       CREATED        SIZE
+devops-db                       v1              25269cfee615   4 hours ago    314MB
+postgres                        12              386fd8c60839   3 weeks ago    314MB
+iiiorg/devops-db                latest          ec09d7015ce5   2 months ago   314MB
+.20.0.71:5443/devops-db       v1              25269cfee615   5 hours ago    314MB
+</cli>
+  * push 至 Harbor<cli>
+localadmin@iiidevops1:~$ sudo docker push --disable-content-trust 10.20.0.71:5443/tryweb/devops-db:v1
+The push refers to repository [10.20.0.71:5443/tryweb/devops-db]
+dad28bba27f8: Pushed
+d1e867a: Pushed
+f7e00914c15: Pushed
+af0b57c72d50: Pushed
+e0cf62a99bcd: Pushed
+b1096cae6203: Pushed
+e076f7b31275: Pushed
+cd7c4e12078: Pushed
+cf3adf6112: Pushed
+d45f80eac: Pushed
+aac10e9b066: Pushed
+f5c702: Pushed
+a01778662164: Pushed
+d24bc9ae1: Pushed
+f5600c6330da: Pushed
+v1: digest: sha256:7aec874faa639f6b73b7438f0f7bc6aa3e7fece8ea575bcd6421fc44e00161ea size: 3453
+</cli> {{:tech:2020121102.png|}}
+===== Rancher yaml 取用的寫法 =====
+  * Exp.  deploy-devops-develop/devops-db/devopsdb-deployment.yaml<file>
+apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
+kind: Deployment
+metadata:
+  name: devopsdb
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: devopsdb
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: devopsdb
+    spec:
+      containers:
+      - name: devopsdb
+        image: 10.20.0.71:5443/tryweb/devops-db:v1
+        env:
+        - name: POSTGRES_PASSWORD
+          value: xxxxxxxx
+        - name: POSTGRES_DB
+          value: devopsdb
+        ports:
+        - containerPort: 5432
+        volumeMounts:
+        - name: db-data
+          mountPath: /var/lib/postgresql/data
+      volumes:
+      - name: db-data
+        nfs:
+          server: 10.20.0.71
+          path: /iiidevopsNFS/devopsdb
+</file>
+===== Harbor 使用 Private CA, Rancher 出現 ErrImagePull: rpc error ..... x509 =====
+  * 參考 - https://forums.rancher.com/t/rancher-2-private-docker-registry/12541
+  * {{:tech:2020121103.png|}}
+  * 完整錯誤訊息大致如下: <code>
+ErrImagePull: rpc error: code = Unknown desc = Error response from daemon: Get ... v2/: x509: certificate signed by unknown authority</code>
+  * 解決方法一 : 讓 Rancher 所使用的自簽憑證 Exp. 10.20.0.71.crt 複製到 Rancher cluster 所有 k8s 主機內並設定信任這憑證, 然後重啟 docker 服務
+    * [email protected] <cli>
+sudo cp 10.20.0.71.crt /usr/local/share/ca-certificates/
+sudo update-ca-certificates
+sudo systemctl restart docker.service
+ls /etc/ssl/certs | awk /10.20.0.71/
+</cli>
+  * 解決方法二 : 將所有 k8s 主機內的 Docker 信任 Harbor 的 IP:Port 10.20.0.71:5443 或 Domain Name, 然後重啟 docker 服務
+    * [email protected] <cli>
+sudo vi /etc/docker/daemon.json
+{
+    "insecure-registries":["10.20.0.71:5443", "harbor.iiidevops.org"]
+}
+</cli>
+{{tag>rancher harbor k8s iiidevops}}