搭建nerdctl+buildkitd环境: 安装nerdctl:
wget https://github.com/containerd/nerdctl/releases/download/v0.22.0/nerdctl-0.22.0-linux-amd64.tar.gz tar -zxvf nerdctl-0.22.0-linux-amd64.tar.gz cp nerdctl /usr/local/bin/安装cni:
wget https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz mkdir /opt/cni/bin -p tar -zxvf cni-plugins-linux-amd64-v1.1.1.tgz -C /opt/cni/bin/安装buildkitd:
wget https://github.com/moby/buildkit/releases/download/v0.10.3/buildkit-v0.10.3.linux-amd64.tar.gz tar -zxvf buildkit-v0.10.3.linux-amd64.tar.gz cp -a bin/buildkitd bin/buildctl /usr/local/bin/生成Buildkitd的socket文件
cat <<EOF > /lib/systemd/system/buildkit.socket [Unit] Description=BuildKit Documentation=https://github.com/moby/buildkit [Socket] ListenStream=%t/buildkit/buildkitd.sock [Install] WantedBy=sockets.target EOF生成buildkitd的service文件
cat <<EOF > /lib/systemd/system/buildkitd.service [Unit] Description=BuildKit Requires=buildkit.socket After=buildkit.socketDocumentation=https://github.com/moby/buildkit [Service] ExecStart=/usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true [Install] WantedBy=multi-user.target EOF
systemctl daemon-reload systemctl start buildkitd systemctl enable buildkitd###################################################################################################### containerd信任harbor自签名证书: #第一种方式:使用--insecure-registry
nerdctl login --resecure-registry harbor.wyh.net#第二种方式:将证书拿到客户端,让客户端信任证书
mkdir /etc/containerd/certs.d/harbor.wyh.net -p在harbor服务器将crt转换成cert
openssl x509 -inform PEM -in harbor.wyh.net.crt -out harbor.wyh.net.cert将文件复制到客户端服务器的/etc/containerd/certs.d/harbor.wyh.net目录下
scp ca.crt harbor.wyh.net.cert harbor.wyh.net.key 192.168.213.11://etc/containerd/certs.d/harbor.wyh.net测试是否可以登陆harbor
nerdctl login harbor.wyh.net
!!!nerdctl有namespace概念,默认使用的namespace可以在/etc/nerdctl/nerdctl.toml指定!!!
cat <<EOF >/etc/nerdctl/nerdctl.toml namespace = "k8s.io" EOF!!!虽然信任证书后nerdctl可以正常拉取镜像和上传镜像到harbor,但是当制作镜像的源镜像是harbor上的镜像时会出现问题!!! 问题:此正式是未知的颁发机构签发的,所以不被信任
解决方法:
- 使用正规机构颁发的证书(网上有免费申请的地方)
- 在harbor前面部署nginx,nginx来挂证书,同时支持http和https
docker-compose stop#修改其配置文件,注释掉https的配置
vim harbor.yml
更新配置
./prepare启动
docker-compose up -d服务启动成成功后harbor就可以使用http访问了:
启动成功后面临的问题:之前containerd配置的https访问,所以现在服务器上无法下载或者上传镜像:
解决方法:
- 修改containerd的配置文件,改成http访问
- 在harbor前面部署一个nginx,nginx配置https访问
mkdir /etc/{buildkit,nerdctl}
cat <<EOF >/etc/buildkit/buildkitd.toml [registry."harbor.wyh.net"] http = true insecure = true EOF
cat <<EOF >/etc/nerdctl/nerdctl.toml namespace = "k8s.io" debug = false debug_full = false insecure_registry = true EOF分层构建镜像的思路图:
标签:harbor,nerdctl,buildkit,镜像,buildkitd,net,wyh
From: https://www.cnblogs.com/wyh-l6/p/16590586.html