containerd推送+kaniko build

containerd推送+kaniko build配置简述
前置条件
设置清华yum源
https://mirrors.tuna.tsinghua.edu.cn/help/centos/

下载所有安装包

1.kubernetes1.25.+的二进制包
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md
wget https://dl.k8s.io/v1.25.0/kubernetes-server-linux-amd64.tar.gz
2.下载etcdctl二进制包
https://github.com/etcd-io/etcd/releases
wget https://github.com/etcd-io/etcd/releases/download/v3.5.4/etcd-v3.5.4-linux-amd64.tar.gz
3.containerd二进制包
https://github.com/containerd/containerd/releases
4.containerd带cni插件的二进制包
wget https://github.com/containerd/containerd/releases/download/v1.6.8/cri-containerd-cni-1.6.8-linux-amd64.tar.gz
5.cfssl二进制包
https://github.com/cloudflare/cfssl/releases
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl-certinfo_1.6.1_linux_amd64
6.cni插件
https://github.com/containernetworking/plugins/releases
wget https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz
7.crictl客户端二进制
https://github.com/kubernetes-sigs/cri-tools/releases
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.24.2/crictl-v1.24.2-linux-amd64.tar.gz

初始化

systemctl disable --now firewalld
setenforce 0
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
sed -ri 's/.swap./#&/' /etc/fstab
swapoff -a && sysctl -w vm.swappiness=0

# /dev/mapper/centos-swap swap                    swap    defaults        0 0

# systemctl disable --now NetworkManager
# systemctl start network && systemctl enable network

yum install chrony -y
cat > /etc/chrony.conf << EOF
pool ntp.aliyun.com iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
allow x.x.x.x/24
local stratum 10
keyfile /etc/chrony.keys
leapsectz right/UTC
logdir /var/log/chrony
EOF

systemctl restart chronyd ; systemctl enable chronyd

yum install chrony -y
cat > /etc/chrony.conf << EOF
pool 192.168.42.132 iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
keyfile /etc/chrony.keys
leapsectz right/UTC
logdir /var/log/chrony
EOF

systemctl restart chronyd ; systemctl enable chronyd

chronyc sources -v

ulimit -SHn 65535
cat >> /etc/security/limits.conf <<EOF

• soft nofile 655360
• hard nofile 131072
• soft nproc 655350
• hard nproc 655350
• seft memlock unlimited
• hard memlock unlimitedd
  EOF

yum install -y sshpass
ssh-keygen -f /root/.ssh/id_rsa -P ''
export IP="x.x.x.x j.j.j.j ...."
export SSHPASS=123123
for HOST in $IP;do
sshpass -e ssh-copy-id -o StrictHostKeyChecking=no $HOST
done

yum install https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm -y
sed -i "s@mirrorlist@#mirrorlist@g" /etc/yum.repos.d/elrepo.repo
sed -i "[email protected]/[email protected]/elrepo@g" /etc/yum.repos.d/elrepo.repo

yum install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm -y
sed -i "s@mirrorlist@#mirrorlist@g" /etc/yum.repos.d/elrepo.repo
sed -i "[email protected]/[email protected]/elrepo@g" /etc/yum.repos.d/elrepo.repo

yum --disablerepo="*" --enablerepo="elrepo-kernel" list available
升级内核至4.18版本以上
安装最新的内核
我这里选择的是稳定版kernel-ml 如需更新长期维护版本kernel-lt
yum --enablerepo=elrepo-kernel install kernel-ml

rpm -qa | grep kernel

grubby --default-kernel
/boot/vmlinuz-5.16.7-1.el8.elrepo.x86_64

grubby --set-default /boot/vmlinuz-「您的内核版本」.x86_64

reboot

安装一些工具
yum -y install wget jq psmisc vim net-tools nfs-utils telnet yum-utils device-mapper-persistent-data lvm2 git network-scripts tar curl -y
部署containerd
设置containerd配置文件中的下述部分
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = ""
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = ["http://registry-1.docker.io"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."192.168.42.132"]
endpoint = ["http://192.168.42.132"]
[plugins."io.containerd.grpc.v1.cri".registry.configs]
[plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.42.132".tls]
insecure_skip_verify = true
[plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.42.132".auths]
username="admin"
password="Harbor12345"

重启
systemctl restart containerd

部署完k8s系统
部署完Harbor仓库或者docker registry仓库
这里仓库是http协议未使用https
工作目录:/root/kaniko

为k8s添加镜像仓库认证
kubectl create secret docker-registry myregistrykey --docker-server=192.168.42.132 --docker-username=admin --docker-password=Harbor12345
查看
kubectl get secret

写文件
vim Dockerfile
FROM alpine
RUN echo "created from standard input"

设置为pod资源类型的
写文件
vim kaniko.yaml
apiVersion: v1
kind: Pod
metadata:
name: kaniko
spec:
containers:

• name: kaniko
  image: 192.168.42.132/wxg/kaniko-project-executor:latest
  args: [ "--dockerfile=Dockerfile",
  "--context=/root/kaniko",
  "--destination=192.168.42.132/k8s/kaniko-project-executor:v12"]
  volumeMounts:
  • name: kaniko-secret
    mountPath: /root/.docker
  • name: project-volume
    mountPath: /root/kaniko
    restartPolicy: Never
    volumes:
  • name: kaniko-secret
    secret:
    secretName: myregistrykey
    items:
    - key: .dockerconfigjson
    path: config.json
  • name: project-volume
    hostPath:
    path: /root/kaniko

设置为Job资源类型，100s后销毁Pod
apiVersion: batch/v1
kind: Job
metadata:
name: kaniko
spec:
ttlSecondsAfterFinished: 100
template:
spec:
containers:
- name: kaniko
image: 192.168.42.132/wxg/kaniko-project-executor:latest
args: [ "--dockerfile=Dockerfile",
"--context=/tmp",
"--destination=192.168.42.132/k8s/kaniko-project-executor:v14"]
volumeMounts:
- name: kaniko-secret
mountPath: /root/.docker/
- name: project-volume
mountPath: /tmp
restartPolicy: Never
volumes:
- name: kaniko-secret
secret:
secretName: myregistrykey
items:
- key: .dockerconfigjson
path: config.json
- name: project-volume
hostPath:
path: /tmp