文章目錄
1、本次部署架構規劃
2、部署前熱身
2.1 系統優化[所有節點執行]
1.yum源準備
# curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
# sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
# yum makecache
2.關牆(關閉防火牆與SELinux,僅適用於隔離的實驗環境)
# systemctl stop firewalld
# systemctl disable firewalld
# sed -ri '/^SELINUX=/s/=.+/=disabled/' /etc/selinux/config   # 注意是 -ri 而非 -ir:-i 後緊跟的字元會被當作備份後綴,-r 不會生效,原文寫法不會改動配置
# getenforce   # 配置文件的修改需重啓後才生效
Disabled
3.安裝Ops必備包
# yum install tree nmap dos2unix lrzsz nc lsof psmisc net-tools bash-completion bash-completion-extras vim-enhanced \
wget tcpdump unzip htop iftop iotop sysstat nethogs telnet nmap sysstat lrzsz dos2unix bind-utils vim less -y
2.2 DNS服務安裝部署
創建主機域host.com
創建業務域od.com
主輔同步(10.4.7.11主、10.4.7.12輔)
客戶端配置指向自建DNS
安裝Bind服務
1. hdss7-11 安裝bind
[root@hdss7-11 ~]# yum install bind -y
2.配置
[root@hdss7-11 ~]# vim /etc/named.conf # 確保以下配置正確;allow-query { any; } 配合 recursion yes 意味著對所有來源開放遞歸查詢,僅適用於隔離的實驗網段
listen-on port 53 { 10.4.7.11; };
directory "/var/named";
allow-query { any; };
forwarders { 10.4.7.254; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
3.hdss7-11.host.com 配置區域文件
# 增加兩個zone配置,od.com.zone爲業務域,host.com.zone爲主機域
[root@hdss7-11 ~]# vim /etc/named.rfc1912.zones
zone "host.com" IN {
type master;
file "host.com.zone";
allow-update { 10.4.7.11; };
};
zone "od.com" IN {
type master;
file "od.com.zone";
allow-update { 10.4.7.11; };
};
4.hdss7-11.host.com 配置主機域文件
# line6中的序列號(serial)需要修改,每次修改區域文件後都要遞增
[root@hdss7-11 ~]# vim /var/named/host.com.zone
$ORIGIN host.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.host.com. dnsadmin.host.com. (
2020062101 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.host.com.
$TTL 60 ; 1 minute
dns A 10.4.7.11
HDSS7-11 A 10.4.7.11
HDSS7-12 A 10.4.7.12
HDSS7-21 A 10.4.7.21
HDSS7-22 A 10.4.7.22
HDSS7-200 A 10.4.7.200
5.hdss7-11.host.com 配置業務域文件
[root@hdss7-11 ~]# vim /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.od.com. dnsadmin.od.com. (
2020062101 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.od.com.
$TTL 60 ; 1 minute
dns A 10.4.7.11
6.hdss7-11.host.com 啓動bind服務,並測試
[root@hdss7-11 ~]# named-checkconf # 檢查配置文件
[root@hdss7-11 ~]# systemctl start named && systemctl enable named.service
[root@hdss7-11 ~]# netstat -lntup |grep 53
tcp 0 0 10.4.7.11:53 0.0.0.0:* LISTEN 24139/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 24139/named
tcp6 0 0 ::1:53 :::* LISTEN 24139/named
tcp6 0 0 ::1:953 :::* LISTEN 24139/named
udp 0 0 10.4.7.11:53 0.0.0.0:* 24139/named
udp6 0 0 ::1:53 :::* 24139/named
[root@hdss7-11 ~]# dig -t A hdss7-21.host.com @10.4.7.11 +short
10.4.7.21
[root@hdss7-11 ~]# host hdss7-200.host.com 10.4.7.11
Using domain server:
Name: 10.4.7.11
Address: 10.4.7.11#53
Aliases:
HDSS7-200.host.com has address 10.4.7.200
7.修改主機DNS
修改所有主機的dns服務器地址
[root@hdss7-11 ~]# sed -i '/DNS1/s/10.4.7.254/10.4.7.11/' /etc/sysconfig/network-scripts/ifcfg-eth0
[root@hdss7-11 ~]# systemctl restart network
[root@hdss7-11 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search host.com
nameserver 10.4.7.11
[root@hdss7-11 ~]# ping hdss7-200
PING HDSS7-200.host.com (10.4.7.200) 56(84) bytes of data.
64 bytes from 10.4.7.200 (10.4.7.200): icmp_seq=1 ttl=64 time=0.738 ms
64 bytes from 10.4.7.200 (10.4.7.200): icmp_seq=2 ttl=64 time=2.16 ms
64 bytes from 10.4.7.200 (10.4.7.200): icmp_seq=3 ttl=64 time=1.81 ms
本次實驗環境使用的是虛擬機,因此也要對windows宿主機NAT網卡DNS進行修改
3、準備簽發證書環境
安裝CFSSL
1.hdss7-200 下載工具(下載後建議核對官方發佈的校驗和再使用)
[root@hdss7-200 ~]# curl -s -L -o /usr/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@hdss7-200 ~]# curl -s -L -o /usr/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@hdss7-200 ~]# curl -s -L -o /usr/bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@hdss7-200 ~]# chmod +x /usr/bin/cfssl*
2.hdss7-200 簽發根證書
[root@hdss7-200 ~]# mkdir /opt/certs/ && cd /opt/certs/
# 根證書配置:
# CN 一般寫域名,瀏覽器會校驗
# names 爲地區和公司信息
# expiry 爲過期時間
[root@hdss7-200 certs]# vim /opt/certs/ca-csr.json
{
"CN": "Cyw",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
],
"ca": {
"expiry": "175200h"
}
}
[root@hdss7-200 certs]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2020/06/22 16:17:57 [INFO] generating a new CA key and certificate from CSR
2020/06/22 16:17:57 [INFO] generate received request
2020/06/22 16:17:57 [INFO] received CSR
2020/06/22 16:17:57 [INFO] generating key: rsa-2048
2020/06/22 16:17:57 [INFO] encoded CSR
2020/06/22 16:17:57 [INFO] signed certificate with serial number 509989174348362559978459385855952629108260519930
查看簽發的證書,生成ca.pem、ca.csr、ca-key.pem(CA私鑰,需妥善保管)
[root@hdss7-200 certs]# ls -l ca*
-rw-r--r-- 1 root root 985 Jun 22 16:17 ca.csr
-rw-r--r-- 1 root root 322 Jun 22 16:14 ca-csr.json
-rw------- 1 root root 1675 Jun 22 16:17 ca-key.pem
-rw-r--r-- 1 root root 1330 Jun 22 16:17 ca.pem
4、部署Docker環境
HDSS7-200.host.com,HDSS7-21.host.com,HDSS7-22.host.com 主機操作:
[root@hdss7-21 ~]# wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@hdss7-21 ~]# yum install -y docker-ce
[root@hdss7-21 ~]# mkdir /etc/docker/
# 不安全的registry中增加了harbor地址(insecure-registries 表示以明文HTTP訪問、不驗證TLS,僅適用於實驗環境)
# 各個機器上bip網段不一致,bip中間兩段與宿主機最後兩段相同,目的是方便定位問題
要是只配一個daemon.json 我把你頭打偏尼
[root@hdss7-21 ~]# vim /etc/docker/daemon.json
{
"graph": "/data/docker",
"storage-driver": "overlay2",
"insecure-registries": ["registry.access.redhat.com","quay.io","harbor.od.com"],
"registry-mirrors": ["https://registry.docker-cn.com"],
"bip": "172.7.21.1/24",
"exec-opts": ["native.cgroupdriver=systemd"],
"live-restore": true
}
[root@hdss7-21 ~]# mkdir /data/docker
[root@hdss7-21 ~]# systemctl start docker && systemctl enable docker
5、部署私有倉庫Harbor
參考地址:https://www.yuque.com/duduniao/trp3ic/ohrxds#9Zpxx
官方地址:https://goharbor.io/
下載地址:https://github.com/goharbor/harbor/releases
1.hdss7-200 安裝harbor
# 目錄說明:
# /opt/src : 源碼、文件下載目錄
# /opt/release : 各個版本軟件存放位置
# /opt/apps : 各個軟件當前版本的軟鏈接
[root@hdss7-200 ~]# cd /opt/src
下載軟件二進制包並解壓
[root@hdss7-200 src]# wget https://github.com/goharbor/harbor/releases/download/v1.9.4/harbor-offline-installer-v1.9.4.tgz
[root@hdss7-200 src]# tar xf harbor-offline-installer-v1.9.4.tgz
[root@hdss7-200 src]# mv harbor /opt/release/harbor-v1.9.4
[root@hdss7-200 src]# ln -s /opt/release/harbor-v1.9.4 /opt/apps/harbor
[root@hdss7-200 src]# ll /opt/apps/
total 0
lrwxrwxrwx 1 root root 26 Jan 5 11:13 harbor -> /opt/release/harbor-v1.9.4
# 實驗環境僅修改以下配置項,生產環境還得修改管理員密碼(harbor_admin_password)並啓用HTTPS
[root@hdss7-200 src]# vim /opt/apps/harbor/harbor.yml
hostname: harbor.od.com
http:
port: 180
data_volume: /data/harbor
location: /data/harbor/logs
[root@hdss7-200 src]# yum install -y docker-compose
[root@hdss7-200 src]# cd /opt/apps/harbor/
[root@hdss7-200 harbor]# ./install.sh
。。。。。。。。
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://harbor.od.com.
For more details, please visit https://github.com/goharbor/harbor .
檢查harbor啓動情況
[root@hdss7-200 harbor]# docker-compose ps
Name Command State Ports
--------------------------------------------------------------------------------------
harbor-core /harbor/harbor_core Up
harbor-db /docker-entrypoint.sh Up 5432/tcp
harbor-jobservice /harbor/harbor_jobservice ... Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up 8080/tcp
nginx nginx -g daemon off; Up 0.0.0.0:180->8080/tcp
redis redis-server /etc/redis.conf Up 6379/tcp
registry /entrypoint.sh /etc/regist ... Up 5000/tcp
registryctl /harbor/start.sh Up
2.配置harbor開機啓動
[root@hdss7-200 harbor]# vim /etc/rc.d/rc.local # 增加以下內容(CentOS 7 需 chmod +x /etc/rc.d/rc.local 才會在開機時執行)
# start harbor
cd /opt/apps/harbor
/usr/bin/docker-compose stop
/usr/bin/docker-compose start
6、部署Nginx[hdss7-200]
1.安裝配置Nginx反向代理harbor
# 當前機器中Nginx功能較少,使用yum安裝即可。如有多個harbor考慮源碼編譯且配置健康檢查
[root@hdss7-200 harbor]# yum install nginx -y
----------------------------------------------------------
# 以下生成自簽名證書(server.key/server.crt);注意下方 harbor.conf 只監聽 80 端口,並未引用這對證書
[root@hdss7-200 ssl_key]# mkdir -p /etc/nginx/ssl_key
[root@hdss7-200 ssl_key]# openssl genrsa -idea -out server.key 2048
[root@hdss7-200 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
---------------------------------------------------------
[root@hdss7-200 harbor]# cat /etc/nginx/conf.d/harbor.conf
server {
listen 80;
server_name harbor.od.com;
# 避免出現上傳失敗的情況
client_max_body_size 1000m;
location / {
proxy_pass http://127.0.0.1:180;
}
}
[root@hdss7-200 ssl_key]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@hdss7-200 ssl_key]# systemctl start nginx
[root@hdss7-200 ssl_key]# netstat -lntup|grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 74186/nginx: master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 74186/nginx: master
[root@hdss7-200 ssl_key]# systemctl enable nginx
2.hdss7-11 配置DNS解析
[root@hdss7-11 ~]# vim /var/named/od.com.zone # 序列號需要滾動一個,且必須大於上一版的2020062101;下方示例中的2020010502反而更小,輔DNS不會同步
$ORIGIN od.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.od.com. dnsadmin.od.com. (
2020010502 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.od.com.
$TTL 60 ; 1 minute
dns A 10.4.7.11
harbor A 10.4.7.200
[root@hdss7-11 ~]# systemctl restart named.service
[root@hdss7-11 ~]# host harbor.od.com
harbor.od.com has address 10.4.7.200
將本地宿主機的DNS指向10.4.7.11
新建項目
測試harbor(注意下方tag的是nginx:latest,push的卻是alpine:test,兩者需保持一致):
[root@hdss7-21 ~]# docker image tag nginx:latest harbor.od.com/public/nginx:latest
[root@hdss7-21 ~]# docker login -u admin harbor.od.com
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@hdss7-21 ~]# docker image push harbor.od.com/public/alpine:test
The push refers to repository [harbor.od.com/public/alpine]
1bfeebd65323: Pushed
test: digest: sha256:57334c50959f26ce1ee025d08f136c2292c128f84e7b229d1b0da5dac89e9866 size: 528
[root@hdss7-21 ~]# docker logout