Feed: http://www.aygfsteel.com/xiaomage234/category/55128.html
Description: Life is but a sad and beautiful drift; what memory can never put down is the romance and innocence of childhood.
Language: zh-cn
Last build date: Tue, 25 Oct 2016 06:31:05 GMT

Deploying a private Docker Registry
Link: http://www.aygfsteel.com/xiaomage234/archive/2016/10/25/431924.html
Author: 马?
Published: Tue, 25 Oct 2016 06:24:00 GMT
Comments: http://www.aygfsteel.com/xiaomage234/comments/431924.html

Source: http://tonybai.com/2016/02/26/deploy-a-private-docker-registry/

Installing and deploying a private Docker Registry is one of the unavoidable steps in adopting, learning and using Docker. Especially once Docker has been accepted by your organization and more people, projects and products start using it, storing and distributing home-made Docker images becomes a hard requirement. Docker Registry carries on the "Docker has many pitfalls" tradition, so here I record the steps I took and the problems I ran into while setting up the "various kinds" of Registry, as a memo for myself and a reference for others.

In 2015 Docker released the distribution project, i.e. Docker Registry 2. Compared with the old registry, Registry 2 is implemented in Go and brings large improvements in security and performance. It has a newly designed REST API and is no longer compatible with the old Registry in areas such as the image storage format. In April last year the official Docker Hub replaced the old Registry with Registry 2.1. To interact with Registry 2 your Docker version must be at least 1.6.

Docker's developers have also kept working on the Registry installation and usage experience, providing an official Registry image and the Docker Compose tool to simplify Registry configuration. In this article, however, we only use Docker and the official Registry image to deploy the Registry, which makes it easier to understand the deployment and configuration details fully.

For image storage, Registry 2 supports not only the local disk but also many mainstream third-party storage back ends; with a distributed storage system you can even build a distributed Docker Registry service. Here we only cover the local disk and a single-node Registry 2.

I. Environment

We reuse the Docker environment from my earlier posts:

Docker Registry Server: 10.10.105.71, Ubuntu 14.04, 3.16.0-57-generic; docker 1.9.1

The other two worker servers:
10.10.105.72 Ubuntu 14.04 3.19.0-25-generic; docker 1.9.1
10.10.126.101 Ubuntu 12.04 3.16.7-013607-generic; docker 1.9.1

This time the Registry uses the current latest stable version, Registry 2.3.0. Because images are stored on local disk and the root partition is small, another volume needs to be mapped in.

II. First attempt

I assumed setting up a Docker Registry would be trivial, so trivial that a single command would do it. For example, on the Registry Server:

In ~/dockerregistry, run:

$sudo docker run -d -p 5000:5000 -v `pwd`/data:/var/lib/registry --restart=always --name registry registry:2
Unable to find image 'registry:2' locally
2: Pulling from library/registry
f32095d4ba8a: Pull complete
9b607719a62a: Pull complete
973de4038269: Pull complete
2867140211c1: Pull complete
8da16446f5ca: Pull complete
fd8c38b8b68d: Pull complete
136640b01f02: Pull complete
e039ba1c0008: Pull complete
c457c689c328: Pull complete
Digest: sha256:339d702cf9a4b0aa665269cc36255ee7ce424412d56bee9ad8a247afe8c49ef1
Status: Downloaded newer image for registry:2
e9088ef901cb00546c59f89defa4625230f4b36b0a44b3713f38ab3d2a5a2b44

$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
registry            2                   c457c689c328        9 days ago          165.7 MB

$ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS                    NAMES
e9088ef901cb        registry:2          "/bin/registry /etc/d"   About a minute ago   Up About a minute   0.0.0.0:5000->5000/tcp   registry

The Registry container is up; its startup log can be viewed with: docker logs registry.

On 71 we tag the local busybox:latest and try to push the image under the new tag to the Registry:

$ docker tag busybox:latest 10.10.105.71:5000/tonybai/busybox:latest
$ docker images
REPOSITORY                          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
registry                            2                   c457c689c328        9 days ago          165.7 MB
busybox                             latest              65e4158d9625        9 days ago          1.114 MB
10.10.105.71:5000/tonybai/busybox   latest              65e4158d9625        9 days ago          1.114 MB
... ...

Push to the Registry:

$ docker push 10.10.105.71:5000/tonybai/busybox
The push refers to a repository [10.10.105.71:5000/tonybai/busybox] (len: 1)
unable to ping registry endpoint https://10.10.105.71:5000/v0/
v2 ping attempt failed with error: Get https://10.10.105.71:5000/v2/: Tunnel or SSL Forbidden
 v1 ping attempt failed with error: Get https://10.10.105.71:5000/v1/_ping: Tunnel or SSL Forbidden

An error! A quick look suggests the cause is an HTTP proxy in the docker daemon configuration on 71, which prevents pinging the registry endpoint. So comment out the export http_proxy="xxx" setting in /etc/default/docker and restart the docker daemon.

Try the push again:

$ docker push 10.10.105.71:5000/tonybai/busybox
The push refers to a repository [10.10.105.71:5000/tonybai/busybox] (len: 1)
unable to ping registry endpoint https://10.10.105.71:5000/v0/
v2 ping attempt failed with error: Get https://10.10.105.71:5000/v2/: tls: oversized record received with length 20527
 v1 ping attempt failed with error: Get https://10.10.105.71:5000/v1/_ping: tls: oversized record received with length 20527

Still a failure, but the error message has changed. This time the connection can be established, but the client accesses the server over https and apparently wants to negotiate TLS, which never completes.

Pushing an image to the registry from the other machines hits the same error output, as follows:

10.10.105.72:

$ docker push 10.10.105.71:5000/tonybai/ubuntu
The push refers to a repository [10.10.105.71:5000/tonybai/ubuntu] (len: 1)
unable to ping registry endpoint https://10.10.105.71:5000/v0/
v2 ping attempt failed with error: Get https://10.10.105.71:5000/v2/: tls: oversized record received with length 20527
 v1 ping attempt failed with error: Get https://10.10.105.71:5000/v1/_ping: tls: oversized record received with length 20527

From the error message, the client defaults to https when talking to the Registry, but when we installed the Registry we did not configure any TLS key or crt file, so https access is bound to fail. To understand the problem, the only option is to consult the Registry Manual.

III. Insecure Registry

The Registry documentation is fairly thorough. In it we found the Insecure Registry, that is, how to configure and use a Registry that accepts plain http, although this is not officially recommended.

In practice an Insecure Registry basically meets the needs of our internal network, and the deployment avoids the tedious steps of a secure registry such as creating and deploying certificates.

To set up an Insecure Registry, first clean up the Registry container started above.

$ docker stop registry
registry
$ docker rm registry
registry

Modify the Docker daemon configuration on the Registry server, adding --insecure-registry to DOCKER_OPTS:

DOCKER_OPTS="--insecure-registry 10.10.105.71:5000 ....

Restart the Docker daemon and start the Registry container:

$ sudo service docker restart
docker stop/waiting
docker start/running, process 6712
$ sudo docker run -d -p 5000:5000 -v `pwd`/data:/var/lib/registry --restart=always --name registry registry:2
5966e92fce9c34705050e19368d19574e021a272ede1575385ef35ecf5cea019

Try to push the image again:

$ docker push 10.10.105.71:5000/tonybai/busybox
The push refers to a repository [10.10.105.71:5000/tonybai/busybox] (len: 1)
65e4158d9625: Pushed
5506dda26018: Pushed
latest: digest: sha256:800f2d4558acd67f52262fbe170c9fc2e67efaa6f230a74b41b555e6fcca2892 size: 2739

The push succeeds!

We untag the local tag and then pull the image back from the Registry:

$ docker images
REPOSITORY                          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
registry                            2                   c457c689c328        9 days ago          165.7 MB
10.10.105.71:5000/tonybai/busybox   latest              65e4158d9625        9 days ago          1.114 MB
busybox                             latest              65e4158d9625        9 days ago          1.114 MB
ubuntu                              14.04               6cc0fc2a5ee3        5 weeks ago         187.9 MB

$ docker rmi 10.10.105.71:5000/tonybai/busybox
Untagged: 10.10.105.71:5000/tonybai/busybox:latest

$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
registry            2                   c457c689c328        9 days ago          165.7 MB
busybox             latest              65e4158d9625        9 days ago          1.114 MB
ubuntu              14.04               6cc0fc2a5ee3        5 weeks ago         187.9 MB

$ docker pull 10.10.105.71:5000/tonybai/busybox
Using default tag: latest
latest: Pulling from tonybai/busybox
Digest: sha256:800f2d4558acd67f52262fbe170c9fc2e67efaa6f230a74b41b555e6fcca2892
Status: Downloaded newer image for 10.10.105.71:5000/tonybai/busybox:latest

$ docker images
REPOSITORY                          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
registry                            2                   c457c689c328        9 days ago          165.7 MB
10.10.105.71:5000/tonybai/busybox   latest              65e4158d9625        9 days ago          1.114 MB
busybox                             latest              65e4158d9625        9 days ago          1.114 MB
ubuntu                              14.04               6cc0fc2a5ee3        5 weeks ago         187.9 MB

As you can see, the pull also goes smoothly.

To view or search repositories or images in a private Registry 2, docker search cannot be used:

$ docker search 10.10.105.71:5000/tonybai/busybox/
Error response from daemon: Unexpected status code 404

But the v2 API achieves the same goal:

$curl  http://10.10.105.71:5000/v2/_catalog
{"repositories":["tonybai/busybox"]}

$ curl  http://10.10.105.71:5000/v2/tonybai/busybox/tags/list
{"name":"tonybai/busybox","tags":["latest"]}

On the other hosts we try to pull busybox:

10.10.105.72:

$docker pull 10.10.105.71:5000/tonybai/busybox
Using default tag: latest
Error response from daemon: unable to ping registry endpoint https://10.10.105.71:5000/v0/
v2 ping attempt failed with error: Get https://10.10.105.71:5000/v2/: tls: oversized record received with length 20527
 v1 ping attempt failed with error: Get https://10.10.105.71:5000/v1/_ping: tls: oversized record received with length 20527

We find that pull and push still fail. The Registry manual says that in insecure-registry mode the Docker daemon on every host that talks to the Registry must be configured with the --insecure-registry option.

Following the configuration above, modify /etc/default/docker on 105.72, restart the Docker daemon, and pull/push now give the correct result:

$ sudo vi /etc/default/docker
$ sudo service docker restart
docker stop/waiting
docker start/running, process 10614
$ docker pull 10.10.105.71:5000/tonybai/busybox
Using default tag: latest
latest: Pulling from tonybai/busybox
5506dda26018: Pull complete
65e4158d9625: Pull complete
Digest: sha256:800f2d4558acd67f52262fbe170c9fc2e67efaa6f230a74b41b555e6fcca2892
Status: Downloaded newer image for 10.10.105.71:5000/tonybai/busybox:latest

$ docker images
REPOSITORY                          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
ubuntu                              14.04               36248ae4a9ac        8 days ago          187.9 MB
10.10.105.71:5000/tonybai/ubuntu    14.04               36248ae4a9ac        8 days ago          187.9 MB
10.10.105.71:5000/tonybai/busybox   latest              65e4158d9625        9 days ago          1.114 MB

$ docker push 10.10.105.71:5000/tonybai/ubuntu
The push refers to a repository [10.10.105.71:5000/tonybai/ubuntu] (len: 1)
36248ae4a9ac: Pushed
8ea5373bf5a6: Pushed
2e0188208e83: Pushed
e3c70beaa378: Pushed
14.04: digest: sha256:72e56686cb9fb38438f0fd68fecf02ef592ce2ef7069bbf97802d959d568c5cc size: 6781

IV. Secure Registry

Docker officially recommends the Secure Registry mode, i.e. TLS on the transport. That means we need to configure the Registry with the key and crt files that TLS requires.

First clean up the environment: stop and rm the Insecure Registry above, remove --insecure-registry from DOCKER_OPTS in the Docker daemon configuration on every host, and restart the Docker daemon.

If you own a domain name, a host under that domain provides the Registry service, and you have a certificate issued by a well-known CA, you can build a Secure Registry. I have no ready-made certificate here, so I can only use a self-signed one. Strictly speaking, a self-signed certificate is still Insecure in Docker's eyes; it is only used here to illustrate the deployment steps of a Secure Registry.

1. Create a self-signed certificate

If you have a certificate issued by a well-known CA, skip this step.

$ openssl req -newkey rsa:2048 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt
Generating a 2048 bit RSA private key
..............+++
............................................+++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Liaoning
Locality Name (eg, city) []:shenyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:foo
Organizational Unit Name (eg, section) []:bar
Common Name (e.g. server FQDN or YOUR name) []:mydockerhub.com
Email Address []:bigwhite.cn@gmail.com

2. Start the Secure Registry

Start the Registry with the certificate:

$ docker run -d -p 5000:5000 --restart=always --name registry \
  -v `pwd`/data:/var/lib/registry \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2
35e8ce77dd455f2bd50854e4581cd52be8a137f4aaea717239b6d676c5ea5777

Because the certificate's CN is mydockerhub.com, we need to edit /etc/hosts:

10.10.105.71 mydockerhub.com

Tag busybox again:

$docker tag busybox:latest mydockerhub.com:5000/tonybai/busybox:latest

Push to the Registry:

$ docker push mydockerhub.com:5000/tonybai/busybox
The push refers to a repository [mydockerhub.com:5000/tonybai/busybox] (len: 1)
unable to ping registry endpoint https://mydockerhub.com:5000/v0/
v2 ping attempt failed with error: Get https://mydockerhub.com:5000/v2/: x509: certificate signed by unknown authority
 v1 ping attempt failed with error: Get https://mydockerhub.com:5000/v1/_ping: x509: certificate signed by unknown authority

The push failed! From the error log, the docker client considers the issuer of the certificate sent by the server an unknown authority (an unknown CA), so verification fails. We need to install our CA certificate on the docker client:

$ sudo mkdir -p /etc/docker/certs.d/mydockerhub.com:5000
$ sudo cp certs/domain.crt /etc/docker/certs.d/mydockerhub.com:5000/ca.crt
$ sudo service docker restart // restart the Docker daemon after installing the certificate

Running the push again, we see successful output. Because the tonybai/busybox repository was already pushed into the data directory earlier, it reports "already exists":

$docker push mydockerhub.com:5000/tonybai/busybox
The push refers to a repository [mydockerhub.com:5000/tonybai/busybox] (len: 1)
65e4158d9625: Image already exists
5506dda26018: Image already exists
latest: digest: sha256:800f2d4558acd67f52262fbe170c9fc2e67efaa6f230a74b41b555e6fcca2892 size: 2739

3. Accessing the Registry from other hosts

Let's try accessing this secure registry from another machine. Following the earlier requirements, we edit the hosts file in the same way, install ca.crt, remove the --insecure-registry option and restart the Docker daemon. Then we try to pull an image from the registry:

$ docker pull mydockerhub.com:5000/tonybai/busybox
Using default tag: latest
latest: Pulling from tonybai/busybox

Digest: sha256:800f2d4558acd67f52262fbe170c9fc2e67efaa6f230a74b41b555e6fcca2892
Status: Downloaded newer image for mydockerhub.com:5000/tonybai/busybox:latest

$ docker images
REPOSITORY                             TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
10.10.105.71:5000/tonybai/ubuntu       14.04               36248ae4a9ac        9 days ago          187.9 MB
ubuntu                                 14.04               36248ae4a9ac        9 days ago          187.9 MB
10.10.105.71:5000/tonybai/busybox      latest              65e4158d9625        9 days ago          1.114 MB
mydockerhub.com:5000/tonybai/busybox   latest              65e4158d9625        9 days ago          1.114 MB

So with a self-signed certificate, every Docker host that interacts with the Registry must install mydockerhub.com's ca.crt (domain.crt). With a well-known CA, this step can be skipped.

V. Registry authentication

The Registry provides a basic form of authentication. The following steps add basic authentication to the Registry:

On the Registry server, add user foo with password foo123 to the Registry (the existing Registry must be stopped and removed first):

// generate the authentication password file
$ mkdir auth
$ docker run --entrypoint htpasswd registry:2 -Bbn foo foo123  > auth/htpasswd
$ ls auth
htpasswd

// start the Registry with authentication enabled:
$ docker run -d -p 5000:5000 --restart=always --name registry \
   -v `pwd`/auth:/auth \
   -e "REGISTRY_AUTH=htpasswd" \
   -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
   -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
   -v `pwd`/data:/var/lib/registry \
   -v `pwd`/certs:/certs \
   -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
   -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
   registry:2
199ad0b3591fb9613b21b1c96f017267f3c39661a7025d30df636c6805e7ab50

On 105.72 we try to push an image to the Registry:

$ docker push mydockerhub.com:5000/tonybai/busybox
The push refers to a repository [mydockerhub.com:5000/tonybai/busybox] (len: 1)
65e4158d9625: Image push failed
Head https://mydockerhub.com:5000/v2/tonybai/busybox/blobs/sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4: no basic auth credentials

The error message says authentication failed.

Run docker login on 72:
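The four client-side failures met so far in this post (the proxy error, the TLS "oversized record" error, the unknown-authority error, and the missing basic auth credentials) each point at a different misconfiguration. The following Python script is an added example, not code from the original post: it classifies a failed docker push/pull transcript and maps it to the remedy the post applied in each case. The rules, the regular expressions and the sample transcripts (shortened from the messages shown above) are this example's own, not part of Docker or the Registry.

```python
"""Classify docker push/pull failures against a private registry.

Added example (not part of the original post). The rules encode the four
failure modes the post walks through and the remedy it used for each.
"""
import re
from typing import NamedTuple, Optional


class Diagnosis(NamedTuple):
    cause: str
    remedy: str


# Each rule: a fragment of the client error -> (cause, remedy).
# HOST:PORT in a remedy is filled in from the endpoint found in the transcript.
RULES = [
    (re.compile(r"Tunnel or SSL Forbidden"),
     Diagnosis("an HTTP proxy configured for the Docker daemon intercepts the registry connection",
               "remove export http_proxy from /etc/default/docker (or exempt HOST:PORT via no_proxy) "
               "and restart the daemon")),
    (re.compile(r"tls: oversized record received"),
     Diagnosis("the client speaks TLS but the registry answers in plain HTTP",
               "add --insecure-registry HOST:PORT to DOCKER_OPTS on every client, or better, run the "
               "registry with REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY")),
    (re.compile(r"x509: certificate signed by unknown authority"),
     Diagnosis("the registry's certificate is issued by a CA the client does not trust",
               "install the CA as /etc/docker/certs.d/HOST:PORT/ca.crt on the client and restart the daemon")),
    (re.compile(r"no basic auth credentials"),
     Diagnosis("the registry enforces htpasswd authentication and the client sent no credentials",
               "run docker login HOST:PORT, then retry")),
]

# Matches the registry endpoint in messages like "Get https://host:5000/v2/: ..."
ENDPOINT_RE = re.compile(r"https?://([A-Za-z0-9.\-]+:\d+)/")


def diagnose(transcript: str) -> Optional[dict]:
    """Return {'registry', 'cause', 'remedy'} for a failed transcript, None if no rule matches."""
    for pattern, diag in RULES:
        if pattern.search(transcript):
            m = ENDPOINT_RE.search(transcript)
            host = m.group(1) if m else "HOST:PORT"
            return {"registry": host,
                    "cause": diag.cause,
                    "remedy": diag.remedy.replace("HOST:PORT", host)}
    return None


# Constructed sample transcripts, shortened from the messages quoted in the post.
SAMPLES = {
    "proxy": "v2 ping attempt failed with error: Get https://10.10.105.71:5000/v2/: Tunnel or SSL Forbidden",
    "plain_http": "v2 ping attempt failed with error: Get https://10.10.105.71:5000/v2/: "
                  "tls: oversized record received with length 20527",
    "unknown_ca": "v2 ping attempt failed with error: Get https://mydockerhub.com:5000/v2/: "
                  "x509: certificate signed by unknown authority",
    "no_auth": "Head https://mydockerhub.com:5000/v2/tonybai/busybox/blobs/"
               "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4: "
               "no basic auth credentials",
    "ok": "latest: digest: sha256:800f2d4558acd67f52262fbe170c9fc2e67efaa6f230a74b41b555e6fcca2892 size: 2739",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        result = diagnose(text)
        print(f"{name:11s} -> {'no known failure' if result is None else result['remedy']}")
```

The rules are ordered from transport (proxy, TLS) to trust (CA) to authentication, which is also the order in which the daemon hits them; a transcript that matches nothing is returned as unknown rather than guessed at.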

$docker login mydockerhub.com:5000
Username: foo
Password:
Email: bigwhite.cn@gmail.com
WARNING: login credentials saved in /home/baiming/.docker/config.json
Login Succeeded

After logging in, push again:

$ docker push mydockerhub.com:5000/tonybai/busybox
The push refers to a repository [mydockerhub.com:5000/tonybai/busybox] (len: 1)
65e4158d9625: Image already exists
5506dda26018: Image already exists
latest: digest: sha256:800f2d4558acd67f52262fbe170c9fc2e67efaa6f230a74b41b555e6fcca2892 size: 2739

Push ok!

VI. Managing images in the Registry

As mentioned earlier, the v2 REST API can query repositories and images:

$ curl --cacert domain.crt  --basic --user foo:foo123 https://mydockerhub.com:5000/v2/_catalog
{"repositories":["tonybai/busybox","tonybai/ubuntu"]}

But deleting a repository or a tagged image from the Registry is not yet supported in v2; see the explanation in the Registry roadmap.

If your Registry's storage engine is the local disk, however, there are some third-party scripts you can use, for example delete-docker-registry-image.

VII. Summary

Registry 2 has been out for less than a year and many issues remain, such as deleting images. I believe they will be solved one by one in 2.4 and later versions, or a reasonably good workaround will be found.



CentOS 7 hands-on: deploying Kubernetes
Link: http://www.aygfsteel.com/xiaomage234/archive/2016/10/25/431922.html
Author: 马?
Published: Tue, 25 Oct 2016 06:23:00 GMT
Comments: http://www.aygfsteel.com/xiaomage234/comments/431922.html

1. Introduction

In the previous section we described the Kubernetes system architecture to give a first impression of Kubernetes, but as for how to actually use it, many readers may not know where to start. This article walks through deploying and configuring a Kubernetes cluster and its network environment locally, and demonstrates cross-machine service communication with an example. It covers:

  • Deployment environment
  • Logical architecture of the Kubernetes cluster
  • Deploying the Open vSwitch, Kubernetes and Etcd components
  • Demonstrating container management with Kubernetes

2. Deployment environment

  • VMware Workstation: 10.0.3
  • VMware Workstation network mode: NAT
  • Operating system: CentOS 7 64-bit
  • Open vSwitch version: 2.3.0
  • Kubernetes version: 0.5.2
  • Etcd version: 0.4.6
  • Docker version: 1.3.1
  • Servers:

| Role      | Hostname   | IP Address    |
|:---------:|:----------:|:-------------:|
| APIServer | kubernetes | 192.168.230.3 |
| Minion    | minion1    | 192.168.230.4 |
| Minion    | minion2    | 192.168.230.5 |

3. Logical architecture of the Kubernetes cluster

Before the deployment details, here is the cluster's logical architecture. As the figure shows, the system has two parts: the first is the Kubernetes APIServer, the core of the whole system, which manages all containers in the cluster; the second is the minion, which runs the container daemon and hosts all containers, and also runs Open vSwitch, which handles Pod-to-Pod network communication between minions through a GRE tunnel.

4. Deploying the Open vSwitch, Kubernetes and Etcd components

4.1 Installing Open vSwitch and configuring GRE

To solve Pod communication across minions, we install Open vSwitch on every minion and use GRE or VxLAN so that Pods on different machines can reach each other. This article uses GRE; VxLAN is usually used in large networks that need isolation. For the Open vSwitch installation steps see the blog post in reference 1; they are not repeated here. After installing Open vSwitch, we build the tunnel between minion1 and minion2. First create an OVS bridge on minion1 and minion2:

[root@minion1 ~]# ovs-vsctl add-br obr0 

Next create the GRE port and add the new gre0 to obr0; on minion1 run:

[root@minion1 ~]# ovs-vsctl add-port obr0 gre0 -- set Interface gre0 type=gre options:remote_ip=192.168.230.5 

On minion2 run:

[root@minion2 ~]# ovs-vsctl add-port obr0 gre0 -- set Interface gre0 type=gre options:remote_ip=192.168.230.4 

The tunnel between minion1 and minion2 is now established. Next we create a Linux bridge kbr0 on minion1 and minion2 to replace Docker's default docker0 (we assume Docker is already installed on both), set kbr0's address to 172.17.1.1/24 on minion1 and 172.17.2.1/24 on minion2, and add obr0 as an interface of kbr0. Run the following on both minion1 and minion2.

[root@minion1 ~]# brctl addbr kbr0               // create the linux bridge
[root@minion1 ~]# brctl addif kbr0 obr0          // add obr0 as an interface of kbr0
[root@minion1 ~]# ip link set dev docker0 down   // bring docker0 down
[root@minion1 ~]# ip link del dev docker0        // delete docker0

To keep the new kbr0 across reboots, create ifcfg-kbr0 for minion1 under /etc/sysconfig/network-scripts/ as follows:

DEVICE=kbr0
ONBOOT=yes
BOOTPROTO=static
IPADDR=172.17.1.1
NETMASK=255.255.255.0
GATEWAY=172.17.1.0
USERCTL=no
TYPE=Bridge
IPV6INIT=no

Likewise create ifcfg-kbr0 on minion2, changing only IPADDR to 172.17.2.1 and GATEWAY to 172.17.2.0, then run systemctl restart network to restart the network service; kbr0 now has its IP address on both minion1 and minion2. To verify that the tunnel we created works, we ping each other's kbr0 address from minion1 and minion2. The result below shows they cannot reach each other; investigation shows minion1 and minion2 lack routes to 172.17.1.1 and 172.17.2.1, so we need to add routes for them to communicate.

[root@minion1 network-scripts]# ping 172.17.2.1
PING 172.17.2.1 (172.17.2.1) 56(84) bytes of data.
^C
--- 172.17.2.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms

[root@minion2 ~]# ping 172.17.1.1
PING 172.17.1.1 (172.17.1.1) 56(84) bytes of data.
^C
--- 172.17.1.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms

Because a route added with ip route add is lost on the next reboot, we create a file route-eth0 under /etc/sysconfig/network-scripts to store the routes. Note that the interface suffix of route-eth0 must match the suffix of the ifcfg-eth0 file, otherwise it does not work; routes added this way survive reboots. So that the two minions' kbr0 bridges can talk to each other, in minion1's route-eth0 we add the route 172.17.2.0/24 via 192.168.230.5 dev eno16777736, where eno16777736 is minion1's NIC, and in minion2's route-eth0 we add 172.17.1.0/24 via 192.168.230.4 dev eno16777736. After restarting the network service and verifying again, each kbr0 address can be pinged:

[root@minion2 network-scripts]# ping 172.17.1.1
PING 172.17.1.1 (172.17.1.1) 56(84) bytes of data.
64 bytes from 172.17.1.1: icmp_seq=1 ttl=64 time=2.49 ms
64 bytes from 172.17.1.1: icmp_seq=2 ttl=64 time=0.512 ms
^C
--- 172.17.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.512/1.505/2.498/0.993 ms
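The bridge file and the reciprocal routes above are easy to get wrong by hand once there are more than two minions (a missing route shows up exactly as the one-way ping failure seen earlier). The following Python script is an added example, not the article's own tooling: it generalizes the two-minion plan to N minions, checks the plan for overlapping Pod subnets and duplicate host IPs, and generates each minion's ifcfg-kbr0 and route-<nic> files into an output directory for review. The minion table, the 172.17.N.0/24 subnets and the NIC name eno16777736 are taken from the article; the function names and the validation rules are this example's assumptions.

```python
"""Generate kbr0 bridge and static-route files for each minion.

Added example, not the article's own script. Each minion owns one Pod subnet,
and every minion gets one route to every other minion's Pod subnet via that
minion's host IP. Files are written to an output directory for review rather
than straight into /etc/sysconfig/network-scripts.
"""
from dataclasses import dataclass
import ipaddress
import os
from typing import List


@dataclass(frozen=True)
class Minion:
    name: str
    host_ip: str     # address on the physical NIC, also the GRE endpoint
    pod_subnet: str  # subnet served by the kbr0 bridge on this minion


# Constructed from the article's environment table and addressing plan.
MINIONS = [
    Minion("minion1", "192.168.230.4", "172.17.1.0/24"),
    Minion("minion2", "192.168.230.5", "172.17.2.0/24"),
]
HOST_NIC = "eno16777736"  # NIC name from the article; assumed identical on all minions


def validate(minions: List[Minion]) -> List[str]:
    """Return a list of configuration problems (empty when the plan is consistent)."""
    problems = []
    hosts = [m.host_ip for m in minions]
    if len(set(hosts)) != len(hosts):
        problems.append("duplicate host IP")
    nets = [(m.name, ipaddress.ip_network(m.pod_subnet)) for m in minions]
    for i, (a_name, a) in enumerate(nets):
        for b_name, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"pod subnets of {a_name} and {b_name} overlap")
    for m in minions:
        for _, net in nets:
            if ipaddress.ip_address(m.host_ip) in net:
                problems.append(f"host IP of {m.name} lies inside pod subnet {net}")
    return problems


def ifcfg_kbr0(m: Minion) -> str:
    """ifcfg-kbr0 contents; kbr0 takes the first host address of the Pod subnet.
    GATEWAY is set to the network address to mirror the article's file."""
    net = ipaddress.ip_network(m.pod_subnet)
    first_host = next(net.hosts())
    lines = ["DEVICE=kbr0", "ONBOOT=yes", "BOOTPROTO=static",
             f"IPADDR={first_host}", f"NETMASK={net.netmask}",
             f"GATEWAY={net.network_address}", "USERCTL=no", "TYPE=Bridge", "IPV6INIT=no"]
    return "\n".join(lines) + "\n"


def routes(m: Minion, minions: List[Minion] = MINIONS, nic: str = HOST_NIC) -> List[str]:
    """One 'subnet via host dev nic' line per other minion, for the route-<nic> file."""
    return [f"{o.pod_subnet} via {o.host_ip} dev {nic}" for o in minions if o.name != m.name]


def write_files(outdir: str, minions: List[Minion] = MINIONS, nic: str = HOST_NIC) -> List[str]:
    """Write <outdir>/<minion>/ifcfg-kbr0 and route-<nic>; return the paths written."""
    problems = validate(minions)
    if problems:
        raise ValueError("; ".join(problems))
    written = []
    for m in minions:
        d = os.path.join(outdir, m.name)
        os.makedirs(d, exist_ok=True)
        for fname, body in (("ifcfg-kbr0", ifcfg_kbr0(m)),
                            (f"route-{nic}", "\n".join(routes(m, minions, nic)) + "\n")):
            path = os.path.join(d, fname)
            with open(path, "w") as f:
                f.write(body)
            written.append(path)
    return written


if __name__ == "__main__":
    for p in write_files("network-scripts-out"):
        print("wrote", p)
```

The route file is named after the physical NIC, matching the article's requirement that route-<nic> and ifcfg-<nic> share the same suffix; validation runs before anything is written so that an overlapping subnet is caught on the workstation rather than discovered as a silent routing failure on the minions.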

We have now established a working tunnel between the two minions. Next, we install the Kubernetes APIServer and the kubelet, proxy and related services.

4.2 Installing the Kubernetes APIServer

Before installing the APIServer, download Kubernetes and Etcd as preparation. On the kubernetes host:

[root@kubernetes ~]# mkdir /tmp/kubernetes
[root@kubernetes ~]# cd /tmp/kubernetes/
[root@kubernetes kubernetes]# wget https://github.com/GoogleCloudPlatform/kubernetes/releases/download/v0.5.2/kubernetes.tar.gz
[root@kubernetes kubernetes]# wget https://github.com/coreos/etcd/releases/download/v0.4.6/etcd-v0.4.6-linux-amd64.tar.gz

Then unpack the downloaded kubernetes and etcd packages, and create the directory /opt/kubernetes/bin on kubernetes, minion1 and minion2:

[root@kubernetes kubernetes]# mkdir -p /opt/kubernetes/bin
[root@kubernetes kubernetes]# tar xf kubernetes.tar.gz
[root@kubernetes kubernetes]# tar xf etcd-v0.4.6-linux-amd64.tar.gz
[root@kubernetes kubernetes]# cd ~/kubernetes/server
[root@kubernetes server]# tar xf kubernetes-server-linux-amd64.tar.gz
[root@kubernetes kubernetes]# cd /tmp/kubernetes/kubernetes/server/kubernetes/server/bin

Copy kube-apiserver, kube-controller-manager, kube-scheduler and kubecfg to /opt/kubernetes/bin on kubernetes, and copy kubelet and kube-proxy to /opt/kubernetes/bin on minion1 and minion2, making sure they are all executable.

[root@kubernetes amd64]# cp kube-apiserver kube-controller-manager kubecfg kube-scheduler /opt/kubernetes/bin
[root@kubernetes amd64]# scp kube-proxy kubelet root@192.168.230.4:/opt/kubernetes/bin
[root@kubernetes amd64]# scp kube-proxy kubelet root@192.168.230.5:/opt/kubernetes/bin

For simplicity we deploy only one etcd server; for an etcd cluster see the official documentation. Here it is deployed on the same machine as the Kubernetes APIServer, with etcd placed under /opt/kubernetes/bin and etcdctl in the same directory as etcd.

[root@kubernetes kubernetes]# cd /tmp/kubernetes/etcd-v0.4.6-linux-amd64
[root@kubernetes etcd-v0.4.6-linux-amd64]# cp etcd etcdctl /opt/kubernetes/bin

Note that the files under /opt/kubernetes/bin on kubernetes and the minions must all be executable. The preparation is now nearly complete; next we configure unit files for apiserver, controller-manager, scheduler and etcd. First, the following script etcd.sh configures etcd's unit file:

#!/bin/sh

ETCD_PEER_ADDR=192.168.230.3:7001
ETCD_ADDR=192.168.230.3:4001
ETCD_DATA_DIR=/var/lib/etcd
ETCD_NAME=kubernetes

! test -d $ETCD_DATA_DIR && mkdir -p $ETCD_DATA_DIR
cat <<EOF >/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server

[Service]
ExecStart=/opt/kubernetes/bin/etcd \\
    -peer-addr=$ETCD_PEER_ADDR \\
    -addr=$ETCD_ADDR \\
    -data-dir=$ETCD_DATA_DIR \\
    -name=$ETCD_NAME \\
    -bind-addr=0.0.0.0

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable etcd
systemctl start etcd

The scripts that configure the unit files for the remaining apiserver, controller-manager and scheduler can be found on GitHub in GetStartingKubernetes and are not listed one by one here. After running them, the etcd, apiserver, controller-manager and scheduler services run normally on the APIServer.

4.3 Installing the Kubernetes kubelet and proxy

According to the Kubernetes design, docker, kubelet and kube-proxy must be deployed on the minions. In section 4.2 we already distributed kubelet and kube-proxy to the two minions, so only the unit files for docker, kubelet and proxy need to be configured and the services started; see GetStartingKubernetes for the details.

5. Demonstrating container management with Kubernetes

For convenience we use the Guestbook example provided with Kubernetes to demonstrate managing containers across machines; below we create the containers and services following the Guestbook steps. The first time you do this there may be some waiting with the status at pending, because the images take a while to download.

5.1 Creating the redis-master Pod and redis-master service

[root@kubernetes ~]# cd /tmp/kubernetes/kubernetes/examples/guestbook
[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 -c redis-master.json create pods
[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 -c redis-master-service.json create services

After that we can see the redis-master Pod scheduled onto 192.168.230.4:

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 list pods
Name                                   Image(s)                   Host                Labels                                       Status
----------                             ----------                 ----------          ----------                                   ----------
redis-master                           dockerfile/redis           192.168.230.4/      name=redis-master                            Running

Besides the redis-master service there are two default Kubernetes system services, kubernetes-ro and kubernetes. Every service has a service IP and port. The service IP is a virtual address chosen from the CIDR range set by the apiserver's portal_net option, which in our cluster is 10.10.10.0/24. For each newly created service the apiserver picks a random IP from this range as the service IP, while the port is fixed in advance. For the redis-master service the address is 10.10.10.206 and the port 6379.

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 list services
Name                Labels              Selector                                  IP                  Port
----------          ----------          ----------                                ----------          ----------
kubernetes-ro                           component=apiserver,provider=kubernetes   10.10.10.207        80
redis-master        name=redis-master   name=redis-master                         10.10.10.206        6379
kubernetes                              component=apiserver,provider=kubernetes   10.10.10.161        443

5.2 Creating the redis-slave Pods and redis-slave service

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 -c redis-slave-controller.json create replicationControllers
[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 -c redis-slave-service.json create services

The list command then shows the new redis-slave Pods scheduled onto the two minions by the scheduling algorithm, with service IP 10.10.10.92 and port 6379.

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 list pods
Name                                   Image(s)                   Host                Labels                                       Status
----------                             ----------                 ----------          ----------                                   ----------
redis-master                           dockerfile/redis           192.168.230.4/      name=redis-master                            Running
8c0ddbda-728c-11e4-8233-000c297db206   brendanburns/redis-slave   192.168.230.5/      name=redisslave,uses=redis-master            Running
8c0e1430-728c-11e4-8233-000c297db206   brendanburns/redis-slave   192.168.230.4/      name=redisslave,uses=redis-master            Running

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 list services
Name                Labels              Selector                                  IP                  Port
----------          ----------          ----------                                ----------          ----------
redisslave          name=redisslave     name=redisslave                           10.10.10.92         6379
kubernetes                              component=apiserver,provider=kubernetes   10.10.10.161        443
kubernetes-ro                           component=apiserver,provider=kubernetes   10.10.10.207        80
redis-master        name=redis-master   name=redis-master                         10.10.10.206        6379

5.3 Creating the Frontend Pods and Frontend service

Before creating it, change Replicas in frontend-controller.json to 2, because our cluster only has 2 minions; with the default of 3, two Pods would be scheduled onto the same minion, causing a port conflict, and one Pod would stay pending and never be scheduled.

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 -c frontend-controller.json create replicationControllers
[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 -c frontend-service.json create services

We can see the Frontend Pods are also scheduled onto the two minions, with service IP 10.10.10.220 and port 80.

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 list pods
Name                                   Image(s)                   Host                Labels                                       Status
----------                             ----------                 ----------          ----------                                   ----------
redis-master                           dockerfile/redis           192.168.230.4/      name=redis-master                            Running
8c0ddbda-728c-11e4-8233-000c297db206   brendanburns/redis-slave   192.168.230.5/      name=redisslave,uses=redis-master            Running
8c0e1430-728c-11e4-8233-000c297db206   brendanburns/redis-slave   192.168.230.4/      name=redisslave,uses=redis-master            Running
a880b119-7295-11e4-8233-000c297db206   brendanburns/php-redis     192.168.230.4/      name=frontend,uses=redisslave,redis-master   Running
a881674d-7295-11e4-8233-000c297db206   brendanburns/php-redis     192.168.230.5/      name=frontend,uses=redisslave,redis-master   Running

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 list services
Name                Labels              Selector                                  IP                  Port
----------          ----------          ----------                                ----------          ----------
kubernetes-ro                           component=apiserver,provider=kubernetes   10.10.10.207        80
redis-master        name=redis-master   name=redis-master                         10.10.10.206        6379
redisslave          name=redisslave     name=redisslave                           10.10.10.92         6379
frontend            name=frontend       name=frontend                             10.10.10.220        80
kubernetes                              component=apiserver,provider=kubernetes   10.10.10.161        443

You can also delete Pods and Services and update a ReplicationController's Replicas count, for example deleting the Frontend service:

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 delete services/frontend
Status
----------
Success

The Replicas count of a ReplicationController can also be updated; below is the ReplicationController information before the update.

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 list replicationControllers
Name                   Image(s)                   Selector            Replicas
----------             ----------                 ----------          ----------
redisSlaveController   brendanburns/redis-slave   name=redisslave     2
frontendController     brendanburns/php-redis     name=frontend       2

Now to set frontendController's Replicas to 1, run the following command; querying frontendController again with the command above shows Replicas is now 1.

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 resize frontendController 1

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 list replicationControllers
Name                   Image(s)                   Selector            Replicas
----------             ----------                 ----------          ----------
redisSlaveController   brendanburns/redis-slave   name=redisslave     2
frontendController     brendanburns/php-redis     name=frontend       1

5.4 Demonstrating cross-machine service communication

After completing the steps above, let's look at the Pods currently running in the Kubernetes cluster.

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 list pods
Name                                   Image(s)                   Host                Labels                                       Status
----------                             ----------                 ----------          ----------                                   ----------
a881674d-7295-11e4-8233-000c297db206   brendanburns/php-redis     192.168.230.5/      name=frontend,uses=redisslave,redis-master   Running
redis-master                           dockerfile/redis           192.168.230.4/      name=redis-master                            Running
8c0ddbda-728c-11e4-8233-000c297db206   brendanburns/redis-slave   192.168.230.5/      name=redisslave,uses=redis-master            Running
8c0e1430-728c-11e4-8233-000c297db206   brendanburns/redis-slave   192.168.230.4/      name=redisslave,uses=redis-master            Running

From the output above we can see that the Pod providing the PHP front-end service and the Pod providing the Redis master back-end data store run on 192.168.230.5 and 192.168.230.4 respectively, that is, the containers run on different hosts. The two Redis slaves also run on two different hosts, and they replicate from the Redis master the data that the front end writes to it. Below we verify from two angles that Kubernetes provides communication between containers on different machines:

  • Open http://${IPAddress}:8000 in a browser, where IPAddress is the IP address of the minion running the PHP container and 8000 is the port it exposes; here IP_Address is 192.168.230.5. The browser shows the following:

    You can enter messages and submit them, such as "Hello Kubernetes" and "Container", and the messages you entered are then displayed below the Submit button.

    Because the front-end PHP container and the back-end Redis master container sit on two different minions, PHP must communicate across machines whenever it accesses the Redis master service. This shows that the Kubernetes approach avoids the limitation of Docker link, which only supports inter-container communication on the same host. I will describe in detail how Kubernetes implements cross-machine communication in a later article.

  • The result above shows that cross-machine communication works; now we verify communication between containers on different machines from the back-end data layer. The output above shows that the Redis slaves and the Redis master were scheduled onto different minions. On host 192.168.230.4, run docker exec -ti c41711cc8971 /bin/sh (c41711cc8971 is the container ID of the Redis master), and inside the container use the redis-cli command to look at the messages entered from the browser, as follows:

    If we can query the same data from the Redis slave container running on 192.168.230.5 as from the Redis master container, then data replication between the Redis master and the Redis slave is working. Below is the data queried from the Redis slave container running on 192.168.230.5:

    This shows that data replication between the Redis master and the Redis slave works, and that the OVS GRE tunnel lets containers on different machines communicate normally.

6. Conclusion

This article described how to deploy a Kubernetes cluster in a local environment, demonstrated how to manage the containers running in the cluster with Kubernetes, and used OVS to manage network communication between Pods on different minions of the cluster. Next I will analyse the source code of each Kubernetes component in detail and explain how Kubernetes works.

7. About the author

Yang Zhangxian (杨章显) works at Cisco, mainly on operations of the WebEx SaaS service and system performance analysis. He is particularly interested in cloud computing, automated operations and deployment technologies, especially Go, Open vSwitch, Docker and its ecosystem, such as Kubernetes, Flocker and other Docker-related open source projects. Email: yangzhangxian@gmail.com

8. References
  1. https://n40lab.wordpress.com/2014/09/04/openvswitch-2-3-0-lts-and-centos-7/
  2. https://github.com/GoogleCloudPlatform/kubernetes/tree/master/examples/guestbook

Thanks to Guo Lei (郭蕾) for planning and reviewing this article.

Summary of Kubernetes usage issues
http://www.aygfsteel.com/xiaomage234/archive/2016/10/25/431923.html
Tue, 25 Oct 2016 06:23:00 GMT

Speeding up Kubernetes builds

Besides linux/amd64, the build also cross-compiles for other platforms by default. To cut build time, edit hack/lib/golang.sh and comment out every platform other than linux/amd64 in KUBE_SERVER_PLATFORMS, KUBE_CLIENT_PLATFORMS and KUBE_TEST_PLATFORMS.

gcr.io unreachable

When Kubernetes creates a Pod, it needs to pull a helper image from gcr.io, currently gcr.io/google_containers/pause-amd64:3.0.

But gcr.io is currently unreachable from within China, so this image cannot be pulled and the Pod stays in the ContainerCreating state.

Workaround

1) On a machine that can reach gcr.io:

docker pull gcr.io/google_containers/pause-amd64:3.0

Push it to a private docker registry:

docker tag gcr.io/google_containers/pause-amd64:3.0 k8s-docker.mydomain.com/google_containers/pause-amd64:3.0

docker push k8s-docker.mydomain.com/google_containers/pause-amd64:3.0

2) On every k8s node:

docker pull k8s-docker.mydomain.com/google_containers/pause-amd64:3.0
docker tag k8s-docker.mydomain.com/google_containers/pause-amd64:3.0 gcr.io/google_containers/pause-amd64:3.0

Note

Instead of relaying through a private registry, docker save/load should also work; the exported file just has to be copied to every node.

How to access Services and Pods from outside the cluster

"Outside the cluster" here means hosts that are not part of the K8s cluster, for example load-balancer hosts built with nginx/HAProxy. These hosts are deployed alongside the K8s cluster and can reach the K8s network.

For K8s that is not deployed on a cloud platform such as GCE or AWS, we usually need to build our own load balancer and then distribute requests to the Services.

If the Services are published using NodePort, the load-balancer hosts need no extra configuration; if ClusterIP is used, Flanneld and kube-proxy must be installed on these hosts so that they can reach the Service's ClusterIP.


