一、环�/h3>

˜q™é‡Œ˜q˜æ˜¯å¤ç”¨ä»¥å¾€æ–‡ç« ä¸­çš„Docker环境åQ?/p>

Docker Registry Server: 10.10.105.71 Ubuntu 14.04 3.16.0-57-genericåQ›docker 1.9.1

其他两个工作ServeråQ?
10.10.105.72 Ubuntu 14.04 3.19.0-25-generic; docker 1.9.1
10.10.126.101 Ubuntu 12.04 3.16.7-013607-generic; docker 1.9.1

本次Registry使用当前最新stable版本:Registry 2.3.0。由于镜像采用本地磁盘存储，root分区较小åQŒéœ€è¦æ˜ ž®„ä‹É用其他volumeã€?/p>

二、初‹Æ¡æ­å»?/h3>

本以为Docker Registry的搭建是何其½Ž€å•çš„åQŒç”šè‡³ç®€å•åˆ°é€šè¿‡ä¸€è¡Œå‘½ä»¤å°±å¯ä»¥å®Œæˆçš„。比如我们在Registry Server上执行：

在~/dockerregistry下，执行åQ?

$sudo docker run -d -p 5000:5000 -v `pwd`/data:/var/lib/registry --restart=always --name registry registry:2
Unable to find image 'registry:2' locally
2: Pulling from library/registry
f32095d4ba8a: Pull complete
9b607719a62a: Pull complete
973de4038269: Pull complete
2867140211c1: Pull complete
8da16446f5ca: Pull complete
fd8c38b8b68d: Pull complete
136640b01f02: Pull complete
e039ba1c0008: Pull complete
c457c689c328: Pull complete
Digest: sha256:339d702cf9a4b0aa665269cc36255ee7ce424412d56bee9ad8a247afe8c49ef1
Status: Downloaded newer image for registry:2
e9088ef901cb00546c59f89defa4625230f4b36b0a44b3713f38ab3d2a5a2b44

$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
registry            2                   c457c689c328        9 days ago          165.7 MB

$ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS                    NAMES
e9088ef901cb        registry:2          "/bin/registry /etc/d"   About a minute ago   Up About a minute   0.0.0.0:5000->5000/tcp   registry

Registry container已经跑è“v来了åQŒå…¶å¯åŠ¨æ—¥å¿—可以通过åQšdocker logs registry查看ã€?/p>

我们åœ?1本地¾l™busybox:latest打一个tagåQŒåƈž®è¯•ž®†æ–°tag下的image push到Registry中去åQ?/p>

$ docker tag busybox:latest 10.10.105.71:5000/tonybai/busybox:latest
$ docker images
REPOSITORY                          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
registry                            2                   c457c689c328        9 days ago          165.7 MB
busybox                             latest              65e4158d9625        9 days ago          1.114 MB
10.10.105.71:5000/tonybai/busybox   latest              65e4158d9625        9 days ago          1.114 MB
... ...

push到Registry中：

$ docker push 10.10.105.71:5000/tonybai/busybox
The push refers to a repository [10.10.105.71:5000/tonybai/busybox] (len: 1)
unable to ping registry endpoint https://10.10.105.71:5000/v0/
v2 ping attempt failed with error: Get https://10.10.105.71:5000/v2/: Tunnel or SSL Forbidden
 v1 ping attempt failed with error: Get https://10.10.105.71:5000/v1/_ping: Tunnel or SSL Forbidden

出错了！½Ž€å•åˆ†æžäº†ä¸€ä¸‹ï¼Œå¯èƒ½æ˜?1上docker daemon配置中加了http代理的缘故，å¯ÆD‡´æ— æ³•ping通registry endpoint。于是在/etc/default/docker中注释掉export http_proxy=”xxx”的设¾|®ï¼Œòq‰™‡å¯docker daemonã€?/p>

再次ž®è¯•pushåQ?/p>

$ docker push 10.10.105.71:5000/tonybai/busybox
The push refers to a repository [10.10.105.71:5000/tonybai/busybox] (len: 1)
unable to ping registry endpoint https://10.10.105.71:5000/v0/
v2 ping attempt failed with error: Get https://10.10.105.71:5000/v2/: tls: oversized record received with length 20527
 v1 ping attempt failed with error: Get https://10.10.105.71:5000/v1/_ping: tls: oversized record received with length 20527

虽然˜q˜æ˜¯å¤ÞpÓ|åQŒä½†é”™è¯¯ä¿¡æ¯å·²æœ‰æ‰€ä¸åŒäº†ã€‚è¿™‹Æ¡çœ‹æ¥è¿žæŽ¥æ˜¯å¯ä»¥å»ºç«‹çš„，但client端通过https讉K—®server端，ä¼ég¹Žæƒ³tls通信åQŒä½†˜q™ä¸€˜q‡ç¨‹òq¶æœªå®Œæˆã€?/p>

在其他机器上ž®è¯•push image到registry也遇åˆîCº†åŒæ ·çš„错误输出，如下åQ?/p>

10.10.105.72:

$ docker push 10.10.105.71:5000/tonybai/ubuntu
The push refers to a repository [10.10.105.71:5000/tonybai/ubuntu] (len: 1)
unable to ping registry endpoint https://10.10.105.71:5000/v0/
v2 ping attempt failed with error: Get https://10.10.105.71:5000/v2/: tls: oversized record received with length 20527
 v1 ping attempt failed with error: Get https://10.10.105.71:5000/v1/_ping: tls: oversized record received with length 20527

从错误信息来看，client与Registry交互åQŒé»˜è®¤å°†é‡‡ç”¨https讉K—®åQŒä½†æˆ‘们在install Registryæ—¶åƈ未配¾|®æŒ‡å®šä“Q何tls相关的keyå’Œcrtæ–‡äšgåQŒhttps讉K—®å®šç„¶å¤ÞpÓ|。要惛_¼„清这个问题，只能查看 Registry Manual ã€?/p>

三、Insecure Registry

Registry的文档还是相对详ž®½çš„。在文档中，我们扑ֈ°äº?nbsp;Insecure Registry åQŒå³æŽ¥æ”¶plain http讉K—®çš„Registry的配¾|®å’Œä½¿ç”¨æ–ÒŽ(gu¨©)³•åQŒè™½ç„¶è¿™ä¸æ˜¯å®˜æ–¹æŽ¨èçš„ã€?/p>

实际上对于我们内部网¾lœè€Œè¨€åQŒInsecure Registry基本能满­‘³éœ€æ±‚，部çÖv˜q‡ç¨‹ä¹Ÿé¿å…äº†secure registry的那些繁琐步骤，比如制作和部¾|²è¯ä¹¦ç­‰ã€?/p>

ä¸ÞZº†æ­å¾ä¸€ä¸ªInsecure RegistryåQŒæˆ‘们需要先清理一下上面已¾lå¯åŠ¨çš„Registry容器ã€?/p>

$ docker stop registry
registry
$ docker rm registry
registry

修改Registry server上的Docker daemon的配¾|®ï¼Œä¸ºDOCKER_OPTS增加–insecure-registryåQ?/p>

DOCKER_OPTS="--insecure-registry 10.10.105.71:5000 ....

重启Docker DaemonåQŒå¯åŠ¨Registry容器åQ?/p>

$ sudo service docker restart
docker stop/waiting
docker start/running, process 6712
$ sudo docker run -d -p 5000:5000 -v `pwd`/data:/var/lib/registry --restart=always --name registry registry:2
5966e92fce9c34705050e19368d19574e021a272ede1575385ef35ecf5cea019

ž®è¯•å†æ¬¡Push image:

$ docker push 10.10.105.71:5000/tonybai/busybox
The push refers to a repository [10.10.105.71:5000/tonybai/busybox] (len: 1)
65e4158d9625: Pushed
5506dda26018: Pushed
latest: digest: sha256:800f2d4558acd67f52262fbe170c9fc2e67efaa6f230a74b41b555e6fcca2892 size: 2739

˜q™å›žpush okåQ?/p>

我们ž®†æœ¬åœ°çš„tag做untag处理åQŒå†ä»ŽRegistry pull相关imageåQ?/p>

$ docker images
REPOSITORY                          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
registry                            2                   c457c689c328        9 days ago          165.7 MB
10.10.105.71:5000/tonybai/busybox   latest              65e4158d9625        9 days ago          1.114 MB
busybox                             latest              65e4158d9625        9 days ago          1.114 MB
ubuntu                              14.04               6cc0fc2a5ee3        5 weeks ago         187.9 MB

$ docker rmi 10.10.105.71:5000/tonybai/busybox
Untagged: 10.10.105.71:5000/tonybai/busybox:latest

$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
registry            2                   c457c689c328        9 days ago          165.7 MB
busybox             latest              65e4158d9625        9 days ago          1.114 MB
ubuntu              14.04               6cc0fc2a5ee3        5 weeks ago         187.9 MB

$ docker pull 10.10.105.71:5000/tonybai/busybox
Using default tag: latest
latest: Pulling from tonybai/busybox
Digest: sha256:800f2d4558acd67f52262fbe170c9fc2e67efaa6f230a74b41b555e6fcca2892
Status: Downloaded newer image for 10.10.105.71:5000/tonybai/busybox:latest

$ docker images
REPOSITORY                          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
registry                            2                   c457c689c328        9 days ago          165.7 MB
10.10.105.71:5000/tonybai/busybox   latest              65e4158d9625        9 days ago          1.114 MB
busybox                             latest              65e4158d9625        9 days ago          1.114 MB
ubuntu                              14.04               6cc0fc2a5ee3        5 weeks ago         187.9 MB

可以看到åQšPull˜q‡ç¨‹ä¹Ÿå¾ˆ™åºåˆ©ã€?/p>

在Private Registry2中查看或‹‚€ç´¢Repository或imagesåQ?nbsp;ž®†ä¸èƒ½ç”¨docker search åQ?/p>

$ docker search 10.10.105.71:5000/tonybai/busybox/
Error response from daemon: Unexpected status code 404

但通过v2版本的APIåQŒæˆ‘们可以实现相同目的：

$curl  http://10.10.105.71:5000/v2/_catalog
{"repositories":["tonybai/busybox"]}

$ curl  http://10.10.105.71:5000/v2/tonybai/busybox/tags/list
{"name":"tonybai/busybox","tags":["latest"]}

在其他主æœÞZ¸ŠåQŒæˆ‘们尝试pull busyboxåQ?/p>

10.10.105.72:

$docker pull 10.10.105.71:5000/tonybai/busybox
Using default tag: latest
Error response from daemon: unable to ping registry endpoint https://10.10.105.71:5000/v0/
v2 ping attempt failed with error: Get https://10.10.105.71:5000/v2/: tls: oversized record received with length 20527
 v1 ping attempt failed with error: Get https://10.10.105.71:5000/v1/_ping: tls: oversized record received with length 20527

我们发现依旧不能pullå’ŒpushåQåœ¨Registry手册中讲刎ͼŒå¦‚果采用insecure registry的模式，那么所有与Registry交互的主æœÞZ¸Šçš„Docker Daemon都要配置åQ?#8211;insecure-registry选项ã€?/p>

我们按照上面的配¾|®æ–¹æ³•ï¼Œä¿®æ”¹105.72上的/etc/default/dockeråQŒé‡å¯Docker daemonåQŒå†æ‰§è¡Œpull/pushž®×ƒ¼šå¾—到正确的结果：

$ sudo vi /etc/default/docker
$ sudo service docker restart
docker stop/waiting
docker start/running, process 10614
$ docker pull 10.10.105.71:5000/tonybai/busybox
Using default tag: latest
latest: Pulling from tonybai/busybox
5506dda26018: Pull complete
65e4158d9625: Pull complete
Digest: sha256:800f2d4558acd67f52262fbe170c9fc2e67efaa6f230a74b41b555e6fcca2892
Status: Downloaded newer image for 10.10.105.71:5000/tonybai/busybox:latest

$ docker images
REPOSITORY                          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
ubuntu                              14.04               36248ae4a9ac        8 days ago          187.9 MB
10.10.105.71:5000/tonybai/ubuntu    14.04               36248ae4a9ac        8 days ago          187.9 MB
10.10.105.71:5000/tonybai/busybox   latest              65e4158d9625        9 days ago          1.114 MB

$ docker push 10.10.105.71:5000/tonybai/ubuntu
The push refers to a repository [10.10.105.71:5000/tonybai/ubuntu] (len: 1)
36248ae4a9ac: Pushed
8ea5373bf5a6: Pushed
2e0188208e83: Pushed
e3c70beaa378: Pushed
14.04: digest: sha256:72e56686cb9fb38438f0fd68fecf02ef592ce2ef7069bbf97802d959d568c5cc size: 6781

四、Secure Registry

Docker官方是推荐你采用Secure Registry的工作模式的åQŒå³transport采用tls。这æ ähˆ‘们就需要äØ“Registry配置tls所需的keyå’Œcrtæ–‡äšg了ã€?/p>

我们首先清理一下环境，ž®†ä¸Šé¢çš„Insecure Registry停掉òq¶rm掉；ž®†å„åîC¸»æœÞZ¸ŠDocker Daemonçš„DOCKER_OPTS配置中的–insecure-registryåŽÀLŽ‰åQŒåƈ重启Docker Daemonã€?/p>

如果你拥有一个域名，域名下主机提供Registry服务åQŒåƈ且你拥有某知名CA½{„¡Öv的证书文ä»Óž¼Œé‚£ä¹ˆä½ å¯ä»¥å¾ç«‹è“v一个Secure Registry。不˜q‡æˆ‘˜q™é‡Œæ²¡æœ‰çŽ°æˆçš„证书，只能使用自签¾|²çš„证书。严格来è®ÔŒ¼Œä½¿ç”¨è‡ªç­¾¾|²çš„证书在Docker官方çœég¸­ä¾æ—§å±žäºŽInsecureåQŒä¸˜q‡è¿™é‡Œåªæ˜¯å€ŸåŠ©è‡ªç­¾¾|²çš„证书来说明一下Secure Registry的部¾|²æ­¥éª¤çŞ了ã€?/p>

1、制作自½{„¡Öv证书

如果你有知名CA½{„¡Öv的证书，那么˜q™æ­¥å¯ç›´æŽ¥å¿½ç•¥ã€?/p>

$ openssl req -newkey rsa:2048 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt
Generating a 2048 bit RSA private key
..............+++
............................................+++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Liaoning
Locality Name (eg, city) []:shenyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:foo
Organizational Unit Name (eg, section) []:bar
Common Name (e.g. server FQDN or YOUR name) []:mydockerhub.com
Email Address []:bigwhite.cn@gmail.com

2、启动Secure Registry

启动带证书的RegistryåQ?/p>

$ docker run -d -p 5000:5000 --restart=always --name registry \
  -v `pwd`/data:/var/lib/registry \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2
35e8ce77dd455f2bd50854e4581cd52be8a137f4aaea717239b6d676c5ea5777

ç”׃ºŽè¯ä¹¦çš„CN是mydockerhub.comåQŒæˆ‘们需要修改一ä¸?etc/hostsæ–‡äšg:

10.10.105.71 mydockerhub.com

重新为busybox制作一个tag:

$docker tag busybox:latest mydockerhub.com:5000/tonybai/busybox:latest

Push到Registry:

$ docker push mydockerhub.com:5000/tonybai/busybox
The push refers to a repository [mydockerhub.com:5000/tonybai/busybox] (len: 1)
unable to ping registry endpoint https://mydockerhub.com:5000/v0/
v2 ping attempt failed with error: Get https://mydockerhub.com:5000/v2/: x509: certificate signed by unknown authority
 v1 ping attempt failed with error: Get https://mydockerhub.com:5000/v1/_ping: x509: certificate signed by unknown authority

pushå¤ÞpÓ|了！从错误日志来看，docker client认äØ“server传输˜q‡æ¥çš„证书的½{„¡Övæ–ÒŽ(gu¨©)˜¯ä¸€ä¸ªunknown authorityåQˆæœªçŸ¥çš„CAåQ‰ï¼Œå› æ­¤éªŒè¯å¤ÞpÓ|。我们需要让docker client安装我们的CA证书åQ?/p>

$ sudo mkdir -p /etc/docker/certs.d/mydockerhub.com:5000
$ sudo cp certs/domain.crt /etc/docker/certs.d/mydockerhub.com:5000/ca.crt
$ sudo service docker restart //安装证书后，重启Docker Daemon

再执行PushåQŒæˆ‘们看åˆîCº†æˆåŠŸçš„输出日志。由于data目录下之前已¾lè¢«push了tonybai/busybox repositoryåQŒå› æ­¤æ½C?#8220;已存åœ?#8221;åQ?/p>

$docker push mydockerhub.com:5000/tonybai/busybox
The push refers to a repository [mydockerhub.com:5000/tonybai/busybox] (len: 1)
65e4158d9625: Image already exists
5506dda26018: Image already exists
latest: digest: sha256:800f2d4558acd67f52262fbe170c9fc2e67efaa6f230a74b41b555e6fcca2892 size: 2739

3、外部访问Registry

我们换其他机器试试访问这个secure registry。根据之前的要求åQŒæˆ‘们照猫画虎的修改一下hostsæ–‡äšgåQŒå®‰è£…ca.certåQŒåŽ»é™?#8211;insecure-registry选项åQŒåƈ重启Docker daemon。之后尝试从registry pull imageåQ?/p>

$ docker pull mydockerhub.com:5000/tonybai/busybox
Using default tag: latest
latest: Pulling from tonybai/busybox

Digest: sha256:800f2d4558acd67f52262fbe170c9fc2e67efaa6f230a74b41b555e6fcca2892
Status: Downloaded newer image for mydockerhub.com:5000/tonybai/busybox:latest

$ docker images
REPOSITORY                             TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
10.10.105.71:5000/tonybai/ubuntu       14.04               36248ae4a9ac        9 days ago          187.9 MB
ubuntu                                 14.04               36248ae4a9ac        9 days ago          187.9 MB
10.10.105.71:5000/tonybai/busybox      latest              65e4158d9625        9 days ago          1.114 MB
mydockerhub.com:5000/tonybai/busybox   latest              65e4158d9625        9 days ago          1.114 MB

˜q™æ ·æ¥çœ‹åQŒå¦‚æžœä‹É用自½{„¡Öv的证书，那么所有要与Registry交互的Dockerä¸ÀLœºéƒ½éœ€è¦å®‰è£…mydockerhub.comçš„ca.crt(domain.crt)。但如果你ä‹É用知名CAåQŒè¿™ä¸€æ­¥ä¹Ÿž®±å¯ä»¥å¿½ç•¥ã€?/p>

五、Registry的鉴权管�/h3>

Registry提供了一¿UåŸº¼‹€çš„鉴权方式。我们通过下面步骤卛_¯ä¸ºRegistry加上基础鉴权åQ?/p>

在Register server上，为Registry增加foo用户åQŒå¯†ç foo123åQšï¼ˆä¹‹å‰éœ€è¦åœæŽ‰å·²æœ‰çš„RegistryåQŒåƈ删除之）

//生成鉴权密码文äšg
$ mkdir auth
$ docker run --entrypoint htpasswd registry:2 -Bbn foo foo123  > auth/htpasswd
$ ls auth
htpasswd

//启动带鉴权功能的RegistryåQ?
$ docker run -d -p 5000:5000 --restart=always --name registry \
   -v `pwd`/auth:/auth \
   -e "REGISTRY_AUTH=htpasswd" \
   -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
   -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
   -v `pwd`/data:/var/lib/registry \
   -v `pwd`/certs:/certs \
   -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
   -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
   registry:2
199ad0b3591fb9613b21b1c96f017267f3c39661a7025d30df636c6805e7ab50

åœ?05.72上，我们ž®è¯•push image到RegistryåQ?/p>

$ docker push mydockerhub.com:5000/tonybai/busybox
The push refers to a repository [mydockerhub.com:5000/tonybai/busybox] (len: 1)
65e4158d9625: Image push failed
Head https://mydockerhub.com:5000/v2/tonybai/busybox/blobs/sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4: no basic auth credentials

错误信息提示åQšé‰´æƒå¤±è´¥ã€?/p>

�2上执行docker login:

$docker login mydockerhub.com:5000
Username: foo
Password:
Email: bigwhite.cn@gmail.com
WARNING: login credentials saved in /home/baiming/.docker/config.json
Login Succeeded

login成功后，再行PushåQ?/p>

$ docker push mydockerhub.com:5000/tonybai/busybox
The push refers to a repository [mydockerhub.com:5000/tonybai/busybox] (len: 1)
65e4158d9625: Image already exists
5506dda26018: Image already exists
latest: digest: sha256:800f2d4558acd67f52262fbe170c9fc2e67efaa6f230a74b41b555e6fcca2892 size: 2739

Push okåQ?/p>

六、Registry中images的管�/h3>

前面提到˜q‡ï¼Œé€šè¿‡V2版Rest API可以查询Repositoryå’ŒimagesåQ?/p>

$ curl --cacert domain.crt  --basic --user foo:foo123 https://mydockerhub.com:5000/v2/_catalog
{"repositories":["tonybai/busybox","tonybai/ubuntu"]}

但如果要删除Registry中的Repository或某个tagçš„ImageåQŒç›®å‰v2˜q˜ä¸æ”¯æŒåQŒåŽŸå› è§ Registryçš„roadmap中的说明 ã€?/p>

不过如果你的Registry的存储引擎ä‹É用的是本地盘åQŒå€’是有一些第三方脚本可供使用åQŒæ¯”如：delete-docker-registry-image ã€?/p>

七、小¾l?/h3>

Registry2发布不到1òqß_¼Œç›®å‰˜q˜æœ‰è®¸å¤šé—®é¢˜å¾…解冻I¼Œž®±æ¯”如delete image的问题，ç›æ€¿¡åœ?.4以及后箋版本˜q™äº›é—®é¢˜ä¼šè¢«é€ä¸ªè§£å†³æŽ‰æˆ–能找åˆîC¸€ä¸ªç›¸å¯¹ç†æƒ³çš„æ–ÒŽ(gu¨©)¡ˆã€?/p>

. 前言

上一节我们阐˜qîCº†Kubernetesçš„ç³»¾lŸæž¶æž„，让大家对Kubernetes有一定的初步了解åQŒä½†æ˜¯å°±å¦‚何使用KubernetesåQ?也许大家˜q˜ä¸çŸ¥å¦‚何下手。本文作者将带领大家如何在本地部¾|ŒÓ€é…¾|®Kubernetes集群¾|‘络环境以及通过实例演示跨机器服务间的通信åQŒä¸»è¦åŒ…括如下内容：

• 部çÖv环境介绍
• Kubernetes集群逻辑架构
• 部çÖvOpen vSwitch、Kubernetes、Etcd¾l„äšg
• 演示Kubernetes½Ž¡ç†å®¹å™¨

2. 部çÖv环境

• VMware WorkstationåQ?0.0.3
• VMware Workstation¾|‘络模式åQšNAT
• 操作¾pȝ»Ÿä¿¡æ¯åQšCentOS 7 64ä½?/li>
• Open vSwitch版本信息åQ?.3.0
• Kubernetes版本信息åQ?.5.2
• Etcd版本信息åQ?.4.6
• Docker版本信息åQ?.3.1

• 服务器信æ?

          | Role      | Hostname   | IP Address  | 	|:---------:|:----------:|:----------: | 	|APIServer  |kubernetes  |192.168.230.3| 	|Minion     | minion1    |192.168.230.4| 	|Minion     | minion2    |192.168.230.5|

3. Kubernetes集群逻辑架构

在详¾l†ä»‹¾léƒ¨¾|²Kubernetes集群前，先给大家展示下集¾Ÿ¤çš„逻辑架构。从下图可知åQŒæ•´ä¸ªç³»¾lŸåˆ†ä¸ÞZ¸¤éƒ¨åˆ†åQŒç¬¬ä¸€éƒ¨åˆ†æ˜¯Kubernetes APIServeråQŒæ˜¯æ•´ä¸ª¾pȝ»Ÿçš„核心，承担集群中所有容器的½Ž¡ç†å·¥ä½œåQ›ç¬¬äºŒéƒ¨åˆ†æ˜¯minionåQŒè¿è¡ŒContainer DaemonåQŒæ˜¯æ‰€æœ‰å®¹å™¨æ –息之圎ͼŒåŒæ—¶åœ¨minion上运行Open vSwitch½E‹åºåQŒé€šè¿‡GRE Tunnelè´Ÿè´£minion之间Pod的网¾lœé€šä¿¡å·¥ä½œã€?/p>

4. 部çÖvOpen vSwitch、Kubernetes、Etcd¾l„äšg

4.1 安装Open vSwitch及配¾|®GRE

ä¸ÞZº†è§£å†³è·¨minion之间Pod的通信问题åQŒæˆ‘们在每个minion上安装Open vSwtichåQŒåƈ使用GRE或者VxLAN使得跨机器之间Pod能相互通信åQŒæœ¬æ–‡ä‹É用GREåQŒè€ŒVxLAN通常用在需要隔¼›Èš„大规模网¾lœä¸­ã€‚对于Open vSwitch的具体安装步骤，可参考这½‹?a style="text-decoration: none; color: #286ab2; outline: none !important; margin: 0px; border: 0px; padding: 0px;">博客åQŒæˆ‘们在˜q™é‡Œž®×ƒ¸å†è¯¦¾l†ä»‹¾lå®‰è£…步骤了。安装完Open vSwitch后，接下来便建立minion1å’Œminion2之间的隧道。首先在minion1å’Œminion2上徏立OVS Bridge,

[root@minion1 ~]# ovs-vsctl add-br obr0 

接下来徏立greåQŒåƈž®†æ–°å»ºçš„gre0æ·ÕdŠ åˆ°obr0åQŒåœ¨minion1上执行如下命令，

[root@minion1 ~]# ovs-vsctl add-port obr0 gre0 -- set Interface gre0 type=gre options:remote_ip=192.168.230.5 

在minion2上执�

[root@minion2 ~]# ovs-vsctl add-port obr0 gre0 -- set Interface gre0 type=gre options:remote_ip=192.168.230.4 

è‡Ïx­¤åQŒminion1å’Œminion2之间的隧道已¾lå¾ç«‹ã€‚然后我们在minion1å’Œminion2上创建Linux¾|‘æ¡¥kbr0替代Docker默认的docker0åQˆæˆ‘们假设minion1å’Œminion2都已安装DockeråQ‰ï¼Œè®„¡½®minion1çš„kbr0的地址ä¸?72.17.1.1/24åQ?minion2çš„kbr0的地址ä¸?72.17.2.1/24åQŒåƈæ·ÕdŠ obr0为kbr0的接口，以下命ä×o在minion1å’Œminion2上执行ã€?/p>

[root@minion1 ~]# brctl addbr kbr0               //创徏linux bridge [root@minion1 ~]# brctl addif kbr0 obr0          //æ·ÕdŠ obr0为kbr0的接å?[root@minion1 ~]# ip link set dev docker0 down   //讄¡½®docker0为down状æ€?[root@minion1 ~]# ip link del dev docker0        //删除docker0 

ä¸ÞZº†ä½¿æ–°å»ºçš„kbr0在每‹Æ¡ç³»¾lŸé‡å¯åŽä»È„¶æœ‰æ•ˆåQŒæˆ‘们在/etc/sysconfig/network-scripts/目录下新建minion1çš„ifcfg-kbr0如下åQ?/p>

DEVICE=kbr0 ONBOOT=yes BOOTPROTO=static IPADDR=172.17.1.1 NETMASK=255.255.255.0 GATEWAY=172.17.1.0 USERCTL=no TYPE=Bridge IPV6INIT=no 

同样在minion2上新建ifcfg-kbr0åQŒåªéœ€ä¿®æ”¹ipaddrä¸?72.17.2.1å’Œgatewayä¸?72.17.2.0卛_¯åQŒç„¶åŽæ‰§è¡Œsystemctl restart network重启¾pȝ»Ÿ¾|‘络服务åQŒä½ èƒ½åœ¨minion1å’Œminion2上发现kbr0都设¾|®äº†ç›¸åº”çš„IP地址。äؓ了验证我们创建的隧道是否能通信åQŒæˆ‘们在minion1å’Œminion2上相互pingå¯ÒŽ(gu¨©)–¹kbr0çš„IP地址åQŒä»Žä¸‹é¢çš„结果发现是不通的åQŒç»æŸ¥æ‰¾˜q™æ˜¯å› äؓ在minion1å’Œminion2上缺ž®‘访é—?72.17.1.1å’?72.17.2.1çš„èµ\由，因此我们需要添加èµ\ç”׃¿è¯å½¼æ­¤ä¹‹é—´èƒ½é€šä¿¡ã€?/p>

[root@minion1 network-scripts]# ping 172.17.2.1 PING 172.17.2.1 (172.17.2.1) 56(84) bytes of data. ^C --- 172.17.2.1 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 1000ms  [root@minion2 ~]#  ping 172.17.1.1 PING 172.17.1.1 (172.17.1.1) 56(84) bytes of data. ^C --- 172.17.1.1 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 1000ms 

ç”׃ºŽé€šè¿‡ip route addæ·ÕdŠ çš„èµ\ç”׃¼šåœ¨ä¸‹‹Æ¡ç³»¾lŸé‡å¯åŽå¤±æ•ˆåQŒäؓ此我们在/etc/sysconfig/network-scripts目录下新å»ÞZ¸€ä¸ªæ–‡ä»¶route-eth0存储路由åQŒè¿™é‡Œéœ€è¦æ³¨æ„çš„是route-eth0å’Œifcfg-eth0的黑体部分必™åÖM¿æŒä¸€è‡ß_¼Œå¦åˆ™ä¸èƒ½å·¥ä½œåQŒè¿™æ äh·»åŠ çš„路由在下‹Æ¡é‡å¯åŽä¸ä¼šå¤±æ•ˆã€‚äؓ了保证两台minionçš„kbr0能相互通信åQŒæˆ‘们在minion1çš„route-eth0里添加èµ\ç”?72.17.2.0/24 via 192.168.230.5 dev eno16777736åQŒeno16777736是minion1的网卡，同样在minion2çš„route-eth0里添加èµ\ç”?72.17.1.0/24 via 192.168.230.4 dev eno16777736。重启网¾lœæœåŠ¡åŽå†æ¬¡éªŒè¯åQŒå½¼æ­¤kbr0的地址可以ping通，如：

[root@minion2 network-scripts]# ping 172.17.1.1 PING 172.17.1.1 (172.17.1.1) 56(84) bytes of data. 64 bytes from 172.17.1.1: icmp_seq=1 ttl=64 time=2.49 ms 64 bytes from 172.17.1.1: icmp_seq=2 ttl=64 time=0.512 ms ^C --- 172.17.1.1 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1002ms rtt min/avg/max/mdev = 0.512/1.505/2.498/0.993 ms 

到现在我们已¾lå¾ç«‹äº†ä¸¤minion之间的隧道，而且能正¼‹®çš„工作。下面我们将介绍如何安装Kubernetes APIServer及kubelet、proxy½{‰æœåŠ¡ã€?/p>

4.2 安装Kubernetes APIServer

在安装APIServer之前åQŒæˆ‘们先下蝲Kubernetes及EtcdåQŒåšä¸€äº›å‡†å¤‡å·¥ä½œã€‚在kubernetes上的具体操作如下åQ?/p>

[root@kubernetes ~]# mkdir /tmp/kubernetes [root@kubernetes ~]# cd /tmp/kubernetes/ [root@kubernetes kubernetes]# wget https://github.com/GoogleCloudPlatform/kubernetes/releases/download/v0.5.2/kubernetes.tar.gz [root@kubernetes kubernetes]# wget https://github.com/coreos/etcd/releases/download/v0.4.6/etcd-v0.4.6-linux-amd64.tar.gz 

然后解压下蝲的kuberneteså’Œetcd包，òq¶åœ¨kubernetes、minion1、minion2上创建目å½?opt/kubernetes/binåQ?/p>

[root@kubernetes kubernetes]# mkdir -p /opt/kubernetes/bin [root@kubernetes kubernetes]# tar xf kubernetes.tar.gz [root@kubernetes kubernetes]# tar xf etcd-v0.4.6-linux-amd64.tar.gz [root@kubernetes kubernetes]# cd ~/kubernetes/server [root@kubernetes server]# tar xf kubernetes-server-linux-amd64.tar.gz [root@kubernetes kubernetes]# /tmp/kubernetes/kubernetes/server/kubernetes/server/bin 

复制kube-apiserveråQŒkube-controller-manageråQŒkube-scheduleråQŒkubecfg到kubernetesçš?opt/kubernetes/bin目录下，而kubeletåQŒkube-proxy则复制到minion1å’Œminion2çš?opt/kubernetes/binåQŒåƈ¼‹®ä¿éƒ½æ˜¯å¯æ‰§è¡Œçš„ã€?/p>

[root@kubernetes amd64]# cp kube-apiserver kube-controller-manager kubecfg kube-scheduler /opt/kubernetes/bin [root@kubernetes amd64]# scp kube-proxy kubelet root@192.168.230.4:/opt/kubernetes/bin [root@kubernetes amd64]# scp kube-proxy kubelet root@192.168.230.5:/opt/kubernetes/bin 

ä¸ÞZº†½Ž€å•æˆ‘们只部çÖv一台etcd服务器，如果需要部¾|²etcd的集¾Ÿ¤ï¼Œè¯·å‚è€?a style="text-decoration: none; color: #286ab2; outline: none !important; margin: 0px; border: 0px; padding: 0px;">官方文æ¡£åQŒåœ¨æœ¬æ–‡ä¸­å°†å…¶è·ŸKubernetes APIServer部çÖv同一台机器上åQŒè€Œä¸”ž®†etcd攄¡½®åœ?opt/kubernetes/bin下，etcdctlè·Ÿectd同一目录ã€?/p>

[root@kubernetes kubernetes]# cd /tmp/kubernetes/etcd-v0.4.6-linux-amd64 [root@kubernetes etcd-v0.4.6-linux-amd64]# cp etcd etcdctl /opt/kubernetes/bin 

需注意的是kuberneteså’Œminionä¸?opt/kubernetes/bin目录下的文äšg都必™åÀL˜¯å¯æ‰§è¡Œçš„。到目前åQŒæˆ‘们准备工作已¾lå·®ä¸å¤šåQŒçŽ°åœ¨å¼€å§‹ç»™apiserveråQŒcontroller-manageråQŒscheduleråQŒetcd配置unitæ–‡äšg。首先我们用如下脚本etcd.sh配置etcdçš„unitæ–‡äšgåQ?/p>

#!/bin/sh  ETCD_PEER_ADDR=192.168.230.3:7001 ETCD_ADDR=192.168.230.3:4001 ETCD_DATA_DIR=/var/lib/etcd ETCD_NAME=kubernetes  ! test -d $ETCD_DATA_DIR && mkdir -p $ETCD_DATA_DIR cat <<EOF >/usr/lib/systemd/system/etcd.service [Unit] Description=Etcd Server  [Service] ExecStart=/opt/kubernetes/bin/etcd \\     -peer-addr=$ETCD_PEER_ADDR \\     -addr=$ETCD_ADDR \\     -data-dir=$ETCD_DATA_DIR \\     -name=$ETCD_NAME \\     -bind-addr=0.0.0.0  [Install] WantedBy=multi-user.target EOF  systemctl daemon-reload systemctl enable etcd systemctl start etcd 

对剩下的apiserver,controller-manager,schedulerçš„unitæ–‡äšg配置的脚本，可以在github ä¸?a style="text-decoration: none; color: #286ab2; outline: none !important; margin: 0px; border: 0px; padding: 0px;">GetStartingKubernetes扑ֈ°åQŒåœ¨æ­¤å°±ä¸ä¸€ä¸€åˆ—ä‹D。运行相应的脚本后，在APIServer上etcd, apiserver, controller-manager, scheduler服务ž®Þpƒ½æ­£å¸¸˜qè¡Œã€?/p>

4.3 安装Kubernetes Kubelet及Proxy

æ ÒŽ(gu¨©)®Kubernetes的设计架构，需要在minion上部¾|²docker, kubelet, kube-proxyåQŒåœ¨4.2节部¾|²APIServeræ—Óž¼Œæˆ‘们已经ž®†kubeletå’Œkube-proxy已经分发åˆîC¸¤minion上，所以只需配置docker,kubelet,proxyçš„unitæ–‡äšgåQŒç„¶åŽå¯åŠ¨æœåŠ¡å°±å›_¯åQŒå…·ä½“配¾|®è§GetStartingKubernetesã€?/p>

5. 演示Kubernetes½Ž¡ç†å®¹å™¨

ä¸ÞZº†æ–¹ä¾¿åQŒæˆ‘们ä‹É用Kubernetes提供的例å­?a style="text-decoration: none; color: #286ab2; outline: none !important; margin: 0px; border: 0px; padding: 0px;">Guestbook来演½CºKubernetes½Ž¡ç†è·¨æœºå™¨è¿è¡Œçš„容器åQŒä¸‹é¢æˆ‘们根据Guestbook的步骤创建容器及服务。在下面的过½E‹ä¸­å¦‚果是第一‹Æ¡æ“ä½œï¼Œå¯èƒ½ä¼šæœ‰ä¸€å®šçš„½{‰å¾…æ—‰™—´åQŒçŠ¶æ€å¤„于pendingåQŒè¿™æ˜¯å› ä¸ºç¬¬ä¸€‹Æ¡ä¸‹è½½images需要一ŒD‰|—¶é—´ã€?/p>

5.1 创徏redis-master Pod和redis-master服务

[root@kubernetes ~]# cd /tmp/kubernetes/kubernetes/examples/guestbook [root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 -c redis-master.json create pods [root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 -c redis-master-service.json create services 

完成上面的操作后åQŒæˆ‘们可以看到如下redis-master Pod被调度到192.168.230.4ã€?/p>

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 list pods Name                                   Image(s)                   Host                Labels                                       Status ----------                             ----------                 ----------          ----------                                   ---------- redis-master                           dockerfile/redis           192.168.230.4/      name=redis-master                            Running 

但除了发现redis-master的服务之外，˜q˜æœ‰ä¸¤ä¸ªKubernetes¾pȝ»Ÿé»˜è®¤çš„服务kubernetes-roå’Œkubernetes。而且我们可以看到每个服务都有一个服务IP及相应的端口åQŒå¯¹äºŽæœåŠ¡IPåQŒæ˜¯ä¸€ä¸ªè™šæ‹Ÿåœ°å€åQŒæ ¹æ®a(ch¨£n)piserverçš„portal_net选项讄¡½®çš„CIDR表示的IP地址ŒD‰|¥é€‰å–åQŒåœ¨æˆ‘们的集¾Ÿ¤ä¸­è®„¡½®ä¸?0.10.10.0/24。äؓ此每新创å»ÞZ¸€ä¸ªæœåŠ¡ï¼Œapiserver都会在这个地址ŒDµä¸­éšæœºé€‰æ‹©ä¸€ä¸ªIP作äؓ该服务的IP地址åQŒè€Œç«¯å£æ˜¯äº‹å…ˆ¼‹®å®šçš„。对redis-master服务åQŒå…¶æœåŠ¡åœ°å€ä¸?0.10.10.206åQŒç«¯å£äØ“6379ã€?/p>

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 list services Name                Labels              Selector                                  IP                  Port ----------          ----------          ----------                                ----------          ---------- kubernetes-ro                           component=apiserver,provider=kubernetes   10.10.10.207        80 redis-master        name=redis-master   name=redis-master                         10.10.10.206        6379 kubernetes                              component=apiserver,provider=kubernetes   10.10.10.161        443 

5.2 创徏redis-slave Pod和redis-slave服务

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 -c redis-slave-controller.json create replicationControllers [root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 -c redis-slave-service.json create services 

然后通过list命ä×o可知新徏的redis-slave Podæ ÒŽ(gu¨©)®è°ƒåº¦½Ž—法调度åˆîC¸¤å°minion上，服务IPä¸?0.10.10.92åQŒç«¯å£äØ“6379

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 list pods Name                                   Image(s)                   Host                Labels                                       Status ----------                             ----------                 ----------          ----------                                   ---------- redis-master                           dockerfile/redis           192.168.230.4/      name=redis-master                            Running 8c0ddbda-728c-11e4-8233-000c297db206   brendanburns/redis-slave   192.168.230.5/      name=redisslave,uses=redis-master            Running 8c0e1430-728c-11e4-8233-000c297db206   brendanburns/redis-slave   192.168.230.4/      name=redisslave,uses=redis-master            Running  [root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 list services Name                Labels              Selector                                  IP                  Port ----------          ----------          ----------                                ----------          ---------- redisslave          name=redisslave     name=redisslave                           10.10.10.92         6379 kubernetes                              component=apiserver,provider=kubernetes   10.10.10.161        443 kubernetes-ro                           component=apiserver,provider=kubernetes   10.10.10.207        80 redis-master        name=redis-master   name=redis-master                         10.10.10.206        6379 

5.3 创徏Frontend Pod和Frontend服务

在创å»ÞZ¹‹å‰ä¿®æ”¹frontend-controller.jsonçš„Replicas数量ä¸?åQŒè¿™æ˜¯å› ä¸ºæˆ‘们的集群中只æœ?台minionåQŒå¦‚果按照frontend-controller.jsonçš„Replicas默认å€?åQŒé‚£ä¼šå¯¼è‡´æœ‰2个Pod会调度到同一台minion上，产生端口冲突åQŒæœ‰ä¸€ä¸ªPod会一直处于pending状态，不能被调度ã€?/p>

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 -c frontend-controller.json create replicationControllers [root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 -c frontend-service.json create services 

通过查看可知Frontend Pod也被调度åˆîC¸¤å°minionåQŒæœåŠ¡IPä¸?0.10.10.220åQŒç«¯å£æ˜¯80ã€?/p>

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 list pods Name                                   Image(s)                   Host                Labels                                       Status ----------                             ----------                 ----------          ----------                                   ---------- redis-master                           dockerfile/redis           192.168.230.4/      name=redis-master                            Running 8c0ddbda-728c-11e4-8233-000c297db206   brendanburns/redis-slave   192.168.230.5/      name=redisslave,uses=redis-master            Running 8c0e1430-728c-11e4-8233-000c297db206   brendanburns/redis-slave   192.168.230.4/      name=redisslave,uses=redis-master            Running a880b119-7295-11e4-8233-000c297db206   brendanburns/php-redis     192.168.230.4/      name=frontend,uses=redisslave,redis-master   Running a881674d-7295-11e4-8233-000c297db206   brendanburns/php-redis     192.168.230.5/      name=frontend,uses=redisslave,redis-master   Running  [root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 list services Name                Labels              Selector                                  IP                  Port ----------          ----------          ----------                                ----------          ---------- kubernetes-ro                           component=apiserver,provider=kubernetes   10.10.10.207        80 redis-master        name=redis-master   name=redis-master                         10.10.10.206        6379 redisslave          name=redisslave     name=redisslave                           10.10.10.92         6379 frontend            name=frontend       name=frontend                             10.10.10.220        80 kubernetes                              component=apiserver,provider=kubernetes   10.10.10.161        443 

除此之外åQŒä½ å¯ä»¥åˆ é™¤Pod、Service及更新ReplicationControllerçš„Replicas数量½{‰æ“ä½œï¼Œå¦‚删除Frontend服务åQ?/p>

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 delete services/frontend Status ---------- Success 

˜q˜å¯ä»¥æ›´æ–°ReplicationControllerçš„Replicas的数量，下面是更新Replicas之前ReplicationController的信息ã€?/p>

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 list replicationControllers Name                   Image(s)                   Selector            Replicas ----------             ----------                 ----------          ---------- redisSlaveController   brendanburns/redis-slave   name=redisslave     2 frontendController     brendanburns/php-redis     name=frontend       2 

现在我们æƒÏxŠŠfrontendControllerçš„Replicasæ›´æ–°ä¸?åQŒåˆ™˜q™è¡Œå¦‚下命ä×oåQŒç„¶åŽå†é€šè¿‡ä¸Šé¢çš„命令查看frontendController信息åQŒå‘现Replicas已变ä¸?ã€?/p>

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 resize frontendController 1  [root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 list replicationControllers Name                   Image(s)                   Selector            Replicas ----------             ----------                 ----------          ---------- redisSlaveController   brendanburns/redis-slave   name=redisslave     2 frontendController     brendanburns/php-redis     name=frontend       1 

5.4 演示跨机器服务通信

完成上面的操作后åQŒæˆ‘们来看当前Kubernetes集群中运行着的Pod信息ã€?/p>

[root@kubernetes guestbook]# kubecfg -h http://192.168.230.3:8080 list pods Name                                   Image(s)                   Host                Labels                                       Status ----------                             ----------                 ----------          ----------                                   ---------- a881674d-7295-11e4-8233-000c297db206   brendanburns/php-redis     192.168.230.5/      name=frontend,uses=redisslave,redis-master   Running redis-master                           dockerfile/redis           192.168.230.4/      name=redis-master                            Running 8c0ddbda-728c-11e4-8233-000c297db206   brendanburns/redis-slave   192.168.230.5/      name=redisslave,uses=redis-master            Running 8c0e1430-728c-11e4-8233-000c297db206   brendanburns/redis-slave   192.168.230.4/      name=redisslave,uses=redis-master            Running 

通过上面的结果可知当前提供前端服务的PHP和提供数据存储的后端服务Redis masterçš„Pod分别˜qè¡Œåœ?92.168.230.5å’?92.168.230.4上，卛_®¹å™¨è¿è¡Œåœ¨ä¸åŒä¸ÀLœºä¸Šï¼Œ˜q˜æœ‰Redis slave也运行在两台不同的主æœÞZ¸ŠåQŒå®ƒä¼šä»ŽRedis master同步前端写入Redis master的数据。下面我们从两方面验证Kubernetes能提供跨机器间容器的通信åQ?/p>

• 在浏览器打开http://${IPAddress}:8000åQŒIPAddress为PHP容器˜qè¡Œçš„minionçš„IP地址åQŒå…¶æš´æ¼çš„端口äØ“8000åQŒè¿™é‡ŒIP_Addressä¸?92.168.230.5。打开‹¹è§ˆå™¨ä¼šæ˜„¡¤ºå¦‚下信息åQ?/p>

  

  你可以输入信息åƈ提交åQŒå¦‚"Hello Kubernetes"ã€?Container"åQŒç„¶åŽSubmit按钮下方会显½CÞZ½ è¾“入的信息ã€?/p>

  

  ç”׃ºŽå‰ç«¯PHP容器和后端Redis master容器分别在两台minion上，因此PHP在访问Redis master服务时一定得跨机器通信åQŒå¯è§Kubernetes的实现方式避免了用link只能在同一ä¸ÀLœºä¸Šå®žçŽ°å®¹å™¨é—´é€šä¿¡çš„缺é™øP¼Œå¯¹äºŽKubernetes跨机器通信的实现方法，以后我会详细介绍ã€?p style="margin: 0px 0px 15px; padding: 0px; border: 0px; float: none; line-height: 1.8; clear: none; width: 585px;"> 

• 从上面的¾l“æžœåQŒå¯å¾—知已经实现了跨机器的通信åQŒçŽ°åœ¨æˆ‘们从后端数据层验证不同机器容器间的通信。根据上面的输出¾l“果发现Redis slaveå’ŒRedis master分别调度åˆîC¸¤åîC¸åŒçš„minion上，åœ?92.168.230.4ä¸ÀLœºä¸Šæ‰§è¡Œdocker exec -ti c41711cc8971 /bin/shåQŒc41711cc8971是Redis master的容器IDåQŒè¿›å…¥å®¹å™¨åŽé€šè¿‡redis-cli命ä×o查看从浏览器输入的信息如下：

  

  如果我们åœ?92.168.230.5上运行的Redis slave容器里查到跟Redis master容器里相同的信息åQŒé‚£è¯´æ˜ŽRedis masterå’ŒRedis slave之间的数据同步正常工作，下面是从192.168.230.5上运行的Redis slave容器查询到的信息åQ?/p>

  

  由此可见Redis masterå’ŒRedis slave之间数据同步正常åQŒOVS GRE隧道技术ä‹É得跨机器间容器正帔R€šä¿¡ã€?/p>

6. ¾l“论

本文主要介绍如何在本地环境部¾|²Kubernetes集群和演½Cºå¦‚何通过Kubernetes½Ž¡ç†é›†ç¾¤ä¸­è¿è¡Œçš„容器åQŒåƈ通过OVS½Ž¡ç†é›†ç¾¤ä¸åŒminionçš„Pod之间的网¾lœé€šä¿¡ã€‚接下来会对Kubernetes各个¾l„äšg源码˜q›è¡Œè¯¦ç»†åˆ†æžåQŒé˜˜q°Kubernetes的工作原理ã€?/p>

7. 个äh½Ž€ä»?/h2>

杨章显，现就职于CiscoåQŒä¸»è¦ä»Žäº‹WebEx SaaS服务˜qç»´åQŒç³»¾lŸæ€§èƒ½åˆ†æž½{‰å·¥ä½œã€‚特别关注云计算åQŒè‡ªåŠ¨åŒ–˜qç»´åQŒéƒ¨¾|²ç­‰æŠ€æœ¯ï¼Œž®¤å…¶æ˜¯Go、OpenvSwitch、Docker及其生态圈技术，如Kubernetes、Flocker½{‰Docker相关开源项目。Email: yangzhangxian@gmail.com

8. 参考资�/h2>

1. https://n40lab.wordpress.com/2014/09/04/openvswitch-2-3-0-lts-and-centos-7/
2. https://github.com/GoogleCloudPlatform/kubernetes/tree/master/examples/guestbook

---

感谢郭蕾å¯ÒŽ(gu¨©)œ¬æ–‡çš„½{–划和审校ã€?/p>

ž®é©¬æ­?/a> 2016-10-25 14:23 发表评论

]]>http://www.aygfsteel.com/xiaomage234/archive/2016/10/25/431923.htmlž®é©¬æ­?/dc:creator>ž®é©¬æ­?/author>Tue, 25 Oct 2016 06:23:00 GMThttp://www.aygfsteel.com/xiaomage234/archive/2016/10/25/431923.htmlhttp://www.aygfsteel.com/xiaomage234/comments/431923.htmlhttp://www.aygfsteel.com/xiaomage234/archive/2016/10/25/431923.html#Feedback0http://www.aygfsteel.com/xiaomage234/comments/commentRss/431923.htmlhttp://www.aygfsteel.com/xiaomage234/services/trackbacks/431923.html

加快Kubernetes¾~–译速度

除了Linux/amd64åQŒé»˜è®¤è¿˜ä¼šäؓ其他òq›_°åšäº¤å‰ç¼–译。äؓ了减ž®‘编译时é—ß_¼Œå¯ä»¥ä¿®æ”¹hack/lib/golang.shåQŒæŠŠKUBE_SERVER_PLATFORMSåQ?KUBE_CLIENT_PLATFORMSå’ŒKUBE_TEST_PLATFORMS中除linux/amd64以外的其他åã^台注释掉

gcr.io无法讉K—®

Kubernetes在创建Pod的时候，需要从gcr.io下蝲一个helper镜像åQˆç›®å‰æ˜¯ gcr.io/google_containers/pause-amd64:3.0 åQ‰ã€?/p>

但是目前国内无法讉K—®gcr.ioåQŒè¿™ä¸ªé—®é¢˜ä¼šå¯ÆD‡´æ— æ³•ä¸‹è²è¯¥é•œåƒï¼Œç„¶åŽPod一直处于ContainerCreating状态ã€?/p>

解决办法

1) 在可以访问gcr.io的地�/span>

docker pull gcr.io/google_containers/pause-amd64:3.0

传到¿Uæœ‰docker registry

docker tag gcr.io/google_containers/pause-amd64:3.0 k8s-docker.mydomain.com/google_containers/pause-amd64:3.0

docker push k8s-docker.mydomain.com/google_containers/pause-amd64:3.0

2) 在所有的k8s节点

docker pull k8s-docker.mydomain.com/google_containers/pause-amd64:3.0
docker tag k8s-docker.mydomain.com/google_containers/pause-amd64:3.0 gcr.io/google_containers/pause-amd64:3.0

Note

不通过¿Uæœ‰registry中è{åQŒè€Œæ˜¯ä½¿ç”¨Docker save/load应该也可以，只是要把save导出的文件复制到所有节ç‚?

如何从集¾Ÿ¤å¤–讉K—®Serviceå’ŒPod

˜q™é‡Œè¯´çš„集群外是指K8s集群以外的主机，比如使用nginx/HAProxy搭徏的负载均衡主机。这些主æœø™·ŸK8s集群部çÖv在一èµøP¼Œåˆ°K8s¾|‘络可达ã€?/p>

对于不是部çÖv在GCE以及AWS½{‰äº‘òq›_°çš„K8såQŒæˆ‘们一般需要自己搭å»ø™´Ÿè½½å‡è¡¡ï¼Œç„¶åŽåˆ†å‘è¯äh±‚到到Serviceã€?/p>

使用NodePort方式发布服务åQŒé‚£ä¹ˆè´Ÿè½½å‡è¡¡ä¸»æœÞZ¸Šä¸éœ€è¦é¢å¤–配¾|®ï¼›ä½¿ç”¨ClusterIP方式åQŒäؓ了能够访问Serviceçš„ClusterIPåQ?需要在˜q™äº›ä¸ÀLœºä¸Šå®‰è£…Flanneldå’Œkube-proxy

ž®é©¬æ­?/a> 2016-10-25 14:23 发表评论

]]> Ö÷Õ¾Ö©Öë³ØÄ£°å£º ºþ±±Ê¡| ¹ÅÕÉÏØ| ¸·ÑôÊÐ| Ô­ÑôÏØ| ƽÒØÏØ| ÈÕ¿¦ÔòÊÐ| ÕþºÍÏØ| ÁÙëÔÏØ| Çå·áÏØ| ÆѳÇÏØ| ÎÚ³ľÆëÊÐ| Ææ̨ÏØ| »ÔÄÏÏØ| »ÆæèÊÐ| ¹óÄÏÏØ| ÑǶ«ÏØ| °ËËÞÏØ| ñçÑôÊÐ| á·É½ÏØ| ¼ªÄ¾ÄËÏØ| ÁúÁêÏØ| Ì©ÐËÊÐ| ÄÏͶÊÐ| »ÔÏØÊÐ| ¿µ±£ÏØ| ÏĺÓÏØ| °¢°Í¸ÂÆì| ÃÅÔ´| ÉÏÁÖÏØ| èï³ÇÏØ| ÓÀ¿µÊÐ| ÆÕ¸ñÏØ| äùÏØ| ·Ê¶«ÏØ| ±ß°ÓÏØ| ÆÕ°²ÏØ| ÁùÖ¦ÌØÇø| »·½­| ¶¼À¼ÏØ| ¸ÊÂåÏØ| ÎÍ°²ÏØ|