Building container images with nerdctl + buildkitd

Building images with nerdctl + buildkitd

BuildKit is an open-source image-building toolkit from Docker that supports building OCI-standard images.

Components of buildkitd

buildkitd (server): currently supports runc and containerd as the image build environment; runc is the default and can be switched to containerd.

buildctl (client): parses the Dockerfile and sends build requests to the buildkitd server.

Installing buildkit

GitHub project address:

https://github.com/moby/buildkit/releases

Extract the release and copy the binaries to /usr/local/bin

root@master1:~# tar xf buildkit-v0.10.3.linux-amd64.tar.gz
root@master1:~# cd bin/
root@master1:~/bin# cp * /usr/local/bin/

Create buildkit.socket

root@master1:~# vim /lib/systemd/system/buildkit.socket
[Unit]
Description=BuildKit
Documentation=https://github.com/moby/buildkit

[Socket]
ListenStream=%t/buildkit/buildkitd.sock

[Install]
WantedBy=sockets.target

Create buildkitd.service

root@master1:~# vim /lib/systemd/system/buildkitd.service
[Unit]
Description=BuildKit
Requires=buildkit.socket
After=buildkit.socket
Documentation=https://github.com/moby/buildkit

[Service]
ExecStart=/usr/local/bin/buildkitd --oci-worker=false --containerd-worker=true

[Install]
WantedBy=multi-user.target

Create the buildkitd configuration file and register the image registry as a plain-http (insecure, unverified) registry

root@master1:/dockerfile# mkdir /etc/buildkit/
root@master1:/dockerfile# vim /etc/buildkit/buildkitd.toml
[registry."harbor.cncf.net"]
  http = true
  insecure = true

Start buildkitd

root@master1:~# systemctl daemon-reload
root@master1:~# systemctl start buildkitd
root@master1:~# systemctl enable buildkitd

Testing image builds

1. Build an image with nerdctl

Change nerdctl's default namespace

root@master1:/dockerfile# mkdir -p /etc/nerdctl
root@master1:/dockerfile# vim /etc/nerdctl/nerdctl.toml
namespace = "k8s.io"
debug = false
debug_full = false
insecure_registry = true

nerdctl must be installed beforehand

root@master1:~# nerdctl login --insecure-registry harbor.cncf.net

root@master1:~# nerdctl pull ubuntu:20.04

root@master1:~# nerdctl tag ubuntu:20.04 harbor.cncf.net/baseimages/ubuntu:20.04

root@master1:~# nerdctl push harbor.cncf.net/baseimages/ubuntu:20.04

Add the private Harbor registry's https certificates

root@master1:~# mkdir /etc/containerd/certs.d/harbor.cncf.net -p

# containerd treats a .crt file as a CA certificate, so the Harbor server certificate must be converted to .cert format
root@Harbor:/usr/local/harbor/certs# openssl x509 -inform PEM -in cncf.net.crt -out cncf.net.cert

root@Harbor:/usr/local/harbor/certs# scp ca.crt cncf.net.cert cncf.net.key 192.168.119.6:/etc/containerd/certs.d/harbor.cncf.net/

Build the Dockerfile with nerdctl

root@master1:/dockerfile# cat Dockerfile
FROM harbor.cncf.net/baseimages/ubuntu:20.04
MAINTAINER LXH

ADD sources.list /etc/apt/

RUN apt-get update && \
apt-get install -y make libpcre3 libpcre3-dev \
zlib1g-dev libssl-dev build-essential \
openssl gcc vim make telnet iproute2 iputils-ping

ADD Shanghai /usr/share/zoneinfo/Asia/

RUN ln -snf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

# build the image
root@master1:/dockerfile# nerdctl build -t harbor.cncf.net/os/ubuntu:20.04 .

Push the image to Harbor

root@master1:/dockerfile# nerdctl push harbor.cncf.net/os/ubuntu:20.04

Open Harbor to verify the image is there

2. Dealing with Harbor's self-signed certificate

If Harbor uses a self-signed https certificate, building images through containerd fails with a certificate verification error, unknown authority, meaning the issuing CA is not trusted by the client.

root@master1:/dockerfile# nerdctl build -t harbor.cncf.net/os/ubuntu:20.04 .
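The unknown authority error above is the client's X.509 chain check rejecting a certificate whose issuing CA is not in its trust store; containerd, nerdctl and BuildKit are Go programs, so the Go program below (an added example, not code from this post or from those projects) reproduces that check with a constructed private CA and a server certificate for harbor.cncf.net. Verification succeeds only when the CA is among the trusted roots (what the certs.d step above supplies), reports unknown authority without it, and reports a hostname mismatch when the name differs; the function names, the CA name, serial numbers and 24-hour validity are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCert generates an Ed25519 key and signs tmpl with parent/parentKey; nil parent = self-signed.
func issueCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// MakeHarborPKI builds a constructed private CA and a 24h server certificate for host (test values only).
func MakeHarborPKI(host string) (ca, leaf *x509.Certificate) {
	now, later := time.Now(), time.Now().Add(24*time.Hour)
	ca, caKey := issueCert(&x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: later,
		Subject: pkix.Name{CommonName: "constructed Harbor CA"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	leaf, _ = issueCert(&x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: later,
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	return ca, leaf
}

// VerifyRegistryCert validates leaf for host against roots and names the result as a Go client (containerd) would.
func VerifyRegistryCert(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	switch err.(type) {
	case nil:
		return "ok"
	case x509.UnknownAuthorityError: // the error seen on this page: issuing CA not in the trust roots
		return "unknown authority"
	case x509.HostnameError: // the requested name is not among the certificate's SANs
		return "hostname mismatch"
	}
	return "other: " + err.Error()
}
```

Call MakeHarborPKI and VerifyRegistryCert from a test or a main of your own; an empty x509.NewCertPool() as roots reproduces the unknown authority case, a pool with the CA added reproduces the trusted case.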

Solutions:

1. Use plain http only for Harbor.

Edit harbor.yaml and comment out the https configuration

root@harbor:/usr/local/harbor# docker-compose stop
root@harbor:/usr/local/harbor# ./prepare
root@harbor:/usr/local/harbor# docker-compose up -d

2. Use a certificate issued by a trusted CA (optional).

3. Set up nginx with https as a reverse proxy in front of Harbor's http endpoint.

root@etcd1:/usr/local/nginx/conf# mkdir /usr/local/nginx/conf/certs

# copy the certificate from the Harbor host to nginx
root@harbor:/usr/local/harbor/certs# scp cncf.net.crt cncf.net.key 192.168.100.8:/usr/local/nginx/conf/certs/

# configure nginx
root@etcd1:/usr/local/nginx/conf# vim nginx.conf
    client_max_body_size 2000m;

    server {
        listen       80;
        server_name  harbor.cncf.net;

        listen 443 ssl;
        ssl_certificate /usr/local/nginx/conf/certs/cncf.net.crt;
        ssl_certificate_key /usr/local/nginx/conf/certs/cncf.net.key;
        ssl_session_timeout 10m;
        ssl_session_cache    shared:sslcache:20m;

        location / {
            proxy_pass http://192.168.100.15;
        }
    }

# start nginx
root@etcd1:/usr/local/nginx/conf# cd ../sbin/
root@etcd1:/usr/local/nginx/sbin# ./nginx

On the containerd host, edit /etc/hosts so that the Harbor hostname resolves to the nginx address

root@master1:/dockerfile# vim /etc/hosts
192.168.100.8 harbor.cncf.net

Test pulling an image

posted @ 2022-08-11 11:14  PunchLinux