介绍:

使用共享后端存储(此环境使用NFS),共享一个数据库(Postgres+Redis主从),Keepalived避免单节点故障。

NFS挂载

[root@dh1 ~]$ mkdir /data

[root@dh1 ~]$ mount -t nfs 10.3.164.22:/data /data
[root@dh2 ~]$ mkdir /data
[root@dh2 ~]$ mount -t nfs 10.3.164.22:/data /data

Haproxy搭建

##两台机器配置步骤相同

[root@dh1 ~]$ tar xf haproxy-2.4.2.tar.gz
[root@dh1 ~]$ cd haproxy-2.4.2
[root@dh1 ~]$ yum install -y openssl openssl-devel systemd-devel.x86_64 gcc
[root@dh1 ~]$ uname -r
[root@dh1 ~]$ make TARGET=linux5134 CPU=x86_64 PREFIX=/usr/local/haproxy #TARGET对应内核版本号
[root@dh1 ~]$ make install PREFIX=/usr/local/haproxy
[root@dh1 ~]$ mkdir -p /usr/local/haproxy/conf #创建配置目录
[root@dh1 ~]$ mkdir -p /etc/haproxy #创建配置目录
[root@dh1 ~]$ mkdir -p /usr/share/haproxy/ #防止启动出错
[root@dh1 ~]$ touch /usr/local/haproxy/conf/haproxy.cfg #创建配置文件
[root@dh1 ~]$ ln -s /usr/local/haproxy/conf/haproxy.cfg /etc/haproxy/haproxy.cfg #添加配置文件
[root@dh1 ~]$ mkdir -p /usr/local/haproxy/log #创建日志文件
[root@dh1 ~]$ touch /usr/local/haproxy/log/haproxy.log #创建日志文件
[root@dh1 ~]$ ln -s /usr/local/haproxy/log/haproxy.log /var/log/haproxy.log #添加软链接
[root@dh1 ~]$ cp /opt/haproxy-2.4.2/examples/haproxy.init /etc/rc.d/init.d/haproxy #做成系统服务
[root@dh1 ~]$ chmod +x /etc/rc.d/init.d/haproxy #添加脚本权限
[root@dh1 ~]$ chkconfig haproxy on #设置开机启动
[root@dh1 ~]$ ln -s /usr/local/haproxy/sbin/haproxy /usr/sbin #添加软链接
[root@dh1 ~]$ groupadd haproxy #添加haproxy的组
[root@dh1 ~]$ useradd -g haproxy haproxy -s /bin/false
[root@dh1 ~]$ cat /usr/local/haproxy/conf/haproxy.cfg ###两个节点配置文件相同
global
# Process-wide settings shared by every section below.
log 127.0.0.1 local0 warning
chroot /usr/share/haproxy
pidfile /var/run/haproxy.pid
stats socket /usr/local/haproxy/stats
stats timeout 30s
# Drop privileges after start-up; the haproxy user/group is created above with -s /bin/false.
user haproxy
group haproxy
daemon

defaults
log global
# Layer-4 passthrough: TLS is not terminated here, Harbor serves its own certificate on 8443
# (see harbor.yml further down).
mode tcp
#option httplog
option dontlognull
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 10000
# NOTE(review): connect/client/server timeouts are set a second time here (unit-less values are
# milliseconds); HAProxy applies the last occurrence, so these override the 10s/1m lines above.
# Keep only one set to avoid confusion.
timeout connect 5000
timeout client 50000
timeout server 50000

listen stats
mode http
# NOTE(review): the stats page listens on every interface and is guarded only by the default
# admin:admin credentials below; change the password and bind to a management address before
# exposing this port.
bind :8281
stats enable
stats hide-version

stats uri /haproxyadmin?stats
stats realm Haproxy\ Statistics
stats auth admin:admin

frontend main
# Public entry point; the Keepalived VIP 10.3.164.23 is fronted by this listener on both nodes.
bind 0.0.0.0:443
default_backend harbor

backend harbor
# Source-IP hashing keeps a given client on the same Harbor node across connections.
balance source
# Health check every 1000 ms; a node is marked down after 2 consecutive failures.
server dh1 10.3.164.20:8443 check port 8443 inter 1000 fall 2
server dh2 10.3.164.21:8443 check port 8443 inter 1000 fall 2

[root@dh1 ~]$ systemctl restart haproxy.service

Keepalived搭建

~]$ yum install libnl* libnfnetlink-devel -y

~]$ tar xf keepalived-2.2.2.tar.gz
~]$ cd keepalived-2.2.2
~]$ ./configure --prefix=/usr/local/keepalived
~]$ make && make install
~]$ cp /usr/local/keepalived/sbin/keepalived /usr/sbin/
~]$ cp /usr/local/keepalived/etc/sysconfig/keepalived /etc/sysconfig/
~]$ cp /opt/keepalived-2.2.2/keepalived/etc/init.d/keepalived /etc/init.d/keepalived
~]$ chmod +x /etc/init.d/keepalived
##节点1
~]$ vim /etc/keepalived/keepalived.conf
global_defs { #这里关于邮箱的都删掉了现在用不到。
smtp_connect_timeout 30 #连接超时时间
router_id LVS_DEVEL01 #相当于给这个服务器起个昵称
}

vrrp_script chk_haproxy {
script "/etc/keepalived/check_haproxy.sh"
interval 2
weight 2
}

vrrp_instance VI_1 {
state MASTER #定义为主服务器
interface ens160 #承载漂移ip的网卡 7的系统 ens开头
virtual_router_id 51 #定义一个热备组,可以认为这是51号热备组
priority 100 #主服务器优先级要比备服务器高
advert_int 1 #1秒互相通告一次,检查对方死了没。
authentication {
auth_type PASS #认证类型
auth_pass 1111 #认证密码 这些相当于暗号
}
track_script {
chk_haproxy
}
virtual_ipaddress {
10.3.164.23 #漂移ip
}
notify_master "/etc/keepalived/clean_arp.sh 10.3.164.23"
}
##节点2
~]$ vim /etc/keepalived/keepalived.conf
global_defs { #这里关于邮箱的都删掉了现在用不到。
smtp_connect_timeout 30 #连接超时时间
router_id LVS_DEVEL02 #相当于给这个服务器起个昵称
}

vrrp_script chk_haproxy {
script "/etc/keepalived/check_haproxy.sh"
interval 2
weight 2
}

vrrp_instance VI_1 {
state BACKUP #定义为备服务器
interface ens160 #承载漂移ip的网卡 7的系统 ens开头
virtual_router_id 51 #定义一个热备组,可以认为这是51号热备组
priority 90 #主服务器优先级要比备服务器高
advert_int 1 #1秒互相通告一次,检查对方死了没。
authentication {
auth_type PASS #认证类型
auth_pass 1111 #认证密码 这些相当于暗号
}
track_script {
chk_haproxy
}
virtual_ipaddress {
10.3.164.23 #漂移ip
}
notify_master "/etc/keepalived/clean_arp.sh 10.3.164.23"
}

设置HAproxy服务监控脚本(两台机器均要操作)
~]$ vim /etc/keepalived/check_haproxy.sh
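#!/bin/bash
# Keepalived vrrp_script target (chk_haproxy in keepalived.conf, run every 2s):
# if no haproxy process is running, try to start it once; if it is still not
# running after a short grace period, stop keepalived on this node so the VIP
# fails over to the peer.
#
# Exit status: 0 when haproxy is (now) running, 1 when the restart failed, so
# the vrrp_script weight is only granted while haproxy is actually up.

# Count haproxy processes. The original line lacked $(...), so it assigned the
# literal string "ps" to A instead of the count.
running=$(ps -C haproxy --no-header | wc -l)

if [ "$running" -eq 0 ]; then
  /etc/init.d/haproxy start
  sleep 3
  # Re-check after the start attempt. The original placed the pipeline
  # directly inside [ ], which is a syntax error rather than a test.
  running=$(ps -C haproxy --no-header | wc -l)
  if [ "$running" -eq 0 ]; then
    # haproxy could not be started: give up the VIP by stopping keepalived.
    /etc/init.d/keepalived stop
    exit 1
  fi
fi
exit 0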


~]$ chmod +x /etc/keepalived/check_haproxy.sh
~]$ vim /etc/keepalived/clean_arp.sh
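#!/bin/sh
# Called by keepalived notify_master with the VIP as $1 (see keepalived.conf).
# Sends gratuitous ARP for the VIP towards the gateway so the gateway's ARP
# cache points at the new master after a failover.
#
# Arguments: $1 - VIP that was just taken over (required)
#            $2 - interface carrying the VIP (optional, default eth0)
# Returns:   arping's exit status

# Abort with a usage message instead of running arping with an empty source.
VIP=${1:?usage: clean_arp.sh VIP [IFACE]}
# NOTE(review): keepalived.conf on this page puts the VIP on ens160, while the
# original script hard-coded eth0 here; pass the interface explicitly or change
# the default so it matches the vrrp_instance interface.
IFACE=${2:-eth0}
GATEWAY=10.3.164.254 #网关地址 (gateway address)

# "&>/dev/null" is bash-only; under #!/bin/sh it is parsed as "run in the
# background" followed by a redirect, so use the POSIX form instead.
/sbin/arping -I "$IFACE" -c 5 -s "$VIP" "$GATEWAY" >/dev/null 2>&1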
~]$ chkconfig keepalived on
~]$ systemctl restart keepalived.service

数据库部署使用docker-compose:

~]$ docker-compose.yml

version: '2.3'
services:
postgresql:
image: goharbor/harbor-db:v2.2.2
container_name: harbor-postgresql-slave
restart: always
cap_drop:
- ALL
cap_add:
- CHOWN
- DAC_OVERRIDE
- SETGID
- SETUID
environment:
POSTGRES_USER: root
POSTGRES_PASSWORD: hulu@2021
#volumes:
# - /data/hulu_slave_database/harbor-postgresql:/var/lib/postgresql/data:z
networks:
- harbor-db
ports:
- 5432:5432
redis:
hostname: redis-slave
container_name: redis-slave
restart: always
image: redis:5
command: redis-server /etc/redis/redis.conf
volumes:
- /data/hulu_slave_database/redis/data:/data
- /data/hulu_slave_database/redis/redis.conf:/etc/redis/redis.conf:rw
ports:
- '6379:6379'
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
networks:
- harbor-db
networks:
harbor-db:
driver: bridge
~]$ docker-compose up -d


###redis master配置
bind 0.0.0.0
requirepass hulu@2021


###redis slave配置
requirepass hulu@2021
replicaof 10.3.164.20 6379
masterauth hulu@2021
Harbor部署:

###生产环境是harbor的部署是使用李恒创建ansible文件部署的,参考以下做修改



# 在线部署Harbor
~]$ cd /opt/
~]$ wget https://github.com/goharbor/harbor/releases/download/v2.2.2/harbor-online-installer-v2.2.2.tgz
~]$ tar xf harbor-online-installer-v2.2.1.tgz
~]$ cd /opt/harbor
~]$ cp harbor.yml.tmpl harbor.yml

# 创建harbor数据存储
~]$ mkdir /data/harbor

# 添加域名证书,已有域名SSL证书
~]$ mkdir /data/harbor/cert

# 把SSL证书公钥和私钥上传到 /data/harbor/cert 目录中
~]$ scp harbor.example.pem root@10.3.164.20:/data/harbor/cert/
~]$ scp harbor.example.key root@10.3.164.20:/data/harbor/cert/

# 配置 harbor.yml 文件,下面是修改后文件与原文件比较结果
~]$ diff harbor.yml harbor.yml.tmpl
5c5
< hostname: harbor.example.com
---
> hostname: reg.mydomain.com
17,18c17,18
< certificate: /data/harbor/cert/harbor.example.pem
< private_key: /data/harbor/cert/harbor.example.key
---
> certificate: /your/certificate/path
> private_key: /your/private/key/path
29c29
< external_url: https://harbor.example.com
---
> # external_url: https://reg.mydomain.com:8433

< data_volume: /data/harbor
---
> data_volume: /data



# 进入临时harbor-db容器导出相关表及数据
~]$ docker exec -it -u postgres harbor-db bash

# 从自带的容器中导出数据
~]$ pg_dump -U postgres registry > /tmp/registry.sql
~]$ pg_dump -U postgres notarysigner > /tmp/notarysigner.sql
~]$ pg_dump -U postgres notaryserver > /tmp/notaryserver.sql

# 将数据导入单独部署的PostgreSQL数据库
~]$ psql -U postgres registry -W < /tmp/registry.sql
~]$ psql -U postgres notarysigner -W < /tmp/notarysigner.sql
~]$ psql -U postgres notaryserver -W < /tmp/notaryserver.sql


~]$ harbor.yml
hostname: harbor.hulupos.com
http:
port: 8080
https:
port: 8443
certificate: /usr/local/harbor/cert/harbor.hulupos.com.crt
private_key: /usr/local/harbor/cert/harbor.hulupos.com.key
harbor_admin_password: 8XHeH5bC6i6bTttZ
database:
password: TbZC8gBss5A7DedM
max_idle_conns: 50
max_open_conns: 1000
data_volume: /data
trivy:
ignore_unfixed: false
skip_update: false
insecure: false
jobservice:
max_job_workers: 10
notification:
webhook_job_max_retry: 10
chart:
absolute_url: disabled
log:
level: info
local:
rotate_count: 50
rotate_size: 200M
location: /var/log/harbor
_version: 2.2.0
external_database:
harbor:
host: 10.3.164.20
port: 5432
db_name: registry
username: postgres
password: hulu@2021
ssl_mode: disable
max_idle_conns: 50
max_open_conns: 100
notary_signer:
host: 10.3.164.20
port: 5432
db_name: notarysigner
username: postgres
password: hulu@2021
ssl_mode: disable
notary_server:
host: 10.3.164.20
port: 5432
db_name: notaryserver
username: postgres
password: hulu@2021
ssl_mode: disable
external_redis:
host: 10.3.164.20:6379
password: hulu@2021
registry_db_index: 1
jobservice_db_index: 2
chartmuseum_db_index: 3
trivy_db_index: 5
idle_timeout_seconds: 30
proxy:
http_proxy:
https_proxy:
no_proxy:
components:
- core
- jobservice
- trivy
# 生成配置文件
~]$ cd /opt/harbor
# harbor开启helm charts 和 镜像漏洞扫描
~]$ ./prepare --with-notary --with-trivy --with-chartmuseum
# 安装
~]$ ./install.sh --with-notary --with-trivy --with-chartmuseum
# 查看
~]$ docker-compose ps
# 查看
~]$ docker-compose ps