4 单机容器编排工具docker-compose + 存放镜像的私有仓库Harbor
docker-compose :单机容器编排工具 https://docs.docker.com/compose/install/
1、安装docker-compose 在一台容器中使用,轻松的管理容器,定义运行多个容器
[root@localhost ~]# wget https://hub.fastgit.org/docker/compose/releases/download/1.29.2/docker-compose-Linux-x86_64
[root@localhost ~]# mv docker-compose-Linux-x86_64 docker-compose
[root@localhost ~]# chmod +x docker-compose
[root@localhost ~]# mv docker-compose /usr/local/bin/
# docker-compose命令补全
[root@localhost ~]# curl -L https://raw.githubusercontent.com/docker/compose/1.29.2/contrib/completion/bash/docker-compose > /etc/bash_completion.d/docker-compose
2、docker-compose的使用
[root@localhost ~]# mkdir docker-compose
[root@localhost ~]# cd docker-compose/
[root@localhost docker-compose]# pwd
/root/docker-compose
[root@localhost docker-compose]# touch docker-compose.yaml
# 启动一个服务
docker-compose up
参数:
-d :以守护进程方式运行
# 停止一个服务
docker-compose down
3、docker-compose的配置文件
version : 指定配置文件的版本号
services :指定项目的
image :指定镜像
3.1、build
根据Dockerfile,临时构建镜像,并运行。
build Dockerfile的路径
[root@localhost work]# cat docker-compose.yaml
version: "3"
services:
django:
build: ./django
3.2、command
指定容器启动命令。
version: "3"
services:
nginxweb:
build: ./django
command: python manage.py runserver 0.0.0.0:8080
3.3、container_name
指定容器名称,默认将会使⽤ 项⽬名称_服务名称_序号 这样的格式。
version: "3"
services:
nginxweb:
build: ./django
command: python manage.py runserver 0.0.0.0:8080
container_name: djangov1
3.4、depends_on
解决容器的依赖、启动先后的问题
version
3.5、env_file
指定一个环境变量文件名称。
version: "3"
services:
nginx:
image: nginx
depends_on:
- django
env_file:
- ./env
3.6、environment
设置环境变量。
3.7、healthcheck
健康检查
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost"]
interval: 1m #延时探测时间
timeout: 10s #超时时间
retries: 3 #时间间隔
3.8、networks
定义再服务中的network,代表指定使用哪个网桥;定义在顶级中的network,代表创建的networks
3.9、ports
映射端口
ports:
- 8092:80
- 8093:443
3.10、sysctls vim/etc/sysctl.conf
设置内核参数。
sysctls:
- net.core.somaxconn=1024
- net.ipv4.tcp_syncookies=0
3.11 ulimits
3.12、volumes
挂载存储卷
案例:nginx+django
version: "3" services: django: build: ./django container_name: django networks: - nginx nginx: build: ./nginx ports: - 8099:80 networks: - nginx depends_on: - django networks: nginx:
bbs
version: "3" services: bbs: build: ./bbs container_name: bbs networks: - nginx nginx: build: ./nginx ports: - 8098:80 depends_on: - bbs networks: - nginx networks: nginx:
#详细操作 cd bbs ll rm -rf bbs/app01/migrations/* touch bbs/app01/migrations/__init__.py #创建数据库,数据迁移 docker run -d --name mysql -p 3306:3306 -e MYSQL_ROOT_PASSWORD=123456 mysql:5.7 docker exec -it mysql bash mysql -uroot -p123456 create database bbs; exit; exit python3 manage.py makemigrations python3 manage.py migrate 此时如果报错,去settingd.py 修改HOST:192.168.15.105,然后重新迁移 python3 manage.py makemigrations python3 manage.py migrate vim docker-compose.yaml(见上面) cd work/ docker-compose down docker-compose up -d
docker可视化⼯具
官网: https://www.portainer.io/installation/
Portainer图形化工具构建
# 1、编写docker-compose.yaml文件 [root@docter portainer]# vim docker-compose.yaml version: '3' services: portainer: image: portainer/portainer-ce container_name: portainer ports: - "8000:8000" - "9000:9000" volumes: - "/var/run/docker.sock:/var/run/docker.sock" - "portainer_data:/data" healthcheck: test: ["CMD", "curl", "-f", "http://localhost:9000"] interval: 15s timeout: 10s retries: 3 volumes: portainer_data: 如果报错: [root@localhost portainer]# chmod 777 portainer_data/ volumes: - "./portainer_data:/data" # 2、启动 docker-compose [root@docter portainer]# docker-compose up -d Creating network "portainer_default" with the default driver Creating volume "portainer_portainer_data" with default driver Pulling portainer (portainer/portainer-ce:)... latest: Pulling from portainer/portainer-ce 651a8e6e1630: Pull complete 56e38df73332: Pull complete 635ae9c57e4c: Pull complete Digest: sha256:3e499846ae1830e9465de7f110cbf19f4dff076e80abc0f7a1d4b50e67c6b873 Status: Downloaded newer image for portainer/portainer-ce:latest Creating portainer ... done # 3、查看 docker-compose容器 [root@docter portainer]# docker-compose ps Name Command State Ports ----------------------------------------------------------------------------------------------------------------------------------- portainer /portainer Up (health: starting) 0.0.0.0:8000->8000/tcp,:::8000->8000/tcp, 0.0.0.0:9000->9000/tcp,:::9000->9000/tcp # 4、IP访问 192.168.15.30:9000
4、Harbor 自己的私有仓库,用来存放镜像
Harbor 是由 VMware 公司中国团队为企业用户设计的 Registry server 开源项目,包括了权限管理(RBAC)、LDAP、审计、管理界面、自我注册、HA 等企业必需的功能,同时针对中国用户的特点,设计镜像复制和中文支持等功能。作为一个企业级私有 Registry 服务器,Harbor 提供了更好的性能和安全。提升用户使用 Registry 构建和运行环境传输镜像的效率。Harbor 支持安装在多个 Registry 节点的镜像资源复制,镜像全部保存在私有 Registry 中, 确保数据和知识产权在公司内部网络中管控。另外,Harbor 也提供了高级的安全特性,诸如用户管理,访问控制和活动审计等。
4.1、配置HTTPS
1、生成CA证书私钥 mkdir /opt/cert cd /opt/cert openssl genrsa -out ca.key 4096 2、生成CA证书 openssl req -x509 -new -nodes -sha512 -days 3650 \ -subj "/C=CN/ST=ShangHai/L=ShangHai/O=Oldboy/OU=Linux/CN=192.168.15.101" \ -key ca.key \ -out ca.crt 3、生成服务器证书 openssl genrsa -out 192.168.15.101.key 4096 4、生成证书签名请求 openssl req -sha512 -new \ -subj "/C=CN/ST=ShangHai/L=ShangHai/O=Oldboy/OU=Linux/CN=192.168.15.101" \ -key 192.168.15.101.key \ -out 192.168.15.101.csr 5、生成一个x509 v3扩展文件 # 域名版 cat > v3.ext <<-EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1=yourdomain.com DNS.2=yourdomain DNS.3=hostname EOF # IP版 cat > v3.ext <<-EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = IP:192.168.15.101 EOF 6、使用该v3.ext文件生成证书 openssl x509 -req -sha512 -days 3650 \ -extfile v3.ext \ -CA ca.crt -CAkey ca.key -CAcreateserial \ -in 192.168.15.101.csr \ -out 192.168.15.101.crt 7、提供证书给Harbor和Docker openssl x509 -inform PEM -in 192.168.15.101.crt -out 192.168.15.101.cert mkdir -pv /etc/docker/certs.d/192.168.15.101/ cp 192.168.15.101.cert /etc/docker/certs.d/192.168.15.101/ cp 192.168.15.101.key /etc/docker/certs.d/192.168.15.101/ cp ca.crt /etc/docker/certs.d/192.168.15.101/ # 如果nginx端口默认部署443和80 /etc/docker/certs.d/192.168.15.101:port /etc/docker/certs.d/192.168.15.101:port # 复制Harbor证书 mkdir -p /data/cert cp 192.168.15.101.crt /data/cert cp 192.168.15.101.key /data/cert cd /data/cert 8、证书受信 在/etc/docker/daemon.json 中添加如下内容 { "insecure-registries": ["192.168.15.101"] } 9、docker加载证书 systemctl restart docker
4.2、安装Harbor
1、安装harbor [root@localhost ~]# tar -xf harbor-offline-installer-v2.3.3.tgz -C /usr/local/ [root@localhost ~]# cd /usr/local [root@localhost local]# cd harbor/ [root@localhost harbor]# docker load < harbor.v2.3.3.tar.gz (可省) [root@localhost harbor]# cp harbor.yml.tmpl harbor.yml 2、修改harbor的配置文件 [root@localhost harbor]#vim harbor.yml hostname: 192.168.15.101 https: certificate: /data/cert/192.168.15.101.crt private_key: /data/cert/192.168.15.101.key 3、安装启动 ./install.sh scp /usr/local/bin/docker-compose 192.168.15.101:/usr/local/bin/ .
4.3、其他的docker免密
mkdir -pv /etc/docker/certs.d/192.168.15.101/ scp 192.168.15.101.cert root@192.168.15.105:/etc/docker/certs.d/192.168.15.101/ scp 192.168.15.101.key root@192.168.15.105:/etc/docker/certs.d/192.168.15.101/ scp ca.crt root@192.168.15.105:/etc/docker/certs.d/192.168.15.101/ # 证书受信 在/etc/docker/daemon.json 中添加如下内容 { "insecure-registries": ["192.168.15.101"] } systemctl restart docker
Habor推送命令
docker images
docker tag nginx:latest 192.168.15.101/linux/nginx:latest
docker images
docker push 192.168.15.101/linux/nginx:latest
然后Harbor后台可以看到上传的镜像
