极客时间运维进阶训练营第二周作业-容器技术(2)


1、基于 dockerfile,实现分层构建的 nginx 业务镜像


创建基础镜像

# Root of all build contexts; one sub-tree per image layer
# (system -> runtime -> app).
BASE_DIR="/opt/dockerfiles"
mkdir -p "${BASE_DIR}/app" "${BASE_DIR}/runtime" "${BASE_DIR}/system"

# ---- OS base image: build context and apt mirror list ----
UBUNTU_Dockerfile="${BASE_DIR}/system/ubuntu2204"
# Create the context directory only when it is missing.
[[ -d "${UBUNTU_Dockerfile}" ]] || mkdir "${UBUNTU_Dockerfile}"
cd "${UBUNTU_Dockerfile}"
# Quoted delimiter: the list is written verbatim, with no shell expansion.
# tee also echoes the written text to the terminal.
tee "${UBUNTU_Dockerfile}/sources.list" << 'EOF'
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-updates main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-updates main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-backports main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-backports main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-security main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-security main restricted universe multiverse
EOF

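# Dockerfile for the OS base image (system/ubuntu2204).
# Step 1 installs ca-certificates from the stock archive so that apt can
# validate the HTTPS mirror that sources.list switches to in step 2.
# The package list is de-duplicated and the apt index is removed in the same
# layer, so it is not carried into every derived image.
# NOTE(review): every image built on this base inherits openssh-server,
# telnet, tcpdump, nfs-kernel-server and a compiler. gcc/make and the -dev
# libraries are needed by the nginx source build in the runtime layer; the
# rest are debugging conveniences that widen the attack surface and should be
# trimmed for anything beyond a lab.
# NOTE(review): "ubuntu:22.04" is a moving tag; pin it by digest
# (ubuntu:22.04@sha256:<DIGEST_PLACEHOLDER>) when builds must be reproducible.
tee "${UBUNTU_Dockerfile}/Dockerfile" << 'EOF'
FROM ubuntu:22.04
RUN apt-get update \
 && apt-get install -y apt-transport-https ca-certificates curl software-properties-common \
 && apt-get clean && rm -rf /var/lib/apt/lists/*
COPY sources.list /etc/apt/sources.list
RUN apt-get update \
 && apt-get install -y iproute2 ntpdate tcpdump telnet traceroute \
      nfs-kernel-server nfs-common lrzsz tree openssl libssl-dev \
      libpcre3 libpcre3-dev zlib1g-dev gcc openssh-server iotop unzip zip make \
 && apt-get clean && rm -rf /var/lib/apt/lists/*

EOF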

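# ---- Build and smoke-run the base image ----
# The build context is passed as an explicit path instead of ".", so a failed
# `cd` earlier cannot send an unrelated directory to the Docker daemon.
docker build -t system/ubuntu2204:v1 "${UBUNTU_Dockerfile}"
# Detached, throw-away container (--rm) kept alive by an interactive bash.
docker run -it -d --rm system/ubuntu2204:v1 bash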
创建自己的nginx镜像
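# ---- nginx runtime image: build context and source tarball ----
UBUNTU_Dockerfile="${BASE_DIR}/runtime/nginx"
mkdir -p "${UBUNTU_Dockerfile}"
cd "${UBUNTU_Dockerfile}"
# Fetch the source over HTTPS from the upstream site rather than over plain
# HTTP from a third-party mirror: this tarball is compiled and executed inside
# the image, so an on-path attacker or a tampered mirror would control the
# resulting binary. -f makes curl fail on an HTTP error instead of saving the
# error page under the tarball's name; -o writes into the build context even
# if the cd above did not succeed.
curl -fL -o "${UBUNTU_Dockerfile}/nginx-1.21.6.tar.gz" \
  https://nginx.org/download/nginx-1.21.6.tar.gz
# Before building, verify the download against a value obtained out of band
# (upstream also publishes a detached PGP signature next to each tarball):
#   echo "<EXPECTED_SHA256>  nginx-1.21.6.tar.gz" | sha256sum -c -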


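# Dockerfile for the nginx runtime image (runtime/nginx).
# ADD unpacks the local tar.gz into /usr/local/src/; nginx is then compiled
# with prefix /apps/nginx, symlinked into /usr/bin, and the source tree is
# removed. ENTRYPOINT + CMD (exec form) run nginx in the foreground; arguments
# given to `docker run` replace only the CMD part.
# chown uses the "user:group" separator; the dotted form is a deprecated
# extension.
# NOTE(review): an nginx account (uid/gid 2088) is created and given
# /apps/nginx, but nothing in this Dockerfile makes nginx run as it: there is
# no USER instruction and ./configure gets no --user/--group. Presumably the
# intent was to run workers as nginx; confirm, and set `user nginx;` in
# nginx.conf or pass --user=nginx --group=nginx to ./configure.
# NOTE(review): port 443 is exposed, but ./configure is called with --prefix
# only, so the TLS module (--with-http_ssl_module) is not built.
tee "${UBUNTU_Dockerfile}/Dockerfile" << 'EOF'
FROM system/ubuntu2204:v1
ADD nginx-1.21.6.tar.gz /usr/local/src/
RUN cd /usr/local/src/nginx-1.21.6 && ./configure --prefix=/apps/nginx && make && make install  &&\
ln -sv /apps/nginx/sbin/nginx /usr/bin && rm -rf  /usr/local/src/nginx-1.21.6  &&\
groupadd  -g 2088 nginx && useradd  -g nginx -s /usr/sbin/nologin -u 2088 nginx && chown -R nginx:nginx /apps/nginx
EXPOSE 80 443
ENTRYPOINT ["/apps/nginx/sbin/nginx"]
CMD ["-g","daemon off;"]

#CMD ["/apps/nginx/sbin/nginx","-g","daemon off;"]
#ENTRYPOINT ["/apps/nginx/sbin/nginx","-g","daemon off;"]
EOF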

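# ---- Build and run the nginx runtime image ----
# Explicit context path: the build does not depend on the current directory.
docker build -t runtime/nginx:v1 "${UBUNTU_Dockerfile}"
# -p 80:80 publishes the port on every host interface; use
# -p 127.0.0.1:80:80 when the container should only be reachable locally.
docker run -it -d --rm -p 80:80 runtime/nginx:v1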

  创建自己的nginx_app镜像

# ---- Application image (app/web1): build context ----
UBUNTU_Dockerfile="${BASE_DIR}/app/web1"
# Create the context directory only when it is missing, then work inside it.
[[ -d "${UBUNTU_Dockerfile}" ]] || mkdir "${UBUNTU_Dockerfile}"
cd "${UBUNTU_Dockerfile}"

# Write the application's nginx.conf into the current directory (the build
# context, provided the preceding cd succeeded). The quoted "EOF" delimiter
# stops the shell from expanding the $variables that appear in the
# configuration, so the text is written verbatim; tee also echoes it to the
# terminal.
# Active settings: one worker process, a port-80 server for "localhost" that
# serves static files from html/, and /myapp proxied over plain HTTP to the
# "tomcat" upstream (192.168.56.50:8080 and 192.168.56.18:8080).
# NOTE(review): the `user` directive is commented out, so workers do not run
# as the nginx account created in runtime/nginx:v1; presumably they use the
# compile-time default user. Confirm, or set `user nginx;`.
# NOTE(review): the 443/ssl server block is commented out, although the image
# is later started with -p 443:443.
tee nginx.conf << "EOF"
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;
#daemon off;

events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;


upstream tomcat {
  server 192.168.56.50:8080;
  server 192.168.56.18:8080;
}
    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }


	location /myapp {
           proxy_pass http://tomcat;
        }
        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}

EOF


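# Dockerfile for the application image (app/web1): the runtime image plus the
# site configuration and the front-end bundle.
# COPY is used for the plain nginx.conf; ADD is kept for frontend.tar.gz
# because its automatic unpacking of a local tar archive is wanted there.
# NOTE(review): frontend.tar.gz is not created anywhere in the steps shown;
# it must already exist in the build context or the build fails.
tee "${UBUNTU_Dockerfile}/Dockerfile" << 'EOF'
FROM runtime/nginx:v1
COPY nginx.conf /apps/nginx/conf/
ADD frontend.tar.gz /apps/nginx/html/

EOF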


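# ---- Build and run the application image ----
# Explicit context path: the build does not depend on the current directory.
docker build -t app/web1:v1 "${UBUNTU_Dockerfile}"

# Ports 80 and 443 are published on every host interface.
# NOTE(review): the nginx.conf written above has no active 443 listener, so
# the 443 mapping is unused unless the HTTPS server block is enabled.
docker run -it -d --rm -p 80:80 -p 443:443 app/web1:v1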

  

2、基于 docker 实现对容器的 CPU 和内存的资源限制

## Memory
# nginx with a hard memory cap of 512 MiB, detached, port 80 published.
docker run --interactive --tty --detach --memory 512m --rm --publish 80:80 nginx:1.20.0-alpine

# Show the stress tool's options, then run two vm workers of 256 MiB each
# inside a container capped at 256 MiB, so demand exceeds the limit.
docker run --interactive --tty --rm lorel/docker-stress-ng --help
docker run --interactive --tty --rm --memory 256m lorel/docker-stress-ng --vm 2 --vm-bytes 256m
# Live per-container usage against the configured limits.
docker stats

## CPU
##### No limit: 4 cpu workers and 4 vm workers may use every host core
docker run --interactive --tty --rm --name test_cup1 lorel/docker-stress-ng --cpu 4 --vm 4
##### Limited to the equivalent of 2 CPUs
docker run --interactive --tty --rm --name test_cup2 --cpus=2 lorel/docker-stress-ng --cpu 4 --vm 4
##### Same 2-CPU quota, additionally pinned to host cores 1 and 3
docker run --interactive --tty --rm --name test_cpu22 --cpus=2 --cpuset-cpus=1,3 lorel/docker-stress-ng --cpu 4 --vm 4

3、部署 http 协议的 harbor 镜像仓库

#前提:docker和docker-compose安装完毕且版本符合要求
#域名 harbor.iclinux.com

HTTP版安装

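# Download and unpack the Harbor v2.6.1 offline installer, then start from the
# template configuration.
# -L follows the redirect that GitHub release URLs answer with (without it
# curl saves the redirect response instead of the archive); -f fails on an
# HTTP error instead of writing the error body to disk.
cd /usr/local/src/ \
  && curl -fLO https://github.com/goharbor/harbor/releases/download/v2.6.1/harbor-offline-installer-v2.6.1.tgz
# The installer is run as root, so check the archive against the checksum or
# signature published with the release before unpacking it:
#   echo "<EXPECTED_SHA256>  harbor-offline-installer-v2.6.1.tgz" | sha256sum -c -
mkdir -p /apps
tar xzf /usr/local/src/harbor-offline-installer-v2.6.1.tgz -C /apps/
cd /apps/harbor && cp harbor.yml.tmpl harbor.yml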
root@harbor:/apps/harbor# vim harbor.yml
  5 hostname: harbor.iclinux.com
 12 # https related config
 13 #https:
 14   # https port for harbor, default is 443
 15   # port: 443
 16   # The path of cert and key files for nginx
 17   # certificate: /your/certificate/path
 18   # private_key: /your/private/key/path

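# 通过配置文件可知,默认管理员账号密码为admin\Harbor12345(harbor.yml 中的 harbor_admin_password);该默认值是公开的,应在执行 install.sh 之前修改。以 HTTP 方式部署时,登录凭据和镜像内容均以明文传输,仅适合隔离的实验环境。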
root@harbor:/apps/harbor# ./install.sh --with-trivy --with-chartmuseum
# 出现如下字样,方表示安装成功
#----Harbor has been installed and started successfully.----
# 使用harbor 账号密码为admin\Harbor12345 登录
http://harbor.iclinux.com/

  

4、扩展作业∶掌握 containerd 的安装 A

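# Install containerd.io 1.6.8-1 from the Aliyun docker-ce mirror.
# The repository key is stored in its own keyring and bound to this one
# repository with signed-by. `apt-key add` is deprecated, and a key added that
# way is trusted for every configured repository, not only this mirror.
apt-get -y install apt-transport-https ca-certificates curl gnupg software-properties-common
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg \
  | gpg --yes --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable" \
  > /etc/apt/sources.list.d/docker.list
apt-get -y update
# List the versions the repository offers, then install the pinned one.
apt-cache madison containerd.io
apt-get install -y containerd.io=1.6.8-1
containerd --version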
#查看默认配置
root@u-test:~# containerd --version
root@u-test:~# containerd config default > /etc/containerd/config.toml
root@u-test:~# vim /etc/containerd/config.toml
 61     sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.7"
153       [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
154         [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
155           endpoint = ["https://9916w1ow.mirror.aliyuncs.com"]

root@u-test:~# systemctl restart containerd.service
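# Install runc v1.1.4.
# -L follows the redirect that GitHub release URLs answer with; without it
# the saved file is the redirect response, which would then be copied to
# /usr/bin/runc. -f fails on an HTTP error. `install -m 0755` copies the
# binary and sets its mode in one step, and only runs if the download worked.
# runc is the root-privileged component that starts every container, so
# verify the binary against the checksum/signature published with the release
# before installing it:
#   echo "<EXPECTED_SHA256>  runc.amd64" | sha256sum -c -
# NOTE(review): the containerd.io package normally ships its own
# /usr/bin/runc; this overwrites a package-managed file, and a later package
# upgrade will replace it again. Confirm that is intended.
cd /usr/local/src/ \
  && curl -fLO https://github.com/opencontainers/runc/releases/download/v1.1.4/runc.amd64 \
  && install -m 0755 /usr/local/src/runc.amd64 /usr/bin/runc
runc -v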

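# Install the CNI plugins v1.1.1 into /opt/cni/bin.
# -L follows the GitHub release redirect and -f fails on an HTTP error; the
# archive is unpacked only if the download succeeded. Check it against the
# checksum published with the release first:
#   echo "<EXPECTED_SHA256>  cni-plugins-linux-amd64-v1.1.1.tgz" | sha256sum -c -
mkdir -pv /opt/cni/bin
cd /usr/local/src/ \
  && curl -fLO https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz \
  && tar xvf cni-plugins-linux-amd64-v1.1.1.tgz -C /opt/cni/bin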

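# Install nerdctl v0.23.0.
# -L follows the GitHub release redirect and -f fails on an HTTP error; the
# archive is unpacked only if the download succeeded.
# The archive is extracted as root straight into /usr/bin and overwrites any
# file of the same name there, so verify it and list its members
# (tar tf <archive>) first:
#   echo "<EXPECTED_SHA256>  nerdctl-0.23.0-linux-amd64.tar.gz" | sha256sum -c -
cd /usr/local/src/ \
  && curl -fLO https://github.com/containerd/nerdctl/releases/download/v0.23.0/nerdctl-0.23.0-linux-amd64.tar.gz \
  && tar xvf nerdctl-0.23.0-linux-amd64.tar.gz -C /usr/bin/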

  

5、扩展作业∶基于 nerdctl 拉取镜像和创建容器 A

# Pull the image, then start it attached to the terminal with host port 80
# published to container port 80 and an always-restart policy.
nerdctl pull nginx:1.18.0-alpine

nerdctl run -it --publish 80:80 --name nginx-web1 --restart always nginx:1.18.0-alpine

  

 
