极客时间运维进阶训练营第二周作业-容器技术(2)
1、基于 dockerfile,实现分层构建的 nginx 业务镜像
创建基础镜像
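#!/usr/bin/env bash
# Step 1: build the OS base image (system/ubuntu2204:v1) that the nginx
# runtime image and the business image are layered on.
# Runs as root on a host with docker installed.
set -euo pipefail

BASE_DIR="/opt/dockerfiles"
mkdir -p -- "${BASE_DIR}/app" "${BASE_DIR}/runtime" "${BASE_DIR}/system"

######## create the OS base image
UBUNTU_Dockerfile="${BASE_DIR}/system/ubuntu2204"
mkdir -p -- "${UBUNTU_Dockerfile}"       # -p is idempotent; replaces the [[ -d ]] test
cd -- "${UBUNTU_Dockerfile}" || exit 1   # the relative paths below assume this cwd

# APT sources (TUNA mirror over https). Quoted delimiter: content is written literally.
tee "${UBUNTU_Dockerfile}/sources.list" << "EOF"
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-updates main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-updates main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-backports main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-backports main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-security main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-security main restricted universe multiverse
EOF

# apt-get is the scripting interface (apt warns that its CLI is not stable).
# The package list is deduplicated: ntpdate/tcpdump/telnet/traceroute and
# lrzsz/tree/openssl/libssl-dev/libpcre3*/zlib1g-dev were listed two or three times.
# NOTE(review): openssh-server and nfs-kernel-server are network daemons baked into
# the base of every image built FROM this one; drop them unless a child image needs them.
tee "${UBUNTU_Dockerfile}/Dockerfile" << "EOF"
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y apt-transport-https ca-certificates curl software-properties-common && apt-get clean
# COPY, not ADD, for a plain local file: ADD also unpacks archives and fetches URLs.
COPY sources.list /etc/apt/sources.list
RUN apt-get update && apt-get install -y iproute2 ntpdate tcpdump telnet traceroute nfs-kernel-server nfs-common lrzsz tree openssl libssl-dev libpcre3 libpcre3-dev zlib1g-dev gcc openssh-server iotop unzip zip make && apt-get clean
EOF

##### build the image
docker build -t system/ubuntu2204:v1 .
docker run -it -d --rm system/ubuntu2204:v1 bash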
创建自己的nginx镜像
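#!/usr/bin/env bash
# Step 2: build the nginx runtime image (runtime/nginx:v1) on top of system/ubuntu2204:v1.
# Requires: NGINX_SHA256 in the environment (sha256 of the nginx-1.21.6.tar.gz you verified).
set -euo pipefail

BASE_DIR="${BASE_DIR:-/opt/dockerfiles}"   # same root as the base-image step
UBUNTU_Dockerfile="${BASE_DIR}/runtime/nginx"
mkdir -p -- "${UBUNTU_Dockerfile}"
cd -- "${UBUNTU_Dockerfile}" || exit 1

# Source tarball. -f makes curl fail on HTTP errors instead of saving an error page
# under the tarball's name.
# NOTE(review): this is a plain-http third-party mirror, so the archive can be altered in
# transit or on the mirror; the checksum check below is what actually pins what gets built.
NGINX_TARBALL="nginx-1.21.6.tar.gz"
NGINX_SHA256="${NGINX_SHA256:?set to the sha256 of the verified ${NGINX_TARBALL}}"
curl -fO "http://nginx.p2hp.com/download/${NGINX_TARBALL}"
printf '%s  %s\n' "${NGINX_SHA256}" "${NGINX_TARBALL}" | sha256sum -c -

# ADD is intentional for the tarball: it unpacks it into /usr/local/src/.
# chown uses the user:group form; the user.group form is deprecated.
tee "${UBUNTU_Dockerfile}/Dockerfile" << "EOF"
FROM system/ubuntu2204:v1
ADD nginx-1.21.6.tar.gz /usr/local/src/
# NOTE(review): ./configure has no --with-http_ssl_module, so this build cannot serve TLS
# even though 443 is exposed below.
RUN cd /usr/local/src/nginx-1.21.6 && ./configure --prefix=/apps/nginx && make && make install &&\
    ln -sv /apps/nginx/sbin/nginx /usr/bin && rm -rf /usr/local/src/nginx-1.21.6 &&\
    groupadd -g 2088 nginx && useradd -g nginx -s /usr/sbin/nologin -u 2088 nginx && chown -R nginx:nginx /apps/nginx
EXPOSE 80 443
ENTRYPOINT ["/apps/nginx/sbin/nginx"]
CMD ["-g","daemon off;"]
#CMD ["/apps/nginx/sbin/nginx","-g","daemon off;"]
#ENTRYPOINT ["/apps/nginx/sbin/nginx","-g","daemon off;"]
EOF

##### build the image
docker build -t runtime/nginx:v1 .
docker run -it -d --rm -p 80:80 runtime/nginx:v1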
创建自己的nginx_app镜像
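#!/usr/bin/env bash
# Step 3: build the business image (app/web1:v1): runtime/nginx:v1 plus a site config
# and the static frontend bundle (frontend.tar.gz, supplied by the caller).
set -euo pipefail

BASE_DIR="${BASE_DIR:-/opt/dockerfiles}"   # same root as the earlier steps
UBUNTU_Dockerfile="${BASE_DIR}/app/web1"
mkdir -p -- "${UBUNTU_Dockerfile}"
cd -- "${UBUNTU_Dockerfile}" || exit 1

# nginx.conf: the stock nginx config plus an `upstream tomcat` pool proxied at /myapp.
# Quoted delimiter: the $variables inside are nginx's, not the shell's.
tee nginx.conf << "EOF"
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;
#daemon off;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    upstream tomcat {
        server 192.168.56.50:8080;
        server 192.168.56.18:8080;
    }

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

        location /myapp {
            proxy_pass http://tomcat;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}
EOF

# COPY for the plain config file; ADD is kept for the tarball because it unpacks it into html/.
tee "${UBUNTU_Dockerfile}/Dockerfile" << "EOF"
FROM runtime/nginx:v1
COPY nginx.conf /apps/nginx/conf/
ADD frontend.tar.gz /apps/nginx/html/
EOF

# ADD needs frontend.tar.gz in the build context, and nothing above creates it:
# fail here with a clear message instead of partway through docker build.
if [[ ! -f frontend.tar.gz ]]; then
  printf 'missing %s/frontend.tar.gz (static site bundle)\n' "${UBUNTU_Dockerfile}" >&2
  exit 1
fi

##### build the image
docker build -t app/web1:v1 .
# 443 is published, but nothing listens there: the HTTPS server block in nginx.conf is commented out.
docker run -it -d --rm -p 80:80 -p 443:443 app/web1:v1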
2、基于 docker 实现对容器的 CPU 和内存的资源限制
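# 2. CPU and memory limits with docker run. Each demo blocks while the container runs
# (no -d), so open a second terminal for `docker stats`.
# NOTE(review): lorel/docker-stress-ng is a third-party image pulled without a tag, so
# every pull resolves to whatever :latest currently is; pin a tag or digest for repeatable runs.
STRESS_IMAGE="lorel/docker-stress-ng"

## memory
# Hard cap of 512 MiB (-m / --memory) on the nginx container.
docker run -it -d -m 512m --rm -p 80:80 nginx:1.20.0-alpine
# List the stressors used below.
docker run -it --rm "${STRESS_IMAGE}" --help
# Two 256m vm workers against a 256m cap: the container is expected to hit the memory limit.
docker run -it --rm -m 256m "${STRESS_IMAGE}" --vm 2 --vm-bytes 256m
docker stats

## cpu
##### no limit
# Container names fixed from test_cup1/test_cup2 (typo) to match test_cpu22 below.
docker run -it --rm --name=test_cpu1 "${STRESS_IMAGE}" --cpu 4 --vm 4
##### limited to 2 CPUs' worth of time (--cpus)
docker run -it --rm --name=test_cpu2 --cpus 2 "${STRESS_IMAGE}" --cpu 4 --vm 4
##### pinned to specific cores (--cpuset-cpus) in addition to the quota
docker run -it --rm --name=test_cpu22 --cpus 2 --cpuset-cpus 1,3 "${STRESS_IMAGE}" --cpu 4 --vm 4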
3、部署 http 协议的 harbor 镜像仓库
#前提:docker和docker-compose安装完毕且版本符合要求
#域名 harbor.iclinux.com
HTTP版安装
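#!/usr/bin/env bash
# 3. Harbor registry over plain HTTP (lab use). Prerequisites: docker and docker-compose
# installed; harbor.iclinux.com resolves to this host. Run as root.
set -euo pipefail

HARBOR_VER="v2.6.1"
HARBOR_TGZ="harbor-offline-installer-${HARBOR_VER}.tgz"

cd /usr/local/src/ || exit 1
# -L is required: GitHub release links redirect, and without it curl -O saves the redirect
# response under the tarball's name. -f turns HTTP errors into a non-zero exit.
curl -fLO "https://github.com/goharbor/harbor/releases/download/${HARBOR_VER}/${HARBOR_TGZ}"
mkdir -p /apps   # the stray "tar /usr/local/src/" of the original was a typo and is dropped
tar xzf "/usr/local/src/${HARBOR_TGZ}" -C /apps/
cd /apps/harbor || exit 1
cp -n harbor.yml.tmpl harbor.yml   # -n: never clobber a harbor.yml that was already edited

# harbor.yml edits (the original did these in vim):
#   line  5     hostname: harbor.iclinux.com
#   lines 12-18 the https: block (port / certificate / private_key) stays commented out,
#               otherwise the installer looks for certificate files for nginx.
# The hostname edit is scripted; confirm the https: block by hand before install.
sed -i 's/^hostname: .*/hostname: harbor.iclinux.com/' harbor.yml
grep -q '^hostname: harbor.iclinux.com$' harbor.yml || { printf 'hostname edit failed\n' >&2; exit 1; }
# NOTE(review): the template's admin password is Harbor12345 (the page logs in with it);
# set harbor_admin_password in harbor.yml to a private value before running install.sh,
# since every docker client that can reach port 80 can otherwise log in as admin.
# Clients must also list harbor.iclinux.com under insecure-registries in their daemon
# config to push/pull over plain HTTP; credentials then travel unencrypted on the network.

./install.sh --with-trivy --with-chartmuseum
# Success looks like:
#   ----Harbor has been installed and started successfully.----
# then log in at http://harbor.iclinux.com/ as admin with the password set in harbor.yml.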
4、扩展作业∶掌握 containerd 的安装 A
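#!/usr/bin/env bash
# 4. Install containerd (from the Aliyun docker-ce mirror), runc, the CNI plugins and
# nerdctl on Ubuntu amd64. Run as root.
set -euo pipefail

apt-get -y install apt-transport-https ca-certificates curl software-properties-common

# Repository key: apt-key is deprecated and trusts the key for every apt source. Keep it
# in its own keyring and bind it to this repository with signed-by instead.
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg \
  | gpg --dearmor --yes -o /etc/apt/keyrings/docker.gpg
add-apt-repository "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
apt-get -y update
apt-cache madison containerd.io   # shows the versions available for pinning
apt-get install -y containerd.io=1.6.8-1
containerd --version

# Default config, regenerated unconditionally as in the original, then the edits the
# original made in vim:
#   line 61       sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.7"
#   lines 153-155 [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
#                   [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
#                     endpoint = ["https://9916w1ow.mirror.aliyuncs.com"]
# sandbox_image is scripted below; add the mirror lines by hand before the restart.
mkdir -p /etc/containerd
containerd config default > /etc/containerd/config.toml
sed -i 's#^\(\s*sandbox_image = \).*#\1"registry.aliyuncs.com/google_containers/pause:3.7"#' /etc/containerd/config.toml
systemctl restart containerd.service

# runc. -fL for the GitHub redirect (see above); install(1) sets the mode in one step
# instead of cp + chmod a+x.
# NOTE(review): runc runs as root for every container; verify the download against the
# checksum/signature files published with the release before installing it.
cd /usr/local/src/ || exit 1
curl -fLO https://github.com/opencontainers/runc/releases/download/v1.1.4/runc.amd64
install -m 0755 /usr/local/src/runc.amd64 /usr/bin/runc
runc -v

# CNI plugins
curl -fLO https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz
mkdir -pv /opt/cni/bin
tar xvf cni-plugins-linux-amd64-v1.1.1.tgz -C /opt/cni/bin

# nerdctl
curl -fLO https://github.com/containerd/nerdctl/releases/download/v0.23.0/nerdctl-0.23.0-linux-amd64.tar.gz
tar xvf nerdctl-0.23.0-linux-amd64.tar.gz -C /usr/bin/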
5、扩展作业∶基于 nerdctl 拉取镜像和创建容器 A
# 5. Pull an image and start a container with nerdctl (the containerd CLI).
NGINX_IMAGE="nginx:1.18.0-alpine"
nerdctl pull "${NGINX_IMAGE}"
# Interactive session (-i -t), host port 80 published, --restart=always as in the original.
nerdctl run -i -t -p 80:80 --name=nginx-web1 --restart=always "${NGINX_IMAGE}"