1. Building and configuring a private Harbor registry
Install Docker
#!/bin/bash
apt update
# Install dependencies
apt install -y \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg \
    lsb-release \
    software-properties-common
# Add the repository GPG key
curl -fsSL http://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=$(dpkg --print-architecture)] http://mirrors.aliyun.com/docker-ce/linux/ubuntu \
    $(lsb_release -cs) stable"
apt update
# apt-cache madison docker-ce docker-ce-cli
apt -y install docker-ce=5:19.03.15~3-0~ubuntu-$(lsb_release -cs) \
    docker-ce-cli=5:19.03.15~3-0~ubuntu-$(lsb_release -cs)
# Disable the firewall (Ubuntu ships ufw rather than firewalld; this line only has an effect where firewalld is installed)
systemctl disable firewalld && systemctl stop firewalld
# Add the IP address and hostname to /etc/hosts
cat >> /etc/hosts <<EOF
`hostname -I|awk '{print $1}'` `hostname`
EOF
# Kernel parameter tuning
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sudo sysctl --system
# Set Docker's cgroup driver
# Docker's default cgroup driver is cgroupfs; check it with "docker info".
# If cgroupDriver is not set under KubeletConfiguration, kubeadm defaults to systemd,
# so the Docker cgroup driver must be changed to systemd.
# Configure Docker Hub registry mirrors
cat <<EOF >/etc/docker/daemon.json
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "registry-mirrors": ["https://ung2thfc.mirror.aliyuncs.com",
                       "https://registry.docker-cn.com",
                       "http://hub-mirror.c.163.com",
                       "https://docker.mirrors.ustc.edu.cn"]
}
EOF
systemctl daemon-reload
systemctl restart docker
# Disable swap
# Comment out the swap line in /etc/fstab
sed -ri 's/(^[^#]*swap)/#\1/' /etc/fstab
echo 'swapoff -a' >> /etc/profile
swapoff -a
# Update GRUB
sed -i '/GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"/c GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0 cgroup_enable=memory swapaccount=1"' /etc/default/grub
update-grub
reboot
Install docker-compose
# Install pip
apt install python3-pip -y
# Install docker-compose
pip3 install -i https://pypi.tuna.tsinghua.edu.cn/simple docker-compose
Install Harbor
Reference: https://goharbor.io/docs/2.5.0/install-config/download-installer/
- Download the installer package
Download URL: https://github.com/goharbor/harbor/releases/download/v2.4.3/harbor-offline-installer-v2.4.3.tgz
- Extract Harbor
tar xvf harbor-offline-installer-v2.4.3.tgz -C /usr/local/src
- Configure harbor.yml
cd /usr/local/src/harbor
# egrep -v '^\s*#|^$' harbor.yml.tmpl > harbor.yml    # alternative: copy the template with comments and blank lines stripped
cp harbor.yml.tmpl harbor.yml
Adjust hostname, harbor_admin_password, database and the other settings to your environment.
If you have no HTTPS certificate, comment out the https block.
sed -i "s/hostname: reg.mydomain.com/hostname: `hostname -I|awk '{print $1}'`/" harbor.yml
[root@harbor harbor]#egrep -v '^\s*#|^$' harbor.yml
hostname: 10.0.0.22
http:
  port: 80
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data
trivy:
  ignore_unfixed: false
  skip_update: false
  offline_scan: false
  insecure: false
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.4.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
- Run the Harbor installation script
[root@harbor harbor]#./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 19.03.15
[Step 1]: checking docker-compose is installed ...
/usr/lib/python3/dist-packages/requests/__init__.py:89: RequestsDependencyWarning: urllib3 (1.26.12) or chardet (3.0.4) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
Note: docker-compose version: 1.29.2
[Step 2]: loading Harbor images ...
c84d341a47f7: Loading layer [==================================================>]  37.68MB/37.68MB
......
Loaded image: goharbor/nginx-photon:v2.4.3
a3e0b41de875: Loading layer [==================================================>]  5.75MB/5.75MB
......
Loaded image: goharbor/chartmuseum-photon:v2.4.3
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /usr/local/src/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
/usr/lib/python3/dist-packages/requests/__init__.py:89: RequestsDependencyWarning: urllib3 (1.26.12) or chardet (3.0.4) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
[Step 5]: starting Harbor ...
/usr/lib/python3/dist-packages/requests/__init__.py:89: RequestsDependencyWarning: urllib3 (1.26.12) or chardet (3.0.4) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating harbor-portal ... done
Creating registryctl ... done
Creating redis ... done
Creating registry ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
The installer generates a docker-compose.yml file:
[root@harbor harbor]#ls /usr/local/src/harbor/
LICENSE  common  common.sh  docker-compose.yml  harbor.v2.4.3.tar.gz  harbor.yml  harbor.yml.tmpl  install.sh  prepare
- To apply configuration changes, run prepare
# Edit the harbor.yml configuration file
[root@harbor harbor]# vim /usr/local/src/harbor/harbor.yml
# Run prepare
[root@harbor harbor]#/usr/local/src/harbor/prepare
- List the local images
[root@harbor harbor]#docker images
REPOSITORY                      TAG       IMAGE ID       CREATED        SIZE
goharbor/harbor-exporter        v2.4.3    776ac6ee91f4   3 months ago   81.5MB
goharbor/chartmuseum-photon     v2.4.3    f39a9694988d   3 months ago   172MB
goharbor/redis-photon           v2.4.3    b168e9750dc8   3 months ago   154MB
goharbor/trivy-adapter-photon   v2.4.3    a406a715461c   3 months ago   251MB
goharbor/notary-server-photon   v2.4.3    da89404c7cf9   3 months ago   109MB
goharbor/notary-signer-photon   v2.4.3    38468ac13836   3 months ago   107MB
goharbor/harbor-registryctl     v2.4.3    61243a84642b   3 months ago   135MB
goharbor/registry-photon        v2.4.3    9855479dd6fa   3 months ago   77.9MB
goharbor/nginx-photon           v2.4.3    0165c71ef734   3 months ago   44.4MB
goharbor/harbor-log             v2.4.3    57ceb170dac4   3 months ago   161MB
goharbor/harbor-jobservice      v2.4.3    7fea87c4b884   3 months ago   219MB
goharbor/harbor-core            v2.4.3    d864774a3b8f   3 months ago   197MB
goharbor/harbor-portal          v2.4.3    85f00db66862   3 months ago   53.4MB
goharbor/harbor-db              v2.4.3    7693d44a2ad6   3 months ago   225MB
goharbor/prepare                v2.4.3    c882d74725ee   3 months ago   268MB
- Check the listening ports (*:80 is Harbor's HTTP listener configured in harbor.yml)
[root@harbor harbor]#ss -ntl
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       64       0.0.0.0:2049          0.0.0.0:*
LISTEN  0       4096     127.0.0.1:1514        0.0.0.0:*
LISTEN  0       4096     0.0.0.0:54861         0.0.0.0:*
LISTEN  0       64       0.0.0.0:37775         0.0.0.0:*
LISTEN  0       4096     0.0.0.0:50383         0.0.0.0:*
LISTEN  0       4096     0.0.0.0:111           0.0.0.0:*
LISTEN  0       4096     127.0.0.53%lo:53      0.0.0.0:*
LISTEN  0       128      0.0.0.0:22            0.0.0.0:*
LISTEN  0       4096     0.0.0.0:39353         0.0.0.0:*
LISTEN  0       128      127.0.0.1:6010        0.0.0.0:*
LISTEN  0       64       [::]:34879            [::]:*
LISTEN  0       64       [::]:2049             [::]:*
LISTEN  0       4096     [::]:33513            [::]:*
LISTEN  0       4096     [::]:111              [::]:*
LISTEN  0       4096     *:80                  *:*
LISTEN  0       4096     [::]:39537            [::]:*
LISTEN  0       4096     [::]:41683            [::]:*
LISTEN  0       128      [::]:22               [::]:*
LISTEN  0       128      [::1]:6010            [::]:*
- Log in to the Harbor web UI
Username: admin
Password: Harbor12345
- Open the management console home page
Uploading an image
- Configure Docker to connect to the Harbor registry
Note: when connecting to Harbor over HTTP, the following setting is required.
# Add the Harbor registry to the daemon configuration
[root@harbor harbor]#cat /etc/docker/daemon.json
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "registry-mirrors": ["https://ung2thfc.mirror.aliyuncs.com",
                       "https://registry.docker-cn.com",
                       "http://hub-mirror.c.163.com",
                       "https://docker.mirrors.ustc.edu.cn"],
  "insecure-registries": ["10.0.0.22:80"]
}
# Restart Docker
[root@harbor harbor]#systemctl restart docker
Alternatively, add --insecure-registry to the service unit:
[root@harbor harbor]#vim /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 10.0.0.22
# Restart Docker
[root@harbor1 harbor]#systemctl daemon-reload
[root@harbor1 harbor]#systemctl restart docker
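Both methods above tell the daemon to talk to 10.0.0.22 over plain HTTP without certificate checks, which is the trade-off behind the installer's "HTTP protocol is insecure" warning. The page rewrites daemon.json with a full cat > command; the Python helper below, an example added here and not part of the original post, merges an insecure-registries entry into an existing daemon.json idempotently and reports every registry endpoint the daemon will use without TLS. The sample daemon.json is constructed from the page's own file; the function names are this example's own.

```python
import json
import re

# daemon.json as left by the Docker install script above (constructed from
# the page's file, not read from a live host).
SAMPLE_DAEMON_JSON = """{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "registry-mirrors": ["https://ung2thfc.mirror.aliyuncs.com",
                       "https://registry.docker-cn.com",
                       "http://hub-mirror.c.163.com",
                       "https://docker.mirrors.ustc.edu.cn"]
}"""

# dockerd takes insecure-registries entries as host[:port]; this helper
# accepts that form only (no scheme, no path).
_REGISTRY_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?$")


def validate_registry(entry):
    """Return True if entry is a well-formed 'host[:port]' registry address."""
    m = _REGISTRY_RE.match(entry)
    if not m:
        return False
    port = m.group("port")
    return port is None or 1 <= int(port) <= 65535


def add_insecure_registry(config_text, registry):
    """Return daemon.json text with registry added to "insecure-registries".

    Existing keys (exec-opts, registry-mirrors, ...) are preserved and the
    operation is idempotent, so a provisioning script can rerun it safely.
    """
    if not validate_registry(registry):
        raise ValueError(f"invalid registry address: {registry!r}")
    config = json.loads(config_text) if config_text.strip() else {}
    entries = config.setdefault("insecure-registries", [])
    if registry not in entries:
        entries.append(registry)
    return json.dumps(config, indent=2) + "\n"


def plaintext_registries(config_text):
    """List (kind, endpoint) pairs the daemon will use without TLS protection.

    An insecure-registries entry disables certificate verification and allows
    plain HTTP for that host; a registry-mirrors entry using http:// delivers
    image layers over an unauthenticated channel. Both belong in an inventory.
    """
    config = json.loads(config_text)
    findings = [("insecure-registry", e) for e in config.get("insecure-registries", [])]
    for mirror in config.get("registry-mirrors", []):
        if mirror.lower().startswith("http://"):
            findings.append(("http-mirror", mirror))
    return findings


if __name__ == "__main__":
    updated = add_insecure_registry(SAMPLE_DAEMON_JSON, "10.0.0.22:80")
    print(updated)
    for kind, endpoint in plaintext_registries(updated):
        print(f"{kind}: {endpoint}")
```

Run against the page's daemon.json it adds 10.0.0.22:80 exactly once, and the report lists that host together with the http:// mirror: both are places where image content arrives without transport authentication, which is what the Harbor installer's warning and the page's note about HTTP refer to.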
Restart Harbor
[root@harbor harbor]#ls
LICENSE  common  common.sh  docker-compose.yml  harbor.v2.4.3.tar.gz  harbor.yml  harbor.yml.tmpl  install.sh  prepare
# Stop Harbor
[root@harbor harbor]#docker-compose down -v
# Start Harbor
[root@harbor harbor]#docker-compose up -d
- Log in to Harbor
[root@harbor harbor]#docker login 10.0.0.22:80
Username: admin
Password:          # Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
- Upload the image
- Import the image
# Export the prepared nginx image and copy it to the Harbor server
[root@docker ~]#docker images
REPOSITORY   TAG   IMAGE ID       CREATED      SIZE
nginx        v1    64370d6d6ee0   4 days ago   607MB
......
[root@docker ~]#docker save nginx:v1 > /opt/test-nginx.tar.gz
[root@docker ~]#scp /opt/test-nginx.tar.gz 10.0.0.22:/opt/
test-nginx.tar.gz                             100%  592MB  95.9MB/s   00:06
# Load the nginx image on the Harbor server
[root@harbor harbor]#docker load </opt/test-nginx.tar.gz
174f56854903: Loading layer [==================================================>]  211.7MB/211.7MB
2f73541ad3ee: Loading layer [==================================================>]  385.1MB/385.1MB
2ecc78d434d9: Loading layer [==================================================>]  6.579MB/6.579MB
da35a500cd65: Loading layer [==================================================>]  16.7MB/16.7MB
b7e2706360c6: Loading layer [==================================================>]  4.096kB/4.096kB
5ebbae150dfc: Loading layer [==================================================>]  383.5kB/383.5kB
Loaded image: nginx:v1
- Verify that the image was imported
[root@harbor harbor]#docker images
REPOSITORY                      TAG       IMAGE ID       CREATED        SIZE
nginx                           v1        64370d6d6ee0   4 days ago     607MB
goharbor/harbor-exporter        v2.4.3    776ac6ee91f4   3 months ago   81.5MB
goharbor/chartmuseum-photon     v2.4.3    f39a9694988d   3 months ago   172MB
goharbor/redis-photon           v2.4.3    b168e9750dc8   3 months ago   154MB
goharbor/trivy-adapter-photon   v2.4.3    a406a715461c   3 months ago   251MB
......
- Tag the image. Tagging renames the image, and the name must follow the Harbor format <Harbor IP>:<port>/<project>/<image name>:<tag>; otherwise the image cannot be pushed to Harbor.
[root@harbor harbor]#docker tag nginx:v1 10.0.0.22:80/nginx/test-nginx:v1
[root@harbor harbor]#docker images
REPOSITORY                      TAG       IMAGE ID       CREATED        SIZE
10.0.0.22:80/nginx/test-nginx   v1        64370d6d6ee0   4 days ago     607MB
nginx                           v1        64370d6d6ee0   4 days ago     607MB
goharbor/harbor-exporter        v2.4.3    776ac6ee91f4   3 months ago   81.5MB
goharbor/chartmuseum-photon     v2.4.3    f39a9694988d   3 months ago   172MB
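To see why a name like nginx:v1 cannot be pushed to Harbor while 10.0.0.22:80/nginx/test-nginx:v1 can, the following Python example, added here and not part of the original post, splits an image reference the way the Docker CLI does (registry, project/repository path, tag, digest) and checks it against an expected Harbor registry and the set of projects that already exist. The known_projects set and the harbor_push_target helper are constructed for this illustration; the digest value is the one printed by the push later on the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

DOCKER_HUB = "docker.io"


@dataclass(frozen=True)
class ImageRef:
    registry: str
    path: str            # project/repository, e.g. "nginx/test-nginx"
    tag: Optional[str]
    digest: Optional[str]

    @property
    def project(self):
        """First path component, which Harbor treats as the project."""
        return self.path.split("/", 1)[0]


def parse_image_ref(ref):
    """Split a Docker image reference following the CLI's rules.

    The component before the first '/' is a registry only if it contains '.'
    or ':' or equals 'localhost'; otherwise the image lives on Docker Hub and
    a single-component name is placed under 'library/'. A digest follows '@';
    a tag follows the last ':' of the final path component, so the ':' in a
    registry port (10.0.0.22:80) is never mistaken for a tag separator.
    """
    if not ref or any(c.isspace() for c in ref):
        raise ValueError(f"malformed image reference: {ref!r}")
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
            raise ValueError(f"malformed digest: {digest!r}")
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = DOCKER_HUB, ref
    tag = None
    head, sep, last = path.rpartition("/")
    if ":" in last:
        last, tag = last.rsplit(":", 1)
        path = f"{head}/{last}" if sep else last
    if registry == DOCKER_HUB and "/" not in path:
        path = f"library/{path}"
    if not path or path.startswith("/") or path.endswith("/"):
        raise ValueError(f"malformed repository path: {ref!r}")
    return ImageRef(registry, path, tag, digest)


def harbor_push_target(ref, harbor_registry, known_projects):
    """Return (ok, reason) describing whether ref can be pushed to this Harbor.

    Harbor needs <registry>/<project>/<repository>[:tag]: a bare nginx:v1
    resolves to Docker Hub, and a project that has not been created in the
    web UI (the next step on the page) makes the push fail.
    """
    img = parse_image_ref(ref)
    if img.registry != harbor_registry:
        return False, f"resolves to registry {img.registry}, not {harbor_registry}"
    if "/" not in img.path:
        return False, "missing project: expected <project>/<repository>"
    if img.project not in known_projects:
        return False, f"project {img.project!r} does not exist; create it first"
    return True, f"ok: project={img.project} repo={img.path} tag={img.tag or 'latest'}"


if __name__ == "__main__":
    # Hypothetical set of projects already created in the Harbor UI.
    projects = {"nginx"}
    for candidate in ("nginx:v1", "10.0.0.22:80/test-nginx:v1",
                      "10.0.0.22:80/web/test-nginx:v1", "10.0.0.22:80/nginx/test-nginx:v1"):
        print(candidate, "->", harbor_push_target(candidate, "10.0.0.22:80", projects))
```

The four candidates in the main block walk through the failure modes the page warns about: wrong registry, missing project component, project not yet created, and finally the name that the push step accepts.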
- Create the project in the Harbor web UI (the project must exist before the push; otherwise the upload fails)
- Push the image to the Harbor registry
[root@harbor harbor]#docker push 10.0.0.22:80/nginx/test-nginx:v1
The push refers to repository [10.0.0.22:80/nginx/test-nginx]
5ebbae150dfc: Pushed
b7e2706360c6: Pushed
da35a500cd65: Pushed
2ecc78d434d9: Pushed
2f73541ad3ee: Pushed
174f56854903: Pushed
v1: digest: sha256:ae893c5462b52fe51a34ee0a39c3c3cc7316854089242d4c0ad733c1c9c27539 size: 1579
- Log in to the Harbor web UI to verify that the image was uploaded
Downloading an image
- Configure the connection to the Harbor registry
# Add the Harbor registry to the daemon configuration
[root@harbor2 harbor]#cat /etc/docker/daemon.json
{"insecure-registries":["10.0.0.22:80"]}
# Restart Docker
[root@harbor2 harbor]#systemctl restart docker
- Log in to Harbor
[root@server ~]#docker login 10.0.0.22:80
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
If the project is set to public, docker login is not required to pull from it.
- Pull the image with docker pull
[root@server ~]#docker images
REPOSITORY   TAG   IMAGE ID   CREATED   SIZE
# Pull the image
[root@server ~]#docker pull 10.0.0.22:80/nginx/test-nginx:v1
v1: Pulling from nginx/test-nginx
2d473b07cdd5: Pull complete
0e116f4e7e10: Pull complete
5769256df076: Pull complete
33e7e8019bcb: Pull complete
0523cf308c94: Pull complete
7e7e7639b29a: Pull complete
Digest: sha256:ae893c5462b52fe51a34ee0a39c3c3cc7316854089242d4c0ad733c1c9c27539
Status: Downloaded newer image for 10.0.0.22:80/nginx/test-nginx:v1
10.0.0.22:80/nginx/test-nginx:v1
# Check the pulled image
[root@server ~]#docker images
REPOSITORY                      TAG   IMAGE ID       CREATED      SIZE
10.0.0.22:80/nginx/test-nginx   v1    64370d6d6ee0   4 days ago   607MB
- Verify that a container starts from the image
[root@server ~]#docker run -d -p 80:80 10.0.0.22:80/nginx/test-nginx:v1
02ac63de6d0473843db5c9f182b12fa67a4d1fa2737e810fa08500b6c09222ee
[root@server ~]#hostname -I
10.0.0.32 172.17.0.1
- Verify web access
High-availability reference: https://www.cnblogs.com/areke/p/16592981.html#:~:text=五、安装docker镜像仓库harbor%2C并实现高可用
2. Docker networking
Docker has four main network modes: bridge, host, container and none. They provide network isolation, port mapping, connectivity between containers and related functions.
Network mode | Flag | Description |
---|---|---|
Bridge (default) | --net=bridge | Allocates and configures an IP for each container and attaches it to the docker0 virtual bridge; the container reaches the host through docker0 and iptables NAT rules. |
Host | --net=host | The container gets no virtual interface or IP of its own and uses the host's IP and ports directly. |
Container | --net=container:{id} | The new container creates no interface and configures no IP of its own; it shares the IP and port range of the specified container. |
None | --net=none | Networking is switched off; the container can reach neither the host nor other containers. |
After Docker is installed, three networks (bridge, host and none) are created automatically; list them with docker network ls:
[root@server opt]#docker network ls
NETWORK ID NAME DRIVER SCOPE
96adc4158429 bridge bridge local
1396ef3fcca6 host host local
f2e6e64dfcf5 none null local
bridge
Selected with --net=bridge; it is the default when no mode is given and the most commonly used mode.
When the Docker daemon starts it creates a virtual bridge named docker0 on the host, and containers started on that host are attached to it. The virtual bridge works like a physical switch, so all containers on the host end up on one layer-2 network.
When a new container is created, a veth pair is created as well (a packet sent into one end of the pair is received at the other end). One end sits inside the container as eth0; the other stays on the host, attached to the docker0 bridge, with a name beginning with veth (for example vethAQI2QT). This is how the host can reach containers and containers can reach each other: Docker builds a virtual shared network between the host and all containers.
Example:
# Create the containers
[root@server ~]#docker run -it -d --name nginx-web1 -p 80:80 test-nginx:v1
5bc984629fb53231375ab694739bbac34471c090ff5d4b96c76dc2bc55d834a0
[root@server ~]#docker run -it -d --name tomcat-web1 -p 8080:8080 test-tomcat:v1
dafa62b915a0171095acdb9f28c73e1da5a11ce33d5659e12b395b01435bfc68
# Enter the nginx container
[root@server ~]#docker exec -it nginx-web1 /bin/bash
[root@5bc984629fb5 /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
[root@5bc984629fb5 /]#
# Enter the tomcat container
[root@server ~]#docker exec -it tomcat-web1 /bin/bash
root@dafa62b915a0:/usr/local/tomcat# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
root@dafa62b915a0:/usr/local/tomcat#
# The nginx and tomcat containers can reach each other
[root@5bc984629fb5 /]# ping 172.17.0.3
PING 172.17.0.3 (172.17.0.3) 56(84) bytes of data.
64 bytes from 172.17.0.3: icmp_seq=1 ttl=64 time=0.062 ms
64 bytes from 172.17.0.3: icmp_seq=2 ttl=64 time=0.064 ms
64 bytes from 172.17.0.3: icmp_seq=3 ttl=64 time=0.064 ms
^C
--- 172.17.0.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2025ms
rtt min/avg/max/mdev = 0.062/0.063/0.064/0.006 ms
root@dafa62b915a0:/usr/local/tomcat# ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.047 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.067 ms
64 bytes from 172.17.0.2: icmp_seq=3 ttl=64 time=0.064 ms
^C
--- 172.17.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2046ms
rtt min/avg/max/mdev = 0.047/0.059/0.067/0.008 ms
host mode
Selected with --net=host.
A container started in host mode does not get a virtual interface of its own; it uses the host's interfaces and IP address directly, so the IP information seen inside the container is the host's, and the container is reached at the host IP plus the container's port. Other resources such as the filesystem and processes remain isolated from the host.
This mode gives the best network performance, but no two containers may use the same port, so it suits workloads whose ports are fixed.
To avoid a conflict, remove the existing containers first and confirm that port 80 on the host is free.
Example:
# Host network information
[root@server opt]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:73:f8:58 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.32/24 brd 10.0.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe73:f858/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:30:6a:59:ca brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
Start a new container in host mode
[root@server opt]#docker run -d --net=host test-nginx:v1
6c6f5c87c9a38efc5a14d0ff0a626be7e582e764dd42330b357b89a717358c70
# The container's network information is identical to the host's
[root@server opt]#docker exec -it 6c6f5c87c9a3 bash
[root@server /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:73:f8:58 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.32/24 brd 10.0.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe73:f858/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:30:6a:59:ca brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:30ff:fe6a:59ca/64 scope link
valid_lft forever preferred_lft forever
Verify by accessing the host.
Note
Host mode does not support port mapping; published ports are discarded:
[root@server opt]#docker run -d --net=host -p 81:80 test-nginx:v1
WARNING: Published ports are discarded when using host network mode
d38b27cfbf258ca554fefdd7e946d3e363df7df48d906a4c704a99fc9ba659d5
container mode
Selected with --net=container:<container name or ID>.
In this mode the new container shares the Network Namespace of an existing container: it creates no interface and configures no IP of its own, so the two containers share one interface, hostname and IP address and can talk to each other over the loopback interface lo. Other resources such as the filesystem and process information remain isolated.
Example:
# Create the nginx container
[root@server opt]#docker run -it -d --name nginx-web1 -p 80:80 --net=bridge test-nginx:v1
ced7341d4a33698337210ea1e342b35e0971301d8cc495b9814a7bf979422d79
# Create the tomcat container
[root@server opt]#docker run -it -d --name tomcat-web1 --net=container:nginx-web1 test-tomcat:v1
4e9c1a91a46b24c30728227e88689d91c5d46a9c40d280b79c7baa25efe79c6e
# Enter the nginx container and check its IP and ports
[root@server opt]#docker exec -it nginx-web1 /bin/bash
[root@ced7341d4a33 /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
[root@ced7341d4a33 /]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 1 127.0.0.1:8005 *:*
LISTEN 0 100 *:8080 *:*
LISTEN 0 511 *:80 *:*
[root@ced7341d4a33 /]#
# Enter the tomcat container and check its IP and ports
[root@server ~]#docker exec -it tomcat-web1 /bin/bash
root@ced7341d4a33:/usr/local/tomcat# ifconfig -a
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.2 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:ac:11:00:02 txqueuelen 0 (Ethernet)
RX packets 1951 bytes 8888261 (8.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1710 bytes 95101 (92.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@ced7341d4a33:/usr/local/tomcat# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN 1/java
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1/java
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
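The ss -ntl listing from the Harbor host in part 1 and the listings from the shared network namespace above answer the same question: which ports are reachable from outside the host or namespace, and which are bound to a loopback address only (tomcat's 8005 shutdown port, for instance, versus 80 and 8080 on every address). The Python example below, added here and not part of the original post, parses ss -ntl output and classifies each listener by bind address; the two sample listings are trimmed from the page's own output and the function names are this example's own.

```python
import ipaddress

# Listener table from the Harbor host (ss -ntl), trimmed to representative
# rows; constructed sample taken from the page, not live data.
HARBOR_HOST_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.1:1514 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::1]:6010 [::]:*
"""

# The same command inside nginx-web1 after tomcat-web1 joined its network
# namespace with --net=container:nginx-web1 (container-mode example above).
SHARED_NS_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 1 127.0.0.1:8005 *:*
LISTEN 0 100 *:8080 *:*
LISTEN 0 511 *:80 *:*
"""

WILDCARDS = {"*", "0.0.0.0", "::"}


def split_local(local):
    """Split ss's 'addr:port' column, handling [v6] brackets, %scope and '*'."""
    addr, _, port = local.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port)


def classify(addr):
    """Return 'wildcard', 'loopback' or 'specific' for a bind address."""
    if addr in WILDCARDS:
        return "wildcard"
    if ipaddress.ip_address(addr).is_loopback:
        return "loopback"
    return "specific"


def parse_listeners(ss_output):
    """Parse `ss -ntl` output into sorted (port, address, scope) tuples."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":   # skips the header row
            continue
        addr, port = split_local(fields[3])
        listeners.append((port, addr, classify(addr)))
    return sorted(listeners)


def exposed_ports(ss_output):
    """Ports bound to a wildcard address, i.e. reachable from outside the host or namespace."""
    return sorted({port for port, _, scope in parse_listeners(ss_output) if scope == "wildcard"})


def loopback_only_ports(ss_output):
    """Ports whose every listener is on a loopback address (not reachable externally)."""
    scopes_by_port = {}
    for port, _, scope in parse_listeners(ss_output):
        scopes_by_port.setdefault(port, set()).add(scope)
    return sorted(p for p, scopes in scopes_by_port.items() if scopes == {"loopback"})


if __name__ == "__main__":
    for name, sample in (("harbor host", HARBOR_HOST_SS), ("shared namespace", SHARED_NS_SS)):
        print(f"{name}: exposed={exposed_ports(sample)} loopback-only={loopback_only_ports(sample)}")
```

On the Harbor host the report shows 22 and 80 exposed while 53, 1514 (Harbor's log collector) and 6010 stay on loopback; in the shared namespace 80 and 8080 are exposed and 8005 is loopback-only, which is exactly what the two containers now share because they sit in one network namespace.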
none mode
Selected with --net=none.
In none mode Docker performs no network configuration at all: the container has no interface, no IP and no routes, so by default it cannot communicate with anything; an interface and IP must be added by hand.
Example:
[root@server opt]#docker run -it --net=none test-nginx:v1 /bin/bash
[root@eb525afef2ff /]# ifconfig -a
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@eb525afef2ff /]#
3. Installing docker-compose and assembling a multi-container service with it: nginx, mysql, php
Official documentation: https://docs.docker.com/compose/reference/
Commonly used docker-compose.yaml fields
- build: build the image from a Dockerfile; to name the Dockerfile file, use the dockerfile sub-key under build.
- dockerfile: build context path for the image.
- context: either a path to the Dockerfile or a URL pointing at a git repository.
- image: the image to use.
- command: command to run, overriding the image's default command.
- container_name: set the container name; because container names are unique, a custom name makes the service impossible to scale.
- deploy: deployment and runtime settings for the service; only used in Swarm mode.
- environment: add environment variables.
- networks: join networks, referencing entries under the top-level networks key.
- ports: expose container ports, the same as -p, but the port must not be lower than 60.
- volumes: mount a host directory or a named volume into the container; a named volume must be declared under the top-level volumes key.
- volumes_from: mount volumes from another service or container; optional :ro and :rw suffixes.
- hostname: container hostname.
- sysctls: set kernel parameters inside the container.
- links: link to another container: - service_name[:alias].
- restart: restart policy, default no; the others are always, on-failure and unless-stopped.
    no: the default; the container is not restarted when it exits.
    on-failure: restart only when the container exits abnormally (non-zero exit status).
    on-failure:3: restart on abnormal exit, at most 3 times.
    always: always restart the container when it exits.
    unless-stopped: always restart the container when it exits, except for containers that were already stopped when the Docker daemon started.
- depends_on: the biggest convenience of Compose is typing fewer start commands, but a project's containers usually have a required start order, and starting them top to bottom may fail because of dependencies; for example an application container started before the database container exits because it cannot find the database. depends_on expresses such dependencies and the resulting start order.
Commonly used docker-compose commands
- docker-compose build: rebuild the services.
- docker-compose ps: list the containers.
- docker-compose up: create and start the containers; -d runs the service containers in the background.
- docker-compose exec: run a command inside a container.
- docker-compose scale: set the number of containers for a service.
- docker-compose top: show the container processes.
- docker-compose logs: show container output.
- docker-compose down: down -v removes containers, networks, volumes and images.
- docker-compose stop/start/restart: stop/start/restart the services.
Install docker-compose
# Install pip
apt install python3-pip -y
# Install docker-compose
pip3 install -i https://pypi.tuna.tsinghua.edu.cn/simple docker-compose
Check the docker-compose version
docker-compose version 1.29.2, build unknown
docker-py version: <module 'docker.version' from '/usr/local/lib/python3.8/dist-packages/docker/version.py'>
CPython version: 3.8.10
OpenSSL version: OpenSSL 1.1.1f 31 Mar 2020
Prepare the images
[root@docker-compose lnmp]#docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
lnmp_php v1 b4f5067b2484 2 days ago 1.17GB
lnmp_nginx v1 1a4fc02b5746 3 days ago 607MB
mysql 5.7 c20987f18b13 11 months ago 448MB
Write the docker-compose.yaml file
# Legacy (version 1) Compose format, as in the original file: there is no
# top-level "version:" or "services:" key, so each service is a top-level key.
service-nginx:
  image: lnmp_nginx:v1
  container_name: lnmp_nginx
  expose:
    - 80
    - 443
  ports:
    - "80:80"
    - "443:443"
  volumes:
    - /data/lnmp/nginx/nginx.conf:/usr/local/nginx/conf/nginx.conf
    - /data/lnmp/html:/usr/local/nginx/html
  links:
    - service-php
    - service-mysql
service-php:
  image: lnmp_php:v1
  container_name: lnmp_php
  expose:
    - 9000
  ports:
    - "9000:9000"
  volumes:
    - /data/lnmp/php/php.ini:/etc/php/php.ini
    - /data/lnmp/php/php-fpm.conf:/usr/local/php/etc/php-fpm.conf
    - /data/lnmp/php/www.conf:/usr/local/php/etc/php-fpm.d/www.conf
    - /data/lnmp/html:/usr/local/nginx/html
  links:
    - service-mysql
service-mysql:
  image: mysql:5.7
  container_name: lnmp_mysql
  expose:
    - 3306
  ports:
    - "3306:3306"   # published on every host interface; php reaches MySQL through the link, so this mapping is only needed for access from outside the host
  environment:
    MYSQL_ROOT_PASSWORD: 123456
Prepare the configuration files
nginx
nginx.conf
user  nginx;
worker_processes  auto;
daemon off;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       80;
        server_name  localhost;
        location / {
            root   html;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
        location ~ \.php$ {                           # hand .php requests to php-fpm
            root           /usr/local/nginx/html;      # document root inside the php container
            fastcgi_pass   lnmp_php:9000;              # name of the php container
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
            fastcgi_hide_header X-Powered-By;          # hide the PHP version header
        }
        location /phpmyadmin {
            root   /usr/local/nginx/html;
            index  index.html index.htm index.php;
        }
        location ~ /phpmyadmin/(?<after_ali>(.*)\.(php|php5)?$) {
            root           /usr/local/nginx/html;
            fastcgi_pass   lnmp_php:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
            fastcgi_hide_header X-Powered-By;          # hide the PHP version header
        }
    }
}
php
php.ini
[PHP]
engine = On
short_open_tag = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = -1
disable_functions =
disable_classes =
zend.enable_gc = On
zend.exception_ignore_args = On
zend.exception_string_param_max_len = 0
expose_php = On
max_execution_time = 30
max_input_time = 60
memory_limit = 128M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 8M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
upload_max_filesize = 2M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60
[CLI Server]
cli_server.color = On
[Date]
[filter]
[iconv]
[imap]
[intl]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.default_socket=
[Phar]
[mail function]
SMTP = localhost
smtp_port = 25
mail.add_x_header = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[bcmath]
bcmath.scale = 0
[browscap]
[Session]
session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.cookie_samesite =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.sid_length = 26
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.sid_bits_per_character = 5
[Assertion]
zend.assertions = -1
[COM]
[mbstring]
[gd]
[exif]
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[sysvshm]
[ldap]
ldap.max_links = -1
[dba]
[opcache]
[curl]
[openssl]
[ffi]
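Before mounting a php.ini like the one above into the container, it is worth comparing a handful of directives against a baseline. The following Python example, added here and not part of the original post, parses php.ini with the standard configparser module and reports the directives that deviate; the baseline list and the trimmed sample are constructed for this illustration and are not official PHP recommendations, so treat each finding as a prompt to decide rather than a rule.

```python
import configparser

# Excerpt of the php.ini above, limited to the directives the review looks at
# (constructed sample; the full file is on the page).
PHP_INI_SAMPLE = """[PHP]
engine = On
expose_php = On
display_errors = Off
display_startup_errors = Off
log_errors = On
allow_url_fopen = On
allow_url_include = Off
enable_dl = Off
file_uploads = On
upload_max_filesize = 2M
disable_functions =

[Session]
session.use_strict_mode = 0
session.use_only_cookies = 1
session.cookie_httponly =
session.cookie_samesite =
"""

# (directive, expected value, why it matters). Hypothetical baseline for this
# tutorial stack, chosen for the review; not an official PHP recommendation.
BASELINE = [
    ("expose_php", "Off", "advertises the PHP version in the X-Powered-By header"),
    ("display_errors", "Off", "shows paths and query fragments to clients"),
    ("display_startup_errors", "Off", "same as display_errors, at startup"),
    ("allow_url_include", "Off", "lets include() load code from a URL"),
    ("allow_url_fopen", "Off", "lets file functions fetch remote URLs"),
    ("enable_dl", "Off", "allows runtime loading of extensions"),
    ("session.use_strict_mode", "1", "rejects session IDs the server did not issue"),
    ("session.use_only_cookies", "1", "keeps session IDs out of URLs"),
    ("session.cookie_httponly", "1", "keeps the session cookie away from scripts"),
    ("session.cookie_samesite", "Strict", "limits cross-site sending of the cookie"),
]

TRUTHY = {"on", "1", "true", "yes"}
FALSY = {"off", "0", "false", "no", "none", ""}


def normalize(value):
    """Map PHP's boolean spellings (On/1/true, Off/0/false/empty) to 'on'/'off'."""
    v = value.strip().lower()
    if v in TRUTHY:
        return "on"
    if v in FALSY:
        return "off"
    return v


def load_php_ini(text):
    """Parse php.ini text into a flat {directive: value} map, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str            # php.ini directives are case-sensitive
    parser.read_string(text)
    directives = {}
    for section in parser.sections():   # section names ([PHP], [Session]) carry no meaning for lookups
        for key, value in parser.items(section):
            directives[key] = (value or "").strip().strip('"')
    return directives


def review_php_ini(text):
    """Return (directive, current, expected, reason) for each deviation from BASELINE."""
    current = load_php_ini(text)
    findings = []
    for directive, expected, reason in BASELINE:
        value = current.get(directive, "")
        if normalize(value) != normalize(expected):
            findings.append((directive, value or "(empty)", expected, reason))
    return findings


if __name__ == "__main__":
    for directive, value, expected, reason in review_php_ini(PHP_INI_SAMPLE):
        print(f"{directive} = {value} (expected {expected}): {reason}")
```

Against the page's php.ini the review flags expose_php = On (partly compensated for by fastcgi_hide_header X-Powered-By in nginx.conf), allow_url_fopen = On, session.use_strict_mode = 0 and the two empty session cookie directives; display_errors and allow_url_include already match the baseline.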
php-fpm.conf
[global]
pid = run/php-fpm.pid
include=/usr/local/php/etc/php-fpm.d/*.conf
www.conf
[www]
user = www
group = www
listen = 0.0.0.0:9000
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
html
Download the phpMyAdmin database management tool: https://files.phpmyadmin.net/phpMyAdmin/4.9.1/phpMyAdmin-4.9.1-all-languages.zip
Unzip and rename it
cd /data/lnmp/html
unzip phpMyAdmin-4.9.1-all-languages.zip
mv phpMyAdmin-4.9.1-all-languages phpmyadmin
Modify the configuration
cd /data/lnmp/html/phpmyadmin
mv config.sample.inc.php config.inc.php
sed -i 's/localhost/lnmp_mysql/' config.inc.php
File layout
[root@docker-compose lnmp]#tree -L 2 /data/lnmp
/data/lnmp
├── docker-compose.yaml
├── html
│ ├── phpmyadmin
│ └── test.php
├── mysql            # optional
│ └── my.cnf
├── nginx
│ └── nginx.conf
└── php
├── php-fpm.conf
├── php.ini
└── www.conf
Start docker-compose
Create the containers
[root@docker-compose lnmp]#cd /data/lnmp/
[root@docker-compose lnmp]#docker-compose up -d
Creating lnmp_mysql ... done
Creating lnmp_php ... done
Creating lnmp_nginx ... done
List the containers
[root@docker-compose lnmp]#docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4e135008270e lnmp_nginx:v1 "nginx" 33 seconds ago Up 32 seconds 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp lnmp_nginx
8b2c7019c5bc lnmp_php:v1 "/usr/local/php/sbin…" 34 seconds ago Up 33 seconds 0.0.0.0:9000->9000/tcp lnmp_php
44f18e3c8299 mysql:5.7 "docker-entrypoint.s…" 34 seconds ago Up 33 seconds 0.0.0.0:3306->3306/tcp, 33060/tcp lnmp_mysql
Stop the containers
[root@docker-compose lnmp]#docker-compose down -v
Stopping lnmp_nginx ... done
Stopping lnmp_php ... done
Stopping lnmp_mysql ... done
Removing lnmp_nginx ... done
Removing lnmp_php ... done
Removing lnmp_mysql ... done
Verification
Open the site in a browser and enter the database username and password.
The home page loads normally.
Source: https://www.cnblogs.com/areke/p/16975740.html