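I. docker-compose
Docker Compose lets us manage container start, stop and restart operations quickly and efficiently. It is similar to a shell script on Linux and uses YAML syntax; in the compose file we describe the application's architecture, such as which images, data volumes, network mode and listening ports to use.
We can define a multi-container application (for example WordPress) in a single compose file and then start the application from that file.
1) Install docker-compose
Official releases page: Releases · docker/compose · GitHub
Download the binary from the URL below and save it as /usr/local/bin/docker-compose:
https://github.com/docker/compose/releases/download/v2.12.2/docker-compose-linux-x86_64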
chmod a+x /usr/local/bin/docker-compose
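If you cannot download from the official site, you can install with pip; upgrading Python 3 first is recommended.
# Install Python 3 and pip
yum install -y python3-pip
# Upgrade pip to the latest version
pip3 install --upgrade pip
# Install docker-compose
pip3 install docker-compose
Test and check the version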
docker-compose version
[root@bogon ~]# docker-compose version
/usr/local/lib/python3.6/site-packages/paramiko/transport.py:32: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography will remove support for Python 3.6.
from cryptography.hazmat.backends import default_backend
docker-compose version 1.29.2, build unknown
docker-py version: 5.0.3
CPython version: 3.6.8
OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
[root@bogon ~]#
2) Quickly deploy an application with docker-compose
Edit the compose YAML file for WordPress
vi docker-compose.yml ## write the following content
services:
  db: # service 1: db
    image: mysql:5.7 # use the mysql:5.7 image
    volumes:
      - db_data:/var/lib/mysql # persist the data
    restart: always # always restart the container if the service goes down
    environment: # environment settings
      MYSQL_ROOT_PASSWORD: somewordpress
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: wordpress
  wordpress: # service 2: wordpress
    depends_on: # the wordpress service depends on db, so db is started first automatically
      - db
    image: wordpress:latest # use the latest wordpress image
    ports:
      - "8000:80" # port mapping 8000:80
    restart: always
    environment: # environment
      WORDPRESS_DB_HOST: db:3306 # wordpress connects to db on port 3306
      WORDPRESS_DB_USER: wordpress # the database user for wordpress is wordpress
      WORDPRESS_DB_PASSWORD: wordpress # the database password for wordpress is wordpress
      WORDPRESS_DB_NAME: wordpress # the database name for wordpress is wordpress
volumes:
  db_data: {}

#Version: '3'
services:
  planka:
    image: registry.cn-hangzhou.aliyuncs.com/*/planka:latest
    command: >
      bash -c
        "for i in `seq 1 30`; do
          ./start.sh &&
          s=$$? && break || s=$$?;
          echo \"Tried $$i times. Waiting 5 seconds...\";
          sleep 5;
        done; (exit $$s)"
    restart: unless-stopped
    volumes:
      - /containers/planka/user-avatars:/app/public/user-avatars
      - /containers/planka/project-background-images:/app/public/project-background-images
      - /containers/planka/attachments:/app/private/attachments
    ports:
      - 53001:1337
    environment:
      - BASE_URL=http://192.168.1.1:8000
      - DATABASE_URL=postgresql://postgres@postgres/planka
      - SECRET_KEY=notsecretkey
      - TRUST_PROXY=0
      - TOKEN_EXPIRES_IN=365
      - DEFAULT_ADMIN_EMAIL=demo@demo.demo
      - DEFAULT_ADMIN_PASSWORD=demo
      - DEFAULT_ADMIN_NAME=Demo Demo
      - DEFAULT_ADMIN_USERNAME=demo
    depends_on:
      - postgres
  postgres:
    image: registry.cn-hangzhou.aliyuncs.com/*/postgres:14.12-alpine
    restart: unless-stopped
    volumes:
      - /containers/postgres/db-data:/var/lib/postgresql/data
    environment:
      - POSTGRES_DB=planka
      - POSTGRES_HOST_AUTH_METHOD=trust
[root@bogon vikunja]#
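The planka file above hard-codes SECRET_KEY and the admin password, sets POSTGRES_HOST_AUTH_METHOD=trust (PostgreSQL then accepts connections without a password), uses a :latest tag and publishes its port on every host interface. The following is an added example, not part of the original page, that flags these settings in a compose file; the function names audit_compose and sample_weak are hypothetical and the sample is a constructed excerpt of the file above.

```bash
# Added example, not the page author's code: flag the risky settings discussed above.
# audit_compose FILE prints "line: finding"; exit status is 1 when anything is found.
audit_compose() {
    awk '
    /^[ \t]*#/ { next }                               # whole-line comment
    { line = $0; sub(/[ \t]+#.*$/, "", line) }        # drop trailing comment
    in_ports && line ~ /^[ \t]*-/ {                   # list entry under "ports:"
        p = line; sub(/^[ \t]*-[ \t]*/, "", p); gsub(/"/, "", p)
        if (gsub(/:/, ":", p) == 1) { print NR ": port " p " is published on every host interface"; n++ }
        next
    }
    { in_ports = (line ~ /^[ \t]*ports:[ \t]*$/) }
    line ~ /^[ \t]*image:/ {
        img = line; sub(/^[ \t]*image:[ \t]*/, "", img)
        if (img !~ /@sha256:/ && (img ~ /:latest$/ || img !~ ":[^/]+$")) { print NR ": image " img " is not pinned"; n++ }
    }
    line ~ /^[ \t]*(-[ \t]*)?[A-Za-z_]*(PASSWORD|SECRET)[A-Za-z_]*[=:]/ {
        kv = line; sub(/^[ \t]*(-[ \t]*)?/, "", kv)
        i = match(kv, /[=:]/); key = substr(kv, 1, i - 1); val = substr(kv, i + 1)
        gsub(/^[ \t"]+|[ \t"]+$/, "", val)
        # literal value = finding; ${VAR} references and *_FILE paths are fine
        if (val != "" && val !~ /^[$][{]/ && key !~ /_FILE$/) { print NR ": " key " is hard-coded"; n++ }
    }
    line ~ /POSTGRES_HOST_AUTH_METHOD[=:][ \t]*"?trust/ { print NR ": PostgreSQL trust auth, no password required"; n++ }
    END { exit (n > 0) }
    ' "$1"
}

# Constructed sample: excerpt of the planka/postgres file from this page.
sample_weak() { cat <<'EOF'
services:
  planka:
    image: registry.cn-hangzhou.aliyuncs.com/*/planka:latest
    ports:
      - 53001:1337
    environment:
      - SECRET_KEY=notsecretkey
      - DEFAULT_ADMIN_PASSWORD=demo
  postgres:
    image: registry.cn-hangzhou.aliyuncs.com/*/postgres:14.12-alpine
    environment:
      - POSTGRES_HOST_AUTH_METHOD=trust
EOF
}
```

The exit status is non-zero when anything is flagged, so the function can gate a deployment script; findings name the key but never print its value. Referencing secrets as ${VAR}, pinning the image by the digest that docker-compose up prints, binding the port to 127.0.0.1 and giving PostgreSQL a password clears every finding.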
Start
docker-compose up -d
[root@bogon vikunja]# vi docker-compose.yml
[root@bogon vikunja]# docker-compose up -d
/usr/local/lib/python3.6/site-packages/paramiko/transport.py:32: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography will remove support for Python 3.6.
from cryptography.hazmat.backends import default_backend
Pulling postgres (registry.cn-hangzhou.aliyuncs.com/*/postgres:14.12-alpine)...
14.12-alpine: Pulling from daliyused/postgres
ec99f8b99825: Pull complete
5fd3ad402992: Pull complete
f0ab9af71a6b: Pull complete
e9cba7ca7950: Pull complete
139743f5c94c: Pull complete
f911f649f1ba: Pull complete
fc587d9bdaf7: Pull complete
2e365e8460cb: Pull complete
99527f5236c5: Pull complete
5813a5c812be: Pull complete
5feaa8906c37: Pull complete
Digest: sha256:7bafc946763fd203b54a711a0f57f4935cbd39446633ea0b6e67429ff3289937
Status: Downloaded newer image for registry.cn-hangzhou.aliyuncs.com/daliyused/postgres:14.12-alpine
Pulling planka (registry.cn-hangzhou.aliyuncs.com/*/planka:latest)...
latest: Pulling from daliyused/planka
d25f557d7f31: Pull complete
f61249306349: Pull complete
22a81a0f8d1c: Pull complete
bd06542006fd: Pull complete
281ec57bb9e9: Pull complete
a589e8575ef4: Pull complete
6042df8e320d: Pull complete
f74577210f8d: Pull complete
990120403651: Pull complete
95628ffb5b63: Pull complete
4cc546faf5a7: Pull complete
2aef5149df4e: Pull complete
4eace37cd102: Pull complete
Digest: sha256:30c3cc6fd95b19673b5f79faebc7194c88ad10e52ebde698ff0010bd9d129780
Status: Downloaded newer image for registry.cn-hangzhou.aliyuncs.com/daliyused/planka:latest
Creating vikunja_postgres_1 ... done
Creating vikunja_planka_1 ... done
[root@bogon vikunja]#
Check status
docker-compose ps
[root@bogon vikunja]# docker-compose ps
/usr/local/lib/python3.6/site-packages/paramiko/transport.py:32: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography will remove support for Python 3.6.
from cryptography.hazmat.backends import default_backend
Name                 Command                         State          Ports
---------------------------------------------------------------------------------------------------------------
vikunja_planka_1     docker-entrypoint.sh bash ...   Up (healthy)   0.0.0.0:8000->1337/tcp,:::53001->1337/tcp
vikunja_postgres_1   docker-entrypoint.sh postgres   Up             5432/tcp
You can also stop it
docker-compose stop
[root@bogon vikunja]# docker-compose stop
/usr/local/lib/python3.6/site-packages/paramiko/transport.py:32: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography will remove support for Python 3.6.
from cryptography.hazmat.backends import default_backend
Stopping vikunja_planka_1 ... done
Stopping vikunja_postgres_1 ... done
[root@bogon vikunja]#
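Setting up a private Harbor image registry
Developing and running Docker container applications depends on reliable image management. Docker provides a public image registry, but for reasons of security and efficiency it is also well worth deploying a registry inside our own private environment. Harbor is an enterprise-grade Docker Registry management project open-sourced by VMware. Its features include access control (RBAC), LDAP, log auditing, a management UI, self-registration, image replication and Chinese language support.
Harbor official site: https://goharbor.io
0) Prepare a CA certificate in advance
If you have your own domain, you can apply for a free SSL certificate at FreeSSL.cn (a site that offers free HTTPS certificate applications).
Install docker-compose first.
1) Download the Harbor offline package
Releases · goharbor/harbor · GitHub
The version I downloaded here is 2.6.2
wget https://github.com/goharbor/harbor/releases/download/v2.11.0/harbor-offline-installer-v2.11.0.tgz && tar zxvf harbor-offline-installer-v2.11.0.tgz ##### The offline package is recommended; otherwise the configuration and installation can run into problems. You can download it with Xunlei and then upload it to the server
2) Upload the downloaded package to the Linux host and extract it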
tar zxf harbor-offline-installer-v2.6.2.tgz -C /opt/
tar xvf harbor-offline-installer-v2.11.0.tgz
cd harbor
mv harbor.yml.tmpl harbor.yml
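3) Prepare the configuration file
cd /opt/harbor
cp harbor.yml.tmpl harbor.yml ## copy the template to use as the actual configuration file
4) Edit the configuration file
vi harbor.yml
Change hostname: reg.mydomain.com to hostname: harbor.yuankeedu.com
Change certificate: /your/certificate/path and private_key: /your/private/key/path to the actual certificate and key paths
Change harbor_admin_password to a suitable password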
root@server:/home/*/harbor# cat harbor.yml
# Configuration file of Harbor
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 192.168.1.1 #### you can use your own IP or domain name
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80
# https related config
#https:
  # https port for harbor, default is 443 ### comment this out if you have no certificate
  #port: 443
If you do not use a certificate and only use port 80, then besides commenting out the https and certificate parameters you must also edit daemon.json and restart docker
root@server:/home/*/harbor# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://nol6uuul.mirror.aliyuncs.com"],
  "insecure-registries": ["http://192.168.1.1:80"]
}
root@server:/home/*/harbor#
5) Install
sh install.sh
6) Stopping and starting the services
cd /opt/harbor
docker-compose ps ## list the services
docker-compose stop ## stop
docker-compose up -d ## start
7) Access the web UI
8) Pull a public image
docker pull tomcat
docker tag tomcat harbor.yuankeedu.com/aminglinux/tomcat:latest
9) Push the tomcat image to Harbor
docker login https://harbor.yuankeedu.com
Enter the username and password
root@server:/home/*/harbor# docker login 192.168.1.1:80
Username: *
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
docker push harbor.yuankeedu.com/aminglinux/tomcat:latest
root@server:/home/*/harbor# docker push 192.168.1.1:80/study/planka:latest
The push refers to repository [192.168.1.1:80/study/planka]
f0c154507b27: Pushed
1723a67dc1b2: Pushed
bae987e83e2e: Pushed
4f870f6513fa: Pushed
6c39fdc47532: Pushed
cfe35d72b430: Pushed
d8a7b3831760: Pushed
9f0e64e83222: Pushed
8a71bd4ec09c: Pushed
13445afc82dd: Pushed
ae4f266e60f1: Pushed
f56b0e3560a1: Pushed
02f2bcb26af5: Pushed
latest: digest: sha256:30c3cc6fd95b19673b5f79faebc7194c88ad10e52ebde698ff0010bd9d129780 size: 3038
root@server:/home/*/harbor#
root@server:/home/*/harbor# docker pull 192.168.1.1:80/study/planka:latest
latest: Pulling from study/planka
Digest: sha256:30c3cc6fd95b19673b5f79faebc7194c88ad10e52ebde698ff0010bd9d129780
Status: Image is up to date for 192.168.1.1:80/study/planka:latest
192.168.1.1:80/study/planka:latest
root@server:/home/yeyunyi/harbor#
Problem: x509: certificate signed by unknown authority
Run the following on the client machine (that is, the machine where you run docker login):
1) echo -n | openssl s_client -showcerts -connect harbor.yuankeedu.com:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> /etc/ssl/certs/ca-bundle.trust.crt
2) systemctl restart docker
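The step above trusts whatever certificate the server presents at that moment and appends it to the system-wide bundle used by every TLS client on the machine. The following is an added example, not part of the original page, that installs a certificate only after its SHA-256 fingerprint matches a value obtained out of band, and only into Docker's per-registry directory /etc/docker/certs.d/<registry>/ca.crt; the function names and the optional certs-root argument are hypothetical.

```bash
# Added example, not the page author's code. Requires the openssl CLI.

# cert_fingerprint PEM_FILE -> SHA-256 fingerprint of the first certificate
# in the file, upper-case hex without colons (empty if the file cannot be parsed).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# install_registry_ca PEM_FILE REGISTRY EXPECTED_FP [CERTS_ROOT]
# Returns 0 on install, 1 on fingerprint mismatch, 2 if PEM_FILE is not a certificate.
install_registry_ca() {
    local pem registry root expected actual
    pem="$1"; registry="$2"; root="${4:-/etc/docker/certs.d}"
    # Accept the expected value with or without colons, in either case.
    expected=$(printf '%s' "$3" | tr -d ': ' | tr 'a-f' 'A-F')
    actual=$(cert_fingerprint "$pem")
    if [ -z "$actual" ]; then
        echo "cannot parse certificate: $pem" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $registry: presented $actual" >&2
        return 1
    fi
    # Trust is scoped to this registry; only the verified (first) certificate is written.
    mkdir -p "$root/$registry" &&
        openssl x509 -in "$pem" -out "$root/$registry/ca.crt"
}

# Usage as root (EXPECTED_FP is a placeholder for the fingerprint the registry
# administrator gives you over a separate channel):
#   openssl s_client -connect harbor.yuankeedu.com:443 </dev/null 2>/dev/null | openssl x509 > /tmp/harbor.crt
#   install_registry_ca /tmp/harbor.crt harbor.yuankeedu.com "$EXPECTED_FP"
```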