1、基于 dockerfile,实现分层构建的 nginx 业务镜像
1)vim Dockerfile #第一个镜像,制作系统base镜像
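# Stage 1 of the layered build: the OS base image (tagged jeek02-centos-base:v1 below).
# NOTE(review): centos:7.2.1511 is a years-old, end-of-life tag that receives no
# security updates; outside a lab use a maintained base and pin it by digest
# (FROM centos@sha256:...) so the build is reproducible and cannot be silently swapped.
FROM centos:7.2.1511
# MAINTAINER is deprecated; a LABEL carries the same metadata. Labels are optional key=value pairs.
LABEL maintainer="hy 13693204832@163.com"
LABEL writer=hy
LABEL date=20221026
# Build/runtime dependencies for the nginx stages.
# Dockerfile has no trailing comments: a "#..." after LABEL/EXPOSE/ADD is parsed as an
# argument and fails the build (after RUN it merely reaches the shell), so notes go on
# their own lines. The original list used Debian package names (libssl-dev, libpcre3-dev,
# zlib1g-dev, nfs-kernel-server, iproute2 ...) which yum on CentOS 7 answers with
# "No package available"; the CentOS equivalents below are what nginx's ./configure needs
# (pcre-devel, zlib-devel, openssl-devel). openssh-server is kept because the original asked
# for it, but an sshd inside an application image is an attack surface, not a convenience.
# yum clean all keeps the cache out of the layer.
RUN yum install -y iproute tcpdump telnet traceroute nfs-utils lrzsz tree openssl \
      openssl-devel pcre pcre-devel zlib-devel ntpdate gcc openssh-server iotop \
      unzip zip make \
    && yum clean all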
[root@VM-4-6-centos day02]# docker build -t jeek02-centos-base:v1 . #制作系统base镜像jeek02-centos-base:v1
[root@VM-4-6-centos day02]# docker images | grep jeek02
jeek02-centos-base v1 76cec9cb98f7 14 seconds ago 456MB
2)vim Dockerfile #做第2个镜像,采用上次制作的系统base镜像,制作nginx基础base镜像
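# Stage 2: the nginx base image, built on the OS base produced by stage 1.
FROM jeek02-centos-base:v1
# MAINTAINER is deprecated; LABEL carries the same metadata (notes must not trail an instruction).
LABEL maintainer="hy 13693204832@163.com"
LABEL writer=hy
LABEL date=20221026
# ADD auto-extracts the local tarball into /usr/local/src/.
# NOTE(review): nothing verifies the archive; record the sha256 of the nginx release you
# downloaded and check it before it goes into the image so a swapped tarball cannot slip in.
ADD nginx-1.22.1.tar.gz /usr/local/src/
# Build from source. No --with-http_ssl_module is passed, so this nginx has no TLS support:
# the business image's EXPOSE 443 only means something if that flag is added here (which
# needs openssl-devel in the base image). The && chain makes any failed step fail the layer.
RUN cd /usr/local/src/nginx-1.22.1 \
    && ./configure --prefix=/apps/nginx \
    && make \
    && make install \
    && ln -sv /apps/nginx/sbin/nginx /usr/bin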
[root@VM-4-6-centos day02]# docker build -t jeek02-nginx-base:v2 . #制作nginx基础base镜像
3)vim Dockerfile #做第3个镜像,采用上次制作的nginx-base镜像,制作nginx业务镜像
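# Stage 3: the business image - unprivileged nginx account, site config and static content.
FROM jeek02-nginx-base:v2
# MAINTAINER is deprecated; LABEL carries the same metadata (notes must not trail an instruction).
LABEL maintainer="hy 13693204832@163.com"
LABEL writer=hy
LABEL date=20221026
# Dedicated nginx account with a fixed uid/gid (2088) so ownership is stable across hosts.
# /sbin/nologin is the CentOS path (on CentOS 7 /usr/sbin is the same directory, so the
# original /usr/sbin/nologin also worked); "user:group" is the portable chown form.
RUN groupadd -g 2088 nginx \
    && useradd -g nginx -s /sbin/nologin -u 2088 nginx \
    && chown -R nginx:nginx /apps/nginx
# Site config, replacing the default one from the build. Workers only drop to the nginx
# account if this file says "user nginx;"; the master still runs as root because there is
# no USER instruction (it needs root or CAP_NET_BIND_SERVICE to bind port 80). COPY is
# preferred over ADD for a plain file.
COPY nginx.conf /apps/nginx/conf/
# Static frontend supplied by the dev team (auto-extracted by ADD).
ADD frontend.tar.gz /apps/nginx/html/
# Documentation only: EXPOSE publishes nothing by itself, and the nginx base image was
# built without the SSL module, so 443 will not serve TLS unless that is fixed upstream.
EXPOSE 80 443
# Alternative start-up via an entrypoint script (e.g. to render config from env vars).
# Not the same as the CMD below: ENTRYPOINT is not replaced by arguments on `docker run`.
#COPY docker-entrypoint.sh /docker-entrypoint.sh
#RUN chmod a+x /docker-entrypoint.sh
#ENTRYPOINT ["/docker-entrypoint.sh"]
# Run nginx in the foreground so it is PID 1 and the container stays up.
CMD ["nginx","-g","daemon off;"]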
[root@VM-4-6-centos day02]# docker build -t jeek02-nginx:v3 . #制作nginx业务镜像
[root@VM-4-6-centos day02]# docker images | grep jeek
jeek02-nginx v3 4e9bdabc83ab About a minute ago 432MB
验证:
[root@VM-4-6-centos day02]#docker run -it --name=nginx-vv -p 1212:80 -d jeek02-nginx:v3
[root@VM-4-6-centos day02]# curl 10.0.4.6:1212 #测试业务连接成功
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Nginx 测试页面</title>
</head>
<body>
<h2>Nginx 测试web页面</h2>
<img src="./images/1.jpg">
<p>
<a href="http://www.jd.com" target="_blank">app跳转</a>
</p>
</body>
</html>
2、基于 docker 实现对容器的 CPU 和内存的资源限制
1)不限制容器内存:
[root@VM-4-6-centos day02]# docker run -it --rm --name jeek02-cgroup-test docker.io/lorel/docker-stress-ng:latest --vm 2 --vm-bytes 256M
#启动两个内存工作进程(--vm 2),每个内存工作进程使用内存256M(--vm-bytes 256M),且宿主机不限制当前容器最大内存
再开一个终端:docker stats 显示容器资源的使用情况,包括:CPU、内存、网络 I/O 等
[root@VM-4-6-centos ~]# docker stats | grep jeek02-cgroup-test
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
e25172711776 jeek02-cgroup-test 197.86% 512.2MiB / 15.51GiB 3.22% 656B / 0B 0B / 0B 5
#可以看出:占用了197.86%的cpu(两核);512M内存(2个256M);系统对该容器的限制是15.51G(即宿主机全部内存,未做任何限制——一个失控的容器可以把宿主机内存吃光并拖垮同机的其他服务,生产环境应始终加 -m);
2)限制容器最大内存:
[root@VM-4-6-centos ~]# docker run -it --rm --name=jeek02-cgroup-test -m 256m lorel/docker-stress-ng --vm=2 --vm-bytes 256M
#还是上面那个压测工具,两个工作进程使用512M内存,但是宿主机只给256M(-m 256m)
[root@VM-4-6-centos ~]# docker stats | grep jeek02-cgroup-test
7159b182872e jeek02-cgroup-test 189.52% 232.5MiB / 256MiB 90.81% 656B / 0B 0B / 0B 5
#这次还是用2个核的CPU;但是内存只能用宿主机允许的256M。注意:只给 -m 而不给 --memory-swap 时,docker 默认还允许容器再使用与 -m 等量的 swap(宿主机开了 swap 的话总计可到 512M);要严格限制在 256M,需同时加 --memory-swap 256m
3)[root@VM-4-6-centos ~]# docker run -it -d --oom-score-adj -1000 -p 3306:3306 mysql:5.7.39
#--oom-score-adj -1000 相当于人为干预了内核评分,使该容器几乎不会被 OOM killer 选中,内存压力会转嫁给宿主机上的其他进程,不推荐使用。另外两点:mysql:5.7 镜像首次初始化时不给 MYSQL_ROOT_PASSWORD(或 MYSQL_ALLOW_EMPTY_PASSWORD / MYSQL_RANDOM_ROOT_PASSWORD)入口脚本会直接报错退出;-p 3306:3306 会把数据库绑定到宿主机所有网卡,仅本机测试时应写成 -p 127.0.0.1:3306:3306
4)CPU限制
CPU限制最主要的就一个--cpus参数,可以是整数,也可以是浮点数;
例如:docker run -it --rm --name=jeek02-cgroup-test --cpus 1.5 lorel/docker-stress-ng #表示最多给容器分1.5个cpu
[root@VM-4-6-centos ~]# docker run -it --rm --name=jeek02-cgroup-test -m 256m lorel/docker-stress-ng --cpu=4 --vm=4
#还是这个压测工具,启动4个cpu worker和4个内存worker(--cpu=4 --vm=4),不限制CPU。注意:这条命令带了 -m 256m,但下面 docker stats 里的 LIMIT 显示为 15.51GiB,说明这组输出很可能来自一次没加 -m 的运行,以实际输出为准
[root@VM-4-6-centos ~]# docker stats | grep jeek02-cgroup-test
4356a0a80982 jeek02-cgroup-test 324.98% CPU占用 1.008GiB / 15.51GiB 6.50% 656B / 0B 0B / 0B 13
#可以看出cpu使用率324.98%
[root@VM-4-6-centos ~]# docker run -it --rm --name=jeek02-cgroup-test --cpus 2 lorel/docker-stress-ng --cpu=4 --vm=4
#添加--cpus 2 对CPU进行限制,无论后面压测要多少资源;最多只给他2个cpu
[root@VM-4-6-centos ~]# docker stats | grep jeek02-cgroup-test
f744dad662e1 jeek02-cgroup-test 197.98% cpu占用稳定在2核左右 708.9MiB / 15.51GiB 4.46% 656B / 0B 0B / 0B 13
#可以看到cpu占用稳定在2核左右
5)指定消耗的cpu:
[root@VM-4-6-centos ~]# docker run -it --rm --name=jeek02-cgroup-test --cpus 2 lorel/docker-stress-ng --cpu=4 --vm=4
#占用2个CPU,未指定使用哪个cpu
执行top命令
top - 14:15:12 up 213 days, 14:46, 2 users, load average: 9.95, 6.13, 3.30
Tasks: 324 total, 9 running, 315 sleeping, 0 stopped, 0 zombie
%Cpu0 : 59.2 us, 5.4 sy, 0.0 ni, 35.1 id, 0.3 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu1 : 59.4 us, 5.6 sy, 0.0 ni, 34.7 id, 0.3 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu2 : 56.6 us, 7.4 sy, 0.0 ni, 36.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu3 : 54.3 us, 10.3 sy, 0.0 ni, 35.1 id, 0.3 wa, 0.0 hi, 0.0 si, 0.0 st
#可以看到从4个cpu中各分了大概一半cpu,总共2核
[root@VM-4-6-centos ~]# docker run -it --rm --name=jeek02-cgroup-test --cpus 2 --cpuset-cpus 0,3 lorel/docker-stress-ng --cpu=4 --vm=4
#设置参数--cpuset-cpus 0,3;表示从第1和第4颗CPU分配资源
top - 14:18:58 up 213 days, 14:50, 2 users, load average: 8.39, 7.73, 4.62
Tasks: 324 total, 9 running, 315 sleeping, 0 stopped, 0 zombie
%Cpu0 : 99.7 us, 0.0 sy, 0.0 ni, 0.3 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu1 : 11.0 us, 8.8 sy, 0.0 ni, 78.6 id, 1.0 wa, 0.0 hi, 0.6 si, 0.0 st
%Cpu2 : 13.4 us, 7.5 sy, 0.0 ni, 77.8 id, 1.0 wa, 0.0 hi, 0.3 si, 0.0 st
%Cpu3 :100.0 us, 0.0 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
#可以看到是从第1 和第4颗CPU分配的资源
3、部署 http 协议的 harbor 镜像仓库
tar -xvf harbor-offline-installer-v2.6.1.tgz
cd harbor/
root@VM-4-6-centos harbor]# ll
total 743384
-rw-r--r-- 1 root root 3639 Oct 10 11:32 common.sh
-rw-r--r-- 1 root root 761180661 Oct 10 11:33 harbor.v2.6.1.tar.gz
-rw-r--r-- 1 root root 10491 Oct 10 11:32 harbor.yml.tmpl #配置文件的模板
-rwxr-xr-x 1 root root 3171 Oct 10 11:32 install.sh
-rw-r--r-- 1 root root 11347 Oct 10 11:32 LICENSE
-rwxr-xr-x 1 root root 1881 Oct 10 11:32 prepare
[root@VM-4-6-centos harbor]# cp harbor.yml.tmpl harbor.yml
[root@VM-4-6-centos harbor]# vim harbor.yml
5 hostname: hyhaha.harbor.com
10 port: 1122
47 data_volume: /apps/harbor2HY
[root@VM-4-6-centos harbor]# ./install.sh --help
Note: Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https.----#做可信验证,依赖ssl
Please set --with-trivy if needs enable Trivy in Harbor----#对harbor中的镜像进行镜像扫描的组件,可开可不开
Please set --with-chartmuseum if needs enable Chartmuseum in Harbor----------#helm使用的chart包格式镜像
[root@VM-4-6-centos harbor]# ./install.sh --with-trivy --with-chartmuseum #两个选项都是双横线;原笔记写成 -with-chartmuseum,按 install.sh 的参数解析应当会被当作不支持的选项而拒绝
安装完成后,web页面可以打开。注意这里的 harbor 走的是 http:docker 客户端默认拒绝向非 https 仓库 login/push,需要在每台客户端的 /etc/docker/daemon.json 里加 "insecure-registries": ["hyhaha.harbor.com:1122"] 并重启 docker;而且账号密码和镜像内容都是明文传输,只适合隔离的实验环境,正式环境必须配置 https(harbor.yml 的 https 段)并使用可信证书。
新建项目,存储容量默认为-1,表示不限制容量
4、掌握 containerd 的安装 A
[root@VM-4-6-centos ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
[root@VM-4-6-centos ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
[root@VM-4-6-centos ~]# yum -y install sudo
[root@VM-4-6-centos ~]# sudo sed -i 's+download.docker.com+mirrors.tuna.tsinghua.edu.cn/docker-ce+' /etc/yum.repos.d/docker-ce.repo #当前已是 root,sudo 并无必要。注意这条 sed 会把 repo 文件里 gpgkey= 那一行的地址也一并改到镜像站,等于把软件包签名的信任也交给了第三方镜像;若只想信任官方密钥,保留 gpgkey=https://download.docker.com/linux/centos/gpg 不改
[root@VM-4-6-centos ~]# yum list containerd.io --showduplicates | sort -r #原文的 –r 是长横线,必须用 ASCII 的 -r,否则 sort 会把它当文件名报错
[root@VM-4-6-centos ~]# yum install containerd.io-1.6.8
[root@VM-4-6-centos ~]# containerd config default > /etc/containerd/config.toml #自定义配置
61 sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.7" #原文行尾是中文右引号 ”,会导致 toml 解析失败,必须是 ASCII 双引号
153 [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
154 [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
155 endpoint = ["https://9916w1ow.mirror.aliyuncs.com"]
[root@VM-4-6-centos ~]# systemctl restart containerd && systemctl enable containerd
[root@VM-4-6-centos ~]# wget https://github.com/opencontainers/runc/releases/download/v1.1.4/runc.amd64 ##containerd中没有集成runc;runc需要自己安装
[root@VM-4-6-centos ~]# wget https://github.com/opencontainers/runc/releases/download/v1.1.4/runc.sha256sum && grep ' runc.amd64$' runc.sha256sum | sha256sum -c -
#安装前先核对 runc 随版本发布的校验和文件(更严格的做法是用 gpg 校验同目录下的 .asc 签名),避免把被篡改的二进制放进 /usr/bin;CentOS 7 的 sha256sum 不支持 --ignore-missing,所以先 grep 出对应行再校验。另外 1.1.4 已是较老的版本,后续 1.1.x 修复过容器逃逸类问题(如 CVE-2024-21626),生产环境应使用当前版本
[root@VM-4-6-centos ~]# cp runc.amd64 /usr/bin/runc
[root@VM-4-6-centos ~]# chmod a+x /usr/bin/runc
[root@VM-4-6-centos ~]# runc -v
runc version 1.1.4
[root@VM-4-6-centos ~]# wget https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz
#containerd不是docker,没有docker0,所以网络也要自己配置。安装cni插件
[root@VM-4-6-centos ~]# mkdir /opt/cni/bin -pv
[root@VM-4-6-centos ~]# tar xvf cni-plugins-linux-amd64-v1.1.1.tgz -C /opt/cni/bin/
#(默认路径,如果要改的话修改containerd配置文件,将路径告诉containerd)
[root@VM-4-6-centos ~]# vim /etc/containerd/config.toml
72 bin_dir = "/opt/cni/bin" #若要更改cni路径,修改containerd配置文件这一行
5、基于 nerdctl 拉取镜像和创建容器 A
[root@VM-4-6-centos ~]# nerdctl pull tomcat:latest #拉取镜像,nerdctl于docker命令用法基本相同
[root@VM-4-6-centos ~]# nerdctl images
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE
tomcat latest a24495b50762 2 minutes ago linux/amd64 456.8 MiB 240.8 MiB
lorel/docker-stress-ng latest 8dd29b9c9f2d 15 minutes ago linux/amd64 8.1 MiB 3.9 MiB
[root@VM-4-6-centos ~]# nerdctl -n k8s.io images #nerdctl 有命名空间(namespace)的概念,用 -n 指定;k8s.io 是 CRI/kubelet 使用的命名空间,默认命名空间里拉的镜像在其他命名空间下看不到
REPOSITORY TAG IMAGE ID CREATED PLATFORM SIZE BLOB SIZE
[root@VM-4-6-centos ~]# nerdctl run -it -d -p 3434:80 --name=nginx-web1 --restart=always nginx:1.22.0-alpine
#nerdctl命令创建容器,使用方法和docker一致