DOCKER总结3:containerd介绍、harbor证书配置、compose应用

1、安装containerd及CNI组件

# 二进制方式安装
# 提前上传安装包
[root@docker-master soft]# ls
containerd-1.7.2-linux-amd64.tar.gz  harbor-offline-installer-v2.8.2.tgz  nginx-1.24.0.tar.gz
cni-plugins-linux-amd64-v1.3.0.tgz  crictl-v1.27.1-linux-amd64.tar.gz    nerdctl-1.4.0-linux-amd64.tar.gz     runc.amd64
# 安装containerd并创建service文件
[root@docker-master soft]# tar -xvf containerd-1.7.2-linux-amd64.tar.gz 
bin/
bin/containerd-shim-runc-v1
bin/containerd-shim-runc-v2
bin/containerd-stress
bin/containerd
bin/containerd-shim
bin/ctr
[root@docker-master soft]# cp bin/* /usr/local/bin/
[root@docker-master soft]# containerd -v
containerd github.com/containerd/containerd v1.7.2 0cae528dd6cb557f7201036e9f43420650207b58
#创建service文件
[root@docker-master soft]# vim /lib/systemd/system/containerd.service
[root@docker-master soft]# cat /lib/systemd/system/containerd.service
# systemd unit for the binary-installed containerd (daemon copied to /usr/local/bin above).
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target
[Service]
# Leading '-' makes a modprobe failure non-fatal (e.g. overlay compiled into the kernel — presumably the reason).
ExecStartPre=-/usr/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd
Type=notify
# Delegate=yes hands cgroup control of the service's subtree to containerd;
# KillMode=process stops only the daemon on restart, so shims and containers survive.
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=infinity
TasksMax=infinity
# Negative adjustment: the OOM killer prefers containers over the runtime daemon itself.
OOMScoreAdjust=-999
[Install]
WantedBy=multi-user.target
# 生成配置文件
[root@docker-master soft]# mkdir  /etc/containerd
[root@docker-master soft]# containerd config default > /etc/containerd/config.toml
# 修改配置文件后重启
[root@docker-master soft]# vim /etc/containerd/config.toml 
    sandbox_image = "registry.cn-hangzhou.aliyuncs.com/zhangshijie/pause:3.9" # 65行
          [plugins."io.containerd.grpc.v1.cri".registry.mirrors] # 168行
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint=["https://9916w1ow.mirror.aliyuncs.com"]
[root@docker-master soft]# systemctl restart containerd.service 
# 部署runc
[root@docker-master soft]# chmod  a+x runc.amd64 
[root@docker-master soft]# mv runc.amd64 /usr/bin/runc
# 使用ctr下载镜像验证
[root@docker-master soft]# ctr images pull docker.io/library/alpine:latest
# 默认使用的命名空间为default
[root@docker-master soft]# ctr  images  ls
[root@docker-master soft]# ctr -n k8s.io images  ls

在这里插入图片描述

# 启动容器验证
[root@docker-master soft]# ctr run -t --net-host  docker.io/library/alpine:latest test-container sh

在这里插入图片描述

# CNI网络组件安装  /opt/cni/bin为默认路径,也可以修改/etc/containerd/config.toml 配置文件参数自行指定  bin_dir = "/opt/cni/bin"
[root@docker-master soft]# mkdir  /opt/cni/bin -p   # 保存cni插件的路径
[root@docker-master soft]# tar xvf cni-plugins-linux-amd64-v1.3.0.tgz -C /opt/cni/bin/
./
./loopback
./bandwidth
./ptp
./vlan
./host-device
./tuning
./vrf
./sbr
./tap
./dhcp
./static
./firewall
./macvlan
./dummy
./bridge
./ipvlan
./portmap
./host-local
# 客户端工具nerdctl
[root@docker-master soft]# tar xvf nerdctl-1.4.0-linux-amd64.tar.gz  -C /usr/local/bin/
nerdctl
containerd-rootless-setuptool.sh
containerd-rootless.sh
[root@docker-master soft]# nerdctl version
WARN[0000] unable to determine buildctl version: exec: "buildctl": executable file not found in $PATH 
Client:
 Version:       v1.4.0
 OS/Arch:       linux/amd64
 Git commit:    7e8114a82da342cdbec9a518c5c6a1cce58105e9
 buildctl:
  Version:

Server:
 containerd:
  Version:      v1.7.2
  GitCommit:    0cae528dd6cb557f7201036e9f43420650207b58
 runc:
  Version:      1.1.8
  GitCommit:    v1.1.8-0-g82f18fe0
# 生成配置文件
[root@docker-master soft]# mkdir  /etc/nerdctl/
[root@docker-master soft]# vim /etc/nerdctl/nerdctl.toml
# /etc/nerdctl/nerdctl.toml — defaults for the nerdctl CLI.
namespace="k8s.io"    # containerd namespace nerdctl works in (the one `ctr -n k8s.io images ls` shows above)
debug=false
debug_full=false
insecure_registry=true  # trusts insecure registries (plain HTTP / unverified TLS) for every pull — a broad trust setting; narrow it once the Harbor CA is installed on the host

2、基于nerdctl创建并管理容器

# 拉取镜像
[root@docker-master soft]# nerdctl pull nginx
# 查看镜像
[root@docker-master soft]# nerdctl images
# 启动nginx容器验证
[root@docker-master soft]# nerdctl run -d -p 80:80 --name nginx-web nginx
bd0c1d1d8c5bce7c77c0a5346aaeb1c5458f8ef6a0afb45dd123ddad531ba251

在这里插入图片描述

# 启动mysql容器
[root@docker-master soft]# nerdctl run -t -d -p 3306:3306 -e MYSQL_ROOT_PASSWORD=123456 -d mysql:5.6.39
# 验证

在这里插入图片描述

3、部署https的harbor服务器

# 自签名CA机构
[root@docker-master certs]# openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
......................................................................................++
.......................................................................................++
e is 65537 (0x10001)
[root@docker-master certs]# openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=magedu.com" -key ca.key -out ca.crt
# harbor域名证书申请
[root@docker-master certs]# openssl genrsa -out magedu.net.key 4096
Generating RSA private key, 4096 bit long modulus
...............................................++
....................................................++
e is 65537 (0x10001)
[root@docker-master certs]# openssl req -sha512 -new \
> -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=magedu.net" \
> -key magedu.net.key \
> -out magedu.net.csr
[root@docker-master certs]# ll
总用量 16
-rw-r--r--. 1 root root 2025 727 05:25 ca.crt
-rw-r--r--. 1 root root 3243 727 05:23 ca.key
-rw-r--r--. 1 root root 1704 727 05:28 magedu.net.csr
-rw-r--r--. 1 root root 3243 727 05:27 magedu.net.key
# 准备签发环境: 通过主题别名(SAN)可以让一个证书适配多个域名
[root@docker-master certs]# cat >v3.ext<< EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names

[alt_names]
DNS.1=magedu.com
DNS.2=harbor.magedu.net
DNS.3=harbor.magedu.local
EOF
# 使用自签名CA签发证书
[root@docker-master certs]# openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in magedu.net.csr -out magedu.net.crt
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=magedu.net
Getting CA Private Key
[root@docker-master certs]# ll
总用量 28
-rw-r--r--. 1 root root 2025 727 05:25 ca.crt
-rw-r--r--. 1 root root 3243 727 05:23 ca.key
-rw-r--r--. 1 root root   17 727 05:36 ca.srl
-rw-r--r--. 1 root root 2110 727 05:36 magedu.net.crt
-rw-r--r--. 1 root root 1704 727 05:28 magedu.net.csr
-rw-r--r--. 1 root root 3243 727 05:27 magedu.net.key
-rw-r--r--. 1 root root  276 727 05:36 v3.ext
# 安装harbor
[root@docker-master opt]# cd /opt/soft/harbor-install
[root@docker-master harbor-install]# tar -xf harbor-offline-installer-v2.8.2.tgz 
[root@docker-master harbor-install]# cd harbor/
[root@docker-master harbor]# vim harbor.yml
# 修改配置文件
[root@docker-master harbor]# vim harbor.yml

在这里插入图片描述

# 安装
[root@docker-master harbor]# ./install.sh --with-trivy
# 访问验证 https://172.18.10.13/

在这里插入图片描述

# 客户端配置
# 将证书分发到docker主机
[root@docker-master harbor]# mkdir -p /etc/docker/certs.d/harbor.magedu.net/
[root@docker-master harbor]# cp /apps/harbor/certs/magedu.net.crt  /etc/docker/certs.d/harbor.magedu.net/
[root@docker-master harbor]# vim /etc/hosts
127.18.10.13 harbor.magedu.net
# 登录harbor
[root@docker-master harbor]# docker login harbor.magedu.net
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
# 上传镜像测试
[root@docker-master harbor]# docker tag nginx:1.14.2 harbor.magedu.net/library/nginx:1.14.2
[root@docker-master harbor]# docker push harbor.magedu.net/library/nginx:1.14.2

在这里插入图片描述

4、基于Alpine和Ubuntu作为基础镜像实现的业务镜像构建

# 基于Alpine作为基础镜像构建业务镜像
[root@docker-master 2.alpine3.18-nginx1.24-dockerfile-case]# ll
总用量 1144
-rw-r--r--. 1 root root     280 727 22:52 build-command.sh
-rw-r--r--. 1 root root     794 727 23:06 Dockerfile
-rw-r--r--. 1 root root   38751 85 2022 frontend.tar.gz
-rw-r--r--. 1 root root 1112471 412 00:04 nginx-1.24.0.tar.gz
-rw-r--r--. 1 root root    2866 912 2019 nginx.conf
-rw-r--r--. 1 root root     319 727 23:04 repositories
# [root@docker-master alpine-nginx]# cat Dockerfile 
[root@docker-master 2.alpine3.18-nginx1.24-dockerfile-case]# cat Dockerfile 
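# Alpine-based nginx business image: nginx ${VER} compiled from source under /apps/nginx.
# NOTE(review): the case directory is named alpine3.18 but the base tag is alpine:3.10.1 — confirm which is intended.
FROM alpine:3.10.1

# MAINTAINER is deprecated in favor of LABEL.
LABEL maintainer="zhangshijie 2973707860@qq.com"

COPY repositories /etc/apk/repositories
RUN apk update && apk add vim iotop gcc libgcc libc-dev libcurl libc-utils gzip zlib zlib-dev libnfs make pcre pcre2 pcre-dev zip unzip net-tools pstree wget libevent libevent-dev iproute2

ARG VER=1.24.0
# ADD (not COPY) on purpose: the local tarball is extracted into /opt.
ADD nginx-${VER}.tar.gz /opt
RUN cd /opt/nginx-${VER} && ./configure --prefix=/apps/nginx && make && make install && ln -sv /apps/nginx/sbin/nginx /usr/bin

# Dedicated service account with a fixed uid/gid (predictable ownership on mounted volumes).
RUN addgroup -g 2088 -S nginx
# NOTE(review): `/bin/sh` here is not bound to a `-s` flag, so busybox adduser sees it as a positional
# argument — confirm the intended login shell (a service account should normally get /sbin/nologin).
RUN adduser  nginx -u 2088 -D -S /bin/sh -G nginx
# No password is set for nginx: the former `passwd nginx` step baked a known credential into an
# image layer, and nothing in this image needs to log in as that user.
RUN mkdir -p /data/nginx/html/

COPY nginx.conf /apps/nginx/conf/nginx.conf
# Extracts the packaged front-end into the web root.
ADD frontend.tar.gz /apps/nginx/html/

RUN chown -R nginx:nginx /data/nginx/ /apps/nginx/

EXPOSE 80 443

# nginx has to stay in the foreground for the container to keep running; presumably nginx.conf sets
# `daemon off;` (the Ubuntu variant passes it via -g instead) — confirm, otherwise use CMD ["nginx","-g","daemon off;"].
CMD ["nginx"]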
[root@docker-master 2.alpine3.18-nginx1.24-dockerfile-case]# cat build-command.sh 
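#!/bin/bash
# Build the Alpine-based nginx business image from the Dockerfile next to this script.
set -euo pipefail

# Use the script's own directory as the build context so it works from any cwd.
cd -- "$(dirname -- "$0")"
docker build -t harbor.magedu.net/myserver/nginx:alpine-v1 .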
# 使用构建的镜像启动容器
[root@docker-master 2.alpine3.18-nginx1.24-dockerfile-case]# docker run -d --rm -p 80:80 harbor.magedu.net/myserver/nginx:alpine-v1 
# 验证

在这里插入图片描述

# 基于ubuntu构建业务基础镜像
[root@docker-master 1.ubuntu2204-nginx1.22-dockerfile-case]# ll
总用量 1108
-rw-r--r--. 1 root root     266 727 23:21 build-command.sh
-rw-r--r--. 1 root root     892 727 23:33 Dockerfile
-rw-r--r--. 1 root root   38751 85 2022 frontend.tar.gz
drwxr-xr-x. 3 root root      38 723 15:23 html
-rw-r--r--. 1 root root 1073322 524 2022 nginx-1.22.0.tar.gz
-rw-r--r--. 1 root root    2812 103 2020 nginx.conf
-rw-r--r--. 1 root root    2057 727 23:21 sources.list
[root@docker-master 1.ubuntu2204-nginx1.22-dockerfile-case]# cat build-command.sh 
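#!/bin/bash
# Build the Ubuntu-based nginx business image from the Dockerfile next to this script.
set -euo pipefail

# Use the script's own directory as the build context so it works from any cwd.
cd -- "$(dirname -- "$0")"
docker build -t harbor.magedu.net/myserver/nginx:v1 .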
[root@docker-master 1.ubuntu2204-nginx1.22-dockerfile-case]# cat Dockerfile 
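# Ubuntu-based nginx business image: nginx ${VER} compiled from source under /apps/nginx.
# NOTE(review): the case directory is named ubuntu2204 but the base tag is ubuntu:20.04 — confirm which is intended.
FROM ubuntu:20.04
# MAINTAINER is deprecated in favor of LABEL.
LABEL maintainer="jack 2973707860@qq.com"


#ADD sources.list /etc/apt/sources.list

# Build-time only (ARG, not ENV): keeps apt from blocking on interactive prompts during the build.
ARG DEBIAN_FRONTEND=noninteractive
# apt-get is the script-stable CLI; update+install in one layer and drop the index so it is not baked in.
# The package list is the original one with its repeated entries removed.
# NOTE(review): openssh-server and nfs-kernel-server add listening-service surface to a web-server image — confirm they are needed.
RUN apt-get update \
    && apt-get install -y iproute2 ntpdate tcpdump telnet traceroute nfs-kernel-server nfs-common \
       lrzsz tree openssl libssl-dev libpcre3 libpcre3-dev zlib1g-dev gcc openssh-server \
       iotop unzip zip make vim \
    && rm -rf /var/lib/apt/lists/*


# Same ARG-driven version as the Alpine variant, so one edit bumps both the tarball and the build path.
ARG VER=1.22.0
ADD nginx-${VER}.tar.gz /usr/local/src/
RUN cd /usr/local/src/nginx-${VER} && ./configure --prefix=/apps/nginx && make && make install && ln -sv /apps/nginx/sbin/nginx /usr/bin
# Fixed uid/gid and no login shell: a service account only.
RUN groupadd -g 2088 nginx && useradd -g nginx -s /usr/sbin/nologin -u 2088 nginx && chown -R nginx:nginx /apps/nginx
COPY nginx.conf /apps/nginx/conf/
# Extracts the packaged front-end into the web root.
ADD frontend.tar.gz /apps/nginx/html/


EXPOSE 80 443
#ENTRYPOINT ["nginx"]
# -g "daemon off;" keeps nginx in the foreground as the container's PID 1.
CMD ["nginx","-g","daemon off;"]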
# 启动容器
[root@docker-master 1.ubuntu2204-nginx1.22-dockerfile-case]# docker run -d --rm -p 80:80 harbor.magedu.net/myserver/nginx:v1
# 验证

在这里插入图片描述

5、基于docker-compose单机编排运行Nginx+Java APP+MySQL服务

[root@docker-master case3-custom-network]# ll
总用量 4
-rw-r--r--. 1 root root 1840 729 00:37 docker-compose.yml
[root@docker-master case3-custom-network]# cat docker-compose.yml 
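version: '3.3'
services:
  nginx-server:
    image: harbor.magedu.net/myserver/nginx:v1
    container_name: nginx-web1
#    network_mode: bridge # network option 1: the default docker0 bridge created when docker was installed
    volumes:
      # Named volume (declared below). The name is a leftover from the template: it holds nginx data, not DB data.
      - db-data:/data/nginx
    expose:
      - 80
      - 443
    ports:
      - "80:80"
      - "443:443"
    networks: # network option 2: user-defined networks; compose creates them (with a subnet) if absent, and this container gets two interfaces
      - front
      - backend
    # On a user-defined network the service name tomcat-server already resolves through Docker's DNS
    # (nginx.conf proxies to http://tomcat-server:8080), so the legacy `links` entry is replaced by
    # depends_on, which keeps only the start-ordering part.
    depends_on:
      - tomcat-server

  tomcat-server:
    #image: tomcat:7.0.93-alpine
    image: registry.cn-hangzhou.aliyuncs.com/zhangshijie/tomcat-myapp:v1
    container_name: tomcat-app1
    ##network_mode: bridge # network option 1: the default docker0 bridge created when docker was installed
    #expose:
    #  - 8080
    #ports:
    #  - "8080:8080"
    networks: # network option 2: backend only, so this container gets one interface
      - backend
    # mysql-container is resolvable by name on the backend network; depends_on only orders startup.
    depends_on:
      - mysql-server

  mysql-server:
    # NOTE(review): an unpinned tag lets a re-pull move to a new major version on top of the data in /data/mysql — pin a version.
    image: mysql:latest
    container_name: mysql-container
#    network_mode: bridge # network option 1: the default docker0 bridge created when docker was installed
    volumes:
      - /data/mysql:/var/lib/mysql
      #- /etc/mysql/conf/my.cnf:/etc/my.cnf:ro
    environment:
      # The root password sits in this file in clear text; keep the file out of version control or move it to an env_file.
      - "MYSQL_ROOT_PASSWORD=12345678"
      - "TZ=Asia/Shanghai"
    expose:
      - 3306
    ports:
      # Only tomcat (on the backend network) needs MySQL; if no remote client does, publish as
      # "127.0.0.1:3306:3306" so the root account is not reachable from other hosts.
      - "3306:3306"
    networks: # network option 2: backend only, so this container gets one interface
      - backend

volumes:
  db-data:

networks:
  front: # user-defined front-end network, created by docker-compose
    driver: bridge
  backend:  # user-defined back-end network, created by docker-compose
    driver: bridge
  default: # reuse the pre-existing docker0 network (172.17.0.1/16)
    external:
      name: bridge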
# 执行docker-compose
[root@docker-master case3-custom-network]# docker-compose up -d
[root@docker-master case3-custom-network]# docker-compose ps
     Name                    Command               State                    Ports                  
---------------------------------------------------------------------------------------------------
mysql-container   docker-entrypoint.sh mysqld      Up      0.0.0.0:3306->3306/tcp, 33060/tcp       
nginx-web1        /docker-entrypoint.sh ngin ...   Up      0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
tomcat-app1       /apps/tomcat/bin/docker-en ...   Up      8080/tcp, 8443/tcp  
# 验证nginx访问

在这里插入图片描述

# 修改nginx配置,使得nginx访问http://172.18.10.13/myapp/跳转到tomcat
[root@docker-master case3-custom-network]# docker exec -it nginx-web1 bash
root@2b458d520f55:/apps/nginx# cd /apps/nginx
root@2b458d520f55:/apps/nginx# vim /apps/nginx/conf/nginx.conf
       location /myapp {
           proxy_pass http://tomcat-server:8080;
       }
root@2b458d520f55:/apps/nginx# ./sbin/nginx -s reload
# 验证tomcat和mysql的通信
[root@docker-master case3-custom-network]# docker exec -it tomcat-app1 bash
[root@ca80528d3307 /]# ping mysql-container

在这里插入图片描述

# 验证mysql的可用性
[root@docker-master case3-custom-network]# docker exec -it  mysql-container bash
root@7722b05e3f3e:/# mysql -uroot -p12345678

在这里插入图片描述
