Docker, Day 4
Notes
1. Installing docker-compose
[ root@localhost ~]
[ root@localhost ~]
[ root@localhost ~]
[ root@localhost ~]
[ root@localhost ~]
2. Using docker-compose
docker-compose up -d
Options:
-d : run the containers in the background (daemon mode)
docker-compose down
The project is described in one of these files:
vim docker-compose.yaml
vim docker-compose.yml
vim docker-compose.json
3. The docker-compose configuration file
version : version of the configuration file format
services : the project; one docker-compose file holds exactly one project, and a project can contain several services
xxx : service name (for example nginxweb)
image : image the service runs
version: "3"
services:
  nginxweb:
    image: nginx
3.1 build
Build the image from a Dockerfile on the fly, then run it.
build : path to the directory containing the Dockerfile
[root@localhost work]
version: "3"
services:
  django:
    build: ./django
3.2 command
Override the container's start command.
version: "3"
services:
  nginxweb:
    build: ./django
    command: python manage.py runserver 0.0.0.0:8080
3.3 container_name
Set the container name explicitly; the default is project-name_service-name_index.
version: "3"
services:
  django:
    build: ./django
    command: python manage.py runserver 0.0.0.0:8080
    container_name: djangovip
3.4 depends_on
Expresses dependencies between services and controls their start order.
version: "3"
services:
  django:
    build: ./django
    command: python manage.py runserver 0.0.0.0:8080
    container_name: djangovip
  nginx:
    image: nginx
    depends_on:
      - django
[root@localhost work]
Creating network "work_default" with the default driver
Creating djangovip ... done
Creating work_nginx_1 ... done
3.5 env_file
Name a file of environment variables; use it when several variables are needed.
version: "3"
services:
  django:
    build: ./django
    command: python manage.py runserver 0.0.0.0:8080
    container_name: djangovip
  nginx:
    image: nginx
    depends_on:
      - django
    env_file:
      - ./env
Contents of ./env:
NGINX_NAME=nginx
AOTE_MAN=dijia
[root@localhost work]
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=e9e80bbb41b0
NGINX_NAME=nginx
AOTE_MAN=dijia
NGINX_VERSION=1.21.4
NJS_VERSION=0.7.0
PKG_RELEASE=1~bullseye
HOME=/root
3.6 environment
Set individual environment variables.
version: "3"
services:
  django:
    build: ./django
    command: python manage.py runserver 0.0.0.0:8080
    container_name: djangovip
  nginx:
    image: nginx
    depends_on:
      - django
    env_file:
      - ./env
    environment:
      NAME: zhang
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=b4d706fd199c
NGINX_NAME=nginx
AOTE_MAN=dijia
NAME=zhang
NGINX_VERSION=1.21.4
NJS_VERSION=0.7.0
PKG_RELEASE=1~bullseye
HOME=/root
3.7 healthcheck
Container health check.
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost"]
      interval: 1m
      timeout: 10s
      retries: 3
[root@localhost work]
STATUS                              PORTS     NAMES
Up 35 seconds (health: starting)    80/tcp    work_nginx_1
Up 2 minutes (healthy)
3.8 networks
  nginx:
    networks:
      - sailuo
networks:
  sailuo:
networks under a service selects which bridge network that service joins;
networks at the top level declares the networks that get created.
3.9 ports
Map (expose) host ports to container ports.
    ports:
      - 8092:80
      - 8093:443
PORTS                                          NAMES
0.0.0.0:8092->80/tcp, 0.0.0.0:8093->443/tcp    work_nginx_1
3.10 sysctls
Set kernel parameters inside the container.
    sysctls:
      - net.core.somaxconn=1024
      - net.ipv4.tcp_syncookies=0
3.11 ulimits
    ulimits:
      nproc: 65535
      nofile:
        soft: 20000
        hard: 40000
hard: 40000 is the system hard limit; only root can raise it.
3.12 volumes (bind-mount a host directory into the container)
    volumes:
      - /opt:/usr/share/nginx/html
root@90c3f69e2eee:/usr/share/nginx/html
total 0
drwx--x--x. 4 root root 28 Dec 29 08:26 containerd
root@90c3f69e2eee:/usr/share/nginx/html
[root@localhost work]
[root@localhost opt]
total 0
-rw-r--r--. 1 root root 0 Dec 30 21:08 1.txt
drwx--x--x. 4 root root 28 Dec 29 16:26 containerd
Example:
version: "3"
services:
  django:
    build: ./django
    container_name: django
    networks:
      - nginx
  nginx:
    build: ./nginx
    ports:
      - 8098:80
    networks:
      - nginx
    depends_on:
      - django
networks:
  nginx:
bbs
version: "3"
services:
  bbs:
    build: ./bbs
    container_name: bbs
    networks:
      - nginx
  nginx:
    build: ./nginx
    ports:
      - 8098:80
    depends_on:
      - bbs
    networks:
      - nginx
networks:
  nginx:
Docker graphical management (Portainer)
version: "3"
services:
  portainer:
    image: cr.portainer.io/portainer/portainer-ce:2.9.3
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./portainer_data:/data
    ports:
      - 8000:8000
      - 9443:9443
    container_name: portainer
4. Harbor
Harbor is an open-source Registry server project designed by VMware's China team for enterprise users. It includes the features enterprises need, such as role-based access control (RBAC), LDAP, auditing, a management UI, self-registration and HA, and adds image replication and Chinese-language support for Chinese users. As an enterprise-grade private Registry server, Harbor offers better performance and security and makes moving images between build and runtime environments through the Registry more efficient. Harbor supports replicating images across several Registry nodes, and all images are kept in the private Registry, so data and intellectual property stay under the control of the company's internal network. Harbor also provides advanced security features such as user management, access control and activity auditing.
4.1 Configuring HTTPS
1. Generate the CA private key
mkdir /opt/cert
cd /opt/cert
openssl genrsa -out ca.key 4096
2. Generate the CA certificate
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=ShangHai/L=ShangHai/O=Oldboy/OU=Linux/CN=192.168.15.101" \
  -key ca.key \
  -out ca.crt
3. Generate the server private key
openssl genrsa -out 192.168.15.101.key 4096
4. Generate the certificate signing request
openssl req -sha512 -new \
  -subj "/C=CN/ST=ShangHai/L=ShangHai/O=Oldboy/OU=Linux/CN=192.168.15.101" \
  -key 192.168.15.101.key \
  -out 192.168.15.101.csr
5. Generate an x509 v3 extension file
Domain-name form:
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=yourdomain.com
DNS.2=yourdomain
DNS.3=hostname
EOF
IP-address form (the one used here, since the registry is addressed by IP):
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.15.101
EOF
6. Generate the server certificate using v3.ext
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in 192.168.15.101.csr \
  -out 192.168.15.101.crt
7. Provide the certificates to Harbor and Docker
openssl x509 -inform PEM -in 192.168.15.101.crt -out 192.168.15.101.cert
mkdir -pv /etc/docker/certs.d/192.168.15.101/
cp 192.168.15.101.cert /etc/docker/certs.d/192.168.15.101/
cp 192.168.15.101.key /etc/docker/certs.d/192.168.15.101/
cp ca.crt /etc/docker/certs.d/192.168.15.101/
(If Harbor listens on a port other than 443, the directory is /etc/docker/certs.d/192.168.15.101:port instead.)
mkdir -p /data/cert
cp 192.168.15.101.crt /data/cert
cp 192.168.15.101.key /data/cert
cd /data/cert
8. Trust the certificate
Add the following to /etc/docker/daemon.json:
{
  "registry-mirrors": ["https://uksar295.mirror.aliyuncs.com"],
  "insecure-registries": ["192.168.15.101"]
}
9. Have Docker load the certificates
systemctl restart docker
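Steps 1 to 7 of 4.1 as one script, added here as an example and not part of the original notes: it generates the CA and the IP-SAN server certificate into a directory given as a parameter, then verifies the chain, the SAN and the server-auth EKU with openssl before anything is copied into /etc/docker/certs.d or /data/cert. It assumes openssl is on the PATH and gives the CA its own CN (Harbor-CA) instead of reusing the IP as the notes do; the verification it performs is the one Docker itself performs once ca.crt sits under /etc/docker/certs.d/<ip>/, which is why that file makes the "insecure-registries" entry unnecessary.

```shell
#!/bin/sh
# Added example (not from the notes): steps 1-7 of 4.1 as two functions.
# gen_harbor_certs DIR IP -> writes ca.key, ca.crt, IP.key, IP.csr, IP.crt, IP.cert into DIR
gen_harbor_certs() {
  dir=$1; ip=$2
  mkdir -p "$dir"
  # Steps 1-2: CA key and self-signed CA certificate. The CA gets its own CN
  # (assumed here; the notes reuse the IP) so the CA and server DNs differ.
  openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=ShangHai/L=ShangHai/O=Oldboy/OU=Linux/CN=Harbor-CA" \
    -key "$dir/ca.key" -out "$dir/ca.crt"
  # Steps 3-4: server key and CSR with the registry address as CN
  openssl genrsa -out "$dir/$ip.key" 4096 2>/dev/null
  openssl req -sha512 -new \
    -subj "/C=CN/ST=ShangHai/L=ShangHai/O=Oldboy/OU=Linux/CN=$ip" \
    -key "$dir/$ip.key" -out "$dir/$ip.csr"
  # Step 5: v3 extensions. Clients match the IP SAN, not the CN, so the
  # subjectAltName line is what makes docker login/push accept the certificate.
  cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF
  # Step 6: sign the CSR with the CA
  openssl x509 -req -sha512 -days 3650 -extfile "$dir/v3.ext" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -in "$dir/$ip.csr" -out "$dir/$ip.crt" 2>/dev/null
  # Step 7: the copy Docker reads from /etc/docker/certs.d/<ip>/ uses a .cert suffix
  openssl x509 -inform PEM -in "$dir/$ip.crt" -out "$dir/$ip.cert"
}

# verify_harbor_cert DIR IP -> prints "ok" when IP.crt chains to ca.crt, carries the
# IP SAN and is marked for server authentication; otherwise prints the failed check.
# This is the check Docker performs against the ca.crt placed under certs.d, so the
# registry does not also need to be listed in "insecure-registries" once it is there.
verify_harbor_cert() {
  dir=$1; ip=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/$ip.crt" >/dev/null 2>&1 || { echo chain; return 1; }
  text=$(openssl x509 -in "$dir/$ip.crt" -noout -text)
  echo "$text" | grep -qF "IP Address:$ip" || { echo san; return 1; }
  echo "$text" | grep -qF "TLS Web Server Authentication" || { echo eku; return 1; }
  echo ok
}
```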
4.2 Installing Harbor
1. Install Harbor
[root@localhost ~]
cd /usr/local/harbor
docker load < harbor.v2.3.3.tar.gz
2. Edit Harbor's configuration file
cp harbor.yml.tmpl harbor.yml
vim harbor.yml
hostname: 192.168.15.101
https:
  certificate: /data/cert/192.168.15.101.crt
  private_key: /data/cert/192.168.15.101.key
3. Install and start
./install.sh
4.3 Letting other Docker hosts trust the registry
mkdir -pv /etc/docker/certs.d/192.168.15.101/
cd /opt/cert
scp 192.168.15.101.cert root@192.168.15.100:/etc/docker/certs.d/192.168.15.101/
scp 192.168.15.101.key root@192.168.15.100:/etc/docker/certs.d/192.168.15.101/
scp ca.crt root@192.168.15.100:/etc/docker/certs.d/192.168.15.101/
Add the following to /etc/docker/daemon.json:
{
  "registry-mirrors": ["https://uksar295.mirror.aliyuncs.com"],
  "insecure-registries": ["192.168.15.101"]
}
systemctl restart docker
1. Log in
docker login 192.168.15.101
2. Tag the image
docker tag nginx:latest 192.168.15.101/linux/nginx:latest
3. Push
docker push 192.168.15.101/linux/nginx:latest