Deploying a Spring Boot project with Docker
Using the dockerfile-maven-plugin Maven plugin
Install Docker on the server
(omitted)
Enable remote access to Docker
- Check the Docker service status (this also shows where docker.service is located)
pi@raspberrypi:~ $ service docker status
● docker.service - Docker Application Container Engine
Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2022-04-17 17:28:04 CST; 1 months 2 days ago
...
...
...
- Edit docker.service
vim /lib/systemd/system/docker.service
- Under [Service], modify ExecStart by adding -H tcp://0.0.0.0:2375 to expose the Docker service externally (it is recommended not to use the default port 2375)
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H fd:// --containerd=/run/containerd/containerd.sock
- Reload the Docker configuration so the change takes effect
systemctl daemon-reload
systemctl restart docker
- Open the port in the server firewall
- Open http://ip:2375/version in a browser to test whether it works
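A plaintext -H tcp://0.0.0.0:2375 listener like the one configured above exposes the Docker API, which is root-equivalent on the host, to anyone who can reach the port; the TLS setup later on this page is what closes that gap. The following POSIX shell script is an added example, not part of the original post: it audits a docker.service ExecStart line for a tcp:// listener without --tlsverify, and for the plaintext default port 2375 the post advises against. The two sample lines are constructed from this post's own docker.service edits, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit dockerd ExecStart lines
# for a network listener that has no TLS client verification.

# check_exec_start LINE
#   returns 0 if the line is acceptable,
#   1 if it binds a tcp:// address without --tlsverify,
#   2 if TLS is on but the plaintext default port 2375 is still used.
check_exec_start() {
    line=$1
    case "$line" in
        *tcp://*) ;;          # has a TCP listener: keep auditing
        *) return 0 ;;        # unix:// or fd:// only: not reachable over the network
    esac
    case "$line" in
        *--tlsverify*) ;;
        *) return 1 ;;
    esac
    case "$line" in
        *tcp://*:2375*) return 2 ;;
    esac
    return 0
}

# audit_unit_file PATH
#   prints a verdict for every ExecStart= line in a systemd unit file and
#   returns non-zero if any of them fails check_exec_start.
audit_unit_file() {
    unit=$1
    bad=0
    while IFS= read -r l; do
        case "$l" in ExecStart=*) ;; *) continue ;; esac
        cmd=${l#ExecStart=}
        if check_exec_start "$cmd"; then
            echo "ok   $cmd"
        else
            echo "WARN $cmd"
            bad=1
        fi
    done < "$unit"
    return $bad
}

# Constructed samples taken from the post's two docker.service edits.
PLAIN_LINE='/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H fd:// --containerd=/run/containerd/containerd.sock'
TLS_LINE='/usr/bin/dockerd --tlsverify --tlscacert=/home/pi/ca/ca.pem --tlscert=/home/pi/ca/server-cert.pem --tlskey=/home/pi/ca/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock'
```

Run `audit_unit_file /lib/systemd/system/docker.service` on the server after each edit; the first edit on this page produces a WARN line, the TLS edit later on the page produces an ok line.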
Securing the Docker service with TLS (HTTPS)
1. Generate the CA public key and private key on the server
# Create a directory for the CA certificates
pi@raspberrypi:~ $ mkdir ca
# Enter the directory
pi@raspberrypi:~ $ cd ca
# Generate the private key (you will be prompted for a pass phrase)
pi@raspberrypi:~/ca $ openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
..........................++++
.......++++
e is 65537 (0x010001)
Enter pass phrase for ca-key.pem:
# Generate the certificate (you need to enter the pass phrase from above plus some other information; note: fill in the server's public IP for Common Name)
pi@raspberrypi:~/ca $ openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ZheJiang
Locality Name (eg, city) []:HangZhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:yanghao
Organizational Unit Name (eg, section) []:yanghao
Common Name (e.g. server FQDN or YOUR name) []:192.168.3.3
Email Address []:yh.124@qq.com
With the CA in place, you can now create the server key and certificate signing request (CSR). Make sure the "Common Name" matches the hostname you use to connect to Docker.
2. Create the server key and certificate signing request
# Create the server key
pi@raspberrypi:~/ca $ openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
................................................................++++
.........++++
e is 65537 (0x010001)
# Certificate signing request (change this to your server's IP)
openssl req -subj "/CN=192.168.3.3" -sha256 -new -key server-key.pem -out server.csr
3. Configure the whitelist
Configure the addresses that connections may be made to (verified through the server certificate); several IPs can be listed
echo subjectAltName = IP:192.168.3.3,IP:192.168.3.5 >> extfile.cnf
4. Set the extended key usage attribute of the Docker daemon's key so it is used for server authentication only
echo extendedKeyUsage = serverAuth >> extfile.cnf
5. Generate the signed certificate (you will be prompted for the pass phrase)
openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf
6. For client authentication, create a client key and certificate signing request
# Generate key.pem
openssl genrsa -out key.pem 4096
# Generate the CSR
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
# Create the config file
echo extendedKeyUsage = clientAuth > extfile-client.cnf
# Generate the signed certificate
openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out cert.pem -extfile extfile-client.cnf
# Copy the server-side ca.pem, cert.pem and key.pem to the local machine
scp ca.pem cert.pem key.pem yh@192.168.3.5:/Users/yh/ca
7. Delete the files that are no longer needed
# Server (server side)
rm -rf server.csr extfile.cnf client.csr extfile-client.cnf
8. Change the file permissions to prevent accidental deletion
# Server side
chmod -v 0400 ca-key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem
# Client side
chmod -v 0400 key.pem
chmod -v 0444 ca.pem cert.pem
9. Edit the server's docker.service again
vim /lib/systemd/system/docker.service
# Modify ExecStart (add the certificate paths)
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/home/pi/ca/ca.pem --tlscert=/home/pi/ca/server-cert.pem --tlskey=/home/pi/ca/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock
10. Reload the daemon and restart Docker
systemctl daemon-reload && systemctl restart docker
11. Configure the local environment
mkdir -pv ~/.docker
# Copy the certificates into .docker
cp -v {ca,cert,key}.pem ~/.docker
chmod -v 0400 ~/.docker/key.pem
chmod -v 0444 ~/.docker/ca.pem ~/.docker/cert.pem
# Set the environment variables (DOCKER_HOST must point at the server's IP, not 0.0.0.0)
export DOCKER_HOST=tcp://192.168.3.3:2376 DOCKER_TLS_VERIFY=1
12. Test from the client
# With the environment variables set, you can access the server's Docker service directly
docker ps
# Without the environment variables
docker --tlsverify --tlscacert=/Users/yh/.docker/ca.pem --tlscert=/Users/yh/.docker/cert.pem --tlskey=/Users/yh/.docker/key.pem -H=tcp://192.168.3.3:2376 version
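Steps 1 to 8 above are typed interactively, and nothing in them confirms that the three certificates really carry the roles the daemon and client rely on (the server certificate valid for the IP the client connects to, the client certificate usable only as a client). The script below is an added example, not from the original post: it runs the same openssl steps non-interactively with a minimal inline config (so it does not depend on a system openssl.cnf) and then checks the result with openssl verify. Assumptions: openssl 1.1.1 or newer on PATH, 2048-bit keys for speed where the post uses 4096, CA_PASS as a placeholder pass phrase rather than a real secret, and function names that are mine.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive version of the
# post's certificate steps 1-8 plus checks on the resulting certificates.
# Assumptions: openssl 1.1.1+; CA_PASS is a placeholder; 2048-bit keys.
set -eu

# make_docker_tls_certs DIR SANS
#   DIR  : output directory (the post uses ~/ca on the server)
#   SANS : subjectAltName list, e.g. "IP:192.168.3.3,IP:192.168.3.5"
make_docker_tls_certs() {
    dir=$1
    sans=$2
    pass=${CA_PASS:-placeholder-pass-phrase}   # placeholder, replace in real use
    mkdir -p "$dir"
    (
        cd "$dir"
        # Minimal req config so the script does not depend on a system openssl.cnf
        cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
        # 1. Encrypted CA private key and self-signed CA certificate
        openssl genrsa -aes256 -passout "pass:$pass" -out ca-key.pem 2048 2>/dev/null
        openssl req -config req.cnf -new -x509 -days 3650 -sha256 -subj "/CN=docker-ca" \
            -key ca-key.pem -passin "pass:$pass" -out ca.pem
        # 2-5. Server key, CSR, SAN + serverAuth extension file, signed server cert
        openssl genrsa -out server-key.pem 2048 2>/dev/null
        openssl req -config req.cnf -subj "/CN=docker-server" -sha256 -new \
            -key server-key.pem -out server.csr
        printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$sans" > extfile.cnf
        openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
            -passin "pass:$pass" -CAcreateserial -out server-cert.pem -extfile extfile.cnf 2>/dev/null
        # 6. Client key, CSR, clientAuth extension file, signed client cert
        openssl genrsa -out key.pem 2048 2>/dev/null
        openssl req -config req.cnf -subj '/CN=client' -new -key key.pem -out client.csr
        echo 'extendedKeyUsage = clientAuth' > extfile-client.cnf
        openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
            -passin "pass:$pass" -CAcreateserial -out cert.pem -extfile extfile-client.cnf 2>/dev/null
        # 7-8. Remove the requests and lock down the files as the post does
        rm -f server.csr client.csr extfile.cnf extfile-client.cnf req.cnf
        chmod 0400 ca-key.pem server-key.pem key.pem
        chmod 0444 ca.pem server-cert.pem cert.pem
    )
}

# verify_docker_tls_certs DIR IP
#   returns 0 only if every property the daemon and client rely on holds.
verify_docker_tls_certs() {
    dir=$1
    ip=$2
    # server cert chains to the CA and is acceptable as a TLS server
    openssl verify -purpose sslserver -CAfile "$dir/ca.pem" "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
    # client cert chains to the CA and is acceptable as a TLS client
    openssl verify -purpose sslclient -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1 || return 1
    # client cert must NOT pass as a server: its extendedKeyUsage is clientAuth only
    if openssl verify -purpose sslserver -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1; then
        return 1
    fi
    # the IP the client connects to must appear in the server cert's subjectAltName
    openssl x509 -in "$dir/server-cert.pem" -noout -text \
        | tr ',' '\n' | sed 's/^ *//' | grep -qx "IP Address:$ip"
}
```

On the server, `make_docker_tls_certs ~/ca "IP:192.168.3.3,IP:192.168.3.5"` followed by `verify_docker_tls_certs ~/ca 192.168.3.3` reproduces the post's layout; the same verify function, pointed at ~/.docker, can confirm the copied client files before setting DOCKER_HOST.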
Project configuration
Configure the dockerfile-maven-plugin
<build>
<plugins>
<!-- dockerfile maven -->
<plugin>
<groupId>com.spotify</groupId>
<artifactId>dockerfile-maven-plugin</artifactId>
<executions>
<execution>
<id>default</id>
<goals>
<goal>build</goal>
<goal>push</goal>
</goals>
<configuration>
</configuration>
</execution>
</executions>
<!-- Docker image related configuration -->
<configuration>
<contextDirectory>${project.basedir}</contextDirectory>
<dockerfile>${project.basedir}/Dockerfile</dockerfile>
<!-- Use the username and password tags, or set useMavenSettingsForAuth and configure the servers in settings.xml -->
<useMavenSettingsForAuth>false</useMavenSettingsForAuth>
<username>xxx</username>
<password>xxx</password>
<!-- Remote repository address -->
<repository>${docker.repository.registry}/${docker.repository.namespace}/${project.artifactId}</repository>
<tag>${project.version}</tag>
<buildArgs>
<JAR_FILE>${project.build.finalName}.jar</JAR_FILE>
</buildArgs>
</configuration>
</plugin>
</plugins>
</build>
Dockerfile
FROM houwm/jdk8:arm64
LABEL maintainer="yanghao<yh.124@qq.com>"
# Build argument
ARG JAR_FILE
# Environment variables
ENV TZ=Asia/Shanghai LANG=C.UTF-8
# JVM options must come before -jar; Spring Boot arguments come after the jar
ENV JAVA_OPTS="-Xms512m -Xmx512m"
ENV PARAMS="--server.port=8080 --spring.profiles.active=prod"
# Set the time zone
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
# Copy the jar
COPY target/${JAR_FILE} /app.jar
# Expose the port
EXPOSE 8080
# Working directory
WORKDIR /
# Start command
ENTRYPOINT ["/bin/sh","-c","java ${JAVA_OPTS} -jar /app.jar ${PARAMS}"]
Deploying the project
# Builds the image automatically on the remote server
mvn package
# so this step can be skipped
mvn dockerfile:build
# Pushes the image to the remote repository automatically
mvn deploy
# so this step can be skipped
mvn dockerfile:push
# To temporarily skip all Dockerfile-related goals, run the following Maven command
mvn clean install -Ddockerfile.skip
# To skip a single goal
mvn clean package -Ddockerfile.build.skip
mvn clean package -Ddockerfile.tag.skip
mvn clean deploy -Ddockerfile.push.skip