#---------------------------------------------
# --> 二进制安装Docker
# -- aarch64 就是arm 架构CPU
#---------------------------------------------
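## Remove any distro-packaged Docker first (destructive: every installed package matching docker* is removed).
yum list installed | grep docker
# Quote the pattern so yum receives it as-is instead of the shell expanding it against files in the current directory.
yum -y remove 'docker*'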
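#-- dockerd itself still runs as root; the account created here only backs the "docker" group that
#-- owns the API socket (see --group=docker in docker.service and SocketGroup=docker in docker.socket below).
#-- NOTE(review): every member of that group can drive the daemon, which the Docker documentation treats as
#-- root-equivalent access, so keep the group's membership as small as possible.
# Create the account directly with the intended home directory and no login shell instead of rewriting
# /etc/passwd with sed afterwards (a sed pattern miss would silently leave the account with a bash login shell).
# -M: do not create a home directory; /usr/local/docker is populated by the extraction step below.
if ! id docker >/dev/null 2>&1; then
  useradd -u 1000 -M -d /usr/local/docker -s /sbin/nologin docker
fi
getent passwd docker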
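# Download page: https://download.docker.com/linux/static/stable/aarch64/
docker_tgz=docker-24.0.0.tgz
docker_url="https://download.docker.com/linux/static/stable/aarch64/${docker_tgz}"
cd /root || exit 1
wget -O "${docker_tgz}" "${docker_url}" || exit 1
# The binaries in this archive are run as root by systemd below, so check the archive's integrity
# before extracting it. Set DOCKER_SHA256 to the digest of this exact release obtained from a
# trusted source; when it is not provided the script warns and continues as before.
if [[ -n "${DOCKER_SHA256:-}" ]]; then
  printf '%s  %s\n' "${DOCKER_SHA256}" "${docker_tgz}" | sha256sum -c - || exit 1
else
  printf 'warning: DOCKER_SHA256 not set, skipping integrity check of %s\n' "${docker_tgz}" >&2
fi
tar -zxvf "${docker_tgz}" || exit 1
# On a re-run /usr/local/docker already exists and mv would nest the new tree inside it; abort instead.
if [[ -e /usr/local/docker ]]; then
  printf '/usr/local/docker already exists, remove it before re-installing\n' >&2
  exit 1
fi
mv docker /usr/local/docker || exit 1
# Glob instead of parsing ls; -sfn replaces stale links on a re-run.
for bin in /usr/local/docker/*; do
  ln -sfn "${bin}" "/usr/local/bin/${bin##*/}"
done
# Alternative location for the links, kept for reference:
#for bin in /usr/local/docker/*; do ln -sfn "${bin}" "/usr/bin/${bin##*/}"; done
whereis docker
mkdir -p /data/docker_data/docker_root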
#--------------------------
# Write the containerd unit (started in the next step). The delimiter is quoted so the
# unit text is copied literally, without any shell expansion.
cat > /usr/lib/systemd/system/containerd.service <<'EOF'
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target
[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd
Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=1048576
TasksMax=infinity
OOMScoreAdjust=-999
[Install]
WantedBy=multi-user.target
EOF
##---------
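# Stop at the first failure instead of enabling and printing the status of a unit that did not start;
# --no-pager keeps `status` from blocking on a pager when run non-interactively.
systemctl daemon-reload && systemctl start containerd && systemctl enable containerd && systemctl status containerd --no-pager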
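# Add a systemd unit so docker (docker node) starts at boot.
# The delimiter is quoted: with an unquoted EOF the shell expands $MAINPID (unset here) to nothing and
# the written unit ends up with an empty `ExecReload=/bin/kill -s HUP`, so reloads would never signal dockerd.
cat > /usr/lib/systemd/system/docker.service <<'EOF'
###########################################
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket containerd.service
[Service]
Type=notify
EnvironmentFile=-/run/containers/registries.conf
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
Environment=DOCKER_HTTP_HOST_COMPAT=1
Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin:/usr/local/bin
# --data-root points at the directory this script creates (mkdir -p /data/docker_data/docker_root);
# the previous value /opt/docker_root was created by nothing in this script.
ExecStart=/usr/local/bin/dockerd --group=docker --data-root=/data/docker_data/docker_root -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3
# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
OOMScoreAdjust=-500
[Install]
WantedBy=multi-user.target
EOF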
##------------------------------
## Write the docker API socket unit. Quoted delimiter: the unit text is copied verbatim.
## Mode 0660 with group "docker" means every member of that group can talk to the daemon,
## so treat membership of the group as privileged access to the host.
cat > /usr/lib/systemd/system/docker.socket <<'EOF'
[Unit]
Description=Docker Socket for the API
PartOf=docker.service
[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker
[Install]
WantedBy=sockets.target
EOF
#-----------------------------------
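# Chain with && so a socket that failed to start is not enabled; --no-pager avoids blocking on a pager.
systemctl daemon-reload && systemctl start docker.socket && systemctl enable docker.socket && systemctl status docker.socket --no-pager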
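## Create the daemon configuration (docker node).
# The data root is already given as --data-root on the dockerd command line in docker.service; do not
# also set it here, since dockerd rejects an option that appears both as a flag and in daemon.json.
#"graph": "/data/docker_data/docker_root",
# -p: the directory may already exist (e.g. on a re-run); a plain mkdir would fail and skip nothing.
mkdir -p /etc/docker
# NOTE(review): "insecure-registries" lets the daemon fall back to plain HTTP or accept an untrusted
# certificate from 10.16.13.104:8443, so images pulled from it are not authenticated. If that registry
# serves TLS with a private CA, installing the CA as /etc/docker/certs.d/10.16.13.104:8443/ca.crt
# allows the entry to be dropped from this list.
cat > /etc/docker/daemon.json <<'EOF'
{
"registry-mirrors": ["https://mirror.aliyuncs.com"],
"insecure-registries": ["10.16.13.104:8443"],
"exec-opts": ["native.cgroupdriver=systemd"],
"storage-driver": "overlay2",
"log-driver": "json-file",
"log-opts": {
"max-size": "100m",
"max-file":"10"
}
}
EOF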
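##------------------------------
# Start and enable the daemon; stop at the first failure, and keep `status` off the pager.
systemctl daemon-reload && systemctl start docker && systemctl enable docker && systemctl status docker --no-pager
docker version
# Confirm the data root and cgroup driver the running daemon actually picked up.
docker info | grep 'Docker Root Dir'
docker info | grep -i cgroup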
## 2021年5月31日,阿里云应急响应中心监测到国外安全研究人员披露 CVE-2021-30465 runc 符号链接挂载与容器逃逸漏洞。
## --修复 (注意: 本文针对 aarch64 架构, 下面的链接是 amd64 版本的 runc, 请下载与本机架构对应的版本)
# https://github.com/opencontainers/runc/releases/download/v1.1.0/runc.amd64
# ARM架构二进制docker-compose下载地址:
# https://github.com/docker/compose/releases/download/v2.18.0/docker-compose-linux-aarch64