CentOS7 Docker 服务器搭建记录
记录一下在CentOS7上搭建Docker的过程,防止忘记。
------------------------------------------------ centos ----------------------------------------------------
一、切换yum 源
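# Replace the stock CentOS-Base repo with the Aliyun mirror and rebuild the
# metadata cache. The original file is kept as *.backup so this is reversible.
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
# Fetch the repo definition over HTTPS. This file decides where every package
# comes from; the original plain-HTTP download let anyone on the path swap it
# for one pointing at a hostile mirror.
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
yum makecache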
二、VNC Server
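# Install TigerVNC and run display :1 as an unprivileged user through systemd.
yum install tigervnc-server -y
cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:1.service
# Edit the copied unit so the two lines below name the account that owns the
# session (xxx here); the server must not run as root. "-localhost" binds VNC
# to 127.0.0.1 only: the VNC protocol is not encrypted, so reach it through an
# SSH tunnel (ssh -L 5901:127.0.0.1:5901 xxx@<server>) instead of exposing it.
vim /etc/systemd/system/vncserver@:1.service
#   ExecStart=/sbin/runuser -l xxx -c "/usr/bin/vncserver %i -localhost"
#   PIDFile=/home/xxx/.vnc/%H%i.pid
# Clear stale X state for this display only. The original removed the whole
# /tmp/.X11-unix directory (which breaks every other X session on the box) and
# had a typo in the lock file name (/tmp/.tX1-lock). Use the display number
# from the unit name (:1 -> X1).
rm -f /tmp/.X11-unix/X1 /tmp/.X1-lock
# Set the VNC password as the session user. The original ran `sudo vncpasswd`
# after `su xxx`, which writes root's ~/.vnc/passwd, not xxx's, so the service
# started below would have had no password file.
su - xxx -c /usr/bin/vncpasswd
systemctl daemon-reload
systemctl enable vncserver@:1.service
systemctl start vncserver@:1.service
# Only if direct, untunnelled access is really required, open the port as well:
# firewall-cmd --permanent --add-service vnc-server && systemctl restart firewalld.service
# Clipboard sharing: run this inside the VNC session, as the session user.
vncconfig &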
------------------------------------------------ docker ----------------------------------------------------
一、docker安装
1. 安装docker
# Install Docker Engine from Docker's own yum repository.
yum update
# Write the repo definition. gpgcheck=1 makes yum verify package signatures
# against the key fetched from gpgkey, so a compromised mirror cannot serve
# unsigned packages. NOTE(review): yum.dockerproject.org is the legacy
# "docker-engine" repo; newer installs use docker-ce from download.docker.com
# — confirm which applies before running this.
cat <<'EOF' | tee /etc/yum.repos.d/docker.repo
[dockerrepo]
name=Docker Repository
baseurl=https://yum.dockerproject.org/repo/main/centos/7/
enabled=1
gpgcheck=1
gpgkey=https://yum.dockerproject.org/gpg
EOF
yum install docker-engine
!!! docker 一些问题解决
1. 报
WARN:docker bridge-nf-call-iptables is disabled,
WARN:docker bridge-nf-call-ip6tables is disabled
解决:
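# Fix for "bridge-nf-call-iptables is disabled": while these are 0, traffic on
# the docker bridge bypasses iptables, so the rules Docker installs for port
# publishing and container isolation do not apply to it. The keys only exist
# while the bridge netfilter code is loaded, and editing sysctl.conf alone does
# nothing until it is re-read — both steps were missing from the original note.
modprobe br_netfilter 2>/dev/null || true   # separate module on newer kernels; part of "bridge" on older 3.10 builds
echo br_netfilter > /etc/modules-load.d/br_netfilter.conf   # load it again at boot
cat >> /etc/sysctl.conf <<'EOF'
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
EOF
sysctl -p /etc/sysctl.conf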
2. docker centos 正式环境存储设置
# Production storage for the devicemapper driver: a dedicated LVM thin pool on
# /dev/sda4 (direct-lvm).
pvcreate /dev/sda4                 # initialise the partition as an LVM physical volume
vgcreate docker /dev/sda4          # volume group named "docker"
# Data and metadata volumes; the remaining few percent are left free so the
# pool has room to auto-extend.
lvcreate --wipesignatures y -n thinpool docker -l 95%VG
lvcreate --wipesignatures y -n thinpoolmeta docker -l 1%VG
# Turn the pair into a thin pool: 512K chunks, no zeroing of freshly allocated blocks.
lvconvert -y --zero n -c 512K --thinpool docker/thinpool --poolmetadata docker/thinpoolmeta
# Auto-grow the pool by 20% each time it reaches 80% usage.
cat > /etc/lvm/profile/docker-thinpool.profile <<'EOF'
activation {
thin_pool_autoextend_threshold=80
thin_pool_autoextend_percent=20
}
EOF
lvchange --metadataprofile docker-thinpool docker/thinpool
lvs -o+seg_monitor                 # confirm the pool is being monitored
# daemon.json 配置
# Initial /etc/docker/daemon.json: point the devicemapper driver at the thin pool.
mkdir -p /etc/docker
cat > /etc/docker/daemon.json <<'EOF'
{
  "storage-driver": "devicemapper",
  "storage-opts": [
    "dm.thinpooldev=/dev/mapper/docker-thinpool",
    "dm.use_deferred_removal=true",
    "dm.use_deferred_deletion=true"
  ]
}
EOF
# daemon.json is one JSON object: keys added in later steps (registry mirror,
# hosts) must be merged into this file, not written as separate documents.
3. 配置registry镜像(阿里云)
# Add the Aliyun pull-through mirror to /etc/docker/daemon.json. Merge the key
# into the existing object — the file must remain a single JSON document.
vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://yirp6far.mirror.aliyuncs.com"]
}
4. 配置docker远程操作(使用Shipyard时不需要!! 注意:下面把 Docker API 暴露在 TCP 端口上,如果不启用 TLS 双向认证,任何能连到该端口的人都可以以 root 权限控制宿主机;除完全隔离的实验网络外,必须配置 tlsverify/tlscacert/tlscert/tlskey)
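# Remote engine API. Expose it over TCP ONLY with mutual TLS ("tlsverify"): an
# unauthenticated Docker socket lets anyone who can reach it start a privileged
# container, i.e. it is root on the host. The original config had no TLS at all.
# Merge these keys into the existing /etc/docker/daemon.json (single JSON object).
# The cert paths are the ones populated in the "swarm 证书" section below
# (ca.pem, server.pem, server-key.pem under /data/certs) — generate them first.
vim /etc/docker/daemon.json
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://192.168.199.228:2376"],
  "tlsverify": true,
  "tlscacert": "/data/certs/ca.pem",
  "tlscert": "/data/certs/server.pem",
  "tlskey": "/data/certs/server-key.pem"
}
# NOTE(review): if docker.service's ExecStart already passes -H, dockerd refuses
# to start with "hosts" set here as well — check the unit before restarting.
# Open the port only once TLS is configured.
firewall-cmd --zone=public --add-port=2376/tcp --permanent
systemctl restart firewalld.service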
99. 服务配置
# Pick up the unit/config changes, make Docker start at boot, and apply daemon.json
# by restarting the service (enable and restart are independent of each other).
systemctl daemon-reload
systemctl enable docker.service
systemctl restart docker
二、安装docker-compose
1. 地址 https://github.com/docker/compose/releases
2. 具体命令看上面地址
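# Install docker-compose from the GitHub release. Two problems with the original
# `curl -L ... > /usr/local/bin/docker-compose`: without -f an HTTP error page
# is saved as the "binary", and nothing checks what was downloaded before it is
# put on PATH and run as root.
COMPOSE_VERSION=1.9.0
tmp=$(mktemp) || exit 1
curl -fsSL "https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" -o "$tmp"
# Compare this digest with the one published on the releases page for the same
# asset before continuing.
sha256sum "$tmp"
install -m 0755 "$tmp" /usr/local/bin/docker-compose
rm -f -- "$tmp"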
三、搭建私有仓库registry
1. 生成相关目录;
# Registry data, htpasswd file and TLS material, each in its own directory.
mkdir -p /data/registry/{images,auth,certs}
2. 生成证书
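# Self-signed registry certificate, valid one year. The original prompted for the
# subject; set CN to the exact host name or IP clients will use for the registry,
# since docker rejects a certificate whose name does not match the endpoint.
: "${REGISTRY_HOST:?set REGISTRY_HOST to the name or IP clients will use for the registry}"
openssl req -newkey rsa:4096 -nodes -sha256 -subj "/CN=${REGISTRY_HOST}" -x509 -days 365 \
  -keyout /data/registry/certs/domain.key -out /data/registry/certs/domain.crt
# -nodes leaves the private key unencrypted on disk; lock the file down.
chmod 0600 /data/registry/certs/domain.key
# NOTE(review): newer Docker/Go clients ignore CN and require a subjectAltName;
# on OpenSSL 1.0.x that needs a -config file — confirm against the client
# versions in use. Each docker client also needs domain.crt installed as
# /etc/docker/certs.d/${REGISTRY_HOST}:5000/ca.crt to trust a self-signed cert.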
3. 生成认证文件
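# Create the registry's htpasswd file with a bcrypt (-B) hash. Do not pass the
# password on the command line as the original did: it lands in shell history
# and is visible to every user via `ps`. "123456" must also be replaced with a
# real password. -i makes htpasswd read the password from stdin.
read -rsp 'registry password for admin: ' REGISTRY_PASS; echo
printf '%s' "$REGISTRY_PASS" | docker run --rm -i --entrypoint htpasswd registry:2 -Bin admin > /data/registry/auth/htpasswd
unset REGISTRY_PASS
chmod 0600 /data/registry/auth/htpasswd
# NOTE(review): later registry images no longer ship htpasswd; if the tag in use
# lacks it, run the same command with the httpd:2 image instead.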
3. 启动register
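# Compose project for the registry. Keep it under /data/registry rather than
# /tmp as the original did: /tmp is typically cleaned up, leaving no project
# file for a later `docker-compose down` / `up`.
mkdir -p /data/registry
cat > /data/registry/docker-compose.yml <<'EOF'
registry:
  restart: always
  image: registry:2
  ports:
    - 5000:5000
  environment:
    # TLS plus htpasswd auth: without them credentials and images travel in clear.
    REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
    REGISTRY_HTTP_TLS_KEY: /certs/domain.key
    REGISTRY_AUTH: htpasswd
    REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
    REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
  volumes:
    - /data/registry/images:/var/lib/registry
    - /data/registry/certs:/certs
    - /data/registry/auth:/auth
EOF
cd /data/registry && docker-compose -p iw up -d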
4. 端口
# Allow the registry port (TLS + auth are configured above, so this is safe to expose).
firewall-cmd --permanent --zone=public --add-port=5000/tcp
systemctl restart firewalld.service
------------------------------------------ Shipyard ------------------------------------------
1. 主节点安装准备
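yum install curl
# Shipyard ports: 8101 is the UI (PORT below), 4001 the etcd endpoint used for
# DISCOVERY, 2376 the TLS engine API; 7001 and 3376 presumably etcd peer and
# swarm manager — verify against the deploy script.
for p in 8101 7001 4001 3376 2376; do
  firewall-cmd --zone=public --add-port="${p}/tcp" --permanent
done
# 2375 is the UNAUTHENTICATED engine API: anyone who can reach it is root on the
# host. The original opened it "when not using TLS"; it is deliberately left
# closed here and should only be opened on a fully isolated network:
# firewall-cmd --zone=public --add-port=2375/tcp --permanent
systemctl restart firewalld.service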
2. TLS 安全
# 直接使用CertM 快速生成(多个节点使用下方swarm证书生成)
# Generate a CA plus server/client bundle with certm in one step (for a
# multi-node swarm use the manual openssl steps in the "swarm 证书" section).
# NOTE(review): this presumably writes the CA private key into /data/certs next
# to the node keys — move it off the host once the bundle has been issued.
docker run --rm -v /data/certs:/certs ehazlett/certm \
  -d /certs bundle generate -o shipyard --host proxy --host 192.168.199.228
3. 安装
!!! BUGFIX shipyard 使用deploy ssl 配置的certs目录始终在/etc/shipyard
修正:
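# Work around the deploy script always reading certs from /etc/shipyard.
ln -s /data/certs /etc/shipyard
# Never pipe a remote script straight into a root shell as the original did:
# download it, read it, then run the copy you inspected (and keep that copy for
# the uninstall step).
curl -fsSL https://shipyard-project.com/deploy -o /root/shipyard-deploy.sh
less /root/shipyard-deploy.sh
TLS_CERT_PATH=/data/certs PORT=8101 bash /root/shipyard-deploy.sh
# uninstall: ACTION=remove bash /root/shipyard-deploy.sh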
4. 默认用户名密码
admin/shipyard (首次登录后立即修改,否则任何人都能用默认口令接管整个集群)
5. 节点安装
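# Join a node: same rule as on the manager — fetch the script, read it, then run
# it; do not pipe it straight into a root shell.
curl -fsSL https://shipyard-project.com/deploy -o /root/shipyard-deploy.sh
less /root/shipyard-deploy.sh
ACTION=node TLS_CERT_PATH=/data/certs DISCOVERY=etcd://192.168.199.228:4001 bash /root/shipyard-deploy.sh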
------------------------------------------ 一些常用命令 ------------------------------------------
# 停止所有docker container
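# Stop every container, running or not.
docker stop $(docker ps -a -q)
# Remove every container.
docker rm $(docker ps -a -q)
# Remove every image.
docker rmi $(docker images -q)
# Remove untagged (<none>) images. The original wrapped the awk program in curly
# “smart quotes”, which bash passes through literally so the command failed, and
# `grep none` also matched any image whose name merely contains "none".
docker images | grep '<none>' | awk '{print $3}' | xargs -r docker rmi
# Equivalent, and only removes images nothing references (the original note had
# this on a `//` line, which bash tries to execute).
docker rmi $(docker images -q --filter "dangling=true")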
------------------------------------------------ swarm 证书 ----------------------------------------------------
1. 准备
# 建立证书文件夹
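# Private keys are generated under /tmp below; with the default umask they would
# be world-readable, so restrict everything created from here on to root.
umask 077
# Working directories for the manager, the client and node1.
mkdir -p /tmp/certs/{client,swarm,swarm-node1}
# Name resolution between the two hosts (the certs are issued for these names).
# On swarm (192.168.199.228):
echo '192.168.199.123 swarm-node1' >> /etc/hosts
# On swarm-node1 (192.168.199.123):
echo '192.168.199.228 swarm' >> /etc/hosts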
1. 生成ca证书
# ca 秘钥
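# CA private key. It can sign any cert the cluster will trust, so keep it off
# the nodes: only ca.pem (the public cert) is copied into /data/certs below.
# genrsa leaves it unencrypted on disk, so restrict its mode at once.
openssl genrsa -out /tmp/certs/ca-key.pem 2048
chmod 0600 /tmp/certs/ca-key.pem
# CA certificate. Without -days, `openssl req -x509` issues a cert valid for only
# 30 days, after which every TLS connection in the cluster starts failing; the
# original omitted it. -subj avoids the interactive prompt.
openssl req -new -x509 -sha256 -days 3650 -subj "/CN=swarm-ca" -key /tmp/certs/ca-key.pem -out /tmp/certs/ca.pem
# Inspect: check "Not After" and that the cert carries CA:TRUE.
openssl rsa -in /tmp/certs/ca-key.pem -noout -text
openssl x509 -in /tmp/certs/ca.pem -noout -text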
2. 节点证书(!!!注意一定要保留好ca相关证书:ca-key.pem 能签发任何会被集群信任的证书,只保留在签发机上,不要拷贝到 /data/certs 或任何节点)
# swarm
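# Issue one cert per node plus one client cert, all signed by the CA. Two fixes
# against the original: `openssl x509 -req` defaults to 30 days of validity, and
# `-extensions v3_req` is silently ignored unless an -extfile supplies it, so
# the certs carried no subjectAltName. Docker/Go verify the peer name against
# the SAN, hence the extension files below (names/IPs from /etc/hosts above).
# sign_cert <csr> <cert-out> <extfile>: sign a CSR with the CA, 10-year validity.
sign_cert() {
  openssl x509 -req -sha256 -days 3650 -in "$1" \
    -CA /tmp/certs/ca.pem -CAkey /tmp/certs/ca-key.pem -CAcreateserial \
    -extfile "$3" -out "$2"
}
# swarm (manager). It both serves the API and connects to nodes, so it gets
# serverAuth and clientAuth.
openssl genrsa -out /tmp/certs/swarm/swarm-key.pem 2048
chmod 0600 /tmp/certs/swarm/swarm-key.pem
openssl req -subj "/CN=swarm" -new -key /tmp/certs/swarm/swarm-key.pem -out /tmp/certs/swarm/swarm.csr
printf 'subjectAltName=DNS:swarm,IP:192.168.199.228\nextendedKeyUsage=serverAuth,clientAuth\n' > /tmp/certs/swarm/ext.cnf
sign_cert /tmp/certs/swarm/swarm.csr /tmp/certs/swarm/swarm.pem /tmp/certs/swarm/ext.cnf
# client
openssl genrsa -out /tmp/certs/client/client-key.pem 2048
chmod 0600 /tmp/certs/client/client-key.pem
openssl req -subj "/CN=swarm-client" -new -key /tmp/certs/client/client-key.pem -out /tmp/certs/client/client.csr
printf 'extendedKeyUsage=clientAuth\n' > /tmp/certs/client/ext.cnf
sign_cert /tmp/certs/client/client.csr /tmp/certs/client/client.pem /tmp/certs/client/ext.cnf
# swarm-node1 (the original prompted for the subject; set it explicitly)
openssl genrsa -out /tmp/certs/swarm-node1/swarm-node1-key.pem 2048
chmod 0600 /tmp/certs/swarm-node1/swarm-node1-key.pem
openssl req -subj "/CN=swarm-node1" -new -key /tmp/certs/swarm-node1/swarm-node1-key.pem -out /tmp/certs/swarm-node1/swarm-node1.csr
printf 'subjectAltName=DNS:swarm-node1,IP:192.168.199.123\nextendedKeyUsage=serverAuth,clientAuth\n' > /tmp/certs/swarm-node1/ext.cnf
sign_cert /tmp/certs/swarm-node1/swarm-node1.csr /tmp/certs/swarm-node1/swarm-node1.pem /tmp/certs/swarm-node1/ext.cnf
# The original re-ran `openssl rsa -in X -out X` on each key; genrsa already
# writes an unencrypted PKCS#1 key, so that step was a no-op and is dropped.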
# 拷贝
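# On swarm: install the manager bundle into /data/certs, the path daemon.json
# and the shipyard deploy read. ca-key.pem is deliberately NOT copied — it stays
# on the signing machine. Keys get mode 0600 (plain `cp` kept whatever the
# umask gave).
install -m 0644 /tmp/certs/ca.pem /data/certs/ca.pem
install -m 0600 /tmp/certs/swarm/swarm-key.pem /data/certs/server-key.pem
install -m 0644 /tmp/certs/swarm/swarm.pem /data/certs/server.pem
install -m 0600 /tmp/certs/client/client-key.pem /data/certs/key.pem
install -m 0644 /tmp/certs/client/client.pem /data/certs/cert.pem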
cp "/run/media/TS/CentOS 7 x8/certs/ca.pem" /data/certs/ca.pem
cp "/run/media/TS/CentOS 7 x8/certs/swarm-node1/swarm-node1-key.pem" /data/certs/server-key.pem
cp "/run/media/TS/CentOS 7 x8/certs/swarm-node1/swarm-node1.pem" /data/certs/server.pem
cp "/run/media/TS/CentOS 7 x8/certs/client/client-key.pem" /data/certs/key.pem
cp "/run/media/TS/CentOS 7 x8/certs/client/client.pem" /data/certs/cert.pem
------------------------------------------------ docker toolbox ----------------------------------------------------
1. 下载https://download.docker.com/win/stable/InstallDocker.msi
2. docker 阿里云加速
# Recreate the "default" docker-machine VM (VirtualBox) with the Aliyun mirror
# configured on its engine.
docker-machine stop default
docker-machine rm default
docker-machine create -d virtualbox --engine-registry-mirror=https://yirp6far.mirror.aliyuncs.com default
# Only when needed: regenerate the machine's TLS client/server certs.
docker-machine regenerate-certs default
# Show the env vars for this machine, load them into the current shell, and
# check that the client now talks to the daemon inside the VM.
docker-machine env default
eval "$(docker-machine env default)"
docker info
3. 挂载共享目录
3.1 修正Virtualbox 共享目录;
3.2 虚拟机里执行
# Inside the VM: mount point for the VirtualBox shared folder named "Share".
mkdir /share
# vboxsf is the VirtualBox guest-additions filesystem.
mount -t vboxsf Share /share
