CentOS7 Docker server setup notes
Notes on setting up Docker on CentOS7, so I don't forget the process.
------------------------------------------------ centos ----------------------------------------------------

I. Switch the yum source

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum makecache

II. VNC Server

yum install tigervnc-server -y
cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:1.service
vim /etc/systemd/system/vncserver@:1.service
# set the following (xxx is the user the VNC session runs as):
ExecStart=/sbin/runuser -l xxx -c "/usr/bin/vncserver %i"
PIDFile=/home/xxx/.vnc/%H%i.pid

rm -rf /tmp/.X11-unix
rm -rf /tmp/.X1-lock   # delete the lock matching the display number in /etc/systemd/system/vncserver@:1.service (here 1)

# set the password
su xxx
sudo vncpasswd

systemctl daemon-reload
systemctl enable vncserver@:1.service
systemctl start vncserver@:1.service

# firewall
firewall-cmd --permanent --add-service vnc-server
systemctl restart firewalld.service

# enable VNC clipboard copy and similar features
vncconfig &

------------------------------------------------ docker ----------------------------------------------------

I. Install docker

1. Install docker

yum update
tee /etc/yum.repos.d/docker.repo <<-'EOF'
[dockerrepo]
name=Docker Repository
baseurl=https://yum.dockerproject.org/repo/main/centos/7/
enabled=1
gpgcheck=1
gpgkey=https://yum.dockerproject.org/gpg
EOF
yum install docker-engine

!!! Solutions to some docker problems

1. Warnings "WARN:docker bridge-nf-call-iptables is disabled" and "WARN:docker bridge-nf-call-ip6tables is disabled"
Fix:
vim /etc/sysctl.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
# apply the new values with sysctl -p (or reboot)

2. Storage settings for a docker production environment on CentOS
# pvcreate initialises a physical disk partition as a physical volume for LVM to use.
pvcreate /dev/sda4
vgcreate docker /dev/sda4
lvcreate --wipesignatures y -n thinpool docker -l 95%VG
lvcreate --wipesignatures y -n thinpoolmeta docker -l 1%VG
lvconvert -y --zero n -c 512K --thinpool docker/thinpool --poolmetadata docker/thinpoolmeta
vim /etc/lvm/profile/docker-thinpool.profile
activation {
  thin_pool_autoextend_threshold=80
  thin_pool_autoextend_percent=20
}
lvchange --metadataprofile docker-thinpool docker/thinpool
lvs -o+seg_monitor

# daemon.json configuration
mkdir -p /etc/docker
vim /etc/docker/daemon.json
{
  "storage-driver": "devicemapper",
  "storage-opts": [
    "dm.thinpooldev=/dev/mapper/docker-thinpool",
    "dm.use_deferred_removal=true",
    "dm.use_deferred_deletion=true"
  ]
}

3. Configure a registry mirror (Aliyun)
vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://yirp6far.mirror.aliyuncs.com"]
}

4. Configure remote access to docker (not needed when using Shipyard!! TLS authentication is skipped here; if you are not using Shipyard and the host is reachable from the outside network, make sure to use TLS)
vim /etc/docker/daemon.json
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://192.168.199.228:2376"]
}
# open the port
firewall-cmd --zone=public --add-port=2376/tcp --permanent
systemctl restart firewalld.service

Note: /etc/docker/daemon.json is a single JSON object, so the fragments from steps 2, 3 and 4 have to be merged into one object rather than written one after another. A tcp:// listener without TLS hands root-equivalent control of the host to anyone who can reach the port.

99. Service configuration
systemctl daemon-reload
systemctl restart docker
systemctl enable docker.service

II. Install docker-compose

1. URL: https://github.com/docker/compose/releases
2. See the address above for the exact command
curl -L https://github.com/docker/compose/releases/download/1.9.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

III. Set up a private registry

1. Create the directories
mkdir -p /data/registry/images
mkdir -p /data/registry/auth
mkdir -p /data/registry/certs

2. Generate the certificate
openssl req -newkey rsa:4096 -nodes -sha256 -keyout /data/registry/certs/domain.key -x509 -days 365 -out /data/registry/certs/domain.crt

3. Generate the auth file
docker run --entrypoint htpasswd registry:2 -Bbn admin 123456 > /data/registry/auth/htpasswd

4. Start the registry
mkdir -p /tmp/registry-tmp
vim /tmp/registry-tmp/docker-compose.yml
File contents:
registry:
  restart: always
  image: registry:2
  ports:
    - 5000:5000
  environment:
    REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
    REGISTRY_HTTP_TLS_KEY: /certs/domain.key
    REGISTRY_AUTH: htpasswd
    REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
    REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
  volumes:
    - /data/registry/images:/var/lib/registry
    - /data/registry/certs:/certs
    - /data/registry/auth:/auth

cd /tmp/registry-tmp
docker-compose -p iw up -d

5. Port
firewall-cmd --zone=public --add-port=5000/tcp --permanent
systemctl restart firewalld.service

------------------------------------------ Shipyard ------------------------------------------

1. Master node preparation
yum install curl
# open the firewall
firewall-cmd --zone=public --add-port=8101/tcp --permanent
firewall-cmd --zone=public --add-port=7001/tcp --permanent
firewall-cmd --zone=public --add-port=4001/tcp --permanent
firewall-cmd --zone=public --add-port=3376/tcp --permanent
firewall-cmd --zone=public --add-port=2376/tcp --permanent
# only when running without TLS authentication
firewall-cmd --zone=public --add-port=2375/tcp --permanent
systemctl restart firewalld.service

2. TLS security
# Generate quickly with CertM (for several nodes, use the swarm certificate generation below)
docker run --rm \
  -v /data/certs:/certs \
  ehazlett/certm \
  -d /certs \
  bundle \
  generate \
  -o shipyard \
  --host proxy \
  --host 192.168.199.228

3. Install
!!! BUGFIX: the certs directory used by the shipyard deploy script's SSL configuration is always /etc/shipyard. Fix:
ln -s /data/certs /etc/shipyard
curl -sSL https://shipyard-project.com/deploy | TLS_CERT_PATH=/data/certs PORT=8101 bash -s
# uninstall
curl -sSL https://shipyard-project.com/deploy | ACTION=remove bash -s

4. Default username/password: admin/shipyard

5. Node installation
curl -sSL https://shipyard-project.com/deploy | ACTION=node TLS_CERT_PATH=/data/certs DISCOVERY=etcd://192.168.199.228:4001 bash -s

------------------------------------------ Useful commands ------------------------------------------

# stop all docker containers
docker stop $(docker ps -a -q)
# remove all docker containers
docker rm $(docker ps -a -q)
# remove all docker images
docker rmi $(docker images -q)
# remove all images whose tag is none
docker images|grep none|awk '{print $3}'|xargs docker rmi
# this only works when the images are not in use
docker rmi $(docker images -q --filter "dangling=true")

------------------------------------------------ swarm certificates ----------------------------------------------------

1. Preparation
# create the certificate directories
mkdir -p /tmp/certs/client
mkdir -p /tmp/certs/swarm
mkdir -p /tmp/certs/swarm-node1
# edit the hosts file
# on swarm
vim /etc/hosts
192.168.199.123 swarm-node1
# on swarm-node1
vim /etc/hosts
192.168.199.228 swarm

2. Generate the CA certificate
# CA key
openssl genrsa -out /tmp/certs/ca-key.pem 2048
# CA certificate
openssl req -new -key /tmp/certs/ca-key.pem -x509 -out /tmp/certs/ca.pem
# verify
openssl rsa -in /tmp/certs/ca-key.pem -noout -text
openssl x509 -in /tmp/certs/ca.pem -noout -text

3. Node certificates (!!! be sure to keep the CA key and certificate safe)
# swarm
openssl genrsa -out /tmp/certs/swarm/swarm-key.pem 2048
openssl req -subj "/CN=swarm" -new -key /tmp/certs/swarm/swarm-key.pem -out /tmp/certs/swarm/swarm.csr
openssl x509 -req -in /tmp/certs/swarm/swarm.csr -CA /tmp/certs/ca.pem -CAkey /tmp/certs/ca-key.pem -CAcreateserial -out /tmp/certs/swarm/swarm.pem -extensions v3_req
openssl rsa -in /tmp/certs/swarm/swarm-key.pem -out /tmp/certs/swarm/swarm-key.pem
# client
openssl genrsa -out /tmp/certs/client/client-key.pem 2048
openssl req -subj "/CN=swarm-client" -new -key /tmp/certs/client/client-key.pem -out /tmp/certs/client/client.csr
openssl x509 -req -in /tmp/certs/client/client.csr -CA /tmp/certs/ca.pem -CAkey /tmp/certs/ca-key.pem -CAcreateserial -out /tmp/certs/client/client.pem -extensions v3_req
openssl rsa -in /tmp/certs/client/client-key.pem -out /tmp/certs/client/client-key.pem
# swarm-node1
openssl genrsa -out /tmp/certs/swarm-node1/swarm-node1-key.pem 2048
openssl req -new -key /tmp/certs/swarm-node1/swarm-node1-key.pem -out /tmp/certs/swarm-node1/swarm-node1.csr
openssl x509 -req -in /tmp/certs/swarm-node1/swarm-node1.csr -CA /tmp/certs/ca.pem -CAkey /tmp/certs/ca-key.pem -CAcreateserial -out /tmp/certs/swarm-node1/swarm-node1.pem -extensions v3_req
openssl rsa -in /tmp/certs/swarm-node1/swarm-node1-key.pem -out /tmp/certs/swarm-node1/swarm-node1-key.pem
# copy
cp /tmp/certs/ca.pem /data/certs/ca.pem
cp /tmp/certs/swarm/swarm-key.pem /data/certs/server-key.pem
cp /tmp/certs/swarm/swarm.pem /data/certs/server.pem
cp /tmp/certs/client/client-key.pem /data/certs/key.pem
cp /tmp/certs/client/client.pem /data/certs/cert.pem
# on swarm-node1 (certificates carried over on removable media)
cp "/run/media/TS/CentOS 7 x8/certs/ca.pem" /data/certs/ca.pem
cp "/run/media/TS/CentOS 7 x8/certs/swarm-node1/swarm-node1-key.pem" /data/certs/server-key.pem
cp "/run/media/TS/CentOS 7 x8/certs/swarm-node1/swarm-node1.pem" /data/certs/server.pem
cp "/run/media/TS/CentOS 7 x8/certs/client/client-key.pem" /data/certs/key.pem
cp "/run/media/TS/CentOS 7 x8/certs/client/client.pem" /data/certs/cert.pem

------------------------------------------------ docker toolbox ----------------------------------------------------

1. Download https://download.docker.com/win/stable/InstallDocker.msi
2. Aliyun docker accelerator
docker-machine stop default
docker-machine rm default
# create a Linux VM with Docker installed, named default, with the Docker accelerator address configured
docker-machine create --engine-registry-mirror=https://yirp6far.mirror.aliyuncs.com -d virtualbox default
# regenerate the certificates if needed
docker-machine regenerate-certs default
# show the machine's environment settings and apply them locally, then access the Docker service through the Docker client
docker-machine env default
eval "$(docker-machine env default)"
docker info
3. Mount a shared directory
3.1 Configure the VirtualBox shared folder;
3.2 Inside the VM run:
mkdir /share
mount -t vboxsf Share /share
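As an added check for the swarm certificate section above (example script, not from the original post): it verifies that a bundle in the /data/certs layout (ca.pem, server.pem, server-key.pem, cert.pem, key.pem) is internally consistent before the daemon, Shipyard or a node is pointed at it. It assumes openssl is installed; make_demo_bundle builds a constructed throwaway bundle with the same openssl steps as the section, so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes openssl is installed;
# file names follow the /data/certs layout used in the swarm section.

# check_pair CA CERT KEY: CERT chains to CA, KEY is the private key for CERT,
# and KEY is readable by its owner only. Prints the first failure and returns 1.
check_pair() {
  ca="$1"; cert="$2"; key="$3"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert is not signed by $ca"; return 1; }
  cm=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null || echo cert-unreadable)
  km=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null || echo key-unreadable)
  [ "$cm" = "$km" ] || { echo "FAIL: $key does not match $cert"; return 1; }
  [ -z "$(find "$key" \( -perm -040 -o -perm -004 \))" ] \
    || { echo "FAIL: $key is group- or world-readable"; return 1; }
  echo "ok: $cert / $key"
}

# check_bundle DIR: check the daemon pair and the client pair under DIR.
check_bundle() {
  dir="$1"; rc=0
  check_pair "$dir/ca.pem" "$dir/server.pem" "$dir/server-key.pem" || rc=1
  check_pair "$dir/ca.pem" "$dir/cert.pem" "$dir/key.pem" || rc=1
  return $rc
}

# make_demo_bundle DIR: constructed demo bundle (1-day certs) built the same way
# as the swarm section: CA, then CSRs signed by the CA; -subj avoids prompts.
make_demo_bundle() {
  out="$1"; work=$(mktemp -d); mkdir -p "$out"
  openssl genrsa -out "$work/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$work/ca-key.pem" -subj "/CN=demo-ca" -days 1 \
    -out "$out/ca.pem" 2>/dev/null
  for n in server client; do
    openssl genrsa -out "$out/$n-key.pem" 2048 2>/dev/null
    openssl req -new -key "$out/$n-key.pem" -subj "/CN=swarm-$n" -out "$work/$n.csr" 2>/dev/null
    openssl x509 -req -in "$work/$n.csr" -CA "$out/ca.pem" -CAkey "$work/ca-key.pem" \
      -CAcreateserial -days 1 -out "$out/$n.pem" 2>/dev/null
  done
  mv "$out/client.pem" "$out/cert.pem"; mv "$out/client-key.pem" "$out/key.pem"
  chmod 600 "$out/server-key.pem" "$out/key.pem"
  rm -rf "$work"
}
# On a real host: check_bundle /data/certs
```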