记录一下在CentOS7上搭建Docker的过程,防止忘记。

------------------------------------------------ centos ----------------------------------------------------
一、切换yum 源
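	# keep the stock repo file so the change can be reverted
	mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
	# fetch the mirror's repo file over HTTPS: a repo file pulled over plain HTTP can be
	# swapped in transit, and it decides where every later package comes from
	wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
	yum makecache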
二、VNC Server
	yum install tigervnc-server -y
	# instantiate the template unit for display :1; the copy is then edited to run
	# vncserver as the target user (ExecStart / PIDFile lines below)
	cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:1.service
	vim /etc/systemd/system/vncserver@:1.service
	
ExecStart=/sbin/runuser -l xxx -c "/usr/bin/vncserver %i"
PIDFile=/home/xxx/.vnc/%H%i.pid

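	# clear stale X display leftovers from an earlier session; the number in the lock
	# file name must match the display in vncserver@:1.service (here 1).
	# Removing the whole socket directory presumably only matters on a headless box
	# with no other X server running.
	rm -rf /tmp/.X11-unix
	# the original had a typo here (/tmp/.tX1-lock) that never matched the real lock file
	rm -f /tmp/.X1-lock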
	
	# set the VNC password
	# NOTE(review): the unit runs vncserver as xxx (ExecStart above), so the password file must
	# end up under /home/xxx/.vnc; going through sudo may create it owned by root or in root's
	# home — confirm, or simply run `vncpasswd` as xxx after the su
	su xxx
	sudo vncpasswd
	
	# pick up the edited unit, then enable it at boot and start it now
	systemctl daemon-reload
	systemctl enable vncserver@:1.service
	systemctl start vncserver@:1.service
	
	# firewall: open the predefined vnc-server service in the default zone
	# NOTE(review): VNC traffic itself is not encrypted; if the host is reachable from
	# untrusted networks, prefer keeping this closed and tunnelling the port over SSH
	firewall-cmd --permanent --add-service vnc-server
	systemctl restart firewalld.service
	
	# start vncconfig in the background inside the VNC session (clipboard sharing etc.)
	vncconfig &
	

------------------------------------------------ docker ----------------------------------------------------
一、docker安装
	1. 安装docker
	yum update
# add the Docker yum repo; gpgcheck=1 plus the gpgkey URL means packages are signature-checked
# NOTE(review): yum.dockerproject.org is the legacy Docker repo and has since been retired in
# favour of download.docker.com — confirm it still serves packages before relying on this step
tee /etc/yum.repos.d/docker.repo <<-'EOF'
[dockerrepo]
name=Docker Repository
baseurl=https://yum.dockerproject.org/repo/main/centos/7/
enabled=1
gpgcheck=1
gpgkey=https://yum.dockerproject.org/gpg
EOF

	yum install docker-engine
	
	!!! docker 一些问题解决
	1. 报
		WARN:docker bridge-nf-call-iptables is disabled,
		WARN:docker bridge-nf-call-ip6tables is disabled
	解决:
		# add the three keys below to /etc/sysctl.conf
		# NOTE(review): they only take effect after `sysctl -p` (or a reboot), and the net.bridge.*
		# keys exist only while the br_netfilter module is loaded — confirm on the host
		vim /etc/sysctl.conf 
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
	
	2. docker centos 正式环境存储设置
	# pvcreate initialises a physical partition as an LVM physical volume
	# NOTE(review): /dev/sda4 is the author's device — double-check the name before running;
	# pvcreate and --wipesignatures destroy whatever is on it
	pvcreate /dev/sda4
	vgcreate docker /dev/sda4
	# data pool takes 95% of the VG, metadata pool 1%; the remainder is presumably left
	# free for the autoextend profile below
	lvcreate --wipesignatures y -n thinpool docker -l 95%VG
	lvcreate --wipesignatures y -n thinpoolmeta docker -l 1%VG
	# turn the two LVs into one thin pool (512K chunks, no zeroing of new blocks)
	lvconvert -y --zero n -c 512K --thinpool docker/thinpool --poolmetadata docker/thinpoolmeta
	# profile contents follow (autoextend at 80% full, by 20%)
	vim /etc/lvm/profile/docker-thinpool.profile

activation {
    thin_pool_autoextend_threshold=80
    thin_pool_autoextend_percent=20
}
	# attach the autoextend profile to the pool and confirm monitoring is on
	lvchange --metadataprofile docker-thinpool docker/thinpool
	lvs -o+seg_monitor
	
	# daemon.json — NOTE: steps 2, 3 and 4 below each show a separate object for the same
	# file; daemon.json must be a single JSON object, so merge the keys rather than overwrite
	mkdir -p /etc/docker
	vim /etc/docker/daemon.json
{
  "storage-driver": "devicemapper",
   "storage-opts": [
     "dm.thinpooldev=/dev/mapper/docker-thinpool",
     "dm.use_deferred_removal=true",
     "dm.use_deferred_deletion=true"
   ]
}
	
	3. 配置registry镜像(阿里云)
	# merge the registry-mirrors key into the existing daemon.json (it must stay one JSON object)
	vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://yirp6far.mirror.aliyuncs.com"]
}
	
	4. 配置docker远程操作(使用Shipyard时不需要!!这里省略了TLS安全认证,如果不使用Shipyard,或者主机处于外网环境,必须启用TLS,否则任何能访问该端口的人都可以控制docker)
	# NOTE(review): a plain tcp:// listener (below) hands root-equivalent control of the host
	# to anyone who can reach the port; unless Shipyard's TLS setup covers it, add
	# tlsverify/tlscacert/tlscert/tlskey here, or bind only to an interface that trusted hosts share
	vim /etc/docker/daemon.json
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://192.168.199.228:2376"]
}
	# open the API port
	# NOTE(review): this exposes 2376 to the whole public zone; a rich rule limiting the
	# source to the Shipyard host is tighter, e.g.
	#   firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=<shipyard-host>/32 port port=2376 protocol=tcp accept'
	firewall-cmd --zone=public --add-port=2376/tcp --permanent
	systemctl restart firewalld.service

	99. 服务配置
	# apply everything: reload units, restart the daemon so daemon.json is re-read, start at boot
	systemctl daemon-reload
	systemctl restart docker
	systemctl enable docker.service

	
二、安装docker-compose
	1. 地址 https://github.com/docker/compose/releases
	2. 具体命令看上面地址
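	# download the release binary; -f makes curl fail on an HTTP error instead of saving the
	# error page as the binary, $(...) replaces the original backticks, and chmod only runs
	# when the download succeeded
	# NOTE(review): if the release page publishes a checksum for this file, compare it before use
	curl -fL "https://github.com/docker/compose/releases/download/1.9.0/docker-compose-$(uname -s)-$(uname -m)" \
	  -o /usr/local/bin/docker-compose \
	  && chmod +x /usr/local/bin/docker-compose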

三、搭建私有仓库registry
	1. 生成相关目录;
	# image store, htpasswd file and TLS material all live under /data/registry
	mkdir -p /data/registry/{images,auth,certs}
	
	2. 生成证书
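	# self-signed cert/key for the registry (1 year). Answer the CN prompt with the host name
	# clients will use for the registry; they must also trust domain.crt explicitly
	openssl req -newkey rsa:4096 -nodes -sha256 -keyout /data/registry/certs/domain.key -x509 -days 365 -out /data/registry/certs/domain.crt
	# the key is unencrypted (-nodes); make sure only root can read it
	chmod 600 /data/registry/certs/domain.key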
	3. 生成认证文件
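	# generate the bcrypt htpasswd entry for user admin.
	# The original passed the password (123456) literally on the command line, which leaves it
	# in shell history; prompt for it instead. It is still briefly visible in the container's
	# argv, and --rm drops the throwaway container the original left behind.
	read -rsp 'password for registry user admin: ' registry_pw; echo
	docker run --rm --entrypoint htpasswd registry:2 -Bbn admin "$registry_pw" > /data/registry/auth/htpasswd
	unset registry_pw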
	3. 启动registry
	# scratch directory holding the compose file (contents listed below)
	mkdir -p /tmp/registry-tmp
	vim /tmp/registry-tmp/docker-compose.yml
	
	文件内容
registry:
  restart: always
  image: registry:2
  ports:
    - 5000:5000
  environment:
    REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
    REGISTRY_HTTP_TLS_KEY: /certs/domain.key
    REGISTRY_AUTH: htpasswd
    REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
    REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
  volumes:
    - /data/registry/images:/var/lib/registry
    - /data/registry/certs:/certs
    - /data/registry/auth:/auth
	
	# bring the registry up in the background under project name "iw"
	cd /tmp/registry-tmp
	docker-compose -p iw up -d 
	
	4. 端口
	# expose the registry port; TLS + htpasswd (compose file above) protect it, and every
	# Docker host that pulls from it must trust the self-signed cert — copy domain.crt to
	# /etc/docker/certs.d/<registry-host>:5000/ca.crt on those hosts
	firewall-cmd --zone=public --add-port=5000/tcp --permanent
	systemctl restart firewalld.service

------------------------------------------ Shipyard ------------------------------------------
1. 主节点安装准备
yum install curl

# open the firewall for the Shipyard stack: 8101 is the UI (PORT in the deploy step below),
# 4001 the etcd discovery endpoint (DISCOVERY below), 2376 the Docker API; 7001 and 3376
# are presumably etcd peer and swarm manager — confirm against the deploy script
firewall-cmd --zone=public --add-port=8101/tcp --permanent
firewall-cmd --zone=public --add-port=7001/tcp --permanent
firewall-cmd --zone=public --add-port=4001/tcp --permanent
firewall-cmd --zone=public --add-port=3376/tcp --permanent
firewall-cmd --zone=public --add-port=2376/tcp --permanent
# only when running without TLS — 2375 is the unauthenticated Docker API; leave it closed
# unless that is really intended
firewall-cmd --zone=public --add-port=2375/tcp --permanent
systemctl restart firewalld.service

2. TLS 安全
# 直接使用CertM 快速生成(多个节点使用下方swarm证书生成)
# generate the TLS bundle with certm in one go (for several nodes use the manual swarm
# certificate section further down)
# NOTE(review): ehazlett/certm is pulled untagged, so the image can change underneath you;
# pin a tag or digest. The --host values presumably become the server cert's SANs, so every
# name/IP clients will use has to be listed here
docker run --rm \
 -v /data/certs:/certs \
 ehazlett/certm \
 -d /certs \
 bundle \
 generate \
 -o shipyard \
 --host proxy \
 --host 192.168.199.228
	
3. 安装

!!! BUGFIX shipyard 使用deploy ssl 配置的certs目录始终在/etc/shipyard
修正:
# NOTE(review): if /etc/shipyard already exists as a directory, ln -s creates
# /etc/shipyard/certs instead of the intended link — check `ls -ld /etc/shipyard` first
ln -s /data/certs /etc/shipyard

# NOTE(review): this pipes a remote script straight into a root shell with no integrity check;
# safer is to download it first (curl -fsSL … -o deploy.sh), read it, then run it with the
# same environment variables
curl -sSL https://shipyard-project.com/deploy | TLS_CERT_PATH=/data/certs PORT=8101 bash -s
# uninstall: curl -sSL https://shipyard-project.com/deploy | ACTION=remove bash -s

4. 默认用户名密码(首次登录后应立即修改)
admin/shipyard

5. 节点安装
# join a node: same pipe-to-shell caveat as the manager install (download and read the
# script first); the node reaches the manager's etcd on 4001, which the firewall step
# above opens to the whole zone
curl -sSL https://shipyard-project.com/deploy | ACTION=node TLS_CERT_PATH=/data/certs DISCOVERY=etcd://192.168.199.228:4001 bash -s

------------------------------------------ 一些常用命令 ------------------------------------------
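# stop every container, running or not (the unquoted $(...) is intentional: one id per word)
docker stop $(docker ps -a -q)
# remove every container
docker rm $(docker ps -a -q)
# remove every image
docker rmi $(docker images -q)
# remove images whose tag is <none>. The original wrapped the awk program in typographic
# quotes (‘…’), which bash does not treat as quoting, so it never ran as written
docker images | grep none | awk '{print $3}' | xargs docker rmi
# equivalent only when no container still uses the image:
#   docker rmi $(docker images -q --filter "dangling=true")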

------------------------------------------------ swarm 证书 ----------------------------------------------------
1. 准备
	# 建立证书文件夹
	# one directory per certificate holder: client, swarm host, swarm-node1
	mkdir -p /tmp/certs/{client,swarm,swarm-node1}
	# /etc/hosts entries so the two hosts resolve each other by the names used in the certs
	# on the swarm host (add the line below):
	vim /etc/hosts
192.168.199.123 swarm-node1
	# on swarm-node1 (add the line below):
	vim /etc/hosts
192.168.199.228 swarm

1. 生成ca证书
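	# CA private key; keep it off /tmp for anything beyond a test run and restrict it to root
	# (genrsa -aes256 would additionally encrypt it with a passphrase)
	openssl genrsa -out /tmp/certs/ca-key.pem 2048
	chmod 600 /tmp/certs/ca-key.pem
	# self-signed CA certificate; -days is added because `req -x509` otherwise defaults to a
	# 30-day validity, which would silently expire everything signed below
	openssl req -new -key /tmp/certs/ca-key.pem -x509 -days 365 -out /tmp/certs/ca.pem
	# verify
	openssl rsa -in /tmp/certs/ca-key.pem -noout -text
	openssl x509 -in /tmp/certs/ca.pem -noout -text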

2. 节点证书(!!!注意一定要保留好ca相关证书)
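	# each holder: RSA key -> CSR -> certificate signed by the CA above.
	# -days 365 is added because `x509 -req` otherwise defaults to 30-day certificates.
	# NOTE(review): `-extensions v3_req` on `x509 -req` is ignored unless an -extfile is
	# supplied, so these certs carry no SAN or extendedKeyUsage; Docker's TLS docs expect
	# server certs with SANs for the host name/IP and client certs with clientAuth — confirm
	# swarm host
	openssl genrsa -out /tmp/certs/swarm/swarm-key.pem 2048
	openssl req -subj "/CN=swarm" -new -key /tmp/certs/swarm/swarm-key.pem -out /tmp/certs/swarm/swarm.csr
	openssl x509 -req -days 365 -in /tmp/certs/swarm/swarm.csr -CA /tmp/certs/ca.pem -CAkey /tmp/certs/ca-key.pem -CAcreateserial -out /tmp/certs/swarm/swarm.pem -extensions v3_req
	# rewrite the key through openssl rsa (kept from the original; re-encodes the unencrypted key)
	openssl rsa -in /tmp/certs/swarm/swarm-key.pem -out /tmp/certs/swarm/swarm-key.pem
	# client
	openssl genrsa -out /tmp/certs/client/client-key.pem 2048
	openssl req -subj "/CN=swarm-client" -new -key /tmp/certs/client/client-key.pem -out /tmp/certs/client/client.csr
	openssl x509 -req -days 365 -in /tmp/certs/client/client.csr -CA /tmp/certs/ca.pem -CAkey /tmp/certs/ca-key.pem -CAcreateserial -out /tmp/certs/client/client.pem -extensions v3_req
	openssl rsa -in /tmp/certs/client/client-key.pem -out /tmp/certs/client/client-key.pem
	# swarm-node1 (the original prompted for the subject here; -subj keeps it consistent
	# with the other two and with the hosts entry)
	openssl genrsa -out /tmp/certs/swarm-node1/swarm-node1-key.pem 2048
	openssl req -subj "/CN=swarm-node1" -new -key /tmp/certs/swarm-node1/swarm-node1-key.pem -out /tmp/certs/swarm-node1/swarm-node1.csr
	openssl x509 -req -days 365 -in /tmp/certs/swarm-node1/swarm-node1.csr -CA /tmp/certs/ca.pem -CAkey /tmp/certs/ca-key.pem -CAcreateserial -out /tmp/certs/swarm-node1/swarm-node1.pem -extensions v3_req
	openssl rsa -in /tmp/certs/swarm-node1/swarm-node1-key.pem -out /tmp/certs/swarm-node1/swarm-node1-key.pem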
	
	# copy into /data/certs (the directory mounted for Shipyard above) under the names
	# Docker/Shipyard presumably expect: ca.pem, server.pem/server-key.pem for the daemon,
	# cert.pem/key.pem for the client. On the swarm host, its own cert is the server cert:
	cp /tmp/certs/ca.pem /data/certs/ca.pem
	cp /tmp/certs/swarm/swarm-key.pem /data/certs/server-key.pem
	cp /tmp/certs/swarm/swarm.pem /data/certs/server.pem
	cp /tmp/certs/client/client-key.pem /data/certs/key.pem
	cp /tmp/certs/client/client.pem /data/certs/cert.pem
	
	# on swarm-node1 (presumably run there, with /tmp/certs carried over on removable
	# media): same layout, but node1's own certificate becomes the server cert
	cp "/run/media/TS/CentOS 7 x8/certs/ca.pem" /data/certs/ca.pem
	cp "/run/media/TS/CentOS 7 x8/certs/swarm-node1/swarm-node1-key.pem" /data/certs/server-key.pem
	cp "/run/media/TS/CentOS 7 x8/certs/swarm-node1/swarm-node1.pem" /data/certs/server.pem
	cp "/run/media/TS/CentOS 7 x8/certs/client/client-key.pem" /data/certs/key.pem
	cp "/run/media/TS/CentOS 7 x8/certs/client/client.pem" /data/certs/cert.pem
	
------------------------------------------------ docker toolbox ----------------------------------------------------
1. 下载https://download.docker.com/win/stable/InstallDocker.msi
2. docker 阿里云加速
	docker-machine stop default
	docker-machine rm default
	# create a VirtualBox VM named "default" with Docker installed, pointing its engine at
	# the Aliyun registry mirror
	docker-machine create --engine-registry-mirror=https://yirp6far.mirror.aliyuncs.com -d virtualbox default
	# regenerate the machine's TLS certificates if needed
	docker-machine regenerate-certs default
	# print the machine's environment, load it into this shell, then talk to its daemon
	# (eval runs docker-machine's output as shell — fine for a local machine you control)
	docker-machine env default
	eval "$(docker-machine env default)"
	docker info
3. 挂载共享目录
	3.1 修正Virtualbox 共享目录;
	3.2 虚拟机里执行
	# inside the VM: mount the VirtualBox shared folder named "Share" on /share
	mkdir /share
	mount -t vboxsf Share /share