Environment preparation
Docker requires a CentOS kernel version above 3.10. Check the kernel version with:
```bash
uname -r
```
https://yeasy.gitbook.io/docker_practice/
Downloading the Docker files
Download address for other versions:
https://download.docker.com/linux/static/stable/x86_64/
Install the binary package: extract it and copy the binaries into /usr/bin.
```bash
tar zxf docker-17.12.1-ce.tgz
cp docker/* /usr/bin
```
Create the Docker startup script
```bash
vim /usr/lib/systemd/system/docker.service
```
```ini
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
ExecStart=/usr/bin/dockerd \
--insecure-registry=http://172.16.45.9
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
```
Add whatever parameters you need to the ExecStart line.

| Description | Parameter |
|---|---|
| Change the Docker cgroup driver | --exec-opt native.cgroupdriver=cgroupfs |
| Connect to the target registry without HTTPS verification | --insecure-registry=http://172.16.45.9 |
| Change the default container storage path | --graph /home/docker |
Configure daemon.json
Create a folder named docker under /etc:
```bash
mkdir -p /etc/docker
vim /etc/docker/daemon.json
```
Configure the remote API
```json
{
"iptables": false,
"hosts": ["tcp://0.0.0.0:2376","unix:///var/run/docker.sock"],
"tlsverify":true,
"tlscacert":"/etc/docker/certs.d/ca-dp.pem",
"tlscert":"/etc/docker/certs.d/server-cert-dp.pem",
"tlskey":"/etc/docker/certs.d/server-key-dp.pem",
"registry-mirrors": [
"https://registry.docker-cn.com",
"http://hub-mirror.c.163.com",
"https://docker.mirrors.ustc.edu.cn"
]
}
```
| Description | Parameter |
|---|---|
| Configure the remote API | "hosts": ["tcp://0.0.0.0:2376","unix:///var/run/docker.sock"], |
| Whether to enable TLS client verification | "tlsverify":true, |
| Docker registry mirrors | "registry-mirrors" |
| Whether Docker adds iptables rules for container ports (false disables this) | "iptables" |
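The settings in this table decide whether the TCP endpoint on 2376 is safe to expose at all. The following is an added example, not part of the original page: a small audit of a daemon.json body that flags a TCP listener without `tlsverify`, missing certificate paths, plaintext mirrors and insecure registries. `PAGE_CONFIG` reproduces the daemon.json shown above; `WEAK_CONFIG` is a constructed variant with TLS left out.

```python
# Added example: audit a Docker daemon.json for remote-API and registry exposure.
import json

TLS_FILES = ("tlscacert", "tlscert", "tlskey")

# The daemon.json from this page, reproduced as the sample input.
PAGE_CONFIG = """{
  "iptables": false,
  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs.d/ca-dp.pem",
  "tlscert": "/etc/docker/certs.d/server-cert-dp.pem",
  "tlskey": "/etc/docker/certs.d/server-key-dp.pem",
  "registry-mirrors": ["https://registry.docker-cn.com",
                       "http://hub-mirror.c.163.com",
                       "https://docker.mirrors.ustc.edu.cn"]
}"""
# Constructed: the same daemon exposed on 2375 with no TLS settings at all.
WEAK_CONFIG = '{"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}'


def audit_daemon_config(text):
    """Return a list of (severity, message) findings for a daemon.json body."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify"):
        # Without client-certificate verification, anyone who can reach the
        # port controls the daemon, which is equivalent to root on the host.
        findings.append(("critical", "remote API without tlsverify: " + ", ".join(tcp_hosts)))
    if tcp_hosts and cfg.get("tlsverify"):
        missing = [k for k in TLS_FILES if not cfg.get(k)]
        if missing:
            findings.append(("high", "tlsverify set but missing " + ", ".join(missing)))
    for h in tcp_hosts:
        if "://0.0.0.0:" in h or "://[::]:" in h:
            findings.append(("info", "remote API listens on all interfaces: " + h))
    for m in cfg.get("registry-mirrors", []):
        if m.startswith("http://"):
            findings.append(("medium", "plaintext registry mirror: " + m))
    for r in cfg.get("insecure-registries", []):
        findings.append(("medium", "insecure registry allowed: " + r))
    if cfg.get("iptables") is False:
        findings.append(("info", "iptables=false: published ports depend on your own firewall rules"))
    return findings


if __name__ == "__main__":
    for name, text in (("page", PAGE_CONFIG), ("weak", WEAK_CONFIG)):
        for sev, msg in audit_daemon_config(text):
            print(f"[{name}] {sev}: {msg}")
```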
Configure TLS
http://www.dockerinfo.net/1416.html
Create a script named auto-tls-certs.sh:
```bash
#!/bin/bash
#
# -------------------------------------------------------------
# Automatically create Docker TLS certificates
# -------------------------------------------------------------
set -euo pipefail
# Configuration follows
# --[BEGIN]------------------------------
CODE="dp"
IP="192.168.1.50"
PASSWORD="密码"                 # CA key passphrase (placeholder, replace)
COUNTRY="CN"
STATE="BEIJING"
CITY="BEIJING"
ORGANIZATION="公司"             # organization name (placeholder, replace)
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
EMAIL="邮箱"                    # contact e-mail (placeholder, replace)
# --[END]--
# Generate the CA key (passphrase-protected)
openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "ca-key-$CODE.pem" 4096
# Generate the CA certificate
openssl req -new -x509 -days 365 -key "ca-key-$CODE.pem" -sha256 -out "ca-$CODE.pem" -passin "pass:$PASSWORD" -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"
# Generate the server key
openssl genrsa -out "server-key-$CODE.pem" 4096
# Generate the server certificate. The daemon IP goes into subjectAltName so
# clients connecting by IP accept it; extendedKeyUsage limits it to serverAuth.
openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key-$CODE.pem" -out server.csr
rm -f extfile.cnf
echo "subjectAltName = IP:$IP,IP:127.0.0.1" >> extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -passin "pass:$PASSWORD" -CA "ca-$CODE.pem" -CAkey "ca-key-$CODE.pem" -CAcreateserial -out "server-cert-$CODE.pem" -extfile extfile.cnf
# Generate the client certificate (clientAuth only, so it cannot act as a server)
rm -f extfile.cnf
openssl genrsa -out "key-$CODE.pem" 4096
openssl req -subj '/CN=client' -new -key "key-$CODE.pem" -out client.csr
echo "extendedKeyUsage = clientAuth" >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -passin "pass:$PASSWORD" -CA "ca-$CODE.pem" -CAkey "ca-key-$CODE.pem" -CAcreateserial -out "cert-$CODE.pem" -extfile extfile.cnf
rm -vf client.csr server.csr extfile.cnf
# Private keys readable by owner only; certificates world-readable
chmod -v 0400 "ca-key-$CODE.pem" "key-$CODE.pem" "server-key-$CODE.pem"
chmod -v 0444 "ca-$CODE.pem" "server-cert-$CODE.pem" "cert-$CODE.pem"
# Package the client certificates
mkdir -p "tls-client-certs-$CODE"
cp -f "ca-$CODE.pem" "cert-$CODE.pem" "key-$CODE.pem" "tls-client-certs-$CODE/"
cd "tls-client-certs-$CODE"
tar zcf "tls-client-certs-$CODE.tar.gz" *
mv "tls-client-certs-$CODE.tar.gz" ../
cd ..
rm -rf "tls-client-certs-$CODE"
# Copy the server-side certificates to the paths referenced in daemon.json
mkdir -p /etc/docker/certs.d
cp "ca-$CODE.pem" "server-cert-$CODE.pem" "server-key-$CODE.pem" /etc/docker/certs.d/
```
Give the script execute permission:
```bash
chmod +x auto-tls-certs.sh
```
Run the script and the generated keys and certificates appear in the current directory.
Start Docker
```bash
systemctl daemon-reload
systemctl restart docker
```
Test TLS
Send the client pem files (the ones inside tls-client-certs-dp.tar.gz) to the client machine by whatever means you like. Extract them, change into the directory holding the client pem files, and run:
```bash
curl https://192.168.1.50:2376/info --cert ./cert-dp.pem --key ./key-dp.pem --cacert ./ca-dp.pem
```
If you get back a JSON string, the setup works.
If instead you see `curl: (35) gnutls_handshake() failed: Certificate is bad`, something is not configured correctly; track the problem down step by step.
```bash
docker info
```
Output:
```text
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 18.09.9
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
runc version: 425e105d5a03fabd737a126ad93d62a9eeede87f
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 3.10.0-957.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.84GiB
Name: qwq
ID: M5LD:CM5Z:PCGP:XCE6:TQEH:PF35:JWBL:23L4:HC6H:CYEL:J7LU:M3AA
Docker Root Dir: /home/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
172.16.45.9
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
```
Check that the Docker virtual network interface exists: run `ifconfig` or `ip a` and look for an interface named `docker0`.
Install docker-compose
Upload docker-compose to the server, place it under /usr/local/bin, grant it execute permission and link it into /usr/bin:
```bash
mv docker-compose /usr/local/bin
chmod +x /usr/local/bin/docker-compose
ln -s /usr/local/bin/docker-compose /usr/bin/
```
Check that the docker-compose version is 1.8:
```bash
docker-compose -v
```
Output:
```text
docker-compose version 1.8.1, build 878cff1
```
Running Docker without root
Add a docker group on the server:
```bash
groupadd docker
```
Add the non-root users to the docker group. usermod accepts a single login name per call, so loop over the users:
```bash
# usermod -aG <group> <user>: append the user to the docker group
for u in user1 user2; do
    usermod -aG docker "$u"
done
```
Members of the docker group can talk to the Docker socket and therefore control the daemon, which is equivalent to root on the host; add only users who would be trusted with root.