Docker installation
Docker docs: https://docs.docker.com/engine/install/centos/#prerequisites
1. Remove old versions
yum remove docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-engine
2. Install yum-utils
yum install -y yum-utils
3. Set up the package repository (Aliyun mirror)
yum-config-manager \
--add-repo \
http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# update the yum package index
yum makecache fast
4. Install the Docker engine
yum install -y docker-ce docker-ce-cli containerd.io
5. Start Docker
systemctl start docker
6. Verify the installation
docker run hello-world
7. List images
docker images
8. Configure registry mirrors (image acceleration)
vim /etc/docker/daemon.json
{
"registry-mirrors": [
"https://registry.docker-cn.com",
"http://hub-mirror.c.163.com",
"https://docker.mirrors.ustc.edu.cn"
]
}
systemctl daemon-reload    # reload the mirror configuration
systemctl restart docker   # restart the Docker daemon
Container commands
# start a container and enter it
docker run -it centos /bin/bash
# exit the container
exit
Installing a private Docker registry
# Harbor (below) is recommended instead
# run the registry container that Docker provides directly
docker run -d -p 5000:5000 --name registry --restart=always -v /home/harbor/registry:/var/lib/registry registry
vim /etc/docker/daemon.json
"insecure-registries": ["192.168.70.168:5000"]    <!-- add this line -->
systemctl daemon-reload    # reload the configuration
systemctl restart docker   # restart the Docker daemon
Offline installation
Sometimes services have to be installed and deployed on an isolated internal network; what follows is my own attempt at the installation process.
Installing docker-compose
Download a suitable version from https://github.com/docker/compose/releases/
The link I used: https://github.com/docker/compose/releases/download/1.27.4/docker-compose-Linux-x86_64 (downloading with Thunder/Xunlei is recommended, it is fast). Rename the file to docker-compose.
Copy it to /usr/local/bin/docker-compose
Apply executable permissions to the binary:
$ sudo chmod +x /usr/local/bin/docker-compose
Create a symlink:
$ sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
Test that the installation succeeded:
$ docker-compose --version
Installing Harbor
Download a suitable version from https://github.com/goharbor/harbor/releases
The link I used: https://github.com/goharbor/harbor/releases/download/v2.1.2/harbor-offline-installer-v2.1.2.tgz
Extract the download and cd into the resulting directory
cp harbor.yml.tmpl harbor.yml
vim harbor.yml
The main settings to change:
hostname: <your server IP or domain>
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: <your port>   # default is 80
harbor_admin_password: Harbor12345   # Harbor super-admin password
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123   # database admin password
data_volume: /data   # Harbor data directory, i.e. where image files will be stored; change it, otherwise it eats space on the system disk.
# Also comment out the following: HTTP is used by default rather than HTTPS, unless you have configured an HTTPS certificate
# https related config
#https:
  # https port for harbor, default is 443
  #port: 443
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path
./install.sh
Log in to the web UI with admin/Harbor12345 (the admin password can be viewed/changed in harbor.yml)
Configuring HTTPS
Also change hostname in harbor.yml to 192.168.70.168
certificate: /your/certificate/path
private_key: /your/private/key/path
# replace with
certificate: /data/cert/192.168.70.168.crt
private_key: /data/cert/192.168.70.168.key
Generate a Certificate Authority Certificate
1. Generate a CA certificate private key.
openssl genrsa -out ca.key 4096
2. Generate the CA certificate.
Adapt the values in the -subj option to reflect your organization. If you use an FQDN to connect your Harbor host, you must specify it as the common name (CN) attribute.
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=192.168.70.168" \
  -key ca.key \
  -out ca.crt
Generate a Server Certificate
The certificate usually contains a .crt file and a .key file, for example, yourdomain.com.crt and yourdomain.com.key.
1. Generate a private key.
openssl genrsa -out 192.168.70.168.key 4096
2. Generate a certificate signing request (CSR).
Adapt the values in the -subj option to reflect your organization. If you use an FQDN to connect your Harbor host, you must specify it as the common name (CN) attribute and use it in the key and CSR filenames.
openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=192.168.70.168" \
  -key 192.168.70.168.key \
  -out 192.168.70.168.csr
3. Generate an x509 v3 extension file.
Regardless of whether you're using an FQDN or an IP address to connect to your Harbor host, you must create this file so that you can generate a certificate for your Harbor host that complies with the Subject Alternative Name (SAN) and x509 v3 extension requirements. Replace the DNS entries to reflect your domain.
# for a domain name, use this form
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=192.168.70.168
DNS.2=192.168.70.171
EOF

# for an IP address:
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.70.168
EOF
4. Use the v3.ext file to generate a certificate for your Harbor host.
Replace yourdomain.com in the CSR and CRT file names with the Harbor host name.
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in 192.168.70.168.csr \
  -out 192.168.70.168.crt
Provide the Certificates to Harbor and Docker
After generating the ca.crt, yourdomain.com.crt, and yourdomain.com.key files, you must provide them to Harbor and to Docker, and reconfigure Harbor to use them.
- Copy the server certificate and key into the certificates folder on your Harbor host.
mkdir -p /data/cert/
cp 192.168.70.168.crt /data/cert/
cp 192.168.70.168.key /data/cert/
- Convert yourdomain.com.crt to yourdomain.com.cert, for use by Docker. The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.
openssl x509 -inform PEM -in 192.168.70.168.crt -out 192.168.70.168.cert
- Copy the server certificate, key and CA files into the Docker certificates folder on the Harbor host. You must create the appropriate folders first.
mkdir -p /etc/docker/certs.d/192.168.70.168/
cp 192.168.70.168.cert /etc/docker/certs.d/192.168.70.168/
cp 192.168.70.168.key /etc/docker/certs.d/192.168.70.168/
cp ca.crt /etc/docker/certs.d/192.168.70.168/
If you mapped the default nginx port 443 to a different port, create the folder /etc/docker/certs.d/yourdomain.com:port, or /etc/docker/certs.d/harbor_IP:port.
- Restart Docker Engine.
systemctl restart docker
You might also need to trust the certificate at the OS level. See
The following example illustrates a configuration that uses custom certificates.
/etc/docker/certs.d/
└── yourdomain.com:port
├── yourdomain.com.cert <-- Server certificate signed by CA
├── yourdomain.com.key <-- Server key signed by CA
└── ca.crt <-- Certificate authority that signed the registry certificate
Note:
On Windows: copy ca.crt to your PC, right-click it and install the certificate into the Trusted Root store; the browser will then no longer warn about an insecure connection.
CentOS:
cd /etc/pki/ca-trust/source/anchors
# copy ca.crt into this directory
update-ca-trust
systemctl restart docker
# login now succeeds; without this step it fails with: certificate signed by unknown authority
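The DNS-versus-IP SAN choice in the v3.ext file above, and the "certificate signed by unknown authority" error just mentioned, can be reproduced offline with the following Go program. It is an added example, not code from this post or from the Harbor project, and it uses Go's crypto/x509, the same library the Docker client verifies registries with; CheckRegistryCert, the CA name "harbor-ca" and the in-memory P-256 keys are my own constructions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CheckRegistryCert mimics what the Docker client does when it dials https://<host>/v2/: a CA and a
// server certificate (SAN = dnsNames and/or ips, i.e. the two v3.ext variants) are issued in memory,
// then the server certificate is verified for host. caTrusted=false models a client without ca.crt.
func CheckRegistryCert(host string, dnsNames []string, ips []net.IP, caTrusted bool) error {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil || err2 != nil {
		return errors.Join(err, err2)
	}
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "harbor-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	// Only the SAN is consulted for name matching; the CN=host is ignored by modern Go/Docker clients.
	srvTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: dnsNames,
		IPAddresses: ips, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	caDER, err := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey) // self-signed CA
	srvDER, err2 := x509.CreateCertificate(rand.Reader, srvTpl, caTpl, &srvKey.PublicKey, caKey)
	ca, err3 := x509.ParseCertificate(caDER)
	srv, err4 := x509.ParseCertificate(srvDER)
	if err = errors.Join(err, err2, err3, err4); err != nil {
		return err
	}
	roots := x509.NewCertPool() // empty but non-nil, so Verify never falls back to the system trust store
	if caTrusted {
		roots.AddCert(ca)
	}
	_, err = srv.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	ip := []net.IP{net.ParseIP("192.168.70.168")}
	fmt.Println(CheckRegistryCert("192.168.70.168", []string{"192.168.70.168"}, nil, true)) // DNS.1=<ip> variant
	fmt.Println(CheckRegistryCert("192.168.70.168", nil, ip, true))                         // IP:<ip> variant
	fmt.Println(CheckRegistryCert("192.168.70.168", nil, ip, false))                        // ca.crt not installed
}
```

With a trusted CA, an IP SAN verifies cleanly while a DNS SAN that merely holds the IP literal fails with "doesn't contain any IP SANs"; dropping the CA from the pool reproduces the unknown-authority error.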
Deploy or Reconfigure Harbor
Pushing images to the Harbor private registry
- Log in to Harbor (similar to logging in to GitHub)
docker login 192.168.70.168
The command line prompts for username/password; you can use admin/Harbor12345
[root@k8s-node1 docker]# docker login 192.168.70.168
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@k8s-node1 docker]#
- Push the image to the Harbor private registry
Note: the image tag 192.168.229.20/user/user-setvice:v2.0 must have the form <registry IP or domain>/<project name>/<custom name>:<tag>. 192.168.x.20: the private registry IP; user: the project name created in Harbor; user-setvice: a custom name.
docker push 192.168.229.20/user/user-setvice:v2.0
# pull
docker pull 192.168.229.20/user/user-setvice:v2.0
Starting Harbor automatically on boot
vim /usr/lib/systemd/system/harbor.service
[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor
[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/local/bin/docker-compose -f /home/harbor/harbor/docker-compose.yml up
ExecStop=/usr/local/bin/docker-compose -f /home/harbor/harbor/docker-compose.yml down
[Install]
WantedBy=multi-user.target
# then run the following commands
cd /usr/lib/systemd/system
chmod +x harbor.service
systemctl daemon-reload
Replace /home/harbor/harbor with your own Harbor installation path, and use the absolute path of docker-compose, which you can find with: which docker-compose
Then start the service:
sudo systemctl enable harbor
sudo systemctl start harbor
sudo systemctl stop harbor
One-click Docker build and deploy from IDEA
1. Edit the config file and open port 2375
vim /usr/lib/systemd/system/docker.service
# comment out the original ExecStart line and replace it with this one
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
# reload the configuration and start:
systemctl daemon-reload
systemctl start docker
2. Install the Docker plugin (Docker integration) in IDEA and configure it:
Add an environment variable on your PC: DOCKER_HOST https://192.168.70.168 (a reboot may be needed)
pom.xml configuration:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.7.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <packaging>jar</packaging>
    <groupId>com.pj</groupId>
    <artifactId>hello</artifactId>
    <version>1.0</version>
    <name>hello</name>
    <description>Demo project for Spring Boot</description>
    <properties>
        <build.final.name>hello</build.final.name>
        <java.version>1.8</java.version>
        <docker.image.prefix>192.168.70.168/hello</docker.image.prefix>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>
    <build>
        <finalName>${build.final.name}</finalName>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>com.spotify</groupId>
                <artifactId>dockerfile-maven-plugin</artifactId>
                <version>1.4.3</version>
                <executions>
                    <execution>
                        <id>default</id>
                        <goals>
                            <goal>build</goal>
                            <goal>push</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <username>admin</username>
                    <password>Harbor12345</password>
                    <repository>${docker.image.prefix}/${project.artifactId}</repository>
                    <!-- <repository>${docker.image.prefix}/${project.artifactId}</repository>-->
                    <tag>${project.version}</tag>
                    <buildArgs>
                        <JAR_FILE>target/${project.build.finalName}.jar</JAR_FILE>
                        <IMAGE_PREFIX>${docker.image.prefix}</IMAGE_PREFIX>
                    </buildArgs>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>
Dockerfile:
ARG IMAGE_PREFIX
FROM ${IMAGE_PREFIX}/java:8
ARG JAR_FILE
ADD ${JAR_FILE} /app.jar
EXPOSE 17005
ENTRYPOINT ["java","-jar","/app.jar"]
Put the Dockerfile and pom.xml in the same directory.
Then click package under Lifecycle in the Maven tool window and the image is built into the Docker service. Next, in Edit Configurations add a Docker Image configuration, and under the active tool window add the command clean package -DskipTests=true dockerfile:push; the container can then be run directly from IDEA. Remember to configure the Docker service in Settings.
Shell script to delete <none> images
1.1 Create clear.sh
# edit clear.sh
vi /opt/clear.sh
Add the following to the clear.sh file and save with :wq.
docker images|grep none|awk '{print $3}'|xargs docker rmi
1.2 Make the shell script executable
chmod 777 /opt/clear.sh
Add a scheduled task
2.1 Edit crontab
vi /etc/crontab
Add the following to the crontab file and save with :wq.
# run the script every day at 01:00
0 1 * * * root bash /opt/clear.sh
2.2 Restart crond
systemctl restart crond
Jenkins installation
Official site: https://pkg.jenkins.io/redhat-stable/
Install with the commands from the official site
sudo wget -O /etc/yum.repos.d/jenkins.repo https://pkg.jenkins.io/redhat-stable/jenkins.repo
sudo rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key
yum install jenkins -y
systemctl start jenkins   # default port is 8080
vim /var/lib/jenkins/updates/default.json   # if plugin installation hangs, replace google with baidu on the first line
vim /var/lib/jenkins/hudson.model.UpdateCenter.xml   # if plugin installation fails, change the url to http://mirror.xmission.com/jenkins/updates/update-center.json; this can also be changed under Manage Plugins
visudo   # add the following lines
jenkins ALL=(root) NOPASSWD: /usr/bin/docker
Defaults:jenkins !requiretty
# Plugins can be downloaded from http://updates.jenkins-ci.org/download/plugins/ ; needed: authorize-project, Role-based Authorization Strategy (role-strategy), maven integration (maven-plugin), ssh plugin (ssh), Gitlab Hook Plugin, Build Authorization Token Root Plugin (gitlab-hook) and gitlab-plugin
Global Security - Authorization: select Role-Based Strategy
Global Security - Security Realm: select Allow users to sign up
Global Security - Manage and Assign Roles: manage roles
Global Tool Configuration: configure the JDK, Git and Maven directories
chmod 777 /var/run/docker.sock
chmod 777 /var/lib/jenkins/workspace/
# Uninstall
Uninstall the rpm
1. rpm -e jenkins
rpm -ql jenkins   # check that the uninstall succeeded
2. Remove leftover files completely:
find / -iname jenkins | xargs -n 1000 rm -rf
Note: this step must be carried out!!!
Manage Jenkins - Configure System - SSH remote hosts: add the corresponding Docker application server; the matching credentials must be added
Create a Maven job in Jenkins
GitLab settings
Business server configuration
yum install jq -y
# if that fails, run the following and then reinstall jq:
wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
yum repolist -y
visudo   # add the following line
Defaults:root !requiretty