Docker Binary Deployment


Environment Preparation

Docker requires a CentOS kernel of at least 3.10. Check the running kernel version:

uname -r
Reference: https://yeasy.gitbook.io/docker_practice/

Downloading Docker

Download address for other versions (static binaries):

https://download.docker.com/linux/static/stable/x86_64/

Install the binary package: extract it and copy the binaries into /usr/bin

tar zxf docker-17.12.1-ce.tgz
cp docker/* /usr/bin

Create the Docker systemd unit

vim /usr/lib/systemd/system/docker.service

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
ExecStart=/usr/bin/dockerd \
    --insecure-registry=172.16.45.9
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target

Add whatever other parameters you need. Do not set the same option both as a flag here and in /etc/docker/daemon.json (for example hosts): dockerd refuses to start when a directive appears in both places.

Parameter details:
Change the cgroup driver: --exec-opt native.cgroupdriver=cgroupfs
Allow plain HTTP or an untrusted certificate for one registry: --insecure-registry=172.16.45.9 (the value is host[:port] or a CIDR with no scheme; dockerd strips an http:// or https:// prefix and logs a warning)
Change the default storage path for images and containers: --graph /home/docker (--graph is the old spelling of --data-root, which replaced it in 17.05)

Configure daemon.json

Create a directory named docker under /etc:

mkdir -p /etc/docker
vim /etc/docker/daemon.json

Configure the remote API:

{
    "iptables": false,
    "hosts": ["tcp://0.0.0.0:2376","unix:///var/run/docker.sock"],
    "tlsverify":true,
    "tlscacert":"/etc/docker/certs.d/ca-dp.pem",
    "tlscert":"/etc/docker/certs.d/server-cert-dp.pem",
    "tlskey":"/etc/docker/certs.d/server-key-dp.pem",
    "registry-mirrors": [
    "https://registry.docker-cn.com",
    "http://hub-mirror.c.163.com",
    "https://docker.mirrors.ustc.edu.cn"
  ]
}
Parameter details:
"hosts": the listeners for the remote API. tcp://0.0.0.0:2376 exposes the API on every interface and unix:///var/run/docker.sock keeps the local socket for the CLI. The API is equivalent to root on the host, so never expose the TCP listener without TLS client authentication.
"tlsverify": require TLS and reject clients whose certificate is not signed by the CA in "tlscacert"; "tlscert" and "tlskey" are the server certificate and key generated in the TLS section below.
"registry-mirrors": mirrors tried before Docker Hub. An http:// mirror (such as the 163 entry above) lets anyone on the network path substitute the manifest returned for a tag, so prefer https mirrors.
"iptables": whether dockerd manages iptables rules for published ports and outbound NAT. With false, containers on the bridge get no MASQUERADE rule and -p port publishing adds no DNAT rule, so you must maintain those rules yourself.
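As an added example (not part of the original post), the following shell script audits a daemon.json for the settings described above before the daemon is restarted: a tcp:// listener without "tlsverify": true, the plaintext port 2375, iptables disabled, insecure registries and http:// mirrors. The two sample files it writes are constructed for the example; the audit is a text heuristic built on tr and grep rather than a JSON parser, which is sufficient for the flat layout used here.

```bash
#!/bin/bash
# Added example, not from the original post: static audit of a daemon.json
# for the settings discussed above, run before "systemctl restart docker".
# The file is inspected as text with tr/grep (no JSON parser), which is
# enough for the flat key/value layout used in this post.

# audit_daemon_json FILE
# Prints one WARN line per finding. Returns 1 when a finding is fatal
# (a tcp:// listener without "tlsverify": true), otherwise 0.
audit_daemon_json() {
    local file="$1"
    local flat fatal=0
    # Strip all whitespace so patterns like "key":value are predictable
    flat=$(tr -d ' \t\r\n' < "$file")

    if echo "$flat" | grep -q '"tcp://'; then
        # A TCP listener is root on the host; without tlsverify it is open
        # to everyone who can reach the port
        if ! echo "$flat" | grep -q '"tlsverify":true'; then
            echo "WARN: $file: tcp:// listener without \"tlsverify\": true (unauthenticated root on the host)"
            fatal=1
        fi
        if echo "$flat" | grep -q '"tcp://0\.0\.0\.0:2375"'; then
            echo "WARN: $file: listening on 2375, the conventional plaintext port; use 2376 with TLS"
        fi
    fi
    if echo "$flat" | grep -q '"iptables":false'; then
        echo "WARN: $file: iptables=false, so published ports and outbound NAT need manually maintained rules"
    fi
    if echo "$flat" | grep -q '"insecure-registries"'; then
        echo "WARN: $file: insecure-registries set; pulls from them skip TLS validation or use plain HTTP"
    fi
    if echo "$flat" | grep -q '"http://'; then
        echo "WARN: $file: plaintext http:// URL (mirror or registry); tags resolved over HTTP can be swapped on the path"
    fi
    return $fatal
}

# write_samples DIR
# Writes two constructed daemon.json files: a weak variant, and the layout
# used in this post with the fixes applied.
write_samples() {
    local dir="$1"
    cat > "$dir/weak.json" <<'EOF'
{
    "iptables": false,
    "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"],
    "insecure-registries": ["172.16.45.9"],
    "registry-mirrors": ["http://hub-mirror.c.163.com"]
}
EOF
    cat > "$dir/hardened.json" <<'EOF'
{
    "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
    "tlsverify": true,
    "tlscacert": "/etc/docker/certs.d/ca-dp.pem",
    "tlscert": "/etc/docker/certs.d/server-cert-dp.pem",
    "tlskey": "/etc/docker/certs.d/server-key-dp.pem",
    "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]
}
EOF
}

# Demo over the two constructed files. Against a real host run:
#   audit_daemon_json /etc/docker/daemon.json
tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp/weak.json" "$tmp/hardened.json"; do
    echo "== $f"
    audit_daemon_json "$f" || echo "FATAL: do not start dockerd with this file"
done
rm -rf "$tmp"
```

The weak file produces five warnings and a fatal result; the hardened file, which is the daemon.json from this post with the 2376/TLS listener kept and iptables left at its default, produces none.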

Configure TLS

Reference: http://www.dockerinfo.net/1416.html

Create a script named auto-tls-certs.sh:

#!/bin/bash
#
# -------------------------------------------------------------
# Generate the Docker TLS CA, server and client certificates
# -------------------------------------------------------------
set -euo pipefail

# Configuration; replace the placeholder values before running
# --[BEGIN]------------------------------

CODE="dp"                       # suffix appended to every generated file name
IP="192.168.1.50"               # address clients will use to reach the daemon
PASSWORD="changeme"             # passphrase protecting the CA private key
COUNTRY="CN"
STATE="BEIJING"
CITY="BEIJING"
ORGANIZATION="YourCompany"
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
EMAIL="you@example.com"

# --[END]--

# Generate the CA key (AES-256 encrypted with $PASSWORD)
openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "ca-key-$CODE.pem" 4096
# Generate the self-signed CA certificate
openssl req -new -x509 -days 365 -key "ca-key-$CODE.pem" -sha256 -out "ca-$CODE.pem" -passin "pass:$PASSWORD" -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"
# Generate the server key
openssl genrsa -out "server-key-$CODE.pem" 4096

# Generate the server certificate. The SAN must list every address clients
# connect to; add DNS:<hostname> if you connect by name rather than by IP.
openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key-$CODE.pem" -out server.csr

# Overwrite (not append) so a re-run does not accumulate stale lines
echo "subjectAltName = IP:$IP,IP:127.0.0.1" > extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf

openssl x509 -req -days 365 -sha256 -in server.csr -passin "pass:$PASSWORD" -CA "ca-$CODE.pem" -CAkey "ca-key-$CODE.pem" -CAcreateserial -out "server-cert-$CODE.pem" -extfile extfile.cnf


# Generate the client certificate, restricted to clientAuth so it cannot be
# reused as a server certificate
rm -f extfile.cnf

openssl genrsa -out "key-$CODE.pem" 4096
openssl req -subj '/CN=client' -new -key "key-$CODE.pem" -out client.csr
echo "extendedKeyUsage = clientAuth" > extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -passin "pass:$PASSWORD" -CA "ca-$CODE.pem" -CAkey "ca-key-$CODE.pem" -CAcreateserial -out "cert-$CODE.pem" -extfile extfile.cnf

rm -vf client.csr server.csr extfile.cnf

# Private keys readable only by their owner; certificates world-readable
chmod -v 0400 "ca-key-$CODE.pem" "key-$CODE.pem" "server-key-$CODE.pem"
chmod -v 0444 "ca-$CODE.pem" "server-cert-$CODE.pem" "cert-$CODE.pem"

# Bundle the client material (CA cert, client cert and client key only; the
# CA key never leaves this machine)
mkdir -p "tls-client-certs-$CODE"
cp -f "ca-$CODE.pem" "cert-$CODE.pem" "key-$CODE.pem" "tls-client-certs-$CODE/"
cd "tls-client-certs-$CODE"
tar zcf "tls-client-certs-$CODE.tar.gz" *
mv "tls-client-certs-$CODE.tar.gz" ../
cd ..
rm -rf "tls-client-certs-$CODE"

# Install the server-side material where daemon.json expects it
mkdir -p /etc/docker/certs.d
cp "ca-$CODE.pem" "server-cert-$CODE.pem" "server-key-$CODE.pem" /etc/docker/certs.d/

Make the script executable:

chmod +x auto-tls-certs.sh

Run the script as root. The generated keys and certificates appear in the current directory and the server-side files are copied to /etc/docker/certs.d. Keep ca-key-dp.pem and its passphrase off the daemon host if you can: whoever holds them can issue client certificates that the daemon will accept.

Start Docker

systemctl daemon-reload
systemctl restart  docker

Test TLS

Then copy the client PEM files (tls-client-certs-dp.tar.gz contains them) to the client machine. Any channel works technically, but key-dp.pem gives its holder full control of the daemon, so use an authenticated one such as scp rather than e-mail or a shared folder. Extract the archive, change into the directory containing the client PEMs, and run:

curl https://192.168.1.50:2376/info --cert ./cert-dp.pem --key ./key-dp.pem --cacert ./ca-dp.pem

If you get back a JSON document, TLS is working end to end.

If you instead see curl: (35) gnutls_handshake() failed: Certificate is bad, something is misconfigured. The usual causes are a server certificate whose SAN does not contain the IP you connected to, a client certificate that was not signed by the CA named in tlscacert, or a key file paired with the wrong certificate; check the files one by one.
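As an added example that is not part of the original post, the script below checks the files produced by auto-tls-certs.sh for the mistakes behind most "Certificate is bad" failures: a certificate not signed by the CA in tlscacert, a key that does not belong to its certificate, a server SAN that does not contain the IP the client dials, extended key usages the wrong way round, and near-expiry. gen_demo_certs is a throwaway, passphrase-less variant of the post's generation steps used only to exercise the checks; the CA name demo-ca, the file names without the -dp suffix and the sample addresses are assumptions for the demo. It needs the openssl command line tool.

```bash
#!/bin/bash
# Added example, not from the original post: verify a Docker TLS certificate
# set before shipping the client bundle, so a failed handshake can be traced
# to a specific file.

# check_tls_material CA SERVER_CERT SERVER_KEY CLIENT_CERT CLIENT_KEY IP
# Prints one FAIL line per problem and returns the number of failures.
check_tls_material() {
    local ca="$1" scert="$2" skey="$3" ccert="$4" ckey="$5" ip="$6"
    local fails=0 ip_re
    ip_re=$(echo "$ip" | sed 's/\./\\./g')

    # 1. Both certificates must chain to the CA the daemon has in tlscacert
    openssl verify -CAfile "$ca" "$scert" >/dev/null 2>&1 \
        || { echo "FAIL: $scert is not signed by $ca"; fails=$((fails+1)); }
    openssl verify -CAfile "$ca" "$ccert" >/dev/null 2>&1 \
        || { echo "FAIL: $ccert is not signed by $ca"; fails=$((fails+1)); }

    # 2. Each private key must belong to its certificate: compare the public
    #    key embedded in the cert with the one derived from the key file
    [ "$(openssl x509 -noout -pubkey -in "$scert" 2>/dev/null)" = "$(openssl pkey -pubout -in "$skey" 2>/dev/null)" ] \
        || { echo "FAIL: $skey does not match $scert"; fails=$((fails+1)); }
    [ "$(openssl x509 -noout -pubkey -in "$ccert" 2>/dev/null)" = "$(openssl pkey -pubout -in "$ckey" 2>/dev/null)" ] \
        || { echo "FAIL: $ckey does not match $ccert"; fails=$((fails+1)); }

    # 3. The server SAN must contain the address the client dials; curl and
    #    docker validate the SAN, not the CN
    openssl x509 -noout -text -in "$scert" | grep -A1 'Subject Alternative Name' \
        | grep -E -q "IP Address:${ip_re}(,|$)" \
        || { echo "FAIL: $scert has no SAN entry for IP $ip"; fails=$((fails+1)); }

    # 4. Extended key usages: serverAuth on the server cert, clientAuth on the client cert
    openssl x509 -noout -text -in "$scert" | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL: $scert lacks serverAuth"; fails=$((fails+1)); }
    openssl x509 -noout -text -in "$ccert" | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Client Authentication' \
        || { echo "FAIL: $ccert lacks clientAuth"; fails=$((fails+1)); }

    # 5. Nothing expires within the next 30 days (2592000 seconds)
    for c in "$ca" "$scert" "$ccert"; do
        openssl x509 -noout -checkend 2592000 -in "$c" >/dev/null \
            || { echo "FAIL: $c expires within 30 days"; fails=$((fails+1)); }
    done

    return $fails
}

# gen_demo_certs DIR IP
# Throwaway, passphrase-less equivalent of the post's generation steps (demo only)
gen_demo_certs() {
    local dir="$1" ip="$2"
    (
    cd "$dir"
    openssl genrsa -out ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key ca-key.pem -subj "/CN=demo-ca" -out ca.pem
    openssl genrsa -out server-key.pem 2048 2>/dev/null
    openssl req -new -sha256 -key server-key.pem -subj "/CN=$ip" -out server.csr
    printf 'subjectAltName = IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' "$ip" > server-ext.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile server-ext.cnf 2>/dev/null
    openssl genrsa -out key.pem 2048 2>/dev/null
    openssl req -new -key key.pem -subj "/CN=client" -out client.csr
    printf 'extendedKeyUsage = clientAuth\n' > client-ext.cnf
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile client-ext.cnf 2>/dev/null
    )
}

# Demo: a correct set passes; dialling an address missing from the SAN fails
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    gen_demo_certs "$tmp" 192.168.1.50
    echo "== correct material, dialling 192.168.1.50"
    check_tls_material "$tmp/ca.pem" "$tmp/server-cert.pem" "$tmp/server-key.pem" "$tmp/cert.pem" "$tmp/key.pem" 192.168.1.50 && echo "OK"
    echo "== same material, dialling an address that is not in the SAN"
    check_tls_material "$tmp/ca.pem" "$tmp/server-cert.pem" "$tmp/server-key.pem" "$tmp/cert.pem" "$tmp/key.pem" 10.0.0.5 || echo "$? problem(s) found"
    rm -rf "$tmp"
fi
```

Against the real material, run check_tls_material /etc/docker/certs.d/ca-dp.pem /etc/docker/certs.d/server-cert-dp.pem /etc/docker/certs.d/server-key-dp.pem cert-dp.pem key-dp.pem 192.168.1.50 on the daemon host with the extracted client bundle in the current directory. Once it passes, the Docker CLI can be pointed at the daemon with docker --tlsverify --tlscacert=ca-dp.pem --tlscert=cert-dp.pem --tlskey=key-dp.pem -H=192.168.1.50:2376 version, which exercises the same handshake as the curl call above.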

On the host itself, docker info confirms the daemon is up and shows the data root and insecure-registry settings configured above:

docker info

Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 0
Server Version: 18.09.9
Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
runc version: 425e105d5a03fabd737a126ad93d62a9eeede87f
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 3.10.0-957.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.84GiB
Name: qwq
ID: M5LD:CM5Z:PCGP:XCE6:TQEH:PF35:JWBL:23L4:HC6H:CYEL:J7LU:M3AA
Docker Root Dir: /home/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 172.16.45.9
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

Check that the Docker virtual interface exists

Use ifconfig or ip a
and confirm that a virtual interface named `docker0` is present.

Install docker-compose

Upload the docker-compose binary to /usr/local/bin, make it executable, and symlink it into /usr/bin:

mv docker-compose /usr/local/bin
chmod +x /usr/local/bin/docker-compose
ln -s /usr/local/bin/docker-compose /usr/bin/

Check that the docker-compose version is 1.8:

docker-compose -v

Output:

docker-compose version 1.8.1, build 878cff1

Running Docker as a non-root user

Create a docker group on the server (when it exists, dockerd makes /var/run/docker.sock group-owned by it):

groupadd docker

Add each non-root user to the docker group. usermod accepts a single login name, so run it once per user; the users must log out and back in before the new group membership takes effect:

usermod -aG docker user1
usermod -aG docker user2

Treat docker group membership as equivalent to root on the host: a member can bind-mount / into a container and edit any file, so grant it only to users you would also trust with sudo.

