Docker, Docker Compose and Harbor: Installation and Deployment

Installing Docker

Docker documentation: https://docs.docker.com/engine/install/centos/#prerequisites

1. Remove old versions

yum remove docker \
    docker-client \
    docker-client-latest \
    docker-common \
    docker-latest \
    docker-latest-logrotate \
    docker-logrotate \
    docker-engine

2. Install the required package

yum install -y yum-utils

3. Configure the package repository (mirror)

yum-config-manager \
    --add-repo \
    http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

# refresh the yum package index
yum makecache fast

4. Install the Docker engine

yum install -y docker-ce docker-ce-cli containerd.io

5. Start Docker

systemctl start docker

6. Verify the installation

docker run hello-world

7. List images

docker images

8. Configure registry mirrors (pull acceleration)

vim /etc/docker/daemon.json

{
  "registry-mirrors": [
    "https://registry.docker-cn.com",
    "http://hub-mirror.c.163.com",
    "https://docker.mirrors.ustc.edu.cn"
  ]
}

systemctl daemon-reload     # reload the mirror configuration
systemctl restart docker    # restart the Docker daemon

Container commands

# start a container and attach an interactive shell
docker run -it centos /bin/bash
# leave the container
exit

Installing a private Docker registry

# Installing Harbor (see below) is recommended instead
# this simply runs the registry container provided by Docker
docker run -d -p 5000:5000 --name registry --restart=always -v /home/harbor/registry:/var/lib/registry registry

vim /etc/docker/daemon.json

"insecure-registries": ["192.168.70.168:5000"]    # add this key inside the JSON object in daemon.json, comma-separated from "registry-mirrors"

systemctl daemon-reload     # reload the configuration
systemctl restart docker    # restart the Docker daemon

 

Offline installation

Sometimes a service has to be deployed on an internal network with no internet access; the following is my own installation process.

Installing Docker Compose

Download a suitable version from https://github.com/docker/compose/releases/

The link I used: https://github.com/docker/compose/releases/download/1.27.4/docker-compose-Linux-x86_64 ; I recommend downloading it with Thunder (迅雷), which is fast. Rename the file to docker-compose.

Copy it to /usr/local/bin/docker-compose

Apply executable permissions to the binary:

$ sudo chmod +x /usr/local/bin/docker-compose

Create a symbolic link:

$ sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

Test that the installation succeeded:

$ docker-compose --version

Installing Harbor

Download a suitable version from https://github.com/goharbor/harbor/releases

The link I used: https://github.com/goharbor/harbor/releases/download/v2.1.2/harbor-offline-installer-v2.1.2.tgz

After downloading, extract the archive and change into the resulting directory:

cp harbor.yml.tmpl harbor.yml
vim harbor.yml

The main settings to change are:

hostname: your server IP or domain name
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: your port number  # the default is port 80
harbor_admin_password: Harbor12345  # Harbor super-administrator password
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123  # database administrator password

data_volume: /data   # Harbor data directory, i.e. where pushed image layers are stored; change it, otherwise it consumes space on the system disk.

# Also comment out the following lines: HTTP is then used by default rather than HTTPS, unless you have an HTTPS certificate configured
# https related config
#https:
  # https port for harbor, default is 443
  #port: 443
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path

./install.sh

Log in to the web UI with admin/Harbor12345 (the admin password can be viewed/changed in harbor.yml)

http://192.168.70.168:80

Configuring HTTPS

Change hostname in harbor.yml to 192.168.70.168 as well, and in the https block replace

certificate: /your/certificate/path
private_key: /your/private/key/path

# with

certificate: /data/cert/192.168.70.168.crt
private_key: /data/cert/192.168.70.168.key

 

Generate a Certificate Authority Certificate

1.Generate a CA certificate private key.

openssl genrsa -out ca.key 4096

2.Generate the CA certificate.

Adapt the values in the -subj option to reflect your organization. If you use an FQDN to connect to your Harbor host, you must specify it as the common name (CN) attribute.

openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=192.168.70.168" \
    -key ca.key \
    -out ca.crt

Generate a Server Certificate

The certificate usually contains a .crt file and a .key file, for example, yourdomain.com.crt and yourdomain.com.key.

1.Generate a private key.

openssl genrsa -out 192.168.70.168.key 4096

2.Generate a certificate signing request (CSR).

Adapt the values in the -subj option to reflect your organization. If you use an FQDN to connect to your Harbor host, you must specify it as the common name (CN) attribute and use it in the key and CSR filenames.

openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=192.168.70.168" \
    -key 192.168.70.168.key \
    -out 192.168.70.168.csr

3.Generate an x509 v3 extension file.

Regardless of whether you’re using either an FQDN or an IP address to connect to your Harbor host, you must create this file so that you can generate a certificate for your Harbor host that complies with the Subject Alternative Name (SAN) and x509 v3 extension requirements. Replace the DNS entries to reflect your domain.

# use this form when connecting by domain name (replace the DNS entries with your domain)
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=192.168.70.168
DNS.2=192.168.70.171
EOF

# IP address form:
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.70.168
EOF

4.Use the v3.ext file to generate a certificate for your Harbor host.

Replace yourdomain.com in the CSR and CRT file names with the Harbor host name.

openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in 192.168.70.168.csr \
    -out 192.168.70.168.crt

Provide the Certificates to Harbor and Docker

After generating the ca.crt, yourdomain.com.crt, and yourdomain.com.key files, you must provide them to Harbor and to Docker, and reconfigure Harbor to use them.

  1. Copy the server certificate and key into the certificates folder on your Harbor host.

    mkdir -p /data/cert/
    cp 192.168.70.168.crt /data/cert/
    cp 192.168.70.168.key /data/cert/
  2. Convert yourdomain.com.crt to yourdomain.com.cert, for use by Docker.

    The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.

    openssl x509 -inform PEM -in 192.168.70.168.crt -out 192.168.70.168.cert
  3. Copy the server certificate, key and CA files into the Docker certificates folder on the Harbor host. You must create the appropriate folders first.

    mkdir -p /etc/docker/certs.d/192.168.70.168/
    cp 192.168.70.168.cert /etc/docker/certs.d/192.168.70.168/
    cp 192.168.70.168.key /etc/docker/certs.d/192.168.70.168/
    cp ca.crt /etc/docker/certs.d/192.168.70.168/

    If you mapped the default nginx port 443 to a different port, create the folder /etc/docker/certs.d/yourdomain.com:port, or /etc/docker/certs.d/harbor_IP:port.

  4. Restart Docker Engine.

    systemctl restart docker

You might also need to trust the certificate at the OS level. See Troubleshooting Harbor Installation for more information.

The following example illustrates a configuration that uses custom certificates.

/etc/docker/certs.d/
  └── yourdomain.com:port
      ├── yourdomain.com.cert <-- Server certificate signed by CA
      ├── yourdomain.com.key   <-- Server key signed by CA
      └── ca.crt               <-- Certificate authority that signed the registry certificate
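As an added example (not from the original post or the Harbor documentation), the certificate steps above collected into one script that also does what the post does not show: it verifies that the signed certificate chains to ca.crt and actually carries the IP and DNS subject alternative names, and then lays the files out in a certs.d directory. It assumes the openssl CLI is installed; the host IP 192.168.70.168, the DNS name harbor.example.test and the working directory are constructed sample values, and the keys are 2048 bits to keep the run short (the post uses 4096).

```shell
#!/bin/sh
# Added example, not from the original post: CA + SAN server certificate for a
# Harbor host, with chain/SAN verification and certs.d layout.
# Assumes the openssl CLI; the IP, DNS name and directories are sample values.
set -e

# make_harbor_certs <workdir> <harbor_ip> <harbor_dns>
# Writes ca.key, ca.crt, <ip>.key, <ip>.csr, <ip>.crt and <ip>.cert into workdir.
make_harbor_certs() {
    dir=$1; ip=$2; dns=$3
    subj="/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal"
    mkdir -p "$dir"
    # 1. CA key and self-signed CA certificate (2048 bits to keep the example
    #    fast; the post uses 4096). The CA gets its own CN so CA and server
    #    certificates are easy to tell apart.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 3650 \
        -subj "$subj/CN=harbor-ca" -key "$dir/ca.key" -out "$dir/ca.crt"
    # 2. Server key and CSR; the CN is the IP, as in the post
    openssl genrsa -out "$dir/$ip.key" 2048 2>/dev/null
    openssl req -sha512 -new -subj "$subj/CN=$ip" \
        -key "$dir/$ip.key" -out "$dir/$ip.csr"
    # 3. x509 v3 extensions with BOTH an IP and a DNS SAN, so the certificate
    #    is valid whichever way clients address the host
    cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1=$ip
DNS.1=$dns
EOF
    # 4. Sign the CSR with the CA
    openssl x509 -req -sha512 -days 3650 -extfile "$dir/v3.ext" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -in "$dir/$ip.csr" -out "$dir/$ip.crt" 2>/dev/null
    # 5. Docker reads .crt files as CA certificates and .cert files as client
    #    certificates, so provide a .cert copy for certs.d
    openssl x509 -inform PEM -in "$dir/$ip.crt" -out "$dir/$ip.cert"
}

# verify_harbor_cert <workdir> <harbor_ip> <harbor_dns>
# Returns 0 only if <ip>.crt chains to ca.crt AND carries both SAN entries.
verify_harbor_cert() {
    dir=$1; ip=$2; dns=$3
    openssl verify -CAfile "$dir/ca.crt" "$dir/$ip.crt" >/dev/null 2>&1 || return 1
    # the SAN values are printed on the line after the extension name
    san=$(openssl x509 -in "$dir/$ip.crt" -noout -text |
          awk '/Subject Alternative Name/ { getline; print; exit }')
    case $san in *"IP Address:$ip"*) ;; *) return 1 ;; esac
    case $san in *"DNS:$dns"*) ;; *) return 1 ;; esac
    return 0
}

# install_docker_certs <workdir> <harbor_ip> <certs_root>
# Copies the three files Docker needs into <certs_root>/<harbor_ip>/ (use
# /etc/docker/certs.d on a real host, appending :port if nginx is not on 443).
install_docker_certs() {
    dir=$1; ip=$2; root=$3
    mkdir -p "$root/$ip"
    cp "$dir/$ip.cert" "$dir/$ip.key" "$dir/ca.crt" "$root/$ip/"
    # all three must be present or docker login fails with
    # "certificate signed by unknown authority"
    [ -f "$root/$ip/$ip.cert" ] && [ -f "$root/$ip/$ip.key" ] && [ -f "$root/$ip/ca.crt" ]
}

# Stand-alone run in a temporary directory (sample host values)
WORK=$(mktemp -d)
make_harbor_certs "$WORK" 192.168.70.168 harbor.example.test
verify_harbor_cert "$WORK" 192.168.70.168 harbor.example.test && echo "chain and SAN OK"
install_docker_certs "$WORK" 192.168.70.168 "$WORK/certs.d"
echo "Docker certificate layout written to $WORK/certs.d/192.168.70.168"
```

On a real host, point the last argument of install_docker_certs at /etc/docker/certs.d and restart Docker as in step 4 above; the verify step is the one to re-run whenever the certificate is regenerated, since a missing SAN is what makes docker login fail even though the file exists.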

Note:

On Windows: copy ca.crt to your PC, right-click it and install the certificate into the Trusted Root store; the browser will then no longer show the insecure-connection warning.

On CentOS:

cd /etc/pki/ca-trust/source/anchors
# copy ca.crt into this directory
update-ca-trust
systemctl restart docker
# login now succeeds; otherwise it fails with: certificate signed by unknown authority

 

Deploy or Reconfigure Harbor

Pushing images to the Harbor private registry

1. Log in to Harbor (similar to logging in to GitHub)

docker login 192.168.70.168

The command line prompts for username/password; admin/Harbor12345 can be used.

[root@k8s-node1 docker]# docker login 192.168.70.168
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@k8s-node1 docker]#
2. Push the image to the Harbor registry

[root@k8s-node1 docker]# docker images
REPOSITORY                                           TAG                 IMAGE ID            CREATED             SIZE
192.168.229.20/user/user-setvice                     v2.0                3dc0481535b8        2 hours ago         122MB
nginx                                                alpine              b411e34b4606        3 weeks ago         16.1MB
registry.aliyuncs.com/google_containers/kube-proxy   v1.13.1             fdb321fd30a0        2 months ago        80.2MB
quay.io/coreos/flannel                               v0.10.0-amd64       f0fad859c909        13 months ago       44.6MB
registry.aliyuncs.com/google_containers/pause        3.1                 da86e6ba6ca1        14 months ago       742kB
nginx                                                1.9.1               94ec7e53edfc        3 years ago         133MB
nginx                                                1.7.9               84581e99d807        4 years ago         91.7MB

Note: the image tag 192.168.229.20/user/user-setvice:v2.0 must have the form registry-IP[or domain]/project-name/custom-name:tag, where 192.168.x.20 is the registry IP, user is the project name created in Harbor, and user-setvice is the custom image name.

docker push 192.168.229.20/user/user-setvice:v2.0
# pull
docker pull 192.168.229.20/user/user-setvice:v2.0
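Added example, not from the original post: a small POSIX shell check that validates an image reference against the registry/project/name:tag shape described above before a docker push, and confirms that the registry part is the Harbor host you mean. HARBOR_HOST and the sample references are constructed values; the rule that Docker only treats the first path component as a registry when it contains a dot, a port, or is localhost is general Docker behaviour, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original post: validate an image reference of
# the form registry/project/name:tag before pushing it to Harbor.
# HARBOR_HOST and the sample references are constructed values.

# parse_image_ref <ref>
# Prints "registry project name tag" and returns 0 when <ref> has exactly the
# registry/project/name:tag shape; returns 1 otherwise. Harbor expects the
# repository to sit inside a project, so a one-component path such as
# host/name:tag is rejected here as well.
parse_image_ref() {
    ref=$1
    # Docker only treats the first component as a registry when it contains a
    # dot, a port, or is "localhost"; a tag is at most 128 characters.
    echo "$ref" | grep -Eq \
        '^([A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+|localhost)(:[0-9]+)?/[a-z0-9._-]+/[a-z0-9._-]+:[A-Za-z0-9_.-]{1,128}$' \
        || return 1
    registry=${ref%%/*}          # up to the first slash
    rest=${ref#*/}               # project/name:tag
    project=${rest%%/*}
    name_tag=${rest#*/}          # name:tag
    name=${name_tag%%:*}
    tag=${name_tag#*:}
    echo "$registry $project $name $tag"
}

# check_push_target <ref> <expected_registry>
# Returns 0 only if <ref> parses and its registry part equals <expected_registry>,
# so a slip such as 192.168.229.20 instead of 192.168.70.168 is caught before docker push.
check_push_target() {
    parsed=$(parse_image_ref "$1") || return 1
    [ "${parsed%% *}" = "$2" ]
}

HARBOR_HOST=192.168.70.168   # constructed: the Harbor host used in the post
for ref in \
    192.168.70.168/user/user-service:v2.0 \
    192.168.229.20/user/user-service:v2.0 \
    user/user-service:v2.0 \
    192.168.70.168/user-service:latest
do
    if check_push_target "$ref" "$HARBOR_HOST"; then
        echo "OK    $ref -> $(parse_image_ref "$ref")"
    else
        echo "SKIP  $ref (not registry/project/name:tag on $HARBOR_HOST)"
    fi
done
```

Running check_push_target in a build script before docker push turns the "denied" error from the registry into a clear message about which part of the reference is wrong.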

Starting Harbor automatically at boot

vim /usr/lib/systemd/system/harbor.service

[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor

[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/local/bin/docker-compose -f /home/harbor/harbor/docker-compose.yml up
ExecStop=/usr/local/bin/docker-compose -f /home/harbor/harbor/docker-compose.yml down

[Install]
WantedBy=multi-user.target


# then run the following commands
cd /usr/lib/systemd/system
chmod +x harbor.service
systemctl daemon-reload

Replace /home/harbor/harbor with your own Harbor installation path, and use the absolute path of docker-compose, which you can find with: which docker-compose

Then enable and start the service:

sudo systemctl enable harbor
sudo systemctl start harbor
sudo systemctl stop harbor

One-click Docker deployment from IntelliJ IDEA

1. Edit the Docker service file to open port 2375

vim /usr/lib/systemd/system/docker.service
# comment out the original ExecStart line and replace it with this one
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
# reload the unit file and start Docker:
systemctl daemon-reload
systemctl start docker
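An added audit check, not from the original post: the ExecStart line above makes dockerd listen on tcp://0.0.0.0:2375 with no TLS, so any host that can reach that port can drive the Docker API (which runs as root) without authentication. The script below reads a docker.service unit and fails when it finds a tcp:// listener that is not protected by --tlsverify, so the change can be checked before and after it is made. The three sample unit files are constructed; the --tlsverify/--tlscacert/--tlscert/--tlskey flags and port 2376 are dockerd's standard TLS options, and the .pem paths in the sample are placeholders.

```shell
#!/bin/sh
# Added audit check, not from the original post: flag a dockerd TCP listener
# that is not protected by TLS client verification. The three unit-file
# samples are constructed.

# audit_dockerd_unit  (reads a docker.service unit on stdin)
# Prints a verdict and returns 0 if there is no tcp:// listener or it uses
# --tlsverify, 1 if a tcp:// listener is unprotected, 2 if no ExecStart found.
audit_dockerd_unit() {
    # commented-out lines (#ExecStart=...) are not matched; a unit may only
    # have one active ExecStart for Type=notify, so the last one is taken
    exec_line=$(grep -E '^[[:space:]]*ExecStart=' | tail -n 1)
    if [ -z "$exec_line" ]; then
        echo "WARN: no active ExecStart line"
        return 2
    fi
    case $exec_line in
        *tcp://*)
            case $exec_line in
                *--tlsverify*)
                    echo "OK:   TCP listener requires client certificates: $exec_line"
                    return 0 ;;
                *)
                    echo "FAIL: TCP listener without TLS: $exec_line"
                    return 1 ;;
            esac ;;
        *)
            echo "OK:   only local listeners: $exec_line"
            return 0 ;;
    esac
}

# Sample 1: the change made in the step above (original line commented out)
UNIT_OPEN='[Service]
#ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock'

# Sample 2: remote access kept, but with the TLS options of dockerd on the
# conventional TLS port 2376 (the .pem paths are placeholders)
UNIT_TLS='[Service]
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock'

# Sample 3: the default unit, socket-only
UNIT_LOCAL='[Service]
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock'

for name in UNIT_OPEN UNIT_TLS UNIT_LOCAL; do
    eval "unit=\$$name"
    printf '%s\n' "$unit" | audit_dockerd_unit || echo "      -> $name needs attention (exit $?)"
done
# On a real host: audit_dockerd_unit < /usr/lib/systemd/system/docker.service
```

The check reads only the unit file, so it is cheap enough to run from a cron job or a configuration-management hook; a running daemon's actual listeners can be cross-checked with ss -ltnp.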

2. Install the Docker plugin (Docker integration) in IDEA and configure it:

Add an environment variable on your workstation: DOCKER_HOST https://192.168.70.168 (a reboot may be required)

pom.xml is configured as follows

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.7.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <packaging>jar</packaging>
    <groupId>com.pj</groupId>
    <artifactId>hello</artifactId>
    <version>1.0</version>
    <name>hello</name>
    <description>Demo project for Spring Boot</description>

    <properties>
        <build.final.name>hello</build.final.name>
        <java.version>1.8</java.version>
        <docker.image.prefix>192.168.70.168/hello</docker.image.prefix>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>

    <build>
        <finalName>${build.final.name}</finalName>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>com.spotify</groupId>
                <artifactId>dockerfile-maven-plugin</artifactId>
                <version>1.4.3</version>
                <executions>
                    <execution>
                        <id>default</id>
                        <goals>
                            <goal>build</goal>
                            <goal>push</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <username>admin</username>
                    <password>Harbor12345</password>
                    <repository>${docker.image.prefix}/${project.artifactId}</repository>
<!--                    <repository>${docker.image.prefix}/${project.artifactId}</repository>-->
                    <tag>${project.version}</tag>
                    <buildArgs>
                        <JAR_FILE>target/${project.build.finalName}.jar</JAR_FILE>
                        <IMAGE_PREFIX>${docker.image.prefix}</IMAGE_PREFIX>
                    </buildArgs>
                </configuration>
            </plugin>
        </plugins>
    </build>

</project>

The Dockerfile is as follows:

ARG IMAGE_PREFIX

FROM ${IMAGE_PREFIX}/java:8

ARG JAR_FILE

ADD ${JAR_FILE} /app.jar

EXPOSE 17005

ENTRYPOINT ["java","-jar","/app.jar"]

Place the Dockerfile and pom.xml in the same directory.

Then click package under Lifecycle in the Maven tool window and the image is built into the Docker service. Next, add a Docker Image run configuration under Edit Configurations, add the command line clean package -DskipTests=true dockerfile:push in the active tool window, and the container can then be run directly from IDEA. Remember to configure the Docker service under Settings.

Shell script to delete <none> images

1.1 Create clear.sh

# edit clear.sh

vi /opt/clear.sh

Add the following content to the script file and save with :wq.

docker images|grep none|awk '{print $3}'|xargs docker rmi

1.2 Make the script executable

chmod 777 /opt/clear.sh
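Added example, not from the original post: the same clean-up as clear.sh, but selecting dangling images by matching the REPOSITORY and TAG columns exactly rather than grepping for the substring none (which would also match a repository such as nonexistent/app), and skipping docker rmi entirely when the list is empty (xargs would otherwise run docker rmi with no arguments and fail). The docker images output and the fake_docker function are constructed so the script runs without a Docker daemon; call remove_dangling docker on a real host.

```shell
#!/bin/sh
# Added example, not from the original post: remove dangling (<none>) images by
# matching the REPOSITORY/TAG columns exactly. The `docker images` sample
# output and the fake_docker command are constructed so this runs offline.

# dangling_ids  (reads `docker images` output on stdin; prints one IMAGE ID per line)
dangling_ids() {
    # NR > 1 skips the header; $1 = REPOSITORY, $2 = TAG, $3 = IMAGE ID.
    # Comparing whole fields avoids the false match that `grep none` produces
    # on a repository like nonexistent/app.
    awk 'NR > 1 && ($1 == "<none>" || $2 == "<none>") { print $3 }'
}

# remove_dangling <docker_command>
# Runs "<docker_command> rmi <ids>" only when there is something to remove;
# `xargs docker rmi` on empty input would run `docker rmi` with no arguments.
remove_dangling() {
    docker_cmd=$1
    ids=$($docker_cmd images | dangling_ids)
    if [ -z "$ids" ]; then
        echo "nothing to remove"
        return 0
    fi
    # $ids is deliberately unquoted so each ID becomes one argument
    $docker_cmd rmi $ids
}

# Constructed sample output standing in for `docker images`
SAMPLE='REPOSITORY                    TAG       IMAGE ID       CREATED        SIZE
192.168.70.168/hello/hello    1.0       3dc0481535b8   2 hours ago    122MB
<none>                        <none>    0a1b2c3d4e5f   3 hours ago    122MB
nonexistent/app               latest    9f8e7d6c5b4a   1 day ago      50MB
nginx                         <none>    1122334455aa   2 days ago     16.1MB'

# Stand-in for the docker CLI so the example runs without a daemon;
# use "remove_dangling docker" on a real host.
fake_docker() {
    case $1 in
        images) printf '%s\n' "$SAMPLE" ;;
        rmi)    shift; echo "would remove: $*" ;;
    esac
}

printf '%s\n' "$SAMPLE" | dangling_ids    # 0a1b2c3d4e5f and 1122334455aa, not 9f8e7d6c5b4a
remove_dangling fake_docker
```

The same selection can be expressed as docker images -f dangling=true -q, which the daemon filters itself; the awk form is shown here because it makes visible exactly which column the original grep was matching against.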

 


Adding a scheduled task

2.1 Edit the crontab

vi /etc/crontab

Add the following to the crontab file and save with :wq.

# run the script every day at 01:00
0 1 * * * root bash /opt/clear.sh

2.2 Restart crond

systemctl restart crond

Installing Jenkins

Official site: https://pkg.jenkins.io/redhat-stable/

Install with the commands from the official site:

sudo wget -O /etc/yum.repos.d/jenkins.repo https://pkg.jenkins.io/redhat-stable/jenkins.repo
sudo rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key
yum install jenkins -y
systemctl start jenkins   # the default port is 8080
vim /var/lib/jenkins/updates/default.json   # if plugin installation hangs, replace google with baidu on the first line
vim /var/lib/jenkins/hudson.model.UpdateCenter.xml   # if plugin installation fails, change the url to http://mirror.xmission.com/jenkins/updates/update-center.json (this can also be changed under Manage Plugins)

visudo   # add the following two lines
jenkins ALL=(root)   NOPASSWD: /usr/bin/docker
Defaults:jenkins !requiretty

# Plugins can be downloaded from http://updates.jenkins-ci.org/download/plugins/ ; required: authorize-project, Role-based Authorization Strategy (role-strategy), Maven Integration (maven-plugin), SSH plugin (ssh), Gitlab Hook Plugin, Build Authorization Token Root Plugin (gitlab-hook) and gitlab-plugin
Configure Global Security - Authorization: select Role-Based Strategy
Configure Global Security - Security Realm: select "Allow users to sign up"
Configure Global Security - Manage and Assign Roles: manage roles
Global Tool Configuration: configure the JDK, Git and Maven directories

chmod 777 /var/run/docker.sock
chmod 777 /var/lib/jenkins/workspace/

# Uninstalling

Uninstall via rpm

1. rpm -e jenkins

rpm -ql jenkins   # check that the uninstall succeeded

2. Completely remove leftover files:
find / -iname jenkins | xargs -n 1000 rm -rf

Note: this step must be carried out!!!

Manage Jenkins - Configure System - SSH remote hosts: add the corresponding Docker application server; the matching credentials must be added too

Creating a Maven job in Jenkins

GitLab settings

Application server configuration

yum install jq -y   # if this fails: wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && rpm -ivh epel-release-latest-7.noarch.rpm && yum repolist -y, then install jq again
visudo   # add the following line
Defaults:root !requiretty

 

