Linux cloud computing architecture-docker container configures static IP address, configures registry private warehouse, configures harbor private warehouse, uses aliyun's container mirroring service

1. Configure a static IP address for a Docker container

Docker network modes:

Mode               Option and remarks
host mode          --net=host
container mode     --net=container:NAME_OR_ID
none mode          --net=none
bridge mode        --net=bridge; selected by default. The container obtains a dynamic IP address through DHCP after startup. Equivalent to NAT mode in VMware.
pipework script    Assigns a fixed IP; equivalent to bridged mode in VMware. After the container restarts the IP setting disappears and must be set again.

Example 1: start a container with network mode none and privileged mode enabled

# With privileged mode on, the root user inside the container has real root privileges; with it off, root inside the container only has the permissions of an ordinary user.
# The mount operation below requires privileged mode.
# --privileged=true

[root@server ~]# docker run -itd --net=none --name docker1 --privileged=true centos:latest /bin/bash
daf14e2544b1001523fd7dc08e3e324d2f698d5f970947fc9540ec176d9d1989
[root@server ~]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
daf14e2544b1        centos:latest       "/bin/bash"         24 seconds ago      Up 23 seconds                           docker1
[root@server ~]# docker exec -it daf14e2544b1 /bin/bash
[root@daf14e2544b1 /]# mount -o bind /etc /opt
[root@daf14e2544b1 /]# ls /opt   # the files under /opt are now those of /etc, i.e. /etc has been bind-mounted onto /opt
BUILDTIME		 inputrc		   rc.d
GREP_COLORS		 iproute2		   rc.local
NetworkManager		 issue			   rc0.d
X11			 issue.net		   rc1.d

# the target directory can be unmounted again
[root@daf14e2544b1 /]# umount /opt        
[root@daf14e2544b1 /]# ls /opt
[root@daf14e2544b1 /]# mount -o bind /etc /opt
[root@daf14e2544b1 /]# ls /opt
BUILDTIME		 inputrc		   rc.d
GREP_COLORS		 iproute2		   rc.local
NetworkManager		 issue			   rc0.d
X11			 issue.net		   rc1.d

Configure the bridge and use the pipework script to configure a static IP address:

# download bridge-utils to build the bridge
[root@server ~]# wget http://mirror.centos.org/centos/7/os/x86_64/Packages/bridge-utils-1.5-9.el7.x86_64.rpm
[root@server ~]# ll bridge-utils-1.5-9.el7.x86_64.rpm 
-rw-r--r-- 1 root root 32480 7月   4 2014 bridge-utils-1.5-9.el7.x86_64.rpm
[root@server ~]# rpm -ivh bridge-utils-1.5-9.el7.x86_64.rpm 

# back up the local NIC config for ens32, then change it so ens32 goes online through the br0 bridge
[root@server ~]# cd /etc/sysconfig/network-scripts/
[root@server network-scripts]# cp ifcfg-ens32 /opt/
[root@server network-scripts]# ll /opt/ifcfg-ens32
-rw-r--r-- 1 root root 321 10月 11 22:27 /opt/ifcfg-ens32
# edit the NIC config: comment out the IP address, netmask, gateway and DNS entries,
# and add BRIDGE=br0 as the last line
[root@server network-scripts]# vim ifcfg-ens32 
BOOTPROTO=none
BRIDGE=br0

# create the NIC config file ifcfg-br0 (the br0 bridge)
[root@server network-scripts]# vim ifcfg-br0
DEVICE="br0"
NM_CONTROLLED="yes" 
ONBOOT="yes"
TYPE="Bridge"
BOOTPROTO=none
IPADDR=192.168.43.10    # an address in the 192.168.43.0/24 subnet
NETMASK=255.255.255.0
GATEWAY=192.168.43.1
DNS1=114.114.114.114

# restart networking and check the interfaces
[root@server network-scripts]# systemctl restart network
[root@server network-scripts]# ifconfig
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.43.10  netmask 255.255.255.0  broadcast 192.168.43.255
        inet6 fe80::20c:29ff:feeb:d724  prefixlen 64  scopeid 0x20<link>
        inet6 2408:84f3:c43:e4a3:20c:29ff:feeb:d724  prefixlen 64  scopeid 0x0<global>
        ether 00:0c:29:eb:d7:24  txqueuelen 1000  (Ethernet)
        RX packets 16  bytes 1541 (1.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 50  bytes 6344 (6.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@server network-scripts]# ping -c 2 www.baidu.com    # br0 now reaches the Internet through the bridged ens32
PING www.a.shifen.com (163.177.151.109) 56(84) bytes of data.
64 bytes from 163.177.151.109 (163.177.151.109): icmp_seq=1 ttl=53 time=50.8 ms
64 bytes from 163.177.151.109 (163.177.151.109): icmp_seq=2 ttl=53 time=57.8 ms

--- www.a.shifen.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1004ms
rtt min/avg/max/mdev = 50.828/54.319/57.810/3.491 ms

# download and set up the pipework script
Download address: https://github.com/jpetazzo/pipework/archive/master.zip
[root@server ~]# wget https://github.com/jpetazzo/pipework/archive/master.zip
[root@server ~]# ll master.zip 
-rw-r--r-- 1 root root 19668 10月 11 22:45 master.zip
[root@server ~]# unzip master.zip
[root@server ~]# ll /root/pipework-master/pipework
-rwxr-xr-x 1 root root 15675 10月 11 22:46 /root/pipework-master/pipework
[root@server ~]# cp /root/pipework-master/pipework /usr/local/bin/    # copied here so it is on the PATH

# pipework syntax: pipework <bridge> <container ID> <static IP for the container>/<prefix length>@<gateway>
# the container's DNS address is the same as the Docker host's, so it need not be specified
# the container was created earlier with --privileged=true
# assign the static IP address to the container
[root@server ~]# pipework br0 daf14e2544b1 192.168.43.11/24@192.168.43.1
[root@server ~]# ping -c 2 192.168.43.11
PING 192.168.43.11 (192.168.43.11) 56(84) bytes of data.
64 bytes from 192.168.43.11: icmp_seq=1 ttl=64 time=2.60 ms
64 bytes from 192.168.43.11: icmp_seq=2 ttl=64 time=0.130 ms

--- 192.168.43.11 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.130/1.366/2.602/1.236 ms

# enter the container and check the IP address
[root@server ~]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
daf14e2544b1        centos:latest       "/bin/bash"         48 minutes ago      Up 48 minutes                           docker1
[root@server ~]# docker exec -it daf14e2544b1 /bin/bash
[root@daf14e2544b1 /]# ifconfig
bash: ifconfig: command not found
[root@daf14e2544b1 /]# yum install net-tools -y
[root@daf14e2544b1 /]# ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.43.11  netmask 255.255.255.0  broadcast 192.168.43.255
        ether 42:b9:53:08:43:cc  txqueuelen 1000  (Ethernet)
        RX packets 4966  bytes 9105161 (8.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3220  bytes 221698 (216.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

# install httpd, set up index.html, start it and add it to boot autostart
[root@daf14e2544b1 /]# yum install httpd -y
[root@daf14e2544b1 /]# vi /etc/httpd/conf/httpd.conf    # set ServerName (line 98 of the file)
ServerName localhost:80
[root@daf14e2544b1 /]# /usr/sbin/httpd 
[root@daf14e2544b1 /]# netstat -antup |grep 80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      136/httpd  
[root@daf14e2544b1 /]# echo "image httpd" >> /var/www/html/index.html
[root@daf14e2544b1 /]# exit
exit

# open the page in a browser to check that it loads;
# Apache inside the container is reachable directly:
http://192.168.43.11/

2. Create a private registry

Configuring a private Docker registry reduces bandwidth use and lets you keep images tailored to your own systems. (Docker Hub is the public registry.)

1. Stop the firewall and disable SELinux
[root@registry ~]# systemctl stop firewalld
[root@registry ~]# systemctl disable firewalld
[root@registry ~]# vim /etc/selinux/config 
SELINUX=disabled
If the server can be rebooted, reboot it; otherwise temporarily set the SELinux policy to Permissive.
[root@registry ~]# getenforce
Enforcing
[root@registry ~]# setenforce 0
[root@registry ~]# getenforce 
Permissive

2. Install the Docker service
# See my other blog post if you are not sure how to install Docker.
# If the following error appears, download and install the dependency separately.
错误:软件包:containerd.io-1.3.7-3.1.el7.x86_64 (docker-ce-stable)
          需要:container-selinux >= 2:2.74
[root@registry ~]# wget http://mirror.centos.org/centos/7/extras/x86_64/Packages/container-selinux-2.119.2-1.911c772.el7_8.noarch.rpm
[root@registry ~]# rpm -ivh container-selinux-2.119.2-1.911c772.el7_8.noarch.rpm 

3. Pull the registry image
Local import: docker load -i registry.tar
Online pull: docker pull registry
[root@registry ~]# docker search registry
NAME                                 DESCRIPTION                                     STARS               OFFICIAL            AUTOMATED
registry                             The Docker Registry 2.0 implementation for s…   3088                [OK]                
[root@registry ~]# docker pull registry

4. Check the registry image
[root@registry ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
registry            latest              2d4f4b5309b1        3 months ago        26.2MB

5. Create a container from the registry image
[root@registry ~]# docker run -itd --name docker1 --restart=always -h registry_server -p 5000:5000 -v /opt/registry:/var/lib/registry registry:latest
f36ffb13f2f20ee7588d0a88a16051331e4499934a049e4690570a2a643ea660
[root@registry ~]# netstat -antup |grep 5000
tcp6       0      0 :::5000                 :::*                    LISTEN      10961/docker-proxy  
[root@registry ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
f36ffb13f2f2        registry:latest     "/entrypoint.sh /etc…"   23 seconds ago      Up 22 seconds       0.0.0.0:5000->5000/tcp   docker1
[root@registry ~]# ls /opt/registry/

6. View the image list of the private registry. Use Chrome; Internet Explorer downloads the JSON file instead of displaying it.
http://192.168.43.76:5000/v2/_catalog
At this point the private Docker registry is configured.

When first opened it lists no repositories, since no image has been stored yet.

7. Configure the Docker server to use the private registry
insecure-registries: registries listed here are reached over plain http, which is normally only used inside a LAN. If images must be transferred securely, https is required (Docker uses https by default).
[root@server ~]# vim /etc/docker/daemon.json
{
  "insecure-registries": ["192.168.43.76:5000"]
}

8. Restart the Docker service
[root@server ~]# systemctl daemon-reload
[root@server ~]# systemctl restart docker

The registry program stores image data under /var/lib/registry inside the container. If 100 images had been stored there and the container were deleted, those 100 images would be deleted with it, which is not what we want. So when creating the container from the registry image, use the -v parameter to map the container's /var/lib/registry directory to a local directory; the stored images then live on the host, and if the container is deleted you only need to create a new one.
The registry program listens on port 5000 by default.
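An insecure-registries entry switches the daemon to plain http for that host, so anyone on the path can read pushed credentials and alter image layers; the entry is only defensible for a LAN address such as 192.168.43.76:5000. The helper below is an added example, not code from the original post or from Docker: it merges an entry into the daemon.json dictionary and refuses hosts outside RFC 1918 / loopback space (the policy, helper names and the sample daemon.json contents are my own).

```python
"""Add a host to "insecure-registries" in /etc/docker/daemon.json while refusing
hosts outside RFC 1918 / loopback space.

Added example, not code from the original post. The daemon.json contents used
in the self-check are constructed; a real run passes /etc/docker/daemon.json.
"""
import ipaddress
import json
from pathlib import Path

# Address ranges where a plaintext registry is tolerable (RFC 1918 plus loopback).
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def split_host_port(entry):
    """Return (host, port) for 'host[:port]'; the port defaults to 5000 (registry default)."""
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit():
        return host.strip("[]"), int(port)
    return entry.strip("[]"), 5000


def is_private_registry(entry):
    """True only when the host is an IPv4 address inside PRIVATE_NETS.

    Plain hostnames cannot be classified without DNS and are rejected, as are
    public and IPv6 addresses: whoever can see that traffic can read or alter
    images, which is only acceptable on a segment the operator controls.
    """
    host, _ = split_host_port(entry)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def merge_insecure_registry(config, entry):
    """Return a copy of the daemon.json dict with `entry` added to insecure-registries.

    Raises ValueError for entries that would disable TLS towards a non-private
    host. Other keys are preserved and duplicates are not added.
    """
    if not is_private_registry(entry):
        raise ValueError(f"refusing to mark non-private registry {entry!r} as insecure")
    updated = dict(config)
    registries = list(updated.get("insecure-registries", []))
    if entry not in registries:
        registries.append(entry)
    updated["insecure-registries"] = registries
    return updated


def update_daemon_json(path, entry):
    """Read, update and rewrite daemon.json at `path`; returns the resulting dict."""
    path = Path(path)
    text = path.read_text() if path.exists() else ""
    config = json.loads(text) if text.strip() else {}
    updated = merge_insecure_registry(config, entry)
    path.write_text(json.dumps(updated, indent=2) + "\n")
    return updated


if __name__ == "__main__":
    # Constructed starting content with one unrelated key that must survive the merge.
    sample = {"log-driver": "json-file"}
    print(json.dumps(merge_insecure_registry(sample, "192.168.43.76:5000"), indent=2))
    try:
        merge_insecure_registry(sample, "203.0.113.10:5000")  # public (TEST-NET-3) address
    except ValueError as err:
        print("rejected:", err)
```

Run update_daemon_json("/etc/docker/daemon.json", "192.168.43.76:5000") as root and then restart the daemon as in step 8; the function rewrites the file with valid JSON, which also avoids the stray blank lines shown in the hand-edited version.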

Test push, pull, rmi, run and other operations:

# search for and pull the busybox image
[root@server ~]# docker search busybox
[root@server ~]# docker pull busybox

# tag the image; once tagged with the registry address it can be pushed to the private registry
[root@server ~]# docker images
busybox             latest              6858809bf669        4 weeks ago         1.23MB
[root@server ~]# docker tag busybox:latest 192.168.43.76:5000/busybox:latest
[root@server ~]# docker images
REPOSITORY                   TAG                 IMAGE ID            CREATED             SIZE
192.168.43.76:5000/busybox   latest              6858809bf669        4 weeks ago         1.23MB
busybox                      latest              6858809bf669        4 weeks ago         1.23MB

# push the image to the private registry
[root@server ~]# docker push 192.168.43.76:5000/busybox:latest
The push refers to repository [192.168.43.76:5000/busybox]
be8b8b42328a: Pushed 
latest: digest: sha256:2ca5e69e244d2da7368f7088ea3ad0653c3ce7aaccd0b8823d11b0d5de956002 size: 527

The image now shows up in the private registry's catalog.
Pull the image from the private registry and create a container:

[root@server ~]# docker rmi 192.168.43.76:5000/busybox:latest 
Untagged: 192.168.43.76:5000/busybox:latest
Untagged: 192.168.43.76:5000/busybox@sha256:2ca5e69e244d2da7368f7088ea3ad0653c3ce7aaccd0b8823d11b0d5de956002
[root@server ~]# docker pull 192.168.43.76:5000/busybox:latest
latest: Pulling from busybox
Digest: sha256:2ca5e69e244d2da7368f7088ea3ad0653c3ce7aaccd0b8823d11b0d5de956002
Status: Downloaded newer image for 192.168.43.76:5000/busybox:latest
192.168.43.76:5000/busybox:latest
[root@server ~]# docker images
192.168.43.76:5000/busybox   latest              6858809bf669        4 weeks ago         1.23MB
[root@server ~]# docker run -it 192.168.43.76:5000/busybox:latest echo "haha"
haha
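Listing repositories and their tags through the registry's v2 API is the same check as opening http://192.168.43.76:5000/v2/_catalog in a browser. The block below is an added example, not code from the original post: it queries /v2/_catalog and /v2/<name>/tags/list and, so that it runs offline, starts a stand-in registry on 127.0.0.1 serving a constructed catalog; point list_images() at http://192.168.43.76:5000 to query the real one. A bare registry container answers these requests without any credentials, so anyone who can reach port 5000 can enumerate and pull every image; that is one of the gaps Harbor's project permissions in section 3 close.

```python
"""Query a Docker registry's v2 API for the repository catalog and each repo's tags.

Added example, not code from the original post. FakeRegistry and its catalog
are constructed stand-ins so the code runs offline; list_images() works
unchanged against a real registry base URL.
"""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed catalog, mirroring the state after pushing busybox and a centos image.
FAKE_CATALOG = {"busybox": ["latest"], "centos": ["7", "latest"]}


class FakeRegistry(BaseHTTPRequestHandler):
    """Serves only the two read-only endpoints used below; everything else is 404."""

    def do_GET(self):
        if self.path == "/v2/_catalog":
            body = {"repositories": sorted(FAKE_CATALOG)}
        elif self.path.startswith("/v2/") and self.path.endswith("/tags/list"):
            name = self.path[len("/v2/"):-len("/tags/list")]
            if name not in FAKE_CATALOG:
                self.send_error(404)
                return
            body = {"name": name, "tags": FAKE_CATALOG[name]}
        else:
            self.send_error(404)
            return
        data = json.dumps(body).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the stand-in quiet


def start_fake_registry():
    """Start the stand-in on an ephemeral port; returns (base_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), FakeRegistry)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server


def get_json(url, timeout=5):
    """GET a JSON document from the registry API."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def list_images(base_url):
    """Return {repository: [tags]} for every repository the registry lists."""
    catalog = get_json(f"{base_url}/v2/_catalog")["repositories"]
    return {name: get_json(f"{base_url}/v2/{name}/tags/list")["tags"] for name in catalog}


def list_images_offline():
    """Run list_images() against the stand-in registry and shut it down afterwards."""
    base_url, server = start_fake_registry()
    try:
        return list_images(base_url)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for repo, tags in list_images_offline().items():
        print(f"{repo}: {', '.join(tags)}")
```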

3. Create a Harbor private registry

The Harbor project is an enterprise-grade Docker registry manager open-sourced by VMware. It provides access control, LDAP integration, audit logs, a management UI, self-registration, image replication and Chinese-language support.

docker-compose is an official Docker open-source project for quickly orchestrating groups of Docker containers. Its configuration file is docker-compose.yml, which must be present in the directory docker-compose is run from; it can manage multiple container instances.
Project address: https://github.com/goharbor/harbor

# the following is installed inside the py3 virtual environment
1. Install the Docker service (as above)
[root@registry ~]# source /root/py3/bin/activate
(py3) [root@registry ~]# python -V
Python 3.9.0a1
(py3) [root@registry ~]# docker --version
Docker version 19.03.13, build 4484c46d9d

2. Install docker-compose
# If downloading python-pip is slow, see my blog for a workaround.
(py3) [root@registry ~]# yum install epel-release -y
(py3) [root@registry ~]# yum install python-pip -y
(py3) [root@registry ~]# pip install --upgrade pip       # the first upgrade attempt failed; retry a few times if needed
(py3) [root@registry ~]# pip --version
pip 20.2.3 from /root/py3/lib/python3.9/site-packages/pip (python 3.9)
# If installing docker-compose fails, see my blog or leave a comment.
(py3) [root@registry ~]# pip install -U -i https://pypi.tuna.tsinghua.edu.cn/simple docker-compose
(py3) [root@registry ~]# docker-compose -version
docker-compose version 1.27.4, build unknown

3. Download the Harbor private registry
Release page: https://github.com/goharbor/harbor/releases
Download address: https://github.com/goharbor/harbor/releases/download/v2.1.0/harbor-offline-installer-v2.1.0.tgz


4. Upload the Harbor offline package to the server, then configure and install Harbor
(py3) [root@registry ~]# ll harbor-offline-installer-v2.1.0.tgz 
-rw-r--r-- 1 root root 556130191 10月 14 21:12 harbor-offline-installer-v2.1.0.tgz
(py3) [root@registry ~]# tar xzf harbor-offline-installer-v2.1.0.tgz -C /opt
(py3) [root@registry ~]# cd /opt/harbor/
(py3) [root@registry harbor]# ll
总用量 545264
-rw-r--r-- 1 root root      3361 9月  16 10:48 common.sh
-rw-r--r-- 1 root root 558317240 9月  16 10:49 harbor.v2.1.0.tar.gz
-rw-r--r-- 1 root root      8136 9月  16 10:48 harbor.yml.tmpl
-rwxr-xr-x 1 root root      2523 9月  16 10:48 install.sh
-rw-r--r-- 1 root root     11347 9月  16 10:48 LICENSE
-rwxr-xr-x 1 root root      1881 9月  16 10:48 prepare
# make a copy of harbor.yml and edit it
(py3) [root@registry harbor]# cp harbor.yml.tmpl harbor.yml
(py3) [root@registry harbor]# vim harbor.yml
  5 hostname: 192.168.43.76           # address used to reach Harbor
  8 http:
  9   # port for http, default is 80. If https enabled, this port will redirect to     https port
 10   port: 80
 11 
 12 # https related config
 13 # https:       # nginx has not been given a certificate for https here, so http is used directly and the https settings are commented out
 14   # https port for harbor, default is 443
 15   # port: 443
 16   # The path of cert and key files for nginx
 17   # certificate: /your/certificate/path
 18   # private_key: /your/private/key/path
 34 harbor_admin_password: 123456      # password for the Harbor admin to log in to the UI, changed to 123456 here
 39   password: root123

# prepare and install Harbor
(py3) [root@registry ~]# cd /opt/harbor/
(py3) [root@registry harbor]# ./prepare 
(py3) [root@registry harbor]# ./install.sh

At this point the Harbor private registry is installed.
The images Harbor depends on and the containers it runs are now present on the host.
Open the URL http://192.168.43.76/harbor/sign-in in a browser.
The default account and password are admin/123456.
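The harbor.yml edits above leave two things a reviewer would flag: the https block stays commented out, so UI logins and docker login credentials cross the LAN in clear text, and both the admin password (123456) and the database password (root123) are well-known values. The block below is an added example, not code from the original post or from the Harbor project: a small audit that parses the block-mapping subset of YAML harbor.yml uses (so PyYAML is not needed) and reports those findings. The two configuration texts are constructed; the first reproduces this page's values, with password: root123 assumed to sit under the template's database: section, and the password policy (well-known list, minimum length) is my own.

```python
"""Audit the harbor.yml settings edited above: https configured? admin and
database passwords not well-known or short?

Added example, not code from the original post or the Harbor project. The
YAML parser handles only the nested 'key: value' block mappings harbor.yml
uses; both sample configurations are constructed.
"""

# Values shipped in templates or so common they must not survive into production.
WELL_KNOWN_PASSWORDS = {"123456", "Harbor12345", "root123", "password", "admin"}
MIN_PASSWORD_LENGTH = 12  # example policy for this check, not a Harbor requirement

# Constructed: the values chosen on this page (https commented out, weak passwords).
SAMPLE_PAGE_CONFIG = """\
hostname: 192.168.43.76
http:
  port: 80
# https:
#   port: 443
#   certificate: /your/certificate/path
#   private_key: /your/private/key/path
harbor_admin_password: 123456
database:
  password: root123
"""

# Constructed: the same keys with https enabled and generated passwords.
SAMPLE_HARDENED_CONFIG = """\
hostname: harbor.lan.invalid
https:
  port: 443
  certificate: /etc/harbor/certs/harbor.crt
  private_key: /etc/harbor/certs/harbor.key
harbor_admin_password: xK9-vb2Qw7mL4pZ8
database:
  password: uR3-ha7Tq2cN5yW9
"""


def parse_yaml_subset(text):
    """Parse nested 'key: value' block mappings by indentation.

    Comments are stripped at the first '#', scalars stay strings; lists,
    anchors, quoted strings containing '#' and multi-line scalars are not
    supported, which is enough for the keys audited here.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def weak_password(value):
    """True for well-known template values or anything shorter than the policy minimum."""
    return value in WELL_KNOWN_PASSWORDS or len(value) < MIN_PASSWORD_LENGTH


def audit_harbor_config(cfg):
    """Return a list of findings; an empty list means the checked settings look sane."""
    findings = []
    https = cfg.get("https")
    if not isinstance(https, dict):
        findings.append("https is not configured: UI logins and docker login credentials go over plain http")
    else:
        for key in ("certificate", "private_key"):
            path = https.get(key, "")
            if not path or path.startswith("/your/"):
                findings.append(f"https.{key} is missing or still the template placeholder")
    if weak_password(cfg.get("harbor_admin_password", "")):
        findings.append(f"harbor_admin_password is well-known or shorter than {MIN_PASSWORD_LENGTH} characters")
    database = cfg.get("database")
    db_password = database.get("password", "") if isinstance(database, dict) else ""
    if weak_password(db_password):
        findings.append(f"database.password is well-known or shorter than {MIN_PASSWORD_LENGTH} characters")
    return findings


if __name__ == "__main__":
    for label, text in (("page config", SAMPLE_PAGE_CONFIG), ("hardened config", SAMPLE_HARDENED_CONFIG)):
        print(label + ":")
        for finding in audit_harbor_config(parse_yaml_subset(text)) or ["no findings"]:
            print("  -", finding)
```

Run it against the real file with audit_harbor_config(parse_yaml_subset(open("/opt/harbor/harbor.yml").read())) before ./prepare; fixing the findings there is far cheaper than after the database has been initialised with the weak password.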

5. Configure the Docker server to use the Harbor private registry
[root@server ~]# vim /etc/docker/daemon.json
{
  "insecure-registries": ["192.168.43.76"]
}
[root@server ~]# systemctl daemon-reload && systemctl restart docker
# If the Docker server and the Harbor registry are on the same host, restarting Docker stops the Harbor containers, so Harbor must be restarted as well (stop and then start the containers Harbor depends on).
[root@registry ~]# source /root/py3/bin/activate
(py3) [root@registry ~]# cd /opt/harbor/
(py3) [root@registry harbor]# docker-compose stop
Stopping harbor-jobservice ... done
Stopping nginx             ... done
Stopping harbor-core       ... done
Stopping harbor-db         ... done
Stopping registryctl       ... done
Stopping redis             ... done
Stopping registry          ... done
Stopping harbor-portal     ... done
Stopping harbor-log        ... done
(py3) [root@registry harbor]# docker-compose start
Starting log         ... done
Starting registry    ... done
Starting registryctl ... done
Starting postgresql  ... done
Starting portal      ... done
Starting redis       ... done
Starting core        ... done
Starting jobservice  ... done
Starting proxy       ... done

Create a project (named test here) in the Harbor UI.

Log in to the private registry with docker login, then tag and push the image:

[root@server ~]# docker tag centos:latest 192.168.43.76/test/centos:latest
[root@server ~]# docker push 192.168.43.76/test/centos:latest
The push refers to repository [192.168.43.76/test/centos]
291f6e44771a: Pushed 
latest: digest: sha256:fc4a234b91cc4b542bac8a6ad23b2ddcee60ae68fc4dbd4a52efb5f1b0baad71 size: 529

Download the image from the private registry:

[root@server ~]# docker rmi 192.168.43.76/test/centos:latest
Untagged: 192.168.43.76/test/centos:latest
Untagged: 192.168.43.76/test/centos@sha256:fc4a234b91cc4b542bac8a6ad23b2ddcee60ae68fc4dbd4a52efb5f1b0baad71
[root@server ~]# docker pull 192.168.43.76/test/centos:latest
latest: Pulling from test/centos
Digest: sha256:fc4a234b91cc4b542bac8a6ad23b2ddcee60ae68fc4dbd4a52efb5f1b0baad71
Status: Downloaded newer image for 192.168.43.76/test/centos:latest
192.168.43.76/test/centos:latest
[root@server ~]# docker images 192.168.43.76/test/centos
REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE
192.168.43.76/test/centos   latest              0d120b6ccaa8        2 months ago        215MB

In the Harbor UI the pull count of the image has become 1.
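Both push outputs above (latest: digest: sha256:... from the plain registry and from Harbor) print the manifest digest. A tag such as :latest can be re-pointed by anyone allowed to push, whereas name@sha256:<hex> always resolves to the same content, which is why deployments should pin by digest and verify it. The block below is an added example, not code from the original post or from Docker: it builds a pinned reference from a tag reference, recomputes the digest over constructed manifest bytes and verifies it. The digest rule (SHA-256 over the manifest bytes as served, prefixed sha256:) is the registry's; the helper names are mine.

```python
"""Pin an image reference to its manifest digest instead of a mutable tag.

Added example, not code from the original post. The manifest used below is
constructed; in practice the bytes come from the registry's manifest endpoint
and the expected digest from the push/pull output or a lock file.
"""
import hashlib
import hmac


def manifest_digest(manifest_bytes):
    """Digest in the form the docker CLI prints: 'sha256:' + hex of the raw manifest bytes."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def pin_reference(reference, manifest_bytes):
    """Turn 'host/name', 'host/name:tag' or an already pinned ref into 'host/name@sha256:...'."""
    repo = reference.rsplit("@", 1)[0]
    # Drop a trailing ':tag' but keep a ':port' that belongs to the host part.
    head, sep, tail = repo.rpartition(":")
    if sep and "/" not in tail:
        repo = head
    return f"{repo}@{manifest_digest(manifest_bytes)}"


def parse_reference(reference):
    """Split a reference into (repository-with-optional-tag, digest-or-None)."""
    if "@" not in reference:
        return reference, None
    repo, digest = reference.rsplit("@", 1)
    algo, _, hexpart = digest.partition(":")
    if algo != "sha256" or len(hexpart) != 64 or any(c not in "0123456789abcdef" for c in hexpart):
        raise ValueError(f"malformed digest in {reference!r}")
    return repo, digest


def verify_manifest(reference, manifest_bytes):
    """True if the manifest matches the digest pinned in `reference`.

    Returns False on mismatch (replaced or tampered content) and raises
    ValueError when the reference carries no digest, so a tag-only reference
    can never pass as verified by accident.
    """
    _, digest = parse_reference(reference)
    if digest is None:
        raise ValueError(f"{reference!r} is a tag reference; nothing to verify against")
    return hmac.compare_digest(digest, manifest_digest(manifest_bytes))


if __name__ == "__main__":
    # Constructed manifest body; a real one is fetched with Accept: application/vnd.docker.distribution.manifest.v2+json
    manifest = b'{"schemaVersion": 2, "mediaType": "application/vnd.docker.distribution.manifest.v2+json"}'
    pinned = pin_reference("192.168.43.76:5000/busybox:latest", manifest)
    print("pull by digest:", pinned)
    print("matches:", verify_manifest(pinned, manifest))
    print("tampered:", verify_manifest(pinned, manifest + b"\n"))
```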

4. Use the Alibaba Cloud private registry

1. Log in to the Alibaba Cloud developer service platform, which offers a container registry service:
   https://developer.aliyun.com/service
   Registration is required. After registering, log in and set the registry login password.
2. Create a namespace and configure access credentials.
3. Create an image repository. Click the repository name to find a guide section describing how to log in to the registry, pull images and push images.

This concludes the Docker private registry material; it will be studied further later if needed.

Origin blog.csdn.net/weixin_36522099/article/details/109007674