Geek Time (極客時間) Ops Advanced Training Camp, Week 1 Homework: Container Technology (1)

1. Summarize what each Namespace does

namespace: a kernel facility that wraps one class of global system resources so that processes inside the namespace see their own isolated instance of it; combining the different namespace types is what gives a container its resource isolation.
The main isolation types:
MNT Namespace (mount): isolates mount points and the filesystem view
IPC Namespace (Inter-Process Communication): isolates inter-process communication objects
UTS Namespace (UNIX Timesharing System): isolates the hostname
PID Namespace: isolates process IDs
Net Namespace: isolates the network stack
User Namespace: isolates user and group IDs
Time Namespace: isolates the system clocks
Syslog Namespace: isolates syslog
Control group (cgroup) Namespace: isolates the view of which control group a process belongs to
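The namespace identities above can be read straight from /proc, which is the quickest way to check whether a container really has its own namespaces or was started sharing the host's. The following shell functions are an added example and not part of the original homework; they assume a Linux /proc, and reading another process's /proc/PID/ns links requires the same privilege as ptrace-ing it (root for a container's init PID).

```shell
#!/bin/sh
# Added example, not part of the original post: read a process's namespace
# identities from /proc and test whether two processes share a namespace.
# Assumes a Linux /proc; reading another process's /proc/PID/ns links needs
# the same privileges as ptrace-ing it (root for a container's init PID).

NS_TYPES="mnt ipc uts pid net user cgroup time"

# ns_id PID TYPE -> prints the identity, e.g. "net:[4026531840]"; prints
# nothing if the type is unsupported by the kernel or not readable.
ns_id() {
  readlink "/proc/$1/ns/$2" 2>/dev/null
}

# shares_ns PID1 PID2 TYPE -> 0 if both processes are in the same namespace,
# 1 if they differ or either side cannot be read.
shares_ns() {
  a=$(ns_id "$1" "$3") || return 1
  b=$(ns_id "$2" "$3") || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# shared_with_host PID -> prints, space separated, the namespace types PID
# shares with PID 1. For a container's init process, "net" here means it was
# started with --net=host, "pid" with --pid=host, etc.: that boundary is absent.
shared_with_host() {
  out=""
  for t in $NS_TYPES; do
    shares_ns 1 "$1" "$t" && out="$out$t "
  done
  printf '%s\n' "${out% }"
}

# Stand-alone demo on the shell itself: it trivially shares everything with
# itself and, when run as root outside a container, with PID 1.
main() {
  echo "this shell: $(ns_id $$ uts) $(ns_id $$ net)"
  echo "shared with PID 1: $(shared_with_host $$)"
}
main
```

To check a running container, take its init PID with `docker inspect --format '{{.State.Pid}}' web1` and run `shared_with_host "$pid"` as root; an empty result means the container has its own instance of every namespace type the kernel supports.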

2. Install a specified Docker version with apt/yum/binary packages
2.1 apt install
apt-get update
apt-get -y install apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
add-apt-repository "deb [arch=amd64] https://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
apt-get -y update
apt-cache madison docker-ce
apt-cache madison docker-ce-cli

apt-get install -y docker-ce=5:20.10.17~3-0~ubuntu-jammy docker-ce-cli=5:20.10.17~3-0~ubuntu-jammy
tee -a /etc/docker/daemon.json  << "EOF"
{
  "graph": "/var/lib/docker",
  "storage-driver": "overlay2",
  "insecure-registries": ["harbor.magedu.com", "harbor.myserver.com", "172.31.7.105"],
  "registry-mirrors": ["https://9916w1ow.mirror.aliyuncs.com"],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "live-restore": false,
  "log-opts": {
    "max-file": "5",
    "max-size": "100m"
    }
}
EOF
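The daemon.json above (and the identical one written again in the binary-install section) is appended with `tee -a`, so running the script twice leaves two JSON objects in the file and dockerd will refuse to start; it also lists insecure-registries, which disables TLS verification for those hosts. The script below is an added example, not part of the original homework: it writes the file atomically, validates it, and reports the settings that weaken the daemon. It assumes POSIX sh, grep and mktemp, and uses python3 for JSON validation when present (falling back to a crude brace/bracket balance check).

```shell
#!/bin/sh
# Added example, not part of the original post: install /etc/docker/daemon.json
# atomically instead of appending with `tee -a`, validate it, and flag settings
# that weaken the daemon. Assumes POSIX sh, grep, mktemp; python3 is used for
# JSON validation when present, otherwise a crude brace/bracket balance check.

# Constructed sample mirroring the post's daemon.json (not a real deployment).
SAMPLE_DAEMON_JSON='{
  "graph": "/var/lib/docker",
  "storage-driver": "overlay2",
  "insecure-registries": ["harbor.magedu.com", "172.31.7.105"],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-opts": { "max-file": "5", "max-size": "100m" }
}'

# count_chars CHAR FILE -> number of occurrences of CHAR in FILE
count_chars() { tr -cd "$1" <"$2" | wc -c | tr -d ' '; }

# json_valid FILE -> 0 if FILE parses as JSON
json_valid() {
  if command -v python3 >/dev/null 2>&1; then
    python3 -m json.tool "$1" >/dev/null 2>&1
  else
    [ "$(count_chars '{' "$1")" -eq "$(count_chars '}' "$1")" ] &&
      [ "$(count_chars '[' "$1")" -eq "$(count_chars ']' "$1")" ]
  fi
}

# audit_daemon_json FILE -> prints one finding per line, returns the count
audit_daemon_json() {
  n=0
  # A non-empty insecure-registries list lets the daemon pull over plain HTTP
  # or with TLS verification off for those hosts, so images can be swapped in transit.
  if grep -Eq '"insecure-registries"[[:space:]]*:[[:space:]]*\[[^]]*"[^"]+"' "$1"; then
    echo "insecure-registries is non-empty: pulls from the listed hosts skip TLS verification"
    n=$((n+1))
  fi
  # A tcp:// listener without tlsverify exposes root-equivalent API access to the network.
  if grep -Eq '"hosts"[[:space:]]*:[^]]*"tcp://' "$1" &&
     ! grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true' "$1"; then
    echo "hosts has a tcp:// listener but tlsverify is not true"
    n=$((n+1))
  fi
  # "graph" is the deprecated name for "data-root" (removed in Docker 23.0).
  if grep -Eq '"graph"[[:space:]]*:' "$1"; then
    echo "\"graph\" is deprecated; use \"data-root\""
    n=$((n+1))
  fi
  return $n
}

# install_daemon_json CONTENT DEST -> writes DEST atomically; refuses invalid JSON.
# Re-running it replaces the file, whereas `tee -a` would append a second
# object and leave dockerd unable to start.
install_daemon_json() {
  dest=$2
  tmp=$(mktemp "${dest}.XXXXXX") || return 1
  printf '%s\n' "$1" >"$tmp"
  if ! json_valid "$tmp"; then
    rm -f "$tmp"
    echo "refusing to install $dest: not valid JSON" >&2
    return 1
  fi
  chmod 0644 "$tmp" && mv "$tmp" "$dest"
}
```

Usage on a host: `install_daemon_json "$SAMPLE_DAEMON_JSON" /etc/docker/daemon.json && audit_daemon_json /etc/docker/daemon.json`, then `systemctl restart docker`. The audit is a grep-level check, deliberately dependency-free; it reports the three settings named in the comments and nothing else.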
systemctl daemon-reload
systemctl start docker && systemctl enable docker

systemctl restart docker

2.2 Binary install

PACKAGE_NAME="docker-20.10.19.tgz"
cd /usr/local/src/
curl -O https://download.docker.com/linux/static/stable/x86_64/${PACKAGE_NAME} &&\
tar xzf ${PACKAGE_NAME}
\cp /usr/local/src/docker/*  /usr/bin

tee -a /etc/security/limits.conf << "EOF"
*             soft    core            unlimited
*             hard    core            unlimited
*             soft    nproc           1000000
*             hard    nproc           1000000
*             soft    nofile          1000000
*             hard    nofile          1000000
*             soft    memlock         32000
*             hard    memlock         32000
*             soft    msgqueue        8192000
*             hard    msgqueue        8192000
EOF

tee -a /etc/sysctl.conf << "EOF"

# add by docker_installer
net.ipv4.ip_forward=1
vm.max_map_count=262144
kernel.pid_max=4194303
fs.file-max=1000000
net.ipv4.tcp_max_tw_buckets=6000
net.netfilter.nf_conntrack_max=2097152

net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness=0
EOF
sysctl -p

if [[ ! -d /etc/docker ]]; then
  mkdir /etc/docker
fi

tee -a /etc/docker/daemon.json  << "EOF"
{
  "graph": "/var/lib/docker",
  "storage-driver": "overlay2",
  "insecure-registries": ["harbor.magedu.com","harbor.myserver.com","172.31.7.105"],
  "registry-mirrors": ["https://9916w1ow.mirror.aliyuncs.com"],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "live-restore": false,
  "log-opts": {
      "max-file": "5",
      "max-size": "100m"
  }
}
EOF

tee -a /lib/systemd/system/containerd.service << "EOF"
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target

[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/bin/containerd

Type=notify
Delegate=yes
KillMode=process
Restart=always
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=1048576
# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity

[Install]
WantedBy=multi-user.target

EOF

tee -a /lib/systemd/system/docker.service << "EOF"
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
BindsTo=containerd.service
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3

# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity

# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity

# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes

# kill only the docker process, not all processes in the cgroup
KillMode=process

[Install]
WantedBy=multi-user.target

EOF

tee -a /lib/systemd/system/docker.socket << "EOF"
[Unit]
Description=Docker Socket for the API
PartOf=docker.service

[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker

[Install]
WantedBy=sockets.target

EOF

systemctl daemon-reload

groupadd docker && useradd docker -r -m -s /sbin/nologin -g docker
usermod docker -G docker

systemctl  enable containerd.service && systemctl  restart containerd.service
systemctl  enable docker.service && systemctl  restart docker.service
systemctl  enable docker.socket && systemctl  restart docker.socket


3. Use Docker data volumes proficiently

## Multiple containers mount the same host directory to share it
mkdir -p /data/testapp
echo "testaaaa web page" > /data/testapp/index.html
####### read-write mount
docker run -d --name=web1 -v /data/testapp/:/usr/share/nginx/html/testapp -p 80:80 nginx:1.20.2
###### read-only mount
docker run -d --name=web2 -v /data/testapp/:/usr/share/nginx/html/testapp:ro -p 81:80 nginx:1.20.2

4. Use Docker bridge and container network modes proficiently

## Create containers with a specified network mode
docker run -it -d --name=my_srv01 centos:7 bash
docker run -it -d --name=my_srv02 centos:7 bash
docker run -d -p 80:80 --net=bridge nginx:1.23.1-alpine
docker run -d --net=host nginx:1.23.1-alpine
docker run -it --net=none nginx:1.23.1-alpine sh
docker network create -d bridge my-net4
docker network list
docker run -d --name=my_test1 --network my-net4 nginx:1.20.2
docker run -d --name=my_test2 --network my-net4 nginx:1.20.2
docker run -it -d --name=my_test3 --network my-net4 centos:7.9.2009 bash
docker run -it -d --name=my_test4 --network my-net4 ubuntu:20.04 bash
docker run -it -d --name=my_test5 --network my-net4 centos:7 bash

## Container network mode
docker run -d --name nginx-container -p 80:80 --net=bridge nginx:1.22.0-alpine
docker run -d --name php-container --net=container:nginx-container php:7.4.30-fpm-alpine
docker run -d --name tomcat-container --net=container:nginx-container tomcat
docker run -d --name mysql-container --net=container:nginx-container -e MYSQL_ROOT_PASSWORD="Root@1234" mysql:5.6.48
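Sections 3 and 4 between them show every option that quietly removes an isolation boundary: a bind mount without `:ro` is writable from the container, `--net=host` drops network isolation entirely, `--net=container:` shares localhost and every port with another container, and `-e MYSQL_ROOT_PASSWORD=...` leaves the secret in shell history and `docker inspect`. The script below is an added example, not part of the original homework: a pre-flight audit that parses `docker run` arguments and reports those settings before the container is started. It assumes POSIX sh only; the list of sensitive host paths is an assumption chosen for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-flight audit of the
# arguments you are about to pass to `docker run`. It flags host/container-joined
# networking, other host namespaces, --privileged, writable bind mounts of
# sensitive host paths, and secrets passed with -e.
# POSIX sh only; the sensitive-path list is an assumption chosen for the demo.

SENSITIVE_HOST_PATHS="/ /etc /root /proc /sys /var/run/docker.sock /run/docker.sock"

# bind_mount_mode SPEC -> prints "ro" or "rw" for a SRC:DST[:OPTS] volume spec
bind_mount_mode() {
  case $1 in *:*:*) opts=${1##*:} ;; *) opts= ;; esac
  case ",$opts," in *,ro,*) echo ro ;; *) echo rw ;; esac
}

# is_sensitive_host_path PATH -> 0 if PATH (without trailing slash) is listed
is_sensitive_host_path() {
  p=${1%/}; [ -n "$p" ] || p=/
  for s in $SENSITIVE_HOST_PATHS; do
    [ "$p" = "$s" ] && return 0
  done
  return 1
}

# audit_volume_spec SPEC -> 0 if harmless; prints a finding and returns 1 for a
# writable bind mount of a sensitive host path (named volumes are never flagged)
audit_volume_spec() {
  src=${1%%:*}
  case $src in /*) ;; *) return 0 ;; esac
  [ "$(bind_mount_mode "$1")" = rw ] || return 0
  is_sensitive_host_path "$src" || return 0
  echo "writable bind mount of sensitive host path $src: host files or daemon socket are writable from inside"
  return 1
}

# audit_env_kv KEY=VALUE -> 0 if harmless; prints a finding and returns 1 when
# the name looks like a secret (-e values are visible in docker inspect,
# shell history and the process list of whoever ran the command)
audit_env_kv() {
  case ${1%%=*} in
    *PASSWORD*|*PASSWD*|*SECRET*|*TOKEN*|*API_KEY*)
      echo "secret passed on the command line via -e: ${1%%=*}"; return 1 ;;
  esac
  return 0
}

# audit_run_args ARGS... -> prints one finding per line, returns the count
audit_run_args() {
  n=0
  while [ $# -gt 0 ]; do
    arg=$1; shift
    case $arg in
      --net|--network|-v|--volume|-e|--env)
        # two-token form: fold the value into the one-token form and re-check
        if [ $# -gt 0 ]; then val=$1; shift; set -- "$arg=$val" "$@"; fi ;;
      --net=host|--network=host)
        echo "host networking: shares the host's network namespace, no port isolation"; n=$((n+1)) ;;
      --net=container:*|--network=container:*)
        echo "joins the network namespace of container ${arg#*container:}: localhost and all ports are shared"; n=$((n+1)) ;;
      --pid=host|--ipc=host|--uts=host|--userns=host)
        t=${arg#--}; echo "shares the host's ${t%=host} namespace"; n=$((n+1)) ;;
      --privileged)
        echo "privileged: all capabilities and host devices, most isolation disabled"; n=$((n+1)) ;;
      -v=*|--volume=*) audit_volume_spec "${arg#*=}" || n=$((n+1)) ;;
      -e=*|--env=*) audit_env_kv "${arg#*=}" || n=$((n+1)) ;;
      *) ;;
    esac
  done
  return $n
}

# Stand-alone demo over three command lines taken from this homework.
main() {
  for cmd in "-d --net=host nginx:1.23.1-alpine" \
             "-d --name=web2 -v /data/testapp/:/usr/share/nginx/html/testapp:ro -p 81:80 nginx:1.20.2" \
             "-d --name mysql-container --net=container:nginx-container -e MYSQL_ROOT_PASSWORD=Root@1234 mysql:5.6.48"; do
    echo "docker run $cmd"
    # word splitting of the sample line is intentional here
    if audit_run_args $cmd; then echo "  no findings"; fi
  done
}
main
```

Wrap it as `audit_run_args "$@" || echo "$? finding(s), review before starting"` in front of a real `docker run` in CI or a deploy script; the read-only web2 mount and a named volume produce no findings, while the mysql line from the container-mode section yields two (the joined network namespace and the password on the command line).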

########### end #####################
