极客时间运维进阶训练营第二周作业
- 2022-10-28 美国
本文字数:8648 字
阅读完需:约 28 分钟
Nginx Dockerfile
Dockerfile
FROM alpine:3.16
LABEL maintainer="Tony"
ENV NGINX_VERSION 1.22.1
ENV PKG_RELEASE 1
RUN set -x \
# create nginx user/group first, to be consistent throughout docker variants
&& addgroup -g 101 -S nginx \
&& adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \
&& apkArch="$(cat /etc/apk/arch)" \
&& nginxPackages=" \
nginx=${NGINX_VERSION}-r${PKG_RELEASE} \
" \
# install prerequisites for public key and pkg-oss checks
&& apk add --no-cache --virtual .checksum-deps \
openssl \
&& case "$apkArch" in \
x86_64|aarch64) \
# arches officially built by upstream
set -x \
&& KEY_SHA512="e7fa8303923d9b95db37a77ad46c68fd4755ff935d0a534d26eba83de193c76166c68bfe7f65471bf8881004ef4aa6df3e34689c305662750c0172fca5d8552a *stdin" \
&& wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
&& if [ "$(openssl rsa -pubin -in /tmp/nginx_signing.rsa.pub -text -noout | openssl sha512 -r)" = "$KEY_SHA512" ]; then \
echo "key verification succeeded!"; \
mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \
else \
echo "key verification failed!"; \
exit 1; \
fi \
&& apk add -X "https://nginx.org/packages/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
;; \
*) \
# we're on an architecture upstream doesn't officially build for
# let's build binaries from the published packaging sources
set -x \
&& tempDir="$(mktemp -d)" \
&& chown nobody:nobody $tempDir \
&& apk add --no-cache --virtual .build-deps \
gcc \
libc-dev \
make \
openssl-dev \
pcre2-dev \
zlib-dev \
linux-headers \
bash \
alpine-sdk \
findutils \
&& su nobody -s /bin/sh -c " \
export HOME=${tempDir} \
&& cd ${tempDir} \
&& curl -f -O https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
&& PKGOSSCHECKSUM=\"7266f418dcc9d89a2990f504d99ec58d10febbaf078c03630d42843955cee7e50b0f90fb317360384a32473839dc42d8b329b737015ec8dd0d028f90d4d5ed25 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
&& if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
echo \"pkg-oss tarball checksum verification succeeded!\"; \
else \
echo \"pkg-oss tarball checksum verification failed!\"; \
exit 1; \
fi \
&& tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
&& cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
&& cd alpine \
&& make base \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
&& apk del .build-deps \
&& apk add -X ${tempDir}/packages/alpine/ --no-cache $nginxPackages \
;; \
esac \
# remove checksum deps
&& apk del .checksum-deps \
# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
&& if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \
&& if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
&& if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \
# Bring in gettext so we can get `envsubst`, then throw
# the rest away. To do this, we need to install `gettext`
# then move `envsubst` out of the way so `gettext` can
# be deleted completely, then move `envsubst` back.
&& apk add --no-cache --virtual .gettext gettext \
&& mv /usr/bin/envsubst /tmp/ \
\
&& runDeps="$( \
scanelf --needed --nobanner /tmp/envsubst \
| awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \
| sort -u \
| xargs -r apk info --installed \
| sort -u \
)" \
&& apk add --no-cache $runDeps \
&& apk del .gettext \
&& mv /tmp/envsubst /usr/local/bin/ \
# Bring in tzdata so users could set the timezones through the environment
# variables
&& apk add --no-cache tzdata \
# forward request and error logs to docker log collector
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log \
# create a docker-entrypoint.d directory
&& mkdir /docker-entrypoint.d
COPY docker-entrypoint.sh /
ENTRYPOINT ["/docker-entrypoint.sh"]
EXPOSE 80
STOPSIGNAL SIGQUIT
CMD ["nginx", "-g", "daemon off;"]
docker-entrypoint.sh
#!/bin/sh
# vim:sw=4:ts=4:et
set -e
entrypoint_log() {
if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
echo "$@"
fi
}
if [ "$1" = "nginx" -o "$1" = "nginx-debug" ]; then
if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"
find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
case "$f" in
*.envsh)
if [ -x "$f" ]; then
entrypoint_log "$0: Sourcing $f";
. "$f"
else
# warn on shell scripts without exec bit
entrypoint_log "$0: Ignoring $f, not executable";
fi
;;
*.sh)
if [ -x "$f" ]; then
entrypoint_log "$0: Launching $f";
"$f"
else
# warn on shell scripts without exec bit
entrypoint_log "$0: Ignoring $f, not executable";
fi
;;
*) entrypoint_log "$0: Ignoring $f";;
esac
done
entrypoint_log "$0: Configuration complete; ready for start up"
else
entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"
fi
fi
exec "$@"
To build:
$ docker build -t local/nginx:v1.0.0 .
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
local/nginx v1.0.0 f80656b065fc 5 seconds ago 10.1MB
$ docker run -d local/nginx:v1.0.0
f42df3f6277c11b24729d2ea249a3dae55cdbc10feea4bd6bd021c7380ecec21
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f42df3f6277c local/nginx:v1.0.0 "/docker-entrypoint.…" 2 seconds ago Up 1 second 80/tcp affectionate_chandrasekhar
$ docker exec -it f42df3f6277c sh
/ # ps
PID USER TIME COMMAND
1 root 0:00 nginx: master process nginx -g daemon off;
30 nginx 0:00 nginx: worker process
31 nginx 0:00 nginx: worker process
32 root 0:00 sh
38 root 0:00 ps
/ #
CPU and Memory limit For container
Set CPU limit for container
$ docker run --cpus 2 -d local/nginx:v1.0.0
0b63d5a1bdb900c53f2bab4a548fb905118c91418ea03a0ea0e252e359d9d91e
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0b63d5a1bdb9 local/nginx:v1.0.0 "/docker-entrypoint.…" 3 seconds ago Up 2 seconds 80/tcp sharp_allen
Set MEM limit for container
$ docker run -m 200m -d local/nginx:v1.0.0
95dc419aff2882cd966d5729976dfc682d7255f7a20cd6092e598ec198d27225
$ docker inspect 9 | grep -i memory
"Memory": 209715200,
"KernelMemory": 0,
"KernelMemoryTCP": 0,
"MemoryReservation": 0,
"MemorySwap": 419430400,
"MemorySwappiness": null,
Install Containerd
Download the containerd-<VERSION>-<OS>-<ARCH>.tar.gz
archive from https://github.com/containerd/containerd/releases , verify its sha256sum, and extract it under /usr/local
:
# tar Cxzvf /usr/local containerd-1.6.8-linux-amd64.tar.gz
bin/
bin/containerd-shim-runc-v2
bin/containerd-shim
bin/ctr
bin/containerd-shim-runc-v1
bin/containerd
bin/containerd-stress
Install containerd as systemd service
Download the containerd.service
unit file from https://github.com/containerd/containerd/blob/main/containerd.service into /usr/lib/systemd/system/containerd.service
, and run the following commands:
# cp containerd.service /usr/lib/systemd/system/
# systemctl daemon-reload
# systemctl enable --now containerd
Created symlink from /etc/systemd/system/multi-user.target.wants/containerd.service to /usr/lib/systemd/system/containerd.service.
Install runc
Download the runc.<ARCH>
binary from https://github.com/opencontainers/runc/releases , verify its sha256sum, and install it as /usr/local/sbin/runc
.
# install -m 755 runc.amd64 /usr/local/sbin/runc
Installing CNI plugins
Download the cni-plugins-<OS>-<ARCH>-<VERSION>.tgz
archive from https://github.com/containernetworking/plugins/releases , verify its sha256sum, and extract it under /opt/cni/bin
:
# mkdir -p /opt/cni/bin
# tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.1.1.tgz
./
./macvlan
./static
./vlan
./portmap
./host-local
./vrf
./bridge
./tuning
./firewall
./host-device
./sbr
./loopback
./dhcp
./ptp
./ipvlan
./bandwidth
Install HTTP Based Harbor
Install docker-compose
$ curl -L https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
$ docker-compose version
Docker Compose version v2.12.2
Download harbor from https://github.com/goharbor/harbor/releases
Create and update harbor.yml
Run
install.sh
$ ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.17
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 2.12.2
[Step 2]: preparing environment ...
[Step 3]: preparing harbor configs ...
prepare base dir is set to /tmp/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrad e to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
...
✔ ----Harbor has been installed and started successfully.----
Install nerdctl
$ nerdctl run -d -p 8999:80 --name=nginx-web1 nginx:latest
docker.io/library/nginx:latest: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:943c25b4b66b332184d5ba6bb18234273551593016c0e0ae906bab111548239f: done |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:06aa2038b42f1502b59b3a862b1f5980d3478063028d8e968f0810b9b0502380: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:76c69feac34e85768b284f84416c3546b240e8cb4f68acbbe5ad261a8b36f39f: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:8e3ed6a9e43aaf17bc2175fa2c7ae2ee24cff4d32bf82adf1ea689db4dcf15e1: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:f88a23025338bc64e97dc350efac90275df227949d7c835b8b1f6fbc4d2439c0: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:e9995326b091af7b3ce352fad4d76cf3a3cb62b7a0c35cc5f625e8e649d23c50: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:0df440342e265c89de536643c3376dadf44c810fe2fb2b2ee44711f8661ce531: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:71689475aec267fae8891b2b3d2bef78c6b3d57c077129ff9cd69b6e5253dfa7: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:eef26ceb3309d6e72a4402c3f16b047416adecaf91bc5360ebd4205d1ef5e310: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 6.5 s total: 54.2 M (8.3 MiB/s)
ccb3747da87c7a2ac6dc914a8d315c364d1ffecc222e51fafe9e2e7ae8bfed5d
$ nerdctl ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ccb3747da87c docker.io/library/nginx:latest "/docker-entrypoint.…" 4 seconds ago Up 0.0.0.0:8999->80/tcp nginx-web1
$ nerdctl rm -fv ccb3747da87c
ccb3747da87c
$ nerdctl ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
Tips
Delete all docker containers
# Get all container IDs
$ docker ps -aq
# Delete all
$ docker rm -fv `(docker ps -aq)`
Check listening TCP port
$ ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 100 127.0.0.1:49152 0.0.0.0:*
LISTEN 0 128 127.0.0.1:38915 0.0.0.0:*
LISTEN 0 128 127.0.0.1:36587 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5555 0.0.0.0:*
LISTEN 0 128 127.0.0.1:40243 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1%lo:20311 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 [::]:22 [::]:*
Check iptables DNAT
$ iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 11 packets, 660 bytes)
pkts bytes target prot opt in out source destination
28 1680 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 11 packets, 660 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 7 packets, 532 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 7 packets, 532 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:80
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.17.0.2:80
Check route
$ ip route
default via 10.229.36.1 dev eth0
default via 10.229.36.1 dev eth1 metric 10001
10.229.36.0/25 dev eth0 proto kernel scope link src 10.229.36.54
10.229.36.0/25 dev eth1 proto kernel scope link src 10.229.36.34
169.254.169.254 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
Check MAC address
$ arp -a
版权声明: 本文为 InfoQ 作者【9527】的原创文章。
原文链接:【http://xie.infoq.cn/article/9fa4a342632164d7a6497865e】。文章转载请联系作者。
9527
还未添加个人签名 2020-04-22 加入
还未添加个人简介
评论