极客时间运维进阶训练营第二周作业

FROM alpine:3.16
LABEL maintainer="Tony"
ENV NGINX_VERSION 1.22.1ENV PKG_RELEASE   1
RUN set -x \# create nginx user/group first, to be consistent throughout docker variants    && addgroup -g 101 -S nginx \    && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \    && apkArch="$(cat /etc/apk/arch)" \    && nginxPackages=" \        nginx=${NGINX_VERSION}-r${PKG_RELEASE} \    " \# install prerequisites for public key and pkg-oss checks    && apk add --no-cache --virtual .checksum-deps \        openssl \    && case "$apkArch" in \        x86_64|aarch64) \# arches officially built by upstream            set -x \            && KEY_SHA512="e7fa8303923d9b95db37a77ad46c68fd4755ff935d0a534d26eba83de193c76166c68bfe7f65471bf8881004ef4aa6df3e34689c305662750c0172fca5d8552a *stdin" \            && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \            && if [ "$(openssl rsa -pubin -in /tmp/nginx_signing.rsa.pub -text -noout | openssl sha512 -r)" = "$KEY_SHA512" ]; then \                echo "key verification succeeded!"; \                mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \            else \                echo "key verification failed!"; \                exit 1; \            fi \            && apk add -X "https://nginx.org/packages/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \            ;; \        *) \# we're on an architecture upstream doesn't officially build for# let's build binaries from the published packaging sources            set -x \            && tempDir="$(mktemp -d)" \            && chown nobody:nobody $tempDir \            && apk add --no-cache --virtual .build-deps \                gcc \                libc-dev \                make \                openssl-dev \                pcre2-dev \                zlib-dev \                linux-headers \                bash \                alpine-sdk \                findutils \            && su nobody -s /bin/sh -c " \                export HOME=${tempDir} \                && cd ${tempDir} \                && curl -f -O https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \                && PKGOSSCHECKSUM=\"7266f418dcc9d89a2990f504d99ec58d10febbaf078c03630d42843955cee7e50b0f90fb317360384a32473839dc42d8b329b737015ec8dd0d028f90d4d5ed25 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \                && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \                    echo \"pkg-oss tarball checksum verification succeeded!\"; \                else \                    echo \"pkg-oss tarball checksum verification failed!\"; \                    exit 1; \                fi \                && tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \                && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \                && cd alpine \                && make base \                && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \                && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \                " \            && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \            && apk del .build-deps \            && apk add -X ${tempDir}/packages/alpine/ --no-cache $nginxPackages \            ;; \    esac \# remove checksum deps    && apk del .checksum-deps \# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)    && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \    && if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \    && if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \# Bring in gettext so we can get `envsubst`, then throw# the rest away. To do this, we need to install `gettext`# then move `envsubst` out of the way so `gettext` can# be deleted completely, then move `envsubst` back.    && apk add --no-cache --virtual .gettext gettext \    && mv /usr/bin/envsubst /tmp/ \    \    && runDeps="$( \        scanelf --needed --nobanner /tmp/envsubst \            | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \            | sort -u \            | xargs -r apk info --installed \            | sort -u \    )" \    && apk add --no-cache $runDeps \    && apk del .gettext \    && mv /tmp/envsubst /usr/local/bin/ \# Bring in tzdata so users could set the timezones through the environment# variables    && apk add --no-cache tzdata \# forward request and error logs to docker log collector    && ln -sf /dev/stdout /var/log/nginx/access.log \    && ln -sf /dev/stderr /var/log/nginx/error.log \# create a docker-entrypoint.d directory    && mkdir /docker-entrypoint.d
COPY docker-entrypoint.sh /
ENTRYPOINT ["/docker-entrypoint.sh"]
EXPOSE 80
STOPSIGNAL SIGQUIT
CMD ["nginx", "-g", "daemon off;"]

#!/bin/sh# vim:sw=4:ts=4:et
set -e
entrypoint_log() {    if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then        echo "$@"    fi}
if [ "$1" = "nginx" -o "$1" = "nginx-debug" ]; then    if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then        entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
        entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"        find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do            case "$f" in                *.envsh)                    if [ -x "$f" ]; then                        entrypoint_log "$0: Sourcing $f";                        . "$f"                    else                        # warn on shell scripts without exec bit                        entrypoint_log "$0: Ignoring $f, not executable";                    fi                    ;;                *.sh)                    if [ -x "$f" ]; then                        entrypoint_log "$0: Launching $f";                        "$f"                    else                        # warn on shell scripts without exec bit                        entrypoint_log "$0: Ignoring $f, not executable";                    fi                    ;;                *) entrypoint_log "$0: Ignoring $f";;            esac        done
        entrypoint_log "$0: Configuration complete; ready for start up"    else        entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"    fifi
exec "$@"

$ docker build -t local/nginx:v1.0.0 .
$ docker imagesREPOSITORY         TAG     IMAGE ID      CREATED       SIZElocal/nginx        v1.0.0  f80656b065fc  5 seconds ago 10.1MB
$ docker run -d local/nginx:v1.0.0f42df3f6277c11b24729d2ea249a3dae55cdbc10feea4bd6bd021c7380ecec21
$ docker psCONTAINER ID   IMAGE                COMMAND                  CREATED         STATUS        PORTS     NAMESf42df3f6277c   local/nginx:v1.0.0   "/docker-entrypoint.…"   2 seconds ago   Up 1 second   80/tcp    affectionate_chandrasekhar
$ docker exec -it f42df3f6277c sh/ # psPID   USER     TIME  COMMAND    1 root      0:00 nginx: master process nginx -g daemon off;   30 nginx     0:00 nginx: worker process   31 nginx     0:00 nginx: worker process   32 root      0:00 sh   38 root      0:00 ps/ #

$ docker run --cpus 2 -d local/nginx:v1.0.00b63d5a1bdb900c53f2bab4a548fb905118c91418ea03a0ea0e252e359d9d91e
$ docker psCONTAINER ID   IMAGE                COMMAND                  CREATED         STATUS         PORTS     NAMES0b63d5a1bdb9   local/nginx:v1.0.0   "/docker-entrypoint.…"   3 seconds ago   Up 2 seconds   80/tcp    sharp_allen

$ docker run -m 200m -d local/nginx:v1.0.095dc419aff2882cd966d5729976dfc682d7255f7a20cd6092e598ec198d27225
$ docker inspect 9 | grep -i memory            "Memory": 209715200,            "KernelMemory": 0,            "KernelMemoryTCP": 0,            "MemoryReservation": 0,            "MemorySwap": 419430400,            "MemorySwappiness": null,

# tar Cxzvf /usr/local containerd-1.6.8-linux-amd64.tar.gzbin/bin/containerd-shim-runc-v2bin/containerd-shimbin/ctrbin/containerd-shim-runc-v1bin/containerdbin/containerd-stress

# cp containerd.service /usr/lib/systemd/system/# systemctl daemon-reload# systemctl enable --now containerdCreated symlink from /etc/systemd/system/multi-user.target.wants/containerd.service to /usr/lib/systemd/system/containerd.service.

# install -m 755 runc.amd64 /usr/local/sbin/runc

# mkdir -p /opt/cni/bin# tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.1.1.tgz././macvlan./static./vlan./portmap./host-local./vrf./bridge./tuning./firewall./host-device./sbr./loopback./dhcp./ptp./ipvlan./bandwidth

$ curl -L https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
$ docker-compose versionDocker Compose version v2.12.2

$ ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.17
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 2.12.2

[Step 2]: preparing environment ...
[Step 3]: preparing harbor configs ...prepare base dir is set to /tmp/harborWARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrad                                                e to httpsGenerated configuration file: /config/portal/nginx.confGenerated configuration file: /config/log/logrotate.confGenerated configuration file: /config/log/rsyslog_docker.confGenerated configuration file: /config/nginx/nginx.confGenerated configuration file: /config/core/envGenerated configuration file: /config/core/app.confGenerated configuration file: /config/registry/config.ymlGenerated configuration file: /config/registryctl/envGenerated configuration file: /config/registryctl/config.ymlGenerated configuration file: /config/db/envGenerated configuration file: /config/jobservice/envGenerated configuration file: /config/jobservice/config.ymlGenerated and saved secret to file: /data/secret/keys/secretkeySuccessfully called func: create_root_certGenerated configuration file: /compose_location/docker-compose.ymlClean up the input dir...✔ ----Harbor has been installed and started successfully.----

$ nerdctl run -d -p 8999:80 --name=nginx-web1 nginx:latestdocker.io/library/nginx:latest:                                                   resolved       |++++++++++++++++++++++++++++++++++++++|index-sha256:943c25b4b66b332184d5ba6bb18234273551593016c0e0ae906bab111548239f:    done           |++++++++++++++++++++++++++++++++++++++|manifest-sha256:06aa2038b42f1502b59b3a862b1f5980d3478063028d8e968f0810b9b0502380: done           |++++++++++++++++++++++++++++++++++++++|config-sha256:76c69feac34e85768b284f84416c3546b240e8cb4f68acbbe5ad261a8b36f39f:   done           |++++++++++++++++++++++++++++++++++++++|layer-sha256:8e3ed6a9e43aaf17bc2175fa2c7ae2ee24cff4d32bf82adf1ea689db4dcf15e1:    done           |++++++++++++++++++++++++++++++++++++++|layer-sha256:f88a23025338bc64e97dc350efac90275df227949d7c835b8b1f6fbc4d2439c0:    done           |++++++++++++++++++++++++++++++++++++++|layer-sha256:e9995326b091af7b3ce352fad4d76cf3a3cb62b7a0c35cc5f625e8e649d23c50:    done           |++++++++++++++++++++++++++++++++++++++|layer-sha256:0df440342e265c89de536643c3376dadf44c810fe2fb2b2ee44711f8661ce531:    done           |++++++++++++++++++++++++++++++++++++++|layer-sha256:71689475aec267fae8891b2b3d2bef78c6b3d57c077129ff9cd69b6e5253dfa7:    done           |++++++++++++++++++++++++++++++++++++++|layer-sha256:eef26ceb3309d6e72a4402c3f16b047416adecaf91bc5360ebd4205d1ef5e310:    done           |++++++++++++++++++++++++++++++++++++++|elapsed: 6.5 s                                                                    total:  54.2 M (8.3 MiB/s)                                     ccb3747da87c7a2ac6dc914a8d315c364d1ffecc222e51fafe9e2e7ae8bfed5d
$ nerdctl psCONTAINER ID    IMAGE                             COMMAND                   CREATED          STATUS    PORTS                   NAMESccb3747da87c    docker.io/library/nginx:latest    "/docker-entrypoint.…"    4 seconds ago    Up        0.0.0.0:8999->80/tcp    nginx-web1
$ nerdctl rm -fv ccb3747da87cccb3747da87c
$ nerdctl psCONTAINER ID    IMAGE    COMMAND    CREATED    STATUS    PORTS    NAMES

# Get all container IDs$ docker ps -aq
# Delete all$ docker rm -fv `(docker ps -aq)`

$  ss -tnlState             Recv-Q            Send-Q                         Local Address:Port                          Peer Address:Port            ProcessLISTEN            0                 100                                127.0.0.1:49152                              0.0.0.0:*LISTEN            0                 128                                127.0.0.1:38915                              0.0.0.0:*LISTEN            0                 128                                127.0.0.1:36587                              0.0.0.0:*LISTEN            0                 128                                  0.0.0.0:111                                0.0.0.0:*LISTEN            0                 128                                  0.0.0.0:80                                 0.0.0.0:*LISTEN            0                 128                                127.0.0.1:5555                               0.0.0.0:*LISTEN            0                 128                                127.0.0.1:40243                              0.0.0.0:*LISTEN            0                 128                                  0.0.0.0:22                                 0.0.0.0:*LISTEN            0                 128                             127.0.0.1%lo:20311                              0.0.0.0:*LISTEN            0                 100                                127.0.0.1:25                                 0.0.0.0:*LISTEN            0                 128                                     [::]:111                                   [::]:*LISTEN            0                 128                                     [::]:80                                    [::]:*LISTEN            0                 128                                     [::]:22                                    [::]:*

$ iptables -t nat -vnLChain PREROUTING (policy ACCEPT 11 packets, 660 bytes) pkts bytes target     prot opt in     out     source               destination   28  1680 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 11 packets, 660 bytes) pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 7 packets, 532 bytes) pkts bytes target     prot opt in     out     source               destination    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 7 packets, 532 bytes) pkts bytes target     prot opt in     out     source               destination    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:80
Chain DOCKER (2 references) pkts bytes target     prot opt in     out     source               destination    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.17.0.2:80

$ ip routedefault via 10.229.36.1 dev eth0default via 10.229.36.1 dev eth1 metric 1000110.229.36.0/25 dev eth0 proto kernel scope link src 10.229.36.5410.229.36.0/25 dev eth1 proto kernel scope link src 10.229.36.34169.254.169.254 dev eth0172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1

$ arp -a