
Geek Time Ops Advanced Training Camp, Week 2 Assignment

Author: 9527
  • 2022-10-28
    United States
  • Word count: 8648

    Reading time: about 28 minutes

Nginx Dockerfile

  • Dockerfile

FROM alpine:3.16
LABEL maintainer="Tony"
ENV NGINX_VERSION 1.22.1
ENV PKG_RELEASE 1
RUN set -x \
# create nginx user/group first, to be consistent throughout docker variants
    && addgroup -g 101 -S nginx \
    && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \
    && apkArch="$(cat /etc/apk/arch)" \
    && nginxPackages=" \
        nginx=${NGINX_VERSION}-r${PKG_RELEASE} \
    " \
# install prerequisites for public key and pkg-oss checks
    && apk add --no-cache --virtual .checksum-deps \
        openssl \
    && case "$apkArch" in \
        x86_64|aarch64) \
# arches officially built by upstream
            set -x \
            && KEY_SHA512="e7fa8303923d9b95db37a77ad46c68fd4755ff935d0a534d26eba83de193c76166c68bfe7f65471bf8881004ef4aa6df3e34689c305662750c0172fca5d8552a *stdin" \
            && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
            && if [ "$(openssl rsa -pubin -in /tmp/nginx_signing.rsa.pub -text -noout | openssl sha512 -r)" = "$KEY_SHA512" ]; then \
                echo "key verification succeeded!"; \
                mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \
            else \
                echo "key verification failed!"; \
                exit 1; \
            fi \
            && apk add -X "https://nginx.org/packages/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages \
            ;; \
        *) \
# we're on an architecture upstream doesn't officially build for
# let's build binaries from the published packaging sources
            set -x \
            && tempDir="$(mktemp -d)" \
            && chown nobody:nobody $tempDir \
            && apk add --no-cache --virtual .build-deps \
                gcc \
                libc-dev \
                make \
                openssl-dev \
                pcre2-dev \
                zlib-dev \
                linux-headers \
                bash \
                alpine-sdk \
                findutils \
            && su nobody -s /bin/sh -c " \
                export HOME=${tempDir} \
                && cd ${tempDir} \
                && curl -f -O https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
                && PKGOSSCHECKSUM=\"7266f418dcc9d89a2990f504d99ec58d10febbaf078c03630d42843955cee7e50b0f90fb317360384a32473839dc42d8b329b737015ec8dd0d028f90d4d5ed25 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
                && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
                    echo \"pkg-oss tarball checksum verification succeeded!\"; \
                else \
                    echo \"pkg-oss tarball checksum verification failed!\"; \
                    exit 1; \
                fi \
                && tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
                && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
                && cd alpine \
                && make base \
                && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
                && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
            " \
            && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
            && apk del .build-deps \
            && apk add -X ${tempDir}/packages/alpine/ --no-cache $nginxPackages \
            ;; \
    esac \
# remove checksum deps
    && apk del .checksum-deps \
# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
    && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi \
    && if [ -n "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi \
    && if [ -n "/etc/apk/keys/nginx_signing.rsa.pub" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi \
# Bring in gettext so we can get `envsubst`, then throw
# the rest away. To do this, we need to install `gettext`
# then move `envsubst` out of the way so `gettext` can
# be deleted completely, then move `envsubst` back.
    && apk add --no-cache --virtual .gettext gettext \
    && mv /usr/bin/envsubst /tmp/ \
    \
    && runDeps="$( \
        scanelf --needed --nobanner /tmp/envsubst \
            | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \
            | sort -u \
            | xargs -r apk info --installed \
            | sort -u \
    )" \
    && apk add --no-cache $runDeps \
    && apk del .gettext \
    && mv /tmp/envsubst /usr/local/bin/ \
# Bring in tzdata so users could set the timezones through the environment
# variables
    && apk add --no-cache tzdata \
# forward request and error logs to docker log collector
    && ln -sf /dev/stdout /var/log/nginx/access.log \
    && ln -sf /dev/stderr /var/log/nginx/error.log \
# create a docker-entrypoint.d directory
    && mkdir /docker-entrypoint.d
COPY docker-entrypoint.sh /
ENTRYPOINT ["/docker-entrypoint.sh"]
EXPOSE 80
STOPSIGNAL SIGQUIT
CMD ["nginx", "-g", "daemon off;"]

  • docker-entrypoint.sh

#!/bin/sh
# vim:sw=4:ts=4:et

set -e

entrypoint_log() {
    if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
        echo "$@"
    fi
}

if [ "$1" = "nginx" -o "$1" = "nginx-debug" ]; then
    if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
        entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"

        entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"
        find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
            case "$f" in
                *.envsh)
                    if [ -x "$f" ]; then
                        entrypoint_log "$0: Sourcing $f";
                        . "$f"
                    else
                        # warn on shell scripts without exec bit
                        entrypoint_log "$0: Ignoring $f, not executable";
                    fi
                    ;;
                *.sh)
                    if [ -x "$f" ]; then
                        entrypoint_log "$0: Launching $f";
                        "$f"
                    else
                        # warn on shell scripts without exec bit
                        entrypoint_log "$0: Ignoring $f, not executable";
                    fi
                    ;;
                *) entrypoint_log "$0: Ignoring $f";;
            esac
        done

        entrypoint_log "$0: Configuration complete; ready for start up"
    else
        entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"
    fi
fi

exec "$@"

To build:

$ docker build -t local/nginx:v1.0.0 .
$ docker images
REPOSITORY    TAG       IMAGE ID       CREATED         SIZE
local/nginx   v1.0.0    f80656b065fc   5 seconds ago   10.1MB
$ docker run -d local/nginx:v1.0.0
f42df3f6277c11b24729d2ea249a3dae55cdbc10feea4bd6bd021c7380ecec21
$ docker ps
CONTAINER ID   IMAGE                COMMAND                  CREATED         STATUS        PORTS     NAMES
f42df3f6277c   local/nginx:v1.0.0   "/docker-entrypoint.…"   2 seconds ago   Up 1 second   80/tcp    affectionate_chandrasekhar
$ docker exec -it f42df3f6277c sh
/ # ps
PID   USER     TIME  COMMAND
    1 root      0:00 nginx: master process nginx -g daemon off;
   30 nginx     0:00 nginx: worker process
   31 nginx     0:00 nginx: worker process
   32 root      0:00 sh
   38 root      0:00 ps
/ #

CPU and memory limits for a container

Set CPU limit for container

$ docker run --cpus 2 -d local/nginx:v1.0.0
0b63d5a1bdb900c53f2bab4a548fb905118c91418ea03a0ea0e252e359d9d91e
$ docker ps
CONTAINER ID   IMAGE                COMMAND                  CREATED         STATUS         PORTS     NAMES
0b63d5a1bdb9   local/nginx:v1.0.0   "/docker-entrypoint.…"   3 seconds ago   Up 2 seconds   80/tcp    sharp_allen

Set memory limit for container

$ docker run -m 200m -d local/nginx:v1.0.0
95dc419aff2882cd966d5729976dfc682d7255f7a20cd6092e598ec198d27225
$ docker inspect 9 | grep -i memory
            "Memory": 209715200,
            "KernelMemory": 0,
            "KernelMemoryTCP": 0,
            "MemoryReservation": 0,
            "MemorySwap": 419430400,
            "MemorySwappiness": null,

Install containerd

Download the containerd-<VERSION>-<OS>-<ARCH>.tar.gz archive from https://github.com/containerd/containerd/releases , verify its sha256sum, and extract it under /usr/local:

# tar Cxzvf /usr/local containerd-1.6.8-linux-amd64.tar.gz
bin/
bin/containerd-shim-runc-v2
bin/containerd-shim
bin/ctr
bin/containerd-shim-runc-v1
bin/containerd
bin/containerd-stress

Install containerd as systemd service

Download the containerd.service unit file from https://github.com/containerd/containerd/blob/main/containerd.service into /usr/lib/systemd/system/containerd.service, and run the following commands:

# cp containerd.service /usr/lib/systemd/system/
# systemctl daemon-reload
# systemctl enable --now containerd
Created symlink from /etc/systemd/system/multi-user.target.wants/containerd.service to /usr/lib/systemd/system/containerd.service.

Install runc

Download the runc.<ARCH> binary from https://github.com/opencontainers/runc/releases , verify its sha256sum, and install it as /usr/local/sbin/runc.

# install -m 755 runc.amd64 /usr/local/sbin/runc

Install CNI plugins

Download the cni-plugins-<OS>-<ARCH>-<VERSION>.tgz archive from https://github.com/containernetworking/plugins/releases , verify its sha256sum, and extract it under /opt/cni/bin:

# mkdir -p /opt/cni/bin
# tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.1.1.tgz
./
./macvlan
./static
./vlan
./portmap
./host-local
./vrf
./bridge
./tuning
./firewall
./host-device
./sbr
./loopback
./dhcp
./ptp
./ipvlan
./bandwidth

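The containerd, runc and CNI steps above each say to verify the archive's sha256sum before extracting it, but the post never shows that check. The following is an added example, not from the original post, of doing it in POSIX sh so that extraction only happens on a matching digest; the demo tarball and its digest are constructed locally, and `sha256sum` from coreutils is assumed to be present.

```shell
#!/bin/sh
# Added example (not from the original post): checksum-gated extraction
# of a release archive, the "verify its sha256sum" step of the install
# sections. Assumes coreutils sha256sum is available.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 equals EXPECTED_HEX, 1 on mismatch or missing file.
verify_sha256() {
    file="$1"; expected="$2"
    [ -f "$file" ] || { echo "verify_sha256: no such file: $file" >&2; return 1; }
    actual="$(sha256sum "$file" | awk '{ print $1 }')"
    if [ "$actual" = "$expected" ]; then
        echo "checksum ok: $file"
        return 0
    fi
    echo "checksum MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# install_verified ARCHIVE EXPECTED_HEX DESTDIR
# Same effect as the post's 'tar Cxzvf /usr/local containerd-<VERSION>-<OS>-<ARCH>.tar.gz',
# but nothing is written to DESTDIR unless the digest matches.
install_verified() {
    verify_sha256 "$1" "$2" || return 1
    mkdir -p "$3" && tar -C "$3" -xzf "$1"
}

# Constructed demo: a tiny tarball built here stands in for a release archive.
# With a real download, EXPECTED_HEX is the value published on the release page.
demo() {
    work="$(mktemp -d)"
    mkdir -p "$work/src/bin"
    printf '#!/bin/sh\necho demo\n' > "$work/src/bin/demo-tool"
    tar -C "$work/src" -czf "$work/demo.tar.gz" bin
    digest="$(sha256sum "$work/demo.tar.gz" | awk '{ print $1 }')"
    install_verified "$work/demo.tar.gz" "$digest" "$work/dest" || return 1
    [ -f "$work/dest/bin/demo-tool" ] || return 1
    # A wrong digest (tampered or corrupted download) is rejected and nothing is extracted.
    bad="$(printf 'not-the-archive' | sha256sum | awk '{ print $1 }')"
    if install_verified "$work/demo.tar.gz" "$bad" "$work/dest2" 2>/dev/null; then
        return 1
    fi
    [ ! -d "$work/dest2" ]
}

demo
```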
Install HTTP-based Harbor

  • Install docker-compose

$ curl -L https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
$ docker-compose version
Docker Compose version v2.12.2

  • Download Harbor from https://github.com/goharbor/harbor/releases

  • Create and update harbor.yml

  • Run install.sh

$ ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.17
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 2.12.2

[Step 2]: preparing environment ...
[Step 3]: preparing harbor configs ...
prepare base dir is set to /tmp/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

...

✔ ----Harbor has been installed and started successfully.----

Install nerdctl

$ nerdctl run -d -p 8999:80 --name=nginx-web1 nginx:latest
docker.io/library/nginx:latest:                                                   resolved       |++++++++++++++++++++++++++++++++++++++|
index-sha256:943c25b4b66b332184d5ba6bb18234273551593016c0e0ae906bab111548239f:    done           |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:06aa2038b42f1502b59b3a862b1f5980d3478063028d8e968f0810b9b0502380: done           |++++++++++++++++++++++++++++++++++++++|
config-sha256:76c69feac34e85768b284f84416c3546b240e8cb4f68acbbe5ad261a8b36f39f:   done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:8e3ed6a9e43aaf17bc2175fa2c7ae2ee24cff4d32bf82adf1ea689db4dcf15e1:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:f88a23025338bc64e97dc350efac90275df227949d7c835b8b1f6fbc4d2439c0:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:e9995326b091af7b3ce352fad4d76cf3a3cb62b7a0c35cc5f625e8e649d23c50:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:0df440342e265c89de536643c3376dadf44c810fe2fb2b2ee44711f8661ce531:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:71689475aec267fae8891b2b3d2bef78c6b3d57c077129ff9cd69b6e5253dfa7:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:eef26ceb3309d6e72a4402c3f16b047416adecaf91bc5360ebd4205d1ef5e310:    done           |++++++++++++++++++++++++++++++++++++++|
elapsed: 6.5 s                                                                    total:  54.2 M (8.3 MiB/s)
ccb3747da87c7a2ac6dc914a8d315c364d1ffecc222e51fafe9e2e7ae8bfed5d
$ nerdctl ps
CONTAINER ID    IMAGE                             COMMAND                   CREATED         STATUS    PORTS                   NAMES
ccb3747da87c    docker.io/library/nginx:latest    "/docker-entrypoint.…"    4 seconds ago   Up        0.0.0.0:8999->80/tcp    nginx-web1
$ nerdctl rm -fv ccb3747da87c
ccb3747da87c
$ nerdctl ps
CONTAINER ID    IMAGE    COMMAND    CREATED    STATUS    PORTS    NAMES

Tips

  • Delete all Docker containers


# Get all container IDs
$ docker ps -aq
# Delete all (command substitution, so the ID list is passed to docker rm)
$ docker rm -fv $(docker ps -aq)

  • Check listening TCP port


$ ss -tnl
State    Recv-Q   Send-Q   Local Address:Port     Peer Address:Port   Process
LISTEN   0        100      127.0.0.1:49152        0.0.0.0:*
LISTEN   0        128      127.0.0.1:38915        0.0.0.0:*
LISTEN   0        128      127.0.0.1:36587        0.0.0.0:*
LISTEN   0        128      0.0.0.0:111            0.0.0.0:*
LISTEN   0        128      0.0.0.0:80             0.0.0.0:*
LISTEN   0        128      127.0.0.1:5555         0.0.0.0:*
LISTEN   0        128      127.0.0.1:40243        0.0.0.0:*
LISTEN   0        128      0.0.0.0:22             0.0.0.0:*
LISTEN   0        128      127.0.0.1%lo:20311     0.0.0.0:*
LISTEN   0        100      127.0.0.1:25           0.0.0.0:*
LISTEN   0        128      [::]:111               [::]:*
LISTEN   0        128      [::]:80                [::]:*
LISTEN   0        128      [::]:22                [::]:*

  • Check iptables DNAT


$ iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 11 packets, 660 bytes)
 pkts bytes target     prot opt in      out      source               destination
   28  1680 DOCKER     all  --  *       *        0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 11 packets, 660 bytes)
 pkts bytes target     prot opt in      out      source               destination

Chain OUTPUT (policy ACCEPT 7 packets, 532 bytes)
 pkts bytes target     prot opt in      out      source               destination
    0     0 DOCKER     all  --  *       *        0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 7 packets, 532 bytes)
 pkts bytes target     prot opt in      out      source               destination
    0     0 MASQUERADE all  --  *       !docker0 172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE tcp  --  *       *        172.17.0.2           172.17.0.2           tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in      out      source               destination
    0     0 RETURN     all  --  docker0 *        0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.17.0.2:80

  • Check route


$ ip route
default via 10.229.36.1 dev eth0
default via 10.229.36.1 dev eth1 metric 10001
10.229.36.0/25 dev eth0 proto kernel scope link src 10.229.36.54
10.229.36.0/25 dev eth1 proto kernel scope link src 10.229.36.34
169.254.169.254 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1

  • Check MAC address


$ arp -a