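day057 - docker-compose case study and Docker image registries
Table of contents
- 0. Oldboy philosophy: winning over the interviewer through the ten human needs
- 1. Reverse-engineering the Dockerfile of a custom image
- 2. Case study: deploying kodbox (可道云) with docker-compose
- 2.1 nginx+php image
- 2.1.1 Dockerfile
- 2.1.2 nginx sub-configuration file
- 2.2 Writing the docker-compose file
- 2.3 Starting docker-compose
- 2.4 Writing the docker-compose variable file
- 3. Docker image registries
- 3.1 registry image registry
- 3.1.1 Starting the registry
- 3.1.2 Pushing an image to the registry
- 3.1.3 Pulling an image from the registry
- 3.2 harbor image registry
- 3.2.1 Deploying harbor
- 3.2.2 Accessing the web UI
- 3.2.3 Pushing an image to the registry
- 3.2.4 Configuring HTTPS for harbor
- 3.3 Alibaba Cloud image registry (ACR)
- 3.3.1 Creating an image repository
- 3.3.2 Pushing an image from the local host and viewing it
- 4. Pitfalls
- 1. After deploying kodbox, all requests turn out to be https
- 5. Mind map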
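0. Oldboy philosophy: winning over the interviewer through the ten human needs
Ten human needs | Interviewer | Manager |
---|---|---|
1. Physiological needs | Ten minutes into the interview, or when the interviewer's cup is nearly empty: take a bottle of water out of your bag and hand it to the interviewer | In hot weather or similar situations, buy the manager coffee, fruit, etc. (when the manager is with other people, do not buy only for the manager; buy extra for the others, which gives the manager face) |
2. Financial needs | After the interview, you can send the interviewer a milk-tea voucher (Meituan) | |
3. Safety needs | Do not threaten the manager's position | |
4. Need to feel important | Clean clothes, tidy hair, upright posture, sincere eye contact. If there were questions you could not answer during the interview, write them up afterwards and send them to the interviewer in a sincere tone, with your name and contact details in the file, and finally send a milk-tea voucher (preferably not a cash red envelope, otherwise people will think you are too obsequious) | In meetings, listen carefully and take notes |
5. Emotional needs | Steady tone, moderate pace, not hurried, even intonation | Ask the manager questions from time to time, to satisfy the manager's liking for teaching others |
6. Need for praise and encouragement | Praise the company and HR | Praise the manager's technical skill |
7. Need for freedom | The manager may not want to work at weekends; ask the manager whether there is any work you can take on |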
1. Reverse-engineering the Dockerfile of a custom image
docker history <image name>
[root@docker01 ~]# docker history --format "{{.CreatedBy}}" --no-trunc web:bird_v2 |tac
ADD alpine-minirootfs-3.22.0-x86_64.tar.gz / # buildkit
CMD ["/bin/sh"]
LABEL maintainer=NGINX Docker Maintainers <docker-maint@nginx.com>
ENV NGINX_VERSION=1.29.0
ENV PKG_RELEASE=1
ENV DYNPKG_RELEASE=1
RUN /bin/sh -c set -x && addgroup -g 101 -S nginx && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx && apkArch="$(cat /etc/apk/arch)" && nginxPackages=" nginx=${NGINX_VERSION}-r${PKG_RELEASE} " && apk add --no-cache --virtual .checksum-deps openssl && case "$apkArch" in x86_64|aarch64) set -x && KEY_SHA512="e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655" && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub && if echo "$KEY_SHA512 */tmp/nginx_signing.rsa.pub" | sha512sum -c -; then echo "key verification succeeded!"; mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; else echo "key verification failed!"; exit 1; fi && apk add -X "https://nginx.org/packages/mainline/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages ;; *) set -x && tempDir="$(mktemp -d)" && chown nobody:nobody $tempDir && apk add --no-cache --virtual .build-deps gcc libc-dev make openssl-dev pcre2-dev zlib-dev linux-headers bash alpine-sdk findutils curl && su nobody -s /bin/sh -c " export HOME=${tempDir} && cd ${tempDir} && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz && PKGOSSCHECKSUM=\"400593da45fc0195a01138c0c23a06059da1c6a2e26959f2c4c95fbaf63436ff211665ef01392d2b775a0133d5b57680dabe51b840a55f82e89621e84cf651d1 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then echo \"pkg-oss tarball checksum verification succeeded!\"; else echo \"pkg-oss tarball checksum verification failed!\"; exit 1; fi && tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} && cd alpine && make base && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk && abuild-sign -k 
${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz " && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ && apk del --no-network .build-deps && apk add -X ${tempDir}/packages/alpine/ --no-cache $nginxPackages ;; esac && apk del --no-network .checksum-deps && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi && apk add --no-cache gettext-envsubst && apk add --no-cache tzdata && ln -sf /dev/stdout /var/log/nginx/access.log && ln -sf /dev/stderr /var/log/nginx/error.log && mkdir /docker-entrypoint.d # buildkit
COPY docker-entrypoint.sh / # buildkit
COPY 10-listen-on-ipv6-by-default.sh /docker-entrypoint.d # buildkit
COPY 15-local-resolvers.envsh /docker-entrypoint.d # buildkit
COPY 20-envsubst-on-templates.sh /docker-entrypoint.d # buildkit
COPY 30-tune-worker-processes.sh /docker-entrypoint.d # buildkit
ENTRYPOINT ["/docker-entrypoint.sh"]
EXPOSE map[80/tcp:{}]
STOPSIGNAL SIGQUIT
CMD ["nginx" "-g" "daemon off;"]
ENV NJS_VERSION=0.9.0
ENV NJS_RELEASE=1
RUN /bin/sh -c set -x && apkArch="$(cat /etc/apk/arch)" && nginxPackages=" nginx=${NGINX_VERSION}-r${PKG_RELEASE} nginx-module-xslt=${NGINX_VERSION}-r${DYNPKG_RELEASE} nginx-module-geoip=${NGINX_VERSION}-r${DYNPKG_RELEASE} nginx-module-image-filter=${NGINX_VERSION}-r${DYNPKG_RELEASE} nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${NJS_RELEASE} " && apk add --no-cache --virtual .checksum-deps openssl && case "$apkArch" in x86_64|aarch64) apk add -X "https://nginx.org/packages/mainline/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" --no-cache $nginxPackages ;; *) set -x && tempDir="$(mktemp -d)" && chown nobody:nobody $tempDir && apk add --no-cache --virtual .build-deps gcc libc-dev make openssl-dev pcre2-dev zlib-dev linux-headers libxslt-dev gd-dev geoip-dev libedit-dev bash alpine-sdk findutils curl && su nobody -s /bin/sh -c " export HOME=${tempDir} && cd ${tempDir} && curl -f -L -O https://github.com/nginx/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz && PKGOSSCHECKSUM=\"400593da45fc0195a01138c0c23a06059da1c6a2e26959f2c4c95fbaf63436ff211665ef01392d2b775a0133d5b57680dabe51b840a55f82e89621e84cf651d1 *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then echo \"pkg-oss tarball checksum verification succeeded!\"; else echo \"pkg-oss tarball checksum verification failed!\"; exit 1; fi && tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} && cd alpine && make module-geoip module-image-filter module-njs module-xslt && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz " && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ && apk del --no-network .build-deps && apk add -X ${tempDir}/packages/alpine/ --no-cache 
$nginxPackages ;; esac && apk del --no-network .checksum-deps && if [ -n "$tempDir" ]; then rm -rf "$tempDir"; fi && if [ -f "/etc/apk/keys/abuild-key.rsa.pub" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi && apk add --no-cache curl ca-certificates # buildkit
LABEL author=skx desc=自定义小鸟飞飞镜像
RUN /bin/sh -c mkdir -p /app/code/bird # buildkit
ADD bird.tar.gz /app/code/bird # buildkit
ADD default.conf /etc/nginx/conf.d/ # buildkit
EXPOSE map[443/tcp:{} 80/tcp:{}]
CMD ["nginx" "-g" "daemon off;"]
2. Case study: deploying kodbox (可道云) with docker-compose
- Containers:
  - nginx+php
  - db
2.1 nginx+php image
2.1.1 Dockerfile
[root@docker01 /server/docker-compose/03-kodbox]# cat Dockerfile
FROM ubuntu:22.04
LABEL author=skx desc="kodbox镜像-ngx-php"
ENV SRC sources.list
ENV CODE /app/code/
ENV TZ=Asia/Shanghai
ADD ${SRC} /etc/apt/sources.list
# The RUN step sets the time zone, installs nginx and php-fpm, sends the nginx
# logs to the container's stdout/stderr (link name last: ln -sf TARGET LINK),
# deletes the default site and makes php-fpm listen on 127.0.0.1:9000.
RUN apt update \
 && DEBIAN_FRONTEND=noninteractive apt install -y tzdata \
 && ln -snf /usr/share/zoneinfo/$TZ /etc/localtime \
 && echo $TZ > /etc/timezone \
 && apt install -y nginx \
 && apt install -y php8.1-common php8.1-bcmath php8.1-cli php8.1-curl php8.1-dev php8.1-fpm php8.1-gd php8.1-mysql php8.1-mbstring php8.1-redis \
 && mkdir -p ${CODE} \
 && ln -sf /dev/stdout /var/log/nginx/access.log \
 && ln -sf /dev/stderr /var/log/nginx/error.log \
 && rm -f /etc/nginx/sites-enabled/default \
 && sed -i 's#^listen =.*#listen = 127.0.0.1:9000#g' /etc/php/8.1/fpm/pool.d/www.conf
ADD kodbox.oldboy.cn.conf /etc/nginx/conf.d/
ADD entry.sh /
ADD kodbox.tar.gz ${CODE}
RUN chown -R www-data:www-data ${CODE}
EXPOSE 80 443
CMD ["/entry.sh"]
2.1.2 nginx sub-configuration file
[root@docker01 /server/docker-compose/03-kodbox]# cat kodbox.oldboy.cn.conf
server {
    listen 80;
    server_name kodbox.oldboy.cn;
    root /app/code/kodbox;
    location / {
        index index.php;
    }
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS off; # HTTPS must be turned off here
        include fastcgi_params;
    }
}
2.2 Writing the docker-compose file
[root@docker01 /server/docker-compose/03-kodbox]# cat docker-compose.yaml
services:
  kodbox_web:
    image: "web:kodbox" # custom image
    build:
      context: .
      dockerfile: Dockerfile
    container_name: "kodbox_web_v1"
    ports:
      - 80:80
    restart: always
    depends_on: # this service depends on the database, so the database starts first
      - kodbox_db
  kodbox_db:
    image: "mysql:8.0-debian"
    container_name: "kodbox_db_v1"
    ports: # both containers are managed by the same docker-compose project, which resolves service names by default, so the port does not have to be exposed
      - 3306:3306
    restart: always
    environment: # container environment variables; equivalent to docker run -e
      MYSQL_ROOT_PASSWORD: "1"
      MYSQL_DATABASE: "kodbox" # create a new database
      MYSQL_USER: "kodbox" # create a database user
      MYSQL_PASSWORD: "1" # set the user's password
    volumes: # volume mount
      - kodbox_db:/var/lib/mysql
volumes:
  kodbox_db: # define a volume named "kodbox_db"
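2.3 Starting docker-compose
2.4 Writing the docker-compose variable file
- The docker-compose file may use the same variable several times
- The variables can be written in a file and then referenced from the compose file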
[root@docker01 /server/docker-compose/03-kodbox]# cat .env
ROOT_PASS=2
U=kodbox
PASS=kodbox123
DB=kodbox
- Modify the docker-compose.yaml file
[root@docker01 /server/docker-compose/03-kodbox]# cat docker-compose.yaml
……
    environment:
      MYSQL_ROOT_PASSWORD: ${ROOT_PASS}
      MYSQL_DATABASE: ${DB}
      MYSQL_USER: ${U}
      MYSQL_PASSWORD: ${PASS}
……
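Added example, not part of the original post: Compose substitutes an empty string (printing only a warning) for a ${VAR} that .env does not define, so a misspelled variable name can leave a password field blank. The hypothetical helper check_compose_env lists every variable the compose file requires that .env leaves undefined or empty; it is meant to be run against the two files shown above before starting the project.

```shell
#!/bin/sh
# Added example: the function name and output format are assumptions,
# not part of the original post.
#
# check_compose_env COMPOSE_FILE ENV_FILE
# Prints "MISSING <name>" for every variable referenced as ${NAME} or
# ${NAME:?msg} in the compose file that the env file does not define with a
# non-empty value. References with a fallback (${NAME:-default}) are skipped
# because Compose can still resolve them. Returns 1 if anything is missing.
check_compose_env() {
    compose_file=$1
    env_file=$2
    missing=0

    # Extract the names of variables that have no default value.
    vars=$(grep -oE '\$\{[A-Za-z_][A-Za-z0-9_]*(\}|:?\?)' "$compose_file" \
        | sed -e 's/^\${//' -e 's/[}:?]*$//' \
        | sort -u)

    for name in $vars; do
        # A definition only counts when something follows the "=".
        if ! grep -Eq "^${name}=.+" "$env_file"; then
            echo "MISSING $name"
            missing=1
        fi
    done
    return $missing
}
```

Writing a reference as ${PASS:?PASS is not set} in the compose file makes Compose itself stop with an error when the variable is missing, which gives the same check at start time.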
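3. Docker image registries
Image registry | Use case |
---|---|
registry | Easy to use, suited to small website clusters; operated from the command line, no authentication, no web page |
harbor | Enterprise-grade image registry, usable by both docker and k8s; has a graphical interface |
Public cloud image registry | Alibaba Cloud (ACR) |
3.1 registry image registry
3.1.1 Starting the registry
- Upload the registry image file:
registery.tar link: https://pan.baidu.com/s/1JLCmdegCUrp5pZD2ngXSHg?pwd=3mf3 extraction code: 3mf3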
[root@docker2 ~]# docker load -i registery.tar
63ec0bd56cf3: Loading layer 7.64MB/7.64MB
a1276679d720: Loading layer 792.6kB/792.6kB
d07ff08f9625: Loading layer 17.55MB/17.55MB
c2dcc11d9708: Loading layer 3.584kB/3.584kB
b6e508f6792e: Loading layer 2.048kB/2.048kB
Loaded image: registry:latest
[root@docker2 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry latest 6a3edb1d5eb6 21 months ago 25.4MB
- Add the registry address (the "insecure-registries" line below is the one to add)
- Every other Docker client that uses this registry has to add it as well
[root@docker2 /etc/docker]# cat /etc/docker/daemon.json
{
  "insecure-registries": ["10.0.0.11:5000","harbor.oldboy.cn"],
  "registry-mirrors" : ["https://do.nark.eu.org","https://dc.j8.work","https://docker.m.daocloud.io","https://dockerproxy.com",
……
[root@docker2 /etc/docker]# systemctl restart docker.service
- Start the registry:
[root@docker2 ~]# docker run -d --name "oldboy_registry" -p 5000:5000 -v registry:/var/lib/registry --restart=always registry:latest
ca6654134745a8f8c9be707bda5a096d8b334cf6b3be7d545d75d4d49e8081d1
[root@docker2 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ca6654134745 registry:latest "/entrypoint.sh /etc…" 2 seconds ago Up 2 seconds 0.0.0.0:5000->5000/tcp, :::5000->5000/tcp oldboy_registry
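3.1.2 Pushing an image to the registry
- Retag the image first, then push it
docker tag <local image name> <registry address>:<port>/<namespace (category)>/<image name>
docker push <image name>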
[root@docker01 ~]# docker images |grep web |head -n 3
web kodbox_v1 9925fbc83845 3 hours ago 860MB
web kodbox 84788d2accf5 4 hours ago 860MB
web bird_v2 02c222e4257e 8 hours ago 52.6MB
[root@docker01 ~]# docker tag web:bird_v2 10.0.0.11:5000/oldboy/web:bird_v2
[root@docker01 ~]# docker images |grep bird_v2
10.0.0.11:5000/oldboy/web bird_v2 02c222e4257e 8 hours ago 52.6MB
web bird_v2 02c222e4257e 8 hours ago 52.6MB
[root@docker01 ~]# docker push 10.0.0.11:5000/oldboy/web:bird_v2
The push refers to repository [10.0.0.11:5000/oldboy/web]
a01db637e575: Pushed
158758300782: Pushed
8a168d4da96f: Pushed
640e06e412a9: Pushed
bd66bdd2f47f: Pushed
4f313ed230a0: Pushed
36acb230000e: Pushed
2aaacff968bc: Pushed
bbbd2d1aea89: Pushed
7b97c641cb43: Pushed
fd2758d7a50e: Pushed
bird_v2: digest: sha256:7c0e1088dca8a27817cb49ebe4d1115515ed4d86486382a0c7f13667ed12f616 size: 2612
3.1.3 Pulling an image from the registry
[root@docker01 ~]# docker images |grep bird_v2
[root@docker01 ~]# docker pull 10.0.0.11:5000/oldboy/web:bird_v2
bird_v2: Pulling from oldboy/web
fe07684b16b8: Already exists
3b7062d09e02: Already exists
fb746e72516f: Already exists
a9ff9baf1741: Already exists
2c127093dfc7: Already exists
63dda2adf85b: Already exists
b55ed7d7b2de: Already exists
92971aeb101e: Already exists
7ce86ac31905: Already exists
c90f932541e1: Already exists
174ad810b761: Already exists
Digest: sha256:7c0e1088dca8a27817cb49ebe4d1115515ed4d86486382a0c7f13667ed12f616
Status: Downloaded newer image for 10.0.0.11:5000/oldboy/web:bird_v2
10.0.0.11:5000/oldboy/web:bird_v2
[root@docker01 ~]# docker images |grep bird_v2
10.0.0.11:5000/oldboy/web bird_v2 02c222e4257e 8 hours ago 52.6MB
3.2 harbor image registry
3.2.1 Deploying harbor
- Port 80 must not be in use
- Requires a docker and docker-compose environment
- harbor package:
harbor-offline-installer-v2.3.1.tgz link: https://pan.baidu.com/s/1Ztb1QoLvS_IRTC8EpvsUwg?pwd=56j6 extraction code: 56j6
# Set ip_forward
[root@docker2 /app/tools/harbor]# grep "ip_forward" /etc/sysctl.conf
net.ipv4.ip_forward=1
[root@docker2 ~]# mkdir -p /app/tools
[root@docker2 ~]# tar xf harbor-offline-installer-v2.3.1.tgz -C /app/tools
[root@docker2 ~]# ll /app/tools
总用量 0
drwxr-xr-x 2 root root 122 7月 19 21:10 harbor
- Modify the harbor configuration file
[root@docker2 /app/tools/harbor]# mv harbor.yml.tmpl harbor.yml
[root@docker2 /app/tools/harbor]# vim harbor.yml
# Run this script again after every change to the configuration file
[root@docker2 /app/tools/harbor]# ./install.sh
3.2.2 Accessing the web UI
- Configure the local hosts file
- Open it in a browser
3.2.3 Pushing an image to the registry
# Configure the local hosts file
[root@docker01 ~]# tail -n 1 /etc/hosts
172.16.1.11 harbor.oldboy.cn
# Tag the image
[root@docker01 ~]# docker tag mysql:8.0-debian harbor.oldboy.cn/oldboy/mysql:8.0-debian
# Log in to the harbor registry
[root@docker01 ~]# docker login -uadmin -p1 harbor.oldboy.cn
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores
Login Succeeded
# Push the image
[root@docker01 ~]# docker push harbor.oldboy.cn/oldboy/mysql:8.0-debian
The push refers to repository [harbor.oldboy.cn/oldboy/mysql]
3e42ca488817: Pushed
44d443bf2ae3: Pushed
546d163aedf3: Pushed
ed81eb86c61e: Pushed
c5ebb69a902f: Pushed
2508d7c3be14: Pushed
2014e50e9084: Pushed
53619c7182d9: Pushed
4d271b603a9f: Pushed
7a4a02f7e3b0: Pushed
fd30b82d6ba3: Pushed
4b3ba104e9a8: Pushed
8.0-debian: digest: sha256:1db9b0e99314bae1b8285f369fff1291b8f911bfcbc0e93e3cf8e9aa2c884599 size: 2828
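Added example, not part of the original post: the two warnings printed by the docker login above can be acted on as follows. The hypothetical function registry_login passes the password on stdin instead of with -p, and creds_storage reports whether the CLI config still holds credentials in plaintext; the function names and the password-file argument are assumptions.

```shell
#!/bin/sh
# Added example: function names and the password file are assumptions,
# not part of the original post.
#
# registry_login REGISTRY USER PASSWORD_FILE
# Feeds the password to "docker login" on stdin, so it does not show up in
# the process list or the shell history the way "-p <password>" does.
registry_login() {
    registry=$1
    user=$2
    pass_file=$3
    [ -r "$pass_file" ] || { echo "cannot read $pass_file" >&2; return 2; }
    docker login --username "$user" --password-stdin "$registry" < "$pass_file"
}

# creds_storage [CONFIG_JSON]
# Reports how the Docker CLI config keeps registry logins:
#   plaintext - a non-empty "auth" value is in the file (base64 of
#               user:password, an encoding and not encryption)
#   helper    - only a credsStore/credHelpers entry, i.e. a credential helper
#   none      - no config file or no stored login
creds_storage() {
    config=${1:-$HOME/.docker/config.json}
    [ -f "$config" ] || { echo none; return 0; }
    if grep -Eq '"auth"[[:space:]]*:[[:space:]]*"[^"]+"' "$config"; then
        echo plaintext
    elif grep -Eq '"(credsStore|credHelpers)"[[:space:]]*:' "$config"; then
        echo helper
    else
        echo none
    fi
}
```

Keep the password file readable by its owner only, and run creds_storage after logging in to confirm that a credential helper is actually in use.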
3.2.4 Configuring HTTPS for harbor
- Download the SSL certificate
[root@docker2 /server/ssl]# ll
总用量 8
-rw-r--r-- 1 root root 1679 7月 20 13:14 harbor.520skx.com.key
-rw-r--r-- 1 root root 3842 7月 20 13:14 harbor.520skx.com.pem
- Modify the harbor configuration file and hosts
./install.sh
- Open it in a browser:
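Added example, not part of the original post: in the directory listing above, the private key harbor.520skx.com.key has mode -rw-r--r--, so every local user can read it. The hypothetical function audit_key_perms lists such keys in a certificate directory and, with --fix, restricts them to the owner; the function name and the --fix flag are assumptions.

```shell
#!/bin/sh
# Added example: the function name and the --fix flag are assumptions,
# not part of the original post.
#
# audit_key_perms DIR [--fix]
# Prints "LOOSE <file>" for every *.key file under DIR that group or others
# can read or write. With --fix, each such file is set to mode 600 and
# reported as "FIXED <file>". Returns 1 if a loose key was found and left
# as it is. File names containing newlines are not supported.
audit_key_perms() {
    dir=$1
    fix=${2:-}
    status=0

    # "-perm -NNN" is POSIX: true when every bit in NNN is set.
    loose=$(find "$dir" -type f -name '*.key' \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \))

    old_ifs=$IFS
    IFS='
'
    for key in $loose; do
        if [ "$fix" = "--fix" ]; then
            chmod 600 "$key" && echo "FIXED $key"
        else
            echo "LOOSE $key"
            status=1
        fi
    done
    IFS=$old_ifs
    return $status
}
```

The certificate (.pem) is public and can stay world-readable; only the key needs to be restricted.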
3.3 Alibaba Cloud image registry (ACR)
3.3.1 Creating an image repository
3.3.2 Pushing an image from the local host and viewing it
[root@docker1 ~]# docker login --username=孙克旭 registry.cn-hangzhou.aliyuncs.com
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores
Login Succeeded
[root@docker01 ~]# docker images |grep nginx
nginx alpine 77656422f700 3 weeks ago 52.5MB
web_nginx 1.29 77656422f700 3 weeks ago 52.5MB
nginx 1.24 b6c621311b44 2 years ago 142MB
nginx 1.24-alpine 55ba84d7d539 2 years ago 41.1MB
[root@docker01 ~]# docker tag nginx:1.24 registry.cn-hangzhou.aliyuncs.com/skx_img/web_app:nginx-1.24
[root@docker01 ~]# docker push registry.cn-hangzhou.aliyuncs.com/skx_img/web_app:nginx-1.24
The push refers to repository [registry.cn-hangzhou.aliyuncs.com/skx_img/web_app]
f62590d48fe5: Pushed
0b27f1638f81: Pushed
629fd7b81c65: Pushed
e543857b2aef: Pushed
6310117db5a7: Pushed
4b3ba104e9a8: Pushed
nginx-1.24: digest: sha256:5acfef6206beffd068c2f7c691cbd6c941627d91d995d97071303b5293f94585 size: 1570
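4. Pitfalls
1. After deploying kodbox, all requests turn out to be https
- HTTPS was turned on in the nginx sub-configuration file; turning it off fixes the problem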
fastcgi_param HTTPS off;
5. Mind map
https://kdocs.cn/join/gpuxq6r?f=101
Invitation to join the shared group "老男孩教育Linux运维99期-孙克旭" for document collaboration