為什么使用容器？

1.上線流程繁瑣

開發->測試->申請資源->審批->部署->測試等環節

2.資源利用率低

普遍服務器利用率低，造成過多浪費

3.擴容/縮容不及時

業務高峰期擴容流程繁瑣，上線不及時

4.服務器環境臃腫

服務器越來越臃腫，對維護、遷移帶來困難

Docker設計目標：

• 提供簡單的應用程序打包工具
• 開發人員和運維人員職責邏輯分離
• 多環境保持一致性

Kubernetes設計目標：

• 集中管理所有容器
• 資源編排
• 資源調度
• 彈性伸縮
• 資源隔離

容器 vs 虛擬機

優點：
1、環境治理
2、提高服務器資源利用率
3、快速搭建新技術環境，不用學習復雜的部署環境
4、輕量級
5、虛擬化滿足不了一些業務場景
6、完美構建微服務部署環境
7、一次構建，多地方部署
8、快速部署、遷移、回滾，不依賴底層環境
9、高度保持多個環境一致性

缺點：
1、安全性不如VM
2、隔離性不如VM
3、大規模不易管理，K8s應用而生
4、不易有狀態應用部署
5、排查問題比較難
6、不支持Windows

原理
cgroups 資源限制:比如CPU/內存
namespace 資源隔離：進程、文件系統、用戶等
ufs 聯合文件系統：鏡像增量式存儲，提高磁盤利用率

Docker 基本使用

curl -o /etc/yum.repos.d/docker-ce.repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repohttp://mirrors.aliyun.com/repo/Centos-7.repo安裝docker注意事項： 1、替換國內yum源 2、服務器時區和時間保持國內 3、selinux和firewalld關閉sudo mkdir -p /etc/docker sudo tee /etc/docker/daemon.json <<-'EOF' {"registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"] } EOF sudo systemctl daemon-reload sudo systemctl restart dockerdocker inspect image nginx view CentOS7.x安裝Docker # 安裝依賴包 yum install -y yum-utils device-mapper-persistent-data lvm2 # 添加Docker軟件包源 yum-config-manager \ --add-repo \ https://download.docker.com/linux/centos/docker-ce.repo # 安裝Docker CE yum install -y docker-ce # 啟動Docker服務并設置開機啟動 systemctl start docker systemctl enable docker官方文檔：https://docs.docker.com 阿里云源：http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

理解容器鏡像

鏡像是什么？

• 一個分層存儲的文件
• 一個軟件的環境
• 一個鏡像可以創建N個容器
• 一種標準化的交付
• 一個不包含Linux內核而又精簡的Linux操作系統
  鏡像不是一個單一的文件，而是有多層構成。我們可以通過docker history <ID/NAME> 查看鏡像中各層內容及大小，每層 對應著Dockerfile中的一條指令。Docker鏡像默認存儲在/var/lib/docker/\<storage-driver\>中。

鏡像從哪里來？
Docker Hub是由Docker公司負責維護的公共注冊中心，包含大量的容器鏡像，Docker工具默認從這個公共鏡像庫下載鏡像。 地址：https://hub.docker.com

配置鏡像加速器：https://www.daocloud.io/mirror
curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io

如圖，容器其實是在鏡像的最上面加了一層讀寫層，在運行容器里文件改動時， 會先從鏡像里要寫的文件復制到容器自己的文件系統中(讀寫層)。

如果容器刪除了，最上面的讀寫層也就刪除了，改動也就丟失了。所以無論多少個容器共享一個鏡像，所做的寫操作都是從鏡像的文件系統中復制過來操作 的，并不會修改鏡像的源文件，這種方式提高磁盤利用率。

若想持久化這些改動，可以通過docker commit 將容器保存成一個新鏡像。

• 一個鏡像創建多個容器
• 鏡像增量式存儲
• 創建的容器里面修改不會影響到鏡像

管理鏡像常用命令表

編寫Dockerfile的技巧：
1、如果追求鏡像更小，選擇alpine
2、運行的Shell命令盡可能寫到一個RUN里面，減少鏡像層
3、清理部署時產生留的緩存或者文件

FROM centos:7 RUN yum install -y gcc gcc-c++ make openssl-devel pcre-devel RUN ./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-http_stub_status_module && \ make -j 4 && \ make install

創建應用容器并做資源限制

?創建容器常用選項

?

容器資源限制參數表

示例：

內存限額： 允許容器最多使用500M內存和100M的Swap，并禁用 OOM Killer： docker run -d --name nginx03 --memory="500m" --memory-swap="600m" --oom-kill-disable nginx CPU限額： 允許容器最多使用一個半的CPU： docker run -d --name nginx04 --cpus="1.5" nginx 允許容器最多使用50%的CPU： docker run -d --name nginx05 --cpus=".5" nginx

管理容器常用命令表

創建一個容器： 1、設置容器名為hello 2、暴露88端口讓外部訪問 3、傳入一個test=123456變量 4、設置開機啟動docker run -d --name hello -e test=123456 -p 88:80 --restart=always nginxdocker run [OPTIONS] IMAGE [COMMAND] [ARG...]docker exec -it nginx bash docker run -it centos bashnginx -g daemon off;資源限制：內存、CPU、硬盤、網絡需要持久化的數據： 1、日志，一般用于方便日志采集和故障排查 2、配置文件，比如nginx配置文件 3、業務數據，比如mysql，網站程序 4、臨時緩存數據，比如nginx-proxy-cache-v 數據卷名稱或者源目錄:容器目標bind mounts注意點: 1、宿主機文件或者目錄必須存在才能成功掛載 2、宿主機文件或者目錄覆蓋容器中內容鏡像分類： 1、基礎鏡像，例如centos(yum)、ubuntu(apt)、alpine(apk) 2、環境鏡像，例如php、jdk、python 3、項目鏡像，打包好的可部署鏡像制作鏡像： 1、選擇一個符合線上操作系統的基礎鏡像 2、用基礎鏡像創建一個容器，手動在容器里面跑一邊你要部署的應用 3、確認你啟動這個應用的前臺運行命令源碼安裝： 0. 安裝依賴包，例如gcc、make 1、./configure 2、make 3、make installPHP鏡像： 1、PHP環境，可以運行認可php腳本 2、PHP-FPMjava -jar xxx.jardocker-compose 單機容器編排工具 view code

持久化容器中應用程序數據

Docker提供三種方式將數據從宿主機掛載到容器中：

• volumes：Docker管理宿主機文件系統的一部分(/var/lib/docker/volumes)。保存數據的最佳方式。
• bind mounts：將宿主機上的任意位置的文件或者目錄掛載到容器中。
• tmpfs：掛載存儲在主機系統的內存中，而不會寫入主機的文件系統。如果不希望將數據持久存儲在任何位置，可以使用 tmpfs，同時避免寫入容器可寫層提高性能。

Dockerfile 構建常見基礎鏡像

[root@mysql dockerfile]# tree . ├── java │ └── Dockerfile ├── nginx │ ├── Dockerfile │ ├── nginx-1.15.5.tar.gz │ └── nginx.conf ├── php │ ├── Dockerfile │ ├── php-5.6.36.tar.gz │ ├── php-fpm.conf │ └── php.ini └── tomcat├── apache-tomcat-8.5.43.tar.gz└── Dockerfile View Code

構建Nginx基礎鏡像

FROM centos:7 LABEL maintainer www.ctnrs.com RUN yum install -y gcc gcc-c++ make \openssl-devel pcre-devel gd-devel \iproute net-tools telnet wget curl && \yum clean all && \rm -rf /var/cache/yum/*COPY nginx-1.15.5.tar.gz / RUN tar zxf nginx-1.15.5.tar.gz && \cd nginx-1.15.5 && \./configure --prefix=/usr/local/nginx \--with-http_ssl_module \--with-http_stub_status_module && \make -j 4 && make install && \rm -rf /usr/local/nginx/html/* && \echo "ok" >> /usr/local/nginx/html/status.html && \cd / && rm -rf nginx* && \ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtimeENV PATH $PATH:/usr/local/nginx/sbin COPY nginx.conf /usr/local/nginx/conf/nginx.conf WORKDIR /usr/local/nginx EXPOSE 80 CMD ["nginx", "-g", "daemon off;"] View Code

構建PHP基礎鏡像

FROM centos:7 MAINTAINER www.ctnrs.com RUN yum install epel-release -y && \yum install -y gcc gcc-c++ make gd-devel libxml2-devel \libcurl-devel libjpeg-devel libpng-devel openssl-devel \libmcrypt-devel libxslt-devel libtidy-devel autoconf \iproute net-tools telnet wget curl && \yum clean all && \rm -rf /var/cache/yum/*COPY php-5.6.36.tar.gz / RUN tar zxf php-5.6.36.tar.gz && \cd php-5.6.36 && \./configure --prefix=/usr/local/php \--with-config-file-path=/usr/local/php/etc \--enable-fpm --enable-opcache \--with-mysql --with-mysqli --with-pdo-mysql \--with-openssl --with-zlib --with-curl --with-gd \--with-jpeg-dir --with-png-dir --with-freetype-dir \--enable-mbstring --with-mcrypt --enable-hash && \make -j 4 && make install && \cp php.ini-production /usr/local/php/etc/php.ini && \cp sapi/fpm/php-fpm.conf /usr/local/php/etc/php-fpm.conf && \sed -i "90a \daemonize = no" /usr/local/php/etc/php-fpm.conf && \mkdir /usr/local/php/log && \cd / && rm -rf php* && \ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtimeENV PATH $PATH:/usr/local/php/sbin COPY php.ini /usr/local/php/etc/ COPY php-fpm.conf /usr/local/php/etc/ WORKDIR /usr/local/php EXPOSE 9000 CMD ["php-fpm"] View Code ;;;;;;;;;;;;;;;;;;;;; ; FPM Configuration ; ;;;;;;;;;;;;;;;;;;;;;; All relative paths in this configuration file are relative to PHP's install ; prefix (/usr/local/php). This prefix can be dynamically changed by using the ; '-p' argument from the command line.; Include one or more files. If glob(3) exists, it is used to include a bunch of ; files from a glob(3) pattern. This directive can be used everywhere in the ; file. ; Relative path can also be used. They will be prefixed by: ; - the global prefix if it's been set (-p argument) ; - /usr/local/php otherwise ;include=etc/fpm.d/*.conf;;;;;;;;;;;;;;;;;; ; Global Options ; ;;;;;;;;;;;;;;;;;;[global] ; Pid file ; Note: the default prefix is /usr/local/php/var ; Default Value: none pid = /var/run/php-fpm.pid; Error log file ; If it's set to "syslog", log is sent to syslogd instead of being written ; in a local file. ; Note: the default prefix is /usr/local/php/var ; Default Value: log/php-fpm.log error_log = /usr/local/php/log/php-fpm.log; syslog_facility is used to specify what type of program is logging the ; message. This lets syslogd specify that messages from different facilities ; will be handled differently. ; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON) ; Default Value: daemon ;syslog.facility = daemon; syslog_ident is prepended to every message. If you have multiple FPM ; instances running on the same server, you can change the default value ; which must suit common needs. ; Default Value: php-fpm ;syslog.ident = php-fpm; Log level ; Possible Values: alert, error, warning, notice, debug ; Default Value: notice log_level = warning; If this number of child processes exit with SIGSEGV or SIGBUS within the time ; interval set by emergency_restart_interval then FPM will restart. A value ; of '0' means 'Off'. ; Default Value: 0 ;emergency_restart_threshold = 0; Interval of time used by emergency_restart_interval to determine when ; a graceful restart will be initiated. This can be useful to work around ; accidental corruptions in an accelerator's shared memory. ; Available Units: s(econds), m(inutes), h(ours), or d(ays) ; Default Unit: seconds ; Default Value: 0 emergency_restart_interval = 24h; Time limit for child processes to wait for a reaction on signals from master. ; Available units: s(econds), m(inutes), h(ours), or d(ays) ; Default Unit: seconds ; Default Value: 0 process_control_timeout = 5s; The maximum number of processes FPM will fork. This has been design to control ; the global number of processes when using dynamic PM within a lot of pools. ; Use it with caution. ; Note: A value of 0 indicates no limit ; Default Value: 0 ; process.max = 128; Specify the nice(2) priority to apply to the master process (only if set) ; The value can vary from -19 (highest priority) to 20 (lower priority) ; Note: - It will only work if the FPM master process is launched as root ; - The pool process will inherit the master process priority ; unless it specified otherwise ; Default Value: no set ; process.priority = -19; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging. ; Default Value: yes daemonize = no; Set open file descriptor rlimit for the master process. ; Default Value: system defined value rlimit_files = 10240; Set max core size rlimit for the master process. ; Possible Values: 'unlimited' or an integer greater or equal to 0 ; Default Value: system defined value ;rlimit_core = 0; Specify the event mechanism FPM will use. The following is available: ; - select (any POSIX os) ; - poll (any POSIX os) ; - epoll (linux >= 2.5.44) ; - kqueue (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0) ; - /dev/poll (Solaris >= 7) ; - port (Solaris >= 10) ; Default Value: not set (auto detection) ;events.mechanism = epoll; When FPM is build with systemd integration, specify the interval, ; in second, between health report notification to systemd. ; Set to 0 to disable. ; Available Units: s(econds), m(inutes), h(ours) ; Default Unit: seconds ; Default value: 10 ;systemd_interval = 10;;;;;;;;;;;;;;;;;;;; ; Pool Definitions ; ;;;;;;;;;;;;;;;;;;;;; Multiple pools of child processes may be started with different listening ; ports and different management options. The name of the pool will be ; used in logs and stats. There is no limitation on the number of pools which ; FPM can handle. Your system will tell you anyway :); Start a new pool named 'www'. ; the variable $pool can we used in any directive and will be replaced by the ; pool name ('www' here) [www]; Per pool prefix ; It only applies on the following directives: ; - 'access.log' ; - 'slowlog' ; - 'listen' (unixsocket) ; - 'chroot' ; - 'chdir' ; - 'php_values' ; - 'php_admin_values' ; When not set, the global prefix (or /usr/local/php) applies instead. ; Note: This directive can also be relative to the global prefix. ; Default Value: none ;prefix = /path/to/pools/$pool; Unix user/group of processes ; Note: The user is mandatory. If the group is not set, the default user's group ; will be used. user = nobody group = nobody; The address on which to accept FastCGI requests. ; Valid syntaxes are: ; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on ; a specific port; ; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on ; a specific port; ; 'port' - to listen on a TCP socket to all IPv4 addresses on a ; specific port; ; '[::]:port' - to listen on a TCP socket to all addresses ; (IPv6 and IPv4-mapped) on a specific port; ; '/path/to/unix/socket' - to listen on a unix socket. ; Note: This value is mandatory. ;listen = 127.0.0.1:9000 listen = 0.0.0.0:9000; Set listen(2) backlog. ; Default Value: 65535 (-1 on FreeBSD and OpenBSD) ;listen.backlog = 65535; Set permissions for unix socket, if one is used. In Linux, read/write ; permissions must be set in order to allow connections from a web server. Many ; BSD-derived systems allow connections regardless of permissions. ; Default Values: user and group are set as the running user ; mode is set to 0660 listen.owner = nobody listen.group = nobody ;listen.mode = 0660 ; When POSIX Access Control Lists are supported you can set them using ; these options, value is a comma separated list of user/group names. ; When set, listen.owner and listen.group are ignored ;listen.acl_users = ;listen.acl_groups =; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address ; must be separated by a comma. If this value is left blank, connections will be ; accepted from any ip address. ; Default Value: any ; listen.allowed_clients = 127.0.0.1; Specify the nice(2) priority to apply to the pool processes (only if set) ; The value can vary from -19 (highest priority) to 20 (lower priority) ; Note: - It will only work if the FPM master process is launched as root ; - The pool processes will inherit the master process priority ; unless it specified otherwise ; Default Value: no set ; process.priority = -19; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user ; or group is differrent than the master process user. It allows to create process ; core dump and ptrace the process for the pool user. ; Default Value: no ; process.dumpable = yes; Choose how the process manager will control the number of child processes. ; Possible Values: ; static - a fixed number (pm.max_children) of child processes; ; dynamic - the number of child processes are set dynamically based on the ; following directives. With this process management, there will be ; always at least 1 children. ; pm.max_children - the maximum number of children that can ; be alive at the same time. ; pm.start_servers - the number of children created on startup. ; pm.min_spare_servers - the minimum number of children in 'idle' ; state (waiting to process). If the number ; of 'idle' processes is less than this ; number then some children will be created. ; pm.max_spare_servers - the maximum number of children in 'idle' ; state (waiting to process). If the number ; of 'idle' processes is greater than this ; number then some children will be killed. ; ondemand - no children are created at startup. Children will be forked when ; new requests will connect. The following parameter are used: ; pm.max_children - the maximum number of children that ; can be alive at the same time. ; pm.process_idle_timeout - The number of seconds after which ; an idle process will be killed. ; Note: This value is mandatory. pm = dynamic; The number of child processes to be created when pm is set to 'static' and the ; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. ; This value sets the limit on the number of simultaneous requests that will be ; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. ; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP ; CGI. The below defaults are based on a server without much resources. Don't ; forget to tweak pm.* to fit your needs. ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' ; Note: This value is mandatory. pm.max_children = 200; The number of child processes created on startup. ; Note: Used only when pm is set to 'dynamic' ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 pm.start_servers = 50; The desired minimum number of idle server processes. ; Note: Used only when pm is set to 'dynamic' ; Note: Mandatory when pm is set to 'dynamic' pm.min_spare_servers = 50; The desired maximum number of idle server processes. ; Note: Used only when pm is set to 'dynamic' ; Note: Mandatory when pm is set to 'dynamic' pm.max_spare_servers = 100; The number of seconds after which an idle process will be killed. ; Note: Used only when pm is set to 'ondemand' ; Default Value: 10s ;pm.process_idle_timeout = 10s;; The number of requests each child process should execute before respawning. ; This can be useful to work around memory leaks in 3rd party libraries. For ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. ; Default Value: 0 pm.max_requests = 51200; The URI to view the FPM status page. If this value is not set, no URI will be ; recognized as a status page. It shows the following informations: ; pool - the name of the pool; ; process manager - static, dynamic or ondemand; ; start time - the date and time FPM has started; ; start since - number of seconds since FPM has started; ; accepted conn - the number of request accepted by the pool; ; listen queue - the number of request in the queue of pending ; connections (see backlog in listen(2)); ; max listen queue - the maximum number of requests in the queue ; of pending connections since FPM has started; ; listen queue len - the size of the socket queue of pending connections; ; idle processes - the number of idle processes; ; active processes - the number of active processes; ; total processes - the number of idle + active processes; ; max active processes - the maximum number of active processes since FPM ; has started; ; max children reached - number of times, the process limit has been reached, ; when pm tries to start more children (works only for ; pm 'dynamic' and 'ondemand'); ; Value are updated in real time. ; Example output: ; pool: www ; process manager: static ; start time: 01/Jul/2011:17:53:49 +0200 ; start since: 62636 ; accepted conn: 190460 ; listen queue: 0 ; max listen queue: 1 ; listen queue len: 42 ; idle processes: 4 ; active processes: 11 ; total processes: 15 ; max active processes: 12 ; max children reached: 0 ; ; By default the status page output is formatted as text/plain. Passing either ; 'html', 'xml' or 'json' in the query string will return the corresponding ; output syntax. Example: ; http://www.foo.bar/status ; http://www.foo.bar/status?json ; http://www.foo.bar/status?html ; http://www.foo.bar/status?xml ; ; By default the status page only outputs short status. Passing 'full' in the ; query string will also return status for each pool process. ; Example: ; http://www.foo.bar/status?full ; http://www.foo.bar/status?json&full ; http://www.foo.bar/status?html&full ; http://www.foo.bar/status?xml&full ; The Full status returns for each process: ; pid - the PID of the process; ; state - the state of the process (Idle, Running, ...); ; start time - the date and time the process has started; ; start since - the number of seconds since the process has started; ; requests - the number of requests the process has served; ; request duration - the duration in μs of the requests; ; request method - the request method (GET, POST, ...); ; request URI - the request URI with the query string; ; content length - the content length of the request (only with POST); ; user - the user (PHP_AUTH_USER) (or '-' if not set); ; script - the main script called (or '-' if not set); ; last request cpu - the %cpu the last request consumed ; it's always 0 if the process is not in Idle state ; because CPU calculation is done when the request ; processing has terminated; ; last request memory - the max amount of memory the last request consumed ; it's always 0 if the process is not in Idle state ; because memory calculation is done when the request ; processing has terminated; ; If the process is in Idle state, then informations are related to the ; last request the process has served. Otherwise informations are related to ; the current request being served. ; Example output: ; ************************ ; pid: 31330 ; state: Running ; start time: 01/Jul/2011:17:53:49 +0200 ; start since: 63087 ; requests: 12808 ; request duration: 1250261 ; request method: GET ; request URI: /test_mem.php?N=10000 ; content length: 0 ; user: - ; script: /home/fat/web/docs/php/test_mem.php ; last request cpu: 0.00 ; last request memory: 0 ; ; Note: There is a real-time FPM status monitoring sample web page available ; It's available in: /usr/local/php/share/php/fpm/status.html ; ; Note: The value must start with a leading slash (/). The value can be ; anything, but it may not be a good idea to use the .php extension or it ; may conflict with a real PHP file. ; Default Value: not set pm.status_path = /status; The ping URI to call the monitoring page of FPM. If this value is not set, no ; URI will be recognized as a ping page. This could be used to test from outside ; that FPM is alive and responding, or to ; - create a graph of FPM availability (rrd or such); ; - remove a server from a group if it is not responding (load balancing); ; - trigger alerts for the operating team (24/7). ; Note: The value must start with a leading slash (/). The value can be ; anything, but it may not be a good idea to use the .php extension or it ; may conflict with a real PHP file. ; Default Value: not set ;ping.path = /ping; This directive may be used to customize the response of a ping request. The ; response is formatted as text/plain with a 200 response code. ; Default Value: pong ;ping.response = pong; The access log file ; Default: not set ;access.log = log/$pool.access.log; The access log format. ; The following syntax is allowed ; %%: the '%' character ; %C: %CPU used by the request ; it can accept the following format: ; - %{user}C for user CPU only ; - %{system}C for system CPU only ; - %{total}C for user + system CPU (default) ; %d: time taken to serve the request ; it can accept the following format: ; - %{seconds}d (default) ; - %{miliseconds}d ; - %{mili}d ; - %{microseconds}d ; - %{micro}d ; %e: an environment variable (same as $_ENV or $_SERVER) ; it must be associated with embraces to specify the name of the env ; variable. Some exemples: ; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e ; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e ; %f: script filename ; %l: content-length of the request (for POST request only) ; %m: request method ; %M: peak of memory allocated by PHP ; it can accept the following format: ; - %{bytes}M (default) ; - %{kilobytes}M ; - %{kilo}M ; - %{megabytes}M ; - %{mega}M ; %n: pool name ; %o: output header ; it must be associated with embraces to specify the name of the header: ; - %{Content-Type}o ; - %{X-Powered-By}o ; - %{Transfert-Encoding}o ; - .... ; %p: PID of the child that serviced the request ; %P: PID of the parent of the child that serviced the request ; %q: the query string ; %Q: the '?' character if query string exists ; %r: the request URI (without the query string, see %q and %Q) ; %R: remote IP address ; %s: status (response code) ; %t: server time the request was received ; it can accept a strftime(3) format: ; %d/%b/%Y:%H:%M:%S %z (default) ; %T: time the log has been written (the request has finished) ; it can accept a strftime(3) format: ; %d/%b/%Y:%H:%M:%S %z (default) ; %u: remote user ; ; Default: "%R - %u %t \"%m %r\" %s" ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"; The log file for slow requests ; Default Value: not set ; Note: slowlog is mandatory if request_slowlog_timeout is set slowlog = log/$pool.log.slow; The timeout for serving a single request after which a PHP backtrace will be ; dumped to the 'slowlog' file. A value of '0s' means 'off'. ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) ; Default Value: 0 request_slowlog_timeout = 10; The timeout for serving a single request after which the worker process will ; be killed. This option should be used when the 'max_execution_time' ini option ; does not stop script execution for some reason. A value of '0' means 'off'. ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) ; Default Value: 0 request_terminate_timeout = 600; Set open file descriptor rlimit. ; Default Value: system defined value rlimit_files = 10240; Set max core size rlimit. ; Possible Values: 'unlimited' or an integer greater or equal to 0 ; Default Value: system defined value ;rlimit_core = 0; Chroot to this directory at the start. This value must be defined as an ; absolute path. When this value is not set, chroot is not used. ; Note: you can prefix with '$prefix' to chroot to the pool prefix or one ; of its subdirectories. If the pool prefix is not set, the global prefix ; will be used instead. ; Note: chrooting is a great security feature and should be used whenever ; possible. However, all PHP paths will be relative to the chroot ; (error_log, sessions.save_path, ...). ; Default Value: not set ;chroot =; Chdir to this directory at the start. ; Note: relative path can be used. ; Default Value: current directory or / when chroot ;chdir = /var/www; Redirect worker stdout and stderr into main error log. If not set, stdout and ; stderr will be redirected to /dev/null according to FastCGI specs. ; Note: on highloaded environement, this can cause some delay in the page ; process time (several ms). ; Default Value: no ;catch_workers_output = yes; Clear environment in FPM workers ; Prevents arbitrary environment variables from reaching FPM worker processes ; by clearing the environment in workers before env vars specified in this ; pool configuration are added. ; Setting to "no" will make all environment variables available to PHP code ; via getenv(), $_ENV and $_SERVER. ; Default Value: yes ;clear_env = no; Limits the extensions of the main script FPM will allow to parse. This can ; prevent configuration mistakes on the web server side. You should only limit ; FPM to .php extensions to prevent malicious users to use other extensions to ; exectute php code. ; Note: set an empty value to allow all extensions. ; Default Value: .php ;security.limit_extensions = .php .php3 .php4 .php5; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from ; the current environment. ; Default Value: clean env ;env[HOSTNAME] = $HOSTNAME ;env[PATH] = /usr/local/bin:/usr/bin:/bin ;env[TMP] = /tmp ;env[TMPDIR] = /tmp ;env[TEMP] = /tmp; Additional php.ini defines, specific to this pool of workers. These settings ; overwrite the values previously defined in the php.ini. The directives are the ; same as the PHP SAPI: ; php_value/php_flag - you can set classic ini defines which can ; be overwritten from PHP call 'ini_set'. ; php_admin_value/php_admin_flag - these directives won't be overwritten by ; PHP call 'ini_set' ; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.; Defining 'extension' will load the corresponding shared extension from ; extension_dir. Defining 'disable_functions' or 'disable_classes' will not ; overwrite previously defined php.ini values, but will append the new value ; instead.; Note: path INI options can be relative and will be expanded with the prefix ; (pool, global or /usr/local/php); Default Value: nothing is defined by default except the values in php.ini and ; specified at startup with the -d argument ;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com ;php_flag[display_errors] = off ;php_admin_value[error_log] = /var/log/fpm-php.www.log ;php_admin_flag[log_errors] = on ;php_admin_value[memory_limit] = 32M php-fpm.conf

構建Tomcat基礎鏡像

FROM centos:7 MAINTAINER www.ctnrs.comENV VERSION=8.5.43RUN yum install java-1.8.0-openjdk wget curl unzip iproute net-tools -y && \yum clean all && \rm -rf /var/cache/yum/*COPY apache-tomcat-${VERSION}.tar.gz / RUN tar zxf apache-tomcat-${VERSION}.tar.gz && \mv apache-tomcat-${VERSION} /usr/local/tomcat && \rm -rf apache-tomcat-${VERSION}.tar.gz /usr/local/tomcat/webapps/* && \mkdir /usr/local/tomcat/webapps/test && \echo "ok" > /usr/local/tomcat/webapps/test/status.html && \sed -i '1a JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom"' /usr/local/tomcat/bin/catalina.sh && \ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtimeENV PATH $PATH:/usr/local/tomcat/binWORKDIR /usr/local/tomcatEXPOSE 8080 CMD ["catalina.sh", "run"] View Code

構建Java基礎鏡像

FROM java:8-jdk-alpine LABEL maintainer www.ctnrs.com ENV JAVA_OPTS="$JAVA_OPTS -Dfile.encoding=UTF8 -Duser.timezone=GMT+08" RUN apk add -U tzdata && \ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime COPY ./target/eureka-service.jar ./ EXPOSE 8888 CMD java -jar $JAVA_OPTS /eureka-service.jar View Code

企業級 Harbor 鏡像倉庫

Harbor 是由VMWare公司開源的容器鏡像倉庫。事實上，Harbor是在Docker Registry上進行了相應 的企業級擴展，從而獲得了更加廣泛的應用，這些新的企業級特性包括：管理用戶界面，基于角色的 訪問控制 ，AD/LDAP集成以及審計日志等，足以滿足基本企業需求。官方地址：https://vmware.github.io/harbor/cn/

1、安裝docker與docker-compose 依賴Python環境 wget http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo yum install docker-ce -y systemctl start docker systemctl enable docker 2、解壓離線包部署 tar zxvf harbor-offline-installer-v1.9.1.tgz cd harbor vi harbor.yml hostname: 10.0.0.70 ./prepare ./install.sh 在Jenkins主機配置Docker可信任由于habor未配置https，還需要在docker配置可信任。# cat /etc/docker/daemon.json {"registry-mirrors": ["http://f1361db2.m.daocloud.io"],"insecure-registries": ["10.0.0.0.70"] } # systemctl restart docker [root@mysql harbor]# docker-compose psName Command State Ports --------------------------------------------------------------------------------------------- harbor-core /harbor/harbor_core Up (healthy) harbor-db /docker-entrypoint.sh Up (healthy) 5432/tcp harbor-jobservice /harbor/harbor_jobservice ... Up (healthy) harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp harbor-portal nginx -g daemon off; Up (healthy) 8080/tcp nginx nginx -g daemon off; Up (healthy) 0.0.0.0:80->8080/tcp redis redis-server /etc/redis.conf Up (healthy) 6379/tcp registry /entrypoint.sh /etc/regist ... Up (healthy) 5000/tcp registryctl /harbor/start.sh Up (healthy) 查看啟動情況

admin? 默認密碼：Harbor12345

創建用戶

終端登錄 Harbor

# 報錯 [root@mysql harbor]# docker login 10.0.0.70 Username: admin Password: Error response from daemon: Get http://10.0.0.70/v2/: dial tcp 10.0.0.70:80: connect: connection refused # 重啟 docker-compose down -v docker-compose up -d

配置上傳鏡像

1、配置http鏡像倉庫可信任[root@mysql harbor]# cat /etc/docker/daemon.json {"registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"],"insecure-registries": ["10.0.0.70"] } systemctl restart docker2、打標簽 docker tag tomcat:v1 10.0.0.70/library/tomcat:v13、上傳for i in {nginx,php};do docker push 10.0.0.70/library/${i}:v1;done4、下載 # docker pull 10.0.0.70/library/nginx:v1

上傳完畢后查看

基于 Docker 構建企業 Jenkins CI平臺

持續集成(Continuous Integration，CI)：代碼合并、構建、部署、測試都在一起，不斷地執行這個過程，并對結果反饋。
持續部署(Continuous Deployment，CD)：部署到測試環境、預生產環境、生產環境。
持續交付(Continuous Delivery，CD)：將最終產品發布到生產環境，給用戶使用。

高效的CI/CD環境可以獲得：

?及時發現問題
?大幅度減少故障率
?加快迭代速度
?減少時間成本

CI 工作流程

CI流程：
1、拉取代碼
2、代碼編譯(java項目)，產出war包
3、打包項目鏡像并推送到鏡像倉庫
4、部署鏡像測試

部署gitlab

docker run -d \--name gitlab \-p 8443:443 \-p 9999:80 \-p 9998:22 \-v $PWD/config:/etc/gitlab \-v $PWD/logs:/var/log/gitlab \-v $PWD/data:/var/opt/gitlab \-v /etc/localtime:/etc/localtime \lizhenliang/gitlab-ce-zh:latestgitlab/gitlab-ce:latest

訪問地址：http://IP:9999

初次會先設置管理員密碼 ，然后登陸，默認管理員用戶名root，密碼就是剛設置的。

創建項目，提交測試代碼

進入后先創建項目，提交代碼，以便后面測試。

git remote add pb http://10.0.0.70:9999/root/java-demo.git[root@mysql tomcat-java-demo-master]# cat .git/config [core]repositoryformatversion = 0filemode = truebare = falselogallrefupdates = true [remote "pb"]url = http://10.0.0.70:9999/root/java-demo.gitfetch = +refs/heads/*:refs/remotes/pb/*git config --global user.email "fadewalk@163.com" git config --global user.name "fadewalk"[root@mysql tomcat-java-demo-master]# git push pb master Username for 'http://10.0.0.70:9999': root Password for 'http://root@10.0.0.70:9999': Counting objects: 179, done. Delta compression using up to 4 threads. Compressing objects: 100% (166/166), done. Writing objects: 100% (179/179), 1.12 MiB | 0 bytes/s, done. Total 179 (delta 4), reused 0 (delta 0) remote: Resolving deltas: 100% (4/4), done. To http://10.0.0.70:9999/root/java-demo.git* [new branch] master -> master 代碼push

準備JDK和Maven環境

解壓相應的包到宿主機的目錄

tar zxvf jdk-8u45-linux-x64.tar.gz mv jdk1.8.0_45 /usr/local/jdk tar zxf apache-maven-3.5.0-bin.tar.gz mv apache-maven-3.5.0 /usr/local/maven

啟動Jenkins容器

docker run -d --name jenkins -p 8099:8080 -p 50000:50000 -u root \-v /opt/jenkins_home:/var/jenkins_home \-v /var/run/docker.sock:/var/run/docker.sock \-v /usr/bin/docker:/usr/bin/docker \-v /usr/local/maven:/usr/local/maven \-v /usr/local/jdk:/usr/local/jdk \-v /etc/localtime:/etc/localtime \--name jenkins jenkins/jenkins:lts

將宿主機中的環境目錄直接掛載到Jenkins容器的目錄中，實現利用宿主機的環境構建性能

[root@mysql tools]# docker exec -it jenkins bash root@d413a8199d28:/# cat /var/jenkins_home/secrets/initialAdminPassword 813c4d8fc29f45c7b898e73a79f03283

使用/root/.ssh中私鑰訪問gitlab。 更加的方便安全。在Jenkins中配置私鑰訪問gitlab代碼倉庫。

安裝插件

系統管理-->插件管理-->Installed

搜索git/pipeline，點擊安裝。 在線安裝不行，可以離線安裝，或者在初始化Jenkins的頁面就把插件都安裝好，只是要多等幾分鐘。

插件頁面這里配置了以后，一直是報錯，沒有用

修改國內源： cd /opt/jenkins_home/updates sed -i 's/http:\/\/updates.jenkins-ci.org\/download/https:\/\/mirrors.tuna.tsinghua.edu.cn\/jenkins/g' default.json && \ sed -i 's/http:\/\/www.google.com/https:\/\/www.baidu.com/g' default.json 然后重啟jenkins容器生效。 or 修改國內源

添加參數化構建

This project is parameterized -> String Parameter

Name：Branch # 變量名，下面腳本中調用

Default Value：master # 默認分支

Description：發布的代碼分支 # 描述

Pipeline腳本

#!/usr/bin/env groovydef registry = "10.0.0.70" def project = "dev" def app_name = "java-demo" def image_name = "${registry}/${project}/${app_name}:${Branch}-${BUILD_NUMBER}" def git_address = "http://root:wyl606,git@10.0.0.70:9999/root/java-demo.git" def docker_registry_auth = "6041d04f-2b8f-4275-9dff-4c528a28c610" def git_auth = "'05562e63-b2bf-4e0b-bb2c-2513b10b599b"pipeline {agent anystages {stage('拉取代碼'){steps {checkout([$class: 'GitSCM', branches: [[name: '${Branch}']], userRemoteConfigs: [[credentialsId: "${git_auth}", url: "${git_address}"]]])}}stage('代碼編譯'){steps {sh """JAVA_HOME=/usr/local/jdkPATH=$JAVA_HOME/bin:/usr/local/maven/bin:$PATHmvn clean package -Dmaven.test.skip=true"""}}stage('構建鏡像'){steps {withCredentials([usernamePassword(credentialsId: "${docker_registry_auth}", passwordVariable: 'password', usernameVariable: 'username')]) {sh """echo 'FROM ${registry}/library/tomcat:v1LABEL maitainer lizhenliangRUN rm -rf /usr/local/tomcat/webapps/*ADD target/*.war /usr/local/tomcat/webapps/ROOT.war' > Dockerfiledocker build -t ${image_name} .docker login -u ${username} -p '${password}' ${registry}docker push ${image_name}"""}}}stage('部署到Docker'){steps {sh """REPOSITORY=${image_name}docker rm -f tomcat-java-demo |truedocker container run -d --name tomcat-java-demo -p 88:8080 ${image_name}"""}}} } Pipeline script

添加憑據

這里Jenkins 中 gitlab的用戶名和密碼生成的憑據id 通過http無法正常連接，
只好將用戶名和密碼寫到了連接中的方式解決

1、添加拉取git代碼憑據，并獲取id替換到上面git_auth變量值。
2、添加拉取harbor鏡像憑據，并獲取id替換到上面docker_registry_auth變量值。

憑據的id要與scripts 里面的變量一致

點擊進行構建

構建的時候
maven建議采用國內的源，這樣更快一些。
在配置文件中添加

maven 鏡像添加 [root@k8s-m1 conf]# grep ali settings.xml<name>aliyun maven</name><url>https://maven.aliyun.com/repository/public</url>

流水線構建完成后，在docker的鏡像倉庫Harbor 里面查看push 上來的鏡像

部署成功，在部署應用端查看

當修改代碼，或者提交新的分支。后gitlab倉庫的master會更新。

后面又觸發新的構建

Prometheus+Grafana 監控 Docker

• cAdvisor (Container Advisor) ：用于收集正在運行的容器資源使用和性能信息。 https://github.com/google/cadvisor
• Prometheus(普羅米修斯)：容器監控系統。 https://prometheus.io https://github.com/prometheus
• Grafana：是一個開源的度量分析和可視化系統。 https://grafana.com/grafana/download https://grafana.com/dashboards/193(監控Docker主機模板)

被監控端執行 10.0.0.70

Docker部署cAdvisor： docker run -d \ --volume=/:/rootfs:ro \ --volume=/var/run:/var/run:ro \ --volume=/sys:/sys:ro \ --volume=/var/lib/docker/:/var/lib/docker:ro \ --volume=/dev/disk/:/dev/disk:ro \ --publish=8080:8080 \ --detach=true \ --name=cadvisor \ google/cadvisor:latest

監控端執行 10.0.0.23

Docker部署Grafana： docker run -d \ --name=grafana \ -p 3000:3000 \ grafana/grafanaDocker部署Prometheus： docker run -d \ --name=prometheus \ -p 9090:9090 \ -v /tmp/prometheus.yml:/etc/prometheus/prometheus.yml \ prom/prometheus [root@k8s-m1 tmp]# cat prometheus.yml # my global config global:scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.# scrape_timeout is set to the global default (10s).# Alertmanager configuration alerting:alertmanagers:- static_configs:- targets:# - alertmanager:9093# Load rules once and periodically evaluate them according to the global 'evaluation_interval'. rule_files:# - "first_rules.yml"# - "second_rules.yml"# A scrape configuration containing exactly one endpoint to scrape: # Here it's Prometheus itself. scrape_configs:# The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.- job_name: 'prometheus'# metrics_path defaults to '/metrics'# scheme defaults to 'http'.static_configs:- targets: ['10.0.0.70:8080'] cat prometheus.yml

配置數據源

導入 官方的模板id

查看被監控的docker主機資源情況

總結

以上是生活随笔為你收集整理的02、Kubernetes 入门（上）-重新认识Docker的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。