Linux Ops Basics
systemd
```bash
find / -name systemd                              # locate systemd
systemd-analyze                                   # total boot time
systemd-analyze blame                             # boot time per service
systemd-analyze critical-chain network.service    # startup chain of one service
systemd-analyze plot > message.svg                # render boot order and timings as an SVG
```
systemctl
```bash
systemctl list-units                                 # list running units
systemctl list-units --all                           # list all units
systemctl list-units --all --state=inactive          # list all units that are not running
systemctl list-units --failed                        # list units that failed to load
systemctl list-units --type=service                  # list units of type service
systemctl status                                     # system status; append a unit name to see that unit's status
systemctl -H {user}@{ip} status mysql.service        # status of a unit on a remote host
systemctl show|start|stop|restart|kill|reload|enable|disable xxx
systemctl show -p CPUShares mysql.service            # show one property of a unit
systemctl set-property mysql.service CPUShares=500   # set one property of a unit
systemctl list-dependencies mysql.service            # dependencies of a unit
systemctl daemon-reload                              # reload changed unit files
systemctl list-unit-files                            # list all unit files
systemctl reboot|poweroff|suspend|hibernate|hybrid-sleep
```
hostnamectl
```bash
hostnamectl set-hostname xxx   # set the hostname
```
timedatectl
```bash
timedatectl set-timezone Asia/Shanghai   # set the time zone
timedatectl set-local-rtc true           # keep the hardware clock in local time
```
Performance tools and system commands
```bash
vmstat x y              # virtual memory statistics; x = sampling interval in seconds, y = number of samples
dstat -cdlmnpsy --tcp   # cpu, io and more
iostat -dx x y          # device statistics; x = sampling interval in seconds, y = number of samples
iotop
pidstat
top
htop
mpstat -P ALL x y
netstat -npl|-rn|-in
lsof                    # list open files
perf
uptime
strace
```
NFS setup
```bash
# Server
yum -y install nfs-utils
# vi /etc/sysconfig/nfs
LOCKD_TCPPORT=30001   # TCP port for the lock manager
LOCKD_UDPPORT=30002   # UDP port for the lock manager
MOUNTD_PORT=30003     # port for mountd
STATD_PORT=30004      # port for statd
# vi /etc/exports
/opt/mydir 192.168.0.0/24(rw,async)   # exported directory & subnet allowed to access it
# /opt/mydir 192.168.0.0/24(rw,async,insecure,no_root_squash)   # exported directory & subnet allowed to access it
# exportfs -a   reload the exports
systemctl restart/enable rpcbind.service
systemctl restart/enable nfs-server.service
# check what is exported
showmount -e localhost

# Client
yum -y install nfs-utils
showmount -e 192.168.0.x   # 192.168.0.x is the server's IP
# mount
mount -t nfs 192.168.0.x:/opt/mydir /opt/mydir
# unmount
umount /opt/mydir
```
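As an added example (not part of the original notes), the following Python script parses entries in the /etc/exports syntax shown above and flags the options that matter most from the defensive side: a world-open client list, no_root_squash, insecure, and async on a read-write export. The sample exports text is constructed for the demo and includes the two entries from the notes.

```python
"""Audit NFS export entries for risky options.

Added example, not part of the original notes. It parses the /etc/exports
syntax used above and flags world-open clients, no_root_squash, insecure,
and async on read-write exports. SAMPLE_EXPORTS is constructed for the demo.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the two entries from the notes plus two world-open ones.
SAMPLE_EXPORTS = """\
# /etc/exports
/opt/mydir 192.168.0.0/24(rw,async)
/opt/mydir 192.168.0.0/24(rw,async,insecure,no_root_squash)
/srv/public *(ro)
/srv/scratch *(rw,no_root_squash,sync)
"""

# Either "client(opt,opt)" or a bare client that gets the default options.
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return one (path, client, options) tuple per client of each export line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], parts[1] if len(parts) > 1 else ""
        if not rest:
            entries.append((path, "*", []))      # no client list means everyone
            continue
        for m in CLIENT_RE.finditer(rest):
            if m.group(1) is not None:
                opts = [o.strip() for o in m.group(2).split(",") if o.strip()]
                entries.append((path, m.group(1), opts))
            else:
                entries.append((path, m.group(3), []))
    return entries


def audit_exports(text: str) -> List[Dict[str, str]]:
    """Flag the options that widen who can read the export or write to it as root."""
    findings = []
    for path, client, opts in parse_exports(text):
        def flag(issue: str) -> None:
            findings.append({"path": path, "client": client, "issue": issue})
        if client == "*":
            flag("export is open to every host; restrict it to a subnet or host list")
        if "no_root_squash" in opts:
            flag("no_root_squash: a remote root keeps uid 0 on the exported tree")
        if "insecure" in opts:
            flag("insecure: requests from unprivileged (>1024) source ports are accepted")
        if "rw" in opts and "async" in opts:
            flag("rw with async: acknowledged writes can be lost if the server crashes")
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f['path']} {f['client']}: {f['issue']}")
```

Run it against a copy of /etc/exports before `exportfs -a`; the commented-out `insecure,no_root_squash` variant in the notes produces three findings on its own.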
Automation tools: Ansible, Puppet, Cfengine, Chef, Func, Fabric
Redis
Download the config file from the official site and place it at /opt/redis/conf/redis.conf
Adjust bind 127.0.0.1 as needed and add requirepass xxxx to set a password; other settings include daemonize no, port 6379, logfile /logs/redis.log, dir /data
```bash
docker run -p 6379:6379 --name some-redis \
  -v /opt/redis/data:/data \
  -v /opt/redis/conf/redis.conf:/usr/local/etc/redis/redis.conf \
  -d redis redis-server /usr/local/etc/redis/redis.conf --appendonly yes
```
Ansible
```bash
# Installation
sudo apt-get install ansible
sudo yum install ansible
pip install ansible
# Config file: /etc/ansible/ansible.cfg
# Managed hosts: /etc/ansible/hosts
# Example directory layout when organising a large task with roles
sudo mkdir -p /etc/ansible/roles/curl/{files,templates,tasks,handlers,vars,defaults,meta}
```
Distributed file storage: GlusterFS, CephFS
ipvsadm
```bash
# Install
yum -y install ipvsadm
apt-get install ipvsadm
# Examples
ipvsadm -A -t 10.10.0.1:80 -s rr                 # manage virtual services: ipvsadm -A|-E|-D|-C|-R|-S|-Z
ipvsadm -a -t 10.10.0.3:80 -r 192.168.10.8 -m    # manage the real servers of a virtual service: ipvsadm -a|-e|-d|-p
ipvsadm -l                                       # list
```
Example:
Director: external IP 172.16.1.1, internal IP 172.16.168.100, with ipvsadm installed
Real server 1: internal IP 172.16.168.101, running Nginx
Real server 2: internal IP 172.16.168.102, running Nginx
Example lvs-nat.sh script:
```bash
#!/bin/bash
# Enable IP forwarding on the director:
echo 1 > /proc/sys/net/ipv4/ip_forward
# Disable ICMP redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
# NAT firewall rules on the director
iptables -t nat -F
iptables -t nat -X
iptables -t nat -A POSTROUTING -s 172.16.168.0/24 -j MASQUERADE
# Path to ipvsadm
IPVSADM='/sbin/ipvsadm'
# Clear all rules
$IPVSADM -C
# Add the virtual service: 300-second persistence timeout, round-robin (rr) scheduling
$IPVSADM -A -t 172.16.1.1:80 -s rr -p 300
# Add the real servers
$IPVSADM -a -t 172.16.1.1:80 -r 172.16.168.101:80 -m -w 1
$IPVSADM -a -t 172.16.1.1:80 -r 172.16.168.102:80 -m -w 1
```
nmtui: text-based UI for configuring network interfaces and gateways
Nginx
```nginx
upstream upstream.example.com {
    fair;   # requires the upstream_fair module; other algorithms include ip_hash
    server 172.17.1.1:80;
    server 172.17.1.2:8080 down;
    server 172.17.1.3:9999 max_fails=3 fail_timeout=20s max_conns=1000;
    server 172.17.1.4:2333 backup;
}
```
Docker container engine
```bash
ls -l /proc/$$/ns   # show a process's namespaces
# Install the Edge release
curl -fsSL get.docker.com -o get-docker.sh
sh get-docker.sh
# Enable experimental features
vi /etc/docker/daemon.json
{
  "experimental": true
}
docker save hello-world > hello.tar   # save an image to a file
docker history hello-world            # show an image's history
docker pull      # pull an image; options: -a, --disable-content-trust=false
docker inspect   # show image details
docker build     # build an image: -c CPU shares; -f choose the Dockerfile; -m memory limit; -q suppress build output; -t tag the image
docker commit    # commit a container as an image: -a author; -c apply Dockerfile instructions; -m commit message; -p pause the container during commit
docker save -o xxx.tar xxx   # export an image; docker save xxx > xxx.tar also works
docker load -i xxx.tar       # import an image; docker load < xxx.tar also works
docker rmi $(docker images -q -f dangling=true)   # remove all dangling (untagged) images
docker rmi $(docker images -q)                    # remove all images
docker rm $(docker ps -a -q)   # remove all stopped containers; -v also removes volumes, -f forces, -l removes only the link
```
Dockerfile
Each instruction creates an image layer, so group related commands in one instruction, using a backslash \ to join them
- Parser directives, e.g.
  ```dockerfile
  # escape=`
  ```
- FROM
  ```dockerfile
  FROM <imageName:tag>
  ```
- MAINTAINER
  ```dockerfile
  MAINTAINER Name <Email>   # deprecated
  ```
- RUN
  ```dockerfile
  RUN echo Hello World                # shell form
  RUN ["program", "arg 1", "arg2"]    # exec form
  ```
- ENV
  ```dockerfile
  ENV <key> <value>
  ENV <key>=<value>
  ```
  Used as $variable or ${variable}; can be overridden with docker run --env <key>=<value>
  - ${variable:-password}: if variable is not set, use password
  - ${variable:+password}: if variable is set, use password, otherwise the empty string
- ARG
  Same effect as docker build --build-arg <varname>=<value>; unlike ENV, an ARG is gone once the image is built
  ```dockerfile
  ARG <name>[=<default value>]
  ```
- COPY
  ```dockerfile
  COPY /Local/Path/File /Images/Path/File
  ```
- ADD
  Like COPY, but it can download from a URL and unpack archives; all else being equal the image ends up larger than with COPY
  ```dockerfile
  ADD file /Images/Path/File
  ADD latest.tar.gz /var/www
  ```
- EXPOSE
  ```dockerfile
  EXPOSE <port> [<port>...]
  ```
- CMD
  A Dockerfile allows only one CMD; if several are given, only the last one takes effect. It can be overridden by docker run
  ```dockerfile
  CMD ["executable", "param1", "param2"]
  CMD command param1 param2
  ```
- ENTRYPOINT
  Not normally overridden by docker run, but docker run --entrypoint resets the default ENTRYPOINT
  ```dockerfile
  ENTRYPOINT <command> <param1> <param2>
  ENTRYPOINT ["<executable>", "<param1>", "<param2>"]
  ```
- VOLUME
  docker run -v /local:/Image…
  ```dockerfile
  VOLUME ["/data", "/data2"]
  VOLUME /data
  ```
- USER
  Can be overridden with docker run -u
  ```dockerfile
  USER user
  USER user:group
  USER uid:gid
  ```
- WORKDIR
  Sets the working directory for RUN, CMD and ENTRYPOINT
  ```dockerfile
  WORKDIR /a
  WORKDIR b
  WORKDIR c
  # later paths are relative to earlier ones; the final directory above is /a/b/c
  ```
- ONBUILD
  ONBUILD runs in child images that reference this image through FROM
- LABEL
  Adds metadata to the image. Each LABEL produces a layer, so prefer a single LABEL, e.g.:
  ```dockerfile
  LABEL multi.label1="value1" multi.label2="value2" ...
  # or
  LABEL multi.label1="value1" \
        multi.label2="value2" \
        ...
  ```
- STOPSIGNAL
  Customizes the signal sent by docker stop
  ```dockerfile
  STOPSIGNAL SIGKILL
  ```
- HEALTHCHECK
  A child image can disable the check with HEALTHCHECK NONE
  ```dockerfile
  HEALTHCHECK --interval=5m --timeout=3s \
    CMD curl -f http://localhost/ || exit 1
  ```
- SHELL
  Changes the shell used for shell-form instructions
  ```dockerfile
  SHELL ["powershell", "-command"]
  ```
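To tie the points above together, here is an added Python linter (not from the original notes) that parses a Dockerfile, joining backslash-continued lines as the opening paragraph suggests, and reports the issues discussed: an unpinned FROM, the deprecated MAINTAINER, ADD used where COPY would do, multiple CMD instructions (only the last takes effect), no non-root USER, and no HEALTHCHECK. Its expand() function implements the ${variable:-word} and ${variable:+word} rules from the ENV section. The sample Dockerfile is constructed for the demo.

```python
"""Lint a Dockerfile against the points made in the notes above.

Added example, not part of the original notes. It joins backslash-continued
lines, then reports: FROM without a pinned tag, deprecated MAINTAINER, ADD
where COPY would do, more than one CMD (only the last takes effect), no
non-root USER, and no HEALTHCHECK. expand() implements the ${var:-word}
and ${var:+word} rules described under ENV. SAMPLE_DOCKERFILE is constructed.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_DOCKERFILE = """\
FROM nginx:latest
MAINTAINER Alice <alice@example.invalid>
ENV APP_HOME=/app
RUN apt-get update && \\
    apt-get install -y curl
ADD ./conf/nginx.conf /etc/nginx/nginx.conf
ADD https://example.invalid/latest.tar.gz /var/www
CMD ["nginx"]
CMD ["nginx", "-g", "daemon off;"]
"""

# Archive types ADD unpacks on its own; anything else is a plain copy.
ARCHIVE_RE = re.compile(r"\.(tar|tar\.gz|tgz|tar\.bz2|tar\.xz)$")


def parse_instructions(text: str) -> List[Tuple[str, str]]:
    """Split a Dockerfile into (INSTRUCTION, arguments), joining lines ending in a backslash."""
    instrs: List[Tuple[str, str]] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not buf and (not line.strip() or line.lstrip().startswith("#")):
            continue                              # skip blanks and comments
        if line.endswith("\\"):
            buf += line[:-1] + " "                # continuation: keep collecting
            continue
        full = (buf + line).strip()
        buf = ""
        word, _, args = full.partition(" ")
        instrs.append((word.upper(), " ".join(args.split())))
    return instrs


def lint(instrs: List[Tuple[str, str]]) -> List[str]:
    """Return one finding per problem the notes warn about."""
    findings: List[str] = []
    names = [n for n, _ in instrs]
    for name, args in instrs:
        if name == "FROM":
            image = next(a for a in args.split() if not a.startswith("--"))
            ref = image.rsplit("/", 1)[-1]        # strip registry/namespace
            if ("@" not in ref and ":" not in ref) or ref.endswith(":latest"):
                findings.append(f"FROM {image}: pin a specific tag or digest")
        elif name == "MAINTAINER":
            findings.append("MAINTAINER is deprecated; use LABEL maintainer=...")
        elif name == "ADD":
            src = args.split()[0]
            if not src.startswith(("http://", "https://")) and not ARCHIVE_RE.search(src):
                findings.append(f"ADD {src}: not a URL or archive, prefer COPY")
    if names.count("CMD") > 1:
        findings.append(f"{names.count('CMD')} CMD instructions; only the last one takes effect")
    user = next((a for n, a in reversed(instrs) if n == "USER"), None)
    if user is None or user.split(":")[0] in ("root", "0"):
        findings.append("no non-root USER: the container's processes run as root")
    if "HEALTHCHECK" not in names:
        findings.append("no HEALTHCHECK: the engine cannot tell a hung service from a healthy one")
    return findings


VAR_RE = re.compile(
    r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([-+])([^}]*))?\}"   # ${v}, ${v:-w}, ${v:+w}
    r"|\$([A-Za-z_][A-Za-z0-9_]*)"                          # $v
)


def expand(value: str, env: Dict[str, str]) -> str:
    """Substitute variables following the ENV rules above ("set" means present in env)."""
    def sub(m):
        if m.group(4):
            return env.get(m.group(4), "")
        name, op, word = m.group(1), m.group(2), m.group(3)
        if op == "-":                       # ${v:-word}: word if v is not set
            return env[name] if name in env else word
        if op == "+":                       # ${v:+word}: word if v is set, else ""
            return word if name in env else ""
        return env.get(name, "")
    return VAR_RE.sub(sub, value)


if __name__ == "__main__":
    for issue in lint(parse_instructions(SAMPLE_DOCKERFILE)):
        print("-", issue)
    print(expand("${variable:-password}", {}), expand("${variable:+password}", {}))
```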
Registry mirror for China
```
# /etc/docker/daemon.json
# %programdata%\docker\config\daemon.json
{
  "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]
}
```
Running your own registry mirror
```bash
docker run -d -p 5000:5000 \
  -e STANDALONE=false \
  -e MIRROR_SOURCE=https://registry-1.docker.io \
  -e MIRROR_SOURCE_INDEX=https://index.docker.io \
  registry
```
Running a private registry
```bash
docker run -d -p 5000:5000 --restart=always --name registry registry:2
```
Both of the above can be given a data volume with -v
Container management commands
Command | Description |
---|---|
attach | Attach to a running container |
cp | Copy files or directories from a container to the host filesystem, or write them to STDOUT |
create | Create a new container |
diff | Inspect changes to a container's filesystem |
events | Get real-time events from the Docker server |
exec | Run a command inside a running container |
export | Export a container's filesystem as an archive |
kill | Kill a running container |
logs | Fetch a container's logs |
pause | Pause all processes in a container |
port | Show a container's port mappings |
ps | List containers |
rename | Rename a container |
restart | Restart a container |
rm | Remove one or more containers |
run | Run a new container |
start | Start one or more stopped containers |
stats | Show live resource usage of containers |
stop | Stop a running container |
top | Show the processes running inside a container |
unpause | Resume all processes in a container |
update | Update the configuration of one or more containers |
wait | Block until a container stops, then print its exit code |
Show volumes not attached to any container
```bash
docker volume ls -f dangling=true
```
Volume plugins: well-known ones include Flocker, Convoy, GlusterFS, Keywhiz and REX-Ray
Docker plugins
```bash
docker plugin install xxx
docker plugin ls
```
Storage drivers supported by Docker
Technology | Storage driver name |
---|---|
OverlayFS | overlay or overlay2 |
AUFS | aufs |
Btrfs | btrfs |
Device Mapper | devicemapper |
VFS | vfs |
ZFS | zfs |
```bash
dockerd --storage-driver=devicemapper   # set the storage driver
docker info                             # check it
```
Container networking
```bash
docker port xxx                                                    # show port mappings
docker network create -d bridge --subnet 172.25.0.0/16 demo_net    # create a custom network
docker network connect demo_net container1                         # attach a container to it
docker network inspect demo_net                                    # inspect the custom network
docker run --network=demo_net --ip=172.25.x.x ...                  # choose network and IP address when creating a container
# To expose the daemon over TCP, change ExecStart=/usr/bin/dockerd ... in
# /usr/lib/systemd/system/docker.service or /lib/systemd/system/docker.service to:
ExecStart=/usr/bin/dockerd ... -H tcp://0.0.0.0:2345
```
Container orchestration
Installing Docker Compose
```bash
curl -L https://github.com/docker/compose/releases/download/1.26.0-rc2/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
# install with pip
sudo pip install -U docker-compose
# avoid exposing the password in the shell
docker run -e PASSWORD=$(cat pass.txt)
docker-compose config -q   # validate the config; prints nothing if the syntax is fine
```
docker-compose.yml example
```yaml
version: "3"
services:
  web:
    image: username/repository:tag
    deploy:
      replicas: 5
      resources:
        limits:
          cpus: "0.1"
          memory: 50M
      restart_policy:
        condition: on-failure
    ports:
      - "80:80"
    networks:
      - webnet
networks:
  webnet:
```
WordPress example
```yaml
version: '3'
services:
  db:
    image: mysql:5.7
    volumes:
      - "./.data/db:/var/lib/mysql"
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: wordpress
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: wordpress
  wordpress:
    depends_on:
      - db
    image: wordpress:latest
    links:
      - db
    ports:
      - "8000:80"
    restart: always
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_PASSWORD: wordpress
# Start it with: docker-compose up -d
```
Docker cluster management
Docker Swarm commands
Command | Description |
---|---|
docker swarm init | Initialize a swarm |
docker swarm join | Join a swarm, as a worker or a manager node |
docker swarm join-token | Manage join tokens |
docker swarm leave | Leave the current swarm |
docker swarm unlock | Unlock the swarm |
docker swarm unlock-key | Manage the swarm unlock key |
docker swarm update | Update the swarm |
Node management commands
Command | Description |
---|---|
docker node demote | Demote one or more managers to worker nodes |
docker node inspect | Show detailed information about a node |
docker node ls | List all nodes in the swarm |
docker node promote | Promote worker nodes to managers |
docker node ps | List the running tasks on one or more nodes, defaulting to the current node |
docker node rm | Remove one or more nodes |
docker node update | Update a node |
Docker Stack subcommands
Command | Description |
---|---|
docker stack deploy | Deploy a new stack or update an existing one |
docker stack ls | List all stacks |
docker stack ps | List the tasks of a stack |
docker stack rm | Remove a stack |
docker stack services | List the services of a stack |
Cluster setup example
Installing Docker Machine
Install VirtualBox (CentOS 7 as the example)
```bash
sudo yum install kernel-devel kernel-headers make patch gcc -y
sudo wget https://download.virtualbox.org/virtualbox/rpm/el/virtualbox.repo -P /etc/yum.repos.d
sudo yum install VirtualBox-6.1 -y   # use yum list | grep VirtualBox to see the installable versions
systemctl status vboxdrv             # check status
```
Faster mirror for China: https://mirror.tuna.tsinghua.edu.cn/help/virtualbox/
Note: if the kernel version does not match and you have to install a kernel (yum install kernel), remember to reboot
```bash
curl -L https://github.com/docker/machine/releases/download/v0.16.2/docker-machine-`uname -s`-`uname -m` > /tmp/docker-machine \
  && chmod +x /tmp/docker-machine \
  && sudo cp /tmp/docker-machine /usr/local/bin/docker-machine
```
```bash
docker-machine create --driver virtualbox manager1   # create the manager node (192.168.99.100:2376)
docker-machine env manager1                          # show the VM's environment variables and other details
docker-machine create --driver virtualbox worker1    # create a worker node (192.168.99.102:2376)
docker-machine ssh manager1 docker swarm init --listen-addr 192.168.99.100:2377 --advertise-addr 192.168.99.100   # initialize Docker Swarm; join worker1 with the command it prints
docker-machine ssh worker1 docker swarm join --token SWMTKN-1-xxx 192.168.99.100:2377   # paste in your own token
docker-machine ssh manager1 docker node ls            # list nodes
# Create manager2, worker2 and worker3 the same way and join worker2 and worker3 to the swarm
docker-machine ssh manager1 docker swarm join-token manager   # get the token for joining as a manager
docker-machine ssh manager2 docker swarm join --token SWMTKN-1-xxx 192.168.99.100:2377
```
Cluster management panels
Shipyard
```bash
curl -sSL https://shipyard-project.com/deploy | TLS_CERT_PATH=$(pwd) bash -s
```
Portainer
```bash
docker run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer
```
Docker ecosystem
Docker Machine
Container orchestration and scheduling: Marathon+Mesos, Swarm+Compose, Kubernetes
Cluster management panel: Rancher
1.x focuses on container orchestration, 2.x on cluster management
https://rancher.com/docs/rancher/latest/zh/
https://rancher.com/docs/rancher/v2.x/en/
```bash
sudo docker run -d --restart=unless-stopped --name rc -p 8080:8080 rancher/server
# rancher 2
sudo docker run -d --privileged --name=rancher --restart=unless-stopped -p 8080:80 -p 8443:443 -v /home/xxx/rancher:/var/lib/rancher rancher/rancher:stable
# To add an agent using a LAN IP, set the environment variable -e CATTLE_AGENT_IP=xxx.xxx.xxx.xxx
```
Error when pulling from a private registry: repository does not exist or may require ‘docker login’: denied: requested access to the resource is denied
```bash
sudo docker login ...
sudo cp ~/.docker/config.json /var/lib/kubelet/config.json
```
Schedulers: Nomad, DC/OS
Service discovery: etcd, consul, zookeeper, crypt, confd
Private image registry
```bash
docker run -d -p 5000:5000 -v /data/registry-conf/:/registry-conf -e DOCKER_REGISTRY_CONF=/registry-conf/config.yml --restart=always --name registry registry:2
# push
docker tag nginx:alpine localhost:5000/library/nginx:alpine
docker push localhost:5000/library/nginx:alpine
# pull
docker pull localhost:5000/library/nginx:alpine
# remove the local copy first: docker rmi localhost:5000/library/nginx:alpine
# start with a config file
docker run -d -p 5000:5000 --restart=always --name registry -v $(pwd)/config.yml:/etc/docker/registry/config.yml registry:2
```
Example config.yml
```yaml
version: 0.1
log:
  level: debug
storage:
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: localhost:5000
  secret: xxxxxx
  debug:
    addr: localhost:5001
proxy:
  remoteurl: https://registry-1.docker.io
  username: [username]
  password: [password]
```
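The WordPress compose file earlier and the registry config.yml above both carry credentials as literal YAML values. As an added example (not from the original notes), the Python script below scans such files line by line for secret-looking keys with literal values and rewrites them to ${VAR} references, returning the values separately so they can be moved into a .env file (mode 0600) or a Docker secret. The two samples are constructed from those two files; the scanner is deliberately line-based so it needs no YAML library.

```python
"""Find credentials written literally into compose and registry configs.

Added example, not part of the original notes. It scans YAML line by line
for keys that look like secrets (password, secret, token, ...) holding a
literal value, and rewrites them to ${VAR} references so the values can move
to a .env file or a Docker secret. The samples are constructed from the
WordPress compose file and the registry config.yml shown in the notes.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_COMPOSE = """\
version: '3'
services:
  db:
    image: mysql:5.7
    environment:
      MYSQL_ROOT_PASSWORD: wordpress
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: wordpress
  wordpress:
    environment:
      - WORDPRESS_DB_HOST=db:3306
      - WORDPRESS_DB_PASSWORD=wordpress
      - API_TOKEN=${API_TOKEN}
"""

SAMPLE_REGISTRY = """\
http:
  addr: localhost:5000
  secret: xxxxxx
proxy:
  remoteurl: https://registry-1.docker.io
  username: [username]
  password: [password]
"""

SECRET_KEY_RE = re.compile(r"password|passwd|secret|token|api_key", re.I)
# Matches "  KEY: value", "  - KEY=value" and "  key: value" (scalar values only).
LINE_RE = re.compile(r"^(\s*(?:-\s*)?([A-Za-z_][A-Za-z0-9_.]*)\s*[:=]\s*)(.*?)\s*$")


def find_literal_secrets(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, key, value) for secret-like keys with literal values."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw.split("#", 1)[0])
        if not m:
            continue
        key, value = m.group(2), m.group(3).strip("'\"")
        if not SECRET_KEY_RE.search(key) or not value:
            continue
        if value.startswith("${") or value.startswith("/run/secrets/"):
            continue                       # already externalized
        hits.append((n, key, value))
    return hits


def externalize(text: str) -> Tuple[str, Dict[str, str]]:
    """Replace literal secrets with ${VAR}; return the new text and the VAR -> value map."""
    by_line = {n: (k, v) for n, k, v in find_literal_secrets(text)}
    out: List[str] = []
    env: Dict[str, str] = {}
    for n, raw in enumerate(text.splitlines(), 1):
        if n in by_line:
            key, value = by_line[n]
            var = re.sub(r"[^A-Z0-9_]", "_", key.upper())   # a valid env var name
            env[var] = value
            prefix = LINE_RE.match(raw).group(1)             # everything up to the value
            raw = f"{prefix}${{{var}}}"
        out.append(raw)
    return "\n".join(out) + "\n", env


if __name__ == "__main__":
    for n, key, _ in find_literal_secrets(SAMPLE_COMPOSE) + find_literal_secrets(SAMPLE_REGISTRY):
        print(f"line {n}: {key} has a literal value")
    rewritten, env = externalize(SAMPLE_COMPOSE)
    print(rewritten)
    print("move to .env:", sorted(env))
```

For the registry, the same values can also be supplied through its environment overrides (REGISTRY_HTTP_SECRET, REGISTRY_PROXY_PASSWORD) instead of a rewritten config.yml.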
VMware Harbor: enterprise private registry
SUSE Portus: front end and authentication layer for the registry
Daemon security
```bash
dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376   # start the daemon
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2376 version          # connect as a client
```
Full setup: https://docs.docker.com/engine/security/https/
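The -H tcp://0.0.0.0:2345 line in the container-network section and the --tlsverify flags above are two ways of configuring the same daemon, so it is worth checking both places. The following Python script is an added example (not from the original notes or from Docker's tooling): it parses listener and TLS settings out of a systemd ExecStart line and out of daemon.json, and reports TCP listeners that accept connections without client-certificate verification. Both inputs are constructed; the daemon.json keys used (hosts, tlsverify, tlscacert, tlscert, tlskey) are the ones Docker documents.

```python
"""Report how the Docker daemon is exposed on the network.

Added example, not part of the original notes. It pulls -H/--host listeners
and the --tlsverify flag out of a systemd ExecStart line, and the "hosts" and
"tlsverify" keys out of daemon.json, then lists TCP listeners that are
reachable without client certificate checks. Both inputs are constructed;
the ExecStart line mirrors the one shown in the container-network section.
"""
import json
import shlex
from typing import Dict, List

SAMPLE_EXECSTART = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2345"

SAMPLE_DAEMON_JSON = """\
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""


def parse_execstart(line: str) -> Dict[str, object]:
    """Extract listener URLs and the tlsverify flag from a dockerd command line."""
    cmd = line.split("=", 1)[1] if line.startswith("ExecStart=") else line
    argv = shlex.split(cmd)
    hosts: List[str] = []
    tlsverify = False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])          # "-H value" form
            i += 2
            continue
        if arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])  # "-H=value" form
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return {"hosts": hosts, "tlsverify": tlsverify}


def parse_daemon_json(text: str) -> Dict[str, object]:
    """Read the same two settings from daemon.json."""
    cfg = json.loads(text)
    return {"hosts": list(cfg.get("hosts", [])),
            "tlsverify": bool(cfg.get("tlsverify", False))}


def assess(config: Dict[str, object]) -> List[str]:
    """One finding per TCP listener that is unauthenticated or bound too widely."""
    findings: List[str] = []
    for host in config["hosts"]:
        if not host.startswith("tcp://"):
            continue                           # unix:// and fd:// stay on the host
        bind, _, _port = host[len("tcp://"):].rpartition(":")
        if not config["tlsverify"]:
            findings.append(f"{host}: TCP listener without --tlsverify; "
                            "anyone who can reach the port controls the host")
        elif bind in ("", "0.0.0.0", "[::]"):
            findings.append(f"{host}: TLS client auth is on, but bound to all interfaces; "
                            "bind to a management address or firewall the port")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_execstart(SAMPLE_EXECSTART)):
        print("ExecStart:", finding)
    for finding in assess(parse_daemon_json(SAMPLE_DAEMON_JSON)):
        print("daemon.json:", finding)
```

Feed it the real ExecStart line from docker.service and the contents of /etc/docker/daemon.json. Docker refuses to start when hosts is set both in daemon.json and with -H on the command line, so normally only one of the two sources carries the listener list.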
Docker security tools
- Docker Slim
- Imagelayers: image analysis tool
- Clair
Monitoring and logging
- cAdvisor
  ```bash
  docker run -d --name=cadvisor -v /:/rootfs:ro -v /var/run:/var/run:rw -v /sys:/sys:ro -v /var/lib/docker/:/var/lib/docker:ro -p 8080:8080 google/cadvisor:latest
  ```
- Logspout: log handling
- Grafana: data visualization
- Commercial monitoring tools
  - Scout
  - Datadog
Docker-based PaaS platforms
Docker continuous integration
- Drone: lightweight CI tool
- Travis CI
Other tools
- Watchtower: detects container image changes and restarts containers with the new image automatically
- Docker-gc: automatically cleans up unneeded containers and images
- Rocker: extends the capabilities of the Dockerfile
A curated list of Docker ecosystem projects: https://github.com/veggiemonk/awesome-docker
Docker API: https://docs.docker.com/engine/api/sdk/
Kubernetes basics
Master components
- APIServer
- Scheduler
- Controller Manager
- etcd
Node components
- Kubelet
- Kube-proxy
- runtime
Pods: standalone pods and controller-managed pods
- ReplicationController, ReplicaSet, Deployment
- HPA (Horizontal Pod Autoscaling)
- StatefulSet
- DaemonSet
- Job, CronJob
Networking: Flannel
Common commands
```bash
netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'   # count connections by state
ps -ef | grep 'shutting down' | awk '{print $2}' | xargs kill -9         # kill applications stuck shutting down
cat /proc/sys/net/ipv4/tcp_fin_timeout
# vi /etc/sysctl.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
# apply the settings
sysctl -p
sysctl -a | grep nf_conntrack_max
# recommended size: CONNTRACK_MAX = RAMSIZE (in bytes) / 16384 / (ARCH / 32)
# x86_64 with 8 GB RAM: 8*1024^3/16384/2 = 262144
# configure
sudo sysctl -w net.netfilter.nf_conntrack_max=262144
sudo sysctl -w net.nf_conntrack_max=262144
# kill the processes holding CLOSE_WAIT connections involving port 8080
netstat -anp | grep ':8080' | grep CLOSE_WAIT | awk '{print $7}' | cut -d \/ -f1 | grep -oE "[[:digit:]]{1,}" | xargs kill
# GOARCH
dpkg --print-architecture
CGO_ENABLED=0 GOOS=linux GOARCH=arm go build -o build/webserver main.go
docker run --rm -it golang:1.15.10-alpine3.13 go env
docker run --rm -it \
  -v /home/alan/web:/app \
  -v /home/alan/gopath:/go \
  -w /app/src \
  -e CGO_ENABLED=0 \
  -e GOPROXY=https://goproxy.cn \
  golang:1.15.10-alpine3.13 \
  go build -o ../webserver main.go
# stop all containers
docker stop $(docker ps -a -q)
# disable SELinux
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
# disable swap
swapoff -a
```
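Three of the commands above (the netstat | awk state count, the grep/awk/cut pipeline that feeds kill, and the CONNTRACK_MAX formula) are easier to reason about in code. The following Python is an added example, not from the original notes: it reproduces the state count and the PID extraction over constructed netstat -anp output and computes the conntrack sizing. One caveat it makes visible: grep ':8080' matches the foreign address column as well, so the original pipeline also picks up local client processes connected to port 8080 on other hosts; the local_only flag restricts the match to the local side.

```python
"""Connection-state accounting and conntrack sizing from the commands above.

Added example, not part of the original notes. count_states() does what the
netstat | awk one-liner does, close_wait_pids() does what the grep/awk/cut
pipeline does before it reaches kill, and conntrack_max() applies the sizing
formula from the sysctl comments. SAMPLE_NETSTAT is constructed netstat -anp
output.
"""
import re
from typing import Dict, List

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1234/java
tcp        0      0 10.0.0.5:8080           10.0.0.9:51000          ESTABLISHED 1234/java
tcp        0      0 10.0.0.5:8080           10.0.0.9:51001          CLOSE_WAIT  1234/java
tcp        0      0 10.0.0.5:8080           10.0.0.9:51002          CLOSE_WAIT  1234/java
tcp        0      0 10.0.0.5:22             10.0.0.7:40000          ESTABLISHED 800/sshd
tcp        0      0 10.0.0.5:33000          10.0.0.8:8080           CLOSE_WAIT  2222/python3
tcp        0      0 10.0.0.5:33001          10.0.0.8:443            TIME_WAIT   -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           500/dhclient
"""


def count_states(output: str) -> Dict[str, int]:
    """Count TCP connections per state (the awk '/^tcp/ {++S[$NF]}' idea)."""
    counts: Dict[str, int] = {}
    for line in output.splitlines():
        fields = line.split()
        if not line.startswith("tcp") or len(fields) < 6:
            continue
        state = fields[5]                  # with -n and without -p this is $NF
        counts[state] = counts.get(state, 0) + 1
    return counts


def close_wait_pids(output: str, port: int, local_only: bool = False) -> List[int]:
    """PIDs owning CLOSE_WAIT sockets that involve :port (mirrors the grep pipeline)."""
    pids = set()
    needle = f":{port}"
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CLOSE_WAIT":
            continue
        local, foreign = fields[3], fields[4]
        # grep ':8080' matches either column; local_only narrows it to the listener side
        if local_only:
            matched = local.endswith(needle)
        else:
            matched = needle in local or needle in foreign
        if not matched:
            continue
        m = re.match(r"(\d+)/", fields[6])  # "1234/java" -> 1234; "-" has no PID
        if m:
            pids.add(int(m.group(1)))
    return sorted(pids)


def conntrack_max(ram_bytes: int, arch_bits: int) -> int:
    """CONNTRACK_MAX = RAMSIZE / 16384 / (ARCH / 32), as in the sysctl notes."""
    return ram_bytes // 16384 // (arch_bits // 32)


if __name__ == "__main__":
    print(count_states(SAMPLE_NETSTAT))
    print("CLOSE_WAIT pids on :8080 (either side):", close_wait_pids(SAMPLE_NETSTAT, 8080))
    print("CLOSE_WAIT pids on :8080 (local side):", close_wait_pids(SAMPLE_NETSTAT, 8080, local_only=True))
    print("nf_conntrack_max for 8 GB x86_64:", conntrack_max(8 * 1024**3, 64))
```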
Kubernetes production-grade practice guide, from deployment to core applications: https://gitee.com/pa/kubernetes-ha-kubeadm-private
FAQ
1. Permission problems when running MySQL in Docker
```bash
# look up the users and groups in the image
docker run -it --rm --entrypoint="/bin/bash" mysql:5.7 -c "cat /etc/group"
# then chown the mapped directories (logs etc.) accordingly
```
2. Can't find gotests in GOPATH
```bash
go get github.com/cweill/gotests/...
```