Found 69 results for "docker"
2017-04-18
Building an NTP Server with Docker

In day-to-day work we may need an NTP time server on the internal network to synchronize clocks, so it is worth having a Docker-based time server ready. Why it is deployed with Docker is not covered here.

Quick deployment

```
curl -Lk https://raw.githubusercontent.com/LinuxEA-Mark/docker-ntp/master/create_ntp.sh|bash
```

Dockerfile

The image still uses centos as its base and installs ntp directly with yum, then downloads the configuration file and start script from the GitHub repository.

```
FROM centos
MAINTAINER www.linuxea.com mark
RUN yum install ntp curl -y && rm -rf /etc/ntp.conf \
 #&& curl -Lks4 https://raw.githubusercontent.com/LinuxEA-Mark/docker-ntp/master/ntp.conf -o /etc/ntp.conf \
 && curl -Lks4 https://raw.githubusercontent.com/LinuxEA-Mark/docker-ntp/master/start.sh -o /start.sh && mkdir /data \
 && yum clean all && chmod +x /start.sh
ENTRYPOINT ["/start.sh"]
```

Start script: if ntp.conf does not exist, download it and start ntpd; if it exists, just start ntpd each time.

```
#!/bin/bash
directory="/data/ntp.conf"
if [ "$(ls $directory)" ]; then
    # Config already present on the mounted volume: start ntpd in the foreground
    /usr/sbin/ntpd -c /data/ntp.conf -p /tmp/ntpd.pid -d
else
    # First start: fetch the default config, then start ntpd
    curl -Lks4 https://raw.githubusercontent.com/LinuxEA-Mark/docker-ntp/master/ntp.conf -o /data/ntp.conf
    /usr/sbin/ntpd -c /data/ntp.conf -p /tmp/ntpd.pid -d
fi
```

ntp.conf

In the conf file, pay attention to `restrict 10.10.0.0 mask 255.0.0.0 nomodify notrap`; the IP here is the IP that is allowed.

```
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
#restrict default nomodify
#restrict 210.72.145.44
#restrict 133.100.11.8
restrict 127.0.0.1
restrict -6 ::1
restrict 10.10.0.0 mask 255.0.0.0 nomodify notrap
server 2.cn.pool.ntp.org prefer
server 1.cn.pool.ntp.org
#driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
logfile /data/ntp.log
```

docker-compose

The data directory is mounted; it holds the log file and the configuration file. To keep things simple the path is the same inside the container.

```
version: '2'
services:
  ntp:
    build:
      context: https://raw.githubusercontent.com/LinuxEA-Mark/docker-ntp/master/Dockerfile
    container_name: ntp
    restart: always
    privileged: true
    network_mode: "host"
    volumes:
      - /data/docker/ntp:/data
```

The log is as follows:
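The `restrict ... mask ...` line discussed in the NTP post, as an added example that is not part of the original post: it computes the network each IPv4 restrict line actually covers, assuming ordinary netmask semantics (the address is ANDed with the mask). The function names are hypothetical and the last sample line is constructed for comparison.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: a client matches a
# restrict entry when (client AND mask) equals (address AND mask).

# Dotted quad -> 32-bit integer on stdout; non-zero exit on malformed input.
ip_to_int() (
    set -f; IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|????*|0?*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask integer -> prefix length; fails when the mask bits are not contiguous.
mask_to_prefix() (
    m=$1 n=0
    while [ $(( m & 2147483648 )) -ne 0 ]; do
        n=$(( n + 1 ))
        m=$(( (m << 1) & 4294967295 ))
    done
    [ "$m" -eq 0 ] || exit 1
    echo "$n"
)

# Print "<status> <network>/<prefix>" for one address/mask pair.
# "exact":    the address has no bits outside the mask.
# "hostbits": it does, so the rule covers more than the address suggests.
effective_net() (
    a=$(ip_to_int "$1") || exit 2
    m=$(ip_to_int "$2") || exit 2
    p=$(mask_to_prefix "$m") || exit 2
    net=$(( a & m ))
    if [ "$net" -eq "$a" ]; then s=exact; else s=hostbits; fi
    echo "$s $(int_to_ip "$net")/$p"
)

# Read an ntp.conf on stdin and report every "restrict A mask M" line.
audit_ntp_conf() {
    while read -r kw addr f3 mask rest; do
        [ "$kw" = restrict ] && [ "$f3" = mask ] || continue
        r=$(effective_net "$addr" "$mask") || r="invalid -"
        echo "$addr mask $mask => $r"
    done
}

# Constructed sample: the first three lines are taken from the post's
# ntp.conf, the last one is added here as the /16 form for comparison.
SAMPLE_CONF='restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 10.10.0.0 mask 255.0.0.0 nomodify notrap
restrict 10.10.0.0 mask 255.255.0.0 nomodify notrap'

printf '%s\n' "$SAMPLE_CONF" | audit_ntp_conf
```

A `hostbits` result means the entry admits the whole masked network, so the post's line allows every 10.x.x.x client rather than only 10.10.x.x.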
2017-01-09
docker: Quick Deployment and Use of the Portus v2.1 Image Registry

1. Introduction

Installing Portus. Portus and Harbor are both open-source Registry servers. Official site: http://port.us.org/

Quick deployment of the docker-harbor 0.5.0 image registry: http://www.linuxea.com/1547.html

1. Clone the git repository

```
[root@linuxea.com /data]# git clone https://github.com/SUSE/Portus.git
正克隆到 'Portus'...
remote: Counting objects: 18528, done.
remote: Total 18528 (delta 0), reused 0 (delta 0), pack-reused 18528
接收对象中: 100% (18528/18528), 21.80 MiB | 104.00 KiB/s, done.
```

Downloads are slow from within China, so the images can be fetched first. The docker-compose file uses library/mariadb:10.0.23 and library/registry:2.3.1, which can be pulled manually beforehand.

2. Start the installation

```
[root@linuxea.com /data/Portus]# ./compose-setup.sh -f -e 10.57.57.57
###########
# WARNING #
###########

This deployment method is intended for testing/development purposes.
To deploy Portus on production please take a look at: http://port.us.org/documentation.html

The setup will destroy the containers used by Portus, removing also their volumes.
No stopped containers
Creating portus_db_1
Creating portus_crono_1
Creating portus_web_1
Creating portus_registry_1
Waiting for mariadb to be ready in 5 seconds
Portus: configuring database... failed, will retry
Waiting for mariadb to be ready in 5 seconds
Portus: configuring database... [SUCCESS]

###################
#     SUCCESS     #
###################

Make sure port 3000 and 5000 are open on host 10.57.57.57

Open http://10.57.57.57:3000 with your browser and perform the following steps:

  1. Create an admin account
  2. You will be redirected to a page where you have to register the registry. In this form:
    - Choose a custom name for the registry.
    - Enter 10.57.57.57:5000 as the hostname.
    - Do *not* check the "Use SSL" checkbox, since this setup is not using SSL.

Perform the following actions on the docker hosts that need to interact with your registry:

  - Ensure the docker daemon is started with the '--insecure-registry 10.57.57.57:5000'
  - Perform the docker login.

To authenticate against your registry using the docker cli do:

  $ docker login -u <portus username> -p <password> -e <email> 10.57.57.57:5000

To push an image to the private registry:

  $ docker pull busybox
  $ docker tag busybox 10.57.57.57:5000/<username>/busybox
  $ docker push 10.57.57.57:5000/<username>/busybox

[root@linuxea.com /data/Portus]#
```

3. Add the iptables rule

```
[root@linuxea.com /data/Portus]# iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp -m multiport --dports 3000,5000 -m comment --comment "Portus" -j ACCEPT
```

Four containers are now running:

```
[root@linuxea.com /data/Portus]# docker ps -a
CONTAINER ID   IMAGE                     COMMAND                  CREATED          STATUS         PORTS                              NAMES
181713ebf12a   library/registry:2.3.1    "/bin/registry /etc/d"   31 minutes ago   Up 3 minutes   0.0.0.0:5000-5001->5000-5001/tcp   portus_registry_1
4613cb2b2ee7   portus_web                "bin/crono"              31 minutes ago   Up 3 minutes   3000/tcp                           portus_crono_1
c8bdba50f542   portus_web                "puma -b tcp://0.0.0."   31 minutes ago   Up 3 minutes   0.0.0.0:3000->3000/tcp             portus_web_1
0a989947a943   library/mariadb:10.0.23   "/docker-entrypoint.s"   31 minutes ago   Up 3 minutes   3306/tcp                           portus_db_1
```

2. Create the administrator account

1. Open ip:port. By default the first account registered becomes the administrator!

3. Upload an image

1. Push an image under the admin user

```
[root@linuxea.com /data/Portus]# docker tag alpine 10.57.57.57:5000/admin/alpine
[root@linuxea.com /data/Portus]# docker push 10.57.57.57:5000/admin/alpine
The push refers to a repository [10.57.57.57:5000/admin/alpine]
7cbcbac42c44: Pushed
latest: digest: sha256:a4104316f43c73146f1c0af4747d88047a808e58238bcad6506a7fbbf3b30b90 size: 528
[root@linuxea.com /data/Portus]#
```

4. Create a group

Create teams and add them to namespaces. After creating the ops team, create a namespace named nginx (that is, a project) and add ops to the namespace. Then upload an nginx image to the nginx project:

```
[root@linuxea.com /data/Portus]# docker tag nginx:1.11.5 10.57.57.57:5000/nginx/nginx:1.11.5
[root@linuxea.com /data/Portus]# docker push 10.57.57.57:5000/nginx/nginx:1.11.5
The push refers to a repository [10.57.57.57:5000/nginx/nginx]
3f117c44afbb: Pushed
c4a8b7411af4: Pushed
fe4c16cbf7a4: Pushed
1.11.5: digest: sha256:9038d5645fa5fcca445d12e1b8979c87f46ca42cfb17beb1e5e093785991a639 size: 948
```

Already uploaded to

5. Verification

Create a regular user and check its permissions.

1. Create the user.

2. Add linuxea to nginx.

3. Test the regular user's permissions:

```
[root@linuxea.com ~]# echo '{ "insecure-registries":["10.57.57.57:5000"] }' > /etc/docker/daemon.json
[root@linuxea.com ~]# systemctl restart docker
[root@linuxea.com ~]# docker login -u linuxea -p 12345678 10.57.57.57:5000
Login Succeeded
[root@linuxea.com ~]# docker pull 10.57.57.57:5000/nginx/nginx:1.11.5
1.11.5: Pulling from nginx/nginx
386a066cd84a: Pull complete
7bdb4b002d7f: Pull complete
49b006ddea70: Pull complete
Digest: sha256:9038d5645fa5fcca445d12e1b8979c87f46ca42cfb17beb1e5e093785991a639
Status: Downloaded newer image for 10.57.57.57:5000/nginx/nginx:1.11.5
```

4. The regular user tries to upload: unauthorized: authentication required

```
[root@linuxea.com ~]# docker tag mariadb:10.0.23 10.57.57.57:5000/nginx/mariadb:10.0.23
[root@linuxea.com ~]# docker push 10.57.57.57:5000/nginx/mariadb:10.0.23
The push refers to a repository [10.57.57.57:5000/nginx/mariadb]
5f70bf18a086: Preparing
5f70bf18a086: Preparing
978a35efaa8c: Preparing
494fda86ea11: Preparing
577a7512a96d: Preparing
1f5651eebf56: Waiting
38b6325acdbb: Waiting
1fd270dc6ea8: Waiting
c2bf450a065b: Waiting
ddef881aeaff: Waiting
unauthorized: authentication required
```
2017-01-09
docker: Quick Deployment of the Harbor 0.5.0 Image Registry

1. Environment preparation

Portus and Harbor are both open-source Registry servers. For Portus, see: docker: Quick Deployment and Use of the Portus v2.1 Image Registry, http://www.linuxea.com/1547.html

There is also the Docker Registry provided by GitLab 8.8.0, which works very well; see https://about.gitlab.com/2016/05/23/gitlab-container-registry/

Requirements: CentOS 7.2.1511, Python 2.7 or later, Docker engine 1.10 or later, and docker compose 1.6.0 or later.

Harbor installation guide: https://github.com/vmware/harbor/blob/master/docs/installation_guide.md
Harbor downloads: https://github.com/vmware/harbor/releases
VMware (OVA) installation guide: https://github.com/vmware/harbor/blob/master/docs/installation_guide_ova.md

The installer comes as an offline package, an online package, and source.

Online installer: https://github.com/vmware/harbor/releases/download/0.5.0/harbor-online-installer-0.5.0.tgz
Offline installer: https://github.com/vmware/harbor/releases/download/0.5.0/harbor-offline-installer-0.5.0.tgz
Source code: https://github.com/vmware/harbor/archive/0.5.0.tar.gz

2. Configuration parameters

In harbor.cfg, set hostname = your domain name.

The configuration parameters are in the file harbor.cfg and are described below. Note that at the very least you need to change the hostname attribute.

hostname: The target host's hostname, used to access the UI and the registry service. It should be the IP address or the fully qualified domain name (FQDN) of the target machine, for example 192.168.1.10 or reg.yourdomain.com. Do not use localhost or 127.0.0.1 as the hostname; the registry service needs to be reachable by external clients!

ui_url_protocol: (http or https, default http) The protocol used to access the UI and the token/notification service. By default this is http. To set up HTTPS, see Configuring Harbor with HTTPS Access.

Email settings: Harbor needs these parameters to be able to send a "password reset" email to users; they are only necessary if that feature is needed. Also note that by default the SSL connection is not enabled. If your SMTP server requires SSL but does not support STARTTLS, enable SSL by setting email_ssl = true.

```
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
```

harbor_admin_password: The administrator's initial password. This password only takes effect the first time Harbor is launched. After that the setting is ignored and the administrator's password should be set in the UI. Note that the default username/password are admin/Harbor12345.

auth_mode: The type of authentication used. By default it is db_auth, meaning credentials are stored in a database. For LDAP authentication, set this to ldap_auth.

ldap_url: The LDAP endpoint URL (for example ldaps://ldap.mydomain.com). Only used when auth_mode is set to ldap_auth.

ldap_searchdn: The DN of a user who has permission to search the LDAP/AD server (for example uid=admin,ou=people,dc=mydomain,dc=com).

ldap_search_pwd: The password of the user specified by ldap_searchdn.

ldap_basedn: The base DN to look up users in, for example ou=people,dc=mydomain,dc=com. Only used when auth_mode is set to ldap_auth.

ldap_filter: The search filter for looking up users, for example (objectClass=person).

ldap_uid: The attribute used to match a user during an LDAP search; it can be uid, cn, email or another attribute.

ldap_scope: The scope to search for users: 1 - LDAP_SCOPE_BASE, 2 - LDAP_SCOPE_ONELEVEL, 3 - LDAP_SCOPE_SUBTREE. The default is 3.

db_password: The root password of the MySQL database used for db_auth. Change this password for any production use!

self_registration: (on or off, default on) Enables or disables the ability of users to register themselves. When disabled, new users can only be created by the admin user; only the admin user can create new users in Harbor. Note: when auth_mode is set to ldap_auth, self-registration is always disabled and this flag is ignored.

use_compressed_js: (on or off, default on) For production use, turn this flag on. In development mode, set it to off so that the JS files can be modified individually.

max_job_workers: (default 3) The maximum number of replication workers in the job service. For every image replication job, a worker synchronizes all tags of a repository to the remote destination. Increasing this number allows more concurrent replication jobs in the system. However, since each worker consumes a certain amount of network/CPU/IO resources, choose the value carefully based on the host's hardware resources.

token_expiration: The expiration time (in minutes) of a token created by the token service; the default is 30 minutes.

verify_remote_cert: (on or off, default on) This flag determines whether to verify the SSL/TLS certificate when Harbor communicates with a remote registry instance. Setting it to off bypasses SSL/TLS verification, which is typically used when the remote instance has a self-signed or untrusted certificate.

customize_crt: (on or off, default on) When this attribute is on, the prepare script creates a private key and a root certificate for generating/verifying the registry's token. The following attributes are used as parameters for generating the key: crt_country, crt_state, crt_location, crt_organization, crt_organizationalunit, crt_commonname, crt_email. When the attribute is set to off, the key and root certificate are supplied by an external source. See Customize Key and Certificate of Harbor Token Service for more information.

3. Start the installation

```
[root@linuxea.com ~]# yum install openssl openssl-devel
[root@linuxea.com ~]# mkdir -p /data/cert && cd /data/cert/
[root@linuxea.com /data/cert/]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt -subj "/C=CN/L=London/O=Company Ltd/CN=nginx-docker"
[root@linuxea.com /data/cert/]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout linuxea.reg.com.key -out server.csr -subj "/C=CN/L=London/O=Company Ltd/CN=linuxea.reg.com"
[root@linuxea.com /data/cert/]# openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out linuxea.reg.com.crt
[root@linuxea.com /data/cert/]# cd ..
```

Download Harbor 0.5.0

Harbor git address: https://github.com/vmware/harbor/releases

Offline installer:

```
[root@linuxea.com /data/]# wget -c https://github.com/vmware/harbor/releases/download/0.5.0/harbor-offline-installer-0.5.0.tgz
```

Online installer:

```
[root@linuxea.com /data/]# wget -c https://github.com/vmware/harbor/releases/download/0.5.0/harbor-online-installer-0.5.0.tgz
```

Edit the configuration file:

```
[root@linuxea.com /data/]# cd harbor
[root@linuxea.com /data/harbor/]# sed -i 's/ui_url_protocol = http/ui_url_protocol = https/' harbor.cfg
[root@linuxea.com /data/harbor/]# sed -i 's/hostname = reg.mydomain.com/hostname = linuxea.reg.com/' harbor.cfg
[root@linuxea.com /data/harbor/]# sed -i 's@ssl_cert = /data/cert/server.crt@ssl_cert = /data/cert/linuxea.reg.com.crt@g' harbor.cfg
[root@linuxea.com /data/harbor/]# sed -i 's@ssl_cert_key = /data/cert/server.key@ssl_cert_key = /data/cert/linuxea.reg.com.key@g' harbor.cfg
[root@DS-VM-Node49 /data/harbor]# ./prepare
loaded secret key
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/ui/app.conf
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/private_key.pem
Generated configuration file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
```

Running ./install.sh invokes docker-compose, which pulls the images from Docker Hub. If the connection to Docker Hub is slow, use the offline installer.

```
[root@linuxea.com /data/harbor]# ./install.sh

[Step 0]: checking installation environment ...

Note: docker version: 1.12.3

Note: docker-compose version: 1.8.0

[Step 1]: preparing environment ...
loaded secret key
Clearing the configuration file: ./common/config/jobservice/app.conf
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/nginx/cert/linuxea.reg.com.crt
Clearing the configuration file: ./common/config/nginx/cert/linuxea.reg.com.key
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/ui/app.conf
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/private_key.pem
Generated configuration file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.

[Step 2]: checking existing instance of Harbor ...

[Step 3]: starting Harbor ...
Creating network "harbor_default" with the default driver
Pulling log (vmware/harbor-log:0.5.0)...
0.5.0: Pulling from vmware/harbor-log
93b3dcee11d6: Pull complete
5c14e4bdfb0b: Pull complete
e4dee8a574ca: Pull complete
64897311fadc: Pull complete
9b18f82d0181: Pull complete
Digest: sha256:81db268fa32ed35274f88f0e9f6e8c8fe36fdfe3247a7c75cef3d526814755ad
Status: Downloaded newer image for vmware/harbor-log:0.5.0
Pulling ui (vmware/harbor-ui:0.5.0)...
0.5.0: Pulling from vmware/harbor-ui
a91de92f52f5: Pull complete
341612b46e3b: Pull complete
c1a53f812656: Pull complete
9a9aa413559a: Pull complete
e1b377650dfc: Pull complete
be5517028022: Pull complete
726f4e0b4799: Pull complete
08639f4ec97a: Pull complete
Digest: sha256:677776af19c774f665565486ef0ec3ab37e55c6738a471942e3ea841b3e1821c
Status: Downloaded newer image for vmware/harbor-ui:0.5.0
Pulling mysql (vmware/harbor-db:0.5.0)...
0.5.0: Pulling from vmware/harbor-db
43c265008fae: Pull complete
d7abd54d3b34: Pull complete
92b527830a1b: Pull complete
44839710d611: Pull complete
3828a16bed5c: Pull complete
fb91763f6b4e: Pull complete
892bfb27c685: Pull complete
02874ec7a2dc: Pull complete
861c1296cc0d: Pull complete
d611998d5598: Pull complete
09037dc5a941: Pull complete
448973dd2180: Pull complete
c0a51ede01de: Pull complete
54c4b53ba168: Pull complete
Digest: sha256:4bc45566b8aab9288e76ac8a36e604aecf05ba9b25e22f5a9cd5e9686978b78b
Status: Downloaded newer image for vmware/harbor-db:0.5.0
Pulling jobservice (vmware/harbor-jobservice:0.5.0)...
0.5.0: Pulling from vmware/harbor-jobservice
93b3dcee11d6: Already exists
cdeb4de41efe: Pull complete
ce3594a70659: Pull complete
Digest: sha256:9c2d927f6e59fafcc930a5f738d713bde7d101cecd4e110a570a7b499d69ff68
Status: Downloaded newer image for vmware/harbor-jobservice:0.5.0
Pulling registry (library/registry:2.5.0)...
2.5.0: Pulling from library/registry
2ee5ed28ffa7: Pull complete
d1562c23a8aa: Pull complete
06ba8e23299f: Pull complete
802d2a9c64e8: Pull complete
Digest: sha256:1b68f0d54837c356e353efb04472bc0c9a60ae1c8178c9ce076b01d2930bcc5d
Status: Downloaded newer image for registry:2.5.0
Pulling proxy (nginx:1.11.5)...
1.11.5: Pulling from library/nginx
386a066cd84a: Pull complete
7bdb4b002d7f: Pull complete
49b006ddea70: Pull complete
Digest: sha256:9038d5645fa5fcca445d12e1b8979c87f46ca42cfb17beb1e5e093785991a639
Status: Downloaded newer image for nginx:1.11.5
Creating harbor-log
Creating harbor-ui
Creating registry
Creating harbor-db
Creating harbor-jobservice
Creating nginx

ERROR: for proxy  Cannot create container for service proxy: Conflict. The name "/nginx" is already in use by container b88cbd48d16a3e52c77b24763bb241063ed2fb94eca467308f7fab31a1fbd403. You have to remove (or rename) that container to be able to reuse that name.
ERROR: Encountered errors while bringing up the project.
[root@linuxea.com /data/harbor]#
```

The error at the end says the container already exists. Remove the old nginx container and run ./install.sh again:

```
[root@linuxea.com /data/harbor]# docker rm nginx
nginx
[root@linuxea.com /data/harbor]# ./install.sh

[Step 0]: checking installation environment ...

Note: docker version: 1.12.3

Note: docker-compose version: 1.8.0

[Step 1]: preparing environment ...
loaded secret key
Clearing the configuration file: ./common/config/jobservice/app.conf
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/nginx/cert/linuxea.reg.com.crt
Clearing the configuration file: ./common/config/nginx/cert/linuxea.reg.com.key
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/ui/app.conf
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/private_key.pem
Generated configuration file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.

[Step 2]: checking existing instance of Harbor ...

Note: stopping existing Harbor instance ...
Stopping harbor-jobservice ... done
Stopping harbor-db ... done
Stopping registry ... done
Stopping harbor-ui ... done
Stopping harbor-log ... done
Removing harbor-jobservice ... done
Removing harbor-db ... done
Removing registry ... done
Removing harbor-ui ... done
Removing harbor-log ... done
Removing network harbor_default

[Step 3]: starting Harbor ...
Creating network "harbor_default" with the default driver
Creating harbor-log
Creating harbor-db
Creating harbor-ui
Creating registry
Creating harbor-jobservice
Creating nginx

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at https://linuxea.reg.com.
For more details, please visit https://github.com/vmware/harbor .

[root@linuxea.com /data/harbor]#
```

3.1 Web login and project creation

Log in with admin / Harbor12345 and create a project.

4. push

Try to log in:

```
[root@linuxea.com /data/harbor]# docker login -u admin -p Harbor12345 linuxea.reg.com
Error response from daemon: Get https://linuxea.reg.com/v1/users/: x509: certificate signed by unknown authority
```

The fix for x509: certificate signed by unknown authority is as follows:

```
[root@linuxea.com /data/harbor]# mkdir -p /etc/docker/certs.d/linuxea.reg.com
[root@linuxea.com /data/harbor]# cp /data/cert/ca.crt /etc/docker/certs.d/linuxea.reg.com
[root@linuxea.com /data/harbor]# docker login -u admin -p Harbor12345 linuxea.reg.com
Login Succeeded
[root@linuxea.com /data/harbor]#
```

Tag and upload:

```
[root@DS-VM-Node57 /data/harbor]# docker tag kep linuxea.reg.com/linuxea/keepalived
[root@DS-VM-Node57 /data/harbor]# docker push linuxea.reg.com/linuxea/keepalived
The push refers to a repository [linuxea.reg.com/linuxea/keepalived]
78c3ec04b8b3: Pushed
7cbcbac42c44: Pushed
latest: digest: sha256:f0382263e44b1d9fc7233f44b6cd92652f9fecf8e44dfd55ec49c05fed553ffb size: 739
[root@DS-VM-Node57 /data/harbor]# docker tag docker_nginx linuxea.reg.com/linuxea/nginx:1.11
[root@DS-VM-Node57 /data/harbor]# docker push linuxea.reg.com/linuxea/nginx
The push refers to a repository [linuxea.reg.com/linuxea/nginx]
ab0f3282dd72: Pushed
dbe4e1a4c160: Pushed
93d40cd73394: Pushed
4fe15f8d0ae6: Pushed
1.11: digest: sha256:6d7bc5796fe8d1259459762eb8423f34d1a6bf48b1617c6d6f0b58e4194e19df size: 1158
[root@DS-VM-Node57 /data/harbor]#
```

View:

5. pull

Pull from a different machine.

1. The machine first has to trust Harbor's CA. Create the path, then transfer the CA over from the Harbor host:

```
[root@LinuxEA-COM /data/harbor/cert]# mkdir -p /etc/docker/certs.d/linuxea.reg.com
```

2. On the Harbor host, copy the CA to the machine that will pull:

```
[root@LinuxEA-COM /data/harbor]# scp /data/cert/ca.crt 10.0.1.49:/etc/docker/certs.d/linuxea.reg.com
The authenticity of host '10.0.1.49 (10.0.1.49)' can't be established.
ECDSA key fingerprint is 0b:26:0a:e4:1f:04:b5:71:64:a3:0f:e6:e7:11:ee:b0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.49' (ECDSA) to the list of known hosts.
root@10.0.1.49's password:
ca.crt                                        100% 1935     1.9KB/s   00:00
```

3. Non-public projects require a login; public projects do not:

```
[root@LinuxEA-COM /data/harbor/cert]# docker login -u admin -p Harbor12345 linuxea.reg.com
WARNING: Error loading config file:/root/.docker/config.json - EOF
Login Succeeded
```

4. Start the pull:

```
[root@LinuxEA-COM /data/harbor/cert]# docker pull linuxea.reg.com/linuxea/nginx:1.11
1.11: Pulling from linuxea/nginx
e110a4a17941: Already exists
a91b6045bb20: Already exists
8e1413698bdb: Pull complete
Digest: sha256:6d7bc5796fe8d1259459762eb8423f34d1a6bf48b1617c6d6f0b58e4194e19df
Status: Downloaded newer image for linuxea.reg.com/linuxea/nginx:1.11
```

5. View:

```
[root@LinuxEA-COM /data/harbor/cert]# docker images
REPOSITORY                      TAG      IMAGE ID       CREATED       SIZE
linuxea.reg.com/linuxea/nginx   1.11     7543cf287f61   9 days ago    231.2 MB
10.0.1.49/keepalived            latest   7bf39df0e969   5 days ago    11.73 MB
keepalived_keepalived           latest   7bf39df0e969   5 days ago    11.73 MB
haproxy_haproxy                 latest   a3e7eec9950f   6 days ago    282.8 MB
10.0.1.49:5000/nginx_83f8645    latest   7c2b1677f82e   8 days ago    225.5 MB
10.0.1.49/nginx_83f8645         latest   7c2b1677f82e   8 days ago    225.5 MB
10.0.1.49:5000/nginx_3d56146    latest   7e8691bb5e6c   8 days ago    225.5 MB
10.0.1.49:5000/nginx_c98a1b2    latest   659dfd0f871c   8 days ago    225.5 MB
10.0.1.49:5000/nginx_03fef24    latest   0a289aac1bdc   9 days ago    225.5 MB
10.0.1.49:5000/nginx_b2cbed8    latest   f0a1b955313c   9 days ago    225.5 MB
10.0.1.49:5000/nginx_eb5b609    latest   e4f7adaf8eab   9 days ago    225.5 MB
10.0.1.49:5000/nginx_40629bd    latest   3408138f55e5   9 days ago    225.5 MB
10.0.1.49:5000/nginx_9c104e3    latest   743caf8e9447   9 days ago    225.5 MB
registry                        latest   182810e6ba8c   12 days ago   37.62 MB
docker_svb1.9.4                 latest   331d234e3bbd   13 days ago   14.46 MB
tomcat_tomcat                   latest   eda0380486d8   2 weeks ago   728.7 MB
jenkins                         latest   f61635651954   2 weeks ago   714.2 MB
docker_php-fpm                  latest   ded2b5ca5aaa   3 weeks ago   796 MB
[root@LinuxEA-COM /data/harbor/cert]#
```

Fix for unauthorized: authentication required: this normally does not happen once the project has been created in the web UI. If it does, add the following to /data/harbor/common/config/nginx/nginx.conf:

```
proxy_set_header X-Forwarded-Proto https;
```
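The certificate steps from the Harbor post, as an added example that is not part of the original post or of Harbor: it issues the same private CA and server certificate but adds a subjectAltName (Docker clients built with Go 1.15 or later no longer accept a certificate that carries the host name only in the CN), and it copies the CA into certs.d only after the server certificate verifies against it. The function names, the `san.ext` file and the optional key-size and certs.d arguments are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the original post or the Harbor project.

# issue_registry_cert DIR HOST [BITS]
# Creates ca.key/ca.crt and HOST.key/HOST.crt in DIR using the subject fields
# from the post; BITS defaults to the post's 4096.
issue_registry_cert() (
    dir=$1 host=$2 bits=${3:-4096}
    umask 077                      # private keys readable by the owner only
    mkdir -p "$dir" && cd "$dir" || exit 1
    openssl req -newkey "rsa:$bits" -nodes -sha256 -keyout ca.key -x509 \
        -days 365 -out ca.crt \
        -subj "/C=CN/L=London/O=Company Ltd/CN=nginx-docker" 2>/dev/null || exit 1
    openssl req -newkey "rsa:$bits" -nodes -sha256 -keyout "$host.key" \
        -out server.csr \
        -subj "/C=CN/L=London/O=Company Ltd/CN=$host" 2>/dev/null || exit 1
    # The host name goes into subjectAltName, which is what clients check.
    printf 'subjectAltName = DNS:%s\n' "$host" > san.ext
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out "$host.crt" -extfile san.ext 2>/dev/null || exit 1
)

# verify_registry_cert CA_FILE CERT_FILE HOST
# Succeeds only if CERT_FILE chains to CA_FILE and lists HOST as a DNS SAN.
verify_registry_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text 2>/dev/null \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "DNS:$3"
}

# trust_registry_ca CA_FILE CERT_FILE HOST [CERTS_D]
# Installs the CA for HOST the way the post does, but refuses when the
# server certificate does not verify. CERTS_D defaults to /etc/docker/certs.d.
trust_registry_ca() {
    if ! verify_registry_cert "$1" "$2" "$3"; then
        echo "refusing: $2 does not verify against $1 for $3" >&2
        return 1
    fi
    dest=${4:-/etc/docker/certs.d}/$3
    mkdir -p "$dest" && cp "$1" "$dest/ca.crt"
}

# When called with arguments: ./registry-cert.sh /data/cert linuxea.reg.com
if [ "$#" -ge 2 ]; then
    issue_registry_cert "$1" "$2" \
        && trust_registry_ca "$1/ca.crt" "$1/$2.crt" "$2"
fi
```

On the machine that only pulls, `trust_registry_ca` can be run against the copied ca.crt and a copy of the server certificate, so a CA file that does not match the registry is rejected before Docker is told to trust it.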
2017-01-04
An Approach to Building keepalived with Docker

Preparation

The image is based on alpine. We need to add an apk repository and install with apk add:

```
[root@linuxea-com ~]# echo "http://nl.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories
[root@linuxea-com ~]# apk --update -t add keepalived curl iproute2
```

Dockerfile reference: https://raw.githubusercontent.com/LinuxEA-Mark/Docker-keepalived/master/Dockerfile

In the run script, when keepalived is started, tail is used as a foreground process to keep the container up.

Master configuration file:

```
[root@linuxea-com ~]# cat keeplived.conf
! Configuration File for keepalived
global_defs {
   router_id LVS_DEVEL_1
}
#vrrp_script chk_nginx_service {
#    script "/root/check.sh"
#    interval 3
#    weight -50
#    fall 3
#    rise 2
#    user keepalived
#}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.1.50/8
    }
}
```

Backup configuration file:

```
[root@linuxea-com ~]# cat keeplived.conf
! Configuration File for keepalived
global_defs {
   router_id LVS_DEVEL_2
}
#vrrp_script chk_nginx_service {
#    script "/root/check.sh"
#    interval 3
#    weight -50
#    fall 3
#    rise 2
#    user keepalived
#}
vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.1.50/8
    }
}
```

Split-brain detection: a single keepalived inside a container has no good way to detect split-brain, so we can write a scheduled task that runs once a minute. The script is as follows:

```
[root@linuxea-com ~]# cat 1.sh
#!/bin/bash
# If the expected listeners on ports 1180 and 8765 are not all present,
# remove the keepalived container and release the virtual IP.
if [ "$(ss -tlnp|grep -e 1180|wc -l)" -ne '1' ]||[ "$(ss -tlnp|grep -E 8765|wc -l)" -ne '2' ]; then
    docker rm -f keepalived1.3.2
    ip addr del 10.0.1.50/8 dev eth0
fi
```

Install script:

```
[root@linuxea-com ~]# curl -Lks4 https://raw.githubusercontent.com/LinuxEA-Mark/Docker-keepalived/master/create_docker-keepalived.sh |bash
```
2016-12-31
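jenkins + gitlab + docker: A Quick Deploy, Release and Rollback Example

This chapter briefly introduces releasing and rolling back with docker + jenkins + gitlab. Compared with git + jenkins in the previous article (http://www.linuxea.com/1537.html), Docker has been added. With Docker, release and rollback become very simple: the container image is built once and stored in the Docker registry, a release only has to pull the image from the registry and run it, and a rollback works the same way. Its backup can also be packed directly into a tar.gz archive, unpacked on another machine, and restored once the Docker application is deployed there.

I. Local registry

1.1 See the article on setting up a local Docker registry on this site: "Docker本地仓库简单使用" (simple use of a local Docker registry).

1.2 Install:

```
docker run -d -p 5000:5000 registry
```

Two containers are now running:

```
[root@linuxea-com ~]# docker ps -a
CONTAINER ID   IMAGE      COMMAND                  CREATED         STATUS         PORTS                    NAMES
ebe95cb71671   registry   "/entrypoint.sh /etc/"   2 minutes ago   Up 2 minutes   0.0.0.0:5000->5000/tcp   tender_wright
ca797ad15342   centos     "bash"                   20 hours ago    Up 20 hours                             test
[root@linuxea-com ~]#
```

II. Build a Docker nginx image

First build an nginx base image; it only needs to expose the logs. Once that is built, write another Dockerfile: pull the code locally with git pull, COPY the local code into the container, then build the image and push it to the local registry. It can then be fetched from remote hosts with docker pull. Each build is tagged with the version number taken from git reflog, and a rollback uses that tagged version number as well. As shown in the figure below:

The Dockerfile for the Docker base image and the Dockerfile for the code build are stored on GitHub and can be used directly.

```
#!/bin/bash
#########################################################################
# File Name: jc.sh
# Author: www.linuxea.com
# Email: usertzc@gmail.com
# Version:
# Created Time: Saturday, 31 December 2016, 16:15:16
#########################################################################
wwwp=/wwwroot/docker
mkdir -p $wwwp
# Fetch the base-image Dockerfile, build it, then remove it
curl -Lks4 https://raw.githubusercontent.com/LinuxEA-Mark/jenkins_gitlab/master/Dockerfile -o $wwwp/Dockerfile
cd $wwwp && docker build -t nginx . && rm -rf Dockerfile
# Fetch the Dockerfile used for the code build
curl -Lks4 https://raw.githubusercontent.com/LinuxEA-Mark/jenkins_gitlab/master/jenkins/Dockerfile -o $wwwp/Dockerfile
```

Download a script:

```
[root@linuxea-com ~]# curl -Lks4 https://raw.githubusercontent.com/LinuxEA-Mark/jenkins_gitlab_Docker/master/docker_fabu.sh -o /wwwroot/docker/docker_fabu.sh
[root@linuxea-com ~]# chmod +x /wwwroot/docker/docker_fabu.sh
[root@linuxea-com ~]# chown jenkins.jenkins /wwwroot/docker/docker_fabu.sh
```

The script is ultimately run by jenkins, so Defaults requiretty has to be commented out in the sudoers file (the file visudo edits) and command permissions added for jenkins, as follows:

```
[root@linuxea-com ~]# sed -i '/requiretty /s/^/#&/' /etc/sudoers
[root@linuxea-com ~]# echo 'jenkins ALL = (root)NOPASSWD:/usr/bin/docker,(root)NOPASSWD:/usr/local/bin/docker-compose,(root)NOPASSWD:/bin/rm,(root)NOPASSWD:/bin/cp,(ALL)NOPASSWD:/usr/bin/git' >> /etc/sudoers
```

In the wwwroot directory, clone the code once:

```
[root@linuxea-com /wwwroot]# git clone git@10.0.1.61:root/docker_test.git
正克隆到 'docker_test'...
remote: Counting objects: 6, done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 6 (delta 0), reused 0 (delta 0)
接收对象中: 100% (6/6), done.
```

III. Jenkins build

This is almost the same as before: create a freestyle project. For details see "git+jenkins发布和回滚示例" (git + jenkins release and rollback example).

Link jenkins with gitlab!

Point this at the location where the script is stored.

You can follow the steps in the previous article; this chapter only switches to Docker and adds a Docker registry, nothing else has changed: "git+jenkins发布和回滚示例".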
2016-12-27
Building subversion 1.9.4 with Docker

GitHub address: https://github.com/LinuxEA-Mark/docker-subversion1.9.4

One-command install:

```
curl -Lks4 https://raw.githubusercontent.com/LinuxEA-Mark/docker-subversion1.9.4/master/docker-create-svn.sh |bash
```

Dockerfile

The Dockerfile is very simple: it installs the packages and creates the directory. The initialization script is placed under / when the image is built and is executed at start-up.

```
FROM alpine
MAINTAINER mark www.linuxea.com
ENV SPA /data/docker/svn
RUN apk add --update subversion curl \
 && rm /var/cache/apk/* \
 && mkdir $SPA -p \
 && curl -Lks4 https://raw.githubusercontent.com/LinuxEA-Mark/docker-subversion1.9.4/master/initialization.sh -o /initialization.sh \
 && chmod +x /initialization.sh
ENTRYPOINT ["/initialization.sh"]
```

initialization

The initialization script checks at start-up whether the directory is empty and, if it is, runs the initialization. Note that the directory has already been mounted before start-up.

```
#!/bin/sh
#########################################################################
# File Name: initialization.sh
# Author: mark www.linuxea.com
# Email: usertzc@gmail.com
# Version:
# Created Time: Monday, 26 December 2016, 14:03:46
#########################################################################
SPA=/data/docker/svn
if [ "$(ls -A $SPA)" ];then
    # Repository already exists: start svnserve, keep a foreground process
    svnserve -d -r /data/docker/svn && tail -f /etc/passwd
else
    # First start: create the repository and enable password/authz files
    svnadmin create $SPA
    sed -i 's/# anon-access = read/anon-access = none/g' $SPA/conf/svnserve.conf &&
    sed -i 's/# password-db = passwd/password-db = passwd/g' $SPA/conf/svnserve.conf &&
    sed -i 's/# auth-access = write/auth-access = write/g' $SPA/conf/svnserve.conf &&
    sed -i 's/# realm = My First Repository/realm = web1/g' $SPA/conf/svnserve.conf &&
    sed -i 's/# authz-db = authz/authz-db = authz/g' $SPA/conf/svnserve.conf &&
    echo linuxea=mark >> $SPA/conf/passwd &&
    curl -Lks4 https://raw.githubusercontent.com/LinuxEA-Mark/docker-subversion1.9.4/master/authz >> $SPA/conf/authz &&
    svnserve -d -r /data/docker/svn && tail -f /etc/passwd
fi
```

docker-compose

```
version: '2'
services:
  svb1.9.4:
    build:
      context: https://raw.githubusercontent.com/LinuxEA-Mark/docker-subversion1.9.4/master/Dockerfile
    container_name: svn
    restart: always
    network_mode: "host"
    volumes:
      - /data/docker/subversion:/data/docker/svn/
```
2016-12-21
Building a Binary MariaDB Environment with Docker

The base image is CentOS, so the image is fairly large; it is suited to quick deployment in a test environment. MariaDB is installed from the binary distribution. The files can also be viewed directly on GitHub: https://github.com/LinuxEA-Mark/docker-mariaDB

One-command MariaDB install:

```
curl -Lks4 https://raw.githubusercontent.com/LinuxEA-Mark/docker-mariaDB/master/docker-mysql-create.sh|bash
```

One-command install of Docker and compose:

```
curl -Lks https://get.docker.com/ | sh
curl -LkO https://github.com/xiaoyawl/docker-shadowsocks_r/raw/master/docker-compose.yml
docker-compose up -d
```

Pay attention to the data directory location inside the container and the mount point, and to the datadir and log locations in my.conf:

```
datadir=/data/mysql/
log_error = /data/logs/mysql/mysql-error.log
```

Next, the start script decides whether to initialise on the first start:

```
#!/bin/bash
# if the /data/data directory doesn't contain anything, then initialise it
directory="/data/mysql"
if [ "$(ls -A $directory)" ]; then
    /usr/local/mysql/bin/mysqld_safe
else
    /usr/local/mysql/scripts/mysql_install_db --user=mysql --datadir=/data/mysql/ --basedir=/usr/local/mysql
    /usr/local/mysql/bin/mysqld --user=mysql --datadir=/data/mysql --basedir=/usr/local/mysql --init-file=/initialization.sql
fi
```

And the first-time initialisation SQL:

```
DELETE FROM mysql.user WHERE User='';
DELETE FROM mysql.db WHERE Db LIKE 'test%';
DROP DATABASE test;
UPDATE mysql.user SET password = password('abc123') WHERE user = 'root';
CREATE DATABASE jumpserver charset='utf8';
GRANT ALL PRIVILEGES ON jumpserver.* To 'jumpserver'@'%' IDENTIFIED BY 'password';
flush privileges;
```
2016-11-16
Deploying a Redis 3.2.5 cluster with Docker

As before, this uses the Alpine image; Redis is the 3.2.5 stable release.

```
[root@LinuxEA redis1]# cat Dockerfile
FROM alpine
MAINTAINER wwww.linuxea.com for mark
RUN apk update \
 && apk --no-cache add curl \
 && curl -sO http://download.redis.io/releases/redis-3.2.5.tar.gz \
 && tar xf redis-3.2.5.tar.gz -C /usr/local/ \
 && rm -rf redis-3.2.5.tar.gz \
 && rm -rf /var/cache/apk/* \
 && cd /usr/local/redis-3.2.5 \
 && apk add --no-cache 'su-exec>=0.2' \
 && apk add --no-cache --virtual .build-deps gcc linux-headers make musl-dev tar \
 && make PREFIX=/usr/local/redis install \
 && apk del .build-deps tar gcc make \
 && cp utils/redis_init_script /etc/init.d/redis \
 && chmod +x /etc/init.d/redis \
 && sed -i 's@EXEC=/usr/local/bin/redis-server@EXEC=/usr/local/redis/bin/redis-server@' /etc/init.d/redis \
 && sed -i 's@CLIEXEC=/usr/local/bin/redis-cli@CLIEXEC=/usr/local/redis/bin/redis-cli@' /etc/init.d/redis \
 && cd /usr/local \
 && rm -rf /var/cache/apk/* /usr/local/redis-3.2.5
EXPOSE 6379/tcp 6380/tcp 16379/tcp 16380/tcp
ENTRYPOINT /usr/local/redis/bin/redis-server /etc/redis/redis.conf
```

First run docker build, then push the image to a registry so the other machines can pull it:

```
docker build -t redis3.2.5 .
docker tag redis3.2.5 10.10.242.23:5000/alpine
docker push 10.10.242.23:5000/alpine
```

For how to use a Docker registry, see the registry setup article on this blog: http://www.linuxea.com/1424.html

Normally six hosts are needed, three masters and three slaves. We use three hosts with two Redis containers each; once the cluster is built, the two Redis instances on one host will not belong to the same master/slave pair.

Configuration file example: we need to change the port number, the IP address, the pid file name and so on. The IP addresses here rely on Docker's host network mode, which makes things much simpler. The topology is as follows:

```
[root@LinuxEA 6379]# egrep -v "^$|^#" redis.conf
bind 10.10.242.23
protected-mode yes
port 6379
tcp-backlog 511
timeout 0
tcp-keepalive 300
daemonize no
supervised no
pidfile /var/run/redis_6379.pid
loglevel notice
logfile /var/log/redis.log
databases 16
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
dir ./
slave-serve-stale-data yes
slave-read-only yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-disable-tcp-nodelay no
slave-priority 100
appendonly yes
appendfilename "appendonly.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
lua-time-limit 5000
cluster-enabled yes
cluster-config-file nodes-6379.conf
cluster-node-timeout 5000
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 0
notify-keyspace-events ""
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
list-max-ziplist-size -2
list-compress-depth 0
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
activerehashing yes
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit slave 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
hz 10
aof-rewrite-incremental-fsync yes
```

After the changes, start the containers on each of the three servers.

10.10.239.194

```
[root@LinuxEA ~]# docker run --name 6381 --network=host -v /root/redis/6381/redis.conf:/etc/redis/redis.conf -d -p 6381:6381 -p 16381:16381 10.10.242.23:5000/alpine
[root@LinuxEA ~]# docker run --name 6382 --network=host -v /root/redis/6382/redis.conf:/etc/redis/redis.conf -d -p 6382:6382 -p 16382:16382 10.10.242.23:5000/alpine
```

10.10.239.185

```
[root@LinuxEA ~]# docker run --name 6383 --network=host -v /root/redis/6383/redis.conf:/etc/redis/redis.conf -d -p 6383:6383 -p 16383:16383 10.10.242.23:5000/alpine
[root@LinuxEA ~]# docker run --name 6384 --network=host -v /root/redis/6384/redis.conf:/etc/redis/redis.conf -d -p 6384:6384 -p 16384:16384 10.10.242.23:5000/alpine
```

10.10.242.23

```
[root@LinuxEA ~]# docker run --name 6379 --network=host -v /root/redis/6379/redis.conf:/etc/redis/redis.conf -d -p 6379:6379 -p 16379:16379 10.10.242.23:5000/alpine
[root@LinuxEA ~]# docker run --name 6380 --network=host -v /root/redis/6380/redis.conf:/etc/redis/redis.conf -d -p 6380:6380 -p 16380:16380 10.10.242.23:5000/alpine
```

We simply add one rule to let the traffic through:

```
iptables -I INPUT -p tcp -j ACCEPT
```

Now we can create the cluster! At this point we are basically done.
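The rule `iptables -I INPUT -p tcp -j ACCEPT` accepts every TCP port on the host, and because the containers run with `--network=host` the Redis ports are filtered by the host's INPUT chain. As an added example (not from the original post), the generator below prints rules that open each client port to the cluster nodes and one application subnet, open the cluster bus port (client port + 10000) to the nodes only, and drop everything else on those ports. The function names and the client subnet `10.10.0.0/16` are assumptions; the node addresses and ports are the ones used in the post.

```shell
#!/bin/sh
# Added example: scope the firewall to the Redis Cluster ports instead of
# accepting all TCP. The commands are printed for review; nothing is applied.

NODES="10.10.239.194 10.10.239.185 10.10.242.23"   # the three hosts in the post
CLIENT_NET="10.10.0.0/16"                          # assumed application subnet

# valid_client_port N: 0 if N is a plain decimal port whose cluster bus port
# (N + 10000) still fits in the 16-bit port range.
valid_client_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 55535 ]
}

# cluster_rules "PEER ..." CLIENT_NET PORT...
# Prints iptables commands for every listed client port on this host.
# Returns 1 without printing anything if a peer or port is malformed.
cluster_rules() {
    cr_peers=$1; cr_clients=$2; shift 2
    [ $# -ge 1 ] || return 1
    for cr_peer in $cr_peers; do
        case "$cr_peer" in
            ''|*[!0-9.]*) echo "bad peer: $cr_peer" >&2; return 1 ;;
        esac
    done
    for cr_port in "$@"; do
        valid_client_port "$cr_port" || { echo "bad port: $cr_port" >&2; return 1; }
    done
    for cr_port in "$@"; do
        cr_bus=$((cr_port + 10000))
        for cr_peer in $cr_peers; do
            # Nodes need both the client port (redirects, resharding) and the bus port (gossip).
            echo "iptables -A INPUT -p tcp -s $cr_peer --dport $cr_port -j ACCEPT"
            echo "iptables -A INPUT -p tcp -s $cr_peer --dport $cr_bus -j ACCEPT"
        done
        # Application clients reach the client port only, never the bus port.
        echo "iptables -A INPUT -p tcp -s $cr_clients --dport $cr_port -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $cr_port -j DROP"
        echo "iptables -A INPUT -p tcp --dport $cr_bus -j DROP"
    done
}

# Rules for 10.10.242.23, which runs the 6379 and 6380 instances.
cluster_rules "$NODES" "$CLIENT_NET" 6379 6380
```

A blanket ACCEPT inserted at the top of INPUT matches first, so delete it (`iptables -D INPUT -p tcp -j ACCEPT`) before relying on these rules.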
2016-11-14
Building LNMP as separate Docker containers to deploy WordPress

OS:

```
[root@LinuxEA lnmp]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
```

mariadb-10.0.27-linux
nginx1.10:1
php5.6.26

Notes

LNMP is split into separate containers on a single Docker host. Before the Dockerfile is built, the /mydata/data data directory has already been placed on the host. When the mysql container is run, /mydata/data is mounted into the container, along with the other log files and configuration files. The datadir must be specified in the configuration file.

mysql Dockerfile

```
[root@LinuxEA mysql]# cat Dockerfile
FROM centos
MAINTAINER wwww.linuxea.com and mark make
RUN yum makecache \
 && yum install libaio -y \
 && curl -sO http://mirrors.ds.com/tar%E5%8C%85/mariadb-10.0.27-linux-x86_64.tar.gz \
 && mv mariadb-10.0.27-linux-x86_64.tar.gz /usr/local \
 && yum clean all \
 && tar xf /usr/local/mariadb-10.0.27-linux-x86_64.tar.gz -C /usr/local/ \
 && rm -rf /usr/local/mariadb-10.0.27-linux-x86_64.tar.gz \
 && groupadd -r -g 306 mysql \
 && useradd -r -g 306 -u 306 mysql \
 && mkdir -p /mydata/data \
 && chown -R mysql.mysql /mydata \
 && chown -R root.mysql /usr/local/mariadb-10.0.27-linux-x86_64 \
 && ln -s /usr/local/mariadb-10.0.27-linux-x86_64 /usr/local/mysql
WORKDIR /usr/local/mysql
RUN scripts/mysql_install_db --user=mysql --datadir=/mydata/data \
 && rm -rf /mydata
ENV PATH /usr/local/mysql/bin:$PATH
EXPOSE 3306
ENTRYPOINT mysqld_safe
```

nginx Dockerfile

The nginx container was covered in earlier posts. The Dockerfile is below; as before, the configuration, log files and site files are kept on the host and mounted into the container.

```
[root@LinuxEA nginx]# cat Dockerfile
FROM marksugar/alpine
MAINTAINER wwww.linuxea.com
RUN addgroup -g 499 -S nginx \
 && adduser -HDu 499 -s /sbin/nologin -g 'web server' -G nginx nginx \
 && cd /usr/local \
 && curl -sO http://nginx.org/download/nginx-1.10.1.tar.gz \
 && tar xf nginx-1.10.1.tar.gz \
 && rm -rf nginx-1.10.1.tar.gz \
 && apk --update --no-cache add geoip geoip-dev pcre libxslt gd openssl-dev \
    pcre-dev zlib-dev build-base linux-headers libxslt-dev gd-dev openssl-dev \
    libstdc++ libgcc patch logrotate supervisor inotify-tools
WORKDIR /usr/local/nginx-1.10.1
RUN ./configure \
    --prefix=/usr/local/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --user=nginx \
    --group=nginx \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/nginx/nginx.pid \
    --lock-path=/var/lock/nginx.lock \
    --with-http_ssl_module \
    --with-http_stub_status_module \
    --with-http_gzip_static_module \
    --with-http_flv_module \
    --with-http_mp4_module \
    --http-client-body-temp-path=/var/tmp/nginx/client \
    --http-proxy-temp-path=/var/tmp/nginx/proxy \
    --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi \
    --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi \
 && make && make install \
 && mkdir -p /var/tmp/nginx/client /var/tmp/nginx/fastcgi /var/tmp/nginx/proxy /var/tmp/nginx/uwsgi \
 && echo "daemon off;" >> /etc/nginx/nginx.conf \
 && apk del wget \
 && rm -rf /usr/local/nginx-1.10.1 \
 && rm -rf /var/cache/apk/* \
 && rm -rf /etc/nginx/nginx.conf
ENV PATH /usr/local/nginx/sbin:$PATH
EXPOSE 80
ENTRYPOINT /usr/local/nginx/sbin/nginx
```

nginx configuration file:

```
[root@LinuxEA nginx]# cat nginx.conf
user nginx nginx;
error_log /data/nginx/wwwlog/error_nginx.log crit;
pid /var/run/nginx.pid;
worker_rlimit_nofile 51200;
events {
    use epoll;
    worker_connections 51200;
}
http {
    include mime.types;
    default_type application/octet-stream;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 50m;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 120;
    server_tokens off;
    tcp_nodelay on;
    # fastcgi_connect_timeout 300;
    # fastcgi_send_timeout 300;
    # fastcgi_read_timeout 300;
    # fastcgi_buffer_size 64k;
    # fastcgi_buffers 4 64k;
    # fastcgi_busy_buffers_size 128k;
    # fastcgi_temp_file_write_size 128k;
    # gzip on;
    # gzip_buffers 16 8k;
    # gzip_comp_level 6;
    # gzip_http_version 1.1;
    # gzip_min_length 256;
    # gzip_proxied any;
    # gzip_vary on;
    # gzip_types
    # text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
    # text/javascript application/javascript application/x-javascript
    # text/x-json application/json application/x-web-app-manifest+json
    # text/css text/plain text/x-component
    # font/opentype application/x-font-ttf application/vnd.ms-fontobject
    # image/x-icon;
    # gzip_disable "msie6";
    # open_file_cache max=1000 inactive=20s;
    # open_file_cache_valid 30s;
    # open_file_cache_min_uses 2;
    # open_file_cache_errors on;
    # log_format access '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" $http_x_forwarded_for';
    # log_format upstream2 '$proxy_add_x_forwarded_for $remote_user [$time_local] "$request" $http_host'
    # '$body_bytes_sent "$http_referer" "$http_user_agent" $ssl_protocol $ssl_cipher'
    # '$request_time [$status] [$upstream_status] [$upstream_response_time] "$upstream_addr"';
    ###########################################################################################
    server {
        listen 80;
        server_name localhost;
        location / {
            root /data/nginx/wwwroot;
            index index.php index.html index.htm;
        }
        # location /nginx_status {
        # stub_status on;
        # access_log off;
        # allow 127.0.0.1;
        # #deny all;
        # }
        location ~ \.php$ {
            root /data/nginx/wwwroot;
            fastcgi_pass phpfpm:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /data/nginx/wwwroot$fastcgi_script_name;
            include fastcgi.conf;
        }
        access_log /data/nginx/wwwlog/www.com.log;
    }
    include vhost/*.conf;
}
daemon off;
[root@LinuxEA nginx]#
```

php-fpm Dockerfile

```
[root@LinuxEA php-fpm]# cat Dockerfile
FROM centos
MAINTAINER wwww.linuxea.com for mark
RUN curl -sO http://ftp.ntu.edu.tw/php/distributions/php-5.5.26.tar.gz \
 && tar xf php-5.5.26.tar.gz -C /usr/local/ \
 && mv /usr/local/php-5.5.26 /usr/local/php \
 && rm -rf php-5.5.26.tar.gz
WORKDIR /usr/local/php
RUN groupadd -g 499 -r nginx \
 && useradd -u 499 -g nginx -r nginx -s /sbin/nologin \
 && yum install epel* -y \
 && yum install -y gcc automake autoconf libtool make \
    libxml2-devel \
    openssl \
    openssl-devel \
    bzip2 \
    bzip2-devel \
    libpng \
    libpng-devel \
    freetype \
    freetype-devel \
    libcurl-devel \
    libcurl libjpeg \
    libjpeg-devel \
    libpng \
    libpng-devel \
    freetype \
    freetype-devel \
    libmcrypt-devel \
    libmcrypt \
    libtool-ltdl-devel \
    libxslt-devel \
    mhash \
    mhash-devel \
 && ./configure --prefix=/usr/local/php \
    --disable-pdo \
    --disable-debug \
    --disable-rpath \
    --enable-inline-optimization \
    --enable-sockets \
    --enable-sysvsem \
    --enable-sysvshm \
    --enable-pcntl \
    --enable-mbregex \
    --enable-xml \
    --enable-zip \
    --enable-fpm \
    --enable-mbstring \
    --with-pcre-regex \
    --with-mysql \
    --with-mysqli \
    --with-gd \
    --with-jpeg-dir \
    --with-bz2 \
    --with-zlib \
    --with-mhash \
    --with-curl \
    --with-mcrypt \
    --with-jpeg-dir \
    --with-png-dir \
 && make \
 && make install \
 && yum remove make -y \
 && yum clean all
#ENV PATH /usr/local/php/sbin:$PATH
#EXPOSE 9000
ENTRYPOINT /usr/local/php/sbin/php-fpm --nodaemonize
```

php-fpm.conf

```
[root@LinuxEA php-fpm]# cat php-fpm.conf
;;;;;;;;;;;;;;;;;;;;;
; FPM Configuration ;
;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;
; Global Options ;
;;;;;;;;;;;;;;;;;;
[global]
pid = run/php-fpm.pid
error_log = log/php-fpm.log
log_level = warning
emergency_restart_threshold = 30
emergency_restart_interval = 60s
process_control_timeout = 5s
daemonize = no
;;;;;;;;;;;;;;;;;;;;
; Pool Definitions ;
;;;;;;;;;;;;;;;;;;;;
[php]
;listen = /dev/shm/php-cgi.sock
listen = 9000
listen.backlog = -1
;listen.allowed_clients = 127.0.0.1
listen.owner = nginx
listen.group = nginx
listen.mode = 0777
user = nginx
group = nginx
;Come from www.linuxea.com for mark
pm = dynamic
pm.max_children = 12
pm.start_servers = 8
pm.min_spare_servers = 6
pm.max_spare_servers = 12
pm.max_requests = 2048
pm.process_idle_timeout = 10s
request_terminate_timeout = 120
request_slowlog_timeout = 0
pm.status_path = /php-fpm_status
slowlog = log/slow.log
rlimit_files = 51200
rlimit_core = 0
catch_workers_output = yes
;env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
[root@LinuxEA php-fpm]#
```

When running php we also need to mount the nginx site root.

Copyright belongs to www.linuxea.com; reproduction must credit the source and include this notice.

Directory structure:

```
[root@LinuxEA lnmp]# tree -L 4
.
├── docker-compose.yml
├── log
│   ├── nginx
│   │   ├── wwwlog
│   │   └── wwwroot
│   │       └── index.php
│   ├── php-fpm.log
│   ├── php-fpm.log.slow
│   └── www.linuxea.com
├── mysql
│   ├── Dockerfile
│   ├── mariadb-10.0.27-linux-x86_64.tar.gz
│   ├── my.cnf
│   └── mydata
│       ├── data
│       │   ├── 1033805cad2d.pid
│       │   ├── 1639a5882354.pid
│       │   ├── 2619917b9ae6.pid
│       │   ├── 5c05812ed420.pid
│       │   ├── 909d6ef97f04.pid
│       │   ├── aria_log.00000001
│       │   ├── aria_log_control
│       │   ├── b83f3b6a702f.pid
│       │   ├── dff35cf18443.pid
│       │   ├── ibdata1
│       │   ├── ib_logfile0
│       │   ├── ib_logfile1
│       │   ├── linuxea
│       │   ├── multi-master.info
│       │   ├── mysql
│       │   ├── mysql-bin.000001
│       │   ├── mysql-bin.000002
│       │   ├── mysql-bin.000003
│       │   ├── mysql-bin.000004
│       │   ├── mysql-bin.000005
│       │   ├── mysql-bin.000006
│       │   ├── mysql-bin.000007
│       │   ├── mysql-bin.000008
│       │   ├── mysql-bin.000009
│       │   ├── mysql-bin.000010
│       │   ├── mysql-bin.index
│       │   ├── performance_schema
│       │   └── test
│       └── log
│           └── mysql-error.log
├── nginx
│   ├── Dockerfile
│   ├── log
│   │   ├── error_nginx.log
│   │   └── www.com.log
│   ├── nginx.conf
│   ├── www.conf
│   └── wwwroot
│       ├── helo.php
│       ├── index.html
│       ├── index.php
│       └── mysql.php
└── php-fpm
    ├── Dockerfile
    ├── log
    ├── php-fpm.conf
    ├── php-fpm.conf.bak
    ├── php-fpm.conf.default
    └── php.ini

17 directories, 47 files
[root@LinuxEA lnmp]#
```

Mount the corresponding configuration files and data directories.

Starting mariadb

Start order: mysql -> php -> nginx

```
[root@LinuxEA lnmp] docker run --name mysql1 \
-v /root/lnmp/mysql/my.cnf:/etc/mysql/my.cnf \
-v /root/lnmp/mysql/mydata/data:/mydata/data \
-v /root/lnmp/mysql/mydata/log:/mydata/log \
-e MYSQL_ROOT_PASSWORD=linuxea \
-d -p 3306:3306 mariadb:10.0.27
```

Starting php-fpm

```
[root@LinuxEA lnmp] docker run --name phpfpm \
--link mysql1:mysql1 \
-v /root/lnmp/php-fpm/php-fpm.conf:/usr/local/php/etc/php-fpm.conf:rw \
-v /root/lnmp/log:/data -v /root/lnmp/nginx/wwwroot:/data/nginx/wwwroot \
-d php-fpm:5.6.24
```

If php.ini needs to be mounted, its location is under /usr/local/php/lib.

Starting nginx

```
[root@LinuxEA lnmp] docker run --name nginx \
--link phpfpm:phpfpm \
-v /root/lnmp/nginx/nginx.conf:/etc/nginx/nginx.conf \
-v /root/lnmp/nginx/log:/data/nginx/wwwlog \
-v /root/lnmp/nginx/wwwroot:/data/nginx/wwwroot \
--volumes-from phpfpm \
-d -p 80:80 nginx1.10:1
```

Check the running status:

```
[root@LinuxEA lnmp]# docker ps -a
CONTAINER ID   IMAGE             COMMAND                  CREATED        STATUS          PORTS                    NAMES
a2d2a8e11454   nginx1.10:1       "/bin/sh -c /usr/loca"   42 hours ago   Up 2 seconds    0.0.0.0:80->80/tcp       nginx
c89e724b0973   php-fpm:2         "/bin/sh -c '/usr/loc"   42 hours ago   Up 3 seconds                             phpfpm
1639a5882354   mariadb:10.0.27   "/bin/sh -c mysqld_sa"   42 hours ago   Up 25 seconds   0.0.0.0:3306->3306/tcp   mysql1
[root@LinuxEA lnmp]#
```

Verify phpinfo:

```
[root@LinuxEA wwwroot]# cat index.php
<?php
phpinfo();
?>
[root@LinuxEA wwwroot]#
```

Verify the MySQL connection

Grant an account:

```
[root@1639a5882354 /]# /usr/local/mysql/bin/mysql -uroot -p -h127.0.0.1
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.0.27-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE linuxea CHARACTER SET utf8;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> GRANT ALL ON linuxea.* TO 'linuxea'@'%' IDENTIFIED BY 'linuxea';
Query OK, 0 rows affected (0.00 sec)
```

Create a PHP file that connects to MySQL:

```
[root@LinuxEA wwwroot]# cat mysql.php
<?php
$link=mysql_connect("mysql1","linuxea","linuxea");
if(!$link) echo "<center><h1>FAILD!\nlinks www.linuxea.com error username and passwd<h1></center>";
else echo "<center><br/><h1>OK!<br/>www.linuxea.com links normal<h1></center>";
?>
[root@LinuxEA wwwroot]# curl 10.10.239.194/mysql.php
<center><br/><h1>Hello Docker!<br/>www.linuxea.com links normal<h1></center>
[root@LinuxEA wwwroot]#
```

Install WordPress

The IP here may need to be specified manually; if that is too much trouble you can simply use the host network mode.

docker-compose

```
[root@LinuxEA ~]# cat lnmp/docker-compose.yml
version: '2'
services:
  mysql:
    container_name: mysql-1
    image: mariadb:10.0.27
    ports:
      - "3306:3306"
    environment:
      - MYSQL_ROOT_PASSWORD=linuxea
    volumes:
      - /root/lnmp/mysql/my.cnf:/etc/mysql/my.cnf
      - /root/lnmp/mysql/mydata/data:/mydata/data
      - /root/lnmp/mysql/mydata/log:/mydata/log
  phpfpm:
    container_name: phpfpm-1
    image: php-fpm:2
    ports:
      - "9000:9000"
    links:
      - "mysql:mysql"
    volumes:
      - /root/lnmp/php-fpm/php-fpm.conf:/usr/local/php/etc/php-fpm.conf
      - /root/lnmp/log:/data/phplog
      - /root/lnmp/nginx/wwwroot:/data/nginx/wwwroot
  nginx:
    container_name: nginx-1
    image: nginx1.10:1
    ports:
      - "80:80"
    links:
      - "phpfpm:php"
    volumes_from:
      - "phpfpm"
    volumes:
      - /root/lnmp/nginx/nginx.conf:/etc/nginx/nginx.conf
      - /root/lnmp/nginx/log:/data/nginx/wwwlog
      - /root/lnmp/nginx/wwwroot:/data/nginx/wwwroot
[root@LinuxEA ~]#
```
2016-10-10
Specifying a bridge and a bridge IP in Docker

```
$ docker network ls
NETWORK ID          NAME                DRIVER
7fca4eb8c647        bridge              bridge
9f904ee27bf5        none                null
cf03ee007fb4        host                host
```

Bridge

This is the default bridge network. We can use the docker network inspect command to view the network's information; the docker run command automatically attaches new containers to this network.

Host

In host mode the container does not get its own network namespace at startup and instead shares the host's. The container has no network interface or IP of its own, but everything other than networking remains isolated.

Container

In container mode the newly created container shares a network namespace with an existing container rather than with the host. It has no interface or IP of its own and uses those of the specified container; everything other than networking remains isolated.

None

The container has its own network namespace, but Docker performs no network configuration for it. A none container has no interface, IP or routes; we have to configure them manually.

Most of the information in this post comes from the official documentation: https://docker.github.io/engine/userguide/networking/#/the-default-bridge-network-in-detail

You can also refer to the examples in this post, most of which also come from the internet, as follows:

1. Specifying a bridge

1.1 Create the bridge

```
[root@linuxea ~]# docker network create linuxea.com
af4526e387772f33b053ff2ab47e601ddf9618bc2d444770775723d76d3a1010
[root@linuxea ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
3ebf99e55db8        bridge              bridge              local
7eb855581296        host                host                local
af4526e38777        linuxea.com         bridge              local
58d75a1a38bc        none                null                local
[root@linuxea ~]#
```

Inspect linuxea.com:

```
[root@linuxea ~]# docker network inspect linuxea.com
[
    {
        "Name": "linuxea.com",
        "Id": "af4526e387772f33b053ff2ab47e601ddf9618bc2d444770775723d76d3a1010",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1/16"
                }
            ]
        },
        "Internal": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]
[root@linuxea ~]#
```

Pull the image:

```
[root@linuxea ~]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
6a5a5368e0c2: Pull complete
4aceccff346f: Pull complete
c8967f302193: Pull complete
Digest: sha256:1ebfe348d131e9657872de9881fe736612b2e8e1630e0508c354acb0350a4566
Status: Downloaded newer image for nginx:latest
```

1.2 Specify the bridge

```
[root@linuxea ~]# docker run --network=linuxea.com -itd --name=mynginx nginx
b0ec2c7951fa5343d20218811005b16304f9ec5cb3107d06abbf60d5a94df248
[root@linuxea ~]# docker network inspect linuxea.com
[
    {
        "Name": "linuxea.com",
        "Id": "af4526e387772f33b053ff2ab47e601ddf9618bc2d444770775723d76d3a1010",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1/16"
                }
            ]
        },
        "Internal": false,
        "Containers": {
            "b0ec2c7951fa5343d20218811005b16304f9ec5cb3107d06abbf60d5a94df248": {
                "Name": "mynginx",
                "EndpointID": "adaec00497b42ada6f6b251bff18a26623cfe96890a47df8b5da3c3d75582482",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]
[root@linuxea ~]#
```

2. Specifying an IP address on the bridge

2.1 Specify an IP within the docker0 subnet

We manually specify --net=none; as you can see, the container has no network interface:

```
[root@linuxea ~]# docker run --net=none --name mynginx -d -p 80:80 nginx
09b9819234338e47a8df7d3eba8daf23bf919b9fa2ea114d60742c3318dc2d69
[root@linuxea ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
09b981923433        nginx               "nginx -g 'daemon off"   7 seconds ago       Up 5 seconds                            mynginx
[root@linuxea ~]# /root/in.sh mynginx
root@09b981923433:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
root@09b981923433:/#
```

Check the docker0 address; it is on the 172.17.0.0 network:

```
[root@LinuxEA ~]# ip addr show docker0
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    link/ether 02:42:af:55:9a:54 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:afff:fe55:9a54/64 scope link
       valid_lft forever preferred_lft forever
```

2.2 Get the pid

After creating the link file, create a veth pair, attach veth_db84e747c3 to docker0 and bring it up:

```
[root@LinuxEA ~]# docker inspect -f '{{.State.Pid}}' mynginx
28383
[root@LinuxEA ~]# mkdir -p /var/run/netns
[root@LinuxEA ~]# ln -s /proc/28383/ns/net /var/run/netns/28383
[root@LinuxEA ~]# ip link add veth_db84e747c3 type veth peer name x
```

2.3 Install the brctl tools

```
yum install bridge-utils
```

```
[root@LinuxEA ~]# brctl addif docker0 veth_db84e747c3
[root@LinuxEA ~]# ip link set veth_db84e747c3 up
[root@LinuxEA ~]# ip link set x netns 28383
```

mynginx now has a network interface:

```
[root@LinuxEA mysql]# /root/in.sh mynginx
root@e224723da286:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
47: x@if48: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 2a:bf:7a:75:58:5f brd ff:ff:ff:ff:ff:ff
root@e224723da286:/#
```

2.4 Configure an IP on the new interface

```
[root@LinuxEA ~]# ip netns exec 28383 ip link set dev x name eth0
[root@LinuxEA ~]# ip netns exec 28383 ip link set eth0 up
[root@LinuxEA ~]# ip netns exec 28383 ip addr add 172.17.0.100/24 dev eth0
[root@LinuxEA ~]# ip netns exec 28383 ip route add default via 172.17.0.1
```

Back in mynginx, the IP is now set statically:

```
root@e224723da286:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
47: eth0@if48: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 2a:bf:7a:75:58:5f brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.100/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::28bf:7aff:fe75:585f/64 scope link
       valid_lft forever preferred_lft forever
root@e224723da286:/# ping -w 3 www.baidu.com
PING www.a.shifen.com (103.235.46.39): 56 data bytes
64 bytes from 103.235.46.39: icmp_seq=0 ttl=46 time=197.858 ms
64 bytes from 103.235.46.39: icmp_seq=1 ttl=46 time=209.700 ms
64 bytes from 103.235.46.39: icmp_seq=2 ttl=46 time=196.508 ms
--- www.a.shifen.com ping statistics ---
4 packets transmitted, 3 packets received, 25% packet loss
round-trip min/avg/max/stddev = 196.508/201.355/209.700/5.926 ms
root@e224723da286:/#
```

2.5 The script for adding an IP is as follows

```
[root@linuxea ~]# cat /root/ip.sh
#!/bin/bash
# filename: bind_addr.sh
# Gives a container started with --net=none a fixed IP on docker0.

# Message: "root privileges are required"
if [ "$(id -u)" -ne 0 ];then
    echo '必须使用root权限'
    exit 1
fi

# Message: "usage: $0 <container name> <IP>"
if [ $# != 2 ]; then
    echo "使用方法: $0 容器名字 IP"
    exit 1
fi

container_name=$1
bind_ip=$2

# Message: "container does not exist"
container_id=`docker inspect -f '{{.Id}}' "$container_name" 2> /dev/null`
if [ ! "$container_id" ];then
    echo "容器不存在"
    exit 2
fi

# Keep the address only if it is a well-formed dotted quad.
# Message: "the IP address format is incorrect"
bind_ip=`echo "$bind_ip" | egrep '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'`
if [ ! "$bind_ip" ];then
    echo "IP地址格式不正确"
    exit 3
fi

# Netmask and gateway are taken from docker0 itself
container_minid=`echo $container_id | cut -c 1-10`
container_netmask=`ip addr show docker0 | grep "inet\b" | awk '{print $2}' | cut -d / -f2`
container_gw=`ip addr show docker0 | grep "inet\b" | awk '{print $2}' | cut -d / -f1`
bridge_name="veth_$container_minid"
container_ip=$bind_ip/$container_netmask

# Message: "failed to get the id of container $container_name"
pid=`docker inspect -f '{{.State.Pid}}' "$container_name" 2> /dev/null`
if [ ! "$pid" ];then
    echo "获取容器$container_name的id失败"
    exit 4
fi

# Expose the container's network namespace to `ip netns`
if [ ! -d /var/run/netns ];then
    mkdir -p /var/run/netns
fi
ln -sf /proc/$pid/ns/net /var/run/netns/$pid

# Create the veth pair, attach the host end to docker0, move the peer into the container
ip link add $bridge_name type veth peer name X
brctl addif docker0 $bridge_name
ip link set $bridge_name up
ip link set X netns $pid
ip netns exec $pid ip link set dev X name eth0
ip netns exec $pid ip link set eth0 up
ip netns exec $pid ip addr add $container_ip dev eth0
ip netns exec $pid ip route add default via $container_gw
```

Thanks to http://yaxin-cn.github.io/

For Docker networking, see: https://opskumu.gitbooks.io/docker/content/chapter6.html

3. Specifying a bridge and a fixed IP on that bridge

3.1 Preparation

Stop docker, delete docker0 and create a new bridge, linuxea0:

```
[root@linuxea ~]# service docker stop
Redirecting to /bin/systemctl stop docker.service
[root@linuxea ~]# ip link set dev docker0 down
[root@linuxea ~]# brctl delbr docker0
[root@linuxea ~]# brctl addbr linuxea0
```

The IP range is 192.168.100.0/24:

```
[root@linuxea ~]# ip addr add 192.168.100.1/24 dev linuxea0
[root@linuxea ~]# ip link set dev linuxea0 up
[root@linuxea ~]# ip addr show linuxea0
63: linuxea0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 1e:28:a7:71:19:46 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 scope global linuxea0
       valid_lft forever preferred_lft forever
[root@linuxea ~]#
```

3.2 Download pipework

```
[root@linuxea docker]# git clone https://github.com/jpetazzo/pipework.git
Cloning into 'pipework'...
remote: Counting objects: 475, done.
remote: Total 475 (delta 0), reused 0 (delta 0), pack-reused 475
Receiving objects: 100% (475/475), 158.46 KiB | 98.00 KiB/s, done.
Resolving deltas: 100% (250/250), done.
[root@linuxea docker]# cp -rp pipework/pipework /usr/local/bin/
[root@linuxea docker]# pipework
Syntax:
pipework <hostinterface> [-i containerinterface] [-l localinterfacename] [-a addressfamily] <guest> <ipaddr>/<subnet>[@default_gateway] [macaddr][@vlan]
pipework <hostinterface> [-i containerinterface] [-l localinterfacename] <guest> dhcp [macaddr][@vlan]
pipework route <guest> <route_command>
pipework --wait [-i containerinterface]
[root@linuxea docker]#
```

Check:

```
[root@linuxea docker]# brctl show
bridge name         bridge id           STP enabled     interfaces
br-24418946eb12     8000.0242668f42e0   no
linuxea0            8000.000000000000   no
```

Write the following content:

```
[root@linuxea docker]# cat /etc/sysconfig/docker | grep 'OPTIONS='
OPTIONS='
OPTIONS=--selinux-enabled -b=linuxea -H fd://
```

After deleting docker0 and setting linuxea0 as the default bridge, add --net=none when creating containers.

3.3 Run a service

```
[root@linuxea docker]# docker run --rm -ti --net=none nginx /bin/bash
root@b6d29d0accf0:/#
```

Use pipework to assign an IP on linuxea0 to the running service:

```
[root@linuxea ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
b6d29d0accf0        nginx               "/bin/bash"         38 seconds ago      Up 35 seconds                           condescending_minsky
[root@linuxea ~]# pipework linuxea0 -i eth0 b6d29d0accf0 192.168.100.100/24@192.168.100.1
```

Then check again:

```
root@b6d29d0accf0:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
65: eth0@if66: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 72:78:ef:7b:f2:9b brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.100/24 brd 192.168.100.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::7078:efff:fe7b:f29b/64 scope link
       valid_lft forever preferred_lft forever
root@b6d29d0accf0:/#
```

If no interface name is specified, the interface is added as eth1 by default.

Also, pipework cannot add static routes. If you need them, you can add --privileged=true at run time and add the routes manually inside the container, but that weakens security; the same thing can be done with ip netns.

Use ip netns to add the static route, which avoids the unnecessary security problems caused by creating the container with the --privileged=true option:

```
[root@linuxea ~]# docker inspect --format="{{ .State.Pid }}" 9f28a3f40737
15142
[root@linuxea ~]# ln -s /proc/15142/ns/net /var/run/netns/15142
[root@linuxea ~]# ip netns exec 15142 ip route add 192.168.100.0/24 dev eth0 via 192.168.100.1
[root@linuxea ~]# ip netns exec 15142 ip route
default via 192.168.100.1 dev eth0
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.100
[root@linuxea ~]#
```

That is all for now. Although the IP or the bridge has been specified, in practice this is not very convenient to use, and NAT has to be specified every time. That is it for this post.

1. In the container: route add default gw 10.0.0.1
2. On the Docker host: route add -net 192.168.100.1 gw 10.0.0.1
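The ip.sh script in section 2.5 checks only that the requested address is a well-formed dotted quad; it does not check that the address lies inside the bridge's subnet or that it avoids the bridge's own address. As an added example (not part of the original script), the pre-flight check below takes the address and the bridge CIDR exactly as `ip addr show docker0` prints it (for example 172.17.0.1/16); the function names and return codes are assumptions.

```shell
#!/bin/sh
# Added example: validate a requested container IP against the bridge subnet
# before creating the veth pair. Pure shell arithmetic, no external tools.

# ip_to_int A.B.C.D: print the address as a 32-bit integer; return 1 if malformed.
ip_to_int() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    iti_old=$IFS; IFS=.
    set -- $1
    IFS=$iti_old
    [ $# -eq 4 ] || return 1
    for iti_o in "$@"; do
        case "$iti_o" in
            0?*) return 1 ;;                    # leading zeros would be read as octal
        esac
        [ "${#iti_o}" -le 3 ] && [ "$iti_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_bind_ip IP BRIDGE_CIDR
# Returns 0 = usable, 1 = outside the bridge subnet, 2 = malformed input,
#         3 = reserved (network address, broadcast address or the bridge itself).
check_bind_ip() {
    cb_ip=$(ip_to_int "$1") || return 2
    cb_gw=$(ip_to_int "${2%/*}") || return 2
    cb_prefix=${2#*/}
    case "$cb_prefix" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "${#cb_prefix}" -le 2 ] && [ "$cb_prefix" -ge 1 ] && [ "$cb_prefix" -le 30 ] || return 2
    cb_mask=$(( (0xFFFFFFFF << (32 - cb_prefix)) & 0xFFFFFFFF ))
    cb_net=$(( cb_gw & cb_mask ))
    cb_bcast=$(( cb_net | (~cb_mask & 0xFFFFFFFF) ))
    [ $(( cb_ip & cb_mask )) -eq "$cb_net" ] || return 1
    [ "$cb_ip" -ne "$cb_net" ] && [ "$cb_ip" -ne "$cb_bcast" ] && [ "$cb_ip" -ne "$cb_gw" ] || return 3
    return 0
}

# Values from the post: docker0 is 172.17.0.1/16 and the container gets 172.17.0.100.
if check_bind_ip 172.17.0.100 172.17.0.1/16; then
    echo "172.17.0.100 is usable on docker0"
fi
# The linuxea0 range from section 3 is not on docker0, so this is refused.
check_bind_ip 192.168.100.100 172.17.0.1/16 || echo "192.168.100.100 refused (code $?)"
```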