1. Background
To unify MySQL management and auditing, the department allocated one high-spec physical machine as a resource pool (172.16.80.23); MySQL databases are created from this resource pool.
2. Resource pool deployment steps
(1) Install docker
Download the binary package docker-19.03.9.tgz
(https://download.docker.com/linux/static/test/x86_64/), upload it to /soft and extract it
tar -xvf docker-19.03.9.tgz
Copy the binaries to /usr/bin
cp /soft/docker/* /usr/bin/
Create the docker service
cat /etc/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
Reload the service configuration files
systemctl daemon-reload
Start docker
systemctl start docker
Check that docker is running
docker ps
(2) Load the MySQL Enterprise Edition image
Download the official image
https://hub.docker.com/search?image_filter=official&type=image
Choose MySQL Server Enterprise Edition
Upload the downloaded mysql-enterprise-server-5.7.31.tar to /soft and load the mysql image
docker load -i mysql-enterprise-server-5.7.31.tar
docker images (confirm that the image was loaded successfully)
(3) Create a single-instance mysql environment
Planned host port range for mysql mappings: 3001-3100
Run /mysql/init/init_mysql.sh <port>; it automatically creates a single-instance mysql container named mysql_<port> (script contents in the attachment)
The script mainly creates the mysql directories, initializes the configuration file, creates the mysql container and initializes the root password (default 123)
docker ps (check that the container was created and started)
docker logs mysql_<port> (view the container log)
For example, creating a mysql instance mapped to port 3001 creates the directory /mysql/data3001:
/mysql/init/init_mysql.sh 3001
If the directory already exists, the script reports an error and container creation fails; this must be handled manually: either use a different port, or check whether the instance is still running (docker ps -a), docker stop and then docker rm it, delete the directory by hand, and rerun /mysql/init/init_mysql.sh 3001
(4) Create an MGR environment
Planned host port range for mgr mappings: 3101-3200
Run /mgr/init/init_mgr.sh <port>; it automatically creates an mgr container named mgr_<port> (script contents in the attachment)
The script mainly creates the mgr directories, initializes the configuration file, creates the mgr container, initializes the root password (default 123), and starts group replication (single node)
docker ps (check that the container was created and started)
docker logs mgr_<port> (view the container log)
For example, creating a mysql instance mapped to port 3101 creates the directory /mgr/data3101:
/mgr/init/init_mgr.sh 3101
If the directory already exists, the script reports an error and container creation fails; this must be handled manually: either use a different port, or check whether the instance is still running (docker ps -a), docker stop and then docker rm it, delete the directory by hand, and rerun /mgr/init/init_mgr.sh 3101
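The two init scripts are attachments not reproduced here. The following is an added reconstruction, written for this page and not the department's own script, of the behaviour described in (3) and (4) that both scripts share: directory layout, config initialization, the refuse-if-directory-exists check, and the docker run command. The image tag, the /etc/mysql/conf.d include of the image, and the MYSQL_ROOT_PW override are assumptions.

```shell
#!/bin/sh
# Assumed reconstruction of the init scripts described in (3) and (4); the real
# /mysql/init/init_mysql.sh and /mgr/init/init_mgr.sh are attachments not on this page.
# Usage: init_instance.sh <mysql|mgr> <port>
# IMAGE is an assumed tag for the image loaded from mysql-enterprise-server-5.7.31.tar;
# that the image includes /etc/mysql/conf.d/*.cnf is also an assumption.
IMAGE="mysql/enterprise-server:5.7.31"

# Map kind and port to container name and host data directory,
# e.g. "mysql 3001" -> "mysql_3001 /mysql/data3001", "mgr 3101" -> "mgr_3101 /mgr/data3101".
instance_paths() {
    case "$1" in
        mysql) base=/mysql ;;
        mgr)   base=/mgr ;;
        *) echo "unknown kind: $1 (expected mysql or mgr)" >&2; return 1 ;;
    esac
    echo "${1}_${2} ${base}/data${2}"
}

# Refuse an existing data directory: as the text says, a leftover directory must be
# cleaned up by hand (docker stop, docker rm, delete the directory), never silently reused.
# On success, create the layout and a minimal config (server-id = port, unique per host).
ensure_fresh_dir() {
    if [ -e "$1" ]; then
        echo "ERROR: $1 already exists; stop/remove the old container and delete it first" >&2
        return 1
    fi
    mkdir -p "$1/data" "$1/conf" &&
    printf '[mysqld]\nserver-id=%s\n' "$2" > "$1/conf/my.cnf"
}

# Compose the docker run command as a string so it can be reviewed or logged before use.
# Root password: the page's default 123 unless MYSQL_ROOT_PW is set in the environment.
run_cmd() {
    echo "docker run -d --name $1 --restart=always -p $3:3306" \
         "-v $2/data:/var/lib/mysql -v $2/conf:/etc/mysql/conf.d" \
         "-e MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PW:-123} $IMAGE"
}

main() {
    paths=$(instance_paths "$1" "$2") || return 1
    name=${paths%% *}; dir=${paths#* }
    ensure_fresh_dir "$dir" "$2" || return 1
    sh -c "$(run_cmd "$name" "$dir" "$2")"
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```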
3. Container GUI management tool: portainer
(1) Portainer overview
Portainer is a graphical management tool for Docker. It provides a status dashboard, quick deployment from application templates, basic operations on containers, images, networks and data volumes (including uploading and downloading images, creating containers, etc.), event log display, a container console, centralized management of Swarm clusters and services, and login user management and control; it covers essentially all container-management needs of a small or medium-sized organization.
(2) Install portainer
Load the portainer image
docker load -i portainer.tar
Start the portainer container
docker run -d -p 9000:9000 --restart=always -v /var/run/docker.sock:/var/run/docker.sock --name portainer portainer/portainer
Open the portainer web UI
http://172.16.80.23:9000/#/auth
admin/1jian8Shu
All container operations can be performed from here
(3) Manage the remote docker host 172.16.80.250 from portainer
Install docker on the remote host:
tar -xvf docker-19.03.9.tgz
Copy the binaries to /usr/bin
cp /soft/docker/* /usr/bin/
Create the docker service
cat /etc/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker. Remote docker access: the default port is 2375
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
Reload the service configuration files
systemctl daemon-reload
Start docker
systemctl start docker
Check that docker is running
docker ps
Log on to the portainer host and check whether this docker host can be reached remotely
docker -H 172.16.80.250 ps
Add the docker host to portainer management
(4) Migrate a container to the new docker host
On the original docker host:
docker commit wordpress_db_1 wordpress_db_migrate
docker images|grep wordpress_db
docker save -o /soft/wordpress_db_migrate.tar wordpress_db_migrate
scp /soft/wordpress_db_migrate.tar 172.16.80.250:/soft/
On the new docker host:
docker load -i wordpress_db_migrate.tar
docker run -d wordpress_db_migrate
(5) Check portainer
Containers on the new docker host are detected automatically
(6) Configure SSL for secure remote access to docker
On the host running the docker daemon:
mkdir -p /usr/local/ca
cd /usr/local/ca
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=dbres2" -sha256 -new -key server-key.pem -out server.csr
echo subjectAltName = DNS:dbres2,IP:172.16.80.250,IP:127.0.0.1 >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo extendedKeyUsage = clientAuth > extfile-client.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out cert.pem -extfile extfile-client.cnf
rm -v client.csr server.csr
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem
Modify the docker service's ExecStart as follows (the daemon stays on port 2375 but now requires a client certificate signed by ca.pem):
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 --tlsverify --tlscacert=/usr/local/ca/ca.pem --tlscert=/usr/local/ca/server-cert.pem --tlskey=/usr/local/ca/server-key.pem
systemctl daemon-reload
systemctl restart docker
Copy only the client-side files (CA certificate, client certificate and client key) to the portainer host; ca-key.pem and server-key.pem stay on the daemon host:
scp /usr/local/ca/ca.pem /usr/local/ca/cert.pem /usr/local/ca/key.pem 172.16.80.23:/root/.docker/
Verify from the portainer host; the port must be given explicitly, because with --tlsverify the docker CLI defaults to 2376 while this daemon listens on 2375:
docker --tlsverify -H tcp://172.16.80.250:2375 ps
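As an added check that is not part of the original procedure, the script below inspects a docker.service unit and flags an ExecStart like the one in 3(3) (tcp://0.0.0.0:2375 with no TLS options) while accepting the hardened ExecStart from 3(6); the two sample unit files are constructed inline from those lines.

```shell
#!/bin/sh
# Added check, not part of the original procedure: inspect a docker.service unit and
# report whether an ExecStart tcp:// listener lacks TLS client-certificate verification.
# Returns 0 for "no TCP listener" or "TCP listener with --tlsverify and all --tls* files",
# 1 otherwise. The sample units below are constructed from the two ExecStart lines on this page.
audit_docker_unit() {
    exec_line=$(grep '^ExecStart=' "$1" | tail -n 1)
    case "$exec_line" in
        *"-H tcp://"*) ;;
        *) echo "OK: $1 exposes no TCP listener"; return 0 ;;
    esac
    missing=""
    for opt in --tlsverify --tlscacert= --tlscert= --tlskey=; do
        case "$exec_line" in
            *"$opt"*) ;;
            *) missing="$missing $opt" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "FAIL: $1 has a tcp:// listener without:$missing (remote clients need no certificate)"
        return 1
    fi
    echo "OK: $1 tcp:// listener requires a client certificate signed by the configured CA"
}

SAMPLE_DIR=$(mktemp -d)
# Constructed sample 1: the plain-TCP ExecStart used in section 3(3).
cat > "$SAMPLE_DIR/plain.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375
EOF
# Constructed sample 2: the ExecStart from section 3(6) after enabling --tlsverify.
cat > "$SAMPLE_DIR/tls.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 --tlsverify --tlscacert=/usr/local/ca/ca.pem --tlscert=/usr/local/ca/server-cert.pem --tlskey=/usr/local/ca/server-key.pem
EOF

# Report on both samples; a failing unit gets the remediation from section 3(6).
for unit in "$SAMPLE_DIR"/plain.service "$SAMPLE_DIR"/tls.service; do
    audit_docker_unit "$unit" || echo "  -> add --tlsverify and the --tls* options, then systemctl daemon-reload && systemctl restart docker"
done
```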
Reference:
https://www.yuque.com/gavinluo/blog/dgagz6#042f2f8a
4. Configure keepalived to provide a fixed VIP
Since keepalived has LVS built in, keepalived can provide both the VIP and the reverse proxy.
yum -y install keepalived
cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 192.168.200.1
smtp_connect_timeout 30
router_id cluster1
script_user root
enable_script_security
}
vrrp_sync_group mysql {
group {
mysql
}
}
vrrp_instance mysql {
state BACKUP
nopreempt
interface eth0
virtual_router_id 66
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.16.80.251/22 dev eth0 scope global brd 172.16.83.255 label eth0:1
}
}
virtual_server 172.16.80.251 4000 {
delay_loop 6
lb_algo rr
lb_kind NAT
persistence_timeout 50
protocol TCP
real_server 172.16.80.250 3306 {
weight 1
TCP_CHECK {
connect_timeout 3
}
}
}
Here 172.16.80.251 is the VIP, proxying individual ports on different physical (or virtual) machines; note that the port used by a virtual_server must not already be in use by anything else on this host.
Since persistence_timeout is a load-balancing parameter, it is of little use in the current scenario; connect_timeout is also not the connection timeout, which remains to be verified with the application team.