1. Background

To unify MySQL management and auditing, the institute allocated one high-spec physical machine (172.16.80.23) as a resource pool; MySQL databases are created from this pool.

2. Resource pool deployment steps

(1) Install Docker

Download the static binary package docker-19.03.9.tgz (https://download.docker.com/linux/static/test/x86_64/), upload it to /soft and extract it. Note that this directory is Docker's test channel; release builds are published under https://download.docker.com/linux/static/stable/x86_64/, which is the better choice for a production resource pool.

tar -xvf docker-19.03.9.tgz

Copy the binaries to /usr/bin

cp /soft/docker/* /usr/bin/

Create the docker service

cat /etc/systemd/system/docker.service

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target

Reload the systemd unit files

systemctl daemon-reload

Start docker (run systemctl enable docker as well if the daemon should come back after a reboot; the unit above is only started, not enabled)

systemctl start docker

Check that docker is running

docker ps

(2) Load the MySQL Enterprise Edition image

Download the official image

https://hub.docker.com/search?image_filter=official&type=image

Select MySQL Server Enterprise Edition


Upload the downloaded mysql-enterprise-server-5.7.31.tar to /soft and load the image

docker load -i mysql-enterprise-server-5.7.31.tar

Run docker images to confirm the image was loaded

(3) Create a single-instance MySQL environment

Planned host ports for single-instance MySQL mappings: 3001-3100

Run /mysql/init/init_mysql.sh PORT; it creates a single-instance MySQL container named mysql_PORT (script contents in the attachment)

The script creates the MySQL directories, initializes the configuration file, creates the container and sets the root password (default 123). A fixed default password is shared by every instance created this way and is visible to anyone who reads this page or the script, so set a per-instance password at creation time (or change it immediately afterwards) rather than leaving the default in place.

Run docker ps to check that the container was created and started

Run docker logs mysql_PORT to view the container log

For example, creating a MySQL instance mapped to port 3001 creates the directory data3001 under /mysql

/mysql/init/init_mysql.sh 3001


If the directory already exists, the script reports an error and the container is not created; this has to be resolved by hand: either use a different port, or check whether this instance is still running (docker ps -a), docker stop and docker rm it, delete the directory manually, then rerun /mysql/init/init_mysql.sh 3001. The refusal is deliberate: a leftover data directory may belong to a live instance, and reusing it silently would mix two databases.

Attachment: init_mysql.sh

(4) Create an MGR (MySQL Group Replication) environment

Planned host ports for MGR mappings: 3101-3200

Run /mgr/init/init_mgr.sh PORT; it creates an MGR container named mgr_PORT (script contents in the attachment)

The script creates the MGR directories, initializes the configuration file, creates the MGR container, sets the root password (default 123, with the same caveat as for single instances), and bootstraps group replication as a single-node group.

Run docker ps to check that the container was created and started

Run docker logs mgr_PORT to view the container log

For example, creating an MGR instance mapped to port 3101 creates the directory data3101 under /mgr

/mgr/init/init_mgr.sh 3101


If the directory already exists, the script reports an error and the container is not created; resolve it by hand as above: either use a different port, or check whether this instance is still running (docker ps -a), docker stop and docker rm it, delete the directory manually, then rerun /mgr/init/init_mgr.sh 3101.

Attachment: init_mgr.sh
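The attached init_mysql.sh and init_mgr.sh are not reproduced on this page. The script below is an added example, written for this page and not the institute's scripts, that does what steps (3) and (4) describe both of them doing: validate the port against the planned range, refuse an existing data directory instead of reusing it, write the configuration file, and create the container mysql_PORT or mgr_PORT. Everything not stated on the page is an assumption: the image tag (MYSQL_IMAGE), the config path /etc/my.cnf inside the image, the my.cnf contents, the group name, and a loopback group-replication address that is only valid for the single-member group the page bootstraps.

```sh
#!/bin/sh
# Added example (not the page's attached init_mysql.sh / init_mgr.sh).
# Assumed: MYSQL_IMAGE tag, /etc/my.cnf inside the image, my.cnf contents,
# MGR group name, and a loopback MGR address (single-member group only).

# 0 if PORT is in the page's planned host-port range for MODE (single|mgr).
port_in_plan() {
    case $2 in ''|*[!0-9]*) return 1 ;; esac
    case $1 in
        single) [ "$2" -ge 3001 ] && [ "$2" -le 3100 ] ;;
        mgr)    [ "$2" -ge 3101 ] && [ "$2" -le 3200 ] ;;
        *)      return 1 ;;
    esac
}

# Writes CNF_DIR/my.cnf. MGR instances get the MySQL 5.7 group-replication
# prerequisites; loose- lets mysqld start before the plugin is loaded.
write_cnf() {
    cnf_mode=$1 cnf_port=$2 cnf_dir=$3
    {
        echo '[mysqld]'
        echo "server_id=$cnf_port"
        echo 'log_bin=mysql-bin'
        echo 'binlog_format=ROW'
        echo 'skip_name_resolve=ON'
        if [ "$cnf_mode" = mgr ]; then
            echo 'gtid_mode=ON'
            echo 'enforce_gtid_consistency=ON'
            echo 'master_info_repository=TABLE'
            echo 'relay_log_info_repository=TABLE'
            echo 'binlog_checksum=NONE'
            echo 'log_slave_updates=ON'
            echo 'transaction_write_set_extraction=XXHASH64'
            echo "plugin_load_add='group_replication.so'"
            # assumed group name; use one uuidgen value per group
            echo "loose-group_replication_group_name='${MGR_GROUP_NAME:-aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}'"
            echo 'loose-group_replication_start_on_boot=OFF'
            echo 'loose-group_replication_bootstrap_group=OFF'
            # loopback is enough for a single-member group; a multi-host
            # group needs an address the other members can reach
            echo "loose-group_replication_local_address='127.0.0.1:33061'"
            echo "loose-group_replication_group_seeds='127.0.0.1:33061'"
        fi
    } > "$cnf_dir/my.cnf"
}

# Creates /mysql/dataPORT (or /mgr/dataPORT), the config and the container.
# Refuses an existing data dir rather than reusing it. DRY_RUN=1 prints the
# docker command instead of running it. The root password comes from
# MYSQL_ROOT_PASSWORD or is generated (the page's scripts hard-code 123).
init_instance() {
    mode=$1 port=$2
    if [ "$mode" = mgr ]; then base=${MGR_BASE:-/mgr} name="mgr_$port"
    else base=${MYSQL_BASE:-/mysql} name="mysql_$port"; fi
    dir="$base/data$port"
    port_in_plan "$mode" "$port" || { echo "port $port is outside the planned $mode range" >&2; return 2; }
    if [ -e "$dir" ]; then
        echo "$dir exists: docker stop $name; docker rm $name; rm -r $dir; then retry" >&2
        return 3
    fi
    mkdir -p "$dir/conf" "$dir/data" "$dir/log"
    write_cnf "$mode" "$port" "$dir/conf"
    root_pw=${MYSQL_ROOT_PASSWORD:-$(head -c 18 /dev/urandom | base64)}
    set -- run -d --name "$name" --restart=unless-stopped -p "$port:3306" \
        -v "$dir/conf/my.cnf:/etc/my.cnf:ro" -v "$dir/data:/var/lib/mysql" \
        -e "MYSQL_ROOT_PASSWORD=$root_pw" "${MYSQL_IMAGE:-mysql/enterprise-server:5.7}"
    if [ "${DRY_RUN:-0}" = 1 ]; then echo docker "$@"; else docker "$@"; fi
}

# SQL that bootstraps a single-member group on an MGR container, e.g.
#   mgr_bootstrap_sql | docker exec -i mgr_3101 mysql -uroot -p"$MYSQL_ROOT_PASSWORD"
# A replication user for distributed recovery must exist before a second member joins.
mgr_bootstrap_sql() {
    printf '%s\n' \
        'SET GLOBAL group_replication_bootstrap_group=ON;' \
        'START GROUP_REPLICATION;' \
        'SET GLOBAL group_replication_bootstrap_group=OFF;'
}

# usage: ./init_instance.sh single 3001   or   ./init_instance.sh mgr 3101
if [ $# -eq 2 ]; then init_instance "$1" "$2"; fi
```

The password is passed with -e, so it remains readable through docker inspect on the host; that is no worse than the attached scripts, but it is why the host itself must stay restricted to DBAs. The existing-directory refusal mirrors the behaviour the page describes and is the check worth keeping.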

3. Container GUI management tool: Portainer

(1) Portainer overview

Portainer is a graphical management tool for Docker. It provides a status dashboard, quick deployment from application templates, basic operations on containers, images, networks and volumes (including pulling and pushing images and creating containers), event log display, a container console, centralized management of Swarm clusters and services, and login user management and access control. It covers essentially all the container-management needs of a small or mid-sized organization.

(2) Install Portainer

Load the portainer image

docker load -i portainer.tar

Start the portainer container

docker run -d -p 9000:9000 --restart=always -v /var/run/docker.sock:/var/run/docker.sock --name portainer portainer/portainer

The bind mount of /var/run/docker.sock gives Portainer full control of the Docker daemon, which is root-equivalent on the host. The Portainer admin login below is therefore a root credential for 172.16.80.23 (and for every remote host added in step (3)): serve the UI only on a restricted network or behind TLS, and do not reuse the password elsewhere.

Open the Portainer web UI

http://172.16.80.23:9000/#/auth

admin/1jian8Shu


All container operations can now be performed from the UI

(3) Managing the remote Docker host 172.16.80.250 from Portainer

Install Docker on the remote machine:

tar -xvf docker-19.03.9.tgz

Copy the binaries to /usr/bin

cp /soft/docker/* /usr/bin/

Create the docker service

cat /etc/systemd/system/docker.service

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
# expose the API over TCP so Portainer can reach this host; the default port is 2375
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target

Caution: -H tcp://0.0.0.0:2375 without TLS publishes the Docker API unencrypted and unauthenticated on every interface. Anyone who can reach that port can start a privileged container with the host filesystem mounted and is effectively root on 172.16.80.250. Treat this listener as a temporary step, restrict port 2375 with a firewall to 172.16.80.23 until step (6) enables TLS client verification, and prefer binding to the management IP instead of 0.0.0.0.

Reload the systemd unit files

systemctl daemon-reload

Start docker

systemctl start docker

Check that docker is running

docker ps

Log in to the Portainer machine and check that this Docker host is reachable remotely

docker -H 172.16.80.250 ps


Add the Docker host to Portainer as an endpoint


(4) Migrate a container to the new Docker host

On the original Docker host:

docker commit wordpress_db_1 wordpress_db_migrate

docker images|grep wordpress_db


docker save -o /soft/wordpress_db_migrate.tar wordpress_db_migrate

scp wordpress_db_migrate.tar 172.16.80.250:/soft/

On the new Docker host:

docker load -i wordpress_db_migrate.tar


docker run -d wordpress_db_migrate

Two caveats for a database container. First, docker commit captures only the container's writable layer: anything stored in a volume is not in the committed image, and the official MySQL images declare /var/lib/mysql as a VOLUME, so a database migrated this way comes up empty. Stop the database, copy the volume contents separately (docker cp, or a tar taken through a helper container started with --volumes-from), and restore them on the new host. Second, docker run -d wordpress_db_migrate starts the container with no port mapping, environment or volumes; copy the original settings from docker inspect on the source host.

(5) Check Portainer


Containers on the new Docker host are picked up automatically

 

(6) Configure TLS for secure remote access to Docker

On the host running the Docker daemon:

mkdir -p /usr/local/ca

cd /usr/local/ca

openssl genrsa -aes256 -out ca-key.pem 4096

openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem


openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=dbres2" -sha256 -new -key server-key.pem -out server.csr
echo subjectAltName = DNS:dbres2,IP:172.16.80.250,IP:127.0.0.1 >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
 -CAcreateserial -out server-cert.pem -extfile extfile.cnf
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo extendedKeyUsage = clientAuth > extfile-client.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
 -CAcreateserial -out cert.pem -extfile extfile-client.cnf
rm -v client.csr server.csr extfile.cnf extfile-client.cnf
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem

The client certificate is signed with its own extfile-client.cnf, as in the Docker documentation, so it carries only clientAuth and does not inherit the server's subjectAltName and serverAuth (the original appended clientAuth to the same extfile.cnf). The server certificate's subjectAltName must list every name or IP that clients will put in -H; here that is the IP 172.16.80.250.

Change the ExecStart of the docker service as follows and restart the daemon (start alone does nothing when it is already running):

ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 --tlsverify --tlscacert=/usr/local/ca/ca.pem --tlscert=/usr/local/ca/server-cert.pem --tlskey=/usr/local/ca/server-key.pem
systemctl daemon-reload
systemctl restart docker

Copy only the client material to the Portainer host. The client needs ca.pem, cert.pem and key.pem; ca-key.pem and server-key.pem must not leave this host (copying /usr/local/ca/*.pem would ship the CA private key to every client machine):

scp /usr/local/ca/ca.pem /usr/local/ca/cert.pem /usr/local/ca/key.pem 172.16.80.23:/root/.docker/
docker --tlsverify -H tcp://172.16.80.250:2375 ps

The docker client reads ~/.docker/{ca,cert,key}.pem by default. With --tlsverify it also defaults to port 2376, the conventional TLS port, while the daemon above still listens on 2375, so the port is given explicitly (or move the daemon's -H to tcp://0.0.0.0:2376). The endpoint added to Portainer in step (3) must be switched to TLS with the same client certificate, otherwise Portainer can no longer reach the host.
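The difference between the unit in step (3) and the one in step (6) is the whole security boundary of the remote host, and it is easy to lose on the next edit. The following is an added example, not from the page or from Docker, of a small audit of a systemd unit's ExecStart line: it fails for a tcp:// listener without --tlsverify (or with --tls only, which encrypts but does not authenticate the client), reports a listener that has --tlsverify but lacks one of --tlscacert/--tlscert/--tlskey, and warns when the listener is bound to 0.0.0.0. It only inspects the unit file; it does not talk to the daemon.

```sh
#!/bin/sh
# Added example (not from the page): audit the dockerd ExecStart line of a
# systemd unit. A daemon reachable over tcp:// without --tlsverify hands
# root on the host to anyone who can reach the port.

# Prints the dockerd command line (first ExecStart= line) from a unit file.
dockerd_cmdline() {
    sed -n 's/^ExecStart=//p' "$1" | head -n 1
}

# Classifies a dockerd command line. Return codes:
#   0 = no TCP listener, or TCP with --tlsverify and all three cert flags
#   1 = TCP listener without client verification (plaintext or --tls only)
#   2 = --tlsverify present but --tlscacert/--tlscert/--tlskey incomplete
# Only the "-H tcp://" / "--host tcp://" spellings are recognised.
classify_dockerd() {
    cmd=$1
    case " $cmd " in
        *" -H tcp://"*|*" -H=tcp://"*|*" --host tcp://"*|*" --host=tcp://"*) ;;
        *) return 0 ;;      # unix socket only: nothing exposed on the network
    esac
    case " $cmd " in *" --tlsverify "*|*" --tlsverify=true "*) ;; *) return 1 ;; esac
    for flag in --tlscacert --tlscert --tlskey; do
        case " $cmd " in *" $flag="*|*" $flag "*) ;; *) return 2 ;; esac
    done
    return 0
}

# 0 when the TCP listener is bound to every interface.
dockerd_binds_all() {
    case "$1" in *"tcp://0.0.0.0:"*|*"tcp://[::]:"*) return 0 ;; *) return 1 ;; esac
}

# Audits one unit file; exit status is the classification above (3 = no ExecStart).
audit_docker_unit() {
    cmd=$(dockerd_cmdline "$1")
    [ -n "$cmd" ] || { echo "$1: no ExecStart= line" >&2; return 3; }
    if classify_dockerd "$cmd"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "OK: $1" ;;
        1) echo "FAIL: $1 exposes the Docker API over TCP without --tlsverify" >&2 ;;
        2) echo "FAIL: $1 has --tlsverify but lacks --tlscacert/--tlscert/--tlskey" >&2 ;;
    esac
    if dockerd_binds_all "$cmd"; then
        echo "note: $1 binds all interfaces; firewall the port or bind the management IP" >&2
    fi
    return $rc
}

# usage: ./audit_docker_unit.sh /etc/systemd/system/docker.service
if [ $# -eq 1 ]; then audit_docker_unit "$1"; fi
```

Run it on both hosts after any change to docker.service; it is also cheap enough to put in a cron job that pages when the result is not 0.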


Reference:

https://www.yuque.com/gavinluo/blog/dgagz6#042f2f8a


4. Configure keepalived for a fixed VIP

Because keepalived drives LVS (IPVS) through its virtual_server configuration, one keepalived setup can provide both the floating VIP and the reverse-proxy (load-balancing) function.

yum -y install keepalived
 
cat /etc/keepalived/keepalived.conf
 
! Configuration File for keepalived
global_defs {
  notification_email {
    acassen@firewall.loc
    failover@firewall.loc
    sysadmin@firewall.loc
  }
  notification_email_from Alexandre.Cassen@firewall.loc
  smtp_server 192.168.200.1
  smtp_connect_timeout 30
 router_id cluster1
  script_user root
  enable_script_security
}
vrrp_sync_group mysql  {
       group {
              mysql
       }
}
vrrp_instance mysql {
   state BACKUP
   nopreempt
   interface eth0
   virtual_router_id 66
   priority 100
   advert_int 1
   authentication {
       auth_type PASS
       auth_pass 1111
   }
   virtual_ipaddress {
    172.16.80.251/22 dev eth0 scope global brd 172.16.83.255 label eth0:1
   }
}
virtual_server 172.16.80.251 4000 {
 delay_loop 6
   lb_algo rr
   lb_kind NAT
   persistence_timeout 50
   protocol TCP
   real_server 172.16.80.250 3306 {
       weight 1
       TCP_CHECK {
          connect_timeout 3
       }
   }
}

Here 172.16.80.251 is the VIP; it proxies individual ports on different physical (or virtual) machines. Note that the port given in virtual_server must not be in use by anything else on the director at the time.

persistence_timeout is a load-balancing parameter (it pins a client to the same real server for that many seconds), so with a single real_server it has no practical effect here. connect_timeout inside TCP_CHECK is the timeout, in seconds, of the health-check connection keepalived opens to the real server; it does not affect client connections to the VIP. Two further points to verify before relying on this setup: with lb_kind NAT the real server's replies must route back through the director (172.16.80.250's default gateway must be the keepalived host), otherwise clients never see a response; and VRRP auth_type PASS sends auth_pass in clear, so it only prevents accidental collisions between instances, not a deliberate rogue VRRP speaker on the same segment, which should be kept out by limiting IP protocol 112 to the keepalived hosts.
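As an added example (not from the page or from keepalived), the port requirement stated above can be checked before keepalived is started: list every virtual_server in the config and confirm nothing on the director already listens on that port. ss -H (iproute2 4.13 and later) is assumed; the check fails closed if ss is unavailable, and the parser assumes the keepalived layout used on this page (one virtual_server VIP PORT { line per service).

```sh
#!/bin/sh
# Added example (not from the page): confirm that every virtual_server port
# in a keepalived config is free on this director before starting keepalived.

# Prints "VIP PORT" for each virtual_server block in the config file.
keepalived_virtual_servers() {
    awk '$1 == "virtual_server" && NF >= 3 { print $2, $3 }' "$1"
}

# 0 if no local TCP listener on PORT, 1 if one exists, 2 if ss is missing
# (fail closed rather than report "free" on a host we cannot inspect).
tcp_port_free() {
    command -v ss >/dev/null 2>&1 || { echo "ss not found" >&2; return 2; }
    [ -z "$(ss -Hltn "sport = :$1")" ]
}

# 0 when every virtual_server port is free, 1 at the first busy one.
check_virtual_server_ports() {
    keepalived_virtual_servers "$1" | while read -r vip port; do
        if tcp_port_free "$port"; then
            echo "ok   $vip:$port"
        else
            echo "BUSY $vip:$port: stop the local listener or change the virtual_server port" >&2
            exit 1
        fi
    done
}

# usage: ./check_vs_ports.sh /etc/keepalived/keepalived.conf
if [ $# -eq 1 ]; then check_virtual_server_ports "$1"; fi
```

Run it on every keepalived node, not only the current MASTER, since after a failover the BACKUP becomes the director and its local listeners matter just as much.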