docker.service 修改指南

vi /lib/systemd/system/docker.service

docker.service默认内容如下：

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
BindsTo=containerd.service
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3

# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity

# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity

# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes

# kill only the docker process, not all processes in the cgroup
KillMode=process

[Install]
WantedBy=multi-user.target

下面的配置都是在[Service]节点下的ExecStart属性后面加参数值，docker.service文件被修改后请执行systemctl daemon-reload && systemctl restart docker，如果配置未生效，请执行systemctl status docker查看服务状态。

开启远程API访问端口

添加-H 0.0.0.0:2375，端口可以随意指定，修改后的ExecStart如下：

ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H 0.0.0.0:2375

重新加载配置并重启docker

systemctl daemon-reload && systemctl restart docker

访问http://127.0.0.1:2375/info进行验证

修改bridge网络的ip段

执行docker network inspect bridge命令可以发现bridge网络默认的IP段是172.17.0.0/16，添加--bip 10.0.0.1/16修改默认IP段

ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --bip 10.0.0.1/16

重新加载配置并重启docker

systemctl daemon-reload && systemctl restart docker

启动一个nginx容器进行验证

docker run -dP --name nginx nginx
docker inspect --format '{{ .NetworkSettings.IPAddress }}' nginx
docker rm -f nginx

配置私有镜像仓库

以下示例配置develop-harbor.geostar.com.cn，test-harbor.geostar.com.cn，release-harbor.geostar.com.cn三个私有镜像仓库

ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock \
    --insecure-registry develop-harbor.geostar.com.cn \
    --insecure-registry test-harbor.geostar.com.cn \
    --insecure-registry release-harbor.geostar.com.cn \

重新加载配置并重启docker

systemctl daemon-reload && systemctl restart docker

手动拉取私有镜像仓库中的镜像验证

配置dns

以下示例配置114.114.114.114 和8.8.8.8两个dns服务器地址

ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock \
    --dns 114.114.114.114 \
    --dns 8.8.8.8

重新加载配置并重启docker

systemctl daemon-reload && systemctl restart docker

启动一个alpine容器镜像验证resolv.conf配置文件是否成功修改

docker run --rm alpine cat /etc/resolv.conf