Customizing docker
Customizing docker
The Docker systemd unit can be customized by overriding the unit that ships with the default CoreOS settings. Common use-cases for doing this are covered below.
Enable the remote API on a new socket (Test on Centos .latest docker 1.12)
新版的 Docker 使用 /etc/docker/daemon.json(Linux) 或者 %programdata%\docker\config\daemon.json(Windows) 来配置 Daemon。
请在该配置文件中加入(没有该文件的话,请先建一个):
{
"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:8400", "tcp://0.0.0.0:2375"],
"registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]
}
Enable the remote API on a new socket
Create a file called /etc/systemd/system/docker-tcp.socket
to make Docker available on a TCP socket on port 2375.
[Unit]
Description=Docker Socket for the API
[Socket]
ListenStream=2375
BindIPv6Only=both
Service=docker.service
[Install]
WantedBy=sockets.target
Then enable this new socket:
systemctl enable docker-tcp.socket
systemctl stop docker
systemctl start docker-tcp.socket
systemctl start docker
Test that it’s working:
docker -H tcp://127.0.0.1:2375 ps
Cloud-config
To enable the remote API on every CoreOS machine in a cluster, use cloud-config. We need to provide the new socket file and Docker’s socket activation support will automatically start using the socket:
#cloud-config
coreos:
units:
- name: docker-tcp.socket
command: start
enable: true
content: |
[Unit]
Description=Docker Socket for the API
[Socket]
ListenStream=2375
BindIPv6Only=both
Service=docker.service
[Install]
WantedBy=sockets.target
To keep access to the port local, replace the ListenStream
configuration above with:
[Socket]
ListenStream=127.0.0.1:2375
Enable the remote API with TLS authentication
Docker TLS configuration consists of three parts: keys creation, configuring new systemd socket unit and systemd drop-in configuration.
TLS keys creation
Please follow the instruction to know how to create self-signed certificates and private keys. Then copy with following files into /etc/docker
CoreOS’ directory and fix their permissions:
scp ~/cfssl/{server.pem,server-key.pem,ca.pem} coreos.example.com:
ssh core@coreos.example.com
sudo mv {server.pem,server-key.pem,ca.pem} /etc/docker/
sudo chown root:root /etc/docker/{server-key.pem,server.pem,ca.pem}
sudo chmod 0600 /etc/docker/server-key.pem
On your local host copy certificates into ~/.docker
:
mkdir ~/.docker
chmod 700 ~/.docker
cd ~/.docker
cp -p ~/cfssl/ca.pem ca.pem
cp -p ~/cfssl/client.pem cert.pem
cp -p ~/cfssl/client-key.pem key.pem
Enable the secure remote API on a new socket
NOTE: For CoreOS releases older than 949.0.0 you must follow this guide.
Create a file called /etc/systemd/system/docker-tls-tcp.socket
to make Docker available on a secured TCP socket on port 2376.
[Unit]
Description=Docker Secured Socket for the API
[Socket]
ListenStream=2376
BindIPv6Only=both
Service=docker.service
[Install]
WantedBy=sockets.target
Then enable this new socket:
systemctl enable docker-tls-tcp.socket
systemctl stop docker
systemctl start docker-tls-tcp.socket
Drop-in configuration
Create /etc/systemd/system/docker.service.d/10-tls-verify.conf
drop-in for systemd Docker service:
[Service]
Environment="DOCKER_OPTS=--tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server.pem --tlskey=/etc/docker/server-key.pem"
Reload systemd config files and restart docker service:
sudo systemctl daemon-reload
sudo systemctl restart docker.service
Now you can access your Docker’s API through TLS secured connection:
docker --tlsverify -H tcp://server:2376 images
# or
docker --tlsverify -H tcp://server.example.com:2376 images
If you’ve experienceed problems connection to remote Docker API using TLS connection, you can debug it with curl
:
curl -v --cacert ~/.docker/ca.pem --cert ~/.docker/cert.pem --key ~/.docker/key.pem https://server:2376
Or on your CoreOS host:
journalctl -f -u docker.service
In addition you can export environment variables and use docker client without additional options:
export DOCKER_HOST=tcp://server.example.com:2376 DOCKER_TLS_VERIFY=1
docker images
Cloud-config
Cloud-config for Docker TLS authentication will look like:
#cloud-config
write_files:
- path: /etc/docker/ca.pem
permissions: 0644
content: |
-----BEGIN CERTIFICATE-----
MIIFNDCCAx6gAwIBAgIBATALBgkqhkiG9w0BAQswLTEMMAoGA1UEBhMDVVNBMRAw
DgYDVQQKEwdldGNkLWNhMQswCQYDVQQLEwJDQTAeFw0xNTA5MDIxMDExMDhaFw0y
NTA5MDIxMDExMThaMC0xDDAKBgNVBAYTA1VTQTEQMA4GA1UEChMHZXRjZC1jYTEL
... ... ...
- path: /etc/docker/server.pem
permissions: 0644
content: |
-----BEGIN CERTIFICATE-----
MIIFajCCA1SgAwIBAgIBBTALBgkqhkiG9w0BAQswLTEMMAoGA1UEBhMDVVNBMRAw
DgYDVQQKEwdldGNkLWNhMQswCQYDVQQLEwJDQTAeFw0xNTA5MDIxMDM3MDFaFw0y
NTA5MDIxMDM3MDNaMEQxDDAKBgNVBAYTA1VTQTEQMA4GA1UEChMHZXRjZC1jYTEQ
... ... ...
- path: /etc/docker/server-key.pem
permissions: 0600
content: |
-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEA23Q4yELhNEywScrHl6+MUtbonCu59LIjpxDMAGxAHvWhWpEY
P5vfas8KgxxNyR+U8VpIjEXvwnhwCx/CSCJc3/VtU9v011Ir0WtTrNDocb90fIr3
YeRWq744UJpBeDHPV9opf8xFE7F74zWeTVMwtiMPKcQDzZ7XoNyJMxg1wmiMbdCj
... ... ...
coreos:
units:
- name: docker-tls-tcp.socket
command: start
enable: true
content: |
[Unit]
Description=Docker Secured Socket for the API
[Socket]
ListenStream=2376
BindIPv6Only=both
Service=docker.service
[Install]
WantedBy=sockets.target
- name: docker.service
drop-ins:
- name: 10-tls-verify.conf
content: |
[Service]
Environment="DOCKER_OPTS=--tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server.pem --tlskey=/etc/docker/server-key.pem"
Use attached storage for Docker images
Docker containers can be very large and debugging a build process makes it easy to accumulate hundreds of containers. It’s advantageous to use attached storage to expand your capacity for container images. Check out the guide to mounting storage to your CoreOS machine for an example of how to bind mount storage into /var/lib/docker
.
Enabling the Docker debug flag
First, copy the existing unit from the read-only file system into the read/write file system, so we can edit it:
cp /usr/lib/systemd/system/docker.service /etc/systemd/system/
Edit the ExecStart
line to add the -D flag:
ExecStart=/usr/bin/docker -d -s=btrfs -r=false -H fd:// -D
Now lets tell systemd about the new unit and restart Docker:
systemctl daemon-reload
systemctl restart docker
To test our debugging stream, run a Docker command and then read the systemd journal, which should contain the output:
docker ps
journalctl -u docker
Cloud-config
If you need to modify a flag across many machines, you can provide the new unit with cloud-config:
#cloud-config
coreos:
units:
- name: docker.service
command: restart
content: |
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io
After=network.target
[Service]
ExecStartPre=/bin/mount --make-rprivate /
# Run docker but don't have docker automatically restart
# containers. This is a job for systemd and unit files.
ExecStart=/usr/bin/docker -d -s=btrfs -r=false -H fd:// -D
[Install]
WantedBy=multi-user.target
Use an HTTP proxy
If you’re operating in a locked down networking environment, you can specify an HTTP proxy for Docker to use via an environment variable. First, create a directory for drop-in configuration for Docker:
mkdir /etc/systemd/system/docker.service.d
Now, create a file called /etc/systemd/system/docker.service.d/http-proxy.conf
that adds the environment variable:
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:8080"
To apply the change, reload the unit and restart Docker:
systemctl daemon-reload
systemctl restart docker
Cloud-config
The easiest way to use this proxy on all of your machines is via cloud-config:
#cloud-config
coreos:
units:
- name: docker.service
drop-ins:
- name: 20-http-proxy.conf
content: |
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:8080"
command: restart
Increase ulimits
If you need to increase certain ulimits that are too low for your application by default, like memlock, you will need to modify the Docker service to increase the limit. First, create a directory for drop-in configuration for Docker:
mkdir /etc/systemd/system/docker.service.d
Now, create a file called /etc/systemd/system/docker.service.d/increase-ulimit.conf
that adds increased limit:
[Service]
LimitMEMLOCK=infinity
To apply the change, reload the unit and restart Docker:
systemctl daemon-reload
systemctl restart docker
Cloud-config
The easiest way to use these new ulimits on all of your machines is via cloud-config:
#cloud-config
coreos:
units:
- name: docker.service
drop-ins:
- name: 30-increase-ulimit.conf
content: |
[Service]
LimitMEMLOCK=infinity
command: restart
Using a dockercfg file for authentication
A json file .dockercfg
can be created in your home directory that holds authentication information for a public or private Docker registry.
Read more about registry authentication.
https://coreos.com/os/docs/latest/customizing-docker.html
Customizing docker的更多相关文章
- 非节点主机通过内网远程管理docker swarm集群
这是今天使用 docker swarm 遇到的一个问题,终于在睡觉前解决了,在这篇随笔中记录一下. 在 docker swarm 集群的 manager 节点上用 docker cli 命令可以正常管 ...
- Docker Network Configuration 高级网络配置
Network Configuration TL;DR When Docker starts, it creates a virtual interface named docker0 on the ...
- 基于Github Actions + Docker + Git 的devops方案实践教程
目录 为什么需要Devops 如何实践Devops 版本控制工具(Git) 学习使用 配置环境 源代码仓库 一台配置好环境的云服务器 SSH远程登录 在服务器上安装docker docker技术准备工 ...
- docker——容器安装tomcat
写在前面: 继续docker的学习,学习了docker的基本常用命令之后,我在docker上安装jdk,tomcat两个基本的java web工具,这里对操作流程记录一下. 软件准备: 1.jdk-7 ...
- Docker笔记一:基于Docker容器构建并运行 nginx + php + mysql ( mariadb ) 服务环境
首先为什么要自己编写Dockerfile来构建 nginx.php.mariadb这三个镜像呢?一是希望更深入了解Dockerfile的使用,也就能初步了解docker镜像是如何被构建的:二是希望将来 ...
- Docker 第一篇--初识docker
已经多年不写博客, 看完<晓松奇谈>最后一期猛然觉醒, 决定仔细梳理下自己这几年的知识脉络. 既然决定写, 那么首先就从最近2年热门的开源项目Docker开始.Docker 这两年在国内很 ...
- 在docker中运行ASP.NET Core Web API应用程序(附AWS Windows Server 2016 widt Container实战案例)
环境准备 1.亚马逊EC2 Windows Server 2016 with Container 2.Visual Studio 2015 Enterprise(Profresianal要装Updat ...
- docker for mac 学习记录
docker基本命令 docker run -d -p 80:80 --name webserver nginx 运行容器并起别名 docker ps 展示目前启动的容器 docker ps -a 展 ...
- scrapy爬虫docker部署
spider_docker 接我上篇博客,为爬虫引用创建container,包括的模块:scrapy, mongo, celery, rabbitmq,连接https://github.com/Liu ...
随机推荐
- POJ1468 Sorting Slides
Sorting Slides Time Limit: 1000MS Memory Limit: 10000K Total Submissions: 4442 Accepted: 1757 De ...
- POJ2536 Gopher II(二分图最大匹配)
Gopher II Time Limit: 2000MS Memory Limit: 65536K Total Submissions: 9005 Accepted: 3724 Descrip ...
- AngularJS 事件广播与接收 $broadcast,$emit,$on 作用域间通信 封装factory服务 发布订阅
不同作用域之间通过组合使用$broadcast,$emit,$on的事件广播机制来进行通信. 一.说明 1.广播 $broadcast 说明:将事件从父级作用域传播至本作用域及子级作用域. 格式:$b ...
- day05_雷神_函数进阶
#day05 1.迭代器 1.1可迭代对象 str,list,tuple,dict,set,range,文件句柄 等都是可迭代对象 第一种方法:在该对象中,含有__iter__方法的就是可迭代对象,遵 ...
- MacOS统计TCP/UDP端口号与对应服务
1.TCP端口 echo "### TCP LISTEN ###" lsof -nP -iTCP -sTCP:LISTEN 2.UDP端口 echo "### UDP L ...
- 【VB.NET】利用纯真IP数据库查询IP地址及信息
几年前从某个博客抄来的,已经忘记原地址了,如果需要C#版的,可以在博客园搜到吧.我因为自己用,所以转换为了VBNET代码,而且也放置了很久,今天无意间翻出来,就分享给大家吧. 首先,先下载 纯真数据库 ...
- CefSharp.v49.0.1浏览器控件完全WPF版,实现禁止弹出新窗口,在同一窗口打开链接,并且支持带type="POST" target="_blank"的链接
需求场景:在查询页面,填写查询条件,查询条件包括上传的图片,根据图片的特征查询,这就需要在提交的时候,使用POST提交,因为GET提交无法提交图片数据,提交查询条件之后,在新的窗口展示查询结果.(当然 ...
- SQL2014 尝试读取或写入受保护的内存。这通常指示其他内存已损坏
管理员身份运行 cmd -> 输入 netsh winsock reset
- .gitignore文件常用写法
一般的项目代码中会涉及到密码.key/secret等隐私内容,不适合上传github公开.这时可以使用.gitignore文件来屏蔽这些文件的提交. 你可能用到的写法如下 写法 含义 /build/ ...
- 【kuangbin专题】计算几何基础
1.poj2318 TOYS 传送:http://poj.org/problem?id=2318 题意:有m个点落在n+1个区域内.问落在每个区域的个数. 分析:二分查找落在哪个区域内.叉积判断点与线 ...