Customizing docker

The Docker systemd unit can be customized by overriding the unit that ships with the default CoreOS settings. Common use-cases for doing this are covered below.

Enable the remote API on a new socket (Test on Centos .latest docker 1.12)

新版的 Docker 使用 /etc/docker/daemon.json(Linux) 或者 %programdata%\docker\config\daemon.json(Windows) 来配置 Daemon。

请在该配置文件中加入(没有该文件的话,请先建一个):

{

  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:8400", "tcp://0.0.0.0:2375"],
  "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]

}

Enable the remote API on a new socket

Create a file called /etc/systemd/system/docker-tcp.socket to make Docker available on a TCP socket on port 2375.

[Unit]

Description=Docker Socket for the API

[Socket]

ListenStream=2375

BindIPv6Only=both

Service=docker.service

[Install]

WantedBy=sockets.target

Then enable this new socket:

systemctl enable docker-tcp.socket

systemctl stop docker

systemctl start docker-tcp.socket

systemctl start docker

Test that it’s working:

docker -H tcp://127.0.0.1:2375 ps

Cloud-config

To enable the remote API on every CoreOS machine in a cluster, use cloud-config. We need to provide the new socket file and Docker’s socket activation support will automatically start using the socket:

#cloud-config

coreos:

  units:

    - name: docker-tcp.socket

      command: start

      enable: true

      content: |

        [Unit]

        Description=Docker Socket for the API

        [Socket]

        ListenStream=2375

        BindIPv6Only=both

        Service=docker.service

        [Install]

        WantedBy=sockets.target

To keep access to the port local, replace the ListenStream configuration above with:

        [Socket]

        ListenStream=127.0.0.1:2375

Enable the remote API with TLS authentication

Docker TLS configuration consists of three parts: keys creation, configuring new systemd socket unit and systemd drop-in configuration.

TLS keys creation

Please follow the instruction to know how to create self-signed certificates and private keys. Then copy with following files into /etc/docker CoreOS’ directory and fix their permissions:

scp ~/cfssl/{server.pem,server-key.pem,ca.pem} coreos.example.com:

ssh core@coreos.example.com

sudo mv {server.pem,server-key.pem,ca.pem} /etc/docker/

sudo chown root:root /etc/docker/{server-key.pem,server.pem,ca.pem}

sudo chmod 0600 /etc/docker/server-key.pem

On your local host copy certificates into ~/.docker:

mkdir ~/.docker

chmod 700 ~/.docker

cd ~/.docker

cp -p ~/cfssl/ca.pem ca.pem

cp -p ~/cfssl/client.pem cert.pem

cp -p ~/cfssl/client-key.pem key.pem

Enable the secure remote API on a new socket

NOTE: For CoreOS releases older than 949.0.0 you must follow this guide.

Create a file called /etc/systemd/system/docker-tls-tcp.socket to make Docker available on a secured TCP socket on port 2376.

[Unit]

Description=Docker Secured Socket for the API

[Socket]

ListenStream=2376

BindIPv6Only=both

Service=docker.service

[Install]

WantedBy=sockets.target

Then enable this new socket:

systemctl enable docker-tls-tcp.socket

systemctl stop docker

systemctl start docker-tls-tcp.socket

Drop-in configuration

Create /etc/systemd/system/docker.service.d/10-tls-verify.conf drop-in for systemd Docker service:

[Service]

Environment="DOCKER_OPTS=--tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server.pem --tlskey=/etc/docker/server-key.pem"

Reload systemd config files and restart docker service:

sudo systemctl daemon-reload

sudo systemctl restart docker.service

Now you can access your Docker’s API through TLS secured connection:

docker --tlsverify -H tcp://server:2376 images

# or

docker --tlsverify -H tcp://server.example.com:2376 images

If you’ve experienceed problems connection to remote Docker API using TLS connection, you can debug it with curl:

curl -v --cacert ~/.docker/ca.pem --cert ~/.docker/cert.pem --key ~/.docker/key.pem https://server:2376

Or on your CoreOS host:

journalctl -f -u docker.service

In addition you can export environment variables and use docker client without additional options:

export DOCKER_HOST=tcp://server.example.com:2376 DOCKER_TLS_VERIFY=1

docker images

Cloud-config

Cloud-config for Docker TLS authentication will look like:

#cloud-config

write_files:

    - path: /etc/docker/ca.pem

      permissions: 0644

      content: |

        -----BEGIN CERTIFICATE-----

        MIIFNDCCAx6gAwIBAgIBATALBgkqhkiG9w0BAQswLTEMMAoGA1UEBhMDVVNBMRAw

        DgYDVQQKEwdldGNkLWNhMQswCQYDVQQLEwJDQTAeFw0xNTA5MDIxMDExMDhaFw0y

        NTA5MDIxMDExMThaMC0xDDAKBgNVBAYTA1VTQTEQMA4GA1UEChMHZXRjZC1jYTEL

        ... ... ...

    - path: /etc/docker/server.pem

      permissions: 0644

      content: |

        -----BEGIN CERTIFICATE-----

        MIIFajCCA1SgAwIBAgIBBTALBgkqhkiG9w0BAQswLTEMMAoGA1UEBhMDVVNBMRAw

        DgYDVQQKEwdldGNkLWNhMQswCQYDVQQLEwJDQTAeFw0xNTA5MDIxMDM3MDFaFw0y

        NTA5MDIxMDM3MDNaMEQxDDAKBgNVBAYTA1VTQTEQMA4GA1UEChMHZXRjZC1jYTEQ

        ... ... ...

    - path: /etc/docker/server-key.pem

      permissions: 0600

      content: |

        -----BEGIN RSA PRIVATE KEY-----

        MIIJKAIBAAKCAgEA23Q4yELhNEywScrHl6+MUtbonCu59LIjpxDMAGxAHvWhWpEY

        P5vfas8KgxxNyR+U8VpIjEXvwnhwCx/CSCJc3/VtU9v011Ir0WtTrNDocb90fIr3

        YeRWq744UJpBeDHPV9opf8xFE7F74zWeTVMwtiMPKcQDzZ7XoNyJMxg1wmiMbdCj

        ... ... ...

coreos:

  units:

    - name: docker-tls-tcp.socket

      command: start

      enable: true

      content: |

        [Unit]

        Description=Docker Secured Socket for the API

        [Socket]

        ListenStream=2376

        BindIPv6Only=both

        Service=docker.service

        [Install]

        WantedBy=sockets.target

    - name: docker.service

      drop-ins:

        - name: 10-tls-verify.conf

          content: |

            [Service]

            Environment="DOCKER_OPTS=--tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server.pem --tlskey=/etc/docker/server-key.pem"

Use attached storage for Docker images

Docker containers can be very large and debugging a build process makes it easy to accumulate hundreds of containers. It’s advantageous to use attached storage to expand your capacity for container images. Check out the guide to mounting storage to your CoreOS machine for an example of how to bind mount storage into /var/lib/docker.

Enabling the Docker debug flag

First, copy the existing unit from the read-only file system into the read/write file system, so we can edit it:

cp /usr/lib/systemd/system/docker.service /etc/systemd/system/

Edit the ExecStart line to add the -D flag:

ExecStart=/usr/bin/docker -d -s=btrfs -r=false -H fd:// -D

Now lets tell systemd about the new unit and restart Docker:

systemctl daemon-reload

systemctl restart docker

To test our debugging stream, run a Docker command and then read the systemd journal, which should contain the output:

docker ps

journalctl -u docker

Cloud-config

If you need to modify a flag across many machines, you can provide the new unit with cloud-config:

#cloud-config

coreos:

  units:

    - name: docker.service

      command: restart

      content: |

        [Unit]

        Description=Docker Application Container Engine

        Documentation=http://docs.docker.io

        After=network.target

        [Service]

        ExecStartPre=/bin/mount --make-rprivate /

        # Run docker but don't have docker automatically restart

        # containers. This is a job for systemd and unit files.

        ExecStart=/usr/bin/docker -d -s=btrfs -r=false -H fd:// -D

        [Install]

        WantedBy=multi-user.target

Use an HTTP proxy

If you’re operating in a locked down networking environment, you can specify an HTTP proxy for Docker to use via an environment variable. First, create a directory for drop-in configuration for Docker:

mkdir /etc/systemd/system/docker.service.d

Now, create a file called /etc/systemd/system/docker.service.d/http-proxy.conf that adds the environment variable:

[Service]

Environment="HTTP_PROXY=http://proxy.example.com:8080"

To apply the change, reload the unit and restart Docker:

systemctl daemon-reload

systemctl restart docker

Cloud-config

The easiest way to use this proxy on all of your machines is via cloud-config:

#cloud-config

coreos:

  units:

    - name: docker.service

      drop-ins:

        - name: 20-http-proxy.conf

          content: |

            [Service]

            Environment="HTTP_PROXY=http://proxy.example.com:8080"

      command: restart

Increase ulimits

If you need to increase certain ulimits that are too low for your application by default, like memlock, you will need to modify the Docker service to increase the limit. First, create a directory for drop-in configuration for Docker:

mkdir /etc/systemd/system/docker.service.d

Now, create a file called /etc/systemd/system/docker.service.d/increase-ulimit.conf that adds increased limit:

[Service]

LimitMEMLOCK=infinity

To apply the change, reload the unit and restart Docker:

systemctl daemon-reload

systemctl restart docker

Cloud-config

The easiest way to use these new ulimits on all of your machines is via cloud-config:

#cloud-config

coreos:

  units:

    - name: docker.service

      drop-ins:

        - name: 30-increase-ulimit.conf

          content: |

            [Service]

            LimitMEMLOCK=infinity

      command: restart

Using a dockercfg file for authentication

A json file .dockercfg can be created in your home directory that holds authentication information for a public or private Docker registry.

Read more about registry authentication.

https://coreos.com/os/docs/latest/customizing-docker.html

Customizing docker的更多相关文章

  1. 非节点主机通过内网远程管理docker swarm集群

    这是今天使用 docker swarm 遇到的一个问题,终于在睡觉前解决了,在这篇随笔中记录一下. 在 docker swarm 集群的 manager 节点上用 docker cli 命令可以正常管 ...

  2. Docker Network Configuration 高级网络配置

    Network Configuration TL;DR When Docker starts, it creates a virtual interface named docker0 on the ...

  3. 基于Github Actions + Docker + Git 的devops方案实践教程

    目录 为什么需要Devops 如何实践Devops 版本控制工具(Git) 学习使用 配置环境 源代码仓库 一台配置好环境的云服务器 SSH远程登录 在服务器上安装docker docker技术准备工 ...

  4. docker——容器安装tomcat

    写在前面: 继续docker的学习,学习了docker的基本常用命令之后,我在docker上安装jdk,tomcat两个基本的java web工具,这里对操作流程记录一下. 软件准备: 1.jdk-7 ...

  5. Docker笔记一:基于Docker容器构建并运行 nginx + php + mysql ( mariadb ) 服务环境

    首先为什么要自己编写Dockerfile来构建 nginx.php.mariadb这三个镜像呢?一是希望更深入了解Dockerfile的使用,也就能初步了解docker镜像是如何被构建的:二是希望将来 ...

  6. Docker 第一篇--初识docker

    已经多年不写博客, 看完<晓松奇谈>最后一期猛然觉醒, 决定仔细梳理下自己这几年的知识脉络. 既然决定写, 那么首先就从最近2年热门的开源项目Docker开始.Docker 这两年在国内很 ...

  7. 在docker中运行ASP.NET Core Web API应用程序(附AWS Windows Server 2016 widt Container实战案例)

    环境准备 1.亚马逊EC2 Windows Server 2016 with Container 2.Visual Studio 2015 Enterprise(Profresianal要装Updat ...

  8. docker for mac 学习记录

    docker基本命令 docker run -d -p 80:80 --name webserver nginx 运行容器并起别名 docker ps 展示目前启动的容器 docker ps -a 展 ...

  9. scrapy爬虫docker部署

    spider_docker 接我上篇博客,为爬虫引用创建container,包括的模块:scrapy, mongo, celery, rabbitmq,连接https://github.com/Liu ...

随机推荐

  1. linux-python在vim下的自动补全功能

    linux-python在vim下的自动补全功能 安装配置: wget https://github.com/rkulla/pydiction/archive/master.zipunzip -q m ...

  2. git命令行的操作实例教程

    Git 常用命令常用命令 创建新仓库 创建新文件夹,打开,然后执行 git init 1 以创建新的 git 仓库. 检出仓库 执行如下命令以创建一个本地仓库的克隆版本: git clone /pat ...

  3. 前端开发 - HTML/CSS

    概述 HTML是英文HyperText Mark-up Language(超文本标记语言)的缩写,他是一种制作万维网页面标准语言(标记). 相当于定义统一的一套规则,大家都来遵守他,这样就可以让浏览器 ...

  4. Android-Java构造代码块&构造方法隐式三行

    构造代码块: 描述Teacher对象/实体: package android.java.oop06; public class Teacher { private int id = 007; priv ...

  5. 分形之龙形曲线(Dragon Curve)

    龙形曲线(Dragon Curve)又叫分形龙,是一种自相似碎形曲线的统称,因形似龙的蜿蜒盘曲而得名. 一种简单的生成分形龙的方式是:拿着一条细长的纸带,把它朝下的一头拿上来,与上面的一头并到一起.用 ...

  6. 在windows10上创建ASP.NET mvc5+Memcached服务

    感谢两位两位大佬: https://blog.csdn.net/l1028386804/article/details/61417166 https://www.cnblogs.com/running ...

  7. qt在windows下编译遇到的一些问题

    软件是在linux上写的,然而搬到windows上来遇到了好多问题.... 想跪.... 首先就是压根编译不了的问题....这个问题困扰我好久了....一直报错undefined reference ...

  8. git fetch 、git pull 与 git pull --rebase

    1. git fetch 与 git pull 都是从远程拉取代码到本地,git fetch只是拉取到本地,git pull不仅拉取到本地还merge到本地分支中.所以git pull是git fet ...

  9. Liferay-Activiti 功能介绍 (新版Liferay7基本特性)

    一句话简介 Liferay是世界领先的开源企业门户(也可作为综合门户),是最强大(没有之一)的JAVA开源门户,在Gartner和Forrester和评价非常高,近几年已经超越了微软门户Sharepo ...

  10. 【2019北京集训2】duck 线段树优化建图+tarjan

    题目大意:给你$n$个点,第$i$个点有点权$v_i$.你需要将这$n$个点排成一排,第$i$个点的点权能被累加当且仅当这个点前面存在编号在$[l_i,r_i]$中的点,问你这些点应该如何排列,点权和 ...