Tag archive: docker

Installing Docker offline on CentOS

I. Introduction

Production servers often have no Internet access. To install the Docker service on such a host, the official recommendation is the pre-built static binary package. This article uses CentOS 7 as the example.

II. Prerequisites

  • A 64-bit installation
  • Linux kernel 3.10 or newer; the latest kernel available for your platform is recommended
  • iptables 1.4 or newer
  • git 1.7 or newer
  • A ps executable, usually provided by procps or a similar package
  • XZ Utils 4.9 or newer
  • A properly mounted cgroupfs hierarchy

III. Let's get started

1. Download (the official packages are here)
$ curl -LO https://download.docker.com/linux/static/stable/x86_64/docker-20.10.17.tgz
2. Unpack
$ tar -zxvf docker-20.10.17.tgz
3. Move the binaries to /usr/bin (the executable path the official docs recommend; put them there, otherwise systemd may fail to find and run them)
$ sudo cp docker/* /usr/bin/
4. Write the daemon unit file /etc/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
  
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
# The binaries were copied straight into /usr/bin, so the path is /usr/bin/dockerd, and a
# unix socket needs three slashes (unix:///var/run/docker.sock).
# The original line also listened on tcp://0.0.0.0:2375. That exposes the full API, which
# is root on the host, to anyone who can reach the port, with no authentication. Leave it
# out, or add it only together with --tlsverify and a client CA.
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
  
[Install]
WantedBy=multi-user.target
5. Reload the unit files
$ systemctl daemon-reload
6. Enable the service at boot (--now also starts it immediately)
$ systemctl enable --now docker.service
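The six steps above as one script, added here as an example; it is not part of the original post or of Docker's own install scripts. It assumes the tarball has the upstream layout (a top-level docker/ directory holding dockerd, docker, containerd, runc and friends) and that the operator supplies the tarball's SHA-256, obtained out of band on the machine that downloaded it, so a tampered or truncated copy is rejected before anything is unpacked. The unit it writes listens only on the unix socket. The function names, the kernel-version parser and the checksum argument are this example's own.

```shell
#!/usr/bin/env bash
# Added example for the offline install procedure (not Docker's own script).
# Assumptions: upstream tarball layout (docker/dockerd, docker/docker, ...),
# and a SHA-256 for the tarball supplied by the operator.
set -eu

# kernel_ok "3.10.0-1160.el7.x86_64" -> 0 when the kernel is 3.10 or newer.
kernel_ok() {
    local ver=${1%%-*} major rest minor     # drop the "-1160.el7..." suffix
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 3 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -ge 10 ]; then return 0; fi
    return 1
}

# verify_tarball FILE SHA256 -> 0 only when the digest matches.
verify_tarball() {
    local actual
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# install_binaries FILE PREFIX: unpack into a scratch dir and copy the
# binaries into PREFIX (the page uses /usr/bin). Fails if dockerd is absent.
install_binaries() {
    local tarball=$1 prefix=$2 tmp
    tmp=$(mktemp -d)
    tar -xzf "$tarball" -C "$tmp"
    [ -x "$tmp/docker/dockerd" ] || { rm -rf "$tmp"; return 1; }
    mkdir -p "$prefix"
    cp "$tmp"/docker/* "$prefix"/
    rm -rf "$tmp"
}

# write_unit PREFIX UNIT_PATH: the daemon listens on the unix socket only;
# tcp://0.0.0.0:2375 is deliberately absent (unauthenticated root access).
write_unit() {
    local prefix=$1 unit_path=$2
    cat > "$unit_path" <<EOF
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
ExecStart=$prefix/dockerd -H unix:///var/run/docker.sock
ExecReload=/bin/kill -s HUP \$MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# install_docker_offline TARBALL SHA256 [PREFIX]: the whole procedure, run as root.
install_docker_offline() {
    local tarball=$1 expected=$2 prefix=${3:-/usr/bin}
    kernel_ok "$(uname -r)" || { echo "kernel $(uname -r) is older than 3.10" >&2; return 1; }
    verify_tarball "$tarball" "$expected" || { echo "checksum mismatch for $tarball" >&2; return 1; }
    install_binaries "$tarball" "$prefix"
    write_unit "$prefix" /etc/systemd/system/docker.service
    systemctl daemon-reload
    systemctl enable --now docker.service
}
```

Run it as root with `install_docker_offline docker-20.10.17.tgz <sha256> /usr/bin`; afterwards `docker info` should answer over the unix socket and `ss -ltn` should show nothing listening on port 2375.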

Configuring a proxy for Docker

Background

In some lab environments the servers are not allowed to reach the Internet directly and must go through an HTTP proxy. The usual habit is to put the proxy variables in /etc/profile, which works for most tools. The docker command does not pick them up, because the network connections are made by the daemon, which systemd starts with its own environment rather than the login shell's. A docker pull that needs to download an image from the Internet then fails like this:

$ sudo docker pull hello-world

Unable to find image 'hello-world:latest' locally
Pulling repository docker.io/library/hello-world
docker: Network timed out while trying to connect to https://index.docker.io/v1/repositories/library/hello-world/images. You may want to check your internet connection or if you are behind a proxy..
See 'docker run --help'.

Solution

# create the drop-in directory /etc/systemd/system/docker.service.d
$ sudo mkdir -p /etc/systemd/system/docker.service.d

# write the drop-in (fill in the proxy host and port; use the http:// scheme for HTTPS_PROXY as well unless the proxy itself terminates TLS)
$ sudo vim /etc/systemd/system/docker.service.d/http_proxy.conf
[Service]
Environment="HTTP_PROXY=http://${proxy-addr}:${proxy-port}/" "HTTPS_PROXY=https://${proxy-addr}:${proxy-port}/" "NO_PROXY=localhost,127.0.0.1,docker-registry.somecorporation.com"

# reload the configuration and restart the docker service
$ sudo systemctl daemon-reload && sudo systemctl restart docker.service
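A small renderer for that drop-in, added as an example and not the post's own code. It assumes the proxy is reached over plain HTTP, so HTTPS_PROXY also gets the http:// scheme, and it always puts localhost and 127.0.0.1 in NO_PROXY so a local registry is never sent through the proxy. The function names and the placeholder host names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): write the systemd drop-in that
# gives dockerd an HTTP proxy. Assumption: the proxy speaks plain HTTP, so both
# HTTP_PROXY and HTTPS_PROXY use http://; https:// is only right when the proxy
# itself terminates TLS.
set -eu

# valid_proxy HOST:PORT -> 0 for a bare host:port, 1 if a scheme, a path or
# a second colon (IPv6 literal, not handled here) is present.
valid_proxy() {
    case $1 in
        *://*|*/*|*:*:*) return 1 ;;
        *:[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# render_proxy_dropin HOST:PORT "extra,no_proxy,hosts" OUTFILE
render_proxy_dropin() {
    local proxy=$1 extra_no_proxy=$2 out=$3 no_proxy="localhost,127.0.0.1"
    valid_proxy "$proxy" || { echo "proxy must be host:port, got '$proxy'" >&2; return 1; }
    if [ -n "$extra_no_proxy" ]; then no_proxy="$no_proxy,$extra_no_proxy"; fi
    mkdir -p "$(dirname "$out")"
    # One Environment= line per variable. systemd also accepts several quoted
    # assignments on one line, but putting all three inside a single pair of
    # quotes makes HTTP_PROXY's value "...  HTTPS_PROXY=..." and nothing works.
    cat > "$out" <<EOF
[Service]
Environment="HTTP_PROXY=http://$proxy/"
Environment="HTTPS_PROXY=http://$proxy/"
Environment="NO_PROXY=$no_proxy"
EOF
}

# Typical call (needs root for the real path):
# render_proxy_dropin proxy.example.internal:3128 docker-registry.somecorporation.com \
#     /etc/systemd/system/docker.service.d/http_proxy.conf
```

After `systemctl daemon-reload && systemctl restart docker`, `systemctl show --property=Environment docker` prints exactly what dockerd received, which is the first thing to check when a pull still times out.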

Non-root users have no permission to run docker commands

Problem

[yuy@localhost ~]$ docker ps
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.26/containers/json: dial unix /var/run/docker.sock: connect: permission denied

Analysis

Manage Docker as a non-root user

The docker daemon binds to a Unix socket instead of a TCP port. By
default that Unix socket is owned by the user root and other users can
only access it using sudo. The docker daemon always runs as the root
user.

If you don’t want to use sudo when you use the docker command, create
a Unix group called docker and add users to it. When the docker daemon
starts, it makes the ownership of the Unix socket read/writable by the
docker group.

Solution

Note before adding anyone: a member of the docker group can start a container with the host's root filesystem mounted and is therefore root on the host. Add only users you would give sudo.

# create the docker group
[yuy@localhost ~]$ sudo groupadd docker

# add the login user to the docker group
[yuy@localhost ~]$ sudo gpasswd -a $USER docker

# pick up the new group in the current session (run as the user, not with sudo; logging out and back in does the same)
[yuy@localhost ~]$ newgrp docker

# restart the docker service so it chowns the socket to the docker group (only needed if the group was created after dockerd started)
[yuy@localhost ~]$ sudo systemctl restart docker.service

# do NOT run the following: group membership is enough, and a world-writable socket gives every local user root on the host
# [yuy@localhost ~]$ sudo chmod a+rw /var/run/docker.sock

Script to add users to the docker group in bulk

#!/bin/bash
# author: Michael Ho

# user list
user_array=(
    zhouj
    zhangmy
    caimz
    yuy
)

# add the users to the docker group
add_user() {

    if [[ $EUID -ne 0 ]]; then
        echo -e "\033[31mThis script must be run as root ..\033[0m"
        exit 1
    fi

    # create the group only if it does not exist yet (groupadd fails otherwise)
    getent group docker >/dev/null || groupadd docker

    for i in "${user_array[@]}"; do
        if ! id "$i" >/dev/null 2>&1; then
            echo -e "\033[31m user $i does not exist, skipped \033[0m"
            continue
        fi
        gpasswd -a "$i" docker
        echo -e "\033[32m added $i to the docker group! \033[0m"
    done

    # newgrp only changes the group of an interactive shell and would block
    # the script here; the users pick up the group at their next login.
}

# main
main() {
    add_user

    # restart docker so the socket is chowned to the docker group
    # (only needed if the group did not exist when dockerd started)
    systemctl restart docker.service

    # Do not chmod a+rw /var/run/docker.sock: group membership is enough,
    # and a world-writable socket gives every local user root on the host.
}

# entry point
main
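An audit helper for this section, added here and not part of the original post. Both the manual steps and the script above end with the socket owned by root:docker, so the check is: mode 660 (or 600), group docker, and a docker group that contains only the intended users. The group line is passed in as a string so the function runs offline; on a live host it comes from `getent group docker`. The function names and the sample users are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit who can reach the Docker
# daemon socket. Write access to the socket, or docker group membership, is
# root-equivalent on the host. Uses GNU stat (Linux), which the page targets.
set -eu

# sock_mode_ok PATH -> 0 when the mode is 660 or 600 (never world-accessible).
sock_mode_ok() {
    local mode
    mode=$(stat -c '%a' "$1")
    case $mode in
        660|600) return 0 ;;
        *) return 1 ;;
    esac
}

# sock_group_ok PATH GROUP -> 0 when the socket's group is GROUP.
sock_group_ok() {
    [ "$(stat -c '%G' "$1")" = "$2" ]
}

# unexpected_members GROUP_LINE "allowed,users" -> prints the members of the
# group (an /etc/group style line such as "docker:x:992:alice,bob") that are
# not on the allow list, comma separated; prints nothing when all are allowed.
unexpected_members() {
    local rest=${1##*:} allowed=",$2," u out=""
    while [ -n "$rest" ]; do
        u=${rest%%,*}
        if [ "$u" = "$rest" ]; then rest=""; else rest=${rest#*,}; fi
        case $allowed in
            *,"$u",*) ;;
            *) out="$out${out:+,}$u" ;;
        esac
    done
    printf '%s' "$out"
}

# audit_docker_socket [SOCKET] [allowed,users] -> non-zero on any finding.
audit_docker_socket() {
    local sock=${1:-/var/run/docker.sock} allowed=${2:-} rc=0 extra
    sock_mode_ok "$sock" || { echo "FAIL: $sock mode is $(stat -c '%a' "$sock"), expected 660" >&2; rc=1; }
    sock_group_ok "$sock" docker || { echo "FAIL: $sock group is $(stat -c '%G' "$sock"), expected docker" >&2; rc=1; }
    extra=$(unexpected_members "$(getent group docker)" "$allowed")
    [ -z "$extra" ] || { echo "FAIL: unexpected docker group members: $extra" >&2; rc=1; }
    return $rc
}

# Usage on a host: audit_docker_socket /var/run/docker.sock "zhouj,zhangmy,caimz,yuy"
```

The mode check is what catches the chmod a+rw habit: after that command the socket reports 666 and the audit fails even though the group and its members look fine.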

Moving the Docker data directory /var/lib/docker

0. Stop the docker service
systemctl stop docker
1. Create the new directory
mkdir -p /data/docker/lib
2. Copy the data. -H, -A and -X keep hard links, ACLs and extended attributes, which overlay layers rely on; -z only adds CPU cost on a local copy
rsync -aHAXP /var/lib/docker /data/docker/lib/
3. Point the daemon at the new data directory in its unit file (this is the package's unit and is replaced on upgrade; a drop-in under /etc/systemd/system/docker.service.d/ or "data-root" in /etc/docker/daemon.json survives)
vim /lib/systemd/system/docker.service
# append to the ExecStart line (--graph is the deprecated older spelling of this option)
--data-root=/data/docker/lib/docker

4. Restart the docker service

systemctl daemon-reload && systemctl start docker

5. Check the service status

systemctl status docker
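Pre-flight checks and configuration for the move, added here as an example and not part of the original post. It assumes a current dockerd, where the option is called data-root, and writes it to /etc/docker/daemon.json instead of editing the unit file; dockerd refuses to start when the same option is given both as a flag and in daemon.json, so it must be set in one place only. The function names, the space check and the final verification via `docker info` are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): move the Docker data directory.
# Assumes a dockerd that understands "data-root" and GNU du/df/rsync.
set -eu

# enough_space SRC DST -> 0 when the filesystem holding DST has at least as
# much free space (KiB) as SRC currently uses.
enough_space() {
    local used avail
    used=$(du -sk "$1" | cut -f1)
    avail=$(df -Pk "$2" | awk 'NR==2 {print $4}')
    [ "$avail" -ge "$used" ]
}

# write_data_root CONFIG_PATH NEW_ROOT: writes a minimal daemon.json. Refuses
# to overwrite an existing file, because replacing it wholesale is how other
# settings (registry mirrors, log options, insecure registries) get lost.
write_data_root() {
    local cfg=$1 root=$2
    [ ! -e "$cfg" ] || { echo "$cfg exists; add \"data-root\": \"$root\" to it by hand" >&2; return 1; }
    mkdir -p "$(dirname "$cfg")"
    printf '{\n  "data-root": "%s"\n}\n' "$root" > "$cfg"
}

# migrate_docker_root [SRC] DST: the whole move, run as root. The trailing
# slash on SRC matters: "rsync -a SRC/ DST/" copies the contents, so
# /var/lib/docker/overlay2 becomes DST/overlay2, which is what data-root
# expects. -H keeps hard links, -A and -X keep ACLs and extended attributes
# (overlayfs marks whiteouts and opaque directories with xattrs); without
# them images can come back corrupt.
migrate_docker_root() {
    local src=${1:-/var/lib/docker} dst=$2
    systemctl stop docker
    mkdir -p "$dst"
    enough_space "$src" "$dst" || { echo "not enough free space at $dst" >&2; return 1; }
    rsync -aHAXP "$src/" "$dst/"
    write_data_root /etc/docker/daemon.json "$dst"
    systemctl daemon-reload && systemctl start docker
    # Verify before deleting anything: docker info reports the active root.
    [ "$(docker info --format '{{.DockerRootDir}}')" = "$dst" ] || { echo "daemon is not using $dst" >&2; return 1; }
    echo "verified; remove $src only after images and volumes have been checked"
}

# Usage: migrate_docker_root /var/lib/docker /data/docker/lib/docker
```

Keep the old directory until a few containers have been started from the new root; `docker images` and `docker volume ls` should list exactly what they did before the move.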