Some internal environments have to be deployed offline; the notes below are a reminder of how to do that.
Environment: CentOS 7.9
Files to prepare:
- docker-20.10.9.tgz, download from https://download.docker.com/linux/static/stable/x86_64/
- docker.service, contents below
- daemon.json, contents below
- install.sh, contents below
- docker-compose-linux-x86_64, optional: only needed if you want docker-compose, download from https://github.com/docker/compose/releases
Put all five files in the same directory.
Note: on this server the data disk is mounted at /data, so Docker's storage directory is placed under /data/docker; adjust install.sh and daemon.json as needed.
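Because the bundle is carried onto the offline host by hand, it is worth checking it before install.sh is run: that every file listed above is present, that the Docker tarball still matches the SHA-256 recorded when it was downloaded on a connected machine, that it actually contains the dockerd/docker/containerd binaries, and that daemon.json points at the intended data-root. The script below is an added example and not part of the original post; the expected checksum is an input the operator records at download time, and make_sample_bundle builds a constructed stand-in bundle with placeholder files so the check can be exercised without the real 60 MB archive.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of the offline bundle.

# verify_bundle DIR EXPECTED_SHA256 DATA_ROOT -> 0 when every check passes, 1 otherwise
verify_bundle() {
    dir="$1"; expected="$2"; data_root="$3"
    tgz="$dir/docker-20.10.9.tgz"
    # 1. every file the install script relies on must be present
    for f in docker-20.10.9.tgz docker.service daemon.json install.sh; do
        [ -f "$dir/$f" ] || { echo "missing file: $f" >&2; return 1; }
    done
    # 2. the archive must match the checksum recorded at download time
    actual=$(sha256sum "$tgz" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $tgz" >&2; return 1; }
    # 3. the static archive must contain the binaries install.sh moves to /usr/bin
    listing=$(tar -tzf "$tgz") || { echo "cannot list $tgz" >&2; return 1; }
    for bin in docker/dockerd docker/docker docker/containerd; do
        echo "$listing" | grep -qx "$bin" || { echo "archive lacks $bin" >&2; return 1; }
    done
    # 4. daemon.json must point at the data-root the host was prepared for
    grep -q "\"data-root\"[[:space:]]*:[[:space:]]*\"$data_root\"" "$dir/daemon.json" \
        || { echo "daemon.json data-root is not $data_root" >&2; return 1; }
    return 0
}

# make_sample_bundle DIR: constructed stand-in for the real bundle (placeholder scripts
# instead of the Docker binaries). Prints the SHA-256 of the generated tarball.
make_sample_bundle() {
    dir="$1"
    mkdir -p "$dir/docker"
    for bin in dockerd docker containerd; do
        printf '#!/bin/sh\necho placeholder %s\n' "$bin" > "$dir/docker/$bin"
    done
    (cd "$dir" && tar -czf docker-20.10.9.tgz docker) || return 1
    rm -rf "$dir/docker"
    printf '[Unit]\nDescription=placeholder\n' > "$dir/docker.service"
    printf '{ "iptables": false, "data-root": "/data/docker" }\n' > "$dir/daemon.json"
    printf '#!/bin/sh\necho placeholder install\n' > "$dir/install.sh"
    sha256sum "$dir/docker-20.10.9.tgz" | cut -d' ' -f1
}

# Stand-alone demonstration: a good bundle passes, a wrong checksum is rejected.
tmp=$(mktemp -d)
sum=$(make_sample_bundle "$tmp")
if verify_bundle "$tmp" "$sum" /data/docker; then echo "bundle OK"; fi
verify_bundle "$tmp" 0000deadbeef /data/docker 2>/dev/null && echo "unexpected" || echo "tampered archive rejected"
rm -rf "$tmp"
```

On the real host, replace the sample bundle with the directory holding the five files and pass the checksum you noted when downloading the tarball; run install.sh only when verify_bundle returns 0.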
1. Create docker.service
Run vi docker.service and paste in the following content:
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
2. Create daemon.json
Run vi daemon.json and paste in the following content. Note that "iptables": false stops Docker from managing iptables itself, which is why the firewalld steps later on are needed, and that the registry mirror is configured over plain http; prefer an https mirror if one is available.
{
  "iptables": false,
  "data-root": "/data/docker",
  "storage-driver": "overlay2",
  "log-level": "INFO",
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m",
    "max-file": "5"
  },
  "registry-mirrors": ["http://hub-mirror.c.163.com"]
}
3. Create install.sh
Run vi install.sh and paste in the following content:
#!/bin/sh
# install.sh
echo '创建docker group'
groupadd docker
gpasswd -a root docker
# an ordinary user can also be created and added to the group: useradd lin ; gpasswd -a lin docker
echo 'docker开始安装...'
echo '解压tar包...'
tar -xvf ./docker-20.10.9.tgz
chown root:docker docker/*
echo '将docker目录移到/usr/bin目录下...'
mv docker/* /usr/bin/
echo '将docker.service 移到/etc/systemd/system/ 目录...'
cp -f ./docker.service /etc/systemd/system
echo '添加文件权限...'
chmod +x /etc/systemd/system/docker.service
echo '创建docker root...'
# change this directory to suit your setup, and change data-root in daemon.json to match
mkdir -p /data/docker
echo '创建docker daemon.json ...'
mkdir -p /etc/docker
cp daemon.json /etc/docker/
echo '重新加载配置文件...'
systemctl daemon-reload
echo '设置开机自启...'
systemctl enable docker.service
echo '启动docker...'
systemctl start docker
if ! docker -v; then
    echo "docker 安装失败..."
    exit 1
fi
echo 'docker安装成功...'
echo '防火墙添加 masquerade'
# daemon.json sets iptables: false, so add masquerade so that containers can reach the outside
firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --reload
# install docker-compose only if it is needed; otherwise skip the rest
echo '安装docker-compose...'
mv docker-compose-linux-x86_64 /usr/local/bin/docker-compose
echo '添加 docker-compose 执行权限...'
chmod +x /usr/local/bin/docker-compose
if ! docker-compose -v; then
    echo "docker-compose 安装失败..."
    exit 1
fi
echo 'docker-compose 安装成功...'
4. Run it:
You can run the commands in install.sh one by one, or run the whole script directly: sh install.sh
Notes:
1. Everything above is run as root; an ordinary user needs sudo and must have root privileges.
2. daemon.json sets "iptables": false, so if the firewalld firewall is running, the ports of Docker containers are closed and have to be opened before they can be reached. For example, for a PostgreSQL container on port 5432:
# option 1: open to everyone
firewall-cmd --zone=public --add-port=5432/tcp --permanent
# option 2: open only to an address range (recommended)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.16.1/24" port protocol="tcp" port="5432" accept'
Finally run firewall-cmd --reload.
Alternatively, the "iptables": false setting can be dropped; the ports that Docker containers expose then need no firewall rule. Bear in mind that Docker then inserts its own iptables rules ahead of firewalld's, so a published port becomes reachable from any source and the per-range restriction of option 2 no longer applies.