Docker Swarm
Using Docker Swarm for container orchestration:
- Manager-Worker architecture (cluster state is synchronized with the Raft protocol);
- Service-Replicas model with load balancing built in;
- Overlay networks are synchronized automatically, without any shared storage;
- For production environments, Kubernetes is the more commonly recommended choice.
Setup
Setup options
- Vagrant + VirtualBox
- Docker Machine + VirtualBox
- Play with Docker (fastest, but a session only lasts 4 hours)
https://labs.play-with-docker.com/
swarm-manager
docker swarm init --advertise-addr=manager_ip # initialize the swarm, advertising this node's IP to the other nodes
docker node ls # list the nodes in the cluster
swarm-worker
docker swarm join --token xxx manager_ip:manager_port # join the swarm run by the manager as a worker (the token is printed by swarm init)
Service
docker service create --name demo busybox sh -c "while true; do sleep 3600; done" # create a service
docker service ls # show the running state of services
docker service ps demo # show the tasks of the service and the nodes they run on
docker ps # (run on the node where the task is scheduled) show the container's state
docker service scale demo=5 # scale the service out (tasks are spread evenly across the cluster)
docker rm -f xxx # force-remove one container by id (Swarm recreates a task automatically to keep the total at 5)
docker service rm demo # remove the service (and all of its containers)
Routing Mesh
- Containers reach each other by name; this is implemented with DNS-based service discovery
- Communication between containers on different nodes in Swarm mode: a container attached to an overlay network automatically gets a DNS record
- The DNS record maps to a virtual IP that never changes, while the actual container IPs behind it can change dynamically; this is what provides load balancing (LVS)
- Routing Mesh shows up in two forms:
  - Internal: container-to-container traffic over the overlay network (VXLAN tunnel)
  - Ingress: service-to-service traffic; if a service publishes a port, it can be reached on that port on any Swarm node (load balanced internally with IPVS)
docker network create -d overlay demo # create an overlay network
docker service create --name whoami -p 8000:8000 --network demo -d xxx/whoami
docker service scale whoami=2
docker service ps whoami
nslookup whoami # (inside a container on the demo network) resolve the virtual IP of whoami
nslookup tasks.whoami # resolve the actual IPs of all whoami tasks
Ingress
(I can't quite make sense of this part yet)
yum install -y ipvsadm
curl 127.0.0.1:8000 # reachable even on a node that runs no whoami task (the traffic is forwarded by iptables rules)
iptables -nL -t mangle # mangle rules that mark traffic for the published port
brctl show # bridges on the host
docker network ls
docker network inspect docker_gwbridge # the bridge that connects containers to the host network
ls /var/run/docker/netns # network namespaces created by docker
nsenter --net=/var/run/docker/netns/ingress_sbox # enter the ingress sandbox namespace
ipvsadm -l # IPVS load-balancing table inside the ingress sandbox
docker exec xxx ip a # interfaces of a container
Deploying WordPress
Container deployment
docker network create -d overlay demo
docker service create --name mysql --env MYSQL_ROOT_PASSWORD=root --env MYSQL_DATABASE=wordpress --network demo --mount type=volume,source=mysql-data,destination=/var/lib/mysql mysql
docker service create --name wordpress -p 80:80 --env WORDPRESS_DB_PASSWORD=root --env WORDPRESS_DB_HOST=mysql --network demo wordpress
docker service ls # show the state of the services (and which node each runs on)
docker service ps mysql
docker service ps wordpress
docker ps
Docker Stack
Stack-mode deployment (uses a compose file, but the build command is not allowed; images can only be pulled from a repository):
docker-compose.yml
version: '3'
services:
  web:
    image: wordpress
    ports:
      - 8080:80
    environment:
      WORDPRESS_DB_HOST: mysql
      WORDPRESS_DB_PASSWORD: root
    networks:
      - my-network
    depends_on:
      - mysql
    deploy:
      # endpoint_mode: vip (LVS, the default) / dnsrr (round-robin DNS)
      mode: replicated # can be scaled out with scale
      replicas: 3 # create 3 instances
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
      update_config: # update settings (i.e. redeploying after changing the compose file)
        parallelism: 1 # update only 1 task at a time
        delay: 10s # interval between updates
  mysql:
    image: mysql
    environment:
      MYSQL_ROOT_PASSWORD: root
      MYSQL_DATABASE: wordpress
    volumes:
      - mysql-data:/var/lib/mysql
    networks:
      - my-network
    deploy:
      mode: global # a single instance (one task per matching node); cannot be scaled out
      placement:
        constraints:
          - node.role == manager # mysql is always placed on a manager
volumes:
  mysql-data:
networks:
  my-network:
    driver: overlay
docker stack deploy wordpress --compose-file=docker-compose.yml
docker stack ls
docker stack services wordpress
docker stack ps wordpress
docker stack rm wordpress
In a browser:
manager_ip:8080 # container management visualizer
Docker Secret
- Stored in the Raft database of the Swarm manager nodes
- A secret can be assigned to a service so that the service can see it
- Inside the container a secret looks like a file, but it actually lives in memory
Credentials and other sensitive data used by services:
- usernames and passwords
- SSH keys
- TLS certificates
- other private data
echo "admin123" > password
docker secret create my_pw password # create a secret from a file
echo "adminadmin" | docker secret create my_pw2 - # create a secret from stdin ("-" reads the value from stdin)
rm -rf password # remove the plaintext file once the secret exists
docker secret ls
docker service create --name client --secret my_pw busybox sh -c "while true; do sleep 3600; done" # create a service and pass the secret to it
docker exec -it xxx sh
cd /run/secrets
cat my_pw
docker service create --name db --secret my_pw -e MYSQL_ROOT_PASSWORD_FILE=/run/secrets/my_pw mysql # point the mysql container at a root password file
docker service ps db
docker exec -it xxx sh
cat /run/secrets/my_pw
mysql -uroot -pxxx
Using secrets in a stack's compose file
version: '3'
services:
  web:
    image: wordpress
    ports:
      - 8080:80
    secrets:
      - my-pw
    environment:
      WORDPRESS_DB_HOST: mysql
      WORDPRESS_DB_PASSWORD_FILE: /run/secrets/my-pw
    networks:
      - my-network
    depends_on:
      - mysql
    deploy:
      mode: replicated
      replicas: 3
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
      update_config:
        parallelism: 1
        delay: 10s
  mysql:
    image: mysql
    secrets:
      - my-pw
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/my-pw
      MYSQL_DATABASE: wordpress
    volumes:
      - mysql-data:/var/lib/mysql
    networks:
      - my-network
    deploy:
      mode: global
      placement:
        constraints:
          - node.role == manager
volumes:
  mysql-data:
networks:
  my-network:
    driver: overlay
# every secret a service references must be declared at top level, otherwise stack deploy rejects the file
secrets:
  my-pw:
    file: ./password
    # or, for a secret already created with docker secret create: external: true
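The MYSQL_ROOT_PASSWORD_FILE / WORDPRESS_DB_PASSWORD_FILE variables used above follow the "_FILE" convention: the entrypoint reads the password from the secret file that Swarm mounts under /run/secrets instead of from a plain environment variable. The helper below is an added example, not the notes' own code and not the entrypoint of the mysql or wordpress images; `load_secret` is an assumed name, and the secret file is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: a minimal implementation of the *_FILE convention for an
# entrypoint script. Swarm mounts each secret as a tmpfs file under
# /run/secrets; reading it here keeps the value out of the command line and
# out of the environment that `docker inspect` shows for the container.

# load_secret VAR: if VAR_FILE is set, export VAR with the file's contents;
# otherwise leave VAR as it is. Setting both is an error. Prints nothing.
load_secret() {
    var="$1"
    eval "val=\${$var:-}"
    eval "file=\${${var}_FILE:-}"
    if [ -n "$val" ] && [ -n "$file" ]; then
        echo "error: both $var and ${var}_FILE are set" >&2
        return 1
    fi
    if [ -n "$file" ]; then
        if [ ! -r "$file" ]; then
            echo "error: ${var}_FILE=$file is not readable" >&2
            return 1
        fi
        # $(...) strips the trailing newline left by `echo "admin123" > password`
        val=$(cat "$file")
        export "$var=$val"
    fi
    unset val file
}

# Demonstration with a constructed secret file standing in for /run/secrets/my_pw
demo_secret_dir=$(mktemp -d)
printf 'admin123\n' > "$demo_secret_dir/my_pw"
MYSQL_ROOT_PASSWORD_FILE="$demo_secret_dir/my_pw"
load_secret MYSQL_ROOT_PASSWORD
# report only the length, never the value itself
echo "MYSQL_ROOT_PASSWORD loaded, ${#MYSQL_ROOT_PASSWORD} characters"
rm -rf "$demo_secret_dir"
```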
Service hot update
docker network create -d overlay demo # create the overlay network
docker service create --name web --publish 8080:5000 --network demo xxx/python-flask-demo:1.0 # create the service
docker service scale web=2 # run several replicas before updating
# image update (old and new versions may coexist while the update runs)
docker service update --image xxx/python-flask-demo:2.0 web
# port update (the service is unavailable for a short time)
docker service update --publish-rm 8080:5000 --publish-add 8088:5000 web
# keep requesting the service to watch the update progress
sh -c "while true; do curl 127.0.0.1:8080 & sleep 1; done"
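The curl loop only shows which version answers each request. The script below is an added example (not from the original notes) that checks the same thing from the scheduler's side: it reads the output of `docker service ps --format '{{.Name}} {{.Image}} {{.CurrentState}}' web`, counts the Running tasks per image tag, and reports whether old and new versions still coexist. The `running_by_image` and `update_settled` functions are assumed names, the image name xxx/python-flask-demo is the placeholder used in the notes, and the task list is constructed inline.

```shell
#!/bin/sh
# Added example: summarise which image versions are actually serving during
# `docker service update --image ...`. Shutdown tasks of the old image stay in
# the `docker service ps` listing, so only tasks in the Running state count.

# running_by_image: read "<task> <image> <state> ..." lines on stdin and print
# "<count> <image>" for every image that has Running tasks.
running_by_image() {
    awk '$3 == "Running" { n[$2]++ } END { for (i in n) print n[i], i }' | sort -k2
}

# update_settled IMAGE: succeed only when at least one task is Running and
# every Running task uses IMAGE (i.e. no old replicas are left serving).
update_settled() {
    want="$1"
    running_by_image | awk -v want="$want" '
        $2 != want { bad = 1 }
        END { if (NR == 0) bad = 1; exit bad ? 1 : 0 }'
}

# Constructed sample: the web service half-way through moving from 1.0 to 2.0.
sample_ps='web.1 xxx/python-flask-demo:2.0 Running 20 seconds ago
web.1 xxx/python-flask-demo:1.0 Shutdown 25 seconds ago
web.2 xxx/python-flask-demo:1.0 Running 5 minutes ago'

printf '%s\n' "$sample_ps" | running_by_image
if printf '%s\n' "$sample_ps" | update_settled xxx/python-flask-demo:2.0; then
    echo "update finished: only 2.0 is serving"
else
    echo "old and new versions still coexist"
fi
```

Against a live swarm, replace the constructed sample with `docker service ps --format '{{.Name}} {{.Image}} {{.CurrentState}}' web | running_by_image`.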