這篇文章主要介紹“nginx+docker怎么實(shí)現(xiàn)paas”����,在日常操作中�����,相信很多人在nginx+docker怎么實(shí)現(xiàn)paas問題上存在疑惑�����,小編查閱了各式資料����,整理出簡單好用的操作方法,希望對大家解答”nginx+docker怎么實(shí)現(xiàn)paas”的疑惑有所幫助��!接下來���,請跟著小編一起來學(xué)習(xí)吧!
創(chuàng)新互聯(lián) - 聯(lián)通機(jī)房服務(wù)器托管�,四川服務(wù)器租用�,成都服務(wù)器租用���,四川網(wǎng)通托管,綿陽服務(wù)器托管�,德陽服務(wù)器托管�����,遂寧服務(wù)器托管���,綿陽服務(wù)器托管�,四川云主機(jī)�,成都云主機(jī),西南云主機(jī)����,聯(lián)通機(jī)房服務(wù)器托管,西南服務(wù)器托管���,四川/成都大帶寬��,成都機(jī)柜租用�,四川老牌IDC服務(wù)商
前置
更新了安裝說明���。集中化了全局變量��,注意deps prepare部分��,bridge-utils是為了控制cni制造的那個(gè)openfaas0虛擬網(wǎng)卡用�����。安裝docker.io����,是ubuntu上它可以同時(shí)安裝containerd1.3.3和runc
從Docker 1.11開始,Docker容器運(yùn)行已經(jīng)不是簡單的通過Docker daemon來啟動(dòng)�����,而是集成了containerd�����、runC等多個(gè)組件�。如果去搜索一番,就會(huì)發(fā)現(xiàn):docker-containerd 就是 containerd���,而 docker-runc 就是 runc�。containerd是真正管控容器的daemon�����,執(zhí)行容器的時(shí)候用的是runc�����。 為什么 要分的七零八散呢��?為了防止docker一家獨(dú)大,docker當(dāng)年的實(shí)現(xiàn)被拆分出了幾個(gè)標(biāo)準(zhǔn)化的模塊,,標(biāo)準(zhǔn)化的目的是模塊是可被其他實(shí)現(xiàn)替換的,其實(shí)也是為了實(shí)現(xiàn)類llvm的組件化可開發(fā)效果(軟件抽象上����,源頭如果有分才能合,如果一開始就是合的就難分)�����。也是為了分布式效果����。docker也像git一樣做分布式部件化了,分布式就是設(shè)置2個(gè)部件�����,cliserver,這樣在本地和遠(yuǎn)程都可這樣架構(gòu)��。
而為什么是dockerio而不是docker-ce: 事實(shí)是我還發(fā)現(xiàn)�,有些系統(tǒng)上,安裝了docker-ce再安裝containerd�。會(huì)導(dǎo)致系統(tǒng)出問題Cannot connect to the Docker daemon at 。docker與containerd不兼容���,所以只好安裝ubuntu維護(hù)的docker.io這種解決了containerd依賴的���,它默認(rèn)依賴containerd和runc(不過稍后我們會(huì)提到替換升級containerd的版本)。我們選用加入了最新cn ubuntu deb src后apt-get update得到的sudo apt install docker.io=19.03.6-0ubuntu1~18.04.1�����,sudo apt-cache madison docker.io出來的版本.
#!/bin/bash
## currently tested under ubuntu1804 64b,easy to be ported to centos(can be tested with replacing apt-get and /etc/systemd/system)
## How to use this script in a cloudhost
## su root and then: ./panel.sh -d 'your domain to be binded' -m 'email you use to pass to certbot' -p 'your inital passwords'(email and passwords are not neccessary,feed email only if you encount the "toomanyrequestofagivetype" error)
## (no prefix https/http needed,should bind to the right ip ahead for laster certbot working)
export DOMAIN_NAME=''
export EMAIL_NAME='some@some.com'
export PANEL_TYPE='0'
export PASS_INIT='5cTWUsD75ZgL3VJHdzpHLfcvJyOrUnza1jr6KXry5pXUUNmGtqmCZU4yGoc9yW4'
MIRROR_PATH="http://default-8g95m46n2bd18f80.service.tcloudbase.com/d/demos"
# the pai backend
SERVER_PATH=${MIRROR_PATH}/pai/pai-agent/stable/pai_agent_framework
PAI_MATE_SERVER_PATH=${MIRROR_PATH}/pai/pai-mate/stable/install
# the openfaas backend
OPENFAAS_PATH=${MIRROR_PATH}/faasd
# the code-server web ide
CODE_SERVER_PATH=${MIRROR_PATH}/codeserver
#install dir
INSTALL_DIR="/root/.local"
CONFIG_DIR="/root/.config"
# datadir only for pai and common data
DATA_DIR="/data"
while [[ $# -ge 1 ]]; do
case $1 in
-d|--domain)
shift
DOMAIN_NAME="$1"
shift
;;
-m|--mail)
shift
EMAIL_NAME="$1"
shift
;;
-t|--paneltype)
shift
PANEL_TYPE="$1"
shift
;;
-p|--passinit)
shift
PASS_INIT="$1"
shift
;;
*)
if [[ "$1" != 'error' ]]; then echo -ne "\nInvaild option: '$1'\n\n"; fi
echo -ne " Usage(args are self explained):\n\tbash $(basename $0)\t-d/--domain\n\t\t\t\t\-m/--mail\n\t\t\t\t\-t/--paneltype\n\t\t\t\t-p/--passinit\n\t\t\t\t\n"
exit 1;
;;
esac
done
[[ "$EUID" -ne '0' ]] && echo "Error:This script must be run as root!" && exit 1;
beginTime=$(date +%s)
# write log with time
writeProgressLog() {
echo "[`date '+%Y-%m-%d %H:%M:%S'`][$1][$2]"
echo "[`date '+%Y-%m-%d %H:%M:%S'`][$1][$2]" >> ${DATA_DIR}/h6/access.log
}
# update install progress
updateProgress() {
progress=$1
message=$2
status=$3
installType=$4
# echo "=====================$installType progress======================="
echo "=======================$installType progress=======================" >> ${DATA_DIR}/h6/access.log
writeProgressLog "installType" $installType
writeProgressLog "progress" $progress
writeProgressLog "status" $status
echo $message >> ${DATA_DIR}/h6/access.log
if [ $status == "0" ]; then
code=0
message="success"
else
code=1
message="$installType error"
# exit 1
fi
cat << EOF > ${DATA_DIR}/h6/progress.json
{
"code": $code,
"message": "$message",
"data": {
"installType": "$installType",
"progress": $progress
}
}
EOF
if [ $status == "0" ]; then
code=0
message="success"
else
code=1
message="$installType error"
# exit 1
fi
if [ $status != "0" ]; then
echo $message >> ${DATA_DIR}/h6/installErr.log
fi
}
echo "=====================begin .....====================="
echo "PANEL_TYPE: ${PANEL_TYPE}"
echo "DOMAIN_NAME: ${DOMAIN_NAME}"
echo "SERVER_PATH: ${MIRROR_PATH}"
echo "OPENFAAS_PATH: ${OPENFAAS_PATH}"
echo "PAI_MATE_SERVER_PATH: ${PAI_MATE_SERVER_PATH}"
echo "CODE_SERVER_PATH: ${CODE_SERVER_PATH}"
echo "INSTALL_DIR: ${INSTALL_DIR}"
rm -rf ${DATA_DIR}/h6
mkdir -p ${DATA_DIR}/h6
rm -rf ${DATA_DIR}/h6/index.json
rm -rf ${DATA_DIR}/logs
mkdir -p ${DATA_DIR}/logs
mkdir -p ${INSTALL_DIR}/bin
mkdir -p ${CONFIG_DIR}
echo "=====================deps prepare progress(this may take long...)======================="
msg=$( #begin
if [ $PANEL_TYPE == "0" ]; then
apt-key adv --recv-keys --keyserver keyserver.Ubuntu.com 3B4FE6ACC0B21F32
echo deb http://cn.archive.ubuntu.com/ubuntu/ bionic main restricted universe multiverse >> /etc/apt/sources.list
echo deb http://cn.archive.ubuntu.com/ubuntu/ bionic-security main restricted universe multiverse >> /etc/apt/sources.list
echo deb http://cn.archive.ubuntu.com/ubuntu/ bionic-updates main restricted universe multiverse >> /etc/apt/sources.list
echo deb http://cn.archive.ubuntu.com/ubuntu/ bionic-proposed main restricted universe multiverse >> /etc/apt/sources.list
echo deb http://cn.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse >> /etc/apt/sources.list
apt-get update
apt-get install docker.io=19.03.6-0ubuntu1~18.04.1 --no-install-recommends bridge-utils -y
apt-get install nginx python git python-certbot-nginx -y
# sed '1{:a;N;5!b a};$d;N;P;D' -i /etc/apt/sources.list
# apt-get update
else
apt-get update && apt-get install git nginx gcc python3.6 python3-pip python3-virtualenv python-certbot-nginx golang -y
fi 2>&1)
status=$?
updateProgress 30 "$msg" "$status" "deps prepare"基礎(chǔ)組件代碼:nginx front and docker backend
這部分雖然寫死了各條轉(zhuǎn)發(fā)��。但重點(diǎn)在于如何根據(jù)具體的轉(zhuǎn)發(fā)需要布置代碼���。這里的理論在于:如果代理服務(wù)器地址(proxy_pass后面那個(gè))中是帶有URI的��,此URI會(huì)替換掉 location 所匹配的URI部分�����。 而如果代理服務(wù)器地址中是不帶有URI的��,則會(huì)用完整的請求URL來轉(zhuǎn)發(fā)到代理服務(wù)器�。
confignginx() {
echo "=====================certbot renew+start+init progress======================="
systemctl enable nginx.service
systemctl start nginx
#cp -f /lib/systemd/system/certbot.service /etc/systemd/system/certbot-renew.service
#echo '[Install]' >> /etc/systemd/system/certbot-renew.service
#echo 'WantedBy=multi-user.target' >> /etc/systemd/system/certbot-renew.service
#cp -f /lib/systemd/system/certbot.timer /etc/systemd/system/certbot-renew.timer
# sed -i "s/renew/renew --nginx/g" /etc/systemd/system/certbot-renew.service
rm -rf /etc/systemd/system/certbot-renew.service
cat << 'EOF' > /etc/systemd/system/certbot-renew.service
[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
rm -rf /etc/systemd/system/certbot-renew.timer
cat << 'EOF' > /etc/systemd/system/certbot-renew.timer
[Unit]
Description=Run certbot twice daily
[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true
[Install]
WantedBy=timers.target
EOF
msg=$(
#first time renew
certbot certonly --quiet --standalone --agree-tos --non-interactive -m ${EMAIL_NAME} -d ${DOMAIN_NAME} --pre-hook "systemctl stop nginx"
systemctl daemon-reload
systemctl enable certbot-renew.service
systemctl start certbot-renew.service
systemctl start certbot-renrew.timer 2>&1)
status=$?
updateProgress 40 "$msg" "$status" "certbot renew+start+init"
echo "=====================nginx reconfig progress======================="
# add nginx conf
rm -rf /etc/nginx/conf.d/default.conf
cat << 'EOF' > /etc/nginx/conf.d/default.conf
server {
listen 443 http2 ssl;
listen [::]:443 http2 ssl;
server_name DOMAIN_NAME;
ssl on;
ssl_certificate /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/DOMAIN_NAME/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://localhost:PORT;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
proxy_set_header Accept-Encoding gzip;
}
location /pai/ {
proxy_pass http://localhost:5523;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
proxy_set_header Accept-Encoding gzip;
}
location /faasd/ {
proxy_pass http://localhost:8080/ui/;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
proxy_set_header Accept-Encoding gzip;
}
location /codeserver/ {
proxy_pass http://localhost:5000/;
proxy_redirect http:// https://;
proxy_set_header Host $host:443/codeserver;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
proxy_set_header Accept-Encoding gzip;
}
}
server {
listen 80;
server_name DOMAIN_NAME;
if ($host = DOMAIN_NAME) {
return 301 https://$host$request_uri;
}
return 404;
}
EOF
sed -i "s#DOMAIN_NAME#${DOMAIN_NAME}#g" /etc/nginx/conf.d/default.conf
if [ $PANEL_TYPE == "0" ]; then
sed -i "s#PORT#8080/functions/#g" /etc/nginx/conf.d/default.conf
else
sed -i "s#PORT#3000#g" /etc/nginx/conf.d/default.conf
fi
# restart nginx
msg=$( #begin
[[ $(systemctl is-active nginx.service) == "activating" ]] && systemctl reload nginx.service
systemctl restart nginx 2>&1)
status=$?
updateProgress 50 "$msg" "$status" "nginx reconfig"
}
confignginx為了讓docker能覆蓋安裝���,接下來腳本開頭處邏輯的清空了配置����,這里的重點(diǎn)問題是containerd與cni��,與openfaasd的復(fù)雜關(guān)系:
Container Network Interface (CNI) 最早是由CoreOS發(fā)起的容器網(wǎng)絡(luò)規(guī)范��,是Kubernetes網(wǎng)絡(luò)插件的基礎(chǔ)����。其基本思想為:Container Runtime在創(chuàng)建容器時(shí),先創(chuàng)建好network namespace��,然后調(diào)用CNI插件為這個(gè)netns配置網(wǎng)絡(luò)���,其后再啟動(dòng)容器內(nèi)的進(jìn)程?����,F(xiàn)已加入CNCF����,成為CNCF主推的網(wǎng)絡(luò)模型。CNI負(fù)責(zé)了在容器創(chuàng)建或刪除期間的所有與網(wǎng)絡(luò)相關(guān)的操作�,它將創(chuàng)建所有規(guī)則以確保從容器進(jìn)和出的網(wǎng)絡(luò)連接正常,但它并不負(fù)責(zé)設(shè)置網(wǎng)絡(luò)介質(zhì)���,例如創(chuàng)建網(wǎng)橋或分發(fā)路由以連接位于不同主機(jī)中的容器����。
這個(gè)工作由openfaasd等完成���。docker的這些組件->containerd+cni+ctr+runc�����,是由faasd來配置運(yùn)行的����。單獨(dú)啟動(dòng)第一次安裝完的containerd+cni+ctr+runc并不會(huì)啟動(dòng)cni和開啟網(wǎng)卡(單獨(dú)啟動(dòng)containerd提示cni conf not found沒關(guān)系它依然會(huì)啟動(dòng))���,需要openfaasd中的動(dòng)作給后者帶來cni和網(wǎng)卡配置�����。但這種結(jié)合很緊密���,使得接下來容器的完全清理工作有難度。
對于容器的清除���,用ctr tasks kill && ctr tasks delete && ctr container delete可以看到ps aux|grep manual看到主機(jī)空間的shim任務(wù)和/proc/id號/ns都被刪掉了��,但還是某些地方有殘留�。這是因?yàn)檫@二者很難分開,shim開啟的task關(guān)聯(lián)容器和/var/run/containerd無法清理����,導(dǎo)致前者很難單獨(dú)拔插/進(jìn)行配置卸載,也難于在下一次覆蓋安裝時(shí)能從0全新開始���。
而這其實(shí)是一個(gè)bug導(dǎo)致的,containerd cannot properly do "clean-up" with shim process during start up? #3971(https://github.com/containerd/containerd/issues/3971)�����,直到1.4.0beta才被解決(https://github.com/containerd/containerd/pull/4100/commits/488d6194f2080709d9667e00ff244fbdc7ff95b2)�����,但我測試了(cd /var/lib/faasd/ faasd up)��,只是效果好點(diǎn)��,1.3.3是提示id exists不能重建container�,1.40是提示/run/container下的files exists,同樣沒解決完全清理以全新覆蓋安裝containerd的需求����,所以我腳本中提示了“containerd install+start progress(this may hang long and if you over install the script you may encount /run/containerd device busy error,for this case you need to reboot to fix after scripts finished”,這個(gè)基本如果你遇到了var/run刪不掉錯(cuò)誤����,等安裝程序跑完,重啟即可����。
因此我選擇了1.40的containerd,它也同時(shí)解決了我開頭提到的�,gateway失效的問題。用的cni plugins還是0.8.5��,本來想用那個(gè)cri-containerd-cni-1.4.0-linux-amd64.tar.gz,但里面的cni是0.7.1��,與faasd要求的0.4.0不符。
對于cni的卸載和清除�����,則不屬于ctr的能控制范疇�����,cni沒有宿主機(jī)上的控制����,除非將進(jìn)程網(wǎng)絡(luò)命名空間恢復(fù)到主機(jī)目錄����,或在在容器網(wǎng)絡(luò)空間內(nèi)運(yùn)行IP命令來檢查網(wǎng)絡(luò)接口是否已正確設(shè)置,都挺麻煩�,用上面刪容器的ctr tasks kill && ctr tasks delete && ctr container delete三部曲刪可以看到ifconfig中五個(gè)task對應(yīng)的虛擬網(wǎng)卡也被干掉了,所以我也就沒有再深入研究cni的卸載邏輯�。
configdocker() {
[[ $(systemctl is-active faasd-provider) == "activating" ]] && systemctl stop faasd-provider
[[ $(systemctl is-active faasd) == "activating" ]] && systemctl stop faasd
[[ $(systemctl is-active containerd) == "activating" ]] && ctr image remove docker.io/openfaas/basic-auth-plugin:0.18.18 docker.io/library/nats-streaming:0.11.2 docker.io/prom/prometheus:v2.14.0 docker.io/openfaas/gateway:0.18.18 docker.io/openfaas/queue-worker:0.11.2 && for i in basic-auth-plugin nats prometheus gateway queue-worker; do ctr tasks kill -s SIGKILL $i;ctr tasks delete $i;ctr container delete $i; done && systemctl stop containerd && sleep 10
ps -ef|grep containerd|awk '{print $2}'|xargs kill -9
rm -rf /var/run/containerd /run/containerd
[[ ! -z "$(brctl show|grep openfaas0)" ]] && ifconfig openfaas0 down && brctl delbr openfaas0
rm -rf /etc/cni
echo "===============================cniplugins installonly================================="
msg=$( #begin
if [ ! -f "/tmp/cni-plugins-linux-amd64-v0.8.5.tar.gz" ]; then
wget --no-check-certificate -qO- ${MIRROR_PATH}/docker/containernetworking/plugins/v0.8.5/cni-plugins-linux-amd64-v0.8.5.tar.gz > /tmp/cni-plugins-linux-amd64-v0.8.5.tar.gz
fi
mkdir -p /opt/cni/bin
tar -xf /tmp/cni-plugins-linux-amd64-v0.8.5.tar.gz -C /opt/cni/bin
/sbin/sysctl -w net.ipv4.conf.all.forwarding=1 2>&1)
status=$?
updateProgress 50 "$msg" "$status" "cniplugins installonly"
echo "======containerd install+start progress(this may hang long and if you over install the script you may encount /run/containerd device busy error,for this case you need to reboot to fix after scripts finished)====="
msg=$( #begin
# del original deb by docker.io
rm -rf /usr/bin/containerd* /usr/bin/ctr
# replace with new bins
if [ ! -f "/tmp/containerd-1.4.0-linux-amd64.tar.gz" ]; then
wget --no-check-certificate -qO- ${MIRROR_PATH}/docker/containerd/v1.4.0/containerd-1.4.0-linux-amd64.tar.gz > /tmp/containerd-1.4.0-linux-amd64.tar.gz
fi
tar -xf /tmp/containerd-1.4.0-linux-amd64.tar.gz -C ${INSTALL_DIR}/bin/ --strip-components=1 && ln -sf ${INSTALL_DIR}/bin/containerd* /usr/local/bin/ && ln -sf ${INSTALL_DIR}/bin/ctr /usr/local/bin/ctr
rm -rf /etc/systemd/system/containerd.service
cat << 'EOF' > /etc/systemd/system/containerd.service
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target
#After=network.target containerd.socket containerd.service
#Requires=containerd.socket containerd.service
[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd
Type=notify
Delegate=yes
KillMode=process
#changed to mixed to let systemctl stop containerd kill shims
#KillMode=mixed
Restart=always
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=1048576
# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload && systemctl enable containerd
systemctl start containerd --no-pager 2>&1)
status=$?
updateProgress 50 "$msg" "$status" "containerd install+start"
}
configdocker到此,關(guān)于“nginx+docker怎么實(shí)現(xiàn)paas”的學(xué)習(xí)就結(jié)束了�,希望能夠解決大家的疑惑。理論與實(shí)踐的搭配能更好的幫助大家學(xué)習(xí)����,快去試試吧�����!若想繼續(xù)學(xué)習(xí)更多相關(guān)知識(shí)�����,請繼續(xù)關(guān)注創(chuàng)新互聯(lián)網(wǎng)站�����,小編會(huì)繼續(xù)努力為大家?guī)砀鄬?shí)用的文章��!
網(wǎng)頁題目:nginx+docker怎么實(shí)現(xiàn)paas
本文鏈接:
http://weahome.cn/article/pishej.html
重慶分公司
重慶分公司
