docker – David\'s blog

记录一个docker升级docker-ce问题

老系统装的docker发现很多镜像已经不再支持，查网上需要装docker-ce，卸载docker，添加源：https://download.docker.com/linux/centos/docker-ce.repo。安装docker-ce最后启动docker报异常：

journalctl -xe
-- The start-up result is done.
Dec 08 17:30:01 iZbp1j6nqn3qz7t3ojr1ccZ systemd[1]: Starting Session 2097629 of user root.
-- Subject: Unit session-2097629.scope has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit session-2097629.scope has begun starting up.
Dec 08 17:30:01 iZbp1j6nqn3qz7t3ojr1ccZ CROND[6511]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Dec 08 17:30:13 iZbp1j6nqn3qz7t3ojr1ccZ sshd[6516]: Invalid user ftpadmin from 47.96.36.95 port 39610
Dec 08 17:30:13 iZbp1j6nqn3qz7t3ojr1ccZ sshd[6516]: input_userauth_request: invalid user ftpadmin [preauth]
Dec 08 17:30:13 iZbp1j6nqn3qz7t3ojr1ccZ sshd[6516]: pam_unix(sshd:auth): check pass; user unknown
Dec 08 17:30:13 iZbp1j6nqn3qz7t3ojr1ccZ sshd[6516]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.96.36.95
Dec 08 17:30:15 iZbp1j6nqn3qz7t3ojr1ccZ sshd[6516]: Failed password for invalid user ftpadmin from 47.96.36.95 port 39610 ssh2
Dec 08 17:30:15 iZbp1j6nqn3qz7t3ojr1ccZ sshd[6516]: Received disconnect from 47.96.36.95 port 39610:11: Bye Bye [preauth]
Dec 08 17:30:15 iZbp1j6nqn3qz7t3ojr1ccZ sshd[6516]: Disconnected from 47.96.36.95 port 39610 [preauth]
Dec 08 17:31:08 iZbp1j6nqn3qz7t3ojr1ccZ polkitd[502]: Registered Authentication Agent for unix-process:6549:6800316710 (system bus name :1.4195603 [/usr/bin/pkttyagent --notify-fd 5 --fallback],
Dec 08 17:31:08 iZbp1j6nqn3qz7t3ojr1ccZ systemd[1]: Starting Docker Application Container Engine...
-- Subject: Unit docker.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit docker.service has begun starting up.
Dec 08 17:31:08 iZbp1j6nqn3qz7t3ojr1ccZ dockerd[6555]: time="2023-12-08T17:31:08.763547319+08:00" level=info msg="Starting up"
Dec 08 17:31:08 iZbp1j6nqn3qz7t3ojr1ccZ dockerd[6555]: time="2023-12-08T17:31:08.798534673+08:00" level=error msg="[graphdriver] /var/lib/docker contains several valid graphdrivers: overlay2, de
Dec 08 17:31:08 iZbp1j6nqn3qz7t3ojr1ccZ dockerd[6555]: failed to start daemon: error initializing graphdriver: /var/lib/docker contains several valid graphdrivers: overlay2, devicemapper; cleanu
Dec 08 17:31:08 iZbp1j6nqn3qz7t3ojr1ccZ systemd[1]: docker.service: main process exited, code=exited, status=1/FAILURE
Dec 08 17:31:08 iZbp1j6nqn3qz7t3ojr1ccZ systemd[1]: Failed to start Docker Application Container Engine.
-- Subject: Unit docker.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit docker.service has failed.
-- 
-- The result is failed.
Dec 08 17:31:08 iZbp1j6nqn3qz7t3ojr1ccZ systemd[1]: Unit docker.service entered failed state.
Dec 08 17:31:08 iZbp1j6nqn3qz7t3ojr1ccZ systemd[1]: docker.service failed.
Dec 08 17:31:08 iZbp1j6nqn3qz7t3ojr1ccZ polkitd[502]: Unregistered Authentication Agent for unix-process:6549:6800316710 (system bus name :1.4195603, object path /org/freedesktop/PolicyKit1/Auth
Dec 08 17:31:11 iZbp1j6nqn3qz7t3ojr1ccZ systemd[1]: docker.service holdoff time over, scheduling restart.
Dec 08 17:31:11 iZbp1j6nqn3qz7t3ojr1ccZ systemd[1]: Starting Docker Application Container Engine...
-- Subject: Unit docker.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit docker.service has begun starting up.

最后看到这个贴：https://zhuanlan.zhihu.com/p/660028084。

rm -rf /var/lib/docker/*
systemctl start docker

终于能启动了

阿里云Kubernetes 托管版起步的经验

服务器原来是部署在swram集群的，后来阿里云不再支持，开始往k8s上迁移。

1，降低成本:
参考了网上的帖子，那贴后来被删了，还好有备份。服务器少的话，可以删掉NAT。只要自己的服务器有公网ip或eip就行了。如果使用NAT每年成本得3-4000元。我们只有2台服务器，就把NAT去掉了。负载均衡也会给分配个公网的，不过这个服务标记了禁止删除，就还是别删了。

2，日志服务。ingress如果一开始没勾选的话，自己配还有点麻烦，并且网页版本的管理命令行不好用。跟客服沟通改用服务器自己的了。改用ingress代替之前的nginx入口服务器。ingress是托管服务的系统组件，日志格式最好就别改了。问题是之前会有个总nginx记录post信息用于调试。现在只能改在应用里记录post信息。

3，ingress里可以配置目录转发。不过阿里云网页编辑的验证不够严谨。如果配置错误会影响全局的ingress路由配置。新增配置会不生效。我是发现不生效后查ingress的日志，在报错，才发现有的配置错了。

win中cmd调用npm脚本的办法

打docker包，需要打node环境的镜像
先用bat命令行编译vue的代码
直接用npm install 无法按正常顺序执行，每个npm命令没有阻塞会并发运行
之后改用start /wait 可以顺序执行完但每次会弹出个新窗口，并且子窗口完成后需要手动关闭，并且在主装口选择是否继续
最后改用call 很好用，能正常在一个窗口中顺序执行

aliyun在docker容器服务里配置elasticsearch5

第一步，制作镜像。官方镜像没有x-pack。

FROM kibana:5.6.3
ENV TIME_ZONE Asia/Shanghai
RUN cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
&& echo "${TIME_ZONE}" > /etc/timezone
RUN kibana-plugin install x-pack
EXPOSE 5601

第二部，多节点发布
这里举例发布一个主节点，一个数据节点。
aliyun的容器里配置

elasticsearch:
      container_name: elasticsearch
      restart: always
      environment:

        - LANG=C.UTF-8
        - JAVA_HOME=/docker-java-home/jre

        - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      expose:
        - '9200:9200/tcp'
        - '9300:9300/tcp'
      memswap_limit: 0
      labels:
        aliyun.scale: '1'
      command:

        - elasticsearch 
        - '-E'
        - cluster.name=searcher #所有节点设置成一样的
        - '-E'
        - node.master=true #主节点true，数据节点false
        - '-E'
        - node.name=elasticsearch #节点名不能一样
  
        - '-E'
        - network.host=172.19.0.27#这里需要些容器的ip否则互相找不到，而且不能加引号
        - '-E'
        - discovery.zen.ping.unicast.hosts=172.19.0.32:9300 #互相发现的节点和ip
      shm_size: 0
      #image: 'elasticsearch:5.6.3' #如果不装或手动装xpack的话可以用官方镜像。官方镜像安装xpack比较消内存，可能因内存不足提示killed安装失败。
      image: 'xx[这里是你的镜像]x/elastic_search:0.1.0'
      memswap_reservation: 0
      volumes:
        - esdata1:/usr/share/elasticsearch/data
      kernel_memory: 0
      mem_limit: 0

远程/集群/docker设置php-fpm无法访问的问题

php-fpm.conf或者php-conf.d/www.conf里有这样的配置

listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1

docker里设置后外部无法访问。
改成：

listen = 9000
;listen.allowed_clients = 127.0.0.1
所有ip可用，如果涉及到安全问题，需要单独设置ip.