CentOS7部署DockerCompose：从零搭建容器编排环境

1. 环境准备与Docker安装在CentOS7上部署DockerCompose之前我们需要先确保系统环境符合要求。我遇到过不少新手直接跳过环境检查导致后续安装失败的案例所以这里特别强调准备工作的重要性。首先确认你的CentOS7系统是64位版本内核版本不低于3.10。这个要求其实绝大多数CentOS7系统都能满足但检查一下总没错uname -r如果看到类似3.10.0-1160.el7.x86_64的输出就说明内核版本OK。接下来建议更新系统所有包到最新版本这个步骤很多人会忽略但能避免很多奇怪的依赖问题yum update -y安装Docker的详细过程其实比想象中简单但有几个关键点需要注意。首先是卸载旧版本即使你确定没装过也建议执行一下yum remove -y docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-engine安装必要的依赖包时我发现很多教程漏掉了device-mapper-persistent-data和lvm2这两个包它们对Docker的存储驱动很重要yum install -y yum-utils device-mapper-persistent-data lvm2配置国内镜像源是必须的操作否则下载速度会让你怀疑人生。阿里云的源我用下来最稳定yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo sed -i sdownload.docker.commirrors.aliyun.com/docker-ce /etc/yum.repos.d/docker-ce.repo安装Docker CE社区版时建议明确指定版本号以避免兼容性问题。我习惯用这个命令查看可用版本yum list docker-ce --showduplicates | sort -r然后选择稳定版安装比如yum install -y docker-ce-20.10.122. Docker服务配置与优化安装完Docker后服务启动前的配置往往被新手忽视。首先是防火墙问题开发环境可以直接关闭生产环境需要单独配置规则systemctl stop firewalld systemctl disable firewalld启动Docker服务并设置开机自启systemctl start docker systemctl enable docker验证安装是否成功时别光看版本号我建议跑个测试容器docker run hello-world配置镜像加速器是提升体验的关键。阿里云、腾讯云等都有免费加速服务以阿里云为例先登录容器镜像服务控制台获取专属加速地址然后mkdir -p /etc/docker tee /etc/docker/daemon.json -EOF { registry-mirrors: [https://your-aliyun-mirror.mirror.aliyuncs.com] } EOF systemctl daemon-reload systemctl restart docker存储驱动选择也很重要特别是对生产环境。CentOS7默认使用devicemapper但 overlay2 性能更好# 查看当前存储驱动 docker info | grep Storage Driver # 如需修改为overlay2 vim /etc/docker/daemon.json # 添加storage-driver: overlay2日志管理是另一个需要关注的配置点避免日志文件撑爆磁盘# 在daemon.json中添加 log-driver: json-file, log-opts: { max-size: 100m, max-file: 3 }3. DockerCompose安装与配置DockerCompose的安装方式有多种我推荐直接下载二进制文件的方式比pip安装更干净。首先确认系统已安装curlyum install -y curl下载最新稳定版截至2023年7月是v2.18.1DOCKER_COMPOSE_VERSION$(curl -s https://api.github.com/repos/docker/compose/releases/latest | grep tag_name | cut -d\ -f4) curl -L https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose如果GitHub访问慢可以使用国内镜像curl -L https://get.daocloud.io/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose权限设置这一步很多人会忘记导致无法执行chmod x /usr/local/bin/docker-compose验证安装是否成功docker-compose --version命令补全功能虽然非必须但能极大提升效率。bash补全安装方法curl -L https://raw.githubusercontent.com/docker/compose/${DOCKER_COMPOSE_VERSION}/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose source ~/.bashrc如果遇到raw.githubusercontent.com无法访问的问题可以修改hostsecho 185.199.108.133 raw.githubusercontent.com /etc/hosts4. 私有镜像仓库搭建简化版私有仓库适合内部开发环境快速搭建一条命令即可docker run -d -p 5000:5000 --restartalways --name registry -v /opt/registry:/var/lib/registry registry:2测试仓库是否正常工作docker pull nginx:alpine docker tag nginx:alpine localhost:5000/my-nginx docker push localhost:5000/my-nginx curl http://localhost:5000/v2/_catalog带UI的私有仓库更直观推荐使用docker-compose部署。先创建docker-compose.ymlversion: 3 services: registry: image: registry:2 volumes: - ./registry-data:/var/lib/registry networks: - registry-net ui: image: joxit/docker-registry-ui:latest ports: - 8080:80 environment: - REGISTRY_URLhttp://registry:5000 depends_on: - registry networks: - registry-net networks: registry-net:启动服务docker-compose up -d配置非安全仓库时需要注意如果使用HTTP而不是HTTPS需要在daemon.json中添加{ insecure-registries: [your-registry-ip:5000] }生产环境建议配置HTTPS需要准备域名和SSL证书。这里分享一个我常用的自签名证书生成方法mkdir -p certs openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt然后修改docker-compose.yml中的registry服务配置registry: image: registry:2 ports: - 5000:5000 environment: REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt REGISTRY_HTTP_TLS_KEY: /certs/domain.key volumes: - ./registry-data:/var/lib/registry - ./certs:/certs5. 实战DockerCompose应用部署编写第一个compose文件时建议从简单应用开始。比如部署WordPress博客系统version: 3 services: db: image: mysql:5.7 volumes: - db_data:/var/lib/mysql environment: MYSQL_ROOT_PASSWORD: example MYSQL_DATABASE: wordpress MYSQL_USER: wordpress MYSQL_PASSWORD: wordpress wordpress: depends_on: - db image: wordpress:latest ports: - 8000:80 environment: WORDPRESS_DB_HOST: db:3306 WORDPRESS_DB_USER: wordpress WORDPRESS_DB_PASSWORD: wordpress WORDPRESS_DB_NAME: wordpress volumes: db_data:启动应用docker-compose up -d常用管理命令需要熟练掌握docker-compose ps查看服务状态docker-compose logs -f跟踪日志docker-compose down停止并删除容器docker-compose restart重启服务多环境配置是实际项目中的常见需求。我通常这样组织文件结构project/ ├── docker-compose.yml ├── .env ├── docker-compose.override.yml └── docker-compose.prod.yml通过环境变量文件(.env)管理敏感信息DB_PASSWORDsecurepassword CACHE_REDIS_URLredis://redis:6379然后在不同环境的compose文件中引用services: db: environment: MYSQL_ROOT_PASSWORD: ${DB_PASSWORD}性能调优方面有几个实用技巧合理设置资源限制services: app: deploy: resources: limits: cpus: 0.5 memory: 512M使用健康检查确保服务可用性healthcheck: test: [CMD, curl, -f, http://localhost] interval: 30s timeout: 10s retries: 3优化构建缓存# 把变化频率低的层放在前面 FROM node:14 WORKDIR /app COPY package.json yarn.lock ./ RUN yarn install COPY . .6. 常见问题排查与维护网络问题排查是DockerCompose使用中的高频问题。当容器间无法通信时我通常这样排查# 查看网络列表 docker network ls # 查看具体网络详情 docker network inspect projectname_default # 进入容器测试连通性 docker-compose run --rm app ping db数据卷管理也很重要特别是备份恢复场景。备份MySQL数据卷示例docker run --rm --volumes-from project_db_1 -v $(pwd):/backup alpine tar cvf /backup/backup.tar /var/lib/mysql恢复则是反向操作docker run --rm --volumes-from project_db_1 -v $(pwd):/backup alpine sh -c cd /var/lib/mysql tar xvf /backup/backup.tar --strip 1日志收集方案我推荐ELK栈简单配置如下version: 3 services: elasticsearch: image: docker.elastic.co/elasticsearch/elasticsearch:7.12.0 environment: - discovery.typesingle-node ports: - 9200:9200 logstash: image: docker.elastic.co/logstash/logstash:7.12.0 volumes: - ./logstash.conf:/usr/share/logstash/pipeline/logstash.conf depends_on: - elasticsearch kibana: image: docker.elastic.co/kibana/kibana:7.12.0 ports: - 5601:5601 depends_on: - elasticsearch对应的logstash.conf配置input { syslog { port 51415 } } output { elasticsearch { hosts [elasticsearch:9200] } }安全加固方面有几个必须做的措施定期更新镜像docker-compose pull docker-compose up -d使用非root用户运行容器services: app: user: 1000:1000限制容器能力cap_drop: - ALL cap_add: - NET_BIND_SERVICE配置只读文件系统read_only: true tmpfs: - /tmp