标签:集群 user back ops rop article complete put this
制作一个可以build docker镜像的docker镜像,jenkins CI服务节点,部署到阿里云的容器服务集群里.
阿里云官方有完整的镜像,master和slave的都有,时间稍微久远了一点,所以自己研究一下build个最新的版本.
dood的好处是内部容器并不需要真正的安装docker而是挂载父级docker的socket和执行文件就可以,但是缺点也非常明显,就是内部容器必须和外部的docker环境保持一致,不然会报各种错误,缺少库文件什么的,而且安全性有很大问题,Docker-in-Docker ,贴吧翻译版本, 这个项目的作者本身就不建议这么去使用docker(dind的方式),有安全性问题,存储问题
原文
Let’s take a step back here. Do you really want Docker-in-Docker? Or do you just want to be able to run Docker (specifically: build, run, sometimes push containers and images) from your CI system, while this CI system itself is in a container?
I’m going to bet that most people want the latter. All you want is a solution so that your CI system like Jenkins can start containers.
And the simplest way is to just expose the Docker socket to your CI container, by bind-mounting it with the -v flag.
Simply put, when you start your CI container (Jenkins or other), instead of hacking something together with Docker-in-Docker, start it with:
docker run -v /var/run/docker.sock:/var/run/docker.sock ...
Now this container will have access to the Docker socket, and will therefore be able to start containers. Except that instead of starting “child” containers, it will start “sibling” containers.
Try it out, using the docker official image (which contains the Docker binary):
docker run -v /var/run/docker.sock:/var/run/docker.sock -ti docker
This looks like Docker-in-Docker, feels like Docker-in-Docker, but it’s not Docker-in-Docker: when this container will create more containers, those containers will be created in the top-level Docker. You will not experience nesting side effects, and the build cache will be shared across multiple invocations.
Former versions of this post advised to bind-mount the docker binary from the host to the container. This is not reliable anymore, because the Docker Engine is no longer distributed as (almost) static libraries.
If you want to use e.g. Docker from your Jenkins CI system, you have multiple options:
翻译后
退一步, 是需要一个真正的 docker in docker,还是只想在类似jenkins这样的CI系统里要运行docker命令(build push images)
我想大部分人只是需要后者,你所需要的是你的ci系统可以启动容器,或者构建容器(这是我加的)
最简单的方式是启动容器的时候以-v的方式挂载宿主机的docker的socket给含有jenkins这种CI的容器使用
简单的说,启动你的CI 容器(jenkins或者其他), 而不是用docker-in-docker上hacking, 启动方法:
docker run -v /var/run/docker.sock:/var/run/docker.sock ...
这样这个容器就会可以访问到宿主机的docker socket并使用它,因为这个容器就有能力启动容器,这样他启动和操作的容器和他本身是兄弟关系,是平级的而不是父子关系.
试试官方的docker镜像, 包含二进制可执行程序
docker run -v /var/run/docker.sock:/var/run/docker.sock -ti docker
? jenkins docker run -v /var/run/docker.sock:/var/run/docker.sock -ti docker:17.05
Unable to find image ‘docker:17.05‘ locally
17.05: Pulling from library/docker
cfc728c1c558: Pull complete
81d7b2e827ca: Pull complete
144b6478a622: Pull complete
e04c57814bdc: Pull complete
Digest: sha256:da22b37a64e68f7b2199ba619f61e0b82f95d6fa4ed812b2d6c19e486d933ed0
Status: Downloaded newer image for docker:17.05
/ # which docker
/usr/local/bin/docker
/ # docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cae7df10f791 docker:17.05 "docker-entrypoint..." 20 seconds ago Up 19 seconds hungry_banach
d0c7c57ee2c9 jenkinsci/jenkins:lts "/bin/tini -- /usr..." 18 hours ago Up 8 hours 50000/tcp, 0.0.0.0:49001->8080/tcp vigilant_pasteur
/ # docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cae7df10f791 docker:17.05 "docker-entrypoint..." 23 seconds ago Up 22 seconds hungry_banach
512c903e80da django:test03 "/bin/bash" 10 hours ago Exited (0) 6 hours ago testdjango01
d0c7c57ee2c9 jenkinsci/jenkins:lts "/bin/tini -- /usr..." 18 hours ago Up 8 hours 50000/tcp, 0.0.0.0:49001->8080/tcp vigilant_pasteur
cb5527ee98c5 jenkinsci/jenkins:lts "/bin/tini -- /usr..." 18 hours ago Created vigilant_easley
fcd7e2089a0d 12c901436f44 "/bin/sh -c ‘echo ..." 19 hours ago Exited (127) 19 hours ago amazing_easley
0fb85d775afc 04b5d101ead1 "/bin/sh -c ‘set -..." 20 hours ago Exited (2) 19 hours ago gracious_swirles
2ff8dce9c205 ee4682994d35 "/bin/bash" 20 hours ago Exited (0) 19 hours ago testpython2
可以清楚的看到,这些结果都是宿主机上的docker的结果,所以这里使用的docker命令实际上的空间和进程都是在宿主机上的.
可以看一些这个镜像的Dockfile
这看起来像是docker-in-docker,但是实际上不是,当你要在这个容器里创建新的容器的时候,这些容器并不是在容器里被创建的,而是在host机器上创建的,你将不会受到内嵌的影响,构建缓存也在多实例间共享.
这篇文章的老版本建议bind docker的二进制文件从host到容器,这个说法已经不再可靠,因为docker 引擎不再发布静态库,所以单纯用挂载的方式使docker的二进制文件在容器和host间共享的方式不存在了,取而代之的是直接在容器内解压一个编译好的docker.
所以现在如果你想使用docker在jenkins CI的容器里,你有以下选择:
好了看了这么多,是时候自己构建一个供jenkins子节点使用的镜像了,包含docker,可以build和push镜像
我的场景如下
FROM ubuntu:xenial
MAINTAINER Vincent Wantchalk <ohergal@gmail.com>
RUN apt-get update
RUN apt-get -y install wget \
apt-utils locales tzdata build-essential apt-transport-https ca-certificates curl git openssh-server zlib1g zlib1g.dev openssl libssl-dev iptables && rm -rf /var/lib/apt/lists/*
RUN locale-gen en_US.UTF-8
RUN dpkg-reconfigure locales
RUN echo "Asia/shanghai" > /etc/timezone
RUN ln -fs /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
&& dpkg-reconfigure -f noninteractive tzdata
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8
# To avoid annoying "perl: warning: Setting locale failed." errors,
# do not allow the client to pass custom locals, see:
# http://stackoverflow.com/a/2510548/15677
# RUN sed -i ‘s/^AcceptEnv LANG LC_\*$//g‘ /etc/ssh/sshd_config
RUN apt-get -q update && DEBIAN_FRONTEND="noninteractive" apt-get -q install -y -o Dpkg::Options::="--force-confnew" --no-install-recommends software-properties-common && add-apt-repository -y ppa:openjdk-r/ppa && apt-get -q update && DEBIAN_FRONTEND="noninteractive" apt-get -q install -y -o Dpkg::Options::="--force-confnew" --no-install-recommends openjdk-8-jdk && apt-get -q clean -y && rm -rf /var/lib/apt/lists/* && rm -f /var/cache/apt/*.bin && sed -i ‘s|session required pam_loginuid.so|session optional pam_loginuid.so|g‘ /etc/pam.d/sshd && mkdir -p /var/run/sshd
# clean compile tools
RUN apt-get purge -y --auto-remove build-essential libssl-dev
RUN useradd -m -d /home/jenkins -s /bin/bash jenkins && echo "jenkins:jenkins" | chpasswd
# install docker binary files
ENV DOCKER_BUCKET get.docker.com
ENV DOCKER_VERSION 17.05.0-ce
ENV DOCKER_SHA256_x86_64 340e0b5a009ba70e1b644136b94d13824db0aeb52e09071410f35a95d94316d9
ENV DOCKER_SHA256_armel 59bf474090b4b095d19e70bb76305ebfbdb0f18f33aed2fccd16003e500ed1b7
RUN curl -fSL "https://${DOCKER_BUCKET}/builds/Linux/x86_64/docker-${DOCKER_VERSION}.tgz" -o docker.tgz && echo "${DOCKER_SHA256_x86_64} *docker.tgz" | sha256sum -c - && tar -xzvf docker.tgz && mv docker/* /usr/local/bin/ && rmdir docker && rm docker.tgz && chmod +x /usr/local/bin/docker
# && docker -v # && docker ps -a
RUN echo "jenkins ALL=NOPASSWD: ALL" >> /etc/sudoers
# Standard SSH port
EXPOSE 22
COPY docker-entrypoint.sh /usr/local/bin/
ENTRYPOINT ["docker-entrypoint.sh"]
# Default command
CMD ["/usr/sbin/sshd", "-D"]
[转帖]Docker里运行Docker docker in docker(dind)
标签:集群 user back ops rop article complete put this
原文地址:https://www.cnblogs.com/jinanxiaolaohu/p/9337914.html
