Background
In recent years, as network and information security problems have become more visible, more and more companies and institutions choose to deploy their core business systems in an isolated intranet with no access to the public Internet. This creates real challenges for how we develop and deploy software.
In the past, we routinely relied on an Internet-connected environment for debugging, testing and the final production rollout. For intranet systems that workflow no longer applies: installation and deployment have to be done entirely offline.
Linux: offline Docker installation
- Download the installation package
- Choose the version to install
- Upload it to the offline server
Create the systemd unit file
- mkdir /opt/docker
- Upload docker-23.0.3.tgz to /opt/docker
- vi /opt/docker/docker.service
Contents:
```ini
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
```
Create the installation script
vi /opt/docker/install.sh
chmod +x /opt/docker/install.sh
Contents:
```sh
#!/bin/sh
set -e                      # stop at the first failing step instead of continuing half-installed
cd /opt/docker              # the tgz and docker.service were uploaded here
echo 'Extracting the tar package...'
tar -xvf docker-23.0.3.tgz
echo 'Copying the docker binaries to /usr/bin...'
cp docker/* /usr/bin/
echo 'Copying docker.service to /etc/systemd/system/...'
cp docker.service /etc/systemd/system/
echo 'Setting file permissions...'
chmod +x /etc/systemd/system/docker.service   # systemd does not need the exec bit, 0644 is the usual mode
echo 'Reloading the systemd configuration...'
systemctl daemon-reload
echo 'Starting docker...'
systemctl start docker
echo 'Enabling start on boot...'
systemctl enable docker.service
echo 'docker installed successfully...'
docker -v
```
Offline installation of docker-compose
- Download the installation package
- Upload it to the server and move it into place:
  `mv docker-compose-linux-x86_64 /usr/local/bin/docker-compose`
- Add execute permission:
  `chmod +x /usr/local/bin/docker-compose`
- Verify the installation:
  `docker-compose -v`
Preparing container images for offline use
1. emqx: `docker save -o emqx.tar emqx:4.4.18`
2. redis: `docker save -o redis.tar redis:latest`
3. mysql: `docker save -o mysql.tar mysql:8.0`
4. node-red: `docker save -o node-red.tar nodered/node-red:latest`
5. nginx: `docker save -o nginx.tar docker.io/nginx:latest`
6. JDK image / Java project image: `docker save -o openjdk8.tar docker.io/openjdk:8u201-jdk-alpine`
Keep all of the tar files produced above; later they are loaded onto the offline server with `docker load -i xxxx.tar`.
Container volume storage
Writing the docker-compose file
```yaml
# bridge network
networks:
  701-bridge:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.20.0.0/16
services:
  emqx:
    image: emqx:4.4.18
    restart: unless-stopped
    container_name: emqx
    environment:
      EMQX_ADMIN_PASSWORD: emqx701pwd # password of the admin account
      TZ: Asia/Shanghai
      EMQX_NODE_NAME: emqx@172.20.0.20
    ports:
      - "1883:1883"
      - "8083:8083"
      - "8084:8084"
      - "8883:8883"
      - "8081:8081"
      - "18083:18083"
    volumes:
      - "/kingdom/emqx/etc:/opt/emqx/etc"
      - "/kingdom/emqx/data:/opt/emqx/data"
      - "/kingdom/emqx/lib:/opt/emqx/lib"
      - "/kingdom/emqx/log:/opt/emqx/log"
    networks:
      701-bridge:
        ipv4_address: 172.20.0.20
  # redis
  redis:
    image: redis:latest
    container_name: redis
    restart: unless-stopped
    ports:
      - "6379:6379"
    volumes:
      - "/kingdom/redis/conf/redis.conf:/etc/redis/redis.conf"
      - "/kingdom/redis/data:/data"
    command: redis-server /etc/redis/redis.conf --appendonly yes
    environment:
      - TZ=Asia/Shanghai
    networks:
      701-bridge:
        ipv4_address: 172.20.0.10
  # mysql
  mysql:
    image: registry.cn-hangzhou.aliyuncs.com/zhengqing/mysql:8.0 # original image `mysql:8.0`
    container_name: mysql8 # the container is named 'mysql8'
    restart: unless-stopped
    # restart policy: always restart the container when it exits, except containers that were already stopped when the Docker daemon started
    volumes:
      - "./mysql/my.cnf:/etc/mysql/my.cnf"
      - "./mysql/data:/var/lib/mysql"
      # - "./mysql/conf.d:/etc/mysql/conf.d"
      - "./mysql/mysql-files:/var/lib/mysql-files"
    environment: # environment variables, equivalent to -e in docker run
      TZ: Asia/Shanghai
      LANG: en_US.UTF-8
      MYSQL_ROOT_PASSWORD: root # initial root password; it is changed with ALTER USER below
      MYSQL_DATABASE: demo # database created on first start
    privileged: true # gives the container full host capabilities; drop it unless the deployment really needs it
    user: root
    ports: # port mappings
      - "3308:3306"
    networks:
      701-bridge:
        ipv4_address: 172.20.0.11
  # node-red
  node-red:
    image: nodered/node-red:latest
    container_name: node-red
    restart: unless-stopped
    ports:
      - "1880:1880"
    volumes:
      - "/kingdom/node_red_data:/data"
    environment:
      - TZ=Asia/Shanghai
    networks:
      701-bridge:
        ipv4_address: 172.20.0.12
  # nginx
  nginx:
    image: docker.io/nginx:latest
    container_name: nginx
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/etc/localtime:/etc/localtime"
      - "/kingdom/nginx/html:/usr/share/nginx/html"
      - "/kingdom/nginx/conf.d:/etc/nginx/conf.d"
      - "/kingdom/nginx/logs:/var/log/nginx"
    environment:
      - TZ=Asia/Shanghai
    networks:
      701-bridge:
        ipv4_address: 172.20.0.13
    depends_on:
      - 701-server
  # 701-server
  701-server:
    container_name: 701-server
    build:
      context: /kingdom/701-server
    image: server-701:v1
    restart: unless-stopped
    ports:
      - "8888:8888"
    environment:
      TZ: Asia/Shanghai
    volumes:
      - "/kingdom/701-server:/data"
      - "/etc/localtime:/etc/localtime"
    networks:
      701-bridge:
        ipv4_address: 172.20.0.15
    depends_on:
      - redis
      - mysql
```
Offline deployment
- Upload the image files together with the corresponding mounted volume directories
- Set permissions on the individual files that need them
- Run `docker load -i xxxx.tar` for each image to load it onto the offline server
- Run `docker-compose up -d`
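Every artifact in this procedure (docker-23.0.3.tgz, the image tars from `docker save`, the compose file) crosses the air gap by manual upload, so the offline server has no way of its own to tell a truncated or tampered file from a good one. The script below is an added example, not part of the original post: it writes a SHA-256 manifest on the online machine and verifies it on the offline server before `install.sh` or `docker load` run; the script name, the `SHA256SUMS` file name and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): integrity check for files carried
# across the air gap. On the online machine, after the downloads and `docker save`:
#   offline-check.sh make /opt/docker
# Upload the directory including SHA256SUMS, then on the offline server:
#   offline-check.sh verify /opt/docker     (or: offline-check.sh load /opt/docker)
# The directory and script name are assumptions; adjust them to the real layout.
set -u

# Write <dir>/SHA256SUMS covering the .tgz bundle, image .tar files and compose .yml.
make_manifest() {
    dir="$1"; manifest="$dir/SHA256SUMS"
    : > "$manifest"
    for f in "$dir"/*.tgz "$dir"/*.tar "$dir"/*.yml; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal; skip it
        ( cd "$dir" && sha256sum "$(basename "$f")" ) >> "$manifest"
    done
    [ -s "$manifest" ]                   # returns 1 if nothing was hashed
}

# Return 0 only when every listed file exists and matches; a missing, truncated
# or modified artifact is named on stdout and the function returns 1.
verify_manifest() {
    dir="$1"; manifest="$dir/SHA256SUMS"
    [ -f "$manifest" ] || { echo "no SHA256SUMS in $dir" >&2; return 1; }
    ( cd "$dir" && sha256sum -c --quiet --strict SHA256SUMS ) || {
        echo "verification FAILED in $dir: do not run install.sh or docker load" >&2
        return 1
    }
}

# docker load every image tar, but only after the whole directory verified.
load_verified_images() {
    dir="$1"
    verify_manifest "$dir" || return 1
    for t in "$dir"/*.tar; do
        [ -f "$t" ] || continue
        docker load -i "$t" || return 1
    done
}

case "${1:-}" in
    make)   make_manifest "$2" ;;
    verify) verify_manifest "$2" ;;
    load)   load_verified_images "$2" ;;
esac
```

Generate the manifest on the same machine that ran `docker save`, and carry it together with the artifacts; a manifest generated on the offline side after upload proves nothing.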
mysql
Configure my.cnf
```ini
# server-side parameters
[mysqld]
# Skip the grant tables: anyone can log in without a password. **Comment this out after changing the password and restart**
skip-grant-tables
user=mysql # user the MySQL server runs as
default-storage-engine=INNODB # default storage engine for new tables
character-set-server=utf8mb4 # default server character set
collation-server=utf8mb4_general_ci # collation rules; must match character-set-server
default-authentication-plugin=mysql_native_password
max_connections=1000 # maximum number of connections
max_connect_errors=100 # maximum number of failed connection attempts
[mysql]
default-character-set=utf8mb4
[client]
default-character-set=utf8mb4 # default client character set
```
Change the password and enable remote login
- `docker exec -it mysql8 /bin/bash` (the container name from the compose file)
- `mysql -uroot -p`
```sql
-- With skip-grant-tables active the grant tables are not loaded, so reload them
-- first; otherwise ALTER USER is refused.
FLUSH PRIVILEGES;
ALTER USER 'root'@'%' IDENTIFIED BY 'mysql1024.' PASSWORD EXPIRE NEVER;
ALTER USER 'root'@'localhost' IDENTIFIED BY 'mysql1024.';
FLUSH PRIVILEGES;
```
- Then comment out `skip-grant-tables` in my.cnf and restart the container, as noted in the config above
[Simple method] Export all images
`docker save $(docker images --format '{{.Repository}}:{{.Tag}}') -o dockerImages.tar`
[Simple method] Import all images
`docker load -i dockerImages.tar`