在小伙伴使用该脚本时,需要先使用优化防火墙配置的脚本,不然在执行脚本时会报错
- 防火墙优化脚本
#!/bin/bash
# 快速修复firewalld Docker服务问题
# 解决 "INVALID_SERVICE: Zone 'public': 'docker' not among existing services" 错误
GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[1;33m'
NC='\033[0m'
echo -e "${YELLOW}=== 快速修复firewalld Docker服务问题 ===${NC}"
# 检查权限
if [ "$EUID" -ne 0 ]; then
echo -e "${RED}需要root权限,请使用sudo运行${NC}"
exit 1
fi
# 检查firewalld
if ! systemctl is-active --quiet firewalld; then
echo -e "${YELLOW}启动firewalld...${NC}"
systemctl start firewalld
fi
echo -e "${YELLOW}步骤1: 创建docker服务定义...${NC}"
# 创建docker服务定义文件
cat > /etc/firewalld/services/docker.xml << 'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Docker</short>
<description>Docker daemon</description>
<port protocol="tcp" port="2375"/>
<port protocol="tcp" port="2376"/>
<port protocol="tcp" port="2377"/>
<port protocol="tcp" port="7946"/>
<port protocol="udp" port="7946"/>
<port protocol="udp" port="4789"/>
</service>
EOF
echo -e "${YELLOW}步骤2: 重新加载firewalld配置...${NC}"
firewall-cmd --reload
echo -e "${YELLOW}步骤3: 添加docker服务到防火墙...${NC}"
firewall-cmd --permanent --zone=public --add-service=docker
echo -e "${YELLOW}步骤4: 配置Docker网络规则...${NC}"
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="172.17.0.0/16" accept'
firewall-cmd --permanent --zone=public --add-masquerade
echo -e "${YELLOW}步骤5: 应用配置...${NC}"
firewall-cmd --reload
echo -e "${GREEN}✅ 修复完成!${NC}"
echo ""
echo "验证配置:"
echo "Docker服务: $(firewall-cmd --zone=public --query-service=docker && echo '已添加' || echo '未添加')"
echo "当前服务: $(firewall-cmd --zone=public --list-services)"
echo ""
echo -e "${GREEN}现在可以正常使用firewalld配置Docker了${NC}"
2.在使用一键脚本进行部署docker
#!/bin/bash
# Rocky Linux Docker安装和配置脚本
# 专门针对Rocky Linux 8/9系统优化
set -e
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
log_info() {
echo -e "${BLUE}[INFO]${NC} $1"
}
log_success() {
echo -e "${GREEN}[SUCCESS]${NC} $1"
}
log_warning() {
echo -e "${YELLOW}[WARNING]${NC} $1"
}
log_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
# 检测Rocky Linux版本
detect_rocky_version() {
if [ ! -f /etc/rocky-release ]; then
log_error "这不是Rocky Linux系统"
exit 1
fi
ROCKY_VERSION=$(grep -oE '[0-9]+' /etc/rocky-release | head -1)
ROCKY_FULL_VERSION=$(cat /etc/rocky-release)
log_info "检测到系统: $ROCKY_FULL_VERSION"
if [[ "$ROCKY_VERSION" != "8" && "$ROCKY_VERSION" != "9" ]]; then
log_warning "未测试的Rocky Linux版本: $ROCKY_VERSION"
log_info "脚本支持Rocky Linux 8和9,继续安装..."
fi
}
# 检查权限
check_permissions() {
if [ "$EUID" -ne 0 ]; then
log_error "需要root权限来安装Docker"
log_info "请使用: sudo $0"
exit 1
fi
}
# 检查系统要求
check_system_requirements() {
log_info "检查系统要求..."
# 检查内核版本
KERNEL_VERSION=$(uname -r)
log_info "内核版本: $KERNEL_VERSION"
# 检查架构
ARCH=$(uname -m)
if [ "$ARCH" != "x86_64" ] && [ "$ARCH" != "aarch64" ]; then
log_error "不支持的系统架构: $ARCH"
exit 1
fi
log_info "系统架构: $ARCH"
# 检查内存
MEMORY_GB=$(free -g | awk '/^Mem:/{print $2}')
if [ "$MEMORY_GB" -lt 2 ]; then
log_warning "系统内存少于2GB,可能影响Docker性能"
fi
log_info "系统内存: ${MEMORY_GB}GB"
# 检查磁盘空间
DISK_SPACE=$(df / | awk 'NR==2{print int($4/1024/1024)}')
if [ "$DISK_SPACE" -lt 10 ]; then
log_warning "根分区可用空间少于10GB"
fi
log_info "可用磁盘空间: ${DISK_SPACE}GB"
log_success "系统要求检查完成"
}
# 配置防火墙
configure_firewall() {
log_info "配置防火墙..."
if systemctl is-active --quiet firewalld; then
log_info "配置firewalld防火墙规则..."
# 检查docker服务是否存在,如果不存在则创建
if ! firewall-cmd --get-services | grep -q docker; then
log_info "创建docker服务定义..."
cat > /etc/firewalld/services/docker.xml << 'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Docker</short>
<description>Docker daemon</description>
<port protocol="tcp" port="2375"/>
<port protocol="tcp" port="2376"/>
<port protocol="tcp" port="2377"/>
<port protocol="tcp" port="7946"/>
<port protocol="udp" port="7946"/>
<port protocol="udp" port="4789"/>
</service>
EOF
# 重新加载服务定义
firewall-cmd --reload
log_success "docker服务定义已创建"
fi
# 添加Docker服务到防火墙
if ! firewall-cmd --zone=public --query-service=docker &>/dev/null; then
firewall-cmd --permanent --zone=public --add-service=docker
log_success "已添加docker服务到防火墙"
else
log_info "docker服务已在防火墙中"
fi
# 添加Docker网络规则
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="172.17.0.0/16" accept' 2>/dev/null || true
firewall-cmd --permanent --zone=public --add-masquerade
# 重新加载防火墙规则
firewall-cmd --reload
log_success "防火墙配置完成"
else
log_info "firewalld未运行,跳过防火墙配置"
fi
}
# 配置SELinux
configure_selinux() {
log_info "配置SELinux..."
SELINUX_STATUS=$(getenforce)
log_info "当前SELinux状态: $SELINUX_STATUS"
if [ "$SELINUX_STATUS" = "Enforcing" ]; then
log_info "SELinux处于强制模式,安装container-selinux..."
# 安装container-selinux
dnf install -y container-selinux
# 设置SELinux布尔值
setsebool -P container_manage_cgroup on
log_success "SELinux配置完成"
elif [ "$SELINUX_STATUS" = "Permissive" ]; then
log_warning "SELinux处于宽松模式"
else
log_info "SELinux已禁用"
fi
}
# 卸载旧版本Docker
remove_old_docker() {
log_info "移除旧版本Docker..."
# 停止Docker服务
systemctl stop docker 2>/dev/null || true
systemctl stop docker.socket 2>/dev/null || true
# 卸载旧版本
dnf remove -y \
docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-engine \
podman \
buildah \
skopeo \
runc 2>/dev/null || true
log_success "旧版本Docker已移除"
}
# 安装必要依赖
install_dependencies() {
log_info "安装必要依赖..."
# 更新系统
dnf update -y
# 安装依赖包
dnf install -y \
dnf-plugins-core \
device-mapper-persistent-data \
lvm2 \
curl \
wget \
yum-utils \
ca-certificates \
gnupg
log_success "依赖安装完成"
}
# 添加Docker仓库
add_docker_repository() {
log_info "添加Docker官方仓库..."
# 添加Docker CE仓库
dnf config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# 启用仓库
dnf config-manager --set-enabled docker-ce-stable
# 更新仓库缓存
dnf makecache
log_success "Docker仓库添加完成"
}
# 安装Docker
install_docker() {
log_info "安装Docker CE..."
# 安装最新版本的Docker CE
dnf install -y \
docker-ce \
docker-ce-cli \
containerd.io \
docker-buildx-plugin \
docker-compose-plugin
log_success "Docker安装完成"
}
# 配置Docker守护进程
configure_docker_daemon() {
log_info "配置Docker守护进程..."
# 创建Docker配置目录
mkdir -p /etc/docker
# 创建daemon.json配置文件
cat > /etc/docker/daemon.json << 'EOF'
{
"registry-mirrors": [
"https://docker.mirrors.ustc.edu.cn",
"https://hub-mirror.c.163.com",
"https://mirror.baidubce.com"
],
"storage-driver": "overlay2",
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "3"
}
}
EOF
log_success "Docker守护进程配置完成"
}
# 优化系统参数
optimize_system_parameters() {
log_info "优化系统参数..."
# 内核参数优化
cat >> /etc/sysctl.conf << 'EOF'
# Docker优化参数
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
vm.max_map_count = 262144
fs.may_detach_mounts = 1
net.core.somaxconn = 32768
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 5000
EOF
# 应用参数
sysctl -p
# 设置文件描述符限制
cat >> /etc/security/limits.conf << 'EOF'
# Docker优化
* soft nofile 65536
* hard nofile 65536
* soft nproc 65536
* hard nproc 65536
EOF
log_success "系统参数优化完成"
}
# 启动Docker服务
start_docker_service() {
log_info "启动Docker服务..."
# 重新加载systemd配置
sudo systemctl daemon-reload
# 启动Docker服务
sudo systemctl start docker
# 设置开机自启
sudo systemctl enable docker
# 启动Docker socket
sudo systemctl enable docker.socket
# 等待服务启动
sleep 3
if systemctl is-active --quiet docker; then
log_success "Docker服务启动成功"
else
log_error "Docker服务启动失败"
return 1
fi
}
# 配置用户权限
configure_user_permissions() {
log_info "配置用户权限..."
# 获取当前用户(如果通过sudo运行)
if [ -n "$SUDO_USER" ]; then
CURRENT_USER=$SUDO_USER
else
CURRENT_USER=$(whoami)
fi
if [ "$CURRENT_USER" != "root" ]; then
# 添加用户到docker组
usermod -aG docker $CURRENT_USER
log_success "用户 $CURRENT_USER 已添加到docker组"
log_warning "请重新登录或运行 'newgrp docker' 使权限生效"
else
log_info "当前为root用户,跳过用户组配置"
fi
}
# 安装Docker Compose(独立版本)
install_docker_compose_standalone() {
log_info "安装Docker Compose独立版本..."
# 获取最新版本
COMPOSE_VERSION=$(curl -s https://api.github.com/repos/docker/compose/releases/latest | grep 'tag_name' | cut -d\" -f4)
if [ -z "$COMPOSE_VERSION" ]; then
COMPOSE_VERSION="v2.24.0" # 备用版本
log_warning "无法获取最新版本,使用备用版本: $COMPOSE_VERSION"
fi
# 下载并安装
curl -L "https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# 设置执行权限
chmod +x /usr/local/bin/docker-compose
# 创建符号链接
ln -sf /usr/local/bin/docker-compose /usr/bin/docker-compose
log_success "Docker Compose安装完成: $COMPOSE_VERSION"
}
# 验证安装
verify_installation() {
log_info "验证Docker安装..."
# 检查Docker版本
if command -v docker &> /dev/null; then
DOCKER_VERSION=$(docker --version)
log_success "Docker安装成功: $DOCKER_VERSION"
else
log_error "Docker命令未找到"
return 1
fi
# 检查Docker服务状态
if systemctl is-active --quiet docker; then
log_success "Docker服务运行正常"
else
log_error "Docker服务未运行"
return 1
fi
# 检查Docker Compose
if command -v docker-compose &> /dev/null; then
COMPOSE_VERSION=$(docker-compose --version)
log_success "Docker Compose可用: $COMPOSE_VERSION"
elif docker compose version &> /dev/null; then
COMPOSE_VERSION=$(docker compose version)
log_success "Docker Compose Plugin可用: $COMPOSE_VERSION"
else
log_warning "Docker Compose未安装"
fi
# 运行测试容器
log_info "运行Hello World测试容器..."
if docker run --rm hello-world > /dev/null 2>&1; then
log_success "Docker测试容器运行成功"
else
log_warning "Docker测试容器运行失败,但Docker已安装"
fi
# 显示系统信息
echo ""
log_info "Docker系统信息:"
docker system info | grep -E "Server Version|Storage Driver|Logging Driver|Cgroup Driver|Kernel Version|Operating System"
}
# 创建Rocky Linux特定的优化脚本
create_rocky_optimization_scripts() {
log_info "创建Rocky Linux优化脚本..."
# 创建Docker优化脚本
cat > /usr/local/bin/docker-rocky-optimize.sh << 'EOF'
#!/bin/bash
# Rocky Linux Docker优化脚本
echo "=== Rocky Linux Docker优化 ==="
# 检查并优化存储驱动
STORAGE_DRIVER=$(docker info --format '{{.Driver}}')
echo "当前存储驱动: $STORAGE_DRIVER"
if [ "$STORAGE_DRIVER" != "overlay2" ]; then
echo "建议使用overlay2存储驱动"
fi
# 检查cgroup驱动
CGROUP_DRIVER=$(docker info --format '{{.CgroupDriver}}')
echo "当前cgroup驱动: $CGROUP_DRIVER"
# 优化内核参数
echo "优化内核参数..."
sysctl -w vm.max_map_count=262144
sysctl -w fs.may_detach_mounts=1
# 清理Docker资源
echo "清理Docker资源..."
docker system prune -f
echo "优化完成!"
EOF
chmod +x /usr/local/bin/docker-rocky-optimize.sh
# 创建Docker监控脚本
cat > /usr/local/bin/docker-rocky-monitor.sh << 'EOF'
#!/bin/bash
# Rocky Linux Docker监控脚本
echo "=== Rocky Linux Docker监控 ==="
echo "时间: $(date)"
echo ""
# 系统信息
echo "系统信息:"
echo " 发行版: $(cat /etc/rocky-release)"
echo " 内核: $(uname -r)"
echo " 架构: $(uname -m)"
echo ""
# Docker信息
echo "Docker信息:"
echo " 版本: $(docker --version | cut -d' ' -f3 | cut -d',' -f1)"
echo " 存储驱动: $(docker info --format '{{.Driver}}')"
echo " 日志驱动: $(docker info --format '{{.LoggingDriver}}')"
echo ""
# 容器统计
echo "容器统计:"
echo " 运行中: $(docker ps -q | wc -l)"
echo " 总数: $(docker ps -a -q | wc -l)"
echo " 镜像数: $(docker images -q | wc -l)"
echo ""
# 资源使用
echo "资源使用:"
echo " 内存: $(free -h | grep Mem | awk '{print $3"/"$2}')"
echo " 磁盘: $(df -h / | awk 'NR==2{print $3"/"$2" ("$5")"}')"
echo ""
# Docker磁盘使用
echo "Docker磁盘使用:"
docker system df
# 检查服务状态
echo ""
echo "服务状态:"
systemctl is-active docker && echo " Docker: 运行中" || echo " Docker: 未运行"
systemctl is-active firewalld && echo " Firewalld: 运行中" || echo " Firewalld: 未运行"
EOF
chmod +x /usr/local/bin/docker-rocky-monitor.sh
log_success "Rocky Linux优化脚本创建完成"
}
# 配置日志轮转
configure_log_rotation() {
log_info "配置Docker日志轮转..."
cat > /etc/logrotate.d/docker << 'EOF'
/var/lib/docker/containers/*/*.log {
rotate 7
daily
compress
size=10M
missingok
delaycompress
copytruncate
notifempty
}
EOF
log_success "日志轮转配置完成"
}
# 显示安装后信息
show_post_install_info() {
echo ""
log_success "Rocky Linux Docker安装完成!"
echo ""
echo "系统信息:"
echo " 操作系统: $(cat /etc/rocky-release)"
echo " 内核版本: $(uname -r)"
echo " Docker版本: $(docker --version | cut -d' ' -f3 | cut -d',' -f1)"
echo ""
echo "常用命令:"
echo " docker --version # 查看Docker版本"
echo " docker info # 查看Docker系统信息"
echo " docker run hello-world # 运行测试容器"
echo " docker ps # 查看运行中的容器"
echo " docker images # 查看本地镜像"
echo " systemctl status docker # 查看Docker服务状态"
echo ""
echo "Docker Compose命令:"
echo " docker compose --version # 查看Compose版本"
echo " docker compose up -d # 启动服务"
echo " docker compose down # 停止服务"
echo ""
echo "Rocky Linux专用工具:"
echo " docker-rocky-optimize.sh # 运行系统优化"
echo " docker-rocky-monitor.sh # 系统监控"
echo ""
echo "配置文件位置:"
echo " /etc/docker/daemon.json # Docker守护进程配置"
echo " /etc/systemd/system/docker.service.d/ # systemd配置"
echo ""
if [ -n "$SUDO_USER" ] && [ "$SUDO_USER" != "root" ]; then
log_warning "请重新登录或运行以下命令使docker组权限生效:"
echo " newgrp docker"
echo " 或者重新登录系统"
fi
}
# 显示帮助信息
show_help() {
echo "Rocky Linux Docker安装脚本"
echo ""
echo "用法: $0 [选项]"
echo ""
echo "选项:"
echo " -h, --help 显示此帮助信息"
echo " -v, --version 显示脚本版本"
echo " --no-compose 不安装Docker Compose"
echo " --no-optimize 不进行系统优化"
echo " --uninstall 卸载Docker"
echo ""
echo "支持的Rocky Linux版本:"
echo " - Rocky Linux 8.x"
echo " - Rocky Linux 9.x"
}
# 卸载Docker
uninstall_docker() {
log_info "卸载Docker..."
# 停止Docker服务
systemctl stop docker 2>/dev/null || true
systemctl disable docker 2>/dev/null || true
# 卸载Docker包
dnf remove -y \
docker-ce \
docker-ce-cli \
containerd.io \
docker-buildx-plugin \
docker-compose-plugin
# 删除Docker数据目录
rm -rf /var/lib/docker
rm -rf /var/lib/containerd
rm -rf /etc/docker
# 删除用户组
groupdel docker 2>/dev/null || true
# 删除创建的脚本
rm -f /usr/local/bin/docker-rocky-optimize.sh
rm -f /usr/local/bin/docker-rocky-monitor.sh
rm -f /usr/local/bin/docker-compose
log_success "Docker已卸载"
}
# 主函数
main() {
echo "========================================"
echo " Rocky Linux Docker安装脚本 v1.0"
echo "========================================"
echo ""
# 解析命令行参数
INSTALL_COMPOSE=true
OPTIMIZE_SYSTEM=true
while [[ $# -gt 0 ]]; do
case $1 in
-h|--help)
show_help
exit 0
;;
-v|--version)
echo "Rocky Linux Docker安装脚本 v1.0"
exit 0
;;
--no-compose)
INSTALL_COMPOSE=false
shift
;;
--no-optimize)
OPTIMIZE_SYSTEM=false
shift
;;
--uninstall)
check_permissions
uninstall_docker
exit 0
;;
*)
log_error "未知选项: $1"
show_help
exit 1
;;
esac
done
# 执行安装流程
check_permissions
detect_rocky_version
check_system_requirements
configure_selinux
remove_old_docker
install_dependencies
add_docker_repository
install_docker
configure_docker_daemon
if [ "$OPTIMIZE_SYSTEM" = true ]; then
optimize_system_parameters
fi
start_docker_service
configure_user_permissions
configure_firewall
if [ "$INSTALL_COMPOSE" = true ]; then
install_docker_compose_standalone
fi
configure_log_rotation
create_rocky_optimization_scripts
# 验证安装
if verify_installation; then
show_post_install_info
else
log_error "Docker安装验证失败"
exit 1
fi
}
# 运行主函数
main "$@"
给脚本执行权限
chmod +x rockylinux_docker_install.sh
完整安装
sudo ./rockylinux_docker_install.sh
不安装Docker Compose
sudo ./rockylinux_docker_install.sh --no-compose
不进行系统优化
sudo ./rockylinux_docker_install.sh --no-optimize
卸载Docker
sudo ./rockylinux_docker_install.sh --uninstall
查看帮助
./rockylinux_docker_install.sh --help
