Colima容器化开发环境
备注
在colima环境中快速构建了一个基于 Debian 的开发容器,综合整理作为快速指南
Colima快速起步 启动VZ虚拟机:
使用
vz 模式虚拟化的 4c8g 虚拟机运行 colimacolima start --runtime containerd --cpu 4 --memory 8 --vm-type=vz
备注
如果是早期的Intel架构mac,则不支持 --vm-type 参数,原因是只有Apple Silicon架构才支持 Apple Virtualization (VZ)。所以实际上在Intel架构mac,还需要安装 qemu 来运行虚拟化 Lima: Linux Machines
修订
~/.colima/default/colima.yaml的 Colima存储管理 管理部分:
colima 存储挂载配置 docs 和 secrets# Configure volume mounts for the virtual machine.
# Colima mounts user's home directory by default to provide a familiar
# user experience.
#
# EXAMPLE
# mounts:
# - location: ~/secrets
# writable: false
# - location: ~/projects
# writable: true
#
# Colima default behaviour: $HOME and /tmp/colima are mounted as writable.
# Default: []
mounts:
- location: ~/secrets
writable: false
- location: ~/docs
writable: true
确保发起启动的用户的环境变量如下(配置到
~/.zshrc中,或者直接在SHELL中执行):
macOS的host环境
colima start 用户的环境变量配置代理export HTTP_PROXY="http://127.0.0.1:3128"
export HTTPS_PROXY="http://127.0.0.1:3128"
export NO_PROXY="*.baidu.com,192.168.0.0/16,10.0.0.0/8"
export http_proxy="http://127.0.0.1:3128"
export https_proxy="http://127.0.0.1:3128"
export no_proxy="*.baidu.com,192.168.0.0/16,10.0.0.0/8"
重启
colima服务,此时会挂载HOST主机上指定目录,并且注入HOST主机的代理配置
重启 colima 虚拟机
colima stop
colima start
进入虚拟机( colima ssh ) 可以看到目录挂载:
在
colima 虚拟机内部通过 df -h 检查 docs 目录映射Filesystem Size Used Avail Use% Mounted on
/dev/root 58G 1.4G 56G 3% /
tmpfs 3.9G 0 3.9G 0% /dev/shm
tmpfs 1.6G 736K 1.6G 1% /run
tmpfs 5.0M 0 5.0M 0% /run/lock
efivarfs 56K 5.7K 46K 12% /sys/firmware/efi/efivars
mount0 234G 123G 111G 53% /Users/huatai/Library/Caches/colima
mount1 234G 123G 111G 53% /Users/huatai/secrets
/dev/vda16 881M 42M 778M 6% /boot
/dev/vda15 105M 6.1M 99M 6% /boot/efi
mount2 234G 123G 111G 53% /Users/huatai/docs
tmpfs 794M 4.0K 794M 1% /run/user/501
/dev/vdb 39M 39M 0 100% /mnt/lima-cidata
进入虚拟机( colima ssh )检查 /etc/environment 可以看到代理配置:
Colima启动时会自动将HOST物理主机proxy环境变量注入到虚拟机
/etc/environmentPATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"
#LIMA-START
HTTPS_PROXY=http://192.168.5.2:3128
HTTP_PROXY=http://192.168.5.2:3128
NO_PROXY=*.baidu.com,192.168.0.0/16,10.0.0.0/8
http_proxy=http://192.168.5.2:3128
https_proxy=http://192.168.5.2:3128
no_proxy=*.baidu.com,192.168.0.0/16,10.0.0.0/8
#LIMA-END
(物理主机)在HOST主机上 SSH隧道 构建一个本地到远程服务器代理服务端口(服务器上代理服务器仅监听回环地址)的SSH加密连接。我实际采用的是在
~/.ssh/config配置如下:
Host *
ServerAliveInterval 60
ControlMaster auto
ControlPath ~/.ssh/%h-%p-%r
ControlPersist yes
StrictHostKeyChecking no
Compression yes
Host MyProxy
HostName <SERVER_IP>
User admin
LocalForward 3128 127.0.0.1:3128
LocalForward 172.17.0.1:3128 127.0.0.1:3128
IdentitiesOnly yes
IdentityFile ~/.ssh/proxy/id_rsa
(物理主机)执行构建SSL Tunnel:
登陆到
colima虚拟机内部:
通过SSH登陆到colima虚拟机内
colima ssh
执行以下命令,将
colima虚拟机内部的docker和containerd都配置为通过代理访问internet,这样才能正确下载镜像:
生成 /etc/systemd/system/docker.service.d/http-proxy.conf 为containerd添加代理配置
if [ ! -d /etc/systemd/system/docker.service.d ];then
mkdir -p /etc/systemd/system/docker.service.d
fi
cat <<EOF >/etc/systemd/system/docker.service.d/http-proxy.conf
[Service]
Environment="HTTP_PROXY=${HTTP_PROXY:-}"
Environment="HTTPS_PROXY=${HTTPS_PROXY:-}"
Environment="NO_PROXY=${NO_PROXY:-localhost},${LOCAL_NETWORK}"
EOF
systemctl daemon-reload
systemctl restart docker
生成 /etc/systemd/system/containerd.service.d/http-proxy.conf 为containerd添加代理配置
if [ ! -d /etc/systemd/system/containerd.service.d ];then
mkdir -p /etc/systemd/system/containerd.service.d
fi
cat <<EOF >/etc/systemd/system/containerd.service.d/http-proxy.conf
[Service]
Environment="HTTP_PROXY=${HTTP_PROXY:-}"
Environment="HTTPS_PROXY=${HTTPS_PROXY:-}"
Environment="NO_PROXY=${NO_PROXY:-localhost},${LOCAL_NETWORK}"
EOF
systemctl daemon-reload
systemctl restart containerd
最后,还需要为
colima虚拟机内部用户的docker客户端配置代理(部分meta信息是通过docker客户端下载的),这里的docker本地用户是huatai,在这个用户身份下配置~/.docker/config.json如下:
配置
colima 虚拟机内部 docker 客户端使用代理 ~/.docker/config.json{
"proxies":
{
"default":
{
"httpProxy": "http://192.168.5.2:3128",
"httpsProxy": "http://192.168.5.2:3128",
"noProxy": "*.baidu.com,192.168.0.0/16,10.0.0.0/8"
}
}
}
一切准备就绪
现在可以执行 Debian镜像(tini进程管理器) 构建,执行的是 dev 容器构建:
debian-dev-tini包含了安装常用工具和开发环境:
包含常用工具和开发环境的debian镜像Dockerfile
FROM debian:latest
ENV container=docker
# 对于墙内用户需要构建完善的翻墙代理才能顺利执行这个Dockerfile
# 详情参考 https://cloud-atlas.readthedocs.io/zh-cn/latest/docker/colima/colima_socks_proxy.html
# 方法一: 强行让 apt-get 走内部专属的 socks5h 隧道,直接无视外界环境变量
#RUN echo 'Acquire::http::Proxy "socks5h://192.168.5.2:1080/";' > /etc/apt/apt.conf.d/proxy.conf && \
# echo 'Acquire::https::Proxy "socks5h://192.168.5.2:1080/";' >> /etc/apt/apt.conf.d/proxy.conf
# 方法二: 采用开始时CP进容器,结束时rm掉该文件
COPY apt_proxy.conf /etc/apt/apt.conf.d/proxy.conf
#RUN rm /etc/apt/apt.conf.d/proxy.conf
# 方法三: BuildKit 支持 --mount=type=bind ,可以在每一条RUN命令层动态将外部文件映射进容器,但是需要注意每一层(每一个RUN)都是独立无状态的,所以挂载在当前RUN结束时强制卸载
#RUN --mount=type=bind,source=apt_proxy.conf,target=/etc/apt/apt.conf.d/proxy.conf \
# apt update -y && apt upgrade -y
# 增加针对特定qemu的CPU模拟的编译设置
# 必须使用 ENV 固化,否则容器运行时 JIT 编译器(如 Ruby YJIT)无法继承该参数
#ENV CFLAGS="-march=x86-64-v3 -O2"
ENV LANG="en_US.UTF-8"
ENV LC_ALL="en_US.UTF-8"
ARG HTTP_PROXY="socks5h://192.168.5.2:1080"
ARG HTTPS_PROXY="socks5h://192.168.5.2:1080"
ARG ALL_PROXY="socks5h://192.168.5.2:1080"
ENV http_proxy=${HTTP_PROXY}
ENV https_proxy=${HTTPS_PROXY}
ENV all_proxy=${ALL_PROXY}
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get clean
RUN apt-get update -y
RUN apt-get upgrade -y
# Debian仓库内置tini,可以直接安装
RUN apt-get -y install tini
# Copy tini entrypoint script
COPY entrypoint_ssh_cron_bash /entrypoint.sh
RUN chmod +x /entrypoint.sh
# SSH
RUN apt-get -y install sudo passwd openssh-client openssh-server curl ca-certificates
# Utilities
RUN apt-get -y install cron tmux vim locales net-tools iproute2 dnsutils plocate gnupg2 git tree unzip lsof wget
# 开发编译依赖
RUN apt-get -y install --no-install-recommends build-essential libssl-dev libyaml-dev zlib1g-dev libgmp-dev libreadline-dev libsqlite3-dev sqlite3 libffi-dev
# neovim依赖
RUN apt-get -y install --no-install-recommends ripgrep fd-find
# 非必须,用于支持我使用的sphinx doc
RUN apt-get -y install graphviz
RUN rm -rf /var/lib/apt/lists/*
# 补全locales
RUN echo "LC_ALL=en_US.UTF-8" >> /etc/environment
RUN echo "LANG=en_US.UTF-8" >> /etc/environment
RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
RUN echo "LANG=en_US.UTF-8" > /etc/locale.conf
RUN locale-gen en_US.UTF-8
RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
# add account "admin" and give sudo privilege
# uid & gid follow colima system to access HOME directory
# "docker build --build-arg UID=$(id -u) GID=$(id -g)" will override it.
ARG USER=admin
ARG GROUP=admin
ARG UID=1000
ARG GID=1000
RUN groupadd -g ${GID} ${GROUP}
RUN useradd -g ${GID} -u ${UID} -m -d /home/${USER} -s /bin/bash ${USER}
RUN adduser ${USER} sudo
RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
# set TIMEZONE to Shanghai
RUN unlink /etc/localtime
RUN ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
# RUN mkdir /run/sshd
RUN ssh-keygen -A
USER admin
WORKDIR /home/admin
# 安装 Mise 核心,现代开发语言的万能管理器Mise托管语言栈
RUN curl https://mise.run | sh
RUN echo 'eval "$(~/.local/bin/mise activate)"' >> ~/.bashrc
# 动态将 Mise 垫片和二进制路径暴露给后续构建层和运行时环境
ENV PATH="/home/admin/.local/share/mise/shims:/home/admin/.local/bin:$PATH"
# C/C++ 在安装Cmake时会同时安装
# Rust, Go, Python, Ruby, Rails
# mise 支持命令行传递环境变量实现代理配置
#ARG PROXY_ADDRESS=192.168.5.2:1080
#RUN export all_proxy=socks5h://${PROXY_ADDRESS} && \
# export http_proxy=http://${PROXY_ADDRESS} && \
# export https_proxy=http://${PROXY_ADDRESS} && \
# mise use --global cmake@latest && \
# mise use --global rust@stable && \
# mise use --global go@1.23 && \
# mise use --global python@3.12 && \
# mise use --global ruby@3.3 && \
# gem install --no-document rails
# 采用动态挂载
RUN --mount=type=bind,source=mise_proxy.env,target=/home/admin/mise_proxy.env \
set -a && . /home/admin/mise_proxy.env && set +a && \
mise use --global cmake@latest && \
mise use --global rust@stable && \
mise use --global go@1.26 && \
mise use --global python@3.14 && \
mise use --global ruby@3 && \
mise use --global neovim@stable
# gem不支持socks代理,如果访问阻塞则改为国内源
RUN gem install --no-document rails
# LazyVim
# git 原生参数 -c http.proxy=,临时覆盖全局网络代理
RUN git clone -c http.proxy="socks5h://192.168.5.2:1080" \
https://github.com/LazyVim/starter /home/admin/.config/nvim && \
rm -rf /home/admin/.config/nvim/.git
# 通过无头模式(Headless)在构建期将插件和 LSP 彻底刷入镜像中
# 这会将所有的 LSP、Treesitter、关键插件在 Docker 构建期就物理下载到镜像的 /home/admin/.local/share/nvim 中
RUN nvim --headless "+Lazy! sync" +qa
# 预编译 Treesitter 语法树解析器(可选,防止启动时现场编译卡顿)
# 高频使用 Markdown (用于知识库) 或 Go/C++
RUN nvim --headless "+TSUpdateSync markdown python go cpp" +qa
# Mason 强行同步安装LSP,注意需要网络畅通
RUN nvim --headless -c ' \
local registry = require("mason-registry"); \
local lsp_list = { "clangd", "rust-analyzer", "gopls", "pyright", "ruff", "ruby-lsp" }; \
\
registry.refresh(function() \
for _, name in ipairs(lsp_list) do \
local p = registry.get_package(name); \
if not p:is_installed() then \
print("▶ [Mason Build-time] 正在物理拉取并编译: " .. name); \
p:install(); \
end \
end \
end); \
\
vim.wait(300000, function() \
for _, name in ipairs(lsp_list) do \
if not registry.is_installed(name) then return false end \
end \
return true \
end, 500); \
print("🎉 [Mason Build-time] 恭喜!所有多语言 LSP 语义专家已成功硬焊进镜像层!"); \
' +qa
# python program: virtualenv
RUN bash -c 'cd /home/admin && python3 -m venv venv3'
# 我使用Sphinx doc来撰写Cloud-Atlas文档,如不需要请注释
RUN bash -c 'source /home/admin/venv3/bin/activate && pip install sphinx sphinx_rtd_theme sphinxnotes-strike sphinxcontrib-video sphinxcontrib-youtube myst-parser jieba'
# entrypoint.sh 需要使用root身份执行
USER root
# run service when container started - sshd
EXPOSE 22:1122
# next.js nextra
EXPOSE 3000:13000
# Sphinx
EXPOSE 8080:18080
# Jekyll
EXPOSE 4000:14000
# HTTP
EXPOSE 80:1180
# HTTPS
EXPOSE 443:1443
# Run your program under Tini
# CMD ["/your/program", "-and", "-its", "arguments"]
CMD ["/entrypoint.sh"]
构建
debian-dev-tini镜像:
构建包含开发环境的debian镜像
docker build --no-cache \
--build-arg UID=$(id -u) \
--build-arg GID=$(id -g) \
--rm -t debian-dev .
运行
debian-dev-tini:
运行包含开发环境的debian容器
docker run -dt --name debian-dev --hostname debian-dev \
-p 1122:22 \
-p 13000:3000 \
-p 18080:8080 \
-p 14000:4000 \
-p 1180:80 \
-p 1443:443 \
-v /Users/admin/docs/ssh:/home/admin/.ssh \
-v /Users/admin/docs:/home/admin/docs \
debian-dev:latest
# 物理主机的 /Users/admin/secret 存放需要映射进容器的密钥以及ssh配置
# 如果需要在运行时注入环境变量,则添加类似如下参数(添加代理案例)
# -e HTTP_PROXY=http://172.17.0.1:3128 \
# -e HTTPS_PROXY=http://172.17.0.1:3128 \
# -e NO_PROXY=localhost,127.0.0.1,*.baidu.com,192.168.0.0/16,10.0.0.0/8 \