Gentoo Docker¶
Docker Atlas 作为容器化运行环境,可以方便开发和部署,并且由于不是 KVM Atlas 这样的完全虚拟化,直接使用了物理主机 Kernel Atlas ,能够获得轻量级和高性能的优势。
备注
我的Docker存储引擎采用 Docker ZFS 存储驱动 ,所以部署会在 Gentoo上运行ZFS 完成之后进行
内核¶
备注
我准备重新实践一次 Gentoo内核编译(MacBook Pro Late 2013) 来构建使用容器化运行的内核(兼顾虚拟化)。目前实践采用通用内核
运行Docker的内核支持配置¶
General setup --->
[*] POSIX Message Queues
BPF subsystem --->
[*] Enable bpf() system call (<span style="color:green;">Optional</span>)
[*] Control Group support --->
[*] Memory controller
[*] Swap controller (<span style="color:green;">Optional</span>)
[*] Swap controller enabled by default (<span style="color:green;">Optional</span>)
[*] IO controller (<span style="color:green;">Optional</span>)
[*] CPU controller --->
[*] Group scheduling for SCHED_OTHER (<span style="color:green;">Optional</span>)
[*] CPU bandwidth provisioning for FAIR_GROUP_SCHED (<span style="color:green;">Optional</span>)
[*] Group scheduling for SCHED_RR/FIFO (<span style="color:green;">Optional</span>)
[*] PIDs controller (<span style="color:green;">Optional</span>)
[*] Freezer controller
[*] HugeTLB controller (<span style="color:green;">Optional</span>)
[*] Cpuset controller
[*] Include legacy /proc/<pid>/cpuset file (<span style="color:green;">Optional</span>)
[*] Device controller
[*] Simple CPU accounting controller
[*] Perf controller (<span style="color:green;">Optional</span>)
[*] Support for eBPF programs attached to cgroups (<span style="color:green;">Optional</span>)
[*] Namespaces support
[*] UTS namespace
[*] IPC namespace
[*] User namespace (<span style="color:green;">Optional</span>)
[*] PID Namespaces
[*] Network namespace
General architecture-dependent options --->
[*] Enable seccomp to safely execute untrusted bytecode (<span style="color:green;">Optional</span>)
[*] Enable the block layer --->
[*] Block layer bio throttling support (<span style="color:green;">Optional</span>)
[*] Networking support --->
Networking options --->
[*] Network packet filtering framework (Netfilter) --->
[*] Advanced netfilter configuration
[*] Bridged IP/ARP packets filtering
Core Netfilter Configuration --->
[*] Netfilter connection tracking support
[*] Network Address Translation support
[*] MASQUERADE target support
[*] Netfilter Xtables support
[*] "addrtype" address type match support
[*] "conntrack" connection tracking match support
[*] "ipvs" match support (<span style="color:green;">Optional</span>)
[*] "mark" match support
[*] IP virtual server support ---> (<span style="color:green;">Optional</span>)
[*] TCP load balancing support (<span style="color:green;">Optional</span>)
[*] UDP load balancing support (<span style="color:green;">Optional</span>)
[*] round-robin scheduling (<span style="color:green;">Optional</span>)
[*] Netfilter connection tracking (<span style="color:green;">Optional</span>)
IP: Netfilter Configuration --->
[*] IP tables support
[*] Packet filtering
[*] iptables NAT support
[*] MASQUERADE target support
[*] REDIRECT target support (<span style="color:green;">Optional</span>)
[*] 802.1d Ethernet Bridging
[*] VLAN filtering
[*] QoS and/or fair queueing ---> (<span style="color:green;">Optional</span>)
[*] Control Group Classifier (<span style="color:green;">Optional</span>)
[*] L3 Master device support
[*] Network priority cgroup (<span style="color:green;">Optional</span>)
Device Drivers --->
[*] Multiple devices driver support (RAID and LVM) --->
[*] Device mapper support (<span style="color:green;">Optional</span>)
[*] Thin provisioning target (<span style="color:green;">Optional</span>)
[*] Network device support --->
[*] Network core drive support
[*] Dummy net driver support
[*] MAC-VLAN net driver support
[*] IP-VLAN support
[*] Virtual eXtensible Local Area Network (VXLAN)
[*] Virtual ethernet pair device
Character devices --->
-*- Enable TTY
-*- Unix98 PTY support
[*] Support multiple instances of devpts (option appears if you are using systemd)
File systems --->
[*] Btrfs filesystem support (<span style="color:green;">Optional</span>)
[*] Btrfs POSIX Access Control Lists (<span style="color:green;">Optional</span>)
[*] Overlay filesystem support
Pseudo filesystems --->
[*] HugeTLB file system support (<span style="color:green;">Optional</span>)
Security options --->
[*] Enable access key retention support
检查兼容性: Docker提供了一个内核配置兼容性检查工具:
Docker提供了一个检查内核配置兼容性工具¶
/usr/share/docker/contrib/check-config.sh
安装¶
安装docker和docker-cli:
安装docker和docker-cli¶
emerge --ask --verbose app-containers/docker app-containers/docker-cli
配置¶
在 /etc/docker/daemon.json 配置 docker 服务使用 Docker ZFS 存储驱动 :
/etc/docker/daemon.json 添加ZFS存储引擎配置¶
{
"storage-driver": "zfs"
}
警告
我实际没有配置这个 /etc/docker/daemon.json 而是使用下文 OpenRC 配置参数文件 /etc/conf.d/docker
服务¶
OpenRC¶
OpenRC可以使用 DOCKER_OPTS 变量来设置docker的存储引擎以及docker引擎的根目录,这里举例配置成使用 Docker btrfs 存储驱动 以及设置docker引擎的根目录为 /srv/vsr/lib/docker (不过我实际配置的是 Docker ZFS 存储驱动 ):
配置
/etc/conf.d/docker 可以设置 OpenRC 的docker运行参数,这里案例是 Docker btrfs 存储驱动¶DOCKER_OPTS="--storage-driver btrfs --data-root /srv/var/lib/docker"
我的实际配置: Docker ZFS 存储驱动
配置
/etc/conf.d/docker 可以设置 OpenRC 的docker运行参数: Docker ZFS 存储驱动¶# any other random options you want to pass to docker
DOCKER_OPTS="--storage-driver zfs --data-root /var/lib/docker"
启动docker服务(可选启动registry):
openrc 启动docker¶# 在OpenRC中启动Docker
rc-update add docker default
rc-service docker start
# 可选启动registry
rc-update add registry default
rc-service registry start
Systemd¶
如果使用 Systemd进程管理器 则使用如下命令启动Docker服务:
:Systemd进程管理器 中启动docker¶
systemctl enable docker.service
systemctl start docker.service
权限¶
将希望直接使用docker的用户加入
docker分组,例如这里加上我自己huatai:
将直接使用docker的用户加入
docker 分组¶usermod -aG docker huatai
存储引擎¶
上面配置了 ZFS 作为Docker的存储引擎,所以执行 docker info 可以看到 Docker ZFS 存储驱动 相关信息:
执行
docker info 可以看到 Docker ZFS 存储驱动 相关信息¶Client:
Version: 24.0.5
Context: default
Debug Mode: false
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 24.0.5
Storage Driver: zfs
Zpool: zpool-docker
Zpool Health: ONLINE
Parent Dataset: zpool-docker
Space Used By Parent: 606208
Space Available: 96753598464
Parent Quota: no
Compression: lz4
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 2806fc1057397dbaeefbea0e4e17bddfbd388f38
runc version: 4ffc61430bbe6d3d405bdf357b766bf303ff3cc5
init version: de40ad007797e0dcd8b7126f27bb87401d224240
Security Options:
seccomp
Profile: builtin
Kernel Version: 6.1.67-gentoo-dist
Operating System: Gentoo Linux
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.692GiB
Name: bcloud
ID: 86b18798-1f59-4e3b-99d0-8a47daacfd43
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
网络¶
需要启用网络的 IP 转发功能,这样才能实现网络的端口转发:
临时启用 IP 转发功能:
临时启用
ip_forward¶sudo sysctl net.ipv4.ip_forward=1
配置操作系统启动时激活 IP 转发:
配置sysctl的启动参数允许IP转发 配置文件
/etc/sysctl.d/local.conf¶net.ipv4.ip_forward=1
镜像¶
在完成了上述主机配置之后,就可以继续执行 Gentoo镜像
但是,我在后续容器内部 升级Gentoo 时遇到了 glibc 升级错误:
由于物理主机内核没有配置32位兼容,导致Gentoo Linux镜像中glibc无法升级的报错¶
* ERROR: sys-libs/glibc-2.38-r10::gentoo failed (unpack phase):
* CONFIG_IA32_EMULATION must be enabled in the kernel to compile a multilib glibc.
*
* Call stack:
* ebuild.sh, line 136: Called src_unpack
* environment, line 3640: Called sanity_prechecks
* environment, line 3362: Called die
* The specific snippet of code:
* [[ $STAT -eq 0 ]] || die "CONFIG_IA32_EMULATION must be enabled in the kernel to compile a multilib glibc.";
实际上,我在 在MacBook Pro上安装Gentoo Linux 特别采用了纯64位系统,所以内核配置去除了32位兼容。而Gentoo Linux官方提供的镜像默认是采用 multilib glibc ,需要32位内核兼容。
切换 multilib 和 no-multilib 是一个折腾的操作