兜兜    2021-09-29 18:10:11    2021-10-27 15:15:56   

kubernetes rancher
Views 2675 Comments 0 Favorites 0


兜兜    2021-09-25 11:59:33    2022-01-25 09:21:19   

kubernetes ceph rook
#### Environment

```sh
kubernetes 1.18.20
rook-ceph 1.6.10
ceph version 15.2.13
```

`Note: the Kubernetes nodes must have unused disks available for the Ceph cluster. The Kubernetes version must match a compatible rook-ceph version.`

#### Install Rook

##### Download Rook

```sh
$ git clone --single-branch --branch v1.6.10 https://github.com/rook/rook.git  # Kubernetes 1.18.20 does not support Rook 1.7.x
```

##### Install Rook

```sh
$ cd rook/cluster/examples/kubernetes/ceph
$ kubectl create -f crds.yaml -f common.yaml -f operator.yaml
# verify the rook-ceph-operator is in the `Running` state before proceeding
$ kubectl -n rook-ceph get pod
```

#### Install the Ceph cluster

```sh
$ kubectl create -f cluster.yaml
```

Check the cluster status

```sh
$ kubectl -n rook-ceph get pod
NAME                                                    READY   STATUS      RESTARTS   AGE
csi-cephfsplugin-6tfqr                                  3/3     Running     0          6m45s
csi-cephfsplugin-nldks                                  3/3     Running     0          6m45s
csi-cephfsplugin-provisioner-6c59b5b7d9-lnddw           6/6     Running     0          6m44s
csi-cephfsplugin-provisioner-6c59b5b7d9-lvdtc           6/6     Running     0          6m44s
csi-cephfsplugin-zkt2x                                  3/3     Running     0          6m45s
csi-rbdplugin-2kwhg                                     3/3     Running     0          6m46s
csi-rbdplugin-7j9hw                                     3/3     Running     0          6m46s
csi-rbdplugin-provisioner-6d455d5677-6qcn5              6/6     Running     0          6m46s
csi-rbdplugin-provisioner-6d455d5677-8xp6r              6/6     Running     0          6m46s
csi-rbdplugin-qxv4m                                     3/3     Running     0          6m46s
rook-ceph-crashcollector-k8s-master1-7bf874dc98-v9bj9   1/1     Running     0          2m8s
rook-ceph-crashcollector-k8s-master2-6698989df9-7hsfr   1/1     Running     0          2m16s
rook-ceph-crashcollector-k8s-node1-8578585676-9tf5w     1/1     Running     0          2m16s
rook-ceph-mgr-a-5c4759947f-47kbk                        1/1     Running     0          2m19s
rook-ceph-mon-a-647877db88-629bt                        1/1     Running     0          6m56s
rook-ceph-mon-b-c44f7978f-p2fq6                         1/1     Running     0          5m11s
rook-ceph-mon-c-588b48b74c-bbkn8                        1/1     Running     0          3m42s
rook-ceph-operator-64845bd768-55dkc                     1/1     Running     0          13m
rook-ceph-osd-0-64f9fc6c65-m7877                        1/1     Running     0          2m8s
rook-ceph-osd-1-584bf986c7-xj75p                        1/1     Running     0          2m8s
rook-ceph-osd-2-d59cdbd7f-xcwgf                         1/1     Running     0          2m8s
rook-ceph-osd-prepare-k8s-master1-vstkq                 0/1     Completed   0          2m16s
rook-ceph-osd-prepare-k8s-master2-zdjk2                 0/1     Completed   0          2m16s
rook-ceph-osd-prepare-k8s-node1-wmzj9                   0/1     Completed   0          2m16s
```

#### Uninstall the Ceph cluster

https://github.com/rook/rook/blob/master/Documentation/ceph-teardown.md

```sh
kubectl delete -f cluster.yaml
```

Clean up the Rook directory

```sh
$ rm /var/lib/rook/* -rf
```

#### Install the Rook toolbox

```sh
$ kubectl create -f toolbox.yaml
$ kubectl -n rook-ceph rollout status deploy/rook-ceph-tools
$ kubectl -n rook-ceph exec -it deploy/rook-ceph-tools -- bash
```

#### Install the dashboard

```sh
$ kubectl -n rook-ceph get service
```

Get the login password

```sh
$ kubectl -n rook-ceph get secret rook-ceph-dashboard-password -o jsonpath="{['data']['password']}" | base64 --decode && echo
```

#### Configure external access

```sh
$ kubectl create -f dashboard-external-https.yaml
```

```sh
$ kubectl -n rook-ceph get service
NAME                                     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
rook-ceph-mgr                            ClusterIP   10.101.238.49    <none>        9283/TCP         47m
rook-ceph-mgr-dashboard                  ClusterIP   10.107.124.177   <none>        8443/TCP         47m
rook-ceph-mgr-dashboard-external-https   NodePort    10.102.110.16    <none>        8443:30870/TCP   14s
```

Access: https://172.16.100.100:30870/

#### RBD service provided by Rook

Create the pool and StorageClass

```sh
$ kubectl create -f cluster/examples/kubernetes/ceph/csi/rbd/storageclass.yaml
```

```sh
$ kubectl apply -f rook/cluster/examples/kubernetes/mysql.yaml
$ kubectl apply -f rook/cluster/examples/kubernetes/wordpress.yaml
```

```sh
$ kubectl get pvc
NAME                STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS          AGE
cephfs-test-pvc-1   Bound    pvc-571ae252-b080-4a67-8f3d-40bda1304fe3   500Mi      RWX            cephfs                2d23h
mysql-pv-claim      Bound    pvc-6f6d70ba-6961-42b5-aa9d-db13c1aeec7c   20Gi       RWO            rook-ceph-block       15m
test-claim          Bound    pvc-c51eef14-1454-4ddf-99e1-db483dec42c6   1Mi        RWX            managed-nfs-storage   3d5h
wp-pv-claim         Bound    pvc-d5eb4142-532f-4704-9d15-94ffc7f35dd1   20Gi       RWO            rook-ceph-block       13m
```

View the plugin logs

```sh
$ kubectl logs csi-rbdplugin-provisioner-85c58fcfb4-nfnvd -n rook-ceph -c csi-provisioner
I0925 07:13:27.761137 1 csi-provisioner.go:138] Version: v2.2.2
I0925 07:13:27.761189 1 csi-provisioner.go:161] Building kube configs for running in cluster...
W0925 07:13:37.769467 1 connection.go:172] Still connecting to unix:///csi/csi-provisioner.sock
W0925 07:13:47.769515 1 connection.go:172] Still connecting to unix:///csi/csi-provisioner.sock
W0925 07:13:57.769149 1 connection.go:172] Still connecting to unix:///csi/csi-provisioner.sock
W0925 07:14:07.769026 1 connection.go:172] Still connecting to unix:///csi/csi-provisioner.sock
W0925 07:14:17.768966 1 connection.go:172] Still connecting to unix:///csi/csi-provisioner.sock
W0925 07:14:27.768706 1 connection.go:172] Still connecting to unix:///csi/csi-provisioner.sock
W0925 07:14:37.769526 1 connection.go:172] Still connecting to unix:///csi/csi-provisioner.sock
W0925 07:14:47.769001 1 connection.go:172] Still connecting to unix:///csi/csi-provisioner.sock
W0925 07:14:57.769711 1 connection.go:172] Still connecting to unix:///csi/csi-provisioner.sock
I0925 07:15:01.978682 1 common.go:111] Probing CSI driver for readiness
I0925 07:15:01.980980 1 csi-provisioner.go:284] CSI driver does not support PUBLISH_UNPUBLISH_VOLUME, not watching VolumeAttachments
I0925 07:15:01.982474 1 leaderelection.go:243] attempting to acquire leader lease rook-ceph/rook-ceph-rbd-csi-ceph-com...
I0925 07:15:02.001351 1 leaderelection.go:253] successfully acquired lease rook-ceph/rook-ceph-rbd-csi-ceph-com
I0925 07:15:02.102184 1 controller.go:835] Starting provisioner controller rook-ceph.rbd.csi.ceph.com_csi-rbdplugin-provisioner-85c58fcfb4-nfnvd_c5346baf-02b2-4983-9405-45bbc31c216a!
I0925 07:15:02.102243 1 volume_store.go:97] Starting save volume queue
I0925 07:15:02.102244 1 clone_controller.go:66] Starting CloningProtection controller
I0925 07:15:02.102299 1 clone_controller.go:84] Started CloningProtection controller
I0925 07:15:02.202672 1 controller.go:884] Started provisioner controller rook-ceph.rbd.csi.ceph.com_csi-rbdplugin-provisioner-85c58fcfb4-nfnvd_c5346baf-02b2-4983-9405-45bbc31c216a!
I0925 07:46:47.261147 1 controller.go:1332] provision "default/mysql-pv-claim" class "rook-ceph-block": started
I0925 07:46:47.261389 1 event.go:282] Event(v1.ObjectReference{Kind:"PersistentVolumeClaim", Namespace:"default", Name:"mysql-pv-claim", UID:"6f6d70ba-6961-42b5-aa9d-db13c1aeec7c", APIVersion:"v1", ResourceVersion:"2798560", FieldPath:""}): type: 'Normal' reason: 'Provisioning' External provisioner is provisioning volume for claim "default/mysql-pv-claim"
I0925 07:46:49.310382 1 controller.go:1439] provision "default/mysql-pv-claim" class "rook-ceph-block": volume "pvc-6f6d70ba-6961-42b5-aa9d-db13c1aeec7c" provisioned
I0925 07:46:49.310419 1 controller.go:1456] provision "default/mysql-pv-claim" class "rook-ceph-block": succeeded
I0925 07:46:49.319422 1 controller.go:1332] provision "default/mysql-pv-claim" class "rook-ceph-block": started
I0925 07:46:49.319446 1 controller.go:1341] provision "default/mysql-pv-claim" class "rook-ceph-block": persistentvolume "pvc-6f6d70ba-6961-42b5-aa9d-db13c1aeec7c" already exists, skipping
I0925 07:46:49.319615 1 event.go:282] Event(v1.ObjectReference{Kind:"PersistentVolumeClaim", Namespace:"default", Name:"mysql-pv-claim", UID:"6f6d70ba-6961-42b5-aa9d-db13c1aeec7c", APIVersion:"v1", ResourceVersion:"2798560", FieldPath:""}): type: 'Normal' reason: 'ProvisioningSucceeded' Successfully provisioned volume pvc-6f6d70ba-6961-42b5-aa9d-db13c1aeec7c
I0925 07:48:52.230183 1 controller.go:1332] provision "default/wp-pv-claim" class "rook-ceph-block": started
I0925 07:48:52.230656 1 event.go:282] Event(v1.ObjectReference{Kind:"PersistentVolumeClaim", Namespace:"default", Name:"wp-pv-claim", UID:"d5eb4142-532f-4704-9d15-94ffc7f35dd1", APIVersion:"v1", ResourceVersion:"2799324", FieldPath:""}): type: 'Normal' reason: 'Provisioning' External provisioner is provisioning volume for claim "default/wp-pv-claim"
I0925 07:48:52.289747 1 controller.go:1439] provision "default/wp-pv-claim" class "rook-ceph-block": volume "pvc-d5eb4142-532f-4704-9d15-94ffc7f35dd1" provisioned
I0925 07:48:52.289790 1 controller.go:1456] provision "default/wp-pv-claim" class "rook-ceph-block": succeeded
I0925 07:48:52.295778 1 controller.go:1332] provision "default/wp-pv-claim" class "rook-ceph-block": started
I0925 07:48:52.295798 1 controller.go:1341] provision "default/wp-pv-claim" class "rook-ceph-block": persistentvolume "pvc-d5eb4142-532f-4704-9d15-94ffc7f35dd1" already exists, skipping
I0925 07:48:52.295844 1 event.go:282] Event(v1.ObjectReference{Kind:"PersistentVolumeClaim", Namespace:"default", Name:"wp-pv-claim", UID:"d5eb4142-532f-4704-9d15-94ffc7f35dd1", APIVersion:"v1", ResourceVersion:"2799324", FieldPath:""}): type: 'Normal' reason: 'ProvisioningSucceeded' Successfully provisioned volume pvc-d5eb4142-532f-4704-9d15-94ffc7f35dd1
```

#### CephFS service provided by Rook

```sh
$ kubectl create -f filesystem.yaml
```

```sh
$ kubectl -n rook-ceph get pod -l app=rook-ceph-mds
NAME                                    READY   STATUS    RESTARTS   AGE
rook-ceph-mds-myfs-a-6dd59747f5-2qjtk   1/1     Running   0          38s
rook-ceph-mds-myfs-b-56488764f9-n6fzf   1/1     Running   0          37s
```

```tex
$ kubectl -n rook-ceph exec -it deploy/rook-ceph-tools -- bash
[root@rook-ceph-tools-5b85cb4766-8wj5c /]# ceph status
  cluster:
    id:     1c545199-7a68-46df-9b21-2a801c1ad1af
    health: HEALTH_OK

  services:
    mon: 3 daemons, quorum a,b,c (age 50m)
    mgr: a(active, since 70m)
    mds: myfs:1 {0=myfs-a=up:active} 1 up:standby-replay    # MDS metadata service
    osd: 3 osds: 3 up (since 71m), 3 in (since 71m)

  data:
    pools:   4 pools, 97 pgs
    objects: 132 objects, 340 MiB
    usage:   4.0 GiB used, 296 GiB / 300 GiB avail
    pgs:     97 active+clean

  io:
    client:   1.2 KiB/s rd, 2 op/s rd, 0 op/s wr
```

Create the StorageClass

```sh
$ cat >storageclass-cephfs.yaml <<EOF
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: rook-cephfs
# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
provisioner: rook-ceph.cephfs.csi.ceph.com
parameters:
  # clusterID is the namespace where operator is deployed.
  clusterID: rook-ceph

  # CephFS filesystem name into which the volume shall be created
  fsName: myfs

  # Ceph pool into which the volume shall be created
  # Required for provisionVolume: "true"
  pool: myfs-data0

  # The secrets contain Ceph admin credentials. These are generated automatically by the operator
  # in the same namespace as the cluster.
  csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
  csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
  csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
  csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
  csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
  csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph

reclaimPolicy: Delete
EOF
```

```sh
$ kubectl create -f storageclass-cephfs.yaml
```

Test CephFS

```sh
$ cat >test-cephfs-pvc.yaml <<EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: cephfs-pvc
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: rook-cephfs
EOF
```

```sh
$ kubectl apply -f test-cephfs-pvc.yaml
```

```sh
$ kubectl get pvc
NAME         STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
cephfs-pvc   Bound    pvc-4e200767-9ed9-4b47-8505-3081b8de6893   1Gi        RWX            rook-cephfs    8s
```

#### Problems

`1. [WRN] MON_CLOCK_SKEW: clock skew detected on mon.b ?`

```tex
$ kubectl -n rook-ceph edit ConfigMap rook-config-override -o yaml
  config: |
    [global]
    mon clock drift allowed = 0.5
$ kubectl -n rook-ceph delete pod $(kubectl -n rook-ceph get pods -o custom-columns=NAME:.metadata.name --no-headers| grep mon)
$ kubectl -n rook-ceph exec -it deploy/rook-ceph-tools -- bash
[root@rook-ceph-tools-75cf595688-hrtmv /]# ceph -s
  cluster:
    id:     023baa6d-8ec1-4ada-bd17-219136f656b4
    health: HEALTH_OK

  services:
    mon: 3 daemons, quorum a,b,c (age 2m)
    mgr: a(active, since 24m)
    osd: 3 osds: 3 up (since 25m), 3 in (since 25m)

  data:
    pools:   1 pools, 128 pgs
    objects: 0 objects, 0 B
    usage:   19 MiB used, 300 GiB / 300 GiB avail
    pgs:     128 active+clean
```

`2. type: 'Warning' reason: 'ProvisioningFailed' failed to provision volume with StorageClass "rook-ceph-block": rpc error: code = Aborted desc = an operation with the given Volume ID pvc-34167041-eb16-4f03-b01e-6b915089488d already exists`

Delete the following pods

```sh
kubectl get po -n rook-ceph | grep csi-cephfsplugin-provisioner-
kubectl get po -n rook-ceph | grep csi-rbdplugin-provisioner-
kubectl get po -n rook-ceph | grep csi-rbdplugin-
kubectl get po -n rook-ceph | grep csi-cephfsplugin-
```

`3. The PVC stays in Pending state after creation; the csi-rbdplugin-provisioner log shows: provision volume with StorageClass "rook-ceph-block": rpc error: code = DeadlineExceeded desc = context deadline exceeded`

This is a version mismatch between Kubernetes and rook-ceph. I am using kubernetes 1.18.20; when I previously installed rook-ceph 1.7.x it reported this error, and switching to v1.6.10 fixed it.
Views 4640 Comments 0 Favorites 0


兜兜    2018-08-13 23:05:48    2018-08-13 23:05:48   

tomcat, docker, container, docker-compose, container orchestration
#### **Project directory structure**

```bash
competitionShare
|-- docker-compose.yml                  # docker-compose orchestration file
|-- fastdfs                             # fastdfs file server directory
|   |-- build                           # build directory
|   |   `-- Dockerfile                  # build file
|   |-- data                            # data directory
|   |   |-- storage                     # file data storage directory
|   |   |   |-- data
|   |   |   `-- logs
|   |   `-- tracker                     # tracker logs and metadata directory
|   |       |-- data
|   |       `-- logs
|   `-- nginx
|       `-- logs
|-- mysql
|   |-- conf
|   |   `-- mysqld.cnf                  # mysql configuration file
|   |-- data                            # mysql data directory
|   |-- db_init_sql
|   |   `-- competitionShare.sql        # project table schema and initial data SQL
|   `-- log
|-- nginx
|   |-- conf
|   |   |-- mysite.template             # nginx template file
|   |   `-- nginx.conf                  # nginx configuration file
|   |-- html
|   |   `-- competitionShare_web        # project static site directory
|   |       |-- index.html
|   |       `-- static
|   |-- log
|   `-- ssl                             # ssl certificate directory
|       |-- demo.xxxxx.org.cn
|       |   |-- fullchain.pem
|       |   `-- privkey.pem
|       `-- fastdfs.xxxxx.org.cn
|           |-- fullchain.pem
|           `-- privkey.pem
`-- tomcat                              # tomcat directory
    |-- conf
    |   `-- server.xml                  # tomcat server.xml file
    |-- log
    `-- webapps
        |-- competitionShare            # project API
        `-- competitionShareBackstage   # project admin backend
```

#### **Create the directories used by the fastdfs container**

```bash
$ mkdir fastdfs/{build,data,nginx} -p
```

- build: fastdfs build directory
- data: fastdfs data directory
- nginx: nginx logs

#### **Create fastdfs/build/Dockerfile**

```dockerfile
FROM alpine:3.6
MAINTAINER ynotes <admin@ynotes.cn>

# Build arguments
ARG HOME=/root
ARG FASTDFS_VERSION=5.11
ARG LIBFASTCOMMON_VERSION=1.0.38
ARG FASTDFS_NGINX_MODULE_VERSION=1.20
ARG NGINX_VERSION=1.12.1
# Added the FDFS_NGX_PORT argument (comments must be on their own line in a Dockerfile)
ARG FDFS_NGX_PORT
ARG TRACKER_PORT

# Environment variables
# Reads the FDFS_NGX_PORT variable passed in by docker-compose
ENV FDFS_NGX_PORT "$FDFS_NGX_PORT"
# Reads the TRACKER_PORT variable passed in by docker-compose
ENV TRACKER_PORT "$TRACKER_PORT"

# Download packages
RUN cd ${HOME} \
    && sed -i 's#http://[^/]*/\(.*\)$#http://mirrors.aliyun.com/\1#g' /etc/apk/repositories \
    && apk update \
    && apk add --no-cache --virtual .build-deps bash gcc libc-dev make openssl-dev pcre-dev zlib-dev linux-headers curl gnupg libxslt-dev gd-dev geoip-dev \
    && curl -fLS https://github.com/happyfish100/fastdfs/archive/V${FASTDFS_VERSION}.tar.gz -o V${FASTDFS_VERSION}.tar.gz \
    && curl -fLS https://github.com/happyfish100/libfastcommon/archive/V${LIBFASTCOMMON_VERSION}.tar.gz -o V${LIBFASTCOMMON_VERSION}.tar.gz \
    && curl -fLS https://github.com/happyfish100/fastdfs-nginx-module/archive/V${FASTDFS_NGINX_MODULE_VERSION}.tar.gz -o V${FASTDFS_NGINX_MODULE_VERSION}.tar.gz \
    && curl -fSL http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz \
    && tar xf V${FASTDFS_VERSION}.tar.gz \
    && tar xf V${LIBFASTCOMMON_VERSION}.tar.gz \
    && tar xf V${FASTDFS_NGINX_MODULE_VERSION}.tar.gz \
    && tar zxf nginx-${NGINX_VERSION}.tar.gz

# Build and install packages
RUN cd ${HOME}/libfastcommon-${LIBFASTCOMMON_VERSION}/ \
    && ./make.sh \
    && ./make.sh install \
    && cd ${HOME}/fastdfs-${FASTDFS_VERSION}/ \
    && ./make.sh \
    && ./make.sh install \
    && sed "s@/home/yuqing/fastdfs@/data/fastdfs/tracker@g" /etc/fdfs/tracker.conf.sample > /etc/fdfs/tracker.conf \
    && sed "s@/home/yuqing/fastdfs@/data/fastdfs/storage@g" /etc/fdfs/storage.conf.sample > /etc/fdfs/storage.conf \
    && sed "s@/home/yuqing/fastdfs@/data/fastdfs/storage@g" /etc/fdfs/client.conf.sample > /etc/fdfs/client.conf \
    && sed -i 's#CORE_INCS=.*#CORE_INCS="$CORE_INCS /usr/include/fastdfs /usr/include/fastcommon/"#g' ${HOME}/fastdfs-nginx-module-${FASTDFS_NGINX_MODULE_VERSION}/src/config \
    && sed -i 's#ngx_module_incs=.*#ngx_module_incs="/usr/include/fastdfs /usr/include/fastcommon/"#g' ${HOME}/fastdfs-nginx-module-${FASTDFS_NGINX_MODULE_VERSION}/src/config \
    && chmod u+x ${HOME}/fastdfs-nginx-module-${FASTDFS_NGINX_MODULE_VERSION}/src/config \
    && cd ${HOME}/nginx-${NGINX_VERSION} \
    && ./configure --add-module=${HOME}/fastdfs-nginx-module-${FASTDFS_NGINX_MODULE_VERSION}/src \
    && make && make install

# Configure packages
RUN cp ${HOME}/fastdfs-nginx-module-${FASTDFS_NGINX_MODULE_VERSION}/src/mod_fastdfs.conf /etc/fdfs/ \
    && sed -i "s#^store_path0.*#store_path0 = /data/fastdfs/storage#g" /etc/fdfs/mod_fastdfs.conf \
    && sed -i "s#^url_have_group_name.*#url_have_group_name = true#g" /etc/fdfs/mod_fastdfs.conf \
    && cd ${HOME}/fastdfs-${FASTDFS_VERSION}/conf/ \
    && cp http.conf mime.types /etc/fdfs/ \
    && echo -e "worker_processes 2;\nevents { \nworker_connections 10240; \n}\nhttp { \ninclude mime.types;\ndefault_type application/octet-stream;\nsendfile on;\nkeepalive_timeout 65;\nserver {\nlisten $FDFS_NGX_PORT;\nserver_name localhost;\nlocation ~/group([0-9])/M00 {\nngx_fastdfs_module;\n}\n}\n}">/usr/local/nginx/conf/nginx.conf

# Clean up packages
RUN rm -rf ${HOME}/* \
    && apk del .build-deps gcc libc-dev make openssl-dev linux-headers curl gnupg libxslt-dev gd-dev geoip-dev \
    && apk add bash pcre-dev zlib-dev

# Install the startup script
RUN echo -e "mkdir -p /data/fastdfs/storage/data\nmkdir -p /data/fastdfs/tracker\nln -s /data/fastdfs/storage/data /data/fastdfs/storage/data/M00\nsed -i "s/^tracker_server=.*$/tracker_server=\$HOST_IP:$TRACKER_PORT/g" /etc/fdfs/storage.conf\nsed -i "s/^tracker_server=.*$/tracker_server=\$HOST_IP:$TRACKER_PORT/g" /etc/fdfs/mod_fastdfs.conf\n/etc/init.d/fdfs_trackerd start \n/etc/init.d/fdfs_storaged start\n/usr/local/nginx/sbin/nginx\ntail -f /usr/local/nginx/logs/access.log" >/start.sh \
    && chmod +x /start.sh

ENTRYPOINT ["/bin/bash","/start.sh"]
```

#### **Create the directories used by the mysql container**

```bash
$ mkdir mysql/{conf,data,db_init_sql,log} -p
$ chmod 777 mysql/log
```

- conf: mysql configuration files
- data: mysql data directory
- log: mysql logs, with permissions changed to 777

#### **Edit the mysql configuration file mysql/conf/mysqld.cnf**

```ini
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
default-time-zone = '+08:00'
character-set-server=utf8
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
character-set-client-handshake = FALSE
innodb_buffer_pool_size = 128M
sql_mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES

[client]
default-character-set = utf8mb4

[mysql]
default-character-set = utf8mb4
```

#### **Create the directories used by the nginx container**

```bash
$ mkdir nginx/{conf,html,log,ssl} -p
$ mkdir nginx/ssl/{demo.xxxxx.org.cn,fastdfs.xxxxx.org.cn}
$ chmod 777 nginx/log
```

- conf: nginx configuration files
- html: static site directory
- log: log directory
- ssl: ssl certificate directory

#### **Edit nginx/conf/nginx.conf**

```nginx
user nginx;
worker_processes 2;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    use epoll;
    worker_connections 10240;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;

    include /etc/nginx/conf.d/demo.xxxxx.org.cn.conf;
}
```

#### **Edit nginx/conf/mysite.template**

```nginx
upstream my_tomcat{
    server $TOMCAT:8080;
}
upstream my_fdfs{
    server $FASTDFS:8888;
}

server {
    listen $NGINX_PORT;
    server_name $NGINX_HOST;
    charset utf-8;
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}

server {
    listen $NGINX_SSL_PORT ssl http2;
    server_name $NGINX_FASTDFS_HOST;
    add_header X-Frame-Options SAMEORIGIN;
    access_log /var/log/nginx/fastdfs.xxxxx.org.cn.access.log main;

    # Deny access to version-control metadata (.svn, .git, .cvs);
    # the pattern is case-sensitive, so it must use lowercase "git"
    location ~ /\.(svn|git|cvs) {
        deny all;
    }

    ssl_certificate "/etc/nginx/ssl/fastdfs.xxxxx.org.cn/fullchain.pem";
    ssl_certificate_key "/etc/nginx/ssl/fastdfs.xxxxx.org.cn/privkey.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless old clients require them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location ~ /group1/M00 {
        # An add_header at this level replaces the server-level add_header,
        # so X-Frame-Options is not sent for this location
        add_header Strict-Transport-Security max-age=86400;
        proxy_next_upstream http_502 http_504 error timeout invalid_header;
        proxy_pass http://my_fdfs;
    }
}

server {
    listen $NGINX_SSL_PORT ssl http2 default_server;
    server_name $NGINX_HOST;
    add_header X-Frame-Options SAMEORIGIN;
    access_log /var/log/nginx/demo.xxxxx.org.cn.access.log main;

    # Deny access to version-control metadata (.svn, .git, .cvs)
    location ~ /\.(svn|git|cvs) {
        deny all;
    }

    location / {
        add_header Strict-Transport-Security max-age=86400;
        root /var/www/html/competitionShare_web;
        index index.html index.htm;
        try_files $uri $uri/ /index.html =404;
    }

    ssl_certificate "/etc/nginx/ssl/demo.xxxxx.org.cn/fullchain.pem";
    ssl_certificate_key "/etc/nginx/ssl/demo.xxxxx.org.cn/privkey.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    # max upload size
    client_max_body_size 75M;   # adjust to taste

    # Django media
    # Finally, send all non-media requests to the Django server.
    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }

    location /competitionShare {
        add_header Strict-Transport-Security max-age=86400;
        proxy_set_header Host $host;
        proxy_set_header Cookie $http_cookie;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_pass http://my_tomcat;
    }

    location ^~ /competitionShareBackstage {
        add_header Strict-Transport-Security max-age=86400;
        proxy_set_header Host $host:$server_port;
        proxy_set_header Cookie $http_cookie;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_pass http://my_tomcat;
    }
}
```

#### **Copy the SSL certificates into the matching nginx/ssl/{demo.xxxxx.org.cn,fastdfs.xxxxx.org.cn} directories**

```bash
$ scp fullchain.pem root@docker-host:/root/docker_compose_demo/competitionShare/nginx/ssl/demo.xxxxx.org.cn
$ scp privkey.pem root@docker-host:/root/docker_compose_demo/competitionShare/nginx/ssl/demo.xxxxx.org.cn
$ scp fullchain.pem root@docker-host:/root/docker_compose_demo/competitionShare/nginx/ssl/fastdfs.xxxxx.org.cn
$ scp privkey.pem root@docker-host:/root/docker_compose_demo/competitionShare/nginx/ssl/fastdfs.xxxxx.org.cn
```

#### **Create the directories used by the tomcat container**

```bash
$ mkdir tomcat/{conf,log,webapps} -p
```

- conf: tomcat configuration directory
- log: log directory
- webapps: project directory

#### **Edit tomcat/conf/server.xml**

```xml
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- nginx in this setup proxies plain HTTP to port 8080; the AJP connector below is not used by it -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             remoteIpHeader="X-Forwarded-For"
             protocolHeader="X-Forwarded-Proto"
             protocolHeaderHttpsValue="https"/>

      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
```

#### **Copy the projects into the tomcat/webapps directory**

```bash
$ scp -r competitionShare root@docker-host:/root/docker_compose_demo/competitionShare/tomcat/webapps
$ scp -r competitionShareBackstage root@docker-host:/root/docker_compose_demo/competitionShare/tomcat/webapps
```

#### **Replace the mysql and fastdfs settings in the tomcat projects**

Database configuration

```bash
env=${PROJECT_ENV}
demo.jdbc_url=${DEMO_JDBC_URL}
demo.jdbc_username=${DEMO_JDBC_USER}
demo.jdbc_password=${DEMO_JDBC_PASS}
```

fastdfs configuration

```bash
tracker_server = fastdfs:22122
```

#### **Edit docker-compose.yml**

```yaml
version: '3'
services:
  db:
    image: mysql:5.7
    restart: always
    container_name: cs_web-db
    environment:
      MYSQL_ROOT_PASSWORD: abc123456
      MYSQL_DATABASE: competitionShare
      MYSQL_USER: demo
      MYSQL_PASSWORD: abc123456
    volumes:
      - ./mysql/conf/mysqld.cnf:/etc/mysql/mysql.conf.d/mysqld.cnf
      - ./mysql/db_init_sql:/docker-entrypoint-initdb.d
      - ./mysql/data:/var/lib/mysql
      - ./mysql/log:/var/log
  fastdfs:
    build:
      context: ./fastdfs/build/
      dockerfile: Dockerfile
      args:
        TRACKER_PORT: 22122
        FDFS_NGX_PORT: 8888
    image: fastdfs-nginx:5.11
    restart: always
    container_name: cs_web-fastdfs
    environment:
      TRACKER_PORT: 22122
      FDFS_NGX_PORT: 8888
      HOST_IP: fastdfs
    volumes:
      - ./fastdfs/data:/data/fastdfs
      - ./fastdfs/nginx/logs:/usr/local/nginx/logs/
  nginx:
    image: nginx:stable
    restart: always
    container_name: cs_web-nginx
    environment:
      NGINX_HOST: demo.xxxxx.org.cn
      NGINX_FASTDFS_HOST: fastdfs.xxxxx.org.cn
      NGINX_PORT: 80
      NGINX_SSL_PORT: 443
      TOMCAT: cs_web-tomcat
      FASTDFS: cs_web-fastdfs
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./nginx/conf/nginx.conf:/etc/nginx/nginx.conf
      - ./nginx/conf/mysite.template:/etc/nginx/conf.d/mysite.template
      - ./nginx/ssl/demo.xxxxx.org.cn/fullchain.pem:/etc/nginx/ssl/demo.xxxxx.org.cn/fullchain.pem
      - ./nginx/ssl/demo.xxxxx.org.cn/privkey.pem:/etc/nginx/ssl/demo.xxxxx.org.cn/privkey.pem
      - ./nginx/ssl/fastdfs.xxxxx.org.cn/fullchain.pem:/etc/nginx/ssl/fastdfs.xxxxx.org.cn/fullchain.pem
      - ./nginx/ssl/fastdfs.xxxxx.org.cn/privkey.pem:/etc/nginx/ssl/fastdfs.xxxxx.org.cn/privkey.pem
      - ./nginx/log/:/var/log/nginx/
      - ./nginx/html/competitionShare_web/:/var/www/html/competitionShare_web/
    command: /bin/bash -c "envsubst '$$NGINX_HOST $$NGINX_PORT $$NGINX_SSL_PORT $$TOMCAT $$FASTDFS $$NGINX_FASTDFS_HOST' < /etc/nginx/conf.d/mysite.template > /etc/nginx/conf.d/demo.xxxxx.org.cn.conf && nginx -g 'daemon off;'"
  tomcat:
    image: tomcat:8.0.53-jre8
    restart: always
    depends_on:
      - db
      - fastdfs
    container_name: cs_web-tomcat
    environment:
      PROJECT_ENV: demo
      JAVA_OPTS: "-Dsupplements.host=supplements"
      CATALINA_OPTS: "-server -Xms256M -Xmx1024M -XX:MaxNewSize=256m"
      DEMO_JDBC_URL: jdbc:mysql://db:3306/competitionShare?characterEncoding=UTF-8
      DEMO_JDBC_USER: demo
      DEMO_JDBC_PASS: abc123456
      FDFS_URL: https://fastdfs.demo.org.cn/
    volumes:
      - ./tomcat/webapps:/usr/local/tomcat/webapps
      - ./tomcat/conf/server.xml:/usr/local/tomcat/conf/server.xml
      - ./tomcat/log:/log
```

#### **Start**

```bash
$ docker-compose up
```

![](https://files.ynotes.cn/18-8-14/7776948.jpg)

#### **Access from a browser**

![](https://files.ynotes.cn/18-8-14/75371827.jpg)
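
The docker-compose.yml above carries the MySQL root password, the application user's password and the JDBC password inline as `abc123456`. The following added example (not part of the original post) counts such inline values and generates random ones into a `.env` file, which docker-compose reads for `${VAR}` substitution; the function names and the `MYSQL_APP_PASSWORD` variable name are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the original post.
#
# After generating .env, reference the variables in docker-compose.yml
# instead of literal passwords:
#   db:      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
#            MYSQL_PASSWORD:      ${MYSQL_APP_PASSWORD}
#   tomcat:  DEMO_JDBC_PASS:      ${MYSQL_APP_PASSWORD}
# The mysql user password and the JDBC password must be the same value,
# so both read MYSQL_APP_PASSWORD (hypothetical name).

# count_inline_secrets FILE
# Prints how many *PASSWORD / *_PASS keys in a compose file carry a literal
# value rather than a ${VAR} reference.
count_inline_secrets() {
    grep -E '^[[:space:]]*[A-Za-z_]*(PASSWORD|_PASS):[[:space:]]*[^$[:space:]]' "$1" \
        | wc -l | tr -d ' '
}

# gen_secret
# Prints 128 bits from the kernel CSPRNG as 32 hex characters, which need
# no quoting in .env files, YAML or JDBC properties.
gen_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# write_compose_env DIR
# Creates DIR/.env with freshly generated passwords, readable by the owner
# only. Refuses to overwrite an existing file so that a re-run cannot
# silently desynchronise the file from an already initialised database.
write_compose_env() {
    env_file="$1/.env"
    if [ -e "$env_file" ]; then
        echo "refusing to overwrite existing $env_file" >&2
        return 1
    fi
    (
        umask 077   # file is created with mode 0600
        {
            printf 'MYSQL_ROOT_PASSWORD=%s\n' "$(gen_secret)"
            printf 'MYSQL_APP_PASSWORD=%s\n' "$(gen_secret)"
        } > "$env_file"
    )
}

# Typical use from the project directory (competitionShare):
#   count_inline_secrets docker-compose.yml    # 3 for the file on this page
#   write_compose_env .
```

The official mysql image applies these variables only when it initialises an empty data directory, so for an existing `./mysql/data` the passwords also have to be changed inside MySQL.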
Views 2197 Comments 1 Favorites 0


兜兜    2018-08-10 16:11:21    2018-08-10 16:11:21   

docker, container, fastdfs, Dockerfile, fdfs
#### **Environment:**

- System: **Centos7**
- Docker version: **18.03.1-ce, build 9ee9f40**
- Container network: **bridged docker0**
- Container subnet: **10.10.0.0/24**

#### **Dockerfile**

```dockerfile
FROM alpine:3.6
MAINTAINER ynotes.cn <admin@ynotes.cn>

# Environment variables
ENV NGINX_PORT 80
ENV FASTDFS_PORT 22122

# Build arguments
ARG HOME=/root
ARG FASTDFS_VERSION=5.11
ARG LIBFASTCOMMON_VERSION=1.0.38
ARG FASTDFS_NGINX_MODULE_VERSION=1.20
ARG NGINX_VERSION=1.12.1

# Download packages
RUN cd ${HOME} \
    && sed -i 's#http://[^/]*/\(.*\)$#http://mirrors.aliyun.com/\1#g' /etc/apk/repositories \
    && apk update \
    && apk add --no-cache --virtual .build-deps bash gcc libc-dev make openssl-dev pcre-dev zlib-dev linux-headers curl gnupg libxslt-dev gd-dev geoip-dev \
    && curl -fLS https://github.com/happyfish100/fastdfs/archive/V${FASTDFS_VERSION}.tar.gz -o V${FASTDFS_VERSION}.tar.gz \
    && curl -fLS https://github.com/happyfish100/libfastcommon/archive/V${LIBFASTCOMMON_VERSION}.tar.gz -o V${LIBFASTCOMMON_VERSION}.tar.gz \
    && curl -fLS https://github.com/happyfish100/fastdfs-nginx-module/archive/V${FASTDFS_NGINX_MODULE_VERSION}.tar.gz -o V${FASTDFS_NGINX_MODULE_VERSION}.tar.gz \
    && curl -fSL http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx-${NGINX_VERSION}.tar.gz \
    && tar xf V${FASTDFS_VERSION}.tar.gz \
    && tar xf V${LIBFASTCOMMON_VERSION}.tar.gz \
    && tar xf V${FASTDFS_NGINX_MODULE_VERSION}.tar.gz \
    && tar zxf nginx-${NGINX_VERSION}.tar.gz

# Build and install packages
RUN cd ${HOME}/libfastcommon-${LIBFASTCOMMON_VERSION}/ \
    && ./make.sh \
    && ./make.sh install \
    && cd ${HOME}/fastdfs-${FASTDFS_VERSION}/ \
    && ./make.sh \
    && ./make.sh install \
    && sed "s@/home/yuqing/fastdfs@/data/fastdfs/tracker@g" /etc/fdfs/tracker.conf.sample > /etc/fdfs/tracker.conf \
    && sed "s@/home/yuqing/fastdfs@/data/fastdfs/storage@g" /etc/fdfs/storage.conf.sample > /etc/fdfs/storage.conf \
    && sed "s@/home/yuqing/fastdfs@/data/fastdfs/storage@g" /etc/fdfs/client.conf.sample > /etc/fdfs/client.conf \
    && sed -i 's#CORE_INCS=.*#CORE_INCS="$CORE_INCS /usr/include/fastdfs /usr/include/fastcommon/"#g' ${HOME}/fastdfs-nginx-module-${FASTDFS_NGINX_MODULE_VERSION}/src/config \
    && sed -i 's#ngx_module_incs=.*#ngx_module_incs="/usr/include/fastdfs /usr/include/fastcommon/"#g' ${HOME}/fastdfs-nginx-module-${FASTDFS_NGINX_MODULE_VERSION}/src/config \
    && chmod u+x ${HOME}/fastdfs-nginx-module-${FASTDFS_NGINX_MODULE_VERSION}/src/config \
    && cd ${HOME}/nginx-${NGINX_VERSION} \
    && ./configure --add-module=${HOME}/fastdfs-nginx-module-${FASTDFS_NGINX_MODULE_VERSION}/src \
    && make && make install

# Configure packages
RUN cp ${HOME}/fastdfs-nginx-module-${FASTDFS_NGINX_MODULE_VERSION}/src/mod_fastdfs.conf /etc/fdfs/ \
    && sed -i "s#^store_path0.*#store_path0 = /data/fastdfs/storage#g" /etc/fdfs/mod_fastdfs.conf \
    && sed -i "s#^url_have_group_name.*#url_have_group_name = true#g" /etc/fdfs/mod_fastdfs.conf \
    && cd ${HOME}/fastdfs-${FASTDFS_VERSION}/conf/ \
    && cp http.conf mime.types /etc/fdfs/ \
    && echo -e "worker_processes 2;\nevents { \nworker_connections 10240; \n}\nhttp { \ninclude mime.types;\ndefault_type application/octet-stream;\nsendfile on;\nkeepalive_timeout 65;\nserver {\nlisten NGINX_PORT;\nserver_name localhost;\nlocation ~/group([0-9])/M00 {\nngx_fastdfs_module;\n}\n}\n}">/usr/local/nginx/conf/nginx.conf

# Clean up packages
RUN rm -rf ${HOME}/* \
    && apk del .build-deps gcc libc-dev make openssl-dev linux-headers curl gnupg libxslt-dev gd-dev geoip-dev \
    && apk add bash pcre-dev zlib-dev

# Install the startup script
RUN sed -i "s/NGINX_PORT/$NGINX_PORT/g" /usr/local/nginx/conf/nginx.conf \
    && echo -e "mkdir -p /data/fastdfs/storage/data\nmkdir -p /data/fastdfs/tracker\nln -s /data/fastdfs/storage/data /data/fastdfs/storage/data/M00\nHOST_IP=\$(ip addr |grep 'scope global eth0'|awk '{ print \$2}'|awk -F/ '{ print \$1 }')\nsed -i "s/^tracker_server=.*$/tracker_server=\$HOST_IP:$FASTDFS_PORT/g" /etc/fdfs/storage.conf\nsed -i "s/^tracker_server=.*$/tracker_server=\$HOST_IP:$FASTDFS_PORT/g" /etc/fdfs/mod_fastdfs.conf\n/etc/init.d/fdfs_trackerd start \n/etc/init.d/fdfs_storaged start\n/usr/local/nginx/sbin/nginx\ntail -f /usr/local/nginx/logs/access.log" >/start.sh \
    && chmod +x /start.sh

EXPOSE 80 22122 23000
ENTRYPOINT ["/bin/bash","/start.sh"]
```

#### **Build the image**

```bash
$ docker build -t fastdfs-nginx:v5.11 .
```

#### **Start the container**

```bash
$ docker run -p 80:80 -p 22122:22122 -p 23000:23000 -v /root/docker_demo/fastdfs/data:/data/fastdfs fastdfs-nginx:v5.11
```

#### **Test machine 1 (Centos7)**

Add a route

```bash
$ route add -net 10.10.0.0 netmask 255.255.255.0 gw 192.168.50.252
```

Upload an image

```bash
$ fdfs_test /etc/fdfs/client.conf upload zzzz.jpg
```

```
group_name=group1, remote_filename=M00/00/00/CgoAAVtxAhqAWpxyAAE7WHOlIPs425.jpg
source ip address: 10.10.0.1
file timestamp=2018-08-13 11:59:22
file size=80728
file crc32=1940201723
example file url: http://10.10.0.1/group1/M00/00/00/CgoAAVtxAhqAWpxyAAE7WHOlIPs425.jpg
storage_upload_slave_by_filename
group_name=group1, remote_filename=M00/00/00/CgoAAVtxAhqAWpxyAAE7WHOlIPs425_big.jpg
source ip address: 10.10.0.1
file timestamp=2018-08-13 11:59:22
file size=80728
file crc32=1940201723
example file url: http://10.10.0.1/group1/M00/00/00/CgoAAVtxAhqAWpxyAAE7WHOlIPs425_big.jpg
```

#### **Test machine 2 (Windows 7)**

Add a route

```cmd
> route add 10.10.0.0 mask 255.255.255.0 192.168.50.252
```

Access the image

![](https://files.ynotes.cn/18-8-13/79351609.jpg)
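
Both Dockerfiles on this page (this one and the variant in the docker-compose article) download the FastDFS, libfastcommon, fastdfs-nginx-module and nginx sources with `curl` and compile them with no integrity check, and the nginx tarball is fetched over plain HTTP; `gnupg` is installed as a build dependency but never used. The following added example (not from the original posts) pins a download to a SHA-256 digest before it is unpacked; the function names and the placeholder digest are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the original posts.
#
# Intended use in the Dockerfile's download step: COPY this script into the
# image, source it, and replace each bare curl with fetch_verified, e.g.
#   fetch_verified "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" \
#       "<sha256 recorded from a trusted copy>" "nginx-${NGINX_VERSION}.tar.gz"
# The digest is a placeholder: record it once from a copy you have verified
# (nginx.org also publishes detached PGP signatures next to each tarball).

# sha256_of FILE
# Prints the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_sha256 FILE EXPECTED
# Returns 0 only if FILE hashes to EXPECTED.
verify_sha256() {
    actual=$(sha256_of "$1") || return 2
    if [ "$actual" != "$2" ]; then
        echo "checksum mismatch for $1: expected $2, got $actual" >&2
        return 1
    fi
}

# fetch_verified URL EXPECTED_SHA256 OUT
# Downloads URL to OUT.part and renames it to OUT only after the digest
# matches, so an unverified file never sits under the name the build uses.
# Return codes: 1 digest mismatch, 3 non-HTTPS URL, 4 download failure.
fetch_verified() {
    url=$1
    expected=$2
    out=$3
    case $url in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 3 ;;
    esac
    part="$out.part"
    # --proto/--proto-redir keep redirects from downgrading to plain HTTP
    if ! curl -fsSL --proto '=https' --proto-redir '=https' "$url" -o "$part"; then
        rm -f "$part"
        return 4
    fi
    if verify_sha256 "$part" "$expected"; then
        mv "$part" "$out"
    else
        rm -f "$part"
        return 1
    fi
}
```

With `&&` chaining as in the Dockerfile, a non-zero return from `fetch_verified` stops the `RUN` step before `tar` or `make` touches the file.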


兜兜    2018-07-25 22:23:58    2018-07-25 22:23:58   

docker containers container-orchestration swarm Alibaba-Cloud

#### **Enable the Alibaba Cloud Container Service**

#### **Create a VPC**

![](https://files.ynotes.cn/18-7-25/43311644.jpg)

#### **Create a VSwitch**

![](https://files.ynotes.cn/18-7-25/43311644.jpg)

#### **Create the swarm cluster**

![](https://files.ynotes.cn/18-7-25/85719142.jpg)
![](https://files.ynotes.cn/18-7-25/91643015.jpg)
![](https://files.ynotes.cn/18-7-25/99693706.jpg)
![](https://files.ynotes.cn/18-7-25/5548867.jpg)
![](https://files.ynotes.cn/18-7-25/76142867.jpg)
![](https://files.ynotes.cn/18-7-25/36572329.jpg)

#### **Create the orchestration template**

```yaml
version: '2'
services:
  db:
    image: mysql:5.7
    restart: always
    container_name: blog-db
    environment:
      MYSQL_ROOT_PASSWORD: 123456
      MYSQL_DATABASE: blog
      MYSQL_USER: blog
      MYSQL_PASSWORD: 123456
    volumes:
      - /root/blog/mysql/conf/mysqld.cnf:/etc/mysql/mysql.conf.d/mysqld.cnf
      - /root/blog/mysql/db_init_sql:/docker-entrypoint-initdb.d
      - /root/blog/mysql/data:/var/lib/mysql
      - /root/blog/mysql/log:/var/log
    networks:
      default:
        aliases:
          - db
  uwsgi-django:
    image: 'registry.cn-shenzhen.aliyuncs.com/sys/uwsgi-django:1.9.5'
    restart: always
    depends_on:
      - db
    container_name: blog-uwsgi-django
    environment:
      DB_NAME: blog
      DB_USER: blog
      DB_PASS: 123456
      DB_PORT: 3306
      WEB_URL: www.ynotes.cn
    volumes:
      - /root/blog/uwsgi-django/my_project:/usr/src/app/my_project
      - /root/blog/uwsgi-django/conf:/usr/src/app/uwsgi/conf
    command: uwsgi /usr/src/app/uwsgi/conf/config.ini
    networks:
      default:
        aliases:
          - uwsgi-django
  nginx:
    image: nginx:stable
    restart: always
    depends_on:
      - uwsgi-django
    container_name: blog-nginx
    environment:
      NGINX_HOST: www.ynotes.cn
      NGINX_PORT: 80
      NGINX_SSL_PORT: 443
      UWSGI_PORT: 8888
    ports:
      - 8080:80
    volumes:
      - /root/blog/nginx/conf/nginx.conf:/etc/nginx/nginx.conf
      - /root/blog/nginx/conf/mysite.template:/etc/nginx/conf.d/mysite.template
      - /root/blog/nginx/ssl/fullchain.pem:/etc/nginx/ssl/blog.itisme.co/fullchain.pem
      - /root/blog/nginx/ssl/privkey.pem:/etc/nginx/ssl/blog.itisme.co/privkey.pem
      - /root/blog/uwsgi-django/my_project/my_project/upload:/data/app/my_project/my_project/upload
      - /root/blog/uwsgi-django/my_project/my_project/static_all:/data/app/my_project/my_project/static_all
      - /root/blog/uwsgi-django/my_project/my_project/uwsgi_params:/data/app/my_project/my_project/uwsgi_params
      - /root/blog/nginx/log/:/var/log/nginx/
    command: /bin/bash -c "envsubst < /etc/nginx/conf.d/mysite.template > /etc/nginx/conf.d/blog.itisme.co.conf && nginx -g 'daemon off;'"
networks:
  default:
    driver: overlay
```

#### **Configure the security group rules to open port 22 (for copying the project over remotely)**

![](https://files.ynotes.cn/18-7-25/52826166.jpg)

#### **Upload the blog project to the /root directory of the container host**

```bash
$ tar xvf blog.tar.gz
```

#### **Create the application**

![](https://files.ynotes.cn/18-7-25/35869228.jpg)
![](https://files.ynotes.cn/18-7-25/31022136.jpg)

#### **View the running services**

![](https://files.ynotes.cn/18-7-26/43336011.jpg)

#### **Configure the SLB load-balancer certificate (paste the issued certificate and private key into the corresponding server-certificate text boxes below)**

![](https://files.ynotes.cn/18-7-26/34424767.jpg)

#### **Configure the SLB port mapping (443->8080)**

![](https://files.ynotes.cn/18-7-26/11656277.jpg)
![](https://files.ynotes.cn/18-7-26/92529607.jpg)
![](https://files.ynotes.cn/18-7-26/27217610.jpg)

#### **Point the DNS record for `www.ynotes.cn` at the SLB**

#### **Visit `https://www.ynotes.cn`**

![](https://files.ynotes.cn/18-7-26/68765124.jpg)


兜兜    2018-07-23 18:26:17    2018-07-23 18:26:17   

docker docker-compose personal-cloud-drive nextcloud

![](https://files.ynotes.cn/18-7-23/70377481.jpg)

#### **Project directory layout**

```bash
nextcloud/
├── db.env
├── docker-compose.yml
├── mysql
│   ├── conf
│   │   └── mysqld.cnf
│   ├── data
│   └── log
├── nextcloud
└── nginx
    ├── conf
    │   ├── conf.d
    │   │   ├── certs
    │   │   │   └── pan.itisme.co
    │   │   │       ├── fullchain1.pem
    │   │   │       └── privkey1.pem
    │   │   └── pan.itisme.co.conf
    │   └── nginx.conf
    └── log
```

#### **Create the directory that holds the docker project's data and configuration**

```bash
$ mkdir /data/docker_project/nextcloud -p
$ cd /data/docker_project/nextcloud
```

#### **Create the directories used by the mysql container**

```bash
$ mkdir mysql/{conf,data,log} -p
$ chmod 777 mysql/log
```

conf: holds the mysql configuration file

data: holds the mysql data

log: holds the mysql logs; its permissions are changed to 777

#### **Edit the mysql configuration file mysql/conf/mysqld.cnf**

```bash
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
default-time-zone = '+08:00'
character-set-server=utf8
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
character-set-client-handshake = FALSE
innodb_buffer_pool_size = 128M
sql_mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES

[client]
default-character-set = utf8mb4

[mysql]
default-character-set = utf8mb4
```

#### **Download nextcloud-13.0.4**

```bash
$ cd /data/docker_project/nextcloud
$ wget https://download.nextcloud.com/server/releases/nextcloud-13.0.4.zip
$ unzip nextcloud-13.0.4.zip   # extracts into the project's nextcloud directory
$ mkdir nextcloud/data         # nextcloud data directory
$ chown 33:root nextcloud/{apps,config,data}   # change the owner id of the directories; files created by the container at runtime default to uid 33, adjust to your setup
$ chmod 0700 nextcloud/data    # set the directory mode to 0700; the nextcloud code checks for this mode
```

#### **Create the directories used by the nginx container**

```bash
$ mkdir nginx/conf/conf.d/certs/pan.itisme.co -p   # certificate directory
$ mkdir nginx/log
$ chmod 777 nginx/log
```

conf: holds the nginx configuration files

log: holds the logs

#### **Edit nginx/conf/nginx.conf**

```nginx
user nginx;
worker_processes 1;
pid /var/run/nginx.pid;
error_log /var/log/nginx.error.log warn;

events {
    use epoll;
    worker_connections 10240;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log /dev/null;
    access_log /var/log/nginx/nginx.access.log main;

    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;

    include /etc/nginx/conf.d/*.conf;
}
```

#### **Edit nginx/conf/conf.d/pan.itisme.co.conf**

```nginx
upstream php-handler {
    server app:9000;
}

server {
    listen 80;
    server_name pan.itisme.co;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name pan.itisme.co;

    ssl_certificate /etc/nginx/conf.d/certs/pan.itisme.co/fullchain1.pem;
    ssl_certificate_key /etc/nginx/conf.d/certs/pan.itisme.co/privkey1.pem;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    root /var/www/html;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 10G;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        # fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        # includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}
```

#### **Copy the certificates into the nginx/conf/conf.d/certs/pan.itisme.co directory**

```bash
# The target file names match the ssl_certificate paths in pan.itisme.co.conf
$ scp fullchain.pem root@docker-host:/data/docker_project/nextcloud/nginx/conf/conf.d/certs/pan.itisme.co/fullchain1.pem
$ scp privkey.pem root@docker-host:/data/docker_project/nextcloud/nginx/conf/conf.d/certs/pan.itisme.co/privkey1.pem
```

#### **Edit docker-compose.yml (client -> nginx -> php -> db)**

```bash
$ vim docker-compose.yml
```

```yaml
version: '3'
services:
  db:
    image: mysql:5.7
    ports:
      - "3306:3306"
    volumes:
      - ./mysql/conf/mysqld.cnf:/etc/mysql/mysql.conf.d/mysqld.cnf
      - ./mysql/data:/var/lib/mysql/:rw
      - ./mysql/log:/var/log/
    env_file:
      - db.env
  app:
    image: nextcloud:fpm
    depends_on:
      - db
    volumes:
      - ./nextcloud:/var/www/html
    restart: always
  web:
    image: nginx
    ports:
      - 80:80
      - 443:443
    depends_on:
      - app
    volumes:
      - ./nextcloud:/var/www/html
      - ./nginx/conf/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./nginx/conf/conf.d:/etc/nginx/conf.d/:ro
      - ./nginx/log/:/var/log/nginx/:rw
    restart: always
```

#### **Add the db.env file with the database environment variables**

```bash
MYSQL_PASSWORD=123456
MYSQL_DATABASE=nextcloud
MYSQL_USER=nextcloud
MYSQL_ROOT_PASSWORD=123456
```

#### **Start the project**

```bash
$ docker-compose up
```

#### **Start the project in the background**

```bash
$ docker-compose up -d
```

#### **List the docker processes**

```bash
$ docker-compose ps
```

```
     Name                   Command             State                    Ports
------------------------------------------------------------------------------------------------
nextcloud_app_1   /entrypoint.sh php-fpm        Up      9000/tcp
nextcloud_db_1    docker-entrypoint.sh mysqld   Up      0.0.0.0:3306->3306/tcp
nextcloud_web_1   nginx -g daemon off;          Up      0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
```

#### **Open https://pan.itisme.co/ in a browser**

![](https://files.ynotes.cn/18-7-25/23443164.jpg)
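
The db.env shown above gives the MySQL user and root accounts the same six-digit password. As an added example that is not part of the original post, the Python below audits a db.env for that and writes a replacement with random passwords and owner-only file permissions. The function names and the 16-character minimum are assumptions chosen for illustration.

```python
import os
import secrets
import stat

# Password keys taken from the db.env shown above.
SECRET_KEYS = ("MYSQL_PASSWORD", "MYSQL_ROOT_PASSWORD")
MIN_LENGTH = 16  # assumption: local policy, not a MySQL requirement


def parse_env(text):
    """Parse the plain KEY=VALUE lines of an env_file such as db.env."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value
    return env


def audit_env(env):
    """Return findings for weak or reused MySQL passwords."""
    findings = []
    for key in SECRET_KEYS:
        value = env.get(key, "")
        if len(value) < MIN_LENGTH:
            findings.append(f"{key}: shorter than {MIN_LENGTH} characters")
        if value.isdigit():
            findings.append(f"{key}: digits only")
    user_pw, root_pw = (env.get(k) for k in SECRET_KEYS)
    if user_pw and user_pw == root_pw:
        findings.append("MYSQL_PASSWORD and MYSQL_ROOT_PASSWORD are identical")
    return findings


def write_db_env(path, database="nextcloud", user="nextcloud"):
    """Create db.env with random passwords; return the resulting file mode."""
    lines = [
        f"MYSQL_PASSWORD={secrets.token_urlsafe(24)}",
        f"MYSQL_DATABASE={database}",
        f"MYSQL_USER={user}",
        f"MYSQL_ROOT_PASSWORD={secrets.token_urlsafe(24)}",
    ]
    # O_EXCL refuses to overwrite an existing file; 0o600 keeps other users out.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write("\n".join(lines) + "\n")
    return stat.S_IMODE(os.stat(path).st_mode)
```

The mysql image reads these variables only when it initialises an empty data directory, so generate the file before the first `docker-compose up`.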

