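I. Deploying Applications with Docker Stack: Introduction
A Stack lets you define a complex multi-service application in a single declarative file, and gives you a simple way to deploy the application and manage its whole lifecycle: initial deployment > health checks > scaling > updates > rollbacks, and more.
Deploying an application with Docker Stack takes two steps:
1. Define the application in a Compose file. The Compose file contains the complete stack of services that make up the application, along with the volumes, networks, security and other infrastructure the application needs.
2. Deploy and manage it with the docker stack deploy command.
In short, Docker is suited to development and testing, while Docker Stack is suited to large-scale scenarios and production.
II. Deploying Applications with Docker Stack: In Detail
Architecturally, the Stack sits at the very top of the Docker application hierarchy. Stacks are built on services, and services in turn are built on containers.
2.1 A Simple Application
2.1.1 Getting the Source Code
1. Run the following command to fetch the source code: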
zq@zq-virtual-machine:~/Desktop$ git clone https://github.com/nigelpoulton/atsea-sample-shop-app.git
2.1.2 Analyzing the docker-stack.yml File
root@zq-virtual-machine:/home/zq/Desktop/atsea-sample-shop-app# cat docker-stack.yml
version: "3.2"
services:
  reverse_proxy:
    image: dockersamples/atseasampleshopapp_reverse_proxy
    ports:
      - "80:80"
      - "443:443"
    secrets:
      - source: revprox_cert
        target: revprox_cert
      - source: revprox_key
        target: revprox_key
    networks:
      - front-tier
  database:
    image: dockersamples/atsea_db
    environment:
      POSTGRES_USER: gordonuser
      POSTGRES_DB_PASSWORD_FILE: /run/secrets/postgres_password
      POSTGRES_DB: atsea
    networks:
      - back-tier
    secrets:
      - postgres_password
    deploy:
      placement:
        constraints:
          - 'node.role == worker'
  appserver:
    image: dockersamples/atsea_app
    networks:
      - front-tier
      - back-tier
      - payment
    deploy:
      replicas: 2
      update_config:
        parallelism: 2
        failure_action: rollback
      placement:
        constraints:
          - 'node.role == worker'
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
    secrets:
      - postgres_password
  visualizer:
    image: dockersamples/visualizer:stable
    ports:
      - "8001:8080"
    stop_grace_period: 1m30s
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    deploy:
      update_config:
        failure_action: rollback
      placement:
        constraints:
          - 'node.role == manager'
  payment_gateway:
    image: dockersamples/atseasampleshopapp_payment_gateway
    secrets:
      - source: staging_token
        target: payment_token
    networks:
      - payment
    deploy:
      update_config:
        failure_action: rollback
      placement:
        constraints:
          - 'node.role == worker'
          - 'node.labels.pcidss == yes'
networks:
  front-tier:
  back-tier:
  payment:
    driver: overlay
    driver_opts:
      encrypted: 'yes'
secrets:
  postgres_password:
    external: true
  staging_token:
    external: true
  revprox_key:
    external: true
  revprox_cert:
    external: true
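The overall structure of this file defines four top-level keys:
1. version: the version of the Compose file format. To be used with Stack, it must be 3.0 or higher.
2. services: defines the services that make up the application.
3. networks: lists the networks the application needs.
4. secrets: defines the secrets the application uses.
The Stack file consists of 5 services: reverse_proxy, database, appserver, visualizer and payment_gateway. It contains 3 networks: front-tier, back-tier and payment. It has 4 secrets: postgres_password, staging_token, revprox_key and revprox_cert.
2.2 A Closer Look at the Stack File
A Stack file is just a Docker Compose file; the only requirement is that version: be 3.0 or higher.
When Docker deploys an application from a Stack file, it first checks for and creates the networks listed under the networks: key. If a network does not exist, Docker creates it automatically.
2.2.1 Networks
1. The file contents are as follows: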
networks:
  front-tier:
  back-tier:
  payment:
    driver: overlay
    driver_opts:
      encrypted: 'yes'
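2. Analysis
This file defines 3 networks: front-tier, back-tier and payment. By default they all use the overlay driver, and a new overlay network is created for each. The payment network is special in that its data plane must be encrypted.
By default, the control plane of every overlay network is encrypted. To encrypt the data plane as well, there are two options:
(1) pass the -o encrypted option to the docker network create command
(2) specify encrypted: 'yes' under driver_opts in the Stack file
2.2.2 Secrets
Secrets are top-level objects.
1. The file contents are as follows: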
secrets:
  postgres_password:
    external: true
  staging_token:
    external: true
  revprox_key:
    external: true
  revprox_cert:
    external: true
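2. Analysis
All 4 secrets are defined as external, which means they must already exist before the Stack is deployed.
It is also possible to create secrets on demand when the application is deployed, by replacing external: true with file: <filename>. For this to work, a text file containing the value of the secret, unencrypted, must exist at the corresponding path on the host's file system.
2.2.3 Services
Each service is a JSON collection (dictionary) containing a set of keys.
2.2.3.1 The reverse_proxy service
1. The file contents are as follows: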
  reverse_proxy:
    image: dockersamples/atseasampleshopapp_reverse_proxy
    ports:
      - "80:80"
      - "443:443"
    secrets:
      - source: revprox_cert
        target: revprox_cert
      - source: revprox_key
        target: revprox_key
    networks:
      - front-tier
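2. Analysis
The reverse_proxy service defines an image, ports, secrets and networks.
(1) The image key
The only mandatory key in a service object. It defines the Docker image used to build the service replicas.
(2) The ports key
Defines two mappings: 80:80 maps port 80 on the Swarm nodes to port 80 of each service replica, and 443:443 maps port 443 on the Swarm nodes to port 443 of each service replica. (By default, all port mappings use ingress mode.)
(3) The secrets key
Defines two secrets, revprox_cert and revprox_key. Both must be defined under the top-level secrets key and must already exist on the system.
Secrets are mounted into service replicas as regular files, named after the value of the target attribute defined in the stack file. The secrets defined for this service are mounted in every replica at /run/secrets/revprox_cert and /run/secrets/revprox_key.
(4) The networks key
Ensures that all replicas of the service are attached to the front-tier network.
2.2.3.2 The database service
The database service is also defined in the Stack file, with an image, a network and a secret. It additionally introduces environment variables and a placement constraint.
1. The file contents are as follows: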
  database:
    image: dockersamples/atsea_db
    environment:
      POSTGRES_USER: gordonuser
      POSTGRES_DB_PASSWORD_FILE: /run/secrets/postgres_password
      POSTGRES_DB: atsea
    networks:
      - back-tier
    secrets:
      - postgres_password
    deploy:
      placement:
        constraints:
          - 'node.role == worker'
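2. Analysis
(1) The environment key
Injects environment variables into the service replicas. This service uses 3 environment variables to define the database user, the location of the database password (a secret mounted into each service replica) and the database name.
(2) The deploy key
Defines a placement constraint that ensures this service only runs on worker nodes of the Swarm cluster.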
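The following Python example is added here and is not code from the original article or from the sample application. It shows how a process inside a replica can consume a mounted secret: it honours a *_FILE variable such as POSTGRES_DB_PASSWORD_FILE, falls back to /run/secrets/<target>, refuses paths outside the secrets mount, and strips the line ending that a secret piped from echo carries. The names read_secret and demo and the sample values are assumptions made for illustration.

```python
"""Reading a Swarm secret from inside a service replica (added example)."""
import os
import tempfile
from pathlib import Path

SECRETS_DIR = Path("/run/secrets")  # where secrets are mounted in a replica

def read_secret(target, file_env=None, env=None, secrets_dir=SECRETS_DIR):
    """Return the secret mounted under `target`.

    target   -- file name inside secrets_dir, i.e. the stack file's `target:`
                (the secret's own name when the short syntax is used)
    file_env -- optional *_FILE variable holding the path, as the database
                service does with POSTGRES_DB_PASSWORD_FILE
    """
    env = os.environ if env is None else env
    base = Path(secrets_dir).resolve()
    override = env.get(file_env) if file_env else None
    path = Path(override or base / target).resolve()
    # Refuse paths that escape the secrets mount (e.g. a mistyped *_FILE value).
    if base not in path.parents:
        raise PermissionError(f"{path} is outside {base}")
    # A secret created with `echo staging | docker secret create ... -` is
    # stored as "staging\n": strip the line ending before using the value.
    return path.read_text().rstrip("\r\n")

def demo():
    """Constructed stand-in for /run/secrets, using a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        # payment_gateway maps source staging_token to target payment_token.
        Path(tmp, "payment_token").write_text("staging\n")
        Path(tmp, "postgres_password").write_text("constructed-password")
        env = {"POSTGRES_DB_PASSWORD_FILE": str(Path(tmp, "postgres_password"))}
        token = read_secret("payment_token", env={}, secrets_dir=tmp)
        password = read_secret("postgres_password", "POSTGRES_DB_PASSWORD_FILE",
                               env=env, secrets_dir=tmp)
        try:
            read_secret("x", "BAD_FILE", env={"BAD_FILE": "/etc/hostname"},
                        secrets_dir=tmp)
            escaped = True
        except PermissionError:
            escaped = False
        return token, password, escaped

if __name__ == "__main__":
    print(demo())
```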
2.2.3.3 The appserver service
1. The file contents are as follows:
  appserver:
    image: dockersamples/atsea_app
    networks:
      - front-tier
      - back-tier
      - payment
    deploy:
      replicas: 2
      update_config:
        parallelism: 2
        failure_action: rollback
      placement:
        constraints:
          - 'node.role == worker'
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
    secrets:
      - postgres_password
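2. Analysis
The appserver service uses 1 image, attaches to 3 networks and mounts one secret. It also introduces some additional features under the deploy key.
(1) services.appserver.deploy.replicas=2
Sets the desired number of replicas for the service to 2; the default is 1.
(2) services.appserver.deploy.update_config
Defines how Docker performs a rolling update of the service. For this service, Docker updates two replicas at a time and rolls back automatically if the update fails. The default failure_action is pause (which stops the remaining replicas from being updated after a failed update).
(3) services.appserver.deploy.restart_policy
Defines how Swarm restarts containers that exit abnormally. Under this policy, if a replica exits with a non-zero return code (condition: on-failure), it is restarted immediately. At most 3 restarts are attempted, each waiting up to 120s to detect whether the start succeeded, with 5s between restarts.
2.2.3.4 The visualizer service
1. The file contents are as follows: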
  visualizer:
    image: dockersamples/visualizer:stable
    ports:
      - "8001:8080"
    stop_grace_period: 1m30s
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    deploy:
      update_config:
        failure_action: rollback
      placement:
        constraints:
          - 'node.role == manager'
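2. Analysis
The visualizer service specifies an image and defines port mappings, an update configuration and a placement constraint. It also mounts a volume and defines how the container is stopped gracefully.
(1) The volumes key
Mounts a previously created volume or a host path into the service replicas. In this example, /var/run/docker.sock on the Docker host, which is the Docker daemon's Unix socket, is mounted at /var/run/docker.sock in each service replica.
2.2.3.5 The payment_gateway service
1. The file contents are as follows: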
  payment_gateway:
    image: dockersamples/atseasampleshopapp_payment_gateway
    secrets:
      - source: staging_token
        target: payment_token
    networks:
      - payment
    deploy:
      update_config:
        failure_action: rollback
      placement:
        constraints:
          - 'node.role == worker'
          - 'node.labels.pcidss == yes'
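2. Analysis
The payment_gateway service specifies an image, mounts one secret, attaches to a network, defines part of a deployment policy and uses two placement constraints.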
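Two settings analyzed above deserve a review before a stack file goes to production: only the payment network encrypts its data plane, and the visualizer service mounts the manager node's Docker socket, which lets the container drive the Docker API, while also publishing a port. The Python example below is added here and is not part of the original article or of the sample project. It audits a stack file already parsed into a dict (assumed to come from a YAML library), and also flags images without a tag or digest. The function names, the severity labels and the sample dict are assumptions made for illustration.

```python
"""Audit a parsed stack file for the settings discussed above (added example)."""

def image_is_pinned(image):
    # A tag follows the last "/" (a ":" earlier is a registry port); "@" marks a digest.
    return "@" in image or ":" in image.rsplit("/", 1)[-1]

def audit_stack(stack):
    """Return (severity, location, message) tuples for a stack file given as a dict."""
    findings = []
    for name, net in (stack.get("networks") or {}).items():
        net = net or {}  # "front-tier:" with no body parses to None
        # Stack networks default to the overlay driver; only driver_opts.encrypted
        # turns on data-plane encryption.
        if net.get("driver", "overlay") == "overlay" and \
                "encrypted" not in (net.get("driver_opts") or {}):
            findings.append(("info", f"networks.{name}",
                             "overlay data plane is not encrypted"))
    for name, svc in (stack.get("services") or {}).items():
        image = svc.get("image", "")
        if not image_is_pinned(image):
            findings.append(("low", f"services.{name}.image",
                             f"'{image}' has no tag or digest and resolves to :latest"))
        for vol in svc.get("volumes", []):
            # Short syntax "src:dst[:mode]" or long syntax {"source": ..., "target": ...}.
            src = vol.split(":")[0] if isinstance(vol, str) else vol.get("source", "")
            if src.endswith("docker.sock"):
                msg = "Docker API socket is mounted into every replica"
                if svc.get("ports"):
                    msg += f"; the service also publishes ports {svc['ports']}"
                findings.append(("high", f"services.{name}.volumes", msg))
    return findings

# Constructed sample: the networks plus two services transcribed from the page's file.
STACK = {
    "services": {
        "appserver": {"image": "dockersamples/atsea_app",
                      "networks": ["front-tier", "back-tier", "payment"]},
        "visualizer": {"image": "dockersamples/visualizer:stable",
                       "ports": ["8001:8080"],
                       "volumes": ["/var/run/docker.sock:/var/run/docker.sock"]},
    },
    "networks": {"front-tier": None, "back-tier": None,
                 "payment": {"driver": "overlay", "driver_opts": {"encrypted": "yes"}}},
}

if __name__ == "__main__":
    for severity, where, message in audit_stack(STACK):
        print(f"[{severity}] {where}: {message}")
```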
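2.3 Deploying the Application
2.3.1 Preparation
1. Swarm mode: the application is deployed with Docker Stack, and Stack depends on Swarm mode.
2. Labels: one of the Swarm worker nodes needs a custom label.
3. Secrets: the secrets the application needs must be created before deployment.
4. The three Linux hosts need the following ports open:
(1) 2377/tcp, for secure communication between clients and the Swarm
(2) 7946/tcp and 7946/udp, for communication between nodes
(3) 4789/udp, for VXLAN-based overlay networks
To open ports on a CentOS 7 host, see "How to open specific ports on CentOS 7". To open ports on an Ubuntu 20.04 host, see "How to open specific ports on Ubuntu 20.04".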
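The label and secret prerequisites above can be verified before docker stack deploy is run. The Python example below is added here and is not part of the original article. It takes the stack file as a dict (assumed to be parsed with a YAML library), the secret names already present in the swarm and each node's labels, and reports external secrets that are missing, secrets a service uses without a top-level declaration, and node.labels constraints that no node satisfies. The names preflight and secret_source and the sample cluster state are assumptions made for illustration.

```python
"""Preflight checks before `docker stack deploy` (added example)."""

def secret_source(ref):
    # Short syntax is a bare name; long syntax is {"source": ..., "target": ...}.
    return ref if isinstance(ref, str) else ref["source"]

def preflight(stack, existing_secrets, node_labels):
    """Return problems that would fail the deployment or leave tasks pending.

    stack            -- stack file as a dict (assumed parsed with a YAML library)
    existing_secrets -- secret names as listed by `docker secret ls`
    node_labels      -- {hostname: {label: value}}, from `docker node inspect`
    """
    problems = []
    declared = stack.get("secrets") or {}
    # 1. Secrets marked external must exist before the stack is deployed.
    for name, spec in declared.items():
        if (spec or {}).get("external") and name not in existing_secrets:
            problems.append(f"secret '{name}' is external but not present in the swarm")
    for svc_name, svc in (stack.get("services") or {}).items():
        # 2. Secrets used by a service must be declared under top-level secrets.
        for ref in svc.get("secrets", []):
            if secret_source(ref) not in declared:
                problems.append(
                    f"service '{svc_name}' uses undeclared secret '{secret_source(ref)}'")
        # 3. A node.labels.* constraint needs at least one node carrying the label.
        placement = svc.get("deploy", {}).get("placement", {})
        for constraint in placement.get("constraints", []):
            if not constraint.startswith("node.labels.") or "==" not in constraint:
                continue
            key, value = (part.strip() for part in constraint.split("==", 1))
            label = key[len("node.labels."):]
            if not any(l.get(label) == value for l in node_labels.values()):
                problems.append(f"service '{svc_name}': no node has label {label}={value}")
    return problems

# Constructed sample: the secret-related parts of the page's docker-stack.yml.
STACK = {
    "services": {
        "reverse_proxy": {"secrets": [
            {"source": "revprox_cert", "target": "revprox_cert"},
            {"source": "revprox_key", "target": "revprox_key"}]},
        "database": {"secrets": ["postgres_password"]},
        "payment_gateway": {
            "secrets": [{"source": "staging_token", "target": "payment_token"}],
            "deploy": {"placement": {"constraints": [
                "node.role == worker", "node.labels.pcidss == yes"]}}},
    },
    "secrets": {name: {"external": True} for name in
                ("postgres_password", "staging_token", "revprox_key", "revprox_cert")},
}

if __name__ == "__main__":
    # Constructed cluster state: staging_token not created, wrk1 not labelled yet.
    have = {"postgres_password", "revprox_key", "revprox_cert"}
    for problem in preflight(STACK, have, {"wrk1": {}, "wrk2": {}}):
        print("PREFLIGHT:", problem)
```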
2.3.2 Hosts
| Hostname | Address | Version | Count |
|---|---|---|---|
| mgr1 | 192.168.100.110/24 | Ubuntu 20.04 | 1 |
| wrk1 | 192.168.100.100/24 | CentOS7-X86_64-Everything2009 | 1 |
| wrk2 | 192.168.100.101/24 | CentOS7-X86_64-Everything2009 | 1 |
2.3.3 Approach
1. Create a new Swarm
2. Add a new node label
3. Create the secrets
2.3.4 Building the Lab Environment
2.3.4.1 Creating a new Swarm
1. On mgr1, run docker swarm init to make it a manager node.
root@docker-virtual-machine:~# docker swarm init
Swarm initialized: current node (m4jzzetxd.....womt50cfqlp) is now a manager.
2. On wrk1, run the following command to make it a worker node. Note that the command below is the one returned by docker swarm init on mgr1.
[root@localhost ~]# docker swarm join --token SWMTKN-1-4ud9mb9ed1h5qqoy1c40n6c60wrdl24fn12kncibsisxm5i0rk-a59wlrmz6574vdv198h25kb5c 192.168.100.110:2377
This node joined a swarm as a worker.
3. On wrk2, run the following command to make it a worker node. Note that the command below is the one returned by docker swarm init on mgr1.
[root@localhost ~]# docker swarm join --token SWMTKN-1-4ud9mb9ed1h5qqoy1c40n6c60wrdl24fn12kncibsisxm5i0rk-a59wlrmz6574vdv198h25kb5c 192.168.100.110:2377
This node joined a swarm as a worker.
4. On mgr1, run docker node ls to list the current Swarm nodes.
root@docker-virtual-machine:~# docker node ls
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION
m4jzzetxdmtcnewomt50cfqlp * docker-virtual-machine Ready Active Leader 20.10.21
07c04nmvybeqj5m2nas00gz2k localhost.localdomain Ready Active 20.10.21
yoy2fv0wuigv1kftphyzk3aoc localhost.localdomain Ready Active 20.10.21
5. The Swarm cluster is now set up.
2.3.4.2 Adding a new node label
1. On mgr1, run docker node update --label-add pcidss=yes wrk1 to add the node label to wrk1.
root@docker-virtual-machine:~# docker node update --label-add pcidss=yes wrk1
wrk1
2. On mgr1, run docker node inspect wrk1 to confirm the node label. The output shows that the label was added successfully.
root@docker-virtual-machine:~# docker node inspect wrk1
[
    {
        "ID": "07c04nmvybeqj5m2nas00gz2k",
        "Version": {
            "Index": 24
        },
        "CreatedAt": "2022-11-06T05:24:39.933665813Z",
        "UpdatedAt": "2022-11-06T05:38:22.318176748Z",
        "Spec": {
            "Labels": {
                "pcidss": "yes"
            },
            "Role": "worker",
            "Availability": "active"
        },
...
...
2.3.4.3 Creating the secrets
1. On mgr1, run openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 365 -out domain.crt to create a new key pair; the key will then be placed into Docker secrets.
root@docker-virtual-machine:~# openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 365 -out domain.crt
Generating a RSA private key
.....................................................................................++++
...........................................................................................................................++++
writing new private key to 'domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:AN^H
Locality Name (eg, city) []:HF
Organization Name (eg, company) [Internet Widgits Pty Ltd]:22
Organizational Unit Name (eg, section) []:section
Common Name (e.g. server FQDN or YOUR name) []:zq
Email Address []:123456.qq.com
2. On mgr1, run the following commands to create the revprox_cert, revprox_key and postgres_password secrets.
root@docker-virtual-machine:~# docker secret create revprox_cert domain.crt
13wrw12qu9z1on09wtvdcaax7
root@docker-virtual-machine:~# docker secret create revprox_key domain.key
62pw9msu3g4gatmje7awaqbys
root@docker-virtual-machine:~# docker secret create postgres_password domain.key
mhehvz7h097c146txphfzfxgr
3. On mgr1, run echo staging | docker secret create staging_token - to create the staging_token secret.
root@docker-virtual-machine:~# echo staging | docker secret create staging_token -
4nlqsjz5zjry0g7aq9wej2vst
4. On mgr1, run docker secret ls to list all secrets.
root@docker-virtual-machine:~# docker secret ls
ID NAME DRIVER CREATED UPDATED
mhehvz7h097c146txphfzfxgr postgres_password 21 seconds ago 21 seconds ago
13wrw12qu9z1on09wtvdcaax7 revprox_cert 48 seconds ago 48 seconds ago
62pw9msu3g4gatmje7awaqbys revprox_key 40 seconds ago 40 seconds ago
4nlqsjz5zjry0g7aq9wej2vst staging_token 8 seconds ago 8 seconds ago
2.3.5 Deploying the Sample Application
2.3.5.1 Fetching the source code
1. On mgr1, run the following command to download the source code from GitHub.
docker@docker-virtual-machine:~/Desktop$ git clone https://github.com/nigelpoulton/atsea-sample-shop-app.git
Cloning into 'atsea-sample-shop-app'...
remote: Enumerating objects: 632, done.
remote: Counting objects: 100% (92/92), done.
remote: Compressing objects: 100% (29/29), done.
remote: Total 632 (delta 69), reused 63 (delta 63), pack-reused 540
Receiving objects: 100% (632/632), 7.23 MiB | 9.38 MiB/s, done.
Resolving deltas: 100% (198/198), done.
2.3.5.2 Deploying the stack
1. On mgr1, change to the directory containing docker-stack.yml and run docker stack deploy -c docker-stack.yml teststack to deploy the stack, named teststack.
root@docker-virtual-machine:/home/docker/Desktop/atsea-sample-shop-app-master# docker stack deploy -c docker-stack.yml teststack
Creating network teststack_back-tier
Creating network teststack_front-tier
Creating network teststack_payment
Creating network teststack_default
Creating service teststack_database
Creating service teststack_appserver
Creating service teststack_visualizer
Creating service teststack_payment_gateway
Creating service teststack_reverse_proxy
2.3.5.3 Verifying the deployment
1. On mgr1, run docker network ls to check the networks.
root@docker-virtual-machine:/home/docker/Desktop/atsea-sample-shop-app-master# docker network ls
NETWORK ID NAME DRIVER SCOPE
1jtmz0kf909x teststack_back-tier overlay swarm
olwj0anj8a3z teststack_default overlay swarm
n8rz810wgxgz teststack_front-tier overlay swarm
c4h265wy25w0 teststack_payment overlay swarm
2. On mgr1, run docker service ls to check the services.
root@docker-virtual-machine:/home/docker/Desktop/atsea-sample-shop-app-master# docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
yi4vlfzufyc8 teststack_appserver replicated 0/2 dockersamples/atsea_app:latest
sp2hl3tg2blp teststack_database replicated 0/1 dockersamples/atsea_db:latest
vj8aobjp6dvo teststack_payment_gateway replicated 0/1 dockersamples/atseasampleshopapp_payment_gateway:latest
uvpgdphy5dp3 teststack_reverse_proxy replicated 0/1 dockersamples/atseasampleshopapp_reverse_proxy:latest *:80->80/tcp, *:443->443/tcp
g27l3ov83ua2 teststack_visualizer replicated 0/1 dockersamples/visualizer:stable *:8001->8080/tcp
3. On mgr1, run docker stack ls to list all stacks on the system, including how many services each stack contains.
root@docker-virtual-machine:/home/docker/Desktop/atsea-sample-shop-app-master# docker stack ls
NAME SERVICES ORCHESTRATOR
teststack 5 Swarm
4. On mgr1, run docker stack ps teststack to see the details of teststack, including the node each service replica runs on, its current state, its desired state and any errors.
root@docker-virtual-machine:/home/docker/Desktop/atsea-sample-shop-app-master# docker stack ps teststack
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
1f80jbkd55f0 teststack_appserver.1 dockersamples/atsea_app:latest wrk2 Running Preparing 9 minutes ago
621hriyuir0x teststack_appserver.2 dockersamples/atsea_app:latest wrk1 Running Preparing 9 minutes ago
4zweihu6kz56 teststack_database.1 dockersamples/atsea_db:latest wrk2 Running Preparing 9 minutes ago
4af2sb6rk59j teststack_payment_gateway.1 dockersamples/atseasampleshopapp_payment_gateway:latest wrk1 Running Preparing 9 minutes ago
gwlpkgzafmy9 teststack_reverse_proxy.1 dockersamples/atseasampleshopapp_reverse_proxy:latest docker-virtual-machine Running Preparing 8 minutes ago
pek8qxvuwdv3 teststack_visualizer.1 dockersamples/visualizer:stable docker-virtual-machine Running Preparing 9 minutes ago
5. On mgr1, run docker service logs teststack_reverse_proxy to view the logs of the teststack_reverse_proxy service.
root@docker-virtual-machine:/home/docker/Desktop/atsea-sample-shop-app-master# docker service logs teststack_reverse_proxy
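2.4 Managing the Application
A Stack is a set of related services and infrastructure that is deployed and managed as a unit. When managing a service in a Stack, the recommended approach is declarative: treat the Stack file as the single source of truth for the configuration.
Below we make two declarative changes to the Stack: increase the number of appserver replicas from 2 to 10, and raise the graceful stop period of the visualizer service to 2 minutes.
1. Run vim docker-stack.yml to open the file and change the following: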
    deploy:
      replicas: 10
  visualizer:
    stop_grace_period: 2m
2. After making the changes, run cat docker-stack.yml to review the file.
root@docker-virtual-machine:/home/docker/Desktop/atsea-sample-shop-app-master# cat docker-stack.yml
...
...
  appserver:
    image: dockersamples/atsea_app
    networks:
      - front-tier
      - back-tier
      - payment
    deploy:
      replicas: 10 # changed
      update_config:
        parallelism: 2
...
...
  visualizer:
    image: dockersamples/visualizer:stable
    ports:
      - "8001:8080"
    stop_grace_period: 2m # changed
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    deploy:
      update_config:
        failure_action: rollback
      placement:
        constraints:
          - 'node.role == manager'
  payment_gateway:
    image: dockersamples/atseasampleshopapp_payment_gateway
    secrets:
      - source: staging_token
        target: payment_token
    networks:
      - payment
    deploy:
      update_config:
        failure_action: rollback
      placement:
        constraints:
          - 'node.role == worker'
          - 'node.labels.pcidss == yes'
3. Run docker stack deploy -c docker-stack.yml teststack to redeploy the application. Note that a redeploy only updates the parts that have changed.
root@docker-virtual-machine:/home/docker/Desktop/atsea-sample-shop-app-master# docker stack deploy -c docker-stack.yml teststack
Updating service teststack_payment_gateway (id: vj8aobjp6dvomh631xpylvdg9)
Updating service teststack_reverse_proxy (id: uvpgdphy5dp30vha44itefd9a)
Updating service teststack_database (id: sp2hl3tg2blpzesljwcu1veb3)
Updating service teststack_appserver (id: yi4vlfzufyc8rb9cmo63aa437)
Updating service teststack_visualizer (id: g27l3ov83ua267kydklyhnj2a)
4. Run docker stack ps teststack and observe that the number of appserver replicas has increased to 10.
root@docker-virtual-machine:/home/docker/Desktop/atsea-sample-shop-app-master# docker stack ps teststack
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
1f80jbkd55f0 teststack_appserver.1 dockersamples/atsea_app:latest wrk2 Running Preparing 38 minutes ago
621hriyuir0x teststack_appserver.2 dockersamples/atsea_app:latest wrk1 Running Preparing 38 minutes ago
h0j81cc1pndw teststack_appserver.3 dockersamples/atsea_app:latest wrk2 Running Preparing about a minute ago
ndkdlzgy2xo9 teststack_appserver.4 dockersamples/atsea_app:latest wrk1 Running Preparing about a minute ago
bgj1onx3kdsw teststack_appserver.5 dockersamples/atsea_app:latest wrk2 Running Preparing about a minute ago
ip0no4fq0oe9 teststack_appserver.6 dockersamples/atsea_app:latest wrk1 Running Preparing about a minute ago
xmf61o3zz73q teststack_appserver.7 dockersamples/atsea_app:latest wrk2 Running Preparing about a minute ago
lcseqw6ds40v teststack_appserver.8 dockersamples/atsea_app:latest wrk1 Running Preparing about a minute ago
io7stw5fwpcl teststack_appserver.9 dockersamples/atsea_app:latest wrk2 Running Preparing about a minute ago
rov20lfga41i teststack_appserver.10 dockersamples/atsea_app:latest wrk1 Running Preparing about a minute ago
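2.4.1 Summary
1. All changes should be declared in the stack file and then deployed with docker stack deploy.
2. When a stack is deleted, its secrets (which already existed before the stack was deployed) and volumes are not deleted.
III. Deploying Applications with Docker Stack: Command Reference
3.1 Adding a Node Label
1. On mgr1, run docker node update --label-add pcidss=yes wrk1 to add the node label to wrk1, where wrk1 is the node's hostname.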
root@docker-virtual-machine:~# docker node update --label-add pcidss=yes wrk1
wrk1
3.2 Viewing Node Labels
1. On mgr1, run docker node inspect wrk1 to confirm the node label. The output shows that the label was added successfully.
root@docker-virtual-machine:~# docker node inspect wrk1
[
    {
        "ID": "07c04nmvybeqj5m2nas00gz2k",
        "Version": {
            "Index": 24
        },
        "CreatedAt": "2022-11-06T05:24:39.933665813Z",
        "UpdatedAt": "2022-11-06T05:38:22.318176748Z",
        "Spec": {
            "Labels": {
                "pcidss": "yes"
            },
            "Role": "worker",
            "Availability": "active"
        },
...
...
3.3 Creating a New Key Pair
1. On mgr1, run openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 365 -out domain.crt to create a new key pair; the key will then be placed into Docker secrets.
root@docker-virtual-machine:~# openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 365 -out domain.crt
Generating a RSA private key
.....................................................................................++++
...........................................................................................................................++++
writing new private key to 'domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:AN^H
Locality Name (eg, city) []:HF
Organization Name (eg, company) [Internet Widgits Pty Ltd]:22
Organizational Unit Name (eg, section) []:section
Common Name (e.g. server FQDN or YOUR name) []:zq
Email Address []:123456.qq.com
3.4 Creating Secrets
1. On mgr1, run docker secret create to create the revprox_cert, revprox_key and postgres_password secrets.
root@docker-virtual-machine:~# docker secret create revprox_cert domain.crt
13wrw12qu9z1on09wtvdcaax7
root@docker-virtual-machine:~# docker secret create revprox_key domain.key
62pw9msu3g4gatmje7awaqbys
root@docker-virtual-machine:~# docker secret create postgres_password domain.key
mhehvz7h097c146txphfzfxgr
2. On mgr1, run echo staging | docker secret create staging_token - to create the staging_token secret.
root@docker-virtual-machine:~# echo staging | docker secret create staging_token -
4nlqsjz5zjry0g7aq9wej2vst
3.5 Listing All Secrets
1. On mgr1, run docker secret ls to list all secrets.
root@docker-virtual-machine:~# docker secret ls
ID NAME DRIVER CREATED UPDATED
mhehvz7h097c146txphfzfxgr postgres_password 21 seconds ago 21 seconds ago
13wrw12qu9z1on09wtvdcaax7 revprox_cert 48 seconds ago 48 seconds ago
62pw9msu3g4gatmje7awaqbys revprox_key 40 seconds ago 40 seconds ago
4nlqsjz5zjry0g7aq9wej2vst staging_token 8 seconds ago 8 seconds ago
3.6 Deploying and Updating Stack Services
1. On mgr1, change to the directory containing docker-stack.yml and run docker stack deploy -c docker-stack.yml teststack to deploy the stack, named teststack.
root@docker-virtual-machine:/home/docker/Desktop/atsea-sample-shop-app-master# docker stack deploy -c docker-stack.yml teststack
Creating network teststack_back-tier
Creating network teststack_front-tier
Creating network teststack_payment
Creating network teststack_default
Creating service teststack_database
Creating service teststack_appserver
Creating service teststack_visualizer
Creating service teststack_payment_gateway
Creating service teststack_reverse_proxy
3.7 Viewing Stacks
1. On mgr1, run docker stack ls to list all stacks on the system, including how many services each stack contains.
root@docker-virtual-machine:/home/docker/Desktop/atsea-sample-shop-app-master# docker stack ls
NAME SERVICES ORCHESTRATOR
teststack 5 Swarm
2. On mgr1, run docker stack ps teststack to see the details of teststack, including the node each service replica runs on, its current state, its desired state and any errors.
root@docker-virtual-machine:/home/docker/Desktop/atsea-sample-shop-app-master# docker stack ps teststack
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
1f80jbkd55f0 teststack_appserver.1 dockersamples/atsea_app:latest wrk2 Running Preparing 9 minutes ago
621hriyuir0x teststack_appserver.2 dockersamples/atsea_app:latest wrk1 Running Preparing 9 minutes ago
4zweihu6kz56 teststack_database.1 dockersamples/atsea_db:latest wrk2 Running Preparing 9 minutes ago
4af2sb6rk59j teststack_payment_gateway.1 dockersamples/atseasampleshopapp_payment_gateway:latest wrk1 Running Preparing 9 minutes ago
gwlpkgzafmy9 teststack_reverse_proxy.1 dockersamples/atseasampleshopapp_reverse_proxy:latest docker-virtual-machine Running Preparing 8 minutes ago
pek8qxvuwdv3 teststack_visualizer.1 dockersamples/visualizer:stable docker-virtual-machine Running Preparing 9 minutes ago
3.8 Viewing Stack Service Logs
1. On mgr1, run docker service logs teststack_reverse_proxy to view the logs of the teststack_reverse_proxy service.
root@docker-virtual-machine:/home/docker/Desktop/atsea-sample-shop-app-master# docker service logs teststack_reverse_proxy
3.9 Removing a Stack
1. On mgr1, run docker stack rm teststack to remove teststack. Note that no confirmation is requested before the removal.
root@docker-virtual-machine:/home/docker/Desktop/atsea-sample-shop-app-master# docker stack rm teststack