【实验环境】

# 防火墙和SELinux均已关闭（仅为实验环境的简化，生产环境不应这样做：Docker 会自行管理 iptables 规则，保持 firewalld/SELinux 开启并按需放通即可）

[root@centos7-mini3 ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

[root@Rocky8 ~]# cat /etc/redhat-release
Rocky Linux release 8.8 (Green Obsidian)

【实验所需文件】

[root@centos7-mini3 dockerInstall]# ls
containerd.service docker-24.0.2.tgz docker.service limits.conf
daemon.json docker-compose-Linux-x86_64_1.28.6 docker.socket sysctl.conf

# docker 二进制包下载地址（从镜像站下载后，建议与 download.docker.com 上同名文件的 sha256 对比后再安装——下面的脚本会以 root 身份把包内二进制直接复制到 /usr/bin）
https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/static/stable/x86_64/

# docker-compose 下载地址（GitHub release 页通常同时附带 .sha256 校验文件，下载后应先校验再复制到 /usr/bin）
https://github.com/docker/compose/releases/tag/1.28.6

# 系统内核优化
[root@centos7-mini3 dockerInstall]# cat limits.conf
* soft core unlimited
* hard core unlimited
* soft nproc 1000000
* hard nproc 1000000
* soft nofile 1000000
* hard nofile 1000000
* soft memlock 32000
* hard memlock 32000
* soft msgqueue 8192000
* hard msgqueue 8192000
[root@centos7-mini3 dockerInstall]# cat sysctl.conf
net.ipv4.ip_forward=1
vm.max_map_count=262144
kernel.pid_max=4194303
fs.file-max=1000000
net.ipv4.tcp_max_tw_buckets=6000
net.netfilter.nf_conntrack_max=2097152

net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness=0

# 相关服务自启动文件（注意 docker.socket 把 API 套接字交给 docker 组：该组成员可启动特权容器、等同于 root，加入该组要像授予 sudo 一样谨慎）
[root@centos7-mini3 dockerInstall]# cat containerd.service
# Copyright The containerd Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target

[Service]
ExecStartPre=-/usr/sbin/modprobe overlay
ExecStart=/usr/bin/containerd

Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=infinity
# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999

[Install]
WantedBy=multi-user.target
+--------------------------------------------------------------------------+
+--------------------------------------------------------------------------+
+--------------------------------------------------------------------------+
[root@centos7-mini3 dockerInstall]# cat docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
BindsTo=containerd.service
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3

# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity

# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity

# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes

# kill only the docker process, not all processes in the cgroup
KillMode=process

[Install]
WantedBy=multi-user.target
+--------------------------------------------------------------------------+
+--------------------------------------------------------------------------+
+--------------------------------------------------------------------------+
[root@centos7-mini3 dockerInstall]# cat docker.socket
[Unit]
Description=Docker Socket for the API
PartOf=docker.service

[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker

[Install]
WantedBy=sockets.target

# docker 的配置（注意：insecure-registries 会让 dockerd 对所列仓库接受明文 HTTP 或不受信任的 TLS 证书，拉取的镜像来源不再可信，仅限实验环境使用；data-root 指向 /data/docker，需确认该目录所在分区存在且空间足够）
[root@centos7-mini3 dockerInstall]# cat daemon.json
{
"data-root": "/data/docker",
"storage-driver": "overlay2",
"insecure-registries": ["harbor.myserver.com","192.168.119.105"],
"registry-mirrors": ["https://frncu3gx.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"live-restore": false,
"log-opts": {
"max-file": "5",
"max-size": "100m"
}
}

【实验脚本】

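#!/usr/bin/env bash
#
# Offline installer for the Docker static binaries on CentOS 7 / Rocky 8.
#
# Expects the following files in the same directory as this script:
#   docker-24.0.2.tgz  docker-compose-Linux-x86_64_1.28.6  daemon.json
#   limits.conf  sysctl.conf  containerd.service  docker.service  docker.socket
#
# Must be run as root: it overwrites /etc/security/limits.conf and
# /etc/sysctl.conf (keeping a one-time *.orig backup), copies binaries into
# /usr/bin and unit files into /lib/systemd/system, creates the "docker"
# group/user and enables docker.service.
#
# Optional environment variables:
#   DOCKER_SHA256   expected sha256 hex digest of the docker tarball
#   COMPOSE_SHA256  expected sha256 hex digest of the docker-compose binary
# When set, the files are verified before anything is installed; when unset a
# warning is printed and the (mirror-downloaded) binaries are trusted as-is.

# RHEL-family `action` helper (prints "[  OK  ]"/"[FAILED]"). Sourced before
# enabling -e because the file was not written for strict mode; minimal
# Rocky 8 installs may lack the initscripts package, so provide a fallback.
if [[ -r /etc/init.d/functions ]]; then
  . /etc/init.d/functions
else
  action() {
    local msg=$1
    shift
    if "$@"; then
      printf '%s [  OK  ]\n' "$msg"
    else
      printf '%s [FAILED]\n' "$msg" >&2
      return 1
    fi
  }
fi

set -eo pipefail

die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Verify FILE against EXPECTED (sha256 hex digest). Skipped with a warning
# when no digest is supplied, so the script stays usable in the lab setup it
# was written for while making the missing integrity check visible.
verify_sha256() {
  local file=$1 expected=$2
  if [[ -z "$expected" ]]; then
    printf 'WARN: no sha256 supplied for %s; installing unverified binary\n' "${file##*/}" >&2
    return 0
  fi
  printf '%s  %s\n' "$expected" "$file" | sha256sum -c --quiet - \
    || die "sha256 mismatch for ${file}"
}

# Copy SRC over DST, keeping a one-time backup of the pre-existing system file
# as DST.orig so the distribution's limits/sysctl settings can be restored.
install_cfg() {
  local src=$1 dst=$2
  if [[ -f "$dst" && ! -f "${dst}.orig" ]]; then
    cp -a -- "$dst" "${dst}.orig"
  fi
  cp -f -- "$src" "$dst"
}

# Resolve input files relative to the script itself, not the caller's cwd.
DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
packageName="docker-24.0.2.tgz"
composeName="docker-compose-Linux-x86_64_1.28.6"
units=(containerd.service docker.service docker.socket)

[[ $EUID -eq 0 ]] || die "this script must be run as root"

for f in limits.conf sysctl.conf daemon.json "${units[@]}" "$packageName" "$composeName"; do
  [[ -f "${DIR}/${f}" ]] || die "required file not found: ${DIR}/${f}"
done

verify_sha256 "${DIR}/${packageName}" "${DOCKER_SHA256:-}"
verify_sha256 "${DIR}/${composeName}" "${COMPOSE_SHA256:-}"

install_cfg "${DIR}/limits.conf" /etc/security/limits.conf
install_cfg "${DIR}/sysctl.conf" /etc/sysctl.conf

# br_netfilter must be loaded before the net.bridge.* keys in sysctl.conf
# exist, and nf_conntrack before net.netfilter.nf_conntrack_max; persist both
# via modules-load.d so the settings survive a reboot, then apply them now
# (the original only copied the file, leaving the values unapplied).
modprobe nf_conntrack
modprobe br_netfilter
printf 'nf_conntrack\nbr_netfilter\n' > /etc/modules-load.d/docker.conf
sysctl -p /etc/sysctl.conf > /dev/null || die "failed to apply /etc/sysctl.conf"

tar xf "${DIR}/${packageName}" -C /usr/local/
cp -f -- /usr/local/docker/* /usr/bin/
mkdir -p /etc/docker
cp -f -- "${DIR}/daemon.json" /etc/docker/daemon.json

for u in "${units[@]}"; do
  cp -f -- "${DIR}/${u}" "/lib/systemd/system/${u}"
done

install -m 0755 -- "${DIR}/${composeName}" /usr/bin/docker-compose

# docker.socket hands the API socket to group "docker"; any member of that
# group can start privileged containers and is therefore root-equivalent, so
# add accounts to it as deliberately as you would grant sudo. Group and user
# are created independently: the original `groupadd && useradd` skipped the
# user whenever the group already existed. The nologin "docker" account is
# kept from the original script; dockerd itself does not need it.
getent group docker > /dev/null || groupadd docker
id docker &> /dev/null || useradd docker -s /sbin/nologin -g docker

systemctl daemon-reload
if systemctl enable --now docker.service; then
  action "docker install success!" /bin/true
else
  action "docker install failure!" /bin/false || true
  exit 1
fi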