Learning Docker (14): Deploying Applications with Docker Stack (Part 2)
Deploying a Docker Stack application
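- Before deploying the stack, the prerequisite environment must be in place:
- Swarm mode: the application is deployed with Docker Stack, and stacks depend on swarm mode
- Labels: one of the swarm worker nodes needs a custom label
- Secrets: the secrets the application needs must be created before deployment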
Setting up the lab environment
- Distributed cluster storage:
- Secrets:
  - revprox_cert
  - revprox_key
  - postgres_password
  - staging_token
Node name | IP |
---|---|
mgr-1 | 192.168.13.136 |
wrk-1 | 192.168.13.144 |
wrk-2 | 192.168.13.147 |
Creating a new swarm
- Initialize the swarm
lhf@mgr-1:~$ docker swarm init
Swarm initialized: current node (l564anfboh0ne59d8vet8pzzz) is now a manager.
To add a worker to this swarm, run the following command:
docker swarm join --token SWMTKN-1-0ql6lh4yj69ahb8j3ilxiytg9fenft9lfprcbr60xlib8ozwgy-5x2zi0y7fbn8ut7tnwpm19s2t 192.168.13.136:2377
To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.
- Add the worker nodes
lhf@wrk-1:~$ docker swarm join --token SWMTKN-1-0ql6lh4yj69ahb8j3ilxiytg9fenft9lfprcbr60xlib8ozwgy-5x2zi0y7fbn8ut7tnwpm19s2t 192.168.13.136:2377
This node joined a swarm as a worker.
lhf@wrk-2:~$ docker swarm join --token SWMTKN-1-0ql6lh4yj69ahb8j3ilxiytg9fenft9lfprcbr60xlib8ozwgy-5x2zi0y7fbn8ut7tnwpm19s2t 192.168.13.136:2377
This node joined a swarm as a worker.
- Confirm that the swarm now consists of one manager node and two worker nodes
lhf@mgr-1:~$ docker node ls
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION
l564anfboh0ne59d8vet8pzzz * mgr-1 Ready Active Leader 19.03.4
szshmjtsr8rk3p0f5ndes9ix5 wrk-1 Ready Active 19.03.4
v55vt8rd0yer087hh3pcqnc5v wrk-2 Ready Active 19.03.5
- The payment_gateway service has a placement constraint that restricts it to worker nodes carrying the label pcidss=yes
Adding the node label to wrk-1
- Add the node label to wrk-1
lhf@mgr-1:~$ docker node update --label-add pcidss=yes wrk-1
wrk-1
- Confirm the node label
lhf@mgr-1:~$ docker node inspect wrk-1
[
{
"ID": "szshmjtsr8rk3p0f5ndes9ix5",
"Version": {
"Index": 27
},
"CreatedAt": "2019-11-15T13:51:01.803874429Z",
"UpdatedAt": "2019-11-15T14:05:09.242972321Z",
"Spec": {
"Labels": {
"pcidss": "yes"
},
"Role": "worker",
"Availability": "active"
},
The services being deployed define 4 secrets
- revprox_cert
- revprox_key
- postgres_password
- staging_token
- Create a new key pair
lhf@mgr-1:~/docker/stack$ openssl req -newkey rsa:4096 -nodes -sha256 \
> -keyout domain.key -x509 -days 365 -out domain.crt
Generating a 4096 bit RSA private key
...................................++
.....................................................................++
writing new private key to 'domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
- Create revprox_cert, revprox_key and postgres_password
lhf@mgr-1:~/docker/stack$ docker secret create revprox_cert domain.crt
i9wvc84oebgh0k4ar34s29gfd
lhf@mgr-1:~/docker/stack$ docker secret create revprox_key domain.crt
ddvgoc7p0ca22hwiuazp800bq
lhf@mgr-1:~/docker/stack$ docker secret create postgres_password domain.crt
oqjec46gd3e7ij1cc3t8brwct
- Create the staging_token secret
lhf@mgr-1:~/docker/stack$ echo staging | docker secret create staging_token -
g0kmte12zf9dnuqcvrzo86eeb
- List all secrets
lhf@mgr-1:~/docker/stack$ docker secret ls
ID NAME DRIVER CREATED UPDATED
oqjec46gd3e7ij1cc3t8brwct postgres_password 4 minutes ago 4 minutes ago
i9wvc84oebgh0k4ar34s29gfd revprox_cert 5 minutes ago 5 minutes ago
ddvgoc7p0ca22hwiuazp800bq revprox_key 5 minutes ago 5 minutes ago
g0kmte12zf9dnuqcvrzo86eeb staging_token About a minute ago About a minute ago
Deploying the sample application
- Download the code
$ git clone https://github.com/dockersamples/atsea-sample-shop-app
lhf@mgr-1:~/docker/stack$ cd atsea-sample-shop-app/
- Deploy with the docker stack deploy command
- Deploy the stack application
lhf@mgr-1:~/docker/stack/atsea-sample-shop-app$ docker stack deploy -c docker-stack.yml seastack
Creating network seastack_front-tier
Creating network seastack_payment
Creating network seastack_default
Creating network seastack_back-tier
Creating service seastack_visualizer
- Check the application's networks and services
lhf@mgr-1:~/docker/stack/atsea-sample-shop-app$ docker network ls
NETWORK ID NAME DRIVER SCOPE
fa23ec97174a bridge bridge local
8b95e29168fa counter-app-master_counter-net bridge local
dd3be5988773 docker_gwbridge bridge local
682a75797ba4 host host local
prculxlvuozk ingress overlay swarm
2b5ed819e933 localnet bridge local
596066e2fd78 none null local
x0ratplnjk6v seastack_back-tier overlay swarm
mupfp2vqmbjj seastack_default overlay swarm
an24a86vo71n seastack_front-tier overlay swarm
70lp675qrwbo seastack_payment overlay swarm
lhf@mgr-1:~/docker/stack/atsea-sample-shop-app$ docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
9fw07t2ff8q9 seastack_appserver replicated 1/2 dockersamples/atsea_app:latest
6c7k8x0u14l2 seastack_database replicated 1/1 dockersamples/atsea_db:latest
xy98djzqhamb seastack_payment_gateway replicated 1/1 dockersamples/atseasampleshopapp_payment_gateway:latest
iao9nmtdw84p seastack_reverse_proxy replicated 0/1 dockersamples/atseasampleshopapp_reverse_proxy:latest *:80->80/tcp, *:443->443/tcp
qxauxhtjog5d seastack_visualizer replicated 1/1 dockersamples/visualizer:stable *:8001->8080/tcp
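- Networks are created before services: services depend on networks, so all networks must exist before the services are created.
- Confirm the current state of the stack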
lhf@mgr-1:~/docker/stack/atsea-sample-shop-app$ docker stack ls
NAME SERVICES ORCHESTRATOR
seastack 5 Swarm
lhf@mgr-1:~/docker/stack/atsea-sample-shop-app$ docker stack ps seastack
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
a5m6db82v7y0 seastack_reverse_proxy.1 dockersamples/atseasampleshopapp_reverse_proxy:latest mgr-1 Ready Ready 1 second ago
x0fgka89h61j \_ seastack_reverse_proxy.1 dockersamples/atseasampleshopapp_reverse_proxy:latest wrk-2 Shutdown Failed 1 second ago "task: non-zero exit (1)"
qnp9zoptbeik \_ seastack_reverse_proxy.1 dockersamples/atseasampleshopapp_reverse_proxy:latest mgr-1 Shutdown Failed 8 seconds ago "task: non-zero exit (1)"
sp10f4uy3f0t \_ seastack_reverse_proxy.1 dockersamples/atseasampleshopapp_reverse_proxy:latest mgr-1 Shutdown Failed 14 seconds ago "task: non-zero exit (1)"
po418ky3cum3 \_ seastack_reverse_proxy.1 dockersamples/atseasampleshopapp_reverse_proxy:latest wrk-1 Shutdown Failed 20 seconds ago "task: non-zero exit (1)"
zfoq5uw35bls seastack_appserver.1 dockersamples/atsea_app:latest wrk-2 Running Running 3 minutes ago
q15qxsibco5b seastack_database.1 dockersamples/atsea_db:latest wrk-1 Running Running 5 minutes ago
2gvwl6wcutkr seastack_payment_gateway.1 dockersamples/atseasampleshopapp_payment_gateway:latest wrk-1 Running Running 7 minutes ago
cfxni0k96qcu seastack_visualizer.1 dockersamples/visualizer:stable mgr-1 Running Running 7 minutes ago
vhcrp8zqwy79 seastack_appserver.2 dockersamples/atsea_app:latest wrk-1 Running Running 4 minutes ago
- To see the details of a particular service, use the docker service logs command
lhf@mgr-1:~/docker/stack/atsea-sample-shop-app$ docker service logs seastack_reverse_proxy
seastack_reverse_proxy.1.vm29ps8toahd@mgr-1 | 2019/11/15 14:51:15 [warn] 1#1: the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/nginx.conf:38
seastack_reverse_proxy.1.vm29ps8toahd@mgr-1 | nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/nginx.conf:38
seastack_reverse_proxy.1.vm29ps8toahd@mgr-1 | 2019/11/15 14:51:15 [emerg] 1#1: SSL_CTX_use_PrivateKey_file("/run/secrets/revprox_key") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: ANY PRIVATE KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
seastack_reverse_proxy.1.vm29ps8toahd@mgr-1 | nginx: [emerg] SSL_CTX_use_PrivateKey_file("/run/secrets/revprox_key") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: ANY PRIVATE KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
seastack_reverse_proxy.1.nl7if9o9t49q@mgr-1 | 2019/11/15 14:51:28 [warn] 1#1: the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/nginx.conf:38
seastack_reverse_proxy.1.nl7if9o9t49q@mgr-1 | nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/nginx.conf:38
seastack_reverse_proxy.1.nl7if9o9t49q@mgr-1 | 2019/11/15 14:51:28 [emerg] 1#1: SSL_CTX_use_PrivateKey_file("/run/secrets/revprox_key") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: ANY PRIVATE KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
seastack_reverse_proxy.1.nl7if9o9t49q@mgr-1 | nginx: [emerg] SSL_CTX_use_PrivateKey_file("/run/secrets/revprox_key") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: ANY PRIVATE KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
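You can keep following the log (--follow), view only the tail of the log (--tail), or get extra details (--details).
The reverse_proxy service failed to start with the error: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: ANY PRIVATE KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib. nginx found no private key in /run/secrets/revprox_key, because the revprox_key secret was created from domain.crt (the certificate) rather than domain.key in the secret-creation step earlier.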
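The failure above is a certificate file loaded under the name revprox_key. As an added example (not from the original post), this pre-flight check inspects the PEM header of each source file before it is handed to docker secret create. The function names pem_kind and check_secret_source and the sample files are constructed for illustration, and the name-to-type mapping is an assumption based on how nginx uses the two secrets.

```shell
#!/bin/sh
# Added example: verify a secret's source file before `docker secret create`.
# Assumption: revprox_cert must be a PEM certificate and revprox_key a PEM
# private key; postgres_password and staging_token are treated as opaque.

# Print the kind of PEM object in a file, judged by its first BEGIN line.
pem_kind() {
    header=$(sed -n '/^-----BEGIN /{p;q;}' "$1" 2>/dev/null) || header=""
    case "$header" in
        "-----BEGIN CERTIFICATE-----")    echo certificate ;;
        "-----BEGIN "*"PRIVATE KEY-----") echo private-key ;;
        *)                                echo unknown ;;
    esac
}

# Return 0 if FILE is an acceptable source for secret NAME, 1 otherwise.
check_secret_source() {
    name=$1
    file=$2
    [ -s "$file" ] || { echo "REJECT $name: $file missing or empty" >&2; return 1; }
    case "$name" in
        revprox_cert) want=certificate ;;
        revprox_key)  want=private-key ;;
        *)            return 0 ;;  # opaque secret: nothing to verify
    esac
    got=$(pem_kind "$file")
    [ "$got" = "$want" ] && return 0
    echo "REJECT $name: $file is '$got', expected '$want'" >&2
    return 1
}

# Constructed sample files (placeholder bodies, not real key material).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' \
    '-----END CERTIFICATE-----' > "$demo_dir/domain.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-placeholder' \
    '-----END PRIVATE KEY-----' > "$demo_dir/domain.key"

# Same name-to-file mapping as the session above, then the corrected one.
check_secret_source revprox_cert "$demo_dir/domain.crt" && echo "ok: revprox_cert"
check_secret_source revprox_key  "$demo_dir/domain.crt" || echo "blocked: skip docker secret create"
check_secret_source revprox_key  "$demo_dir/domain.key" && echo "ok: revprox_key"
```

In a real run, call check_secret_source first and run docker secret create only when it returns 0.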
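Managing the application
- A stack is a set of related services and infrastructure that needs to be deployed and managed as a unit.
- A stack is built from Docker resources: networks, volumes, secrets, services and so on.
- A service can be scaled with the docker service scale command, but this approach is not recommended.
- Instead, modify the declarative file and treat the stack file as the single source of truth for the configuration.
- All changes should be declared in the stack file and then deployed with docker stack deploy.
- A stack is removed with docker stack rm: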
lhf@mgr-1:~/docker/stack/atsea-sample-shop-app$ docker stack rm seastack
Removing service seastack_appserver
Removing service seastack_database
Removing service seastack_payment_gateway
Removing service seastack_reverse_proxy
Removing service seastack_visualizer
Removing network seastack_payment
Removing network seastack_front-tier
Removing network seastack_default
Removing network seastack_back-tier
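- The networks and services are removed, but the secrets are not; they stay in the swarm until removed separately with docker secret rm.
Deploying applications with Docker Stack: commands
- docker stack deploy: deploys and updates the services of a stack from a stack file
- docker stack ls: lists all stacks in the swarm cluster
- docker stack ps: lists information about a deployed stack
- docker stack rm: removes a stack from the swarm cluster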