Docker制作镜像并部署bind9(yum安装bind)--use

镜像制作

1.1 下载镜像

docker pull centos:centos7.9.2009

1.2 运行容器

[root@localhost ~]# docker run -d \
--privileged \
--name=bind9 \
--restart=always \
-p 53:53/udp \
-p 53:53/tcp \
-v /data/bind9:/etc/bind \
-v /sys/fs/cgroup:/sys/fs/cgroup \
centos:centos7.9.2009 /usr/sbin/init

# 查看容器日志
[root@localhost ~]# docker logs bind9

# 进入容器查看
[root@localhost ~]# docker exec -it bind9 bash

# 查看容器运行情况
root@ubuntu-vm1:/data/bind9# docker ps
CONTAINER ID   IMAGE                   COMMAND            CREATED          STATUS          PORTS                                                                  NAMES
3e12e7dd4439   centos:centos7.9.2009   "/usr/sbin/init"   42 seconds ago   Up 41 seconds   0.0.0.0:53->53/tcp, 0.0.0.0:53->53/udp, :::53->53/tcp, :::53->53/udp   bind9

1.3 部署named服务

# 1. 进入容器查看
[root@localhost ~]# docker exec -it bind9 bash

# 2. 关闭SELinux与防火墙（容器内执行 setenforce 不会改变宿主机的 SELinux 状态，centos 基础镜像一般也未安装 firewalld，这两步通常可以省略）
[root@localhost ~]# setenforce 0
[root@localhost ~]# systemctl stop firewalld
 
# 永久关闭
[root@localhost ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@localhost ~]# systemctl disable firewalld

# 3. yum 安装DNS服务
[root@localhost ~]# yum install -y bind* vim*
 
# 查看bind是否完成
[root@localhost yum.repos.d]# rpm -aq |grep bind
 
# 状态管理
systemctl enable named --now
systemctl status named
systemctl stop named
systemctl start named
systemctl restart named

1.4 配置文件

1.4.1 named.conf

# 在docker容器中执行
$. cp /etc/named.conf /etc/named.conf-bak
$. vi /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
//
// Changes from the stock file (see the notes inline): named listens on every
// IPv4 interface, answers any client, recurses through 8.8.8.8, has DNSSEC
// validation switched off, and loads the local zones from /etc/bind/named.zones.

options {
        // listen-on port 53 { 127.0.0.1; };
        // Widened from 127.0.0.1 so the container's published port 53 reaches named.
        listen-on port 53 { any; };
        // NOTE(review): IPv6 stays loopback-only although docker also maps :::53;
        // confirm whether IPv6 clients are expected to be served.
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        //allow-query     { localhost; };
        // NOTE(review): together with "recursion yes" below this is an open
        // recursive resolver for every client that can reach port 53 (the block
        // comment that follows describes the consequence). { any; } may stay for
        // the authoritative zones, but recursion should be limited to the
        // networks this server is meant to serve, e.g.
        //   allow-recursion   { localhost; 192.168.31.0/24; };
        //   allow-query-cache { localhost; 192.168.31.0/24; };
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        // Enabled so clients can resolve names outside the local zones through
        // this server.
        recursion yes;

        // Ask the forwarder first; if it does not answer, fall back to normal
        // resolution from the root hints (zone "." below).
        forward first;
        forwarders { 8.8.8.8; };

        // Validation is off: answers relayed from the forwarder are accepted as-is.
        // dnssec-enable is accepted by the 9.11 release this page packages; newer
        // BIND releases treat the option as obsolete.
        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

// Root hints, used whenever the forwarder cannot be reached (forward first).
zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

// Local zones; /etc/bind is the host volume mounted with -v /data/bind9:/etc/bind,
// so the zone definitions and zone files are edited on the host.
include "/etc/bind/named.zones";

1.4.2 named.zones

# 宿主机中
[root@localhost ~]# cd /data/bind9
[root@localhost ~]# vi named.zones
// named.zones文件内容如下:
// Zones of our own, included at the end of /etc/named.conf. /etc/bind is the
// /data/bind9 volume bind-mounted from the host, so both zone files live there.
// NOTE(review): neither zone sets allow-transfer, and the options block does not
// either, so zone transfers follow BIND's default (allowed to any host in 9.11);
// add allow-transfer { none; }; (or the secondaries' addresses) to each zone.
zone "lpf-test.com" IN {
    type master;
    // Forward zone: names under lpf-test.com -> addresses.
    file "/etc/bind/lpf-test.com.hosts";
};
 
zone "31.168.192.in-addr.arpa" IN {
    type master;
    // Reverse zone for 192.168.31.0/24: addresses -> names.
    file "/etc/bind/lpf-test.com.back";
};

1.4.3 lpf-test.com.hosts, lpf-test.com.back

[root@localhost ~]# cd /data/bind9/zones
[root@localhost ~]# vi lpf-test.com.hosts
$TTL 1D
; Forward zone for lpf-test.com, loaded by /etc/bind/named.zones as
; /etc/bind/lpf-test.com.hosts.
; NOTE(review): that path is /data/bind9/lpf-test.com.hosts on the host, not a
; zones/ subdirectory as the "cd /data/bind9/zones" step above suggests - confirm.
; The SOA uses "@" (the zone apex) as primary name server and root@lpf-test.com as
; the contact address.
@       IN SOA  @ root.lpf-test.com. (
                                        0       ; serial - increase on every edit (secondaries, if any, use it to detect changes)
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum (negative-answer TTL)
 
; Class is omitted here and defaults to IN.
@               NS      dns.lpf-test.com.
@               IN A    192.168.31.85
; Wildcard: every otherwise undefined name below lpf-test.com - including the NS
; name dns.lpf-test.com, which has no explicit A record - resolves to .85.
*               IN A    192.168.31.85

[root@localhost ~]# vi lpf-test.com.back
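$TTL 1D
; Reverse zone for 192.168.31.0/24 (31.168.192.in-addr.arpa), loaded by
; /etc/bind/named.zones as /etc/bind/lpf-test.com.back.
@       IN SOA  @ root.lpf-test.com. (
                                        0       ; serial - increase on every edit
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum (negative-answer TTL)
@       IN      NS      dns.lpf-test.com.
; PTR targets must be fully qualified (trailing dot). Without it the zone origin
; is appended, so the original "dns.lpf-test.com" became
; dns.lpf-test.com.31.168.192.in-addr.arpa. - a wrong answer that
; named-checkzone still reports as OK.
; NOTE(review): these map .100-.103, while the forward zone only defines
; 192.168.31.85 - confirm which hosts are intended.
100     IN      PTR     dns.lpf-test.com.
101     IN      PTR     www.lpf-test.com.
102     IN      PTR     smb.lpf-test.com.
103     IN      PTR     ftp.lpf-test.com.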

1.4.4 检查

root@my-ubuntu-vm1:~# docker exec -it bind9 bash

# 查看状态
root@8d4b47ea885c:/# service named status
root@8d4b47ea885c:/# service named restart
root@8d4b47ea885c:/# service named status

$. named-checkconf -z "$NAMEDCONF"
$. named-checkconf /etc/named.conf


# 检查主配置文件: 
[root@localhost ~]# named-checkconf

# named-checkzone <区域名> <区域文件路径>
# 检查正向解析文件
[root@localhost ~]# named-checkzone lpf-test.com \
/etc/bind/lpf-test.com.hosts

zone lpf-test.com/IN: loaded serial 0
 
OK

# 检查反向解析文件:
[root@localhost ~]# named-checkzone \
31.168.192.in-addr.arpa \
/etc/bind/lpf-test.com.back

zone 31.168.192.in-addr.arpa/IN: loaded serial 0
 
OK

# 问题排查
journalctl -xefu named
journalctl -xefu docker
journalctl -u named

1.4.5 开机启动执行

# 容器中执行如下命令
chmod +x /etc/rc.d/rc.local
vi /etc/rc.d/rc.local
# 添加如下内容  
# Run from /etc/rc.d/rc.local at boot: seed /etc/bind from /opt.
# NOTE(review): what is staged in /opt is not shown on this page. When /etc/bind
# is the host volume from section 1.2, every boot overwrites the volume's files
# with the /opt copies (cp -p replaces existing files) - confirm that is intended.
mkdir -p /etc/bind
cp -p /opt/* /etc/bind

1.5 打包镜像

# 打包镜像
docker commit -p \
-a "langpf" \
-m "centos7.9.2009, bind-9.11.4" \
d46d528d2f97 centos/bind9:9.11.4-26 

# 推送到本地仓库
1) 
docker tag centos/bind9:9.11.4-26 \
k8s-harbor.com/my-project/centos-bind9:9.11.4-26

2) 
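# Registry login for the push below. The password is fed on stdin instead of
# -p so it does not show up in `ps`, shell history or docker's own warning;
# it is read from HARBOR_PASSWORD (the original passed Harbor12345, Harbor's
# default admin password, on the command line).
: "${HARBOR_PASSWORD:?set HARBOR_PASSWORD (registry admin password) first}"
printf '%s' "$HARBOR_PASSWORD" | docker login \
  https://k8s-harbor.com/harbor/projects \
  -u admin --password-stdin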

3) 
docker push k8s-harbor.com/my-project/centos-bind9:9.11.4-26

问题处理

问题:
    在docker中启动服务报错:
        New main PID 547 does not belong to service, 
        and PID file is not owned by root. Refusing.

解决:
    挂载宿主机 cgroup 目录，启动时加上 -v /sys/fs/cgroup:/sys/fs/cgroup。注意 --privileged 加上宿主机 cgroup 挂载会让容器内的 root 获得接近宿主机 root 的权限，因此只在受控的宿主机上这样运行，并限制能够访问 53 端口的网络范围。

    完整启动命令如下:
    
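    # The cgroup line originally appeared to end in "\ " (backslash, space): the
    # backslash then escapes the space instead of the newline, the continuation
    # breaks, and the -p/image line runs as a separate command. Fixed below.
    # (This example is an ldap container; the bind9 command is in section 1.2.)
    docker run -itd --name=ldap --privileged=true \
      -v /sys/fs/cgroup:/sys/fs/cgroup \
      -p 80:80 -p 389:389 centos:7 /usr/sbin/init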
