Portainer学习笔记2

使用portainer添加docker swarm集群，然后部署redis主从集群

docker swarm集群部署参考：https://blog.csdn.net/backtwo/article/details/143334089

需要提前在swarm 的manage节点上生成TLS证书，用来加密开启docker远程连接协议。

[root@park2-0006 uniapply]# mkdir /etc/docker/certs
[root@park2-0006 uniapply]# cd /etc/docker/certs
[root@park2-0006 certs]# vim gen-TLS.sh
[root@park2-0006 certs]# chmod +x gen-TLS.sh 
[root@park2-0006 certs]# ./gen-TLS.sh 
当前目录：/etc/docker/certs/ 证书文件将保存在此文件夹下
请输入证书使用的 IP 地址或者 HOST: 192.168.0.100
您输入的是：192.168.0.100 证书只能在这个 IP 或者 HOST 下使用,证书密码和输入的一致
Generating RSA private key, 4096 bit long modulus
...................................................................++
................++
e is 65537 (0x10001)
Generating RSA private key, 4096 bit long modulus
......................++
..................................++
e is 65537 (0x10001)
Signature ok
subject=/CN=10.9.102.61
Getting CA Private Key
Generating RSA private key, 4096 bit long modulus
.......................................................................................................................................++
.................................................................................++
e is 65537 (0x10001)
Signature ok
subject=/CN=client
Getting CA Private Key
证书生成完成
客户端使用文件：key.pem ca.pem cert.pem
Docker 端使用文件：ca.pem server-cert.pem server-key.pem
Docker 推荐配置内容：-H tcp://0.0.0.0:2375 --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem

脚本内容如下：

#!/bin/bash
#
# -------------------------------------------------------------
# 自动创建 Docker TLS 证书
# wget https://gitee.com/dromara/Jpom/raw/master/script/docker-tls.sh
# curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
# systemctl daemon-reload && systemctl restart docker
# -------------------------------------------------------------
# 以下是配置信息
# --[BEGIN]------------------------------
NOW_PATH=$(cd "$(dirname "$0")" || exitpwd
)"/"
echo "当前目录：${NOW_PATH} 证书文件将保存在此文件夹下"
read -p "请输入证书使用的 IP 地址或者 HOST: " HOST
#
echo "您输入的是：${HOST} 证书只能在这个 IP 或者 HOST 下使用,证书密码和输入的一致"
# --[INIT PARAMETER]------------------------------
PASSWORD="$HOST"
COUNTRY="CN"
STATE="$HOST"
CITY="$HOST"
ORGANIZATION="$HOST"
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$HOST"
EMAIL="$HOST@docker-tls.com"
# --[END]--
# Generate CA key
openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "ca-key.pem" 4096
# Generate CA
openssl req -new -x509 -days 365 -key "ca-key.pem" -sha256 -out "ca.pem" -passin "pass:$PASSWORD" -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"
# Generate Server key
openssl genrsa -out "server-key.pem" 4096
# Generate Server Certs.
openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key.pem" -out server.csr
rm -f extfile.cnf
echo "subjectAltName = DNS.1:$HOST,IP.1:127.0.0.1,IP.2:$HOST" >>extfile.cnf
echo "extendedKeyUsage = serverAuth" >>extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -passin "pass:$PASSWORD" -CA "ca.pem" -CAkey "ca-key.pem" -CAcreateserial -out "server-cert.pem" -extfile extfile.cnf
# Generate Client Certs.
rm -f extfile.cnf
openssl genrsa -out "key.pem" 4096
openssl req -subj '/CN=client' -new -key "key.pem" -out client.csr
echo "extendedKeyUsage = clientAuth" >>extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -passin "pass:$PASSWORD" -CA "ca.pem" -CAkey "ca-key.pem" -CAcreateserial -out "cert.pem" -extfile extfile.cnf
rm -f client.csr server.csr ca.srl extfile.cnf# check
if [ -f "${NOW_PATH}key.pem" -a -f "${NOW_PATH}ca.pem" -a -f "${NOW_PATH}ca-key.pem" -a -f "${NOW_PATH}server-cert.pem" -a -f "${NOW_PATH}server-key.pem" ]; thenecho "证书生成完成"echo "客户端使用文件：key.pem ca.pem cert.pem"echo "Docker 端使用文件：ca.pem server-cert.pem server-key.pem"echo "Docker 推荐配置内容：-H tcp://0.0.0.0:2375 --tlsverify --tlscacert=${NOW_PATH}ca.pem --tlscert=${NOW_PATH}server-cert.pem --tlskey=${NOW_PATH}server-key.pem"
elseecho "证书生成不完成,请检查配置和根据错误日志排查"
fi

执行此脚本会提升让输入IP，此IP为你开启远程docker权限的IP，被管理的远程docker的IP

脚本执行结果如下

修改swarm manage节点的docker daemon配置，重启开启远程服务

# vim /usr/lib/systemd/system/docker.service
...
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375 --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem
...# 推出保存，重启dokcer
systemctl daemon-reload
systemctl restart docker 

 回到Portainer页面添加环境

 选择API的方式，输入swarm manage节点的ip和证书信息

 添加完成之后如下所示

 选择Stacks，Web Editer方式输入docker-compose内容

version: '3'
services:# Redis 主节点redis-master:image: swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/redis:5.0.14ports:- "6379:6379"command: redis-server --requirepass aTPTF6An*jX5volumes:- redis-master-data:/datadeploy:replicas: 1placement:constraints:- node.hostname == park2-0007.novalocalrestart_policy:condition: on-failurenetworks:- swarm-overlay# Redis 从节点 1redis-slave:image: swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/redis:5.0.14ports:- "6380:6379"  # 修改为不同的宿主机端口command: redis-server --slaveof redis-master 6379 --requirepass aTPTF6An*jX5 --masterauth aTPTF6An*jX5volumes:- redis-slave-data:/datadeploy:replicas: 1placement:constraints:- node.hostname == park2-0008.novalocalrestart_policy:condition: on-failurenetworks:- swarm-overlayvolumes:redis-master-data:driver: localredis-slave-data:driver: localnetworks:swarm-overlay:driver: overlay    

部署验证

# 连接到主节点
redis-cli -h <主节点 IP> -p 6379 -a aTPTF6An*jX5# 设置键值对
set mykey "Hello, Redis!"# 连接到从节点
redis-cli -h <从节点 IP> -p 6380 -a aTPTF6An*jX5# 获取键值对
get mykey