Ideally we would install exactly one package on a physical node, but in practice the service we ship has to coexist with other components, and we cannot assume what is or is not present on a customer's machine. That is why the package managers every Linux distribution takes such pride in turn into a thorough nightmare when it comes to production deployment. The same obviously holds for the container runtime: if a product uses the distribution's docker directly, it will sooner or later conflict with other components (which may need a customized build, or pin a specific version), so repackaging it, or simply shipping the static executables, becomes especially important.
docker/podman
Thanks to Go's static linking, docker genuinely works out of the box: the static tarball contains everything the daemon and the client need. The only host-side preparation is a docker group that lets an unprivileged user reach the daemon socket:
$ sudo groupadd docker
$ sudo gpasswd -a runsisi docker
Adding user runsisi to group docker
Note that group membership only takes effect after logging out of the current session and back in. Also be aware of what this grants: the daemon runs as root, and anyone who can talk to its socket can start a container with the host filesystem bind-mounted, so adding a user to the docker group is equivalent to giving that user root on the host.
Download the static tarball (this post uses 19.03.2) and unpack it. Since the contents will be run as root, compare the archive's sha256 against a value obtained out of band before going any further:
$ wget https://download.docker.com/linux/static/stable/x86_64/docker-19.03.2.tgz
$ tar xvzf docker-19.03.2.tgz
$ sudo su
# export PATH=$PWD/docker:$PATH
# ./dockerd -D
dockerd stays in the foreground (-D turns on debug logging), so the client commands go in a second terminal, as the unprivileged user that was added to the docker group:
$ export PATH=$PWD/docker:$PATH
$ docker info
$ docker pull alpine
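The same install as a script, added here as an example and not part of the original post. It adds the two checks a deployment script should not skip: the tarball is only unpacked if its sha256 matches a digest supplied by the caller (the post publishes no digest, so where that value comes from is an assumption), and membership of the docker group is checked explicitly since that group is root-equivalent on the host. Function names, the install prefix, and the usage line are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: install the static docker
# tarball with two checks the interactive session above leaves out.
#   1. The archive is verified against a sha256 digest obtained out of band
#      (the post gives none; the digest is an input here, an assumption).
#   2. Membership of the "docker" group is checked explicitly, because that
#      group is root-equivalent: anyone who can reach the daemon socket can
#      start a container with / bind-mounted.
# Function names are this example's own.
set -eu

# Return 0 if the file's sha256 matches the expected hex digest, 1 otherwise.
verify_sha256() {
    local archive=$1 expected=$2 actual
    [ -f "$archive" ] || return 1
    actual=$(sha256sum "$archive" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Unpack the tarball's docker/ directory under $prefix (binaries land in
# $prefix/docker), refusing to touch the filesystem unless the digest matches.
install_docker_static() {
    local archive=$1 expected=$2 prefix=$3
    if ! verify_sha256 "$archive" "$expected"; then
        echo "refusing to unpack $archive: sha256 mismatch" >&2
        return 1
    fi
    mkdir -p "$prefix"
    tar -xzf "$archive" -C "$prefix"
    echo "installed to $prefix/docker; put it on PATH for root and for users" >&2
}

# Return 0 if user $1 is already in the docker group, i.e. can use the
# socket without sudo and is therefore effectively root on this host.
in_docker_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx docker
}

# Usage: ./install-docker.sh docker-19.03.2.tgz <sha256> /opt
# With no arguments the script only defines the functions above.
if [ $# -eq 3 ]; then
    install_docker_static "$1" "$2" "$3"
    if ! in_docker_group "$(id -un)"; then
        echo "note: $(id -un) is not in the docker group; use sudo or gpasswd -a" >&2
    fi
fi
```

After a successful install, start the daemon as root from `$prefix/docker/dockerd` exactly as in the session above; the client in the second terminal only needs `$prefix/docker` on its PATH.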
systemd-nspawn
Of course, if an even simpler way to create containers is needed, systemd-nspawn does the job and integrates better with systemd services. Because a docker/podman container can be exported as exactly the root directory tree that systemd-nspawn needs, this is lighter than running docker/podman itself and, in some scenarios, a better fit.
Export a docker container
$ docker create --name centos7.4 centos:7.4.1708
a03a759311555813f43f3a352130f680f644abcf7156700cca63f3d8142d7ad5
$ docker export centos7.4 -o centos7.4.tar
$ docker rm centos7.4
centos7.4
$ ll -h centos7.4.tar
-rw------- 1 runsisi runsisi 196M Nov 26 10:36 centos7.4.tar
Create a systemd-nspawn container
$ mkdir centos7.4
$ tar -C centos7.4/ -xvf centos7.4.tar
$ sudo systemd-nspawn -D centos7.4/
Spawning container centos7.4 on /home/runsisi/centos7.4.
Press ^] three times within 1s to kill container.
[root@centos7 ~]# passwd
Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
## Delete /etc/securetty, or add pts/[0-9]* entries to it; otherwise root login on the container's pseudo-terminals is refused later
[root@centos7 ~]# rm -f /etc/securetty
[root@centos7 ~]# logout
Container centos7.4 exited successfully.
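The export-and-unpack steps above as one script, added here as an example and not part of the original post. It also does the /etc/securetty change the narrow way: pam_securetty permits root logins only on ttys listed in that file and on every tty if the file is absent, so deleting it (as in the session above) works but lifts the restriction for all ttys, whereas listing the container's pseudo-terminals pts/0 through pts/9 (the post's pts/[0-9]*) is enough for both the -b console and machinectl login. The export function needs a working docker and is not run without arguments; the securetty helper runs on any directory. Function names and the usage lines are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: flatten a docker image into a
# systemd-nspawn root tree and allow root login on its pseudo-terminals by
# listing them in /etc/securetty rather than deleting the file.
# Function names are this example's own.
set -eu

# Add pts/0 .. pts/$max to <rootfs>/etc/securetty, skipping entries already
# present, so the function is safe to run repeatedly. A missing file means
# pam_securetty already allows root on every tty, so there is nothing to do.
allow_root_on_pts() {
    local rootfs=$1 max=${2:-9} f n
    f="$rootfs/etc/securetty"
    [ -f "$f" ] || return 0
    n=0
    while [ "$n" -le "$max" ]; do
        grep -qx "pts/$n" "$f" || echo "pts/$n" >> "$f"
        n=$((n + 1))
    done
}

# Number of pts/* entries in <rootfs>/etc/securetty (0 if none).
pts_entries() {
    grep -c '^pts/' "$1/etc/securetty" || true
}

# Flatten <image> into <rootfs>: create a throwaway container, stream its
# filesystem out with docker export, unpack it, and remove the container.
# Needs a working docker; not exercised when the script has no arguments.
export_rootfs() {
    local image=$1 rootfs=$2 cid
    mkdir -p "$rootfs"
    cid=$(docker create "$image")
    docker export "$cid" | tar -C "$rootfs" -xf -
    docker rm "$cid" >/dev/null
    allow_root_on_pts "$rootfs"
}

# Usage: ./mkrootfs.sh centos:7.4.1708 ./centos7.4
# Then:  sudo systemd-nspawn -D ./centos7.4 passwd   (set the root password)
#        sudo systemd-nspawn -b -D ./centos7.4       (boot it)
if [ $# -eq 2 ]; then
    export_rootfs "$1" "$2"
fi
```

Unlike `rm -f /etc/securetty`, this keeps whatever the image already lists (console, tty1, ...) and can be re-run on an updated tree without producing duplicate lines.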
$ machinectl list
No machines.
$ sudo systemd-nspawn -b -D centos7.4/
Spawning container centos7.4 on /home/runsisi/centos7.4.
Press ^] three times within 1s to kill container.
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization systemd-nspawn.
Detected architecture x86-64.
Welcome to CentOS Linux 7 (Core)!
Initializing machine ID from container UUID.
...
CentOS Linux 7 (Core)
Kernel 5.4.0-52-generic on an x86_64
centos7 login: root
Password:
Last login: Thu Nov 26 10:59:00 on pts/0
## Press ctrl + ] three times to kill the running container
[root@centos7 ~]#
Container centos7.4 terminated by signal KILL.
$ machinectl status centos7.4
centos7.4(544cad3a92264c82b07a2846a04bb0bb)
           Since: Thu 2020-11-26 11:11:59 CST; 3h 47min ago
          Leader: 2258548 (systemd)
         Service: systemd-nspawn; class container
            Root: /home/runsisi/centos7.4
              OS: CentOS Linux 7 (Core)
            Unit: machine-centos7.4.scope
                  └─payload
                    ├─2258548 /usr/lib/systemd/systemd
                    ├─2258583 /usr/lib/systemd/systemd-journald
                    ├─2258593 /usr/lib/systemd/systemd-logind
                    ├─2258594 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
                    ├─2258596 login -- root
                    └─2258743 -bash
$ sudo machinectl login centos7.4
Connected to machine centos7.4. Press ^] three times within 1s to exit session.
CentOS Linux 7 (Core)
Kernel 5.4.0-52-generic on an x86_64
centos7 login: root
Password:
Last login: Thu Nov 26 14:55:07 on pts/1
For the details, see Running containers and OS images with systemd-nspawn.
References
Install Docker Engine - Community from binaries
https://docs.docker.com/install/linux/docker-ce/binaries/
Install docker from binary distribution
http://weng-blog.com/2017/02/docker-binary-install/
How can I use docker without sudo?
https://askubuntu.com/questions/477551/how-can-i-use-docker-without-sudo
rhel7 k3s start not working with containerd - failed to find snapshotter overlayfs
https://github.com/rancher/k3s/issues/495
Use the OverlayFS storage driver
https://docs.docker.com/storage/storagedriver/overlayfs-driver/
Container root “Login incorrect” when run from ‘/usr/lib/systemd/system/systemd-nspawn@.service’
https://github.com/systemd/systemd/issues/852
Effect of entries in /etc/securetty
https://unix.stackexchange.com/questions/41840/effect-of-entries-in-etc-securetty
Last modified 2019-09-12