Docker-compose
See:
- podman-compose
docker-compose.yml
version: "3.7"
services:
  memcached:
    image: memcached:1.5.19-alpine
    container_name: pm-memcached
    ports:
      - "11211"
    networks:
      - backend
    restart: unless-stopped
  php:
    image: acme/app1-www:1.01.02
    container_name: pm-www
    volumes:
      - src:/opt/acme/dir1/app1
      - /mnt/data:/mnt/data
    ports:
      - "8000"
    networks:
      - backend
    restart: unless-stopped
    depends_on:
      - memcached
  httpd:
    image: acme/app1-httpd:1.01.02
    container_name: pm-httpd
    volumes:
      - src:/opt/acme/dir1/app1
      - /var/log/app1:/var/log/app1
    ports:
      - "443:443"
    networks:
      - backend
    restart: unless-stopped
    depends_on:
      - php
networks:
  backend:
    # ipam:
    #   driver: default
    #   config:
    #     - subnet: 192.168.10.0/24
volumes:
  src:

Note: the short form `- "11211"` and `- "8000"` publishes those container ports on a random host port bound to all interfaces. memcached and php only need to be reachable from the other services over the backend network, so those two `ports:` entries can be dropped to keep them off the host.
docker-compose.yml
version: "3.7"
services:
  webapp:
    build:
      context: .
      args:
        - http_proxy=http://192.168.56.1:3128
        - https_proxy=http://192.168.56.1:3128
    network_mode: "host"
docker-compose.yml
version: "3.7"
services:
  webapp:
    image: webapp
    container_name: webapp1
    network_mode: "host"
docker-compose build --no-cache
docker-compose up
Other
volumes:
- "/etc/timezone:/etc/timezone:ro"
- "/etc/localtime:/etc/localtime:ro"
Problem
docker-compose: error while loading shared libraries: libz.so.1: failed to map segment from shared object
# mount -o remount,noexec /tmp
# docker-compose
docker-compose: error while loading shared libraries: libz.so.1: failed to map segment from shared object
Solution
mkdir /plop
chmod 1777 /plop
export TMPDIR=/plop
docker-compose
Make a wrapper
mv /usr/local/bin/docker-compose /usr/local/bin/docker-compose-bin
/usr/local/bin/docker-compose
#! /bin/bash
# Wrapper: the single-file docker-compose binary unpacks its shared libraries
# into $TMPDIR at start-up, which fails when /tmp is mounted noexec.
DIR=$(dirname "$(realpath "$0")")
TMPDIR=/tmp2
if [ ! -d "$TMPDIR" ]
then
  mkdir "$TMPDIR"
  chmod 1777 "$TMPDIR"
fi
export TMPDIR
"${DIR}/docker-compose-bin" "$@"

Note: a world-writable directory on an exec-capable filesystem partly undoes the noexec hardening of /tmp. If only one account runs docker-compose, a directory owned by that account with mode 0700 gives the binary what it needs without reopening that hole to every local user.
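As an added check (not part of the original notes), the following script finds the mount a directory lives on and reports whether it carries noexec, then picks the first usable candidate for TMPDIR; it goes a step beyond the wrapper by deciding instead of hard-coding /tmp2. It assumes the mount table is passed in as text in /proc/mounts format (a constructed sample is embedded so it runs offline).

```shell
#!/bin/sh
# Added example: detect a noexec TMPDIR before running docker-compose.
# Assumption: MOUNTS text is in /proc/mounts format (on a real host use
# "$(cat /proc/mounts)"); the sample below is constructed.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /plop ext4 rw,relatime 0 0'

# mount_options DIR MOUNTS -> option string of the longest mountpoint that
# is a prefix of DIR, i.e. the mount DIR actually lives on.
mount_options() {
  dir=$1
  printf '%s\n' "$2" | awk -v d="$dir" '
    {
      mp = $2
      # exact match, root, or prefix followed by "/" (so /tmp != /tmp2)
      if (d == mp || mp == "/" || index(d, mp "/") == 1) {
        if (length(mp) > best_len) { best_len = length(mp); best = $4 }
      }
    }
    END { print best }'
}

# tmpdir_is_noexec DIR MOUNTS -> exit 0 if DIR sits on a noexec mount
tmpdir_is_noexec() {
  opts=$(mount_options "$1" "$2")
  case ",$opts," in
    *,noexec,*) return 0 ;;
    *) return 1 ;;
  esac
}

# pick_tmpdir MOUNTS CANDIDATE... -> first candidate not on a noexec mount
pick_tmpdir() {
  mounts=$1; shift
  for c in "$@"; do
    if ! tmpdir_is_noexec "$c" "$mounts"; then
      printf '%s\n' "$c"; return 0
    fi
  done
  return 1
}

# Usage: TMPDIR=$(pick_tmpdir "$SAMPLE_MOUNTS" /tmp /plop) docker-compose ...
```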
Docker volume storage
See:
- rclone
- Container Storage Interface (CSI)
NFS
/etc/nfs.conf
[nfsd]
tcp=y
vers2=n
vers3=n
vers4=y
vers4.0=y
vers4.1=y
vers4.2=y
systemctl restart nfs-server.service
exportfs -rav
/etc/exports
/export *(rw,sync,fsid=0,crossmnt,no_subtree_check)
/export/partage *(rw,sync,nohide,insecure,no_subtree_check)

Note: `*` exports the share to every host that can reach the server, and `insecure` accepts requests from non-privileged client ports. Outside a lab, replace `*` with the Docker host's address or subnet.
docker volume create --driver local --opt type=nfs4 --opt o=addr=172.19.0.1,rw --opt device=:/partage data-nfs
docker run -ti -v data-nfs:/data debian /bin/bash
Docker Swarm
General notes
You will need at least three servers or virtual machines with Docker installed.
The network ports required for a Docker Swarm to function correctly are:
- TCP port 2376 for secure Docker client communication. This port is required for Docker Machine to work. Docker Machine is used to orchestrate Docker hosts.
- TCP port 2377. This port is used for communication between the nodes of a Docker Swarm or cluster. It only needs to be opened on manager nodes.
- TCP and UDP port 7946 for communication among nodes (container network discovery).
- UDP port 4789 for overlay network traffic (container ingress networking).
ufw allow 22/tcp
ufw allow 2376/tcp
# Manager only
ufw allow 2377/tcp
ufw allow 7946/tcp
ufw allow 7946/udp
ufw allow 4789/udp
ufw reload
ufw enable
systemctl restart docker
Run docker system info and look for the line Swarm: active.
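As an added check (not from the original notes), this script compares a node's allowed ports against the Swarm port list above, per role: 7946/tcp, 7946/udp and 4789/udp everywhere, 2377/tcp on managers only. It assumes the rules are supplied as "port/proto" lines; the two rule sets below are constructed samples.

```shell
#!/bin/sh
# Added example: verify Swarm firewall openings per node role.
# Assumption: RULES is a list of "port/proto" lines (constructed here).
COMMON_PORTS="7946/tcp 7946/udp 4789/udp"
MANAGER_PORTS="2377/tcp"

# Constructed rule sets: a complete manager and a worker missing 7946/udp.
MANAGER_RULES='22/tcp
2376/tcp
2377/tcp
7946/tcp
7946/udp
4789/udp'
WORKER_RULES='22/tcp
7946/tcp
4789/udp'

# missing_swarm_ports ROLE RULES -> space-separated required ports absent
# from RULES (empty output means the node is complete for its role)
missing_swarm_ports() {
  role=$1; rules=$2
  required=$COMMON_PORTS
  if [ "$role" = manager ]; then
    required="$required $MANAGER_PORTS"
  fi
  missing=""
  for p in $required; do
    if ! printf '%s\n' "$rules" | grep -qx "$p"; then
      missing="$missing $p"
    fi
  done
  printf '%s\n' "${missing# }"
}

# unexpected_manager_port ROLE RULES -> exit 0 when a worker opens 2377/tcp,
# which the notes say only manager nodes should expose
unexpected_manager_port() {
  [ "$1" = worker ] || return 1
  printf '%s\n' "$2" | grep -qx "$MANAGER_PORTS"
}
```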
On the manager
# docker swarm init --advertise-addr 192.168.99.121
docker swarm init
docker swarm join --token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-7p73s1dx5in4tatdymyhg9hu2 192.168.99.121:2377
View node status
docker node ls
https://www.grottedubarbu.fr/introduction-docker-swarm/
$ openstack server create --image "Ubuntu 20.04" --flavor "s1-4" --key-name "MyKey" --net "Ext-Net" --user-data=docker.yaml my-manager
$ openstack server create --image "Ubuntu 20.04" --flavor "s1-4" --key-name "MyKey" --net "Ext-Net" --user-data=docker.yaml my-worker1
$ openstack server create --image "Ubuntu 20.04" --flavor "s1-4" --key-name "MyKey" --net "Ext-Net" --user-data=docker.yaml my-worker2
docker-compose.yaml
version: "3"
services:
  viz:
    image: dockersamples/visualizer
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    ports:
      - "8080:8080"

Note: mounting /var/run/docker.sock hands the visualizer container full control of the Docker daemon on its node, and port 8080 is published on every interface. Keep this on a test cluster or put it behind authentication.
docker stack deploy -c docker-compose.yaml visualizer
To check that your service is running:
docker service ls
docker service ps --no-trunc visualizer
docker service inspect visualizer
Registry
See https://docs.docker.com/engine/swarm/stack-deploy/
docker service create --name registry --publish published=5000,target=5000 registry:2
docker service ls
curl http://localhost:5000/v2/
Test the app with Compose
docker-compose up
docker-compose down --volumes
Push the generated image to the registry
docker-compose push
Uninstall
docker service ls
docker stack rm plop
docker swarm leave --force
Other
docker swarm update --snapshot-interval 10000
systemctl restart docker
Ansible: add a mount option for hardening (loop over ansible_mounts)
- name: add nodev mount option for all LVM mounts except root part
  mount:
    name: '{{ item.mount }}'
    src: '{{ item.device }}'   # UUID not needed when LVM
    state: mounted
    fstype: '{{ item.fstype }}'
    opts: "{{ item.options | regex_replace(',nodev','') }},nodev"   # Fix duplicate
  when: item.options.find("nodev") != -1 and item.device.find("mapper") != -1 and not item.mount in [ "/" ]
  with_items: '{{ ansible_mounts }}'

- name: add nodev mount option for all non-LVM mounts except root part
  mount:
    name: '{{ item.mount }}'
    src: 'UUID={{ item.uuid }}'
    state: mounted
    fstype: '{{ item.fstype }}'
    opts: "{{ item.options | regex_replace(',nodev','') }},nodev"   # Fix duplicate
  when: item.options.find("nodev") != -1 and item.device.find("mapper") == -1 and not item.mount in [ "/" ]
  with_items: '{{ ansible_mounts }}'
or, better still
- name: add nodev mount option for all except root part
  mount:
    name: '{{ item.mount }}'
    # For non-LVM partitions use the UUID, otherwise use the device
    src: "{{ 'UUID=%s' % item.uuid if item.device.find('mapper') == -1 else item.device }}"
    state: present
    fstype: '{{ item.fstype }}'
    opts: "{{ item.options | regex_replace(',nodev','') }},nodev"   # Fix duplicate
  when: item.options is not search("nodev") and not item.mount in [ "/", "/var/tmp" ]
  with_items: '{{ ansible_mounts }}'
  register: nodev_mounts
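As an added example (not part of the original notes or the playbook), the same "add nodev exactly once, skip / and /var/tmp" logic in plain shell, so it can be dry-run against an fstab-style table offline. It also covers the case the Jinja `regex_replace(',nodev','')` does not: a nodev that is the first option (e.g. "nodev,rw") has no leading comma and would not be stripped. The fstab sample is constructed.

```shell
#!/bin/sh
# Added example: idempotent mount-option handling, mirroring the Ansible tasks.
# Constructed /etc/fstab-style sample: device, mountpoint, fstype, options.
SAMPLE_FSTAB='/dev/mapper/vg-root / ext4 defaults 0 1
/dev/mapper/vg-home /home ext4 defaults 0 2
UUID=1111-2222 /boot ext4 nodev,rw 0 2
/dev/mapper/vg-tmp /var/tmp ext4 defaults 0 2
UUID=3333-4444 /data xfs rw,nosuid 0 2'

# add_mount_option OPTS OPT -> OPTS with OPT present exactly once, appended
# at the end; splits on commas so a leading "nodev" is handled too
add_mount_option() {
  out=""
  oldifs=$IFS; IFS=,
  for o in $1; do
    if [ "$o" != "$2" ]; then
      out="${out:+$out,}$o"
    fi
  done
  IFS=$oldifs
  printf '%s\n' "${out:+$out,}$2"
}

# mounts_needing_nodev FSTAB -> "mountpoint<TAB>new options" for each entry
# lacking nodev, skipping / and /var/tmp as the last Ansible task does
mounts_needing_nodev() {
  printf '%s\n' "$1" | while read -r dev mp fstype opts rest; do
    case "$mp" in /|/var/tmp) continue ;; esac
    case ",$opts," in *,nodev,*) continue ;; esac
    printf '%s\t%s\n' "$mp" "$(add_mount_option "$opts" nodev)"
  done
}
```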
Docker nproc: maximum number of processes
Error: java.lang.OutOfMemoryError: unable to create new native thread
systemd/Docker example
The session below shows a limit set with --pids-limit being reset to max once systemd has restarted another unit:
# CTR=`docker run --pids-limit 111 --detach --rm busybox /bin/sleep 8h`
# cat /sys/fs/cgroup/pids/system.slice/docker-${CTR}.scope/pids.max
111
# systemctl show docker-$CTR.scope | grep TasksMax
TasksMax=18446744073709551615
# systemctl disable --now postfix
# systemctl enable --now postfix
# cat /sys/fs/cgroup/pids/system.slice/docker-${CTR}.scope/pids.max
max
Example dockerd daemon configuration
Option --default-pids-limit=-1 (removes the daemon-wide cap; any container started without its own --pids-limit is then bounded only by the host, so set a per-container limit where a fork storm would matter)
/etc/sysconfig/docker
# Modify these options if you want to change the way the docker daemon runs
OPTIONS='--selinux-enabled --log-driver=json-file --signature-verification=false --default-pids-limit=-1'
Diagnostics on OpenShift
# oc debug node/$NODE_NAME
# chroot /host
# cgroup=$(awk -F: '/:pids:/{print $3}' /proc/self/cgroup)
# cat /sys/fs/cgroup/pids/"${cgroup}"/pids.max
4096
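As an added example (not from the original notes), the awk lookup above generalised to both cgroup hierarchies: on cgroup v1 the pids path is the `:pids:` line, on cgroup v2 /proc/self/cgroup holds a single `0::<path>` line and pids.max lives directly under /sys/fs/cgroup/<path>. It assumes the /proc/self/cgroup content is passed in as text; the two samples and the scope name are constructed.

```shell
#!/bin/sh
# Added example: locate pids.max for the current cgroup on v1 or v2.
# Constructed /proc/self/cgroup samples (scope id is a placeholder).
V1_SAMPLE='12:pids:/system.slice/docker-0123abcd.scope
11:memory:/system.slice/docker-0123abcd.scope
1:name=systemd:/system.slice/docker-0123abcd.scope'
V2_SAMPLE='0::/system.slice/docker-0123abcd.scope'

# pids_max_path CGROUP_TEXT -> path of pids.max, or nothing if the pids
# controller cannot be located (on a host: pids_max_path "$(cat /proc/self/cgroup)")
pids_max_path() {
  printf '%s\n' "$1" | awk -F: '
    $2 == "pids" { v1 = $3 }           # cgroup v1: <id>:pids:<path>
    $1 == "0" && $2 == "" { v2 = $3 }  # cgroup v2: 0::<path>
    END {
      if (v1 != "") print "/sys/fs/cgroup/pids" v1 "/pids.max"
      else if (v2 != "") print "/sys/fs/cgroup" v2 "/pids.max"
    }'
}

# pids_limit_is_unbounded VALUE -> exit 0 when the file content means no cap
# ("max" on both hierarchies; the session above shows "max" after the reset)
pids_limit_is_unbounded() {
  [ "$1" = max ]
}
```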
Container creation example
sudo docker create --name bankapp-inst -it \
  --sysctl fs.mqueue.msg_max=10000 \
  --sysctl fs.mqueue.msgsize_max=1049600 \
  --sysctl fs.mqueue.queues_max=10000 \
  --ulimit msgqueue=-1 \
  --ulimit nproc=256:512 \
  bankapp
