Dockers¶
Install¶
可以使用别的安装方式,但是最简单的还是 清华的安装链接
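# Install Docker Engine with the official convenience script; the script
# honours DOWNLOAD_URL, so packages come from the Tsinghua mirror.
export DOWNLOAD_URL="https://mirrors.tuna.tsinghua.edu.cn/docker-ce"
# Piping a remote script straight into sh executes whatever the server sends
# (and a truncated download). The download-then-run form further below lets
# you read the script before running it.
curl -fsSL https://get.docker.com/ | sh
# -f makes curl fail on an HTTP error instead of saving the error page as the
# docker-compose binary and marking it executable. The asset name is fixed to
# x86_64; choose the matching release asset on other architectures.
curl -fSL https://github.com/docker/compose/releases/latest/download/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose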
可以使用别的安装方式,但是最简单的还是先下载安装脚本再执行:
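# Download the install script first so it can be inspected (e.g. `less
# install-docker.sh`) before it is executed.
curl -fsSL https://get.docker.com -o install-docker.sh
sh install-docker.sh
# -f: fail on an HTTP error rather than writing the error page into the
# binary that is then chmod'ed executable. Asset name is x86_64-specific.
curl -fSL https://github.com/docker/compose/releases/latest/download/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose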
我尝试过 Docker Desktop,只能说体验很差,经常死机。改用了 OrbStack 之后,世界一下就变美好了。
Windows
Install docker-compose¶
refer to https://docs.docker.com/compose/install/standalone/
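# -f: a 404 or other HTTP error aborts instead of producing a bogus "binary".
# Asset name is x86_64-specific; pick the matching one for other CPUs.
curl -fSL https://github.com/docker/compose/releases/latest/download/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose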
Miscellaneous¶
Proxy Settings¶
这个问题在 SJTUG(上海交通大学 Linux 用户组)发布公告称已下架 Docker Hub 镜像 后更加致命, 再看了 如何为终端、docker 和容器设置代理 | Moralok 的博客描述后,感觉有了以下认识:
按照文档说明,如果你想要在 docker-compose up 或者 docker build 的时候使用 proxy,配置方式如下。
see Docker daemon configuration
see Configure daemon with systemd
具体来说就是
编辑 /etc/docker/daemon.json
{
"default-address-pools": [
{
"base": "172.28.0.0/16",
"size": 24
}
],
"proxies": {
"http-proxy": "http://xxx",
"https-proxy": "http://xxx",
"no-proxy": "*.cn,*.edu.cn,127.0.0.0/8,172.0.0.0/8,10.0.0.0/8"
}
}
如果你想要容器跑在 proxy 下面(这里的意思是容器内部的网络请求走 proxy):
see Configure Docker to use a proxy server
编辑 ~/.docker/config.json
文件
{
"proxies": {
"default": {
"httpProxy": "http://xxx",
"httpsProxy": "http://xxx",
"noProxy": "*.cn,*.edu.cn,127.0.0.0/8,172.0.0.0/8,10.0.0.8/8"
}
}
}
Docker-composes¶
关于docker-compose,我个人是更支持的,因为不用每次都从头跑docker命令,很多时候还会忘记,写一个 run_docker.sh
也没必要,还不如直接写 docker-compose up -d --build
多么简单方便。
可以考虑从 fatedier/frp 这个页面查看当前的版本号和OS操作系统的名字。 例如,
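# Release number and platform suffix exactly as they appear in the asset name
# on the frp releases page (e.g. frp_0.49.0_linux_arm64.tar.gz).
ENV FRP_VERSION=0.49.0
ENV OS=linux_arm64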
frp¶
frp 主要包括客户端的 frpc 和服务端的 frps,它主要是实现内网穿透的工具。这里是它的项目链接 frp/github
虽然有一些frp的docker, 但是有时候更新不是很及时。所以自己写了一个简单的,查看如下。
frpc¶
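# -f: fail on an HTTP error instead of saving the error page under the file name.
curl -fOL https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/frp/frpc/Dockerfile
curl -fOL https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/frp/frpc/docker-compose.yml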
Dockerfile
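# Minimal frpc (frp client) image built from the upstream GitHub release.
# FRP_VERSION / OS must match an asset name on the frp releases page.
FROM alpine:latest
ENV FRP_VERSION=0.49.0
ENV OS=linux_arm64
# --no-cache fetches a fresh index and keeps it out of the layer, which makes
# a separate `apk update` unnecessary.
RUN apk add --no-cache curl
# -f makes curl fail on an HTTP error instead of saving the error page as the
# tarball. TODO(review): verify the archive against the checksum file
# published with the release (<RELEASE_CHECKSUM_FILE>) before extracting.
RUN cd /root \
 && curl -fOL "https://github.com/fatedier/frp/releases/download/v${FRP_VERSION}/frp_${FRP_VERSION}_${OS}.tar.gz" \
 && tar zxf "frp_${FRP_VERSION}_${OS}.tar.gz" \
 && cp "frp_${FRP_VERSION}_${OS}/frpc" /usr/bin/ \
 && rm -rf "frp_${FRP_VERSION}_${OS}.tar.gz" "frp_${FRP_VERSION}_${OS}/"
# Exec form: frpc is PID 1 and receives SIGTERM from `docker stop` directly;
# the shell form wraps it in /bin/sh, which does not forward the signal.
ENTRYPOINT ["/usr/bin/frpc", "-c", "/etc/frp/frpc.ini"]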
docker-compose.yml
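version: "3"
services:
  frpc:
    image: my-frpc
    build:
      context: .
    # Host networking — presumably so frpc can forward services bound to the
    # host's own interfaces/loopback.
    network_mode: host
    volumes:
      # frpc.ini holds the server token; frpc only reads it, so mount read-only.
      - ./frpc.ini:/etc/frp/frpc.ini:ro
    restart: unless-stopped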
frps¶
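# -f: fail on an HTTP error instead of saving the error page under the file name.
curl -fOL https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/frp/frps/Dockerfile
curl -fOL https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/frp/frps/docker-compose.yml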
Dockerfile
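# Minimal frps (frp server) image built from the upstream GitHub release.
# NOTE(review): this pins 0.45.0 while the frpc image above pins 0.49.0 —
# confirm the two releases interoperate, or keep them on the same version.
FROM alpine:latest
ENV FRP_VERSION=0.45.0
ENV OS=linux_arm64
# --no-cache fetches a fresh index and keeps it out of the layer.
RUN apk add --no-cache curl
# -f: fail on an HTTP error rather than extracting an error page.
# TODO(review): verify the archive against the release's checksum file
# (<RELEASE_CHECKSUM_FILE>) before extracting.
RUN cd /root \
 && curl -fOL "https://github.com/fatedier/frp/releases/download/v${FRP_VERSION}/frp_${FRP_VERSION}_${OS}.tar.gz" \
 && tar zxf "frp_${FRP_VERSION}_${OS}.tar.gz" \
 && cp "frp_${FRP_VERSION}_${OS}/frps" /usr/bin/ \
 && rm -rf "frp_${FRP_VERSION}_${OS}.tar.gz" "frp_${FRP_VERSION}_${OS}/"
# Exec form so frps runs as PID 1 and gets SIGTERM on `docker stop`.
ENTRYPOINT ["/usr/bin/frps", "-c", "/etc/frp/frps.ini"]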
docker-compose.yml
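version: "3"
services:
  frps:
    image: my-frps
    build:
      context: .
    # Host networking: every port frps binds is directly exposed on the host,
    # so keep the host firewall in front of it.
    network_mode: host
    volumes:
      # frps.ini holds the auth token; frps only reads it, so mount read-only.
      - ./frps.ini:/etc/frp/frps.ini:ro
    restart: unless-stopped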
server_status¶
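# -f: fail on an HTTP error instead of saving the error page under the file name.
curl -fOL https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/server_status/Dockerfile
curl -fOL https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/server_status/docker-compose.yml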
Dockerfile
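# Stage 1: run the upstream ServerStatus installer to produce the server
# binary and the static web assets.
FROM ubuntu:bionic-20200112 AS builder
# LABEL replaces the deprecated MAINTAINER instruction.
LABEL maintainer="Stille <stille@ioiox.com>"
ENV VERSION=2.0
WORKDIR /
COPY . /
# status.sh appears to be interactive; the piped answers ("1", empty, "n")
# drive it non-interactively — confirm against the script if it changes.
RUN apt-get update && \
    apt-get -y install wget && \
    /bin/bash -c '/bin/echo -e "1\n\nn\n" | ./status.sh' && \
    cp -rf /web /usr/local/ServerStatus/
# Stage 2: ship only the server and the web directory on top of nginx.
FROM nginx:1.17.8
LABEL maintainer="Stille <stille@ioiox.com>"
COPY --from=builder /usr/local/ServerStatus/server /ServerStatus/server/
COPY --from=builder /usr/local/ServerStatus/web /usr/share/nginx/html/
EXPOSE 80 35601
# `exec` replaces the shell with sergate so it is PID 1 and receives SIGTERM
# on `docker stop`; nginx is daemonised first by its init script.
CMD ["sh", "-c", "/etc/init.d/nginx start && exec /ServerStatus/server/sergate --config=/ServerStatus/server/config.json --web-dir=/usr/share/nginx/html"]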
docker-compose.yml
version: "3"
services:
  server_status:
    image: my-server_status
    build:
      context: .
    volumes:
      # config.json defines the monitored clients and their credentials.
      - ./config.json:/ServerStatus/server/config.json
    ports:
      # Published on all host interfaces; prefix with 127.0.0.1: if only a
      # local reverse proxy should reach the web page.
      - 32011:80
      # Client report port (see EXPOSE 35601 in the Dockerfile).
      - 35601:35601
    restart: unless-stopped
    tty: true
    # Bound log size so the container cannot fill the disk.
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "5"
server_status_rust¶
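# -f: fail on an HTTP error instead of saving the error page under the file name.
curl -fOL https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/server_status_rust/Dockerfile
curl -fOL https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/server_status_rust/docker-compose.yml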
Dockerfile
docker-compose.yml
version: "3"
services:
  stat_server:
    # `latest` is unpinned; pin a tag for reproducible deployments.
    image: idoge/stat_server:latest
    container_name: stat_server
    restart: unless-stopped
    volumes:
      # Share the host's timezone, read-only.
      - /etc/localtime:/etc/localtime:ro
      - ./config.toml:/config.toml
      - ./stats.json:/stats.json
    ports:
      # Both published on every host interface; restrict with a firewall or a
      # 127.0.0.1: prefix if a reverse proxy fronts the web UI.
      - 32012:8080
      - 29394:9394
rathole¶
rathole client¶
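# -f: fail on an HTTP error instead of saving the error page under the file name.
curl -fOL https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/rathole/client/Dockerfile
curl -fOL https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/rathole/client/docker-compose.yml
curl -fOL https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/rathole/client/client.toml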
Dockerfile
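# rathole client image built from the upstream GitHub release (x86_64, glibc).
# TODO(review): `releases/latest` is unpinned — pin a version for reproducible builds.
FROM ubuntu:latest
ENV FILENAME=rathole-x86_64-unknown-linux-gnu.zip
# On Ubuntu `unzip` is a separate package (the `zip` package only ships the
# archiver), so the extraction step needs it explicitly. apt-get is the
# scriptable front end; clearing the lists keeps them out of the layer.
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates curl unzip \
 && rm -rf /var/lib/apt/lists/*
# -f: fail on an HTTP error instead of trying to unzip an error page.
RUN cd /root \
 && curl -fOL "https://github.com/rapiz1/rathole/releases/latest/download/${FILENAME}" \
 && unzip "${FILENAME}" \
 && mv rathole /usr/bin/ \
 && rm "${FILENAME}"
# Exec form so rathole is PID 1 and receives SIGTERM on `docker stop`.
ENTRYPOINT ["/usr/bin/rathole", "/etc/rathole/client.toml"]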
docker-compose.yml
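version: "3"
services:
  rathole-client:
    image: my-rathole
    build:
      context: .
    # Host networking — presumably so the client can reach services bound to
    # the host's loopback (client.toml forwards 127.0.0.1:22).
    network_mode: host
    volumes:
      # client.toml carries the service token; rathole only reads it.
      - ./client.toml:/etc/rathole/client.toml:ro
    restart: unless-stopped
    tty: true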
client.toml
# client.toml
# rathole client side: connects to the server in `remote_addr` and forwards
# each service listed below through that tunnel.
[client]
remote_addr = "myserver.com:2333" # The address of the server. The port must be the same with the port in `server.bind_addr`
# One table per forwarded service; the name (my_nas_ssh) must match the
# entry in the server's server.toml.
[client.services.my_nas_ssh]
# Shared secret with the server; keep this file out of version control.
token = "use_a_secret_that_only_you_know" # Must be the same with the server to pass the validation
local_addr = "127.0.0.1:22" # The address of the service that needs to be forwarded
rathole server¶
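# -f: fail on an HTTP error instead of saving the error page under the file name.
curl -fOL https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/rathole/server/Dockerfile
curl -fOL https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/rathole/server/docker-compose.yml
curl -fOL https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/rathole/server/server.toml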
Dockerfile
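# rathole server image built from the upstream GitHub release (x86_64, musl).
# TODO(review): `releases/latest` is unpinned — pin a version for reproducible builds.
FROM alpine:latest
ENV FILENAME=rathole-x86_64-unknown-linux-musl.zip
# Alpine's busybox already provides `unzip` (the `zip` package does not), so
# curl is the only extra package. --no-cache keeps the index out of the layer.
RUN apk add --no-cache curl
# -f: fail on an HTTP error instead of trying to unzip an error page.
RUN cd /root \
 && curl -fOL "https://github.com/rapiz1/rathole/releases/latest/download/${FILENAME}" \
 && unzip "${FILENAME}" \
 && mv rathole /usr/bin/ \
 && rm "${FILENAME}"
# Exec form so rathole is PID 1 and receives SIGTERM on `docker stop`.
ENTRYPOINT ["/usr/bin/rathole", "/etc/rathole/server.toml"]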
docker-compose.yml
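version: "3"
services:
  rathole-server:
    image: my-rathole
    build:
      context: .
    # Host networking: the bind_addr ports in server.toml (2333, 5202) are
    # opened directly on the host — keep the host firewall in front of them.
    network_mode: host
    volumes:
      # server.toml carries the service token; rathole only reads it.
      - ./server.toml:/etc/rathole/server.toml:ro
    restart: unless-stopped
    tty: true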
server.toml
# server.toml
# rathole server side: accepts client tunnels on `bind_addr` and exposes each
# listed service on its own port.
[server]
bind_addr = "0.0.0.0:2333" # `2333` is the port the server listens on for client connections
[server.services.my_nas_ssh]
# Shared secret with the client; use a long random value and keep this file
# out of version control.
token = "use_a_secret_that_only_you_know" # token used for validation
# 0.0.0.0 publishes the NAS SSH port to every interface of the server; limit
# reachability with the host firewall if only certain networks need it.
bind_addr = "0.0.0.0:5202" # `5202` is the port on which `my_nas_ssh` is exposed to the internet
AdGuardHome¶
这个服务主要是用来改进 DNS 服务:可以去广告,并且通过整合多个上游 DNS 和缓存来加速解析。
一些有用的链接:
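# -f: fail on an HTTP error instead of saving the error page under the file name.
curl -fOL https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/adguradhome/docker-compose.yml
curl -fOL https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/adguradhome/AdGuardHome.yaml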
docker-compose.yml
version: '3.7'
services:
  adguardhome: # service name
    container_name: adguardhome # container name
    # `latest` is unpinned; pin a tag for reproducible deployments.
    image: adguard/adguardhome:latest
    restart: always
    # Host networking is normally needed for DHCP (67/68); in bridge mode the
    # DHCP port mappings below are unlikely to work.
    # network_mode: host
    environment:
      TZ: Asia/Shanghai
    volumes:
      # conf/ holds AdGuardHome.yaml (including the admin password hash).
      - "./conf:/opt/adguardhome/conf"
      - "./data:/opt/adguardhome/work/data"
    ports:
      # DNS published on every host interface: an open resolver if the host
      # is internet-facing — restrict with a firewall or bind to a LAN IP.
      - 53:53/tcp
      - 53:53/udp
      - 84:80/tcp
      # 3000 serves the initial-setup wizard / web UI; after a fresh start
      # whoever reaches it first sets the admin account.
      - 3000:3000/tcp
      - 67:67/udp
      # DHCP is UDP; the tcp mapping on 68 appears to be unnecessary.
      - 68:68/tcp
      - 68:68/udp
      - 444:443/tcp
      - 853:853/tcp
配置文件, 这个可以帮助快速设置一些常见的过滤器, 放在 docker-compose.yml
对应的文件夹下面的 conf
目录下:
AdGuardHome.yaml
# AdGuard Home configuration (schema_version 27). Place it in conf/ next to
# docker-compose.yml before the first start.
http:
  pprof:
    port: 6060
    enabled: false
  # Web UI on every interface of the container; the compose file publishes it.
  address: 0.0.0.0:3000
  session_ttl: 720h
users:
  - name: admin
    # AdGuard Home expects a bcrypt hash here, not the clear-text password —
    # set it through the setup wizard / UI rather than by hand.
    password: xxx
# Lock the login after 5 failed attempts for 15 minutes.
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: zh-cn
theme: auto
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
  # Query log / statistics keep real client IPs while this is false.
  anonymize_client_ip: false
  # Per-client query rate limit — the main guard against abuse of an
  # internet-reachable resolver.
  ratelimit: 20
  ratelimit_whitelist: []
  # Refuse ANY queries (commonly used for amplification).
  refuse_any: true
  # The plaintext upstreams are in rotation with the encrypted ones; remove
  # them if every upstream query should be encrypted.
  upstream_dns:
    - tls://dns.alidns.com
    - https://dns.alidns.com/dns-query
    - 223.5.5.5
    - 119.29.29.29
    - 114.114.114.114
  upstream_dns_file: ""
  # Used only to resolve the host names of the tls:// and https:// upstreams.
  bootstrap_dns:
    - 223.5.5.5
  fallback_dns:
    - 223.5.5.5
    - 119.29.29.29
    - 114.114.114.114
  all_servers: false
  fastest_addr: false
  fastest_timeout: 1s
  # Empty allow/deny lists: any client that can reach port 53 is served.
  allowed_clients: []
  disallowed_clients: []
  # Server-identification names that are refused.
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: false
  # DNSSEC validation is off; upstream answers are accepted as-is.
  enable_dnssec: false
  edns_client_subnet:
    custom_ip: ""
    enabled: false
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams: []
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
# Encryption (DoH/DoT/DoQ and HTTPS for the UI) is disabled; the 443/853
# port mappings in the compose file do nothing until this is enabled.
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 784
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
# Query log is written to disk; it contains client IPs and every queried name.
querylog:
  ignored: []
  interval: 24h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  ignored: []
  interval: 24h
  enabled: true
# Blocklists fetched over HTTPS every filters_update_interval hours.
filters:
  - enabled: true
    url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
    name: AdGuard Simplified Domain Names filter
    id: 1
  - enabled: true
    url: https://adaway.org/hosts.txt
    name: AdAway
    id: 2
  - enabled: true
    url: https://easylist-downloads.adblockplus.org/easyprivacy.txt
    name: easyprivacy隐私
    id: 1633345725
  - enabled: true
    url: https://www.i-dont-care-about-cookies.eu/abp/
    name: I don't care about cookies
    id: 1633345726
  - enabled: true
    url: https://easylist-downloads.adblockplus.org/easylistchina.txt
    name: easylistchina
    id: 1633345727
  - enabled: true
    url: https://raw.githubusercontent.com/cjx82630/cjxlist/master/cjx-annoyance.txt
    name: CJX’s Annoyance List
    id: 1637754807
  - enabled: true
    url: https://easylist-downloads.adblockplus.org/easylist.txt
    name: EasyList
    id: 1698895129
whitelist_filters: []
user_rules: []
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
filtering:
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_services:
    schedule:
      time_zone: Asia/Shanghai
    ids: []
  protection_disabled_until: null
  safe_search:
    enabled: false
    bing: true
    duckduckgo: true
    google: true
    pixabay: true
    yandex: true
    youtube: true
  blocking_mode: default
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  rewrites: []
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  filters_update_interval: 24
  blocked_response_ttl: 10
  filtering_enabled: true
  parental_enabled: false
  safebrowsing_enabled: false
  protection_enabled: true
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log:
  file: ""
  max_backups: 0
  max_size: 100
  max_age: 3
  compress: false
  local_time: false
  verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 27
Aria filebrowser(TODO)¶
这里是 aria2-pro 和 filebrowser 的配置。
docker-compose.yml
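version: "3.8"
services:
  filebrowser:
    image: hurlenko/filebrowser
    # NOTE(review): UID/GID are bash shell variables, not exported environment;
    # Compose only sees them if they are in .env or exported beforehand.
    user: "${UID}:${GID}"
    ports:
      # Published on every host interface; prefix with 127.0.0.1: when a local
      # reverse proxy fronts it.
      - 44443:8080
    volumes:
      - ${PWD}/filebrowser_config:/config
      - ${PWD}/aria2-downloads:/data
      # Certificates and keys are only read; mount read-only.
      - /root/ssl:/ssl:ro
    environment:
      - FB_BASEURL=/filebrowser
    restart: always
  Aria2-Pro:
    container_name: aria2-pro
    image: p3terx/aria2-pro
    environment:
      - PUID=65534
      - PGID=65534
      - UMASK_SET=022
      - RPC_PORT=6800
      - LISTEN_PORT=6888
      - DISK_CACHE=64M
      - IPV6_MODE=true
      - UPDATE_TRACKERS=true
      - CUSTOM_TRACKER_URL=
      - TZ=Asia/Shanghai
      # RPC_SECRET is the credential for the aria2 JSON-RPC endpoint, which
      # host networking below exposes on every interface. It is read from the
      # environment / a .env file next to this compose file instead of being
      # committed here; Compose aborts with the message if it is unset.
      - RPC_SECRET=${ARIA2_RPC_SECRET:?set ARIA2_RPC_SECRET in .env}
      - RPC_SECURE=true
      - RPC_CERTIFICATE=/ssl/us-45.xxx.xxx/us-45.xxx.xxx.cer
      - RPC_PRIVATE_KEY=/ssl/us-45.xxx.xxx/us-45.xxx.xxx.key
    volumes:
      - ${PWD}/aria2-config:/config
      - ${PWD}/aria2-downloads:/downloads
      # Certificates and keys are only read; mount read-only.
      - /root/ssl:/ssl:ro
    # If you use host network mode, then no port mapping is required.
    # This is the easiest way to use IPv6 networks.
    network_mode: host
    # network_mode: bridge
    # ports:
    #   - 6800:6800
    #   - 6888:6888
    #   - 6888:6888/udp
    restart: unless-stopped
    # Since Aria2 will continue to generate logs, limit the log size to 1M to prevent your hard disk from running out of space.
    logging:
      driver: json-file
      options:
        max-size: 1m
  # AriaNg is just a static web page, usually you only need to deploy on a single host.
  AriaNg:
    container_name: ariang
    image: p3terx/ariang
    command: --port 6880 --ipv6
    network_mode: host
    # network_mode: bridge
    # ports:
    #   - 6880:6880
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-size: 1m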
traefik¶
这个服务可以很好配合docker完成不同域名的转发工作,从而替代nginx。
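# -f: fail on an HTTP error instead of saving the error page under the file name.
curl -fOL https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/traefik/docker-compose.yml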
docker-compose.yml
services:
  reverse-proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.11
    # Enables the web UI and tells Traefik to listen to docker
    command:
      # DEBUG is verbose and logs request details; lower it once things work.
      - --log.level=DEBUG
      - --api=true
      # api.insecure serves the dashboard/API without authentication on 8080;
      # tolerable only because that port is published on 127.0.0.1 below.
      - --api.insecure=true
      - --api.dashboard=true
      # With the docker provider every container becomes routable unless it
      # sets traefik.enable=false (or exposedByDefault is turned off).
      - --providers.docker=true
      - --providers.file.directory=/traefik_conf
      - --providers.file.watch=true
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
    ports:
      # The HTTP port
      - "80:80"
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      - "127.0.0.1:8080:8080"
    volumes:
      # Access to the Docker socket is root-equivalent on the host; a
      # compromised Traefik could start arbitrary containers.
      - /var/run/docker.sock:/var/run/docker.sock
      # Dynamic configuration (tls.yml / route.yml) watched by the file provider.
      - ./traefik_conf:/traefik_conf
  whoami:
    # A container that exposes an API to show its IP address
    image: traefik/whoami
    container_name: "whoami"
    # Also published directly on 9999, bypassing the proxy and any middleware;
    # drop this if whoami should only be reachable through Traefik.
    ports:
      - 9999:80
    labels:
      - traefik.enable=true
      - "traefik.http.routers.whoami.rule=Host(`whoami.localhost`)"
      - "traefik.http.routers.whoami.entrypoints=web"
为了配合 authentik 的使用,还需要添加如下 中间件 tls.yml
和 route.yml
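# The compose file mounts ./traefik_conf into the container, so the files
# must land inside that directory — `-OL` alone would leave them in the
# current directory. -f: fail on an HTTP error rather than saving the error page.
mkdir -p traefik_conf
curl -fL -o traefik_conf/tls.yml https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/traefik/traefik_conf/tls.yml
curl -fL -o traefik_conf/route.yml https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/traefik/traefik_conf/route.yml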
route.yml
# Dynamic configuration picked up by Traefik's file provider (/traefik_conf).
# NOTE(review): the page labels this route.yml, but the tls: block matches
# the tls.yml mentioned above — confirm which file each part belongs in.
tls:
  certificates:
    # Paths inside the container; the compose file on this page does not mount
    # /ssl, so add that volume before enabling this.
    - certFile: /ssl/xx/cer.pem
      keyFile: /ssl/xx/key.pem
http:
  middlewares:
    # Forward-auth middleware: the request is first sent to the authentik
    # outpost and only proxied on when it answers 2xx. No router on this page
    # references it; attach it with traefik.http.routers.<name>.middlewares=authentik@file.
    authentik:
      forwardAuth:
        address: http://authentik_server:9000/outpost.goauthentik.io/auth/traefik
        # Forwards the incoming X-Forwarded-* headers to authentik as-is;
        # appropriate only when Traefik is the first proxy clients reach.
        trustForwardHeader: true
        # Headers copied from authentik's response onto the request sent to
        # the backend (identity claims the backend can rely on).
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
prom+grafana (TODO)¶
可视化监控。
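# -f: fail on an HTTP error instead of saving the error page under the file name.
curl -fOL https://raw.githubusercontent.com/hotchilipowder/my_config/main/dockers/prom-grafana/docker-compose.yml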
docker-compose.yml
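version: '3'
volumes:
  prometheus-data:
    driver: local
  grafana-data:
    driver: local
networks:
  default:
    driver: bridge
  # Created by the traefik stack; must exist before this file is brought up.
  traefik_default:
    external: true
services:
  prometheus:
    image: prom/prometheus:latest
    container_name: prometheus
    ports:
      # Loopback only: the Prometheus UI has no authentication of its own.
      - "127.0.0.1:9090:9090"
    volumes:
      - ./prometheus_confs:/etc/prometheus
      - prometheus-data:/prometheus
    restart: unless-stopped
    command:
      - "--config.file=/etc/prometheus/prometheus.yml"
    networks:
      - default
  grafana:
    image: grafana/grafana-oss:latest
    container_name: grafana
    # Not published directly; reached through Traefik on traefik_default.
    # ports:
    #   - "3003:3000"
    volumes:
      - grafana-data:/var/lib/grafana
    restart: unless-stopped
    networks:
      - default
      - traefik_default
    labels:
      - traefik.enable=true
      # `traefik.port` was a Traefik v1 label and is dropped here: the traefik
      # stack on this page runs v2, which takes the backend port from the
      # loadbalancer.server.port label below and may reject the container's
      # whole configuration on an unknown label.
      - traefik.docker.network=traefik_default
      - traefik.http.routers.grafana-http.entrypoints=web
      - traefik.http.routers.grafana-http.rule=Host(`grafana.xxx`)
      - traefik.http.routers.grafana-http.service=grafana
      - traefik.http.routers.grafana-https.entrypoints=websecure
      - traefik.http.routers.grafana-https.rule=Host(`grafana.xxx`)
      - traefik.http.routers.grafana-https.service=grafana
      - traefik.http.routers.grafana-https.tls=true
      - traefik.http.services.grafana.loadbalancer.server.port=3000
  node_exporter:
    image: quay.io/prometheus/node-exporter:latest
    container_name: node_exporter
    command:
      - '--path.rootfs=/host'
    # Host PID namespace plus a read-only view of / give node_exporter the
    # host-level view it reports on.
    pid: host
    restart: unless-stopped
    volumes:
      - '/:/host:ro,rslave'
    networks:
      - default
  cadvisor:
    image: gcr.io/cadvisor/cadvisor:v0.47.2
    container_name: cadvisor
    # Not published; scraped by prometheus on the default network.
    # ports
    #   - "8080:8080"
    volumes:
      - /:/rootfs:ro
      # /var/run contains docker.sock; a read-only bind mount does not stop
      # API calls over the socket, so cadvisor can still talk to the daemon.
      - /var/run:/var/run:ro
      - /sys:/sys:ro
      - /var/lib/docker/:/var/lib/docker:ro
      - /dev/disk/:/dev/disk:ro
    devices:
      - /dev/kmsg
    networks:
      - default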
Build My Docker Dev¶
由于经常要开启一些data science的项目,因此编写了一套自己的 cookie-cutter的模板。请参见: :logo-github: