Docker Swarm
# Installation RHEL
# yum-config-manager comes from yum-utils; the HashiCorp repo provides the vagrant package
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
sudo yum -y install vagrant
# Hypervisor for the debian/bookworm64 boxes used below. No VirtualBox repository is
# added on this page, so this presumes one is already configured. Note the missing -y:
# unlike the three commands above, this one prompts for confirmation.
sudo yum install VirtualBox-7.0
## Créer la configuration de la première machine (dans un dossier e.g. vm1)
# Writes a Vagrantfile for the debian/bookworm64 box into the current directory (vm1)
vagrant init debian/bookworm64
## Configure network (configurer le réseau)
# Edit the generated Vagrantfile to add the private_network line shown just below
nano ./Vagrantfile
# ajouter la ligne suivante dans la configuration
=> config.vm.network "private_network", ip: "192.168.56.10"
## Démarrer la VM
# Creates and boots the VM described by ./Vagrantfile (the box is downloaded on first use)
vagrant up
## Créer la configuration de la deuxième machine (dans un dossier e.g. vm2)
# Same box for the second machine; run this inside its own directory (vm2)
vagrant init debian/bookworm64
## Configure network (configurer le réseau)
# Edit the second Vagrantfile; the private_network IP below must differ from vm1's
nano ./Vagrantfile
# ajouter la ligne suivante dans la configuration
=> config.vm.network "private_network", ip: "192.168.56.11"
## Démarrer la VM
# Boots the second VM; both machines then share the 192.168.56.0/24 private network
vagrant up
## Connexion à la machine (depuis le répertoire de la machine)
# Opens an SSH session into the VM of the current directory with the key vagrant generated
vagrant ssh
## Destruction d'une machine
# Stops and deletes the VM of the current directory; asks for confirmation unless -f is given
vagrant destroy
## Installation Docker
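# curl is needed to fetch the Docker convenience installer
sudo apt install curl
# Download the installer to a file instead of piping it straight into a root shell:
# -f makes curl fail on an HTTP error (so an error page is never executed as root),
# -sS keeps it quiet except for errors, -L follows redirects. Read the script before
# running it with root privileges.
curl -fsSL https://get.docker.com -o get-docker.sh
less get-docker.sh
sudo bash get-docker.sh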
## Master
# Makes this node the first manager of a new swarm and prints the `docker swarm join`
# command (with its token) for the workers. On a VM with several interfaces, such as
# the Vagrant boxes above (NAT plus the 192.168.56.x private network), docker cannot
# choose the address to advertise and this fails unless --advertise-addr <ip> is
# given; use the private-network IP so the workers can reach it.
docker swarm init
## option : --advertise-addr <ip> (adresse annoncée aux autres nœuds)
## Worker
# Run on each worker with the token and manager IP printed by `docker swarm init`;
# the token grants membership of the swarm, so treat it as a secret
docker swarm join --token <token> <ip_master>
## Passer un nœud en maître (manager)
# Run from a manager: turns the named node (see `docker node ls`) from worker into manager
docker node promote <noeud>
Config Seccomp (exemple minimal : seuls read, write, exit et sigreturn sont autorisés)
{
"defaultAction": "SCMP_ACT_ERRNO",
"syscalls": [
{
"names": ["read", "write", "exit", "sigreturn"],
"action": "SCMP_ACT_ALLOW"
}
]
}
Config AppArmor
#include <tunables/global>
# Container profile: load it with apparmor_parser and attach it to a container with
# `--security-opt apparmor=docker-nginx-profile`. AppArmor denies whatever a profile
# does not grant, so this container keeps only the two capabilities below and has no
# file rules at all; the flags are the ones Docker's default profile uses.
profile docker-nginx-profile flags=(attach_disconnected,mediate_deleted) {
  # Bind ports below 1024, and change UID (e.g. to drop privileges after start-up)
  capability net_bind_service,
  capability setuid,
  # Refuses every IPv4 socket. NOTE(review): an nginx that must answer over IPv4 cannot
  # work under this rule; presumably intentional for the exercise — confirm.
  deny network inet,
}
Config Prometheus
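global:
  # Pull metrics from every target every 15 s
  scrape_interval: 15s
scrape_configs:
  # Container metrics from the cAdvisor container started below. The name
  # `cadvisor:8080` resolves only if Prometheus shares a user-defined Docker
  # network with that container.
  - job_name: 'cadvisor'
    static_configs:
      - targets: ['cadvisor:8080']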
cAdvisor run
# Runs cAdvisor with read-only views of the host root, /var/run, /sys, the Docker data
# directory and the disks, and publishes its UI/metrics on host port 8080.
# --privileged removes the usual isolation (all capabilities, host devices, no default
# seccomp/AppArmor confinement): a compromise of this container is a compromise of the
# host, so keep the image trusted and up to date. Port 8080 is bound on every interface
# without authentication; --publish=127.0.0.1:8080:8080 is enough when only a local
# Prometheus scrapes it. No --network is given, so the `cadvisor:8080` target in the
# Prometheus config above only resolves once both share a user-defined network.
# No image tag is given either, so this pulls whatever `latest` is at the time; pin a
# release (gcr.io/cadvisor/cadvisor:<version>) for reproducibility.
sudo docker run \
  --volume=/:/rootfs:ro \
  --volume=/var/run:/var/run:ro \
  --volume=/sys:/sys:ro \
  --volume=/var/lib/docker/:/var/lib/docker:ro \
  --volume=/dev/disk/:/dev/disk:ro \
  --publish=8080:8080 \
  --detach=true \
  --name=cadvisor \
  --privileged \
  --device=/dev/kmsg \
  gcr.io/cadvisor/cadvisor
Docker Daemon Config
{
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "3"
}
}
Logstash.conf
input {
  # Tail every container log written by the json-file driver (see the daemon config
  # above). These files are root-owned, which is why the logstash container below
  # runs with --user=root.
  file {
    path => "/var/lib/docker/containers/*/*.log"
    start_position => "beginning"
    # No read-position bookkeeping: each restart re-reads every file from the start,
    # so the same events are indexed again. Acceptable for a demo; use a persistent
    # sincedb path otherwise.
    sincedb_path => "/dev/null"
  }
}
filter {
  # Each json-file line is a JSON object with log/stream/time fields; this lifts
  # them to top-level fields of the event
  json {
    source => "message"
  }
}
output {
  # One index per day. The hostname `elasticsearch` resolves through the shared
  # `logs` Docker network created in the run commands below.
  elasticsearch {
    hosts => ["http://elasticsearch:9200"]
    index => "docker-logs-%{+YYYY.MM.dd}"
  }
}
Logstash & Kibana run
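# Logstash tails the host's container logs (root-owned, hence --user=root) with the
# pipeline above. "$(pwd)" is quoted so a working directory containing spaces does not
# split the -v argument. Port 5000 is published although the pipeline above defines no
# tcp/udp input, so nothing in it listens there; drop the -p or add an input.
docker run -d --name logstash -p 5000:5000 \
  --user=root \
  -v "$(pwd)/logstash.conf:/usr/share/logstash/pipeline/logstash.conf" \
  -v /var/lib/docker/containers:/var/lib/docker/containers:ro \
  logstash:7.9.3
# `elastic:7.9.3` is not a Docker Hub library image; the official one is named
# `elasticsearch`, matching the `logstash`/`kibana` names used here. Elasticsearch 7.x
# runs without authentication by default, so the port is bound to loopback only:
# logstash and kibana reach it through the `logs` network, not the published port.
docker run -d --name elasticsearch -p 127.0.0.1:9200:9200 -e "discovery.type=single-node" elasticsearch:7.9.3
docker run -d --name kibana \
  -p 5601:5601 \
  -e "ELASTICSEARCH_HOSTS=http://elasticsearch:9200" \
  kibana:7.9.3
# A user-defined network gives the three containers DNS names for each other
# (`elasticsearch:9200` in logstash.conf and in ELASTICSEARCH_HOSTS above)
docker network create logs
docker network connect logs logstash
docker network connect logs elasticsearch
docker network connect logs kibana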
Dockerfile (multi-stage build)
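# syntax=docker/dockerfile:1
# Stage 1: compile a small Go program written inline with a BuildKit heredoc
# (the syntax line above selects a Dockerfile frontend that supports heredocs).
FROM golang:1.23 AS build
WORKDIR /src
COPY <<EOF ./main.go
package main
import "fmt"
func main() {
fmt.Println("hello, world")
}
EOF
# CGO_ENABLED=0 forces a statically linked binary: the final stage is `scratch`,
# which has no libc for a dynamically linked binary to load.
RUN CGO_ENABLED=0 go build -o /bin/hello ./main.go

# Stage 2: ship only the binary — no shell, no package manager, nothing else to abuse
FROM scratch
COPY --from=build /bin/hello /bin/hello
CMD ["/bin/hello"]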
Modifier / Créer le fichier /etc/docker/daemon.json
{
"builder": {
"gc": {
"defaultKeepStorage": "20GB",
"enabled": true
}
},
"debug": true,
"experimental": true
}
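# Reload the daemon so the daemon.json changes above take effect (root is needed, as
# for the other docker commands on this page). Remember that "debug": true makes the
# daemon log verbosely; turn it off again once the build setup works.
sudo systemctl restart docker
# Multi-platform builds need a docker-container builder: create it once, then select it
docker buildx create --name mybuilder
docker buildx use mybuilder
# With that builder the result only stays in the build cache unless an output is
# requested: --push sends the multi-arch manifest to the registry named in -t.
# --load would only work for a single platform with the classic image store.
docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 -t <registry>/<image>:<tag> --push .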
Monitoring avec Portainer
# Persistent storage for Portainer's own database (users, endpoints)
docker volume create portainer_data
# Portainer manages the host through the mounted Docker socket, so anyone who can log
# in to it (or reach the socket from inside the container) is effectively root on the
# host: protect the admin account and do not expose 9443 beyond the admin network.
# 9443 is the HTTPS UI, 8000 the tunnel for Edge agents (drop it if none are used).
# --restart=always brings it back after reboots and failures; the tag is pinned.
docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:2.21.5
Interface web : https://localhost:9443
Docker Compose wordpress
Créer le fichier docker-compose.yaml
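services:
  db:
    image: mariadb:10.6.4-focal
    # NOTE(review): this is a MySQL server option; check how this MariaDB version
    # treats it (ignored with a warning vs. refused) before relying on it.
    command: '--default-authentication-plugin=mysql_native_password'
    volumes:
      - db_data:/var/lib/mysql
    restart: always
    # Credentials can be overridden from the environment or a .env file; the defaults
    # reproduce the original values and are demo-only secrets — never reuse them.
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:-somewordpress}
      - MYSQL_DATABASE=wordpress
      - MYSQL_USER=wordpress
      - MYSQL_PASSWORD=${MYSQL_PASSWORD:-wordpress}
    # Reachable by the other services only; nothing is published on the host
    expose:
      - 3306
      - 33060
  wordpress:
    # Floating tag: pin a version for reproducible deployments
    image: wordpress:latest
    ports:
      # Quoted so YAML cannot read host:container as a base-60 number. Bound on all
      # host interfaces; use "127.0.0.1:80:80" when a reverse proxy sits in front.
      - "80:80"
    restart: always
    environment:
      - WORDPRESS_DB_HOST=db
      - WORDPRESS_DB_USER=wordpress
      # Must equal MYSQL_PASSWORD above, hence the same variable
      - WORDPRESS_DB_PASSWORD=${MYSQL_PASSWORD:-wordpress}
      - WORDPRESS_DB_NAME=wordpress
volumes:
  db_data: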
Vlan in Docker
Exemple d'usage
# ipvlan in L2 mode puts containers directly on the parent interface's LAN: they get
# addresses from 192.168.1.0/24 with no NAT, are reachable from the LAN like ordinary
# hosts, and use the physical router as gateway. `eth0` must be the host NIC attached
# to that LAN (the name differs per host). Docker's IPAM allocates from the whole
# subnet, so presumably --ip-range/--aux-address are needed to avoid colliding with
# existing LAN hosts — check against the LAN's DHCP scope.
docker network create -d ipvlan \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.1 \
  -o ipvlan_mode=l2 \
  -o parent=eth0 db_net
# Interactive throwaway container on that network; --rm deletes it on exit
docker run --net=db_net -it --rm alpine /bin/sh