一、简介
Docker Stack 是为了解决大规模场景下的多服务部署和管理,提供了期望状态,滚动升级,简单易用,扩缩容,健康检查等特性,并且都封装在一个声明式模型当中。
- Docker Stack 部署应用的生命周期:
初始化部署 > 健康检查 > 扩容 > 更新 > 回滚。 - 使用单一声明式文件即可完成部署,即只需要
docker-stack.yml文件,使用docker stack deploy命令即可完成部署。 - stack 文件其实就是 Docker compose 文件,唯一的要求就是 version 需要为 3.0 或者更高的值。
- Stack 完全集成到了 Docker 中,不像 compose 还需要单独安装。
Docker 适用于开发和测试,而 Docker Stack 则适用于大规模场景和生产环境
二、docker-stack.yml文件详解
从 GitHub 中拉取示例代码,分析其中的 docker-stack.yml 文件
[root@huanzi-001 daemon]# git clone https://github.com/dockersamples/atsea-sample-shop-app.git可以看到有 5 个服务,3 个网络,4 个秘钥,3 组端口映射;
services:reverse_proxy:database:appserver:visualizer:payment_gateway:
networks:front-tier:back-tier:payment:
secrets:postgres_password:staging_token:revprox_key:revprox_cert:2.1 网络
Docker 根据 stack 文件部署的时候,第一步会检查并创建 networks:关键字对应的网络。默认会创建覆盖网络(overlay),并且控制层会加密,如果需要对数据层加密,可以在 stack 文件的 driver_opts 之下指定 encrypted:'yes',数据层加密会导致额外开销,但是一般不会超过10%,3 个网络都会先于秘钥和服务被创建
networks:front-tier:back-tier:payment:driver: overlaydriver_opts:encrypted: 'yes'2.2 秘钥
当前 Stack 文件中定义了 4 个秘钥,并且都是external,这表示在 Stack 部署前,这些秘钥必须已存在
secrets:postgres_password:external: truestaging_token:external: truerevprox_key:external: truerevprox_cert:external: true2.3 服务
总共有 5 个服务,我们依次进行分析1、reverse_proxy 服务
reverse_proxy:image: dockersamples/atseasampleshopapp_reverse_proxyports:- "80:80"- "443:443"secrets:- source: revprox_certtarget: revprox_cert- source: revprox_keytarget: revprox_keynetworks:- front-tierimage:必填项,指定了用于构建服务副本的 Docker 镜像ports:Swarm 节点的 80 端口映射到副本的 80 端口,443 端口映射到副本的 443 端口secrets:2 个秘钥以普通文件形式挂载至服务副本中,文件名称就是 target 属性的值,路径为/run/secretsnetworks:所有副本都会连接到 front-tier 网络,如果定义的网络不存在,Docker 会以 Overlay 的网络方式新建一个
2、database 服务
database:image: dockersamples/atsea_dbenvironment:POSTGRES_USER: gordonuserPOSTGRES_DB_PASSWORD_FILE: /run/secrets/postgres_passwordPOSTGRES_DB: atseanetworks:- back-tiersecrets:- postgres_passworddeploy:placement:constraints:- 'node.role == worker'多了以下几项:
environment:环境变量,定义了数据库用户,密码位置,数据库名称deploy:部署约束,服务只运行在 Swarm 集群的 Worker 节点上
Swarm 目前允许以下几种部署约束方式:
- 节点 ID :
node.id == 85v90bioyy4s2fst4fa5vrlvf - 节点名称:
node.hostname == huanzi-002 - 节点角色:
node.role != manager - 节点引擎标签:
engine.labels.operatingsystem == Centos 7.5 - 节点自定义标签:
node.labels.zone == test01
支持==和!=操作
3、appserver 服务
appserver:image: dockersamples/atsea_appnetworks:- front-tier- back-tier- paymentdeploy:replicas: 2update_config:parallelism: 2failure_action: rollbackplacement:constraints:- 'node.role == worker'restart_policy:condition: on-failuredelay: 5smax_attempts: 3window: 120ssecrets:- postgres_passworddeploy-replicas:部署的服务副本数量deploy-update_config:滚动升级时的操作,每次更新 2 个副本(parallelism:2),升级失败以后回滚(failure_action: rollback)failure_action默认为 pause ,即服务升级失败后阻止其它副本的升级,还支持 continuerestart_policy:容器异常退出的重启策略,当前策略为:如果某个副本以非 0 返回值退出(condition: on-failure),会立即重启当前副本,重启最多重试 3 次,每次最多等待 120s,每次重启间隔是 5s。
4、visualizer 服务
visualizer:image: dockersamples/visualizer:stableports:- "8001:8080"stop_grace_period: 1m30svolumes:- "/var/run/docker.sock:/var/run/docker.sock"deploy:update_config:failure_action: rollbackplacement:constraints:- 'node.role == manager'stop_grace_period:设置容器优雅停止时长(Docker 停止某个容器时,会给容器内 PID 为 1 的进程发送一个 SIGTERM 信号,容器内 PID 为 1 的进程有 10s 的优雅停止时长来执行清理操作)volumes:挂载提前创建的卷或者主机目录至某个服务副本中,本例中/var/run/docker.sock为Docker 的 IPC 套接字,Docker daemon 通过该套接字对其它进程暴露 API 终端,如果某个容器有该文件的访问权限,即允许该容器访问所有的 API 终端,并且可以查询及管理 Docker daemon。生产环境严禁使用该操作
5、payment_gateway 服务
payment_gateway:image: dockersamples/atseasampleshopapp_payment_gatewaysecrets:- source: staging_tokentarget: payment_tokennetworks:- paymentdeploy:update_config:failure_action: rollbackplacement:constraints:- 'node.role == worker'- 'node.labels.pcidss == yes'node.labels:自定义节点标签,可以通过docker node update自定义,并添加至 Swarm 集群的指定节点。这说明,node.labels 配置只适用于 Swarm 集群中指定的节点。
三、部署docker stack
1、准备工作
- 自定义标签(payment_gateway 服务需要用到)
- 密钥(提前创建 4 个)
给工作节点 huanzi-002 新建一个自定义标签,在管理节点上操作
[root@huanzi-001 atsea-sample-shop-app]# docker node ls
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION
8bet9fg0tnoqlfp0ebrrqdapn * huanzi-001 Ready Active Leader 19.03.5
85v90bioyy4s2fst4fa5vrlvf huanzi-002 Ready Active 19.03.5
8hxs2p5iblj19xg9uqpu8ar8g huanzi-003 Ready Active 19.03.5
[root@huanzi-001 atsea-sample-shop-app]# docker node update --label-add pcidss=yes huanzi-002
huanzi-002
[root@huanzi-001 atsea-sample-shop-app]# docker node inspect huanzi-002
[{"ID": "85v90bioyy4s2fst4fa5vrlvf","Version": {"Index": 726},"CreatedAt": "2020-02-02T08:11:34.982719258Z","UpdatedAt": "2020-02-06T10:22:25.44331302Z","Spec": {"Labels": {"pcidss": "yes"<...>可以看到自定义标签已经成功创建。
接下来创建密钥,先创建加密 key
[root@huanzi-001 daemon]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout damain.key -x509 -days 365 -out domain.crt
Generating a 4096 bit RSA private key
....................................++
...........................................++
writing new private key to 'damain.key'
-----
<...>
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@huanzi-001 daemon]# ls
atsea-sample-shop-app damain.key domain.crt
[root@huanzi-001 daemon]# 创建需要加密 key 的revprox_cert,revprox_key,postgres_password这 3 个密钥
[root@huanzi-001 daemon]# docker secret create revprox_cert domain.crt
lue5qk6ophxrr6aspyhnkhvsv
[root@huanzi-001 daemon]# docker secret create revprox_key damain.key
glvfk78kn6665lmkci7tslrw6
[root@huanzi-001 daemon]# docker secret create postgres_password damain.key
pxdfs28hb2897xuu7f3bub7ex
[root@huanzi-001 daemon]# 创建不需要加密 key 的staging_token密钥
[root@huanzi-001 daemon]# echo staging | docker secret create staging_token -
cyqfn9jocvnxd2vr57gn5pioj
[root@huanzi-001 daemon]# docker secret ls
ID NAME DRIVER CREATED UPDATED
pxdfs28hb2897xuu7f3bub7ex postgres_password 15 minutes ago 15 minutes ago
lue5qk6ophxrr6aspyhnkhvsv revprox_cert 16 minutes ago 16 minutes ago
glvfk78kn6665lmkci7tslrw6 revprox_key 16 minutes ago 16 minutes ago
cyqfn9jocvnxd2vr57gn5pioj staging_token About a minute ago About a minute ago
[root@huanzi-001 daemon]# 现在自定义标签,及密钥全部创建完毕
2、开始部署
命令:docker stack deploy -c <docker-stack.yml> <stack name>
[root@huanzi-001 atsea-sample-shop-app]# docker stack deploy -c docker-stack.yml huanzi-stack
Creating network huanzi-stack_front-tier
Creating network huanzi-stack_back-tier
Creating network huanzi-stack_default
Creating network huanzi-stack_payment
Creating service huanzi-stack_payment_gateway
Creating service huanzi-stack_reverse_proxy
Creating service huanzi-stack_database
Creating service huanzi-stack_appserver
Creating service huanzi-stack_visualizer
[root@huanzi-001 atsea-sample-shop-app]# 可以看出,先创建了 4 个网络,再创建的服务,我们验证一下网络是否创建了
[root@huanzi-001 atsea-sample-shop-app]# docker network ls
NETWORK ID NAME DRIVER SCOPE
34306420befb bridge bridge local
ac57c15024c7 docker_gwbridge bridge local
e863472805b3 host host local
ojt9cxg2qsxe huanzi-net overlay swarm
o74roe621idx huanzi-stack_back-tier overlay swarm
k55m237m11ct huanzi-stack_default overlay swarm
idpvc5xg2g2t huanzi-stack_front-tier overlay swarm
uvphcut0a825 huanzi-stack_payment overlay swarm
7d6iv5ilwbcn ingress overlay swarm
d302c895b455 lovehuanzi bridge local
eefd134326c4 none null local
[root@huanzi-001 atsea-sample-shop-app]# 看到了 4 个 huanzi-stack 前缀的网络。为什么多了一个huanzi-stack-default,因为visualizer 服务没有指定网络,因此 Docker 创建了一个 defalut 的网络给它用。
再验证下服务
root@huanzi-001 atsea-sample-shop-app]# docker stack ls
NAME SERVICES ORCHESTRATOR
huanzi-stack 5 Swarm
[root@huanzi-001 atsea-sample-shop-app]#
[root@huanzi-001 atsea-sample-shop-app]# docker stack ps huanzi-stack
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
ex55yaz21mra huanzi-stack_appserver.1 dockersamples/atsea_app:latest huanzi-003 Running Preparing 2 minutes ago
jshmzquzxi8p huanzi-stack_database.1 dockersamples/atsea_db:latest huanzi-002 Running Preparing 2 minutes ago
k7mi1419ahwd huanzi-stack_reverse_proxy.1 dockersamples/atseasampleshopapp_reverse_proxy:latest huanzi-003 Running Preparing 2 minutes ago
09ocoutjfc70 huanzi-stack_payment_gateway.1 dockersamples/atseasampleshopapp_payment_gateway:latest huanzi-002 Running Preparing 2 minutes ago
y6lftn8g95b8 huanzi-stack_visualizer.1 dockersamples/visualizer:stable huanzi-001 Running Preparing 2 minutes ago
5twm1k4uj5ps huanzi-stack_appserver.2 dockersamples/atsea_app:latest huanzi-002 Running Preparing 2 minutes ago
[root@huanzi-001 atsea-sample-shop-app]#可以看到满足 stack 文件的要求:
reverse_proxy:副本数量1database:副本数量1,位于workerappserver:副本数量2,位于workervisualizer:副本数量1,位于managerpayment_gateway:副本数量1,位于worker,自定义标签pcidss == yes(即 huanzi-002 )
3、管理 Stack
1、扩容
将appserver的副本数从 2 扩至 10,有 2 种方式:
- 通过
docker service scale appserver=10 - 直接修改
docker-stack.yml文件,再通过docker stack deploy重新部署
所有的变更都应该通过 Stack 文件进行声明,然后通过 docker stack deploy 进行部署
2、修改docker-stack.yml文件
appserver:image: dockersamples/atsea_appnetworks:- front-tier- back-tier- paymentdeploy:replicas: 103、重新部署
[root@huanzi-001 atsea-sample-shop-app]# docker stack deploy -c docker-stack.yml huanzi-stack
Updating service huanzi-stack_reverse_proxy (id: i2yn8l50ofnmbx0a55mum1dw0)
Updating service huanzi-stack_database (id: ubrtixblmj685pnc97wql42cm)
Updating service huanzi-stack_appserver (id: yy447jdp1eiwb03ljdsqtyg1g)
Updating service huanzi-stack_visualizer (id: rhzzxov0jh1y38rxcj6bwe89y)
Updating service huanzi-stack_payment_gateway (id: niobpxv5vr1njoo37vnje8zic)
[root@huanzi-001 atsea-sample-shop-app]#
[root@huanzi-001 atsea-sample-shop-app]# docker stack ps huanzi-stack
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
wrser9r5bbrz huanzi-stack_visualizer.1 dockersamples/visualizer:stable huanzi-001 Running Preparing 3 minutes ago
ex55yaz21mra huanzi-stack_appserver.1 dockersamples/atsea_app:latest huanzi-003 Running Preparing 20 minutes ago
jshmzquzxi8p huanzi-stack_database.1 dockersamples/atsea_db:latest huanzi-002 Running Preparing 20 minutes ago
k7mi1419ahwd huanzi-stack_reverse_proxy.1 dockersamples/atseasampleshopapp_reverse_proxy:latest huanzi-003 Running Preparing 20 minutes ago
09ocoutjfc70 huanzi-stack_payment_gateway.1 dockersamples/atseasampleshopapp_payment_gateway:latest huanzi-002 Running Preparing 20 minutes ago
5twm1k4uj5ps huanzi-stack_appserver.2 dockersamples/atsea_app:latest huanzi-002 Running Preparing 20 minutes ago
aydzla0zzv3p huanzi-stack_appserver.3 dockersamples/atsea_app:latest huanzi-003 Running Preparing 2 minutes ago
n3312auusvxi huanzi-stack_appserver.4 dockersamples/atsea_app:latest huanzi-002 Running Preparing 2 minutes ago
kg8jy3ei0beo huanzi-stack_appserver.5 dockersamples/atsea_app:latest huanzi-003 Running Preparing 2 minutes ago
tgai33mhlxyv huanzi-stack_appserver.6 dockersamples/atsea_app:latest huanzi-002 Running Preparing 2 minutes ago
n69nunaur3lz huanzi-stack_appserver.7 dockersamples/atsea_app:latest huanzi-003 Running Preparing 2 minutes ago
mqubx8hoddn8 huanzi-stack_appserver.8 dockersamples/atsea_app:latest huanzi-002 Running Preparing 2 minutes ago
p3mo3k8a5jvs huanzi-stack_appserver.9 dockersamples/atsea_app:latest huanzi-003 Running Preparing 2 minutes ago
xw8tvi5bwh53 huanzi-stack_appserver.10 dockersamples/atsea_app:latest huanzi-002 Running Preparing 2 minutes ago
[root@huanzi-001 atsea-sample-shop-app]#扩容完成
4、删除
命令:docker stack rm <stack name>
[root@huanzi-001 atsea-sample-shop-app]# docker stack rm huanzi-stack
Removing service huanzi-stack_appserver
Removing service huanzi-stack_database
Removing service huanzi-stack_payment_gateway
Removing service huanzi-stack_reverse_proxy
Removing service huanzi-stack_visualizer
Removing network huanzi-stack_front-tier
Removing network huanzi-stack_default
Removing network huanzi-stack_back-tier
Removing network huanzi-stack_payment可以看出,rm会删除服务及网络,但是密钥和卷不会删除
root@huanzi-001 atsea-sample-shop-app]# docker secret ls
ID NAME DRIVER CREATED UPDATED
pxdfs28hb2897xuu7f3bub7ex postgres_password 53 minutes ago 53 minutes ago
lue5qk6ophxrr6aspyhnkhvsv revprox_cert 55 minutes ago 55 minutes ago
glvfk78kn6665lmkci7tslrw6 revprox_key 54 minutes ago 54 minutes ago
cyqfn9jocvnxd2vr57gn5pioj staging_token 40 minutes ago 40 minutes ago
[root@huanzi-001 atsea-sample-shop-app]#
一般一个环境需要一个stack文件。比如dev,test,prod。
