部署dind(docker in docker)
現(xiàn)在在 k8s 來部署 dind 服務(wù)，提供整個(gè) CI（持續(xù)集成）的功能。
我們看看 docker version 列出的結(jié)果：Docker 采取的是 C/S 架構(gòu)。Docker 進(jìn)程默認(rèn)不監(jiān)聽任何端口，它會(huì)生成一個(gè) socket（/var/run/docker.sock）文件來進(jìn)行本地進(jìn)程通信；Docker C/S 之間采取 REST API 作為通信協(xié)議，我們可以讓 Docker daemon 進(jìn)程監(jiān)聽一個(gè)端口，這就為我們用 docker client 遠(yuǎn)程調(diào)用 docker daemon 進(jìn)程執(zhí)行鏡像構(gòu)建提供了可行性。需要注意的是，能訪問這個(gè)端口就等同於擁有宿主機(jī)的 root 權(quán)限，因此對(duì)外監(jiān)聽時(shí)應(yīng)啟用 TLS 認(rèn)證並限制可訪問的網(wǎng)絡(luò)。
docker-dind.yaml
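# Docker-in-Docker (dind) daemon used as the build backend for CI.
#
# Operational notes:
#   - A `pip install` running inside a dind build died with exit code 137
#     (128 + SIGKILL 9); that usually means the container hit its cpu/memory
#     limits, which is why the `resources` block of the Deployment below is
#     commented out. Re-enable it with larger values rather than leaving the
#     daemon unbounded.
#   - A client that only has the docker CLI (no local daemon) can point at
#     this Service instead:
#       dindSvc=$(kubectl -n kube-system get svc dind | awk 'NR==2{print $3}')
#       export DOCKER_HOST="tcp://${dindSvc}:2375/"
#       export DOCKER_DRIVER=overlay2
#       export DOCKER_TLS_CERTDIR=""
#
# Security: port 2375 is the plaintext, unauthenticated Docker API. Whoever can
# reach it has root-equivalent control of the node running the daemon (the pod
# is privileged and uses hostNetwork). Restrict who can reach 2375 (NetworkPolicy
# or node firewall), or keep the image default of TLS on 2376, before exposing
# this beyond a trusted CI network.
---
# Service: stable in-cluster address for the dind daemon.
kind: Service
apiVersion: v1
metadata:
  name: dind
  namespace: kube-system
spec:
  selector:
    app: dind
  ports:
    - name: tcp-port
      port: 2375
      protocol: TCP
      targetPort: 2375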
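---
# Deployment: a single privileged Docker-in-Docker daemon, pinned to one node.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dind
  namespace: kube-system
  labels:
    app: dind
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dind
  template:
    metadata:
      labels:
        app: dind
    spec:
      # hostNetwork: dockerd's 2375 is bound on the node's own IP, so it is
      # reachable by anything that can reach the node, not only through the
      # `dind` Service.
      hostNetwork: true
      containers:
        - name: dind
          # image: docker:19-dind
          image: harbor.test.com/library/docker:19-dind
          lifecycle:
            postStart:
              exec:
                # NOTE(review): the registry password sits in clear text in this
                # manifest and is readable by anyone who can `kubectl get`/`describe`
                # the Deployment or Pod. Prefer a Secret mounted into the container
                # and `docker login --password-stdin`.
                command: ["/bin/sh", "-c", "docker login harbor.test.com -u 'admin' -p 'test666'"]
            # On pod deletion, linger briefly so kube-proxy can drop this endpoint
            # before dockerd disappears.
            preStop:
              exec:
                command: ["/bin/sh", "-c", "sleep 5"]
          ports:
            - containerPort: 2375
          # Limits were disabled after builds died with exit 137 (SIGKILL);
          # re-enable them with sizes that fit the builds rather than leaving the
          # daemon unbounded.
          # resources:
          #   requests:
          #     cpu: 200m
          #     memory: 256Mi
          #   limits:
          #     cpu: 0.5
          #     memory: 1Gi
          readinessProbe:
            tcpSocket:
              port: 2375
            initialDelaySeconds: 10
            periodSeconds: 30
          livenessProbe:
            tcpSocket:
              port: 2375
            initialDelaySeconds: 10
            periodSeconds: 30
          securityContext:
            # dockerd needs a privileged container; combined with hostNetwork this
            # makes anyone who can reach 2375 effectively root on the node.
            privileged: true
          env:
            - name: DOCKER_HOST
              value: tcp://localhost:2375
            - name: DOCKER_DRIVER
              value: overlay2
            # An empty DOCKER_TLS_CERTDIR turns TLS off in the docker:dind
            # entrypoint, so the API on 2375 is plaintext and unauthenticated.
            # Leave it at the image default (TLS on 2376) unless the network
            # around this node is trusted.
            - name: DOCKER_TLS_CERTDIR
              value: ''
          volumeMounts:
            - name: docker-graph-storage
              mountPath: /var/lib/docker
            - name: tz-config
              mountPath: /etc/localtime
            # kubectl -n kube-system create secret generic harbor-ca --from-file=harbor-ca=/data/harbor/ssl/tls.cert
            # A subPath mount of a Secret is not refreshed when the Secret changes;
            # a rotated CA certificate needs a pod restart.
            - name: harbor-ca
              mountPath: /etc/docker/certs.d/harbor.test.com/ca.crt
              subPath: harbor-ca
      # NOTE(review): with hostNetwork: true the pod shares the node's network
      # namespace; confirm that the kubelet in use still injects hostAliases for
      # host-network pods, otherwise harbor.test.com has to resolve on the node
      # itself.
      hostAliases:
        - hostnames:
            - harbor.test.com
          ip: 'k8s-node3的IP地址'  # placeholder: the IP of the node hosting Harbor
      # kubectl create secret docker-registry test-secret --docker-server=harbor.test.com --docker-username=admin --docker-password=test666 --docker-email=admin@test.com
      # NOTE(review): the command above creates `test-secret` but the pod references
      # `testharbor`; the referenced name must match an existing docker-registry
      # Secret in kube-system or the image pull fails.
      imagePullSecrets:
        - name: testharbor
      volumes:
        # Alternative: node-local scratch space instead of a hostPath.
        # - emptyDir:
        #     medium: ""
        #     sizeLimit: 10Gi
        - hostPath:
            path: /var/lib/container/docker
          name: docker-graph-storage
        - hostPath:
            path: /usr/share/zoneinfo/Asia/Shanghai
          name: tz-config
        - name: harbor-ca
          secret:
            secretName: harbor-ca
            # 0600 written as decimal: a leading-zero literal is octal only under
            # YAML 1.1 parsers and reads as decimal 600 under YAML 1.2.
            defaultMode: 384
      # The NoExecute taint below evicts workloads that do not tolerate it from
      # the target node; this pod tolerates every taint, so it stays.
      #   kubectl taint node k8s-node1 Ingress=:NoExecute
      #   kubectl describe node k8s-node1 | grep -i taint
      #   kubectl taint node k8s-node1 Ingress:NoExecute-
      nodeSelector:
        kubernetes.io/hostname: "k8s-node1"
      # `operator: Exists` with no key tolerates every taint, including the
      # NoExecute one applied above.
      tolerations:
        - operator: Exists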