Think carefully before using Docker-in-Docker for CI or a test environment


Docker-in-Docker is a virtualized Docker daemon that runs inside a container itself in order to build container images. The main purpose of creating Docker-in-Docker was to help develop Docker itself. Many people use it to run Jenkins CI. This seems normal at first, but then problems arise that can be avoided by installing Docker in the Jenkins CI container. This article tells you how to do that. If you are interested in the final solution without the details, just read the last section of the article, "Solving the problem."


Docker-in-Docker: "The Good"

More than two years ago I added the --privileged flag to Docker and wrote the first version of dind. The goal was to help the core team develop Docker faster. Before Docker-in-Docker, the typical development cycle looked like this:

  • hackity;
  • build;
  • stop the running Docker daemon;
  • launch the new Docker daemon;
  • test;
  • repeat the cycle.

If you wanted a nice, reproducible build (that is, in a container), it became more complicated:

  • hackity;
  • make sure a working version of Docker is running;
  • build the new Docker with the old Docker;
  • stop the Docker daemon;
  • start the new Docker daemon;
  • test;
  • stop the new Docker daemon;
  • repeat.

With the arrival of Docker-in-Docker, the process became simpler:

  • hackity;
  • build + run in one step;
  • repeat the cycle.

Isn't that much better?


Docker-in-Docker: "The Bad"

However, contrary to popular belief, Docker-in-Docker is not 100% stars, ponies and unicorns. What I mean is that there are several issues a developer should be aware of.

One of them concerns LSMs (Linux Security Modules) such as AppArmor and SELinux: when starting a container, the "inner Docker" may try to apply security profiles that will conflict with or confuse the "outer Docker". This was the hardest problem to solve when trying to merge the original implementation of the --privileged flag. My changes worked and all tests would pass on my Debian machine and my Ubuntu test VMs, but they would crash and burn on Michael Crosby's machine (he had Fedora, as I recall). I can't remember the exact cause of the problem, but it may have been because Mike is a wise person who works with SELINUX=enforce (I used AppArmor) and my changes didn't take SELinux profiles into account.

Docker-in-Docker: "The Ugly"

The second issue is with Docker storage drivers. When you run Docker-in-Docker, the outer Docker runs on top of a regular filesystem (EXT4, BTRFS, or whatever you have) and the inner Docker runs on top of a copy-on-write system (AUFS, BTRFS, Device Mapper, etc., depending on what the outer Docker is set up to use). This results in many combinations that will not work. For example, you cannot run AUFS on top of AUFS.

If you run BTRFS on top of BTRFS, it should work at first, but once you have nested subvolumes, deleting the parent subvolume will fail. Device Mapper is not namespaced, so if multiple Docker instances run on the same machine, they will all be able to see (and affect) each other's images and container backing devices. That is bad.

There are workarounds for many of these problems. For example, if you want to use AUFS in the inner Docker, just turn the /var/lib/docker folder into a volume and you will be fine. Docker added some base namespaces to the Device Mapper target names so that if multiple Docker invocations run on the same machine, they won't step on each other.

However, such a setup is not always simple, as can be seen from these issues in the dind repository on GitHub.

Docker-in-Docker: It gets worse

What about the build cache? That can get pretty tricky too. People often ask me, "If I'm running Docker-in-Docker, how can I use the images located on my host rather than pulling everything again in my inner Docker?"

Some enterprising people have tried to bind-mount /var/lib/docker from the host into the Docker-in-Docker container. Sometimes they share /var/lib/docker with multiple containers.

Do you want to corrupt your data? Because this is exactly what will corrupt your data!

The Docker daemon was explicitly designed to have exclusive access to /var/lib/docker. Nothing else should "touch, poke, or prod" any of the Docker files located in that folder.

Why is that? Because it is the result of one of the hardest lessons learned while developing dotCloud. The dotCloud container engine worked by having multiple processes access /var/lib/dotcloud simultaneously. Clever tricks such as atomic file replacement (instead of in-place editing), peppering the code with advisory and mandatory locks, and other experiments with safe systems such as SQLite and BDB didn't always work. When we were redesigning our container engine, which eventually became Docker, one of the big design decisions was to consolidate all container operations under a single daemon to do away with all that nonsense.

Don't get me wrong: it is entirely possible to make something nice, reliable and fast that involves multiple processes and modern concurrency control. But we think it is simpler and easier to write and maintain code with Docker as the only player.

This means that if you share the /var/lib/docker directory between multiple Docker instances, you will have problems. Of course, this may work, especially in the early stages of testing. "Look, Ma, I can docker run ubuntu!" But try something more complex, like pulling the same image from two different instances, and you will see the world burn.

This means that if your CI system does builds and rebuilds, every time you restart your Docker-in-Docker container you risk dropping a nuke on its cache. That's not cool at all!

Solving the problem

Let's take a step back. Do you really need Docker-in-Docker, or do you just want to be able to run Docker, and build and run containers and images, from your CI system while the CI system itself is in a container?

I bet most people want the latter option, meaning they want a CI system like Jenkins to be able to start containers. The simplest way to do this is to expose the Docker socket to your CI container by bind-mounting it with the -v flag.

Simply put, when you start your CI container (Jenkins or other), instead of hacking something together with Docker-in-Docker, start it with the line:

docker run -v /var/run/docker.sock:/var/run/docker.sock ...

This container will now have access to the Docker socket and will therefore be able to start containers. Except that instead of starting "child" containers, it will start "sibling" containers.

Try this using the official docker image (which contains the Docker binary):

docker run -v /var/run/docker.sock:/var/run/docker.sock \
           -ti docker

It looks and works like Docker-in-Docker, but it is not Docker-in-Docker: when this container creates more containers, they will be created in the top-level Docker. You will not experience the side effects of nesting, and the build cache will be shared across multiple invocations.
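The check below is an added example, not part of the original article: it reads docker inspect output and flags the situations discussed above, namely a container handed the host's /var/lib/docker, one state directory shared by several inner daemons, privileged containers, and containers holding the host daemon socket (which can start sibling containers on the host). The function names, output labels and sample lines are constructed for illustration, and paths are assumed to contain no spaces or colons.

```shell
#!/bin/sh
# Added example (not from the article). Input, one container per line:
#   <name> <privileged> <source:destination> ...
# On a live host the lines can be produced with:
#   fmt='{{.Name}} {{.HostConfig.Privileged}} {{range .Mounts}}{{.Source}}:{{.Destination}} {{end}}'
#   docker ps -q | xargs docker inspect --format "$fmt" | audit_mounts
# Assumption: paths contain no spaces or colons.

audit_mounts() {
    awk '
    {
        name = $1
        if ($2 == "true") print "PRIVILEGED " name
        for (i = 3; i <= NF; i++) {
            split($i, m, ":"); src = m[1]; dst = m[2]
            # The host daemon state directory handed to a container.
            if (src == "/var/lib/docker") print "HOST_STATE " name
            # The host daemon socket: this container starts sibling containers.
            if (src == "/var/run/docker.sock") print "SOCKET " name
            # Remember who uses each backing directory as an inner /var/lib/docker.
            if (dst == "/var/lib/docker") { users[src] = users[src] " " name; n[src]++ }
        }
    }
    END {
        # One state directory served by several daemons: the corruption case.
        for (s in n) if (n[s] > 1) print "SHARED " s ":" users[s]
    }'
}

# Constructed sample data, not captured from a real host.
sample_inspect_lines() {
    cat <<'EOF'
/jenkins false /var/run/docker.sock:/var/run/docker.sock /srv/jenkins:/var/jenkins_home
/dind-a true /var/lib/docker:/var/lib/docker
/dind-b true /srv/dind-cache:/var/lib/docker
/dind-c true /srv/dind-cache:/var/lib/docker
/web false /srv/www:/usr/share/nginx/html
EOF
}

sample_inspect_lines | audit_mounts
```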

Note: Previous versions of this article advised bind-mounting the Docker binary from the host into the container. This has now become unreliable, because the Docker Engine is no longer distributed as static or nearly static libraries.

So, if you want to use Docker from Jenkins CI, you have 2 options:

  • install the Docker CLI using your image's native packaging system (i.e. if your image is based on Debian, use .deb packages);
  • use the Docker API.


source: www.habr.com
