UI之portainer的使用简介
1、配置防火墙示例:
iptables -A INPUT -s 192.168.200.0/24 -p tcp -m tcp --dport 2375 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 2375 -j DROP
最好是通过安全组之类的来限制,不要暴露到外网,以免未授权访问。
2、调整docker访问,允许内网访问 API 接口
sed -i "/^ExecStart/c ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://$(ip a |grep global |grep eth0 |awk '{print $2}' |cut -d'/' -f1):2375" /usr/lib/systemd/system/docker.service
systemctl daemon-reload; systemctl restart docker
3、启动 portainer
首先,引用以下一段话,来表达数据持久化时要考虑的细节:
https://docs.docker.com/engine/admin/volumes/bind-mounts/#choosing-the--v-or-mount-flag
Differences between -v and --mount behavior
Because the -v and --volume flags have been a part of Docker for a long time, their behavior cannot be changed. This means that there is one behavior that is different between -v and --mount.
If you use -v or --volume to bind-mount a file or directory that does not yet exist on the Docker host, -v will create the endpoint for you. It is always created as a directory.
If you use --mount to bind-mount a file or directory that does not yet exist on the Docker host, Docker does not automatically create it for you, but generates an error.
(本次示例仅在swarm集群的其中一个节点创建该目录即可,这样一来,没有该目录的节点,启动服务时将报错)
# mkdir -p /data/portainer
使用 swarm 集群的方式运行:
# docker service create \
--name portainer \
--detach=true \
--publish 9000:9000 \
--constraint 'node.role == manager' \
--mount type=bind,src=/var/run/docker.sock,dst=/var/run/docker.sock \
--mount type=bind,src=/data/portainer,dst=/data \
portainer/portainer \
-H unix:///var/run/docker.sock
或直接运行一个容器:
# docker run --restart=unless-stopped -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock -v /data/portainer:/data portainer/portainer -H unix:///var/run/docker.sock
4、请求UI界面
http://服务器IP:9000
设置管理员密码。
ZYXW、参考
1、doc
https://portainer.readthedocs.io/en/latest/deployment.html
页:
[1]