Docker 管理监控平台
当Docker中管理的镜像、容器、网络等变得很多时,通过命令管理就很吃力,于是就应该使用Docker 可视化管理平台,下面介绍几种常用的平台。
Docker UI
Docker UI是一个开源的基于Docker API的web应用程序,其支持容器管理,镜像管理,但不支持集群管理。
-
安装
docker pull uifd/ui-for-docker # 拉取 docker ui 的镜像。 -
启动docker ui 容器
docker run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock uifd/ui-for-docker然后通过IP:9000 就可以访问管理页面了。
Portainer
Portainer是一个可视化的容器镜像的图形管理工具,利用Portainer 可轻松构建,管理和维护Docker 环境。其完全免费,基于容器化的安装方式。
-
安装
docker pull portainer/portainer-ce # 拉取镜像 docker volume create portainer_data # 新建一个数据卷 # 启动容器 docker run -dp 8000:8000 -p 9443:9443 -p 7100:9000 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest然后就可以使用IP:7100 进行访问了。
第一次访问设置好密码后就可以进入系统了。
shipyard
shipyard 是docker的web可视化界面管理工具,是建立在docker集群管理工具Citadel之上,可以管理镜像、容器、主机等资源,其包括core 和 extension 两个版本。
core 版本:把多个Docker host 上containers统一管理(主持跨越多个host);
extension 版本:即shipyard-extension 添加了应用路由和负载均衡、集中化日志、部署等。
-
安装,有两种安装方式:手动安装和自动安装。
手动安装:比较麻烦,要拉取很多镜像
自动安装:运行一个部署脚本文件,实现自动拉取全部镜像并启动这些容器。(推荐)
在Linux系统的/root/shipyard 目录下新建deploy文件,其内容如下:
#!/bin/bash if [ "$1" != "" ] && [ "$1" = "-h" ]; then echo "Shipyard Deploy uses the following environment variables:" echo " ACTION: this is the action to use (deploy, upgrade, node, remove)" echo " DISCOVERY: discovery system used by Swarm (only if using 'node' action)" echo " IMAGE: this overrides the default Shipyard image" echo " PREFIX: prefix for container names" echo " SHIPYARD_ARGS: these are passed to the Shipyard controller container as controller args" echo " TLS_CERT_PATH: path to certs to enable TLS for Shipyard" echo " PORT: specify the listen port for the controller (default: 8080)" echo " IP: specify the address at which the controller or node will be available (default: eth0 ip)" echo " PROXY_PORT: port to run docker proxy (default: 2375)" exit 1 fi if [ -z "`which docker`" ]; then echo "You must have the Docker CLI installed on your \$PATH" echo " See http://docs.docker.com for details" exit 1 fi ACTION=${ACTION:-deploy} IMAGE=${IMAGE:-dockerclub/shipyard:latest} PREFIX=${PREFIX:-shipyard} SHIPYARD_ARGS=${SHIPYARD_ARGS:-""} TLS_CERT_PATH=${TLS_CERT_PATH:-} CERT_PATH="/etc/shipyard" PROXY_PORT=${PROXY_PORT:-2376} SWARM_PORT=3375 SHIPYARD_PROTOCOL=http SHIPYARD_PORT=${PORT:-8080} SHIPYARD_IP=${IP} DISCOVERY_BACKEND=etcd DISCOVERY_PORT=4001 DISCOVERY_PEER_PORT=7001 ENABLE_TLS=0 CERT_FINGERPRINT="" LOCAL_CA_CERT="" LOCAL_SSL_CERT="" LOCAL_SSL_KEY="" LOCAL_SSL_CLIENT_CERT="" LOCAL_SSL_CLIENT_KEY="" SSL_CA_CERT="" SSL_CERT="" SSL_KEY="" SSL_CLIENT_CERT="" SSL_CLIENT_KEY="" check_certs() { if [ -z "$TLS_CERT_PATH" ]; then return fi if [ ! -e $TLS_CERT_PATH ]; then echo "Error: unable to find certificates in $TLS_CERT_PATH" show_cert_help exit 1 fi if [ "$PROXY_PORT" = "2375" ]; then PROXY_PORT=2376 fi SWARM_PORT=3376 SHIPYARD_PROTOCOL=https LOCAL_SSL_CA_CERT="$TLS_CERT_PATH/ca.pem" LOCAL_SSL_CERT="$TLS_CERT_PATH/server.pem" LOCAL_SSL_KEY="$TLS_CERT_PATH/server-key.pem" LOCAL_SSL_CLIENT_CERT="$TLS_CERT_PATH/cert.pem" LOCAL_SSL_CLIENT_KEY="$TLS_CERT_PATH/key.pem" SSL_CA_CERT="$CERT_PATH/ca.pem" SSL_CERT="$CERT_PATH/server.pem" SSL_KEY="$CERT_PATH/server-key.pem" SSL_CLIENT_CERT="$CERT_PATH/cert.pem" SSL_CLIENT_KEY="$CERT_PATH/key.pem" CERT_FINGERPRINT=$(openssl x509 -noout -in $LOCAL_SSL_CERT -fingerprint -sha256 | awk -F= '{print $2;}') if [ ! -e $LOCAL_SSL_CA_CERT ] || [ ! -e $LOCAL_SSL_CERT ] || [ ! -e $LOCAL_SSL_KEY ] || [ ! -e $LOCAL_SSL_CLIENT_CERT ] || [ ! -e $LOCAL_SSL_CLIENT_KEY ]; then echo "Error: unable to find certificates" show_cert_help exit 1 fi ENABLE_TLS=1 } # container functions start_certs() { ID=$(docker run \ -ti \ -d \ --restart=always \ --name $PREFIX-certs \-v $CERT_PATH \ alpine \ sh) if [ $ENABLE_TLS = 1 ]; then docker cp $LOCAL_SSL_CA_CERT $PREFIX-certs:$SSL_CA_CERT docker cp $LOCAL_SSL_CERT $PREFIX-certs:$SSL_CERT docker cp $LOCAL_SSL_KEY $PREFIX-certs:$SSL_KEY docker cp $LOCAL_SSL_CLIENT_CERT $PREFIX-certs:$SSL_CLIENT_CERT docker cp $LOCAL_SSL_CLIENT_KEY $PREFIX-certs:$SSL_CLIENT_KEY fi } remove_certs() { docker rm -fv $PREFIX-certs > /dev/null 2>&1 } get_ip() { if [ -z "$SHIPYARD_IP" ]; then SHIPYARD_IP=`docker run --rm --net=host alpine ip route get 8.8.8.8 | awk '{ print $7; }'` fi } start_discovery() { get_ip ID=$(docker run \ -ti \ -d \ -p 4001:4001 \ -p 7001:7001 \ --restart=always \ --name $PREFIX-discovery \ microbox/etcd:latest -addr $SHIPYARD_IP:$DISCOVERY_PORT -peer-addr $SHIPYARD_IP:$DISCOVERY_PEER_PORT) } remove_discovery() { docker rm -fv $PREFIX-discovery > /dev/null 2>&1 } start_rethinkdb() { ID=$(docker run \ -ti \ -d \ --restart=always \ --name $PREFIX-rethinkdb \ rethinkdb) } remove_rethinkdb() { docker rm -fv $PREFIX-rethinkdb > /dev/null 2>&1 } start_proxy() { TLS_OPTS="" if [ $ENABLE_TLS = 1 ]; then TLS_OPTS="-e SSL_CA=$SSL_CA_CERT -e SSL_CERT=$SSL_CERT -e SSL_KEY=$SSL_KEY -e SSL_SKIP_VERIFY=1" fi # Note: we add SSL_SKIP_VERIFY=1 to skip verification of the client # certificate in the proxy image. this will pass it to swarm that # does verify. this helps with performance and avoids certificate issues # when running through the proxy. ultimately if the cert is invalid # swarm will fail to return. ID=$(docker run \ -ti \ -d \ -p $PROXY_PORT:$PROXY_PORT \ --hostname=$HOSTNAME \ --restart=always \ --name $PREFIX-proxy \ -v /var/run/docker.sock:/var/run/docker.sock \ -e PORT=$PROXY_PORT \ --volumes-from=$PREFIX-certs $TLS_OPTS\ shipyard/docker-proxy:latest) } remove_proxy() { docker rm -fv $PREFIX-proxy > /dev/null 2>&1 } start_swarm_manager() { get_ip TLS_OPTS="" if [ $ENABLE_TLS = 1 ]; then TLS_OPTS="--tlsverify --tlscacert=$SSL_CA_CERT --tlscert=$SSL_CERT--tlskey=$SSL_KEY" fi EXTRA_RUN_OPTS="" if [ -z "$DISCOVERY" ]; then DISCOVERY="$DISCOVERY_BACKEND://discovery:$DISCOVERY_PORT" EXTRA_RUN_OPTS="--link $PREFIX-discovery:discovery" fi ID=$(docker run \ -ti \ -d \ --restart=always \ --name $PREFIX-swarm-manager \ --volumes-from=$PREFIX-certs $EXTRA_RUN_OPTS \ swarm:latest \ m --replication --addr $SHIPYARD_IP:$SWARM_PORT --host tcp://0.0.0.0:$SWARM_PORT $TLS_OPTS $DISCOVERY) } remove_swarm_manager() { docker rm -fv $PREFIX-swarm-manager > /dev/null 2>&1 } start_swarm_agent() { get_ip if [ -z "$DISCOVERY" ]; then DISCOVERY="$DISCOVERY_BACKEND://discovery:$DISCOVERY_PORT" EXTRA_RUN_OPTS="--link $PREFIX-discovery:discovery" fi ID=$(docker run \ -ti \ -d \ --restart=always \ --name $PREFIX-swarm-agent $EXTRA_RUN_OPTS \ swarm:latest \ j --addr $SHIPYARD_IP:$PROXY_PORT $DISCOVERY) } remove_swarm_agent() { docker rm -fv $PREFIX-swarm-agent > /dev/null 2>&1 } start_controller() { #-v $CERT_PATH:/etc/docker:ro \ TLS_OPTS="" if [ $ENABLE_TLS = 1 ]; then TLS_OPTS="--tls-ca-cert $SSL_CA_CERT --tls-cert=$SSL_CERT --tls-key=$SSL_KEY --shipyard-tls-ca-cert=$SSL_CA_CERT --shipyard-tls-cert=$SSL_CERT --shipyard-tls-key=$SSL_KEY" fi ID=$(docker run \ -ti \ -d \ --restart=always \ --name $PREFIX-controller \ --link $PREFIX-rethinkdb:rethinkdb \ --link $PREFIX-swarm-manager:swarm \ -p $SHIPYARD_PORT:$SHIPYARD_PORT \ --volumes-from=$PREFIX-certs \ $IMAGE \ --debug \ server \ --listen :$SHIPYARD_PORT \ -d tcp://swarm:$SWARM_PORT $TLS_OPTS $SHIPYARD_ARGS) } wait_for_available() { set +e IP=$1 PORT=$2 echo Waiting for Shipyard on $IP:$PORT docker pull ehazlett/curl > /dev/null 2>&1 TLS_OPTS="" if [ $ENABLE_TLS = 1 ]; then TLS_OPTS="-k" fi until $(docker run --rm ehazlett/curl --output /dev/null --connect-timeout 1 --silent --head --fail $TLS_OPTS $SHIPYARD_PROTOCOL://$IP:$PORT/ > /dev/null 2>&1); do printf '.' sleep 1 done printf '\n' } remove_controller() { docker rm -fv $PREFIX-controller > /dev/null 2>&1 } if [ "$ACTION" = "deploy" ]; then set -e check_certs get_ip echo "Deploying Shipyard" echo " -> Starting Database" start_rethinkdb echo " -> Starting Discovery" start_discovery echo " -> Starting Cert Volume" start_certs echo " -> Starting Proxy" start_proxy echo " -> Starting Swarm Manager" start_swarm_manager echo " -> Starting Swarm Agent" start_swarm_agent echo " -> Starting Controller" start_controller wait_for_available $SHIPYARD_IP $SHIPYARD_PORT echo "Shipyard available at $SHIPYARD_PROTOCOL://$SHIPYARD_IP:$SHIPYARD_PORT" if [ $ENABLE_TLS = 1 ] && [ ! -z "$CERT_FINGERPRINT" ]; then echo "SSL SHA-256 Fingerprint: $CERT_FINGERPRINT" fi echo "Username: admin Password: shipyard" elif [ "$ACTION" = "node" ]; then set -e if [ -z "$DISCOVERY" ]; then echo "You must set the DISCOVERY environment variable" echo "with the discovery system used with Swarm" exit 1 fi check_certs echo "Adding Node" echo " -> Starting Cert Volume" start_certs echo " -> Starting Proxy" start_proxy echo " -> Starting Swarm Manager" start_swarm_manager $DISCOVERY echo " -> Starting Swarm Agent" start_swarm_agent echo "Node added to Swarm: $SHIPYARD_IP" elif [ "$ACTION" = "upgrade" ]; then set -e check_certs get_ip echo "Upgrading Shipyard" echo " -> Pulling $IMAGE" docker pull $IMAGE echo " -> Upgrading Controller" remove_controller start_controller wait_for_available $SHIPYARD_IP $SHIPYARD_PORT echo "Shipyard controller updated" elif [ "$ACTION" = "remove" ]; then # ignore errors set +e echo "Removing Shipyard" echo " -> Removing Database" remove_rethinkdb echo " -> Removing Discovery" remove_discovery echo " -> Removing Cert Volume"remove_certs echo " -> Removing Proxy" remove_proxy echo " -> Removing Swarm Agent" remove_swarm_agent echo " -> Removing Swarm Manager" remove_swarm_manager echo " -> Removing Controller" remove_controller echo "Done" else echo "Unknown action $ACTION" exit 1 fi -
添加可执行权限:chmod +x deploy
-
执行脚本文件:./deploy
脚本运行完后给出访问地址和用户名密码
此时就可以访问了。
CIG监控系统
通过docker stats命令可以查看当前所有容器的CPU占用率、内存占用率等数据。
但是他只显示实时的数据,无法存储和查询历史数据,没有健康指标预警功能。
而CIG解决了这个问题。
CIG (CAdvisor、InfluxDB、Grafana),也称docker监控三剑客。
CAdvisor用于监控数据收集;InfluxDB存储数据;Grafana展示数据。
-
CAdvisor:对容器的内存、CPU、网络、磁盘IO等进行监控,同时提供web页面展示监控数据。它使用一个守护进程来收集数据。
默认情况下,CAdvisor对单个主机存储2分钟的监控数据。其提供了很多数据集成接口用来存储数据,支持InfluxDB、Redis、Kafka、Elasticsearch。官方推荐InfluxDB。
-
InfluxDB:是GO语言开发的、开源的、高性能、时序型数据库,专注于海量时许数据的高效读写、存储与实时分析,无需外部依赖。
-
Grafana:GO语言开发的、开源的、数据监控分析可视化平台。
安装
采用docker compose 安装,所以需要准备一个compose.yml文件!
-
#创建工作目录: mkdir /root/cig -
在这个目录下定义compose.yml
services:influxdb:image: tutum/influxdb:0.9container_name: mydbrestart: alwaysenvironment:- PRE_CREATE_DB=cadvisorports:- "8083:8083"- "8086:8086"volumes:- ./data/influxdb:/datacadvisor:image: google/cadvisorcontainer_name: mycollectorlinks:- influxdb:influxsrvcommand: -storage_driver=influxdb -storage_driver_db=cadvisor -storage_driver_host=influxsrv:8086restart: alwaysports:- "8080:8080"volumes:- /:/rootfs:ro- /var/run:/var/run:rw- /sys:/sys:ro- /var/lib/docker/:/var/lib/docker:rografana:user: "104"image: grafana/grafanacontainer_name: myuirestart: alwayslinks:- influxdb:influxsrvports:- "3000:3000"volumes:- grafana_data:/var/lib/grafanaenvironment:- HTTP_USER=admin- HTTP_PASS=admin- INFLUXDB_HOST=influxsrv- INFLUXDB_PORT=8086- INFLUXDB_NAME=cadvisor- INFLUXDB_USER=root volumes: grafana_data: {} -
启动容器:docker compose up -d
注意:这里在启动的时候可能会超时,这时就需要手动把这三个镜像pull下来,然后执行docker compose pull ,然后再执行docker compose build .
然后重新启动 docker compose up -d ,就会启动成功。
我这里参考办法是:关于docker-compose up -d 出现超时情况处理 - 技术栈
-
然后就可以查看CIG各个页面了,启动比较慢,需要耐心等待!
- cadvisor页面:ip:8080
- influxDB 页面:ip:8083
- grafana页面:ip:3000,用户名和密码在compose.yml中配置的admin:admin
-
配置grafana,此时grafana和influxDB 没有连接,需要把influxDB 添加为数据源
- 配置Dashboards
