A Complete Practical Guide to Docker and Kubernetes
Overview
Containerization has become the standard way to ship modern applications. Docker is the representative container runtime and, combined with an orchestrator such as Kubernetes, gives applications an efficient and scalable deployment platform. This guide walks through Docker containerization and Kubernetes orchestration end to end: image builds, running containers, cluster management, service discovery, load balancing, storage, security hardening and monitoring.
Docker Basics and Practice
Docker Core Concepts
- Image: a read-only template from which containers are created
- Container: a running instance of an image
- Registry: a service that stores and distributes images
- Dockerfile: the script that builds an image
- Volume: persistent data storage that outlives the container's writable layer
- Network: the mechanism by which containers communicate with each other and the host
Dockerfile Best Practices
Node.js application Dockerfile
# Multi-stage build: build stage
FROM node:18-alpine AS builder
# Set the working directory
WORKDIR /app
# Copy the package manifests first so the dependency layer is cached independently of source edits
COPY package*.json ./
# Install all dependencies: build tools usually live in devDependencies, so they must not be omitted here
RUN npm ci
# Copy the source code
COPY . .
# Build, then drop devDependencies so only runtime packages reach the final image
RUN npm run build && npm prune --omit=dev && npm cache clean --force
# Runtime stage
FROM node:18-alpine AS runner
# Create a non-root user and group
RUN addgroup -g 1001 -S nodejs && \
    adduser -S nodejs -u 1001
# Set the working directory
WORKDIR /app
# Copy the build artifacts, owned by the runtime user
COPY --from=builder --chown=nodejs:nodejs /app/dist ./dist
COPY --from=builder --chown=nodejs:nodejs /app/node_modules ./node_modules
COPY --from=builder --chown=nodejs:nodejs /app/package*.json ./
# Switch to the non-root user
USER nodejs
# Document the listening port
EXPOSE 3000
# Health check: node:18-alpine does not ship curl, so use the BusyBox wget that Alpine provides
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD wget -qO /dev/null http://localhost:3000/health || exit 1
# Start command
CMD ["npm", "start"]
Python application Dockerfile
# Multi-stage build: build stage
FROM python:3.11-slim AS builder
# Set the working directory
WORKDIR /app
# Build tools needed to compile wheels that have no binary distribution
RUN apt-get update && apt-get install -y --no-install-recommends \
    gcc \
    && rm -rf /var/lib/apt/lists/*
# Install dependencies into a virtual environment so they can be copied as a single directory
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
# Copy the requirements file
COPY requirements.txt .
# Install Python dependencies
RUN pip install --no-cache-dir -r requirements.txt
# Runtime stage
FROM python:3.11-slim AS runner
# Create a non-root user
RUN groupadd -r appuser && useradd -r -g appuser appuser
# Set the working directory
WORKDIR /app
# Copy only the virtual environment; copying /usr/local/bin from the builder would overwrite the runtime image's own binaries
COPY --from=builder /opt/venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
# Copy the application code, owned by the runtime user
COPY --chown=appuser:appuser . .
# Switch to the non-root user
USER appuser
# Document the listening port
EXPOSE 8000
# Start command
CMD ["python", "app.py"]
Docker Image Optimization
1. Multi-stage builds
Only the last stage becomes the image, so compilers, build tooling and devDependencies stay behind in the builder stage and never reach production. (`npm ci --only=production` is deprecated; `--omit=dev` is its replacement.)
# Build stage
FROM node:18-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
# Runtime stage
FROM node:18-alpine AS runner
WORKDIR /app
COPY --from=builder /app/node_modules ./node_modules
COPY . .
USER node
EXPOSE 3000
CMD ["npm", "start"]
2. Layer optimization
Docker caches each instruction as a layer and invalidates that layer, and every layer after it, when its inputs change. Copy the dependency manifests and run the install before copying the rest of the source, so an edit to application code does not re-run the dependency install.
# Before: any source change invalidates the install layer
COPY . .
RUN npm install
RUN npm run build
# After: the install layer is reused until package*.json changes
COPY package*.json ./
RUN npm install
COPY . .
RUN npm run build
3. Use .dockerignore
Everything in the build context that is not excluded is sent to the daemon and picked up by `COPY . .`. Excluding `.env` and `.git` keeps credentials and repository history out of the image layers; excluding `node_modules` avoids shipping modules built on the developer's machine.
node_modules
npm-debug.log
.git
.gitignore
README.md
.env
.nyc_output
coverage
.coverage
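The following checker, added here as an example and not part of the original guide, turns the Dockerfile practices above into explicit rules: a pinned base image, dependency manifests copied before the whole context, `npm ci` rather than `npm install`, a non-root `USER` in the final stage and a `HEALTHCHECK`. Both sample Dockerfiles are constructed for the demo.

```python
"""Dockerfile checker for the practices described above (added example, not
part of the original guide). The two sample Dockerfiles are constructed here."""
import re

# Constructed "before" example: unpinned base image, whole context copied before
# the dependency install, npm install without a lockfile, runs as root, no health check.
BAD_DOCKERFILE = """\
FROM node
WORKDIR /app
COPY . .
RUN npm install
RUN npm run build
EXPOSE 3000
CMD ["npm", "start"]
"""

# Constructed "after" example following the multi-stage layout of the guide.
GOOD_DOCKERFILE = """\
FROM node:18-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build && npm prune --omit=dev

FROM node:18-alpine AS runner
RUN addgroup -g 1001 -S nodejs && \\
    adduser -S nodejs -u 1001
WORKDIR /app
COPY --from=builder --chown=nodejs:nodejs /app/dist ./dist
COPY --from=builder --chown=nodejs:nodejs /app/node_modules ./node_modules
USER nodejs
EXPOSE 3000
HEALTHCHECK --interval=30s CMD wget -qO /dev/null http://localhost:3000/health || exit 1
CMD ["node", "dist/server.js"]
"""

INSTALL_RE = re.compile(r"\b(npm (ci|install)|pip install|yarn install)\b")


def parse_instructions(text):
    """Split a Dockerfile into (INSTRUCTION, argument) pairs, joining
    backslash line continuations and dropping comments and blank lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    pairs = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def split_stages(pairs):
    """Group instructions by build stage (each FROM starts a new stage)."""
    stages = []
    for ins in pairs:
        if ins[0] == "FROM":
            stages.append([])
        if stages:
            stages[-1].append(ins)
    return stages


def copies_whole_context(arg):
    """True for `COPY . .` / `COPY ./ /app`, i.e. everything not excluded by .dockerignore."""
    words = [w for w in arg.split() if not w.startswith("--")]
    return len(words) >= 2 and words[0] in (".", "./")


def check_dockerfile(text):
    """Return a list of findings; an empty list means every check passed."""
    stages = split_stages(parse_instructions(text))
    if not stages:
        return ["no FROM instruction"]
    findings = []
    for n, stage in enumerate(stages, 1):
        image = next(w for w in stage[0][1].split() if not w.startswith("--"))
        if image != "scratch" and "@sha256:" not in image and (
                ":" not in image or image.endswith(":latest")):
            findings.append(f"stage {n}: base image {image!r} is not pinned to a tag or digest")
        copied_all = False
        for ins, arg in stage:
            if ins == "COPY" and copies_whole_context(arg):
                copied_all = True
            elif ins == "RUN" and INSTALL_RE.search(arg):
                if copied_all:
                    findings.append(f"stage {n}: whole context copied before dependency install, "
                                    "which busts the layer cache on every source change")
                if re.search(r"\bnpm install\b", arg):
                    findings.append(f"stage {n}: use `npm ci` with a lockfile instead of `npm install`")
    final = stages[-1]
    users = [arg for ins, arg in final if ins == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("final stage runs as root: add a USER instruction")
    if not any(ins == "HEALTHCHECK" for ins, _ in final):
        findings.append("final stage has no HEALTHCHECK")
    return findings


if __name__ == "__main__":
    for label, dockerfile in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(label, check_dockerfile(dockerfile) or "OK")
```

Run it on a real Dockerfile with `check_dockerfile(open("Dockerfile").read())`; it only inspects the last stage for `USER` and `HEALTHCHECK` because earlier stages never become the shipped image.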
Docker Network Configuration
1. Network modes
# Bridge network (default): the container gets its own network namespace behind NAT
docker run --network bridge nginx
# Host network: the container shares the host's network namespace, can bind any host port and sees all host traffic; avoid it for untrusted workloads
docker run --network host nginx
# No network at all
docker run --network none nginx
# User-defined network: containers on it resolve each other by name through Docker's embedded DNS
docker network create mynetwork
docker run --network mynetwork nginx
2. Container-to-container communication
# Create a network
docker network create app-network
# Run the database container; its port is not published, so only containers on app-network can reach it
# (values passed with -e are visible in `docker inspect`; use a proper secret in production)
docker run -d --name db --network app-network \
    -e POSTGRES_PASSWORD=password postgres:13
# Run the application container; bind the published port to localhost unless other hosts must reach it
docker run -d --name app --network app-network \
    -e DB_HOST=db -p 127.0.0.1:3000:3000 myapp:latest
Docker Storage Management
1. Volumes
# Create a named volume
docker volume create mydata
# Use the volume
docker run -v mydata:/data nginx
# Bind mount a host path; add :ro when the container only needs to read it
# (a writable bind mount of a sensitive host path, such as /var/run/docker.sock, hands the container control of the host)
docker run -v /host/path:/container/path:ro nginx
2. Volume backup
# Back up a volume to the current directory
docker run --rm -v mydata:/data -v "$(pwd)":/backup \
    alpine tar czf /backup/backup.tar.gz -C /data .
# Restore a volume
docker run --rm -v mydata:/data -v "$(pwd)":/backup \
    alpine tar xzf /backup/backup.tar.gz -C /data
Kubernetes Basics and Practice
Kubernetes Core Concepts
- Pod: the smallest deployable unit, holding one or more containers that share a network namespace and volumes
- Service: a stable virtual IP and DNS name in front of a changing set of Pods
- Deployment: manages Pod replicas and rolling updates
- ConfigMap: non-sensitive configuration data
- Secret: sensitive data; stored base64-encoded in the API, which is not encryption
- Namespace: resource isolation and grouping, and the scope for RBAC, NetworkPolicy and Pod Security Admission
1. Pod definition
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  labels:
    app: myapp
spec:
  containers:
    - name: myapp
      # :latest is a mutable tag; pin an immutable tag or digest so every restart runs the same image
      image: myapp:latest
      ports:
        - containerPort: 3000
      env:
        - name: NODE_ENV
          value: "production"
      resources:
        requests:
          memory: "64Mi"
          cpu: "250m"
        limits:
          memory: "128Mi"
          cpu: "500m"
2. Deployment definition
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deployment
  labels:
    app: myapp
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          image: myapp:latest
          ports:
            - containerPort: 3000
          env:
            - name: NODE_ENV
              value: "production"
          resources:
            requests:
              memory: "64Mi"
              cpu: "250m"
            limits:
              memory: "128Mi"
              cpu: "500m"
          livenessProbe:
            httpGet:
              path: /health
              port: 3000
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /ready
              port: 3000
            initialDelaySeconds: 5
            periodSeconds: 5
3. Service definition
apiVersion: v1
kind: Service
metadata:
  name: myapp-service
spec:
  selector:
    app: myapp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 3000
  # LoadBalancer asks the cloud provider for a public endpoint. When traffic enters
  # through the Ingress defined later, use ClusterIP so the app is not exposed twice.
  type: LoadBalancer
Advanced Features
1. ConfigMap and Secret
# ConfigMap: non-sensitive settings only
apiVersion: v1
kind: ConfigMap
metadata:
  name: myapp-config
data:
  database_url: "postgresql://localhost:5432/mydb"
  log_level: "info"
---
# Secret: values under `data` are base64-encoded, which is an encoding, not encryption.
# Anyone who can read the Secret (or etcd) recovers the plaintext, so restrict `get`/`list`
# on secrets with RBAC and enable encryption at rest for etcd.
apiVersion: v1
kind: Secret
metadata:
  name: myapp-secret
type: Opaque
data:
  username: YWRtaW4=      # base64 of "admin"
  password: cGFzc3dvcmQ=  # base64 of "password"
Do not commit Secret manifests with real values to the repository; create them on the cluster (for example with `kubectl create secret generic myapp-secret --from-literal=username=...`) or sync them from an external secret store.
2. Using the ConfigMap and Secret
Environment variables are the simplest way to consume them, but they show up in `kubectl describe pod`, are inherited by every child process and may end up in crash dumps; mounting a Secret as a volume file is the safer alternative for credentials.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deployment
spec:
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          image: myapp:latest
          env:
            - name: DATABASE_URL
              valueFrom:
                configMapKeyRef:
                  name: myapp-config
                  key: database_url
            - name: DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: myapp-secret
                  key: username
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: myapp-secret
                  key: password
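The following example, added here and not part of the original guide, makes the ConfigMap/Secret distinction concrete: it decodes the guide's own Secret to show that base64 hides nothing, builds a Secret from plaintext the way `kubectl create secret generic --from-literal` does, and flags ConfigMap entries that carry credentials (a URL with `user:password@`, or a key named like a token) so they can be moved into a Secret. The leaky ConfigMap is constructed for the demo.

```python
"""Added example (not from the original guide): what base64 in a Secret does
and does not give you, and a check that keeps credentials out of ConfigMaps."""
import base64
import re

# The Secret from the guide above, as a parsed manifest.
GUIDE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "myapp-secret"},
    "type": "Opaque",
    "data": {"username": "YWRtaW4=", "password": "cGFzc3dvcmQ="},
}

# The guide's ConfigMap, plus a constructed one that smuggles credentials in.
GUIDE_CONFIGMAP = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "myapp-config"},
    "data": {"database_url": "postgresql://localhost:5432/mydb", "log_level": "info"},
}
LEAKY_CONFIGMAP = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "myapp-config"},
    "data": {
        "database_url": "postgresql://app:s3cr3t@db:5432/mydb",  # constructed sample
        "api_token": "tok-0123456789",                             # constructed sample
        "log_level": "info",
    },
}


def decode_secret(manifest):
    """Return the plaintext values of a Secret's `data`. base64 is an encoding,
    not encryption: anyone allowed to `get` the Secret (or read etcd) sees this."""
    return {k: base64.b64decode(v).decode() for k, v in manifest.get("data", {}).items()}


def make_secret(name, values, namespace="default"):
    """Build an Opaque Secret from plaintext values, base64-encoding them into `data`
    (what `kubectl create secret generic NAME --from-literal=k=v` produces)."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in values.items()},
    }


# A URL carrying user:password@, and key names that usually hold credentials.
_URL_USERINFO = re.compile(r"://[^/\s@:]+:[^/\s@]+@")
_CREDENTIAL_KEY = re.compile(r"(password|passwd|secret|token|api_?key|private_?key)", re.I)


def find_credentials(configmap):
    """Return ConfigMap keys that look like credentials and belong in a Secret instead."""
    return [
        key for key, value in configmap.get("data", {}).items()
        if _CREDENTIAL_KEY.search(key) or _URL_USERINFO.search(str(value))
    ]


if __name__ == "__main__":
    print(decode_secret(GUIDE_SECRET))        # {'username': 'admin', 'password': 'password'}
    print(find_credentials(LEAKY_CONFIGMAP))  # ['database_url', 'api_token']
```

The same decode is one `kubectl get secret myapp-secret -o yaml` away for anyone holding `get` on secrets in that namespace, which is why the RBAC section below matters as much as the Secret object itself.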
3. Persistent storage
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: myapp-pvc
spec:
  accessModes:
    # ReadWriteOnce can be mounted by one node at a time; a multi-replica Deployment
    # spread over several nodes needs ReadWriteMany storage or a StatefulSet with one PVC per Pod
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deployment
spec:
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          image: myapp:latest
          volumeMounts:
            - name: storage
              mountPath: /data
      volumes:
        - name: storage
          persistentVolumeClaim:
            claimName: myapp-pvc
Service Discovery and Load Balancing
1. Ingress configuration
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-ingress
  # The nginx.ingress.kubernetes.io/rewrite-target: / annotation is a no-op for path / and was dropped
spec:
  ingressClassName: nginx
  # For production add a tls: block that references a kubernetes.io/tls Secret for myapp.example.com
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myapp-service
                port:
                  number: 80
2. Service mesh (Istio)
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myapp-vs
spec:
  hosts:
    - myapp.example.com
  # Without a gateways: list this rule applies only to traffic inside the mesh;
  # bind it to an Istio Gateway to expose the host externally.
  http:
    - match:
        - uri:
            prefix: /
      route:
        - destination:
            host: myapp-service
            port:
              number: 80
Docker and Kubernetes Integration
Image Build and Push
1. Automated builds
For a supply-chain-sensitive pipeline, pin each third-party action to a commit SHA rather than a floating major tag, and deploy the commit-SHA image tag (or the digest the push step outputs) instead of the mutable `latest`.
# .github/workflows/docker-build.yml
name: Docker Build and Push
on:
  push:
    branches: [ main ]
    tags: [ 'v*' ]
# Give the job token only what it needs: read the repo, write packages to ghcr.io
permissions:
  contents: read
  packages: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: |
            ghcr.io/${{ github.repository }}:latest
            ghcr.io/${{ github.repository }}:${{ github.sha }}
2. Multi-architecture builds
# Build and push a multi-architecture image with buildx
docker buildx create --name multiarch --use
docker buildx build --platform linux/amd64,linux/arm64 -t myapp:latest --push .
Container Orchestration Best Practices
1. Resource management
Requests drive scheduling and limits cap consumption. Set both: a container with no memory limit can starve its neighbours on the node, and a Pod with no requests gets BestEffort QoS and is the first to be evicted under pressure.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          image: myapp:latest
          resources:
            requests:
              memory: "256Mi"
              cpu: "250m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          livenessProbe:
            httpGet:
              path: /health
              port: 3000
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /ready
              port: 3000
            initialDelaySeconds: 5
            periodSeconds: 5
2. Rolling updates
A rolling update is triggered only when the Pod template changes. With a mutable `myapp:latest` tag, re-applying the same manifest changes nothing, which is another reason to reference an immutable tag or digest.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1   # at most one replica down during the rollout
      maxSurge: 1         # at most one extra replica created during the rollout
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          image: myapp:latest
3. Health checks
The liveness probe answers "should the kubelet restart this container?" and the readiness probe answers "should this Pod receive traffic?". Keep the liveness endpoint free of dependency checks: if `/health` fails whenever the database is slow, every replica is restarted at once and an outage turns into a restart storm.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deployment
spec:
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          image: myapp:latest
          livenessProbe:
            httpGet:
              path: /health
              port: 3000
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /ready
              port: 3000
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 3
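The probes above are only as good as the endpoints behind them. The handler below is an added example, not code from the original guide or the application it deploys: `/health` reports only that the process can answer, `/ready` fails while any dependency check fails or while the process is draining after SIGTERM, so a slow database stops traffic without restarting anything. The dependency check and the port are constructed for the demo.

```python
"""Added example (not from the original guide): liveness and readiness handlers
that behave differently, so a failing dependency removes the Pod from the
Service without the kubelet restarting it. Dependency checks are constructed."""
import json
import signal
import time
from http.server import BaseHTTPRequestHandler, HTTPServer


class AppState:
    """What the probes look at. `checks` maps a dependency name to a callable
    that returns True when the dependency is usable."""

    def __init__(self, checks=None):
        self.started = time.monotonic()
        self.draining = False  # set on SIGTERM so the Pod leaves the Endpoints before exiting
        self.checks = checks or {}


def liveness(state):
    """/health: is this process alive and able to answer at all? It deliberately
    does NOT consult dependencies; a down database must not restart every replica."""
    return 200, {"status": "ok", "uptime_s": int(time.monotonic() - state.started)}


def readiness(state):
    """/ready: may this replica receive traffic right now? Fails while draining or
    while any dependency check fails, which removes the Pod from the Service."""
    if state.draining:
        return 503, {"status": "draining"}
    results = {}
    for name, check in state.checks.items():
        try:
            results[name] = bool(check())
        except Exception:  # a probe handler must never raise
            results[name] = False
    ok = all(results.values())
    return (200 if ok else 503), {"status": "ready" if ok else "not-ready", "checks": results}


ROUTES = {"/health": liveness, "/ready": readiness}


class ProbeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        handler = ROUTES.get(self.path.split("?")[0])
        if handler is None:
            code, body = 404, {"error": "not found"}
        else:
            code, body = handler(self.server.state)
        payload = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep kubelet probe traffic out of the application log
        pass


class ProbeServer(HTTPServer):
    def __init__(self, addr, state):
        super().__init__(addr, ProbeHandler)
        self.state = state


if __name__ == "__main__":
    # Constructed dependency check: make it return False to watch /ready go 503 while /health stays 200.
    state = AppState(checks={"database": lambda: True})
    signal.signal(signal.SIGTERM, lambda *_: setattr(state, "draining", True))
    ProbeServer(("0.0.0.0", 3000), state).serve_forever()
```

Pair the draining flag with a `terminationGracePeriodSeconds` long enough for the readiness probe to fail at least `failureThreshold` times, so in-flight requests finish after the Pod has been removed from the Endpoints.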
Production Best Practices
Security Configuration
1. Pod Security Admission
PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes 1.25. Its built-in replacement is Pod Security Admission, which enforces the Pod Security Standards per namespace through labels. The `restricted` profile requires what the old restricted PSP expressed: no privileged containers, no privilege escalation, all capabilities dropped, a non-root user, a RuntimeDefault or Localhost seccomp profile, and only the volume types configMap, emptyDir, projected, secret, downwardAPI, persistentVolumeClaim, csi and ephemeral.
# Enforce the restricted profile on a namespace
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# A Pod that the restricted profile admits
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  namespace: production
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: myapp
      image: myapp:latest
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
2. Network policies
A default-deny policy in every namespace switches the Pod network to allow-list mode; narrow allow policies per workload go on top of it. Denying all Egress also blocks DNS, so each such namespace additionally needs an egress rule to kube-dns (UDP and TCP port 53), and NetworkPolicy is only enforced when the CNI plugin supports it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}   # selects every Pod in the namespace
  policyTypes:
    - Ingress
    - Egress
3. RBAC configuration
Grant the narrowest verbs on the narrowest resources, namespace-scoped where possible; in particular keep `get`/`list` on secrets out of general-purpose roles.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
  - kind: User
    name: jane
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
Monitoring and Logging
1. Prometheus monitoring
Pod service discovery needs a ServiceAccount bound to a role that can list and watch Pods; without `relabel_configs` this job tries to scrape every Pod port it discovers, so in practice it is paired with relabeling on the `prometheus.io/*` annotations shown in the metrics section below.
apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus-config
data:
  prometheus.yml: |
    global:
      scrape_interval: 15s
    scrape_configs:
      - job_name: 'kubernetes-pods'
        kubernetes_sd_configs:
          - role: pod
2. Log collection
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluent-bit-config
data:
  fluent-bit.conf: |
    [SERVICE]
        Flush             1
        Log_Level         info
        Daemon            off
        Parsers_File      parsers.conf
        HTTP_Server       On
        HTTP_Listen       0.0.0.0
        HTTP_Port         2020
    [INPUT]
        Name              tail
        Path              /var/log/containers/*.log
        # `docker` parses the json-file log driver format; on containerd or CRI-O nodes use the `cri` parser
        Parser            docker
        Tag               kube.*
        Refresh_Interval  5
        Mem_Buf_Limit     50MB
        Skip_Long_Lines   On
Monitoring and Operations
Application Monitoring
1. Metrics collection
The `prometheus.io/*` annotations are a convention, not a Kubernetes feature: they take effect only when the scrape job's `relabel_configs` read them. Anything that can reach port 3000 can also read `/metrics`, so keep metrics off ports exposed through the Ingress or protect the path.
apiVersion: v1
kind: Service
metadata:
  name: myapp-service
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "3000"
    prometheus.io/path: "/metrics"
spec:
  selector:
    app: myapp
  ports:
    - port: 3000
      targetPort: 3000
2. Alerting configuration
apiVersion: v1
kind: ConfigMap
metadata:
  name: alertmanager-config
data:
  alertmanager.yml: |
    global:
      smtp_smarthost: 'localhost:587'
      smtp_from: 'alertmanager@example.com'
    route:
      group_by: ['alertname']
      group_wait: 10s
      group_interval: 10s
      repeat_interval: 1h
      receiver: 'web.hook'
    receivers:
      - name: 'web.hook'
        webhook_configs:
          - url: 'http://127.0.0.1:5001/'
Troubleshooting
1. Common commands
# Pod status
kubectl get pods
# Pod details and recent events (scheduling failures, image pull errors, failed probes)
kubectl describe pod <pod-name>
# Pod logs; add --previous to read the last crashed container
kubectl logs <pod-name>
# Open a shell in a Pod (minimal images usually have /bin/sh but no bash)
kubectl exec -it <pod-name> -- /bin/sh
# Events, oldest first
kubectl get events --sort-by=.metadata.creationTimestamp
# Resource usage (requires metrics-server)
kubectl top pods
kubectl top nodes
2. Debugging tips
# The full Pod YAML as the API server sees it, including defaults that were applied
kubectl get pod <pod-name> -o yaml
# Service endpoints: an empty list means the selector matches no ready Pods
kubectl get endpoints
# Ingress status
kubectl describe ingress <ingress-name>
# ConfigMaps and Secrets (Secret values are only base64-encoded; `kubectl get secret <name> -o yaml` shows them)
kubectl get configmap
kubectl get secret
Following these practices gives you a containerized platform that is efficient, reliable and secure, with fast deployment, scaling and day-to-day operation of the applications running on it.