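Introduction
Install Portainer to centrally manage the Docker containers on all servers.
Installation
Following the article on the official site, write the following compose file: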
version: '3.6'
services:
  portainer:
    image: portainer/portainer-ce:latest
    restart: always
    container_name: portainer-ce
    ports:
      - 18000:8000
      - 19443:9443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/data
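There are 3 differences from the official version:
- The official site uses the Enterprise Edition; we switched to the Community Edition
- Both port numbers were changed to avoid conflicts with other containers
First use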

Managing other servers
1. Install portainer-agent
Click the add button here:



Based on the docker run command in the screenshot above, write the following compose file:
version: '3.6'
services:
  portainer_agent:
    image: portainer/agent:2.19.4
    restart: always
    container_name: portainer_agent
    ports:
      - 9001:9001
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
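Install the Portainer agent on the other server (note: this is done on the other server that is to be managed, not on the machine where Portainer is installed):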
root@gateway:/mnt/data# mkdir portainer.agent
root@gateway:/mnt/data# cd portainer.agent
root@gateway:/mnt/data/portainer.agent# vi docker-compose.yml
root@gateway:/mnt/data/portainer.agent# docker-compose up -d
Creating network "portaineragent_default" with the default driver
Pulling portainer_agent (portainer/agent:2.19.4)...
2.19.4: Pulling from portainer/agent
379538b6d68e: Pull complete
4ea3e2c3a39b: Pull complete
e4cf4834d5bd: Pull complete
62056f49a10b: Pull complete
77db319e1026: Pull complete
fd7b75f7e3f2: Pull complete
c78d1de2268e: Pull complete
23e4142483c1: Pull complete
99c6abc3acd6: Pull complete
736c88414884: Pull complete
Digest: sha256:558676e1e8a019023ec2d9fe10644e82c5ee12405694841098e2f429552a5e48
Status: Downloaded newer image for portainer/agent:2.19.4
Creating portainer_agent ... done
I checked with docker ps and found that the container is running normally.
2. Connect to the Portainer agent

Success:

3. Connect to the other servers
On the Portainer home page:

The icons in the column marked in red in the screenshot below open the container's logs:

Very convenient:

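4. Security of the Portainer Agent
Once an Agent has been connected by one Portainer instance, connecting to that agent from another Portainer instance produces the following warning in Portainer: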

The official site describes the security mechanism in detail; here is a short excerpt:
Signature verification
The signature verification process can follow two different paths based on how the agent was deployed.
Default mode
By default, the agent will wait for a valid request from a Portainer instance and automatically associate the first Portainer instance that communicates with it by registering the public key found in the X-PortainerAgent-PublicKey header inside memory.
During the association process, the agent will first decode the specified public key from hexadecimal and then parse the public key. Only if these steps are successful then the key will be associated to the agent.
Once a Portainer instance is registered by the agent, the agent will not try to decode/parse the public key associated to a request anymore and will assume that only signatures associated to this public key are authorized (preventing any other Portainer instance to communicate with this agent).
Finally, the agent uses the associated public key and a default message that is known by both entities to verify the signature available in the X-PortainerAgent-Signature header.
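The default-mode flow from the excerpt above, modelled as an added Go example; it is not the Portainer agent's code and not part of the original post. The ECDSA P-256/SHA-256 scheme, the PKIX DER key encoding, the hex-encoded signature, the message string and the names Agent, Verify and NewInstance are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// digest hashes a placeholder for the default message both sides know (assumption).
var digest = sha256.Sum256([]byte("example-default-message"))
// Agent models default mode: the first valid key is associated, in memory only.
type Agent struct{ associated *ecdsa.PublicKey }

// Verify checks one request given its two header values (hex in this model).
func (a *Agent) Verify(pubHex, sigHex string) error {
	if a.associated == nil {
		der, errHex := hex.DecodeString(pubHex)        // step 1: decode from hex
		parsed, errKey := x509.ParsePKIXPublicKey(der) // step 2: parse the key
		key, ok := parsed.(*ecdsa.PublicKey)
		if errHex != nil || errKey != nil || !ok {
			return errors.New("public key rejected, nothing associated")
		}
		a.associated = key // associated only after both steps succeed
	}
	// From here on the header key is ignored; only the stored key is trusted.
	sig, err := hex.DecodeString(sigHex)
	if err != nil || !ecdsa.VerifyASN1(a.associated, digest[:], sig) {
		return errors.New("signature does not match the associated key")
	}
	return nil
}

// NewInstance returns constructed header values for one Portainer instance.
func NewInstance() (pubHex, sigHex string) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return hex.EncodeToString(der), hex.EncodeToString(sig)
}

func main() {
	agent := &Agent{}
	fmt.Println(agent.Verify(NewInstance()), agent.Verify(NewInstance()))
}
```

The first instance is accepted and the second is refused, which is the situation behind the warning shown above. Since whichever instance reaches the agent first gets associated, port 9001 on the managed host should only be reachable from the Portainer server.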
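Postscript
This is a first working setup for centralized, graphical management of Docker on all servers. It is much more convenient: no more ssh-ing into each machine to check on things.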