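Docker Basics (26) - Docker Container Resource Limits and Monitoring (2) | Nginx + Prometheus + cAdvisor: Deploying a Monitoring Stack That Requires Authentication
The "Docker Monitoring" part of the article "Docker Basics (25) - Docker Container Resource Limits and Monitoring" briefly introduced cAdvisor and Prometheus. There, cAdvisor ran inside a Docker container and Prometheus ran as a standalone program outside any container.
This article shows how to deploy Nginx, Prometheus and cAdvisor in Docker containers so that the monitoring stack can only be reached after authentication.
cAdvisor GitHub: https://github.com/google/cadvisor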
Prometheus: https://prometheus.io/
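1. Deployment environment
IP address (local test environment): 192.168.0.10
Operating system: Linux CentOS 7.9
Docker version: 20.10.7
Docker Compose version: 2.6.1
Nginx directory: /home/docker/monitor/nginx
Prometheus directory: /home/docker/monitor/prometheus
Build directory: /home/docker/monitor/build
HTML directory: /home/docker/monitor/html
2. Create the configuration files
1) Create nginx.conf
In the /home/docker/monitor/nginx/conf.d directory, create a file named nginx.conf with the following content: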
server {
    listen 80 default_server;
    server_name localhost;
    location / {
        auth_basic "Basic Auth";
        auth_basic_user_file /etc/nginx/conf.d/htpasswd;
        proxy_pass http://prom-prometheus:9090;
    }
}
2) Create htpasswd
Run the following command to create the password hash:
$ openssl passwd -apr1
Password:
Verifying - Password:
$apr1$kB6nvL23$bjdqD9Evw.QKxbVicInUj0
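Note: openssl passwd prompts for the password twice. Here 654321 was entered, which produced the Apache MD5 password hash $apr1$kB6nvL23$bjdqD9Evw.QKxbVicInUj0. Write it to a text file together with the user name, in the format [user name]:[password hash]. The user name used here is test.
The options for the different password formats are:
(1) -crypt generates a standard UNIX password and is the default option;
(2) -apr1 generates an Apache MD5 password;
(3) -1 generates a BSD MD5 password.
In the /home/docker/monitor/nginx/conf.d directory, create a file named htpasswd with the following content: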
test:$apr1$kB6nvL23$bjdqD9Evw.QKxbVicInUj0
3) Create prometheus.yml
In the /home/docker/monitor/prometheus directory, create a file named prometheus.yml with the following content:
# Global config
global:
  scrape_interval: 60s
  evaluation_interval: 60s
  # scrape_timeout is set to the global default (10s).
# Alertmanager configuration
alerting:
  alertmanagers:
    - static_configs:
        - targets:
          # - alertmanager:9093
# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
  # - "first_rules.yml"
  # - "second_rules.yml"
# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  - job_name: "prometheus"
    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.
    static_configs:
      - targets: ["localhost:9090"]
  - job_name: "google-cadvisor"
    static_configs:
      - targets: ["google-cadvisor:8080"]
3. Create docker-compose.yml
$ cd /home/docker/monitor/build
$ vim docker-compose.yml
version: "3"
services:
  nginx:
    image: nginx
    container_name: nginx-monitor
    ports:
      - "80:80"
    deploy:
      resources:
        limits:
          cpus: "2.00"
          memory: 2G
        reservations:
          memory: 200M
    restart: always
    volumes:
      - /home/docker/monitor/nginx/conf.d:/etc/nginx/conf.d
      - /home/docker/monitor/nginx/logs:/var/log/nginx
      - /home/docker/monitor/html:/usr/share/nginx/html
  cadvisor:
    image: google/cadvisor
    container_name: google-cadvisor
    #ports:
    #  - "8080:8080"
    restart: always
    volumes:
      - /:/rootfs:ro
      - /var/run:/var/run:rw
      - /sys:/sys:ro
      - /var/lib/docker/:/var/lib/docker:ro
      - /dev/disk/:/dev/disk:ro
  prometheus:
    image: prom/prometheus
    container_name: prom-prometheus
    depends_on:
      - nginx
      - cadvisor
    #ports:
    #  - "9090:9090"
    restart: always
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /home/docker/monitor/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
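Note: To prevent cadvisor and prometheus from being accessed remotely, the 8080 and 9090 port mappings are commented out. nginx.deploy.resources.limits limits the CPU and memory resources of the nginx container.
4. Run
$ cd /home/docker/monitor/build # change to the directory containing docker-compose.yml
$ docker-compose up # start the services defined in docker-compose.yml
$ docker-compose up -d # run in the background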
[+] Running 4/4
⠿ Network build_default Created 0.1s
⠿ Container google-cadvisor Started 0.4s
⠿ Container nginx-monitor Started 0.5s
⠿ Container prom-prometheus Started 0.7s
$ docker ps # check the running containers
CONTAINER ID IMAGE COMMAND ... PORTS NAMES
c8db548de428 prom/prometheus "/bin/prometheus --c…" 9090/tcp prom-prometheus
4bdcb99c44fb nginx "/docker-entrypoint.…" 0.0.0.0:80->80/tcp,... nginx-monitor
ee4d15880f6a google/cadvisor "/usr/bin/cadvisor -…" 8080/tcp google-cadvisor
Open http://192.168.0.10 in a browser. An authentication dialog appears; enter test/654321 (user name/password) and the Prometheus page is displayed.
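An added example, not part of the original post: a shell check that only nginx-monitor publishes ports on the host, which is what commenting out the 8080 and 9090 mappings is meant to guarantee. The function names are assumptions, and the sample lines are constructed in the layout printed by docker ps --format '{{.Names}}|{{.Ports}}'.

```shell
#!/bin/sh
# Added example (not from the original post): audit which containers publish
# ports on the host. Input lines have the form "<name>|<ports>", as printed by
#   docker ps --format '{{.Names}}|{{.Ports}}'

# Print "<name> <binding>" for every host-published port that belongs to a
# container other than the one allowed to face the network.
unexpected_published() {
  awk -F'|' -v allowed="$1" '
    {
      n = split($2, ports, /, */)
      for (i = 1; i <= n; i++) {
        # "0.0.0.0:80->80/tcp" is published on the host;
        # "9090/tcp" is only exposed on the Docker network.
        if (ports[i] ~ /->/ && $1 != allowed) print $1, ports[i]
      }
    }'
}

# Succeed only when nothing but the allowed container is published.
audit() {
  findings=$(unexpected_published "$1")
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings" | sed 's/^/unexpected published port: /' >&2
  return 1
}

# Constructed sample: the state shown in the post's `docker ps` output.
GOOD='prom-prometheus|9090/tcp
nginx-monitor|0.0.0.0:80->80/tcp, :::80->80/tcp
google-cadvisor|8080/tcp'

# Constructed sample: the 9090 mapping left uncommented by mistake.
BAD='prom-prometheus|0.0.0.0:9090->9090/tcp, :::9090->9090/tcp
nginx-monitor|0.0.0.0:80->80/tcp, :::80->80/tcp
google-cadvisor|8080/tcp'

printf '%s\n' "$GOOD" | audit nginx-monitor && echo "GOOD sample: only nginx-monitor is published"
printf '%s\n' "$BAD" | audit nginx-monitor || echo "BAD sample: Prometheus bypasses the Nginx authentication"
```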