• daemon配置

  sudo mkdir -p /etc/docker
  sudo tee /etc/docker/daemon.json <<-'EOF'
  {
  "registry-mirrors": ["https://g4idqtjc.mirror.aliyuncs.com","http://harbor.od.com:5000"],
  "insecure-registries": ["harbor.od.com:5000"],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2"
  }
  EOF
  sudo systemctl daemon-reload
  sudo systemctl restart docker

  root@worker1:~# cat /etc/docker/daemon.json 
  {
  "max-concurrent-downloads": 10,
  "max-concurrent-uploads": 10,
  "insecure-registries": ["0.0.0.0/0"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m",
    "max-file": "3"
    }
  }
  

  配置和优化

  对于通过systemd来管理服务的系统, Docker有两处可以配置参数: 一个是docker.service服务配置文件,一个是Docker daemon配置文件daemon.json.
  一般通过/etc/docker/daemon.json修改配置.

  // touch /etc/docker/daemon.json
  // cat > /etc/docker/daemon.json <<EOF
  {
    "log-driver": "json-file",
    "log-opts": {
    "max-size": "100m",
    "max-file": "3"
    }, // 容器在运行时会产生大量日志文件，很容易占满磁盘空间。通过配置日志驱动来限制文件大小与文件的数量。 >限制单个日志文件为100M,最多产生3个日志文件
    "max-concurrent-downloads": 10,
    "max-concurrent-uploads": 10,
    "registry-mirrors": ["https://7bezldxe.mirror.aliyuncs.com"],
    "storage-driver": "overlay2", // overlayFS是一个新一代的联合文件系统, 类似aufs, 但是更快实现更简单, refer: https://docs.docker.com/storage/storagedriver/overlayfs-driver/
    "storage-opts": [
    "overlay2.override_kernel_check=true"
    ],
    "insecure-registries": ["192.168.1.100","IP:PORT"]
  }
  

  Ubuntu\Debian系统 ，docker info提示WARNING: No swap limit support

  Ubuntu\Debian系统下，默认cgroups未开启swap account功能，这样会导致设置容器内存或者swap资源限制不生效。可以通过以下命令解决:

  # 统一网卡名称为ethx
  sudo sed -i 's/en[[:alnum:]]*/eth0/g' /etc/network/interfaces;
  sudo sed -i 's/GRUB_CMDLINE_LINUX="\(.*\)"/GRUB_CMDLINE_LINUX="net.ifnames=0 cgroup_enable=memory swapaccount=1 biosdevname=0 \1"/g' /etc/default/grub;
  sudo update-grub;
  

  docker.service配置

• 防止docker服务OOM:

  • OOMScoreAdjust=-1000
• 开启iptables转发链：
  • ExecStartPost=iptables -P FORWARD ACCEPT ```bash [Unit] Description=Docker Application Container Engine Documentation=https://docs.docker.com BindsTo=containerd.service After=network-online.target firewalld.service containerd.service Wants=network-online.target Requires=docker.socket

[Service] OOMScoreAdjust=-1000 # note 这里开启的 Type=notify

the default is not to use systemd for cgroups because the delegate issues still

exists and systemd currently does not support the cgroup feature set required

for containers run by docker

ExecStart=/usr/bin/dockerd -H fd:// —containerd=/run/containerd/containerd.sock ExecReload=/bin/kill -s HUP $MAINPID ExecStartPost = iptables -P FORWARD ACCEPT # toooooooooooooooooooooo TimeoutSec=0 RestartSec=2 Restart=always

Note that StartLimit* options were moved from “Service” to “Unit” in systemd 229.

Both the old, and new location are accepted by systemd 229 and up, so using the old location

to make them work for either version of systemd.

StartLimitBurst=3

Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.

Both the old, and new name are accepted by systemd 230 and up, so using the old name to make

this option work for either version of systemd.

StartLimitInterval=60s

Having non-zero Limit*s causes performance problems due to accounting overhead

in the kernel. We recommend using cgroups to do container-local accounting.

LimitNOFILE=infinity LimitNPROC=infinity LimitCORE=infinity

Comment TasksMax if your systemd version does not supports it.

Only systemd 226 and above support this option.

TasksMax=infinity

set delegate yes so that systemd does not reset the cgroups of docker containers

Delegate=yes

kill only the docker process, not all processes in the cgroup

KillMode=process

[Install] WantedBy=multi-user.target ```