practice: 容器化系统服务haproxy/chrony

2019-06-23 09:24:08 +08:00 · 2019-06-23 09:24:08 +08:00 · c662ba1df6
parent eb6ff79735
commit c662ba1df6
1 changed files with 141 additions and 0 deletions
--- a/docs/practice/dockerize_system_service.md
+++ b/docs/practice/dockerize_system_service.md
@ -0,0 +1,141 @@
+# 容器化系统服务
+
+## 容器化 haproxy
+
+本例使用 [docker hub 官方](https://github.com/docker-library/haproxy) 维护的 haproxy 镜像；haproxy 配置举例如下
+
+```
+global
+        log stdout format raw local1 notice
+        nbproc 1
+
+defaults
+        log     global
+        timeout connect 5s
+        timeout client  10m
+        timeout server  10m
+
+listen apiservers
+        bind 0.0.0.0:6443
+        mode tcp
+        option tcplog
+        option dontlognull
+        option dontlog-normal
+        balance roundrobin 
+        server 192.168.1.1 192.168.1.1:6443 check inter 10s fall 2 rise 2 weight 1
+        server 192.168.1.2 192.168.1.2:6443 check inter 10s fall 2 rise 2 weight 1
+```
+
+在 systemd 系统上编写服务文件如下 /etc/systemd/system/haproxy.service
+
+```
+[Unit]
+Description=haproxy
+Documentation=https://github.com/docker-library/haproxy
+After=docker.service
+Requires=docker.service
+
+[Service]
+User=root
+ExecStart=/bin/docker run \
+  --name haproxy \
+  --publish 6443:6443 \
+  --volume /etc/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg \
+  docker.io/library/haproxy:1.9.8-alpine
+ExecStop=/bin/docker rm -f haproxy
+ExecReload=/bin/docker kill -s HUP haproxy
+Restart=always
+RestartSec=10
+Delegate=yes
+LimitNOFILE=50000
+LimitNPROC=50000
+
+[Install]
+WantedBy=multi-user.target
+```
+
+## 容器化 chrony
+
+- chrony 服务器端配置（假设chrony服务器端192.168.1.1）
+
+```
+$ cat /etc/chrony.conf
+# Use public servers from the pool.ntp.org project.
+server ntp1.aliyun.com iburst
+server ntp2.aliyun.com iburst
+pool pool.ntp.org iburst
+
+# Ignor source level
+stratumweight 0
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+# Allow the system clock to be stepped in the first five updates
+# if its offset is larger than 1 second.
+makestep 1 5
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+# Allow NTP client access from local network.
+allow 0.0.0.0/0
+
+# Serve time even if not synchronized to a time source.
+local stratum 10
+
+# Select which information is logged.
+#log measurements statistics tracking
+
+#
+noclientlog
+```
+- chrony 客户端配置
+
+```
+$ cat /etc/chrony.conf
+# Use local chrony server.
+server 192.168.1.1 iburst
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+# Allow the system clock to be stepped in the first five updates
+# if its offset is larger than 1 second.
+makestep 1 5
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+# Select which information is logged.
+#log measurements statistics tracking
+```
+
+- 在 systemd 系统上编写服务文件如下 /etc/systemd/system/chrony.service
+
+```
+[Unit]
+Description=chrony
+Documentation=https://github.com/kubeasz/dockerfiles/chrony
+After=docker.service
+Requires=docker.service
+
+[Service]
+User=root
+ExecStart=/opt/kube/bin/docker run \
+  --cap-add SYS_TIME \
+  --name chrony \
+  --network host \
+  --volume /etc/chrony.conf:/etc/chrony/chrony.conf \
+  --volume /var/lib/chrony:/var/lib/chrony \
+  easzlab/chrony:0.1.0
+ExecStartPost=/sbin/iptables -t raw -A PREROUTING -p udp -m udp --dport 123 -j NOTRACK
+ExecStartPost=/sbin/iptables -t raw -A OUTPUT -p udp -m udp --sport 123 -j NOTRACK
+ExecStop=/opt/kube/bin/docker rm -f chrony
+Restart=always
+RestartSec=10
+Delegate=yes
+
+[Install]
+WantedBy=multi-user.target
+```