Docker on Kang's Blog https://blog.coderkang.top/tags/docker/ Recent content in Docker on Kang's Blog Hugo -- gohugo.io zh Wed, 17 Sep 2025 00:00:00 +0000 自定义 Redroid 镜像:从源码构建到功能增强 https://blog.coderkang.top/p/custom_redroid/ Wed, 17 Sep 2025 00:00:00 +0000 https://blog.coderkang.top/p/custom_redroid/ <img src="https://blog.coderkang.top/" alt="Featured image of post 自定义 Redroid 镜像:从源码构建到功能增强" /><h2 id="概述">概述 </h2><p>Redroid(Remote Android)是一个基于容器技术的 Android 运行时环境,可以在 Linux 服务器上运行完整的 Android 系统。本文将详细介绍如何从 AOSP 源码开始,构建一个功能完整的自定义 Redroid 镜像,并集成 GPS 定位、电池管理、Magisk Root 等高级功能。</p> <h3 id="适用场景">适用场景 </h3><ul> <li>移动应用开发测试</li> <li>自动化测试环境搭建</li> <li>Android 逆向工程和安全研究</li> <li>云端 Android 服务部署</li> </ul> <h2 id="前置条件">前置条件 </h2><p>在开始之前,请确保您的环境满足以下要求:</p> <h3 id="硬件要求">硬件要求 </h3><ul> <li><strong>CPU</strong>: 推荐 8 核心以上,支持 x86_64 架构</li> <li><strong>内存</strong>: 至少 16GB RAM,推荐 32GB</li> <li><strong>存储</strong>: 至少 100GB 可用空间(SSD 推荐)</li> </ul> <h3 id="软件环境">软件环境 </h3><ul> <li><strong>操作系统</strong>: Ubuntu 20.04/22.04 LTS 或其他现代 Linux 发行版</li> <li><strong>Docker</strong>: 版本 20.10 以上</li> <li><strong>Git</strong>: 版本 2.25 以上</li> <li><strong>Python 3</strong>: 用于运行构建脚本</li> </ul> <h3 id="网络要求">网络要求 </h3><ul> <li>稳定的网络连接(需要下载大量源码)</li> <li>如遇网络问题,建议使用清华镜像源</li> </ul> <h2 id="步骤一环境准备与源码下载">步骤一:环境准备与源码下载 </h2><h3 id="创建工作目录">创建工作目录 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 创建专用的工作目录</span> </span></span><span class="line"><span class="cl"><span class="nb">cd</span> /data </span></span><span class="line"><span class="cl">mkdir redroid <span class="o">&amp;&amp;</span> <span class="nb">cd</span> redroid </span></span></code></pre></td></tr></table> </div> </div><h3 id="安装-google-repo-工具">安装 Google Repo 工具 </h3><p>Repo 是 Google 开发的用于管理多个 Git 仓库的工具,AOSP 项目必需。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 下载并安装 repo 工具</span> </span></span><span class="line"><span class="cl">curl -k https://storage.googleapis.com/git-repo-downloads/repo &gt; /usr/local/bin/repo </span></span><span class="line"><span class="cl">chmod a+x /usr/local/bin/repo </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 配置 Git 用户信息(必需)</span> </span></span><span class="line"><span class="cl">git config --global user.email <span class="s2">&#34;your-email@example.com&#34;</span> </span></span><span class="line"><span class="cl">git config --global user.name <span class="s2">&#34;YourName&#34;</span> </span></span></code></pre></td></tr></table> </div> </div> <blockquote> <p><strong>注意</strong>: 请将邮箱和用户名替换为您的实际信息。</p> </blockquote> <h3 id="初始化-aosp-源码仓库">初始化 AOSP 源码仓库 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 初始化 repo,使用清华镜像源加速下载</span> </span></span><span class="line"><span class="cl">repo init -u https://mirrors.tuna.tsinghua.edu.cn/git/AOSP/platform/manifest <span class="se">\ </span></span></span><span class="line"><span class="cl"> --git-lfs --depth<span class="o">=</span><span class="m">1</span> -b android-15.0.0_r36 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 添加 Redroid 专用的本地 manifest 配置</span> </span></span><span class="line"><span class="cl">git clone https://git.coderkang.top/Android/local_manifests.git <span class="se">\ </span></span></span><span class="line"><span class="cl"> .repo/local_manifests -b 15.0.0 </span></span></code></pre></td></tr></table> </div> </div><h3 id="同步源码">同步源码 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 开始同步源码(耗时较长,请耐心等待)</span> </span></span><span class="line"><span class="cl">repo sync -c </span></span></code></pre></td></tr></table> </div> </div> <blockquote> <p><strong>提示</strong>: 首次同步可能需要 2-4 小时,具体时间取决于网络状况。建议使用 <code>screen</code> 或 <code>tmux</code> 在后台运行。</p> </blockquote> <h2 id="步骤二magisk-模块集成">步骤二:Magisk 模块集成 </h2><p>Magisk 是流行的 Android Root 解决方案,提供系统级权限管理。</p> <h3 id="提取-magisk-组件">提取 Magisk 组件 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 进入 Magisk 目录并执行提取脚本</span> </span></span><span class="line"><span class="cl"><span class="nb">cd</span> /data/redroid/vendor/magisk </span></span><span class="line"><span class="cl">python3 magisk.py </span></span></code></pre></td></tr></table> </div> </div><p>该脚本会自动下载最新版本的 Magisk APK 并提取必要的二进制文件和模块,集成到系统镜像中。</p> <h2 id="步骤三应用定制补丁">步骤三:应用定制补丁 </h2><h3 id="下载并应用-redroid-补丁">下载并应用 Redroid 补丁 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 回到主目录</span> </span></span><span class="line"><span class="cl"><span class="nb">cd</span> /data </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 获取 Redroid 专用补丁集</span> </span></span><span class="line"><span class="cl">git clone https://git.coderkang.top/Android/redroid-patches.git </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 应用所有补丁到源码</span> </span></span><span class="line"><span class="cl">./redroid-patches/apply-patch.sh /data/redroid </span></span></code></pre></td></tr></table> </div> </div><p>这些补丁包含:</p> <ul> <li><strong>GPS 功能</strong>: 启用定位服务支持</li> <li><strong>电池管理</strong>: 模拟电池状态和电源管理</li> <li><strong>网络增强</strong>: 改进网络连接稳定性</li> <li><strong>性能优化</strong>: 针对容器环境的性能调优</li> </ul> <h2 id="步骤四docker-构建环境搭建">步骤四:Docker 构建环境搭建 </h2><h3 id="创建构建容器">创建构建容器 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 获取构建工具</span> </span></span><span class="line"><span class="cl">git clone https://git.coderkang.top/Android/redroid-doc.git </span></span><span class="line"><span class="cl"><span class="nb">cd</span> redroid-doc/android-builder-docker </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 构建 Docker 镜像(包含所有构建依赖)</span> </span></span><span class="line"><span class="cl">docker build <span class="se">\ </span></span></span><span class="line"><span class="cl"> --build-arg <span class="nv">userid</span><span class="o">=</span><span class="k">$(</span>id -u<span class="k">)</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> --build-arg <span class="nv">groupid</span><span class="o">=</span><span class="k">$(</span>id -g<span class="k">)</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> --build-arg <span class="nv">username</span><span class="o">=</span><span class="k">$(</span>id -un<span class="k">)</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -t redroid-builder . </span></span></code></pre></td></tr></table> </div> </div><h3 id="启动构建环境">启动构建环境 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 启动构建容器,挂载源码目录</span> </span></span><span class="line"><span class="cl">docker run -it --rm <span class="se">\ </span></span></span><span class="line"><span class="cl"> --hostname redroid-builder <span class="se">\ </span></span></span><span class="line"><span class="cl"> --name redroid-builder <span class="se">\ </span></span></span><span class="line"><span class="cl"> -v /data/redroid:/src <span class="se">\ </span></span></span><span class="line"><span class="cl"> redroid-builder </span></span></code></pre></td></tr></table> </div> </div><h2 id="步骤五编译-android-系统">步骤五:编译 Android 系统 </h2><h3 id="配置构建环境">配置构建环境 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 在容器内执行以下命令</span> </span></span><span class="line"><span class="cl"><span class="nb">cd</span> /src </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 初始化构建环境</span> </span></span><span class="line"><span class="cl">. build/envsetup.sh </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 选择构建目标(ARM64 架构,用户调试版本)</span> </span></span><span class="line"><span class="cl">lunch redroid_arm64_only-ap3a-userdebug </span></span></code></pre></td></tr></table> </div> </div><h3 id="开始编译">开始编译 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 启动编译过程(时间较长,建议使用 -j 参数指定并行度)</span> </span></span><span class="line"><span class="cl">m -j<span class="k">$(</span>nproc<span class="k">)</span> </span></span></code></pre></td></tr></table> </div> </div> <blockquote> <p><strong>编译时间</strong>: 根据硬件配置,编译时间通常在 1-3 小时之间。</p> </blockquote> <h2 id="步骤六镜像打包与部署">步骤六:镜像打包与部署 </h2><h3 id="创建-docker-镜像">创建 Docker 镜像 </h3><p>编译完成后,需要将生成的系统文件打包为 Docker 镜像。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 退出构建容器,回到宿主机</span> </span></span><span class="line"><span class="cl"><span class="nb">exit</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 进入编译输出目录</span> </span></span><span class="line"><span class="cl"><span class="nb">cd</span> /data/redroid/out/target/product/redroid_arm64_only </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 挂载系统镜像(只读)</span> </span></span><span class="line"><span class="cl">sudo mount system.img system -o ro </span></span><span class="line"><span class="cl">sudo mount vendor.img vendor -o ro </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 打包为 Docker 镜像</span> </span></span><span class="line"><span class="cl">sudo tar --xattrs -c vendor -C system --exclude<span class="o">=</span><span class="s2">&#34;./vendor&#34;</span> . <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> docker import -c <span class="s1">&#39;ENTRYPOINT [&#34;/init&#34;, &#34;androidboot.hardware=redroid&#34;, &#34;ro.setupwizard.mode=DISABLED&#34;]&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> - redroid:custom </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 卸载镜像文件</span> </span></span><span class="line"><span class="cl">sudo umount system vendor </span></span></code></pre></td></tr></table> </div> </div><h3 id="验证镜像">验证镜像 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 查看创建的镜像</span> </span></span><span class="line"><span class="cl">docker images <span class="p">|</span> grep redroid </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 测试启动容器</span> </span></span><span class="line"><span class="cl">docker run -itd --rm --memory-swappiness<span class="o">=</span><span class="m">0</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> --name redroid-test <span class="se">\ </span></span></span><span class="line"><span class="cl"> -p 5555:5555 <span class="se">\ </span></span></span><span class="line"><span class="cl"> redroid:custom </span></span></code></pre></td></tr></table> </div> </div><h2 id="功能验证与使用">功能验证与使用 </h2><h3 id="验证-root-权限">验证 Root 权限 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 连接到 Redroid 容器</span> </span></span><span class="line"><span class="cl">adb connect localhost:5555 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 验证 Root 权限</span> </span></span><span class="line"><span class="cl">adb shell su -c <span class="s2">&#34;id&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="验证-gps-功能">验证 GPS 功能 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 检查 GPS 服务状态</span> </span></span><span class="line"><span class="cl">adb shell dumpsys location </span></span></code></pre></td></tr></table> </div> </div><h3 id="验证电池管理">验证电池管理 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 查看电池状态</span> </span></span><span class="line"><span class="cl">adb shell dumpsys battery </span></span></code></pre></td></tr></table> </div> </div><h2 id="常见问题与解决方案">常见问题与解决方案 </h2><h3 id="编译错误">编译错误 </h3><p><strong>问题</strong>: 内存不足导致编译失败</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 解决方案:减少并行度</span> </span></span><span class="line"><span class="cl">m -j4 <span class="c1"># 使用较少的并行任务</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>问题</strong>: 磁盘空间不足</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 解决方案:清理编译缓存</span> </span></span><span class="line"><span class="cl">make clean </span></span></code></pre></td></tr></table> </div> </div><h3 id="运行时问题">运行时问题 </h3><p><strong>问题</strong>: 容器无法启动</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 检查内核模块</span> </span></span><span class="line"><span class="cl">lsmod <span class="p">|</span> grep binder </span></span><span class="line"><span class="cl">lsmod <span class="p">|</span> grep ashmem </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 如果缺失,加载模块</span> </span></span><span class="line"><span class="cl">sudo modprobe binder_linux </span></span><span class="line"><span class="cl">sudo modprobe ashmem_linux </span></span></code></pre></td></tr></table> </div> </div><p><strong>问题</strong>: ADB 连接失败</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 重启 ADB 服务</span> </span></span><span class="line"><span class="cl">adb kill-server </span></span><span class="line"><span class="cl">adb start-server </span></span></code></pre></td></tr></table> </div> </div><h2 id="优化建议">优化建议 </h2><h3 id="性能优化">性能优化 </h3><ol> <li><strong>内存配置</strong>: 为容器分配足够的内存(推荐 4GB+)</li> <li><strong>CPU 配置</strong>: 启用 CPU 热插拔支持</li> <li><strong>存储优化</strong>: 使用 SSD 存储提升 I/O 性能</li> </ol> <h3 id="安全考虑">安全考虑 </h3><ol> <li><strong>网络隔离</strong>: 使用自定义 Docker 网络</li> <li><strong>权限控制</strong>: 限制容器权限,避免特权模式</li> <li><strong>数据持久化</strong>: 合理配置数据卷挂载</li> </ol> <h2 id="总结">总结 </h2><p>通过本文的详细指导,您已经成功构建了一个功能完整的自定义 Redroid 镜像。这个镜像集成了 GPS、电池管理、Magisk Root 等高级功能,可以满足各种开发和测试需求。</p> <p>在实际使用中,您可以根据具体需求进一步定制系统配置,添加更多功能模块,或者优化性能参数。Redroid 的灵活性使其成为 Android 开发和测试的理想选择。</p> <h3 id="下一步">下一步 </h3><ul> <li>探索更多 Magisk 模块集成</li> <li>配置持续集成/持续部署(CI/CD)</li> <li>搭建多实例集群环境</li> <li>集成自动化测试框架</li> </ul> Docker 容器独立 IP 配置指南 - Macvlan 与 Pipework 实践 https://blog.coderkang.top/p/docker_macvlan_pipework_configuration/ Thu, 11 Jul 2024 00:00:00 +0000 https://blog.coderkang.top/p/docker_macvlan_pipework_configuration/ <h2 id="macvlan">Macvlan </h2><blockquote class="alert alert-note"> <div class="alert-header"> <span class="alert-icon">📝</span> <span class="alert-title">备注</span> </div> <div class="alert-body"> <p><a class="link" href="https://docs.docker.com/network/drivers/" target="_blank" rel="noopener" >Network drivers overview | Docker Docs</a></p> <p><a class="link" href="https://docs.docker.com/network/drivers/macvlan/" target="_blank" rel="noopener" >Macvlan network driver | Docker Docs</a></p> <p>一些应用程序,尤其是旧版应用程序或监视网络流量的应用程序,希望直接连接到物理网络。在这种情况下,你可以使用macvlan网络驱动程序为每个容器的虚拟网络接口分配一个MAC地址,使其看起来像是直接连接到物理网络的物理网络接口。在这种情况下,你需要在Docker主机上指定一个物理接口用于Macvlan,并设置网络的子网和网关。你甚至可以使用不同的物理网络接口来隔离你的Macvlan网络。</p> </div> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">cat <span class="s">&lt;&lt;EOF &gt; docker_network_macvlan.yaml </span></span></span><span class="line"><span class="cl"><span class="s">name: docker_network_macvlan </span></span></span><span class="line"><span class="cl"><span class="s">services: </span></span></span><span class="line"><span class="cl"><span class="s"> docker_network_macvlan: </span></span></span><span class="line"><span class="cl"><span class="s"> image: busybox </span></span></span><span class="line"><span class="cl"><span class="s"> container_name: docker_network_macvlan </span></span></span><span class="line"><span class="cl"><span class="s"> networks: </span></span></span><span class="line"><span class="cl"><span class="s"> macvlan_net: </span></span></span><span class="line"><span class="cl"><span class="s"> ipv4_address: 192.168.142.234 # 配置静态 IP </span></span></span><span class="line"><span class="cl"><span class="s"> privileged: true </span></span></span><span class="line"><span class="cl"><span class="s"> cap_add: </span></span></span><span class="line"><span class="cl"><span class="s"> - NET_ADMIN # 添加网络权限 </span></span></span><span class="line"><span class="cl"><span class="s"> command: sleep infinity </span></span></span><span class="line"><span class="cl"><span class="s"> ports: </span></span></span><span class="line"><span class="cl"><span class="s"> - &#34;17000:17000&#34; </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s">networks: </span></span></span><span class="line"><span class="cl"><span class="s"> macvlan_net: </span></span></span><span class="line"><span class="cl"><span class="s"> driver: macvlan # 使用 macvlan 类型网络 </span></span></span><span class="line"><span class="cl"><span class="s"> # Macvlan 网络允许你为容器分配一个MAC地址,使其在网络中像物理设备一样存在。 </span></span></span><span class="line"><span class="cl"><span class="s"> # Docker 守护程序可以通过容器的 MAC 地址来路由流量。 </span></span></span><span class="line"><span class="cl"><span class="s"> # 使用 macvlan 驱动器通常是处理那些期望直接连接到物理网络而不是通过 Docker 主机网络堆栈路由的旧应用程序时的最佳选择。 </span></span></span><span class="line"><span class="cl"><span class="s"> driver_opts: </span></span></span><span class="line"><span class="cl"><span class="s"> parent: eno1 # 指定网卡 </span></span></span><span class="line"><span class="cl"><span class="s"> ipam: </span></span></span><span class="line"><span class="cl"><span class="s"> config: </span></span></span><span class="line"><span class="cl"><span class="s"> - subnet: 192.168.142.0/24 # 子网 </span></span></span><span class="line"><span class="cl"><span class="s"> ip_range: 192.168.142.0/24 # IP 范围 </span></span></span><span class="line"><span class="cl"><span class="s"> gateway: 192.168.142.1 # 网关 </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">docker-compose -f docker_network_macvlan.yaml up -d </span></span></code></pre></td></tr></table> </div> </div><blockquote class="alert alert-important"> <div class="alert-header"> <span class="alert-icon">📌</span> <span class="alert-title">重要</span> </div> <div class="alert-body"> <p>该容器目前无法与使用 eno1 网卡的宿主机或其他容器通信。</p> </div> </blockquote> <h2 id="pipework">Pipework </h2> <blockquote> <p><a class="link" href="https://github.com/jpetazzo/pipework" target="_blank" rel="noopener" >jpetazzo/pipework: Software-Defined Networking tools for LXC (LinuX Containers) (github.com)</a></p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo docker run -itd --name <span class="nb">test</span> ubuntu /bin/bash </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo docker <span class="nb">exec</span> <span class="nb">test</span> ip addr show </span></span></code></pre></td></tr></table> </div> </div><p>宿主机网络为<code>172.16.0.100</code>,下面配置容器 test 的网络,并连接到网桥 br0 上,其中@后面是网关地址:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo pipework br0 <span class="nb">test</span> 172.16.0.156/24@172.16.0.1 </span></span><span class="line"><span class="cl"><span class="c1"># ip addr add 172.16.0.254/24 dev br0</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo ip addr add 172.16.0.100/24 dev br0<span class="p">;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> sudo ip addr del 172.16.0.100/24 dev enp1s0<span class="p">;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> sudo brctl addif br0 enp1s0<span class="p">;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> sudo ip route del default<span class="p">;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> sudo ip route add default via 172.16.0.1 dev br0 </span></span></code></pre></td></tr></table> </div> </div> 使用 ACME 在 DNSPod 上自动配置 SSL 证书指南 https://blog.coderkang.top/p/acme_dnspod_ssl_certificate_guide/ Mon, 18 Sep 2023 00:00:00 +0000 https://blog.coderkang.top/p/acme_dnspod_ssl_certificate_guide/ <img src="https://blog.coderkang.top/" alt="Featured image of post 使用 ACME 在 DNSPod 上自动配置 SSL 证书指南" /><h2 id="docker-部署-acmesh">Docker 部署 acme.sh </h2><p>docker-compose.yml,将 DNSPod API ID 和 Key 替换为实际值。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">acme-sh</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">neilpang/acme.sh:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">container_name</span><span class="p">:</span><span class="w"> </span><span class="l">acme</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span><span class="l">daemon</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">TZ=Asia/Shanghai</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">DP_Id=****** </span><span class="w"> </span><span class="c"># DNSPod API ID</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">DP_Key=****************</span><span class="w"> </span><span class="c"># DNSPod API Key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./certs/:/acme.sh/</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="配置-acmesh">配置 acme.sh </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 启动 acme.sh</span> </span></span><span class="line"><span class="cl">docker compose up -d </span></span><span class="line"><span class="cl"><span class="c1"># 进入 acme.sh 容器</span> </span></span><span class="line"><span class="cl">docker compose <span class="nb">exec</span> -it acme sh </span></span><span class="line"><span class="cl"><span class="c1"># 设置默认 CA</span> </span></span><span class="line"><span class="cl">acme.sh --set-default-ca --server letsencrypt </span></span></code></pre></td></tr></table> </div> </div><h2 id="申请证书">申请证书 </h2><p>生成证书,将 <code>www.example.com</code> 替换为实际域名。证书会挂载到 <code>./certs/</code> 目录下。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">acme.sh --issue --dns dns_dp -d www.example.com </span></span></code></pre></td></tr></table> </div> </div> Docker中apt update的GPG签名问题及解决方法 https://blog.coderkang.top/p/docker_apt_update_gpg_issue/ Mon, 05 Jun 2023 00:00:00 +0000 https://blog.coderkang.top/p/docker_apt_update_gpg_issue/ <h2 id="问题">问题 </h2><p>我在ubuntu22.04的容器里面运行<code>apt update</code>的时候出现了以下报错</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="p">[</span><span class="n">root</span><span class="err">@</span><span class="n">VM</span><span class="o">-</span><span class="mi">16</span><span class="o">-</span><span class="mi">9</span><span class="o">-</span><span class="n">centos</span> <span class="n">docker</span><span class="o">-</span><span class="n">kubuntu</span><span class="p">]</span><span class="c1"># docker run --rm -it ubuntu:22.04 bash</span> </span></span><span class="line"><span class="cl"><span class="n">root</span><span class="err">@</span><span class="mi">8</span><span class="n">ac245b487e6</span><span class="p">:</span><span class="o">/</span><span class="c1"># apt update</span> </span></span><span class="line"><span class="cl"><span class="n">Get</span><span class="p">:</span><span class="mi">1</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">security</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span> <span class="n">jammy</span><span class="o">-</span><span class="n">security</span> <span class="n">InRelease</span> <span class="p">[</span><span class="mi">110</span> <span class="n">kB</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">Get</span><span class="p">:</span><span class="mi">2</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">archive</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span> <span class="n">jammy</span> <span class="n">InRelease</span> <span class="p">[</span><span class="mi">270</span> <span class="n">kB</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">Err</span><span class="p">:</span><span class="mi">1</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">security</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span> <span class="n">jammy</span><span class="o">-</span><span class="n">security</span> <span class="n">InRelease</span> </span></span><span class="line"><span class="cl"> <span class="n">The</span> <span class="n">following</span> <span class="n">signatures</span> <span class="n">couldn</span><span class="s1">&#39;t be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C</span> </span></span><span class="line"><span class="cl"><span class="n">Err</span><span class="p">:</span><span class="mi">2</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">archive</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span> <span class="n">jammy</span> <span class="n">InRelease</span> </span></span><span class="line"><span class="cl"> <span class="n">The</span> <span class="n">following</span> <span class="n">signatures</span> <span class="n">couldn</span><span class="s1">&#39;t be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C</span> </span></span><span class="line"><span class="cl"><span class="n">Get</span><span class="p">:</span><span class="mi">3</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">archive</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span> <span class="n">jammy</span><span class="o">-</span><span class="n">updates</span> <span class="n">InRelease</span> <span class="p">[</span><span class="mi">109</span> <span class="n">kB</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">Err</span><span class="p">:</span><span class="mi">3</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">archive</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span> <span class="n">jammy</span><span class="o">-</span><span class="n">updates</span> <span class="n">InRelease</span> </span></span><span class="line"><span class="cl"> <span class="n">The</span> <span class="n">following</span> <span class="n">signatures</span> <span class="n">couldn</span><span class="s1">&#39;t be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C</span> </span></span><span class="line"><span class="cl"><span class="n">Get</span><span class="p">:</span><span class="mi">4</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">archive</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span> <span class="n">jammy</span><span class="o">-</span><span class="n">backports</span> <span class="n">InRelease</span> <span class="p">[</span><span class="mf">90.7</span> <span class="n">kB</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">Err</span><span class="p">:</span><span class="mi">4</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">archive</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span> <span class="n">jammy</span><span class="o">-</span><span class="n">backports</span> <span class="n">InRelease</span> </span></span><span class="line"><span class="cl"> <span class="n">The</span> <span class="n">following</span> <span class="n">signatures</span> <span class="n">couldn</span><span class="s1">&#39;t be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C</span> </span></span><span class="line"><span class="cl"><span class="n">Reading</span> <span class="n">package</span> <span class="n">lists</span><span class="o">...</span> <span class="n">Done</span> </span></span><span class="line"><span class="cl"><span class="n">W</span><span class="p">:</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">security</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span><span class="o">/</span><span class="n">dists</span><span class="o">/</span><span class="n">jammy</span><span class="o">-</span><span class="n">security</span><span class="o">/</span><span class="n">InRelease</span><span class="p">:</span> <span class="n">The</span> <span class="n">key</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="ow">in</span> <span class="n">the</span> <span class="n">keyring</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">apt</span><span class="o">/</span><span class="n">trusted</span><span class="o">.</span><span class="n">gpg</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">ubuntu</span><span class="o">-</span><span class="n">keyring</span><span class="o">-</span><span class="mi">2012</span><span class="o">-</span><span class="n">cdimage</span><span class="o">.</span><span class="n">gpg</span> <span class="n">are</span> <span class="n">ignored</span> <span class="n">as</span> <span class="n">the</span> <span class="n">file</span> <span class="n">is</span> <span class="ow">not</span> <span class="n">readable</span> <span class="n">by</span> <span class="n">user</span> <span class="s1">&#39;_apt&#39;</span> <span class="n">executing</span> <span class="n">apt</span><span class="o">-</span><span class="n">key</span><span class="o">.</span> </span></span><span class="line"><span class="cl"><span class="n">W</span><span class="p">:</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">security</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span><span class="o">/</span><span class="n">dists</span><span class="o">/</span><span class="n">jammy</span><span class="o">-</span><span class="n">security</span><span class="o">/</span><span class="n">InRelease</span><span class="p">:</span> <span class="n">The</span> <span class="n">key</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="ow">in</span> <span class="n">the</span> <span class="n">keyring</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">apt</span><span class="o">/</span><span class="n">trusted</span><span class="o">.</span><span class="n">gpg</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">ubuntu</span><span class="o">-</span><span class="n">keyring</span><span class="o">-</span><span class="mi">2018</span><span class="o">-</span><span class="n">archive</span><span class="o">.</span><span class="n">gpg</span> <span class="n">are</span> <span class="n">ignored</span> <span class="n">as</span> <span class="n">the</span> <span class="n">file</span> <span class="n">is</span> <span class="ow">not</span> <span class="n">readable</span> <span class="n">by</span> <span class="n">user</span> <span class="s1">&#39;_apt&#39;</span> <span class="n">executing</span> <span class="n">apt</span><span class="o">-</span><span class="n">key</span><span class="o">.</span> </span></span><span class="line"><span class="cl"><span class="n">W</span><span class="p">:</span> <span class="n">GPG</span> <span class="n">error</span><span class="p">:</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">security</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span> <span class="n">jammy</span><span class="o">-</span><span class="n">security</span> <span class="n">InRelease</span><span class="p">:</span> <span class="n">The</span> <span class="n">following</span> <span class="n">signatures</span> <span class="n">couldn</span><span class="s1">&#39;t be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C</span> </span></span><span class="line"><span class="cl"><span class="n">E</span><span class="p">:</span> <span class="n">The</span> <span class="n">repository</span> <span class="s1">&#39;http://security.ubuntu.com/ubuntu jammy-security InRelease&#39;</span> <span class="n">is</span> <span class="ow">not</span> <span class="n">signed</span><span class="o">.</span> </span></span><span class="line"><span class="cl"><span class="n">N</span><span class="p">:</span> <span class="n">Updating</span> <span class="n">from</span> <span class="n">such</span> <span class="n">a</span> <span class="n">repository</span> <span class="n">can</span><span class="s1">&#39;t be done securely, and is therefore disabled by default.</span> </span></span><span class="line"><span class="cl"><span class="n">N</span><span class="p">:</span> <span class="n">See</span> <span class="n">apt</span><span class="o">-</span><span class="n">secure</span><span class="p">(</span><span class="mi">8</span><span class="p">)</span> <span class="n">manpage</span> <span class="k">for</span> <span class="n">repository</span> <span class="n">creation</span> <span class="ow">and</span> <span class="n">user</span> <span class="n">configuration</span> <span class="n">details</span><span class="o">.</span> </span></span><span class="line"><span class="cl"><span class="n">W</span><span class="p">:</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">archive</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span><span class="o">/</span><span class="n">dists</span><span class="o">/</span><span class="n">jammy</span><span class="o">/</span><span class="n">InRelease</span><span class="p">:</span> <span class="n">The</span> <span class="n">key</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="ow">in</span> <span class="n">the</span> <span class="n">keyring</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">apt</span><span class="o">/</span><span class="n">trusted</span><span class="o">.</span><span class="n">gpg</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">ubuntu</span><span class="o">-</span><span class="n">keyring</span><span class="o">-</span><span class="mi">2012</span><span class="o">-</span><span class="n">cdimage</span><span class="o">.</span><span class="n">gpg</span> <span class="n">are</span> <span class="n">ignored</span> <span class="n">as</span> <span class="n">the</span> <span class="n">file</span> <span class="n">is</span> <span class="ow">not</span> <span class="n">readable</span> <span class="n">by</span> <span class="n">user</span> <span class="s1">&#39;_apt&#39;</span> <span class="n">executing</span> <span class="n">apt</span><span class="o">-</span><span class="n">key</span><span class="o">.</span> </span></span><span class="line"><span class="cl"><span class="n">W</span><span class="p">:</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">archive</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span><span class="o">/</span><span class="n">dists</span><span class="o">/</span><span class="n">jammy</span><span class="o">/</span><span class="n">InRelease</span><span class="p">:</span> <span class="n">The</span> <span class="n">key</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="ow">in</span> <span class="n">the</span> <span class="n">keyring</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">apt</span><span class="o">/</span><span class="n">trusted</span><span class="o">.</span><span class="n">gpg</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">ubuntu</span><span class="o">-</span><span class="n">keyring</span><span class="o">-</span><span class="mi">2018</span><span class="o">-</span><span class="n">archive</span><span class="o">.</span><span class="n">gpg</span> <span class="n">are</span> <span class="n">ignored</span> <span class="n">as</span> <span class="n">the</span> <span class="n">file</span> <span class="n">is</span> <span class="ow">not</span> <span class="n">readable</span> <span class="n">by</span> <span class="n">user</span> <span class="s1">&#39;_apt&#39;</span> <span class="n">executing</span> <span class="n">apt</span><span class="o">-</span><span class="n">key</span><span class="o">.</span> </span></span><span class="line"><span class="cl"><span class="n">W</span><span class="p">:</span> <span class="n">GPG</span> <span class="n">error</span><span class="p">:</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">archive</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span> <span class="n">jammy</span> <span class="n">InRelease</span><span class="p">:</span> <span class="n">The</span> <span class="n">following</span> <span class="n">signatures</span> <span class="n">couldn</span><span class="s1">&#39;t be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C</span> </span></span><span class="line"><span class="cl"><span class="n">E</span><span class="p">:</span> <span class="n">The</span> <span class="n">repository</span> <span class="s1">&#39;http://archive.ubuntu.com/ubuntu jammy InRelease&#39;</span> <span class="n">is</span> <span class="ow">not</span> <span class="n">signed</span><span class="o">.</span> </span></span><span class="line"><span class="cl"><span class="n">N</span><span class="p">:</span> <span class="n">Updating</span> <span class="n">from</span> <span class="n">such</span> <span class="n">a</span> <span class="n">repository</span> <span class="n">can</span><span class="s1">&#39;t be done securely, and is therefore disabled by default.</span> </span></span><span class="line"><span class="cl"><span class="n">N</span><span class="p">:</span> <span class="n">See</span> <span class="n">apt</span><span class="o">-</span><span class="n">secure</span><span class="p">(</span><span class="mi">8</span><span class="p">)</span> <span class="n">manpage</span> <span class="k">for</span> <span class="n">repository</span> <span class="n">creation</span> <span class="ow">and</span> <span class="n">user</span> <span class="n">configuration</span> <span class="n">details</span><span class="o">.</span> </span></span><span class="line"><span class="cl"><span class="n">W</span><span class="p">:</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">archive</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span><span class="o">/</span><span class="n">dists</span><span class="o">/</span><span class="n">jammy</span><span class="o">-</span><span class="n">updates</span><span class="o">/</span><span class="n">InRelease</span><span class="p">:</span> <span class="n">The</span> <span class="n">key</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="ow">in</span> <span class="n">the</span> <span class="n">keyring</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">apt</span><span class="o">/</span><span class="n">trusted</span><span class="o">.</span><span class="n">gpg</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">ubuntu</span><span class="o">-</span><span class="n">keyring</span><span class="o">-</span><span class="mi">2012</span><span class="o">-</span><span class="n">cdimage</span><span class="o">.</span><span class="n">gpg</span> <span class="n">are</span> <span class="n">ignored</span> <span class="n">as</span> <span class="n">the</span> <span class="n">file</span> <span class="n">is</span> <span class="ow">not</span> <span class="n">readable</span> <span class="n">by</span> <span class="n">user</span> <span class="s1">&#39;_apt&#39;</span> <span class="n">executing</span> <span class="n">apt</span><span class="o">-</span><span class="n">key</span><span class="o">.</span> </span></span><span class="line"><span class="cl"><span class="n">W</span><span class="p">:</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">archive</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span><span class="o">/</span><span class="n">dists</span><span class="o">/</span><span class="n">jammy</span><span class="o">-</span><span class="n">updates</span><span class="o">/</span><span class="n">InRelease</span><span class="p">:</span> <span class="n">The</span> <span class="n">key</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="ow">in</span> <span class="n">the</span> <span class="n">keyring</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">apt</span><span class="o">/</span><span class="n">trusted</span><span class="o">.</span><span class="n">gpg</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">ubuntu</span><span class="o">-</span><span class="n">keyring</span><span class="o">-</span><span class="mi">2018</span><span class="o">-</span><span class="n">archive</span><span class="o">.</span><span class="n">gpg</span> <span class="n">are</span> <span class="n">ignored</span> <span class="n">as</span> <span class="n">the</span> <span class="n">file</span> <span class="n">is</span> <span class="ow">not</span> <span class="n">readable</span> <span class="n">by</span> <span class="n">user</span> <span class="s1">&#39;_apt&#39;</span> <span class="n">executing</span> <span class="n">apt</span><span class="o">-</span><span class="n">key</span><span class="o">.</span> </span></span><span class="line"><span class="cl"><span class="n">W</span><span class="p">:</span> <span class="n">GPG</span> <span class="n">error</span><span class="p">:</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">archive</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span> <span class="n">jammy</span><span class="o">-</span><span class="n">updates</span> <span class="n">InRelease</span><span class="p">:</span> <span class="n">The</span> <span class="n">following</span> <span class="n">signatures</span> <span class="n">couldn</span><span class="s1">&#39;t be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C</span> </span></span><span class="line"><span class="cl"><span class="n">E</span><span class="p">:</span> <span class="n">The</span> <span class="n">repository</span> <span class="s1">&#39;http://archive.ubuntu.com/ubuntu jammy-updates InRelease&#39;</span> <span class="n">is</span> <span class="ow">not</span> <span class="n">signed</span><span class="o">.</span> </span></span><span class="line"><span class="cl"><span class="n">N</span><span class="p">:</span> <span class="n">Updating</span> <span class="n">from</span> <span class="n">such</span> <span class="n">a</span> <span class="n">repository</span> <span class="n">can</span><span class="s1">&#39;t be done securely, and is therefore disabled by default.</span> </span></span><span class="line"><span class="cl"><span class="n">N</span><span class="p">:</span> <span class="n">See</span> <span class="n">apt</span><span class="o">-</span><span class="n">secure</span><span class="p">(</span><span class="mi">8</span><span class="p">)</span> <span class="n">manpage</span> <span class="k">for</span> <span class="n">repository</span> <span class="n">creation</span> <span class="ow">and</span> <span class="n">user</span> <span class="n">configuration</span> <span class="n">details</span><span class="o">.</span> </span></span><span class="line"><span class="cl"><span class="n">W</span><span class="p">:</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">archive</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span><span class="o">/</span><span class="n">dists</span><span class="o">/</span><span class="n">jammy</span><span class="o">-</span><span class="n">backports</span><span class="o">/</span><span class="n">InRelease</span><span class="p">:</span> <span class="n">The</span> <span class="n">key</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="ow">in</span> <span class="n">the</span> <span class="n">keyring</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">apt</span><span class="o">/</span><span class="n">trusted</span><span class="o">.</span><span class="n">gpg</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">ubuntu</span><span class="o">-</span><span class="n">keyring</span><span class="o">-</span><span class="mi">2012</span><span class="o">-</span><span class="n">cdimage</span><span class="o">.</span><span class="n">gpg</span> <span class="n">are</span> <span class="n">ignored</span> <span class="n">as</span> <span class="n">the</span> <span class="n">file</span> <span class="n">is</span> <span class="ow">not</span> <span class="n">readable</span> <span class="n">by</span> <span class="n">user</span> <span class="s1">&#39;_apt&#39;</span> <span class="n">executing</span> <span class="n">apt</span><span class="o">-</span><span class="n">key</span><span class="o">.</span> </span></span><span class="line"><span class="cl"><span class="n">W</span><span class="p">:</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">archive</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span><span class="o">/</span><span class="n">dists</span><span class="o">/</span><span class="n">jammy</span><span class="o">-</span><span class="n">backports</span><span class="o">/</span><span class="n">InRelease</span><span class="p">:</span> <span class="n">The</span> <span class="n">key</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="ow">in</span> <span class="n">the</span> <span class="n">keyring</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">apt</span><span class="o">/</span><span class="n">trusted</span><span class="o">.</span><span class="n">gpg</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">ubuntu</span><span class="o">-</span><span class="n">keyring</span><span class="o">-</span><span class="mi">2018</span><span class="o">-</span><span class="n">archive</span><span class="o">.</span><span class="n">gpg</span> <span class="n">are</span> <span class="n">ignored</span> <span class="n">as</span> <span class="n">the</span> <span class="n">file</span> <span class="n">is</span> <span class="ow">not</span> <span class="n">readable</span> <span class="n">by</span> <span class="n">user</span> <span class="s1">&#39;_apt&#39;</span> <span class="n">executing</span> <span class="n">apt</span><span class="o">-</span><span class="n">key</span><span class="o">.</span> </span></span><span class="line"><span class="cl"><span class="n">W</span><span class="p">:</span> <span class="n">GPG</span> <span class="n">error</span><span class="p">:</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">archive</span><span class="o">.</span><span class="n">ubuntu</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubuntu</span> <span class="n">jammy</span><span class="o">-</span><span class="n">backports</span> <span class="n">InRelease</span><span class="p">:</span> <span class="n">The</span> <span class="n">following</span> <span class="n">signatures</span> <span class="n">couldn</span><span class="s1">&#39;t be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C</span> </span></span><span class="line"><span class="cl"><span class="n">E</span><span class="p">:</span> <span class="n">The</span> <span class="n">repository</span> <span class="s1">&#39;http://archive.ubuntu.com/ubuntu jammy-backports InRelease&#39;</span> <span class="n">is</span> <span class="ow">not</span> <span class="n">signed</span><span class="o">.</span> </span></span><span class="line"><span class="cl"><span class="n">N</span><span class="p">:</span> <span class="n">Updating</span> <span class="n">from</span> <span class="n">such</span> <span class="n">a</span> <span class="n">repository</span> <span class="n">can</span><span class="s1">&#39;t be done securely, and is therefore disabled by default.</span> </span></span><span class="line"><span class="cl"><span class="n">N</span><span class="p">:</span> <span class="n">See</span> <span class="n">apt</span><span class="o">-</span><span class="n">secure</span><span class="p">(</span><span class="mi">8</span><span class="p">)</span> <span class="n">manpage</span> <span class="k">for</span> <span class="n">repository</span> <span class="n">creation</span> <span class="ow">and</span> <span class="n">user</span> <span class="n">configuration</span> <span class="n">details</span><span class="o">.</span> </span></span><span class="line"><span class="cl"><span class="n">E</span><span class="p">:</span> <span class="n">Problem</span> <span class="n">executing</span> <span class="n">scripts</span> <span class="n">APT</span><span class="p">::</span><span class="n">Update</span><span class="p">::</span><span class="n">Post</span><span class="o">-</span><span class="n">Invoke</span> <span class="s1">&#39;rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">E</span><span class="p">:</span> <span class="n">Sub</span><span class="o">-</span><span class="n">process</span> <span class="n">returned</span> <span class="n">an</span> <span class="n">error</span> <span class="n">code</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="原因">原因 </h2><p>经过查询,发现是ubuntu21.10和fedora35开始使用glibc2.34甚至更高的版本。在glibc2.34版本里面,开始使用一个名为clone3的系统调用。通常情况下,容器里面所有的系统调用都会被docker捕获,然后docker决定如何处理它们。如果docker中没有为特定系统调用指定策略,则默认的策略会通知容器这边&quot;Permission Denied&quot;。但是,如果 Glibc 收到此错误,它不会回退。它仅在收到响应“此系统调用不可用”时才执行此操作。</p> <h2 id="解决">解决 </h2><h3 id="办法一">办法一 </h3><p>运行容器的时候,加上这个参数来绕过docker系统调用限制</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">--security-opt <span class="nv">seccomp</span><span class="o">=</span>unconfined </span></span></code></pre></td></tr></table> </div> </div><p>不过这会有很大的问题,一个是你的容器将变得不安全,另一个是这些参数在构建镜像的时候是不可用的。所以,请参考办法二</p> <h3 id="办法二">办法二 </h3><p>将docker升级到20.10.8以上的版本(&gt; 20.10.8)</p> <p>由于生产环境调整docker版本不是一件容易的事情,所以生产环境在构建镜像时候要避免使用ubuntu21.10和fedora35以更高版本的镜像,以及使用它们作为基础镜像的其他镜像。目前官方大部分镜像基于debian,后续要确认debian系列镜像是否受此影响</p> <h3 id="办法三">办法三 </h3><p>升级<code>runc</code>。</p> <p><a class="link" href="https://github.com/opencontainers/runc/releases/" target="_blank" rel="noopener" >https://github.com/opencontainers/runc/releases/</a></p> <p>升级前使用<strong>docker version</strong>查看runc命令</p> <p><img alt="img" class="gallery-image" data-flex-basis="444px" data-flex-grow="185" height="541" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://blog.coderkang.top/p/docker_apt_update_gpg_issue/uda096-0.png" srcset="https://blog.coderkang.top/p/docker_apt_update_gpg_issue/uda096-0_hu_ea966affbd28af5e.png 800w, https://blog.coderkang.top/p/docker_apt_update_gpg_issue/uda096-0.png 1003w" width="1003"></p> <p><strong>1.选择1.0.0-rc95版本,下载runc.amd64</strong></p> <p><img alt="img" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px"></p> <p><strong>2. 上传服务器,修改名字并赋予权限</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">mv runc.amd64 runc <span class="o">&amp;&amp;</span> chmod +x runc </span></span></code></pre></td></tr></table> </div> </div><p><strong>3.备份原有的runc</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">which runc </span></span><span class="line"><span class="cl">mv </span></span></code></pre></td></tr></table> </div> </div><p><strong>4.停止docker</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">systemctl stop docker </span></span></code></pre></td></tr></table> </div> </div><p><strong>5.替换新版本runc</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">cp runc /usr/bin/runc </span></span></code></pre></td></tr></table> </div> </div><p><strong>6. 启动docker</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">systemctl start docker </span></span></code></pre></td></tr></table> </div> </div><p><strong>7.检查runc是否升级成功</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">docker version </span></span></code></pre></td></tr></table> </div> </div> 使用Docker搭建Confluence指南 https://blog.coderkang.top/p/docker_confluence_setup_guide/ Wed, 22 Mar 2023 00:00:00 +0000 https://blog.coderkang.top/p/docker_confluence_setup_guide/ <p>所需文件下载:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">wget https://minio-console.coderkang.top/files/atlassian-agent.jar </span></span><span class="line"><span class="cl">wget https://minio-console.coderkang.top/files/mysql-connector-j-8.3.0.jar </span></span></code></pre></td></tr></table> </div> </div><p>docker-compose.yaml</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;3.8&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">atlassian</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">confluence</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">atlassian/confluence-server:8.5.2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">container_name</span><span class="p">:</span><span class="w"> </span><span class="l">atlassian-confluence</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">TZ=Asia/Shanghai</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">JVM_MINIMUM_MEMORY=4096m</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">JVM_MAXIMUM_MEMORY=8192m</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ATL_DB_TYPE=mysql</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ATL_JDBC_URL=jdbc:mysql://db:3306/confluence?sessionVariables=transaction_isolation=&#39;READ-COMMITTED&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ATL_JDBC_USER=root</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ATL_JDBC_PASSWORD=******</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">JAVA_OPTS=&#39;-javaagent:/opt/atlassian-agent.jar&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">38090</span><span class="p">:</span><span class="m">8090</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">38091</span><span class="p">:</span><span class="m">8091</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./application-data/:/var/atlassian/application-data/confluence/</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - ./setenv.sh:/opt/atlassian/confluence/bin/setenv.sh</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./atlassian-agent.jar:/opt/atlassian-agent.jar</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./mysql-connector-j-8.3.0.jar:/opt/atlassian/confluence/confluence/WEB-INF/lib/mysql-connector-j-8.3.0.jar</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">healthcheck</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">test</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CMD&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;curl&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;-f&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;http://localhost:8090&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">interval</span><span class="p">:</span><span class="w"> </span><span class="l">10s</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">timeout</span><span class="p">:</span><span class="w"> </span><span class="l">5s</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">retries</span><span class="p">:</span><span class="w"> </span><span class="m">5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">start_period</span><span class="p">:</span><span class="w"> </span><span class="l">30s</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">depends_on</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">db</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">condition</span><span class="p">:</span><span class="w"> </span><span class="l">service_healthy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">db</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">mysql:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">container_name</span><span class="p">:</span><span class="w"> </span><span class="l">atlassian-db</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">MYSQL_ROOT_PASSWORD</span><span class="p">:</span><span class="w"> </span><span class="cp">******</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">MYSQL_DATABASE</span><span class="p">:</span><span class="w"> </span><span class="l">confluence</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span>--<span class="l">character-set-server=utf8mb4 --collation-server=utf8mb4_bin</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./application-db/data/:/var/lib/mysql/</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./application-db/conf.d/:/etc/mysql/conf.d/</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">healthcheck</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">test</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CMD&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;mysqladmin&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;ping&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;-h&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;localhost&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;-u&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;root&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;-p******&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">interval</span><span class="p">:</span><span class="w"> </span><span class="l">10s</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">timeout</span><span class="p">:</span><span class="w"> </span><span class="l">5s</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">retries</span><span class="p">:</span><span class="w"> </span><span class="m">5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">start_period</span><span class="p">:</span><span class="w"> </span><span class="l">30s</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">docker compose up -d </span></span><span class="line"><span class="cl"><span class="c1"># 启动时间可能会比较长,因为要等待 MySQL 服务完全启动</span> </span></span></code></pre></td></tr></table> </div> </div><p>访问页面获取 <code>Server ID</code>。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">docker compose <span class="nb">exec</span> -it confluence java -jar /opt/atlassian-agent.jar -m &lt;邮箱&gt; -n &lt;用户名&gt; -o &lt;组织名称&gt; -p conf -s <span class="s1">&#39;&lt;Server ID&gt;&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># docker compose exec -it confluence java -jar /opt/atlassian-agent.jar -m CoderKang@hotmail.com -n CoderKang -o NiKo -p conf -s &#39;BHE8-N86V-SW29-TDDO&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p>输入后点及 Next,等待……</p> <blockquote class="alert alert-important"> <div class="alert-header"> <span class="alert-icon">📌</span> <span class="alert-title">重要</span> </div> <div class="alert-body"> <p>安装过程中遇到问题,down 掉容器后,最好删除 <code>application-db</code> 和 <code>application-data</code> 目录后重建容器</p> </div> </blockquote> 基于Docker的OpenVPN客户端与代理集成解决方案 https://blog.coderkang.top/p/docker_openvpn_client_proxy_integration/ Wed, 03 Aug 2022 00:00:00 +0000 https://blog.coderkang.top/p/docker_openvpn_client_proxy_integration/ <blockquote> <p>为了解决 OpenVPN 与 代理软件冲突的问题</p> <p><a class="link" href="https://github.com/wfg/docker-openvpn-client" target="_blank" rel="noopener" >wfg/docker-openvpn-client: OpenVPN client with killswitch and proxy servers; built on Alpine (github.com)</a></p> </blockquote> <h2 id="构建文件">构建文件 </h2><h3 id="dockerfile">Dockerfile </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">alpine:3.17</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> apk add --no-cache <span class="se">\ </span></span></span><span class="line"><span class="cl"> bash <span class="se">\ </span></span></span><span class="line"><span class="cl"> bind-tools <span class="se">\ </span></span></span><span class="line"><span class="cl"> iptables <span class="se">\ </span></span></span><span class="line"><span class="cl"> ip6tables <span class="se">\ </span></span></span><span class="line"><span class="cl"> openvpn<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> . /usr/local/bin<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">KILL_SWITCH</span><span class="o">=</span>on </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">ENTRYPOINT</span> <span class="p">[</span> <span class="s2">&#34;entry.sh&#34;</span> <span class="p">]</span><span class="err"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="killswitch">killswitch </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="cp">#!/usr/bin/env bash </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">set</span> -o errexit </span></span><span class="line"><span class="cl"><span class="nb">set</span> -o nounset </span></span><span class="line"><span class="cl"><span class="nb">set</span> -o pipefail </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">iptables --insert OUTPUT <span class="se">\ </span></span></span><span class="line"><span class="cl"> ! --out-interface tun0 <span class="se">\ </span></span></span><span class="line"><span class="cl"> --match addrtype ! --dst-type LOCAL <span class="se">\ </span></span></span><span class="line"><span class="cl"> ! --destination <span class="s2">&#34;</span><span class="k">$(</span>ip -4 -oneline addr show dev eth0 <span class="p">|</span> awk <span class="s1">&#39;NR == 1 { print $4 }&#39;</span><span class="k">)</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> --jump REJECT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 创建静态路由,允许访问指定的子网</span> </span></span><span class="line"><span class="cl"><span class="c1"># 例如:ALLOWED_SUBNETS 在 docker-compose.yaml 中配置</span> </span></span><span class="line"><span class="cl"><span class="nv">default_gateway</span><span class="o">=</span><span class="k">$(</span>ip -4 route <span class="p">|</span> awk <span class="s1">&#39;$1 == &#34;default&#34; { print $3 }&#39;</span><span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> subnet in <span class="si">${</span><span class="nv">1</span><span class="p">//,/ </span><span class="si">}</span><span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> ip route add <span class="s2">&#34;</span><span class="nv">$subnet</span><span class="s2">&#34;</span> via <span class="s2">&#34;</span><span class="nv">$default_gateway</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> iptables --insert OUTPUT --destination <span class="s2">&#34;</span><span class="nv">$subnet</span><span class="s2">&#34;</span> --jump ACCEPT </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 为 OpenVPN 服务器地址打洞</span> </span></span><span class="line"><span class="cl"><span class="c1"># $config 是 OpenVPN 设置的:</span> </span></span><span class="line"><span class="cl"><span class="c1"># “第一个 --config 文件的名称。在程序初始化时设置并在 SIGHUP 时重置。”</span> </span></span><span class="line"><span class="cl"><span class="nv">global_port</span><span class="o">=</span><span class="k">$(</span>awk <span class="s1">&#39;$1 == &#34;port&#34; { print $2 }&#39;</span> <span class="s2">&#34;</span><span class="si">${</span><span class="nv">config</span><span class="p">:?</span><span class="s2">&#34;config file not found by kill switch&#34;</span><span class="si">}</span><span class="s2">&#34;</span><span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="nv">global_protocol</span><span class="o">=</span><span class="k">$(</span>awk <span class="s1">&#39;$1 == &#34;proto&#34; { print $2 }&#39;</span> <span class="s2">&#34;</span><span class="si">${</span><span class="nv">config</span><span class="p">:?</span><span class="s2">&#34;config file not found by kill switch&#34;</span><span class="si">}</span><span class="s2">&#34;</span><span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="nv">remotes</span><span class="o">=</span><span class="k">$(</span>awk <span class="s1">&#39;$1 == &#34;remote&#34; { print $2, $3, $4 }&#39;</span> <span class="s2">&#34;</span><span class="si">${</span><span class="nv">config</span><span class="p">:?</span><span class="s2">&#34;config file not found by kill switch&#34;</span><span class="si">}</span><span class="s2">&#34;</span><span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="nv">ip_regex</span><span class="o">=</span><span class="s1">&#39;^(([1-9]?[0-9]|1[0-9][0-9]|2([0-4][0-9]|5[0-5]))\.){3}([1-9]?[0-9]|1[0-9][0-9]|2([0-4][0-9]|5[0-5]))$&#39;</span> </span></span><span class="line"><span class="cl"><span class="k">while</span> <span class="nv">IFS</span><span class="o">=</span> <span class="nb">read</span> -r line<span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="c1"># 读取去除注释的行</span> </span></span><span class="line"><span class="cl"> <span class="nv">IFS</span><span class="o">=</span><span class="s2">&#34; &#34;</span> <span class="nb">read</span> -ra remote <span class="o">&lt;&lt;&lt;</span> <span class="s2">&#34;</span><span class="si">${</span><span class="nv">line</span><span class="p">%%</span><span class="se">\#</span><span class="p">*</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nv">address</span><span class="o">=</span><span class="si">${</span><span class="nv">remote</span><span class="p">[0]</span><span class="si">}</span> </span></span><span class="line"><span class="cl"> <span class="nv">port</span><span class="o">=</span><span class="si">${</span><span class="nv">remote</span><span class="p">[1]</span><span class="k">:-</span><span class="si">${</span><span class="nv">global_port</span><span class="k">:-</span><span class="nv">1194</span><span class="si">}}</span> </span></span><span class="line"><span class="cl"> <span class="nv">protocol</span><span class="o">=</span><span class="si">${</span><span class="nv">remote</span><span class="p">[2]</span><span class="k">:-</span><span class="si">${</span><span class="nv">global_protocol</span><span class="k">:-</span><span class="nv">udp</span><span class="si">}}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">[[</span> <span class="nv">$address</span> <span class="o">=</span>~ <span class="nv">$ip_regex</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> iptables --insert OUTPUT --destination <span class="s2">&#34;</span><span class="nv">$address</span><span class="s2">&#34;</span> --protocol <span class="s2">&#34;</span><span class="nv">$protocol</span><span class="s2">&#34;</span> --destination-port <span class="s2">&#34;</span><span class="nv">$port</span><span class="s2">&#34;</span> --jump ACCEPT </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> ip in <span class="k">$(</span>dig -4 +short <span class="s2">&#34;</span><span class="nv">$address</span><span class="s2">&#34;</span><span class="k">)</span><span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> iptables --insert OUTPUT --destination <span class="s2">&#34;</span><span class="nv">$ip</span><span class="s2">&#34;</span> --protocol <span class="s2">&#34;</span><span class="nv">$protocol</span><span class="s2">&#34;</span> --destination-port <span class="s2">&#34;</span><span class="nv">$port</span><span class="s2">&#34;</span> --jump ACCEPT </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;</span><span class="nv">$ip</span><span class="s2"> </span><span class="nv">$address</span><span class="s2">&#34;</span> &gt;&gt; /etc/hosts </span></span><span class="line"><span class="cl"> <span class="k">done</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> <span class="o">&lt;&lt;&lt;</span> <span class="s2">&#34;</span><span class="nv">$remotes</span><span class="s2">&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="entrysh">entry.sh </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="cp">#!/usr/bin/env bash </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">set</span> -o errexit </span></span><span class="line"><span class="cl"><span class="nb">set</span> -o nounset </span></span><span class="line"><span class="cl"><span class="nb">set</span> -o pipefail </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">cleanup<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nb">kill</span> TERM <span class="s2">&#34;</span><span class="nv">$openvpn_pid</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">is_enabled<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="o">[[</span> <span class="si">${</span><span class="nv">1</span><span class="p">,,</span><span class="si">}</span> <span class="o">=</span>~ ^<span class="o">(</span>true<span class="p">|</span>t<span class="p">|</span>yes<span class="p">|</span>y<span class="p">|</span>1<span class="p">|</span>on<span class="p">|</span>enable<span class="p">|</span>enabled<span class="o">)</span>$ <span class="o">]]</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Either a specific file name or a pattern.</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[[</span> <span class="nv">$CONFIG_FILE</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nv">config_file</span><span class="o">=</span><span class="k">$(</span>find /config -name <span class="s2">&#34;</span><span class="nv">$CONFIG_FILE</span><span class="s2">&#34;</span> 2&gt; /dev/null <span class="p">|</span> sort <span class="p">|</span> shuf -n 1<span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="nv">config_file</span><span class="o">=</span><span class="k">$(</span>find /config -name <span class="s1">&#39;*.conf&#39;</span> -o -name <span class="s1">&#39;*.ovpn&#39;</span> 2&gt; /dev/null <span class="p">|</span> sort <span class="p">|</span> shuf -n 1<span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[[</span> -z <span class="nv">$config_file</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;no openvpn configuration file found&#34;</span> &gt;<span class="p">&amp;</span><span class="m">2</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;using openvpn configuration file: </span><span class="nv">$config_file</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">openvpn_args</span><span class="o">=(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;--config&#34;</span> <span class="s2">&#34;</span><span class="nv">$config_file</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;--cd&#34;</span> <span class="s2">&#34;/config&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> is_enabled <span class="s2">&#34;</span><span class="nv">$KILL_SWITCH</span><span class="s2">&#34;</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nv">openvpn_args</span><span class="o">+=(</span><span class="s2">&#34;--route-up&#34;</span> <span class="s2">&#34;/usr/local/bin/killswitch.sh </span><span class="nv">$ALLOWED_SUBNETS</span><span class="s2">&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Docker secret that contains the credentials for accessing the VPN.</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[[</span> <span class="nv">$AUTH_SECRET</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nv">openvpn_args</span><span class="o">+=(</span><span class="s2">&#34;--auth-user-pass&#34;</span> <span class="s2">&#34;/run/secrets/</span><span class="nv">$AUTH_SECRET</span><span class="s2">&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">openvpn <span class="s2">&#34;</span><span class="si">${</span><span class="nv">openvpn_args</span><span class="p">[@]</span><span class="si">}</span><span class="s2">&#34;</span> <span class="p">&amp;</span> </span></span><span class="line"><span class="cl"><span class="nv">openvpn_pid</span><span class="o">=</span><span class="nv">$!</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">trap</span> cleanup TERM </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">wait</span> <span class="nv">$openvpn_pid</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="构建和启动">构建和启动 </h2><h3 id="docker-composeyaml">docker-compose.yaml </h3><ul> <li> <p>公网镜像:ghcr.io/wfg/openvpn-client</p> </li> <li> <p>构建镜像:</p> </li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"> docker compose build </span></span></code></pre></td></tr></table> </div> </div><ul> <li>启动</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"> docker compose up -d </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">services</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">openvpn-client</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">openvpn-client:latest </span><span class="w"> </span><span class="c"># ghcr.io/wfg/openvpn-client</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">build</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">context</span><span class="p">:</span><span class="w"> </span><span class="l">./</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dockerfile</span><span class="p">:</span><span class="w"> </span><span class="l">Dockerfile</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">container_name</span><span class="p">:</span><span class="w"> </span><span class="l">openvpn-client</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cap_add</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">NET_ADMIN</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - HTTP_PROXY=on</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">SOCKS_PROXY=on</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">devices</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">/dev/net/tun:/dev/net/tun</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./local:/config</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./local:/data/vpn</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - 8080:8080 # HTTP_PROXY port</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">1080</span><span class="p">:</span><span class="m">1080</span><span class="w"> </span><span class="c"># SOCKS_PROXY port</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restart</span><span class="p">:</span><span class="w"> </span><span class="l">unless-stopped</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="结合代理软件使用">结合代理软件使用 </h2> <blockquote> <p>使用 Clash 软件中的 <strong>规则配置</strong> 分流策略</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">proxies</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- {<span class="w"> </span><span class="nt">name: OpenVPN, server: 127.0.0.1, port: 1080, type</span><span class="p">:</span><span class="w"> </span><span class="l">socks5 }</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">IP-CIDR,192.168.142.0/24,OpenVPN</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">IP-CIDR,10.10.10.0/24,OpenVPN</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">IP-CIDR,172.16.0.0/24,OpenVPN</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p><img alt="image-20231201162440422" class="gallery-image" data-flex-basis="328px" data-flex-grow="136" height="621" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://blog.coderkang.top/p/docker_openvpn_client_proxy_integration/db0e049de0e74a5b826c1cc7337d73f7.png" srcset="https://blog.coderkang.top/p/docker_openvpn_client_proxy_integration/db0e049de0e74a5b826c1cc7337d73f7_hu_8fb70f5c572b482f.png 800w, https://blog.coderkang.top/p/docker_openvpn_client_proxy_integration/db0e049de0e74a5b826c1cc7337d73f7.png 850w" width="850"></p> <h2 id="其他">其他 </h2><p>除了 OpenVPN,还可以将 EasyConnect 等校园网 VPN (访问知网免费)经常使用的代理软件客户端部署到 Docker 中,并暴露 HTTP 或者 Socks ,并配置分流规则,达到优雅的访问其他网络环境的效果。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="w"> </span>- {<span class="w"> </span><span class="nt">name: &#39;CNKI&#39;, type: socks5, server: 10.10.10.45, port</span><span class="p">:</span><span class="w"> </span><span class="m">57080</span>}<span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s1">&#39;DOMAIN-SUFFIX,cnki.net,CNKI&#39;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div> Docker 部署 ELK 指南 https://blog.coderkang.top/p/docker_elk_installation_guide/ Sun, 22 May 2022 00:00:00 +0000 https://blog.coderkang.top/p/docker_elk_installation_guide/ <blockquote class="alert alert-note"> <div class="alert-header"> <span class="alert-icon">📝</span> <span class="alert-title">备注</span> </div> <div class="alert-body"> <p><a class="link" href="https://github.com/deviantony/docker-elk" target="_blank" rel="noopener" >deviantony/docker-elk: The Elastic stack (ELK) powered by Docker and Compose. (github.com)</a></p> </div> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">git clone https://github.com/deviantony/docker-elk </span></span><span class="line"><span class="cl"><span class="nb">cd</span> docker-elk </span></span><span class="line"><span class="cl">vim .env </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">docker compose up setup </span></span><span class="line"><span class="cl">docker compose up </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">docker compose down -v setup </span></span><span class="line"><span class="cl">docker compose down -v </span></span></code></pre></td></tr></table> </div> </div>