A docker-compose management setup
Ubuntu + Docker + Portainer + Traefik + Dozzle + File Browser
Note: this setup is intended only for deployment on a local server. If you expose it to the public Internet, add your own protection, for example Authelia authentication in front of the services.
Requirements
Manage Docker services and data through a web UI, run the containers with docker-compose, and reach the container services by domain name.
Services
Portainer: web UI for managing Docker
Traefik: reverse proxy for the Docker container services
Dozzle: real-time log viewer for all Docker containers
File Browser: lightweight file manager
whoami: echoes the HTTP request it receives, used for testing
System and software versions
OS: Ubuntu Server 20.04 LTS
Docker Engine: 25.0.4
Docker Compose: 2.24.7
Image versions
Portainer CE: portainer/portainer-ce:2.19.3
Traefik: traefik:v2.11.0
Dozzle: amir20/dozzle:v6.2.7
File Browser: filebrowser/filebrowser:v2.27.0
whoami: traefik/whoami:v1.10
Deployment
All container data lives under /data/docker and the domain used is c.com; configure DNS resolution and generate a self-signed SSL certificate yourself.
Docker daemon configuration
$ cat /etc/docker/daemon.json
{
  "insecure-registries": ["dockerhub.c.com"],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  }
}
Create the data directories
$ sudo mkdir -p /data/docker/{portainer,traefik,filebrowser}/data
$ sudo chown -R $USER /data/docker
$ cd /data/docker
$ mkdir -p traefik/data/{cert,config,log} filebrowser/data/config
$ tree /data/docker
/data/docker
├── filebrowser
│   └── data
│       └── config
├── portainer
│   └── data
└── traefik
    └── data
        ├── cert
        ├── config
        └── log
Create and start the portainer container from the command line
$ cd /data/docker/portainer
$ vim docker-compose.yml
version: "3.8"
services:
  portainer:
    container_name: portainer
    image: portainer/portainer-ce:2.19.3
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - "9443:9443"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /data/docker/portainer/data:/data
    labels:
      - traefik.enable=true
      - traefik.http.routers.portainer.rule=Host(`portainer.c.com`)
      - traefik.http.routers.portainer.entrypoints=http,https
      - traefik.http.routers.portainer.priority=10
      - traefik.http.routers.portainer.tls=true
      - traefik.http.routers.portainer.service=portainer
      - traefik.http.services.portainer.loadbalancer.server.port=9000
      #- traefik.http.services.portainer.loadbalancer.server.scheme=https
networks:
  default:
    name: traefik
# start the container
$ docker compose up -d
Create the traefik and filebrowser configuration files from the command line
traefik configuration files
$ cd /data/docker/traefik/data
# static (main) configuration
$ vim traefik.yml
global:
  checkNewVersion: false
  sendAnonymousUsage: false
entryPoints:
  http:
    address: ":80"
    proxyProtocol:
      insecure: true
    forwardedHeaders:
      insecure: true
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
          permanent: true
          priority: 20
  https:
    address: ":443"
    proxyProtocol:
      insecure: true
    forwardedHeaders:
      insecure: true
log:
  level: WARN
  filePath: /dev/stdout
  #filePath: /data/log/traefik.log
  format: common
accessLog:
  filePath: /dev/stdout
  #filePath: /data/log/access.log
  format: common
api:
  insecure: true
  dashboard: true
ping:
  entryPoint: traefik
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    defaultRule: Host(`{{ .ContainerName }}.c.com`)
  file:
    directory: /data/config
    watch: true
# dynamic configuration
$ vim config/config.yml
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /data/cert/cert.crt
        keyFile: /data/cert/cert.key
  certificates:
    - certFile: /data/cert/cert.crt
      keyFile: /data/cert/cert.key
# copy the domain certificate and the CA certificate into the cert directory
$ tree
.
├── cert
│   ├── cert.crt      # domain certificate
│   ├── cert.key      # domain private key
│   └── root.crt      # CA certificate
├── config
│   └── config.yml    # dynamic configuration
├── log
└── traefik.yml       # static (main) configuration
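The post leaves generating the self-signed certificate to the reader. The script below is an added example, not part of the original post: it creates a private CA (root.crt) and a server certificate for the base domain with a wildcard SAN, so that portainer.c.com, dozzle.c.com and the other *.c.com hosts all validate against the single cert.crt/cert.key pair the dynamic configuration references, and it writes the three files the tree above expects. The target directory and the domain are parameters; the CA private key file root.key, the 825-day server lifetime and the 2048-bit RSA keys are this example's choices, not values from the page.

```shell
#!/bin/sh
# Added example: create the self-signed CA and wildcard server certificate that
# the traefik dynamic config on this page expects (cert.crt, cert.key, root.crt).
# root.key and the 825-day server lifetime are this example's choices.
set -e

make_certs() {
  dir="$1"; domain="$2"
  mkdir -p "$dir"

  # 1. Private CA: key, CSR, then a self-signed cert with CA:TRUE taken from an
  #    explicit extension file, so the result does not depend on the local openssl.cnf.
  openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
  openssl req -new -key "$dir/root.key" -subj "/CN=$domain local CA" -out "$dir/root.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' \
                'subjectKeyIdentifier=hash' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null

  # 2. Server key and CSR for the base domain.
  openssl genrsa -out "$dir/cert.key" 2048 2>/dev/null
  openssl req -new -key "$dir/cert.key" -subj "/CN=$domain" -out "$dir/cert.csr" 2>/dev/null

  # 3. Sign with the CA. The wildcard SAN is what makes portainer.c.com, dozzle.c.com
  #    and the rest validate against this one certificate; browsers ignore the CN.
  printf '%s\n' 'basicConstraints=CA:FALSE' \
                'keyUsage=critical,digitalSignature,keyEncipherment' \
                'extendedKeyUsage=serverAuth' \
                "subjectAltName=DNS:$domain,DNS:*.$domain" > "$dir/server.ext"
  openssl x509 -req -in "$dir/cert.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 825 -extfile "$dir/server.ext" -out "$dir/cert.crt" 2>/dev/null

  rm -f "$dir/root.csr" "$dir/ca.ext" "$dir/cert.csr" "$dir/server.ext" "$dir/root.srl"
  chmod 600 "$dir/root.key" "$dir/cert.key"
}

# Chain plus hostname check, the way a browser with root.crt installed would judge it.
verify_certs() {
  dir="$1"; domain="$2"
  openssl verify -CAfile "$dir/root.crt" -verify_hostname "portainer.$domain" \
    "$dir/cert.crt" >/dev/null 2>&1 || return 1
  # the wildcard SAN must be present for the other *.domain hosts on this page
  openssl x509 -in "$dir/cert.crt" -noout -text | grep -q "DNS:\*\.$domain" || return 1
}

# Usage: sh make-certs.sh /data/docker/traefik/data/cert c.com
if [ "$#" -eq 2 ]; then
  make_certs "$1" "$2"
  verify_certs "$1" "$2" && echo "certificates in $1 verified for *.$2"
fi
```

Import root.crt into the trust store of the browsers or machines that use the dashboards. root.key is not referenced by any Traefik configuration on this page and only needs to exist when a certificate is issued, so there is no reason to keep it under the cert directory that Traefik mounts; move it somewhere that is not served or mounted.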
filebrowser configuration file
$ cd /data/docker/filebrowser/data
$ vim config/filebrowser.json
{
  "port": 80,
  "baseURL": "",
  "address": "",
  "log": "stdout",
  "database": "/config/database.db",
  "root": "/data"
}
Create and run the remaining containers from the Portainer web UI
First log in to Portainer using the server's IP address and port:
https://IP:9443
Add the traefik container
In the left menu click "Stacks" > "Add stack" > "Web editor", set Name to traefik, and use the following docker-compose configuration:
version: "3.8"
services:
  traefik:
    container_name: traefik
    image: traefik:v2.11.0
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /data/docker/traefik/data/traefik.yml:/etc/traefik/traefik.yml
      - /data/docker/traefik/data:/data
    labels:
      - traefik.enable=true
      - traefik.http.routers.ping.rule=Host(`traefik.c.com`) && PathPrefix(`/ping`)
      - traefik.http.routers.ping.entrypoints=http,https
      - traefik.http.routers.ping.service=ping@internal
      - traefik.http.routers.ping.tls=true
      - traefik.http.routers.traefik.rule=Host(`traefik.c.com`) && PathPrefix(`/`)
      - traefik.http.routers.traefik.entrypoints=http,https
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.tls=true
networks:
  default:
    name: traefik
Add the dozzle container
Set Name to dozzle and use the following docker-compose configuration:
version: "3.8"
services:
  dozzle:
    container_name: dozzle
    image: amir20/dozzle:v6.2.7
    restart: unless-stopped
    environment:
      - TZ=Asia/Shanghai
      - DOZZLE_NO_ANALYTICS=true
      - DOZZLE_LEVEL=info
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - traefik.enable=true
      - traefik.http.routers.dozzle.rule=Host(`dozzle.c.com`)
      - traefik.http.routers.dozzle.entrypoints=http,https
      - traefik.http.routers.dozzle.priority=10
      - traefik.http.routers.dozzle.tls=true
networks:
  default:
    name: traefik
    external: true
Add the filebrowser container
Set Name to filebrowser and use the following docker-compose configuration:
version: "3.8"
services:
  filebrowser:
    container_name: filebrowser
    image: filebrowser/filebrowser:v2.27.0
    restart: unless-stopped
    volumes:
      - /data/docker/filebrowser/data/config/filebrowser.json:/.filebrowser.json
      - /data/docker/filebrowser/data/config:/config
      - /data/docker:/data
    labels:
      - traefik.enable=true
      - traefik.http.routers.filebrowser.rule=Host(`filebrowser.c.com`)
      - traefik.http.routers.filebrowser.entrypoints=http,https
      - traefik.http.routers.filebrowser.priority=10
      - traefik.http.routers.filebrowser.tls=true
networks:
  default:
    name: traefik
    external: true
Add the whoami container
Set Name to whoami and use the following docker-compose configuration:
version: "3.8"
services:
  demo1:
    container_name: demo1
    image: traefik/whoami:v1.10
    hostname: demo1
    restart: unless-stopped
    # enable http and https
    labels:
      - traefik.enable=true
      - traefik.http.routers.demo1.rule=Host(`demo1.c.com`)
      - traefik.http.routers.demo1.entrypoints=http,https
      - traefik.http.routers.demo1.priority=10
      - traefik.http.routers.demo1.tls=true
      # add a second router for the domain whoami.c.com
      - traefik.http.routers.whoami.rule=Host(`whoami.c.com`)
      - traefik.http.routers.whoami.entrypoints=http,https
      - traefik.http.routers.whoami.priority=10
      - traefik.http.routers.whoami.tls=true
  demo2:
    container_name: demo2
    image: traefik/whoami:v1.10
    hostname: demo2
    restart: unless-stopped
    # enable http and https, but do not force a redirect to https
    labels:
      - traefik.enable=true
      - traefik.http.routers.demo2.rule=Host(`demo2.c.com`)
      - traefik.http.routers.demo2.entrypoints=http
      - traefik.http.routers.demo2.priority=30
      - traefik.http.routers.demo2-https.rule=Host(`demo2.c.com`)
      - traefik.http.routers.demo2-https.entrypoints=https
      - traefik.http.routers.demo2-https.priority=30
      - traefik.http.routers.demo2-https.tls=true
networks:
  default:
    name: traefik
    external: true
When adding other containers later, use the whoami labels as a template.
Whether HTTP is redirected to HTTPS is decided by the priority value: the higher the number, the higher the precedence.
The Traefik static configuration already defines a global HTTP-to-HTTPS redirect with priority=20.
If a container's router has a priority below 20, for example priority=10, the global redirect wins.
If it has a priority above 20, for example priority=30, the container's own router wins.
Also note that if you do not want the forced redirect to HTTPS, the router must be split into two, one on the http entrypoint and one on the https entrypoint, as with demo2 and demo2-https in the whoami stack.
If the container's service does not listen on port 80 (Portainer, for example, listens on 9000), add a label like the following:
      - traefik.http.services.portainer.loadbalancer.server.port=9000
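The priority rule above, and the redirect configured in traefik.yml that it depends on, are easier to audit with a script than to keep in your head. The following is an added example, not code from the original post: it reads router labels of the kind used in this page's stacks and reports, per router, whether plain HTTP is served or redirected to HTTPS, and whether an https router actually has tls=true. It assumes the global redirect priority of 20 from the traefik.yml above and two documented Traefik v2 defaults: a router with no entrypoints label listens on every entry point, and a router with no explicit priority gets the length of its rule string as its priority. The sample labels are constructed from the whoami stack and the dashboard router of the traefik stack on this page.

```shell
#!/bin/sh
# Added example: report, per Traefik router found in compose labels, whether plain
# HTTP is served or redirected to HTTPS. Models this page's setup: a global
# HTTP->HTTPS redirect at priority 20 (traefik.yml); the higher priority wins.
GLOBAL_REDIRECT_PRIORITY=20

# Reads label lines on stdin ("- traefik.http.routers.NAME.KEY=VALUE"; indentation
# and the leading "- " are ignored) and prints "NAME: verdict", sorted by name.
router_exposure() {
  awk -v gp="$GLOBAL_REDIRECT_PRIORITY" '
    {
      eq = index($0, "=")
      if (eq == 0) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      sub(/^[- \t]+/, "", key)
      n = split(key, p, ".")
      if (n < 5 || p[1] != "traefik" || p[2] != "http" || p[3] != "routers") next
      name = p[4]; routers[name] = 1
      if (p[5] == "rule") rule[name] = val
      else if (p[5] == "entrypoints") ep[name] = val
      else if (p[5] == "priority") pr[name] = val + 0
      else if (n == 5 && p[5] == "tls") tls[name] = val
    }
    END {
      for (r in routers) {
        # Traefik v2 defaults: no entrypoints = all entry points; no priority = rule length
        e = (r in ep) ? ep[r] : "http,https"
        prio = (r in pr) ? pr[r] : length(rule[r])
        verdict = ""
        if (e ~ /(^|,)http(,|$)/) {
          if (prio > gp) verdict = "plain HTTP served (priority " prio " > " gp ")"
          else verdict = "HTTP redirected to HTTPS (priority " prio " <= " gp ")"
        }
        if (e ~ /(^|,)https(,|$)/) {
          note = (tls[r] == "true") ? "HTTPS with TLS" : "WARNING: https entrypoint without tls=true"
          verdict = (verdict == "") ? note : verdict "; " note
        }
        print r ": " verdict
      }
    }' | sort
}

# Constructed sample: the demo1, demo2 and demo2-https routers from the whoami stack
# and the dashboard router from the traefik stack, as they appear on this page.
SAMPLE_LABELS='
      - traefik.http.routers.demo1.rule=Host(`demo1.c.com`)
      - traefik.http.routers.demo1.entrypoints=http,https
      - traefik.http.routers.demo1.priority=10
      - traefik.http.routers.demo1.tls=true
      - traefik.http.routers.demo2.rule=Host(`demo2.c.com`)
      - traefik.http.routers.demo2.entrypoints=http
      - traefik.http.routers.demo2.priority=30
      - traefik.http.routers.demo2-https.rule=Host(`demo2.c.com`)
      - traefik.http.routers.demo2-https.entrypoints=https
      - traefik.http.routers.demo2-https.priority=30
      - traefik.http.routers.demo2-https.tls=true
      - traefik.http.routers.traefik.rule=Host(`traefik.c.com`) && PathPrefix(`/`)
      - traefik.http.routers.traefik.entrypoints=http,https
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.tls=true
'

printf '%s\n' "$SAMPLE_LABELS" | router_exposure
```

Run it over the labels of every stack before adding a service: a router reported as "plain HTTP served" is one the global redirect does not cover. Under the defaults stated above, the dashboard router of the traefik stack falls into that group because it has no explicit priority and its rule is longer than 20 characters; giving it priority=10, like the other dashboards on this page, puts it back under the global redirect.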
Access test
https://portainer.c.com
https://traefik.c.com
https://dozzle.c.com
https://filebrowser.c.com
https://whoami.c.com
http://demo2.c.com
https://demo2.c.com
Screenshots