Last active
January 22, 2020 16:10
-
-
Save 7error/a2f1415a54a95b385df00ffd397c866a to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
grep -e "^docker" /etc/group >& /dev/null | |
if [ $? -ne 0 ] | |
then | |
groupadd docker | |
fi | |
#usermod -aG docker $USER | |
#newgrp docker | |
mkdir -p /etc/systemd/system/docker.service.d | |
mkdir -p /etc/docker/ | |
mkdir -p /etc/cni/net.d | |
mkdir -p /opt/cni/bin | |
mkdir -p /var/lib/docker/ | |
mkdir -p /var/lib/containerd/ | |
mkdir -p /etc/containerd/ | |
curl -sSLk -o /tmp/docker.tgz https://download.docker.com/linux/static/stable/x86_64/docker-19.03.5.tgz && tar xvf /tmp/docker.tgz -C /tmp && cp /tmp/docker/* /usr/bin/ && rm /tmp/docker.tgz && rm -rf /tmp/docker | |
cat > /etc/sysctl.d/mysysctl.conf <<EOF | |
fs.file-max = 1024000 | |
fs.inotify.max_user_instances = 8192 | |
fs.inotify.max_user_watches=89100 | |
### | |
net.core.default_qdisc = fq | |
net.core.netdev_max_backlog = 262144 | |
net.core.somaxconn = 262144 | |
net.ipv4.ip_forward=1 | |
net.ipv4.tcp_congestion_control = bbr | |
net.ipv4.tcp_max_orphans = 262144 | |
net.ipv4.tcp_max_syn_backlog = 262144 | |
net.ipv4.tcp_synack_retries = 1 | |
net.ipv4.tcp_syn_retries = 1 | |
net.ipv4.tcp_timestamps = 0 | |
net.ipv4.tcp_tw_reuse = 0 | |
#net.ipv4.tcp_tw_recycle = 0 | |
#/proc/sys/net/ipv4/tcp_tw_recycle: No such file or directory | |
net.ipv4.tcp_notsent_lowat = 16384 | |
net.ipv4.tcp_slow_start_after_idle = 0 | |
net.ipv4.tcp_fastopen = 3 | |
net.bridge.bridge-nf-call-ip6tables=1 | |
net.bridge.bridge-nf-call-iptables=1 | |
### | |
user.max_user_namespaces=15000 | |
vm.max_map_count=262144 | |
EOF | |
sysctl --system | |
cat>/lib/systemd/system/docker.service<<EOF | |
[Unit] | |
Description=Docker Application Container Engine | |
Documentation=https://docs.docker.com | |
BindsTo=containerd.service | |
After=network-online.target firewalld.service containerd.service | |
Wants=network-online.target | |
Requires=docker.socket | |
[Service] | |
Type=notify | |
# the default is not to use systemd for cgroups because the delegate issues still | |
# exists and systemd currently does not support the cgroup feature set required | |
# for containers run by docker | |
#ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT | |
#ExecStopPost=/bin/bash -c '/sbin/iptables -D FORWARD -s 0.0.0.0/0 -j ACCEPT &> /dev/null || :' | |
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock | |
ExecReload=/bin/kill -s HUP $MAINPID | |
TimeoutSec=0 | |
RestartSec=2 | |
Restart=always | |
# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229. | |
# Both the old, and new location are accepted by systemd 229 and up, so using the old location | |
# to make them work for either version of systemd. | |
StartLimitBurst=3 | |
# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230. | |
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make | |
# this option work for either version of systemd. | |
StartLimitInterval=60s | |
# Having non-zero Limit*s causes performance problems due to accounting overhead | |
# in the kernel. We recommend using cgroups to do container-local accounting. | |
LimitNOFILE=infinity | |
LimitNPROC=infinity | |
LimitCORE=infinity | |
# Comment TasksMax if your systemd version does not support it. | |
# Only systemd 226 and above support this option. | |
TasksMax=infinity | |
# set delegate yes so that systemd does not reset the cgroups of docker containers | |
Delegate=yes | |
# kill only the docker process, not all processes in the cgroup | |
KillMode=process | |
[Install] | |
WantedBy=multi-user.target | |
EOF | |
cat>/lib/systemd/system/docker.socket<<EOF | |
[Unit] | |
Description=Docker Socket for the API | |
PartOf=docker.service | |
[Socket] | |
ListenStream=/var/run/docker.sock | |
SocketMode=0660 | |
SocketUser=root | |
SocketGroup=docker | |
[Install] | |
WantedBy=sockets.target | |
EOF | |
cat>/lib/systemd/system/containerd.service<<EOF | |
[Unit] | |
Description=containerd container runtime | |
Documentation=https://containerd.io | |
After=network.target local-fs.target | |
[Service] | |
ExecStartPre=-/sbin/modprobe overlay | |
ExecStart=/usr/bin/containerd | |
Delegate=yes | |
KillMode=process | |
Restart=always | |
# Having non-zero Limit*s causes performance problems due to accounting overhead | |
# in the kernel. We recommend using cgroups to do container-local accounting. | |
LimitNPROC=infinity | |
LimitCORE=infinity | |
LimitNOFILE=1048576 | |
# Comment TasksMax if your systemd version does not supports it. | |
# Only systemd 226 and above support this version. | |
TasksMax=infinity | |
[Install] | |
WantedBy=multi-user.target | |
EOF | |
cat>/etc/docker/daemon.json<<EOF | |
{ | |
"metrics-addr": "0.0.0.0:1337", | |
"experimental": true, | |
"insecure-registries": [], | |
"live-restore": true, | |
"registry-mirrors": ["https://fz5yth0r.mirror.aliyuncs.com"], | |
"max-concurrent-downloads": 20, | |
"exec-opts": [""], | |
"storage-driver": "overlay2", | |
"storage-opts": [ | |
"overlay2.override_kernel_check=true" | |
], | |
"log-driver": "json-file", | |
"log-opts": { | |
"max-size": "100m", | |
"max-file": "10" | |
} | |
} | |
EOF | |
systemctl enable --now docker |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment