I. Overview:
1. On CentOS 7 the default firewall is firewalld; check its state with: systemctl status firewalld.service
2. Stop firewalld: systemctl stop firewalld.service && setenforce 0 (note that setenforce 0 also switches SELinux to permissive mode on the running system)
3. Install iptables: yum install iptables-services
systemctl restart iptables.service # finally, restart the firewall so the configuration takes effect
systemctl enable iptables.service # start the firewall at boot
Docker configuration file: /etc/sysconfig/docker
Main parameters:
- -H: the address the Docker daemon binds to, e.g. -H=unix:///var/run/docker.sock or -H=tcp://0.0.0.0:2375
- --registry-mirror: mirror address for the Docker Registry, e.g. --registry-mirror=http://xxxx
- --insecure-registry: address of a (local) private Docker Registry, e.g. --insecure-registry ${privateRegistryHost}:5000
- --selinux-enabled: whether SELinux support is enabled (on by default); --selinux-enabled=true turns it on
- --bip: the CIDR network address used by the docker0 bridge, e.g. --bip=172.17.42.1
- -b: use a bridge that has already been created, e.g. -b=xxx
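As an added example (not code from the original page), the POSIX shell function below audits a daemon OPTIONS string in the /etc/sysconfig/docker form for the settings above that weaken the host: a TCP listener configured without --tlsverify (the daemon API gives root-equivalent control of the host, so an unauthenticated tcp://0.0.0.0:2375 endpoint exposes it to the network), --insecure-registry (registry traffic is neither encrypted nor verified), and SELinux confinement switched off. The option strings, registry host name and function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): audit a Docker daemon OPTIONS
# string in the /etc/sysconfig/docker form for settings that weaken the host.
# Prints one FINDING line per issue; exit status 0 means nothing was flagged.
audit_docker_options() {
    opts=" $1 "          # pad with spaces so every flag can be matched as " --flag "
    findings=0

    # A TCP listener hands out root-equivalent control of the host unless the
    # daemon also demands client certificates (--tlsverify).
    case "$opts" in
        *" -H=tcp://"*|*" -H tcp://"*|*" --host=tcp://"*|*" --host tcp://"*)
            case "$opts" in
                *" --tlsverify "*|*" --tlsverify=true "*) ;;
                *)
                    echo "FINDING: TCP API listener without --tlsverify"
                    findings=$((findings + 1)) ;;
            esac ;;
    esac

    # Plain-HTTP / unverified registry traffic: image content is not authenticated.
    case "$opts" in
        *" --insecure-registry"*)
            echo "FINDING: --insecure-registry permits unverified registry traffic"
            findings=$((findings + 1)) ;;
    esac

    # SELinux confinement of containers switched off.
    case "$opts" in
        *" --selinux-enabled=false "*)
            echo "FINDING: SELinux confinement disabled (--selinux-enabled=false)"
            findings=$((findings + 1)) ;;
    esac

    [ "$findings" -eq 0 ]
}

# Convenience wrapper: print only the number of findings.
count_docker_option_findings() {
    audit_docker_options "$1" | grep -c '^FINDING' || true
}

# Example run on constructed option strings (what a host's
# /etc/sysconfig/docker might carry in OPTIONS=...).
audit_docker_options "--selinux-enabled=true -H=unix:///var/run/docker.sock" \
    && echo "socket-only daemon: nothing flagged"
audit_docker_options "-H=tcp://0.0.0.0:2375 --insecure-registry registry.example.internal:5000" \
    || echo "audit raised findings"
```

The match patterns are deliberately loose (they accept both -H=tcp:// and -H tcp://), so the same function can be pointed at the OPTIONS value of an existing host with: . /etc/sysconfig/docker && audit_docker_options "$OPTIONS".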
Proxy settings:
http_proxy=xxxx:8080
https_proxy=xxxx:8080
Docker service file (CentOS 7):
cat /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network.target
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
Environment="HTTP_PROXY=http://USERNAME:PASSWD@HOST:PORT/"
Environment="HTTPS_PROXY=http://USERNAME:PASSWD@HOST:PORT/"
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
[Install]
WantedBy=multi-user.target
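The unit above carries the proxy credentials inside the package-owned file under /usr/lib/systemd/system, which the next package upgrade overwrites. As an added example (not from the original page or the Docker project), the shell functions below write the same Environment= settings as a systemd drop-in under a caller-supplied directory that stands in for /etc/systemd/system, restrict the file to its owner because the URL may embed a username and password, and check whether a proxy URL carries such credentials. The proxy host, NO_PROXY list and temp directory are constructed for the example; on a real host pass /etc/systemd/system and then run systemctl daemon-reload && systemctl restart docker.

```shell
#!/bin/sh
# Added example (not from the original page): keep the Docker daemon's proxy
# settings in a systemd drop-in rather than in the package-owned unit file.
#
# write_docker_proxy_dropin BASE PROXY_URL NO_PROXY_LIST
#   BASE stands in for /etc/systemd/system (assumption: a temp dir when
#   testing, the real path on a host). Writes BASE/docker.service.d/http-proxy.conf
#   readable by its owner only and prints the path.
write_docker_proxy_dropin() {
    base="$1"; proxy="$2"; noproxy="$3"
    dir="$base/docker.service.d"
    mkdir -p "$dir"
    # Subshell so the restrictive umask does not leak into the caller; the URL
    # may embed a username and password, so the file must not be world-readable.
    (
        umask 077
        cat > "$dir/http-proxy.conf" <<EOF
[Service]
Environment="HTTP_PROXY=$proxy"
Environment="HTTPS_PROXY=$proxy"
Environment="NO_PROXY=$noproxy"
EOF
    )
    echo "$dir/http-proxy.conf"
}

# Returns 0 when a proxy URL carries credentials (user:pass@host), which is
# worth knowing before the drop-in is copied into a config repository.
proxy_url_has_credentials() {
    case "$1" in
        *://*@*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Returns 0 when the drop-in has mode 0600 (owner read/write only).
dropin_is_owner_only() {
    [ -n "$(find "$1" -perm 600 -print)" ]
}

# Usage on a constructed temp directory standing in for /etc/systemd/system.
demo=$(mktemp -d)
f=$(write_docker_proxy_dropin "$demo" "http://proxy.example.internal:8080" \
    "localhost,127.0.0.1,registry.example.internal")
cat "$f"
dropin_is_owner_only "$f" && echo "drop-in is owner-only"
proxy_url_has_credentials "http://USERNAME:PASSWD@HOST:PORT/" \
    && echo "placeholder URL from the unit file embeds credentials"
rm -rf "$demo"
```

NO_PROXY is included so that requests to the local private registry named with --insecure-registry do not get routed through the proxy; systemctl show docker --property=Environment confirms what the daemon actually received after the reload.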