我正在尝试将 docker 容器存储在 luks 设备中,但使用以下命令无法正常工作。
我也试图让一个 docker 容器使用(并且可能打开)一个 luks 文件作为卷数据,但我不知道如何将它绑定到容器
我做了以下事情:
pvcreate /dev/sdb
Physical volume "/dev/sdb" successfully created
vgcreate vgluks /dev/sdb
Volume group "vgluks" successfully created
lvcreate -l 90%FREE -n lvdocker-data vgluks
WARNING: crypto_LUKS signature detected on /dev/vgluks/lvdocker-data at offset 0. Wipe it? [y/n]: y
Wiping crypto_LUKS signature on /dev/vgluks/lvdocker-data.
Logical volume "lvdocker-data" created.
lvcreate -l 100%FREE -n lvdocker-metadata vgluks
Logical volume "lvdocker-metadata" created.
创建了一个密钥
dd if=/dev/urandom of=/tmp/key bs=4K count=1
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0.00126301 s, 3.2 MB/s
cryptsetup luksFormat --batch-mode --key-file=/tmp/key /dev/vgluks/lvdocker-data
cryptsetup luksFormat --batch-mode --key-file=/tmp/key /dev/vgluks/lvdocker-metadata
cryptsetup luksOpen --key-file=/tmp/key /dev/vgluks/lvdocker-data cryptfs-data
cryptsetup luksOpen --key-file=/tmp/key /dev/vgluks/lvdocker-metadata cryptfs-metadata
ext4 格式
mkfs.ext4 /dev/mapper/cryptfs-data
mkfs.ext4 /dev/mapper/cryptfs-metadata
我的 docker.service 看起来像这样:
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network.target docker.socket
Requires=docker.socket
[Service]
Type=notify
EnvironmentFile=-/etc/sysconfig/docker
ExecStart=/usr/bin/docker daemon -H fd:// $OPTIONS
MountFlags=slave
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
[Install]
WantedBy=multi-user.target
/ etc/sysconfig/docker就像:
OPTIONS="--storage-driver=devicemapper --storage-opt dm.datadev=/dev/vgluks/lvdocker-data --storage-opt dm.metadatadev=/dev/vgluks/lvdocker-metadata --insecure-registry myregistryhost:443 -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock"
systemctl 的输出是:
systemctl status -l docker.service
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2015-12-23 16:05:28 CET; 25min ago
Docs: https://docs.docker.com
Main PID: 6544 (code=exited, status=1/FAILURE)
Dec 23 16:05:28 localhost.localdomain systemd[1]: Starting Docker Application Container Engine...
Dec 23 16:05:28 localhost.localdomain docker[6544]: time="2015-12-23T16:05:28.457356524+01:00" level=warning msg="/!\\ DON'T BIND ON ANY IP ADDRESS WITHOUT setting -tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING /!\\"
Dec 23 16:05:28 localhost.localdomain docker[6544]: time="2015-12-23T16:05:28.478448525+01:00" level=fatal msg="Error starting daemon: error initializing graphdriver: Error running deviceCreate (CreatePool) dm_task_run failed"
Dec 23 16:05:28 localhost.localdomain systemd[1]: docker.service: main process exited, code=exited, status=1/FAILURE
Dec 23 16:05:28 localhost.localdomain systemd[1]: Failed to start Docker Application Container Engine.
Dec 23 16:05:28 localhost.localdomain systemd[1]: Unit docker.service entered failed state.
Dec 23 16:05:28 localhost.localdomain systemd[1]: docker.service failed.