docker with device-mapper and luks

Time: 2015-12-23 15:37:25

Tags: docker luks

I am trying to store docker containers on a LUKS device, but with the commands below it does not work.

I am also trying to have a docker container use (maybe open) a LUKS file as volume data, but I don't know how to bind it to the container.

I did the following:

dd if=/dev/urandom of=/tmp/key bs=4K count=1
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0.00126301 s, 3.2 MB/s

Created a key:

cryptsetup luksFormat --batch-mode --key-file=/tmp/key /dev/vgluks/lvdocker-data
cryptsetup luksFormat --batch-mode --key-file=/tmp/key /dev/vgluks/lvdocker-metadata

cryptsetup luksOpen --key-file=/tmp/key /dev/vgluks/lvdocker-data cryptfs-data
cryptsetup luksOpen --key-file=/tmp/key /dev/vgluks/lvdocker-metadata cryptfs-metadata

Formatted in ext4:

mkfs.ext4 /dev/mapper/cryptfs-data
mkfs.ext4 /dev/mapper/cryptfs-metadata

My docker.service looks like this:

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network.target docker.socket
Requires=docker.socket

[Service]
Type=notify
EnvironmentFile=-/etc/sysconfig/docker
ExecStart=/usr/bin/docker daemon -H fd:// $OPTIONS
MountFlags=slave
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity

[Install]
WantedBy=multi-user.target

/etc/sysconfig/docker looks like this:

OPTIONS="--storage-driver=devicemapper --storage-opt dm.datadev=/dev/vgluks/lvdocker-data --storage-opt dm.metadatadev=/dev/vgluks/lvdocker-metadata --insecure-registry myregistryhost:443 -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock"

The output of systemctl is:

systemctl status -l docker.service
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2015-12-23 16:05:28 CET; 25min ago
     Docs: https://docs.docker.com
 Main PID: 6544 (code=exited, status=1/FAILURE)

Dec 23 16:05:28 localhost.localdomain systemd[1]: Starting Docker Application Container Engine...
Dec 23 16:05:28 localhost.localdomain docker[6544]: time="2015-12-23T16:05:28.457356524+01:00" level=warning msg="/!\\ DON'T BIND ON ANY IP ADDRESS WITHOUT setting -tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING /!\\"
Dec 23 16:05:28 localhost.localdomain docker[6544]: time="2015-12-23T16:05:28.478448525+01:00" level=fatal msg="Error starting daemon: error initializing graphdriver: Error running deviceCreate (CreatePool) dm_task_run failed"
Dec 23 16:05:28 localhost.localdomain systemd[1]: docker.service: main process exited, code=exited, status=1/FAILURE
Dec 23 16:05:28 localhost.localdomain systemd[1]: Failed to start Docker Application Container Engine.
Dec 23 16:05:28 localhost.localdomain systemd[1]: Unit docker.service entered failed state.
Dec 23 16:05:28 localhost.localdomain systemd[1]: docker.service failed.
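A preflight check for the OPTIONS line in the question, added here as an example (it is not code from the post). Two points a reviewer would raise: `dm.datadev` and `dm.metadatadev` name the raw LVs `/dev/vgluks/lvdocker-*`, which are the LUKS containers themselves, rather than the opened `/dev/mapper/cryptfs-*` devices, so docker would build its thin pool directly on the LUKS container, bypassing dm-crypt and putting the LUKS header at risk; and `-H tcp://0.0.0.0:4243` has no `--tlsverify`, which is the warning in the daemon log. The thin-pool data and metadata devices are also consumed raw by device-mapper, so the `mkfs.ext4` on them serves no purpose. The mapping names `cryptfs-data` and `cryptfs-metadata` are taken from the question; the function names and the corrected OPTIONS string are my assumptions, and the `has_filesystem` helper needs root and a real block device, so it is defined but not exercised.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed: the dm-crypt mappings
# are named cryptfs-data and cryptfs-metadata, as opened with luksOpen above.

# Value of one --storage-opt key (e.g. dm.datadev) inside an OPTIONS string.
storage_opt() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# 0 when both thin-pool devices are dm-crypt mappings under /dev/mapper,
# 1 when either is still the raw LV (the LUKS container): docker would then
# write its pool onto the container itself instead of through dm-crypt.
check_pool_devices() {
    data=$(storage_opt "$1" dm.datadev)
    meta=$(storage_opt "$1" dm.metadatadev)
    case "$data" in /dev/mapper/?*) ;; *) return 1 ;; esac
    case "$meta" in /dev/mapper/?*) ;; *) return 1 ;; esac
    return 0
}

# 0 when there is no TCP listener, or TCP is combined with --tlsverify;
# 1 for a bare tcp:// listener such as -H tcp://0.0.0.0:4243.
check_tcp_tls() {
    case "$1" in
        *"-H tcp://"*) case "$1" in *--tlsverify*) return 0 ;; *) return 1 ;; esac ;;
        *) return 0 ;;
    esac
}

# Corrected OPTIONS string (assumed layout) built from the opened mapping names.
luks_backed_options() {
    printf '%s --storage-opt dm.datadev=/dev/mapper/%s --storage-opt dm.metadatadev=/dev/mapper/%s -H unix:///var/run/docker.sock' \
        --storage-driver=devicemapper "$1" "$2"
}

# Thin-pool devices are used raw by device-mapper; a filesystem on them is
# unnecessary. Needs root and a real block device, so not exercised below.
has_filesystem() {
    [ -n "$(blkid -o value -s TYPE "$1" 2>/dev/null)" ]
}

# Inputs: the OPTIONS line from the question, and a constructed corrected one.
QUESTION_OPTS="--storage-driver=devicemapper --storage-opt dm.datadev=/dev/vgluks/lvdocker-data --storage-opt dm.metadatadev=/dev/vgluks/lvdocker-metadata --insecure-registry myregistryhost:443 -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock"
FIXED_OPTS=$(luks_backed_options cryptfs-data cryptfs-metadata)

report() {
    if check_pool_devices "$1"; then echo "  pool devices: dm-crypt mappings, ok"
    else echo "  pool devices: raw LV, docker would bypass LUKS"; fi
    if check_tcp_tls "$1"; then echo "  tcp listener: ok"
    else echo "  tcp listener: tcp:// without --tlsverify"; fi
}

echo "question:"; report "$QUESTION_OPTS"
echo "fixed:";    report "$FIXED_OPTS"
```

Two further notes for whoever reproduces this setup: the key file created in `/tmp` should live somewhere root-only (mode 0400) since anyone who can read it can open the devices, and later docker releases deprecated `dm.datadev`/`dm.metadatadev` in favour of a pre-built pool passed via `dm.thinpooldev`, for which the same rule applies: point it at the dm-crypt mapping, not at the LV underneath.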

0 answers:

No answers