Deployment of Weave-Scope services-troubleshooting and monitoring tools for Docker and k8s

2025-04-09 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

Weave-Scope is a service for monitoring the resource usage of Docker containers, k8s and the like (including the hosts themselves). In essence it is a monitoring service similar to Zabbix. It is deployed as a container, so it is easy to deploy, yet powerful. The only drawback may be that it carries some hidden security risks (I will explain the security issues after I have verified them). For a detailed introduction, see the official Weave-Scope documentation. In this blog post I will write down how to deploy the service.

First, deploy Weave-Scope

The environment is prepared as follows:

There are two CentOS 7.5 servers, both running the docker service (for installing docker, refer to the Docker installation documentation). The servers' hostnames and IP addresses are docker01 (192.168.20.6) and docker02 (192.168.20.7). The hostnames of the monitored hosts must not conflict, to avoid accidents.

1. The configuration of the docker01 server is as follows:

    # download the scope command
    [root@docker01 ~]# wget https://github.com/weaveworks/scope/archive/v1.11.0.tar.gz
    # decompress the downloaded source package
    [root@docker01 ~]# tar zxf v1.11.0.tar.gz
    # change into the unpacked directory
    [root@docker01 ~]# cd scope-1.11.0/
    # move the command to the specified directory
    [root@docker01 scope-1.11.0]# mv scope /usr/local/bin/
    # all operations so far can be replaced by one official command:
    #   curl -L git.io/scope -o /usr/local/bin/scope
    # give the command execute permission
    [root@docker01 scope-1.11.0]# chmod +x /usr/local/bin/scope
    # specify the IP addresses of the docker servers to be monitored
    [root@docker01 ~]# scope launch 192.168.20.6 192.168.20.7
    ......          # part of the output omitted
      * http://192.168.122.1:4040/
      * http://192.168.20.6:4040/
    # The command returns the two URLs above; the one we need is the local IP on port 4040.
    # After the command runs, docker automatically downloads the weaveworks/scope:latest image and runs it.
    # Note: the IP addresses after the command are the local IP followed by the IP of the second docker server.
    # To avoid unnecessary trouble, the local IP address must come first.
    # To monitor more docker servers, simply append their IPs at the end.

    # then run two nginx containers, nginx01 and nginx02, to verify the configuration above
    [root@docker01 ~]# docker run -d --name nginx01 nginx
    [root@docker01 ~]# docker run -d --name nginx02 nginx

2. The configuration of the docker02 server is as follows (basically the same as for docker01)

For explanations, refer to the comments in the docker01 commands.

    [root@docker02 ~]# curl -L git.io/scope -o /usr/local/bin/scope
    [root@docker02 ~]# chmod +x /usr/local/bin/scope
    # when running the following command, note again that this machine's own IP address must come first
    [root@docker02 ~]# scope launch 192.168.20.7 192.168.20.7
    ......          # part of the output omitted
      * http://192.168.122.1:4040/
      * http://192.168.20.7:4040/
    # also run two nginx containers, nginx03 and nginx04, for testing
    [root@docker02 ~]# docker run -d --name nginx03 nginx
    [root@docker02 ~]# docker run -d --name nginx04 nginx

At this point the scope service is deployed; all it took was running one container based on the weaveworks/scope image on each server (the nginx containers are optional and only there for testing). Does it feel too simple? If you think its functionality is as simple as its deployment, you are wrong. Personally, I find scope very powerful. The configuration above monitors only two docker servers. To monitor more, repeat the same configuration on the other docker servers; just remember that when each docker server runs the "scope launch" command, its own IP address must come first.

At this point docker01 and docker02 have in effect formed a "cluster": whichever docker server we visit, we see the same page.

3. The client accesses the docker server's IP + port

So far, that is all I know about the basic functions of the Weave-Scope service. At the beginning of the article I mentioned security risks: if we open a container's terminal, or even the docker server's terminal, from the web page, we find that we are the root user, and in a production environment operating as root is the biggest taboo. Moreover, it is not a big problem if only intranet staff can reach it, but what if port 4040 of the server is hacked? So be sure to set up a good firewall policy, and it is not recommended to use this service casually in a production environment until you understand it thoroughly.
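
A way to act on the firewall advice above, as an added example that is not part of the original post: the script checks `ss -ltn` output for a Scope UI listening beyond loopback and prints firewalld allowlist rules for port 4040. It assumes firewalld on CentOS 7, that Scope listens on the host's own network stack, and that the default zone does not otherwise open 4040; the sample `ss` output and the admin address 192.168.20.50 are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit for an exposed Scope UI
# and print firewalld rules that restrict it to an allowlist.
SCOPE_PORT=4040   # port from the URLs that `scope launch` prints

# Constructed sample of `ss -ltn` output on a host running Scope.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:25 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 :::4040 :::*'

# Read `ss -ltn` output on stdin and print every local address that serves
# the Scope port on something other than loopback.
exposed_scope_listeners() {
    awk -v port="$SCOPE_PORT" '
        $1 != "LISTEN" { next }            # skips the header line too
        {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next     # some other service
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host == "127.0.0.1" || host == "::1" || host == "[::1]") next
            print addr
        }'
}

# Print (do not run) firewalld commands that accept the Scope port only from
# the given sources. List the other Scope hosts as well as admin machines,
# on the assumption that the hosts report to each other on this port.
firewalld_rules_for() {
    for src in "$@"; do
        printf '%s\n' "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$src\" port port=\"$SCOPE_PORT\" protocol=\"tcp\" accept'"
    done
    printf '%s\n' "firewall-cmd --permanent --remove-port=$SCOPE_PORT/tcp" \
                  "firewall-cmd --reload"
}

# Demo on the constructed sample; on a real host use: ss -ltn | exposed_scope_listeners
if [ -n "$(printf '%s\n' "$SAMPLE_SS" | exposed_scope_listeners)" ]; then
    echo "Scope UI reachable beyond loopback; candidate rules for docker01:"
    # 192.168.20.7 is docker02; 192.168.20.50 is a constructed admin workstation.
    firewalld_rules_for 192.168.20.7 192.168.20.50
fi
```

Review the printed commands before running them as root, and re-run the listener check from another machine's point of view after the reload.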

All in all, there is no 100% security. I will update this blog post after I verify my idea.
