Shulou (Shulou.com), SLTechnology News&Howtos, Servers. Report of 05/31, updated 2025-01-18.
When you start using Docker, people often ask, "How do I get into the container?" Others will answer, "Run an SSH server in your container." However, as you will learn from this post, you don't need to run an SSH daemon to get into your container at all. Unless, of course, your container is an SSH server.
Running an SSH server is tempting because it provides an easy way to get into the container. Almost everyone in our company has used SSH at least once. Many of us use it every day and are familiar with public and private keys, password-less logins, key agents, and sometimes even port forwarding and other less common features. So it is not surprising that people advise you to run SSH in a container. But you should think twice about it.
Suppose you are building a Docker image for a Redis server or a Java web service. I would ask you the following questions:
What do you need SSH for? In general, you want to make backups, check logs, restart the process, adjust the configuration, and possibly debug the server with gdb, strace, or similar tools. We will see below how to do all of these without SSH.
How do you manage your keys and passwords? Generally speaking, you either bake them into your image or put them in a volume. Think about what you would have to do to update these keys or passwords. If you bake them into the image, you need to rebuild the image, redeploy it, and restart the containers. That is not the end of the world, but it is not an elegant approach. It is much better to put them in a volume and manage them by managing that volume. This works, but it has serious drawbacks. You must make sure that the container does not have write access to the volume; otherwise, the container could corrupt the keys (which would prevent you from entering the container later), and things get worse if you share one volume among multiple containers. If we didn't use SSH, wouldn't we have one less thing to worry about?
How do you manage security upgrades? The SSH server is quite secure, but security problems still turn up, and when they do you have to upgrade every container that runs SSH. That means a lot of rebuilding and restarting. In other words, even for a small and simple memcached service you still have to ensure timely security updates, otherwise one neglected entry point can compromise the whole system. So again, if we didn't use SSH, wouldn't we have one less thing to worry about?
Is "just adding an SSH server" enough to make it work? Certainly not. You also need to install a process manager, such as Monit or Supervisor, because Docker itself monitors only one process. If you need to run multiple processes, you must add a layer that supervises them. In other words, you are turning a simple problem into a complicated one. If your application stops (exits normally or crashes), you have to find that out from your process manager's logs instead of simply looking at the information provided by Docker.
You may be responsible for putting applications in containers, but should you also be responsible for managing access policies and security restrictions? In small organizations, it doesn't matter. But in a large organization, if you are the person who builds the application container, there is likely to be another person responsible for defining the remote access policy. Your company is likely to have strict policies that specify who can get access, how, and what audit trail is required. In that case, you will certainly not be allowed to throw an SSH server into your container.
But what am I supposed to do...
Back up my data?
Your data should live in a volume. You can then use the --volumes-from option to run another container that shares the volume with the first one. The benefit: if you need to install a new tool (such as s3cmd) to archive your backups for the long term, or to transfer the data to other permanent storage, you can do it in this dedicated backup container instead of in the main service container. It's simple.
Check the log?
Use a volume again! If you write all the logs to a specific directory, and that directory is a volume, you can start another "log inspection" container (using --volumes-from, remember?) and do what you need to do in it. If you need special tools (or just a fancy ack-grep), you can install them in this container and leave the main container's environment untouched.
Restart service?
Basically all services can be restarted with a signal. When you run /etc/init.d/foo restart or service foo restart, they actually send a specific signal to the process. You can use docker kill -s to send this signal. Some services may not listen for these signals, but accept commands on a specific socket. If it is a TCP socket, you only need to connect to it over the network. If it is a UNIX socket, you can use a volume again. Put the service's control socket in a specific directory, and make this directory a volume. Then start a new container with access to that volume, so that it can use the UNIX socket.
"But it's too complicated!" It isn't. Suppose your service named foo creates a socket at /var/run/foo.sock and requires you to run fooctl restart to perform the restart. Just start the service with -v /var/run (or add VOLUME /var/run to the Dockerfile). When you want to restart, start the same image with the --volumes-from option and override the command. Like this:
# Starting the service
CID=$(docker run -d -v /var/run fooservice)
# Restarting the service with a sidekick container
docker run --volumes-from $CID fooservice fooctl restart
It's easy!
Modify my configuration?
If you are making a persistent configuration change, you had better put the change in the image, because if you start another container, the service will still use the old configuration and your changes will be lost. So, no SSH access needed! "But I need to change my configuration while the service is alive; for example, to add a new virtual site!" In this case, you need to use... wait for it... a volume! The configuration should be in a volume, and the volume should be shared with a special-purpose "configuration editor" container. You can use anything you like in this container: SSH plus your favorite editor, or a web service that accepts API calls, or a scheduled task that fetches information from an external source, and so on. Here too, separate concerns: one container runs the service, and the other handles configuration updates. "But I'm making temporary changes because I'm testing different values!" In this case, check out the next section!
Debug my app?
This is probably the only scenario where you really need to get into the container, because you want to run gdb or strace, tweak the configuration, and so on. In this case, you need nsenter.
Introduction to nsenter
nsenter is a small tool for entering namespaces. Technically, it can enter existing namespaces or spawn a process into a new set of namespaces. "What is a namespace?" Namespaces are an important building block of containers. To put it simply: with nsenter, you can enter an existing container, even if the container is not running SSH or any special-purpose daemon.
Where do I get nsenter?
See jpetazzo/nsenter on GitHub. The simple installation is:
docker run -v /usr/local/bin:/target jpetazzo/nsenter
This installs nsenter into /usr/local/bin, and you can use it right away.
nsenter is also available in your distribution (in the util-linux package).
How to use it?
First, find the PID of the container you want to enter:
PID=$(docker inspect --format {{.State.Pid}} <container_name_or_ID>)
Then enter the container:
nsenter --target $PID --mount --uts --ipc --net --pid
You get a shell inside the container. If you want to run a particular script or program in an automated way, add it as an argument to nsenter. It works a bit like chroot, except that it operates on containers instead of plain directories.
How about remote access?
If you need to access a container from a remote host, there are (at least) two ways:
SSH into the Docker host and use nsenter.
SSH into the Docker host with a special key that is only authorized to run one specific command (namely, nsenter).
The first method is relatively simple; however, it requires root access to the Docker host (not very good from a security perspective). The second method uses the command= option in SSH's authorized_keys file. You may be familiar with the "classic" authorized_keys file, which looks like this:
ssh-rsa AAAAB3N...QOID== jpetazzo@tarrasque
(Of course, a real key is much longer and usually spans several lines.) You can also force a specific command. If you want to be able to check the available memory on a remote host using an SSH key, but you don't want to hand over full shell access, you can put the following in the authorized_keys file:
command="free" ssh-rsa AAAAB3N...QOID== jpetazzo@tarrasque
Now, when that specific key connects, the free command is executed instead of a shell. Nothing else can be done with it. (Usually, you will also want to add no-port-forwarding; for more information, see the authorized_keys(5) manual page.) The point of this mechanism is to separate responsibilities. Alice puts services inside containers; she doesn't have to handle remote access, login, and so on. Betty adds an SSH layer for use in special cases (debugging strange problems). Charlotte will worry about logging. And so on.
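The second remote-access method, applied to nsenter rather than free, as an added example that is not part of the original article: a forced-command wrapper that validates the requested container name before calling the docker inspect and nsenter commands shown above. The script path, the function names, the extra key options and the client command line are assumptions made for this illustration; the key body is elided exactly as on the page.

```sh
#!/bin/sh
# Forced-command wrapper (added example). Hypothetical install path:
#   /usr/local/sbin/enter-container
# authorized_keys entry for the debugging key (key body elided as on the page):
#   command="/usr/local/sbin/enter-container",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3N...QOID== jpetazzo@tarrasque
# The client runs:  ssh -t user@dockerhost <container-name>
# sshd ignores the requested command, runs this script instead, and passes
# the client's request in SSH_ORIGINAL_COMMAND.

# Accept only strings that look like a Docker container name or ID.
# Rejecting a leading "-" and shell metacharacters keeps the value from
# being read as an option or as extra commands.
valid_name() {
    case "$1" in
        ''|[!a-zA-Z0-9]*|*[!a-zA-Z0-9_.-]*) return 1 ;;
    esac
    return 0
}

enter_container() {
    ec_name=$1
    if ! valid_name "$ec_name"; then
        echo "usage: ssh -t <host> <container-name>" >&2
        return 2
    fi
    # Audit trail: who asked for which container.
    logger -t enter-container "from=${SSH_CLIENT:-unknown} container=$ec_name" 2>/dev/null || true
    ec_pid=$(docker inspect --format '{{.State.Pid}}' "$ec_name" 2>/dev/null) || {
        echo "no such container: $ec_name" >&2
        return 3
    }
    # A stopped container reports PID 0; there is no namespace to enter.
    case "$ec_pid" in
        ''|0|*[!0-9]*) echo "container is not running: $ec_name" >&2; return 4 ;;
    esac
    # Same invocation as in the article, with the looked-up PID.
    nsenter --target "$ec_pid" --mount --uts --ipc --net --pid
}

# Run only when installed under its real name, so the functions can be
# sourced and tested elsewhere.
if [ "${0##*/}" = "enter-container" ]; then
    enter_container "${SSH_ORIGINAL_COMMAND:-}"
    exit $?
fi
```

The account holding this key still needs permission to run docker and nsenter on the host; the wrapper limits what the key holder can ask for, not what the account itself can do.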