Docker 私有服务部署指南
本文整合了常用私有服务的 Docker 部署配置,包括制品仓库、CI/CD、身份认证和密码管理。
Nexus 制品仓库
Nexus 支持 Docker、Helm、npm、PyPI、Maven 等多种格式的制品管理。
Docker 部署
version: '2.0'
services:
nexus:
image: sonatype/nexus3
container_name: nexus
restart: always
ports:
- "127.0.0.1:8081:8081" # Web UI
- "127.0.0.1:5000:5000" # Docker Registry
volumes:
- ${HOME}/nexus-data:/nexus-data# 获取初始密码
docker exec nexus cat /nexus-data/admin.passwordNginx 反向代理
server {
listen 443 ssl;
server_name repo.example.com;
ssl_certificate /etc/letsencrypt/live/repo.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/repo.example.com/privkey.pem;
client_max_body_size 10G; # Docker 镜像可能很大
location / {
proxy_pass http://localhost:8081/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto "https";
}
}使用示例
# Docker Registry
docker login docker.example.com
docker tag myapp:latest docker.example.com/myapp:latest
docker push docker.example.com/myapp:latest
# Helm 仓库
helm repo add myrepo https://repo.example.com/repository/helm-hosted/ \
--username admin --password password
# npm 仓库
npm config set registry https://repo.example.com/repository/npm-group/Jenkins CI/CD
Docker 部署
version: '3'
services:
jenkins:
image: jenkins/jenkins:lts
user: root
restart: always
container_name: jenkins
ports:
- "127.0.0.1:8080:8080"
- "127.0.0.1:50000:50000" # Agent 连接
volumes:
- ${HOME}/jenkins/jenkins_home:/var/jenkins_home
- /var/run/docker.sock:/var/run/docker.sock # Docker in Docker
- ${HOME}/.ssh:/root/.ssh
environment:
- JENKINS_OPTS=--sessionTimeout=43200# 查看初始密码
docker exec jenkins cat /var/jenkins_home/secrets/initialAdminPasswordNginx 反向代理(含 WebSocket)
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream jenkins {
keepalive 32;
server 127.0.0.1:8080;
}
server {
listen 443 ssl;
server_name jenkins.example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ignore_invalid_headers off;
location / {
sendfile off;
proxy_pass http://jenkins;
proxy_http_version 1.1;
# WebSocket 支持
proxy_set_header Connection $connection_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
}Pipeline 示例
pipeline {
agent any
environment {
DOCKER_REGISTRY = 'docker.example.com'
IMAGE_NAME = 'myapp'
}
stages {
stage('Build') {
steps {
sh 'docker build -t ${DOCKER_REGISTRY}/${IMAGE_NAME}:${BUILD_NUMBER} .'
}
}
stage('Push') {
steps {
sh 'docker push ${DOCKER_REGISTRY}/${IMAGE_NAME}:${BUILD_NUMBER}'
}
}
}
}OpenLDAP 身份认证
Docker 部署
version: '3.8'
services:
openldap:
image: osixia/openldap:1.5.0
restart: always
container_name: ldap
hostname: ldap.example.com
ports:
- "389:389"
- "636:636"
environment:
- LDAP_ORGANISATION=MyCompany
- LDAP_DOMAIN=example.com
- LDAP_ADMIN_PASSWORD=adminPassword
volumes:
- ${PWD}/ldap:/var/lib/ldap
- ${PWD}/slapd.d:/etc/ldap/slapd.d
phpldapadmin:
image: osixia/phpldapadmin:latest
container_name: phpldapadmin
ports:
- "8080:80"
environment:
- PHPLDAPADMIN_LDAP_HOSTS=ldap
- PHPLDAPADMIN_HTTPS=false
depends_on:
- openldap添加用户
add-user.ldif:
dn: uid=john,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: john
cn: John Doe
sn: Doe
mail: [email protected]
userPassword: {SSHA}xxxxx
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/john# 生成密码
docker exec ldap slappasswd
# 添加用户
docker exec ldap ldapadd -x -D "cn=admin,dc=example,dc=com" -w adminPassword -f /tmp/add-user.ldif
# 搜索用户
ldapsearch -x -H ldap://localhost:389 -D "cn=admin,dc=example,dc=com" -w adminPassword \
-b "dc=example,dc=com" "(uid=john)"应用集成示例
Grafana:
[[servers]]
host = "ldap.example.com"
port = 389
bind_dn = "cn=admin,dc=example,dc=com"
bind_password = "adminPassword"
search_filter = "(uid=%s)"
search_base_dns = ["ou=Users,dc=example,dc=com"]Vaultwarden 密码管理
Vaultwarden 是 Bitwarden 的轻量级开源替代,资源占用极低。
Docker 部署
version: "3.9"
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: unless-stopped
environment:
- WEBSOCKET_ENABLED=true
- SIGNUPS_ALLOWED=false
- ADMIN_TOKEN=your-secure-random-token
- DOMAIN=https://vault.example.com
volumes:
- ${HOME}/vaultwarden:/data
ports:
- "127.0.0.1:8080:80"
- "127.0.0.1:3012:3012" # WebSocket# 生成管理员 Token
openssl rand -base64 48Nginx 反向代理
server {
listen 443 ssl http2;
server_name vault.example.com;
ssl_certificate /etc/letsencrypt/live/vault.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/vault.example.com/privkey.pem;
client_max_body_size 128M;
# Web UI
location / {
proxy_pass http://localhost:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# WebSocket
location /notifications/hub {
proxy_pass http://localhost:3012;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /notifications/hub/negotiate {
proxy_pass http://localhost:8080;
}
}客户端使用
- 安装 Bitwarden 浏览器扩展/App
- 设置 → 自托管环境
- 服务器 URL:
https://vault.example.com - 登录使用
服务对比
| 服务 | 用途 | 端口 | 资源占用 |
|---|---|---|---|
| Nexus | 制品仓库 | 8081, 5000 | 中等 |
| Jenkins | CI/CD | 8080, 50000 | 较高 |
| OpenLDAP | 身份认证 | 389, 636 | 低 |
| Vaultwarden | 密码管理 | 80, 3012 | 极低 |
通用注意事项
安全配置
- HTTPS:所有服务通过 Nginx 反向代理启用 HTTPS
- 防火墙:只开放必要端口,内部服务绑定 127.0.0.1
- 密码:使用强密码,定期更换
备份策略
# 通用备份脚本
#!/bin/bash
BACKUP_DIR=~/backups
DATE=$(date +%Y%m%d)
# Nexus
tar -czf $BACKUP_DIR/nexus-$DATE.tar.gz ~/nexus-data
# Jenkins
tar -czf $BACKUP_DIR/jenkins-$DATE.tar.gz ~/jenkins/jenkins_home
# LDAP
docker exec ldap slapcat > $BACKUP_DIR/ldap-$DATE.ldif
# Vaultwarden
tar -czf $BACKUP_DIR/vault-$DATE.tar.gz ~/vaultwarden
# 清理 30 天前的备份
find $BACKUP_DIR -name "*.tar.gz" -mtime +30 -deleteSSL 证书
使用 Let’s Encrypt 自动证书:
certbot certonly --nginx -d repo.example.com -d jenkins.example.com -d vault.example.com