发表于 | 分类于
字数统计: 453 | 阅读时长 ≈ 2

Foreward

正好有业务场景需要使用分布式锁,读到这篇文章,非常好,做下摘录.

Code

  • RedisKey设置
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
public class RedisKey {
    /**
     * 正则表达式.
     */
    public static final String REGEX = "\\{[a-zA-Z0-9]*\\}";
    /**
     * 全局独自执行任务.
     */
    public static final String EXEC_LOCK = "exec:lock";
    /**
     * 和锁配合使用,每个客户端一个标志.
     */
    private static final String OWNER_ID = UUID.randomUUID().toString();
    /**
     * 获取执行指定任务权限key.
     *
     * @return
     */
    public static String getExecLock(Object... objs) {
        return replaceKey(EXEC_LOCK, objs);
    }
    private static String replaceKey(String key, Object... objs) {
        for (Object obj : objs) {
            key = key.replaceFirst(REGEX, String.valueOf(obj));
        }
        return key;
    }
    public static String getOwnerId() {
        return OWNER_ID;
    }
}
  • RedisService服务工具类
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
@Slf4j
public class RedisService {  
    /**
     * Only set the key if it does not already exist.
     */
    private static final String SET_IF_NOT_EXIST = "NX";
    /**
     * Set the specified expire time, in milliseconds.
     */
    private static final String SET_WITH_EXPIRE_MILL_TIME = "PX";
    /**
     * Set the specified expire time, in seconds.
     */
    private static final String SET_WITH_EXPIRE_SECOND_TIME = "EX";
    private static final String LOCK_SUCCESS = "OK";
    private static final Long RELEASE_SUCCESS = 1L;
    
    /**
     * 设置分布式锁.(过期时间毫秒)
     * @param lockKey    锁的名称.
     * @param requestId  持锁人ID.
     * @param expireTime 锁的超时时间.
     * @return 是否获取锁.
     */
    public synchronized boolean tryGetDistributeLock(String lockKey, String requestId, int expireTime) {
        log.debug("lock key: {}, ownerId: {}, expire time: {}", lockKey, requestId, expireTime);
        String result = jedis.set(lockKey, requestId, SET_IF_NOT_EXIST, SET_WITH_EXPIRE_MILL_TIME, expireTime);
        if (LOCK_SUCCESS.equals(result)) {
            return true;
        }
        return false;
    }

    /**
     * 释放分布式锁.
     *
     * @param lockKey   锁
     * @param requestId 请求标识
     * @return 是否释放成功.
     */
    public synchronized boolean releaseDistributedLock(String lockKey, String requestId) {
        log.debug("release lock key: {}, ownerId: {}, expire time: {}", lockKey, requestId);
        String script = "if redis.call('get', KEYS[1]) == ARGV[1] then return redis.call('del', KEYS[1]) else return 0 end";
        Object result = jedis.eval(script, Collections.singletonList(lockKey), Collections.singletonList(requestId));
        if (RELEASE_SUCCESS.equals(result)) {
            return true;
        }
        return false;
    }
}

发表于 | 分类于
字数统计: 1,184 | 阅读时长 ≈ 5

环境

  • mac 10.13.6, LibreSSL 2.2.7

前言

对于数字签名、证书、CA、Https的相关概念一直都很混乱.参考了相关资料后,并记录.

  • 公钥、私钥

    用于对数据进行加密、解密.

  • 摘要(digest)、数字签名(signature)

    摘要,是对数据进行hash运算后的数据; 数字签名(signature),使用公(私)钥对摘要进行加密后的数据.

  • CA(Certificate Authority)证书中心、数字证书(Digest Certificate)

    CA(证书中心)用自己的私钥,对用户公钥、用户个人信息进行加密,生成数字证书(Digest Certificate).

  • SSL握手过程

    • 客户端向服务器发请求,请求证书

    • 服务器把证书发给客户端

    • 客户端一般会有大部分CA的公钥,客户端收到证书后,检查该颁发者是否是客户端认可的CA,如果是,就用该CA的公钥解密数字签名,然后再计算

      证书中的”公钥和证书信息“的hash值,比较两者,如果相同,那就说明该证书没有被人篡改过,而且是该CA机构颁发的。当然,还会进行其它验证,
      如证书的common name与http request header中的host(不包括端口)是否相同,等等,如果有哪项检查不通过,会有告警,如果所有检查通过,
      那进入下一步。

    • 客户端生成对称密钥,用证书中的公钥加密,发给服务器

    • 服务器收到对称密钥后保存,给客户端一个应答。

    • 客户端接收响应,这样就完成了SSL连接,后面的通信用对称密钥加密数据传输。

      因为非对称加密相对对称加密来说比较耗时,所以正式的数据传输是用对称加密算法。非对称加密只是用于建立SSL时对称密钥的安全传输。我们可以设置

HTTPS长连接,这样建立好SSL+HTTP连接后,可以用这个连接发多次HTTPS请求,而不用每次请求都建立连接。

生成证书

详细信息参考req

1
2
3
4
5
6
7
8
9
10
11
12
13
# 生成一个RSA私钥,1024是加密强度,一般是1024或2048 
$ openssl genrsa -out private.key 2048
 
# 生成一个证书请求
$ openssl req -new -key private.key -out cert_req.csr

# 自己签发证书,如果要权威CA签发的话,要把cert_req.csr发给CA
$ openssl x509 -req -days 3650 -in cert_req.csr -signkey private.key -out server_cert.crt
只需要两处填写就行,其他都不填.
...
Common Name (eg, fully qualified host name) []:这里填域名
...
A challenge password []:密码
  • 使用自签名脚本
1
2
3
4
5
6
7
$ ./gencrt.sh 
输入域名和密码即可,这里输入域名gitlab.example.com,则生成以下4个文件
gitlab.example.com.crt:自签名的证书
gitlab.example.com.csr:证书的请求
gitlab.example.com.key:不带口令的Key
gitlab.example.com.origin.key:带口令的Key
只要使用.crt和com.key即可.

Nginx使用

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# 启动nginx
$ docker run --name mynginx -p 8080:80 -d nginx
# 拷贝nginx的配置文件到本地,并重命名文件夹为conf
$ docker cp mynginx:/etc/nginx /opt/nginx
$ mv /opt/nginx/nginx /opt/nginx/conf/certs下
# 删除容器
$ docker rm -f mynginx
# 拷贝密钥到/opt/nginx/conf/certs下
$ cp gitlab.example.com.crt gitlab.example.com.key /opt/nginx/conf/certs
# 设置证书.在配置文件最后添加内容.
$ vim /opt/nginx/conf/conf.d/default.conf
server {
    listen 443 ssl;
    server_name  localhost;

    ssl                      on;
    ssl_certificate          /etc/nginx/certs/gitlab.example.com.crt;
    ssl_certificate_key      /etc/nginx/certs/gitlab.example.com.key;

    ssl_session_timeout  5m;

    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers   on;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}
# 启动
$ docker run --name mynginx -v /opt/nginx/conf:/etc/nginx -p 8080:80 -p 8081:443 -d nginx
# 浏览器验证即可.

参考

附录

自签名脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
$ vim gencrt.sh
#!/bin/sh
# create self-signed server certificate:
read -p "Enter your domain [www.example.com]: " DOMAIN

echo "Create server key..."

openssl genrsa -des3 -out $DOMAIN.key 2048

echo "Create server certificate signing request..."

SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"

openssl req -new -subj $SUBJECT -key $DOMAIN.key -out $DOMAIN.csr

echo "Remove password..."

mv $DOMAIN.key $DOMAIN.origin.key
openssl rsa -in $DOMAIN.origin.key -out $DOMAIN.key

echo "Sign SSL certificate..."

openssl x509 -req -days 3650 -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt

echo "TODO:"
echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt"
echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key"
echo "Add configuration in nginx:"
echo "server {"
echo "    ..."
echo "    listen 443 ssl;"
echo "    ssl_certificate     /etc/nginx/ssl/$DOMAIN.crt;"
echo "    ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;"
echo "}"

发表于 | 分类于
字数统计: 448 | 阅读时长 ≈ 2

前言

这里记录自己常用的一些实战技巧.

技巧一

容器执行指定命令并后台运行

容器是否会长久运行,是和 docker run 指定的命令有关,和 -d 参数无关.
我就有以下场景需求.制作一个squid镜像,并在运行容器后,容器里执行squid start命令.
一般需要让容器可以后台长久运行,需要指定/bin/bash指令.

1
$ docker run -ti --name [容器名] -d [镜像名] /bin/bash

方式一:通过Dockerfile来build

利用ENTRYPOINT实现

1
2
3
4
5
6
7
8
9
10
FROM centos:7
RUN yum install -y squid
# ip高匿与端口
RUN echo 'request_header_access Via deny all' >> /etc/squid/squid.conf \
 && echo 'request_header_access X-Forwarded-For deny all' >> /etc/squid/squid.conf \
 && echo 'request_header_access From deny all' >> /etc/squid/squid.conf \
 && sed -i 's/http_access deny all/http_access allow all/g' /etc/squid/squid.conf \
 && sed -i 's/http_port 3128/http_port 57112/g' /etc/squid/squid.conf
ENTRYPOINT /usr/sbin/squid start && /bin/bash # 这个是重点
EXPOSE 57112

方式二:使用supervisor(有问题,待修改)

1、容器中需要安装supervisor服务;
2、上传本地supervisor配置文件

1
2
3
4
5
6
7
8
9
10
11
FROM centos:7
RUN yum install -y squid python-setuptools
RUN easy_install supervisor
COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
# ip高匿与端口
RUN echo 'request_header_access Via deny all' >> /etc/squid/squid.conf \
 && echo 'request_header_access X-Forwarded-For deny all' >> /etc/squid/squid.conf \
 && echo 'request_header_access From deny all' >> /etc/squid/squid.conf \
 && sed -i 's/http_access deny all/http_access allow all/g' /etc/squid/squid.conf \
 && sed -i 's/http_port 3128/http_port 57112/g' /etc/squid/squid.conf
EXPOSE 57112

supervisor配置文件
1
2
3
4
[supervisord]
nodaemon=true
[program:squid]
command=/usr/sbin/squid start

技巧二

Docker Hub 自动构建

技巧三

本地阅读Docker官方文档

1
2
# 本地运行Docker官方文档网站
$ docker run -d -p 80:4000 docs/docker.github.io

发表于 | 分类于
字数统计: 349 | 阅读时长 ≈ 2

环境

  • mac 10.13.4 , Docker version 18.03.1-ce,Centos7

前言

目前docker提供ce(community edition)社区版本和ee(enterprise edition)企业版本.选择ce版本即可.

docker

img

img

Centos7安装

安装CE版本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# 卸载旧版本
$ yum remove docker \
                  docker-ce \
                  docker-client \
                  docker-client-latest \
                  docker-common \
                  docker-latest \
                  docker-latest-logrotate \
                  docker-logrotate \
                  docker-selinux \
                  docker-engine-selinux \
                  docker-engine
# 为了防止之前已经安装的遗留问题,删除镜像储存目录
$ rm -rf /var/lib/docker
# 安装依赖工具
$ yum install -y yum-utils \
  device-mapper-persistent-data \
  lvm2
# 安装docker官方仓库(失败 使用阿里云仓库)
$ yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
# 如果上面执行后如下报错,添加阿里云的源即可.
Loaded plugins: fastestmirror
adding repo from: https://download.docker.com/linux/centos/docker-ce.repo
grabbing file https://download.docker.com/linux/centos/docker-ce.repo to /etc/yum.repos.d/docker-ce.repo
Could not fetch/save url https://download.docker.com/linux/centos/docker-ce.repo to file /etc/yum.repos.d/docker-ce.repo: [Errno 12] Timeout on https://download.docker.com/linux/centos/docker-ce.repo: (28, 'Resolving timed out after 30455 milliseconds')
$ yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# 安装docker
$ yum install -y docker-ce
# 启动
$ systemctl enable docker && systemctl start docker

添加docker hub中国官方镜像加速器

1
2
3
4
$ vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://registry.docker-cn.com"]
}

参考

发表于 | 分类于
字数统计: 248 | 阅读时长 ≈ 1

常见问题汇总

阿里云启动报错:error initializing graphdriver: driver not supported

  • 问题描述
    从版本docker-ce-18.06.0.ce降到版本docker-ce-17.03.2.ce,不能启动.

    1
    2
    3
    4
    5
    6
    7
    8
    $ journalctl -xe
    .....
    Aug 08 14:27:12 es3-log systemd[1]: Starting Docker Application Container Engine...
    Aug 08 14:27:12 es3-log dockerd[23468]: time="2018-08-08T14:27:12.282682284+08:00" level=info msg="libcontainerd: new con...23476"
    Aug 08 14:27:13 es3-log dockerd[23468]: time="2018-08-08T14:27:13.286553501+08:00" level=error msg="[graphdriver] prior s...orted"
    Aug 08 14:27:13 es3-log dockerd[23468]: Error starting daemon: error initializing graphdriver: driver not supported
    Aug 08 14:27:13 es3-log systemd[1]: docker.service: main process exited, code=exited, status=1/FAILURE
    ......

  • 解决方案
    删除docker镜像存放目录/var/lib/docker,猜测是新版本目录结构与老版本不通导致.

    1
    2
    3
    4
    5
    # docker-ce-17.03.2.ce版本/var/lib/docker目录
    containers image network overlay plugins swarm tmp trust volumes
    # docker-ce-18.06.0.ce版本/var/lib/docker目录
    builder buildkit containerd containers image network overlay2 plugins runtimes	swarm tmp trust volumes
    $ rm -rf /var/lib/docker

发表于 | 分类于
字数统计: 1,343 | 阅读时长 ≈ 7

环境

  • centos 7
  • jenkins 2.121.1

前言

jenkins集群是必须搭建的,可以提高部署效率,每次只是部署几个job自然不会出现问题,如果一次要执行100个呢?试过就知道有多慢了!

搭建

jenkins-master只负责分发构建任务.

img

搭建之前,我先把几个关键点梳理下:

  • jenkins主节点创建job到目标部署主机的ssh免密登录密钥信息,在集群中的jenkins从节点如何获取?
  • jenkins主节点数据必须持久化到本地磁盘

Pull jenkins images

1
$ docker pull jenkins/jenkins:lts

Jenkins master and Mount data volume

Build Dockerfile: jenkins-data and jenkins-master

1
2
3
4
$ docker build -f jenkins-data-dockerfile -t jenkins-data .
$ docker build -f jenkins-master-dockerfile -t jenins-master .
# 从节点宿主机上执行
$ docker build -f jenkins-slave-dockerfile -t jenins-slave .

Run jenkins-master

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# 创建用户持久化jenkins数据文件的目录及日志目录.
$ mkdir -p {/data/jenkins,/data/logs/jenkins}
# 容器内启动jenkins服务使用的是jenkins用户,所以必须修改目录用户拥有者为
$ chown 1000:1000 {/data/jenkins,/data/logs/jenkins}
# 启动数据卷jenkins-datas
$ docker run --name jenkins-data \
-v /data/jenkins:/var/jenkins_home \
-v /data/logs/jenkins:/var/log/jenkins \
jenkins-data
# 启动jenkins-master.(构建dockerfile见附录.)
$ docker run -d \
-p 19875:8080 \
-p 50000:50000 \
--volumes-from jenkins-data \
--name jenkins-master \
jenkins-master

Run jenkins-slave in slave machine

1
2
3
4
5
6
$ docker run -ti -d \
-p 19222:22 \
--restart on-failure \
--network host \ 
--name jenkins-slave \
jenkins-slave

Jenkins master add slave node

添加登录slave的用户名密码

Jenkins->Credentials

img

这里可以添加root用户,避免一些权限问题.

添加节点

Jenkins->系统管理->管理节点

img

指定远程工作目录,如果是用jenkins_slave用户时注意/home/jenkins_home需要jenkins_slave权限.为了方便起见,这里就直接使用root用户

img

同步jenkins-master的密钥及相关脚本

这里我采用的做法是配置job,通过job将.ssh/id_rsa, .ssh/id_rsa.pub,.ssh/known_hosts拷贝到slave中(见rsa_sysnc.sh脚本).
(所有脚本proxy-scripts已同步到git上.)

新建同步job

img

上传dockerfile到docker hub个人仓库.

参考

Getting started with Docker 官方,推荐

Docker Volume 之权限管理

Get Started with Jenkins 2.0 with Docker

Official Jenkins Docker image

附录

jenkins-data-dockerfile

1
2
3
4
5
6
7
8
9
10
$ vim jenkins-data-dockerfile
FROM debian:jessie
# Create the jenkins user
RUN useradd -d "/var/jenkins_home" -u 1000 -m -s /bin/bash jenkins
# Create the folders and volume mount points
RUN mkdir -p /var/log/jenkins
RUN chown -R jenkins:jenkins /var/log/jenkins
VOLUME ["/var/log/jenkins", "/var/jenkins_home"]
USER jenkins
CMD ["echo", "Data container for Jenkins"]

jenkins-master-dockerfile(待补充插件列表)

1
2
3
4
5
6
$ vim jenkins-master-dockerfile
FROM jenkins/jenkins:lts
# 增加swarm:3.13插件.https://plugins.jenkins.io/swarm
USER root
RUN /usr/local/bin/install-plugins.sh docker_swarm Ansible Multijob Pipeline
USER jenkins

jenkins-slave-dockerfile

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
FROM centos:centos7
# 创建用户及修改密码
RUN groupadd -g 1000 jenkins_slave
RUN useradd -d /home/jenkins_home -s /bin/bash \
-m jenkins_slave -u 1000 -g jenkins_slave
RUN echo 'ys123456' | passwd --stdin root
RUN echo 'jpass' | passwd --stdin jenkins_slave
# 安装依赖包
RUN yum install -y passwd openssl openssh-server wget git vim java-1.8.0-openjdk java-1.8.0-openjdk-devel ansible
# 设置maven,安装路径保持和jenkins-master中的一致.
RUN rm -rf /opt/apache-maven* && \
wget -O /opt/apache-maven-3.5.4.tar.gz http://mirrors.shu.edu.cn/apache/maven/maven-3/3.5.4/binaries/apache-maven-3.5.4-bin.tar.gz && \
tar -xvf /opt/apache-maven-3.5.4.tar.gz -C /opt/ && \
mv /opt/apache-maven-3.5.4 /opt/maven && \
rm -rf /opt/apache-maven-3.5.4 && \
rm -rf /opt/apache-maven-3.5.4.tar.gz && \
echo "export MAVEN_HOME=/opt/maven" >> /etc/profile && \
echo 'PATH=$PATH:$MAVEN_HOME/bin' >> /etc/profile && \
source /etc/profile
# 设置jdk,安装路径保持和jenkins-master中的一致.
RUN mkdir -p /usr/local/java && \
wget --no-cookies \
--no-check-certificate \
--header "Cookie: oraclelicense=accept-securebackup-cookie" \
http://download.oracle.com/otn-pub/java/jdk/8u171-b11/512cd62ec5174c3487ac17c61aaa89e8/jdk-8u171-linux-x64.tar.gz \
-O /usr/local/java/jdk1.8.tar.gz
RUN tar -xvf /usr/local/java/jdk1.8.tar.gz -C /usr/local/java && mv /usr/local/java/jdk1.8.0_171 /usr/local/java/jdk1.8 && echo 'export JAVA_HOME=/usr/local/java/jdk1.8' >> /etc/profile && echo 'PATH=$PATH:$JAVA_HOME/bin' && source /etc/profile
# 设置jenkins_home目录,保持和jenkins-master一致.(根据需要自己修改路径)
RUN mkdir -p /root/.jenkins && echo 'export JENKINS_HOME=/root/.jenkins/' >> /etc/profile && source /etc/profile
# 生成密钥
RUN ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
RUN ssh-keygen -q -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
RUN sed -i 's|session required pam_loginuid.so|session optional pam_loginuid.so|g' /etc/pam.d/sshd
RUN mkdir -p /root/.ssh && chown root.root /root && chmod 700 /root/.ssh

# 下载脚本.这里是因为脚本构建用到了许多脚本.
RUN git clone https://github.com/steven-ji/proxy-scripts.git /opt/scripts
RUN chown -R 1000:1000 /opt/scripts

#设置时区
RUN /bin/cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && echo 'Asia/Shanghai' >/etc/timezone

EXPOSE 22

CMD ip addr ls eth0 | awk '{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+';/usr/sbin/sshd -D

jenkins-slave-swarm-dockerfile

碰到的问题

场景一:jenkins-master为较早创建,需要扩展jenkins-slave

jenkins-master为较早创建的,其中全局工具配置里jdk路径、maven路径、工作空间路径等都是已经确定好的.在创建jenkins-slave时,需要保持与jenkins-master一致.(或者修改主master的相关路径)

  • jdk安装路径一致
  • maven安装路径一致
  • 工作空间(workspace)路径一致
    jenkins->全局工具配置

jenkins->系统设置
Jenkins默认的内置工作空间为系统用户的根目录下,其文件夹名称为”.jenkins”.如果设置了JENKINS_HOME则使用.

发表于 | 分类于
字数统计: 1,872 | 阅读时长 ≈ 9

Foreword

最近准备迁移公司的svn仓库,记录下自己学习及迁移过程.

Install

GitLab目前提供三个版本:(以下都是docker镜像)

只是为了满足基本使用,以CE版本安装.

Run

  • 运行环境要求

    4G内存(最低2G)、4核或8核CPU

启动GitLab是比较简单.但在正式开始使用之前,对它的配置有个全面的了解是很有必要的.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
$ docker run -d \
  --hostname 192.168.1.222 \
  --publish 443:443 --publish 80:80 --publish 22:22 \
  --name gitlab \
  --restart always \
  --volume /data/gitlab/config:/etc/gitlab \
  --volume /data/gitlab/logs:/var/log/gitlab \
  --volume /data/gitlab/data:/var/opt/gitlab \
  --network host \
  gitlab/gitlab-ce:latest
# 443 https访问端口,80 http访问端口, 22 docker容器端口.
# /data/gitlab/config配置文件目录
# /data/gitlab/logs日志存储目录
# /data/gitlab/data应用数据存储目录

  • --env GITLAB_OMNIBUS_CONFIG=""

    该参数可以覆盖容器中GitLab的配置文件/etc/gitlab/gitlab.rb.具体参数详见gitlab.rb.template

Language translate

使用xlang提供的汉化包.

测试汉化包

我使用的gitlab版本是v11.3.5,在xlang的branch中只能找到11-3-stable-zh.所以我先进行了测试,看是否可用.(如何测试?可以按照这篇文章gitlab汉化操作.)

实际上就是使用汉化包的文件替换/opt/gitlab/embedded/service/gitlab-rails/中的文件

1
2
3
$ cp -rf gitlab-11-3-stable-zh/* /opt/gitlab/embedded/service/gitlab-rails/
$ gitlab-ctl reconfigure
$ gitlab-ctl restart

测试暂时没发现问题,就是使用11-3-stable-zh版本的汉化包.

如何将汉化包加入容器?

我用的是镜像,难道我将汉化包文件路径映射到容器中吗?好吧,来测试一把.

1
2
3
4
5
6
7
8
9
10
11
$ docker run -d \
  --hostname 192.168.1.222 \
  --publish 443:443 --publish 80:80 --publish 22:22 \
  --name gitlab \
  --restart always \
  --volume /data/gitlab/config:/etc/gitlab \
  --volume /data/gitlab/logs:/var/log/gitlab \
  --volume /data/gitlab/data:/var/opt/gitlab \
  --volume /data/gitlab/data/zh/gitlab:/opt/gitlab/embedded/service/gitlab-rails \
  --network host \
  gitlab/gitlab-ce:11.3.5-ce.0

结果悲剧了,一直不断自动重启.这种问题也不是我能解决的,只能先放弃了.

怎么办呢?搜索了一番,找到了twang2218/gitlab-ce-zh提供的Dockerfile.

在twang2218的Dockerfile中找到了使用替换文件的操作

image-20181023142449054

既然twang2218能打包成功,说明Dockerfile是正确的.现在只要替换为我使用的版本和汉化包版本应该同样有效.(他山之石可以攻玉)

构建汉化包镜像
生成Dockerfile

在github上直接Forktwang2218/gitlab-ce-zh的代码,再clone到本地.

1
$ git clone https://github.com/steven-ji/gitlab-ce-zh.git

修改version.sh文件,增加11.3.5

1
2
3
4
5
6
7
8
$ vim version.sh
export VERSIONS=(
    10.7.7
    10.8.7
    11.0.5
    11.1.4
    11.3.5
)

使用脚本生成Dockerfile文件.会生成11.3目录,并且里面有个Dockerfile文件.

1
$ ./build generate 11.3

注:由于xlang提供v11.3.5的汉化包为11.3-stable-zh,所以需要修改Dockerfile文件中的v11.3.5-zh为11.3-stable-zh

通过docker hub自动构建镜像

关联github即可,具体操作忽略.

使用汉化版gitlab
1
2
3
4
5
6
7
8
9
10
$ docker pull jilingjun1014/gitlab-zh:v11.3.5
$ docker run -d \
  --publish 443:443 --publish 80:80 --publish 22:22 \
  --name gitlab \
  --restart always \
  --volume /data/gitlab/config:/etc/gitlab \
  --volume /data/gitlab/logs:/var/log/gitlab \
  --volume /data/gitlab/data:/var/opt/gitlab \
  --network host \
  jilingjun1014/gitlab-zh:v11.3.5

Config

GitLab启动加载的配置文件为gitlab.rb,先创建出来.

1
$ touch /data/gitlab/config/gitlab.rb

邮件通知配置

邮件的配置方式比较多,我的是以阿里云企业邮箱为主.(以下提供链接)

1
2
3
4
5
6
7
8
9
10
gitlab_rails['gitlab_email_from'] = "username@company.com"
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.mxhichina.com"
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_user_name'] = "username@company.com"
gitlab_rails['smtp_password'] = "password"
gitlab_rails['smtp_domain'] = "mxhichina.com"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = true
测试邮箱
1
2
3
4
# ssh到Gitlab的docker容器中.
$ docker exec -ti gitlab /bin/bash
$ gitlab-rails console
$ Notify.test_email('destination_email@address.com', 'Message Subject', 'Message Body').deliver_now

配置外部访问的URL

不使用内置的nginx时可以不配置.

  • 支持https
1
2
3
4
5
# 配置文件中添加如下,则访问GitLab的路径就是:http://gitlab.example.com
external_url "http://gitlab.example.com"
external_url "https://gitlab.example.com"
# 重新加载配置
$ gitlab-ctl reconfigure

配置端口

  • 配置web访问端口

    配置文件external_url属性指定.(实际上,修改的是容器内的端口)

1
2
external_url "http://gitlab.example.com:9080"
external_url "https://gitlab.example.com:9443"

如:访问端口为9080和9443,则在容器启动时,宿主机与容器的映射端口为-p 9443:9443 -p 9080:9080

  • 配置容器ssh端口

    配置文件:gitlab_rails['gitlab_shell_ssh_port'] = 9022

配置支持Https

GitLab安装时默认绑定安装了一个内置的Nginx.

使用内置Nginx
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# set access url
external_url "http://gitlab.example.com"
external_url "https://gitlab.example.com"
# compatable http
nginx['redirect_http_to_https'] = true
# set certs
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.example.com.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.example.com.key"
# set errer page info
nginx['custom_error_pages'] = {
  '404' => {
    'title' => 'Example title',
    'header' => 'Example header',
    'message' => 'Example message'
  }
}
使用外部Nginx
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# 关闭内置nginx
nginx['enable'] = false
# 配置访问用户.Debian/Ubuntu the default user is www-data for both Apache/Nginx whereas for RHEL/CentOS the Nginx user is nginx.
web_server['external_users'] = ['www-data','nginx']
# 配置nginx服务器ip白名单
gitlab_rails['trusted_proxies'] = ['192.168.1.0/24', '192.168.2.1', '2001:0db8::/32' ]
# Define the external url
external_url 'http://git.example.com'
# Disable the built-in nginx
nginx['enable'] = false
# Disable the built-in unicorn
unicorn['enable'] = false
# Set the internal API URL
gitlab_rails['internal_api_url'] = 'http://git.example.com'
# Define the web server process user (ubuntu/nginx)
web_server['external_users'] = ['www-data']

配置Git Repository数据存储路径

Git repository数据存储的默认路径是:/var/opt/gitlab/git-data.

注:如果采用了docker镜像方式,在启动时已经指定了宿主机的目录/data/gitlab/data,所以下面的配置可以不用.

1
2
3
4
5
# default修改存储目录,alternative增加一个存储目录
git_data_dirs({
  "default" => { "path" => "/var/opt/gitlab/git-data" },
  "alternative" => { "path" => "/mnt/nas/git-data" }
})

GitLab重新加载配置

对配置的所有修改,都需要重载配置并重启.

1
2
$ gitlab-ctl reconfigure
$ gitlab-ctl restart

Example

image-20181014223921033

Environment

  • mac 10.13.6, gitlab-ce 11.3.5-ce.0, docker 18.03.1-ce

Set configuration

Set Store path、Suport https、Set emial

  • 配置文件路径:/Users/jilingjun/Applications/data/gitlab/config

    • ssl文件路径:/Users/jilingjun/Applications/data/gitlab/config/ssl

  • 数据存储路径:/Users/jilingjun/Applications/data/gitlab/data

  • 日志存储路径:/Users/jilingjun/Applications/data/log/gitlab

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
$ vim /Users/jilingjun/Applications/data/gitlab/config/gitlab.rb
# set access url
external_url "http://gitlab.example.com"
external_url "https://gitlab.example.com"
# set ssh port
gitlab_rails['gitlab_shell_ssh_port'] = 9022
# compatable http
nginx['redirect_http_to_https'] = true
# set certs
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.example.com.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.example.com.key"
# set errer page info
nginx['custom_error_pages'] = {
  '404' => {
    'title' => 'Example title',
    'header' => 'Example header',
    'message' => 'Example message'
  }
}
# set email config.Here use aliyun enterprise mail.
gitlab_rails['gitlab_email_from'] = "username@company.com"
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.mxhichina.com"
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_user_name'] = "username@company.com"
gitlab_rails['smtp_password'] = "password"
gitlab_rails['smtp_domain'] = "mxhichina.com"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = true

Generator And Use self certificate

参考之前写的《生成自签名根证书》

RUN

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$ docker run -d \
  --hostname 192.168.1.222 \
  --publish 443:443 --publish 80:80 --publish 22:22 \
  --name gitlab \
  --restart always \
  --volume /data/gitlab/config:/etc/gitlab \
  --volume /data/gitlab/logs:/var/log/gitlab \
  --volume /data/gitlab/data:/var/opt/gitlab \
  --network host \
  jilingjun1014/gitlab-zh:v11.3.5
  
# See gitlab container logs
$ docker logs -f gitlab

# Update Permission
$ docker exec gitlab update-permissions
$ docker restart gitlab

# See gitlab container logs
$ docker logs -f gitlab

Reference

GitLab Docker Images

Gitlab汉化

发表于 | 分类于
字数统计: 2,891 | 阅读时长 ≈ 16

前言

生产上,有时需要对一些大表(几千万数据)的表中字段进行增、改操作.如果直接操作,很可能对线上有比较大的影响.很多时候,需要在非忙时(大多是凌晨)进行表修改.想想都折磨人.

这里记录使用工具gh-ost(go语言编写)进行表字段修改.

为什么用它

原理

  • 伪装成一个mysql的从节点,读取binary log.

    gh-ost-general-flow

场景

在阿里云上的一台mysql,一张2000w数据的表,需要增加一个int型字段.

使用gh-ost,耗时37分钟.

环境

  • mysql 5.7.15-log (阿里云)
  • gh-ost 1.0.46

使用

Requirements

  • If you mysql already using RBR, all is well for you
  • If not, convert one of your replicas to binlog_format='ROW', or let gh-ost do this for you.gh-ost will not convert back to STATEMENT (SBR)
  • Replica should support log-slave-updates.

所以,gh-ost建议连接到mysql的从节点上.原因如上:如果binary log为statement模式时,gh-ost会强制转换到row模式,且需要自己手动改回statement.(注: gh-ost参数中配置–switch-to-rbr)

limitations

  • 使用具有管理员账号的权限.
  • gh-ost对表名大小写不敏感,如待迁移的表名为:MyTable,且存在一张表为Mytable,则不能使用.

  • 表需要存在主键,且主键的值不是null,否则需要在gh-ost参数中添加--allow-nullable-unique-key.一般表的id都设置为自增主键,通用场景不用考虑这种问题.Read more

  • 如果gh-ost连接的是从节点,需要确保主从节点上两张表的表结构一直.

  • 使用google云数据库,参数添加 --gcp
  • 使用阿里云的RDS,参数添加 --aliyun-rds
  • 对表重命名不能使用

Install and Use

下载完成后解压后直接使用即可.

使用的关键是相关参数的设置及理解.参数的详细信息通过./gh-ost --help查看即可.这里我也罗列了详见附录gh-ost参数详解.

这里记录下我迁移中设置的相关参数.

阿里云RDS且无从节点

  • 阿里云的RDS,需要添加参数–aliyun-rds

  • 无从节点,直接在主节点上执行–allow-on-master

Check binlog_format

检查mysql的binary log格式(FULL也是支持的).如果是statement,需要添加–switch-to-rbr参数,且最后需要手动将binlog_format设置回statement格式.

1
2
3
4
5
$ show variables like 'binlog_format';
+-----------------------------------------+--------------------------------+
| Variable_name                           | Value                          |
+-----------------------------------------+--------------------------------+
| binlog_format                           | ROW                            |
Run migrate
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
./gh-ost \
--aliyun-rds=true \
--allow-on-master \
--host= --port= --database= --table= --conf=/opt/account.cnf \
--alter="ADD COLUMN platform int(2) DEFAULT NULL COMMENT '所属平台'" \
--chunk-size=5000 \
--concurrent-rowcount \
--cut-over=atomic \
--cut-over-lock-timeout-seconds=3 \
--initially-drop-ghost-table=true \
--initially-drop-old-table=true \
--initially-drop-socket-file=true \
--timestamp-old-table=true \
--verbose \
--serve-socket-file=/tmp/gh-ost.test.sock \
--switch-to-rbr \
--execute

# --conf设置登录mysql的用户名和密码文件的绝对路径.内容格式如下.
[client]
user=gh-ost
password=123456
# --aliyun-rds=true针对使用阿里云的RDS.
# --allow-on-master没有从节点时,直接连接主mysql时指定.
# --alter表结构操作,如我这里添加字段"ADD COLOUM platform int(2) DEFAULT NULL COMMENT '所属平台'"
# --chunk-size每次复制数据的数量,默认是1000,允许100~100,000之间.
# --concurrent-rowcount一边复制数据一边计算数据量
# --cut-over数据复制的最后一步,安全的对原表和新表进行切换.默认是atomic,而two-step则不安全.
# --cut-over-lock-timeout-seconds执行cut-over时间.默认3秒,可以不用配置.
# --cut-over-exponential-backoff执行cut-over失败后执行指数级等待.
# --exponential-backoff-max-interval执行指数级等待的最大时间间隔.默认是64.如:
# --exact-rowcount真实计算数据总量,执行count()操作.个人觉得没必要,比较耗时.
# --initially-drop-ghost-table(建议使用)清除以前操作遗留下的ghost表
# --initially-drop-old-table(建议使用)清除以前操作遗留下的旧表
# --initially-drop-socket-file(建议使用)清除以前遗留的socket文件
# --timestamp-old-table旧表加上时间戳
# --verbose日志界别debug
# --serve-socket-file=/tmp/gh-ost.test.sock 
# --panic-flag-file=/tmp/gh-ost.panic.flag(暂时不清楚,先不使用)
# --switch-to-rbr(建议添加)这样不用关注mysql的bin log的格式.让gh-ost去执行设置bin-log格式操作.

附录

gh-ost参数详解

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
-aliyun-rds
  	set to 'true' when you execute on Aliyun RDS.
-allow-master-master
  	explicitly allow running in a master-master setup
-allow-nullable-unique-key
  	allow gh-ost to migrate based on a unique key with nullable columns. As long as no NULL values exist, this should be OK. If NULL values exist in chosen key, data may be corrupted. Use at your own risk!
-allow-on-master
  	allow this migration to run directly on master. Preferably it would run on a replica
-alter string
  	alter statement (mandatory)
-approve-renamed-columns ALTER
  	in case your ALTER statement renames columns, gh-ost will note that and offer its interpretation of the rename. By default gh-ost does not proceed to execute. This flag approves that gh-ost's interpretation is correct
-ask-pass
  	prompt for MySQL password
-assume-master-host string
  	(optional) explicitly tell gh-ost the identity of the master. Format: some.host.com[:port] This is useful in master-master setups where you wish to pick an explicit master, or in a tungsten-replicator where gh-ost is unable to determine the master
-assume-rbr
  	set to 'true' when you know for certain your server uses 'ROW' binlog_format. gh-ost is unable to tell, event after reading binlog_format, whether the replication process does indeed use 'ROW', and restarts replication to be certain RBR setting is applied. Such operation requires SUPER privileges which you might not have. Setting this flag avoids restarting replication and you can proceed to use gh-ost without SUPER privileges
-check-flag
  	Check if another flag exists/supported. This allows for cross-version scripting. Exits with 0 when all additional provided flags exist, nonzero otherwise. You must provide (dummy) values for flags that require a value. Example: gh-ost --check-flag --cut-over-lock-timeout-seconds --nice-ratio 0
-chunk-size int
  	amount of rows to handle in each iteration (allowed range: 100-100,000) (default 1000)
-concurrent-rowcount
  	(with --exact-rowcount), when true (default): count rows after row-copy begins, concurrently, and adjust row estimate later on; when false: first count rows, then start row copy (default true)
-conf string
  	Config file
-critical-load string
  	Comma delimited status-name=threshold, same format as --max-load. When status exceeds threshold, app panics and quits
-critical-load-hibernate-seconds int
  	When nonzero, critical-load does not panic and bail out; instead, gh-ost goes into hibernate for the specified duration. It will not read/write anything to from/to any server
-critical-load-interval-millis int
  	When 0, migration immediately bails out upon meeting critical-load. When non-zero, a second check is done after given interval, and migration only bails out if 2nd check still meets critical load
-cut-over string
  	choose cut-over type (default|atomic, two-step) (default "atomic")
-cut-over-exponential-backoff
  	Wait exponentially longer intervals between failed cut-over attempts. Wait intervals obey a maximum configurable with 'exponential-backoff-max-interval').
-cut-over-lock-timeout-seconds int
  	Max number of seconds to hold locks on tables while attempting to cut-over (retry attempted when lock exceeds timeout) (default 3)
-database string
  	database name (mandatory)
-debug
  	debug mode (very verbose)
-default-retries int
  	Default number of retries for various operations before panicking (default 60)
-discard-foreign-keys
  	DANGER! This flag will migrate a table that has foreign keys and will NOT create foreign keys on the ghost table, thus your altered table will have NO foreign keys. This is useful for intentional dropping of foreign keys
-dml-batch-size int
  	batch size for DML events to apply in a single transaction (range 1-100) (default 10)
-exact-rowcount
  	actually count table rows as opposed to estimate them (results in more accurate progress estimation)
-execute
  	actually execute the alter & migrate the table. Default is noop: do some tests and exit
-exponential-backoff-max-interval int
  	Maximum number of seconds to wait between attempts when performing various operations with exponential backoff. (default 64)
-force-named-cut-over
  	When true, the 'unpostpone|cut-over' interactive command must name the migrated table
-force-table-names string
  	table name prefix to be used on the temporary tables
-heartbeat-interval-millis int
  	how frequently would gh-ost inject a heartbeat value (default 100)
-help
  	Display usage
-hooks-hint string
  	arbitrary message to be injected to hooks via GH_OST_HOOKS_HINT, for your convenience
-hooks-path string
  	directory where hook files are found (default: empty, ie. hooks disabled). Hook files found on this path, and conforming to hook naming conventions will be executed
-host string
  	MySQL hostname (preferably a replica, not the master) (default "127.0.0.1")
-initially-drop-ghost-table
  	Drop a possibly existing Ghost table (remains from a previous run?) before beginning operation. Default is to panic and abort if such table exists
-initially-drop-old-table
  	Drop a possibly existing OLD table (remains from a previous run?) before beginning operation. Default is to panic and abort if such table exists
-initially-drop-socket-file
  	Should gh-ost forcibly delete an existing socket file. Be careful: this might drop the socket file of a running migration!
-master-password string
  	MySQL password on master, if different from that on replica. Requires --assume-master-host
-master-user string
  	MySQL user on master, if different from that on replica. Requires --assume-master-host
-max-lag-millis int
  	replication lag at which to throttle operation (default 1500)
-max-load string
  	Comma delimited status-name=threshold. e.g: 'Threads_running=100,Threads_connected=500'. When status exceeds threshold, app throttles writes
-migrate-on-replica
  	Have the migration run on a replica, not on the master. This will do the full migration on the replica including cut-over (as opposed to --test-on-replica)
-nice-ratio float
  	force being 'nice', imply sleep time per chunk time; range: [0.0..100.0]. Example values: 0 is aggressive. 1: for every 1ms spent copying rows, sleep additional 1ms (effectively doubling runtime); 0.7: for every 10ms spend in a rowcopy chunk, spend 7ms sleeping immediately after
-ok-to-drop-table
  	Shall the tool drop the old table at end of operation. DROPping tables can be a long locking operation, which is why I'm not doing it by default. I'm an online tool, yes?
-panic-flag-file string
  	when this file is created, gh-ost will immediately terminate, without cleanup
-password string
  	MySQL password
-port int
  	MySQL port (preferably a replica, not the master) (default 3306)
-postpone-cut-over-flag-file string
  	while this file exists, migration will postpone the final stage of swapping tables, and will keep on syncing the ghost table. Cut-over/swapping would be ready to perform the moment the file is deleted.
-quiet
  	quiet
-replica-server-id uint
  	server id used by gh-ost process. Default: 99999 (default 99999)
-replication-lag-query string
  	Deprecated. gh-ost uses an internal, subsecond resolution query
-serve-socket-file string
  	Unix socket file to serve on. Default: auto-determined and advertised upon startup
-serve-tcp-port int
  	TCP port to serve on. Default: disabled
-skip-foreign-key-checks
  	set to 'true' when you know for certain there are no foreign keys on your table, and wish to skip the time it takes for gh-ost to verify that
-skip-renamed-columns ALTER
  	in case your ALTER statement renames columns, gh-ost will note that and offer its interpretation of the rename. By default gh-ost does not proceed to execute. This flag tells gh-ost to skip the renamed columns, i.e. to treat what gh-ost thinks are renamed columns as unrelated columns. NOTE: you may lose column data
-stack
  	add stack trace upon error
-switch-to-rbr
  	let this tool automatically switch binary log format to 'ROW' on the replica, if needed. The format will NOT be switched back. I'm too scared to do that, and wish to protect you if you happen to execute another migration while this one is running
-table string
  	table name (mandatory)
-test-on-replica
  	Have the migration run on a replica, not on the master. At the end of migration replication is stopped, and tables are swapped and immediately swap-revert. Replication remains stopped and you can compare the two tables for building trust
-test-on-replica-skip-replica-stop
  	When --test-on-replica is enabled, do not issue commands stop replication (requires --test-on-replica)
-throttle-additional-flag-file string
  	operation pauses when this file exists; hint: keep default, use for throttling multiple gh-ost operations (default "/tmp/gh-ost.throttle")
-throttle-control-replicas string
  	List of replicas on which to check for lag; comma delimited. Example: myhost1.com:3306,myhost2.com,myhost3.com:3307
-throttle-flag-file string
  	operation pauses when this file exists; hint: use a file that is specific to the table being altered
-throttle-http string
  	when given, gh-ost checks given URL via HEAD request; any response code other than 200 (OK) causes throttling; make sure it has low latency response
-throttle-query string
  	when given, issued (every second) to check if operation should throttle. Expecting to return zero for no-throttle, >0 for throttle. Query is issued on the migrated server. Make sure this query is lightweight
-timestamp-old-table
  	Use a timestamp in old table name. This makes old table names unique and non conflicting cross migrations
-tungsten
  	explicitly let gh-ost know that you are running on a tungsten-replication based topology (you are likely to also provide --assume-master-host)
-user string
  	MySQL user
-verbose
  	verbose
-version
  	Print version & exit

参考

发表于
字数统计: 105 | 阅读时长 ≈ 1

Cannot have both the docker-py and docker python modules installed together

问题很明显,目标服务器pip即安装了docker-py又安装了docker,解决办法:两者都写在后,重新安装docker-py.

1
2
3
4
5
6
7
8
9
10
# 查询版本
$ pip show docker-py
$ pip show docker
# 卸载,同理pip、pip2、pip3
$ pip uninstall docker
$ pip uninstall docker-py
$ pip uninstall docker-compose
# 安装(--ignore-installed)
$ pip install 'docker-compose>=1.7.0'
$ pip install 'docker-py>=1.7.0'
Fork me on GitHub