diff --git a/sources/tech/20160910 HOSTING .NET CORE ON LINUX WITH DOCKER - A NOOB'S GUIDE.md b/sources/tech/20160910 HOSTING .NET CORE ON LINUX WITH DOCKER - A NOOB'S GUIDE.md index 678563a75f..5155702ca1 100644 --- a/sources/tech/20160910 HOSTING .NET CORE ON LINUX WITH DOCKER - A NOOB'S GUIDE.md +++ b/sources/tech/20160910 HOSTING .NET CORE ON LINUX WITH DOCKER - A NOOB'S GUIDE.md @@ -279,13 +279,16 @@ Server: Kestrel ``` ### KESTREL IN PRODUCTION -### +### 创建 KESTREL Microsoft’s words: +微软的介绍: >Kestrel is great for serving dynamic content from ASP.NET, however the web serving parts aren’t as feature rich as full-featured servers like IIS, Apache or Nginx. A reverse proxy-server can allow you to offload work like serving static content, caching requests, compressing requests, and SSL termination from the HTTP server. +>Kestrel 可以很好的处理来自 ASP.NET 的动态内容,然而,网络服务部分的特性没有达到 IIS,Apache 或者 Niginx 那样的全特性服务器好。反向代理服务器可以让你不用去做像处理静态内容,缓存请求,压缩请求,来自 HTTP 服务器的 SSL 终止这样的工作。 So I need to set up Nginx on my Linux machine to act as my reverse proxy. Microsoft spell out how to do this in Publish to a Linux Production Environment. I’ll summarise the instructions here: +因此我需要在 Linux 上把 Nginx 设置成一个反向代理服务器。微软发布了如何在 Linux 生产环境下进行设置的指导教程。我把说明总结在这儿: 1. Use dotnet publish to produce a self contained package for the application 2. Copy the published application to the server 
@@ -294,30 +297,45 @@ So I need to set up Nginx on my Linux machine to act as my reverse proxy. Micros 5. Enable and configure AppArmor (for limiting the resources available to an application) 6. Configure the server firewall 7. Secure Nginx (involves building from source and configuring SSL) +1. 通过 dotnet 发布来给应用产生一个自包含包。 +2. 把已发布的应用复制到服务器上 +3. 安装并配置 Nginx(如同配置一个反向代理服务器一样) +4.安装并配置管理员(确保 Nginx 服务器处于运行状态中) +5.安装并配置 AppArmor(限制应用的可用资源) +6.配置服务器防火墙 +7.保护好 Nginx(涉及从源代码构建和配置 SSL) It’s beyond the scope of this post to cover all of that, so I’m only going to concentrate on configuring Nginx as a reverse proxy - and naturally, I’m going to use Docker to do it. +这些内容已经超出了本文的范围,因此我将侧重于如何把 Nginx 配置成一个反向代理服务器。自然地,我通过 Docker 来完成这件事。 ### RUN NGINX IN ANOTHER CONTAINER +### 在另一个 CONTAIER 中运行 NGINX My aim is to run Nginx in a second Docker container and configure it as a reverse proxy to my application container. +我的目标是在一个二级 Docker container 中运行 Nginx 并把它配置成应用程序 container 的反向代理服务器。 I’ve used the official Nginx image from Docker Hub. First I tried it out like this: +我使用的是来自 Docker Hub 的官方 Nginx 图像。首先我尝试这样做: ``` docker run -d -p 8080:80 --name web nginx ``` This starts a container running Nginx and maps port 8080 on the host to port 80 in the container. Hitting http://localhost:8080 in the browser now shows the default Nginx landing page. +这打开了一个运行 Nginx 的container 并把主机上的 80 端口映射到了 container 的 80 端口上。现在在浏览器中打开网址 http://localhost:8080 会显示出 Nginx 的默认登录页面。 Now we’ve proved how easy it is to get Nginx running, we can kill the container. +现在我们证实了运行 Nginx 是多么的简单,我们可以关闭 container. ``` docker rm -f web ``` ### CONFIGURING NGINX AS A REVERSE PROXY +### 把 NGINX配置成一个反向代理服务器 Nginx can be configured as a reverse proxy by editing the config file at /etc/nginx/conf.d/default.conf like this: +可以通过像下面这样编辑位于目录 /etc/nginx/conf.d/default.conf 下的配置文件把 Nginx 配置成一个反向代理服务器: ``` server { 
@@ -330,6 +348,7 @@ server { ``` The config above will cause Nginx to proxy all requests from the root to http://localhost:6666. Remember localhost here refers to the container running Nginx. We can use our own config file inside the Nginx container using a volume: +通过上面的配置可以让 Nginx 代理从 root 到 http://localhost:6666 的所有请求。记住这里的本地主机指的是运行 Nginx 的 container. 我们可以利用卷来使用在 Nginx container 内部的配置文件: ``` docker run -d -p 8080:80 \ @@ -338,21 +357,26 @@ nginx ``` Note: this maps a single file from the host to the container, rather than an entire directory. +注意:这把一个单一文件从主机映射到 container 中,而不是一个完整目录。 ### COMMUNICATING BETWEEN CONTAINERS +### 在 CONTAINER 间进行通信 Docker allows inter-container communication using shared virtual networks. By default, all containers started by the Docker daemon will have access to a virtual network called bridge. This allows containers to be referenced from other containers on the same network via IP address and port. - +Docer 允许内部 container 通过共享虚拟网络进行通信。默认情况下,所有 +通过 Dcocker 后台程序启动的 container 都可以访问一种叫做桥的虚拟网络。这使得一个 container 可以被另一个 container 在相同的网络上通过 IP 地址和端口来引用。 You can discover the IP address of a running container by inspecting it. I’ll start a container from the niksoper/netcore-books image that I created earlier, and inspect it: +你可以通过监测 container 来找到它的 IP 地址。我将从之前创建的 niksoper/netcore-books 图像中启动一个 container 并监测它: 1. docker run -d -p 5000:5000 --name books niksoper/netcore-books 2. docker inspect books ![](http://blog.scottlogic.com/nsoper/assets/docker-inspect-ip.PNG) -We can see this container has "IPAddress": "172.17.0.3". +我们可以看到这个 container 的 IP 地址是 "IPAddress": "172.17.0.3". So now if I create the following Nginx config file, then start an Nginx container using that file, then it will proxy requests to my API: +所以现在如果我创建下面的 Nginx 配置文件,并使用这个文件启动一个 Nginx container, 它将代理请求到我的应用程序界面【API】: ``` server { 
@@ -365,6 +389,7 @@ server { ``` Now I can start an Nginx container using that config (note I’m mapping port 8080 on the host to port 80 on the Nginx container): +现在我可以使用这个配置文件启动一个 Nginx container(注意我把主机上的 8080 端口映射到了 Nginx container 上的 80 端口): ``` docker run -d -p 8080:80 \ @@ -373,16 +398,21 @@ nginx ``` A request to http://localhost:8080 will now be proxied to my application. Note the Server header in the following curl response: +一个到 http://localhost:8080 的请求代理到应用上。注意下面卷反应的服务器标题: ![](http://blog.scottlogic.com/nsoper/assets/nginx-proxy-response.PNG) ### DOCKER COMPOSE +### DOCKER 生成 At this point I was fairly pleased with my progress but I thought there must be a better way of configuring Nginx without needing to know the exact IP address of the application container. Another of the local Scott Logic DevOps heroes - Jason Ebbin - stepped up at this point and suggested Docker Compose. +在这个地方,我为自己的进步而感到高兴,但我认为一定还有更好的方法来配置 Nginx,可以不需要知道应用的 container 的确切 IP 地址。另一个当地的大师 Jason Ebbin - Scott Logic DevOps 在这个地方进行可改进,并建议生成 Docker。 As a high level description - Docker Compose makes it very easy to start up a collection of interconnected containers using a declarative syntax. I won’t go into the details of how Docker Compose works because you can read about it in this previous post. +作为一个高层次的描述 - Docker 生成使得一组互相连接的 container 通过声明式语法来启动变得非常简单。我不想再细说 Docker 生成是如何工作的因为你可以在之前的文章中找到。 I’ll start with the docker-compose.yml file that I’m using: +我将通过一个我所使用的 docker-compose.yml 文件来启动: ``` version: '2' 
@@ -400,19 +430,26 @@ services: - ./proxy.conf:/etc/nginx/conf.d/default.conf ``` -This is version 2 syntax, so you’ll need to have at least version 1.6 of Docker Compose in order for this to work. +This is version 2 syntax, so you’ll need to have at least version 1.6 of Docker Compose in order for this to work +这是版本 2 的语法,所以为了能够正常工作,你至少需要 1.6 版本的 Docker Compose. -This file tells Docker to create two services - one for the application and another for the Nginx reverse proxy. +This file tells Docker to create two services - one for the application and another for the Nginx reverse proxy. +这个文件告诉 Docker 创建两条服务 - 一条是给应用的,另一条是给 Nginx 反向代理服务器的。 ### BOOKS-SERVICE +### 服务列表 This builds a container called books-api from the Dockerfile in the same directory as this docker-compose.yml. Note that this container does not need to publish any ports because it only needs to be accessed from the reverse-proxy container rather than the host operating system. +这将从相同目录下的 Docker 文件创建一个叫做 books-api 的 conainer 作为 docker-compose.yml.注意这个 container 不需要发布任何端口,因为只要能够从反向代理服务器访问它就可以,而不需要从主机操作系统。 ### REVERSE-PROXY +### 反向代理 This starts a container called reverse-proxy based on the nginx image with a proxy.conf file mounted as the config from the current directory. It maps port 9090 on the host to port 8080 in the container which allows us to access the container from the host at http://localhost:9090. +这将启动一个基于 nginx 图像叫做 反向代理(reverse-proxy)的container,并把位于当前目录下的 proxy.conf 文件安装成为配置。它把主机上的 9090 端口映射到 container 中的 8080 端口,这将允许我们在 http://localhost:9090. 上通过主机访问 container. The proxy.conf file looks like this: +proxy.conf 文件看起来像下面这样: ``` server { 
@@ -425,48 +462,58 @@ server { ``` The key point here is that we can now refer to books-service by name so we don’t need to know the IP address of the books-api container! +这儿的关键点是我们现在可以通过名字引用 【服务列表】,因此我们不需要知道 books-api 这个 container 的 IP 地址! Now we can start the two containers with a working reverse proxy (-d means detached so we don’t see the output from the containers): +现在我们可以通过一个工作中的反向代理启动两个 container(-d 意味着这是独立的,因此我们不能看到来自 container 的输出): ``` docker compose up -d ``` Prove the containers were created: +证实我们所创建的 container: ``` docker ps ``` And finally confirm that we can hit the API via the reverse proxy: +最后来证实我们可以通过反向代理来控制应用程序界面【API】: ``` curl -i http://localhost:9090/api/books ``` ### WHAT’S GOING ON? +### 发生了什么? Docker Compose makes this happen by creating a new virtual network called mvclibrary_default which is used by both books-api and reverse-proxy containers (the name is based on the parent directory of the docker-compose.yml file). - -Prove the network exists with docker network ls: +Docker Compose 通过创建一个新的叫做 mvclibrary_default 的虚拟网络来实现这件事,这个虚拟网络同时用于 books-api 和反向代理的 container(名字是基于 docker-compose.yml 文件的父目录)。 ![](http://blog.scottlogic.com/nsoper/assets/docker-network-ls.PNG) You can see the details of the new network using docker network inspect mvclibrary_default: +你可以看到新的网络通过 docker 网络监测 mvclibrary_default 的细节: ![](http://blog.scottlogic.com/nsoper/assets/network-inspect.PNG) Note that Docker has assigned "Subnet": "172.18.0.0/16" to the network. The /16 part is CIDR notation and a full explanation is way beyond the scope of this post but CIDR just refers to a range of IP addresses. Running docker network inspect bridge shows "Subnet": "172.17.0.0/16" so the two networks do not overlap. 
+注意 Docker 已经分配了子网:“172.18.0.0/16”。/16 部分是无类域内路由选择【CIDR】,一个完整的解释已经超出了本文的范围,但无类域内路由选择【CIDR】仅表示一个 IP 地址范围。运行 docker 网络来监测桥,显示子网:“172.17.0.0/16”,因此这两个网络是不重叠的。 Now docker inspect books-api to confirm the application container is using this network: +现在用 docker 来监测 books-api 来证实应用的 container 是使用这个网络: ![](http://blog.scottlogic.com/nsoper/assets/docker-inspect-books-api.PNG) Notice the two "Aliases" for the container are the container identifier (3c42db680459) and the service name given in docker-compose.yml (books-service). We’re using the books-service alias to reference the application container in the custom Nginx configuration file. This could have been done manually with docker network create but I like Docker Compose because it wraps up container creation and interdependencies cleanly and succinctly. +注意 container 的两个别名是 container 标识符(3c42db680459)和由 docker-compose.yml (服务列表)给出的服务名。我们通过服务列表别名来引用在自定义 Nginx 配置文件中的应用的 container。这本可一以通过 docker 网络手动创建,但是我喜欢用 Docker Compose,因为它可以干净简洁的收捲创建和相互依存的 container。 ### CONCLUSION +### 结论 So now I can get the application running on Linux with Nginx in a few easy steps, without making any lasting changes to the host operating system: +所以现在我可以通过几个简单的步骤在 Linux 系统上用 Nginx 运行应用程序,不需要对主机操作系统做任何长期的改变: ``` git clone https://github.com/niksoper/aspnet5-books.git 
@@ -477,22 +524,29 @@ curl -i http://localhost:9090/api/books ``` I know what I have described in this post is not a truly production ready setup because I’ve not spoken about any of the following, but most of these topics could take an entire post on their own: +我知道我在这篇文章中所写的内容不是一个真正的生产准备设置,因为我没有写任何有关下面这些的内容,但是绝大多数下面的这些主题都需要用单独一篇完整的文章来叙述。 - Security concerns like firewalls or SSL configuration - How to ensure the application keeps running - How to be selective about what to include in a Docker image (I dumped everything in via the Dockerfile) - Databases - how to manage them in containers +- 安全考虑比如防火墙和 SSL 配置 +- 如何确保应用该保持运行状态 +- 如何选择需要包含的 Docker 图像(我把所有的都放入了 Dockerfile 中) +- 数据库 - 如何在 container 中管理应用 This has been a very interesting learning experience for me because for a while now I have been curious to explore the new cross platform support that comes with ASP.NET Core, and the opportunity to explore a little bit of the DevOps world using Docker Compose for a “Configuration as Code” approach has been both enjoyable and educational. +对我来说这是一个非常有趣的学习经历,因为有一段时间我对探索伴有 ASP.NET 核心的跨平台支持非常好奇,使用针对 “Configuratin as Code” 的 Docker Compose 方法来探索一下 DevOps 的世界也是非常愉快并且很有教育意义的。 If you’re at all curious about Docker then I encourage you to get stuck in by trying it out - especially if this puts you out of your comfort zone. Who knows, you might enjoy it? +如果你对 Docker 很好奇,那么我鼓励你来尝试学习它 - 特别地,这是否会让你感到痛苦。谁知道呢,有可能你会喜欢它? -------------------------------------------------------------------------------- via: http://blog.scottlogic.com/2016/09/05/hosting-netcore-on-linux-with-docker.html?utm_source=webopsweekly&utm_medium=email 作者:[Nick Soper][a] -译者:[译者ID](https://github.com/译者ID) +译者:[ucasFL](https://github.com/ucasFL) 校对:[校对者ID](https://github.com/校对者ID) 本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
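
Review bot: The added heading `### 创建 KESTREL` in the hunk at `@@ -279,13 +279,16 @@` reads "Creating Kestrel", but the English heading directly above it is "KESTREL IN PRODUCTION"; something like `### 生产环境中的 KESTREL` would match the source. In the quoted Microsoft paragraph of the same hunk, "Niginx" should be "Nginx", and `来自 HTTP 服务器的 SSL 终止` attaches "from the HTTP server" to SSL termination only, whereas the source says all four listed jobs (static content, caching, compression, SSL termination) are offloaded from the HTTP server.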
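
Review bot: The port mapping is wrong in the hunk at `@@ -294,30 +297,45 @@`: `把主机上的 80 端口映射到了 container 的 80 端口上` says host port 80, while the English line and the command `docker run -d -p 8080:80 --name web nginx` both say host port 8080, so please change the first "80" to "8080". In the same hunk, items 4 to 7 of the translated list have no space after the number (`4.安装并配置管理员` and following), so Markdown will not render them as list items, and the translated list starts immediately after English item 7 with no blank line, which merges the two lists. The heading `### 在另一个 CONTAIER 中运行 NGINX` misspells "CONTAINER", and `默认登录页面` means "login page" where the source says "landing page".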
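
Review bot: The hunk at `@@ -338,21 +357,26 @@` deletes the English source line `We can see this container has "IPAddress": "172.17.0.3".` and the blank line that separated the two paragraphs above it, while every other hunk keeps the English text and adds the translation beneath it; please restore both and add the Chinese as new lines. The first translated paragraph is also split mid-sentence across two `+` lines after `所有`, it misspells Docker twice ("Docer", "Dcocker"), and `内部 container` means "internal container" where the source says inter-container communication.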
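
Review bot: In the hunk at `@@ -373,16 +398,21 @@`, `注意下面卷反应的服务器标题` turns the tool name curl into `卷` ("volume") and "response" into `反应` ("reaction"); suggest `注意下面 curl 响应中的 Server 头`. The product name Docker Compose is rendered as `DOCKER 生成` / `Docker 生成` here, but the hunk at `@@ -400,19 +430,26 @@` leaves it as "Docker Compose" (`1.6 版本的 Docker Compose`); keep the product name untranslated throughout so readers can search for it. The sentence about Jason Ebbin (`另一个当地的大师 Jason Ebbin - Scott Logic DevOps 在这个地方进行可改进`) also reorders the names so that "Scott Logic DevOps" reads as part of his name, and `进行可改进` is not grammatical.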
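
Review bot: The hunk at `@@ -400,19 +430,26 @@` edits the English source lines themselves: the sentence ending `in order for this to work.` loses its final period, and the `This file tells Docker to create two services ...` line is removed and re-added with no visible difference, which suggests a whitespace-only change. Please leave the source text untouched and only add translation lines. In the same hunk, `### 服务列表` ("service list") replaces the service name BOOKS-SERVICE, which is an identifier from docker-compose.yml and should stay as is; `conainer` is a typo; `作为 docker-compose.yml` mistranslates "in the same directory as this docker-compose.yml"; and there is a stray period inside `http://localhost:9090. 上`.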
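
Review bot: The hunk at `@@ -425,48 +462,58 @@` removes `Prove the network exists with docker network ls:` without adding a translation, so the docker-network-ls.PNG screenshot is left with no lead-in; restore the English line and translate it. Several commands in this hunk are translated into prose and can no longer be copied: `docker 网络监测 mvclibrary_default` should keep `docker network inspect mvclibrary_default`, `运行 docker 网络来监测桥` should keep `docker network inspect bridge`, and `docker 网络手动创建` should keep `docker network create`. `控制应用程序界面【API】` also says "control the API" where the source says the API can be reached through the reverse proxy, and `这本可一以` and `收捲` look like typing errors.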
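
Review bot: Three of the translated bullets in the hunk at `@@ -477,22 +524,29 @@` change the meaning of the source: `如何选择需要包含的 Docker 图像` says "which Docker images to include" where the source is about what to include in a Docker image, `数据库 - 如何在 container 中管理应用` says "manage the application" where the source says to manage them (the databases), and `如何确保应用该保持运行状态` has a stray `该`. The translated bullets also follow the English bullets with no blank line, so the two lists merge. In the closing paragraphs, `“Configuratin as Code”` is misspelled, and `特别地,这是否会让你感到痛苦` ("whether this will cause you pain") does not match "especially if this puts you out of your comfort zone".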