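Introduction to Docker
What is a container
A Linux container is a set of processes isolated from the rest of the system. It runs from a separate image, and that image provides all the files needed to support the processes.
Because a container image includes all of an application's dependencies, it is portable and consistent across development, testing and production.
Source: https://www.redhat.com/zh/topics/containers/whats-a-linux-container
Are containers just virtualization?
Virtualization lets many operating systems run on a single system at the same time.
Containers share the same operating system kernel and isolate the application processes from the rest of the system.
Differences between containers and virtualization
Linux container technology: container virtualization versus KVM virtualization
KVM virtualization: requires hardware support and hardware emulation, can run different operating systems, and starts in minutes (it goes through a boot process).
Container virtualization: requires no hardware support and no hardware emulation, shares the host's kernel, and starts in seconds (there is no boot process).
Container summary:
(1) Uses the same kernel as the host, so the performance overhead is small;
(2) No instruction-level emulation is needed;
(3) Containers run instructions natively on the CPU cores, without any special interpretation mechanism;
(4) Avoids the complexity of paravirtualization and system call replacement;
(5) Lightweight isolation that also provides sharing mechanisms, so that containers and the host can share resources.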

History of container technology
chroot: creating a new subsystem
chroot stands for "change root directory". On a Linux system the default directory structure starts at `/`, the root. After chroot is used, the directory structure starts at the specified location, which becomes `/`.
Reference: https://www.ibm.com/developerworks/cn/linux/l-cn-chroot/
Using a chroot jail to restrict SSH users to a given directory and given commands: https://linux.cn/article-8313-1.html
Deploying LXC
Linux Containers (LXC) is a kernel virtualization technology that provides lightweight virtualization for isolating processes and resources.
Installing LXC
The EPEL repository is required.
# Install the EPEL repository
yum install epel-release -y
# Edit the EPEL repository configuration file
vi /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=https://mirrors.tuna.tsinghua.edu.cn/epel/7/$basearch
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
baseurl=https://mirrors.tuna.tsinghua.edu.cn/epel/7/$basearch/debug
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 7 - $basearch - Source
baseurl=https://mirrors.tuna.tsinghua.edu.cn/epel/7/SRPMS
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1
## Install LXC
yum install lxc-* -y
yum install libcgroup* -y
yum install bridge-utils.x86_64 -y
Bridge the network interface
[root@controller ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=none
NAME=eth0
DEVICE=eth0
ONBOOT=yes
BRIDGE=br0
[root@controller ~]# cat /etc/sysconfig/network-scripts/ifcfg-br0
TYPE=Bridge
BOOTPROTO=static
NAME=br0
DEVICE=br0
ONBOOT=yes
IPADDR=10.0.0.11
NETMASK=255.255.255.0
GATEWAY=10.0.0.254
DNS1=223.5.5.5
Modify the LXC default configuration
vi /etc/lxc/default.conf
Change line 2 to: lxc.network.link = br0
Start the cgroup service
systemctl enable cgconfig.service
systemctl start cgconfig.service
Create an LXC container
Method 1:
lxc-create -t download -n centos7 -- --server mirrors.tuna.tsinghua.edu.cn/lxc-images -d centos -r 7 -a amd64
Method 2:
lxc-create -t centos -n test
Assign an IP and gateway to the container
vi /var/lib/lxc/centos7/config
lxc.network.name = eth0
lxc.network.ipv4 = 10.0.0.111/24
lxc.network.ipv4.gateway = 10.0.0.254
Start the container
lxc-start -n centos7
LXC hands-on
# List the virtual machines
[root@docker opt]# lxc-ls
centos7
Change the subsystem's root password
[root@docker opt]# chroot /var/lib/lxc/centos7/rootfs passwd
Changing password for user root.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
Start the subsystem
[root@docker opt]# lxc-start -n centos7
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization lxc.
Detected architecture x86-64.

Welcome to CentOS Linux 7 (Core)!
Check the configuration
[root@docker ~]# lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.10.0-327.el7.x86_64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
newuidmap is not installed
newgidmap is not installed
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
Bridges: enabled
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
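Docker containers
Docker uses kernel virtualization technologies (namespaces, and cgroups for CPU, memory, disk I/O and so on) to provide resource isolation and security for containers. Because Docker achieves isolation through operating-system-level virtualization, a running Docker container does not carry the extra operating system overhead of a virtual machine (VM), which improves resource utilization.
Docker's main goal is "Build, Ship and Run any App, Anywhere": build, ship, and run everywhere.
Build: make a Docker image
Ship: docker pull
Run: start a container
Every container has its own file system, the rootfs.
KVM resolves the dependency between hardware and the operating system.
Docker resolves the dependency between software and the operating system environment, so that a standalone service or application produces the same result in different environments.
A Docker container is a lightweight, portable, self-contained software packaging technology that lets an application run the same way almost anywhere. A container that a developer builds and tests on a laptop can run, without any modification, on virtual machines, physical servers or public cloud hosts in production.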
Deploying Docker
wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.repo
sed -i 's#download.docker.com#mirrors.ustc.edu.cn/docker-ce#g' /etc/yum.repos.d/docker-ce.repo
yum install docker-ce -y
Main components of Docker
Docker uses a traditional client/server (C/S) architecture, split into the docker client and the docker server, just like MySQL.
Command: docker version
[root@controller ~]# docker version
Client:
 Version:       17.12.0-ce
 API version:   1.35
 Go version:    go1.9.2
 Git commit:    c97c6d6
 Built:         Wed Dec 27 20:10:14 2017
 OS/Arch:       linux/amd64

Server:
 Engine:
  Version:      17.12.0-ce
  API version:  1.35 (minimum version 1.12)
  Go version:   go1.9.2
  Git commit:   c97c6d6
  Built:        Wed Dec 27 20:12:46 2017
  OS/Arch:      linux/amd64
  Experimental: false
Setting up remote execution for Docker
systemd in detail: http://www.ruanyifeng.com/blog/2016/03/systemd-tutorial-part-two.html
On linux-node1:
vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://10.0.0.11:2375
systemctl daemon-reload
systemctl restart docker.service
Check with ps -ef
On linux-node2:
wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.repo
sed -i 's#download.docker.com#mirrors.ustc.edu.cn/docker-ce#g' /etc/yum.repos.d/docker-ce.repo
yum install docker-ce -y
docker -H 10.0.0.11 info   # run remotely; info shows Docker's information
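The ExecStart line above publishes the Docker API on tcp://10.0.0.11:2375 without TLS, so any host that can reach that port controls the daemon, exactly as `docker -H 10.0.0.11 info` from linux-node2 shows. The following is an added example, not part of the original post: a Python check that parses a dockerd command line and flags TCP listeners not protected by `--tlsverify`. The function names, the hardened command line and its certificate paths are constructed for illustration.

```python
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# ExecStart value shown on the page (linux-node1).
PAGE_EXECSTART = ("/usr/bin/dockerd -H unix:///var/run/docker.sock "
                  "-H tcp://10.0.0.11:2375")

# Constructed hardened counterpart; the certificate paths are placeholders.
HARDENED_EXECSTART = (
    "/usr/bin/dockerd -H unix:///var/run/docker.sock "
    "-H tcp://10.0.0.11:2376 --tlsverify "
    "--tlscacert=/etc/docker/tls/ca.pem "
    "--tlscert=/etc/docker/tls/server-cert.pem "
    "--tlskey=/etc/docker/tls/server-key.pem"
)


def parse_dockerd_args(cmdline):
    """Return (listener addresses, tlsverify enabled?) for a dockerd command line."""
    args = shlex.split(cmdline)
    hosts, tlsverify = [], False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1                      # skip the value just consumed
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def audit_dockerd(cmdline):
    """Return (severity, listener, message) for every unauthenticated TCP listener."""
    hosts, tlsverify = parse_dockerd_args(cmdline)
    findings = []
    for host in hosts:
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue                    # unix:// and fd:// rely on file permissions
        if tlsverify:
            continue                    # clients must present a certificate signed by the CA
        if url.hostname in LOOPBACK:
            findings.append(("medium", host,
                             "API without TLS; any local process can control the daemon"))
        else:
            findings.append(("critical", host,
                             "API without TLS; any host that reaches this port controls the daemon"))
    return findings


if __name__ == "__main__":
    for label, line in (("page", PAGE_EXECSTART), ("hardened", HARDENED_EXECSTART)):
        print(label, audit_dockerd(line) or "no unauthenticated TCP listener")
```

With `--tlsverify` on the daemon, the client on linux-node2 also needs `--tlsverify` and its own certificate and key to connect.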
Docker's main components are images, containers and registries.
Starting the first container
Command: docker run -d -p 80:80 nginx
Hands-on:
[root@docker-node1 ~]# docker run -d -p 80:80 nginx
Unable to find image 'nginx:latest' locally
latest: Pulling from library/nginx
e7bb522d92ff: Pull complete
6edc05228666: Pull complete
cd866a17e81f: Pull complete
Digest: sha256:285b49d42c703fdf257d1e2422765c4ba9d3e37768d6ea83d7fe2043dad6e63d
Status: Downloaded newer image for nginx:latest
e1cb110a537622e4a5c885161bca69478adc5d218e6eb4e0307c7fe0c1350012
# run: create and run a container
# -d: run in the background
# -p: port mapping
# 80:80: the first is the host port, the second is the container port
# nginx: the name of the image
Docker image management
Searching for images
Command: docker search
Hands-on:
[root@docker-node1 ~]# docker search centos
NAME (image name)   DESCRIPTION (description)       STARS (number of stars)   OFFICIAL (official or not)   AUTOMATED (automated build or not)
centos              The official build of CentOS.   3992                      [OK]
Getting an image
Command: docker pull
Hands-on:
[root@docker-node1 ~]# docker pull centos   # pull the centos image (without a tag, the latest version is the default; with only a name, the official registry is the default)
Using default tag: latest
latest: Pulling from library/centos
af4b0a2388c6: Pull complete
Digest: sha256:2671f7a3eea36ce43609e9fe7435ade83094291055f1c96d9d1d1d7c0b986a5d
Status: Downloaded newer image for centos:latest
[root@docker-node1 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
centos              latest              ff426288ea90        3 weeks ago         207MB
nginx               latest              3f8a4339aadd        5 weeks ago         108MB
Pulling an image from a non-official registry:
[root@docker-node1 ~]# docker pull index.tenxcloud.com/tenxcloud/httpd:2.4
2.4: Pulling from tenxcloud/httpd
8b87079b7a06: Downloading 11.53MB/51.36MB
a3ed95caeb02: Download complete
0c30bf087cf7: Download complete
79f2be53847c: Downloading 11.14MB/11.7MB
7063c4b35837: Download complete
5c27df81ae71: Download complete
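Registry mirrors (image acceleration)
Registry mirrors: the Alibaba Cloud accelerator, the DaoCloud accelerator, the USTC accelerator, and Docker's official China registry mirror: https://registry.docker-cn.com
Registry mirror configuration:
vi /etc/docker/daemon.json
{
  "registry-mirrors": ["https://registry.docker-cn.com"]
}
Using a third-party Docker image registry
docker pull index.tenxcloud.com/tenxcloud/httpd:latest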
Image operations
List images
docker images
Delete an image
docker rmi
Example: docker image rm centos:latest
Hands-on:
[root@docker ~]# docker image rm centos:latest   # (name:tag)
Untagged: centos:latest
Untagged: centos@sha256:2671f7a3eea36ce43609e9fe7435ade83094291055f1c96d9d1d1d7c0b986a5d
Deleted: sha256:ff426288ea903fcf8d91aca97460c613348f7a27195606b45f19ae91776ca23d
Deleted: sha256:e15afa4858b655f8a5da4c4a41e05b908229f6fab8543434db79207478511ff7
[root@docker ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              3f8a4339aadd        5 weeks ago         108MB
Export an image
docker save
Example: docker image save centos > docker-centos7.4.tar.gz
Hands-on:
[root@docker ~]# docker image save centos > docker-centos7.4.tar.gz
[root@docker ~]# ls docker-centos7.4.tar.gz
docker-centos7.4.tar.gz
Import an image
docker load
Example: docker image load -i docker-centos7.4.tar.gz
Hands-on:
[root@docker ~]# docker image load -i docker-centos7.4.tar.gz
e15afa4858b6: Loading layer  215.8MB/215.8MB
Loaded image: centos:latest
[root@docker ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
centos              latest              ff426288ea90        3 weeks ago         207MB
nginx               latest              3f8a4339aadd        5 weeks ago         108MB
View detailed image information
[root@docker ~]# docker image inspect centos
Docker container management
Start a container
docker run -d -p 80:80 nginx
List running containers (two ways):
[root@docker-node1 ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                NAMES
75516b38df19        nginx               "nginx -g 'daemon of…"   3 hours ago         Up 3 hours          0.0.0.0:80->80/tcp   inspiring_euler
[root@docker-node1 ~]# docker container ls
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                NAMES
75516b38df19        nginx               "nginx -g 'daemon of…"   3 hours ago         Up 3 hours          0.0.0.0:80->80/tcp   inspiring_euler
Show containers in all states
[root@docker-node1 ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                   PORTS                NAMES
75516b38df19        nginx               "nginx -g 'daemon of…"   3 hours ago         Up 3 hours               0.0.0.0:80->80/tcp   inspiring_euler
e1cb110a5376        nginx               "nginx -g 'daemon of…"   3 hours ago         Exited (0) 3 hours ago                        thirsty_brattain
Show only container IDs
[root@docker-node1 ~]# docker ps -a -q
7cef098bebc7
75516b38df19
View a container's IP
docker container inspect <id or name> (the IP is the IPAddress field under NetworkSettings in the output)
[root@docker-node1 ~]# docker container inspect 75516b38df19
Stop a container
docker container stop <id or name>
docker container kill <id or name>
Hands-on:
[root@docker-node1 ~]# docker container stop 75516b38df19
75516b38df19
[root@docker-node1 ~]# docker container ls
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[root@docker-node1 ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS               NAMES
75516b38df19        nginx               "nginx -g 'daemon of…"   3 hours ago         Exited (0) 10 seconds ago                       inspiring_euler
e1cb110a5376        nginx               "nginx -g 'daemon of…"   3 hours ago         Exited (0) 3 hours ago                          thirsty_brattain
Summary: the first process inside a Docker container must keep running in the foreground; otherwise the container goes into the exited state!
Remove stopped containers
[root@docker-node1 ~]# docker container rm e1cb110a5376
e1cb110a5376
Batch removal:
docker rm -f `docker ps -a -q`   # force-remove everything, including running containers
[root@docker-node1 ~]# docker rm `docker ps -a -q`   # removes only stopped containers
7cef098bebc7
75516b38df19
Enter a container interactively, with a terminal allocated
docker run -it nginx:latest /bin/bash
-i -t: --interactive --tty (go straight into the container)
[root@docker-node1 ~]# docker run -it nginx:latest /bin/bash
root@7cef098bebc7:/# ls
bin   dev  home  lib64  mnt  proc  run   srv  tmp  var
boot  etc  lib   media  opt  root  sbin  sys  usr
Ways to enter a container
[root@docker-node1 opt]# docker run -it --name erlianzhang centos:latest
[root@b07f6aad08cd /]#
Attach to a running container
[root@docker ~]# docker attach erlianzhang
[root@b07f6aad08cd /]#
With exec, a starting command must be specified --- exec is the recommended method
[root@docker ~]# docker exec -it erlianzhang /bin/bash
[root@abcadd1250cb /]# ps -ef
UID         PID   PPID  C STIME TTY          TIME CMD
root          1      0  0 16:14 pts/0    00:00:00 /bin/bash
root         13      0  0 16:16 pts/1    00:00:00 /bin/bash
root         25     13  0 16:16 pts/1    00:00:00 ps -ef
Note: the first command run in the container must keep running in the foreground; otherwise the container goes into the exited state.
Detach from the container temporarily: ctrl+p, ctrl+q
Return to the container: docker attach <id or name>
Network access for Docker containers
Explicit port mapping
-p hostPort:containerPort
-p ip:hostPort:containerPort
-p ip::containerPort
-p hostPort:containerPort/udp
-p 81:80 -p 443:443
Random port mapping
docker run -P
Hands-on
docker run -d -p 888:80 nginx:latest
docker run -d -p 10.0.0.11:80:80 nginx:latest
[root@docker-node1 opt]# docker run -d -p 888:80 nginx:latest
1b177e8c6357ed08ddabb745b902a4e577e8c25e154a4b891dfa900b108dd4bd
[root@docker-node1 opt]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1406/sshd
tcp        0      0 10.0.0.11:2375          0.0.0.0:*               LISTEN      19206/dockerd
tcp6       0      0 :::22                   :::*                    LISTEN      1406/sshd
tcp6       0      0 :::888                  :::*                    LISTEN      21455/docker-proxy
Docker data volume management
Data volumes (files or directories)
-v /data
-v src:dst
Data volume containers
--volumes-from
Hands-on: mounting a host directory into a container as a data volume
[root@docker-node1 opt]# docker run -d -p 80:80 -v /data:/usr/share/nginx/html nginx:latest
884b2c093c5c59897bd55b0dcec36c882abdc99134f8fffed4cb5decda17327d
Create a data volume
[root@docker-node1 data]# docker volume ls
DRIVER              VOLUME NAME
local               qingge
Manually saving a container as an image (building an image)
Command: docker commit
Privileged container
docker run --privileged -ti -e "container=docker" -v /sys/fs/cgroup:/sys/fs/cgroup centos:latest /usr/sbin/init
Save as an image
[root@docker-node1 ~]# docker commit ebfdf46f9f12 centos6-ssh
sha256:b917ca49263af6d4435dc3c144c214af29c56dad7256e4de7978ffd9a7e24f39
[root@docker-node1 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
centos6-ssh         latest              b917ca49263a        5 seconds ago       315MB
httpd               2.4                 2e202f453940        5 days ago          179MB
centos              latest              ff426288ea90        3 weeks ago         207MB
nginx               latest              3f8a4339aadd        5 weeks ago         108MB
centos              6.8                 6704d778b3ba        2 months ago        195MB
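Building Docker images automatically with a Dockerfile
Main parts of a Dockerfile:
Base image information: FROM centos:6.8
Image build instructions: RUN yum install openssh-server -y
Instruction run when the container starts: CMD ["/bin/bash"]
Common Dockerfile instructions:
FROM Who is this image's mom? (specifies the base image)
MAINTAINER Tell others who is responsible for raising it (specifies maintainer information; optional)
RUN What you want it to do (just put RUN in front of the command)
ADD Give it some start-up capital (copies files; archives are extracted automatically)
WORKDIR I'm cd, freshly made up today (sets the current working directory)
VOLUME Give it a place to keep its luggage (sets up a volume, mounts a host directory)
EXPOSE Which door it is going to open (specifies the externally exposed port)
CMD Run, brother! (specifies what to do after the container starts)
Other Dockerfile instructions:
COPY Copy files
ENV Environment variables
ENTRYPOINT Command executed after the container starts
Example:
Here CMD runs a script. Roughly, the script starts the ssh service and keeps it in the foreground (the -D option), and starts the httpd service.
[root@docker-node1 ~]# cat /opt/base/Dockerfile
FROM centos:6.8
RUN yum install wget unzip php* httpd openssh-server -y
RUN cd /var/www/html/ && wget http://static.kodcloud.com/update/download/kodexplorer4.25.zip && unzip kodexplorer4.25.zip
RUN echo 'root:123456'|chpasswd
RUN echo 'ServerName 127.0.0.1:80' >>/etc/httpd/conf/httpd.conf
RUN /etc/init.d/sshd start
RUN chmod -Rf 777 /var/www/html/
RUN sed 's#Options Indexes FollowSymLinks#Options FollowSymLinks#g' /etc/httpd/conf/httpd.conf -i
COPY init.sh /init.sh
EXPOSE 80/tcp
EXPOSE 22/tcp
CMD ["/bin/bash","/init.sh"]
[root@docker-node1 ~]# ll /opt/base/
total 8
-rw-r--r-- 1 root root 528 Feb  1 06:16 Dockerfile
-rw-r--r-- 1 root root  82 Feb  1 03:37 init.sh
[root@docker-node1 ~]# docker image build -t centos6-yun .
docker image build -t centos6-yun /opt/base/
docker image build -t <tag for the automatically built image> <directory containing the Dockerfile>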
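The example Dockerfile above bakes a root password into an image layer, makes the web root world-writable and downloads an archive over plain HTTP without verifying it. The following is an added example, not part of the original post: a small Python lint that reports those three patterns by line number. The rule names and the hardened Dockerfile (including its download URL and checksum placeholder) are constructed for illustration.

```python
import re

# Dockerfile as shown on the page.
PAGE_DOCKERFILE = r"""FROM centos:6.8
RUN yum install wget unzip php* httpd openssh-server -y
RUN cd /var/www/html/ && wget http://static.kodcloud.com/update/download/kodexplorer4.25.zip && unzip kodexplorer4.25.zip
RUN echo 'root:123456'|chpasswd
RUN echo 'ServerName 127.0.0.1:80' >>/etc/httpd/conf/httpd.conf
RUN /etc/init.d/sshd start
RUN chmod -Rf 777 /var/www/html/
RUN sed 's#Options Indexes FollowSymLinks#Options FollowSymLinks#g' /etc/httpd/conf/httpd.conf -i
COPY init.sh /init.sh
EXPOSE 80/tcp
EXPOSE 22/tcp
CMD ["/bin/bash","/init.sh"]
"""

# Constructed hardened counterpart: HTTPS plus a pinned checksum, no password
# in the image, no world-writable tree. URL and checksum are placeholders.
HARDENED_DOCKERFILE = r"""FROM centos:6.8
RUN yum install wget unzip php* httpd -y
RUN cd /var/www/html/ && \
    wget https://downloads.example.com/app.zip && \
    echo "<expected-sha256>  app.zip" | sha256sum -c - && \
    unzip app.zip
RUN chown -R apache:apache /var/www/html/ && chmod -R 750 /var/www/html/
"""

PASSWORD = re.compile(r"""echo\s+['"]?[\w.-]+:[^'"|\s]+['"]?\s*\|\s*chpasswd""")
CHMOD_777 = re.compile(r"chmod\s+(?:-\S+\s+)*0?777\b")
HTTP_GET = re.compile(r"\b(?:wget|curl)\b[^|;&]*\bhttp://")
VERIFY = re.compile(r"\b(?:sha256sum|sha512sum|gpg)\b")


def logical_lines(text):
    """Yield (first_line_number, instruction) with backslash continuations joined."""
    buf, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue                     # blank line or comment between instructions
        if start is None:
            start = number
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None


def lint_dockerfile(text):
    """Return [(line_number, rule)] for risky RUN instructions."""
    findings = []
    for number, instruction in logical_lines(text):
        if not instruction.upper().startswith("RUN "):
            continue
        if HTTP_GET.search(instruction) and not VERIFY.search(instruction):
            findings.append((number, "unverified-http-download"))
        if PASSWORD.search(instruction):
            findings.append((number, "hardcoded-password"))   # visible in `docker history`
        if CHMOD_777.search(instruction):
            findings.append((number, "world-writable"))
    return findings


if __name__ == "__main__":
    for label, text in (("page", PAGE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, lint_dockerfile(text))
```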
Referring to other Dockerfiles
Official Dockerfiles, or the TenxCloud image marketplace
Linking containers
docker run -d -p 80:80 nginx
docker run -it --link quirky_brown:web01 qstack/centos-ssh /bin/bash
ping web01
Running zabbix-server with Docker
docker run --name mysql-server -t \
      -e MYSQL_DATABASE="zabbix" \
      -e MYSQL_USER="zabbix" \
      -e MYSQL_PASSWORD="zabbix_pwd" \
      -e MYSQL_ROOT_PASSWORD="root_pwd" \
      -d mysql:5.7 \
      --character-set-server=utf8 --collation-server=utf8_bin

docker run --name zabbix-java-gateway -t \
      -d zabbix/zabbix-java-gateway:latest

docker run --name zabbix-server-mysql -t \
      -e DB_SERVER_HOST="mysql-server" \
      -e MYSQL_DATABASE="zabbix" \
      -e MYSQL_USER="zabbix" \
      -e MYSQL_PASSWORD="zabbix_pwd" \
      -e MYSQL_ROOT_PASSWORD="root_pwd" \
      -e ZBX_JAVAGATEWAY="zabbix-java-gateway" \
      --link mysql-server:mysql \
      --link zabbix-java-gateway:zabbix-java-gateway \
      -p 10051:10051 \
      -d zabbix/zabbix-server-mysql:latest

docker run --name zabbix-web-nginx-mysql -t \
      -e DB_SERVER_HOST="mysql-server" \
      -e MYSQL_DATABASE="zabbix" \
      -e MYSQL_USER="zabbix" \
      -e MYSQL_PASSWORD="zabbix_pwd" \
      -e MYSQL_ROOT_PASSWORD="root_pwd" \
      --link mysql-server:mysql \
      --link zabbix-server-mysql:zabbix-server \
      -p 80:80 \
      -d zabbix/zabbix-web-nginx-mysql:latest
Private Docker registry
Plain registry
Start the registry container
docker run -d -p 5000:5000 --restart=always --name registry -v /opt/myregistry:/var/lib/registry registry
Edit the configuration file
/etc/docker/daemon.json
{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "insecure-registries": ["10.0.0.11:5000"]
}
"insecure-registries": ["10.0.0.11:5000"] ---- use http instead of https for this registry
Restart the docker service
systemctl restart docker.service
Tag the image
docker tag centos6-yun:latest 10.0.0.11:5000/erlianzhang/centos6-yun:latest
Push the image
docker push 10.0.0.11:5000/erlianzhang/centos6-yun:latest
Registry with basic authentication
mkdir /opt/registry-var/auth/ -p
htpasswd -Bbn erlianzhang 123456 >> /opt/registry-var/auth/htpasswd
docker run -d -p 5000:5000 -v /opt/registry-var/auth/:/auth/ -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
Hands-on
yum install httpd-tools.x86_64 -y
[root@docker-node1 ~]# mkdir /opt/registry-var/auth/ -p
[root@docker-node1 ~]# htpasswd -Bbn erlianzhang 123456 >> /opt/registry-var/auth/htpasswd
[root@docker-node1 ~]# docker run -d -p 5000:5000 -v /opt/registry-var/auth/:/auth/ -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
589820e671fa51114bf9ccf143375bce7351a80f7035e571f4e8524a1096edbb
[root@docker-node1 ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
589820e671fa        registry            "/entrypoint.sh /etc…"   11 seconds ago      Up 11 seconds       0.0.0.0:5000->5000/tcp   confident_visvesvaraya
[root@docker-node1 ~]# docker push 10.0.0.11:5000/erlianzhang/centos6-yun:latest   # pushing fails without authentication
The push refers to repository [10.0.0.11:5000/erlianzhang/centos6-yun]
f8508dc392c8: Preparing
f85b7909a4bc: Preparing
8b2d1868cde8: Preparing
ad87982f4b1b: Preparing
ac521dbe8cd3: Preparing
3d169f2d5cff: Waiting
6bad9d62f12a: Waiting
f28db075daf0: Waiting
e00c9229b481: Waiting
no basic auth credentials
[root@docker-node1 ~]# docker login 10.0.0.11:5000   # authenticate
Username: erlianzhang
Password:
Login Succeeded
[root@docker-node1 ~]# docker push 10.0.0.11:5000/erlianzhang/centos6-yun:latest   # pushing again now succeeds
The push refers to repository [10.0.0.11:5000/erlianzhang/centos6-yun]
f8508dc392c8: Pushed
f85b7909a4bc: Pushed
8b2d1868cde8: Pushed
ad87982f4b1b: Pushed
ac521dbe8cd3: Pushed
3d169f2d5cff: Pushed
6bad9d62f12a: Pushed
f28db075daf0: Pushed
e00c9229b481: Pushed
latest: digest: sha256:46e0409381ef7c5922bc5c37b5888015ab415c0e7248e463323db361318e93bf size: 2205
Verify
[root@docker-node1 ~]# cat .docker/config.json
{
    "auths": {
        "10.0.0.11:5000": {
            "auth": "b2xkYm95OjEyMzQ1Ng=="
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/17.12.0-ce (linux)"
    }
}
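The `auth` value that `docker login` stores in config.json is only the base64 encoding of `user:password`, not a hash or ciphertext, so the file is equivalent to the password and, with the `insecure-registries` setting above, the same credentials also cross the network over plain HTTP. The following is an added example, not part of the original post: a Python audit of a Docker client config that reports which registry logins are stored this way, whether other users can read the file, and whether a credential helper (`credsStore` / `credHelpers`) is configured. The sample file and its demo credentials are constructed.

```python
import base64
import json
import os
import stat
import tempfile


def audit_docker_config(path):
    """Report registry logins stored as recoverable base64 in a Docker client config."""
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    store = cfg.get("credsStore")             # global credential helper, if any
    helpers = cfg.get("credHelpers", {})      # per-registry credential helpers
    findings = []
    for registry, entry in cfg.get("auths", {}).items():
        token = entry.get("auth")
        if not token:
            continue                          # empty entry: the secret lives in a helper
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
        findings.append({
            "registry": registry,
            "user": user,
            "password_length": len(password),  # report the length, never the secret
            "readable_by_others": bool(mode & 0o044),
            "credential_helper": helpers.get(registry) or store,
        })
    return findings


def write_sample_config(directory, mode, with_helper=False):
    """Write a constructed config.json with demo credentials and return its path."""
    token = base64.b64encode(b"demo-user:demo-pass").decode("ascii")
    cfg = {"auths": {"10.0.0.11:5000": {} if with_helper else {"auth": token}}}
    if with_helper:
        cfg["credsStore"] = "pass"            # e.g. docker-credential-pass
    path = os.path.join(directory, "config.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(cfg, fh)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_docker_config(write_sample_config(tmp, 0o644)))
        print(audit_docker_config(write_sample_config(tmp, 0o600, with_helper=True)))
```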
docker-compose (a single-host container orchestration tool)
Introduction to docker-compose
In one sentence: docker-compose is used to control multiple Docker containers.
What is docker-compose
docker-compose is a tool for automating Docker.
With docker-compose, all of the tedious Docker operations can be carried out automatically with a single command.
Detailed command reference: https://www.jianshu.com/p/2217cfed29d7
Install the Python environment
yum install -y python2-pip
Detailed commands: http://www.jianshu.com/p/2217cfed29d7
Configure a pip mirror
[root@docker-node1 ~]# mkdir .pip
[root@docker-node1 ~]# vim ~/.pip/pip.conf
[global]
index-url = http://mirrors.aliyun.com/pypi/simple/
[install]
trusted-host=mirrors.aliyun.com
pip install docker-compose
Configuration file
This configuration file deploys a WordPress blog site.
cd my_wordpress/
vi docker-compose.yml
version: '3'
services:
  db:
    image: mysql:5.7
    volumes:
      - /data/db_data:/var/lib/mysql
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: somewordpress
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: wordpress
  wordpress:
    depends_on:
      - db
    image: wordpress:latest
    volumes:
      - /data/web_data:/var/www/html
    ports:
      - "8000:80"
    restart: always
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress
Start the services
# Start
docker-compose up
# Start in the background
docker-compose up -d
Docker with HAProxy load balancing
Restart containers gradually, so that a service update does not take all containers down at once.
Install HAProxy
yum install haproxy -y
Edit the configuration file
vi /etc/haproxy/haproxy.cfg
global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    stats socket /var/lib/haproxy/stats level admin
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000
listen stats
    mode http
    bind 0.0.0.0:8888
    stats enable
    stats uri     /haproxy-status
    stats auth    admin:123456
frontend frontend_www_example_com
    bind 10.0.0.11:8000
    mode http
    option httplog
    log global
    default_backend backend_www_example_com
backend backend_www_example_com
    option forwardfor header X-REAL-IP
    option httpchk HEAD / HTTP/1.0
    balance roundrobin
    server web-node1 10.0.0.11:32768 check inter 2000 rise 30 fall 15
    server web-node2 10.0.0.11:32769 check inter 2000 rise 30 fall 15
Start the service
systemctl start haproxy
Install socat
yum install socat.x86_64 -y
echo "disable server backend_www_example_com/web-node3"|socat stdio /var/lib/haproxy/stats
echo "enable server backend_www_example_com/web-node3"|socat stdio /var/lib/haproxy/stats
Test with a test page
<html>
<head>
<title>PHP測試</title>
</head>
<body>
<?php echo '<p>Hello World </p>'; ?>
<?php echo "訪問的服務器地址是:"."<font color=red>".$_SERVER['SERVER_ADDR']."</font>"."<br>";
echo "訪問的服務器域名是:"."<font color=red>".$_SERVER['SERVER_NAME']."</font>"."<br>";
?>
</body>
</html>
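Docker network types

| Type | Description |
| None | No network functionality is configured for the container; it has no network. --net=none |
| Container | Shares the Network Namespace of another running container. --net=container:containerID |
| Host | Shares the Network Namespace of the host. --net=host |
| Bridge | The NAT network model designed by Docker (the default type) |
Bridge: by default, Docker network isolation is based on network namespaces. When Docker containers are created on a physical host, each container is given its own network namespace, and the container's IP is bridged onto a virtual bridge on the physical host.
No network configured for the container (None)
In this mode no network parameters at all are configured for the container, such as the container's network interface, IP or routes; everything has to be configured by hand.
[root@docker01 ~]# docker run -it --network none busybox:latest /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
Sharing another container's network configuration (Container)
This mode is very similar to host mode, except that the new container shares the IP and ports of another container rather than those of the physical host. The container does not configure a network or ports of its own: once inside it, you will find that its IP is the IP of the container you specified and that the ports are shared too. Everything else, such as processes, remains isolated between the two.
[root@docker01 ~]# docker run -it --network container:mywordpress_db_1 busybox:latest /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
105: eth0@if106: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:12:00:03 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.3/16 brd 172.18.255.255 scope global eth0
       valid_lft forever preferred_lft forever
Using the host network
A container created in this mode has no network namespace of its own. It shares one Network Namespace with the physical host, along with all of the host's ports and IPs, and this mode is considered insecure.
[root@docker01 ~]# docker run -it --network host busybox:latest /bin/sh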
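Three options used on this page weaken container isolation: `-p` without an IP (published on every host interface), `--privileged`, and `--network host`. All three are recorded under HostConfig in the output of `docker container inspect`. The following is an added example, not part of the original post: a Python audit that reads that JSON and lists the risky settings per container. The sample input is constructed and trimmed to the relevant fields; the container names other than inspiring_euler and the list of host paths worth flagging are assumptions.

```python
import json

# Host paths whose bind mount deserves review (an assumption; extend as needed).
HOST_PATHS_OF_INTEREST = {"/", "/etc", "/proc", "/sys/fs/cgroup", "/var/run/docker.sock"}
ALL_INTERFACES = {"", "0.0.0.0", "::"}

# Constructed sample in the shape of `docker container inspect` output.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/inspiring_euler",          # docker run -d -p 80:80 nginx
     "HostConfig": {"Privileged": False, "NetworkMode": "default", "Binds": None,
                    "CapAdd": None,
                    "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]}}},
    {"Name": "/web_lan",                  # docker run -d -p 10.0.0.11:80:80 nginx
     "HostConfig": {"Privileged": False, "NetworkMode": "default", "Binds": None,
                    "CapAdd": None,
                    "PortBindings": {"80/tcp": [{"HostIp": "10.0.0.11", "HostPort": "80"}]}}},
    {"Name": "/centos_init",              # docker run --privileged -v /sys/fs/cgroup:...
     "HostConfig": {"Privileged": True, "NetworkMode": "default",
                    "Binds": ["/sys/fs/cgroup:/sys/fs/cgroup"],
                    "CapAdd": None, "PortBindings": {}}},
    {"Name": "/busybox_host",             # docker run --network host busybox
     "HostConfig": {"Privileged": False, "NetworkMode": "host", "Binds": None,
                    "CapAdd": None, "PortBindings": {}}},
])


def audit_container(info):
    """Return the isolation-weakening settings of one inspected container."""
    host = info.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged")
    if host.get("NetworkMode") == "host":
        findings.append("host-network")
    for port, bindings in sorted((host.get("PortBindings") or {}).items()):
        for binding in bindings or []:
            if binding.get("HostIp", "") in ALL_INTERFACES:
                findings.append("all-interfaces:%s->%s" % (binding.get("HostPort"), port))
    for bind in host.get("Binds") or []:
        source = bind.split(":", 1)[0].rstrip("/") or "/"
        if source in HOST_PATHS_OF_INTEREST:
            findings.append("host-path:" + source)
    for cap in host.get("CapAdd") or []:
        findings.append("cap-add:" + cap)
    return findings


def audit_inspect_output(text):
    """Map container name -> findings for the JSON printed by docker container inspect."""
    return {c.get("Name", "").lstrip("/"): audit_container(c) for c in json.loads(text)}


if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, findings or "ok")
```

On a real host the input can come from `docker container inspect $(docker ps -q)`.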
List networks
[root@docker01 ~]# docker network list
NETWORK ID          NAME                  DRIVER              SCOPE
b15e8a720d3b        bridge                bridge              local
345d65b4c2a0        host                  host                local
bc5e2a32bb55        mywordpress_default   bridge              local
ebf76eea91bb        none                  null                local
Giving Docker containers their own IP with pipework
Reference: http://blog.csdn.net/design321/article/details/48264825
Official site: https://github.com/jpetazzo/pipework
Host environment: CentOS 7.2
1. Install pipework
wget https://github.com/jpetazzo/pipework/archive/master.zip
unzip master.zip
cp pipework-master/pipework /usr/local/bin/
chmod +x /usr/local/bin/pipework
2. Configure the bridge
Install the bridge utilities
yum install bridge-utils.x86_64 -y
Modify the network interface configuration to set up bridging
# Modify the eth0 configuration so that it is bridged to br0
[root@docker01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=static
NAME=eth0
DEVICE=eth0
ONBOOT=yes
BRIDGE=br0
[root@docker01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-br0
TYPE=Bridge
BOOTPROTO=static
NAME=br0
DEVICE=br0
ONBOOT=yes
IPADDR=10.0.0.100
NETMASK=255.255.255.0
GATEWAY=10.0.0.254
DNS1=223.5.5.5
# Restart networking
[root@docker01 ~]# /etc/init.d/network restart
3. Run a container image as a test:
pipework br0 $(docker run -d -it -p 6880:80 --name httpd_pw httpd) 10.0.0.220/24@10.0.0.254
Test the port and connectivity from another host
[root@docker01 ~]# curl 10.0.0.220
<html><body><h1>It works!</h1></body></html>
[root@docker01 ~]# ping 10.0.0.220 -c 1
PING 10.0.0.220 (10.0.0.220) 56(84) bytes of data.
64 bytes from 10.0.0.220: icmp_seq=1 ttl=64 time=0.043 ms
4. Run another container with the network type set to none:
pipework br0 $(docker run -d -it --net=none --name test httpd:2.4) 10.0.0.221/24@10.0.0.254
Access test
[root@docker01 ~]# curl 10.0.0.221
<html><body><h1>It works!</h1></body></html>
5. After a container is restarted, the IP has to be assigned again:
pipework br0 testduliip 172.16.146.113/24@172.16.146.1
pipework br0 testduliip01 172.16.146.112/24@172.16.146.1
Docker cross-host communication with macvlan
Create a macvlan network
docker network create --driver macvlan --subnet 10.1.0.0/24 --gateway 10.1.0.254 -o parent=eth0 macvlan_1
Put the eth0 network interface into promiscuous mode
ip link set eth0 promisc on
Create a container that uses the macvlan network
docker run -it --network macvlan_1 --ip=10.1.0.210 busybox:latest /bin/sh
Besides macvlan networks, there are also overlay networks.
Docker cross-host communication with overlay. Reference: http://www.cnblogs.com/CloudMan6/p/7270551.html
Docker image lifecycle diagram

Harbor, an enterprise-grade Docker image registry
Introduction
Harbor is an enterprise-grade Docker registry. It provides private image storage, log statistics, access control and other features, and supports creating multiple projects (a concept introduced by Harbor). It is built on the official Registry V2. The latest version can be downloaded from https://github.com/vmware/harbor/releases. Two versions are provided officially: online and offline.
Installation steps
Container management
[root@docker01 harbor]# pwd
/opt/harbor
[root@docker01 harbor]# docker-compose stop
Step 1: install docker and docker-compose
Download harbor-offline-installer-v1.3.0.tgz
cd /opt && wget https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.3.0.tgz
tar xf harbor-offline-installer-v1.3.0.tgz
Step 2: change the hostname and the web UI password
Edit the harbor.cfg configuration file
[root@docker01 harbor]# vim harbor.cfg
···
hostname = 10.0.0.100
harbor_admin_password = 123456
···
Step 3: run install.sh
[root@docker01 harbor]# ./install.sh
Step 4: test logging in through the web UI
Pushing an image to a specific project in the registry
[root@docker02 ~]# docker tag centos:6.8 10.0.0.100/clsn/centos6.8:1.0
[root@docker02 ~]#
[root@docker02 ~]# docker images
REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE
busybox                     latest              5b0d59026729        8 days ago          1.15MB
10.0.0.100/clsn/centos6.8   1.0                 6704d778b3ba        2 months ago        195MB
centos                      6.8                 6704d778b3ba        2 months ago        195MB
[root@docker02 ~]# docker login 10.0.0.100
Username: admin
Password:
Login Succeeded
Push the image
[root@docker02 ~]# docker push 10.0.0.100/clsn/centos6.8
The push refers to repository [10.0.0.100/clsn/centos6.8]
e00c9229b481: Pushing  13.53MB/194.5MB
Please credit the source when reposting; writing this was exhausting!!!
