Docker容器技术
Docker容器技术
863987322
发布于 2018-03-29 02:42:23
发布于 2018-03-29 02:42:23
代码可运行
运行总次数:1
代码可运行
Docker介绍
什么是容器
Linux容器是与系统其他部分隔离开的一系列进程,从另一个系统镜像运行,并由该镜像提供支持进程所需的全部文件。
容器镜像包含了应用的所有依赖项,因而在从开发到测试再到生产的整个过程中,它都具有可移植性和一致性。
来源:https://www.redhat.com/zh/topics/containers/whats-a-linux-container
容器就是虚拟化吗?
虚拟化使得许多操作系统可同时在单个系统上运行。
容器只能共享操作系统内核,将应用进程与系统其他部分,隔离开。
容器和虚拟化的区别
linux容器技术,容器虚拟化和kvm虚拟化的区别
kvm虚拟化:需要硬件的支持,需要模拟硬件,可以运行不同的操作系统,启动时间分钟级(开机启动流程)
容器虚拟化:不需要硬件的支持。不需要模拟硬件,共用宿主机的内核,启动时间秒级(没有开机启动流程)
容器总结:
(1)与宿主机使用同一个内核,性能损耗小;
(2)不需要指令级模拟;
(3)容器可以在CPU核心的本地运行指令,不需要任何专门的解释机制;
(4)避免了准虚拟化和系统调用替换中的复杂性;
(5)轻量级隔离,在隔离的同时还提供共享机制,以实现容器与宿主机的资源共享。
容器技术的发展过程
chroot技术,新建一个子系统
chroot,即 change root directory (更改 root 目录)。在 linux 系统中,系统默认的目录结构都是以 `/`,即是以根 (root) 开始的。而在使用 chroot 之后,系统的目录结构将以指定的位置作为 `/` 位置。
参考资料:https://www.ibm.com/developerworks/cn/linux/l-cn-chroot/
使用chroot监狱限制SSH用户访问指定目录和使用指定命令:https://linux.cn/article-8313-1.html
lxc部署
Linux Container容器是一种内核虚拟化技术,可以提供轻量级的虚拟化,以便隔离进程和资源。
安装lxc
需要使用epel源
#安装epel源
yum install epel-release -y#编译epel源配置文件
vi /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=https://mirrors.tuna.tsinghua.edu.cn/epel/7/$basearch
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
baseurl=https://mirrors.tuna.tsinghua.edu.cn/epel/7/$basearch/debug
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1
[epel-source]
name=Extra Packages for Enterprise Linux 7 - $basearch - Source
baseurl=https://mirrors.tuna.tsinghua.edu.cn/epel/7/SRPMS
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1##安装lxc
yum install lxc-* -y
yum install libcgroup* -y
yum install bridge-utils.x86_64 -y交接网卡
[root@controller ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=none
NAME=eth0
DEVICE=eth0
ONBOOT=yes
BRIDGE=br0
[root@controller ~]# cat /etc/sysconfig/network-scripts/ifcfg-br0
TYPE=Bridge
BOOTPROTO=static
NAME=br0
DEVICE=br0
ONBOOT=yes
IPADDR=10.0.0.11
NETMASK=255.255.255.0
GATEWAY=10.0.0.254
DNS1=223.5.5.5修改lxc默认配置
vi /etc/lxc/default.conf
修改第2行为:lxc.network.link = br0启动cgroup服务
systemctl enable cgconfig.service
systemctl start cgconfig.service创建lxc容器
方法1:
lxc-create -t download -n centos7 -- --server mirrors.tuna.tsinghua.edu.cn/lxc-images -d centos -r 7 -a amd64
方法2:
lxc-create -t centos -n test为容器指定ip和网关
vi /var/lib/lxc/centos7/config
lxc.network.name = eth0
lxc.network.ipv4 = 10.0.0.111/24
lxc.network.ipv4.gateway = 10.0.0.254启动容器
lxc-start -n centos7lxc实操
#查看虚拟机
[root@docker opt]# lxc-ls
centos7 修改子系统root密码
[root@docker opt]# chroot /var/lib/lxc/centos7/rootfs passwd
Changing password for user root.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.启动子系统
[root@docker opt]# lxc-start -n centos7
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization lxc.
Detected architecture x86-64.
Welcome to CentOS Linux 7 (Core)!检测
[root@docker ~]# lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.10.0-327.el7.x86_64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
newuidmap is not installed
newgidmap is not installed
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
Bridges: enabled
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfigdocker容器
Docker是通过内核虚拟化技术(namespaces及cgroups cpu、内存、磁盘io等)来提供容器的资源隔离与安全保障等。由于Docker通过操作系统层的虚拟化实现隔离,所以Docker容器在运行时,不需要类似虚拟机(VM)额外的操作系统开销,提高资源利用率。
docker的主要目标是"Build,Ship and Run any App,Angwhere",构建,运输,处处运行
构建:做一个docker镜像
运输:docker pull
运行:启动一个容器
每一个容器,他都有自己的文件系统rootfs.
kvm解决了硬件和操作系统之间的依赖
docker解决了软件和操作系统环境之间的依赖,能够让独立服务或应用程序在不同的环境中,得到相同的运行结果。
docker容器是一种轻量级、可移植、自包含的软件打包技术,使应用程序可以在几乎任何地方以相同的方式运行。开发人员在自己笔记本上创建并测试好的容器,无需任何修改就能够在生产系统的虚拟机、物理服务器或公有云主机上运行。
Docker的部署
wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.repo
sed -i 's#download.docker.com#mirrors.ustc.edu.cn/docker-ce#g' /etc/yum.repos.d/docker-ce.repo
yum install docker-ce -ydocker的主要组成部分
docker是传统的CS架构分为docker client和docker server,向mysql一样
命令:docker version
[root@controller ~]# docker version
Client:
Version: 17.12.0-ce
API version: 1.35
Go version: go1.9.2
Git commit: c97c6d6
Built: Wed Dec 27 20:10:14 2017
OS/Arch: linux/amd64
Server:
Engine:
Version: 17.12.0-ce
API version: 1.35 (minimum version 1.12)
Go version: go1.9.2
Git commit: c97c6d6
Built: Wed Dec 27 20:12:46 2017
OS/Arch: linux/amd64
Experimental: false设置docker远程执行
systemd详解:http://www.ruanyifeng.com/blog/2016/03/systemd-tutorial-part-two.html
在linux-node1设置
vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://10.0.0.11:2375
systemctl daemon-reload
systemctl restart docker.service
ps -ef检查在linux-node2设置
wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.repo
sed -i 's#download.docker.com#mirrors.ustc.edu.cn/docker-ce#g' /etc/yum.repos.d/docker-ce.repo
yum install docker-ce -y
docker -H 10.0.0.11 info --- 远程执行 info 展示docker的信息docker主要组件有:镜像、容器、仓库
启动第一个容器
命令:docker run -d -p 80:80 nginx
实操:
[root@docker-node1 ~]# docker run -d -p 80:80 nginx
Unable to find image 'nginx:latest' locally
latest: Pulling from library/nginx
e7bb522d92ff: Pull complete
6edc05228666: Pull complete
cd866a17e81f: Pull complete
Digest: sha256:285b49d42c703fdf257d1e2422765c4ba9d3e37768d6ea83d7fe2043dad6e63d
Status: Downloaded newer image for nginx:latest
e1cb110a537622e4a5c885161bca69478adc5d218e6eb4e0307c7fe0c1350012
#run: 创建并运行一个容器,
#-d:放在后台
#-p:端口映射
#80:80:前面是宿主机的,后面是容器的
#nginx:镜像的名字docker的镜像管理
搜索镜像
命令:docker search
实操:
[root@docker-node1 ~]# docker search centos
NAME(镜像名) DESCRIPTION(说明) STARS(送心数) OFFICIAL(是否是官方的) AUTOMATED(是否自动)
centos The official build of CentOS. 3992 [OK]获取镜像
命令:docker pull
实操:
[root@docker-node1 ~]# docker pull centos --- 拉取一个镜像centos(不指定版本默认为最新版,只写名字默认在官方拉取)
Using default tag: latest
latest: Pulling from library/centos
af4b0a2388c6: Pull complete
Digest: sha256:2671f7a3eea36ce43609e9fe7435ade83094291055f1c96d9d1d1d7c0b986a5d
Status: Downloaded newer image for centos:latest
[root@docker-node1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos latest ff426288ea90 3 weeks ago 207MB
nginx latest 3f8a4339aadd 5 weeks ago 108MB拉取非官网的镜像:
[root@docker-node1 ~]# docker pull index.tenxcloud.com/tenxcloud/httpd:2.4
2.4: Pulling from tenxcloud/httpd
8b87079b7a06: Downloading 11.53MB/51.36MB
a3ed95caeb02: Download complete
0c30bf087cf7: Download complete
79f2be53847c: Downloading 11.14MB/11.7MB
7063c4b35837: Download complete
5c27df81ae71: Download complete镜像加速
镜像加速器:阿里云加速器,daocloud加速器,中科大加速器,Docker 中国官方镜像加速:https://registry.docker-cn.com
镜像加速配置:
vi /etc/docker/daemon.json
{
"registry-mirrors": ["https://registry.docker-cn.com"]
} 第三方docker镜像仓库,使用方法
docker pull index.tenxcloud.com/tenxcloud/httpd:latest镜像操作
查看镜像
docker images删除镜像
docker rmi 例子:docker image rm centos:latest实操:
[root@docker ~]# docker image rm centos:latest (名字:版本)
Untagged: centos:latest
Untagged: centos@sha256:2671f7a3eea36ce43609e9fe7435ade83094291055f1c96d9d1d1d7c0b986a5d
Deleted: sha256:ff426288ea903fcf8d91aca97460c613348f7a27195606b45f19ae91776ca23d
Deleted: sha256:e15afa4858b655f8a5da4c4a41e05b908229f6fab8543434db79207478511ff7
[root@docker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 3f8a4339aadd 5 weeks ago 108MB导出镜像
docker save 例子:docker image save centos > docker-centos7.4.tar.gz实操:
[root@docker ~]# docker image save centos > docker-centos7.4.tar.gz
[root@docker ~]# ls docker-centos7.4.tar.gz
docker-centos7.4.tar.gz导入镜像
docker load 例子:docker image load -i docker-centos7.4.tar.gz实操:
[root@docker ~]# docker image load -i docker-centos7.4.tar.gz
e15afa4858b6: Loading layer 215.8MB/215.8MB
Loaded image: centos:latest
[root@docker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos latest ff426288ea90 3 weeks ago 207MB
nginx latest 3f8a4339aadd 5 weeks ago 108MB查看镜像详细信息
[root@docker ~]# docker image inspect centos
[
{
"Id": "sha256:ff426288ea903fcf8d91aca97460c613348f7a27195606b45f19ae91776ca23d",
"RepoTags": [
"centos:latest"
],
"RepoDigests": [],
"Parent": "",
"Comment": "",
"Created": "2018-01-08T19:58:27.63047329Z",
"Container": "dd31c81a4b47b90a14cf6d1c7389465060e390f12a0b71189d181a0458d8443f",
"ContainerConfig": {
"Hostname": "dd31c81a4b47",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Cmd": [
"/bin/sh",
"-c",
"#(nop) ",
"CMD [\"/bin/bash\"]"
],
"ArgsEscaped": true,
"Image": "sha256:5a28642a68c5af8083107fca9ffbc025179211209961eae9b1f40f928331fa90",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": {
"build-date": "20180107",
"license": "GPLv2",
"name": "CentOS Base Image",
"vendor": "CentOS"
}
},
"DockerVersion": "17.06.2-ce",
"Author": "",
"Config": {
"Hostname": "",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Cmd": [
"/bin/bash"
],
"ArgsEscaped": true,
"Image": "sha256:5a28642a68c5af8083107fca9ffbc025179211209961eae9b1f40f928331fa90",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": {
"build-date": "20180107",
"license": "GPLv2",
"name": "CentOS Base Image",
"vendor": "CentOS"
}
},
"Architecture": "amd64",
"Os": "linux",
"Size": 207191530,
"VirtualSize": 207191530,
"GraphDriver": {
"Data": {
"DeviceId": "10",
"DeviceName": "docker-8:2-667845-6de21ff18b07a4a121111b78d105af3ae3d1eccf0d5bcf3dff957e3640a79dac",
"DeviceSize": "10737418240"
},
"Name": "devicemapper"
},
"RootFS": {
"Type": "layers",
"Layers": [
"sha256:e15afa4858b655f8a5da4c4a41e05b908229f6fab8543434db79207478511ff7"
]
},
"Metadata": {
"LastTagTime": "0001-01-01T00:00:00Z"
}
}
]Docker的容器管理
启动一个容器
docker run -d -p 80:80 nginx查看启动的容器(两种方法):
[root@docker-node1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
75516b38df19 nginx "nginx -g 'daemon of…" 3 hours ago Up 3 hours 0.0.0.0:80->80/tcp inspiring_euler
[root@docker-node1 ~]# docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
75516b38df19 nginx "nginx -g 'daemon of…" 3 hours ago Up 3 hours 0.0.0.0:80->80/tcp inspiring_euler显示所有状态的容器
[root@docker-node1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
75516b38df19 nginx "nginx -g 'daemon of…" 3 hours ago Up 3 hours 0.0.0.0:80->80/tcp inspiring_euler
e1cb110a5376 nginx "nginx -g 'daemon of…" 3 hours ago Exited (0) 3 hours ago thirsty_brattain只显示容器id
[root@docker-node1 ~]# docker ps -a -q
7cef098bebc7
75516b38df19查看容器ip
docker container inspect id或name
[root@docker-node1 ~]# docker container inspect 75516b38df19
[
{
"Id": "75516b38df194d00fbb2d5ce51316f621f76a1037a0fdf1d578d14498a68d8a3",
"Created": "2018-01-31T12:12:06.387035752Z",
"Path": "nginx",
"Args": [
"-g",
"daemon off;"
],
"State": {
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 19388,
"ExitCode": 0,
"Error": "",
"StartedAt": "2018-01-31T12:12:06.710448922Z",
"FinishedAt": "0001-01-01T00:00:00Z"
},
"Image": "sha256:3f8a4339aadda5897b744682f5f774dc69991a81af8d715d37a616bb4c99edf5",
"ResolvConfPath": "/var/lib/docker/containers/75516b38df194d00fbb2d5ce51316f621f76a1037a0fdf1d578d14498a68d8a3/resolv.conf",
"HostnamePath": "/var/lib/docker/containers/75516b38df194d00fbb2d5ce51316f621f76a1037a0fdf1d578d14498a68d8a3/hostname",
"HostsPath": "/var/lib/docker/containers/75516b38df194d00fbb2d5ce51316f621f76a1037a0fdf1d578d14498a68d8a3/hosts",
"LogPath": "/var/lib/docker/containers/75516b38df194d00fbb2d5ce51316f621f76a1037a0fdf1d578d14498a68d8a3/75516b38df194d00fbb2d5ce51316f621f76a1037a0fdf1d578d14498a68d8a3-json.log",
"Name": "/inspiring_euler",
"RestartCount": 0,
"Driver": "devicemapper",
"Platform": "linux",
"MountLabel": "",
"ProcessLabel": "",
"AppArmorProfile": "",
"ExecIDs": null,
"HostConfig": {
"Binds": null,
"ContainerIDFile": "",
"LogConfig": {
"Type": "json-file",
"Config": {}
},
"NetworkMode": "default",
"PortBindings": {
"80/tcp": [
{
"HostIp": "",
"HostPort": "80"
}
]
},
"RestartPolicy": {
"Name": "no",
"MaximumRetryCount": 0
},
"AutoRemove": false,
"VolumeDriver": "",
"VolumesFrom": null,
"CapAdd": null,
"CapDrop": null,
"Dns": [],
"DnsOptions": [],
"DnsSearch": [],
"ExtraHosts": null,
"GroupAdd": null,
"IpcMode": "shareable",
"Cgroup": "",
"Links": null,
"OomScoreAdj": 0,
"PidMode": "",
"Privileged": false,
"PublishAllPorts": false,
"ReadonlyRootfs": false,
"SecurityOpt": null,
"UTSMode": "",
"UsernsMode": "",
"ShmSize": 67108864,
"Runtime": "runc",
"ConsoleSize": [
0,
0
],
"Isolation": "",
"CpuShares": 0,
"Memory": 0,
"NanoCpus": 0,
"CgroupParent": "",
"BlkioWeight": 0,
"BlkioWeightDevice": [],
"BlkioDeviceReadBps": null,
"BlkioDeviceWriteBps": null,
"BlkioDeviceReadIOps": null,
"BlkioDeviceWriteIOps": null,
"CpuPeriod": 0,
"CpuQuota": 0,
"CpuRealtimePeriod": 0,
"CpuRealtimeRuntime": 0,
"CpusetCpus": "",
"CpusetMems": "",
"Devices": [],
"DeviceCgroupRules": null,
"DiskQuota": 0,
"KernelMemory": 0,
"MemoryReservation": 0,
"MemorySwap": 0,
"MemorySwappiness": null,
"OomKillDisable": false,
"PidsLimit": 0,
"Ulimits": null,
"CpuCount": 0,
"CpuPercent": 0,
"IOMaximumIOps": 0,
"IOMaximumBandwidth": 0
},
"GraphDriver": {
"Data": {
"DeviceId": "8",
"DeviceName": "docker-8:2-667845-d7559a9d1629b837315264d5191776a3583b745cbb270be66f15126659ea266d",
"DeviceSize": "10737418240"
},
"Name": "devicemapper"
},
"Mounts": [],
"Config": {
"Hostname": "75516b38df19",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"80/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"NGINX_VERSION=1.13.8-1~stretch",
"NJS_VERSION=1.13.8.0.1.15-1~stretch"
],
"Cmd": [
"nginx",
"-g",
"daemon off;"
],
"ArgsEscaped": true,
"Image": "nginx",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": {
"maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>"
},
"StopSignal": "SIGTERM"
},
"NetworkSettings": {
"Bridge": "",
"SandboxID": "33eb47f2321af718ee6a7564f8ae8c9841719051efebb2dfdb8a206d19e83004",
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"Ports": {
"80/tcp": [
{
"HostIp": "0.0.0.0",
"HostPort": "80"
}
]
},
"SandboxKey": "/var/run/docker/netns/33eb47f2321a",
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "a4a179b29fb9cda0c6332579460dddc5fbc6e7f29dd5608ae9f5742701d4202e",
"Gateway": "172.17.0.1",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"MacAddress": "02:42:ac:11:00:02",
"Networks": {
"bridge": {
"IPAMConfig": null,
"Links": null,
"Aliases": null,
"NetworkID": "12e101b4dd9dd0078bab6ed9ce9aaf2d7cca2e00e4a66b5629f088732d6698d0",
"EndpointID": "a4a179b29fb9cda0c6332579460dddc5fbc6e7f29dd5608ae9f5742701d4202e",
"Gateway": "172.17.0.1",
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:11:00:02",
"DriverOpts": null
}
}
}
}
]停止容器
docker container stop id或name
docker container kill id或name实操:
[root@docker-node1 ~]# docker container stop 75516b38df19
75516b38df19
[root@docker-node1 ~]# docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@docker-node1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
75516b38df19 nginx "nginx -g 'daemon of…" 3 hours ago Exited (0) 10 seconds ago inspiring_euler
e1cb110a5376 nginx "nginx -g 'daemon of…" 3 hours ago Exited (0) 3 hours ago thirsty_brattain总结:docker容器内的第一个进程必须一直处于前台运行的状态,否则这个容器,就会处于退出状态!
删除已关闭的容器
[root@docker-node1 ~]# docker container rm e1cb110a5376
e1cb110a5376批量删除:
docker rm -f `docker ps -a -q` -- 强制删除全部,包括启动中的
[root@docker-node1 ~]# docker rm `docker ps -a -q` #只删除关闭状态的
7cef098bebc7
75516b38df19交互式进入容器,分配终端
docker run -it nginx:latest /bin/bash
-i -t:--interactive --tty(直接进入容器)
[root@docker-node1 ~]# docker run -it nginx:latest /bin/bash
root@7cef098bebc7:/# ls
bin dev home lib64 mnt proc run srv tmp var
boot etc lib media opt root sbin sys usr进入容器的方法
[root@docker-node1 opt]# docker run -it --name erlianzhang centos:latest
[root@b07f6aad08cd /]#进入到存活的容器中
[root@docker ~]# docker attach erlianzhang
[root@b07f6aad08cd /]# exec方式必须指定起始命令 --- 推荐使用exec
[root@docker ~]# docker exec -it erlianzhang /bin/bash
[root@abcadd1250cb /]# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 16:14 pts/0 00:00:00 /bin/bash
root 13 0 0 16:16 pts/1 00:00:00 /bin/bash
root 25 13 0 16:16 pts/1 00:00:00 ps -ef注意:进入容器中第一个命令一定要让容器夯住,否则会变成退出状态
暂时退出容器:ctrl+p,ctrl+q
回到容器:docker attach id或name
docker容器的网络访问
指定映射
-p hostPort:containerPort
-p ip:hostPort:containerPort
-p ip::containerPort
-p hostPort:containerPort:udp
-p 81:80 –p 443:443随机映射
docker run -P实操
docker run -d -p 888:80 nginx:latest
docker run -d -p 10.0.0.11:80:80 nginx:latest
[root@docker-node1 opt]# docker run -d -p 888:80 nginx:latest
1b177e8c6357ed08ddabb745b902a4e577e8c25e154a4b891dfa900b108dd4bd
[root@docker-node1 opt]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1406/sshd
tcp 0 0 10.0.0.11:2375 0.0.0.0:* LISTEN 19206/dockerd
tcp6 0 0 :::22 :::* LISTEN 1406/sshd
tcp6 0 0 :::888 :::* LISTEN 21455/docker-proxy docker的数据卷管理
数据卷(文件或目录)
-v /data
-v src:dst数据卷容器
--volumes-from实操:挂载数据卷在容器宿主机
[root@docker-node1 opt]# docker run -d -p 80:80 -v /data:/usr/share/nginx/html nginx:latest
884b2c093c5c59897bd55b0dcec36c882abdc99134f8fffed4cb5decda17327d创建数据卷
[root@docker-node1 data]# docker volume ls
DRIVER VOLUME NAME
local qingge手动将容器保存为镜像(制作镜像)
命令:docker commit
特权容器
docker run --privileged -ti -e "container=docker" -v /sys/fs/cgroup:/sys/fs/cgroup centos:latest /usr/sbin/init保存为镜像
[root@docker-node1 ~]# docker commit ebfdf46f9f12 centos6-ssh
sha256:b917ca49263af6d4435dc3c144c214af29c56dad7256e4de7978ffd9a7e24f39
[root@docker-node1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos6-ssh latest b917ca49263a 5 seconds ago 315MB
httpd 2.4 2e202f453940 5 days ago 179MB
centos latest ff426288ea90 3 weeks ago 207MB
nginx latest 3f8a4339aadd 5 weeks ago 108MB
centos 6.8 6704d778b3ba 2 months ago 195MBdockerfile自动构建docker镜像
dockerfile主要组成部分:
基础镜像信息 FROM:centos:6.8
制作镜像操作指令 RUN yum install openssh-server -y
容器启动时执行指令 CMD ["/bin/bash"]dockerfile常用指令:
FROM 这个镜像的妈妈是谁? (指定基础镜像)
MAINTAINER 告诉别人,谁负责养它?(指定维护者信息,可以没有)
RUN 你想让它干啥 (在命令前面加上RUN即可)
ADD 给它点创业资金 (COPY文件,会自动解压)
WORKDIR 我是cd,今天刚化了妆 (设置当前工作目录)
VOLUME 给它一个存放行李的地方(设置卷,挂载主机目录)
EXPOSE 它要打开的门是啥 (指定对外的端口)
CMD 奔跑吧,兄弟! (指定容器启动后的要干的事情)dockerfile其他指令:
COPY 复制文件
ENV 环境变量
ENTRYPOINT 容器启动后执行的命令实例:
此处在CMD处执行的是一个脚本,脚本内容大致是开启ssh服务并让ssh服务夯住,参数是-D,开启httpd服务
[root@docker-node1 ~]# cat /opt/base/Dockerfile
FROM centos:6.8
RUN yum install wget unzip php* httpd openssh-server -y
RUN cd /var/www/html/ && wget http://static.kodcloud.com/update/download/kodexplorer4.25.zip && unzip kodexplorer4.25.zip
RUN echo 'root:123456'|chpasswd
RUN echo 'ServerName 127.0.0.1:80' >>/etc/httpd/conf/httpd.conf
RUN /etc/init.d/sshd start
RUN chmod -Rf 777 /var/www/html/
RUN sed 's#Options Indexes FollowSymLinks#Options FollowSymLinks#g' /etc/httpd/conf/httpd.conf -i
COPY init.sh /init.sh
EXPOSE 80/tcp
EXPOSE 22/tcp
CMD ["/bin/bash","/init.sh"]
[root@docker-node1 ~]# ll /opt/base/
total 8
-rw-r--r-- 1 root root 528 Feb 1 06:16 Dockerfile
-rw-r--r-- 1 root root 82 Feb 1 03:37 init.sh
[root@docker-node1 ~]# docker image build -t centos6-yun .docker image build -t centos6-yun /opt/base/Dockerfile
docker image build -t 指定一个自动构建的镜像标签 Dockerfile文件路径
参考其他的dockerfile
官方dockerfile或者时速云镜像广场
容器间的互联
docker run -d -p 80:80 nginx
docker run -it --link quirky_brown:web01 qstack/centos-ssh /bin/bash
ping web01使用docker运行zabbix-server
docker run --name mysql-server -t \
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="zabbix" \
-e MYSQL_PASSWORD="zabbix_pwd" \
-e MYSQL_ROOT_PASSWORD="root_pwd" \
-d mysql:5.7 \
--character-set-server=utf8 --collation-server=utf8_bin
docker run --name zabbix-java-gateway -t \
-d zabbix/zabbix-java-gateway:latest
docker run --name zabbix-server-mysql -t \
-e DB_SERVER_HOST="mysql-server" \
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="zabbix" \
-e MYSQL_PASSWORD="zabbix_pwd" \
-e MYSQL_ROOT_PASSWORD="root_pwd" \
-e ZBX_JAVAGATEWAY="zabbix-java-gateway" \
--link mysql-server:mysql \
--link zabbix-java-gateway:zabbix-java-gateway \
-p 10051:10051 \
-d zabbix/zabbix-server-mysql:latest
docker run --name zabbix-web-nginx-mysql -t \
-e DB_SERVER_HOST="mysql-server" \
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="zabbix" \
-e MYSQL_PASSWORD="zabbix_pwd" \
-e MYSQL_ROOT_PASSWORD="root_pwd" \
--link mysql-server:mysql \
--link zabbix-server-mysql:zabbix-server \
-p 80:80 \
-d zabbix/zabbix-web-nginx-mysql:latestdocker私有仓库
普通的registry
启动registry容器
docker run -d -p 5000:5000 --restart=always --name registry -v /opt/myregistry:/var/lib/registry registry修改配置文件
/etc/docker/daemon.json
{
"registry-mirrors": ["https://registry.docker-cn.com"],
"insecure-registries": ["10.0.0.11:5000"]
}"insecure-registries": ["10.0.0.11:5000"] ---- 将https转换成http
重启docker服务
systemctl restart docker.service为镜像打标签
docker tag centos6-yun:latest 10.0.0.11:5000/erlianzhang/centos6-yun:latestpush推送镜像
docker push 10.0.0.11:5000/erlianzhang/centos6-yun:latest带basic认证的registry
mkdir /opt/registry-var/auth/ -p
htpasswd -Bbn oldboy 123456 >> /opt/registry-var/auth/htpasswd
docker run -d -p 5000:5000 -v /opt/registry-var/auth/:/auth/ -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry实操
yum install httpd-tools.x86_64 -y
[root@docker-node1 ~]# mkdir /opt/registry-var/auth/ -p
ASSWD_PATH=/auth/htpasswd registry
[root@docker-node1 ~]# htpasswd -Bbn erlianzhang 123456 d>> /opt/registry-var/auth/htpassw
[root@docker-node1 ~]# docker run -d -p 5000:5000 -v /opt/registry-var/auth/:/auth/ -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
589820e671fa51114bf9ccf143375bce7351a80f7035e571f4e8524a1096edbb
[root@docker-node1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
589820e671fa registry "/entrypoint.sh /etc…" 11 seconds ago Up 11 seconds 0.0.0.0:5000->5000/tcp confident_visvesvaraya
[root@docker-node1 ~]# docker push 10.0.0.11:5000/erlianzhang/centos6-yun:latest --- 不验证就不能上传
The push refers to repository [10.0.0.11:5000/erlianzhang/centos6-yun]
f8508dc392c8: Preparing
f85b7909a4bc: Preparing
8b2d1868cde8: Preparing
ad87982f4b1b: Preparing
ac521dbe8cd3: Preparing
3d169f2d5cff: Waiting
6bad9d62f12a: Waiting
f28db075daf0: Waiting
e00c9229b481: Waiting
no basic auth credentials
[root@docker-node1 ~]# docker login 10.0.0.11:5000 --- 验证一下
Username: erlianzhang
Password:
Login Succeeded
[root@docker-node1 ~]# docker push 10.0.0.11:5000/erlianzhang/centos6-yun:latest --- 再次上传就可以了
The push refers to repository [10.0.0.11:5000/erlianzhang/centos6-yun]
f8508dc392c8: Pushed
f85b7909a4bc: Pushed
8b2d1868cde8: Pushed
ad87982f4b1b: Pushed
ac521dbe8cd3: Pushed
3d169f2d5cff: Pushed
6bad9d62f12a: Pushed
f28db075daf0: Pushed
e00c9229b481: Pushed
latest: digest: sha256:46e0409381ef7c5922bc5c37b5888015ab415c0e7248e463323db361318e93bf size: 2205验证
[root@docker-node1 ~]# cat .docker/config.json
{
"auths": {
"10.0.0.11:5000": {
"auth": "b2xkYm95OjEyMzQ1Ng=="
}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/17.12.0-ce (linux)"
}
}docker-compose(单机版的容器编排工具)
docker-compose简介
一句话:docker-compose是用来做docker的多容器控制
docker-compose 是什么
docker-compose是一个用来把docker自动化的东西。
有了docker-compose你可以把所有繁复的docker操作全都一条命令,自动化的完成。
详细指令参考:https://www.jianshu.com/p/2217cfed29d7
安装python环境
yum install -y python2-pip详细指令:http://www.jianshu.com/p/2217cfed29d7
配置pip加速
[root@docker-node1 ~]# mkdir .pip
[root@docker-node1 ~]# vim ~/.pip/pip.conf
[global]
index-url = http://mirrors.aliyun.com/pypi/simple/
[install]
trusted-host=mirrors.aliyun.com
pip install docker-compose配置文件
该配置文件是部署wordpress博客网站的
cd my_wordpress/
vi docker-compose.ymlversion: '3'
services:
db:
image: mysql:5.7
volumes:
- /data/db_data:/var/lib/mysql
restart: always
environment:
MYSQL_ROOT_PASSWORD: somewordpress
MYSQL_DATABASE: wordpress
MYSQL_USER: wordpress
MYSQL_PASSWORD: wordpress
wordpress:
depends_on:
- db
image: wordpress:latest
volumes:
- /data/web_data:/var/www/html
ports:
- "8000:80"
restart: always
environment:
WORDPRESS_DB_HOST: db:3306
WORDPRESS_DB_USER: wordpress
WORDPRESS_DB_PASSWORD: wordpress启动服务
#启动
docker-compose up
#后台启动
docker-compose up -ddocker配合haproxy负载
灰度重启容器,防止因为更新业务全部关闭容器
安装haproxy
yum install haproxy -y修改配置文件
vi /etc/haproxy/haproxy.cfg
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats level admin
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
listen stats
mode http
bind 0.0.0.0:8888
stats enable
stats uri /haproxy-status
stats auth admin:123456
frontend frontend_www_example_com
bind 10.0.0.11:8000
mode http
option httplog
log global
default_backend backend_www_example_com
backend backend_www_example_com
option forwardfor header X-REAL-IP
option httpchk HEAD / HTTP/1.0
balance roundrobin
server web-node1 10.0.0.11:32768 check inter 2000 rise 30 fall 15
server web-node2 10.0.0.11:32769 check inter 2000 rise 30 fall 15启动服务
systemctl start haproxy安装socat
yum install socat.x86_64 -y
echo "disable server backend_www_example_com/web-node3"|socat stdio /var/lib/haproxy/stats
echo "enable server backend_www_example_com/web-node3"|socat stdio /var/lib/haproxy/stats利用测试页测试
<html>
<head>
<title>PHP测试</title>
</head>
<body>
<?php echo '<p>Hello World </p>'; ?>
<?php echo "访问的服务器地址是:"."<fontcolor=red>".$_SERVER['SERVER_ADDR']."</font>"."<br>";
echo"访问的服务器域名是:"."<fontcolor=red>".$_SERVER['SERVER_NAME']."</font>"."<br>";
?>
</body>
</html>Docker网络类型
类型 | 说明 |
|---|---|
None | 不为容器配置任何网络功能,没有网络 --net=none |
Container | 与另一个运行中的容器共享Network Namespace,--net=container:containerID |
Host | 与主机共享Network Namespace,--net=host |
Bridge | Docker设计的NAT网络模型(默认类型) |
Bridge默认docker网络隔离基于网络命名空间,在物理机上创建docker容器时会为每一个docker容器分配网络命名空间,并且把容器IP桥接到物理机的虚拟网桥上。
不为容器配置网络功能
此模式下创建容器是不会为容器配置任何网络参数的,如:容器网卡、IP、通信路由等,全部需要自己去配置。
[root@docker01 ~]# docker run -it --network none busybox:latest /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever与其他容器共享网络配置(Container)
此模式和host模式很类似,只是此模式创建容器共享的是其他容器的IP和端口而不是物理机,此模式容器自身是不会配置网络和端口,创建此模式容器进去后,你会发现里边的IP是你所指定的那个容器IP并且端口也是共享的,而且其它还是互相隔离的,如进程等。
[root@docker01 ~]# docker run -it --network container:mywordpress_db_1 busybox:latest /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
105: eth0@if106: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:12:00:03 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.3/16 brd 172.18.255.255 scope global eth0
valid_lft forever preferred_lft forever使用宿主机网络
此模式创建的容器没有自己独立的网络命名空间,是和物理机共享一个Network Namespace,并且共享物理机的所有端口与IP,并且这个模式认为是不安全的。、
[root@docker01 ~]# docker run -it --network host busybox:latest /bin/sh查看网络列表
[root@docker01 ~]# docker network list
NETWORK ID NAME DRIVER SCOPE
b15e8a720d3b bridge bridge local
345d65b4c2a0 host host local
bc5e2a32bb55 mywordpress_default bridge local
ebf76eea91bb none null local用PIPEWORK为docker容器配置独立IP
参考文档:http://blog.csdn.net/design321/article/details/48264825
官方网站:https://github.com/jpetazzo/pipework
宿主环境:centos7.2
1、安装pipework
wget https://github.com/jpetazzo/pipework/archive/master.zip
unzip master.zip
cp pipework-master/pipework /usr/local/bin/
chmod +x /usr/local/bin/pipework2、配置网桥连接
安装桥接工具
yum install bridge-utils.x86_64 -y修改网卡配置,实现桥接
# 修改eth0配置,让br0实现桥接
[root@docker01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=static
NAME=eth0
DEVICE=eth0
ONBOOT=yes
BRIDGE=br0
[root@docker01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-br0
TYPE=Bridge
BOOTPROTO=static
NAME=br0
DEVICE=br0
ONBOOT=yes
IPADDR=10.0.0.100
NETMASK=255.255.255.0
GATEWAY=10.0.0.254
DNS1=223.5.5.5
# 重启网络
[root@docker01 ~]# /etc/init.d/network restart3、运行一个容器镜像测试:
pipework br0 $(docker run -d -it -p 6880:80 --name httpd_pw httpd) 10.0.0.220/24@10.0.0.254在其他主机上测试端口及连通性
[root@docker01 ~]# curl 10.0.0.220
<html><body><h1>It works!</h1></body></html>
[root@docker01 ~]# ping 10.0.0.220 -c 1
PING 10.0.0.220 (10.0.0.220) 56(84) bytes of data.
64 bytes from 10.0.0.220: icmp_seq=1 ttl=64 time=0.043 ms4、再运行一个容器,设置网路类型为none:
pipework br0 $(docker run -d -it --net=none --name test httpd:2.4) 10.0.0.221/24@10.0.0.254进行访问测试
[root@docker01 ~]# curl 10.0.0.221
<html><body><h1>It works!</h1></body></html>5、重启容器后需要再次指定:
pipework br0 testduliip 172.16.146.113/24@172.16.146.1
pipework br0 testduliip01 172.16.146.112/24@172.16.146.1Docker跨主机通信之macvlan
创建macvlan网络
docker network create --driver macvlan --subnet 10.1.0.0/24 --gateway 10.1.0.254 -o parent=eth0 macvlan_1设置eth0的网卡为混杂模式
ip link set eth0 promisc on创建使用macvlan网络的容器
docker run -it --network macvlan_1 --ip=10.1.0.210 busybox:latest /bin/sh基于macvlan网络,还存有overlay网络
Dcoker跨主机通信之overlay 参考文档:http://www.cnblogs.com/CloudMan6/p/7270551.html
Docker镜像的生命周期图
docker企业级镜像仓库harbor
介绍
Harbor 是一个企业级的 Docker Registry,可以实现 images 的私有存储和日志统计权限控制等功能,并支持创建多项目(Harbor 提出的概念),基于官方 Registry V2 实现。 通过地址:https://github.com/vmware/harbor/releases 可以下载最新的版本。 官方提供了两种版本:在线版和离线版。
安装步骤
容器管理
[root@docker01 harbor]# pwd
/opt/harbor
[root@docker01 harbor]# docker-compose stop第一步:安装docker和docker-compose
下载harbor-offline-installer-v1.3.0.tgz
cd /opt && https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.3.0.tgz
tar xf harbor-offline-installer-v1.3.0.tgz第二步:修改主机及web界面密码
修改harbor.cfg配置文件
[root@docker01 harbor]# vim harbor.cfg
···
hostname = 10.0.0.100
harbor_admin_password = 123456
···第三步:执行install.sh
[root@docker01 harbor]# ./install.sh第四步:web登陆测试
镜像推送到仓库的指定项目
[root@docker02 ~]# docker tag centos:6.8 10.0.0.100/clsn/centos6.8:1.0
[root@docker02 ~]#
[root@docker02 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest 5b0d59026729 8 days ago 1.15MB
10.0.0.100/clsn/centos6.8 1.0 6704d778b3ba 2 months ago 195MB
centos 6.8 6704d778b3ba 2 months ago 195MB
[root@docker02 ~]# docker login 10.0.0.100
Username: admin
Password:
Login Succeeded推送镜像
[root@docker02 ~]# docker push 10.0.0.100/clsn/centos6.8
The push refers to repository [10.0.0.100/clsn/centos6.8]
e00c9229b481: Pushing 13.53MB/194.5MB转载注明出处,写这篇很累!!!
本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
暂无评论
推荐阅读
![Docker从入门到干活,看这一篇足矣 [建议收藏]](https://ask.qcloudimg.com/http-save/yehe-1626210/7f38a6c03540cde70b2a2c079af929f6.png)
推荐阅读
相关推荐
Docker 容器入门
更多 >
腾讯云开发者
