Docker容器技术

阅读量：5259 次

发布时间：2019-06-14

本文共 38398 字，大约阅读时间需要 127 分钟。

Docker介绍

什么是容器

Linux容器是与系统其他部分隔离开的一系列进程，从另一个系统镜像运行，并由该镜像提供支持进程所需的全部文件。

容器镜像包含了应用的所有依赖项，因而在从开发到测试再到生产的整个过程中，它都具有可移植性和一致性。

来源：

容器就是虚拟化吗？

虚拟化使得许多操作系统可同时在单个系统上运行。

容器只能共享操作系统内核,将应用进程与系统其他部分,隔离开。

容器和虚拟化的区别

linux容器技术，容器虚拟化和kvm虚拟化的区别

kvm虚拟化：需要硬件的支持，需要模拟硬件，可以运行不同的操作系统，启动时间分钟级(开机启动流程)

容器虚拟化：不需要硬件的支持。不需要模拟硬件，共用宿主机的内核，启动时间秒级(没有开机启动流程)

容器总结：

（1）与宿主机使用同一个内核，性能损耗小；

（2）不需要指令级模拟；

（3）容器可以在CPU核心的本地运行指令，不需要任何专门的解释机制；

（4）避免了准虚拟化和系统调用替换中的复杂性；

（5）轻量级隔离，在隔离的同时还提供共享机制，以实现容器与宿主机的资源共享。

容器技术的发展过程

chroot技术，新建一个子系统

chroot，即 change root directory (更改 root 目录)。在 linux 系统中，系统默认的目录结构都是以 `/`，即是以根 (root) 开始的。而在使用 chroot 之后，系统的目录结构将以指定的位置作为 `/` 位置。

参考资料：

使用chroot监狱限制SSH用户访问指定目录和使用指定命令：

lxc部署

Linux Container容器是一种内核虚拟化技术，可以提供轻量级的虚拟化，以便隔离进程和资源。

安装lxc

需要使用epel源

#安装epel源

yum install epel-release -y

#编译epel源配置文件

vi  /etc/yum.repos.d/epel.repo[epel]name=Extra Packages for Enterprise Linux 7 - $basearchbaseurl=https://mirrors.tuna.tsinghua.edu.cn/epel/7/$basearch#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearchfailovermethod=priorityenabled=1gpgcheck=1gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7[epel-debuginfo]name=Extra Packages for Enterprise Linux 7 - $basearch - Debugbaseurl=https://mirrors.tuna.tsinghua.edu.cn/epel/7/$basearch/debug#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=$basearchfailovermethod=priorityenabled=0gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7gpgcheck=1[epel-source]name=Extra Packages for Enterprise Linux 7 - $basearch - Sourcebaseurl=https://mirrors.tuna.tsinghua.edu.cn/epel/7/SRPMS#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=$basearchfailovermethod=priorityenabled=0gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7gpgcheck=1

##安装lxc

yum install lxc-* -yyum install libcgroup* -yyum install bridge-utils.x86_64 -y

交接网卡

[root@controller ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 TYPE=EthernetBOOTPROTO=noneNAME=eth0DEVICE=eth0ONBOOT=yesBRIDGE=br0[root@controller ~]# cat /etc/sysconfig/network-scripts/ifcfg-br0 TYPE=BridgeBOOTPROTO=staticNAME=br0DEVICE=br0ONBOOT=yesIPADDR=10.0.0.11NETMASK=255.255.255.0GATEWAY=10.0.0.254DNS1=223.5.5.5

修改lxc默认配置

vi /etc/lxc/default.conf修改第2行为：lxc.network.link = br0

启动cgroup服务

systemctl enable cgconfig.servicesystemctl start cgconfig.service

创建lxc容器

方法1:lxc-create -t download -n centos7 -- --server mirrors.tuna.tsinghua.edu.cn/lxc-images -d centos -r 7 -a amd64方法2：lxc-create -t centos -n test

为容器指定ip和网关

vi /var/lib/lxc/centos7/configlxc.network.name = eth0lxc.network.ipv4 = 10.0.0.111/24lxc.network.ipv4.gateway = 10.0.0.254

启动容器

lxc-start -n centos7

lxc实操

#查看虚拟机

[root@docker opt]# lxc-ls   centos7

修改子系统root密码

[root@docker opt]# chroot /var/lib/lxc/centos7/rootfs passwd    Changing password for user root. New password: BAD PASSWORD: The password is shorter than 8 charactersRetype new password: passwd: all authentication tokens updated successfully.

启动子系统

[root@docker opt]# lxc-start -n centos7   systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)Detected virtualization lxc.Detected architecture x86-64.Welcome to CentOS Linux 7 (Core)!

检测

[root@docker ~]# lxc-checkconfig     Kernel configuration not found at /proc/config.gz; searching...Kernel configuration found at /boot/config-3.10.0-327.el7.x86_64--- Namespaces ---Namespaces: enabledUtsname namespace: enabledIpc namespace: enabledPid namespace: enabledUser namespace: enablednewuidmap is not installednewgidmap is not installedNetwork namespace: enabledMultiple /dev/pts instances: enabled--- Control groups ---Cgroup: enabledCgroup clone_children flag: enabledCgroup device: enabledCgroup sched: enabledCgroup cpu account: enabledCgroup memory controller: enabledCgroup cpuset: enabled--- Misc ---Veth pair device: enabledMacvlan: enabledVlan: enabledBridges: enabledAdvanced netfilter: enabledCONFIG_NF_NAT_IPV4: enabledCONFIG_NF_NAT_IPV6: enabledCONFIG_IP_NF_TARGET_MASQUERADE: enabledCONFIG_IP6_NF_TARGET_MASQUERADE: enabledCONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled--- Checkpoint/Restore ---checkpoint restore: enabledCONFIG_FHANDLE: enabledCONFIG_EVENTFD: enabledCONFIG_EPOLL: enabledCONFIG_UNIX_DIAG: enabledCONFIG_INET_DIAG: enabledCONFIG_PACKET_DIAG: enabledCONFIG_NETLINK_DIAG: enabledFile capabilities: enabledNote : Before booting a new kernel, you can check its configurationusage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

docker容器

Docker是通过内核虚拟化技术（namespaces及cgroups cpu、内存、磁盘io等）来提供容器的资源隔离与安全保障等。由于Docker通过操作系统层的虚拟化实现隔离，所以Docker容器在运行时，不需要类似虚拟机（VM）额外的操作系统开销，提高资源利用率。

docker的主要目标是"Build,Ship and Run any App,Angwhere",构建，运输，处处运行

构建：做一个docker镜像

运输：docker pull

运行：启动一个容器

每一个容器，他都有自己的文件系统rootfs.

kvm解决了硬件和操作系统之间的依赖

docker解决了软件和操作系统环境之间的依赖，能够让独立服务或应用程序在不同的环境中，得到相同的运行结果。

docker容器是一种轻量级、可移植、自包含的软件打包技术，使应用程序可以在几乎任何地方以相同的方式运行。开发人员在自己笔记本上创建并测试好的容器，无需任何修改就能够在生产系统的虚拟机、物理服务器或公有云主机上运行。

Docker的部署

wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.reposed -i 's#download.docker.com#mirrors.ustc.edu.cn/docker-ce#g' /etc/yum.repos.d/docker-ce.repoyum install docker-ce -y

docker的主要组成部分

docker是传统的CS架构分为docker client和docker server,向mysql一样

命令：docker version

[root@controller ~]# docker version Client: Version:    17.12.0-ce API version:    1.35 Go version:    go1.9.2 Git commit:    c97c6d6 Built:    Wed Dec 27 20:10:14 2017 OS/Arch:    linux/amd64Server: Engine:  Version:    17.12.0-ce  API version:    1.35 (minimum version 1.12)  Go version:    go1.9.2  Git commit:    c97c6d6  Built:    Wed Dec 27 20:12:46 2017  OS/Arch:    linux/amd64  Experimental:    false

设置docker远程执行

systemd详解：

在linux-node1设置

vim /usr/lib/systemd/system/docker.serviceExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://10.0.0.11:2375 systemctl daemon-reloadsystemctl restart docker.service ps -ef检查

在linux-node2设置

wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.reposed -i 's#download.docker.com#mirrors.ustc.edu.cn/docker-ce#g' /etc/yum.repos.d/docker-ce.repoyum install docker-ce -ydocker -H 10.0.0.11 info 　　　　---  远程执行 info 展示docker的信息

docker主要组件有：镜像、容器、仓库

启动第一个容器

命令：docker run -d -p 80:80 nginx

实操：

[root@docker-node1 ~]# docker run -d -p 80:80 nginxUnable to find image 'nginx:latest' locallylatest: Pulling from library/nginxe7bb522d92ff: Pull complete 6edc05228666: Pull complete cd866a17e81f: Pull complete Digest: sha256:285b49d42c703fdf257d1e2422765c4ba9d3e37768d6ea83d7fe2043dad6e63dStatus: Downloaded newer image for nginx:lateste1cb110a537622e4a5c885161bca69478adc5d218e6eb4e0307c7fe0c1350012#run： 创建并运行一个容器，#-d：放在后台#-p：端口映射#80:80：前面是宿主机的，后面是容器的#nginx：镜像的名字

docker的镜像管理

搜索镜像

命令：docker search

实操：

[root@docker-node1 ~]# docker search centosNAME（镜像名）     DESCRIPTION（说明）             STARS（送心数）  OFFICIAL（是否是官方的）    AUTOMATED（是否自动）centos             The official build of CentOS.   3992               [OK]

获取镜像

命令：docker pull

实操：

[root@docker-node1 ~]# docker pull centos    --- 拉取一个镜像centos（不指定版本默认为最新版，只写名字默认在官方拉取）Using default tag: latestlatest: Pulling from library/centosaf4b0a2388c6: Pull complete Digest: sha256:2671f7a3eea36ce43609e9fe7435ade83094291055f1c96d9d1d1d7c0b986a5dStatus: Downloaded newer image for centos:latest[root@docker-node1 ~]# docker images REPOSITORY          TAG                 IMAGE ID            CREATED             SIZEcentos              latest              ff426288ea90        3 weeks ago         207MBnginx               latest              3f8a4339aadd        5 weeks ago         108MB

拉取非官网的镜像：

[root@docker-node1 ~]# docker pull index.tenxcloud.com/tenxcloud/httpd:2.42.4: Pulling from tenxcloud/httpd8b87079b7a06: Downloading  11.53MB/51.36MBa3ed95caeb02: Download complete 0c30bf087cf7: Download complete 79f2be53847c: Downloading  11.14MB/11.7MB7063c4b35837: Download complete 5c27df81ae71: Download complete

镜像加速

镜像加速器：阿里云加速器，daocloud加速器，中科大加速器，Docker 中国官方镜像加速：https://registry.docker-cn.com

镜像加速配置：

vi /etc/docker/daemon.json{  "registry-mirrors": ["https://registry.docker-cn.com"]}

第三方docker镜像仓库，使用方法

docker pull index.tenxcloud.com/tenxcloud/httpd:latest

镜像操作

查看镜像

docker images

删除镜像

docker rmi  例子：docker image rm centos:latest

实操：

[root@docker ~]# docker image rm centos:latest （名字：版本）Untagged: centos:latestUntagged: centos@sha256:2671f7a3eea36ce43609e9fe7435ade83094291055f1c96d9d1d1d7c0b986a5dDeleted: sha256:ff426288ea903fcf8d91aca97460c613348f7a27195606b45f19ae91776ca23dDeleted: sha256:e15afa4858b655f8a5da4c4a41e05b908229f6fab8543434db79207478511ff7[root@docker ~]# docker imagesREPOSITORY          TAG                 IMAGE ID            CREATED             SIZEnginx               latest              3f8a4339aadd        5 weeks ago         108MB

导出镜像

docker save  例子：docker image save centos > docker-centos7.4.tar.gz

实操：

[root@docker ~]# docker image save centos > docker-centos7.4.tar.gz[root@docker ~]# ls docker-centos7.4.tar.gzdocker-centos7.4.tar.gz

导入镜像

docker load  例子：docker image load -i docker-centos7.4.tar.gz

实操：

[root@docker ~]# docker image load -i docker-centos7.4.tar.gz e15afa4858b6: Loading layer  215.8MB/215.8MBLoaded image: centos:latest[root@docker ~]# docker imagesREPOSITORY          TAG                 IMAGE ID            CREATED             SIZEcentos              latest              ff426288ea90        3 weeks ago         207MBnginx               latest              3f8a4339aadd        5 weeks ago         108MB

查看镜像详细信息

[root@docker ~]# docker image inspect centos[    {        "Id": "sha256:ff426288ea903fcf8d91aca97460c613348f7a27195606b45f19ae91776ca23d",        "RepoTags": [            "centos:latest"        ],        "RepoDigests": [],        "Parent": "",        "Comment": "",        "Created": "2018-01-08T19:58:27.63047329Z",        "Container": "dd31c81a4b47b90a14cf6d1c7389465060e390f12a0b71189d181a0458d8443f",        "ContainerConfig": {            "Hostname": "dd31c81a4b47",            "Domainname": "",            "User": "",            "AttachStdin": false,            "AttachStdout": false,            "AttachStderr": false,            "Tty": false,            "OpenStdin": false,            "StdinOnce": false,            "Env": [                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"            ],            "Cmd": [                "/bin/sh",                "-c",                "#(nop) ",                "CMD [\"/bin/bash\"]"            ],            "ArgsEscaped": true,            "Image": "sha256:5a28642a68c5af8083107fca9ffbc025179211209961eae9b1f40f928331fa90",            "Volumes": null,            "WorkingDir": "",            "Entrypoint": null,            "OnBuild": null,            "Labels": {                "build-date": "20180107",                "license": "GPLv2",                "name": "CentOS Base Image",                "vendor": "CentOS"            }        },        "DockerVersion": "17.06.2-ce",        "Author": "",        "Config": {            "Hostname": "",            "Domainname": "",            "User": "",            "AttachStdin": false,            "AttachStdout": false,            "AttachStderr": false,            "Tty": false,            "OpenStdin": false,            "StdinOnce": false,            "Env": [                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"            ],            "Cmd": [                "/bin/bash"            ],            "ArgsEscaped": true,            "Image": "sha256:5a28642a68c5af8083107fca9ffbc025179211209961eae9b1f40f928331fa90",            "Volumes": null,            "WorkingDir": "",            "Entrypoint": null,            "OnBuild": null,            "Labels": {                "build-date": "20180107",                "license": "GPLv2",                "name": "CentOS Base Image",                "vendor": "CentOS"            }        },        "Architecture": "amd64",        "Os": "linux",        "Size": 207191530,        "VirtualSize": 207191530,        "GraphDriver": {            "Data": {                "DeviceId": "10",                "DeviceName": "docker-8:2-667845-6de21ff18b07a4a121111b78d105af3ae3d1eccf0d5bcf3dff957e3640a79dac",                "DeviceSize": "10737418240"            },            "Name": "devicemapper"        },        "RootFS": {            "Type": "layers",            "Layers": [                "sha256:e15afa4858b655f8a5da4c4a41e05b908229f6fab8543434db79207478511ff7"            ]        },        "Metadata": {            "LastTagTime": "0001-01-01T00:00:00Z"        }    }]

查看镜像详细信息

Docker的容器管理

启动一个容器

docker run -d -p 80:80 nginx

查看启动的容器（两种方法）：

[root@docker-node1 ~]# docker psCONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                NAMES75516b38df19        nginx               "nginx -g 'daemon of…"   3 hours ago         Up 3 hours          0.0.0.0:80->80/tcp   inspiring_euler[root@docker-node1 ~]# docker container lsCONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                NAMES75516b38df19        nginx               "nginx -g 'daemon of…"   3 hours ago         Up 3 hours          0.0.0.0:80->80/tcp   inspiring_euler

显示所有状态的容器

[root@docker-node1 ~]# docker ps -aCONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                   PORTS                NAMES75516b38df19        nginx               "nginx -g 'daemon of…"   3 hours ago         Up 3 hours               0.0.0.0:80->80/tcp   inspiring_eulere1cb110a5376        nginx               "nginx -g 'daemon of…"   3 hours ago         Exited (0) 3 hours ago                        thirsty_brattain

只显示容器id

[root@docker-node1 ~]# docker ps -a -q7cef098bebc775516b38df19

查看容器ip

docker container inspect id或name

[root@docker-node1 ~]# docker container inspect 75516b38df19[    {        "Id": "75516b38df194d00fbb2d5ce51316f621f76a1037a0fdf1d578d14498a68d8a3",        "Created": "2018-01-31T12:12:06.387035752Z",        "Path": "nginx",        "Args": [            "-g",            "daemon off;"        ],        "State": {            "Status": "running",            "Running": true,            "Paused": false,            "Restarting": false,            "OOMKilled": false,            "Dead": false,            "Pid": 19388,            "ExitCode": 0,            "Error": "",            "StartedAt": "2018-01-31T12:12:06.710448922Z",            "FinishedAt": "0001-01-01T00:00:00Z"        },        "Image": "sha256:3f8a4339aadda5897b744682f5f774dc69991a81af8d715d37a616bb4c99edf5",        "ResolvConfPath": "/var/lib/docker/containers/75516b38df194d00fbb2d5ce51316f621f76a1037a0fdf1d578d14498a68d8a3/resolv.conf",        "HostnamePath": "/var/lib/docker/containers/75516b38df194d00fbb2d5ce51316f621f76a1037a0fdf1d578d14498a68d8a3/hostname",        "HostsPath": "/var/lib/docker/containers/75516b38df194d00fbb2d5ce51316f621f76a1037a0fdf1d578d14498a68d8a3/hosts",        "LogPath": "/var/lib/docker/containers/75516b38df194d00fbb2d5ce51316f621f76a1037a0fdf1d578d14498a68d8a3/75516b38df194d00fbb2d5ce51316f621f76a1037a0fdf1d578d14498a68d8a3-json.log",        "Name": "/inspiring_euler",        "RestartCount": 0,        "Driver": "devicemapper",        "Platform": "linux",        "MountLabel": "",        "ProcessLabel": "",        "AppArmorProfile": "",        "ExecIDs": null,        "HostConfig": {            "Binds": null,            "ContainerIDFile": "",            "LogConfig": {                "Type": "json-file",                "Config": {}            },            "NetworkMode": "default",            "PortBindings": {                "80/tcp": [                    {                        "HostIp": "",                        "HostPort": "80"                    }                ]            },            "RestartPolicy": {                "Name": "no",                "MaximumRetryCount": 0            },            "AutoRemove": false,            "VolumeDriver": "",            "VolumesFrom": null,            "CapAdd": null,            "CapDrop": null,            "Dns": [],            "DnsOptions": [],            "DnsSearch": [],            "ExtraHosts": null,            "GroupAdd": null,            "IpcMode": "shareable",            "Cgroup": "",            "Links": null,            "OomScoreAdj": 0,            "PidMode": "",            "Privileged": false,            "PublishAllPorts": false,            "ReadonlyRootfs": false,            "SecurityOpt": null,            "UTSMode": "",            "UsernsMode": "",            "ShmSize": 67108864,            "Runtime": "runc",            "ConsoleSize": [                0,                0            ],            "Isolation": "",            "CpuShares": 0,            "Memory": 0,            "NanoCpus": 0,            "CgroupParent": "",            "BlkioWeight": 0,            "BlkioWeightDevice": [],            "BlkioDeviceReadBps": null,            "BlkioDeviceWriteBps": null,            "BlkioDeviceReadIOps": null,            "BlkioDeviceWriteIOps": null,            "CpuPeriod": 0,            "CpuQuota": 0,            "CpuRealtimePeriod": 0,            "CpuRealtimeRuntime": 0,            "CpusetCpus": "",            "CpusetMems": "",            "Devices": [],            "DeviceCgroupRules": null,            "DiskQuota": 0,            "KernelMemory": 0,            "MemoryReservation": 0,            "MemorySwap": 0,            "MemorySwappiness": null,            "OomKillDisable": false,            "PidsLimit": 0,            "Ulimits": null,            "CpuCount": 0,            "CpuPercent": 0,            "IOMaximumIOps": 0,            "IOMaximumBandwidth": 0        },        "GraphDriver": {            "Data": {                "DeviceId": "8",                "DeviceName": "docker-8:2-667845-d7559a9d1629b837315264d5191776a3583b745cbb270be66f15126659ea266d",                "DeviceSize": "10737418240"            },            "Name": "devicemapper"        },        "Mounts": [],        "Config": {            "Hostname": "75516b38df19",            "Domainname": "",            "User": "",            "AttachStdin": false,            "AttachStdout": false,            "AttachStderr": false,            "ExposedPorts": {                "80/tcp": {}            },            "Tty": false,            "OpenStdin": false,            "StdinOnce": false,            "Env": [                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",                "NGINX_VERSION=1.13.8-1~stretch",                "NJS_VERSION=1.13.8.0.1.15-1~stretch"            ],            "Cmd": [                "nginx",                "-g",                "daemon off;"            ],            "ArgsEscaped": true,            "Image": "nginx",            "Volumes": null,            "WorkingDir": "",            "Entrypoint": null,            "OnBuild": null,            "Labels": {                "maintainer": "NGINX Docker Maintainers 
      
       "            },            "StopSignal": "SIGTERM"        },        "NetworkSettings": {            "Bridge": "",            "SandboxID": "33eb47f2321af718ee6a7564f8ae8c9841719051efebb2dfdb8a206d19e83004",            "HairpinMode": false,            "LinkLocalIPv6Address": "",            "LinkLocalIPv6PrefixLen": 0,            "Ports": {                "80/tcp": [                    {                        "HostIp": "0.0.0.0",                        "HostPort": "80"                    }                ]            },            "SandboxKey": "/var/run/docker/netns/33eb47f2321a",            "SecondaryIPAddresses": null,            "SecondaryIPv6Addresses": null,            "EndpointID": "a4a179b29fb9cda0c6332579460dddc5fbc6e7f29dd5608ae9f5742701d4202e",            "Gateway": "172.17.0.1",            "GlobalIPv6Address": "",            "GlobalIPv6PrefixLen": 0,            "IPAddress": "172.17.0.2",            "IPPrefixLen": 16,            "IPv6Gateway": "",            "MacAddress": "02:42:ac:11:00:02",            "Networks": {                "bridge": {                    "IPAMConfig": null,                    "Links": null,                    "Aliases": null,                    "NetworkID": "12e101b4dd9dd0078bab6ed9ce9aaf2d7cca2e00e4a66b5629f088732d6698d0",                    "EndpointID": "a4a179b29fb9cda0c6332579460dddc5fbc6e7f29dd5608ae9f5742701d4202e",                    "Gateway": "172.17.0.1",                    "IPAddress": "172.17.0.2",                    "IPPrefixLen": 16,                    "IPv6Gateway": "",                    "GlobalIPv6Address": "",                    "GlobalIPv6PrefixLen": 0,                    "MacAddress": "02:42:ac:11:00:02",                    "DriverOpts": null                }            }        }    }]

查看容器

停止容器

docker container stop id或namedocker container kill id或name

实操：

[root@docker-node1 ~]# docker container stop 75516b38df1975516b38df19[root@docker-node1 ~]# docker container lsCONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES[root@docker-node1 ~]# docker ps -aCONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS               NAMES75516b38df19        nginx               "nginx -g 'daemon of…"   3 hours ago         Exited (0) 10 seconds ago                       inspiring_eulere1cb110a5376        nginx               "nginx -g 'daemon of…"   3 hours ago         Exited (0) 3 hours ago                          thirsty_brattain

总结：docker容器内的第一个进程必须一直处于前台运行的状态，否则这个容器，就会处于退出状态！

删除已关闭的容器

[root@docker-node1 ~]# docker container rm e1cb110a5376e1cb110a5376

批量删除：

docker rm -f `docker ps -a -q` -- 强制删除全部，包括启动中的

[root@docker-node1 ~]# docker rm `docker ps -a -q`    #只删除关闭状态的7cef098bebc775516b38df19

交互式进入容器，分配终端

docker run -it nginx:latest /bin/bash

-i -t：--interactive --tty（直接进入容器）

[root@docker-node1 ~]# docker run -it nginx:latest /bin/bashroot@7cef098bebc7:/# lsbin   dev  home  lib64    mnt  proc  run     srv  tmp  varboot  etc  lib     media    opt  root  sbin  sys  usr

进入容器的方法

[root@docker-node1 opt]# docker run -it --name erlianzhang centos:latest [root@b07f6aad08cd /]#

进入到存活的容器中

[root@docker ~]# docker attach erlianzhang [root@b07f6aad08cd /]#

exec方式必须指定起始命令 --- 推荐使用exec

[root@docker ~]# docker exec -it erlianzhang /bin/bash[root@abcadd1250cb /]# ps -efUID         PID   PPID  C STIME TTY          TIME CMDroot          1      0  0 16:14 pts/0    00:00:00 /bin/bashroot         13      0  0 16:16 pts/1    00:00:00 /bin/bashroot         25     13  0 16:16 pts/1    00:00:00 ps -ef

注意：进入容器中第一个命令一定要让容器夯住，否则会变成退出状态

暂时退出容器：ctrl+p，ctrl+q

回到容器：docker attach id或name

docker容器的网络访问

指定映射

-p hostPort:containerPort    -p ip:hostPort:containerPort     -p ip::containerPort    -p hostPort:containerPort:udp    -p 81:80 –p 443:443

随机映射

docker run -P

实操

docker run -d -p 888:80 nginx:latest

docker run -d -p 10.0.0.11:80:80 nginx:latest

[root@docker-node1 opt]# docker run -d -p 888:80 nginx:latest 1b177e8c6357ed08ddabb745b902a4e577e8c25e154a4b891dfa900b108dd4bd[root@docker-node1 opt]# netstat -lntupActive Internet connections (only servers)Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1406/sshd           tcp        0      0 10.0.0.11:2375          0.0.0.0:*               LISTEN      19206/dockerd       tcp6       0      0 :::22                   :::*                    LISTEN      1406/sshd           tcp6       0      0 :::888                  :::*                    LISTEN      21455/docker-proxy

docker的数据卷管理

数据卷(文件或目录)

-v /data    -v src:dst

数据卷容器

--volumes-from

实操：挂载数据卷在容器宿主机

[root@docker-node1 opt]# docker run -d -p 80:80 -v /data:/usr/share/nginx/html nginx:latest884b2c093c5c59897bd55b0dcec36c882abdc99134f8fffed4cb5decda17327d

创建数据卷

[root@docker-node1 data]# docker volume lsDRIVER              VOLUME NAMElocal               qingge

手动将容器保存为镜像（制作镜像）

命令：docker commit

特权容器

docker run --privileged  -ti -e "container=docker"  -v /sys/fs/cgroup:/sys/fs/cgroup  centos:latest  /usr/sbin/init

保存为镜像

[root@docker-node1 ~]# docker commit ebfdf46f9f12 centos6-sshsha256:b917ca49263af6d4435dc3c144c214af29c56dad7256e4de7978ffd9a7e24f39[root@docker-node1 ~]# docker imagesREPOSITORY          TAG                 IMAGE ID            CREATED             SIZEcentos6-ssh         latest              b917ca49263a        5 seconds ago       315MBhttpd               2.4                 2e202f453940        5 days ago          179MBcentos              latest              ff426288ea90        3 weeks ago         207MBnginx               latest              3f8a4339aadd        5 weeks ago         108MBcentos              6.8                 6704d778b3ba        2 months ago        195MB

dockerfile自动构建docker镜像

dockerfile主要组成部分：

基础镜像信息       FROM：centos:6.8    制作镜像操作指令   RUN yum install openssh-server -y    容器启动时执行指令 CMD ["/bin/bash"]

dockerfile常用指令：

FROM        这个镜像的妈妈是谁？  （指定基础镜像）    MAINTAINER  告诉别人，谁负责养它？（指定维护者信息，可以没有）    RUN         你想让它干啥         （在命令前面加上RUN即可）    ADD         给它点创业资金       （COPY文件，会自动解压）    WORKDIR     我是cd,今天刚化了妆  （设置当前工作目录）    VOLUME      给它一个存放行李的地方（设置卷，挂载主机目录）    EXPOSE      它要打开的门是啥     （指定对外的端口）    CMD         奔跑吧，兄弟！       （指定容器启动后的要干的事情）

dockerfile其他指令：

COPY             复制文件    ENV              环境变量    ENTRYPOINT       容器启动后执行的命令

实例：

此处在CMD处执行的是一个脚本，脚本内容大致是开启ssh服务并让ssh服务夯住，参数是-D，开启httpd服务

[root@docker-node1 ~]# cat /opt/base/Dockerfile FROM centos:6.8RUN yum install wget unzip php* httpd openssh-server -yRUN cd /var/www/html/ && wget http://static.kodcloud.com/update/download/kodexplorer4.25.zip && unzip kodexplorer4.25.zip RUN echo 'root:123456'|chpasswdRUN echo 'ServerName 127.0.0.1:80' >>/etc/httpd/conf/httpd.confRUN /etc/init.d/sshd startRUN chmod -Rf 777 /var/www/html/RUN sed 's#Options Indexes FollowSymLinks#Options FollowSymLinks#g' /etc/httpd/conf/httpd.conf -iCOPY init.sh /init.shEXPOSE 80/tcpEXPOSE 22/tcpCMD ["/bin/bash","/init.sh"][root@docker-node1 ~]# ll /opt/base/total 8-rw-r--r-- 1 root root 528 Feb  1 06:16 Dockerfile-rw-r--r-- 1 root root  82 Feb  1 03:37 init.sh[root@docker-node1 ~]# docker image build -t centos6-yun .

docker image build -t centos6-yun /opt/base/Dockerfile

docker image build -t 指定一个自动构建的镜像标签 Dockerfile文件路径

参考其他的dockerfile

官方dockerfile或者时速云镜像广场

容器间的互联

docker run -d -p 80:80 nginx    docker run -it --link quirky_brown:web01 qstack/centos-ssh /bin/bash    ping web01

使用docker运行zabbix-server

docker run --name mysql-server -t \      -e MYSQL_DATABASE="zabbix" \      -e MYSQL_USER="zabbix" \      -e MYSQL_PASSWORD="zabbix_pwd" \      -e MYSQL_ROOT_PASSWORD="root_pwd" \      -d mysql:5.7 \      --character-set-server=utf8 --collation-server=utf8_bindocker run --name zabbix-java-gateway -t \      -d zabbix/zabbix-java-gateway:latestdocker run --name zabbix-server-mysql -t \      -e DB_SERVER_HOST="mysql-server" \      -e MYSQL_DATABASE="zabbix" \      -e MYSQL_USER="zabbix" \      -e MYSQL_PASSWORD="zabbix_pwd" \      -e MYSQL_ROOT_PASSWORD="root_pwd" \      -e ZBX_JAVAGATEWAY="zabbix-java-gateway" \      --link mysql-server:mysql \      --link zabbix-java-gateway:zabbix-java-gateway \      -p 10051:10051 \      -d zabbix/zabbix-server-mysql:latestdocker run --name zabbix-web-nginx-mysql -t \      -e DB_SERVER_HOST="mysql-server" \      -e MYSQL_DATABASE="zabbix" \      -e MYSQL_USER="zabbix" \      -e MYSQL_PASSWORD="zabbix_pwd" \      -e MYSQL_ROOT_PASSWORD="root_pwd" \      --link mysql-server:mysql \      --link zabbix-server-mysql:zabbix-server \      -p 80:80 \      -d zabbix/zabbix-web-nginx-mysql:latest

docker私有仓库

普通的registry

启动registry容器

docker run -d -p 5000:5000 --restart=always --name registry -v /opt/myregistry:/var/lib/registry  registry

修改配置文件

/etc/docker/daemon.json

{  "registry-mirrors": ["https://registry.docker-cn.com"],  "insecure-registries": ["10.0.0.11:5000"]}

"insecure-registries": ["10.0.0.11:5000"] ---- 将https转换成http

重启docker服务

systemctl restart docker.service

为镜像打标签

docker tag centos6-yun:latest 10.0.0.11:5000/erlianzhang/centos6-yun:latest

push推送镜像

docker push 10.0.0.11:5000/erlianzhang/centos6-yun:latest

带basic认证的registry

mkdir /opt/registry-var/auth/ -phtpasswd  -Bbn erlianzhang 123456  >> /opt/registry-var/auth/htpasswddocker run -d -p 5000:5000 -v /opt/registry-var/auth/:/auth/ -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry

实操

yum install httpd-tools.x86_64 -y[root@docker-node1 ~]# mkdir /opt/registry-var/auth/ -pASSWD_PATH=/auth/htpasswd registry [root@docker-node1 ~]# htpasswd  -Bbn erlianzhang 123456 >> /opt/registry-var/auth/htpassw [root@docker-node1 ~]# docker run -d -p 5000:5000 -v /opt/registry-var/auth/:/auth/ -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry589820e671fa51114bf9ccf143375bce7351a80f7035e571f4e8524a1096edbb[root@docker-node1 ~]# docker ps CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES589820e671fa        registry            "/entrypoint.sh /etc…"   11 seconds ago      Up 11 seconds       0.0.0.0:5000->5000/tcp   confident_visvesvaraya[root@docker-node1 ~]# docker push 10.0.0.11:5000/erlianzhang/centos6-yun:latest   --- 不验证就不能上传The push refers to repository [10.0.0.11:5000/erlianzhang/centos6-yun]f8508dc392c8: Preparing f85b7909a4bc: Preparing 8b2d1868cde8: Preparing ad87982f4b1b: Preparing ac521dbe8cd3: Preparing 3d169f2d5cff: Waiting 6bad9d62f12a: Waiting f28db075daf0: Waiting e00c9229b481: Waiting no basic auth credentials[root@docker-node1 ~]# docker login 10.0.0.11:5000    --- 验证一下Username: erlianzhangPassword: Login Succeeded[root@docker-node1 ~]# docker push 10.0.0.11:5000/erlianzhang/centos6-yun:latest   --- 再次上传就可以了The push refers to repository [10.0.0.11:5000/erlianzhang/centos6-yun]f8508dc392c8: Pushed f85b7909a4bc: Pushed 8b2d1868cde8: Pushed ad87982f4b1b: Pushed ac521dbe8cd3: Pushed 3d169f2d5cff: Pushed 6bad9d62f12a: Pushed f28db075daf0: Pushed e00c9229b481: Pushed latest: digest: sha256:46e0409381ef7c5922bc5c37b5888015ab415c0e7248e463323db361318e93bf size: 2205

验证

[root@docker-node1 ~]# cat .docker/config.json {    "auths": {        "10.0.0.11:5000": {            "auth": "b2xkYm95OjEyMzQ1Ng=="        }    },    "HttpHeaders": {        "User-Agent": "Docker-Client/17.12.0-ce (linux)"    }}

docker-compose（单机版的容器编排工具）

docker-compose简介

一句话：docker-compose是用来做docker的多容器控制

docker-compose 是什么

docker-compose是一个用来把docker自动化的东西。

有了docker-compose你可以把所有繁复的docker操作全都一条命令，自动化的完成。

详细指令参考：

安装python环境

yum install -y python2-pip

详细指令：

配置pip加速

[root@docker-node1 ~]# mkdir .pip[root@docker-node1 ~]# vim ~/.pip/pip.conf[global]index-url = http://mirrors.aliyun.com/pypi/simple/[install]trusted-host=mirrors.aliyun.com

pip install docker-compose

配置文件

该配置文件是部署wordpress博客网站的

cd my_wordpress/vi docker-compose.yml

version: '3'services:   db:     image: mysql:5.7     volumes:       - /data/db_data:/var/lib/mysql     restart: always     environment:       MYSQL_ROOT_PASSWORD: somewordpress       MYSQL_DATABASE: wordpress       MYSQL_USER: wordpress       MYSQL_PASSWORD: wordpress   wordpress:     depends_on:       - db     image: wordpress:latest     volumes:       - /data/web_data:/var/www/html     ports:        - "8000:80"     restart: always     environment:       WORDPRESS_DB_HOST: db:3306       WORDPRESS_DB_USER: wordpress       WORDPRESS_DB_PASSWORD: wordpress

启动服务

#启动docker-compose up#后台启动docker-compose up -d

docker配合haproxy负载

灰度重启容器，防止因为更新业务全部关闭容器

安装haproxy

yum install haproxy -y

修改配置文件

vi /etc/haproxy/haproxy.cfg

global    log         127.0.0.1 local2    chroot      /var/lib/haproxy    pidfile     /var/run/haproxy.pid    maxconn     4000    user        haproxy    group       haproxy    daemon    stats socket /var/lib/haproxy/stats level admindefaults    mode                    http    log                     global    option                  httplog    option                  dontlognull    option http-server-close    option forwardfor       except 127.0.0.0/8    option                  redispatch    retries                 3    timeout http-request    10s    timeout queue           1m    timeout connect         10s    timeout client          1m    timeout server          1m    timeout http-keep-alive 10s    timeout check           10s    maxconn                 3000listen stats    mode http    bind 0.0.0.0:8888    stats enable    stats uri     /haproxy-status     stats auth    admin:123456frontend frontend_www_example_com    bind 10.0.0.11:8000    mode http    option httplog    log global    default_backend backend_www_example_combackend backend_www_example_com    option forwardfor header X-REAL-IP    option httpchk HEAD / HTTP/1.0    balance roundrobin    server web-node1  10.0.0.11:32768 check inter 2000 rise 30 fall 15    server web-node2  10.0.0.11:32769 check inter 2000 rise 30 fall 15

启动服务

systemctl start haproxy

安装socat

yum install socat.x86_64 -yecho "disable server backend_www_example_com/web-node3"|socat stdio /var/lib/haproxy/statsecho "enable server backend_www_example_com/web-node3"|socat stdio /var/lib/haproxy/stats

利用测试页测试

            PHP测试                
     Hello World 
'; ?>        
     ".$_SERVER['SERVER_ADDR'].""."
";        echo"访问的服务器域名是:"."
     
      ".$_SERVER['SERVER_NAME'].""."
      
";        ?>

Docker网络类型

类型	说明
None	不为容器配置任何网络功能，没有网络 --net=none
Container	与另一个运行中的容器共享Network Namespace，--net=container:containerID
Host	与主机共享Network Namespace，--net=host
Bridge	Docker设计的NAT网络模型（默认类型）

Bridge默认docker网络隔离基于网络命名空间，在物理机上创建docker容器时会为每一个docker容器分配网络命名空间，并且把容器IP桥接到物理机的虚拟网桥上。

不为容器配置网络功能

此模式下创建容器是不会为容器配置任何网络参数的，如：容器网卡、IP、通信路由等，全部需要自己去配置。

[root@docker01 ~]# docker run  -it --network none busybox:latest  /bin/sh / # ip a1: lo: 
     
       mtu 65536 qdisc noqueue     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00    inet 127.0.0.1/8 scope host lo       valid_lft forever preferred_lft forever

与其他容器共享网络配置(Container）

此模式和host模式很类似，只是此模式创建容器共享的是其他容器的IP和端口而不是物理机，此模式容器自身是不会配置网络和端口，创建此模式容器进去后，你会发现里边的IP是你所指定的那个容器IP并且端口也是共享的，而且其它还是互相隔离的，如进程等。

[root@docker01 ~]# docker run  -it --network container:mywordpress_db_1  busybox:latest  /bin/sh / # ip a1: lo: 
     
       mtu 65536 qdisc noqueue     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00    inet 127.0.0.1/8 scope host lo       valid_lft forever preferred_lft forever105: eth0@if106: 
      
        mtu 1500 qdisc noqueue     link/ether 02:42:ac:12:00:03 brd ff:ff:ff:ff:ff:ff    inet 172.18.0.3/16 brd 172.18.255.255 scope global eth0       valid_lft forever preferred_lft forever

使用宿主机网络

此模式创建的容器没有自己独立的网络命名空间，是和物理机共享一个Network Namespace，并且共享物理机的所有端口与IP，并且这个模式认为是不安全的。、

[root@docker01 ~]# docker run  -it --network host  busybox:latest  /bin/sh

查看网络列表

[root@docker01 ~]# docker network list NETWORK ID          NAME                  DRIVER              SCOPEb15e8a720d3b        bridge                bridge              local345d65b4c2a0        host                  host                localbc5e2a32bb55        mywordpress_default   bridge              localebf76eea91bb        none                  null                local

用PIPEWORK为docker容器配置独立IP

参考文档：

官方网站：

宿主环境：centos7.2

1、安装pipework

wget https://github.com/jpetazzo/pipework/archive/master.zipunzip master.zipcp pipework-master/pipework  /usr/local/bin/chmod +x /usr/local/bin/pipework

2、配置网桥连接

安装桥接工具

yum install bridge-utils.x86_64 -y

修改网卡配置，实现桥接

# 修改eth0配置，让br0实现桥接[root@docker01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0TYPE=EthernetBOOTPROTO=staticNAME=eth0DEVICE=eth0ONBOOT=yesBRIDGE=br0[root@docker01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-br0TYPE=BridgeBOOTPROTO=staticNAME=br0DEVICE=br0ONBOOT=yesIPADDR=10.0.0.100NETMASK=255.255.255.0GATEWAY=10.0.0.254DNS1=223.5.5.5 # 重启网络[root@docker01 ~]# /etc/init.d/network restart

3、运行一个容器镜像测试：

pipework br0 $(docker run -d -it -p 6880:80 --name  httpd_pw httpd) 10.0.0.220/24@10.0.0.254

在其他主机上测试端口及连通性

[root@docker01 ~]# curl 10.0.0.220It works!
[root@docker01 ~]# ping 10.0.0.220 -c 1PING 10.0.0.220 (10.0.0.220) 56(84) bytes of data.64 bytes from 10.0.0.220: icmp_seq=1 ttl=64 time=0.043 ms

4、再运行一个容器，设置网路类型为none：

pipework br0 $(docker run -d -it --net=none --name test httpd:2.4) 10.0.0.221/24@10.0.0.254

进行访问测试

[root@docker01 ~]# curl 10.0.0.221It works!

5、重启容器后需要再次指定：

pipework br0 testduliip  172.16.146.113/24@172.16.146.1pipework br0 testduliip01  172.16.146.112/24@172.16.146.1

Docker跨主机通信之macvlan

创建macvlan网络

docker network create --driver macvlan --subnet 10.1.0.0/24 --gateway 10.1.0.254 -o parent=eth0 macvlan_1

设置eth0的网卡为混杂模式

ip link set eth0 promisc on

创建使用macvlan网络的容器

docker run -it --network macvlan_1 --ip=10.1.0.210 busybox:latest /bin/sh

基于macvlan网络，还存有overlay网络

Dcoker跨主机通信之overlay 参考文档：

Docker镜像的生命周期图

docker企业级镜像仓库harbor

介绍

Harbor 是一个企业级的 Docker Registry，可以实现 images 的私有存储和日志统计权限控制等功能，并支持创建多项目(Harbor 提出的概念)，基于官方 Registry V2 实现。通过地址：可以下载最新的版本。官方提供了两种版本：在线版和离线版。

安装步骤

容器管理

[root@docker01 harbor]# pwd/opt/harbor[root@docker01 harbor]# docker-compose stop

第一步：安装docker和docker-compose

下载harbor-offline-installer-v1.3.0.tgz

cd /opt && https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.3.0.tgztar xf harbor-offline-installer-v1.3.0.tgz

第二步：修改主机及web界面密码

修改harbor.cfg配置文件

[root@docker01 harbor]# vim harbor.cfg     ···    hostname = 10.0.0.100    harbor_admin_password = 123456    ···

第三步：执行install.sh

[root@docker01 harbor]# ./install.sh

第四步：web登陆测试

镜像推送到仓库的指定项目

[root@docker02 ~]# docker  tag centos:6.8  10.0.0.100/clsn/centos6.8:1.0[root@docker02 ~]#  [root@docker02 ~]# docker images REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZEbusybox                     latest              5b0d59026729        8 days ago          1.15MB10.0.0.100/clsn/centos6.8   1.0                 6704d778b3ba        2 months ago        195MBcentos                      6.8                 6704d778b3ba        2 months ago        195MB[root@docker02 ~]# docker login 10.0.0.100Username: adminPassword: Login Succeeded

推送镜像

[root@docker02 ~]# docker push 10.0.0.100/clsn/centos6.8 The push refers to repository [10.0.0.100/clsn/centos6.8]e00c9229b481: Pushing  13.53MB/194.5MB

转载注明出处，写这篇很累！！！

转载于:https://www.cnblogs.com/lyq863987322/p/8494969.html

你可能感兴趣的文章

day22 01 初识面向对象----简单的人狗大战小游戏

【BZOJ4516】生成魔咒（后缀自动机）

查看>>

提高PHP性能的10条建议