docker容器初探—基本概念和基础命令用法
docker容器初探—基本概念和基础命令用法-------------------------------------------------------------------------------------------------------------------------------------------
一、基本概念
1、LXC:Linux Container,针对于Linux内核容器功能的用户空间接口,docker刚问世时基于LXC之上,后期发展摒弃了LXC,lxc -> libcontainer -> runC
2、docker:也是基于c/s架构
容器基于镜像启动,如果本地没有,docker会去ftp仓库拉取镜像到本地
基于自己开发的libcontainer
3、Cgroups和namespace是docker的核心技术
(1)docker的kernel namespace(内核名称空间)六个重要元素:ipc uts mount pid network user
http://s1.运维网.com/images/20181031/1540967885367374.png
(2)Cgroups:control groups
blkio:块设备IO
cpu CPU
cpuacct CPU资源使用报告
cpuset 多处理器平台上的CPU集合
devices 设备访问
freezer 挂起或恢复任务
memory 内存用量及报告
perf_event 对cgroup中的任务进行统一性能测试
net_cls cgroup中的任务创建的数据报文的类别标识符
OCI:Open Container Initiative,旨在围绕容器格式和运行时制定一个开放的工业化标准
4、镜像是分层构建的
docker image的使用
http://s1.运维网.com/images/20181031/1540967896771526.png
联合挂载:上3层都可以看到底层的/var/log,假设当第二层执行rm /tmp/a.txt后,上3层看不到/tmp/a.txt,但底层的/tmp/a.txt依然在。最上一层为可写层(其它层只读),平时修改操作都在可写层进行,所以修改完成后底层镜像没有变动,变动的只是可写层
5、docker怎样运行的
http://blog.运维网.com/13873498/E:/%E5%B7%A5%E5%85%B7/YoudaoNote/Note/414973196@163.com/56468b6468cd4888be114375be313665/clipboard.pnghttp://s1.运维网.com/images/20181031/1540968192495797.png
aufs:advanced multi-layered unification filesystem:高级多层统一文件系统,用于为Linux文件系统实现联合挂载
overlayfs:aufs的竞争产品,自从3.18版本被合并到Linux内核,也就是说CentOS7内核版本3.10未打补丁是不支持的,用的还是devicemapper,虽说redhat给内核打了补丁,不过支持度肯定还是远不如Ubuntu默认的aufs
6、特点:
(1)基于一个镜像,可以启动多个容器,供多个容器之间共享使用
(2)正常情况下一个docker容器只允许运行一个进程和其子进程,否则容器还需要一个进程管理器
7、docker的对象
image、contain、networks、volumes、plugins、other object
8、docker的registry仓库可分为:其中的镜像名的引用类似于httpd:v2.4.32,引用2.4.32版本的httpd
Docker Hub
gcr.io
quay.io
dev.aliyun.com
个人建立高可用仓库
http://s1.运维网.com/images/20181031/1540968206590119.png
registry分类
sponsor registry
mirror registry
vendor registry
private registry
二、docker的安装
1、docker的社区版:moby,也称作docker-ce
阿里云镜像站的docker-ce下,建议使用较新版本,k8s只支持到docker的17.03版
http://s1.运维网.com/images/20181031/1540968258114085.png
下载docker-ce.repo文件到yum源文件,yum -y install docker-ce
http://s1.运维网.com/images/20181031/1540968271773417.png
将此文件移动到/etc/yum.repos.d/目录下
yum -y install docker-ce
注意:安装过程中出现以下界面,请填写一个epel源,之后重装container-selinux
http://s1.运维网.com/images/20181031/1540968283893050.png
复制以下代码到/etc/yum.repos.d/目录下新建的repo文件
name=CentOS-$releasever - Base - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/os/$basearch/
http://mirrors.aliyuncs.com/centos/$releasever/os/$basearch/
http://mirrors.cloud.aliyuncs.com/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
name=CentOS-$releasever - Updates - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/updates/$basearch/
http://mirrors.aliyuncs.com/centos/$releasever/updates/$basearch/
http://mirrors.cloud.aliyuncs.com/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
name=CentOS-$releasever - Extras - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/extras/$basearch/
http://mirrors.aliyuncs.com/centos/$releasever/extras/$basearch/
http://mirrors.cloud.aliyuncs.com/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
name=CentOS-$releasever - Plus - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/centosplus/$basearch/
http://mirrors.aliyuncs.com/centos/$releasever/centosplus/$basearch/
http://mirrors.cloud.aliyuncs.com/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
name=CentOS-$releasever - Contrib - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/contrib/$basearch/
http://mirrors.aliyuncs.com/centos/$releasever/contrib/$basearch/
http://mirrors.cloud.aliyuncs.com/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
2、安装成功后,需要修改几个地方
(1)编辑/usr/lib/systemd/system/docker.service
http://s1.运维网.com/images/20181031/1540968306508740.png
(2)设置加速连接
登录阿里云账号,之后转入cr.console.aliyun.com,开通,界面如下
http://s1.运维网.com/images/20181031/1540968317294012.png
写入
http://s1.运维网.com/images/20181031/1540968323705437.png
(3)开启docker需要/proc/sysnet/brige/bridge-nf-call-iptables和/proc/sysnet/brige/bridge-nf-call-ip6tables为1,常保存需要vim /etc/sysctl.d/docker.conf,写入net.bridge.bridge-nf-call-iptables = 1和
net.bridge.bridge-nf-call-ip6tables = 1
http://s1.运维网.com/images/20181031/1540968330781407.png
完成后systemctl daemon-reload;systemctl restart docker
三、docker官方镜像网站
https://hub.docker.com
http://s1.运维网.com/images/20181031/1540968337993297.png
四、docker基础命令
1、docker search :搜索镜像
http://s1.运维网.com/images/20181031/1540968355565176.png
2、docker image pull alpine:从仓库向本地拖镜像,不用标签默认用最新版alpine
alpine有版本:
http://s1.运维网.com/images/20181031/1540968362939422.png
安装效果
http://s1.运维网.com/images/20181031/1540968371879938.png
3、docker image ls:查看镜像信息
docker imager ls -a
http://s1.运维网.com/images/20181031/1540968382845637.png
4、docker image inspect alpine:显示镜像详细信息
http://s1.运维网.com/images/20181031/1540968390848690.png
5、docker image rm alpine:3.8,删除alpine3.8镜像
http://s1.运维网.com/images/20181031/1540968401100588.png
6、docker image tag httpd:2.4.37-alpine httpd:2.4,给标签为2.4.37-alpine的httpd镜像增加标签httpd:2.4
docker image tag httpd:2.4.37-alpine chenux/httpd:2.4
docker image tag httpd:2.4.37-alpine reg.chenux.com:8443/chenux/httpd:2.4,只有这么打上主机标签才会认为是自己的docker库,否则系统会认为是官方的docker库
有原镜像
http://s1.运维网.com/images/20181031/1540968414951255.png
添加镜像tag,docker image tag httpd:2.4.37-alpine httpd:2.4,docker image tag busybox:1.29 chenux/busybox:2.4
http://s1.运维网.com/images/20181031/1540968423575885.png
docker image tag httpd:2.4.37-alpine reg.chenux.com:8443/chenux/httpd:2.4
http://s1.运维网.com/images/20181031/1540968432834784.png
注:一个镜像可以有多个tag标签,但一个tag标签只能有一个镜像
7、docker container run --name alpine1 -it alpine:3.8
新建一个容器,名字叫alpine1,并启动打开其交互界面
http://s1.运维网.com/images/20181031/1540968439134697.png
docker container run --name alpine1 alpine:3.8 -d
启动一个容器,名字叫alpine1,以守护进程方式后台运行
http://s1.运维网.com/images/20181031/1540968457484907.png
另起一个终端
http://s1.运维网.com/images/20181031/1540968469181350.png
注:这里httpd可以后台运行是因为镜像里CMD中有个httpd-foreground前台运行,所以此时-d剥离后依然存在,而alpine镜像由于没有前台运行的指令,所以此法创建出后是退出状态
http://s1.运维网.com/images/20181031/1540968479674695.png
docker container run --name alpine1 -it alpine:3.8 --rm alpine
启动一个容器,名字叫alpine1,打开其交互界面,停止后删除该容器
启动状态时存在httpd2
http://s1.运维网.com/images/20181031/1540968491399694.png
停止后
http://s1.运维网.com/images/20181031/1540968505700813.png
8、docker container ls,查看docker容器状态信息
docker container ls -a
http://s1.运维网.com/images/20181031/1540968518749932.png
9、docker container start httpd1,启动一个关闭的容器
显示前有container状态
http://s1.运维网.com/images/20181031/1540968528443310.png
启动docker container start httpd1
http://s1.运维网.com/images/20181031/1540968536674309.png
docker container start -i doc7
启动doc7容器并进入交互界面
http://s1.运维网.com/images/20181031/1540968545699918.png
10、docker container attach doc7,其他终端使用该命令关联一个容器的终端,前台运行光标闪烁
http://s1.运维网.com/images/20181031/1540968554576298.png
ctrl+p后ctrl+q,剥离容器的终端
http://s1.运维网.com/images/20181031/1540968561460795.png
11、docker ps:doc列出后台运行的容器
docker ps -a
http://s1.运维网.com/images/20181031/1540968572545973.png
12、docker logs:用来获取和显示docker控制台的日志
http://s1.运维网.com/images/20181031/1540968583925986.png
13、docker container exec,非交互式突破容器外壳进入容器内部执行命令
docker exec alpine1 ifconfig
http://s1.运维网.com/images/20181031/1540968590199482.png
docker exec web1 -it /bin/bash, 交互式突破容器外壳进入容器内部执行命令
14、docker top web1,对web1的容器查看内部运行状态
http://s1.运维网.com/images/20181031/1540968608677183.png
15、docker container stats,获取当前所有容器cpu、内存、网络io、磁盘io的消耗
http://s1.运维网.com/images/20181031/1540968617826089.png
16、docker container pause,暂停容器
docker container unpause ,继续运行暂停的容器
http://s1.运维网.com/images/20181031/1540968629844452.png
docker rm web1,删除web1容器
http://s1.运维网.com/images/20181031/1540968637755210.png
四、docker状态转换结构图
http://s1.运维网.com/images/20181031/1540968665343276.png
docker kill类似于virsh中的destroy,一般情况不建议使用,除非docker在使用中遇到了错误
OOM:out of memory,非计划内终止,容器所在的宿主机内存资源耗尽,此时系统会自动杀死占用内存最大的由docker内的服务进程,此时需要定制策略,看此服务进程是重启还是进入stopped状态
五、制作docker镜像
因为docker的镜像采用是联合挂载,因此对镜像的修改制作,实质上是对镜像最上层可写层进行写操作保存,对底层镜像并没有修改
1、下载原镜像
docker image pull busybox
docker container run --name b1 -it busybox
http://s1.运维网.com/images/20181031/1540968706803914.png
2、进行修改,比如安装包之类
http://s1.运维网.com/images/20181031/1540968716121549.png
docker commit,用于该容器可写层写的数据保存为一个镜像层
docker commit doc7,保doc7这个容器可写层
http://s1.运维网.com/images/20181031/1540968727516950.png
3、新的镜像没有名字和标签,所以需要添加
docker image tag IMAGEID mycentos:7
http://s1.运维网.com/images/20181031/1540968736507976.png
4、如果有需求,还可以继续使用docker commit -c 命令修改需要镜像的指令的内部
docker commit -a "chenux" -c 'CMD ["/usr/sbin/httpd","-DFOREGROUND"]' -p centos-base1 centos-httpd:v0.2-2.4
-a,添加作者
-c,修改CMD中指令
-p,修改过程中容器暂停
修改centos-base1镜像,添加作者信息chenux,由CMD中的/bin/bash命令改为了/usr/sbin/httpd,-DFOREGROUND,创建过程中暂停容器,新镜像名字叫centos-httpd:v0.2-2.4
镜像信息中containerconfig中的CMD
示例
http://s1.运维网.com/images/20181031/1540968751942892.png
修改结果
http://s1.运维网.com/images/20181031/1540968759629268.png
六、使用registry推送镜像
1、阿里云创建镜像仓库
http://s1.运维网.com/images/20181031/1540968971301544.png
2、建立仓库信息
http://s1.运维网.com/images/20181031/1540968985766202.png
3、选择本地仓库
http://s1.运维网.com/images/20181031/1540968993530281.png
4、创建好后点击管理
http://s1.运维网.com/images/20181031/1540969001163895.png
5、推送时镜像标签需要和服务器保持一致,阿里云提示的操作指南会有
http://s1.运维网.com/images/20181031/1540969011275517.png
(1)登录仓库
http://s1.运维网.com/images/20181031/1540969073374275.png
(2)添加标签
http://s1.运维网.com/images/20181031/1540969083410186.png
(3)推送
http://s1.运维网.com/images/20181031/1540969091204386.png
完成后
http://s1.运维网.com/images/20181031/1540969100326974.png
仓库也有了
http://s1.运维网.com/images/20181031/1540969110225144.png
推送完成后,docker logout
七、分发镜像
docker image save IMAGE-ID -o /DIR/*.tar
http://s1.运维网.com/images/20181031/1540969121637488.png
scp
docker image load -i /DIR/*.tar
http://s1.运维网.com/images/20181031/1540969135251522.png
测试结果
http://s1.运维网.com/images/20181031/1540969142919970.png
页:
[1]