|
|
[TOC]
Docker入门基础
课题简述
简单入门docker的基本使用,文本介绍docker命令的基础使用,docker镜像库,网络,存储的一些知识
环境
- ubuntu16.04
- python3.6
- Docker version 1.13.1
- Docker ID(为了镜像在公共仓库的pull,push)
一、Install Docker
1.1 安装docker-ce
sudo apt-get update
sudo apt-get install apt-transport-https ca-certificates
sudo apt-key adv \
--keyserver hkp://ha.pool.sks-keyservers.net:80 \
--recv-keys 58118E89F3A912897C070ADBF76221572C52609D
#append this to /etc/apt/sources.list
deb https://apt.dockerproject.org/repo ubuntu-xenial main
sudo apt-get update
apt-cache policy docker-engine
apt-get upgrade
sudo apt-get install linux-image-extra-$(uname -r) linux-image-extra-virtual
sudo apt-get install docker-engine
1.2 默认安装系统自带的docker
apt-get update
# 默认将会安装最新版的docker1.13.1
apt-get install docker.io
1.2.1 docker1.13带来的新功能
- 正式支持服务栈: docker stack
- 正式支持插件:docker plugin
- 添加在 Swarm 集群环境下对密码、密钥管理的 secret 管理服务:docker secret
- 增加 docker system 命令
- 可以直接使用 docker-compose.yml 进行服务部署
- 添加 docker service 滚动升级出故障后回滚的功能
- 增加强制再发布选项 docker service update –force
- 允许 docker service create 映射宿主端口,而不是边界负载均衡网络端口
- 允许 docker run 连入指定的 swarm mode 的 overlay 网络
- 解决中国 GFW 墙掉 docker-engine apt/yum 源的问题
1.3 配置加速器
vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://registry.docker-cn.com"]
}
# --registry-mirror=http://alaudademo13.m.alauda.cn
1.4 了解docker安装目录
编号
路径名
意义
1
/var/lib/docker/devicemapper/devicemapper/data
用来存储相关的存储池数据
2
/var/lib/docker/devicemapper/devicemapper/metadata
用来存储相关的元数据
3
/var/lib/docker/devicemapper/metadata/
用来存储 device_id、大小、以及传输_id、初始化信息
4
/var/lib/docker/devicemapper/mnt
用来存储挂载信息
5
/var/lib/docker/container/
用来存储容器信息
6
/var/lib/docker/graph/
用来存储镜像中间件及镜像的元数据信息、以及依赖信息
7
/var/lib/docker/repositores-devicemapper
用来存储镜像基本信息
8
/var/lib/docker/tmp
docker临时目录
9
/var/lib/docker/trust
docker信任目录
10
/var/lib/docker/volumes
docker卷目录
二、Docker基础命令
2.1 命令的分类
子命令分类
子命令
与镜像相关的命令
images,search,pull,push,login,logout,commit,build,rmi(127)
容器生命周期管理
create,exec,kill,pause,restart,rm,run,start,stop,unpause
环境信息相关
info,version
系统维护相关
images,inspect,build,commit,pause/unpause,ps,rm,rmi,run,start/stop/restart,top,kill,...
日志信息相关
events,history,logs
Docker ID 相关
login,logout
与容器相关的命令
run, kill, stop, start, restart, logs, export, import
2.2 命令的基础使用
2.2.1 使用man,help学习docker命令
man docker subcommand
docker help subcommand
docker command --help
2.2.2 Docker镜像的操作
- 显示镜像信息
# 列出镜像的信息
docker images
# 自定义表显示镜像的信息
docker images --format "table {{.ID}}\t{{.Repository}}\t{{.Tag}}"
- 查询镜像
- docker search IMAGE_NAME
- search images from docker hub
- 镜像的拉取删除与修改,重命名,创建
# 拉取镜像
docker pull busybox
# docker ID登录
➜ ~ docker login -u bluerdocker
Password:
Login Succeeded
# 镜像重命名(bluerdocker是我的docker ID)
docker tag busybox bluerdocker/busybox:latest
# 上传镜像
➜ ~ docker push bluerdocker/busybox
The push refers to a repository [docker.io/bluerdocker/busybox]
0271b8eebde3: Mounted from library/busybox
latest: digest: sha256:91ef6c1c52b166be02645b8efee30d1ee65362024f7da41c404681561734c465 size: 527
# 删除镜像
# 删除镜像时,如果存在打标签的镜像,那么只有到最后有一个镜像被删除时,镜像才被删除
➜ ~ docker rmi bluerdocker/busybox
Untagged: bluerdocker/busybox:latest
Untagged: bluerdocker/busybox@sha256:91ef6c1c52b166be02645b8efee30d1ee65362024f7da41c404681561734c465
➜ ~ docker rmi busybox
Untagged: busybox:latest
Untagged: busybox@sha256:bbc3a03235220b170ba48a157dd097dd1379299370e1ed99ce976df0355d24f0
Deleted: sha256:6ad733544a6317992a6fac4eb19fe1df577d4dec7529efec28a5bd0edad0fd30
Deleted: sha256:0271b8eebde3fa9a6126b1f2335e170f902731ab4942f9f1914e77016540c7bb
# 从已有dockerfile创建镜像(download from docker hub)
docker build -t nginx/marion:v1 -m 1024 .
➜ dockerfile1 docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx/marion v1 64220f7e39ab 2 minutes ago 108 MB
还有一些其他的命令
build Build an image from a Dockerfile
history Show the history of an image
import Import the contents from a tarball to create a filesystem image
inspect Display detailed information on one or more images
load Load an image from a tar archive or STDIN
ls List images
prune Remove unused images
pull Pull an image or a repository from a registry
push Push an image or a repository to a registry
rm Remove one or more images
save Save one or more images to a tar archive (streamed to STDOUT by default)
tag Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
# 把一个镜像保存成一个tarball.
docker image save nginx -o nginx.tar
2.2.3 容器的生命周期管理
Commands:
attach # 进入一个正在运行的容器,不建议使用
commit # 把一个正在运行的容器打包成一个新的镜像
cp # 在容器与本地文件系统之间进行文件/文件夹拷贝
create # 创建一个新的容器
diff # 检查运行的容器与所使用镜像之间的变化
exec # 进入正在运行的容器
export # 把一个容器的文件系统归档成一个tar包
inspect # 显示一个/多个容器的详细信息
kill # 杀掉一个/多个正在运行的容器
logs # 查看容器中进程的运行日志
ls # 列出容器列表
pause # 暂停一个/多个容器中的所有进程
port # 显示容器与docker host的端口映射
prune # 移除所有所有停掉的容器
rename # 重命名容器
restart # 重启容器
rm # 删除一个或多个容器
run # 运行一个容器
start # 启动一个或多个容器
stats # 显示容器资源的使用信息
stop # 停止一个或多个容器
top # 显示容器中的进程
unpause # 恢复暂停的容器
update # 更新容器的配置(cpu,mem,重启的策略等)
wait # 阻塞运行直到容器停止,然后打印出它的退出代码
2.2.4 run wordpress on docker
docker pull mysql
- 挂载卷保存数据文件
mkdir -p /mysql/data
chmod -p 777 /mysql/data
- MySQL使用过程中的环境变量
Num
Env Variable
Description
1
MYSQL_ROOT_PASSWORD
root用户的密码
2
MYSQL_DATABASE
创建一个数据库
3
MYSQL_USER,MYSQL_PASSWORD
创建一个用户以及用户密码
4
MYSQL_ALLOW_EMPTY_PASSWORD
允许空密码
- 创建网络
docker network create --subnet 10.0.0.0/24 --gateway 10.0.0.1 marion
docker network ls
➜ ~ docker network ls | grep marion
6244609a83bb marion bridge local
- 创建MYSQL container
➜ ~ docker run -v /mysql/data:/var/lib/mysql --name mysqldb --restart=always -p 3306:3306 -e MYSQL_DATABASE='wordpress' -e MYSQL_USER='marion' -e MYSQL_PASSWORD='marion' -e MYSQL_ALLOW_EMPTY_PASSWORD='yes' -e MYSQL_ROOT_PASSWORD='marion' --network=marion --ip=10.0.0.2 -d mysql
➜ ~ docker ps -a
➜ marion docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3013c407c74b mysql "docker-entrypoint..." 4 minutes ago Up 4 minutes 0.0.0.0:3306->3306/tcp mysqldb
➜ marion docker exec -it 3013c407c74b /bin/bash
root@3013c407c74b:/# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
9: eth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:0a:00:00:02 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.2/24 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::42:aff:fe00:2/64 scope link
valid_lft forever preferred_lft forever
root@3013c407c74b:/# apt-get install net-tools -y
root@3013c407c74b:/# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.11:45485 0.0.0.0:* LISTEN -
tcp6 0 0 :::3306 :::* LISTEN -
udp 0 0 127.0.0.11:48475 0.0.0.0:* -
root@3013c407c74b:/# mysql -u marion -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.20 MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| wordpress |
+--------------------+
2 rows in set (0.01 sec)
mysql>
- 3、运行nginx-php
mkdir -p /var/www/html
docker run --name php7 -p 9000:9000 -p 80:80 -v /var/www/html:/usr/local/nginx/html --restart=always --network=marion --ip=10.0.0.3 -d skiychan/nginx-php7
docker ps
docker exec -it cfb9556b71b3 /bin/bash
cd /usr/local/php/etc
vim php.ini
date.timezone =Asia/Shanghai
- 编辑nginx配置文件/usr/local/nginx/conf/nginx.conf
user www www; #modify
worker_processes auto; #modify
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
error_log /var/log/nginx_error.log crit; #add
#pid logs/nginx.pid;
pid /var/run/nginx.pid; #modify
worker_rlimit_nofile 51200;
events {
use epoll;
worker_connections 51200;
multi_accept on;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
client_max_body_size 100m; #add
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 120; #65;
#gzip on;
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
root /usr/local/nginx/html;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php?$args;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
location ~ \.php$ {
root /usr/local/nginx/html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /$document_root$fastcgi_script_name;
include fastcgi_params;
}
}
#add
##########################vhost#####################################
include vhost/*.conf;
}
daemon off;
- 测试配置文件是否有问题
[root@cfb9556b71b3 sbin]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
- 重新加载配置文件
[root@cfb9556b71b3 sbin]# /usr/local/nginx/sbin/nginx -s reload
[root@cfb9556b71b3 sbin]#
2.2.5 容器的重启策略
- no
- on-failure
- always
- unless-stopped
三、Dockerfile
Comment
INSTRUCTION arguments
1. FROM
基于哪个base镜像
2. RUN
- 执行命令并创建新的镜像层,run经常用于安装软件包
3. MAINTAINER
镜像创建者
4. copy
将文件从build context复制到镜像
#1
COPY ["src","dest"]
COPY src dest
#注意:src只能指定build context中的文件
5. CMD
- container启动时执行的命令,但是一个Dockerfile中只能有一条CMD命令,多条则只执行最后一条CMD。CMD主要用于container启动时指定的服务
- 当docker run command的命令匹配到CMD command时,会替换CMD执行的命令。
- 存在三种使用格式
- Exec: CMD ["Command","param1","param2"]
- CMD ["param1","param2"] 为ENTRYPOINT提供额外的参数,此时ENTRYPOINT必须使用exec格式
- CMD command param1 param2
6. ENTRYPOINT
container启动时执行的命令,但是一个Dockerfile中只能有一条ENTRYPOINT命令,如果多条,则只执行最后一条。ENTRYPOINT没有CMD的可替换特性
- ENTRYPOINT的exec格式用于设置执行的命令及其参数,同时可通过CMD提供额外的参数
- ENTRYPOINT的shell格式会忽略任何CMD或docker run提供的参数
7. USER
使用哪个用户跑container
8. EXPOSE
container内部服务开启的端口。主机上要用还得在启动container时,做host-container的端口映射:
docker run -d -p 127.0.0.1:3000:22 ubuntu-ssh
container ssh服务的22端口被映射到主机的33301端口
9. ENV
用来设置环境变量,比如:ENV ROOT_PASS tenxcloud
10. ADD
将文件<src>拷贝到container的文件系统对应的路径<dest>。ADD只有在build镜像的时候运行一次,后面运行container的时候不会再重新加载了。如果src是一个tar,zip,tgz,xz文件,文件会被自动的解压到dest
11. VOLUME
可以将本地文件夹或者其他container的文件夹挂载到container中。
12. WORKDIR
切换目录用,可以多次切换(相当于cd命令),对RUN、CMD、ENTRYPOINT生效
13. ONBUILD
ONBUILD 指定的命令在构建镜像时并不执行,而是在它的子镜像中执行
14. 两种方式shell,EXEC指定run,cmd和entrypoint要运行的命令
- CMD和ENTRYPOINT建议使用Exec格式
- RUN则两种都是可以的
注意
构建dockerfile时,必须提前转备好build context中的文件
四、Docker registry
4.1 搭建本地镜像仓库
#检查端口5000是否被占用
netstat -tunlp | grep 5000
# pull registry
mkdir -p /opt/myregistry
docker run -d -p 5000:5000 --name registry --restart=always -v /opt/myregistry:/var/lib/registry registry:2.4.1
curl http://172.17.0.1:5000/v2
# modify https to http
echo "{"insecure-registries:["172.17.0.1:5000"]"}" > /etc/docker/daemon.json
# 拉取busybox镜像做测试
docker pull busybox
# tag镜像
docker tag busybox 172.17.0.1:5000/busybox01
# 删除tag为latest的镜像
docker rmi busybox
# push镜像到本地仓库
docker push 172.17.0.1:5000/busybox01
# check
tree -l 4 /opt/myregistry
# 删除下载的busybox镜像
docker rmi 172.17.0.1:5000/busybox01
# 从本地镜像仓库下载
docker pull 172.17.0.1:5000/busybox01
4.2 公有仓库Docker Hub
- sign up a docker id
- sign in docker hub
- Docker Cloud
4.3 企业级harbor仓库
4.3.1 download harbor offline tar package
wget https://github.com/vmware/harbor/releases/download/v1.2.2/harbor-offline-installer-v1.2.2.tgz -o /home/marion/docker
tar xf /home/marion/docker/harbor-offline-installer-v1.2.2.tgz
cd /home/marion/docker/harbor
4.3.2 添加域名解析
vim /etc/hosts
## append this
10.0.0.128 www.proharbor.com
## 检查是否正常
ping www.proharbor.com
4.3.3 创建自签证书
mkdir /home/marion/docker/harbor/newcert
cd /home/marion/docker/harbor/newcert
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
openssl req -newkey rsa:4096 -nodes -sha256 -keyout proharbor.com.key -out proharbor.com.csr
openssl x509 -req -days 3650 -in proharbor.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out proharbor.com.crt
mkdir -pv /etc/docker/certs.d/www.proharbor.com
cp /home/marion/docker/harbor/newcert/ca.crt /etc/docker/certs.d/www.proharbor.com/
cp /home/marion/docker/harbor/newcert/proharbor.com.crt /usr/local/share/ca-certificates/www.proharbor.com.crt
update-ca-certificates
4.3.4 更新配置文件
4.3.4.1 更新harbor.cfg
hostname = www.proharbor.com
ui_url_protocol = https
ssl_cert = /home/marion/docker/harbor/newcert/proharbor.com.crt
ssl_cert_key = /home/marion/docker/harbor/newcert/proharbor.com.key
4.3.4.2 更新docker-compose.yml
# 创建本地仓库镜像的存储目录
cd /home/marion/docker/harbor
mkdir /home/marion/harborregistry/
vim docker-compose.yml
# ------以下是docker-compose.yml修改后的内容------
version: '2'
services:
log:
image: vmware/harbor-log:v1.2.2
container_name: harbor-log
restart: always
volumes:
- /var/log/harbor/:/var/log/docker/:z
ports:
- 127.0.0.1:1514:514
networks:
- harbor
registry:
image: registry:2.4.1
container_name: registry
restart: always
volumes:
- /home/marion/harborregistry:/storage:z
- ./common/config/registry/:/etc/registry/:z
networks:
- harbor
environment:
- GODEBUG=netdns=cgo
command:
["serve", "/etc/registry/config.yml"]
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "registry"
mysql:
image: vmware/harbor-db:v1.2.2
container_name: harbor-db
restart: always
volumes:
- /data/database:/var/lib/mysql:z
networks:
- harbor
env_file:
- ./common/config/db/env
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "mysql"
adminserver:
image: vmware/harbor-adminserver:v1.2.2
container_name: harbor-adminserver
env_file:
- ./common/config/adminserver/env
restart: always
volumes:
- /data/config/:/etc/adminserver/config/:z
- /data/secretkey:/etc/adminserver/key:z
- /data/:/data/:z
networks:
- harbor
depends_on:
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "adminserver"
ui:
image: vmware/harbor-ui:v1.2.2
container_name: harbor-ui
env_file:
- ./common/config/ui/env
restart: always
volumes:
- ./common/config/ui/app.conf:/etc/ui/app.conf:z
- ./common/config/ui/private_key.pem:/etc/ui/private_key.pem:z
- /data/secretkey:/etc/ui/key:z
- /data/ca_download/:/etc/ui/ca/:z
- /data/psc/:/etc/ui/token/:z
networks:
- harbor
depends_on:
- log
- adminserver
- registry
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "ui"
jobservice:
image: vmware/harbor-jobservice:v1.2.2
container_name: harbor-jobservice
env_file:
- ./common/config/jobservice/env
restart: always
volumes:
- /data/job_logs:/var/log/jobs:z
- ./common/config/jobservice/app.conf:/etc/jobservice/app.conf:z
- /data/secretkey:/etc/jobservice/key:z
networks:
- harbor
depends_on:
- ui
- adminserver
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "jobservice"
proxy:
image: vmware/nginx-photon:1.11.13
container_name: nginx
restart: always
volumes:
- ./common/config/nginx:/etc/nginx:z
networks:
- harbor
ports:
- 80:80
- 443:443
- 4443:4443
depends_on:
- mysql
- registry
- ui
- log
logging:
driver: "syslog"
options:
syslog-address: "tcp://127.0.0.1:1514"
tag: "proxy"
networks:
harbor:
external: false
4.3.4.3 仓库根目录配置文件
这个文件可以看到容器中镜像存储的根目录,根据此可以把其共享到docker host
version: 0.1
log:
level: debug
fields:
service: registry
storage:
cache:
layerinfo: inmemory
filesystem:
rootdirectory: /storage
maintenance:
uploadpurging:
enabled: false
delete:
enabled: true
http:
addr: :5000
secret: placeholder
debug:
addr: localhost:5001
auth:
token:
issuer: harbor-token-issuer
realm: https://www.proharbor.com/service/token
rootcertbundle: /etc/registry/root.crt
service: harbor-registry
notifications:
endpoints:
- name: harbor
disabled: false
url: http://ui/service/notifications
timeout: 3000ms
threshold: 5
backoff: 1s
4.3.5 安装harbor以及notary,clair
cd /home/marion/docker/harbor/
sudo ./install.sh --with-notary --with-clair
#关闭harbor所有的容器(必须在含有docker-compose.yml文件的目录下执行)
docker-compose -f ./docker-compose.yml -f ./docker-compose.notary.yml -f ./docker-compose.clair.yml down -v
#启动harbor相关的所有容器(必须在含有docker-compose.yml文件的目录下执行)
docker-compose -f ./docker-compose.yml -f ./docker-compose.notary.yml -f ./docker-compose.clair.yml up -d
4.3.6 验证查看
- 打开浏览器,输入https://www.proharbor.com
- 用户名/密码:admin/Harbor12345(默认的)
- 打开终端: docker login www.proharbor.com ,admin/Harbor12345
4.3.7 查看日志
#日志路径各不相同,具体路径根据docker-compose.yml或者*/harbor/common/目录下的配置文件进行确定
cd /var/log/harbor
docker logs 容器功能名称
4.3.8 push/pull
#push
root@dockermaster:/home/marion/docker/harbor# docker tag redis www.proharbor.com/harborssl/redis:dev
root@dockermaster:/home/marion/docker/harbor# docker push www.proharbor.com/harborssl/redis:dev
The push refers to a repository [www.proharbor.com/harborssl/redis]
d112bb627859: Pushed
265ab1ac61ec: Pushed
2341e66d779d: Pushed
9503917b6420: Pushed
aa84bbcc6553: Pushed
29d71372a492: Pushed
dev: digest: sha256:b707a0c39062f1769c8e16069015e1ba839add849deb441428fc0c1deee67c36 size: 1571
#pull
root@dockermaster:/home/marion/docker/harbor# docker pull www.proharbor.com/harborssl/redis:dev
dev: Pulling from harborssl/redis
Digest: sha256:b707a0c39062f1769c8e16069015e1ba839add849deb441428fc0c1deee67c36
Status: Downloaded newer image for www.proharbor.com/harborssl/redis:dev
4.3.9 harbor参考链接
- harbor project
- vmware harbor
- harbor安装指南
- harbor用户指南
- https访问harbor
- docker-compse命令行参考
五、Docker网络
docker在安装的时候就会配置一个docker0的linux bridge的方式,在不使用 --network时, 这也是docker默认使用的方式。docker有三种常见的网络模式,分别是none,bridge,host
➜ ~ docker network ls
NETWORK ID NAME DRIVER SCOPE
3ea8a3ad1a61 bridge bridge local
9043e76f315a host host local
eba2113c67eb none null local
5.1、docker network command
➜ ~ docker network --help
Usage: docker network COMMAND
Manage networks
Options:
--help Print usage
Commands:
connect 把一个容器连接到网络
create 创建一个网络
disconnect 从网络中中断容器的连接
inspect 在一个或多个网络上显示详细信息
ls 列出网络
prune 移除所有未使用的网络
rm 移除一个或多个网络
5.2、docker none network
➜ ~ docker run -it --network=none busybox
/ # ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
/ #
5.3、docker host network
host网络模式,其实就是借用的docker host上的网卡信息
➜ ~ docker run -it --network=host busybox
/ # ifconfig
docker0 Link encap:Ethernet HWaddr 02:42:D7:FD:FF:0D
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:d7ff:fefd:ff0d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:119 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:13785 (13.4 KiB)
...
docker network网络的优缺点:
- 好处
- docker host网络的性能比较好
- docker host网络传输效率高
- 缺点
- docker host的主机上使用的端口,容器不能继续使用
5.4、docker bridge network
brctl show 将会显示docker0上的网络设备,如果有容器运行的是bridge的网络模式,就会把虚拟网卡挂在docker0上,这里应该注意的是:容器内的虚拟网卡与docker0上挂的虚拟网卡是成对存在的pair,
5.4.1 安装brctl工具
apt-get install bridge-utils -y
5.4.2查看容器的网络地址
➜ ~ docker run -it --network=bridge busybox
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:03
inet addr:172.17.0.3 Bcast:0.0.0.0 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1459 (1.4 KiB) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
5.5 docker网络模式之用户自定义网络
docker提供三种自定义的网络驱动
- bridge
- overlay :此次不share
- macvlan :此次不share
5.5.1 创建自定义bridge网络
docker network create --driver bridge bridge1
brctl show
docker network create --driver bridge --subnet 172.17.16.0/24 --dateway 172.17.16.1 bridge2
docker run -it --network=bridge2 busybox
----ifconfig
docker run -it --network=bridge2 --ip=172.17.16.3 busybox
5.6、docker容器之间的互联互通
docker容器之间的互联互通基于三种模式:IP,Docker DNS,joined
5.6.1 基于IP方式的互联互通
docker run -it --network=bridge2 --ip=172.17.16.4 busybox
docker run -it --network=bridge2 --ip=172.17.16.5 busybox
ping -c 3 172.17.16.4(from 172.17.16.5)
5.6.2 基于Docker DNS之间的互联互通
注意:docker dns只能使用在用户自定的网络模式下运行的容器
docker run -it --network=bridge2 --name=busyboxone busybox
docker run -it --network=bridge2 --name=busyboxtwo busybox
ping -c 3 busyboxone(form busyboxtwo)
5.6.3 基于join方式的互联互通
仔细观察此种模式下的网络配置信息完全一样,是通过127.0.0.1进行通信
docker run -it --name web1 httpd
docker run -it --network=container:web1 httpd
5.7 docker容器与外部是如何进行互相访问的
5.7.1 docker容器访问外部
docker默认的网络是bridge网络,因此只要docker host可以连接互联网,那么容器就是可以联网的,但是容器访问外部网络的过程是如何实现的呢? 容器在向外部发送请求时,docker在NAT上将容器的源地址改为了docker host的地址,因此访问外部的源地址就变成了docker host的地址
ip r
iptables -t NAT -S
tcpdump -i docker0 -n icmp
tcpdump -i ens33 -n icmp
5.7.2 外部是如何访问docker容器的
容器为了响应外部的访问请求,把容器自己的内部端口暴露给docker host,于是和docker host进行了 端口之间的映射,外部进行访问容器就会变成访问docker host上的一个端口,当docker-proxy进行发现有访问docker host上的容器映射的端口时,就会自动转发给容器,这就是外部访问容器的一个过程;
六、Docker存储
docker存储驱动storage driver(优先使用linux默认的storage driver,因为比较稳定)
- ubuntu:aufs,/var/lib/docker/aufs
- redhat/centos:device mapper
- suse:btrfs
6.1 docker data mount
格式:-v <host_path>:<container_path> #指定docker host路径与container的路径
docker run -d -p 7001:80 -v /root/htdocs:/usr/local/apache2/htdocs httpd
docker run -d -p 7001:80 -v /root/htdocs:/usr/local/apache2/htdocs:ro httpd #(ro)表示只读
# 类似于selinux这类标签系统,可以在volume挂载时使用z或Z指定该volume是否可以共享,默认为z即为共享
此类型挂载数据是比较方便备份和迁移数据,但是对于容器的迁移是比较麻烦的
6.2 docker managed volume
docker run -d -p 7002:80 -v /usr/local/apache2/htdocs --name web1 httpd #只指定container path
docker inspect web1 #查找Source
docker volume ls
docker volume inspect VOLUME_NAME
6.3 docker data mount与docker managed volume对比
类型
docker_data_mount
docker_managed_volume
volume location
anywhere
/var/lib/docker/volumes/...
如果存在挂载点
隐藏并替换为volume
原有数据复制到volume
是否支持单文件挂载
yes
no(must dir)
privileges
read-only & read-write
read_write
移植性
弱,需要指定host path
强,不需指定host目录
6.4 volume container共享数据
docker create --name vc_data -v /root/htdocs:/usr/local/apache2/htdocs -v /var/www/html busybox
docker run -d -p 7006:80 --name web1 --volume-from vc_data httpd
6.5 数据卷的生命周期管理
6.5.1 备份
docker registry挂载的卷是本地的文件系统,因此针对文件系统备份就可以
6.5.2 恢复
使用备份的文件拷贝到docker registry挂载的本地文件系统中就可以
6.5.3 更新
registry version迁移数据
- docker stop CONTAINER:registry
- 启用新的registry并mount原始的挂载文件系统
6.5.4 销毁
docker rm #删除容器
docker rm -v # 删除容器以及容器使用的volume
docker volume ls
docker volume rm
docker volume rm $(docker volume ls -q) |
|
QQ群⑧:
窥视卡
雷达卡
发表于 2018-5-26 14:18:49
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡