|
|
|
VIII docker
docker:
介绍;
镜像管理;
容器管理;
网络访问;
数据管理;
镜像构建;
私有仓库;
核心技术;
生产实践;
生态圈;
一、概念:
https://www.docker.com/
Docker is the world’s leading software containerization platform.(build,ship,run)
docker is an open platform for building,shipping and running distributed applications. it gives programmers,development teams and operations engineers the common toolbox they need to take advantage of the distributed and networked nature of modern applications.
Docker是个划时代的开源项目,它彻底释放了计算虚拟化的威力,极大提高了应用的运行效率,降低了云计算资源供应的成本,使用 Docker,可以让应用的部署、测试和分发都变得前所未有的高效和轻松;无论是应用开发者、运维人员、还是其他信息技术从业人员,都有必要认识和掌握Docker,以在有限的时间内做更多有意义的事;
docker用go语言编写,http2.0,在linuxx86_64环境下运行,LXC;
LXC,Linux Container,可以提供轻量级的虚拟化,以便隔离进程和资源,而且不需要提供指令解释机制以及全虚拟化的其他复杂性,相当于C++中的NameSpace,容器有效地将由单个操作系统管理的资源划分到孤立的组中,以更好地在孤立的组之间平衡有冲突的资源使用需求,与传统虚拟化技术相比,它的优势在于:与宿主机使用同一个内核,性能损耗小;不需要指令级模拟;不需要即时(Just-in-time)编译;容器可以在CPU核心的本地运行指令,不需要任何专门的解释机制;避免了准虚拟化和系统调用替换中的复杂性;轻量级隔离,在隔离的同时还提供共享机制,以实现容器与宿主机的资源共享;
Linux Container是一种轻量级的虚拟化的手段;
Linux Container提供了在单一可控主机节点上支持多个相互隔离的server container同时执行的机制,Linux Container有点像chroot,提供了一个拥有自己进程和网络空间的虚拟环境,但又有别于虚拟机,因为lxc是一种操作系统层次上的资源的虚拟化;
Sourceforge上有LXC这个开源项目,LXC项目本身只是一个为用户提供一个用户空间的工具集,用来使用和管理LXC容器,LXC真正的实现则是靠Linux内核的相关特性,LXC项目只是对此做了整合,基于容器的虚拟化技术起源于所谓的资源容器和安全容器;
LXC在资源管理方面依赖于Linux内核的cgroups子系统,cgroups子系统是Linux内核提供的一个基于进程组的资源管理的框架,可以为特定的进程组限定可以使用的资源,LXC在隔离控制方面依赖于Linux内核的namespace特性,具体而言就是在clone时加入相应的flag(NEWNS NEWPID等等);
#lxc-checkconfig,该命令用于判断linux内核是否支持LXC;
containers VS VMs:
VMs(each virtual machine includes the application,the necessary binaries and libraries and an entire guest operating system, all of which may be tens of GBs in size.);
containers(containers include the application and all of its dependencies,but share the kernel with other containers. they run as an isolated process in userspace on the host operating system. they are also not tied to any specific infrastructure, docker containers run on any computer,on any infrastructure and in any cloud.);
虚拟化技术已经改变了现代计算方式,它能够提升系统资源使用效率、消除应用程序和底层硬件之间的依赖关系,同时加强负载的可以移植性和安全性,但是hypervisor和虚拟机只是部署虚拟负载的方式之一,作为一种能够替代传统虚拟化技术的解决方案,容器虚拟化技术凭借其高效性和可靠性得到了快速发展,它能够提供新的特性,并且帮助数据中心专家解决新的顾虑,容器和虚拟机之间的主要区别在于虚拟化层的位置和操作系统资源的使用方式:
虚拟机依赖于hypervisor,其通常被安装在“裸金属”系统硬件之上,这导致hypervisor在某些方面被认为是一种操作系统,一旦 hypervisor安装完成,就可以从系统可用计算资源当中分配虚拟机实例了,每台虚拟机都能够获得唯一的操作系统和负载(应用程序);通常,第一台虚拟机都将会被用来运行系统管理程序,比如Microsoft System Center,而之后的虚拟机可能包含其他企业负载,比如数据库、ERP、CRM、邮件服务器、媒体服务器、web服务器或者其他业务应用;虚拟机之间是完全隔离的,没有任何一台虚拟机知道(或者依赖)相同系统当中的另外一台虚拟机的存在,恶意软件、应用程序崩溃和其他问题只能影响一台虚拟机,虚拟机从一个虚拟系统被移动到另外一个当中,而不用考虑系统硬件和操作系统等因素;
而容器环境的工作方式则有所不同,对于容器环境来说,需要首先安装主机操作系统,之后将容器层(比如LXC或libcontainer)安装在主机操作系统(通常是Linux变种)之上,在安装完容器层之后,就可以从系统可用计算资源当中分配容器实例了,并且企业应用可以被部署在容器当中,但是,每个容器化应用都会共享相同的操作系统(单个主机操作系统);相比于虚拟机,容器拥有更高的资源使用效率,因为它并不需要为每个应用分配单独的操作系统,实例规模更小、创建和迁移速度也更快,这意味相比于虚拟机,单个操作系统能够承载更多的容器,云提供商十分热衷于容器技术,因为在相同的硬件设备当中,可以部署数量更多的容器实例,然而,单个操作系统有可能引起影响所有相关实例的单点事故,比如,恶意软件或者主机操作系统崩溃可能禁用或者影响所有容器,此外,容器易于迁移,但是只能被迁移到具有兼容操作系统内核的其他服务器当中,这样会无形中减少迁移选择;
从实际应用的角度来说,容器和虚拟机可以在同一个数据中心当中共存,因此这两种技术被认为是互补的,为现代应用程序架构师和数据中心管理员添加了可用工具集,通过不同的方式为应用负载提供支持;
docker组成:docker client、docker server;
docker的整个生命周期(docer组件):image镜像、container容器、repository仓库;
注:
运行中的镜像称为容器;
docker的image可与openstack的image比对,一个image就是一个完整的OS,docker的image是只读的,启动container时在read only的image之上加了一层writable层;
container可与kvm的VM比对,docker使用container运行应用,各container也是隔离的,kvm是用VM运行应用;
repository是集中存放image文件的地方,可与openstack的glance比对,可将docker的repository理解为github(dockerhub)、git-pull(docker-pull);
docker改变了产品交付的方式,很多开源软件都有docker镜像(早期很多开源软件有VM镜像),下载下来直接运行,省去了复杂的部署;不要把docker容器当作VM镜像来管理,不建议启用ssh;docker更适合跑微服务;
docker的所有文件在/var/lib/docker/下,containers/存放容器,graph/存放镜像;
docker资源隔离,使用LXC,具体是kernel中的namespace(pid;net;ipc;mnt;uts;user);
docker资源限制,cgroups(controlgroups)是Linux内核提供的一种可以限制、记录、隔离进程组(process groups)所使用的物理资源(如:cpu,memory,IO等等)的机制,最初由google的工程师提出,后来被整合进Linux内核,Cgroups也是LXC为实现虚拟化所使用的资源管理手段,可以说没有cgroups就没有LXC;
docker VS openstack:
类别
| docker(PAAS)
| openstack(IAAS)
| 部署难度
| 非常简单
| 组件多,部署复杂
| 启动速度
| s级
| min级
| 执行性能
| 和物理系统几乎一致
| VM会占用一些资源(占系统资源的6-8%)
| 镜像体积
| MB级
| GB级
| 管理效率
| 管理简单
| 组件相互依赖,管理复杂
| 隔离性
| 隔离性高
| 彻底隔离
| 可管理性
| 单进程,不建议启动sshd
| 完整的系统管理
| 网络连接
| 比较弱
| 借助neutron可灵活组件各类网络架构
|
docker使用场景:
simplifying configuration;
developer productivity;
server consolidation;
multi tenancy;
code pipeline management;
app isolation;
debugging capabilities;
rapid deployment;
注:
面对产品;
面对开发;
面对测试(多版本测试);
面对运维;
面对自动化(扩容);
面对微服务;
面对大规模的分布式架构(微信红包);
二、操作:
[root@test6 ~]# uname -rm
2.6.32-431.el6.x86_64 x86_64
[root@test6 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.5(Santiago)
[root@test6 ~]# yum update #(#yum -y install kernel*,Docker requires a 64-bit OS and version 3.10 or higher of the Linuxkernel.若在centos7或rhel7上安装要求内核版本至少为3.10以上)
[root@test6 ~]# yum -y install docker-io
……
Installed:
docker-io.x86_64 0:1.7.1-2.el6
Dependency Installed:
libcgroup.x86_64 0:0.40.rc1-18.el6_8 lua-alt-getopt.noarch 0:0.7.0-1.el6 lua-filesystem.x86_64 0:1.4.2-1.el6
lua-lxc.x86_64 0:1.0.9-1.el6 lxc.x86_64 0:1.0.9-1.el6 lxc-libs.x86_64 0:1.0.9-1.el6
Complete!
[root@test6 ~]# /etc/init.d/docker start
Starting cgconfig service: [ OK ]
Starting docker: [ OK ]
[root@test6 ~]# /etc/init.d/docker restart
Stopping docker: [FAILED]
Starting docker: [ OK ]
[root@test6 ~]# ps aux | grep docker
root 42806 0.1 1.5 227004 15948 pts/0 Sl 20:19 0:00 /usr/bin/docker -d
root 42875 0.0 0.0 103316 840 pts/0 S+ 20:22 0:00 grep docker
#docker -v #(-v, --version=false,Print version information and quit)
#docker version #(Show the Docker version information,查看docker的版本号,包括客户端、服务端、依赖的Go等)
#docker info #(Display system-wide information,查看系统(docker)层面信息,包括管理的images, containers数等)
# docker search [OPTIONS] TERM #(Search for an image on the Docker Hub,搜索镜像)
# docker pull [OPTIONS] NAME[:TAG|@DIGEST] #(Pull an image or a repository from a Docker registry server,获取镜像)
# docker images [OPTIONS] [REPOSITORY] #(List images查看镜像;
-a, --all=false,Show all images (default hides intermediate images)列出所有images包含历史隐藏的)
# docker rmi [OPTIONS] IMAGE [IMAGE...] #(Remove one or more images删除镜像)
# docker run [OPTIONS] IMAGE [COMMAND][ARG...] #(Run a command in a new container,#docker run --help;
-h, --hostname=,Containerhost name;
--name=,Assign a name to the container;
-i, --interactive=false,Keep STDIN open even if not attached;
-t, --tty=false,Allocate apseudo-TTY;
-d, --detach=false,Run container in background and print container ID;
--restart=no,Restart policy to apply when a container exits;
-P, --publish-all=false,Publish all exposed ports to random ports,随机映射;
-p, --publish=[],Publish a container's port(s) to the host,映射HOST端口到容器,方便外部访问容器内服务,host_port可以省略,省略表示把container_port映射到一个动态端口;
-v, --volume=[],Bind mount avolume;
--volumes-from=[],Mount volumes from the specified container(s);
-c, --cpu-shares=0,CPU shares(relative weight);
--cpuset-cpus=,CPUs in which to allow execution (0-3, 0,1);
-m, --memory=,Memory limit;
--rm=false,Automatically remove the container when it exits)
注(-P随机映射;-p指定映射):
-P #(随机映射)
-p hostPort:containerPort
-p ip:hostPort:containerPort #(多IP时使用指定的IP)
-p ip::containerPort #(多IP时使用指定的IP)
-p hostPort:containerPort -p hostPort:containerPort
#docker ps [OPTIONS] #(List containers;
-a, --all=false,Show all containers (default shows just running);
-l, --latest=false,Show the latest created container, include non-running;
-q, --quiet=false,Only display numeric IDs,仅列出正在运行的容器的CONTAINER ID)
#docker port [OPTIONS] CONTAINER[PRIVATE_PORT[/PROTO]] #(Lookup the public-facing port that is NAT-ed to PRIVATE_PORT,查看本地哪个Port映射到container的指定port,用#docker ps也可看到)
例:
#docker port CONTAINER_ID CONTAINER_PORT
注:端口映射是docker比较重要的一个功能,原因在于我们每次运行容器的时候容器的IP地址不能指定而是在桥接网卡的地址范围内随机生成的,宿主机的IP地址是固定的,我们可以将容器的端口的映射到宿主机器上的一个端口,免去每次访问容器中的某个服务时都要查看容器的IP的地址,对于一个运行的容器,可以使用docker port加上容器中需要映射的端口和容器的ID来查看该端口号在宿主机器上的映射端口;
#docker start|stop|restart [OPTIONS] CONTAINER [CONTAINER...] #(Start a stopped container;Stop a running container;Restart a running container)
#docker stats [OPTIONS] CONTAINER [CONTAINER...] #(Display a stream of a containers' resource usage statistics,查看指定容器资源使用状态信息)
#docker rm [OPTIONS] CONTAINER [CONTAINER...] #(Remove one or more containers)
#docker rm `docker ps -a -q` #(同#docker ps -a -q | xargs docker rm,删除所有容器)
#docker exec [OPTIONS] CONTAINER COMMAND [ARG...] #(Run a command in a running container,进入正在运行的容器)
[root@test6 ~]# which nsenter #(此命令在util-Linux包里,使用此命令可访问指定进程的namespace)
/usr/bin/nsenter
#man nsenter
-t, --target pid,Specify a target process to get contexts from.;
-m, --mount[=file],Enter the mount namespace.If no file is specified, enter the mount namespace of the target process. If file is specified, enter the mount namespace specified by file.;
-u, --uts[=file],Enter the UTS namespace. If no file is specified,enter the UTS namespace of the target process. If file is specified, enter the UTS namespace specified by file.;
-i, --ipc[=file],Enter the IPC namespace. If no file is specified,enter the IPC namespace of the target process. If file is specified, enter the IPC namespace specified by file.;
-n, --net[=file],Enter the network namespace. If no file is specified, enter the network namespace of the target process. If file is specified, enter the network namespace specified by file.;
-p, --pid[=file],Enter the PID namespace. If no file is specified, enter the PID namespace of the target process. If file is specified,enter the PID namespace specified by file.)
#docker inspect [OPTIONS] CONTAINER|IMAGE [CONTAINER|IMAGE...] #(Return low-level information on a container or image;
-f, --format=,Format the output using the given go template)
生产中进入容器的方法:
方一:
#docker inspect --format "``.`State`.`Pid `" nginx_test1 #(获取容器pid)
#nsenter --target <PID> --mount --uts --ipc --net --pid
方二:
https://github.com/yeasy/docker_practice/archive/v0.8.tar.gz
https://github.com/yeasy/docker_practice/blob/master/_local/.bashrc_docker #(复制此文件的代码到/root/.bashrc里)
[root@test6 ~]# echo "[ -f ~/.bashrc_docker ] && . ~/.bashrc_docker" >> ~/.bashrc ; source ~/.bashrc
#docker-pid CONTAINER_ID
#docker-ip CONTAINER_ID
#docker-enter CONTAINER_ID COMMAND
将运行中的容器生成新的镜像:
#docker commit [OPTIONS] CONTAINER [REPOSITORY[:TAG]] #(Create a new image from a container's changes;
-m, --message=,Commit message)
持久化容器:
#docker export [OPTIONS] CONTAINER #(Stream the contents of a container as a tar archive;
-o, --output=,Write to a file,instead of STDOUT)
例:
#docker export CONTAINER_ID >/tmp/export.tar
#cat /tmp/export.tar | docker import -export:lastest #(导入持久化容器)
持久化镜像:
#docker save [OPTIONS] IMAGE [IMAGE...] #(Save an image to a tar archive;
-o, --output=,Write to an file,instead of STDOUT)
例:
#docker save IMAGE_ID > /tmp/save.tar
#docker load < /tmp/save.tar #(导入持久化镜像)
给image打tag:
#docker tag [OPTIONS] IMAGE[:TAG] [REGISTRYHOST/] [USERNAME/]NAME[:TAG] #(Tag an image into a repository)
例:
#docker tag CONTAINER_ID load:tag
注:export&import与save&load的区别:
导出后再导入(export&import)的容器会丢失所有的历史,而保存后再加载(save-load)的镜像没有丢失历史和层(layer),这意味着使用导出后再导入的方式,你将无法回滚到之前的层(layer),同时,使用保存后再加载的方式持久化整个镜像,就可以做到层回滚,(可以执行docker tag 来回滚之前的层);
#docker build [OPTIONS] PATH | URL | - #(Build an image from a Dockerfile;
-t, --tag=,Repository name (and optionally a tag) for the image;
#docker logs [OPTIONS] CONTAINER #(Fetch the logs of a container,查看docker实例运行日志)
[root@test6 ~]# docker -v
Docker version 1.7.1, build 786b29d/1.7.1
[root@test6 ~]# docker version
Client version: 1.7.1
Client API version: 1.19
Go version (client): go1.4.2
Git commit (client): 786b29d/1.7.1
OS/Arch (client): linux/amd64
Server version: 1.7.1
Server API version: 1.19
Go version (server): go1.4.2
Git commit (server): 786b29d/1.7.1
OS/Arch (server): linux/amd64
[root@test6 ~]# docker info
Containers: 2
Images: 4
Storage Driver: devicemapper
PoolName: docker-8:2-807654-pool
PoolBlocksize: 65.54 kB
Backing Filesystem: extfs
Datafile: /dev/loop0
Metadata file: /dev/loop1
DataSpace Used: 580.1 MB
DataSpace Total: 107.4 GB
DataSpace Available: 5.508 GB
Metadata Space Used: 1.044 MB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.146 GB
UdevSync Supported: true
Deferred Removal Enabled: false
Dataloop file: /var/lib/docker/devicemapper/devicemapper/data
Metadata loop file:/var/lib/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.117-RHEL6 (2016-08-15)
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 2.6.32-431.el6.x86_64
Operating System: <unknown>
CPUs: 1
Total Memory: 980.9 MiB
Name: test6
ID:MTK4:OGCH:THXB:BD6H:KEUT:BJQV:JQ52:7JCE:ODY7:U4EH:PPD5:TMBL
[root@test6 ~]# docker search centos #(Search foran image on the Docker Hub)
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
centos The officialbuild of CentOS. 3005 [OK]
jdeathe/centos-ssh CentOS-6 6.8 x86_64 /CentOS-7 7.3.1611 x8... 56 [OK]
……
[root@test6 ~]# docker pull centos #(Pull an image or arepository from a Docker registry server;默认下载的lastest最近版本centos7,若下6系列使用#dockerpull centos:6)
latest: Pulling from centos
3690474eb5b4: Pull complete
0a444b299d5a: Pull complete
a04895de1996: Pull complete
d4350798c2ee: Pull complete
Digest:sha256:6e45de12a92ce6fcc0e3d0ffca8000833675f96679b3f1ecf71485c339826f27
Status: Downloaded newer image forcentos:latest
[root@test6 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
centos latest d4350798c2ee 4 weeks ago 191.8 MB
[root@test6 ~]# docker run centos /bin/echo "hello world"
hello world
[root@test6 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c4587c56489f centos "/bin/echo 'hello wo 12 seconds ago Exited (0)10 seconds ago mad_thompson
[root@test6 ~]# docker run --name docker_test1 -it centos /bin/bash #(执行后会返回CONTAINER ID;docker只能运行已指定的一个应用程序,如echo "hello world",/bin/bash,当指定的这个应用退出,docker容器也退出)
[root@a77ba5f5a63d/]# ls
anaconda-post.log dev home lib64 media opt root sbin sys usr
bin etc lib lost+found mnt proc run srv tmp var
[root@a77ba5f5a63d /]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@a77ba5f5a63d /]# exit
exit
[root@test6 ~]# docker ps -l #(在另一终端执行)
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a77ba5f5a63d centos "/bin/bash" About a minute ago Up About aminute docker_test1
[root@test6 ~]# docker ps -a #(在另一终端执行)
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a77ba5f5a63d centos "/bin/bash" About a minute ago Up About aminute docker_test1
c4587c56489f centos "/bin/echo 'hello wo 5 minutes ago Exited(0) 5 minutes ago mad_thompson
[root@test6 ~]# docker ps -l #(在执行exit后,查看状态为Exited)
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a77ba5f5a63d centos "/bin/bash" 14 minutes ago Exited(127) 5 seconds ago docker_test1
[root@test6 ~]# docker rm a77ba5f5a63d
a77ba5f5a63d
[root@test6 ~]# docker rm c4587c56489f
c4587c56489f
[root@test6 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@test6 ~]# docker run -d --name nginx_test1 nginx #(没有此镜像会自动去pull下载)
Unable to find image 'nginx:latest' locally
latest: Pulling from nginx
32734c6d04f6: Pull complete
1849b6667515: Pull complete
dd624ca8e781: Pull complete
9fc8fc300550: Pull complete
590494f17750: Pull complete
943e2fd86162: Pull complete
cd021197146a: Pull complete
93c50d378b4b: Pull complete
Digest:sha256:2b942f7dd01a57ceeb5985a0472a2f92735eb81a910dec70c2183c61fc54298c
Status: Downloaded newer image fornginx:latest
4dea114ceeb09f3f1c00faf3008bffa1ae434a0a17c3dbf79dbc767565c8cdec
[root@test6 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
nginx latest 93c50d378b4b 2 weeks ago 181.6 MB
centos latest d4350798c2ee 4 weeks ago 191.8 MB
[root@test6 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4dea114ceeb0 nginx "nginx -g 'daemon of 10 minutes ago Up 10minutes 80/tcp, 443/tcp nginx_test1
[root@test6 ~]# docker exec -it 4dea114ceeb0 /bin/bash
root@4dea114ceeb0:/#ps aux | grep nginx
root 1 0.0 0.3 31708 3056 ? Ss 06:34 0:00 nginx: master process nginx -g daemon off;
nginx 6 0.0 0.1 32100 1672 ? S 06:34 0:00 nginx: worker process
root 13 0.0 0.0 11068 816 ? S+ 07:27 0:00 grep nginx
root@4dea114ceeb0:/# exit
exit
[root@test6 ~]# docker inspect --format "` `.`State`.`Pid `" nginx_test1
44338
[root@test6 ~]# nsenter --target 44338 --mount --uts --ipc --net --pid
root@4dea114ceeb0:/# ps aux | grep nginx
root 1 0.0 0.3 31708 3056 ? Ss 06:34 0:00 nginx: master process nginx -g daemon off;
nginx 6 0.0 0.1 32100 1672 ? S 06:34 0:00 nginx: worker process
root 21 0.0 0.0 11068 856 ? S+ 07:59 0:00 grep nginx
root@4dea114ceeb0:/# exit
logout
[root@test6 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4dea114ceeb0 nginx "nginx -g 'daemon of About an hour ago Up About anhour 80/tcp, 443/tcp nginx_test1
[root@test6 ~]# vim in.sh
#!/bin/bash
#
CNAME=$1
CPID=`docker inspect --format "``.`State`.`Pid `" $1`
nsenter --target $CPID --mount --uts --ipc--net --pid
[root@test6 ~]# chmod +x in.sh
[root@test6 ~]# ./in.sh nginx_test1
root@4dea114ceeb0:/# exit
logout
docker网络访问:
[root@test6 ~]# ipaddr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0:<BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen1000
link/ether 00:0c:29:32:f4:98 brd ff:ff:ff:ff:ff:ff
inet 192.168.23.134/24 brd 192.168.23.255scope global eth0
inet6 fe80::20c:29ff:fe32:f498/64 scope link
valid_lft forever preferred_lft forever
3: docker0:<BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether 0a:ae:91:25:e7:a4 brd ff:ff:ff:ff:ff:ff
inet 172.17.42.1/16 scope global docker0
inet6 fe80::d489:24ff:fea9:122c/64 scope link
valid_lft forever preferred_lft forever
14: vethda6c685:<BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 0a:ae:91:25:e7:a4 brd ff:ff:ff:ff:ff:ff
inet6 fe80::8ae:91ff:fe25:e7a4/64 scope link
valid_lft forever preferred_lft forever
[root@test6 ~]# brctl show
bridge name bridgeid STP enabled interfaces
docker0 8000.0aae9125e7a4 no vethda6c685
[root@test6 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
[root@test6 ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain DOCKER (2 references)
target prot opt source destination
[root@test6 ~]# ./in.sh nginx_test1
root@4dea114ceeb0:/# ping baidu.com #(容器内可连网)
PING baidu.com (220.181.57.217): 56 databytes
64 bytes from 220.181.57.217: icmp_seq=0ttl=127 time=41.856 ms
64 bytes from 220.181.57.217: icmp_seq=1ttl=127 time=30.136 ms
64 bytes from 220.181.57.217: icmp_seq=2ttl=127 time=29.606 ms
64 bytes from 220.181.57.217: icmp_seq=3ttl=127 time=29.776 ms
^C--- baidu.com ping statistics ---
4 packets transmitted, 4 packets received,0% packet loss
round-trip min/avg/max/stddev =29.606/32.844/41.856/5.207 ms
root@4dea114ceeb0:/# ping 192.168.23.134 #(与宿主机互通)
PING 192.168.23.134 (192.168.23.134): 56data bytes
64 bytes from 192.168.23.134: icmp_seq=0ttl=64 time=0.854 ms
64 bytes from 192.168.23.134: icmp_seq=1ttl=64 time=0.110 ms
64 bytes from 192.168.23.134: icmp_seq=2ttl=64 time=0.110 ms
^C--- 192.168.23.134 ping statistics ---
3 packets transmitted, 3 packets received,0% packet loss
round-trip min/avg/max/stddev =0.110/0.358/0.854/0.351
root@4dea114ceeb0:/# ip addr #(运行容器的IP)
13: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP>mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:04 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.4/16 scope global eth0
inet6 fe80::42:acff:fe11:4/64 scope link
valid_lft forever preferred_lft forever
15: lo: <LOOPBACK,UP,LOWER_UP> mtu16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
root@4dea114ceeb0:/# ip route #(defautlgateway)
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.4
default via 172.17.42.1dev eth0
root@4dea114ceeb0:/# exit
logout
[root@test6 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4dea114ceeb0 nginx "nginx -g 'daemon of 2 hours ago Up 2hours 80/tcp, 443/tcp nginx_test1
[root@test6 ~]# docker stop 4dea114ceeb0
4dea114ceeb0
[root@test6 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4dea114ceeb0 nginx "nginx -g 'daemon of 2 hours ago Exited (0) 6 seconds ago nginx_test1
[root@test6 ~]# docker rm 4dea114ceeb0
4dea114ceeb0
[root@test6 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@test6 ~]# docker run -d -P --name nginx_test1 nginx #(随机映射,hostPort的32769对应containerPort的80,hostPort的32768对应containerPort的443)
833cb5b7bce5f4d8ccded7340c65013c3ed85beda5b0700a781bf562528a5a27
[root@test6 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
833cb5b7bce5 nginx "nginx -g 'daemon of 32 seconds ago Up 30seconds 0.0.0.0:32769->80/tcp,0.0.0.0:32768->443/tcp nginx_test1
http://192.168.23.134:32769/
[root@test6 ~]# docker run -d -p 91:80 --name nginx_test2 nginx #(指定映射,hostPort的91对应containerPort的80)
5fdad68fb9bd39220c59c6dbc2138523c93f43bf31be0574fa7e83a8ef8c4c71
[root@test6 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5fdad68fb9bd nginx "nginx -g 'daemon of 6 seconds ago Up 5seconds 443/tcp,0.0.0.0:91->80/tcp nginx_test2
http://192.168.23.134:91/
docker数据管理:
1、数据卷:
-v /data
-v SRC:DST[:ro] #(SRC为docker容器里的路径,DST为本地宿主机的路径;冒号两边的路径最后不能有斜线)
2、数据卷容器:
--volumes-from
[root@test6 ~]# docker run -h test1 --name volume_test1 -it -v /data centos
[root@test1 /]#ls /data
[root@test6 ~]# cd /var/lib/docker/volumes/959e95494ed729723d96dc6a2096db1ee821faf98e57e2a1ec05c0a60a0bad5b/_data/
[root@test6 _data]# touch test.txt
[root@test1 /]# ls /data #(宿主机的/var/lib/docker/volumes/959e95494ed729723d96dc6a2096db1ee821faf98e57e2a1ec05c0a60a0bad5b/_data/这个路径和容器中的/data是相通的;docker1.6版本需要映射才能看到#dockerinspect --format ` `.`Volumes ` volume_test1 map[/data:/var/lib/docker/volumes/959e95494ed729723d96dc6a2096db1ee821faf98e57e2a1ec05c0a60a0bad5b/_data])
test.txt
[root@test6 ~]# ls /opt
logstash rh
[root@test6 ~]# docker run -h test2 --name volume_test2 -it -v /opt:/opt centos #(记录日志是docker的短板,可通过此种方式把日志写到物理机路径下,在物理机上启动logstash收集)
[root@test2/]# ls /opt
logstash rh
[root@test6 ~]# docker run -h test3 --name volume_test3 -it --volumes-from volume_test1 centos #(将volume_test1的数据卷挂在新建的容器volume_test3上)
[root@test3/]# ls /data
test.txt
[root@test6 ~]# docker rm `docker ps -a -q` #(在每个容器中exit后,,确保是Exited状态再执行此命令)
fe948e794102
cb820a099163
3e420d4f20bc
[root@test6 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
docker镜像构建(手动构建;dockerfile自动构建):
手动构建:
[root@test6 ~]# docker pull centos:6
6: Pulling from centos
c40f84131ae5: Pull complete
c3bd2182e0b9: Pull complete
10611b26a8b9: Pull complete
10611b26a8b9: Pulling fs layer
Digest: sha256:916364e13ac5f217ee9bbcef060960797834551fd7b8a332145dcb715c4a6196
Status: Downloaded newer image for centos:6
[root@test6 ~]# docker run -h test1 --name nginx_module -itd centos:6
f968454b222cf2b10aa5402ad566dcd76ec4c881814393b10f8c6e7dbb8ff30d
[root@test6 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f968454b222c centos:6 "/bin/bash" 57 seconds ago Up 56 seconds nginx_module
[root@test6 ~]# docker- #(有~/.bashrc_docker)
docker-enter docker-ip docker-pid
[root@test6 ~]# docker-ip nginx_module
172.17.0.6
[root@test6 ~]# docker-pid nginx_module
4284
[root@test6 ~]# docker-enter nginx_module
[root@test1 ~]# cat /etc/redhat-release
CentOS release 6.8 (Final)
[root@test1~]# ll /etc/yum.repos.d
total 24
-rw-r--r--. 1 root root 1991 May 18 2016 CentOS-Base.repo
-rw-r--r--. 1 root root 647 May 18 2016 CentOS-Debuginfo.repo
-rw-r--r--. 1 root root 630 May 18 2016 CentOS-Media.repo
-rw-r--r--. 1 root root 6259 May 18 2016 CentOS-Vault.repo
-rw-r--r--. 1 root root 289 May 18 2016 CentOS-fasttrack.repo
[root@test1~]# yum -y groupinstall "Compatibility Libraries" "DevelopmentTools"
[root@test1 ~]# yum -y install wget gcc gcc-c++ make openssl-devel pcre-devel
[root@test1 ~]# wget -P /usr/local/srchttp://nginx.org/download/nginx-1.10.2.tar.gz
[root@test1 ~]# ll -h /usr/local/src
total 892K
-rw-r--r--. 1 root root 890K Oct 18 15:14nginx-1.10.2.tar.gz
[root@test1 ~]# groupadd -r -g 108 nginx
[root@test1 ~]# useradd -r -g 108 -u 108nginx
[root@test1 ~]# id nginx
uid=108(nginx) gid=108(nginx)groups=108(nginx)
[root@test1 ~]# cd /usr/local/src
[root@test1 src]# tar xf nginx-1.10.2.tar.gz
[root@test1 src]# cd nginx-1.10.2
[root@test1 nginx-1.10.2]# ./configure --prefix=/usr --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre
[root@test1 nginx-1.10.2]# make && make install
[root@test1 nginx-1.10.2]# vi /etc/init.d/nginx
[root@test1 nginx-1.10.2]# chmod +x !$
chmod +x /etc/init.d/nginx
[root@test1 nginx-1.10.2]# chkconfig --add nginx
[root@test1 nginx-1.10.2]# chkconfig nginx on
[root@test1 nginx-1.10.2]# chkconfig --list nginx
nginx 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@test1 ~]# vi /etc/nginx/nginx.conf #(daemon off;让nginx在前台运行,也可不用此项,最后在启动容器时加入指令/etc/init.d/nginx restart)
daemon off;
[root@test1 ~]# /etc/init.d/nginx start
Starting nginx:
[root@test6 ~]# docker commit -m "jowin's nginx" f968454b222c jowin/mynginx:V1
a1ede8b196b618fe7c40491ae3a807f043ee59eb0627c97a7b12e3cf3257064c
[root@test6 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
jowin/mynginx V1 a1ede8b196b6 43 seconds ago 869.4 MB
nginx latest 93c50d378b4b 2 weeks ago 181.6 MB
centos latest d4350798c2ee 4 weeks ago 191.8 MB
centos 6 10611b26a8b9 10 weeks ago 194.6 MB
[root@test6 ~]# docker run -h test2 --name nginx_test -d -p 92:80 jowin/mynginx:V1 /etc/init.d/nginx restart
8fdb3f664c08279fc65e64359e67c8be1bb28c9b989eb2f7242eae3240a98e34
[root@test6 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8fdb3f664c08 jowin/mynginx:V1 "/etc/init.d/nginx r 4 seconds ago Up 3 seconds 0.0.0.0:92->80/tcp nginx_test
f968454b222c centos:6 "/bin/bash" 49 minutes ago Up 49 minutes nginx_module
http://192.168.23.134:92/
dockerfile自动构建:
dockerfile文件里的命令:
FROM #(基础镜像信息,例FROM IMAGE_NAME[:TAG],无TAG表示latest最后修改版本)
MAINTAINER #(维护者信息,如MAINTAINER NAME)
RUN #(构建指令,RUN可运行被基础镜像支持的指令;在要运行的命令前加上RUN;如RUN COMMAND)
CMD #(设置指令,用于container启动时指定的操作,该操作可以是执行自定义脚本,也可执行系统命令;CMD定义的这条信息只能在dockerfile文件中执行一次,若有多条则执行最后一条;如CMD COMMAND PARAMETER1 [PARAMETER2])
ENTRYPOINT #(设置指令,指定容器启动时执行的命令,可以多次设置,但是只有最后一个有效,同CMD,ENTRYPOINT指定的是一个可执行的脚本或者程序的路径,该指定的脚本或者程序将会以param1和param2作为参数执行,所以如果CMD指令使用这种形式运行CMD ["param1","param2"],那么Dockerfile中必须要有配套的ENTRYPOINT;两种使用方式:一种是独自使用(当独自使用时,如果你还使用了CMD命令且CMD是一个完整的可执行的命令,那么CMD指令和ENTRYPOINT会互相覆盖只有最后一个CMD或者ENTRYPOINT有效),例如:
(1)
ENTRYPOINT ["executable","param1", "param2"] (like an exec, the preferred form)
ENTRYPOINT command param1 param2 (as ashell)
(2)
# CMD指令将不会被执行,只有ENTRYPOINT指令被执行
CMD echo “Hello, World!”
ENTRYPOINT ls -l
另一种是与CMD命令配合使用来指定ENTRYPOINT的默认参数,这时CMD指令不是一个完整的可执行命令,仅仅是参数的一部分;ENTRYPOINT指令只能使用JSON方式指定执行命令,而不能指定参数,例如:
CMD ["-l"]
ENTRYPOINT ["/usr/bin/ls"]
)
ADD #(构建指令,所有拷贝到container中的文件和文件夹权限为0755,uid和gid为0;如果是一个目录,那么会将该目录下的所有文件添加到container中,不包括目录;如果文件是可识别的压缩格式,则docker会帮忙解压缩(注意压缩格式);如果<src>是文件且<dst>中不使用斜杠结束,则会将<dst>视为文件,<src>的内容会写入<dst>;如果<src>是文件且<dst>中使用斜杠结束,则会<src>文件拷贝到<dst>目录下,<src>是相对被构建的源目录的相对路径,可以是文件或目录的路径,也可以是一个远程的文件url,<dst>是container中的绝对路径;copy文件,会自动解压;如ADD SRC DST)
WORKDIR #(设置指令,可以多次切换(相当于cd命令),对RUN、CMD、ENTRYPOINT生效;当前工作目录;如WORKDIR /PATH/TO/DIR)
VOLUME #(设置指令,使容器中的一个目录具有持久化存储数据的功能,该目录可以被容器本身使用,也可以共享给其他容器使用,我们知道容器使用的是AUFS,这种文件系统不能持久化数据,当容器关闭后,所有的更改都会丢失,当容器中的应用有持久化数据的需求时可以在Dockerfile中使用该指令;目录挂载;如VOLUME ["MOUNTPOINT"])
EXPOSE #(设置指令,该指令会将容器中的端口映射成宿主机器中的某个端口,当你需要访问容器的时候,可以不是用容器的IP地址而是使用宿主机器的IP地址和映射后的端口,要完成整个操作需要两个步骤,首先在Dockerfile使用EXPOSE设置需要映射的容器端口,然后在运行容器的时候指定-p选项加上EXPOSE设置的端口,这样EXPOSE设置的端口号会被随机映射成宿主机器中的一个端口号,也可以指定需要映射到宿主机器的那个端口,这时要确保宿主机器上的端口号没有被使用,EXPOSE指令可以一次设置多个端口号,相应的运行容器的时候,可以配套的多次使用-p选项;如EXPOSE PORT [PORT])
ENV #(构建指令,在镜像中设置环境变量,设置了后,后续的RUN命令都可以使用,container启动后,可以通过docker inspect查看这个环境变量,也可以通过在docker run --env key=value时设置或修改环境变量,假如你安装了JAVA程序,需要设置JAVA_HOME,那么可以在Dockerfile中写ENVJAVA_HOME /path/to/java/dirent)
举例1(Dockfile自动构建,nginx用yum方式安装):
[root@test6 ~]# mkdir -pv /opt/dockerfile/nginx
mkdir: created directory `/opt/dockerfile'
mkdir: created directory`/opt/dockerfile/nginx'
[root@test6 ~]# cp /etc/yum.repos.d/epel-release-6-8.noarch.rpm /opt/dockerfile/nginx/
[root@test6 ~]# cd /opt/dockerfile/nginx
[root@test6 nginx]# vim Dockerfile #(该文件首字母一定要大写)
-----------------------file-start-------------------
# This is my Dockerfile
# Version1.0
# Author:jowin
FROM centos:6
MAINTAINER jowin
ADD epel-release-6-8.noarch.rpm /usr/local/src/
WORKDIR /usr/local/src
RUN yum -y install epel-release-6-8.noarch.rpm && yum -y install nginx
RUN echo "daemon off;" >> /etc/nginx/nginx.conf
RUN chkconfig nginx on
EXPOSE 80
CMD /etc/init.d/nginx restart
-----------------------file-end-------------------
[root@test6 nginx]# ls
Dockerfile epel-release-6-8.noarch.rpm
[root@test6 nginx]# docker build -t mynginx:V1 /opt/dockerfile/nginx/ #(每一步都是容器一层)
Sending build context to Docker daemon932.4 kB
Sending build context to Docker daemon
Step 0 : FROM centos:6
---> 10611b26a8b9
Step 1 : MAINTAINER jowin
---> Running in 24597906bd47
---> 999639f2c6a2
Removing intermediate container24597906bd47
Step 2 : ADD epel-release-6-8.noarch.rpm/usr/local/src/
---> 96c8ba9fd0a8
Removing intermediate containera256f12df6bf
Step 3 : WORKDIR /usr/local/src
---> Running in 21c8e6b8611a
---> 1b353408f743
Removing intermediate container21c8e6b8611a
Step 4 : RUN yum -y installepel-release-6-8.noarch.rpm && yum -y install nginx
---> Running in e135afd7a757
Loaded plugins: fastestmirror, ovl
Setting up Install Process
Examining epel-release-6-8.noarch.rpm:epel-release-6-8.noarch
Marking epel-release-6-8.noarch.rpm to beinstalled
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:6-8will be installed
--> Finished Dependency Resolution
……
Complete!
---> 3e4dbe258c07
Removing intermediate containere135afd7a757
Step 5 : RUN echo "daemon off;">> /etc/nginx/nginx.conf
---> Running in 4757741a6a9a
---> 346eedad76db
Removing intermediate container4757741a6a9a
Step 6 : RUN chkconfig nginx on
---> Running in dab6062e3271
---> d24a7f82e4e3
Removing intermediate containerdab6062e3271
Step 7 : EXPOSE 80
---> Running in 8f8579602e2a
---> 04fb848c54f9
Removing intermediate container8f8579602e2a
Step 8 : CMD /etc/init.d/nginx restart
---> Running in 0a5d800e1254
---> 5727c7a98de6
Removing intermediate container0a5d800e1254
Successfully built 5727c7a98de6
[root@test6 nginx]# docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
mynginx V1 5727c7a98de6 5 minutes ago 622 MB
nginx latest 93c50d378b4b 3 weeks ago 181.6 MB
centos latest d4350798c2ee 4 weeks ago 191.8 MB
centos 6 10611b26a8b9 10 weeks ago 194.6 MB
[root@test6 nginx]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@test6 ~]# docker run -h test8 --name nginx_test -d -p 93:80 mynginx:V1
b3f0b7e99f545657d3e9c3691e93f46cabb692ab3e102345577a65180b7bb607
[root@test6 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b3f0b7e99f54 mynginx:V1 "/bin/sh -c '/etc/in 3 seconds ago Up 2 seconds 0.0.0.0:93->80/tcp nginx_test
http://192.168.23.134:93/
[root@test6 ~]# docker stop `docker ps -a-q`
b3f0b7e99f54
[root@test6 ~]# docker rm `docker ps -a -q`
b3f0b7e99f54
举例2(Dockfile自动构建,nginx用源码安装):
[root@test6 ~]# mkdir -pv /opt/dockerfile/nginx
mkdir: created directory `/opt/dockerfile'
mkdir: created directory`/opt/dockerfile/nginx'
[root@test6 ~]# wget -P /opt/dockerfile/nginx/ http://nginx.org/download/nginx-1.10.2.tar.gz #(将要传至容器中的文件都放在此目录下)
[root@test6 ~]# vim /etc/init.d/nginx #(准备启动脚本)
[root@test6 ~]# chmod +x /etc/init.d/nginx
[root@test6 ~]# cp /etc/init.d/nginx /opt/dockerfile/nginx/
[root@test6 ~]# cd /opt/dockerfile/nginx
[root@test6 nginx]# vim Dockerfile #(该文件首字母一定要大写)
-----------------------file-start-------------------
# This is my Dockerfile
# Version1.0
# Author:jowin
FROM centos:6
MAINTAINER jowin
ADD nginx-1.10.2.tar.gz /usr/local/src/
ADD nginx /etc/init.d/
RUN chmod 755 /etc/init.d/nginx
RUN yum -y groupinstall "Compatibility Libraries" "Development Tools"
RUN yum -y install wget gcc gcc-c++ makeopenssl-devel pcre-devel
RUN groupadd -r -g 108 nginx && useradd -r -g 108 -u 108 nginx
RUN mkdir -p /var/tmp/nginx/client
WORKDIR /usr/local/src/nginx-1.10.2
RUN ./configure --prefix=/usr --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre && make && make install
RUN echo "daemon off;" >> /etc/nginx/nginx.conf
RUN chkconfig --add nginx &&chkconfig nginx on
EXPOSE 80
CMD /etc/init.d/nginx restart
-----------------------file-end-------------------
[root@test6 nginx]# ls
Dockerfile nginx nginx-1.10.2.tar.gz
[root@test6 nginx]# docker build -t mynginx:V2 /opt/dockerfile/nginx/
Sending build context to Docker daemon933.4 kB
Sending build context to Docker daemon
Step 0 : FROM centos:6
---> 10611b26a8b9
Step 1 : MAINTAINER jowin
---> Using cache
---> 999639f2c6a2
Step 2 : ADD nginx-1.10.2.tar.gz/usr/local/src/
---> a7f1ceebdf62
Removing intermediate container2803f4e155d6
Step 3 : ADD nginx /etc/init.d/
---> 7c24afc8de93
Removing intermediate container3cc4e5d4a12d
Step 4 : RUN chmod 755 /etc/init.d/nginx
---> Running in 05f1c843e10c
---> c79c9a993f23
Removing intermediate container05f1c843e10c
Step 5 : RUN yum -y groupinstall"Compatibility Libraries" "Development Tools"
---> Running in afb41a9093df
Loaded plugins: fastestmirror, ovl
Setting up Group Process
……
Complete!
---> f12bcfba970a
Removing intermediate containerc8dfc49e1cb2
Step 6 : RUN yum -y install wget gccgcc-c++ make openssl-devel pcre-devel
---> Running in 223fabfcd01f
Loaded plugins: fastestmirror, ovl
……
Complete!
---> facc087068a5
Removing intermediate container223fabfcd01f
Step 7 : RUN groupadd -r -g 108 nginx&& useradd -r -g 108 -u 108nginx
---> Running in 0f9485f61a3c
---> f435055d568c
Removing intermediate container0f9485f61a3c
Step 8 : RUN mkdir -p /var/tmp/nginx/client
---> Running in 6bf27d58a485
---> 9b6f4fb2841a
Removing intermediate container6bf27d58a485
Step 9 : WORKDIR/usr/local/src/nginx-1.10.2
---> Running in e45619137f0f
---> f2ec9e6630ea
Removing intermediate containere45619137f0f
Step 10 : RUN ./configure --prefix=/usr --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre && make && makeinstall
---> Running in 6e4d7297cce1
checking for OS
+Linux 2.6.32-642.13.1.el6.x86_64 x86_64
……
make[1]: Leaving directory`/usr/local/src/nginx-1.10.2'
---> 7995848f13ce
Removing intermediate container6e4d7297cce1
Step 11 : RUN echo "daemon off;">> /etc/nginx/nginx.conf
---> Running in 7999a60b9b15
---> b9fc8b5907c0
Removing intermediate container7999a60b9b15
Step 12 : RUN chkconfig --add nginx&& chkconfig nginx on
---> Running in b022f7b7d2a7
---> c31a4dcdb26d
Removing intermediate containerb022f7b7d2a7
Step 13 : EXPOSE 80
---> Running in cb0fce765630
---> 88659a814893
Removing intermediate containercb0fce765630
Step 14 : CMD /etc/init.d/nginx restart
---> Running in 4cf1af9267c0
---> e36386cedd23
Removing intermediate container4cf1af9267c0
Successfully built e36386cedd23
[root@test6 nginx]# docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
mynginx V2 e36386cedd23 2 minutes ago 908.3 MB
mynginx V1 5727c7a98de6 51 minutes ago 622 MB
nginx latest 93c50d378b4b 3 weeks ago 181.6 MB
centos latest d4350798c2ee 4 weeks ago 191.8 MB
centos 6 10611b26a8b9 10 weeks ago 194.6 MB
[root@test6 nginx]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@test6 nginx]# docker run -h test2 --name nginx_test2 -d -p 94:80 mynginx:V2
a1f183710d19e78f0a2f38d023cb6fb11e9608668097a2159153b8a6242cf13d
[root@test6 nginx]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a1f183710d19 mynginx:V2 "/bin/sh -c '/etc/in 3 seconds ago Up 2 seconds 0.0.0.0:94->80/tcp nginx_test2
http://192.168.23.134:94/
[root@test6 nginx]# docker stop `docker ps-a -q`
a1f183710d19
[root@test6 nginx]# docker rm `docker ps -a-q`
a1f183710d19
举例3(Dockfile自动构建,stress压力测试)
[root@test6 ~]# yum -y install stress #(用epel源(http://mirrors.aliyun.com/help/epel)安装此工具,linux下压力测试)
[root@test6 ~]# man stress
-c, --cpu N,spawn N workersspinning on sqrt(),产生多个处理sqrt()函数的cpu进程;
-i, --io N,spawn N workersspinning on sync(),产生多个处理sync()函数的磁盘io进程;
-m, --vm N,spawn N workersspinning on malloc()/free(),产生多个处理malloc()内存分配函数的进程;
[root@test6 ~]# mkdir /opt/dockerfile/stress
[root@test6 ~]# cp /etc/yum.repos.d/epel-release-6-8.noarch.rpm /opt/dockerfile/stress/
[root@test6 ~]# cd !$
cd /opt/dockerfile/stress
[root@test6 stress]# vim Dockerfile
FROM centos:6
ADD epel-release-6-8.noarch.rpm/usr/local/src/
WORKDIR /usr/local/src
RUN yum -y install epel-release-6-8.noarch.rpm && yum -y install stress
ENTRYPOINT ["stress"]
[root@test6 stress]# docker build -tstress:V1 /opt/dockerfile/stress/
Sending build context to Docker daemon18.94 kB
Sending build context to Docker daemon
Step 0 : FROM centos:6
---> 10611b26a8b9
Step 1 : ADD epel-release-6-8.noarch.rpm/usr/local/src/
---> 6ad551534139
Removing intermediate containerf157f173a6b9
Step 2 : WORKDIR /usr/local/src
---> Running in d6d37746ae09
---> 2c600a3a7d67
Removing intermediate containerd6d37746ae09
Step 3 : RUN yum -y installepel-release-6-8.noarch.rpm && yum -y install stress
---> Running in eeb460c3fcee
Loaded plugins: fastestmirror, ovl
Setting up Install Process
Examining epel-release-6-8.noarch.rpm:epel-release-6-8.noarch
Marking epel-release-6-8.noarch.rpm to beinstalled
Resolving Dependencies
……
Complete!
---> 338c70034926
Removing intermediate containereeb460c3fcee
Step 4 : ENTRYPOINT stress
---> Running in b63dfcd11205
---> 74d069b8070a
Removing intermediate containerb63dfcd11205
Successfully built 74d069b8070a
[root@test6 stress]# docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
stress V1 74d069b8070a 9 minutes ago 287.7 MB
mynginx V2 e36386cedd23 32 minutes ago 908.3 MB
mynginx V1 5727c7a98de6 About an hour ago 622 MB
nginx latest 93c50d378b4b 3 weeks ago 181.6 MB
centos latest d4350798c2ee 4 weeks ago 191.8 MB
centos 6 10611b26a8b9 10 weeks ago 194.6 MB
[root@test6 stress]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
容器资源配额:
(1)CPU份额控制:
http://blog.csdn.net/horsefoot/article/details/51731543
[root@test6 ~]# docker run -itd --cpu-shares 100 stress:V1 --cpu 1 #(最后的--cpu 1是stress命令的参数)
70e786fb864811595226e911d6651064dea7bc98e896e8bc4467e72a1d62afaf
[root@test6 ~]# docker run -itd --cpu-shares 50 stress:V1 --cpu 1
939fff5393bbf387ef9a4b9c1cfeb26ac2024b187e8f2a96509c7cb373a052aa
[root@test6 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
939fff5393bb stress:V1 "stress --cpu 1" 6 seconds ago Up 2 seconds elegant_goodall
70e786fb8648 stress:V1 "stress --cpu 1" 16 seconds ago Up 15 seconds loving_fermat
#cat /cgroup/cpu/docker/CONTAINER_ID/cpu.shares
#top结果如下:
[root@test6 ~]# docker stop `docker ps -q`
939fff5393bb
70e786fb8648
[root@test6 ~]# docker rm `docker ps -a -q`
939fff5393bb
70e786fb8648
(2)CPU core控制:
#docker run -itd--cpuset-cpus 0-2 stress:V1 #(表示创建的容器只能使用012这三个核心)
#cat /cgroup/cpuset/docker/CONTAINTER_ID/cpuset.cpus
#docker exec CONTAINER_ID taskset -c -p1 #(查看容器内进程与cpu的绑定,容器内第一个进程的编号一般为1)
(3)内存配额控制:
[root@test6 ~]# docker run -itd -m 128m stress:V1 --vm 1 --vm-bytes 128m --vm-hang 0 #(-m 128m,设置容器使用的最大内存上限,新版本此处设多少就能用多少,老版本能过载使用能达到2倍甚至更多;默认情况下,除了-m(--memory)指定的内存大小以外,docker还为容器分配了同样大小的swap分区,也就是说,上面的命令创建出的容器实际上最多可以使用256MB内存,而不是128MB内存,如果需要自定义swap分区大小,则可以通过联合使用--memory-swap参数来实现控制)
0ed05c7bd67efb5a9972550e00a9d63c0239db265c9cd1bfb5db9e1259c1a025
[root@test6 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0ed05c7bd67e stress:V1 "stress --vm 1 --vm- 15 seconds ago Up 4 seconds prickly_hodgkin
[root@test6 ~]# docker-enter 0ed05c7bd67e
[root@0ed05c7bd67e ~]#
#cat /cgroup/memory/docker/CONTAINER_ID/memory.limit_in_bytes
#cat /cgroup/memory/docker/CONTAINER_ID/memory.memsw.limit_in_bytes
docker网络:
(1)docker默认使用bridge:
[root@test6 ~]# ip addr
256: vethe182dcb:<BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 52:12:99:6d:2e:ac brd ff:ff:ff:ff:ff:ff
inet6 fe80::5012:99ff:fe6d:2eac/64 scope link
valid_lft forever preferred_lft forever
1: lo: <LOOPBACK,UP,LOWER_UP> mtu65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0:<BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen1000
link/ether 00:0c:29:32:f4:98 brd ff:ff:ff:ff:ff:ff
inet 192.168.23.134/24 brd 192.168.23.255 scope global eth0
inet6 fe80::20c:29ff:fe32:f498/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP>mtu 1500 qdisc noqueue state UNKNOWN
link/ether 52:12:99:6d:2e:ac brd ff:ff:ff:ff:ff:ff
inet 172.17.42.1/16 scope global docker0
inet6 fe80::80ee:6dff:febb:7ecc/64 scope link
valid_lft forever preferred_lft forever
[root@test6 ~]# brctl show
bridge name bridgeid STP enabled interfaces
docker0 8000.5212996d2eac no vethe182dcb
[root@test6 ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain DOCKER (2 references)
target prot opt source destination
(2)host网络:
(3)其它:
registry:
官方的Docker hub是一个用于管理公共镜像的好地方,我们可以在上面找到我们想要的镜像,也可以把我们自己的镜像推送上去,但是,有时候,我们的使用场景需要我们拥有一个私有的镜像仓库用于管理我们自己的镜像,这个可以通过开源软件Registry来达成目的;
Registry在github上有两份代码:老代码库和新代码库,老代码是采用python编写的,存在pull和push的性能问题,出到0.9.1版本之后就标志为deprecated,不再继续开发,从2.0版本开始就在新代码库进行开发,新代码库是采用go语言编写,修改了镜像id的生成算法、registry上镜像的保存结构,大大优化了pull和push镜像的效率;
官方在Docker hub上提供了registry的镜像,我们可以直接使用该registry镜像来构建一个容器,搭建我们自己的私有仓库服务;
[root@test6 ~]# docker search registry
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
registry The DockerRegistry 2.0 implementation for... 1286 [OK]
konradkleine/docker-registry-frontend Browse and modify your Docker registry in... 134 [OK]
……
[root@test6 ~]# docker pull registry
latest: Pulling from registry
6f8afccfec17: Pull complete
38535c2527ab: Pull complete
f65507bfd5af: Pull complete
343c0e0e9a06: Pull complete
8da0a1a131a1: Pull complete
262f434a6db5: Pull complete
ca1c9bbf547c: Pull complete
a375b425d304: Pull complete
46afc3aaeab9: Pull complete
Digest:sha256:dfe7dab682674fd612b582e489d4c9d0d163f538539210201da33fd3de6faf69
Status: Downloaded newer image for registry:latest
[root@test6 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
stress V1 74d069b8070a 3 days ago 287.7 MB
mynginx V2 e36386cedd23 3 days ago 908.3 MB
mynginx V1 5727c7a98de6 3 days ago 622 MB
registry latest 46afc3aaeab9 3 days ago 33.17 MB
nginx latest 93c50d378b4b 3 weeks ago 181.6 MB
centos latest d4350798c2ee 5 weeks ago 191.8 MB
centos 6 10611b26a8b9 11 weeks ago 194.6 MB
[root@test6 ~]# vim /etc/sysconfig/docker
other_args="--insecure-registry 192.168.23.134:5000"
[root@test6 ~]# /etc/init.d/docker restart
Stopping docker: [ OK ]
Starting docker: [ OK ]
[root@test6 ~]# mkdir /opt/registry
[root@test6 ~]# docker run -v /opt/registry:/var/lib/registry -p 5000:5000 --restart=always --name registry -d registry #(registry默认将镜像保存在容器的/var/lib/registry,将其映射到宿主机的/opt/registry)
44990ef6275b6bb34c69b8fd854899e0eda12bc984885fd19c1ce00c2bae0070
[root@test6 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
44990ef6275b registry "/entrypoint.sh /etc 9 seconds ago Up 3 seconds 0.0.0.0:5000->5000/tcp registry
http://192.168.23.134:5000/v2/
[root@test6 ~]# docker tag stress:V1 192.168.23.134:5000/stress:V1 #(给即将要推送到私有仓库的镜像做标记)
[root@test6 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
stress V1 74d069b8070a 3 days ago 287.7 MB
192.168.23.134:5000/stress V1 74d069b8070a 3 days ago 287.7 MB
mynginx V2 e36386cedd23 3 days ago 908.3 MB
mynginx V1 5727c7a98de6 3 days ago 622 MB
registry latest 46afc3aaeab9 3 days ago 33.17 MB
nginx latest 93c50d378b4b 3 weeks ago 181.6 MB
centos latest d4350798c2ee 5 weeks ago 191.8 MB
centos 6 10611b26a8b9 11 weeks ago 194.6 MB
[root@test6 ~]# docker push 192.168.23.134:5000/stress:V1
The push refers to a repository[192.168.23.134:5000/stress] (len: 1)
74d069b8070a: Image already exists
74d069b8070a: Buffering to Disk
338c70034926: Image successfully pushed
2c600a3a7d67: Image successfully pushed
6ad551534139: Image successfully pushed
6ad551534139: Buffering to Disk
10611b26a8b9: Image already exists
c40f84131ae5: Image successfully pushed
c40f84131ae5: Buffering to Disk
Digest:sha256:fc774ad3fd86014ce488c24360931be8f4bc804046e49c089c9a8cabe6713ef9
[root@test6 ~]# docker-enter registry
44990ef6275b:~# ls /var/lib/registry/docker/registry/v2/repositories/stress/
_layers _manifests _uploads
44990ef6275b:~# exit
[root@test6 ~]# ls /opt/registry/docker/registry/v2/repositories/stress/
_layers _manifests _uploads
http://192.168.23.134:5000/v2/_catalog
[root@test6 ~]# docker rmi 192.168.23.134:5000/stress:V1 #(将本地的stress:V1删掉)
Untagged: 192.168.23.134:5000/stress:V1
Deleted:74d069b8070a4a60c9037ab3ea3ee3393de564ea5f8e9b504e242b880f405ded
Deleted: 338c700349262c59a29fa18c5be083c9b1102363e7e08237e9a8e06f87809cee
Deleted:2c600a3a7d67aeca796b3076d6608b14b4cd45773f4b2d0b1938b5161c4f2f05
Deleted:6ad551534139344ddc661b4132211646abb10ba73583077567bc552abb45b48d
[root@test6 ~]# docker pull 192.168.23.134:5000/stress:V1 #(从私有仓库中下载)
V1: Pulling from 192.168.23.134:5000/stress
6ad551534139: Pull complete
2c600a3a7d67: Pull complete
338c70034926: Pull complete
74d069b8070a: Already exists
74d069b8070a: Pulling fs layer
3690474eb5b4: Already exists
c40f84131ae5: Already exists
c3bd2182e0b9: Already exists
Digest:sha256:fc774ad3fd86014ce488c24360931be8f4bc804046e49c089c9a8cabe6713ef9
Status: Downloaded newer image for192.168.23.134:5000/stress:V1
[root@test6 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
192.168.23.134:5000/stress V1 74d069b8070a 3 days ago 287.7 MB
mynginx V2 e36386cedd23 3 days ago 908.3 MB
mynginx V1 5727c7a98de6 3 days ago 622 MB
registry latest 46afc3aaeab9 3 days ago 33.17 MB
nginx latest 93c50d378b4b 3 weeks ago 181.6 MB
centos latest d4350798c2ee 5 weeks ago 191.8 MB
centos 6 10611b26a8b9 11 weeks ago 194.6 MB
[root@test6 ~]# docker stop `docker ps -q`
44990ef6275b
[root@test6 ~]# docker rm `docker ps -a -q`
44990ef6275b
docker management(shipyard):
https://shipyard-project.com/
Shipyard是建立在docker集群管理工具Citadel之上的可以管理容器、主机等资源的web图形化工具,包括core和extension两个版本;core即shipyard,主要是把多个Docker host上的containers统一管理(支持跨越多个host),extension即shipyard-extensions添加了应用路由和负载均衡、集中化日志、部署等;
engine(一个shipyard管理的docker集群可以包含一个或多个engine(引擎),一个engine就是监听tcp端口的dockerdaemon,shipyard管理docker daemon、images、containers完全基于Docker API,不需要做其他的修改;另shipyard可以对每个engine做资源限制,包括CPU和内存,因为TCP监听相比Unix socket方式会有一定的安全隐患,所以shipyard还支持通过SSL证书与docker后台进程安全通信);
rethinkdb(是一个shipyard项目的一个docker镜像,用来存放账号account、引擎engine、服务密钥servicekey、扩展元数据extension metadata等信息,但不会存储任何有关容器或镜像的内容,一般会启动一个shipyard/rethinkdb容器shipyard-rethinkdb-data来使用它的/data作为数据卷供另外rethinkdb一个挂载,专门用于数据存储);
(1)shipyard v1(基于Python/Django)版本时安装过程比较复杂,既可以通过在host上安装,也可以部署shipyard镜像(包括shipyard-agent、shipyard-deploy等组件);
(2)shipyard v2版本简化了安装过程,启动两个镜像就完成安装(获取一个/data的数据卷;使用数据卷/data启动rethinkdb);最后启动shipyard控制器即可使用;
(3)以上两种方式安装很麻烦的,现在官方有了自动安装脚本,使用非常方便(https://shipyard-project.com/docs/deploy/automated/),Shipyard启用了7个容器,默认访问端口是8080,默认用户名和密码是admin和shipyard;
[root@test6 ~]# curl -sSL https://shipyard-project.com/deploy | bash -s #(第三种方式,一键安装)
Deploying Shipyard
-> Starting Database
-> Starting Discovery
-> Starting Cert Volume
-> Starting Proxy
-> Starting Swarm Manager
-> Starting Swarm Agent
-> Starting Controller
Waiting for Shipyard on 192.168.23.134:8080
........................................
Shipyard available athttp://192.168.23.134:8080
Username: admin Password: shipyard
http://192.168.23.134:8080
[root@test6 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
56fdb108168b shipyard/shipyard:latest "/bin/controller --d 12 hours ago Up 12 hours 0.0.0.0:8080->8080/tcp shipyard-controller
3620784c0213 swarm:latest "/swarm j --addr192 12 hours ago Up 12 hours 2375/tcp shipyard-swarm-agent
21f60db1102d swarm:latest "/swarm m--replicat 12 hours ago Up 12 hours 2375/tcp shipyard-swarm-manager
d36cfdb24321 shipyard/docker-proxy:latest "/usr/local/bin/run" 12 hours ago Up 12 hours 0.0.0.0:2375->2375/tcp shipyard-proxy
081d1a2001d5 alpine "sh" 12 hours ago Up 12 hours shipyard-certs
9fd267a05129 microbox/etcd:latest "/bin/etcd -addr 192 12 hours ago Up 12 hours 0.0.0.0:4001->4001/tcp,0.0.0.0:7001->7001/tcp shipyard-discovery
7ac05182605e rethinkdb "rethinkdb --bindal 12 hours ago Up 12 hours 8080/tcp, 28015/tcp, 29015/tcp shipyard-rethinkdb
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2018-5-28 10:49:30
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡