1 Docker Introduction and Basic Operations


Container, in everyday life, refers to something that can hold other objects so that people can conveniently organise, store and transport them; a wardrobe, a suitcase or a backpack can all be called containers. Container also means a shipping container: dock workers load many uniform boxes, each holding different goods, onto a ship moored at the quay, and the boxes can then be conveniently shipped back and forth.


Why can these shipping containers be moved around so conveniently? Because they are boxes of a uniform, standardised size and can be safely isolated from one another. So when we use the word container, we mean that we want the container to reach a state in which it can be packed and conforms to a standard.

[Figure: standard shipping container dimensions and weights]

The container we talk about today, however, is an IT technology. A container is in fact a sandboxing technique: as the name suggests, a sandbox packs up your application just like a shipping container. Applications then have boundaries between them and do not interfere with each other, and an application packed in a sandbox can easily be moved around, which is the ideal state PaaS wants (portability, standardisation, isolation).

Containers are the software industry's shipping-container technology. Standardised shipping containers reduced packaging cost and greatly improved the efficiency of transport, loading and unloading, a major change for the traditional transport industry. In early software projects, updates and releases were inefficient, and the develop-test-release cycle was long and hard to make agile. With container technology, its standardised nature can be used to greatly improve productivity.

Container technology is a new and much-discussed technology following virtualisation, cloud computing and big data. It improves hardware resource utilisation, makes fast horizontal scaling of business services easy (scale-out in seconds), and enables self-healing after a service goes down (possible together with Kubernetes, but not provided by OpenStack). The coming years will therefore see containers become ever more popular; this technology is very influential and valuable for the IT industry, and for IT practitioners, mastering container technology is undoubtedly a promising career opportunity.


1.1 Docker Introduction

1.1.1 Container history

Although Docker pushed container technology to its peak, container technology did not originate with Docker. In fact, containers barely count as a new technology, since they were born and have been in use for quite a few years. You may not have heard of some of the names below, but all of them are indeed applications of container technology:

1. Chroot Jail: the familiar usage of the chroot command. It appeared as early as 1979 and is considered one of the earliest containerisation technologies. It isolates a process's view of the file system.

2. FreeBSD Jail: FreeBSD Jail implemented operating-system-level virtualisation and is one of the pioneers of that technique. It was released in 2000 together with FreeBSD 4.0.

3. Linux VServer: dedicated virtual servers implemented with system-level virtualisation features added to the Linux kernel. It allows many independent virtual private servers (VPS) to be created, which run concurrently at full speed on a single physical server and so share the hardware resources efficiently. A VPS provides an operating environment almost identical to that of a traditional Linux server. All services (such as ssh, mail, web and database servers) can be started on such a VPS without modification (or, in special cases, with very few modifications), just as on any real server.

Each VPS has its own user account database and root password and is isolated from the other virtual servers, but they share the same hardware resources. VServer 1.0 was released on 1 November 2003.

Website: http://linux-vserver.org/

4. Solaris Containers: also an operating-system-level virtualisation technology, designed for x86 and SPARC systems. A Solaris container is a combination of system resource controls and the boundary isolation provided by "zones".

5. OpenVZ: OpenVZ is an operating-system-level virtualisation technology for Linux. It allows multiple securely isolated Linux containers, i.e. VPSs, to be created.

6. Process Containers: process containers were developed by engineers at Google and are generally known as cgroups.

7. LXC: LXC is short for Linux Container. It provides lightweight virtualisation to isolate processes and resources, without needing an instruction-interpretation mechanism or the other complexity of full virtualisation. Containers effectively divide the resources managed by a single operating system into isolated groups, to better balance conflicting resource demands between those groups. Linux Container provides a mechanism for running multiple mutually isolated server containers concurrently on a single controllable host node. It is somewhat like chroot, providing a virtual environment with its own process and network space, but it differs from a virtual machine because LXC virtualises resources at the operating-system level.

8. Warden: in its initial stage, Warden used LXC as its container runtime. It has since been superseded within Cloud Foundry.

9. LMCTFY: LMCTFY stands for Let Me Contain That For You. It is the open-source version of Google's container stack. Google's engineers have been cooperating with Docker's libcontainer team, abstracting libcontainer's core concepts and porting them into this project. The project's progress is unclear, and it is expected to be superseded by libcontainer.

10. Docker: Docker is a tool that packages an application and its dependencies into a container that can run on almost any server.

11. RKT: RKT is short for Rocket, an application container engine focused on security and open standards. In summary, as we can see, Docker is not the first container technology, but it is certainly the best known.

1.1.2 What is Docker

Docker (the word means dock worker) is an open-source project born in early 2013. It began as a side project of an internal open-source PaaS (Platform as a Service) at dotCloud (a company headquartered in San Francisco, California, which renamed itself Docker Inc. after Docker became hugely popular as open source). It is implemented in Go, the language released by Google. The project later joined the Linux Foundation, follows the Apache 2.0 licence, and its code is maintained on GitHub.

Docker is implemented on top of the Linux kernel. Docker originally used LXC, the container technology natively supported by Linux, which provides lightweight virtualisation; it is fair to say that Docker grew out of LXC, offering a higher-level wrapper and a standard configuration method on top of it, plus a series of more powerful features. By contrast, the virtualisation technology KVM (Kernel-based Virtual Machine) is implemented as a kernel module. Docker later switched to its own self-developed, open-source runc to run containers and abandoned LXC completely.

Docker delivers faster than a virtual machine and consumes fewer resources. Docker uses a client/server architecture and a remote API to manage and create containers, and can easily create lightweight, portable, self-sufficient containers. Docker's three tenets are build, ship and run. Docker follows the Apache 2.0 licence and provides resource isolation and security for containers through mechanisms such as namespaces and cgroups, so a Docker container does not need the extra resource overhead of a virtual machine (an idle VM consumes 6-8% of the physical machine's performance), which greatly improves resource utilisation. In short, Docker is a lightweight virtual machine implemented in a novel way: it resembles a VM but differs greatly from one in principle and in use, and the proper term for Docker is application container.

Docker's main goal


Build, Ship and Run Any App, Anywhere: by managing the life cycle of application components through packaging, distribution, deployment and runtime, Docker achieves "package once, run anywhere" at the application-component level. An application component can be a web application, a set of database services, or even an operating system. Running an application in a Docker container makes it cross-platform and cross-server: prepare the application environment once, and it runs everywhere, keeping development and production environments consistent and solving compatibility problems between the application and its runtime environment, which greatly improves deployment efficiency and reduces the chance of failures.

What containerising an application with Docker provides:


  • A unified infrastructure environment: the Docker environment
    1. hardware composition and configuration
    2. operating system version
    3. heterogeneous runtime environments
  • A unified way of packaging (boxing) programs: the Docker image
    1. Java programs
    2. Python programs
    3. Node.js programs
  • A unified way of deploying (running) programs: the Docker container
    1. java -jar ... → docker run ...
    2. python manage.py runserver ... → docker run ...
    3. npm run dev ... → docker run ...

1.1.3 Docker versus virtual machines and physical hosts


Comparison of container and virtual-machine technology


  • A traditional virtual machine virtualises host hardware and runs a complete operating system, then installs and runs software on that system
  • An application inside a container runs directly on the host's kernel; the container has no kernel of its own and needs no virtual hardware, so it is very lightweight
  • Containers are isolated from one another: each container has its own independent file system, process space, network space, user space and so on, so multiple containers on the same host do not affect each other

Comparison of container and virtual-machine performance


  • Higher resource utilisation: less overhead, since no separate VM OS kernel has to be started and occupy hardware resources, so the server's performance can be squeezed to the limit. A VM typically loses 5-20%, while a container runs with essentially no loss, so in production a physical machine can run only dozens of virtual machines but usually hundreds of containers
  • Faster startup: a container can start in seconds
  • Smaller footprint: a container's disk usage is measured in MB, a VM's in GB
  • Better integration: containers combine better with CI/CD (continuous integration/continuous deployment) technologies, so that building an image, publishing and testing can run with one click, giving automated, fast deployment management and an efficient development life cycle

Virtual machines are used to better isolate the environments services run in: each VM has an independent kernel, and virtualisation allows VMs running different operating systems, but usually one VM runs only one service, which clearly gives low resource utilisation and causes unnecessary performance loss. We create VMs in order to run applications, such as Nginx, PHP, Tomcat and other web programs, and using a VM undoubtedly brings some unnecessary resource overhead, whereas container technology gains considerable performance by cutting out the intermediate runtime layers.

According to experiments, a KVM virtual machine running CentOS needs 100-200 MB of memory for itself once started, without any optimisation. In addition, user applications run inside the VM, so their calls to the host operating system inevitably pass through the virtualisation software's interception and handling, which is itself another layer of performance loss, particularly heavy for compute resources, network and disk I/O.

For example: on a physical server with 96 GB of memory, a VM for running Java programs generally needs 8 GB of memory and 4 cores, so only about 13 VMs can run; if the Java programs are instead run in Docker containers, each container needs only 4 GB of memory, so the same physical server can run about 25 containers, doubling the number of instances. This can greatly reduce IT spending, and normally saves at least half the physical equipment.

1.1.4 Docker components

Docker website: http://www.docker.com

Documentation: https://docs.docker.com/

Docker images: https://hub.docker.com/

Docker Chinese site: http://www.docker.org.cn/


  • Docker host (Host): a physical or virtual machine that runs the Docker service process and the containers; also called the host machine or node
  • Docker server (Server): the Docker daemon, which runs the Docker containers
  • Docker client (Client): the client uses the docker command or other tools to call the Docker API
  • Docker images (Images): an image can be understood as the template used to create instances; in essence it is a collection of program files
  • Docker registry (Registry): a repository that stores images; the official registry is https://hub.docker.com/, and a private registry such as Harbor can be set up
  • Docker container (Container): a container is one service or group of services generated from an image to provide service externally; in essence it is the process created by starting the program in the image


1.1.5 Namespace

When one host runs N containers and those containers share one OS, the following questions inevitably arise:

  • How do we ensure that each container has a different file system and that they do not affect each other?
  • The containers under a Docker main process are all its child processes, so how are different kinds of child process realised under the same main process? Can the container child processes communicate with each other (share in-memory data)?
  • How does each container solve the problem of IP and port allocation?
  • Can multiple containers have the same hostname?
  • Does each container need a root user? How are duplicate account names handled?

A namespace is a low-level concept of the Linux system, implemented in the kernel: several different kinds of namespace are built into the kernel. All Docker containers run under the same Docker main process and share the same host kernel, and each Docker container runs in the host's user space. Every container needs a running space isolated from the others, much like a virtual machine, but container technology builds the runtime environment for a given service inside a process, and also protects the host kernel from interference by other processes, isolating the file system space, network space, process space and so on. Currently the mutual isolation of container runtime spaces is implemented mainly with the following techniques:


1.1.5.1 MNT Namespace

Each container needs its own independent root file system and user space, so that services can be started inside the container and use the container's runtime environment. That is, on a host that is an Ubuntu server, you can start a container with a CentOS runtime environment and start an Nginx service inside it; the runtime environment Nginx uses is the CentOS system directory tree, but from inside the container the host's resources are not accessible, because the host uses the chroot technique to lock the container into a designated runtime directory.

For example:

/var/lib/containerd/io.containerd.runtime.v1.linux/moby/<container ID>

Root directory:

/var/lib/docker/overlay2/<ID>

Example:

[root@ubuntu1804 ~]#docker version
Client: Docker Engine - Community
 Version:           20.10.12
 API version:       1.41
 Go version:        go1.16.12
 Git commit:        e91ed57
 Built:             Mon Dec 13 11:45:27 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.12
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.12
  Git commit:       459d0df
  Built:            Mon Dec 13 11:43:36 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.12
  GitCommit:        7b11cfaabd73bb80907dd23182b9347b4245eb5d
 runc:
  Version:          1.0.2
  GitCommit:        v1.0.2-0-g52b36a2
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

# Start three containers for the verification steps below:
[root@ubuntu1804 ~]# docker run -d --name nginx-1 -p 80:80 nginx
[root@ubuntu1804 ~]# docker run -d --name nginx-2 -p 81:80 nginx
[root@ubuntu1804 ~]# docker run -d --name nginx-3 -p 82:80 nginx

Example: inspect the storage

[root@ubuntu1804 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS          PORTS                               NAMES
994a55201108   nginx     "/docker-entrypoint.…"   3 seconds ago    Up 2 seconds    0.0.0.0:82->80/tcp, :::82->80/tcp   nginx-3
c05301d01e12   nginx     "/docker-entrypoint.…"   14 seconds ago   Up 13 seconds   0.0.0.0:80->80/tcp, :::80->80/tcp   nginx-1
fe2e0e4a7e0c   nginx     "/docker-entrypoint.…"   20 seconds ago   Up 19 seconds   0.0.0.0:81->80/tcp, :::81->80/tcp   nginx-2

[root@ubuntu1804 ~]#ls /var/lib/docker/overlay2/39dc6163707a72b2f9cd04bed15bc84d3f74c7cf45a5248065ace6dd48446b3d
diff  link  lower  merged  work
[root@ubuntu1804 ~]#ls /var/lib/docker/overlay2/39dc6163707a72b2f9cd04bed15bc84d3f74c7cf45a5248065ace6dd48446b3d/merged/
bin   dev                  docker-entrypoint.sh  home  lib64  mnt  proc  run   srv  tmp  var
boot  docker-entrypoint.d  etc                   lib   media  opt  root  sbin  sys  usr

[root@ubuntu1804 ~]#docker ps -a
CONTAINER ID       IMAGE                   COMMAND             CREATED          STATUS          PORTS               NAMES
d2d79c1d3695       centos:centos8.1.1911   "/bin/bash"         14 minutes ago   Up 14 minutes                       boring_carson
17ff44b1dbff       centos:centos8.1.1911   "/bin/bash"         17 minutes ago   Up 17 minutes                       interesting_austin
[root@ubuntu1804 ~]#ls /var/lib/containerd/io.containerd.runtime.v1.linux/moby/
17ff44b1dbff94e3578b3d3b74daae54527c1f65a279bb07f00641bda24ba580 d2d79c1d36954642dbab35e19bf75075dc94b66c11626c72ac52910add710204
[root@ubuntu1804 ~]#ls /var/lib/docker/overlay2/0c45e9ac63195a4562a1b5fcd4089a2ad604418d381557e7c1165da70263b75b/merged/
bin dev etc home lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var

Example: verify the container's root file system

[root@centos8 ~]#podman exec nginx cat /etc/issue
Debian GNU/Linux 9 \n \l
[root@centos8 ~]#podman exec nginx ls /
bin
boot
data
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var

Example: the container and the host share one kernel

[root@centos8 ~]#podman exec nginx uname -r
4.18.0-147.el8.x86_64

[root@centos8 ~]#uname -r
4.18.0-147.el8.x86_64

1.1.5.2 IPC Namespace

Inter-process communication within one container: processes inside the same container may access each other's data (memory, caches and so on), but a container cannot directly access another container's data.

1.1.5.3 UTS Namespace

The UTS namespace (UNIX Timesharing System; it holds the running kernel's name, version, underlying architecture type and similar information) is used for system identification and contains the hostname and domainname. It gives a container its own hostname identity, independent of the host system and of the other containers on it.

Example:

[root@ubuntu1804 ~]#docker ps -a
CONTAINER ID       IMAGE                   COMMAND             CREATED          STATUS          PORTS               NAMES
d2d79c1d3695       centos:centos8.1.1911   "/bin/bash"         34 minutes ago   Up 34 minutes                       boring_carson
17ff44b1dbff       centos:centos8.1.1911   "/bin/bash"         37 minutes ago   Up 37 minutes                       interesting_austin

[root@ubuntu1804 ~]#docker exec -it 17ff44b1dbff sh

sh-4.4# hostname
17ff44b1dbff

sh-4.4# cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 17ff44b1dbff

sh-4.4# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
60: eth0@if61: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
   
sh-4.4# uname -r
4.15.0-29-generic

sh-4.4# free -h
             total       used       free     shared buff/cache   available
Mem:         962Mi       268Mi       81Mi       1.0Mi       612Mi       522Mi
Swap:         1.9Gi       17Mi       1.8Gi

sh-4.4# lscpu
Architecture:       x86_64
CPU op-mode(s):      32-bit, 64-bit
Byte Order:         Little Endian
CPU(s):              1
On-line CPU(s) list: 0
Thread(s) per core:  1
Core(s) per socket:  1
Socket(s):           1
NUMA node(s):        1
Vendor ID:           GenuineIntel
CPU family:          6
Model:               60
Model name:         Intel(R) Core(TM) i7-4710HQ CPU @ 2.50GHz
Stepping:            3
CPU MHz:             2494.237
BogoMIPS:            4988.47
Hypervisor vendor:   VMware
Virtualization type: full
L1d cache:           32K
L1i cache:           32K
L2 cache:           256K
L3 cache:           6144K
NUMA node0 CPU(s):   0
Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca 
cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm 
constant_tsc arch_perfmon nopl xtopology tsc_reliable nonstop_tsc cpuid pni 
pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt 
tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm cpuid_fault 
invpcid_single pti ssbd ibrs ibpb stibp fsgsbase tsc_adjust bmi1 avx2 smep bmi2 
invpcid xsaveopt arat arch_capabilities
sh-4.4# exit
exit

[root@ubuntu1804 ~]#uname -r
4.15.0-29-generic

1.1.5.4 PID Namespace

In a Linux system there is a process with PID 1 (init/systemd) that is the parent of all other processes, so each container also needs a parent process to manage its child processes. The processes of different containers are then isolated through the PID namespace (handling, for example, duplicate PID numbers, and the creation and reaping of child processes by the container's main process).


Example:

[root@ubuntu1804 ~]#docker exec -it 17ff44b1dbff sh

sh-4.4# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.061 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.039 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.049 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.051 ms
64 bytes from 127.0.0.1: icmp_seq=5 ttl=64 time=0.050 ms
64 bytes from 127.0.0.1: icmp_seq=6 ttl=64 time=0.051 ms
^Z
[1]+ Stopped(SIGTSTP)        ping 127.0.0.1

sh-4.4# ps aux
USER       PID %CPU %MEM   VSZ   RSS TTY     STAT START   TIME COMMAND
root          1  0.0  0.3  12024  3172 pts/0   Ss+  10:41   0:00 /bin/bash
root         46  1.2  0.3  12024  3228 pts/1   Ss   11:24   0:00 sh
root         51  0.0  0.2  29460  2280 pts/1   T    11:24   0:00 ping 127.0.0.1
root         52  0.0  0.3  43960  3332 pts/1   R+   11:24   0:00 ps aux

sh-4.4#
[root@ubuntu1804 ~]#pstree -p
systemd(1)─┬─VGAuthService(816)
           ├─accounts-daemon(819)─┬─{accounts-daemon}(828)
           │                     └─{accounts-daemon}(839)
           ├─agetty(887)
           ├─atd(807)
           ├─blkmapd(512)
           ├─containerd(3371)─┬─containerd-shim(12233)─┬─bash(12259)
           │                 │                       ├─sh(13359)───ping(13395)
           │                 │                       ├─{containerd-shim}(12234)

For example, the figure below shows that inside a container the process top reports as PID 1 is nginx:

[Figure: top inside the container, PID 1 is nginx]

The Nginx master and worker processes inside the container:

[Figure: Nginx master and worker processes inside the container]

So what is the relationship between the host's PIDs and the PIDs inside the container?

Example: view the PID information on the host

[Figure: PID information for the container's processes as seen on the host]

1.1.5.5 NET Namespace

Each container, like a virtual machine, has its own network interface, listening ports, TCP/IP stack and so on.

Docker uses the network namespace to start a vethX interface, so your container gets its own IP address on a bridge, usually docker0. docker0 is in fact a Linux virtual bridge; a bridge is a network device at the data-link layer of the OSI seven-layer model that partitions the network by MAC address and forwards data directly between the different networks.

Host network interfaces:

[Figure: host network interfaces]

Host bridge devices, viewed with the brctl show command:

[Figure: brctl show output on the host]

Logical network diagram:

[Figure: logical network diagram of the host, docker0 and the containers]

Host iptables rules:

[Figure: host iptables rules]

Example:

[root@ubuntu1804 ~]#docker ps -a
CONTAINER ID       IMAGE               COMMAND             CREATED             STATUS             PORTS               NAMES

[root@ubuntu1804 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:34:df:91 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.100/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe34:df91/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:9c:90:17:99 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:9cff:fe90:1799/64 scope link
       valid_lft forever preferred_lft forever

[root@ubuntu1804 ~]#docker run -itd -p 8888:80 nginx 
5dee9be9afdbab8c2f6c4c5eb0f956c9579efe93110daf638f8fd15f43d961e2

[root@ubuntu1804 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:34:df:91 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.100/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe34:df91/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:9c:90:17:99 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:9cff:fe90:1799/64 scope link
       valid_lft forever preferred_lft forever
71: veth9e4fb80@if70: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether a2:7b:84:f7:8b:ff brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::a07b:84ff:fef7:8bff/64 scope link
       valid_lft forever preferred_lft forever
[root@ubuntu1804 ~]#docker exec -it 5dee9b bash

root@5dee9be9afdb:/# apt update
Get:1 http://security-cdn.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:2 http://security-cdn.debian.org/debian-security buster/updates/main amd64 Packages [173 kB]
Get:3 http://deb.debian.org/debian buster InRelease [122 kB]
Get:4 http://deb.debian.org/debian buster-updates InRelease [49.3 kB]
Get:5 http://deb.debian.org/debian buster/main amd64 Packages [7908 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [5792 B]
Fetched 8323 kB in 13s (656 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

root@5dee9be9afdb:/# apt install net-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  net-tools
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 248 kB of archives.
After this operation, 1002 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian buster/main amd64 net-tools amd64 1.60+git20180626.aebd88e-1 [248 kB]
Fetched 248 kB in 0s (610 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package net-tools.
(Reading database ... 7203 files and directories currently installed.)
Preparing to unpack .../net-tools_1.60+git20180626.aebd88e-1_amd64.deb ...
Unpacking net-tools (1.60+git20180626.aebd88e-1) ...
Setting up net-tools (1.60+git20180626.aebd88e-1) ...

root@5dee9be9afdb:/# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
       inet 172.17.0.2 netmask 255.255.0.0 broadcast 172.17.255.255
       ether 02:42:ac:11:00:02 txqueuelen 0 (Ethernet)
       RX packets 1926 bytes 8680620 (8.2 MiB)
       RX errors 0 dropped 0 overruns 0 frame 0
       TX packets 1466 bytes 80919 (79.0 KiB)
       TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
       inet 127.0.0.1 netmask 255.0.0.0
       loop txqueuelen 1000 (Local Loopback)
       RX packets 0 bytes 0 (0.0 B)
       RX errors 0 dropped 0 overruns 0 frame 0
       TX packets 0 bytes 0 (0.0 B)
       TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
       
root@5dee9be9afdb:/# exit
exit
[root@ubuntu1804 ~]#iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 9 packets, 563 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination
   71  4548 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:80
Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8888 to:172.17.0.2:80

[root@ubuntu1804 ~]#ss -ntlp
State     Recv-Q     Send-Q         Local Address:Port         Peer Address:Port
LISTEN    0          64                    0.0.0.0:2049               0.0.0.0:*
LISTEN    0          128                   0.0.0.0:43045              0.0.0.0:*        users:(("rpc.mountd",pid=788,fd=17))
LISTEN    0          64                    0.0.0.0:38599              0.0.0.0:*
LISTEN    0          128                   0.0.0.0:111                0.0.0.0:*        users:(("rpcbind",pid=725,fd=8))
LISTEN    0          128                   0.0.0.0:38805              0.0.0.0:*        users:(("rpc.mountd",pid=788,fd=13))
LISTEN    0          128             127.0.0.53%lo:53                 0.0.0.0:*        users:(("systemd-resolve",pid=785,fd=13))
LISTEN    0          128                   0.0.0.0:22                 0.0.0.0:*        users:(("sshd",pid=863,fd=3))
LISTEN    0          128                 127.0.0.1:6010               0.0.0.0:*        users:(("sshd",pid=913,fd=9))
LISTEN    0          128                 127.0.0.1:6011               0.0.0.0:*        users:(("sshd",pid=913,fd=14))
LISTEN    0          128                   0.0.0.0:43775              0.0.0.0:*        users:(("rpc.mountd",pid=788,fd=9))
LISTEN    0          64                       [::]:33633                 [::]:*
LISTEN    0          64                       [::]:2049                  [::]:*
LISTEN    0          128                      [::]:55659                 [::]:*        users:(("rpc.mountd",pid=788,fd=15))
LISTEN    0          128                      [::]:111                   [::]:*        users:(("rpcbind",pid=725,fd=11))
LISTEN    0          128                      [::]:44917                 [::]:*        users:(("rpc.mountd",pid=788,fd=11))
LISTEN    0          128                      [::]:22                    [::]:*        users:(("sshd",pid=863,fd=4))
LISTEN    0          128                         *:8888                     *:*        users:(("docker-proxy",pid=15249,fd=4))
LISTEN    0          128                      [::]:41529                 [::]:*        users:(("rpc.mountd",pid=788,fd=19))
LISTEN    0          128                     [::1]:6010                  [::]:*        users:(("sshd",pid=913,fd=8))
LISTEN    0          128                     [::1]:6011                  [::]:*        users:(("sshd",pid=913,fd=11))

[root@ubuntu1804 ~]#
[root@ubuntu1804 ~]#apt install bridge-utils -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  ifupdown
The following NEW packages will be installed:
  bridge-utils
0 upgraded, 1 newly installed, 0 to remove and 225 not upgraded.
Need to get 30.1 kB of archives.
After this operation, 102 kB of additional disk space will be used.
Get:1 http://mirrors.aliyun.com/ubuntu bionic/main amd64 bridge-utils amd64 1.5-15ubuntu1 [30.1 kB]
Fetched 30.1 kB in 0s (259 kB/s)
Selecting previously unselected package bridge-utils.
(Reading database ... 71346 files and directories currently installed.)
Preparing to unpack .../bridge-utils_1.5-15ubuntu1_amd64.deb ...
Unpacking bridge-utils (1.5-15ubuntu1) ...
Setting up bridge-utils (1.5-15ubuntu1) ...
Processing triggers for man-db (2.8.3-2) ...
[root@ubuntu1804 ~]#brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.02429c901799       no              veth9e4fb80
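The `iptables -vnL -t nat` output above is what tells you which container ports Docker has actually published on the host. The following is an added example (not part of the original tutorial) that parses that output's DOCKER chain into port mappings and flags the ones bound to every interface; the sample text is constructed from the page's rules plus one assumed loopback-only mapping (the 127.0.0.1 rule on port 5432).

```python
"""Parse the DOCKER chain of `iptables -vnL -t nat` and list the container
ports Docker publishes on the host (the DNAT rules from the NET namespace
section). A rule whose destination is 0.0.0.0/0 is reachable from every
host interface, not only from localhost."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the page's output. The second DNAT rule
# (port 5432 bound to 127.0.0.1) is assumed, to show the loopback-only
# mapping that `docker run -p 127.0.0.1:5432:5432 ...` would produce.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 9 packets, 563 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination
   71  4548 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:80
Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8888 to:172.17.0.2:80
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            127.0.0.1            tcp dpt:5432 to:172.17.0.3:5432
"""


@dataclass(frozen=True)
class PublishedPort:
    host_addr: str        # "destination" column; 0.0.0.0/0 means every interface
    host_port: int
    proto: str
    container_ip: str
    container_port: int

    @property
    def exposed_externally(self) -> bool:
        return self.host_addr in ("0.0.0.0/0", "::/0")


# pkts bytes DNAT proto -- in out source destination ... dpt:<hport> to:<ip>:<port>
DNAT_RE = re.compile(
    r"^\s*\d+\s+\d+\s+DNAT\s+(?P<proto>tcp|udp)\s+--\s+\S+\s+\S+\s+\S+\s+(?P<dst>\S+)"
    r"\s+.*?dpt:(?P<hport>\d+)\s+to:(?P<cip>[\d.]+):(?P<cport>\d+)"
)


def parse_docker_dnat(text: str) -> List[PublishedPort]:
    """Return the port mappings found in the DOCKER chain, in rule order."""
    ports: List[PublishedPort] = []
    in_docker = False
    for line in text.splitlines():
        if line.startswith("Chain "):
            # Only the chain literally named DOCKER (not DOCKER-USER and friends)
            in_docker = line.startswith("Chain DOCKER ")
            continue
        if not in_docker:
            continue
        m = DNAT_RE.match(line)
        if m:
            ports.append(PublishedPort(m["dst"], int(m["hport"]), m["proto"],
                                       m["cip"], int(m["cport"])))
    return ports


def externally_reachable(text: str) -> List[PublishedPort]:
    """Mappings bound to all interfaces, i.e. exposed beyond the host itself."""
    return [p for p in parse_docker_dnat(text) if p.exposed_externally]


if __name__ == "__main__":
    for p in parse_docker_dnat(SAMPLE_NAT):
        scope = "ALL INTERFACES" if p.exposed_externally else p.host_addr
        print(f"{p.proto}/{p.host_port} ({scope}) -> {p.container_ip}:{p.container_port}")
```

On a real host, feed it the output of `iptables -vnL -t nat` instead of the sample; the result lists the same mappings `docker ps` shows, but taken from the kernel's actual NAT rules.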

1.1.5.6 User Namespace

Different containers may contain users and groups with the same names, or the same UID or GID, so how is the user space of each container isolated?

The User Namespace allows the same user name and the same UID and GID to be created inside each container on a host; it simply limits the user's scope to its own container. That is, container A and container B can each have an account with the same user name and ID, but that user is valid only within its own container and cannot access the other container's file system: mutually isolated, unaffected by each other, never meeting.

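The six namespace sections above describe the isolation a container is supposed to have. An added example (not from the original tutorial) that checks it: compare a process's /proc/<pid>/ns/* links with those of PID 1, so that any namespace still shared with the host (for instance after `--net=host` or `--pid=host`) shows up. The fixture directory and PID 4242 are constructed for the demonstration.

```python
"""Check which Linux namespaces a process shares with PID 1 on the host by
comparing the /proc/<pid>/ns/* links. A container process normally has its
own mnt, uts, ipc, pid and net namespace; any of them that matches PID 1
means that isolation boundary has been dropped."""
import os
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

# Namespace kinds covered on the page. "user" is included because Docker
# leaves the user namespace shared with the host unless userns-remap is configured.
NS_KINDS = ("mnt", "uts", "ipc", "pid", "net", "user")


def read_namespaces(proc_root: Path, pid: int) -> Dict[str, str]:
    """Return {kind: "mnt:[4026531840]"} for each namespace link of pid."""
    found: Dict[str, str] = {}
    for kind in NS_KINDS:
        link = proc_root / str(pid) / "ns" / kind
        if link.is_symlink():            # dangling links are fine: only the target matters
            found[kind] = os.readlink(link)
    return found


def shared_with_host(proc_root: Path, pid: int) -> Dict[str, bool]:
    """True for every namespace kind in which pid sits together with PID 1."""
    host = read_namespaces(proc_root, 1)
    target = read_namespaces(proc_root, pid)
    return {kind: target[kind] == host.get(kind) for kind in target}


def dropped_isolation(proc_root: Path, pid: int) -> List[str]:
    """Namespaces a container is expected to own but actually shares with the host."""
    expected_private = ("mnt", "uts", "ipc", "pid", "net")
    shared = shared_with_host(proc_root, pid)
    return [k for k in expected_private if shared.get(k)]


def build_fake_proc(root: Path, table: Dict[int, Dict[str, str]]) -> None:
    """Constructed /proc-style tree: one ns/ directory of symlinks per PID."""
    for pid, links in table.items():
        ns_dir = root / str(pid) / "ns"
        ns_dir.mkdir(parents=True, exist_ok=True)
        for kind, target in links.items():
            os.symlink(target, ns_dir / kind)


def demo_fake_proc() -> Path:
    """Constructed fixture: PID 1 is the host init; PID 4242 is a container
    process with private mnt/uts/ipc/pid namespaces but the host's net and
    user namespace (what `docker run --net=host` produces)."""
    root = Path(tempfile.mkdtemp(prefix="fakeproc-"))
    host = {k: f"{k}:[40265318{i:02d}]" for i, k in enumerate(NS_KINDS)}
    container = dict(host)
    for k in ("mnt", "uts", "ipc", "pid"):
        container[k] = f"{k}:[40265329{NS_KINDS.index(k):02d}]"
    build_fake_proc(root, {1: host, 4242: container})
    return root


if __name__ == "__main__":
    # With a PID argument, inspect the real /proc (Linux only); otherwise use the fixture.
    if len(sys.argv) > 1:
        root, pid = Path("/proc"), int(sys.argv[1])
    else:
        root, pid = demo_fake_proc(), 4242
    for kind, same in shared_with_host(root, pid).items():
        print(f"{kind:5s} {'SHARED with host' if same else 'private'}")
    print("isolation dropped for:", dropped_isolation(root, pid) or "none")
```

To check a real container, pass the host PID of its main process (the one `pstree -p` shows under containerd-shim) as the argument.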

1.1.6 Control groups

Linux Cgroups is short for Linux Control Groups, a feature of the Linux kernel. It was started in 2006 by Google engineers (mainly Paul Menage and Rohit Seth) under the original name process containers. In 2007, because the term container already had many different meanings in the Linux kernel, it was renamed cgroup to avoid confusion and merged into kernel 2.6.24. Many features have been added since.

If no resource limits are placed on a container, the host lets it use an unlimited amount of memory; sometimes a bug makes a program keep requesting memory until the host's memory is exhausted. To avoid such problems, the host needs to impose resource allocation limits on containers, for example on CPU and memory.

The main purpose of cgroups is to cap the resources a group of processes can use, including CPU, memory, disk, network bandwidth and so on. In addition, they can set process priorities, account for resource usage, and control processes (for example suspending and resuming them).

1.1.6.1 Verifying cgroups on the system

cgroups are enabled by default at the kernel level. Comparing different versions of CentOS and Ubuntu, newer kernels clearly support more features.

CentOS 8.1 cgroups:

[root@centos8 ~]#cat /etc/redhat-release 
CentOS Linux release 8.1.1911 (Core)

[root@centos8 ~]#grep CGROUP /boot/config-4.18.0-147.el8.x86_64 
CONFIG_CGROUPS=y
CONFIG_BLK_CGROUP=y
# CONFIG_DEBUG_BLK_CGROUP is not set
CONFIG_CGROUP_WRITEBACK=y
CONFIG_CGROUP_SCHED=y
CONFIG_CGROUP_PIDS=y
CONFIG_CGROUP_RDMA=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_HUGETLB=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_CGROUP_PERF=y
CONFIG_CGROUP_BPF=y
# CONFIG_CGROUP_DEBUG is not set
CONFIG_SOCK_CGROUP_DATA=y
# CONFIG_BLK_CGROUP_IOLATENCY is not set
CONFIG_NETFILTER_XT_MATCH_CGROUP=m
CONFIG_NET_CLS_CGROUP=y
CONFIG_CGROUP_NET_PRIO=y
CONFIG_CGROUP_NET_CLASSID=y
[root@centos8 ~]#

CentOS 7.6 cgroups:

[root@centos7 ~]#cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core) 
[root@centos7 ~]#grep CGROUP /boot/config-3.10.0-957.el7.x86_64 
CONFIG_CGROUPS=y
# CONFIG_CGROUP_DEBUG is not set
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_PIDS=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_CGROUP_HUGETLB=y
CONFIG_CGROUP_PERF=y
CONFIG_CGROUP_SCHED=y
CONFIG_BLK_CGROUP=y
# CONFIG_DEBUG_BLK_CGROUP is not set
CONFIG_NETFILTER_XT_MATCH_CGROUP=m
CONFIG_NET_CLS_CGROUP=y
CONFIG_NETPRIO_CGROUP=y

Ubuntu cgroups:

[root@ubuntu1804 ~]#grep CGROUP /boot/config-4.15.0-29-generic 
CONFIG_CGROUPS=y
CONFIG_BLK_CGROUP=y
# CONFIG_DEBUG_BLK_CGROUP is not set
CONFIG_CGROUP_WRITEBACK=y
CONFIG_CGROUP_SCHED=y
CONFIG_CGROUP_PIDS=y
CONFIG_CGROUP_RDMA=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_HUGETLB=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_CGROUP_PERF=y
CONFIG_CGROUP_BPF=y
# CONFIG_CGROUP_DEBUG is not set
CONFIG_SOCK_CGROUP_DATA=y
CONFIG_NETFILTER_XT_MATCH_CGROUP=m
CONFIG_NET_CLS_CGROUP=m
CONFIG_CGROUP_NET_PRIO=y
CONFIG_CGROUP_NET_CLASSID=y

The memory module in cgroups:

[root@ubuntu1804 ~]#grep MEMCG /boot/config-4.15.0-29-generic
CONFIG_MEMCG=y
CONFIG_MEMCG_SWAP=y
# CONFIG_MEMCG_SWAP_ENABLED is not set
CONFIG_SLUB_MEMCG_SYSFS_ON=y

1.1.6.2 cgroups subsystems

  • blkio: limits block device I/O
  • cpu: uses the scheduler to give cgroup tasks access to the CPU
  • cpuacct: produces CPU resource reports for cgroup tasks
  • cpuset: on multi-core CPUs, this subsystem assigns separate CPUs and memory to cgroup tasks
  • devices: allows or denies cgroup tasks access to devices
  • freezer: suspends and resumes cgroup tasks
  • memory: sets a memory limit for each cgroup and produces memory resource reports
  • net_cls: tags each network packet so that the cgroup can be identified
  • ns: the namespace subsystem
  • perf_event: adds per-group monitoring and tracing, so that all threads belonging to a particular group, and threads running on a particular CPU, can be monitored

1.1.6.3 Viewing the system's cgroups

[root@ubuntu1804 ~]#ll /sys/fs/cgroup/
total 0
drwxr-xr-x 15 root root 380 Jan 22 16:20 ./
drwxr-xr-x 10 root root   0 Jan 22 16:20 ../
dr-xr-xr-x  5 root root   0 Jan 22 16:20 blkio/
lrwxrwxrwx  1 root root  11 Jan 22 16:20 cpu -> cpu,cpuacct/
lrwxrwxrwx  1 root root  11 Jan 22 16:20 cpuacct -> cpu,cpuacct/
dr-xr-xr-x  5 root root   0 Jan 22 16:20 cpu,cpuacct/
dr-xr-xr-x  3 root root   0 Jan 22 16:20 cpuset/
dr-xr-xr-x  5 root root   0 Jan 22 16:20 devices/
dr-xr-xr-x  3 root root   0 Jan 22 16:20 freezer/
dr-xr-xr-x  3 root root   0 Jan 22 16:20 hugetlb/
dr-xr-xr-x  5 root root   0 Jan 22 16:20 memory/
lrwxrwxrwx  1 root root  16 Jan 22 16:20 net_cls -> net_cls,net_prio/
dr-xr-xr-x  3 root root   0 Jan 22 16:20 net_cls,net_prio/
lrwxrwxrwx  1 root root  16 Jan 22 16:20 net_prio -> net_cls,net_prio/
dr-xr-xr-x  3 root root   0 Jan 22 16:20 perf_event/
dr-xr-xr-x  5 root root   0 Jan 22 16:20 pids/
dr-xr-xr-x  2 root root   0 Jan 22 16:20 rdma/
dr-xr-xr-x  6 root root   0 Jan 22 16:20 systemd/
dr-xr-xr-x  5 root root   0 Jan 22 16:20 unified/

[root@ubuntu1804 ~]#cat /sys/fs/cgroup/cpu/docker/5dee9be9afdbab8c2f6c4c5eb0f956c9579efe93110daf638f8fd15f43d961e2/cpuacct.usage
4751336886

[root@ubuntu1804 ~]#cat /sys/fs/cgroup/memory/docker/5dee9be9afdbab8c2f6c4c5eb0f956c9579efe93110daf638f8fd15f43d961e2/memory.limit_in_bytes
9223372036854771712
[root@ubuntu1804 ~]#cat /sys/fs/cgroup/memory/docker/5dee9be9afdbab8c2f6c4c5eb0f956c9579efe93110daf638f8fd15f43d961e2/memory.max_usage_in_bytes
79278080
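The memory.limit_in_bytes value 9223372036854771712 shown above is what cgroup v1 reports when no memory cap is set, so the container could consume all of the host's memory, exactly the situation section 1.1.6 warns about. An added example (not from the original tutorial) that reads the same cgroup files and reports, per container, whether a cap is in place; it runs against a constructed replica of /sys/fs/cgroup containing the page's values and one capped container with an assumed id.

```python
"""Audit the cgroup v1 files Docker creates per container (the page's
/sys/fs/cgroup/{cpu,memory}/docker/<id>/ paths). A memory.limit_in_bytes
at or above the "no limit" sentinel means `docker run -m` was not applied."""
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Value the page shows for a container started without -m/--memory.
CGROUP_V1_NO_LIMIT = 9223372036854771712


def read_int(path: Path) -> Optional[int]:
    """Read a single-integer cgroup file; None if missing or unreadable."""
    try:
        return int(path.read_text().strip())
    except (OSError, ValueError):
        return None


def container_cgroup_report(cgroup_root: Path, container_id: str) -> Dict[str, object]:
    """Memory limit/peak and accumulated CPU time for one container's cgroup."""
    mem = cgroup_root / "memory" / "docker" / container_id
    cpu = cgroup_root / "cpu" / "docker" / container_id
    limit = read_int(mem / "memory.limit_in_bytes")
    peak = read_int(mem / "memory.max_usage_in_bytes")
    cpu_ns = read_int(cpu / "cpuacct.usage")        # nanoseconds of CPU time
    unlimited = limit is None or limit >= CGROUP_V1_NO_LIMIT
    return {
        "memory_unlimited": unlimited,
        "memory_limit_bytes": None if unlimited else limit,
        "memory_peak_bytes": peak,
        "memory_peak_ratio": None if unlimited or peak is None else peak / limit,
        "cpu_seconds": None if cpu_ns is None else cpu_ns / 1e9,
    }


def unlimited_containers(cgroup_root: Path) -> List[str]:
    """IDs of every container under memory/docker/ that has no memory cap."""
    docker_dir = cgroup_root / "memory" / "docker"
    if not docker_dir.is_dir():
        return []
    return sorted(d.name for d in docker_dir.iterdir()
                  if d.is_dir() and container_cgroup_report(cgroup_root, d.name)["memory_unlimited"])


def demo_cgroup_tree() -> Path:
    """Constructed replica of /sys/fs/cgroup with two containers: the page's
    values (no limit) and one capped at 512 MiB under an assumed id."""
    root = Path(tempfile.mkdtemp(prefix="fakecgroup-"))
    fixtures = {
        "5dee9be9afdb": {"memory.limit_in_bytes": CGROUP_V1_NO_LIMIT,
                         "memory.max_usage_in_bytes": 79278080,
                         "cpuacct.usage": 4751336886},
        "c4bbed000001": {"memory.limit_in_bytes": 512 * 1024 * 1024,
                         "memory.max_usage_in_bytes": 384 * 1024 * 1024,
                         "cpuacct.usage": 1_500_000_000},
    }
    for cid, files in fixtures.items():
        for name, value in files.items():
            subsystem = "cpu" if name.startswith("cpuacct") else "memory"
            path = root / subsystem / "docker" / cid / name
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(f"{value}\n")
    return root


if __name__ == "__main__":
    root = demo_cgroup_tree()          # replace with Path("/sys/fs/cgroup") on a cgroup v1 host
    for cid in ("5dee9be9afdb", "c4bbed000001"):
        print(cid, container_cgroup_report(root, cid))
    print("no memory cap:", unlimited_containers(root))
```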

1.1.7 Container management tools

With chroot, namespaces and cgroups, the basic container runtime environment is in place, but tools are still needed to create and delete containers, to get containers running, to handle container data, and to start and stop them. Container management technology appeared to solve these problems. Today Docker is the main tool; LXC was used early on.

1.1.7.1 LXC

LXC: Linux Container. It provides lightweight virtualisation to isolate processes and resources, and includes a series of container management tools such as lxc-create, lxc-start and lxc-attach, but the technology is incomplete and is now rarely used.

Official website: https://linuxcontainers.org/

Case: installing and using LXC on Ubuntu

[root@ubuntu1804 ~]#apt install lxc lxd
Reading package lists... Done
Building dependency tree   
Reading state information... Done
lxd is already the newest version (3.0.3-0ubuntu1~18.04.1).
lxc is already the newest version (3.0.3-0ubuntu1~18.04.1).
......
[root@ubuntu1804 ~]#lxc-checkconfig   # check the kernel's support for LXC; every item must be enabled
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-4.15.0-29-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
......
[root@ubuntu1804 ~]#lxc-create -t download --name alpine1 -- --dist alpine --release 3.9 --arch amd64
Setting up the GPG keyring
Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs
---
You just created an Alpinelinux 3.9 x86_64 (20200121_13:00) container.
[root@ubuntu1804 ~]#lxc-start alpine1    # start the LXC container
[root@ubuntu1804 ~]#lxc-attach alpine1   # enter the LXC container
~ # ifconfig
eth0     Link encap:Ethernet HWaddr 00:16:3E:DF:9E:45  
         inet addr:10.0.1.51 Bcast:10.0.1.255 Mask:255.255.255.0
         inet6 addr: fe80::216:3eff:fedf:9e45/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
         RX packets:23 errors:0 dropped:0 overruns:0 frame:0
         TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000 
         RX bytes:2484 (2.4 KiB) TX bytes:1726 (1.6 KiB)
lo       Link encap:Local Loopback  
         inet addr:127.0.0.1 Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING MTU:65536 Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000 
         RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
~ # uname -r
4.15.0-29-generic
~ # uname -a
Linux alpine12 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 
x86_64 Linux
~ # cat /etc/issue 
Welcome to Alpine Linux 9
Kernel \r on an \m (\l)
~ # exit
[root@ubuntu1804 ~]#

Command options:

-t template: the template is a prototype describing what kind of container is wanted (for example whether it should contain vim, apache and so on). A template is really a script file (under /usr/share/lxc/templates). Specifying the download template (lxc-create then calls the lxc-download script in that directory) means we have no template of our own and want to fetch an official one
--name name: the name given to the container being created
--: marks the arguments that follow as being passed to the download script, telling it which template to fetch
--dist distribution: the operating system distribution
--release release: the release of the distribution, which can be any Linux variant
--arch architecture: the architecture, x86 or arm, 32-bit or 64-bit

Starting an lxc container depends on a template (the Tsinghua mirror of the templates is at https://mirrors.tuna.tsinghua.edu.cn/help/lxc-images/). Building a template is relatively hard: the file system, base directories and executables have to be assembled by hand step by step; in large-scale container deployments it is difficult to scale horizontally; and every later code upgrade requires the template to be rebuilt from scratch. For all these reasons Docker appeared.

1.1.7.2 Docker

Docker is essentially an enhanced LXC: more powerful, easier to use, and currently the mainstream container front-end management tool.

Like LXC, Docker needs an external template to start a container, called an image. Docker images can be kept in a shared public place and only have to be downloaded to be usable. Most importantly, an image can be customised and the result committed as a new image, and one image can be started as many containers.


Docker images are layered. The lower layers of an image hold library files and are read-only: data in them can neither be written nor deleted. When an image is started as a container, a writable layer is created on top; data written to it is copied into the host directory belonging to that container, but it is deleted together with the container when the container is removed.

1.1.7.3 Pouch

Project site: https://github.com/alibaba/pouch. Pouch originated in 2011, and on the morning of 19 November 2017, at the China Open Source Conference, Alibaba open-sourced its container technology Pouch under the Apache 2.0 licence. Pouch is a lightweight container technology that is fast and efficient, highly portable and low on resource consumption; it mainly helps Alibaba deliver internal business faster and raises physical resource utilisation in very large data centres.

Most current container solutions build isolation on the cgroup and namespace facilities of the Linux kernel, and such lightweight schemes have drawbacks:

  • containers share one kernel with each other and with the host
  • the resources the kernel isolates do not cover enough dimensions

Given this state of the kernel, Alibaba took three lines of work to address container security:

  • strengthen isolation in user space along further dimensions, such as network bandwidth and disk usage
  • submit patches to the kernel fixing resource visibility problems in containers and cgroup bugs
  • implement hypervisor-based containers, isolating each container by creating a new kernel

1.1.7.4 Podman


Docker is currently the best tool for managing Linux containers, without exception, but the arrival of Podman is about to change that.

What is Podman?

Podman stands for Pod Manager tool; the name shows its close relationship to Kubernetes pods. As for its functionality, in short: alias docker = podman. It is newly integrated in CentOS 8 and may replace Docker in the near future.

Podman is an open-source container management tool born for Kubernetes. It was originally part of the CRI-O project (CRI being the Container Runtime Interface and OCI the Open Container Initiative) and was later split out into a separate project called libpod. It is available on most Linux platforms. It is a daemonless container engine for developing, managing and running any Open Container Initiative (OCI) compliant containers and container images on Linux systems.

Podman provides a Docker-compatible command-line front end: 87% of Podman's commands are the same as the Docker CLI, so the Docker CLI can simply be aliased with "alias docker = podman". In fact some of the libraries Podman uses are also part of Docker.

CRI-O is an implementation of the Kubernetes CRI (Container Runtime Interface) to enable using OCI (Open Container Initiative) compatible runtimes

Official site: https://podman.io/

Project site: https://github.com/containers/libpod

Differences between Podman and Docker

  • Docker needs a daemon (docker daemon) running on the system, which adds some overhead; Podman does not
  • Containers are started differently: the docker CLI talks to the Docker Engine over its API, telling it to create a container, and only then does the Docker Engine call the OCI container runtime (runc) to start it. The container process is therefore a child process of the Docker Engine, not of the Docker CLI. Podman interacts with the OCI container runtime (runc) directly to create the container, so the container process is a direct child process of podman.
  • Because Docker has a daemon, containers started by Docker support --restart policies; Podman does not
  • Docker needs the root user to create containers, which can be a security risk, especially once users know about the --privileged option of docker run. Podman can be run by root or by an unprivileged user
  • Running Docker as a daemon on Linux stifled innovation in the container community: changing how containers work meant changing the Docker daemon and pushing those changes upstream. Without a daemon the container infrastructure is more modular and easier to change. Podman's daemonless architecture is more flexible and more secure.

1.1.8 Advantages of Docker

  • Fast deployment: hundreds or thousands of applications can be deployed in a short time and delivered to production faster
  • Efficient virtualization: no extra hypervisor is needed; application virtualization is built on the Linux kernel, with far better performance and efficiency than virtual machines
  • Cost savings: higher server utilisation and lower IT spending
  • Simplified configuration: the runtime environment is packaged into the container and simply started when needed
  • Uniform environments: the development, test and production environments are standardised and unified, reducing the problems caused by environment differences
  • Fast migration and scaling: runs across platforms on physical machines, virtual machines and public clouds; good compatibility makes it easy to move an application from host A to host B, or even from platform A to platform B
  • Better support for service-oriented architecture: running one application per container is recommended, giving a distributed application model that scales horizontally easily, meets the high-cohesion, low-coupling requirement of development and reduces interference between services

1.1.9 Disadvantages of Docker

  • Multiple containers share the host kernel, so isolation between applications is less complete than with virtual machines
  • Because processes are also isolated from the host, inspecting and debugging processes and other resources inside a container requires entering the container, which is harder and more tedious
  • If processes inside containers need to be inspected and debugged, the corresponding tools must be installed in every container, which wastes storage through duplication

1.1.10 Core container technologies

1.1.10.1 Container specifications


OCI website: https://opencontainers.org/

Besides Docker there are other container technologies such as CoreOS's rkt and Alibaba's Pouch. To keep the container ecosystem standard, healthy and sustainable, the Linux Foundation, Docker, Microsoft, Red Hat, Google, IBM and other companies jointly founded the Open Container Initiative (OCI) in June 2015 to define open container standards. The OCI has published two specifications so far, the runtime spec and the image format spec. With these two specifications, containers developed by different companies are portable and interoperable as long as they comply with them.

1.1.10.2 Container runtime

The runtime is where containers actually run. To run different containers, the runtime needs to cooperate closely with the operating system kernel, which must support it, so as to provide containers with their execution environment.

Runtime types:

  • LXC: the early runtime on Linux. When Docker was first released in 2013 it used LXC as its runtime, simplifying LXC's complex container creation and usage into Docker's own set of commands. As Docker evolved, LXC could no longer meet its needs, for example cross-platform support
  • Libcontainer: as Docker continued to develop it redefined the container implementation standard and abstracted the low-level implementation behind the Libcontainer interface. The underlying container implementation thereby became pluggable: whether namespaces and cgroups, systemd or some other mechanism, Docker can run anything that implements the set of interfaces Libcontainer defines. This also made full cross-platform support possible for Docker.
  • runc: libcontainer was at first an open-source project controlled by Docker Inc. After the OCI was founded, Docker handed libcontainer over to the OCI, and runc evolved from it. runc is Docker's default runtime today and follows the OCI specification
  • rkt: the container runtime developed by CoreOS, also OCI-compliant, so the rkt runtime can run Docker containers as well

Example: checking Docker's runtime

[root@ubuntu1804 ~]#docker info 
Client:
 Debug Mode: false
Server:
 Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
 Images: 1
 Server Version: 19.03.5
 Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc         #Runtimes
 Default Runtime: runc  #runtime
 Init Binary: docker-init
 containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
 runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
 init version: fec3683
 Security Options:
 apparmor
 seccomp
   Profile: default
 Kernel Version: 4.15.0-29-generic
 Operating System: Ubuntu 18.04.1 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 962MiB
 Name: ubuntu1804.test.org
 ID: G2JQ:M4DG:CW74:EETR:GU5U:OROC:ZN2F:RKSA:YQY2:XJYX:OHG7:SSVE
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
WARNING: No swap limit support
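
As an added example (not from the original tutorial), the following Python parses the indented key: value tree that docker info prints and audits the security-relevant fields a practitioner looks at in output like the above: Security Options, Default Runtime, Insecure Registries, Experimental, Live Restore and the trailing WARNING lines. The sample input is constructed from the output above with docker info's real nesting restored; the 172.18.200.101 insecure-registry entry is added only to exercise the check.

```python
from typing import Any, Dict, List

# Constructed sample: the `docker info` output shown above, with the nesting that
# docker info really prints (one space per level). The 172.18.200.101 entry under
# "Insecure Registries" is added here to exercise the audit; the page's own host
# only lists 127.0.0.0/8.
SAMPLE_INFO = """\
Client:
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 1
 Server Version: 19.03.5
 Storage Driver: overlay2
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.15.0-29-generic
 Docker Root Dir: /var/lib/docker
 Registry: https://index.docker.io/v1/
 Experimental: false
 Insecure Registries:
  172.18.200.101
  127.0.0.0/8
 Live Restore Enabled: false
WARNING: No swap limit support
"""


def parse_docker_info(text: str) -> Dict[str, Any]:
    """Turn docker info's indented 'Key: value' tree into nested dicts.

    A line ending in ':' opens a nested section; 'Key: value' stores a string;
    a bare word (a list item such as 'seccomp') is stored as True. WARNING
    lines are collected separately under '_warnings'.
    """
    root: Dict[str, Any] = {"_warnings": []}
    stack = [(-1, root)]  # (indent, node) from the root down to the current section
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("WARNING:"):
            root["_warnings"].append(raw[len("WARNING:"):].strip())
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        while stack[-1][0] >= indent:  # leave sections indented as deep or deeper
            stack.pop()
        parent = stack[-1][1]
        if line.endswith(":"):
            node: Dict[str, Any] = {}
            parent[line[:-1]] = node
            stack.append((indent, node))
        elif ": " in line:
            key, value = line.split(": ", 1)
            parent[key] = value
        else:
            parent[line] = True
    return root


def audit_docker_info(info: Dict[str, Any]) -> List[str]:
    """Return one finding per daemon setting that weakens container isolation."""
    server = info.get("Server", {})
    findings: List[str] = []
    sec = server.get("Security Options", {})
    if "seccomp" not in sec:
        findings.append("seccomp: no syscall filter is applied to containers")
    if not ({"apparmor", "selinux"} & set(sec)):
        findings.append("mac: neither AppArmor nor SELinux confines containers")
    runtime = server.get("Default Runtime", "")
    if runtime != "runc":
        findings.append(f"runtime: default runtime is {runtime!r}, not runc")
    # Entries other than loopback mean the daemon accepts plain HTTP or
    # unverified TLS when pulling from those registries.
    insecure = [r for r in server.get("Insecure Registries", {}) if not r.startswith("127.")]
    if insecure:
        findings.append("registry: insecure registries allowed: " + ", ".join(insecure))
    if server.get("Experimental") == "true":
        findings.append("experimental: experimental daemon features are enabled")
    if server.get("Live Restore Enabled") != "true":
        findings.append("live-restore: disabled, so a daemon restart stops every container")
    for warning in info.get("_warnings", []):
        findings.append("warning: " + warning)  # e.g. swap limits cannot be enforced
    return findings


if __name__ == "__main__":
    for finding in audit_docker_info(parse_docker_info(SAMPLE_INFO)):
        print(finding)
```

On a real host the same functions can be fed the output of `docker info` captured with subprocess; the parser only relies on the one-space-per-level indentation docker info prints.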

1.1.10.3 Container management tools

A management tool connects the runtime with the user, offering a graphical or command-line interface and passing the user's operations to the runtime for execution.

  • lxc is the management tool for lxd
  • runc's management tool is the docker engine, which consists of a background daemon and a CLI; "Docker" as commonly used refers to the docker engine
  • rkt's management tool is the rkt CLI

Example: checking the docker engine

[root@ubuntu1804 ~]#docker version
Client: Docker Engine - Community
 Version:           19.03.5
 API version:       1.40
 Go version:       go1.12.12
 Git commit:       633a0ea838
 Built:             Wed Nov 13 07:29:52 2019
 OS/Arch:           linux/amd64
 Experimental:      false
Server: Docker Engine - Community
 Engine:
 Version:          19.03.5
 API version:      1.40 (minimum version 1.12)
 Go version:       go1.12.12
 Git commit:       633a0ea838
 Built:           Wed Nov 13 07:28:22 2019
 OS/Arch:         linux/amd64
 Experimental:     false
 containerd:
 Version:          1.2.10
 GitCommit:       b34a5c8af56e510852c35414db4c1f4fa6172339
 runc:
 Version:          1.0.0-rc8+dev
 GitCommit:       3e425f80a8c931f88e6d94a8c831b9d5aa481657
 docker-init:
 Version:          0.18.0
 GitCommit:       fec3683
[root@ubuntu1804 ~]#

1.1.10.4 Container definition tools

Container definition tools let users define the attributes and contents of a container so that it can be saved, shared and rebuilt.

Docker image: the template for a Docker container; the runtime creates containers from a Docker image

Dockerfile: a text file containing a series of instructions, from which a Docker image is built

ACI (App Container Image): similar to a Docker image; the image format of CoreOS's rkt containers

1.1.10.5 Image registry

A place that centrally stores images, including many versions of each image, is called an image registry

  • Docker Hub: Docker's official public registry, which already holds a large number of commonly used images ready to use; Alibaba Cloud, NetEase and others run third-party public mirrors
  • Image registry: the private registry deployment tool provided by Docker; it has no web management interface and is rarely used today
  • Harbor: a private image registry from VMware with its own web interface and built-in authentication, used by many companies

Example: image address formats

docker.io/library/alpine
harbor.hopu.org/project/centos:7.2.1511
registry.cn-hangzhou.aliyuncs.com/testuser/test:v1
172.18.200.101/project/centos:latest
172.18.200.101/project/java-7.0.59:v1
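
As an added example, not part of the original tutorial: a Python parser that normalises image references in the formats listed above (registry/namespace/repository:tag, with an optional @sha256 digest) following Docker's defaulting rules, plus a small policy check a deployment gate might apply before pulling: a registry allow-list, digest pinning, and rejection of the mutable latest tag. The allow-list and the sample references are constructed here.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Defaults Docker applies when a reference omits a part ("alpine" means
# docker.io/library/alpine:latest).
DEFAULT_REGISTRY = "docker.io"
DEFAULT_NAMESPACE = "library"
DEFAULT_TAG = "latest"

_TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")
_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str          # e.g. "library/alpine" or "project/centos"
    tag: Optional[str]
    digest: Optional[str]

    def canonical(self) -> str:
        """Fully qualified form with every default filled in."""
        out = f"{self.registry}/{self.repository}"
        if self.tag:
            out += f":{self.tag}"
        if self.digest:
            out += f"@{self.digest}"
        return out


def _is_registry(component: str) -> bool:
    # Docker's rule: the first path component is a registry host only when it
    # contains a '.' or ':' (hostname or host:port) or is exactly "localhost";
    # otherwise it is a namespace on docker.io ("testuser/test").
    return "." in component or ":" in component or component == "localhost"


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest."""
    digest: Optional[str] = None
    if "@" in ref:
        ref, digest = ref.rsplit("@", 1)
        if not _DIGEST_RE.fullmatch(digest):
            raise ValueError(f"malformed digest: {digest!r}")
    parts = ref.split("/")
    if len(parts) > 1 and _is_registry(parts[0]):
        registry, parts = parts[0], parts[1:]
    else:
        registry = DEFAULT_REGISTRY
    # A tag can only sit on the last path component ("centos:7.2.1511");
    # a ':' in the first component belongs to a registry port instead.
    tag: Optional[str] = None
    if ":" in parts[-1]:
        parts[-1], tag = parts[-1].rsplit(":", 1)
        if not _TAG_RE.fullmatch(tag):
            raise ValueError(f"malformed tag: {tag!r}")
    if any(not p for p in parts):
        raise ValueError(f"empty path component in {ref!r}")
    if registry == DEFAULT_REGISTRY and len(parts) == 1:
        parts.insert(0, DEFAULT_NAMESPACE)
    if tag is None and digest is None:
        tag = DEFAULT_TAG
    return ImageRef(registry, "/".join(parts), tag, digest)


def check_policy(ref: ImageRef, allowed_registries: FrozenSet[str]) -> List[str]:
    """Policy a deployment gate might apply before a reference is pulled."""
    problems: List[str] = []
    if ref.registry not in allowed_registries:
        problems.append(f"registry-not-allowed:{ref.registry}")
    if ref.digest is None:
        problems.append("unpinned")  # a tag can be re-pointed at different content
        if ref.tag == DEFAULT_TAG:
            problems.append("mutable-latest")
    return problems


if __name__ == "__main__":
    # Constructed allow-list: only the private Harbor host from the list above.
    allowed = frozenset({"harbor.hopu.org"})
    for raw in ("docker.io/library/alpine", "harbor.hopu.org/project/centos:7.2.1511",
                "172.18.200.101/project/java-7.0.59:v1"):
        ref = parse_image_ref(raw)
        print(ref.canonical(), check_policy(ref, allowed))
```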

1.1.10.6 Container orchestration tools

When many containers run on many hosts, managing them one by one is complex and error-prone; there is no way to migrate containers automatically to another host when one host fails (high availability), and no way to scale dynamically. A tool is therefore needed that provides unified management, dynamic scaling, self-healing, batch execution and similar functions: this is the container orchestration engine.

Container orchestration usually covers container management, scheduling, cluster definition and service discovery.

  • Docker Compose: Docker's official tool for orchestrating containers on a single host
  • Docker Swarm: the container orchestration engine developed by Docker, with overlay network support
  • Mesos+Marathon: Mesos is an open-source distributed resource management framework under Apache, described as the kernel of distributed systems. It was originally developed at UC Berkeley's AMPLab and later used widely at Twitter. It is a general cluster resource scheduling platform; Mesos (resource allocation) together with Marathon (container orchestration platform) provides the functionality of a container orchestration engine
  • Kubernetes: the container orchestration engine led by Google, derived from its internal project Borg; it supports both Docker and CoreOS and has become the de facto standard for container orchestration

1.1.11 Technologies that Docker (containers) depend on

Container networking:

Docker's built-in docker network only manages container networking on a single host; when containers run across multiple hosts, a third-party open-source network such as calico or flannel is needed.

Service discovery: because containers scale dynamically, container IPs change with them, so a mechanism is needed that automatically recognises newly created containers and forwards user requests to them. Kubernetes has built-in service discovery, combined with kube-dns to resolve internal domain names.

Container monitoring: the native commands docker ps/top/stats show container status; third-party monitoring tools such as Prometheus and heapster can also monitor running containers.

Data management: dynamic migration moves containers between hosts, so the data associated with a container must migrate with it or remain accessible at all times; this can be solved with logical volumes, storage mounts and similar.

Log collection: docker logs is Docker's native log viewer, but logs inside containers need to be processed by a dedicated log collection, analysis and display tool such as ELK.

1.2 Installing Docker and basic commands

1.2.1 Preparing to install Docker

Official website: https://www.docker.com/

Choosing the OS version:

Docker can be installed and run on many operating systems, such as Ubuntu, CentOS, Red Hat, Debian and Fedora, and even on Mac and Windows. On Linux the kernel must be version 3.10 or later.

Choosing the Docker version: Docker version numbers used to be 0.X or 1.X, but since 1 March 2017 a stable version has been released every quarter and the version number follows the YY.MM scheme; 17.09, for example, was released in September 2017.

Docker previously had no separate editions, but in 2017 a new project, Moby (Docker renamed), was launched at https://github.com/moby/moby. Moby is the new upstream of the Docker project and Docker is a downstream product of Moby. Since then releases are split into CE (Docker Community Edition) and EE (Docker Enterprise Edition, the paid enterprise edition). Both CE and EE release a new version every quarter, but an EE release receives security maintenance for one year, a CE release for four months. The official text:

https://blog.docker.com/2017/03/docker-enterprise-edition/

Docker CE and EE are released quarterly, and CE also has a monthly “Edge” option. Each Docker EE release is supported and maintained for one year and receives security and critical bugfixes during that period. We are also improving Docker CE maintainability by maintaining each quarterly CE release for 4 months. That gets Docker CE users a new 1-month window to update from one version to the next.

If Docker will be deployed under Kubernetes, check the Kubernetes notes on the Docker versions it requires, for example:

https://github.com/kubernetes/kubernetes/blob/v1.17.2/CHANGELOG-1.17.md

1.2.2 Installation and removal

Official documentation: https://docs.docker.com/engine/install/

Alibaba Cloud documentation: https://developer.aliyun.com/mirror/docker-ce?spm=a2c6h.13651102.0.0.3e221b11guHCWE

1.2.2.1 Installing and removing Docker on Ubuntu

Official documentation: https://docs.docker.com/install/linux/docker-ce/ubuntu/

Installing docker on Ubuntu 14.04/16.04/18.04/20.10

Method 1

# step 1: remove old docker versions
sudo apt-get remove docker docker-engine docker.io containerd runc

# step 2: update the apt-get repositories
sudo apt-get update

# Step 3: install dependencies
sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common

# Step 4: install Docker
curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
# or
curl -sSL https://get.daocloud.io/docker | sh

# check the service status
[root@ubuntu2010 ~]#systemctl status docker
[root@ubuntu2010 ~]#docker version
Client: Docker Engine - Community
 Version:           20.10.8
 API version:       1.41
 Go version:        go1.16.6
 Git commit:        3967b7d
 Built:             Fri Jul 30 19:54:09 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true
 
Server: Docker Engine - Community
 Engine:
  Version:          20.10.8
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.6
  Git commit:       75249d8
  Built:            Fri Jul 30 19:52:16 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.9
  GitCommit:        e25210fe30a0a703442421b0f60afac609f950a3
 runc:
  Version:          1.0.1
  GitCommit:        v1.0.1-0-g4144b63
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Method 2

# update the apt package index
[root@ubuntu2010 ~]#sudo apt-get update

# install the apt dependencies needed to fetch repositories over HTTPS
[root@ubuntu2010 ~]#sudo apt-get install \
    ca-certificates \
    curl \
    gnupg \
    lsb-release -y

# add Docker's official GPG key
[root@ubuntu2010 ~]#curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

[root@ubuntu2010 ~]#echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# install Docker Engine-Community
# update the apt package index
[root@ubuntu2010 ~]#sudo apt-get update
Get:1 https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu groovy InRelease [43.3 kB]
Get:2 https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu groovy/stable amd64 Packages [8,280 B]
Hit:3 http://mirrors.aliyun.com/ubuntu focal InRelease
Hit:4 http://mirrors.aliyun.com/ubuntu focal-security InRelease
Hit:5 http://mirrors.aliyun.com/ubuntu focal-updates InRelease
Hit:6 http://mirrors.aliyun.com/ubuntu focal-proposed InRelease
Hit:7 http://mirrors.aliyun.com/ubuntu focal-backports InRelease
Fetched 51.6 kB in 2s (26.8 kB/s)
Reading package lists... Done

# install the latest version of Docker Engine-Community and containerd, or go to the next step to install a specific version
[root@ubuntu2010 ~]#sudo apt-get install docker-ce docker-ce-cli containerd.io

# to install a specific version of Docker Engine-Community, list the versions available in the repository and pick one. List the versions available in your repository
[root@ubuntu2010 ~]#apt-cache madison docker-ce
 docker-ce | 5:20.10.8~3-0~ubuntu-groovy | https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu groovy/stable amd64 Packages
 docker-ce | 5:20.10.7~3-0~ubuntu-groovy | https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu groovy/stable amd64 Packages
 docker-ce | 5:20.10.6~3-0~ubuntu-groovy | https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu groovy/stable amd64 Packages
 docker-ce | 5:20.10.5~3-0~ubuntu-groovy | https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu groovy/stable amd64 Packages
 docker-ce | 5:20.10.4~3-0~ubuntu-groovy | https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu groovy/stable amd64 Packages
 docker-ce | 5:20.10.3~3-0~ubuntu-groovy | https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu groovy/stable amd64 Packages
 docker-ce | 5:20.10.2~3-0~ubuntu-groovy | https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu groovy/stable amd64 Packages
 docker-ce | 5:20.10.1~3-0~ubuntu-groovy | https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu groovy/stable amd64 Packages
 docker-ce | 5:20.10.0~3-0~ubuntu-groovy | https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu groovy/stable amd64 Packages

# install a specific version using the version string from the second column, e.g. 5:20.10.7~3-0~ubuntu-groovy
# example: installing a specified version
#apt-get -y install docker-ce=5:20.10.7~3-0~ubuntu-groovy docker-ce-cli=5:20.10.7~3-0~ubuntu-groovy

# check the service status
[root@ubuntu2010 ~]#systemctl status docker 
● docker.service - Docker Application Container Engine
     Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2021-12-27 14:36:46 UTC; 2min 28s ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 8193 (dockerd)
      Tasks: 7
     Memory: 28.7M
     CGroup: /system.slice/docker.service
             └─8193 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

# check the service version
[root@ubuntu2010 ~]#docker version
Client: Docker Engine - Community
 Version:           20.10.8
 API version:       1.41
 Go version:        go1.16.6
 Git commit:        3967b7d
 Built:             Fri Jul 30 19:54:09 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

# pull an image and run a test
[root@ubuntu2010 ~]#docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete 
Digest: sha256:2498fce14358aa50ead0cc6c19990fc6ff866ce72aeb5546e1d59caac3d0d60f
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

# remove docker
[root@ubuntu2010 ~]#apt purge docker-ce
Reading package lists... Done
Building dependency tree     
Reading state information... Done
The following packages were automatically installed and are no longer required:
  docker-ce-rootless-extras pigz slirp4netns
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  docker-ce*
0 upgraded, 0 newly installed, 1 to remove and 49 not upgraded.
After this operation, 101 MB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 72951 files and directories currently installed.)
Removing docker-ce (5:20.10.8~3-0~ubuntu-groovy) ...
Warning: Stopping docker.service, but it can still be activated by:
  docker.socket
(Reading database ... 72943 files and directories currently installed.)
Purging configuration files for docker-ce (5:20.10.8~3-0~ubuntu-groovy) ...
Processing triggers for systemd (246.6-1ubuntu1) ...

[root@ubuntu2010 ~]#rm -rf /var/lib/docker

Method 3

System environment: Ubuntu 20.10 server
Official documentation: https://docs.docker.com/engine/install/ubuntu/
Choose the corresponding packages: https://download.docker.com/linux/ubuntu/dists/bionic/pool/stable/amd64/

[root@ubuntu2010 ~]#wget https://download.docker.com/linux/ubuntu/dists/bionic/pool/stable/amd64/docker-ce-cli_20.10.9~3-0~ubuntu-bionic_amd64.deb

[root@ubuntu2010 ~]#wget https://download.docker.com/linux/ubuntu/dists/bionic/pool/stable/amd64/containerd.io_1.4.9-1_amd64.deb

[root@ubuntu2010 ~]#wget https://download.docker.com/linux/ubuntu/dists/bionic/pool/stable/amd64/docker-ce_20.10.9~3-0~ubuntu-bionic_amd64.deb

#install libltdl7:
[root@ubuntu2010 ~]#sudo apt-get install libltdl7

#install the three packages in order; the order must not be changed:
[root@ubuntu2010 ~]#dpkg -i docker-ce-cli_20.10.9~3-0~ubuntu-bionic_amd64.deb && dpkg -i containerd.io_1.4.9-1_amd64.deb && dpkg -i docker-ce_20.10.9~3-0~ubuntu-bionic_amd64.deb

[root@ubuntu2010 ~]#systemctl start docker
[root@ubuntu2010 ~]#systemctl enable docker 
Synchronizing state of docker.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable docker
[root@ubuntu2010 ~]#systemctl status docker
[root@ubuntu2010 ~]#docker version
Client: Docker Engine - Community
 Version:           20.10.9
 API version:       1.41
 Go version:        go1.16.8
 Git commit:        c2ea9bc
 Built:             Mon Oct  4 16:08:29 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.9
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.8
  Git commit:       79ea9d3
  Built:            Mon Oct  4 16:06:34 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.9
  GitCommit:        e25210fe30a0a703442421b0f60afac609f950a3
 runc:
  Version:          1.0.1
  GitCommit:        v1.0.1-0-g4144b63
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

1.2.2.2 Installing and removing Docker on CentOS

Official documentation: https://docs.docker.com/install/linux/docker-ce/centos/

CentOS 6: the kernel is too old; docker can be installed but runs into all kinds of problems, so installing it is not recommended

CentOS 7: docker can be installed from the extras repository, but that package is rather old; installing from the official repository or a mirror site is recommended

CentOS 8: the newer podman replaces docker

Installing docker on CentOS 7 is therefore recommended

#in the extras repository the package is named docker
[root@centos7 ~]#yum list docker
Loaded plugins: fastestmirror
Repository base is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Loading mirror speeds from cached hostfile
 * base: mirrors.tuna.tsinghua.edu.cn
 * extras: mirrors.tuna.tsinghua.edu.cn
 * updates: mirrors.tuna.tsinghua.edu.cn
Available Packages
docker.x86_64      2:1.13.1-103.git7f2769b.el7.centos                           extras

Installing from a downloaded rpm package:

Official rpm download address:

https://download.docker.com/linux/centos/7/x86_64/stable/Packages/

Alibaba mirror download address:

https://mirrors.aliyun.com/docker-ce/linux/centos/7/x86_64/stable/Packages/

Installing from a yum repository:

The official yum repository is too slow, so the Alibaba Cloud yum repository is used below

[root@centos7 ~]# yum install wget -y

[root@centos7 ~]# mkdir /root/bakrepo && mv /etc/yum.repos.d/* /root/bakrepo

[root@centos7 ~]# rm -rf /etc/yum.repos.d/*

[root@centos7 ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

[root@centos7 ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

[root@centos7 ~]# wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

[root@centos7 ~]# yum -y install docker-ce

[root@centos7 ~]# systemctl enable --now docker

Uninstalling docker

[root@centos7 ~]# yum remove docker-ce -y

#delete the files where docker stores its resources
[root@centos7 ~]# rm -rf /var/lib/docker

Example: installing docker on CentOS 7 from Alibaba Cloud

Alibaba Cloud instructions: https://developer.aliyun.com/mirror/docker-ce?spm=a2c6h.13651102.0.0.3e221b11sUMKNV

# step 1: install some necessary system tools
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
# Step 2: add the repository information
sudo yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Step 3: point the repository at the Alibaba mirror
sudo sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
# Step 4: update and install Docker-CE
sudo yum makecache fast
sudo yum -y install docker-ce
# Step 4: start the Docker service
sudo service docker start

# Note:
# The official repository enables the latest software by default; packages of other versions can be obtained by editing the repository definition. For example, the test channel is not enabled by default; it can be enabled as follows, and the other test channels likewise.
# vim /etc/yum.repos.d/docker-ce.repo
#   under [docker-ce-test] change enabled=0 to enabled=1
#
# Installing a specific version of Docker-CE:
# Step 1: find the available Docker-CE versions:
# yum list docker-ce.x86_64 --showduplicates | sort -r
#   Loading mirror speeds from cached hostfile
#   Loaded plugins: branch, fastestmirror, langpacks
#   docker-ce.x86_64            17.03.1.ce-1.el7.centos            docker-ce-stable
#   docker-ce.x86_64            17.03.1.ce-1.el7.centos            @docker-ce-stable
#   docker-ce.x86_64            17.03.0.ce-1.el7.centos            docker-ce-stable
#   Available Packages
# Step2: install the specific version of Docker-CE (VERSION is e.g. 17.03.0.ce.1-1.el7.centos from the list above)
# sudo yum -y install docker-ce-[VERSION]
[root@centos7 ~]#yum -y install docker-ce-19.03.12-3.el7

Example: installing a specific docker version on CentOS 7

[root@centos7 ~]# yum install wget -y
[root@centos7 ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

[root@centos7 ~]# wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

[root@centos7 ~]# yum list docker-ce* --showduplicates | sort -r

[root@centos7 ~]# yum -y install docker-ce-20.10.9-3.el7 docker-ce-cli-20.10.9-3.el7 -y

[root@centos7 ~]# docker version
Client: Docker Engine - Community
 Version:           20.10.9
 API version:       1.41
 Go version:        go1.16.8
 Git commit:        c2ea9bc
 Built:             Mon Oct  4 16:08:14 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

[root@centos7 ~]# systemctl enable --now docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.

[root@centos7 ~]# docker version
Client: Docker Engine - Community
 Version:           20.10.9
 API version:       1.41
 Go version:        go1.16.8
 Git commit:        c2ea9bc
 Built:             Mon Oct  4 16:08:14 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.9
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.8
  Git commit:       79ea9d3
  Built:            Mon Oct  4 16:06:37 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.5.11
  GitCommit:        3df54a852345ae127d1fa3092b95168e4a88e2f8
 runc:
  Version:          1.0.3
  GitCommit:        v1.0.3-0-gf46b6ba
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Example: installing docker on CentOS 8

[root@centos8 ~]#tee /etc/yum.repos.d/docker.repo <<EOF
[docker]
name=docker
gpgcheck=0
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/8/x86_64/stable/
EOF

[root@centos8 ~]#dnf -y install docker-ce

[root@centos8 ~]#systemctl start docker 

[root@centos8 ~]#docker version
Client: Docker Engine - Community
 Version:           20.10.14
 API version:       1.41
 Go version:        go1.16.15
 Git commit:        a224086
 Built:             Thu Mar 24 01:47:44 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.14
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.15
  Git commit:       87a90dc
  Built:            Thu Mar 24 01:46:10 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.5.11
  GitCommit:        3df54a852345ae127d1fa3092b95168e4a88e2f8
 runc:
  Version:          1.0.3
  GitCommit:        v1.0.3-0-gf46b6ba
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
  
[root@centos8 ~]#systemctl stop docker.socket

[root@centos8 ~]#systemctl enable docker 
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service.

1.2.2.3 Linux binary installation

This method is for installing docker on hosts that have no internet access or cannot use package-based installation

Installation documentation: https://docs.docker.com/install/linux/docker-ce/binaries/

Binary download paths

https://download.docker.com/linux/

https://mirrors.aliyun.com/docker-ce/linux/static/stable/x86_64/

Example: binary installation of docker on CentOS 8

[root@centos8 ~]#wget https://download.docker.com/linux/static/stable/x86_64/docker-19.03.5.tgz

[root@centos8 ~]#ls
anaconda-ks.cfg  docker-19.03.5.tgz

[root@centos8 ~]#tar xf docker-19.03.5.tgz

[root@centos8 ~]#ls
anaconda-ks.cfg  docker  docker-19.03.5.tgz

#start the dockerd service
[root@centos8 ~]#dockerd &>/dev/null &

[root@centos8 ~]#docker version
Client: Docker Engine - Community
 Version:           19.03.5
 API version:       1.40
 Go version:        go1.12.12
 Git commit:        633a0ea838
 Built:             Wed Nov 13 07:22:05 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.5
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.12
  Git commit:       633a0ea838
  Built:            Wed Nov 13 07:28:45 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.2.10
  GitCommit:        b34a5c8af56e510852c35414db4c1f4fa6172339
 runc:
  Version:          1.0.0-rc8+dev
  GitCommit:        3e425f80a8c931f88e6d94a8c831b9d5aa481657
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

[root@centos8 ~]#docker run hello-world

[root@centos8 ~]#pstree -p


Example: creating the related service files (this approach has problems with newer versions)

#create the related service files; this approach has problems with newer versions
[root@centos8 ~]#groupadd -r docker

#copy the related files from a package-based installation on Ubuntu 18.04 or CentOS 7 into the corresponding directory
[root@ubuntu1804 ~]#ll /lib/systemd/system/docker.*
-rw-r--r-- 1 root root 1695 Dec 13 19:43 /lib/systemd/system/docker.service
-rw-r--r-- 1 root root  175 Dec 13 19:43 /lib/systemd/system/docker.socket

[root@ubuntu1804 ~]#ll /lib/systemd/system/containerd.service
-rw-r--r-- 1 root root 1263 Nov 18 02:48 /lib/systemd/system/containerd.service

[root@ubuntu1804 ~]#cat /lib/systemd/system/docker.socket 
[Unit]
Description=Docker Socket for the API

[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker

[Install]
WantedBy=sockets.target
[root@ubuntu1804 ~]#cat /lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket containerd.service

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3

# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity

# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity

# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes

# kill only the docker process, not all processes in the cgroup
KillMode=process
OOMScoreAdjust=-500

[Install]
WantedBy=multi-user.target

[root@ubuntu1804 ~]#scp /lib/systemd/system/docker.* /lib/systemd/system/containerd.service 192.168.3.18:/lib/systemd/system/

[root@centos8 ~]#systemctl daemon-reload
[root@centos8 ~]#systemctl enable --now docker

1.2.2.4 Installing podman

Example: installing podman on CentOS 8

#installing docker on CentOS 8 automatically installs podman; the docker tool is just a script that calls Podman
[root@centos8 ~]#dnf install podman
[root@centos8 ~]#rpm -ql podman
[root@centos8 ~]#podman version
Version:            1.6.4
RemoteAPI Version:  1
Go Version:         go1.13.4
OS/Arch:            linux/amd64
#change the order of the registries images are pulled from, to improve speed
[root@centos8 ~]#vim /etc/containers/registries.conf
[registries.search]
registries = ['docker.io','quay.io','registry.redhat.io','registry.access.redhat.com']

1.2.2.5 One-click docker installation scripts for different systems

1.2.2.5.1 One-click docker installation script for Ubuntu 18.04

[root@ubuntu2010 ~]#cat install_docker_ubuntu.sh
#!/bin/bash
#Description: Install docker on Ubuntu2010
#Date:2020-12-22
COLOR="echo -e \\033[1;31m"
END="\033[m"
DOCKER_VERSION="5:20.10.7~3-0~ubuntu-groovy"
install_docker(){
dpkg -s docker-ce &> /dev/null && ${COLOR}"Docker已安装,退出"${END} && exit
apt update
sudo apt-get -y install apt-transport-https ca-certificates curl gnupg-agent software-properties-common
curl -fsSL https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
#add the docker-ce apt repository from the same mirror; without it apt-cache finds no docker-ce package
add-apt-repository "deb [arch=amd64] https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
apt update
${COLOR}"Docker有以下版本"${END}
apt-cache madison docker-ce
${COLOR}"5秒后即将安装: docker-"${DOCKER_VERSION}" 版本....."${END}
${COLOR}"如果想安装其它Docker版本,请按ctrl+c键退出,修改版本再执行"${END}
sleep 5
apt -y install docker-ce=${DOCKER_VERSION} docker-ce-cli=${DOCKER_VERSION}
#use the Alibaba registry mirror to speed up pulls
mkdir -p /etc/docker
tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://56sxj93s.mirror.aliyuncs.com"]
}
EOF
systemctl daemon-reload
systemctl enable --now docker
docker version && ${COLOR}"Docker 安装成功"${END} ||  ${COLOR}"Docker 安装失败"${END}
}
install_docker

[root@ubuntu2010 ~]#chmod +x install_docker_ubuntu.sh
[root@ubuntu2010 ~]#./install_docker_ubuntu.sh

1.2.2.5.2 One-click docker installation scripts for CentOS 8

1.2.2.5.2.1 Script 1

Implemented with Alibaba Cloud's docker yum repository for CentOS 8

#!/bin/bash
. /etc/init.d/functions
COLOR="echo -e \\E[1;32m"
END="\\E[0m"
DOCKER_VERSION="-19.03.13-3.el8"
install_docker() {
    ${COLOR}"开始安装 Docker....."${END}
    sleep 1
    #gpgcheck=0 turns off rpm signature verification for this repository
    cat > /etc/yum.repos.d/docker.repo <<EOF
[docker]
name=docker
gpgcheck=0
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/8/x86_64/stable/
EOF
    yum clean all
    yum -y install docker-ce$DOCKER_VERSION docker-ce-cli$DOCKER_VERSION \
        || { ${COLOR}"Base,Extras的yum源失败,请检查yum源配置"${END};exit; }
    #use the Alibaba registry mirror to speed up pulls
    mkdir -p /etc/docker
    cat > /etc/docker/daemon.json <<EOF
{
  "registry-mirrors": ["https://56sxj93s.mirror.aliyuncs.com"]
}
EOF
    systemctl enable --now docker
    docker version && ${COLOR}"Docker安装成功"${END} || ${COLOR}"Docker安装失败"${END}
}
rpm -q docker-ce &> /dev/null && action "Docker已安装" || install_docker

1.2.2.5.2.2 Script 2

Early CentOS 8 releases had no docker yum repository; the script below can be used to install docker there

#!/bin/bash
. /etc/init.d/functions
COLOR="echo -e \\E[1;32m"
END="\\E[0m"
# the el7 packages are used because no el8 repository existed at the time
DOCKER_VERSION="-19.03.8-3.el7"
install_docker() {
    ${COLOR}"开始安装 Docker....."${END}
    sleep 1
    wget -P /etc/yum.repos.d/ https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo \
        || { ${COLOR}"互联网连接失败,请检查网络配置!"${END};exit; }
    yum clean all
    # install containerd.io from the CentOS 7 repository first; docker-ce depends on it
    dnf -y install https://mirrors.aliyun.com/docker-ce/linux/centos/7/x86_64/stable/Packages/containerd.io-1.2.13-3.1.el7.x86_64.rpm
    yum -y install docker-ce$DOCKER_VERSION docker-ce-cli$DOCKER_VERSION \
        || { ${COLOR}"Base,Extras的yum源失败,请检查yum源配置"${END};exit; }
    # use the Alibaba Cloud registry mirror to speed up image pulls
    mkdir -p /etc/docker
    cat > /etc/docker/daemon.json <<EOF
{
  "registry-mirrors": ["https://56sxj93s.mirror.aliyuncs.com"]
}
EOF
    systemctl enable --now docker
    docker version && ${COLOR}"Docker安装成功"${END} || ${COLOR}"Docker安装失败"${END}
}
rpm -q docker-ce &> /dev/null && action "Docker已安装" || install_docker
1.2.2.5.3 One-click Docker installation script for CentOS 7
[root@centos7 ~]#cat install_docker_for_centos7.sh 
#!/bin/bash
COLOR="echo -e \\033[1;31m"
END="\033[m"
VERSION="19.03.5-3.el7"
wget -P /etc/yum.repos.d/ https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo \
    || { ${COLOR}"互联网连接失败,请检查网络配置!"${END};exit; }
yum clean all
yum -y install docker-ce-$VERSION docker-ce-cli-$VERSION \
    || { ${COLOR}"Base,Extras的yum源失败,请检查yum源配置"${END};exit; }
# use the Alibaba Cloud registry mirror to speed up image pulls
mkdir -p /etc/docker
cat > /etc/docker/daemon.json <<EOF
{
  "registry-mirrors": ["https://56sxj93s.mirror.aliyuncs.com"]
}
EOF
systemctl enable --now docker
docker version && ${COLOR}"Docker安装成功"${END} || ${COLOR}"Docker安装失败"${END}
1.2.2.5.4 One-click offline installation of the Docker binaries
#!/bin/bash

DOCKER_VERSION=20.10.20
# the mirrors serve the static tarballs under a docker-ce/ prefix, the official site does not
URL=https://mirrors.aliyun.com/docker-ce
#URL=https://download.docker.com

prepare () {
    if [ ! -e docker-${DOCKER_VERSION}.tgz ];then
        wget ${URL}/linux/static/stable/x86_64/docker-${DOCKER_VERSION}.tgz \
            || { echo "文件下载失败"; exit 1; }
    fi
}

install_docker () {
    tar xf docker-${DOCKER_VERSION}.tgz -C /usr/local/
    cp /usr/local/docker/* /usr/bin/
    # unit file modelled on the one shipped with the docker-ce package
    cat > /lib/systemd/system/docker.service <<-EOF
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock
ExecReload=/bin/kill -s HUP \$MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target
EOF
    systemctl daemon-reload
}

start_docker (){
    systemctl enable --now docker
    docker info
}

config_docker () {
    mkdir -p /etc/docker
    tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://56sxj93s.mirror.aliyuncs.com"]
}
EOF
    systemctl restart docker
}

prepare
install_docker
config_docker
start_docker
1.2.2.5.5 One-click Docker installation for multiple distributions
#!/bin/bash

DOCKER_VERSION="20.10.10"
DOCKER_URL="http://mirrors.ustc.edu.cn"
#DOCKER_URL="https://mirrors.aliyun.com"
#DOCKER_URL="https://mirrors.tuna.tsinghua.edu.cn"

COLOR_SUCCESS="echo -e \\033[1;32m"
COLOR_FAILURE="echo -e \\033[1;31m"
END="\033[m"

# ID, VERSION_ID and UBUNTU_CODENAME come from /etc/os-release
. /etc/os-release
UBUNTU_DOCKER_VERSION="5:${DOCKER_VERSION}~3-0~${ID}-${UBUNTU_CODENAME}"
#UBUNTU_DOCKER_VERSION="5:20.10.9~3-0~`lsb_release -si`-`lsb_release -cs`"
#UBUNTU_DOCKER_VERSION="5:19.03.14~3-0~lsb_release -si-`lsb_release -cs`"

# color MESSAGE STATUS: prints MESSAGE followed by a coloured [  OK  ] / [FAILED] / [WARNING] tag
color () {
    RES_COL=60
    MOVE_TO_COL="echo -en \\033[${RES_COL}G"
    SETCOLOR_SUCCESS="echo -en \\033[1;32m"
    SETCOLOR_FAILURE="echo -en \\033[1;31m"
    SETCOLOR_WARNING="echo -en \\033[1;33m"
    SETCOLOR_NORMAL="echo -en \E[0m"
    echo -n "$1" && $MOVE_TO_COL
    echo -n "["
    if [ "$2" = "success" -o "$2" = "0" ] ;then
        ${SETCOLOR_SUCCESS}
        echo -n $"  OK  "
    elif [ "$2" = "failure" -o "$2" = "1" ] ;then
        ${SETCOLOR_FAILURE}
        echo -n $"FAILED"
    else
        ${SETCOLOR_WARNING}
        echo -n $"WARNING"
    fi
    ${SETCOLOR_NORMAL}
    echo -n "]"
    echo
}

install_docker(){
    if [ "$ID" = "centos" -o "$ID" = "rocky" ];then
        # gpgcheck=0 disables RPM signature verification for this repository
        if [ "$VERSION_ID" = "7" ];then
            cat > /etc/yum.repos.d/docker.repo <<EOF
[docker]
name=docker
gpgcheck=0
#baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/x86_64/stable/
baseurl=${DOCKER_URL}/docker-ce/linux/centos/7/x86_64/stable/
EOF
        else
            cat > /etc/yum.repos.d/docker.repo <<EOF
[docker]
name=docker
gpgcheck=0
#baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/8/x86_64/stable/
baseurl=${DOCKER_URL}/docker-ce/linux/centos/8/x86_64/stable/
EOF
        fi
        yum clean all
        ${COLOR_FAILURE}"Docker有以下版本"${END}
        yum list docker-ce --showduplicates
        ${COLOR_FAILURE}"5秒后即将安装: docker-"${DOCKER_VERSION}" 版本....."${END}
        ${COLOR_FAILURE}"如果想安装其它Docker版本,请按ctrl+c键退出,修改版本再执行"${END}
        sleep 5
        yum -y install docker-ce-$DOCKER_VERSION docker-ce-cli-$DOCKER_VERSION \
            || { color "Base,Extras的yum源失败,请检查yum源配置" 1;exit; }
    else
        dpkg -s docker-ce &> /dev/null && color "Docker已安装,退出" 1 && exit
        apt update || { color "更新包索引失败" 1 ; exit 1; }
        apt -y install apt-transport-https ca-certificates curl software-properties-common || \
            { color "安装相关包失败" 1 ; exit 2; }
        curl -fsSL ${DOCKER_URL}/docker-ce/linux/ubuntu/gpg | apt-key add -
        add-apt-repository "deb [arch=amd64] ${DOCKER_URL}/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
        apt update
        ${COLOR_FAILURE}"Docker有以下版本"${END}
        apt-cache madison docker-ce
        ${COLOR_FAILURE}"5秒后即将安装: docker-"${UBUNTU_DOCKER_VERSION}" 版本....."${END}
        ${COLOR_FAILURE}"如果想安装其它Docker版本,请按ctrl+c键退出,修改版本再执行"${END}
        sleep 5
        apt -y install docker-ce=${UBUNTU_DOCKER_VERSION} docker-ce-cli=${UBUNTU_DOCKER_VERSION}
    fi
    if [ $? -eq 0 ];then
        color "安装软件包成功" 0
    else
        color "安装软件包失败,请检查网络配置" 1
        exit
    fi
}

config_docker (){
    mkdir -p /etc/docker
    # insecure-registries lets the daemon reach the listed private registry over plain HTTP or
    # with an unverified certificate; live-restore keeps containers running across daemon restarts
    tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://56sxj93s.mirror.aliyuncs.com","https://docker.mirrors.ustc.edu.cn","https://hub-mirror.c.163.com","https://reg-mirror.qiniu.com"],
  "insecure-registries": ["harbor.zhou.org"],
  "live-restore": true
}
EOF
    systemctl daemon-reload
    systemctl enable docker
    systemctl restart docker
    docker version && color "Docker 安装成功" 0 || color "Docker 安装失败" 1
}

# convenience aliases: rmi force-removes every image, rmc force-removes every container
set_alias (){
    echo 'alias rmi="docker images -qa|xargs docker rmi -f"' >> ~/.bashrc
    echo 'alias rmc="docker ps -qa|xargs docker rm -f"' >> ~/.bashrc
}

install_docker

config_docker

set_alias
1.2.2.5.6 Generic Docker installation script

Download the generic installation script from Docker's official site

[root@ubuntu2204 ~]#curl -fsSL get.docker.com -o get-docker.sh
[root@ubuntu2204 ~]#sh get-docker.sh --mirror Aliyun

1.2.3 Docker program environment

Environment configuration files:

/etc/sysconfig/docker-network
/etc/sysconfig/docker-storage
/etc/sysconfig/docker

Unit file:

/usr/lib/systemd/system/docker.service

docker-ce configuration file:

/etc/docker/daemon.json

Docker Registry configuration file:

/etc/containers/registries.conf

Example: view Docker-related files on Ubuntu

#server-side files
[root@ubuntu1804 ~]#dpkg -L docker-ce
/.
/etc
/etc/default
/etc/default/docker
/etc/init
/etc/init/docker.conf
/etc/init.d
/etc/init.d/docker
/lib
/lib/systemd
/lib/systemd/system
/lib/systemd/system/docker.service
/lib/systemd/system/docker.socket
/usr
/usr/bin
/usr/bin/docker-init
/usr/bin/docker-proxy
/usr/bin/dockerd
/usr/share
/usr/share/doc
/usr/share/doc/docker-ce
/usr/share/doc/docker-ce/README.md
/usr/share/doc/docker-ce/changelog.Debian.gz
/var
/var/lib
/var/lib/docker-engine
/var/lib/docker-engine/distribution_based_engine.json

#client-side files
[root@ubuntu1804 ~]#dpkg -L docker-ce-cli
/.
/usr
/usr/bin
/usr/bin/docker
/usr/libexec
/usr/libexec/docker
/usr/libexec/docker/cli-plugins
/usr/libexec/docker/cli-plugins/docker-app
/usr/libexec/docker/cli-plugins/docker-buildx
/usr/share
/usr/share/bash-completion
/usr/share/bash-completion/completions
/usr/share/bash-completion/completions/docker
/usr/share/doc
/usr/share/doc/docker-ce-cli
/usr/share/doc/docker-ce-cli/changelog.Debian.gz
/usr/share/fish
/usr/share/fish/vendor_completions.d
/usr/share/fish/vendor_completions.d/docker.fish
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/docker-attach.1.gz
/usr/share/man/man1/docker-build.1.gz
/usr/share/man/man1/docker-builder-build.1.gz
/usr/share/man/man1/docker-builder-prune.1.gz
/usr/share/man/man1/docker-builder.1.gz
/usr/share/man/man1/docker-checkpoint-create.1.gz
/usr/share/man/man1/docker-checkpoint-ls.1.gz
/usr/share/man/man1/docker-checkpoint-rm.1.gz
/usr/share/man/man1/docker-checkpoint.1.gz
/usr/share/man/man1/docker-commit.1.gz
/usr/share/man/man1/docker-config-create.1.gz
/usr/share/man/man1/docker-config-inspect.1.gz
/usr/share/man/man1/docker-config-ls.1.gz
/usr/share/man/man1/docker-config-rm.1.gz
/usr/share/man/man1/docker-config.1.gz
/usr/share/man/man1/docker-container-attach.1.gz
/usr/share/man/man1/docker-container-commit.1.gz
/usr/share/man/man1/docker-container-cp.1.gz
/usr/share/man/man1/docker-container-create.1.gz
/usr/share/man/man1/docker-container-diff.1.gz
/usr/share/man/man1/docker-container-exec.1.gz
/usr/share/man/man1/docker-container-export.1.gz
/usr/share/man/man1/docker-container-inspect.1.gz
/usr/share/man/man1/docker-container-kill.1.gz
/usr/share/man/man1/docker-container-logs.1.gz
/usr/share/man/man1/docker-container-ls.1.gz
/usr/share/man/man1/docker-container-pause.1.gz
/usr/share/man/man1/docker-container-port.1.gz
/usr/share/man/man1/docker-container-prune.1.gz
/usr/share/man/man1/docker-container-rename.1.gz
/usr/share/man/man1/docker-container-restart.1.gz
/usr/share/man/man1/docker-container-rm.1.gz
/usr/share/man/man1/docker-container-run.1.gz
/usr/share/man/man1/docker-container-start.1.gz
/usr/share/man/man1/docker-container-stats.1.gz
/usr/share/man/man1/docker-container-stop.1.gz
/usr/share/man/man1/docker-container-top.1.gz
/usr/share/man/man1/docker-container-unpause.1.gz
/usr/share/man/man1/docker-container-update.1.gz
/usr/share/man/man1/docker-container-wait.1.gz
/usr/share/man/man1/docker-container.1.gz
/usr/share/man/man1/docker-context-create.1.gz
/usr/share/man/man1/docker-context-export.1.gz
/usr/share/man/man1/docker-context-import.1.gz
/usr/share/man/man1/docker-context-inspect.1.gz
/usr/share/man/man1/docker-context-ls.1.gz
/usr/share/man/man1/docker-context-rm.1.gz
/usr/share/man/man1/docker-context-update.1.gz
/usr/share/man/man1/docker-context-use.1.gz
/usr/share/man/man1/docker-context.1.gz
/usr/share/man/man1/docker-cp.1.gz
/usr/share/man/man1/docker-create.1.gz
/usr/share/man/man1/docker-deploy.1.gz
/usr/share/man/man1/docker-diff.1.gz
/usr/share/man/man1/docker-engine-activate.1.gz
/usr/share/man/man1/docker-engine-check.1.gz
/usr/share/man/man1/docker-engine-update.1.gz
/usr/share/man/man1/docker-engine.1.gz
/usr/share/man/man1/docker-events.1.gz
/usr/share/man/man1/docker-exec.1.gz
/usr/share/man/man1/docker-export.1.gz
/usr/share/man/man1/docker-history.1.gz
/usr/share/man/man1/docker-image-build.1.gz
/usr/share/man/man1/docker-image-history.1.gz
/usr/share/man/man1/docker-image-import.1.gz
/usr/share/man/man1/docker-image-inspect.1.gz
/usr/share/man/man1/docker-image-load.1.gz
/usr/share/man/man1/docker-image-ls.1.gz
/usr/share/man/man1/docker-image-prune.1.gz
/usr/share/man/man1/docker-image-pull.1.gz
/usr/share/man/man1/docker-image-push.1.gz
/usr/share/man/man1/docker-image-rm.1.gz
/usr/share/man/man1/docker-image-save.1.gz
/usr/share/man/man1/docker-image-tag.1.gz
/usr/share/man/man1/docker-image.1.gz
/usr/share/man/man1/docker-images.1.gz
/usr/share/man/man1/docker-import.1.gz
/usr/share/man/man1/docker-info.1.gz
/usr/share/man/man1/docker-inspect.1.gz
/usr/share/man/man1/docker-kill.1.gz
/usr/share/man/man1/docker-load.1.gz
/usr/share/man/man1/docker-login.1.gz
/usr/share/man/man1/docker-logout.1.gz
/usr/share/man/man1/docker-logs.1.gz
/usr/share/man/man1/docker-manifest-annotate.1.gz
/usr/share/man/man1/docker-manifest-create.1.gz
/usr/share/man/man1/docker-manifest-inspect.1.gz
/usr/share/man/man1/docker-manifest-push.1.gz
/usr/share/man/man1/docker-manifest.1.gz
/usr/share/man/man1/docker-network-connect.1.gz
/usr/share/man/man1/docker-network-create.1.gz
/usr/share/man/man1/docker-network-disconnect.1.gz
/usr/share/man/man1/docker-network-inspect.1.gz
/usr/share/man/man1/docker-network-ls.1.gz
/usr/share/man/man1/docker-network-prune.1.gz
/usr/share/man/man1/docker-network-rm.1.gz
/usr/share/man/man1/docker-network.1.gz
/usr/share/man/man1/docker-node-demote.1.gz
/usr/share/man/man1/docker-node-inspect.1.gz
/usr/share/man/man1/docker-node-ls.1.gz
/usr/share/man/man1/docker-node-promote.1.gz
/usr/share/man/man1/docker-node-ps.1.gz
/usr/share/man/man1/docker-node-rm.1.gz
/usr/share/man/man1/docker-node-update.1.gz
/usr/share/man/man1/docker-node.1.gz
/usr/share/man/man1/docker-pause.1.gz
/usr/share/man/man1/docker-plugin-create.1.gz
/usr/share/man/man1/docker-plugin-disable.1.gz
/usr/share/man/man1/docker-plugin-enable.1.gz
/usr/share/man/man1/docker-plugin-inspect.1.gz
/usr/share/man/man1/docker-plugin-install.1.gz
/usr/share/man/man1/docker-plugin-ls.1.gz
/usr/share/man/man1/docker-plugin-push.1.gz
/usr/share/man/man1/docker-plugin-rm.1.gz
/usr/share/man/man1/docker-plugin-set.1.gz
/usr/share/man/man1/docker-plugin-upgrade.1.gz
/usr/share/man/man1/docker-plugin.1.gz
/usr/share/man/man1/docker-port.1.gz
/usr/share/man/man1/docker-ps.1.gz
/usr/share/man/man1/docker-pull.1.gz
/usr/share/man/man1/docker-push.1.gz
/usr/share/man/man1/docker-rename.1.gz
/usr/share/man/man1/docker-restart.1.gz
/usr/share/man/man1/docker-rm.1.gz
/usr/share/man/man1/docker-rmi.1.gz
/usr/share/man/man1/docker-run.1.gz
/usr/share/man/man1/docker-save.1.gz
/usr/share/man/man1/docker-search.1.gz
/usr/share/man/man1/docker-secret-create.1.gz
/usr/share/man/man1/docker-secret-inspect.1.gz
/usr/share/man/man1/docker-secret-ls.1.gz
/usr/share/man/man1/docker-secret-rm.1.gz
/usr/share/man/man1/docker-secret.1.gz
/usr/share/man/man1/docker-service-create.1.gz
/usr/share/man/man1/docker-service-inspect.1.gz
/usr/share/man/man1/docker-service-logs.1.gz
/usr/share/man/man1/docker-service-ls.1.gz
/usr/share/man/man1/docker-service-ps.1.gz
/usr/share/man/man1/docker-service-rm.1.gz
/usr/share/man/man1/docker-service-rollback.1.gz
/usr/share/man/man1/docker-service-scale.1.gz
/usr/share/man/man1/docker-service-update.1.gz
/usr/share/man/man1/docker-service.1.gz
/usr/share/man/man1/docker-stack-deploy.1.gz
/usr/share/man/man1/docker-stack-ls.1.gz
/usr/share/man/man1/docker-stack-ps.1.gz
/usr/share/man/man1/docker-stack-rm.1.gz
/usr/share/man/man1/docker-stack-services.1.gz
/usr/share/man/man1/docker-stack.1.gz
/usr/share/man/man1/docker-start.1.gz
/usr/share/man/man1/docker-stats.1.gz
/usr/share/man/man1/docker-stop.1.gz
/usr/share/man/man1/docker-swarm-ca.1.gz
/usr/share/man/man1/docker-swarm-init.1.gz
/usr/share/man/man1/docker-swarm-join-token.1.gz
/usr/share/man/man1/docker-swarm-join.1.gz
/usr/share/man/man1/docker-swarm-leave.1.gz
/usr/share/man/man1/docker-swarm-unlock-key.1.gz
/usr/share/man/man1/docker-swarm-unlock.1.gz
/usr/share/man/man1/docker-swarm-update.1.gz
/usr/share/man/man1/docker-swarm.1.gz
/usr/share/man/man1/docker-system-df.1.gz
/usr/share/man/man1/docker-system-events.1.gz
/usr/share/man/man1/docker-system-info.1.gz
/usr/share/man/man1/docker-system-prune.1.gz
/usr/share/man/man1/docker-system.1.gz
/usr/share/man/man1/docker-tag.1.gz
/usr/share/man/man1/docker-top.1.gz
/usr/share/man/man1/docker-trust-inspect.1.gz
/usr/share/man/man1/docker-trust-key-generate.1.gz
/usr/share/man/man1/docker-trust-key-load.1.gz
/usr/share/man/man1/docker-trust-key.1.gz
/usr/share/man/man1/docker-trust-revoke.1.gz
/usr/share/man/man1/docker-trust-sign.1.gz
/usr/share/man/man1/docker-trust-signer-add.1.gz
/usr/share/man/man1/docker-trust-signer-remove.1.gz
/usr/share/man/man1/docker-trust-signer.1.gz
/usr/share/man/man1/docker-trust.1.gz
/usr/share/man/man1/docker-unpause.1.gz
/usr/share/man/man1/docker-update.1.gz
/usr/share/man/man1/docker-version.1.gz
/usr/share/man/man1/docker-volume-create.1.gz
/usr/share/man/man1/docker-volume-inspect.1.gz
/usr/share/man/man1/docker-volume-ls.1.gz
/usr/share/man/man1/docker-volume-prune.1.gz
/usr/share/man/man1/docker-volume-rm.1.gz
/usr/share/man/man1/docker-volume.1.gz
/usr/share/man/man1/docker-wait.1.gz
/usr/share/man/man1/docker.1.gz
/usr/share/man/man5
/usr/share/man/man5/Dockerfile.5.gz
/usr/share/man/man5/docker-config-json.5.gz
/usr/share/man/man8
/usr/share/man/man8/dockerd.8.gz
/usr/share/zsh
/usr/share/zsh/vendor-completions
/usr/share/zsh/vendor-completions/_docker

Example: view Docker-related files on CentOS 7

[root@centos7 ~]#rpm -ql docker-ce
/usr/bin/docker-init
/usr/bin/docker-proxy
/usr/bin/dockerd
/usr/lib/systemd/system/docker.service
/usr/lib/systemd/system/docker.socket
[root@centos7 ~]#rpm -ql docker-ce-cli
/usr/bin/docker
/usr/libexec/docker/cli-plugins/docker-app
/usr/libexec/docker/cli-plugins/docker-buildx
/usr/share/bash-completion/completions/docker
/usr/share/doc/docker-ce-cli-19.03.12
/usr/share/doc/docker-ce-cli-19.03.12/LICENSE
/usr/share/doc/docker-ce-cli-19.03.12/MAINTAINERS
/usr/share/doc/docker-ce-cli-19.03.12/NOTICE
/usr/share/doc/docker-ce-cli-19.03.12/README.md
/usr/share/fish/vendor_completions.d/docker.fish
/usr/share/man/man1/docker-attach.1.gz
/usr/share/man/man1/docker-build.1.gz
/usr/share/man/man1/docker-builder-build.1.gz
/usr/share/man/man1/docker-builder-prune.1.gz
/usr/share/man/man1/docker-builder.1.gz
/usr/share/man/man1/docker-checkpoint-create.1.gz
/usr/share/man/man1/docker-checkpoint-ls.1.gz
/usr/share/man/man1/docker-checkpoint-rm.1.gz
/usr/share/man/man1/docker-checkpoint.1.gz
/usr/share/man/man1/docker-commit.1.gz
/usr/share/man/man1/docker-config-create.1.gz
/usr/share/man/man1/docker-config-inspect.1.gz
/usr/share/man/man1/docker-config-ls.1.gz
/usr/share/man/man1/docker-config-rm.1.gz
/usr/share/man/man1/docker-config.1.gz
/usr/share/man/man1/docker-container-attach.1.gz
/usr/share/man/man1/docker-container-commit.1.gz
/usr/share/man/man1/docker-container-cp.1.gz
/usr/share/man/man1/docker-container-create.1.gz
/usr/share/man/man1/docker-container-diff.1.gz
/usr/share/man/man1/docker-container-exec.1.gz
/usr/share/man/man1/docker-container-export.1.gz
/usr/share/man/man1/docker-container-inspect.1.gz
/usr/share/man/man1/docker-container-kill.1.gz
/usr/share/man/man1/docker-container-logs.1.gz
/usr/share/man/man1/docker-container-ls.1.gz
/usr/share/man/man1/docker-container-pause.1.gz
/usr/share/man/man1/docker-container-port.1.gz
/usr/share/man/man1/docker-container-prune.1.gz
/usr/share/man/man1/docker-container-rename.1.gz
/usr/share/man/man1/docker-container-restart.1.gz
/usr/share/man/man1/docker-container-rm.1.gz
/usr/share/man/man1/docker-container-run.1.gz
/usr/share/man/man1/docker-container-start.1.gz
/usr/share/man/man1/docker-container-stats.1.gz
/usr/share/man/man1/docker-container-stop.1.gz
/usr/share/man/man1/docker-container-top.1.gz
/usr/share/man/man1/docker-container-unpause.1.gz
/usr/share/man/man1/docker-container-update.1.gz
/usr/share/man/man1/docker-container-wait.1.gz
/usr/share/man/man1/docker-container.1.gz
/usr/share/man/man1/docker-context-create.1.gz
/usr/share/man/man1/docker-context-export.1.gz
/usr/share/man/man1/docker-context-import.1.gz
/usr/share/man/man1/docker-context-inspect.1.gz
/usr/share/man/man1/docker-context-ls.1.gz
/usr/share/man/man1/docker-context-rm.1.gz
/usr/share/man/man1/docker-context-update.1.gz
/usr/share/man/man1/docker-context-use.1.gz
/usr/share/man/man1/docker-context.1.gz
/usr/share/man/man1/docker-cp.1.gz
/usr/share/man/man1/docker-create.1.gz
/usr/share/man/man1/docker-deploy.1.gz
/usr/share/man/man1/docker-diff.1.gz
/usr/share/man/man1/docker-engine-activate.1.gz
/usr/share/man/man1/docker-engine-check.1.gz
/usr/share/man/man1/docker-engine-update.1.gz
/usr/share/man/man1/docker-engine.1.gz
/usr/share/man/man1/docker-events.1.gz
/usr/share/man/man1/docker-exec.1.gz
/usr/share/man/man1/docker-export.1.gz
/usr/share/man/man1/docker-history.1.gz
/usr/share/man/man1/docker-image-build.1.gz
/usr/share/man/man1/docker-image-history.1.gz
/usr/share/man/man1/docker-image-import.1.gz
/usr/share/man/man1/docker-image-inspect.1.gz
/usr/share/man/man1/docker-image-load.1.gz
/usr/share/man/man1/docker-image-ls.1.gz
/usr/share/man/man1/docker-image-prune.1.gz
/usr/share/man/man1/docker-image-pull.1.gz
/usr/share/man/man1/docker-image-push.1.gz
/usr/share/man/man1/docker-image-rm.1.gz
/usr/share/man/man1/docker-image-save.1.gz
/usr/share/man/man1/docker-image-tag.1.gz
/usr/share/man/man1/docker-image.1.gz
/usr/share/man/man1/docker-images.1.gz
/usr/share/man/man1/docker-import.1.gz
/usr/share/man/man1/docker-info.1.gz
/usr/share/man/man1/docker-inspect.1.gz
/usr/share/man/man1/docker-kill.1.gz
/usr/share/man/man1/docker-load.1.gz
/usr/share/man/man1/docker-login.1.gz
/usr/share/man/man1/docker-logout.1.gz
/usr/share/man/man1/docker-logs.1.gz
/usr/share/man/man1/docker-manifest-annotate.1.gz
/usr/share/man/man1/docker-manifest-create.1.gz
/usr/share/man/man1/docker-manifest-inspect.1.gz
/usr/share/man/man1/docker-manifest-push.1.gz
/usr/share/man/man1/docker-manifest.1.gz
/usr/share/man/man1/docker-network-connect.1.gz
/usr/share/man/man1/docker-network-create.1.gz
/usr/share/man/man1/docker-network-disconnect.1.gz
/usr/share/man/man1/docker-network-inspect.1.gz
/usr/share/man/man1/docker-network-ls.1.gz
/usr/share/man/man1/docker-network-prune.1.gz
/usr/share/man/man1/docker-network-rm.1.gz
/usr/share/man/man1/docker-network.1.gz
/usr/share/man/man1/docker-node-demote.1.gz
/usr/share/man/man1/docker-node-inspect.1.gz
/usr/share/man/man1/docker-node-ls.1.gz
/usr/share/man/man1/docker-node-promote.1.gz
/usr/share/man/man1/docker-node-ps.1.gz
/usr/share/man/man1/docker-node-rm.1.gz
/usr/share/man/man1/docker-node-update.1.gz
/usr/share/man/man1/docker-node.1.gz
/usr/share/man/man1/docker-pause.1.gz
/usr/share/man/man1/docker-plugin-create.1.gz
/usr/share/man/man1/docker-plugin-disable.1.gz
/usr/share/man/man1/docker-plugin-enable.1.gz
/usr/share/man/man1/docker-plugin-inspect.1.gz
/usr/share/man/man1/docker-plugin-install.1.gz
/usr/share/man/man1/docker-plugin-ls.1.gz
/usr/share/man/man1/docker-plugin-push.1.gz
/usr/share/man/man1/docker-plugin-rm.1.gz
/usr/share/man/man1/docker-plugin-set.1.gz
/usr/share/man/man1/docker-plugin-upgrade.1.gz
/usr/share/man/man1/docker-plugin.1.gz
/usr/share/man/man1/docker-port.1.gz
/usr/share/man/man1/docker-ps.1.gz
/usr/share/man/man1/docker-pull.1.gz
/usr/share/man/man1/docker-push.1.gz
/usr/share/man/man1/docker-rename.1.gz
/usr/share/man/man1/docker-restart.1.gz
/usr/share/man/man1/docker-rm.1.gz
/usr/share/man/man1/docker-rmi.1.gz
/usr/share/man/man1/docker-run.1.gz
/usr/share/man/man1/docker-save.1.gz
/usr/share/man/man1/docker-search.1.gz
/usr/share/man/man1/docker-secret-create.1.gz
/usr/share/man/man1/docker-secret-inspect.1.gz
/usr/share/man/man1/docker-secret-ls.1.gz
/usr/share/man/man1/docker-secret-rm.1.gz
/usr/share/man/man1/docker-secret.1.gz
/usr/share/man/man1/docker-service-create.1.gz
/usr/share/man/man1/docker-service-inspect.1.gz
/usr/share/man/man1/docker-service-logs.1.gz
/usr/share/man/man1/docker-service-ls.1.gz
/usr/share/man/man1/docker-service-ps.1.gz
/usr/share/man/man1/docker-service-rm.1.gz
/usr/share/man/man1/docker-service-rollback.1.gz
/usr/share/man/man1/docker-service-scale.1.gz
/usr/share/man/man1/docker-service-update.1.gz
/usr/share/man/man1/docker-service.1.gz
/usr/share/man/man1/docker-stack-deploy.1.gz
/usr/share/man/man1/docker-stack-ls.1.gz
/usr/share/man/man1/docker-stack-ps.1.gz
/usr/share/man/man1/docker-stack-rm.1.gz
/usr/share/man/man1/docker-stack-services.1.gz
/usr/share/man/man1/docker-stack.1.gz
/usr/share/man/man1/docker-start.1.gz
/usr/share/man/man1/docker-stats.1.gz
/usr/share/man/man1/docker-stop.1.gz
/usr/share/man/man1/docker-swarm-ca.1.gz
/usr/share/man/man1/docker-swarm-init.1.gz
/usr/share/man/man1/docker-swarm-join-token.1.gz
/usr/share/man/man1/docker-swarm-join.1.gz
/usr/share/man/man1/docker-swarm-leave.1.gz
/usr/share/man/man1/docker-swarm-unlock-key.1.gz
/usr/share/man/man1/docker-swarm-unlock.1.gz
/usr/share/man/man1/docker-swarm-update.1.gz
/usr/share/man/man1/docker-swarm.1.gz
/usr/share/man/man1/docker-system-df.1.gz
/usr/share/man/man1/docker-system-events.1.gz
/usr/share/man/man1/docker-system-info.1.gz
/usr/share/man/man1/docker-system-prune.1.gz
/usr/share/man/man1/docker-system.1.gz
/usr/share/man/man1/docker-tag.1.gz
/usr/share/man/man1/docker-top.1.gz
/usr/share/man/man1/docker-trust-inspect.1.gz
/usr/share/man/man1/docker-trust-key-generate.1.gz
/usr/share/man/man1/docker-trust-key-load.1.gz
/usr/share/man/man1/docker-trust-key.1.gz
/usr/share/man/man1/docker-trust-revoke.1.gz
/usr/share/man/man1/docker-trust-sign.1.gz
/usr/share/man/man1/docker-trust-signer-add.1.gz
/usr/share/man/man1/docker-trust-signer-remove.1.gz
/usr/share/man/man1/docker-trust-signer.1.gz
/usr/share/man/man1/docker-trust.1.gz
/usr/share/man/man1/docker-unpause.1.gz
/usr/share/man/man1/docker-update.1.gz
/usr/share/man/man1/docker-version.1.gz
/usr/share/man/man1/docker-volume-create.1.gz
/usr/share/man/man1/docker-volume-inspect.1.gz
/usr/share/man/man1/docker-volume-ls.1.gz
/usr/share/man/man1/docker-volume-prune.1.gz
/usr/share/man/man1/docker-volume-rm.1.gz
/usr/share/man/man1/docker-volume.1.gz
/usr/share/man/man1/docker-wait.1.gz
/usr/share/man/man1/docker.1.gz
/usr/share/man/man5/Dockerfile.5.gz
/usr/share/man/man5/docker-config-json.5.gz
/usr/share/man/man8/dockerd.8.gz
/usr/share/zsh/vendor-completions/_docker

1.2.4 Docker command help

docker is the most frequently used Docker client command; the arguments that follow it select different functions

docker command format

docker [OPTIONS] COMMAND
COMMAND falls into two groups
Management Commands  #name the type of resource being managed; the newer usage, which groups commands by resource type and is easier to work with
Commands #commands acting on different resources without grouping; easy to mix up

docker has many subcommands; their help can be viewed as follows

#help for the docker command
man docker
docker
docker --help
#help for a docker subcommand
man docker-COMMAND
docker COMMAND --help

Official documentation: https://docs.docker.com/reference/

Example: view the docker command help

[root@ubuntu1804 ~]#docker --help
Usage: docker [OPTIONS] COMMAND
A self-sufficient runtime for containers
Options:
      --config string      Location of client config files (default "/root/.docker")
  -c, --context string     Name of the context to use to connect to the daemon (overrides DOCKER_HOST env var and default context set with "docker context use")
  -D, --debug              Enable debug mode
  -H, --host list          Daemon socket(s) to connect to
  -l, --log-level string   Set the logging level ("debug"|"info"|"warn"|"error"|"fatal") (default "info")
      --tls                Use TLS; implied by --tlsverify
      --tlscacert string   Trust certs signed only by this CA (default "/root/.docker/ca.pem")
      --tlscert string     Path to TLS certificate file (default "/root/.docker/cert.pem")
      --tlskey string      Path to TLS key file (default "/root/.docker/key.pem")
      --tlsverify          Use TLS and verify the remote
  -v, --version            Print version information and quit
Management Commands:
 builder     Manage builds
 config     Manage Docker configs
 container   Manage containers
 context     Manage contexts
 engine     Manage the docker engine
 image       Manage images
 network     Manage networks
 node       Manage Swarm nodes
 plugin     Manage plugins
 secret     Manage Docker secrets
 service     Manage services
 stack       Manage Docker stacks
 swarm       Manage Swarm
 system     Manage Docker
 trust       Manage trust on Docker images
 volume     Manage volumes
Commands:
 attach      Attach local standard input, output, and error streams to a running container
 build       Build an image from a Dockerfile
 commit     Create a new image from a container's changes
 cp         Copy files/folders between a container and the local filesystem
 create     Create a new container
 diff        Inspect changes to files or directories on a container's filesystem
 events     Get real time events from the server
 exec       Run a command in a running container
 export     Export a container's filesystem as a tar archive
 history     Show the history of an image
 images     List images
 import     Import the contents from a tarball to create a filesystem image
 info       Display system-wide information
 inspect     Return low-level information on Docker objects
 kill       Kill one or more running containers
 load       Load an image from a tar archive or STDIN
 login       Log in to a Docker registry
 logout     Log out from a Docker registry
 logs       Fetch the logs of a container
 pause       Pause all processes within one or more containers
 port       List port mappings or a specific mapping for the container
 ps         List containers
 pull       Pull an image or a repository from a registry
 push       Push an image or a repository to a registry
 rename     Rename a container
 restart     Restart one or more containers
 rm         Remove one or more containers
 rmi         Remove one or more images
 run         Run a command in a new container
 save        Save one or more images to a tar archive (streamed to STDOUT by default)
 search     Search the Docker Hub for images
 start       Start one or more stopped containers
 stats       Display a live stream of container(s) resource usage statistics
 stop       Stop one or more running containers
 tag         Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
 top         Display the running processes of a container
 unpause     Unpause all processes within one or more containers
 update     Update configuration of one or more containers
 version     Show the Docker version information
 wait        Block until one or more containers stop, then print their exit codes
 Run 'docker COMMAND --help' for more information on a command.

1.2.5 Viewing Docker information

1.2.5.1 View the Docker version

[root@ubuntu1804 ~]#docker version
Client: Docker Engine - Community
 Version:           19.03.5
 API version:       1.40
 Go version:       go1.12.12
 Git commit:       633a0ea838
 Built:             Wed Nov 13 07:29:52 2019
 OS/Arch:           linux/amd64
 Experimental:      false
Server: Docker Engine - Community
 Engine:
 Version:          19.03.5
 API version:      1.40 (minimum version 1.12)
 Go version:       go1.12.12
 Git commit:       633a0ea838
 Built:           Wed Nov 13 07:28:22 2019
 OS/Arch:         linux/amd64
 Experimental:     false
 containerd:
 Version:          1.2.10
 GitCommit:       b34a5c8af56e510852c35414db4c1f4fa6172339
 runc:
 Version:          1.0.0-rc8+dev
 GitCommit:       3e425f80a8c931f88e6d94a8c831b9d5aa481657
 docker-init:
 Version:          0.18.0
 GitCommit:       fec3683

1.2.5.2 View detailed Docker information

[root@ubuntu1804 ~]#docker info
Client:
 Debug Mode: false     #whether debug mode is enabled on the client
Server:
 Containers: 2   #total number of containers on this host
  Running: 0      #containers currently running
  Paused: 0       #containers paused
  Stopped: 2      #containers stopped
 Images: 4       #number of images on this server
 Server Version: 19.03.5     #server version
 Storage Driver: overlay2    #storage driver in use
  Backing Filesystem: extfs   #backing filesystem, i.e. the server's disk filesystem
  Supports d_type: true  #whether d_type is supported
  Native Overlay Diff: true   #whether native overlay diffs are supported
 Logging Driver: json-file   #logging driver
 Cgroup Driver: cgroupfs   #cgroups driver
 Plugins:                  #plugins
  Volume: local             #volume plugins
  Network: bridge host ipvlan macvlan null overlay # overlay provides cross-host communication
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog  # logging plugins
 Swarm: inactive    #whether swarm mode is active
 Runtimes: runc     #installed container runtimes
 Default Runtime: runc   #default container runtime
 Init Binary: docker-init   #init daemon for containers, i.e. the process with PID 1
 containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339 #containerd version
 runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657  #runc version
 init version: fec3683  #init version
 Security Options:   #security options
  apparmor     #security module, https://docs.docker.com/engine/security/apparmor/
  seccomp  #secure computing mode, i.e. restricts the operations a container may perform, https://docs.docker.com/engine/security/seccomp/
   Profile: default  #the default profile is in use
 Kernel Version: 4.15.0-29-generic  #host kernel version
 Operating System: Ubuntu 18.04.1 LTS  #host operating system
 OSType: linux    #host operating system type
 Architecture: x86_64   #host architecture
 CPUs: 1    #number of host CPUs
 Total Memory: 962MiB   #total host memory
 Name: ubuntu1804.test.org #host hostname
 ID: IZHJ:WPIN:BRMC:XQUI:VVVR:UVGK:NZBM:YQXT:JDWB:33RS:45V7:SQWJ #host ID
 Docker Root Dir: /var/lib/docker  #directory where the host keeps Docker data
 Debug Mode: false   #whether debug mode is enabled on the server
 Registry: https://index.docker.io/v1/  #registry address
 Labels:
 Experimental: false  #whether experimental features are enabled
 Insecure Registries:
  127.0.0.0/8   #registries treated as insecure
 Registry Mirrors:
  https://56sxj93s.mirror.aliyuncs.com/   #registry mirror
 Live Restore Enabled: false  #whether live restore is enabled (restart the Docker daemon without stopping containers)
WARNING: No swap limit support  #system warning (swap resource limits are not enabled)

Example: resolving the SWAP warning above

Official documentation: https://docs.docker.com/install/linux/linux-postinstall/#your-kernel-does-not-support-cgroup-swap-limit-capabilities

[root@ubuntu1804 ~]#docker info
......
WARNING: No swap limit support 
[root@ubuntu1804 ~]# vim /etc/default/grub
GRUB_DEFAULT=0
GRUB_TIMEOUT_STYLE=hidden
GRUB_TIMEOUT=2
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0 swapaccount=1"  #modify this line
[root@ubuntu1804 ~]# update-grub
[root@ubuntu1804 ~]# reboot

1.2.5.3 View the docker0 network interface

After docker is installed and started, a network interface named docker0 is created by default, with the default IP address 172.17.0.1.

#network interface configuration after installing docker on Ubuntu 18.04
[root@ubuntu1804 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
   inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
   link/ether 00:0c:29:34:df:91 brd ff:ff:ff:ff:ff:ff
   inet 10.0.0.100/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
   inet6 fe80::20c:29ff:fe34:df91/64 scope link 
       valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
   link/ether 02:42:d3:26:ed:4e brd ff:ff:ff:ff:ff:ff
   inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
   inet6 fe80::42:d3ff:fe26:ed4e/64 scope link 
       valid_lft forever preferred_lft forever
#network interface configuration after installing docker on CentOS 7.6
[root@centos7 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
   inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
   link/ether 00:0c:29:ca:00:e4 brd ff:ff:ff:ff:ff:ff
   inet 10.0.0.7/24 brd 10.0.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
   inet6 fe80::20c:29ff:feca:e4/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
   link/ether 02:42:d2:81:c2:e0 brd ff:ff:ff:ff:ff:ff
   inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
       
#network interface configuration after installing docker on CentOS 8.1
[root@centos8 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
   inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
   link/ether 00:0c:29:4d:ef:3e brd ff:ff:ff:ff:ff:ff
   inet 10.0.0.18/24 brd 10.0.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
   inet6 fe80::20c:29ff:fe4d:ef3e/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
   link/ether 02:42:f5:3e:65:b6 brd ff:ff:ff:ff:ff:ff
   inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
[root@centos8 ~]#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref   Use Iface
0.0.0.0         10.0.0.2        0.0.0.0         UG    100    0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     100    0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0

1.2.5.4 Docker storage drivers

Official documentation on storage drivers: https://docs.docker.com/storage/storagedriver/ and https://docs.docker.com/storage/storagedriver/select-storage-driver/

  • AUFS: (Advanced Multi-Layered Unification Filesystem, called Another UnionFS before version 2) is a Union FS and a file-level storage driver. Aufs is a re-implementation of the earlier UnionFS, developed in 2006 by Junjiro Okajima.

    A UnionFS merges directories from different physical locations by mounting them into one directory. Put simply, it supports mounting different directories under a single virtual filesystem, and modifications are stacked layer upon layer. However many layers lie underneath, they are all read-only; only the topmost layer is writable. When a file needs to be modified, AUFS creates a copy of it, using CoW to copy the file from the read-only layer into the writable layer before modifying it. The same arrangement is kept in Docker: the read-only layers underneath are the image, and the writable layer is the container.

    aufs was refused merging into mainline Linux; its code was criticized as "dense, unreadable, uncommented". OverlayFS was merged into the Linux kernel instead. After several failed attempts to get aufs merged into the mainline kernel, its author gave up.

    AUFS was the preferred storage driver for Docker 18.06 and earlier, on Ubuntu 14.04 running kernel 3.13, where overlay2 is not supported.

  • Overlay: a Union FS filesystem, supported since Linux kernel 3.18.

  • Overlay2: an upgraded version of Overlay. To date it is the storage type recommended on all Linux distributions and the default storage driver for docker. It requires the disk partition to support d_type, so it needs extra support from the system disk. Compared with AUFS, Overlay2 has the following advantages: a simpler design; in the mainline Linux kernel since 3.18; lower resource consumption.

  • devicemapper: the default storage driver on CentOS 7.2 / RHEL 7.2 and earlier, whose kernels did not support overlay2. It supports a maximum data capacity of only 100GB and performs poorly. Newer CentOS releases support overlay2, so overlay2 is recommended; this storage driver was also deprecated in Docker Engine 18.09.

  • ZFS (Sun, 2005) / btrfs (Oracle, 2007): not widely used at present.

  • vfs: for test environments, suitable when copy-on-write cannot be used. This storage driver performs poorly and is generally not recommended for production.

Reference for changing the storage driver: https://docs.docker.com/storage/storagedriver/overlayfs-driver/

Example: changing the storage driver on CentOS 7.2

[root@centos7 ~]#vim /lib/systemd/system/docker.service
.....
ExecStart=/usr/bin/dockerd -s overlay2 -H fd:// --containerd=/run/containerd/containerd.sock
......
#create a new xfs partition with the ftype feature enabled, otherwise the docker service will not start by default
[root@centos7 ~]#mkfs.xfs -n ftype=1 /dev/sdb
[root@centos7 ~]#mount /dev/sdb /var/lib/docker
[root@centos7 ~]#systemctl daemon-reload
[root@centos7 ~]#systemctl restart docker

Note: changing the storage driver causes all existing containers to be lost, so back up before changing it.

#check the default storage driver on Ubuntu 18.04
[root@ubuntu1804 ~]#docker info |grep Storage
WARNING: No swap limit support
 Storage Driver: overlay2
 
#check the default storage driver on CentOS 7.6
[root@centos7 ~]#docker info |grep Storage
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Storage Driver: overlay2

Docker officially recommends overlay2 as the preferred storage driver, with devicemapper second; devicemapper, however, has some limitations on usable space. Although these can be worked around with later configuration, overlay2 remains the official recommendation. A production incident example: https://www.cnblogs.com/youruncloud/p/5736718.html

[root@centos7 ~]#xfs_info /data
meta-data=/dev/mapper/centos-root isize=512    agcount=4, agsize=3276800 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=0 spinodes=0
data     =                       bsize=4096   blocks=13107200, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
log      =internal               bsize=4096   blocks=6400, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
[root@centos7 ~]#

If the docker data directory is a separate disk partition formatted as xfs, it must be formatted with the option -n ftype=1 (enabling this stores the inode file type in the directory structure), for example: mkfs.xfs -n ftype=1 devname. Otherwise containers will later fail to start, with an error that d_type is not supported.

Note: the ext4 filesystem does not need this d_type option.

[root@centos7 ~]#xfs_info /data
meta-data=/dev/mapper/centos-root isize=512    agcount=4, agsize=3276800 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=0 spinodes=0
data     =                       bsize=4096   blocks=13107200, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0   #versions before CentOS 7.2 default to ftype=0
log      =internal               bsize=4096   blocks=6400, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
[root@centos7 ~]#

Error screen:

image-20220423225121956

Example: union filesystem mount with aufs

[root@ubuntu1804 ~]#cat /proc/filesystems 
nodev sysfs
nodev rootfs
nodev ramfs
nodev bdev
nodev proc
nodev cpuset
nodev cgroup
nodev cgroup2
nodev tmpfs
nodev devtmpfs
nodev configfs
nodev debugfs
nodev tracefs
nodev securityfs
nodev sockfs
nodev dax
nodev bpf
nodev pipefs
nodev hugetlbfs
nodev devpts
 ext3
 ext2
 ext4
 squashfs
 vfat
nodev ecryptfs
 fuseblk
nodev fuse
nodev fusectl
nodev pstore
nodev mqueue
 btrfs
nodev autofs
nodev rpc_pipefs
nodev nfsd
nodev overlay
nodev aufs
[root@ubuntu1804 ~]#grep -i aufs /boot/config-4.15.0-29-generic 
CONFIG_AUFS_FS=m
CONFIG_AUFS_BRANCH_MAX_127=y
# CONFIG_AUFS_BRANCH_MAX_511 is not set
# CONFIG_AUFS_BRANCH_MAX_1023 is not set
# CONFIG_AUFS_BRANCH_MAX_32767 is not set
CONFIG_AUFS_SBILIST=y
# CONFIG_AUFS_HNOTIFY is not set
CONFIG_AUFS_EXPORT=y
CONFIG_AUFS_INO_T_64=y
CONFIG_AUFS_XATTR=y
# CONFIG_AUFS_FHSM is not set
# CONFIG_AUFS_RDU is not set
CONFIG_AUFS_DIRREN=y
# CONFIG_AUFS_SHWH is not set
# CONFIG_AUFS_BR_RAMFS is not set
# CONFIG_AUFS_BR_FUSE is not set
CONFIG_AUFS_BR_HFSPLUS=y
CONFIG_AUFS_BDEV_LOOP=y
# CONFIG_AUFS_DEBUG is not set
[root@ubuntu1804 ~]#mkdir dir{1,2}
[root@ubuntu1804 ~]#echo here is dir1 > dir1/file1
[root@ubuntu1804 ~]#echo here is dir2 > dir2/file2
[root@ubuntu1804 ~]#mkdir /data/aufs
[root@ubuntu1804 ~]#mount -t aufs -o br=/root/dir1=ro:/root/dir2=rw none /data/aufs
[root@ubuntu1804 ~]#ll /data/aufs/
total 16
drwxr-xr-x 4 root root 4096 Jan 25 16:22 ./
drwxr-xr-x 4 root root 4096 Jan 25 16:22 ../
-rw-r--r-- 1 root root   13 Jan 25 16:22 file1
-rw-r--r-- 1 root root   13 Jan 25 16:22 file2
[root@ubuntu1804 ~]#cat /data/aufs/file1
here is dir1
[root@ubuntu1804 ~]#cat /data/aufs/file2
here is dir2
[root@ubuntu1804 ~]#df -T
Filesystem     Type     1K-blocks   Used Available Use% Mounted on
udev           devtmpfs    462560       0    462560   0% /dev
tmpfs         tmpfs        98512   10296     88216  11% /run
/dev/sda2     ext4      47799020 2770244  42570972   7% /
tmpfs         tmpfs       492552       0    492552   0% /dev/shm
tmpfs         tmpfs         5120       0      5120   0% /run/lock
tmpfs         tmpfs       492552       0    492552   0% /sys/fs/cgroup
/dev/sda3     ext4      19091540   45084  18053588   1% /data
/dev/sda1     ext4        944120   77112    801832   9% /boot
tmpfs         tmpfs        98508       0     98508   0% /run/user/0
none           aufs      47799020 2770244  42570972   7% /data/aufs
[root@ubuntu1804 ~]#echo write to file1 >> /data/aufs/file1
-bash: /data/aufs/file1: Read-only file system
[root@ubuntu1804 ~]#echo write to file2 >> /data/aufs/file2
[root@ubuntu1804 ~]#cat /data/aufs/file1
here is dir1
[root@ubuntu1804 ~]#cat /data/aufs/file2
here is dir2
write to file2
[root@ubuntu1804 ~]#umount /data/aufs 
[root@ubuntu1804 ~]#mv dir1/file1 dir1/file2
[root@ubuntu1804 ~]#cat dir1/file2
here is dir1
[root@ubuntu1804 ~]#cat dir2/file2
here is dir2
write to file2
[root@ubuntu1804 ~]#mount -t aufs -o br=/root/dir1=ro:/root/dir2=rw none /data/aufs
[root@ubuntu1804 ~]#ls /data/aufs -l
total 4
-rw-r--r-- 1 root root 13 Jan 25 16:22 file2
[root@ubuntu1804 ~]#cat /data/aufs/file2 
here is dir1
[root@ubuntu1804 ~]#

Example: changing the storage driver

[root@ubuntu1804 ~]#docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              5ad3bd0e67a9        3 days ago          127MB
alpine              latest              e7d92cdc71fe        7 days ago          5.59MB
centos              centos8.1.1911      470671670cac        7 days ago          237MB
centos              latest              470671670cac        7 days ago          237MB
busybox             latest              6d5fcfe5ff17        4 weeks ago         1.22MB
hello-world         latest              fce289e99eb9        12 months ago       1.84kB
[root@ubuntu1804 ~]#docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS               NAMES
d4741f815199        busybox             "sh"                     41 hours ago        Exited (137) 23 hours ago                       flamboyant_moser
5dee9be9afdb        nginx               "nginx -g 'daemon of…"   2 days ago          Exited (0) 23 hours ago                         lucid_lichterman
[root@ubuntu1804 ~]#docker info |grep "Storage Driver"
 Storage Driver: overlay2
[root@ubuntu1804 ~]#systemctl stop docker
Warning: Stopping docker.service, but it can still be activated by:
 docker.socket
[root@ubuntu1804 ~]#vim /etc/docker/daemon.json
[root@ubuntu1804 ~]#cat /etc/docker/daemon.json
{
   "storage-driver": "aufs"
}
[root@ubuntu1804 ~]#systemctl restart docker
[root@ubuntu1804 ~]#docker info |grep aufs
WARNING: the aufs storage-driver is deprecated, and will be removed in a future release.
 Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
[root@ubuntu1804 ~]#docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
[root@ubuntu1804 ~]#docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[root@ubuntu1804 ~]#vim /etc/docker/daemon.json
{
   "storage-driver": "aufs"
}
[root@ubuntu1804 ~]#ls /var/lib/docker
aufs builder buildkit containers image network overlay2 plugins runtimes swarm tmp trust volumes
[root@ubuntu1804 ~]#ls /var/lib/docker/aufs/
diff layers mnt
[root@ubuntu1804 ~]#ll /var/lib/docker/aufs/
total 20
drwx------  5 root root 4096 Jan 25 16:46 ./
drwx--x--x 15 root root 4096 Jan 25 16:46 ../
drwx------  2 root root 4096 Jan 25 16:46 diff/
drwx------  2 root root 4096 Jan 25 16:46 layers/
drwx------  2 root root 4096 Jan 25 16:46 mnt/
[root@ubuntu1804 ~]#vim /etc/docker/daemon.json
[root@ubuntu1804 ~]#cat /etc/docker/daemon.json 
{
  "registry-mirrors": ["https://56sxj93s.mirror.aliyuncs.com"]
}
[root@ubuntu1804 ~]#
[root@ubuntu1804 ~]#systemctl restart docker
[root@ubuntu1804 ~]#ll /var/lib/docker/aufs/
total 20
drwx------  5 root root 4096 Jan 25 16:46 ./
drwx--x--x 15 root root 4096 Jan 25 16:48 ../
drwx------  2 root root 4096 Jan 25 16:46 diff/
drwx------  2 root root 4096 Jan 25 16:46 layers/
drwx------  2 root root 4096 Jan 25 16:46 mnt/
[root@ubuntu1804 ~]#docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS               NAMES
d4741f815199        busybox             "sh"                     41 hours ago        Exited (137) 23 hours ago                       flamboyant_moser
5dee9be9afdb        nginx               "nginx -g 'daemon of…"   2 days ago          Exited (0) 23 hours ago                         lucid_lichterman
[root@ubuntu1804 ~]#docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              5ad3bd0e67a9        3 days ago          127MB
alpine              latest              e7d92cdc71fe        7 days ago          5.59MB
centos              centos8.1.1911      470671670cac        7 days ago          237MB
centos              latest              470671670cac        7 days ago          237MB
busybox             latest              6d5fcfe5ff17        4 weeks ago         1.22MB
hello-world         latest              fce289e99eb9        12 months ago       1.84kB
[root@ubuntu1804 ~]#

1.2.5.5 Docker service processes

By inspecting the docker processes we can understand how docker runs and how it works.

1.2.5.5.1 View the host process tree

[root@ubuntu1804 ~]#docker version
Client: Docker Engine - Community
 Version:           19.03.5
 API version:       1.40
 Go version:       go1.12.12
 Git commit:       633a0ea838
 Built:             Wed Nov 13 07:29:52 2019
 OS/Arch:           linux/amd64
 Experimental:      false
Server: Docker Engine - Community
 Engine:
 Version:          19.03.5
 API version:      1.40 (minimum version 1.12)
 Go version:       go1.12.12
 Git commit:       633a0ea838
 Built:           Wed Nov 13 07:28:22 2019
 OS/Arch:         linux/amd64
 Experimental:     false
 containerd:
 Version:          1.2.10
 GitCommit:       b34a5c8af56e510852c35414db4c1f4fa6172339
 runc:
 Version:          1.0.0-rc8+dev
 GitCommit:       3e425f80a8c931f88e6d94a8c831b9d5aa481657
 docker-init:
 Version:          0.18.0
 GitCommit:       fec3683
[root@ubuntu1804 ~]#pstree -p
systemd(1)─┬─VGAuthService(796)
           ├─accounts-daemon(800)─┬─{accounts-daemon}(805)
           │                     └─{accounts-daemon}(807)
           ├─agetty(866)
           ├─atd(799)
           ├─blkmapd(502)
           ├─containerd(801)─┬─containerd-shim(2497)─┬─sh(2520)
           │                 │                       ├─{containerd-shim}(2499)
           │                 │                       ├─{containerd-shim}(2500)
           │                 │                       ├─{containerd-shim}(2501)
           │                 │                       ├─{containerd-shim}(2502)
           │                 │                       ├─{containerd-shim}(2503)
           │                 │                       ├─{containerd-shim}(2504)
           │                 │                       ├─{containerd-shim}(2505)
           │                 │                       ├─{containerd-shim}(2550)
           │                 │                       └─{containerd-shim}(2551)
           │                 ├─containerd-shim(2627)─┬─nginx(2649)───nginx(2699)
           │                 │                       ├─{containerd-shim}(2628)
           │                 │                       ├─{containerd-shim}(2629)
           │                 │                       ├─{containerd-shim}(2630)
           │                 │                       ├─{containerd-shim}(2631)
           │                 │                       ├─{containerd-shim}(2632)
           │                 │                       ├─{containerd-shim}(2633)
           │                 │                       ├─{containerd-shim}(2634)
           │                 │                       ├─{containerd-shim}(2636)
           │                 │                       └─{containerd-shim}(2678)
           │                 ├─containerd-shim(2756)─┬─nginx(2776)───nginx(2823)
           │                 │                       ├─{containerd-shim}(2757)
           │                 │                       ├─{containerd-shim}(2758)
           │                 │                       ├─{containerd-shim}(2759)
           │                 │                       ├─{containerd-shim}(2760)
           │                 │                       ├─{containerd-shim}(2761)
           │                 │                       ├─{containerd-shim}(2762)
           │                 │                       ├─{containerd-shim}(2763)
           │                 │                       ├─{containerd-shim}(2765)
           │                 │                       └─{containerd-shim}(2805)
           │                 ├─{containerd}(906)
           │                 ├─{containerd}(907)
           │                 ├─{containerd}(909)
           │                 ├─{containerd}(930)
           │                 ├─{containerd}(931)
           │                 ├─{containerd}(933)
           │                 ├─{containerd}(934)
           │                 ├─{containerd}(948)
           │                 ├─{containerd}(2498)
           │                 └─{containerd}(2827)
           ├─cron(794)
           ├─dbus-daemon(781)
           ├─dockerd(2207)─┬─docker-proxy(2622)─┬─{docker-proxy}(2623)
           │               │                   ├─{docker-proxy}(2624)
           │               │                   ├─{docker-proxy}(2625)
           │               │                   └─{docker-proxy}(2626)
           │               ├─docker-proxy(2750)─┬─{docker-proxy}(2751)
           │               │                   ├─{docker-proxy}(2752)
           │               │                   ├─{docker-proxy}(2753)
           │               │                   ├─{docker-proxy}(2754)
           │               │                   └─{docker-proxy}(2755)
           │               ├─{dockerd}(2209)
           │               ├─{dockerd}(2210)
           │               ├─{dockerd}(2211)
           │               ├─{dockerd}(2215)
           │               ├─{dockerd}(2220)
           │               ├─{dockerd}(2221)
           │               ├─{dockerd}(2222)
           │               ├─{dockerd}(2514)
           │               └─{dockerd}(2540)
           ├─iscsid(837)
           ├─iscsid(839)
           ├─lvmetad(513)
           ├─lxcfs(780)─┬─{lxcfs}(783)
           │           ├─{lxcfs}(784)
           │           └─{lxcfs}(1512)
           ├─networkd-dispat(795)───{networkd-dispat}(925)
           ├─polkitd(808)─┬─{polkitd}(809)
           │             └─{polkitd}(816)
           ├─rpc.idmapd(690)
           ├─rpc.mountd(751)
           ├─rpcbind(693)
           ├─rsyslogd(788)─┬─{rsyslogd}(791)
           │               ├─{rsyslogd}(792)
           │               └─{rsyslogd}(793)
           ├─snapd(798)─┬─{snapd}(823)
           │           ├─{snapd}(826)
           │           ├─{snapd}(827)
           │           ├─{snapd}(828)
           │           ├─{snapd}(873)
           │           ├─{snapd}(882)
           │           └─{snapd}(883)
           ├─sshd(881)───sshd(912)───bash(1240)───pstree(2900)
           ├─systemd(947)───(sd-pam)(958)
           ├─systemd-journal(481)
           ├─systemd-logind(797)
           ├─systemd-network(700)
           ├─systemd-resolve(730)
           ├─systemd-timesyn(691)───{systemd-timesyn}(746)
           ├─systemd-udevd(508)
           └─vmtoolsd(489)
[root@ubuntu1804 ~]#ps aux|grep -E "containerd|docker"
root        801  0.0  4.4 776680 43972 ?        Ssl  12:30   0:03 /usr/bin/containerd
root       2207  0.0  8.8 839016 86712 ?        Ssl  16:48   0:02 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root       2497  0.0  0.5 107696  5564 ?        Sl   17:33   0:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/d4741f815199a35c7e802662206160342d56125b47ec46d48a5f580759d86a6e -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root       2622  0.0  0.4 405532  4128 ?        Sl   17:34   0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8888 -container-ip 172.17.0.3 -container-port 80
root       2627  0.0  0.6 109104  6196 ?        Sl   17:34   0:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/5dee9be9afdbab8c2f6c4c5eb0f956c9579efe93110daf638f8fd15f43d961e2 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root       2750  0.0  0.4 479264  4148 ?        Sl   17:38   0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 6666 -container-ip 172.17.0.4 -container-port 80
root       2756  0.0  0.6 109104  6204 ?        Sl   17:38   0:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/d9e7f75cdb9d7d30f8febae30d72cdc4b6e96b0408fa998af6deb3937d5271ed -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root       2899  0.0  0.1  14428  1100 pts/0    S+   17:51   0:00 grep --color=auto -E containerd|docker

Process relationships in docker 18.06 and earlier:

image-20220423225406913

1.2.5.5.2 Docker process relationships

The four docker-related processes:

  • dockerd: the server program, accessed directly by the client; its parent is the host's systemd daemon.
  • docker-proxy: each docker-proxy process corresponds to one container that needs network communication and manages the port mapping between the host and that container; its parent is dockerd. If the container needs no network, no docker-proxy is started.
  • containerd: called by the dockerd process to interact with runc.
  • containerd-shim: the actual carrier that runs the container; each container has its own containerd-shim process, whose parent is containerd.

1.2.5.5.3 Using the containerd-shim command
[root@ubuntu1804 ~]#containerd-shim -h
Usage of containerd-shim:
  -address string
   grpc address back to main containerd
  -containerd-binary containerd publish
   path to containerd binary (used for containerd publish) (default "containerd")
  -criu string
   path to criu binary
  -debug
   enable debug output in logs
  -namespace string
   namespace that owns the shim
  -runtime-root string
   root directory for the runtime (default "/run/containerd/runc")
  -socket string
   abstract socket path to serve
  -systemd-cgroup
   set runtime to use systemd-cgroup
  -workdir string
   path used to storge large temporary data

1.2.5.5.4 Container creation and management process

Communication flow:

image-20220423225551904

  1. dockerd communicates with the containerd module over gRPC; inside dockerd, libcontainerd is responsible for exchanging with containerd. The socket file used for communication between dockerd and containerd is /run/containerd/containerd.sock
  2. containerd is started when dockerd starts; containerd then starts listening for gRPC requests and handles each request by performing the corresponding action
  3. For run, start or exec of a container, containerd launches a containerd-shim and performs the corresponding operation
  4. Once containerd-shim has been launched, start/exec/create launches the runC process; the shim communicates with containerd through the exit and control files and monitors the state of the processes in the container through the parent-child relationship and SIGCHLD
  5. Throughout the container lifecycle, containerd monitors the container files with epoll, watching for container events
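
The process relationships above (dockerd -> docker-proxy, containerd -> containerd-shim -> container processes) are what lets a responder tie a suspicious host PID back to a container. The following Python is an added example, not code from the original page or from Docker: it parses a plain `ps -eo pid,ppid,args` listing, recovers each container's 64-hex ID from the containerd-shim -workdir path and each docker-proxy's host-port to container-IP:port mapping. SAMPLE_PS is constructed from the PIDs and arguments in this section's `ps aux` and `pstree` output.

```python
"""Tie host PIDs back to containers from a `ps` listing.

Added example, not code from the original page. It applies the process
relationships described in this section to a `ps -eo pid,ppid,args`
listing: containerd-shim -workdir carries the container ID, docker-proxy
flags carry the port mapping. SAMPLE_PS is constructed from this section.
"""
import re

# Constructed sample in `ps -eo pid,ppid,args` form (values from this section).
SAMPLE_PS = """\
  801     1 /usr/bin/containerd
 2207     1 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
 2497   801 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/d4741f815199a35c7e802662206160342d56125b47ec46d48a5f580759d86a6e -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
 2520  2497 sh
 2622  2207 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8888 -container-ip 172.17.0.3 -container-port 80
 2627   801 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/5dee9be9afdbab8c2f6c4c5eb0f956c9579efe93110daf638f8fd15f43d961e2 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
 2649  2627 nginx: master process nginx -g daemon off;
 2699  2649 nginx: worker process
 2750  2207 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 6666 -container-ip 172.17.0.4 -container-port 80
"""

# The moby namespace directory name is the full 64-hex container ID.
CONTAINER_ID_RE = re.compile(r"/moby/([0-9a-f]{64})")


class Proc:
    def __init__(self, pid, ppid, args):
        self.pid, self.ppid, self.args = pid, ppid, args
        self.children = []

    @property
    def command(self):
        return self.args.split()[0]


def parse_ps(text):
    """Build a pid -> Proc map and link every process to its parent."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # skip blank lines and a header row, if one is present
        procs[int(parts[0])] = Proc(int(parts[0]), int(parts[1]), parts[2])
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def parse_flags(args):
    """Turn 'prog -a x -b y' style arguments into {'a': 'x', 'b': 'y'}."""
    tokens = args.split()[1:]
    flags = {}
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok.startswith("-") and nxt is not None and not nxt.startswith("-"):
            flags[tok.lstrip("-")] = nxt
    return flags


def descendant_pids(proc):
    """All PIDs below proc in the tree, i.e. the processes inside that container."""
    out, stack = [], list(proc.children)
    while stack:
        p = stack.pop()
        out.append(p.pid)
        stack.extend(p.children)
    return sorted(out)


def shim_containers(procs):
    """container ID -> {'shim': shim pid, 'pids': pids running inside it}."""
    found = {}
    for p in procs.values():
        if p.command.endswith("containerd-shim"):
            m = CONTAINER_ID_RE.search(parse_flags(p.args).get("workdir", ""))
            if m:
                found[m.group(1)] = {"shim": p.pid, "pids": descendant_pids(p)}
    return found


def container_for_pid(procs, pid):
    """Walk up the parent chain; the first containerd-shim met names the container."""
    p = procs.get(pid)
    while p is not None:
        if p.command.endswith("containerd-shim"):
            m = CONTAINER_ID_RE.search(p.args)
            return m.group(1) if m else None
        p = procs.get(p.ppid)
    return None  # reached the top without meeting a shim: a plain host process


def proxy_mappings(procs):
    """host port -> 'container_ip:container_port' for every docker-proxy."""
    maps = {}
    for p in procs.values():
        if p.command.endswith("docker-proxy"):
            f = parse_flags(p.args)
            maps[int(f["host-port"])] = f"{f['container-ip']}:{f['container-port']}"
    return maps
```

On a live host, feed it the output of `ps -eo pid,ppid,args --no-headers` and compare the recovered IDs with `docker ps --no-trunc`.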

1.2.5.5.5 Introduction to gRPC

gRPC is a high-performance, open-source, general-purpose RPC framework developed by Google, with client support for many languages.

Official site: https://www.grpc.io/

1.2.5.5.6 Process structure of podman

podman has no dockerd service process, so when no container is running, no process needs to be started; when a container starts, it runs as a child process of conmon.

[root@centos8 ~]#podman version
Version:            1.4.2-stable2
RemoteAPI Version:  1
Go Version:         go1.12.8
OS/Arch:           linux/amd64
[root@centos8 ~]#podman run -d -p 80:80 docker.io/library/nginx
d8877293635c599a82ab5cb82c942cd86baf7c5810dd824154b15b0a88e76be8
[root@centos8 ~]#ss -tlnp
State   Recv-Q   Send-Q     Local Address:Port       Peer Address:Port
LISTEN  0        128              0.0.0.0:80              0.0.0.0:*       users:(("conmon",pid=5173,fd=5))
LISTEN  0        128              0.0.0.0:22              0.0.0.0:*       users:(("sshd",pid=687,fd=4))
LISTEN  0        128                 [::]:22                 [::]:*       users:(("sshd",pid=687,fd=6))
[root@centos8 ~]#pstree -p
systemd(1)─┬─NetworkManager(660)─┬─{NetworkManager}(680)
           │                     └─{NetworkManager}(682)
           ├─VGAuthService(663)
           ├─agetty(805)
           ├─anacron(2793)
           ├─atd(799)
           ├─auditd(616)───{auditd}(617)
           ├─automount(816)─┬─{automount}(821)
           │               ├─{automount}(822)
           │               ├─{automount}(829)
           │               └─{automount}(837)
           ├─conmon(5173)─┬─nginx(5183)───nginx(5194)
           │             └─{conmon}(5175)
           ├─crond(797)
           ├─dbus-daemon(658)
           ├─polkitd(665)─┬─{polkitd}(679)
           │             ├─{polkitd}(683)
           │             ├─{polkitd}(694)
           │             ├─{polkitd}(695)
           │             └─{polkitd}(750)
           ├─rngd(661)───{rngd}(673)
           ├─rsyslogd(814)─┬─{rsyslogd}(818)
           │               └─{rsyslogd}(820)
           ├─sshd(687)─┬─sshd(1166)───sshd(1243)───bash(1244)
           │           └─sshd(1306)───sshd(1308)───bash(1309)───pstree(5198)
           ├─sssd(659)─┬─sssd_be(722)
           │           └─sssd_nss(749)
           ├─systemd(1234)───(sd-pam)(1237)
           ├─systemd-journal(543)
           ├─systemd-logind(794)
           ├─systemd-udevd(575)
           ├─tuned(692)─┬─{tuned}(1080)
           │           ├─{tuned}(1089)
           │           └─{tuned}(1097)
           └─vmtoolsd(664)───{vmtoolsd}(762)
[root@centos8 ~]#

1.2.6 Docker service management

The docker service uses a client/server (C/S) architecture and can be managed both locally and remotely.

#dockerd daemon startup options
-H tcp://host:port
   unix:///path/to/socket,
   fd://* or fd://socketfd
#daemon default configuration:
-H unix:///var/run/docker.sock
#docker client command options
-H tcp://host:port
   unix:///path/to/socket,
   fd://* or fd://socketfd
#client default configuration:
-H unix:///var/run/docker.sock
#the docker client can also use the DOCKER_HOST environment variable instead of the -H option
export DOCKER_HOST="tcp://docker-server:2375"
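
The default -H above is the Unix socket, which is also what the `nc -U /var/run/docker.sock` session further down talks to. As an added example (not the page's or Docker's own code), the Python below issues the same `GET /info` request over that socket with http.client and then audits the returned document for the hardening-relevant fields that `docker info` displays earlier in this section. SAMPLE_INFO is constructed from this section's values; the API field names assumed (SecurityOptions, RegistryConfig.InsecureRegistryCIDRs, ExperimentalBuild) are those of Engine API v1.40.

```python
"""Query the Docker Engine API over its Unix socket and audit /info.

Added example, not code from the original page. docker_info() does what the
`nc -U /var/run/docker.sock` + `GET /info` demonstration in this section does;
audit_info() flags the settings a hardening review looks at. SAMPLE_INFO is
constructed from the `docker info` values shown in this section.
"""
import http.client
import json
import socket

# Default daemon endpoint (-H unix:///var/run/docker.sock). The socket is
# root:docker mode 0660; anyone who can write to it controls the daemon, and
# the daemon runs as root on the host.
DOCKER_SOCK = "/var/run/docker.sock"


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection whose transport is an AF_UNIX socket instead of TCP."""

    def __init__(self, path, timeout=10):
        super().__init__("localhost", timeout=timeout)
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.unix_path)


def docker_info(sock_path=DOCKER_SOCK, api_version="1.40"):
    """GET /v<api>/info over the socket and return the parsed JSON document."""
    conn = UnixHTTPConnection(sock_path)
    try:
        conn.request("GET", f"/v{api_version}/info", headers={"Host": "docker"})
        resp = conn.getresponse()
        body = resp.read()
        if resp.status != 200:
            raise RuntimeError(f"GET /info returned {resp.status}: {body[:200]!r}")
    finally:
        conn.close()
    return json.loads(body)


def audit_info(info):
    """Return {finding_key: message} for daemon settings worth a second look."""
    findings = {}
    driver = info.get("Driver")
    status = dict(info.get("DriverStatus") or [])  # [["Supports d_type","true"], ...]
    if driver != "overlay2":
        findings["storage_driver"] = f"storage driver is {driver!r}; overlay2 is the recommended driver"
    if driver in ("overlay", "overlay2") and status.get("Supports d_type") != "true":
        findings["d_type"] = "backing filesystem lacks d_type; xfs must be created with -n ftype=1"
    if not info.get("SwapLimit"):
        findings["swap_limit"] = "no swap limit support (add swapaccount=1 to the kernel command line)"
    if info.get("Debug"):
        findings["debug"] = "daemon is running in debug mode"
    if info.get("ExperimentalBuild"):
        findings["experimental"] = "experimental features are enabled"
    # SecurityOptions entries look like "name=apparmor" or "name=seccomp,profile=default".
    enabled = {opt.split(",")[0].split("=", 1)[-1] for opt in info.get("SecurityOptions") or []}
    for module in ("apparmor", "seccomp"):
        if module not in enabled:
            findings[module] = f"{module} is not enabled for containers on this daemon"
    cidrs = (info.get("RegistryConfig") or {}).get("InsecureRegistryCIDRs") or []
    extra = [c for c in cidrs if c != "127.0.0.0/8"]  # 127.0.0.0/8 is the built-in default
    if extra:
        findings["insecure_registries"] = f"plain-HTTP registries configured: {extra}"
    return findings


# Constructed from the `docker info` output earlier in this section.
SAMPLE_INFO = {
    "ServerVersion": "19.03.5",
    "Driver": "overlay2",
    "DriverStatus": [["Backing Filesystem", "extfs"], ["Supports d_type", "true"],
                     ["Native Overlay Diff", "true"]],
    "SwapLimit": False,
    "Debug": False,
    "ExperimentalBuild": False,
    "SecurityOptions": ["name=apparmor", "name=seccomp,profile=default"],
    "RegistryConfig": {"InsecureRegistryCIDRs": ["127.0.0.0/8"],
                       "Mirrors": ["https://56sxj93s.mirror.aliyuncs.com/"]},
}
```

Run `audit_info(docker_info())` as root or as a member of the docker group; prefer the socket over a tcp:// -H listener, which the daemon does not authenticate unless TLS is configured.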

Example: accessing docker through a Unix domain socket (UDS)

[root@ubuntu1804 ~]#cat /lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
BindsTo=containerd.service
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3
# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
[Install]
WantedBy=multi-user.target
[root@ubuntu1804 ~]#systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-07-22 14:06:46 CST; 5h 50min ago
     Docs: https://docs.docker.com
 Main PID: 1138 (dockerd)
    Tasks: 17
   CGroup: /system.slice/docker.service
           └─1138 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
Jul 22 15:43:42 ubuntu1804.test.org dockerd[1138]: time="2020-07-22T15:43:42.056506408+08:00" level=info msg="
Jul 22 15:43:42 ubuntu1804.test.org dockerd[1138]: time="2020-07-22T15:43:42.064414577+08:00" level=info msg="
Jul 22 15:53:58 ubuntu1804.test.org dockerd[1138]: time="2020-07-22T15:53:58.938037439+08:00" level=info msg="
Jul 22 15:53:58 ubuntu1804.test.org dockerd[1138]: time="2020-07-22T15:53:58.951842078+08:00" level=info msg="
Jul 22 15:55:33 ubuntu1804.test.org dockerd[1138]: time="2020-07-22T15:55:33.837166628+08:00" level=info msg="
Jul 22 19:47:55 ubuntu1804.test.org dockerd[1138]: time="2020-07-22T19:47:55.212507176+08:00" level=info msg="
Jul 22 19:47:55 ubuntu1804.test.org dockerd[1138]: time="2020-07-22T19:47:55.220542970+08:00" level=info msg="
Jul 22 19:47:55 ubuntu1804.test.org dockerd[1138]: time="2020-07-22T19:47:55.234106123+08:00" level=info msg="
Jul 22 19:47:55 ubuntu1804.test.org dockerd[1138]: time="2020-07-22T19:47:55.237476234+08:00" level=info msg="
Jul 22 19:47:55 ubuntu1804.test.org dockerd[1138]: time="2020-07-22T19:47:55.238167375+08:00" level=info msg=
[root@ubuntu1804 ~]#ll /var/run/docker.sock 
srw-rw---- 1 root docker 0 Jul 22 20:33 /var/run/docker.sock=
[root@ubuntu1804 ~]#nc -U /var/run/docker.sock 
GET /info HTTP/1.1
host: www.test.org
HTTP/1.1 200 OK
Api-Version: 1.40
Content-Type: application/json
Docker-Experimental: false
Ostype: linux
Server: Docker/19.03.12 (linux)
Date: Wed, 22 Jul 2020 11:54:12 GMT
Transfer-Encoding: chunked
947
{"ID":"LVU6:OXD3:TAPB:KDNQ:YRSN:XTAS:3V32:IERB:2DM6:4CDK:CRO6:ZKAW","Containers":0,"ContainersRunning":0,"ContainersPaused":0,"ContainersStopped":0,"Images":5,"Driver":"overlay2","DriverStatus":[["Backing Filesystem","extfs"],["Supports d_type","true"],["Native Overlay Diff","true"]],"SystemStatus":null,"Plugins":{"Volume":["local"],"Network":["bridge","host","ipvlan","macvlan","null","overlay"],"Authorization":null,"Log":["awslogs","fluentd","gcplogs","gelf","journald","jsonfile","local","logentries","splunk","syslog"]},"MemoryLimit":true,"SwapLimit":false,"KernelMemory":true,"KernelMemoryTCP":true,"CpuCfsPeriod":true,"CpuCfsQuota":true,"CPUShares":true,"CPUSet":true,"PidsLimit":true,"IPv4Forwarding":true,"BridgeNfIptables":true,"BridgeNfIp6tables":true,"Debug":false,"NFd":21,"OomKillDisable":true,"NGoroutines":35,"SystemTime":"2020-07-22T19:54:12.335572334+08:00","LoggingDriver":"jsonfile","CgroupDriver":"cgroupfs","NEventsListener":0,"KernelVersion":"4.15.0-111-generic","OperatingSystem":"Ubuntu 18.04.4 LTS","OSType":"linux","Architecture":"x86_64","IndexServerAddress":"https://index.docker.io/v1/","RegistryConfig":{"AllowNondistributableArtifactsCIDRs":[],"AllowNondistributableArtifactsHostnames":[],"InsecureRegistryCIDRs":["127.0.0.0/8"],"IndexConfigs":{"docker.io":{"Name":"docker.io","Mirrors":["https://56sxj93s.mirror.aliyuncs.com/"],"Secure":true,"Official":true}},"Mirrors":["https://56sxj93s.mirror.aliyuncs.com/"]},"NCPU":4,"MemTotal":3122880512,"GenericResources":null,"DockerRootDir":"/var/lib/docker","HttpProxy":"","HttpsProxy":"","NoProxy":"","Name":"ubuntu1804.test.org","Labels":[],"ExperimentalBuild":false,"ServerVersion":"19.03.12","ClusterStore":"","ClusterAdvertise":"","Runtimes":{"runc":{"path":"runc"}},"DefaultRuntime":"runc","Swarm":{"NodeID":"","NodeAddr":"","LocalNodeState":"inactive","ControlAvailable":false,"Error":"","RemoteManagers":null},"LiveRestoreEnabled":false,"Isolation":"","InitBinary":"docker-init","ContainerdCommit":{"ID":"7ad184331fa3e55e52b890ea95e65ba581ae3429","Expected":"7ad184331fa3e55e52b890ea95e65ba581ae3429"},"RuncCommit":{"ID":"dc9208a3303feef5b3839f4323d9beb36df0a9dd","Expected":"dc9208a3303feef5b3839f4323d9beb36df0a9dd"},"InitCommit":{"ID":"fec3683","Expected":"fec3683"},"SecurityOptions":["name=apparmor","name=seccomp,profile=default"],"Warnings":["WARNING: No swap limit support"]}

Example: adding a label to the docker service

[root@ubuntu1804 ~]#vim /lib/systemd/system/docker.service 
# modify the line below
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --label="name=docker1"
[root@ubuntu1804 ~]#systemctl daemon-reload 
[root@ubuntu1804 ~]#systemctl restart docker
[root@ubuntu1804 ~]#docker info
Client:
 Debug Mode: false
Server:
 Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
 Images: 5
 Server Version: 19.03.12
 Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
 apparmor
 seccomp
   Profile: default
 Kernel Version: 4.15.0-111-generic
 Operating System: Ubuntu 18.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 2.908GiB
 Name: ubuntu1804.test.org
 ID: LVU6:OXD3:TAPB:KDNQ:YRSN:XTAS:3V32:IERB:2DM6:4CDK:CRO6:ZKAW
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
  name=docker1   # the added label appears here
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Registry Mirrors:
 https://56sxj93s.mirror.aliyuncs.com/
 Live Restore Enabled: false
WARNING: No swap limit support

Example: enabling remote access to docker

# Method 1
[root@ubuntu1804 ~]#vim /lib/systemd/system/docker.service 
# modify the line below
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock --label="name=docker1"
# Method 2
[root@ubuntu1804 ~]#vim /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --containerd=/run/containerd/containerd.sock
[root@ubuntu1804 ~]#vim /etc/docker/daemon.json
{
 "hosts": ["tcp://0.0.0.0:2375", "fd://"]
}
[root@ubuntu1804 ~]#systemctl daemon-reload
[root@ubuntu1804 ~]#systemctl restart docker
[root@ubuntu1804 ~]#ss -tnlp|grep 2375
LISTEN   0         128                       *:2375                   *:*       users:(("dockerd",pid=9964,fd=3))
[root@ubuntu1804 ~]#ps -ef | grep docker
root       9964      1  0 20:33 ?        00:00:00 /usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock --label=name=docker1
root      10187   2854  0 20:37 pts/1    00:00:00 grep --color=auto docker
[root@ubuntu1804 ~]#ll /var/run/docker.sock 
srw-rw---- 1 root docker 0 Jul 22 20:33 /var/run/docker.sock=
# Remote access, approach 1
[root@centos7 ~]#curl http://10.0.0.100:2375/info
{"ID":"LVU6:OXD3:TAPB:KDNQ:YRSN:XTAS:3V32:IERB:2DM6:4CDK:CRO6:ZKAW","Containers":0,"ContainersRunning":0,"ContainersPaused":0,"ContainersStopped":0,"Images":5,"Driver":"overlay2","DriverStatus":[["Backing Filesystem","extfs"],["Supports d_type","true"],["Native Overlay Diff","true"]],"SystemStatus":null,"Plugins":{"Volume":["local"],"Network":["bridge","host","ipvlan","macvlan","null","overlay"],"Authorization":null,"Log":["awslogs","fluentd","gcplogs","gelf","journald","jsonfile","local","logentries","splunk","syslog"]},"MemoryLimit":true,"SwapLimit":false,"KernelMemory":true,"KernelMemoryTCP":true,"CpuCfsPeriod":true,"CpuCfsQuota":true,"CPUShares":true,"CPUSet":true,"PidsLimit":true,"IPv4Forwarding":true,"BridgeNfIptables":true,"BridgeNfIp6tables":true,"Debug":false,"NFd":22,"OomKillDisable":true,"NGoroutines":35,"SystemTime":"2020-07-22T20:54:42.419355793+08:00","LoggingDriver":"jsonfile","CgroupDriver":"cgroupfs","NEventsListener":0,"KernelVersion":"4.15.0-111-generic","OperatingSystem":"Ubuntu 18.04.4 LTS","OSType":"linux","Architecture":"x86_64","IndexServerAddress":"https://index.docker.io/v1/","RegistryConfig":{"AllowNondistributableArtifactsCIDRs":[],"AllowNondistributableArtifactsHostnames":[],"InsecureRegistryCIDRs":["127.0.0.0/8"],"IndexConfigs":{"docker.io":{"Name":"docker.io","Mirrors":["https://56sxj93s.mirror.aliyuncs.com/"],"Secure":true,"Official":true}},"Mirrors":["https://56sxj93s.mirror.aliyuncs.com/"]},"NCPU":4,"MemTotal":3122880512,"GenericResources":null,"DockerRootDir":"/var/lib/docker","HttpProxy":"","HttpsProxy":"","NoProxy":"","Name":"ubuntu1804.test.org","Labels":["name=docker1"],"ExperimentalBuild":false,"ServerVersion":"19.03.12","ClusterStore":"","ClusterAdvertise":"","Runtimes":{"runc":{"path":"runc"}},"DefaultRuntime":"runc","Swarm":{"NodeID":"","NodeAddr":"","LocalNodeState":"inactive","ControlAvailable":false,"Error":"","RemoteManagers":null},"LiveRestoreEnabled":false,"Isolation":"","InitBinary":"docker-init","ContainerdCommit":{"ID":"7ad184331fa3e55e52b890ea95e65ba581ae3429","Expected":"7ad184331fa3e55e52b890ea95e65ba581ae3429"},"RuncCommit":{"ID":"dc9208a3303feef5b3839f4323d9beb36df0a9dd","Expected":"dc9208a3303feef5b3839f4323d9beb36df0a9dd"},"InitCommit":{"ID":"fec3683","Expected":"fec3683"},"SecurityOptions":["name=apparmor","name=seccomp,profile=default"],"Warnings":["WARNING: API is accessible on http://0.0.0.0:2375 without encryption.\n         Access to the remote API is equivalent to root access on the host. Refer\n         to the 'Docker daemon attack surface' section in the documentation for\n         more information: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface","WARNING: No swap limit support"]}

# Remote access, approach 2
[root@centos7 ~]#docker -H tcp://10.0.0.100:2375 info
Client:
 Debug Mode: false
Server:
 Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
 Images: 5
 Server Version: 19.03.12
 Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
 apparmor
 seccomp
   Profile: default
 Kernel Version: 4.15.0-111-generic
 Operating System: Ubuntu 18.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 2.908GiB
 Name: ubuntu1804.test.org
 ID: LVU6:OXD3:TAPB:KDNQ:YRSN:XTAS:3V32:IERB:2DM6:4CDK:CRO6:ZKAW
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
  name=docker1
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Registry Mirrors:
 https://56sxj93s.mirror.aliyuncs.com/
 Live Restore Enabled: false
WARNING: API is accessible on http://0.0.0.0:2375 without encryption.
         Access to the remote API is equivalent to root access on the host. Refer
         to the 'Docker daemon attack surface' section in the documentation for
         more information: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface
WARNING: No swap limit support
[root@centos7 ~]#

# Remote access, approach 3
[root@centos7 ~]#export DOCKER_HOST="tcp://10.0.0.100:2375"
[root@centos7 ~]#docker info
Client:
 Debug Mode: false
Server:
 Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
 Images: 5
 Server Version: 19.03.12
 Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
 apparmor
 seccomp
   Profile: default
 Kernel Version: 4.15.0-111-generic
 Operating System: Ubuntu 18.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 2.908GiB
 Name: ubuntu1804.test.org
 ID: LVU6:OXD3:TAPB:KDNQ:YRSN:XTAS:3V32:IERB:2DM6:4CDK:CRO6:ZKAW
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
  name=docker1
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Registry Mirrors:
 https://56sxj93s.mirror.aliyuncs.com/
 Live Restore Enabled: false
WARNING: API is accessible on http://0.0.0.0:2375 without encryption.
         Access to the remote API is equivalent to root access on the host. Refer
         to the 'Docker daemon attack surface' section in the documentation for
         more information: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface
WARNING: No swap limit support

# switch back to the local daemon
[root@centos7 ~]#unset DOCKER_HOST
[root@centos7 ~]#docker info
Client:
 Debug Mode: false
Server:
 Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
 Images: 0
 Server Version: 19.03.5
 Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: true
 Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
 seccomp
   Profile: default
 Kernel Version: 3.10.0-1127.el7.x86_64
 Operating System: CentOS Linux 7 (Core)
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 972.3MiB
 Name: centos7.testuser.com
 ID: USO2:CGRA:LIV3:SWOQ:5AWX:EN6W:4AUZ:XYZ7:LL6K:SUQ5:HANV:TX5L
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Registry Mirrors:
 https://56sxj93s.mirror.aliyuncs.com/
 Live Restore Enabled: false
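
The /info document returned over the socket and over port 2375 above is also the place to check how a daemon is exposed. The following Python script is an added example, not from the original tutorial: it fetches /info over the local Unix socket (the parsed equivalent of the nc -U call) and reports the plaintext TCP listener warning that dockerd itself emits, missing seccomp or AppArmor/SELinux entries in SecurityOptions, and insecure registries beyond loopback. The two sample documents are constructed from the output shown on this page, trimmed to the fields the audit reads.

```python
"""Audit a Docker daemon's GET /info document for risky exposure settings."""
import http.client
import json
import socket


class UnixSocketHTTPConnection(http.client.HTTPConnection):
    """HTTP over /var/run/docker.sock: what the nc -U call above does, parsed."""

    def __init__(self, path="/var/run/docker.sock"):
        super().__init__("localhost")  # only used for the Host header
        self._path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self._path)


def fetch_info(path="/var/run/docker.sock"):
    """Return the decoded /info document from the local daemon."""
    conn = UnixSocketHTTPConnection(path)
    try:
        conn.request("GET", "/info")
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError(f"/info returned HTTP {resp.status}")
        return json.loads(resp.read())
    finally:
        conn.close()


def audit_info(info):
    """Return (severity, message) findings; CRITICAL means root on the host for the network."""
    findings = []
    # dockerd itself warns when a tcp:// host has no TLS; that is the 2375 case above.
    for warning in info.get("Warnings") or []:
        first_line = (warning.splitlines() or [""])[0].strip()
        if "without encryption" in warning:
            findings.append(("CRITICAL", f"plaintext API listener: {first_line}"))
        elif not first_line.startswith("WARNING: No swap limit"):
            findings.append(("INFO", first_line))
    # SecurityOptions entries look like "name=seccomp,profile=default".
    names = {opt.split(",")[0].split("=", 1)[-1] for opt in info.get("SecurityOptions") or []}
    if "seccomp" not in names:
        findings.append(("HIGH", "seccomp is off: containers get the unfiltered syscall table"))
    if not names & {"apparmor", "selinux"}:
        findings.append(("HIGH", "no AppArmor or SELinux profile confines containers"))
    if "userns" not in names:
        findings.append(("LOW", "user namespace remapping is not enabled"))
    cidrs = (info.get("RegistryConfig") or {}).get("InsecureRegistryCIDRs") or []
    extra = [c for c in cidrs if c != "127.0.0.0/8"]
    if extra:
        findings.append(("MEDIUM", "plaintext registries allowed: " + ", ".join(extra)))
    if info.get("ExperimentalBuild"):
        findings.append(("LOW", "daemon runs with experimental features enabled"))
    return findings


# Constructed from the /info output shown on this page, trimmed to the audited fields.
SAMPLE_LOCAL = {
    "Name": "ubuntu1804.test.org", "ServerVersion": "19.03.12", "ExperimentalBuild": False,
    "RegistryConfig": {"InsecureRegistryCIDRs": ["127.0.0.0/8"]},
    "SecurityOptions": ["name=apparmor", "name=seccomp,profile=default"],
    "Warnings": ["WARNING: No swap limit support"],
}
# The same daemon after adding -H tcp://0.0.0.0:2375, as in the remote-access example.
SAMPLE_REMOTE = dict(SAMPLE_LOCAL, Warnings=[
    "WARNING: API is accessible on http://0.0.0.0:2375 without encryption.\n"
    "         Access to the remote API is equivalent to root access on the host.",
    "WARNING: No swap limit support",
])

if __name__ == "__main__":
    for severity, message in audit_info(fetch_info()) or [("OK", "no findings")]:
        print(f"[{severity}] {message}")
```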

1.3 Image management

1.3.1 Image structure and principles

image-20211228221351424

An image is the template from which containers are created. It contains the filesystem and everything else needed to start a container, so images exist mainly to make creating and starting containers convenient and fast.

An image consists of layered filesystems managed by a Union FS (union filesystem). A union filesystem mounts several directory layers together (like a thousand-layer pastry, an onion, or Russian nesting dolls) to form one virtual filesystem whose directory tree looks like that of an ordinary Linux system; these files, together with the host kernel, provide a virtual Linux environment. Each filesystem layer is called a layer. A union filesystem can give a layer one of three permissions, read-only (readonly), read-write (readwrite) and whiteout-able, but every layer in an image is read-only. When an image is built, you start from a minimal operating system and each committed build step adds one layer of changes on top; an upper layer hides whatever sits at the same path in the layers below it, just as a sheet laid on top covers the one underneath. When the image is used you see only one complete whole and neither know, nor need to know, how many layers it has. The structure is as follows:

image-20211228221446312

A typical Linux filesystem consists of two parts: bootfs and rootfs

bootfs (boot file system) mainly contains the bootloader and the kernel. The bootloader loads the kernel; when Linux first boots it loads the bootfs, and once boot is complete and the kernel has been loaded into memory and taken control of the system, bootfs is unmounted.

rootfs (root file system) contains the standard directories and files of a typical Linux system, such as /dev, /proc, /bin and /etc. Different Linux distributions (such as Ubuntu and CentOS) differ mainly at the rootfs layer.

Images are usually quite small: the official Ubuntu image is only a little over 60MB, the CentOS base image is about 200MB, and some other images are only a few MB, for example busybox is just 1.22MB and the alpine image is about 5MB. An image uses the host kernel directly, so it ships only a rootfs, which needs to include just the most basic commands, configuration files, program libraries and related files.

The figure below shows two different images, each with its own rootfs, running on one host kernel.

image-20211228221534688

Relationship between containers, images and parent images:

image-20211228221548864

Example: examining the layer structure of an image

[root@ubuntu1804 ~]#docker pull nginx 
Using default tag: latest
latest: Pulling from library/nginx
8ec398bc0356: Pull complete
a53c868fbde7: Pull complete
79daf9dd140d: Pull complete 
Digest: sha256:70821e443be75ea38bdf52a974fd2271babd5875b2b1964f05025981c75a6717
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest

# view the layer history of the image
[root@ubuntu1804 ~]#docker image history nginx
[root@ubuntu1804 ~]#docker inspect nginx

[root@ubuntu1804 ~]#docker save nginx -o nginx.tar
[root@ubuntu1804 ~]#docker images

[root@ubuntu1804 ~]#ll -h nginx.tar 
-rw------- 1 root root 131M Jul 20 22:33 nginx.tar

[root@ubuntu1804 ~]#tar xf nginx.tar -C /data
[root@ubuntu1804 ~]#ll /data

[root@ubuntu1804 ~]#cat /data/manifest.json 
[{"Config":"0901fa9da894a8e9de5cb26d6749eaffb67b373dc1ff8a26c46b23b1175c913a.json","RepoTags":["nginx:latest"],"Layers":["d2cf0fc540bb3be33ee7340498c41fd4fc82c6bb02b9955fca2109e599301dbd/layer.tar","f4bf863ecdbb8bddb4b3bb271bdd97b067dcb6c95c56f720018abec6af190c6e/layer.tar","517e3239147277447b60191907bc66168963e0ce8707a6a33532f7c63a0d2f12/layer.tar","0bb74fcd4b686412f7993916e58c26abd155fa10b10a4dc09a778e7c324c39a2/layer.tar","68c9e9da52d5a57ee196829ce4a461cc9425b0b920689da9ad547f1da13dbc9d/layer.tar"]}]

[root@ubuntu1804 ~]#du -sh /data/*
8.0K /data/0901fa9da894a8e9de5cb26d6749eaffb67b373dc1ff8a26c46b23b1175c913a.json
16K /data/0bb74fcd4b686412f7993916e58c26abd155fa10b10a4dc09a778e7c324c39a2
16K /data/517e3239147277447b60191907bc66168963e0ce8707a6a33532f7c63a0d2f12
16K /data/68c9e9da52d5a57ee196829ce4a461cc9425b0b920689da9ad547f1da13dbc9d
70M /data/d2cf0fc540bb3be33ee7340498c41fd4fc82c6bb02b9955fca2109e599301dbd
62M /data/f4bf863ecdbb8bddb4b3bb271bdd97b067dcb6c95c56f720018abec6af190c6e
16K /data/lost+found
4.0K /data/manifest.json
4.0K /data/repositories

[root@ubuntu1804 ~]#cd /data/d2cf0fc540bb3be33ee7340498c41fd4fc82c6bb02b9955fca2109e599301dbd/

[root@ubuntu1804 d2cf0fc540bb3be33ee7340498c41fd4fc82c6bb02b9955fca2109e599301dbd]#ls
json layer.tar VERSION 

[root@ubuntu1804 d2cf0fc540bb3be33ee7340498c41fd4fc82c6bb02b9955fca2109e599301dbd]#tar xf layer.tar 

[root@ubuntu1804 d2cf0fc540bb3be33ee7340498c41fd4fc82c6bb02b9955fca2109e599301dbd]#ls
bin   dev home layer.tar lib64 mnt proc run   srv tmp var
boot etc json lib media opt root sbin sys usr VERSION

[root@ubuntu1804 d2cf0fc540bb3be33ee7340498c41fd4fc82c6bb02b9955fca2109e599301dbd]#cat etc/i
init.d/   issue     issue.net 

[root@ubuntu1804 d2cf0fc540bb3be33ee7340498c41fd4fc82c6bb02b9955fca2109e599301dbd]#cat etc/issue
Debian GNU/Linux 10 \n \l
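
The manifest.json and layer.tar layout unpacked above is also what lets you verify an exported image before loading it on another server. The following Python script is an added example, not from the original tutorial: it reads a docker save archive, checks that the config file's SHA-256 equals its own file name (the image ID) and that every layer.tar hashes to the diff_id listed in the config's rootfs section, so a layer altered after export is rejected. The two-layer sample archive is constructed in memory and is not nginx's real layers.

```python
"""Verify the layers inside a `docker save` archive against its image config."""
import hashlib
import io
import json
import tarfile


def _member_bytes(tar, name):
    """Read one regular file out of the archive, failing loudly if absent."""
    try:
        fobj = tar.extractfile(name)
    except KeyError:
        raise ValueError(f"{name} missing from archive") from None
    if fobj is None:
        raise ValueError(f"{name} is not a regular file")
    return fobj.read()


def verify_saved_image(archive):
    """Check a docker-save archive given as a path or a file object.

    Returns {repo_tag: [layer diff_id, ...]} on success and raises ValueError
    when the config's SHA-256 does not match its file name (the image ID) or
    when any layer.tar does not hash to the diff_id the config lists for it.
    """
    opener = {"fileobj": archive} if hasattr(archive, "read") else {"name": archive}
    with tarfile.open(mode="r", **opener) as tar:
        manifest = json.loads(_member_bytes(tar, "manifest.json"))
        verified = {}
        for entry in manifest:
            config_bytes = _member_bytes(tar, entry["Config"])
            image_id = hashlib.sha256(config_bytes).hexdigest()
            if entry["Config"] != image_id + ".json":
                raise ValueError(f"config {entry['Config']} does not hash to its own name")
            diff_ids = json.loads(config_bytes)["rootfs"]["diff_ids"]
            if len(diff_ids) != len(entry["Layers"]):
                raise ValueError("layer count differs between manifest and config")
            digests = []
            for layer_name, expected in zip(entry["Layers"], diff_ids):
                actual = "sha256:" + hashlib.sha256(_member_bytes(tar, layer_name)).hexdigest()
                if actual != expected:
                    raise ValueError(f"{layer_name}: expected {expected}, got {actual}")
                digests.append(actual)
            for tag in entry.get("RepoTags") or [image_id[:12]]:
                verified[tag] = digests
        return verified


def _tar_bytes(files):
    """Build a deterministic tar archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_archive(tamper=False):
    """Constructed two-layer image in docker-save layout (not nginx's real layers)."""
    layers = [
        _tar_bytes({"etc/issue": b"Debian GNU/Linux 10 \\n \\l\n"}),
        _tar_bytes({"etc/nginx/nginx.conf": b"worker_processes 1;\n"}),
    ]
    diff_ids = ["sha256:" + hashlib.sha256(layer).hexdigest() for layer in layers]
    config = json.dumps({"architecture": "amd64", "os": "linux",
                         "rootfs": {"type": "layers", "diff_ids": diff_ids}}).encode()
    config_name = hashlib.sha256(config).hexdigest() + ".json"  # the image ID
    if tamper:  # a file slipped into the top layer after the config was written
        layers[1] = _tar_bytes({"etc/nginx/nginx.conf": b"worker_processes 1;\n",
                                "usr/local/bin/extra": b"#!/bin/sh\n"})
    manifest = json.dumps([{"Config": config_name,
                            "RepoTags": ["example/nginx:latest"],
                            "Layers": ["l1/layer.tar", "l2/layer.tar"]}]).encode()
    return io.BytesIO(_tar_bytes({"manifest.json": manifest, config_name: config,
                                  "l1/layer.tar": layers[0], "l2/layer.tar": layers[1]}))


if __name__ == "__main__":
    print("intact archive:", verify_saved_image(build_sample_archive()))
    try:
        verify_saved_image(build_sample_archive(tamper=True))
    except ValueError as exc:
        print("tampered archive rejected:", exc)
```

Run it against a real export with `verify_saved_image("/root/nginx.tar")` and compare the returned diff_ids with those in the config's rootfs section.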

1.3.2 Searching for images

1.3.2.1 Searching for images

1.3.2.1.1 Searching on the official website

Official site: http://hub.docker.com

image-20211228222235394

image-20211228222307777

Search the official docker registry for an image by name; many third-party images will also show up.

1.3.2.1.2 Searching with the docker search command

The format is as follows:

Usage: docker search [OPTIONS] TERM
Options:
  -f, --filter filter   Filter output based on conditions provided
      --format string   Pretty-print search using a Go template
      --limit int       Max number of search results (default 25)
      --no-trunc       Don't truncate output
Notes:
OFFICIAL:  official image
AUTOMATED: built automatically by a third-party docker build service, so the image can be pulled straight from the internet, skipping a tedious manual build

Example:

[root@ubuntu1804 ~]#docker search centos

Example: filtering the search

# search for images with at least 100 stars
# old syntax
[root@ubuntu1804 ~]#docker search -s 100 centos

# new syntax
[root@ubuntu1804 ~]#docker search --filter=stars=100 centos

1.3.2.2 Introduction to alpine

image-20211228222456355

Alpine is a security-oriented, lightweight Linux distribution. Unlike typical Linux distributions, Alpine uses musl libc and busybox to reduce system size and runtime resource consumption, yet it is far more complete than busybox alone, so it has won growing favour in the open-source community. While staying slim, Alpine also provides its own package manager, apk; package information can be looked up at https://pkgs.alpinelinux.org/packages, or packages can be queried and installed directly with the apk command.

Alpine is maintained by a non-commercial organisation and supports a wide range of scenarios; it is optimised for experienced/heavy Linux users and focuses on security, performance and resource efficiency. The Alpine image fits many common scenarios and is an excellent base system/environment that is suitable for production.

The Alpine Docker image inherits these advantages of the Alpine Linux distribution. Compared with other Docker images it is very small, only about 5 MB (versus nearly 200 MB for the Ubuntu family), and it has a very friendly package-management mechanism. The official image comes from the docker-alpine project.

Docker has officially begun recommending Alpine in place of Ubuntu as the base image environment. This brings several benefits, including faster image downloads, better image security, easier switching between hosts and less disk space used.

The table below compares the sizes of the official images:

REPOSITORY         TAG           IMAGE ID         VIRTUAL SIZE
alpine             latest       4e38e38c8ce0      4.799 MB
debian             latest       4d6ce913b130      84.98 MB
ubuntu             latest       b39b81afc8ca      188.3 MB
centos             latest       8efe422e6104      210 MB

  • Alpine official site: https://www.alpinelinux.org/
  • Alpine official repository: https://github.com/alpinelinux
  • Alpine official image: https://hub.docker.com/_/alpine/
  • Alpine official image repository: https://github.com/gliderlabs/docker-alpine
  • Alpine mirror on Alibaba Cloud: https://mirrors.aliyun.com/alpine/

Example: managing software on alpine

# switch to the Alibaba Cloud mirror: replace dl-cdn.alpinelinux.org in this file with mirrors.aliyun.com
vi /etc/apk/repositories
http://mirrors.aliyun.com/alpine/v3.8/main/
http://mirrors.aliyun.com/alpine/v3.8/community/

# update the package index
apk update

# install software
apk add vim

# remove software
apk del openssh openntp vim

Example:

/ # apk --help
/ # apk add nginx

/ # apk info nginx
nginx-1.16.1-r6 description:
HTTP and reverse proxy server (stable version)
nginx-1.16.1-r6 webpage:
https://www.nginx.org/
nginx-1.16.1-r6 installed size:
1126400

~ # apk manifest nginx
~ # ls -l /bin

1.3.2.3 Recommended base packages for Debian (Ubuntu) based images

Many official images, for example nginx, tomcat, mysql and httpd, are based on Debian (Ubuntu), but they lack many common debugging tools. When you need to enter a container for debugging or administration, install the following commonly used packages:

# apt update #update the index before installing packages
# apt install procps #provides top, ps, free and similar commands
# apt install psmisc #provides pstree, killall and similar commands
# apt install iputils-ping #provides the ping command
# apt install net-tools #provides netstat, ifconfig and other network tools

1.3.3 Downloading images

Download an image from a docker registry to the local host; the command format is:

docker pull [OPTIONS] NAME[:TAG|@DIGEST]
Options:
  -a, --all-tags               Download all tagged images in the repository
      --disable-content-trust   Skip image verification (default true)
      --platform string         Set platform if server is multi-platform capable
  -q, --quiet                   Suppress verbose output
NAME: the image name, generally of the form registry-server:port/project-name/image-name
:TAG: the version; if :TAG is omitted, the latest image (latest) is downloaded

Notes on downloading an image

[root@ubuntu1804 ~]#docker pull hello-world
Using default tag: latest   # the latest version is downloaded by default
latest: Pulling from library/hello-world
1b930d010525: Pull complete  # layers are downloaded one by one
Digest: sha256:9572f7cdcee8591948c2963463447a53466950b3fc15a247fcad1917ca215a2f  # digest
Status: Downloaded newer image for hello-world:latest
docker.io/library/hello-world:latest  # full name of the downloaded image

Downloaded images are stored under:

/var/lib/docker/overlay2/<image ID>

Note: once downloaded, the image is decompressed automatically, so it may be much larger than the size shown on the website; for example centos8.1.1911 is only 70MB to download but shows as 237MB once downloaded.

Example: downloading images from the official docker site

docker pull hello-world
docker pull alpine
docker pull busybox
docker pull nginx    
docker pull centos
docker pull centos:centos7.7.1908
docker pull docker.io/library/mysql:5.7.29
docker pull mysql:5.6.47

Example: download the alpine, busybox and other images and look at where they are stored

[root@ubuntu1804 ~]#ls /var/lib/docker/overlay2/

[root@ubuntu1804 ~]#du -sh /var/lib/docker/overlay2

[root@ubuntu1804 ~]#ls /var/lib/docker/overlay2/l

[root@ubuntu1804 ~]#docker pull hello-world

[root@ubuntu1804 ~]#docker pull alpine:3.11.3

[root@ubuntu1804 ~]#docker pull busybox

[root@ubuntu1804 ~]#docker pull centos:centos8.1.1911

[root@ubuntu1804 ~]#du -sh /var/lib/docker/overlay2/*

[root@ubuntu1804 ~]#docker images 
REPOSITORY         TAG                 IMAGE ID           CREATED             SIZE
alpine              3.11.3             e7d92cdc71fe        7 days ago          5.59MB
centos             centos8.1.1911     470671670cac        7 days ago           237MB
busybox             latest             6d5fcfe5ff17        4 weeks ago         1.22MB
hello-world         latest             fce289e99eb9        12 months ago       1.84kB

[root@ubuntu1804 ~]#ls -l /var/lib/docker/overlay2/l
total 16
lrwxrwxrwx 1 root root 72 Jan 25 19:51 C5ZTDYHYDTO7BQG6HX36MU6X5K -> ../de31641b8d2207de7f08eabb5240474a1aaccfef08b6034dcee02b9623f8d9dc/diff
lrwxrwxrwx 1 root root 72 Jan 25 19:57 DEXHVNUGFLFJCSJAKISOHQG7JY -> ../f41df336075611f9e358e5eaf2ebd5089920a90ba68760cdec8da03edff362f7/diff
lrwxrwxrwx 1 root root 72 Jan 25 19:51 KJ5IA5AUHFUEQXFKJA7UDUIA7A -> ../1802616f4c8e0a0b52c839431b6faa8ac21f4bd831548dcbd46943d3f60061fa/diff
lrwxrwxrwx 1 root root 72 Jan 25 19:51 ZM3U4WDNHGJJX5DXHA5M4ZWAIW -> ../5773b92e1351da5e589d0573d9f22d1ec3be1e0e98edbfcddba4b830f12c7be2/diff

Example: downloading a specific version by TAG

[root@ubuntu1804 ~]#docker pull docker.io/library/mysql:5.7.29
[root@ubuntu1804 ~]#docker pull mysql:5.6.47

Example: downloading a specific version by DIGEST

First look up the DIGEST of the desired version on hub.docker.com

image-20211228223414137

[root@ubuntu1804 ~]#docker pull alpine@sha256:156f59dc1cbe233827642e09ed06e259ef6fa1ca9b2e29d52ae14d5e7b79d7f0
sha256:156f59dc1cbe233827642e09ed06e259ef6fa1ca9b2e29d52ae14d5e7b79d7f0: Pulling from library/alpine
5d2415897100: Pull complete 
Digest: sha256:156f59dc1cbe233827642e09ed06e259ef6fa1ca9b2e29d52ae14d5e7b79d7f0
Status: Downloaded newer image for alpine@sha256:156f59dc1cbe233827642e09ed06e259ef6fa1ca9b2e29d52ae14d5e7b79d7f0
docker.io/library/alpine@sha256:156f59dc1cbe233827642e09ed06e259ef6fa1ca9b2e29d52ae14d5e7b79d7f0

[root@ubuntu1804 ~]#docker images 
REPOSITORY         TAG                 IMAGE ID           CREATED             SIZE
alpine             <none>             3c791e92a856        3 weeks ago         5.57MB

1.3.4 Configuring a docker image mirror

The official download site for docker images is: https://hub.docker.com/

image-20211228223522019

Downloading from the official site can be slow from within China, so you can edit the docker configuration file to add a mirror (accelerator) and speed up image downloads.

Many Chinese companies offer docker mirrors, for example Alibaba Cloud, Tencent Cloud and NetEase Cloud; the following uses Alibaba Cloud as the example.

1.3.4.1 Obtaining a mirror address from Alibaba Cloud

Open http://cr.console.aliyun.com in a browser, register or log in to an Alibaba Cloud account and click Image Accelerator in the left menu; you will be given a dedicated mirror address, with configuration instructions below it:

image-20211228223618358

1.3.4.2 Configuring the docker mirror

1. Install/upgrade the Docker client
Docker client 1.10.0 or later is recommended; see the [docker-ce] document --> #https://yq.aliyun.com/articles/110806

2. Configure the mirror
For Docker client versions above 1.10.0
you can enable the mirror by editing the daemon configuration file /etc/docker/daemon.json

sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://l6gzhlm5.mirror.aliyuncs.com"]
}
EOF

#NetEase Cloud: http://hub-mirror.c.163.com/
#Tencent Cloud: https://mirror.ccs.tencentyun.com

sudo systemctl daemon-reload
sudo systemctl restart docker

Example:

[root@ubuntu1804 ~]#docker info | tail
WARNING: the overlay storage-driver is deprecated, and will be removed in a future release.
 ID: IZHJ:WPIN:BRMC:XQUI:VVVR:UVGK:NZBM:YQXT:JDWB:33RS:45V7:SQWJ
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 
[root@ubuntu1804 ~]#vim /etc/docker/daemon.json

[root@ubuntu1804 ~]#cat /etc/docker/daemon.json
{
  "storage-driver": "overlay",
  "registry-mirrors": ["https://56sxj93s.mirror.aliyuncs.com"]
}

[root@ubuntu1804 ~]#systemctl daemon-reload 
[root@ubuntu1804 ~]#systemctl restart docker

[root@ubuntu1804 ~]#docker info | tail
WARNING: the overlay storage-driver is deprecated, and will be removed in a 
future release.
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Registry Mirrors:
 https://56sxj93s.mirror.aliyuncs.com/
 Live Restore Enabled: false

1.3.5 Listing local images

docker images lists the images that have been downloaded to the local host

Format:

docker images [OPTIONS] [REPOSITORY[:TAG]]
docker image ls [OPTIONS] [REPOSITORY[:TAG]]
#common options:  
-q, --quiet     Only show numeric IDs
-a, --all Show all images (default hides intermediate images)
    --digests       Show digests
    --no-trunc     Don't truncate output
-f, --filter filter   Filter output based on conditions provided
    --format string   Pretty-print images using a Go template

Meaning of the columns in the output:

REPOSITORY      #name of the repository the image belongs to
TAG             #image version (tag), latest by default
IMAGE ID        #unique image ID; the same ID means one image with several names
CREATED         #when the image was created in the repository
VIRTUAL SIZE    #size of the image

[root@centos7 ~]#docker images 
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
mysql               5.7.29              5d9483f9a7b2        2 years ago         455MB

Repository

  • An image repository is made up of all the iterated versions of one particular docker image
  • One Registry can contain many Repositories
  • Repositories are divided into "top-level repositories" and "user repositories"
  • A user repository name generally takes the form "username/repository-name"
  • Each Repository can contain several Tags, each corresponding to one image

Example:

[root@ubuntu1804 ~]#docker images 
REPOSITORY         TAG                 IMAGE ID           CREATED             SIZE
alpine              3.11.3             e7d92cdc71fe        7 days ago         5.59MB
centos             centos8.1.1911     470671670cac         7 days ago         237MB
busybox             latest             6d5fcfe5ff17        4 weeks ago        1.22MB
hello-world         latest             fce289e99eb9        12 months ago      1.84kB

[root@ubuntu1804 ~]#docker images -q
e7d92cdc71fe
470671670cac
6d5fcfe5ff17
fce289e99eb9

#show the full image ID
[root@ubuntu1804 ~]#docker images --no-trunc
REPOSITORY         TAG                 IMAGE ID                                                                  CREATED           SIZE
tomcat             9.0.37-v1           sha256:b8d669ebf99e65d5ed69378d0d53f054e7de4865d335ab7aa0a7a5508e1369f7   47 hours ago      652MB

#only list images from the given REPOSITORY
[root@ubuntu1804 ~]#docker images tomcat

Example: viewing the details of an image

[root@centos8 ~]#podman image inspect alpine

1.3.6 Exporting images

docker save exports a local image as a packed tar file, which can then be copied to other servers and imported there

Format:

docker save [OPTIONS] IMAGE [IMAGE...]
Options:  
-o, --output string   Write to a file, instead of STDOUT

Common usage:

docker save -o /path/file.tar IMAGE1 IMAGE2 ...
docker save IMAGE1 IMAGE2 ... > /path/file.tar

Example: exporting images

[root@ubuntu1804 ~]#docker images
[root@ubuntu1804 ~]#docker save mysql:5.7.29 alpine:3.11.3 -o /data/myimages.tar
#or
[root@ubuntu1804 ~]#docker save mysql:5.7.29 alpine:3.11.3 > /data/myimages.tar

1.3.7 Importing images

docker load imports the archive file produced by exporting an image

Format:

docker load [OPTIONS]
#options
-i, --input string   Read from tar archive file, instead of STDIN
-q, --quiet         Suppress the load output

Example: importing images

[root@centos7 ~]#docker images

[root@centos7 ~]#docker load -i /data/myimages.tar
#or
[root@centos7 ~]#docker load < /data/myimages.tar

Example: exporting several images at once

[root@ubuntu1804 ~]#docker images 
REPOSITORY         TAG                 IMAGE ID           CREATED            SIZE
alpine             latest             e7d92cdc71fe        7 days ago         5.59MB
busybox             latest             6d5fcfe5ff17        4 weeks ago       1.22MB

[root@ubuntu1804 ~]#docker save busybox alpine > /opt/all.tar

[root@ubuntu1804 ~]#ll -h /opt/all.tar
-rw-r--r-- 1 root root 7.0M Jan 25 22:12 /opt/all.tar

[root@ubuntu1804 ~]#docker rmi -f `docker images -q`

[root@ubuntu1804 ~]#docker images 

[root@ubuntu1804 ~]#docker load -i /opt/all.tar
5216338b40a7: Loading layer [==================================================>]  5.857MB/5.857MB
Loaded image: alpine:latest
195be5f8be1d: Loading layer [==================================================>]  1.437MB/1.437MB
Loaded image: busybox:latest

[root@ubuntu1804 ~]#docker images
REPOSITORY         TAG                IMAGE ID            CREATED             SIZE
alpine             latest             e7d92cdc71fe        7 days ago          5.59MB
busybox            latest             6d5fcfe5ff17        4 weeks ago         1.22MB

1.3.8 Removing images

docker rmi removes a local image

Format

docker rmi [OPTIONS] IMAGE [IMAGE...]
docker image rm [OPTIONS] IMAGE [IMAGE...]
#options:
-f, --force     Force removal of the image
    --no-prune   Do not delete untagged parents

Example:

[root@centos7 ~]#docker images
REPOSITORY         TAG                 IMAGE ID           CREATED             SIZE
alpine              3.11.3             e7d92cdc71fe        7 days ago         5.59MB
mysql               5.7.29             b598110d0fff        10 days ago        435MB

[root@centos7 ~]#docker rmi b59811

[root@centos7 ~]#docker rmi alpine:3.11.3
Untagged: alpine:3.11.3
Deleted: sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a
Deleted: sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10

[root@centos7 ~]#docker images

Example: removing several images

[root@ubuntu1804 ~]#docker rmi nginx tomcat

Example: force-removing an image that is in use, which also removes the corresponding container

[root@ubuntu1804 ~]#docker ps -a
CONTAINER ID       IMAGE                   COMMAND                 CREATED             STATUS                       PORTS                     NAMES
b5a0d2e1e1d0       centos:centos8.1.1911   "bash"                  41 minutes ago      Up 41 minutes                                          jolly_burnell

[root@ubuntu1804 ~]#docker rmi centos:centos8.1.1911
Error response from daemon: conflict: unable to remove repository reference "centos:centos8.1.1911" (must force) - container b5a0d2e1e1d0 is using its referenced image 470671670cac

[root@ubuntu1804 ~]#docker rmi -f centos:centos8.1.1911
Untagged: centos:centos8.1.1911
Untagged: centos@sha256:fe8d824220415eed5477b63addf40fb06c3b049404242b31982106ac204f6700

[root@ubuntu1804 ~]#docker ps -a

Example: removing all images

[root@ubuntu1804 ~]#docker images 

[root@ubuntu1804 ~]#docker rmi -f `docker images -q`

[root@ubuntu1804 ~]#docker images

1.3.9 Tagging images

docker tag gives an image a tag, similar to an alias; a certain naming convention usually has to be followed before the image can be pushed to a given registry

Format

docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]

#general form of TARGET_IMAGE[:TAG]
registry-host-FQDN-or-IP[:port]/project-name(or username)/image-name:version

TAG defaults to latest

Example:

[root@ubuntu1804 ~]#docker images 
REPOSITORY         TAG                 IMAGE ID           CREATED            SIZE
alpine             latest             e7d92cdc71fe        11 days ago        5.59MB
centos             centos7.7.1908     08d05d1d5859        2 months ago       204MB

[root@ubuntu1804 ~]#docker tag alpine alpine:3.11

[root@ubuntu1804 ~]#docker images 
REPOSITORY         TAG                 IMAGE ID           CREATED             SIZE
alpine              3.11               e7d92cdc71fe       11 days ago         5.59MB
alpine             latest             e7d92cdc71fe        11 days ago         5.59MB
centos             centos7.7.1908     08d05d1d5859        2 months ago        204MB

Summary: how images are used in practice, and the common operations: search, pull, export, import, delete

Command summary:

docker search centos
docker pull alpine
docker images
docker save centos > /opt/centos.tar   # export the centos image
docker load -i centos-latest.tar.xz    # import a local image archive
docker rmi IMAGE_ID/IMAGE_NAME          # delete the image with the given ID; an image whose container is running cannot be deleted until all of its containers are stopped

1.4 Basic container commands

1.4.1 Starting a container

docker run starts a container, attaches to it, and generates a random container ID and name

1.4.1.1 Starting the first container

Example: run Docker's hello world

[root@centos7 ~]#docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete 
Digest: sha256:2498fce14358aa50ead0cc6c19990fc6ff866ce72aeb5546e1d59caac3d0d60f
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/


[root@centos7 ~]#docker images 
REPOSITORY          TAG       IMAGE ID       CREATED        SIZE
hello-world         latest    feb5d9fea6a5   3 months ago   13.3kB

[root@centos7 ~]#docker ps -a 
CONTAINER ID   IMAGE         COMMAND    CREATED              STATUS                          PORTS     NAMES
28ba76a97842   hello-world   "/hello"   About a minute ago   Exited (0) About a minute ago             priceless_shaw

1.4.1.2 Container startup flow

(figure: container startup flow)

1.4.1.3 docker run usage

Help: man docker-run

Command format:

docker run [options] [image] [shell command] [arguments]

# Options:
-i, --interactive        Keep STDIN open even if not attached; usually combined with -t
-t, --tty                Allocate a pseudo-TTY; usually combined with -i. Note that the container must be running a shell for you to be able to enter it
-d, --detach             Run container in background and print container ID; the default is to run in the foreground
    --name string        Assign a name to the container
-h, --hostname string    Container host name
    --rm                 Automatically remove the container when it exits
-p, --publish list       Publish a container's port(s) to the host
-P, --publish-all        Publish all exposed ports to random ports
    --dns list           Set custom DNS servers
    --entrypoint string  Overwrite the default ENTRYPOINT of the image
    --restart policy     Restart policy to apply when a container exits (default "no")
    --privileged         Give extended privileges to container
-e, --env=[]             Set environment variables
    --env-file=[]        Read in a line delimited file of environment variables

--restart accepts four different policies

(figure: table of the four --restart policies)

Note: once a container has started, if no process is running in the foreground inside it, the container exits and stops automatically

Exit the container and stop it:

exit

Exit the container without stopping it:

press the three keys ctrl+p+q at the same time

Example: run a container

# when a container is started, a random string is generated as its name
[root@centos7 ~]#docker run alpine
[root@centos7 ~]#docker ps -a
CONTAINER ID   IMAGE         COMMAND     CREATED         STATUS                     PORTS     NAMES
756f8702f87a   alpine        "/bin/sh"   4 seconds ago   Exited (0) 3 seconds ago             musing_euler
28ba76a97842   hello-world   "/hello"    7 minutes ago   Exited (0) 7 minutes ago             priceless_shaw


Example: run a command in a container once

# the container exits as soon as the shell command finishes; useful for testing
[root@centos7 ~]#docker run busybox echo "Hello linux"
Unable to find image 'busybox:latest' locally
latest: Pulling from library/busybox
3cb635b06aa2: Pull complete 
Digest: sha256:b5cfd4befc119a590ca1a81d6bb0fa1fb19f1fbebd0397f25fae164abe1e8a6a
Status: Downloaded newer image for busybox:latest
Hello linux

[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES

[root@centos7 ~]#docker ps -a
CONTAINER ID   IMAGE         COMMAND                CREATED              STATUS                          PORTS     NAMES
4bdeee5cfcbc   busybox       "echo 'Hello linux'"   7 seconds ago        Exited (0) 6 seconds ago                  nice_yonath
756f8702f87a   alpine        "/bin/sh"              About a minute ago   Exited (0) About a minute ago             musing_euler
28ba76a97842   hello-world   "/hello"               9 minutes ago        Exited (0) 9 minutes ago                  priceless_shaw


Example: specify the container name

# note that each container name must be unique
[root@centos7 ~]#docker run --name a1 alpine

[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
[root@centos7 ~]#docker ps -a
CONTAINER ID   IMAGE         COMMAND                CREATED          STATUS                      PORTS     NAMES
a65972cd0120   alpine        "/bin/sh"              8 seconds ago    Exited (0) 7 seconds ago              a1
4bdeee5cfcbc   busybox       "echo 'Hello linux'"   4 minutes ago    Exited (0) 4 minutes ago              nice_yonath
756f8702f87a   alpine        "/bin/sh"              5 minutes ago    Exited (0) 5 minutes ago              musing_euler
28ba76a97842   hello-world   "/hello"               13 minutes ago   Exited (0) 13 minutes ago             priceless_shaw

Example: run an interactive container and exit

[root@centos7 ~]#docker run -it docker.io/busybox sh
/ # exit
[root@centos7 ~]#

# after exiting with exit, the container stops as well
[root@centos7 ~]#docker ps -l
CONTAINER ID   IMAGE     COMMAND   CREATED          STATUS                      PORTS     NAMES
bed5a84fa9e9   busybox   "sh"      32 seconds ago   Exited (0) 29 seconds ago             reverent_wu

[root@centos7 ~]#docker ps --help

Usage:  docker ps [OPTIONS]

List containers

Options:
  -a, --all             Show all containers (default shows just running)
  -f, --filter filter   Filter output based on conditions provided
      --format string   Pretty-print containers using a Go template
  -n, --last int        Show n last created containers (includes all states) (default -1)
  -l, --latest          Show the latest created container (includes all states)
      --no-trunc        Don't truncate output
  -q, --quiet           Only display container IDs
  -s, --size            Display total file sizes
[root@centos7 ~]#docker run -it docker.io/busybox sh
Unable to find image 'busybox:latest' locally
latest: Pulling from library/busybox
bdbbaa22dec6: Pull complete 
Digest: sha256:6915be4043561d64e0ab0f8f098dc2ac48e077fe23f488ac24b665166898115a
Status: Downloaded newer image for busybox:latest
/ #   # press the three keys ctrl+p+q at the same time

# after exiting with ctrl+p+q, the container does not stop
[root@centos7 ~]#docker ps -l
CONTAINER ID   IMAGE     COMMAND   CREATED          STATUS          PORTS     NAMES
f625acbd791e   busybox   "sh"      54 seconds ago   Up 52 seconds             vibrant_ramanujan


Example: set the hostname inside the container

[root@centos7 ~]#docker run -it --name a2 -h a2.org alpine
/ # cat /etc/hostname
a2.org
/ # cat /etc/hosts
127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.17.0.3	a2.org a2
/ # cat /etc/resolv.conf 
# Generated by NetworkManager
search localdomain
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 114.114.114.114


Example: run a container once and delete it as soon as it exits, for testing

[root@centos7 ~]#docker run --rm alpine cat /etc/issue
Welcome to Alpine Linux 3.15
Kernel \r on an \m (\l)

[root@centos7 ~]#docker ps -a


Example: create a container, enter it directly, and exit

Two ways to exit:

  • exit: the container stops as well
  • ctrl+p+q: the container keeps running

# after exiting with exit, the container is shut down
[root@centos7 ~]#docker run -it --name alpine2 alpine 
/ # cat /etc/issue 
Welcome to Alpine Linux 3.15
Kernel \r on an \m (\l)

/ # exit    # exit the container; the container stops running as well
[root@centos7 ~]#docker ps -a
CONTAINER ID   IMAGE     COMMAND     CREATED          STATUS                      PORTS     NAMES
008c49f6a847   alpine    "/bin/sh"   37 seconds ago   Exited (0) 19 seconds ago             alpine2

[root@centos7 ~]#docker run -it --name alpine3 alpine
/ # 
# after exiting with the three keys ctrl+p+q, the container does not stop

[root@centos7 ~]#docker ps -a
CONTAINER ID   IMAGE     COMMAND     CREATED              STATUS                          PORTS     NAMES
9964bf361a4a   alpine    "/bin/sh"   30 seconds ago       Up 29 seconds                             alpine3
008c49f6a847   alpine    "/bin/sh"   About a minute ago   Exited (0) About a minute ago             alpine2

What is a daemon container:

  • runs for a long time
  • needs no interactive session
  • suitable for running applications and services

Example: start a foreground daemon container

[root@centos7 ~]#docker run nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2021/12/26 11:22:23 [notice] 1#1: using the "epoll" event method
2021/12/26 11:22:23 [notice] 1#1: nginx/1.21.4
2021/12/26 11:22:23 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6) 
2021/12/26 11:22:23 [notice] 1#1: OS: Linux 3.10.0-1160.49.1.el7.x86_64
2021/12/26 11:22:23 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2021/12/26 11:22:23 [notice] 1#1: start worker processes
2021/12/26 11:22:23 [notice] 1#1: start worker process 31
# look up the ID of the nginx container started above and check the container's IP information
[root@centos7 ~]#docker inspect 89 | grep IP
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "172.17.0.2",
            "IPPrefixLen": 16,
            "IPv6Gateway": "",
                    "IPAMConfig": null,
                    "IPAddress": "172.17.0.2",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,

# wget -O - : with '-' as the file argument, the data is printed to standard output, normally the console.
# wget -O ./- : with './-' as the file argument, the data is written to a file named '-'.
wget:
	-q: do not show the progress of the command
	-O: download and save under the given file name
[root@centos7 ~]#docker run --rm --name b1 busybox wget -qO - 172.17.0.2 
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Example: start a background daemon container

[root@centos7 ~]#docker run -d nginx
4169c23eb1019bf4685669dc792f158958696a81515afb5e41069fb38ec05f89

[root@centos7 ~]#docker ps -l
CONTAINER ID   IMAGE     COMMAND                  CREATED              STATUS              PORTS     NAMES
4169c23eb101   nginx     "/docker-entrypoint.…"   About a minute ago   Up About a minute   80/tcp    gallant_colden

# some containers do not keep running when started in the background
[root@centos7 ~]#docker run -d --name alpine4 alpine 
f829e22dcfcfd5ed034e6bad2f792fea261cd09398fd88876bf5bf20c7dd618f

[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND                  CREATED         STATUS         PORTS     NAMES
4169c23eb101   nginx     "/docker-entrypoint.…"   4 minutes ago   Up 4 minutes   80/tcp    gallant_colden
892198a5fc87   nginx     "/docker-entrypoint.…"   7 minutes ago   Up 7 minutes   80/tcp    zen_northcutt

[root@centos7 ~]#docker run -td --name alpine5 alpine 
fd980c72419ec465d47ce7e547ad170494dd42166fbf143a8aa774b0c58008d2

[root@centos7 ~]#docker ps
CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS          PORTS     NAMES
fd980c72419e   alpine    "/bin/sh"                24 seconds ago   Up 23 seconds             alpine5
4169c23eb101   nginx     "/docker-entrypoint.…"   6 minutes ago    Up 6 minutes    80/tcp    gallant_colden
892198a5fc87   nginx     "/docker-entrypoint.…"   9 minutes ago    Up 9 minutes    80/tcp    zen_northcutt

Example: start a container automatically at boot

# by default a container does not start automatically
[root@centos7 ~]#docker run -d --name nginx -p 80:80 nginx 
50dfd4c9e02c817ca7f3d8eb9c91e78e03aa4646e871ab08af620e849c19685f

[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND                  CREATED              STATUS              PORTS                               NAMES
50dfd4c9e02c   nginx     "/docker-entrypoint.…"   18 seconds ago       Up 17 seconds       0.0.0.0:80->80/tcp, :::80->80/tcp   nginx

[root@centos7 ~]#reboot

[root@centos7 ~]#docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES

# make the container always run
[root@centos7 ~]#docker run -d --name nginx1 --restart=always -p 80:80 nginx
261c382be0299ab48abac4a52880c97dd84a1e4c23430584780c50ea1f7475fe

[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND                  CREATED         STATUS         PORTS                               NAMES
261c382be029   nginx     "/docker-entrypoint.…"   7 seconds ago   Up 7 seconds   0.0.0.0:80->80/tcp, :::80->80/tcp   nginx1

[root@centos7 ~]#reboot

[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS          PORTS                               NAMES
261c382be029   nginx     "/docker-entrypoint.…"   57 seconds ago   Up 20 seconds   0.0.0.0:80->80/tcp, :::80->80/tcp   nginx1

The --privileged option

The --privileged option was introduced in Docker at roughly version 0.6. With this flag, root inside the container has real root privileges; without it, root inside the container has only the privileges of an ordinary user relative to the host. A container started with --privileged can see many of the host's devices and can run mount; it even lets you start Docker containers from inside Docker.

Example: use --privileged to give the container root privileges

`Operations on centos7`
# add a new disk /dev/sdb to the virtual machine from the outside, then reboot the system so it takes effect, or hot-plug it
[root@centos7 ~]#parted /dev/sdb
GNU Parted 3.1
使用 /dev/sdb
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) mklabel gpt                                                    
(parted) mkpart part01 0 500M
警告: The resulting partition is not properly aligned for best performance.
忽略/Ignore/放弃/Cancel? i                                              
(parted) p                                                              
Model: VMware, VMware Virtual S (scsi)
Disk /dev/sdb: 1074MB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End    Size   File system  Name    标志
 1      17.4kB  500MB  500MB               part01

(parted) quit                                                           
信息: You may need to update /etc/fstab.

[root@centos7 ~]#mkfs.ext4 /dev/sdb1
mke2fs 1.42.9 (28-Dec-2013)
文件系统标签=
OS type: Linux
块大小=1024 (log=0)
分块大小=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
122400 inodes, 488264 blocks
24413 blocks (5.00%) reserved for the super user
第一个数据块=1
Maximum filesystem blocks=34078720
60 block groups
8192 blocks per group, 8192 fragments per group
2040 inodes per group
Superblock backups stored on blocks: 
	8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409

Allocating group tables: 完成                          
正在写入inode表: 完成                          
Creating journal (8192 blocks): 完成
Writing superblocks and filesystem accounting information: 完成

[root@centos7 ~]#docker run -it centos
[root@57f47d2a75c0 /]# cat /etc/redhat-release  
CentOS Linux release 8.4.2105
[root@57f47d2a75c0 /]# lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda      8:0    0    80G  0 disk 
|-sda1   8:1    0     1G  0 part 
`-sda2   8:2    0    79G  0 part 
sdb      8:16   0     1G  0 disk 
`-sdb1   8:17   0 476.8M  0 part 
sr0     11:0    1   4.4G  0 rom
[root@57f47d2a75c0 /]# mount /dev/sdb1 /mnt/
mount: /mnt: permission denied.
[root@57f47d2a75c0 /]# exit
exit

# run the container with the --privileged option
[root@centos7 ~]#docker run -it --privileged centos
# the host's devices are visible
[root@816f48aaab22 /]# lsblk 
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda      8:0    0    80G  0 disk 
|-sda1   8:1    0     1G  0 part 
`-sda2   8:2    0    79G  0 part 
sdb      8:16   0     1G  0 disk 
`-sdb1   8:17   0 476.8M  0 part 
sr0     11:0    1   4.4G  0 rom  
[root@816f48aaab22 /]# df 
Filesystem             1K-blocks    Used Available Use% Mounted on
overlay                 10475520 2679708   7795812  26% /
tmpfs                      65536       0     65536   0% /dev
tmpfs                     931496       0    931496   0% /sys/fs/cgroup
shm                        65536       0     65536   0% /dev/shm
/dev/mapper/centos-var  10475520 2679708   7795812  26% /etc/hosts
[root@816f48aaab22 /]# mount /dev/sdb1 /mnt/
[root@816f48aaab22 /]# df 
Filesystem             1K-blocks    Used Available Use% Mounted on
overlay                 10475520 2679708   7795812  26% /
tmpfs                      65536       0     65536   0% /dev
tmpfs                     931496       0    931496   0% /sys/fs/cgroup
shm                        65536       0     65536   0% /dev/shm
/dev/mapper/centos-var  10475520 2679708   7795812  26% /etc/hosts
/dev/sdb1                 464606    2318    433779   1% /mnt
[root@816f48aaab22 /]# touch /mnt/containter.txt
[root@816f48aaab22 /]# echo container data > /mnt/containter.txt
[root@816f48aaab22 /]# cat /mnt/containter.txt
container data

# check on the host whether the file was created
[root@centos7 ~]#mount /dev/sdb1 /data/
[root@centos7 ~]#cd /data/
[root@centos7 /data]#ls
containter.txt  lost+found
[root@centos7 /data]#echo host data >> /data/containter.txt
[root@centos7 /data]#cat /data/containter.txt 
container data
host data

# check inside the container whether the file changed
[root@816f48aaab22 /]# cat /mnt/containter.txt 
container data
host data
-----------------------------------
`Operations on centos8`
[root@centos8 ~]#podman run -it centos

[root@382ab09932a7 /]#cat /etc/redhat-release 
CentOS Linux release 8.1.1911 (Core)

[root@382ab09932a7 /]# lsblk
NAME   MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda      8:0    0 200G  0 disk 
|-sda1   8:1    0   1G  0 part 
|-sda2   8:2    0 100G  0 part 
|-sda3   8:3    0   50G  0 part 
|-sda4   8:4    0   1K  0 part 
`-sda5   8:5   0   2G 0 part [SWAP]
sr0     11:0    1   7G  0 rom  
[root@382ab09932a7 /]# mount /dev/sda3 /mnt
mount: /mnt: permission denied.
[root@382ab09932a7 /]# exit
exit
# run the container with the --privileged option
[root@centos8 ~]#podman run -it --privileged   centos
# the host's devices are visible
[root@a6391a8f82e3 /]# lsblk
NAME   MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda      8:0    0 200G  0 disk 
|-sda1   8:1    0   1G  0 part 
|-sda2   8:2    0 100G  0 part 
|-sda3   8:3    0   50G  0 part 
|-sda4   8:4    0   1K  0 part 
`-sda5   8:5   0   2G 0 part [SWAP]
sr0     11:0    1   7G  0 rom  
[root@a6391a8f82e3 /]# df
Filesystem     1K-blocks   Used Available Use% Mounted on
overlay        104806400 2754832 102051568   3% /
tmpfs              65536       0     65536   0% /dev
tmpfs             408092    5892    402200   2% /etc/hosts
shm                64000       0     64000   0% /dev/shm
tmpfs             408092       0    408092   0% /sys/fs/cgroup
[root@a6391a8f82e3 /]# mount /dev/sda3 /mnt
[root@a6391a8f82e3 /]# df
Filesystem     1K-blocks   Used Available Use% Mounted on
overlay        104806400 2754632 102051768   3% /
tmpfs              65536       0     65536   0% /dev
tmpfs             408092    5892    402200   2% /etc/hosts
shm                64000       0     64000   0% /dev/shm
tmpfs             408092       0    408092   0% /sys/fs/cgroup
/dev/sda3       52403200  619068  51784132   2% /mnt
[root@a6391a8f82e3 /]# touch /mnt/containter.txt
[root@a6391a8f82e3 /]# echo container data > /mnt/containter.txt
[root@a6391a8f82e3 /]# cat /mnt/containter.txt
container data
[root@a6391a8f82e3 /]#

# check on the host whether the file was created
[root@centos8 ~]#lsblk
NAME   MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda      8:0    0 200G  0 disk 
├─sda1   8:1    0   1G  0 part /boot
├─sda2   8:2    0 100G  0 part /
├─sda3   8:3    0   50G  0 part /data
├─sda4   8:4    0   1K  0 part 
└─sda5   8:5    0   2G  0 part [SWAP]
sr0     11:0    1   7G  0 rom 
[root@centos8 ~]#ll /data/containter.txt
-rw-r--r-- 1 root root 25 Feb 29 12:26 /data/containter.txt

[root@centos8 ~]#cat /data/containter.txt 
container data

[root@centos8 ~]#echo host data >> /data/containter.txt

[root@centos8 ~]#cat /data/containter.txt 
container data
host data

# check inside the container whether the file changed
[root@a6391a8f82e3 /]# cat /mnt/containter.txt
container data
host data

Example: run the official Docker documentation container

[root@centos7 ~]#docker run -it -d -p 4000:4000 docs/docker.github.io:latest
Unable to find image 'docs/docker.github.io:latest' locally
latest: Pulling from docs/docker.github.io
cbdbe7a5bc2a: Pull complete 
10c113fb0c77: Pull complete 
9ba64393807b: Pull complete 
262f9908119d: Pull complete 
c4a057508f96: Pull complete 
1442a42d69f2: Pull complete 
afa00dd93f09: Pull complete 
caa91f40ad1d: Pull complete 
Digest: sha256:16ed8366dece4a7659110a2e7baf41c48294e2e8750a8146b86ba9c43368a3a2
Status: Downloaded newer image for docs/docker.github.io:latest
7ae51c67729cd5e9f6994255113b3d6116c7c937193e30b7a82b69bb259991c6

[root@centos7 ~]#docker images docs/docker.github.io
REPOSITORY              TAG       IMAGE ID       CREATED         SIZE
docs/docker.github.io   latest    32ed84d97e30   18 months ago   1GB

# open http://localhost:4000/ in a browser to view the Docker documentation



1.4.2 Viewing container information

1.4.2.1 Listing existing containers

Format

docker ps [OPTIONS]
docker container ls [OPTIONS]
Options:
-a, --all             Show all containers (default shows just running)
-q, --quiet           Only display numeric IDs
-s, --size            Display total file sizes
-f, --filter filter   Filter output based on conditions provided
-l, --latest          Show the latest created container (includes all states)
-n, --last int        Show n last created containers (includes all states) (default -1)

Example:

# show running containers
[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE                          COMMAND                  CREATED          STATUS          PORTS                                               NAMES
7ae51c67729c   docs/docker.github.io:latest   "/docker-entrypoint.…"   7 minutes ago    Up 7 minutes    80/tcp, 0.0.0.0:4000->4000/tcp, :::4000->4000/tcp   angry_margulis
261c382be029   nginx                          "/docker-entrypoint.…"   50 minutes ago   Up 46 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp                   nginx1

# show all containers, including those in the exited state
[root@centos7 ~]#docker ps -a
CONTAINER ID   IMAGE                          COMMAND                  CREATED             STATUS                        PORTS                                               NAMES
7ae51c67729c   docs/docker.github.io:latest   "/docker-entrypoint.…"   8 minutes ago       Up 8 minutes                  80/tcp, 0.0.0.0:4000->4000/tcp, :::4000->4000/tcp   angry_margulis
816f48aaab22   centos                         "/bin/bash"              17 minutes ago      Exited (0) 10 minutes ago                                                         nostalgic_curie
57f47d2a75c0   centos

# show only container IDs
[root@centos7 ~]#docker ps -a -q
7ae51c67729c
816f48aaab22
[root@centos7 ~]#docker ps -aq
7ae51c67729c
816f48aaab22

# show container sizes
[root@centos7 ~]#docker ps -a -s
CONTAINER ID   IMAGE                          COMMAND                  CREATED             STATUS                        PORTS                                               NAMES                SIZE
7ae51c67729c   docs/docker.github.io:latest   "/docker-entrypoint.…"   9 minutes ago       Up 9 minutes                  80/tcp, 0.0.0.0:4000->4000/tcp, :::4000->4000/tcp   angry_margulis       2B (virtual 1GB)
816f48aaab22   centos
[root@centos7 ~]#docker ps -as
CONTAINER ID   IMAGE                          COMMAND                  CREATED             STATUS                        PORTS                                               NAMES                SIZE
7ae51c67729c   docs/docker.github.io:latest   "/docker-entrypoint.…"   9 minutes ago       Up 9 minutes                  80/tcp, 0.0.0.0:4000->4000/tcp, :::4000->4000/tcp   angry_margulis       2B (virtual 1GB)
816f48aaab22   centos

# show the most recently created container (stopped containers are shown too)
[root@centos7 ~]#docker ps -l
CONTAINER ID   IMAGE                          COMMAND                  CREATED          STATUS          PORTS                                               NAMES
7ae51c67729c   docs/docker.github.io:latest   "/docker-entrypoint.…"   10 minutes ago   Up 10 minutes   80/tcp, 0.0.0.0:4000->4000/tcp, :::4000->4000/tcp   angry_margulis

Example: show containers in a given state

[root@centos7 ~]#docker ps -a
CONTAINER ID   IMAGE                          COMMAND                  CREATED             STATUS                           PORTS                                               NAMES
7ae51c67729c   docs/docker.github.io:latest   "/docker-entrypoint.…"   18 minutes ago      Up 18 minutes                    80/tcp, 0.0.0.0:4000->4000/tcp, :::4000->4000/tcp   angry_margulis

[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE                          COMMAND                  CREATED             STATUS          PORTS                                               NAMES
7ae51c67729c   docs/docker.github.io:latest   "/docker-entrypoint.…"   18 minutes ago      Up 18 minutes   80/tcp, 0.0.0.0:4000->4000/tcp, :::4000->4000/tcp   angry_margulis

[root@centos7 ~]#docker ps -f 'status=running'
[root@centos7 ~]#docker ps -f 'status=exited'
CONTAINER ID   IMAGE     COMMAND                  CREATED             STATUS                           PORTS     NAMES
816f48aaab22   centos    "/bin/bash"              27 minutes ago      Exited (0) 20 minutes ago                  nostalgic_curie
57f47d2a75c0   centos    "/bin/bash"              53 minutes ago      Exited (32) 30 minutes ago                 happy_chaplygin

# delete all containers
[root@centos7 ~]#docker rm -f $(docker ps -qa)
[root@centos7 ~]#docker rm -f `docker ps -qa`

1.4.2.2 Viewing the processes inside a container

docker top CONTAINER [ps OPTIONS]

Example:

[root@centos7 ~]#docker run -d httpd
Unable to find image 'httpd:latest' locally
latest: Pulling from library/httpd
a2abf6c4d29d: Already exists 
dcc4698797c8: Pull complete 
41c22baa66ec: Pull complete 
67283bbdd4a0: Pull complete 
d982c879c57e: Pull complete 
Digest: sha256:0954cc1af252d824860b2c5dc0a10720af2b7a3d3435581ca788dff8480c7b32
Status: Downloaded newer image for httpd:latest
c03ba0c15b6896e2fb42969d46f21f3588e9503723413ae43c692f5567258f10

[root@centos7 ~]#docker top c03ba0c
UID                 PID                 PPID                C                   STIME               TTY                 TIME                CMD
root                2652                2634                0                   20:42               ?                   00:00:00            httpd -DFOREGROUND
33                  2678                2652                0                   20:42               ?                   00:00:00            httpd -DFOREGROUND
33                  2679                2652                0                   20:42               ?                   00:00:00            httpd -DFOREGROUND
33                  2680                2652                0                   20:42               ?                   00:00:00            httpd -DFOREGROUND

[root@centos7 ~]#docker run -d alpine /bin/sh -c 'i=1;while true;do echo hello$i;let i++;sleep 1;done'

883630a1db114f0c497c74d69e5b7121e0abe353fa980024848ea66aa521630e
[root@centos7 ~]#docker top 8836
UID                 PID                 PPID                C                   STIME               TTY                 TIME                CMD
root                2809                2790                0                   20:43               ?                   00:00:00            /bin/sh -c i=1;while true;do echo hello$i;let i++;sleep 1;done
root                2848                2809                0                   20:43               ?                   00:00:00            sleep 1

[root@centos7 ~]#docker stop 88

1.4.2.3 Viewing container resource usage

docker stats [OPTIONS] [CONTAINER...]
Display a live stream of container(s) resource usage statistics
Options:
-a, --all             Show all containers (default shows just running)
    --format string   Pretty-print images using a Go template
    --no-stream       Disable streaming stats 

Example:

[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND              CREATED         STATUS         PORTS     NAMES
c03ba0c15b68   httpd     "httpd-foreground"   2 minutes ago   Up 2 minutes   80/tcp    condescending_bell
 
[root@centos7 ~]#docker stats c03ba0c15b68

CONTAINER ID   NAME                 CPU %     MEM USAGE / LIMIT     MEM %     NET I/O     BLOCK I/O     PIDS
c03ba0c15b68   condescending_bell   0.00%     8.762MiB / 1.777GiB   0.48%     656B / 0B   4.01MB / 0B   82

# by default elasticsearch uses a large amount of memory
[root@centos7 ~]#docker run -d --name elasticsearch -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" elasticsearch:7.6.2

[root@centos7 ~]#curl http://192.168.1.10:9200
{
  "name" : "fe6428e8b845",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "AQjSdgOxRgG8SAle5_0Meg",
  "version" : {
    "number" : "7.6.2",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "ef48eb35cf30adf4db14086e8aabd07ef6fb113f",
    "build_date" : "2020-03-26T06:34:37.794943Z",
    "build_snapshot" : false,
    "lucene_version" : "8.4.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

# view all containers
[root@centos7 ~]#docker stats 

CONTAINER ID   NAME                 CPU %     MEM USAGE / LIMIT     MEM %     NET I/O         BLOCK I/O        PIDS
fe6428e8b845   elasticsearch        4.53%     1.233GiB / 1.777GiB   69.40%    1.26kB / 996B   603MB / 1.63MB   43
c03ba0c15b68   condescending_bell   0.00%     8.773MiB / 1.777GiB   0.48%     772B / 0B       4.01MB / 0B      82

# limit the amount of memory used
[root@centos7 ~]#docker run -d --name elasticsearch -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" -e ES_JAVA_OPTS="-Xms64m -Xmx128m" elasticsearch:7.6.2
a446cf1fa7f5d27185962799d348d6d738465a32cdf6d43b49cd70cc25e92da6

[root@centos7 ~]#docker stats 

CONTAINER ID   NAME                 CPU %     MEM USAGE / LIMIT     MEM %     NET I/O     BLOCK I/O     PIDS
a446cf1fa7f5   elasticsearch        98.52%    280.4MiB / 1.777GiB   15.41%    656B / 0B   238MB / 0B    19
c03ba0c15b68   condescending_bell   0.00%     8.773MiB / 1.777GiB   0.48%     772B / 0B   4.01MB / 0B   82
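The `docker stats` table above is meant for a human, but the same numbers are what an operator watches for a container that is about to be OOM-killed or is starving its neighbours. As an added example (written for this page, not code from the original tutorial or from Docker), the following Python parses the `docker stats --no-stream` output, converts the mixed decimal (kB, MB) and binary (KiB, MiB, GiB) units Docker prints into bytes, recomputes the usage-to-limit ratio, and lists containers above a threshold. The sample table is constructed from the two rows shown above.

```python
import re
from typing import Dict, List

# Added example for this page; not code from the original tutorial or from Docker.
# Parses the table that `docker stats --no-stream` prints and flags containers
# whose memory use is close to their limit.

# docker stats prints decimal units (kB, MB, GB) for network and block I/O and
# binary units (KiB, MiB, GiB) for memory; both are handled here.
_UNITS = {
    "B": 1, "kB": 10**3, "MB": 10**6, "GB": 10**9, "TB": 10**12,
    "KiB": 2**10, "MiB": 2**20, "GiB": 2**30, "TiB": 2**40,
}
_SIZE_RE = re.compile(r"^([0-9]*\.?[0-9]+)\s*([A-Za-z]+)$")


def parse_size(text: str) -> float:
    """'1.233GiB' -> bytes as a float; raises ValueError on an unknown unit."""
    m = _SIZE_RE.match(text.strip())
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"cannot parse size {text!r}")
    return float(m.group(1)) * _UNITS[m.group(2)]


def parse_stats(table: str) -> List[Dict]:
    """Parse the `docker stats` table (columns separated by 2+ spaces) into dicts."""
    lines = [ln for ln in table.splitlines() if ln.strip()]
    rows = []
    for line in lines[1:]:  # skip the header line
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != 8:
            raise ValueError(f"unexpected column count in {line!r}")
        cid, name, cpu, mem, _mem_pct, _net, _block, pids = cols
        usage, limit = (parse_size(p) for p in mem.split(" / "))
        rows.append({
            "id": cid,
            "name": name,
            "cpu_pct": float(cpu.rstrip("%")),
            "mem_usage": usage,
            "mem_limit": limit,
            "mem_ratio": usage / limit if limit else 0.0,
            "pids": int(pids),
        })
    return rows


def memory_hogs(rows: List[Dict], threshold: float = 0.5) -> List[str]:
    """Names of containers using at least `threshold` of their memory limit."""
    return [r["name"] for r in rows if r["mem_ratio"] >= threshold]


# Constructed sample: the two rows shown in the tutorial's `docker stats` output.
SAMPLE_STATS = """\
CONTAINER ID   NAME                 CPU %     MEM USAGE / LIMIT     MEM %     NET I/O         BLOCK I/O        PIDS
fe6428e8b845   elasticsearch        4.53%     1.233GiB / 1.777GiB   69.40%    1.26kB / 996B   603MB / 1.63MB   43
c03ba0c15b68   condescending_bell   0.00%     8.773MiB / 1.777GiB   0.48%     772B / 0B       4.01MB / 0B      82
"""

if __name__ == "__main__":
    for row in parse_stats(SAMPLE_STATS):
        print(f"{row['name']:20} {row['mem_ratio']:6.1%} of limit, {row['pids']} pids")
    print("over 50% of limit:", memory_hogs(parse_stats(SAMPLE_STATS)))
```

One thing worth noticing in the sample: both containers report the same 1.777GiB limit, which is the host's total memory; when no `--memory` limit is set, `docker stats` shows the host total, so a limit equal to host RAM is itself a sign that the container is unconstrained.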

1.4.2.4 Viewing detailed container information

docker inspect shows detailed information about Docker objects of every kind, including images, containers, networks and so on

docker inspect [OPTIONS] NAME|ID [NAME|ID...]
Options:
-f, --format string   Format the output using the given Go template
-s, --size           Display total file sizes if the type is container
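The HostConfig section of `docker inspect` records exactly the run-time choices that decide how much a container can reach on the host: the `Privileged` flag discussed in the --privileged example above, added capabilities, bind mounts, host namespaces, a read-only root filesystem and the memory limit. As an added example (written for this page, not code from the original tutorial or from Docker) the following Python audits the JSON array that `docker inspect` prints and reports the settings that weaken isolation; the first sample container mirrors the httpd container inspected below, the second is a constructed worst case, and the capability and path lists are my own selection, not an official Docker list.

```python
import json
from typing import Dict, List, Tuple

# Added example for this page; not code from the original tutorial or from Docker.
# Reads the JSON that `docker inspect CONTAINER` prints and reports HostConfig
# settings that weaken container isolation.

# Capabilities that effectively hand the container the host (my own selection).
_DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "NET_ADMIN",
                   "DAC_READ_SEARCH", "SYS_RAWIO"}
# Host paths whose bind mount gives control of the host or of the Docker daemon.
_SENSITIVE_BINDS = {"/", "/var/run/docker.sock", "/run/docker.sock", "/etc", "/proc",
                    "/sys", "/dev"}

Finding = Tuple[str, str]  # (severity, message)


def _normalize_cap(cap: str) -> str:
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _bind_host_path(bind: str) -> str:
    # Binds look like "/host/path:/container/path[:options]"; a named volume has no leading '/'.
    return bind.split(":", 1)[0]


def audit_host_config(container: Dict) -> List[Finding]:
    """Return findings for one element of the `docker inspect` output array."""
    hc = container.get("HostConfig") or {}
    name = (container.get("Name") or "?").lstrip("/")
    findings: List[Finding] = []

    if hc.get("Privileged"):
        findings.append(("HIGH", f"{name}: --privileged: root in the container sees host devices and can mount them"))
    risky = sorted({_normalize_cap(c) for c in (hc.get("CapAdd") or [])} & _DANGEROUS_CAPS)
    if risky:
        findings.append(("HIGH", f"{name}: added capabilities {risky}"))
    for bind in hc.get("Binds") or []:
        host_path = _bind_host_path(bind)
        if host_path.startswith("/") and (host_path.rstrip("/") or "/") in _SENSITIVE_BINDS:
            findings.append(("HIGH", f"{name}: sensitive host path bind-mounted: {bind}"))
    for key in ("NetworkMode", "PidMode", "IpcMode"):
        if hc.get(key) == "host":
            findings.append(("MEDIUM", f"{name}: {key}=host shares the host's namespace"))
    if not hc.get("ReadonlyRootfs"):
        findings.append(("LOW", f"{name}: root filesystem is writable (consider --read-only)"))
    if not hc.get("Memory"):
        findings.append(("LOW", f"{name}: no memory limit set (see docker stats)"))
    return findings


def audit_inspect_json(text: str) -> List[Finding]:
    """Audit the whole JSON array printed by `docker inspect`."""
    return [f for c in json.loads(text) for f in audit_host_config(c)]


# Constructed sample, shaped like the `docker inspect` output in the tutorial.
SAMPLE_CONTAINERS = [
    {   # mirrors the httpd container inspected below: nothing privileged, but no limits
        "Name": "/condescending_bell",
        "HostConfig": {"Binds": None, "NetworkMode": "default", "CapAdd": None, "CapDrop": None,
                       "PidMode": "", "IpcMode": "private", "Privileged": False,
                       "ReadonlyRootfs": False, "Memory": 0},
    },
    {   # constructed worst case for contrast
        "Name": "/build-agent",
        "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock", "data:/data"],
                       "NetworkMode": "host", "CapAdd": ["SYS_ADMIN"], "PidMode": "host",
                       "IpcMode": "private", "Privileged": True, "ReadonlyRootfs": True,
                       "Memory": 536870912},
    },
]
SAMPLE_INSPECT = json.dumps(SAMPLE_CONTAINERS)

if __name__ == "__main__":
    for severity, message in audit_inspect_json(SAMPLE_INSPECT):
        print(f"[{severity:6}] {message}")
```

On a real host the input is simply `docker inspect $(docker ps -q)` piped into `audit_inspect_json`; the same fields can also be pulled one at a time with `docker inspect -f '{{.HostConfig.Privileged}}' CONTAINER`, which is the quickest check after reading the --privileged section above.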

Example:

[root@centos7 ~]#docker ps
CONTAINER ID   IMAGE     COMMAND              CREATED         STATUS         PORTS     NAMES
c03ba0c15b68   httpd     "httpd-foreground"   9 minutes ago   Up 9 minutes   80/tcp    condescending_bell
[root@centos7 ~]#docker inspect c03ba0c15b68
[
    {
        "Id": "c03ba0c15b6896e2fb42969d46f21f3588e9503723413ae43c692f5567258f10",
        "Created": "2021-12-26T12:42:16.715909454Z",
        "Path": "httpd-foreground",
        "Args": [],
        "State": {
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 2652,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2021-12-26T12:42:17.232910533Z",
            "FinishedAt": "0001-01-01T00:00:00Z"
        },
        "Image": "sha256:dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34",
        "ResolvConfPath": "/var/lib/docker/containers/c03ba0c15b6896e2fb42969d46f21f3588e9503723413ae43c692f5567258f10/resolv.conf",
        "HostnamePath": "/var/lib/docker/containers/c03ba0c15b6896e2fb42969d46f21f3588e9503723413ae43c692f5567258f10/hostname",
        "HostsPath": "/var/lib/docker/containers/c03ba0c15b6896e2fb42969d46f21f3588e9503723413ae43c692f5567258f10/hosts",
        "LogPath": "/var/lib/docker/containers/c03ba0c15b6896e2fb42969d46f21f3588e9503723413ae43c692f5567258f10/c03ba0c15b6896e2fb42969d46f21f3588e9503723413ae43c692f5567258f10-json.log",
        "Name": "/condescending_bell",
        "RestartCount": 0,
        "Driver": "overlay2",
        "Platform": "linux",
        "MountLabel": "",
        "ProcessLabel": "",
        "AppArmorProfile": "",
        "ExecIDs": null,
        "HostConfig": {
            "Binds": null,
            "ContainerIDFile": "",
            "LogConfig": {
                "Type": "json-file",
                "Config": {}
            },
            "NetworkMode": "default",
            "PortBindings": {},
            "RestartPolicy": {
                "Name": "no",
                "MaximumRetryCount": 0
            },
            "AutoRemove": false,
            "VolumeDriver": "",
            "VolumesFrom": null,
            "CapAdd": null,
            "CapDrop": null,
            "CgroupnsMode": "host",
            "Dns": [],
            "DnsOptions": [],
            "DnsSearch": [],
            "ExtraHosts": null,
            "GroupAdd": null,
            "IpcMode": "private",
            "Cgroup": "",
            "Links": null,
            "OomScoreAdj": 0,
            "PidMode": "",
            "Privileged": false,
            "PublishAllPorts": false,
            "ReadonlyRootfs": false,
            "SecurityOpt": null,
            "UTSMode": "",
            "UsernsMode": "",
            "ShmSize": 67108864,
            "Runtime": "runc",
            "ConsoleSize": [
                0,
                0
            ],
            "Isolation": "",
            "CpuShares": 0,
            "Memory": 0,
            "NanoCpus": 0,
            "CgroupParent": "",
            "BlkioWeight": 0,
            "BlkioWeightDevice": [],
            "BlkioDeviceReadBps": null,
            "BlkioDeviceWriteBps": null,
            "BlkioDeviceReadIOps": null,
            "BlkioDeviceWriteIOps": null,
            "CpuPeriod": 0,
            "CpuQuota": 0,
            "CpuRealtimePeriod": 0,
            "CpuRealtimeRuntime": 0,
            "CpusetCpus": "",
            "CpusetMems": "",
            "Devices": [],
            "DeviceCgroupRules": null,
            "DeviceRequests": null,
            "KernelMemory": 0,
            "KernelMemoryTCP": 0,
            "MemoryReservation": 0,
            "MemorySwap": 0,
            "MemorySwappiness": null,
            "OomKillDisable": false,
            "PidsLimit": null,
            "Ulimits": null,
            "CpuCount": 0,
            "CpuPercent": 0,
            "IOMaximumIOps": 0,
            "IOMaximumBandwidth": 0,
            "MaskedPaths": [
                "/proc/asound",
                "/proc/acpi",
                "/proc/kcore",
                "/proc/keys",
                "/proc/latency_stats",
                "/proc/timer_list",
                "/proc/timer_stats",
                "/proc/sched_debug",
                "/proc/scsi",
                "/sys/firmware"
            ],
            "ReadonlyPaths": [
                "/proc/bus",
                "/proc/fs",
                "/proc/irq",
                "/proc/sys",
                "/proc/sysrq-trigger"
            ]
        },
        "GraphDriver": {
            "Data": {
                "LowerDir": "/var/lib/docker/overlay2/9935417316ba8581d100e8496cd2a0f7e8ea9d15056f84090e094e3399d1a7a3-init/diff:/var/lib/docker/overlay2/c3ee943f56f2d9b0d5d1efa38293a71797b302be4f68eb964ef4db5499cfe1d1/diff:/var/lib/docker/overlay2/c91fbbe65b36ae9015af454857ab6f910b2c7ba95ada8c22dfc63c8b2ab73375/diff:/var/lib/docker/overlay2/bf39bd7fb84084587b613f4ec5569f4fc8fd15382830ad92a14f716098391878/diff:/var/lib/docker/overlay2/65de748bfdf84189def1d318b0ea2c56d3697a01c9adc636c4954a595c5eefa0/diff:/var/lib/docker/overlay2/5a9044cc60a93bf3e536670c8cf708a5e1a108a4f3841c12316d55b0534900b9/diff",
                "MergedDir": "/var/lib/docker/overlay2/9935417316ba8581d100e8496cd2a0f7e8ea9d15056f84090e094e3399d1a7a3/merged",
                "UpperDir": "/var/lib/docker/overlay2/9935417316ba8581d100e8496cd2a0f7e8ea9d15056f84090e094e3399d1a7a3/diff",
                "WorkDir": "/var/lib/docker/overlay2/9935417316ba8581d100e8496cd2a0f7e8ea9d15056f84090e094e3399d1a7a3/work"
            },
            "Name": "overlay2"
        },
        "Mounts": [],
        "Config": {
            "Hostname": "c03ba0c15b68",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "80/tcp": {}
            },
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/apache2/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "HTTPD_PREFIX=/usr/local/apache2",
                "HTTPD_VERSION=2.4.52",
                "HTTPD_SHA256=0127f7dc497e9983e9c51474bed75e45607f2f870a7675a86dc90af6d572f5c9",
                "HTTPD_PATCHES="
            ],
            "Cmd": [
                "httpd-foreground"
            ],
            "Image": "httpd",
            "Volumes": null,
            "WorkingDir": "/usr/local/apache2",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": {},
            "StopSignal": "SIGWINCH"
        },
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "8d084e9383310d26e46fd03e524ec86c340b27446bd78ea4a2a1a22355c471b4",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {
                "80/tcp": null
            },
            "SandboxKey": "/var/run/docker/netns/8d084e938331",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "93894f8abb2210f5092a21fbde77474ab5d9132a37139801c53342988bfab14f",
            "Gateway": "172.17.0.1",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "172.17.0.2",
            "IPPrefixLen": 16,
            "IPv6Gateway": "",
            "MacAddress": "02:42:ac:11:00:02",
            "Networks": {
                "bridge": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": null,
                    "NetworkID": "b0e82aa4581b8c37149e79121979fbe392456b3653a42ca4134384b37a5c6e8d",
                    "EndpointID": "93894f8abb2210f5092a21fbde77474ab5d9132a37139801c53342988bfab14f",
                    "Gateway": "172.17.0.1",
                    "IPAddress": "172.17.0.2",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:ac:11:00:02",
                    "DriverOpts": null
                }
            }
        }
    }
]

#Selecting individual fields with a Go template (.Metadata holds the image's last local tag time, which is the zero time for an image that was pulled rather than tagged here)
[root@centos7 ~]#docker inspect -f "{{.Metadata}}" elasticsearch:7.6.2
{0001-01-01 00:00:00 +0000 UTC}

[root@centos7 ~]#docker inspect -f "{{.Metadata}}" nginxtest:v1
{2021-12-24 15:52:36.117586932 +0800 CST}

[root@centos7 ~]#docker inspect -f "{{.Created}}" nginxtest:v1
2021-12-24T07:43:34.310438828Z

[root@centos7 ~]#docker inspect --format "{{.Created}}" nginxtest:v1
2021-12-24T07:43:34.310438828Z

[root@centos7 ~]#docker inspect --format="{{.Created}}" nginxtest:v1
2021-12-24T07:43:34.310438828Z

1.4.3 Deleting containers

docker rm deletes a container. A running container can also be removed by forcing it (-f), which first kills its process with SIGKILL. Note that -v removes only the anonymous volumes that belong to the container; named volumes and bind mounts are never removed by docker rm.

Format

docker rm [OPTIONS] CONTAINER [CONTAINER...]
docker container rm [OPTIONS] CONTAINER [CONTAINER...]
#Options:
-f, --force     Force the removal of a running container (uses SIGKILL)
-v, --volumes   Remove the volumes associated with the container
#Delete all stopped containers
docker container prune [OPTIONS]
Options:
      --filter filter   Provide filter values (e.g. 'until=<timestamp>')
  -f, --force           Do not prompt for confirmation

Example (note the exit statuses in the STATUS column: 143 = 128+15 means the process ended on SIGTERM, which docker stop sends first; 137 = 128+9 means it was killed with SIGKILL):

[root@centos7 ~]#docker ps -a
CONTAINER ID   IMAGE                 COMMAND                  CREATED          STATUS                        PORTS     NAMES
a446cf1fa7f5   elasticsearch:7.6.2   "/usr/local/bin/dock…"   7 minutes ago    Exited (143) 6 minutes ago              elasticsearch
883630a1db11   alpine                "/bin/sh -c 'i=1;whi…"   13 minutes ago   Exited (137) 13 minutes ago             epic_perlman
c03ba0c15b68   httpd                 "httpd-foreground"       14 minutes ago   Up 14 minutes                 80/tcp    condescending_bell

[root@centos7 ~]#docker rm a446cf1fa7f5
a446cf1fa7f5

[root@centos7 ~]#docker rm epic_perlman
epic_perlman

[root@centos7 ~]#docker rm -f c03ba0c15b68

Example: delete all containers

[root@centos7 ~]#docker ps -a
CONTAINER ID   IMAGE     COMMAND              CREATED          STATUS          PORTS     NAMES
c03ba0c15b68   httpd     "httpd-foreground"   16 minutes ago   Up 16 minutes   80/tcp    condescending_bell

[root@centos7 ~]#docker rm -f `docker ps -a -q`
[root@centos7 ~]#docker ps -a -q | xargs docker rm -f

Example: delete containers in a given state

[root@centos7 ~]#docker ps -a 
CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS                     PORTS     NAMES
7663990dd878   nginx     "/docker-entrypoint.…"   4 seconds ago    Exited (0) 2 seconds ago             bold_colden
c03ba0c15b68   httpd     "httpd-foreground"       17 minutes ago   Up 17 minutes              80/tcp    condescending_bell

[root@centos7 ~]#docker rm `docker ps -qf status=exited`
7663990dd878

[root@centos7 ~]#docker ps -a 
CONTAINER ID   IMAGE     COMMAND              CREATED          STATUS          PORTS     NAMES
c03ba0c15b68   httpd     "httpd-foreground"   17 minutes ago   Up 17 minutes   80/tcp    condescending_bell

[root@centos7 ~]#docker rm -f `docker ps -qf status=running`
c03ba0c15b68

Example: delete all stopped containers

[root@centos7 ~]#docker container prune -f 
Deleted Containers:
37ba6ef81e33102a9cf4547ed10095d2298e29c8d67991b31390d5db8001dbcf
6c674c7ced422c7c29f218118c8b5da734ccebb9da31cdd3f64e7c658d2882a4
Total reclaimed space: 0B

1.4.4 Starting and stopping containers

Format

docker start|stop|restart|pause|unpause CONTAINER_ID

docker stop sends the container's stop signal (SIGTERM unless the image sets another StopSignal, as the httpd image above does with SIGWINCH) and falls back to SIGKILL if the process has not exited after the timeout (-t, 10 seconds by default). pause and unpause freeze and thaw the container's whole process tree through the freezer cgroup: the processes stay in memory but cannot run, which is why ps on this CentOS 7 host shows them in state D below.

Start or stop all containers in bulk

docker start $(docker ps -a -q)
docker stop $(docker ps -a -q)

Example:

[root@centos7 ~]#docker run -d --name nginx1 nginx 
6e71daefba1b63b04fe2431f38be8e38f88ee66df49cb432c01be3312a246651

[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND                  CREATED         STATUS         PORTS     NAMES
6e71daefba1b   nginx     "/docker-entrypoint.…"   3 seconds ago   Up 2 seconds   80/tcp    nginx1

[root@centos7 ~]#docker stop 6e
6e

[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES

[root@centos7 ~]#docker start 6e
6e

[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS        PORTS     NAMES
6e71daefba1b   nginx     "/docker-entrypoint.…"   18 seconds ago   Up 1 second   80/tcp    nginx1

[root@centos7 ~]#docker restart 6e
6e

[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS        PORTS     NAMES
6e71daefba1b   nginx     "/docker-entrypoint.…"   23 seconds ago   Up 1 second   80/tcp    nginx1

Example: start a container and attach to it

[root@centos7 ~]#docker run --name=c1 -it ubuntu bash
root@df76f04d7d24:/# exit
exit
[root@centos7 ~]#docker ps -l
CONTAINER ID   IMAGE     COMMAND   CREATED          STATUS                     PORTS     NAMES
df76f04d7d24   ubuntu    "bash"    16 seconds ago   Exited (0) 3 seconds ago             c1

[root@centos7 ~]#docker start df
df

[root@centos7 ~]#docker ps -l
CONTAINER ID   IMAGE     COMMAND   CREATED          STATUS        PORTS     NAMES
df76f04d7d24   ubuntu    "bash"    50 seconds ago   Up 1 second             c1

#Start the container and attach to its STDIN (-i); exit ends bash, and with it the container
[root@centos7 ~]#docker start -i c1

root@df76f04d7d24:/# exit
exit

[root@centos7 ~]#docker ps -l
CONTAINER ID   IMAGE     COMMAND   CREATED              STATUS                    PORTS     NAMES
df76f04d7d24   ubuntu    "bash"    About a minute ago   Exited (0) 1 second ago             c

Example: start and stop all containers

[root@centos7 ~]#docker rm -f `docker ps -a -q`
df76f04d7d24
6e71daefba1b

[root@centos7 ~]#docker run -d --name nginx1 nginx
3038270a7d34935f75f88aabd17b40b3652370749dde68d139cdb867318b9257

[root@centos7 ~]#docker run -d --name nginx2 nginx
c08af0b5d286cf812f3a4cdb6d89538dd44b08333ba5b61ae5935079c9f19f04

[root@centos7 ~]#docker ps -a
CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS          PORTS     NAMES
c08af0b5d286   nginx     "/docker-entrypoint.…"   29 seconds ago   Up 29 seconds   80/tcp    nginx2
3038270a7d34   nginx     "/docker-entrypoint.…"   32 seconds ago   Up 32 seconds   80/tcp    nginx1

[root@centos7 ~]#docker stop `docker ps -a -q` 
c08af0b5d286
3038270a7d34

[root@centos7 ~]#docker ps -a
CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS                    PORTS     NAMES
c08af0b5d286   nginx     "/docker-entrypoint.…"   32 seconds ago   Exited (0) 1 second ago             nginx2
3038270a7d34   nginx     "/docker-entrypoint.…"   35 seconds ago   Exited (0) 1 second ago             nginx1

[root@centos7 ~]#docker start `docker ps -a -q`
c08af0b5d286
3038270a7d34

[root@centos7 ~]#docker ps -a
CONTAINER ID   IMAGE     COMMAND                  CREATED              STATUS        PORTS     NAMES
c08af0b5d286   nginx     "/docker-entrypoint.…"   58 seconds ago       Up 1 second   80/tcp    nginx2
3038270a7d34   nginx     "/docker-entrypoint.…"   About a minute ago   Up 1 second   80/tcp    nginx1

Example: pause and resume a container

[root@centos7 ~]#docker run -d --name n1 nginx
c40a028160366636684dc99d239029a5f570531645b045148c3ee8275fc378b9

[root@centos7 ~]#docker top n1
UID                 PID                 PPID                C                   STIME               TTY                 TIME                CMD
root                4824                4806                0                   21:10               ?                   00:00:00            nginx: master process nginx -g daemon off;
101                 4874                4824                0                   21:10               ?                   00:00:00            nginx: worker process

[root@centos7 ~]#ps aux|grep nginx
root       4673  0.0  0.1   8676  3356 ?        Ss   21:09   0:00 nginx: master process nginx -g daemon off;
101        4714  0.0  0.0   9080  1532 ?        S    21:09   0:00 nginx: worker process
root       4888  0.0  0.0 112828   988 pts/0    R+   21:10   0:00 grep --color=auto nginx

[root@centos7 ~]#docker pause n1
n1
[root@centos7 ~]#docker ps
CONTAINER ID   IMAGE     COMMAND                  CREATED         STATUS                  PORTS     NAMES
c40a02816036   nginx     "/docker-entrypoint.…"   2 minutes ago   Up 2 minutes (Paused)   80/tcp    n1

[root@centos7 ~]#ps aux|grep nginx
root       4824  0.0  0.1   8676  3356 ?        Ds   21:10   0:00 nginx: master process nginx -g daemon off;
101        4874  0.0  0.0   9080  1528 ?        D    21:10   0:00 nginx: worker process
root       4956  0.0  0.0 112828   984 pts/0    S+   21:14   0:00 grep --color=auto nginx

[root@centos7 ~]#docker unpause n1
n1

[root@centos7 ~]#ps aux|grep nginx
root       4824  0.0  0.1   8676  3356 ?        Ss   21:10   0:00 nginx: master process nginx -g daemon off;
101        4874  0.0  0.0   9080  1528 ?        S    21:10   0:00 nginx: worker process

1.4.5 Sending a signal to a running container

docker kill sends a signal to the container's main process. The default is SIGKILL (signal 9), which cannot be caught, so the process gets no chance to flush state or clean up and the container ends with status 137 (128+9). Use -s to send a signal the application actually handles, for example docker kill -s HUP n1 makes nginx reload its configuration instead of dying.

Format

docker kill [OPTIONS] CONTAINER [CONTAINER...]
#Options:
-s, --signal string   Signal to send to the container (default "KILL")
[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND                  CREATED         STATUS         PORTS     NAMES
c40a02816036   nginx     "/docker-entrypoint.…"   6 minutes ago   Up 5 minutes   80/tcp    n1

[root@centos7 ~]#docker kill n1
n1

[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES

Example: kill all containers

[root@centos7 ~]#docker ps -a 
CONTAINER ID   IMAGE     COMMAND                  CREATED         STATUS                        PORTS     NAMES
c40a02816036   nginx     "/docker-entrypoint.…"   6 minutes ago   Exited (137) 50 seconds ago             n1
c08af0b5d286   nginx     "/docker-entrypoint.…"   8 minutes ago   Up 2 seconds                  80/tcp    nginx2
3038270a7d34   nginx     "/docker-entrypoint.…"   8 minutes ago   Up 3 seconds                  80/tcp    nginx1

#Force-kill all running containers
[root@centos7 ~]#docker kill `docker ps -a -q`
c08af0b5d286
3038270a7d34

1.4.6 Entering a running container

1.4.6.1 Using the attach command

docker attach CONTAINER connects your terminal to the container's main process (PID 1 inside the container). It behaves much like VNC: every terminal attached to the same container sees the same screen, and whatever is typed in one of them shows up in all of them. Because you are talking to the main process, typing exit terminates it and therefore stops the container; to leave without stopping it, detach with the key sequence Ctrl+p Ctrl+q. attach only makes sense for containers whose main process is a shell, and it is not the recommended way in.

Format:

docker attach [OPTIONS] CONTAINER

Example:

[root@centos7 ~]#docker run -it centos
[root@9da9ee98edce /]# cat /etc/redhat-release 
CentOS Linux release 8.4.2105
[root@9da9ee98edce /]#  ctrl+p, ctrl+q detaches and leaves the container running
[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND       CREATED          STATUS          PORTS     NAMES
9da9ee98edce   centos    "/bin/bash"   57 seconds ago   Up 57 seconds             condescending_leavitt
[root@centos7 ~]#docker attach 9d
[root@9da9ee98edce /]# 

#Attach to the same container from a second terminal; the commands run here are echoed in the first terminal as well
[root@centos7 ~]#docker attach 9d
[root@9da9ee98edce /]# cat /etc/redhat-release 
CentOS Linux release 8.4.2105
[root@9da9ee98edce /]# exit #both terminals exit at the same time and the container stops

[root@centos7 ~]#docker ps -a
CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS                       PORTS     NAMES
9da9ee98edce   centos    "/bin/bash"              2 minutes ago    Exited (0) 28 seconds ago              condescending_leavitt

1.4.6.2 Using the exec command

docker exec starts a new process inside a running container. Use it for one-off commands or for an interactive troubleshooting shell; exit only ends that extra process, the container keeps running.

This is the recommended way in. The new process joins the container's namespaces and cgroups and inherits the container's capability set and seccomp/AppArmor profile, so it is confined like the rest of the container. By default it runs as the user in Config.User (root when that field is empty); -u lets you pick an unprivileged user for the session.

Format:

docker exec [OPTIONS] CONTAINER COMMAND [ARG...]
Common options:
-d, --detach               Detached mode: run command in the background
-e, --env list             Set environment variables
-i, --interactive          Keep STDIN open even if not attached
-t, --tty                  Allocate a pseudo-TTY
-u, --user string          Username or UID (format: <name|uid>[:<group|gid>])

#Typical usage
docker exec -it CONTAINER_ID sh|bash|/bin/bash

Example:

[root@centos7 ~]#docker run -itd centos
04bd89ff7af425c3b6ea158c68a192c99c1c95dd3d0015ab108c6fe7700d4ddf

[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND       CREATED          STATUS          PORTS     NAMES
04bd89ff7af4   centos    "/bin/bash"   24 seconds ago   Up 23 seconds             quirky_blackburn

#Run a one-off command
[root@centos7 ~]#docker exec 04bd cat /etc/redhat-release
CentOS Linux release 8.4.2105

#Enter the container, run commands, exit; the container keeps running
[root@centos7 ~]#docker exec -it 04 bash

[root@04bd89ff7af4 /]# cat /etc/redhat-release 
CentOS Linux release 8.4.2105

[root@04bd89ff7af4 /]# exit
exit

[root@centos7 ~]#docker ps
CONTAINER ID   IMAGE     COMMAND       CREATED              STATUS              PORTS     NAMES
04bd89ff7af4   centos    "/bin/bash"   About a minute ago   Up About a minute             quirky_blackburn

1.4.6.3 Using the nsenter command

nsenter enters a container through the PID of its main process, and leaving the shell afterwards does not affect the container. Because you first have to look up that PID with docker inspect, this route is used less often today. The tool comes from the util-linux package.

Security caveat: nsenter only calls setns() for the namespaces you list. The process it starts keeps the caller's credentials and capabilities, has no seccomp or AppArmor profile applied, and is not moved into the container's cgroups, so a shell opened this way is host root looking at the container's filesystem, network and process tree rather than a confined container process. That makes it useful for forensics and debugging and wrong as a way to run workloads; prefer docker exec for anything routine.

#Install nsenter
yum -y install util-linux #CentOS
apt -y install util-linux #Ubuntu

nsenter [options] [program [arguments]]

options:
    -t, --target pid: PID of the process whose namespaces are entered
    -m, --mount[=file]: enter the mount namespace; with file, the namespace that file refers to
    -u, --uts[=file]: enter the UTS namespace; with file, the namespace that file refers to
    -i, --ipc[=file]: enter the IPC namespace; with file, the namespace that file refers to
    -n, --net[=file]: enter the network namespace; with file, the namespace that file refers to
    -p, --pid[=file]: enter the PID namespace; with file, the namespace that file refers to
    -U, --user[=file]: enter the user namespace; with file, the namespace that file refers to
    -G, --setgid gid: run the program with this gid
    -S, --setuid uid: run the program with this uid
    -r, --root[=directory]: set the root directory
    -w, --wd[=directory]: set the working directory

#Get the container's IP address
docker inspect -f "{{.NetworkSettings.IPAddress}}" CONTAINER_ID

#Get the PID of the container's main process, then enter the container through it
docker inspect -f "{{.State.Pid}}" CONTAINER_ID
nsenter -t PID -m -u -i -n -p

Example:

[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND       CREATED         STATUS         PORTS     NAMES
04bd89ff7af4   centos    "/bin/bash"   5 minutes ago   Up 5 minutes             quirky_blackburn

[root@centos7 ~]#docker inspect -f {{.State}} 04bd89ff7af4
{running true false false false false 5414 0  2021-12-26T13:22:45.551694044Z 0001-01-01T00:00:00Z <nil>}

[root@centos7 ~]#docker inspect -f {{.State.Status}}  04bd89ff7af4
running

[root@centos7 ~]#docker inspect -f {{.State.Pid}} 04bd89ff7af4
5414

[root@centos7 ~]#nsenter -t 5414 -m -u -i -n -p

[root@04bd89ff7af4 /]# exit
logout
[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND       CREATED         STATUS         PORTS     NAMES
04bd89ff7af4   centos    "/bin/bash"   7 minutes ago   Up 7 minutes             quirky_blackburn

1.4.6.4 Wrapping it in a script

Put the nsenter call in a script so that dropping into a container to read logs or troubleshoot is a single command.

Like this:

[root@centos7 ~]#vim docker-in.sh
[root@centos7 ~]#cat docker-in.sh
#!/bin/bash
# Enter a container's namespaces through the PID of its main process.
# Caveat: this is host root inside the container's view; the container's
# capability set, seccomp profile and cgroup limits are not applied.
docker_in(){
	NAME_ID=$1
	PID=$(docker inspect -f "{{.State.Pid}}" "${NAME_ID}") || exit 1
	if [ -z "${PID}" ] || [ "${PID}" -eq 0 ]; then   # a stopped container reports Pid 0
		echo "container ${NAME_ID} is not running" >&2
		exit 1
	fi
	nsenter -t "${PID}" -m -u -i -n -p
}
docker_in "$1"

[root@centos7 ~]#chmod +x docker-in.sh

[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND       CREATED          STATUS          PORTS     NAMES
04bd89ff7af4   centos    "/bin/bash"   14 minutes ago   Up 14 minutes             quirky_blackburn

[root@centos7 ~]#./docker-in.sh 04bd89ff7af4

[root@04bd89ff7af4 /]# cat /etc/redhat-release 
CentOS Linux release 8.4.2105

[root@04bd89ff7af4 /]# exit
logout

[root@centos7 ~]#docker ps
CONTAINER ID   IMAGE     COMMAND       CREATED          STATUS          PORTS     NAMES
04bd89ff7af4   centos    "/bin/bash"   15 minutes ago   Up 14 minutes             quirky_blackburn

1.4.7 Publishing all container ports

After it starts, a container sits on Docker's default bridge network behind NAT, so hosts outside cannot reach the services inside it directly. docker run -P publishes every port the image declares with EXPOSE onto a random port on the host's interfaces (49153 in the example below). The host port is taken from Docker's ephemeral range, so it can change when the container is stopped and started again.

Two things to keep in mind before using -P or -p on a machine that faces a network: the mapping binds to 0.0.0.0 and :: unless you give an address (docker run -p 127.0.0.1:8080:80 nginx keeps the port on loopback), and the traffic is DNATed in PREROUTING and then flows through the FORWARD chain, so rules in the host's INPUT chain never see it. Custom filtering for published ports belongs in the DOCKER-USER chain, which Docker jumps to first from FORWARD and does not rewrite.

-P, --publish-all=true|false   default false

#Example:
docker run -P docker.io/nginx  #publish every exposed container port on a random host port

docker port shows a container's port mappings

Format

docker port CONTAINER [PRIVATE_PORT[/PROTO]]

Example:

[root@centos7 ~]#docker port nginx-c1
443/tcp -> 0.0.0.0:8443
53/udp -> 0.0.0.0:8053
80/tcp -> 0.0.0.0:8080

[root@centos7 ~]#docker port nginx-c1 53/udp
0.0.0.0:8053

Example:

[root@centos7 ~]#docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
Digest: sha256:366e9f1ddebdb844044c2fafd13b75271a9f620819370f8971220c2b330a9254
Status: Image is up to date for nginx:latest
docker.io/library/nginx:latest

[root@centos7 ~]#docker ps -a
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES

[root@centos7 ~]#ss -ntl
State      Recv-Q Send-Q  Local Address:Port                 Peer Address:Port            
LISTEN     0      128                 *:111                             *:*                
LISTEN     0      128                 *:22                              *:*                
LISTEN     0      100         127.0.0.1:25                              *:*                
LISTEN     0      128              [::]:111                          [::]:*                
LISTEN     0      128              [::]:22                           [::]:*                
LISTEN     0      100             [::1]:25                           [::]:* 

#Started in the foreground, the container occupies this terminal until you quit, and quitting also stops the container
[root@centos7 ~]#docker run -P nginx 
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2021/12/26 13:43:11 [notice] 1#1: using the "epoll" event method
2021/12/26 13:43:11 [notice] 1#1: nginx/1.21.4
2021/12/26 13:43:11 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6) 
2021/12/26 13:43:11 [notice] 1#1: OS: Linux 3.10.0-1160.49.1.el7.x86_64
2021/12/26 13:43:11 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2021/12/26 13:43:11 [notice] 1#1: start worker processes
2021/12/26 13:43:11 [notice] 1#1: start worker process 31

#Run the following in a second terminal
[root@centos7 ~]#ss -ntl
State      Recv-Q Send-Q  Local Address:Port                 Peer Address:Port            
LISTEN     0      128                 *:49153                           *:*                
LISTEN     0      128                 *:111                             *:*                
LISTEN     0      128                 *:22                              *:*                
LISTEN     0      100         127.0.0.1:25                              *:*                
LISTEN     0      128              [::]:49153                        [::]:*                
LISTEN     0      128              [::]:111                          [::]:*                
LISTEN     0      128              [::]:22                           [::]:*                
LISTEN     0      100             [::1]:25                           [::]:*

[root@centos7 ~]#docker ps
CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS          PORTS                                     NAMES
1cb9878ea180   nginx     "/docker-entrypoint.…"   58 seconds ago   Up 57 seconds   0.0.0.0:49153->80/tcp, :::49153->80/tcp   charming_black

[root@centos7 ~]#curl 192.168.1.10:49153
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

#Docker generated these iptables rules automatically
[root@centos7 ~]#iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination       
   24  1248 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination       

Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination       
    3   180 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 2 packets, 136 bytes)
 pkts bytes target     prot opt in     out     source               destination       
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0         
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination       
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0         
    1    60 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:49153 to:172.17.0.2:80
  
#Back in the first terminal, press ctrl+c to stop the container
[root@centos7 ~]#docker run -P nginx

[root@centos7 ~]#docker ps -a
CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS                          PORTS                                     NAMES
7b90d46f7239   nginx     "/docker-entrypoint.…"   3 seconds ago    Up 2 seconds                    0.0.0.0:49157->80/tcp, :::49157->80/tcp   keen_brown
6e669aa92ad7   nginx     "/docker-entrypoint.…"   39 seconds ago   Exited (0) 3 seconds ago                                                            friendly_euclid

Port mapping is implemented with NAT: a DNAT rule in the nat table's DOCKER chain rewrites packets addressed to the published host port so that they go to the container's address, and a matching ACCEPT in the filter table's DOCKER chain lets them through FORWARD.

Example: port mapping and iptables

#iptables rules before any port is published
[root@centos7 ~]#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

[root@centos7 ~]#iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN

[root@centos7 ~]#iptables -S > pre.filter
[root@centos7 ~]#iptables -S -t nat > pre.nat

#Publish a port
[root@centos7 ~]#docker run -d -P --name nginx1 nginx
219fc8cb5f157f69602f9cf4a4e222b5f68aa63d2629dd5844bf274fa2bb5702

[root@centos7 ~]#docker exec -it nginx1 hostname -i
172.17.0.2

[root@centos7 ~]#docker port nginx1
80/tcp -> 0.0.0.0:49158
80/tcp -> :::49158

#iptables rules after the port is published
[root@centos7 ~]#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

[root@centos7 ~]#iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49158 -j DNAT --to-destination 172.17.0.2:80

#Compare the rules before and after the port mapping
[root@centos7 ~]#iptables -S > post.filter
[root@centos7 ~]#iptables -S -t nat > post.nat

[root@centos7 ~]#diff pre.filter post.filter 
13a14
> -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT

[root@centos7 ~]#diff pre.nat post.nat 
8a9
> -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
9a11
> -A DOCKER ! -i docker0 -p tcp -m tcp --dport 49158 -j DNAT --to-destination 172.17.0.2:80
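
The diff above shows exactly two rules per published port: the DNAT in the nat table's DOCKER chain and the ACCEPT in the filter table's DOCKER chain. The following Python script is an added example (it is not part of the original tutorial): it parses the nat-table dump to recover every published port together with the host address it is bound to, and prints the DOCKER-USER rules that restrict one mapping to a single source network, which is where Docker's documentation says custom filtering belongs. The rule text is the page's own output plus one constructed line for a port published with -p 127.0.0.1:8080:80; the external interface name eth0, the allowed network 192.168.1.0/24 and the helper names are assumptions of the example.

```python
"""Recover container port mappings from `iptables -S -t nat` and build the
DOCKER-USER rules that restrict one of them to an allowed source network.
Added example, not part of the original tutorial."""
import re
from dataclasses import dataclass

# The nat-table dump shown above, plus one constructed rule (last line) in the
# form Docker writes when a port is published with `-p 127.0.0.1:8080:80`.
NAT_RULES = """\
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49158 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -d 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.3:80
"""

# A DNAT rule Docker writes for a published port. Without -d the port is bound
# on every host address; -d <ip>/32 appears when a bind address was given.
DNAT_RE = re.compile(
    r"^-A DOCKER ! -i (?P<bridge>\S+)"
    r"(?: -d (?P<host_ip>[\d.]+)/32)?"
    r" -p (?P<proto>tcp|udp) -m (?:tcp|udp) --dport (?P<host_port>\d+)"
    r" -j DNAT --to-destination (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)


@dataclass
class Mapping:
    proto: str
    host_ip: str      # "0.0.0.0" when no bind address was given
    host_port: int
    dst_ip: str       # container address
    dst_port: int
    bridge: str

    @property
    def exposed_everywhere(self) -> bool:
        return self.host_ip == "0.0.0.0"


def parse_mappings(rules: str) -> list:
    """Return one Mapping per DNAT rule in an `iptables -S -t nat` dump."""
    found = []
    for line in rules.splitlines():
        m = DNAT_RE.match(line.strip())
        if m:
            found.append(Mapping(m["proto"], m["host_ip"] or "0.0.0.0",
                                 int(m["host_port"]), m["dst_ip"],
                                 int(m["dst_port"]), m["bridge"]))
    return found


def docker_user_rules(mapping: Mapping, allowed_cidr: str, ext_if: str = "eth0") -> list:
    """iptables commands for the DOCKER-USER chain: let allowed_cidr in and drop
    everyone else. FORWARD jumps to DOCKER-USER after PREROUTING has already
    rewritten the destination, so the match is on the container address and
    port, not on the published host port. ext_if is an assumed interface name."""
    match = f"-i {ext_if} -p {mapping.proto} -d {mapping.dst_ip} --dport {mapping.dst_port}"
    return [
        f"iptables -I DOCKER-USER 1 -s {allowed_cidr} {match} -j RETURN",
        f"iptables -I DOCKER-USER 2 {match} -j DROP",
    ]


if __name__ == "__main__":
    for mp in parse_mappings(NAT_RULES):
        scope = "ALL INTERFACES" if mp.exposed_everywhere else mp.host_ip
        print(f"{mp.proto} {scope}:{mp.host_port} -> {mp.dst_ip}:{mp.dst_port}")
        if mp.exposed_everywhere:
            for rule in docker_user_rules(mp, "192.168.1.0/24"):
                print("   ", rule)
```

On a live host feed it `iptables -S -t nat` instead of the embedded string. The page's own mapping (49158 -> 172.17.0.2:80) comes out as exposed on all interfaces while the constructed loopback one does not; the two DOCKER-USER rules survive daemon restarts and container churn, whereas a rule inserted into the DOCKER chain, as in the next example, can be rewritten by Docker at any time.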

#Reachable both locally and from remote hosts
[root@centos7 ~]#curl 127.0.0.1:49158
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

#Use iptables to block access from another container (CentOS 8) on the same host. The rule below is inserted into the DOCKER chain, which Docker manages and rewrites when the daemon restarts or containers change; for a rule that should persist put it in DOCKER-USER instead (iptables -I DOCKER-USER -s 192.168.1.11 -d 172.17.0.2 -p tcp --dport 80 -j REJECT)
#Before adding the rule, test that access works
[root@centos7 ~]#docker run -it centos
[root@537a628b1e20 /]# curl 192.168.1.10:49158
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

[root@537a628b1e20 /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
68: eth0@if69: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

#Insert the rule at the top of the DOCKER chain so it is evaluated before Docker's own ACCEPT rule for the container
#Note: the daemon manages the DOCKER chain itself and may rewrite it when it restarts; for rules that must persist, Docker provides the DOCKER-USER chain, which FORWARD jumps to first
[root@centos7 ~]#iptables -I DOCKER -s 192.168.1.11 -d 172.17.0.2 -p tcp --dport 80 -j REJECT
[root@centos7 ~]#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -s 192.168.1.11/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

#From a second CentOS 7 host whose IP is 192.168.1.11 (note that the randomly published port is now 49154)
#Test access
[root@centos7 ~]#curl 192.168.1.10:49154
curl: (7) Failed connect to 192.168.1.10:49154; Connection refused

#Remove the restriction
[root@centos7 ~]#iptables -D DOCKER -s 192.168.1.11 -d 172.17.0.2 -p tcp --dport 80 -j REJECT

[root@centos7 ~]#curl 192.168.1.10:49154
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

[root@centos7 ~]#curl -I 192.168.1.10:49154
HTTP/1.1 200 OK
Server: nginx/1.21.4
Date: Sun, 26 Dec 2021 14:15:41 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 02 Nov 2021 14:49:22 GMT
Connection: keep-alive
ETag: "61814ff2-267"
Accept-Ranges: bytes

1.4.8 Publishing specific ports

docker run -p maps a port the container is known to use to a port on the host

Note: several containers cannot publish to the same host port, but the ports used inside the containers may be identical

Also note: a port published with -p is bound on 0.0.0.0 by default, i.e. on every host interface, and the traffic is handled in the FORWARD chain rather than INPUT, so firewall rules written for the host's INPUT chain do not protect it. Bind to 127.0.0.1 (form 3 below) when the service is only needed locally, and use the DOCKER-USER chain for network-level restrictions.

Form 1: container port 80 mapped to a random local port on the host

#docker run -p 80 --name nginx-test-port1 nginx

Form 2: container port 80 mapped to host port 81

#docker run -p 81:80 --name nginx-test-port2 nginx

Form 3: host IP:host port:container port

#docker run -p 192.168.1.10:82:80 --name nginx-test-port3 docker.io/nginx

Form 4: host IP::container port; the host port is chosen by the daemon from the kernel's ephemeral range (/proc/sys/net/ipv4/ip_local_port_range, which starts at 32768 by default)

#docker run -p 192.168.1.10::80 --name nginx-test-port4 docker.io/nginx

Form 5: host IP:host port:container port/protocol; the protocol defaults to tcp

#docker run -p 192.168.1.10:83:80/udp --name nginx-test-port5 docker.io/nginx

Form 6: publish several ports and protocols at once

#docker run -p 8080:80/tcp -p 8443:443/tcp -p 53:53/udp --name nginx-test-port6 nginx

Example:

[root@centos7 ~]#docker run -d -p 8080:80 -p 8443:443 -p 8053:53/udp nginx
c58406e0b567bdd0e069ca1fa26c1142282a01e266148b52368cfc72088ccc5e
[root@centos7 ~]#docker ps
CONTAINER ID   IMAGE     COMMAND                 CREATED          STATUS          PORTS                                                                                                                   NAMES
c58406e0b567   nginx     "/docker-entrypoint.…"   6 seconds ago    Up 6 seconds    0.0.0.0:8053->53/udp, :::8053->53/udp, 0.0.0.0:8080->80/tcp, :::8080->80/tcp, 0.0.0.0:8443->443/tcp, :::8443->443/tcp   quirky_shtern

[root@centos7 ~]#ss -ntpul
Netid  State      Recv-Q Send-Q   Local Address:Port                  Peer Address:Port            
udp    UNCONN     0      0                    *:881                              *:*                   users:(("rpcbind",pid=710,fd=7))
udp    UNCONN     0      0                    *:8053                             *:*                   users:(("docker-proxy",pid=7988,fd=4))
udp    UNCONN     0      0                    *:68                               *:*                   users:(("dhclient",pid=825,fd=6))
udp    UNCONN     0      0                    *:111                              *:*                   users:(("rpcbind",pid=710,fd=6))
udp    UNCONN     0      0            127.0.0.1:323                              *:*                   users:(("chronyd",pid=737,fd=5))
udp    UNCONN     0      0                 [::]:881                           [::]:*                   users:(("rpcbind",pid=710,fd=10))
udp    UNCONN     0      0                 [::]:8053                          [::]:*                   users:(("docker-proxy",pid=7992,fd=4))
udp    UNCONN     0      0                 [::]:111                           [::]:*                   users:(("rpcbind",pid=710,fd=9))
udp    UNCONN     0      0                [::1]:323                           [::]:*                   users:(("chronyd",pid=737,fd=6))
tcp    LISTEN     0      128                  *:49154                            *:*                   users:(("docker-proxy",pid=7334,fd=4))
tcp    LISTEN     0      128                  *:111                              *:*                   users:(("rpcbind",pid=710,fd=8))
tcp    LISTEN     0      128                  *:8080                             *:*                   users:(("docker-proxy",pid=7972,fd=4))
tcp    LISTEN     0      128                  *:22                               *:*                   users:(("sshd",pid=1011,fd=3))
tcp    LISTEN     0      100          127.0.0.1:25                               *:*                   users:(("master",pid=1243,fd=13))
tcp    LISTEN     0      128                  *:8443                             *:*                   users:(("docker-proxy",pid=7956,fd=4))
tcp    LISTEN     0      128               [::]:49154                         [::]:*                   users:(("docker-proxy",pid=7338,fd=4))
tcp    LISTEN     0      128               [::]:111                           [::]:*                   users:(("rpcbind",pid=710,fd=11))
tcp    LISTEN     0      128               [::]:8080                          [::]:*                   users:(("docker-proxy",pid=7976,fd=4))
tcp    LISTEN     0      128               [::]:22                            [::]:*                   users:(("sshd",pid=1011,fd=4))
tcp    LISTEN     0      100              [::1]:25                            [::]:*                   users:(("master",pid=1243,fd=14))
tcp    LISTEN     0      128               [::]:8443                          [::]:*                   users:(("docker-proxy",pid=7960,fd=4))

[root@centos7 ~]#iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination       
   60  3154 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination       

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination       
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination       
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0         
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:80
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.3           172.17.0.3           tcp dpt:443
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.3           172.17.0.3           tcp dpt:80
    0     0 MASQUERADE  udp  --  *      *       172.17.0.3           172.17.0.3           udp dpt:53

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination       
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0         
   10   576 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:49154 to:172.17.0.2:80
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 to:172.17.0.3:443
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:172.17.0.3:80
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:8053 to:172.17.0.3:53

#If the nginx process is killed, nginx exits, the container stops and the published port is released
[root@centos7 ~]#kill <NGINXPID>
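
The following Python script is an added example; it is not code from this page or from Docker. It reads `iptables -S -t nat` output of the kind shown above, lists every port Docker has published with the DNAT rules it installs in the nat DOCKER chain, reports which publications are reachable from other hosts (anything not pinned to a loopback address), and builds the DOCKER-USER rules that restrict one publication to a set of source networks. The embedded sample is constructed from the page's DNAT lines plus one loopback-bound publication; the external interface name eth0 and the allowed network 192.168.1.0/24 are assumptions.

```python
"""Audit the ports Docker has published, from `iptables -S -t nat` output.

Added example, not code from the page or from Docker. It parses the DNAT rules
the daemon installs in the nat DOCKER chain, reports which publications are
reachable from other hosts, and builds DOCKER-USER rules that restrict one
publication to a set of source networks.
"""
import re
from dataclasses import dataclass
from typing import List

# The rule Docker writes for `-p [HostIp:]HostPort:ContainerPort[/proto]`.
# With an explicit host IP the rule carries `-d A.B.C.D/32`; for the default
# 0.0.0.0 that match is absent, which is what makes the port reachable everywhere.
DNAT_RE = re.compile(
    r"^-A DOCKER (?:-d (?P<hostip>[\d.]+)/32 )?! -i (?P<bridge>\S+) "
    r"-p (?P<proto>tcp|udp) -m (?P=proto) --dport (?P<hport>\d+) "
    r"-j DNAT --to-destination (?P<cip>[\d.]+):(?P<cport>\d+)$"
)

# Constructed sample: the DNAT lines from the page's `iptables -vnL -t nat`
# in `-S` form, plus one publication pinned to loopback to show the contrast.
SAMPLE_NAT_RULES = """\
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49154 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.17.0.3:443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.3:80
-A DOCKER ! -i docker0 -p udp -m udp --dport 8053 -j DNAT --to-destination 172.17.0.3:53
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 172.17.0.4:3306
"""


@dataclass(frozen=True)
class Publication:
    host_ip: str          # "0.0.0.0" when the rule carries no -d match
    host_port: int
    proto: str
    container_ip: str
    container_port: int
    bridge: str

    @property
    def reachable_from_network(self) -> bool:
        """False only when the publication is pinned to a loopback address."""
        return not self.host_ip.startswith("127.")


def parse_publications(nat_rules: str) -> List[Publication]:
    """Extract one Publication per Docker DNAT rule; other lines are ignored."""
    pubs = []
    for line in nat_rules.splitlines():
        m = DNAT_RE.match(line.strip())
        if m:
            pubs.append(Publication(
                host_ip=m["hostip"] or "0.0.0.0",
                host_port=int(m["hport"]),
                proto=m["proto"],
                container_ip=m["cip"],
                container_port=int(m["cport"]),
                bridge=m["bridge"],
            ))
    return pubs


def restrict_rules(pub: Publication, allowed_cidrs: List[str], ext_if: str) -> List[str]:
    """iptables arguments, in the order to run them, that let only
    `allowed_cidrs` reach one publication through interface `ext_if`.

    DOCKER-USER is evaluated in FORWARD, after PREROUTING has already rewritten
    the destination, so the match is on the container address and port. Docker
    documents DOCKER-USER as the chain it leaves alone; rules inserted directly
    into DOCKER, as on the page, can be rewritten when the daemon restarts.
    Every command uses -I, so the DROP is issued first and the ACCEPTs land above it.
    """
    base = (f"-p {pub.proto} -i {ext_if} -d {pub.container_ip} "
            f"--dport {pub.container_port}")
    rules = [f"-I DOCKER-USER {base} -j DROP"]
    rules += [f"-I DOCKER-USER {base} -s {cidr} -j ACCEPT" for cidr in allowed_cidrs]
    return rules


if __name__ == "__main__":
    pubs = parse_publications(SAMPLE_NAT_RULES)
    for pub in pubs:
        scope = "NETWORK" if pub.reachable_from_network else "local"
        print(f"{scope:8} {pub.host_ip}:{pub.host_port}/{pub.proto} -> "
              f"{pub.container_ip}:{pub.container_port}")
    for cmd in restrict_rules(pubs[0], ["192.168.1.0/24"], "eth0"):
        print("iptables " + cmd)
```

Run it with `iptables -S -t nat | python3 audit_ports.py` after replacing the sample with `sys.stdin.read()`; the output is the list of published ports with their exposure, followed by the `iptables` commands that restrict the first one. Matching on the container address in DOCKER-USER is deliberate: by the time FORWARD runs, the host port from the original packet is gone.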

Practical case: change the port mapping of an existing container

[root@centos7 ~]#docker run -d -p 80:80 --name nginx01 nginx
bb8a33eee29c69a6894276e147026b9fbe73fbc74bb4f6a35bee5e375effe25d

[root@centos7 ~]#docker port nginx01
80/tcp -> 0.0.0.0:80
80/tcp -> :::80

[root@centos7 ~]#lsof -i:80
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
docker-pr 8189 root    4u  IPv4 126298      0t0  TCP *:http (LISTEN)
docker-pr 8193 root    4u  IPv6 126305      0t0  TCP *:http (LISTEN)

[root@centos7 ~]#ls /var/lib/docker/containers/bb8a33eee29c69a6894276e147026b9fbe73fbc74bb4f6a35bee5e375effe25d/
bb8a33eee29c69a6894276e147026b9fbe73fbc74bb4f6a35bee5e375effe25d-json.log  hosts
checkpoints                                                                mounts
config.v2.json                                                             resolv.conf
hostconfig.json                                                            resolv.conf.hash
hostname

[root@centos7 ~]#systemctl stop docker.socket 

[root@centos7 ~]#vim /var/lib/docker/containers/bb8a33eee29c69a6894276e147026b9fbe73fbc74bb4f6a35bee5e375effe25d/hostconfig.json 
"PortBindings":{"80/tcp":[{"HostIp":"","HostPort":"80"}]} 
#The key 80/tcp under PortBindings is the container's port; HostPort is the host port it is published on (80). Change it to 8000. The daemon must be stopped while this file is edited: the daemon owns it and works from its own in-memory copy while running
"PortBindings":{"80/tcp":[{"HostIp":"","HostPort":"8000"}]} 

[root@centos7 ~]#systemctl start docker
  
#Nothing is printed yet: the container was stopped together with the daemon
[root@centos7 ~]#docker port nginx01

[root@centos7 ~]#docker start nginx01
nginx01

[root@centos7 ~]#docker port nginx01
80/tcp -> 0.0.0.0:8000
80/tcp -> :::8000
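
The hand edit above can be made a checked, repeatable operation. The following Python script is an added example, not code from the page or from Docker: it applies the same PortBindings change as a JSON transformation that touches only the requested container port, validates the new host port, and by default pins the binding to 127.0.0.1, so the edited container is no longer published on every interface. The minimal hostconfig.json embedded in it is constructed from the fragment shown on the page (the real file carries many more keys, which the JSON round trip preserves untouched). As on the page, the daemon must be stopped while the file is rewritten.

```python
"""Rewrite PortBindings in a stopped container's hostconfig.json.

Added example, not code from the page or from Docker. The daemon must be
stopped while the file is written, exactly as in the procedure on the page.
"""
import ipaddress
import json
import os
import tempfile
from typing import Dict

# Constructed minimal hostconfig.json built from the fragment on the page.
SAMPLE_HOSTCONFIG: Dict = {
    "Binds": None,
    "NetworkMode": "default",
    "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]},
    "RestartPolicy": {"Name": "no", "MaximumRetryCount": 0},
}


def rebind(hostconfig: Dict, container_port: str, host_port: int,
           host_ip: str = "127.0.0.1") -> Dict:
    """Return a copy of `hostconfig` with `container_port` (e.g. "80/tcp")
    published on host_ip:host_port. An empty host_ip means all interfaces,
    which is how Docker itself records 0.0.0.0."""
    port, _, proto = container_port.rpartition("/")
    if not port.isdigit() or proto not in ("tcp", "udp", "sctp"):
        raise ValueError(f"container port must look like 80/tcp, got {container_port!r}")
    if not 1 <= host_port <= 65535:
        raise ValueError(f"host port out of range: {host_port}")
    if host_ip:
        ipaddress.ip_address(host_ip)          # raises ValueError on garbage
    bindings = hostconfig.get("PortBindings") or {}
    if container_port not in bindings:
        raise KeyError(f"{container_port} is not published by this container")
    updated = json.loads(json.dumps(hostconfig))   # deep copy via JSON round trip
    updated["PortBindings"][container_port] = [{"HostIp": host_ip, "HostPort": str(host_port)}]
    return updated


def rewrite_file(path: str, container_port: str, host_port: int,
                 host_ip: str = "127.0.0.1") -> Dict:
    """Apply `rebind` to the hostconfig.json at `path`, replacing it atomically."""
    with open(path, encoding="utf-8") as f:
        updated = rebind(json.load(f), container_port, host_port, host_ip)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".hostconfig.")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(updated, f, separators=(",", ":"))   # compact, like the daemon writes it
    os.replace(tmp, path)   # rename is atomic: no half-written file if interrupted
    return updated


if __name__ == "__main__":
    print(json.dumps(rebind(SAMPLE_HOSTCONFIG, "80/tcp", 8000)["PortBindings"]))
```

Usage against a real container: stop the daemon, run `rewrite_file("/var/lib/docker/containers/<id>/hostconfig.json", "80/tcp", 8000)`, start the daemon and then the container; `docker port` should then show `80/tcp -> 127.0.0.1:8000`. Pass `host_ip=""` to keep the all-interfaces binding the page ends up with.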

1.4.9 Viewing container logs

docker logs shows what the container's process wrote to its standard output and standard error

Format

docker logs [OPTIONS] CONTAINER
Options:
      --details        Show extra details provided to logs
  -f, --follow         Follow log output
      --since string   Show logs since timestamp (e.g. 2013-01-02T13:23:37) or relative (e.g. 42m for 42 minutes)
      --tail string    Number of lines to show from the end of the logs (default "all")
  -t, --timestamps     Show timestamps
      --until string   Show logs before a timestamp (e.g. 2013-01-02T13:23:37) or relative (e.g. 42m for 42 minutes)

Example: view container logs

[root@centos7 ~]#docker run alpine /bin/sh -c 'i=1;while true;do echo hello$i;let i++;sleep 2;done'
hello1
hello2
hello3
hello4
hello5
hello6

[root@centos7 ~]#docker run -d alpine /bin/sh -c 'i=1;while true;do echo hello$i;let i++;sleep 2;done'
5f24264ed7238e8a35f451ea4c5b556cbecb37921ba3ce2dffa7f6906404bc92

[root@centos7 ~]#docker logs 5f
hello1
hello2
hello3
hello4
hello5
hello6
hello7
hello8
hello9
hello10

[root@centos7 ~]#docker logs --tail 3 5f 
hello30
hello31
hello32

#Show timestamps
[root@centos7 ~]#docker logs --tail 2 -t 5f
2021-12-26T14:32:31.577377517Z hello46
2021-12-26T14:32:33.579790001Z hello47

#Follow continuously
[root@centos7 ~]#docker logs -f 5f

Example: view the httpd service log

[root@centos7 ~]#docker pull httpd
Using default tag: latest
latest: Pulling from library/httpd
Digest: sha256:0954cc1af252d824860b2c5dc0a10720af2b7a3d3435581ca788dff8480c7b32
Status: Image is up to date for httpd:latest
docker.io/library/httpd:latest

[root@centos7 ~]#docker run -d -p 80:80 --name web1 httpd
c6646b354e609ad9150e0ce06aeba7076ae7ffde8beba61f19ea443e1e24953f

[root@centos7 ~]#docker logs web1
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message
[Sun Dec 26 14:34:24.038303 2021] [mpm_event:notice] [pid 1:tid 140090651909440] AH00489: Apache/2.4.52 (Unix) configured -- resuming normal operations
[Sun Dec 26 14:34:24.038509 2021] [core:notice] [pid 1:tid 140090651909440] AH00094: Command line: 'httpd -D FOREGROUND'

[root@centos7 ~]#docker logs -f web1
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message
[Sun Dec 26 14:34:24.038303 2021] [mpm_event:notice] [pid 1:tid 140090651909440] AH00489: Apache/2.4.52 (Unix) configured -- resuming normal operations
[Sun Dec 26 14:34:24.038509 2021] [core:notice] [pid 1:tid 140090651909440] AH00094: Command line: 'httpd -D FOREGROUND'

Example: view the nginx service log

#View once
[root@centos7 ~]#docker run -d --name nginx-test nginx
d2d29ff3eb752308bb46c45d2751e0306c1be257799c974f78b1a47d47e1baec

[root@centos7 ~]#docker logs nginx-test
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2021/12/26 14:36:37 [notice] 1#1: using the "epoll" event method
2021/12/26 14:36:37 [notice] 1#1: nginx/1.21.4
2021/12/26 14:36:37 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6) 
2021/12/26 14:36:37 [notice] 1#1: OS: Linux 3.10.0-1160.49.1.el7.x86_64
2021/12/26 14:36:37 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2021/12/26 14:36:37 [notice] 1#1: start worker processes
2021/12/26 14:36:37 [notice] 1#1: start worker process 31

#Follow continuously
[root@centos7 ~]#docker logs -f nginx-test

1.4.10 Passing a command to run

A container keeps running only while it has a foreground process. That process can be supplied as an argument at run time, or set when the image is built as the foreground command the container starts with

Ways to provide the container's PID 1 process

  • A service, such as Nginx, Tomcat or Apache, which must keep running in the foreground and not exit
  • A plain command, such as tail -f /etc/hosts, mainly for test environments. Do not use tail -f <service access log> for this: it generates needless disk I/O

Example:

[root@centos7 ~]#docker run -d alpine
e556532ce211d706b2e2389246f9c06b1092d43c70053803ad2827459bb32e8c

[root@centos7 ~]#docker ps -a
CONTAINER ID   IMAGE     COMMAND     CREATED         STATUS                     PORTS     NAMES
e556532ce211   alpine    "/bin/sh"   4 seconds ago   Exited (0) 2 seconds ago             nostalgic_galileo

[root@centos7 ~]#docker run -d alpine tail -f /etc/hosts
df2b8fe58d9ac8c07e6abbc9ceda0c2068c858f6868c2b2a8d2df8cb2be91327

[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND                CREATED         STATUS         PORTS     NAMES
df2b8fe58d9a   alpine    "tail -f /etc/hosts"   3 seconds ago   Up 2 seconds             unruffled_sanderson

#alpine ships no bash, so use sh (the prompt and ps output below are sh's)
[root@centos7 ~]#docker exec -it df sh
/ # ps aux
PID   USER     TIME  COMMAND
    1 root      0:00 tail -f /etc/hosts
    7 root      0:00 sh
   13 root      0:00 ps aux
/ # exit

[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND                CREATED              STATUS              PORTS     NAMES
df2b8fe58d9a   alpine    "tail -f /etc/hosts"   About a minute ago   Up About a minute             unruffled_sanderson

1.4.11 The hosts file inside a container

The container's own ID is automatically added to its /etc/hosts, resolving to the container's IP

[root@centos7 ~]#docker run -it centos /bin/bash

[root@d4083ce737a1 /]# cat /etc/hosts
127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.17.0.3	d4083ce737a1     #the container's ID is added to its own hosts file by default

[root@d4083ce737a1 /]# hostname
d4083ce737a1

[root@d4083ce737a1 /]# ping d4083ce737a1

#Run in another session
[root@centos7 ~]#docker ps 
CONTAINER ID   IMAGE     COMMAND                CREATED              STATUS              PORTS     NAMES
d4083ce737a1   centos    "/bin/bash"            About a minute ago   Up About a minute             elegant_hertz
df2b8fe58d9a   alpine    "tail -f /etc/hosts"   3 minutes ago        Up 3 minutes                  unruffled_sanderson

Example: add entries to the container's hosts file

[root@centos7 ~]#docker run -it --rm --add-host www.test.com:6.6.6.6 --add-host www.demo.org:8.8.8.8 busybox
/ # cat /etc/hosts
127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
6.6.6.6	www.test.com
8.8.8.8	www.demo.org
172.17.0.3	14345dad0c39

1.4.12 Specifying the container's DNS

By default a container uses the host's DNS servers; other DNS addresses can be set in the following ways

  • Configure the DNS addresses on the host
  • Pass --dns=x.x.x.x when starting the container
  • Set them in /etc/docker/daemon.json

Example: by default the container's DNS is taken from the host

--query DNS on ubuntu
[root@ubuntu1804 ~]#systemd-resolve --status|grep -A1 -i "DNS Servers"
         DNS Servers: 180.76.76.76
                      223.6.6.6

--query DNS on centos7
[root@centos7 ~]#cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 114.114.114.114

[root@centos7 ~]#docker run -it --rm centos bash

[root@101cb195242c /]# cat /etc/resolv.conf 
# Generated by NetworkManager
search localdomain
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 114.114.114.114

Example: specify DNS addresses

[root@centos7 ~]#docker run -it --rm --dns 1.1.1.1 --dns 8.8.8.8 centos bash
[root@d5c237aa2c09 /]# cat /etc/resolv.conf 
search localdomain
nameserver 1.1.1.1
nameserver 8.8.8.8
[root@d5c237aa2c09 /]# exit
exit

Example: specify search domains

[root@centos7 ~]#docker run -it --rm --dns 1.1.1.1 --dns 8.8.8.8 --dns-search a.com --dns-search b.com busybox
/ # cat /etc/resolv.conf 
search a.com b.com
nameserver 1.1.1.1
nameserver 8.8.8.8
/ # exit
[root@centos7 ~]#

Example: set DNS servers and search domains in the config file

[root@centos7 ~]#vim /etc/docker/daemon.json 
{
"registry-mirrors":["https://rsbud4vc.mirror.aliyuncs.com","https://dockerhub.azk8s.cn","http://hubmirror.c.163.com","http://qtid6917.mirror.aliyuncs.com","https://rncxm540.mirror.aliyuncs.com","https://e9yneuy4.mirror.aliyuncs.com"],
"dns" : [ "114.114.114.114", "119.29.29.29"],
"dns-search": [ "test.com", "demo.org"]                                                             
}

[root@centos7 ~]#systemctl restart docker
[root@centos7 ~]#docker run -it --rm centos bash
[root@3554534b0b05 /]# cat /etc/resolv.conf 
search test.com demo.org
nameserver 114.114.114.114
nameserver 119.29.29.29
[root@3554534b0b05 /]# exit
exit
[root@centos7 ~]#

#--dns on the command line takes precedence over daemon.json
[root@centos7 ~]#docker run -it --rm --dns 8.8.8.8 --dns 8.8.4.4 centos bash
[root@14360ff21835 /]# cat /etc/resolv.conf 
search test.com demo.org
nameserver 8.8.8.8
nameserver 8.8.4.4
[root@14360ff21835 /]# exit
exit
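
The three sources above (host resolv.conf, daemon.json, run-time flags) combine field by field, and the examples show the precedence. The Python script below is an added example, not Docker's code: it models how the daemon derives a container's resolv.conf from those sources, reproducing the precedence seen in the examples plus one rule the page does not show and that bites in practice: loopback nameservers in the host file (127.0.0.0/8, for instance systemd-resolved's 127.0.0.53) are unreachable from inside a container, so Docker drops them and, if none remain, falls back to 8.8.8.8 and 8.8.4.4. The host resolv.conf embedded here is constructed from the page's CentOS 7 file with a loopback resolver added; treating explicitly given --dns and daemon.json addresses verbatim is an assumption of this model.

```python
"""Model how the Docker daemon derives a container's /etc/resolv.conf.

Added example, not Docker's code. Precedence, per field: --dns/--dns-search
on docker run, then daemon.json, then the host's resolv.conf; loopback
nameservers from the host file are dropped, with a public fallback.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

DEFAULT_NAMESERVERS = ["8.8.8.8", "8.8.4.4"]   # Docker's fallback when no usable server remains

# Constructed host resolv.conf: the page's CentOS 7 file with a loopback
# resolver added in front to exercise the filtering rule.
HOST_RESOLV_CONF = """\
# Generated by NetworkManager
search localdomain
nameserver 127.0.0.53
nameserver 192.168.1.1
nameserver 8.8.8.8
"""


def parse_resolv_conf(text: str) -> Tuple[List[str], List[str]]:
    """Return (nameservers, search domains) from resolv.conf text."""
    nameservers: List[str] = []
    search: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()   # both comment styles
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key == "search":
            search = args            # a later `search` line replaces an earlier one
    return nameservers, search


def is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def container_resolv_conf(host_resolv: str,
                          daemon_json: Optional[Dict] = None,
                          dns: Optional[List[str]] = None,
                          dns_search: Optional[List[str]] = None) -> str:
    """Render the resolv.conf a container would get from the three sources.

    `dns`/`dns_search` stand for --dns/--dns-search on docker run;
    `daemon_json` is the parsed /etc/docker/daemon.json.
    """
    host_ns, host_search = parse_resolv_conf(host_resolv)
    host_ns = [n for n in host_ns if not is_loopback(n)] or list(DEFAULT_NAMESERVERS)
    daemon_json = daemon_json or {}
    nameservers = dns or daemon_json.get("dns") or host_ns
    search = dns_search or daemon_json.get("dns-search") or host_search
    lines = []
    if search:
        lines.append("search " + " ".join(search))
    lines.extend(f"nameserver {n}" for n in nameservers)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(container_resolv_conf(HOST_RESOLV_CONF))
    print(container_resolv_conf(HOST_RESOLV_CONF,
                                {"dns": ["114.114.114.114", "119.29.29.29"],
                                 "dns-search": ["test.com", "demo.org"]},
                                dns=["8.8.8.8", "8.8.4.4"]))
```

The second call in the usage block reproduces the last example above: the search list still comes from daemon.json while the nameservers come from --dns, because each field is resolved independently.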

1.4.13 Copying files between a container and the host

docker cp [OPTIONS] CONTAINER:SRC_PATH DEST_PATH|-
docker cp [OPTIONS] SRC_PATH|- CONTAINER:DEST_PATH
Options:
  -a, --archive       Archive mode (copy all uid/gid information)
  -L, --follow-link   Always follow symbol link in SRC_PATH

Example:

[root@centos7 ~]#docker run -itd centos
399bff9421f2e60012723e829f302fb99d1f4a5230cb1375fdc26b6396c7c7d2
[root@centos7 ~]#docker ps
CONTAINER ID   IMAGE     COMMAND       CREATED         STATUS         PORTS     NAMES
399bff9421f2   centos    "/bin/bash"   8 seconds ago   Up 7 seconds             gallant_galois

#Copy a file from the container to the host
[root@centos7 ~]#docker cp -a 399b:/etc/centos-release .
[root@centos7 ~]#ls
centos-release  post.filter  post.nat  pre.filter  pre.nat
[root@centos7 ~]#cat centos-release 
CentOS Linux release 8.4.2105

#Copy a file from the host into the container
[root@centos7 ~]#docker cp /etc/issue 399b:/root/
[root@centos7 ~]#docker exec 399b cat /root/issue
\S
Kernel \r on an \m

[root@centos7 ~]#

1.4.14 Controlling a container with systemd

[root@centos7 ~]#vim /lib/systemd/system/hello.service
[root@centos7 ~]#cat /lib/systemd/system/hello.service
[Unit]
Description=Hello World
After=docker.service
Requires=docker.service
[Service]
TimeoutStartSec=0
ExecStartPre=-/usr/bin/docker kill busybox-hello
ExecStartPre=-/usr/bin/docker rm busybox-hello
ExecStartPre=/usr/bin/docker pull busybox
ExecStart=/usr/bin/docker run --name busybox-hello busybox /bin/sh -c "while true; do echo Hello World; sleep 1; done"                                                                                    
ExecStop=/usr/bin/docker kill busybox-hello
[Install] 
WantedBy=multi-user.target

[root@centos7 ~]#systemctl daemon-reload
[root@centos7 ~]#systemctl enable --now hello.service
Created symlink from /etc/systemd/system/multi-user.target.wants/hello.service to /usr/lib/systemd/system/hello.service.

[root@centos7 ~]#tail -f /var/log/messages
Dec 26 23:04:18 centos7 NetworkManager[725]: <info>  [1640531058.7293] manager: (veth4ad6fcd): new Veth device (/org/freedesktop/NetworkManager/Devices/174)
Dec 26 23:04:18 centos7 containerd: time="2021-12-26T23:04:18.766554186+08:00" level=info msg="starting signal loop" namespace=moby path=/run/containerd/io.containerd.runtime.v2.task/moby/2a9d4b6381187dce788566a9fb010215eb6d417d8214a9e69b78a9f1bec65d54 pid=13229
Dec 26 23:04:18 centos7 kernel: IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
Dec 26 23:04:18 centos7 kernel: IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Dec 26 23:04:18 centos7 kernel: IPv6: ADDRCONF(NETDEV_CHANGE): veth4ad6fcd: link becomes ready
Dec 26 23:04:18 centos7 kernel: docker0: port 2(veth4ad6fcd) entered blocking state
Dec 26 23:04:18 centos7 kernel: docker0: port 2(veth4ad6fcd) entered forwarding state
Dec 26 23:04:18 centos7 NetworkManager[725]: <info>  [1640531058.8979] device (veth4ad6fcd): carrier: link connected
Dec 26 23:04:18 centos7 docker: Hello World
Dec 26 23:04:19 centos7 docker: Hello World
Dec 26 23:04:20 centos7 docker: Hello World
Dec 26 23:04:21 centos7 docker: Hello World
Dec 26 23:04:22 centos7 docker: Hello World
Dec 26 23:04:23 centos7 docker: Hello World
Dec 26 23:04:24 centos7 docker: Hello World

[root@centos7 ~]#systemctl status hello.service 
● hello.service - Hello World
   Loaded: loaded (/usr/lib/systemd/system/hello.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2021-12-26 23:05:21 CST; 3s ago
  Process: 13361 ExecStop=/usr/bin/docker kill busybox-hello (code=exited, status=0/SUCCESS)
  Process: 13411 ExecStartPre=/usr/bin/docker pull busybox (code=exited, status=0/SUCCESS)
  Process: 13406 ExecStartPre=/usr/bin/docker rm busybox-hello (code=exited, status=0/SUCCESS)
  Process: 13402 ExecStartPre=/usr/bin/docker kill busybox-hello (code=exited, status=1/FAILURE)
 Main PID: 13428 (docker)
    Tasks: 5
   Memory: 16.3M
   CGroup: /system.slice/hello.service
           └─13428 /usr/bin/docker run --name busybox-hello busybox /bin/sh -c while true; do echo ..

Dec 26 23:05:12 centos7 docker[13406]: busybox-hello
Dec 26 23:05:12 centos7 docker[13411]: Using default tag: latest
Dec 26 23:05:21 centos7 docker[13411]: latest: Pulling from library/busybox
Dec 26 23:05:21 centos7 docker[13411]: Digest: sha256:b5cfd4befc119a590ca1a81d6bb0fa1fb19f1fb...8a6a
Dec 26 23:05:21 centos7 docker[13411]: Status: Image is up to date for busybox:latest
Dec 26 23:05:21 centos7 docker[13411]: docker.io/library/busybox:latest
Dec 26 23:05:21 centos7 systemd[1]: Started Hello World.
Dec 26 23:05:22 centos7 docker[13428]: Hello World
Dec 26 23:05:23 centos7 docker[13428]: Hello World
Dec 26 23:05:24 centos7 docker[13428]: Hello World
Hint: Some lines were ellipsized, use -l to show in full.

[root@centos7 ~]#systemctl stop hello.service 

1.4.15 Passing environment variables

Some containers need variables at run time; pass them with -e <VAR=value> or --env-file <file>

Caution: variables passed either way are stored in the container's configuration, are shown in clear text by docker inspect, and are readable from the process environment by anyone with root on the host. Values given with -e additionally land in the shell history and are visible in the process list while docker run executes, so for passwords prefer --env-file with a file readable only by its owner (mode 0600)

Example: create a MySQL container by passing variables

Variable reference: https://hub.docker.com/_/mysql

#A MySQL container requires a root password at startup
[root@centos7 ~]#docker run --name mysql01 mysql:5.7.32
2020-11-16 01:43:13+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL 
Server 5.7.32-1debian10 started.
2020-11-16 01:43:13+00:00 [Note] [Entrypoint]: Switching to dedicated user 
'mysql'
2020-11-16 01:43:13+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL 
Server 5.7.32-1debian10 started.
2020-11-16 01:43:13+00:00 [ERROR] [Entrypoint]: Database is uninitialized and 
password option is not specified
 You need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD 
and MYSQL_RANDOM_ROOT_PASSWORD

[root@centos7 ~]#docker run --name mysql-test1 -v /data/mysql:/var/lib/mysql -e MYSQL_ROOT_PASSWORD=123456 -e MYSQL_DATABASE=wordpress -e MYSQL_USER=wpuser -e MYSQL_PASSWORD=123456 -d -p 3306:3306 mysql:5.7.30
Unable to find image 'mysql:5.7.30' locally
5.7.30: Pulling from library/mysql
8559a31e96f4: Pull complete 
d51ce1c2e575: Pull complete 
c2344adc4858: Pull complete 
fcf3ceff18fc: Pull complete 
16da0c38dc5b: Pull complete 
b905d1797e97: Pull complete 
4b50d1c6b05c: Pull complete 
d85174a87144: Pull complete 
a4ad33703fa8: Pull complete 
f7a5433ce20d: Pull complete 
3dcd2a278b4a: Pull complete 
Digest: sha256:32f9d9a069f7a735e28fd44ea944d53c61f990ba71460c5c183e610854ca4854
Status: Downloaded newer image for mysql:5.7.30
7183bef3e021eeb5b81dcc56451a5800ac927b8e69a28a108c42a40799972c63
[root@centos7 ~]#cat /data/mysql/auto.cnf 
[auto]
server-uuid=37ece332-665f-11ec-b9e2-0242ac110002

[root@centos7 ~]#touch env.list
[root@centos7 ~]#cat env.list 
MYSQL_ROOT_PASSWORD=123456
MYSQL_DATABASE=wordpress
MYSQL_USER=wpuser
MYSQL_PASSWORD=wppass
[root@centos7 ~]#docker run --name mysql-test2 -v /root/mysql/:/etc/mysql/conf.d -v /data/mysql2:/var/lib/mysql --env-file=env.list -d -p 3307:3306 mysql:5.7.30
0ef773746d52ac07a2c5c1b4739a24f988bd38b8ca806d688f0fc13e45fc161d

[root@centos7 ~]#docker exec -it mysql-test2 /bin/bash
root@9f326afc60b5:/# mysql -uroot -p123456
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.30 MySQL Community Server (GPL)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

root@9f326afc60b5:/# mysql -uwpuser -pwppass
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.7.30 MySQL Community Server (GPL)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 
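
The Python script below is an added example, not code from the page or from Docker. It parses an env file by the rules the docker run reference documents for --env-file: blank lines and lines beginning with # are ignored, KEY=VALUE is taken literally (surrounding quotes stay part of the value, so MYSQL_PASSWORD="wppass" would set a password that includes the quote characters), and a bare KEY line copies that variable from the caller's environment if it is set there. It then audits the result, flagging weak secret values such as the 123456 used above and a file mode that lets other users read the secrets. The sample env file is constructed from the page's env.list with extra lines added to exercise each rule; the deny-list of weak values and the list of key names that count as secrets are assumptions.

```python
"""Parse a Docker --env-file the way the CLI does, and audit it before use.

Added example, not code from the page or from Docker. Implements the documented
env-file rules and flags weak secrets and over-permissive file modes.
"""
import re
from typing import Dict, Iterable, List, Optional

VAR_NAME_RE = re.compile(r"^[^\s=]+$")          # a name may contain anything but whitespace or '='
SECRET_HINTS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "KEY")        # assumed key-name hints
WEAK_VALUES = {"", "123456", "password", "root", "admin", "wppass"}   # constructed deny-list

# Constructed env file: the page's env.list with a comment, a blank line,
# a quoted value and a bare KEY line added to exercise every rule.
SAMPLE_ENV_FILE = """\
# MySQL settings for the wordpress database
MYSQL_ROOT_PASSWORD=123456

MYSQL_DATABASE=wordpress
MYSQL_USER=wpuser
MYSQL_PASSWORD="wppass"
TZ
"""


def parse_env_lines(lines: Iterable[str], environ: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return the variables an env file would pass to the container."""
    environ = {} if environ is None else environ
    result: Dict[str, str] = {}
    for number, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n").lstrip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not VAR_NAME_RE.match(key):
            raise ValueError(f"line {number}: variable name {key!r} contains whitespace")
        if sep:
            result[key] = value            # literal: no quote stripping, no expansion
        elif key in environ:
            result[key] = environ[key]     # bare KEY: copied from the caller's environment
    return result


def secret_findings(env: Dict[str, str], file_mode: Optional[int] = None) -> List[str]:
    """Problems worth knowing about before `docker run --env-file`."""
    findings = []
    for key, value in env.items():
        looks_secret = any(hint in key.upper() for hint in SECRET_HINTS)
        if looks_secret and value.strip("\"'") in WEAK_VALUES:
            findings.append(f"{key}: weak or empty secret value")
    if file_mode is not None and file_mode & 0o077:
        findings.append(f"env file mode {oct(file_mode & 0o777)} is readable by group/other; use 0600")
    return findings


if __name__ == "__main__":
    env = parse_env_lines(SAMPLE_ENV_FILE.splitlines(), {"TZ": "Asia/Shanghai"})
    for k, v in env.items():
        print(f"{k}={v}")
    for finding in secret_findings(env, 0o644):
        print("WARNING:", finding)
```

To audit a real file, read it with `open(path)` and pass `os.stat(path).st_mode` as `file_mode`; both `parse_env_lines` and `secret_findings` work on the in-memory result, so the check can run in a pre-deploy hook before any container is started.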

1.4.16 Managing containers with podman

Example: managing containers with podman

#Install httpd
[root@centos8 ~]#podman pull httpd

[root@centos8 ~]#podman run -d --name web -p 80:80 httpd

[root@centos8 ~]#curl 127.0.0.1
<html><body><h1>It works!</h1></body></html>

[root@centos8 ~]#podman exec -it web /bin/sh
# ls    
bin build cgi-bin conf error htdocs icons include logs modules
# cd htdocs        
# cat index.html
<html><body><h1>It works!</h1></body></html>
# echo welcome to test > index.html
# exit

[root@centos8 ~]#curl 127.0.0.1
welcome to test

#Install nginx
[root@centos8 ~]#podman run -dt -p 80:80 --name nginx -v /data:/data -e NGINX_VERSION=1.16 nginx:1.16.0

[root@centos8 ~]#podman stop nginx

#Start the container at boot (podman generate systemd --name nginx can produce an equivalent unit)
[root@centos8 ~]#vim /lib/systemd/system/nginx_podman.service 

[root@centos8 ~]#cat /lib/systemd/system/nginx_podman.service 
[Unit]
Description=Podman Nginx Service
After=network.target
After=network-online.target
[Service]
Type=simple
# -a, --attach: attach the container's STDOUT and STDERR. A trailing comment on the ExecStart= line would be passed to podman as extra arguments, so the comment stays on its own line
ExecStart=/usr/bin/podman start -a nginx
ExecStop=/usr/bin/podman stop -t 10 nginx
Restart=always
[Install]
WantedBy=multi-user.target

[root@centos8 ~]#systemctl daemon-reload 

[root@centos8 ~]#systemctl enable --now nginx_podman.service 

[root@centos8 ~]#curl 127.0.0.1

#View logs with podman
[root@centos8 ~]#podman logs nginx
10.0.0.8 - - [24/Feb/2020:14:19:45 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.61.1" "-"
10.0.0.1 - - [24/Feb/2020:14:25:54 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36" "-"

[root@centos8 ~]#podman port nginx

80/tcp -> 0.0.0.0:80

[root@centos8 ~]#ss -ntl
State       Recv-Q       Send-Q   Local Address:Port   Peer Address:Port
LISTEN       0             128            0.0.0.0:80           0.0.0.0:*
LISTEN       0             128            0.0.0.0:22           0.0.0.0:*
LISTEN       0             128               [::]:22             [::]:*

[root@centos8 ~]#systemctl stop nginx_podman.service 

[root@centos8 ~]#ss -ntl
State       Recv-Q       Send-Q     Local Address:Port     Peer Address:Port
LISTEN       0             128              0.0.0.0:22            0.0.0.0:*
LISTEN       0             128                 [::]:22               [::]:*

#View process information
[root@centos8 ~]#systemctl start nginx_podman.service 
[root@centos8 ~]#pstree -p

#Because the unit has Restart=always, the container is started again after the nginx process is killed
[root@centos8 ~]#kill 2388
[root@centos8 ~]#ps aux|grep nginx
[root@centos8 ~]#podman top nginx
USER   PID   PPID   %CPU   ELAPSED           TTY     TIME   COMMAND
root    1     0      0.000   4m38.979412738s   pts/0   0s     nginx: master process nginx -g daemon off;
nginx   6     1      0.000   4m37.979473913s   pts/0   0s     nginx: worker process
[root@centos8 ~]#podman stats nginx
ID             NAME   CPU %   MEM USAGE / LIMIT   MEM %   NET IO         BLOCK IO   PIDS
9198c59a8a3d   nginx   --      2.474MB / 835.8MB   0.30%   2.25kB / 1.742kB  -- / --    2

1.5 Practical case: deploying an automated operations platform quickly with docker

image-20240216135559675

1.5.1 Project description

Spug is a lightweight, agentless automated operations platform designed for small and medium-sized businesses. It combines host management, batch command execution on hosts, in-browser host terminals, file upload and download, application release and deployment, scheduled tasks, a configuration center, monitoring and alerting.

Features

  • Batch execution: run commands on many hosts at once from the browser
  • Web terminal: log in to hosts through a browser-based terminal
  • File management: upload and download host files online
  • Scheduled tasks: flexible online task scheduling
  • Release and deployment: customizable release and deployment workflows
  • Configuration center: KV, text, json and other configuration formats
  • Monitoring center: site, port, process and custom checks
  • Alert center: SMS, e-mail, DingTalk, WeChat and other notification channels
  • Clean UI: interface built on Ant Design
  • Open source and free: front-end and back-end code fully open

Official site: https://www.spug.dev/

Documentation: https://www.spug.dev/docs/about-spug/

gitee repository: https://gitee.com/openspug/spug

1.5.2 Deployment steps

Official instructions:

https://www.spug.cc/docs/install-docker/

1.5.2.1 Install docker

1.5.2.2 Pull the image

root@ubuntu2204:~# docker pull registry.aliyuncs.com/openspug/spug

1.5.2.3 启动容器

root@ubuntu2204:~# docker run -d --restart=always --name=spug -p 80:80 registry.aliyuncs.com/openspug/spug

# 持久化存储启动命令:
# mydata指的是本地磁盘路径,也可以是其他目录,但需要保证映射的本地磁盘路径已经存在,/data是容器内代码和数据初始化存储的路径
# docker run -d --restart=always --name=spug -p 80:80 -v /mydata/:/data registry.aliyuncs.com/openspug/spug

1.5.2.4 Initialisation

The following command creates an administrator account with username admin and password 123456; you can substitute your own administrator credentials.

root@ubuntu2204:~# docker exec spug init_spug admin 123456
/usr/local/lib/python3.6/site-packages/OpenSSL/_util.py:6: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography will remove support for Python 3.6.
  from cryptography.hazmat.bindings.openssl.binding import Binding
Migrations for 'account':
  data/spug/spug_api/apps/account/migrations/0001_initial.py
    - Create model History
    - Create model Role
    - Create model User
    - Add field created_by to role
Migrations for 'alarm':
  data/spug/spug_api/apps/alarm/migrations/0001_initial.py
    - Create model Alarm
    - Create model Group
    - Create model Contact
Migrations for 'config':
  data/spug/spug_api/apps/config/migrations/0001_initial.py
    - Create model Service
    - Create model Environment
    - Create model ConfigHistory
    - Create model Config
Migrations for 'exec':
  data/spug/spug_api/apps/exec/migrations/0001_initial.py
    - Create model Transfer
    - Create model ExecTemplate
    - Create model ExecHistory
Migrations for 'home':
  data/spug/spug_api/apps/home/migrations/0001_initial.py
    - Create model Navigation
    - Create model Notice
Migrations for 'host':
  data/spug/spug_api/apps/host/migrations/0001_initial.py
    - Create model Host
    - Create model HostExtend
    - Create model Group
Migrations for 'monitor':
  data/spug/spug_api/apps/monitor/migrations/0001_initial.py
    - Create model Detection
Migrations for 'notify':
  data/spug/spug_api/apps/notify/migrations/0001_initial.py
    - Create model Notify
Migrations for 'schedule':
  data/spug/spug_api/apps/schedule/migrations/0001_initial.py
    - Create model History
    - Create model Task
Migrations for 'setting':
  data/spug/spug_api/apps/setting/migrations/0001_initial.py
    - Create model Setting
    - Create model UserSetting
Migrations for 'app':
  data/spug/spug_api/apps/app/migrations/0001_initial.py
    - Create model App
    - Create model Deploy
    - Create model DeployExtend1
    - Create model DeployExtend2
Migrations for 'repository':
  data/spug/spug_api/apps/repository/migrations/0001_initial.py
    - Create model Repository
Migrations for 'deploy':
  data/spug/spug_api/apps/deploy/migrations/0001_initial.py
    - Create model DeployRequest
Operations to perform:
  Apply all migrations: account, alarm, app, config, deploy, exec, home, host, monitor, notify, repository, schedule, setting
Running migrations:
  Applying account.0001_initial... OK
  Applying alarm.0001_initial... OK
  Applying config.0001_initial... OK
  Applying app.0001_initial... OK
  Applying repository.0001_initial... OK
  Applying deploy.0001_initial... OK
  Applying exec.0001_initial... OK
  Applying home.0001_initial... OK
  Applying host.0001_initial... OK
  Applying monitor.0001_initial... OK
  Applying notify.0001_initial... OK
  Applying schedule.0001_initial... OK
  Applying setting.0001_initial... OK
初始化/更新成功
/usr/local/lib/python3.6/site-packages/OpenSSL/_util.py:6: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography will remove support for Python 3.6.
  from cryptography.hazmat.bindings.openssl.binding import Binding
创建用户成功
root@ubuntu2204:~#

1.5.2.5 Access test

Open http://localhost:80 in a browser.

Username: admin  Password: 123456


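The pull, run, initialise and access-test steps above, wrapped into one helper script as an added example (this is not code from the Spug project or from the original page). It uses the image name and the /data mount point shown on the page; the function names spug_check_data_dir, spug_run_cmd, spug_gen_password, spug_wait_http and spug_deploy are this example's own, curl on the host is assumed, and publishing port 80 on the loopback address by default is an added choice, since the page's command publishes it on all interfaces. The script also generates a random admin password instead of the fixed 123456, which the page says should be replaced anyway.

```shell
#!/usr/bin/env bash
# Added example, not the Spug project's own tooling: wraps the pull / run /
# init / access-test steps from the page into one helper.
# Assumptions (not from the page): the helper names below, curl on the host,
# and publishing the port on loopback by default instead of all interfaces.
set -eu

SPUG_IMAGE="registry.aliyuncs.com/openspug/spug"   # image name from the page
SPUG_NAME="spug"

# Validate the host directory that will be bind-mounted on /data.
# A relative name would be interpreted by Docker as a named volume, and a
# missing directory would be created by the daemon as root, so both are refused.
spug_check_data_dir() {
    data_dir="$1"
    case "$data_dir" in
        /*) ;;
        *)  echo "data dir must be an absolute path: $data_dir" >&2; return 1 ;;
    esac
    if [ ! -d "$data_dir" ]; then
        echo "data dir does not exist, create it first: $data_dir" >&2
        return 1
    fi
}

# Print the "docker run" line that spug_deploy executes, for review or dry runs.
# $1 = host data directory, $2 = address to publish port 80 on (default loopback,
# so the web UI is only reachable locally or through a reverse proxy).
spug_run_cmd() {
    spug_check_data_dir "$1" || return 1
    bind_addr="${2:-127.0.0.1}"
    printf 'docker run -d --restart=always --name=%s -p %s:80:80 -v %s:/data %s\n' \
        "$SPUG_NAME" "$bind_addr" "$1" "$SPUG_IMAGE"
}

# 24 alphanumeric characters from /dev/urandom, replacing the fixed 123456.
spug_gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
    echo
}

# Poll the web UI until it answers without an HTTP error, at most $2 attempts,
# 2 s apart; returns 1 when the attempts are used up.
spug_wait_http() {
    url="$1"
    tries="${2:-30}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        if curl -fsS -o /dev/null "$url"; then
            return 0
        fi
        i=$((i + 1))
        sleep 2
    done
    return 1
}

# Full procedure: pull, run with persistent storage, wait, initialise admin.
spug_deploy() {
    data_dir="$1"
    bind_addr="${2:-127.0.0.1}"
    spug_check_data_dir "$data_dir" || return 1
    admin_pw="$(spug_gen_password)"
    docker pull "$SPUG_IMAGE"
    docker run -d --restart=always --name="$SPUG_NAME" \
        -p "$bind_addr:80:80" -v "$data_dir:/data" "$SPUG_IMAGE"
    spug_wait_http "http://$bind_addr:80/" 60 || {
        echo "spug did not come up; check: docker logs $SPUG_NAME" >&2
        return 1
    }
    docker exec "$SPUG_NAME" init_spug admin "$admin_pw"
    echo "admin password (shown once, store it in your secret manager): $admin_pw"
}

# Usage on a host with Docker, e.g.:  spug_deploy /mydata
# Dry run without Docker:             spug_run_cmd /mydata
```

On a host with Docker installed, `spug_deploy /mydata` performs the whole sequence and prints the generated admin password once; `spug_run_cmd /mydata 0.0.0.0` shows the exact run line for the page's all-interfaces variant without executing anything.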