Orphaned volumes
If no host mount location is specified, where is the volume mounted by default?
Example 1
[root@28 ~]# docker run -it --name vm1 -v /data1 ubuntu
We can check with the df and mount commands
[root@28 ~]# docker inspect vm1 | grep vol
"Type": "volume",
"Source": "/var/lib/docker/volumes/2aaeb29bdcb93026012c49f895224b38c51a03b857e5021284bdf9511c97114c/_data",
The volume is actually mounted under this directory on the host
[root@28 ~]# cd /var/lib/docker/volumes/2aaeb29bdcb93026012c49f895224b38c51a03b857e5021284bdf9511c97114c/_data
[root@28 _data]# ls
[root@28 _data]# cp /etc/passwd . # copy a file into this directory
[root@28 _data]# ls
passwd
root@7d268de7b7ac:/# cd /data1/
root@7d268de7b7ac:/data1# ls
passwd # the file is present at the mount point inside the container
Example 2:
[root@28 ~]# docker run -d --name vm2 -v /usr/share/nginx/html nginx
937f47c7f94c8f6bfc632f6cd9edae533038d636f1c1802c92c768d376520677
[root@28 ~]# docker inspect vm2 | grep vol
"Type": "volume",
"Source": "/var/lib/docker/volumes/722f5438c70d18523fbb4bf50b569652ca20356f64f21e763753d6b5c6b8033c/_data",
[root@28 ~]# cd /var/lib/docker/volumes/722f5438c70d18523fbb4bf50b569652ca20356f64f21e763753d6b5c6b8033c/_data
[root@28 _data]# ls # this is the default document root
50x.html index.html
If we stop this container
[root@28 _data]# docker stop vm2
vm2
[root@28 _data]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
937f47c7f94c nginx "nginx -g 'daemon ..." 3 minutes ago Exited (0) 7 seconds ago vm2
7d268de7b7ac ubuntu "/bin/bash" 18 minutes ago Up 18 minutes vm1
[root@28 ~]# cd /var/lib/docker/volumes/722f5438c70d18523fbb4bf50b569652ca20356f64f21e763753d6b5c6b8033c/_data
[root@28 _data]# ls # the static data is still there
50x.html index.html
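The data volumes held by services that have been stopped are called orphaned volumes. They have to be deleted manually: the service must be removed first, and only then can the data volume be removed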
[root@28 ~]# docker rm -f vm2
vm2
[root@28 ~]# docker volume rm 722f5438c70d18523fbb4bf50b569652ca20356f64f21e763753d6b5c6b8033c
722f5438c70d18523fbb4bf50b569652ca20356f64f21e763753d6b5c6b8033c
Or use the -v option
-v, --volumes Remove the volumes associated with the container
[root@28 ~]# docker rm -vf vm1
vm1
[root@28 ~]# docker volume ls
DRIVER VOLUME NAME
local 2f3dafb40d7b6d34761fd1edc66bf7269a16d6b78b6229377aca4cc1ff0f7f77
local cc354578cccef91c06444a01fa4cfa16062d0e02221b9435589ce0ecffcc5373
Delete these orphaned volumes
[root@28 ~]# docker volume rm `docker volume ls -q`
2f3dafb40d7b6d34761fd1edc66bf7269a16d6b78b6229377aca4cc1ff0f7f77
cc354578cccef91c06444a01fa4cfa16062d0e02221b9435589ce0ecffcc5373
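Before deleting volumes in bulk as above, it helps to see which ones are really unreferenced and whether they still hold data. The following is an added example, not part of the original post: it walks the /var/lib/docker/volumes/<name>/_data layout shown above; the function names, the used-volumes list file and the sample tree are assumptions constructed for the demonstration.

```shell
# Added example (not from the original post). Reports volumes that no
# container mounts and how many files each one still holds, so leftover data
# (such as the passwd copy above) is reviewed before `docker volume rm`.

# used_volume_names: names of volumes mounted by any container, running or not.
# Needs a Docker daemon; bind mounts have an empty .Name and are skipped.
used_volume_names() {
    docker ps -aq | xargs -r docker inspect \
        --format '{{range .Mounts}}{{if .Name}}{{println .Name}}{{end}}{{end}}'
}

# orphan_report ROOT USED_FILE
# ROOT uses the ROOT/<name>/_data layout; USED_FILE lists one in-use volume
# name per line. Prints "<name> <file count>" for every unreferenced volume.
orphan_report() {
    for dir in "$1"/*/_data; do
        [ -d "$dir" ] || continue                  # no volumes at all
        name=$(basename "$(dirname "$dir")")
        grep -qxF -- "$name" "$2" && continue      # still mounted: not orphaned
        count=$(find "$dir" -type f | wc -l | tr -d ' ')
        printf '%s %s\n' "$name" "$count"
    done
}

# Constructed sample tree standing in for /var/lib/docker/volumes.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/aaa111/_data" "$demo_root/bbb222/_data" "$demo_root/ccc333/_data"
echo 'constructed sample' > "$demo_root/aaa111/_data/passwd"
echo 'constructed sample' > "$demo_root/bbb222/_data/index.html"
echo 'bbb222' > "$demo_root/used.txt"              # only bbb222 is still mounted

orphan_report "$demo_root" "$demo_root/used.txt"
# On a real host (as root):
#   used_volume_names > /tmp/used.txt
#   orphan_report /var/lib/docker/volumes /tmp/used.txt
```

The daemon can produce the same list of names with docker volume ls -qf dangling=true; the report adds the file count, so a volume that still holds data is noticed before it is removed.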
Data volume container --- static data
1. Create the Dockerfile
[root@foundation28 docker]# pwd
/tmp/docker
[root@foundation28 docker]# cd test/
[root@foundation28 test]# vim Dockerfile
FROM rhel7
ADD html.tar /usr/share
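VOLUME ["/usr/share/nginx/html"]
# VOLUME stores the apache access log data in a data volume that the host can access
# ADD also accepts a local tar archive and adds it to the given directory in the container; the archive is automatically unpacked into a directory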
2. Create the tar archive
[root@foundation28 test]# mkdir nginx
[root@foundation28 test]# cd nginx/
[root@foundation28 nginx]# echo www.westos.org > index.html # create index.html
[root@foundation28 nginx]# ls
index.html
[root@foundation28 nginx]# cd ..
[root@foundation28 test]# tar cf html.tar nginx/
[root@foundation28 test]# tar tf html.tar # -t lists the contents of the archive
nginx/
nginx/html/
nginx/html/index.html
3. Build the image
[root@foundation28 test]# docker build -t rhel7:v4 . # mind the path
5. Create a data volume container named vol
[root@foundation28 test]# docker create --name vol rhel7:v4 bash
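# bash can be omitted here: a data volume container does not modify the data, so no interactive bash session is needed
6. Usage: vol is a static, prepackaged container and should not be modified once it has been created. Its data volume can be used by many other containers; they only need --volumes-from when they are created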
[root@foundation28 test]# docker run -d --name vm1 --volumes-from vol nginx
8034f9b5b64ec63e25fae16c5f16fa5fe0c92a444444cb18dd2eb3330bf9787c
7. Test
[root@foundation28 test]# curl 172.17.0.2
www.westos.org
Private registry
1. Create the user authentication directory and create a user
[root@foundation28 ~]# cd /tmp/docker/
[root@foundation28 docker]# mkdir auth
[root@foundation28 docker]# cd auth/
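[root@foundation28 docker]# docker run --entrypoint htpasswd registry:2.3.1 -Bbn zm westos > auth/htpasswd # > redirects the output; to add more users later use >>, otherwise the earlier entries are overwritten
--entrypoint overrides the image's default ENTRYPOINT. As mentioned before, ENTRYPOINT cannot be overridden; if it really has to be overridden, this option must be used
-B force password encryption (bcrypt)
-b take the password from the command line instead of prompting for it
-n do not update the password file; only display the encrypted user name and password on the screen
-m: use the MD5 algorithm to encrypt the password (the default)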
[root@foundation28 docker]# cat auth/htpasswd
zm:$2y$05$SgzB4hTwhwxgWj2UcNU15eIN63MPTp06C0utgRsSLplvDFrB1bDcy
[root@foundation28 docker]# docker run --entrypoint htpasswd registry:2.3.1 -Bbn redhat westos >> auth/htpasswd
[root@foundation28 docker]# cat auth/htpasswd
zm:$2y$05$SgzB4hTwhwxgWj2UcNU15eIN63MPTp06C0utgRsSLplvDFrB1bDcy
redhat:$2y$05$zfb1S921.PG0DUNCVsPpF.2FoLEsW7IBx/8Lr311zLy/qblPgP1/i
2. Create the private registry
[root@foundation28 docker]# pwd
/tmp/docker
[root@foundation28 docker]# docker run -d --restart=always --name registry -v `pwd`/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -v `pwd`/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -p 443:443 registry:2.3.1
The certs directory holds the key and certificate that were obtained
-e sets an environment variable
dcbc104556debe7c7c35a141568b6763dc39ddf8df58d872af7e59460fe2ab7c
[root@foundation28 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
dcbc104556de registry:2.3.1 "/bin/registry /et..." 8 seconds ago Up 6 seconds 0.0.0.0:443->443/tcp, 5000/tcp registry
3. Test: log in with the credentials
Name resolution for westos.org must be set up beforehand
[root@foundation28 ~]# docker login -u zm -p westos westos.org
Login Succeeded
[root@foundation28 ~]# cd .docker/
[root@foundation28 .docker]# ls
config.json
[root@foundation28 .docker]# cat config.json
{
"auths": {
"westos.org": {
"auth": "em06d2VzdG9z"
}
}
}
4. Test pushing an image
[root@foundation28 .docker]# docker push westos.org/nginx
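The registry steps above leave two credential files behind: auth/htpasswd on the registry side and ~/.docker/config.json on the client. The following added example (not from the original post) checks both: the registry's htpasswd backend only accepts bcrypt entries, and the auth value in config.json is just base64 of user:password. The function names, the cost threshold of 10 and the htpasswd sample lines are assumptions; the config.json content is the one shown in step 3.

```shell
# Added example (not from the original post): audit the registry credential files.

# htpasswd_non_bcrypt FILE: users whose hash is not bcrypt ($2a$/$2b$/$2y$).
# The registry's htpasswd authentication ignores such entries.
htpasswd_non_bcrypt() {
    awk -F: 'NF >= 2 && $2 !~ /^[$]2[aby][$][0-9][0-9][$]/ { print $1 }' "$1"
}

# htpasswd_low_cost FILE MIN: "user cost" for bcrypt entries with cost < MIN.
# htpasswd -B defaults to cost 5 ($2y$05$ on this page); -C sets a higher one.
htpasswd_low_cost() {
    awk -F: -v min="$2" '$2 ~ /^[$]2[aby][$][0-9][0-9][$]/ {
        cost = substr($2, 5, 2) + 0
        if (cost < min) print $1, cost
    }' "$1"
}

# inline_registry_logins FILE: "registry user" for each config.json entry that
# stores "auth" inline. The value is only base64("user:password"), so the file
# must stay private (mode 0600). The password is deliberately not printed.
inline_registry_logins() {
    awk -F'"' '/"[^"]+"[ \t]*:[ \t]*[{]/ { reg = $2 }
               /"auth"[ \t]*:[ \t]*"/     { print reg, $4 }' "$1" |
    while read -r reg b64; do
        user=$(printf '%s' "$b64" | base64 -d | cut -d: -f1)
        printf '%s %s\n' "$reg" "$user"
    done
}

# Constructed sample htpasswd (hash bodies are placeholders, not real hashes).
demo=$(mktemp -d)
cat > "$demo/htpasswd" <<'EOF'
alice:$2y$05$PLACEHOLDERplaceholderPLACEHOLDERplaceholderPLACEHOLDERpl
bob:$apr1$PLACEHOL$placeholderPLACEHOLDERpl
carol:$2y$12$PLACEHOLDERplaceholderPLACEHOLDERplaceholderPLACEHOLDERpl
EOF
# config.json as shown in step 3 of this page.
cat > "$demo/config.json" <<'EOF'
{
"auths": {
"westos.org": {
"auth": "em06d2VzdG9z"
}
}
}
EOF
htpasswd_non_bcrypt "$demo/htpasswd"
htpasswd_low_cost "$demo/htpasswd" 10
inline_registry_logins "$demo/config.json"
```

Where a credential helper is configured (credsStore in config.json), docker login stores no inline auth value and the last check prints nothing.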
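DOCKER-COMPOSE: combining services to implement load balancing
Service: an application container; in practice it can run several instances of the same image. Compose manages things at the project level
haproxy dispatches requests to apache and nginx
First build the apache image (generated from a Dockerfile) and the nginx image
apache rhel7:v1
1. Create the combined .yml file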
[root@foundation28 ~]# docker rm -f `docker ps -aq`
[root@foundation28 ~]# cd /tmp/docker/
[root@foundation28 docker]# make compose/
[root@foundation28 compose]# cat docker-compose.yml
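apache:
  image: rhel7:v1    # if the image does not exist, it has to be built first
  expose:
    - 80
  volumes:
    - ./web:/var/www/html    # this directory must exist; it is mounted on the default document root
nginx:
  image: nginx
  expose:
    - 80    # nginx has its own default page
haproxy:
  image: haproxy
  volumes:
    - ./haproxy:/usr/local/etc/haproxy    # load balancing requires changes to the config file; mounting it directly makes it easy to edit
  links:
    - apache    # combine the services
    - nginx
  ports:
    - "8080:80"    # expose port 80: container port 80 is mapped to port 8080 on the host; it also works without remapping, but then nginx or httpd on the host must be stopped to avoid a port conflict
  expose:
    - 80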
2. Load the haproxy image and create the load-balancer config file haproxy.cfg
[root@foundation28 compose]# docker load -i /var/ftp/pub/haproxy.tar
[root@foundation28 compose]# mkdir web
[root@foundation28 compose]# cp ../web/index.html web/
[root@foundation28 compose]# mkdir haproxy
[root@foundation28 compose]# ls
docker-compose.yml haproxy web
[root@foundation28 compose]# cd haproxy
[root@foundation28 haproxy]# vim haproxy.cfg
[root@foundation28 haproxy]# cat haproxy.cfg
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    stats uri /status
frontend balancer
    bind 0.0.0.0:80
    default_backend web_backends
backend web_backends
    balance roundrobin
    server web1 apache:80 check
    server web2 nginx:80 check
# Note: previously the load-balancer config listed IPs or domain names; here we write the instance names defined in the yml file. This is how the containers communicate with each other
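3. Manage the combined services with docker-compose
Get the binary, make it executable, and create a symlink (/usr/local/bin)
This command must be run from the compose directory
[root@foundation28 compose]# docker-compose up # shows the combined output of all containers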
Starting compose_nginx_1 ... done
Recreating compose_apache_1 ... done
Recreating compose_haproxy_1 ... done
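Press Ctrl+C to stop
[root@foundation28 compose]# docker-compose start # start the services
4. Load-balancing test
Access port 8080 on the host
Refresh with F5 to test
apache goes down
Requests are no longer dispatched to it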
SWARM cluster and load-balancing application
server1: 172.25.28.1
server2: 172.25.28.2
server3: 172.25.28.3
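Service: an application container; in practice it can run several instances of the same image.
I. SWARM cluster
1. Install and start docker on all the virtual machines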
[root@server1 ~]# ls
docker-engine-17.03.1.ce-1.el7.centos.x86_64.rpm
docker-engine-selinux-17.03.1.ce-1.el7.centos.noarch.rpm
[root@server1 ~]# yum install -y *
[root@server1 ~]# systemctl start docker
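2. Create the cluster on server1
[root@server1 ~]# yum install -y bash-* # swarm tooling, included with RHEL; install it yourself
Note: after installing, log out of the shell and log back in; the swarm commands can then be completed with Tab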
[root@server1 ~]# docker swarm init
Swarm initialized: current node (25vifx5bp0u5crspu1pw9lr3a) is now a manager.
To add a worker to this swarm, run the following command:
docker swarm join \
--token SWMTKN-1-459d8ja4d7vjj6k17p6xmaun5t0jq2j4hnpo119dha00pp2dhq-83osmvdkkeq42or27qusyor74 \
172.25.28.1:2377
To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.
3. server2 and server3 join the cluster
[root@server2 ~]# docker swarm join --token SWMTKN-1-459d8ja4d7vjj6k17p6xmaun5t0jq2j4hnpo119dha00pp2dhq-83osmvdkkeq42or27qusyor74 172.25.28.1:2377
4. View the cluster from server1
[root@server1 ~]# docker node ls
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS
25vifx5bp0u5crspu1pw9lr3a * server1 Ready Active Leader
5v95kf02pqwc431pi0vlmgfyl server2 Ready Active
rtwm7lkuoly2gcte2pfy9smzk server3 Ready Active
II. Docker load balancing
1. Set up a public registry on the host for the three virtual machines to use
[root@foundation28 compose]# docker-compose stop
[root@foundation28 ~]# tail -n 1 /etc/hosts
172.25.254.28 westos.org
[root@foundation28 ~]# cd /tmp/docker/
[root@foundation28 docker]# cd certs/
[root@foundation28 certs]# ls
domain.crt domain.key
[root@foundation28 certs]# rm -rf *
[root@foundation28 certs]# cd ..
# Obtain the certificate and key
[root@foundation28 docker]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt
Generating a 4096 bit RSA private key # no htpasswd user authentication here; this is a public registry
....................................................................................................................................................++
......................++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:westos.org
Email Address []:root@westos.org
[root@foundation28 docker]# cd certs/
[root@foundation28 certs]# ls
domain.crt domain.key
[root@foundation28 certs]# pwd
/tmp/docker/certs
# Create and start the registry
[root@foundation28 docker]# docker run -d --restart=always --name registry -v `pwd`/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -p 443:443 registry:2.3.1
87fbd6adbfdd6336cf7ca4102e29f7227d7be6aa7b5d95658519da8a6a61c569
# Copy the certificate; it is needed for the push test
[root@foundation28 registry]# cd /etc/docker/
[root@foundation28 docker]# cd certs.d/ # create it if it does not exist
[root@foundation28 certs.d]# cd westos.org/ # create it if it does not exist
[root@foundation28 westos.org]# cp /tmp/docker/certs/domain.crt ca.crt
2. Push test
[root@foundation28 westos.org]# docker push westos.org/nginx
The push refers to a repository [westos.org/nginx]
08d25fa0442e: Pushed
a8c4aeeaa045: Pushed
cdb3f9544e4c: Pushed
latest: digest: sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f size: 948
3. Copy the certificate to the three virtual machines
[root@foundation28 ~]# cd /etc/docker/
[root@foundation28 docker]# scp -r certs.d/ root@172.25.28.1:/etc/docker/
[root@foundation28 docker]# scp -r certs.d/ root@172.25.28.2:/etc/docker/
[root@foundation28 docker]# scp -r certs.d/ root@172.25.28.3:/etc/docker/
4. Set up name resolution on all three virtual machines
[root@server1 ~]# tail -n1 /etc/hosts
172.25.28.250 westos.org
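6. Create the service on the manager node server1
[root@server1 ~]# docker service create --name nginx --publish 80:80 --replicas 3 westos.org/nginx # --publish 80:80 maps the port, so in the end only port 80 of server1 needs to be accessed; --replicas 3 means three tasks, load balanced, one per node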
o4arvg4a3o9ircn9799v49hh9
[root@server1 ~]# docker service ls # check the pull status
[root@server1 ~]# docker service ps nginx
[root@server1 ~]# docker service scale nginx=6 # load balancing: 2 tasks on each virtual machine
[root@server1 ~]# docker service ps nginx
[root@server1 ~]# docker service scale nginx=3
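7. The page can now be reached through the IP address of any of the virtual machines
When the server1 node is accessed, refreshing the page is load balanced, but every response looks the same; to make this visible, add a default page on each node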
[root@server1 ~]# echo server1 > index.html
[root@server1 ~]# docker cp index.html nginx.3.q5l2hslqvbniotn1f0f934h2e:/usr/share/nginx/html
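Note: with 6 nginx tasks, a default page has to be set for both nginx containers on every node. If you scale straight to 6 tasks without setting a default page for the newly added containers, the pages will be wrong, because the container names are generated randomly and the pages created earlier may no longer correspond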
[root@foundation28 docker]# for i in {1..10}; do curl 172.25.28.1; done
server2
server3
server1
server2
server3
server1
server2
server3
server1
server2
https://github.com/dockersamples/docker-swarm-visualizer
III. Visualization management page
1. Load the visualization monitoring image and push it to the registry
[root@foundation28 pub]# docker load -i visualizer.tar
[root@foundation28 pub]# docker tag dockersamples/visualizer westos.org/visualizer
[root@foundation28 pub]# docker push westos.org/visualizer
2. Create a westos.org/visualizer instance on the manager node
[root@server1 ~]# docker service create \
> --name=viz \
> --publish=8080:8080/tcp \
> --constraint=node.role==manager \
> --mount=type=bind,src=/var/run/docker.sock,dst=/var/run/docker.sock \
> westos.org/visualizer
2i51duq2sbmg66mbc1zxx7vmg
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b656b459fb2b westos.org/nginx@sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f "nginx -g 'daemon ..." 9 minutes ago Up 9 minutes 80/tcp nginx.6.xnuxacav8g1fo5kxcsqc5jau7
2468f243050e westos.org/nginx@sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f "nginx -g 'daemon ..." 9 minutes ago Up 9 minutes 80/tcp nginx.2.w4gsubfi2oitq0vc8wcrj21rw
[root@server1 ~]# docker service ls # refresh; it is rather slow
ID NAME MODE REPLICAS IMAGE
2i51duq2sbmg viz replicated 0/1 westos.org/visualizer:latest
o4arvg4a3o9i nginx replicated 3/3 westos.org/nginx:latest
[root@server1 ~]# docker service ls
ID NAME MODE REPLICAS IMAGE
2i51duq2sbmg viz replicated 1/1 westos.org/visualizer:latest
o4arvg4a3o9i nginx replicated 3/3 westos.org/nginx:latest
3. View the monitoring page
[root@server1 ~]# docker service scale nginx=6
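If server3 goes down, only server1 and server2 are left for scheduling, and the services on server3 are migrated to other hosts; they are not migrated back when server3 comes back up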