Docker Deployment and Management

1. Installation environment

[root@xxx ~]# uname  -r
3.10.0-1127.19.1.el7.x86_64
[root@xxx ~]# cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core)

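2. Prepare the data directory

By default Docker stores its data under /var/lib/docker. That partition is sometimes too small, so before installing Docker we can create a directory on a larger partition:
mkdir /data/docker

Then create a symbolic link:
ln -s /data/docker /var/lib/docker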

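3. Install Docker with yum

1. Add the yum repository (yum-config-manager is provided by the yum-utils package)
    yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
2. List the available Docker versions
    yum list docker-ce --showduplicates
3. Install Docker
    yum install docker-ce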

4. Install Docker with the convenience script

1. Download and install (the downloaded script is executed as root)
wget -qO- https://get.docker.com | sudo sh

5. Start and stop

systemctl start docker

systemctl stop docker

systemctl restart  docker

6. Enable start at boot

systemctl enable docker

7. Check the Docker version

// Show the version
docker version

// Show system-wide information
docker info

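8. Let a regular user manage Docker

Members of the docker group can talk to the Docker daemon, which runs as root, so membership is effectively root access to the host.

1. Create the docker group
sudo groupadd docker
2. Add the current user to the docker group
sudo usermod -aG docker $USER
3. Refresh group membership in the current shell
newgrp docker
4. Test
docker run hello-world

Output: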
[xxx@wz ~]$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
b8dfde127a29: Pull complete 
Digest: sha256:df5f5184104426b65967e016ff2ac0bfcd44ad7899ca3bbcf8e44e4461491a9e
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

Test whether it works

[root@xxxx ~]# docker run hello world
Unable to find image 'hello:latest' locally
docker: Error response from daemon: pull access denied for hello, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
See 'docker run --help'.
[root@iZwz9d0wcbzzl41m47ou4yZ ~]# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
0e03bdcc26d7: Pull complete 
Digest: sha256:e7c70bb24b462baa86c102610182e3efcb12a04854e8c582838d92970a09f323
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

9. Image management

List images
    docker images

Delete an image
    docker rmi  image_id

Build an image from a Dockerfile
    docker build

Commit a modified container as a new image
    docker commit -m="instruction " -a="my name" container_xxx_id  repo_name:tags

Export a container's filesystem as an archive
    docker export -o ./my_image.tar.gz container_xxx_id  

Import the archive as an image
    docker import my_image.tar.gz


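10. Container management

// Create a container from an image
    docker  run 
    docker run --help    // show the command's options

// Start and stop
    docker start container_xxx_id
    docker stop container_xxx_id
    docker restart container_xxx_id

// List containers
    docker ps -a

// Delete a container
    docker rm container_xxx_id

// Enter the container (open a shell in its filesystem)
    docker exec -it container_xxx_id /bin/bash

// Show where the container's filesystem is actually stored on the host
    docker inspect container_xxx_id|grep MergedDir

// Follow the logs in real time; for a long-running container a lot of old log output is printed first
    docker logs -f container_xxx_id

// Show the last 10 log lines
    docker logs --tail=10 container_xxx_id

// Show the container's processes
    docker top  container_xxx_id

// Show the container's port mappings
    docker port container_xxx_id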

11. Registry

Public registry
    Log in
      docker login

    Push
      docker push my_image:1.0

12. Install docker-compose

1. First method
    sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
    sudo chmod +x /usr/local/bin/docker-compose

2. Second method:
    sudo pip3  install docker-compose

12. Run Docker as a non-root user (rootless mode)

Official documentation: https://docs.docker.com/engine/security/rootless/
a. First run the following commands
########## BEGIN ##########
sudo sh -eux <<EOF
# Set user.max_user_namespaces
cat <<EOT > /etc/sysctl.d/51-rootless.conf
user.max_user_namespaces = 28633
EOT
sysctl --system
EOF
########## END ##########
b. Run the setup script
  dockerd-rootless-setuptool.sh install
c. Output like the following means Docker is set up:
[INFO] systemd not detected, dockerd-rootless.sh needs to be started manually:

PATH=/usr/bin:/sbin:/usr/sbin:$PATH dockerd-rootless.sh 

[INFO] Creating CLI context "rootless"
Successfully created context "rootless"

[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):

export PATH=/usr/bin:$PATH
export DOCKER_HOST=unix:///run/user/1002/docker.sock

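d. Start the daemon
  Following the instructions above, edit ~/.bashrc:
  vim ~/.bashrc
  and add the environment variables (1002 is this user's UID; use the values printed by the setup tool):
  export PATH=/usr/bin:$PATH
  export DOCKER_HOST=unix:///run/user/1002/docker.sock
  Then start the rootless daemon:
  PATH=/usr/bin:/sbin:/usr/sbin:$PATH dockerd-rootless.sh

f. Verify
   Open another terminal and run:
   docker info
   docker pull hello-world
   docker run hello-world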

13. Other problems

1. A container that used to start successfully no longer starts
   Fix:
   systemctl stop docker
   systemctl start docker
   After that the container starts again.

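14. Privileged container example

Privileged mode
    1. Using /usr/sbin/init as the container command lets you use systemctl inside the container.
    2. --privileged=true gives the container root privileges on the host (special privileges): it receives all capabilities and access to host devices, so it is no longer isolated from the host.
    The essential difference between su and su -: the former only switches the identity to root while the shell environment remains the regular user's; the latter switches both the user and the shell environment to root.
    3. -v /sys/fs/cgroup:/sys/fs/cgroup mounts the host's cgroup filesystem into the container.
        
    Command:
        docker run -id --name=centos79 --env=container=docker  -v /data/softwares:/data/softwares -v /sys/fs/cgroup:/sys/fs/cgroup --privileged -p 8010:8000  --restart=no -t pwup/centos79_nginx20_redis5_mysql57_python3  /usr/sbin/init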
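
An added example, not part of the original post: a Python check that reads `docker inspect` JSON and reports the isolation-weakening settings used by the command above (privileged mode, sensitive host mounts, ports published on all interfaces). The sample JSON is constructed to mirror that command; the `audit` function and the `SENSITIVE_PREFIXES` list are assumptions of this example.

```python
import json

# Constructed sample: trimmed `docker inspect` output for a container started
# with the flags shown above (not captured from a real host).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/centos79",
    "HostConfig": {
        "Privileged": True,
        "Binds": ["/data/softwares:/data/softwares",
                  "/sys/fs/cgroup:/sys/fs/cgroup"],
        "CapAdd": None,
        "PortBindings": {"8000/tcp": [{"HostIp": "", "HostPort": "8010"}]},
    },
}])

# Host paths whose exposure weakens isolation (assumed review list; extend it).
SENSITIVE_PREFIXES = ("/sys", "/proc", "/dev", "/etc",
                      "/var/run/docker.sock", "/run/docker.sock")


def is_sensitive(src):
    """True for the host root or anything at or below a sensitive prefix."""
    return src == "/" or any(
        src == p or src.startswith(p + "/") for p in SENSITIVE_PREFIXES)


def audit(inspect_json):
    """Return {container_name: [finding, ...]} for `docker inspect` JSON text."""
    report = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        findings = []
        if hc.get("Privileged"):
            findings.append("privileged: all capabilities and host devices")
        for cap in hc.get("CapAdd") or []:
            findings.append(f"added capability: {cap}")
        for bind in hc.get("Binds") or []:
            parts = bind.split(":")          # src:dst[:mode]
            mode = parts[2] if len(parts) > 2 else "rw"
            if is_sensitive(parts[0]):
                access = "read-only" if "ro" in mode.split(",") else "writable"
                findings.append(f"{access} host mount: {parts[0]}")
        for port, binds in (hc.get("PortBindings") or {}).items():
            for b in binds or []:
                if b.get("HostIp") in ("", "0.0.0.0", "::"):
                    findings.append(
                        f"{port} published on all interfaces as {b.get('HostPort')}")
        report[c.get("Name", "?").lstrip("/")] = findings
    return report
```

On a real host, pass it the output of `docker inspect $(docker ps -q)`.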

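15. Common problems

1. From inside the container, another MySQL host answers ping but the client cannot connect
   Inside the container the port must not be omitted; write it out in full.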
   [root@89204820a2d1 myweb]# mysql -utest -h192.168.133.129  -p
   Enter password: 
    ERROR 2003 (HY000): Can't connect to MySQL server on '192.168.133.129' (111)
    
[root@89204820a2d1 myweb]# mysql -utest -h192.168.133.129 -P 3306 -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.35 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


2. Error when starting a container
   For example: Error response from daemon: driver failed programming external connectivity on endpoint mysql (ba4634012701004ed972a42040c2be32aac39b2d739905a3acc3f847ce681690):  (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 3306 -j DNAT --to-destination 172.17.0.4:3306 ! -i docker0: iptables: No chain/target/match by that name.
 (exit status 1))
  The DOCKER chain is missing from the iptables nat table; the daemon recreates it when it starts.
  Fix:
       Restart the Docker daemon:  systemctl restart docker
