1. What is a container?
-
Container technology has become the core technology for packaging and delivering applications.
-
The core of container technology is made up of the following kernel features:
- Cgroups (Control Groups) # resource limits and accounting (CPU, memory, I/O, process count)
- Namespaces # isolation: what a process can see of the host (PIDs, mounts, network, ...)
- SELinux # mandatory access control that confines container processes on the host
-
Because the isolation is implemented directly on the host kernel, starting a container is as fast as starting a process.
-
Virtualization has to run a full operating system, kernel included, for every VM.
-
A container has no operating system kernel of its own: it is a set of ordinary processes on the host kernel, isolated by namespaces and limited by cgroups. That shared kernel is also the security boundary, so a kernel vulnerability reachable from inside a container is a host compromise.
-
The six namespaces: UTS (hostname), mount (filesystem), user, network, PID (processes) and IPC (System V IPC and POSIX message queues)
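To make the namespace list above concrete, here is an added example that is not part of the original notes: a few shell functions that read the namespace handles the kernel exposes under /proc/<pid>/ns/. Every process has one handle per namespace type, and two processes are isolated for a given type exactly when the handles point at different namespace inodes. It assumes a Linux /proc; the function names (ns_ids, ns_of, same_ns, isolated_types) are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): inspect the Linux namespaces a
# process lives in, using only /proc. Assumes a Linux kernel with /proc mounted.

# ns_ids PID: print "type:inode" for each namespace of PID, one per line.
ns_ids() {
    pid=${1:-self}
    [ -d "/proc/$pid/ns" ] || { echo "no /proc/$pid/ns (not Linux, or no such pid)" >&2; return 1; }
    for f in /proc/"$pid"/ns/*; do
        # readlink prints e.g. "net:[4026531992]"; keep only the inode number
        link=$(readlink "$f") || continue
        printf '%s:%s\n' "${f##*/}" "$(printf '%s' "$link" | sed 's/.*\[\(.*\)\]/\1/')"
    done
}

# ns_of PID TYPE: the inode of one namespace type (pid, net, mnt, uts, ipc, user).
ns_of() {
    ns_ids "$1" | sed -n "s/^$2://p"
}

# same_ns PID1 PID2 TYPE: succeed when both processes share that namespace.
same_ns() {
    a=$(ns_of "$1" "$3"); b=$(ns_of "$2" "$3")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# container_ns_types: the six namespace types the notes list, by their kernel names.
container_ns_types() {
    printf '%s\n' uts mnt user net pid ipc
}

# isolated_types PID1 PID2: the namespace types that differ between two processes.
# Between a host shell and a process inside a container this is the isolation
# boundary; for two processes in the same container it prints nothing.
isolated_types() {
    for t in $(container_ns_types); do
        same_ns "$1" "$2" "$t" || echo "$t"
    done
}
```

Usage on a Docker host: `isolated_types 1 "$(docker inspect -f '{{.State.Pid}}' <container>)"` lists which of the six namespaces separate the container's main process from the host's PID 1; a container started with `--network=host` or `--pid=host` will be missing net or pid from that list, which is a quick way to spot containers that have given up part of their isolation.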
What is Docker?
- One piece of software that implements containers. Docker is a complete, lightweight container management system: it provides a set of commands that let users work with containers directly, without having to deal with the underlying kernel mechanisms.
Advantages of Docker
- Compared with traditional virtualization, containers are leaner and more efficient
- A traditional VM needs an operating system installed for every VM
- Containers share the host kernel and can share common libraries and programs (image layers)
Disadvantages of Docker
- Isolation is weaker than with virtualization
- All containers share the Linux kernel, so security is weaker by design: a kernel bug reachable from inside a container is a host compromise, and a root container with extra capabilities or host mounts is close to root on the host
- SELinux is hard to get right (which is why many tutorials, including this one, disable it; in production keep it enforcing)
- Monitoring and troubleshooting containers is a challenge
Environment preparation
1. Disable SELinux [SELINUX=disabled]. This is a lab shortcut: SELinux is one of the three kernel mechanisms listed above and Docker supports it (--selinux-enabled); on a production host leave it enforcing and fix labels instead of switching it off.
[root@registry ~]# vim /etc/sysconfig/selinux
SELINUX=disabled
[root@registry ~]# getenforce # the file change takes effect after a reboot; Disabled is shown once the host has been rebooted with it
Disabled
2. Remove the firewall [yum -y remove firewalld-*]. Also a lab shortcut: Docker programs iptables itself, and firewalld can coexist with it if host rules are placed in the DOCKER-USER chain; removing it only avoids that coordination here.
[root@registry ~]# yum -y remove firewalld-*
3. Docker packages (cloud-drive download, extraction code: nprh); copy the docker directory into the local repository on the registry host
[root@registry ~]# cp -a docker /var/ftp/localrepo/
[root@registry ~]# cd /var/ftp/localrepo/
[root@registry localrepo]# createrepo --update .
4. Prepare the cloud hosts
Host | IP address | Minimum spec |
---|---|---|
registry | 172.31.78.167 | 2 CPU, 2 GB RAM |
node001 | 172.31.78.171 | 2 CPU, 2 GB RAM |
node002 | 172.31.78.172 | 2 CPU, 2 GB RAM |
node003 | 172.31.78.169 | 2 CPU, 2 GB RAM |
5. Prepare the yum repository (do this on every node; node001 is shown)
Point the nodes' yum repository at the one served by the registry host
[root@node001 ~]# vim /etc/yum.repos.d/repo.repo
[local_repo]
name=localrepo
baseurl=ftp://172.31.78.167/localrepo
enabled=1
gpgcheck=0
Note: gpgcheck=0 disables package signature verification. It is tolerable here because the packages come from our own FTP server on the lab network; for any repository you do not control, keep gpgcheck=1 and import the vendor's key.
Verify the packages on the node
[root@node001 ~]# yum makecache
[root@node001 ~]# yum list docker-ce*
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Installed Packages
docker-ce.x86_64 18.06.3.ce-3.el7 @local_repo
[root@node001 ~]# yum -y install docker-ce*
Enable IP forwarding (needed so the host can route traffic between docker0 and eth0)
[root@node001 ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@node001 ~]# sysctl -p
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
kernel.sysrq = 1
net.ipv4.ip_forward = 1
Start the service
[root@node002 ~]# systemctl enable --now docker # enable at boot and start the docker service in one step
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
[root@node002 ~]# ifconfig # verify: the docker0 bridge appears
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:41:d1:0c:99 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.31.78.172 netmask 255.255.240.0 broadcast 172.31.79.255
ether 00:16:3e:12:b3:30 txqueuelen 1000 (Ethernet)
RX packets 75855 bytes 109029284 (103.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8987 bytes 1357333 (1.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@node002 ~]# docker version # check the docker version; no error means client and daemon both work
Client:
Version: 18.06.3-ce
API version: 1.38
Go version: go1.10.3
Git commit: d7080c1
Built: Wed Feb 20 02:26:51 2019
OS/Arch: linux/amd64
Experimental: false
Server:
Engine:
Version: 18.06.3-ce
API version: 1.38 (minimum version 1.12)
Go version: go1.10.3
Git commit: d7080c1
Built: Wed Feb 20 02:28:17 2019
OS/Arch: linux/amd64
Experimental: false
Set the default FORWARD policy to ACCEPT
Docker sets the FORWARD chain policy to DROP when it starts, so that the host does not silently route packets between its interfaces; the rules it adds in the DOCKER chains are what let container traffic through. Forcing the policy back to ACCEPT is a common workaround when containers cannot reach each other or the outside, but it turns the host into an open router for every forwarded packet that no more specific rule catches. Prefer explicit rules in the DOCKER-USER chain where possible. Note also that editing the packaged unit under /lib/systemd/system is lost on the next package update; a drop-in via systemctl edit docker survives.
[root@node001 ~]# vim /lib/systemd/system/docker.service
# add below ExecStart
ExecStartPost=/sbin/iptables -P FORWARD ACCEPT
[root@node001 ~]# systemctl daemon-reload
[root@node001 ~]# systemctl restart docker
[root@node001 ~]# iptables -nL FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Image management & container management
Docker image management commands
Image command | Description |
---|---|
docker images | list local images |
docker search <name> | search the official registry for images |
docker pull <name>:<tag> | download an image |
docker push <name>:<tag> | upload an image |
docker save <name>:<tag> -o <backup>.tar | back up an image to a tar archive |
docker load -i <backup> | import a backed-up image archive |
docker rmi <name>:<tag> | delete an image (every container created from it must be removed first) |
docker history <name>:<tag> | show how the image was built, layer by layer |
docker inspect <name>:<tag> | show the image's full metadata |
docker tag <name>:<tag> <new-name>:<new-tag> | give an existing image an additional name and tag; like a hard link, the new tag points at the same layers and takes no extra space |
Import the centos, nginx, redis and ubuntu images on the node (lftp or scp both work)
[root@registry localrepo]# ls
docker docker-images k8s repodata
[root@node001 ~]# yum -y install lftp
[root@node001 ~]# lftp 172.31.78.167
lftp 172.31.78.167:~> ls
drwxr-xr-x 6 0 0 4096 Oct 19 05:52 localrepo
drwxr-xr-x 2 0 0 4096 Apr 01 2020 pub
lftp 172.31.78.167:/> cd localrepo/
lftp 172.31.78.167:/localrepo> ls
drwxr-xr-x 2 0 0 4096 Oct 14 07:37 docker
drwxr-xr-x 2 0 0 4096 Oct 19 05:53 docker-images
drwxr-xr-x 4 0 0 4096 Oct 19 02:55 k8s
drwxr-xr-x 2 0 0 4096 Oct 19 02:56 repodata
lftp 172.31.78.167:/localrepo> mirror docker-images/ .
Total: 1 directory, 6 files, 0 symlinks
New: 6 files, 0 symlinks
180970096 bytes transferred
To be removed: 6 directories, 8 files, 0 symlinks
[root@node001 ~]# ls
centos.tar.gz info.html info.php nginx.tar.gz redis.tar.gz ubuntu.tar.gz
[root@node001 ~]# docker load -i centos.tar.gz
[root@node001 ~]# docker load -i redis.tar.gz
[root@node001 ~]# docker load -i ubuntu.tar.gz
[root@node001 ~]# docker load -i nginx.tar.gz
# list images
[root@node001 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
redis latest 82629e941a38 21 months ago 95MB
nginx latest 42b4762643dc 21 months ago 109MB
ubuntu latest 20bb25d32758 21 months ago 87.5MB
centos latest 76d6bc25b8a5 2 years ago 200MB
# back up the centos image to a tar archive
[root@node001 ~]# docker save centos:latest -o centos.tar
# delete an image; an image that still has containers cannot be deleted
[root@node001 ~]# docker rmi ubuntu:latest
# show the image's full metadata
[root@node001 ~]# docker inspect centos:latest
[
{
"Id": "sha256:76d6bc25b8a5685072a1a99d9ac7c2e52dc3070081c872034a1889ca2d4bcf8c",
"RepoTags": [
"centos:latest"
],
"RepoDigests": [],
"Parent": "",
"Comment": "",
"Created": "2018-10-09T18:20:34.032588496Z",
"Container": "88a04a5d6cdb307c049d5a4053fbb504c0f956a2430a5f58bced4aea06c59c2e",
"ContainerConfig": {
"Hostname": "88a04a5d6cdb",
"Domainname": "",
......
# show the image's build history
[root@node001 ~]# docker history nginx:latest
IMAGE CREATED CREATED BY SIZE COMMENT
42b4762643dc 21 months ago /bin/sh -c #(nop) CMD ["nginx" "-g" "daemon… 0B
<missing> 21 months ago /bin/sh -c #(nop) STOPSIGNAL SIGTERM 0B
<missing> 21 months ago /bin/sh -c #(nop) EXPOSE 80 0B
<missing> 21 months ago /bin/sh -c ln -sf /dev/stdout /var/log/nginx… 22B
<missing> 21 months ago /bin/sh -c set -x && apt-get update && apt… 53.9MB
<missing> 21 months ago /bin/sh -c #(nop) ENV NJS_VERSION=1.15.8.0.… 0B
<missing> 21 months ago /bin/sh -c #(nop) ENV NGINX_VERSION=1.15.8-… 0B
<missing> 21 months ago /bin/sh -c #(nop) LABEL maintainer=NGINX Do… 0B
<missing> 21 months ago /bin/sh -c #(nop) CMD ["bash"] 0B
<missing> 21 months ago /bin/sh -c #(nop) ADD file:a65337a57a064a79a… 55.3MB
# give the image an additional name and tag
[root@node001 ~]# docker tag ubuntu:latest newubun:newlatest
# ---------------------- the following must be run on a machine with internet access ---------------------------
# search for an image
[root@node001 ~]# docker search busybox
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
busybox Busybox base image. 2014 [OK]
progrium/busybox 70 [OK]
radial/busyboxplus Full-chain, Internet enabled, busybox made f… 33 [OK]
yauritux/busybox-curl Busybox with CURL 10
arm32v7/busybox Busybox base image. 8
armhf/busybox Busybox base image. 6
arm64v8/busybox Busybox base image. 4
odise/busybox-curl 4 [OK]
s390x/busybox Busybox base image. 2
prom/busybox Prometheus Busybox docker base images 2 [OK]
arm32v6/busybox Busybox base image. 2
joeshaw/busybox-nonroot Busybox container with non-root user nobody 2
aarch64/busybox Busybox base image. 2
i386/busybox Busybox base image. 2
p7ppc64/busybox Busybox base image for ppc64. 2
vukomir/busybox busybox and curl 1
spotify/busybox Spotify fork of https://hub.docker.com/_/bus… 1
ppc64le/busybox Busybox base image. 1
sou856099/busybox 0
amd64/busybox Busybox base image. 0
concourse/busyboxplus 0
arm32v5/busybox Busybox base image. 0
emccorp/busybox Busybox 0
e2eteam/busybox 0
ggtools/busybox-ubuntu Busybox ubuntu version with extra goodies 0 [OK]
# download the image
[root@node001 ~]# docker pull busybox
docker.io/library/busybox:latest
[root@node001 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest f0b02e9d092d 5 days ago 1.23MB
Docker container management commands
Container command | Description |
---|---|
docker run -it(d) <image>:<tag> <command> | create, start and enter a container; use -d for a background container |
docker ps | list running containers; -a all containers including stopped ones, -q IDs only |
docker rm <container-id> | remove a container; -f forces removal even if it is running |
docker start|stop|restart <container-id> | start, stop or restart a container |
docker cp <host-path> <container-id>:<path> | copy a file from the host into the container (upload) |
docker cp <container-id>:<path> <host-path> | copy a file from the container to the host (download) |
docker inspect <container-id> | show the container's full metadata |
docker attach <container-id> | attach to the container's main process; exiting it stops the container |
docker attach <container-id> [Ctrl+P, Ctrl+Q] | after attaching, detach without stopping the container |
docker exec -it <container-id> <command> | start a new process inside the container; exiting it does not stop the container |
docker run starts a new container
-i keep stdin open (interactive), -t allocate a terminal, -d run detached in the background
/bin/bash at the end is a command run inside the container. Every image has a default command (the Cmd field shown by docker inspect): busybox, ubuntu and centos default to a shell, so they behave as interactive containers, while nginx and redis default to starting their daemon, so they behave as service containers.
Default commands of service images
- docker.io/redis service container (starts redis-server)
- docker.io/nginx service container (starts nginx)
- to get a shell in a service image instead, append "/bin/bash" to docker run
After docker attach you are talking to the container's main process, which is PID 1 inside the container. Typing exit or Ctrl+C terminates that process, and when PID 1 exits the container stops: the container is nothing more than that process and its children.
Detach with Ctrl+P, Ctrl+Q instead!
Think of PID 1 as the container's init process: everything inside descends from it. attach joins it; docker exec starts a separate process beside it, which is the right tool for troubleshooting and maintenance.
The container is born with PID 1 and dies with it.
# start a container in the background
[root@node001 ~]# docker run -itd nginx:latest
bde8103e05c233a75b4e1df4d7fe4e8dd63a56e3f79eee243b1616400b6fcc49
# start a container in the foreground
[root@node001 ~]# docker run -it --name myos centos:latest /bin/bash
[root@d48af17879e6 /]# ctrl+p, ctrl+q # detach with the key sequence so the container keeps running
# list running containers
[root@node001 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d48af17879e6 centos:latest "/bin/bash" About a minute ago Up About a minute myos
bde8103e05c2 nginx:latest "nginx -g 'daemon of…" 3 minutes ago Up 3 minutes 80/tcp elastic_turing
# IDs only
[root@node001 ~]# docker ps -q
d48af17879e6
bde8103e05c2
# all containers, including stopped ones
[root@node001 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d48af17879e6 centos:latest "/bin/bash" 3 minutes ago Up 3 minutes myos
bde8103e05c2 nginx:latest "nginx -g 'daemon of…" 4 minutes ago Up 4 minutes 80/tcp elastic_turing
# attach to the container's main process
[root@node001 ~]# docker attach d48af17879e6
# leave the container
[root@d48af17879e6 /]# exit # exit terminates PID 1, so the container stops
exit
Every docker run starts a brand-new container
Example: delete everything under / inside a container; a fresh docker run still gives a working container, because the damage is confined to that container's writable layer and the image itself is read-only
[root@d48af17879e6 ~]# rm -rf /*
[root@d48af17879e6 ~]# ls # no commands left; nothing can be run in this container any more
bash: /usr/bin/ls: No such file or directory
[root@node001 ~]# docker run -it docker.io/centos:latest /bin/bash # run the same command again
[root@28750a992e3c /]# ls # commands work, but the container ID differs from the previous one: each docker run creates a new container from the image
bin etc lib media opt root sbin sys usr
dev home lib64 mnt proc run srv tmp var
# show the container's full metadata
[root@node001 ~]# docker inspect bde # the container ID may be abbreviated to any unique prefix
[
{
"Id": "bde8103e05c233a75b4e1df4d7fe4e8dd63a56e3f79eee243b1616400b6fcc49",
"Created": "2020-10-19T06:24:04.026872706Z",
"Path": "nginx",
"Args": [
"-g",
"daemon off;"
],
"State": {
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
......
"IPAddress": "172.17.0.2",
......
[root@node001 ~]# curl http://172.17.0.2
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
# enter the container and look up the document root
[root@node001 ~]# docker exec -it b /bin/bash # changes made through exec survive exit: they live in the container's writable layer until the container is removed, and never go back into the image
root@bde8103e05c2:/# cat -n /etc/nginx/conf.d/default.conf
19 root /usr/share/nginx/html;
# copy the index page out of the container, edit it on the host and copy it back
[root@node001 ~]# docker cp b:/usr/share/nginx/html/index.html ./index.html
[root@node001 ~]# vim index.html
<h1>
hi,this is xiaotiantian's test
goooooood luck!
[root@node001 ~]# docker cp ./index.html b:/usr/share/nginx/html/index.html
[root@node001 ~]# curl http://172.17.0.2
<h1>
hi,this is xiaotiantian's test
goooooood luck!
# remove a container
[root@node001 ~]# docker rm -f b # removes the container whose ID starts with b; plain docker rm refuses to remove a running container, so stop it first or add -f to force
b
[root@node001 ~]# docker ps -a # all containers
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d48af17879e6 centos:latest "/bin/bash" 22 minutes ago Exited (0) 15 minutes ago myos
# remove all containers
[root@node001 ~]# docker rm -f $(docker ps -aq)
d48af17879e6
Installing a service inside a container
[root@node001 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@node001 ~]# docker run -it --name myapache centos:latest
[root@7193163acab5 /]# rm -f /etc/yum.repos.d/*.repo
#--------------------- do not exit this terminal; in a second terminal copy the yum config into the container --------------------
[root@node001 ~]# docker cp /etc/yum.repos.d/CentOS-Base.repo myapache:/etc/yum.repos.d/
#------------------------ back in the container's terminal, continue --------------------------------------
[root@7193163acab5 /]# yum -y install net-tools httpd
Complete!
[root@7193163acab5 /]# echo "hello xiaotian" > /var/www/html/index.html
[root@7193163acab5 /]# export LANG=C
[root@7193163acab5 /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.2 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:ac:11:00:02 txqueuelen 0 (Ethernet)
RX packets 1731 bytes 37378676 (35.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1328 bytes 75001 (73.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@7193163acab5 /]# systemctl start httpd # starting the service this way fails
Failed to get D-Bus connection: Operation not permitted
[root@node001 ~]# pstree -p # on the host PID 1 is systemd; systemctl only sends a request over D-Bus and systemd does the actual starting
systemd(1)─┬─NetworkManager(755)─┬─{NetworkManager}(775)
│ └─{NetworkManager}(782)
├─VGAuthService(665)
[root@7193163acab5 /]# pstree -p # inside the container PID 1 is the bash we started: no systemd, no D-Bus, so systemctl has nothing to talk to
bash(1)---pstree(47)
[root@7193163acab5 /]# rpm -ql httpd | grep service # find the unit file that describes how the service is started
/usr/lib/systemd/system/htcacheclean.service
[root@7193163acab5 /]# cat /usr/lib/systemd/system/httpd.service # read the start command from the unit
[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/httpd
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND # this is the command that starts the service
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
ExecStop=/bin/kill -WINCH ${MAINPID}
[root@7193163acab5 /]# /usr/sbin/httpd -DFOREGROUND # run that command directly; if the warning below appears, either set ServerName or ignore it
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[root@7193163acab5 /]# vi /etc/httpd/conf/httpd.conf
ServerName localhost:80
[root@7193163acab5 /]# /usr/sbin/httpd -DFOREGROUND # once it is running, detach with Ctrl+P, Ctrl+Q
[root@node001 ~]# curl http://172.17.0.2
hello xiaotian
Packaging an image
Custom images:
docker commit:
- start a container from an image and make changes inside it
- save the result as a new image
Caveat: commit snapshots the container's entire writable layer, including shell history, package caches and any credentials used while working in it, and the result is neither reproducible nor reviewable. Fine for a lab; for images you distribute, build from a dockerfile.
Creating a custom image
[root@node001 ~]# docker run -it centos:latest
[root@6b5708c6e410 /]# yum repolist
[root@6b5708c6e410 /]# rm -f /etc/yum.repos.d/*.repo
# if the VM can reach the internet, the yum source can be added like this
[root@6b5708c6e410 /]# curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.huaweicloud.com/repo/CentOS-Base-7.repo
# this host cannot reach the internet, so the yum source is added with docker cp instead
[root@node001 ~]# docker cp /etc/yum.repos.d/CentOS-Base.repo 6://etc/yum.repos.d # run docker cp in another terminal
[root@6b5708c6e410 /]# yum install -y net-tools vim-enhanced tree bash-completion iproute psmisc && yum clean all # back in the container's terminal, install the packages (yum clean all keeps the package cache out of the image)
[root@6b5708c6e410 /]# exit # leave the container
exit
[root@node001 ~]# docker commit 6 myod:latest # package the container as an image
sha256:631f6b81c82e79a11623b369daae8dae99f0a9f67b90fd2e0e7c85792a8b8c54
Building images with a dockerfile
dockerfile syntax
Instruction | Meaning |
---|---|
FROM | base image |
RUN | command executed while building the image; there can be several |
ADD | copy files into the image; local archives are extracted automatically |
COPY | copy files into the image without extracting |
EXPOSE | declare the port(s) the service listens on (documentation only; publishing is done with -p at run time) |
ENV | set environment variables for the running container |
WORKDIR | set the default working directory (the dockerfile's cd) |
CMD | command run when the container starts; only the last CMD in the file takes effect |
Building an image from a dockerfile
docker build -t <image>:<tag> <directory containing the dockerfile>
Building the apache image
CMD: take the start command from the ExecStart line of the service's unit file (/lib/systemd/system/httpd.service). Only one CMD is effective (the last one if several are written). Use the exec (JSON array) form with one argument per element: "ls -l -a" typed on a terminal becomes CMD ["/bin/ls","-l","-a"] in the dockerfile.
ENV: take the variables from the file named by EnvironmentFile in the unit.
RUN behaves like running a command on a remote host: each RUN starts in a fresh shell, so a cd in one RUN does not carry over to the next instruction. WORKDIR is the dockerfile equivalent of cd and persists for the following instructions and for the running container.
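As an added example (not part of the original notes), the following shell function checks a dockerfile for the pitfalls just described: a "#" after an instruction is not a comment, only the last CMD counts, a cd inside RUN does not persist, ADD silently extracts archives, and nginx's -g directive needs its ";". It needs only sh and awk, so it runs without Docker. The sample dockerfile it carries is constructed for the demonstration (it is the web/dockerfile written with the inline comments used in these notes, plus the nginx CMD); the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original notes): a small checker for common
# dockerfile pitfalls. It encodes dockerfile semantics, not policy:
#  1. a "#" after an instruction is not a comment; it is passed as an argument
#     (FROM img # note  ->  "FROM requires either one or three arguments")
#  2. only the last CMD takes effect; earlier ones are silently ignored
#  3. "RUN cd dir" does not carry over to the next instruction; use WORKDIR
#  4. ADD auto-extracts local archives; for plain files COPY is the predictable choice
#  5. nginx -g "daemon off" must end in ";" or nginx refuses to start
# lint_dockerfile FILE prints one finding per line and returns the number of findings.
lint_dockerfile() {
    awk '
    function finding(msg) { n++; printf "%s:%d: %s\n", FILENAME, NR, msg }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # real comments and blank lines
    {
        instr = toupper($1)
        rest = $0; sub(/^[ \t]*[^ \t]+[ \t]*/, "", rest)
        # 1. inline "#": harmless after RUN (the shell drops it), fatal elsewhere
        if (instr != "RUN" && rest ~ /[ \t]#/)
            finding("inline # after " instr " becomes an argument, not a comment")
        # 2. more than one CMD
        if (instr == "CMD" && ++cmds > 1)
            finding("more than one CMD: only the last one takes effect")
        # 3. cd inside RUN (at the start or after && / ;)
        if (instr == "RUN" && (" " rest) ~ /[ \t;&][ \t]*cd[ \t]/)
            finding("cd inside RUN does not persist to the next instruction; use WORKDIR")
        # 4. ADD of something that is neither an archive nor a URL
        if (instr == "ADD" && (rest " ") !~ /\.(tar|tgz|tar\.gz|tar\.bz2|tar\.xz)[ \t]/ && rest !~ /^https?:\/\//)
            finding("ADD of a non-archive source: use COPY unless auto-extraction is wanted")
        # 5. nginx directive without its terminating semicolon
        if (instr == "CMD" && index(rest, "nginx") && index(rest, "daemon off\"") && !index(rest, "daemon off;\""))
            finding("nginx -g \"daemon off\" lacks the terminating ; (nginx: unexpected end of parameter)")
    }
    END { exit n }' "$1"
}

# Constructed sample (not from the notes): the web/dockerfile written with the
# inline comments the notes used, plus the nginx CMD, to exercise every rule.
sample_dockerfile() {
    cat <<'EOF'
FROM myod:latest # base image
RUN yum -y install httpd php
RUN cd /var/www/html && touch placeholder
ENV LANG=C
ADD index.html /var/www/html/
ADD test.tar.gz /var/www/html
WORKDIR /var/www/html
EXPOSE 80
CMD ["/usr/sbin/httpd","-DFOREGROUND"]
CMD ["/usr/local/nginx/sbin/nginx","-g","daemon off"]
EOF
}
```

Run it as `sample_dockerfile > /tmp/dockerfile; lint_dockerfile /tmp/dockerfile; echo "findings: $?"` and you get five findings: the FROM comment, the cd in RUN, the ADD of a plain file, the second CMD, and the nginx CMD missing its semicolon. The return code doubles as a count, so the function can gate a build in a script.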
[root@node001 ~]# mkdir web ; cd web
[root@node001 web]# vim dockerfile
# comments go on their own line: a # after an instruction is passed to it as an argument, and FROM/EXPOSE/WORKDIR reject the extra argument
# base image myod, tag latest
FROM myod:latest
# command run while building the image
RUN yum -y install httpd php
# environment variable for the running container
ENV LANG=C
# copy into the image and auto-extract; the source must be relative to the build context (the directory given to docker build), never an absolute host path
ADD test.tar.gz /var/www/html
# working directory
WORKDIR /var/www/html
# declared port
EXPOSE 80
# command run when the container starts
CMD ["/usr/sbin/httpd","-DFOREGROUND"]
[root@node001 web]# mkdir {1..10}.test
[root@node001 web]# ls
10.test 1.test 2.test 3.test 4.test 5.test 6.test 7.test 8.test 9.test dockerfile
[root@node001 web]# tar -zcvf test.tar.gz *.test
10.test/
1.test/
2.test/
3.test/
4.test/
5.test/
6.test/
7.test/
8.test/
9.test/
[root@node001 web]# ls
10.test 1.test 2.test 3.test 4.test 5.test 6.test 7.test 8.test 9.test dockerfile test.tar.gz
[root@node001 web]# docker build -t myos:httpd . # build the image
Successfully tagged myos:httpd
Viewing and verifying the image
[root@node001 web]# docker images # list images
REPOSITORY TAG IMAGE ID CREATED SIZE
myos httpd b7b8c5d39b38 49 seconds ago 596MB
myod latest 631f6b81c82e 35 minutes ago 457MB
redis latest 82629e941a38 21 months ago 95MB
nginx latest 42b4762643dc 21 months ago 109MB
newubun newlatest 20bb25d32758 21 months ago 87.5MB
ubuntu latest 20bb25d32758 21 months ago 87.5MB
centos latest 76d6bc25b8a5 2 years ago 200MB
[root@node001 web]# docker rm -f $(docker ps -aq) # remove the containers
6b5708c6e410
7193163acab5
[root@node001 web]# docker run -itd myos:httpd # start a container in the background
c837007e48c46531919bc90c0b648c3d2eb6b97784b1975cc2e243708dbd5bbd
[root@node001 web]# docker inspect c | grep "IPAddress"
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.2",
"IPAddress": "172.17.0.2",
[root@node001 web]# curl -I 172.17.0.2 # check that the service answering is Apache (403 is expected: the document root has no index.html, so CentOS's welcome.conf serves the test page with status 403)
HTTP/1.1 403 Forbidden
Date: Mon, 19 Oct 2020 08:40:27 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8
Building the php image
[root@node001 ~]# yum -y install php-fpm
[root@node001 ~]# mkdir php ; cd php
[root@node001 php]# cp /etc/php-fpm.d/www.conf ./
[root@node001 php]# vim www.conf
listen = 0.0.0.0:9000
;listen.allowed_clients = 127.0.0.1
Note: this makes php-fpm accept FastCGI connections from any address, and php-fpm executes whatever script path the client names, so never publish port 9000. In the nginx + php-fpm section below the php-fpm container joins the nginx container's network namespace, so listen = 127.0.0.1:9000 with listen.allowed_clients left at 127.0.0.1 would be enough and is the safer setting.
[root@node001 php]# cp /root/info.php . # this file is in the cloud-drive package mentioned earlier
[root@node001 php]# vim dockerfile
FROM myod:latest
RUN yum -y install php-fpm
COPY www.conf /etc/php-fpm.d/www.conf
EXPOSE 9000
# php-fpm runs the script at the absolute path nginx sends in SCRIPT_FILENAME, so the document root must exist at the same path here as in the nginx image (it is bind-mounted into both later)
WORKDIR /usr/local/nginx/html
COPY info.php info.php
# --nodaemonize (short form -F) keeps php-fpm in the foreground as PID 1
CMD ["/usr/sbin/php-fpm","--nodaemonize"]
[root@node001 php]# docker build -t myos:php-fpm .
Successfully tagged myos:php-fpm
[root@node001 php]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
myos php-fpm 87d6d2559112 About a minute ago 587MB
myos httpd b7b8c5d39b38 24 minutes ago 596MB
myod latest 631f6b81c82e About an hour ago 457MB
redis latest 82629e941a38 21 months ago 95MB
nginx latest 42b4762643dc 21 months ago 109MB
newubun newlatest 20bb25d32758 21 months ago 87.5MB
ubuntu latest 20bb25d32758 21 months ago 87.5MB
centos latest 76d6bc25b8a5 2 years ago 200MB
Building the nginx image
[root@node001 ~]# mkdir nginx;cd nginx
[root@node001 nginx]# yum -y install gcc make pcre-devel openssl-devel
[root@node001 nginx]# useradd nginx
[root@node001 nginx]# ls # the nginx source tarball, uploaded beforehand
nginx-1.18.0.tar.gz
[root@node001 nginx]# tar -xf nginx-1.18.0.tar.gz
[root@node001 nginx]# cd nginx-1.18.0/
[root@node001 nginx-1.18.0]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module
[root@node001 nginx-1.18.0]# make && make install
[root@node001 nginx-1.18.0]# cd /usr/local/
[root@node001 local]# cp /root/info.* ./nginx/html/
[root@node001 local]# tar -zcf nginx.tar.gz nginx # pack the compiled nginx tree
[root@node001 nginx]# cp /usr/local/nginx.tar.gz .
[root@node001 nginx]# vim dockerfile
FROM myod:latest
RUN yum -y install pcre openssl && useradd nginx
ADD nginx.tar.gz /usr/local
EXPOSE 80
WORKDIR /usr/local/nginx/html
# exec form: the first element is executed directly (no shell) as PID 1. Note that "daemon off" here has no terminating ";", so the image builds but nginx refuses to start; see the error and fix under "Publishing externally"
CMD ["/usr/local/nginx/sbin/nginx","-g","daemon off"]
[root@node001 nginx]# docker build -t myos:nginx .
Successfully tagged myos:nginx
[root@node001 nginx]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
myos nginx af9a004da132 About a minute ago 556MB
myos php-fpm 87d6d2559112 About an hour ago 587MB
myos httpd b7b8c5d39b38 2 hours ago 596MB
myod latest 631f6b81c82e 2 hours ago 457MB
redis latest 82629e941a38 21 months ago 95MB
nginx latest 42b4762643dc 21 months ago 109MB
newubun newlatest 20bb25d32758 21 months ago 87.5MB
ubuntu latest 20bb25d32758 21 months ago 87.5MB
centos latest 76d6bc25b8a5 2 years ago 200MB
Publishing externally
On a cloud host, bind the public IP to this node to reach the published port from the internet. Be aware that a port published with -p is reachable on every interface, and Docker's own rules handle it before most host firewall rules; bind to a specific address (for example -p 127.0.0.1:80:80) when only local access is intended.
docker run -itd -p <host-port>:<container-port> <image>:<tag>
# Apache service
[root@node001 web]# docker run -itd -p 80:80 myos:httpd
80462e6ccdc285c5621f73d861f2b3e11297f47482c9fb0ec507e651a58cd64b
[root@node001 web]# vim /var/www/html/index.html
<h1>
hi,xiaotian
happy!!!
[root@node001 web]# docker cp /var/www/html/index.html 8://var/www/html/index.html
# access from the command line
[root@node001 web]# docker inspect 8 | grep "IPAddress"
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.2",
"IPAddress": "172.17.0.2",
[root@node001 web]# curl -I 172.17.0.2
HTTP/1.1 200 OK
Date: Tue, 20 Oct 2020 02:23:44 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 20 Oct 2020 02:08:33 GMT
ETag: "1a-5b210b5362a40"
Accept-Ranges: bytes
Content-Length: 26
Content-Type: text/html; charset=UTF-8
[root@node001 web]# curl 172.17.0.2
<h1>
hi,xiaotian
happy!!!
# access from a browser
# nginx service: stop the httpd container first, it holds port 80
[root@node001 ~]# docker stop $(docker ps -aq)
80462e6ccdc2
######################################################################################################
# Error!
If you see the following:
[root@node001 ~]# docker run -it myos:nginx
nginx: [emerg] unexpected end of parameter, expecting ";" in command line
nginx parses the argument of -g as a configuration directive, and every directive must end with ";". The CMD in the dockerfile passes "daemon off" without the semicolon, so nginx aborts before it ever reads nginx.conf. Appending daemon off to nginx.conf does not fix this: the -g argument is still rejected first, and if both were accepted nginx would report the "daemon" directive as duplicate. The fix is the semicolon in the CMD (or, equivalently, "daemon off;" in nginx.conf with the -g pair removed from the CMD):
- Steps:
[root@node001 nginx]# vim dockerfile
FROM myod:latest
RUN yum -y install pcre openssl && useradd nginx
# unpack the packaged nginx tree into the image
ADD nginx.tar.gz /usr/local
EXPOSE 80
WORKDIR /usr/local/nginx/html
# note the ";" inside the last argument
CMD ["/usr/local/nginx/sbin/nginx","-g","daemon off;"]
[root@node001 nginx]# docker ps -a # before removing an image, make sure no container created from it is still running
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
27ac0a011c0a myos:nginx "/usr/local/nginx/sb…" 9 minutes ago Exited (1) 9 minutes ago serene_tereshkova
c837007e48c4 myos:httpd "/usr/sbin/httpd -DF…" 22 hours ago Up 4 hours 80/tcp competent_heisenberg
[root@node001 nginx]# docker rm -f 2 # remove the failed container created from this image
2
[root@node001 nginx]# docker rmi myos:nginx # remove the image (optional: rebuilding with the same tag just moves the tag and leaves the old image dangling)
Untagged: myos:nginx
Deleted: sha256:af9a004da13205dc9baf4cf67648cd255ec5ee6c47fa602663e0c79c7b06f715
Deleted: sha256:3300c38105d26c9dfdc3d3b1aea3758fffa4f1dee08c5817abb6275d7f8f43f9
Deleted: sha256:ad28e4a88d3bd5f9bdb3b919c315b1586b79d8c35f93dbd21eae6a386c2def32
Deleted: sha256:896b695a71f823bc570e0c4b31650a15120277e18f152dce8b504cde04d02f18
Deleted: sha256:8db758fd1e858f5c62604b18c68cefd1b6762b4a2aa9a1ca97432224923967d0
Deleted: sha256:9b54c742dc484212cb9a3fc76a3894d0115c99f1e0163a05aaebcbc1ae833b69
Deleted: sha256:c6b19af4e4b9b3cd3611ac77ed66c5dbaa0c924f22eeb75dc1bb340fef7b747b
[root@node001 nginx]# docker build -t myos:nginx . # build the image again
###########################################################################################################
[root@registry ~]# docker run -itd -p 80:80 myos:nginx # start a container from the custom nginx image in the background
baefad2e23e32d2309f7ea58f411233a1014adfc41990e5d3d60e86b4a2e2845
[root@registry ~]# docker inspect b | grep "IPAddress"
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.2",
"IPAddress": "172.17.0.2",
# command-line access
[root@registry ~]# curl -I 172.17.0.2
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 20 Oct 2020 06:52:43 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Mon, 19 Oct 2020 09:24:22 GMT
Connection: keep-alive
ETag: "5f8d5b46-264"
Accept-Ranges: bytes
# browser access
Communication between containers (shared network namespace)
Lab steps
[root@node001 ~]# mkdir -p /var/{webroot,webconf}
[root@node001 ~]# cp info.php info.html /var/webroot
[root@node001 ~]# cp /usr/local/nginx/conf/nginx.conf /var/webconf/
[root@node001 ~]# vim /var/webconf/nginx.conf # enable PHP: hand .php requests to php-fpm on 127.0.0.1:9000
location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
include fastcgi.conf;
}
# start the front-end nginx container, mounting the shared document root and the config file
[root@node001 ~]# docker run -itd --name nginx -p 80:80 -v /var/webconf/nginx.conf:/usr/local/nginx/conf/nginx.conf -v /var/webroot:/usr/local/nginx/html myos:nginx # -v bind-mounts a host file or directory into the container; bind mounts are read-write unless suffixed with :ro, so a compromised container can modify the host copy
8a631b473458659bd54ed9b4b51ada5520272e991ac740fe369b5b32f02bcd58
# start the back-end php-fpm container inside the nginx container's network namespace, with the same document root at the same path
[root@node001 ~]# docker run -itd --network=container:nginx -v /var/webroot:/usr/local/nginx/html myos:php-fpm # --network=container:nginx joins nginx's network namespace: the two share one IP and one loopback, which is why fastcgi_pass 127.0.0.1:9000 reaches php-fpm; the document root must be at the same path because nginx sends php-fpm an absolute SCRIPT_FILENAME
5a219b36965f2c3cfa7b208b424e8c04bf7ab15e5743bbad84a48ab4e3ea5e53
[root@node001 ~]# docker inspect 8 | grep -aiE "ipadd" | tail -1
"IPAddress": "172.17.0.2",
[root@node001 ~]# curl http://172.17.0.2/info.html
<html>
<marquee behavior="alternate">
<font size="12px" color=#00ff00>Hello World</font>
</marquee>
</html>
[root@node001 ~]# curl http://172.17.0.2/info.php
<pre>
Array
(
[REMOTE_ADDR] => 172.17.0.2
[REQUEST_METHOD] => GET
[HTTP_USER_AGENT] => curl/7.29.0
[REQUEST_URI] => /info.php
)
php_host: f705f89b45f9
1229
Docker private registry
Custom private registry
Steps:
Install the registry (server side)
yum install docker-distribution
Start the registry and enable it at boot
systemctl start docker-distribution
systemctl enable docker-distribution
Registry configuration file and data directory
/etc/docker-distribution/registry/config.yml
/var/lib/registry
Client configuration:
- edit the configuration file /etc/sysconfig/docker
- allow access to the registry without encryption (plain HTTP; as set up here the registry also has no authentication, so anyone on the network can push or pull, which is only acceptable on an isolated lab network)
ADD_REGISTRY='--add-registry <registry-IP>:5000' - default registry address (a Red Hat docker option; docker-ce ignores it, see the client configuration below)
INSECURE_REGISTRY='--insecure-registry <registry-IP>:5000'
Restart docker
systemctl restart docker
Tag the image:
- the tag must carry the registry host's IP address or hostname
- docker tag <image>:<tag> <registry-IP>:5000/<image>:latest
Push the image:
- the tag being pushed contains the address and port
- docker push <registry-IP>:5000/<image>:latest
Remote client (docker2)
- edit /etc/sysconfig/docker
- ADD_REGISTRY='--add-registry <registry-IP>:5000'
- INSECURE_REGISTRY='--insecure-registry <registry-IP>:5000'
Restart docker
- restart the docker service
- systemctl restart docker
Run an image from the registry
- docker run -it <registry-IP>:5000/myos:latest
List the image names in the private registry
- curl http://<registry-IP>:5000/v2/_catalog
List the tags of one image
- curl http://<registry-IP>:5000/v2/<image>/tags/list
Registry data directory
- /var/lib/registry
Environment preparation
Host | IP address | Spec |
---|---|---|
registry | 172.31.78.167 | 2 CPU, 2 GB (has internet access) |
node001 | 172.31.78.171 | 2 CPU, 2 GB |
node002 | 172.31.78.172 | 2 CPU, 2 GB |
[root@registry ~]# yum -y install docker-distribution
[root@registry ~]# systemctl enable --now docker-distribution.service
Created symlink from /etc/systemd/system/multi-user.target.wants/docker-distribution.service to /usr/lib/systemd/system/docker-distribution.service.
[root@registry ~]# ss -nutlp | grep 5000
tcp LISTEN 0 128 [::]:5000 [::]:* users:(("registry",pid=32696,fd=3))
[root@registry ~]# curl http://172.31.78.167:5000/v2/_catalog
{"repositories":[]}
Docker client configuration
Every node needs this; here node001 and node002
native.cgroupdriver the cgroup driver; docker defaults to cgroupfs
registry-mirrors default download mirror; a domestic mirror is faster
insecure-registries private registries that may be used over plain HTTP (the key setting)
1. Stop all containers
[root@node001 ~]# docker stop $(docker ps -aq)
2. Configure /etc/sysconfig/docker
--------------------------------------------------------------------------------
ps: if /etc/sysconfig/docker opens as a new, empty file, it is because the docker-ce unit in /lib/systemd/system/docker.service does not load it (that file belongs to Red Hat's docker package). To make the unit read it:
[root@node001 ~]# vim /lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network.target docker.socket
Requires=docker.socket
[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/docker
ExecStart=/usr/bin/dockerd $OPTIONS
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
MountFlags=slave
[Install]
WantedBy=multi-user.target
[root@node001 ~]# vim /etc/sysconfig/docker
# /etc/sysconfig/docker
# Modify these options if you want to change the way the docker daemon runs
OPTIONS='-H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock'
DOCKER_CERT_PATH=/etc/docker
# If you want to add your own registry to be used for docker search and docker
# pull use the ADD_REGISTRY option to list a set of registries, each prepended
# with --add-registry flag. The first registry added will be the first registry
# searched.
# ADD_REGISTRY='--add-registry registry.access.redhat.com'
# If you want to block registries from being used, uncomment the BLOCK_REGISTRY
# option and give it a set of registries, each prepended with --block-registry
# flag. For example adding docker.io will stop users from downloading images
# from docker.io
# BLOCK_REGISTRY='--block-registry'
# If you have a registry secured with https but do not have proper certs
# distributed, you can tell docker to not look for full authorization by
# adding the registry to the INSECURE_REGISTRY line and uncommenting it.
INSECURE_REGISTRY='--insecure-registry dl.dockerpool.com:5000'
# On an SELinux system, if you remove the --selinux-enabled option, you
# also need to turn on the docker_transition_unconfined boolean.
# setsebool -P docker_transition_unconfined 1
# Location used for temporary files, such as those created by
# docker load and build operations. Default is /var/lib/docker/tmp
# Can be overriden by setting the following environment variable.
# DOCKER_TMPDIR=/var/tmp
# Controls the /etc/cron.daily/docker-logrotate cron job status.
# To disable, uncomment the line below.
# LOGROTATE=false
Warning: the OPTIONS line in this file also makes dockerd listen on tcp://0.0.0.0:4243 with no TLS and no authentication. The Docker API runs as root, and anyone who can reach that port can start a container with the host's / mounted, which is root on the node. Keep only the unix socket unless remote access is really needed, and if it is, use --tlsverify with client certificates (port 2376 by convention) and restrict the port with a firewall.
Reload the configuration and restart docker
[root@node001 ~]# systemctl daemon-reload
[root@node001 ~]# systemctl restart docker
--------------------------------------------------------------------------------
[root@node001 ~]# vim /etc/sysconfig/docker
ADD_REGISTRY='--add-registry 172.31.78.167:5000' # make the registry host the default registry
INSECURE_REGISTRY='--insecure-registry 172.31.78.167:5000'
Note: with the unit above, ExecStart passes only $OPTIONS to dockerd, so these two variables are never used, and docker-ce does not know --add-registry anyway (it is a Red Hat patch). They are kept here as in the original lab; what actually makes the plain-HTTP registry work on docker-ce is the insecure-registries entry in /etc/docker/daemon.json (see the ps note after the push), and images must always be named with the full 172.31.78.167:5000/ prefix.
3. Restart the service
[root@node001 ~]# systemctl restart docker
4. Sync the file to node002
[root@node001 ~]# yum -y install rsync
[root@node002 ~]# yum -y install rsync
[root@node001 ~]# rsync -av /etc/sysconfig/docker 172.31.78.172:/etc/sysconfig/
5. Restart docker on node002
[root@node002 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@node002 ~]# cat /etc/sysconfig/docker | grep 172
ADD_REGISTRY='--add-registry 172.31.78.167:5000'
INSECURE_REGISTRY='--insecure-registry 172.31.78.167:5000'
[root@node002 ~]# systemctl restart docker
6. Push an image to the registry host
tag: docker tag myos:latest 172.31.78.167:5000/myos:latest
push: docker push 172.31.78.167:5000/myos:latest
verify: curl http://172.31.78.167:5000/v2/_catalog
tags: curl http://172.31.78.167:5000/v2/myos/tags/list
[root@node001 ~]# docker tag myos:httpd 172.31.78.167:5000/myos:httpd # give the local myos:httpd a registry-qualified tag
[root@node001 ~]# docker push 172.31.78.167:5000/myos:httpd # upload it to the registry
The push refers to repository [172.31.78.167:5000/myos]
81fd8e9665b8: Pushed
b475f6e98f42: Pushed
6ae11db405e3: Pushed
bcc97fbfc9e1: Pushed
httpd: digest: sha256:87789a4ee1181908fcfce117617746cb987566c56c7d03bacaec4e40a449a13b size: 1160
[root@node001 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
myos nginx d052ae1c1170 2 days ago 570MB
myos php-fpm 87d6d2559112 2 days ago 587MB
172.31.78.167:5000/myos httpd b7b8c5d39b38 2 days ago 596MB
myos httpd b7b8c5d39b38 2 days ago 596MB
myod latest 631f6b81c82e 3 days ago 457MB
redis latest 82629e941a38 21 months ago 95MB
nginx latest 42b4762643dc 21 months ago 109MB
ubuntu latest 20bb25d32758 21 months ago 87.5MB
newubun newlatest 20bb25d32758 21 months ago 87.5MB
centos latest 76d6bc25b8a5 2 years ago 200MB
--------------------------------------------------------------------------------
ps: if the push fails with
Get https://172.31.78.167:5000/v2/: http: server gave HTTP response to HTTPS client
the daemon still insists on HTTPS: the INSECURE_REGISTRY setting in /etc/sysconfig/docker never reached dockerd (the unit only passes $OPTIONS). On docker-ce the setting belongs in /etc/docker/daemon.json, which the daemon reads on every start:
[root@node001 ~]# vim /etc/docker/daemon.json
{
"exec-opts": ["native.cgroupdriver=systemd"],
"registry-mirrors": ["https://hub-mirror.c.163.com"],
"insecure-registries":["172.31.78.167:5000", "registry:5000"]
}
An insecure registry means plain HTTP: no server identity and no integrity protection for the image layers in transit, and this registry has no authentication at all, so anyone on the network can push. Acceptable on an isolated lab network only; for anything else give the registry a TLS certificate (the http.tls section of /etc/docker-distribution/registry/config.yml) and drop it from insecure-registries.
Restart the service
[root@node001 ~]# systemctl restart docker
7. Verify access
[root@node002 ~]# curl http://172.31.78.167:5000/v2/_catalog
{"repositories":["myos"]}
[root@node002 ~]# curl http://172.31.78.167:5000/v2/myos/tags/list
{"name":"myos","tags":["httpd"]}
[root@node002 ~]# docker run -it 172.31.78.167:5000/myos:httpd
Unable to find image '172.31.78.167:5000/myos:httpd' locally
newhttp: Pulling from myos
7dc0dca2b151: Pull complete
053292d6ec55: Pull complete
cff5257333dd: Pull complete
33a6cf4f7e09: Pull complete
9251ff9c7060: Pull complete
Digest: sha256:45d1296836bd9d4f95faf4251a49e491c3dcd96318d4d209042c5b7834672a4f
Status: Downloaded newer image for 172.31.78.167:5000/myos:httpd
[root@abde069eb267 html]# # success! detach with Ctrl+P, Ctrl+Q
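The node configuration built up in these notes switches off three defaults in three different files: the OPTIONS line in /etc/sysconfig/docker exposes the API on tcp://0.0.0.0:4243, daemon.json lists the registry under insecure-registries, and docker.service forces the FORWARD policy to ACCEPT. The following is an added example, not part of the original notes: a small shell audit that reads those files and reports the risky settings, with the lab values beside a hardened variant. It needs only sh and grep, so it runs without Docker; the function names, and the certificate paths in the hardened OPTIONS line, are my own placeholders.

```shell
#!/bin/sh
# Added example (not part of the original notes): audit the three files that
# define how dockerd is exposed on a node. Sample contents are constructed
# from the values used in the notes.
#
# audit_docker_config SYSCONFIG DAEMON_JSON UNIT
#   prints one finding per line and returns the number of findings.
audit_docker_config() {
    sysconfig=$1; daemon_json=$2; unit=$3; n=0
    # 1. dockerd reachable over TCP without client-certificate verification.
    #    The API runs as root and can start a container with the host's /
    #    mounted, so reaching the port is equivalent to root on the host.
    if grep -Eq '^[[:space:]]*OPTIONS=.*-H[ =]tcp://' "$sysconfig" 2>/dev/null \
       && ! grep -Eq '^[[:space:]]*OPTIONS=.*--tlsverify' "$sysconfig" 2>/dev/null; then
        echo "$sysconfig: dockerd listens on tcp:// without --tlsverify (unauthenticated root-equivalent API)"
        n=$((n + 1))
    fi
    # 2. registries reached over plain HTTP: no server identity, no integrity in transit
    if grep -Eq -- '--insecure-registry' "$sysconfig" 2>/dev/null \
       || grep -Eq '"insecure-registries"[[:space:]]*:[[:space:]]*\[[[:space:]]*"' "$daemon_json" 2>/dev/null; then
        echo "$daemon_json/$sysconfig: images are pushed and pulled over plain HTTP (insecure registry)"
        n=$((n + 1))
    fi
    # 3. FORWARD policy forced to ACCEPT at every docker start: the host routes
    #    anything between its interfaces that no DOCKER rule catches
    if grep -Eq '^ExecStartPost=.*iptables .*-P FORWARD ACCEPT' "$unit" 2>/dev/null; then
        echo "$unit: FORWARD policy set to ACCEPT; prefer explicit rules in the DOCKER-USER chain"
        n=$((n + 1))
    fi
    return $n
}

# write_lab_config DIR: the settings as used on the nodes in these notes.
write_lab_config() {
    cat > "$1/docker" <<'EOF'
OPTIONS='-H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock'
ADD_REGISTRY='--add-registry 172.31.78.167:5000'
INSECURE_REGISTRY='--insecure-registry 172.31.78.167:5000'
EOF
    cat > "$1/daemon.json" <<'EOF'
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "insecure-registries": ["172.31.78.167:5000", "registry:5000"]
}
EOF
    cat > "$1/docker.service" <<'EOF'
[Service]
EnvironmentFile=/etc/sysconfig/docker
ExecStart=/usr/bin/dockerd $OPTIONS
ExecStartPost=/sbin/iptables -P FORWARD ACCEPT
EOF
}

# write_hardened_config DIR: the same three files with each finding addressed.
# Remote access, if needed at all, goes over TLS with client certificates on
# 2376 (the certificate paths are placeholders); the registry is served over
# HTTPS so it no longer needs listing; FORWARD keeps Docker's default DROP.
write_hardened_config() {
    cat > "$1/docker" <<'EOF'
OPTIONS='-H unix:///var/run/docker.sock --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376'
EOF
    cat > "$1/daemon.json" <<'EOF'
{
  "exec-opts": ["native.cgroupdriver=systemd"]
}
EOF
    cat > "$1/docker.service" <<'EOF'
[Service]
EnvironmentFile=/etc/sysconfig/docker
ExecStart=/usr/bin/dockerd $OPTIONS
EOF
}
```

On a real node, run `audit_docker_config /etc/sysconfig/docker /etc/docker/daemon.json /lib/systemd/system/docker.service` and check the return code. Against the lab files it reports all three findings; against the hardened set it reports none. The ADD_REGISTRY line is deliberately not a finding: as noted in the client configuration, docker-ce never sees it.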