Components of Docker
Docker is an open-source container engine from Docker, Inc., originally built on top of LXC. Its source code is hosted on GitHub; it is written in Go and released under the Apache 2.0 license.
Docker uses kernel virtualization features (namespaces, cgroups and so on) to provide resource isolation and security guarantees for containers.
Docker consists of the Docker server (daemon) and the Docker client.
Docker's components are images, containers and repositories (registries).
Differences between Docker and KVM, and Docker's advantages:
1. Faster delivery and deployment: Docker can create containers quickly, iterate applications quickly, and keep the whole process visible, so other team members can more easily understand how an application is built and how it works. Docker containers are light and fast: a container starts in seconds, which saves a great deal of development, testing and deployment time.
2. More efficient virtualization: Docker containers need no additional hypervisor; the virtualization happens at the kernel level, so higher performance and efficiency are possible.
3. Easier migration and scaling: Docker containers run on almost any platform, including physical machines, virtual machines, public clouds, private clouds, personal computers and servers. This compatibility lets a user move an application directly from one platform to another.
4. Simpler management: it replaces what used to be a large amount of update work. All changes are distributed and applied incrementally, which makes management automated and efficient.
5. Differences from KVM:
![](https://s1.51cto.com/images/blog/201805/04/4e17a8ba9387193d570823b98ea7b7b2.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
Docker compared with OpenStack
What Docker can do
Limitations of Docker
1. LXC relies on cgroups and other Linux kernel features, so the guest system in a container can only be Linux-based.
2. Docker's isolation is still weaker than KVM-style virtualization; all containers share part of the runtime libraries.
3. A container is destroyed when the user process stops, so user data such as logs inside the container is inconvenient to collect.
4. Docker is application-oriented; its ultimate goal is to build a PaaS platform. Existing virtual machines mainly provide a flexible pool of compute resources; they are architecture-oriented, with the ultimate goal of building an IaaS platform. Docker therefore cannot replace traditional virtualization solutions.
Docker usage summarized in one picture:
Installing Docker
Preparation:
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget http://mirrors.163.com/.help/CentOS7-Base-163.repo
ls
yum clean all
wget http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum makecache
Installation:
yum install docker   (CentOS 7; installs Docker 1.12.6)
CentOS 6:
yum install docker-io   (at most version 1.7.1; CentOS 7 is recommended)
yum install device-mapper-event-libs
Disable SELinux:
vim /etc/selinux/config
setenforce 0
Start:
systemctl start docker
systemctl enable docker
Configure a domestic (China) registry mirror:
vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]
}
systemctl restart docker
Search for an image
docker search centos
Download an image
docker pull centos
List images
docker images
Start a container from an image (the original line omitted the image name; centos is the image pulled above)
docker run -it -d --name nginx centos /bin/bash
Check the IP address
ip ad li
List running containers
docker ps
List all containers
docker ps -a
Configure access to a private registry:
In /etc/sysconfig/docker
add:
ADD_REGISTRY='--add-registry 172.16.234.101:5000'
BLOCK_REGISTRY='--block-registry docker.io'
INSECURE_REGISTRY='--insecure-registry 172.16.234.101:5000'
Restart Docker.
Subsequent pulls now download from 172.16.234.101 by default:
docker pull nginx
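The two registry settings above (registry-mirrors in daemon.json, and the --add-registry / --block-registry / --insecure-registry options in /etc/sysconfig/docker) decide which hosts the daemon trusts for image content. The following is an added example, not part of the original post: a Python audit that parses both files and reports mirrors that are not served over https and registries marked insecure (for which the daemon accepts plain HTTP and skips TLS certificate verification). Both file contents are constructed inline in the same format as the snippets above; the host mirror.internal.test is a made-up sample value.

```python
import json
import shlex
from typing import Dict, List, Tuple

# Constructed sample of /etc/docker/daemon.json: one https mirror, one plain-http
# mirror (mirror.internal.test is a made-up host) and one registry marked insecure.
DAEMON_JSON = """
{
  "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn", "http://mirror.internal.test"],
  "insecure-registries": ["172.16.234.101:5000"]
}
"""

# Constructed sample of /etc/sysconfig/docker in the same shape as the post's snippet.
SYSCONFIG_DOCKER = """
# extra options for the RHEL/CentOS docker package
ADD_REGISTRY='--add-registry 172.16.234.101:5000'
BLOCK_REGISTRY='--block-registry docker.io'
INSECURE_REGISTRY='--insecure-registry 172.16.234.101:5000'
"""


def parse_sysconfig_flags(text: str) -> List[Tuple[str, str]]:
    """Extract (flag, value) pairs from KEY='--flag value ...' lines."""
    flags: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        parts = shlex.split(line)          # removes the shell quoting around the value
        if "=" not in parts[0]:
            continue
        _key, value = parts[0].split("=", 1)
        tokens = (value + " " + " ".join(parts[1:])).split()
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if not tok.startswith("--"):
                i += 1
                continue
            if "=" in tok:                 # --flag=value form
                flag, val = tok.split("=", 1)
                i += 1
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                flag, val = tok, tokens[i + 1]
                i += 2
            else:                          # bare boolean flag
                flag, val = tok, ""
                i += 1
            flags.append((flag, val))
    return flags


def dedupe(items: List[str]) -> List[str]:
    """Drop repeats while keeping first-seen order."""
    seen = set()
    result = []
    for item in items:
        if item not in seen:
            seen.add(item)
            result.append(item)
    return result


def audit_registry_config(daemon_json: str, sysconfig: str) -> Dict[str, List[str]]:
    """Collect the registry trust decisions made in both configuration sources."""
    cfg = json.loads(daemon_json)
    report: Dict[str, List[str]] = {"insecure": [], "plaintext_mirrors": [], "added": [], "blocked": []}
    report["insecure"].extend(cfg.get("insecure-registries", []))
    for mirror in cfg.get("registry-mirrors", []):
        if not mirror.lower().startswith("https://"):
            report["plaintext_mirrors"].append(mirror)
    for flag, value in parse_sysconfig_flags(sysconfig):
        if flag == "--insecure-registry":
            report["insecure"].append(value)
        elif flag == "--add-registry":
            report["added"].append(value)
        elif flag == "--block-registry":
            report["blocked"].append(value)
    return {key: dedupe(values) for key, values in report.items()}


def format_findings(report: Dict[str, List[str]]) -> List[str]:
    """Turn the report into readable lines; an empty list means nothing to flag."""
    lines = []
    for host in report["insecure"]:
        lines.append(f"WARN insecure registry {host}: plain HTTP or unverified TLS is accepted")
    for url in report["plaintext_mirrors"]:
        lines.append(f"WARN mirror {url} is not https: pulled layers can be altered in transit")
    for host in report["added"]:
        lines.append(f"INFO unqualified image names are resolved against {host} first")
    for host in report["blocked"]:
        lines.append(f"INFO pulls from {host} are blocked")
    return lines


if __name__ == "__main__":
    for line in format_findings(audit_registry_config(DAEMON_JSON, SYSCONFIG_DOCKER)):
        print(line)
```

Run against the real files with `audit_registry_config(open("/etc/docker/daemon.json").read(), open("/etc/sysconfig/docker").read())`; the --add-registry and --block-registry entries are reported as information because they narrow where unqualified names such as `nginx` are fetched from, which is the intent of the snippet above.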
Troubleshooting
WARNING: IPv4 forwarding is disabled. Networking will not work.
vim /usr/lib/sysctl.d/00-system.conf
net.ipv4.ip_forward=1
systemctl restart network
Basic Docker operations
Export an image
docker save centos > /opt/centos.tar.gz
docker save -o centos7 centos
Import an image (docker load takes no image argument; the archive comes from stdin or --input)
docker load < /opt/centos.tar.gz
docker load --input <local image file>
Export a container snapshot
docker export -o mysql-$(date +%Y%m%d).tar a404c6c174a2
Import a container snapshot
docker import my_ubuntu_v3.tar runoob/ubuntu:v4
Pull an image from the official registry
docker pull centos
List the downloaded images
docker images
Run a command
docker run centos /bin/echo "hello"
Check the current Docker containers
docker ps -a
Run a command with a named container
docker run --name madocker -t -i centos /bin/bash
- --name  sets the container name
- -t  allocates a pseudo-terminal
- -i  keeps STDIN open
- centos  the image name
- /bin/bash  the command to run
Start a container
docker start <container ID>
Enter a container
docker attach <container ID>
- This way of entering is synchronous, similar to an OpenStack VNC connection.
- Running exit stops the container, because bash exits.
Another way to enter a container
nsenter -t <container PID> -u -n -i -p
- If the command is missing, install the package: yum install util-linux -y
- -t  target PID (the container's PID)
- How to get the container PID:
  1. Start the container: docker start <container ID>
  2. Get the PID: docker inspect --format "{{.State.Pid}}" <container ID>
- -u  user namespace
- -n  network namespace
- -i  IPC namespace
- -p  PID namespace
Script for entering a container
vim ns.sh
#!/bin/bash
# Usage: ./ns.sh <container ID>  -- look up the container's init PID and enter its namespaces
PID=$(docker inspect --format "{{.State.Pid}}" "$1")
nsenter -t "$PID" -u -n -i -p
chmod +x ns.sh
- ./ns.sh <container ID> enters the container directly, and the container keeps running when you exit.
Delete a container
docker rm {container ID|container name}
* To delete a running container, add -f.
Delete the container automatically after the command finishes
docker run --rm centos /bin/echo "hello"
* After the echo command finishes, the container is removed automatically.
Kill all running containers
docker kill $(docker ps -a -q)
- -q  list only container IDs
Run a container with a data volume mounted at /data:
docker run -d --name nfs -v /data centos
Build an image manually
docker run --name mynginx -it centos
rpm -ivh http://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
yum makecache
yum install vim nginx -y
vim /etc/nginx/nginx.conf
add:
daemon off;
:wq
exit
docker commit -m "my nginx" <container ID> hetao/mynginx:v1
* In hetao/mynginx:v1, hetao is the Docker Hub namespace and v1 is the version tag.
docker run -d -p 82:80 hetao/mynginx:v1 nginx
The final nginx is the command passed to the container.
Docker networking and storage
docker inspect <container name|ID>   lists all details of the container
docker commit
Syntax
docker commit [OPTIONS] CONTAINER [REPOSITORY[:TAG]]
OPTIONS:
-a : author of the committed image;
-c : apply Dockerfile instructions when creating the image;
-m : commit message;
-p : pause the container while committing.
Example
Save container a404c6c174a2 as a new image, adding author and commit message information.
Building an image with a Dockerfile
mkdir /opt/dockerfile/nginx -p
cd /opt/dockerfile
echo "dockerfile">index.html
vim Dockerfile
# This docker file
# VERSION 1
# Author: luis
# Base image
FROM centos
# Maintainer
MAINTAINER hetao hetao@gagogroup.com
# Commands
RUN rpm -ivh http://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
RUN yum makecache
RUN yum install vim nginx -y
ADD index.html /usr/share/nginx/html/index.html
RUN echo "daemon off;" >>/etc/nginx/nginx.conf
EXPOSE 80
CMD ["nginx"]
Setting up a private Docker registry with Harbor on CentOS 7.3
System: CentOS 7.3 64-bit
Harbor version: 1.4.0
1. Install the Docker yum repo (if EPEL and base repos already exist, back them up first, then download the EPEL and base repos)
wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum makecache fast
2. Install docker and docker-compose
yum install docker-ce docker-compose -y
systemctl start docker
systemctl enable docker
3. Download the Harbor online installer
mkdir /data/harbor
cd /data/harbor
wget https://storage.googleapis.com/harbor-releases/release-1.4.0/harbor-online-installer-v1.4.0.tgz
tar xvf harbor-online-installer-v1.4.0.tgz
4. Edit harbor.cfg
hostname = harbor.51cto.wang (the public host name; an IP also works, but not localhost/127.0.0.1)
ui_url_protocol = https (the default http makes docker login fail, and is insecure)
ssl_cert = /data/harbor/cert/server.crt (certificate directory and file name)
ssl_cert_key = /data/harbor/cert/server.key
auth_mode = db_auth (local database authentication)
harbor_admin_password = Harbor12345 (password of the admin user)
project_creation_restriction = adminonly (only administrators may create projects; everyone lets all users create projects)
self_registration = on (enables self-registration)
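The harbor.cfg keys above carry most of the registry's security posture: the UI protocol, the admin password, whether anyone can self-register, and who may create projects. The following is an added example, not from the post or from the Harbor project: a Python check that parses a harbor.cfg excerpt and flags the weak choices, using the rules the step's own notes describe (https required, Harbor12345 is the shipped default admin password, adminonly for project creation). The excerpt is constructed inline in the same format, with a made-up host name, and deliberately uses the weaker values so that every check fires.

```python
from typing import Dict, List

# Harbor ships with this admin password; it is meant to be changed after install.
DEFAULT_ADMIN_PASSWORD = "Harbor12345"

# Constructed harbor.cfg excerpt in the format shown above (host name is made up),
# deliberately using the weaker choices the post warns about.
WEAK_CFG = """\
## Harbor configuration (constructed sample)
hostname = harbor.example.test
ui_url_protocol = http
ssl_cert = /data/harbor/cert/server.crt
ssl_cert_key = /data/harbor/cert/server.key
auth_mode = db_auth
harbor_admin_password = Harbor12345
project_creation_restriction = everyone
self_registration = on
"""


def parse_harbor_cfg(text: str) -> Dict[str, str]:
    """Parse the flat 'key = value' format of harbor.cfg; lines starting with '#' are comments."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit_harbor_cfg(cfg: Dict[str, str]) -> List[str]:
    """Return one finding per weak setting; an empty list means all checks pass."""
    findings: List[str] = []
    hostname = cfg.get("hostname", "")
    if hostname in ("", "localhost", "127.0.0.1"):
        findings.append("hostname must be a reachable host name or IP, not localhost/127.0.0.1")
    protocol = cfg.get("ui_url_protocol", "http").lower()
    if protocol != "https":
        findings.append("ui_url_protocol is not https: docker login credentials travel in clear text")
    else:
        # With https selected, both certificate paths must be filled in.
        for key in ("ssl_cert", "ssl_cert_key"):
            if not cfg.get(key):
                findings.append(f"{key} is not set although ui_url_protocol is https")
    if cfg.get("harbor_admin_password") == DEFAULT_ADMIN_PASSWORD:
        findings.append("harbor_admin_password is still the shipped default Harbor12345")
    if cfg.get("self_registration", "on").lower() == "on":
        findings.append("self_registration is on: anyone who can reach the portal can create an account")
    if cfg.get("project_creation_restriction", "everyone").lower() != "adminonly":
        findings.append("project_creation_restriction is not adminonly: any user can create projects")
    return findings


if __name__ == "__main__":
    for finding in audit_harbor_cfg(parse_harbor_cfg(WEAK_CFG)):
        print("WARN", finding)
```

Pointing the parser at the real file (`parse_harbor_cfg(open("/data/harbor/harbor/harbor.cfg").read())`) before running ./install.sh catches these choices before the containers are generated, which is cheaper than re-running prepare afterwards.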
5. Create the certificate
mkdir /data/harbor/cert && cd /data/harbor/cert
openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout /data/harbor/cert/server.key -out /data/harbor/cert/server.crt
(Fill in only Common Name; press Enter to accept the defaults for everything else)
Generating a 2048 bit RSA private key
...........................+++
.....................................................................................................................+++
writing new private key to '/data/harbor/cert/server.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:harbor.51cto.wang
Email Address []:
6. Generate the configuration files and start the containers
cd /data/harbor/harbor
./install.sh
[Step 0]: checking installation environment ...
Note: docker version: 17.06.1
Note: docker-compose version: 1.9.0
[Step 1]: preparing environment ...
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/app.conf
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/cert/server.crt
Clearing the configuration file: ./common/config/nginx/cert/server.key
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/app.conf
Copied configuration file: ./common/config/uiprivate_key.pem
Copied configuration file: ./common/config/registryroot.crt
The configuration files are ready, please use docker-compose to start the service.
[Step 2]: checking existing instance of Harbor ...
Note: stopping existing Harbor instance ...
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-adminserver ... done
Stopping registry ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-ui ... done
Removing harbor-adminserver ... done
Removing registry ... done
Removing harbor-db ... done
Removing harbor-log ... done
Removing network harbor_harbor
[Step 3]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log
Creating harbor-adminserver
Creating harbor-db
Creating registry
Creating harbor-ui
Creating harbor-jobservice
Creating nginx
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at https://harbor.51cto.wang .
For more details, please visit https://github.com/vmware/harbor .
7. Log in and push the first image
<Local login>
1) Log in to the web UI and create a project named test
2) Push a test image to the test project
docker login -u admin -p Harbor123456 harbor.51cto.wang   (log in)
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
vmware/registry-photon v2.6.2-v1.4.0 8920f621ddd1 5 weeks ago 198MB
vmware/nginx-photon v1.4.0 20c8a01ac6ab 5 weeks ago 135MB
vmware/harbor-log v1.4.0 9e818c7a27ab 5 weeks ago 200MB
vmware/harbor-jobservice v1.4.0 29c14d91b043 5 weeks ago 191MB
vmware/harbor-ui v1.4.0 6cb4318eda6a 5 weeks ago 209MB
vmware/harbor-adminserver v1.4.0 8145970fa013 5 weeks ago 182MB
vmware/harbor-db v1.4.0 c38da34727f0 5 weeks ago 521MB
task/task v2 5e45422e6d29 2 months ago 1.76GB
task/task v1 78022f6d4a90 2 months ago 1.69GB
Upload task:v2 to Harbor
docker tag task/task:v2 harbor.51cto.wang/test/task:test
docker push harbor.51cto.wang/test/task:test
The push refers to a repository [harbor.51cto.wang/test/task]
196171e612cc: Pushed
test: digest: sha256:09921659d583e6e53ade0a81dc5ebccc7be6245d8a2a2c84f22539d4f64d075d size: 529
<Remote login>
1) Copy the certificate (on the server hosting the registry)
mkdir -p /etc/docker/certs.d/harbor.51cto.wang
cp /data/harbor/cert/server.crt /etc/docker/certs.d/harbor.51cto.wang/ca.crt
2) On the client
mkdir -p /etc/docker/certs.d/harbor.51cto.wang
Copy the server's ca.crt into this directory
docker login -u admin -p Harbor123456 harbor.51cto.wang
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded
FAQ:
1. If the script fails, run the steps separately: ./prepare && docker-compose up -d
2. If a port is reported as already in use while the containers start, change the port in docker-compose.yml
3. Login error: Error response from daemon: Get https://registry.niudingfeng.com/v1/users/: x509: certificate signed by unknown authority
This mostly happens with self-signed certificates: the error means the issuing CA is not trusted, so the certificate cannot be verified. The commands below append the certificate to the system-wide CA bundle (on CentOS 7, /etc/pki/tls/certs/ca-bundle.crt is a symlink to tls-ca-bundle.pem, which is why that file's permissions are relaxed first); the per-registry /etc/docker/certs.d directory from step 7 trusts the certificate for that registry only.
chmod 644 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
cat /data/harbor/cert/server.crt >>/etc/pki/tls/certs/ca-bundle.crt
chmod 444 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
systemctl restart docker
References:
http://www.bubuko.com/infodetail-1944996.html
https://vmware.github.io/harbor/
Reposted from: https://blog.51cto.com/ershao/2112637