Docker 虚拟化学习笔记
Docker安装
YUM方式安装
- 安装国内阿里源
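# Fetch the repo definition over HTTPS rather than plain HTTP: this file decides
# where yum will install Docker from, so it should not be alterable in transit.
wget -P /etc/yum.repos.d/ https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo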
- 安装Docker-CE版本
yum install docker-ce -y
- 启动Docker并查看进程状态
systemctl start docker
ps -ef |grep docker|grep -v grep
root 56831 1 0 13:33 ? 00:00:00 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
二进制方式安装
- 从Docker官网下载Docker软件包
docker tar包下载地址 - 安装部署
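# Create the install directory for the static Docker binaries.
mkdir -p /usr/local/docker
# Unpack into that directory. The original command pointed at /usr/loacl/docker
# (typo), a path that was never created, so tar would fail. The static archive
# is expected to wrap its binaries in a top-level docker/ folder, hence
# --strip-components=1 so that dockerd lands at /usr/local/docker/dockerd, the
# path started below -- confirm the layout with `tar -tf docker-26.0.2.tgz`.
tar -xf docker-26.0.2.tgz -C /usr/local/docker --strip-components=1
# Create the docker user and group (no login shell, no home directory).
# Access to the Docker daemon is effectively root on the host, so add real
# users to this group sparingly.
useradd docker -s /sbin/nologin -M
# Put the Docker binaries on PATH for login shells. The guard keeps repeated
# runs from appending the same line to /etc/profile again; the quoted delimiter
# writes $PATH literally, as the escaped \$PATH did in the original.
if ! grep -qF '/usr/local/docker' /etc/profile; then
  cat >>/etc/profile <<'EOF'
export PATH=$PATH:/usr/local/docker
EOF
fi
source /etc/profile
# Start the daemon in the background. dockerd runs as root; outside a lab, run
# it from a systemd unit so it is supervised and restarted.
nohup /usr/local/docker/dockerd &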
#查看启动状态
ps -ef |grep docker|grep -v grep
root 2041 1 0 4月18 ? 00:02:02 /usr/local/docker/dockerd
root 2047 2041 0 4月18 ? 00:04:52 containerd --config /var/run/docker/containerd/containerd.toml
#查看docker版本
docker version
docker更新国内源
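# Point the daemon at a registry mirror.
# NOTE(review): a mirror sits in the trust path for tag-based pulls -- keep it
# on HTTPS, use one you trust, confirm this endpoint is still served, and pull
# by digest (image@sha256:...) where integrity matters.
mkdir -p /etc/docker
# Quoted delimiter: the JSON is written literally, with no shell expansion.
cat >/etc/docker/daemon.json <<'EOF'
{
  "registry-mirrors": ["https://registry.docker-cn.com"]
}
EOF
# Restart the Docker service so the daemon re-reads daemon.json (the original
# listed this step but gave no command). This applies to the systemd-managed
# (YUM) install; a dockerd started by hand with nohup has to be stopped and
# started again instead.
systemctl restart docker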
docker常用命令
| 命令 | 说明 |
|---|---|
| docker search | 在docker hub中搜索镜像; |
| docker pull | 从docker镜像源服务器拉取指定镜像或者库镜像; |
| docker push | 推送指定镜像或者库镜像至docker源服务器; |
| docker history | docker history 展示一个镜像形成历史; |
| docker images | 列出系统当前镜像; |
| docker run | 创建一个新的容器并运行一个命令; |
| docker start | 启动容器; |
| docker stop | 停止容器; |
| docker attach | 当前shell下attach连接指定运行镜像; |
| docker build | 通过Dockerfile定制镜像; |
| docker commit | 提交当前容器为新的镜像; |
| docker cp | 从容器中拷贝指定文件或者目录到宿主机中; |
| docker create | 创建一个新的容器,同run,但不启动容器; |
| docker diff | 查看docker容器变化; |
| docker events | 从docker服务获取容器实时事件; |
| docker exec | 在已存在的容器上运行命令; |
| docker export | 导出容器的内容流作为一个tar归档文件[对应import]; |
| docker import | 从tar包中的内容创建一个新的文件系统映像[对应export]; |
| docker info | 显示系统相关信息; |
| docker inspect | 查看容器详细信息; |
| docker kill | 杀掉指定docker容器; |
| docker load | 从一个tar包中加载一个镜像[对应save]; |
| docker login | 注册或者登陆一个docker源服务器; |
| docker logout | Docker registry退出; |
| docker logs | 输出当前容器日志信息; |
| docker port | 查看映射端口对应的容器内部源端口; |
| docker pause | 暂停容器; |
| docker ps | 列出容器列表; |
| docker restart | 重启运行的容器; |
| docker rm | 移除一个或者多个容器; |
| docker rmi | 移除一个或多个镜像; |
| docker save | 保存一个镜像为一个tar包[对应load]; |
| docker tag | 给源中镜像打标签; |
| docker top | 查看容器中运行的进程信息; |
| docker unpause | 取消暂停容器; |
| docker version | 查看docker版本号; |
| docker wait | 截取容器停止时的退出状态值。 |
示例
搜索镜像
docker search centos
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
centos DEPRECATED; The official build of CentOS. 7721 [OK]
拉取centos镜像
[root@localhost ~]# docker pull centos
Using default tag: latest
latest: Pulling from library/centos
a1d0c7532777: Pull complete
Digest: sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177
Status: Downloaded newer image for centos:latest
docker.io/library/centos:latest
查看镜像
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos latest 5d0da3dc9764 2 years ago 231MB
启动centos镜像
[root@localhost ~]# docker run -itd --name=vm01 centos:latest
0c0eaca8dcbf30ceb9b5cfb1f741ec1d7f9d0b07ee263af6c293a0f73dd0dbd0
在运行的镜像执行命令
[root@localhost ~]# docker exec -it vm01 /bin/bash
[root@0c0eaca8dcbf /]# ls
bin etc lib lost+found mnt proc run srv tmp var
dev home lib64 media opt root sbin sys usr
查看容器详细信息
[root@localhost ~]# docker inspect vm01
[
{
"Id": "0c0eaca8dcbf30ceb9b5cfb1f741ec1d7f9d0b07ee263af6c293a0f73dd0dbd0",
"Created": "2024-04-18T17:50:15.031033164Z",
"Path": "/bin/bash",
"Args": [],
"State": {
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 92821,
"ExitCode": 0,
"Error": "",
"StartedAt": "2024-04-18T17:50:16.02925451Z",
"FinishedAt": "0001-01-01T00:00:00Z"
},
"Image": "sha256:5d0da3dc976460b72c77d94c8a1ad043720b0416bfc16c52c45d4847e53fadb6",
"ResolvConfPath": "/var/lib/docker/containers/0c0eaca8dcbf30ceb9b5cfb1f741ec1d7f9d0b07ee263af6c293a0f73dd0dbd0/resolv.conf",
"HostnamePath": "/var/lib/docker/containers/0c0eaca8dcbf30ceb9b5cfb1f741ec1d7f9d0b07ee263af6c293a0f73dd0dbd0/hostname",
"HostsPath": "/var/lib/docker/containers/0c0eaca8dcbf30ceb9b5cfb1f741ec1d7f9d0b07ee263af6c293a0f73dd0dbd0/hosts",
"LogPath": "/var/lib/docker/containers/0c0eaca8dcbf30ceb9b5cfb1f741ec1d7f9d0b07ee263af6c293a0f73dd0dbd0/0c0eaca8dcbf30ceb9b5cfb1f741ec1d7f9d0b07ee263af6c293a0f73dd0dbd0-json.log",
"Name": "/vm01",
"RestartCount": 0,
"Driver": "overlay2",
"Platform": "linux",
"MountLabel": "",
"ProcessLabel": "",
"AppArmorProfile": "",
"ExecIDs": null,
"HostConfig": {
"Binds": null,
"ContainerIDFile": "",
"LogConfig": {
"Type": "json-file",
"Config": {}
},
"NetworkMode": "default",
"PortBindings": {},
"RestartPolicy": {
"Name": "no",
"MaximumRetryCount": 0
},
"AutoRemove": false,
"VolumeDriver": "",
"VolumesFrom": null,
"ConsoleSize": [
28,
97
],
"CapAdd": null,
"CapDrop": null,
"CgroupnsMode": "host",
"Dns": [],
"DnsOptions": [],
"DnsSearch": [],
"ExtraHosts": null,
"GroupAdd": null,
"IpcMode": "private",
"Cgroup": "",
"Links": null,
"OomScoreAdj": 0,
"PidMode": "",
"Privileged": false,
"PublishAllPorts": false,
"ReadonlyRootfs": false,
"SecurityOpt": null,
"UTSMode": "",
"UsernsMode": "",
"ShmSize": 67108864,
"Runtime": "runc",
"Isolation": "",
"CpuShares": 0,
"Memory": 0,
"NanoCpus": 0,
"CgroupParent": "",
"BlkioWeight": 0,
"BlkioWeightDevice": [],
"BlkioDeviceReadBps": [],
"BlkioDeviceWriteBps": [],
"BlkioDeviceReadIOps": [],
"BlkioDeviceWriteIOps": [],
"CpuPeriod": 0,
"CpuQuota": 0,
"CpuRealtimePeriod": 0,
"CpuRealtimeRuntime": 0,
"CpusetCpus": "",
"CpusetMems": "",
"Devices": [],
"DeviceCgroupRules": null,
"DeviceRequests": null,
"MemoryReservation": 0,
"MemorySwap": 0,
"MemorySwappiness": null,
"OomKillDisable": false,
"PidsLimit": null,
"Ulimits": [],
"CpuCount": 0,
"CpuPercent": 0,
"IOMaximumIOps": 0,
"IOMaximumBandwidth": 0,
"MaskedPaths": [
"/proc/asound",
"/proc/acpi",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/proc/scsi",
"/sys/firmware",
"/sys/devices/virtual/powercap"
],
"ReadonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
]
},
"GraphDriver": {
"Data": {
"LowerDir": "/var/lib/docker/overlay2/6e2a04be1f4a6db732c62f084af239210cdd77a0c70cf0a9d4bac94b83d854b4-init/diff:/var/lib/docker/overlay2/31486b9ba4281ec6a767123b30e60acb3cfbad38022166091de919bc50223207/diff",
"MergedDir": "/var/lib/docker/overlay2/6e2a04be1f4a6db732c62f084af239210cdd77a0c70cf0a9d4bac94b83d854b4/merged",
"UpperDir": "/var/lib/docker/overlay2/6e2a04be1f4a6db732c62f084af239210cdd77a0c70cf0a9d4bac94b83d854b4/diff",
"WorkDir": "/var/lib/docker/overlay2/6e2a04be1f4a6db732c62f084af239210cdd77a0c70cf0a9d4bac94b83d854b4/work"
},
"Name": "overlay2"
},
"Mounts": [],
"Config": {
"Hostname": "0c0eaca8dcbf",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": true,
"OpenStdin": true,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Cmd": [
"/bin/bash"
],
"Image": "centos:latest",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": {
"org.label-schema.build-date": "20210915",
"org.label-schema.license": "GPLv2",
"org.label-schema.name": "CentOS Base Image",
"org.label-schema.schema-version": "1.0",
"org.label-schema.vendor": "CentOS"
}
},
"NetworkSettings": {
"Bridge": "",
"SandboxID": "e22dd8e2bf0471caa2a5d0fcdd0b42e8cd61c7f9919fb3203d4ccddfa4f364f7",
"SandboxKey": "/var/run/docker/netns/e22dd8e2bf04",
"Ports": {},
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "4de3c5e1de0a1933943820c1bedde177f3a5dd5d97deeef78f6c1eaf3ae1d502",
"Gateway": "172.17.0.1",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"MacAddress": "02:42:ac:11:00:02",
"Networks": {
"bridge": {
"IPAMConfig": null,
"Links": null,
"Aliases": null,
"MacAddress": "02:42:ac:11:00:02",
"NetworkID": "13fb2e7f71a18cb0caa01ffaaba97a633f3cec098ccfd8d359be9c436f692a80",
"EndpointID": "4de3c5e1de0a1933943820c1bedde177f3a5dd5d97deeef78f6c1eaf3ae1d502",
"Gateway": "172.17.0.1",
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"DriverOpts": null,
"DNSNames": null
}
}
}
}
]
#查看容器IP地址
[root@localhost ~]# docker inspect vm01|grep -i ipaddr|tail -1
"IPAddress": "172.17.0.2",
ssh 172.17.0.2
ssh: connect to host 172.17.0.2 port 22: Connection refused
为什么有IP地址,但是ssh 却无法连接centos镜像呢?
因为centos镜像启动后,ssh服务没有启动!
centos镜像安装ssh服务
[root@localhost ~]# docker cp CentOS-Base-Aliyun.repo vm01:/etc/yum.repos.d
Successfully copied 4.61kB to vm01:/etc/yum.repos.d
[root@localhost ~]# docker exec -it vm01 /bin/bash
[root@0c0eaca8dcbf /]# cd /etc/yum.repos.d/
[root@0c0eaca8dcbf yum.repos.d]# ls
CentOS-Base-Aliyun.repo
[root@0c0eaca8dcbf yum.repos.d]# yum install openssh-server -y
[root@0c0eaca8dcbf yum.repos.d]# /usr/sbin/sshd
Unable to load host key: /etc/ssh/ssh_host_rsa_key
Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
[root@0c0eaca8dcbf yum.repos.d]# ssh-keygen -A
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
[root@0c0eaca8dcbf yum.repos.d]# ps -ef |grep ssh
root 148 0 0 18:50 ? 00:00:00 /usr/sbin/sshd
root 150 59 0 18:51 pts/1 00:00:00 grep --color=auto ssh
[root@0c0eaca8dcbf /]# yum install passwd -y
[root@0c0eaca8dcbf /]# echo Zhai@1990.|passwd --stdin root
Changing password for user root.
passwd: all authentication tokens updated successfully.
[root@localhost ~]# ssh 172.17.0.2
root@172.17.0.2's password:
"System is booting up. Unprivileged users are not permitted to log in yet. Please come back later. For technical details, see pam_nologin(8)."
[root@0c0eaca8dcbf ~]# yum install net-tools -y
[root@0c0eaca8dcbf ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 148/sshd
tcp6 0 0 :::22 :::* LISTEN 148/sshd
#退出docker容器,使用docker commit命令将此已经安装openssh-server命令的docker容器进行commit;
[root@localhost ~]# docker commit vm01 centos-ssh:v1
sha256:398e02997ed231759fd4ced360c0563dc376de38116dd7a9f84a1602cf7a9d8a
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos-ssh v1 398e02997ed2 7 seconds ago 276MB
centos latest 5d0da3dc9764 2 years ago 231MB
#启动新的镜像centos-ssh
[root@localhost ~]# docker run -itd --name=vm02 centos-ssh
Unable to find image 'centos-ssh:latest' locally
docker: Error response from daemon: pull access denied for centos-ssh, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
See 'docker run --help'.
[root@localhost ~]# docker run -itd --name=vm02 centos-ssh:v1
b178ba64756058c1f86a2bc4db03cb17e3a04f34505e66cd41aea2982f04124b
[root@localhost ~]# docker exec -it b178ba647560 /bin/bash
[root@b178ba647560 /]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
#ssh服务没有启动?解决办法
[root@b178ba647560 /]# /usr/sbin/sshd
docker export
- 归档运行中的容器文件系统到本地
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
33f36343e7ca centos-ssh:v1 "/bin/bash" 3 hours ago Up 3 hours vm03
b178ba647560 centos-ssh:v1 "/bin/bash" 3 hours ago Up 3 hours vm02
0c0eaca8dcbf centos:latest "/bin/bash" 5 hours ago Up 5 hours vm01
[root@localhost ~]# docker export -o /root/centos.tar vm01
[root@localhost ~]# ls
anaconda-ks.cfg CentOS-Base-Aliyun.repo centos.tar
- 归档未运行中的容器文件系统到本地
[root@localhost ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
33f36343e7ca centos-ssh:v1 "/bin/bash" 3 hours ago Up 3 hours vm03
b178ba647560 centos-ssh:v1 "/bin/bash" 3 hours ago Exited (0) 12 seconds ago vm02
0c0eaca8dcbf centos:latest "/bin/bash" 5 hours ago Up 5 hours vm01
[root@localhost ~]# docker export -o /root/centos-ssh.tar vm02
[root@localhost ~]# ls
anaconda-ks.cfg CentOS-Base-Aliyun.repo centos-ssh.tar centos.tar
docker import
[root@localhost ~]# ls
anaconda-ks.cfg CentOS-Base-Aliyun.repo centos-ssh.tar centos.tar
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos-ssh v1 398e02997ed2 4 hours ago 276MB
[root@localhost ~]# docker import centos.tar centos:latest
sha256:f15db9a7b7bbf333dcc2128c1318031f8153e66feba31cdd25e44e2f4f5eaff9
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos latest f15db9a7b7bb 3 seconds ago 265MB
centos-ssh v1 398e02997ed2 4 hours ago 276MB
注意:
不推荐使用docker export和docker import,因为导出过程中可能丢失内存中的数据,而且导出的归档只包含容器的文件系统,不保留镜像的元数据(如默认启动命令CMD),导致import之后出现问题!!!
例如:import 之后启动centos容器需要docker run -itd --name=vm01 centos /bin/bash
推荐使用docker save和docker load
docker save
[root@localhost ~]# docker save -o centos8.tar centos
[root@localhost ~]# ls
anaconda-ks.cfg centos centos8.tar CentOS-Base-Aliyun.repo
docker load
[root@localhost ~]# docker load -i centos8.tar
Loaded image: centos:latest
docker rmi
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos-ssh v1 398e02997ed2 4 hours ago 276MB
centos latest 5d0da3dc9764 2 years ago 231MB
[root@localhost ~]# docker rmi centos
Error response from daemon: conflict: unable to remove repository reference "centos" (must force) - container 0c0eaca8dcbf is using its referenced image 5d0da3dc9764
[root@localhost ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
33f36343e7ca centos-ssh:v1 "/bin/bash" 3 hours ago Up 3 hours vm03
b178ba647560 centos-ssh:v1 "/bin/bash" 4 hours ago Exited (0) 18 minutes ago vm02
0c0eaca8dcbf centos:latest "/bin/bash" 6 hours ago Exited (0) 32 seconds ago vm01
[root@localhost ~]# docker rm 0c0eaca8dcbf
0c0eaca8dcbf
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos-ssh v1 398e02997ed2 4 hours ago 276MB
centos latest 5d0da3dc9764 2 years ago 231MB
[root@localhost ~]# docker rmi centos
Untagged: centos:latest
Untagged: centos@sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177
Dockerfile语法命令详解
- FROM指定所创建的镜像的基础镜像,如果本地不存在,则默认会去Docker Hub下载指定镜像。
格式为:FROM <image>,或FROM <image>:<tag>,或FROM <image>@<digest>。任何Dockerfile中的第一条指令必须为FROM指令。并且,如果在同一个Dockerfile文件中创建多个镜像,可以使用多个FROM指令(每个镜像一次)。
- MAINTAINER指定维护者信息。
格式为MAINTAINER <name>。例如:
MAINTAINER image_creator@docker.com
该信息将会写入生成镜像的Author属性域中。
- RUN运行指定命令。
格式为:RUN <command>或RUN ["executable","param1","param2"]。
注意:后一个指令会被解析为json数组,所以必须使用双引号。
前者默认将在shell终端中运行命令,即/bin/sh -c;后者则使用exec执行,不会启动shell环境。
指定使用其他终端类型可以通过第二种方式实现,例如:
RUN ["/bin/bash","-c","echo hello"]
每条RUN指令将在当前镜像的基础上执行指定命令,并提交为新的镜像。当命令较长时可以使用\换行。例如:
RUN apt-get update \
&& apt-get install -y libsnappy-dev zlib1g-dev libbz2-dev \
&& rm -rf /var/cache/apt
- CMD用来指定启动容器时默认执行的命令。
它支持三种格式:
CMD ["executable","param1","param2"] 使用exec执行,是推荐使用的方式;
CMD command param1 param2 在/bin/sh中执行,提供给需要交互的应用;
CMD ["param1","param2"] 提供给ENTRYPOINT的默认参数。
每个Dockerfile只能有一条CMD命令。如果指定了多条命令,只有最后一条会被执行。如果用户启动容器时指定了运行的命令(作为run的参数),则会覆盖掉CMD指定的命令。
- LABEL指令用来生成用于生成镜像的元数据的标签信息。
格式为:LABEL <key>=<value> <key>=<value> <key>=<value> …。
例如:
LABEL version="1.0"
LABEL description="This text illustrates \
that label-values can span multiple lines."
- EXPOSE声明镜像内服务所监听的端口。
格式为:EXPOSE <port> [<port>…]
例如:
EXPOSE 22 80 443 3306
注意:该命令只是起到声明作用,并不会自动完成端口映射。在容器启动时需要使用-P(大写P),Docker主机会自动分配一个宿主机未被使用的临时端口转发到指定的端口;使用-p(小写p),则可以具体指定哪个宿主机的本地端口映射过来。
- ENV指定环境变量,在镜像生成过程中会被后续RUN指令使用,在镜像启动的容器中也会存在。
格式为:ENV <key> <value>或ENV <key>=<value> …。
例如:
ENV GOLANG_VERSION 1.6.3
ENV GOLANG_DOWNLOAD_URL https://golang.org/dl/go$GOLANG_VERSION.linux-amd64.tar.gz
ENV GOLANG_DOWNLOAD_SHA256 cdd5e08530c0579255d6153b08fdb3b8e47caabbe717bc7bcd7561275a87aeb
RUN curl -fsSL "$GOLANG_DOWNLOAD_URL" -o golang.tar.gz && echo "$GOLANG_DOWNLOAD_SHA256 golang.tar.gz" | sha256sum -c - && tar -C /usr/local -xzf golang.tar.gz && rm golang.tar.gz
ENV GOPATH /go
ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH"
指令指定的环境变量在运行时可以被覆盖掉,如docker run --env <key>=<value> built_image。
- ADD该指令将复制指定的<src>路径下的内容到容器中的<dest>路径下。
格式为:ADD <src> <dest>
其中<src>可以是Dockerfile所在目录的一个相对路径(文件或目录),也可以是一个URL,还可以是一个tar文件(如果是tar文件,会自动解压到<dest>路径下)。<dest>可以是镜像内的绝对路径,或者相对于工作目录(WORKDIR)的相对路径。路径支持正则表达式,例如:
ADD *.c /code/
- COPY复制本地主机的<src>(为Dockerfile所在目录的一个相对路径、文件或目录)下的内容到镜像中的<dest>下。目标路径不存在时,会自动创建。路径同样支持正则。
格式为:COPY <src> <dest>。当使用本地目录为源目录时,推荐使用COPY。
- ENTRYPOINT指定镜像的默认入口命令,该入口命令会在启动容器时作为根命令执行,所有传入值作为该命令的参数。
支持两种格式:
ENTRYPOINT ["executable","param1","param2"] (exec调用执行);
ENTRYPOINT command param1 param2(shell中执行)。
此时,CMD指令指定值将作为根命令的参数。
每个Dockerfile中只能有一个ENTRYPOINT,当指定多个时,只有最后一个有效。
在运行时可以被--entrypoint参数覆盖掉,如docker run --entrypoint。
- VOLUME
创建一个数据卷挂载点。
格式为:VOLUME ["/data"]
可以从本地主机或者其他容器挂载数据卷,一般用来存放数据库和需要保存的数据等。
- USER
指定运行容器时的用户名或UID,后续的RUN等指令也会使用特定的用户身份。
格式为:USER daemon
当服务不需要管理员权限时,可以通过该指令指定运行用户,并且可以在之前创建所需要的用户。例如:
RUN groupadd -r nginx && useradd -r -g nginx nginx
要临时获取管理员权限可以用gosu或者sudo。
- WORKDIR为后续的RUN、CMD和ENTRYPOINT指令配置工作目录。
格式为:WORKDIR /path/to/workdir。
可以使用多个WORKDIR指令,后续命令如果参数是相对的,则会基于之前命令指定的路径。例如:
WORKDIR /a
WORKDIR b
WORKDIR c
RUN pwd
则最终路径为/a/b/c
ARG指定一些镜像内使用的参数(例如版本号信息等),这些参数在执行docker build命令时才以--build-arg <name>=<value>格式传入。格式为:ARG <name>[=<default value>]。
则可以用docker build --build-arg <name>=<value>来指定参数值。注意:不要用ARG传递密码等机密信息,构建参数会记录在镜像的构建历史中。
docker build
[root@localhost 2024-04-19]# cat Dockerfile
# Base image. NOTE(review): centos:latest is a moving tag, and the registry
# search output lists this image as DEPRECATED; pin a tag or digest for
# reproducible builds.
FROM centos:latest
# Author metadata. MAINTAINER is a deprecated instruction; a LABEL can carry
# the same information.
MAINTAINER image_creator@ipro
LABEL description="ssh net-tools"
# Drop the stock repo files and install the Aliyun repo definition from the
# build context.
RUN rm -f /etc/yum.repos.d/*
COPY CentOS-Base-Aliyun.repo /etc/yum.repos.d
# Install sshd and tools, generate SSH host keys, and set the root password.
# NOTE(review): the password literal is part of this layer's build command (it
# is echoed in the build log as well), so anyone who can read the image can
# recover it. The host keys generated here are likewise shared by every
# container started from the image. Prefer key-based login and supply secrets
# at run time.
RUN yum install openssh-server net-tools passwd -y \
&& ssh-keygen -A \
&& echo 'Zhai@ipro.' | passwd --stdin root
# Declares that the service listens on 22; it does not publish the port.
EXPOSE 22
# NOTE(review): both instructions below are in shell form. With a shell-form
# ENTRYPOINT the CMD is not used, so the container starts /usr/sbin/init and
# "sshd -D" is never run directly. That matches the transcript, where port 22
# is only listening in the container started with --privileged -- presumably
# because init can start services only there.
CMD /usr/sbin/sshd -D
ENTRYPOINT /usr/sbin/init
[root@localhost 2024-04-19]# mv /root/CentOS-Base-Aliyun.repo .
[root@localhost 2024-04-19]# ls
CentOS-Base-Aliyun.repo Dockerfile
[root@localhost 2024-04-19]# docker build -t centos8:ssh .
[+] Building 13.3s (9/9) FINISHED docker:default
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 433B 0.0s
=> [internal] load metadata for docker.io/library/centos:latest 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [1/4] FROM docker.io/library/centos:latest 0.0s
=> CACHED [2/4] RUN rm -f /etc/yum.repos.d/* 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 2.70kB 0.0s
=> [3/4] COPY CentOS-Base-Aliyun.repo /etc/yum.repos.d 0.2s
=> [4/4] RUN yum install openssh-server net-tools passwd -y && ssh-keygen -A && echo 'Zhai@ipro.' | passwd --stdin root 12.7s
=> exporting to image 0.2s
=> => exporting layers 0.1s
=> => writing image sha256:9a677f65adbfc264d4848c0c1e7630e33279ad17922c6e7a55bbad524558da87 0.0s
=> => naming to docker.io/library/centos8:ssh 0.0s
[root@localhost 2024-04-19]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos8 ssh 9a677f65adbf 30 seconds ago 276MB
centos latest 5d0da3dc9764 2 years ago 231MB
[root@localhost 2024-04-19]# docker run -itd --name=vm01 centos8:ssh
[root@localhost 2024-04-19]# docker exec -it vm01 /bin/bash
[root@c37bed1e553e /]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
[root@localhost 2024-04-19]# docker run -itd --name=vm02 --privileged centos8:ssh
[root@localhost 2024-04-19]# docker exec -it vm02 /bin/bash
[root@8f013784a211 /]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 57/sshd
tcp6 0 0 :::22 :::* LISTEN 57/sshd
Docker的--privileged=true选项
--privileged=true的作用:
当使用--privileged=true选项运行容器时,Docker会赋予容器几乎与主机相同的权限。具体来说,这个选项做了以下两件事情:
1.给容器添加了所有的capabilities
2.允许容器访问主机的所有设备
这意味着在一个privileged容器中,我们可以做很多平时不能做的事情,例如加载内核模块、直接操作硬件设备等。
--privileged=true的风险
尽管--privileged=true选项为容器提供了强大的功能,但它也带来了一些严重的安全隐患。由于privileged容器具有几乎与主机相同的权限,所以如果容器被恶意代码控制,那么攻击者就可以轻易地突破容器的边界,对主机进行任意操作。
因此,我们需要谨慎地使用--privileged=true选项,只在真正需要的情况下才启用它。在可能的情况下,我们应该尽量使用其他更细粒度的权限控制手段,例如通过--cap-add或--device参数来分别添加必要的capabilities或设备访问权限。
Docker网络
基于Docker run创建Docker容器时,可以使用--net选项指定容器的网络模式,Docker默认有以下四种网络模式:
- host模式,使用--net=host指定;
默认Docker容器运行会分配独立的Network Namespace隔离子系统,基于host模式,容器将不会获得一个独立的Network Namespace,而是和宿主机共用一个Network Namespace,容器将不会虚拟出自己的网卡,配置自己的IP等,而是使用宿主机的IP和端口。
- container模式,使用--net=container:NAME_or_ID指定;(基本不使用)
Container模式指定新创建的容器和已经存在的一个容器共享一个Network Namespace,而不是和宿主机共享。
即新创建的容器不会创建自己的网卡,配置自己的IP,而是和一个指定的容器共享IP、端口范围等。同样两个容器除了网络方面相同之外,其他的如文件系统、进程列表等还是隔离的。
- none模式,使用--net=none指定;
None模式与其他的模式都不同,如果处于None模式,Docker容器拥有自己的Network Namespace,但是并不为Docker容器进行任何网络配置。也就是说该Docker容器没有网卡、IP、路由等信息,需要手工为Docker容器添加网卡、配置IP等,典型Pipework工具为Docker容器指定IP等信息;
none模式,配置IP
#安装pipework工具
yum install git -y
[root@localhost ~]# git clone https://github.com/jpetazzo/pipework.git
正克隆到 'pipework'...
remote: Enumerating objects: 547, done.
remote: Counting objects: 100% (37/37), done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 547 (delta 17), reused 25 (delta 13), pack-reused 510
接收对象中: 100% (547/547), 197.62 KiB | 0 bytes/s, done.
处理 delta 中: 100% (287/287), done.
[root@localhost ~]# mv pipework /opt/
[root@localhost pipework]# ln -s /opt/pipework/pipework /usr/bin/pipework
#启动一台虚拟机
[root@localhost yum.repos.d]# docker run -itd --name=ipro-01 --net=none centos
8964c56df5b394e7caa42a010663fe6d2a083c5367b4929651b7e019d68fcaa7
[root@localhost yum.repos.d]# docker exec ipro-01 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
[root@localhost yum.repos.d]# pipework docker0 ipro-01 192.168.192.201/24@192.168.192.2
[root@localhost yum.repos.d]# docker exec ipro-01 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
4: eth1@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 66:0c:a3:ed:ec:d5 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.192.201/24 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::640c:a3ff:feed:ecd5/64 scope link
valid_lft forever preferred_lft forever
- bridge模式,使用--net=bridge指定,默认设置;
Bridge模式是Docker默认的网络模式,该模式会为每一个容器分配Network Namespace、设置IP、路由等配置,默认会将Docker容器连接到一个虚拟网桥交换机Docker0上。
桥接模式拓扑图


Docker Bridge创建过程:
- 首先宿主机上创建一对虚拟网卡veth pair设备,veth设备总是成对出现的,组成了一个数据的通道,数据从一个设备进入,就会从另一个设备出来,veth设备常用来连接两个网络设备。
- Docker将veth pair设备的一端放在新创建的容器中,并命名为eth0,然后将另一端放在宿主机中,以vethxxx这样类似的名字命名,并将这个网络设备加入到docker0网桥中,可以通过brctl show命令查看。
- 从docker0子网中分配一个IP给容器使用,并设置docker0的IP地址为容器的默认网关。
- 此时容器IP与宿主机能够通信,宿主机也可以访问容器中的IP地址,在Bridge模式下,连在同一网桥上的容器之间可以相互通信,同时容器也可以访问外网,但是其他物理机不能访问docker容器IP,需要通过NAT将容器IP的port映射为宿主机的IP和port。
容器配置静态IP
- 配置桥接网络
yum -y install bridge-utils
#备份网卡
cp ifcfg-ens33{,.bak}
[root@localhost network-scripts]# vim ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
UUID=d23c4668-f32f-4361-9055-4e6b063deb59
DEVICE=ens33
ONBOOT=yes
#IPADDR=192.168.192.9
#PREFIX=24
#GATEWAY=192.168.192.2
BRIDGE="br0"
[root@localhost network-scripts]# vim ifcfg-br0
TYPE=Bridge
BOOTPROTO=static
DEVICE=br0
ONBOOT=yes
IPADDR=192.168.192.9
PREFIX=24
GATEWAY=192.168.192.2
systemctl restart network.service
[root@localhost network-scripts]# ip a
[root@localhost network-scripts]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
link/ether 00:0c:29:e4:d8:f4 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:58:72:a1:66 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:58ff:fe72:a166/64 scope link
valid_lft forever preferred_lft forever
5: veth1pl57269@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default qlen 1000
link/ether 86:16:24:c5:44:70 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::8416:24ff:fec5:4470/64 scope link
valid_lft forever preferred_lft forever
6: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:0c:29:e4:d8:f4 brd ff:ff:ff:ff:ff:ff
inet 192.168.192.9/24 brd 192.168.192.255 scope global noprefixroute br0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fee4:d8f4/64 scope link
valid_lft forever preferred_lft forever
- 容器配置静态IP
[root@localhost network-scripts]# pipework br0 ipro-02 192.168.192.202/24@192.168.192.2
[root@localhost network-scripts]# docker exec -it ipro-02 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
7: eth1@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether fe:55:57:a2:65:ee brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.192.202/24 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::fc55:57ff:fea2:65ee/64 scope link
valid_lft forever preferred_lft forever
当容器重启时,pipework设置的IP会自动消失,需要重新设置。
docker 网络
- 查看网络
[root@localhost ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
0820873495c2 bridge bridge local
e6848a43d8bc host host local
a30716046083 none null local
- 创建网络
基础用法:docker network create 网络名称
创建网络时是可以添加一系列参数的:
--driver:驱动程序类型
--gateway:主子网的IPV4和IPV6的网关
--subnet:代表网段的CIDR格式的子网
mynet:自定义网络名称
例:docker network create --driver=bridge --gateway=192.168.137.1 --subnet=192.168.137.0/16 mynet
不指定任何选项的时候默认的--driver(网络模式)也是bridge(桥接)
[root@localhost ~]# docker network create --gateway=62.168.19.254 --subnet=62.168.19.0/24 gaw
01a8945f6c33d500b39159c14589a8ea9a861021700ce241cc49c7116cb43096
- 查看网络数据源
[root@localhost ~]# docker network inspect gaw
[
{
"Name": "gaw",
"Id": "01a8945f6c33d500b39159c14589a8ea9a861021700ce241cc49c7116cb43096",
"Created": "2024-04-18T18:55:51.040970677+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "62.168.19.0/24",
"Gateway": "62.168.19.254"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {},
"Labels": {}
}
]
- 将容器连接到指定网络
docker network connect 网络名称 容器名称
[root@localhost ~]# docker run -itd --name ipro-03 --privileged centos
ae57ab30e51b92275904fbb362c0e128fbfc085d2d025eef450be0a2542a6fd1
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ae57ab30e51b centos "/bin/bash" 6 seconds ago Up 6 seconds ipro-03
03d039573e36 centos "/bin/bash" 4 hours ago Up 4 hours ipro-02
8964c56df5b3 centos "/bin/bash" 5 hours ago Up 5 hours ipro-01
[root@localhost ~]# docker network connect gaw ipro-03
[root@localhost ~]# docker exec -it ipro-03 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
12: eth1@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:3e:a8:13:01 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 62.168.19.1/24 brd 62.168.19.255 scope global eth1
valid_lft forever preferred_lft forever
- 断开容器的网络
docker network disconnect 网络名称 容器名称
[root@localhost ~]# docker exec -it ipro-03 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
12: eth1@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:3e:a8:13:01 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 62.168.19.1/24 brd 62.168.19.255 scope global eth1
valid_lft forever preferred_lft forever
[root@localhost ~]# docker network disconnect gaw ipro-03
[root@localhost ~]# docker exec -it ipro-03 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
- 删除所有不在使用的网络
docker network prune
[root@localhost ~]# docker network prune
WARNING! This will remove all custom networks not used by at least one container.
Are you sure you want to continue? [y/N] y
Deleted Networks:
gaw
- 删除一个或多个网络
docker network rm 网络名称
创建自己的网络类型并指定网段
docker network create --subnet=172.18.0.0/26 mynetwork
镜像启动运行时指定自己的网络IP 命令
docker run -itd -p 5001:5001 --name 镜像名称 --net mynetwork --ip 172.18.0.2 --privileged=true --restart=always -d 镜像名称
-d:表示后台运行
--restart=always:表示自启动
--privileged=true:表示拥有更多的权限
--name 表示容器的命名
-p 宿主机端口和容器端口的映射
-v 宿主机目录和容器目录的映射
[root@localhost ~]# docker network create --subnet=62.168.19.0/24 gaw
9f50d939a1b780b678fc3022190287e862634246cc104a695eb55f57fb0047b6
[root@localhost ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
0820873495c2 bridge bridge local
9f50d939a1b7 gaw bridge local
e6848a43d8bc host host local
a30716046083 none null local
[root@localhost ~]# docker run -itd -p 9527:22 --name ipro-66 --net gaw --ip 62.168.19.66 --privileged=true --restart=always -d centos
344801313f71268897866398afa96a3aaf4a73463bb246eda6424e4e5a31281d
[root@localhost ~]# docker exec -it ipro-66 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
15: eth0@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:3e:a8:13:42 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 62.168.19.66/24 brd 62.168.19.255 scope global eth0
valid_lft forever preferred_lft forever
#重启容器之后,IP不变
[root@localhost ~]# docker stop ipro-66
ipro-66
[root@localhost ~]# docker start ipro-66
ipro-66
[root@localhost ~]# docker exec -it ipro-66 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
17: eth0@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:3e:a8:13:42 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 62.168.19.66/24 brd 62.168.19.255 scope global eth0
valid_lft forever preferred_lft forever
镜像启动运行时指定自己的网络IP
***********************mysql*******************************************
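# MySQL container on the custom network with a fixed IP and host-mounted
# data, log and config directories.
# The root password is single-quoted: left unquoted, a POSIX shell expands the
# "$1" inside master$1234, so with no positional parameter set the password
# silently becomes "master234" instead of the value written here.
# NOTE(review): a password passed with -e stays readable through `docker inspect`
# and shell history; the official mysql image also accepts
# MYSQL_ROOT_PASSWORD_FILE pointing at a mounted file.
# NOTE(review): --privileged=true is kept from the original command; nothing
# shown here appears to need it, so confirm and drop it.
docker run -itd -p 3306:3306 --name mysql \
  --net mynetwork --ip=172.18.0.2 \
  --privileged=true --restart=always \
  -v /d/docker_data/mysql8/mysql-files:/var/lib/mysql-files \
  -v /d/docker_data/mysql8/log:/var/log/mysql \
  -v /d/docker_data/mysql8/data:/var/lib/mysql \
  -v /d/docker_data/mysql8/conf:/etc/mysql/conf.d \
  -e MYSQL_ROOT_PASSWORD='master$1234' \
  -e TZ=Asia/Shanghai \
  -d mysql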
***********************redis*******************************************
# Redis container on the custom network with a fixed IP, started from the
# host-mounted redis.conf with append-only persistence switched on.
# NOTE(review): -p 6379:6379 publishes Redis on every host interface. Whether
# clients must authenticate depends on the mounted redis.conf, which is not
# shown here; confirm requirepass/ACLs are set, or publish the port as
# 127.0.0.1:6379:6379 if only local access is needed.
# NOTE(review): --privileged=true does not appear to be needed by anything in
# this command; confirm and drop it.
docker run --name redis -p 6379:6379 --net mynetwork --ip=172.18.0.3 --privileged=true --restart=always -v /D/docker_data/redis/conf/redis.conf:/etc/redis/redis.conf -v /D/docker_data/redis/data:/data/ -d redis redis-server /etc/redis/redis.conf --appendonly yes
***********************jar*******************************************
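# Application (jar) container on the custom network with a fixed IP.
# docker treats everything after the image name as the command for the
# container, so the original trailing "--privileged=true --restart=always"
# never reached docker: no restart policy was set and both flags were handed
# to the application instead.
# --restart=always now sits before the image name so it takes effect.
# --privileged=true is left out: the container was never privileged as
# originally written, and a service publishing a single TCP port does not
# appear to need it (use --cap-add for a specific capability if one is required).
docker run -itd -p 48080:48080 \
  --net mynetwork --ip=172.18.0.4 \
  --name=ly_crb --restart=always \
  ly_crb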
***********************nginx*******************************************
docker run -itd --name ng -p 80:80 --net mynetwork --ip=172.18.0.5 --privileged=true --restart=always nginx
docker cp dd51994c870d:/etc/nginx/nginx.conf d:\\docker_data\\nginx\\conf (拷贝文件)
docker run -itd --restart=always --privileged=true --name nginx -p 80:80 -p 443:443 --net=mynetwork --ip=172.18.0.5 -v /d/docker_data/nginx/cert:/etc/nginx/cert -v /d/docker_data/nginx/conf/nginx.conf:/etc/nginx/nginx.conf -v /d/docker_data/nginx/www:/usr/share/nginx/html -v /d/docker_data/nginx/log:/var/log/nginx nginx:latest
//********************nginx 配置********************************
server {
listen *:80;
server_name www.szcrb.com;
root /usr/share/nginx/html/ly_crb;
location / {
root /usr/share/nginx/html/ly_crb;
try_files $uri $uri/ @router;
index index.html;
}
location @router {
rewrite ^.*$ /index.html last;
}
}
*****************************************************************************************************************************************************************************************
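-d:表示后台运行
--restart=always:表示自启动
--privileged=true:表示拥有更多的权限(相当于取消容器与宿主机之间的大部分隔离,上面的 MySQL、Redis、Nginx 通常并不需要)
--name 表示容器的命名
-p 宿主机端口和容器端口的映射(默认绑定宿主机的所有网卡;只供本机访问的服务可写成 -p 127.0.0.1:3306:3306)
-v 宿主机目录和容器目录的映射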
###
run:运行
--restart=always:当docker重启时,该容器也会重新启动
-d redis:后台运行redis镜像
-p:映射端口号,容器内部和服务器内部关联
--appendonly yes:持久化
--name docker_redis:启动一个redis并设置docker容器名称为docker_redis
-v /root/redis/redis.conf:/etc/redis/redis.conf:将服务器中redis.conf文件映射到docker中
-v /root/redis/data:/data:同上
redis-server /etc/redis/redis.conf:以加载配置文件方式启动
docker资源限制
CPU资源
默认情况下容器可以使用的主机 CPU 资源是不受限制的。和内存资源的使用一样,如果不对容器可以使用的 CPU 资源进行限制,一旦发生容器内程序异常使用 CPU 的情况,很可能把整个主机的 CPU 资源耗尽,从而导致更大的灾难。
通过 --cpus 选项指定容器可以使用的 CPU 个数,并且还可以指定如 1.5 之类的小数。
docker run -itd --name=ipro-05 --cpus=1 --privileged centos
通过 --cpus 选项我们无法让容器始终在一个或某几个 CPU 上运行,但是通过 --cpuset-cpus 选项却可以做到!这是非常有意义的,因为现在的多核系统中每个核心都有自己的缓存,如果频繁的调度进程在不同的核心上执行势必会带来缓存失效等开销。
#docker run -d --cpuset-cpus 0-1
#docker run -d --cpuset-cpus 1,3
内存资源
通过 -m 参数限制内存大小
设置-m值为500Mb,表示容器程序使用内存受限。
如果指定 -m 内存限制时不添加 --memory-swap 选项,则表示容器中程序可以使用 500m内存和500m swap 内存。那么容器里程序可以跑到500m*2=1g后才会被oom给杀死。
# docker run -itd -m 500m --name ipro-06 centos
# docker stats ipro-06
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
cdcf3f1e8c29 ipro-06 0.00% 536KiB / 500MiB 0.10% 656B / 0B 0B / 0B 1
参数 --memory-swappiness=0 表示禁用容器 swap 功能。
docker run -itd -m 500m --memory-swappiness=0 --name=ipro-07 centos
指定限制内存大小并且设置 memory-swap 值为 -1
表示容器程序使用内存受限,而 swap 空间使用不受限制(宿主 swap 支持使用多少则容器即可使用多少。如果 --memory-swap 设置小于 --memory 则设置不生效,使用默认设置)。--memory-swap -1
docker run -itd -m 500m --memory-swap -1 --name=ipro-08 centos
指定限制内存大小并且设置 memory-swap 值
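指定限制内存大小500Mb并且设置 memory-swap 值400Mb当压测值是900Mb时,则容器中的进程会被直接 OOM kill。(注意:--memory-swap 的值是内存与 swap 的总量;下面的命令写的是 --memory-swap 600m,即 500m 内存加 100m swap,与这里的 400Mb/900Mb 并不一致。)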
docker run -itd -m 500m --memory-swap 600m --name=ipro-09 centos
参数 --oom-kill-disable ,加上之后则达到限制内存之后也不会被 kill
正常情况不添加 --oom-kill-disable 容器程序内存使用超过限制后则会直接 OOM kill,加上之后则达到限制内存之后也不会被 kill。注意:该选项只应与 -m 同时使用;未限制内存却关闭 OOM killer 时,容器可能耗尽宿主机内存。
docker run -itd -m 500m --oom-kill-disable --name=ipro-10 centos



