Docker Beginner Tutorial and IntelliJ IDEA Integrated Deployment

Docker installation requirements

1. The CentOS kernel version must be higher than 3.10
2. Update the installed packages. Command: yum update

Installation

1. Install command: yum install docker

Common commands

1. Start Docker: systemctl start docker
2. Stop Docker: systemctl stop docker
3. Restart Docker: systemctl restart docker
4. Enable the Docker service at boot: systemctl enable docker

Image commands

1. Search: docker search <keyword>, for example: docker search redis
2. Pull (download): docker pull image-name:tag
3. List: docker images shows the local images
4. Delete: docker rmi image-id deletes the specified local image

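Container commands

1. Run: docker run --name <custom container name> -d image-name
For example: docker run --name myredis -d redis:5.0
--name: custom container name
-d: run in the background
image-name: the image name and tag to use
2. List: docker ps shows the running containers
Add -a to show all containers
3. Stop: docker stop <container name or id> stops a running container
4. Start: docker start <container name or id> starts a container
5. Delete: docker rm <container name or id> deletes the specified container
6. Port mapping: -p <published host port>:<port the software listens on>, for example: -p 6379:6379
7. Container logs: docker logs <container name or id>, for example: docker logs tomcat is the equivalent of tail -f catalina.out for Tomcat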

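Docker registry mirrors (image accelerators)

vim /etc/docker/daemon.json
Add the following to the Docker configuration file /etc/docker/daemon.json. Because a mirror service can go down, it is best to configure several mirrors at once.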

{
  "registry-mirrors": [
    "https://registry.docker-cn.com",
    "https://reg-mirror.qiniu.com"
  ]
}

sudo systemctl daemon-reload
sudo systemctl restart docker
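The Alibaba Cloud accelerator is recommended
Log in to Alibaba Cloud - Console - Container Registry - Image Accelerator
Please note: do not use my address; log in to Alibaba Cloud and get your own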

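Building custom images with a Dockerfile

Common instructions

1. FROM
Specifies the base image
FROM <image>:tag
2. MAINTAINER
Provides author information
Usage:
MAINTAINER "springwind@qq.com"
3. ENV
Sets environment variables for the container
4. USER
Switches the user the container runs as
5. WORKDIR
Switches the working directory
6. VOLUME
Holds databases and other data that must be kept
7. COPY
Copies files from the host into the image
8. ADD: copy
9. EXPOSE
Opens the port the container listens on, for communication with the outside
For example: EXPOSE 80/tcp
10. RUN
Executes a command
For example: RUN ["executable", "param1", "param2"]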

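Writing a Dockerfile to deploy a Spring Boot project

FROM java:8
VOLUME /tmp
ADD <your-jar>.jar <renamed>.jar
EXPOSE 8080
ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","<renamed>.jar"]

VOLUME /tmp creates the /tmp directory and persists it in Docker's data folder, because the embedded Tomcat that Spring Boot uses takes /tmp as its working directory by default
ENTRYPOINT: the java.security.egd option is there to shorten Tomcat startup time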

Building the custom image

docker build -t image-name .

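Common software setups

I. redis

docker run -d --name redis-server -p 6379:6379 redis --requirepass "redis123"
--name redis-server: sets the container name
-p 6379:6379: port mapping
--requirepass "redis123": sets the Redis connection password

2. Enable persistence and mount directories
docker run -d --name redis-server -p 6379:6379 -v /usr/redis/redis.conf:/etc/redis/redis.conf -v /usr/redis/data/:/data redis:latest /etc/redis/redis.conf --appendonly yes --requirepass "redis123"
Create the folder /usr/redis, copy the redis.conf configuration file into it, and create a data folder to hold the Redis persistence data
-v mounts a path; here the redis.conf file and the data folder are both mounted
/etc/redis/redis.conf is the key setting: it makes Redis start with the specified configuration file instead of starting with no configuration
--appendonly yes enables data persistence once Redis has started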

docker run -d --name redis-server -p 6379:6379 redis:5.0 --requirepass "123456" --appendonly yes
docker run -d --privileged=true -p 6379:6379 --restart always -v /root/redis/redis.conf:/etc/redis/redis.conf -v /root/redis/data:/data --name redis redis:latest redis-server /etc/redis/redis.conf --appendonly yes

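Note:
In the redis.conf file being mounted, change daemonize yes back to no
Explanation:

-d                                                  -> start the container as a daemon
-p 6379:6379                                        -> bind the host port
--name myredis                                      -> set the container name
--restart always                                    -> start at boot
--privileged=true                                   -> raise the privileges inside the container
-v /root/docker/redis/conf:/etc/redis/redis.conf    -> map the configuration file
-v /root/docker/redis/data:/data                    -> map the data directory
--appendonly yes                                    -> enable data persistence

Finally, run this command to check that it worked:

ps -ef|grep redis

3. Enter the container
docker exec -it <container id> redis-cli
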
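II. mysql

1. Directory mapping is usually not needed
sudo docker run -p 3306:3306 --name mysql -e MYSQL_ROOT_PASSWORD=123456 -d mysql:5.7
--name: container name, here mysql
-e: configuration; here it sets the login password of the MySQL root user
-p: port mapping; here host port 3306 is mapped to container port 3306
-d: run in the background; the source image here is mysql:5.7
2. Directory mapping
sudo docker run -p 3306:3306 --name mysql \
-v /usr/local/docker/mysql/conf:/etc/mysql \
-v /usr/local/docker/mysql/logs:/var/log/mysql \
-v /usr/local/docker/mysql/data:/var/lib/mysql \
-e MYSQL_ROOT_PASSWORD=123456 \
-d mysql:5.7
-v: maps a host directory to a container directory; the host directory comes before the ":" and the container directory after it
3. Check that the container is running correctly
docker container ls
This shows the container ID, source image, start command, creation time, status, port mappings and container name
4. Enter the MySQL client
sudo docker exec -it mysql bash
mysql -uroot -p123456

Tested in practice:

sudo docker run --privileged=true --restart always -p 3366:3306 --name mysql3366 -v /root/mysql/conf/my.cnf:/etc/mysql/mysql.conf.d/mysqld.cnf -v /root/mysql/logs:/logs -v /root/mysql/data:/var/lib/mysql -e MYSQL_ROOT_PASSWORD=123456 -d mysql:5.6
--privileged=true  raises the container's privileges
--restart always  start automatically at boot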
 -v /root/mysql/conf/my.cnf:/etc/mysql/mysql.conf.d/mysqld.cnf   
 -v /root/mysql/logs:/logs -v /root/mysql/data:/var/lib/mysql 
 -e MYSQL_ROOT_PASSWORD=123456 
 -d mysql:5.6
The my.cnf file
# MySQL programs look for option files in a set of
# locations which depend on the deployment platform.
# You can copy this option file to one of those
# locations. For information about these locations, see:
# http://dev.mysql.com/doc/mysql/en/option-files.html
#
# In this file, you can use all long options that a program supports.
# If you want to know which options a program supports, run the program
# with the "--help" option.

# The following options will be passed to all MySQL clients
[client]
#password	= your_password
# The mapped port must match
port		= 3366
# /root/mysql is where your MySQL is stored
socket		= /root/mysql/mysql.sock

# Here follows entries for some specific programs

# The MySQL server
[mysqld]
local-infile=0
symbolic-links=0
# /root/mysql is where your MySQL is stored
basedir = /root/mysql
datadir = /root/mysql/data
# The mapped port must match
port		= 3366
socket		= /root/mysql/mysql.sock
# error.log and mysql.pid must both be created by you
log-err = /root/mysql/data/error.log
pid-file = /root/mysql/data/mysql.pid
skip-external-locking
key_buffer_size = 16M
max_allowed_packet = 1M
table_open_cache = 64
sort_buffer_size = 512K
net_buffer_length = 8K
read_buffer_size = 256K
read_rnd_buffer_size = 512K
myisam_sort_buffer_size = 8M


# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (via the "enable-named-pipe" option) will render mysqld useless!
# 
#skip-networking

# Replication Master Server (default)
# binary logging is required for replication
#log-bin=mysql-bin

# binary logging format - mixed recommended
binlog_format=mixed

# required unique id between 1 and 2^32 - 1
# defaults to 1 if master-host is not set
# but will not function as a master if omitted
server-id	= 1

# Replication Slave (comment out master section to use this)
#
# To configure this host as a replication slave, you can choose between
# two methods :
#
# 1) Use the CHANGE MASTER TO command (fully described in our manual) -
#    the syntax is:
#
#    CHANGE MASTER TO MASTER_HOST=<host>, MASTER_PORT=<port>,
#    MASTER_USER=<user>, MASTER_PASSWORD=<password> ;
#
#    where you replace <host>, <user>, <password> by quoted strings and
#    <port> by the master's port number (3306 by default).
#
#    Example:
#
#    CHANGE MASTER TO MASTER_HOST='125.564.12.1', MASTER_PORT=3306,
#    MASTER_USER='joe', MASTER_PASSWORD='secret';
#
# OR
#
# 2) Set the variables below. However, in case you choose this method, then
#    start replication for the first time (even unsuccessfully, for example
#    if you mistyped the password in master-password and the slave fails to
#    connect), the slave will create a master.info file, and any later
#    change in this file to the variables' values below will be ignored and
#    overridden by the content of the master.info file, unless you shutdown
#    the slave server, delete master.info and restart the slaver server.
#    For that reason, you may want to leave the lines below untouched
#    (commented) and instead use CHANGE MASTER TO (see above)
#
# required unique id between 2 and 2^32 - 1
# (and different from the master)
# defaults to 2 if master-host is set
# but will not function as a slave if omitted
#server-id       = 2
#
# The replication master for this slave - required
#master-host     =   <hostname>
#
# The username the slave will use for authentication when connecting
# to the master - required
#master-user     =   <username>
#
# The password the slave will authenticate with when connecting to
# the master - required
#master-password =   <password>
#
# The port the master is listening on.
# optional - defaults to 3306
#master-port     =  <port>
#
# binary logging - not required for slaves, but recommended
#log-bin=mysql-bin

# Uncomment the following if you are using InnoDB tables
#innodb_data_home_dir = /usr/local/mysql/data
#innodb_data_file_path = ibdata1:10M:autoextend
#innodb_log_group_home_dir = /usr/local/mysql/data
# You can set .._buffer_pool_size up to 50 - 80 %
# of RAM but beware of setting memory usage too high
#innodb_buffer_pool_size = 16M
#innodb_additional_mem_pool_size = 2M
# Set .._log_file_size to 25 % of buffer pool size
#innodb_log_file_size = 5M
#innodb_log_buffer_size = 8M
#innodb_flush_log_at_trx_commit = 1
#innodb_lock_wait_timeout = 50

[mysqldump]
quick
max_allowed_packet = 16M

[mysql]
no-auto-rehash
# Remove the next comment character if you are not familiar with SQL
#safe-updates

[myisamchk]
key_buffer_size = 20M
sort_buffer_size = 20M
read_buffer = 2M
write_buffer = 2M

[mysqlhotcopy]
interactive-timeout


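III. Running a war package in Tomcat

Enter the Tomcat container
docker exec -it <container id> /bin/bash
--restart=always means the container starts at boot; as long as Docker itself is also enabled at boot and the Docker daemon stays up, the container comes back
1. One way is to put the project into webapps
docker cp <path to xxx.war> <container ID>:/<destination directory>
2. The other is directory mapping
Create a directory mapping
Create the folder /usr/local/dev/docker-tomcat
docker run -d -p 8088:8080 --name tomcat -v /usr/local/dev/docker-tomcat:/usr/local/tomcat/webapps --restart=always tomcat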

IV. nginx

docker run --restart=always --privileged=true  --name nginx -d -p 80:80 -v /root/nginx/conf/nginx.conf:/etc/nginx/nginx.conf -v /root/nginx/html:/usr/share/nginx/html:rw -v /root/nginx/logs:/var/log/nginx nginx:latest
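
An added example, not part of the original post: a small POSIX shell check that flags the options in the docker run commands above that widen exposure (--privileged, ports published on every host interface, passwords on the command line, :latest tags). The function name and finding codes are made up for this sketch; MYSQL_ROOT_PASSWORD_FILE is the official mysql image's file-based alternative to MYSQL_ROOT_PASSWORD, and the secret file path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Finding names are chosen here.
lint_docker_run() (
  set -f                       # split the line on whitespace without globbing
  prev=""
  for tok in $1; do
    tok=$(printf '%s' "$tok" | tr -d "\"'")    # drop simple quoting
    case "$tok" in
      --privileged|--privileged=true)
        echo "PRIVILEGED" ;;       # all capabilities plus host device access
      *_PASSWORD=*)
        echo "SECRET_IN_ENV" ;;    # readable via docker inspect and shell history
      *:latest)
        echo "UNPINNED_IMAGE" ;;   # the tag can point to a different image later
    esac
    # The token after --requirepass is a password typed on the command line.
    [ "$prev" = "--requirepass" ] && echo "SECRET_IN_ARGS"
    if [ "$prev" = "-p" ] || [ "$prev" = "--publish" ]; then
      colons=$(printf '%s' "$tok" | tr -cd ':')
      # hostPort:containerPort (fewer than two colons) binds every interface.
      case "$tok" in
        0.0.0.0:*) echo "PUBLISHED_ALL_INTERFACES $tok" ;;
        *) [ "${#colons}" -lt 2 ] && echo "PUBLISHED_ALL_INTERFACES $tok" ;;
      esac
    fi
    prev=$tok
  done
  true
)

# Constructed input: one command as written on this page, one tightened form
# (loopback-only publish, root password read from a read-only mounted file).
as_written='docker run -p 3306:3306 --name mysql -e MYSQL_ROOT_PASSWORD=123456 -d mysql:5.7'
tightened='docker run -p 127.0.0.1:3306:3306 --name mysql -e MYSQL_ROOT_PASSWORD_FILE=/run/secrets/root_pw -v /root/mysql/root_pw:/run/secrets/root_pw:ro -d mysql:5.7'
for line in "$as_written" "$tightened"; do
  printf '%s\n' "$line"
  lint_docker_run "$line" | sed 's/^/  -> /'
done
```
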

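One-click Docker deployment from IDEA

After installation, open up remote access to Docker:
Run: vi /usr/lib/systemd/system/docker.service
Change ExecStart to: /usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
In this form the API on port 2375 is reachable without authentication or encryption; the TLS section at the end of this page adds certificate verification to the listener.

Run: systemctl daemon-reload
Run: systemctl restart docker
Run: netstat -nlpt
Next, configure IDEA:

File -> Settings -> Plugins -> Browse repositories -> search for docker -> select Docker integration -> click Install at the bottom right, then restart IDEA when it finishes.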

pom.xml

<properties>
	<docker.image.prefix>springwind</docker.image.prefix>
</properties>
<build>
    <finalName>${project.artifactId}</finalName>
    <plugins>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
            <configuration>
                <fork>true</fork>
            </configuration>
        </plugin>
        <!-- Skip unit tests -->
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-surefire-plugin</artifactId>
            <configuration>
                <skipTests>true</skipTests>
            </configuration>
        </plugin>
        <!-- Use the docker-maven-plugin plugin -->
        <plugin>
            <groupId>com.spotify</groupId>
            <artifactId>docker-maven-plugin</artifactId>
            <version>1.0.0</version>
            <!-- Bind the plugin to a phase -->
            <executions>
                <execution>
                    <id>build-image</id>
                    <!-- Running mvn package automatically runs mvn docker:build -->
                    <phase>package</phase>
                    <goals>
                        <goal>build</goal>
                    </goals>
                </execution>
                <execution>
                    <id>tag-image</id>
                    <!-- Running mvn package also tags the image -->
                    <phase>package</phase>
                    <goals>
                        <goal>tag</goal>
                    </goals>
                </execution>
            </executions>
            <configuration>
                <!-- Name of the generated image -->
                <imageName>${docker.image.prefix}/${project.artifactId}</imageName>
                <!-- Tags -->
                <imageTags>
                    <imageTag>latest</imageTag>
                </imageTags>
                <!-- Base image, JDK 1.8 -->
                <baseImage>java</baseImage>
                <!-- Maintainer's contact information -->
                <maintainer>springwind@qq.com</maintainer>
                <!-- Switch to the /ROOT directory -->
                <workdir>/ROOT</workdir>
                <cmd>["java","-version"]</cmd>
                <entryPoint>["java","-jar","${project.build.finalName}.jar"]</entryPoint>
                <!-- Path to the Dockerfile -->
                <dockerDirectory>${project.basedir}/src/main/docker</dockerDirectory>
                <!-- Address of the remote Docker API -->
                <dockerHost>https://47.99.64.181:2375</dockerHost>
                <!-- Copies the jar into the specified directory of the Docker container -->
                <resources>
                    <resource>
                        <targetPath>/</targetPath>
                        <!-- Path that holds the jar; this corresponds to the target directory -->
                        <directory>${project.build.directory}</directory>
                        <!-- The jar to include; this corresponds to the file name added in the Dockerfile -->
                        <include>${project.build.finalName}.jar</include>
                    </resource>
                </resources>
            </configuration>
        </plugin>
    </plugins>
</build>

Building the image into Docker when packaging

1. You can use the command
mvn clean package docker:build
2. Or click package in the Maven panel, which runs it

<executions>
    <execution>
        <id>build-image</id>
        <!-- Running mvn package automatically runs mvn docker:build -->
        <phase>package</phase>
        <goals>
            <goal>build</goal>
        </goals>
    </execution>
</executions>

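Docker encryption

Create a directory to hold the public and private keys

mkdir -p /usr/local/ca
cd /usr/local/ca

1. Generate the public and private keys

openssl genrsa -aes256 -out ca-key.pem 4096

Then enter the passphrase twice.

2. Enter, in order, the passphrase, country, province, city, organization name, email and so on
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
3. Create a server key and a certificate signing request; make sure the Common Name matches the hostname you use to connect to Docker
openssl genrsa -out server-key.pem 4096
4. Have the CA sign the public key
Replace $HOST with your own server's public IP or domain name

openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

5. Configure the whitelist
First allow the specified IPs to connect to Docker on the server; several IPs can be listed, separated by commas.
Because the connection uses SSL, configuring 0.0.0.0 is recommended (meaning every IP can connect, but a connection only succeeds with a certificate)
$HOST: replace with your own server's public IP or domain name

echo subjectAltName = IP:$HOST,IP:0.0.0.0 >> extfile.cnf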

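6. Run the command
Set the extended key usage attribute of the Docker daemon key so that it is used for server authentication

echo extendedKeyUsage = serverAuth >> extfile.cnf

7. Generate the signed certificate

openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf

This prompts for the passphrase set at the beginning
8. Generate the client key.pem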

openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr

9. Make the key suitable for client authentication
Create the extension configuration file

echo extendedKeyUsage = clientAuth >> extfile-client.cnf

10. Generate the signed certificate

openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf

This prompts for the passphrase set at the beginning
11. Delete the files that are no longer needed: the two certificate signing requests

rm -v client.csr server.csr extfile.cnf extfile-client.cnf

12. Optionally change the permissions

chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem

13. Collect the server certificates

cp server-*.pem /etc/docker/
cp ca.pem /etc/docker/

14. Change the Docker configuration
Make the Docker daemon accept connections only from clients that present a certificate trusted by the CA

vim /lib/systemd/system/docker.service
Replace
ExecStart=/usr/bin/dockerd
with:
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/usr/local/ca/ca.pem --tlscert=/usr/local/ca/server-cert.pem --tlskey=/usr/local/ca/server-key.pem -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

15. Reload the daemon and restart Docker
systemctl daemon-reload
systemctl restart docker
16. Open port 2375
/sbin/iptables -I INPUT -p tcp --dport 2375 -j ACCEPT
17. Restart Docker
systemctl restart docker
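
An added example, not part of the original post: a POSIX shell check that classifies a dockerd ExecStart line by how its TCP API is protected, covering both the plain -H tcp://0.0.0.0:2375 form from the IDEA section and the --tlsverify form from step 14. The function name and verdict strings are made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the original post. Verdict strings are chosen here.
# Exit status is 0 when the API is local-only or requires client certificates.
audit_dockerd_execstart() (
  set -f                        # split on whitespace without globbing
  tcp=""; verify=0; tls=0
  for tok in $1; do
    case "$tok" in
      tcp://*)                      tcp=$tok ;;          # value after -H
      -H=tcp://*|--host=tcp://*)    tcp=${tok#*=} ;;
      --tlsverify|--tlsverify=true) verify=1 ;;
      --tls|--tls=true)             tls=1 ;;
    esac
  done
  if [ -z "$tcp" ]; then
    echo "local-socket-only"              # only unix:// or fd:// listeners
  elif [ "$verify" -eq 1 ]; then
    echo "tcp-mutual-tls $tcp"            # clients must present a CA-signed cert
  elif [ "$tls" -eq 1 ]; then
    echo "tcp-tls-no-client-auth $tcp"    # encrypted, but any client may connect
    exit 1
  else
    echo "tcp-unauthenticated $tcp"       # plain HTTP API, no authentication
    exit 1
  fi
)

# Constructed input: the two ExecStart lines this page configures.
plain='ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock'
mtls='ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/usr/local/ca/ca.pem --tlscert=/usr/local/ca/server-cert.pem --tlskey=/usr/local/ca/server-key.pem -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock'
for line in "$plain" "$mtls"; do
  audit_dockerd_execstart "$line" || echo "  -> tighten this listener"
done
```

On a real host the line to pass in comes from the unit file edited in step 14, for example the output of grep '^ExecStart=' on that file.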
