1. 版本信息
Docker-CE指Docker社区版,由社区维护和提供技术支持,为免费版本,适合个人开发人员和小团队使用。
Docker-EE指Docker企业版,为收费版本,由售后团队和技术团队提供技术支持,专为企业开发和IT团队而设计。
相比Docker-CE,Docker-EE增加了一些额外功能,更重要的是提供了更安全的保障。
此外,Docker的发布版本分为Stable版和Edge版,区别在于前者是按季度发布的稳定版(发布慢),后者是按月发布的边缘版(发布快)。
通常情况下,Docker-CE足以满足我们的需求。
一般生产环境比较常见的版本:17.03.X,17.06.X,18.06.X,19.03.X
2. Docker的安装
2.1 在线安装
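# Install Docker CE on Ubuntu from the Tsinghua (TUNA) mirror, pinned to 19.03.15.
# The signing key is still fetched from download.docker.com: the mirror only
# re-hosts the packages, and apt verifies their signatures against Docker's key.
sudo apt-get remove docker docker-engine docker.io
sudo apt-get install apt-transport-https ca-certificates curl gnupg2 software-properties-common
# Keep Docker's key in its own keyring and bind it to this one repository with
# signed-by. `apt-key add` is deprecated and puts the key in the global trusted
# keyring, where it could vouch for every configured repository.
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
  | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
# Compare the printed fingerprint with the one published in Docker's install
# documentation before continuing.
gpg --show-keys --with-fingerprint /etc/apt/keyrings/docker.gpg
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu $(lsb_release -cs) stable" \
  | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
# List the available versions, then install the engine and CLI pinned to the
# same release so the two cannot drift apart.
sudo apt-cache madison docker-ce docker-ce-cli
sudo apt-get install docker-ce=5:19.03.15~3-0~ubuntu-bionic docker-ce-cli=5:19.03.15~3-0~ubuntu-bionic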
2.2 离线安装
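# Offline install of Docker 19.03.15 from the static binary tarball; run as root.
# Check the archive's SHA256 against the value published next to the download
# before extracting, so a tampered archive is not copied straight into /usr/bin.
sha256sum docker-19.03.15.tgz   # compare with <published sha256 of docker-19.03.15.tgz>
tar xvf docker-19.03.15.tgz
# install (rather than cp) sets owner root and mode 0755 explicitly on every binary.
install -m 0755 -o root -g root docker/* /usr/bin/
cp containerd.service /lib/systemd/system/containerd.service
cp docker.service /lib/systemd/system/docker.service
cp docker.socket /lib/systemd/system/docker.socket
# docker.socket sets SocketGroup=docker, so the group must exist before the
# socket unit starts. Membership grants root-equivalent access to the host
# through the API socket; add only accounts that need it.
groupadd -r docker
groupadd -r test
useradd -r -m -g test test
# A second `useradd` for an existing account fails; usermod -aG appends the
# supplementary group without dropping the ones the user already has.
usermod -aG docker test
# The unit files were just copied in, so systemd has to re-read them first.
systemctl daemon-reload
# docker.service has Requires=docker.socket, so bring the socket up before it.
systemctl enable containerd.service && systemctl restart containerd.service
systemctl enable docker.socket && systemctl restart docker.socket
systemctl enable docker.service && systemctl restart docker.service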
~# vim containerd.service
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target
[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/bin/containerd
Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=1048576
# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999
[Install]
WantedBy=multi-user.target
~# vim docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
BindsTo=containerd.service
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3
# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
[Install]
WantedBy=multi-user.target
~# vim docker.socket
[Unit]
Description=Docker Socket for the API
PartOf=docker.service
[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker
[Install]
WantedBy=sockets.target
2.3 基础配置优化
root@ubuntu:~# vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://hcepoa2b.mirror.aliyuncs.com"],
"storage-driver": "overlay2",
"data-root": "/data/docker"
}
root@ubuntu:~# systemctl daemon-reload
root@ubuntu:~# systemctl restart docker
3. 存储引擎
- AUFS(AnotherUnionFS):是一种UnionFS,是文件级的存储驱动。是把不同物理位置的目录合并挂载到一个目录下。即支持将不同目录挂载到同一个虚拟文件系统下的文件系统。该文件系统可以一层一层叠加修改文件,无论底下有多少层都是只读的,只有最上层的文件系统是可写的。当需要修改一个文件时,AUFS创建该文件的一个副本,使用CoW将文件从只读层复制到可写层进行修改,结果也保存在可写层。在Docker中,底下的只读层就是image,可写层就是Container,是Docker 18.06及更早版本的首选存储驱动程序,在内核3.13上运行Ubuntu 14.04时不支持overlay2。
- Overlay:是一种UnionFS,Linux 内核3.18后支持
- Overlay2:Docker官方首选存储引擎,所有Linux发行版均推荐使用的存储类型。如果docker 数据目录是一块单盘且是xfs格式的,需要在格式化的时候加上-n ftype=1,否则后期会在启动容器时报不支持d-type
- Devicemapper:是CentOS和RHEL推荐的存储驱动。是不支持Overlay2时的一种临时解决方案。
- ZFS/btrfs:没有广泛使用
- VFS:只适用于测试环境,适用于无法使用Copy-On-Write 文件系统的情况,此存储引擎性能很差,不建议用于生产
4. Docker镜像和基本命令
#下载镜像
root@ubuntu:~# docker pull nginx:1.18.0-alpine #要用哪个镜像版本,去docker的官网找
#镜像的命名方式
域名(不写默认)/镜像仓库(不写默认)/镜像名称:tag
如:harbor.test.net/tes1/java-app1:gittag-date_time
#保存镜像(先下载,再保存),用于内网无法下载特定镜像时的部署等
root@ubuntu:~# docker save docker.io/library/mysql:5.6.51 -o mysql-5.6.51-image.tar.gz
#导入镜像
root@ubuntu:~# docker load -i mysql-5.6.51-image.tar.gz
root@ubuntu:~# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
mysql 5.6.51 7f8929383df0 2 weeks ago 303MB
#删除镜像
root@ubuntu:~# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
mysql 5.6.51 7f8929383df0 2 weeks ago 303MB
root@ubuntu:~# docker rmi 7f8929383df0
#修改tag
root@ubuntu:~# docker tag nginx:1.18.0-alpine test-nginx:1.18.0-alpine-v2
#运行容器
root@ubuntu:~# docker run -it --rm -d --name test-container1 -p 9800:80/tcp -p 8443:443/tcp test-nginx:1.18.0-alpine-v2 #--rm 容器退出自动删除 -d 后台运行
root@ubuntu:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 1 packets, 64 bytes)
pkts bytes target prot opt in out source destination
2 124 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 1 packets, 64 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:80
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9800 to:172.17.0.2:80
root@ubuntu:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b80df22af1df test-nginx:1.18.0-alpine-v2 "/docker-entrypoint.…" 26 minutes ago Up 26 minutes 0.0.0.0:9800->80/tcp test-container1
#进入容器
root@ubuntu:~# docker exec -it b80df22af1df sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
/ #
#批量关闭运行的容器
root@ubuntu:~# docker stop $(docker ps -a -q)
#批量运行容器
root@ubuntu:~# docker start $(docker ps -a -q)
#批量删除已经退出的容器
root@ubuntu:~# docker rm $(docker ps -aq -f status=exited)
#删除所有容器,包括正在运行的
root@ubuntu:~# docker rm -f $(docker ps -a -q)