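1. Layered structure of images
- Containers share the host's kernel;
- The base image provides a minimal Linux distribution;
- A single Docker host can run several Linux distributions;
- The biggest benefit of the layered structure is resource sharing;
- Copy-on-Write: the writable container layer is comparable to a virtual machine snapshot;
- All image layers below the container layer are read-only;
- Docker looks up files layer by layer, from top to bottom;
- The container layer stores only what has changed relative to the image and never modifies the image itself;
- An image can have at most 127 layers;
2. Building images
1). docker commit: the three steps to build a new image
Run a container
Modify the container
Save the container as a new image
Drawbacks: inefficient, poorly repeatable, error-prone;
users cannot audit the image, which is a security risk.
2). Building an image
[root@node11 ~]# docker pull busybox  # pull the busybox image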
Using default tag: latest
latest: Pulling from library/busybox
50783e0dfb64: Pull complete
Digest: sha256:ef320ff10026a50cf5f0213d35537ce0041ac1d96e9b7800bafd8bc9eff6c693
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest
[root@node11 ~]# docker images  # list all images
REPOSITORY TAG IMAGE ID CREATED SIZE
yakexi007/game2048 latest 19299002fdbe 5 years ago 55.5MB
[root@node11 ~]# docker history busybox:latest  # show the image build history: one layer is the official base content, one layer is the shell
IMAGE CREATED CREATED BY SIZE COMMENT
7a80323521cc 3 weeks ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 3 weeks ago /bin/sh -c #(nop) ADD file:03ed8a1a0e4c80308… 1.24MB
[root@node11 ~]# docker inspect yakexi007/game2048:latest  # show the image details
[root@node11 ~]# docker run -it --name demo busybox  # start a container in interactive mode
/ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
/ # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.17.0.1 0.0.0.0 UG 0 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
/ #
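Press Ctrl+D to exit; exiting this way stops the container. Press Ctrl+P then Ctrl+Q to detach and leave it running in the background;
[root@node11 ~]# yum install -y bridge-utils  # install the bridge-utils package
[root@node11 ~]# docker ps  # list running containers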
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@node11 ~]# docker ps -a  # list all containers, whether running or already exited
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
eb73a3553cde busybox "sh" 4 minutes ago Exited (0) 3 minutes ago demo
[root@node11 ~]# docker start demo  # once started, the container shows up in docker ps
[root@node11 ~]# docker attach demo  # attach to the demo container again
/ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
/ # ip addrread escape sequence
Press Ctrl+P then Ctrl+Q to detach and leave it running in the background;
[root@node11 ~]# docker rm demo  # remove the container
demo
[root@node11 ~]# docker run -it --rm busybox  # with --rm the container is removed as soon as it exits
/ # touch file
/ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
/ #
[root@node11 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@node11 ~]# docker run -it --name vm1 busybox  # create the container vm1
/ # touch 1
/ # touch 2
/ # touch 3
/ # ls
1 2 3 bin dev etc home proc root sys tmp usr var
/ #
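[root@node11 ~]# docker rm vm1  # removing the container at this point also deletes files 1, 2 and 3 created above, because they were created inside the container
[root@node11 ~]# docker commit -m "add file" vm1 demo:v1  # save the data created in the container as the new image demo:v1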
sha256:553b3449dbcd77a00da11f31f3417b3420d64e4d8d2f6695d0d7c293926b4a98
[root@node11 ~]# docker images  # list images
REPOSITORY TAG IMAGE ID CREATED SIZE
demo v1 553b3449dbcd 14 seconds ago 1.24MB
busybox latest 7a80323521cc 3 weeks ago 1.24MB
yakexi007/game2048 latest 19299002fdbe 5 years ago 55.5MB
[root@node11 ~]# docker history busybox:latest
IMAGE CREATED CREATED BY SIZE COMMENT
7a80323521cc 3 weeks ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 3 weeks ago /bin/sh -c #(nop) ADD file:03ed8a1a0e4c80308… 1.24MB
[root@node11 ~]# docker history demo:v1
IMAGE CREATED CREATED BY SIZE COMMENT
553b3449dbcd 2 minutes ago sh 48B add file
7a80323521cc 3 weeks ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 3 weeks ago /bin/sh -c #(nop) ADD file:03ed8a1a0e4c80308… 1.24MB
[root@node11 ~]# docker run -it --rm busybox
/ # ls
bin dev etc home proc root sys tmp usr var
/ #
[root@node11 ~]# docker run -it --rm demo:v1  # the image contains the data created earlier
/ # ls
bin dev etc file home proc root sys tmp usr var
/ #
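The audit gap noted for docker commit is visible in the history listings above: the committed layer of demo:v1 records only the container's command (sh), not the steps that changed the filesystem. The following is an added example, not part of the original page, that flags such layers. It assumes tab-separated input as produced by `docker history --no-trunc --format '{{.ID}}\t{{.CreatedBy}}\t{{.Comment}}' IMAGE`; the function names are hypothetical and the sample rows are constructed from the listings above.

```shell
#!/bin/sh
# Added example: flag image layers that carry no Dockerfile build step.
# Input rows (assumed format): ID<TAB>CreatedBy<TAB>Comment

flag_unaudited_layers() {
    awk -F '\t' '
        # Classic builder: "/bin/sh -c <cmd>" or "/bin/sh -c #(nop) <INSTRUCTION>"
        $2 ~ /^\/bin\/sh -c / { next }
        # BuildKit: the recorded step ends in "# buildkit"
        $2 ~ /# buildkit$/ { next }
        # Anything else (for example the bare "sh" left by docker commit)
        # gives no recipe to review; heuristic, other build tools are flagged too.
        { printf "%s\t%s\t%s\n", $1, $2, $3 }
    '
}

# Succeeds only when every layer on stdin has a recorded build step.
history_is_auditable() {
    [ -z "$(flag_unaudited_layers)" ]
}

# Constructed sample: the "docker history demo:v1" rows shown above.
sample_history() {
    printf '553b3449dbcd\tsh\tadd file\n'
    printf '7a80323521cc\t/bin/sh -c #(nop) CMD ["sh"]\t\n'
    printf '<missing>\t/bin/sh -c #(nop) ADD file:03ed8a1a0e4c80308…\t\n'
}

# Demo run on the constructed sample; prints the committed layer only.
sample_history | flag_unaudited_layers
```

A flagged layer means its content has to be established some other way, for example by diffing the layer against its parent.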
3. Dockerfile
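Common Dockerfile instructions:
1) FROM
Specifies the base image; if it is not present locally, it is downloaded from the remote registry.
Creating the Dockerfile
Create an empty directory, then create the Dockerfile inside it;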
[root@node11 ~]# mkdir docker
[root@node11 ~]# cd docker/
[root@node11 docker]# ls
[root@node11 docker]# vim Dockerfile
FROM busybox
RUN echo hello world > /file
[root@node11 docker]# docker build -t demo:v2 .  # build the image
Sending build context to Docker daemon 2.048kB
Step 1/2 : FROM busybox
---> 7a80323521cc
Step 2/2 : RUN echo hello world > /file
---> Running in 6dc22015a2fb
Removing intermediate container 6dc22015a2fb
---> e20850cd1172
Successfully built e20850cd1172
Successfully tagged demo:v2
MAINTAINER
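Sets the image author, for example the user's e-mail address.
2) COPY
Copies files from the build context into the image.
Two forms are supported: COPY src dest and COPY ["src", "dest"]
COPY: the source is relative to the current directory (the build context); it cannot be given as the root directory.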
[root@node11 docker]# echo www.westos.org > index.html
[root@node11 docker]# vim Dockerfile
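# Specify the base image; it is downloaded from the remote registry if not present locally
FROM busybox
RUN echo hello world > /file
RUN echo hello linux >> /file
# Copy the file from the build context into the image
COPY index.html /index.html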
[root@node11 docker]# docker build -t demo:v4 .
Sending build context to Docker daemon 3.072kB
Step 1/4 : FROM busybox
---> 7a80323521cc
Step 2/4 : RUN echo hello world > /file
---> Using cache
---> e20850cd1172
Step 3/4 : RUN echo hello linux >> /file
---> Using cache
---> c26784fd2867
Step 4/4 : COPY index.html /index.html
---> Using cache
---> 5873b8b4adc6
Successfully built 5873b8b4adc6
Successfully tagged demo:v4
[root@node11 docker]# docker run -it --rm demo:v4  # run a container from the built image
/ # ls
bin etc home proc sys usr
dev file index.html root tmp var
/ # cat index.html
www.westos.org
/ #
[root@node11 docker]# docker history demo:v4  # an image built from a Dockerfile records every build step in detail
IMAGE CREATED CREATED BY SIZE COMMENT
5873b8b4adc6 About a minute ago /bin/sh -c #(nop) COPY file:89a58ee0b2565a73… 15B
c26784fd2867 About a minute ago /bin/sh -c echo hello linux >> /file 24B
e20850cd1172 11 minutes ago /bin/sh -c echo hello world > /file 12B
7a80323521cc 3 weeks ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 3 weeks ago /bin/sh -c #(nop) ADD file:03ed8a1a0e4c80308… 1.24MB
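src must be a file or directory inside the build context.
3) ADD
Used like COPY, except that src can be a compressed archive, which is automatically extracted into dest, and ADD can also download a URL and copy the result into the image (only local archives are extracted; a file fetched from a URL is copied as-is):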
[root@node11 docker]# vim Dockerfile
FROM busybox
RUN echo hello world > /file
RUN echo hello linux >> /file
COPY index.html /index.html
ADD nginx-1.22.0.tar.gz /
[root@node11 docker]# docker build -t demo:v5 .
Sending build context to Docker daemon 1.077MB
Step 1/5 : FROM busybox
---> 7a80323521cc
Step 2/5 : RUN echo hello world > /file
---> Using cache
---> e20850cd1172
Step 3/5 : RUN echo hello linux >> /file
---> Using cache
---> c26784fd2867
Step 4/5 : COPY index.html /index.html
---> Using cache
---> 5873b8b4adc6
Step 5/5 : ADD nginx-1.22.0.tar.gz /
---> f7b0dab596e5
Successfully built f7b0dab596e5
Successfully tagged demo:v5
[root@node11 docker]# docker run -it --rm demo:v5
/ # ls
bin etc home nginx-1.22.0 root tmp var
dev file index.html proc sys usr
/ # cd nginx-1.22.0/
/nginx-1.22.0 # ls  # ADD not only copies, it also extracts archives automatically
CHANGES LICENSE auto configure html src
CHANGES.ru README conf contrib man
/nginx-1.22.0 #
ADD html.tar /var/www
ADD http://ip/html.tar /var/www
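ADD's two extra behaviours are also where it differs from COPY in risk: a remote src is fetched at build time with no integrity check unless `--checksum=` is given, and a local archive is unpacked implicitly. The following is an added example, not part of the original page: a shell check that reports those ADD lines together with FROM lines that float on a tag instead of a digest. The function names and the report format are hypothetical, and the sample Dockerfile is constructed from lines used on this page.

```shell
#!/bin/sh
# Added example: report unpinned base images and implicit ADD behaviour.
# Only the shell form "ADD src dest" is parsed; the JSON form is not handled.

lint_dockerfile() {
    awk '
        { instr = toupper($1) }
        instr == "FROM" {
            i = 2
            while (i <= NF && $i ~ /^--/) i++       # skip flags such as --platform=
            img = $i
            # A reference to an earlier stage or to scratch needs no digest.
            if (img != "scratch" && !(img in stages) && img !~ /@sha256:[0-9a-f]+$/)
                printf "%d unpinned-base %s\n", NR, img
            if (toupper($(i + 1)) == "AS") stages[$(i + 2)] = 1
        }
        instr == "ADD" {
            src = ""; pinned = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^--checksum=/) pinned = 1
                if ($i !~ /^--/) { src = $i; break }
            }
            if (src ~ /^https?:\/\// && !pinned)
                printf "%d remote-add %s\n", NR, src      # fetched without verification
            else if (src ~ /\.(tar|tgz|tar\.(gz|bz2|xz))$/)
                printf "%d auto-extract %s\n", NR, src    # unpacked into dest
        }
    ' "$1"
}

# Constructed sample assembled from Dockerfile lines shown on this page.
sample_dockerfile() {
    cat <<'EOF'
FROM centos:7 as build
ADD nginx-1.22.0.tar.gz /mnt
ADD http://ip/html.tar /var/www
FROM build
COPY index.html /usr/local/nginx/html
EOF
}

# Demo run on the constructed sample.
df=$(mktemp)
sample_dockerfile > "$df"
lint_dockerfile "$df"
rm -f "$df"
```

Each report line is the Dockerfile line number, the finding, and the offending reference.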
4) ENV
Sets environment variables, which later instructions can use:
ENV HOSTNAME server1.example.com
5) EXPOSE
If the container runs an application service, the service port can be exposed:
EXPOSE 80
6) VOLUME
Declares a data volume, usually the mount point of the application's data:
VOLUME ["/var/www/html"]
WORKDIR
[root@node11 docker]# vim Dockerfile
FROM busybox
RUN echo hello world > /file
RUN echo hello linux >> /file
COPY index.html /index.html
ADD nginx-1.22.0.tar.gz /
# Define the HOSTNAME variable
ENV HOSTNAME node11
# Print the variable
CMD echo "hello $HOSTNAME"
[root@node11 docker]# docker build -t demo:v6 .  # build the image
Sending build context to Docker daemon 1.077MB
Step 1/7 : FROM busybox
---> 7a80323521cc
Step 2/7 : RUN echo hello world > /file
---> Using cache
---> e20850cd1172
Step 3/7 : RUN echo hello linux >> /file
---> Using cache
---> c26784fd2867
Step 4/7 : COPY index.html /index.html
---> Using cache
---> 5873b8b4adc6
Step 5/7 : ADD nginx-1.22.0.tar.gz /
---> Using cache
---> f7b0dab596e5
Step 6/7 : ENV HOSTNAME node11
---> Running in bfa8ee87d04f
Removing intermediate container bfa8ee87d04f
---> 2759f357dcc6
Step 7/7 : CMD echo "hello $HOSTNAME"
---> Running in 447dedd55caf
Removing intermediate container 447dedd55caf
---> b89ff1067097
Successfully built b89ff1067097
Successfully tagged demo:v6
[root@node11 docker]# docker run -it --rm demo:v6  # the container exits as soon as the command finishes
hello node11
Or:
[root@node11 docker]# vim Dockerfile
[root@node11 docker]# docker build -t demo:v7 .
[root@node11 docker]# docker run -it --rm demo:v7
[root@node11 docker]# cd /etc/docker/
[root@node11 docker]# vim /etc/docker/daemon.json  # configure a registry mirror (image accelerator)
{
"registry-mirrors": ["https://uz579kot.mirror.aliyuncs.com"]
}
[root@node11 docker]# systemctl restart docker  # restart the daemon
[root@node11 docker]# docker info  # check that the mirror is in effect
[root@node11 docker]# docker pull nginx  # pull the nginx image
Using default tag: latest
latest: Pulling from library/nginx
a2abf6c4d29d: Pull complete
a9edb18cadd1: Pull complete
589b7251471a: Pull complete
186b1aaa4aa6: Pull complete
b4df32aa5a72: Pull complete
a0bcbecc962e: Pull complete
Digest: sha256:0d17b565c37bcbd895e9d92315a05c1c3c9a29f762b011a10c54a66cd53c9b31
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest
[root@node11 docker]# docker run -d --name nginx nginx  # run in the background and create the container nginx
35beea8413fbb09c8ce1421f83606c26753e68b815f4dde2deecb5986d8e0524
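CMD and ENTRYPOINT
Both instructions set the command executed when the container starts, but CMD is overridden by a command given after docker run, whereas ENTRYPOINT is not ignored and is always executed.
Arguments given after docker run are passed to ENTRYPOINT as its arguments.
A Dockerfile can specify only one ENTRYPOINT; if several are given, only the last one takes effect.
Difference between the shell and exec forms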
#cat Dockerfile
FROM busybox
ENV name world
CMD echo "hello, $name"
The shell form invokes /bin/sh -c under the hood to run the command, so variables are expanded; the exec form below does not expand them:
#cat Dockerfile
FROM busybox
ENV name world
ENTRYPOINT ["/bin/echo", "hello, $name"]
It has to be rewritten as follows:
#cat Dockerfile
FROM busybox
ENV name world
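ENTRYPOINT ["/bin/sh", "-c", "echo hello, $name"]
In exec form, ENTRYPOINT can take additional arguments from CMD, and those CMD arguments can be replaced dynamically when the container starts. In shell form, ENTRYPOINT ignores any arguments supplied by CMD or docker run.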
#cat Dockerfile
FROM busybox
ENTRYPOINT ["/bin/echo", "hello"]
CMD ["world"]
The difference when running the container:
#docker run --rm busybox:v1
hello world
#docker run --rm busybox:v1 linux
hello linux
The official recommendation is to write these instructions in exec form.
[root@node11 docker]# vim Dockerfile
FROM busybox
RUN echo hello world > /file
RUN echo hello linux >> /file
COPY index.html /index.html
ADD nginx-1.22.0.tar.gz /
ENV HOSTNAME node11
ENTRYPOINT ["/bin/echo","hello"]
CMD ["world"]
[root@node11 docker]# docker build -t demo:v8 .
Sending build context to Docker daemon 1.077MB
Step 1/8 : FROM busybox
---> 7a80323521cc
Step 2/8 : RUN echo hello world > /file
---> Using cache
---> e20850cd1172
Step 3/8 : RUN echo hello linux >> /file
---> Using cache
---> c26784fd2867
Step 4/8 : COPY index.html /index.html
---> Using cache
---> 5873b8b4adc6
Step 5/8 : ADD nginx-1.22.0.tar.gz /
---> Using cache
---> f7b0dab596e5
Step 6/8 : ENV HOSTNAME node11
---> Using cache
---> 2759f357dcc6
Step 7/8 : ENTRYPOINT ["/bin/echo","hello"]
---> Running in c96d5d5d32b1
Removing intermediate container c96d5d5d32b1
---> cd2109960e29
Step 8/8 : CMD ["world"]
---> Running in 17846e97b7a8
Removing intermediate container 17846e97b7a8
---> b01ca6875af0
Successfully built b01ca6875af0
Successfully tagged demo:v8
[root@node11 docker]# docker run -it --rm demo:v8
hello world
[root@node11 docker]# docker run -it --rm demo:v8 linux
hello linux
[root@node11 docker]# docker run -it --rm demo:v8 123
hello 123
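7) WORKDIR: sets the current working directory in the image for the RUN, CMD, ENTRYPOINT, ADD and COPY instructions; the directory is created automatically if it does not exist.
8) RUN
Runs a command in the container and creates a new image layer; commonly used to install packages: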
RUN yum install -y vim
Example:
Containerizing nginx
Delete the images that are no longer needed
[root@node11 docker]# docker images | grep demo | awk '{print $1":"$2}'
[root@node11 docker]# docker images | grep demo | awk '{system("docker rmi "$1":"$2"")}'
[root@node11 docker]# docker pull centos:7
7: Pulling from library/centos
2d473b07cdd5: Pull complete
Digest: sha256:9d4bcbbb213dfd745b58be38b13b996ebb5ac315fe75711bd618426a630e0987
Status: Downloaded newer image for centos:7
docker.io/library/centos:7
[root@node11 docker]# vim Dockerfile
FROM centos:7
ADD nginx-1.22.0.tar.gz /mnt
WORKDIR /mnt/nginx-1.22.0
RUN yum install -y gcc make pcre-devel openssl-devel
RUN ./configure --with-http_ssl_module
RUN make
RUN make install
COPY index.html /usr/local/nginx/html
VOLUME /data
EXPOSE 80
CMD ["/usr/local/nginx/sbin/nginx", "-g", "daemon off;"]
[root@node11 docker]# docker build -t nginx:v1 .
[root@node11 docker]# docker run -d --name web1 -p 80:80 nginx:v1
ab384f31fdd9d2dcbb3e1ac0cef8cae64623fa8b4bccbe4b532954384cf84bfc
[root@node11 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ab384f31fdd9 nginx:v1 "/usr/local/nginx/sb…" 6 seconds ago Up 5 seconds 0.0.0.0:80->80/tcp, :::80->80/tcp web1
[root@node11 docker]# cd /var/lib/docker/volumes/f6855d4ef3fcf9b8b9b73d4367bada788acbc27a5ba0e64983065130223ebc9d/_data
[root@node11 _data]# ls
[root@node11 _data]# touch file1
[root@node11 _data]# cd
[root@node11 ~]# docker exec web1 ls /data
file1
[root@node11 docker]# docker images nginx  # the built image is fairly large; it can be optimized later
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx v1 03e33a901b4f 6 minutes ago 500MB
nginx <none> b692a91e4e15 2 weeks ago 142MB
nginx latest 605c77e624dd 7 months ago 141MB
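4. Image optimization
- Choose the most minimal base image;
- Reduce the number of image layers;
- Clean up the intermediate artifacts of the build;
- Pay attention to optimizing network requests;
- Use the build cache wherever possible;
- Use multi-stage builds;
Optimization 1: reduce the number of layers and clean up intermediate build artifacts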
[root@node11 ~]# cd docker/
[root@node11 docker]# docker images  # the packaged image is too large: 500MB
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx v1 03e33a901b4f 5 hours ago 500MB
nginx <none> b692a91e4e15 2 weeks ago 142MB
busybox latest 7a80323521cc 3 weeks ago 1.24MB
nginx latest 605c77e624dd 7 months ago 141MB
centos 7 eeb6ee3f44bd 11 months ago 204MB
yakexi007/game2048 latest 19299002fdbe 5 years ago 55.5MB
[root@node11 docker]# vim Dockerfile
FROM centos:7
ADD nginx-1.22.0.tar.gz /mnt
WORKDIR /mnt/nginx-1.22.0
RUN yum install -y gcc make pcre-devel openssl-devel && ./configure --with-http_ssl_module && make && make install && yum clean all && rm -rf /mnt/nginx-1.22.0
COPY index.html /usr/local/nginx/html
VOLUME /data
EXPOSE 80
CMD ["/usr/local/nginx/sbin/nginx", "-g", "daemon off;"]
[root@node11 docker]# docker build -t nginx:v2 .  # build the image
[root@node11 docker]# docker images nginx  # the optimized image is 322MB
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx v2 0e03955f0e2c 18 seconds ago 322MB
nginx v1 03e33a901b4f 6 hours ago 500MB
nginx <none> b692a91e4e15 2 weeks ago 142MB
nginx latest 605c77e624dd 7 months ago 141MB
[root@node11 docker]# docker history nginx:v2
IMAGE CREATED CREATED BY SIZE COMMENT
0e03955f0e2c About a minute ago /bin/sh -c #(nop) CMD ["/usr/local/nginx/sb… 0B
89dec2fb1e10 About a minute ago /bin/sh -c #(nop) EXPOSE 80 0B
adba7ec861f1 About a minute ago /bin/sh -c #(nop) VOLUME [/data] 0B
3aefe8bb197f About a minute ago /bin/sh -c #(nop) COPY file:89a58ee0b2565a73… 15B
c6325882c586 About a minute ago /bin/sh -c yum install -y gcc make pcre-deve… 112MB  # the reduction comes from this step
accbc32caf7f 6 hours ago /bin/sh -c #(nop) WORKDIR /mnt/nginx-1.22.0 0B
f7b2d5314c3d 6 hours ago /bin/sh -c #(nop) ADD file:50cfbd6588de73023… 6.46MB
eeb6ee3f44bd 11 months ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0B
<missing> 11 months ago /bin/sh -c #(nop) LABEL org.label-schema.sc… 0B
<missing> 11 months ago /bin/sh -c #(nop) ADD file:b3ebbe8bd304723d4… 204MB
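The history above still lists the 6.46MB ADD layer even though the RUN step ends with rm -rf /mnt/nginx-1.22.0: lower layers are read-only, so a later delete only records a whiteout entry (a file named .wh.<name>) and the original bytes still ship in the image. The following is an added example, not part of the original page, that lists paths hidden by a whiteout but still present in a lower layer tarball. The function names are hypothetical, the two layers are constructed to mirror the ADD and rm -rf steps, and opaque-directory markers are not handled.

```shell
#!/bin/sh
# Added example: find files "deleted" in a later layer that still ship in an
# earlier one. Arguments: layer tarballs, lowest layer first.

hidden_but_shipped() {
    n=0
    for layer in "$@"; do
        n=$((n + 1))
        # Emit "<layer index> <path>", without a leading ./ or trailing /
        tar -tf "$layer" |
            awk -v n="$n" '{ sub(/^\.\//, ""); sub(/\/$/, ""); print n " " $0 }'
    done | awk '
        {
            layer = $1 + 0
            path = substr($0, length($1) + 2)
            cnt = split(path, part, "/"); base = part[cnt]
            if (base ~ /^\.wh\./ && base != ".wh..wh..opq") {
                # "dir/.wh.name" hides "dir/name" and everything below it
                target = substr(path, 1, length(path) - length(base)) substr(base, 5)
                for (p in seen)
                    if (seen[p] < layer && (p == target || index(p, target "/") == 1))
                        print seen[p] "\t" p
            } else if (!(path in seen)) {
                seen[path] = layer        # remember the lowest layer holding it
            }
        }
    ' | LC_ALL=C sort
}

# Constructed layers: layer 1 is the ADD of the source tree, layer 2 is the
# RUN step whose "rm -rf" left a whiteout for the directory.
make_sample_layers() {
    d=$1
    mkdir -p "$d/l1/mnt/nginx-1.22.0" "$d/l2/mnt"
    echo source > "$d/l1/mnt/nginx-1.22.0/configure"
    : > "$d/l2/mnt/.wh.nginx-1.22.0"
    tar -cf "$d/layer1.tar" -C "$d/l1" mnt
    tar -cf "$d/layer2.tar" -C "$d/l2" mnt
}

# Demo run: prints the layer index and path of each hidden entry.
tmp=$(mktemp -d)
make_sample_layers "$tmp"
hidden_but_shipped "$tmp/layer1.tar" "$tmp/layer2.tar"
rm -rf "$tmp"
```

For a real image the layer tarballs come from unpacking the output of docker save. The same effect applies to any credential or key copied in one instruction and removed in a later one.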
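Optimization 2: use a multi-stage build
When building nginx, all we need is the nginx binary; the dependencies installed for compilation and the files produced during the build are never used by the running service;
With a multi-stage build, a temporary image is created for compilation, and the compiled binary is copied into the final image.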
[root@node11 docker]# vim Dockerfile
FROM centos:7 as build
ADD nginx-1.22.0.tar.gz /mnt
WORKDIR /mnt/nginx-1.22.0
RUN yum install -y gcc make pcre-devel openssl-devel && ./configure --with-http_ssl_module && make && make install && yum clean all && rm -rf /mnt/nginx-1.22.0
FROM centos:7
COPY --from=build /usr/local/nginx /usr/local/nginx
COPY index.html /usr/local/nginx/html
VOLUME /data
EXPOSE 80
CMD ["/usr/local/nginx/sbin/nginx", "-g", "daemon off;"]
[root@node11 docker]# docker images nginx  # reduced to 210MB
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx v3 2085993744b9 27 seconds ago 210MB
nginx v2 0e03955f0e2c 6 minutes ago 322MB
nginx v1 03e33a901b4f 6 hours ago 500MB
nginx <none> b692a91e4e15 2 weeks ago 142MB
nginx latest 605c77e624dd 7 months ago 141MB
[root@node11 docker]# docker run -it --rm nginx:v3 bash  # run a container
[root@73b045ed0fae /]# cd /usr/local/nginx/
[root@73b045ed0fae nginx]# ls
conf html logs sbin
[root@73b045ed0fae nginx]# cd sbin
[root@73b045ed0fae sbin]# ls
nginx
[root@73b045ed0fae sbin]# ldd /usr/local/nginx/sbin/nginx
linux-vdso.so.1 => (0x00007ffcfdff0000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fe83c945000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fe83c729000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fe83c4f2000)
libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fe83c290000)
libssl.so.10 => /lib64/libssl.so.10 (0x00007fe83c01e000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007fe83bbbb000)
libz.so.1 => /lib64/libz.so.1 (0x00007fe83b9a5000)
libc.so.6 => /lib64/libc.so.6 (0x00007fe83b5d7000)
/lib64/ld-linux-x86-64.so.2 (0x00007fe83cb49000)
libfreebl3.so => /lib64/libfreebl3.so (0x00007fe83b3d4000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fe83b187000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fe83ae9e000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fe83ac9a000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fe83aa67000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fe83a857000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fe83a653000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fe83a439000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fe83a212000)
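Optimization 3: choose the most minimal base image
For further optimization, we choose an even more minimal base image here;
[root@node11 ~]# docker load -i base-debian11.tar  # import the image onto this host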
5b1fa8e3e100: Loading layer 3.697MB/3.697MB
0b3d0512394d: Loading layer 18.28MB/18.28MB
Loaded image: gcr.io/distroless/base-debian11:latest
[root@node11 docker]# mkdir new
[root@node11 docker]# cd new/
[root@node11 new]# vim Dockerfile
FROM nginx as base
# https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
ARG TIME_ZONE
RUN mkdir -p /opt/var/cache/nginx && \
cp -a --parents /usr/lib/nginx /opt && \
cp -a --parents /usr/share/nginx /opt && \
cp -a --parents /var/log/nginx /opt && \
cp -aL --parents /var/run /opt && \
cp -a --parents /etc/nginx /opt && \
cp -a --parents /etc/passwd /opt && \
cp -a --parents /etc/group /opt && \
cp -a --parents /usr/sbin/nginx /opt && \
cp -a --parents /usr/sbin/nginx-debug /opt && \
cp -a --parents /lib/x86_64-linux-gnu/ld-* /opt && \
cp -a --parents /usr/lib/x86_64-linux-gnu/libpcre* /opt && \
cp -a --parents /lib/x86_64-linux-gnu/libz.so.* /opt && \
cp -a --parents /lib/x86_64-linux-gnu/libc* /opt && \
cp -a --parents /lib/x86_64-linux-gnu/libdl* /opt && \
cp -a --parents /lib/x86_64-linux-gnu/libpthread* /opt && \
cp -a --parents /lib/x86_64-linux-gnu/libcrypt* /opt && \
cp -a --parents /usr/lib/x86_64-linux-gnu/libssl.so.* /opt && \
cp -a --parents /usr/lib/x86_64-linux-gnu/libcrypto.so.* /opt && \
cp /usr/share/zoneinfo/${TIME_ZONE:-ROC} /opt/etc/localtime
FROM gcr.io/distroless/base-debian11
COPY --from=base /opt /
EXPOSE 80 443
ENTRYPOINT ["nginx", "-g", "daemon off;"]
[root@node11 new]# docker build -t nginx:v4 .  # build the image
Sending build context to Docker daemon 3.072kB
Step 1/7 : FROM nginx as base
---> 605c77e624dd
Step 2/7 : ARG TIME_ZONE
---> Using cache
---> 5beb5c4a1bb7
Step 3/7 : RUN mkdir -p /opt/var/cache/nginx && cp -a --parents /usr/lib/nginx /opt && cp -a --parents /usr/share/nginx /opt && cp -a --parents /var/log/nginx /opt && cp -aL --parents /var/run /opt && cp -a --parents /etc/nginx /opt && cp -a --parents /etc/passwd /opt && cp -a --parents /etc/group /opt && cp -a --parents /usr/sbin/nginx /opt && cp -a --parents /usr/sbin/nginx-debug /opt && cp -a --parents /lib/x86_64-linux-gnu/ld-* /opt && cp -a --parents /usr/lib/x86_64-linux-gnu/libpcre* /opt && cp -a --parents /lib/x86_64-linux-gnu/libz.so.* /opt && cp -a --parents /lib/x86_64-linux-gnu/libc* /opt && cp -a --parents /lib/x86_64-linux-gnu/libdl* /opt && cp -a --parents /lib/x86_64-linux-gnu/libpthread* /opt && cp -a --parents /lib/x86_64-linux-gnu/libcrypt* /opt && cp -a --parents /usr/lib/x86_64-linux-gnu/libssl.so.* /opt && cp -a --parents /usr/lib/x86_64-linux-gnu/libcrypto.so.* /opt && cp /usr/share/zoneinfo/${TIME_ZONE:-ROC} /opt/etc/localtime
---> Using cache
---> d49136d7ec9c
Step 4/7 : FROM gcr.io/distroless/base-debian11
---> 24787c1cd2e4
Step 5/7 : COPY --from=base /opt /
---> 2850e943b1cf
Step 6/7 : EXPOSE 80 443
---> Running in 066152f00fe5
Removing intermediate container 066152f00fe5
---> 6fe4bc135587
Step 7/7 : ENTRYPOINT ["nginx", "-g", "daemon off;"]
---> Running in 9d3a220a0572
Removing intermediate container 9d3a220a0572
---> 50bde945fabb
Successfully built 50bde945fabb
Successfully tagged nginx:v4
[root@node11 new]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2e6add81168f nginx:v4 "nginx -g 'daemon of…" 6 seconds ago Up 4 seconds 80/tcp, 443/tcp demo
ab384f31fdd9 nginx:v1 "/usr/local/nginx/sb…" 6 hours ago Up 6 hours 0.0.0.0:80->80/tcp, :::80->80/tcp web1
[root@node11 new]# docker images nginx  # reduced to 33.7MB
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx v4 17304c5b9302 About a minute ago 33.7MB
nginx v3 2085993744b9 40 minutes ago 210MB
nginx v2 0e03955f0e2c 46 minutes ago 322MB
nginx v1 03e33a901b4f 6 hours ago 500MB
nginx <none> b692a91e4e15 2 weeks ago 142MB
nginx latest 605c77e624dd 7 months ago 141MB
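- Common image subcommands
images: list images
history: show the build history of an image
commit: create an image from a container
build: build an image from a Dockerfile
tag: tag an image
search: search for images
pull: pull an image from a registry
push: upload an image to a registry
rmi: remove an image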