Harbor && docker

一、简介

Harbor是一个用于存储和分发Docker镜像的企业级Registry服务器,提供用户权限管理、镜像复制等功能,提高使用的registry的效率。

二、架构图:

Harbor && docker_第1张图片

注解:主要组件包括proxy,是一个nginx前端代理,主要是分发前端页面ui访问和镜像上传和下载流量,上图中通过深蓝色先标识;ui提供了一个web管理页面,当然还包括了一个前端页面和后端API,底层使用mysql数据库;registry是镜像仓库,负责存储镜像文件,当镜像上传完毕后通过hook通知ui创建repository,上图通过红色线标识,当然registry的token认证也是通过ui组件完成;adminserver是系统的配置管理中心附带检查存储用量,ui和jobserver启动时候回需要加载adminserver的配置,通过灰色线标识;jobsevice是负责镜像复制工作的,他和registry通信,从一个registry pull镜像然后push到另一个registry,并记录job_log,上图通过紫色线标识;log是日志汇总组件,通过docker的log-driver把日志汇总到一起,通过浅蓝色线条标识。

三、安装配置harbor1.5.0
1、环境:

系统:CentOS Linux release 7.2.1511 (Core)
Python version:Python 2.7.5
Docker version:>=1.10 
Docker Compose version:>=1.6.0 
Openssl:直接yum安装最新版本即可(# yum -y install openssl openssl-devel)

2、安装docker

yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum list docker-ce --showduplicates | sort -r
yum install docker-ce -y
systemctl start docker
systemctl enable docker
docker version

Client:
 Version:           18.06.1-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        e68fc7a
 Built:             Tue Aug 21 17:23:03 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.1-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       e68fc7a
  Built:            Tue Aug 21 17:25:29 2018
  OS/Arch:          linux/amd64
  Experimental:     false

3、安装 docker-compose

 curl -L https://github.com/docker/compose/releases/download/1.21.1/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
 chmod +x /usr/local/bin/docker-compose
docker-compose version

docker-compose version 1.21.1, build 5a3f1a3
docker-py version: 3.3.0
CPython version: 3.6.5
OpenSSL version: OpenSSL 1.0.1t  3 May 2016

4、下载harbor-offline-installer-v1.5.1

分三个包:

https://download.csdn.net/download/zhangxueleishamo/10629751
https://download.csdn.net/download/zhangxueleishamo/10629761
https://download.csdn.net/download/zhangxueleishamo/10629765

官方链接:

 wget https://storage.googleapis.com/harbor-releases/release-1.5.0/harbor-offline-installer-v1.5.0.tgz
tar -zxvf harbor-offline-installer-v1.5.1.tgz  -C /opt/

5、生成访问harbor密钥证书

#mkdir /data/cert 
#cd /data/cert
#openssl genrsa -out private_key.pem 4096
Generating RSA private key, 4096 bit long modulus
...............++
....................................................................................................++
e is 65537 (0x10001)

#openssl req -new -x509 -key private_key.pem -out root.crt -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:harbor
Organizational Unit Name (eg, section) []:harbor
Common Name (eg, your name or your server's hostname) []:yoyi.harbor.com
Email Address []:[email protected]

# mkdir /opt/harbor/common/config/ui/ -p
# mkdir /opt/harbor/common/config/registry/ -p
# cp /data/cert/private_key.pem /opt/harbor/common/config/ui/private_key.pem
# cp /data/cert/root.crt /opt/harbor/common/config/registry/root.crt

6、配置https

# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
..................++
...................................................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:harbor
Organizational Unit Name (eg, section) []:harbor
Common Name (eg, your name or your server's hostname) []:yoyi.harbor.com
Email Address []:[email protected]

# openssl req -newkey rsa:4096 -nodes -sha256 -keyout yoyi.harbor.com.key -out yoyi.harbor.com.csr
Generating a 4096 bit RSA private key
..........................................................................................................................++
...................................................................................................++
writing new private key to 'yoyi.harbor.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Bejing
Organization Name (eg, company) [Default Company Ltd]:harbor
Organizational Unit Name (eg, section) []:harbor
Common Name (eg, your name or your server's hostname) []:yoyi.harbor.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:``1122qq
An optional company name []:yoyi.harbor.com

# openssl x509 -req -days 365 -in yoyi.harbor.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out yoyi.harbor.com.crt
Signature ok
subject=/C=CN/ST=Beijing/L=Bejing/O=harbor/OU=harbor/CN=yoyi.harbor.com/[email protected]
Getting CA Private Key

# echo subjectAltName = IP:192.168.5.121 extfile.cnf

# openssl genrsa -out private_key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................................................................++
.................................................++
e is 65537 (0x10001)


# openssl req -new -x509 -key private_key.pem -out root.crt -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:harbor
Organizational Unit Name (eg, section) []:harbor
Common Name (eg, your name or your server's hostname) []:yoyi.harbor.com
Email Address []:[email protected]

7、修改harbor配置文件

#vim /opt/harbor/harbor.cfg
hostname = yoyi.harbor.com
ui_url_protocol = https
ssl_cert = /data/cert/yoyi.harbor.com.crt
ssl_cert_key = /data/cert/yoyi.harbor.com.key
secretkey_path = /data

8、启动harbor

./prepare 
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/nginx/cert/harbor.yoyi.com.crt
Clearing the configuration file: ./common/config/nginx/cert/harbor.yoyi.com.key
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
loaded secret from file: /opt/harbor/data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
]# ./install.sh 

[Step 0]: checking installation environment ...

Note: docker version: 18.06.1

Note: docker-compose version: 1.21.1

[Step 1]: loading Harbor images ...
Loaded image: vmware/harbor-ui:v1.5.1
Loaded image: vmware/harbor-log:v1.5.1
Loaded image: vmware/harbor-jobservice:v1.5.1
Loaded image: vmware/registry-photon:v2.6.2-v1.5.1
Loaded image: vmware/notary-server-photon:v0.5.1-v1.5.1
Loaded image: vmware/mariadb-photon:v1.5.1
Loaded image: vmware/clair-photon:v2.0.1-v1.5.1
Loaded image: vmware/harbor-adminserver:v1.5.1
Loaded image: vmware/nginx-photon:v1.5.1
Loaded image: vmware/photon:1.0
Loaded image: vmware/notary-signer-photon:v0.5.1-v1.5.1
Loaded image: vmware/postgresql-photon:v1.5.1
Loaded image: vmware/harbor-db:v1.5.1
Loaded image: vmware/redis-photon:v1.5.1
Loaded image: vmware/harbor-migrator:v1.5.0


[Step 2]: preparing environment ...
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.


[Step 3]: checking existing instance of Harbor ...

Note: stopping existing Harbor instance ...
Stopping harbor-jobservice  ... done
Stopping harbor-ui          ... done
Stopping harbor-db          ... done
Stopping redis              ... done
Stopping harbor-adminserver ... done
Stopping registry           ... done
Stopping harbor-log         ... done
Removing nginx              ... done
Removing harbor-jobservice  ... done
Removing harbor-ui          ... done
Removing harbor-db          ... done
Removing redis              ... done
Removing harbor-adminserver ... done
Removing registry           ... done
Removing harbor-log         ... done
Removing network harbor_harbor


[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry           ... done
Creating harbor-adminserver ... done
Creating redis              ... done
Creating harbor-db          ... done
Creating harbor-ui          ... done
Creating harbor-jobservice  ... done
Creating nginx              ... done

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at https://yoyi.harbor.com. 
For more details, please visit https://github.com/vmware/harbor .

# docker ps
CONTAINER ID        IMAGE                                  COMMAND                  CREATED             STATUS                   PORTS                                                              NAMES
fb81c4bdf1e7        vmware/harbor-jobservice:v1.5.1        "/harbor/start.sh"       3 minutes ago       Up 3 minutes                                                                                harbor-jobservice
d32560069411        vmware/nginx-photon:v1.5.1             "nginx -g 'daemon of…"   3 minutes ago       Up 3 minutes (healthy)   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
3027884466bc        vmware/harbor-ui:v1.5.1                "/harbor/start.sh"       3 minutes ago       Up 3 minutes (healthy)                                                                      harbor-ui
d3f5f664acfd        vmware/harbor-db:v1.5.1                "/usr/local/bin/dock…"   3 minutes ago       Up 3 minutes (healthy)   3306/tcp                                                           harbor-db
efb310517d0c        vmware/registry-photon:v2.6.2-v1.5.1   "/entrypoint.sh serv…"   3 minutes ago       Up 3 minutes (healthy)   5000/tcp                                                           registry
67099980d893        vmware/redis-photon:v1.5.1             "docker-entrypoint.s…"   3 minutes ago       Up 3 minutes             6379/tcp                                                           redis
31bc58eb4424        vmware/harbor-adminserver:v1.5.1       "/harbor/start.sh"       3 minutes ago       Up 3 minutes (healthy)                                                                      harbor-adminserver
6c7c901328bf        vmware/harbor-log:v1.5.1               "/bin/sh -c /usr/loc…"   3 minutes ago       Up 3 minutes (healthy)   127.0.0.1:1514->10514/tcp                                          harbor-log

9、访问测试,默认用户名&密码:admin     Harbor12345

Harbor && docker_第2张图片

四、客户端使用。

1、登陆客户端安装docker,登陆harbor

#yum -y install docker-io
#service docker start
#docker login https://yoyi.harbor.com
Username: admin
Password: 
Error response from daemon: Get https://yoyi.harbor.com/v1/users/: x509: certificate signed by unknown authority

注:错误提示,证书验证不通过。如内网测试或使用可改用http,或向相关证书网站申请购买。

解决办法:

客户端上创建证书存储目录
mkdir /etc/docker/certs.d/yoyi.harbor.com
harbor服务器上将证书拷贝到客户端上
scp -r yoyi.harbor.com.crt [email protected]:/etc/docker/certs.d/yoyi.harbor.com
客户端上重启docker服务,重新登陆即可
service docker restart

2、显示harbor上项目文件,下载,重新打包,并上传到自己的仓库

# docker images
REPOSITORY                                     TAG                 IMAGE ID            CREATED             SIZE

因未传输,所以为空
搜索官方库,查询需要的镜像
#docker search -s 10 centos  //查询收藏超过10的相关centos镜像
Flag --stars has been deprecated, use --filter=stars=3 instead
INDEX       NAME                                        DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
docker.io   docker.io/centos                            The official build of CentOS.                   4762      [OK]       
docker.io   docker.io/ansible/centos7-ansible           Ansible on Centos7                              118                  [OK]
docker.io   docker.io/jdeathe/centos-ssh                CentOS-6 6.10 x86_64 / CentOS-7 7.5.1804 x...   99                   [OK]
docker.io   docker.io/consol/centos-xfce-vnc            Centos container with "headless" VNC sessi...   64                   [OK]
docker.io   docker.io/imagine10255/centos6-lnmp-php56   centos6-lnmp-php56                              45                   [OK]
docker.io   docker.io/tutum/centos                      Simple CentOS docker image with SSH access      43                   
docker.io   docker.io/centos/mysql-57-centos7           MySQL 5.7 SQL database server                   39                   
docker.io   docker.io/gluster/gluster-centos            Official GlusterFS Image [ CentOS-7 +  Glu...   34                   [OK]
docker.io   docker.io/openshift/base-centos7            A Centos7 derived base image for Source-To...   33                   
docker.io   docker.io/centos/python-35-centos7          Platform for building and running Python 3...   31                   
docker.io   docker.io/centos/postgresql-96-centos7      PostgreSQL is an advanced Object-Relationa...   29                   
docker.io   docker.io/kinogmt/centos-ssh                CentOS with SSH                                 22                   [OK]
docker.io   docker.io/centos/php-56-centos7             Platform for building and running PHP 5.6 ...   15                   
docker.io   docker.io/openshift/jenkins-2-centos7       A Centos7 based Jenkins v2.x image for use...   15               

注:docker没有查看详情的命令。docker search作用有限,不如到官方网站查(http://hub.docker.com)搜索,上面有最详细的信息。得出结论后再pull到本地使用

访问官网查询到centos相关镜像

Harbor && docker_第3张图片

#docker pull centos:7.5.1804    //将官方最新镜像下载到本地
Trying to pull repository docker.io/library/centos ... 
7.5.1804: Pulling from docker.io/library/centos
7dc0dca2b151: Pull complete 
Digest: sha256:7fa8d6e1b61a3f9fc1413be9c2f8a8a84dab8855cdb5c467d144ff171155fd19
Status: Downloaded newer image for docker.io/centos:7.5.1804

#docker images
REPOSITORY                                     TAG                 IMAGE ID            CREATED             SIZE
docker.io/centos                               7.5.1804            fdf13fa91c6e        7 weeks ago         200 MB

将官方包重命名为自己仓库library下镜像包
#docker tag centos:7.5.1804  yoyi.harbor.com/library/yoyi-centos-7.5.1804 

# docker images
REPOSITORY                                     TAG                 IMAGE ID            CREATED             SIZE
docker.io/centos                               7.5.1804            fdf13fa91c6e        7 weeks ago         200 MB
yoyi.harbor.com/library/yoyi-centos-7.5.1804   latest              fdf13fa91c6e        7 weeks ago         200 MB

将重命名的包上传到已经登陆的harbor上
# docker push yoyi.harbor.com/library/yoyi-centos-7.5.1804
The push refers to a repository [yoyi.harbor.com/library/yoyi-centos-7.5.1804]
bcc97fbfc9e1: Pushed 
latest: digest: sha256:7c14180942615fef85cb5c8b1388e028be1a8f79694a5fa30a4025173e42ad61 size: 529

命令查看harbor私有仓库下面的镜像包
# curl -X GET http://yoyi.harbor.com/

301 Moved Permanently

301 Moved Permanently


nginx/1.13.8

登陆harbor查看

Harbor && docker_第4张图片

3、在其他机器上安装自己打的包

Harbor && docker_第5张图片

直接点击上图红框内pull命令,会生成链接,到指定客户端粘贴执行即可。

#docker pull yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest
Trying to pull repository yoyi.harbor.com/library/yoyi-centos-7.5.1804 ... 
latest: Pulling from yoyi.harbor.com/library/yoyi-centos-7.5.1804
7dc0dca2b151: Pull complete 
Digest: sha256:7c14180942615fef85cb5c8b1388e028be1a8f79694a5fa30a4025173e42ad61
Status: Downloaded newer image for yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest

4、启动安装完成的镜像。

#docker run --name my-centos7.5 -d yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest /bin/bash -c "ping www.baidu.com"
d61832659e4c727cfa5a06f07d8162028bb6228b6d5de4588d52d4b893acb60e
# docker ps 
CONTAINER ID        IMAGE                                                 COMMAND                  CREATED             STATUS              PORTS               NAMES
d61832659e4c        yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest   "/bin/bash -c 'pin..."   54 seconds ago      Up 52 seconds                           my-centos7.5

5、删除镜像和关闭docker容器

注:先停止容器-删除容器-删除镜像

docker ps 
CONTAINER ID        IMAGE                                                 COMMAND                  CREATED             STATUS              PORTS               NAMES
d61832659e4c        yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest   "/bin/bash -c 'pin..."   54 seconds ago      Up 52 seconds                           my-centos7.5
[root@slaver ~]# docker stop my-centos7.5
my-centos7.5
[root@slaver ~]# docker ps 
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
# docker ps -a
CONTAINER ID        IMAGE                                                 COMMAND                  CREATED             STATUS                       PORTS               NAMES
d61832659e4c        yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest   "/bin/bash -c 'pin..."   5 minutes ago       Exited (137) 8 seconds ago                       my-centos7.5
# docker rm -f d61832659e4c
d61832659e4c
# docker images 
REPOSITORY                                     TAG                 IMAGE ID            CREATED             SIZE
docker.io/centos                               7.2.1511            ddc0fb7d7a72        2 months ago        195 MB
docker.io/centos                               7.3.1611            2e5dfff91072        2 months ago        192 MB
yoyi.harbor.com/library/yoyi-centos-7.5.1804   latest              fdf13fa91c6e        2 months ago        200 MB
# docker rmi yoyi.harbor.com/library/yoyi-centos-7.5.1804
Untagged: yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest
Untagged: yoyi.harbor.com/library/yoyi-centos-7.5.1804@sha256:7c14180942615fef85cb5c8b1388e028be1a8f79694a5fa30a4025173e42ad61
Deleted: sha256:fdf13fa91c6e0445e51dfd26443aa4bcd561fd40a7c5e85718c4df8e67bcc514
Deleted: sha256:bcc97fbfc9e1a709f0eb78c1da59caeb65f43dc32cd5deeb12b8c1784e5b8237

六、运行简单服务

nginx:

docker pull nginx

# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
docker.io/nginx     latest              e81eb098537d        9 days ago          109 MB

docker run --name my-nginxd  -v /data/nginx.conf:/etc/nginx/nginx.conf:rw -v /data/html:/usr/share/nginx/html:rw  -p 9090:80 -d nginx 

注释:/data/nginx.conf 配置文件   /data/html页面目录   9090端口

七、dockerfile

FROM 指定基础镜像,并且必须是第一条指令。

            如果不以任何镜像为基础,那么写法为: FROM scratch。同时意味着所写指令作为镜像的第一层开始。

            语法:

FROM 
FROM :
FROM :
可选项,如没有选择,默认值为latest

RUN 运行指定的命令

         语法

RUN   //直接跟shell命令,/bin/sh -c &&  cmd /S /C
RUN ["executable","param1","parm2"] //函数调用,调用可执行文件,后面为2个参数

RUN /bin/bash -c 'source $HOME/.bashrc; echo $HOME'
RUN ["/bin/bash","-c","echo hello"]

注:多行命令,不要写多个RUN,原因是Dockerfile中每一个指令都会建立一层。
    多少RUN就构建了多少层镜像,会造成镜像的臃肿、多层,不仅增加构建部署时间,还容易出错,换行符为\

CMD 为容器启动时要运行的命令

         语法

CMD ["executable","param1","param2"]  //例:CMD ["sh","-c","echo $HOME"]
CMD ["parm1","param2"]   //例: CMD ["echo","$HOME"]
CMD command param1 param2   //shell执行方式和方法
注: 参数要用双引号,不能单引号。原因是参数传递后,docker解析是一个JSON array

注释:RUN是构建容器时运行的命令以及提交运行结果;CMD是容器启动时执行的命令,在构建时并不运行。

LABEL 为镜像指定标签

       语法

LABEL = = = ....
一个Dockerfile可以有多个LABEL,例如:
LABEL "com.example.vendor"="ACME Incorporated"
LABEL com.example.label-with-value="foo"
LABEL version="1.0"
LABEL description="This text illustrates \
that label-values can span multiple lines."
说明:LABEL会继承基础镜像的LABEL,如遇到key相同,则值覆盖

MAINTAINER 指定作者

      语法

MAINTAINER 

EXPOSE 为暴露容器运行时的监听端口给外部,但EXPOSE并不会使容器访问主机的端口,如映射端口,必须启动后加-P参数

ENV 设置环境变量

      语法

ENV      //一个参数及值
ENV = ...   //多个参数及值

ADD 一个复制命令,把文件复制都镜像中

     语法

ADD  ... 
ADD ["",...""]
注:src是一个本地文件或压缩文件或url;dest是容器内的绝对路径,也可以是相对于工作目录的相对路径
    如src写成一个url,那么ADD就类似于wget命令
例:
ADD test relativeDir/
ADD test /relativeDir
ADD http://example.com/foobar /
注:尽量不要把src写成目录,如是一个目录,将复制整个目录的内容,包括文件系统元数据

COPY 复制命令

       语法

COPY ...
COPY ["",...""]
注:与ADD的区别,copy的src只能是本地文件,其它用法一致

ENTRYPOINT 启动时的默认命令

       语法

ENTRYPOINT ["executable","param1","param2"]  //可执行文件,后面2个参数
ENTRYPOINT command param1 param2    //shell用法

与CMD比较说明
  相同点:只能写一条,如果写多条,那么只有最后一条生效;容器启动时才运行,运行时机相同。
  不同点:ENTRYPOINT不会被运行的command覆盖,而CMD则会被覆盖; 如果在Dockerfile中同时写了这两种,并且CMD指令不是一个完整的可执行命令,那么CMD指令的内容将会作为ENTRYPOIN的参数; 如果CMD是一个完整的可执行命令,那么他们两个会互相覆盖,在最后的生效

官方使用一张表格展示组合的执行情况

VOLUME 实现挂载功能,可以将本地文件或其他容器中的文件挂载到这个容器中

             语法

VOLUME ["/data"]
VOLUME ["/var/log/"]
VOLUME /var/log
VOLUME /var/log /var/db
注:一般的使用场景为需要持久化存储数据时; 容器使用的是AUFS,不能持久化数据,当容器关闭后,所更改丢失,所以当数据需要持久化使用这个命令。

USER 启动容器的用户,可以是用户名或UID

          用法

USER daemo
USER UID
注:如设置了容器以demon用户去运行,那么RUN,CMD,ENTRYPOINT都会以这个用户去运行

WORKDIR 设置工作目录; 解析环境变量

          语法

WORKDIR /path/to/workdir
设置完目录后,对RUN,CMD,ENTRYPOINT,COPY,ADD生效,如不存在则会创建,可设置多次
WORKDIR /a
WORKDIR b
WORKDIR c
RUN pwd
执行的结果是 /a/b/c

ENV DIRPATH /path
WORKDIR $dirpath/$DIRNAME
RUN pwd
执行的结果是 /path/$DIRNAME

ARG 设置变量命令

       语法

ARG  [=]
定义了一个变量,在docker build创建镜像的时候,使用 --build-arg =来指定参数
如果用户在build镜像时制定了一个参数没有定义在Dockerfile中,那么将有一个Warning: [Warning] One or more build-args [foo] were not consumed.

可以定义一个或多个参数,如下:
FROM busybox
ARG user1
ARG buildno
...

也可以给参数一个默认值:
FROM busybox
ARG user1=someuser
ARG buildno=1
...
如果我们给了ARG定义的参数默认值,那么当build镜像时没有指定参数值,将会使用这个默认值。

ONBUILD 为镜像天机触发器

               语法

ONBUILD [INSTRUCTION]
命令只对当前镜像的子镜像生效。
比如当前镜像为A,在Dockerfile中添加:
ONBUILD RUN ls -al
这个ls -al 命令不会在A镜像构建后启动的时候执行
此时有一个镜像B是基于A镜像构建的,那么这个ls -al 命令会在B镜像构建的时候执行。

STOPSIGNAL signal当容器退出时给系统发送什么样的指令

HEALTHCHECK 容器监控状况检查命令

          语法

HEALTHCHECK [OPTIONS] CMD command  //在容器内部运行一个命令来检查容器的健康状况
HEALTHCHECK NONE    //在基础镜像中取消健康检查命令

[OPTIONS]选项
--interval=DURATION 两次检查默认的时间间隔为30秒
--timeout=DURATION  健康检查命令运行超时时长,默认30秒
--retries=N 当连续失败指定次数后,则容器被认为是不健康的,状态为unhealthy,默认次数是3

注:HEALTHCHECK命令只能出现一次,如果出现了多次,只有最后一个生效。

CMD后面的命令的返回值决定了本次健康检查是否成功,具体的返回值如下:
0:success - 表示容器时健康的
1:unhealthy - 表示容器已经不能工作了
2:reserved - 保留值

例如:HEALTHCHECK --interval=5m --timeout=3s CMD curl -f http://localhost/ || exit 1
健康检查命令是:curl -f http://localhost/ || exit 1
两次检查的间隔时间是5秒
命令超时时间为3秒

 

你可能感兴趣的:(docker)