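I. Introduction
Harbor is an enterprise-grade registry server for storing and distributing Docker images. It provides user permission management, image replication and other features, and makes working with a registry more efficient.
II. Architecture diagram:
Notes: the main components are as follows. proxy is an nginx front-end proxy that mainly dispatches front-end UI page access and image upload/download traffic, marked with dark blue lines in the diagram above. ui provides a web management page, consisting of a front-end page and a back-end API, and uses a MySQL database underneath. registry is the image repository and is responsible for storing image files; once an image upload completes, it notifies ui through a hook to create the repository (marked with red lines in the diagram above), and the registry's token authentication is also handled by the ui component. adminserver is the system's configuration management center and also checks storage usage; ui and jobservice need to load adminserver's configuration at startup (marked with gray lines). jobservice is responsible for image replication: it talks to the registry, pulls an image from one registry, pushes it to another registry, and records a job_log (marked with purple lines in the diagram above). log is the log aggregation component, which collects logs in one place through Docker's log-driver (marked with light blue lines).
III. Installing and configuring Harbor 1.5.0
1. Environment:
OS: CentOS Linux release 7.2.1511 (Core)
Python version: Python 2.7.5
Docker version: >=1.10
Docker Compose version: >=1.6.0
OpenSSL: install the latest version directly with yum (# yum -y install openssl openssl-devel)
2. Install Docker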
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum list docker-ce --showduplicates | sort -r
yum install docker-ce -y
systemctl start docker
systemctl enable docker
docker version
Client:
Version: 18.06.1-ce
API version: 1.38
Go version: go1.10.3
Git commit: e68fc7a
Built: Tue Aug 21 17:23:03 2018
OS/Arch: linux/amd64
Experimental: false
Server:
Engine:
Version: 18.06.1-ce
API version: 1.38 (minimum version 1.12)
Go version: go1.10.3
Git commit: e68fc7a
Built: Tue Aug 21 17:25:29 2018
OS/Arch: linux/amd64
Experimental: false
3. Install docker-compose
curl -L https://github.com/docker/compose/releases/download/1.21.1/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose version
docker-compose version 1.21.1, build 5a3f1a3
docker-py version: 3.3.0
CPython version: 3.6.5
OpenSSL version: OpenSSL 1.0.1t 3 May 2016
4. Download harbor-offline-installer-v1.5.1
Split into three packages:
https://download.csdn.net/download/zhangxueleishamo/10629751
https://download.csdn.net/download/zhangxueleishamo/10629761
https://download.csdn.net/download/zhangxueleishamo/10629765
Official link:
wget https://storage.googleapis.com/harbor-releases/release-1.5.0/harbor-offline-installer-v1.5.0.tgz
tar -zxvf harbor-offline-installer-v1.5.1.tgz -C /opt/
5. Generate the key and certificate used to access Harbor
#mkdir /data/cert
#cd /data/cert
#openssl genrsa -out private_key.pem 4096
Generating RSA private key, 4096 bit long modulus
...............++
....................................................................................................++
e is 65537 (0x10001)
#openssl req -new -x509 -key private_key.pem -out root.crt -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:harbor
Organizational Unit Name (eg, section) []:harbor
Common Name (eg, your name or your server's hostname) []:yoyi.harbor.com
Email Address []:[email protected]
# mkdir /opt/harbor/common/config/ui/ -p
# mkdir /opt/harbor/common/config/registry/ -p
# cp /data/cert/private_key.pem /opt/harbor/common/config/ui/private_key.pem
# cp /data/cert/root.crt /opt/harbor/common/config/registry/root.crt
6. Configure HTTPS
# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
..................++
...................................................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:harbor
Organizational Unit Name (eg, section) []:harbor
Common Name (eg, your name or your server's hostname) []:yoyi.harbor.com
Email Address []:[email protected]
# openssl req -newkey rsa:4096 -nodes -sha256 -keyout yoyi.harbor.com.key -out yoyi.harbor.com.csr
Generating a 4096 bit RSA private key
..........................................................................................................................++
...................................................................................................++
writing new private key to 'yoyi.harbor.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Bejing
Organization Name (eg, company) [Default Company Ltd]:harbor
Organizational Unit Name (eg, section) []:harbor
Common Name (eg, your name or your server's hostname) []:yoyi.harbor.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:``1122qq
An optional company name []:yoyi.harbor.com
# openssl x509 -req -days 365 -in yoyi.harbor.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out yoyi.harbor.com.crt
Signature ok
subject=/C=CN/ST=Beijing/L=Bejing/O=harbor/OU=harbor/CN=yoyi.harbor.com/[email protected]
Getting CA Private Key
# echo subjectAltName = IP:192.168.5.121 > extfile.cnf
# openssl genrsa -out private_key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................................................................++
.................................................++
e is 65537 (0x10001)
# openssl req -new -x509 -key private_key.pem -out root.crt -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:harbor
Organizational Unit Name (eg, section) []:harbor
Common Name (eg, your name or your server's hostname) []:yoyi.harbor.com
Email Address []:[email protected]
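Added example, not from the original post: a non-interactive version of step 6 that passes extfile.cnf to the signing command with -extfile (the openssl x509 -req command above does not, so the subjectAltName never reaches the certificate) and then checks the result. The CA common name harbor-ca, the DNS entry in the SAN, KEY_BITS and the function names are assumptions; the host name and IP are the ones used on this page.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): issue the Harbor server
# certificate with a subjectAltName and verify it against the CA.
# Usage: ./issue-cert.sh /data/cert   (script name is hypothetical)
set -eu

HARBOR_HOST="${HARBOR_HOST:-yoyi.harbor.com}"   # host name from this page
HARBOR_IP="${HARBOR_IP:-192.168.5.121}"         # IP from this page
KEY_BITS="${KEY_BITS:-4096}"                    # assumption: tunable key size

# issue_harbor_cert DIR: create ca.key/ca.crt and HOST.key/.csr/.crt in DIR.
issue_harbor_cert() {
    local dir="$1" subj="/C=CN/ST=Beijing/L=Beijing/O=harbor/OU=harbor"
    mkdir -p "$dir"
    ( cd "$dir"
      # Self-signed CA; -subj replaces the interactive DN prompts. The CA
      # gets its own CN (assumed name) so issuer and subject of the server
      # certificate differ.
      openssl req -newkey "rsa:$KEY_BITS" -nodes -sha256 -x509 -days 365 \
          -subj "$subj/CN=harbor-ca" -keyout ca.key -out ca.crt 2>/dev/null
      # Server key and certificate signing request.
      openssl req -newkey "rsa:$KEY_BITS" -nodes -sha256 \
          -subj "$subj/CN=$HARBOR_HOST" \
          -keyout "$HARBOR_HOST.key" -out "$HARBOR_HOST.csr" 2>/dev/null
      # The SAN only ends up in the certificate when the file is handed
      # to the signing command with -extfile.
      echo "subjectAltName = DNS:$HARBOR_HOST, IP:$HARBOR_IP" > extfile.cnf
      openssl x509 -req -days 365 -sha256 -in "$HARBOR_HOST.csr" \
          -CA ca.crt -CAkey ca.key -CAcreateserial \
          -extfile extfile.cnf -out "$HARBOR_HOST.crt" 2>/dev/null
      # Private keys must not be readable by group or others.
      chmod 600 ca.key "$HARBOR_HOST.key"
    )
}

# cert_has_san CRT ENTRY: succeed if ENTRY appears in the certificate's SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | grep -q -- "$2"
}

# cert_chains_to CA CRT: succeed if CRT verifies against CA.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

if [ "$#" -gt 0 ]; then
    issue_harbor_cert "$1"
    cert_chains_to "$1/ca.crt" "$1/$HARBOR_HOST.crt"
    cert_has_san "$1/$HARBOR_HOST.crt" "DNS:$HARBOR_HOST"
    echo "certificate for $HARBOR_HOST issued and verified in $1"
fi
```

Docker clients built with Go 1.15 or later ignore the Common Name and match only the subjectAltName, so a certificate without it fails verification even when the CA is trusted.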
7. Edit the Harbor configuration file
#vim /opt/harbor/harbor.cfg
hostname = yoyi.harbor.com
ui_url_protocol = https
ssl_cert = /data/cert/yoyi.harbor.com.crt
ssl_cert_key = /data/cert/yoyi.harbor.com.key
secretkey_path = /data
8. Start Harbor
./prepare
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/nginx/cert/harbor.yoyi.com.crt
Clearing the configuration file: ./common/config/nginx/cert/harbor.yoyi.com.key
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
loaded secret from file: /opt/harbor/data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
]# ./install.sh
[Step 0]: checking installation environment ...
Note: docker version: 18.06.1
Note: docker-compose version: 1.21.1
[Step 1]: loading Harbor images ...
Loaded image: vmware/harbor-ui:v1.5.1
Loaded image: vmware/harbor-log:v1.5.1
Loaded image: vmware/harbor-jobservice:v1.5.1
Loaded image: vmware/registry-photon:v2.6.2-v1.5.1
Loaded image: vmware/notary-server-photon:v0.5.1-v1.5.1
Loaded image: vmware/mariadb-photon:v1.5.1
Loaded image: vmware/clair-photon:v2.0.1-v1.5.1
Loaded image: vmware/harbor-adminserver:v1.5.1
Loaded image: vmware/nginx-photon:v1.5.1
Loaded image: vmware/photon:1.0
Loaded image: vmware/notary-signer-photon:v0.5.1-v1.5.1
Loaded image: vmware/postgresql-photon:v1.5.1
Loaded image: vmware/harbor-db:v1.5.1
Loaded image: vmware/redis-photon:v1.5.1
Loaded image: vmware/harbor-migrator:v1.5.0
[Step 2]: preparing environment ...
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
[Step 3]: checking existing instance of Harbor ...
Note: stopping existing Harbor instance ...
Stopping harbor-jobservice ... done
Stopping harbor-ui ... done
Stopping harbor-db ... done
Stopping redis ... done
Stopping harbor-adminserver ... done
Stopping registry ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-ui ... done
Removing harbor-db ... done
Removing redis ... done
Removing harbor-adminserver ... done
Removing registry ... done
Removing harbor-log ... done
Removing network harbor_harbor
[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry ... done
Creating harbor-adminserver ... done
Creating redis ... done
Creating harbor-db ... done
Creating harbor-ui ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at https://yoyi.harbor.com.
For more details, please visit https://github.com/vmware/harbor .
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
fb81c4bdf1e7 vmware/harbor-jobservice:v1.5.1 "/harbor/start.sh" 3 minutes ago Up 3 minutes harbor-jobservice
d32560069411 vmware/nginx-photon:v1.5.1 "nginx -g 'daemon of…" 3 minutes ago Up 3 minutes (healthy) 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp nginx
3027884466bc vmware/harbor-ui:v1.5.1 "/harbor/start.sh" 3 minutes ago Up 3 minutes (healthy) harbor-ui
d3f5f664acfd vmware/harbor-db:v1.5.1 "/usr/local/bin/dock…" 3 minutes ago Up 3 minutes (healthy) 3306/tcp harbor-db
efb310517d0c vmware/registry-photon:v2.6.2-v1.5.1 "/entrypoint.sh serv…" 3 minutes ago Up 3 minutes (healthy) 5000/tcp registry
67099980d893 vmware/redis-photon:v1.5.1 "docker-entrypoint.s…" 3 minutes ago Up 3 minutes 6379/tcp redis
31bc58eb4424 vmware/harbor-adminserver:v1.5.1 "/harbor/start.sh" 3 minutes ago Up 3 minutes (healthy) harbor-adminserver
6c7c901328bf vmware/harbor-log:v1.5.1 "/bin/sh -c /usr/loc…" 3 minutes ago Up 3 minutes (healthy) 127.0.0.1:1514->10514/tcp harbor-log
9. Access test. Default username & password: admin Harbor12345
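Added example, not from the original post or the Harbor project: a pre-flight check for the harbor.cfg edited in step 7 that flags plain http, a private key readable by other users, and the default admin password shown in step 9. harbor_admin_password is the harbor.cfg setting for the initial admin password in Harbor 1.x; the sample file, its paths and the function names are constructed for the illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the Harbor project):
# pre-flight audit of harbor.cfg before ./install.sh is run.

# cfg_get FILE KEY: print the value of "KEY = value" (last match wins).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_harbor_cfg FILE: print one finding per line; exit status = count.
audit_harbor_cfg() {
    local cfg="$1" n=0 key mode
    if [ "$(cfg_get "$cfg" ui_url_protocol)" != "https" ]; then
        echo "ui_url_protocol is not https: credentials cross the network unencrypted"
        n=$((n + 1))
    fi
    if [ "$(cfg_get "$cfg" harbor_admin_password)" = "Harbor12345" ]; then
        echo "harbor_admin_password is still the default Harbor12345"
        n=$((n + 1))
    fi
    key="$(cfg_get "$cfg" ssl_cert_key)"
    if [ ! -f "$key" ]; then
        echo "ssl_cert_key file not found: $key"
        n=$((n + 1))
    else
        mode="$(stat -c %a "$key")"   # GNU stat, as shipped with CentOS
        case "$mode" in
            [0-7]00) ;;               # owner-only access
            *) echo "ssl_cert_key $key has mode $mode, expected 600 or stricter"
               n=$((n + 1)) ;;
        esac
    fi
    return "$n"
}

# write_sample_cfg DIR: constructed sample with the step 7 settings, the
# default password and a world-readable (empty) stand-in key file.
write_sample_cfg() {
    : > "$1/yoyi.harbor.com.key"
    chmod 644 "$1/yoyi.harbor.com.key"
    cat > "$1/harbor.cfg" <<EOF
hostname = yoyi.harbor.com
ui_url_protocol = https
ssl_cert = $1/yoyi.harbor.com.crt
ssl_cert_key = $1/yoyi.harbor.com.key
harbor_admin_password = Harbor12345
EOF
}

# Stand-alone run: audit the file named in $1, else the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_harbor_cfg "$1" || echo "findings: $?"
else
    sample_dir="$(mktemp -d)"
    write_sample_cfg "$sample_dir"
    audit_harbor_cfg "$sample_dir/harbor.cfg" || echo "findings: $?"
    rm -rf "$sample_dir"
fi
```

harbor_admin_password is only applied the first time Harbor starts, so set it before running ./install.sh or change the password in the web UI afterwards.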
IV. Client usage
1. Log in to the client machine, install Docker, and log in to Harbor
#yum -y install docker-io
#service docker start
#docker login https://yoyi.harbor.com
Username: admin
Password:
Error response from daemon: Get https://yoyi.harbor.com/v1/users/: x509: certificate signed by unknown authority
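Note: the error means that certificate verification failed. For testing or use on an internal network you can switch to http, or apply for or purchase a certificate from a certificate provider.
Solution:
Create the certificate directory on the client
mkdir /etc/docker/certs.d/yoyi.harbor.com
On the Harbor server, copy the certificate to the client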
scp -r yoyi.harbor.com.crt [email protected]:/etc/docker/certs.d/yoyi.harbor.com
Restart the Docker service on the client and log in again
service docker restart
2. List the images, download one, re-tag it, and upload it to your own registry
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
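Nothing has been transferred yet, so the list is empty
Search the official registry for the image you need
#docker search -s 10 centos // search for centos-related images with more than 10 stars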
Flag --stars has been deprecated, use --filter=stars=3 instead
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
docker.io docker.io/centos The official build of CentOS. 4762 [OK]
docker.io docker.io/ansible/centos7-ansible Ansible on Centos7 118 [OK]
docker.io docker.io/jdeathe/centos-ssh CentOS-6 6.10 x86_64 / CentOS-7 7.5.1804 x... 99 [OK]
docker.io docker.io/consol/centos-xfce-vnc Centos container with "headless" VNC sessi... 64 [OK]
docker.io docker.io/imagine10255/centos6-lnmp-php56 centos6-lnmp-php56 45 [OK]
docker.io docker.io/tutum/centos Simple CentOS docker image with SSH access 43
docker.io docker.io/centos/mysql-57-centos7 MySQL 5.7 SQL database server 39
docker.io docker.io/gluster/gluster-centos Official GlusterFS Image [ CentOS-7 + Glu... 34 [OK]
docker.io docker.io/openshift/base-centos7 A Centos7 derived base image for Source-To... 33
docker.io docker.io/centos/python-35-centos7 Platform for building and running Python 3... 31
docker.io docker.io/centos/postgresql-96-centos7 PostgreSQL is an advanced Object-Relationa... 29
docker.io docker.io/kinogmt/centos-ssh CentOS with SSH 22 [OK]
docker.io docker.io/centos/php-56-centos7 Platform for building and running PHP 5.6 ... 15
docker.io docker.io/openshift/jenkins-2-centos7 A Centos7 based Jenkins v2.x image for use... 15
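Note: docker has no command for viewing image details. docker search is of limited use; it is better to search on the official site (http://hub.docker.com), which has the most detailed information, and pull the image for local use once you have decided.
The CentOS images were found by searching the official site
#docker pull centos:7.5.1804 // download the latest official image to the local machine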
Trying to pull repository docker.io/library/centos ...
7.5.1804: Pulling from docker.io/library/centos
7dc0dca2b151: Pull complete
Digest: sha256:7fa8d6e1b61a3f9fc1413be9c2f8a8a84dab8855cdb5c467d144ff171155fd19
Status: Downloaded newer image for docker.io/centos:7.5.1804
#docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/centos 7.5.1804 fdf13fa91c6e 7 weeks ago 200 MB
Re-tag the official image as an image under the library project of your own registry
#docker tag centos:7.5.1804 yoyi.harbor.com/library/yoyi-centos-7.5.1804
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/centos 7.5.1804 fdf13fa91c6e 7 weeks ago 200 MB
yoyi.harbor.com/library/yoyi-centos-7.5.1804 latest fdf13fa91c6e 7 weeks ago 200 MB
Push the re-tagged image to the Harbor instance you are logged in to
# docker push yoyi.harbor.com/library/yoyi-centos-7.5.1804
The push refers to a repository [yoyi.harbor.com/library/yoyi-centos-7.5.1804]
bcc97fbfc9e1: Pushed
latest: digest: sha256:7c14180942615fef85cb5c8b1388e028be1a8f79694a5fa30a4025173e42ad61 size: 529
View the images in the Harbor private registry from the command line
# curl -X GET http://yoyi.harbor.com/
301 Moved Permanently
301 Moved Permanently
nginx/1.13.8
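Log in to Harbor to check
3. Install your own image on other machines
Click the pull command inside the red box in the figure above; it generates the command line, which you then paste and run on the target client.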
#docker pull yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest
Trying to pull repository yoyi.harbor.com/library/yoyi-centos-7.5.1804 ...
latest: Pulling from yoyi.harbor.com/library/yoyi-centos-7.5.1804
7dc0dca2b151: Pull complete
Digest: sha256:7c14180942615fef85cb5c8b1388e028be1a8f79694a5fa30a4025173e42ad61
Status: Downloaded newer image for yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest
4. Start the installed image.
#docker run --name my-centos7.5 -d yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest /bin/bash -c "ping www.baidu.com"
d61832659e4c727cfa5a06f07d8162028bb6228b6d5de4588d52d4b893acb60e
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d61832659e4c yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest "/bin/bash -c 'pin..." 54 seconds ago Up 52 seconds my-centos7.5
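5. Delete the image and shut down the Docker container
Note: stop the container first, then delete the container, then delete the image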
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d61832659e4c yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest "/bin/bash -c 'pin..." 54 seconds ago Up 52 seconds my-centos7.5
[root@slaver ~]# docker stop my-centos7.5
my-centos7.5
[root@slaver ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d61832659e4c yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest "/bin/bash -c 'pin..." 5 minutes ago Exited (137) 8 seconds ago my-centos7.5
# docker rm -f d61832659e4c
d61832659e4c
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/centos 7.2.1511 ddc0fb7d7a72 2 months ago 195 MB
docker.io/centos 7.3.1611 2e5dfff91072 2 months ago 192 MB
yoyi.harbor.com/library/yoyi-centos-7.5.1804 latest fdf13fa91c6e 2 months ago 200 MB
# docker rmi yoyi.harbor.com/library/yoyi-centos-7.5.1804
Untagged: yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest
Untagged: yoyi.harbor.com/library/yoyi-centos-7.5.1804@sha256:7c14180942615fef85cb5c8b1388e028be1a8f79694a5fa30a4025173e42ad61
Deleted: sha256:fdf13fa91c6e0445e51dfd26443aa4bcd561fd40a7c5e85718c4df8e67bcc514
Deleted: sha256:bcc97fbfc9e1a709f0eb78c1da59caeb65f43dc32cd5deeb12b8c1784e5b8237
VI. Running a simple service
nginx:
docker pull nginx
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/nginx latest e81eb098537d 9 days ago 109 MB
docker run --name my-nginxd -v /data/nginx.conf:/etc/nginx/nginx.conf:rw -v /data/html:/usr/share/nginx/html:rw -p 9090:80 -d nginx
Note: /data/nginx.conf is the configuration file, /data/html is the page directory, and 9090 is the port
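VII. Dockerfile
FROM specifies the base image and must be the first instruction.
If the image is not based on any other image, write: FROM scratch. This also means that the instructions that follow start at the first layer of the image.
Syntax:
FROM <image>
FROM <image>:<tag>
FROM <image>@<digest>
<tag> is optional; if none is given, the default is latest
RUN runs the specified command
Syntax
RUN <command> // shell form: followed directly by a shell command, run with /bin/sh -c (Linux) or cmd /S /C (Windows)
RUN ["executable","param1","param2"] // exec form, like a function call: calls the executable, followed by its two arguments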
RUN /bin/bash -c 'source $HOME/.bashrc; echo $HOME'
RUN ["/bin/bash","-c","echo hello"]
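Note: for multi-line commands, do not write multiple RUN instructions, because every instruction in a Dockerfile creates a layer.
Every RUN builds one more image layer, which makes the image bloated and many-layered; that not only lengthens build and deployment time but is also error-prone. The line-continuation character is \
CMD is the command to run when the container starts
Syntax
CMD ["executable","param1","param2"] // e.g. CMD ["sh","-c","echo $HOME"]
CMD ["param1","param2"] // e.g. CMD ["echo","$HOME"]
CMD command param1 param2 // shell form
Note: arguments must be in double quotes, not single quotes, because Docker parses the passed arguments as a JSON array
Note: RUN is a command that runs at build time, and its result is committed; CMD is the command executed when the container starts and does not run at build time.
LABEL sets labels on the image
Syntax
LABEL <key>=<value> <key>=<value> <key>=<value> ...
A Dockerfile can contain multiple LABEL instructions, for example: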
LABEL "com.example.vendor"="ACME Incorporated"
LABEL com.example.label-with-value="foo"
LABEL version="1.0"
LABEL description="This text illustrates \
that label-values can span multiple lines."
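Note: LABEL inherits the labels of the base image; if a key is the same, the value is overwritten
MAINTAINER specifies the author
Syntax
MAINTAINER <name>
EXPOSE exposes the port the container listens on at run time to the outside, but EXPOSE does not by itself give access through a host port; to map the port, the container must be started with the -P option
ENV sets environment variables
Syntax
ENV <key> <value> // a single variable and its value
ENV <key>=<value> ... // multiple variables and values
ADD is a copy instruction that copies files into the image
Syntax
ADD <src>... <dest>
ADD ["<src>",... "<dest>"]
Note: src is a local file, an archive, or a URL; dest is an absolute path inside the container, or a path relative to the working directory
If src is a URL, ADD behaves like the wget command
Example: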
ADD test relativeDir/
ADD test /relativeDir
ADD http://example.com/foobar /
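Note: avoid making src a directory where possible; if it is a directory, the entire contents of the directory are copied, including file system metadata
COPY is a copy instruction
Syntax
COPY <src>... <dest>
COPY ["<src>",... "<dest>"]
Note: the difference from ADD is that the src of COPY can only be a local file; otherwise the usage is the same
ENTRYPOINT is the default command at startup
Syntax
ENTRYPOINT ["executable","param1","param2"] // exec form: the executable followed by two arguments
ENTRYPOINT command param1 param2 // shell form
Comparison with CMD
Similarities: only one may be written; if several are written, only the last one takes effect. Both run only when the container starts, so the timing is the same.
Differences: ENTRYPOINT is not overridden by the command given at run time, while CMD is. If both are written in the Dockerfile and the CMD instruction is not a complete executable command, the content of CMD is passed as arguments to ENTRYPOINT. If CMD is a complete executable command, the two override each other and the one written last takes effect.
The official documentation uses a table to show how the combinations behave
VOLUME provides mounting: local files or files from other containers can be mounted into this container
Syntax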
VOLUME ["/data"]
VOLUME ["/var/log/"]
VOLUME /var/log
VOLUME /var/log /var/db
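Note: the typical use case is data that needs persistent storage. Containers use AUFS, which cannot persist data; when the container is shut down the changes are lost, so use this instruction when data needs to be persisted.
USER is the user the container starts as; it can be a user name or a UID
Usage
USER daemon
USER UID
Note: if the container is set to run as the daemon user, then RUN, CMD and ENTRYPOINT all run as that user
WORKDIR sets the working directory; environment variables are resolved
Syntax
WORKDIR /path/to/workdir
Once set, the directory applies to RUN, CMD, ENTRYPOINT, COPY and ADD; if it does not exist it is created; it can be set multiple times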
WORKDIR /a
WORKDIR b
WORKDIR c
RUN pwd
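The result is /a/b/c
ENV DIRPATH /path
WORKDIR $DIRPATH/$DIRNAME
RUN pwd
The result is /path/$DIRNAME
ARG defines a variable
Syntax
ARG <name>[=<default value>]
This defines a variable; when the image is built with docker build, its value is passed with --build-arg <varname>=<value>
If the user specifies a build argument that is not defined in the Dockerfile, there is a warning: [Warning] One or more build-args [foo] were not consumed.
One or more arguments can be defined, as follows: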
FROM busybox
ARG user1
ARG buildno
...
An argument can also be given a default value:
FROM busybox
ARG user1=someuser
ARG buildno=1
...
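If an argument defined with ARG has a default value, that default is used when no value is specified at build time.
ONBUILD adds a trigger to the image
Syntax
ONBUILD [INSTRUCTION]
The instruction only takes effect for child images of the current image.
For example, if the current image is A and its Dockerfile contains: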
ONBUILD RUN ls -al
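This ls -al command is not executed when image A is built or started
Now suppose image B is built on top of image A; the ls -al command is then executed when image B is built.
STOPSIGNAL signal: which signal is sent to the system when the container exits
HEALTHCHECK is the instruction for checking the container's health
Syntax
HEALTHCHECK [OPTIONS] CMD command // run a command inside the container to check its health
HEALTHCHECK NONE // disable the health check inherited from the base image
[OPTIONS]
--interval=DURATION the interval between two checks, 30 seconds by default
--timeout=DURATION the time limit for the health check command, 30 seconds by default
--retries=N after this many consecutive failures the container is considered unhealthy (status unhealthy); the default is 3
Note: HEALTHCHECK may appear only once; if it appears several times, only the last one takes effect.
The exit status of the command after CMD determines whether the health check succeeded:
0: success - the container is healthy
1: unhealthy - the container is no longer working
2: reserved - reserved value
Example: HEALTHCHECK --interval=5m --timeout=3s CMD curl -f http://localhost/ || exit 1
The health check command is: curl -f http://localhost/ || exit 1
The interval between two checks is 5 minutes
The command timeout is 3 seconds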