天健胡马灵越鸟

Docker架构简介命令详解

1.1、Docker的介绍

Docker是一个开源的应用容器引擎，使用Go语言开发，基于Linux内核的cgroup，namespace，Union FS等技术，对应用进程进行封装隔离，并且

独立于宿主机与其他进程，这种运行时封装的状态称为容器。

Docker早起版本实现是基于LXC，并进一步对其封装，包括文件系统、网络互联、镜像管理等方面，极大简化了容器管理。从0.7版本以后开始去

除LXC，转为自行研发的libcontainer，从1.11版本开始，进一步演进为使用runC和containerd。

Docker理念是将应用及依赖包打包到一个可移植的容器中，可发布到任意Linux发行版Docker引擎上。使用沙箱机制运行程序，程序之间相互隔离。

1.2、docker的体系架构

Containerd：是一个简单的守护进程，使用runC管理容器。向Docker Engine提
供接口。
Shim：只负责管理一个容器。
runC：是一个轻量级的工具，只用来运行容器。

1.4、docker的内部组件

1. Namespaces

命名空间，Linux内核提供的一种对进程资源隔离的机制，例如进程、网络、挂载点等资源。

2. CGroups

控制组，Linux内核提供的一种限制进程资源的机制；例如CPU、内存等资源。

3. UnionFS

联合文件系统，支持将不同位置的目录挂载到同一虚拟文件系统，形成一种分层的模型。

1.5、虚拟机与容器区别

以 KVM 举例，与 Docker 对比

启动时间

Docker秒级启动，KVM分钟级启动。

轻量级

容器镜像大小通常以M为单位，虚拟机以G为单位。

容器资源占用小，要比虚拟机部署更快速。

性能

容器共享宿主机内核，系统级虚拟化，占用资源少，没有Hypervisor层开销，容器性能基本接近物理机；

虚拟机需要Hypervisor层支持，虚拟化一些设备，具有完整的GuestOS，虚拟化开销大，因而降低性能，没有容器性能好。

安全性

由于共享宿主机内核，只是进程级隔离，因此隔离性和稳定性不如虚拟机，容器具有一定权限访问宿主机内核，存在一定安全隐患。

使用要求

KVM基于硬件的完全虚拟化，需要硬件CPU虚拟化技术支持；

容器共享宿主机内核，可运行在主流的Linux发行版，不用考虑CPU是否支持虚拟化技术。

1.6、docker 的应用场景

场景一：节省项目环境部署时间

1. 单项目打包

2. 整套项目打包

3. 新开源技术试用

场景二：环境一致性

场景三：持续集成

场景四：微服务

场景五：弹性伸缩

参看： https://blog.51cto.com/lizhenliang/1978081

1.7、在Centos7.x安装docker

CentOS7
# 安装依赖包
yum install -y yum-utils device-mapper-persistent-data lvm2
# 添加Docker软件包源
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# 更新yum包索引
yum makecache fast
# 安装Docker CE
yum install docker-ce -y
# 启动
systemctl start docker
# 卸载
yum remove docker-ce
rm -rf /var/lib/docker
官方安装文档：
https://docs.docker.com/engine/installation/linux/docker-
ce/centos/#docker-ee-customers

1.8、镜像加速

什么是镜像？

简单说，Docker镜像是一个不包含Linux内核而又精简的Linux操作系统。

镜像从哪里来？

Docker Hub是由Docker公司负责维护的公共注册中心，包含大量的容器镜像，Docker工具默认从这个公共镜像库下载镜像。

https://hub.docker.com/explore

默认是国外的源，下载会慢，建议配置国内镜像仓库：

# vi /etc/docker/daemon.json

{

"registry-mirrors": [ "https://registry.docker-cn.com"]

}

----

重启一下：

systemctl restart docker

1.9、镜像与容器的关系

镜像不是一个单一的文件，而是有多层构成。我们可以通过docker history /NAME> 查

 看镜像中各层内容及大小，每层对应着Dockerfile中的一条指令。Docker镜像默认存储在
 /var/lib/docker/中。
 容器其实是在镜像的最上面加了一层读写层，在运行容器里做的任何文件改动，都会写
 到这个读写层。如果容器删除了，最上面的读写层也就删除了，改动也就丢失了。
 Docker使用存储驱动管理镜像每层内容及可读写层的容器层。

2.0、存储驱动

2.1、镜像命令

二、docker常用命令

2.1、查看版本

[root@ansible-server ~]# docker --version

Docker version 18.09.6, build 481bc77156

2.2、查看帮助

[root@ansible-server ~]# docker --help

Usage: docker [OPTIONS] COMMAND

A self-sufficient runtime for containers

Options:

--config string Location of client config files (default "/root/.docker")

-D, --debug Enable debug mode

-H, --host list Daemon socket(s) to connect to

-l, --log-level string Set the logging level ("debug"|"info"|"warn"|"error"|"fatal") (default "info")

--tls Use TLS; implied by --tlsverify

--tlscacert string Trust certs signed only by this CA (default "/root/.docker/ca.pem")

--tlscert string Path to TLS certificate file (default "/root/.docker/cert.pem")

--tlskey string Path to TLS key file (default "/root/.docker/key.pem")

--tlsverify Use TLS and verify the remote

-v, --version Print version information and quit

2.3、查看镜像分层

[root@ansible-server ~]# docker image history nginx:latest

IMAGE CREATED CREATED BY SIZE COMMENT

53f3fd8007f7 2 weeks ago /bin/sh -c #(nop) CMD ["nginx" "-g" "daemon… 0B

2 weeks ago /bin/sh -c #(nop) STOPSIGNAL SIGTERM 0B

2 weeks ago /bin/sh -c #(nop) EXPOSE 80 0B

2 weeks ago /bin/sh -c ln -sf /dev/stdout /var/log/nginx… 22B

2 weeks ago /bin/sh -c set -x && apt-get update && apt… 54.1MB

2 weeks ago /bin/sh -c #(nop) ENV NJS_VERSION=1.15.12.0… 0B

2 weeks ago /bin/sh -c #(nop) ENV NGINX_VERSION=1.15.12… 0B

2 weeks ago /bin/sh -c #(nop) LABEL maintainer=NGINX Do… 0B

2 weeks ago /bin/sh -c #(nop) CMD ["bash"] 0B

2 weeks ago /bin/sh -c #(nop) ADD file:fcb9328ea4c115670… 55.3MB

2.4、查看镜像的详细信息

查看镜像的详细信息

[root@ansible-server ~]# docker image inspect nginx

[

{

"Id": "sha256:53f3fd8007f76bd23bf663ad5f5009c8941f63828ae458cef584b5f85dc0a7bf",

"RepoTags": [

"nginx:latest"

],

"RepoDigests": [

省略部分......

2.5、下载镜像

[root@ansible-server ~]# docker image pull nginx:1.11

1.11: Pulling from library/nginx

6d827a3ef358: Pull complete

f8f2e0556751: Pull complete

5c9972dca3fd: Pull complete

451b9524cb06: Pull complete

Digest: sha256:e6693c20186f837fc393390135d8a598a96a833917917789d63766cab6c59582

Status: Downloaded newer image for nginx:1.11

2.6、删除镜像

查看并删除镜像

[root@ansible-server ~]# docker images

REPOSITORY TAG IMAGE ID CREATED SIZE

nginx latest 53f3fd8007f7 2 weeks ago 109MB

nginx 1.11 5766334bdaa0 2 years ago 183MB

[root@ansible-server ~]# docker image rm nginx:1.11

Untagged: nginx:1.11

Untagged: nginx@sha256:e6693c20186f837fc393390135d8a598a96a833917917789d63766cab6c59582

Deleted: sha256:5766334bdaa0bc37f1f0c02cb94c351f9b076bcffa042d6ce811b0fd9bc31f3b

Deleted: sha256:1fcf2d3addf02c3b6add24c7b0993038f7e3eee616b10e671e25440e03bc7697

Deleted: sha256:51c56cdbb9306c4d6f2da2b780924f3b926bd13d15a4f6693a5175690e288436

Deleted: sha256:ec9a826666cfa5df0471f716145da63294019c09a5f2e31613122b57df8f7ce0

Deleted: sha256:5d6cbe0dbcf9a675e86aa0fbedf7ed8756d557c7468d6a7c64bde7fa9e029636

2.7、给镜像打tag

#给镜像打tag，再查看

[root@ansible-server ~]# docker tag nginx:1.11 nginx:v1

[root@ansible-server ~]# docker images

REPOSITORY TAG IMAGE ID CREATED SIZE

nginx latest 53f3fd8007f7 2 weeks ago 109MB

nginx 1.11 5766334bdaa0 2 years ago 183MB

nginx v1 5766334bdaa0 2 years ago 183MB

2.8、导出镜像

[root@ansible-server ~]# docker image save nginx:1.11 >nginx1.11.tar

[root@ansible-server ~]# du -sh nginx1.11.tar

182M nginx1.11.tar

2.9、导入镜像

#删除这个已存在的镜像

[root@ansible-server ~]# docker rmi nginx:1.11

Untagged: nginx:1.11

#再导入镜像

[root@ansible-server ~]# docker load

 Loaded image: nginx:1.11
  
 #查看镜像
 [root@ansible-server ~]# docker images
 REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
 nginx               latest              53f3fd8007f7        2 weeks ago         109MB
 nginx               1.11                5766334bdaa0        2 years ago         183MB
 nginx               v1                  5766334bdaa0        2 years ago         183MB

3.0、运行一个容器

[root@ansible-server ~]# docker run -itd nginx

b8ecef224d29f0eaece24c9406e88207491443ab6beb053eb560dce2171b8b4a

#查看容器

[root@ansible-server ~]# docker ps -a

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

b8ecef224d29 nginx "nginx -g 'daemon of…" 9 seconds ago Up 6 seconds 80/tcp affectionate_feistel

3.1、导出一个正在运行的容器（备注：导出后就变成了一个镜像文件）

[root@ansible-server ~]# docker ps -a

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

b8ecef224d29 nginx "nginx -g 'daemon of…" 2 minutes ago Up 2 minutes 80/tcp affectionate_feistel

[root@ansible-server ~]# docker export b8ecef224d29 >nginx.tar

[root@ansible-server ~]# du -sh nginx.tar

107M nginx.tar

３.２、导入镜像

[root@ansible-server ~]# docker image import nginx.tar nginx:self

sha256:bbf50008d2bfb21486bb723cb9779ac04e854ee7e8176529d433941527a10fb9

[root@ansible-server ~]# docker images

REPOSITORY TAG IMAGE ID CREATED SIZE

nginx self 594fc0cf36b0 58 seconds ago 108MB

nginx latest 53f3fd8007f7 2 weeks ago 109MB

nginx 1.11 5766334bdaa0 2 years ago 183MB

nginx v1 5766334bdaa0 2 years ago 183MB

三、容器管理

3.1、查看容器命令

[root@ansible-server ~]# docker container --help

Usage: docker container COMMAND

Manage containers

Commands:

attach Attach local standard input, output, and error streams to a running container

commit Create a new image from a container's changes

cp Copy files/folders between a container and the local filesystem

create Create a new container

diff Inspect changes to files or directories on a container's filesystem

exec Run a command in a running container

export Export a container's filesystem as a tar archive

inspect Display detailed information on one or more containers

kill Kill one or more running containers

logs Fetch the logs of a container

ls List containers

pause Pause all processes within one or more containers

port List port mappings or a specific mapping for the container

prune Remove all stopped containers

rename Rename a container

restart Restart one or more containers

rm Remove one or more containers

run Run a command in a new container

start Start one or more stopped containers

stats Display a live stream of container(s) resource usage statistics

stop Stop one or more running containers

top Display the running processes of a container

unpause Unpause all processes within one or more containers

update Update configuration of one or more containers

wait Block until one or more containers stop, then print their exit codes

Run 'docker container COMMAND --help' for more information on a command.

3.2、创建容器常用选项

3.3、创建一个容器

#创建一个重命名为bs的容器

[root@ansible-server ~]# docker container run -itd --name bs busybox

27080338dabb3d76d3a5864999e2085240d3a6e9c7ef201bd91f9d18c0167969

#查看容器

[root@ansible-server ~]# docker ps -a

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

27080338dabb busybox "sh" 49 seconds ago Up 47 seconds bs

d5ee27264bd3 alpine "/bin/sh" 3 minutes ago Exited (0) About a minute ago focus

b8ecef224d29 nginx "nginx -g 'daemon of…" 45 minutes ago Up 45 minutes 80/tcp affec

#进入容器中

[root@ansible-server ~]# docker container attach bs

/ # ls

bin dev etc home proc root sys tmp usr var

/ # ps -ef

PID USER TIME COMMAND

1 root 0:00 sh

8 root 0:00 ps -ef

/ # ifconfig

eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:03

inet addr:172.17.0.3 Bcast:172.17.255.255 Mask:255.255.0.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:8 errors:0 dropped:0 overruns:0 frame:0

TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:648 (648.0 B) TX bytes:0 (0.0 B)

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

UP LOOPBACK RUNNING MTU:65536 Metric:1

RX packets:0 errors:0 dropped:0 overruns:0 frame:0

TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

/ # echo "123" >>/etc/hosts

/ # tail -1 /etc/hosts

123

/ # exit #退出容器，同时终端也会并闭。

3.4、进入容器命令

[root@ansible-server ~]# docker ps -a

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

27080338dabb busybox "sh" 15 minutes ago Up 4 minutes bs

[root@ansible-server ~]# docker exec -it bs sh

/ # ls

bin dev etc home proc root sys tmp usr var

/ #

3.5、运行容器，映射端口80到8088上面。

#运行容器，映射端口80到8088上面。

[root@ansible-server ~]# docker container run -itd -p 8080:80 --name nginx02 nginx

71beefd3446a4db2cf316c5ca6611256fd77a3e49494e89838c59e520ebfac4c

#查看容器

[root@ansible-server ~]# docker ps -a

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

71beefd3446a nginx "nginx -g 'daemon of…" 17 seconds ago Up 15 seconds 0.0.0.0:8080->80/tcp nginx02

#访问这个容器

59.47.71.220:8080

返回结果：

Welcome to nginx!

3.6、查看容器的日志（备注：日志会输出到控制台）

#查看容器的日志（备注：日志会输出到控制台）

[root@ansible-server ~]# docker logs nginx02

98.142.138.176 - - [23/May/2019:02:59:08 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" "-"

2019/05/23 02:59:09 [error] 6#6: *2 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 98.142.138.176, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "59.47.71.229:8080", referrer: "http://59.47.71.229:8080/"

98.142.138.176 - - [23/May/2019:02:59:09 +0000] "GET /favicon.ico HTTP/1.1" 404 556 "http://59.47.71.229:8080/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36" "-"

#容器日志保存地址

[root@ansible-server ~]# ls /var/lib/docker/containers/

71beefd3446a4db2cf316c5ca6611256fd77a3e49494e89838c59e520ebfac4c

#进入日志目录，查看访问日志

[root@ansible-server containers]# cd 71beefd3446a4db2cf316c5ca6611256fd77a3e49494e89838c59e520ebfac4c/

[root@ansible-server 71beefd3446a4db2cf316c5ca6611256fd77a3e49494e89838c59e520ebfac4c]# ll

total 28

-rw-r-----. 1 root root 1751 May 23 11:08 71beefd3446a4db2cf316c5ca6611256fd77a3e49494e89838c59e520ebfac4c-json.log

drwx------. 2 root root 6 May 23 10:57 checkpoints

-rw-------. 1 root root 2900 May 23 10:57 config.v2.json

-rw-r--r--. 1 root root 1463 May 23 10:57 hostconfig.json

-rw-r--r--. 1 root root 13 May 23 10:57 hostname

-rw-r--r--. 1 root root 174 May 23 10:57 hosts

drwx------. 3 root root 17 May 23 10:57 mounts

-rw-r--r--. 1 root root 76 May 23 10:57 resolv.conf

-rw-r--r--. 1 root root 71 May 23 10:57 resolv.conf.hash

#查看访问日志

[root@ansible-server 71beefd3446a4db2cf316c5ca6611256fd77a3e49494e89838c59e520ebfac4c]# tail 71beefd3446a4db2cf316c5ca6611256fd77a3e49494e89838c59e520ebfac4c-json.log

{"log":"98.142.138.176 - - [23/May/2019:02:59:08 +0000] \"GET / HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36\" \"-\"\r\n","stream":"stdout","time":"2019-05-23T02:59:08.9258795Z"}

{"log":"2019/05/23 02:59:09 [error] 6#6: *2 open() \"/usr/share/nginx/html/favicon.ico\" failed (2: No such file or directory), client: 98.142.138.176, server: localhost, request: \"GET /favicon.ico HTTP/1.1\", host: \"59.47.71.229:8080\", referrer: \"http://59.47.71.229:8080/\"\r\n","stream":"stdout","time":"2019-05-23T02:59:09.7594971Z"}

{"log":"98.142.138.176 - - [23/May/2019:02:59:09 +0000] \"GET /favicon.ico HTTP/1.1\" 404 556 \"http://59.47.71.229:8080/\" \"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36\" \"-\"\r\n","stream":"stdout","time":"2019-05-23T02:59:09.7595791Z"}

{"log":"98.142.138.176 - - [23/May/2019:03:08:10 +0000] \"GET / HTTP/1.1\" 304 0 \"-\" \"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36\" \"-\"\r\n","stream":"stdout","time":"2019-05-23T03:08:10.0499976Z"}

{"log":"98.142.138.176 - - [23/May/2019:03:08:12 +0000] \"GET / HTTP/1.1\" 304 0 \"-\" \"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36\" \"-\"\r\n","stream":"stdout","time":"2019-05-23T03:08:12.8716702Z"}

{"log":"98.142.138.176 - - [23/May/2019:03:08:15 +0000] \"GET / HTTP/1.1\" 304 0 \"-\" \"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36\" \"-\"\r\n","stream":"stdout","time":"2019-05-23T03:08:15.1182369Z"}

3.7、--restart=always：指的是服务退出，始终会重启容器

#清理所有容器

[root@ansible-server ~]# docker stop $(docker ps -a -q);docker rm $(docker ps -a -q)

4aff4bb376dd

eb53d76f4778

27080338dabb

d5ee27264bd3

b8ecef224d29

4aff4bb376dd

eb53d76f4778

27080338dabb

d5ee27264bd3

b8ecef224d29

#删除所有镜像

[root@ansible-server ~]# docker rmi $(docker images -q)

#运行容器（--restart=always：指的是服务退出，始终会重启容器）

[root@ansible-server ~]# docker container run -itd -p 8080:80 --name nginx02 --restart=always nginx

1372e859b8e8bff473f2d242a50e0f51f96dabd325800ae3504aabf3e041af55

#查看容器

[root@ansible-server ~]# docker ps -a

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

1372e859b8e8 nginx "nginx -g 'daemon of…" 5 seconds ago Up 3 seconds 0.0.0.0:8080->80/tcp nginx02

3.8、限制容器使用CPU资源

[root@ansible-server ~]# docker container run -itd --cpus 1 --name nginx01 nginx

2d801ef7a76d913124b77e42d14da6722d138501600d076beec1a734642dbf99

[root@ansible-server ~]# docker ps -a

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

2d801ef7a76d nginx "nginx -g 'daemon of…" 6 seconds ago Up 4 seconds 80/tcp nginx01

3.9、限制内存使用率

[root@ansible-server ~]# docker container run -itd --memory 512m --name nginx02 nginx

ea65f58c0e55a38019480c4c75a76e71ee129d310e279e5adea73ac792f1a04e

[root@ansible-server ~]# docker ps -a

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

ea65f58c0e55 nginx "nginx -g 'daemon of…" 8 seconds ago Up 5 seconds 80/tcp nginx02

2d801ef7a76d nginx "nginx -g 'daemon of…" 4 minutes ago Up 4 minutes 80/tcp n

4.0、查看容器资源利用率

[root@ansible-server ~]# docker container stats nginx02

CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS

ea65f58c0e55 nginx02 0.00% 1.359MiB / 512MiB 0.27% 648B / 0B 0B / 0B 2