003_docker_common_commands_to_be_completed

1 Basic commands

docker version

[root@server 001_vmware_bakup]# docker version
Client:
 Version:           18.09.0
 API version:       1.39
 Go version:        go1.10.4
 Git commit:        4d60db4
 Built:             Wed Nov  7 00:48:22 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.0
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.4
  Git commit:       4d60db4
  Built:            Wed Nov  7 00:19:08 2018
  OS/Arch:          linux/amd64
  Experimental:     false


docker info

[root@k8s-ha-master01 ~]# docker info
Containers: 32
 Running: 30
 Paused: 0
 Stopped: 2
Images: 23
Server Version: 18.09.0
Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: systemd
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.4.215-1.el7.elrepo.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 2.921GiB
Name: k8s-ha-master01
ID: UKHA:DW3W:3NZV:3K7J:7R6J:2X64:TSGB:CUEN:REQJ:TUFF:23F3:5DGI
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine


docker run -it centos:7.7.1908 /bin/bash  (Ctrl+P Ctrl+Q detaches from the container; the container keeps running)
docker run -d ubuntu:15.10 /bin/sh -c "while true; do echo hello world; sleep 1; done"
docker run -d -p 127.0.0.1:5001:5000 training/webapp python app.py
docker run -d -p 127.0.0.1:9080:8080 wuyue/tomcat:7.0.99 /bin/bash
docker run -d -p 8080:80 nginx
docker exec -it 7b0cca2a3237 /bin/bash
docker logs -tf --tail 5 7b0cca2a3237

docker top e95d11df1191   //show the processes running inside the container
[root@hbhost dockerfiles]# docker port d13fdb4e30de
5000/tcp -> 127.0.0.1:5001
docker port d13fdb4e30de 5000
docker inspect 7b0cca2a3237    //volumes-from; inspect works on both containers and images

docker kill
docker stop
docker start -i
docker ps
docker ps -a

docker rm -f
docker cp abc.tar.gz ***:/home/s
cat docker/ubuntu.tar | docker import - test/ubuntu:v1


2 Basic components of Docker

  1. Docker Client
  2. Docker Daemon
  3. Docker Image
  4. Docker Container
  5. Docker Registry

2.1 Docker Image (build and packaging stage)

The foundation of containers
Layered read-only filesystem: bootfs -> rootfs (base image) -> add emacs -> add Apache
Union mount

docker images     //stored under /var/lib/docker
docker inspect wuyue1991/nginx:v1
docker rmi --no-prune
docker search hadoop
docker pull hadoop
docker pull sequenceiq/hadoop-docker    //registry mirror: set --registry-mirror=<url> for dockerd in /etc/default/docker
docker push

Building images
from a container
docker commit -m="has update" -a="runoob" e218edb10161(container) runoob/ubuntu:v2
docker export 1e560fca3906(container) > ubuntu.tar
from a Dockerfile

FROM centos:6.9
MAINTAINER wuyue "[email protected]"

WORKDIR /usr

RUN mkdir -p java/jdk1.7.0_79 \
&& mkdir tomcat

# ADD extracts archives automatically
ADD jdk1.7.0_79 /usr/java/jdk1.7.0_79
ADD apache-tomcat-7.0.99 /usr/tomcat

ENV JAVA_HOME=/usr/java/jdk1.7.0_79
ENV PATH=$JAVA_HOME/bin:$PATH
ENV CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar:$CLASSPATH

EXPOSE 8080
EXPOSE 8005
EXPOSE 8009

ENTRYPOINT ["/usr/tomcat/bin/catalina.sh","run"]

Other instructions: USER, ONBUILD, COPY
docker build -t wuyue/tomcat:7.0.99 .
docker run -d -p 9088:8080 wuyue/tomcat:7.0.99    //port mapping is implemented with iptables: iptables -L -n    ipvsadm -Ln
docker tag 860c279d2fec runoob/centos:dev
docker save -o my_ubuntu_v3.tar runoob/ubuntu:v3
When building from a Dockerfile, the intermediate layer images can be used for debugging.
docker build --no-cache
Image build history
docker history 2622e6cca7eb

2.2 Docker Container (start and run stage)

Started from an image
Layered read-only filesystem + writable layer: bootfs -> rootfs (base image) -> add emacs -> add Apache -> writable layer (copy on write)

3 Remote API

3.1 Method 1: unix socket

[root@server 001_vmware_bakup]# ps -ef | grep docker | grep -v grep
root     31453     1  0 01:38 ?        00:00:01 /usr/bin/dockerd -H unix://

nc -U /var/run/docker.sock
GET /info HTTP/1.1

3.2 Method 2: tcp

vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
systemctl daemon-reload
systemctl restart docker

curl http://127.0.0.1:2375/info
docker -H tcp://127.0.0.1:2375 info
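A configuration check for the ExecStart= line above, added here as an example (mine, not from the original notes): it parses dockerd's -H listeners and flags a TCP listener without --tlsverify, a bind to all interfaces, and the relative socket path that results from writing unix:// with two slashes instead of three. The sample line is constructed from the notes; the function names are my own.

```python
import shlex
from urllib.parse import urlparse

# Constructed sample: the ExecStart= line from these notes, reproduced with the
# missing slash after unix:// (a relative socket path, which is a config bug).
SAMPLE_EXECSTART = ("ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 "
                    "-H unix://var/run/docker.sock")

def parse_execstart(line):
    """Return (hosts, tls_verify) from a systemd ExecStart= line for dockerd.

    Handles '-H value' / '--host value' as well as '-H=value' / '--host=value'.
    An empty hosts list means dockerd's default, unix:///var/run/docker.sock.
    """
    argv = shlex.split(line.split("=", 1)[1])
    hosts, tls_verify = [], False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return hosts, tls_verify

def audit_hosts(hosts, tls_verify):
    """Flag listeners that expose daemon (root-equivalent) control insecurely."""
    findings = []
    for host in hosts:
        url = urlparse(host)
        if url.scheme == "tcp":
            if not tls_verify:
                findings.append(f"{host}: TCP API without --tlsverify is unauthenticated")
            if url.hostname in (None, "", "0.0.0.0", "::"):
                findings.append(f"{host}: bound to all interfaces")
        elif url.scheme == "unix":
            # unix:///var/run/docker.sock -> netloc '' + path '/var/run/docker.sock'
            # unix://var/run/docker.sock  -> netloc 'var' + path '/run/docker.sock'
            path = url.netloc + url.path
            if not path.startswith("/"):
                findings.append(f"{host}: relative socket path (missing slash after unix://)")
    return findings

def audit_execstart(line):
    return audit_hosts(*parse_execstart(line))

if __name__ == "__main__":
    for finding in audit_execstart(SAMPLE_EXECSTART):
        print(finding)
```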

4. Docker daemon startup configuration file

/etc/default/docker

5. Linux kernel features Docker depends on (namespaces and cgroups)

(resource isolation via namespaces + resource limits via cgroups) process + docker image + container engine

Resource isolation and limits, namespaces + cgroups:

  1. PID (Process ID): process isolation
  2. NET (Network): manages network interfaces
  3. IPC (InterProcess Communication): manages access to inter-process communication
  4. MNT (Mount): manages mount points
  5. UTS (Unix Timesharing System): isolates kernel and version identifiers (hostname)
  6. user
  7. cgroup

cgroup drivers: systemd cgroup driver, cgroupfs cgroup driver
Basic functions:

  1. Resource limiting
  2. Priority setting
  3. Resource accounting
  4. Resource control

cgroup controllers commonly used by Docker containers:

  1. cpu cpuset cpuacct
  2. memory
  3. device
  4. freezer
  5. blkio
  6. pid

Less commonly used cgroup controllers:

  1. net_cls
  2. net_prio
  3. hugetlb
  4. perf_event
  5. rdma

What Docker containers provide

  1. Filesystem isolation: each container has its own root filesystem
  2. Process isolation: each container runs in its own process environment
  3. Network isolation: virtual network interfaces and IP addresses are separate for each container
  4. Resource isolation and grouping: cgroups allocate resources such as CPU and memory to each Docker container independently

6. Docker networking

yum install bridge-utils  //install the bridge management tool
brctl show                     //show bridge devices
Changing the default address of docker0

docker0: flags=4163  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:43:09:3f:63  txqueuelen 0  (Ethernet)
        RX packets 76  bytes 8105 (7.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 97  bytes 6436 (6.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ifconfig docker0 192.168.200.1 netmask 255.255.255.0

docker0: flags=4163  mtu 1500
        inet 192.168.200.1  netmask 255.255.255.0  broadcast 192.168.200.255
        ether 02:42:43:09:3f:63  txqueuelen 0  (Ethernet)
        RX packets 76  bytes 8105 (7.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 97  bytes 6436 (6.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Adding a new bridge
[root@hbhost ~]# brctl addbr br01
[root@hbhost ~]# ifconfig br01 192.168.100.1 netmask 255.255.255.0
[root@hbhost ~]# vim /etc/default/docker
DOCKER_OPTS="-b=br01"
[root@hbhost ~]# brctl show

Container linking

[root@hbhost dockerfiles]# ls
Dockerfile
[root@hbhost dockerfiles]# cat Dockerfile
FROM ubuntu:14.04
RUN apt-get install -y ping
RUN apt-get update
RUN apt-get install -y nginx
RUN apt-get install -y curl
EXPOSE 80
CMD /bin/bash
[root@hbhost dockerfiles]# docker build -t wuyue1991/nginx:v1 .
  1. Allow all containers to communicate (virtual bridge docker0, the default)
  2. Deny communication between containers (daemon startup option --icc=false)
  3. Allow communication only between specific containers (daemon startup options --icc=false --iptables=true; container startup option --link)
    iptables -L -n     view the chains

--link creates a fixed connection
Start container ng03 with a fixed link to ng01; if the IP address of ng01 changes, ng03 can still reach it.
Note: ng01 must be started first, otherwise ng03 fails to start.

[root@hbhost dockerfiles]# docker run -it --name ng03 --link=ng01:test01 wuyue1991/nginx:v1
root@f85c1f90784e:/# ping test01
PING test01 (172.17.0.2) 56(84) bytes of data.
64 bytes from test01 (172.17.0.2): icmp_seq=1 ttl=64 time=0.089 ms
64 bytes from test01 (172.17.0.2): icmp_seq=2 ttl=64 time=0.076 ms
64 bytes from test01 (172.17.0.2): icmp_seq=3 ttl=64 time=0.100 ms
root@f85c1f90784e:/# ping ng01
PING test01 (172.17.0.2) 56(84) bytes of data.
64 bytes from test01 (172.17.0.2): icmp_seq=1 ttl=64 time=0.098 ms
64 bytes from test01 (172.17.0.2): icmp_seq=2 ttl=64 time=0.092 ms
64 bytes from test01 (172.17.0.2): icmp_seq=3 ttl=64 time=0.093 ms
root@f85c1f90784e:/# env
HOSTNAME=f85c1f90784e
TERM=xterm
TEST01_PORT_80_TCP=tcp://172.17.0.2:80
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
TEST01_PORT_80_TCP_ADDR=172.17.0.2
SHLVL=1
HOME=/root
TEST01_PORT=tcp://172.17.0.2:80
TEST01_PORT_80_TCP_PORT=80
LESSOPEN=| /usr/bin/lesspipe %s
TEST01_NAME=/ng03/test01
LESSCLOSE=/usr/bin/lesspipe %s %s
TEST01_PORT_80_TCP_PROTO=tcp
_=/usr/bin/env
root@f85c1f90784e:/# cat /etc/hosts
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2      test01 23a1053290d8 ng01
172.17.0.4      f85c1f90784e

Check ip_forward
[root@hbhost dockerfiles]# sysctl net.ipv4.conf.all.forwarding
net.ipv4.conf.all.forwarding = 1   //traffic forwarding is enabled
iptables -L -n
Table (filter) -> chains (INPUT, OUTPUT, FORWARD, DOCKER) -> rules (ACCEPT, DROP)

[root@hbhost dockerfiles]# iptables -F && service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
[root@hbhost dockerfiles]# iptables -I DOCKER -s 172.17.0.2 -d 172.17.0.5 -p TCP --dport 5000 -j DROP
[root@hbhost dockerfiles]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (0 references)
target     prot opt source               destination
DROP       tcp  --  172.17.0.2           172.17.0.5           tcp dpt:5000

Chain DOCKER-ISOLATION-STAGE-1 (0 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-2 (0 references)
target     prot opt source               destination

Chain DOCKER-USER (0 references)
target     prot opt source               destination
[root@hbhost dockerfiles]# iptables -L DOCKER -n --line-numbers
Chain DOCKER (1 references)
num  target     prot opt source               destination
1    DROP       tcp  --  172.17.0.2           172.17.0.5           tcp dpt:5000
2    ACCEPT     tcp  --  0.0.0.0/0            172.17.0.5           tcp dpt:5000
[root@hbhost dockerfiles]# iptables -D DOCKER 2
[root@hbhost dockerfiles]# iptables -L DOCKER -n --line-numbers
Chain DOCKER (1 references)
num  target     prot opt source               destination
1    DROP       tcp  --  172.17.0.2           172.17.0.5           tcp dpt:5000
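An added example (mine, not from the notes) that parses the DOCKER chain listing above and walks it with iptables' first-match semantics, to show why the DROP inserted with -I at position 1 takes effect while the same rule appended after the broad ACCEPT would never be reached. The sample listing is constructed from the session above.

```python
import ipaddress
import re

# Constructed sample: the DOCKER chain as listed above with
# iptables -L DOCKER -n --line-numbers (before rule 2 was deleted).
SAMPLE_CHAIN = """Chain DOCKER (1 references)
num  target     prot opt source               destination
1    DROP       tcp  --  172.17.0.2           172.17.0.5           tcp dpt:5000
2    ACCEPT     tcp  --  0.0.0.0/0            172.17.0.5           tcp dpt:5000
"""

# num target prot opt source destination [extra ... dpt:PORT]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)(?:\s.*?dpt:(\d+))?")

def parse_chain(listing):
    """Parse a numbered chain listing into rules, preserving their order."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # the 'Chain ...' header and column header do not start with a number
        num, target, proto, src, dst, dport = m.groups()
        rules.append({"num": int(num), "target": target, "proto": proto,
                      "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
                      "dport": int(dport) if dport else None})
    return rules

def first_match(rules, src, dst, proto="tcp", dport=None):
    """Emulate netfilter's first-match walk over a chain.

    Returns (rule number, target) of the first matching rule, or None when no
    rule matches and the packet falls through to whatever follows the chain.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("all", proto):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["num"], r["target"]
    return None

if __name__ == "__main__":
    rules = parse_chain(SAMPLE_CHAIN)
    print(first_match(rules, "172.17.0.2", "172.17.0.5", dport=5000))  # (1, 'DROP')
    print(first_match(rules[::-1], "172.17.0.2", "172.17.0.5", dport=5000))  # (2, 'ACCEPT')
```

Docker manages the DOCKER chain itself and may recreate its rules when the daemon restarts; the DOCKER-USER chain that appears in the listing above is the one Docker's documentation designates for user-added rules so that they survive this.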

7. Data volumes

docker run -v ~/container_data:/data -it --name volume01 wuyue1991/nginx:v1
docker run -v ~/container_data:/data -it --name volume02 wuyue1991/nginx:v1

Dockerfile VOLUME

Data volume containers (--volumes-from) reuse the volumes defined with docker run -v and Dockerfile VOLUME
docker run -it --name ubuntuVolume --volumes-from volume01 ubuntu:14.04 /bin/bash

[root@hbhost container_data]# docker inspect --format="{{.Mounts}}" ubuntuVolume
[{bind  /root/container_data /data   true rprivate}]
[root@hbhost container_data]# docker inspect --format="{{.Mounts}}" volume02
[{bind  /root/container_data /data   true rprivate}]
[root@hbhost container_data]# docker inspect --format="{{.Mounts}}" volume01
[{bind  /root/container_data /data   true rprivate}]

Removing a data volume container does not remove the data volume; docker rm -v does not remove a volume that is still mounted by another container.
Data volume containers are very useful for permission management and centralized management of storage.

Backup and restore of data volumes (to be added)

8. Cross-host container connectivity (needs substantial additions)

  1. Cross-host connectivity with a bridge (simple to configure, but IP ranges must be planned on the same subnet as the physical hosts; hard to manage and not convenient)
  2. Cross-host connectivity with Open vSwitch (GRE: Generic Routing Encapsulation, a tunnelling protocol that connects OVS bridges directly point to point) ovs-vsctl show
    Create the OVS bridge
    Add the GRE connection
    Configure the virtual bridge used by the Docker containers
    Add the OVS interface to the virtual bridge
    Add routes for the container subnets of the other hosts
  3. Cross-host connectivity with Weave
