Ubuntu LTS 奇数是开发版 偶数是稳定版 长时间服务(稳定版)
win10 win11 自带 powershell 更好用相比 xshell
root@servera:~# apt-get install ^C
root@servera:~# apt install ^C
apt安装的两种方法
root@servera:~# apt remove ^C
root@servera:~# ps aux
/usr/lib/systemd/system
ls
查看系统进程
docker info
GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1" 开启 cgroup 内存限制,并启用 swap 记账(swapaccount=1)
root@servera:/etc/netplan# vim /etc/default/grub
root@servera:/etc/netplan# update-grub^C
root@servera:/etc/netplan# reboot
docker search ubunt
docker search --limit 3 --filter is-official=true ubuntu
查看官方镜像
docker search --limit 3 --filter is-official=true --no-trunc ubuntu
展开官方镜像
root@server1:~# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
root@servera:~# vim docker-tag.sh
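#!/bin/sh
# Simple script that will display docker repository tags.
# Usage:
# $ docker-show-repo-tags.sh ubuntu centos
#
# The request URL is fixed to Docker Hub's "library/" namespace, so every
# argument must be a bare official-image name such as "centos".
# NOTE(review): only one response page appears to be read (the sample run
# lists 10 tags) - confirm against the API's pagination if all tags are needed.
for Repo in "$@" ; do
  # The argument is placed into the URL, so accept only a plain repository
  # name. A value containing "/" previously broke the final sed expression.
  case $Repo in
    ''|*[!A-Za-z0-9._-]*)
      printf '%s: not a bare repository name, skipped\n' "$Repo" >&2
      continue
      ;;
  esac
  curl -s -S "https://registry.hub.docker.com/v2/repositories/library/$Repo/tags/" | \
  sed -e 's/,/,\n/g' -e 's/\[/\[\n/g' | \
  grep '"name"' | \
  awk -F\" '{print $4;}' | \
  sort -fu | \
  while IFS= read -r Tag ; do
    # printf keeps the argument as data; it is never parsed as a sed script.
    printf '%s:%s\n' "$Repo" "$Tag"
  done
done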
root@servera:~# chmod +x docker-tag.sh
root@servera:~# ./docker-tag.sh centos
centos:7
centos:7.9.2009
centos:8.4.2105
centos:centos6
centos:centos6.10
centos:centos7
centos:centos7.9.2009
centos:centos8
centos:centos8.4.2105
centos:latest
root@servera:~# ./docker-tag.sh quay.io/flannel
sed: -e expression #1, char 13: unknown option to `s'
root@servera:~# ./docker-tag.sh flannel
docker save -o centos.tar centos:7 存出来
docker load --input centos.tar
root@servera:~# docker run centos:7 echo hello world
hello world
root@servera:~# echo hello world
hello world
root@servera:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
root@servera:~# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
eca686c37625 centos:7 "echo hello world" 22 seconds ago Exited (0) 15 seconds ago recursing_gauss
root@servera:~#
root@servera:~# docker ps -a -f " status=created"
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cd020fab7694 centos:7 "make" 3 minutes ago Created gifted_elgamal
root@servera:~# docker ps -a -f " status=running"
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
root@servera:~# docker run ubuntu
root@servera:~# docker run -i -t --name test centos:7 /bin/bash
docker run -itd --name devtest --hostname webserver centos:7 /bin/bash
d 后台运行 hostname 改主机名
root@servera:~# docker attach devtest
[root@webserver /]# ls ~
anaconda-ks.cfg
[root@webserver /]# exit
exit
root@servera:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
root@servera:~#
root@servera:~# docker start devtest
devtest
root@servera:~# docker start test
test
root@servera:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b13e1d544994 centos:7 "/bin/bash" 2 minutes ago Up 11 seconds devtest
fadecbac636b centos:7 "/bin/bash" 27 minutes ago Up 3 seconds test
root@servera:~# docker stop test
test
root@servera:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b13e1d544994 centos:7 "/bin/bash" 3 minutes ago Up 50 seconds devtest
root@servera:~# docker pause devtest
devtest
root@servera:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b13e1d544994 centos:7 "/bin/bash" 3 minutes ago Up About a minute (Paused) devtest
root@servera:~# docker unpause devtest
devtest
root@servera:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b13e1d544994 centos:7 "/bin/bash" 4 minutes ago Up About a minute devtest
root@servera:~# docker exec devtest ls ~
anaconda-ks.cfg
root@servera:~# docker exec -it devtest bash
[root@webserver /]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.3 0.0 11836 2852 pts/0 Ss+ 02:47 0:00 /bin/bash
root 16 2.3 0.0 46408 3820 ? Ss 02:50 0:00 ping www.baidu.com
root 28 11.0 0.0 11836 2844 pts/1 Ss 02:51 0:00 bash
root 42 0.0 0.0 51740 3540 pts/1 R+ 02:51 0:00 ps aux
[root@webserver /]# exit
exit
root@servera:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b13e1d544994 centos:7 "/bin/bash" 5 minutes ago Up 3 minutes devtest
root@servera:~#
attach 进入容器:连接到容器的主进程(上面的 /bin/bash),exit 后容器随之停止
exec 在容器里另起一个进程(上面 pts/1 的 bash),exit 后容器继续运行
docker rm -f $(docker ps -a -q)
另一种运行容器的方法
root@servera:~# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
root@servera:~# docker create -it --name test --hostname web centos:7 /bin/bash
01994358d20ee1e6e642e9b86f5fa7d9f1c6c915af0860a9bc465443d8df9fbe
root@servera:~# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
01994358d20e centos:7 "/bin/bash" 8 seconds ago Created test
root@servera:~# docker start test
test
root@servera:~# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
01994358d20e centos:7 "/bin/bash" 25 seconds ago Up 5 seconds test
root@servera:~# rz -E
rz waiting to receive.
root@servera:~# ls
centos.tar docker-tag.sh nginx-1.20.2.tar.gz
root@servera:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
01994358d20e centos:7 "/bin/bash" 3 minutes ago Up 2 minutes test
root@servera:~# docker run -itd --name webserver --hostname node1 ubuntu:latest bash
80f28ac3bb1076b7f995aa436e05116f3435d6d9a2c60251ef2266d1470e6bff
root@servera:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
80f28ac3bb10 ubuntu:latest "bash" 11 seconds ago Up 6 seconds webserver
01994358d20e centos:7 "/bin/bash" 3 minutes ago Up 3 minutes test
root@servera:~# docker exec -it test bash
[root@web /]# yum install -y httpd
apt update
apt install apt-file -y
apt-file update
apt-file search netstat | grep bin
安装 tools的
apt-file search scp | grep bin | grep scp
openssh-client: /usr/bin/scp
scp [email protected]:/root/nginx-1.20.2.tar.gz ~
cd
ls
apt install gcc libpcre3 libpcre3-dev zlib1g zlib1g-dev make -y
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx
make && make install
ln -s /usr/local/nginx/sbin/* /usr/local/sbin
useradd nginx
nginx -t
Nginx
netstat -anput | grep 80
apt install elinks
做完把docker容器做成镜像
docker ps
docker commit id号 hansir/ubuntu-nginx
docker run -itd --name web2 hansir/ubuntu-nginx nginx
docker ps
docker exec web3 nginx
docker ps -a
docker run -itd --name web2 hansir/ubuntu-nginx tail -f /var/log/lastlog
nginx
docker run -itd --name web3 hansir/ubuntu-nginx
docker ps -a
docker run -itd --name web4 hansir/ubuntu-nginx sh -c " nginx && tail -f /var/log/lastlog "
docker exec web4 ifconfig
elinks 172.17.0.6
做成模板 类似快照
docker ps
docker export -o nginx.tar web5
ls
docker import nginx.tar nginx2:latest
docker images
docker run -itd --name web6 nginx2 bash
docker exec web6 nginx
docker exec web6 ifconfig
elinks 172.17.0.6
宿主机做轮询
41 tar -zxvf nginx-1.18.0.tar.gz
42 cd nginx-1.18.0/
43 ./configure
44 apt install gcc libpcre3 libpcre3-dev zlib1g zlib1g-dev make -y
45 ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx
46 make && make install
47 ln -s /usr/local/nginx/sbin/* /usr/local/sbin/
48 useradd nginx
49 nginx -t
50 nginx
# Backend pool "xixi": three servers on port 80, each with weight=1.
# No balancing method is named here, so requests are spread by the equal weights.
upstream xixi {
server 172.17.0.4:80 weight=1;
server 172.17.0.5:80 weight=1;
server 172.17.0.6:80 weight=1;
}
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
# Hand every request for / to the "xixi" pool defined above.
# NOTE(review): with proxy_pass in this location, the root/index lines above
# are presumably leftovers from the default config - confirm.
proxy_pass http://xixi;
}
# NOTE(review): the closing brace of this server block is not shown in the notes.
下载一个ubuntu镜像
root@servera:~# docker pull ubuntu:latest
root@servera:~# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu latest ba6acccedd29 6 months ago 72.8MB
root@servera:~# ls
nginx-1.18.0.tar.gz
容器1
root@servera:~# docker run -itd --name web1 ubuntu bash
root@servera:~# docker exec -it web1 bash
root@764da60a66f9:/# apt update
root@764da60a66f9:/# apt install net-tools -y
root@764da60a66f9:/# apt install openssh-client -y
root@764da60a66f9:/# scp [email protected]:/root/nginx-1.18.0.tar.gz ./
安装mysql
apt update
apt install mysql-server
docker-ce
docker docker-engine docker.io containerd
docker-ce docker-ce-cli containerd.io docker-compose-plugin
vim /etc/apt/sources.list
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
root@ubuntu20:~# docker tag centos:7 centos:latest //加一个新标签(原来的 centos:7 仍然保留,并不是改名)
5.10 第二天
root@serverb:~# uname -r
5.4.0-109-generic
root@serverb:~# docker run -it --rm --name test centos:7
docker 不适合于对内核有要求的任务,docker共享内核
耦合: 有冲突的
解耦: 不冲突的
apt install apache2 -y
systemctl start apache2
apt install net-tools
netstat -anput | grep apache
ps ax | grep 4721/2047
cd /proc/
ls #伪文件系统
ls /sys/
proc(内存变化映射) sys 两个伪装文件系统
root@serverb:/proc# cd 2047/
root@serverb:/proc/2047# ls
root@serverb:/proc/2047# cd ns/
root@serverb:/proc/2047/ns# ls
cgroup mnt pid user
ipc net pid_for_children uts
ns = namespace 命名空间
ll
ll ../../2/ns
namespace编号相同就是耦合 不相同就是解耦
同一个空间就是耦合
cat cpuinfo cpu
cat meminfo 内存
cat devices 看设备
cat mounts 看挂载量
cat filesystems 看支持的文件系统
cat modules 查看计算机中加载的模块
cat version 看ubuntu内核模块
cat cmdline 查看启动内核的命令行
cat swaps 查看swap分区挂载量
cat uptime 打开系统正常运行时间
cat kmsg 内核信息输出文件
cat self 查看内核文件
cat pci
cat tty/driver/serial 查看谁是谁的串口顺序
cat sys/kernel/ostype 操作系统类型
cat sys/kernel/osrelease 发行版本
cat sys/kernel/version 查看系统版本
cat sys/kernel/hostname 查看名字
cat partitions 查看分区
cat locks 查看文件上锁
cat loadavg 查看1 5 15 分钟负载
docker run -itd --name test centos:7 /bin/bash
docker inspect test
docker inspect --format '{{ .State.Pid}}' test
ipc 信号量。消息队列和共享内存
mnt 挂载点和文件系统
net 网络协议栈。网络设备
pid 进程编号
user 用户和组
uts 主机名域名
为什么docker不能运行程序?
[root@ae1d19f3b6a3 /]# systemctl start httpd
Failed to get D-Bus connection: Operation not permitted
root@ubuntu20:~# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
httpd latest 118b6abfbf55 3 weeks ago 144MB
busybox latest beae173ccac6 3 months ago 1.24MB
centos 7 eeb6ee3f44bd 7 months ago 204MB
root@ubuntu20:~# uname -r
5.4.0-107-generic
root@ubuntu20:~# docker run --rm -it --name test centos:7 bash
[root@44a68620f227 /]# uname -r
5.4.0-107-generic
root@ubuntu20:~# apt install apache2 -y
root@ubuntu20:~# systemctl start apache2
root@ubuntu20:~# netstat -anput | grep apache2
tcp6 0 0 :::80 :::* LISTEN 7727/apache2
root@ubuntu20:~# cd /proc/
root@ubuntu20:/proc# ls
root@ubuntu20:/proc# cd 7727
root@ubuntu20:/proc/7727# ls
root@ubuntu20:/proc/7727# cd ns
root@ubuntu20:/proc/7727/ns# ls
cgroup ipc mnt net pid pid_for_children user uts
root@ubuntu20:/proc/7727/ns# ll
total 0
dr-x--x--x 2 root root 0 Apr 20 05:13 ./
dr-xr-xr-x 9 root root 0 Apr 20 05:11 ../
lrwxrwxrwx 1 root root 0 Apr 20 05:14 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Apr 20 05:14 ipc -> 'ipc:[4026531839]'
lrwxrwxrwx 1 root root 0 Apr 20 05:14 mnt -> 'mnt:[4026532634]'
lrwxrwxrwx 1 root root 0 Apr 20 05:14 net -> 'net:[4026531992]'
lrwxrwxrwx 1 root root 0 Apr 20 05:14 pid -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Apr 20 05:14 pid_for_children -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Apr 20 05:14 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Apr 20 05:14 uts -> 'uts:[4026531838]'
root@ubuntu20:/proc/7727/ns# cd
root@ubuntu20:~# docker run -itd --name test centos:7 /bin/bash
root@ubuntu20:~# docker inspect test //查看这个容器的详细信息
[
{
"Id": "9f714c1f1362da277903eaf108aaef4178b04d700222ed5d3e4fe58e7f257066",
"Created": "2022-04-20T05:23:16.348551887Z",
"Path": "/bin/bash",
"Args": [],
"State": {
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 8797,
"ExitCode": 0,
"Error": "",
"StartedAt": "2022-04-20T05:23:16.558939243Z",
"FinishedAt": "0001-01-01T00:00:00Z"
},
。。。。
root@ubuntu20:~# docker inspect --format '{{ .State.Pid}}' test
8797
root@ubuntu20:~# ps af | grep 8797
8797 pts/0 Ss+ 0:00 /bin/bash
9127 pts/0 S+ 0:00 \_ grep --color=auto 8797 容器在开机的时候映射了一个宿主机的pid编号
root@serverb:~# ps
PID TTY TIME CMD
774 pts/0 00:00:00 bash
1887 pts/0 00:00:00 bash
2068 pts/0 00:00:00 ps
root@serverb:~# ll /proc/774/ns/
total 0
dr-x--x--x 2 root root 0 May 9 20:52 ./
dr-xr-xr-x 9 root root 0 May 9 20:35 ../
lrwxrwxrwx 1 root root 0 May 9 20:52 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 May 9 20:52 ipc -> 'ipc:[4026531839]'
lrwxrwxrwx 1 root root 0 May 9 20:52 mnt -> 'mnt:[4026531840]'
lrwxrwxrwx 1 root root 0 May 9 20:52 net -> 'net:[4026531992]'
lrwxrwxrwx 1 root root 0 May 9 20:52 pid -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 May 9 20:52 pid_for_children -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 May 9 20:52 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 May 9 20:52 uts -> 'uts:[4026531838]'
root@serverb:~# ll /proc/1887/ns/
total 0
dr-x--x--x 2 root root 0 May 9 20:49 ./
dr-xr-xr-x 9 root root 0 May 9 20:49 ../
lrwxrwxrwx 1 root root 0 May 9 20:52 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 May 9 20:52 ipc -> 'ipc:[4026532559]'
lrwxrwxrwx 1 root root 0 May 9 20:52 mnt -> 'mnt:[4026532557]'
lrwxrwxrwx 1 root root 0 May 9 20:49 net -> 'net:[4026532562]'
lrwxrwxrwx 1 root root 0 May 9 20:52 pid -> 'pid:[4026532560]'
lrwxrwxrwx 1 root root 0 May 9 20:52 pid_for_children -> 'pid:[4026532560]'
lrwxrwxrwx 1 root root 0 May 9 20:52 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 May 9 20:52 uts -> 'uts:[4026532558]'
root@serverb:~# docker exec -it test /bin/bash
[root@5019ebad4c90 /]# read escape sequence (ctrl+p ctrl+q)
root@serverb:~# ps axf
PID TTY STAT TIME COMMAND
1861 ? Sl 0:00 /usr/bin/containerd-shim-runc-v2 -namespace moby -id 5019ebad4c90ce22375d9784f4
1887 pts/0 Ss+ 0:00 \_ /bin/bash
2096 ? Ss+ 0:00 \_ /bin/bash
root@serverb:~# ll /proc/1887/ns
total 0
dr-x--x--x 2 root root 0 May 9 20:49 ./
dr-xr-xr-x 9 root root 0 May 9 20:49 ../
lrwxrwxrwx 1 root root 0 May 9 20:52 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 May 9 20:52 ipc -> 'ipc:[4026532559]'
lrwxrwxrwx 1 root root 0 May 9 20:52 mnt -> 'mnt:[4026532557]'
lrwxrwxrwx 1 root root 0 May 9 20:49 net -> 'net:[4026532562]'
lrwxrwxrwx 1 root root 0 May 9 20:52 pid -> 'pid:[4026532560]'
lrwxrwxrwx 1 root root 0 May 9 20:52 pid_for_children -> 'pid:[4026532560]'
lrwxrwxrwx 1 root root 0 May 9 20:52 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 May 9 20:52 uts -> 'uts:[4026532558]'
root@serverb:~# ll /proc/2096/ns
total 0
dr-x--x--x 2 root root 0 May 9 21:01 ./
dr-xr-xr-x 9 root root 0 May 9 20:56 ../
lrwxrwxrwx 1 root root 0 May 9 21:01 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 May 9 21:01 ipc -> 'ipc:[4026532559]'
lrwxrwxrwx 1 root root 0 May 9 21:01 mnt -> 'mnt:[4026532557]'
lrwxrwxrwx 1 root root 0 May 9 21:01 net -> 'net:[4026532562]'
lrwxrwxrwx 1 root root 0 May 9 21:01 pid -> 'pid:[4026532560]'
lrwxrwxrwx 1 root root 0 May 9 21:01 pid_for_children -> 'pid:[4026532560]'
lrwxrwxrwx 1 root root 0 May 9 21:01 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 May 9 21:01 uts -> 'uts:[4026532558]'
第二天
root@ubuntu20:~# apt install gcc -y
root@ubuntu20:~# vim test.c
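/* Must be defined before any header so that <sched.h> declares clone(). */
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/wait.h>
#include <stdio.h>
#include <sched.h>
#include <signal.h>
#include <unistd.h>
#define STACK_SIZE (1024 * 1024)
/* Stack for the cloned child; clone() is given the top of this buffer. */
static char child_stack[STACK_SIZE];
char* const child_args[] = {
    "/bin/bash",
    NULL
};
/*
 * Entry point of the cloned child: replaces itself with /bin/bash.
 * Returns 1 only when execv() fails, because a successful execv() never returns.
 */
int child_main(void* args) {
    (void)args;
    printf("在子进程中! \n");
    execv(child_args[0], child_args);
    perror("execv");
    return 1;
}
/*
 * Clones a child that runs child_main(), waits for it to exit, then reports.
 * Returns 0 on success and 1 when the child could not be created.
 */
int main() {
    printf("程序开始: \n");
    int child_pid = clone(child_main, child_stack + STACK_SIZE, SIGCHLD, NULL);
    if (child_pid == -1) {
        /* Without this check waitpid(-1, ...) would wait for any child. */
        perror("clone");
        return 1;
    }
    waitpid(child_pid, NULL, 0);
    printf("已退出\n");
    return 0;
}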
root@ubuntu20:~# gcc -Wall test.c -o test.o
root@ubuntu20:~# ./test.o
程序开始:
在子进程中!
root@ubuntu20:~# ps
PID TTY TIME CMD
1583 pts/0 00:00:00 su
1585 pts/0 00:00:00 bash
7090 pts/0 00:00:00 test.o
7091 pts/0 00:00:00 bash
7098 pts/0 00:00:00 ps
root@ubuntu20:~# ps af
PID TTY STAT TIME COMMAND
1563 pts/0 Ss 0:00 -bash
1583 pts/0 S 0:00 \_ su - root
1585 pts/0 S 0:00 \_ -bash
7090 pts/0 S 0:00 \_ ./test.o
7091 pts/0 S 0:00 \_ /bin/bash
7101 pts/0 R+ 0:00 \_ ps af
1034 tty1 Ss+ 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root@ubuntu20:~# exit
exit
已退出
root@ubuntu20:~# ps af
PID TTY STAT TIME COMMAND
1563 pts/0 Ss 0:00 -bash
1583 pts/0 S 0:00 \_ su - root
1585 pts/0 S 0:00 \_ -bash
7110 pts/0 R+ 0:00 \_ ps af
1034 tty1 Ss+ 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root@ubuntu20:~# vim test.c
int child_main(void* args) {
printf("在子进程中! \n");
sethostname("ChangeName", 12);
int main() {
printf("程序开始: \n");
int child_pid = clone(child_main, child_stack + STACK_SIZE, CLONE_NEWUTS | SIGCHLD, NULL);
root@ubuntu20:~# gcc -Wall test.c -o uts.0
root@ubuntu20:~# ./uts.0
程序开始:
在子进程中!
root@ChangeName:~# ps af
PID TTY STAT TIME COMMAND
1563 pts/0 Ss 0:00 -bash
1583 pts/0 S 0:00 \_ su - root
1585 pts/0 S 0:00 \_ -bash
28594 pts/0 S 0:00 \_ ./uts.0
28595 pts/0 S 0:00 \_ /bin/bash
28606 pts/0 R+ 0:00 \_ ps af
1034 tty1 Ss+ 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root@ChangeName:~# ll /proc/1563/ns
total 0
dr-x--x--x 2 huisir huisir 0 Apr 21 07:10 ./
dr-xr-xr-x 9 huisir huisir 0 Apr 21 06:38 ../
lrwxrwxrwx 1 huisir huisir 0 Apr 21 07:10 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 huisir huisir 0 Apr 21 07:10 ipc -> 'ipc:[4026531839]'
lrwxrwxrwx 1 huisir huisir 0 Apr 21 07:10 mnt -> 'mnt:[4026531840]'
lrwxrwxrwx 1 huisir huisir 0 Apr 21 07:10 net -> 'net:[4026531992]'
lrwxrwxrwx 1 huisir huisir 0 Apr 21 07:10 pid -> 'pid:[4026531836]'
lrwxrwxrwx 1 huisir huisir 0 Apr 21 07:10 pid_for_children -> 'pid:[4026531836]'
lrwxrwxrwx 1 huisir huisir 0 Apr 21 07:10 user -> 'user:[4026531837]'
lrwxrwxrwx 1 huisir huisir 0 Apr 21 07:10 uts -> 'uts:[4026531838]'
root@ChangeName:~# ll /proc/28595/ns
total 0
dr-x--x--x 2 root root 0 Apr 21 07:12 ./
dr-xr-xr-x 9 root root 0 Apr 21 07:10 ../
lrwxrwxrwx 1 root root 0 Apr 21 07:12 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Apr 21 07:12 ipc -> 'ipc:[4026531839]'
lrwxrwxrwx 1 root root 0 Apr 21 07:12 mnt -> 'mnt:[4026531840]'
lrwxrwxrwx 1 root root 0 Apr 21 07:12 net -> 'net:[4026531992]'
lrwxrwxrwx 1 root root 0 Apr 21 07:12 pid -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Apr 21 07:12 pid_for_children -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Apr 21 07:12 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Apr 21 07:12 uts -> 'uts:[4026532633]' //uts和上面的不一样
root@ubuntu20:~# ipcs
------ Message Queues --------
key msqid owner perms used-bytes messages
------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
------ Semaphore Arrays --------
key semid owner perms nsems
root@ubuntu20:~# netstat -anput | grep apache2
tcp6 0 0 :::80 :::* LISTEN 29364/apache2
root@ubuntu20:~# curl 192.168.100.128
root@ubuntu20:~# vim test.c
int child_pid = clone(child_main, child_stack + STACK_SIZE, CLONE_NEWIPC | CLONE_NEWUTS | SIGCHLD, NULL);
root@ubuntu20:~# gcc -Wall test.c -o ipc.o
root@ubuntu20:~# ./ipc.o
程序开始:
在子进程中!
root@ChangeName:~# ipcmk -Q
Message queue id: 0
root@ChangeName:~# ipcmk -Q
Message queue id: 1
root@ChangeName:~# ipcmk -Q
Message queue id: 2
root@ChangeName:~# ipcmk -Q
Message queue id: 3
root@ChangeName:~# ipcmk -Q
Message queue id: 4
root@ChangeName:~# ipcmk -Q
Message queue id: 5
root@ChangeName:~# ipcs
------ Message Queues --------
key msqid owner perms used-bytes messages
0xfd1e8bf2 0 root 644 0 0
0xd9b745a8 1 root 644 0 0
0x97b215ba 2 root 644 0 0
0xc497504a 3 root 644 0 0
0x86157534 4 root 644 0 0
0xbe4517e1 5 root 644 0 0
------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
------ Semaphore Arrays --------
key semid owner perms nsems
root@ChangeName:~# exit
exit
已退出
root@ubuntu20:~# ipcs
------ Message Queues --------
key msqid owner perms used-bytes messages
------ Shared Memory Segments --------
key shmid owner perms bytes nattch status
------ Semaphore Arrays --------
key semid owner perms nsems
root@ChangeName:~# ps af
PID TTY STAT TIME COMMAND
1563 pts/0 Ss 0:00 -bash
1583 pts/0 S 0:00 \_ su - root
1585 pts/0 S 0:00 \_ -bash
30271 pts/0 S 0:00 \_ ./ipc.o
30272 pts/0 S 0:00 \_ /bin/bash
30327 pts/0 R+ 0:00 \_ ps af
1034 tty1 Ss+ 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root@ChangeName:~# ll /proc/1585/ns
total 0
dr-x--x--x 2 root root 0 Apr 21 07:04 ./
dr-xr-xr-x 9 root root 0 Apr 21 06:59 ../
lrwxrwxrwx 1 root root 0 Apr 21 07:29 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Apr 21 07:29 ipc -> 'ipc:[4026531839]'
lrwxrwxrwx 1 root root 0 Apr 21 07:29 mnt -> 'mnt:[4026531840]'
lrwxrwxrwx 1 root root 0 Apr 21 07:29 net -> 'net:[4026531992]'
lrwxrwxrwx 1 root root 0 Apr 21 07:29 pid -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Apr 21 07:29 pid_for_children -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Apr 21 07:29 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Apr 21 07:29 uts -> 'uts:[4026531838]'
root@ChangeName:~# ll /proc/30272/ns
total 0
dr-x--x--x 2 root root 0 Apr 21 07:30 ./
dr-xr-xr-x 9 root root 0 Apr 21 07:27 ../
lrwxrwxrwx 1 root root 0 Apr 21 07:30 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Apr 21 07:30 ipc -> 'ipc:[4026532644]'
lrwxrwxrwx 1 root root 0 Apr 21 07:30 mnt -> 'mnt:[4026531840]'
lrwxrwxrwx 1 root root 0 Apr 21 07:30 net -> 'net:[4026531992]'
lrwxrwxrwx 1 root root 0 Apr 21 07:30 pid -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Apr 21 07:30 pid_for_children -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Apr 21 07:30 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Apr 21 07:30 uts -> 'uts:[4026532643]'
root@ubuntu20:~# docker run -itd --name test centos:7 bash
1bb9cb9b1629ce0d845ced1a74a59b8a5b5020c8917b7e3117fc5875cbd199e2
root@ubuntu20:~# docker exec -it test bash
[root@1bb9cb9b1629 /]# yum install httpd -y
[root@1bb9cb9b1629 /]# systemctl start httpd
Failed to get D-Bus connection: Operation not permitted //没有权限
root@ubuntu20:~# ps ax
PID TTY STAT TIME COMMAND
1 ? Ss 0:03 /sbin/init maybe-ubiquity
root@ubuntu20:~# pstree
systemd─┬─ModemManager───2*[{ModemManager}]
├─NetworkManager───2*[{NetworkManager}]
├─VGAuthService
├─accounts-daemon───2*[{accounts-daemon}]
├─agetty
├─apache2───2*[apache2───26*[{apache2}]]
├─atd
├─containerd───9*[{containerd}]
├─containerd-shim─┬─bash
│ └─11*[{containerd-shim}]
├─cron
├─dbus-daemon
├─dockerd───9*[{dockerd}]
├─irqbalance───{irqbalance}
├─multipathd───6*[{multipathd}]
├─networkd-dispat
├─polkitd───2*[{polkitd}]
├─rsyslogd───3*[{rsyslogd}]
├─snapd───13*[{snapd}]
├─sshd───sshd───sshd───bash───su───bash───pstree
├─systemd───(sd-pam)
├─systemd-journal
├─systemd-logind
├─systemd-network
├─systemd-resolve
├─systemd-timesyn───{systemd-timesyn}
├─systemd-udevd
├─udisksd───4*[{udisksd}]
├─unattended-upgr───{unattended-upgr}
├─vmtoolsd───2*[{vmtoolsd}]
└─wpa_supplicant
root@ubuntu20:~# ll /sbin/init
lrwxrwxrwx 1 root root 20 Jan 10 04:56 /sbin/init -> /lib/systemd/systemd* //可以看到是软连接过来的
root@ChangeName:~# echo $$
31284
root@ChangeName:~# ps af
PID TTY STAT TIME COMMAND
30732 pts/0 Ss+ 0:00 bash
1563 pts/0 Ss 0:00 -bash
1583 pts/0 S 0:00 \_ su - root
1585 pts/0 S 0:00 \_ -bash
31283 pts/0 S 0:00 \_ ./ipc.o
31284 pts/0 S 0:00 \_ /bin/bash
31295 pts/0 R+ 0:00 \_ ps af
1034 tty1 Ss+ 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root@ubuntu20:~# vi test.c
int child_pid = clone(child_main, child_stack + STACK_SIZE, CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWUTS | SIGCHLD, NULL);
root@ubuntu20:~# gcc -Wall test.c -o pid.o
root@ubuntu20:~# ./pid.o
程序开始:
在子进程中!
root@ChangeName:~# echo $$
1
root@ChangeName:~# ps af
PID TTY STAT TIME COMMAND
30732 pts/0 Ss+ 0:00 bash
1563 pts/0 Ss 0:00 -bash
1583 pts/0 S 0:00 \_ su - root
1585 pts/0 S 0:00 \_ -bash
31372 pts/0 S 0:00 \_ ./pid.o
31373 pts/0 S 0:00 \_ /bin/bash
31386 pts/0 R+ 0:00 \_ ps af
1034 tty1 Ss+ 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root@ChangeName:~# ll /proc/1585/ns
total 0
dr-x--x--x 2 root root 0 Apr 21 07:04 ./
dr-xr-xr-x 9 root root 0 Apr 21 06:59 ../
lrwxrwxrwx 1 root root 0 Apr 21 07:29 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Apr 21 07:29 ipc -> 'ipc:[4026531839]'
lrwxrwxrwx 1 root root 0 Apr 21 07:29 mnt -> 'mnt:[4026531840]'
lrwxrwxrwx 1 root root 0 Apr 21 07:29 net -> 'net:[4026531992]'
lrwxrwxrwx 1 root root 0 Apr 21 07:29 pid -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Apr 21 07:29 pid_for_children -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Apr 21 07:29 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Apr 21 07:29 uts -> 'uts:[4026531838]'
root@ChangeName:~# ll /proc/31373/ns
total 0
dr-x--x--x 2 root root 0 Apr 21 07:56 ./
dr-xr-xr-x 9 root root 0 Apr 21 07:55 ../
lrwxrwxrwx 1 root root 0 Apr 21 07:56 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Apr 21 07:56 ipc -> 'ipc:[4026532709]'
lrwxrwxrwx 1 root root 0 Apr 21 07:56 mnt -> 'mnt:[4026531840]'
lrwxrwxrwx 1 root root 0 Apr 21 07:56 net -> 'net:[4026531992]'
lrwxrwxrwx 1 root root 0 Apr 21 07:56 pid -> 'pid:[4026532710]'
lrwxrwxrwx 1 root root 0 Apr 21 07:56 pid_for_children -> 'pid:[4026532710]'
lrwxrwxrwx 1 root root 0 Apr 21 07:56 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Apr 21 07:56 uts -> 'uts:[4026532708]'
cd /proc/
207 ls
208 netstat -anpt | grep apache2
209 cd 29364
210 cat mountstats 文件系统设备信息,包括挂的文件,记录文件的系统类型,挂载的位置等等
211 cat mounts 所有挂载点到当前的namespace中的文件系统
root@ubuntu20:~# vi test.c
int child_pid = clone(child_main, child_stack + STACK_SIZE, CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWUTS | SIGCHLD, NULL);
root@ubuntu20:~# gcc -Wall test.c -o mnt.o
root@ubuntu20:~# ./mnt.o
程序开始:
在子进程中!
root@ChangeName:~# mount --make-private -t proc proc /proc
root@ChangeName:~# ls /proc/
1 consoles fb kcore locks net slabinfo timer_list
9 cpuinfo filesystems keys mdstat pagetypeinfo softirqs tty
acpi crypto fs key-users meminfo partitions stat uptime
asound devices interrupts kmsg misc pressure swaps version
buddyinfo diskstats iomem kpagecgroup modules sched_debug sys version_signature
bus dma ioports kpagecount mounts schedstat sysrq-trigger vmallocinfo
cgroups driver irq kpageflags mpt scsi sysvipc vmstat
cmdline execdomains kallsyms loadavg mtrr self thread-self zoneinfo
root@ChangeName:~# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 7236 3960 pts/0 S 08:13 0:00 /bin/bash
root 10 0.0 0.0 8888 3320 pts/0 R+ 08:14 0:00 ps aux
因为宿主机的挂载点默认是 shared(共享传播)挂载 所以你得把这个变成私有(private)挂载
root@serverb:~# mount --make-private -t proc proc /proc/
root@serverb:~# ls /proc/
宿主机这个状态下 恢复正常
然后看
root@serverb:~# ./mnt.o
程序开始:
在子进程中!
root@ChangeName:~# mount --make-private -t proc proc /proc/
root@ChangeName:~# ls /proc/
1 diskstats kallsyms meminfo schedstat timer_list
9 dma kcore misc scsi tty
acpi driver keys modules self uptime
buddyinfo execdomains key-users mounts slabinfo version
bus fb kmsg mpt softirqs version_signature
cgroups filesystems kpagecgroup mtrr stat vmallocinfo
cmdline fs kpagecount net swaps vmstat
consoles interrupts kpageflags pagetypeinfo sys zoneinfo
cpuinfo iomem loadavg partitions sysrq-trigger
crypto ioports locks pressure sysvipc
devices irq mdstat sched_debug thread-self
然后看
root@ChangeName:~# exit
exit
已退出
root@serverb:~# ls /proc/
1 12 139 1955 259 4 492 99 kallsyms sched_debug
10 120 14 2 26 40 499 acpi kcore schedstat
100 121 140 20 27 405 502 buddyinfo keys scsi
101 122 141 2029 28 406 538 bus key-users self
1019 123 142 2038 286 41 546 cgroups kmsg slabinfo
102 124 143 2072 29 417 555 cmdline kpagecgroup softirqs
103 125 144 21 293 418 6 consoles kpagecount stat
106 126 145 2154 3 42 759 cpuinfo kpageflags swaps
107 127 1455 2192 30 428 762 crypto loadavg sys
109 128 146 2195 316 429 789 devices locks sysrq-trigger
11 129 148 22 32 43 833 diskstats mdstat sysvipc
110 13 149 223 33 430 839 dma meminfo thread-self
111 130 15 224 34 431 850 driver misc timer_list
112 131 159 226 35 437 874 execdomains modules tty
113 132 16 227 352 440 898 fb mounts uptime
114 133 162 228 353 441 9 filesystems mpt version
115 134 17 23 355 443 90 fs mtrr version_signature
116 135 175 230 36 444 91 interrupts net vmallocinfo
117 136 18 24 37 448 92 iomem pagetypeinfo vmstat
118 137 1953 257 38 470 93 ioports partitions zoneinfo
119 138 1954 258 39 491 98 irq pressure
为啥docker不能运行程序
root@serverb:~# ./mnt.o
程序开始:
在子进程中!
root@ChangeName:~# mount --make-private -t proc proc /proc/
root@ChangeName:~# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 10176 3944 pts/0 S 01:02 0:00 /bin/bash //因为这里的 1 号进程是 /bin/bash,而不是 init(systemd),所以 systemctl 用不了
root 9 0.0 0.0 11772 3096 pts/0 R+ 01:02 0:00 ps aux
root@ChangeName:~# docker run -it --rm --name test centos:7 bash
[root@7c0690854764 /]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.2 0.0 11836 2876 pts/0 Ss 17:05 0:00 bash
root 16 0.0 0.0 51740 3440 pts/0 R+ 17:06 0:00 ps aux
这里就可以安装程序运行了
root@ubuntu20:~# docker run -d --name runsys --privileged centos:7 /sbin/init //不推荐这种提权的方法:--privileged 会给容器全部 capabilities 并放开对宿主机设备的访问,容器里的 root 基本等同于宿主机 root
2f1813de507f003ee2926c5f9fa159ef5b605d6d0dfc66e9c2e282e79d5c168e
root@ubuntu20:~# docker exec -it runsys bash
[root@2f1813de507f /]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.1 0.1 43176 4996 ? Ss 08:18 0:00 /sbin/init
root 26 0.0 0.1 39068 4564 ? Ss 08:18 0:00 /usr/lib/systemd/systemd-journald
root 30 0.1 0.0 35064 3248 ? Ss 08:18 0:00 /usr/lib/systemd/systemd-udevd
root 55 0.0 0.0 24268 2864 ? Ss 08:18 0:00 /usr/lib/systemd/systemd-logind
dbus 56 0.0 0.1 57988 4140 ? Ss 08:18 0:00 /usr/bin/dbus-daemon --system --address=sys
root 74 0.0 0.0 11836 2972 pts/0 Ss 08:19 0:00 bash
root 91 0.0 0.0 51740 3396 pts/0 R+ 08:19 0:00 ps aux
[root@2f1813de507f /]# yum -y install httpd
[root@2f1813de507f /]# systemctl restart httpd
[root@2f1813de507f /]# ps axf
PID TTY STAT TIME COMMAND
74 pts/0 Ss 0:00 bash
183 pts/0 R+ 0:00 \_ ps axf
1 ? Ss 0:00 /sbin/init
26 ? Ss 0:00 /usr/lib/systemd/systemd-journald
30 ? Ss 0:00 /usr/lib/systemd/systemd-udevd
55 ? Ss 0:00 /usr/lib/systemd/systemd-logind
56 ? Ss 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-a
176 ? Ss 0:00 /usr/sbin/httpd -DFOREGROUND
178 ? S 0:00 \_ /usr/sbin/httpd -DFOREGROUND
179 ? S 0:00 \_ /usr/sbin/httpd -DFOREGROUND
180 ? S 0:00 \_ /usr/sbin/httpd -DFOREGROUND
181 ? S 0:00 \_ /usr/sbin/httpd -DFOREGROUND
182 ? S 0:00 \_ /usr/sbin/httpd -DFOREGROUND
[root@2f1813de507f /]# vi /var/www/html/index.html
[root@2f1813de507f /]# exit
exit
root@ubuntu20:~# curl 172.17.0.2
aaaaaaaaaaaaaaaaa
root@serverb:~# vim /usr/lib/systemd/system/apache2.service
root@serverb:~# netstat -anput | grep apache2
tcp6 0 0 :::80 :::* LISTEN 1953/apache2
root@serverb:~# /usr/sbin/apachectl stop
root@serverb:~# netstat -anput | grep apache2
root@serverb:~# /usr/sbin/apachectl start
Invoking 'systemctl start apache2'.
Use 'systemctl status apache2' for more info.
Warning: The unit file, source configuration file or drop-ins of apache2.service changed on disk. Run 'systemctl daemon-reload' to reload units.
root@serverb:~# netstat -anput | grep apache2
tcp6 0 0 :::80 :::* LISTEN 3236/apache2
root@ubuntu20:~# docker run -itd --name runsys centos:7 bash
491bac0a6ad63bf890c79c99e0aa20110f8d2c2607151ef5322f5bdd35d47acc
root@ubuntu20:~# docker exec -it runsys bash
[root@491bac0a6ad6 /]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 11836 2852 pts/0 Ss+ 08:29 0:00 bash
root 15 0.3 0.0 11836 2988 pts/1 Ss 08:29 0:00 bash
root 29 0.0 0.0 51740 3376 pts/1 R+ 08:29 0:00 ps aux
[root@491bac0a6ad6 /]# yum install passwd iproute openssh-server openssh-client -y
[root@491bac0a6ad6 /]# passwd root
Changing password for user root.
New password:
BAD PASSWORD: The password fails the dictionary check - it is too simplistic/systematic
Retype new password:
passwd: all authentication tokens updated successfully.
[root@491bac0a6ad6 /]#
[root@3606d5385bee /]# vi /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service
[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
ssh-keygen -q -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key
回车
回车
ssh-keygen -q -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
vim /etc/ssh/sshd_config
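改 UsePAM no
UsePrivilegeSeparation sandbox 改为 no
PermitRootLogin yes
(以上三项都是在降低 sshd 的安全防护,只适合实验容器:前面给 root 设的密码连字典检查都没通过,开放 root 密码登录后很容易被暴力破解;正式环境应禁止 root 直接登录并改用密钥认证)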
查看IP地址
/usr/sbin/sshd -D &
exit
ssh root@<容器IP>
打开容器的三种方法 提权 绕开程序找到命令
网络隔离
veth pair成对儿
root@servera:~# ip netns add testns
root@servera:~# ip netns
testns
root@servera:~# ip netns exec testns ip a
1: lo:
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
root@servera:~# ip netns exec testns ip link set dev lo up
root@servera:~# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=2.31 ms
ip link add veth0 type veth peer name veth1
ip a
ip link set veth1 netns testns
ip a
ip netns exec testns ip a
ip netns exec testns ifconfig veth1 1.1.1.1/24 up
ifconfig veth0 1.1.1.2/24 up
ip a
ping 1.1.1.1
ip netns exec testns ping 1.1.1.2
ip netns exec testns ip r
iptables -L
ip netns exec testns iptables -L
libxxx库文件 告诉系统要用那些文件
/proc 伪文件系统计算机内存信息对操作系统的映射(内存中跑的啥东西)
/sys/ 伪文件 计算机开机后操作系统临时打开文件的映射
启动程序三个方式
源码包启动
绕过启动程序
提权
第三天
属性权限>rwx>root超级用户
chattr +i 锁死文件 chattr -i
小写t是下面有遮挡的x权限
T是没有遮挡
权限chattr
A 创建文件时间不可修改 S 直接写入硬盘 a 只能增加不能减少
c 压缩权限 d dump权限保留底层块文件 i 锁定文件 s 从硬盘永远删除 u 永久保存
linux本地权限有25 个权限 取合集
设置权限逻辑
将用户放到组里 对组设置权限
将进程放到cgroup 对cgroup设置权限
服务端的selinux 会影响访问
cgroup是本地 取合集
伪文件系统 proc cgroup
cgroup可以到达线程级别
Docker核心原理之cgroup
“把用户放到组里面,对组进行权限设置”
Control groups: “把进程(tasks)放到组里面,对组进行权限设置”
Process Control
四个功能
1.资源控制:禁止超出某个限制。比如内存上限(不是所有的都能限制)
2.优先级分配:使用硬件的权重值 cpu 、blkio..
3.资源统计: 使用硬件资源的用量 time..
4.进程控制: 挂起、恢复
cd /proc/进程号/task/进程号
cd /proc/进程号/ns
cd
task 表示进程本身
lssubsys查看计算机中有哪些子系统
lssubsys -m 告诉你子系统配置文件在哪里
块设备: 能够存储格式化的叫块设备 linux 一切皆设备
把task放到cgroup里面 对cgroup进行配置 subsystem子系统资源调度控制器
hierarchy: 层级树。逻辑上的结构
lssubsys -h 帮助 lssubsys -i 属于什么层级
做实验限制内存cpu的时候改成单核单进程 之前是单核
pstree -p 生成树
docker run -itd --name bb --cpu-shares 1024 ubuntu
docker run -itd --name aa --cpu-shares 512 ubuntu
cd /sys/fs/cgroup/
cd cpu
ls
/sys/fs/cgroup/cpu/docker
ls 有两个进程号
cat tasks
cat cpu.shares 区分那个是512 那个是1024
docker pull progrium/stress 压满cpu
第四天
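vim /usr/lib/systemd/system/docker.service
在 ExecStart 的 fd:// 后面追加 -H tcp://0.0.0.0
注意:这样开放的 TCP 监听既不加密也不认证,能连到该端口的人都可以控制 docker,相当于拿到宿主机 root;只适合隔离的实验网络,正式环境应启用 TLS 双向认证(--tlsverify 及对应证书参数),并限制监听地址或用防火墙收紧来源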
root@servera:~# systemctl daemon-reload
root@servera:~# systemctl restart docker
netstat -anput | grep docker 出现进程号
docker -H 10.15.200.11 info
cd /var/lib/docker/
docker 框架
docker是由 images(层关系) 和 overlay2 (具体数据) 这两个存储的
硬盘里的数据不能被删掉能被覆盖 linux最小的格式单元叫扇区
linux内核 vim /boot/grub/grub.cfg 叫vmlinuz
rootfs
计算机在开机的时候因为bios无法读取硬盘里的文件系统
所以计算机读取了一个假的文件系统从而读取一个真的操作系统
启动计算机rootfs(根目录)作为启动docker的引导程序是一个小的操作系统
union mount 联合挂载
容器和镜像的关系
用unionmount关系之上又打开了一个可读写
第一种镜像为
base镜像 不依赖其他镜像(其他镜像可以为之扩展)
alpine世界上最小的操作系统
docker pull alpine
docker run -it --rm --name test alpine ash
root@servera:~# docker run -itd --name web nginx
Unable to find image 'nginx:latest' locally
latest: Pulling from library/nginx
a2abf6c4d29d: Already exists
a9edb18cadd1: Pull complete
589b7251471a: Pull complete
186b1aaa4aa6: Pull complete
b4df32aa5a72: Pull complete
a0bcbecc962e: Pull complete
Digest: sha256:0d17b565c37bcbd895e9d92315a05c1c3c9a29f762b011a10c54a66cd53c9b31
Status: Downloaded newer image for nginx:latest
af4e3164df83c700d365cf488f2c0a9ebcd67d7a57e226fd98dcec549e97dc46
root@servera:~# docker exec -it web
"docker exec" requires at least 2 arguments.
See 'docker exec --help'.
Usage: docker exec [OPTIONS] CONTAINER COMMAND [ARG...]
Run a command in a running container
root@servera:~# docker exec -it web bash
root@af4e3164df83:/# cd /usr/share/nginx/
root@af4e3164df83:/usr/share/nginx# ls
html
root@af4e3164df83:/usr/share/nginx# cd html/
root@af4e3164df83:/usr/share/nginx/html# ls
50x.html index.html
root@af4e3164df83:/usr/share/nginx/html# echo 123 > index.html
root@af4e3164df83:/usr/share/nginx/html# echo 345 > 456
root@af4e3164df83:/usr/share/nginx/html# exit
exit
root@servera:~# docker diff web
C /etc
C /etc/nginx
C /etc/nginx/conf.d
C /etc/nginx/conf.d/default.conf
C /var
C /var/cache
C /var/cache/nginx
A /var/cache/nginx/scgi_temp
A /var/cache/nginx/uwsgi_temp
A /var/cache/nginx/client_temp
A /var/cache/nginx/fastcgi_temp
A /var/cache/nginx/proxy_temp
C /run
A /run/nginx.pid
C /usr
C /usr/share
C /usr/share/nginx
C /usr/share/nginx/html
C /usr/share/nginx/html/index.html
A /usr/share/nginx/html/456
C /root
A /root/.bash_history
root@servera:~#
docker diff web 查看容器层内更改的数据
第一种方法查看时区timedatectl
设置时区 tzselect
4 10 1 1
第二方法 ls /usr/share/zoneinfo/Asia/
vim Dockerfile
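# Small demo image built on busybox to show how build steps stack up.
FROM busybox
# Created in the working directory that is current before WORKDIR changes it.
RUN touch 1tmpfile
WORKDIR /tmp
# Created under /tmp because of the WORKDIR instruction above.
RUN touch 2tmpfile
# Shell-form RUN already goes through "/bin/sh -c"; the extra
# "/bin/sh -c echo ..." wrapper passed the message to sh as $0, so echo printed nothing.
RUN echo " gaoyang debug images ..."
# testfile must be present in the build context.
COPY testfile /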
第五天
冷数据不变的放在镜像内
热数据发生变化的放在容器内
docker ps -s 能查看出容器大小(size 和 virtual 两个值)
virtual代表只读层的大小 代表在镜像占用的大小
images overlay2 存镜像
containerd 存容器
docker image inspect 名字 查看镜像详细信息
docker run -itd --name aa acme/my-final-images:1.0 bash
a2301756477ea3d01e88e4adca2f47237878af6389ecca26c67ade6b7a9011e7
root@servera:~/cow-test# docker run -itd --name bb acme/my-final-images:1.0 bash
e48aacf1b5b0456c36d7309a79642660b4c0641b04eabb6e8ff3fc114c71e975
root@servera:~/cow-test# docker run -itd --name cc acme/my-final-images:1.0 bash
1024e1247756a7dad61e5c5192d5384b3b93886df63bdf4f8df5a67d97516e80
root@servera:~/cow-test# docker run -itd --name dd acme/my-final-images:1.0 bash
e5f7cab28548fab0ab2e00cd92dbbd39a9ac9028e123b6edf885cbb513d0ac4e
root@servera:~/cow-test# docker run -itd --name ee acme/my-final-images:1.0 bash
docker ps --size
docker ps --size --format "table {{.ID}}\t{{.Image}}\t{{.Names}}\t{{.Size}}"
root@servera:~# docker exec aa sh -c 'echo helo > /out.txt'
root@servera:~# docker exec bb sh -c 'echo helo > /out.txt'
vim /etc/docker/daemon.json 修改docker驱动器为 "storage-driver": "aufs"
systemctl daemon-reload
docker启动时占36个k
下一代镜像构建神器 buildkit
1. 相同硬件 构建时间节省10%
2. 从最少变化到最频繁变化的顺序
3.应该避免使用copy
4.尽量使用官方镜像
secret 构建的时候把文件挂载进容器 执行 退出来的时候就不见了(不会写进镜像层)
5. 使用最小的alpine镜像
secret 放文件再删除 一般放密码 秘钥(对比:用 COPY 把密码文件放进去再 rm,文件仍留在之前的镜像层里,拿到镜像的人可以取回)
将软件包做成镜像
apt install -y unzip
unzip app.zip
5.16 第六天
docker network create --driver
docker network ls 查看
none 网络是一个封闭 的网络 安全隔离
host网络 两块网卡 一块ens33 一块docker0 网络传输性能高
使用物理机的桥接卡会抢占物理机的端口号和协议
joiner 让两个容器使用相同的网络
apt install bridge-utils -y 安装桥接卡
brctl show 查看
bridge 网关地址是桥接卡的地址
--network-alias 别名
网络在什么情况下生效
协议相同 在同一个vlan 同一个广播域
5.17 第七天
tcpdump -i ens33 -n icmp
tcpdump -i docker0 -n icmp
检测抓包
Bind mount:把宿主机目录挂载到容器内 物理机目录:容器目录
Volume:将容器内的目录挂载到物理机中 文件名:容器目录
Tmpfs:把容器中的某个目录挂载到内存中
卷容器 不必用像bind mount一样一个个指定 实现了解耦
有利于配置的标准化
5.18
下载一个nginx的镜像 docker pull nginx
下载nginx
mkdir /nginx
mkdir /nginx/index{1..3}
/usr/share/nginx/html/ 网页目录
/etc/nginx/nginx.conf配置文件
映射网页文件
docker run -itd --name web1 -p 8081:80 -v /nginx/index1/index.html:/usr/share/nginx/html/index.html:ro nginx
docker run -itd --name web2 -p 8082:80 -v /nginx/index2/index.html:/usr/share/nginx/html/index.html:ro nginx
docker run -itd --name web3 -p 8083:80 -v /nginx/index3/index.html:/usr/share/nginx/html/index.html:ro nginx
wget http://nginx.org/download/nginx-1.20.0.tar.gz
(这里是明文 http 下载且没有做完整性校验;编译安装前最好改用 https,并用 nginx.org 提供的 PGP 签名校验源码包)
tar -zxvf nginx-1.20.0.tar.gz
cd nginx-1.20.0/
apt install gcc libpcre3 libpcre3-dev zlib1g zlib1g-dev make -y
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx
make && make install
ln -s /usr/local/nginx/sbin/* /usr/local/sbin/
useradd nginx
nginx -t
vi /usr/local/nginx/conf/nginx.conf
upstream wwwbackend {
server 192.168.100.101:8081 weight=1;
server 192.168.100.101:8082 weight=1;
server 192.168.100.101:8083 weight=1;
}
proxy_pass http://wwwbackend;
nginx -s reload
killall nginx
5.19
compose
root@servera:~# vi /etc/docker/daemon.json //永久
{
"registry-mirrors": ["https://2369rxfg.mirror.aliyuncs.com"],
"storage-driver": "overlay2",
"features":{"buildkit":true }
}
buildkit构建
5.20
5.24
k8s 运行以及部署
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#-strong-api-groups-strong-
vim nginx.yaml
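# Deployment running three replicas of nginx 1.20, each exposing container port 80.
# Indentation restored: the flattened listing is not a valid manifest.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployments
spec:
  selector:
    matchLabels:
      app: nginx        # must match the pod template labels below
  replicas: 3
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.20
        ports:
        - containerPort: 80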
crictl ps 客户机查看命令