**
如何進入服務容器內部
**
##################################################################
使用exec命令進入
[root@foundation15 ~]# docker run -d --name vm1 nginx
41a0572cdd0e3b70e09ac9f74dcfc341c21ceef2c07dee714f0a24d94b1aa77f
[root@foundation15 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
41a0572cdd0e nginx "nginx -g 'daemon ..." 4 seconds ago Up 3 seconds 80/tcp vm1
[root@foundation15 ~]# docker container exec -it vm1 bash
root@41a0572cdd0e:/#
##################################################################
##########################################################################
創建容器時直接打開交互界面shell
[root@foundation15 ~]# docker run -it --name vm2 nginx bash
root@d5f787395834:/# ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
##########################################################
**
使用supervisord同時打開多個服務
**
封裝一個新的鏡像
####################################################################
編寫新的Dockerfile
# Lab image: sshd and httpd in one container, both started by supervisord.
FROM rhel7
EXPOSE 22 80
COPY yum.repo /etc/yum.repos.d/yum.repo
# NOTE(review): the trailing "root:westos | chpasswd" on this line looks like a
# paste error; the root password is set by the next RUN instruction.
RUN rpmdb --rebuilddb&& yum install -y openssh-server supervisor openssh-clients httpd&& yum clean all root:westos | chpasswd
# The root password is hard-coded, so it is stored in the image layers and is
# visible in `docker history`; every container started from this image shares
# it. Acceptable for a lab only.
RUN echo root:westos | chpasswd
# Host keys are generated at build time, so all containers started from this
# image present the same SSH host keys.
RUN ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -q -N ""
# ssh-dss (DSA) is deprecated; recent OpenSSH releases disable it by default.
RUN ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -q -N ""
COPY supervisord.conf /etc/supervisord.conf
# supervisord is the container's main process and starts the programs listed
# in the copied supervisord.conf.
CMD ["/usr/bin/supervisord"]
ssh 部分在生產環境可以寫在一起,但實驗環境爲了清楚地理解過程而分開寫。注意:root 密碼以明文寫在 Dockerfile 中,會留在鏡像層和 docker history 裏,僅適合實驗環境。
supervisord配置文件
[supervisord]
; Stay in the foreground so supervisord remains the container's main process.
nodaemon=true
[program:sshd]
; -D keeps sshd in the foreground so supervisord can track the process.
command=/usr/sbin/sshd -D
[program:httpd]
; NOTE(review): no foreground flag here; httpd presumably forks into the
; background, so supervisord cannot supervise it. Consider -DFOREGROUND.
command=/usr/sbin/httpd
####################################################
######################################################
build創建新鏡像即可
[root@foundation15 docker]# docker build -t rhel7:v3 .
Sending build context to Docker daemon 7.168 kB
Step 1/9 : FROM rhel7
---> 0a3eb3fde7fd
Step 2/9 : EXPOSE 22 80
---> Using cache
---> 1ec0317a22b7
Step 3/9 : COPY yum.repo /etc/yum.repos.d/yum.repo
---> Using cache
---> de3c79e1b8df
Step 4/9 : RUN rpmdb --rebuilddb&& yum install -y openssh-server supervisor openssh-clients httpd&& yum clean all root:westos | chpasswd
---> Using cache
---> 4b108c1cd6ab
Step 5/9 : RUN echo root:westos | chpasswd
---> Running in d549e2f4dc2d
---> 916e64011fea
Removing intermediate container d549e2f4dc2d
Step 6/9 : RUN ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -q -N ""
---> Running in 23d52c8a575c
---> cba68be457bc
Removing intermediate container 23d52c8a575c
Step 7/9 : RUN ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -q -N ""
---> Running in 200c813e6e7e
---> 6317ae0edd48
Removing intermediate container 200c813e6e7e
Step 8/9 : COPY supervisord.conf /etc/supervisord.conf
---> 2dd5c9ef0be1
Removing intermediate container 2666c11d86dd
Step 9/9 : CMD /usr/bin/supervisord
---> Running in 2a15083c3b60
---> 15846d8145b3
Removing intermediate container 2a15083c3b60
Successfully built 15846d8145b3
[root@foundation15 docker]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
rhel7 v3 15846d8145b3 13 seconds ago 202 MB
##################################################################
##################################################################
使用新鏡像創建容器
[root@foundation15 docker]# docker run -d --name vm1 -v /tmp/docker/web/:/var/www/html rhel7:v3
5d6054ef42d8c01dfb9191b90ade1302fa85db3b12e6b775225623ed36bda53b
[root@foundation15 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5d6054ef42d8 rhel7:v3 "/usr/bin/supervisord" 2 seconds ago Up 2 seconds 22/tcp, 80/tcp vm1
##################################################################
##################################################################
測試
[root@foundation15 docker]# ssh 172.17.0.2
The authenticity of host '172.17.0.2 (172.17.0.2)' can't be established.
RSA key fingerprint is 38:a9:59:49:4b:2f:bc:32:25:81:72:ce:aa:67:b4:74.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.2' (RSA) to the list of known hosts.
root@172.17.0.2's password:
-bash-4.2# ip addr
-bash: ip: command not found
-bash-4.2# ^C
-bash-4.2# ^C
-bash-4.2# ^C
-bash-4.2# logout
Connection to 172.17.0.2 closed.
[root@foundation15 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5d6054ef42d8 rhel7:v3 "/usr/bin/supervisord" 50 seconds ago Up 50 seconds 22/tcp, 80/tcp vm1
[root@foundation15 docker]# curl 172.17.0.2
www.westos.org
##################################################################
**
docker中關於內存的使用
**
目前 Docker 支持內存資源限制選項
-m, --memory=""
Memory limit (format: <number>[<unit>]). Number is a positive integer. Unit can be one of b, k, m, or g. Minimum is 4M.
--memory-swap=""
Total memory limit (memory + swap, format: <number>[<unit>]). Number is a positive integer. Unit can be one of b, k, m, or g.
--memory-swappiness=""
Tune a container’s memory swappiness behavior. Accepts an integer between 0 and 100.
--shm-size=""
Size of /dev/shm. The format is <number><unit>. number must be greater than 0. Unit is optional and can be b (bytes), k (kilobytes), m (megabytes), or g(gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses 64m.
根據實際需求設置,這裏不作過多的介紹
--memory-reservation=""
Memory soft limit (format: <number>[<unit>]). Number is a positive integer. Unit can be one of b, k, m, or g.
--kernel-memory=""
Kernel memory limit (format: <number>[<unit>]). Number is a positive integer. Unit can be one of b, k, m, or g. Minimum is 4M.
kernel memory 沒有特殊需求,則無需額外設置
--oom-kill-disable=false
Whether to disable OOM Killer for the container or not.
#####################################################################
使用stress來壓力測試
[root@foundation15 ~]# docker run --rm -it --name vm1 -m 100M stress --vm 1 --vm-bytes 150M
stress: info: [1] dispatching hogs: 0 cpu, 0 io, 1 vm, 0 hdd
stress: dbug: [1] using backoff sleep of 3000us
stress: dbug: [1] --> hogvm worker 1 [7] forked
stress: dbug: [7] allocating 157286400 bytes ...
stress: dbug: [7] touching bytes in strides of 4096 bytes ...
stress: dbug: [7] freed 157286400 bytes
stress: dbug: [7] allocating 157286400 bytes ...
stress: dbug: [7] touching bytes in strides of 4096 bytes ...
stress: dbug: [7] freed 157286400 bytes
在物理機top查看使用情況
#######################################################################333
未指定 --memory-swap 時,容器可用的內存加交換分區總量默認爲 -m 限制值的兩倍(此處爲 100M 內存加 100M 交換分區);當壓力測試申請的內存超過這個總量時,進程會被 OOM killer 以 signal 9 終止,出現下面的錯誤
[root@foundation15 ~]# docker run --rm -it --name vm1 -m 100M stress --vm 1 --vm-bytes 400M
stress: info: [1] dispatching hogs: 0 cpu, 0 io, 1 vm, 0 hdd
stress: dbug: [1] using backoff sleep of 3000us
stress: dbug: [1] --> hogvm worker 1 [7] forked
stress: dbug: [7] allocating 419430400 bytes ...
stress: dbug: [7] touching bytes in strides of 4096 bytes ...
stress: FAIL: [1] (416) <-- worker 7 got signal 9
stress: WARN: [1] (418) now reaping child worker processes
stress: FAIL: [1] (422) kill error: No such process
stress: FAIL: [1] (452) failed run completed in 2s
**
限制容器讀寫速度
**
##################################################################
[root@foundation15 ~]# docker run --rm -it --device-write-bps /dev/sda:10M ubuntu
root@6adf79762aa2:/# dd if=/dev/zero of=testfile bs=1M count=100 oflag=direct
100+0 records in
100+0 records out
104857600 bytes (105 MB) copied, 9.9563 s, 10.5 MB/s
###############################################################
**
cgroup控制內存 cpu等參數
**
###################################################################
內存 cpu控制
[root@server0 mnt]# vim /etc/cgconfig.conf
# Group x1: caps memory at 20480000 bytes. memsw (memory + swap) is set to the
# same value, so the group gets no additional swap on top of that limit.
group x1 {
memory {
memory.limit_in_bytes = 20480000;
memory.memsw.limit_in_bytes = 20480000;
}
}
# Group x2: CPU only. cpu.shares is a relative weight (the kernel default is 1024).
group x2 {
cpu{
cpu.shares = 100;
}
}
在控制內存時 vim /etc/cgrules.conf
指定用戶來限制內存使用
bobo:memapp1 memory x1/
bobo:memapp2 memory x2/
~
#################################################################
**
限制磁盤的讀寫速度
**
首先找到磁盤對應的id
[root@server0 ~]# ls -l /dev/vda
brw-rw---- 1 root disk 252, 0 Aug 21 14:25 /dev/vda
[root@server0 ~]# ls -l /dev/vda1
brw-rw---- 1 root disk 252, 1 Aug 21 14:25 /dev/vda1
如圖 252:0 爲vda 252:1爲vda1的id
在寫入配置文件即可
# Group x3: throttles reads from block device 252:0 (/dev/vda, per the ls -l
# output above) to 1000000 bytes per second.
group x3 {
blkio {
blkio.throttle.read_bps_device = "252:0 1000000";
}
}
重啓服務
cgexec -g blkio:x3 dd if=/dev/vda of=/dev/null &
iotop查看速度即可
**
搭建自己的本地倉庫
**
#########################################################################
創建registry(此時倉庫沒有 TLS 和認證,且 -p 5000:5000 會在主機所有網卡上監聽;僅本機測試時可改用 -p 127.0.0.1:5000:5000,加密與認證見後文)
[root@foundation15 ~]# docker run -d -p 5000:5000 -v /opt/registry:/var/lib/registry registry:2
Unable to find image 'registry:2' locally
2: Pulling from library/registry
4064ffdc82fe: Pull complete
c12c92d1c5a2: Pull complete
4fbc9b6835cc: Pull complete
765973b0f65f: Pull complete
3968771a7c3a: Pull complete
Digest: sha256:51bb55f23ef7e25ac9b8313b139a8dd45baa832943c8ad8f7da2ddad6355b3c8
Status: Downloaded newer image for registry:2
2436ae2d9ec2601ca0e49748506e3f2f6b0641cc111ddc34b281d64639ea3e65
#############################################################
##################################################################
將nginx作爲測試鏡像放入本地倉庫中
docker push localhost:5000/nginx
The push refers to a repository [localhost:5000/nginx]
08d25fa0442e: Pushed
a8c4aeeaa045: Pushed
cdb3f9544e4c: Pushed
latest: digest: sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f size: 948
在倉庫中查看
[root@foundation15 registry]# ls
docker
#############################################################
#######################################################################
查看鏡像文件
看到已經添加進去
[root@foundation15 registry]# docker images
REPOSITORY TAG IMAGE ID
localhost:5000/nginx latest c82521676580 3 weeks ago 109 MB
nginx latest c82521676580 3 weeks ago 109 MB
registry 2 b2b03e9146e1 6 weeks ago 33.3 MB
game2048 latest 19299002fdbe 20 months ago 55.5 MB
ubuntu latest 07c86167cdc4 2 years ago 188 MB
stress latest db646a8f4087 4 years ago 282 MB
rhel7 latest 0a3eb3fde7fd 4 years ago 140 MB
###################################################################3
爲了便於區分 將原有的nginx刪除
[root@foundation15 registry]# docker rmi nginx
Untagged: nginx:latest
Untagged: nginx@sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424
再將 localhost:5000/nginx 改名(此處新標籤實際輸入爲 ninx)
[root@foundation15 registry]# docker tag localhost:5000/nginx ninx
再刪除 localhost:5000/nginx
[root@foundation15 registry]# docker rmi localhost:5000/nginx
Untagged: localhost:5000/nginx:latest
Untagged: localhost:5000/nginx@sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f
查看鏡像 只剩下改名後的 ninx 了
[root@foundation15 registry]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ninx latest c82521676580 3 weeks ago 109 MB
registry 2 b2b03e9146e1 6 weeks ago 33.3 MB
game2048 latest 19299002fdbe 20 months ago 55.5 MB
ubuntu latest 07c86167cdc4 2 years ago 188 MB
stress latest db646a8f4087 4 years ago 282 MB
rhel7 latest 0a3eb3fde7fd 4 years ago 140 MB
至此 基本的搭建完成
####################################################################
**
邏輯卷的掛載
**
####################################################################
在不指定本地目錄時 使用docker自行指定的邏輯卷作爲掛載點存儲數據
和指定掛載點並沒有太大區別
查看所有掛載過的邏輯卷 因爲刪除容器後沒有同時刪除邏輯卷掛載 所以可以看到許多殘留
[root@foundation15 ~]# docker volume ls
DRIVER VOLUME NAME
local 10b21ff1335efa3ed71077f41ef9b36a52918382c4009964b038569c6b5c1058
local 435f78e48a9515559435de3a779c95325c386668e74a5c18d3903a57cd2f8f5c
local b9a591dcba34c93c3564aa2d13611438d8e4f665b544df0811f8eb568b611729
local ce3ce97cdb37b3241bf6fabe6ecb916fcd53c553ea8ae931667010874385d704
local dbe20bc0669457137e7027e4ec24bb3e159e25613e087f6f8e0c8f4f19a7ff20
local fd42632d66a12a2f647ea3b1a843833eb00298feb4e4c66aa054f43369c5bf19
刪除所有殘留(會刪除所有未被容器使用的卷及其中的數據,執行前先確認沒有需要保留的數據)
[root@foundation15 ~]# docker volume rm `docker volume ls -q `
10b21ff1335efa3ed71077f41ef9b36a52918382c4009964b038569c6b5c1058
435f78e48a9515559435de3a779c95325c386668e74a5c18d3903a57cd2f8f5c
b9a591dcba34c93c3564aa2d13611438d8e4f665b544df0811f8eb568b611729
ce3ce97cdb37b3241bf6fabe6ecb916fcd53c553ea8ae931667010874385d704
dbe20bc0669457137e7027e4ec24bb3e159e25613e087f6f8e0c8f4f19a7ff20
fd42632d66a12a2f647ea3b1a843833eb00298feb4e4c66aa054f43369c5bf19
[root@foundation15 ~]# docker volume ls
DRIVER VOLUME NAME
################################################################
#################################################################
不指定掛載點測試
[root@foundation15 ~]# docker run -d --name vm1 -v /usr/share/nginx/html nginx
Unable to find image 'nginx:latest' locally
latest: Pulling from library/nginx
Digest: sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424
Status: Downloaded newer image for nginx:latest
2417e33adf7e6c411f3b9a0ab6f56422ff302bd4ff9a9339ee9ce6d55618d22a
看到docker自定義的掛載位置依然在物理機
[root@foundation15 ~]# docker inspect vm1|grep vol
"Type": "volume",
"Source": "/var/lib/docker/volumes/18975c4e2e3bbd1cbcae8f376fd67e35e6b22a597ed8ff5b4ba7e6d28fbd3236/_data",
[root@foundation15 ~]# cd /var/lib/docker/volumes/18975c4e2e3bbd1cbcae8f376fd67e35e6b22a597ed8ff5b4ba7e6d28fbd3236/_data
[root@foundation15 _data]# ls
50x.html index.html
用鏡像保存數據 使應用直接讀取
Dockerfile
# Data-only image: ships the web content and exposes it as a volume.
FROM rhel7
# ADD unpacks a local tar archive into the target directory.
ADD html.tar /usr/share
# Declares the path as a volume so other containers can mount it with
# --volumes-from.
VOLUME ["/usr/share/nginx/html"]
製作tar包用於add
tar zcvf html.tar nginx/
nginx目錄中存放用於讀取的數據
製作鏡像
docker build -t rhel7:v5 .
create容器作爲邏輯卷讀取
docker create --name vol1 rhel7:v5 bash
創建新容器用邏輯卷讀取數據
docker run -d --name vm3 --volumes-from vol1 nginx
curl測試即可
[root@foundation15 test]# curl 172.17.0.4
www.westos.org
www.westos.org
www.westos.org
www.westos.org
**
倉庫https加密的解決
**
##################################################################3
https加密的解決
mkdir /etc/docker/certs
openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt
在 Common Name 那裏填寫自己的域名 westos.org
其他字段可隨意填寫。注意:-nodes 生成的私鑰 domain.key 沒有密碼保護,應限制其文件權限;命令中的 certs/ 是相對路徑,需在 /etc/docker 目錄下執行
運行私有倉庫
docker run -d --restart=always --name registry -v `pwd`/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -p 443:443 registry:2
WARNING: IPv4 forwarding is disabled. Networking will not work.
dda9f7f81a451c40cd7618238c40cd18b2e918571cafa44dcd7b1e8407bafd1d
######################################################################3
[root@foundation15 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
dda9f7f81a45 registry:2 "/entrypoint.sh /e..." 8 seconds ago Up 6 seconds 0.0.0.0:443->443/tcp, 5000/tcp registry
#########################################################################3
將產生的證書發送給系統和docker
系統
[root@foundation15 certs]# cd /etc/pki/ca-trust/source/anchors/
[root@foundation15 anchors]# cp /etc/docker/certs/domain.crt .
[root@foundation15 anchors]# ls
domain.crt
#################################################################
docker證書
[root@foundation15 certs]# cp domain.crt ../certs.d/westos.org/ca.crt
###############################################################
重啓下服務
推動鏡像
[root@foundation15 westos.org]# docker tag game2048 westos.org/game2048
[root@foundation15 westos.org]# docker push westos.org/game2048
The push refers to a repository [westos.org/game2048]
latest: digest: sha256:31a46998f55ed03da6d62197f3a91b0a100c0abdd7380d88142ea44bce325001 size: 1364
查看鏡像是否添加進去
[root@foundation15 westos.org]# docker images |grep game
game2048 latest 19299002fdbe 20 months ago 55.5 MB
westos.org/game2048 latest 19299002fdbe 20 months ago 55.5 MB
倉庫搭建完成
######################################################################
虛擬機使用私有倉庫
需要將倉庫的證書(certs.d 下的 ca.crt,不是私鑰 domain.key)發送給虛擬機
虛擬機沒有該目錄,直接將整個 certs.d 目錄發送即可
[root@foundation15 westos.org]# scp -r /etc/docker/certs.d/ [email protected]:/etc/docker/
虛擬機添加解析 即可
172.25.15.250 westos.org
#########################################################################
測試拉取鏡像
[root@server1 ~]# docker pull westos.org/game2048
Using default tag: latest
latest: Pulling from game2048
28c417e954d8: Pull complete
0fa119b15092: Pull complete
445374954ee8: Pull complete
732a5643c5cf: Pull complete
1c5c2056838a: Pull complete
Digest: sha256:31a46998f55ed03da6d62197f3a91b0a100c0abdd7380d88142ea44bce325001
Status: Downloaded newer image for westos.org/game2048:latest
創建認證(-B 使用 bcrypt,-b 從命令行參數讀取密碼,因此密碼會留在 shell 歷史中;test/westos 僅供實驗)
$ mkdir auth
$ docker run \
--entrypoint htpasswd \
registry:2 -Bbn test westos > auth/htpasswd
如果沒有啓用 TLS 加密,去掉下面命令中對應的證書部分即可;但 htpasswd 基本認證在明文 HTTP 下會暴露用戶名和密碼,建議保留 TLS
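# Start the private registry with htpasswd basic auth and TLS enabled.
# The auth and certs directories are bind-mounted read-only so the registry
# process cannot modify the credential file, the certificate or the private key.
# "$(pwd)" is quoted so a working directory containing spaces still works.
docker run -d \
  -p 5000:5000 \
  --restart=always \
  --name registry \
  -v "$(pwd)/auth:/auth:ro" \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
  -v "$(pwd)/certs:/certs:ro" \
  -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt" \
  -e "REGISTRY_HTTP_TLS_KEY=/certs/domain.key" \
  registry:2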
docker login myregistrydomain.com:5000
使用第一步創建的認證用戶登錄後 就可以下載或上傳(myregistrydomain.com:5000 需換成自己倉庫的地址)
**
compose的使用
**
創建compose目錄 用於存放配置
測試使用apache與nginx來測試 將需要的網頁文件存放在web中
haproxy的配置文件在對應目錄下
[root@foundation15 compose]# ls
docker-compose.yml haproxy web
編寫compose配置文件
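# Compose (v1 format) stack: haproxy load-balances across apache and nginx.
apache:
  image: rhel7:v1
  expose:
    - 80
  volumes:
    - ./web:/var/www/html
nginx:
  image: nginx
  expose:
    - 80
haproxy:
  image: haproxy
  volumes:
    # The config haproxy needs at start-up is supplied from the local ./haproxy
    # directory; mounted read-only because the container only reads it.
    - ./haproxy:/usr/local/etc/haproxy:ro
  links:
    - apache
    - nginx
  ports:
    # Host port 80 is already taken by httpd, so a free port is used instead.
    # This mapping publishes the frontend on all host interfaces.
    - "8080:80"
  expose:
    - 80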
在haproxy目錄下編寫配置文件
# HAProxy config: round-robin HTTP load balancing across the nginx and apache
# containers.
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
# NOTE(review): the stats page at /status has no "stats auth" line, so anyone
# who can reach the frontend (published on host port 8080 by the compose file)
# can read it.
stats uri /status
frontend balancer
bind 0.0.0.0:80
default_backend web_backends
backend web_backends
balance roundrobin
# "nginx" and "apache" are the service names linked in the compose file;
# "check" enables health checks on each server.
server web1 nginx:80 check
server web2 apache:80 check
測試
[root@foundation15 haproxy]# curl 172.25.254.77:8080
第一次爲nginx界面
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@foundation15 haproxy]# curl 172.25.254.77:8080
第二次爲apache中拷貝過去的網頁
www.westos.org
測試成功 在compose端可以看到訪問數據
[root@foundation15 haproxy]# docker-compose up
Creating compose_nginx_1 ... done
Creating compose_apache_1 ... done
Creating compose_haproxy_1 ... done
Attaching to compose_apache_1, compose_nginx_1, compose_haproxy_1
apache_1 | AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.3. Set the 'ServerName' directive globally to suppress this message
haproxy_1 | <7>haproxy-systemd-wrapper: executing /usr/local/sbin/haproxy -p /run/haproxy.pid -f /usr/local/etc/haproxy/haproxy.cfg -Ds
nginx_1 | 172.17.0.5 - - [22/Aug/2018:05:00:03 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
nginx_1 | 172.17.0.5 - - [22/Aug/2018:05:00:03 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0" "-"
nginx_1 | 172.17.0.5 - - [22/Aug/2018:05:04:49 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0" "-"
在瀏覽器中打開狀態界面
關閉nginx測試
網頁狀態看到nginx關閉 網頁只能瀏覽apache
再打開nginx
網頁恢復