[TOC]
Docker Basics
Topic summary
A short introduction to basic Docker usage. This text covers the basic use of Docker commands, image registries, networking, and storage.
Environment
- ubuntu16.04
- python3.6
- Docker version 1.13.1
- Docker ID (for pulling from and pushing to the public registry)
一、Install Docker
1.1 Install docker-ce
sudo apt-get update
sudo apt-get install apt-transport-https ca-certificates
sudo apt-key adv \
--keyserver hkp://ha.pool.sks-keyservers.net:80 \
--recv-keys 58118E89F3A912897C070ADBF76221572C52609D
#append this to /etc/apt/sources.list
deb https://apt.dockerproject.org/repo ubuntu-xenial main
sudo apt-get update
apt-cache policy docker-engine
apt-get upgrade
sudo apt-get install linux-image-extra-$(uname -r) linux-image-extra-virtual
sudo apt-get install docker-engine
1.2 Install the docker package shipped with the distribution
apt-get update
# by default this installs the latest docker, 1.13.1
apt-get install docker.io
1.2.1 New features in docker 1.13
- Official support for service stacks: docker stack
- Official support for plugins: docker plugin
- A secret management service for passwords and keys in Swarm clusters: docker secret
- New docker system command
- Services can be deployed directly from a docker-compose.yml
- docker service gains rollback after a failed rolling upgrade
- New force-redeploy option: docker service update --force
- docker service create can publish host ports directly instead of through the ingress load-balancing network
- docker run can join a specified swarm-mode overlay network
- Fixes the problem of the docker-engine apt/yum sources being blocked by the GFW in China
1.3 Configure a registry mirror (accelerator)
vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://registry.docker-cn.com"]
}
# alternative: start the daemon with --registry-mirror=http://alaudademo13.m.alauda.cn
1.4 The Docker installation directory
No. | Path | Meaning |
---|---|---|
1 | /var/lib/docker/devicemapper/devicemapper/data | stores the storage pool data |
2 | /var/lib/docker/devicemapper/devicemapper/metadata | stores the pool metadata |
3 | /var/lib/docker/devicemapper/metadata/ | stores each device's device_id, size, transaction_id and initialization state |
4 | /var/lib/docker/devicemapper/mnt | stores mount information |
5 | /var/lib/docker/container/ | stores container information |
6 | /var/lib/docker/graph/ | stores intermediate image layers, image metadata and dependency information |
7 | /var/lib/docker/repositories-devicemapper | stores basic image information |
8 | /var/lib/docker/tmp | Docker temporary directory |
9 | /var/lib/docker/trust | Docker trust directory |
10 | /var/lib/docker/volumes | Docker volumes directory |
二、Basic Docker commands
2.1 Command categories
Subcommand category | Subcommands |
---|---|
Image-related | images, search, pull, push, login, logout, commit, build, rmi |
Container lifecycle management | create, exec, kill, pause, restart, rm, run, start, stop, unpause |
Environment information | info, version |
System maintenance | images, inspect, build, commit, pause/unpause, ps, rm, rmi, run, start/stop/restart, top, kill, ... |
Logs and events | events, history, logs |
Docker ID | login, logout |
Container-related | run, kill, stop, start, restart, logs, export, import |
2.2 Basic command usage
2.2.1 Learning docker commands with man and help
# man pages are named docker-<subcommand>, e.g. man docker-run
man docker-subcommand
docker help subcommand
docker command --help
2.2.2 Working with Docker images
- Show image information
# list images
docker images
# show images as a custom table
docker images --format "table {{.ID}}\t{{.Repository}}\t{{.Tag}}"
- Search for images
- docker search IMAGE_NAME
- search images on Docker Hub
- Pulling, deleting, modifying, renaming and creating images
# pull an image
docker pull busybox
# log in with a Docker ID
➜ ~ docker login -u bluerdocker
Password:
Login Succeeded
# rename (tag) the image; bluerdocker is my Docker ID
docker tag busybox bluerdocker/busybox:latest
# upload the image
➜ ~ docker push bluerdocker/busybox
The push refers to a repository [docker.io/bluerdocker/busybox]
0271b8eebde3: Mounted from library/busybox
latest: digest: sha256:91ef6c1c52b166be02645b8efee30d1ee65362024f7da41c404681561734c465 size: 527
# delete images
# when an image carries several tags, the image data is only deleted once the last tag is removed
➜ ~ docker rmi bluerdocker/busybox
Untagged: bluerdocker/busybox:latest
Untagged: bluerdocker/busybox@sha256:91ef6c1c52b166be02645b8efee30d1ee65362024f7da41c404681561734c465
➜ ~ docker rmi busybox
Untagged: busybox:latest
Untagged: busybox@sha256:bbc3a03235220b170ba48a157dd097dd1379299370e1ed99ce976df0355d24f0
Deleted: sha256:6ad733544a6317992a6fac4eb19fe1df577d4dec7529efec28a5bd0edad0fd30
Deleted: sha256:0271b8eebde3fa9a6126b1f2335e170f902731ab4942f9f1914e77016540c7bb
# build an image from an existing Dockerfile (the base image is downloaded from Docker Hub)
docker build -t nginx/marion:v1 -m 1024 .
➜ dockerfile1 docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx/marion v1 64220f7e39ab 2 minutes ago 108 MB
Some other image subcommands:
build Build an image from a Dockerfile
history Show the history of an image
import Import the contents from a tarball to create a filesystem image
inspect Display detailed information on one or more images
load Load an image from a tar archive or STDIN
ls List images
prune Remove unused images
pull Pull an image or a repository from a registry
push Push an image or a repository to a registry
rm Remove one or more images
save Save one or more images to a tar archive (streamed to STDOUT by default)
tag Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
# save an image as a tarball
docker image save nginx -o nginx.tar
2.2.3 Container lifecycle management
Commands:
attach # attach to a running container; not recommended
commit # package a running container into a new image
cp # copy files/directories between a container and the local filesystem
create # create a new container
diff # inspect changes to files on a container's filesystem relative to its image
exec # run a command in a running container
export # export a container's filesystem as a tar archive
inspect # show detailed information on one or more containers
kill # kill one or more running containers
logs # fetch the logs of the processes in a container
ls # list containers
pause # pause all processes within one or more containers
port # list port mappings between the container and the docker host
prune # remove all stopped containers
rename # rename a container
restart # restart a container
rm # remove one or more containers
run # run a container
start # start one or more containers
stats # display resource usage statistics of containers
stop # stop one or more containers
top # display the running processes of a container
unpause # unpause a paused container
update # update the configuration of a container (cpu, memory, restart policy, etc.)
wait # block until the container stops, then print its exit code
2.2.4 Run WordPress on Docker
- Deploy MySQL
docker pull mysql
- Mount a volume to hold the data files
mkdir -p /mysql/data
chmod 777 /mysql/data
- Environment variables used by the MySQL image
Num | Env Variable | Description |
---|---|---|
1 | MYSQL_ROOT_PASSWORD | password of the root user |
2 | MYSQL_DATABASE | create a database with this name |
3 | MYSQL_USER,MYSQL_PASSWORD | create a user with this password |
4 | MYSQL_ALLOW_EMPTY_PASSWORD | allow an empty root password |
- Create a network
docker network create --subnet 10.0.0.0/24 --gateway 10.0.0.1 marion
docker network ls
➜ ~ docker network ls | grep marion
6244609a83bb marion bridge local
- Create the MySQL container
➜ ~ docker run -v /mysql/data:/var/lib/mysql --name mysqldb --restart=always -p 3306:3306 -e MYSQL_DATABASE='wordpress' -e MYSQL_USER='marion' -e MYSQL_PASSWORD='marion' -e MYSQL_ALLOW_EMPTY_PASSWORD='yes' -e MYSQL_ROOT_PASSWORD='marion' --network=marion --ip=10.0.0.2 -d mysql
➜ marion docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3013c407c74b mysql "docker-entrypoint..." 4 minutes ago Up 4 minutes 0.0.0.0:3306->3306/tcp mysqldb
➜ marion docker exec -it 3013c407c74b /bin/bash
root@3013c407c74b:/# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
9: eth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:0a:00:00:02 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.2/24 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::42:aff:fe00:2/64 scope link
valid_lft forever preferred_lft forever
root@3013c407c74b:/# apt-get install net-tools -y
root@3013c407c74b:/# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.11:45485 0.0.0.0:* LISTEN -
tcp6 0 0 :::3306 :::* LISTEN -
udp 0 0 127.0.0.11:48475 0.0.0.0:* -
root@3013c407c74b:/# mysql -u marion -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.20 MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| wordpress |
+--------------------+
2 rows in set (0.01 sec)
mysql>
- 3. Run nginx-php
mkdir -p /var/www/html
docker run --name php7 -p 9000:9000 -p 80:80 -v /var/www/html:/usr/local/nginx/html --restart=always --network=marion --ip=10.0.0.3 -d skiychan/nginx-php7
docker ps
docker exec -it cfb9556b71b3 /bin/bash
cd /usr/local/php/etc
vim php.ini
# set in php.ini:
date.timezone = Asia/Shanghai
- Edit the nginx configuration file /usr/local/nginx/conf/nginx.conf
user www www; #modify
worker_processes auto; #modify
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
error_log /var/log/nginx_error.log crit; #add
#pid logs/nginx.pid;
pid /var/run/nginx.pid; #modify
worker_rlimit_nofile 51200;
events {
use epoll;
worker_connections 51200;
multi_accept on;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
client_max_body_size 100m; #add
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 120; #65;
#gzip on;
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
root /usr/local/nginx/html;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php?$args;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
location ~ \.php$ {
root /usr/local/nginx/html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /$document_root$fastcgi_script_name;
include fastcgi_params;
}
}
#add
##########################vhost#####################################
include vhost/*.conf;
}
daemon off;
- Test the configuration file for errors
[root@cfb9556b71b3 sbin]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
- Reload the configuration file
[root@cfb9556b71b3 sbin]# /usr/local/nginx/sbin/nginx -s reload
[root@cfb9556b71b3 sbin]#
2.2.5 Container restart policies
- no
- on-failure
- always
- unless-stopped
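The four policy names above say nothing about when the daemon actually restarts a container. The following added example (not code from the original page) encodes the documented behaviour of each policy as a decision function, so the differences, for instance between `always` and `unless-stopped` after a `docker stop` followed by a daemon restart, can be checked rather than remembered. The function signature and argument names are this example's own.

```python
"""Decision table for Docker's --restart policies (added example; the semantics follow the
Docker documentation for `docker run --restart`, not code from the original page)."""


def parse_policy(policy: str):
    """Split 'on-failure:3' into ('on-failure', 3); the other policies carry no retry limit."""
    name, _, limit = policy.partition(":")
    if name not in ("no", "on-failure", "always", "unless-stopped"):
        raise ValueError(f"unknown restart policy: {policy!r}")
    if limit and name != "on-failure":
        raise ValueError("only on-failure accepts a max-retries count")
    return name, (int(limit) if limit else None)


def should_restart(policy: str, exit_code: int, *, manually_stopped: bool = False,
                   daemon_restarted: bool = False, attempts: int = 0) -> bool:
    """Return True if dockerd would start the container again.

    exit_code        -- the container's last exit status
    manually_stopped -- the user ran `docker stop` / `docker kill` on it
    daemon_restarted -- the question is asked while dockerd itself is coming back up
    attempts         -- restarts already made since the container last ran (for on-failure:N)
    """
    name, limit = parse_policy(policy)
    if name == "no":
        return False
    if name == "on-failure":
        # only failures are retried, never a clean exit or an explicit stop, and only up to the limit
        if manually_stopped or exit_code == 0:
            return False
        return limit is None or attempts < limit
    if manually_stopped:
        # always: a stopped container comes back only when dockerd restarts (or is started by hand);
        # unless-stopped: a stopped container stays stopped, even across a daemon restart
        return name == "always" and daemon_restarted
    # always / unless-stopped: any exit, including a clean one, leads to a restart
    return True


if __name__ == "__main__":
    for args in (("no", 1), ("on-failure:3", 1), ("always", 0), ("unless-stopped", 137)):
        print(args, "->", should_restart(*args))
```

The `--restart=always` used for the mysqldb and php7 containers above means they come back after a reboot of the host as well; `unless-stopped` is the variant to choose when a container that an operator deliberately stopped must stay down.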
三、Dockerfile
# Comment
INSTRUCTION arguments
1. FROM
The base image to build on
2. RUN
- Executes a command and creates a new image layer; RUN is commonly used to install packages
3. MAINTAINER
Author of the image
4. COPY
Copy files from the build context into the image
# two equivalent forms
COPY ["src","dest"]
COPY src dest
# note: src may only refer to files inside the build context
5. CMD
- The command executed when the container starts. A Dockerfile may contain only one CMD; if there are several, only the last one takes effect. CMD is mainly used to specify the service started with the container.
- When docker run is given a command, it replaces the command specified by CMD.
- There are three forms
- Exec form: CMD ["command","param1","param2"]
- CMD ["param1","param2"] supplies extra parameters to ENTRYPOINT; ENTRYPOINT must then use the exec form
- Shell form: CMD command param1 param2
6. ENTRYPOINT
The command executed when the container starts. A Dockerfile may contain only one ENTRYPOINT; if there are several, only the last one takes effect. Unlike CMD, ENTRYPOINT is not replaced by docker run arguments.
- The exec form of ENTRYPOINT sets the command and its arguments; CMD can supply additional arguments
- The shell form of ENTRYPOINT ignores any arguments supplied by CMD or docker run
7. USER
The user the container runs as
8. EXPOSE
The port a service inside the container listens on. To reach it from the host, a host-to-container port mapping still has to be made when the container is started:
docker run -d -p 127.0.0.1:3000:22 ubuntu-ssh
Port 22 of the container's ssh service is mapped to port 3000 on the host's 127.0.0.1 address.
9. ENV
Sets environment variables, for example: ENV ROOT_PASS tenxcloud
10. ADD
Copies the file <src> into the container filesystem at path <dest>. ADD runs only once, when the image is built; it is not re-run when containers are started. If src is a tar, zip, tgz or xz archive it is automatically unpacked into dest.
11. VOLUME
Mounts a local directory or another container's directory into the container.
12. WORKDIR
Changes the working directory (like cd); it can be used several times and applies to RUN, CMD and ENTRYPOINT
13. ONBUILD
Commands given to ONBUILD are not executed when this image is built, but when a child image is built from it
14. The two forms: shell and exec
They specify the command run by RUN, CMD and ENTRYPOINT
- The exec form is recommended for CMD and ENTRYPOINT
- RUN can use either form
Note
The files in the build context must be prepared before building from the Dockerfile
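Items 5, 6 and 14 describe how the shell and exec forms of CMD and ENTRYPOINT combine with each other and with `docker run` arguments. The following added example (this page's author did not provide it; it is not Docker's own code) parses the last CMD and ENTRYPOINT out of a Dockerfile and computes the argv that PID 1 in the container receives, following the interaction table in the Dockerfile reference. The Dockerfiles used as input are constructed for the example, and `parse_dockerfile` / `effective_command` are names chosen here.

```python
"""Resolve the effective container command from a Dockerfile's ENTRYPOINT and CMD.
Added example; the rules follow the Dockerfile reference, the helpers are this example's own."""
import json

SHELL = ["/bin/sh", "-c"]  # what the shell form is wrapped in on Linux images


def parse_dockerfile(text: str) -> dict:
    """Return {'ENTRYPOINT': (form, value) | None, 'CMD': (form, value) | None}.

    Only the last occurrence of each instruction counts. form is 'exec' when the argument is a
    JSON array of strings (value = argv list) and 'shell' otherwise (value = raw command string).
    """
    found = {"ENTRYPOINT": None, "CMD": None}
    logical = text.replace("\\\n", " ")  # join backslash line continuations first
    for raw in logical.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr = parts[0].upper()
        if instr not in found:
            continue
        args = parts[1].strip() if len(parts) > 1 else ""
        form, value = "shell", args
        if args.startswith("["):
            try:
                parsed = json.loads(args)
                if isinstance(parsed, list) and all(isinstance(a, str) for a in parsed):
                    form, value = "exec", parsed
            except ValueError:
                pass  # Docker treats an unparsable bracketed argument as the shell form
        found[instr] = (form, value)
    return found


def effective_command(entrypoint, cmd, run_args=None) -> list:
    """Compute the argv the container starts with, given parsed ENTRYPOINT/CMD and docker run args."""
    if run_args:
        cmd = ("exec", list(run_args))  # arguments after the image name replace CMD entirely
    if entrypoint is not None and entrypoint[0] == "shell":
        return SHELL + [entrypoint[1]]  # shell-form ENTRYPOINT ignores CMD and run arguments
    tail = []
    if cmd is not None:
        tail = list(cmd[1]) if cmd[0] == "exec" else SHELL + [cmd[1]]
    if entrypoint is None:
        if not tail:
            raise ValueError("neither ENTRYPOINT nor CMD is set: the image has nothing to run")
        return tail
    return list(entrypoint[1]) + tail  # exec-form ENTRYPOINT gets CMD / run args appended


if __name__ == "__main__":
    # constructed Dockerfile: the second CMD wins, and the exec form is not wrapped in a shell
    sample = 'FROM busybox\nCMD echo first\nCMD ["echo", "second"]\n'
    parsed = parse_dockerfile(sample)
    print(effective_command(parsed["ENTRYPOINT"], parsed["CMD"]))            # ['echo', 'second']
    print(effective_command(parsed["ENTRYPOINT"], parsed["CMD"], ["sh"]))    # ['sh']
```

One consequence worth seeing in the output: with a shell-form ENTRYPOINT the process that receives signals is `/bin/sh`, not the service, and nothing passed to `docker run` reaches the service; that is the reason item 14 recommends the exec form.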
四、Docker registry
4.1 Set up a local image registry
# check whether port 5000 is already in use
netstat -tunlp | grep 5000
# pull and run the registry
mkdir -p /opt/myregistry
docker run -d -p 5000:5000 --name registry --restart=always -v /opt/myregistry:/var/lib/registry registry:2.4.1
curl http://172.17.0.1:5000/v2/
# allow plain http for this registry (the docker client defaults to https)
# note: this overwrites any existing daemon.json, e.g. the registry-mirrors setting from 1.3,
# and the daemon must be restarted afterwards for the setting to take effect
echo '{"insecure-registries":["172.17.0.1:5000"]}' > /etc/docker/daemon.json
# pull the busybox image for testing
docker pull busybox
# tag the image
docker tag busybox 172.17.0.1:5000/busybox01
# delete the image tagged latest
docker rmi busybox
# push the image to the local registry
docker push 172.17.0.1:5000/busybox01
# check
tree -L 4 /opt/myregistry
# delete the local copy of the busybox image
docker rmi 172.17.0.1:5000/busybox01
# download it from the local registry
docker pull 172.17.0.1:5000/busybox01
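Sections 1.3 and 4.1 both edit `/etc/docker/daemon.json`, and a plain `echo ... >` replaces whatever is already there (the original, unquoted `echo` also produced text that is not JSON, which dockerd refuses to start with). The following added example (not code from the page or from Docker) does a read-modify-write instead: it validates the file, rejects entries in the wrong shape (an `insecure-registries` entry is `host[:port]` or a CIDR block, never a URL), and unions the new values with the existing lists. The sample file contents are constructed here; the function names are this example's own.

```python
"""Safely merge registry settings into /etc/docker/daemon.json.
Added example, not Docker's code; the daemon.json keys are the documented ones."""
import json
import re
from typing import Iterable

# host[:port] or an IPv4 CIDR block; a scheme such as http:// is not accepted by dockerd here
_REGISTRY_RE = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$|^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$")


def is_valid_daemon_json(text: str) -> bool:
    """True if text parses as a JSON object, which is what dockerd requires of daemon.json."""
    try:
        return isinstance(json.loads(text), dict)
    except ValueError:
        return False


def merged_daemon_config(existing: str, insecure_registries: Iterable[str] = (),
                         registry_mirrors: Iterable[str] = ()) -> dict:
    """Return the existing configuration with the two list keys extended, never overwritten."""
    cfg = json.loads(existing) if existing.strip() else {}
    if not isinstance(cfg, dict):
        raise ValueError("daemon.json must contain a single JSON object")
    for reg in insecure_registries:
        if not _REGISTRY_RE.match(reg):
            raise ValueError(f"insecure-registries entries are host[:port] or CIDR, got {reg!r}")
    for mirror in registry_mirrors:
        if not mirror.startswith(("http://", "https://")):
            raise ValueError(f"registry-mirrors entries are URLs, got {mirror!r}")
    for key, values in (("insecure-registries", insecure_registries),
                        ("registry-mirrors", registry_mirrors)):
        merged = list(cfg.get(key, []))
        for value in values:
            if value not in merged:  # union, keeping the existing order
                merged.append(value)
        if merged:
            cfg[key] = merged
    return cfg


def render_daemon_json(cfg: dict) -> str:
    return json.dumps(cfg, indent=2, sort_keys=True) + "\n"


def write_daemon_json(path: str, insecure_registries=(), registry_mirrors=()) -> dict:
    """Read-modify-write the file at path; dockerd still has to be restarted afterwards."""
    try:
        with open(path) as f:
            existing = f.read()
    except FileNotFoundError:
        existing = ""
    if existing.strip() and not is_valid_daemon_json(existing):
        raise ValueError(f"{path} is not valid JSON; refusing to overwrite it blindly")
    cfg = merged_daemon_config(existing, insecure_registries, registry_mirrors)
    with open(path, "w") as f:
        f.write(render_daemon_json(cfg))
    return cfg


if __name__ == "__main__":
    # constructed: what the unquoted shell echo in 4.1 actually wrote to the file
    broken = "{insecure-registries:[172.17.0.1:5000]}"
    print("broken line is valid daemon.json:", is_valid_daemon_json(broken))
    current = '{"registry-mirrors": ["https://registry.docker-cn.com"]}'  # the file from section 1.3
    print(render_daemon_json(merged_daemon_config(current, insecure_registries=["172.17.0.1:5000"])))
```

Every entry in `insecure-registries` turns off TLS verification (and permits plain HTTP) for that registry, so the list deserves the same review as any other trust decision; keeping it to a single `host:port` rather than a whole CIDR block limits the exposure to the one registry the tutorial actually runs.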
4.2 Public registry: Docker Hub
- sign up for a Docker ID
- sign in to Docker Hub
- Docker Cloud
4.3 Enterprise registry: Harbor
4.3.1 Download the Harbor offline installer tarball
wget https://github.com/vmware/harbor/releases/download/v1.2.2/harbor-offline-installer-v1.2.2.tgz -P /home/marion/docker
tar xf /home/marion/docker/harbor-offline-installer-v1.2.2.tgz -C /home/marion/docker
cd /home/marion/docker/harbor
4.3.2 Add a hosts entry for the registry hostname
vim /etc/hosts
## append this
10.0.0.128 www.proharbor.com
## check that it resolves
ping www.proharbor.com
4.3.3 Create a self-signed certificate
mkdir /home/marion/docker/harbor/newcert
cd /home/marion/docker/harbor/newcert
# CA key and self-signed CA certificate
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
# server key and CSR; answer the Common Name prompt with www.proharbor.com so the certificate matches the hostname
openssl req -newkey rsa:4096 -nodes -sha256 -keyout proharbor.com.key -out proharbor.com.csr
# sign the server certificate with the CA
openssl x509 -req -days 3650 -in proharbor.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out proharbor.com.crt
# make the docker client trust the CA for this registry host
mkdir -pv /etc/docker/certs.d/www.proharbor.com
cp /home/marion/docker/harbor/newcert/ca.crt /etc/docker/certs.d/www.proharbor.com/
# add the server certificate to the system trust store
cp /home/marion/docker/harbor/newcert/proharbor.com.crt /usr/local/share/ca-certificates/www.proharbor.com.crt
update-ca-certificates
4.3.4 Update the configuration files
4.3.4.1 Update harbor.cfg
hostname = www.proharbor.com
ui_url_protocol = https
ssl_cert = /home/marion/docker/harbor/newcert/proharbor.com.crt
ssl_cert_key = /home/marion/docker/harbor/newcert/proharbor.com.key
4.3.4.2 Update docker-compose.yml
# create the storage directory for the local registry's images
cd /home/marion/docker/harbor
mkdir /home/marion/harborregistry/
vim docker-compose.yml
# ------ the modified docker-compose.yml follows ------
version: '2'
services:
  log:
    image: vmware/harbor-log:v1.2.2
    container_name: harbor-log
    restart: always
    volumes:
      - /var/log/harbor/:/var/log/docker/:z
    ports:
      - 127.0.0.1:1514:514
    networks:
      - harbor
  registry:
    image: registry:2.4.1
    container_name: registry
    restart: always
    volumes:
      - /home/marion/harborregistry:/storage:z
      - ./common/config/registry/:/etc/registry/:z
    networks:
      - harbor
    environment:
      - GODEBUG=netdns=cgo
    command:
      ["serve", "/etc/registry/config.yml"]
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "registry"
  mysql:
    image: vmware/harbor-db:v1.2.2
    container_name: harbor-db
    restart: always
    volumes:
      - /data/database:/var/lib/mysql:z
    networks:
      - harbor
    env_file:
      - ./common/config/db/env
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "mysql"
  adminserver:
    image: vmware/harbor-adminserver:v1.2.2
    container_name: harbor-adminserver
    env_file:
      - ./common/config/adminserver/env
    restart: always
    volumes:
      - /data/config/:/etc/adminserver/config/:z
      - /data/secretkey:/etc/adminserver/key:z
      - /data/:/data/:z
    networks:
      - harbor
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "adminserver"
  ui:
    image: vmware/harbor-ui:v1.2.2
    container_name: harbor-ui
    env_file:
      - ./common/config/ui/env
    restart: always
    volumes:
      - ./common/config/ui/app.conf:/etc/ui/app.conf:z
      - ./common/config/ui/private_key.pem:/etc/ui/private_key.pem:z
      - /data/secretkey:/etc/ui/key:z
      - /data/ca_download/:/etc/ui/ca/:z
      - /data/psc/:/etc/ui/token/:z
    networks:
      - harbor
    depends_on:
      - log
      - adminserver
      - registry
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "ui"
  jobservice:
    image: vmware/harbor-jobservice:v1.2.2
    container_name: harbor-jobservice
    env_file:
      - ./common/config/jobservice/env
    restart: always
    volumes:
      - /data/job_logs:/var/log/jobs:z
      - ./common/config/jobservice/app.conf:/etc/jobservice/app.conf:z
      - /data/secretkey:/etc/jobservice/key:z
    networks:
      - harbor
    depends_on:
      - ui
      - adminserver
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "jobservice"
  proxy:
    image: vmware/nginx-photon:1.11.13
    container_name: nginx
    restart: always
    volumes:
      - ./common/config/nginx:/etc/nginx:z
    networks:
      - harbor
    ports:
      - 80:80
      - 443:443
      - 4443:4443
    depends_on:
      - mysql
      - registry
      - ui
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"
networks:
  harbor:
    external: false
4.3.4.3 The registry's configuration file
This file shows the root directory where images are stored inside the registry container; that is the directory shared with the docker host through the volume above
version: 0.1
log:
  level: debug
  fields:
    service: registry
storage:
  cache:
    layerinfo: inmemory
  filesystem:
    rootdirectory: /storage
  maintenance:
    uploadpurging:
      enabled: false
  delete:
    enabled: true
http:
  addr: :5000
  secret: placeholder
  debug:
    addr: localhost:5001
auth:
  token:
    issuer: harbor-token-issuer
    realm: https://www.proharbor.com/service/token
    rootcertbundle: /etc/registry/root.crt
    service: harbor-registry
notifications:
  endpoints:
    - name: harbor
      disabled: false
      url: http://ui/service/notifications
      timeout: 3000ms
      threshold: 5
      backoff: 1s
4.3.5 Install Harbor together with Notary and Clair
cd /home/marion/docker/harbor/
sudo ./install.sh --with-notary --with-clair
# stop all Harbor containers (must be run in the directory containing docker-compose.yml)
docker-compose -f ./docker-compose.yml -f ./docker-compose.notary.yml -f ./docker-compose.clair.yml down -v
# start all Harbor containers (must be run in the directory containing docker-compose.yml)
docker-compose -f ./docker-compose.yml -f ./docker-compose.notary.yml -f ./docker-compose.clair.yml up -d
4.3.6 Verify
- Open a browser and go to https://www.proharbor.com
- Username/password: admin/Harbor12345 (the defaults)
- From a terminal:
docker login www.proharbor.com
# log in as admin/Harbor12345
4.3.7 Viewing logs
# log paths differ per component; find the exact path in docker-compose.yml or in the config files under */harbor/common/
cd /var/log/harbor
docker logs <container name>
4.3.8 push/pull
#push
root@dockermaster:/home/marion/docker/harbor# docker tag redis www.proharbor.com/harborssl/redis:dev
root@dockermaster:/home/marion/docker/harbor# docker push www.proharbor.com/harborssl/redis:dev
The push refers to a repository [www.proharbor.com/harborssl/redis]
d112bb627859: Pushed
265ab1ac61ec: Pushed
2341e66d779d: Pushed
9503917b6420: Pushed
aa84bbcc6553: Pushed
29d71372a492: Pushed
dev: digest: sha256:b707a0c39062f1769c8e16069015e1ba839add849deb441428fc0c1deee67c36 size: 1571
#pull
root@dockermaster:/home/marion/docker/harbor# docker pull www.proharbor.com/harborssl/redis:dev
dev: Pulling from harborssl/redis
Digest: sha256:b707a0c39062f1769c8e16069015e1ba839add849deb441428fc0c1deee67c36
Status: Downloaded newer image for www.proharbor.com/harborssl/redis:dev
4.3.9 Harbor reference links
五、Docker networking
When Docker is installed it configures a Linux bridge named docker0; this is also the network Docker uses by default when --network is not given. Docker has three common network modes: none, bridge and host.
➜ ~ docker network ls
NETWORK ID NAME DRIVER SCOPE
3ea8a3ad1a61 bridge bridge local
9043e76f315a host host local
eba2113c67eb none null local
5.1 The docker network command
➜ ~ docker network --help
Usage: docker network COMMAND
Manage networks
Options:
--help Print usage
Commands:
connect Connect a container to a network
create Create a network
disconnect Disconnect a container from a network
inspect Display detailed information on one or more networks
ls List networks
prune Remove all unused networks
rm Remove one or more networks
5.2 The none network
➜ ~ docker run -it --network=none busybox
/ # ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
/ #
5.3 The host network
In host mode the container simply uses the docker host's own network interfaces
➜ ~ docker run -it --network=host busybox
/ # ifconfig
docker0 Link encap:Ethernet HWaddr 02:42:D7:FD:FF:0D
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:d7ff:fefd:ff0d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:119 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:13785 (13.4 KiB)
...
Pros and cons of host networking:
- Advantages
- better network performance
- higher transfer efficiency
- Disadvantages
- a port already in use on the docker host cannot be used by the container
5.4 The bridge network
brctl show
shows the devices attached to docker0. When a container runs in bridge mode its virtual NIC is attached to docker0. Note that the virtual NIC inside the container and the one attached to docker0 form a veth pair.
5.4.1 Install the brctl tool
apt-get install bridge-utils -y
5.4.2 Check the container's network address
➜ ~ docker run -it --network=bridge busybox
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:03
inet addr:172.17.0.3 Bcast:0.0.0.0 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1459 (1.4 KiB) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
5.5 User-defined networks
Docker provides three drivers for user-defined networks:
- bridge
- overlay: not covered here
- macvlan: not covered here
5.5.1 Create a user-defined bridge network
docker network create --driver bridge bridge1
brctl show
docker network create --driver bridge --subnet 172.17.16.0/24 --gateway 172.17.16.1 bridge2
docker run -it --network=bridge2 busybox
# run ifconfig inside the container to see the address it was given
docker run -it --network=bridge2 --ip=172.17.16.3 busybox
5.6 Connectivity between containers
Containers reach each other in one of three ways: by IP, through Docker DNS, or in joined mode
5.6.1 Connectivity by IP
docker run -it --network=bridge2 --ip=172.17.16.4 busybox
docker run -it --network=bridge2 --ip=172.17.16.5 busybox
ping -c 3 172.17.16.4 # from 172.17.16.5
5.6.2 Connectivity through Docker DNS
Note: Docker DNS only works for containers running on a user-defined network
docker run -it --network=bridge2 --name=busyboxone busybox
docker run -it --network=bridge2 --name=busyboxtwo busybox
ping -c 3 busyboxone # from busyboxtwo
5.6.3 Connectivity in joined mode
Look closely at the network configuration in this mode: it is identical in both containers, and they talk to each other over 127.0.0.1
docker run -it --name web1 httpd
docker run -it --network=container:web1 httpd
5.7 How containers and the outside world reach each other
5.7.1 Containers accessing the outside
Docker's default network is the bridge network, so as long as the docker host can reach the internet, containers can too. But how does a container's access to the outside actually work? When a container sends a request outwards, Docker's NAT rules rewrite the packet's source address from the container's address to the docker host's address, so the outside sees the docker host's address as the source.
ip r
iptables -t nat -S
tcpdump -i docker0 -n icmp
tcpdump -i ens33 -n icmp
5.7.2 How the outside reaches a container
To answer requests from outside, the container exposes an internal port to the docker host through a port mapping between the two. Accessing the container from outside then becomes accessing a port on the docker host; when docker-proxy sees a connection to a host port mapped to a container, it forwards it to the container. That is the process by which the outside reaches a container.
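Both directions described in 5.7 are visible in the output of `iptables -t nat -S`: outbound traffic is covered by a MASQUERADE rule per bridge subnet, and each `-p` mapping is a DNAT rule in the DOCKER chain. The following added example (not code from the page) parses a sample of that output to list the published ports and flag the ones reachable on every host interface, which is what `-p 3306:3306` produces as opposed to `-p 127.0.0.1:3000:22`. The rule text is constructed for this example in the format iptables prints; the bridge name `br-6244609a83bb` reuses the id of the marion network from 2.2.4, and the helper names are this example's own.

```python
"""Audit Docker's NAT rules: which container ports are published, and to which host addresses.
Added example; the rule lines below are constructed in the format of `iptables -t nat -S`."""
import re
from dataclasses import dataclass
from typing import Dict, List

# constructed sample: docker0 (172.17.0.0/16) plus the user-defined marion network (10.0.0.0/24)
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/24 ! -o br-6244609a83bb -j MASQUERADE
-A POSTROUTING -s 10.0.0.2/32 -d 10.0.0.2/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i br-6244609a83bb -p tcp -m tcp --dport 3306 -j DNAT --to-destination 10.0.0.2:3306
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 172.17.0.3:22
"""

# a published port: optional host address (absent means every interface), protocol, host port, target
_DNAT_RE = re.compile(
    r"^-A DOCKER(?: -d (?P<host_ip>[\d.]+)/32)? ! -i \S+ -p (?P<proto>tcp|udp) -m (?:tcp|udp)"
    r" --dport (?P<host_port>\d+) -j DNAT --to-destination (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)
# outbound source NAT for one bridge subnet (section 5.7.1)
_MASQ_RE = re.compile(r"^-A POSTROUTING -s (?P<subnet>[\d./]+) ! -o (?P<bridge>\S+) -j MASQUERADE$")


@dataclass
class PublishedPort:
    host_ip: str
    host_port: int
    proto: str
    container_ip: str
    container_port: int

    @property
    def exposed_to_all_interfaces(self) -> bool:
        return self.host_ip == "0.0.0.0"


def masqueraded_subnets(rules: str) -> Dict[str, str]:
    """Map each container subnet to the bridge whose outbound traffic is source-NATed."""
    found = {}
    for line in rules.splitlines():
        m = _MASQ_RE.match(line.strip())
        if m:
            found[m["subnet"]] = m["bridge"]
    return found


def published_ports(rules: str) -> List[PublishedPort]:
    """Extract the host->container mappings Docker installed as DNAT rules (section 5.7.2)."""
    found = []
    for line in rules.splitlines():
        m = _DNAT_RE.match(line.strip())
        if m:
            found.append(PublishedPort(m["host_ip"] or "0.0.0.0", int(m["host_port"]), m["proto"],
                                       m["dst_ip"], int(m["dst_port"])))
    return found


def wide_open_ports(rules: str) -> List[PublishedPort]:
    """Mappings reachable from every host interface, i.e. published without a 127.0.0.1: prefix."""
    return [p for p in published_ports(rules) if p.exposed_to_all_interfaces]


if __name__ == "__main__":
    for subnet, bridge in masqueraded_subnets(SAMPLE_NAT_RULES).items():
        print(f"outbound NAT: {subnet} via {bridge}")
    for p in published_ports(SAMPLE_NAT_RULES):
        scope = "ALL INTERFACES" if p.exposed_to_all_interfaces else p.host_ip
        print(f"{p.proto}/{p.host_port} on {scope} -> {p.container_ip}:{p.container_port}")
```

On a real host the function would be fed `subprocess.check_output(["iptables", "-t", "nat", "-S"], text=True)`; note that the DOCKER chain is consulted before any host firewall rules in the same table, which is why a mapping published to `0.0.0.0` is reachable even when the host's INPUT policy would have dropped the port.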
六、Docker storage
Docker storage drivers (prefer the Linux distribution's default driver, since it is the most stable)
- ubuntu: aufs, /var/lib/docker/aufs
- redhat/centos: device mapper
- suse: btrfs
6.1 Docker data mounts (bind mounts)
Format: -v <host_path>:<container_path> # specifies the docker host path and the container path
docker run -d -p 7001:80 -v /root/htdocs:/usr/local/apache2/htdocs httpd
docker run -d -p 7001:80 -v /root/htdocs:/usr/local/apache2/htdocs:ro httpd # (ro) means read-only
# for labelling systems such as SELinux, z or Z can be appended to the volume mount to specify whether the volume is shared; the default is z, shared
Data mounted this way is easy to back up and migrate, but migrating the container itself is more cumbersome
6.2 Docker-managed volumes
docker run -d -p 7002:80 -v /usr/local/apache2/htdocs --name web1 httpd # only the container path is given
docker inspect web1 # look for Source
docker volume ls
docker volume inspect VOLUME_NAME
6.3 Data mounts vs. Docker-managed volumes
Type | docker_data_mount | docker_managed_volume |
---|---|---|
volume location | anywhere | /var/lib/docker/volumes/... |
if the mount point already exists | hidden and replaced by the volume | existing data copied into the volume |
single-file mounts supported | yes | no (must be a directory) |
privileges | read-only & read-write | read-write |
portability | weak, a host path must be specified | strong, no host directory needed |
6.4 Sharing data with a volume container
docker create --name vc_data -v /root/htdocs:/usr/local/apache2/htdocs -v /var/www/html busybox
docker run -d -p 7006:80 --name web1 --volumes-from vc_data httpd
6.5 Volume lifecycle management
6.5.1 Backup
The volume mounted by the docker registry is a local filesystem, so backing up that filesystem is enough
6.5.2 Restore
Copy the backed-up files into the local filesystem mounted by the docker registry
6.5.3 Upgrade
Migrating data across registry versions
- docker stop CONTAINER:registry
- start the new registry and mount the original filesystem
6.5.4 Destroy
docker rm CONTAINER # remove the container
docker rm -v CONTAINER # remove the container together with the volumes it uses
docker volume ls
docker volume rm VOLUME_NAME
docker volume rm $(docker volume ls -q) # remove all volumes