Docker概覽
Docker架構
Docker採用client-server架構,client和daemon間使用REST API進行通訊。client和daemon可以運行在相同或不同的機器。daemon間也可以通過Docker API通訊。
Docker Registry存儲image,Docker Hub和Docker Cloud是兩個公有Registry,默認使用Docker Hub,也可以配置使用私有的Registry。
使用Docker時會涉及image、container、network、volume、plugin等對象。
- Image是用來創建Container的只讀模板。一個Image可以建立在另一個Image之上,使用Dockerfile文件配置image。Dockerfile的每一指令創建一個image layer,當更改Dockerfile重建image時,僅更改的layer被重建。
- Container是Image的運行實例。
Docker版本
- Community Edition (CE)
- Enterprise Edition (EE)
Capabilities | Community Edition | Enterprise Edition Basic | Enterprise Edition Standard | Enterprise Edition Advanced |
---|---|---|---|---|
Container engine and built in orchestration, networking, security | yes | yes | yes | yes |
Certified infrastructure, plugins and ISV containers | yes | yes | yes | |
Image management | yes | yes | ||
Container app management | yes | yes | ||
Image security scanning | yes |
自17年3月,Docker版本號採用YY.mm.patch格式,YY.mm代表年月。
安裝和卸載
在CentOS 7或RHEL 7上可直接使用yum安裝,如下:
# yum install docker
# systemctl enable docker
# systemctl start docker
docker配置文件位置:
/etc/sysconfig/docker
/etc/docker目錄
安裝官方最新版本docker,步驟如下:
卸載舊版本
如安裝過Docker先卸載,舊版本稱爲docker或docker-engine,:
# yum remove docker docker-client docker-client-latest docker-common \
docker-latest docker-latest-logrotate docker-logrotate \
docker-selinux docker-engine-selinux docker-engine
目錄/var/lib/docker/下的內容不會刪除,其中包含images、containers、volumes、networks等。
安裝Docker CE
- 更新系統
# yum update
安裝最新版的container-selinux
# yum install -y http://mirror.centos.org/centos/7/extras/x86_64/Packages/container-selinux-2.66-1.el7.noarch.rpm
如未更新container-selinux,在安裝Docker CE時可能會顯示如下錯誤:
Error: Package: docker-ce-18.06.0.ce-3.el7.x86_64 (docker-ce-edge)
Requires: container-selinux >= 2.9
- 安裝必須的Package
yum-utils提供yum-config-manager工具,用來配置Docker Repository;devicemapper storage driver需要device-mapper-persistent-data和lvm2
# yum install -y yum-utils device-mapper-persistent-data lvm2
- 配置Docker Repository
# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
默認stable repository是啓用的,若要啓用edge或test repository(stable repository是必須的),執行如下命令:
# yum-config-manager --enable docker-ce-edge
# yum-config-manager --enable docker-ce-test
- 安裝Docker CE
# yum install docker-ce
# systemctl enable docker
# systemctl start docker
- 驗證docker安裝
# docker info
# docker --version
# docker version
運行hello-world:
# docker run hello-world
成功後輸出如下:
Unable to find image 'hello-world:latest' locally
Trying to pull repository docker.io/library/hello-world ...
latest: Pulling from docker.io/library/hello-world
1b930d010525: Pull complete
Digest: sha256:2557e3c07ed1e38f26e389462d03ed943586f744621577a99efb77324b0fe535
Status: Downloaded newer image for docker.io/hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
查看image和container:
# docker images
# docker ps
- 用戶管理
Docker Daemon綁定了Unix socket,而不是TCP端口,默認Unix socket由root和sudo權限的用戶擁有。爲了運行docker命令時不使用sudo,創建Unix group "docker"(Docker安裝後創建了docker group),將用戶添加到docker group即可。當docker daemon啓動時,讓docker group有讀/寫Unix Socket權限。
# groupadd docker
# usermod -aG docker $USER
執行以上命令後需重新登錄或重啓。
卸載Docker CE
# yum remove docker-ce
Images、 containers、 volumes、customized configuration files不會自動刪除,執行以下命令刪除:
# rm -rf /var/lib/docker
Docker CLI
CLI | Description |
---|---|
Engine CLI | The main CLI for Docker, includes all docker and dockerd commands |
Compose CLI | The CLI for Docker Compose, which allows you to build and run multi-container applications |
Machine CLI | Manages virtual machines that are pre-configured to run Docker |
DTR CLI | Deploy and manage Docker Trusted Registry |
UCP CLI | Deploy and manage Universal Control Plane |
Docke支持多方面的CLI,下面僅涉及Engine CLI docker。
運行不帶任何參數的docker命令或docker help,可列出所有可用的docker命令。
爲了查看某一命令的幫助,執行如下命令:
$ docker run --help
option參數可以組合在一起:
docker run -i -t --name test busybox sh
可以寫成:
docker run -it --name test busybox sh
docker run
$ docker run [OPTIONS] IMAGE[:TAG|@DIGEST] [COMMAND] [ARG...]
啓動docker container有兩種模式:Detached、Foreground,默認是Foreground模式。
Foreground模式
Options:
-a=[] : Attach to `STDIN`, `STDOUT` and/or `STDERR`
-t : Allocate a pseudo-tty
--sig-proxy=true: Proxy all received signals to the process (non-TTY mode only)
-i : Keep STDIN open even if not attached
-i -t組合在一起使用,可以與容器進行交互:
$ docker run -a stdin -a stdout -i -t ubuntu /bin/bash
運行以上命令後,會執行以下操作:
- 如本地沒有ubuntu image,將從registry獲取,相當於手動執行docker pull ubuntu
- Docker創建新的容器,相當於運行docker container create
- Docker給容器分配可讀寫的文件系統
- Docker創建網絡接口連接容器到默認網絡
- Docker啓動容器並執行/bin/bash
容器啓動後,可以執行shell命令,如下:
root@f7cbdac22a02:/# hostname
root@f7cbdac22a02:/# cat /etc/hosts
root@f7cbdac22a02:/# yum install -y vim
- 輸入exit,終止/bin/bash,容器停止但不會被刪除,可以重新啓動。
root@f7cbdac22a02:/# exit
Detached模式
當指定-d選項後,啓用Detached模式,container將在後臺運行。
$ docker run -d -p 80:80 my_image nginx -g 'daemon off;'
Container identification
有三種類型:
Identifier type | Example value |
---|---|
UUID long identifier | “f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778” |
UUID short identifier | “f78375b1c487” |
Name | “evil_ptolemy” |
當運行container時,如未使用--name指定容器名,daemon將生成一隨機字符串作爲名字。
Attach to and detach from a running container
$ docker run -d --name topdemo ubuntu /usr/bin/top -b
$ docker attach topdemo
docker commit
使用docker commit可以從container創建image。
docker commit [OPTIONS] CONTAINER [REPOSITORY[:TAG]]
Options
Name, shorthand | Default | Description |
---|---|---|
--author , -a | Author (e.g., “John Hannibal Smith [email protected]”) | |
--change , -c | Apply Dockerfile instruction to the created image | |
--message , -m | Commit message | |
--pause , -p | true | Pause container during commit |
先創建一個Container
$ docker run -t -i training/sinatra /bin/bash
然後運行shell腳本更新container
$ root@0b2616b0e5a8:/# yum install vim
更新完畢後,運行exit退出。
最後使用docker commit創建image:
$ docker commit -m "Added json gem" -a "Kate Smith" 0b2616b0e5a8 ouruser/sinatra:v2
還可以使用--change修改後再創建image:
$ docker commit --change='CMD ["apachectl", "-DFOREGROUND"]' -c "EXPOSE 80" c3f279d17e0a svendowideit/testimage:version4
docker build
從Dockerfile創建image,這是最常用的方式。
docker build [OPTIONS] PATH | URL | -
下面演示從Dockerfile創建image:
Dockerfile
創建一個空目錄,在其內創建名爲Dockerfile的文件,內容如下:
# Use an official Python runtime as a parent image
FROM python:2.7-slim
# Set the working directory to /app
WORKDIR /app
# Copy the current directory contents into the container at /app
ADD . /app
# Install any needed packages specified in requirements.txt
RUN pip install --trusted-host pypi.python.org -r requirements.txt
# Make port 80 available to the world outside this container
EXPOSE 80
# Define environment variable
ENV NAME World
# Run app.py when the container launches
CMD ["python", "app.py"]
Dockerfile引用了文件app.py 和 requirements.txt,下面在相同目錄創建這兩個文件:
requirements.txt
Flask
Redis
app.py
from flask import Flask
from redis import Redis, RedisError
import os
import socket
# Connect to Redis
redis = Redis(host="redis", db=0, socket_connect_timeout=2, socket_timeout=2)
app = Flask(__name__)
@app.route("/")
def hello():
try:
visits = redis.incr("counter")
except RedisError:
visits = "<i>cannot connect to Redis, counter disabled</i>"
html = "<h3>Hello {name}!</h3>" \
"<b>Hostname:</b> {hostname}<br/>" \
"<b>Visits:</b> {visits}"
return html.format(name=os.getenv("NAME", "world"), hostname=socket.gethostname(), visits=visits)
if __name__ == "__main__":
app.run(host='0.0.0.0', port=80)
Build
$ docker build -t friendlyhello .
Container相關命令
Command | Description |
---|---|
docker attach | Attach local standard input, output, and error streams to a running container |
docker container | Manage containers |
docker cp | Copy files/folders between a container and the local filesystem |
docker create | Create a new container |
docker diff | Inspect changes to files or directories on a container’s filesystem |
docker exec | Run a command in a running container |
docker export | Export a container’s filesystem as a tar archive |
docker kill | Kill one or more running containers |
docker logs | Fetch the logs of a container |
docker pause | Pause all processes within one or more containers |
docker port | List port mappings or a specific mapping for the container |
docker ps | List containers |
docker rename | Rename a container |
docker restart | Restart one or more containers |
docker rm | Remove one or more containers |
docker run | Run a command in a new container |
docker start | Start one or more stopped containers |
docker stats | Display a live stream of container(s) resource usage statistics |
docker stop | Stop one or more running containers |
docker top | Display the running processes of a container |
docker unpause | Unpause all processes within one or more containers |
docker update | Update configuration of one or more containers |
docker wait | Block until one or more containers stop, then print their exit codes |
示例:
List containers
$ docker ps -a
-a 顯示所有的container,默認僅顯示運行的container
Stop one or more running containers
$ docker stop CONTAINER [CONTAINER...]
Remove one or more containers
$ docker rm CONTAINER [CONTAINER...]
Remove all containers
$ docker rm `docker ps -a -q`
Start one or more stopped containers
$ docker start CONTAINER [CONTAINER...]
Fetch the logs of a container
$ docker logs -f --until=2s my_container
Run a command in a running container
$ docker exec -d my_container touch /tmp/execWorks
Image相關命令
Command | Description |
---|---|
docker build | Build an image from a Dockerfile |
docker commit | Create a new image from a container’s changes |
docker history | Show the history of an image |
docker image | Manage images |
docker images | List images |
docker import | Import the contents from a tarball to create a filesystem image |
docker load | Load an image from a tar archive or STDIN |
docker manifest | Manage Docker image manifests and manifest lists |
docker pull | Pull an image or a repository from a registry |
docker push | Push an image or a repository to a registry |
docker rmi | Remove one or more images |
docker save | Save one or more images to a tar archive (streamed to STDOUT by default) |
docker search | Search the Docker Hub for images |
docker tag | Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE |
docker trust | Manage trust on Docker images |
示例:
pull an image
$ docker pull hello-world
Push an image
$ docker push hello-world:latest
List images
$ docker images
Search images
$ docker search centos
Remove one or more images
$ docker rmi IMAGE [IMAGE...]
Remove all images
$ docker rmi `docker images -a -q`
Registry命令
Command | Description |
---|---|
docker login | Log in to a Docker registry |
docker logout | Log out from a Docker registry |
docker pull | Pull an image or a repository from a registry |
docker push | Push an image or a repository to a registry |
搭建私有Registry
docker常用命令結構:
docker <command> <registry-hostname>:<registry-port>/<namespace>/<image>:<tag>
默認Registry爲Docker Hub,默認namespace爲/library,以下三個命令效果相同:
# docker pull hello-world
# docker pull docker.io/hello-world
# docker pull docker.io/library/hello-world
使用Docker中國官方鏡像registry.docker-cn.com可以享受到更快的下載速度和更強的穩定性,但只包含流行的公有鏡像。
# docker pull registry.docker-cn.com/library/hello-world
可以配置Docker守護進程默認使用Docker中國官方鏡像,這樣無需在每次拉取時指定registry.docker-cn.com,修改文件/etc/docker/daemon.json添加registry-mirrors鍵值:
{
"registry-mirrors": ["https://registry.docker-cn.com"]
}
保存後重啓Docker以使配置生效。
初識Registry
- 使用官方registry鏡像創建私有Registry
# mkdir /mnt/registry/docker
# docker run -d -p 5000:5000 --restart always -v /mnt/registry:/var/lib/registry --name registry registry
參數說明:
--restart always 容器異常退出或重啓docker後自動重啓容器
-v /mnt/registry:/var/lib/registry 綁定/mnt/registry到容器/var/lib/registry目錄(存放鏡像文件的目錄)來實現數據持久化
selinux
如系統啓用了selinux,要爲/mnt/registry設置selinux安全上下文類型,如下:
# semanage fcontext -a -t container_file_t "/mnt/registry(/.*)?"
# restorecon -R -v /mnt/registry
- 上傳image
爲image打標籤後上傳到倉庫:
$ docker tag hello-world localhost:5000/hello-world:latest
$ docker push localhost:5000/hello-world:latest
tag語法:
Usage: docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
也可以使用IMAGE ID:
$ docker tag fce289e99eb9 localhost:5000/hello-world:latest
如系統啓用了selinux,但未設置安全上下文類型,上傳時會一直retry,報如下錯誤(可運行journalctl -xe查看原因):
SELinux is preventing /bin/registry from add_name access on the directory docker.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow registry to have add_name access on the docker directory
Then you need to change the label on docker
Do
# semanage fcontext -a -t FILE_TYPE 'docker'
where FILE_TYPE is one of the following: container_file_t, container_var_lib_t, nfs_t, svirt_home_t, tmpfs_t, virt_home_t.
Then execute:
restorecon -v 'docker'
- 從本地registry運行容器
$ docker run localhost:5000/hello-world
- 查看registry中的image
列出所有image:
curl http://localhost:5000/v2/_catalog
列出hello-world image:
curl http://localhost:5000/v2/hello-world/tags/list
- 外部訪問registry
通過上面方式創建的registry其協議爲http,是不安全的,只適用於本地使用,若要從外部訪問registry,需要編輯/etc/docker/daemon.json,增加insecure-registries,如下:
{
"insecure-registries": ["192.168.122.1:5000"]
}
配置完畢後需重啓docker。
SSL Registry
- 獲取證書
以自簽名證書爲例,Registry URL爲registry.itrunner.org,生成自簽名證書:
$ cd /mnt/registry
$ mkdir certs
$ openssl req -newkey rsa:2048 -nodes -sha256 -keyout certs/domain.key \
-x509 -days 365 -out certs/domain.crt -subj /C=CN/ST=Beijing/L=Beijing/CN=registry.itrunner.org/OU=itrunner/O=itrunner/[email protected]
同樣,如系統啓用了selinux,需給certs目錄指定安全上下文:
# semanage fcontext -a -t container_file_t "certs(/.*)?"
# restorecon -R -v certs
每臺使用這個Registry的主機都需將自簽名證書拷貝到/etc/docker/certs.d/registry.itrunner.org目錄下:
# mkdir /etc/docker/certs.d/registry.itrunner.org
# cp certs/domain.crt /etc/docker/certs.d/registry.itrunner.org
- 刪除當前運行的Registry
$ docker stop registry
$ docker rm registry
- 配置證書重新運行Registry
$ docker run -d --restart always --name registry -v /mnt/registry:/var/lib/registry \
-v "$(pwd)"/certs:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-p 443:443 \
registry
- 測試
$ curl -k https://registry.itrunner.org/v2/
$ docker tag hello-world registry.itrunner.org/hello-world
$ docker push registry.itrunner.org/hello-world
$ docker pull registry.trunner.org/hello-world
Registry Proxy
每次都從遠程Registry獲取image浪費網絡資源,效率低下。雖然我們可以先從遠程pull,再push到私有Registry,但這樣操作非常煩瑣。Registry Proxy可以本地存儲image,減少了重複的pull操作。Registry Proxy不支持push。
這次我們使用配置文件運行registry,執行以下命令獲取默認配置文件:
$ docker run -it --rm --entrypoint cat registry /etc/docker/registry/config.yml > config.yml
文件內容如下:
version: 0.1
log:
fields:
service: registry
storage:
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: /var/lib/registry
http:
addr: :5000
headers:
X-Content-Type-Options: [nosniff]
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3
增加proxy配置:
version: 0.1
log:
fields:
service: registry
storage:
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: /var/lib/registry
http:
addr: 0.0.0.0:443
headers:
X-Content-Type-Options: [nosniff]
tls:
certificate: /var/lib/registry/certs/domain.crt
key: /var/lib/registry/certs/domain.key
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3
proxy:
remoteurl: https://registry-1.docker.io
修改/etc/docker/daemon.json:
{
"registry-mirrors": ["https://registry.itrunner.org"]
}
重啓docker後運行registry:
$ docker run -d --restart always --name registry-proxy -p 443:443 -v /mnt/registry:/var/lib/registry \
registry /var/lib/registry/config.yml
測試:
$ docker pull hello-world
查看proxy:
$ curl -k https://registry.itrunner.org/v2/_catalog
{"repositories":["library/hello-world"]}
可以看到hello-world已保存到proxy中。
搭建Nexus私服
除默認Registry外,使用docker時必須指定Registry域名,能否像Maven一樣統一使用一個倉庫呢?Nexus 3已支持Docker Repository,同Maven一樣分爲三種類型:group、hosted、proxy。hosted相當於私有Registry,用來存儲公司內部image;proxy爲代理Registry;group可以將hosted、proxy、group三者組合在一起。
待續
常見問題
docker error initializing network controller
刪除/var/lib/docker/network/files下的文件,重新啓動。
參考文檔
Docker Documentation
Product Manuals
Docker Glossary
Reference Documentation
Docker Samples
Docker中國
Best practices for writing Dockerfiles
How to Set Up a Registry Proxy Cache with Docker Open Source Registry
Jenkins與Docker的自動化CI/CD實戰