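Getting Started with Docker
1. Overview
LXC (Linux Containers), OpenVZ;
In a container setup the virtual environments share a single kernel; what is multiplied is the user space;
Virtualization done at the library level, for example Wine, or running bash on Windows;
Virtualization provided at the application runtime level, for example the JVM;
pstree: the process with PID 1 is the one that deals directly with the kernel;
Isolation techniques between containers, and between virtual machines;
Isolation between containers is comparatively difficult;
Namespace;
Kernel-level environment isolation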
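- PID Namespace: isolates PID numbers; PID isolation since Linux 2.6.24;
- Network Namespace: Linux 2.6.29; isolation of network devices, network stacks, ports and other network resources;
- User Namespace: isolation of user and group resources; Linux 3.8, or even after 3.10;
- IPC Namespace: inter-process communication; Linux 2.6.19; isolation of semaphores, message queues and shared memory;
- UTS Namespace: Linux 2.6.19; isolation of hostname and domain name;
- Mount Namespace: Linux 2.4.19; isolation of mount points (filesystems);
- API: clone(), the system call that implements threads, used to create a new thread;
- setns(): sets a new attribute, adding a process (or device) to a new namespace;
- unshare(): the un-sharing mechanism; leaves the current namespace and associates with a new one;
- Separating things with namespaces works; the problem is that a malicious user can forcibly grab resources: a single user can exhaust the system's resources entirely, driving CPU usage to 100%;
- This led to another mechanism;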
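- CGroup: Linux Control Group; merged into the kernel in Linux 2.6.24
- Kernel level; limits and controls the resources of a group of processes;
- Resources: defined at the CPU, memory and I/O level
- Google engineers started this work in 2006; it was first named process containers and later renamed CGroup
Functions:
- Resource limitation: limiting resources;
- Prioritization: priority control;
- Accounting: auditing and statistics, mainly for billing;
- Control: suspending and resuming processes;
- CGroup is implemented as a single-rooted inverted tree structure
- On CentOS 7 the mount command shows that this resource-group isolation is already in use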
/sys/fs/cgroup
# mount
# lssubsys -m
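The namespace types listed earlier in this section can be checked per process: each process has one symlink per namespace under /proc/<pid>/ns, and two processes are in the same namespace when the link targets match. The following is an added example, not part of the original post; the function names and the inode numbers in the sample are constructed, and the sample target models a container that was started on the host network.

```shell
# Added example (not from the page): compare a process's namespaces with a
# reference process (normally PID 1 on the host) via the /proc/<pid>/ns links.

# ns_compare REF_NS_DIR TARGET_NS_DIR
# Prints "<type> shared|isolated|unknown" for each namespace type listed above.
ns_compare() {
    for ns_type in pid net user ipc uts mnt; do
        ns_ref=$(readlink "$1/$ns_type" 2>/dev/null) || ns_ref=""
        ns_tgt=$(readlink "$2/$ns_type" 2>/dev/null) || ns_tgt=""
        if [ -z "$ns_ref" ] || [ -z "$ns_tgt" ]; then
            echo "$ns_type unknown"      # link missing or not readable
        elif [ "$ns_ref" = "$ns_tgt" ]; then
            echo "$ns_type shared"       # same inode: same namespace
        else
            echo "$ns_type isolated"
        fi
    done
}

# ns_shared_list REF_NS_DIR TARGET_NS_DIR
# Prints the namespace types the target shares with the reference, space-separated.
ns_shared_list() {
    ns_compare "$1" "$2" | awk '$2 == "shared" { printf "%s%s", sep, $1; sep = " " }'
}

# make_ns_sample DIR
# Builds constructed stand-ins for /proc/1/ns and /proc/<pid>/ns. The inode
# numbers are made up; the target shares only net and user with the host.
make_ns_sample() {
    mkdir -p "$1/host/ns" "$1/ctr/ns"
    for ns_pair in pid:4026531836 net:4026531956 user:4026531837 \
                   ipc:4026531839 uts:4026531838 mnt:4026531840; do
        ln -s "${ns_pair%%:*}:[${ns_pair##*:}]" "$1/host/ns/${ns_pair%%:*}"
    done
    for ns_pair in pid:4026532201 net:4026531956 user:4026531837 \
                   ipc:4026532200 uts:4026532199 mnt:4026532198; do
        ln -s "${ns_pair%%:*}:[${ns_pair##*:}]" "$1/ctr/ns/${ns_pair%%:*}"
    done
}

# On a real host, run as root: ns_compare /proc/1/ns /proc/<container-pid>/ns
demo_dir=$(mktemp -d)
make_ns_sample "$demo_dir"
ns_compare "$demo_dir/host/ns" "$demo_dir/ctr/ns"
rm -rf "$demo_dir"
```

A shared net or pid namespace means the process sees the host's network stack or process table, so it is the first thing to check when a container is expected to be isolated.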
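CGroup subsystems:
- blkio: the subsystem that sets I/O limits on block devices;
- cpu: sets CPU limits;
- cpuacct: reports the CPU resources used by the cgroup;
- cpuset: assigns CPU and memory resources to the tasks in a cgroup;
- memory: sets limits on memory use;
- devices: controls the access that tasks in a cgroup have to devices;
- freezer: suspends and resumes the tasks in a cgroup;
- net_cls: tags network packets with a class identifier (classid);
- tc: the traffic-shaping command;
- perf_event: classifies the processes that tasks create in user space;
- once it is in use, the tasks in a cgroup can be performance-tested in a uniform way;
- hugetlb: the translation lookaside buffer; places limits on the HugeTLB subsystem;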
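On a cgroup v1 system such as CentOS 7, /proc/<pid>/cgroup shows, for each hierarchy, which subsystems are attached to it and which cgroup the task sits in. The following is an added example, not part of the original post: it decodes that file and lists the subsystems for which the task is still in the root cgroup. The function names, the service name app.service and the sample file are constructed.

```shell
# Added example (not from the page): decode /proc/<pid>/cgroup (cgroup v1).
# Each line is  hierarchy-ID:subsystem[,subsystem...]:cgroup-path

# cgroup_table FILE
# Prints "<subsystem> <hierarchy-id> <cgroup-path>", one line per subsystem.
cgroup_table() {
    awk -F: '
        $2 == "" || $2 ~ /^name=/ { next }   # no kernel subsystem attached
        {
            path = $0
            sub(/^[^:]*:[^:]*:/, "", path)   # the path itself may contain ":"
            n = split($2, subs, ",")
            for (i = 1; i <= n; i++) print subs[i], $1, path
        }' "$1"
}

# cgroup_root_members FILE
# Prints, sorted and space-separated, the subsystems for which the task is
# still in the root cgroup "/", i.e. not placed in any limited group.
cgroup_root_members() {
    cgroup_table "$1" | sort |
        awk '$3 == "/" { printf "%s%s", sep, $1; sep = " " }'
}

# make_cgroup_sample FILE
# Writes a constructed /proc/<pid>/cgroup for a hypothetical service
# "app.service"; it is not output captured from the page's hosts.
make_cgroup_sample() {
    cat > "$1" <<'EOF'
10:hugetlb:/
9:perf_event:/
8:blkio:/system.slice/app.service
7:net_cls:/
6:freezer:/
5:devices:/system.slice/app.service
4:memory:/system.slice/app.service
3:cpuacct,cpu:/system.slice/app.service
2:cpuset:/
1:name=systemd:/system.slice/app.service
EOF
}

demo_file=$(mktemp)
make_cgroup_sample "$demo_file"
cgroup_table "$demo_file"
echo "in root cgroup: $(cgroup_root_members "$demo_file")"
rm -f "$demo_file"
```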
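CGroup terminology:
- task: a process or thread;
- cgroup: an independent unit of resource control; it can contain one or more subsystems;
- subsystem: a subsystem,
- hierarchy: a hierarchy
- AUFS: UnionFS:
- UnionFS: merges directories from different physical locations into a single directory.
- Another UFS, Alternative UFS, Advanced UFS: an almost complete rewrite of UnionFS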
# tc
# lssubsys -m
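Device mapper:
- One of the most important technologies introduced in the Linux 2.6 kernel: a generic device-mapping mechanism that supports logical volume management in the kernel;
- Mapped Device
- Mapping Table
- Target Device
- Only one endpoint can be opened in kernel space, but it can be mapped into other user spaces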
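Docker
- 2013, Go, Apache 2.0, dotCloud
Client/server (C/S):
- Docker Client: issues docker requests
- Docker Server: the node on which containers run;
- Containers
- images: Docker image files --> stored in a repository
- Starting a Docker container requires loading an image file --> the image is loaded from the Docker repository
- Docker lets us create private repositories
- The harder part is how to create image files
- dockerfile:
- namespace cgroup
Solutions
lxc, openvz
lxc, linux container
libcontainer
Host OS --> hypervisor --> Guest OS
Host OS --> hypervisor --> user space (n of them)
Core components:
docker client: Docker's client tool and the main interface for users; the docker client talks to the docker daemon and returns the results to the user
docker daemon: runs on the host; the Docker daemon process, which users interact with through the docker client
image: image files are read-only; they are used to create containers, and one image can run multiple containers
Image files can be created from a Dockerfile or downloaded from docker hub/registry;
repository
Public repository: Docker hub/registry
Private repository: docker registry
A repository can hold: nginx image, httpd image, tomcat image
docker container: a running instance of docker; a container is an isolated environment;
Two other important components:
docker link: lets docker containers communicate with each other
docker volume:
2. Installing and Configuring the Docker YUM Repository
Docker can be installed from the EPEL repository; CentOS 7 also ships it in its own repositories
dockerfile
A custom Docker repository: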
[root@node1 ~]# vim /etc/yum.repos.d/docker.repo
[dockerrepo]
name=Docker Repository
baseurl=https://yum.dockerproject.org/repo/main/centos/$releasever/
gpgcheck=1
gpgkey=https://yum.dockerproject.org/gpg
[jin]
name=renjin2
baseurl=https://mirrors.aliyun.com/centos/7/os/x86_64/
gpgcheck=0
enabled=1
[extra]
name=renjin3
baseurl=https://mirrors.aliyun.com/centos/7/extras/x86_64/
gpgcheck=0
enabled=1
[epel]
name=renji4
baseurl=https://mirrors.aliyun.com/epel/7Server/x86_64/
gpgcheck=0
enabled=1
Alternatively, use the distribution's own repository: https://mirrors.aliyun.com/centos/7.2.1511/extras/x86_64
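Three of the four stanzas in the repository file above set gpgcheck=0, which makes yum install packages from those repositories without verifying their signatures. The following is an added example, not part of the original post: it reads a .repo file and reports every enabled stanza with gpgcheck=0 or with an unencrypted baseurl. The function names are hypothetical, and the sample data is the page's own docker.repo.

```shell
# Added example (not from the page): flag enabled yum repos that skip
# package signature checks or use an unencrypted baseurl.
# repo_audit FILE prints "<repo-id> gpgcheck-disabled" / "<repo-id> plaintext-baseurl".
repo_audit() {
    awk '
        function report() {
            if (id == "" || v["enabled"] == "0") return    # enabled defaults to 1
            if (v["gpgcheck"] == "0") print id, "gpgcheck-disabled"
            if (v["baseurl"] ~ /^(http|ftp):/) print id, "plaintext-baseurl"
        }
        /^\[/ {                                   # a new [repo-id] stanza starts
            report()
            id = substr($0, 2, index($0, "]") - 2)
            split("", v)                          # forget the previous stanza
            next
        }
        {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            if (key != "") v[key] = val
        }
        END { report() }
    ' "$1"
}

# make_repo_sample FILE writes the four stanzas of the docker.repo shown above
# (name= and gpgkey= lines dropped to keep the sample short).
make_repo_sample() {
    cat > "$1" <<'EOF'
[dockerrepo]
baseurl=https://yum.dockerproject.org/repo/main/centos/$releasever/
gpgcheck=1
[jin]
baseurl=https://mirrors.aliyun.com/centos/7/os/x86_64/
gpgcheck=0
enabled=1
[extra]
baseurl=https://mirrors.aliyun.com/centos/7/extras/x86_64/
gpgcheck=0
enabled=1
[epel]
baseurl=https://mirrors.aliyun.com/epel/7Server/x86_64/
gpgcheck=0
enabled=1
EOF
}

demo_repo=$(mktemp); make_repo_sample "$demo_repo"
repo_audit "$demo_repo"; rm -f "$demo_repo"
```

On a real host the function can be run over each file in /etc/yum.repos.d; a stanza without a gpgcheck line inherits the value from the [main] section of yum.conf and is not flagged here.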
Show detailed information about the Docker package version:
[root@node1 ~]# yum info docker-engine
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Installed Packages
Name : docker-engine
Arch : x86_64
Version : 17.04.0.ce
Release : 1.el7.centos
Size : 63 M
Repo : installed
From repo : dockerrepo
Summary : The open-source application container engine
URL : https://dockerproject.org
License : ASL 2.0
Description : Docker is an open source project to build, ship and run any application as a
: lightweight container.
:
: Docker containers are both hardware-agnostic and platform-agnostic. This means
: they can run anywhere, from your laptop to the largest EC2 compute instance and
: everything in between - and they don't require you to use a particular
: language, framework or packaging system. That makes them great building blocks
: for deploying and scaling web apps, databases, and backend services without
: depending on a particular stack or provider.
[root@node1 ~]# yum -y install docker-engine
[root@node1 ~]# systemctl start docker.service
3. Basic Testing and Use of Docker
[root@node1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@node1 ~]# docker search centos
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
centos The official build of CentOS. 3239 [OK]
jdeathe/centos-ssh CentOS-6 6.8 x86_64 / CentOS-7 7.3.1611 x8... 63 [OK]
jdeathe/centos-ssh-apache-php CentOS-6 6.8 x86_64 - Apache / PHP-FPM / P... 25 [OK]
consol/centos-xfce-vnc Centos container with "headless" VNC sessi... 24 [OK]
nimmis/java-centos This is docker images of CentOS 7 with dif... 24 [OK]
gluster/gluster-centos Official GlusterFS Image [ CentOS-7 + Glu... 18 [OK]
million12/centos-supervisor Base CentOS-7 with supervisord launcher, h... 15 [OK]
torusware/speedus-centos Always updated official CentOS docker imag... 8 [OK]
egyptianbman/docker-centos-nginx-php A simple and highly configurable docker co... 6 [OK]
nathonfowlie/centos-jre Latest CentOS image with the JRE pre-insta... 5 [OK]
centos/mariadb55-centos7 4 [OK]
centos/redis Redis built for CentOS 2 [OK]
harisekhon/centos-java Java on CentOS (OpenJDK, tags jre/jdk7-8) 2 [OK]
harisekhon/centos-scala Scala + CentOS (OpenJDK tags 2.10-jre7 - 2... 2 [OK]
blacklabelops/centos CentOS Base Image! Built and Updates Daily! 1 [OK]
darksheer/centos Base Centos Image -- Updated hourly 1 [OK]
freenas/centos Simple CentOS Linux interactive container 1 [OK]
timhughes/centos Centos with systemd installed and running 1 [OK]
januswel/centos yum update-ed CentOS image 0 [OK]
kz8s/centos Official CentOS plus epel-release 0 [OK]
grayzone/centos auto build for centos. 0 [OK]
repositoryjp/centos Docker Image for CentOS. 0 [OK]
otagoweb/centos Apache (with PHP7), built on CentOS 7 0 [OK]
vcatechnology/centos A CentOS Image which is updated daily 0 [OK]
grossws/centos CentOS 6 and 7 base images with gosu and l... 0 [OK]
These images show up in the search because other people have published them for public use.
[root@node1 ~]# docker search busybox
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
busybox Busybox base image. 973 [OK]
progrium/busybox 65 [OK]
radial/busyboxplus Full-chain, Internet enabled, busybox made... 12 [OK]
container4armhf/armhf-busybox Automated build of Busybox for armhf devic... 6 [OK]
odise/busybox-python 4 [OK]
multiarch/busybox multiarch ports of ubuntu-debootstrap 2 [OK]
azukiapp/busybox This image is meant to be used as the base... 2 [OK]
ofayau/busybox-jvm Prepare busybox to install a 32 bits JVM. 2 [OK]
zanner/busybox https://github.com/sergej-kucharev/zanner-... 1 [OK]
ofayau/busybox-libc32 Busybox with 32 bits (and 64 bits) libs 1 [OK]
elektritter/busybox-teamspeak Leightweight teamspeak3 container based on... 1 [OK]
getblank/busybox Docker container busybox for Blank 1 [OK]
prom/busybox Prometheus Busybox Docker base images 1 [OK]
skomma/busybox-data Docker image suitable for data volume cont... 1 [OK]
odise/busybox-curl 1 [OK]
jahroots/busybox Busybox containers 0 [OK]
ggtools/busybox-ubuntu Busybox ubuntu version with extra goodies 0 [OK]
cucy/busybox aouto build busybox 0 [OK]
freenas/busybox Simple Busybox interactive Linux container 0 [OK]
sdurrheimer/prom-busybox Moved to https://hub.docker.com/r/prom/bus... 0 [OK]
jiangshouzhuang/busybox busybox 0 [OK]
padcom/busybox-java Oracle Java on BusyBox 0 [OK]
futurenda/busybox Mini busybox 0 [OK]
hongtao12310/busybox for busybox image based on the gcr.io/goog... 0 [OK]
ddn0/busybox fork of official busybox 0 [OK]
[root@node1 ~]# docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
7520415ce762: Pull complete
Digest: sha256:32f093055929dbc23dec4d03e09dfe971f5973a9ca5cf059cbfb644c206aa83f ## checksum
Status: Downloaded newer image for busybox:latest
[root@node1 ~]# docker pull hub.magedu.com:5000/busybox ## pull busybox from a specific registry server
[root@node1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest 00f017a8c2a6 3 weeks ago 1.11MB
[root@node1 ~]# docker run -it busybox:latest /bin/sh ## start a container instance
/ # ls
bin dev etc home proc root sys tmp usr var
[root@node1 ~]# docker ps ## list the running containers
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7090d8fd9861 busybox:latest "/bin/sh" 2 minutes ago Up 2 minutes boring_archimedes
4. Summary of Common docker Commands
Environment information:
- info
- version
[root@node1 ~]# docker info ## show Docker environment information
[root@node1 ~]# docker version ## show the Docker version
System maintenance:
- images
- inspect
- build: create an image file
- commit: create an image file from a running container
- pause/unpause
- ps
- rm
- rmi
- run
- start/stop/restart
- top
- kill
Log information:
- events
- history
- logs
Docker Hub services:
- login
- logout
- pull
- push
- search
Basic operations:
- Fetch an image: pull
- Start a container: run
[root@node1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7090d8fd9861 busybox:latest "/bin/sh" 17 minutes ago Up 17 minutes boring_archimedes
[root@node1 ~]# docker kill 7090d8fd9861
7090d8fd9861
[root@node1 ~]# docker ps # the docker process has been killed
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@node1 ~]# docker ps -a # but the container itself is not deleted
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7090d8fd9861 busybox:latest "/bin/sh" 20 minutes ago Exited (137) 3 minutes ago boring_archimedes
[root@node1 ~]# docker rm 7090d8fd9861 # this deletes the container
7090d8fd9861
[root@node1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@node1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2bca1aa3d38d busybox:latest "/bin/sh" 4 minutes ago Up 4 minutes naughty_goldberg
[root@node1 ~]# docker
docker docker-containerd-ctr dockerd docker-proxy
docker-containerd docker-containerd-shim docker-init docker-runc
[root@node1 ~]# docker commit 2bca1aa3d38d centos:newuser
sha256:08d1d05a6e490c31b0e4e3ffb9532a25bb3d9e8f588b30990338f1ae64b34286
[root@node1 ~]# docker
docker docker-containerd-ctr dockerd docker-proxy
docker-containerd docker-containerd-shim docker-init docker-runc
[root@node1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos newuser 08d1d05a6e49 9 seconds ago 1.11MB
busybox latest 00f017a8c2a6 3 weeks ago 1.11MB
[root@node1 ~]# docker run -it --rm centos:newuser /bin/sh
/ #
[root@node1 ~]# docker kill fee1da85d418
fee1da85d418
[root@node1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
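- Linux kernel --> libcontainer --> (execdriver, networkdriver) --> Docker Daemon (GraphDB) --> API server --> user
Besides Docker itself there is one more important store, GraphDB, also known as a graph database
Docker applications:
- Image: contains the filesystem layers, and their contents, needed to start a Docker container;
- Implemented as a layered structure based on UnionFS;
bootfs, rootfs;
- registry: stores the Docker image hierarchy and the image metadata;
- repository: the collection of all related versions of an image that provides a given function;
- index: manages user accounts, access permissions, images, image tags and so on;
- graph: Docker images downloaded from the registry have to be stored locally; this is done by the graph;
- /var/lib/docker/graph;
Image-related commands:
- docker images: list local images
- docker search: search
- docker pull: download an image
- docker push: upload an image
- docker login: log in
- docker logout: log out
Creating an image: commit, build
- Deleting a local image: rmi
- Container: can also be thought of as a virtual machine
- One application or a group of applications running independently, together with their runtime environment
Commands:
- run, kill, stop, start, restart, logs, export, import
Ways to start a container:
- Create a new container from an image: run
- Start a container that is in the stopped state: start
A container exists for its application: when the application exits, the container exits too;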
[root@node1 ~]# docker run busybox:latest /bin/echo "hello world"
hello world
[root@node1 ~]# docker run -it --name=busybox busybox:latest /bin/sh
[root@node1 ~]# docker stop busybox ## stops a container normally, like a clean shutdown
busybox
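run command:
--name= Assign a name to the container
-i, --interactive=false Keep STDIN open even if not attached
-t, --tty=false Allocate a pseudo-TTY
--net=default Set the Network for the container
Steps:
Check whether the specified image exists locally; if not, download it from the registry;
Start the container from the image;
Allocate a filesystem and mount a read-write layer on top of the read-only image layers;
Bridge a virtual interface to the container from the bridge configured on the host;
Allocate an address from the address pool to the container;
Run the application specified by the user;
When the program finishes, the container terminates;
logs command: fetches a container's logs, that is, its output;
A container started in interactive mode can be terminated with the exit command or with Ctrl+D;
attach: attaches to a running container;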
[root@node1 ~]# docker start 31a67d66b2c2
[root@node1 ~]# docker attach busybox
[root@node1 ~]# docker run busybox:latest /bin/echo "hello world"
[root@node1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d35a2673722e busybox:latest "/bin/echo 'hello ..." 13 seconds ago Exited (0) 12 seconds
[root@node1 ~]# docker start d35a2673722e
d35a2673722e
[root@node1 ~]# docker logs cabd0e52f8f8 ## shows the output produced by the command that was run
hello world
hello world
hello world
/ # exit ## terminates the current container; Ctrl+D does the same
attach
[root@node1 ~]# docker start -i busybox ## start the container with an interactive interface
[root@node1 ~]# docker start busybox
[root@node1 ~]# docker attach busybox ## attach to a running container
/ #
Docker Hub
- There are two kinds of registry
- docker hub
- private registry
# docker login
# docker push busybox:latest
[root@node2 yum.repos.d]# yum -y install docker-registry
The previous command actually installs a different package:
[root@node2 yum.repos.d]# yum -y install docker-distribution-2.6.0-1.el7.x86_64
[root@node1 yum.repos.d]# systemctl start docker-distribution.service
[root@node1 yum.repos.d]# ss -tnl | grep 5000
LISTEN 0 128 :::5000 :::*
[root@node1 yum.repos.d]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos newuser 08d1d05a6e49 2 weeks ago 1.11MB
centos latest 98d35105a391 5 weeks ago 192MB
busybox latest 00f017a8c2a6 6 weeks ago 1.11MB
[root@node1 yum.repos.d]#
[root@node1 yum.repos.d]# docker tag 08d1d05a6e49 192.168.99.15:5000/centos:1.2.1 ## tag an image
[root@node1 yum.repos.d]# docker push 192.168.99.15:5000/centos:1.2.1