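Docker Notes (Part 1)
Virtualization And Container
Host-level virtualization
- Type-I: virtualization runs directly on the hardware;
- Type-II: virtualization runs after a host system has booted;
- What actually delivers productivity is the application layer;
- A system runs two trees: the process tree and the filesystem tree;
- Isolation is done at the user-space level (UTS, Mount, IPC, PID, User, Net);
- namespaces: a kernel feature exposed through system calls (clone(), setns());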
Linux Namespaces
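Namespace | System call flag | What it isolates | Kernel version |
---|---|---|---|
UTS | CLONE_NEWUTS | Hostname and domain name | 2.6.19 |
IPC | CLONE_NEWIPC | Semaphores, message queues and shared memory | 2.6.19 |
PID | CLONE_NEWPID | Process IDs | 2.6.24 |
Network | CLONE_NEWNET | Network devices, network stack, port numbers, etc. | 2.6.29 |
Mount | CLONE_NEWNS | Mount points (filesystems) | 2.4.19 |
User | CLONE_NEWUSER | Users and groups | 3.8 |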
Control Groups (cgroups)
Divides system-level resources into multiple groups
- lxc-create, template
- nmp
- machine+swarm+compose
- mesos+marathon
- kubernetes -> k8s
- libcontainer -> runC
- Moby, CNCF
- Containers in Docker
  lxc -> libcontainer -> runC
- OCI: Open Container Initiative
  Aims to establish an open industry standard around container formats and runtimes
  the Runtime Specification (runtime-spec)
  the Image Specification (image-spec)
- runC: Open Container Format
  https://hub.docker.com
- The two editions of Docker
  docker-ee
  docker-ce
- Docker architecture
  The Docker daemon
  The Docker client
  Docker registries
- Repositories in yum: repository, repo
  Repositories in Docker: repository, repo
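Images are named in the form nginx:1.10. nginx:1.15 / nginx:latest: the default version of an image is the latest one
nginx:1.14 / nginx:stable: the latest stable version
Image: static;
Container: dynamic, has a life cycle, very much like a program;
Common container resources: images, containers, networks, volumes, plugins
Installing and using Docker
Required environment
- 64-bit CPU
- Linux Kernel 3.10+
- Linux kernel cgroups and namespaces
CentOS 7
- "Extras" repository
Docker Daemon
- systemctl start docker.service
Docker Client
- docker [OPTIONS] COMMAND [arg …]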
```
# cd /etc/yum.repos.d/
# wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# yum makecache
# yum repolist
# yum remove docker docker-common container-selinux docker-selinux docker-engine
# yum install docker-ce
```
Repository configuration file: https://download.docker.com/linux/centos/docker-ce.repo
Docker components:
Docker program environment:
- Environment configuration files:
  /etc/sysconfig/docker-network
  /etc/sysconfig/docker-storage
  /etc/sysconfig/docker
- Unit file: /usr/lib/systemd/system/docker.service
- Docker Registry configuration file: /etc/containers/registries.conf
- docker-ce configuration file: /etc/docker/daemon.json
Register an Alibaba Cloud account; the dedicated accelerator address is available at:
https://cr.console.aliyun.com/#/accelerator
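Docker registry mirrors (image pull acceleration)
- docker cn
- Alibaba Cloud accelerator
- University of Science and Technology of China
```
{
  "registry-mirrors": ["https://registry.docker-cn.com"]
}
```
```
# mkdir /etc/docker
# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://registry.docker-cn.com"]
}
# systemctl start docker
```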
Checking Docker version information
```
# docker version
Client:
 Version:           18.06.1-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        e68fc7a
 Built:             Tue Aug 21 17:23:03 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.1-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       e68fc7a
  Built:            Tue Aug 21 17:25:29 2018
  OS/Arch:          linux/amd64
  Experimental:     false
# docker info
```
Common operations
docker search: search for images
```
# docker search nginx
```
docker pull: download an image to the local host
```
# docker pull nginx:1.14-alpine-perl
# docker pull busybox:latest
# docker image pull nginx:1.14-alpine-perl
# docker
```
docker images: list local images
```
# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               1.14-alpine-perl    a47b6006585d        2 weeks ago         51.6MB
busybox             latest              e1ddd7948a1c        8 weeks ago         1.16MB
# docker image rm a47b6006585d    # delete the image
# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
busybox             latest              e1ddd7948a1c        8 weeks ago         1.16MB
# docker image ls --no-trunc    # list the full image IDs
REPOSITORY          TAG                 IMAGE ID                                                                  CREATED             SIZE
nginx               1.14-alpine-perl    sha256:a47b6006585d03b999ee55c6eec4331430fb2bcddb5ce8f76f294cc997482ca2   2 weeks ago         51.6MB
busybox             latest              sha256:e1ddd7948a1c31709a23cc5b7dfe96e55fc364f90e1cebcde0773a1b5a30dcda   8 weeks ago         1.16MB
# docker container ls    # list containers
```
- docker ps: list containers
- docker images: list all images
- docker create: create a new container
- docker start: start one or more stopped containers
- docker run: run a command in a new container
- docker attach: attach to a running container
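alpine: provides a base environment for programs at a very small size, so the alpine variants are not recommended for production use;
busybox: a single busybox binary implements many Linux commands. When a link named ls points to busybox, it runs as the ls command;
when the link is named pwd, it runs as pwd. kernel + busybox is enough to build a tiny Linux system;
the so-called Android system is likewise a system running on linux + busybox + jvm;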
Using containers
```
# docker run --name b2 -it busybox:latest
/ #
# docker run --name b1 -it busybox:latest
/ # mkdir /data/www -p
/ # vi /data/www/index.html
<h1>www.ssjinyao.com</h1>
/ # httpd -f -h /data/www/
# docker inspect b1    # show the container's startup details
# Access it from another terminal
# curl 172.17.0.2
<h1>www.ssjinyao.com</h1>
```
Starting a container again
```
# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                       PORTS               NAMES
57c80d23f0e5        busybox:latest      "sh"                6 minutes ago       Exited (130) 4 minutes ago                       b1
# docker container start -i -a b1
```
Stopping a container
```
# docker kill b1
# docker stop b1
```
Starting the nginx image
```
# docker run --name web1 -d nginx:1.14-alpine-perl
# docker inspect web1
[root@ssjinyao-node1:~]# curl 172.17.0.2
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
```
Note: a container exists to run a single program. If that program moves to the background, the container considers the program to have terminated.
So if the program inside a container runs in the background, the container stops as soon as the program starts.
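Searching for, downloading and running an image in one step
```
# docker run --name kvstor1 -d redis:4-alpine
```
Crossing the container boundary and attaching interactively
```
# docker exec -it kvstor1 /bin/sh
/data # ps
PID   USER     TIME  COMMAND
    1 redis     0:00 redis-server
   12 root      0:00 /bin/sh
   16 root      0:00 ps
```
Viewing the logs of a started container
```
# docker logs web1
```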
docker event state
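Using and managing Docker images
Docker: dock worker
Normally, when we deploy applications, they are shipped loose; Docker lets us ship them in containers;
A Docker image contains the filesystem and contents needed to start a container, so it is used to create and start Docker containers
Images are built in layers: the lowest layer is bootfs, and above it is rootfs
- bootfs: the filesystem used for system boot, including the bootloader and kernel; it is unmounted once the container has started, to save memory
- rootfs: sits on top of bootfs and appears as the root filesystem of the Docker container:
  - In the traditional model, at boot the kernel first mounts rootfs "read-only", and remounts it read-write after the integrity self-check;
  - In Docker, the kernel mounts rootfs "read-only" and then uses "union mount" technology to provide an additional writable layer;
Aufs: advanced multi-layered unification filesystem
For the sake of stability, CentOS does not integrate this filesystem
overlayfs has been merged into the Linux kernel since version 3.18;
```
# docker info
# The output shows that the front-end filesystem is overlay2 and the backing filesystem is xfs
Storage Driver: overlay2
 Backing Filesystem: xfs
```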
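Docker Registry
When a container is started, the Docker daemon first tries to get the image locally; if the image does not exist locally, it is downloaded from the Registry and saved locally;
Docker Registry classification
A Registry stores Docker images, including their layer structure and metadata;
Users can build their own Registry or use the official Docker Hub
Classification
- Sponsor Registry: a third-party registry for customers and the Docker community
- Mirror Registry: a third-party registry for customers only
- Vendor Registry: a registry provided by a vendor that publishes Docker images
- Private Registry: a registry provided by a private entity with a firewall and additional security layers
Repository
- An image repository made up of all iterations of one particular Docker image
- One Registry may contain multiple Repositories
- Repositories are divided into "top-level repositories" and "user repositories"
- A user repository is named "username/repository name"
- Each repository can contain multiple Tags, and each tag corresponds to one image
Index
- Maintains user accounts, image verification, and public namespace information;
- In effect, it provides the Registry with functions such as user authentication
Images in a Docker Registry are usually built by developers and then pushed to a "public" or "private" Registry for storage,
where other people can use them, for example to "deploy" them to production;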
```
# docker pull <registry>[:<port>]/[<namespace>/]<name>:<tag>
```
quay.io also offers many images for download
```
# docker pull quay.io/coreos/flannel:v0.10.0-amd64    # pull an image from a specific site
```
Building images
Ways to produce an image
- Dockerfile
- Build from a container
- Docker Hub automated builds
Namespace | Example |
---|---|
organization | redhat/kubernetes |
login (user name) | alice/application, bob/application |
role | devel/database, test/database, prod/database |
```
# docker container run --name busybox1 -it busybox
WARNING: IPv4 forwarding is disabled. Networking will not work.
/ #
/ #
/ # mkdir -p /data/html
/ # echo "<h1>www.ssjinyao.com</h1>" > /data/html/index.html
```
Leave the container running for now and open another terminal to build the image
```
# docker commit -p busybox1
# docker image ls
REPOSITORY               TAG                 IMAGE ID            CREATED             SIZE
<none>                   <none>              d5ab408117c0        8 seconds ago       1.16MB
redis                    4-alpine            db23f46600bc        2 weeks ago         30MB
nginx                    1.14-alpine-perl    a47b6006585d        2 weeks ago         51.6MB
busybox                  latest              e1ddd7948a1c        2 months ago        1.16MB
quay.io/coreos/flannel   v0.10.0-amd64       f0fad859c909        8 months ago        44.6MB
# Then give the image a tag
# docker tag d5ab408117c0 ssjinyao/httpd:v0.1.1-1
# docker image ls
REPOSITORY               TAG                 IMAGE ID            CREATED              SIZE
ssjinyao/httpd           v0.1.1-1            d5ab408117c0        About a minute ago   1.16MB
redis                    4-alpine            db23f46600bc        2 weeks ago          30MB
nginx                    1.14-alpine-perl    a47b6006585d        2 weeks ago          51.6MB
busybox                  latest              e1ddd7948a1c        2 months ago         1.16MB
quay.io/coreos/flannel   v0.10.0-amd64       f0fad859c909        8 months ago         44.6MB
# docker tag ssjinyao/httpd:v0.1.1-1 ssjinyao/httpd:latest
# docker image ls
REPOSITORY               TAG                 IMAGE ID            CREATED             SIZE
ssjinyao/httpd           latest              d5ab408117c0        3 minutes ago       1.16MB
ssjinyao/httpd           v0.1.1-1            d5ab408117c0        3 minutes ago       1.16MB
```
When one IMAGE ID has several tags, deleting a tag does not delete the image; as with a symbolic link, only the link is removed
```
# docker image rm ssjinyao/httpd:latest
Untagged: ssjinyao/httpd:latest
# docker image ls
REPOSITORY               TAG                 IMAGE ID            CREATED             SIZE
ssjinyao/httpd           v0.1.1-1            d5ab408117c0        5 minutes ago       1.16MB
redis                    4-alpine            db23f46600bc        2 weeks ago         30MB
nginx                    1.14-alpine-perl    a47b6006585d        2 weeks ago         51.6MB
busybox                  latest              e1ddd7948a1c        2 months ago        1.16MB
quay.io/coreos/flannel   v0.10.0-amd64       f0fad859c909        8 months ago        44.6MB
# docker tag ssjinyao/httpd:v0.1.1-1 ssjinyao/httpd:latest
# docker images
REPOSITORY               TAG                 IMAGE ID            CREATED             SIZE
ssjinyao/httpd           latest              d5ab408117c0        6 minutes ago       1.16MB
ssjinyao/httpd           v0.1.1-1            d5ab408117c0        6 minutes ago       1.16MB
redis                    4-alpine            db23f46600bc        2 weeks ago         30MB
nginx                    1.14-alpine-perl    a47b6006585d        2 weeks ago         51.6MB
busybox                  latest              e1ddd7948a1c        2 months ago        1.16MB
quay.io/coreos/flannel   v0.10.0-amd64       f0fad859c909        8 months ago        44.6MB
```
Building an image with a CMD instruction
```
# docker commit -a "ssjinyao" -c 'CMD ["/bin/httpd", "-f", "-h","/data/html"]' -p busybox1 ssjinyao/httpd:v0.1.1.1-2
# docker image ls
REPOSITORY               TAG                 IMAGE ID            CREATED             SIZE
ssjinyao/httpd           v0.1.1.1-2          0ec8103a1bb2        53 seconds ago      1.16MB
# docker run --name busybox2 ssjinyao/httpd:v0.1.1.1-2    # start a container from the image just created
# docker container ls
CONTAINER ID        IMAGE                       COMMAND                  CREATED             STATUS              PORTS               NAMES
27403687efa0        ssjinyao/httpd:v0.1.1.1-2   "/bin/httpd -f -h /d…"   30 seconds ago      Up 29 seconds                           busybox2
6373ae374a7a        redis:4-alpine              "docker-entrypoint.s…"   4 days ago          Up 4 days           6379/tcp            kvstor1
a5ffdd373b90        nginx:1.14-alpine-perl      "nginx -g 'daemon of…"   4 days ago          Up 4 days           80/tcp              web1
# docker inspect busybox2    # show container details
# curl 172.17.0.4
<h1>www.ssjinyao.com</h1>
```
Create an account on Docker Hub and create a REPOSITORY
```
# docker login -u ssjinyao
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
```
Pushing an image to hub.docker.com
```
# docker push ssjinyao/httpd
```
The uploaded image is now visible
Registry addresses commonly used in China
Create a REPOSITORY on the Alibaba Cloud Docker registry site
Upload the local image
```
# docker tag ssjinyao/httpd:v0.1.1.1-2 registry.cn-qingdao.aliyuncs.com/ssjinyao/httpd
# docker logout
Removing login credentials for https://index.docker.io/v1/
# docker login --username=ssjinyao registry.cn-qingdao.aliyuncs.com
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
# docker push registry.cn-qingdao.aliyuncs.com/ssjinyao/httpd
```
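What the "stored unencrypted" warning printed by both `docker login` calls means in practice, as an added example that is not part of the original notes: the `auth` value in config.json is only base64 of `user:password`. The sample file, its placeholder password and the `secretservice` helper entry are constructed for illustration.

```python
import base64
import json
import os
import stat

# Constructed sample of a config.json left behind by `docker login`; the
# password is a placeholder and the credential helper entry is an assumption.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": base64.b64encode(b"ssjinyao:EXAMPLE-PASSWORD").decode()
        },
        # Entry written when a credential helper holds the secret instead.
        "registry.cn-qingdao.aliyuncs.com": {},
    },
    "credHelpers": {"registry.cn-qingdao.aliyuncs.com": "secretservice"},
})


def find_plaintext_credentials(config_text):
    """Return [(registry, username)] for every login stored in the file.

    An "auth" value is base64("user:password"): an encoding, not encryption,
    so anyone able to read the file can recover the password.
    """
    config = json.loads(config_text)
    findings = []
    for registry, entry in config.get("auths", {}).items():
        blob = entry.get("auth")
        if not blob:
            continue  # nothing stored inline for this registry
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except ValueError:  # covers bad base64 and bad UTF-8
            findings.append((registry, "<undecodable auth value>"))
            continue
        findings.append((registry, decoded.partition(":")[0]))
    return findings


def readable_by_others(path):
    """True if group or other users have read permission on `path`."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    for registry, user in find_plaintext_credentials(SAMPLE_CONFIG):
        print(f"{registry}: password of {user!r} is recoverable from config.json")
```

Run `find_plaintext_credentials` on the real file's contents and `readable_by_others` on its path; an empty result from the first means a credential store or helper holds the secrets.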
Exporting and importing Docker images
```
# docker save -o ssjinyao-busybox-image.gz ssjinyao/httpd:v0.1.1.1-3 ssjinyao/httpd:v0.1.1.1-2
# Copy the image archive to another server
# scp ssjinyao-busybox-image.gz root@node2:/root/
ssjinyao-busybox-image.gz                     100% 1370KB  23.8MB/s   00:00
```
Import the image on the other server
```
# docker load -i ssjinyao-busybox-image.gz
f9d9e4e6e2f0: Loading layer  1.378MB/1.378MB
e6baf59e35e7: Loading layer  4.608kB/4.608kB
# docker image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ssjinyao/httpd      v0.1.1.1-3          cfa66f44c384        About an hour ago   1.16MB
ssjinyao/httpd      v0.1.1.1-2          3dc1b07020fd        About an hour ago   1.16MB
# docker run --name busybox ssjinyao/httpd:v0.1.1.1-2
# Open another terminal
# docker inspect busybox | grep "IPAddress"
            "SecondaryIPAddresses": null,
            "IPAddress": "172.17.0.2",
                    "IPAddress": "172.17.0.2",
# curl 172.17.0.2
<h1>www.ssjinyao.com</h1>
```
Managing virtualized networks
The six namespaces: UTS, User, Mount, IPC, Pid, Net;
The Linux kernel can emulate both layer-2 and layer-3 devices;
OVS: Open vSwitch;
```
# yum -y install bridge-utils
# brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.024288c640ef       no              veth5097b16
# ip link show    # shows the Docker virtual network interfaces
```
Starting two containers on the same server
```
# docker start 27403687efa0
# docker container run --name busybox3 -it ssjinyao/httpd:v0.1.1.1-3
# Check NAT-based communication between the two containers
# docker exec -it busybox2 /bin/sh
/ # wget -O - -q http://172.17.0.5
<h1>www.ssjinyao.com</h1>
```
{User,Mount,Pid}, {User,Mount,Pid} -> share {UTS,Net,IPC}
Letting a container use and manage the host's network namespace
```
# docker network inspect bridge
```
Managing network namespaces with ip
```
# yum -y install iproute
# ip netns help
Usage: ip netns list
       ip netns add NAME
       ip netns set NAME NETNSID
       ip [-all] netns delete [NAME]
       ip netns identify [PID]
       ip netns pids NAME
       ip [-all] netns exec [NAME] cmd ...
       ip netns monitor
       ip netns list-id
```
```
# ip netns add r1
# ip netns add r2
# ip netns exec r1 ifconfig -a
# ip link add name veth1.1 type veth peer name veth1.2
# ip link show | grep veth1
34: veth1.2@veth1.1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
35: veth1.1@veth1.2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
# ip link set dev veth1.2 netns r1    # move device veth1.2 into namespace r1
# ip netns exec r1 ifconfig -a
lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth1.2: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether da:2a:32:c9:1e:e2  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
# ip netns exec r1 ip link set dev veth1.2 name eth0    # rename veth1.2 inside the namespace to eth0
# ip netns exec r1 ifconfig -a
eth0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether da:2a:32:c9:1e:e2  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
# ifconfig veth1.1 10.1.0.1/24 up    # bring up interface veth1.1
# ip netns exec r1 ifconfig eth0 10.1.0.2/24 up    # bring up eth0 inside namespace r1
# ip netns exec r1 ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.1.0.2  netmask 255.255.255.0  broadcast 10.1.0.255
        inet6 fe80::d82a:32ff:fec9:1ee2  prefixlen 64  scopeid 0x20<link>
        ether da:2a:32:c9:1e:e2  txqueuelen 1000  (Ethernet)
        RX packets 8  bytes 648 (648.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 648 (648.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
# ping 10.1.0.2
PING 10.1.0.2 (10.1.0.2) 56(84) bytes of data.
64 bytes from 10.1.0.2: icmp_seq=1 ttl=64 time=0.945 ms
64 bytes from 10.1.0.2: icmp_seq=2 ttl=64 time=0.061 ms
# ip link set dev veth1.1 netns r2    # move veth1.1 into namespace r2
# ip netns exec r2 ifconfig veth1.1 10.1.0.3/24 up    # bring up veth1.1 inside namespace r2
# ip netns exec r2 ping 10.1.0.2    # from namespace r2, ping the IP address bound to eth0 in namespace r1
PING 10.1.0.2 (10.1.0.2) 56(84) bytes of data.
64 bytes from 10.1.0.2: icmp_seq=1 ttl=64 time=0.214 ms
64 bytes from 10.1.0.2: icmp_seq=2 ttl=64 time=0.080 ms
```
--rm: remove the container after it stops
```
# docker run --name t1 -it --network bridge -h www.ssjinyao.com --rm busybox:latest
/ # hostname
www.ssjinyao.com
/ # ping www.ssjinyao.com
PING www.ssjinyao.com (172.17.0.6): 56 data bytes
64 bytes from 172.17.0.6: seq=0 ttl=64 time=0.094 ms
--- www.ssjinyao.com ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.094/0.094/0.094 ms
/ # cat /etc/hosts
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.6      www.ssjinyao.com www
/ # cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain
nameserver 10.180.66.2
```
As long as a correct DNS server is configured, names resolve correctly
```
/ # nslookup -type=A nas.ssjinyao.com
Server:         10.180.66.2
Address:        10.180.66.2:53

Non-authoritative answer:
Name:   nas.ssjinyao.com
Address: 47.104.201.165
```
```
# docker run --name t1 -it --network bridge -h www.ssjinyao.com --dns 114.114.114.114 --dns 8.8.8.8 --rm busybox:latest
/ # cat /etc/resolv.conf
search localdomain
nameserver 114.114.114.114
nameserver 8.8.8.8
/ # hostname
www.ssjinyao.com
# docker run --name t1 -it --network bridge -h t1.ssjinyao.com --dns 114.114.114.114 --dns-search ssjinyao.com --add-host www.ssjinyao.com:1.1.1.1 --rm busybox:latest
/ # cat /etc/hosts
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
1.1.1.1 www.ssjinyao.com
172.17.0.6      t1.ssjinyao.com t1
```
Exposing a container's port
```
# docker run --name myweb --rm -p 80 ssjinyao/httpd:v0.1.1.1-2
# docker container ps
CONTAINER ID        IMAGE                       COMMAND                  CREATED             STATUS              PORTS                   NAMES
97212485437e        ssjinyao/httpd:v0.1.1.1-3   "/bin/httpd -f -h /d…"   4 minutes ago       Up 4 minutes        0.0.0.0:32773->80/tcp   myweb
```
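Opening inbound communication
Formats of the -p option
- -p <containerPort>: maps the given container port to a dynamic port on all host addresses;
- -p <hostPort>:<containerPort>: maps container port <containerPort> to the given host port <hostPort>;
- -p <ip>::<containerPort>: maps the given container port <containerPort> to a dynamic port on the given host <ip>;
- -p <ip>:<hostPort>:<containerPort>: maps the given container port <containerPort> to port <hostPort> on the given host <ip>.
```
# docker run --name myweb --rm -p 10.180.66.11:8080:80 ssjinyao/httpd:v0.1.1.1-3
# docker port myweb
80/tcp -> 10.180.66.11:8080
```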
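Which `-p` forms end up listening on every host interface, as the `0.0.0.0:32773->80/tcp` line above does, and which stay on one address: an added example, not part of the original notes. It goes slightly beyond the forms used above by also accepting a `/udp` suffix and bracketed IPv6 addresses; the function names are made up here and port ranges are not handled.

```python
import ipaddress


def parse_publish(spec):
    """Split one `docker run -p` value into bind address, ports and protocol.

    Supported forms: containerPort, hostPort:containerPort,
    ip::containerPort and ip:hostPort:containerPort, with an optional
    /tcp or /udp suffix and IPv6 addresses written in brackets.
    """
    body, _, proto = spec.partition("/")
    bracketed = body.startswith("[")
    host_ip = ""
    if bracketed:                       # [ipv6]:hostPort:containerPort
        host_ip, sep, body = body[1:].partition("]:")
        if not sep:
            raise ValueError(f"unterminated IPv6 address in {spec!r}")
    parts = body.split(":")
    if len(parts) == 3 and not bracketed:
        host_ip, host_port, container_port = parts
    elif len(parts) == 2:
        host_port, container_port = parts
    elif len(parts) == 1 and not bracketed:
        host_port, container_port = "", parts[0]
    else:
        raise ValueError(f"unsupported -p value: {spec!r}")
    if not container_port.isdigit() or (host_port and not host_port.isdigit()):
        raise ValueError(f"non-numeric port in {spec!r}")
    # Without an address, Docker publishes the port on every host interface.
    address = ipaddress.ip_address(host_ip) if host_ip else None
    return {
        "host_ip": str(address) if address else "0.0.0.0",
        "host_port": int(host_port) if host_port else None,  # None: dynamic
        "container_port": int(container_port),
        "proto": proto or "tcp",
        "all_interfaces": address is None or address.is_unspecified,
    }


def published_on_all_interfaces(specs):
    """Return the -p values that expose a container port on every interface."""
    return [s for s in specs if parse_publish(s)["all_interfaces"]]


if __name__ == "__main__":
    for value in ["80", "8080:80", "10.180.66.11::80", "10.180.66.11:8080:80"]:
        print(value, "->", parse_publish(value))
```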
Joined container
Sharing the network of container b1
```
# docker run --name b1 -it --rm busybox
# docker run --name b2 --network container:b1 -it --rm busybox
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:648 (648.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
/ # echo "Joined container" > /tmp/index.html
/ # httpd -h /tmp/
/ # netstat -tnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 :::80                   :::*                    LISTEN
/ # wget -O - -q 127.0.0.1
Joined container
```
Sharing the host's network
```
# docker run --name b2 --network host -it --rm busybox
/ #
/ # ifconfig
docker0   Link encap:Ethernet  HWaddr 02:42:88:C6:40:EF
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
          inet6 addr: fe80::42:88ff:fec6:40ef/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:347 errors:0 dropped:0 overruns:0 frame:0
          TX packets:371 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:35796 (34.9 KiB)  TX bytes:40247 (39.3 KiB)

ens33     Link encap:Ethernet  HWaddr 00:0C:29:F8:70:D5
          inet addr:10.180.66.11  Bcast:10.180.66.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fef8:70d5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:123421 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39524 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:81346864 (77.5 MiB)  TX bytes:8253033 (7.8 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:80 errors:0 dropped:0 overruns:0 frame:0
          TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:6944 (6.7 KiB)  TX bytes:6944 (6.7 KiB)
```
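A joined container and a host-network container both give up network isolation, which is why the second one sees docker0 and ens33 above. The added example below (not part of the original notes) reads `docker inspect` JSON and reports which containers share a namespace with another container or with the host. The sample JSON is constructed and trimmed, the IDs are made up, and "b3" is a hypothetical name for the host-network container.

```python
import json

# HostConfig fields in `docker inspect` output and the namespace each controls.
NS_FIELDS = {"NetworkMode": "Net", "PidMode": "PID", "IpcMode": "IPC", "UTSMode": "UTS"}

B1_ID = "1f3a" * 16  # constructed 64-character container ID

# Constructed, trimmed `docker inspect` output for three containers: a default
# bridge container, one joined to it, and one on the host network.
SAMPLE_INSPECT = json.dumps([
    {"Id": B1_ID, "Name": "/b1",
     "HostConfig": {"NetworkMode": "default", "PidMode": "",
                    "IpcMode": "private", "UTSMode": ""}},
    {"Id": "9c0d" * 16, "Name": "/b2",
     "HostConfig": {"NetworkMode": "container:" + B1_ID, "PidMode": "",
                    "IpcMode": "private", "UTSMode": ""}},
    {"Id": "77e2" * 16, "Name": "/b3",
     "HostConfig": {"NetworkMode": "host", "PidMode": "",
                    "IpcMode": "private", "UTSMode": ""}},
])


def shared_namespaces(inspect_text):
    """Map each container name to [(namespace, shared_with), ...]."""
    containers = json.loads(inspect_text)
    names = {c["Id"]: c["Name"].lstrip("/") for c in containers}

    def resolve(ref):
        # A "container:<ref>" mode may hold a full ID, an ID prefix or a name.
        for cid, name in names.items():
            if ref and (ref == name or cid.startswith(ref)):
                return name
        return ref  # target is not part of this inspect output

    report = {}
    for c in containers:
        found = []
        for field, ns in NS_FIELDS.items():
            mode = c.get("HostConfig", {}).get(field) or ""
            if mode == "host":
                found.append((ns, "host"))
            elif mode.startswith("container:"):
                found.append((ns, resolve(mode.split(":", 1)[1])))
        report[c["Name"].lstrip("/")] = found
    return report


if __name__ == "__main__":
    for name, shares in shared_namespaces(SAMPLE_INSPECT).items():
        print(name, shares or "fully isolated namespaces")
```

On a live host, feed it the output of `docker inspect` for the running containers.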
Changing the IP address of the docker0 bridge
```
# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "bip": "10.0.0.1/16",
  "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
}
# ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 10.0.0.1  netmask 255.255.0.0  broadcast 10.0.255.255
        inet6 fe80::42:88ff:fec6:40ef  prefixlen 64  scopeid 0x20<link>
        ether 02:42:88:c6:40:ef  txqueuelen 0  (Ethernet)
        RX packets 347  bytes 35796 (34.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 371  bytes 40247 (39.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
# docker -H 10.180.66.11:2375 image ls
```
Creating a bridge
```
# docker network create -d bridge --subnet "172.26.0.0/16" --gateway "172.26.0.1" mbr0
# ifconfig
br-76b59a5dfce3: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.26.0.1  netmask 255.255.0.0  broadcast 172.26.255.255
        ether 02:42:ea:15:d6:9e  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
# ip link set dev br-76b59a5dfce3 name docker1
RTNETLINK answers: Device or resource busy
# ifconfig br-76b59a5dfce3 down
# ifconfig docker1 up
# ifconfig docker1 down
# After the rename, Docker by default can no longer find the docker1 virtual interface
# ip link set dev docker1 name br-76b59a5dfce3
# docker run --name t1 -it --net mbr0 busybox:latest
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:1A:00:02
          inet addr:172.26.0.2  Bcast:172.26.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:258 (258.0 B)  TX bytes:0 (0.0 B)
```
Customizing the network properties of the docker0 bridge: the /etc/docker/daemon.json file
```
{
  "bip": "192.168.1.5/24",
  "fixed-cidr": "10.20.0.0/16",
  "fixed-cidr-v6": "2001:db8::/64",
  "mtu": 1500,
  "default-gateway": "10.20.1.1",
  "default-gateway-v6": "2001:db8:abcd::89",
  "dns": ["10.20.1.2", "10.20.1.3"]
}
```
The Docker daemon follows a client/server model. By default it listens on a Unix socket address, /var/run/docker.sock; to use a TCP socket, set the following in /etc/docker/daemon.json:
```
"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
```
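With `tcp://0.0.0.0:2375` in `hosts`, the daemon answers API calls such as the `docker -H 10.180.66.11:2375 image ls` shown earlier without any authentication, on every interface. The added example below (not part of the original notes) audits a daemon.json for that setting and for non-HTTPS registry mirrors, next to a hardened counterpart. The hardened file is constructed: its certificate paths are placeholders, and port 2376 is only the conventional TLS port.

```python
import json
from urllib.parse import urlsplit

# The daemon.json used in these notes: the weak setting.
WEAK_CONFIG = """{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "bip": "10.0.0.1/16",
  "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
}"""

# Constructed hardened counterpart; certificate paths are placeholders.
HARDENED_CONFIG = """{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "bip": "10.0.0.1/16",
  "hosts": ["tcp://10.180.66.11:2376", "unix:///var/run/docker.sock"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}"""

TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(text):
    """Return [(finding, value)] for risky API listeners and mirrors."""
    cfg = json.loads(text)
    # tlsverify plus CA, certificate and key means a client must present a
    # certificate signed by that CA before the API answers.
    mutual_tls = cfg.get("tlsverify") is True and all(cfg.get(k) for k in TLS_KEYS)
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// sockets are local and guarded by file permissions
        if not mutual_tls:
            findings.append(("tcp-api-without-client-cert-auth", host))
        if url.hostname in (None, "0.0.0.0", "::"):
            findings.append(("api-listens-on-all-interfaces", host))
    for mirror in cfg.get("registry-mirrors", []):
        if urlsplit(mirror).scheme != "https":
            findings.append(("registry-mirror-not-https", mirror))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_daemon_config(text) or "no findings")
```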