Basic setup and configuration of Docker containers
1. Docker compared with OpenStack
2. What can Docker do?
3. What has Docker changed?
For product: product interaction
For development: simplified environment setup
For testing: multi-version testing
For operations: environment consistency
For architecture: automated scaling (microservices)
4. Installing Docker
[root@linux-node2 ~]# yum install -y docker
[root@linux-node2 ~]# systemctl start docker
[root@linux-node2 ~]# docker pull centos
Using default tag: latest
Trying to pull repository docker.io/library/centos ...
latest: Pulling from docker.io/library/centos
af4b0a2388c6: Pull complete
Digest: sha256:2671f7a3eea36ce43609e9fe7435ade83094291055f1c96d9d1d1d7c0b986a5d
5. Docker image management
5.1 Listing images
[root@linux-node2 ~]# docker images
REPOSITORY         TAG      IMAGE ID       CREATED        SIZE
docker.io/centos   latest   ff426288ea90   16 hours ago   207.2 MB
5.2 Exporting an image
[root@linux-node2 ~]# docker save centos > /opt/Centos.tar.gz
5.3 Importing an image
[root@linux-node2 ~]# docker load < /opt/Centos.tar.gz
5.4 Deleting an image
[root@linux-node2 ~]# docker rmi ff426288ea90
5.5 Creating and starting a container
[root@linux-node2 ~]# docker run centos /bin/echo "hello world"
hello world
[root@linux-node2 ~]#
Start a container and get an interactive shell inside it:
[root@linux-node2 ~]# docker run --name mydocker -t -i centos /bin/bash
[root@aff216047fcf /]#
[root@aff216047fcf /]# exit
exit
After exiting, the container is in the Exited state. So how do you start a stopped container?
[root@linux-node2 ~]# docker ps -a
CONTAINER ID   IMAGE    COMMAND                  CREATED          STATUS                      PORTS   NAMES
163cde815719   centos   "/bin/bash"              5 minutes ago    Exited (0) 3 minutes ago            mydockera
aff216047fcf   centos   "/bin/bash"              7 minutes ago    Exited (0) 6 minutes ago            mydocker
ff2af6544380   centos   "/bin/echo 'hello wor"   10 minutes ago   Exited (0) 10 seconds ago           stoic_feynman
[root@linux-node2 ~]#
5.6 Starting a container
[root@linux-node2 ~]# docker start ff2af6544380
ff2af6544380
Check:
[root@linux-node2 ~]# docker ps
CONTAINER ID   IMAGE    COMMAND       CREATED         STATUS          PORTS   NAMES
aff216047fcf   centos   "/bin/bash"   9 minutes ago   Up 31 seconds           mydocker
[root@linux-node2 ~]#
5.7 Re-entering a container
[root@linux-node2 ~]# docker attach aff216047fcf
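When you exit from this command the container still stops, so the following command is recommended instead: nsenter. If it is not installed, run yum install util-linux.
First look up the container's PID:
[root@linux-node2 ~]# docker inspect --format "{{.State.Pid}}" aff216047fcf
3702
[root@linux-node2 ~]#
Enter the container's namespaces (-u UTS, -i IPC, -n network, -p PID; the mount namespace is not entered because -m is not given, so the filesystem you see is still the host's):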
[root@linux-node2 ~]# nsenter -t 3702 -u -i -n -p
5.8 A script for entering a container
[root@linux-node2 ~]# cat ns.sh
#!/bin/sh
# Enter the namespaces of the container given as $1 (name or ID).
PID=$(docker inspect --format "{{.State.Pid}}" "$1")
nsenter -t "$PID" -u -i -n -p
Test it (it works):
[root@linux-node2 ~]# ./ns.sh 163cde815719
[root@163cde815719 ~]#
[root@163cde815719 ~]#
[root@163cde815719 ~]# ifconfig
5.9 Deleting containers
[root@linux-node2 ~]# docker ps -a
CONTAINER ID   IMAGE    COMMAND                  CREATED          STATUS                      PORTS   NAMES
163cde815719   centos   "/bin/bash"              23 minutes ago   Up 10 minutes                       mydockera
aff216047fcf   centos   "/bin/bash"              24 minutes ago   Up 8 minutes                        mydocker
ff2af6544380   centos   "/bin/echo 'hello wor"   28 minutes ago   Exited (0) 17 minutes ago           stoic_feynman
[root@linux-node2 ~]# docker rm ff2af6544380
ff2af6544380
[root@linux-node2 ~]#
Either the name or the ID can be given to docker rm. To delete a running container, add -f.
For a quick experiment, the container can be deleted automatically as soon as the test finishes:
[root@linux-node2 ~]# docker run --rm centos /bin/echo "hehe"
hehe
[root@linux-node2 ~]#
Kill all running containers:
[root@linux-node2 ~]# docker kill $(docker ps -q)
6. Docker networking and storage
6.1 Networking
Looking at iptables shows a number of rules; Docker created them automatically.
[root@linux-node2 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 360 packets, 24880 bytes)
 pkts bytes target            prot opt in       out       source      destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target            prot opt in       out       source      destination
   19  4036 DOCKER-ISOLATION  all  --  *        *         0.0.0.0/0   0.0.0.0/0
   10  1326 DOCKER            all  --  *        docker0   0.0.0.0/0   0.0.0.0/0
    0     0 ACCEPT            all  --  *        docker0   0.0.0.0/0   0.0.0.0/0    ctstate RELATED,ESTABLISHED
    9  2710 ACCEPT            all  --  docker0  !docker0  0.0.0.0/0   0.0.0.0/0
    0     0 ACCEPT            all  --  docker0  docker0   0.0.0.0/0   0.0.0.0/0
Chain OUTPUT (policy ACCEPT 340 packets, 23116 bytes)
 pkts bytes target            prot opt in       out       source      destination
Chain DOCKER (1 references)
 pkts bytes target            prot opt in       out       source      destination
   10  1326 ACCEPT            tcp  --  !docker0 docker0   0.0.0.0/0   172.17.0.4   tcp dpt:80
Chain DOCKER-ISOLATION (1 references)
 pkts bytes target            prot opt in       out       source      destination
   19  4036 RETURN            all  --  *        *         0.0.0.0/0   0.0.0.0/0
[root@linux-node2 ~]#
Looking at the bridge ports shows docker0, which is used for address translation:
[root@linux-node2 ~]# brctl show
bridge name   bridge id           STP enabled   interfaces
docker0       8000.0242fce799ba   no            vetha4cea7d
                                                vethc44c41e
                                                vethee5c44a
[root@linux-node2 ~]#
Now let's download an nginx image and run it:
[root@linux-node2 ~]# docker run -d -P nginx
abbce8ddf4a0d34da163228d33316054efb214726f24cc32e37106b8260ee250
Checking the container shows a port mapping:
[root@linux-node2 ~]# docker ps -a -l
CONTAINER ID   IMAGE   COMMAND                  CREATED         STATUS         PORTS                   NAMES
abbce8ddf4a0   nginx   "nginx -g 'daemon off"   5 minutes ago   Up 5 minutes   0.0.0.0:32768->80/tcp   tender_brown
[root@linux-node2 ~]#
Port 32768 on the physical host is mapped to port 80 in the container, so the container's port 80 can be reached directly through port 32768 on the host. Just open it in a browser.
View the nginx container's logs:
[root@linux-node2 ~]# docker logs abbce8ddf4a0
192.168.57.1 - - [09/Jan/2018:13:54:12 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" "-"
2018/01/09 13:54:13 [error] 6#6: *1 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.168.57.1, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "192.168.57.145:32768", referrer: "http://192.168.57.145:32768/"
192.168.57.1 - - [09/Jan/2018:13:54:13 +0000] "GET /favicon.ico HTTP/1.1" 404 571 "http://192.168.57.145:32768/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" "-"
[root@linux-node2 ~]#
Start a container with a specified port:
[root@linux-node2 ~]# docker run -d -p 81:80 nginx
b74843b3027b7a5b8c50b4ca936f504284f4f3389eb5a4058ab773fe0fa61703
[root@linux-node2 ~]# docker ps -a
CONTAINER ID   IMAGE   COMMAND                  CREATED          STATUS          PORTS                NAMES
b74843b3027b   nginx   "nginx -g 'daemon off"   29 seconds ago   Up 28 seconds   0.0.0.0:81->80/tcp   boring_cori
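The PORTS column above shows 0.0.0.0:32768->80/tcp and 0.0.0.0:81->80/tcp, which means both containers are reachable on every interface of the host. The following added example (not part of the original post) is a small audit that reads the output of docker ps --format '{{.Names}}\t{{.Ports}}' and lists such wildcard bindings; the sample rows are constructed from the containers above plus two made-up rows (local_only and a container without ports).

```bash
#!/bin/sh
# Added example: report published container ports bound to all host interfaces.
# Real use:  docker ps --format '{{.Names}}\t{{.Ports}}' | audit_published_ports

audit_published_ports() {
    awk -F'\t' '
    {
        n = split($2, maps, ", *")
        for (i = 1; i <= n; i++) {
            # Only "host->container" entries are published; a bare "80/tcp" is not.
            if (maps[i] !~ /->/) continue
            split(maps[i], side, "->")
            addr = side[1]; sub(/:[0-9-]+$/, "", addr)   # bind address
            port = side[1]; sub(/^.*:/, "", port)        # host port or range
            if (addr == "0.0.0.0" || addr == "::" || addr == "[::]")
                printf "%s %s:%s -> %s\n", $1, addr, port, side[2]
        }
    }'
}

# Constructed sample input in the "<name><TAB><ports>" format.
sample_ps() {
    printf 'tender_brown\t0.0.0.0:32768->80/tcp\n'
    printf 'boring_cori\t0.0.0.0:81->80/tcp, :::81->80/tcp\n'
    printf 'local_only\t127.0.0.1:8080->80/tcp\n'
    printf 'mydocker\t\n'
}

sample_ps | audit_published_ports
```

Publishing with an explicit address, for example -p 127.0.0.1:81:80, binds the port to loopback only and keeps it off the other interfaces.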
6.2 Storage
[root@linux-node2 ~]# docker run -it --name volume-test1 -v /data centos
[root@8dc9ad7c51cd /]# exit
[root@linux-node2 ~]# docker start volume-test1
volume-test1
So where is the actual directory behind /data?
[root@linux-node2 volumes]# docker inspect 8dc9ad7c51cd | grep vo
"Name": "/volume-test1",
"Source": "/var/lib/docker/volumes/5f244be1ff275a48a1340fb7ba5c900af93f13437501782fc3cddd0b87205a0a/_data",
Storing in a specified host directory:
[root@linux-node2 ~]# docker run -it -v /opt:/opt centos
[root@62dd07fa9e89 /]# cd /opt/
[root@62dd07fa9e89 opt]# ls
12 3
Specifying permissions:
[root@linux-node2 ~]# docker run -it -v /opt:/opt:rw centos
Mounting a single file:
[root@linux-node2 ~]# docker run -it -v ~/.bash_history:/.bash_history centos
[root@eec4bf3bf27b /]# history
1 history
Creating a data volume container:
[root@linux-node2 ~]# docker run -it --name nfs -v /liang centos
[root@0c19548680c1 /]# cd /liang/
[root@0c19548680c1 liang]# ls
[root@0c19548680c1 liang]# touch 1 2 3
Start another container that uses the volumes of the nfs container:
[root@linux-node2 ~]# docker run -it --name test1 --volumes-from nfs centos
[root@a6776a77f307 /]# cd /liang/
[root@a6776a77f307 liang]# ls
[root@a6776a77f307 liang]# ls
1 2 3
The data is exactly the same.
7. Building an image manually
First create a container to work in:
[root@linux-node2 ~]# docker run --name mynginx -it centos
Install the EPEL repository:
rpm -ivh https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
Retrieving https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
warning: /var/tmp/rpm-tmp.Oyyp8w: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:epel-release-7-11                ################################# [100%]
[root@452845b5abbc /]#
Install nginx:
[root@452845b5abbc /]# yum install -y nginx
Exit once the installation has finished.
Now commit the mynginx container as an image:
[root@linux-node2 ~]# docker ps -a
CONTAINER ID   IMAGE    COMMAND       CREATED         STATUS         PORTS   NAMES
452845b5abbc   centos   "/bin/bash"   7 minutes ago   Up 7 minutes           mynginx
a6776a77f307   centos   "/bin/bash"   10 days ago     Up 10 days             test1
0c19548680c1   centos   "/bin/bash"   10 days ago     Up 10 days             nfs
[root@linux-node2 ~]#
Commit it:
[root@linux-node2 ~]# docker commit -m "my nginx" 452845b5abbc liang/nginx:v1
sha256:33d3217a7f4dc78dee66c0ead7ac9fbce2ab8dfebf745b3fcb4dd0e840344f8f
Check:
[root@linux-node2 ~]# docker images
REPOSITORY         TAG      IMAGE ID       CREATED         SIZE
liang/nginx        v1       33d3217a7f4d   5 seconds ago   383.5 MB
docker.io/centos   latest   ff426288ea90   11 days ago     207.2 MB
docker.io/nginx    latest   3f8a4339aadd   3 weeks ago     108.5
Start an instance from it:
[root@linux-node2 ~]# docker run -it --name nginxv1 liang/nginx:v1
[root@bd04f3ff82fd /]#
Change nginx so that it runs in the foreground instead of in the background.
Add this line to /etc/nginx/nginx.conf:
daemon off;
After saving and exiting, commit again as v2:
[root@linux-node2 ~]# docker commit -m "my nginx" bd04f3ff82fd liang/nginx:v2
Check again:
[root@linux-node2 ~]# docker images
REPOSITORY         TAG      IMAGE ID       CREATED          SIZE
liang/nginx        v2       25462eee67e5   38 seconds ago   383.5 MB
liang/nginx        v1       33d3217a7f4d   8 minutes ago    383.5 MB
docker.io/centos   latest   ff426288ea90   11 days ago      207.2 MB
docker.io/nginx    latest   3f8a4339aadd   3 weeks ago      108.5 MB
Create an nginx container:
[root@linux-node2 ~]# docker run -d -p 82:80 liang/nginx:v2 nginx
636384eef62fdb1d1114463a3e42a37c483de67c50c5c001759f78718026a466
Check that the port is listening:
[root@linux-node2 ~]# netstat -ntlp | grep 82
tcp6       0      0 :::82       :::*        LISTEN      9370/docker-proxy-c
Check the port mapping:
CONTAINER ID   IMAGE            COMMAND   CREATED         STATUS         PORTS                NAMES
636384eef62f   liang/nginx:v2   "nginx"   3 minutes ago   Up 3 minutes   0.0.0.0:82->80/tcp   tender_newton
Access it.
8. Building an image from a Dockerfile
Parts of a Dockerfile
1. Base image information
2. Maintainer information
3. Image build instructions
4. Instructions executed when the container starts
Some Dockerfile instructions
I wrote the following Dockerfile (the file must be named Dockerfile):
# This docker file
# version v1
# Author: Jack Ben
# base image
FROM centos
#Maintainer
MAINTAINER Jack Ben 1249648969@qq.com
#Commands
RUN rpm -ivh https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
RUN yum install -y nginx
ADD index.html /usr/share/nginx/html/index.html
RUN echo "daemon off;" >> /etc/nginx/nginx.conf
EXPOSE 80
CMD ["nginx"]
Then create an index.html file.
In the HTML I just wrote the word liang.
Then build:
[root@linux-node2 nginx]# docker build -t liang/nginx:v3 /opt/dockerfile/nginx/
Sending build context to Docker daemon 3.072 kB
Step 1 : FROM centos
 ---> ff426288ea90
Step 2 : MAINTAINER Jack Ben 1249648969@qq.com
 ---> Running in 9a5228ce9abe
 ---> 843b36998cfc
Removing intermediate container 9a5228ce9abe
Step 3 : RUN rpm -ivh https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
 ---> Running in aac89d88eebd
warning: /var/tmp/rpm-tmp.N81GVD: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Step 8 : CMD nginx
 ---> Running in 9175930b81ac
 ---> c284589102ad
Removing intermediate container 9175930b81ac
Check the images (there is now a v3):
[root@linux-node2 nginx]# docker images
REPOSITORY         TAG      IMAGE ID       CREATED          SIZE
liang/nginx        v3       c284589102ad   18 seconds ago   403.5 MB
liang/nginx        v2       25462eee67e5   3 hours ago      383.5 MB
liang/nginx        v1       33d3217a7f4d   3 hours ago      383.5 MB
docker.io/centos   latest   ff426288ea90   11 days ago      207.2 MB
docker.io/nginx    latest   3f8a4339aadd   3 weeks ago      108.5 MB
[root@linux-node2 nginx]#
Now start a container:
[root@linux-node2 nginx]# docker run -d -p 83:80 liang/nginx:v3
f89a8f08223a3b3b85f1de19bfa1cd5258cf01750908075540fcbfd02856b879
Access it.
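The Dockerfile above builds from an untagged base image, installs an RPM straight from a URL (the build log shows rpm's NOKEY warning, meaning the package signature was not checked against an imported key) and never sets a user. The following added example (not part of the original post) is a small awk-based check for exactly these patterns; the function names are hypothetical and the embedded sample is the Dockerfile from this section without its comments and e-mail address.

```bash
#!/bin/sh
# Added example: flag supply-chain and privilege issues in a Dockerfile on stdin.
# Real use:  lint_dockerfile < /opt/dockerfile/nginx/Dockerfile

lint_dockerfile() {
    awk '
    { kw = toupper($1) }
    kw == "FROM" {
        img = ($2 ~ /^--/) ? $3 : $2        # skip a --platform=... flag
        name = img; sub(/^.*\//, "", name)  # drop registry host:port and path
        if (img !~ /@sha256:/ && (name !~ /:/ || name ~ /:latest$/))
            print NR ": FROM " img " is not pinned to a tag or digest"
    }
    kw == "RUN" && $0 ~ "rpm .*https?://" {
        print NR ": RUN installs an RPM straight from a URL; import the signing key and verify it first"
    }
    kw == "ADD"  { print NR ": ADD used for a local file; COPY does the same without URL/archive handling" }
    kw == "USER" { has_user = 1 }
    END { if (!has_user) print "no USER instruction: the container process starts as root" }
    '
}

# Sample input: the Dockerfile from this section.
page_dockerfile() {
cat <<'EOF'
FROM centos
MAINTAINER Jack Ben
RUN rpm -ivh https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
RUN yum install -y nginx
ADD index.html /usr/share/nginx/html/index.html
RUN echo "daemon off;" >> /etc/nginx/nginx.conf
EXPOSE 80
CMD ["nginx"]
EOF
}

page_dockerfile | lint_dockerfile
```

Pinning the base image by the digest that docker pull prints (FROM centos@sha256:...) makes every rebuild start from the same bytes.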
9. Building a private registry
[root@linux-node2 nginx]# docker pull registry
Using default tag: latest
Trying to pull repository docker.io/library/registry ...
latest: Pulling from docker.io/library/registry
81033e7c1d6a: Pull complete
b235084c2315: Pull complete
c692f3a6894b: Pull complete
ba2177f3a70e: Pull complete
a8d793620947: Pull complete
Digest: sha256:672d519d7fd7bbc7a448d17956ebeefe225d5eb27509d8dc5ce67ecb4a0bce54
[root@linux-node2 nginx]# docker images
REPOSITORY           TAG      IMAGE ID       CREATED          SIZE
liang/nginx          v3       c284589102ad   51 minutes ago   403.5 MB
liang/nginx          v2       25462eee67e5   4 hours ago      383.5 MB
liang/nginx          v1       33d3217a7f4d   4 hours ago      383.5 MB
docker.io/registry   latest   d1fd7d86a825   10 days ago      33.26 MB
docker.io/centos     latest   ff426288ea90   11 days ago      207.2 MB
docker.io/nginx      latest   3f8a4339aadd   3 weeks ago      108.5 MB
[root@linux-node2 nginx]#
[root@linux-node2 ~]# docker run -d -p 5000:5000 -v /opt/data/registry:/tmp/registry registry
8b322df3b705ea0716201182df022123207d0d575205da6822079b8b15bb3227
First tag the image:
[root@linux-node2 ~]# docker tag liang/nginx:v3 192.168.57.145:5000/liang/nginx:latest
Next, add HTTPS.
Because push uses HTTPS, we need a CA certificate. Install nginx on the host:
yum install nginx
Create docker-registry.conf in /etc/nginx/conf.d
with the following content:
upstream docker-registry {
    server 127.0.0.1:5000;
}
server {
    listen 443 ssl;
    server_name linux-node2;
    ssl_certificate /etc/ssl/nginx.crt;
    ssl_certificate_key /etc/ssl/nginx.key;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    # No limit on the request body, so large image layers can be uploaded.
    client_max_body_size 0;
    chunked_transfer_encoding on;
    location / {
        auth_basic "Docker";
        auth_basic_user_file /etc/nginx/conf.d/docker-registry.htpasswd;
        # Forward to the upstream defined above (the registry on 127.0.0.1:5000).
        proxy_pass http://docker-registry;
    }
    location /_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }
    location /v1/_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }
}
Set up the CA:
[root@linux-node2 conf.d]# cd /etc/pki/CA/
[root@linux-node2 CA]# touch ./{serial,index.txt}
[root@linux-node2 CA]# echo "00" > serial
Generate the root certificate:
[root@linux-node2 CA]# openssl genrsa -out private/cakey.pem 2048
[root@linux-node2 CA]# openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:liang
Organizational Unit Name (eg, section) []:docker
Common Name (eg, your name or your server's hostname) []:linux-node2
Email Address []:admin@linux-node2
Generate the nginx certificate:
[root@linux-node2 CA]# cd /etc/ssl/
[root@linux-node2 ssl]# openssl genrsa -out nginx.key 2048
[root@linux-node2 ssl]# openssl req -new -key nginx.key -out nginx.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:liang
Organizational Unit Name (eg, section) []:docker
Common Name (eg, your name or your server's hostname) []:linux-node2
Email Address []:admin@linux-node2
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the certificate:
[root@linux-node2 ssl]# openssl ca -in nginx.csr -days 3650 -out nginx.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 0 (0x0)
    Validity
        Not Before: Jan 20 06:59:26 2018 GMT
        Not After : Jan 18 06:59:26 2028 GMT
    Subject:
        countryName = CN
        stateOrProvinceName = beijing
        organizationName = liang
        organizationalUnitName = docker
        commonName = linux-node2
        emailAddress = admin@linux-node2
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            E4:03:41:79:8A:0D:51:04:84:71:94:26:4D:39:EF:C2:37:04:BC:F5
        X509v3 Authority Key Identifier:
            keyid:72:3C:AD:5E:4F:E7:DB:FD:07:42:B7:65:C2:F8:C9:DF:9E:DB:4C:92
Certificate is to be certified until Jan 18 06:59:26 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Make the system trust the certificate:
[root@linux-node2 ssl]# cat /etc/pki/CA/cacert.pem >>/etc/pki/tls/certs/ca-bundle.crt
Create a login user:
[root@linux-node2 ssl]# htpasswd -c /etc/nginx/conf.d/docker-registry.htpasswd liang
New password:
Re-type new password:
Adding password for user liang
[root@linux-node2 ssl]#
Start nginx (if there is an error, check the log file /var/log/nginx/error.log):
[root@linux-node2 ssl]# systemctl start nginx
[root@linux-node2 ssl]#
Push to the registry. The output below shows the push being refused: the image is tagged for 192.168.57.145:5000, where the registry container answers in plain HTTP, while the Docker client expects HTTPS. To go through the nginx TLS proxy, the image has to be tagged with the proxy's address (linux-node2, the certificate's Common Name) rather than port 5000.
[root@linux-node2 ssl]# docker push 192.168.57.145:5000/liang/nginx:latest
The push refers to a repository [192.168.57.145:5000/liang/nginx]
Get https://192.168.57.145:5000/v1/_ping: http: server gave HTTP response to HTTPS client
Check:
[root@linux-node2 ssl]# docker images
REPOSITORY                         TAG      IMAGE ID       CREATED       SIZE
192.168.57.145:5000/liang/nginx    latest   c284589102ad   2 hours ago   403.5 MB
liang/nginx                        v3       c284589102ad   2 hours ago   403.5 MB
liang/nginx                        v2       25462eee67e5   5 hours ago   383.5 MB
liang/nginx                        v1       33d3217a7f4d   5 hours ago   383.5 MB
docker.io/busybox                  latest   f9b6f7f7b9d3   4 days ago    1.143 MB
docker.io/registry                 latest   d1fd7d86a825   10 days ago   33.26 MB
docker.io/centos                   latest   ff426288ea90   11 days ago   207.2 MB
docker.io/nginx                    latest   3f8a4339aadd   3 weeks ago   108.5 MB