Basic Setup and Configuration of Docker Containers

Author: print("") Category: linux Published: 2018-04-13 14:27



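1. Docker compared with OpenStack

2. What can Docker do?

3. What has Docker changed?

For product: product interaction

For development: simplified environment setup

For testing: multi-version testing

For operations: environment consistency

For architecture: automated scaling (microservices)

4. Installing Docker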

[root@linux-node2 ~]# yum install -y docker
[root@linux-node2 ~]# systemctl start docker
[root@linux-node2 ~]# docker pull centos
Using default tag: latest
Trying to pull repository docker.io/library/centos ...
 latest: Pulling from docker.io/library/centos
af4b0a2388c6: Pull complete 
Digest: sha256:2671f7a3eea36ce43609e9fe7435ade83094291055f1c96d9d1d1d7c0b986a5d

5. Docker image management

5.1 Listing images

[root@linux-node2 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
docker.io/centos    latest              ff426288ea90        16 hours ago        207.2 MB

5.2 Exporting an image

[root@linux-node2 ~]# docker save centos >/opt/Centos.tar.gz

5.3 Importing an image

[root@linux-node2 ~]# docker load < /opt/Centos.tar.gz

5.4 Deleting an image

[root@linux-node2 ~]# docker rmi ff426288ea90



5.5 Creating and starting a container


[root@linux-node2 ~]# docker run centos /bin/echo "hello world"
hello world
[root@linux-node2 ~]#

Enter the container

[root@linux-node2 ~]# docker run --name mydocker -t -i centos /bin/bash
[root@aff216047fcf /]#
[root@aff216047fcf /]# exit
exit

After you exit, the container is in the Exited state. So how do you start a stopped container?

[root@linux-node2 ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS               NAMES
163cde815719        centos              "/bin/bash"              5 minutes ago       Exited (0) 3 minutes ago                        mydockera
aff216047fcf        centos              "/bin/bash"              7 minutes ago       Exited (0) 6 minutes ago                        mydocker
ff2af6544380        centos              "/bin/echo 'hello wor"   10 minutes ago      Exited (0) 10 seconds ago                       stoic_feynman
[root@linux-node2 ~]#

5.6 Starting a container

[root@linux-node2 ~]# docker start ff2af6544380
ff2af6544380


Check

[root@linux-node2 ~]# docker ps 
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
aff216047fcf        centos              "/bin/bash"         9 minutes ago       Up 31 seconds                           mydocker
[root@linux-node2 ~]#

5.7 Re-entering a container

[root@linux-node2 ~]# docker attach aff216047fcf

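With this command the container still stops once you exit, so the following command is recommended instead:

nsenter (if the command is missing: yum install util-linux)

First, find the container's PID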

[root@linux-node2 ~]# docker inspect --format "{{.State.Pid}}" aff216047fcf
3702
[root@linux-node2 ~]#

Enter

[root@linux-node2 ~]# nsenter -t 3702 -u -i -n -p

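5.8 A script for entering a container

[root@linux-node2 ~]# cat ns.sh 
#!/bin/sh
# Usage: ./ns.sh <container name or ID>
# Look up the host PID of the container's first process
PID=$(docker inspect --format "{{.State.Pid}}" "$1")
# Enter that process's UTS, IPC, network and PID namespaces
nsenter -t "$PID" -u -i -n -p

Test it (works)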

[root@linux-node2 ~]# ./ns.sh 163cde815719
[root@163cde815719 ~]# 
[root@163cde815719 ~]# 
[root@163cde815719 ~]# ifconfig

5.9 Deleting a container

[root@linux-node2 ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS               NAMES
163cde815719        centos              "/bin/bash"              23 minutes ago      Up 10 minutes                                   mydockera
aff216047fcf        centos              "/bin/bash"              24 minutes ago      Up 8 minutes                                    mydocker
ff2af6544380        centos              "/bin/echo 'hello wor"   28 minutes ago      Exited (0) 17 minutes ago                       stoic_feynman
[root@linux-node2 ~]# docker rm ff2af6544380  (either the name or the ID can be used)
(to delete a running container, add -f)
ff2af6544380
[root@linux-node2 ~]# 

For a quick experiment, the container can be removed as soon as the test finishes

[root@linux-node2 ~]# docker run --rm centos /bin/echo "hehe"
hehe
[root@linux-node2 ~]#

Kill all running containers

[root@linux-node2 ~]# docker kill $(docker ps -q)

6. Docker networking and storage

6.1 Networking

Looking at iptables, you will find quite a few rules. Docker creates them automatically.

[root@linux-node2 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 360 packets, 24880 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   19  4036 DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   10  1326 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    9  2710 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 340 packets, 23116 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   10  1326 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.4           tcp dpt:80

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   19  4036 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
[root@linux-node2 ~]#

Looking at the bridge ports, there is a docker0 doing address translation

[root@linux-node2 ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.0242fce799ba       no              vetha4cea7d
                                                        vethc44c41e
                                                        vethee5c44a
[root@linux-node2 ~]#

Now let's download an nginx image

[root@linux-node2 ~]# docker run -d -P nginx 
abbce8ddf4a0d34da163228d33316054efb214726f24cc32e37106b8260ee250

Checking the container shows a port mapping

[root@linux-node2 ~]# docker ps -a  -l
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                   NAMES
abbce8ddf4a0        nginx               "nginx -g 'daemon off"   5 minutes ago       Up 5 minutes        0.0.0.0:32768->80/tcp   tender_brown
[root@linux-node2 ~]#

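Port 32768 on the physical host is mapped to port 80 in the container, so accessing port 32768 on the host reaches port 80 in the container. Just open it in a browser.

View the nginx container's logs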

[root@linux-node2 ~]# docker logs abbce8ddf4a0
192.168.57.1 - - [09/Jan/2018:13:54:12 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" "-"
2018/01/09 13:54:13 [error] 6#6: *1 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.168.57.1, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "192.168.57.145:32768", referrer: "http://192.168.57.145:32768/"
192.168.57.1 - - [09/Jan/2018:13:54:13 +0000] "GET /favicon.ico HTTP/1.1" 404 571 "http://192.168.57.145:32768/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36" "-"
[root@linux-node2 ~]#

Start a container with a specified port

[root@linux-node2 ~]# docker run -d -p 81:80 nginx
b74843b3027b7a5b8c50b4ca936f504284f4f3389eb5a4058ab773fe0fa61703
[root@linux-node2 ~]# docker ps -a 
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                   NAMES
b74843b3027b        nginx               "nginx -g 'daemon off"   29 seconds ago      Up 28 seconds       0.0.0.0:81->80/tcp      boring_cori
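
An added example, not part of the original post: both `docker ps` outputs above show mappings of the form `0.0.0.0:32768->80/tcp`, meaning the container port is published on every host interface, and the DOCKER chain accepts that traffic. The function below reads lines produced by `docker ps --format '{{.Names}}\t{{.Ports}}'` and reports such wildcard bindings; `audit_published_ports` and `sample_ps` are hypothetical names and the sample lines are constructed from the outputs on this page.

```shell
#!/bin/sh
# Added example: flag container ports published on all host interfaces.
# Input : lines of "<name><TAB><ports>", as printed by
#         docker ps --format '{{.Names}}\t{{.Ports}}'
# Output: one "<name> <hostport>-><containerport>/<proto>" line per
#         mapping bound to a wildcard address.
audit_published_ports() {
    awk -F '\t' '
    {
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            m = maps[i]
            # Wildcard binds: IPv4 0.0.0.0, IPv6 written as ::: or [::]:
            if (m ~ /^0\.0\.0\.0:/ || m ~ /^:::/ || m ~ /^\[::\]:/) {
                sub(/^(0\.0\.0\.0|::|\[::\]):/, "", m)
                print $1, m
            }
        }
    }'
}

# Constructed sample: the two nginx containers from this page plus
# three made-up rows (loopback-only, unpublished, mixed).
sample_ps() {
    printf 'tender_brown\t0.0.0.0:32768->80/tcp\n'
    printf 'boring_cori\t0.0.0.0:81->80/tcp\n'
    printf 'local_only\t127.0.0.1:8080->80/tcp\n'
    printf 'unpublished\t80/tcp\n'
    printf 'dual\t0.0.0.0:443->443/tcp, 127.0.0.1:9000->9000/tcp\n'
}

sample_ps | audit_published_ports
```

Publishing with an explicit address, for example `docker run -d -p 127.0.0.1:81:80 nginx`, keeps the port reachable from the host only.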

6.2 Storage

[root@linux-node2 ~]# docker run -it --name volume-test1 -v /data centos 
[root@8dc9ad7c51cd /]# exit
[root@linux-node2 ~]# docker start volume-test1
volume-test1

So where is the actual directory behind /data?

[root@linux-node2 volumes]# docker inspect 8dc9ad7c51cd |grep vo
        "Name": "/volume-test1",
                "Source": "/var/lib/docker/volumes/5f244be1ff275a48a1340fb7ba5c900af93f13437501782fc3cddd0b87205a0a/_data",

Storing data in a specified host directory

[root@linux-node2 ~]# docker run -it -v /opt:/opt centos
[root@62dd07fa9e89 /]# cd /opt/
[root@62dd07fa9e89 opt]# ls
12  3

Specifying permissions

[root@linux-node2 ~]# docker run -it -v /opt:/opt:rw   centos

Mounting a single file

[root@linux-node2 ~]# docker run -it -v ~/.bash_history:/.bash_history centos
[root@eec4bf3bf27b /]# history 
    1  history

Creating a data volume

[root@linux-node2 ~]# docker run -it --name nfs -v /liang centos
 [root@0c19548680c1 /]# cd /liang/
[root@0c19548680c1 liang]# ls
[root@0c19548680c1 liang]# touch 1 2 3

Start another container that uses the volume from the nfs container

[root@linux-node2 ~]# docker run -it --name test1 --volumes-from nfs centos
 [root@a6776a77f307 /]# cd /liang/
[root@a6776a77f307 liang]# ls
[root@a6776a77f307 liang]# ls
1  2  3

The data is exactly the same

7. Building an image manually

First create a container that we can work in

[root@linux-node2 ~]# docker run --name mynginx -it centos

Install EPEL

rpm -ivh https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
Retrieving https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
warning: /var/tmp/rpm-tmp.Oyyp8w: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:epel-release-7-11                ################################# [100%]
[root@452845b5abbc /]#

Install nginx

[root@452845b5abbc /]# yum install -y nginx

Exit once the installation is done

Now commit the mynginx container as an image

[root@linux-node2 ~]# docker ps -a 
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
452845b5abbc        centos              "/bin/bash"         7 minutes ago       Up 7 minutes                            mynginx
a6776a77f307        centos              "/bin/bash"         10 days ago         Up 10 days                              test1
0c19548680c1        centos              "/bin/bash"         10 days ago         Up 10 days                              nfs
[root@linux-node2 ~]#

Commit it

[root@linux-node2 ~]# docker commit -m "my nginx" 452845b5abbc liang/nginx:v1
sha256:33d3217a7f4dc78dee66c0ead7ac9fbce2ab8dfebf745b3fcb4dd0e840344f8f

Check

[root@linux-node2 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
liang/nginx         v1                  33d3217a7f4d        5 seconds ago       383.5 MB
docker.io/centos    latest              ff426288ea90        11 days ago         207.2 MB
docker.io/nginx     latest              3f8a4339aadd        3 weeks ago         108.5

Start an instance of it

[root@linux-node2 ~]# docker run -it  --name nginxv1 liang/nginx:v1
[root@bd04f3ff82fd /]# 

Modify nginx so that it runs in the foreground instead of the background

Add one line to /etc/nginx/nginx.conf

daemon off;

After saving and exiting, commit again as v2

[root@linux-node2 ~]# docker commit -m "my nginx" bd04f3ff82fd liang/nginx:v2

Check again

[root@linux-node2 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
liang/nginx         v2                  25462eee67e5        38 seconds ago      383.5 MB
liang/nginx         v1                  33d3217a7f4d        8 minutes ago       383.5 MB
docker.io/centos    latest              ff426288ea90        11 days ago         207.2 MB
docker.io/nginx     latest              3f8a4339aadd        3 weeks ago         108.5 MB

Create an nginx container

[root@linux-node2 ~]# docker run -d -p 82:80 liang/nginx:v2 nginx
636384eef62fdb1d1114463a3e42a37c483de67c50c5c001759f78718026a466

Check that the port is listening

[root@linux-node2 ~]# netstat -ntlp|grep 82
tcp6       0      0 :::82                   :::*                    LISTEN      9370/docker-proxy-c 

Check the port mapping

CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                NAMES
636384eef62f        liang/nginx:v2      "nginx"             3 minutes ago       Up 3 minutes        0.0.0.0:82->80/tcp   tender_newton

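Access it

8. Building an image with a Dockerfile

Parts of a Dockerfile

1. Base image information

2. Maintainer information

3. Image build instructions

4. Instructions executed when the container starts

Some Dockerfile instructions


I wrote the following Dockerfile (the file must be named Dockerfile)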

# This docker file
# version v1
# Author: Jack Ben
# base image
FROM centos

#Maintainer 
MAINTAINER Jack Ben 1249648969@qq.com

#Commands
RUN rpm -ivh https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
RUN yum install -y nginx
ADD index.html /usr/share/nginx/html/index.html
RUN echo "daemon off;" >> /etc/nginx/nginx.conf
EXPOSE 80
CMD ["nginx"]

Then create an index.html file

In the HTML I just wrote liang

Then build

[root@linux-node2 nginx]# docker build -t  liang/nginx:v3 /opt/dockerfile/nginx/
Sending build context to Docker daemon 3.072 kB
Step 1 : FROM centos
 ---> ff426288ea90
Step 2 : MAINTAINER Jack Ben 1249648969@qq.com
 ---> Running in 9a5228ce9abe
 ---> 843b36998cfc
Removing intermediate container 9a5228ce9abe
Step 3 : RUN rpm -ivh https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
 ---> Running in aac89d88eebd
warning: /var/tmp/rpm-tmp.N81GVD: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Step 8 : CMD nginx
 ---> Running in 9175930b81ac
 ---> c284589102ad
Removing intermediate container 9175930b81ac

Check the images (there is now a v3)

[root@linux-node2 nginx]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
liang/nginx         v3                  c284589102ad        18 seconds ago      403.5 MB
liang/nginx         v2                  25462eee67e5        3 hours ago         383.5 MB
liang/nginx         v1                  33d3217a7f4d        3 hours ago         383.5 MB
docker.io/centos    latest              ff426288ea90        11 days ago         207.2 MB
docker.io/nginx     latest              3f8a4339aadd        3 weeks ago         108.5 MB
[root@linux-node2 nginx]#

Now start a container

[root@linux-node2 nginx]# docker run -d -p 83:80 liang/nginx:v3 
f89a8f08223a3b3b85f1de19bfa1cd5258cf01750908075540fcbfd02856b879

Access it
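
An added example, not part of the original post: the Dockerfile above starts from an untagged `centos`, installs an RPM fetched from a URL (the build log shows rpm's `NOKEY` warning, meaning no key was available to verify its signature), uses `ADD` for a local file and never sets `USER`. The linter below reads a Dockerfile on stdin and reports exactly those four patterns; `lint_dockerfile` and `page_dockerfile` are hypothetical names and the finding codes are made up for this example.

```shell
#!/bin/sh
# Added example: lint a Dockerfile (stdin) for the supply-chain and
# privilege issues visible in the Dockerfile and build log on this page.
# Output: "<line>: <CODE> <detail>", one finding per line.
lint_dockerfile() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        instr = toupper($1)
        if (instr == "FROM") {
            ref = $2
            sub(/^.*\//, "", ref)            # drop registry host:port and path
            # Unpinned: no digest, and either no tag or the moving tag latest
            if (ref !~ /@sha256:/ && (ref !~ /:/ || ref ~ /:latest$/))
                print NR ": UNPINNED_BASE " $2
        } else if (instr == "RUN" && $0 ~ /rpm[ \t]+-[A-Za-z]*[iU]/) {
            # rpm install or upgrade of a package fetched straight from a URL
            for (i = 2; i <= NF; i++)
                if ($i ~ /^https?:\/\//) print NR ": REMOTE_RPM " $i
        } else if (instr == "ADD") {
            # ADD also fetches URLs and unpacks archives; COPY only copies
            print NR ": " ($2 ~ /^https?:\/\// ? "ADD_URL " : "ADD_LOCAL ") $2
        } else if (instr == "USER") {
            has_user = 1
        }
    }
    END { if (!has_user) print "EOF: NO_USER" }   # process runs as root
    '
}

# The Dockerfile from this page, with comments and the MAINTAINER line omitted.
page_dockerfile() {
    cat <<'EOF'
FROM centos
RUN rpm -ivh https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
RUN yum install -y nginx
ADD index.html /usr/share/nginx/html/index.html
RUN echo "daemon off;" >> /etc/nginx/nginx.conf
EXPOSE 80
CMD ["nginx"]
EOF
}

page_dockerfile | lint_dockerfile
```

The digest that `docker pull centos` printed in section 4 is the kind of value a pinned `FROM centos@sha256:...` line refers to; a tag such as `latest` can point to a different image on the next build.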


9. Building a private registry

[root@linux-node2 nginx]# docker pull registry
Using default tag: latest
Trying to pull repository docker.io/library/registry ... 
latest: Pulling from docker.io/library/registry
81033e7c1d6a: Pull complete 
b235084c2315: Pull complete 
c692f3a6894b: Pull complete 
ba2177f3a70e: Pull complete 
a8d793620947: Pull complete 
Digest: sha256:672d519d7fd7bbc7a448d17956ebeefe225d5eb27509d8dc5ce67ecb4a0bce54
[root@linux-node2 nginx]# docker images
REPOSITORY           TAG                 IMAGE ID            CREATED             SIZE
liang/nginx          v3                  c284589102ad        51 minutes ago      403.5 MB
liang/nginx          v2                  25462eee67e5        4 hours ago         383.5 MB
liang/nginx          v1                  33d3217a7f4d        4 hours ago         383.5 MB
docker.io/registry   latest              d1fd7d86a825        10 days ago         33.26 MB
docker.io/centos     latest              ff426288ea90        11 days ago         207.2 MB
docker.io/nginx      latest              3f8a4339aadd        3 weeks ago         108.5 MB
[root@linux-node2 nginx]#

[root@linux-node2 ~]# docker run -d -p 5000:5000 -v /opt/data/registry:/tmp/registry registry
8b322df3b705ea0716201182df022123207d0d575205da6822079b8b15bb3227 

 

First, tag the image

[root@linux-node2 ~]# docker tag liang/nginx:v3 192.168.57.145:5000/liang/nginx:latest

Next, add HTTPS

Because push uses HTTPS, we need a CA certificate. Install nginx on this host

yum install nginx

Create docker-registry.conf in /etc/nginx/conf.d

The file contents are as follows:

# The registry container published on port 5000
upstream docker-registry {
 server 127.0.0.1:5000;
}

server {
 listen 443 ssl;
 server_name linux-node2;
 ssl_certificate        /etc/ssl/nginx.crt;
 ssl_certificate_key    /etc/ssl/nginx.key;
 proxy_set_header Host          $http_host;
 proxy_set_header X-Real-IP     $remote_addr;
 client_max_body_size 0;
 chunked_transfer_encoding on;

 # Everything except the ping endpoints requires basic auth
 location / {
        auth_basic    "Docker";
        auth_basic_user_file  /etc/nginx/conf.d/docker-registry.htpasswd;
        proxy_pass http://docker-registry;
 }

 location /_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
 }

 location /v1/_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
 }
}

Set up the CA

[root@linux-node2 conf.d]# cd /etc/pki/CA/
[root@linux-node2 CA]# touch ./{serial,index.txt}
[root@linux-node2 CA]# echo "00" >serial

Generate the root certificate

[root@linux-node2 CA]# openssl genrsa -out private/cakey.pem 2048
[root@linux-node2 CA]# openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing   
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:liang   
Organizational Unit Name (eg, section) []:docker
Common Name (eg, your name or your server's hostname) []:linux-node2
Email Address []:admin@linux-node2

Generate the nginx certificate

[root@linux-node2 CA]# cd /etc/ssl/
[root@linux-node2 ssl]# openssl genrsa -out nginx.key 2048
[root@linux-node2 ssl]# openssl req -new -key nginx.key -out nginx.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:liang
Organizational Unit Name (eg, section) []:docker
Common Name (eg, your name or your server's hostname) []:linux-node2
Email Address []:admin@linux-node2

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign the certificate

[root@linux-node2 ssl]# openssl ca -in nginx.csr -days 3650 -out nginx.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Jan 20 06:59:26 2018 GMT
            Not After : Jan 18 06:59:26 2028 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = liang
            organizationalUnitName    = docker
            commonName                = linux-node2
            emailAddress              = admin@linux-node2
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                E4:03:41:79:8A:0D:51:04:84:71:94:26:4D:39:EF:C2:37:04:BC:F5
            X509v3 Authority Key Identifier: 
                keyid:72:3C:AD:5E:4F:E7:DB:FD:07:42:B7:65:C2:F8:C9:DF:9E:DB:4C:92

Certificate is to be certified until Jan 18 06:59:26 2028 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Make the system trust the certificate

[root@linux-node2 ssl]# cat /etc/pki/CA/cacert.pem >>/etc/pki/tls/certs/ca-bundle.crt

Create a login user

[root@linux-node2 ssl]# htpasswd -c /etc/nginx/conf.d/docker-registry.htpasswd liang 
New password: 
Re-type new password: 
Adding password for user liang
[root@linux-node2 ssl]#

Start nginx (if there is an error, check the log file /var/log/nginx/error.log)

[root@linux-node2 ssl]# systemctl start nginx
[root@linux-node2 ssl]# 

Push to the registry

[root@linux-node2 ssl]# docker push 192.168.57.145:5000/liang/nginx:latest
The push refers to a repository [192.168.57.145:5000/liang/nginx]
Get https://192.168.57.145:5000/v1/_ping: http: server gave HTTP response to HTTPS client

Check

[root@linux-node2 ssl]# docker images
REPOSITORY                        TAG                 IMAGE ID            CREATED             SIZE
192.168.57.145:5000/liang/nginx   latest              c284589102ad        2 hours ago         403.5 MB
liang/nginx                       v3                  c284589102ad        2 hours ago         403.5 MB
liang/nginx                       v2                  25462eee67e5        5 hours ago         383.5 MB
liang/nginx                       v1                  33d3217a7f4d        5 hours ago         383.5 MB
docker.io/busybox                 latest              f9b6f7f7b9d3        4 days ago          1.143 MB
docker.io/registry                latest              d1fd7d86a825        10 days ago         33.26 MB
docker.io/centos                  latest              ff426288ea90        11 days ago         207.2 MB
docker.io/nginx                   latest              3f8a4339aadd        3 weeks ago         108.5 MB
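
An added example, not part of the original post: the certificate above was issued for commonName linux-node2, while the image is tagged and pushed as 192.168.57.145:5000, where the push output shows a plain-HTTP answer. The script below builds a throwaway CA and server certificate in a temporary directory and runs the two checks a client performs: does the certificate chain to the CA, and does it cover the name or IP used in the image tag. It signs with `openssl x509 -req` rather than the post's `openssl ca`, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks for a registry TLS certificate.

# cert_chains_to CA_FILE CERT_FILE -> exit 0 if CERT verifies against CA.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_matches CERT_FILE host|ip VALUE -> exit 0 if CERT is valid for VALUE.
cert_matches() {
    case "$2" in
        host) opt=-checkhost ;;
        ip)   opt=-checkip ;;
        *)    return 2 ;;
    esac
    # openssl prints "... does match certificate" or "... does NOT match ..."
    openssl x509 -in "$1" -noout "$opt" "$3" 2>/dev/null | grep -q 'does match'
}

# make_demo_pki DIR -> throwaway CA plus a server certificate whose only
# identity is CN=linux-node2, like the one issued in the post.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-ca' \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj '/CN=linux-node2' \
        -keyout "$d/nginx.key" -out "$d/nginx.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/nginx.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/nginx.crt" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_pki "$dir" || { rm -rf "$dir"; return 1; }
    cert_chains_to "$dir/ca.crt" "$dir/nginx.crt" && echo "chain to CA: ok"
    cert_matches "$dir/nginx.crt" host linux-node2 && echo "linux-node2: covered"
    cert_matches "$dir/nginx.crt" ip 192.168.57.145 ||
        echo "192.168.57.145: NOT covered"
    rm -rf "$dir"
}

demo
```

OpenSSL falls back to the commonName when a certificate has no subjectAltName, which is why the hostname check passes here. Docker clients built with current Go releases ignore the commonName and require a subjectAltName entry for the name or IP in the image tag.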





