Docker Notes (Part 2)
Docker Data Volume
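Stopping and restarting a container does not affect its data, but deleting the Docker container loses all of its changes.
Problems
Data is stored in the union file system, which is hard to reach from the host;
Sharing data between containers is inconvenient;
Deleting the container loses all of its data;
Solution: "volumes"
A "volume" is one or more "directories" in a container; such a directory bypasses the union file system and is "bound (associated)" to a directory on the host.
A volume is created when the container is initialized; data that the base image provides in the volume's directory is copied into it at that point.
Volumes exist to persist data independently of the container lifecycle, so deleting a container does not delete its volumes, and even unreferenced volumes are not garbage-collected.
Docker has two types of volumes. Each type has a mount point inside the container, but its location on the host differs.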
```
# docker run --name b2 -it -v /data busybox
```
Open another terminal and look at the mount information
```
# docker inspect b2
        "Mounts": [
            {
                "Type": "volume",
                "Name": "5d2aaa4a60dd5724bed6011c92d71df8eb093de43bae2038c992f746f97f6e7d",
                "Source": "/var/lib/docker/volumes/5d2aaa4a60dd5724bed6011c92d71df8eb093de43bae2038c992f746f97f6e7d/_data",
                "Destination": "/data",
                "Driver": "local",
                "Mode": "",
                "RW": true,
                "Propagation": ""
            }
        ],
# echo "hello container" >> /var/lib/docker/volumes/5d2aaa4a60dd5724bed6011c92d71df8eb093de43bae2038c992f746f97f6e7d/_data/test.html
```
Check it inside the container
```
/ # cat data/test.html
hello container
/ # echo "test rj" >> data/test.html
```
Check it on the host
```
# cat /var/lib/docker/volumes/5d2aaa4a60dd5724bed6011c92d71df8eb093de43bae2038c992f746f97f6e7d/_data/test.html
hello container
test rj
```
After the container exits and is deleted, the data still exists
```
# docker run --name b2 -it --rm -v /data/volumes/b2:/data busybox
# docker inspect b2 | grep volume
                "/data/volumes/b2:/data"
                "Source": "/data/volumes/b2",
```
Query a single element of the inspect output
```
# docker inspect -f {{.Mounts}} b2
[{bind /data/volumes/b2 /data true rprivate}]
```
Note: two containers can share the same volume
```
# docker run -it --name c1 -v /docker/volumes/v1:/data busybox
# docker run -it --name c2 -v /docker/volumes/v1:/data busybox
```
To reuse the volumes of another container, pass the --volumes-from option to docker run
```
# docker run -it --name bbox1 -v /docker/volumes/v1:/data busybox
# docker run -it --name bbox2 --volumes-from bbox1 busybox
```
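The `Mounts` array printed by `docker inspect` is enough to tell the two volume types apart and to find host paths that more than one container can write to. The following is an added example, not part of the original notes; the JSON is a constructed excerpt modelled on containers b2, c1 and c2 above, and the function names are hypothetical.

```python
import json
import re
from collections import defaultdict

VOL = "5d2aaa4a60dd5724bed6011c92d71df8eb093de43bae2038c992f746f97f6e7d"
# Constructed `docker inspect` excerpts modelled on containers b2, c1 and c2 above.
INSPECT = json.loads("""[
 {"Name": "/b2", "Mounts": [{"Type": "volume", "Name": "%s",
   "Source": "/var/lib/docker/volumes/%s/_data", "Destination": "/data", "RW": true}]},
 {"Name": "/c1", "Mounts": [{"Type": "bind", "Source": "/docker/volumes/v1",
   "Destination": "/data", "RW": true}]},
 {"Name": "/c2", "Mounts": [{"Type": "bind", "Source": "/docker/volumes/v1",
   "Destination": "/data", "RW": true}]}
]""" % (VOL, VOL))

def classify(mount):
    """Name the kind of mount from one entry of the Mounts array."""
    if mount["Type"] == "bind":
        return "bind mount"          # host directory chosen by the operator
    if re.fullmatch(r"[0-9a-f]{64}", mount.get("Name", "")):
        return "anonymous volume"    # Docker-generated name under /var/lib/docker/volumes
    return "named volume"

def report(containers):
    """Return ({container: [(dest, kind)]}, {host_path: [containers]}) for shared writable mounts."""
    kinds, writers = {}, defaultdict(list)
    for c in containers:
        name = c["Name"].lstrip("/")
        kinds[name] = [(m["Destination"], classify(m)) for m in c["Mounts"]]
        for m in c["Mounts"]:
            if m["RW"]:
                writers[m["Source"]].append(name)
    shared = {src: names for src, names in writers.items() if len(names) > 1}
    return kinds, shared

if __name__ == "__main__":
    kinds, shared = report(INSPECT)
    print(kinds)
    print("writable from several containers:", shared)
```

A path listed in the second result is a place where one container can change data that another container reads.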
Dockerfile
FROM
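FROM is the most important instruction and must be the first non-comment line of the Dockerfile. It specifies the base image for the build; the instructions that follow run in the environment this base image provides.
In practice the base image can be any available image. By default docker build looks for the specified image on the Docker host and, if it is not there, pulls it from the Docker Hub Registry.
If the specified image cannot be found, docker build returns an error.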
Syntax
```
FROM <repository>[:<tag>]
FROM <repository>@<digest>
```
```
# vim Dockerfile
# Description: test image
FROM busybox:latest
MAINTAINER "ssjinyao <renjin@ssjinyao.com>"
# LABEL maintainer="ssjinyao"
# The trailing slash makes the destination a directory, so the file lands at /data/web/html/index.html
COPY index.html /data/web/html/

# vim index.html
<h1> ssjinyao httpd server.</h1>

# docker build -t ssjinyaohttpd-img:v0.1-1 ./
Sending build context to Docker daemon  3.072kB
Step 1/3 : FROM busybox:latest
 ---> e1ddd7948a1c
Step 2/3 : MAINTAINER "Jinyao <renjin@ssjinyao.com>"
 ---> Running in aa9838facca1
Removing intermediate container aa9838facca1
 ---> 71258688ebeb
Step 3/3 : COPY index.html /data/web/html
 ---> b23d8149125a
Successfully built b23d8149125a
Successfully tagged ssjinyaohttpd-img:v0.1-1
```
Verify
```
# docker run --name ssjinyao-web1 --rm ssjinyaohttpd-img:v0.1-1 cat /data/web/html/index.html
<h1> ssjinyao httpd server.</h1>
```
Copying a directory
```
FROM busybox:latest
MAINTAINER "ssjinyao <renjin@ssjinyao.com>"
# LABEL maintainer="ssjinyao"
COPY index.html /data/web/html/
COPY yum.repos.d /etc/yum.repos.d/

# ls
Dockerfile  index.html  yum.repos.d
# docker build -t tinyhttpd:v0.1-2 ./
Sending build context to Docker daemon  26.11kB
Step 1/4 : FROM busybox:latest
 ---> e1ddd7948a1c
Step 2/4 : MAINTAINER "ssjinayo <renjin@ssjinyao.com>"
 ---> Using cache
 ---> 708bad816b72
Step 3/4 : COPY index.html /data/web/html/
 ---> Using cache
 ---> 758051947b4d
Step 4/4 : COPY yum.repos.d /etc/yum.repos.d/
 ---> a4c01bf4fe8d
Successfully built a4c01bf4fe8d
Successfully tagged tinyhttpd:v0.1-2
# docker run --name tinyweb1 --rm tinyhttpd:v0.1-2 ls /etc/yum.repos.d/
CentOS-Base.repo
CentOS-CR.repo
CentOS-Debuginfo.repo
CentOS-Media.repo
CentOS-Sources.repo
CentOS-Vault.repo
CentOS-fasttrack.repo
docker-ce.repo
epel-testing.repo
epel.repo
```
Using the ADD instruction
```
# vim Dockerfile
# Description: test image
FROM busybox:latest
MAINTAINER "ssjinyao <renjin@ssjinyao.com>"
# LABEL maintainer="ssjinyao"
COPY index.html /data/web/html/
COPY yum.repos.d /etc/yum.repos.d/
ADD http://nginx.org/download/nginx-1.15.5.tar.gz /usr/local/src/

# docker build -t tinyhttpd:v0.1-3 ./
Sending build context to Docker daemon  26.11kB
Step 1/5 : FROM busybox:latest
 ---> e1ddd7948a1c
Step 2/5 : MAINTAINER "ssjinyao <renjin@ssjinyao.com>"
 ---> Using cache
 ---> 708bad816b72
Step 3/5 : COPY index.html /data/web/html/
 ---> Using cache
 ---> 758051947b4d
Step 4/5 : COPY yum.repos.d /etc/yum.repos.d/
 ---> Using cache
 ---> a4c01bf4fe8d
Step 5/5 : ADD http://nginx.org/download/nginx-1.15.5.tar.gz /usr/local/src/
Downloading  1.025MB/1.025MB
 ---> 884e8bf3725f
Successfully built 884e8bf3725f
Successfully tagged tinyhttpd:v0.1-3
# docker run --name tinyweb1 --rm tinyhttpd:v0.1-3 ls /usr/local/src/
nginx-1.15.5.tar.gz
```
```
# Description: test image
FROM busybox:latest
MAINTAINER "ssjinyao <renjin@ssjinyao.com>"
# LABEL maintainer="ssjinyao"
COPY index.html /data/web/html/
COPY yum.repos.d /etc/yum.repos.d/
#ADD http://nginx.org/download/nginx-1.15.5.tar.gz /usr/local/src/
ADD nginx-1.15.5.tar.gz /usr/local/src/

# ls
Dockerfile  index.html  nginx-1.15.5.tar.gz  yum.repos.d
# docker build -t tinyhttpd:v0.1-4 ./
# docker run --name tinyweb --rm tinyhttpd:v0.1-4 ls /usr/local/src
nginx-1.15.5
```
Another way to write it
```
# vim Dockerfile
# Description: test image
FROM busybox:latest
MAINTAINER "ssjinyao <renjin@ssjinyao.com>"
# LABEL maintainer="ssjinyao"
COPY index.html /data/web/html/
COPY yum.repos.d /etc/yum.repos.d/
#ADD http://nginx.org/download/nginx-1.15.5.tar.gz /usr/local/src/
WORKDIR /usr/local/src/
# ./ here refers to the directory set by WORKDIR
ADD nginx-1.15.5.tar.gz ./
```
```
# Description: test image
FROM busybox:latest
MAINTAINER "ssjinyao <renjin@ssjinyao.com>"
# LABEL maintainer="ssjinyao"
COPY index.html /data/web/html/
COPY yum.repos.d /etc/yum.repos.d/
#ADD http://nginx.org/download/nginx-1.15.5.tar.gz /usr/local/src/
WORKDIR /usr/local/
ADD nginx-1.15.5.tar.gz ./src/
VOLUME /data/mysql/

# docker build -t tinyhttpd:v0.1-5 ./
Sending build context to Docker daemon  1.052MB
Step 1/7 : FROM busybox:latest
 ---> e1ddd7948a1c
Step 2/7 : MAINTAINER "ssjinyao <renjin@ssjinyao.com>"
 ---> Running in 206968a461e1
Removing intermediate container 206968a461e1
 ---> acce38db09a6
Step 3/7 : COPY index.html /data/web/html/
 ---> cfac93db1094
Step 4/7 : COPY yum.repos.d /etc/yum.repos.d/
 ---> ccbddff1520b
Step 5/7 : WORKDIR /usr/local/
 ---> Running in 8bbda4faa5a4
Removing intermediate container 8bbda4faa5a4
 ---> 1660db5c8614
Step 6/7 : ADD nginx-1.15.5.tar.gz ./src/
 ---> cfd686660ff8
Step 7/7 : VOLUME /data/mysql/
 ---> Running in e85008cba000
Removing intermediate container e85008cba000
 ---> 529be777da05
Successfully built 529be777da05
Successfully tagged tinyhttpd:v0.1-5
# docker run --name tinweb1 --rm tinyhttpd:v0.1-5 mount | grep data
/dev/mapper/centos-root on /data/mysql type xfs (rw,seclabel,relatime,attr2,inode64,noquota)
```
Using the EXPOSE instruction
```
# Use the -P option when starting a container from the image
EXPOSE 1211/udp 11211/tcp
```
ENV
Defines the environment variables the image needs; they can be referenced by the instructions that follow in the Dockerfile (ENV, ADD, COPY and so on).
```
# Description: test image
FROM busybox:latest
MAINTAINER "ssjinyao <renjin@ssjinyao.com>"
# LABEL maintainer="ssjinyao"
ENV DOC_ROOT /data/web/html
# The trailing slash makes the destination a directory rather than a file named html
COPY index.html $DOC_ROOT/
COPY yum.repos.d /etc/yum.repos.d/
#ADD http://nginx.org/download/nginx-1.15.5.tar.gz /usr/local/src/
WORKDIR /usr/local/
ADD nginx-1.15.5.tar.gz ./src/
VOLUME /data/mysql/
EXPOSE 80/tcp
```
```
# docker run --name tinyweb1 --rm -P tinyhttpd:v0.1-7 printenv    # print the environment variables
# docker run --name tinyweb --rm -P -e WEB_SERVER_PACKAGE="nginx-1.15.1" tinyhttpd:v0.1-7 printenv    # -e changes or sets an environment variable from outside the image
```
```
# Description: test image
FROM busybox:latest
MAINTAINER "ssjinyao <renjin@ssjinyao.com>"
# LABEL maintainer="ssjinyao"
ENV DOC_ROOT=/data/web/html/ \
    WEB_SERVER_PACKAGE="nginx-1.15.5"
# When there is no DOC_ROOT value, ${DOC_ROOT:-...} falls back to the default path
COPY index.html ${DOC_ROOT:-/data/web/html/}
COPY yum.repos.d /etc/yum.repos.d/
ADD http://nginx.org/download/${WEB_SERVER_PACKAGE}.tar.gz /usr/local/src/
WORKDIR /usr/local/
#ADD ${WEB_SERVER_PACKAGE}.tar.gz ./src/
VOLUME /data/mysql/
EXPOSE 80/tcp
RUN cd /usr/local/src && \
    tar xvf ${WEB_SERVER_PACKAGE}.tar.gz
```
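```
FROM busybox
LABEL maintainer="ssjinyao <renjin@ssjinyao.com>" app="httpd"
ENV WEB_DOC_ROOT="/data/web/html"
RUN mkdir -p $WEB_DOC_ROOT && \
    echo '<h1>Busybox httpd server.</h1>' > ${WEB_DOC_ROOT}/index.html
# CMD /bin/httpd -f -h ${WEB_DOC_ROOT}
# An exec-form ENTRYPOINT receives CMD as its arguments: /bin/sh -c "<CMD string>".
# The shell started by ENTRYPOINT expands ${WEB_DOC_ROOT} at run time.
CMD ["/bin/httpd -f -h ${WEB_DOC_ROOT}"]
ENTRYPOINT ["/bin/sh", "-c"]
```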
Dockerfile example: an Nginx image
```
# mkdir img_nginx
# cd img_nginx
# vim Dockerfile
FROM nginx:1.14-alpine
ARG author="ssjinyao <rejin@ssjinyao.com>"
LABEL maintainer="${author}"
ENV NGX_DOC_ROOT="/data/web/html/"
ADD index.html ${NGX_DOC_ROOT}
ADD entrypoint.sh /bin/
EXPOSE 80/tcp
HEALTHCHECK --start-period=3s CMD wget -O - -q http://${IP:-0.0.0.0}:${PORT:-80}/
CMD ["/usr/sbin/nginx", "-g", "daemon off;"]
ENTRYPOINT ["/bin/entrypoint.sh"]

# vim index.html
<h1> Dockerfile Nginx Test Page.</h1>

# vim entrypoint.sh
#!/bin/sh
# Write the server block from the container's environment, then run CMD.
# NGX_DOC_ROOT is the variable name set by ENV in the Dockerfile.
cat > /etc/nginx/conf.d/www.conf <<EOF
server {
    server_name ${HOSTNAME};
    listen ${IP:-0.0.0.0}:${PORT:-80};
    root ${NGX_DOC_ROOT:-/usr/share/nginx/html};
}
EOF
exec "$@"

# chmod +x entrypoint.sh
# docker build -t nginx_web:v0.0-1 ./
# docker run --name myweb1 --rm -P -e "PORT=8080" nginx_web:v0.0-1
127.0.0.1 - - [03/Oct/2018:07:43:31 +0000] "GET / HTTP/1.1" 200 612 "-" "Wget" "-"
127.0.0.1 - - [03/Oct/2018:07:44:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Wget" "-"
```
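The Dockerfiles in this section build on `busybox:latest`, use `MAINTAINER`, and `ADD` a tarball from an `http://` URL, so the image contents depend on whatever the tag and the URL return on the day of the build. The following is an added example, not part of the original notes: a small auditor that parses a Dockerfile (joining `\` continuations) and reports those patterns. The rule names and the sample text are constructed for illustration.

```python
import re

# Constructed sample that reuses the instruction patterns from the Dockerfiles above.
SAMPLE = """\
# Description: test image
FROM busybox:latest
MAINTAINER "ssjinyao <renjin@ssjinyao.com>"
ENV DOC_ROOT=/data/web/html/ \\
    WEB_SERVER_PACKAGE="nginx-1.15.5"
COPY index.html ${DOC_ROOT:-/data/web/html/}
ADD http://nginx.org/download/${WEB_SERVER_PACKAGE}.tar.gz /usr/local/src/
ADD nginx-1.15.5.tar.gz ./src/
"""

def instructions(text):
    """Yield (line_no, INSTRUCTION, args), joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines are dropped, even mid-continuation
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        word, _, args = (buf + line).partition(" ")
        yield start, word.upper(), args.strip()
        buf, start = "", 0

def audit(text):
    """Return (line_no, rule, detail) findings for build-integrity problems."""
    out = []
    for no, ins, args in instructions(text):
        words = [w for w in args.split() if not w.startswith("--")]
        if ins == "FROM" and words and "@sha256:" not in words[0]:
            out.append((no, "base-not-pinned", f"{words[0]}: a tag can be repointed, a digest cannot"))
        elif ins == "ADD" and words and re.match(r"https?://", words[0], re.I):
            if "--checksum=" not in args:
                how = "plaintext HTTP" if words[0].lower().startswith("http://") else "HTTPS"
                out.append((no, "add-remote", f"fetched over {how} at build time, no checksum"))
        elif ins == "ADD" and words and re.search(r"\.(tar|tgz|tar\.(gz|bz2|xz))$", words[0]):
            out.append((no, "add-auto-extract", f"{words[0]} is unpacked implicitly; COPY does not unpack"))
        elif ins == "MAINTAINER":
            out.append((no, "deprecated-maintainer", "use LABEL maintainer=... instead"))
    return out

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```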
Running your own docker-registry
```
# yum -y install docker-registry
# rpm -ql docker-distribution
/etc/docker-distribution/registry/config.yml
/usr/bin/registry
/usr/lib/systemd/system/docker-distribution.service
/var/lib/registry
```
Note: the docker push client works over HTTPS by default, so the client is configured here to allow unencrypted transport (the insecure-registries entry)
```
# vim /etc/docker/daemon.json
{
    "registry-mirrors":["https://registry.docker-cn.com"],
    "bip": "10.0.0.1/16",
    "hosts": ["tcp://0.0.0.0:2375","unix:///var/run/docker.sock"],
    "insecure-registries": ["node2:5000"]
}
# docker tag ssjinyao/httpd:v0.1.1.1-2 node2:5000/ssjinayo-web:v0.1.1.1-2
# docker push node2:5000/ssjinayo-web
The push refers to repository [node2:5000/ssjinayo-web]
e6baf59e35e7: Pushed
f9d9e4e6e2f0: Pushed
v0.1.1.1-2: digest: sha256:2f3d6d2f468ee189b4b43ff2b9f99a6e3895d9832b606522176f804cba738037 size: 734
```
Default path where the server stores images
```
# ls /var/lib/registry/docker/registry/v2/repositories/ssjinayo-web
_layers  _manifests  _uploads
```
Pulling from the private docker registry; this also requires unencrypted transport to be configured first
```
# docker pull node2:5000/ssjinayo-web:v0.1.1.1-2
v0.1.1.1-2: Pulling from ssjinayo-web
Digest: sha256:2f3d6d2f468ee189b4b43ff2b9f99a6e3895d9832b606522176f804cba738037
Status: Downloaded newer image for node2:5000/ssjinayo-web:v0.1.1.1-2
```
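The daemon.json used for the private registry does two things worth checking on any host: it opens the Docker API on `tcp://0.0.0.0:2375` with no client authentication, and it lists `node2:5000` under `insecure-registries`, which turns off transport protection for pushes and pulls. The following is an added example, not part of the original notes: an audit of daemon.json that flags both settings, run against the file from these notes and a constructed hardened variant. The certificate paths and the port 2376 listener are assumptions, and the hardened variant assumes the registry serves TLS with a certificate the client trusts.

```python
import json
from urllib.parse import urlsplit

# WEAK is the daemon.json shown in these notes. HARDENED is a constructed variant:
# the port 2376 listener and the certificate paths are assumptions for illustration.
WEAK = """{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "bip": "10.0.0.1/16",
  "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"],
  "insecure-registries": ["node2:5000"]
}"""
HARDENED = """{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "bip": "10.0.0.1/16",
  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def audit_daemon(text):
    """Return (rule, detail) findings for a daemon.json document."""
    cfg = json.loads(text)
    findings = []
    # tlsverify makes the daemon demand a client certificate signed by tlscacert.
    client_auth = cfg.get("tlsverify") is True and all(
        cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey"))
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme == "tcp" and not client_auth:
            reach = "loopback" if url.hostname in LOOPBACK else "network"
            findings.append(("unauthenticated-api",
                             f"{host}: {reach} listener without client certificates"))
    for registry in cfg.get("insecure-registries", []):
        findings.append(("insecure-registry",
                         f"{registry}: HTTP fallback allowed, TLS certificate not verified"))
    for mirror in cfg.get("registry-mirrors", []):
        if urlsplit(mirror).scheme != "https":
            findings.append(("plaintext-mirror", f"{mirror}: mirror is not HTTPS"))
    return findings

if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_daemon(doc) or "no findings")
```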
Installing and using a private vmware-harbor registry
Installing vmware/harbor
Downloading vmware/harbor
Resource | Capacity | Description |
---|---|---|
CPU | minimal 2 CPU | 4 CPU is preferred |
Mem | minimal 4GB | 8GB is preferred |
Disk | minimal 40GB | 160GB is preferred |
```
# yum -y install docker-compose
# vim harbor.cfg            # edit the configuration file to suit your needs
# vim docker-compose.yml
# cd /usr/local/src/harbor
# ./install.sh
```
```
CONTAINER ID   IMAGE                                    COMMAND                  CREATED         STATUS                   PORTS                                                              NAMES
f01090bf5ba1   goharbor/nginx-photon:v1.6.0             "nginx -g 'daemon of…"   3 minutes ago   Up 3 minutes (healthy)   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
7e4849fcb12a   goharbor/harbor-jobservice:v1.6.0        "/harbor/start.sh"       3 minutes ago   Up 3 minutes                                                                                harbor-jobservice
0d8ceb3ec5c0   goharbor/harbor-ui:v1.6.0                "/harbor/start.sh"       3 minutes ago   Up 3 minutes (healthy)                                                                      harbor-ui
c5780037bc8f   goharbor/harbor-adminserver:v1.6.0       "/harbor/start.sh"       3 minutes ago   Up 3 minutes (healthy)                                                                      harbor-adminserver
b184110cfac2   goharbor/registry-photon:v2.6.2-v1.6.0   "/entrypoint.sh /etc…"   3 minutes ago   Up 3 minutes (healthy)   5000/tcp                                                           registry
83b4b2ea3b2e   goharbor/redis-photon:v1.6.0             "docker-entrypoint.s…"   3 minutes ago   Up 3 minutes             6379/tcp                                                           redis
9055f4dcdaeb   goharbor/harbor-db:v1.6.0                "/entrypoint.sh post…"   3 minutes ago   Up 3 minutes (healthy)   5432/tcp                                                           harbor-db
583dd6d3dc30   goharbor/harbor-log:v1.6.0               "/bin/sh -c /usr/loc…"   3 minutes ago   Up 3 minutes (healthy)   127.0.0.1:1514->10514/tcp                                          harbor-log
```
Log in to the administrator console
In docker-vmware-harbor, create a regular user, then create a project as that user
```
# vim /etc/docker/daemon.json
{
    "insecure-registries": ["blog.ssjinyao.com"]
}
# docker login blog.ssjinyao.com
Username: ssjinyao
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@ssjinyao-node2:~]# docker push blog.ssjinyao.com/devel/ssjinyao-httpd
The push refers to repository [blog.ssjinyao.com/devel/ssjinyao-httpd]
e6baf59e35e7: Pushed
f9d9e4e6e2f0: Pushed
v0.1.1.1-1: digest: sha256:7248231aa495c62947519646d25acb453fd2caf3ed6bf778b41e6201bd3e31fc size: 734
e6baf59e35e7: Layer already exists
f9d9e4e6e2f0: Layer already exists
v0.1.1.1-2: digest: sha256:2f3d6d2f468ee189b4b43ff2b9f99a6e3895d9832b606522176f804cba738037 size: 734
```
Before pushing an image, you can check the tagging hint that vmware-harbor shows
```
# docker-compose pause      # pause
# docker-compose unpause    # resume
# docker-compose stop       # stop
# docker-compose start      # start
```
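Docker resource limits
OOME
Once an OOME occurs, any process may be killed, including the docker daemon.
For this reason Docker specifically adjusts the OOM priority of the docker daemon so that the kernel does not kill it,
but the priority of containers is not adjusted.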
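--memory-swap | --memory | Effect |
---|---|---|
positive S | positive M | Total space available to the container is S, of which RAM is M and swap is (S-M); if S=M, no swap is available |
0 | positive M | Equivalent to leaving swap unset |
unset | positive M | If the Docker host has swap enabled, the container's available swap is 2*M |
-1 | positive M | If the Docker host has swap enabled, the container may use up to all of the swap space on the host |

Note: the swap space that the free command shows inside a container does not indicate the swap actually available to that container.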
Pull a stress-testing image
```
# docker pull lorel/docker-stress-ng
# docker run --name stress -it --rm lorel/docker-stress-ng:latest stress --help
# docker run --name stree -it --rm -m 256m lorel/docker-stress-ng:latest stress --vm 2
```
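View the running docker processes
View the memory allocated to the stress container
Likewise for CPU: with the limit set to two CPUs, that is 200% utilisation, a stress test with 8 CPU workers peaks at 200% CPU usage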
```
# docker run --name stress -it --rm --cpus 2 lorel/docker-stress-ng:latest stress --cpu 8
# docker run --name stress -it --cpuset-cpus 0,2 --rm lorel/docker-stress-ng:latest stress --cpu 8    # run only on CPUs 0 and 2
# docker run --name stress -it --cpus 2 --rm lorel/docker-stress-ng:latest stress --cpu 8    # with --cpus 2 every core may be used, but total usage is capped at 200%
# docker run --name stress -it --cpu-shares 1024 --rm lorel/docker-stress-ng:latest stress --cpu 8    # takes as much CPU as is available; when another container starts, CPU is redistributed between them in real time in proportion to their shares
# docker run --name stress2 -it --cpu-shares 512 --rm lorel/docker-stress-ng:latest stress --cpu 8
```