1. Container concepts
Virtualization techniques:
- Host-level virtualization: VMware, Xen, KVM, etc.
  - Type I: the hypervisor runs directly on the hardware
  - Type II: a host OS runs on the hardware and the virtualization software is installed inside that host OS
- Container-level virtualization
  - FreeBSD: jail
  - VServer (Linux, built on chroot)
  - LXC, Docker
Namespaces:
- Hostname and domain name: UTS
- Filesystem mount points: Mount
- Inter-process communication: IPC
- Process IDs: PID
- Users and groups: User
- Network devices, network stack, ports: Network
Note that Docker does not use the User namespace unless the daemon is configured with userns-remap, so uid 0 inside a container is uid 0 on the host; what keeps it from acting as host root is the capability set, the seccomp profile and the other namespaces, not a uid mapping.
Resource control: cgroups
2. LXC
Linux Containers
# yum install lxc lxc-templates -y
# lxc-create -n test01 -t centos
# chroot /var/lib/lxc/test01/rootfs passwd   # set the root password inside the container's rootfs
# lxc-start -n test01
# lxc-ls -f
# lxc-console -n test01
3. Docker
Images: layered images, union mounts
Docker orchestration tools
- machine + swarm + compose
- mesos + marathon
- kubernetes
Container runtime lineage: lxc -> libcontainer -> runC
The client sends docker run to the docker daemon; the docker host pulls the image from a registry if it is not already present locally and then runs it as a container.
- image == name:tag, e.g. nginx:latest, nginx:stable. A tag is a mutable pointer: the same name:tag can resolve to different content tomorrow, so anything that has to be reproducible or auditable should reference the image by digest (name@sha256:...).
Docker objects
- images
- containers
- networks
- volumes
- plugins
1) Docker environment
Prerequisites
- 64-bit CPU
- Linux kernel 3.10+
- kernel support for cgroups and namespaces
CentOS 7
- "Extras" repository
- "Docker-ce" repository
2) Installing Docker
Configure the yum repository
# vim /etc/yum.repos.d/docker-ce.repo
[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
Keep gpgcheck=1: HTTPS only authenticates the mirror, while the RPM signature ties the packages to Docker's release key rather than to whoever operates the mirror.
Install docker-ce
# wget https://mirrors.aliyun.com/centos-vault/7.3.1611/extras/x86_64/Packages/container-selinux-2.9-4.el7.noarch.rpm
# yum localinstall container-selinux-2.9-4.el7.noarch.rpm -y
# yum install docker-ce -y
Configure a registry mirror: Docker CN, USTC, or Aliyun (Aliyun requires registration)
# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://registry.docker-cn.com"]
}
Start the docker daemon
# systemctl start docker
# systemctl enable docker
3) Basic Docker usage
Show version and system information
# docker version
# docker info
Common commands
docker search
docker pull
docker images
docker create
docker start
docker run
docker attach   # re-attach to a running container's terminal
docker ps
docker logs
docker restart
docker stop
docker kill
docker rm
Pull images
# docker image pull nginx:1.14-alpine
# docker pull busybox:latest
List images
# docker image ls
# docker image ls --no-trunc
Remove images
# docker image rm nginx:1.14-alpine
# docker rmi busybox:latest
List containers
# docker ps
# docker container ls
# docker container ls -a   # include stopped containers
Start a container
# docker run --name b1 -it busybox:latest
Show a container's details
# docker inspect b1
# docker inspect b1 | grep -w IPAddress
Stop and start a container
# docker stop b1
# docker start b1
# docker exec -it b1 sh   # open a shell in the running container
Start an nginx container
# docker run --name web1 -d nginx:1.14-alpine
# docker exec -it web1 sh
Read the log of the container's main process
# docker logs web1
List Docker networks
# docker network ls
4. Docker images
Docker images are built in layers: the lowest layer is the bootfs and the rootfs sits above it.
- bootfs: the filesystem used to boot the system, containing the bootloader and the kernel; once the container is up it is unmounted to save memory
- rootfs: sits on top of the bootfs and appears as the container's root filesystem
AUFS: advanced multi-layered unification filesystem, a reimplementation of the earlier UnionFS, written by Junjiro Okajima in 2006
OverlayFS: overlay filesystem, merged into the Linux kernel in 3.18
Docker registry categories
- Sponsor registry: a third-party registry for customers and the Docker community
- Mirror registry: a third-party registry for customers only, e.g. Aliyun, Docker CN
- Vendor registry: a registry run by the vendor that publishes the images
- Private registry: a registry run by a private entity behind a firewall and additional security layers
1) Building an image from a container
# docker run --name b2 -it busybox
/ # mkdir -p /data/html
/ # vi /data/html/index.html
welcome httpd busybox page.
With the container still running, from another terminal on the host:
# docker commit -p b2
# docker tag 17c6e41feabd dongfei/httpd:v0.1-1
# docker tag dongfei/httpd:v0.1-1 dongfei/httpd:latest
# docker run --name b3 -it dongfei/httpd:latest
docker commit snapshots the container's entire writable layer, including shell history, credentials and temporary files left in it, and leaves no record of how the image was produced; a Dockerfile (section 7) is reproducible and reviewable, a commit is not.
2) Setting the default start command
# docker commit -a "dongfei <www.dongfei.tech>" -c 'CMD ["/bin/httpd","-f","-h","/data/html"]' -p b2 dongfei/httpd:v0.2
# docker run --name b4 -d dongfei/httpd:v0.2   # -d, because httpd -f stays in the foreground
# docker inspect b4 | grep IPAddress
# curl http://172.17.0.5/
3) Pushing the image to Docker Hub
# docker login -u dongfeimg
# docker tag dongfei/httpd:v0.1-1 dongfeimg/httpd:v0.1   # the pushed name must start with the Hub account name
# docker push dongfeimg/httpd:v0.1
4) Pushing the image to the Aliyun registry
# docker login --username=xxxx@xxx.com registry.cn-beijing.aliyuncs.com
# docker tag dongfeimg/httpd:v0.1 registry.cn-beijing.aliyuncs.com/dongfeimg/httpd:v0.1
# docker push registry.cn-beijing.aliyuncs.com/dongfeimg/httpd:v0.1
5) Saving and loading images
# docker save -o myimages.tar dongfei/httpd:v0.1-1 dongfei/httpd:v0.2   # docker save writes a tar archive, not a gzip file
# docker load -i myimages.tar
5. Docker networking
- OVS: Open vSwitch
- Overlay network
# docker network ls
NETWORK ID     NAME     DRIVER    SCOPE
eb6d42cfdd58   bridge   bridge    local
b21811ec07ff   host     host      local
10ea20daaeb9   none     null      local
Four network models
- Host-only
- NAT
- Bridged
- Tunnel: IP packets encapsulated in IP, e.g. an overlay network
# yum install bridge-utils
# brctl show
bridge name   bridge id           STP enabled   interfaces
docker0       8000.0242d1a3e859   no            veth605c425
                                                veth62c6501
                                                vethd7e0b6c
# ip link show   # list network interfaces
Docker network types
- bridge: the container is attached to the docker0 bridge
- host: the container uses the host's network namespace
- none: the container only gets a loopback interface and no connectivity to the outside
# docker network inspect bridge
Network namespaces (the ip command is provided by the iproute package)
# ip netns add r1   # create a network namespace
# ip netns add r2
# ip netns list   # list network namespaces
# ip netns exec r1 ip link show   # list interfaces inside the namespace (ifconfig -a also works if net-tools is installed)
# ip link add name veth1.1 type veth peer name veth1.2   # create a veth pair
# ip link show
# ip link set veth1.2 netns r1   # move veth1.2 into namespace r1
# ip netns exec r1 ip link set dev veth1.2 name eth0   # rename veth1.2 to eth0 inside r1
# ip netns exec r1 ip link show
# ip addr add 10.0.0.1/24 dev veth1.1 && ip link set veth1.1 up
# ip netns exec r1 ip addr add 10.0.0.2/24 dev eth0 && ip netns exec r1 ip link set eth0 up
# ping 10.0.0.2
# ip link set dev veth1.1 netns r2   # move the host end into r2; its address is dropped and the host can no longer reach 10.0.0.2
# ip netns exec r2 ip addr add 10.0.0.3/24 dev veth1.1 && ip netns exec r2 ip link set veth1.1 up
# ip netns exec r2 ping 10.0.0.2
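The same veth/namespace procedure as a re-runnable script, added to these notes as an example rather than taken from them. It keeps the notes' names (r1, r2, veth1.1/veth1.2, 10.0.0.0/24) and uses only iproute2; the capability probe, the cleanup and the two isolation checks are additions. It needs root with CAP_NET_ADMIN and skips itself otherwise.

```shell
#!/bin/sh
# Added example (not part of the original notes): link two network namespaces with a
# veth pair and verify that neither end remains visible from the host namespace.
# Assumes root + CAP_NET_ADMIN and iproute2; `ping` is optional.

# Probe: can this process create network namespaces at all?
netns_available() {
    [ "$(id -u)" -eq 0 ] || return 1
    command -v ip >/dev/null 2>&1 || return 1
    ip netns add gr_probe 2>/dev/null || return 1
    ip netns del gr_probe
}

# Remove anything a previous (possibly half-finished) run left behind.
cleanup() {
    ip netns del r1 2>/dev/null || true
    ip netns del r2 2>/dev/null || true
    ip link del veth1.1 2>/dev/null || true
}

# host -- veth1.1 | veth1.2 -- r1, then move veth1.1 into r2 so the pair joins the two
# namespaces directly and the host no longer holds either end.
setup_pair() {
    cleanup
    ip netns add r1
    ip netns add r2
    ip link add name veth1.1 type veth peer name veth1.2
    ip link set veth1.2 netns r1
    ip netns exec r1 ip link set dev veth1.2 name eth0
    ip netns exec r1 ip addr add 10.0.0.2/24 dev eth0
    ip netns exec r1 ip link set lo up
    ip netns exec r1 ip link set eth0 up
    ip link set dev veth1.1 netns r2
    ip netns exec r2 ip addr add 10.0.0.3/24 dev veth1.1
    ip netns exec r2 ip link set lo up
    ip netns exec r2 ip link set veth1.1 up
}

# Neither veth end may be visible from the host (root) namespace any more.
host_isolated() {
    ! ip link show veth1.1 >/dev/null 2>&1 && ! ip link show veth1.2 >/dev/null 2>&1
}

# r1 must see its renamed interface.
r1_has_eth0() {
    ip netns exec r1 ip -o link show eth0 2>/dev/null | grep -q eth0
}

# r2 reaches r1 over the pair (skipped when ping is not installed).
pair_reachable() {
    command -v ping >/dev/null 2>&1 || return 0
    ip netns exec r2 ping -c 1 -W 1 10.0.0.2 >/dev/null 2>&1
}

if netns_available; then
    setup_pair && echo "veth pair now links r1 <-> r2"
    r1_has_eth0 && echo "r1 sees eth0"
    host_isolated && echo "neither veth end is visible from the host namespace"
    pair_reachable && echo "r2 can reach 10.0.0.2 in r1"
    cleanup
else
    echo "skipping: needs root with CAP_NET_ADMIN"
fi
```

Once veth1.1 has been moved into r2 the host has no interface on 10.0.0.0/24 at all, which is exactly the property Docker relies on for --network none and for per-container bridges: a process in the namespace can only talk to what has been deliberately plumbed into it.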
Docker and network namespaces
# docker run --name t1 -it --rm busybox:latest
# docker run --name t1 -it --network bridge --rm busybox:latest
# docker run --name t1 -it --network none --rm busybox:latest
# docker run --name t1 -it --network none -h t1.dongfei.tech --rm busybox:latest
# docker run --name t1 -it --network none -h t1.dongfei.tech --dns 114.114.114.114 --rm busybox:latest
# docker run --name t1 -it --network none -h t1.dongfei.tech --dns 114.114.114.114 --add-host www.dongfei.tech:1.1.1.1 --rm busybox:latest
(-h sets /etc/hostname, --dns writes /etc/resolv.conf and --add-host appends to /etc/hosts inside the container; with --network none there is no interface over which the DNS server could actually be reached.)
Publishing container ports on the host
# docker run --name t1 -it --network bridge -p 80 --rm dongfeimg/httpd:v0.1               # container port 80 on a random host port, on all host addresses
# docker run --name t2 -it --network bridge -p 192.168.0.8::80 --rm dongfeimg/httpd:v0.1  # random host port, bound to 192.168.0.8 only
# docker run --name t3 -it --network bridge -p 80:80 --rm dongfeimg/httpd:v0.1            # host port 80 on all host addresses
# docker port t3
A published port binds to 0.0.0.0 unless a host IP is given, and the daemon implements it with DNAT rules in its own iptables chains, so the host's INPUT-chain rules (firewalld, ufw) do not cover it; bind to 127.0.0.1 or a management address for ports that are not meant to be public.
Containers sharing a network namespace
# docker run --name by1 -it busybox
# docker run --name by2 --network container:by1 -it --rm busybox   # by2 shares by1's interfaces, IP address and ports, lo included
Using the host's network namespace
# docker run --name nginx --network host -it --rm nginx   # no network isolation at all: the container can bind any host address and, given the capability, sniff host traffic
Changing the docker0 bridge configuration
# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://l41p0ay6.mirror.aliyuncs.com"],
  "bip": "10.0.0.1/16"
}
# systemctl restart docker
Making the docker daemon listen on a TCP port
# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://l41p0ay6.mirror.aliyuncs.com"],
  "bip": "10.0.0.1/16",
  "hosts": ["tcp://0.0.0.0:2375","unix:///var/run/docker.sock"]
}
# systemctl restart docker
# docker -H 192.168.0.8:2375 image ls
Warning: this configuration exposes the Docker API with no authentication at all. The API is equivalent to root on the host (docker run -v /:/host --privileged ... against it is enough), so tcp://0.0.0.0:2375 on a reachable interface hands the machine to anyone on that network; open 2375 ports are scanned continuously and used to deploy cryptominers and worms. Use it only on an isolated lab network, or set "tlsverify": true together with "tlscacert", "tlscert" and "tlskey" (conventionally on port 2376) so that only holders of a client certificate issued by your own CA can connect.
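A quick audit of the daemon.json above, added here as an example and not part of the original notes. It is grep-based rather than a JSON parser, so it only spots the keys as they are written in these files; the key names (hosts, tlsverify, tlscacert, tlscert, tlskey, insecure-registries) are real dockerd options, while the two sample files and the certificate paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): flag a Docker daemon.json that exposes the
# API over TCP without client-certificate authentication. Sample files are constructed here.

# audit_daemon_json FILE: prints findings; returns 1 when an unauthenticated TCP listener is configured
audit_daemon_json() {
    _f="$1"
    _rc=0
    if grep -Eq '"tcp://' "$_f"; then
        # TLS client auth needs tlsverify plus the CA, server cert and key
        if grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true' "$_f" &&
           grep -q '"tlscacert"' "$_f" && grep -q '"tlscert"' "$_f" && grep -q '"tlskey"' "$_f"; then
            echo "OK   $_f: TCP listener requires a client certificate"
        else
            echo "FAIL $_f: TCP listener without tlsverify (unauthenticated root on the host)"
            _rc=1
        fi
        if grep -Eq '"tcp://0\.0\.0\.0:' "$_f"; then
            echo "WARN $_f: listener bound to every interface; bind it to a management address"
        fi
        if grep -Eq '"tcp://[^"]*:2375"' "$_f"; then
            echo "WARN $_f: 2375 is the conventional plaintext port; TLS listeners use 2376"
        fi
    fi
    if grep -q '"insecure-registries"' "$_f"; then
        echo "WARN $_f: insecure-registries disables TLS verification for those registries"
    fi
    return $_rc
}

# Constructed samples: the weak one mirrors the notes, the hardened one is the TLS variant.
tmpdir=$(mktemp -d)
cat > "$tmpdir/weak.json" <<'EOF'
{
  "bip": "10.0.0.1/16",
  "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
}
EOF
cat > "$tmpdir/hardened.json" <<'EOF'
{
  "bip": "10.0.0.1/16",
  "hosts": ["tcp://192.168.0.8:2376", "unix:///var/run/docker.sock"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
EOF

audit_daemon_json "$tmpdir/weak.json" || echo "-> weak.json rejected"
audit_daemon_json "$tmpdir/hardened.json" && echo "-> hardened.json accepted"
```

One deployment caveat: on docker-ce packages whose systemd unit already passes -H fd:// on ExecStart, a "hosts" key in daemon.json makes dockerd refuse to start ("specified both as a flag and in the configuration file"); in that case put the listener in a systemd drop-in that overrides ExecStart instead.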
Creating a Docker bridge
# docker network create -d bridge --subnet "172.20.0.0/16" --gateway "172.20.0.1" mybr0
# ip link set br-d02527a671f3 down   # br-<first 12 characters of the network ID shown by docker network ls>
# ip link set dev br-d02527a671f3 name docker1
Renaming the interface underneath Docker like this leaves the daemon still expecting br-<id>; the clean way to get a named bridge is -o com.docker.network.bridge.name=docker1 on docker network create.
6. Docker images and volumes
A Docker image consists of several read-only layers stacked on one another; when a container starts, Docker loads the read-only layers and adds a writable layer on top of the stack.
When a running container modifies an existing file, that file is copied from the read-only layer below into the writable layer; the read-only version still exists but is hidden by the copy in the writable layer. This is the copy-on-write (COW) mechanism.
- volume: one or more directories in the container that bypass the union filesystem and are bound to a directory on the host
- Using volumes in a container
A volume managed by the docker daemon
# docker run --name b5 -it -v /data busybox
# docker inspect b5 | grep Source
A bind mount to an explicit host path
# docker run --name b6 -it -v /data/volumes/b6:/data busybox
# docker inspect -f '{{.Mounts}}' b6
A bind mount gives the container's processes the same access to that host directory that root on the host has, writes included; mount read-only (-v /data/volumes/b6:/data:ro) unless the container has to write, and never bind-mount /var/run/docker.sock or / into a container you do not fully trust.
- Reusing another container's volume configuration
# docker run -it --name b7 --volumes-from b6 busybox
7. Dockerfile
# mkdir img1
# cd img1/
img1]# vim Dockerfile
# Description: test image
FROM busybox:latest
LABEL maintainer="Dongfei <652117746@qq.com>"
COPY index.html /data/web/html/
img1]# vim index.html
this is a test page.
img1]# docker build -t tinyhttpd:v0.1 ./
# docker run --name tinyweb1 --rm tinyhttpd:v0.1 cat /data/web/html/index.html
this is a test page.
- COPY
# Description: test image
FROM busybox:latest
LABEL maintainer="Dongfei <652117746@qq.com>"
COPY index.html /data/web/html/
COPY yum.repos.d /etc/yum.repos.d/
- ADD
ADD http://nginx.org/download/nginx-1.15.5.tar.gz /usr/local/src/
# docker build -t tinyhttpd:v0.3 ./
With ADD, a local archive is extracted into the image, while a URL is downloaded into the image as a file (a remote archive is not extracted). A URL fetched by ADD, here over plain http, gets no integrity check of any kind: download it with RUN and verify a checksum, or fetch it on the build host and COPY it in.
img1]# wget http://nginx.org/download/nginx-1.15.5.tar.gz
img1]# vim Dockerfile
# Description: test image
FROM busybox:latest
LABEL maintainer="Dongfei <652117746@qq.com>"
COPY index.html /data/web/html/
COPY yum.repos.d /etc/yum.repos.d/
WORKDIR /usr/local/src/
ADD nginx-1.15.5.tar.gz ./
img1]# docker build -t tinyhttpd:v0.4 ./
# docker run --rm tinyhttpd:v0.4 ls /usr/local/src/nginx-1.15.5/
- VOLUME
VOLUME /data/mysql/
- EXPOSE
EXPOSE 80/tcp
# docker run -P --name tinyweb1 --rm tinyhttpd:v0.6 /bin/httpd -f -h /data/web/html   # -P publishes every EXPOSEd port on a random host port
- ENV
ENV DOC_ROOT=/data/web/html/ \
    WEB_SERVER_PACKAGE="nginx-1.15.5"
- RUN: executed during docker build
WORKDIR /usr/local/src/
ADD http://nginx.org/download/nginx-1.15.5.tar.gz ./
RUN cd /usr/local/src && \
    tar -xf nginx-1.15.5.tar.gz
- CMD: the default command when the image is started as a container
FROM busybox
LABEL maintainer="Dongfei <652117746@qq.com>" app="httpd"
ENV WEB_DOC_ROOT="/data/web/html/"
RUN mkdir -p ${WEB_DOC_ROOT} && \
    echo '<h1>Busybox httpd server.</h1>' > ${WEB_DOC_ROOT}/index.html
CMD /bin/httpd -f -h ${WEB_DOC_ROOT}
The shell form above is run through /bin/sh -c, which is what expands ${WEB_DOC_ROOT}. The exec form has to spell the shell out, and the whole command line is then one quoted element:
CMD ["/bin/sh","-c","/bin/httpd -f -h /data/web/html"]
- ENTRYPOINT
ENTRYPOINT /bin/httpd -f -h ${WEB_DOC_ROOT}
- Building an nginx image
img3]# vim entrypoint.sh
#!/bin/sh
cat > /etc/nginx/conf.d/www.conf << EOF
server {
    server_name $HOSTNAME;
    listen ${IP:-0.0.0.0}:${PORT:-80};
    root ${NGX_DOC_ROOT:-/usr/share/nginx/html};
}
EOF
exec "$@"
img3]# chmod +x entrypoint.sh   # ADD/COPY keep the source file's mode, so make it executable before building
img3]# vim Dockerfile
FROM nginx:1.14-alpine
LABEL maintainer="Dongfei <652117746@qq.com>"
ENV NGX_DOC_ROOT='/data/web/html'
ADD index.html ${NGX_DOC_ROOT}/
ADD entrypoint.sh /bin/
CMD ["/usr/sbin/nginx","-g","daemon off;"]
ENTRYPOINT ["/bin/entrypoint.sh"]
(The trailing slash on ${NGX_DOC_ROOT}/ matters: without it ADD writes index.html to a file named /data/web/html and nginx's root then points at a file. The -g directive also needs its terminating semicolon.)
- USER: the user the container's processes run as. Every image built above runs as root by default; add a non-root USER before CMD/ENTRYPOINT unless root is genuinely required.
- HEALTHCHECK
HEALTHCHECK --start-period=3s CMD wget -O - -q http://${IP:-0.0.0.0}:${PORT:-80}/
- ARG
- ONBUILD
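The checks a reviewer applies to the Dockerfiles above, written as a small POSIX sh/awk linter. This is an added example, not from the notes: it flags an unpinned or :latest base image, ADD from a URL, a download piped into a shell, and a missing USER, and warns on ADD-for-COPY and a missing HEALTHCHECK. The two Dockerfiles it runs on are constructed here: the weak one mirrors the ADD-from-URL build above, the hardened one is a non-root variant of the nginx image (port 8080 because the image's nginx user cannot bind 80; the conf.d and pid paths would also have to be made writable for that user, which is left out as it does not affect the lint).

```shell
#!/bin/sh
# Added example (not part of the original notes): lint a Dockerfile for the supply-chain and
# runtime-security points discussed above. Sample Dockerfiles below are constructed.

# lint_dockerfile FILE: prints FAIL/WARN lines; returns 1 if any FAIL was found
lint_dockerfile() {
    awk '
        BEGIN { rc = 0; user = 0; health = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }        # skip comments and blank lines
        {
            ins = toupper($1)                                 # instruction keyword
            if (ins == "FROM") {
                img = $2
                n = split(img, part, "/")
                ref = part[n]                                 # "name:tag", "name@sha256:..." or bare "name"
                # a digest is pinned; a tag other than latest is the weaker fallback
                if (img !~ /@sha256:/ && (ref !~ /:/ || ref ~ /:latest$/)) {
                    print "FAIL " FILENAME ":" NR ": base image not pinned (" img ")"; rc = 1
                }
            } else if (ins == "ADD") {
                if ($2 ~ /^https?:/) {
                    print "FAIL " FILENAME ":" NR ": ADD from a URL is fetched with no integrity check"; rc = 1
                } else {
                    print "WARN " FILENAME ":" NR ": ADD auto-extracts archives; prefer COPY unless that is wanted"
                }
            } else if (ins == "RUN" && $0 ~ /(curl|wget)[^|]*\|[[:space:]]*(ba)?sh/) {
                print "FAIL " FILENAME ":" NR ": download piped straight into a shell"; rc = 1
            } else if (ins == "USER") {
                user = 1
            } else if (ins == "HEALTHCHECK") {
                health = 1
            }
        }
        END {
            if (!user)   { print "FAIL " FILENAME ": no USER instruction, processes run as root"; rc = 1 }
            if (!health) { print "WARN " FILENAME ": no HEALTHCHECK" }
            exit rc
        }
    ' "$1"
}

# Constructed samples. Dockerfile.weak mirrors the ADD-from-URL build in the notes.
tmpdir=$(mktemp -d)
cat > "$tmpdir/Dockerfile.weak" <<'EOF'
# Description: test image
FROM busybox:latest
LABEL maintainer="Dongfei <652117746@qq.com>"
WORKDIR /usr/local/src/
ADD http://nginx.org/download/nginx-1.15.5.tar.gz ./
CMD ["/bin/httpd","-f","-h","/data/web/html"]
EOF
cat > "$tmpdir/Dockerfile.hardened" <<'EOF'
FROM nginx:1.14-alpine
LABEL maintainer="Dongfei <652117746@qq.com>"
ENV NGX_DOC_ROOT='/data/web/html' PORT=8080
COPY index.html ${NGX_DOC_ROOT}/
COPY entrypoint.sh /bin/
USER nginx
EXPOSE 8080/tcp
HEALTHCHECK --start-period=3s CMD wget -O - -q http://127.0.0.1:${PORT}/
ENTRYPOINT ["/bin/entrypoint.sh"]
CMD ["/usr/sbin/nginx","-g","daemon off;"]
EOF

lint_dockerfile "$tmpdir/Dockerfile.weak" || echo "-> Dockerfile.weak rejected"
lint_dockerfile "$tmpdir/Dockerfile.hardened" && echo "-> Dockerfile.hardened accepted"
```

The weak file fails three ways (latest tag, ADD from a URL, no USER); the hardened one passes with a tagged base, COPY only, and a non-root USER. Pinning by digest (name@sha256:...) is stronger than a tag and is what the linter treats as fully pinned.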
8. Docker Registry
- Sponsor registry: a third-party registry for customers and the Docker community
- Mirror registry: a third-party registry for customers only
- Vendor registry: a registry run by the vendor that publishes the images
- Private registry: a registry run by a private entity behind a firewall and additional security layers
1) Deploying docker-distribution
(1) Install
# yum install docker-distribution   # the CentOS 7 extras package that provides the config file and service used below
(2) Configure
# vim /etc/docker-distribution/registry/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    layerinfo: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
(3) Start the service
# systemctl start docker-distribution
(4) Mark the registry as non-HTTPS on each client
# vim /etc/docker/daemon.json
{
  "insecure-registries": ["node01.dongfei.tech:5000"]
}
# systemctl restart docker
As configured, this registry has neither TLS nor authentication: anyone who can reach port 5000 can pull every image and push a replacement for any tag, and clients that list it under insecure-registries will accept that replacement without complaint. Acceptable on an isolated lab network only; otherwise give the registry a certificate (the http.tls section of config.yml) and an auth backend, or use Harbor.
(5) Push an image
# docker tag myweb:v0.3 node01.dongfei.tech:5000/myweb:v0.3
# docker push node01.dongfei.tech:5000/myweb:v0.3
2) Installing and using Harbor
(1) Download
# wget https://storage.googleapis.com/harbor-releases/release-1.4.0/harbor-offline-installer-v1.4.0.tgz
(2) Install
# yum install docker-compose -y   # from EPEL
# tar xf harbor-offline-installer-v1.4.0.tgz -C /usr/local/
# cd /usr/local/harbor
# vim harbor.cfg
hostname = node01.dongfei.tech
harbor_admin_password = Harbor12345
db_password = root123
# ./install.sh
Open http://192.168.0.8 and log in as admin / Harbor12345. Harbor12345 is the documented default admin password: change it and db_password before anyone else can reach the instance, and set ui_url_protocol = https with a certificate in harbor.cfg rather than sending logins over plain HTTP.
9. Resource limits
- Memory limits
  -m or --memory=
  --memory-swap
  (If --memory is set and --memory-swap is not, the container may additionally use swap up to the memory limit, i.e. twice --memory in total; set --memory-swap equal to --memory to forbid swap.)
- CPU limits
  --cpu-shares: proportional weight, only enforced while CPUs are contended
  --cpus: how many CPUs' worth of time
  --cpuset-cpus: which CPUs
Without limits a single container can exhaust host memory or CPU, so these flags are a denial-of-service boundary between containers as much as a scheduling tool.
Stress testing
# docker pull lorel/docker-stress-ng
# docker run --name stress -it --rm -m 256m lorel/docker-stress-ng stress --vm 2
# docker top stress
# docker stats
# docker run --name stress -it --rm --cpus 2 lorel/docker-stress-ng stress --cpu 8
# docker run --name stress -it --rm --cpuset-cpus 0,2 lorel/docker-stress-ng stress --cpu 8
# docker run --name stress -it --rm --cpu-shares 1024 lorel/docker-stress-ng stress --cpu 8
# docker run --name stress2 -it --rm --cpu-shares 512 lorel/docker-stress-ng stress --cpu 8
Thanks for reading!