FW: Docker usage issues summary; working around gcr.io being unreachable from China

    Docker usage issues summary

    Working around gcr.io being unreachable from China


    From within China the images can be downloaded via https://dashboard.daocloud.io.

    For example, for gcr.io/google_containers/pause you can run

    dao pull google/pause

    and then

    docker tag google/pause gcr.io/google_containers/pause
    docker tag google/pause gcr.io/google_containers/pause:0.8.0

    'device or resource busy' error after restarting the Docker daemon

    This is a Docker bug.

    The workaround is to first find the paths that were never unmounted:

    cat /proc/mounts | grep "mapper/docker" | awk '{print $2}'

    and then unmount them one by one.
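    The lookup and the one-by-one unmount, as an added example that is not part of the original post: it reads the same /proc/mounts format, releases nested mounts before their parents, and with DRY_RUN=1 only reports what it would unmount (the sample mounts table is constructed, not captured from a real host).

```shell
#!/bin/sh
# Added example, not from the original post: list the device-mapper mounts that Docker
# left behind and release them one by one, deepest path first, instead of piping the
# grep output blindly into umount. DRY_RUN=1 only prints what would be unmounted.

# Constructed sample of /proc/mounts content (not from a real host) for the dry run.
sample_mounts() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/mapper/docker-253:0-1234-abc /var/lib/docker/devicemapper/mnt/abc ext4 rw,relatime 0 0
/dev/mapper/docker-253:0-1234-def /var/lib/docker/devicemapper/mnt/def ext4 rw,relatime 0 0
/dev/mapper/docker-253:0-1234-def /var/lib/docker/devicemapper/mnt/def/rootfs ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0
EOF
}

# Print the mount points of docker device-mapper mounts from $1 (default /proc/mounts,
# "-" means stdin). Reverse lexical order puts a nested mount before its parent.
list_docker_mounts() {
    awk '$1 ~ /mapper\/docker/ { print $2 }' "${1:-/proc/mounts}" | sort -r
}

# Unmount each leftover path; keep going on failure so one busy mount does not stop the rest.
unmount_docker_leftovers() {
    list_docker_mounts "$1" | while IFS= read -r mnt; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would umount $mnt"
        else
            umount "$mnt" || echo "failed to umount $mnt" >&2
        fi
    done
}
```

    On a real host run `unmount_docker_leftovers /proc/mounts` as root after stopping the daemon; `sample_mounts | DRY_RUN=1 unmount_docker_leftovers -` shows the order on the constructed data.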

    1. Docker reports "Error response from daemon: Error running DeviceCreate (createSnapDevice) dm_task_run failed"
    Solution:
    # systemctl stop docker.service
    # thin_check /var/lib/docker/devicemapper/devicemapper/metadata

    If there were no errors then proceed with:

    # thin_check --clear-needs-check-flag /var/lib/docker/devicemapper/devicemapper/metadata
    # systemctl start docker.service

    If there were errors, you are on your own, but 'man thin_check' and 'man thin_repair' may be helpful...

    ========================================================

    2. The iptables rules Docker adds by default (adjust the IP-related parts to your own setup):

    Docker nat table part:

    docker0IP=`ifconfig docker0 |grep 'inet' | cut -d ' ' -f 10`
    iptables -A POSTROUTING -t nat -s $docker0IP/30 ! -o docker0 -j MASQUERADE

    DockerChain="DOCKER" 
    iptables -t nat -nL $DockerChain
    if [ "x$?" != "x0" ] ; then
    iptables -t nat -N $DockerChain
    fi
    iptables -A PREROUTING -m addrtype --dst-type LOCAL -t nat -j $DockerChain
    iptables -A OUTPUT -m addrtype --dst-type LOCAL -t nat -j $DockerChain ! --dst 127.0.0.0/8

    Reference code:
    https://github.com/docker/docker/blob/2ad81da856c123acf91eeff7ab607376bd27d9ba/vendor/src/github.com/docker/libnetwork/drivers/bridge/setup_ip_tables.go
    https://github.com/docker/docker/blob/2ad81da856c123acf91eeff7ab607376bd27d9ba/vendor/src/github.com/docker/libnetwork/iptables/iptables.go

    =========================================================

    3. Docker reports an error like "chown socket at step GROUP: No such process" and fails to start:

    # journalctl -xn
    -- Logs begin at Tue 2014-12-30 13:07:53 EST, end at Tue 2014-12-30 13:25:23 EST. --
    Dec 30 13:12:30 ITX kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
    Dec 30 13:22:53 ITX systemd[1]: Starting Cleanup of Temporary Directories...
    -- Subject: Unit systemd-tmpfiles-clean.service has begun with start-up
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit systemd-tmpfiles-clean.service has begun starting up.
    Dec 30 13:22:53 ITX systemd[1]: Started Cleanup of Temporary Directories.
    -- Subject: Unit systemd-tmpfiles-clean.service has finished start-up
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit systemd-tmpfiles-clean.service has finished starting up.
    --
    -- The start-up result is done.
    Dec 30 13:25:23 ITX systemd[1]: Starting Docker Socket for the API.
    -- Subject: Unit docker.socket has begun with start-up
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit docker.socket has begun starting up.
    Dec 30 13:25:23 ITX systemd[1868]: Failed to chown socket at step GROUP: No such process
    Dec 30 13:25:23 ITX systemd[1]: docker.socket control process exited, code=exited status=216
    Dec 30 13:25:23 ITX systemd[1]: Failed to listen on Docker Socket for the API.
    -- Subject: Unit docker.socket has failed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit docker.socket has failed.
    --
    -- The result is failed.
    Dec 30 13:25:23 ITX systemd[1]: Dependency failed for Docker Application Container Engine.
    -- Subject: Unit docker.service has failed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit docker.service has failed.
    --
    -- The result is dependency.
    Dec 30 13:25:23 ITX systemd[1]: Unit docker.socket entered failed state.

    Solution:

    Method 1. Add the docker group (groupadd docker; if /etc/group is managed centrally, remember to add the docker group to the source group file as well)

    Method 2. Edit /usr/lib/systemd/system/docker.socket:

    [Unit]
    Description=Docker Socket for the API
    PartOf=docker.service

    [Socket]
    ListenStream=/var/run/docker.sock
    SocketMode=0660
    SocketUser=root
    SocketGroup=docker    # change this to SocketGroup=root or another group that exists

    [Install]
    WantedBy=sockets.target

    The following steps are optional:

    systemctl enable docker.service && systemctl enable docker.socket:

    # systemctl list-unit-files | grep docker
    docker.service disabled
    docker.socket disabled

    # chkconfig docker on   # if chkconfig is not available, run: systemctl enable docker.service
    Note: Forwarding request to 'systemctl enable docker.service'.
    ln -s '/usr/lib/systemd/system/docker.service' '/etc/systemd/system/multi-user.target.wants/docker.service'

    # systemctl list-unit-files|grep docker
    docker.service enabled
    docker.socket disabled

    # systemctl enable docker.socket
    ln -s '/usr/lib/systemd/system/docker.socket' '/etc/systemd/system/sockets.target.wants/docker.socket'

    # systemctl list-unit-files|grep docker
    docker.service enabled
    docker.socket enabled

    Reference links:

    http://www.milliondollarserver.com/?cat=7

    http://www.milliondollarserver.com/?p=622

    ===============================================================

    4. When only one container is running on the host, deleting it sometimes causes a momentary network outage on the host

    Solution:

    1. Edit /etc/sysconfig/ntpd and add the "-L" option, e.g.

    cat /etc/sysconfig/ntpd

    # Command line options for ntpd

    OPTIONS="-g -L"

    2. Restart the ntpd service: systemctl restart ntpd

    Reference link:

    https://access.redhat.com/solutions/261123

    ========================================================

    5. A private registry built on Docker 1.6+ following the official documentation, but docker login fails with:

    Username: ever
    Password:
    Email:
    Error response from daemon: Unexpected status code [404] : <html>
    <head><title>404 Not Found</title></head>
    <body bgcolor="white">
    <center><h1>404 Not Found</h1></center>
    <hr><center>nginx/1.6.3</center>
    </body>
    </html>

    Solution: in short, Docker 1.6+ needs registry 2.0, plus one extra nginx configuration item; the official documentation for that item is wrong: it should use more_set_headers, whereas the docs use add_header.

    For the official v1 to v2 image migration tool see https://github.com/docker/migrator; recommended book: Zhejiang University's 《Docker 容器与容器云》 (Docker Containers and Container Cloud).

    ======================================================== 

    6. Registry-side access log of a docker 1.8 pull:

    127.0.0.1 - - [16/Oct/2015:10:08:52 +0000] "GET /v2/ HTTP/1.1" 401 194 "-" "docker/1.8.3 go/go1.4.2 git-commit/f4bf5c7 kernel/4.2.0-1.el7.elrepo.x86_64 os/linux arch/amd64" "-"
    127.0.0.1 - - [16/Oct/2015:10:08:52 +0000] "GET /v1/_ping HTTP/1.1" 404 168 "-" "docker/1.8.3 go/go1.4.2 git-commit/f4bf5c7 kernel/4.2.0-1.el7.elrepo.x86_64 os/linux arch/amd64" "-"
    127.0.0.1 - - [16/Oct/2015:10:08:52 +0000] "POST /v1/users/ HTTP/1.1" 404 168 "-" "docker/1.8.3 go/go1.4.2 git-commit/f4bf5c7 kernel/4.2.0-1.el7.elrepo.x86_64 os/linux arch/amd64" "-"

    Docker should have used the v2 API, but went on to request the v1 endpoints instead.

    Solution: Docker and the registry negotiate the API version through an HTTP header.
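    A detection script for items 5 and 6, as an added example that is not part of the original post: it scans access-log lines in the format quoted above for clients that got a 401 on /v2/ and then fell back to /v1/, and it checks whether a registry answers /v2/ with the Docker-Distribution-Api-Version header (value registry/2.0) that Docker uses to choose the v2 API; nginx's add_header is skipped on error responses such as that 401 unless the always parameter is given, which is why the header never reaches the client with the documented configuration. The log path default and the use of curl are assumptions; the sample log is constructed from the lines above plus one well-behaved client.

```shell
#!/bin/sh
# Added example, not from the original post: spot clients that probed /v2/ and then fell
# back to the v1 endpoints, which is what the access log above shows when the registry
# does not advertise its API version. Assumes nginx combined log format: the request path
# is field 7 and the status code field 9.

# Constructed log sample: the three lines from the post (user agent shortened) plus a
# second client that completed the v2 challenge and never touched v1.
sample_access_log() {
    cat <<'EOF'
127.0.0.1 - - [16/Oct/2015:10:08:52 +0000] "GET /v2/ HTTP/1.1" 401 194 "-" "docker/1.8.3 go/go1.4.2" "-"
127.0.0.1 - - [16/Oct/2015:10:08:52 +0000] "GET /v1/_ping HTTP/1.1" 404 168 "-" "docker/1.8.3 go/go1.4.2" "-"
127.0.0.1 - - [16/Oct/2015:10:08:52 +0000] "POST /v1/users/ HTTP/1.1" 404 168 "-" "docker/1.8.3 go/go1.4.2" "-"
10.0.0.9 - - [16/Oct/2015:10:09:01 +0000] "GET /v2/ HTTP/1.1" 401 194 "-" "docker/1.8.3 go/go1.4.2" "-"
10.0.0.9 - - [16/Oct/2015:10:09:01 +0000] "GET /v2/ HTTP/1.1" 200 2 "-" "docker/1.8.3 go/go1.4.2" "-"
EOF
}

# Print each client IP that received 401 on GET /v2/ and afterwards requested a /v1/ path.
# Reads the log from $1 (assumed default /var/log/nginx/access.log); "-" means stdin.
v1_fallback_clients() {
    awk '
        $7 == "/v2/" && $9 == 401 { probed[$1] = 1 }
        $7 ~ /^\/v1\// && probed[$1] && !reported[$1] { reported[$1] = 1; print $1 }
    ' "${1:-/var/log/nginx/access.log}"
}

# Ask the registry (or the nginx in front of it) for /v2/ and report whether the version
# header is present on the reply, whatever its status code. Assumes curl is installed.
check_v2_header() {
    hdr=$(curl -sSI "$1/v2/" | grep -i '^Docker-Distribution-Api-Version:')
    if [ -n "$hdr" ]; then
        echo "$hdr"
    else
        echo "WARNING: no Docker-Distribution-Api-Version header from $1" >&2
        return 1
    fi
}
```

    `sample_access_log | v1_fallback_clients -` lists only 127.0.0.1; run `check_v2_header https://registry.example` against your own registry to confirm the header is sent on the 401 challenge.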

     ========================================================

    7. After a container restart, or a restart of the host's iptables service, the container no longer receives UDP packets (Failed to receive UDP traffic):

    Cause: while the container or the host's iptables service is restarting, there is a moment when the NAT rules for the Docker service are gone, so the host answers with a port unreachable error (e.g. 8888 port unreachable). That reply updates the ip_conntrack table cache to an entry like this:

    ipv4     2 udp      17 29 src=xx.xx.xx.xx dst=xx.xx.xx.xx sport=xxxx dport=xxxx [UNREPLIED] src=xx.xx.xx.xx dst=xx.xx.xx.xx sport=xxxx dport=xxxx mark=0 zone=0 use=2 

    As a result, once iptables is back up, incoming packets are still handled according to the existing conntrack cache and are not forwarded into the Docker container.

    Solution: clear the conntrack cache (conntrack-tools can be used: conntrack -F)

    Related link: https://github.com/docker/docker/issues/8795 (clearing conntrack)
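    A more surgical version of the cleanup, as an added example that is not part of the original post: it parses conntrack-table lines in the format quoted above to confirm which entries are stale, then deletes only the unreplied UDP entries for the affected port rather than flushing the whole table. It assumes conntrack-tools is installed (--orig-port-dst is the conntrack(8) selector for the original-direction destination port); the sample table is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: instead of flushing the whole conntrack table
# (conntrack -F), find the stale [UNREPLIED] UDP entries for one service port and delete
# only those. Assumes conntrack-tools is installed; DRY_RUN=1 only prints the command.

# Constructed sample in /proc/net/nf_conntrack format (not captured from a real host).
sample_conntrack() {
    cat <<'EOF'
ipv4     2 udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=40000 dport=8888 [UNREPLIED] src=10.0.0.1 dst=10.0.0.5 sport=8888 dport=40000 mark=0 zone=0 use=2
ipv4     2 udp      17 170 src=10.0.0.6 dst=10.0.0.1 sport=40001 dport=8888 src=172.17.0.2 dst=10.0.0.6 sport=8888 dport=40001 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 12 src=10.0.0.7 dst=10.0.0.1 sport=40002 dport=9999 [UNREPLIED] src=10.0.0.1 dst=10.0.0.7 sport=9999 dport=40002 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.8 dst=10.0.0.1 sport=50000 dport=8888 src=172.17.0.2 dst=10.0.0.8 sport=8888 dport=50000 [ASSURED] mark=0 zone=0 use=2
EOF
}

# Print the UDP entries whose original-direction dport is $1 and that never saw a reply.
# Reads the table from $2 (default /proc/net/nf_conntrack); "-" means stdin.
stale_udp_entries() {
    awk -v port="$1" '
        $3 == "udp" && /\[UNREPLIED\]/ {
            # the first dport= field belongs to the original tuple, the second to the reply
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dport=/) { if ($i == ("dport=" port)) print; break }
        }' "${2:-/proc/net/nf_conntrack}"
}

# Delete the stale entries for port $1 so the next datagram creates a fresh entry that
# follows the restored DOCKER nat rules; $2 is the table file for the check (as above).
flush_stale_udp() {
    port="$1"
    n=$(stale_udp_entries "$port" "${2:-/proc/net/nf_conntrack}" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "no stale UDP entries for dport $port"
        return 0
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: conntrack -D -p udp --orig-port-dst $port ($n entries)"
    else
        conntrack -D -p udp --orig-port-dst "$port"
    fi
}
```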

    ========================================================

    8. After adding a new partition (/ssd) on the Docker host, Docker must be restarted before a data volume on that partition (-v /ssd:/ssd) takes effect in newly started containers

    Solution (use with care): edit /usr/lib/systemd/system/docker.service

    [Unit]
    Description=Docker Application Container Engine
    Documentation=http://docs.docker.com
    After=network.target docker.socket
    Requires=docker.socket

    [Service]
    Type=notify
    EnvironmentFile=-/etc/sysconfig/docker
    EnvironmentFile=-/etc/sysconfig/docker-storage
    ExecStart=/usr/bin/docker -d $OPTIONS $DOCKER_STORAGE_OPTIONS
    ExecStartPost=/usr/bin/chmod 777 /var/run/docker.sock
    LimitNOFILE=1048576
    LimitNPROC=1048576
    MountFlags=private   # change this to MountFlags=shared

    [Install]
    WantedBy=multi-user.target 

    Note that the unit above also runs chmod 777 on /var/run/docker.sock; anyone who can write to that socket can start containers as root on the host, so a 0660 socket owned by a dedicated group (as in the docker.socket unit under item 3) is the safer setting.

    Related link: https://huaminchen.wordpress.com/2015/05/19/how-docker-handles-mount-namespace/

    ========================================================

    9. File mount problems with MFS + Docker

    mfs is mounted locally as follows:
    mfsmount /mnt -H ip -P port -S /
    so the host now has an mfs directory at /mnt.
    But after docker run -it -v /mnt:/mnt image:tags /bin/bash
    the directory inside the container turns out to be the local one, not the mfs mount, and its size is wrong as well. The system log shows a warning:
    Jul 16 11:52:36 TENCENT64 docker: [error] mount.go:12 [warning]: couldn't run auplink before unmount: exec: "auplink": executable file not found in $PATH

    The auplink command is missing on the host, which makes Docker's mount handling misbehave. Install it on CentOS with:
    yum install aufs-util
    then restart Docker:
    systemctl restart docker
    and restart the container.

    So far, mounting mfs into Docker has failed inexplicably twice:

    1. The mfs mount directory was changed without restarting Docker; no matter how the container was started or which logs were captured, the mfs mount directory could not be seen inside the container.

    2. After starting and entering the container, a large number of files were deleted. The operation had finished, but mfs has a trash-bin mechanism: the files had been moved to the trash and the real data cleanup had not actually happened (this state can be seen on the mfs.cgi page). As a result, mkdir inside the container failed with "device is busy".

    I resolved both errors only by restarting Docker. I suspect something in Docker's underlying file services, cgroup or aufs, is at fault. This issue is left open for now.

    Problems summarised by other users

    ========================================================

    10. Docker v1 private registry: on the first upload of an image its index is written to the DB, but the upload itself fails (search finds the image, yet the delete API fails); the registry reports the following error:

    Cause: the index was already written to the DB while the image upload failed; on the next upload the index is written again, which triggers a "name not unique" error.

    Solution: the index lives in a sqlite database; delete the failing image's index row from it (sqlite3 docker-registry.db; .tables; select * from repository;).

    ========================================================

    11. Host crashes caused by device mapper discard.

    Cause: this problem recurred on certain servers. After a crash and reboot, entering via the IPMI console showed that the system had already loaded the coredump kernel; before the core dump was produced it ran Recover and Data Copying operations, which made recovery very slow. Analysis of the core dump showed a kernel BUG in DM discard handling; the fix is to disable discard in Docker's devicemapper driver.

    Solution: start Docker with the options "--storage-opt dm.mountopt=nodiscard --storage-opt dm.blkdiscard=false"

    ========================================================

    12. Docker fails to start with [error] attach_loopback.go:42 There are no more loopback devices available; full error log:

    systemd[1]: Starting Docker Application Container Engine...
    docker[47518]: 2016/02/03 14:50:32 docker daemon: 1.3.2 39fa2fa/1.3.2; execdriver: native; graphdriver:
    docker[47518]: [b98612a1] +job serveapi(fd://, tcp://0.0.0.0:2375, unix:///var/run/docker.sock)
    docker[47518]: [error] attach_loopback.go:42 There are no more loopback devices available.
    docker[47518]: 2016/02/03 14:50:32 loopback mounting failed
    systemd[1]: docker.service: main process exited, code=exited, status=1/FAILURE
    systemd[1]: Failed to start Docker Application Container Engine.
    systemd[1]: Unit docker.service entered failed state.
    systemd[1]: docker.service failed.

    Cause: your host system does not have the loopback device files in its /dev for Docker to use.

    Solution: use something like this on your host, then run the container and it will pick up the devices.

    #!/bin/bash
    # create the loop device nodes /dev/loop0 .. /dev/loop6 (block device, major 7, minor i)
    for i in {0..6}
    do
        mknod -m0660 /dev/loop$i b 7 $i
    done

    Docker official issue: git issue

    ========================= Other links ================================

    Linux kernel bug breaking TCP/IP packets under Mesos, Kubernetes and Docker

    How to fix a read-only root directory in a Docker container

    Original article: https://www.cnblogs.com/SZLLQ2000/p/5486754.html