  • docker2

    https://github.com/docker/distribution

    daocloud

    数人云

    时速云

    http://jpetazzo.github.io/2014/06/23/docker-ssh-considered-evil/  Why you should not use SSH to connect to containers

    https://github.com/jpetazzo/nsenter  Same as above

    https://segmentfault.com/a/1190000002931564  Fixing an exhausted Storage Pool in a Docker environment: resize-device-mapper

    http://www.oschina.net/news/57894/daocloud

    http://blog.csdn.net/qinyushuang/article/details/43342553  Docker study notes (3) -- how to build an image with a Dockerfile

    http://geek.csdn.net/news/detail/35121      Docker images

    http://www.csdn.net/article/2014-11-18/2822693  Analysis of images and containers

    http://www.blogjava.net/yongboy/archive/2013/12/12/407498.html  Docker study notes part 1: setting up a Java Tomcat runtime environment

    DOCKER_STORAGE_OPTIONS=-s devicemapper --storage-opt dm.datadev=/home/dock-data --storage-opt dm.metadatadev=/home/dock-meta

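    To resolve the error, the variable above has to be set.

    In the process I came to understand the difference between character devices and block devices: what was created above is an ordinary file, that is, a character device,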

    [root@docker1 ~]# docker run busybox /bin/echo Hello Docker
    Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-optl dm.no_warn_on_loop_devices=true` to suppress this warning.



    The warning message occurs because your Docker storage configuration is using a "loopback device" -- a virtual block device such as /dev/loop0 that is actually backed by a file on your filesystem. This was never meant as anything more than a quick hack to get Docker up and running quickly as a proof of concept.

    You don't want to suppress the warning; you want to fix your storage configuration such that the warning is no longer issued. The easiest way to do this is to assign some local disk space for use by Docker's devicemapper storage driver and use that.

    If you're using LVM and have some free space available on your volume group, this is relatively easy. For example, to give docker 100G of space, first create a data and metadata volume:

    # lvcreate -n docker-data -L 100G /dev/my-vg
    # lvcreate -n docker-metadata -L1G /dev/my-vg

    And then configure Docker to use this space by editing /etc/sysconfig/docker-storage to look like:

    DOCKER_STORAGE_OPTIONS=-s devicemapper --storage-opt dm.datadev=/dev/my-vg/docker-data --storage-opt dm.metadatadev=/dev/my-vg/docker-metadata

    If you're not using LVM or don't have free space available on your VG, you could expose some other block device (e.g., a spare disk or partition) to Docker in a similar fashion.



    DOCKER_STORAGE_OPTIONS=-s devicemapper --storage-opt dm.datadev=/home/dock-data --storage-opt dm.metadatadev=/home/dock-meta

    [root@kvm1 docker]# touch  dock-data
    [root@kvm1 docker]# touch dock-meta
    [root@kvm1 docker]# systemctl start docker
    [root@kvm1 docker]# systemctl status docker -l
    docker.service - Docker Application Container Engine
       Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled)
       Active: inactive (dead) since Thu 2016-06-16 21:09:37 CST; 7s ago
         Docs: http://docs.docker.com
      Process: 9190 ExecStart=/bin/sh -c /usr/bin/docker-current daemon $OPTIONS            $DOCKER_STORAGE_OPTIONS            $DOCKER_NETWORK_OPTIONS            $ADD_REGISTRY            $BLOCK_REGISTRY            $INSECURE_REGISTRY            2>&1 | /usr/bin/forward-journald -tag docker (code=exited, status=0/SUCCESS)
     Main PID: 9190 (code=exited, status=0/SUCCESS)

    Jun 16 21:09:36 kvm1.zf.com systemd[1]: Starting Docker Application Container Engine...
    Jun 16 21:09:36 kvm1.zf.com forward-journal[9194]: Forwarding stdin to journald using Priority Informational and tag docker
    Jun 16 21:09:37 kvm1.zf.com forward-journal[9194]: time="2016-06-16T21:09:37.023360992+08:00" level=error msg="Error getblockdevicesize: inappropriate ioctl for device"
    Jun 16 21:09:37 kvm1.zf.com forward-journal[9194]: time="2016-06-16T21:09:37.023710458+08:00" level=fatal msg="Error starting daemon: error initializing graphdriver: Can't get data size Can't get block size"
    Jun 16 21:09:37 kvm1.zf.com systemd[1]: Started Docker Application Container Engine.



    Jun 16 21:08:12 kvm1.zf.com forward-journal[9050]: Forwarding stdin to journald using Priority Informational and tag docker
    Jun 16 21:08:12 kvm1.zf.com forward-journal[9050]: time="2016-06-16T21:08:12.586347689+08:00" level=fatal msg="Error starting daemon: error initializing graphdriver: open /home/docker/dock-data: is a directory"
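
    The two failures logged above come from pointing dm.datadev and dm.metadatadev at something that is not a block device (a file made with touch, then a directory). The pre-flight check below is an added example, not part of the original notes; its function names are hypothetical and its sample paths are constructed in a temporary directory.

```sh
#!/bin/sh
# Added example: classify the dm.datadev / dm.metadatadev targets named in a
# DOCKER_STORAGE_OPTIONS value before starting the daemon.
# All function names here are hypothetical helpers, not Docker tooling.

# Print the value of one --storage-opt key from an options string.
# $1 = key (e.g. dm.datadev), $2 = DOCKER_STORAGE_OPTIONS value
storage_opt() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s|^$1=||p" | head -n 1
}

# Report what a path really is. Only "block" is usable as a devicemapper
# data or metadata device; [ -b ] follows symlinks such as /dev/my-vg/docker-data.
classify_dev() {
    if   [ -b "$1" ]; then echo block
    elif [ -c "$1" ]; then echo char
    elif [ -d "$1" ]; then echo directory
    elif [ -f "$1" ]; then echo regular-file
    elif [ -e "$1" ]; then echo other
    else                   echo missing
    fi
}

# Check both devices. Prints "key path kind" per device and returns 0 only
# when both exist and are block devices.
check_storage_opts() {
    cso_rc=0
    for cso_key in dm.datadev dm.metadatadev; do
        cso_path=$(storage_opt "$cso_key" "$1")
        if [ -z "$cso_path" ]; then
            echo "$cso_key (unset) missing"
            cso_rc=1
            continue
        fi
        cso_kind=$(classify_dev "$cso_path")
        echo "$cso_key $cso_path $cso_kind"
        [ "$cso_kind" = block ] || cso_rc=1
    done
    return "$cso_rc"
}

# Constructed demo that mirrors the page's two failures: one target is a file
# made with touch, the other is a directory.
demo() {
    demo_dir=$(mktemp -d) || return 1
    touch "$demo_dir/dock-data"
    mkdir "$demo_dir/dock-meta"
    check_storage_opts "-s devicemapper --storage-opt dm.datadev=$demo_dir/dock-data --storage-opt dm.metadatadev=$demo_dir/dock-meta"
    demo_rc=$?
    rm -rf "$demo_dir"
    return "$demo_rc"
}

demo || echo "refusing to start docker: storage targets are not block devices"
```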

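    Building images

    Two ways to build an image:
        Use the docker commit command
        Use the docker build command with a Dockerfile
    A Dockerfile is more powerful and flexible, and is the recommended approach.
    Generally you are not really "creating" a new image; you are building a new image on top of an existing base image such as Ubuntu or Fedora. To build a completely new image from scratch, see this article:
    https://docs.docker.com/engine/userguide/eng-image/baseimages/  Building an image from scratch -- create a base image

    Run, modify and save the image, then upload it to the private registry, where it can be downloaded and used as a shared image.
    docker run -it centos bash
    docker ps -l
    docker commit 949 centos-man
    docker images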

    Registry mirror address

    echo "DOCKER_OPTS=\"\$DOCKER_OPTS --registry-mirror=http://your-id.m.daocloud.io -d\"" >> /etc/default/docker



    sudo sed -i 's|other_args="|other_args="--registry-mirror=http://a984be05.m.daocloud.io |g' /etc/sysconfig/docker
    sudo sed -i "s|OPTIONS='|OPTIONS='--registry-mirror=http://a984be05.m.daocloud.io |g" /etc/sysconfig/docker
    sudo sed -i 'N;s|\[Service\]\n|\[Service\]\nEnvironmentFile=-/etc/sysconfig/docker\n|g' /usr/lib/systemd/system/docker.service
    sudo sed -i 's|fd://|fd:// $other_args |g' /usr/lib/systemd/system/docker.service

    sudo systemctl daemon-reload
    sudo service docker restart

    Setting up a private registry

    http://lishaofengstar.blog.163.com/blog/static/131972852201411585441354/
    This blog post discusses how to deploy a private Docker Registry with SSL encryption, HTTP authentication and firewall protection. Docker Registry is a service for storing and sharing Docker images. The operating system used in the post is Ubuntu; any system that supports Upstart will do. Nginx is used as the front-end proxy server for the Docker Registry, and Nginx also handles SSL encryption and basic HTTP authentication. Gunicorn runs the Docker Registry and Upstart manages Gunicorn. Redis is also used to implement an LRU (Least Recently Used) cache to reduce data access between the Docker Registry and the disk.

    https://github.com/docker/distribution/blob/master/docs/deploying.md

    $ docker pull samalba/docker-registry
    $ docker run -d -p 5000:5000 samalba/docker-registry
    # First pull down a simple image (or build one yourself)
    $ docker pull busybox
    $ docker tag busybox localhost:5000/busybox
    $ docker push localhost:5000/busybox



    https://segmentfault.com/a/1190000000801162
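    Since docker-registry is itself just a software application, the simplest approach is to use the official, ready-made registry image. The official documentation also suggests simply running sudo docker run -p 5000:5000 registry. This does start a registry server, but all uploaded images are then managed by the Docker container and stored under some directory in /var/lib/docker/.... Moreover, once the container is deleted, the images are deleted too. So we need a way to tell the Docker container where images should be stored. After the registry image starts, the default image location is /tmp/registry, so it is enough to map that location, for example to the local directory /opt/data/registry.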

    [root@kvm2 mnt]# docker run -d -p 5000:5000 -v /root/my_registry:/tmp/registry registry


    First create a private registry; this also starts it. You can see it in the docker ps output below.
    [root@kvm2 mnt]# docker run -d -p 5000:5000 --restart=always --name registry registry:2
    Unable to find image 'registry:2' locally
    Trying to pull repository docker.io/library/registry ...
    2: Pulling from library/registry
    17bd2058e0c6: Pull complete
    3f0d3d140ce1: Pull complete
    47339bdfc690: Pull complete
    03a7f8ec3d4f: Pull complete
    d2501a6dc689: Pull complete
    9ca18bbd0cd5: Pull complete
    dd0dda9b2298: Pull complete
    79ec4549598b: Pull complete
    5d322e774cf2: Pull complete
    Digest: sha256:c5455f3918e5235e641bb6d8dc8ff0780df197d5df12c589bf0c283e25fc0650
    Status: Downloaded newer image for docker.io/registry:2
    cf3554af4427c2700fbc2ffecf02332cf4087dd07c8da53ebf0dd54db9d2323a
    Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
    [root@kvm2 mnt]# docker ps
    CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
    cf3554af4427        registry:2          "/bin/registry serve "   10 seconds ago      Up 8 seconds        0.0.0.0:5000->5000/tcp   registry

    List the images; registry:2 has been added.
    [root@kvm2 mnt]# docker images
    REPOSITORY           TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
    centos-man           latest              44cc4eec11d1        About an hour ago   282.4 MB
    docker.io/registry   2                   5d322e774cf2        7 days ago          171.5 MB
    docker.io/httpd      latest              6bce6ad2c6a9        9 days ago          198.5 MB
    docker.io/centos     latest              a65193109361        2 weeks ago         196.7 MB

    Tag the local centos-man image as man.
    Tag the image that needs to be pushed to the private registry.
    [root@kvm2 mnt]# docker tag centos-man localhost:5000/man
    [root@kvm2 mnt]# docker images
    REPOSITORY           TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
    localhost:5000/man   latest              44cc4eec11d1        About an hour ago   282.4 MB
    centos-man           latest              44cc4eec11d1        About an hour ago   282.4 MB
    docker.io/registry   2                   5d322e774cf2        7 days ago          171.5 MB
    docker.io/httpd      latest              6bce6ad2c6a9        9 days ago          198.5 MB
    docker.io/centos     latest              a65193109361        2 weeks ago         196.7 MB

    Then push the local man image to the private registry.
    [root@kvm2 mnt]# docker push localhost:5000/man
    The push refers to a repository [localhost:5000/man] (len: 1)
    44cc4eec11d1: Pushed
    a65193109361: Pushed
    df0fc3863fbc: Pushed
    latest: digest: sha256:9b95cacf2aa3a4fb25ed897dd7233cd135708d527cde54d86119e221a7f8201f size: 4621
    Command sequence on docker1
    Storage
    Set up storage on another local partition or VG instead of using loop devices
    [root@localhost ~]# vi /usr/lib/docker-storage-setup/docker-storage-setup
    [root@localhost ~]# docker-storage-setup

    Registry mirror
    sed -i "s|OPTIONS='|OPTIONS='--registry-mirror=http://a984be05.m.daocloud.io |g" /etc/sysconfig/docker
    systemctl restart docker

    Private registry
    docker run -d -p 5000:5000 --restart=always --name registry registry:2
    docker pull httpd
    docker run -p 8076:80 -d -it httpd
    docker exec eb7 ls /usr/local/apache2/htdocs
    docker cp index.html eb7:/usr/local/apache2/htdocs
    docker commit eb7 httpd-gai
    docker images
    docker ps
    docker tag httpd-gai localhost:5000/gai
    docker ps
    docker images
    docker push localhost:5000/gai
    Command sequence on docker2
    Set up storage on another local partition or VG instead of using loop devices
    [root@localhost ~]# vi /usr/lib/docker-storage-setup/docker-storage-setup 
    [root@localhost ~]# docker-storage-setup

    The following pulls, on another machine, the image that was just pushed from the host above. First edit the file below: uncomment the line and add the IP, because https is used.
    [root@my graph]# vi /etc/sysconfig/docker
    INSECURE_REGISTRY='--insecure-registry 192.168.1.22:5000'
    Then pull, run, modify the file, and test access in a browser.
    [root@my graph]# docker pull 192.168.1.22:5000/man
    docker run -d -p 7965:80 192.168.10.112:5000/gai
    docker ps
    ip addr
    docker ps
    vi index.html
    docker cp index.html 8d0:/usr/local/apache2/htdocs

    To view a JSON file, use cat json |python -mjson.tool

    [root@kvm2 1544084fad81e27c28a8c12c08b2439451fd1e745e38c1dcecd862d240c4235e]# pwd
    /var/lib/docker/graph/1544084fad81e27c28a8c12c08b2439451fd1e745e38c1dcecd862d240c4235e
    [root@kvm2 1544084fad81e27c28a8c12c08b2439451fd1e745e38c1dcecd862d240c4235e]# cat json |python -mjson.tool
    {
        "container_config": {
            "AttachStderr": false,
            "AttachStdin": false,
            "AttachStdout": false,
            "Cmd": [
                "/bin/sh -c #(nop) MAINTAINER The CentOS Project <cloud-ops@centos.org>"
            ],
            "Domainname": "",
            "Entrypoint": null,
            "Env": null,
            "Hostname": "",
            "Image": "",
            "Labels": null,
            "OnBuild": null,
            "OpenStdin": false,
            "StdinOnce": false,
            "Tty": false,
            "User": "",
            "Volumes": null,
            "WorkingDir": ""
        },
        "created": "2015-09-07T19:05:48.678585881Z",
        "layer_id": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
    }
    [root@kvm2 1544084fad81e27c28a8c12c08b2439451fd1e745e38c1dcecd862d240c4235e]# cat json
    {"container_config":{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh -c #(nop) MAINTAINER The CentOS Project \u003ccloud-ops@centos.org\u003e"],"Image":"","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"created":"2015-09-07T19:05:48.678585881Z","layer_id":"sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"}[root@kvm2 1544084fad81e27c28a8c12c08b2439451fd1e745e38c1dcecd862d240c4235e]#
    [root@kvm2 graph]# docker images -tree
    flag provided but not defined: -tree
    See '/usr/bin/docker-current images --help'.
    
    
    [root@kvm2 graph]# ll
    total 0
    drwx------ 2 root root 93 Jun 17 14:30 1544084fad81e27c28a8c12c08b2439451fd1e745e38c1dcecd862d240c4235e
    drwx------ 2 root root 93 Jun 17 15:00 a3d54b467fad81f4b33c161c8a227c66cb45733ba5bbfdd971942083e6c666c7
    drwx------ 2 root root 93 Jun 17 15:00 a65193109361c1c55a0baa79c2167ec417b977f284b3358f4d50b81e22f84ec5
    drwx------ 2 root root 93 Jun 17 15:00 df0fc3863fbc60ba8576521b1ecb89133e66941ceef9b57716ccda2454c9e6fc
    drwx------ 2 root root  6 Jun 17 15:00 _tmp

    Four layers in total, each depending on the one before it.
    [root@kvm2 graph]# docker images -a
    REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
    docker.io/centos    latest              a65193109361        2 weeks ago         196.7 MB
    <none>              <none>              a3d54b467fad        2 weeks ago         196.7 MB
    <none>              <none>              df0fc3863fbc        2 weeks ago         196.7 MB
    <none>              <none>              1544084fad81        9 months ago        0 B

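    Finally, when a container is started from an image, Docker mounts a read-write filesystem on top of the image's topmost layer. The programs we want to run in Docker execute in this read-write layer.
    From the above we can see that the container's writable layer is stored in the directory named with the container's long ID, while the directory named with the ID plus the init suffix stores the container's initial information.
    An important part of building images is how to share and publish them. Images can be pushed to Docker Hub or to the user's own private Registry. To do this, you need to create an account on Docker Hub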

    [root@kvm2 docker]# docker-storage-setup
    ERROR: Docker has been previously configured for use with devicemapper graph driver. Not creating a new thin pool as existing docker metadata will fail to work with it. Manual cleanup is required before this will succeed.
    INFO: Docker state can be reset by stopping docker and by removing /var/lib/docker directory. This will destroy existing docker images and containers and all the docker metadata.
    [root@kvm2 docker]# docker images
    
    [root@kvm2 lib]# systemctl stop docker
    [root@kvm2 lib]# rm -rf /var/lib/docker/
    
    [root@kvm2 lib]# docker-storage-setup
      Rounding up size to full physical extent 956.00 MiB
      Volume group "centos" has insufficient free space (16 extents): 239 required.
    [root@kvm2 lib]# vgdisplay
      --- Volume group ---
      VG Name               centos
      System ID
      Format                lvm2
      Metadata Areas        1
      Metadata Sequence No  4
      VG Access             read/write
      VG Status             resizable
      MAX LV                0
      Cur LV                3
      Open LV               3
      Max PV                0
      Cur PV                1
      Act PV                1
      VG Size               931.02 GiB
      PE Size               4.00 MiB
      Total PE              238341
      Alloc PE / Size       238325 / 930.96 GiB
      Free  PE / Size       16 / 64.00 MiB
      VG UUID               njw2Ue-6opd-mjxl-7wVW-reJE-wAMf-54yF4t

    So some partition space has to be set aside first before the command above can be used, because the docker-storage-setup command needs a block device.


    [root@localhost ~]# lvremove -v /dev/docker/docker-data
        Using logical volume(s) on command line.
    Do you really want to remove active logical volume docker-data? [y/n]: y
        Removing docker-docker--data (253:2)
        Archiving volume group "docker" metadata (seqno 2).
        Releasing logical volume "docker-data"
        Creating volume group backup "/etc/lvm/backup/docker" (seqno 3).
      Logical volume "docker-data" successfully removed


    If the DEVS and VG lines in the file /usr/lib/docker-storage-setup/docker-storage-setup are not changed, the error below appears.
    [root@localhost ~]# docker-storage-setup
      Rounding up size to full physical extent 52.00 MiB
      Volume group "centos" has insufficient free space (11 extents): 13 required.

    Be sure to edit the file /usr/lib/docker-storage-setup/docker-storage-setup; editing the file /etc/sysconfig/docker-storage-setup produces all kinds of problems
    # cat <<EOF > /etc/sysconfig/docker-storage-setup
    DEVS=/dev/vdb
    VG=docker-vg
    EOF

    Below is the output when the given VG does not have enough capacity.
    [root@localhost ~]# docker-storage-setup
      Rounding up size to full physical extent 52.00 MiB
      Logical volume "docker-poolmeta" created.
    INFO: DATA_SIZE=40%FREE is smaller than MIN_DATA_SIZE=2G. Will create data volume of size specified by MIN_DATA_SIZE.
      Logical volume "docker-pool" created.
      WARNING: Converting logical volume docker/docker-pool and docker/docker-poolmeta to pool's data and metadata volumes.
      THIS WILL DESTROY CONTENT OF LOGICAL VOLUME (filesystem etc.)
      Converted docker/docker-pool to thin pool.
      Logical volume "docker-pool" changed.


    [root@localhost ~]# vi /usr/lib/docker-storage-setup/docker-storage-setup
    [root@localhost ~]# docker-storage-setup
      Rounding up size to full physical extent 24.00 MiB
      Logical volume "docker-poolmeta" created.
      Logical volume "docker-pool" created.
      WARNING: Converting logical volume docker/docker-pool and docker/docker-poolmeta to pool's data and metadata volumes.
      THIS WILL DESTROY CONTENT OF LOGICAL VOLUME (filesystem etc.)
      Converted docker/docker-pool to thin pool.
      Logical volume "docker-pool" changed.

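    After the above has started, fdisk -l shows the volumes below, and there is no longer a devicemapper subdirectory under /var/lib/docker/devicemapper/, which shows that the two loopback devices /dev/loop0 and /dev/loop1 are not in use.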
    Disk /dev/mapper/docker-docker--pool_tmeta: 25 MB, 25165824 bytes, 49152 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes


    Disk /dev/mapper/docker-docker--pool_tdata: 8577 MB, 8577351680 bytes, 16752640 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes


    Disk /dev/mapper/docker-docker--pool: 8577 MB, 8577351680 bytes, 16752640 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 524288 bytes / 524288 bytes


    Disk /dev/mapper/docker-253:0-34783213-a931702e612b6d6e2c6cb63d93f9ae19a5c309e6eb18443e32bf52f01ebabb21: 107.4 GB, 107374182400 bytes, 209715200 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 524288 bytes / 524288 bytes




    [root@localhost lvm]# docker-storage-setup
    ERROR: Found LVM2_member signature on device /dev/vdb at offset 0x218. Wipe signatures using wipefs or use WIPE_SIGNATURES=true and retry.
    [root@localhost lvm]# vi /etc/sysconfig/docker-storage-setup
    [root@localhost lvm]# docker-storage-setup
    INFO: Wipe Signatures is set to true. Any signatures on /dev/vdb will be wiped.
    wipefs: error: /dev/vdb: probing initialization failed: Device or resource busy
    ERROR: Failed to wipe signatures on device /dev/vdb


    [root@localhost ~]# docker-storage-setup
    Checking that no-one is using this disk right now ...
    OK

    Disk /dev/vdb: 104025 cylinders, 16 heads, 63 sectors/track
    sfdisk:  /dev/vdb: unrecognized partition table type

    Old situation:
    sfdisk: No partitions found

    New situation:
    Units: sectors of 512 bytes, counting from 0

       Device Boot    Start       End   #sectors  Id  System
    /dev/vdb1          2048 104857599  104855552  8e  Linux LVM
    /dev/vdb2             0         -          0   0  Empty
    /dev/vdb3             0         -          0   0  Empty
    /dev/vdb4             0         -          0   0  Empty
    Warning: partition 1 does not start at a cylinder boundary
    Warning: partition 1 does not end at a cylinder boundary
    Warning: no primary partition is marked bootable (active)
    This does not matter for LILO, but the DOS MBR will not boot this disk.
    Successfully wrote the new partition table

    Re-reading the partition table ...

    If you created or changed a DOS partition, /dev/foo7, say, then use dd(1)
    to zero the first 512 bytes:  dd if=/dev/zero of=/dev/foo7 bs=512 count=1
    (See fdisk(8).)
      Physical volume "/dev/vdb1" successfully created
      Volume group "docker1" successfully created
    ERROR: Old mode of passing data and metadata logical volumes to docker is not supported. Exiting.

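    aufs:
    AUFS (AnotherUnionFS) is a kind of Union FS; put simply, it is a filesystem that supports mounting different directories under the same virtual filesystem. The aufs driver was the first driver Docker supported, but aufs is only a patch set for the Linux kernel and is unlikely to be merged into the Linux kernel. However, because aufs is the only storage driver that lets containers share executable code and runtime libraries, aufs is a rather good choice when you run hundreds or thousands of containers with the same program code or runtime libraries.

    device mapper:
    Device mapper is a framework provided in the Linux 2.6 kernel for mapping logical devices to physical devices; with it, users can easily define and implement storage resource management policies according to their own needs.
    The device mapper driver creates a simple 100G file that contains your images and containers. Each container is limited to a 10G volume, which can be adjusted.
    You can specify the driver with the -s parameter when starting the Docker daemon: docker -d -s devicemapper.

    Btrfs:
    The Btrfs driver can be very efficient during docker build. But, like device mapper, it does not support sharing storage between devices.

    On Linux distributions without aufs support (CentOS, openSUSE, etc.), a Docker installation has probably used the device mapper driver.
    To check whether your Linux distribution has aufs support: lsmod | grep aufs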



    docker run -d -p 50001:22 ubuntu/ruby:v2 /usr/sbin/sshd -D
    Containers normally do not run sshd

    Two ways to transfer files between a container and the host: cp and -v
    docker run -d -p 7965:80 192.168.10.112:5000/gai
    Mount a host directory at /mnt in the container:
    #docker run -d -p 5000:5000 -v /root/my_registry:/tmp/registry registry
    docker run -d -p 7965:80 -v /home/zf/:/mnt 192.168.10.112:5000/gai
    ./ent.sh 8d0

    [root@my jj]# docker run -v /tmp/vol1 --name="vol2" -it 45b
    [root@my jj]# docker ps -l
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                     PORTS               NAMES
    3176547d7062        45b                 "bash"              12 seconds ago      Exited (0) 5 seconds ago                       vol2
    [root@my jj]# docker start 317
    317
    [root@my jj]# docker ps
    CONTAINER ID        IMAGE                       COMMAND              CREATED             STATUS              PORTS                  NAMES
    3176547d7062        45b                         "bash"               28 seconds ago      Up 2 seconds                               vol2
    c949de9826f5        192.168.1.22:5000/httpd-b   "httpd-foreground"   24 hours ago        Up 51 minutes       0.0.0.0:7975->80/tcp   jovial_engelbart
    30b3bd502c74        192.168.1.22:5000/httpd-a   "httpd-foreground"   24 hours ago        Up 51 minutes       0.0.0.0:7965->80/tcp   ecstatic_kare
    [root@my ~]# ./aa.sh 317
    Last login: Tue Jun 21 07:45:04 UTC 2016
    [root@3176547d7062 ~]# df -h
    Filesystem                                                                                          Size  Used Avail Use% Mounted on
    /dev/mapper/docker-253:0-67459471-3176547d70627f3a125f734ea145163eceaa367e45ad31534eef86be91d6ae60  100G  306M  100G   1% /
    tmpfs                                                                                               493M     0  493M   0% /dev
    tmpfs                                                                                               493M     0  493M   0% /sys/fs/cgroup
    tmpfs                                                                                               493M     0  493M   0% /run/secrets
    /dev/mapper/centos-root                                                                              48G  2.7G   45G   6% /tmp/vol1
    shm                                                                                                  64M     0   64M   0% /dev/shm

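    Different ways of exchanging data with a container

    With -v, data is shared between a host directory and a container directory; compare the listings below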
    
    docker run -v /home/ff:/mnt/ -it 45b
    [root@my ff]# cp /root/RanZhi.3.3.zbox_64.tar.gz ./
    [root@my ff]# /root/aa.sh b7d
    Last login: Tue Jun 21 08:00:31 UTC 2016
    [root@b7d745dac2c4 ~]# cd /mnt/
    [root@b7d745dac2c4 mnt]# ls
    RanZhi.3.3.zbox_64.tar.gz  foef  passwd
    
    
    [root@my ff]# cp /root/aa.sh ./
    [root@my ff]# docker exec b7d ls /mnt
    RanZhi.3.3.zbox_64.tar.gz
    aa.sh
    foef
    passwd
    
    
    With -v
    docker run -v /tmp/vol1 --name="vol2" -it 45b
    The path inside the container is /tmp/vol1
    
    [root@my ~]# docker inspect -f '{{.State.StartedAt}}' 317
    2016-06-21T07:43:44.775004038Z
    
    docker inspect -f '{{.Mounts}}' 317
    Get the volume's path on the host
    touch /var/lib/docker/volumes/81557ef21a02e117585e41dba692a70eed5a9d7d96195679edc397e6dfecd835/_data/eif
    So you only need to copy files into this _data directory
    
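    Data volume sharing: sharing a volume between containers.
    docker run -it --volumes-from 317 45b
    This mounts /tmp/vol1 from container 317 above into the new container, because the new container and container 317 use the same volume, namely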
    /var/lib/docker/volumes/81557ef21a02e117585e41dba692a70eed5a9d7d96195679edc397e6dfecd835/_data

    When the container was started without the -v option, use docker cp instead.
    [root@my ff]# docker cp /root/RanZhi.3.3.zbox_64.tar.gz c94:/usr/local/apache2/htdocs/
    [root@my ff]# docker exec c94 ls /usr/local/apache2/htdocs
    RanZhi.3.3.zbox_64.tar.gz
    anaconda-ks.cfg
    world.sql
    Interactive script
    This mainly uses nsenter.
    The util-linux package contains nsenter.

    [root@my ~]# ./aa.sh 30b
    nsenter: failed to execute su: No such file or directory
    If the error above appears, just change su in the script to /bin/su. The cause is a PATH problem inside the container; using /bin/su is enough.


    #!/bin/sh

    if [ -e $(dirname "$0")/nsenter ]; then
        # with boot2docker, nsenter is not in the PATH but it is in the same folder
        NSENTER=$(dirname "$0")/nsenter
    else
        NSENTER=nsenter
    fi

    if [ -z "$1" ]; then
        echo "Usage: `basename "$0"` CONTAINER [COMMAND [ARG]...]"
        echo ""
        echo "Enters the Docker CONTAINER and executes the specified COMMAND."
        echo "If COMMAND is not specified, runs an interactive shell in CONTAINER."
    else
        PID=$(docker inspect --format "{{.State.Pid}}" "$1")
        if [ -z "$PID" ]; then
            exit 1
        fi
        shift

        OPTS="--target $PID --mount --uts --ipc --net --pid --"

        if [ -z "$1" ]; then
            # No command given.
            # Use su to clear all host environment variables except for TERM,
            # initialize the environment variables HOME, SHELL, USER, LOGNAME, PATH,
            # and start a login shell.
            "$NSENTER" $OPTS su - root
        else
            # Use env to clear all host environment variables.
            "$NSENTER" $OPTS env --ignore-environment -- "$@"
        fi
    fi

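    Client/server: local and remote access

    vi /etc/sysconfig/docker
    To allow remote access, add -H 0.0.0.0:5555 as a listening port; otherwise only local access is possible.
    To allow both local and remote access, add both -H 0.0.0.0:5555 and -H unix:///var/run/docker.sock.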
    OPTIONS='-H 0.0.0.0:5555 --registry-mirror=http://a984be05.m.daocloud.io --registry-mirror=http://a984be05.m.daocloud.io --selinux-enabled'

    docker -H 192.168.1.22:5555 images
    docker -H 192.168.1.22:5555 ps

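    By default, the Docker daemon creates a socket file (/var/run/docker.sock) for local inter-process communication and does not listen on any port, so Docker can only be operated locally with the docker client or the Docker API.
    To operate the Docker host from other hosts, the Docker daemon has to listen on a port so that remote communication is possible.
    Edit the Docker service startup configuration file, add an unused port number, and restart the docker daemon.
    # vim /etc/sysconfig/docker
    OPTIONS='-H 0.0.0.0:5555'
    # systemctl restart docker
    The docker daemon is now listening on port 5555, and the Docker process can be reached through that port from another host.
    # docker -H IP:5555 images
    But we then find that operating docker locally has a problem.
    # docker images
    FATA[0000] Cannot connect to the Docker daemon. Is 'docker -d' running on this host?
    This is because the Docker process has only remote access enabled, and local socket access is not enabled. Edit /etc/sysconfig/docker and then restart.
    # vim /etc/sysconfig/docker
    OPTIONS='-H unix:///var/run/docker.sock -H 0.0.0.0:5555'
    # systemctl restart docker
    Now the docker process can be accessed both locally and remotely.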
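
    A daemon started with -H 0.0.0.0:5555 and no --tlsverify accepts API requests without authentication from any host that can reach the port, and --insecure-registry and an http:// registry mirror move images without TLS. The audit below is an added example, not part of the original notes: it flags those three settings in a sysconfig-style file; the function names are hypothetical and the sample file is constructed from values shown on this page.

```sh
#!/bin/sh
# Added example: flag daemon settings in a sysconfig-style file that expose the
# Docker API or image transfers without TLS. Helper names are hypothetical.

# Print the unquoted value of KEY='...' (last assignment wins; comments ignored).
# $1 = key, $2 = file
sysconfig_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | sed "s/^['\"]//; s/['\"]\$//"
}

# Print one finding per line; return 0 only when nothing was flagged.
# Runs in a subshell so set -f and the variables stay local.
audit_docker_sysconfig() (
    set -f  # no filename globbing while word-splitting the option strings
    all="$(sysconfig_value OPTIONS "$1") $(sysconfig_value INSECURE_REGISTRY "$1")"
    case " $all " in
        *" --tlsverify "*|*" --tlsverify=true "*) tls=yes ;;
        *) tls=no ;;
    esac
    n=0
    prev=""
    for w in $all; do
        # Normalise "--flag value" to "--flag=value".
        case "$prev" in
            -H|--host|--insecure-registry|--registry-mirror) w="$prev=$w" ;;
        esac
        prev=$w
        case "$w" in
            -H=unix://*|--host=unix://*|-H=fd://*|--host=fd://*) ;;
            -H=*|--host=*)
                # Any other -H value is a TCP listener.
                [ "$tls" = yes ] || { echo "UNAUTHENTICATED_TCP ${w#*=}"; n=$((n + 1)); } ;;
            --insecure-registry=*)
                echo "INSECURE_REGISTRY ${w#*=}"; n=$((n + 1)) ;;
            --registry-mirror=http://*)
                echo "PLAINTEXT_MIRROR ${w#*=}"; n=$((n + 1)) ;;
        esac
    done
    [ "$n" -eq 0 ]
)

# Constructed sample built from the OPTIONS and INSECURE_REGISTRY values on this page.
demo() {
    demo_file=$(mktemp) || return 1
    cat > "$demo_file" <<'EOF'
OPTIONS='-H 0.0.0.0:5555 --registry-mirror=http://a984be05.m.daocloud.io --selinux-enabled'
INSECURE_REGISTRY='--insecure-registry 192.168.1.22:5000'
EOF
    audit_docker_sysconfig "$demo_file"
    demo_rc=$?
    rm -f "$demo_file"
    return "$demo_rc"
}

demo || echo "findings above: keep -H on unix:// or add --tlsverify, and serve the registry over TLS"
```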
  • Original address: https://www.cnblogs.com/createyuan/p/5592207.html