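  • Installing Docker on CentOS 7

    2.3.2  Installing Docker

    The installation process differs slightly between Red Hat versions.

    2. Installing Docker on RHEL 7

    On RHEL 7 or later, Docker can be installed with the commands shown in Listing 2-24.

    2. Log in to CentOS with root privileges and make sure the yum packages are up to date.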
    
    $ sudo yum update
    
    3. Remove old versions (if an older version was installed)
    
    $ sudo yum remove docker  docker-common docker-selinux docker-engine
    
    
    4. Install the required packages. yum-utils provides yum-config-manager; the other two are dependencies of the devicemapper driver.
    
    $ sudo yum install -y yum-utils device-mapper-persistent-data lvm2
    
    
    5. Install Docker

    yum install -y docker

    A docker user and group need to be created.


    6. Start Docker and enable it at boot
    
    [root@docker ~]# systemctl   start docker
    Job for docker.service failed because the control process exited with error code. See "systemctl status docker.service" and "journalctl -xe" for details.
    
    
    
    7. Disable the firewall and SELinux
    [root@docker ~]# systemctl stop firewalld
    [root@docker ~]# systemctl disable firewalld
    [root@docker ~]# systemctl status firewalld
    ● firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
       Active: inactive (dead)
         Docs: man:firewalld(1)
    
    5月 21 01:00:22 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
    5月 21 01:00:31 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
    5月 21 01:01:53 docker systemd[1]: Stopping firewalld - dynamic firewall daemon...
    5月 21 01:01:54 docker systemd[1]: Stopped firewalld - dynamic firewall daemon.
    
    [root@docker ~]# cat /etc/selinux/config 
    
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of three two values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected. 
    #     mls - Multi Level Security protection.
    SELINUXTYPE=disabled
    
    
    $ sudo systemctl start docker
    
    Remember: do not set Docker to start at boot
    $ sudo systemctl enable docker
    
    
    [root@docker ~]# systemctl start docker
    Job for docker.service failed because the control process exited with error code. See "systemctl status docker.service" and "journalctl -xe" for details.
    [root@docker ~]# systemctl status docker.service
    ● docker.service - Docker Application Container Engine
       Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since 五 2019-05-24 14:23:44 CST; 6s ago
         Docs: http://docs.docker.com
      Process: 9266 ExecStart=/usr/bin/dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --default-runtime=docker-runc --exec-opt native.cgroupdriver=systemd --userland-proxy-path=/usr/libexec/docker/docker-proxy-current --init-path=/usr/libexec/docker/docker-init-current --seccomp-profile=/etc/docker/seccomp.json $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_NETWORK_OPTIONS $ADD_REGISTRY $BLOCK_REGISTRY $INSECURE_REGISTRY $REGISTRIES (code=exited, status=1/FAILURE)
     Main PID: 9266 (code=exited, status=1/FAILURE)
    
    5月 24 14:23:43 docker systemd[1]: Starting Docker Application Container Engine...
    5月 24 14:23:43 docker dockerd-current[9266]: time="2019-05-24T14:23:43.428004876+08:00" level=info msg="libcontainerd: new containerd process, pid: 9272"
    5月 24 14:23:44 docker dockerd-current[9266]: time="2019-05-24T14:23:44.439665367+08:00" level=warning msg="overlay2: the backing xfs filesystem is formatted without d_type support, which...
    5月 24 14:23:44 docker dockerd-current[9266]: Error starting daemon: SELinux is not supported with the overlay2 graph driver on this kernel. Either boot into a newer kernel or...abled=false)
    5月 24 14:23:44 docker systemd[1]: docker.service: main process exited, code=exited, status=1/FAILURE
    5月 24 14:23:44 docker systemd[1]: Failed to start Docker Application Container Engine.
    5月 24 14:23:44 docker systemd[1]: Unit docker.service entered failed state.
    5月 24 14:23:44 docker systemd[1]: docker.service failed.
    Hint: Some lines were ellipsized, use -l to show in full.
    
    Edit the Docker configuration file again:
    vi /etc/sysconfig/docker
    Change the option to: --selinux-enabled=false

    Docker now starts successfully:
    [root@docker ~]# systemctl start docker
    [root@docker ~]# 
    
    
    
    8. Verify the installation (if both the Client and Server sections appear, Docker is installed and running)
    
    [root@docker ~]# docker version
    Client:
     Version:         1.13.1
     API version:     1.26
     Package version: docker-1.13.1-96.gitb2f74b2.el7.centos.x86_64
     Go version:      go1.10.3
     Git commit:      b2f74b2/1.13.1
     Built:           Wed May  1 14:55:20 2019
     OS/Arch:         linux/amd64
    
    Server:
     Version:         1.13.1
     API version:     1.26 (minimum version 1.12)
     Package version: docker-1.13.1-96.gitb2f74b2.el7.centos.x86_64
     Go version:      go1.10.3
     Git commit:      b2f74b2/1.13.1
     Built:           Wed May  1 14:55:20 2019
     OS/Arch:         linux/amd64
     Experimental:    false
     
     
    
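    Starting the Docker daemon:

    After installing Docker, confirm that the Docker daemon is running. Docker runs its daemon with root privileges so that it can handle operations ordinary users cannot perform (such as mounting file systems).

    The docker program is the client for the Docker daemon and likewise needs to run as root.

    The docker daemon command can be used to control the Docker daemon.

    Before Docker 1.8, the Docker daemon was controlled with the -d flag, and there was no docker daemon subcommand.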
    
    
    [root@docker ~]# docker daemon
    Command "daemon" is deprecated, and will be removed in Docker 1.16. Please run `dockerd` directly.
    Error starting daemon: pid file found, ensure docker is not running or delete /var/run/docker.pid
    
    
    [root@docker ~]# ls -ltr /var/run/docker.sock 
    srw-rw----. 1 root docker 0 5月  24 14:26 /var/run/docker.sock
    
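    Once the Docker package is installed, the Docker daemon is started immediately by default. The daemon listens on the Unix socket file /var/run/docker.sock for Docker requests from clients.

    If a group named docker exists on the system, Docker sets the ownership of the socket file to that group. Every user in the docker group can then run Docker directly, without using sudo.

    2.9.1 Configuring the Docker daemon:

    When running the Docker daemon, the -H flag adjusts how the daemon binds its listening interface.

    The -H flag can specify different network interface and port configurations. For example, to bind to a network interface, use the following command: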
    
    
    [root@docker ~]# docker daemon -H tcp://0.0.0.0:2375
    Command "daemon" is deprecated, and will be removed in Docker 1.16. Please run `dockerd` directly.
    WARN[0000] [!] DON'T BIND ON ANY IP ADDRESS WITHOUT setting -tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING [!] 
    INFO[0000] libcontainerd: previous instance of containerd still alive (9665) 
    WARN[0000] overlay2: the backing xfs filesystem is formatted without d_type support, which leads to incorrect behavior. Reformat the filesystem with ftype=1 to enable d_type support. Running without d_type support will no longer be supported in Docker 1.16. 
    INFO[0000] [graphdriver] using prior storage driver: overlay2 
    Error starting daemon: error while opening volume store metadata database: timeout
    
    
    
    
    
    
    
    [root@docker ~]# service docker status
    Redirecting to /bin/systemctl status docker.service
    ● docker.service - Docker Application Container Engine
       Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
       Active: active (running) since 五 2019-05-24 15:30:37 CST; 6min ago
         Docs: http://docs.docker.com
     Main PID: 9847 (dockerd-current)
       CGroup: /system.slice/docker.service
               ├─9847 /usr/bin/dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --default-runtime=docker-runc --exec-opt native.cgroupdriver=systemd --userland...
               └─9853 /usr/bin/docker-containerd-current -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libc...
    
    5月 24 15:30:37 docker dockerd-current[9847]: time="2019-05-24T15:30:37.119214374+08:00" level=warning msg="Your kernel does not support pids limit capabilities or the cgroup ... discarded."
    5月 24 15:30:37 docker dockerd-current[9847]: time="2019-05-24T15:30:37.119351649+08:00" level=info msg="Loading containers: start."
    5月 24 15:30:37 docker dockerd-current[9847]: time="2019-05-24T15:30:37.130414374+08:00" level=info msg="Firewalld running: false"
    5月 24 15:30:37 docker dockerd-current[9847]: time="2019-05-24T15:30:37.226258298+08:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16.... IP address"
    5月 24 15:30:37 docker dockerd-current[9847]: time="2019-05-24T15:30:37.255639925+08:00" level=info msg="Loading containers: done."
    5月 24 15:30:37 docker dockerd-current[9847]: time="2019-05-24T15:30:37.260041931+08:00" level=warning msg="Not using native diff for overlay2, this may cause degraded perform...ater to fix"
    5月 24 15:30:37 docker dockerd-current[9847]: time="2019-05-24T15:30:37.269865431+08:00" level=info msg="Daemon has completed initialization"
    5月 24 15:30:37 docker dockerd-current[9847]: time="2019-05-24T15:30:37.269907853+08:00" level=info msg="Docker daemon" commit="b2f74b2/1.13.1" graphdriver=overlay2 version=1.13.1
    5月 24 15:30:37 docker systemd[1]: Started Docker Application Container Engine.
    5月 24 15:30:37 docker dockerd-current[9847]: time="2019-05-24T15:30:37.280950017+08:00" level=info msg="API listen on /var/run/docker.sock"
    Hint: Some lines were ellipsized, use -l to show in full.
    [root@docker ~]# ps -ef | grep 9847
    root      9847     1  0 15:30 ?        00:00:00 /usr/bin/dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --default-runtime=docker-runc --exec-opt native.cgroupdriver=systemd --userland-proxy-path=/usr/libexec/docker/docker-proxy-current --init-path=/usr/libexec/docker/docker-init-current --seccomp-profile=/etc/docker/seccomp.json --selinux-enabled=false --log-driver=journald --signature-verification=false --storage-driver overlay2
    root      9853  9847  0 15:30 ?        00:00:00 /usr/bin/docker-containerd-current -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libcontainerd/containerd --shim docker-containerd-shim --runtime docker-runc --runtime-args --systemd-cgroup=true
    root      9961  2112  0 15:37 pts/0    00:00:00 grep --color=auto 9847
    [root@docker ~]# docker^C
    [root@docker ~]# ps -A | grep -i docker
     9847 ?        00:00:00 dockerd-current
     9853 ?        00:00:00 docker-containe
     
     
     
    
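     Main PID: 9847 (dockerd-current)   the Docker process

     Process 9853 is

    The dockerd daemon is started as root.

    It has one child process, docker-containe, which is multi-threaded.

    Remote access to Docker
    By default, the Docker daemon creates a socket file (/var/run/docker.sock) for local inter-process communication and does not listen on any port, so Docker can only be operated locally, through the docker client or the Docker API. To operate the Docker host from other hosts, the Docker daemon has to listen on a port so that remote communication is possible.

    Modifying the Docker daemon startup options

        -H  tcp://host:port

        unix:///path/to/socket          // default daemon configuration

        fd://* or fd://socketfd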
    
    [root@docker /]# docker daemon -H tcp://0.0.0.0:2375
    Command "daemon" is deprecated, and will be removed in Docker 1.16. Please run `dockerd` directly.
    Error starting daemon: pid file found, ensure docker is not running or delete /var/run/docker.pid
    
    docker daemon -H tcp://0.0.0.0:2375 -H 
    
    Edit /usr/lib/systemd/system/docker.service to configure remote access. The change is mainly in the [Service] section, where the following parameters are added:
    
    
    [root@docker /]# cat /usr/lib/systemd/system/docker.service
    [Unit]
    Description=Docker Application Container Engine
    Documentation=http://docs.docker.com
    After=network.target
    Wants=docker-storage-setup.service
    Requires=docker-cleanup.timer
    
    [Service]
    Type=notify
    NotifyAccess=main
    EnvironmentFile=-/run/containers/registries.conf
    EnvironmentFile=-/etc/sysconfig/docker
    EnvironmentFile=-/etc/sysconfig/docker-storage
    EnvironmentFile=-/etc/sysconfig/docker-network
    Environment=GOTRACEBACK=crash
    Environment=DOCKER_HTTP_HOST_COMPAT=1
    Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
    ExecStart=/usr/bin/dockerd-current \
              --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
              --default-runtime=docker-runc \
              --exec-opt native.cgroupdriver=systemd \
              --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
              --init-path=/usr/libexec/docker/docker-init-current \
              --seccomp-profile=/etc/docker/seccomp.json \
              -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock \
              $OPTIONS \
              $DOCKER_STORAGE_OPTIONS \
              $DOCKER_NETWORK_OPTIONS \
              $ADD_REGISTRY \
              $BLOCK_REGISTRY \
              $INSECURE_REGISTRY \
              $REGISTRIES
    ExecReload=/bin/kill -s HUP $MAINPID
    LimitNOFILE=1048576
    LimitNPROC=1048576
    LimitCORE=infinity
    TimeoutStartSec=0
    Restart=on-abnormal
    KillMode=process
    
    [Install]
    WantedBy=multi-user.target
    
    [root@docker /]# systemctl daemon-reload
    [root@docker /]# systemctl restart docker
    [root@docker /]# 
    
    
    [root@docker /]# netstat -na | grep 2375
    tcp6       0      0 :::2375                 :::*                    LISTEN     
    [root@docker /]# 
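
    The daemon's own warning above about binding to an IP address without -tlsverify applies to this unit file: a plain tcp:// listener on port 2375 gives any host that can reach it the same root-level control as the local socket. The check below is an added example, not part of the original article; it reads a dockerd command line such as the `ps -ef` output above and reports TCP listeners without client-certificate verification and disabled SELinux support. The finding names and the sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a dockerd command line (from `ps -ef` or ExecStart=)
# for the two settings this page changes. The finding names EXPOSED_TCP,
# LOCAL_TCP and SELINUX_OFF are made up for this example.

audit_dockerd_cmdline() {
    tls=0 selinux=0 hosts="" prev=""
    set -f                              # no globbing while word-splitting
    for tok in $1; do
        case "$prev" in
            -H|--host) hosts="$hosts $tok"; prev=""; continue ;;
        esac
        case "$tok" in
            -H|--host)                                prev="$tok" ;;
            -H=*|--host=*)                            hosts="$hosts ${tok#*=}" ;;
            --tlsverify|--tlsverify=true)             tls=1 ;;
            --tlsverify=false)                        tls=0 ;;
            --selinux-enabled|--selinux-enabled=true) selinux=1 ;;
            --selinux-enabled=false)                  selinux=0 ;;
        esac
    done
    for h in $hosts; do
        case "$h" in
            tcp://*) addr=${h#tcp://} ;;
            *)       continue ;;        # unix:// and fd:// stay on the host
        esac
        [ "$tls" -eq 1 ] && continue    # client certificates are required
        case "$addr" in
            127.0.0.1:*|localhost:*|\[::1\]:*) echo "LOCAL_TCP $addr" ;;
            *)                                 echo "EXPOSED_TCP $addr" ;;
        esac
    done
    set +f
    # dockerd leaves SELinux support off unless --selinux-enabled is passed
    [ "$selinux" -eq 1 ] || echo "SELINUX_OFF"
    return 0
}

# Constructed sample command lines; every flag is a real dockerd option.
PAGE_CMD='/usr/bin/dockerd-current -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock --selinux-enabled=false --log-driver=journald'
SOCKET_ONLY_CMD='/usr/bin/dockerd-current -H unix:///var/run/docker.sock --selinux-enabled'
TLS_CMD='/usr/bin/dockerd-current -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem --selinux-enabled'

for cmd in "$PAGE_CMD" "$SOCKET_ONLY_CMD" "$TLS_CMD"; do
    printf '%s\n' "--- $cmd"
    audit_dockerd_cmdline "$cmd"
done
```

    LOCAL_TCP is reported separately because a loopback listener still lets every local user bypass the root:docker permissions on /var/run/docker.sock.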
    
  • Original article: https://www.cnblogs.com/hzcya1995/p/13348753.html