  • Docker Container Technology: The First Container

    I. The First Container

    1. Docker editions
    A. Community Edition (Docker CE)
    Docker CE is the new name for the free Docker product. It contains the complete Docker platform and is aimed at developers and operations teams building containerised applications.

    B. Enterprise Edition (Docker EE)
    Docker EE is supported by Docker Inc., runs on certified operating systems and cloud providers, and can run certified containers and plugins from the Docker Store.
    Docker EE is sold in three tiers:

    • Basic: the Docker platform for certified infrastructure, support from Docker Inc., and certified containers and plugins from the Docker Store
    • Standard: adds advanced image and container management, LDAP/AD user integration and role-based access control (Docker Datacenter)
    • Advanced: adds Docker Security Scanning and continuous vulnerability monitoring

    2. Installing and starting Docker on CentOS 7

    yum remove docker docker-common docker-selinux docker-engine        # remove the older distro packages first
    yum -y update
    yum install -y yum-utils device-mapper-persistent-data lvm2          # repo tooling plus storage-driver dependencies
    yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo   # fetched over HTTPS; the repo file sets gpgcheck=1, so packages are signature-checked
    yum makecache fast
    yum -y install docker-ce
    systemctl start docker
    

    3. Docker information

    [root@bogon ~]# docker version
    Client:
     Version:      17.09.0-ce
     API version:  1.32
     Go version:   go1.8.3
     Git commit:   afdb6d4
     Built:        Tue Sep 26 22:41:23 2017
     OS/Arch:      linux/amd64
    
    Server:
     Version:      17.09.0-ce
     API version:  1.32 (minimum version 1.12)
     Go version:   go1.8.3
     Git commit:   afdb6d4
     Built:        Tue Sep 26 22:42:49 2017
     OS/Arch:      linux/amd64
     Experimental: false
    
    
    [root@bogon ~]# docker info
    Containers: 0
     Running: 0
     Paused: 0
     Stopped: 0
    Images: 0
    Server Version: 17.09.0-ce
    Storage Driver: overlay
     Backing Filesystem: xfs
     Supports d_type: true
    Logging Driver: json-file
    Cgroup Driver: cgroupfs
    Plugins:
     Volume: local
     Network: bridge host macvlan null overlay
     Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
    Swarm: inactive
    Runtimes: runc
    Default Runtime: runc
    Init Binary: docker-init
    containerd version: 06b9cb35161009dcb7123345749fef02f7cea8e0
    runc version: 3f2f8b84a77f73d38244dd690525642a72156c64
    init version: 949e6fa
    Security Options:
     seccomp
      Profile: default
    Kernel Version: 3.10.0-514.el7.x86_64
    Operating System: CentOS Linux 7 (Core)
    OSType: linux
    Architecture: x86_64
    CPUs: 2
    Total Memory: 1.796GiB
    Name: bogon
    ID: XW37:75N5:RGMZ:624K:TEC4:ONHO:6ACS:NM5W:VF32:NHTR:6AUJ:XT7W
    Docker Root Dir: /var/lib/docker
    Debug Mode (client): false
    Debug Mode (server): false
    Registry: https://index.docker.io/v1/
    Experimental: false
    Insecure Registries:
     127.0.0.0/8
    Live Restore Enabled: false
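    The docker info output above already shows the lines worth checking on any daemon: the seccomp default profile under Security Options, the Insecure Registries list (only the 127.0.0.0/8 default is harmless) and Live Restore. The shell function below is an added example, not part of the original post, that pulls those findings out of a saved docker info dump. Both samples are constructed: the first from the output above, the second from an assumed lab daemon with weaker settings.

```shell
#!/bin/sh
# Added example, not from the original post: audit a `docker info` dump for
# the security-relevant settings discussed on this page.
# Usage:  docker info | audit_docker_info
# One finding per line: WARN = fix it, INFO = be aware of it.
audit_docker_info() {
    awk '
    # Section headers; the indented lines that follow belong to them.
    /^Security Options:/    { in_sec = 1; in_ins = 0; next }
    /^Insecure Registries:/ { in_ins = 1; in_sec = 0; next }
    /^[^ ]/                 { in_sec = 0; in_ins = 0 }   # any other unindented line closes both

    in_sec && /^ *seccomp$/          { seccomp = 1 }
    in_sec && /^ *Profile: default$/ { seccomp_default = 1 }
    in_sec && /^ *userns$/           { userns = 1 }

    # Registries listed here are used over plain HTTP or without TLS verification.
    # Loopback entries (127.0.0.0/8 is the default) are the only acceptable ones.
    in_ins && /^ / {
        if ($1 !~ /^127\./ && $1 !~ /^localhost/)
            print "WARN insecure registry allowed (no TLS verification): " $1
    }

    /^Registry: / && $2 !~ /^https:/ { print "WARN default registry is not https: " $2 }
    /^Debug Mode \(server\): true/   { print "WARN daemon debug mode is on" }
    /^Live Restore Enabled: false/   { print "INFO live restore off: a daemon restart stops every container" }

    END {
        if (!seccomp)              print "WARN seccomp is not enabled"
        else if (!seccomp_default) print "INFO seccomp uses a non-default profile; review it"
        if (!userns)               print "INFO userns-remap off: uid 0 in a container is uid 0 on the host"
    }'
}

# Constructed from the docker info output shown on this page.
PAGE_DOCKER_INFO=$(cat <<'EOF'
Containers: 0
Server Version: 17.09.0-ce
Storage Driver: overlay
Logging Driver: json-file
Cgroup Driver: cgroupfs
Security Options:
 seccomp
  Profile: default
Kernel Version: 3.10.0-514.el7.x86_64
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
EOF
)

# Constructed: an assumed lab daemon with seccomp off, a plaintext registry and debug on.
LAB_DOCKER_INFO=$(cat <<'EOF'
Server Version: 17.09.0-ce
Security Options:
 apparmor
Registry: https://index.docker.io/v1/
Debug Mode (server): true
Insecure Registries:
 10.0.2.15:5000
 127.0.0.0/8
Live Restore Enabled: true
EOF
)

printf '%s\n' "$PAGE_DOCKER_INFO" | audit_docker_info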
    

    II. Docker Images

    1. Building a Docker image
    Clone the Git repository of the sample webapp

    [root@bogon ~]# git clone https://github.com/docker-training/webapp.git
    Cloning into 'webapp'...
    remote: Counting objects: 45, done.
    remote: Total 45 (delta 0), reused 0 (delta 0), pack-reused 45
    Unpacking objects: 100% (45/45), done.
    

    Build the image with docker build:
    -t tags the image as repository[:tag]; the part before the slash (hubuser here) is the Docker Hub namespace and must match the account that will push the image later
    the trailing . is the build context: the directory whose contents are sent to the daemon and from which the Dockerfile's ADD lines read

    [root@bogon webapp]# docker build -t hubuser/webapp .
    Sending build context to Docker daemon  121.3kB
    Step 1/10 : FROM ubuntu:14.04
    14.04: Pulling from library/ubuntu
    bae382666908: Pull complete 
    29ede3c02ff2: Pull complete 
    da4e69f33106: Pull complete 
    8d43e5f5d27f: Pull complete 
    b0de1abb17d6: Pull complete 
    Digest: sha256:6e3e3f3c5c36a91ba17ea002f63e5607ed6a8c8e5fbbddb31ad3e15638b51ebc
    Status: Downloaded newer image for ubuntu:14.04
     ---> dea1945146b9
    Step 2/10 : MAINTAINER Docker Education Team <education@docker.com>
     ---> Running in c70ce7fad85e
     ---> 06e621d6b0f2
    Removing intermediate container c70ce7fad85e
    Step 3/10 : RUN apt-get update
     ---> Running in a72a6899c375
    ... (output omitted)
    Get:22 http://archive.ubuntu.com trusty/restricted amd64 Packages [16.0 kB]
    Get:23 http://archive.ubuntu.com trusty/universe amd64 Packages [7589 kB]
    Get:24 http://archive.ubuntu.com trusty/multiverse amd64 Packages [169 kB]
    Fetched 21.1 MB in 1min 31s (229 kB/s)
    Reading package lists...
     ---> 9cf5900247f6
    Removing intermediate container a72a6899c375
    Step 4/10 : RUN DEBIAN_FRONTEND=noninteractive apt-get install -y -q python-all python-pip
     ---> Running in be2a1c692bfc
    Reading package lists...
    Building dependency tree...
    Reading state information...
    The following extra packages will be installed:
      binutils build-essential ca-certificates cpp cpp-4.8 dpkg-dev fakeroot g++
      g++-4.8 gcc gcc-4.8 libalgorithm-diff-perl libalgorithm-diff-xs-perl
      libalgorithm-merge-perl libasan0 libatomic1 libc-dev-bin libc6-dev
      libcloog-isl4 libdpkg-perl libfakeroot libfile-fcntllock-perl libgcc-4.8-dev
      libgmp10 libgomp1 libisl10 libitm1 libmpc3 libmpfr4 libpython-stdlib
      libpython2.7-minimal libpython2.7-stdlib libquadmath0 libstdc++-4.8-dev
      libtimedate-perl libtsan0 linux-libc-dev make manpages manpages-dev openssl
      patch python python-chardet python-chardet-whl python-colorama
      python-colorama-whl python-distlib python-distlib-whl python-html5lib
      python-html5lib-whl python-minimal python-pip-whl python-pkg-resources
      python-requests python-requests-whl python-setuptools python-setuptools-whl
      python-six python-six-whl python-urllib3 python-urllib3-whl python-wheel
      python2.7 python2.7-minimal python3-pkg-resources xz-utils
    Suggested packages:
      binutils-doc cpp-doc gcc-4.8-locales debian-keyring g++-multilib
      g++-4.8-multilib gcc-4.8-doc libstdc++6-4.8-dbg gcc-multilib autoconf
      automake1.9 libtool flex bison gdb gcc-doc gcc-4.8-multilib libgcc1-dbg
      libgomp1-dbg libitm1-dbg libatomic1-dbg libasan0-dbg libtsan0-dbg
      libquadmath0-dbg glibc-doc libstdc++-4.8-doc make-doc man-browser ed
      diffutils-doc python-doc python-tk python-genshi python-lxml
      python-distribute python-distribute-doc python2.7-doc binfmt-support
      python3-setuptools
    Recommended packages:
      python-dev-all
    The following NEW packages will be installed:
      binutils build-essential ca-certificates cpp cpp-4.8 dpkg-dev fakeroot g++
      g++-4.8 gcc gcc-4.8 libalgorithm-diff-perl libalgorithm-diff-xs-perl
      libalgorithm-merge-perl libasan0 libatomic1 libc-dev-bin libc6-dev
      libcloog-isl4 libdpkg-perl libfakeroot libfile-fcntllock-perl libgcc-4.8-dev
      libgmp10 libgomp1 libisl10 libitm1 libmpc3 libmpfr4 libpython-stdlib
      libpython2.7-minimal libpython2.7-stdlib libquadmath0 libstdc++-4.8-dev
      libtimedate-perl libtsan0 linux-libc-dev make manpages manpages-dev openssl
      patch python python-all python-chardet python-chardet-whl python-colorama
      python-colorama-whl python-distlib python-distlib-whl python-html5lib
      python-html5lib-whl python-minimal python-pip python-pip-whl
      python-pkg-resources python-requests python-requests-whl python-setuptools
      python-setuptools-whl python-six python-six-whl python-urllib3
      python-urllib3-whl python-wheel python2.7 python2.7-minimal
      python3-pkg-resources xz-utils
    0 upgraded, 69 newly installed, 0 to remove and 5 not upgraded.
    Need to get 46.9 MB of archives.
    After this operation, 140 MB of additional disk space will be used.
    Get:1 http://archive.ubuntu.com/ubuntu/ trusty-updates/main libasan0 amd64 4.8.4-2ubuntu1~14.04.3 [63.1 kB]
    ... (output omitted)
    Message from syslogd@bogon at Oct 23 16:17:23 ...
     kernel:unregister_netdevice: waiting for lo to become free. Usage count = 1
    ... (output omitted)
    Extracting templates from packages: 100%
    Preconfiguring packages ...
    Fetched 46.9 MB in 5min 6s (153 kB/s)
    ... (output omitted)
    Processing triggers for libc-bin (2.19-0ubuntu6.13) ...
    Processing triggers for ca-certificates (20170717~14.04.1) ...
    Updating certificates in /etc/ssl/certs... 148 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....done.
     ---> b8c56991b833
    Removing intermediate container be2a1c692bfc
    Step 5/10 : ADD ./webapp/requirements.txt /tmp/requirements.txt
     ---> 8170b67cfebc
    Step 6/10 : RUN pip install -qr /tmp/requirements.txt
     ---> Running in 4884119a0ab4
    Compiling /tmp/pip_build_root/Jinja2/jinja2/asyncfilters.py ...
      File "/tmp/pip_build_root/Jinja2/jinja2/asyncfilters.py", line 7
        async def auto_to_seq(value):
                ^
    SyntaxError: invalid syntax
    
    Compiling /tmp/pip_build_root/Jinja2/jinja2/asyncsupport.py ...
      File "/tmp/pip_build_root/Jinja2/jinja2/asyncsupport.py", line 22
        async def concat_async(async_gen):
                ^
    SyntaxError: invalid syntax
    
     ---> 9010ec5b7e5f
    Removing intermediate container 4884119a0ab4
    Step 7/10 : ADD ./webapp /opt/webapp/
     ---> 6416bfb827c1
    Step 8/10 : WORKDIR /opt/webapp
     ---> 20e91a8bc5e2
    Removing intermediate container 5e2e80b5a18f
    Step 9/10 : EXPOSE 5000
     ---> Running in 9d8baa35a4da
     ---> 7be117cd2934
    Removing intermediate container 9d8baa35a4da
    Step 10/10 : CMD python app.py
     ---> Running in 1f97d2626adb
     ---> cbe52807fcad
    Removing intermediate container 1f97d2626adb
    Successfully built cbe52807fcad
    Successfully tagged hubuser/webapp:latest
    
    [root@bogon webapp]# docker images
    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
    hubuser/webapp      latest              cbe52807fcad        20 minutes ago      362MB
    ubuntu              14.04               dea1945146b9        5 weeks ago         188MB
    

    2. Pushing the Docker image to a registry
    By default images are pushed to Docker Hub (the public registry).

    Log in at https://hub.docker.com and create a repository there

    [root@bogon ~]# docker login
    Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
    Username: hdlptz
    Password: 
    Login Succeeded
    

    Push the image to Docker Hub. Note that docker login stores the credentials base64-encoded, not encrypted, in ~/.docker/config.json unless a credential helper is configured, so that file has to be protected like the password itself.

    [root@bogon ~]# docker push hubuser/webapp
    The push refers to a repository [docker.io/hubuser/webapp]
    03540df98ba0: Preparing 
    905b70fe5239: Preparing 
    d01de91709c6: Preparing 
    256c1ee6192f: Preparing 
    d0807f9f7656: Preparing 
    7fb9ba64f896: Waiting 
    4e1e6ac5b9d6: Waiting 
    48daf661d621: Waiting 
    bf59e7acf5c4: Waiting 
    c47d9b229ca4: Waiting 
    denied: requested access to the resource is denied
    
    The push is denied because the part of the tag before the slash, hubuser, is not the Docker ID that was logged in; retag the image under your own Hub username and push again.
    
    [root@bogon ~]# docker tag cbe52807fcad hdlptz/webapp:latest
    [root@bogon ~]# docker images
    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
    hdlptz/webapp       latest              cbe52807fcad        31 minutes ago      362MB
    hubuser/webapp      latest              cbe52807fcad        31 minutes ago      362MB
    ubuntu              14.04               dea1945146b9        5 weeks ago         188MB
    [root@bogon ~]# docker push hdlptz/webapp
    The push refers to a repository [docker.io/hdlptz/webapp]
    03540df98ba0: Pushed 
    905b70fe5239: Pushed 
    d01de91709c6: Pushed 
    256c1ee6192f: Pushing [=>                                                 ]   4.92MB/148MB
    d0807f9f7656: Pushing [=====>                                             ]  2.286MB/21.07MB
    7fb9ba64f896: Pushed 
    4e1e6ac5b9d6: Pushed 
    48daf661d621: Pushed 
    bf59e7acf5c4: Pushed 
    c47d9b229ca4: Pushing [>                                                  ]  525.3kB/187.8MB
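    The denied push comes down to how the client splits an image reference. The shell functions below are an added example, not from the original post and not Docker's own code, that parse a reference the way the client normalises it (the first path component is a registry only if it contains "." or ":" or is "localhost"; otherwise the registry is docker.io and a single-component name lives in the library namespace) and check the namespace against the Hub login before pushing. The user name hdlptz is the one from the login above; the registry.example.com and localhost references are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: parse an image reference the way
# the Docker client normalises it, then check whether a push would land in the
# logged-in Docker Hub namespace. Prints: registry namespace name tag|digest
parse_image_ref() {
    ref=$1; registry=docker.io; namespace=; tag=; digest=
    case $ref in *@*) digest=${ref#*@}; ref=${ref%%@*};; esac       # name@sha256:...
    first=${ref%%/*}
    if [ "$first" != "$ref" ]; then
        # Only a component with "." or ":" (or exactly "localhost") is a registry host.
        case $first in *.*|*:*|localhost) registry=$first; ref=${ref#*/};; esac
    fi
    last=${ref##*/}
    case $last in *:*) tag=${last##*:}; ref=${ref%:*};; esac          # registry port already stripped
    case $ref in
        */*) namespace=${ref%/*}; name=${ref##*/};;
        *)   name=$ref; [ "$registry" = docker.io ] && namespace=library;;
    esac
    printf '%s %s %s %s\n' "$registry" "${namespace:--}" "$name" "${digest:-${tag:-latest}}"
}

# Return 0 when a push of REF goes to USER's own Docker Hub namespace.
# Anything else on docker.io yields "denied: requested access to the resource is denied".
can_push_as() {
    user=$1; ref=$2
    set -- $(parse_image_ref "$ref")          # registry namespace name tag
    [ "$1" = docker.io ] && [ "$2" = "$user" ]
}

parse_image_ref hubuser/webapp                            # docker.io hubuser webapp latest
parse_image_ref ubuntu:14.04                              # docker.io library ubuntu 14.04
parse_image_ref registry.example.com:5000/team/app:1.2    # assumed private registry
can_push_as hdlptz hubuser/webapp || echo "retag as hdlptz/webapp before pushing"
```

    Running the check before docker push saves the round trip shown above; it also makes the namespace explicit when the target is a private registry, where the Hub login is irrelevant.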
    

    3. Pulling a Docker image from the Hub
    Used to fetch an existing image from the Hub, either to run it or to build your own image on top of it. A tag such as latest or 14.04 is mutable, so for reproducible builds pin the digest that pull prints (for example the ubuntu@sha256:... line in the build output above).

    docker rmi hdlptz/webapp
    docker pull hdlptz/webapp
    docker images
    

    4. Running a Docker container
    A. Exposing container ports
    EXPOSE in the Dockerfile only records which ports the service listens on (docker ps shows them as 5000/tcp); it does not open them to anything outside the container. Reaching them from the host or the network needs a published port (-P or -p, see B below).

    [root@bogon webapp]# vim Dockerfile 
    
    FROM ubuntu:14.04
    MAINTAINER Docker Education Team <education@docker.com>
    RUN apt-get update
    RUN DEBIAN_FRONTEND=noninteractive apt-get install -y -q python-all python-pip
    ADD ./webapp/requirements.txt /tmp/requirements.txt
    RUN pip install -qr /tmp/requirements.txt
    ADD ./webapp /opt/webapp/
    WORKDIR /opt/webapp
    EXPOSE 5000
    CMD ["python", "app.py"]
    
    [root@bogon webapp]# docker run --name webapp -d hdlptz/webapp
    Unable to find image 'hdlptz/webapp:latest' locally
    docker: Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on 202.106.0.20:53: read udp 10.0.2.4:47876->202.106.0.20:53: i/o timeout.
    See 'docker run --help'
    

    The author's fix was to replace firewalld with plain iptables (the error itself is a DNS lookup for registry-1.docker.io timing out against 202.106.0.20). This swaps firewalld's rules for whatever /etc/sysconfig/iptables contains, so check that file before doing it outside a lab VM; the iptables.service unit used below comes from the iptables-services package, and Docker manages its own rules in the DOCKER chain either way:

    [root@bogon webapp]# systemctl stop firewalld.service
    [root@bogon webapp]# systemctl disable firewalld.service
    Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
    Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
    [root@bogon webapp]# firewall-cmd --state
    not running
    
    [root@bogon webapp]# yum update iptables
    [root@localhost ~]# systemctl restart iptables.service
    

    Start the container

    [root@localhost ~]# docker run -d --expose=4000-4500 --name webapp hubuser/webapp
    e0294c4a650afa27564d341ca6f31e46ccb4dfbd767c39d0ae866dfc32f6f79f
    [root@localhost ~]# docker ps
    CONTAINER ID        IMAGE               COMMAND             CREATED              STATUS              PORTS               NAMES
    e0294c4a650a        hubuser/webapp      "python app.py"     About a minute ago   Up About a minute   5000/tcp            webapp
    

    B. Publishing container ports
    -P (--publish-all) publishes every exposed port of the container on a random high port of the Docker host, taken from the ephemeral range in /proc/sys/net/ipv4/ip_local_port_range. The binding is on 0.0.0.0, i.e. every interface, and Docker adds its own DNAT and FORWARD rules for it, which the host's INPUT chain never sees, so such a port is reachable from the network regardless of the host firewall.

    [root@localhost ~]# docker run -P -d --name exposed hubuser/webapp
    944c67e9d101405a9bb7a55650ca87e62d590d4a388f38345136ec9d6f0b68da
    [root@localhost ~]# docker ps
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                     NAMES
    944c67e9d101        hubuser/webapp      "python app.py"     5 seconds ago       Up 4 seconds        0.0.0.0:32768->5000/tcp   exposed
    e0294c4a650a        hubuser/webapp      "python app.py"     6 minutes ago       Up 6 minutes        5000/tcp                  webapp
    [root@localhost ~]# cat /proc/sys/net/ipv4/ip_local_port_range 
    32768	60999
    
    [root@localhost ~]# ss -lt 'sport = *:32768'
    State      Recv-Q Send-Q           Local Address:Port                            Peer Address:Port                
    LISTEN     0      128                          *:ssh                                        *:*                    
    LISTEN     0      100                  127.0.0.1:smtp                                       *:*                    
    LISTEN     0      128                         :::ssh                                       :::*                    
    LISTEN     0      100                        ::1:smtp                                      :::*                    
    LISTEN     0      128                         :::32768                                     :::*                    
    [root@localhost ~]# curl http://192.168.56.102:32768
    Hello world!
    

    -p (--publish) publishes a port explicitly, including one the image did not EXPOSE. It takes one of the forms:

    • containerPort
    • hostPort:containerPort
    • ip::containerPort
    • ip:hostPort:containerPort

    Giving hostPort selects the host port instead of a random one;
    giving ip binds only that host address, so the port accepts connections on that interface alone and replies go back to the mapped container port. Binding to 127.0.0.1, as below, keeps the service off the network entirely, which is the right default for anything not meant to be public.

    [root@localhost ~]# docker run -d -p 127.0.0.1:80:5000 hubuser/webapp
    5a1754f8433fafba4f9bcc0a24a1fa1743df72a0f045de486b47b7734a774df6
    [root@localhost ~]# curl http://localhost
    Hello world!
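    Because -P and an unqualified -p bind on 0.0.0.0, it is worth listing which containers are actually reachable from the network. The shell function below is an added example, not part of the original post, that reads docker ps --format '{{.Names}} {{.Ports}}' output and prints only the wide-open bindings. The sample input is constructed from the three containers above plus one assumed dual-stack binding (:::8080), the form newer Docker versions print for IPv6.

```shell
#!/bin/sh
# Added example, not from the original post: report published ports bound to
# every interface.  Usage:
#   docker ps --format '{{.Names}} {{.Ports}}' | flag_wide_open_ports
flag_wide_open_ports() {
    awk '{
        name  = $1
        ports = substr($0, length(name) + 2)      # rest of the line: "a, b, c"
        n = split(ports, b, /, */)
        for (i = 1; i <= n; i++) {
            if (b[i] !~ /->/) continue            # "5000/tcp": EXPOSEd only, no host binding
            split(b[i], side, "->")
            bind = side[1]                        # "0.0.0.0:32768", "127.0.0.1:80", ":::8080"
            sub(/:[0-9-]+$/, "", bind)            # drop the host port (or port range), keep the address
            if (bind == "0.0.0.0" || bind == "::")
                print name " " b[i]
        }
    }'
}

# Constructed sample: the containers from this page plus an assumed IPv6 wildcard binding.
SAMPLE_PS=$(cat <<'EOF'
exposed 0.0.0.0:32768->5000/tcp
webapp 5000/tcp
loopback_only 127.0.0.1:80->5000/tcp
v6 :::8080->8080/tcp
EOF
)

printf '%s\n' "$SAMPLE_PS" | flag_wide_open_ports
```

    Only the exposed and v6 containers are printed; webapp has no host binding at all and loopback_only is confined to 127.0.0.1. Anything this lists should either be re-run with -p 127.0.0.1:hostPort:containerPort behind a reverse proxy or be a service that is genuinely meant to be public.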
    

    5. Linking containers
    Linking lets a recipient container reach a source container by an alias, so the two can discover each other without publishing any port on the host. (Legacy --link is deprecated; user-defined bridge networks with built-in DNS are the current way to do this, but the mechanism below is what this Docker version documents.)

    [root@localhost ~]# docker run --name source -d hubuser/webapp
    74ef7227163a9cca05df9e61857214ccaf5e0929bff9c5c601475e1d57c007de
    [root@localhost ~]# docker run --link source:webapp --name destination busybox /bin/ping webapp
    [root@localhost ~]# docker inspect -f "{{ .HostConfig.Links }}" destination
    [/source:/destination/webapp]
    

    The Docker host passes information about the source container to the recipient through two channels:

    • environment variables
    • entries in /etc/hosts
    [root@localhost ~]# docker inspect -f "{{ .NetworkSettings.IPAddress }}" source
    172.17.0.5
    [root@localhost ~]# docker inspect -f "{{ .NetworkSettings.IPAddress }}" destination
    
    
    [root@localhost ~]# iptables -L DOCKER
    Chain DOCKER (1 references)
    target     prot opt source               destination         
    ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:commplex-main
    ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:commplex-main
    

    6. Interactive containers
    -i keeps STDIN open and attached, so the container runs in the foreground and reads from the terminal;
    -t allocates a pseudo-terminal; the two are normally combined as -it.

    [root@localhost ~]# docker run -i -t --link source:webapp --name interactive_container busybox /bin/sh
    
    Check the environment variables exposed to the recipient container
    env |grep WEBAPP
    
    Between linked containers, the recipient discovers the source through its /etc/hosts entry: the alias resolves to the source container's IP.
    
    Connect to the web app in the source container through its alias (nc opens a raw TCP connection; type a request such as GET / HTTP/1.0 followed by a blank line)
    nc webapp 5000
    

    Linking creates the following environment variables in the recipient container (ALIAS is the link alias in upper case, here WEBAPP):

    • ALIAS_NAME=/recipient_container/alias, one per link (here WEBAPP_NAME=/destination/webapp)
    • for every port the source exposes, with the prefix ALIAS_PORT_<port>_<proto>:
      the prefix itself holds the URL, e.g. WEBAPP_PORT_5000_TCP=tcp://172.17.0.5:5000
      ALIAS_PORT_<port>_<proto>_ADDR: the source container's IP address
      ALIAS_PORT_<port>_<proto>_PORT: the exposed port
      ALIAS_PORT_<port>_<proto>_PROTO: the port's protocol, tcp or udp
    • ALIAS_PORT: the URL of the first port the source exposes
    • ALIAS_ENV_<name>: a copy of every ENV variable set in the source image or with -e on the source container, so any secret handed to the source is readable by every container linked to it
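    Seen from the recipient these are just ordinary environment variables. The shell function below is an added example, not part of the original post, that reads an env dump taken inside a linked container, turns the _ADDR/_PORT pairs back into endpoints and flags _ENV_ copies with secret-looking names without printing their values. The sample is constructed from the alias, IP and port shown above; the DB_PASSWORD variable and the HOSTNAME are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: summarise what a legacy link
# handed to this container.  Usage (inside the recipient):  env | link_report
link_report() {
    awk -F '=' '
    # WEBAPP_PORT_5000_TCP_ADDR=172.17.0.5  ->  "WEBAPP tcp 172.17.0.5:5000"
    $1 ~ /_PORT_[0-9]+_(TCP|UDP)_ADDR$/ {
        key = $1; sub(/_ADDR$/, "", key)                    # WEBAPP_PORT_5000_TCP
        alias = key; sub(/_PORT_[0-9]+_(TCP|UDP)$/, "", alias)
        split(substr(key, length(alias) + 7), pp, "_")      # "5000_TCP" -> pp[1]=port pp[2]=proto
        print alias " " tolower(pp[2]) " " $2 ":" pp[1]
    }
    # Copies of the source ENV with secret-looking names; print the name only,
    # never the value, so the report itself does not leak it into a log.
    $1 ~ /_ENV_/ && $1 ~ /(PASS|SECRET|TOKEN|KEY)/ { print "LEAK " $1 }
    '
}

# Constructed sample: env of the recipient linked with --link source:webapp.
# DB_PASSWORD stands for an assumed ENV set on the source container.
LINKED_ENV=$(cat <<'EOF'
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=7f3c1e2d9a10
WEBAPP_PORT=tcp://172.17.0.5:5000
WEBAPP_PORT_5000_TCP=tcp://172.17.0.5:5000
WEBAPP_PORT_5000_TCP_ADDR=172.17.0.5
WEBAPP_PORT_5000_TCP_PORT=5000
WEBAPP_PORT_5000_TCP_PROTO=tcp
WEBAPP_NAME=/destination/webapp
WEBAPP_ENV_DB_PASSWORD=hunter2
HOME=/root
EOF
)

printf '%s\n' "$LINKED_ENV" | link_report
```

    The LEAK line is the practical reason to prefer user-defined networks over --link: a network gives the recipient name resolution for the source and nothing else, whereas a link copies the source's whole ENV into the recipient.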

    Summary:
    Build images with docker build, and keep the Dockerfile under version control.

  • Original article: https://www.cnblogs.com/tongxiaoda/p/7717305.html