Docker lesson 1
docker info
Client:
Context: default
Debug Mode: false
Plugins:
app: Docker App (Docker Inc., v0.9.1-beta3)
buildx: Docker Buildx (Docker Inc., v0.9.1-docker)
scan: Docker Scan (Docker Inc., v0.17.0)
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 20.10.8
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6
runc version: v1.1.4-0-g5fd4c4d
init version: de40ad0
Security Options:
seccomp
Profile: default
Kernel Version: 3.10.0-957.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.934GiB
Name: ceshi
ID: GILH:FAOU:WBPL:TQIX:TJ2R:JEDT:4675:Z3OG:E5XM:ZOCD:EUK2:7E3B
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Installing Docker on Ubuntu
apt -y install apt-transport-https ca-certificates curl gnupg-agent software-properties-common
curl -fsSL http://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
add-apt-repository "deb [arch=amd64] http://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
apt-cache madison docker-ce
apt install docker-ce=5:20.10.16~3-0~ubuntu-jammy docker-ce-cli=5:20.10.16~3-0~ubuntu-jammy containerd.io
systemctl daemon-reload
systemctl start docker
root@ubuntu:~# docker info
Client:
Context: default
Debug Mode: false
Plugins:
app: Docker App (Docker Inc., v0.9.1-beta3)
buildx: Docker Buildx (Docker Inc., v0.8.2-docker)
scan: Docker Scan (Docker Inc., v0.17.0)
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 20.10.16
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6
runc version: v1.1.4-0-g5fd4c4d
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: default
cgroupns
Kernel Version: 5.15.0-52-generic
Operating System: Ubuntu 22.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.896GiB
Name: ubuntu
ID: 5Y7K:FM25:BPFS:BF7I:5G46:A6C6:5HQB:YPDE:WLMC:4I6X:ZPIC:75PF
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
MNT Namespace: isolates mount points and file systems
IPC Namespace: isolates inter-process communication
Net Namespace: isolates networking
UTS Namespace: isolates the hostname
PID Namespace: isolates processes
User Namespace: isolates users
Time Namespace: isolates time
Syslog Namespace: isolates syslog
Control group Namespace: isolates the identity of the control group a process belongs to
Container data volumes: to keep data written inside a container permanently, mount a host directory into the container; the container writes to the mount point, and the data is not lost when the container is deleted.
Creating a data volume:
docker volume --help    (shows the help for the volume commands)
Usage: docker volume COMMAND
Manage volumes
Commands:
create Create a volume
inspect Display detailed information on one or more volumes
ls List volumes
prune Remove all unused local volumes
rm Remove one or more volumes
Run 'docker volume COMMAND --help' for more information on a command.
An example
[root@awen ~]# docker volume create data
data
[root@awen ~]# docker volume ls
DRIVER VOLUME NAME
local data
docker run -it -d -p 80:80 -v data:/data nginx:alpine
The mount point inside the container is created automatically.
Where the volumes live on the host
[root@awen ~]# ls /var/lib/docker/volumes
backingFsBlockDev data metadata.db
[root@harbor ~]# echo "222" >> /data/testapp/index.html
The line appended with the shell redirect is served here because index.html is a static file.
[root@harbor ~]# docker run -d --name web2 -v /data/testapp:/usr/share/nginx/html/testapp:ro -p 81:80 nginx:1.22.0
# cat /usr/share/nginx/html/testapp/index.html
awen12345
222
asdfjkl
Enter the container whose mount was given the ro permission
[root@harbor ~]# docker exec -it 27ac4e775a1d sh
# echo "asdfjkl" >> /usr/share/nginx/html/testapp/index.html
sh: 3: cannot create /usr/share/nginx/html/testapp/index.html: Read-only file system
Writing is not allowed here.
Multiple data volumes can be defined, and permissions can be set on each volume.
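A defender typically wants to audit which host paths a running set of containers can write to, since a writable bind mount (the first `-v` form above, without `:ro`) is exactly where a compromised container could change host files. The following is an added example, not part of the original notes: it parses the `Mounts` section of `docker inspect` output. The container names web1/web3 and their mount entries are constructed for illustration; web2 mirrors the `:ro` mount shown above.

```python
import json

# Constructed sample: the JSON that `docker inspect web1 web2 web3` prints,
# trimmed to the fields this audit needs. The containers and values are
# assumed for illustration (web2 mirrors the ro mount from the notes).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web1",
     "Mounts": [{"Type": "volume", "Name": "data",
                 "Source": "/var/lib/docker/volumes/data/_data",
                 "Destination": "/data", "Driver": "local",
                 "Mode": "z", "RW": True, "Propagation": ""}]},
    {"Name": "/web2",
     "Mounts": [{"Type": "bind", "Source": "/data/testapp",
                 "Destination": "/usr/share/nginx/html/testapp",
                 "Mode": "ro", "RW": False, "Propagation": "rprivate"}]},
    {"Name": "/web3",
     "Mounts": [{"Type": "bind", "Source": "/data/testapp",
                 "Destination": "/usr/share/nginx/html/testapp",
                 "Mode": "", "RW": True, "Propagation": "rprivate"}]},
])


def list_mounts(inspect_output):
    """Flatten `docker inspect` JSON into (container, type, source, destination, mode)."""
    rows = []
    for ctr in json.loads(inspect_output):
        name = ctr.get("Name", "").lstrip("/")
        for m in ctr.get("Mounts", []):
            mode = "ro" if not m.get("RW", True) else "rw"
            rows.append((name, m.get("Type"), m.get("Source"), m.get("Destination"), mode))
    return rows


def audit_mounts(inspect_output):
    """Return one finding per host bind mount that the container can write to.

    Named volumes under /var/lib/docker/volumes are expected to be writable
    (that is what they are for); a writable bind mount of an arbitrary host
    directory is where a compromised container could alter host files, so
    those are reported unless they were declared with :ro.
    """
    findings = []
    for name, mtype, source, dest, mode in list_mounts(inspect_output):
        if mtype == "bind" and mode == "rw":
            findings.append((name, source, dest,
                             "writable bind mount of a host path; use -v %s:%s:ro "
                             "if the container only needs to read it" % (source, dest)))
    return findings


if __name__ == "__main__":
    for row in list_mounts(SAMPLE_INSPECT):
        print("%-5s %-7s %-40s -> %s (%s)" % row)
    for name, source, dest, why in audit_mounts(SAMPLE_INSPECT):
        print("FINDING %s: %s" % (name, why))
```

On a real host, feed it `docker inspect $(docker ps -q)`; the `RW` field is what Docker actually enforces, so the check reads that rather than the free-form `Mode` string.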
[root@vm-4-14-centos ~]# docker network --help
Usage: docker network COMMAND
Manage networks
Options:
--help Print usage
Commands:
connect Connect a container to a network (attach a container to a network)
create Create a network (create a network)
disconnect Disconnect a container from a network (detach a container from a network)
inspect Display detailed information on one or more networks (show network details)
ls List networks (list networks)
prune Remove all unused networks (remove unused networks)
rm Remove one or more networks (remove one or more networks)
Run 'docker network COMMAND --help' for more information on a command.
There are three networks by default:
[root@vm-4-14-centos ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
e64bc9b2777e bridge bridge local
f7f0936c5484 host host local
b94fe17e0635 none null local
[root@vm-4-14-centos ~]# docker exec -it ba23ffb9c8 sh
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:acff:fe11:2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:656 (656.0 B) TX bytes:656 (656.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Outbound traffic uses address masquerading: when a container sends packets out, they leave as if they came from the host.
Inbound, traffic to a given host port is forwarded to the target container; that port is the one specified when the container was created. Docker programs these iptables rules in the kernel.
[root@vm-4-14-centos ~]# docker run -d -p 80:80 --net=bridge nginx:1.23.1-alpine
7892859718e22a1fc236ceefa5d66c321a1d421838f97438b7dedfd0f923c51c
[root@vm-4-14-centos ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7892859718e2 nginx:1.23.1-alpine "/docker-entrypoin..." 6 seconds ago Up 5 seconds 0.0.0.0:80->80/tcp goofy_goldwasser
[root@vm-4-14-centos ~]# docker exec -it 7892859718e2 sh
/ # ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
99: eth0@if100: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
inet 172.17.0.2/16 scope global eth0
valid_lft forever preferred_lft forever
/ #
Communication between containers on the same host and the same docker0 bridge: the packet goes to the container's virtual NIC, docker0 forwards it over the next container's vethXXX interface, which delivers it into that container.
Across hosts: the container sends to its gateway docker0; the gateway checks the destination address, sees it is not local, and hands the packet to eth0, which sends it out; the kernel performs source address translation on the way.
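The masquerade and port-forwarding behaviour described above is visible in the nat table, and reading it back is the quickest way to inventory what a host actually exposes. The following is an added example, not part of the original notes: it parses `iptables -t nat -S` output into the outbound MASQUERADE rule and the inbound DNAT rules that `-p` creates, and separates ports published on every interface (`-p 80:80`, as in the notes) from ports bound to a single address. The rule text is constructed; its shape follows what dockerd installs, and the third container (172.17.0.4, published on 127.0.0.1:8080) is assumed for illustration.

```python
import re

# Constructed sample of `iptables -t nat -S` on a host running two nginx
# containers published as 0.0.0.0:80->80/tcp and 0.0.0.0:83->80/tcp, plus one
# (assumed) container published only on loopback with -p 127.0.0.1:8080:80.
# The rule shapes are the ones dockerd installs; the exact lines are assumed.
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 83 -j DNAT --to-destination 172.17.0.3:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.4:80
"""

# Outbound: every packet from the bridge subnet that leaves through an
# interface other than docker0 gets its source rewritten to the host address.
MASQ_RE = re.compile(r"^-A POSTROUTING -s (?P<subnet>\S+) ! -o (?P<bridge>\S+) -j MASQUERADE$")
# Inbound: a host port published with -p is DNATed to container_ip:port; an
# optional "-d addr/32" restricts the publish to one host address.
DNAT_RE = re.compile(
    r"^-A DOCKER(?: -d (?P<bind>\S+))? ! -i (?P<bridge>\S+) -p (?P<proto>tcp|udp)"
    r" -m (?:tcp|udp) --dport (?P<hport>\d+) -j DNAT --to-destination (?P<dst>[\d.]+):(?P<cport>\d+)$")


def parse_nat_rules(text):
    """Return (published, masquerades) parsed from `iptables -t nat -S` output."""
    published, masquerades = [], []
    for line in text.splitlines():
        m = DNAT_RE.match(line)
        if m:
            published.append({
                "bind": m["bind"] or "0.0.0.0/0",
                "proto": m["proto"],
                "host_port": int(m["hport"]),
                "container": m["dst"],
                "container_port": int(m["cport"]),
            })
            continue
        m = MASQ_RE.match(line)
        if m:
            masquerades.append((m["subnet"], m["bridge"]))
    return published, masquerades


def reachable_from_any_interface(published):
    """Published ports with no -d restriction answer on every host address,
    which is what `-p 80:80` (no bind address) produces."""
    return [p for p in published if p["bind"] == "0.0.0.0/0"]


if __name__ == "__main__":
    published, masquerades = parse_nat_rules(SAMPLE_NAT_RULES)
    for subnet, bridge in masquerades:
        print("outbound: %s masqueraded when leaving via anything but %s" % (subnet, bridge))
    for p in published:
        print("inbound: %s:%d/%s -> %s:%d" % (p["bind"], p["host_port"], p["proto"],
                                              p["container"], p["container_port"]))
    print("exposed on all interfaces:", len(reachable_from_any_interface(published)))
```

The per-container `-s X/32 -d X/32` MASQUERADE lines are deliberately ignored: they only make hairpin traffic (a container reaching its own published port) work, and do not change what is reachable from outside.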
View the bridge-to-interface mapping
[root@vm-4-14-centos ~]# yum -y install bridge-utils
Start another container
[root@vm-4-14-centos ~]# docker run -it -d -p 83:80 nginx:1.23.1-alpine
f9ec0ff55df70c3bcac7a0d00600212229acde9f9c68e341b119cbe8c83d3813
docker0
[root@vm-4-14-centos ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.024266e717fd no veth903f498
vethb38466f
[root@vm-4-14-centos ~]# docker run -it --net=none nginx:1.23.1-alpine sh
/ # ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
/ # ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100): 56 data bytes
ping: sendto: Network unreachable
[root@vm-4-14-centos ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5a65afb28b2c php:7.4.30-fpm-alpine "docker-php-entryp..." 11 minutes ago Up 11 minutes php-container
16ef4dadcdbe nginx:1.22.0-alpine "/docker-entrypoin..." 13 minutes ago Up 13 minutes 0.0.0.0:80->80/tcp nginx-container
[root@vm-4-14-centos ~]# docker exec -it 5a65afb28b2c sh
/var/www/html #
/var/www/html # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:acff:fe11:2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:656 (656.0 B) TX bytes:656 (656.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
/var/www/html # cat /etc/issue
Welcome to Alpine Linux 3.16
Kernel \r on an \m (\l)
/var/www/html # exit
[root@vm-4-14-centos ~]# docker exec -it 16ef4dadcdbe sh
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:acff:fe11:2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:656 (656.0 B) TX bytes:656 (656.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
/ # cat /etc/issue
Welcome to Alpine Linux 3.16
Kernel \r on an \m (\l)
[root@vm-4-14-centos ~]# ln -s /var/run/docker/netns/* /var/run/netns/
[root@vm-4-14-centos ~]# ip netns list
a620021e2bce (id: 1)
[root@vm-4-14-centos ~]# ll /var/run/netns/
total 0
lrwxrwxrwx 1 root root 34 Oct 20 15:03 a620021e2bce -> /var/run/docker/netns/a620021e2bce
[root@vm-4-14-centos ~]# ip netns exec a620021e2bce ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
103: eth0@if104: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe11:2/64 scope link
valid_lft forever preferred_lft forever
172.17.0.2 is the IP of this namespace.
cat /etc/sysctl.conf
net.ipv4.ip_forward=1
vm.max_map_count=262144
kernel.pid_max=4194303
fs.file-max=1000000
net.ipv4.tcp_max_tw_buckets=6000
net.netfilter.nf_conntrack_max=2097152
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness=0
vm.max_map_count=524288
fs.file-max=131072
lsmod |grep conntrack
modprobe ip_conntrack
modprobe br_netfilter
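The sysctl.conf above lists vm.max_map_count and fs.file-max twice, and `sysctl -p` applies lines in order, so the later value silently wins. The following is an added example, not part of the original notes: it parses that file, reports every overridden key with both values, and confirms the three settings the bridge network depends on (ip_forward, and the two bridge-nf-call keys whose absence produced the WARNING lines in the CentOS `docker info` output at the top of the page). The file content is the one listed above; the REQUIRED map is this check's own assumption about what Docker's bridge networking needs.

```python
# Copy of the /etc/sysctl.conf listed in the notes (the only input this check needs).
SYSCTL_CONF = """\
net.ipv4.ip_forward=1
vm.max_map_count=262144
kernel.pid_max=4194303
fs.file-max=1000000
net.ipv4.tcp_max_tw_buckets=6000
net.netfilter.nf_conntrack_max=2097152
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness=0
vm.max_map_count=524288
fs.file-max=131072
"""

# Settings the bridge network depends on (assumed set for this check):
# ip_forward so docker0 traffic can be routed out via eth0, and
# bridge-nf-call-* so bridged traffic is seen by iptables; the two WARNING
# lines in the CentOS `docker info` output mean the latter two are off.
REQUIRED = {
    "net.ipv4.ip_forward": "1",
    "net.bridge.bridge-nf-call-iptables": "1",
    "net.bridge.bridge-nf-call-ip6tables": "1",
}


def parse_sysctl_conf(text):
    """Return (effective, duplicates).

    sysctl -p applies lines in order, so a key listed twice takes its last
    value; duplicates are reported as (key, earlier, later) so the file can
    be cleaned up instead of silently keeping the wrong limit.
    """
    effective, duplicates = {}, []
    for raw in text.splitlines():
        # sysctl.conf accepts both '#' and ';' comment markers
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in effective:
            duplicates.append((key, effective[key], value))
        effective[key] = value
    return effective, duplicates


def check_bridge_settings(effective):
    """Map each required key to True if the file sets it to the expected value."""
    return {key: effective.get(key) == want for key, want in REQUIRED.items()}


if __name__ == "__main__":
    effective, duplicates = parse_sysctl_conf(SYSCTL_CONF)
    for key, earlier, later in duplicates:
        print("duplicate %s: %s overridden by %s" % (key, earlier, later))
    for key, ok in check_bridge_settings(effective).items():
        print("%-40s %s" % (key, "ok" if ok else "MISSING or not 1"))
```

The net.bridge.* keys only exist once br_netfilter is loaded, which is why the `modprobe br_netfilter` above has to run before `sysctl -p`; otherwise sysctl reports those two keys as unknown and the bridge traffic keeps bypassing iptables.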