容器
介绍
虚拟化
-
虚拟化技术就是对资源的抽象,如虚拟机,虚拟内存等
-
分类
-
从资源提供角度分
- 硬件平台虚拟化
- 操作系统虚拟化
-
从虚拟化实现方式分
- Type I:半虚拟化,虚拟机直接运行在系统硬件上,被称为裸机型,没有所谓的宿主机操作系统。
- Type II:硬件辅助全虚拟化,虚拟机运行在传统操作系统上,同样创建的是硬件全仿真实例,被称为**托管(宿主)**型。
- Type III:
- 软件全虚拟化
- 操作系统虚拟化
-
Docker
- 官网:https://www.docker.com/
- Docker为16年以来,应用最广泛的容器管理系统,用于管理容器
- LXC是08年出现的第一套完整的容器管理解决方案,不需要任何补丁直接运行在linux内核之上的容器管理方案。特点是创建容器慢,不方便移植
- Docker是在LXC基础上发展起来的
- Docker是一个在2013年开源的应用程序,是基于go语言编写的PAAS服务
- Docker相比虚拟机的交付速度更快,资源消耗更低,Docker采用客户端、服务端架构,使用远程api来管理和创建Docker容器
- Docker生态系统:容器镜像,注册表,RestFul API及命令操作界面
- 17年之后Docker商业开源,dicker-ce社区版,docker-ee商业版
Docker&虚拟机
- 虚拟机
-
docker
-
优缺点对比
- 虚拟化
- 隔离性强,有独立的GUEST OS
- 网络传输效率低
- 虚拟机创建&启动慢,读文件逐个加载
- 操作系统会占用一定的资源,开销大
- 应用程序调用硬件响应时间长
- 镜像庞大,实例化时不能共享
- 容器
- 与物理机共享内核和OS,隔离性弱
- 快速响应用户请求
- 计算/存储无损耗,无GUEST OS开销
- 镜像小,实例化时可共享
- 学习成本增加,服务治理更加繁琐
- 虚拟化
云平台技术实现
- IaaS(Infrastructure as a Service)
- 硬件即服务
- 资源整合方式:虚拟机
- 如:阿里云ECS,OpenStack VM实例
- PaaS(Platform as a Service)
- 平台即服务
- 资源整合式:容器
- 如:Docker,LXC
- SaaS(Software as a Service)
- 软件即服务
- 资源整合方式:应用程序
- 如:王者荣耀
相关内核技术
NameSpace命名空间
- UTS:命名空间允许每个容器拥有独立的主机名和域名,从而虚拟出一个具有独立主机名和网络空间的环境,可以简单理解为一个NameSpace为一个独立主机
- IPC:每个容器依旧使用linux内核中进程交互的方法,进行进程间的通信
- Mount:容器的文件系统彼此独立
- Net:网络命名空间,容器的网络彼此隔离
- User:容器内需要使用特定的内部用户执行程序(容器与容器,容器与主机用户相互隔离,每个容器都有自己的root用户)
- PID:每个容器都拥有独立的进程树。容器本身为物理机的一个进程,所以容器的进程实际是物理机的线程
命名空间:应用程序运行环境隔离的空间,则为NameSpace,每个NameSpace都拥有UTS,IPC,Mount,Net,User,PID
CGroups控制组
主要用于实现容器的资源隔离(主机虚拟化实现资源隔离的方式:通过Hypervisor中的VMM实现),CGroups能够限制九大资源子系统,基于进程进行限制(Pam通过ulimit也可以对资源进行限制,但仅能限制用户)
九大资源子系统
- cpu:限制进程使用CPU的比例
- cpuacct:产生cgroup任务的cpu资源报告
- cpuset:用于多CPU执行cgroup时,对进程进行CPU分组
- memory:限制内存使用
- blkio:限制块设备的输入输出带宽
- devices:允许或拒绝设备访问
- freezer:暂停或恢复cgroup运行
- net_cls:标记网络包
- ns:NameSpace命名空间
案例1:限制CPU
安装并启动
[root@server1 ~]# yum install -y libcgroup*
[root@server1 ~]# systemctl start cgconfig.service
[root@server1 ~]# systemctl enable cgconfig.service
创建Cgroup组
[root@server1 ~]# vim /etc/cgconfig.conf
[root@server1 ~]# tail -12 /etc/cgconfig.conf
group lesscpu {
cpu {
cpu.shares=200;
}
}
group morecpu {
cpu {
cpu.shares=800;
}
}
[root@server1 ~]# systemctl restart cgconfig.service
为保证验证效果,建议只留一个cpu
[root@server1 ~]# lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 4
[root@server1 ~]# echo 1 >/sys/devices/system/cpu/cpu0/online
[root@server1 ~]# echo 0 >/sys/devices/system/cpu/cpu1/online
[root@server1 ~]# echo 0 >/sys/devices/system/cpu/cpu2/online
[root@server1 ~]# echo 0 >/sys/devices/system/cpu/cpu3/online
[root@server1 ~]# lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 4
On-line CPU(s) list: 0
Off-line CPU(s) list: 1-3
验证
#终端1
[root@server1 ~]# cgexec -g cpu:lesscpu md5sum /dev/zero
#终端2
[root@server1 ~]# cgexec -g cpu:morecpu sha1sum /dev/zero
#终端3
案例2:限制Mem
[root@server1 ~]# vim /etc/cgconfig.conf
[root@server1 ~]# tail -8 /etc/cgconfig.conf
group lessmem {
memory {
#限制物理内存为256M
memory.limit_in_bytes=268435465;
#总内存限制(物理内存+swap)
memory.memsw.limit_in_bytes=268435465;
}
}
[root@server1 ~]# systemctl restart cgconfig.service
创建内存盘
[root@server1 ~]# mkdir /mnt/mem_test
[root@server1 ~]# mount -t tmpfs /dev/shm /mnt/mem_test/
[root@server1 ~]# df -h
文件系统 容量 已用 可用 已用% 挂载点
devtmpfs 1.9G 0 1.9G 0% /dev
tmpfs 1.9G 0 1.9G 0% /dev/shm
tmpfs 1.9G 13M 1.9G 1% /run
tmpfs 1.9G 0 1.9G 0% /sys/fs/cgroup
/dev/mapper/centos-root 36G 4.6G 31G 13% /
/dev/sda1 1014M 168M 847M 17% /boot
tmpfs 378M 64K 378M 1% /run/user/0
/dev/shm 1.9G 0 1.9G 0% /mnt/mem_test
测试
[root@server1 ~]# cgexec -g memory:lessmem dd if=/dev/zero of=/mnt/mem_test/file1 bs=1M count=300
已杀死
[root@server1 ~]# cgexec -g memory:lessmem dd if=/dev/zero of=/mnt/mem_test/file1 bs=1M count=200
记录了200+0 的读入
记录了200+0 的写出
209715200字节(210 MB)已复制,0.0849808 秒,2.5 GB/秒
[root@server1 ~]# cgexec -g memory:lessmem dd if=/dev/zero of=/mnt/mem_test/file2 bs=1M count=100
已杀死
Docker组成
- Docker客户端 client:客户端使用docker命令或其他工具调用docker api
- Docker主机 host:一个物理机或者虚拟机,用于运行docker服务进程和容器
- Docker仓库 registry:保存镜像的仓库,类似于git或svn这样的版本控制器
- Docker镜像 images:镜像可以理解为创建实例使用的模板
- Docker容器 container:容器是从镜像生成对外提供服务的一个或一组服务
Docker部署
官方文档
- https://docs.docker.com/engine/install/centos/
安装
- 卸载旧版本
yum remove docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-engine
- 设置yum源
安装yum-utils包(提供yum-config-manager 实用程序)
yum install -y yum-utils
yum-config-manager \
--add-repo \
https://download.docker.com/linux/centos/docker-ce.repo
加载yum源
yum clean all
yum makecache
- 安装 Docker
yum install -y docker-ce docker-ce-cli containerd.io
- 启动 Docker
systemctl start docker
systemctl enable docker
hello-world
通过运行映像来验证 Docker 引擎是否已正确安装
docker run hello-world
[root@server1 ~]# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete
Digest: sha256:97a379f4f88575512824f3b352bc03cd75e239179eea0fecc38e597b2209f49a
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/
快速开始
查看本地镜像
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
hello-world latest feb5d9fea6a5 4 months ago 13.3kB
搜索镜像
[root@server1 ~]# docker search tomcat
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
tomcat Apache Tomcat is an open source implementati… 3254 [OK]
下载镜像
[root@server1 ~]# docker pull tomcat
Using default tag: latest
latest: Pulling from library/tomcat
0c6b8ff8c37e: Pull complete
412caad352a3: Pull complete
e6d3e61f7a50: Pull complete
461bb1d8c517: Pull complete
e442ee9d8dd9: Pull complete
542c9fe4a7ba: Pull complete
41de18d1833d: Pull complete
302c8c746cd9: Pull complete
eb0a0c97f800: Pull complete
80de1d500a54: Pull complete
Digest: sha256:4ceb3b972a1a6dfd01106a7743c51953d9a06acef271ce6168490e5d0087206a
Status: Downloaded newer image for tomcat:latest
docker.io/library/tomcat:latest
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
tomcat latest 52691d316146 2 days ago 680MB
hello-world latest feb5d9fea6a5 4 months ago 13.3kB
拉取centos7的镜像
[root@server1 ~]# docker pull centos:7
7: Pulling from library/centos
2d473b07cdd5: Pull complete
Digest: sha256:9d4bcbbb213dfd745b58be38b13b996ebb5ac315fe75711bd618426a630e0987
Status: Downloaded newer image for centos:7
docker.io/library/centos:7
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
tomcat latest 52691d316146 2 days ago 680MB
hello-world latest feb5d9fea6a5 4 months ago 13.3kB
centos 7 eeb6ee3f44bd 5 months ago 204MB
centos latest 5d0da3dc9764 5 months ago 231MB
运行容器
[root@server1 ~]# docker run -it --name=c7 centos:7 /bin/bash
[root@ae4e73acf002 /]#
查看启动时间
[root@ae4e73acf002 /]# uptime
14:06:35 up 2 days, 21:55, 0 users, load average: 0.03, 0.04, 0.05
在容器内安装httpd,iproute等(如果出现yum找不到或者镜像源之类的错误,可以尝试更换镜像或版本)
[root@ae4e73acf002 /]# yum install -y httpd
[root@ae4e73acf002 /]# yum install -y iproute
[root@ae4e73acf002 /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
[root@ae4e73acf002 /]# echo hello >> /var/www/html/index.html
开启httpd
[root@ae4e73acf002 /]# httpd -k start
AH00558: httpd: Could not reliably determine the servers fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
测试
[root@ae4e73acf002 /]# curl 172.17.0.2
hello
退出容器
[root@ae4e73acf002 /]# exit
查看正在运行的容器
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
查看所有容器
[root@server1 ~]# docker ps --all
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ae4e73acf002 centos:7 "/bin/bash" 6 days ago Exited (255) 3 days ago c7
f9051be53ca6 centos:latest "/bin/bash" 6 days ago Exited (1) 6 days ago c0
bc62efa28781 tomcat:latest "/bin/bash" 6 days ago Exited (0) 6 days ago c1
ebc1e5937f2e hello-world "/hello" 7 days ago Exited (0) 7 days ago upbeat_nash
再次进入容器
[root@server1 ~]# docker start c7
c7
[root@server1 ~]# docker attach c7
[root@ae4e73acf002 /]#
[root@ae4e73acf002 /]# httpd -k start
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[root@ae4e73acf002 /]# curl 172.17.0.2
hello
Docker Daemon远程管理容器
- 关闭docker守护进程
[root@server1 ~]# systemctl stop docker
Warning: Stopping docker.service, but it can still be activated by:
docker.socket
- 修改配置文件/usr/lib/systemd/system/docker.service
如果想使用/etc/docker/daemon.json管理docker daemon,默认情况下,/etc/docker目录中并没有daemon.json文件,强行手动添加后会导致docker daemon无法启动,在添加daemon.json文件之前需要修改/usr/lib/systemd/system/docker.service 文件
[root@server1 ~]# vim /usr/lib/systemd/system/docker.service
13 #ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
13 ExecStart=/usr/bin/dockerd
- 重启docker
[root@server1 ~]# systemctl daemon-reload
[root@server1 ~]# systemctl start docker
- 添加配置文件/etc/docker/daemon.json,实现远程管理
[root@server1 ~]# vim /etc/docker/daemon.json
[root@server1 ~]# cat /etc/docker/daemon.json
{
"hosts": ["tcp://0.0.0.0:2375","unix:///var/run/docker.sock"]
}
[root@server1 ~]# systemctl restart docker
[root@server1 ~]# ss -tnalp |grep 2375
LISTEN 0 128 [::]:2375 [::]:* users:(("dockerd",pid=10572,fd=9))
- 远程连接测试
[root@server2 ~]# docker -H 192.168.139.10 version
Client: Docker Engine - Community
Version: 20.10.12
API version: 1.41
Go version: go1.16.12
Git commit: e91ed57
Built: Mon Dec 13 11:45:41 2021
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.12
API version: 1.41 (minimum version 1.12)
Go version: go1.16.12
Git commit: 459d0df
Built: Mon Dec 13 11:44:05 2021
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.4.12
GitCommit: 7b11cfaabd73bb80907dd23182b9347b4245eb5d
runc:
Version: 1.0.2
GitCommit: v1.0.2-0-g52b36a2
docker-init:
Version: 0.19.0
GitCommit: de40ad0
[root@server2 ~]# docker -H 192.168.139.10 pull centos
Using default tag: latest
latest: Pulling from library/centos
Digest: sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177
Status: Image is up to date for centos:latest
docker.io/library/centos:latest
Docker使用
Docker容器管理
docker命令分类:
普通命令
管理类命令:是普通命令的整合与扩展
镜像获取
- 镜像搜索
[root@server1 ~]# docker search centos
- 镜像下载
普通命令下载(不指定版本,会默认下载最新版)
[root@server1 ~]# docker pull centos
Using default tag: latest
latest: Pulling from library/centos
Digest: sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177
Status: Image is up to date for centos:latest
docker.io/library/centos:latest
管理命令下载(不指定版本,会默认下载最新版)
[root@server1 ~]# docker image pull centos
Using default tag: latest
latest: Pulling from library/centos
Digest: sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177
Status: Image is up to date for centos:latest
docker.io/library/centos:latest
镜像传输
- 本地镜像打包
[root@server1 ~]# docker save -o centos.tar centos:latest
- 镜像传输
[root@server1 ~]# scp centos.tar 192.168.139.20:/root
- 镜像导入
[root@server2 ~]# docker load -i centos.tar
74ddd0ec08fa: Loading layer 238.6MB/238.6MB
Loaded image: centos:latest
[root@server2 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos latest 5d0da3dc9764 5 months ago 231MB
容器运行
- 容器运行bash
普通命令运行
-i:交互
-t:开启终端
[root@server2 ~]# docker run -it --name=c1 centos:latest /bin/bash
[root@7ce3c0f9eedb /]# exit
exit
管理命令运行
[root@server2 ~]# docker container run -it --name=c2 centos:latest /bin/bash
[root@cda7901b8d09 /]# exit
exit
- 容器运行httpd(建议使用centos7)
[root@server2 ~]# docker pull centos:7
[root@server2 ~]# docker run -it --name=c0 centos:7 /bin/bash
[root@63ef4da19cc4 /]# yum install -y httpd
[root@63ef4da19cc4 /]# which httpd
/usr/sbin/httpd
[root@63ef4da19cc4 /]# /usr/sbin/httpd -k start
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[root@63ef4da19cc4 /]# echo test >> /var/www/html/index.html
[root@63ef4da19cc4 /]# curl 127.0.0.1
test
容器生成镜像
- 容器正在运行,也可以导出
[root@server2 ~]# docker export -o centos7_httpd.tar c0
- 导入基于容器生成的镜像
[root@server2 ~]# scp centos7_httpd.tar 192.168.139.10:/root
[root@server1 ~]# docker import -m httpd centos7_httpd.tar centos7_httpd:v1
sha256:ab81a74818e988a41ba11655c6786d1f9c0e39b80466b78019b536c97f0be50a
[root@server1 ~]# docker images|grep v1
centos7_httpd v1 ab81a74818e9 43 seconds ago 367MB
- 启动容器并启动httpd服务
[root@server1 ~]# docker run -it --name=ch1 centos7_httpd:v1 /bin/bash
[root@55d5f4bd076f /]# httpd -k start
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[root@55d5f4bd076f /]# curl 127.0.0.1
test
容器ip
- 安装docker后,物理机会默认增添docker0网卡
[root@server2 ~]# ip a
5: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:04:9e:d4:bc brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:4ff:fe9e:d4bc/64 scope link
valid_lft forever preferred_lft forever
- 查看容器ip
[root@63ef4da19cc4 /]# yum install -y iproute
[root@63ef4da19cc4 /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
该ip地址为网桥自动分配
[root@63ef4da19cc4 /]# ping www.baidu.com
PING www.a.shifen.com (112.80.248.75) 56(84) bytes of data.
64 bytes from 112.80.248.75 (112.80.248.75): icmp_seq=1 ttl=127 time=7.73 ms
64 bytes from 112.80.248.75 (112.80.248.75): icmp_seq=2 ttl=127 time=8.05 ms
^C
--- www.a.shifen.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1004ms
rtt min/avg/max/mdev = 7.732/7.893/8.055/0.184 ms
ctrl+p+q:不退出容器,切换回linux终端
- 终端查看ip
[root@server2 ~]# docker inspect c0
[
...
"Networks": {
"bridge": {
"IPAMConfig": null,
"Links": null,
"Aliases": null,
"NetworkID": "4fedee9b1f956c11e90c4373715fac28f8de6e789294c4a2aa7c8d2ab3ea1eaa",
"EndpointID": "d20e90a3f7f33f7aa5eb7426bec5bc63073790191cd1278a7d5e37c109b924bb",
"Gateway": "172.17.0.1",
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:11:00:02",
"DriverOpts": null
}
}
}
}
]
[root@server2 ~]# docker exec c0 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
停止并重新进入容器
- 查看正在运行容器
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
55d5f4bd076f centos7_httpd:v1 "/bin/bash" 13 hours ago Up 13 hours ch1
- 关闭容器
[root@server1 ~]# docker stop ch1
ch1
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
#关闭多个:docker stop ch1 ch2
- 重新开启已停止的容器
[root@server1 ~]# docker start ch1
ch1
[root@server1 ~]# docker attach ch1
[root@55d5f4bd076f /]#
删除容器
- 停止容器
终端退出,直接停止容器
root@bc62efa28781:/usr/local/tomcat# exit
exit
停止后台运行的容器
[root@server1 ~]# docker stop c1
c1
- 删除
[root@server1 ~]# docker rm c1
c1
端口映射
报错:WARNING: IPv4 forwarding is disabled. Networking will not work.
原因:CentOS的内核中的ip_forward(IP转发)是默认关闭的,需要手动打开
解决:
vim /usr/lib/sysctl.d/00-system.conf # 追加 net.ipv4.ip_forward=1
- 端口映射
将本机80端口映射为容器80端口(访问本机80端口,即为访问容器80端口)
[root@server1 ~]# docker run -it -p80:80 --name=c2 centos:7 /bin/bash
[root@bd84b8c3ae20 /]# [root@server1 ~]#
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
bd84b8c3ae20 centos:7 "/bin/bash" 25 seconds ago Up 24 seconds 0.0.0.0:80->80/tcp, :::80->80/tcp c2
经指定容器端口,不指定本机端口,主机会随机添加映射到容器80端口
[root@server1 ~]# docker run -it -p:80 --name=c3 centos:7 /bin/bash
[root@3c015e013f22 /]# [root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3c015e013f22 centos:7 "/bin/bash" 13 seconds ago Up 12 seconds 0.0.0.0:49153->80/tcp, :::49153->80/tcp c3
bd84b8c3ae20 centos:7 "/bin/bash" 5 hours ago Up 5 hours 0.0.0.0:80->80/tcp, :::80->80/tcp c2
指定映射主机的IP
[root@server1 ~]# docker run -it -p192.168.139.10::80 --name=c4 centos:7 /bin/bash
[root@3c015e013f22 /]# [root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
fe7603d0cea0 centos:7 "/bin/bash" 13 seconds ago Up 12 seconds 192.168.139.10:49154->80/tcp c4
3c015e013f22 centos:7 "/bin/bash" 6 minutes ago Up 6 minutes 0.0.0.0:49153->80/tcp, :::49153->80/tcp c3
bd84b8c3ae20 centos:7 "/bin/bash" 5 hours ago Up 5 hours 0.0.0.0:80->80/tcp, :::80->80/tcp c2
数据持久化存储
将数据保存在docker Host上实现持久化存储
将docker内的/data目录挂载到docker Host的/mnt/docker-c5目录下
[root@server1 ~]# mkdir /mnt/docker-c5
[root@server1 ~]# docker run -it -v /mnt/docker-c5/:/data --name=c5 centos:7 /bin/bash
测试
[root@934894a5764d /]# [root@server1 ~]#
[root@server1 ~]# echo test >> /mnt/docker-c5/test.txt
[root@server1 ~]# docker attach c5
[root@934894a5764d /]# ls /data/
test.txt
[root@934894a5764d /]# cat /data/test.txt
test
- 部署httpd服务
[root@server1 ~]# mkdir /mnt/httpd
[root@server1 ~]# docker run -it -p80:80 -v /mnt/httpd/:/var/www/html --name=c1 centos:7 /bin/bash
[root@589987cd58f5 /]# yum install -y httpd
[root@589987cd58f5 /]# httpd -k start
[root@589987cd58f5 /]# echo hello >> /var/www/html/index.html
[root@589987cd58f5 /]# [root@server1 ~]#
[root@server1 ~]# cat /mnt/httpd/index.html
hello
容器&主机时间同步
[root@server1 ~]# docker run -it -v /etc/localtime:/etc/localtime --name=c2 centos:7 /bin/bash
[root@1670d938968a /]# date
Sun Mar 6 23:51:50 CST 2022
容器外执行命令
查看正在运行的容器
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1670d938968a centos:7 "/bin/bash" 5 days ago Up 5 days c2
589987cd58f5 centos:7 "/bin/bash" 5 days ago Up 5 days 0.0.0.0:80->80/tcp, :::80->80/tcp c1
容器外执行命令
[root@server1 ~]# docker exec c1 ls /
anaconda-post.log
bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
[root@server1 ~]# docker exec c1 yum install -y httpd
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
* base: mirrors.cn99.com
* extras: mirrors.cn99.com
* updates: mirrors.cn99.com
Package httpd-2.4.6-97.el7.centos.4.x86_64 already installed and latest version
Nothing to do
容器互联
-
使用场景:容器编排
-
被依赖的容器先创建
创建被依赖的容器
[root@server1 ~]# docker run -it --name c3 centos:7 /bin/bash
[root@75a611252083 /]# [root@server1 ~]#
使用--link参数(可指定别名),创建联系
[root@server1 ~]# docker run --link c3:web_server -it --name c4 centos:7 /bin/bash
容器通过主机名互联,而非IP地址(容器ip不稳定)
[root@af9bc5e7f0a1 /]# ping web_server
PING web_server (172.17.0.4) 56(84) bytes of data.
64 bytes from web_server (172.17.0.4): icmp_seq=1 ttl=64 time=0.098 ms
64 bytes from web_server (172.17.0.4): icmp_seq=2 ttl=64 time=0.037 ms
64 bytes from web_server (172.17.0.4): icmp_seq=3 ttl=64 time=0.039 ms
^C
--- web_server ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.037/0.058/0.098/0.028 ms
[root@af9bc5e7f0a1 /]# cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.4 web_server 75a611252083 c3
172.17.0.5 af9bc5e7f0a1
Docker镜像管理
镜像介绍
- 镜像获取流程:
- docker client向docker daemon发起容器创建请求
- docker daemon查找有无客户端需要的镜像
- 若无,则到容器镜像仓库中下载需要的镜像
- 拿到容器镜像后,启动容器
- 镜像介绍:
- Docker 镜像就是一组只读的目录,或者叫只读的 Docker 容器模板,镜像中含有一个Docker 容器运行所需要的文件系统,所以我们说Docker 镜像是启动一个Docker 容器的基础。
- 可以将Docker 镜像看成是Docker 容器的静态时,也可将Docker 容器看成是Docker镜像的运行时。
- 联合文件系统(UnionFS)是一种轻量级的高性能分层文件系统,它支持将文件系统中的修改信息作为一次提交,并层层叠加,同时可以将不同目录挂载到同一个虚拟文件系统下,应用看到的是挂载的最终结果。
- 联合文件系统是实现Docker镜像的技术基础。Docker镜像可以通过分层来进行继承。用户基于基础镜像来制作各种不同的应用镜像。这些镜像共享同一个基础镜像层,提高了存储效率。此外,当用户改变了一个Docker镜像(比如升级程序到新的版本),则会创建一个新的层(layer)。因此,用户不需要替换整个原镜像或者重新建立,只需要添加新层即可。用户分发镜像的时候,也只需要分发被改动的新层内容(增量部分)。这让Docker的镜像管理变得十分轻量级和快速。
镜像制作
- 制作基础镜像
准备最小化的操作系统
略
打包操作系统根目录
#需要排除proc目录(保存了进程pid,文件描述符fd等信息),dev目录(设备映射目录,建议排除),sys目录(系统内核相关)
# --numeric-owner 将文件的属主,属组都数字化
[root@server8 ~]# tar --numeric-owner --exclude=/proc --exclude=/sys -cvf centos7u6.tar /
[root@server8 ~]# ll -h
总用量 1.4G
-rw-------. 1 root root 1.3K 3月 4 00:54 anaconda-ks.cfg
-rw-r--r--. 1 root root 1.4G 3月 4 00:56 centos7u6.tar
将打包的文件导入docker host
[root@server8 ~]# scp centos7u6.tar 192.168.139.10:/root
[root@server1 ~]# docker import centos7u6.tar centos7u6:latest
sha256:592ba953c5f959be15bdf45e15884a64f4b6aca777dcb950f1b7719ec9a30aaa
[root@server1 ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
centos7u6 latest 592ba953c5f9 29 seconds ago 1.42GB
tomcat latest 52691d316146 4 weeks ago 680MB
hello-world latest feb5d9fea6a5 5 months ago 13.3kB
centos 7 eeb6ee3f44bd 5 months ago 204MB
centos latest 5d0da3dc9764 5 months ago 231MB
使用基础镜像启动容器
[root@server1 ~]# docker run -it --name=c5 centos7u6:latest /bin/bash
[root@7539e17de8bd /]# ls
bin dev home lib64 mnt proc run srv tmp usr WP
boot etc lib media opt root sbin sys upload var
[root@7539e17de8bd /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
28: eth0@if29: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:06 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.6/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
[root@7539e17de8bd /]#
- 应用镜像制作
[root@server1 ~]# docker attach c5
[root@7539e17de8bd /]# yum install -y httpd
Rpmdb checksum is invalid: dCDPT(pkg checksums): httpd-tools.x86_64 0:2.4.6-97.el7.centos.4 - u
报错:Rpmdb checksum is invalid: dCDPT(pkg checksums): httpd-tools.x86_64 0:2.4.6-97.el7.centos.4 - u
场景:容器内安装软件
解决:yum clean all
[root@7539e17de8bd /]# yum clean all
已加载插件:fastestmirror
正在清理软件源: base extras updates
Cleaning up list of fastest mirrors
[root@7539e17de8bd /]# yum install -y httpd
应用镜像制作(提交时会暂时暂停镜像)
[root@server1 ~]# docker commit c5 centos7u6-httpd:v1
sha256:ba470b1ba5a68169fb0ef729284fed1394d36ef95dac43f230633db2bfe2eb3d
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos7u6-httpd v1 ba470b1ba5a6 About a minute ago 1.62GB
centos7u6 latest 592ba953c5f9 18 minutes ago 1.42GB
tomcat latest 52691d316146 4 weeks ago 680MB
hello-world latest feb5d9fea6a5 5 months ago 13.3kB
centos 7 eeb6ee3f44bd 5 months ago 204MB
centos latest 5d0da3dc9764 5 months ago 231MB
使用应用镜像启动容器
[root@server1 ~]# docker run -it --name httpd centos7u6-httpd:v1 /bin/bash
[root@397e1d4a248a /]# echo test >> /var/www/html/index.html
[root@397e1d4a248a /]# httpd -k start
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.7. Set the 'ServerName' directive globally to suppress this message
[root@397e1d4a248a /]# curl 127.0.0.1
test
使用Dockerfile创建应用镜像
- Dockerfile工作原理
- 在Dockerfile定义所要执行的命令,使用docker build创建镜像。过程中会按照Dockerfile文件所定义的内容创建新的临时性容器,把Dockerfile中所定义的每行命令在临时容器中执行,然后生成镜像分层。所有命令结束后,生成一个新应用镜像,中间过程为commit(暂停–>打包–>启动)
- 执行命令越多,容器应用镜像越大,优化命令是必要的
- docker build命令
关键字:
FROM:指定基础镜像
MAINTAINER:指定镜像创建者信息
MATNTAINER "name|email|..."
RUN:运行指定命令
CMD:设置容器时所执行的操作,一次执行一条
ENRTYPOINT:设置容器时所执行的操作,一次执行多条
USER:设置容器启动用户
EXPOSE:暴露容器映射到宿主机的端口
ENV:设置环境变量
ADD:复制文件
ADD <src> <dest>
VOLUME:指定挂载点
WORKDIR:切换目录
ONBUILD:在子镜像中执行
- 案例1:实现启动容器时直接启动httpd服务的镜像
实现思路:选择基础镜像–>安装httpd服务–>通过脚本启动httpd,放在前端执行(只要httpd还在执行,容器就不会退出)–>暴露80/tcp端口–>添加测试文件,验证服务可用性
- 创建目录,目录中应包含Dockerfile文件以及制作镜像需要的其他文件(如站点文件,启动脚本)
创建目录 [root@server1 ~]# mkdir test 创建httpd启动脚本 [root@server1 ~]# cd test [root@server1 test]# vim run-httpd.sh [root@server1 test]# cat run-httpd.sh #!/bin/bash # 删除httpd的pid进程(如果有) rm -rf /var/run/httpd/* # 指定httpd在前端运行(注意httpd命令的位置) exec /usr/sbin/httpd -D FOREGROUND 创建网站首页文件 [root@server1 test]# vim index.html [root@server1 test]# cat index.html hello! 创建Dockerfile文件 [root@server1 test]# vim Dockerfile [root@server1 test]# cat Dockerfile # 指定基础镜像 FROM centos7u6:latest # 指定镜像维护者信息 MAINTAINER "hello [email protected]" # 安装httpd RUN yum clean all && rpm --rebuilddb && yum install -y httpd # 将本地run-httpd.sh文件传入容器 ADD run-httpd.sh /run-httpd.sh # 给容器内的/run-httpd.sh文件加执行权限 RUN chmod -v +x /run-httpd.sh # 将本地index.html文件传到容器站点根目录 ADD index.html /var/www/html/ # 暴露容器80端口 EXPOSE 80 # 切换目录 WORKDIR / # 执行脚本 CMD ["/bin/bash","/run-httpd.sh"]
- docker build读取Dockerfile创建镜像
-t 指定镜像名和版本号 [root@server1 test]# docker build -t centos7u6-httpd:v1 . Sending build context to Docker daemon 4.608kB Step 1/9 : FROM centos7u6:latest ---> 592ba953c5f9 Step 2/9 : MAINTAINER "hello [email protected]" ---> Using cache ---> 5853c941dbe7 Step 3/9 : RUN yum clean all && rpm --rebuilddb && yum install -y httpd ---> Running in 81aebb2b83cc ...安装httpd... Removing intermediate container 81aebb2b83cc ---> c13ccb5eaafd Step 4/9 : ADD run-httpd.sh /run-httpd.sh ---> aca4eb1f5660 Step 5/9 : RUN chmod -v +x /run-httpd.sh ---> Running in e13889039ea6 mode of '/run-httpd.sh' changed from 0644 (rw-r--r--) to 0755 (rwxr-xr-x) Removing intermediate container e13889039ea6 ---> 886bc48382a2 Step 6/9 : ADD index.html /var/www/html/ ---> 4a3237b9ef0e Step 7/9 : EXPOSE 80 ---> Running in db802cb690a8 Removing intermediate container db802cb690a8 ---> af1d91263859 Step 8/9 : WORKDIR / ---> Running in ee8a565b43bf Removing intermediate container ee8a565b43bf ---> e3877c37bcdd Step 9/9 : CMD ["/bin/bash","/run-httpd.sh"] ---> Running in 66ce489bcf2a Removing intermediate container 66ce489bcf2a ---> 324c348ce68a Successfully built eeaba8b83515 Successfully tagged centos7u6-httpd:v1
- 验证:使用已创建的镜像启动容器
查看镜像 [root@server1 test]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE centos7u6-httpd v1 eeaba8b83515 20 seconds ago 1.62GB centos7u6 latest 592ba953c5f9 2 days ago 1.42GB centos 7 eeb6ee3f44bd 6 months ago 204MB 启动容器 [root@server1 test]# docker run -d centos7u6-httpd:v1 aaab87bbae50049e8b39f4665b6cf2f118f77b5cec57bfbd6de6a35b51062955 查看运行的容器 [root@server1 test]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES aaab87bbae50 centos7u6-httpd:v1 "/bin/bash /run-http…" 5 seconds ago Up 4 seconds 80/tcp wonderful_kirch 查看IP地址 [root@server1 test]# docker inspect aaa "IPAddress": "172.17.0.2", 访问测试 [root@server1 test]# curl 172.17.0.2 hello!
- 更改网站内容:新建容器实现
[root@server1 test]# mkdir /www [root@server1 test]# echo world >> /www/index.html [root@server1 test]# docker run -d -v /www:/var/www/html centos7u6-httpd:v1 be1b0a843642406e0728c1843702cd6ddd4cda18d33f059d27cc070454cdae97 [root@server1 test]# docker inspect be1 "IPAddress": "172.17.0.3", [root@server1 test]# curl 172.17.0.3 world
- 案例2:nginx应用容器化
创建目录
[root@server1 ~]# mkdir docker-nginx
[root@server1 ~]# cd docker-nginx/
[root@server1 docker-nginx]#
创建测试文件
[root@server1 docker-nginx]# echo 'hello nginx!' >> index.html
创建Dockerfile文件
[root@server1 docker-nginx]# vim Dockerfile
[root@server1 docker-nginx]# cat Dockerfile
FROM centos:7
MAINTAINER "[email protected]"
# 安装yum-plugin-ovl为了防止yum缓存报错,等同于rpm --rebuilddb
RUN yum clean all && yum install -y yum-plugin-ovl && yum install -y epel-release && yum install -y nginx
ADD index.html /usr/share/nginx/html/
# 取消nginx后台运行
RUN echo 'daemon off;' >> /etc/nginx/nginx.conf
EXPOSE 80
CMD /usr/sbin/nginx
创建镜像
[root@server1 docker-nginx]# docker build -t centos7-nginx:v1 .
Sending build context to Docker daemon 3.072kB
Step 1/7 : FROM centos:7
---> eeb6ee3f44bd
Step 2/7 : MAINTAINER "[email protected]"
---> Running in 698d43ab396d
Removing intermediate container 698d43ab396d
---> b8887cfc248d
Step 3/7 : RUN yum clean all && yum install -y yum-plugin-ovl && yum install -y epel-release && yum install -y nginx
---> Running in 2a70b689e164
...软件包安装...
Removing intermediate container 2a70b689e164
---> d88d004a7bb4
Step 4/7 : ADD index.html /usr/share/nginx/html/
---> 7bf523b1f36e
Step 5/7 : RUN echo 'daemon off;' >> /etc/nginx/nginx.conf
---> Running in da866942aad9
Removing intermediate container da866942aad9
---> a42c3412d4e5
Step 6/7 : EXPOSE 80
---> Running in 4be21c1a730c
Removing intermediate container 4be21c1a730c
---> b1f29a6b48af
Step 7/7 : CMD /usr/sbin/nginx
---> Running in a3f529feb6c1
Removing intermediate container a3f529feb6c1
---> e66f7de25290
Successfully built e66f7de25290
Successfully tagged centos7-nginx:v1
[root@server1 docker-nginx]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos7-nginx v1 e66f7de25290 2 minutes ago 437MB
centos7u6-httpd v1 eeaba8b83515 32 minutes ago 1.62GB
centos7u6 latest 592ba953c5f9 2 days ago 1.42GB
centos 7 eeb6ee3f44bd 6 months ago 204MB
创建容器
[root@server1 docker-nginx]# docker run -d centos7-nginx:v1
96fc6c0547a74326b3410606f0bbf65797921c0f49a194ef5c4ecec4477122b8
[root@server1 docker-nginx]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
96fc6c0547a7 centos7-nginx:v1 "/bin/sh -c /usr/sbi…" 4 seconds ago Up 3 seconds 80/tcp trusting_rhodes
be1b0a843642 centos7u6-httpd:v1 "/bin/bash /run-http…" 24 minutes ago Up 24 minutes 80/tcp blissful_darwin
aaab87bbae50 centos7u6-httpd:v1 "/bin/bash /run-http…" 32 minutes ago Up 32 minutes 80/tcp wonderful_kirch
访问测试
[root@server1 docker-nginx]# docker inspect 96f
"IPAddress": "172.17.0.4",
[root@server1 docker-nginx]# curl 172.17.0.4
hello nginx!
镜像储存位置
- docker的容器镜像以及容器本身的数据都存放在**/var/lib/docker**目录中
- 不同linux发行版存储方式不同,Ubuntu上存储方式为AUFS(联合文件系统),CentOS上储存方式为Overlay或Overlay2
- OverlayFS是一个类似AUFS的联合文件系统,速度更快,实现简单
[root@server1 ~]# cd /var/lib/docker/
[root@server1 docker]# ls
buildkit containers image network overlay2 plugins runtimes swarm tmp trust volumes
[root@server1 docker]# cd overlay2/
[root@server1 overlay2]# ls
31defc9106f569ecdeffc14f21b0303d1c84a73170c0b7fe1efc904f8820b07e
45304352f9a16cb6bade04df883077917d4ae94aac6191f5d8c0b2c864cd5a77
6119d1823b21afec0a3ccb96b6622ff3857c1a95cf845dc86b3771881166ae6e
616168a7f1471f43604022fc9a16e74b169bfd1b5afd6ab09acc0234a8ac8f16
65984770c2d8bedf020303bdec82f025b9a46d2c77414a84d02715b82843c376
a4d506a4522a6064e15a4c34dfa1003235a38dda401af5519337a1e1f1713b89
b8f4fd78df9e5555e779c5e3e0c59577444fede045de8ca2fa80de937290979f
backingFsBlockDev
be63c03fa26bac673e8f6f8758bd24ce0c4b09fef421a44513787347329917df
c094c98ebb96566b27a4b3331004cd0ac50144aa19e7f9bedf6ae468f586f598
c094c98ebb96566b27a4b3331004cd0ac50144aa19e7f9bedf6ae468f586f598-init
cbf1804d3f502a2303af421baaeb264c14221a0fdbcd1c5517187aa5452ee329
cbf1804d3f502a2303af421baaeb264c14221a0fdbcd1c5517187aa5452ee329-init
ed2b26b0829150630e9b76a37edba9c56f90ae9af6fe7d6267181fa945ee6d7f
ed2b26b0829150630e9b76a37edba9c56f90ae9af6fe7d6267181fa945ee6d7f-init
f03c20efb44663a24211a1155b68e6366d32d0f8c6bbfbdbe47904ef41910cf2
l
[root@server1 overlay2]# ll ./l
总用量 0
lrwxrwxrwx 1 root root 72 3月 16 14:49 52MW66F3OZ4QQ7MC6TCUMCNICA -> ../f03c20efb44663a24211a1155b68e6366d32d0f8c6bbfbdbe47904ef41910cf2/diff
lrwxrwxrwx 1 root root 72 3月 16 14:49 5PBS62L2S6Z4D4S2VAPQWUJBZX -> ../45304352f9a16cb6bade04df883077917d4ae94aac6191f5d8c0b2c864cd5a77/diff
lrwxrwxrwx 1 root root 72 2月 14 22:05 BK2CRKRCR3O3GJLVB6XGDGJA57 -> ../31defc9106f569ecdeffc14f21b0303d1c84a73170c0b7fe1efc904f8820b07e/diff
lrwxrwxrwx 1 root root 72 3月 16 15:23 COL6FEZLQ5NHXDZ6MTLNPH7SRE -> ../cbf1804d3f502a2303af421baaeb264c14221a0fdbcd1c5517187aa5452ee329/diff
lrwxrwxrwx 1 root root 72 3月 16 15:19 DBP6NOORVJ2OEOUHYKEGAIMD5R -> ../65984770c2d8bedf020303bdec82f025b9a46d2c77414a84d02715b82843c376/diff
lrwxrwxrwx 1 root root 72 3月 16 15:19 DKRFINFUO3ONOMJLY72JX6Y66A -> ../b8f4fd78df9e5555e779c5e3e0c59577444fede045de8ca2fa80de937290979f/diff
lrwxrwxrwx 1 root root 77 3月 16 14:58 IB7TXGSUW2HORBVNB2GAAW5LUX -> ../c094c98ebb96566b27a4b3331004cd0ac50144aa19e7f9bedf6ae468f586f598-init/diff
lrwxrwxrwx 1 root root 72 3月 16 15:19 IGZXSMKVQ4BDFAHUOZW2JCWNIK -> ../616168a7f1471f43604022fc9a16e74b169bfd1b5afd6ab09acc0234a8ac8f16/diff
lrwxrwxrwx 1 root root 72 3月 16 14:51 KAYQOFYRUO2QRU35ACBED3KXOX -> ../ed2b26b0829150630e9b76a37edba9c56f90ae9af6fe7d6267181fa945ee6d7f/diff
# 可以看见l文件夹里保存的是镜像的软连接,用于挂载使用(linux系统挂载时,限制镜像名为128个字符)
- OverlayFS原理
-
OverlayFS
文件系统主要有三个角色,lowerdir
、upperdir
和merged
。lowerdir
是只读层,用户不能修改这个层的文件;upperdir
是可读写层,用户能够修改这个层的文件merged
是合并层,把lowerdir
层和upperdir
层的文件合并展示- 当需要修改一个文件时,使用CoW(写时复制技术)将文件从只读的
lowerdir
层复制到可写的upperdir
层进行修改,结果保存在upperdir
层 - 在Docker中,底下的只读层就是image,可写层就是Container
[root@server1 ~]# docker info|grep Storage Storage Driver: overlay2 WARNING: bridge-nf-call-iptables is disabled WARNING: bridge-nf-call-ip6tables is disabled [root@server1 ~]# mount |grep overlay2 overlay on /var/lib/docker/overlay2/ed2b26b0829150630e9b76a37edba9c56f90ae9af6fe7d6267181fa945ee6d7f/merged type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/OYS3ZZ3QJ35DISKDHCHZEPZ553:/var/lib/docker/overlay2/l/PIZABUMQHMYOD3DDIBWUYPGBO2:/var/lib/docker/overlay2/l/M6ZMLCESK2WI2DK635I3QAC4FG:/var/lib/docker/overlay2/l/5PBS62L2S6Z4D4S2VAPQWUJBZX:/var/lib/docker/overlay2/l/52MW66F3OZ4QQ7MC6TCUMCNICA:/var/lib/docker/overlay2/l/R425GC2OANG2RBQZM2ICKCXPBB,upperdir=/var/lib/docker/overlay2/ed2b26b0829150630e9b76a37edba9c56f90ae9af6fe7d6267181fa945ee6d7f/diff,workdir=/var/lib/docker/overlay2/ed2b26b0829150630e9b76a37edba9c56f90ae9af6fe7d6267181fa945ee6d7f/work) overlay on /var/lib/docker/overlay2/c094c98ebb96566b27a4b3331004cd0ac50144aa19e7f9bedf6ae468f586f598/merged type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/IB7TXGSUW2HORBVNB2GAAW5LUX:/var/lib/docker/overlay2/l/PIZABUMQHMYOD3DDIBWUYPGBO2:/var/lib/docker/overlay2/l/M6ZMLCESK2WI2DK635I3QAC4FG:/var/lib/docker/overlay2/l/5PBS62L2S6Z4D4S2VAPQWUJBZX:/var/lib/docker/overlay2/l/52MW66F3OZ4QQ7MC6TCUMCNICA:/var/lib/docker/overlay2/l/R425GC2OANG2RBQZM2ICKCXPBB,upperdir=/var/lib/docker/overlay2/c094c98ebb96566b27a4b3331004cd0ac50144aa19e7f9bedf6ae468f586f598/diff,workdir=/var/lib/docker/overlay2/c094c98ebb96566b27a4b3331004cd0ac50144aa19e7f9bedf6ae468f586f598/work) overlay on /var/lib/docker/overlay2/cbf1804d3f502a2303af421baaeb264c14221a0fdbcd1c5517187aa5452ee329/merged type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/TNCXK37C2PSX5QXNOIMSN2UGOQ:/var/lib/docker/overlay2/l/DKRFINFUO3ONOMJLY72JX6Y66A:/var/lib/docker/overlay2/l/DBP6NOORVJ2OEOUHYKEGAIMD5R:/var/lib/docker/overlay2/l/IGZXSMKVQ4BDFAHUOZW2JCWNIK:/var/lib/docker/overlay2/l/BK2CRKRCR3O3GJLVB6XGDGJA57,upperdir=/var/lib/docker/overlay2/cbf1804d3f502a2303af421baaeb264c14221a0fdbcd1c5517187aa5452ee329/diff,workdir=/var/lib/docker/overlay2/cbf1804d3f502a2303af421baaeb264c14221a0fdbcd1c5517187aa5452ee329/work)
官方镜像仓库
-
网址:https://hub.docker.com/
-
邮箱注册
-
创建自己的仓库
- 命令行登入登出
登入
[root@server1 ~]# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: xiaotanggao 用户名
Password: 密码(#姓名+.)
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
登出
[root@server1 ~]# docker logout
Removing login credentials for https://index.docker.io/v1/
- 镜像上传与下载
上传前需要标记
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos7-nginx v1 e66f7de25290 24 hours ago 437MB
xiaotanggao/nginx v1 e66f7de25290 24 hours ago 437MB
centos7u6-httpd v1 eeaba8b83515 25 hours ago 1.62GB
centos7u6 latest 592ba953c5f9 3 days ago 1.42GB
centos 7 eeb6ee3f44bd 6 months ago 204MB
[root@server1 ~]# docker tag centos:7 xiaotanggao/nginx:v1
登录
[root@server1 ~]# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: xiaotanggao
Password:
上传
[root@server1 ~]# docker push xiaotanggao/nginx:v1
The push refers to repository [docker.io/xiaotanggao/nginx]
174f56854903: Layer already exists
v1: digest: sha256:dead07b4d8ed7e29e98de0f4504d87e8880d4347859d839686a31da35a3b532f size: 529
# 如果官方仓库中有该镜像,会做成一个软连接
# 如果官方仓库中没有该镜像,会慢慢上传,很耗时
登出
[root@server1 ~]# docker logout
Removing login credentials for https://index.docker.io/v1/
下载:可以不登录,直接下载
[root@server1 ~]# docker pull xiaotanggao/nginx:v1
v1: Pulling from xiaotanggao/nginx
Digest: sha256:dead07b4d8ed7e29e98de0f4504d87e8880d4347859d839686a31da35a3b532f
Status: Image is up to date for xiaotanggao/nginx:v1
docker.io/xiaotanggao/nginx:v1
[root@server1 ~]# docker pull ansible/centos7-ansible
Using default tag: latest
latest: Pulling from ansible/centos7-ansible
45a2e645736c: Pull complete
1c3acf573616: Pull complete
edcb61e55ccc: Pull complete
cbae31bad30a: Pull complete
aacbdb1e2a62: Pull complete
fdeea4fb835c: Pull complete
Digest: sha256:39eff7d56b96530d014083cd343f7314c23acbd1ecf37eb75a71a2f6584d0b02
Status: Downloaded newer image for ansible/centos7-ansible:latest
docker.io/ansible/centos7-ansible:latest
镜像加速器
- 用于加快镜像下载速度
- 阿里云加速器:https://cr.console.aliyun.com/cn-hangzhou/instances
- 按要求配置
[root@server1 ~]# cat > /etc/docker/daemon.json <<EOF
{
"registry-mirrors": ["https://he5z7917.mirror.aliyuncs.com"]
}
EOF
[root@server1 ~]# systemctl daemon-reload
[root@server1 ~]# systemctl restart docker
测试(明显感到速度变快)
[root@server1 ~]# docker rmi ansible/centos7-ansible:latest
[root@server1 ~]# docker pull ansible/centos7-ansible
Using default tag: latest
latest: Pulling from ansible/centos7-ansible
45a2e645736c: Pull complete
1c3acf573616: Pull complete
edcb61e55ccc: Pull complete
cbae31bad30a: Pull complete
aacbdb1e2a62: Pull complete
fdeea4fb835c: Pull complete
Digest: sha256:39eff7d56b96530d014083cd343f7314c23acbd1ecf37eb75a71a2f6584d0b02
Status: Downloaded newer image for ansible/centos7-ansible:latest
docker.io/ansible/centos7-ansible:latest
本地镜像仓库
- 作用:用于局域网内使用,方便与其他系统进行集成,上传和下载大镜像方便
- 搭建本地镜像仓库
下载registry镜像
[root@server1 ~]# docker pull registry
Using default tag: latest
latest: Pulling from library/registry
79e9f2f55bf5: Pull complete
0d96da54f60b: Pull complete
5b27040df4a2: Pull complete
e2ead8259a04: Pull complete
3790aef225b9: Pull complete
Digest: sha256:169211e20e2f2d5d115674681eb79d21a217b296b43374b8e39f97fcf866b375
Status: Downloaded newer image for registry:latest
docker.io/library/registry:latest
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos7-nginx v1 e66f7de25290 25 hours ago 437MB
centos7u6-httpd v1 eeaba8b83515 26 hours ago 1.62GB
centos7u6 latest 592ba953c5f9 3 days ago 1.42GB
registry latest b8604a3fe854 4 months ago 26.2MB
centos 7 eeb6ee3f44bd 6 months ago 204MB
xiaotanggao/nginx v1 eeb6ee3f44bd 6 months ago 204MB
ansible/centos7-ansible latest 688353a31fde 5 years ago 447MB
创建registry镜像仓库的挂载点,实现持久化储存
[root@server1 ~]# mkdir /mnt/registry
使用registry镜像启动容器
--restart=always 表达一旦容器挂了,总是重启
[root@server1 ~]# docker run -d -p 5000:5000 -v /mnt/registry:/var/lib/registry --restart=always registry:latest
77dff96850d0d3136781a80a065e3ed61600f01c304ca46f8e737c970acb69ed
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
77dff96850d0 registry:latest "/entrypoint.sh /etc…" 2 minutes ago Up 2 minutes 0.0.0.0:5000->5000/tcp, :::5000->5000/tcp affectionate_gauss
验证
[root@server1 ~]# curl 192.168.139.10:5000/v2/_catalog
{"repositories":[]}
# 显示为空仓库
- 上传至本地镜像仓库
修改/etc/docker/daemon.json
[root@server1 ~]# vim /etc/docker/daemon.json
[root@server1 ~]# cat /etc/docker/daemon.json
{
"insecure-registries": ["http://192.168.139.10:5000"],
"registry-mirrors": ["https://he5z7917.mirror.aliyuncs.com"]
}
[root@server1 ~]# systemctl daemon-reload
[root@server1 ~]# systemctl restart docker
标记上传镜像
[root@server1 ~]# docker tag centos7-nginx:v1 192.168.139.10:5000/centos7-nginx:v1
上传
[root@server1 ~]# docker push 192.168.139.10:5000/centos7-nginx:v1
The push refers to repository [192.168.139.10:5000/centos7-nginx]
271152a56ebf: Pushed
b4f12a07bd95: Pushed
77dbbafd209d: Pushed
174f56854903: Pushed
v1: digest: sha256:8080974be0483ed84c5c5f482e59e10aeb3de680d26372262419783d7a3438c0 size: 1157
查看挂载点
[root@server1 ~]# ls /mnt/registry/
docker
[root@server1 ~]# ls /mnt/registry/docker/registry/v2/repositories/
centos7-nginx
- 其他主机也可使用此仓库
[root@server1 ~]# vim /usr/lib/systemd/system/docker.service
[root@server1 ~]# grep ExecStart /usr/lib/systemd/system/docker.service
# ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecStart=/usr/bin/dockerd
[root@server1 ~]# vim /etc/docker/daemon.json
[root@server1 ~]# cat /etc/docker/daemon.json
{
"insecure-registries": ["http://192.168.139.10:5000"]
}
[root@server1 ~]# systemctl daemon-reload && systemctl restart docker
[root@server1 ~]# docker pull 192.168.139.10:5000/centos7-nginx:v1
Harbor实现通过web管理本地仓库
-
harbor介绍:
- vmware公司开源,使用广泛
- 有良好的中文web管理界面
-
harbor软件获取
-
harbor部署
安装pip3
[root@server1 ~]# yum install -y epel-release.noarch
[root@server1 ~]# yum install -y python3-pip
[root@server1 ~]# pip3 install --upgrade pip
WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3 install --user` instead.
Collecting pip
Downloading https://files.pythonhosted.org/packages/a4/6d/6463d49a933f547439d6b5b98b46af8742cc03ae83543e4d7688c2420f8b/pip-21.3.1-py3-none-any.whl (1.7MB)
100% |████████████████████████████████| 1.7MB 929kB/s
Installing collected packages: pip
Successfully installed pip-21.3.1
下载docker-compose
[root@server1 ~]# pip3 install docker-compose --ignore-install requests
[root@server1 ~]# docker-compose -v
docker-compose version 1.29.2, build unknown
解压harbor
[root@server1 ~]# ls harbor-offline-installer-v2.4.2.tgz
harbor-offline-installer-v2.4.2.tgz
[root@server1 ~]# tar -xf harbor-offline-installer-v2.4.2.tgz
配置
[root@server1 ~]# cd harbor/
[root@server1 harbor]# ls
common.sh harbor.v2.4.2.tar.gz harbor.yml.tmpl install.sh LICENSE prepare
[root@server1 harbor]# cp harbor.yml.tmpl harbor.yml
[root@server1 harbor]# grep -Ev "#|^$" harbor.yml
hostname: 192.168.139.10 主机IP
http:
port: 80 端口
# https: 没有证书,暂时注释
# port: 443
# certificate: /your/certificate/path
# private_key: /your/private/key/path
harbor_admin_password: Harbor12345 默认用户名及密码
database:
password: root123
max_idle_conns: 100
max_open_conns: 900
data_volume: /data
trivy:
ignore_unfixed: false
skip_update: false
offline_scan: false
insecure: false
jobservice:
max_job_workers: 10
notification:
webhook_job_max_retry: 10
chart:
absolute_url: disabled
log:
level: info
local:
rotate_count: 50
rotate_size: 200M
location: /var/log/harbor
_version: 2.4.0
proxy:
http_proxy:
https_proxy:
no_proxy:
components:
- core
- jobservice
- trivy
[root@server1 harbor]# vim /etc/docker/daemon.json
[root@server1 harbor]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://he5z7917.mirror.aliyuncs.com"]
}
[root@server1 harbor]# systemctl daemon-reload
[root@server1 harbor]# systemctl restart docker
配置
[root@server1 harbor]# ./prepare
prepare base dir is set to /root/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
安装
[root@server1 harbor]# ./install.sh
✔ ----Harbor has been installed and started successfully.----
[root@server1 harbor]# docker images|grep goharbor
goharbor/harbor-exporter v2.4.2 ddbe51a2d92c 2 days ago 84.3MB
goharbor/chartmuseum-photon v2.4.2 4c8a43a14da1 2 days ago 175MB
goharbor/redis-photon v2.4.2 61d136910774 2 days ago 158MB
goharbor/trivy-adapter-photon v2.4.2 f32f7db1569e 2 days ago 167MB
goharbor/notary-server-photon v2.4.2 1465d8e1d2e5 2 days ago 112MB
goharbor/notary-signer-photon v2.4.2 547245607828 2 days ago 110MB
goharbor/harbor-registryctl v2.4.2 f43545bdfd12 2 days ago 138MB
goharbor/registry-photon v2.4.2 1927be8b8775 2 days ago 80.8MB
goharbor/nginx-photon v2.4.2 4189bfe82749 2 days ago 47.3MB
goharbor/harbor-log v2.4.2 b2279d3a2ba5 2 days ago 162MB
goharbor/harbor-jobservice v2.4.2 d22f0a749835 2 days ago 222MB
goharbor/harbor-core v2.4.2 672a56385d29 2 days ago 199MB
goharbor/harbor-portal v2.4.2 bc60d9eaf4ad 2 days ago 56.3MB
goharbor/harbor-db v2.4.2 91d13ec46b2c 2 days ago 226MB
goharbor/prepare v2.4.2 d2100ed70ba4 2 days ago 269MB
- 浏览器访问192.168.139.10
- 上传镜像到harbor镜像仓库
重启Harbor:
docker-compose down -v
docker-compose up -d
修改/etc/docker/daemon.json
[root@server1 harbor]# vim /etc/docker/daemon.json
[root@server1 harbor]# cat /etc/docker/daemon.json
{
"insecure-registries": ["http://192.168.139.10"],
"registry-mirrors": ["https://he5z7917.mirror.aliyuncs.com"]
}
重启docker
[root@server1 harbor]# systemctl daemon-reload
[root@server1 harbor]# systemctl restart docker
重启Harbor!!!!!!!!!!!!
[root@server1 harbor]# docker-compose down -v
[root@server1 harbor]# docker-compose up -d
标记待上传镜像
[root@server1 harbor]# docker tag centos7-nginx:v1 192.168.139.10/library/centos7-nginx:v1
登录
[root@server1 harbor]# docker login 192.168.139.10
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
上传
[root@server1 harbor]# docker push 192.168.139.10/library/centos7-nginx:v1
- 其他服务器使用harbor仓库
[root@server1 ~]# vim /usr/lib/systemd/system/docker.service
[root@server1 ~]# grep ExecStart /usr/lib/systemd/system/docker.service
# ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecStart=/usr/bin/dockerd
[root@server1 ~]# vim /etc/docker/daemon.json
[root@server1 ~]# cat /etc/docker/daemon.json
{
"insecure-registries": ["http://192.168.139.10"]
}
[root@server1 ~]# systemctl daemon-reload && systemctl restart docker
[root@server1 ~]# docker pull 192.168.139.10/centos7-nginx:v1
Docker网络
网络介绍
查看
[root@server1 ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
84f49d76ee7a bridge bridge local
97377fbbe546 host host local
0df3a8cad17b none null local
bridge
- 所有容器连接到桥docker0,通过NAT,使容器可以访问外网
- 默认为bridge
[root@server1 harbor]# ip a
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:06:da:1a:80 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:6ff:feda:1a80/64 scope link
valid_lft forever preferred_lft forever
host
- 所有容器与docker host在同一网络中,可以让容器访问外网,外网也能访问容器内的服务
- 如果多容器运行同一服务,会造成端口冲突,不建议生产环境使用,仅测试使用
选择容器运行的网络
[root@server1 ~]# docker run -d --network host centos7-nginx:v1
60fcebc5fcf6e13c9df9049e0bfd2a6fc78dfc858c7414095cb721f037b25736
[root@server1 ~]# docker inspect 60f
# 没有IP
none
- 容器仅有lo网卡,无法连接外网,常在k8s的编排中使用
容器网络|联盟网络
- 容器间共享同一个网络命令空间,实现容器间的数据传输
跨主机容器通信
-
通信工具
- Pipework
- Flannel
- Weave
- Open V Swith(OVS)
- Calico
-
Weave介绍
- 原理:在每个宿主机上布置一个特殊的route容器,不同宿主机上的route容器互联。route会拦截所有普通容器的IP请求,通过udp包发送到其他宿主机中的普通容器上
-
Flannel介绍
- 机制:为集群中的所有节点重新规划IP地址的使用规则,使得不同节点上的容器能够获得同属一个内网且不重复的IP,从而实现不同节点的容器间的通信
- 原理:Flannel是Overlay网络,即覆盖型网络(应用层网络),Flannel为每个主机配置一个IP段和子网个数,通过etcd来维护分配的子网到实际IP地址的映射。对于数据路径,flannel使用udp(udp作为转发协议,可以穿透防火墙)来封装ip数据报,转发到远程主机
-
环境搭建
IP地址 | 主机名 | 部署 |
---|---|---|
192.168.139.10 | server1 | etcd,flannel,docker |
192.168.139.20 | server2 | flannel,docker |
- 环境准备
cat >> /etc/hosts <<EOF
192.168.139.10 server1
192.168.139.20 server2
EOF
yum install -y ntpdate
ntpdate cn.ntp.org.cn
yum install -y flannel
yum install -y etcd
- server1配置
配置etcd
[root@server1 ~]# vim /etc/etcd/etcd.conf
[root@server1 ~]# cat /etc/etcd/etcd.conf |grep -Ev "#|^$"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd" 数据存放位置
ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:2379,http://0.0.0.0:4001" 监听客户端地址
ETCD_NAME="default"
ETCD_ADVERTISE_CLIENT_URLS="http://server1:2379,http://server1:4001" 通知客户端地址
启动etcd
[root@server1 ~]# systemctl start etcd.service
[root@server1 ~]# systemctl enable etcd.service
[root@server1 ~]# ss -tnalp|grep 2379
LISTEN 0 128 [::]:2379 [::]:* users:(("etcd",pid=9752,fd=6))
[root@server1 ~]# ss -tnalp|grep 4001
LISTEN 0 128 [::]:4001 [::]:* users:(("etcd",pid=9752,fd=7))
测试etcd可用性
[root@server1 ~]# etcdctl set testdir/testkey0 1000
1000
[root@server1 ~]# etcdctl get testdir/testkey0
1000
[root@server1 ~]# etcdctl -C http://server1:4001 cluster-health
member 8e9e05c52164694d is healthy: got healthy result from http://server1:2379
cluster is healthy
flannel配置
[root@server1 ~]# grep -Ev "^$|#" /etc/sysconfig/flanneld
FLANNEL_ETCD_ENDPOINTS="http://server1:2379"
FLANNEL_ETCD_PREFIX="/atomic.io/network" 默认前缀
在etcd中添加网段
[root@server1 ~]# etcdctl mk /atomic.io/network/config '{ "Network": "172.100.0.0/16"}'
{ "Network": "172.100.0.0/16"}
[root@server1 ~]# etcdctl get /atomic.io/network/config
{ "Network": "172.100.0.0/16"}
启动flannel
[root@server1 ~]# systemctl start flanneld.service
[root@server1 ~]# systemctl enable flanneld.service
[root@server1 ~]# ip a
6: flannel0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1472 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet 172.100.34.0/16 scope global flannel0
valid_lft forever preferred_lft forever
inet6 fe80::f1c:4b4a:9877:38a1/64 scope link flags 800
valid_lft forever preferred_lft forever
配置docker
[root@server1 ~]# cat /run/flannel/subnet.env
FLANNEL_NETWORK=172.100.0.0/16
FLANNEL_SUBNET=172.100.34.1/24 #bip
FLANNEL_MTU=1472
FLANNEL_IPMASQ=false
[root@server1 ~]# vim /etc/docker/daemon.json
[root@server1 ~]# cat /etc/docker/daemon.json
{
"insecure-registries": ["http://192.168.139.10"],
"registry-mirrors": ["https://he5z7917.mirror.aliyuncs.com"],
"bip": "172.100.34.1/24",
"mtu": 1472
}
重启docker
[root@server1 ~]# systemctl daemon-reload
[root@server1 ~]# systemctl restart docker
[root@server1 ~]# ip a
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:e2:79:c1:5f brd ff:ff:ff:ff:ff:ff
inet 172.100.34.1/24 brd 172.100.34.255 scope global docker0
valid_lft forever preferred_lft forever
6: flannel0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1472 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet 172.100.34.0/16 scope global flannel0
valid_lft forever preferred_lft forever
inet6 fe80::f1c:4b4a:9877:38a1/64 scope link flags 800
valid_lft forever preferred_lft forever
启动容器
[root@server1 ~]# docker run -it centos:7
[root@bcb13dfe7fad /]# [root@server1 ~]#
[root@server1 ~]# docker inspect bcb
"IPAddress": "172.100.34.2",
- server2配置
配置flannel
[root@server2 ~]# vim /etc/sysconfig/flanneld
[root@server2 ~]# grep -Ev "^$|#" /etc/sysconfig/flanneld
FLANNEL_ETCD_ENDPOINTS="http://server1:2379"
FLANNEL_ETCD_PREFIX="/atomic.io/network"
启动flannel
[root@server2 ~]# systemctl start flanneld.service
[root@server2 ~]# systemctl enable flanneld.service
获取subnet信息
[root@server2 ~]# cat /run/flannel/subnet.env
FLANNEL_NETWORK=172.100.0.0/16
FLANNEL_SUBNET=172.100.30.1/24
FLANNEL_MTU=1472
FLANNEL_IPMASQ=false
配置docker
[root@server2 ~]# vim /etc/docker/daemon.json
[root@server2 ~]# cat /etc/docker/daemon.json
{
"insecure-registries": ["http://192.168.139.10"],
"registry-mirrors": ["https://he5z7917.mirror.aliyuncs.com"],
"bip": "172.100.30.1/24",
"mtu": 1472
}
重启docker
[root@server2 ~]# systemctl restart docker
[root@server2 ~]# ip a
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:49:14:48:21 brd ff:ff:ff:ff:ff:ff
inet 172.100.30.1/24 brd 172.100.30.255 scope global docker0
valid_lft forever preferred_lft forever
6: flannel0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1472 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet 172.100.30.0/16 scope global flannel0
valid_lft forever preferred_lft forever
inet6 fe80::6d73:fc5d:fa63:1792/64 scope link flags 800
valid_lft forever preferred_lft forever
启动容器
[root@server2 ~]# docker pull centos:7
[root@server2 ~]# docker run -it centos:7
[root@94d7627a4b9b /]# [root@server2 ~]#
[root@server2 ~]# docker inspect 94d
"IPAddress": "172.100.30.2",
- 互通测试
[root@server1 ~]# docker exec bcb ping -c 2 172.100.30.2
PING 172.100.30.2 (172.100.30.2) 56(84) bytes of data.
64 bytes from 172.100.30.2: icmp_seq=1 ttl=60 time=3.40 ms
64 bytes from 172.100.30.2: icmp_seq=2 ttl=60 time=1.55 ms
--- 172.100.30.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1005ms
rtt min/avg/max/mdev = 1.556/2.481/3.406/0.925 ms
[root@server2 ~]# docker exec 94d ping -c 2 172.100.34.2
PING 172.100.34.2 (172.100.34.2) 56(84) bytes of data.
--- 172.100.34.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1002ms
现象:server1内的容器可以ping通server2
server2内的容器不能ping通server1
原因:server1中防火墙引起的,FORWARD链默认规则为DROP
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-T8bbzZXQ-1647588683111)(%E5%AE%B9%E5%99%A8.assets/image-20220318152641746.png)]
解决:将FORWARD链默认规则改为ACCEPT
[root@server1 ~]# iptables -P FORWARD ACCEPT
[root@server1 ~]# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
oot@server2 ~]#
[root@server2 ~]# docker inspect 94d
“IPAddress”: “172.100.30.2”,
- 互通测试
```powershell
[root@server1 ~]# docker exec bcb ping -c 2 172.100.30.2
PING 172.100.30.2 (172.100.30.2) 56(84) bytes of data.
64 bytes from 172.100.30.2: icmp_seq=1 ttl=60 time=3.40 ms
64 bytes from 172.100.30.2: icmp_seq=2 ttl=60 time=1.55 ms
--- 172.100.30.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1005ms
rtt min/avg/max/mdev = 1.556/2.481/3.406/0.925 ms
[root@server2 ~]# docker exec 94d ping -c 2 172.100.34.2
PING 172.100.34.2 (172.100.34.2) 56(84) bytes of data.
--- 172.100.34.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1002ms
现象:server1内的容器可以ping通server2
server2内的容器不能ping通server1
原因:server1中防火墙引起的,FORWARD链默认规则为DROP
解决:将FORWARD链默认规则改为ACCEPT
[root@server1 ~]# iptables -P FORWARD ACCEPT
[root@server1 ~]# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
[root@server2 ~]# docker exec 94d ping -c 2 172.100.34.2
PING 172.100.34.2 (172.100.34.2) 56(84) bytes of data.
64 bytes from 172.100.34.2: icmp_seq=1 ttl=60 time=1.15 ms
64 bytes from 172.100.34.2: icmp_seq=2 ttl=60 time=1.61 ms
--- 172.100.34.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1004ms
rtt min/avg/max/mdev = 1.151/1.382/1.614/0.234 ms