Docker container

2025-01-21 Update From: SLTechnology News&Howtos (Servers)

Shulou (Shulou.com) 06/02 Report

1. Docker installation

If you are installing Docker on CentOS, it is recommended to use the CentOS 7 series.

Install dependency packages

yum install -y yum-utils device-mapper-persistent-data lvm2

Add Docker package source

yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

Install Docker CE

yum install docker-ce -y

Start

systemctl start docker

Enable start on boot

systemctl enable docker

View Docker information

docker info

Configure a Docker image mirror (accelerator)

curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://bc437cce.m.daocloud.io

Docker connects to the official image registry abroad by default. Access varies from network to network, is sometimes slow, and pulls are very slow most of the time. To improve efficiency, you can either build your own registry or switch to a domestic mirror source to speed up image pulls.

vim /etc/docker/daemon.json

{
  "registry-mirrors": ["https://pee6w651.mirror.aliyuncs.com"]
}

systemctl restart docker

2. Docker management

2.1 Create an nginx container and run it in the background

docker container run -d nginx

2.2 List the currently running containers

docker container ls

Specify the container name and hostname, and set an environment variable

docker container run -d --name nginx01 -e TEST=123 -h nginx01 nginx

2.3 Enter the container to check

docker container exec -it nginx01 bash

root@nginx01:/# echo $TEST

123

root@nginx01:/# hostname

nginx01

2.4 Expose the container to users

docker container run -d --name nginx02 -p 88:80 nginx

[root@salt-master ~]# netstat -tnlp | grep 88

tcp6 0 0 :::88 :::* LISTEN 23224/docker-proxy

The service can then be visited in a browser on port 88 of the host (screenshot not reproduced here).

2.5 Container resource management

Containers are dense: a large number of them are started on one host. Without resource limits on containers, some container will inevitably consume a lot of resources and exhaust the host. The common resource-limit options are listed below.

The resource-limit options that can be used with the docker run command are as follows:

Option: description

--memory: memory limit. The format is a number plus a unit, and the unit can be b, k, m or g. The minimum is 4m.

--memory-swap: the amount of memory allowed to be swapped to disk.

--memory-swappiness: the percentage of the container's memory that may be swapped to the swap partition (0-100, default -1).

--oom-kill-disable: whether to prevent the OOM killer from killing the container. Not set by default.

--oom-score-adj: the container's priority for the OOM killer. The range is [-1000, 1000]; the default is 0.

--kernel-memory: kernel memory limit. The format is the same as above; the minimum is 4m.

--cpuset-cpus="": the set of CPUs the container is allowed to use, for example 0-3 or 0,1.

--cpus: the number of CPUs the container can use.

Limit container memory usage

docker container run -d --name nginx03 --memory='100m' --memory-swap='100m' --oom-kill-disable nginx

View the container's current memory limit and usage

[root@salt-master]# docker stats --no-stream nginx03

CONTAINER ID   NAME      CPU %     MEM USAGE / LIMIT     MEM %     NET I/O     BLOCK I/O     PIDS
01fde633ae01   nginx03   0.005%    3.691MiB / 100MiB     3.69%     648B / 0B   2.1MB / 0B    2

CPU quota

Allow the container to use at most 50% of one CPU

[root@salt-master]# docker container run -d --name nginx04 --cpus=".5" nginx

Recommendation: set a memory limit first and then disable the OOM killer, and keep CPU use to no more than 50%.
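As an added example (not part of the original post): a Python script that parses docker stats --no-stream output like the table above and flags containers that run without a memory limit (their LIMIT equals the host's RAM) or that are close to the limit they have. The sample stats output and the 3.7 GiB host RAM figure are constructed for the demonstration.

```python
import re

# Constructed sample of `docker stats --no-stream` output (not from the page's host).
# nginx03 was started with --memory=100m; nginx05 has no limit, so LIMIT is host RAM.
SAMPLE_STATS = """\
CONTAINER ID   NAME      CPU %     MEM USAGE / LIMIT     MEM %     NET I/O       BLOCK I/O     PIDS
01fde633ae01   nginx03   0.005%    3.691MiB / 100MiB     3.69%     648B / 0B     2.1MB / 0B    2
9a2c0b4d1e11   nginx05   0.01%     1.2GiB / 3.7GiB       32.43%    1.2kB / 0B    0B / 0B       5
"""

HOST_MEM_BYTES = int(3.7 * 1024 ** 3)  # assumed host RAM, chosen to match the sample

# docker stats prints binary units for memory; decimal units appear in the I/O columns
UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3,
         "kB": 1000, "MB": 1000 ** 2, "GB": 1000 ** 3}


def to_bytes(text):
    """Convert a size such as '3.691MiB' or '648B' into an integer number of bytes."""
    m = re.fullmatch(r"([0-9.]+)\s*([A-Za-z]+)", text.strip())
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_stats(output):
    """Split the table on runs of 2+ spaces and return one dict per container."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, re.split(r"\s{2,}", line.strip())))
        usage, limit = (to_bytes(p) for p in row["MEM USAGE / LIMIT"].split("/"))
        row["mem_usage_bytes"], row["mem_limit_bytes"] = usage, limit
        rows.append(row)
    return rows


def audit(rows, host_mem=HOST_MEM_BYTES, warn_pct=80.0):
    """Return {container name: [issues]}; an empty list means the container is fine."""
    findings = {}
    for r in rows:
        issues = []
        # A container without --memory reports the host's total RAM as its limit
        if abs(r["mem_limit_bytes"] - host_mem) < host_mem * 0.01:
            issues.append("no memory limit (LIMIT equals host RAM)")
        pct = 100.0 * r["mem_usage_bytes"] / r["mem_limit_bytes"]
        if pct >= warn_pct:
            issues.append(f"{pct:.1f}% of limit used")
        findings[r["NAME"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(parse_stats(SAMPLE_STATS)).items():
        print(name, "OK" if not issues else "; ".join(issues))
```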

3. Summary of docker commands commonly used in production environment

3.1 docker info

Displays Docker system information, including images and number of containers.

docker version displays Docker version information

3.2 docker pull

Download an image from the Docker registry

For example: docker pull docker.io/nginx

3.3 docker run

Start a container from the nginx image with docker run and boot into the /bin/bash interpreter

docker run -itd docker.io/nginx /bin/bash

-i: interactive mode

-t: allocate a tty terminal

-d: daemon, i.e. start in the background

Start a container from the nginx image with docker run, boot into the /bin/bash interpreter, and map host port 80 to container port 80

docker run -p 80:80 -itd docker.io/nginx /bin/bash

-p: port mapping; the first 80 is the port the host listens on and the second 80 is the port the container listens on

Enter the host IP followed by port 80 in the browser to access the service on port 80 inside the container.

3.4 docker images

View a list of downloaded local docker images

3.5 docker ps

View the currently running containers; docker ps -a views all containers on the current Linux system, including running and stopped ones.

3.6 docker search

Search for images in the Docker registry

For example: docker search nginx, docker search tomcat

3.7 docker inspect

docker inspect <container ID> views the details of a container

docker exec

Commands for operating inside a Docker container

For example, run the instruction df -h inside the container:

[root@salt-master]# docker exec 1c1d2d958de9 df -h
Filesystem           Size  Used  Avail  Use%  Mounted on
overlay              17G   7.5G  9.6G   44%   /
tmpfs                64M   0     64M    0%    /dev
tmpfs                493M  0     493M   0%    /sys/fs/cgroup
/dev/mapper/cl-root  17G   7.5G  9.6G   44%   /etc/hosts
shm                  64M   0     64M    0%    /dev/shm
tmpfs                493M  0     493M   0%    /proc/acpi
tmpfs                493M  0     493M   0%    /proc/scsi
tmpfs                493M  0     493M   0%    /sys/firmware

docker exec -it 1c1d2d958de9 /bin/bash enters the container for interactive use

3.8 docker kill

Kills a running container

docker kill 1c1d2d958de9

3.9 docker rm

Delete a specified stopped container; with the -f parameter, force the deletion of a specified running container

3.10 docker rmi

Remove an image from the docker images list

There are other commands, as follows:

docker push: pushes the specified image or repository to the registry server

docker history: shows how an image was formed, layer by layer

docker attach: attaches the current shell to the specified running container

docker build: builds a custom image from a Dockerfile, for example docker build .

docker commit: commits the current container as a new image

docker cp: copies the specified file or directory from the container to the host

docker create: creates a new container, like run, but does not start it

docker diff: views changes made to the container's file system

docker events: receives real-time container events from the Docker service

docker export: exports the container's contents as a tar archive [corresponds to import]

docker import: creates a new file system image from the contents of a tar package [corresponds to export]

docker load: loads an image from a tar package [corresponds to save]

docker login: registers with or logs in to a registry server

docker logout: logs out of a Docker registry

docker logs: outputs the current container's log

docker port: views the container's internal port that a mapped port corresponds to

docker pause: pauses a container

docker restart: restarts a running container

docker save: saves an image as a tar package [corresponds to load]

docker tag: tags an image in the registry

docker top: views the processes running inside the container

docker unpause: unpauses a container

docker wait: blocks until the container stops and then returns its exit status

4. How Docker images work

A complete Docker image can support the operation of a Docker container; it mainly provides file system data while the container runs. A Docker image is hierarchical and consists of multiple layers, each of which stores software that implements some function. As the most basic concept in Docker, an image has the following features:

1) Images are layered; each image consists of one or more image layers.

2) A new image can be obtained by adding a layer to an existing image.

3) Images are created by writing a Dockerfile or by committing a container.

4) Each image layer has a unique ID; by default the Docker engine identifies images by image ID.

5) Images share identical layers in storage and in use; when an image is pulled, layers that already exist locally are skipped automatically.

6) Each image layer is read-only. Even when started as a container it cannot really be modified; modifications only affect the topmost container layer.

The figure (not reproduced here) shows a complete Docker container system:

A Docker container is one or more running processes, which occupy the corresponding memory, CPU, virtual network devices and file system resources. The file system resources consumed by a container are provided by the image layer files of the Docker image. From the JSON file of each image, Docker can learn what process should be run for this image and what environment variables should be configured for it; the Docker daemon then turns this static description into a running, dynamic container.

Docker virtualization is also an application of the C/S (Client/Server) structure, as shown in the figure (not reproduced here).

The figure is a complete architecture diagram of Docker virtualization, including the following components:

1) Docker Server is a resident process

2) REST API implements the interaction protocol between client and server.

3) Docker CLI implements the management of containers and images, providing users with a unified operation interface

4) Images provides unified underlying storage of software and files for containers.

5) Container is the product of Docker virtualization and is directly used in production.

6) Network provides complete network communication for Docker container

7) Volume provides additional disks and file storage objects for the Docker container.

5. Best practices for Dockerfile image management and optimization

Although there are hundreds of thousands of free images in the official registry, they cannot meet every company's business needs, so we need to build our own images.

Docker can build images automatically from a Dockerfile, a text document containing all the commands a user would run on the command line to assemble an image. The build runs automatically with docker build.

Official documentation: https://docs.docker.com/engine/reference/builder/

Docker builds an image automatically by reading the Dockerfile, a text file that contains, in order, all the commands needed to build the given image. A Dockerfile follows a specific format and instruction set, illustrated by the examples below.

5.1 Build the nginx base image

Write the Dockerfile. The content of Dockerfile-nginx is as follows:

FROM centos:7
MAINTAINER https://blog.51cto.com/tuwei
RUN yum install -y gcc gcc-c++ make \
    openssl-devel pcre-devel gd-devel libxslt-devel \
    iproute net-tools telnet wget curl && \
    yum clean all && \
    rm -rf /var/cache/yum/
RUN wget http://nginx.org/download/nginx-1.14.2.tar.gz && tar xf nginx-1.14.2.tar.gz && cd nginx-1.14.2 && ./configure --prefix=/usr/local/nginx \
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-http_realip_module \
    --with-http_image_filter_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_secure_link_module \
    --with-http_stub_status_module \
    --with-stream \
    --with-stream_ssl_module && \
    make -j 4 && make install && \
    mkdir -p /usr/local/nginx/conf/vhost && \
    rm -rf /usr/local/nginx/html/* && \
    echo "ok" > /usr/local/nginx/html/status.html && \
    rm -rf ../nginx-1.14.2
ENV PATH $PATH:/usr/local/nginx/sbin
WORKDIR /usr/local/nginx
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]

Build: docker build -t nginx-114 -f Dockerfile-nginx .

5.2 Build the PHP image

The content of Dockerfile-php is as follows:

FROM centos:7
MAINTAINER https://blog.51cto.com/tuwei
RUN yum install epel-release -y && \
    yum install -y gcc gcc-c++ make gd-devel libxml2-devel \
    libcurl-devel libjpeg-devel libpng-devel openssl-devel \
    libmcrypt-devel libxslt-devel libtidy-devel autoconf \
    iproute net-tools telnet wget curl && \
    yum clean all && \
    rm -rf /var/cache/yum/
RUN wget http://docs.php.net/distributions/php-5.6.36.tar.gz && \
    tar zxf php-5.6.36.tar.gz && \
    cd php-5.6.36 && \
    ./configure --prefix=/usr/local/php \
    --with-config-file-path=/usr/local/php/etc \
    --with-config-file-scan-dir=/usr/local/php/etc/php.d \
    --enable-fpm --enable-opcache --enable-static=no \
    --with-mysql --with-mysqli --with-pdo-mysql \
    --enable-phar --with-pear --enable-session \
    --enable-sysvshm --with-tidy --with-openssl \
    --with-zlib --with-curl --with-gd --enable-bcmath \
    --with-jpeg-dir --with-png-dir --with-freetype-dir \
    --with-iconv --enable-posix --enable-zip \
    --enable-mbstring --with-mhash --with-mcrypt --enable-hash \
    --enable-xml --enable-libxml --enable-debug=no && \
    make -j 4 && make install && \
    cp php.ini-production /usr/local/php/etc/php.ini && \
    cp sapi/fpm/php-fpm.conf /usr/local/php/etc/php-fpm.conf && \
    sed -i "90a\ daemonize = no" /usr/local/php/etc/php-fpm.conf && \
    mkdir /usr/local/php/log && \
    rm -rf ../php*
ENV PATH $PATH:/usr/local/php/sbin
WORKDIR /usr/local/php
EXPOSE 9000
CMD ["php-fpm"]

Build:

docker build -t php-56 -f Dockerfile-php .

5.3 Project image

With the base images in place, the project can be packaged into a new image.

[root@localhost project]# cat Dockerfile-nginx
FROM nginx-114
COPY nginx.conf /usr/local/nginx/conf/

[root@localhost project]# cat Dockerfile-php
FROM php-56
COPY wwwroot /wwwroot
CMD ["php-fpm"]

Nginx configuration file, with PHP handling added:

[root@localhost project]# cat nginx.conf
user nobody;
worker_processes 1;
error_log logs/error.log info;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    sendfile on;
    keepalive_timeout 65;

    server {
        listen 80;
        server_name localhost;
        access_log logs/host.access.log main;

        location / {
            root html;
            index index.html index.htm;
        }

        location ~ \.php$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
}

Deployment:

docker network create lnmp
docker volume create wwwroot
docker container run -d --name lnmp_nginx -p 88:80 --net lnmp --mount src=wwwroot,dst=/usr/local/nginx/html nginx:v1
docker container run -d --name lnmp_php --net container:lnmp_nginx --mount src=wwwroot,dst=/usr/local/nginx/html php:v1

When creating the PHP container, it joins the network of the Nginx container (--net container:lnmp_nginx), so Nginx can proxy to PHP-FPM at 127.0.0.1:9000.

5.5 Best practices for writing a Dockerfile

5.5.1 Reduce the number of image layers

Each RUN instruction forms a new layer, so write shell commands on one line where possible to reduce the number of image layers.

5.5.2 Optimize image size: clean up useless data

Once a RUN instruction forms a new layer, a file that is not deleted within that same layer is carried into the next layer regardless of whether it is deleted later. Clean up residual data in each layer to reduce the image size.

5.5.3 Reduce network transfer time

It is best to have an internal location for storing software packages, playing the role of the official PHP download address used above. If a build step such as Maven is involved, switch it to a private Maven repository as well, to reduce network transfer time and speed up image builds.

5.5.4 Multi-stage image builds

Above, we ran a project by copying the code directly into the base image. What if the project needs to be compiled first, as with Java? How do we compile the code and deploy it in one go?

The practice above requires first building a base image from one Dockerfile, including the project's runtime environment and dependent libraries, and then writing another Dockerfile that copies the project into that runtime environment, which is somewhat cumbersome.

For languages like Java, compiling inside the Dockerfile means the source code also ends up in the image, while only the built package is needed at runtime; this carries a security risk and increases the image size.

To solve these problems, Docker 17.05 began to support multi-stage builds, which simplify the Dockerfile and reduce the image size.

For example, build the image of a Java project:

git clone https://github.com/b3log/solo.git
cd solo
vi Dockerfile

FROM maven AS build
ADD ./pom.xml pom.xml
ADD ./src src/
RUN mvn clean package

FROM tomcat-85
RUN rm -rf /usr/local/tomcat/webapps/ROOT
COPY --from=build target/*.war /usr/local/tomcat/webapps/ROOT.war
CMD ["catalina.sh", "run"]

Build: docker build -t solo:v1 -f Dockerfile-solo .

docker container run -d -v /usr/local/jdk1.8:/usr/local/jdk solo:v1

First, an AS keyword is added after the first FROM to give this stage a name.

Then, the second FROM uses the Tomcat image built above, and COPY gets a --from parameter, which copies files from the named stage into the current stage. That completes the Dockerfile.

Summary: a small image has many benefits, such as faster deployment and faster rollback, which shortens service outage time, and it takes up less disk space in the image registry.

6. Building an enterprise private registry with Harbor

Besides the plain Registry, Harbor can also be used to build a Docker registry.

The disadvantages of the plain Registry are as follows:

Lack of an authentication mechanism: anyone can pull and push images at will, which is insecure. Lack of an image cleanup mechanism: images can be pushed but not deleted, so over time they take up more and more space. Lack of a corresponding scaling mechanism.

Because of these shortcomings, the plain docker registry is usually not used directly to serve images in a production environment.

6.1 Introduction to Harbor

Harbor is an enterprise-class Registry server for storing and distributing Docker images. It extends the open source Docker Distribution by adding features an enterprise needs, such as security, identity and management.

As an enterprise-class private Registry server, Harbor provides better performance and security, improving the efficiency of transferring images when users build and run environments with a Registry. Harbor supports replicating image resources across multiple Registry nodes, and all images are stored in the private Registry, ensuring that data and intellectual property stay under control within the company's internal network. In addition, Harbor provides advanced security features such as user management, access control and activity auditing.

6.2 Harbor deployment

There are two ways to deploy Harbor: offline and online installation. Offline installation is chosen here.

6.2.1 Install the Docker Compose orchestration tool

yum install epel-release -y
yum install python-pip -y
pip install --upgrade pip
pip install docker-compose

6.2.2 Download Harbor, extract it and install

Download the offline installation package from the Internet, unzip it, modify the Harbor configuration file harbor.cfg (set hostname to the local IP address), and then run the install script.

Other Docker clients that need to upload images to the Harbor registry must add the Harbor address to their Docker registry configuration.

vim /usr/lib/systemd/system/docker.service

ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry=192.168.56.134, where the address added with --insecure-registry is the Harbor address. Then restart the docker service.
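An added example (not from the original post): a Python audit that extracts every --insecure-registry host from the dockerd ExecStart line and from daemon.json, since that flag makes the daemon accept plain HTTP and untrusted certificates for that host, so images pulled from it can be altered in transit. The inputs are constructed; the suggested fix in the findings assumes Harbor is served over TLS with its CA installed under /etc/docker/certs.d/<host>/ca.crt, which is the Docker client's trust directory for registries.

```python
import json
import re
import shlex

# Constructed inputs (not copied from a real host): the ExecStart line shaped like the
# one above, plus a daemon.json that lists another insecure registry.
EXECSTART_LINE = ("ExecStart=/usr/bin/dockerd -H fd:// "
                  "--containerd=/run/containerd/containerd.sock "
                  "--insecure-registry=192.168.56.134")
DAEMON_JSON = ('{"registry-mirrors": ["https://pee6w651.mirror.aliyuncs.com"], '
               '"insecure-registries": ["10.0.0.5:5000"]}')


def insecure_from_execstart(line):
    """Collect hosts passed to dockerd as --insecure-registry=HOST or --insecure-registry HOST."""
    argv = shlex.split(line.partition("=")[2])   # drop the 'ExecStart=' key
    hosts, i = [], 0
    while i < len(argv):
        if argv[i] == "--insecure-registry" and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        m = re.fullmatch(r"--insecure-registry=(.+)", argv[i])
        if m:
            hosts.append(m.group(1))
        i += 1
    return hosts


def insecure_from_daemon_json(text):
    """Read the 'insecure-registries' list from daemon.json (empty if absent)."""
    return list(json.loads(text).get("insecure-registries", []))


def audit_registry_config(execstart, daemon_json):
    """Return one finding per host for which TLS verification has been disabled."""
    hosts = insecure_from_execstart(execstart) + insecure_from_daemon_json(daemon_json)
    return [f"{h}: --insecure-registry allows plain HTTP and untrusted certs; "
            f"serve it over TLS and install its CA at /etc/docker/certs.d/{h}/ca.crt"
            for h in sorted(set(hosts))]


if __name__ == "__main__":
    for finding in audit_registry_config(EXECSTART_LINE, DAEMON_JSON):
        print(finding)
```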

After the Harbor registry is built, you can create a project and register members; other Docker clients can then log in to the Harbor registry.

For example: docker login 192.168.56.134/library. To upload an image to the Harbor registry, retag the image after logging in, for example:

docker tag centos:7 192.168.56.134/library/centos:7

Push the image to the Harbor registry:

docker push 192.168.56.134/library/centos:7

View the Harbor registry (screenshot not reproduced here).

An enterprise production environment generally uses Jenkins to pull the code, package it into a Docker image and upload it to the Harbor registry, and then pulls the image from Harbor to deploy it to the actual environment.
