2025-03-31 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/03 Report--
This article is a summary of what I learned while studying the docker system. I believe most people are not familiar with operating docker, so this article covers both the concepts of docker and the operation steps in detail. Let's read on.
Download address
http://www.linuxidc.com/Linux/2014-01/95513.htm
After installing as described at the address above, docker will not start. After running yum update device-mapper*, it starts normally.
Compatibility between linux and docker version
uname -r
yum update
yum remove docker docker-common docker-selinux docker-engine
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum list docker-ce --showduplicates | sort -r
yum install docker-ce
systemctl start docker
systemctl enable docker
docker version
The image cannot be deleted:
cd /var/lib/docker/image/overlay2
cat repositories.json
{"Repositories": {}}
rm imagedb/content/sha256/*
rm layerdb/sha256/*
systemctl restart docker
Concept
hostos: host operating system
guestos: virtual machine operating system
I. Host-level virtualization
1. Full virtualization: vmware, kvm, xen (hvm)
|--guestos--|
|--vmm--|
|--hostos--|
|--hardware--|
2. Paravirtualization: xen, uml. The hypervisor (vmm) runs directly on the hardware layer
|--guestos (modified)--|
|--vmm--|
|--hardware--|
3. Emulation: qemu
II. User space virtualization (container)
lxc, openvz, solaris containers, freebsd jails
III. Library virtualization
wine, cygwin
IV. Application virtualization
jvm, pvm
User space virtualization (container)
chroot + 6 namespaces + cgroups = containers
lxc, openvz, solaris containers, freebsd jails
Isolation: namespaces: uts (hostname and domain name), mount, ipc, pid, user, net. The user namespace was added to the kernel after kernel 3.8.
Control groups (cgroups): a process resource restriction mechanism provided by the Linux kernel to group resources.
lxc: linux container
Docker is an enhanced version of lxc
Layered union mount: each layer is read-only, such as the system layer and the application layer. The layers are stacked to form the container. For writes, a read-write layer is added on top. If you delete something that belongs to a read-only layer, it is only marked as not visible. Containers share the read-only layers.
To make migration easy, do not store useful data inside the container; mount a shared network or distributed storage system if necessary.
Basic usage
Docker architecture: C/S (client/server) architecture
The components communicate over http/https; https is the default.
Client: docker build
docker pull
docker run
Docker host: docker daemon
Containers
Images
Registry: authentication + repositories + other components
Repository: repository name + tag uniquely identifies an image (nginx:1.1/nginx:latest; nginx:1.0/nginx:stable)
Images: static
Containers: dynamic, with a lifecycle
Docker objects: images, containers, networks, volumes, plugins. These objects can be created, deleted, changed and queried.
Installation: kernel 3.10+ (must be greater than 3.8)
yum install docker-ce # Note: yum install docker uses the package in extras
systemctl start docker.service
Configuration file: /etc/docker/daemon.json
Docker image acceleration:
Docker cn
Aliyun accelerator
University of Science and Technology of China
cat /etc/docker/daemon.json displays the following:
{"registry-mirrors": ["https://registry.docker-cn.com"]}
Docker command:
Format 1: docker command
Format 2: docker group command
docker version
docker info
docker search nginx
docker image pull nginx:1.14-alpine
docker image ls
docker image ls --no-trunc # displays full image id information
docker image rm nginx:1.14-alpine # same as docker rmi
docker container create
docker container start
docker container stop
docker container kill
docker container rm
docker container run # create and run
docker run [options] image [command] [arg...]
docker run --name wbl -it busybox:latest # -it is the terminal interaction mode
docker run --name wbl2 -d busybox:latest # -d is the background running mode
docker network ls
docker ps # view the list of running containers
docker ps -a # view the list of all containers
docker container ls
docker container ls -a
docker run -a # -a, --attach=[] log in to the container (must be a container started with docker run -d)
docker inspect wbl # view container details
docker start -ai wbl # a is attach, i is interactive; starts the container
docker kill wbl # equivalent to kill -9
docker rm wbl # delete the container
# Note: the program in the container must not run in the background, otherwise the container will be terminated
docker exec -it wbl /bin/sh # enter the running container
docker logs wbl # view the log of the container. The process in the container does not write its log to a file; it outputs to the console.
Image introduction:
The docker image contains the file system and its contents needed to boot the container. It is used to create and start containers.
Docker images are layered: bootfs and rootfs
bootfs: the boot file system, including the bootloader and kernel; it is unmounted after the container is started.
rootfs: sits on top of bootfs and represents the root file system of the docker container; it is mounted in read-only mode, and a writable layer is then added on top through union mount.
At startup, the layers are union-mounted one by one from the bottom layer up, and read-only is not shared with other containers. The top layer is the writable layer. The writable layer can be deleted when the container is deleted.
Union mount requires a dedicated layered file system: aufs, overlayfs, overlay2fs, btrfs, devicemapper
docker info shows the storage type in use
When launching a container, docker daemon first tries to find the image locally. If the local image does not exist, it is downloaded from the registry and saved locally.
docker client --http--> docker daemon --https--> docker registry
Docker registry classification:
sponsor registry: third party, for customers and the docker community
mirror registry: third party, for customers only
vendor registry: provided by the vendor that publishes the docker image
private registry: self-built, for a private entity with a firewall.
A registry consists of:
1) repository: a registry has multiple repositories; a repository is either a top-level repository (such as nginx) or a user repository (wbl/nginx), and each repository can have multiple tags
2) index: maintains user accounts, image verification and public information, and provides the search function for the registry.
Images in a docker registry are usually created by developers and then pushed to a public or private registry for use by others.
Docker hub functions:
image repositories:
automated builds: can be based on a dockerfile or a commit
webhooks:
organizations:
docker pull [:] / [/]:
git -> git hub -> docker hub -> docker repository
Other image registries: quay.io: docker pull quay.io/coreos/flannel
The ways to generate images:
Dockerfile
Based on a container
Docker hub automated builds
Dockerfile --build--> images --push--> docker registry
images backup.tar images
container images
vethxx docker0 (nat) -> physical machine NIC ip # enable ip forward
host mode: the container shares the physical NIC ip of the host
To ensure the safety of the container.
1 move to the network namespace R1
ip netns exec R1 ifconfig -a
ip netns exec R1 ip link set dev veth2.1 name eth0 # change the name of the network card in namespace R1
ip netns exec R1 ifconfig eth0 192.168.5.1 up
Exposing ports with docker command parameters
Bridge mode:
docker port wbl # displays the port mappings of the specified container
docker -p # maps a container port to a host port and address
-p 80 # container port 80 is mapped to a random port on the host network card
docker -P # capital P maps all ports exposed by the container to host ports. The container is 80 and the host is 80.
docker run --name wbl2 -p hostip::80 wbl:v.1 # maps a random port on the given host ip to port 80 of the container
docker run --name wbl2 -p hostip:80:80 wbl:v.1 # maps port 80 on the given host ip to port 80 of the container
docker run --name wbl2 -p 80:80 wbl:v.1 # maps port 80 on all host ips to port 80 of the container
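The -p forms above differ in which host addresses end up listening. The following added example (not from the original article) parses each form and classifies its reach; the function names are hypothetical, and it assumes IPv4 host addresses and single ports rather than ranges.

```python
import ipaddress

def parse_publish(spec):
    """Parse one `docker run -p` value into its host and container parts."""
    body, _, proto = spec.partition("/")
    parts = body.split(":")
    if len(parts) == 1:        # "80": random host port
        host_ip, host_port, ctr_port = None, None, parts[0]
    elif len(parts) == 2:      # "80:80"
        host_ip, host_port, ctr_port = None, parts[0], parts[1]
    elif len(parts) == 3:      # "hostip::80" or "hostip:80:80"
        host_ip, host_port, ctr_port = parts[0], parts[1] or None, parts[2]
    else:
        raise ValueError("unsupported publish spec: " + spec)
    return {"host_ip": host_ip, "host_port": host_port,
            "container_port": int(ctr_port), "proto": proto or "tcp"}

def exposure(spec):
    """Classify how widely a published port is reachable on the host."""
    ip = parse_publish(spec)["host_ip"]
    # No host ip given means docker listens on every host interface.
    if ip is None or ipaddress.ip_address(ip).is_unspecified:
        return "all-interfaces"
    if ipaddress.ip_address(ip).is_loopback:
        return "loopback-only"
    return "single-address"

if __name__ == "__main__":
    # Constructed sample values covering the forms listed above.
    for spec in ("80", "80:80", "127.0.0.1::80",
                 "192.168.74.1:80:80", "0.0.0.0:53:53/udp"):
        print(spec, parse_publish(spec), exposure(spec))
```

Forms without a host ip are the ones to review on hosts that have a public interface.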
Host mode:
docker run --name wbl2 --network host wbl:v.1
Container mode:
docker run --name wbl2 --network container:wbl1 wbl:v.1 # share the network namespace of container wbl1
None:
docker run --name wbl2 --network none wbl:v.1
Modify the default ip address of the docker0 bridge: vi /etc/docker/daemon.json
{
"registry-mirrors": ["https://registry.docker-cn.com"],
"bip": "192.168.74.1/24",
"hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"]
}
systemctl daemon-reload
systemctl restart docker
Restart the docker server.
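A tcp:// entry in "hosts" with no "tlsverify" makes the Docker API answer unauthenticated requests from any host that can reach the port, and API access is equivalent to root on the docker host. The following added example (not from the original article) audits a daemon.json for that case; the function name and the certificate paths are placeholders.

```python
import json

# Constructed sample: the daemon.json shown above, which sets no TLS keys.
PAGE_CONFIG = """{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "bip": "192.168.74.1/24",
  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"]
}"""

# Constructed sample: listener on one address with mutual TLS (placeholder paths).
TLS_CONFIG = """{
  "hosts": ["tcp://192.168.74.1:2376", "unix:///var/run/docker.sock"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}"""

def audit_daemon_config(text):
    """Return a list of findings for the remote-API settings in a daemon.json."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and cfg.get("tlsverify") is not True:
        # Without tlsverify the daemon does not require client certificates.
        findings.append("tcp listener without tlsverify: API is unauthenticated")
    for h in tcp_hosts:
        addr = h[len("tcp://"):].rsplit(":", 1)[0]
        if addr in ("", "0.0.0.0", "[::]"):
            findings.append("listener bound to all interfaces: " + h)
    for mirror in cfg.get("registry-mirrors", []):
        if mirror.startswith("http://"):
            findings.append("registry mirror over plain http: " + mirror)
    return findings

if __name__ == "__main__":
    for name, sample in (("page config", PAGE_CONFIG), ("tls config", TLS_CONFIG)):
        print(name, audit_daemon_config(sample) or "no findings")
```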
Custom network mode:
Create a network
docker network create wbl --subnet 192.168.75.0/24 # by default the gateway is the first address of the network
docker run -tid --name t8800 --network wbl nginx:v.8800
Storage volumes
COW: copy on write, that is, when you modify data in the read-only layer, the data is first copied to the writable layer and then modified.
Delete data: the data in the read-only layer is marked as deleted, so it is no longer visible in the user layer.
Why use volumes:
Stopping and restarting a container does not affect its data, but deleting the container loses all of its changes. The data is stored in the union file system and is not easily accessed from the host. It is inconvenient to share data between containers.
Deleting the container loses its data
Solution: use a volume
Mount an external directory onto a container directory.
Volume types:
Manually specify both the container directory and the host directory and mount them
Manually specify only the container directory; docker automatically manages and mounts the host directory. /var/lib/docker/vfs/
With this type, if you delete the container and then start it again, the directory that docker mounts automatically may not be the same as last time, so the data is different.
Command:
docker run -it --name wbl123 -v /data nginx:v1.1 # -v specifies the container directory; docker automatically creates the volume on the host and mounts it
docker run -it -v hostdir:containerdir --name wbl123 nginx:v1.1 # both sides are specified manually; directories on both sides are created automatically if they do not exist; the format is host directory:container directory
docker inspect -f {{.Mounts}} wbl123 # view details; -f specifies a format and acts as a filter
docker run -it --rm --name wbl0 -v /data/wbl0:/data/wbl0 nginx-wbl:v8800 ls /data
Sharing volumes: copy the volumes of another container:
docker run -it --name wbl1 -v /wbl:/data nginx:v.1.1
docker run -it --name wbl3 --volumes-from wbl1 nginx:v.1.1
docker run -it --name wbl4 --network container:wbl --volumes-from wbl1 nginx:v.1.1 # a container can be used as the underlying container. It only needs to exist.
Dockerfile: the command is docker build # docker build -t wbl:v.1 .
Introduction:
There are three ways to change the configuration file of nginx: {1: modify it inside the container; 2: mount a volume from the host into the container; 3: make your own image}
There are two ways to make your own image: {1: make the image based on a container; 2: make the image based on a Dockerfile}
Dockerfile format: {instruction: parameter} # instructions are not case-sensitive, but by convention they are all written in uppercase.
Working logic:
Create a dedicated working directory wbl. The wbl directory must contain the file Dockerfile (the first letter must be capitalized, no suffix). All files needed must be placed in the wbl directory, not in the parent directory of wbl.
The hidden file .dockerignore lists directories and files to exclude, one per line; wildcards can be used.
docker build: based on the base image and the files in the wbl directory, a container is launched behind the scenes and a new image is made from it, just like making an image by hand.
Dockerfile instructions:
FROM: must be the first non-comment line of the dockerfile; it names the base image on which the image is made. All subsequent instructions run in the environment provided by this image. During docker build, the image is looked up locally on the host first; if it is not there, it is pulled from the docker hub registry.
Syntax:
FROM repository name:tag # no tag means latest
FROM repository name@digest # hash code, used for security
MAINTAINER: author information
LABEL: replaces MAINTAINER in higher versions
LABEL key=value # LABEL maintainer="wbl"
COPY: copies files from the current wbl directory of the host into the new image being created
COPY aaa /data/aaa2
COPY ["aaa", "/data/aaa2"]
# the destination should be an absolute path; otherwise COPY takes the path as starting from WORKDIR
# if the source is a directory, its subdirectories and files are copied recursively, but the directory itself is not copied
# if there are multiple sources or wildcards are used, the destination must be a directory and end with /
# if the destination directory does not exist, it is created automatically
ADD: similar to COPY, and also supports compressed packages and url paths.
For example:
ADD http://www.aaa.com/a.tar.gz /data/wbl/ # a.tar.gz is downloaded to the /data/wbl directory and is not expanded
ADD a.tar.gz /data/wbl/ # a.tar.gz is automatically decompressed and expanded into the /data/wbl directory
WORKDIR: /data/wbl # in ADD a.tar.gz ./ the workdir is equivalent to the root path
VOLUME: which path in the image is mounted from the host # VOLUME /data/wbl means that the /data/wbl directory in the container uses a volume on the host; view it with docker inspect
EXPOSE: specifies the ports to expose to the outside. Only after a port is specified here is it exposed when the container is started with -P. More than one port can be specified at a time
EXPOSE 11211/udp 11211/tcp # when no protocol is given, the default is tcp
ENV: defines environment variables
ENV key value # wbl=123. If value includes spaces, you can escape them, quote the value, or continue the line
ENV key=value # wbl 123456; 123456 is the value when the variable is referenced as ${wbl}
ENV DOC_ROOT=/data/wbl/ \
NAME=wbl
When starting the container, you can pass in variables:
docker run --name wbl --rm -P image name printenv # print environment variables
docker run --name wbl --rm -P -e NAME="WBL2" image name printenv
file --docker build {RUN}--> image --docker run {CMD}--> container
# RUN is the command run when the image is generated. After the image is generated, the commands in RUN are no longer executed when the container runs. CMD is executed then.
RUN: the commands you want to run while making the image, based on the base image environment.
Syntax:
RUN command
RUN ["command", "param1", "param2"]
RUN COMMAND1 && \
COMMAND2
RUN yum install -y lrzsz
Description: the first form is usually a shell command, run with "/bin/sh -c"; the process in the container is not pid 1 and cannot receive unix signals, so when docker stop stops the container, this process does not receive the signal. The second form is a json array, which is not run with /bin/sh -c.
So common shell operations such as wildcards don't work. If you want shell operations, you can use the following:
RUN ["/bin/bash", "-c", "command", "param1"]
CMD: similar to RUN; it specifies the program the container runs by default at startup, and the container terminates when that program finishes. The command specified by CMD is overridden by the command given to docker run. The difference from RUN: {1. the time of execution is different (RUN runs when docker build makes the image; CMD runs when docker run starts the container, by which time the commands in RUN have already generated a static image)}
Syntax:
CMD command
CMD ["command", "param1", "param2"]
CMD ["param1", "param2"]
The third form is used to provide default parameters for the ENTRYPOINT instruction.
ENTRYPOINT: similar to CMD, it specifies the default program for the container to run. Unlike CMD, the program started by ENTRYPOINT is not overridden by the arguments given to the docker run command; those arguments are passed to the program specified by ENTRYPOINT as parameters.
Note: docker run --entrypoint can override the program specified by ENTRYPOINT.
The arguments passed in by the docker run command override the contents of CMD and act as arguments to the ENTRYPOINT command.
A Dockerfile can contain multiple ENTRYPOINT instructions, but only the last one takes effect.
ENTRYPOINT ["ls"]
USER:
HEALTHCHECK: health check
HEALTHCHECK --interval=35s CMD curl http://ip:8090/test.html
--interval=35s # check interval, default: 30s
--timeout=35s # timeout, default: 30s
--start-period=15s # start the check 15 seconds after the container starts, default: 0s
--retries=2 # number of retries, default: 3
The command returns a value of: 0: success, 1: unhealthy, 2: reserved, do not use
Example:
HEALTHCHECK --interval=5m --timeout=3s \
CMD curl http://ip:8090/test.html || exit 1
SHELL: specifies the shell used, default /bin/sh -c
STOPSIGNAL:
Syntax: STOPSIGNAL 9 # default is 15
ARG: used to pass parameters at build time
ARG aaa
ENV WBL2=${aaa:-/data/wbl1/wbl2}
docker build --build-arg aaa="/data/wbl1/wbl3" -t image name:v.1.1 ./
ONBUILD: defines a trigger in a dockerfile. Triggers added when making an image with a dockerfile fire when others use this image as the base image of another dockerfile. All instructions except FROM, MAINTAINER and ONBUILD can be used.
Such images are tagged with names such as ruby:2.0-onbuild
Note: when using ADD or COPY, be careful that other people may not have that file.
Syntax: ONBUILD COPY a b # the command is a dockerfile instruction.
Example:
[root@izj6chmozc373fzvc4vs9sz build-image]# cat Dockerfile
FROM nginx-wbl:v8800
MAINTAINER wbl:test.1
ARG AAA
ENV WBL2=${AAA:-/data/wbl1/wbl2}
RUN mkdir -pv $WBL2
# VOLUME $WBL2
COPY h.txt $WBL2
ADD zzz.tar.gz $WBL2
CMD ["/bin/sh"]
# ENTRYPOINT ["ls"]
[root@izj6chmozc373fzvc4vs9sz build-image]# ls
Dockerfile h.txt zzz.tar.gz
[root@izj6chmozc373fzvc4vs9sz build-image]# docker build -t nginx-wbl:v8801 .
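Several of the instructions described above carry a supply-chain or runtime consequence: FROM by tag instead of digest, ADD from a url, shell-form CMD/ENTRYPOINT, and a missing USER. The following added example (not from the original article) lints a Dockerfile for those four points; the function names and the sample file are constructed for illustration.

```python
import json
import re

# Constructed sample: the Dockerfile above plus a URL ADD and a shell-form CMD.
SAMPLE = """\
FROM nginx-wbl:v8800
ARG AAA
ENV WBL2=${AAA:-/data/wbl1/wbl2}
RUN mkdir -pv $WBL2
ADD http://www.aaa.com/a.tar.gz /data/wbl/
ADD zzz.tar.gz $WBL2
CMD nginx -g "daemon off;"
"""

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def is_exec_form(args):
    """True when the arguments are a JSON array, so no /bin/sh -c wrapper is used."""
    try:
        return isinstance(json.loads(args), list)
    except ValueError:
        return False

def lint_dockerfile(text):
    """Return (line_number, message) findings; backslash continuations are not joined."""
    findings, user_set = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        instr, args = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        words = [w for w in args.split() if not w.startswith("--")]
        if instr == "FROM":
            user_set = False  # each build stage starts with the base image's user
            image = words[0] if words else ""
            if image != "scratch" and not DIGEST.search(image):
                findings.append((no, "FROM not pinned by digest: " + image))
        elif instr == "ADD":
            remote = any(w.startswith(("http://", "https://")) for w in words)
            if remote and "--checksum=" not in args:
                findings.append((no, "ADD downloads a URL without --checksum"))
        elif instr == "USER":
            user_set = args.split(":")[0] not in ("", "root", "0")
        elif instr in ("CMD", "ENTRYPOINT") and not is_exec_form(args):
            findings.append((no, instr + " in shell form: wrapped in /bin/sh -c"))
    if not user_set:
        findings.append((0, "final stage sets no non-root USER"))
    return findings

if __name__ == "__main__":
    for line_no, message in lint_dockerfile(SAMPLE):
        print(line_no, message)
```

Line number 0 marks a finding about the file as a whole rather than one instruction.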
The above is a summary of the docker system. The content is fairly comprehensive, and some of these points are likely to come up in daily work. I hope you can learn more from this article.