2025-01-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Introduction to Docker:

Container technology is a virtualization solution. Examples of container tooling: Docker, k8s.

Docker is an open source engine that automatically deploys developed applications into containers.
GitHub address: https://github.com/docker/docker
Docker official website: www.docker.com
hub.docker.com is used to upload and download Docker images.

What is special about Docker: Docker adds an application deployment engine on top of the virtualized container execution environment. The goal of the engine is to provide a lightweight, fast environment that can run developers' programs and make it convenient and efficient to deploy from the development environment to the test environment and then to the production environment.

The advantages of Docker:
1. Simple, lightweight modeling; containers start in seconds.
2. Logical separation of responsibilities. Developers only need to care about the programs running in the container, while operators only need to care about how to manage the programs. Docker is designed to improve the consistency between the development environment where developers write code and the production environment where the application is deployed.
3. A fast and efficient development life cycle. Docker shortens the cycle from development to testing to running online and makes applications portable: they are developed in a container and delivered in the form of a container.
4. Encourages service-oriented architecture. Docker recommends that a single container run only one program or one process. This forms a distributed application model in which applications or services are represented as a series of interconnected containers, which makes it very easy to extend or debug distributed applications. This is the common development idea of high cohesion and low coupling.

Usage scenarios of Docker:
1. Develop, test and deploy services using Docker containers.
2. Create isolated operating environments.
3. Build test environments.
4. Build multi-user platform as a service (PaaS) infrastructure.
5. Provide software as a service (SaaS) applications.
6. High-performance, very-large-scale host deployment.

Three core concepts: build (image-based construction of containers), transport, and run (the system running in the container).

Docker installation:

Note: the CentOS virtual machine must be connected to the network; otherwise Docker cannot be installed.

1. Configure the repo repository

    cd /etc/yum.repos.d/
    vi docker.repo

    [dockerrepo]
    name=Docker Repository
    baseurl=https://yum.dockerproject.org/repo/main/centos/$releasever/
    enabled=1
    gpgcheck=1
    gpgkey=https://yum.dockerproject.org/gpg

    yum clean all
    yum makecache

2. Install Docker

    yum -y install docker

Check whether the installation succeeded:

    docker version

3. Start Docker and enable it at boot

    systemctl start docker
    systemctl enable docker
    docker version

At this point, the Docker installation is complete and the service has started successfully.

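Docker image operation:

There are three ways to get an image:
1) Download an image (from Docker Hub by default)
2) Convert a container to an image
3) Create an image (generate an image from a Dockerfile)

Find an image (queries Docker Hub by default):

    docker search httpd    # find all httpd-related images

Download an image (from Docker Hub by default):

    docker pull docker.io/httpd

View the list of local images:

    docker images                  # list all images (a repository name and tag can be appended to query one image)
    docker inspect 2211e1f06c4e    # view details by image ID; docker.io/httpd can be given instead

REPOSITORY: the repository the image comes from, for example docker.io
TAG: the tag of the image
IMAGE ID: the ID of the image
CREATED: the creation time of the image
SIZE: the size of the image

Add a new name and a new tag (this is how an image is renamed):

    docker tag httpd httpd:centos

Delete an image. Before deleting an image, make sure it is not used by a container. If any container uses it, delete the container first.

    docker rmi image name or image ID    # may remove only the name without actually deleting the image
    docker rmi -f image ID               # permanently delete
    docker rmi -f $(docker images | grep "<none>" | awk '{print $3}')    # delete all unused images

Save an image to a file and load it back:

    docker save -o httpd httpd    # save the local image httpd as a file named httpd in the current directory
    docker save -o file name image name
    docker load < cobbler         # import the image file into Docker's images

Summary:
Image operation:
Search: docker search keyword
Download: docker pull keyword
List: docker images
View image details: docker inspect image name (ID)
Delete: docker rmi image name (ID)
Export an image: docker save -o file name image name (ID)
Import an image: docker load < saved file
Change image name and tag: docker tag image id new image name:tag

Docker container operation:

A container is a running instance of an image. The difference is that an image is a static, read-only file, while a container carries the writable file layer it needs at run time. If a virtual machine is a complete simulated operating system (including the kernel, the application runtime environment and other system environments) plus the applications running on it, then a Docker container is one application (or a group of applications) running independently, together with the runtime environment it requires.

Operating on a container is as simple and fast as operating on the application directly. Docker containers are so lightweight that users can create or delete them at any time.

1. Create a container

Use the docker create command to create a container, for example:

    docker create -it ubuntu:latest    # create a container from an image; it is not running by default
    docker ps -a                       # list all containers

A container created with docker create is in the stopped state; use docker start to start it.

The create command and the run command described later support a large and complex set of options, in three main groups: options related to the container's run mode, options related to the container and its environment configuration, and options related to resource limits and security protection.

create options related to the container's run mode:

Option    Description
-a, --attach=[]    Whether to attach to standard input, output and error
-d, --detach=true|false    Whether to run the container in the background; default is false
--detach-keys=""    Key sequence for leaving attach mode
--expose=[]    Ports or port ranges the container will expose
--group-add=[]    User groups the container runs with
-i, --interactive=true|false    Keep standard input open; default is false
--ipc=""    IPC namespace of the container; can be another container's or the host's
--isolation="default"    Isolation mechanism used by the container
--log-driver="json-file"    Log driver type of the container; can be json-file, syslog, journald, gelf, fluentd, awslogs, splunk, etwlogs, gcplogs or none
--log-opt=[]    Options passed to the log driver
--net="bridge"    Network mode of the container: bridge, none, another container's network, the host's network, or an existing network
--net-alias=[]    Alias of the container on the network
-P, --publish-all=true|false    Automatically map the ports the container marks as exposed to ephemeral ports on the local host through NAT
-p, --publish=[]    How to map to local host ports, for example -p 11234-12234:1234-2234
--pid=host    PID namespace of the container
--userns=""    User namespace mode when userns-remap is enabled
--uts=host    UTS namespace of the container
--restart="no"    Restart policy of the container: no, on-failure[:max-retry], always, unless-stopped, etc.
--rm=true|false    Whether to delete the container automatically after it exits; cannot be used together with -d
-t, --tty=true|false    Allocate a pseudo-terminal for the container
--tmpfs=[]    Mount a temporary file system into the container
-v|--volume host-dir:container-dir    Mount a file volume from the host into the container
--volume-driver=""    Driver type for mounted volumes
--volumes-from=[]    Mount volumes from other containers
-w, --workdir=""    Default working directory inside the container

create options related to the container environment and configuration:

Option    Description
--add-host=[]    Add a hostname-to-IP-address mapping inside the container (through the /etc/hosts file)
--device=[]    Map a device on the physical machine into the container
--dns-search=[]    DNS search domains
--dns-opt=[]    Custom DNS options
--dns=[]    Custom DNS servers
-e, --env=[]    Set environment variables inside the container
--env-file=[]    Read environment variables into the container from a file
-h, --hostname=""    Hostname inside the container
--ip=""    IPv4 address of the container
--ip6=""    IPv6 address of the container
--link=[:alias]    Link to another container
--mac-address=""    MAC address of the container
--name=""    Alias (name) of the container

create options related to resource limits and security protection:

Option    Description
--blkio-weight=10~1000    I/O performance weight for the container's reads and writes to block devices; default is 0
--blkio-weight-device=[device_name:weight]    I/O performance weight for individual block devices
--cpu-shares=0    Relative weight of CPU resources the container may use; by default a container can use a full CPU core
--cap-add=[]    Add the specified Linux capabilities to the container
--cap-drop=[]    Remove the specified Linux capabilities from the container
--cgroup-parent=""    Path under which the container's cgroup limits are created
--cidfile=""    Write the container's process ID number to the specified file
--cpu-period=0    Limit the container's CPU time slice under the CFS scheduler
--cpuset-cpus=""    Limit which CPU cores the container can use
--cpuset-mems=""    Which cores' memory to use on NUMA architectures
--device-read-bps=[]    Limit the read throughput (in bps) of a mounted device
--device-write-bps=[]    Limit the write throughput (in bps) of a mounted device
--device-read-iops=[]    Limit the read rate (in I/O operations per second) of a mounted device
--device-write-iops=[]    Limit the write rate (in I/O operations per second) of a mounted device
--kernel-memory=""    Limit the kernel memory the container can use; the unit can be b, k, m or g
-m, --memory=""    Limit the memory used by applications in the container; the unit can be b, k, m or g
--memory-reservation=""    When system memory runs low, the container is forced down to the given value; by default equal to the memory limit
--memory-swap="LIMIT"    Limit the total of memory and swap the container can use
--oom-kill-disable=true|false    Whether to kill the container when memory is exhausted (out-of-memory)
--oom-score-adj=""    Adjust the container's out-of-memory parameter
--pids-limit=""    Limit the number of pids in the container
--privileged=true|false    Whether to give the container elevated privileges, which means applications in the container are no longer subject to permission restrictions; generally not recommended
--read-only=true|false    Whether to make the file system inside the container read-only
--security-opt=[]    Security parameters, including permissions, capabilities, apparmor, etc.
--stop-signal=SIGTERM    System signal used to stop the container
--shm-size=""    Size of /dev/shm
--sig-proxy=true|false    Whether to proxy received signals to the application; default is true; SIGCHLD, SIGSTOP and SIGKILL cannot be proxied
--memory-swappiness="0-100"    Adjust the container's memory swappiness parameter
-u, --user=""    User under which commands run inside the container
--ulimit=[]    Limit the maximum number of files, maximum number of processes, etc. through ulimit

Other important options include:
-l, --label=[]: set the container's label information as key-value pairs;
--label-file=[]: read label information from a file.

2. Start a container

Use docker start to start a container that has already been created:

    docker start container ID    # start the container
    docker stop container ID     # stop the container

States of a Docker container:
Up: running
Exited: terminated
Created: created
(Paused): paused
No status shown: stopped

    docker pause centos/httpd      # pause the container
    docker unpause centos/httpd    # resume the paused container
    docker stop centos/httpd       # stop the specified container

3. Create and start a container

Besides creating a container and then starting it with start, you can create and start a container in one step. The command is docker run, which is equivalent to running docker create followed by docker start.

    docker run centos/lamp /bin/bash -c "ls /"    # create the container, start it and run the program; the container stops when the command finishes

Start a bash terminal that the user can interact with:

    docker run -it ubuntu:14.04 /bin/bash
    root@af8bae53bdd3:/#

Here -t makes Docker allocate a pseudo-terminal (pseudo-tty) and bind it to the container's standard input, and -i keeps the container's standard input open. More options are listed in man docker-run. In interactive mode, the user enters commands through the terminal that was created.

4. Run in daemon mode

More often, a Docker container needs to run in the background as a daemon (daemonized). Add the -d parameter for this. The following command runs a container in the background:

    docker run -d ubuntu /bin/sh -c "while true; do echo hello world; sleep 1; done"

Enter a running container to operate on it:

    docker exec -it container id /bin/bash

Ways to leave the container:
1. Type exit
2. Press Ctrl+p, Ctrl+q to return to the host console

Attach to the container's session:

    docker attach container id

Export a container to a file:

    docker export 13198d132fbe > Centoslamp    # export the specified container to a file named Centoslamp, which is a Docker image file

Generate an image from the container file:

    docker import file name image name:tag

Delete containers:

    docker rm d4e863a654aa                      # delete the specified container
    docker rm -f d4e863a654aa                   # force the deletion of a running container; not recommended
    docker container prune                      # delete all stopped containers
    docker rm $(docker ps -qf status=exited)    # delete containers in the specified state

Extensions: hardware resources

1. Display container hardware resource usage

    docker stats [option] [0 or more running containers]

docker stats displays all running containers when no container is specified.

2. Update the hardware resource limits of a container

    docker update [option]

This may report an error; if it does, edit the kernel command line:

    vi /etc/default/grub
    GRUB_CMDLINE_LINUX="... cgroup_enable=memory swapaccount=1"

3. Use the stress test tool stress to verify the effect

Using the existing stress image progrium/stress, open two terminals and run the following command in one of them:

    docker run -m 100m --rm -it progrium/stress --cpu 2 --io 1 --vm 10 --vm-bytes 9m

Run docker stats in the other terminal for monitoring, then open another terminal to run the update below. 9eb0 is the beginning of the container id; replace it according to the actual situation. The memory limit can only be increased, not reduced.

    docker update -m 200m 9eb0

Summary: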
Container operation:
Create: docker create -it image name (ID) /bin/bash
Start container: docker start container name (ID)
Stop container: docker stop container name (ID)
Pause: docker pause container name (ID)
Unpause: docker unpause container name (ID)
Delete: docker rm -f container name (ID)
Delete all stopped containers: docker container prune
View container details: docker inspect container id
View the list of containers: docker ps -a
Create and run: docker run -itd image id /bin/bash
Save the container to a file: docker export container id > file name
Import container file into image: docker import file name image name:tag
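
As an added example (not code from the original article), the following Python script reads `docker inspect` output and reports which of the resource-limit and security options from the create tables above were left at permissive values on a container. The sample JSON is constructed for illustration and the container names are made up; on a real host the input would come from `docker inspect $(docker ps -q)`.

```python
import json

# Constructed sample shaped like `docker inspect` output, trimmed to the
# fields checked below. Container names and values are made up.
SAMPLE_INSPECT = json.loads("""
[{"Name": "/web-loose", "Config": {"User": ""},
  "HostConfig": {"Privileged": true, "ReadonlyRootfs": false,
                 "CapAdd": ["SYS_ADMIN"], "CapDrop": null, "Memory": 0,
                 "PidsLimit": null, "NetworkMode": "host", "PidMode": "host"}},
 {"Name": "/web-tight", "Config": {"User": "1000:1000"},
  "HostConfig": {"Privileged": false, "ReadonlyRootfs": true,
                 "CapAdd": null, "CapDrop": ["ALL"], "Memory": 104857600,
                 "PidsLimit": 100, "NetworkMode": "brnet2", "PidMode": ""}}]
""")


def audit_container(container):
    """Return (option, finding) pairs for one `docker inspect` object."""
    hc = container.get("HostConfig") or {}
    user = (container.get("Config") or {}).get("User") or ""
    findings = []

    def flag(option, text):
        findings.append((option, text))

    if hc.get("Privileged"):
        flag("--privileged", "container has elevated privileges on the host")
    if hc.get("CapAdd"):
        flag("--cap-add", "added capabilities: " + ", ".join(hc["CapAdd"]))
    if "ALL" not in [c.upper() for c in (hc.get("CapDrop") or [])]:
        flag("--cap-drop", "default capabilities kept; consider --cap-drop=ALL")
    if not hc.get("ReadonlyRootfs"):
        flag("--read-only", "container file system is writable")
    if not hc.get("Memory"):            # 0 means no memory limit
        flag("--memory", "no memory limit set")
    if (hc.get("PidsLimit") or 0) <= 0:  # null, 0 and -1 all mean unlimited
        flag("--pids-limit", "no limit on the number of processes")
    if hc.get("NetworkMode") == "host":
        flag("--net", "shares the host network stack")
    if hc.get("PidMode") == "host":
        flag("--pid", "shares the host PID namespace")
    if user.split(":")[0] in ("", "0", "root"):
        flag("--user", "runs as root inside the container")
    return findings


def audit_all(inspect_output):
    """Map container name -> list of option names that need attention."""
    return {c["Name"].lstrip("/"): [opt for opt, _ in audit_container(c)]
            for c in inspect_output}


if __name__ == "__main__":
    for c in SAMPLE_INSPECT:
        print(c["Name"].lstrip("/"))
        for opt, text in audit_container(c) or [("ok", "nothing flagged")]:
            print(f"  {opt:14} {text}")
```
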
Docker network:

By coverage, Docker networking can be divided into container networks on a single host and networks that span multiple hosts. When Docker is installed, three networks are automatically created on the host. Use docker network ls to list them: none, host, and bridge. Each is described below, together with custom networks.

1. none network

Under the none network a container has nothing but the lo network card. When creating a container, use --network=none to select the none network.

Normally, without specifying a network, the container gets: eth0 inet addr:172.17.0.7

With the network set to none:

    docker run -it --network=none --name network1 busybox

The container has only one lo network card.

What is the use of such a closed network? It can be used for applications with high security requirements that do not need networking. For example, a container whose only purpose is to generate random passwords can be placed in the none network to prevent the passwords from being stolen. Most containers, however, need a network.

2. host network

Containers connected to the host network share the network stack of the Docker host. The network configuration of the container is exactly the same as that of the host. Select the host network with:

    docker run -it --network=host --name network2 busybox

Inside the container, even the hostname is that of the real machine.

What is the usage scenario of the host network? Its biggest benefit is performance: if the container requires high network transmission efficiency, you can choose the host network. It also has a disadvantage: less flexibility. For example, port conflicts have to be considered, because a port already in use on the Docker host cannot be used by the container. Another use of the host network is to let the container configure the host's network directly. For example, some cross-host network solutions also run as containers, and these solutions need to configure the network, such as iptables.

3. bridge network

When Docker is installed, a Linux bridge named docker0 is created. If --network= is not specified, a container is attached to docker0 by default. Use the "brctl show" command to view the bridge.

Bridged network cards: eth0 in the container -> veth9cfd9f7 -> bridge docker0 on the real machine.

Note: the interfaces column lists the virtual network cards of the containers. If the container is stopped, there is no network card information; the interface only appears while a container is running. For example, the interfaces column shows veth58a8eca.

Inside the container, the network card is eth0. eth0 and veth58a8eca are a veth pair. A veth pair is a special network device that always appears in pairs; you can think of it as a pair of network cards connected by a virtual network cable. One end is called eth0@if315 and is inside the container, and the other end, veth58a8eca, is attached to docker0. The effect is the same as attaching eth0@if315 to docker0.

eth0@if315 is configured with the IP 172.17.0.2/16. Run another container and check its IP: the new container continues with 172.17.0.3 rather than getting a separate network segment. Why are all containers in the 172.17.0 network segment? The network configuration can be seen with docker network inspect bridge: the subnet is 172.17.0.0/16 and the gateway is 172.17.0.1. Where does this gateway come from? On the host, the IP of docker0 is 172.17.0.1, so the gateway is docker0.

4. Custom network

Docker's bridge network is used by default, and users can also create user-defined networks according to their own business needs. Docker provides three user-defined network drivers: bridge, overlay and macvlan. overlay and macvlan are used to create cross-host networks.

Use the bridge driver to create a network similar to the default bridge docker0:

    docker network create --driver bridge brnet1

brctl show shows that a new bridge, br-32a5cb322311, has been added. 32a5cb322311 is the ID of the newly created brnet1 network. docker network inspect brnet1 shows that the subnet of brnet1 is 172.18.0.0/16 and the gateway is 172.18.0.1.

The 172.18.0.0/16 segment here is assigned automatically by Docker. You can also specify your own network segment and gateway with --subnet and --gateway:

    docker network create --driver bridge --subnet 192.168.2.0/24 --gateway 192.168.2.1 brnet2

For a container to use the new network, specify it with --network= when running the container. A static IP address can be set with --ip:

    docker run -it --network=brnet2 --ip 192.168.2.222 busybox

Note: only networks created with --subnet can be given static IPs. It is best not to put the container network in the same IP address range as the host, otherwise the host's networking will be disturbed. If that happens, use docker network rm to delete the bridge.

Summary:
Create a container using the specified network:
docker run -it --network bridge image id /bin/bash
Docker network view:
docker network ls
Create a docker network:
docker network create --driver=bridge customized network name
Create a docker network and customize the network segments and gateways that can be assigned:
docker network create --driver=bridge --subnet 192.168.80.0/24 --gateway 192.168.80.1 customized network name
Create a container using the specified network and assign a static IP address:
docker run -it --network network name (custom) --ip 192.168.80.100 image name /bin/bash
Note: static IP addresses can be assigned only if the network segment is customized and specified using "--subnet"
View the details of the docker network:
docker network inspect network name
Delete the docker network:
docker network rm network name
Port mapping:

1. Container access to the external network

By default, a container's gateway is the docker0 internal interface on the docker0 bridge. The docker0 internal interface is also a local interface of the host, so the container can access the host by default. For the container to reach the external network through the host, the host must forward packets.

    sysctl net.ipv4.ip_forward    # check whether forwarding is enabled; 1 means enabled
    net.ipv4.ip_forward = 1

If the value is 0, forwarding is not enabled and you need to enable it manually:

    sysctl -w net.ipv4.ip_forward=1

A simpler way is to set --ip-forward=true when starting the Docker service; the Docker service then turns on forwarding on the host system automatically.

2. Port mapping

Network applications can run in a container. To make these applications accessible from outside, specify a port mapping with the -P (uppercase) or -p (lowercase) parameter.

1) With the -P flag, Docker randomly maps a port in the range 49000-49900 to the network port opened by the container.
2) -p (lowercase) specifies the IP and port to map, but only one container can be bound to a given port. The supported formats are:

hostPort:containerPort (maps on all interface addresses)
Map local port 5000 to container port 5000. By default this binds all addresses on all local interfaces.

    docker run -d -p 5000:5000 training/webapp /bin/bash

ip:hostPort:containerPort (maps on a specific address)
Use a specific address for the mapping, such as the localhost address 127.0.0.1.

    docker run -d -p 127.0.0.1:5000:5000 training/webapp /bin/bash

ip::containerPort (maps any port of the specified address)
Bind any port of localhost to port 5000 of the container; the local host assigns the port automatically.

    docker run -d -p 127.0.0.1::5000 training/webapp /bin/bash

The udp tag can also be used to specify a UDP port:

    docker run -d -p 127.0.0.1:5000:5000/udp training/webapp /bin/bash

View the mapped port configuration: use docker port to view the currently mapped ports and the bound address. The mapping is also shown by:

    docker ps -a    # shows host port -> container port

Note: the container has its own internal network and IP address (all of these variables can be obtained with docker inspect, and Docker can also have a variable network configuration).

The -p flag can be used multiple times to bind multiple ports, for example:

    docker run -d -p 5000:5000 -p 3000:80 training/webapp /bin/bash

Container interconnection:
1. The two containers must be on the same network segment, on the same network.
2. DNS: DNS can only be used with a custom network and a custom network segment.

How to make containers on two different network segments ping each other:

1. Add routing. If the host has a route for each network and IP forwarding is turned on in the operating system, the host acts as a router and networks attached to different bridges can ping each other. Check on the host whether this condition is met:

    ip r    # look at the routing table on the host

Turn on route forwarding.

CentOS 7:

    vi /etc/sysctl.conf
    net.ipv4.ip_forward = 1

CentOS 6:

    echo 1 > /proc/sys/net/ipv4/ip_forward

Then:

    sysctl -p
    cat /proc/sys/net/ipv4/ip_forward    # see if it is 1

However, iptables DROPs the bidirectional traffic between bridge docker0 and br-5d863e9f78b6. From the rule name DOCKER-ISOLATION we can see that Docker is designed to isolate different networks.

2. Solve the problem by adding a new network card to the container with docker network connect:

    docker network connect brnet2 container ID
    docker network connect --ip 192.168.2.22 brnet2 container ID

docker network connect adds the network card eth2 to the container and lets this network card use the other bridge. Now containers on different bridges can communicate.
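
The -p formats listed in the port mapping section, as an added example that is not part of the original article: a Python parser that splits a publish value into address, host port, container port and protocol, and reports whether the host side listens on all interfaces, on loopback only, or on one specific address. It also accepts the port-range form from the create options table and bracketed IPv6 addresses, which goes beyond the three formats listed in this section.

```python
import ipaddress


def _check_port(value, allow_empty=False):
    """Accept one port or a lo-hi range, each number within 1..65535."""
    if value == "" and allow_empty:
        return
    nums = [int(p) for p in value.split("-")]  # int() raises ValueError on junk
    if len(nums) > 2 or not 1 <= nums[0] <= nums[-1] <= 65535:
        raise ValueError(f"bad port or range: {value!r}")


def parse_publish(spec):
    """Parse one -p value: [ip:][hostPort:]containerPort[/protocol]."""
    body, _, proto = spec.partition("/")
    proto = proto or "tcp"
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError(f"unknown protocol in {spec!r}")
    if body.startswith("["):  # IPv6 host address, e.g. [::1]:8080:80
        addr, sep, rest = body[1:].partition("]")
        if not sep or not rest.startswith(":"):
            raise ValueError(f"malformed IPv6 address in {spec!r}")
        fields = [addr] + rest[1:].split(":")
    else:
        fields = body.split(":")
    if len(fields) > 3:
        raise ValueError(f"too many fields in {spec!r}")
    # Missing leading fields mean "any address" and "any free host port".
    host_ip, host_port, ctr_port = [""] * (3 - len(fields)) + fields
    _check_port(host_port, allow_empty=True)
    _check_port(ctr_port)
    if host_ip in ("", "0.0.0.0", "::"):
        exposure = "all-interfaces"      # reachable from every network the host is on
    elif ipaddress.ip_address(host_ip).is_loopback:
        exposure = "loopback"            # reachable only from the host itself
    else:
        exposure = "specific-address"
    return {"host_ip": host_ip, "host_port": host_port,
            "container_port": ctr_port, "protocol": proto,
            "exposure": exposure}


# Publish values taken from this article, plus an IPv6 form (constructed).
SAMPLE_SPECS = ["5000:5000", "127.0.0.1:5000:5000", "127.0.0.1::5000",
                "127.0.0.1:5000:5000/udp", "11234-12234:1234-2234",
                "[::1]:8080:80"]


def exposed_everywhere(specs):
    """Return the specs whose host side is reachable on every interface."""
    return [s for s in specs if parse_publish(s)["exposure"] == "all-interfaces"]


if __name__ == "__main__":
    for s in SAMPLE_SPECS:
        r = parse_publish(s)
        print(f"{s:28} {r['exposure']:16} {r['protocol']}")
```
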