
Docker installation and some operations

2025-04-02 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Introduction

What is a container?

Container technology is a virtualization solution.

A traditional virtual machine runs one or more independent machines on the hardware through an intermediate layer (the hypervisor).

A container, by contrast, runs directly on top of the system kernel, in user space.

Container virtualization is therefore also called operating-system-level virtualization.

Because it runs on the host operating system, a container can only run operating systems with the same or a similar kernel.

Container: docker, k8s

What is docker?

Docker is an open source engine that automatically deploys developed applications to containers.

Github address: https://github.com/docker/docker

Docker is an open source container engine from Docker Inc., originally based on LXC technology. The source code is hosted on GitHub, written in Go, and released under the Apache 2.0 license.

Docker provides container resource isolation and security through kernel virtualization technology: namespaces and cgroups (control groups). Because Docker isolates at the operating system layer, a Docker container does not need the additional operating system overhead of a virtual machine (VM), which improves resource utilization.

Note: the kernel referred to here is the Linux kernel.

Docker official website: www.docker.com

hub.docker.com is the website for uploading and downloading Docker images.

What makes docker special:

Docker adds an application deployment engine to the virtualized container execution environment.

The target of the engine:

Provide a lightweight and fast environment that can run developers' programs, facilitate convenient and efficient deployment from the developer environment to the test environment, and then deploy to the production environment.

Advantages of docker:

1. Provides a simple and lightweight modeling method; a container starts in seconds.

2. Logical separation of responsibilities. Developers only need to care about the programs running in the container, while operators only need to care about how to manage them.

The purpose of Docker's design is to increase consistency between the development environment where developers write code and the production environment where the application is deployed.

3. Fast and efficient development life cycle.

Shorten the life cycle of code from development to testing to running online. Make applications and programs portable. Developed in a container and delivered in the form of a container.

4. Encourages the use of a service-oriented architecture.

Docker recommends that a single container run only one program or one process. This forms a distributed application model.

In this model, applications or services can be represented as a series of interconnected containers, which makes it very easy for distributed interconnected programs to extend or debug applications.

This is the idea commonly used in development: high cohesion and low coupling.

Usage scenarios of docker:

1. Develop, test and deploy services using docker containers

2. Create an isolated operating environment

3. Set up the test environment

4. Build multi-user platform-as-a-service (PaaS) infrastructure

5. Provide software-as-a-service (SaaS) applications

6. High-performance, very large-scale host deployment

Three core ideas:

Build a container from an image

Ship it to the target system

Run it as a container

In short: build a container, put it somewhere, and run it.

Docker runs an application (APP), which can be tomcat, nginx, apache and other services.

Docker composition:

1. Docker client / daemon

C/S architecture (client/server):

Docker client

Docker server (daemon)

B/S architecture (browser/server, i.e. web architecture):

Web page

Server

Generally the client is used to interact with the server.

2. Docker components:

Image

The cornerstone of the Docker container. A container starts and runs based on an image, which is like the container's source code: it stores everything needed to start the container.

Images are layered, read-only file systems combined by a union mount:

At the bottom is the boot file system, bootfs. In fact, once a container has started, the boot file system is unmounted.

The second layer is the root file system, rootfs, which sits on top of bootfs. It can consist of one or more file systems.

Container (Container)

Warehouse (Repository)

Public warehouse docker hub

Private warehouse

Install docker in the centos version:

It is recommended to install Docker in a Linux environment; setting up Docker on Windows is complicated and error-prone. CentOS 7 with yum is a convenient way to install Docker, an operating-system-level virtualization tool that automatically deploys applications in containers. The Docker package is already included in the default CentOS-Extras repository, so installing it only takes the yum commands below. Note: the CentOS virtual machine must have network access, otherwise the installation cannot proceed.

1. Configure the repo:

cd /etc/yum.repos.d/
vi docker.repo

[dockerrepo]
name=Docker Repository
baseurl=https://yum.dockerproject.org/repo/main/centos/$releasever/
enabled=1
gpgcheck=1
gpgkey=https://yum.dockerproject.org/gpg

2. Install Docker:

yum -y install docker

Check that the installation worked:

docker version

3. Start Docker and enable it at boot:

systemctl enable docker
systemctl start docker

At this point the Docker installation is complete and the daemon is running.

Image operations:

docker search httpd // find all httpd-related images (Docker Hub is queried by default)
docker pull httpd // download an image
docker images // list all local images (you can also filter by repository name and tag)
docker inspect 2211e1f06c4e // view the details of the image with this ID

Column descriptions: REPOSITORY is the image's repository source (docker.io); TAG is the image's tag; IMAGE ID is the image's ID; CREATED is the image's creation time; SIZE is the image's size.

Give an image a new name and tag (rename):

docker tag httpd httpd:centos

Before deleting an image, make sure no container uses it. If a container does, delete the container first.

docker rmi image-name (or image-ID) // delete an image; if only a name is given and the image has other names, just that name (tag) is removed
docker rmi -f image-ID // force delete
docker rmi -f $(docker images | grep "" | awk '{print $3}') // delete all unused images

Save images to files and load them back:

docker save -o httpd httpd // save the local image httpd as a file named httpd in the current directory
docker save -o file-name image-name
docker load < cobbler // import an image file into the local image store

Summary of image operations:

search: docker search keyword
download: docker pull keyword
list: docker images
view image details: docker inspect image-name (ID)
delete: docker rmi image-name (ID)
export image: docker save -o saved-file-name image-name (ID)
import image: docker load < saved-file
change image name and tag: docker tag image-ID new-image-name:tag

Docker container operations

A container is a running instance of an image. The difference is that an image is a static, read-only file, while a container carries the writable file layer needed at runtime. If a virtual machine is thought of as a complete simulated operating system (kernel, application runtime environment and other system environment) plus the applications running on it, then a Docker container is one (or a group of) independently running applications together with the runtime environment they require.

Creating containers: operating on a container is as simple and fast as operating on the application directly. Docker containers are so lightweight that users can create or delete them at any time.

1. Create a new container

Use the docker create command to create a new container, for example:

$ docker create -it ubuntu:latest // create a container from an image; it is not running by default
$ docker ps -a // list all containers

A container created with docker create is in the stopped state; use docker start to start it. The options supported by the create command, and by the run command later on, are quite complex and fall into three main groups: options related to the container's run mode, options related to the container's environment and configuration, and options related to resource limits and security protection.

create options related to the run mode:

-a, --attach=[]: whether to attach to standard input, output and error
-d, --detach=true|false: whether to run the container in the background; default false
--detach-keys="": key sequence for leaving attach mode
--expose=[]: ports or port ranges the container exposes
--group-add=[]: supplementary groups for the container's user
-i, --interactive=true|false: keep standard input open; default false
--ipc="": the container's IPC namespace; can be another container's or the host's
--isolation="default": isolation mechanism used by the container
--log-driver="json-file": log driver type: json-file, syslog, journald, gelf, fluentd, awslogs, splunk, etwlogs, gcplogs or none
--log-opt=[]: options passed to the log driver
--net="bridge": container network mode: bridge, none, another container's network, the host network, or an existing network
--net-alias=[]: alias of the container on the network
-P, --publish-all=true|false: automatically map the container's exposed ports to ephemeral ports on the local host via NAT
-p, --publish=[]: how to map to local host ports, for example -p 11234-12234:1234-2234
--pid=host: the container's PID namespace
--userns="": user namespace mode when userns-remap is enabled
--uts=host: the container's UTS namespace
--restart="no": restart policy: no, on-failure[:max-retry], always, unless-stopped
--rm=true|false: automatically remove the container after it exits; cannot be combined with -d
-t, --tty=true|false: allocate a pseudo-terminal
--tmpfs=[]: mount a temporary file system into the container
-v, --volume host-dir:container-dir: mount a host directory into the container
--volume-driver="": volume driver type
--volumes-from=[]: mount volumes from other containers
-w, --workdir="": default working directory inside the container

create options related to environment and configuration:

--add-host=[]: add a hostname-to-IP mapping inside the container (via /etc/hosts)
--device=[]: map a device on the physical host into the container
--dns-search=[]: DNS search domains
--dns-opt=[]: custom DNS options
--dns=[]: custom DNS servers
-e, --env=[]: environment variables inside the container
--env-file=[]: read environment variables for the container from a file
-h, --hostname="": hostname inside the container
--ip="": the container's IPv4 address
--ip6="": the container's IPv6 address
--link=[ :alias]: link to another container
--mac-address="": the container's MAC address
--name="": the container's name

create options related to resource limits and security protection:

--blkio-weight=10~1000: I/O weight for the container's block device reads and writes; default 0
--blkio-weight-device=[device_name:weight]: I/O weight per block device
--cpu-shares=0: relative CPU weight; by default one container can fully use one core
--cap-add=[]: add the given Linux capabilities to the container
--cap-drop=[]: remove the given Linux capabilities from the container
--cgroup-parent="": parent path under which the container's cgroups are created
--cidfile="": write the container ID to a file
--cpu-period=0: CPU time slice limit for the container under the CFS scheduler
--cpuset-cpus="": which CPU cores the container may use
--cpuset-mems="": which memory nodes to use on a NUMA architecture
--device-read-bps=[]: read throughput limit (bytes per second) for a mounted device
--device-write-bps=[]: write throughput limit (bytes per second) for a mounted device
--device-read-iops=[]: read rate limit (I/O operations per second) for a mounted device
--device-write-iops=[]: write rate limit (I/O operations per second) for a mounted device
--kernel-memory="": limit the kernel memory used by the container; units b, k, m or g
-m, --memory="": limit the memory used by applications in the container; units b, k, m or g
--memory-reservation="": when the system is low on memory the container is forced down to this value; defaults to the memory limit
--memory-swap="LIMIT": limit the total of memory plus swap used by the container
--oom-kill-disable=true|false: whether to kill the container when memory is exhausted (out of memory)
--oom-score-adj="": adjust the container's OOM score
--pids-limit="": limit the number of PIDs in the container
--privileged=true|false: give the container elevated privileges, meaning applications inside are not subject to the usual restrictions; generally not recommended
--read-only=true|false: make the container's file system read-only
--security-opt=[]: security parameters such as permissions, capabilities, AppArmor profiles
--stop-signal=SIGTERM: signal used to stop the container
--shm-size="": size of /dev/shm
--sig-proxy=true|false: whether received signals are proxied to the application; default true; SIGCHLD, SIGSTOP and SIGKILL cannot be proxied
--memory-swappiness="0-100": the container's swappiness
-u, --user="": user that commands run as inside the container
--ulimit=[]: limit the maximum number of open files, processes and so on via ulimit

Other fairly important options include: -l, --label=[], which labels the container with key-value pairs; and --label-file=[], which reads labels from a file.

Start a container

Use docker start to start a container that has already been created:

docker start container-ID // start the container
docker stop container-ID // stop the container

Docker container states: Up (running), Exited (terminated), Created (created but never started), Paused (paused); a container with no status is stopped.

docker pause/unpause centos/httpd // pause or unpause a container
docker stop centos/httpd // stop the specified container

Create and start a container

Besides creating a container and then starting it with start, you can create and start it in one step. The command for this is docker run, which is equivalent to running docker create followed by docker start.

docker run centos/lamp /bin/bash -c "ls /" // create the container, start it and run the program; the container stops when the command finishes

Start a bash terminal that lets the user interact:

$ docker run -it ubuntu:14.04 /bin/bash
root@af8bae53bdd3:/#

Here the -t option makes Docker allocate a pseudo-terminal (pseudo-tty) and bind it to the container's standard input, and -i keeps the container's standard input open. More options can be seen with man docker-run. In interactive mode the user types commands into the terminal that was created.

Run as a daemon

More often, a Docker container needs to run in the background in daemonized form. Add the -d parameter for this. The following command runs a container in the background:

$ docker run -d ubuntu /bin/sh -c "while true; do echo hello world; sleep 1; done"

Enter a running container and operate on it:

docker exec -it container-ID /bin/bash // enter the container

Ways to leave the container: 1. type exit; 2. press Ctrl+p, Ctrl+q to return to the host console.

Attach to the container's session:

docker attach container-ID

Export a container to a file:

docker export 13198d132fbe > centoslamp // exports the specified container to a file named centoslamp, which is a Docker image file
docker import file-name image-name:tag // create an image from the exported container file

Delete containers:

docker rm d4e863a654aa // delete the specified container
docker rm -f d4e863a654aa // force-delete a running container; not recommended
docker container prune // delete all stopped containers
docker rm $(docker ps -qf status=exited) // delete the containers in the given state

Extension: hardware resources

1. Show the hardware resource usage of containers: docker stats [option] [zero or more running containers]. When no container is specified, docker stats shows all running containers.

2. Update a container's hardware resource limits: docker update [option]. This may report an error; if so, edit /etc/default/grub and set GRUB_CMDLINE_LINUX="... cgroup_enable=memory swapaccount=1".

3. Verify the effect with the stress test tool. Using the existing stress image progrium/stress, open two terminals and run the following in one of them:

docker run -m 100m --rm -it progrium/stress --cpu 2 --io 1 --vm 10 --vm-bytes 9m

In the other terminal run docker stats to monitor. Then open a third terminal and run the following (9eb0 is the beginning of the container ID; replace it with the actual value):

docker update -m 200m 9eb0

Summary: the memory limit can only be increased, not reduced.
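The resource-limit and security options in the table above (--privileged, --cap-add/--cap-drop, --network=host and the other host namespaces, -v, -m, --pids-limit, --read-only) are the ones worth checking before a container is started. The following script is an added example and not part of the original post: it audits a docker run / docker create command line for those options without needing a Docker daemon, and the weak and hardened command lines it is shown on are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the options of a
# "docker run" / "docker create" command line against the security-related
# options listed above. No Docker daemon is needed; only the text is inspected.
# Hypothetical commands are constructed at the bottom for demonstration.

# audit_run_opts "<docker run ... options>": prints one finding per line.
# Prints nothing when no risky option is present and the basic limits are set.
audit_run_opts() {
    have_mem=0; have_pids=0; have_ro=0; have_capdrop=0
    # shellcheck disable=SC2086  # splitting the command line into words is intended
    set -- $1
    while [ $# -gt 0 ]; do
        opt=$1; val=""
        case "$opt" in
            --*=*) val=${opt#*=}; opt=${opt%%=*} ;;   # --network=host -> opt / val
        esac
        case "$opt" in
            --privileged)
                [ "$val" = "false" ] ||
                    echo "HIGH: --privileged removes capability, seccomp and device restrictions" ;;
            --network|--net|--pid|--ipc|--uts|--userns)
                [ -n "$val" ] || { val=$2; shift; }
                [ "$val" != "host" ] || echo "HIGH: $opt=host shares a host namespace with the container" ;;
            --cap-add)
                [ -n "$val" ] || { val=$2; shift; }
                echo "MEDIUM: --cap-add $val widens the default capability set" ;;
            --cap-drop) have_capdrop=1 ;;
            -v|--volume)
                [ -n "$val" ] || { val=$2; shift; }
                src=${val%%:*}
                case "$src" in
                    /|/etc|/proc|/sys|/root|/var/run/docker.sock|/run/docker.sock)
                        echo "HIGH: sensitive host path $src is mounted into the container" ;;
                esac
                case "$val" in
                    *:ro) ;;                      # read-only bind mount: fine
                    /*)   echo "LOW: bind mount of $src is writable (no :ro)" ;;
                esac ;;
            -m|--memory)  have_mem=1 ;;
            --pids-limit) have_pids=1 ;;
            --read-only)  [ "$val" = "false" ] || have_ro=1 ;;
        esac
        shift
    done
    [ $have_mem -eq 1 ]     || echo "INFO: no -m/--memory limit; a runaway process can exhaust host RAM"
    [ $have_pids -eq 1 ]    || echo "INFO: no --pids-limit; a fork bomb is not contained"
    [ $have_ro -eq 1 ]      || echo "INFO: --read-only not set; the image filesystem is writable"
    [ $have_capdrop -eq 1 ] || echo "INFO: no --cap-drop; Docker's default capabilities are kept"
    return 0
}

# Constructed demonstration: a weak command line next to a hardened one.
WEAK='docker run -d --privileged --network=host -v /var/run/docker.sock:/var/run/docker.sock nginx'
HARD='docker run -d --cap-drop ALL --read-only --pids-limit 100 -m 256m -v /srv/site:/usr/share/nginx/html:ro -p 127.0.0.1:8080:80 nginx'

if [ $# -gt 0 ]; then
    audit_run_opts "$*"            # audit the command line given as arguments
else
    echo "== weak =="; audit_run_opts "$WEAK"
    echo "== hardened =="; audit_run_opts "$HARD"
fi
```

Run it with a real command line as arguments (./audit.sh docker run ...) to get the findings for that command; the hardened sample produces no findings.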

Create: docker create -itd image-name (ID) /bin/bash

Start a container: docker start container-name (ID)

Stop a container: docker stop container-name (ID)

Pause: docker pause container-name (ID)

Unpause: docker unpause container-name (ID)

Delete: docker rm -f container-name (ID)

View container details: docker inspect container-ID

View the list of containers: docker ps -a

none network: a container on this network has only the lo NIC. Specify it with --network=none. Normally, when no network is specified, the container gets an eth0 (for example eth0 inet addr:172.17.0.7). When the network is none:

docker run -it --network=none --name network1 busybox

the container has only the lo NIC. What is such a closed network good for? It can be used for highly secure applications that do not need networking. For example, a container whose only purpose is to generate random passwords can be placed on the none network so that the passwords cannot be stolen over the network. Most containers, however, do need networking.

host network: the container connects to the host network and shares the network stack of the Docker host; the container's network configuration is exactly the same as the host's. Specify it with --network=host:

docker run -it --network=host --name network2 busybox

Inside this container the hostname is also the real machine's. When is the host network used? Its biggest benefit is performance: if the container needs high network throughput, choose the host network. Its disadvantage is low flexibility: a port already in use on the Docker host cannot be used by the container. Another use of the host network is to let the container configure the host's network directly; for example, some cross-host networking solutions run as containers and need to configure the host network, such as its iptables rules.

bridge network: the default. When Docker is installed, a Linux bridge named docker0 is created. A container run without --network= is attached to docker0 by default, which you can see with brctl show. The path is: container eth0 -- veth9cfd9f7 -- docker0 -- the real machine's NIC. Note: the interfaces column of brctl show lists the containers' virtual NICs; when a container is stopped its NIC disappears, so only running containers show an interface there. For example, when the interfaces column shows veth58a8eca, entering that container shows its eth0. eth0 and veth58a8eca are a veth pair, a special network device that always comes in pairs; think of it as two network cards joined by a virtual cable. One end, eth0@if315, is in the container; the other end, veth58a8eca, is attached to docker0, so in effect eth0@if315 is attached to docker0. eth0@if315 is configured with 172.17.0.2/16. Run another container and its IP is 172.17.0.3, taken from the same segment rather than a separate one. Why do they all come from 172.17.0.0? docker network inspect bridge shows the network's configuration: the subnet is 172.17.0.0/16 and the gateway is 172.17.0.1. Where does that gateway come from? The IP of docker0 on the host is 172.17.0.1, so the gateway is docker0 itself.

Custom networks: Docker's bridge network is used by default, but users can also create user-defined networks to suit their own needs. Docker provides three user-defined network drivers: bridge, overlay and macvlan. overlay and macvlan are used to create cross-host networks.

With the bridge driver you can create a network similar to the default docker0 bridge:

docker network create --driver bridge brnet1

brctl show now shows a new bridge br-32a5cb322311; 32a5cb322311 is the ID of the newly created brnet1 network. docker network inspect brnet1 shows that brnet1's subnet is 172.18.0.0/16 and its gateway is 172.18.0.1. This 172.18.0.0/16 segment was assigned automatically by Docker; you can also specify your own segment and gateway with --subnet and --gateway:

docker network create --driver bridge --subnet 192.168.2.0/24 --gateway 192.168.2.1 brnet2

For a container to use the new network, specify it with --network= when running the container. A static IP address can be given with --ip:

docker run -it --network=brnet2 --ip 192.168.2.222 busybox

Note: a static IP can only be specified on networks created with --subnet. It is best not to give containers the same IP range as the host, otherwise the host's own network will be disturbed. If you do get interference, docker network rm deletes the bridge.

Summary of bridge networks:

Note: if the commands above fail with an error like "Error response from daemon: Failed to Setup IP tables: Unable to enable SKIP DNAT rule: (iptables failed: iptables --wait -t nat -I DOCKER -i br-01f51f70d9a8 -j RETURN: iptables: No chain/target/match by that name. (exit status 1))", stop Docker, clear the nat table and let Docker recreate its rules on restart:

pkill docker

iptables -t nat -F

ifconfig docker0 down

systemctl start docker

iptables -t nat -F flushes every rule in the host's nat table, not only Docker's, so check what else is configured there before running it.

Create a container using the specified network:

docker run -it --network bridge image-ID /bin/bash

View Docker networks:

docker network ls

Create a Docker network:

docker network create --driver=bridge custom-network-name

Create a Docker network with a custom subnet and gateway:

docker network create --driver=bridge --subnet 192.168.80.0/24 --gateway 192.168.80.1 custom-network-name

Create a container on the specified network and assign a static IP address:

docker run -it --network custom-network-name --ip 192.168.80.100 image-name /bin/bash

Note: static IP addresses can be assigned only if the network's subnet was specified with --subnet when it was created.

View the details of a Docker network:

docker network inspect network-name

Delete a Docker network:

docker network rm network-name

Add a network card to an existing container:

docker network connect network-name [--ip ip-address] container-name

Port mapping and container interconnection

1. Container access to the external network

By default a container's gateway is the internal interface of the docker0 bridge. That interface is also a local interface of the host, so the container can reach the host by default. For the container to reach the external network through the host, the host must forward packets.

# sysctl net.ipv4.ip_forward // check whether forwarding is enabled; 1 means enabled

net.ipv4.ip_forward = 1

If the value is 0, forwarding is not enabled and must be turned on manually:

# sysctl -w net.ipv4.ip_forward=1

More simply, start the Docker service with --ip-forward=true and it will turn on forwarding on the host system automatically.

Port mapping

Network applications can run inside containers; to make them reachable from outside, specify a port mapping with the -P (uppercase) or -p (lowercase) parameter.

1. With the -P flag, Docker randomly maps a host port in the range 49000-49900 to an open network port of the container.

2. With -p (lowercase) you can specify the IP address and port to map, but only one container can be bound to a given host port. The supported formats are hostPort:containerPort, ip:hostPort:containerPort and ip::containerPort.

hostPort:containerPort maps on all interface addresses. Map local port 5000 to container port 5000:

docker run -d -p 5000:5000 training/webapp /bin/bash

By default this binds to all addresses on all local interfaces.

ip:hostPort:containerPort maps using a specific address, such as the localhost address 127.0.0.1:

docker run -d -p 127.0.0.1:5000:5000 training/webapp /bin/bash

ip::containerPort maps an arbitrary port of the specified address: it binds some port of localhost to container port 5000, and the host assigns the port automatically:

docker run -d -p 127.0.0.1::5000 training/webapp /bin/bash

A UDP port can be mapped by adding the /udp suffix:

docker run -d -p 127.0.0.1:5000:5000/udp training/webapp /bin/bash

View the mapped port configuration: docker port shows the current port mappings and the bound addresses; docker ps -a shows them in the PORTS column. Note: the container has its own internal network and IP address (all of these values can be read with docker inspect, and Docker can also change a container's network configuration).

The -p flag can be used several times to bind several ports, for example:

docker run -d -p 5000:5000 -p 3000:80 training/webapp /bin/bash
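The -p formats just described, as an added example that is not part of the original post: a POSIX shell parser that normalises a publish spec and says whether the mapping listens on every host interface (0.0.0.0, which is what Docker does when no IP is given) or only on a specific address such as 127.0.0.1. The sample specs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): parse the -p/--publish formats
# described above and report which host interface the mapping listens on.
# No Docker daemon is needed; the specs at the bottom are constructed samples.

# parse_publish "<spec>": prints "HOST_IP HOST_PORT CONTAINER_PORT PROTO".
# Accepted forms: containerPort, hostPort:containerPort,
# ip:hostPort:containerPort, ip::containerPort, each with optional /udp or /tcp.
# An absent host IP means Docker binds every interface (0.0.0.0); an absent
# host port means Docker assigns an ephemeral one. Returns 1 if malformed.
# (Bracketed IPv6 addresses are outside the scope of this example.)
parse_publish() {
    spec=$1; proto=tcp
    case "$spec" in
        */udp) proto=udp; spec=${spec%/udp} ;;
        */tcp) spec=${spec%/tcp} ;;
    esac
    # Count colon-separated fields to tell the three layouts apart.
    rest=$spec; fields=1
    while [ "$rest" != "${rest#*:}" ]; do
        rest=${rest#*:}; fields=$((fields + 1))
    done
    case $fields in
        1) host_ip=0.0.0.0; host_port=""; cport=$spec ;;
        2) host_ip=0.0.0.0; host_port=${spec%%:*}; cport=${spec#*:} ;;
        3) host_ip=${spec%%:*}; rest=${spec#*:}
           host_port=${rest%%:*}; cport=${rest#*:} ;;
        *) echo "malformed publish spec: $1" >&2; return 1 ;;
    esac
    if [ -z "$cport" ] || [ -z "$host_ip" ]; then
        echo "malformed publish spec: $1" >&2; return 1
    fi
    [ -n "$host_port" ] || host_port=ephemeral
    echo "$host_ip $host_port $cport $proto"
}

# exposure "<spec>": "public" when the mapping listens on all interfaces
# (reachable from outside the host), "local" when bound to a specific address.
exposure() {
    parsed=$(parse_publish "$1") || return 1
    # shellcheck disable=SC2086  # splitting the parsed fields is intended
    set -- $parsed
    case "$1" in
        0.0.0.0) echo public ;;
        *)       echo local ;;
    esac
}

# Constructed samples covering every format from the text above.
for spec in 5000:5000 127.0.0.1:5000:5000 127.0.0.1::5000 \
            127.0.0.1:5000:5000/udp 11234-12234:1234-2234 3000:80; do
    printf '%-28s -> %s (%s)\n' "$spec" "$(parse_publish "$spec")" "$(exposure "$spec")"
done
```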

2. Interconnection between containers (communication between containers)

Containers can communicate with each other through IP addresses, the Docker DNS server, or joined containers.

Docker network: none, host, bridge, custom (bridge,overlay,macvlan)

1. IP communication

For two containers to communicate, they must have a network card that belongs to the same network.

That is, two containers are in the same network segment.

Once this condition is met, the container can interact through IP.

This is done either by specifying the appropriate network with --network when the container is created, or by adding an existing container to the network with docker network connect.

2. Docker DNS Server

Although accessing the container through IP meets the needs of communication, it is still not flexible enough. Because we may not be able to determine the IP before deploying the application, it will be troublesome to specify the IP to be accessed after deployment. This problem can be solved through the DNS service that comes with docker.

Starting with Docker version 1.10, docker daemon implements an embedded DNS server that allows containers to communicate directly through the container name.

The method is simple: just name the container with --name when starting it.

Let's start two containers, web1 and web2:

docker run -it --network=brnet2 --name=web1 centos

docker run -it --network=brnet2 --name=web2 centos

web2 can then ping web1 directly by name.

Note: Docker DNS has one limitation: it only works on custom networks. In other words, containers on the default bridge network docker0 cannot use it. Let's verify this:

Create bbox3 and bbox4, both connected to the default bridge network.

docker run -it --name=bbox3 busybox

docker run -it --name=bbox4 busybox

bbox4 cannot ping bbox3 by name.

3. Joined container

Joined containers are another way to communicate between containers.

The joined container is very special in that it enables two or more containers to share a network stack, network card and configuration information, and joined containers can communicate directly through 127.0.0.1.

Example:

First create a httpd container named web1.

docker run -d -it --name=web1 httpd

Then create a centos container and specify web1 as the joined container with --network=container:web1:

docker run -it --network=container:web1 --name web2 centos

Enter the two containers and view their addresses.

The MAC addresses and IPs of the network cards in web1 and web2 are exactly the same: they share one network stack.

In this way, web2 can directly access web1's httpd service with 127.0.0.1.

The joined container is ideal for the following scenarios:

Programs in different containers want to communicate efficiently and quickly through loopback, such as web server and app server. You want to monitor the network traffic of other containers, such as network monitoring programs that run in separate containers.

Extend:

When two containers are in different bridge, there is no ping communication between containers.

How to make ping communication between two different network segments?

1. Add a route

If the host has a route to each network and IP forwarding is turned on in its operating system, the host becomes a router, and the networks attached to different bridges can ping each other.

You can check whether this condition is met on the host.

ip r // view the routing table on the host

Turn on route forwarding
