Docker Learning Notes (Second Edition)


峰回路转 (qq:275868299), 2017.11.27

# Part 1: Installing Docker

## 1.1 Pre-installation checks

Requirements

1. Docker only runs on 64-bit systems.

2. Docker needs a Linux kernel of version 3.8 or later.

3. Ubuntu 16.04 or later is the preferred distribution.

Environment used for this document:

# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
# uname -r
3.10.0-514.6.1.el7.x86_64

Upgrading the kernel to 4.10 or later is recommended.
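The three requirements above, written as a check script. This is an added example, not part of the original notes: it compares only the major.minor part of `uname -r`, so a release string such as 3.10.0-514.6.1.el7.x86_64 is handled, and it reports the 4.10 recommendation separately from the hard 3.8 requirement.

```shell
#!/bin/sh
# Added example (not from the original notes): pre-install checks for Docker.
# Requirements checked: 64-bit system, Linux kernel >= 3.8; kernel >= 4.10 is
# only a recommendation and is reported as a note.

# kernel_at_least RUNNING WANTED -> 0 if RUNNING's major.minor >= WANTED's major.minor
#   e.g. kernel_at_least "3.10.0-514.6.1.el7.x86_64" 3.8
kernel_at_least() {
    have_major=${1%%.*}
    rest=${1#*.}
    have_minor=${rest%%.*}
    have_minor=${have_minor%%-*}     # a "10-rc1" style minor loses its suffix
    want_major=${2%%.*}
    rest=${2#*.}
    want_minor=${rest%%.*}
    if [ "$have_major" -gt "$want_major" ]; then
        return 0
    fi
    if [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then
        return 0
    fi
    return 1
}

# is_64bit ARCH -> 0 when ARCH (as printed by uname -m) is a 64-bit architecture
is_64bit() {
    case "$1" in
        x86_64|amd64|aarch64|arm64|ppc64le|s390x) return 0 ;;
        *) return 1 ;;
    esac
}

# check_host -> runs both checks against this machine; status 0 only if both pass
check_host() {
    arch=$(uname -m)
    kver=$(uname -r)
    ok=0
    if is_64bit "$arch"; then
        echo "arch   ok:   $arch"
    else
        echo "arch   FAIL: $arch (Docker needs a 64-bit system)"; ok=1
    fi
    if kernel_at_least "$kver" 3.8; then
        echo "kernel ok:   $kver"
    else
        echo "kernel FAIL: $kver (3.8 or later required)"; ok=1
    fi
    if ! kernel_at_least "$kver" 4.10; then
        echo "note: kernel 4.10 or later is recommended"
    fi
    return $ok
}

if check_host; then
    echo "host meets the Docker requirements"
else
    echo "host does not meet the Docker requirements"
fi
```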

## 1.2 Installing Docker

Install

#yum install docker
#docker -v
Docker version 1.12.5, build 047e51b/1.12.5

Start the service

#systemctl start docker
# docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 0
Server Version: 1.12.5
Storage Driver: devicemapper
 Pool Name: docker-253:0-4297873-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 11.8 MB
 Data Space Total: 107.4 GB
 Data Space Available: 6.832 GB
 Metadata Space Used: 581.6 kB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.147 GB
 Thin Pool Minimum Free Space: 10.74 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.135-RHEL7 (2016-11-16)
Logging Driver: journald
Cgroup Driver: systemd
Plugins:
 Volume: local
 Network: bridge null host overlay
Swarm: inactive
Runtimes: docker-runc runc
Default Runtime: docker-runc
Security Options: seccomp selinux
Kernel Version: 3.10.0-514.6.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 2
CPUs: 2
Total Memory: 1.797 GiB
Name: localhost.localdomain
ID: 5P4J:HNJ4:AR7Z:Q7UC:3SYQ:M3KW:7RRM:DYR2:QJI2:JYPL:BOZM:ZZOD
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: /
Insecure Registries:
 127.0.0.0/8
Registries: docker.io (secure)   

# Part 2: Docker Images

## 2.1 Pulling images

#docker pull NAME[:TAG]
By default images are downloaded from the official Docker registry.
Other download locations:

Setting a default registry

# vim /etc/sysconfig/docker
ADD_REGISTRY='--add-registry docker.mirrors.ustc.edu'
# /bin/systemctl restart docker.service

## 2.2 Some image commands

List images

#docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
docker.io/centos    latest              98d35105a391        2 weeks ago         192.5 MB

Tag an image

#docker tag docker.io/centos:latest docker.io/centos:7
# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
docker.io/centos    7                   98d35105a391        2 weeks ago         192.5 MB
docker.io/centos    latest              98d35105a391        2 weeks ago         192.5 MB

A tag distinguishes different images from the same repository; the centos repository, for example, holds several images that are told apart by tag, usually the release version. The two entries above have exactly the same IMAGE ID, so they point at the same image. An image is read-only: when a container is started from it, Docker creates a writable layer on top of the image, and the image itself stays unchanged.

Show detailed information about an image

# docker inspect 98d35105a391
[
    {
        "Id": "sha256:98d35105a391b7e429e2c51ea137670f7ec0d4341a42c985772a75cfa43ad85f",
        "RepoTags": [
            "docker.io/centos:7",
            "docker.io/centos:latest"
        ],
        "RepoDigests": [],
        "Parent": "",
        "Comment": "",
        "Created": "2017-03-15T21:49:52.758118314Z",
        "Container": "e8cc0aad77cfd7500966b5f434d8041508370a5ec5a44a71892aa9f0799c0204",
        "ContainerConfig": {
            "Hostname": "2cd7b0a690e2",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Cmd": [
                "/bin/sh",
                "-c",
                "#(nop) ",
                "CMD [\"/bin/bash\"]"
            ],
            "Image": "sha256:94765cfa3aaaf006425db71faa4b98466ee27e998d38e608b64d94b011aa5c11",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": {
                "build-date": "20170315",
                "license": "GPLv2",
                "name": "CentOS Base Image",
                "vendor": "CentOS"
            }
        },
        "DockerVersion": "1.12.1",
        "Author": "",
        "Config": {
            "Hostname": "2cd7b0a690e2",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Cmd": [
                "/bin/bash"
            ],
            "Image": "sha256:94765cfa3aaaf006425db71faa4b98466ee27e998d38e608b64d94b011aa5c11",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": {
                "build-date": "20170315",
                "license": "GPLv2",
                "name": "CentOS Base Image",
                "vendor": "CentOS"
            }
        },
        "Architecture": "amd64",
        "Os": "linux",
        "Size": 192493946,
        "VirtualSize": 192493946,
        "GraphDriver": {
            "Name": "devicemapper",
            "Data": {
                "DeviceId": "4",
                "DeviceName": "docker-253:0-4297873-477c7526e6d60930eea19b1913414260a00ed16e26159959e88fb660b62b4820",
                "DeviceSize": "10737418240"
            }
        },
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:9b198ff9ff5b314b0367bea097cfc320046b36ebfa6c9a1e2ba2a78665d58d87"
            ]
        }
    }
]

Search for images

# docker search --filter=stars=10 centos              
INDEX       NAME                                      DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
docker.io   docker.io/centos                          The official build of CentOS.                   3221      [OK]       
docker.io   docker.io/jdeathe/centos-ssh              CentOS-6 6.8 x86_64 / CentOS-7 7.3.   63                   [OK]
docker.io   docker.io/jdeathe/centos-ssh-apache-php   CentOS-6 6.8 x86_64 - Apache / PHP-FPM / P...   25                   [OK]
docker.io   docker.io/consol/centos-xfce-vnc          Centos container with "headless"    24                   [OK]
docker.io   docker.io/nimmis/java-centos              This is docker images of CentOS 7    23                   [OK]
docker.io   docker.io/gluster/gluster-centos          Official GlusterFS Image [ CentOS-7 +     18                   [OK]
docker.io   docker.io/million12/centos-supervisor     Base CentOS-7 with supervisord launcher, h...   14                   [OK]

Remove an image

[root@localhost ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
docker.io/centos    7                   98d35105a391        2 weeks ago         192.5 MB
docker.io/centos    latest              98d35105a391        2 weeks ago         192.5 MB
[root@localhost ~]# docker rmi docker.io/centos:7
Untagged: docker.io/centos:7
[root@localhost ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
docker.io/centos    latest              98d35105a391        2 weeks ago         192.5 MB

docker rmi docker.io/centos:7 only removes that tag; the image itself and any other tags pointing at it are not affected.

If a container created from the image exists, the correct way to remove the image is as follows.

[root@localhost ~]# docker run docker.io/centos:7 echo "hello,I am here"
hello,I am here
[root@localhost ~]# docker ps -a
CONTAINER ID        IMAGE                COMMAND                  CREATED             STATUS                      PORTS               NAMES
7a0e039f9a4f        docker.io/centos:7   "echo 'hello,I am her"   13 seconds ago      Exited (0) 12 seconds ago                       high_bose
[root@localhost ~]# docker rmi docker.io/centos:7
Untagged: docker.io/centos:7
[root@localhost ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
docker.io/centos    latest              98d35105a391        2 weeks ago         192.5 MB

After the removal, the container still exists:

[root@localhost ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS                          PORTS               NAMES
7a0e039f9a4f        98d35105a391        "echo 'hello,I am her"   About a minute ago   Exited (0) About a minute ago                       high_bose
[root@localhost ~]# docker rm 7a0e039f9a4f
7a0e039f9a4f
[root@localhost ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[root@localhost ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
docker.io/centos    latest              98d35105a391        2 weeks ago         192.5 MB

The correct order is to remove the container first and the image afterwards.

Creating images

There are three ways to create an image: from a container based on an existing image, by importing a local template, and from a Dockerfile.

From a container based on an existing image

[root@localhost ~]# docker run -ti centos:7 /bin/bash
[root@1a447290aa9b /]# touch test
[root@1a447290aa9b /]# exit
exit
[root@localhost ~]# docker commit -m "miaoshu" -a "duxuefeng" 1a447290aa9b centos_test
sha256:c16d722e10ba2872c0a686e884d2ed522ee88278cecce021d6931347eb28a28e
[root@localhost ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
centos_test         latest              c16d722e10ba        7 minutes ago       192.5 MB
docker.io/centos    7                   98d35105a391        2 weeks ago         192.5 MB
docker.io/centos    latest              98d35105a391        2 weeks ago         192.5 MB

Importing a local template

Template download address:

[root@localhost ~]# ls
anaconda-ks.cfg  centos-6-x86_  centos_7.tar
[root@localhost ~]# cat centos-6-x86_ | docker import - centos:6
sha256:9a031f7a0de5f9302d8dcded33742f12bc126b9540ed975852f666f6d3c7f8da
[root@localhost ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
centos              6                   9a031f7a0de5        8 seconds ago       553 MB
centos_test         latest              c16d722e10ba        32 minutes ago      192.5 MB
docker.io/centos    7                   98d35105a391        2 weeks ago         192.5 MB
docker.io/centos    latest              98d35105a391        2 weeks ago         192.5 MB

Saving and loading images

[root@localhost ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
centos_test         latest              c16d722e10ba        18 minutes ago      192.5 MB
docker.io/centos    7                   98d35105a391        2 weeks ago         192.5 MB
docker.io/centos    latest              98d35105a391        2 weeks ago         192.5 MB
[root@localhost ~]# docker save -o centos_7.tar docker.io/centos:7
[root@localhost ~]# docker rmi docker.io/centos:7
Untagged: docker.io/centos:7
[root@localhost ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
centos_test         latest              c16d722e10ba        18 minutes ago      192.5 MB
docker.io/centos    latest              98d35105a391        2 weeks ago         192.5 MB
[root@localhost ~]# ls
anaconda-ks.cfg  centos_7.tar
[root@localhost ~]# docker load --input centos_7.tar    (or: docker load < centos_7.tar)
Loaded image: docker.io/centos:7
[root@localhost ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
centos_test         latest              c16d722e10ba        19 minutes ago      192.5 MB
docker.io/centos    7                   98d35105a391        2 weeks ago         192.5 MB
docker.io/centos    latest              98d35105a391        2 weeks ago         192.5 MB
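docker load and docker import turn whatever is in a tarball into a local image without any check of where the file came from. As an added example (not from the original notes), the helper below compares a saved archive against a SHA-256 digest that the person who ran docker save passed along separately, and only calls docker load when the digest matches. The sample file in demo is constructed here; it stands in for centos_7.tar and is not a real image archive.

```shell
#!/bin/sh
# Added example (not from the original notes): verify a `docker save` tarball
# against an expected SHA-256 digest before handing it to `docker load`, so a
# file altered on shared storage or in transit is rejected instead of quietly
# becoming a local image.

# sha256_of FILE -> hex digest; uses whichever tool the host has
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_tarball FILE EXPECTED_HEX -> 0 when the digest matches, 1 otherwise
verify_tarball() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "ok: $1 matches expected digest"
        return 0
    fi
    echo "MISMATCH: $1 has $actual, expected $2" >&2
    return 1
}

# verified_load FILE EXPECTED_HEX -> runs `docker load` only after the check passes
#   usage: verified_load centos_7.tar <digest received from the sender>
verified_load() {
    verify_tarball "$1" "$2" || return 1
    docker load --input "$1"
}

# demo: constructed sample file, not a real image archive. The good digest is
# computed on the spot; the second call uses a deliberately wrong value to show
# the failure path.
demo() {
    tmp=$(mktemp)
    printf 'constructed sample standing in for centos_7.tar\n' > "$tmp"
    good=$(sha256_of "$tmp")
    verify_tarball "$tmp" "$good"
    verify_tarball "$tmp" "0000000000000000000000000000000000000000000000000000000000000000" || true
    rm -f "$tmp"
}

demo
```

The digest has to travel by a channel the tarball did not: a checksum file lying next to the archive on the same share proves nothing, since whoever could change one could change the other.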

# Part 3: Containers

## 3.1 Creating and starting a container

[root@localhost ~]# docker run centos:7 /bin/echo 'hello world'
hello world

When docker run creates and starts a container, Docker performs the following steps in the background:

  1. Check whether the specified image exists locally; if not, download it from the public registry
  2. Create and start a container from the image
  3. Allocate a filesystem and mount a read-write layer on top of the read-only image layer
  4. Bridge a virtual interface from the bridge configured on the host into the container
  5. Assign the container an IP address from the address pool
  6. Run the application specified by the user
  7. When the application finishes, the container is terminated
  8. Enter the container's interactive mode

Example:

[root@localhost ~]# docker run -t -i centos:7 /bin/bash
-t  tells Docker to allocate a pseudo-terminal and bind it to the container's standard input
-i  keeps the container's standard input open
[root@6330918ea39a /]# ls
anaconda-post.log  dev  home  lib64       media  opt   root  sbin  sys  usr
bin                etc  lib   lost+found  mnt    proc  run   srv   tmp  var

Running in detached (daemon) mode

[root@localhost ~]# docker run -d centos:7 /bin/bash -c "while true; do echo hello world; sleep 1; done"
cf03fed72e1883445ba4ffb075cb7608584b60fbe5ddb64d56cb86917c16227f
[root@localhost ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
cf03fed72e18        centos:7            "/bin/bash -c 'while "   7 seconds ago       Up 6 seconds                            naughty_noyce
[root@localhost ~]# docker logs cf03fed72e18
hello world
hello world
hello world
...

## 3.2 Stopping a container

Stopping an interactive container

When the application inside the container ends, the container stops as well. In interactive mode, for example, when the user leaves the terminal with the exit command or Ctrl+D, the container that was created stops immediately.

Stopping a detached container

A running container can be stopped with docker stop

[root@localhost ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS               NAMES
cf03fed72e18        centos:7            "/bin/bash -c 'while "   16 minutes ago      Up 9 seconds                                    naughty_noyce
6330918ea39a        centos:7            "/bin/bash"              21 minutes ago      Exited (0) 17 minutes ago                       angry_noether
07a974ede13f        centos:7            "/bin/echo 'hello wor"   27 minutes ago      Exited (0) 27 minutes ago                       sleepy_hugle

The STATUS of cf03fed72e18 shows it is running.

[root@localhost ~]# docker ps -a -q
cf03fed72e18
6330918ea39a
07a974ede13f
[root@localhost ~]# docker stop cf03fed72e18
cf03fed72e18

Stop the cf03fed72e18 container:

[root@localhost ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                       PORTS               NAMES
cf03fed72e18        centos:7            "/bin/bash -c 'while "   17 minutes ago      Exited (137) 4 seconds ago                       naughty_noyce
6330918ea39a        centos:7            "/bin/bash"              22 minutes ago      Exited (0) 18 minutes ago                        angry_noether
07a974ede13f        centos:7            "/bin/echo 'hello wor"   28 minutes ago      Exited (0) 28 minutes ago                        sleepy_hugle

The STATUS of cf03fed72e18 now shows it has exited.

[root@localhost ~]# docker start cf03fed72e18
cf03fed72e18

Start the container again:

[root@localhost ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS               NAMES
cf03fed72e18        centos:7            "/bin/bash -c 'while "   17 minutes ago      Up 3 seconds                                    naughty_noyce
6330918ea39a        centos:7            "/bin/bash"              23 minutes ago      Exited (0) 18 minutes ago                       angry_noether
07a974ede13f        centos:7            "/bin/echo 'hello wor"   28 minutes ago      Exited (0) 28 minutes ago                       sleepy_hugle
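The stopped container above shows Exited (137) rather than Exited (0). docker stop sends SIGTERM and, when the process is still alive after the grace period (10 seconds by default), SIGKILL; the bash while-true loop never handles SIGTERM, so it is killed and reports 128 + 9 = 137. The script below is an added example, not part of the original notes: it reads the STATUS text that docker ps -a prints and explains the exit codes. The sample lines are constructed from the output in this section.

```shell
#!/bin/sh
# Added example (not from the original notes): decode the STATUS column of
# `docker ps -a`. Input lines have the shape produced by
#   docker ps -a --format '{{.ID}} {{.Names}} {{.Status}}'

# exit_code STATUS_TEXT -> the N inside "Exited (N) ...", or nothing when not exited
exit_code() {
    printf '%s\n' "$1" | sed -n 's/^Exited (\([0-9][0-9]*\)).*/\1/p'
}

# describe_exit CODE -> short explanation of how the main process ended
describe_exit() {
    if [ "$1" -eq 0 ]; then
        echo "exited normally"
    elif [ "$1" -gt 128 ]; then
        sig=$(( $1 - 128 ))               # codes above 128 mean "killed by signal"
        case "$sig" in
            9)  echo "killed by SIGKILL (signal 9): did not stop on SIGTERM within the docker stop grace period" ;;
            15) echo "terminated by SIGTERM (signal 15)" ;;
            *)  echo "terminated by signal $sig" ;;
        esac
    else
        echo "exited with error code $1"
    fi
}

# report < ps lines -> one line per container: ID NAME and how it ended (or that it runs)
report() {
    while read -r id name status; do
        code=$(exit_code "$status")
        if [ -z "$code" ]; then
            echo "$id $name running: $status"
        else
            echo "$id $name $(describe_exit "$code")"
        fi
    done
}

# Constructed sample in the shape of the section's output
SAMPLE_PS='cf03fed72e18 naughty_noyce Exited (137) 4 seconds ago
6330918ea39a angry_noether Exited (0) 18 minutes ago
07a974ede13f sleepy_hugle Up 3 seconds'

printf '%s\n' "$SAMPLE_PS" | report
```

A container whose process should shut down cleanly on docker stop has to react to SIGTERM: either trap it in the entrypoint script or exec the long-running program so that it is PID 1 and receives the signal directly.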

## 3.3 Entering a container

Entering with exec

[root@localhost ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS               NAMES
cf03fed72e18        centos:7            "/bin/bash -c 'while "   17 minutes ago      Up 3 seconds                                    naughty_noyce
6330918ea39a        centos:7            "/bin/bash"              23 minutes ago      Exited (0) 18 minutes ago                       angry_noether
07a974ede13f        centos:7            "/bin/echo 'hello wor"   28 minutes ago      Exited (0) 28 minutes ago                       sleepy_hugle
[root@localhost ~]# docker exec -ti cf03fed72e18 /bin/bash
[root@cf03fed72e18 /]# ls
anaconda-post.log  dev  home  lib64       media  opt   root  sbin  sys  usr
bin                etc  lib   lost+found  mnt    proc  run   srv   tmp  var
[root@cf03fed72e18 /]# exit
exit
[root@localhost ~]# docker exec -ti 6330918ea39a /bin/bash
Error response from daemon: Container 6330918ea39afd4a33b8b171f7b148260986826af97aa01efcd7b5a241353e22 is not running

The test shows that only a running container can be entered.

Entering with nsenter

[root@localhost ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
cf03fed72e18        centos:7            "/bin/bash -c 'while "   42 hours ago        Up 42 hours                             naughty_noyce
[root@localhost ~]# docker inspect -f {{.State.Pid}} naughty_noyce
6072
[root@localhost ~]# docker inspect -f {{.State.Pid}} cf03fed72e18
6072
[root@localhost ~]# nsenter --target 6072 --mount --uts --ipc --net --pid
[root@cf03fed72e18 /]# exit
logout

## 3.4 Removing a container

[root@localhost ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                    PORTS               NAMES
17c26246299e        centos:7            "/bin/bash -c 'while "   31 seconds ago      Up 30 seconds                                 hopeful_sammet
cf03fed72e18        centos:7            "/bin/bash -c 'while "   43 hours ago        Up 42 hours                                   naughty_noyce
6330918ea39a        centos:7            "/bin/bash"              43 hours ago        Exited (0) 43 hours ago                       angry_noether
07a974ede13f        centos:7            "/bin/echo 'hello wor"   43 hours ago        Exited (0) 43 hours ago                       sleepy_hugle
[root@localhost ~]# docker rm 17c26246299e
Error response from daemon: You cannot remove a running container 17c26246299e5b080063bab3f3374f779173aaa0758668728b224e60b1b66b6b. Stop the container before attempting removal or use -f

A running container cannot be removed; to remove it anyway, add the -f parameter.

[root@localhost ~]# docker rm -f 17c26246299e
17c26246299e
[root@localhost ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                    PORTS               NAMES
cf03fed72e18        centos:7            "/bin/bash -c 'while "   43 hours ago        Up 42 hours                                   naughty_noyce
6330918ea39a        centos:7            "/bin/bash"              43 hours ago        Exited (0) 43 hours ago                       angry_noether
07a974ede13f        centos:7            "/bin/echo 'hello wor"   43 hours ago        Exited (0) 43 hours ago                       sleepy_hugle
[root@localhost ~]# docker rm 07a974ede13f
07a974ede13f
[root@localhost ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                    PORTS               NAMES
cf03fed72e18        centos:7            "/bin/bash -c 'while "   43 hours ago        Up 42 hours                                   naughty_noyce
6330918ea39a        centos:7            "/bin/bash"              43 hours ago        Exited (0) 43 hours ago                       angry_noether

## 3.5 Exporting and importing containers

[root@localhost ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                    PORTS               NAMES
cf03fed72e18        centos:7            "/bin/bash -c 'while "   43 hours ago        Up 42 hours                                   naughty_noyce
6330918ea39a        centos:7            "/bin/bash"              43 hours ago        Exited (0) 43 hours ago                       angry_noether
[root@localhost ~]# docker export cf03fed72e18 > test_for_run.tar
Export a running container.
[root@localhost ~]# docker export 6330918ea39a > test_for_stop.tar
Export a stopped container.
[root@localhost ~]# ls
test_for_run.tar  test_for_stop.tar
[root@localhost ~]# cat test_for_stop.tar | docker import - test/centos:7
sha256:f5310b70a7b92d69bd5fd8c94c067ea42fe2a37be8ff7bf5cdeef85de3980f7e
Import the container as an image.
[root@localhost ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
test/centos         7                   f5310b70a7b9        3 seconds ago       192.5 MB
centos              6                   9a031f7a0de5        43 hours ago        553 MB
centos_test         latest              c16d722e10ba        44 hours ago        192.5 MB
docker.io/centos    7                   98d35105a391        2 weeks ago         192.5 MB
docker.io/centos    latest              98d35105a391        2 weeks ago         192.5 MB

# Part 4: Registries

## 4.1 Official registry

Public registry: https://hub.docker

Basic operations: see the chapter on images

## 4.2 Private registry

Creating a private registry

Test registry server: 10.1.13.231

#docker run -d -p 5000:5000 -v /data/docker_registry:/var/lib/registry daocloud.io/library/registry

The registry service stores uploaded images under /var/lib/registry inside the container; by mounting the host's /data/docker_registry directory onto that path, the images are kept in /data/docker_registry on the host.

[root@localhost ~]# docker ps
CONTAINER ID        IMAGE                          COMMAND                  CREATED             STATUS              PORTS                    NAMES
69f96b24af09        daocloud.io/library/registry   "/entrypoint.sh /etc/"   8 minutes ago       Up 1 seconds        0.0.0.0:5000->5000/tcp   gloomy_hamilton

This shows the registry service has started. Access 127.0.0.1:5000/v2 in a browser or with curl on the command line; the following response shows the registry is working normally:

# curl :5000/v2/
{}

Test client server: 10.1.13.232

[root@localhost ~]# docker tag centos 10.1.13.231:5000/centos:6
[root@localhost ~]# docker images
REPOSITORY                TAG                 IMAGE ID            CREATED             SIZE
centos                    6                   9a031f7a0de5        2 days ago          553 MB
10.1.13.231:5000/centos   6                   98d35105a391        2 weeks ago         192.5 MB
[root@localhost ~]# docker push 10.1.13.231:5000/centos
The push refers to a repository [10.1.13.231:5000/centos]
Get :5000/v1/_ping: http: server gave HTTP response to HTTPS client

Error: the message shows that the client talks to the registry over HTTPS by default, but when installing the registry we configured no TLS key or certificate at all, so the HTTPS access is bound to fail.

Fix: change the Docker daemon configuration on the registry server and add the parameter --insecure-registry 10.1.13.231:5000

[root@localhost ~]# vim /etc/sysconfig/docker
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry 10.1.13.231:5000'
[root@localhost ~]# systemctl restart docker
[root@localhost ~]# docker push 10.1.13.224:5000/centos
The push refers to a repository [10.1.13.224:5000/centos]
b51149973e6a: Retrying in 1 second
received unexpected HTTP status: 500 Internal Server Error

The push returns a 500 error; the firewall and SELinux had to be turned off.

[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# setenforce 0
[root@localhost ~]# docker push 10.1.13.231:5000/centos:6
The push refers to a repository [10.1.13.231:5000/centos]
9b198ff9ff5b: Pushed
6: digest: sha256:d7f3db1caf4ea76117abce89709ebfc66c9339e13866016b8b2e4eee3ab4bea0 size: 529
[root@localhost ~]# curl :5000/v2/_catalog
{"repositories":["centos"]}

Verification

Verify from another machine:

[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# setenforce 0
[root@localhost ~]# vim /etc/sysconfig/docker
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry 10.1.13.231:5000'
[root@localhost ~]# docker pull 10.1.13.231:5000/centos:6
Trying to pull repository 10.1.13.231:5000/centos ...
6: Pulling from 10.1.13.231:5000/centos
Digest: sha256:d7f3db1caf4ea76117abce89709ebfc66c9339e13866016b8b2e4eee3ab4bea0
[root@localhost ~]# docker images
REPOSITORY                     TAG                 IMAGE ID            CREATED             SIZE
10.1.13.231:5000/centos        6                   98d35105a391        2 weeks ago         192.5 MB

Using the private registry by default

# vim /etc/sysconfig/docker
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry 10.1.13.231:5000'
ADD_REGISTRY='--add-registry 10.1.13.231:5000'
# docker pull centos:6
Trying to pull repository 10.1.13.231:5000/centos ...
6: Pulling from 10.1.13.231:5000/centos
4969bbd91a1e: Pull complete
Digest: sha256:d7f3db1caf4ea76117abce89709ebfc66c9339e13866016b8b2e4eee3ab4bea0
# docker images
REPOSITORY                TAG                 IMAGE ID            CREATED             SIZE
10.1.13.231:5000/centos   6                   98d35105a391        2 weeks ago         192.5 MB

# Part 5: Data Management

## 5.1 Data volumes

Features:

1. Data volumes can be shared and reused between containers

2. Changes to a data volume take effect immediately

3. Updates to a data volume do not affect the image

4. A volume persists until no container uses it any more

Create a data volume inside a container

[root@localhost ~]# docker run -it --name web -v /data docker.io/centos:7
[root@97913ebaae69 /]# ls
anaconda-post.log  bin  data  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var

Mount a host directory as a data volume

Problem:
[root@localhost ~]# docker run -it --name web -v /data/wwwroot:/data:rw docker.io/centos:7
[root@6013616fad9d /]# cd /data/
[root@6013616fad9d data]# ls
ls: cannot open directory .: Permission denied

Solution:
[root@localhost ~]# docker run -it --privileged=true --name web -v /data/wwwroot:/data docker.io/centos:7
[root@0fa11af5d212 /]# cd /data/
[root@0fa11af5d212 data]# ls
test

## 5.2 Data volume containers

Create a data volume container

[root@localhost ~]# docker run -it --name datadocker -v /data docker.io/centos:7
[root@f20dfc369021 /]# ls
anaconda-post.log  bin  data  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
[root@f20dfc369021 /]# cd data/
[root@f20dfc369021 data]# ls

Create a new container, attach it to the data volume container, and test:

[root@localhost ~]# docker run -it --volumes-from datadocker --name testdata1 docker.io/centos:7
[root@3ab18f1456ff /]# ls
anaconda-post.log  bin  data  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
[root@3ab18f1456ff /]# cd data/
[root@3ab18f1456ff data]# ls
[root@3ab18f1456ff data]# touch testdata1
[root@3ab18f1456ff data]# ls
testdata1

Check from the data volume container:

[root@f20dfc369021 data]# ls
testdata1

Removing data volume containers

Removal order: first remove the containers that mount the data volume container, then the data volume container itself. If this is done in the reverse order, the containers that mount it can still write data, but once they exit and the volume is mounted again, an error is raised. In addition, after the original data volume container has been removed, a newly mounted directory is empty.

## 5.3 Backing up data volumes

Backup

Window 1:
[root@localhost ~]# docker run --privileged=true -it -v /webdata --name webdocker docker.io/centos:7
[root@5d030ddacbf0 ~]# ls /webdata/

Window 2:
[root@localhost ~]# docker run --privileged=true --volumes-from webdocker -v $(pwd):/backup --name webdata.bak docker.io/centos:7 tar cvf /backup/backup.tar /webdata
tar: Removing leading `/' from member names
/webdata/
/

$(pwd) is the current directory on the host, here /root.

Window 1: check the directory the backup was run from
[root@localhost ~]# ls
backup.tar

Restore

Window 1:
[root@localhost ~]# docker run --privileged=true -it -v /webdata --name webdocker2 docker.io/centos:7
[root@d51a14c3a1b1 /]# cd /webdata/
[root@d51a14c3a1b1 webdata]# ls
[root@d51a14c3a1b1 webdata]#

Window 2:
[root@localhost ~]# docker run --privileged=true -it --volumes-from webdocker2 -v $(pwd):/backup docker.io/centos:7 tar xvf /backup/backup.tar
webdata/

Window 1:
[root@d51a14c3a1b1 webdata]# ls
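Sections 5.1 and 5.3 both reach for --privileged=true when a bind mount answers with Permission denied. On CentOS that denial comes from SELinux labels on the host directory, and the mount option :Z (relabel the directory for this container) removes it without giving the container every capability on the host. The functions below are an added example, not part of the original notes: they repeat the backup and restore from 5.3 with :Z and --rm in place of --privileged, and add a check of the archive contents, since a backup of the wrong container or path produces a tarball that is quietly near-empty. Container name webdocker and the /webdata path follow the notes; the archive in the stand-alone run is constructed here.

```shell
#!/bin/sh
# Added example (not from the original notes): volume backup/restore without
# --privileged, plus a content check on the resulting archive.
BACKUP_DIR="${BACKUP_DIR:-$(pwd)}"

# backup_volume SOURCE_CONTAINER VOLUME_PATH ARCHIVE_NAME
#   tars VOLUME_PATH from SOURCE_CONTAINER's volumes into $BACKUP_DIR/ARCHIVE_NAME.
#   :Z relabels $BACKUP_DIR for this container (SELinux stays enforcing);
#   --rm removes the helper container afterwards.
backup_volume() {
    docker run --rm --volumes-from "$1" \
        -v "$BACKUP_DIR":/backup:Z \
        docker.io/centos:7 tar cvf "/backup/$3" "$2"
}

# restore_volume TARGET_CONTAINER ARCHIVE_NAME
#   unpacks the archive into TARGET_CONTAINER's volumes; members are stored
#   relative to / (tar strips the leading slash, as the notes' output shows).
restore_volume() {
    docker run --rm --volumes-from "$1" \
        -v "$BACKUP_DIR":/backup:Z \
        docker.io/centos:7 tar xvf "/backup/$2" -C /
}

# archive_has_path ARCHIVE PATH -> 0 if the tar listing contains PATH
#   ("/webdata/" is looked up as "webdata/" because of the stripped slash)
archive_has_path() {
    wanted=${2#/}
    tar tf "$1" | grep -qx "$wanted"
}

# archive_entry_count ARCHIVE -> number of members in the archive
archive_entry_count() {
    tar tf "$1" | wc -l | tr -d ' '
}

# check_backup ARCHIVE VOLUME_PATH -> 0 if the archive holds the volume and more than
# just its directory entry; prints a diagnosis either way
check_backup() {
    if ! archive_has_path "$1" "$2/"; then
        echo "FAIL: $1 does not contain $2"; return 1
    fi
    n=$(archive_entry_count "$1")
    if [ "$n" -le 1 ]; then
        echo "WARN: $1 contains only the empty directory $2"; return 1
    fi
    echo "ok: $1 holds $n entries under $2"
}

# Stand-alone run on a constructed archive (not a real volume backup)
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/webdata"
    printf 'constructed sample\n' > "$d/webdata/index.html"
    tar cf "$d/backup.tar" -C "$d" webdata
    check_backup "$d/backup.tar" /webdata
    rm -rf "$d"
}

demo
```

Usage against real containers, as in the notes: backup_volume webdocker /webdata backup.tar, then check_backup backup.tar /webdata before relying on it, and restore_volume webdocker2 backup.tar to bring it back.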

# Part 6: Networking

## 6.1 Accessing a container through port mapping

Pull the nginx image:
[root@localhost ~]# docker pull daocloud.io/library/nginx:1.7.1

-P: map a random host port to the container
[root@localhost ~]# docker run -d -P daocloud.io/library/nginx:1.7.1
a7526362757d74257fe175ba54401f19a7874e8b21dbc161a51b7066c3104620
[root@localhost ~]# docker ps
CONTAINER ID        IMAGE                             COMMAND             CREATED             STATUS              PORTS                     NAMES
a7526362757d        daocloud.io/library/nginx:1.7.1   "nginx"             4 seconds ago       Up 3 seconds        0.0.0.0:32769->80/tcp     sick_murdock
[root@localhost ~]# curl 10.1.13.232:32769
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
...

-p: map a specified host port to the container
[root@localhost ~]# docker run -d -p 80:80 daocloud.io/library/nginx:1.7.1
822d1b66480d960d0e35d7c48c5b6508a1840927fde00833d738d8baddac197a
[root@localhost ~]# docker ps
CONTAINER ID        IMAGE                             COMMAND             CREATED             STATUS              PORTS                   NAMES
822d1b66480d        daocloud.io/library/nginx:1.7.1   "nginx"             6 seconds ago       Up 5 seconds        0.0.0.0:80->80/tcp      pensive_meninsky
[root@localhost ~]# curl 10.1.13.232:80
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
...

-p: map a port on a specified IP address
[root@localhost ~]# docker run -d -p 127.0.0.1:8000:80 daocloud.io/library/nginx:1.7.1
a710dec3bfb29f6eae4867852f265833b79bf03cdbbd3d17737ba70529386343
[root@localhost ~]# docker ps
CONTAINER ID        IMAGE                             COMMAND             CREATED             STATUS              PORTS                    NAMES
a710dec3bfb2        daocloud.io/library/nginx:1.7.1   "nginx"             11 seconds ago      Up 9 seconds        127.0.0.1:8000->80/tcp   clever_hamilton

-p: map an arbitrary port on a specified IP address
[root@localhost ~]# docker run -d -p 127.0.0.1::80 daocloud.io/library/nginx:1.7.1
739c20fe63e277158424633513159d772b4977ce8b0b7c2e8cf2ff0363db9825
[root@localhost ~]# docker ps
CONTAINER ID        IMAGE                             COMMAND             CREATED              STATUS              PORTS                     NAMES
739c20fe63e2        daocloud.io/library/nginx:1.7.1   "nginx"             6 seconds ago        Up 4 seconds        127.0.0.1:32768->80/tcp   sharp_yonath

View the port mapping configuration

[root@localhost ~]# docker port 739c20fe63e2 80
127.0.0.1:32768
[root@localhost ~]# docker port 822d1b66480d 80
0.0.0.0:80

## 6.2 Linking containers

[root@localhost ~]# docker run --name mysql_local -e MYSQL_ROOT_PASSWORD=123456 -d -P daocloud.io/mysql:5.7.6
[root@localhost ~]# docker ps
CONTAINER ID        IMAGE                             COMMAND                  CREATED             STATUS              PORTS                     NAMES
b5cd65599eb9        daocloud.io/mysql:5.7.6           "/entrypoint.sh mysql"   27 minutes ago      Up 27 minutes       0.0.0.0:32772->3306/tcp   mysql_local
[root@localhost ~]# docker run -it --name testnet --link mysql_local:mysql docker.io/centos
[root@e084b78d4343 /]# ping mysql
PING mysql (172.17.0.3) 56(84) bytes of data.
64 bytes from mysql (172.17.0.3): icmp_seq=1 ttl=64 time=0.107 ms
64 bytes from mysql (172.17.0.3): icmp_seq=2 ttl=64 time=0.152 ms
64 bytes from mysql (172.17.0.3): icmp_seq=3 ttl=64 time=0.125 ms
^C
--- mysql ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6000ms
rtt min/avg/max/mdev = 0.106/0.132/0.152/0.020 ms
[root@51000c252130 /]# yum install mysql -y
[root@51000c252130 /]# mysql -hmysql -P3306 -uroot -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.7.6-m16 MySQL Community Server (GPL)

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databaes;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'databaes' at line 1
MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
3 rows in set (0.00 sec)
[root@localhost ~]# docker ps
CONTAINER ID        IMAGE                             COMMAND                  CREATED             STATUS              PORTS                     NAMES
e084b78d4343        docker.io/centos                  "/bin/bash"              9 seconds ago       Up 8 seconds                                  testnet
b5cd65599eb9        daocloud.io/mysql:5.7.6           "/entrypoint.sh mysql"   30 minutes ago      Up 30 minutes       0.0.0.0:32772->3306/tcp   mysql_local

Viewing the link information between containers

Query from inside the container

[root@e084b78d4343 /]# cat /etc/hosts
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.3      mysql b5cd65599eb9 mysql_local

Query from outside the container

[root@localhost ~]# docker run --rm --name nginx_local --link mysql_local:mysql daocloud.io/library/nginx:1.7.1 env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=c189b6d0935b
MYSQL_PORT=tcp://172.17.0.3:3306
MYSQL_PORT_3306_TCP=tcp://172.17.0.3:3306
MYSQL_PORT_3306_TCP_ADDR=172.17.0.3
MYSQL_PORT_3306_TCP_PORT=3306
MYSQL_PORT_3306_TCP_PROTO=tcp
MYSQL_NAME=/nginx_local/mysql
MYSQL_ENV_MYSQL_ROOT_PASSWORD=123456
MYSQL_ENV_MYSQL_MAJOR=5.7
MYSQL_ENV_MYSQL_VERSION=5.7.6-m16
HOME=/
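Two things in the output of 6.1 and 6.2 deserve a second look. A port published as -p 80:80 or with -P is bound on 0.0.0.0, so it is reachable on every interface of the host (the 127.0.0.1:8000:80 form is not), and --link copies the linked container's environment into the client, which is why MYSQL_ROOT_PASSWORD reappears above as MYSQL_ENV_MYSQL_ROOT_PASSWORD in a container that merely wanted the address. The script below is an added example, not part of the original notes: it runs those two checks over text in the shape of docker ps --format '{{.Names}} {{.Ports}}' and of env; the sample lines are constructed from this section's output.

```shell
#!/bin/sh
# Added example (not from the original notes): flag ports bound on all interfaces
# and secrets that --link copied into a container's environment.

# public_bindings < "NAME PORTS..." lines -> prints "NAME HOSTPORT" for every 0.0.0.0 binding
public_bindings() {
    awk '{
        name = $1
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^0\.0\.0\.0:/) {
                split($i, a, "->")              # "0.0.0.0:80->80/tcp" -> a[1] = "0.0.0.0:80"
                sub(/^0\.0\.0\.0:/, "", a[1])
                print name, a[1]
            }
        }
    }'
}

# exposed_link_secrets < env lines -> names of *_ENV_* variables whose name suggests a secret
exposed_link_secrets() {
    awk -F= '$1 ~ /_ENV_/ && toupper($1) ~ /(PASSWORD|PASSWD|SECRET|TOKEN|KEY)$/ { print $1 }'
}

# Constructed sample input in the shape of the section's output
SAMPLE_PS='pensive_meninsky 0.0.0.0:80->80/tcp
clever_hamilton 127.0.0.1:8000->80/tcp
mysql_local 0.0.0.0:32772->3306/tcp
testnet'

SAMPLE_ENV='PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MYSQL_PORT_3306_TCP_ADDR=172.17.0.3
MYSQL_ENV_MYSQL_ROOT_PASSWORD=123456
MYSQL_ENV_MYSQL_MAJOR=5.7
HOME=/'

# demo: run both checks on the samples; against a live host replace the samples with
#   docker ps --format '{{.Names}} {{.Ports}}'   and   docker exec CONTAINER env
demo() {
    echo "containers with ports bound on all interfaces:"
    printf '%s\n' "$SAMPLE_PS" | public_bindings
    echo "secrets copied in by --link:"
    printf '%s\n' "$SAMPLE_ENV" | exposed_link_secrets
}

demo
```

The mysql_local line shows that -P publishes the database port on 0.0.0.0 as well; if only linked containers need it, the service can be left unpublished and reached over the bridge network, as the ping and mysql client in 6.2 already do.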

# Part 7: Dockerfile

Basic format

FROM daocloud.io/library/centos:latest
#基于那个镜像
#在版本1.7以上,FROM可以直接指定docker images中的镜像。 如果使用--pull=true会优先从线上仓库中拉取镜像MAINTAINER duxuefeng duxuefeng@oasgames
#镜像的作者信息RUN rpm -ivh .arch.rpm
RUN yum install telnet curl net-tools -y
RUN yum install nginx -y
RUN echo "daemon off;" >> /etc/fRUN ["mkdir","/mydata"]
RUN ["mkdir","-p","/data/htdocs"]CMD nginx -c /etc/f
#在实际执行变更为:CMD [ "sh", "-c", "echo $HOME" ]
#CMD ["nginx","-g","daemon off;"]
#ENTRYPOINT ["docker-enterypoint.sh"]
#无论放在那个位置都会在最后执行docker-enterypoint.sh#RUN是在building image时会运行的指令, 在Dockerfile中可以写多条RUN指令.
#CMD和ENTRYPOINT则是在运行container 时会运行的指令, 都只能写一条, 如果写了多条, 则最后一条生效.
#CMD和ENTRYPOINT的区别是: 
#CMD在运行时会被command覆盖, ENTRYPOINT不会被运行时的command覆盖, 但是也可以指定.COPY ./COPY*.test /mydata/
ADD ADD_ /mydata
#复制文件时,尽可能使用COPY,只有需要自动解压缩的情况下使用ADDENV VERSION=1.0 DEBUG=on NAME="test dockerfile"
#后面的指令或者是RUN,都可以使用这里定义的环境变量VOLUME ["data/htdocs","/data/wwwroot"]
#容器应尽量保持容器存储层不发生写操作,所以尽量不挂载本地卷到容器中
#VOLUME ["/mydata","/data"]
#对于数据库类要保存动态数据的应用,数据库文件应保存在卷中。所以在安装mysql时应制定数据文件及log的存放位置为/dataEXPOSE 80
#1,帮助镜像使用者理解这个镜像服务的守护端口,以方便配置映射
#2,在运行时使用随机端口映射时,也就是 docker run -P 时,会自动随机映射 EXPOSE 的端口。WORKDIR /mydata
#以后的层都会在该目录下执行命令。
RUN echo "WORKDIR test" > st
#指定工作目录,使用方式和cd类似
#RUN cd /mydata
#RUN echo "hello world" > 
#如果使用cd,由于docker有一个分层的概念,所以执行cd和执行echo并不是一个读写层上,所以就找不到这个文件。
WORKDIR /RUN useradd duxuefeng
USER duxuefeng 
#切换用户,以后的层都会在该用户下执行命令。
RUN echo "USER test" >> /home/st
USER rootHEALTHCHECK --interval=5s --timeout=3s CMD curl -fs localhost/ || exit 1#每 5 秒检查一次(这里为了试验所以间隔非常短,实际应该相对较长),如果健康检查命令超过 3 秒没响应就视为失败,并且使用 curl -fs     localhost/ || exit 1 作为健康检查命令。
#当运行该镜像后,可以通过 docker ps 看到最初的状态为 (health: starting):
#STATUS                            
#Up 2 seconds (health: starting)#在等待几秒钟后,再次 docker ps,就会看到健康状态变化为了 (healthy):
#STATUS
#Up 2 seconds (health)#如果健康检查连续失败超过了重试次数,状态就会变为 (unhealthy)。
#为了帮助排障,健康检查命令的输出(包括 stdout 以及 stderr)都会被存储于健康状态里,可以用 docker inspect 来查看
#docker inspect --format '{{json .State.Health}}' web | python -lONBUILD RUN echo "ONBUILD test" > st
#假设当前为A镜像,ONBUILD后的命令不被执行。
#新建一个B镜像,是基于A镜像的,B镜像会执行A镜像dockerfile中的ONBUILD后的命令    
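
As an added example (not part of the original document), the Python checker below applies the rules just explained to a Dockerfile: the last USER, CMD and ENTRYPOINT are the ones that take effect, RUN cd does not carry into the next layer, and ADD should be reserved for archives and URLs. The sample Dockerfile is constructed in the shape of the one above, and the checker assumes the base image does not itself set USER.

```python
"""Lint a Dockerfile for the build-time/run-time pitfalls discussed above.

Added example, not part of the original document. SAMPLE is a constructed
Dockerfile modelled on the tutorial's; the checker assumes the base image
does not set USER, so the process starts as root unless USER says otherwise.
"""
import re
from dataclasses import dataclass, field

# Sources that ADD extracts/fetches automatically; anything else should use COPY.
ARCHIVE_RE = re.compile(r"\.(tar|tgz|tar\.gz|tar\.bz2|tar\.xz|txz|tbz2)$", re.IGNORECASE)


def parse_dockerfile(text):
    """Return [(INSTRUCTION, argument)], joining backslash continuations and dropping comments."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):                 # continuation: glue the next line on
            buf += line[:-1].rstrip() + " "
            continue
        line, buf = buf + line, ""
        parts = line.split(None, 1)
        instructions.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return instructions


@dataclass
class Report:
    effective_user: str = "root"          # user the container's main process starts as
    cmd_count: int = 0
    entrypoint_count: int = 0
    findings: list = field(default_factory=list)


def lint(text):
    """Apply the tutorial's rules: last USER/CMD/ENTRYPOINT wins, cd does not persist, COPY over ADD."""
    r = Report()
    for n, (name, arg) in enumerate(parse_dockerfile(text), 1):
        if name == "USER":
            r.effective_user = arg.split(":")[0]            # "user:group" -> user
        elif name == "CMD":
            r.cmd_count += 1
            if not arg.startswith("["):
                r.findings.append(f"#{n} CMD in shell form is rewritten as sh -c; prefer the exec (JSON) form")
        elif name == "ENTRYPOINT":
            r.entrypoint_count += 1
        elif name == "ADD":
            src = arg.split()[0].strip('["],') if arg else ""
            if not (ARCHIVE_RE.search(src) or src.startswith(("http://", "https://"))):
                r.findings.append(f"#{n} ADD {src}: not an archive or URL, use COPY")
        elif name == "RUN" and re.match(r'(\[\s*")?cd\b', arg):
            r.findings.append(f"#{n} RUN cd: the directory change is lost in the next layer, use WORKDIR")
    if r.cmd_count > 1:
        r.findings.append(f"{r.cmd_count} CMD instructions: only the last one takes effect")
    if r.entrypoint_count > 1:
        r.findings.append(f"{r.entrypoint_count} ENTRYPOINT instructions: only the last one takes effect")
    if r.effective_user == "root":
        r.findings.append("final USER is root: every process in the container runs as root")
    return r


# Constructed sample in the shape of the tutorial's Dockerfile (not the original file).
SAMPLE = """\
FROM daocloud.io/library/centos:latest
RUN yum install -y \\
    telnet curl net-tools nginx
RUN ["mkdir", "-p", "/data/htdocs"]
COPY index.html /data/htdocs/
ADD site.tar.gz /data/htdocs/
ADD notes.txt /mydata/
WORKDIR /mydata
RUN cd /data/htdocs
RUN useradd duxuefeng
USER duxuefeng
RUN echo "USER test" >> /home/duxuefeng/st
USER root
EXPOSE 80
CMD nginx -g "daemon off;"
"""

if __name__ == "__main__":
    report = lint(SAMPLE)
    print("effective user:", report.effective_user)
    for finding in report.findings:
        print(" -", finding)
```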

Building the image

[root@localhost ~]# docker build -t dockerfile/nginx:v1 .

[root@localhost ~]# docker build -t dockerfile/nginx:v1 - < Dockerfile

[root@localhost ~]# docker build -t dockerfile/nginx:v1 - < 

Using the image

[root@localhost ~]# docker run -d --name web dockerfile/nginx:v1
[root@localhost ~]# docker ps 
CONTAINER ID        IMAGE                             COMMAND                  CREATED             STATUS                    PORTS                     NAMES
c88bae1554e5        dockerfile/nginx:v1               "/bin/sh -c 'nginx -c"   28 minutes ago      Up 28 minutes (healthy)   80/tcp                    web
[root@localhost ~]# docker exec -it c88bae1554e5 /bin/bash
[root@c88bae1554e5 /]# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:35 ?        00:00:00 nginx: master process nginx -c /etc/f
nginx        5     1  0 09:35 ?        00:00:00 nginx: worker process
root      2230     0  0 10:06 ?        00:00:00 /bin/bash
root      2247  2230  0 10:06 ?        00:00:00 ps -ef

#Part 8 Advanced network configuration

##8.1, Configuring a container's DNS and hostname

[root@localhost ~]# docker run -it 22f57c447f0f /bin/bash
[root@22f57c447f0f /]# mount
...
/dev/mapper/cl-root on /f type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
#Synchronised from the host's /f at every start
/dev/mapper/cl-root on /etc/hostname type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
#Holds only the container's own hostname
/dev/mapper/cl-root on /etc/hosts type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
#Holds only the container's own addresses and names
...
#Inside a running container these three files can be edited directly, but the changes are temporary: they are lost as soon as the container exits.

How to change them

#Changing the hostname and hosts
[root@localhost ~]# docker run -it -st a8493f5f50ff /bin/bash
[root@rename /]# cat /etc/hosts
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.3      st
[root@rename /]# cat /etc/hostname 
st  
#Changing the DNS
[root@localhost ~]# docker run -it -st --dns=8.8.8.8 a8493f5f50ff /bin/bash
[root@rename /]# cat /f 
nameserver 8.8.8.8

##8.2, How containers reach the outside

Suppose the container's address is 172.17.0.2 and the host's address on the local network is 10.1.13.231. For the container to reach the outside network its packets cannot leave with source address 172.17.0.2, so source address translation is needed; when the container is started, an iptables rule that performs this source address mapping is added automatically.

[root@localhost ~]# iptables -t nat -nvL POSTROUTING
Chain POSTROUTING (policy ACCEPT 97 packets, 6596 bytes)
 pkts bytes target     prot opt in     out     source               destination
  443 27569 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
 1792  123K POSTROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1792  123K POSTROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1792  123K POSTROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0

##8.3, Reaching containers from outside

To reach a container from outside, start it with -p or -P to bind a port on the host. Running the start command adds an iptables rule on the host.

[root@localhost ~]# docker run -d -p 5000:5000 -v /data/docker_images:/tmp/registry daocloud.io/library/registry
[root@localhost ~]# docker ps 
CONTAINER ID        IMAGE                          COMMAND                  CREATED             STATUS                  PORTS                    NAMES
69f96b24af09        daocloud.io/library/registry   "/entrypoint.sh /etc/"   3 weeks ago         Up 3 weeks              0.0.0.0:5000->5000/tcp   gloomy_hamilton
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 3443K packets, 485M bytes)
 pkts bytes target     prot opt in     out     source               destination
   74  4300 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 2837K packets, 371M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 41 packets, 2484 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 41 packets, 2484 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:5000

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
   66  3960 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000 to:172.17.0.2:5000
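
The rule sets in 8.2 and 8.3 are what the MASQUERADE rule and -p produce. As an added example (not from the original document), the parser below reads `iptables -t nat -nvL` output and lists the published ports and masqueraded source ranges, so a host's real exposure can be read from the firewall rather than inferred from docker ps; the sample is the output shown above.

```python
"""Parse `iptables -t nat -nvL` output and list what Docker has published.

Added example, not part of the original document. SAMPLE is the nat table
shown above (one container started with -p 5000:5000).
"""
import re

DPT_RE = re.compile(r"\bdpt:(\d+)")
TO_RE = re.compile(r"\bto:(\S+)")


def parse_nat_table(text):
    """Return one dict per rule. With -v the column layout is:
    pkts bytes target prot opt in out source destination [match extras]"""
    rules, chain = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts"):
            continue                              # blank line or column header
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        f = line.split()
        if len(f) < 9:
            continue                              # not a rule line
        rules.append({"chain": chain, "target": f[2], "proto": f[3],
                      "in": f[5], "out": f[6], "source": f[7],
                      "destination": f[8], "extra": " ".join(f[9:])})
    return rules


def published_ports(text):
    """DNAT rules in the DOCKER chain are the -p/-P port publications."""
    found = []
    for r in parse_nat_table(text):
        if r["chain"] != "DOCKER" or r["target"] != "DNAT":
            continue
        dpt, to = DPT_RE.search(r["extra"]), TO_RE.search(r["extra"])
        found.append({
            "proto": r["proto"],
            "host_port": int(dpt.group(1)) if dpt else None,
            "container": to.group(1) if to else None,
            # PREROUTING jumps to DOCKER for any locally-owned destination, so a
            # destination of 0.0.0.0/0 means the port answers on every host address.
            "all_interfaces": r["destination"] == "0.0.0.0/0",
            "from_any_source": r["source"] == "0.0.0.0/0",
        })
    return found


def masqueraded_sources(text):
    """Source ranges that are SNATed on the way out (the rule discussed in 8.2)."""
    return [r["source"] for r in parse_nat_table(text)
            if r["chain"] == "POSTROUTING" and r["target"] == "MASQUERADE"]


# The nat table printed above, reused here as a constructed sample input.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 3443K packets, 485M bytes)
 pkts bytes target     prot opt in     out     source               destination
   74  4300 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 2837K packets, 371M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 41 packets, 2484 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 41 packets, 2484 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:5000

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
   66  3960 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000 to:172.17.0.2:5000
"""

if __name__ == "__main__":
    for p in published_ports(SAMPLE):
        print(p)
    print("masqueraded:", masqueraded_sources(SAMPLE))
```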

##8.4, Custom bridge

Install bridge-utils

[root@localhost ~]# yum install bridge-utils

Create the custom bridge

[root@localhost ~]# systemctl stop docker
[root@localhost ~]# ip link set dev docker0 down
[root@localhost ~]# brctl delbr docker0
[root@localhost ~]# brctl addbr br0
[root@localhost ~]# ip addr add 192.168.1.1/24 dev br0
[root@localhost ~]# ip link set dev br0 up
[root@localhost ~]# ip addr show br0
42: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether ae:a4:7a:8c:c3:f3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::70ca:3fff:fec7:5180/64 scope link 
       valid_lft forever preferred_lft forever
[root@localhost ~]# vim /etc/sysconfig/docker
...
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false -b=br0'
...
[root@localhost ~]# systemctl start docker
[root@localhost ~]# docker run -it docker.io/centos /bin/bash
[root@35265fd51ae0 /]# cat /etc/hosts
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.1.2     35265fd51ae0

##8.5, How Docker creates a container's network

Docker lets you choose a network type with the --net option when starting a container.

   --net=bridge: the default; attach to the default bridge.
   --net=host: do not put the container's network in an isolated namespace. Docker does not containerise the network at all; the container uses the host's network stack and has full access to the host's interfaces.
   --net=container:name_or_id: use the network stack of an existing container, sharing its IP address, ports and other network resources.
   --net=none: put the new container in an isolated network stack with no configuration. This is the option to choose when we want to configure the container's network ourselves.

Network creation process with --net=none

[root@localhost ~]# docker run -it --rm --name=mynetwork --net=none duxuefeng/centos:7 /bin/bash
[root@fe45a4c90f52 /]# ifconfig 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
#Open another terminal on the host
[root@localhost ~]# PID=$(docker inspect -f '{{.State.Pid}}' mynetwork)
[root@localhost ~]# mkdir -p /var/run/netns
[root@localhost ~]# ln -s /proc/$PID/ns/net /var/run/netns/$PID
[root@localhost ~]# ip link add A type veth peer name B
[root@localhost ~]# brctl addif docker0 A
[root@localhost ~]# ip link set A up
[root@localhost ~]# ip link set B netns $PID
[root@localhost ~]# ip netns exec $PID ip link set dev B name eth0
[root@localhost ~]# ip netns exec $PID ip link set eth0 up
[root@localhost ~]# ifconfig 
A: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::68eb:a5ff:fe87:3746  prefixlen 64  scopeid 0x20<link>
        ether 6a:eb:a5:87:37:46  txqueuelen 1000  (Ethernet)
        RX packets 8  bytes 648 (648.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 648 (648.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

br0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.1.1  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::70ca:3fff:fec7:5180  prefixlen 64  scopeid 0x20<link>
        ether 00:00:00:00:00:00  txqueuelen 1000  (Ethernet)
        RX packets 4774  bytes 238605 (233.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5522  bytes 11840622 (11.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
        inet6 fe80::42:79ff:fecf:91fa  prefixlen 64  scopeid 0x20<link>
        ether 02:42:79:cf:91:fa  txqueuelen 0  (Ethernet)
        RX packets 16  bytes 1072 (1.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 648 (648.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.1.13.231  netmask 255.255.240.0  broadcast 10.1.15.255
        inet6 fe80::766a:fdcd:a625:9467  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::2f37:6f59:83d:7e82  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:9a:94:7a  txqueuelen 1000  (Ethernet)
        RX packets 42228479  bytes 4629098928 (4.3 GiB)
        RX errors 21  dropped 26215  overruns 0  frame 21
        TX packets 337090  bytes 277401689 (264.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 9488  bytes 72749522 (69.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9488  bytes 72749522 (69.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@localhost ~]# ip netns exec $PID ip addr add 172.17.0.5/24 dev eth0
[root@localhost ~]# ip netns exec $PID ip route add default via 172.17.0.1
#Check the interfaces inside the container
[root@6a5821b10eb6 /]# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.5  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::50fe:b7ff:fe9a:dc7f  prefixlen 64  scopeid 0x20<link>
        ether 52:fe:b7:9a:dc:7f  txqueuelen 1000  (Ethernet)
        RX packets 8  bytes 648 (648.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 648 (648.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

##8.6, pipework, a Docker network configuration tool

#Installing the pipework tool
[root@localhost ~]# wget .zip
[root@localhost ~]# unzip master.zip 
Archive:  master.zip
2ed107e43be8aebc63f884a158535c14d71fa0aa
   creating: pipework-master/
 extracting: pipework-master/.gitignore  
  inflating: pipework-master/LICENSE  
  inflating: pipework-master/README.md  
  inflating: l  
   creating: pipework-master/doctoc/
  inflating: pipework-master/doctoc/Dockerfile  
  inflating: pipework-master/pipework  
  inflating: pipework-master/pipework.spec  
[root@localhost ~]# cp pipework-master/pipework /usr/local/bin/
[root@localhost ~]# chmod +x /usr/local/bin/pipework 

#Using pipework
#Method 1
[root@localhost ~]# did=$(docker run -it -d --net=none duxuefeng/centos:7)
[root@localhost ~]# pipework br0 $did 192.168.1.2/24@192.168.1.1
[root@localhost ~]# docker ps
CONTAINER ID        IMAGE                COMMAND             CREATED             STATUS              PORTS               NAMES
fb450e3606be        duxuefeng/centos:7   "/bin/bash"         2 minutes ago       Up 2 minutes                            trusting_poitras
[root@localhost ~]# docker exec -it fb450e3606be /bin/bash
[root@fb450e3606be /]# ifconfig 
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::f400:8dff:fe47:ca17  prefixlen 64  scopeid 0x20<link>
        ether f6:00:8d:47:ca:17  txqueuelen 1000  (Ethernet)
        RX packets 8  bytes 648 (648.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 690 (690.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@fb450e3606be /]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1

#Method 2
[root@localhost ~]# docker run -itd --st duxuefeng/centos:7 /bin/bash
359459f5e44c05182b295466d122f81dc1c35c851998ea40ffee10d9852f9a35
[root@localhost ~]# ifconfig 
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.1  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::70ca:3fff:fec7:5180  prefixlen 64  scopeid 0x20<link>
        ether d6:31:65:2e:9e:ad  txqueuelen 1000  (Ethernet)
        RX packets 4797  bytes 240129 (234.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5522  bytes 11840622 (11.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
        inet6 fe80::42:79ff:fecf:91fa  prefixlen 64  scopeid 0x20<link>
        ether 02:42:79:cf:91:fa  txqueuelen 0  (Ethernet)
        RX packets 41  bytes 2573 (2.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13  bytes 970 (970.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
...
veth375ce49: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::d431:65ff:fe2e:9ead  prefixlen 64  scopeid 0x20<link>
        ether d6:31:65:2e:9e:ad  txqueuelen 0  (Ethernet)
        RX packets 6  bytes 508 (508.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 258 (258.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@localhost ~]# pipework st dhcp
Unable to find image 'busybox:latest' locally
Trying to pull repository docker.io/library/busybox ... 
latest: Pulling from docker.io/library/busybox
7520415ce762: Pulling fs layer
7520415ce762: Verifying Checksum
7520415ce762: Download complete
7520415ce762: Pull complete
Digest: sha256:32f093055929dbc23dec4d03e09dfe971f5973a9ca5cf059cbfb644c206aa83f
[root@localhost ~]# pipework st 192.168.1.3/24@192.168.1.1
Link veth1pl25477 exists and is up
[root@localhost ~]# ifconfig 
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.1  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::70ca:3fff:fec7:5180  prefixlen 64  scopeid 0x20<link>
        ether 7a:be:69:f3:f1:52  txqueuelen 1000  (Ethernet)
        RX packets 4799  bytes 240241 (234.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5522  bytes 11840622 (11.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
        inet6 fe80::42:79ff:fecf:91fa  prefixlen 64  scopeid 0x20<link>
        ether 02:42:79:cf:91:fa  txqueuelen 0  (Ethernet)
        RX packets 41  bytes 2573 (2.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13  bytes 970 (970.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
...
veth1pl25477: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 7a:be:69:f3:f1:52  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth375ce49: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::d431:65ff:fe2e:9ead  prefixlen 64  scopeid 0x20<link>
        ether d6:31:65:2e:9e:ad  txqueuelen 0  (Ethernet)
        RX packets 8  bytes 648 (648.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 648 (648.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

How pipework configures a container's network

1, pipework checks whether the br0 bridge exists and creates it if not. A name beginning with "ovs" creates an OpenVswitch bridge; one beginning with "br" creates a Linux bridge.
2, It creates a veth pair, which provides the container's NIC and connects it to the br0 bridge.
3, It uses docker inspect to find the container's PID on the host, then links the container's network namespace under /var/run/netns/ by that PID. The purpose is to make it easy to configure the container's network from the host with ip netns, because inside a Docker container we have no permission to configure the network.
4, It places the two ends of the veth pair into the container and the bridge respectively. Inside the container the name defaults to eth1; it can be changed with pipework's -i option.
5, Finally it configures the new NIC's IP. If a gateway address is appended to the IP address, pipework reconfigures the default route, so the container's traffic to the outside leaves through the newly configured eth1 rather than through eth0 and docker0. (To discard the built-in network setup entirely, start the container with --net=none.)

##8.7, Cross-host Docker networking

###8.7.1, Requirements for container networking

  • Provide an experience similar to a traditional network
  • VPS (Virtual Private Server) × n + virtual network = VPC (Virtual Private Cloud): the subnets of different tenants are isolated from each other; a tenant can specify or be assigned an IP range, get addresses by DHCP or static assignment, and associate public IPs to reach the Internet;
  • A tenant can have several subnets and set up virtual routers;
  • Security groups, firewalls, load balancing, DNS;
  • Performance: high bandwidth, low latency, scalability. VXLAN and calico are currently the two technologies with the better performance.
  • Coexistence of containers with physical hosts and virtual machines: there is no good implementation of this yet.

###8.7.2, Cross-host networking options

1, flannel (vxlan)

Advantages

  • A mature solution
  • Simple to deploy, acceptable performance, compatible with the address allocation behaviour of older docker versions at start-up, no launcher needed

Disadvantages

  • High CPU usage
  • No fixed-IP container migration, no multi-subnet isolation, heavy dependence on the design of the layer above, no IPAM, tied to how docker is started

2, calico

Calico's advantages

  • Intuitive network topology, horizontal scaling, strong scalability
  • Layer-3 isolation between containers, no need to worry about ARP storms
  • Packet forwarding based on iptables/the Linux kernel is efficient with low overhead
  • Written in an easier programming language (python)
  • Active community, fairly mature release versions

Calico's disadvantages

  • Calico only supports the TCP, UDP, ICMP and ICMPv6 protocols; for other L4 protocols you have to choose Flannel, Weave or Docker Overlay Network.
  • Calico does not encrypt the data path. Building a Calico overlay network on top of an untrusted network is not secure.
  • No support for overlapping IPs. The Calico community is working on an experimental feature that wraps overlapping IPv4 packets inside IPv6 packets, but that is only a workaround and does not fully support overlapping IPs technically.
  • Still fairly complex to operate, for example because of the dependence on iptables

3, overlay

Advantages

  • Native Docker support
  • Docker network also needs to encapsulate and decapsulate packets, but this happens in the kernel, so its performance is better than Flannel's

Disadvantages

  • Demands a recent kernel (>3.16) and a dependency for the docker daemon (consul / etcd); the driver implementation itself is still somewhat weaker: CPU usage and bandwidth are worse than flannel, which is also vxlan-based, and although there is an API, requirements such as networks with partially overlapping multi-subnet isolation are still troublesome.

###8.7.3, The overlay solution

Environment: centos:7.3
docker:1.12.6
kernel:3.10.0-514.6.1.el7.x86_64 (better to upgrade to 4.10 or later)
consul:0.8.1
s221:10.1.13.221
c222:10.1.13.222
Note: the two host systems run on VirtualBox in bridged mode, with promiscuous mode on the NIC set to allow all.

Operations on both servers
# wget .8.1/consul_0.8.1_linux_amd64.zip
# unzip consul_0.8.1_linux_amd64.zip
# mv consul /usr/local/bin/
# mkdir /opt/consul
# systemctl stop firewalld

[s221:10.1.13.221]
[root@s221 ~]# nohup consul agent -server -bootstrap -data-dir /opt/consul -node=s221 -bind=10.1.13.221 &

[c222:10.1.13.222]
[root@c222 ~]# nohup consul agent -data-dir /opt/consul -join=10.1.13.221 -node=c222 -bind=10.1.13.222 &

Check from either host
# consul members
Node  Address           Status  Type    Build  Protocol  DC
c222  10.1.13.222:8301  alive   client  0.8.1  2         dc1
s221  10.1.13.221:8301  alive   server  0.8.1  2         dc1

Run on both hosts
# vi /etc/sysconfig/docker
...
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false  -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock --cluster-store consul://127.0.0.1:8500 --cluster-advertise "<IP of this host>":2375'
...
--cluster-store= points at the address of the key-value service used by the docker daemon (here the consul service address).
--cluster-advertise= decides which NIC and which docker daemon port are used: IP address plus port, e.g. 10.1.13.221:2375. It can also be written as interface name plus port, e.g. enp0s3:2375 (this did not work in testing; eth0:2375 may work).
# systemctl start docker

Run on either host to create the network
# docker network create -d overlay docker_ove
# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
e4b7bc0bd546        bridge              bridge              local               
f9fe6d132994        docker_gwbridge     bridge              local               
f65320896afb        docker_ove          overlay             global              
27553614f7dd        host                host                local               
6b5b7fca84c2        none                null                local   

Start a container on each host, specifying the network type
[s221:10.1.13.221]
[root@s221 ~]# docker run -it --net=docker_ove --name&#st duxuefeng/centos:7 /bin/bash

[c222:10.1.13.222]
[root@c222 ~]# docker run -it --net=docker_ove --name&#st duxuefeng/centos:7 /bin/bash

Test
[s221:10.1.13.221]
[root@414b4c7bd553 /]# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 10.0.0.3  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::42:aff:fe00:3  prefixlen 64  scopeid 0x20<link>
        ether 02:42:0a:00:00:03  txqueuelen 0  (Ethernet)
        RX packets 14  bytes 1128 (1.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 648 (648.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.2  netmask 255.255.0.0  broadcast 0.0.0.0
        inet6 fe80::42:acff:fe12:2  prefixlen 64  scopeid 0x20<link>
        ether 02:42:ac:12:00:02  txqueuelen 0  (Ethernet)
        RX packets 8  bytes 648 (648.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 648 (648.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@414b4c7bd553 /]# ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.740 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.471 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.413 ms
^Z
[2]+  Stopped                 ping 10.0.0.2
[root@414b4c7bd553 /]# ping 10.1.13.221
PING 10.1.13.221 (10.1.13.221) 56(84) bytes of data.
64 bytes from 10.1.13.221: icmp_seq=1 ttl=64 time=0.076 ms
64 bytes from 10.1.13.221: icmp_seq=2 ttl=64 time=0.055 ms
^X^Z
[1]+  Stopped                 ping 10.1.13.221
[root@414b4c7bd553 /]# ping 172.18.0.1
PING 172.18.0.1 (172.18.0.1) 56(84) bytes of data.
64 bytes from 172.18.0.1: icmp_seq=1 ttl=64 time=0.057 ms
64 bytes from 172.18.0.1: icmp_seq=2 ttl=64 time=0.053 ms
64 bytes from 172.18.0.1: icmp_seq=3 ttl=64 time=0.065 ms
^Z
[3]+  Stopped                 ping 172.18.0.1

[c222:10.1.13.222]
[root@04ede6553cfe /]# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 10.0.0.2  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::42:aff:fe00:2  prefixlen 64  scopeid 0x20<link>
        ether 02:42:0a:00:00:02  txqueuelen 0  (Ethernet)
        RX packets 10  bytes 836 (836.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 508 (508.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.2  netmask 255.255.0.0  broadcast 0.0.0.0
        inet6 fe80::42:acff:fe12:2  prefixlen 64  scopeid 0x20<link>
        ether 02:42:ac:12:00:02  txqueuelen 0  (Ethernet)
        RX packets 6  bytes 508 (508.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 508 (508.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@04ede6553cfe /]# ping 10.1.13.223
PING 10.1.13.223 (10.1.13.223) 56(84) bytes of data.
64 bytes from 10.1.13.223: icmp_seq=1 ttl=64 time=0.077 ms
64 bytes from 10.1.13.223: icmp_seq=2 ttl=64 time=0.056 ms
^X^Z
[1]+  Stopped                 ping 10.1.13.223
[root@04ede6553cfe /]# ping 172.18.0.1 
PING 172.18.0.1 (172.18.0.1) 56(84) bytes of data.
64 bytes from 172.18.0.1: icmp_seq=1 ttl=64 time=0.052 ms
64 bytes from 172.18.0.1: icmp_seq=2 ttl=64 time=0.054 ms
64 bytes from 172.18.0.1: icmp_seq=3 ttl=64 time=0.051 ms
^Z
[2]+  Stopped                 ping 172.18.0.1
[root@04ede6553cfe /]# ping 10.0.0.3 
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=0.416 ms
64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=0.540 ms
64 bytes from 10.0.0.3: icmp_seq=3 ttl=64 time=0.443 ms
^Z
[3]+  Stopped                 ping 10.0.0.3

Configuring static IPs

Create the network on either host
[s221:10.1.13.221]
[root@s221 ~]# docker network create -d overlay --ip-range=192.168.1.0/24 --gateway=192.168.1.1 --subnet=192.168.1.0/24 static_ovs
27526007c14e18cb41f3047226aca8ff593fb1bc0cfdbd99e9eb67251fd1ebb1
[root@s221 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
29a9a96ab20d        bridge              bridge              local               
ffdca72a2e73        docker_gwbridge     bridge              local               
f65320896afb        docker_ove          overlay             global              
109921d53cf8        host                host                local               
04c85868abf3        none                null                local               
27526007c14e        static_ovs          overlay             global   
[root@s221 ~]# docker run -it --name&#st --net=static_ovs --ip=192.168.1.2 duxuefeng/centos:7
[root@c222 ~]# docker run -it --name&#st --net=static_ovs --ip=192.168.1.3 duxuefeng/centos:7

Test
[root@dba0a8df132c /]# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 192.168.1.2  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::42:c0ff:fea8:102  prefixlen 64  scopeid 0x20<link>
        ether 02:42:c0:a8:01:02  txqueuelen 0  (Ethernet)
        RX packets 10  bytes 848 (848.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 508 (508.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.3  netmask 255.255.0.0  broadcast 0.0.0.0
        inet6 fe80::42:acff:fe12:3  prefixlen 64  scopeid 0x20<link>
        ether 02:42:ac:12:00:03  txqueuelen 0  (Ethernet)
        RX packets 6  bytes 508 (508.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 508 (508.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@dba0a8df132c /]# ping 192.168.1.3
PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.419 ms
64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=0.375 ms
64 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=0.587 ms
^Z
[1]+  Stopped                 ping 192.168.1.3
[root@1d2b05da35a9 /]# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 192.168.1.3  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::42:c0ff:fea8:103  prefixlen 64  scopeid 0x20<link>
        ether 02:42:c0:a8:01:03  txqueuelen 0  (Ethernet)
        RX packets 10  bytes 836 (836.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 508 (508.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.3  netmask 255.255.0.0  broadcast 0.0.0.0
        inet6 fe80::42:acff:fe12:3  prefixlen 64  scopeid 0x20<link>
        ether 02:42:ac:12:00:03  txqueuelen 0  (Ethernet)
        RX packets 6  bytes 508 (508.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 508 (508.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@1d2b05da35a9 /]# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.518 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=0.328 ms
64 bytes from 192.168.1.2: icmp_seq=3 ttl=64 time=0.364 ms
^Z
[3]+  Stopped                 ping 192.168.1.2

If everything is configured correctly but the two Docker hosts still cannot reach each other, try upgrading the host kernel to the latest version.

Consul can also be run from a Docker image

Run on both hosts
# systemctl stop firewalld
# setenforce 0
# docker pull consul:v0.6.4

[s221:10.1.13.221]
[root@s221 ~]# vi /etc/sysconfig/docker
...
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false  -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock --cluster-store consul://10.1.13.221:8500 --cluster-advertise 10.1.13.221:2375'
...
[root@s221 ~]# systemctl restart docker
[root@s221 ~]# docker run -d -h node1 -v /mnt:/data/docker.data -p 8300:8300 -p 8301:8301 -p 8301:8301/udp -p 8302:8302 -p 8302:8302/udp -p 8400:8400 -p 8500:8500 -p 53:53/udp consul:v0.6.4 agent -server -bootstrap -client=0.0.0.0  -advertise 10.1.13.221 -node=consul-s221

[c222:10.1.13.222]
[root@c222 ~]# vi /etc/sysconfig/docker
...
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false  -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock --cluster-store consul://10.1.13.221:8500 --cluster-advertise 10.1.13.222:2375'
...
[root@c222 ~]# systemctl restart docker
[root@c222 ~]# docker run -d -h node1 -v /mnt:/data/docker.data -p 8300:8300 -p 8301:8301 -p 8301:8301/udp -p 8302:8302 -p 8302:8302/udp -p 8400:8400 -p 8500:8500 -p 53:53/udp consul:v0.6.4 agent -server -advertise 10.1.13.222 -node=consul-c222 -join 10.1.13.221

Check the consul cluster state (from either host)
[root@c222 ~]# curl :8500/v1/status/leader
"10.1.13.221:8300"
[root@c222 ~]# curl :8500/v1/status/peers
["10.1.13.222:8300","10.1.13.221:8300"]

Create the overlay network
[root@c222 ~]# docker network create -d overlay  n1[root@c222 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
b3bd058d1d78        bridge              bridge              local               
f9fe6d132994        docker_gwbridge     bridge              local               
27553614f7dd        host                host                local               
24c1a54840df        n1                  overlay             global              
6b5b7fca84c2        none                null                local [root@c221 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
00df21d79d53        bridge              bridge              local               
ffdca72a2e73        docker_gwbridge     bridge              local               
109921d53cf8        host                host                local               
24c1a54840df        n1                  overlay             global              
04c85868abf3        none                null                local   两台宿主机上安装consul,为了查看consul状态。
上文有安装步骤宿主机上查看(两台均可)
[root@c221 ~]# consul members
Node         Address           Status  Type    Build  Protocol  DC
consul-c222  10.1.13.221:8301  alive   server  0.6.4  2         dc1
consul-s221  10.1.13.221:8301  alive   server  0.6.4  2         dc1测试
[root@s221 ~]#  docker run -it --name&#st --net=n1 duxuefeng/centos:7[root@522f32e73bf5 /]# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450inet 10.0.0.3  netmask 255.255.255.0  broadcast 0.0.0.0inet6 fe80::42:aff:fe00:3  prefixlen 64  scopeid 0x20<link>ether 02:42:0a:00:00:03  txqueuelen 0  (Ethernet)RX packets 7  bytes 586 (586.0 B)RX errors 0  dropped 0  overruns 0  frame 0TX packets 5  bytes 418 (418.0 B)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 172.18.0.2  netmask 255.255.0.0  broadcast 0.0.0.0inet6 fe80::42:acff:fe12:2  prefixlen 64  scopeid 0x20<link>ether 02:42:ac:12:00:02  txqueuelen 0  (Ethernet)RX packets 5  bytes 418 (418.0 B)RX errors 0  dropped 0  overruns 0  frame 0TX packets 5  bytes 418 (418.0 B)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0[root@c222 ~]# docker run -it --name&#st --net=n1 duxuefeng/centos:7[root@b8747b7d4274 /]# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450inet 10.0.0.2  netmask 255.255.255.0  broadcast 0.0.0.0inet6 fe80::42:aff:fe00:2  prefixlen 64  scopeid 0x20<link>ether 02:42:0a:00:00:02  txqueuelen 0  (Ethernet)RX packets 15  bytes 1206 (1.1 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 8  bytes 648 (648.0 B)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 172.18.0.2  netmask 255.255.0.0  broadcast 0.0.0.0inet6 fe80::42:acff:fe12:2  prefixlen 64  scopeid 0x20<link>ether 02:42:ac:12:00:02  txqueuelen 0  (Ethernet)RX packets 8  bytes 648 (648.0 B)RX errors 0  dropped 0  overruns 0  frame 0TX packets 8  bytes 648 (648.0 B)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0[root@522f32e73bf5 /]# ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.321 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.367 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.368 ms
^Z
[1]+  Stopped                 ping 10.0.0.2
[root@b8747b7d4274 /]# ping 10.0.0.3
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=0.512 ms
64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=0.346 ms
64 bytes from 10.0.0.3: icmp_seq=3 ttl=64 time=0.377 ms
^Z
[1]+  Stopped                 ping 10.0.0.3  

###8.7.4, flannel solution

Configure the etcd cluster (both hosts)
[root@s221 ~]# wget .2.0-rc.0/etcd-v3.2.0-rc.
[root@s221 ~]# tar zxvf etcd-v3.2.0-rc.
[root@s221 ~]# mv etcd-v3.2.0-rc.0-linux-amd64/etcd* /usr/local/bin/
[root@s221 ~]# systemctl stop firewalld
Clean up the network interfaces: keep only the host's own NIC and lo, delete everything else
[root@s221 ~]# ip link delete docker0
[root@s221 ~]# nohup etcd --name infra0   --initial-advertise-peer-urls :2380   --listen-peer-urls :2380   --listen-client-urls     :2379,127.0.0.1:2379   --advertise-client-urls :2379   --initial-cluster-token etcd-cluster-1   --initial-cluster     infra0=:2380,infra1=:2380   --initial-cluster-state new &
Note: started like this, with the firewall off, etcd accepts unauthenticated client and peer connections from the whole network; anyone who can reach port 2379 can rewrite the flannel network configuration stored below. Outside a lab, bind the listen URLs to a private address or enable etcd's TLS client authentication.
Check etcd status
[root@s221 ~]# etcdctl cluster-health
member 8e9e05c52164694d is healthy: got healthy result from :2379
cluster is healthy
Check that the cluster nodes can be reached
[root@s221 ~]# curl -L :4012/version
{"etcdserver":"3.2.0-rc.0","etcdcluster":"3.2.0"}
[root@s222 ~]# nohup etcd --name infra1   --initial-advertise-peer-urls :2380   --listen-peer-urls :2380   --listen-client-urls     :2379,127.0.0.1:2379   --advertise-client-urls :2379   --initial-cluster-token etcd-cluster-1   --initial-cluster     infra0=:2380,infra1=:2380   --initial-cluster-state new &
Set the address range allocated to the Docker networks
[root@s221 ~]# etcdctl mk /coreos/network/config '{"Network":"172.16.0.0/16", "SubnetMin": "172.16.1.0", "SubnetMax": "172.16.254.0"}'
Note: flannel's default etcd prefix is /coreos.com/network. With the key written under /coreos/network as above, flanneld must be started with -etcd-prefix=/coreos/network, otherwise it will not find the configuration.
Install and configure flanneld (both hosts)
[root@s221 ~]# wget .7.1/flannel-v0.7.
[root@s221 ~]# tar zxvf flannel-v0.7.
[root@s221 ~]# mv flanneld /usr/local/bin/ && mv mk-docker-opts.sh /usr/local/bin/
Start flannel
[root@s221 ~]# nohup flanneld -etcd-endpoints=:2379 >> /var/log/flanneld.log 2>&1 &
[root@c222 ~]# nohup flanneld -etcd-endpoints=:2379 >> /var/log/flanneld.log 2>&1 &
Configure docker
[root@s221 ~]# cat /etc/sysconfig/docker
...
OPTIONS="--selinux-enabled --log-driver=journald --signature-verification=false -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock  --bip=172.16.1.1/24 --mtu=1472"
...
[root@c222 ~]# cat /etc/sysconfig/docker
...
OPTIONS="--selinux-enabled --log-driver=journald --signature-verification=false -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock  --bip=172.16.2.1/24 --mtu=1472"
...
Note: --bip must be exactly the subnet flanneld allocated to this host. flanneld writes that allocation to /run/flannel/subnet.env, and the mk-docker-opts.sh script copied above turns that file into these --bip/--mtu options; hand-writing them, as here, works only as long as the two stay in sync. Also, -H tcp://0.0.0.0:2375 has no TLS and the firewall was stopped, so every host now exposes an unauthenticated, root-equivalent Docker API to the network. Add --tlsverify with a CA, certificate and key, or bind the listener to a private address.
Start docker (both hosts)
#systemctl start docker
Test
[root@s221 ~]# docker run -it   daocloud.io/library/centos /bin/bash   
[root@579a6732e834 /]# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1472
        inet 172.16.1.2  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::42:acff:fe10:102  prefixlen 64  scopeid 0x20<link>
        ether 02:42:ac:10:01:02  txqueuelen 0  (Ethernet)
        RX packets 5706  bytes 11897001 (11.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4700  bytes 268788 (262.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@c222 ~]# docker run -it   daocloud.io/library/centos /bin/bash 
[root@18f56f7cc54c /]# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1472
        inet 172.16.2.2  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::42:acff:fe10:202  prefixlen 64  scopeid 0x20<link>
        ether 02:42:ac:10:02:02  txqueuelen 0  (Ethernet)
        RX packets 5613  bytes 11881515 (11.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4486  bytes 262831 (256.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@18f56f7cc54c /]# ping 172.16.1.2
PING 172.16.1.2 (172.16.1.2) 56(84) bytes of data.
64 bytes from 172.16.1.2: icmp_seq=1 ttl=62 time=0.735 ms
64 bytes from 172.16.1.2: icmp_seq=2 ttl=62 time=0.761 ms
64 bytes from 172.16.1.2: icmp_seq=3 ttl=62 time=0.969 ms
....
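The subnet-to-OPTIONS step, as an added example that is not part of the original document and not flannel's own mk-docker-opts.sh: instead of hand-writing --bip per host, derive it from the allocation flanneld records, and refuse an allocation that falls outside the configured Network before the daemon is started with it. The subnet.env content is constructed for the demo; on a real host the input is /run/flannel/subnet.env. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the original document): turn the subnet flanneld
# allocated into the Docker daemon's --bip/--mtu options, and check the
# allocation against the Network written to etcd. Sample file content is
# constructed here; on a host: flannel_docker_opts < /run/flannel/subnet.env
SAMPLE_SUBNET_ENV='FLANNEL_NETWORK=172.16.0.0/16
FLANNEL_SUBNET=172.16.1.1/24
FLANNEL_MTU=1472
FLANNEL_IPMASQ=false'

# ip_to_int A.B.C.D -> 32-bit integer (172.16.1.1 -> 2886729985)
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NETWORK/PREFIX -> exit 0 if IP lies inside NETWORK, else 1
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# flannel_docker_opts < subnet.env -> prints "--bip=... --mtu=..."
# Returns 1 (prints nothing) if a variable is missing or the allocated
# subnet is outside FLANNEL_NETWORK, so a bad allocation never reaches OPTIONS.
flannel_docker_opts() {
    FLANNEL_NETWORK=; FLANNEL_SUBNET=; FLANNEL_MTU=
    while IFS='=' read -r key val; do
        case "$key" in
            FLANNEL_NETWORK) FLANNEL_NETWORK=$val ;;
            FLANNEL_SUBNET)  FLANNEL_SUBNET=$val ;;
            FLANNEL_MTU)     FLANNEL_MTU=$val ;;
        esac
    done
    [ -n "$FLANNEL_NETWORK" ] && [ -n "$FLANNEL_SUBNET" ] && [ -n "$FLANNEL_MTU" ] || return 1
    in_cidr "${FLANNEL_SUBNET%/*}" "$FLANNEL_NETWORK" || return 1
    printf '%s %s\n' "--bip=$FLANNEL_SUBNET" "--mtu=$FLANNEL_MTU"
}

# Demo on the constructed file; the output is what belongs in OPTIONS= above.
printf '%s\n' "$SAMPLE_SUBNET_ENV" | flannel_docker_opts
```

The MTU comes out as 1472 because flannel's udp backend adds 28 bytes of encapsulation to every packet; a container with a larger MTU would see fragmentation or silent drops, which is the usual cause of "ping works, large transfers hang" on such a setup.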

#Part 9 Docker monitoring

##9.1, Monitoring Docker with cAdvisor + InfluxDB + Grafana

###9.1.1 Basic concepts

cAdvisor

cAdvisor gives Docker container users insight into the resource usage and performance characteristics of their running containers. Its container abstraction is based on Google's lmctfy container stack, so it supports Docker containers natively and other container types "out of the box". cAdvisor runs as a daemon that collects, aggregates, processes and exports information about running containers: per-container resource isolation parameters, historical resource usage, and histograms covering the complete history of resource usage and network statistics.

InfluxDB

InfluxDB is an open-source distributed time-series, event and metrics database. It is written in Go and has no external dependencies; it is designed to be distributed and to scale horizontally.

Its main features:

  • time-series based, with time-related functions (max, min, sum and so on)

  • measurable: computations over large volumes of data in real time

  • event based: it accepts arbitrary event data

InfluxDB's main characteristics:

  • schemaless: any number of columns

  • scalable

  • min, max, sum, count, mean, median and similar functions for statistics

  • native HTTP support with a built-in HTTP API

  • a powerful SQL-like query language

  • a built-in admin UI

Grafana

Grafana is an open-source dashboarding and graphing tool for displaying time-series data in real time, somewhat like Kibana. (The original text calls it Graphite here; Graphite is a separate project that collects and stores the data and is one of Grafana's data sources.) The official description follows:

An open-source program for visualizing large measurement datasets, providing powerful and elegant ways to create, share and browse data. Dashboards show data from your different metric data sources. It is commonly used for internet infrastructure and application analytics, but also applies in other domains, such as industrial sensors, home automation and process control. It has pluggable panels and extensible data sources, currently supporting Graphite, CloudWatch, Prometheus, InfluxDB and Elasticsearch.

###9.1.2 Environment setup

Start InfluxDB
[root@monitor ~]# docker run -d -p 8083:8083 -p 8086:8086 --expose 8090 --expose 8099 --name influxsrv -e PRE_CREATE_DB=cadvisor tutum/influxdb:0.13
Note: by default InfluxDB uses the following ports: TCP 8083 for the InfluxDB admin panel, TCP 8086 for client-server communication over the InfluxDB HTTP API.
Once the container is up, open host-ip:8083 in a browser; the default username and password are root / root. Change them, and do not publish 8083/8086 beyond the host (for example -p 127.0.0.1:8086:8086): with the firewall stopped, the default root account is reachable by anyone on the network.
Start cAdvisor
[root@monitor ~]# docker run --volume=/:/rootfs:ro --volume=/var/run:/var/run:rw --volume=/sys:/sys:ro --volume=/var/lib/docker/:/var/lib/docker:ro --publish=8080:8080 --detach=true --link influxsrv:influxsrv --name=cadvisor google/cadvisor:latest -storage_driver=influxdb -storage_driver_db=cadvisor -storage_driver_host=influxsrv:8086
Note: the /var/run mount gives the cAdvisor container read-write access to the Docker socket, so it is root-equivalent on the host; treat its port 8080 with the same care as the daemon itself.
Start Grafana
[root@monitor ~]# docker run -d -p 3000:3000 -e INFLUXDB_HOST=localhost -e INFLUXDB_PORT=8086 -e INFLUXDB_NAME=cadvisor -e INFLUXDB_USER=root -e INFLUXDB_PASS=root --link influxsrv:influxsrv --name grafana grafana/grafana:4.0.2
Open host-ip:3000/ in a browser for the Grafana UI; the username and password are both admin (change them on first login). Inside the Grafana container, localhost is not the InfluxDB container: when adding the data source in Grafana, use http://influxsrv:8086, the name made available by --link.

###9.1.3 Usage

The main work is configuring the monitoring panels in Grafana

host-ip:3000/

For adding monitoring panels see: .htm

#Part 10 Docker web UI management

##10.1, Shipyard, a centralized web management platform for Docker

###10.1.1, Shipyard concepts

engine

A Docker cluster managed by Shipyard consists of one or more engines; an engine is a Docker daemon listening on a TCP port. Shipyard manages Docker daemons, images and containers purely through the Docker API, so no other changes are needed. Shipyard can also apply resource limits (CPU and memory) per engine. Because a TCP listener carries security risks that a Unix socket does not, Shipyard also supports communicating with the Docker daemon securely over TLS with certificates.

rethinkdb

RethinkDB is a Docker image from the Shipyard project that stores accounts, engines, service keys and extension metadata, but nothing about containers or images. Usually a shipyard/rethinkdb container named shipyard-rethinkdb-data is started so that a second rethinkdb container can mount its /data volume; the first container then serves purely as data storage.

###10.1.2, The Shipyard ecosystem

Shipyard consists of the Shipyard controller and a surrounding ecosystem, all packaged as containers; they are described below in start-up order.

1) RethinkDB

The first container to start is RethinkDB, which Shipyard uses as its database for accounts, engines, service keys and metadata.

2) Discovery

To use Swarm's election mechanism, an external key-value store container is needed; Shipyard uses etcd by default.

3) shipyard_certs

Certificate management container that implements certificate verification.

4) Proxy

By default the Docker engine only listens on a Unix socket. The engine can be reconfigured to use TLS, or a proxy container can forward requests from TCP to the Unix socket Docker listens on. The proxy adds no authentication: whatever can reach its TCP port gets the same full access to the engine that the socket grants.

5) Swarm Manager

The Swarm manager.

6) Swarm Agent

The Swarm agent, which runs on every node.

7) Controller

The Shipyard controller, which implements the Remote API and the web UI.

###10.1.3, Installation and configuration

Environment
centos:7.3
docker:1.12.6
kernel:3.10.0-514.6.1.el7.x86_64 (4.11)
s221:10.1.13.221
c222:10.1.13.222
Disable the firewall (both hosts)
# systemctl stop firewalld
[root@s221 ~]# vi /etc/sysconfig/docker
...
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock'
...
Install Shipyard
[root@s221 ~]# curl -sSL  |  bash -s                      ==> Chinese version
[root@s221 ~]# curl -sSL  | bash -s                              ==> English version
Note: this pipes a script straight from the network into a root shell. Download it first, read it, and only then run it.
...
Shipyard available at :8080
Username: admin Password: shipyard
[root@s221 ~]# docker ps
CONTAINER ID        IMAGE                          COMMAND                  CREATED             STATUS              PORTS                                            NAMES
61a4696f240d        shipyard/shipyard:latest       "/bin/controller --de"   7 minutes ago       Up 7 minutes        0.0.0.0:8080->8080/tcp                           shipyard-controller
1714fad470e9        swarm:latest                   "/swarm j --addr 10.1"   7 minutes ago       Up 7 minutes        2375/tcp                                         shipyard-swarm-agent
acdf1c4998bd        swarm:latest                   "/swarm m --replicati"   7 minutes ago       Up 7 minutes        2375/tcp                                         shipyard-swarm-manager
260eda87461d        shipyard/docker-proxy:latest   "/usr/local/bin/run"     7 minutes ago       Up 7 minutes        0.0.0.0:2375->2375/tcp                           shipyard-proxy
e185ffdf342a        alpine                         "sh"                     7 minutes ago       Up 7 minutes                                                         shipyard-certs
61a98498df26        microbox/etcd:latest           "/bin/etcd -addr 10.1"   7 minutes ago       Up 7 minutes        0.0.0.0:4001->4001/tcp, 0.0.0.0:7001->7001/tcp   shipyard-discovery
5ceba925acd6        rethinkdb                      "rethinkdb --bind all"   7 minutes ago       Up 7 minutes        8080/tcp, 28015/tcp, 29015/tcp                   shipyard-rethinkdb
At this point Shipyard is installed and can be accessed at :8080. Change the admin password (admin / shipyard) right away.
Note on exposure: the daemon now listens on tcp://0.0.0.0:4243 without TLS, shipyard-proxy publishes 0.0.0.0:2375 on top of the Unix socket, and the firewall is off. Anyone who can reach either port can run a container with the host filesystem mounted and owns the host. Use the engine TLS support mentioned in 10.1.1 (--tlsverify with --tlscacert/--tlscert/--tlskey on the daemon), or at least bind these listeners to a private or loopback address.
Add a node
[root@c222 ~]# curl -sSL  | ACTION=node DISCOVERY=etcd://10.1.13.221:4001 bash -s                ==> Chinese version
[root@c222 ~]# curl -sSL  | ACTION=node DISCOVERY=etcd://10.1.13.221:4001 bash -s                       ==> English version
Remove Shipyard (run on the node host; this removes the node from Shipyard management)
[root@c222 ~]# curl  | ACTION=remove bash -s                   ==> Chinese version
[root@c222 ~]# curl -sSL  | ACTION=remove bash -s                     ==> English version
Note: if the :8080 page does not show the Docker containers running on this host, the kernel version may be too old; upgrade to the latest version.
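An audit of the daemon OPTIONS line, as an added example that is not part of the original document and not Shipyard's own tooling: it reads the value of OPTIONS from /etc/sysconfig/docker, reports a TCP listener that lacks --tlsverify (or has it without the CA/cert/key paths) and any --insecure-registry, and shows the hardened line beside the weak one. Both OPTIONS values are constructed for the demo (the weak one copies the line above); the certificate paths under /etc/docker and the function name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original document): audit the OPTIONS= line
# that the flannel and Shipyard sections above write. A daemon on
# tcp://0.0.0.0:2375 or :4243 without --tlsverify is an unauthenticated,
# root-equivalent API for anyone who can reach the port.
# On a host: audit_docker_options "$(sed -n 's/^OPTIONS=//p' /etc/sysconfig/docker)"

# Weak line copied from the Shipyard setup; hardened line assumes certificates
# generated for this host under /etc/docker (paths are an assumption).
WEAK_OPTIONS="'--selinux-enabled --log-driver=journald --signature-verification=false -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock'"
HARDENED_OPTIONS="'--selinux-enabled --log-driver=journald --signature-verification=false -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem'"

# audit_docker_options OPTIONS_VALUE
# Prints one FINDING line per problem; returns 1 if any finding, 0 if clean.
audit_docker_options() {
    # strip the quotes the sysconfig file wraps the value in (either ' or ")
    opts=$(printf '%s' "$1" | sed "s/^['\"]//; s/['\"]\$//")
    rc=0
    has_tcp=0; has_tlsverify=0; has_cacert=0; has_cert=0; has_key=0
    for tok in $opts; do
        case "$tok" in
            tcp://*|-H=tcp://*|--host=tcp://*) has_tcp=1 ;;
            --tlsverify)     has_tlsverify=1 ;;
            --tlscacert=*)   has_cacert=1 ;;
            --tlscert=*)     has_cert=1 ;;
            --tlskey=*)      has_key=1 ;;
            --insecure-registry|--insecure-registry=*)
                echo "FINDING: --insecure-registry disables TLS verification for that registry (pulls can be tampered with)"
                rc=1 ;;
        esac
    done
    if [ "$has_tcp" -eq 1 ] && [ "$has_tlsverify" -eq 0 ]; then
        echo "FINDING: TCP listener without --tlsverify (unauthenticated root-equivalent API)"
        rc=1
    elif [ "$has_tcp" -eq 1 ] && { [ "$has_cacert" -eq 0 ] || [ "$has_cert" -eq 0 ] || [ "$has_key" -eq 0 ]; }; then
        echo "FINDING: --tlsverify set but --tlscacert/--tlscert/--tlskey incomplete"
        rc=1
    fi
    return $rc
}

# Demo: the page's line fails the audit, the hardened one passes.
if audit_docker_options "$WEAK_OPTIONS"; then
    echo "OK: $WEAK_OPTIONS"
else
    echo "suggested: OPTIONS=$HARDENED_OPTIONS"
fi
audit_docker_options "$HARDENED_OPTIONS" && echo "OK: hardened line passes"
```

With --tlsverify the daemon only accepts clients presenting a certificate signed by the CA in --tlscacert, which is the "SSL certificate" communication Shipyard's engine definition refers to; the shipyard-proxy container (0.0.0.0:2375 on top of the socket) bypasses this entirely and should be bound to 127.0.0.1 or removed once the engine itself speaks TLS.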

###10.1.4, Usage

UI overview

  • CONTAINERS: view running containers, equivalent to docker ps on the command line

  • IMAGES: view the images on this host, equivalent to docker images

  • NODES: view which hosts are being managed

  • REGISTRIES: add registry addresses; a private registry is preferable

  • ACCOUNTS: Shipyard user management

  • EVENTS: view the operation log

Usage

After logging in, the first thing to do is add a registry address. Adding a private registry may fail with: Cannot ping registry

Cause: Shipyard does not support registry v2

Solution:

Alternative: specify the private registry address in the Docker daemon startup configuration. The registry will not appear under REGISTRIES, but images from it can be used directly.

[root@localhost ~]# vim /etc/sysconfig/docker
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry 10.1.13.231:5000'
Note: 10.1.13.231:5000 is the private registry address. --insecure-registry makes the daemon talk to that registry over plain HTTP, or over HTTPS without verifying the certificate, so images pulled from it can be replaced in transit. Prefer serving the registry over TLS and placing its CA certificate at /etc/docker/certs.d/10.1.13.231:5000/ca.crt, which needs no insecure flag.

In use, Shipyard does not seem to support deploying containers on other nodes from the web UI, only on the local node. This may be a bug in this version of Shipyard.

Adding a container fails with:

no resources available to schedule container

Versions

# docker images
REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE
10.1.13.224:5000/mycentos   latest              8140d0c64310        13 days ago         192.6 MB
alpine                      latest              02674b9cb179        2 weeks ago         3.987 MB
rethinkdb                   latest              b66f932ecd3c        2 weeks ago         182.7 MB
nginx                       latest              3448f27c273f        2 weeks ago         109.4 MB
ehazlett/curl               latest              c8127af118e0        3 months ago        6.38 MB
swarm                       latest              36b1e23becab        4 months ago        15.85 MB
shipyard/shipyard           latest              36fb3dc0907d        7 months ago        58.84 MB
shipyard/docker-proxy       latest              cfee14e5d6f2        17 months ago       9.468 MB
microbox/etcd               latest              6aef84b9ec5a        21 months ago       17.87 MB

Reposted from:

Published on this site: 2024-01-28 17:43:58

Link: https://www.4u4v.net/it/17064350419143.html
