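Components of Docker
Docker is a container engine open-sourced by Docker, Inc. and built on top of LXC. Its source code is hosted on GitHub; it is written in Go and released under the Apache 2.0 license. Docker uses kernel virtualization features (namespaces, cgroups and so on) to provide resource isolation and security for containers. Docker consists of the Docker Server and the Docker Client. Its components are: images (Image), containers (Container) and repositories (Repository).

Differences from KVM and advantages over it:
1. Faster delivery and deployment: Docker can create containers quickly and iterate on applications quickly, and it keeps the whole process visible, so other team members can more easily understand how an application is built and how it works. Docker containers are light and fast: a container starts in seconds, which saves a great deal of development, testing and deployment time.
2. More efficient virtualization: Docker containers run without an additional hypervisor. This is kernel-level virtualization, so it achieves higher performance and efficiency.
3. Easier migration and scaling: Docker containers run on almost any platform, including physical machines, virtual machines, public clouds, private clouds, personal computers and servers. This compatibility lets users move an application directly from one platform to another.
4. Simpler management: it can replace a large amount of the update work that used to be required. All changes are distributed and applied incrementally, which makes management automated and efficient.
5. Differences from KVM:
![](https://s1.51cto.com/images/blog/201805/04/4e17a8ba9387193d570823b98ea7b7b2.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

Docker compared with OpenStack

What Docker can do

Limitations of Docker
1. LXC relies on Linux kernel features such as cgroups, so the guest system in a container can only be Linux-based.
2. Docker's isolation is weaker than that of virtualization such as KVM; all containers share part of the runtime libraries.
3. A container is destroyed when its user process stops, so logs and other user data inside the container are hard to collect.
4. Docker is application-oriented and its ultimate goal is to build a PaaS platform, whereas existing virtual machines mainly aim to provide a flexible pool of computing resources; they are architecture-oriented and their ultimate goal is to build an IaaS platform. Docker therefore cannot replace traditional virtualization solutions.

One picture summarizing how Docker is used: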

Installing Docker
Preparation:
    mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
    wget <URL>
    ls
    yum clean all
    wget <URL>
    yum makecache
Installation:
On CentOS 7:
    yum install docker    # version 1.12.6
On CentOS 6:
    yum install docker-io    # at most version 1.7.1; CentOS 7 is recommended
    yum install device-mapper-event-libs
Disable SELinux:
    vim /etc/selinux/config
    setenforce 0
Start Docker:
    systemctl start docker
    systemctl enable docker
Configure a registry mirror in China:
    vim /etc/docker/daemon.json
    { "registry-mirrors": [""]}
    systemctl restart docker

Search for an image
    docker search centos
Download an image
    docker pull centos
List images
    docker images
Start an image
    docker run -it -d --name nginx centos /bin/bash
Show IP addresses
    ip ad li
List running containers
    docker ps
List all containers
    docker ps -a
Accessing a private registry. Configuration:
Add the following to /etc/sysconfig/docker:
    ADD_REGISTRY='--add-registry 172.16.234.101:5000'
    BLOCK_REGISTRY='--block-registry docker.io'
    INSECURE_REGISTRY='--insecure-registry 172.16.234.101:5000'
Restart docker.
After that, images are pulled from 234.101 by default:
    docker pull nginx

Troubleshooting
WARNING: IPv4 forwarding is disabled. Networking will not work.
    vim /usr/lib/sysctl.d/00-system.conf
    net.ipv4.ip_forward=1
    systemctl restart network

Basic Docker operations
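Export an image
    docker save centos > /opt/centos.tar.gz
    docker save -o centos7 centos
Import an image
    docker load < /opt/centos.tar.gz
    docker load --input <local image file>
Export a container snapshot
    docker export -o mysql-$(date +%Y%m%d).tar a404c6c174a2
Import a container snapshot
    docker import my_ubuntu_v3.tar runoob/ubuntu:v4
Download an image from the official registry
    docker pull centos
List the downloaded images
    docker images
Run a command
    docker run centos /bin/echo "hello"
Show the current state of Docker containers
    docker ps -a
Run a command and give the container a name
    docker run --name madocker -t -i centos /bin/bash
Start a container
    docker start <container ID>
Enter a container
    docker attach <container ID>
Another way to enter a container
    nsenter -t <container PID> -u -n -i -p
Script for entering a container
    vim ns.sh
        #!/bin/bash
        # Look up the PID of the container's init process on the host
        PID=$(docker inspect --format "{{.State.Pid}}" "$1")
        # Join that process's UTS, network, IPC and PID namespaces
        nsenter -t "$PID" -u -n -i -p
    chmod +x ns.sh
Delete a container
    docker rm {container ID|container name}
* To delete a running container, add the -f option.
Delete the container automatically after running a command
    docker run --rm centos /bin/echo "hello"
* After the echo command finishes, the container is deleted automatically.
Kill all running containers
    docker kill $(docker ps -q)
    docker run -d --name nfs -v /data centos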

Building an image by hand
    docker run --name mynginx -it centos
    rpm -ivh <URL>
    yum makecache
    yum install vim nginx -y
    vim /etc/nginx/nginx.conf
Add:
    daemon off;
    :wq
    exit
    docker commit -m "my nginx" <container id> hetao/mynginx:v1
* In hetao/mynginx:v1, hetao is the directory on Docker Hub and v1 is the version number.
    docker run -d -p 82:80 hetao/mynginx:v1 nginx
The final nginx is the command passed to the container.

Exporting and importing Docker containers with export and import
    docker export -o mysql-$(date +%Y%m%d).tar a404c6c174a2

Docker networking and storage
    docker inspect <centos | container id>    # lists all details of the container centos

docker commit
Syntax
    docker commit [OPTIONS] CONTAINER [REPOSITORY[:TAG]]
OPTIONS:
    -a : author of the committed image;
    -c : apply Dockerfile instructions when creating the image;
    -m : commit message;
    -p : pause the container during the commit.
Example
Save container a404c6c174a2 as a new image, adding author information and a description.

Building an image from a Dockerfile
    mkdir /opt/dockerfile/nginx -p
    cd /opt/dockerfile
    echo "dockerfile">index.html
    vim Dockerfile
        # This docker file
        # VERSION 1
        # Author: luis
        # Base image
        FROM centos
        # Maintainer
        MAINTAINER hetao hetao@gagogroup.com
        # Commands
        RUN rpm -ivh <URL>
        RUN yum makecache
        RUN yum install vim nginx -y
        ADD index.html /usr/share/nginx/html/index.html
        RUN echo "daemon off;" >>/etc/nginx/nginx.conf
        EXPOSE 80
        CMD ["nginx"]

Setting up a private Docker registry with Harbor on CentOS 7.3
System: CentOS 7.3, 64-bit
Harbor version: 1.4.0
1. Install the Docker yum repository (if epel and base repositories are already present, back them up first, then download the epel and base repository files)
    wget -O /etc/yum.repos.d/docker-ce.repo <URL>
    wget -O /etc/yum.repos.d/epel.repo <URL>
    wget -O /etc/yum.repos.d/CentOS-Base.repo <URL>
    yum makecache fast
2. Install docker and docker-compose
    yum install docker-ce docker-compose -y
    systemctl start docker
    systemctl enable docker
3. Download the Harbor online installer
    mkdir -p /data/harbor
    cd /data/harbor
    wget <URL>
    tar xvf harbor-online-installer-v1.4.0.tgz
4. Edit harbor.cfg
    hostname = harbor.51cto.wang    (front-end domain name; an IP address also works, but not localhost/127.0.0.1)
    ui_url_protocol = https    (with the default http, docker login fails, and it is insecure)
    ssl_cert = /data/harbor/cert/server.crt    (certificate directory and file name)
    ssl_cert_key = /data/harbor/cert/server.key
    auth_mode = db_auth    (local database authentication)
    harbor_admin_password = Harbor12345    (password of the admin user)
    project_creation_restriction = adminonly    (only administrators can create projects; everyone lets all users create projects)
    self_registration = on    (enable self-registration)
5. Create the certificate
    mkdir /data/harbor/cert && cd /data/harbor/cert
    openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout /data/harbor/cert/server.key -out /data/harbor/cert/server.crt
(Fill in only Common Name; press Enter to accept the default for every other field.)
    Generating a 2048 bit RSA private key
    ...........................+++
    .....................................................................................................................+++
    writing new private key to '/data/harbor/cert/server.key'
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [XX]:
    State or Province Name (full name) []:
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:harbor.51cto.wang
    Email Address []:
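
Before install.sh is run in the next step, the step 4 settings can be checked mechanically. The following is an added example, not part of the original post or of Harbor: it flags a non-https protocol, the default admin password and open self-registration in harbor.cfg. The function names are hypothetical and the sample file is constructed from the values shown in step 4.

```shell
#!/usr/bin/env bash
# Added example: audit harbor.cfg (Harbor 1.4 "key = value" format) for weak settings.
# cfg_get and audit_harbor_cfg are hypothetical helper names, not Harbor tooling.
set -eu

# cfg_get <file> <key>: print the value of "key = value" (last occurrence wins).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_harbor_cfg <file>: print one finding per line; non-zero status if any.
audit_harbor_cfg() {
    local f="$1" bad=0
    if [ "$(cfg_get "$f" ui_url_protocol)" != "https" ]; then
        echo "ui_url_protocol: not https, logins and image pulls are unencrypted"
        bad=1
    fi
    if [ "$(cfg_get "$f" harbor_admin_password)" = "Harbor12345" ]; then
        echo "harbor_admin_password: still the well-known default"
        bad=1
    fi
    if [ "$(cfg_get "$f" self_registration)" = "on" ]; then
        echo "self_registration: on, anyone who reaches the UI can create an account"
        bad=1
    fi
    return "$bad"
}

# Constructed sample: the values shown in step 4 of the page.
demo() {
    local cfg
    cfg="$(mktemp)"
    cat > "$cfg" <<'EOF'
hostname = harbor.51cto.wang
ui_url_protocol = https
auth_mode = db_auth
harbor_admin_password = Harbor12345
project_creation_restriction = adminonly
self_registration = on
EOF
    audit_harbor_cfg "$cfg" || echo "harbor.cfg needs changes before install.sh is run"
    rm -f "$cfg"
}
demo
```
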
6. Generate the configuration files and start the containers
    cd /data/harbor/harbor
    ./install.sh
    [Step 0]: checking installation environment ...
    Note: docker version: 17.06.1
    Note: docker-compose version: 1.9.0
    [Step 1]: preparing environment ...
    Clearing the configuration file: ./common/config/adminserver/env
    Clearing the configuration file: ./common/config/ui/env
    Clearing the configuration file: ./common/config/ui/app.conf
    Clearing the configuration file: ./common/config/ui/private_key.pem
    Clearing the configuration file: ./common/config/db/env
    Clearing the configuration file: ./common/config/jobservice/env
    Clearing the configuration file: ./common/config/jobservice/app.conf
    Clearing the configuration file: ./common/config/registry/config.yml
    Clearing the configuration file: ./common/config/registry/root.crt
    Clearing the configuration file: ./common/config/nginx/cert/server.crt
    Clearing the configuration file: ./common/config/nginx/cert/server.key
    Clearing the configuration file: ./common/config/nginx/nginx.conf
    Clearing the configuration file: ./common/config/log/logrotate.conf
    loaded secret from file: /data/secretkey
    Generated configuration file: ./common/config/nginx/nginx.conf
    Generated configuration file: ./common/config/adminserver/env
    Generated configuration file: ./common/config/ui/env
    Generated configuration file: ./common/config/registry/config.yml
    Generated configuration file: ./common/config/db/env
    Generated configuration file: ./common/config/jobservice/env
    Generated configuration file: ./common/config/log/logrotate.conf
    Generated configuration file: ./common/config/jobservice/app.conf
    Generated configuration file: ./common/config/ui/app.conf
    Copied configuration file: ./common/config/uiprivate_key.pem
    Copied configuration file: ./common/config/registryroot.crt
    The configuration files are ready, please use docker-compose to start the service.
    [Step 2]: checking existing instance of Harbor ...
    Note: stopping existing Harbor instance ...
    Stopping nginx ... done
    Stopping harbor-jobservice ... done
    Stopping harbor-adminserver ... done
    Stopping registry ... done
    Stopping harbor-db ... done
    Stopping harbor-log ... done
    Removing nginx ... done
    Removing harbor-jobservice ... done
    Removing harbor-ui ... done
    Removing harbor-adminserver ... done
    Removing registry ... done
    Removing harbor-db ... done
    Removing harbor-log ... done
    Removing network harbor_harbor
    [Step 3]: starting Harbor ...
    Creating network "harbor_harbor" with the default driver
    Creating harbor-log
    Creating harbor-adminserver
    Creating harbor-db
    Creating registry
    Creating harbor-ui
    Creating harbor-jobservice
    Creating nginx
    ✔ ----Harbor has been installed and started successfully.----
    Now you should be able to visit the admin portal at .
    For more details, please visit .
7. Log in and push the first image
<Local login>
1) Log in to the web UI and create a project named test
2) Push a test image to the test project
    docker login -u admin -p Harbor123456 harbor.51cto.wang    (log in)
    docker images
    REPOSITORY                  TAG             IMAGE ID       CREATED        SIZE
    vmware/registry-photon      v2.6.2-v1.4.0   8920f621ddd1   5 weeks ago    198MB
    vmware/nginx-photon         v1.4.0          20c8a01ac6ab   5 weeks ago    135MB
    vmware/harbor-log           v1.4.0          9e818c7a27ab   5 weeks ago    200MB
    vmware/harbor-jobservice    v1.4.0          29c14d91b043   5 weeks ago    191MB
    vmware/harbor-ui            v1.4.0          6cb4318eda6a   5 weeks ago    209MB
    vmware/harbor-adminserver   v1.4.0          8145970fa013   5 weeks ago    182MB
    vmware/harbor-db            v1.4.0          c38da34727f0   5 weeks ago    521MB
    task/task                   v2              5e45422e6d29   2 months ago   1.76GB
    task/task                   v1              78022f6d4a90   2 months ago   1.69GB
Upload task:v2 to Harbor
    docker tag task/task:v2 harbor.51cto.wang/test/task:test
    docker push harbor.51cto.wang/test/task:test
    The push refers to a repository [harbor.51cto.wang/test/task]
    196171e612cc: Pushed
    test: digest: sha256:09921659d583e6e53ade0a81dc5ebccc7be6245d8a2a2c84f22539d4f64d075d size: 529
<Remote login>
1) Copy the certificate (run on the server that hosts the registry)
    mkdir -p /etc/docker/certs.d/harbor.51cto.wang
    cp /data/harbor/cert/server.crt /etc/docker/certs.d/harbor.51cto.wang/ca.crt
2) On the client
    mkdir -p /etc/docker/certs.d/harbor.51cto.wang
Copy the server's ca.crt into this directory
    docker login -u admin -p Harbor123456 harbor.51cto.wang
    WARNING! Using --password via the CLI is insecure. Use --password-stdin.
    Login Succeeded

FAQ:
1. If the script fails, run the steps separately: ./prepare && docker-compose up -d
2. If a port is reported as already in use while the containers start, edit docker-compose.yml and change the port.
3. Login fails with: Error response from daemon: Get : x509: certificate signed by unknown authority
This mostly happens with self-signed certificates. The error means that the authority that issued the certificate is not trusted and cannot be recognized.
    chmod 644 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    cat /data/harbor/cert/server.crt >>/etc/pki/tls/certs/ca-bundle.crt
    chmod 444 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    systemctl restart docker
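
Trusting the certificate as in FAQ item 3 is not sufficient on newer clients: Docker builds based on Go 1.15 or later ignore the Common Name, so a certificate created as in step 5 with only Common Name filled in is rejected even when it is trusted. The added example below (not from the original post; the function names are hypothetical, the host name is the page's) issues the same kind of self-signed certificate with a subjectAltName and checks that the name is present.

```shell
#!/usr/bin/env bash
# Added example: issue the step 5 certificate with a subjectAltName and verify it.
# Host name follows the page; make_cert and cert_has_san are hypothetical names.
set -eu

# make_cert <hostname> <dir> [with_san]: self-signed RSA-2048 key pair valid for
# 3650 days, as in step 5; "with_san" adds a DNS subjectAltName for the host.
make_cert() {
    local host="$1" dir="$2" san="${3:-}"
    mkdir -p "$dir"
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = v3\n'
        printf '[dn]\nCN = %s\n[v3]\nbasicConstraints = CA:TRUE\n' "$host"
        if [ "$san" = "with_san" ]; then
            printf 'subjectAltName = DNS:%s\n' "$host"
        fi
    } > "$dir/req.cnf"
    (
        umask 077   # keep server.key readable by its owner only
        openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -config "$dir/req.cnf" \
            -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    )
    chmod 644 "$dir/server.crt"
}

# cert_has_san <cert> <hostname>: succeeds only if the SAN list has this exact DNS name.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -xF "DNS:$2" > /dev/null
}

# Demo in a throwaway directory: the CN-only certificate fails the check.
demo() {
    local tmp d
    tmp="$(mktemp -d)"
    make_cert harbor.51cto.wang "$tmp/cn_only"
    make_cert harbor.51cto.wang "$tmp/san" with_san
    for d in cn_only san; do
        if cert_has_san "$tmp/$d/server.crt" harbor.51cto.wang; then
            echo "$d: subjectAltName matches the registry host name"
        else
            echo "$d: no matching subjectAltName"
        fi
    done
    rm -rf "$tmp"
}
demo
```
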
Reposted from: https://blog.51cto.com/ershao/2112637