Ops in Practice, Containers: A Brief Introduction to Docker

Posted by 洛冰音


What is Docker

In short:

  • In IT, "Docker" refers to the containerization technology used to create and run Docker containers.
  • With Docker, containers can be treated like lightweight, modular virtual machines. You also gain a high degree of flexibility: containers can be created, deployed and copied efficiently and moved from one environment to another, which helps you optimize your applications for the cloud.
  • Docker is implemented in Go, the language released by Google. It builds on Linux kernel features such as cgroups and namespaces, together with Union filesystems of the OverlayFS family, to wrap and isolate processes; this is virtualization at the operating-system level. Because each isolated process is independent of the host and of the other isolated processes, it is called a container.

Differences from traditional virtualization

Compared with traditional virtualization:

  • A container does not need to emulate a hardware layer; traditional virtualization always includes a virtualized operating-system layer.
  • Containers share the kernel of the same host.

Installing Docker

Before working with Docker, you need to know the following.

Docker creates containers from images, and images are stored in a registry.

A container holds the content and settings it needs; to interact with the outside it needs port mapping.

##Install dependencies
yum install -y container-selinux-2.77-1.el7.noarch.rpm containerd.io-1.4.4-3.1.el7.x86_64.rpm 
##Install Docker CE
yum install -y docker-ce-19.03.15-3.el7.x86_64.rpm docker-ce-cli-19.03.15-3.el7.x86_64.rpm 

##Start the service
systemctl start docker.service 
##Show Docker information
docker info

This step is called out on its own here so that it can be explained.

[root@Server1 docker-ce]# docker info
Client:
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 19.03.15
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc version: 12644e614e25b05da6fd08a38ffa0cfe1903fdec
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 3.10.0-957.el7.x86_64
 Operating System: Red Hat Enterprise Linux Server 7.6 (Maipo)
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 991MiB
 Name: Server1
 ID: BTTL:NBTO:2QFW:6AI3:6MAG:7XRR:MMZV:7RMH:W4WA:Z7JC:WIAQ:U5TX
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Two warning lines appear at the end of the output.

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

This is because the Docker service relies on a network bridge, and by default these two settings may not be enabled.

[root@Server1 sysctl.d]# sysctl -a | grep bridge-nf-call-iptables
net.bridge.bridge-nf-call-iptables = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.docker0.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
[root@Server1 docker-ce]# sysctl net.bridge.bridge-nf-call-iptables
net.bridge.bridge-nf-call-iptables = 0

[root@Server1 docker-ce]# sysctl -a | grep bridge-nf-call-ip6tables
net.bridge.bridge-nf-call-ip6tables = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.docker0.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
[root@Server1 docker-ce]# sysctl net.bridge.bridge-nf-call-ip6tables
net.bridge.bridge-nf-call-ip6tables = 0

Change the setting by modifying the sysctl configuration.

Usually we do not edit sysctl.conf directly; instead we add a new configuration file in its configuration directory, which is easier to manage.

[root@Server1 docker-ce]# cd /etc/sysctl.d/
[root@Server1 sysctl.d]# ls
99-sysctl.conf
[root@Server1 sysctl.d]# vim docker.conf

net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1

##Reload the configuration; the change takes effect
[root@Server1 sysctl.d]# sysctl --system
* Applying /usr/lib/sysctl.d/00-system.conf ...
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
* Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
kernel.yama.ptrace_scope = 0
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.d/docker.conf ...
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
* Applying /etc/sysctl.conf ...

##Check the information again; the warnings are gone
[root@Server1 sysctl.d]# docker info
Client:
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 19.03.15
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc version: 12644e614e25b05da6fd08a38ffa0cfe1903fdec
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 3.10.0-957.el7.x86_64
 Operating System: Red Hat Enterprise Linux Server 7.6 (Maipo)
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 991MiB
 Name: Server1
 ID: BTTL:NBTO:2QFW:6AI3:6MAG:7XRR:MMZV:7RMH:W4WA:Z7JC:WIAQ:U5TX
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
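The procedure above (confirm the two bridge-nf-call sysctls, add a drop-in under /etc/sysctl.d, reload) as an added shell example; it is not code from the original post. With these keys set to 0, frames crossing the docker bridge are not passed to iptables, so Docker's own filtering rules do not see container traffic. The function names, the sample input and the scratch path are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the two bridge-nf-call
# sysctls behind the "docker info" warnings and render the same drop-in file
# the post creates with vim. Input is sysctl-style "key = value" text on
# stdin, so it works on captured output as well as on a live `sysctl -a`.

# Report every bridge-nf-call key that is not 1; exit status 1 if any is off.
audit_bridge_nf() {
    _in=$(cat)
    _bad=0
    for _key in net.bridge.bridge-nf-call-iptables \
                net.bridge.bridge-nf-call-ip6tables; do
        _val=$(printf '%s\n' "$_in" |
               awk -v k="$_key" '$1 == k && $2 == "=" { print $3; exit }')
        if [ "$_val" != "1" ]; then
            echo "$_key is ${_val:-missing}"
            _bad=1
        fi
    done
    return "$_bad"
}

# Write the drop-in; the path is a parameter so a scratch directory can be
# used instead of /etc/sysctl.d while testing.
write_bridge_nf_dropin() {
    printf '%s\n' \
        'net.bridge.bridge-nf-call-iptables = 1' \
        'net.bridge.bridge-nf-call-ip6tables = 1' > "$1"
}

# Constructed sample reproducing the "before" state shown in the post.
SAMPLE_BEFORE='net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 0'

# Stand-alone demo: audit the sample and print the remediation to apply.
printf '%s\n' "$SAMPLE_BEFORE" | audit_bridge_nf ||
    echo "fix: write_bridge_nf_dropin /etc/sysctl.d/docker.conf && sysctl --system"
```

On a live host, run `sysctl -a 2>/dev/null | audit_bridge_nf` before and after `sysctl --system` to confirm the drop-in took effect.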

Getting started

##Search the official registry for images to practice with
[root@Server1 sysctl.d]# docker search yakexi007

NAME                 DESCRIPTION         STARS               OFFICIAL            AUTOMATED
yakexi007/game2048                       0                                       
yakexi007/mario                          0                                       
yakexi007/nginx                          0    

##Pull the 2048 game image
[root@Server1 sysctl.d]# docker pull yakexi007/game2048

Using default tag: latest
latest: Pulling from yakexi007/game2048
534e72e7cedc: Pull complete 
f62e2f6dfeef: Pull complete 
fe7db6293242: Pull complete 
3f120f6a2bf8: Pull complete 
4ba4e6930ea5: Pull complete 
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for yakexi007/game2048:latest
docker.io/yakexi007/game2048:latest

##List local images
[root@Server1 sysctl.d]# docker images
REPOSITORY           TAG                 IMAGE ID            CREATED             SIZE
yakexi007/game2048   latest              19299002fdbe        4 years ago         55.5MB

##Create a container from the image
[root@Server1 sysctl.d]# docker run -d --name 2048 -p 80:80 yakexi007/game2048
2f6310c4fba15bf9c95ec50918c5ff2bc18d4309dd5fe8cec198470af4b21710

About the arguments of this command:

-d      run the container in the background and print the container ID
--name  set the container name
-p      specify the port mapping, in the form host_port:container_port

The last argument is the image to use.

When it is done, check the result.

##Check port usage; docker-proxy now appears on port 80
[root@Server1 sysctl.d]# netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3215/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      3404/master         
tcp        0      0 172.25.5.1:22           172.25.5.250:45152      ESTABLISHED 3499/sshd: root@pts 
tcp6       0      0 :::80                   :::*                    LISTEN      4520/docker-proxy   
tcp6       0      0 :::22                   :::*                    LISTEN      3215/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      3404/master  

##List running containers
[root@Server1 sysctl.d]# docker ps
CONTAINER ID        IMAGE                COMMAND                  CREATED             STATUS              PORTS                         NAMES
2f6310c4fba1        yakexi007/game2048   "/bin/sh -c 'sed -i …"   20 seconds ago      Up 20 seconds       0.0.0.0:80->80/tcp, 443/tcp   2048

##List all containers, including those not running
[root@Server1 sysctl.d]# docker ps -a
CONTAINER ID        IMAGE                COMMAND                  CREATED             STATUS              PORTS                         NAMES
2f6310c4fba1        yakexi007/game2048   "/bin/sh -c 'sed -i …"   24 seconds ago      Up 23 seconds       0.0.0.0:80->80/tcp, 443/tcp   2048
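The `docker ps` output above shows the mapping as 0.0.0.0:80->80/tcp, i.e. `-p 80:80` publishes the port on every host interface. The following added shell example (not code from the original post) reads `docker ps`-style name/ports lines and reports the mappings bound to all interfaces; the function name and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: read "<name>\t<ports>" lines
# (the shape of: docker ps --format '{{.Names}}\t{{.Ports}}') and report the
# published ports bound to every interface, as 0.0.0.0:80 is in the post.

# Prints "<name>\t<bind address:port>" for each wide-open mapping.
# Bare entries such as "443/tcp" are only exposed, not published, and are
# skipped; mappings pinned to 127.0.0.1 are skipped as well.
list_wide_open_ports() {
    awk -F '\t' '
    {
        n = split($2, p, /, */)
        for (i = 1; i <= n; i++) {
            if (p[i] !~ /->/) continue
            if (p[i] ~ /^0\.0\.0\.0:/ || p[i] ~ /^:::/ || p[i] ~ /^\[::\]:/) {
                sub(/->.*/, "", p[i])
                print $1 "\t" p[i]
            }
        }
    }'
}

# Constructed sample: the 2048 container from the post plus two others
# (one bound to loopback only, one with no published port at all).
SAMPLE_PS=$(printf '2048\t0.0.0.0:80->80/tcp, 443/tcp\ninternal\t127.0.0.1:8080->80/tcp\ndb\t5432/tcp\n')

# Stand-alone demo over the sample; on a live host pipe docker ps into it.
printf '%s\n' "$SAMPLE_PS" | list_wide_open_ports
```

To publish a port on the loopback interface only, prefix the host port with an address, e.g. `-p 127.0.0.1:80:80`, and re-run the check.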
