Enterprise operations containers: docker images
Posted by 123坤
Foreword: this article was compiled by the editors of 小常识网 (cha138.com); it introduces docker images for enterprise container operations and is offered as a reference.
1. The layered structure of an image
- shares the host's kernel;
- the base image provides a minimal Linux distribution;
- one docker host can run several Linux distributions;
- the biggest benefit of the layered structure is resource sharing;
Copy-on-Write
- the writable container layer is like a virtual machine snapshot;
- all image layers below the container layer are read-only;
- docker looks up a file layer by layer from the top down;
- the container layer holds only the changes relative to the image and never modifies the image itself;
- an image has at most 127 layers;
2. Building images
- docker commit: building a new image in three steps
run a container
modify the container
save the container as a new image
Drawbacks:
low efficiency, poor reproducibility, error-prone;
users cannot audit the image, which is a security risk.
- Building an image
[root@server1 ~]# docker pull busybox ##pull the image
Using default tag: latest
latest: Pulling from library/busybox
92f8b3f0730f: Pull complete
Digest: sha256:b5fc1d7b2e4ea86a06b0cf88de915a2c43a99a00b6b3c0af731e5f4c07ae8eff
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest
[root@server1 ~]# docker images ##list images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest d3cd072556c2 4 days ago 1.24MB
yakexi007/game2048 latest 19299002fdbe 4 years ago 55.5MB
[root@server1 ~]# docker history busybox:latest
##view the image's build history, which shows its layered structure: one layer is the ADD of the official root filesystem, the other is the CMD that gives you a shell
IMAGE CREATED CREATED BY SIZE COMMENT
d3cd072556c2 4 days ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 4 days ago /bin/sh -c #(nop) ADD file:c423dc64e02718dd3… 1.24MB
[root@server1 ~]# docker run -it --name demo busybox
##start the container in interactive mode to get a shell
/ # uname -r
3.10.0-957.el7.x86_64
/ # free -m
total used free shared buff/cache available
Mem: 3950 242 2977 0 730 3463
Swap: 2047 0 2047
/ #
Use ctrl+d to exit; exiting this way also stops the container. Use ctrl+p+q to detach and leave it running in the background.
[root@server1 ~]# docker run -it --name demo busybox
/ # ls
bin dev etc home proc root sys tmp usr var
/ # touch zxk1
/ # touch zxk2
/ # ls
bin dev etc home proc root sys tmp usr var zxk1 zxk2
/ # ##after exiting here with ctrl+d, the container is stopped
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@server1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4c28320d96c6 busybox "sh" 27 seconds ago Exited (0) 11 seconds ago demo
[root@server1 ~]# docker start demo ##use start to bring the container back up;
demo
[root@server1 ~]# docker attach demo ##then use attach to enter the container
/ # ls
bin dev etc home proc root sys tmp usr var zxk1 zxk2
/ #
After detaching with ctrl+p+q, the container keeps running in the background;
[root@server1 ~]# docker attach demo
/ # ls
bin dev etc home proc root sys tmp usr var zxk1 zxk2
/ # touch zxkfile1
/ # touch zckfile2
/ # ls
bin etc proc sys usr zckfile2 zxk2
dev home root tmp var zxk1 zxkfile1
/ # read escape sequence
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4c28320d96c6 busybox "sh" 3 minutes ago Up 2 minutes demo
A running container is assigned an IP address; use docker inspect demo to see it. The container is connected to the host through a bridge;
[root@server1 ~]# docker inspect demo
"Gateway": "172.17.0.1",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
[root@server1 ~]# ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.180 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.050 ms
^C
--- 172.17.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.050/0.115/0.180/0.065 ms
To inspect the bridge, install a tool package:
[root@server1 ~]# yum install bridge-utils.x86_64 -y ##install the tools to view the bridge state
[root@server1 ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.024226b06bff no veth8a55abb
[root@server1 ~]# docker stop demo
demo
[root@server1 ~]# brctl show
##once the container is stopped its resources are released; containers started later get the IPs in turn
bridge name bridge id STP enabled interfaces
docker0 8000.024226b06bff no
Deleting a container:
The step above only stopped the container; it still exists. Containers that are no longer needed can be deleted;
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@server1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4c28320d96c6 busybox "sh" 17 minutes ago Exited (137) 2 minutes ago demo
[root@server1 ~]# docker rm demo ##delete a container that is not running
demo
[root@server1 ~]# docker ps ##list running containers
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@server1 ~]# docker ps -a ##list all containers
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
After the container is deleted, the files created earlier are gone, because they lived in the container layer; running the image again shows none of them;
[root@server1 ~]# docker run -it --name demo busybox
/ # ls
bin dev etc home proc root sys tmp usr var
/ # touch 111 ##modify the container
/ # touch 222
/ # ls
111 222 bin dev etc home proc root sys tmp usr var
/ #
[root@server1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4f26670e58f0 busybox "sh" 43 seconds ago Exited (0) 17 seconds ago demo
[root@server1 ~]# docker commit --help
Usage: docker commit [OPTIONS] CONTAINER [REPOSITORY[:TAG]]
Create a new image from a container's changes
Options:
-a, --author string Author (e.g., "John Hannibal Smith <hannibal@a-team.com>")
-c, --change list Apply Dockerfile instruction to the created image
-m, --message string Commit message
-p, --pause Pause container during commit (default true)
[root@server1 ~]# docker commit -m "add file" demo busybox:v1 ##save the container as a new image
sha256:ec156da5008793b690ab6b9859daa4074e24d04bcc9302b27a2095f74e0e6182
[root@server1 ~]# docker images ##list images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox v1 ec156da50087 11 seconds ago 1.24MB
busybox latest d3cd072556c2 6 days ago 1.24MB
yakexi007/game2048 latest 19299002fdbe 4 years ago 55.5MB
[root@server1 ~]# docker history busybox:latest
IMAGE CREATED CREATED BY SIZE COMMENT
d3cd072556c2 6 days ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 6 days ago /bin/sh -c #(nop) ADD file:c423dc64e02718dd3… 1.24MB
[root@server1 ~]# docker history busybox:v1 ##view the build history
IMAGE CREATED CREATED BY SIZE COMMENT
ec156da50087 33 seconds ago sh ##nobody can tell from this what was done, which is a security risk 26B add file
d3cd072556c2 6 days ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 6 days ago /bin/sh -c #(nop) ADD file:c423dc64e02718dd3… 1.24MB
[root@server1 ~]# docker rm demo ##delete the earlier container
demo
[root@server1 ~]# docker run -it --name demo busybox:v1 ##run the newly committed image
/ # ls
111 222 bin dev etc home proc root sys tmp usr var
/ #
[root@server1 ~]# docker rm demo
demo
[root@server1 ~]# docker run -it --name demo busybox
/ # ls
bin dev etc home proc root sys tmp usr var
/ #
3. Dockerfile
Images built the way shown above carry a security risk, because nobody can tell from the build history what was done.
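An added example (not from the original post or the Docker project) that makes this audit concrete: a POSIX shell function that reads docker history output and flags layers whose origin is not a Dockerfile instruction; the sample history is constructed to mirror the busybox:v1 output above, and the docker command in the comments is only shown for use against a live daemon.

```shell
#!/bin/sh
# Added example (not part of the original post): audit an image's history for
# layers that came from "docker commit" instead of a Dockerfile instruction.
# Layers built from a Dockerfile carry a CREATED BY of "/bin/sh -c <cmd>" (RUN),
# "/bin/sh -c #(nop) <INSTRUCTION>" (COPY, ADD, ENV, EXPOSE, VOLUME, CMD ...),
# "|N ARG=... /bin/sh -c ..." (RUN with build args in scope) or, with BuildKit,
# "<INSTRUCTION> ... # buildkit". A committed container layer only records the
# container's command (here "sh") plus the -m message, so the history cannot
# say what was changed inside it.

# Constructed sample modelled on the busybox:v1 history shown above, in the
# shape printed by:
#   docker history --no-trunc --format '{{.CreatedBy}}\t{{.Comment}}' busybox:v1
sample_history() {
    printf 'sh\tadd file\n'
    printf '/bin/sh -c #(nop)  CMD ["sh"]\t\n'
    printf '/bin/sh -c #(nop) ADD file:c423dc64e02718dd3 in / \t\n'
}

# Read "<created_by><TAB><comment>" lines on stdin, print every layer whose
# origin is not a Dockerfile instruction, and return 1 if any were found.
audit_history() {
    found=0
    tab=$(printf '\t')
    while IFS="$tab" read -r created_by comment; do
        case "$created_by" in
            "/bin/sh -c "*) ;;                 # RUN, or a #(nop) metadata step
            "|"[0-9]*" /bin/sh -c "*) ;;       # RUN with build ARGs in scope
            [A-Z]*" # buildkit") ;;            # BuildKit writes "COPY ... # buildkit"
            *)
                found=1
                printf 'opaque layer: created by "%s", comment "%s"\n' \
                    "$created_by" "$comment"
                ;;
        esac
    done
    return "$found"
}

# Number of opaque layers in the constructed sample (1: the "add file" commit).
sample_opaque_count() {
    sample_history | audit_history | wc -l | tr -d ' '
}

# Against a live daemon (not run here):
#   docker history --no-trunc --format '{{.CreatedBy}}\t{{.Comment}}' busybox:v1 | audit_history
```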
Common Dockerfile instructions
- FROM
specifies the base image; if it is not present locally it is downloaded from the remote registry.
- MAINTAINER
sets the image author, e.g. the user's e-mail.
- COPY
copies files from the build context into the image.
Two forms are supported: COPY src dest and COPY ["src", "dest"]
src must be a file or directory inside the build context.
- ADD
used like COPY, except that src may be an archive, which is extracted automatically into dest; it can also download a URL and copy the result into the image:
ADD html.tar /var/www
ADD http://ip/html.tar /var/www
- ENV
sets environment variables, which later instructions can use:
ENV HOSTNAME sevrer1.example.com
- EXPOSE
if an application service runs in the container, its port can be exposed:
EXPOSE 80
- VOLUME
declares a data volume, usually the application's data mount point:
VOLUME ["/var/www/html"]
- WORKDIR
sets the working directory in the image for RUN, CMD, ENTRYPOINT, ADD and COPY; it is created automatically if it does not exist.
- RUN
runs a command in the container and creates a new image layer; commonly used to install packages:
RUN yum install -y vim
Creating the Dockerfile
Create an empty directory and create the Dockerfile inside it;
COPY sources are resolved against the current directory (the build context); do not use the root directory as the build context.
[root@server1 ~]# mkdir docker
[root@server1 ~]# cd docker/
[root@server1 docker]# ls
[root@server1 docker]# vim Dockerfile
[root@server1 docker]# cat Dockerfile
FROM busybox ##base image; downloaded from the remote registry if not present locally
COPY index.html / ##copy the file from the build context into the image
[root@server1 docker]# echo www.westos.org > index.html
[root@server1 docker]# docker build -t busybox:v2 . ##build the image
Sending build context to Docker daemon 3.072kB
Step 1/2 : FROM busybox
---> d3cd072556c2
Step 2/2 : COPY index.html /
---> bac12c96f3cf
Successfully built bac12c96f3cf
Successfully tagged busybox:v2
[root@server1 docker]# docker history busybox:v2
##an image built from a Dockerfile records each build step in detail
IMAGE CREATED CREATED BY SIZE COMMENT
bac12c96f3cf About a minute ago /bin/sh -c #(nop) COPY file:89a58ee0b2565a73… 15B
d3cd072556c2 4 days ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 4 days ago /bin/sh -c #(nop) ADD file:c423dc64e02718dd3… 1.24MB
RUN
[root@server1 docker]# vim Docker
[root@server1 docker]# cat Dockerfile
FROM busybox
COPY index.html /
RUN touch testfile ##run a command in the container and create a new image layer; commonly used to install packages
[root@server1 docker]# docker build -t busybox:v3 .
Sending build context to Docker daemon 3.072kB
Step 1/3 : FROM busybox
---> d3cd072556c2
Step 2/3 : COPY index.html /
---> Using cache
---> bac12c96f3cf
Step 3/3 : RUN touch testfile
---> Running in 1a97d38ee1dc
Removing intermediate container 1a97d38ee1dc
---> af6759a259ae
Successfully built af6759a259ae
Successfully tagged busybox:v3
[root@server1 docker]# docker history busybox:v3
IMAGE CREATED CREATED BY SIZE COMMENT
af6759a259ae 3 seconds ago /bin/sh -c touch testfile 0B
bac12c96f3cf 2 minutes ago /bin/sh -c #(nop) COPY file:89a58ee0b2565a73… 15B
d3cd072556c2 4 days ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 4 days ago /bin/sh -c #(nop) ADD file:c423dc64e02718dd3… 1.24MB
ADD
[root@server1 docker]# vim Dockerfile
[root@server1 docker]# cat Dockerfile
FROM busybox
COPY index.html /
RUN touch testfile
ADD nginx-1.18.0.tar.gz /
[root@server1 docker]# ls
Dockerfile index.html nginx-1.18.0.tar.gz
[root@server1 docker]# docker build -t busybox:v4 .
Sending build context to Docker daemon 1.043MB
Step 1/4 : FROM busybox
---> d3cd072556c2
Step 2/4 : COPY index.html /
---> Using cache
---> bac12c96f3cf
Step 3/4 : RUN touch testfile
---> Using cache
---> af6759a259ae
Step 4/4 : ADD nginx-1.18.0.tar.gz /
---> 4a5ec9658a0a
Successfully built 4a5ec9658a0a
Successfully tagged busybox:v4
[root@server1 docker]# docker history busybox:v4
IMAGE CREATED CREATED BY SIZE COMMENT
4a5ec9658a0a About a minute ago /bin/sh -c #(nop) ADD file:46b14d1c307d23f50… 6.25MB
af6759a259ae 8 minutes ago /bin/sh -c touch testfile 0B
bac12c96f3cf 10 minutes ago /bin/sh -c #(nop) COPY file:89a58ee0b2565a73… 15B
d3cd072556c2 4 days ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 4 days ago /bin/sh -c #(nop) ADD file:c423dc64e02718dd3… 1.24MB
[root@server1 docker]# docker run --rm busybox:v4 ls ##--rm removes the container as soon as it exits
bin
dev
etc
home
index.html
nginx-1.18.0 ##the archive was extracted into the target directory
proc
root
sys
testfile
tmp
usr
var
ENV, EXPOSE, VOLUME
[root@server1 docker]# vim Dockerfile
[root@server1 docker]# cat Dockerfile
FROM busybox
COPY index.html /
RUN touch testfile
ADD nginx-1.18.0.tar.gz /mnt
ENV HOSTNAME server1
EXPOSE 22
VOLUME ["/data"] ##mount point
[root@server1 docker]# docker build -t busybox:v6 .
Sending build context to Docker daemon 1.043MB
Step 1/7 : FROM busybox
---> d3cd072556c2
Step 2/7 : COPY index.html /
---> Using cache
---> bac12c96f3cf
Step 3/7 : RUN touch testfile
---> Using cache
---> af6759a259ae
Step 4/7 : ADD nginx-1.18.0.tar.gz /mnt
---> Using cache
---> 2bd486599e5d
Step 5/7 : ENV HOSTNAME server1
---> Running in 585940a17fef
Removing intermediate container 585940a17fef
---> 815841bf0454
Step 6/7 : EXPOSE 22
---> Running in 020e1555035d
Removing intermediate container 020e1555035d
---> bf1c448c8e88
Step 7/7 : VOLUME ["/data"]
---> Running in e752fadafca6
Removing intermediate container e752fadafca6
---> 079d588ee2b0
Successfully built 079d588ee2b0
Successfully tagged busybox:v6
[root@server1 docker]# docker history busybox:v6
IMAGE CREATED CREATED BY SIZE COMMENT
079d588ee2b0 17 seconds ago /bin/sh -c #(nop) VOLUME [/data] 0B
bf1c448c8e88 17 seconds ago /bin/sh -c #(nop) EXPOSE 22 0B
815841bf0454 17 seconds ago /bin/sh -c #(nop) ENV HOSTNAME=server1 0B
2bd486599e5d 3 minutes ago /bin/sh -c #(nop) ADD file:46b14d1c307d23f50… 6.25MB
af6759a259ae 13 minutes ago /bin/sh -c touch testfile 0B
bac12c96f3cf 15 minutes ago /bin/sh -c #(nop) COPY file:89a58ee0b2565a73… 15B
d3cd072556c2 4 days ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 4 days ago /bin/sh -c #(nop) ADD file:c423dc64e02718dd3… 1.24MB
[root@server1 docker]# docker run -it --rm busybox:v6 env ##query the variables
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=server1
TERM=xterm
HOME=/root
[root@server1 docker]# docker run -it --rm busybox:v6
/ # cd /data/
/data # ls
/data # touch file1
/data # ls
file1
/data # [root@server1 docker]# docker ps ##the exposed port is visible here
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
89b679669449 busybox:v6 "sh" 46 seconds ago Up 45 seconds 22/tcp quirky_buck
[root@server1 docker]# docker inspect quirky_buck
##this name is the one shown by docker ps; the command shows the mount details
[root@server1 docker]# cd /var/lib/docker/volumes/f3890ceefa0cf175ba9477be8dc027fcbac07e83237ac0183e5cac034eafca8d/_data
[root@server1 _data]# ls ##the file created inside the container is visible in the volume
file1
[root@server1 _data]# rm -fr file1
[root@server1 _data]# ls
[root@server1 _data]# touch file2 ##modify files from this directory
[root@server1 _data]# ls
file2
[root@server1 _data]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
89b679669449 busybox:v6 "sh" 4 minutes ago Up 4 minutes 22/tcp quirky_buck
[root@server1 _data]# docker attach 89b679669449 ##you can also attach by container ID; the modified files are visible inside
/data # ls
file2
/data #
WORKDIR
[root@server1 docker]# vim Dockerfile
[root@server1 docker]# cat Dockerfile
FROM busybox
COPY index.html /
RUN touch testfile
ADD nginx-1.18.0.tar.gz /mnt
ENV HOSTNAME server1
EXPOSE 22
VOLUME ["/data"]
WORKDIR /nginx-1.18.0.tar.gz ##set the directory you land in when entering the container
[root@server1 docker]# docker build -t busybox:v7 .
Sending build context to Docker daemon 1.043MB
Step 1/8 : FROM busybox
---> d3cd072556c2
Step 2/8 : COPY index.html /
---> Using cache
---> bac12c96f3cf
Step 3/8 : RUN touch testfile
---> Using cache
---> af6759a259ae
Step 4/8 : ADD nginx-1.18.0.tar.gz /mnt
---> Using cache
---> 2bd486599e5d
Step 5/