Docker Configuration Manual - Basic Operations and Management

Compiled, organized and written by snow chuai --- 2020/2/8
Last updated --- 2021/06/14


1. Installing Docker and configuring a registry mirror
1) Install Docker
[root@docker1 ~]# yum install docker -y
2) Configure a registry mirror (pull accelerator)
[root@docker1 ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://3laho3y3.mirror.aliyuncs.com"]
}
# A mirror sits between you and Docker Hub, so only configure one you trust; when provenance matters, pull by digest (image@sha256:...) rather than by tag.
3) Start Docker
[root@docker1 ~]# systemctl enable --now docker
2. Basic Docker usage
1) Search the registry for an image
[root@docker1 ~]# docker search centos
[root@docker1 ~]# docker search ubuntu
2) Pull an image
[root@docker1 ~]# docker pull centos
Using default tag: latest
Trying to pull repository docker.io/library/centos ...
latest: Pulling from docker.io/library/centos
8a29a15cefae: Pull complete
Digest: sha256:fe8d824220415eed5477b63addf40fb06c3b049404242b31982106ac204f6700
Status: Downloaded newer image for docker.io/centos:latest
3) List local images
[root@docker1 ~]# docker image list
REPOSITORY          TAG       IMAGE ID       CREATED       SIZE
docker.io/centos    latest    470671670cac   2 weeks ago   237 MB
4) Run a command inside a container
[root@docker1 ~]# docker run -i -t centos cat /etc/hosts
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
fe00::0     ip6-localnet
ff00::0     ip6-mcastprefix
ff02::1     ip6-allnodes
ff02::2     ip6-allrouters
172.17.0.2  53cacd9d59b0
5) Use a container interactively
Option notes: -i keeps STDIN open (interactive), -t allocates a pseudo-terminal
[root@docker1 ~]# docker run -it centos /bin/bash
[root@e94e1ca24346 /]# exit
exit            # leaving the shell stops the container, because bash is its main process
[root@docker1 ~]#
6) Limit the memory a container may use
[root@docker1 ~]# docker run -it -m 300M --memory-swap 300M centos /bin/bash
[root@b65555bd80e8 /]# [^p][^q]      # Ctrl-p Ctrl-q detaches from the container and leaves it running
# Setting --memory-swap equal to -m means the container gets no swap at all; with -m alone it may still use as much swap again as its memory limit.
7) List running containers
[root@docker1 ~]# docker ps
CONTAINER ID   IMAGE    COMMAND       CREATED         STATUS         PORTS   NAMES
b65555bd80e8   centos   "/bin/bash"   3 minutes ago   Up 3 minutes           kind_meninsky
8) Check the resource usage of the limited container (add --no-stream to print one sample instead of a live view)
[root@docker1 ~]# docker stats b655
CONTAINER   CPU %   MEM USAGE / LIMIT   MEM %   NET I/O         BLOCK I/O   PIDS
b655        0.00%   528 KiB / 300 MiB   0.17%   656 B / 656 B   0 B / 0 B   1
[root@docker1 ~]# docker stats b655 --no-stream | awk 'NR==2{print $2}'
0.00%
9-1) Limit a container to one CPU
[root@docker1 ~]# docker run -it -m="500m" --cpus="1" centos /bin/bash
9-2) Pin a container to the first two CPU cores (0 and 1)
[root@docker1 ~]# docker run -it --cpuset-cpus="0,1" centos /bin/bash
10) Limit a container's disk I/O
[root@docker1 ~]# docker run -it --device-write-bps /dev/sda:30MB centos /bin/bash
11) List all containers (including exited ones)
[root@docker1 ~]# docker ps -a
CONTAINER ID   IMAGE    COMMAND       CREATED          STATUS                  PORTS   NAMES
be6ea6b7d9d9   centos   "/bin/bash"   7 minutes ago    Up 7 minutes                    objective_lamport
b65555bd80e8   centos   "/bin/bash"   20 minutes ago   Up 20 minutes                   kind_meninsky
e94e1ca24346   centos   "/bin/bash"   24 minutes ago   Exited (0) 22 minu...           agitated_noether
12) Start / stop a container
Syntax: docker start|stop <container ID or name>
[root@docker1 ~]# docker start e94e
e94e
[root@docker1 ~]# docker ps -a            # e94e is now running
e94e1ca24346   centos   "/bin/bash"   32 minutes ago   Up 2 seconds
[root@docker1 ~]# docker stop e94e
e94e
[root@docker1 ~]# docker ps -a            # e94e has exited again
e94e1ca24346   centos   "/bin/bash"   33 minutes ago   Exited (0) 2 seconds ago
13) Reattach to a container running in the background
[root@docker1 ~]# docker start be6e
be6e
[root@docker1 ~]# docker attach be6e
[root@be6ea6b7d9d9 /]#
Since Docker 1.3 you can use docker exec instead. It starts a new process in the container rather than attaching to the main process, so leaving that shell does not stop the container:
[root@docker1 ~]# docker exec -it be6e /bin/bash
[root@be6ea6b7d9d9 /]#
14) Remove exited containers
[root@docker1 ~]# docker rm b655
b655
[root@docker1 ~]# docker rm $(docker ps -a | awk '{print $1}' | sed 1d)
be6ea6b7d9d9
e94e1ca24346
53cacd9d59b0
# (docker ps -aq prints the same list of IDs without the awk/sed pipeline)
[root@docker1 ~]# docker container prune
WARNING! This will remove all stopped containers.
Are you sure you want to continue? [y/N] y
Total reclaimed space: 0 B
Remove exited containers and force-remove running ones (-f kills a running container before removing it):
[root@docker1 ~]# docker rm $(docker ps -a | awk '{print $1}' | sed 1d) -f
be6ea6b7d9d9
e94e1ca24346
53cacd9d59b0
0577a0234a80
9a99a66c0e6f
181025f8adc5
[root@docker1 ~]# docker rm $(docker ps -q) -f
be6ea6b7d9d9
e94e1ca24346
53cacd9d59b0
0577a0234a80
9a99a66c0e6f
181025f8adc5
15) Stop a running container
# docker kill sends SIGKILL immediately; docker stop sends SIGTERM first and only escalates to SIGKILL after a grace period (10 s by default), which gives the service a chance to shut down cleanly.
[root@docker1 ~]# docker kill be6e
be6e
[root@docker1 ~]# docker rm be6e
be6e
16) Name a container snowchuai
Option notes: -d runs the container in the background
[root@docker1 ~]# docker run -itd --name snowchuai centos /bin/bash
181025f8adc5cc3a42cd426c33148e6761cac0c369cec851ee9b711acaee0c18
[root@docker1 ~]# docker ps -a
CONTAINER ID   IMAGE    COMMAND       CREATED         STATUS        PORTS   NAMES
181025f8adc5   centos   "/bin/bash"   3 seconds ago   Up 1 second           snowchuai
17) Show a container's output (logs)
[root@docker1 ~]# docker logs snowchuai
18) Export a container
[root@docker1 ~]# docker export snowchuai > chuai.tar
[root@docker1 ~]# ls -l chuai.tar
-rw-r--r-- 1 root root 245033984 Feb 8 15:35 chuai.tar
19) Import a container as an image
[root@docker1 ~]# cat chuai.tar | docker import - chuai:test
sha256:cb49b18cb1777b19c4f03838b4b61d182021ae31dad1d036f62ff169202de3f1
[root@docker1 ~]# docker image list
REPOSITORY          TAG       IMAGE ID       CREATED          SIZE
chuai               test      cb49b18cb177   19 seconds ago   237 MB
docker.io/centos    latest    470671670cac   3 weeks ago      237 MB
# export/import flattens the filesystem into a single layer and drops image metadata (CMD, ENV, exposed ports); use docker save/load (3.4) when that metadata must survive.
20) Other common docker run options
# Option notes: --name container name; -h container hostname; --dns-search search domain for the container; --dns DNS server address
[root@docker1 ~]# docker run -ti --name gzliu -h server --dns-search=1000cc.net --dns=8.8.8.8 --dns=8.8.4.4 centos:latest /bin/bash
[root@server /]#
21) Rename an image or change its tag
# Syntax: docker tag <old name>:<old tag> <new name>:<new tag>
[root@docker1 ~]# docker images
REPOSITORY          TAG       IMAGE ID       CREATED         SIZE
chuai               test      cb49b18cb177   5 minutes ago   237 MB
docker.io/centos    latest    470671670cac   3 weeks ago     237 MB
[root@docker1 ~]# docker tag chuai:test chuai:ok
[root@docker1 ~]# docker images
REPOSITORY          TAG       IMAGE ID       CREATED         SIZE
chuai               ok        cb49b18cb177   5 minutes ago   237 MB
chuai               test      cb49b18cb177   5 minutes ago   237 MB
docker.io/centos    latest    470671670cac   3 weeks ago     237 MB
22) Delete an image
[root@docker1 ~]# docker rmi chuai:test
Untagged: chuai:test
Deleted: sha256:cb49b18cb1777b19c4f03838b4b61d182021ae31dad1d036f62ff169202de3f1
Deleted: sha256:8db5f909d72e4f4820e56a4c7c828aaf12b46c86ade44143bbf49ab25a226a91
23) Restart a container automatically at boot
# Option notes, values of --restart:
#   no         : do not restart the container when it exits
#   on-failure : restart only when it exits with a non-zero status
#   always     : restart regardless of exit status (also restarts it when the daemon starts, i.e. at boot)
[root@docker1 ~]# docker run -itd --restart=always --name gzlau centos /bin/bash
24) Limit the number of restart attempts
# Option notes: --restart=on-failure:N, where N is the number of attempts (without N, on-failure retries without limit)
[root@docker1 ~]# docker run -itd --name c8 --restart=on-failure:10 centos /bin/bash
25) Set a restart policy on an existing container
[root@docker1 ~]# docker update --restart=always gzliu
gzliu
26) Find the local path where images are stored
[root@docker1 ~]# docker info | grep 'Docker Root Dir'
Docker Root Dir: /var/lib/docker
27) Move the Docker storage path to /data/tools/docker (method 1)
(1) Back up everything under /var/lib/docker
(2) Edit the docker.service unit
[root@docker1 ~]# vim /usr/lib/systemd/system/docker.service
Find the line starting with ExecStart=/usr/bin/dockerd-current and change it to (a unit may contain only one ExecStart= line for a service of this type, so edit the existing line rather than adding a second one):
ExecStart=/usr/bin/dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --graph /data/tools/docker
# On Docker 17.05 and later --graph is deprecated in favour of --data-root; with docker-ce the same setting can be put in /etc/docker/daemon.json as "data-root". Run systemctl daemon-reload after editing the unit.
(3) Restore the backup into the new path
(4) Restart the Docker service
28) Move the Docker storage path (method 2)
(1) Back up all images and files under /var/lib/docker
(2) Mount a dedicated disk at /var/lib/docker and add it to /etc/fstab so it is mounted at boot
(3) Restore the backup into /var/lib/docker
29) Show detailed information about one or more images
[root@srv1 ~]# docker inspect centos:7
[
    {
        "Id": "sha256:eeb6ee3f44bd0b5103bb561b4c16bcb82328cfe5809ab675bb17ab3a16c517c9",
        "RepoTags": [
            "docker.io/centos:7"
        ],
        ......
        ......
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:174f5685490326fc0a1c0f5570b8663732189b327007e47ff13d2ca59673db02"
            ]
        }
    }
]
30) Set environment variables
[root@srv1 ~]# docker run -it -e os=centos_7 -e env=1000y centos:7
[root@ebfcd0c91131 /]# echo $os
centos_7
[root@ebfcd0c91131 /]# echo $env
1000y
[root@ebfcd0c91131 /]# exit
exit
[root@srv1 ~]#
# Anything passed with -e is visible in docker inspect output to everyone who can talk to the daemon, so do not pass secrets this way.
31) Locate a container's root filesystem on the host
[root@srv1 ~]# docker run -d -h websrv --name websrv -p 80:80 nginx
9193860905f17d6fd51740d78d5cfc18301fbc3d84030e251e49af89d58b314e
[root@srv1 ~]# docker exec -it websrv /bin/bash
root@websrv:/# echo "hello world" > /usr/share/nginx/html/index.html
root@websrv:/# exit
exit
[root@srv1 ~]# docker ps
CONTAINER ID   IMAGE   COMMAND                  CREATED              STATUS              PORTS                NAMES
d1de53e2c208   nginx   "/docker-entrypoin..."   About a minute ago   Up About a minute   0.0.0.0:80->80/tcp   websrv
[root@srv1 ~]# docker inspect websrv
......
......
"MergedDir": "/var/lib/docker/overlay2/4b96f928ee54578e6acd680d22ee27a5e44290f31e8031b90594e92e731da7e5/merged",
......
......
[root@srv1 ~]# cd /var/lib/docker/overlay2/4b96f928ee54578e6acd680d22ee27a5e44290f31e8031b90594e92e731da7e5/merged/usr/share/nginx/html
[root@srv1 html]# cat index.html
hello world
# The merged view is the live container filesystem: anyone with root on the host can read or alter container files here without going through Docker.
32) Copy a file into a container's root directory
[root@srv1 html]# docker cp my-test.txt f273:/
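The limits and policies set with -m, --cpus, --restart and -p in this section all end up in the HostConfig block of docker inspect output, which is the place to audit them later. The following script is an added example (not part of the original manual) that reads a docker inspect JSON array and flags containers without a memory or CPU limit, with an unbounded restart policy, or with a port published on every host interface. The two records inside it are constructed to mirror this section's examples; the finding codes are this example's own naming.

```python
"""Audit `docker inspect` output for the run-time settings covered in section 2.

Added example, not part of the original manual. Reads the JSON array printed by
`docker inspect <container>...` and returns findings per container. The sample
records below are constructed; against a live host run:
    docker inspect $(docker ps -q) | python3 audit_containers.py
"""
import json
import sys

# Constructed sample in the shape of `docker inspect` output (only the keys used here).
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/kind_meninsky",
        "HostConfig": {
            "Memory": 314572800,          # 300M, as set with -m 300M
            "MemorySwap": 314572800,      # equal to Memory: no swap for this container
            "NanoCpus": 0,                # no --cpus given
            "RestartPolicy": {"Name": "no", "MaximumRetryCount": 0},
            "PortBindings": {},
        },
    },
    {
        "Name": "/websrv",
        "HostConfig": {
            "Memory": 0,                  # no -m given: may consume all host memory
            "MemorySwap": 0,
            "NanoCpus": 1000000000,       # --cpus=1
            "RestartPolicy": {"Name": "always", "MaximumRetryCount": 0},
            "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]},
        },
    },
])


def audit_container(rec):
    """Return a list of (finding_code, detail) tuples for one inspect record."""
    name = rec["Name"].lstrip("/")
    hc = rec.get("HostConfig", {})
    findings = []

    if hc.get("Memory", 0) == 0:
        findings.append(("no-memory-limit", name))
    elif hc.get("MemorySwap", 0) > hc["Memory"]:
        # -m given without --memory-swap of the same size: swap is still allowed
        findings.append(("swap-allowed", name))

    if hc.get("NanoCpus", 0) == 0:
        findings.append(("no-cpu-limit", name))

    rp = hc.get("RestartPolicy", {})
    if rp.get("Name") == "always":
        findings.append(("restart-always", name))          # a crash-looping container restarts forever
    elif rp.get("Name") == "on-failure" and rp.get("MaximumRetryCount", 0) == 0:
        findings.append(("restart-unbounded", name))       # on-failure without :N also retries forever

    for port, bindings in (hc.get("PortBindings") or {}).items():
        for b in bindings or []:
            host_ip = b.get("HostIp") or "0.0.0.0"          # empty HostIp means all interfaces
            if host_ip in ("0.0.0.0", "::"):
                # -p 80:80 is reachable from every interface; the DNAT rule Docker adds is
                # evaluated before INPUT-chain host firewall rules such as ufw
                findings.append(("port-on-all-interfaces",
                                 f"{name} {host_ip}:{b.get('HostPort')}->{port}"))
    return findings


def audit(inspect_json):
    """Audit every record of a `docker inspect` JSON array; returns {container: [findings]}."""
    return {rec["Name"].lstrip("/"): audit_container(rec) for rec in json.loads(inspect_json)}


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for container, findings in audit(data).items():
        for code, detail in findings:
            print(f"{container}: {code} ({detail})")
```

Pipe real inspect output into the script to check a host; bind published ports to a specific address (-p 127.0.0.1:8088:80) when the service is only needed locally.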
3. Custom Docker images, image backup and restore
3.1 Build an image with an SSH service
1) Start a new container and install the SSH service inside it
[root@docker1 ~]# docker run --name snowchuai -h snow -it centos /bin/bash
[root@snow /]# yum install openssh openssh-server passwd -y

Alternatively, do the same in one step from the host:
[root@docker1 ~]# docker run centos /bin/bash -c "yum -y update; yum install openssh openssh-server passwd -y"
2) Configure the service as required
3) Generate the host keys sshd needs inside the container
[root@snow ~]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -q -N ''
[root@snow ~]# ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -q -N ''
[root@snow ~]# ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -q -N ''
4) Set the container's root password
[root@snow ~]# passwd
# docker commit (step 7) bakes these host keys and the root password hash into the image, so every container started from it shares one SSH identity and one credential, and anyone who can pull the image can read /etc/shadow from it. For anything beyond a lab, generate host keys when the container starts and use key-based login with PermitRootLogin prohibit-password.
5) Leave the container
[root@snow ~]# exit
exit
6) Get the container ID or name
[root@docker1 ~]# dockerid=$(docker ps -a | awk '{print $1}' | sed 1d) && echo $dockerid
# This captures every container ID, so it only works while this is the only container on the host; the --filter name=<name> option of docker ps selects one container by name.
7) Create the image
Option notes: -m "commit message"
[root@docker1 ~]# docker commit -m 'centos-ssh' $dockerid snowchuai/centos-sshd
sha256:ae717ca509d99ac4adb9c821821c3b6cb9e8b89eaaa2d3f36ddc517d8f5fc17b
[root@docker1 ~]# docker image list
REPOSITORY               TAG       IMAGE ID       CREATED          SIZE
snowchuai/centos-sshd    latest    ae717ca509d9   12 seconds ago   279 MB
docker.io/centos         latest    470671670cac   3 weeks ago      237 MB
8) Map the container's sshd port 22 to host port 22222
[root@docker1 ~]# docker run --name gzliu -h server1 -d -p 22222:22 snowchuai/centos-sshd /usr/sbin/sshd -D
4ba86e21944bcf579b8091c34da76131b9f0bfff6266cd63e9df5798234d563e
[root@docker1 ~]# docker ps
CONTAINER ID   IMAGE                   COMMAND              CREATED          STATUS          PORTS                     NAMES
3f94b148602e   snowchuai/centos-sshd   "/usr/sbin/sshd -D"   17 seconds ago   Up 15 seconds   0.0.0.0:22222->22/tcp     gzliu
9) Confirm that host port 22222 is listening
[root@docker1 ~]# netstat -lantp | grep 22222
tcp6       0      0 :::22222                :::*                    LISTEN      3351/docker-proxy-c
10) Test
[root@docker1 ~]# ssh root@127.0.0.1 -p 22222
The authenticity of host '[127.0.0.1]:22222 ([127.0.0.1]:22222)' can't be established.
ECDSA key fingerprint is SHA256:7sg3oYSYESJmtzwXpUhNpbLl2pkqoeXX+s2hpbVE5OU.
ECDSA key fingerprint is MD5:2d:d6:15:57:cc:da:9d:16:02:c5:a5:7c:f4:48:90:3f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:22222' (ECDSA) to the list of known hosts.
root@127.0.0.1's password:
[root@server1 ~]#
3.2 Build an image with an HTTP service
1) Start a new container and install httpd inside it
[root@docker1 ~]# docker run --name snow -h snow -it centos /bin/bash
[root@snow /]# yum install httpd -y

Alternatively, do the same in one step from the host:
[root@docker1 ~]# docker run centos /bin/bash -c "yum -y update; yum install httpd -y"
2) Configure the service as required
[root@snow /]# echo "docker web page" > /var/www/html/index.html
3) Detach from the container
[root@snow ~]# [^p][^q]
4) Get the container ID or name
[root@docker1 ~]# docker ps
5) Create the image
[root@docker1 ~]# docker commit -m 'centos-httpd' fb8d7a7c2452 snowchuai/centos-httpd
sha256:e35843943a72a11452048be9c7119e1e5914518b0f29c6485bf1daa5112f4923
[root@docker1 ~]# docker image list
REPOSITORY                TAG       IMAGE ID       CREATED          SIZE
snowchuai/centos-httpd    latest    e35843943a72   9 seconds ago    283 MB
snowchuai/centos-sshd     latest    ae717ca509d9   25 minutes ago   279 MB
docker.io/centos          latest    470671670cac   3 weeks ago      237 MB
6) Map the container's web port 80 to host port 8088
[root@docker1 ~]# docker run --name websrv -h websrv1 -d -p 8088:80 snowchuai/centos-httpd /usr/sbin/httpd -DFOREGROUND
59a644b03b20cf1c49b69d6fbffe33719c026bcebc0f472a1433357cb541246e
[root@docker1 ~]# docker ps
CONTAINER ID   IMAGE                    COMMAND                  CREATED         STATUS        PORTS                  NAMES
59a644b03b20   snowchuai/centos-httpd   "/usr/sbin/httpd -..."   3 seconds ago   Up 1 second   0.0.0.0:8088->80/tcp   websrv
7) Confirm that host port 8088 is listening
[root@docker1 ~]# lsof -i tcp:8088
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
docker-pr 3989 root    4u  IPv6  63258      0t0  TCP *:radan-http (LISTEN)
8) Test
[root@docker1 ~]# curl localhost:8088
docker web page
3.3 Build an image from an installed system
1) Pick a Linux distribution and install it in a virtual machine
2) Adjust the system as required
3) Pack the filesystem into a new image
Option notes: --numeric-owner records owners and groups as numeric uid/gid; --exclude leaves the given paths out (pseudo-filesystems and temporary data do not belong in an image)
[root@c7 ~]# tar --numeric-owner --exclude=/proc --exclude=/sys --exclude=/tmp -cf c7.tar /
4) Import the image
[root@docker1 ~]# cat c7.tar | docker import - linuxc7:latest
# Everything on the source system goes into the image, including /etc/shadow, SSH host keys and any credentials left in home directories; strip those before packing or exclude them as well.
3.4 Docker image backup and restore
1) Back up an image
[root@docker1 ~]# docker images
[root@docker1 ~]# docker save centos:latest > centos.tar
2) Restore the backup
[root@docker1 ~]# docker rmi centos:latest
[root@docker1 ~]# docker images
[root@docker1 ~]# docker load < centos.tar
3) Back up all images
[root@docker1 ~]# docker save $(docker images | sed 1d | awk '{print $1}') > centos-all.tar
[root@docker1 ~]# ls -lh centos-all.tar
-rw-r--r-- 1 root root 318M Feb 8 17:16 centos-all.tar
# The pipeline passes repository names only, so docker save writes every tag of each repository; it fails on dangling images whose repository shows as <none>.
4. Docker networking - single host
4.1 Bridge mode
About bridge mode
    Bridge mode is Docker's default network mode. Containers get addresses from the network behind the host's docker0 bridge, 172.17.0.0/16 by default (docker0 itself is 172.17.0.1/16). Not passing --net selects bridge mode. When docker run -p is used, Docker inserts DNAT rules into iptables to forward the port; they can be seen with iptables -t nat -vnL. These rules are evaluated before the host's INPUT-chain firewall rules, so a published port is reachable even when the host firewall would block it.
 +---------------------------------------------------------------------+
 |   +------------------------+       +------------------------+       |
 |   |   Docker container 1   |       |   Docker container 2   |       |
 |   +---------eth0-----------+       +----------eth0----------+       |
 |              |                                |                     |
 |------------vethx-----------------------------vethx------------------|
 |              |                                |                     |
 |------------------Local Host(docker0(172.17.0.1/16))-----------------|
 |                              |                                      |
 |                        IP-Forwarding                                |
 |                              |                                      |
 +---------------------Local Host(eth0:192.168.10.21)------------------+
1) Use bridge mode
[root@docker1 ~]# docker rm -f $(docker ps -a | sed 1d | awk '{print $1}')
[root@docker1 ~]# docker run -ti --name snow -h lisa --net=bridge centos /bin/bash
[root@lisa /]# ip a s eth0
44: eth0@if45: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:2/64 scope link
       valid_lft forever preferred_lft forever
2) Verify
[root@docker1 ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.0242e1b7b458       no              veth99852aa
[root@docker1 ~]# docker attach snow
[root@lisa /]# ping -c 2 www.1000cc.net.cn
PING www.1000cc.net.cn (122.51.252.99) 56(84) bytes of data.
64 bytes from 122.51.252.99 (122.51.252.99): icmp_seq=1 ttl=50 time=36.2 ms
64 bytes from 122.51.252.99 (122.51.252.99): icmp_seq=2 ttl=50 time=35.9 ms

--- www.1000cc.net.cn ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 60ms
rtt min/avg/max/mdev = 35.892/36.064/36.236/0.172 ms
3) Show a container's IP address
Syntax: docker inspect --format '{{ .NetworkSettings.IPAddress }}' <container ID or name>
[root@docker1 ~]# docker inspect --format '{{ .NetworkSettings.IPAddress }}' snow
172.17.0.2
# This field is only filled in for containers on the default bridge; on a user-defined network (4.5) it is empty and the address is under .NetworkSettings.Networks.<network>.IPAddress.
4) Show the IP addresses of all running containers
[root@docker1 ~]# vim look-container-ip.sh
#!/bin/bash
# Print "<name>:<ip>" for every running container
name=$(docker ps | sed 1d | awk '{print $NF}')

for nic in $name
do
    ipaddr=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "$nic")
    echo "$nic:$ipaddr"
done

[root@docker1 ~]# chmod 700 look-container-ip.sh
[root@docker1 ~]# ./look-container-ip.sh
gzliu:172.17.0.3
snow:172.17.0.2
5) Script to show the IP addresses of the containers given as arguments
[root@docker1 ~]# vim look-ip.sh
#!/bin/bash
# Usage: ./look-ip.sh <container> [<container> ...]
cutip () {
    ipaddr=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "$1")
    echo "$1: $ipaddr"
}

for nic in "$@"
do
    cutip "$nic"
done

[root@docker1 ~]# chmod 700 look-ip.sh
[root@docker1 ~]# ./look-ip.sh snow gzliu
snow: 172.17.0.2
gzliu: 172.17.0.3
4.2 Host mode
About host mode
    In host mode the container does not get its own network namespace; it shares the host's. It has no virtual NIC or IP address of its own and uses the host's addresses and ports directly. Everything else (filesystem, process list and so on) remains isolated from the host. Because the container can bind any host port and sees all host interfaces, use host mode only for workloads you trust as much as the host itself.
 +---------------------------------------------------------------------+
 |   +------------------------+       +------------------------+       |
 |   |   Docker container 1   |       |   Docker container 2   |       |
 |   +--eth0(192.168.10.xx)---+       +--eth0(192.168.10.xx)---+       |
 |                                                                     |
 +---------------------Local Host(eth0:192.168.10.21)------------------+
1) Start a container in host mode
[root@docker1 ~]# docker run -it --net=host --name lisa -h lisa centos /bin/bash
2) Verify
[root@lisa /]# ip a s eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:50:da:36 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.21/24 brd 192.168.10.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::bf48:bfc:a2b0:a8e6/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
[root@lisa /]# ping -c 2 www.1000cc.net.cn
PING www.1000cc.net.cn (122.51.252.99) 56(84) bytes of data.
64 bytes from 122.51.252.99 (122.51.252.99): icmp_seq=1 ttl=51 time=37.0 ms
64 bytes from 122.51.252.99 (122.51.252.99): icmp_seq=2 ttl=51 time=36.1 ms

--- www.1000cc.net.cn ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 36.149/36.582/37.016/0.473 ms
4.3 Container mode
About container mode
    1. In container mode the new container shares the network namespace of an existing container rather than the host's.
    2. The new container does not get its own NIC or IP address; it shares the IP address and port range of the specified container.
    3. As before, the two containers are isolated in every other respect (filesystem, process list and so on). Processes in the two containers can talk to each other over the lo interface.
 +----------------------------------------------------------------------+
 |   +-----------------------+                +-----------------------+ |
 |   |  Docker container 1   +--(shared eth0)-+  Docker container 2   | |
 |   +-----------------------+       |        +-----------------------+ |
 |                                   |                                  |
 |---------------------------------vethx--------------------------------|
 |                                   |                                  |
 |------------------Local Host(docker0(172.17.0.1/16))------------------|
 |                                   |                                  |
 |                             IP-Forwarding                            |
 |                                   |                                  |
 +---------------------Local Host(eth0:192.168.10.21)-------------------+
1) Set up container mode
(1) Start a container in bridge mode
[root@docker1 ~]# docker rm -f $(docker ps -a | sed 1d | awk '{print $1}')
[root@docker1 ~]# docker run -tid --name gzliu -h gzlau --net=bridge centos /bin/bash
[root@docker1 ~]# docker inspect --format '{{ .NetworkSettings.IPAddress }}' gzliu
172.17.0.2
(2) Start a second container that joins the first one's network
[root@docker1 ~]# docker run -it --net=container:gzliu --name snowchuai centos /bin/bash
[root@gzlau /]# ip a s eth0      # note the hostname: the new container is attached to the gzlau container's network
50: eth0@if51: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:2/64 scope link
       valid_lft forever preferred_lft forever
4.4 None mode
About none mode
    1. In none mode the container has its own network namespace, but Docker does not configure any networking in it.
    2. The container has no NIC, IP address or routes; you must add an interface and configure an address yourself (see 5.2 for one way to do that).
 +----------------------------------------------------------------------+
 |   +-----------------------+                +-----------------------+ |
 |   |  Docker container 1   |                |  Docker container 2   | |
 |   +-----------------------+                +-----------------------+ |
 |                                                                      |
 +---------------------Local Host(eth0:192.168.10.21)-------------------+
1) Start a container in none mode
[root@docker1 ~]# docker run -ti --net=none --name c7 centos /bin/bash
[root@673082ca2fc5 /]# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
4.5 Adding a network segment and assigning a fixed IP to a container
# A fixed IP can only be assigned on a user-defined network, not on the default bridge network
[root@docker1 ~]# docker network create --driver bridge --subnet=172.22.0.0/16 --gateway=172.22.0.1 1000y
577593accc9ff1b72163da7661964351f9c95ee07abee7d1bfdff6cbf8c6ee53
[root@docker1 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
577593accc9f        1000y               bridge              local
975cbfa47932        bridge              bridge              local
0aee05d74865        host                host                local
e44aca320f04        none                null                local
[root@docker1 ~]# docker network inspect 1000y
[
    {
        "Name": "1000y",
        "Id": "577593accc9ff1b72163da7661964351f9c95ee07abee7d1bfdff6cbf8c6ee53",
        "Created": "2020-07-21T03:35:29.345620264+08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.22.0.0/16",
                    "Gateway": "172.22.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]
[root@docker1 ~]# docker run -itd --net=1000y --ip 172.22.0.222 --name lisa -h lisa centos /bin/bash
[root@docker1 ~]# docker inspect lisa | grep IPv4
                    "IPv4Address": "172.22.0.222"
# Containers on a user-defined bridge can resolve each other by name; containers on different user-defined networks are isolated from each other by Docker's iptables rules, which makes such networks a simple way to segment workloads.
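The two scripts in 4.1 rely on .NetworkSettings.IPAddress, which is only populated for the default bridge; for the container on 1000y above the page has to fall back to grepping IPv4Address. The following script is an added example (not part of the original manual) that reads docker inspect JSON for any number of containers and reports the address on every network a container is attached to, covering both the 4.1 and the 4.5 cases. The three records are constructed for the example, including one host-mode container that has no address of its own.

```python
"""List each container's IP address on every network it is attached to.

Added example, not part of the original manual. `docker inspect --format
'{{ .NetworkSettings.IPAddress }}'` only reports the address on the default
bridge; for a container on a user-defined network that field is empty and the
address lives under .NetworkSettings.Networks.<name>.IPAddress. The records
below are constructed; against a live host run:
    docker inspect $(docker ps -q) | python3 container_ips.py
"""
import json
import sys

SAMPLE_INSPECT = json.dumps([
    {   # container on the default bridge, as in 4.1
        "Name": "/snow",
        "NetworkSettings": {
            "IPAddress": "172.17.0.2",
            "Networks": {"bridge": {"IPAddress": "172.17.0.2", "Gateway": "172.17.0.1"}},
        },
    },
    {   # container on the user-defined network 1000y with a fixed IP, as in 4.5
        "Name": "/lisa",
        "NetworkSettings": {
            "IPAddress": "",
            "Networks": {"1000y": {"IPAddress": "172.22.0.222", "Gateway": "172.22.0.1"}},
        },
    },
    {   # --net=host: the container shares the host stack and has no address of its own
        "Name": "/hostnet",
        "NetworkSettings": {"IPAddress": "", "Networks": {"host": {"IPAddress": "", "Gateway": ""}}},
    },
])


def container_ips(inspect_json):
    """Return {container_name: {network_name: ip}}; networks without an address are dropped."""
    result = {}
    for rec in json.loads(inspect_json):
        name = rec["Name"].lstrip("/")
        nets = rec.get("NetworkSettings", {}).get("Networks") or {}
        result[name] = {net: cfg["IPAddress"] for net, cfg in nets.items() if cfg.get("IPAddress")}
    return result


def legacy_ip(inspect_json, name):
    """What the manual's --format '{{ .NetworkSettings.IPAddress }}' prints for one container."""
    for rec in json.loads(inspect_json):
        if rec["Name"].lstrip("/") == name:
            return rec["NetworkSettings"].get("IPAddress", "")
    raise KeyError(name)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, nets in container_ips(data).items():
        shown = ", ".join(f"{net}={ip}" for net, ip in nets.items())
        print(f"{name}: {shown or '(no address: host or none mode)'}")
```

The same distinction matters for firewall rules and monitoring: anything keyed on .NetworkSettings.IPAddress silently sees an empty string for containers on user-defined networks.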
5. Docker networking - multi-host
5.1 Direct routing
 +--------------------------------+     +--------------------------------+
 |   +------------------------+   |     |  +------------------------+    |
 |   |   Docker container 1   |   |     |  |   Docker container 2   |    |
 |   +---------eth0-----------+   |     |  +----------eth0----------+    |
 |              |                 |     |               |                |
 |------------vethx---------------|     |------------vethx---------------|
 |              |                 |     |              |                 |
 |-----docker0(172.16.1.1/24)-----+     |-----docker0(172.16.2.1/24)-----+
 |              |                 |     |              |                 |
 |              |                 |     |              |                 |
 |        IP-Forwarding           |     |        IP-Forwarding           |
 |              |                 |     |              |                 |
 |              |                 |     |              |                 |
 +-Local Host(eth0:192.168.10.21)-+     +-Local Host(eth0:192.168.10.22)-+
                |                                      |
                |                                      |
                |          +---------------+           |
                +----------|    Switch     |-----------+
                           +---------------+
1) Change the configuration on each Docker host
(1) docker package
[root@docker1 ~]# vim /etc/sysconfig/docker-network
DOCKER_NETWORK_OPTIONS="--bip=172.16.1.1/24"
[root@docker1 ~]# systemctl restart docker
(2) docker-ce package
[root@docker1 ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://3laho3y3.mirror.aliyuncs.com"],
  "bip": "172.16.1.1/24"
}
[root@docker1 ~]# systemctl restart docker
# Add the route and the firewall rules
[root@docker1 ~]# route add -net 172.16.2.0/24 gw 192.168.10.22
[root@docker1 ~]# iptables -t nat -F POSTROUTING
[root@docker1 ~]# iptables -t nat -A POSTROUTING -s 172.16.1.0/24 ! -d 172.16.0.0/16 -j MASQUERADE
[root@docker1 ~]# iptables -A FORWARD -s 172.16.2.0/24 -d 172.16.1.0/24 -j ACCEPT
# Flushing POSTROUTING removes the MASQUERADE rule Docker installed; the replacement only NATs traffic that leaves the 172.16.0.0/16 container range, so containers on the two hosts see each other's real addresses. The route and both iptables rules are not persistent: put them in a startup script or the distribution's rules file. The FORWARD rule admits all traffic from the peer host's containers; narrow it to the ports you need if the hosts carry untrusted workloads.
[root@docker1 ~]# ip a s docker0
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:8a:4d:e9:10 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.1/24 scope global docker0
       valid_lft forever preferred_lft forever
######### Settings on the docker2 node
(1) docker package
[root@docker2 ~]# vim /etc/sysconfig/docker-network
DOCKER_NETWORK_OPTIONS="--bip=172.16.2.1/24"
[root@docker2 ~]# systemctl restart docker
(2) docker-ce package
[root@docker2 ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://3laho3y3.mirror.aliyuncs.com"],
  "bip": "172.16.2.1/24"
}
[root@docker2 ~]# systemctl restart docker
# Add the route and the firewall rules
[root@docker2 ~]# route add -net 172.16.1.0/24 gw 192.168.10.21
[root@docker2 ~]# iptables -t nat -F POSTROUTING
[root@docker2 ~]# iptables -t nat -A POSTROUTING -s 172.16.2.0/24 ! -d 172.16.0.0/16 -j MASQUERADE
[root@docker2 ~]# iptables -A FORWARD -s 172.16.1.0/24 -d 172.16.2.0/24 -j ACCEPT
[root@docker2 ~]# ip a s docker0
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:62:8c:1a:df brd ff:ff:ff:ff:ff:ff
    inet 172.16.2.1/24 scope global docker0
       valid_lft forever preferred_lft forever
2) Start a container on each Docker host and note its IP address
[root@docker1 ~]# docker run -it --name snow -h snow centos /bin/bash
[root@snow /]# ip a s eth0
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:c0:a8:bc:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.16.1.2/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:c0ff:fea8:bc02/64 scope link
       valid_lft forever preferred_lft forever
[root@docker2 ~]# docker run -it --name gzliu -h gz centos /bin/bash
[root@gz /]# ip a s eth0
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:c0:a8:bd:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.16.2.2/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:c0ff:fea8:bd02/64 scope link
       valid_lft forever preferred_lft forever
3) Test: ping the container on docker2 from the container on docker1
[root@snow /]# ping -c 2 172.16.2.2
PING 172.16.2.2 (172.16.2.2) 56(84) bytes of data.
64 bytes from 172.16.2.2: icmp_seq=1 ttl=62 time=0.779 ms
64 bytes from 172.16.2.2: icmp_seq=2 ttl=62 time=0.686 ms

--- 172.16.2.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 0.686/0.732/0.779/0.053 ms
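The route, MASQUERADE and FORWARD commands above are mirror images of each other on the two hosts, and with more hosts every host needs one route and one FORWARD rule per peer. The following script is an added example (not part of the original manual) that generates the per-host command list from a table of hosts; for the two hosts of this section it reproduces the manual's rules, using ip route in place of the legacy route add. The host table and the 172.16.0.0/16 pool are taken from this section; the function names are this example's own.

```python
"""Generate per-host route and iptables commands for the direct-routing setup in 5.1.

Added example, not part of the original manual. Each host gets a route to every
peer's container subnet via the peer's LAN address, a MASQUERADE rule that
exempts traffic staying inside the container pool, and a FORWARD rule admitting
each peer's containers.
"""
import ipaddress

HOSTS = {  # host name -> (LAN address, docker0 subnet given as --bip); values from section 5.1
    "docker1": ("192.168.10.21", "172.16.1.0/24"),
    "docker2": ("192.168.10.22", "172.16.2.0/24"),
}


def direct_route_commands(hosts, pool="172.16.0.0/16"):
    """Return {host: [shell commands]}; raises ValueError if a subnet lies outside the pool."""
    pool_net = ipaddress.ip_network(pool)
    subnets = {name: ipaddress.ip_network(subnet) for name, (_, subnet) in hosts.items()}
    for name, net in subnets.items():
        if not net.subnet_of(pool_net):
            raise ValueError(f"{name}: {net} is outside the container pool {pool_net}")
    # container subnets must not overlap, otherwise the routes are ambiguous
    nets = list(subnets.values())
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping container subnets {a} and {b}")

    out = {}
    for name, (_, subnet) in hosts.items():
        peers = [(peer_ip, peer_subnet) for peer, (peer_ip, peer_subnet) in hosts.items() if peer != name]
        cmds = [f"ip route add {peer_subnet} via {peer_ip}" for peer_ip, peer_subnet in peers]
        cmds.append("iptables -t nat -F POSTROUTING")
        cmds.append(f"iptables -t nat -A POSTROUTING -s {subnet} ! -d {pool_net} -j MASQUERADE")
        cmds += [f"iptables -A FORWARD -s {peer_subnet} -d {subnet} -j ACCEPT" for _, peer_subnet in peers]
        out[name] = cmds
    return out


if __name__ == "__main__":
    for host, cmds in direct_route_commands(HOSTS).items():
        print(f"# {host}")
        print("\n".join(cmds))
```

On Docker 17.06 and later, put the FORWARD rules into the DOCKER-USER chain instead of appending to FORWARD; Docker evaluates that chain first and never flushes it on restart.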
5.2 Cross-host communication with Pipework
 +--------------------------------+     +--------------------------------+
 |   +------------------------+   |     |  +------------------------+    |
 |   |   Docker container 1   |   |     |  |   Docker container 2   |    |
 |   +---------eth1-----------+   |     |  +----------eth1----------+    |
 |              |                 |     |               |                |
 |------------vethx---------------|     |------------vethx---------------|
 |              |                 |     |              |                 |
 |-----br0(192.168.10.121/24)-----+     |-----br0(192.168.10.122/24)-----+
 |              |                 |     |              |                 |
 |              |                 |     |              |                 |
 |              |                 |     |              |                 |
 +-Local Host(eth0, slave of br0)-+     +-Local Host(eth0, slave of br0)-+
                |                                      |
                |                                      |
                |          +---------------+           |
                +----------|    Switch     |-----------+
                           +---------------+
# Containers attached this way sit directly on the host LAN: Docker's port publishing and its iptables rules play no part, so the host or the network must filter their traffic.
1) Create the br0 bridge
(1) Set up br0 on the docker1 host
# Deleting the eth0 connection drops the host's network for a moment; do this from the console rather than over SSH.
[root@docker1 ~]# nmcli connection add type bridge autoconnect yes con-name br0 ifname br0
Connection 'br0' (491dd4da-1641-4ff2-bf5b-17a928d700d1) successfully added.
[root@docker1 ~]# nmcli connection modify br0 ipv4.addresses 192.168.10.121/24 ipv4.method manual
[root@docker1 ~]# nmcli connection modify br0 ipv4.gateway 192.168.10.1
[root@docker1 ~]# nmcli connection modify br0 ipv4.dns 114.114.114.114
# Add eth0 to br0
[root@docker1 ~]# nmcli connection delete eth0
Connection 'eth0' (43e81ba8-5171-4ca6-ae34-58c64d73d9a9) successfully deleted.
[root@docker1 ~]# nmcli connection add type bridge-slave autoconnect yes con-name eth0 ifname eth0 master br0
Connection 'eth0' (b3eea871-56c1-4cfb-a57b-d7df454ee8a8) successfully added.
[root@docker1 ~]# nmcli device disconnect br0
Device 'br0' successfully disconnected.
[root@docker1 ~]# nmcli device connect eth0
Device 'eth0' successfully activated with 'b3eea871-56c1-4cfb-a57b-d7df454ee8a8'.
[root@docker1 ~]# ip a s br0
9: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:13:3c:d4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.121/24 brd 192.168.10.255 scope global noprefixroute br0
       valid_lft forever preferred_lft forever
    inet6 fe80::f855:966f:1de9:eed6/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
(2) Set up br0 on the docker2 host
[root@docker2 ~]# nmcli connection add type bridge autoconnect yes con-name br0 ifname br0
[root@docker2 ~]# nmcli connection modify br0 ipv4.addresses 192.168.10.122/24 ipv4.method manual
[root@docker2 ~]# nmcli connection modify br0 ipv4.gateway 192.168.10.1
[root@docker2 ~]# nmcli connection modify br0 ipv4.dns 114.114.114.114
# Add eth0 to br0
[root@docker2 ~]# nmcli connection delete eth0
[root@docker2 ~]# nmcli connection add type bridge-slave autoconnect yes con-name eth0 ifname eth0 master br0
[root@docker2 ~]# nmcli device disconnect br0
[root@docker2 ~]# nmcli device connect eth0
[root@docker2 ~]# ip a s br0
9: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:13:3c:d4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.122/24 brd 192.168.10.255 scope global noprefixroute br0
       valid_lft forever preferred_lft forever
    inet6 fe80::f855:966f:1de9:eed6/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
2) Change the configuration on each Docker host
(1) docker package
[root@docker1 ~]# vim /etc/sysconfig/docker-network
DOCKER_NETWORK_OPTIONS="-b=br0"
[root@docker1 ~]# systemctl restart docker
[root@docker2 ~]# vim /etc/sysconfig/docker-network
DOCKER_NETWORK_OPTIONS="-b=br0"
[root@docker2 ~]# systemctl restart docker
(2) docker-ce package
[root@docker1 ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://3laho3y3.mirror.aliyuncs.com"],
  "bridge": "br0"
}
[root@docker1 ~]# systemctl restart docker
[root@docker2 ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://3laho3y3.mirror.aliyuncs.com"],
  "bridge": "br0"
}
[root@docker2 ~]# systemctl restart docker
3) Download pipework
# pipework is a shell script that is run as root on the host; review it after cloning, as with anything pulled from a public repository and executed with those privileges.
[root@docker1 ~]# yum install git -y
[root@docker1 ~]# git clone https://github.com/jpetazzo/pipework
[root@docker1 ~]# cp pipework/pipework /usr/local/bin/
[root@docker2 ~]# yum install git -y
[root@docker2 ~]# git clone https://github.com/jpetazzo/pipework
[root@docker2 ~]# cp pipework/pipework /usr/local/bin/
4) Create the containers in none network mode
[root@docker1 ~]# docker run -it --net=none --name snow -h snow centos /bin/bash
[root@snow /]# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
[root@snow /]# [^p][^q]
[root@docker2 ~]# docker run -it --net=none --name gzliu -h gz centos /bin/bash
[root@gz /]# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
[root@gz /]# [^p][^q]
5) Assign IP addresses to the containers
(1) On the docker1 host
# Syntax: pipework br0 <container ID or name> <IP/prefix>@<gateway>
[root@docker1 ~]# pipework br0 snow 192.168.10.123/24@192.168.10.1
[root@docker1 ~]# docker attach snow
[root@snow /]# ip a s eth1
7: eth1@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:29:53:db:41:5a brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.10.123/24 brd 192.168.10.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::5029:53ff:fedb:415a/64 scope link
       valid_lft forever preferred_lft forever
[root@snow /]# ip r s
default via 192.168.10.1 dev eth1
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.123
# If the network has a DHCP server, pipework can obtain the container's address from it instead:
[root@docker1 ~]# pipework br0 snow dhcp
(2) On the docker2 host
# Syntax: pipework br0 <container ID or name> <IP/prefix>@<gateway>
[root@docker2 ~]# pipework br0 gzliu 192.168.10.124/24@192.168.10.1
[root@docker2 ~]# docker attach gzliu
[root@gz /]# ip a s eth1
11: eth1@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether de:f5:e9:85:ea:19 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.10.124/24 brd 192.168.10.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::dcf5:e9ff:fe85:ea19/64 scope link
       valid_lft forever preferred_lft forever
[root@gz /]# ip r s
default via 192.168.10.1 dev eth1
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.124
# The interface pipework adds is not managed by Docker: it disappears when the container restarts and has to be added again.
6) Test
[root@snow /]# ping -c 2 192.168.10.124
PING 192.168.10.124 (192.168.10.124) 56(84) bytes of data.
64 bytes from 192.168.10.124: icmp_seq=1 ttl=64 time=0.726 ms
64 bytes from 192.168.10.124: icmp_seq=2 ttl=64 time=0.624 ms

--- 192.168.10.124 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 0.624/0.675/0.726/0.051 ms
5.3 Cross-host networking with Flannel
5.3.1 Flannel topology
 +--------------------------------+     +--------------------------------+
 |      docker1.1000cc.net        |     |      docker2.1000cc.net        |
 |     Docker (with containers)   |     |     Docker (with containers)   |
 |         Etcd, Flannel          |     |            Flannel             |
 +------(eth0:192.168.10.21)------+     +------(eth0:192.168.10.22)------+
                |                                      |
                +--------------------------------------+
                    If you followed the previous section, delete br0 first
5.3.2 Setting up the Flannel network: master node
1) Configure the hosts file
[root@docker1 ~]# vim /etc/hosts
......
......
......
......
......
......
192.168.10.21 docker1.1000cc.net
192.168.10.21 etcd
192.168.10.22 docker2.1000cc.net
[root@docker1 ~]# scp /etc/hosts root@192.168.10.22:/etc/
hosts                                         100%  244   200.1KB/s   00:00
2) Install and configure etcd
[root@docker1 ~]# yum install -y etcd
[root@docker1 ~]# cp /etc/etcd/etcd.conf /etc/etcd/etcd.conf.bak
[root@docker1 ~]# vim /etc/etcd/etcd.conf
......
# Line 3: data directory
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
......
# Line 6: client listen addresses
ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:2379,http://0.0.0.0:4001"
......
# Line 9: member name
ETCD_NAME=master
......
# Line 21: addresses advertised to clients
ETCD_ADVERTISE_CLIENT_URLS="http://etcd:2379,http://etcd:4001"
......
# Caveat: configured this way etcd answers on every interface over plain HTTP with no authentication, and the Flannel address plan lives in it. Anyone who can reach TCP 2379/4001 on docker1 can read or rewrite the overlay configuration. Outside a lab, bind the listen URL to the host's own address, firewall the ports, and use etcd's TLS client certificates.
[root@docker1 ~]# systemctl enable --now etcd
3) Test etcd
# Write a key and check that its value comes back
[root@docker1 ~]# etcdctl set testdir/testkey0 0
0
[root@docker1 ~]# etcdctl get testdir/testkey0
0
# etcd health check
[root@docker1 ~]# etcdctl -C http://etcd:4001 cluster-health
member 8e9e05c52164694d is healthy: got healthy result from http://etcd:2379
cluster is healthy
[root@docker1 ~]# etcdctl -C http://etcd:2379 cluster-health
member 8e9e05c52164694d is healthy: got healthy result from http://etcd:2379
cluster is healthy
4) Install Flannel
[root@docker1 ~]# yum install flannel -y
5) Configure Flannel
[root@docker1 ~]# cp /etc/sysconfig/flanneld /etc/sysconfig/flanneld.bak
[root@docker1 ~]# vim /etc/sysconfig/flanneld
......
# Line 4: etcd endpoint
FLANNEL_ETCD_ENDPOINTS="http://etcd:2379"
......
# Line 8: etcd key prefix
FLANNEL_ETCD_PREFIX="/1000cc.io/network"
6) Write the Flannel network config key
[root@docker1 ~]# etcdctl --endpoints http://etcd:2379 set /1000cc.io/network/config '{"Network": "172.16.0.0/16"}'
{"Network":"172.16.0.0/16"}
7) Start the Flannel service
[root@docker1 ~]# systemctl enable --now flanneld.service
8) Restart the docker service
# Clear the values in /etc/sysconfig/docker-network
# Clear the value of "DOCKER_NETWORK_OPTIONS=" in /run/flannel/docker
[root@docker1 ~]# systemctl restart docker
9) Confirm the interfaces
[root@docker1 ~]# ip a s
......
4: flannel0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1472 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 172.16.72.0/16 scope global flannel0
       valid_lft forever preferred_lft forever
    inet6 fe80::2348:9f6d:f9ac:f80b/64 scope link flags 800
       valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:f0:69:69:bf brd ff:ff:ff:ff:ff:ff
    inet 172.16.72.1/24 scope global docker0
       valid_lft forever preferred_lft forever
5.3.3 Worker node
1) Complete the /etc/hosts file (the copy pushed from docker1 in step 1 above)
2) Install Flannel
[root@docker2 ~]# yum install flannel -y
3) Configure Flannel
[root@docker2 ~]# cp /etc/sysconfig/flanneld /etc/sysconfig/flanneld.bak
[root@docker2 ~]# vim /etc/sysconfig/flanneld
......
# Line 4: etcd endpoint
FLANNEL_ETCD_ENDPOINTS="http://etcd:2379"
......
# Line 8: etcd key prefix
FLANNEL_ETCD_PREFIX="/1000cc.io/network"
4) Start the Flannel service
[root@docker2 ~]# systemctl enable --now flanneld.service
5) Restart the docker service
# Clear the values in /etc/sysconfig/docker-network
# Clear the value of "DOCKER_NETWORK_OPTIONS=" in /run/flannel/docker
[root@docker2 ~]# systemctl restart docker
6) Confirm the interfaces
[root@docker2 ~]# ip a s
4: flannel0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1472 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 172.16.28.0/16 scope global flannel0
       valid_lft forever preferred_lft forever
    inet6 fe80::7b7c:c37a:417e:c282/64 scope link flags 800
       valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:41:e7:de:f7 brd ff:ff:ff:ff:ff:ff
    inet 172.16.28.1/24 scope global docker0
       valid_lft forever preferred_lft forever
5.3.4 Verify communication
(1) Start a container on docker1 and confirm its IP address
[root@docker1 ~]# docker run -it --name snow -h snowchuai centos /bin/bash
[root@snowchuai /]# ip a s
......
......
......
......
......
......
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.16.72.2/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:2/64 scope link tentative 
       valid_lft forever preferred_lft forever
(2) Start a container on docker2 and confirm its IP address
[root@docker2 ~]# docker run -it --name gz -h gzliu centos /bin/bash
[root@gzliu /]# ip a s
......
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.16.28.2/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:2/64 scope link tentative
       valid_lft forever preferred_lft forever
(3) External access test
[root@snowchuai /]# ping -c 2 www.1000cc.net
PING 1000cc.net.cn (122.51.252.99) 56(84) bytes of data.
64 bytes from 122.51.252.99 (122.51.252.99): icmp_seq=1 ttl=50 time=37.1 ms
64 bytes from 122.51.252.99 (122.51.252.99): icmp_seq=2 ttl=50 time=35.6 ms

--- 1000cc.net.cn ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 56ms
rtt min/avg/max/mdev = 35.649/36.354/37.060/0.730 ms
[root@gzliu /]# ping -c 2 www.1000cc.net
PING 1000cc.net.cn (122.51.252.99) 56(84) bytes of data.
64 bytes from 122.51.252.99 (122.51.252.99): icmp_seq=1 ttl=50 time=38.4 ms
64 bytes from 122.51.252.99 (122.51.252.99): icmp_seq=2 ttl=50 time=37.9 ms

--- 1000cc.net.cn ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 37.880/38.135/38.391/0.321 ms
(4) Cross-host (overlay) access test
# Docker sets the FORWARD chain policy to DROP; the lab opens it completely. A narrower alternative is to accept only traffic between docker0 and flannel0 (iptables -A FORWARD -i docker0 -o flannel0 -j ACCEPT, plus the reverse direction) and leave the policy alone.
[root@docker1 ~]# iptables -P FORWARD ACCEPT
[root@docker2 ~]# iptables -P FORWARD ACCEPT
[root@snowchuai /]# ping -c 2 172.16.28.2
PING 172.16.28.2 (172.16.28.2) 56(84) bytes of data.
64 bytes from 172.16.28.2: icmp_seq=1 ttl=60 time=1.50 ms
64 bytes from 172.16.28.2: icmp_seq=2 ttl=60 time=1.14 ms

--- 172.16.28.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 1.141/1.321/1.501/0.180 ms
[root@gzliu /]# ping -c 2 172.16.72.2
PING 172.16.72.2 (172.16.72.2) 56(84) bytes of data.
64 bytes from 172.16.72.2: icmp_seq=1 ttl=60 time=1.68 ms
64 bytes from 172.16.72.2: icmp_seq=2 ttl=60 time=1.05 ms

--- 172.16.72.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 1.048/1.362/1.676/0.314 ms
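Before the config key in step 6 of 5.3.2 is written, it is worth checking that the overlay range cannot collide with the host network (a Flannel "Network" overlapping 192.168.10.0/24 would swallow etcd and host traffic on both nodes) and that the per-host subnets Flannel hands out really fall inside it. The script below is an added example, not part of the original manual; it uses only shell arithmetic, and the LAN, network and per-host subnet values are assumptions taken from the outputs above.

```bash
#!/usr/bin/env bash
# Added example, not part of the original manual: pure-shell CIDR arithmetic to
# sanity-check a Flannel address plan before it is written into etcd.
# Assumed values come from the topology above: host LAN 192.168.10.0/24,
# Flannel "Network" 172.16.0.0/16, per-host subnets 172.16.72.0/24 (docker1)
# and 172.16.28.0/24 (docker2).

# ip4_to_int 172.16.72.1 -> 2886748161
ip4_to_int() {
  local a=${1%%.*} rest=${1#*.}
  local b=${rest%%.*}; rest=${rest#*.}
  local c=${rest%%.*} d=${rest#*.}
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_contains OUTER INNER: succeeds when INNER lies entirely inside OUTER
cidr_contains() {
  local outer_ip=${1%/*} outer_len=${1#*/}
  local inner_ip=${2%/*} inner_len=${2#*/}
  [ "$inner_len" -ge "$outer_len" ] || return 1
  # network mask of OUTER as an integer (4294967295 = 0xFFFFFFFF)
  local mask=$(( (4294967295 << (32 - outer_len)) & 4294967295 ))
  [ $(( $(ip4_to_int "$outer_ip") & mask )) -eq $(( $(ip4_to_int "$inner_ip") & mask )) ]
}

# cidr_overlap A B: succeeds when the two ranges share at least one address
cidr_overlap() {
  cidr_contains "$1" "$2" || cidr_contains "$2" "$1"
}

# check_flannel_plan LAN NETWORK SUBNET...: prints one line per problem and
# succeeds only when the plan is clean
check_flannel_plan() {
  local lan=$1 network=$2 subnet ok=0
  shift 2
  if cidr_overlap "$lan" "$network"; then
    echo "overlap: Flannel network $network collides with host LAN $lan"
    ok=1
  fi
  for subnet in "$@"; do
    if ! cidr_contains "$network" "$subnet"; then
      echo "outside: host subnet $subnet is not inside $network"
      ok=1
    fi
  done
  return $ok
}

# Stand-alone run: the manual's plan, then a deliberately bad one
check_flannel_plan 192.168.10.0/24 172.16.0.0/16 172.16.72.0/24 172.16.28.0/24 \
  && echo "plan OK"
check_flannel_plan 192.168.10.0/24 192.168.0.0/16 192.168.72.0/24 \
  || echo "plan rejected"
```

The per-host /24 values to feed in are the ones flannel0 and docker0 show in step 9 (172.16.72.0/24 and 172.16.28.0/24 here); the check is cheap enough to run on every node after flanneld starts.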
6. Storage management
6.1 Mounting a local directory into a container
1) Create a data volume for a container (volume mode)
[root@srv1 ~]# docker volume create nginx-vol
nginx-vol
[root@srv1 ~]# docker volume ls
DRIVER              VOLUME NAME
local               nginx-vol
[root@srv1 ~]# docker volume inspect nginx-vol
[
    {
        "Driver": "local",
        "Labels": {},
        "Mountpoint": "/var/lib/docker/volumes/nginx-vol/_data",
        "Name": "nginx-vol",
        "Options": {},
        "Scope": "local"
    }
]
[root@srv1 ~]# docker run -d --name=websrv -h websrv -p 80:80 -v nginx-vol:/usr/share/nginx/html nginx
dbd57aba999e640124ab5c381a5fd27f3023dbbaee8d9c1018ab770aaea7f169
[root@srv1 ~]# echo "hello world" > /var/lib/docker/volumes/nginx-vol/_data/index.html
2) Give the container a /savedisk directory backed by an anonymous volume
# -v with only a container path creates an anonymous volume under /var/lib/docker/volumes; it is not a bind mount of a host directory
[root@docker1 ~]# docker run -it --name snow -h snowchuai -v /savedisk centos /bin/bash
[root@snowchuai /]# ls -ld /savedisk
drwxr-xr-x 2 root root 4096 Feb  8 17:00 /savedisk
3) Mount the host directory /docker-disk at /mnt in the container (bind mount)
[root@docker1 ~]# mkdir /docker-disk
[root@docker1 ~]# touch /docker-disk/test.txt
[root@docker1 ~]# docker run -it --name snow -h snowchuai -v /docker-disk:/mnt centos /bin/bash
[root@snowchuai /]# ls -l /mnt/
total 0
-rw-r--r-- 1 root root 0 Feb  8 16:53 test.txt
[root@snowchuai /]# touch /mnt/a.txt
[root@snowchuai /]# exit
[root@docker1 ~]# ls -l /docker-disk/
total 0
-rw-r--r-- 1 root root 0 Feb  9 00:55 a.txt
-rw-r--r-- 1 root root 0 Feb  9 00:53 test.txt
4) Mount the host directory /docker-disk at /mnt read-only
# A bind mount hands the container the host's files with the host's permissions; root inside the container is root on those files. Use :ro wherever the container only needs to read.
[root@docker1 ~]# docker run -it --name snow -h snowchuai -v /docker-disk:/mnt:ro centos /bin/bash
[root@snowchuai /]# touch /mnt/xyz.txt
touch: cannot touch '/mnt/xyz.txt': Read-only file system
6.2 Sharing volumes between containers
1) Share a volume between containers
(1) Create the first container, snow, with the host directory /docker-disk mounted at /mnt
[root@docker1 ~]# docker run -it --name snow -h snowchuai -v /docker-disk:/mnt centos /bin/bash
[root@snowchuai /]# ls -l /mnt/
total 0
-rw-r--r-- 1 root root 0 Feb  8 16:55 a.txt
-rw-r--r-- 1 root root 0 Feb  8 16:53 test.txt
(2) Create the second container, lisa, and mount the volumes of container snow
[root@docker1 ~]# docker run -it --name lisa -h lisa --volumes-from snow centos /bin/bash
[root@lisa /]# ls -l /mnt/
total 0
-rw-r--r-- 1 root root 0 Feb  8 16:55 a.txt
-rw-r--r-- 1 root root 0 Feb  8 16:53 test.txt
(3) Mount another container's volumes and a local directory at the same time
[root@docker1 ~]# docker run -it --name gz -h gzliu --volumes-from snow -v /tmp:/savedisk centos /bin/bash
(4) Back up a volume
[root@docker1 ~]# docker run -it --name snow -h snowchuai -v /docker-disk:/mnt centos tar cfpz /mnt/etc.tgz /etc
[root@docker1 ~]# ls -l /docker-disk/etc.tgz
-rw-r--r-- 1 root root 800837 Feb  9 01:25 /docker-disk/etc.tgz
(5) Restore the backup
[root@docker1 ~]# mkdir -v /data
[root@docker1 ~]# docker run -itd --name snow -h snowchuai -v /data/:/data centos /bin/bash
[root@docker1 ~]# docker run -it --name gz -h gzliu --volumes-from snow -v /docker-disk/:/backup centos tar xvfz /backup/etc.tgz -C /data
[root@docker1 ~]# ls -l /data
total 4
drwxr-xr-x 51 root root 4096 Feb  9 01:25 etc
7. Creating a private registry
7.1 Setting up a private registry
1) Pull the registry image
[root@docker1 ~]# docker pull registry
[root@docker1 ~]# docker images
REPOSITORY               TAG                 IMAGE ID            CREATED             SIZE
snowchuai/centos-httpd   latest              5c087779ee61        9 hours ago         283 MB
snowchuai/centos-sshd    latest              ae717ca509d9        9 hours ago         279 MB
docker.io/registry       latest              708bc6af7e5e        2 weeks ago         25.8 MB
docker.io/centos         latest              470671670cac        3 weeks ago         237 MB
2) Start the private registry
[root@docker1 ~]# docker run -idt --restart=always \
    --name registry -v /opt/registry:/var/lib/registry \
    -p 5000:5000 registry
e0860472aa25387698c73feebed06e281543f589620f2027c0c6261804192a43
3) Configure the private registry on the docker1 client
# Without TLS the daemon refuses the registry unless it is listed as insecure; every push and pull then travels in clear text and can be tampered with on the wire. Section 7.2 adds a certificate.
(1) docker (distribution package)
[root@docker1 ~]# vim /etc/sysconfig/docker
OPTIONS='--insecure-registry docker1.1000cc.net:5000 --selinux-enabled --log-driver=journald.....'
[root@docker1 ~]# systemctl restart docker
(2) docker-ce
[root@docker1 ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://3laho3y3.mirror.aliyuncs.com"],
  "insecure-registries": ["docker1.1000cc.net:5000"]
}
[root@docker1 ~]# systemctl restart docker
4) Tag the image
[root@docker1 ~]# docker images
REPOSITORY               TAG                 IMAGE ID            CREATED             SIZE
snowchuai/centos-httpd   latest              5c087779ee61        9 hours ago         283 MB
snowchuai/centos-sshd    latest              ae717ca509d9        9 hours ago         279 MB
docker.io/registry       latest              708bc6af7e5e        2 weeks ago         25.8 MB
docker.io/centos         latest              470671670cac        3 weeks ago         237 MB
[root@docker1 ~]# docker tag snowchuai/centos-sshd docker1.1000cc.net:5000/centos-sshd
[root@docker1 ~]# docker images
REPOSITORY                            TAG       IMAGE ID       CREATED        SIZE
snowchuai/centos-httpd                latest    5c087779ee61   9 hours ago    283 MB
docker1.1000cc.net:5000/centos-sshd   latest    ae717ca509d9   10 hours ago   279 MB
snowchuai/centos-sshd                 latest    ae717ca509d9   10 hours ago   279 MB
docker.io/registry                    latest    708bc6af7e5e   2 weeks ago    25.8 MB
docker.io/centos                      latest    470671670cac   3 weeks ago    237 MB
5) Push the image to the private registry
[root@docker1 ~]# docker push docker1.1000cc.net:5000/centos-sshd
The push refers to a repository [docker1.1000cc.net:5000/centos-sshd]
6eb13f7822dd: Pushed
0683de282177: Pushed
latest: digest: sha256:d2fa4f352f2c5de6174ad71cc89c8a4c6fc890d3ecad632d9b7c82cc5f8a628a size: 741
6) List the repositories in the private registry
[root@docker1 ~]# curl -XGET http://docker1.1000cc.net:5000/v2/_catalog
{"repositories":["centos-sshd"]}
7) List the tags of a repository
[root@docker1 ~]# curl -XGET http://docker1.1000cc.net:5000/v2/centos-sshd/tags/list
{"name":"centos-sshd","tags":["latest"]}
8) Test the image from the private registry
[root@docker1 ~]# docker rmi docker1.1000cc.net:5000/centos-sshd
Untagged: docker1.1000cc.net:5000/centos-sshd:latest
Untagged: docker1.1000cc.net:5000/centos-sshd@sha256:d2fa4f352f2c5de6174ad71cc89c8a4c6fc890d3ecad632d9b7c82cc5f8a628a
[root@docker1 ~]# docker pull docker1.1000cc.net:5000/centos-sshd
Using default tag: latest
Trying to pull repository docker1.1000cc.net:5000/centos-sshd ...
latest: Pulling from docker1.1000cc.net:5000/centos-sshd
Digest: sha256:d2fa4f352f2c5de6174ad71cc89c8a4c6fc890d3ecad632d9b7c82cc5f8a628a
Status: Downloaded newer image for docker1.1000cc.net:5000/centos-sshd:latest
[root@docker1 ~]# docker run -it --name test docker1.1000cc.net:5000/centos-sshd /bin/bash
[root@d940054d57fb /]#
7.2 Private registry with TLS
1) Create a certificate
# The key is first generated encrypted and then rewritten without a passphrase so the registry can read it at start-up. Keep it readable by root only; whoever holds it can impersonate the registry to every client.
[root@docker1 ~]# mkdir -p /opt/docker/registry/certs
[root@docker1 ~]# openssl genrsa -aes128 2048 > /opt/docker/registry/certs/domain.key
[root@docker1 ~]# openssl rsa -in /opt/docker/registry/certs/domain.key -out /opt/docker/registry/certs/domain.key
[root@docker1 ~]# openssl req -utf8 -new -key /opt/docker/registry/certs/domain.key -out /opt/docker/registry/certs/domain.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:1000cc.net
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:docker1.1000cc.net
Email Address []:
# Add a subjectAltName section. Go's TLS stack, which Docker is built on, matches the registry host against the SAN list (newer releases ignore the CN entirely), so the names here must be exactly the ones clients will use.
[root@docker1 ~]# vim /etc/pki/tls/openssl.cnf
......
# Append at the end of the file
[ 1000y.cloud ]
subjectAltName = DNS:docker1.1000cc.net, IP:192.168.10.21
[root@docker1 ~]# openssl x509 -in /opt/docker/registry/certs/domain.csr \
    -out /opt/docker/registry/certs/domain.crt \
    -req -signkey /opt/docker/registry/certs/domain.key -days 365 \
    -extfile /etc/pki/tls/openssl.cnf -extensions 1000y.cloud
2) Start the registry container with TLS
[root@docker1 ~]# docker run -itd --restart=always \
    --name registry -v /opt/registry/:/var/lib/registry \
    -v /opt/docker/registry/certs:/certs -p 5000:5000 \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry
91daadaaec4e733ac9439131592e9f69b77e8b9ac53dba0fe2efa18efc67f924
3) On the client, create the certificate directory and copy the crt into it
[root@docker2 ~]# mkdir -p /etc/docker/certs.d/docker1.1000cc.net:5000
[root@docker2 ~]# scp -p root@docker1.1000cc.net:/opt/docker/registry/certs/domain.crt /etc/docker/certs.d/docker1.1000cc.net\:5000/ca.crt
domain.crt                                    100% 2041     1.3MB/s   00:00
[root@docker2 ~]# ls -l /etc/docker/certs.d/docker1.1000cc.net\:5000/ca.crt
-rw-r--r-- 1 root root 2041 Feb  9 02:32 /etc/docker/certs.d/docker1.1000cc.net:5000/ca.crt
4) Configure the private registry on the docker2 client
# With ca.crt in place under certs.d the daemon trusts the registry over HTTPS and no insecure-registry entry is needed; keeping one tells the daemon to fall back to plain HTTP and to ignore certificate errors, which undoes the point of this section. The entries below are kept as in the original lab.
(1) docker (distribution package)
[root@docker2 ~]# vim /etc/sysconfig/docker
OPTIONS='--insecure-registry docker1.1000cc.net:5000 --selinux-enabled --log-driver=journald.....'
[root@docker2 ~]# systemctl restart docker
(2) docker-ce
[root@docker2 ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://3laho3y3.mirror.aliyuncs.com"],
  "insecure-registries": ["docker1.1000cc.net:5000"]
}
[root@docker2 ~]# systemctl restart docker
5) Tag an image on the client
[root@docker2 ~]# docker tag centos docker1.1000cc.net:5000/centos:latest
6) Push to the TLS registry
[root@docker2 ~]# docker push docker1.1000cc.net:5000/centos:latest
The push refers to a repository [docker1.1000cc.net:5000/centos]
0683de282177: Pushed
latest: digest: sha256:9e0c275e0bcb495773b10a18e499985d782810e47b4fce076422acb4bc3da3dd size: 529
7) List the repositories
# -k makes curl skip certificate verification; pass --cacert with the ca.crt copied above to verify instead
[root@docker2 ~]# curl -X GET https://docker1.1000cc.net:5000/v2/_catalog -k
{"repositories":["centos","centos-sshd"]}
8) Inspect the stored image data on the registry host
[root@docker1 ~]# ls /opt/registry/docker/registry/v2/repositories/centos
_layers  _manifests  _uploads
7.3 Private registry with TLS and authentication
1) Stop the previous registry container
2) Install httpd-tools
[root@docker1 ~]# yum install httpd-tools -y
3) Create the account and password
# -B selects bcrypt, the only hash format the registry's htpasswd backend accepts
[root@docker1 ~]# htpasswd -Bc /etc/docker/.htpasswd snow
New password:
Re-type new password:
Adding password for user snow
4) Start the registry
# Only the htpasswd file is needed inside the container; mounting all of /etc/docker also exposes daemon.json to it. A dedicated directory holding just the htpasswd file is the tighter choice.
[root@docker1 ~]# docker run -itd --restart=always --name registry \
    -v /opt/registry/:/var/lib/registry -v /opt/docker/registry/certs:/certs \
    -v /etc/docker:/auth -p 5000:5000 \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -e REGISTRY_AUTH=htpasswd \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/.htpasswd \
    -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" registry
2bf60244f1408c3fbfaa244d1f18f44f79ad7bbb0450e16c8f45fbbdf6ccba60
5) Client login test
[root@docker2 ~]# docker login docker1.1000cc.net:5000
Username: snow
Password:        # enter the password
Login Succeeded
6) Client lists the repositories
# A password given on the command line lands in the shell history and is visible to other users in the process list; curl -u snow (without the colon and password) prompts for it instead
[root@docker2 ~]# curl --user snow:123456 -XGET https://docker1.1000cc.net:5000/v2/_catalog -k
{"repositories":["centos","centos-sshd"]}
7) Push test
(1) Tag the image
[root@docker2 ~]# docker tag busybox docker1.1000cc.net:5000/busybox
(2) Check the stored login credential
# "auth" is base64 of user:password, not a hash; this file must be protected like the password itself
[root@docker2 ~]# cat ~/.docker/config.json
{
	"auths": {
		"docker1.1000cc.net:5000": {
			"auth": "c25vdzoxMjM0NTY="
		}
	}
}
(3) Push the image
[root@docker2 ~]# docker push docker1.1000cc.net:5000/busybox
The push refers to a repository [docker1.1000cc.net:5000/busybox]
195be5f8be1d: Pushed
latest: digest: sha256:edafc0a0fb057813850d1ba44014914ca02d671ae247107ca70c94db686e7de6 size: 527
(4) Client logout
[root@docker2 ~]# docker logout docker1.1000cc.net:5000
Removing login credentials for docker1.1000cc.net:5000
[root@docker2 ~]# cat ~/.docker/config.json
{
	"auths": {}
}
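The config.json shown in 7) (2) is the only thing standing between a reader of the home directory and the registry password: the "auth" value is plain base64 of user:password. The script below is an added example, not part of the original manual. It decodes such entries and flags a config that stores credentials inline rather than through a credential helper; the config.json text is constructed from the one printed above, and the registry name and user are taken from it.

```bash
#!/usr/bin/env bash
# Added example, not part of the original manual: inspect what `docker login`
# leaves in ~/.docker/config.json. The sample below is constructed from the
# file printed in section 7.3 step 7) (2).

SAMPLE_CONFIG='{
    "auths": {
        "docker1.1000cc.net:5000": {
            "auth": "c25vdzoxMjM0NTY="
        }
    }
}'

# decode_docker_auth BASE64 -> "user:password" (the value is not hashed)
decode_docker_auth() {
  printf '%s' "$1" | base64 -d
}

# list_plaintext_auths CONFIG_JSON: prints "registry user" for every stored
# credential. Dependency-free parsing: pair each object key with the "auth"
# value that follows it.
list_plaintext_auths() {
  printf '%s\n' "$1" \
    | grep -oE '"[^"]+": \{|"auth": "[^"]+"' \
    | sed -E 's/^"([^"]+)": \{$/REG \1/; s/^"auth": "([^"]+)"$/AUTH \1/' \
    | while read -r kind value; do
        case $kind in
          REG)  registry=$value ;;
          AUTH) echo "$registry $(decode_docker_auth "$value" | cut -d: -f1)" ;;
        esac
      done
}

# uses_credential_helper CONFIG_JSON: succeeds when the daemon is told to keep
# secrets in an OS keystore ("credsStore"/"credHelpers") instead of this file
uses_credential_helper() {
  printf '%s\n' "$1" | grep -Eq '"(credsStore|credHelpers)"'
}

# Stand-alone run
list_plaintext_auths "$SAMPLE_CONFIG"
uses_credential_helper "$SAMPLE_CONFIG" \
  && echo "credential helper configured" \
  || echo "no credential helper: every auth value above is recoverable with base64 -d"
```

Run against a real ~/.docker/config.json the first function lists which registries a compromised account could log in to; the fix is a credsStore entry (pass, secretservice, osxkeychain, wincred) so that docker login stores nothing recoverable in the file, plus docker logout, as in step (4), on shared hosts.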
8. Dockerfile
8.1 Writing the Dockerfile
[root@docker1 ~]# mkdir DockerFile
[root@docker1 ~]# vim ./DockerFile/Dockerfile
FROM centos
MAINTAINER snowchuai <chuailiming@1000cc.net>
ADD auto.sh /usr/sbin/auto.sh 
RUN dnf install -y openssh-server httpd iproute passwd && \
ssh-keygen -t rsa -q -N '' -f /etc/ssh/ssh_host_rsa_key && \
ssh-keygen -t ecdsa -q -N '' -f /etc/ssh/ssh_host_ecdsa_key && \
ssh-keygen -t ed25519 -q -N '' -f /etc/ssh/ssh_host_ed25519_key && \
sed -i 's/#IgnoreRhosts yes/IgnoreRhosts yes/g' /etc/ssh/sshd_config && \
sed -i 's/^#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config && \
sed -i 's/^GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config && \
echo "123456" | passwd --stdin root && \
echo "1000cc.net" > /var/www/html/index.html && \
chmod 755 /usr/sbin/auto.sh
EXPOSE 22 80
CMD /usr/sbin/auto.sh
# Caveat: the RUN line above bakes the root password "123456" into an image layer (it is readable with docker history --no-trunc), and the image runs its own sshd. That is a lab convenience; for anything else, drop sshd in favour of docker exec, never set a password in a Dockerfile, and add a USER instruction so httpd does not run as root.
[root@docker1 ~]# vim DockerFile/auto.sh
#! /bin/bash
/usr/sbin/sshd -D &
/usr/sbin/httpd -D FOREGROUND
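The weaknesses in the Dockerfile above are mechanical enough to check for before every build. The script below is an added example, not part of the original manual: a dependency-free audit that flags a credential written into a layer, an SSH daemon inside the image, a missing USER instruction, and a base image without tag or digest. Both inputs are constructed for this example; the first condenses the section 8.1 Dockerfile, the second is the shape the audit accepts (it is not a drop-in replacement, since httpd still needs its Listen port and log directories adjusted for a non-root user).

```bash
#!/usr/bin/env bash
# Added example, not part of the original manual: audit a Dockerfile for the
# problems visible in section 8.1. Both inputs are constructed for this example.

RISKY_DOCKERFILE='FROM centos
ADD auto.sh /usr/sbin/auto.sh
RUN dnf install -y openssh-server httpd iproute passwd && \
    echo "123456" | passwd --stdin root && \
    chmod 755 /usr/sbin/auto.sh
EXPOSE 22 80
CMD /usr/sbin/auto.sh'

# Same service without the shell-in-the-container pattern: pinned tag, no sshd,
# no stored password, unprivileged runtime user (httpd config changes omitted).
HARDENED_DOCKERFILE='FROM centos:8
RUN dnf install -y httpd && echo "1000cc.net" > /var/www/html/index.html
USER apache
EXPOSE 8080
CMD ["/usr/sbin/httpd", "-D", "FOREGROUND"]'

# audit_dockerfile CONTENT: prints one finding per line, nothing when clean
audit_dockerfile() {
  local content=$1
  # a password or token written in a RUN/ENV line stays visible in docker history
  printf '%s\n' "$content" | grep -Eq 'passwd --stdin|chpasswd|PASSWORD=|_TOKEN=' \
    && echo "secret: credential baked into an image layer"
  # sshd inside the image is a second login path protected by a shared password
  printf '%s\n' "$content" | grep -Eq 'openssh-server|/usr/sbin/sshd' \
    && echo "sshd: image runs its own SSH daemon; use docker exec instead"
  # without USER every process in the container runs as uid 0
  printf '%s\n' "$content" | grep -Eq '^USER[[:space:]]' \
    || echo "root: no USER instruction, processes run as root"
  # a bare "FROM name" resolves to :latest and silently changes between builds
  printf '%s\n' "$content" | grep -Eq '^FROM[[:space:]]+[^[:space:]:@]+[[:space:]]*$' \
    && echo "supply chain: base image not pinned to a tag or digest"
  return 0
}

# count_findings CONTENT -> number of findings
count_findings() {
  audit_dockerfile "$1" | grep -c .
}

# Stand-alone run
echo "== risky ==";    audit_dockerfile "$RISKY_DOCKERFILE"
echo "== hardened =="; audit_dockerfile "$HARDENED_DOCKERFILE"
```

Feed it the real file with audit_dockerfile "$(cat DockerFile/Dockerfile)"; the four patterns are deliberately simple so that each line of output can be traced back to a grep, and a non-zero count is a reasonable gate in a build script.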
8.2 Build the image
[root@docker1 ~]# cd DockerFile
[root@docker1 DockerFile]# docker build -t centos-ssh2web .
Sending build context to Docker daemon 3.584 kB
Step 1/6 : FROM centos
 ---> a1bef37e0f61
Step 2/6 : MAINTAINER snowchuai <chuailiming@1000cc.net>
 ---> Running in d0167a7f7c55
 ---> 5917a53a734e
Removing intermediate container d0167a7f7c55
Step 3/6 : ADD auto.sh /usr/sbin/auto.sh
 ---> e1212810223f
 ......
 ......
Successfully built 3a153d862633
[root@docker1 DockerFile]# docker images
REPOSITORY       TAG       IMAGE ID       CREATED          SIZE
centos-ssh2web   latest    3a153d862633   58 seconds ago   285 MB
......
8.3 Test the container
[root@docker1 ~]# docker run -itd --name test -p 8080:80 -p 2222:22 centos-ssh2web
c3a0f8cce342782764b6ff8a8d16fa1892af351b77bc6544d605401356d8450a
[root@docker1 ~]# curl localhost:8080
1000cc.net
[root@docker1 ~]# ssh root@localhost -p 2222
The authenticity of host '[localhost]:2222 ([::1]:2222)' can't be established.
ECDSA key fingerprint is SHA256:Y6Wc18jnkKEP/QBgl7LtcKSfeGv2QvTIMFjD35aWwfw.
ECDSA key fingerprint is MD5:2b:08:29:2e:e8:12:e5:9b:d0:27:80:54:15:c4:c2:19.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts.
root@localhost's password:
[root@c3a0f8cce342 ~]#
9. Docker Compose
9.1 Install Docker Compose
# On CentOS 7 do not install a Compose release newer than 1.26.2; newer releases make docker build fail with: unknown flag: --iidfile
[root@docker1 ~]# curl -L \
"https://github.com/docker/compose/releases/download/1.26.2/docker-compose-Linux-x86_64" \
-o /usr/local/bin/docker-compose
# Verify the download against the .sha256 file published alongside the binary in the same GitHub release before making it executable; a binary fetched over the network and run as root deserves that much.
[root@docker1 ~]# chmod 755 /usr/local/bin/docker-compose
[root@docker1 ~]# ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
9.2 Write the Compose file
1) Write the Dockerfiles for web and ssh
(1) Dockerfile for web
[root@docker1 ~]# cd DockerFile
[root@docker1 DockerFile]# vim Dockerfile 
FROM centos
MAINTAINER snow <chuai@1000cc.net>
RUN yum update -y
RUN yum install httpd -y
EXPOSE 80
CMD ["/usr/sbin/apachectl", "-D", "FOREGROUND"]

2) Write the compose file
# Caveat: as written the database is published on 0.0.0.0:3306 with its credentials in the file. Only the web service needs to reach it: drop the db "ports" entry (Compose services reach each other over the project network by service name) or bind it as "127.0.0.1:3306:3306", and keep real passwords out of the YAML.
[root@docker1 DockerFile]# vim docker-compose.yml
version: '3'
services:
  db:
    image: mariadb
    volumes:
      - /var/lib/docker/disk01:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD: password
      MYSQL_USER: snow
      MYSQL_PASSWORD: password
      MYSQL_DATABASE: snow_db
    ports:
      - "3306:3306"
  web:
    build: .
    ports:
      - "8080:80"
    volumes:
      - /var/lib/docker/disk02:/var/www/html
3) Directory and file layout
[root@docker1 DockerFile]# tree
.
├── docker-compose.yml
└── Dockerfile

0 directories, 2 files
4) Build the image and start the containers with Compose
[root@docker1 Docker

File]# docker-compose up -d
......
Creating dockerfile_db_1  ... done
Creating dockerfile_web_1 ... done
[root@docker1 DockerFile]# docker images
REPOSITORY       TAG       IMAGE ID       CREATED          SIZE
dockerfile_web   latest    da7b6fc0ea72   18 seconds ago   412 MB
......
[root@docker1 DockerFile]# docker ps -a
CONTAINER ID   IMAGE            COMMAND                  CREATED         STATUS         PORTS                    NAMES
a403c68e881d   dockerfile_web   "/usr/sbin/apachec..."   2 minutes ago   Up 2 minutes   0.0.0.0:8080->80/tcp     dockerfile_web_1
aad47e5fc73d   mariadb          "docker-entrypoint..."   2 minutes ago   Up 2 minutes   0.0.0.0:3306->3306/tcp   dockerfile_db_1
9.3 Deploying a Harbor registry
1) Install docker-ce or docker 1.13+ together with docker-compose
2) Create a certificate
# This one-liner produces a certificate with only a CN. Current Docker and Helm clients match the host name against subjectAltName, as in 7.2; with OpenSSL 1.1.1 or newer add -addext "subjectAltName=DNS:srv2.1000y.cloud" to the command, otherwise use the openssl.cnf approach from 7.2.
[root@srv2 ~]# mkdir -p /opt/docker/registry/certs
[root@srv2 ~]# openssl req -newkey rsa:4096 -nodes -sha256 \
    -keyout /opt/docker/registry/certs/domain.key -x509 -days 365 \
    -out /opt/docker/registry/certs/domain.crt
Generating a 4096 bit RSA private key
........................................................++
.....................................................++
writing new private key to '/opt/docker/registry/certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:1000y.cloud
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:srv2.1000y.cloud
Email Address []:
3) Configure and install Harbor
[root@srv2 ~]# curl -O \
    https://github.com/goharbor/harbor/releases/download/v2.9.0/harbor-offline-installer-v2.9.0.tgz
[root@srv2 ~]# tar xfz harbor-offline-installer-v2.9.0.tgz
[root@srv2 ~]# cd harbor/
[root@srv2 harbor]# cp harbor.yml.tmpl harbor.yml
[root@srv2 harbor]# vim harbor.yml
......
# Line 5: the Harbor host name
hostname: srv2.1000y.cloud
......
# Lines 17-18: path and file name of the certificate and private key
certificate: /opt/docker/registry/certs/domain.crt
private_key: /opt/docker/registry/certs/domain.key
......
# Line 36: harbor_admin_password is the initial admin password; change it from the default before anyone else can reach the service
harbor_admin_password: Harbor12345
......
[root@srv2 harbor]# ./prepare
prepare base dir is set to /root/harbor
Unable to find image 'goharbor/prepare:v2.9.0' locally
Trying to pull repository docker.io/goharbor/prepare ...
v2.9.0: Pulling from docker.io/goharbor/prepare
......
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[root@srv2 harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
......
✔ ----Harbor has been installed and started successfully.----
[root@srv2 harbor]# docker-compose ps
################################################## Troubleshooting ##################################################
1. After the docker service is restarted some Harbor processes may fail to come back, leaving Harbor unreachable. Recover with:
[root@srv2 ~]# docker-compose ps
[root@srv2 ~]# cd harbor/
[root@srv2 harbor]# docker-compose up -d
2. Stop every service started by docker-compose:
[root@srv2 harbor]# docker-compose stop
################################################## End ##################################################
4) Access Harbor
[browser] ---> http://harbor_srv_fqdn/   (Harbor redirects to HTTPS once the certificate is configured)

5) On the client, create the certificate directory and copy the crt into it
[root@srv1 ~]# mkdir -p /etc/docker/certs.d/srv2.1000y.cloud
[root@srv1 ~]# scp -p root@srv2.1000y.cloud:/opt/docker/registry/certs/domain.crt /etc/docker/certs.d/srv2.1000y.cloud/ca.crt
domain.crt                                    100% 2041     1.3MB/s   00:00
[root@srv1 ~]# ls -l /etc/docker/certs.d/srv2.1000y.cloud/ca.crt
-rw-r--r-- 1 root root 2041 Sep 24 17:05 /etc/docker/certs.d/srv2.1000y.cloud/ca.crt
6) Configure the private registry on the srv1 client
# As in 7.2, the insecure-registry entry is unnecessary once ca.crt is trusted and it weakens the setup; it is kept here as in the original lab.
(1) docker (distribution package)
[root@srv1 ~]# vim /etc/sysconfig/docker
OPTIONS='--insecure-registry srv2.1000y.cloud --selinux-enabled --log-driver=journald.....'
[root@srv1 ~]# systemctl restart docker
(2) docker-ce
[root@srv1 ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://3laho3y3.mirror.aliyuncs.com"],
  "insecure-registries": ["srv2.1000y.cloud"]
}
[root@srv1 ~]# systemctl restart docker
7) Image push test
[root@srv1 ~]# docker images
REPOSITORY        TAG       IMAGE ID       CREATED         SIZE
docker.io/nginx   latest    605c77e624dd   21 months ago   141 MB
[root@srv1 ~]# docker tag docker.io/nginx:latest srv2.1000y.cloud/library/nginx
[root@srv1 ~]# docker login srv2.1000y.cloud
Username: admin
Password:
Login Succeeded
[root@srv1 ~]# docker push srv2.1000y.cloud/library/nginx
The push refers to a repository [srv2.1000y.cloud/library/nginx]
d874fd2bc83b: Pushed
32ce5f6a5106: Pushed
f1db227348d0: Pushed
b8d6e692a25e: Pushed
e379e8aedd4d: Pushed
2edcec3590a4: Pushed
latest: digest: sha256:ee89b00528ff4f02f2405e4ee221743ebc3f8e8dd0bfd5c4c20a2fa2aaa7ede3 size: 1570

8) Chart test
(1) Install helm
[root@srv1 ~]# wget https://mirrors.huaweicloud.com/helm/v3.12.3/helm-v3.12.3-linux-amd64.tar.gz
[root@srv1 ~]# tar xfz helm-v3.12.3-linux-amd64.tar.gz
[root@srv1 ~]# cp linux-amd64/helm /usr/local/bin/
[root@srv1 ~]# helm version
version.BuildInfo{Version:"v3.12.3", GitCommit:"......
(2) Log in to the registry
# --insecure and --insecure-skip-tls-verify disable certificate checks. With the Harbor ca.crt from step 5 on the client, --ca-file /etc/docker/certs.d/srv2.1000y.cloud/ca.crt verifies the server instead.
[root@srv1 ~]# helm registry login srv2.1000y.cloud --insecure
Username: admin
Password:        # enter the admin password
Login Succeeded
(3) Prepare an already packaged chart
(4) Push test
[root@srv1 ~]# helm push coredns-1.26.0.tgz oci://srv2.1000y.cloud/library/chart \
    --insecure-skip-tls-verify
Pushed: srv2.1000y.cloud/k8s/chart/coredns:1.26.0
Digest: sha256:9e824163c1530296d3b9a151f40bbba9e9d5367cb0a92d0287b1912f1b84e8ca
(5) Pull test
[root@srv1 ~]# helm pull oci://srv2.1000y.cloud/library/chart/coredns \
    --version=1.26.0 --insecure-skip-tls-verify
Pulled: srv2.1000y.cloud/k8s/chart/coredns:1.26.0
Digest: sha256:9e824163c1530296d3b9a151f40bbba9e9d5367cb0a92d0287b1912f1b84e8ca
(6) Log out
[root@srv1 ~]# helm registry logout srv2.1000y.cloud
Removing login credentials for srv2.1000y.cloud
10. Docker Swarm
10.1 Topology
     ------------+---------------------------+---------------------------+------------
                 |                           |                           |
             eth0|192.168.10.21          eth0|192.168.10.22          eth0|192.168.10.23
     +-----------+-----------+   +-----------+-----------+   +-----------+-----------+
     |    [ Manager Node ]   |   |     [ Worker Node ]   |   |    [ Worker Node ]    |
     |  [docker1.1000cc.net] |   |  [docker2.1000cc.net] |   |  [docker3.1000cc.net] |
     +-----------------------+   +-----------------------+   +-----------------------+
10.2 Configure Swarm
1) Confirm every node runs Docker 1.12 or newer
[root@docker1 ~]# docker -v
Docker version 1.13.1, build 4ef4b30/1.13.1
2) Disable the "live-restore" option on every node and restart docker (live-restore is not compatible with swarm mode)
[root@docker1 ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://3laho3y3.mirror.aliyuncs.com"],
  "live-restore": false
}
[root@docker1 ~]# systemctl restart docker
3) Initialize the swarm on the manager node
[root@docker1 ~]# docker swarm init
Swarm initialized: current node (59v5v5gt7f87re13107b6l69p) is now a manager.

To add a worker to this swarm, run the following command:

# The output shows the command and token with which the other nodes join the swarm
    docker swarm join \
    --token SWMTKN-1-0n487fzobo6q8ahqgqb308743eoa676l9rsgfdsheq7w9xsn4u-48blm7ayxap6zei0okytb5et7 \
    192.168.10.21:2377

To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.
# The join token is a credential: anyone holding it who can reach 192.168.10.21:2377 can enrol a node and have tasks scheduled onto it. Treat it like a password and rotate it with docker swarm join-token --rotate worker when it has been exposed (as it has by being printed in this manual).
4) Join the worker nodes to the swarm
[root@docker2 ~]# docker swarm join \
    --token SWMTKN-1-0n487fzobo6q8ahqgqb308743eoa676l9rsgfdsheq7w9xsn4u-48blm7ayxap6zei0okytb5et7 \
    192.168.10.21:2377
This node joined a swarm as a worker.
[root@docker3 ~]# docker swarm join \
    --token SWMTKN-1-0n487fzobo6q8ahqgqb308743eoa676l9rsgfdsheq7w9xsn4u-48blm7ayxap6zei0okytb5et7 \
    192.168.10.21:2377
This node joined a swarm as a worker.
5) On the manager node, confirm the nodes have joined and are Active
[root@docker1 ~]# docker node ls
ID                            HOSTNAME             STATUS   AVAILABILITY   MANAGER STATUS
59v5v5gt7f87re13107b6l69p *   docker1.1000cc.net   Ready    Active         Leader
l5r2c40aswzh42cpdsdsdqp1s     docker3.1000cc.net   Ready    Active
qg02gqftuwcf9h47fpeku6rer     docker2.1000cc.net   Ready    Active
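A join token has the form SWMTKN-<version>-<CA digest>-<secret>: the digest lets a joining node verify the manager's root CA, the final segment is the secret that authorises the join, and only that last part needs protecting. The script below is an added example, not part of the original manual; it splits a token into its parts and redacts the secret from text such as shell history or log lines before they are shared. The token is the one printed in step 3; the log line it is embedded in is constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original manual: treat the swarm join token
# as the credential it is. Token format: SWMTKN-<version>-<CA digest>-<secret>.

# swarm_token_parts TOKEN -> "version ca_digest secret"; fails on anything
# that is not a well-formed token
swarm_token_parts() {
  local parts
  parts=$(printf '%s\n' "$1" \
    | sed -nE 's/^SWMTKN-([0-9]+)-([0-9a-z]+)-([0-9a-z]+)$/\1 \2 \3/p')
  [ -n "$parts" ] || return 1
  echo "$parts"
}

# redact_swarm_tokens: reads stdin, keeps version and CA digest (neither is
# secret; the digest only identifies the manager CA) and hides the secret
redact_swarm_tokens() {
  sed -E 's/(SWMTKN-[0-9]+-[0-9a-z]+)-[0-9a-z]+/\1-<redacted>/g'
}

# Constructed log line containing the token from step 3
CONSTRUCTED_LOG='Feb  9 03:10:01 docker1 root: docker swarm join --token SWMTKN-1-0n487fzobo6q8ahqgqb308743eoa676l9rsgfdsheq7w9xsn4u-48blm7ayxap6zei0okytb5et7 192.168.10.21:2377'

# Stand-alone run
swarm_token_parts SWMTKN-1-0n487fzobo6q8ahqgqb308743eoa676l9rsgfdsheq7w9xsn4u-48blm7ayxap6zei0okytb5et7
printf '%s\n' "$CONSTRUCTED_LOG" | redact_swarm_tokens
```

Piping ~/.bash_history or /var/log/messages through redact_swarm_tokens before attaching them to a ticket keeps the secret out of circulation; if a token has already leaked, rotate it on the manager with docker swarm join-token --rotate worker (or manager), which invalidates the old secret without touching nodes that have already joined.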
6) Build an image with the same name on every node
(1) Manager node
[root@docker1 ~]# vim Dockerfile
FROM centos
MAINTAINER snow <chuai@1000cc.net>
RUN yum -y install httpd
RUN echo "docker1.1000cc.net" > /var/www/html/index.html
EXPOSE 80
CMD ["-D", "FOREGROUND"]
ENTRYPOINT ["/usr/sbin/httpd"]
[root@docker1 ~]# docker build -t web_srv:latest .
[root@docker1 ~]# docker images
REPOSITORY   TAG      IMAGE ID       CREATED          SIZE
web_srv      latest   c19913c7dd7c   54 seconds ago   283 MB
......
(2) Worker node docker2
[root@docker2 ~]# vim Dockerfile
FROM centos
MAINTAINER snow <chuai@1000cc.net>
RUN yum -y install httpd
RUN echo "docker2.1000cc.net" > /var/www/html/index.html
EXPOSE 80
CMD ["-D", "FOREGROUND"]
ENTRYPOINT ["/usr/sbin/httpd"]
[root@docker2 ~]# docker build -t web_srv:latest .
[root@docker2 ~]# docker images
REPOSITORY   TAG      IMAGE ID       CREATED          SIZE
web_srv      latest   b064abb85035   54 seconds ago   283 MB
......
(3) Worker node docker3
[root@docker3 ~]# vim Dockerfile
FROM centos
MAINTAINER snow <chuai@1000cc.net>
RUN yum -y install httpd
RUN echo "docker3.1000cc.net" > /var/www/html/index.html
EXPOSE 80
CMD ["-D", "FOREGROUND"]
ENTRYPOINT ["/usr/sbin/httpd"]
[root@docker3 ~]# docker build -t web_srv:latest .
[root@docker3 ~]# docker images
REPOSITORY   TAG      IMAGE ID       CREATED          SIZE
web_srv      latest   98c0416fade6   54 seconds ago   283 MB
......
7) Create the service with 2 replicas
# The warning below appears because web_srv:latest exists only in each node's local image store and cannot be resolved to a registry digest. Swarm then runs whatever image of that name each node happens to have, which is why the image had to be built on every node and why each replica answers with a different page. In practice, push the image to a registry (section 7) so that every replica runs the same digest.
[root@docker1 ~]# docker service create --name scluster --replicas=2 -p 80:80 web_srv:latest
unable to pin image web_srv:latest to digest: manifest unknown: manifest unknown
8byp551bcgcox7uk6jhjtr5zs
################################################## Error summary ##################################################
1. Error response from daemon: rpc error: code = 4 desc = context deadline exceeded
2. Checking the log with tail -f /var/log/messages | grep docker shows the error "create service..."
# Fix:
1. Edit /etc/docker/daemon.json
2. Remove the "registry-mirrors":["https://3laho3y3.mirror.aliyuncs.com"], entry
3. Restart the docker service
4. Once the service has been created successfully, add "registry-mirrors":["https://3laho3y3.mirror.aliyuncs.com"], back
################################################## End of summary ##################################################
Wait a moment and REPLICAS will become ready
[root@docker1 ~]# docker service list
ID             NAME       MODE         REPLICAS   IMAGE
8byp551bcgco   scluster   replicated   2/2        web_srv:latest
8) Check the cluster state
[root@docker1 ~]# docker service inspect scluster --pretty
ID:             8byp551bcgcox7uk6jhjtr5zs
Name:           scluster
Service Mode:   Replicated
 Replicas:      2
Placement:
UpdateConfig:
 Parallelism:   1
 On failure:    pause
 Max failure ratio: 0
ContainerSpec:
 Image:         web_srv:latest
Resources:
Endpoint Mode:  vip
Ports:
 PublishedPort 80
  Protocol = tcp
  TargetPort = 80
9) Check the service state
[root@docker1 ~]# docker service ps scluster
ID             NAME         IMAGE            NODE                 DESIRED STATE   CURRENT STATE           ERROR   PORTS
puuzn36n63mx   scluster.1   web_srv:latest   docker2.1000cc.net   Running         Running 4 minutes ago
9f034679yr4b   scluster.2   web_srv:latest   docker1.1000cc.net   Running         Running 4 minutes ago
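Steps 5, 8 and 9 read the node and task tables by eye. The script below is an added example, not from the original page: it turns the same two views into a pass/fail check suitable for a cron job or monitoring hook, so a node that goes Down or Drain, or a replica stuck in Failed, is reported instead of overlooked. It reads the `--format` output of `docker node ls` and `docker service ps` on stdin rather than the aligned tables, so column widths and the `*` marker on the current node do not matter. The sample states below are constructed; the hostnames and service name are the page's.

```shell
#!/bin/sh
# Added example (not from the original page): health check over the swarm
# state the page inspects with `docker node ls` and `docker service ps`.

# Exit 0 when every node is Ready/Active; otherwise print each offender and exit 1.
# Input lines: "<hostname> <status> <availability>", i.e. the output of
#   docker node ls --format '{{.Hostname}} {{.Status}} {{.Availability}}'
check_nodes() {
    awk 'BEGIN { bad = 0 }
         NF == 0 { next }
         $2 != "Ready" || $3 != "Active" { print "node " $1 " is " $2 "/" $3; bad = 1 }
         END { exit bad }'
}

# Exit 0 when every task whose desired state is Running is actually Running.
# Input lines: "<name> <node> <desired> <current ...>", i.e. the output of
#   docker service ps SVC --format '{{.Name}} {{.Node}} {{.DesiredState}} {{.CurrentState}}'
# Tasks whose desired state is Shutdown (left behind by scaling or updates) are ignored.
check_tasks() {
    awk 'BEGIN { bad = 0 }
         NF == 0 { next }
         $3 == "Running" && $4 != "Running" { print "task " $1 " on " $2 " is " $4; bad = 1 }
         END { exit bad }'
}

# Constructed samples (hostnames from the page, states invented for the demo).
HEALTHY_NODES='docker1.1000cc.net Ready Active
docker3.1000cc.net Ready Active
docker2.1000cc.net Ready Active'

DEGRADED_NODES='docker1.1000cc.net Ready Active
docker3.1000cc.net Ready Drain
docker2.1000cc.net Down Active'

HEALTHY_TASKS='scluster.1 docker2.1000cc.net Running Running 4 minutes ago
scluster.2 docker1.1000cc.net Running Running 4 minutes ago'

DEGRADED_TASKS='scluster.1 docker2.1000cc.net Running Running 4 minutes ago
scluster.2 docker1.1000cc.net Running Failed 10 seconds ago
scluster.3 docker3.1000cc.net Shutdown Shutdown 2 minutes ago'

# Wrappers that run a sample through a check and return only its exit status.
nodes_ok() { printf '%s\n' "$1" | check_nodes >/dev/null; }
tasks_ok() { printf '%s\n' "$1" | check_tasks >/dev/null; }
```

Live usage on the manager: `docker node ls --format '{{.Hostname}} {{.Status}} {{.Availability}}' | check_nodes && docker service ps scluster --format '{{.Name}} {{.Node}} {{.DesiredState}} {{.CurrentState}}' | check_tasks`; a non-zero exit means something in the tables above is no longer the way step 5 and step 9 show it.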

10) Test swarm load balancing
[root@docker1 ~]# curl http://127.0.0.1
docker1.1000cc.net
[root@docker1 ~]# curl http://127.0.0.1
docker2.1000cc.net
[root@docker1 ~]# curl http://127.0.0.1
docker1.1000cc.net
[root@docker1 ~]# curl http://127.0.0.1
docker2.1000cc.net
11) Add a replica
[root@docker1 ~]# docker service scale scluster=3
unable to pin image web_srv:latest to digest: manifest unknown: manifest unknown
scluster scaled to 3
[root@docker1 ~]# docker service list
ID             NAME       MODE         REPLICAS   IMAGE
8byp551bcgco   scluster   replicated   3/3        web_srv:latest
12) Test again after adding the replica
[root@docker1 ~]# curl http://127.0.0.1
docker3.1000cc.net
[root@docker1 ~]# curl http://127.0.0.1
docker1.1000cc.net
[root@docker1 ~]# curl http://127.0.0.1
docker2.1000cc.net
[root@docker1 ~]# curl http://127.0.0.1
docker3.1000cc.net
[root@docker1 ~]# curl http://127.0.0.1
docker1.1000cc.net
[root@docker1 ~]# curl http://127.0.0.1
docker2.1000cc.net
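The two curl runs above show the routing mesh rotating through the replicas because each replica serves its own hostname. The script below is an added example, not part of the original page: it tallies the bodies returned by a batch of requests and fails if any expected backend never answered, which is how to confirm that a scale-up (or a replaced node) is really taking traffic rather than trusting a handful of manual requests. The response samples are constructed from the curl output shown on the page; probe_service assumes the published port is reachable at the URL given to it.

```shell
#!/bin/sh
# Added example (not from the original page): verify that every replica of
# the swarm service answers through the published port.

# Print "hostname count" for every distinct backend seen on stdin.
count_backends() {
    sort | uniq -c | awk '{ print $2, $1 }' | sort
}

# Exit 0 when every backend listed in $1 (space-separated) appears at least
# once in the responses on stdin; otherwise name the missing ones and exit 1.
all_backends_hit() {
    seen=$(sort -u | tr '\n' ' ')
    rc=0
    for b in $1; do
        case " $seen" in
            *" $b "*) ;;
            *) echo "backend $b never answered"; rc=1 ;;
        esac
    done
    return $rc
}

# Live probe: fetch $1 $2 times and print one body per line. Each replica's
# index.html already ends in a newline (it was written with echo), so the
# bodies line up one per request.
probe_service() {
    i=0
    while [ "$i" -lt "$2" ]; do
        curl -s "$1"
        i=$((i + 1))
    done
}

# Constructed samples: the six responses the page shows with 3 replicas, and
# the four shown earlier with only 2 replicas.
RESPONSES_3='docker3.1000cc.net
docker1.1000cc.net
docker2.1000cc.net
docker3.1000cc.net
docker1.1000cc.net
docker2.1000cc.net'

RESPONSES_2='docker1.1000cc.net
docker2.1000cc.net
docker1.1000cc.net
docker2.1000cc.net'

ALL_NODES='docker1.1000cc.net docker2.1000cc.net docker3.1000cc.net'
```

Live usage after scaling: `probe_service http://127.0.0.1 30 | all_backends_hit "$ALL_NODES"`; with only two replicas running the same command reports that docker3.1000cc.net never answered, exactly what the four-request sample shows.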
11. Installing Docker-CE
1) Uninstall the existing Docker first
2) Install Docker-CE
[root@docker1 ~]# yum install yum-utils -y
[root@docker1 ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
[root@docker1 ~]# sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
[root@docker1 ~]# yum install docker-ce -y
[root@docker1 ~]# systemctl enable --now docker
[root@docker1 ~]# docker version
Client: Docker Engine - Community
 Version:           19.03.12
 API version:       1.40
 Go version:        go1.13.10
 Git commit:        48a66213fe
 Built:             Mon Jun 22 15:46:54 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.12
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.10
  Git commit:       48a66213fe
  Built:            Mon Jun 22 15:45:28 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683
3) Configure the registry mirror
[root@docker1 ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://3laho3y3.mirror.aliyuncs.com"]
}
4) Restart Docker so the mirror takes effect
[root@docker1 ~]# systemctl restart docker