The basic theory behind Docker's implementation
1. Namespaces: the kernel's isolation mechanism
● PID namespace (isolates PIDs): each container gets its own PID number space, so processes in different containers neither see nor interfere with each other's PIDs, and the first process in the namespace is PID 1 there. Introduced in Linux 2.6.24.
● Network namespace: matured in Linux 2.6.29; isolates the network stack from other containers (network devices, the protocol stack and routing table, ports and sockets).
● User namespace: isolates user and group IDs (Linux 3.8). Root inside the namespace can be mapped to an unprivileged UID on the host, which is what makes "rootless" containers possible.
● IPC namespace: isolates inter-process communication, so the System V IPC objects of different containers (semaphores, message queues, shared memory) are invisible to each other. Linux 2.6.19.
● UTS namespace (the original text says "UTC"; UTS is the correct name): isolates the hostname and NIS domain name. Linux 2.6.19.
● Mount namespace: isolates the set of mounted filesystems each container sees. Linux 2.4.19.
System calls needed to implement containers:
clone(): creates a new process; with the CLONE_NEW* flags the child starts out in freshly created namespaces (the same call, with different flags, is how threads are created).
setns(): moves the calling process into an existing namespace (the mechanism behind nsenter and `docker exec`).
unshare(): detaches the calling process from a namespace it currently shares and gives it a new one.
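The following shell script is an added example (not code from the original page) that makes the three calls above visible without writing C: the kernel shows every process's namespace membership as symlinks under /proc/<pid>/ns/, and the util-linux `unshare(1)` command wraps unshare()/clone(). Function names beginning with ns_demo, the hostname "ns-demo-inside" and the root requirement are this example's own assumptions.

```shell
#!/bin/sh
# Added example: namespaces as seen from the shell.
# Two processes are in the same namespace exactly when the link targets under
# /proc/<pid>/ns/ (e.g. "uts:[4026531838]") are equal.

# ns_id PID TYPE -> namespace identifier of PID for TYPE (pid, net, uts, ipc, mnt, user)
ns_id() {
    readlink "/proc/$1/ns/$2"
}

# same_ns PID1 PID2 TYPE -> succeeds when both processes share that namespace
same_ns() {
    [ "$(ns_id "$1" "$3")" = "$(ns_id "$2" "$3")" ]
}

# ns_demo_can_unshare -> succeeds when we are root and unshare(1) exists.
# Creating UTS or PID namespaces (without a user namespace) needs CAP_SYS_ADMIN,
# so the demos below print "skipped" rather than failing when that is missing.
ns_demo_can_unshare() {
    [ "$(id -u)" = 0 ] && command -v unshare >/dev/null 2>&1
}

# ns_demo_uts -> a child in a new UTS namespace changes its hostname; prints
# "<hostname inside> <hostname on the host>" to show the host is untouched.
ns_demo_uts() {
    ns_demo_can_unshare || { echo skipped; return 0; }
    inside=$(unshare --uts sh -c 'hostname ns-demo-inside && hostname' 2>/dev/null) \
        || { echo skipped; return 0; }
    echo "$inside $(hostname)"
}

# ns_demo_pid -> the first process in a new PID namespace sees itself as PID 1,
# which is why a container's entrypoint acts as that container's init; prints 1.
ns_demo_pid() {
    ns_demo_can_unshare || { echo skipped; return 0; }
    unshare --pid --fork sh -c 'echo $$' 2>/dev/null || echo skipped
}

# Usage (as root):
#   ls -l /proc/self/ns        # the six namespace links of this shell
#   ns_demo_uts                # e.g. "ns-demo-inside docker-vm"
#   ns_demo_pid                # "1"
```

Compare the output of `ls -l /proc/self/ns` on the host with `ls -l /proc/1/ns` inside a running container (or `docker inspect --format '{{.State.Pid}}'` plus /proc/<pid>/ns from the host): every link target differs, which is the concrete meaning of "the container is isolated".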
2. CGroups (Linux Control Groups): merged into the kernel in Linux 2.6.24.
Kernel-level limiting, accounting and control of the resources used by a group of processes. Namespaces provide the six kinds of isolation above; cgroups apportion resources among the isolated spaces: how much CPU each gets, how much memory, how much disk and network I/O, and so on.
Resources limited: CPU, memory, I/O
Functions:
Resource limitation;
Prioritization;
Accounting: usage statistics, mainly for billing;
Control: freezing (suspending) and resuming processes.
Install the cgroup tools and list which subsystems are mounted, and where:
yum install libcgroup-tools
lssubsys -m
[root@docker-vm ~]# lssubsys -m
cpuset /sys/fs/cgroup/cpuset
cpu,cpuacct /sys/fs/cgroup/cpu,cpuacct
memory /sys/fs/cgroup/memory
devices /sys/fs/cgroup/devices
freezer /sys/fs/cgroup/freezer
net_cls /sys/fs/cgroup/net_cls
blkio /sys/fs/cgroup/blkio
perf_event /sys/fs/cgroup/perf_event
hugetlb /sys/fs/cgroup/hugetlb
Cgroup subsystems:
blkio: I/O limits for block devices (mainly disks);
cpu: CPU limits (shares and quotas);
cpuacct: reports the CPU time used by the cgroup;
cpuset: pins the cgroup's tasks to specific CPUs and memory nodes;
memory: limits memory usage (a task that exceeds the limit is OOM-killed);
devices: controls which device nodes the cgroup's tasks may access or create (the subsystem that keeps a container from opening host disks);
freezer: suspends or resumes the cgroup's tasks;
net_cls: tags packets with a class identifier (classid) so that tc can apply traffic control to the traffic of each cgroup separately;
perf_event: lets perf monitor all tasks of the cgroup as one unit;
hugetlb: limits HugeTLB page usage.
Cgroup terminology:
task: a process or thread;
cgroup: an independent unit of resource control; a cgroup can be attached to one or more subsystems;
subsystem: a resource controller (one of the list above);
hierarchy: a tree of cgroups; each subsystem is mounted as one hierarchy, which is why lssubsys -m prints a mount point per subsystem.
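The script below is an added example (not from the original page) that uses the cgroup filesystem directly, which is what `docker run --memory` does on your behalf: create a cgroup, write a limit, move a process in, run it, and remove the group. It handles both the v1 layout shown by lssubsys above (one hierarchy per subsystem under /sys/fs/cgroup/<subsystem>/) and the unified v2 hierarchy of newer kernels. The cgroup name "demo", the 50 MiB limit and the return code 2 for "cannot set up" are this example's assumptions.

```shell
#!/bin/sh
# Added example: a memory-limited process group built by hand.

# cgroup_mode -> v1, v2 or none, by probing what is mounted at /sys/fs/cgroup
cgroup_mode() {
    if [ -f /sys/fs/cgroup/cgroup.controllers ]; then echo v2
    elif [ -d /sys/fs/cgroup/memory ]; then echo v1
    else echo none; fi
}

# memory_limit_file MODE NAME -> the knob that caps the group's memory
memory_limit_file() {
    case "$1" in
        v1) echo "/sys/fs/cgroup/memory/$2/memory.limit_in_bytes" ;;
        v2) echo "/sys/fs/cgroup/$2/memory.max" ;;
        *)  return 1 ;;
    esac
}

# procs_file MODE NAME -> the file a PID is written to in order to join the group
# (v1 calls it "tasks", v2 "cgroup.procs")
procs_file() {
    case "$1" in
        v1) echo "/sys/fs/cgroup/memory/$2/tasks" ;;
        v2) echo "/sys/fs/cgroup/$2/cgroup.procs" ;;
        *)  return 1 ;;
    esac
}

# cgroup_of PID -> the cgroup(s) PID belongs to, straight from /proc/PID/cgroup
cgroup_of() {
    cat "/proc/$1/cgroup"
}

# limit_memory NAME BYTES CMD... -> run CMD with its memory capped at BYTES.
# Returns CMD's exit status; returns 2 when the group cannot be set up (not root,
# read-only /sys/fs/cgroup, or the memory controller not enabled for us).
# A process that exceeds the cap is OOM-killed, which Docker reports as
# "Exited (137)" together with OOMKilled=true in docker inspect.
limit_memory() {
    name=$1; bytes=$2; shift 2
    mode=$(cgroup_mode)
    limit=$(memory_limit_file "$mode" "$name") || { echo "no cgroup filesystem found" >&2; return 2; }
    procs=$(procs_file "$mode" "$name")
    dir=$(dirname "$limit")
    if ! mkdir -p "$dir" 2>/dev/null || [ ! -w "$limit" ]; then
        echo "cannot set up $dir (root and an enabled memory controller needed)" >&2
        return 2
    fi
    echo "$bytes" > "$limit" 2>/dev/null || { rmdir "$dir" 2>/dev/null; return 2; }
    # The child writes its own PID into the group and then exec()s the real command,
    # so the command and everything it forks is charged to the group.
    sh -c 'echo $$ > "$1" || exit 2; shift; exec "$@"' sh "$procs" "$@"
    rc=$?
    rmdir "$dir" 2>/dev/null   # an empty group can be removed; a busy one cannot
    return $rc
}

# Usage (as root):
#   limit_memory demo 52428800 sh -c 'head -c 200000000 /dev/zero | tail'   # killed: exit 137
#   cgroup_of $$                                                            # where this shell lives
```

On the v1 hosts of this page the same result is obtained with the libcgroup tools (`cgcreate -g memory:demo`, `cgset -r memory.limit_in_bytes=50M demo`, `cgexec -g memory:demo CMD`); the script shows what those commands write.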
3. AUFS: a union filesystem
UnionFS merges directories from different physical locations into one directory; the mechanism is layering (branches stacked on top of each other). The original compares it to WinPE and LVM.
AUFS ("Another UnionFS", later "Alternative" or "Advanced UnionFS"), written by a Japanese developer, was never merged into the mainline Linux kernel.
Docker's original storage driver was AUFS. CentOS kernels do not ship AUFS, so Docker on CentOS falls back to another driver (the docker info output later in this article shows Storage Driver: devicemapper on loopback files, with the daemon's own warning against using that in production). The advice here amounts to: do not run the fallback configuration in production. On current Docker releases overlay2 on a stock kernel is the usual choice.
Device mapper: plays the same role as AUFS for Docker.
One of the most important technologies introduced in Linux 2.6: a generic block-device mapping framework in the kernel on which logical volume management (LVM) is built. Its concepts:
Mapped Device
Mapping Table
Target Device
Docker's devicemapper driver in its default loopback mode is not recommended for production; use a real thin pool (dm.thinpooldev) or a different driver.
4. Docker core components:
Docker:
2013, written in Go, Apache 2.0 licensed, created by dotCloud.
Client/server architecture.
Docker daemon
The Docker daemon is the core background process. It answers requests from the Docker client and turns them into the system calls (namespaces, cgroups, mounts) that create and manage containers.
Docker client
"Docker client" is a generic term for anything that sends requests to a given Docker daemon (the docker CLI, or any program speaking its API) to perform container management operations. Because the daemon runs as root, whoever can write to its socket (/var/run/docker.sock) can create a container that mounts the host filesystem, so access to the socket is equivalent to root on the host.
Graph
The graph component keeps track of the downloaded images and the parent/child relationships between their layers.
GraphDB
The Docker daemon records every container it manages (the nodes) and the link relationships between them (the edges) in GraphDB, which is why a graph structure is used to store this data.
Driver
The daemon's job of translating user requests into system calls and managing containers is split into three driver types: container execution, networking and file storage, implemented as execdriver, networkdriver and graphdriver respectively.
CentOS 6.5 still used lxc (Linux Containers) as the execdriver;
CentOS 7 replaced it entirely with libcontainer.
Core concepts:
image: an image is read-only and is used to create containers; one image can run many containers. Images are built from a Dockerfile or downloaded from Docker Hub or another registry.
repository
public repositories: Docker Hub / registry
private repositories: docker registry
container: a running instance of an image; a container is an isolated environment.
Two further components:
docker link: container networking and the like.
docker volume: the mechanism by which containers persist data.
5. Installing Docker
This article installs directly on CentOS 7.
The Docker package is included in the default CentOS-Extras repository (the distribution build, 1.10.3 on this host as docker info shows below), so installing it is a single yum command:
[root@localhost ~]# yum install docker
Start the Docker service and enable it at boot:
[root@localhost ~]# systemctl start docker.service
[root@localhost ~]# systemctl enable docker.service
docker search: find the official centos image on Docker Hub.
[root@docker-vm ~]# docker search centos
INDEX      NAME                                             DESCRIPTION                                      STARS  OFFICIAL  AUTOMATED
docker.io  docker.io/centos                                 The official build of CentOS.                    2777   [OK]
docker.io  docker.io/ansible/centos7-ansible                Ansible on Centos7                               90               [OK]
docker.io  docker.io/jdeathe/centos-ssh                     CentOS-6 6.8 x86_64 / CentOS-7 7.2.1511 x8...    43               [OK]
docker.io  docker.io/jdeathe/centos-ssh-apache-php          CentOS-6 6.8 x86_64 - Apache / PHP / PHP M...    22               [OK]
docker.io  docker.io/nimmis/java-centos                     This is docker images of CentOS 7 with dif...    17               [OK]
docker.io  docker.io/consol/centos-xfce-vnc                 Centos container with "headless" VNC sessi...    14               [OK]
docker.io  docker.io/gluster/gluster-centos                 Official GlusterFS Image [ CentOS7 + Glus...     13               [OK]
docker.io  docker.io/million12/centos-supervisor            Base CentOS-7 with supervisord launcher, h...    12               [OK]
docker.io  docker.io/nickistre/centos-lamp                  LAMP on centos setup                             8                [OK]
docker.io  docker.io/torusware/speedus-centos               Always updated official CentOS docker imag...    8                [OK]
docker.io  docker.io/kinogmt/centos-ssh                     CentOS with SSH                                  6                [OK]
docker.io  docker.io/egyptianbman/docker-centos-nginx-php   A simple and highly configurable docker co...    5                [OK]
docker.io  docker.io/nathonfowlie/centos-jre                Latest CentOS image with the JRE pre-insta...    4                [OK]
docker.io  docker.io/centos/mariadb55-centos7                                                                3                [OK]
docker.io  docker.io/centos/tools                           Docker image that has systems administrati...    3                [OK]
docker.io  docker.io/consol/sakuli-centos-xfce              Sakuli JavaScript based end-2-end testing ...    2                [OK]
docker.io  docker.io/blacklabelops/centos                   CentOS Base Image! Built and Updates Daily!      1                [OK]
docker.io  docker.io/darksheer/centos                       Base Centos Image -- Updated hourly              1                [OK]
docker.io  docker.io/harisekhon/centos-java                 Java on CentOS (OpenJDK, tags jre/jdk7-8)        1                [OK]
docker.io  docker.io/harisekhon/centos-scala                Scala + CentOS (OpenJDK tags 2.10-jre7 - 2...    1                [OK]
docker.io  docker.io/timhughes/centos                       Centos with systemd installed and running        1                [OK]
docker.io  docker.io/januswel/centos                        yum update-ed CentOS image                       0                [OK]
docker.io  docker.io/repositoryjp/centos                    Docker Image for CentOS.                         0                [OK]
docker.io  docker.io/smartentry/centos                      centos with smartentry                           0                [OK]
docker.io  docker.io/ustclug/centos                         USTC centos                                      0                [OK]
Only the entry marked OFFICIAL is maintained by the CentOS project; the rest are third-party builds, so check who publishes an image before running it.
docker pull: fetch an image into the local store.
Download a busybox image; the default tag is latest:
[root@docker-vm ~]# docker pull busybox
Using default tag: latest
Trying to pull repository docker.io/library/busybox ...
latest: Pulling from docker.io/library/busybox
56bec22e3559: Pull complete
Digest: sha256:29f5d56d12684887bdfa50dcd29fc31eea4aaf4ad3bec43daf19026a7ce69912
Status: Downloaded newer image for docker.io/busybox:latest
Download a centos image; again the default tag is latest:
[root@docker-vm ~]# docker pull centos
Using default tag: latest
Trying to pull repository docker.io/library/centos ...
latest: Pulling from docker.io/library/centos
8d30e94188e7: Pull complete
Digest: sha256:2ae0d2c881c7123870114fb9cc7afabd1e31f9888dac8286884f6cf59373ed9b
Status: Downloaded newer image for docker.io/centos:latest
A tag such as latest is a moving pointer that the publisher can re-point at any time; the Digest line is the content hash of what was actually fetched. To get the same bits again (or to pin a build), pull by digest: docker pull busybox@sha256:29f5d56d12684887bdfa50dcd29fc31eea4aaf4ad3bec43daf19026a7ce69912
docker images: list local images
[root@docker-vm ~]# docker images
REPOSITORY          TAG      IMAGE ID       CREATED       SIZE
docker.io/busybox   latest   e02e811dd08f   3 weeks ago   1.093 MB
docker.io/centos    latest   980e0e4c79ec   7 weeks ago   196.7 MB
docker run: run a container in interactive mode
[root@docker-vm ~]# docker run -it busybox:latest /bin/sh
/ # ls
bin   dev   etc   home  proc  root  run   sys   tmp   usr   var
/ #
docker run: run a hello-world program. Once the program finishes, the container stops: a container lives exactly as long as its main process (PID 1 inside the container), and when that process exits the container's job is done.
[root@docker-vm ~]# docker run busybox:latest /bin/echo "hello world"
hello world
[root@docker-vm ~]# docker ps
CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
[root@docker-vm ~]# docker ps -a
CONTAINER ID   IMAGE            COMMAND                  CREATED          STATUS                     PORTS   NAMES
7b6f1bb9540c   busybox:latest   "/bin/echo 'hello wor"   21 seconds ago   Exited (0) 20 seconds ago          trusting_swanson
Other run options:
docker run --name    give the container a name
-i, --interactive=false    Keep STDIN open even if not attached (interactive mode)
-t, --tty=false            Allocate a pseudo-TTY
-d, --detach=false         Run the container in the background and print its ID
Example: start a shell in a container named busybox from the busybox:latest image
[root@docker-vm ~]# docker run -it --name=busybox busybox:latest /bin/sh
/ #
Example: stop the container
[root@docker-vm ~]# docker stop busybox
busybox
[root@docker-vm ~]# docker ps -a
CONTAINER ID   IMAGE            COMMAND     CREATED         STATUS                        PORTS   NAMES
73f8bba68272   busybox:latest   "/bin/sh"   3 minutes ago   Exited (137) 28 seconds ago           busybox
Note the status: Exited (137) is 128 + 9, i.e. the process was killed by SIGKILL. docker stop first sends SIGTERM and waits 10 seconds (the -t timeout) before sending SIGKILL. A shell running as PID 1 of the container does not act on SIGTERM (the kernel does not deliver default-action signals to a PID namespace's init, and an interactive sh ignores SIGTERM anyway), so stop always ends in the kill here; a status of 143 (128 + 15) would mean the process honoured SIGTERM and shut down cleanly.
Start the container again and get a shell inside it.
attach: attach to the standard streams of a running container
[root@docker-vm ~]# docker start 73f8bba68272
73f8bba68272
[root@docker-vm ~]# docker attach 73f8bba68272
or, equivalently:
[root@docker-vm ~]# docker start -i 73f8bba68272
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
          inet addr:172.17.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe11:2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:648 (648.0 B)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
What docker run does, step by step:
1. Check whether the requested image exists locally; if not, pull it from the registry.
2. Create the container from the image.
3. Allocate a filesystem: mount a writable layer on top of the read-only image layers.
4. Create a virtual interface for the container and bridge it to the host's configured bridge (docker0).
5. Assign the container an address from the bridge's address pool (172.17.0.2 above).
6. Execute the program the user specified.
7. When that program exits, the container stops.
A container started in interactive mode is terminated with the exit command or Ctrl+D.
logs: fetch a container's log, i.e. everything its main process wrote to stdout/stderr:
[root@docker-vm ~]# docker logs 73f8bba68272
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
          inet addr:172.17.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe11:2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:648 (648.0 B)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
/ # ps
PID   USER     TIME   COMMAND
    1 root       0:00 /bin/sh
    7 root       0:00 ps
Note that the log is a record of the interactive session, including the commands typed into the shell: anything pasted into an attached container (passwords, tokens) ends up in the daemon's log store on the host.
docker ps: list the containers currently running on this host
[root@docker-vm ~]# docker ps
CONTAINER ID   IMAGE            COMMAND     CREATED              STATUS              PORTS   NAMES
731525df2a5d   busybox:latest   "/bin/sh"   About a minute ago   Up About a minute           goofy_mcclintock
Commonly used docker commands:
Environment: info, version
[root@docker-vm ~]# docker info
Containers: 1
 Running: 0
 Paused: 0
 Stopped: 1
Images: 1
Server Version: 1.10.3                      # Docker version
Storage Driver: devicemapper
 Pool Name: docker-253:0-135130169-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 22.48 MB
 Data Space Total: 107.4 GB
 Data Space Available: 52.49 GB
 Metadata Space Used: 593.9 kB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.147 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.107-RHEL7 (2015-10-14)
Execution Driver: native-0.2
Logging Driver: journald
Plugins:
 Volume: local
 Network: null host bridge
Kernel Version: 3.10.0-327.el7.x86_64         # kernel version
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 2
CPUs: 24                                      # CPU cores
Total Memory: 125.7 GiB                       # host memory
Name: docker-vm
ID: Z4Q6:MROS:ES5N:SYVJ:HOKQ:BOMI:DXRZ:PX7L:AMF4:OMO4:3YMC:TBLC
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Registries: docker.io (secure)
The three WARNING lines deserve attention. The loopback warning is the devicemapper production issue discussed in section 3. The bridge-nf-call-iptables warnings mean that traffic bridged between containers on docker0 bypasses netfilter, so iptables rules (including the ones Docker installs to isolate containers from each other and to publish ports) do not see container-to-container traffic; fix with sysctl -w net.bridge.bridge-nf-call-iptables=1 (and the ip6tables equivalent), made persistent in /etc/sysctl.d/.
docker version: show version information
[root@docker-vm ~]# docker version
Client:
 Version:         1.10.3
 API version:     1.22
 Package version: docker-common-1.10.3-46.el7.centos.14.x86_64
 Go version:      go1.6.3
 Git commit:      cb079f6-unsupported
 Built:           Fri Sep 16 13:24:25 2016
 OS/Arch:         linux/amd64

Server:
 Version:         1.10.3
 API version:     1.22
 Package version: docker-common-1.10.3-46.el7.centos.14.x86_64
 Go version:      go1.6.3
 Git commit:      cb079f6-unsupported
 Built:           Fri Sep 16 13:24:25 2016
 OS/Arch:         linux/amd64
Maintenance: images, inspect, build, commit, pause/unpause, ps, rm, rmi, run, start/stop/restart, top, kill
Logs and events: events, history, logs
Docker Hub and registries: login, logout, pull, push, search
Example: docker kill a container (sends SIGKILL immediately, unlike stop)
[root@docker-vm ~]# docker ps
CONTAINER ID   IMAGE           COMMAND       CREATED         STATUS         PORTS   NAMES
cfe1c1f31d40   centos:latest   "/bin/bash"   3 minutes ago   Up 3 minutes           admiring_almeida
[root@docker-vm ~]# docker kill cfe1c1f31d40
cfe1c1f31d40
[root@docker-vm ~]# docker ps
CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
Example: docker ps -a lists all containers, including exited ones (it lists containers, not images)
[root@docker-vm ~]# docker ps -a
CONTAINER ID   IMAGE            COMMAND       CREATED          STATUS                       PORTS   NAMES
cfe1c1f31d40   centos:latest    "/bin/bash"   9 minutes ago    Exited (137) 6 minutes ago           admiring_almeida
731525df2a5d   busybox:latest   "/bin/sh"     23 minutes ago   Exited (0) 31 minutes ago            goofy_mcclintock
docker rm removes a stopped container. (Passing --rm to docker run makes Docker delete the container automatically when it exits, as in the last example of the commit section below.)
[root@docker-vm ~]# docker ps -a
CONTAINER ID   IMAGE            COMMAND       CREATED          STATUS                       PORTS   NAMES
cfe1c1f31d40   centos:latest    "/bin/bash"   9 minutes ago    Exited (137) 6 minutes ago           admiring_almeida
731525df2a5d   busybox:latest   "/bin/sh"     23 minutes ago   Exited (0) 31 minutes ago            goofy_mcclintock
[root@docker-vm ~]# docker rm 731525df2a5d
731525df2a5d
[root@docker-vm ~]# docker ps -a
CONTAINER ID   IMAGE           COMMAND       CREATED          STATUS                       PORTS   NAMES
cfe1c1f31d40   centos:latest   "/bin/bash"   13 minutes ago   Exited (137) 9 minutes ago           admiring_almeida
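The following is an added example (not code from the original page) for triaging a `docker ps -a` listing like the ones above before cleaning up with docker rm: Docker reports a container killed by a signal as Exited (128 + signal number), so 137 is SIGKILL (docker stop after its timeout, docker kill, or the kernel OOM killer) and 143 is SIGTERM. SAMPLE_PS is a constructed listing in the page's output format, not captured from a real host; the container IDs a1b2c3d4e5f6 and b7c8d9e0f1a2 and the names patient_shell and grave_pike in it are made up.

```shell
#!/bin/sh
# Added example: separate containers that exited cleanly from ones that were killed.

SAMPLE_PS='CONTAINER ID   IMAGE            COMMAND       CREATED          STATUS                        PORTS   NAMES
cfe1c1f31d40   centos:latest    "/bin/bash"   9 minutes ago    Exited (137) 6 minutes ago            admiring_almeida
731525df2a5d   busybox:latest   "/bin/sh"     23 minutes ago   Exited (0) 31 minutes ago             goofy_mcclintock
a1b2c3d4e5f6   busybox:latest   "/bin/sh"     2 hours ago      Exited (143) 2 hours ago              patient_shell
b7c8d9e0f1a2   centos:latest    "/bin/bash"   1 minute ago     Up About a minute                     grave_pike'

# exit_signal CODE -> name of the signal behind a status above 128 (137 -> KILL, 143 -> TERM), else "none"
exit_signal() {
    if [ "$1" -gt 128 ]; then
        kill -l $(($1 - 128))
    else
        echo none
    fi
}

# exited_containers -> one "ID CODE SIGNAL" line per stopped container in the listing read from stdin
exited_containers() {
    awk 'match($0, /Exited \([0-9]+\)/) { print $1, substr($0, RSTART + 8, RLENGTH - 9) }' |
    while read -r id code; do
        echo "$id $code $(exit_signal "$code")"
    done
}

# signalled_containers -> IDs of containers that died from a signal rather than exiting on their own;
# worth a `docker inspect` (OOMKilled, FinishedAt) and `docker logs` before they are removed
signalled_containers() {
    exited_containers | awk '$3 != "none" { print $1 }'
}

# clean_exits -> IDs of containers that exited with status 0, safe to remove
clean_exits() {
    exited_containers | awk '$2 == 0 { print $1 }'
}

# Usage on a real host:
#   docker ps -a | exited_containers
#   docker ps -a | clean_exits | xargs -r docker rm      # -r (GNU xargs): do nothing on empty input
```

Running the sample through exited_containers prints three lines: cfe1c1f31d40 137 KILL, 731525df2a5d 0 none and a1b2c3d4e5f6 143 TERM; the running container is skipped.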
docker commit: create a new image from a modified container. Example: add a user.
[root@docker-vm ~]# docker run -it centos:latest /bin/bash
[root@7cef59f68ead /]# useradd bjia
[root@7cef59f68ead /]# id bjia
uid=1000(bjia) gid=1000(bjia) groups=1000(bjia)
(from a second terminal on the host)
[root@docker-vm ~]# docker ps                                # look up the running container's ID
CONTAINER ID   IMAGE           COMMAND       CREATED         STATUS         PORTS   NAMES
7cef59f68ead   centos:latest   "/bin/bash"   9 minutes ago   Up 8 minutes           grave_pike
[root@docker-vm ~]# docker commit 7cef59f68ead centos:newuser   # create an image named centos:newuser from it
sha256:8c65e1448eb970ee1173a4b2f67ac31164ac94109e8b3ba1c2cef2addc4188fb
[root@docker-vm ~]# docker images                            # the new image is now listed
REPOSITORY          TAG       IMAGE ID       CREATED         SIZE
centos              newuser   8c65e1448eb9   9 seconds ago   196.7 MB
docker.io/busybox   latest    e02e811dd08f   3 weeks ago     1.093 MB
docker.io/centos    latest    980e0e4c79ec   7 weeks ago     196.7 MB
commit snapshots the container's entire writable layer, not just the change you intended: shell history, downloaded credentials and temporary files in the session all become part of the image, and nothing records how the image was produced. For anything that will be shared, build from a Dockerfile instead; docker history on a committed image shows only an opaque /bin/bash step.
Stop and remove the earlier centos container:
[root@docker-vm ~]# docker kill 7cef59f68ead
7cef59f68ead
[root@docker-vm ~]# docker rm 7cef59f68ead
Create a container from the image that was just built: the bjia user exists in it. That is what commit does.
[root@docker-vm ~]# docker run -it --rm centos:newuser /bin/bash
[root@4bf44b9af9dc /]# id bjia
uid=1000(bjia) gid=1000(bjia) groups=1000(bjia)
6. A private Docker registry
Install docker-registry on another machine (node2):
[root@node2 ~]# yum -y install docker-registry
# start the service
[root@node2 ~]# systemctl start docker-registry.service
It listens on port 5000 by default:
State    Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN   0      128    *:5000               *:*
LISTEN   0      128
Tag a local image for the registry, as busybox:1.2.1:
[root@node1 ~]# docker images
REPOSITORY          TAG      IMAGE ID       CREATED       SIZE
docker.io/registry  latest   c9bd19d022f6   2 weeks ago   33.27 MB
docker.io/busybox   latest   e02e811dd08f   4 weeks ago   1.093 MB
[root@node1 ~]# docker tag e02e811dd08f 192.168.254.17:5000/busybox:1.2.1
Pushing the image to the private registry fails at first with the following error:
[root@node1 ~]# docker push 192.168.254.17:5000/busybox:1.2.1
The push refers to a repository [192.168.254.17:5000/busybox]
unable to ping registry endpoint https://192.168.254.17:5000/v0/
v2 ping attempt failed with error: Get https://192.168.254.17:5000/v2/: dial tcp 192.168.254.17:5000: getsockopt: no route to host
v1 ping attempt failed with error: Get https://192.168.254.17:5000/v1/_ping: dial tcp 192.168.254.17:5000: getsockopt: no route to host
The client connects over HTTPS by default. Two separate problems are visible here. The error actually shown, "no route to host" on the TCP connect, is a connectivity failure, which on a CentOS 7 registry host usually means firewalld is rejecting port 5000 (open it with firewall-cmd --permanent --add-port=5000/tcp && firewall-cmd --reload). Once the port is reachable, a registry that serves plain HTTP fails the TLS handshake instead, and that is what the insecure-registry setting below works around:
vim /etc/sysconfig/docker
ADD_REGISTRY='--add-registry 192.168.254.17:5000'              # also search/pull from this registry (Red Hat's packaging adds this option)
INSECURE_REGISTRY='--insecure-registry 192.168.254.17:5000'    # allow plain HTTP or unverified TLS for this registry
[root@node1 ~]# systemctl restart docker                        # restart the daemon for the change to take effect
--insecure-registry makes the daemon accept plaintext HTTP and skip certificate verification for that one endpoint, so anyone on the network path can impersonate the registry and serve a different manifest; the layer digests in that manifest are still checked, but the manifest itself arrives unauthenticated. That is acceptable in an isolated lab and nowhere else. The /etc/sysconfig/docker file is specific to the RHEL/CentOS package; upstream Docker takes the same setting from "insecure-registries" in /etc/docker/daemon.json. For production, serve the registry over TLS and give the daemon the CA certificate at /etc/docker/certs.d/192.168.254.17:5000/ca.crt, which needs no insecure flag at all.
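The script below is an added example (not code from the original page) of the TLS alternative to --insecure-registry: generate a certificate for the registry whose subjectAltName covers the registry's address, and install it as the CA that the Docker daemon trusts for that one registry. The address 192.168.254.17:5000 is the page's; the certificate parameters, the DOCKER_CERTS_ROOT override, and the /tmp paths in the usage comments are this example's assumptions. It requires OpenSSL 1.1.1 or newer for -addext and -ext.

```shell
#!/bin/sh
# Added example: trust a private registry over TLS instead of marking it insecure.

# certs_dir HOST:PORT -> the directory the daemon reads that registry's CA from
# (DOCKER_CERTS_ROOT overrides /etc/docker/certs.d, e.g. for tests)
certs_dir() {
    echo "${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}/$1"
}

# san_for HOST -> subjectAltName entry for HOST. Docker's Go TLS client ignores
# the certificate's CN, so the registry address must appear as an IP: or DNS: SAN.
san_for() {
    case "$1" in
        *[!0-9.]*) echo "DNS:$1" ;;
        *)         echo "IP:$1" ;;
    esac
}

# gen_registry_cert HOST OUTDIR -> self-signed key pair for the registry in OUTDIR
# (registry.key / registry.crt); the registry serves these, the daemon trusts the .crt
gen_registry_cert() {
    mkdir -p "$2" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$2/registry.key" -out "$2/registry.crt" \
        -subj "/CN=$1" -addext "subjectAltName=$(san_for "$1")" >/dev/null 2>&1
}

# trust_registry HOST:PORT CERT -> install CERT as ca.crt for that registry on a Docker host;
# the daemon picks it up without a restart
trust_registry() {
    dir=$(certs_dir "$1")
    mkdir -p "$dir" && cp "$2" "$dir/ca.crt" && chmod 644 "$dir/ca.crt"
}

# cert_matches HOST:PORT CERT -> succeeds when CERT's SAN covers the registry host;
# a CN-only certificate fails here before it fails inside the daemon
cert_matches() {
    host=${1%:*}
    openssl x509 -in "$2" -noout -ext subjectAltName 2>/dev/null |
        grep -q "$(san_for "$host" | sed 's/^IP:/IP Address:/')"
}

# Usage:
#   gen_registry_cert 192.168.254.17 /tmp/registry-tls
#   # registry side (registry:2 image): REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt
#   #                                   REGISTRY_HTTP_TLS_KEY=/certs/registry.key
#   cert_matches 192.168.254.17:5000 /tmp/registry-tls/registry.crt && \
#       trust_registry 192.168.254.17:5000 /tmp/registry-tls/registry.crt
#   docker push 192.168.254.17:5000/busybox:1.2.1        # no INSECURE_REGISTRY needed
```

With the CA in place the daemon verifies the registry's certificate on every pull and push, so a host on the path can no longer substitute manifests; a self-signed certificate is fine as long as its private key stays on the registry host.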