1. Fixing all containers exiting when the docker service is restarted
Method 1: docker run --restart=always
Method 2: "live-restore": true
Reference docker server configuration file /etc/docker/daemon.json
{
"registry-mirrors": ["http://b7a9017d.m.daocloud.io"],
"insecure-registries":["10.0.0.11:5000"],
"live-restore": true
}
#harbor enterprise-grade containers docker-compose down
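The daemon.json files on this page use three settings that change how exposed the daemon is: "registry-mirrors", "insecure-registries" and, in the later sections, a "hosts" entry with a TCP listener. The following check is an added example, not part of the original page; the function name, the hardened variant and its certificate paths are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the docker01 daemon.json shown in section 6.1 of this page.
PAGE_CONFIG = """{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "insecure-registries": ["10.0.0.11:5000", "10.0.0.12"],
  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
  "cluster-store": "consul://10.0.0.11:8500",
  "cluster-advertise": "10.0.0.11:2376"
}"""

# Constructed hardened variant; the certificate paths are hypothetical.
HARDENED_CONFIG = """{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "hosts": ["tcp://10.0.0.11:2376", "unix:///var/run/docker.sock"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem",
  "live-restore": true
}"""

def audit_daemon_config(text):
    """Return (key, finding) pairs for settings that widen the daemon's exposure."""
    cfg = json.loads(text)
    findings = []
    # A TCP listener is only authenticated when client certificates are verified.
    tls_verified = cfg.get("tlsverify") is True
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not tls_verified:
            addr = urlparse(host).hostname
            scope = "all interfaces" if addr in ("0.0.0.0", "::") else addr
            findings.append(("hosts", f"{host}: API reachable on {scope} without tlsverify"))
    # Registries listed here are contacted without verified TLS.
    for reg in cfg.get("insecure-registries", []):
        findings.append(("insecure-registries", f"{reg}: no verified TLS to this registry"))
    # A plain-HTTP mirror has no transport integrity or confidentiality.
    for mirror in cfg.get("registry-mirrors", []):
        if urlparse(mirror).scheme != "https":
            findings.append(("registry-mirrors", f"{mirror}: mirror reached over plain HTTP"))
    return findings

if __name__ == "__main__":
    for name, text in (("page", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(text) or "no findings")
```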
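2. Installing the docker service with Docker Machine
Docker Machine binary 10.0.0.11
10.0.0.12 passwordless login; download the binary package from the official docker site and install docker
10.0.0.13 passwordless login
ansible:
shell
3. Docker network types (implemented as plugins)
Docker: network modes explained
Testing Docker network modes
View a container's details (the network type is shown under Networks)
docker container inspect <container ID>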
[root@controller ~]# docker network ls
NAME DRIVER SCOPE
bridge bridge local
host host local
none null local
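None: | No network functions are configured for the container | --net=none |
Container: | Shares the Network Namespace of another running container (K8S) | --net=container:containerID |
Host: | Shares the Network Namespace of the host; highest performance | --network=host |
Bridge: | Docker's NAT network model; the default type |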
[root@docker01 ~]# docker run --help|grep -i '\-n'
--name string Assign a name to the container
--network network Connect a container to a network
--network-alias list Add network-scoped alias for the
--no-healthcheck Disable any container-specified
3.1 host
Shares one network with the host: --network=host
[root@docker01 ~]# docker run --network=host -d centos6.9_nginx:v2
47fcdc6d02a2fcaf96f94c01dd8c4e30f8d18f4554ecd041a5b92291dee3e72e
[root@docker01 ~]# docker inspect 47fcdc6d02a2 |grep -i network
"NetworkMode": "host",
"NetworkSettings": {
"Networks": {
"NetworkID": "5755f7d4fc1e6e3b78efa629294ddc7f86a93a7d7863e
[root@docker01 /]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 :::5000 :::* LISTEN -
tcp 0 0 :::80 :::* LISTEN 1/nginx
tcp 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.1:323 0.0.0.0:* -
udp 0 0 ::1:323 :::* -
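3.2 bridge (bridged network) (default)
When a container is started, a virtual bridge named docker0 is first created on the host and acts as a switch. A pair of virtual NIC devices is allocated automatically: one end sits in the container (eth0) and the other on the host, attached to docker0, which provides the connection. Each time a container is created and started, once its address has been assigned automatically an iptables rule is generated; view the POSTROUTING chain with iptables -t nat -vnL. Traffic arriving on any interface that does not leave through docker0, from any source address in the network to any destination host, has its address masqueraded, and the host's physical source address is selected automatically.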
[root@docker01 ~]# yum install bridge-utils -y
[root@docker01 ~]# docker run --network=bridge -d centos6.9_nginx:v2
[root@docker01 ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.0242dffbd98d no vetha7e18ee
[root@docker01 ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.0242dffbd98d no veth4e42c2f
vetha30a6de
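3.3 Container (commonly used by K8S)
Shares the Network Namespace of another running container: --network=container:<container ID>
First start a container with the defaults:
docker run -d phpwind:v1
Start any other container that shares the network of phpwind:v1
docker run -it --network container:2735c9b78546 nginx
The nginx container and the phpwind container now have the same IP, and port 80 belongs to whichever of them binds it first
## Check the network type
docker inspect <nginx container ID> |grep -i network
NetworkMode
3.4 none
No network functions are configured for the container: --network=none uses no network type at all
docker run --network=none -d phpwind:v1 /bin/bash
With no network, this is suitable for practice; only basic commands are available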
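The grep on docker inspect above shows NetworkMode for one container at a time. The following added example (not part of the original page) reads the same docker inspect JSON for several containers and reports which ones share the host's or another container's network namespace and which ports are published on every host interface; the sample data, container names and function names are constructed for illustration.

```python
import json

# Constructed sample: trimmed `docker inspect` output for three containers started
# the way sections 3.1, 3.3 and 5.1 start them (container names are made up).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web-host", "HostConfig": {"NetworkMode": "host"},
     "NetworkSettings": {"Ports": {}}},
    {"Name": "/web-shared", "HostConfig": {"NetworkMode": "container:2735c9b78546"},
     "NetworkSettings": {"Ports": {}}},
    {"Name": "/consul", "HostConfig": {"NetworkMode": "default"},
     "NetworkSettings": {"Ports": {
         "53/udp": None,  # exposed by the image but not published
         "8500/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8500"}]}}},
])

def classify(container):
    """Return (network mode, list of exposure notes) for one inspect object."""
    mode = container["HostConfig"]["NetworkMode"]
    notes = []
    if mode == "host":
        notes.append("uses the host network namespace: listeners bind host addresses directly")
    elif mode.startswith("container:"):
        peer = mode.split(":", 1)[1]
        notes.append(f"shares the network namespace of container {peer}")
    elif mode == "none":
        notes.append("no network configured")
    # Port bindings appear under NetworkSettings.Ports; unpublished ports map to null.
    ports = container.get("NetworkSettings", {}).get("Ports") or {}
    for port, bindings in sorted(ports.items()):
        for b in bindings or []:
            if b.get("HostIp") in ("", "0.0.0.0", "::"):
                notes.append(f"{port} published on all host interfaces as port {b['HostPort']}")
    return mode, notes

def audit(inspect_json):
    """Map container name to its classification for a whole `docker inspect` array."""
    return {c["Name"].lstrip("/"): classify(c) for c in json.loads(inspect_json)}

if __name__ == "__main__":
    for name, (mode, notes) in audit(SAMPLE_INSPECT).items():
        print(f"{name}: NetworkMode={mode}")
        for note in notes:
            print("  -", note)
```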
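4. Cross-host container communication with macvlan
By default a physical NIC has only one physical MAC address; macvlan virtualizes multiple MAC addresses on it
## Create the macvlan network
docker network create --driver macvlan --subnet 10.0.0.0/24 --gateway 10.0.0.254 -o parent=eth0 macvlan_1
## Put the eth0 NIC into promiscuous mode
ip link set eth0 promisc on
## Create a container that uses the macvlan network
docker run -it --network macvlan_1 --ip=10.0.0.200 busybox
Exercise 1: cross-host container communication with flannel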
[root@docker01 ~]# docker network create --driver macvlan --subnet 10.0.0.0/24 --gateway 10.0.0.254 -o parent=eth0 macvlan_1
[root@docker01 ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
e088d87e361f bridge bridge local
e7638e062d74 macvlan_1 macvlan local
[root@docker01 ~]# docker run -it --network macvlan_1 alpine:latest
/ #
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:0A:00:00:01
inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
[root@docker01 ~]# docker run -it --network macvlan_1 --ip 10.0.0.100 alpine:latest
/ #
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:0A:00:00:64
inet addr:10.0.0.100 Bcast:10.0.0.255 Mask:255.255.255.0
[root@docker01 ~]# docker stats --no-stream
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
e1b597321916 laughing_nobel 0.00% 192KiB / 1.934GiB 0.01% 0B / 0B 0B / 0B 1
af48e50366d1 confident_hypatia 0.00% 188KiB / 1.934GiB 0.01% 0B / 0B 0B / 0B
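5. Docker cross-host container communication with overlay
Download link for the docker_progrium_consul.tar.gz image package; extraction code: uk8p
5.1 Set the container host names
consul: a kv-type storage database (key:value)
On docker01: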
[root@docker01 ~]# wget http://192.168.37.202/linux59/docker_progrium_consul.tar.gz
[root@docker01 ~]# docker load -i docker_progrium_consul.tar.gz
[root@docker01 ~]# vim /etc/docker/daemon.json
{
"hosts":["tcp://0.0.0.0:2376","unix:///var/run/docker.sock"],
"cluster-store": "consul://10.0.0.11:8500",
"cluster-advertise": "10.0.0.11:2376"
}
[root@docker01 ~]# vim /usr/lib/systemd/system/docker.service
...
ExecStart=/usr/bin/dockerd --containerd=/run/containerd/containerd.sock
[root@docker01 ~]# systemctl daemon-reload
[root@docker01 ~]# systemctl restart docker
On docker02:
[root@docker02 ~]# wget http://192.168.37.202/linux59/docker_progrium_consul.tar.gz
[root@docker02 ~]# docker load -i docker_progrium_consul.tar.gz
[root@docker02 ~]# vim /etc/docker/daemon.json
{
"hosts":["tcp://0.0.0.0:2376","unix:///var/run/docker.sock"],
"cluster-store": "consul://10.0.0.11:8500",
"cluster-advertise": "10.0.0.12:2376"
}
[root@docker02 ~]# vim /usr/lib/systemd/system/docker.service
...
ExecStart=/usr/bin/dockerd --containerd=/run/containerd/containerd.sock
Create the container on docker01:
[root@docker01 ~]# docker run -d -p 8500:8500 -h consul --name consul progrium/consul -server -bootstrap
Open 10.0.0.11:8500 in a browser
5.1.2 Create the overlay network
[root@docker01 ~]# docker network create -d overlay --subnet 172.16.2.0/24 --gateway 172.16.2.254 ol1
[root@docker01 ~]# docker network ls
b2de7ebcc1f6 ol1 overlay global
# Check on docker02
[root@docker02 ~]# docker network ls
b2de7ebcc1f6 ol1 overlay global
5.1.3 Start containers to test
[root@docker01 ~]# docker run -it --network ol1 --name test01 busybox:latest
[root@docker02 ~]# docker run -it --network ol1 --name test02 busybox:latest
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:10:02:02
inet addr:172.16.2.2 Bcast:172.16.2.255 Mask:255.255.255.0
/ # ping 172.16.2.1
64 bytes from 172.16.2.1: seq=0 ttl=64 time=1.665 ms
64 bytes from 172.16.2.1: seq=1 ttl=64 time=0.399 ms
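# Each container has two NICs: eth0 carries container-to-container traffic, eth1 gives the container access to external networks
5.2 Set up a zabbix monitoring test environment
On docker01:
# Add the --network ol1 network environment
Already added above
docker run --name mysql-server -t --network ol1 \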
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="zabbix" \
-e MYSQL_PASSWORD="zabbix_pwd" \
-e MYSQL_ROOT_PASSWORD="root_pwd" \
-d mysql:5.7 \
--character-set-server=utf8 --collation-server=utf8_bin
docker run --name zabbix-java-gateway -t --network ol1 \
-d zabbix/zabbix-java-gateway:latest
docker run --name zabbix-server-mysql -t --network ol1 \
-e DB_SERVER_HOST="mysql-server" \
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="zabbix" \
-e MYSQL_PASSWORD="zabbix_pwd" \
-e MYSQL_ROOT_PASSWORD="root_pwd" \
-e ZBX_JAVAGATEWAY="zabbix-java-gateway" \
--link mysql-server:mysql \
--link zabbix-java-gateway:zabbix-java-gateway \
-p 10051:10051 \
-d zabbix/zabbix-server-mysql:latest
On docker02:
# Upload the zabbix-web-nginx-mysql.tar.gz image and load it
[root@docker02 ~]# ls zabbix-web-nginx-mysql.tar.gz
zabbix-web-nginx-mysql.tar.gz
[root@docker02 ~]# docker load -i zabbix-web-nginx-mysql.tar.gz
# Add the zabbix-web-nginx-mysql container on docker02
docker run --name zabbix-web-nginx-mysql -t --network ol1 \
-e DB_SERVER_HOST="mysql-server" \
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="zabbix" \
-e MYSQL_PASSWORD="zabbix_pwd" \
-e MYSQL_ROOT_PASSWORD="root_pwd" \
--link mysql-server:mysql \
--link zabbix-server-mysql:zabbix-server \
-p 80:80 \
-d zabbix/zabbix-web-nginx-mysql:latest
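Open 10.0.0.12 in a browser
6. harbor, the enterprise-grade docker image registry (VMware China team)
Deployment, maintenance (troubleshooting), high availability, monitoring, optimization, code updates
Official installation documentation
6.1 Detailed steps for configuring harbor
On docker02
# Configure the epel repo to download docker-compose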
curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum install -y docker-compose
# Upload the harbor-offline-installer-v1.5.1.tgz package and extract it
[root@docker02 opt]# ls harbor
common docker-compose.notary.yml ha install.sh NOTICE
docker-compose.clair.yml docker-compose.yml harbor.cfg LICENSE prepare
# Edit the configuration file
[root@docker02 harbor]# vim harbor.cfg
hostname = 10.0.0.12
harbor_admin_password = 123456
# Comment out this line in the script and the installation becomes faster
[root@docker02 harbor]# vim install.sh
# docker load -i ./harbor*.tar.gz
# Run the script to install harbor
[root@docker02 harbor]# docker-compose up -d
[root@docker02 harbor]# ./install.sh
On docker01:
# Edit the daemon.json configuration file and set the registry IP to 10.0.0.12
[root@docker01 ~]# vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://registry.docker-cn.com"],
"insecure-registries": ["10.0.0.11:5000","10.0.0.12"],
"hosts":["tcp://0.0.0.0:2376","unix:///var/run/docker.sock"],
"cluster-store": "consul://10.0.0.11:8500",
"cluster-advertise": "10.0.0.11:2376"
}
# Restart docker
[root@docker01 ~]# systemctl restart docker
# Push and pull images; log in to 10.0.0.12 first (admin 123456)
[root@docker01 ~]# docker tag kod:v3 10.0.0.12/library/kod:v3
[root@docker01 ~]# docker push 10.0.0.12/library/kod:v3
[root@docker01 ~]# docker login 10.0.0.12
Username: admin
Password: <123456>
# Push the alpine image and pull it as a test
[root@docker01 ~]# docker tag alpine:latest 10.0.0.12/library/alpine:latest
[root@docker01 ~]# docker push 10.0.0.12/library/alpine:latest
How to pull images
6.2 Configuring https for harbor
# Upload the https certificate files and extract them
[root@docker02 opt]# ls blog.qstack.com.cn.zip
blog.qstack.com.cn.zip
[root@docker02 opt]# mv blog.qstack.com.cn.zip certs/
[root@docker02 opt]# cd certs/
[root@docker02 opt]# unzip blog.qstack.com.cn.zip
# Edit the harbor configuration file
[root@docker02 harbor]# vim harbor.cfg
hostname = blog.qstack.com.cn
ui_url_protocol = https
ssl_cert = /opt/certs/Nginx/1_blog.qstack.com.cn_bundle.crt
ssl_cert_key = /opt/certs/Nginx/2_blog.qstack.com.cn.key
# Edit the script file and comment out this line
[root@docker02 harbor]# vim install.sh
# docker load -i ./harbor*.tar.gz
# Run the script to install harbor
[root@docker02 harbor]# ./install.sh
6.3 Automation script
[root@docker01 ~]# vim /server/scripts/a.sh
#!/bin/bash
# Copy every repository in the local registry (10.0.0.11:5000) into harbor's library project
for i in `ls /opt/myregistry/docker/registry/v2/repositories/`
do
    image=$i
    echo 鏡像名稱:$image
    # Iterate over the tags that belong to the current repository
    for v in `ls /opt/myregistry/docker/registry/v2/repositories/$image/_manifests/tags/`
    do
        docker pull 10.0.0.11:5000/$image:$v
        docker tag 10.0.0.11:5000/$image:$v blog.qstack.com.cn/library/$image:$v
        docker push blog.qstack.com.cn/library/$image:$v
    done
    echo "-------------------------------------"
done
# Log in on docker01
[root@docker01 ~]# docker login blog.qstack.com.cn
Username: admin
Password: <123456>
# Run the script
[root@docker01 ~]# sh /server/scripts/a.sh
鏡像名稱:alpine
latest: Pulling from alpine
Digest: sha256:d438c876bc7cbfe7732ca1c9a689cc3c24e15f2492ba6270d55f0a8984f96078
Status: Image is up to date for 10.0.0.11:5000/alpine:latest
10.0.0.11:5000/alpine:latest
The push refers to repository [blog.qstack.com.cn/library/alpine]
78cd8c87ab42: Pushed
60ab55d3379d: Pushed
latest: digest: sha256:d438c876bc7cbfe7732ca1c9a689cc3c24e15f2492ba6270d55f0a8984f96078 size: 735
-------------------------------------
鏡像名稱:nginx
latest: Pulling from nginx
Digest: sha256:204a9a8e65061b10b92ad361dd6f406248404fe60efd5d6a8f2595f18bb37aad
Status: Image is up to date for 10.0.0.11:5000/nginx:latest
10.0.0.11:5000/nginx:latest
The push refers to repository [blog.qstack.com.cn/library/nginx]
92b86b4e7957: Pushed
94ad191a291b: Pushed
8b15606a9e3e: Pushed
latest: digest: sha256:204a9a8e65061b10b92ad361dd6f406248404fe60efd5d6a8f2595f18bb37aad size: 948
-------------------------------------
鏡像名稱:test
Error response from daemon: manifest for 10.0.0.11:5000/test:latest not found: manifest unknown: manifest unknown
Error response from daemon: No such image: 10.0.0.11:5000/test:latest
The push refers to repository [blog.qstack.com.cn/library/test]
An image does not exist locally with the tag: blog.qstack.com.cn/library/test
-------------------------------------
7. docker monitoring with cadvisor
docker cadvisor monitoring + influxdb + grafana
docker zabbix monitoring: low-level discovery, automatic creation of monitoring items
# Commands needed
docker run -itd -p 8083:8083 -p 8086:8086 --name influxdb tutum/influxdb
docker run -itd --name cadvisor -p 8080:8080 --link influxdb:influxdb --mount type=bind,src=/,dst=/rootfs,ro --mount type=bind,src=/var/run,dst=/var/run --mount type=bind,src=/sys,dst=/sys,ro --mount type=bind,src=/var/lib/docker/,dst=/var/lib/docker,ro google/cadvisor -storage_driver=influxdb -storage_driver_db=cadvisor -storage_driver_user=root -storage_driver_password=root -storage_driver_host=influxdb:8086
docker run -itd --name grafana -p 3000:3000 grafana/grafana
cadvisor: collection
influxdb: storage
grafana: display, alerting
7.1 Configuration steps
On docker02
# Upload the docker monitoring images and load them into docker
[root@docker02 ~]# ls docker_monitor.tar.gz
docker_monitor.tar.gz
[root@docker02 ~]# docker load -i docker_monitor.tar.gz
# Start the database: influxdb
# Port 8083 is the web management interface; port 8086 serves external clients
[root@docker02 ~]# docker run -itd -p 8083:8083 -p 8086:8086 --name influxdb tutum/influxdb
Create the database and grant privileges
Start another container
docker run -itd --name cadvisor -p 8080:8080 --link influxdb:influxdb --mount type=bind,src=/,dst=/rootfs,ro --mount type=bind,src=/var/run,dst=/var/run --mount type=bind,src=/sys,dst=/sys,ro --mount type=bind,src=/var/lib/docker/,dst=/var/lib/docker,ro google/cadvisor -storage_driver=influxdb -storage_driver_db=cadvisor -storage_driver_user=root -storage_driver_password=root -storage_driver_host=influxdb:8086
Open 10.0.0.12:8080 in a browser
7.2 Add the grafana monitoring container
docker run -itd --name grafana -p 3000:3000 grafana/grafana
Open 10.0.0.12:3000 in a browser
Import a template
Another one