fudonghai


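This article explains things quite thoroughly, so I won't copy and paste it: reading notes on 《Docker从入门到实践》 (Docker: From Beginner to Practice)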

Installing Docker

Environment

root@fudonghai:~# uname -a
Linux fudonghai 4.4.0-135-generic #161-Ubuntu SMP Mon Aug 27 10:45:01 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
root@fudonghai:~# cat /etc/issue
Ubuntu 16.04.5 LTS \n \l

Remove old versions

root@fudonghai:~# apt-get remove docker docker-engine docker.io

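The apt source uses HTTPS to ensure that packages are not tampered with during download, so we first need to add the packages for HTTPS transport and the CA certificates.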

root@fudonghai:~# apt-get update

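Given network conditions in mainland China, using a domestic mirror is strongly recommended; the official source is shown in the comments. To confirm the legitimacy of the downloaded packages, the repository's GPG key has to be added.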

$ curl -fsSL https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu/gpg | sudo apt-key add -


# Official source
# $ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

Then we need to add the Docker repository to sources.list; the file is /etc/apt/sources.list

$ sudo add-apt-repository \
    "deb [arch=amd64] https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu \
    $(lsb_release -cs) \
    stable"


# Official source
# $ sudo add-apt-repository \
#    "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
#    $(lsb_release -cs) \
#    stable"

Finally, time to install Docker

root@fudonghai:~# apt-get update
root@fudonghai:~# apt-get install docker-ce

On AWS this failed with E: Package 'docker-ce' has no installation candidate; the following commands fixed it

echo "deb https://download.docker.com/linux/ubuntu zesty edge" | sudo tee /etc/apt/sources.list.d/docker.list

sudo apt update && sudo apt install docker-ce

 

Start Docker

root@fudonghai:~# systemctl enable docker
Synchronizing state of docker.service with SysV init with /lib/systemd/systemd-sysv-install...
Executing /lib/systemd/systemd-sysv-install enable docker
root@fudonghai:~# systemctl start docker

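By default, the docker command talks to the Docker engine over a Unix socket, and only the root user and members of the docker group can access that socket. For security reasons, Linux systems generally do not use the root user directly, so the better practice is to add the users who need docker to the docker group.

Create the docker group: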

root@fudonghai:~# groupadd docker
groupadd: group 'docker' already exists

Add the current user to the docker group:

root@fudonghai:~# echo $USER
root
root@fudonghai:~# usermod -aG docker $USER

Test that Docker is installed correctly

root@fudonghai:~# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
1b930d010525: Pull complete 
Digest: sha256:6540fc08ee6e6b7b63468dc3317e3303aae178cb8a45ed3123180328bcc1d20f
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

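Registry mirror: pulling images from Docker Hub from inside China is sometimes difficult; in that case a registry mirror (accelerator) can be configured.

Ubuntu 16.04+, Debian 8+, CentOS 7
On systems that use systemd, write the following into /etc/docker/daemon.json (create the file if it does not exist)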

{
  "registry-mirrors": [
    "https://registry.docker-cn.com"
  ]
}

 

Then restart the service

root@fudonghai:~# systemctl daemon-reload
root@fudonghai:~# systemctl restart docker
root@fudonghai:~# docker info
Client:
 Debug Mode: false
(several lines omitted)
 Registry Mirrors:
  https://registry.docker-cn.com/   # indicates success
 Live Restore Enabled: false

 

nginx image and container

Run an nginx container in the background; if the image is not present locally, it is downloaded first

root@fudonghai:~# docker run -d --name mynginx nginx
Unable to find image 'nginx:latest' locally
latest: Pulling from library/nginx
f5d23c7fed46: Pull complete 
918b255d86e5: Pull complete 
8c0120a6f561: Pull complete 
Digest: sha256:eb3320e2f9ca409b7c0aa71aea3cf7ce7d018f03a372564dbdb023646958770b
Status: Downloaded newer image for nginx:latest
c5a247c65e97cafec001d24f371b627201f3a57a4268fd8a9a26538897ac86ff

View the container

root@fudonghai:~# docker ps -l
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
c5a247c65e97        nginx               "nginx -g 'daemon of…"   2 minutes ago       Up 2 minutes        80/tcp              mynginx

Using the attach command to get into the nginx container not only fails to get in, it also causes the container to exit

root@fudonghai:~# docker attach c5a247c65e97
^C
root@fudonghai:~# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS               NAMES
c5a247c65e97        nginx               "nginx -g 'daemon of…"   9 minutes ago       Exited (0) 24 seconds ago                       mynginx

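The nsenter command can run in another process's namespaces, so it can enter a container through the container's PID

Start the container again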

root@fudonghai:~# docker ps -l
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                     PORTS               NAMES
c5a247c65e97        nginx               "nginx -g 'daemon of…"   17 minutes ago      Exited (0) 7 minutes ago                       mynginx
root@fudonghai:~# docker start c5a247c65e97
c5a247c65e97
root@fudonghai:~# docker ps -l
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
c5a247c65e97        nginx               "nginx -g 'daemon of…"   18 minutes ago      Up 5 seconds        80/tcp              mynginx

Get the container's PID

root@fudonghai:~# docker inspect --format "{{.State.Pid}}" mynginx     # or c5a247c65e97
7966

Enter the container

root@fudonghai:~# nsenter --target 7966 --mount --uts --ipc --net --pid /bin/bash

The ps command is missing inside the container because the nginx:latest image does not ship it; next time pick an image that does

root@c5a247c65e97:/# ps -aux
bash: ps: command not found

So I installed it myself

root@c5a247c65e97:/# apt-get update

root@c5a247c65e97:/# apt-get install procps

After installation it works

root@c5a247c65e97:/# ps -aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  10624  5400 ?        Ss   12:50   0:00 nginx: master process nginx -g daemon off;
nginx        6  0.0  0.0  11096  2680 ?        S    12:50   0:00 nginx: worker process
root        15  0.0  0.0   4000  3244 ?        S    13:02   0:00 /bin/bash
root       347  0.0  0.0   7640  2704 ?        R+   13:12   0:00 ps -aux

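A small experiment of my own: I stopped this container, started it again, got the new PID and entered it, and ps still worked, which shows the installation is persistent (but a container newly run from the nginx image still has no ps command)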

root@fudonghai:~# docker stop c5a247c65e97
c5a247c65e97
root@fudonghai:~# docker ps -l
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                     PORTS               NAMES
c5a247c65e97        nginx               "nginx -g 'daemon of…"   47 minutes ago      Exited (0) 3 seconds ago                       mynginx

root@fudonghai:~# docker start c5a247c65e97
c5a247c65e97
root@fudonghai:~# docker inspect --format "{{.State.Pid}}" c5a247c65e97
8614

root@fudonghai:~# nsenter --target 8614 --mount --uts --ipc --net --pid /bin/bash
root@c5a247c65e97:/# ps -aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  10624  5444 ?        Ss   13:20   0:00 nginx: master process nginx -g daemon off;
nginx        7  0.0  0.0  11096  2648 ?        S    13:20   0:00 nginx: worker process
root         8  0.0  0.0   4000  3168 ?        S    13:21   0:00 /bin/bash
root         9  0.0  0.0   7640  2736 ?        R+   13:21   0:00 ps -aux

The official image keeps its configuration files in /etc/nginx

root@c5a247c65e97:/# cd /etc/nginx/
root@c5a247c65e97:/etc/nginx# ls
conf.d    fastcgi_params    koi-utf  koi-win  mime.types  modules  nginx.conf  scgi_params    uwsgi_params  win-utf
root@c5a247c65e97:/etc/nginx# cat nginx.conf 

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}
root@c5a247c65e97:/etc/nginx# cat conf.d/default.conf 
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;   # the root directory matters
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

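Wrap this in a script, in.sh, for convenience; usage: ./in.sh mynginx

#!/bin/bash
# Enter a running container's namespaces, given its name or ID
CNAME=$1
CPID=$(docker inspect --format "{{.State.Pid}}" "$CNAME")
# State.Pid is 0 when the container is not running
[ "${CPID:-0}" -gt 0 ] || { echo "container $CNAME is not running" >&2; exit 1; }
nsenter --target "$CPID" --mount --uts --ipc --net --pid /bin/bash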

Something I don't understand: nginx has to run in the foreground; if it runs in the background it exits

 

 

Network access

On the host, check the network configuration: there is a docker0 bridge with IP 172.17.0.1

root@fudonghai:~# ifconfig
docker0   Link encap:Ethernet  HWaddr 02:42:65:cd:6e:d0  
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
          inet6 addr: fe80::42:65ff:fecd:6ed0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2596 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2581 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:148242 (148.2 KB)  TX bytes:8943856 (8.9 MB)
root@fudonghai:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0  

NAT table

root@fudonghai:~# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0           # performs address translation

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Enter the container and see whether it can reach the internet

root@fudonghai:~# ./in.sh mynginx
root@c5a247c65e97:/# ping www.baidu.com
bash: ping: command not found

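Then I found that ping is missing too, which is maddening; after installing it, the test shows the container can reach the internet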

root@c5a247c65e97:/# apt-get install iputils-ping
root@c5a247c65e97:/# ping baidu.com
PING baidu.com (39.156.69.79) 56(84) bytes of data.
64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=1 ttl=46 time=4.40 ms

The following package provides ifconfig

apt-get install net-tools

The following package provides ip

apt-get install iproute2

View the routing table

root@c5a247c65e97:/# ip ro li
default via 172.17.0.1 dev eth0 
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2 

 

Next, port mapping: -P maps to a random port

root@fudonghai:~# docker run -d -P --name mynginx1 nginx
b43280a11ebb9cb4721c5e4d490960b144db66245ad03ca7399fbc6a2a5c0fec
root@fudonghai:~# docker ps 
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                   NAMES
b43280a11ebb        nginx               "nginx -g 'daemon of…"   7 seconds ago       Up 6 seconds        0.0.0.0:32768->80/tcp   mynginx1

Testing http://114.115.147.49:32768/ in a browser works without problems

 

Use -p to specify the port mapping

root@fudonghai:~# docker run -d -p 30000:80 --name mynginx2 nginx
3be3207d7d5c986c72aa485dc04af5d92475ab445641a0fc783c51f3348c4808
root@fudonghai:~# docker ps 
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                   NAMES
3be3207d7d5c        nginx               "nginx -g 'daemon of…"   4 seconds ago       Up 4 seconds        0.0.0.0:30000->80/tcp   mynginx2

 

After a container is removed, ps -a no longer shows it

root@fudonghai:~# docker rm b43280a11ebb
b43280a11ebb
root@fudonghai:~# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                   NAMES
3be3207d7d5c        nginx               "nginx -g 'daemon of…"   14 minutes ago      Up 14 minutes       0.0.0.0:30000->80/tcp   mynginx2
c5a247c65e97        nginx               "nginx -g 'daemon of…"   2 days ago          Up 2 days           80/tcp                  mynginx

 

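Data management

Data volumes. They bypass UFS and write directly on the host

Note: the nginx image does not support the following -v data volume operation; running it gives no response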

root@fudonghai:~# docker run -it --name volume-test1 -v /data nginx

Trying the ubuntu image instead works

root@fudonghai:~# docker run -it --name volume-test1 -v /data ubuntu
Unable to find image 'ubuntu:latest' locally
(image download starts)
root@06ccca061b5e:/# ps -aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.1  0.0  18508  3404 pts/0    Ss   05:45   0:00 /bin/bash
root        13  0.0  0.0  34400  2896 pts/0    R+   05:46   0:00 ps -aux
root@06ccca061b5e:/# uname -a
Linux 06ccca061b5e 4.4.0-135-generic #161-Ubuntu SMP Mon Aug 27 10:45:01 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
root@06ccca061b5e:/# cat /etc/issue
Ubuntu 18.04.2 LTS \n \l

 

On the host, the command for finding the mount location fails; this may be an Ubuntu issue, and CentOS may be fine

root@fudonghai:/# docker inspect -f {{.volumes}} volume-test1

Template parsing error: template: :1:2: executing "" at <.volumes>: map has no entry for key "volumes"

Workaround:

root@fudonghai:/#  docker inspect volume-test1 | grep Mounts -A 10
        "Mounts": [
            {
                "Type": "volume",
                "Name": "e30a2482f41058cd6ad46a2b2cdce64fcec2aa3e8f483543cbd7c30e057a5eb4",
                "Source": "/var/lib/docker/volumes/e30a2482f41058cd6ad46a2b2cdce64fcec2aa3e8f483543cbd7c30e057a5eb4/_data",
                "Destination": "/data",
                "Driver": "local",
                "Mode": "",
                "RW": true,
                "Propagation": ""
            }

That is, on the host: /var/lib/docker/volumes/e30a2482f41058cd6ad46a2b2cdce64fcec2aa3e8f483543cbd7c30e057a5eb4/_data

which corresponds to /data inside the container

Testing with echo 123 > test succeeded

 

Mount a specific host directory into the container:   -v host_directory:container_directory

root@fudonghai:/# docker run -it --name volume-test2  -v /opt:/opt ubuntu
root@80ea323125c5:/# ls 
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@80ea323125c5:/# echo hello world! > /opt/hello
root@80ea323125c5:/# cat /opt/hello 
hello world!
root@80ea323125c5:/# exit
exit
root@fudonghai:/# cat /opt/hello 
hello world!

 

Data volume containers: use another container's data volumes, shared, with --volumes-from other_container_name

root@fudonghai:/# docker run -it --name volume-test4 --volumes-from volume-test1 ubuntu

The directory inside the new container is the same as in volume-test1: /data

The host directory is the same for both: /var/lib/docker/volumes/e30a2482f41058cd6ad46a2b2cdce64fcec2aa3e8f483543cbd7c30e057a5eb4/_data

 

Building images

First run a centos container, then build nginx inside it

root@fudonghai:/# docker run --name nginx-man -it centos

 

Install the supporting packages

yum install -y wget gcc gcc-c++ make openssl-devel

On Ubuntu this is

apt-get update
apt-get install wget gcc make g++
apt-get install openssl libssl-dev
apt-get install zlib1g zlib1g-dev

 

Download nginx

wget http://nginx.org/download/nginx-1.9.3.tar.gz
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.38.tar.gz

Unpack

root@b69d51510091:/# mv *.gz /usr/local/src
root@b69d51510091:/# cd /usr/local/src/
root@b69d51510091:/usr/local/src# tar zxf pcre-8.38.tar.gz 
root@b69d51510091:/usr/local/src# tar zxf nginx-1.9.3.tar.gz 
root@b69d51510091:/usr/local/src# ls
nginx-1.9.3  nginx-1.9.3.tar.gz  pcre-8.38  pcre-8.38.tar.gz

Create the www user

root@b69d51510091:/usr/local/src# useradd -s /sbin/nologin -M www

Configure and install

root@b69d51510091:/usr/local/src/nginx-1.9.3# ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_ssl_module --with-http_stub_status_module --with-pcre=/usr/local/src/pcre-8.38
[root@99925ed2ce2c nginx-1.9.3]# make
[root@99925ed2ce2c nginx-1.9.3]# make install

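nginx has to run in the foreground

vi /usr/local/nginx/conf/nginx.conf
daemon off;                  # add as the first line

Configure nginx to start inside the container (this later turned out not to work; the container exits)

[root@99925ed2ce2c nginx-1.9.3]# vi /etc/rc.local
/usr/local/nginx/sbin/nginx  # add the start command as the last line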

After exiting the container, commit the image

root@fudonghai:/# docker commit -m "my nginx" 99925ed2ce2c fudonghai/my-nginx:v1

The image is ready; run it

docker run -d -p 30001:80 fudonghai/my-nginx:v1

After running it, the container turned out to exit, so edit again and delete the added start command /usr/local/nginx/sbin/nginx

root@fudonghai:/# docker run -it fudonghai/my-nginx:v1
[root@f4fb55971ae6 /]# vi /etc/rc.local

Exit and commit again; note the new container ID

[root@f4fb55971ae6 /]# exit
exit
root@fudonghai:/# docker ps -l
CONTAINER ID        IMAGE                   COMMAND             CREATED             STATUS                      PORTS               NAMES
f4fb55971ae6        fudonghai/my-nginx:v1   "/bin/bash"         45 seconds ago      Exited (0) 17 seconds ago                       priceless_hertz
root@fudonghai:/# docker commit -m "v2" f4fb55971ae6 fudonghai/my-nginx:v2

Put the start command on the command line and run again

root@fudonghai:/# docker run -d -p 30001:80 fudonghai/my-nginx:v2 /usr/local/nginx/sbin/nginx
1def5a7d02ed582650cce692eb58c8c3d406f0821ac9af172f5e9e279cf0e884
root@fudonghai:/# docker ps -l
CONTAINER ID        IMAGE                   COMMAND                  CREATED             STATUS              PORTS                   NAMES
1def5a7d02ed        fudonghai/my-nginx:v2   "/usr/local/nginx/sb…"   8 seconds ago       Up 7 seconds        0.0.0.0:30001->80/tcp   adoring_chatelet

The browser test works

 

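Building an image with a Dockerfile

The file contains four kinds of information:

Base image information

Maintainer information

Image build instructions

The instruction executed when the container starts

The Dockerfile is as follows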

# This is My first Dockerfile
# Version 1.0
# Author: fu

#Base Image
FROM centos

#MAINTAINER
MAINTAINER fu

#ADD
ADD pcre-8.38.tar.gz /usr/local/src
ADD nginx-1.9.3.tar.gz /usr/local/src

#RUN
RUN yum install -y wget gcc gcc-c++ make openssl-devel
RUN useradd -s /sbin/nologin -M www

#WORKDIR
WORKDIR /usr/local/src/nginx-1.9.3
RUN ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_ssl_module --with-http_stub_status_module --with-pcre=/usr/local/src/pcre-8.38 && make && make install
RUN echo "daemon off;" >> /usr/local/nginx/conf/nginx.conf

ENV PATH /usr/local/nginx/sbin:$PATH
EXPOSE 80

# Used together with ENV PATH, so the bare nginx command is enough
CMD ["nginx"]

Steps

1. Prepare the files under /opt/docker-file/nginx: the Dockerfile is the one above, and the two .gz files need to be downloaded

root@fudonghai:/opt/docker-file/nginx# ls
Dockerfile  nginx-1.9.3.tar.gz  pcre-8.38.tar.gz

2. Run the build command

docker build -t nginx-file:v1 /opt/docker-file/nginx/

3. View the built image

root@fudonghai:/opt/docker-file/nginx# docker images
REPOSITORY           TAG                 IMAGE ID            CREATED             SIZE
nginx-file           v1                  54453e437d81        28 minutes ago      458MB

4. Run the image

docker run -d -p 30002:80 nginx-file:v1

 

How Docker works

Docker resource isolation

It uses Linux LXC, specifically the namespace feature. The namespaces are pid, net, ipc, mnt, uts and user.
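
The namespace types listed above can be checked for a concrete container by comparing the /proc/<pid>/ns symlinks of a host process with those of the container PID that docker inspect reports. The script below is an added example, not part of the original notes; its function names and the sample inode numbers are constructed, and the sample assumes Docker's default of no user-namespace remapping, so the user namespace shows as shared with the host.

```bash
#!/bin/bash
# Added example (not from the original notes).

# ns_compare <ns_dir_a> <ns_dir_b>
# <ns_dir> is a /proc/<pid>/ns directory. Every entry in it is a symlink whose
# target looks like "pid:[4026532204]"; two processes share a namespace exactly
# when the targets are equal. Prints "<type> shared" or "<type> isolated".
ns_compare() {
    local dir_a="$1"
    local dir_b="$2"
    local ns a b
    for ns in mnt uts ipc net pid user; do
        a=$(readlink "$dir_a/$ns") || continue   # type not present on this kernel
        b=$(readlink "$dir_b/$ns") || continue
        if [ "$a" = "$b" ]; then echo "$ns shared"; else echo "$ns isolated"; fi
    done
}

# shared_namespaces <ns_dir_a> <ns_dir_b>: space-separated list of shared types.
shared_namespaces() {
    ns_compare "$1" "$2" | awk '$2 == "shared" { printf "%s%s", sep, $1; sep = " " }'
}

# make_sample <dir>: constructed stand-in for /proc/1/ns (host) and
# /proc/<container pid>/ns, built from dangling symlinks with made-up inode
# numbers. The container has its own mnt/uts/ipc/net/pid namespaces but keeps
# the host's user namespace (assumption: userns-remap is not configured).
make_sample() {
    local root="$1"
    local entry
    mkdir -p "$root/host" "$root/container"
    for entry in mnt:4026531840 uts:4026531838 ipc:4026531839 \
                 net:4026531957 pid:4026531836 user:4026531837; do
        ln -s "${entry%%:*}:[${entry#*:}]" "$root/host/${entry%%:*}"
    done
    for entry in mnt:4026532201 uts:4026532202 ipc:4026532203 \
                 net:4026532206 pid:4026532204 user:4026531837; do
        ln -s "${entry%%:*}:[${entry#*:}]" "$root/container/${entry%%:*}"
    done
}

if [ "$#" -eq 2 ]; then
    # Real use, as root: ./ns-compare.sh 1 <PID printed by docker inspect>
    ns_compare "/proc/$1/ns" "/proc/$2/ns"
else
    demo=$(mktemp -d)
    make_sample "$demo"
    ns_compare "$demo/host" "$demo/container"
    rm -rf "$demo"
fi
```

A shared user namespace means uid 0 inside the container is uid 0 on the host, which is why a file written through a bind mount such as -v /opt:/opt is owned by root on the host.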

Docker resource limits

Resource limits use the kernel's cgroups, covering CPU, memory and disk (manual)

Using the stress-testing tool stress

Preparation

root@fudonghai:/opt/docker-file# mkdir stress
root@fudonghai:/opt/docker-file# ls
nginx  stress
root@fudonghai:/opt/docker-file# cd stress/
root@fudonghai:/opt/docker-file/stress# wget http://mirrors.aliyun.com/repo/epel-6.repo

 

Dockerfile

FROM centos
ADD epel-6.repo /etc/yum.repos.d/
RUN yum -y install stress && yum clean all
ENTRYPOINT ["stress"]

 

Build the image

docker build -t stress .

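If the host has 1 CPU core, run with the --cpu 1 argument; if 2 containers are started, each gets 50%. If the host has 2 cores and --cpu 2 is given, one container starts two processes, each with one core to itself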

docker run -it --rm stress --cpu 1

Use -c to set the weight; the default is 1024, and -c 512 is half the weight

docker run -it --rm -c 512 stress --cpu 1

Use --cpuset-cpus=? to specify which CPU core to run on

docker run -it --rm  --cpuset-cpus=0 stress --cpu 1

Memory limit: 128M is specified, and the container exits once usage reaches 128M

root@fudonghai:/opt/docker-file/stress# docker run  -it --rm -m 128m stress --vm 1 --vm-bytes 128m --vm-hang 0
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
stress: info: [1] dispatching hogs: 0 cpu, 0 io, 1 vm, 0 hdd
stress: FAIL: [1] (415) <-- worker 6 got signal 9
stress: WARN: [1] (417) now reaping child worker processes
stress: FAIL: [1] (421) kill error: No such process
stress: FAIL: [1] (451) failed run completed in 0s

 

Network modes

Bridge mode is the default and relies mainly on iptables

root@fudonghai:/opt/docker-file/stress# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0           
MASQUERADE  tcp  --  172.17.0.4           172.17.0.4           tcp dpt:80
MASQUERADE  tcp  --  172.17.0.3           172.17.0.3           tcp dpt:80

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:30000 to:172.17.0.4:80
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:30001 to:172.17.0.3:80
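
An added example (not from the original notes) that reads the DOCKER chain of the NAT table shown above and lists each published port together with the host address it listens on. The first two DNAT rules in the sample are the ones in the listing above; the third, bound to 127.0.0.1, is a constructed line showing what a mapping given as -p 127.0.0.1:30003:80 is assumed to look like, and the function names are this example's own.

```bash
#!/bin/bash
# Added example (not from the original notes).

# published_ports: reads `iptables -t nat -L -n` output on stdin and prints one
# line per DNAT rule of the DOCKER chain:
#   <listen address> <host port> <container ip:port>
# A listen address of 0.0.0.0/0 means the rule matches every host address.
published_ports() {
    awk '
        /^Chain / { in_docker = ($2 == "DOCKER"); next }
        in_docker && $1 == "DNAT" {
            port = ""; target = ""
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^dpt:/) port = substr($i, 5)
                if ($i ~ /^to:/)  target = substr($i, 4)
            }
            print $5, port, target
        }'
}

# exposed_everywhere: host ports that are reachable on all host addresses.
exposed_everywhere() {
    published_ports | awk '$1 == "0.0.0.0/0" { print $2 }'
}

# Sample input: two rules copied from the listing above, plus one constructed
# rule (port 30003) for a mapping bound to the loopback address only.
sample_rules() {
    cat <<'EOF'
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0
MASQUERADE  tcp  --  172.17.0.4           172.17.0.4           tcp dpt:80

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:30000 to:172.17.0.4:80
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:30001 to:172.17.0.3:80
DNAT       tcp  --  0.0.0.0/0            127.0.0.1            tcp dpt:30003 to:172.17.0.5:80
EOF
}

if [ "${1:-}" = "--live" ]; then
    iptables -t nat -L -n | published_ports     # needs root
else
    sample_rules | published_ports
fi
```

Ports reported with 0.0.0.0/0 are what -p 30000:80 and -P produce; these rules sit in the NAT table's PREROUTING path, so a host firewall that only filters the INPUT chain does not cover them.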

Host mode: the container and the host share the same network and ports

 

Docker Registry

1. Use the official http://dockerhub.com; you need to register a username XXX and remember the password

Log in

root@fudonghai:/opt/docker-file/stress# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.c
Username: XXX
Password: 

 

Tag the image before pushing

root@fudonghai:/opt/docker-file/stress# docker tag nginx-file:v1 XXX/nginx-file:v1
root@fudonghai:/opt/docker-file/stress# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
nginx-file             v1                  54453e437d81        23 hours ago        458MB
XXX/nginx-file         v1                  54453e437d81        23 hours ago        458MB

Push

root@fudonghai:/opt/docker-file/stress# docker push XXX/nginx-file:v1
The push refers to repository [docker.io/XXX/nginx-file]
44505ee7adb6: Pushed 
3bb66e7316b0: Pushed 
7a2f86e0f3b5: Pushed 
895dd72590ac: Pushed 
bca36cca1852: Pushed 
e66e81338148: Pushed 
d69483a6face: Pushed 
v1: digest: sha256:0f26c5eacfe5b099b44841e490260d819c9168643fc75a60a4861896dd9e6bdd size: 1789

Log in to https://cloud.docker.com/u/XXX/repository/list to see the uploaded image

 

2. Use Alibaba Cloud; this also requires an Alibaba Cloud account XXX@XXX.com

Log in
docker login --username=XXX@XXX.com registry.cn-beijing.aliyuncs.com
Pull
docker pull registry.cn-beijing.aliyuncs.com/[namespace]/hello:[image-version]
Tag
docker tag [ImageId] registry.cn-beijing.aliyuncs.com/[namespace]/hello:[image-version]
Push
docker push registry.cn-beijing.aliyuncs.com/[namespace]/hello:[image-version]

Push example

root@fudonghai:~# docker tag hello-world:latest registry.cn-beijing.aliyuncs.com/od/hello:v1
root@fudonghai:~# docker images
REPOSITORY                                  TAG                 IMAGE ID            CREATED             SIZE
hello-world                                 latest              fce289e99eb9        7 months ago        1.84kB
registry.cn-beijing.aliyuncs.com/od/hello   v1                  fce289e99eb9        7 months ago        1.84kB
root@fudonghai:~# docker push registry.cn-beijing.aliyuncs.com/od/hello:v1
The push refers to repository [registry.cn-beijing.aliyuncs.com/od/hello]
af0b15c8625b: Pushed
v1: digest: sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a size: 524

 

Force-delete all images; use with caution

docker rmi -f $(docker images -q)

 

posted on 2019-08-07 10:52  fudonghai