
Docker

2024/10/24 21:30:16 来源:https://blog.csdn.net/2302_81167603/article/details/142446456  浏览:    关键词:Docker

实验部分

1、docker的部署过程

配置软件仓库

[root@docker-node1 etc]# cd /etc/yum.repos.d/

[root@docker-node1 yum.repos.d]# ls
redhat.repo rhel9.repo

[root@docker-node1 yum.repos.d]# vim docker.repo

[root@docker-node1 yum.repos.d]# cd

[root@docker-node1 ~]# yum install docker-ce -y

安装docker-ce并启动服务

[root@docker-node1 ~]# vim /usr/lib/systemd/system/docker.service

[root@docker-node1 ~]# systemctl enable --now docker

Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service.

[root@docker-node1 ~]# docker info

启动容器

[root@docker-node1 ~]# docker run -d --name test --rm -p 80:8080 timinglee/mario:latest
1b4e3a695d37c76a4e1bdcb9a341971f0c893350e2b46b4861605f02b55a72f5

2、Docker的基本操作

查看镜像

[root@docker-node1 ~]# docker image inspect nginx:1.23

导出镜像

#保存镜像

[root@Docker-node1 ~]# docker image save nginx:latest -o nginx-latest.tar.gz

[root@Docker-node1 ~]# docker image save nginx:latest nginx:1.26-alpine -o nginx.tag.gz

#保存所有镜像

[root@Docker-node1 ~]# docker save $(docker images | awk 'NR>1{print $1":"$2}') -o images.tar.gz

[root@Docker-node1 ~]# docker ps #查看当前运行容器

[root@Docker-node1 ~]# docker ps -a #查看所有容器

[root@Docker-node1 ~]# docker inspect busybox #查看容器运行的详细信息

[root@Docker-node1 ~]# docker stop busybox #停止容器

[root@Docker-node1 ~]# docker kill busybox #杀死容器,可以使用信号

[root@Docker-node1 ~]# docker start busybox #开启停止的容器

[root@Docker-node1 ~]# docker rm centos7 #删除停止的容器

[root@Docker-node1 ~]# docker rm -f busybox #删除运行的容器

[root@Docker-node1 ~]# docker container prune -f #删除所有停止的容器

容器内容提交

复制

[root@docker-node1 ~]# docker cp dbbfile exam:/dbbfile

Successfully copied 1.54kB to exam:/dbbfile

查看日志

3、构建参数使用

[root@docker-node1 ~]# mkdir docker/

[root@docker-node1 ~]# cd docker/

[root@docker-node1 docker]# touch leefile

[root@docker-node1 docker]# vim Dockerfile

[root@docker-node1 docker]# touch leefile{1..3}

[root@docker-node1 docker]# tar zcf leefile.gz leefile

[root@docker-node1 docker]# vim Dockerfile

4、docker镜像构建

配置centos7环境

[root@docker-node1 docker]# dnf install httpd -y

[root@docker-node1 docker]# vim /etc/httpd/conf/httpd.conf

[root@docker-node1 docker]# systemctl start httpd

[root@docker-node1 docker]# mkdir /var/www/html/rhel7.9

[root@docker-node1 docker]# mount /dev/sr1 /var/www/html/rhel7.9/

mount: /var/www/html/rhel7.9: WARNING: source write-protected, mounted read-only.

[root@docker-node1 ~]# docker inspect centos

[root@docker-node1 ~]# docker commit -m "add repo" centos centos:repo
sha256:d3405633300686ecee84f9ff8e373f30655fde27fd7d18e2fb7b9fcb979302c1

[root@1a93258b3d66 ~]# exit

exit

[root@docker-node1 docker]# docker rm centos
centos

建立构建目录,编写构建文件

[root@docker-node1 docker]# vim Dockerfile

通过dockerfile生成镜像

测试镜像可用性

[root@docker-node1 docker]# docker run -d --name checkimage nginx
808059cabaf8fe85190327e6d47aaab1154a8e1167a90106d196a1857940ec26

5、镜像优化

方法1.缩减镜像层

[root@docker-node1 docker]# vim Dockerfile

方法2.多阶段构建

[root@docker-node1 docker]# vim Dockerfile

方法3.使用最精简镜像

[root@docker-node1 docker]# vim Dockerfile

6、docker简单私有仓库的搭建

[root@docker-node1 ~]# docker run -d -p 5000:5000 --restart=always registry
402feafcb10ecef67534fc3bc6c35a1825031ad1fa3c4fe18a186869107b6878

[root@docker-node1 ~]# docker tag nginx:v4 172.25.254.10:5000/nginx:v4

[root@docker-node1 ~]# vim /etc/docker/daemon.json

[root@docker-node1 ~]# systemctl start docker

[root@docker-node1 ~]# docker inspect ecstatic_lamport

[root@docker-node1 docker]# curl 172.25.254.10:5000/v2/_catalog
{"repositories":["nginx"]}

[root@docker-node1 repositories]# docker tag busybox:latest 172.25.254.10:5000/busybox:latest
[root@docker-node1 repositories]# docker push 172.25.254.10:5000/busybox:latest

The push refers to repository [172.25.254.10:5000/busybox]
d51af96cf93e: Pushed
latest: digest: sha256:28e01ab32c9dbcbaae96cf0d5b472f22e231d9e603811857b295e61197e40a9b size: 527

[root@docker-node1 docker]# curl 172.25.254.10:5000/v2/_catalog

{"repositories":["busybox","nginx"]}

7、docker仓库数据传输加密

#生成认证key和证书

[root@docker-node1 ~]# vim /etc/docker/daemon.json  删除

[root@docker-node1 ~]# systemctl restart docker

[root@docker-node1 ~]# mkdir certs

[root@docker-node1 ~]# vim /etc/hosts

[root@docker-node1 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/timinglee.org.key -addext "subjectAltName = DNS:reg.timinglee.org" -x509 -days 365 -out certs/timinglee.org.crt

启动registry仓库

[root@docker-node1 ~]# mkdir -p /etc/docker/certs.d/reg.timinglee.org -p

[root@docker-node1 certs]# cp /root/certs/timinglee.org.crt /etc/docker/certs.d/reg.timinglee.org/ca.crt

[root@docker-node1 ~]# ls /etc/docker/certs.d/reg.timinglee.org/ca.crt
/etc/docker/certs.d/reg.timinglee.org/ca.crt

[root@docker-node1 ~]# curl -k https://reg.timinglee.org/v2/_catalog
{"repositories":["nginx"]}

说明:-k 表示跳过证书校验。curl 不会读取 /etc/docker/certs.d 下的 ca.crt,若要真正验证这张自签证书,可改用 curl --cacert certs/timinglee.org.crt https://reg.timinglee.org/v2/_catalog。

8、docker仓库用户认证

[root@docker-node1 ~]# yum install httpd-tools -y

[root@docker-node1 ~]# mkdir auth

[root@docker-node1 ~]# htpasswd -Bc auth/.htpasswd lee

New password:

Re-type new password:

Adding password for user lee

[root@docker-node1 ~]# cat auth/.htpasswd
lee:$2y$05$hKXaGAu6XKmGmnJg080JM.6MBSTd4N8dWsRb6BYzvHmYBdI1rxR2G
[root@docker-node1 ~]# htpasswd -B auth/.htpasswd hyl

New password:

Re-type new password:

Adding password for user hyl

[root@docker-node1 ~]# cat auth/.htpasswd
lee:$2y$05$hKXaGAu6XKmGmnJg080JM.6MBSTd4N8dWsRb6BYzvHmYBdI1rxR2G
hyl:$2y$05$JZ33JbqB.AubdM26dpNjIuBd/7TXjuvFHCwuKbiB4WADDuUWS.

[root@docker-node1 ~]# docker run -d -p 443:443 --restart=always -v /root/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/timinglee.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/timinglee.org.key -v /root/auth:/auth -e REGISTRY_AUTH=htpasswd -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/.htpasswd registry
02085041efd1de26bd3916f012662275b20ce8191c8326b65fa25ac2cc20ba71

[root@docker-node1 ~]# curl -k https://reg.timinglee.org/v2/_catalog -u hyl:hyl
{"repositories":["nginx"]}

9、docker-harbor仓库的搭建

[root@docker harbor]# vim harbor.yml

[root@docker-node1 harbor]# ll /data/

总用量 0 drwxr-xr-x 3 root root 18 9月 22 17:56 secret

[root@docker-node1 harbor]# cp /root/certs/ /data/ -r

[root@docker-node1 harbor]# ls /data/

certs secret

[root@docker-node1 harbor]# ls 

common config

[root@docker-node1 harbor]# ls /data/certs/

timinglee.org.crt timinglee.org.key

[root@docker-node1 harbor]# ./install.sh --with-chartmuseum

#管理harbor的容器

本地解析

C:\Windows\System32\drivers\etc\hosts

测试

#未登录上传失败

登录

[root@docker-node1 harbor]# docker logout reg.timinglee.org

Removing login credentials for reg.timinglee.org

[root@docker-node1 harbor]# docker login reg.timinglee.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores
​
Login Succeeded

#私有仓库作为默认下载仓库

[root@docker-node1 reg.timinglee.org]# cp /data/certs/timinglee.org.crt ^C

[root@docker-node1 reg.timinglee.org]# cd ..

[root@docker-node1 certs.d]# ls reg.timinglee.org

[root@docker-node1 certs.d]# cd ..

[root@docker-node1 docker]# ls
certs.d daemon.json

[root@docker-node1 docker]# vim daemon.json

[root@docker-node1 docker]# systemctl restart docker

[root@docker-node1 docker]# docker info

[root@docker-node1 harbor]# docker pull timinglee/nginx:v4

v4: Pulling from timinglee/nginx
Digest: sha256:e7b51e47f6e4e415ef6f1ea2435aaa6302173858e4e46dc663e4b929608bdeb8

Status: Downloaded newer image for timinglee/nginx:v4

docker.io/timinglee/nginx:v4

#若出现问题

[root@docker-node1 docker]# docker pull timinglee/nginx:v4

Error response from daemon: Get "https://registry-1.docker.io/v2/": context deadline exceeded ( Client.Timeout exceeded while awaiting headers)

10、docker的webUI工具

#访问

[root@docker-node1 1panel-v1.10.13-lts-linux-amd64]# 1pctl user-info

面板地址: http://$LOCAL_IP:4444/c2c56e339d

面板用户: 23e19dd318 面板密码: !@#$%*_,

提示:修改密码可执行命令:1pctl update password

11.docker原生网络及自定义桥接网络

docker原生bridge网路

[root@docker-node1 ~]# grubby --update-kernel ALL --args iptables=true

[root@docker-node1 ~]# reboot

[root@docker-node1 ~]# cd 1panel-v1.10.13-lts-linux-amd64/

[root@docker-node1 1panel-v1.10.13-lts-linux-amd64]# ls
1panel  1panel.service  1pctl  docker  install.log  install.sh  LICENSE  README.md

#恢复默认网络

不使用iptables

[root@docker-node1 harbor]# nft list ruleset

docker原生网络host---直连网络

[root@docker-node1 harbor]# docker rm webserver
webserver

docker原生网络none

docker的自定义网络

自定义桥接网络---net

原生的桥接网络当中没有dns插件

##webserve、test1都退出

[root@docker-node1 ~]# docker network create mynet1 -d bridge
cb9b2d5c2690cc8214a6ee32c813d7593614f0c79c5ba3758ed79523b45f95de

[root@docker-node1 ~]# docker network ls

NETWORK ID NAME DRIVER SCOPE

fe4b1832ecca bridge bridge local

81e88a23fb22 host host local

cb9b2d5c2690 mynet1 bridge local

0ca32642ad25 none null local

12、docker容器间的网络通信

[root@docker-node1 ~]# docker network create mynet2 -d bridge
fba196630d53dc8efd1f8b4bebadaafcbc4ae2bffad2028a206a3cf3629e6285

[root@docker-node1 ~]# iptables -nL

[root@docker-node1 ~]# docker rm test1

test1

[root@docker-node1 ~]# docker rm webserver

webserver

/ # ping webserver
ping: bad address 'webserver'

##两个容器用不同的站

[root@docker-node1 ~]# docker network connect mynet1 webserver

###两个容器用同一个站

[root@docker-node1 ~]# docker rm test1

test1

[root@docker-node1 ~]# docker rm webserver

webserver

###走回环接口

[root@docker-node1 ~]# docker rm test1

test1

[root@docker-node1 ~]# docker rm webserver

webserver

[root@docker-node1 ~]# docker run -it --name webserver --network container:test1 centos:7

####mysql、php

[root@docker-node1 ~]# docker load -i mysql-5.7.tar.gz

[root@docker-node1 ~]# docker load -i phpmyadmin-latest.tar.gz

##暴露端口

13、docker中容器内外网访问原理

内网访问外网

[root@docker-node1 ~]# docker rm -f mysql
mysql

[root@docker-node1 ~]# docker rm -f mysqladmin

mysqladmin

[root@docker-node1 ~]# docker run -d --name test --rm nginx -p80:80
58183c0e503d65cf585a405df66412d67d9ea5825957f9d3101d7aff7992c295

注意:这里 -p80:80 写在镜像名 nginx 之后,会被当作传给 nginx 进程的参数,而不是 docker run 的端口映射选项,所以下面用 ps 查看时看不到 docker-proxy 进程。

[root@docker-node1 ~]# ps ax | grep docker-proxy
12095 pts/1 R+ 0:00 grep --color=auto docker-proxy

rhel9----默认nft

外网访问内网----haproxy、火墙策略双保险

[root@docker-node1 ~]# docker inspect test

[root@docker-node1 ~]# ps ax

14、docker中容器的跨主机通信

####实验环境 双主机双网卡

##docker-node2配置docker环境

##安装docker包

[root@docker-node2 ~]# ls
docker.tar.gz
[root@docker-node2 ~]# tar zxf docker.tar.gz
[root@docker-node2 ~]# ls
containerd.io-1.7.20-3.1.el9.x86_64.rpm
docker-buildx-plugin-0.16.2-1.el9.x86_64.rpm
docker-ce-27.1.2-1.el9.x86_64.rpm
docker-ce-cli-27.1.2-1.el9.x86_64.rpm
docker-ce-rootless-extras-27.1.2-1.el9.x86_64.rpm
docker-compose-plugin-2.29.1-1.el9.x86_64.rpm
docker.tar.gz
[root@docker-node2 ~]# dnf install *.rpm -y

##启动docker

[root@docker-node2 ~]# systemctl start docker
[root@docker-node2 ~]# docker info

###打开网卡混杂模式

eth1这款网卡在vmware中要设定为仅主机模式

[root@docker-node1 ~]# ip link set eth1 promisc on
[root@docker-node1 ~]# ip link set up eth1
[root@docker-node1 ~]# nmcli networking
enabled

[root@docker-node1 ~]# docker network create -d macvlan --subnet 4.4.4.0/24 \
> --gateway 4.4.4.4 \
> -o parent=eth1 mynet1

f17541a6acfc30394014da67d4c585c07a4eb372431633430970a81ee23869c5
[root@docker-node1 ~]# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
fe4b1832ecca   bridge    bridge    local
81e88a23fb22   host      host      local
f17541a6acfc   mynet1    macvlan   local
0ca32642ad25   none      null      local

 15、docker数据卷简介及bindmount模式

默认数据卷

[root@docker-node1 ~]# cd /var/lib/docker/
[root@docker-node1 docker]# ls
buildkit    engine-id  network   plugins   swarm  volumes
containers  image      overlay2  runtimes  tmp
[root@docker-node1 docker]#  cd volumes/

bind mount 数据卷------限制移植性

[root@docker-node1 volumes]# cd
[root@docker-node1 ~]# mkdir /lee
[root@docker-node1 ~]# touch /lee/leefile{1..5}
[root@docker-node1 ~]# ls /lee/
leefile1  leefile2  leefile3  leefile4  leefile5
[root@docker-node1 ~]# docker run -it --rm --name test -v /lee:/data1:rw -v /etc/passwd:/data2/passwd busybox
/ # ls
bin    data1  data2  dev    etc    home   lib    lib64  proc   root   sys    tmp    usr    var
/ # ls data1
leefile1  leefile2  leefile3  leefile4  leefile5
/ # touch data1/leefile6
/ # ls data1
leefile1  leefile2  leefile3  leefile4  leefile5  leefile6

/ #  vi /data2/passwd   读写挂载

此文件不能随意改动

[root@docker-node1 ~]# docker run -it --rm --name test -v /lee:/data1:rw -v /etc/passwd:/data2/passwd:ro busybox
/ # vi /data2/passwd

16、docker数据卷的managed模式

[root@docker-node1 ~]# docker run -d --rm --name mysql -e MYSQL_ROOT_PASSWORD=lee mysql:5.7
ed10fa495167c7bc8730a357cdcefc5d35925006f4d7c144f18e865f4b2854af
[root@docker-node1 ~]# docker ps
CONTAINER ID   IMAGE       COMMAND        CREATED      STATUS     PORTS            NAMES
ed10fa495167   mysql:5.7   "docker-entrypoint.s…"   4 seconds ago   Up 3 seconds   3306/tcp, 33060/tcp   mysql
[root@docker-node1 ~]# docker inspect mysql

清理未使用的 Docker 数据卷

[root@docker-node1 volumes]# docker volume create  mysqldate
mysqldate
[root@docker-node1 volumes]# ll /var/lib/docker/volumes/
总用量 32
drwx-----x 3 root root     19  9月 22 17:19 95bb492c95b5461dcffc96022974557c932cea36f721d7505fa                                          3b19a4e37726a
brw------- 1 root root 253, 0  9月 22 19:09 backingFsBlockDev
drwx-----x 3 root root     19  9月 23 17:24 d6cc0eddc22aaf80c5198e791b005cbee008e23abdc758374d9                                          d2d579c935cb1
-rw------- 1 root root  65536  9月 23 17:38 metadata.db
drwx-----x 3 root root     19  9月 23 17:38 mysqldate

[root@docker-node1 volumes]# docker rm -f mysql
mysql
[root@docker-node1 volumes]# docker run -d --rm --name mysql -e MYSQL_ROOT_PASSWORD=lee -v mysqldate:/var/lib/mysql mysql:5.7
e73e7fe026a57c57153e8db946685cef27d993e1eeb7132620d3e7cd5354e8ac
[root@docker-node1 volumes]# docker inspect mysql

[root@docker-node1 volumes]# cd mysqldate/
[root@docker-node1 mysqldate]# ls
_data
[root@docker-node1 mysqldate]# cd _data/
[root@docker-node1 _data]# ls
auto.cnf    ca.pem           client-key.pem  ibdata1      ib_logfile1  mysql       performance_schema  public_key.pem              ca-key.pem  client-cert.pem  ib_buffer_pool  ib_logfile0  ibtmp1       mysql.sock  private_key.pem     server-cert.

###保持持久化

mysql停止后数据还在

[root@docker-node1 _data]# docker stop mysql
mysql
[root@docker-node1 _data]# docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
[root@docker-node1 _data]# cd /var/lib/docker/volumes/
[root@docker-node1 volumes]# ls
95bb492c95b5461dcffc96022974557c932cea36f721d7505fa3b19a4e37726a  metadata.db
backingFsBlockDev                                                 mysqldate
d6cc0eddc22aaf80c5198e791b005cbee008e23abdc758374d9d2d579c935cb1
[root@docker-node1 volumes]# cd mysqldate/
[root@docker-node1 mysqldate]# ls
_data
[root@docker-node1 mysqldate]# cd _data/
[root@docker-node1 _data]# ls
auto.cnf    client-cert.pem  ibdata1      mysql               private_key.pem  server-key.pem
ca-key.pem  client-key.pem   ib_logfile0  mysql.sock          public_key.pem   sys
ca.pem      ib_buffer_pool   ib_logfile1  performance_schema  server-cert.pem

 ###删除数据卷

bind mount 数据卷和 docker managed 数据卷的对比

17、docker数据的备份及迁移

备份数据卷

 #建立容器并指定使用卷到要备份的容器

[root@docker ~]# docker run --volumes-from test \
-v `pwd`:/backup busybox \ # 把当前目录挂在到容器中用于和容器交互保存要备份的容器
tar zcf /backup/data1.tar.gz /data1 # 备份数据到本地

数据恢复

docker run -it --name test -v leevol1:/data1 -v `pwd`:/backup busybox /bin/sh -c "tar zxf /backup/data1.tar.gz;/bin/sh"
/ # ls
backup data1 etc lib proc sys usr
bin dev home lib64 root tmp var
/ # cd data1/ # 查看数据迁移情况
/data1 # ls
index.html leefile1

18、docker中容器的安全加固思路

Docker 的安全优化   docker---安全隔离   虚拟化---完全隔离

[root@docker-node2 ~]# mount -t cgroup
[root@docker-node2 ~]# mount -t cgroup2
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)

[root@docker-node1 ~]# grubby --update-kernel=/boot/vmlinuz-$(uname -r) --args="systemd.unified_cgroup_hierarchy=0 systemd.legacy_systemd_cgroup_controller"
[root@docker-node1 ~]# reboot
[root@docker-node2 ~]# grubby --update-kernel=/boot/vmlinuz-$(uname -r) --args="systemd.unified_cgroup_hierarchy=0 systemd.legacy_systemd_cgroup_controller"
[root@docker-node2 ~]# reboot

隔离机制 

查看id

[root@docker-node1 ~]# docker inspect test | grep Pid
            "Pid": 2337,
            "PidMode": "",
            "PidsLimit": null,
[root@docker-node1 31a23dcba6e722abfa35b88dcc4ead9bc5de6e7ee506c23c4900a01d1dc1a8ca]#  cat tasks
2337
2382
2383
2384
2385

19、docker中对容器资源限制的原理及对cpu资源限制的方法

限制cpu的使用量

[root@docker-node1 ~]# docker run -it --rm --name test \
> --cpu-period 100000 \
> --cpu-quota 20000 ubuntu

root@fec0c26dc0fa:/#  dd if=/dev/zero of=/dev/null &
[1] 9
root@fec0c26dc0fa:/# top

限制cpu的优先级

[root@docker-node1 cpu]# echo 0 > /sys/devices/system/cpu/cpu1/online
[root@docker-node1 cpu]# echo 0 > /sys/devices/system/cpu/cpu2/online
[root@docker-node1 cpu]# echo 0 > /sys/devices/system/cpu/cpu3/online

开启容器与其争抢

20、docker中对于内存使用的限制

 #####红帽9软件仓库解决办法

安装libcgroup

[root@docker-node1 ~]# dd if=/dev/zero of=/dev/shm/bigfile bs=1M count=200
记录了200+0 的读入
记录了200+0 的写出
209715200字节(210 MB,200 MiB)已复制,0.582844 s,360 MB/s
 

建立x1控制器

[root@docker-node1 x1]# echo 209715200 > memory.memsw.limit_in_bytes

[root@docker-node1 x1]# docker run -d  --name test   --memory 200M --memory-swap 200M nginx
af96d658fd6e1685cf9d8935022c7f3f9eef199bfc5712e0031ff4d4b72d928e
[root@docker-node1 x1]# docker ps
CONTAINER ID   IMAGE     COMMAND                   CREATED         STATUS         PORTS     NAMES
af96d658fd6e   nginx     "/docker-entrypoint.…"   3 seconds ago   Up 2 seconds   80/tcp    test

[root@docker-node1 ~]# cgexec -g memory:docker/af96d658fd6e1685cf9d8935022c7f3f9eef199bfc5712e0031ff4d4b72d928e/ \
> dd if=/dev/zero of=/dev/shm/bigfile bs=1M count=100
记录了100+0 的读入
记录了100+0 的写出
104857600字节(105 MB,100 MiB)已复制,0.319357 s,328 MB/s
[root@docker-node1 ~]# cgexec -g memory:docker/af96d658fd6e1685cf9d8935022c7f3f9eef199bfc5712e0031ff4d4b72d928e/ dd if=/dev/zero of=/dev/shm/bigfile bs=1M count=150
记录了150+0 的读入
记录了150+0 的写出
157286400字节(157 MB,150 MiB)已复制,0.183725 s,856 MB/s
[root@docker-node1 ~]# cgexec -g memory:docker/af96d658fd6e1685cf9d8935022c7f3f9eef199bfc5712e0031ff4d4b72d928e/ dd if=/dev/zero of=/dev/shm/bigfile bs=1M count=190
记录了190+0 的读入
记录了190+0 的写出
199229440字节(199 MB,190 MiB)已复制,0.169126 s,1.2 GB/s
[root@docker-node1 ~]# cgexec -g memory:docker/af96d658fd6e1685cf9d8935022c7f3f9eef199bfc5712e0031ff4d4b72d928e/ dd if=/dev/zero of=/dev/shm/bigfile bs=1M count=200
已杀死
[root@docker-node1 ~]#
 

[root@docker-node1 ~]# docker rm -f test
test

[root@docker-node1 ~]# docker run -d --name test1 --rm nginx
becc5c7be5df5ce1ae74b60370d9c31e169718ba434dc6f1ff28d15502713572
 [root@docker-node1 ~]# cgexec -g memory:docker/becc5c7be5df5ce1ae74b60370d9c31e169718ba434dc6f1ff28d15502713572/ dd if=/dev/zero of=/dev/shm/bigfile bs=1M count=200
记录了200+0 的读入
记录了200+0 的写出
209715200字节(210 MB,200 MiB)已复制,0.0727259 s,2.9 GB/s

[root@docker-node1 ~]# cgexec -g memory:docker/becc5c7be5df5ce1ae74b60370d9c31e169718ba434dc6f1ff28d15502713572/ dd if=/dev/zero of=/dev/shm/bigfile bs=1M count=500
记录了500+0 的读入
记录了500+0 的写出
524288000字节(524 MB,500 MiB)已复制,1.46611 s,358 MB/s

21、docker中对于磁盘io速率限制

###写数据位置

####运行速率

####限速

[root@docker-node1 ~]# docker run -it --rm --device-write-bps /dev/nvme0n1:30M ubuntu
root@127c406e7593:/# dd if=/dev/zero of=bigfile bs=1M count=500 oflag=direct
^C292+0 records in
292+0 records out
306184192 bytes (306 MB, 292 MiB) copied, 9.73781 s, 31.4 MB/s

22.docker容器的信息隔离

内存没有隔离开

###安装lxcfs  

####运行lxcfs并解决容器隔离性 

[root@docker-node1 mnt]# lxcfs /var/lib/lxcfs &

[root@docker-node1 mnt]# cd /var/lib/lxcfs/
[root@docker-node1 lxcfs]# ls
cgroup  proc  sys 

[root@docker-node1 lxcfs]# docker run -it --rm --name test \

-v /var/lib/lxcfs/proc/cpuinfo:/proc/cpuinfo:rw \

-v /var/lib/lxcfs/proc/diskstats:/proc/diskstats:rw       \          

-v /var/lib/lxcfs/proc/meminfo:/proc/meminfo:rw   \

-v /var/lib/lxcfs/proc/stat:/proc/stat:rw  \

-v /var/lib/lxcfs/proc/swaps:/proc/swaps:rw   \

-v /var/lib/lxcfs/proc/uptime:/proc/uptime:rw    \

-m 200M  \

ubuntu
root@0c3bf60890b9:/#

23.docker容器特权

使用容器时一些资源不能被修改

#####添加容器特权

 容器特权的白名单

24.docker-compose命令详解

[root@docker-node1 ~]# vim ~/.vimrc

[root@docker-node1 ~]# mkdir test
[root@docker-node1 ~]# cd test/
[root@docker-node1 test]# ls
[root@docker-node1 test]# vim docker-compose.yml

启动配置文件中定义的所有服务

 

可以使用 -d 参数在后台启动服务
可以使用-f 来指定yml文件

[root@docker-node1 test]# ls
docker-compose.yml
[root@docker-node1 test]# mv docker-compose.yml  timinglee.yml
[root@docker-node1 test]# ls
timinglee.yml
[root@docker-node1 test]# docker compose up -d
no configuration file provided: not found
[root@docker-node1 test]# docker compose -f timinglee.yml up -d
[+] Running 2/0
 ✔ Container test-testnode-1  Running                                                                             0.0s
 ✔ Container test-web-1       Running                   

docker-compose down : 停止并删除配置文件中定义的所有服务以及相关的网络和存储卷
docker-compose start :  启动已经存在的服务,但不会创建新的服务
docker-compose stop :   停止正在运行的服务
docker-compose restart :    重启服务

查看日志

构建和重新构建服务

[root@docker-node1 test]# cd /root/docker/
[root@docker-node1 docker]# ls
Dockerfile  leefile1  leefile3    nginx-1.22.1.tar.gz  nginx-1.26.2.tar.gz
leefile     leefile2  leefile.gz  nginx-1.23.tar.gz
[root@docker-node1 docker]# rm -fr /root/docker/*
[root@docker-node1 docker]# ls
[root@docker-node1 docker]# vim Dockerfile

[root@docker-node1 docker]# vim lee

[root@docker-node1 ~]# cd test/
[root@docker-node1 test]# ls
timinglee.yml
[root@docker-node1 test]# vim docker-compose.yml

[root@docker-node1 test]# docker compose down
[+] Running 3/3
 ✔ Container lee2        Removed                                                         10.2s
 ✔ Container lee1        Removed                                                         10.2s
 ✔ Network test_default  Removed                                                          0.3s
[root@docker-node1 test]# docker rmi test1
Untagged: test1:latest
Deleted: sha256:f59224b1ab289e217e27c834a55755a4fe1112ea361f406214cc6830e40de8da
[root@docker-node1 test]# docker rmi test2
Untagged: test2:latest
Deleted: sha256:a7b86343e8368d5ea65f55d502040869e830757473bd785a29ef50c40de1e81b

----可以指定构建

docker-compose pull
拉取配置文件中定义的服务所使用的镜像。
[root@docker test]# docker compose -f test.yml pull
[+] Pulling 2/2
test Pulled
ec562eabd705 Pull complete
docker-compose config
验证并查看解析后的 Compose 文件内容
[root@docker test]# docker compose -f test.yml config -q

25、docker容器编排中services用法

[root@docker-node1 ~]# cd test/
[root@docker-node1 test]# ls
docker-compose.yml  timinglee.yml
[root@docker-node1 test]# vim docker-compose.yml


[root@docker-node1 test]# docker compose up -d
WARN[0000] Found orphan containers ([lee2]) for this project. If you removed or                  renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
[+] Running 1/0
 ✔ Container lee1  Running                                                0.0s
[root@docker-node1 test]# docker ps
CONTAINER ID   IMAGE     COMMAND     CREATED        STATUS        PORTS     NAMES
2fa62fc9747a   test2     "/bin/sh -c 'sleep 1…"   19 hours ago   Up 19 hours             lee2
5e5b254285e6   test1     "/bin/sh -c 'sleep 1…"   19 hours ago   Up 19 hours             lee1
[root@docker-node1 test]# docker compose down
[+] Running 2/1
 ✔ Container lee1        Removed                                                                                 10.1s
 ! Network test_default  Resource is still in use                                                                 0.0s

[root@docker-node1 test]# vim docker-compose.yml 

端口映射(ports)

[root@docker-node1 test]# vim docker-compose.yml 

[root@docker-node1 test]# docker compose  down
[+] Running 2/2
 ✔ Container webserver   Removed                                                                                  0.2s
 ✔ Network test_default  Removed                                                                                    0.3s

环境变量(environment)

 [root@docker-node1 test]# vim docker-compose.yml 

[root@docker-node1 test]# docker compose up -d
[+] Running 2/2
 ✔ Network test_default    Created                                                                                0.3s
 ✔ Container test-test1-1  Started                                                                                0.3s
[root@docker-node1 test]# docker ps
CONTAINER ID   IMAGE       COMMAND      CREATED    STATUS         PORT          NAMES
a277a1238c73   mysql:5.7   "docker-entrypoint.s…"   5 seconds ago   Up 4 seconds   3306/tcp, 33060/tcp   test-test1-1
[root@docker-node1 test]# docker inspect test-test1-1

[root@docker-node1 test]# docker compose down
[+] Running 2/2
 ✔ Container test-test1-1  Removed                                                1.1s
 ✔ Network test_default    Removed                                                0.2s

存储卷(volumes)

 [root@docker-node1 test]# vim docker-compose.yml 


[root@docker-node1 test]# docker inspect test-test1-1

[root@docker-node1 test]# docker compose down
[+] Running 2/2
 ✔ Container test-test1-1  Removed                                                        1.6s
 ✔ Network test_default    Removed                                                        0.2s

网络(networks)

默认建立

 [root@docker-node1 test]# vim docker-compose.yml

#使用本机自带bridge网络

 [root@docker-node1 test]# vim docker-compose.yml

none

 [root@docker-node1 test]# vim docker-compose.yml

自定义

 [root@docker-node1 test]# vim docker-compose.yml

26、docker-compose 中网络设定

 [root@docker-node1 test]# vim docker-compose.yml

external: true # 不建立新的网络而使用外部资源
name: bridge # 指定外部资源网络名字

自建网络

[root@docker-node1 test]# vim docker-compose.yml

指定ip

[root@docker-node1 test]# vim docker-compose.yml

27、docker-compose中数据卷设定------持久化

[root@docker-node1 test]# vim docker-compose.yml 

28、dockercompose企业示例

[root@docker-node1 ~]#  mkdir /var/lib/docker/volumes/conf
[root@docker-node1 ~]# dnf install haproxy -y --downloadonly --downloaddir=/mnt
[root@docker-node1 mnt]# cd etc/
[root@docker-node1 etc]# ls
haproxy  logrotate.d  sysconfig
[root@docker-node1 etc]# cd haproxy/
[root@docker-node1 haproxy]# ls
conf.d  haproxy.cfg
[root@docker-node1 haproxy]# cp haproxy.cfg /var/lib/docker/volumes/conf/
[root@docker-node1 haproxy]# cd /var/lib/docker/volumes/conf/
[root@docker-node1 conf]# ls
haproxy.cfg
[root@docker-node1 conf]# vim haproxy.cfg
[root@docker-node1 ~]# docker images | grep haproxy
haproxy                             2.3       7ecd3fda00f4   2 years ago     99.4MB
[root@docker-node1 test]# vim docker-compose.yml

[root@docker-node1 test]# echo webserver1 > /var/lib/docker/volumes/data_web1/_data/index.html
[root@docker-node1 test]# echo webserver2 > /var/lib/docker/volumes/data_web2/_data/index.html
