Docker knowledge map
2021-06-17 15:58:20
Docker is an open platform for developing, shipping and running applications.
Installation (CentOS, yum)
Install yum-utils and the device-mapper/LVM packages
yum install -y yum-utils \
device-mapper-persistent-data \
lvm2
Add a package repository
Docker (official repository; the .repo file it installs sets gpgcheck=1 with the Docker GPG key, so packages are signature-checked)
yum-config-manager \
--add-repo \
https://download.docker.com/linux/centos/docker-ce.repo
Aliyun mirror (same repo mirrored; the URL below is plain http, so the repo definition, which is what decides gpgcheck and gpgkey, is fetched unauthenticated; use the https form of the URL)
yum-config-manager \
--add-repo \
http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
Enable a release channel (optional)
The stable channel is already enabled in the repo file; nightly and test are disabled. Enable docker-ce-nightly only on throw-away hosts, production machines stay on stable:
yum-config-manager --enable docker-ce-nightly
Install
yum install docker-ce docker-ce-cli containerd.io -y
Start the daemon
systemctl enable docker
systemctl start docker
Test
docker run -it hello-world
docker info
docker version
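Before running the package install above, check what the repo definition actually enables. The script below is an added example for this page, not a Docker or CentOS tool: it parses a yum .repo file the way yum reads it (section, key=value) and reports unsigned packages, a GPG key fetched over plain http, a disabled stable channel and an enabled nightly/test channel. The sample repo file it writes is constructed here to mirror the layout of docker-ce.repo (stable and nightly sections only); on a real host point check_docker_repo at /etc/yum.repos.d/docker-ce.repo.

```shell
# check_docker_repo FILE
# Parse a yum .repo file (INI style) and print one line per setting that
# weakens the install path: gpgcheck off, gpgkey over plain http, stable
# channel disabled, nightly/test channel enabled. Prints nothing when clean.
check_docker_repo() {
  awk '
    /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); seen[sec] = 1; next }
    /^[ \t]*(#|$)/ { next }
    index($0, "=") > 0 {
      key = substr($0, 1, index($0, "=") - 1)
      val = substr($0, index($0, "=") + 1)
      gsub(/[ \t]/, "", key)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      cfg[sec, key] = val
    }
    END {
      for (s in seen) {
        if (cfg[s, "gpgcheck"] != "1")
          print s ": gpgcheck is not 1, packages would install without signature verification"
        if (cfg[s, "gpgkey"] !~ /^https:\/\//)
          print s ": gpgkey is not fetched over https"
        if (s ~ /-(nightly|test)/ && cfg[s, "enabled"] == "1")
          print s ": pre-release channel is enabled"
      }
      if (cfg["docker-ce-stable", "enabled"] != "1")
        print "docker-ce-stable: stable channel is not enabled"
    }
  ' "$1"
}

# write_sample_repo FILE NIGHTLY_ENABLED
# Constructed sample with the same layout as docker-ce.repo (the real file also
# carries test and debuginfo sections). NIGHTLY_ENABLED=1 is what
# `yum-config-manager --enable docker-ce-nightly` does to the file.
write_sample_repo() {
  cat > "$1" <<EOF
[docker-ce-stable]
name=Docker CE Stable - \$basearch
baseurl=https://download.docker.com/linux/centos/\$releasever/\$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://download.docker.com/linux/centos/gpg

[docker-ce-nightly]
name=Docker CE Nightly - \$basearch
baseurl=https://download.docker.com/linux/centos/\$releasever/\$basearch/nightly
enabled=$2
gpgcheck=1
gpgkey=https://download.docker.com/linux/centos/gpg
EOF
}

# Usage on a real host: check_docker_repo /etc/yum.repos.d/docker-ce.repo
```

Run it after `yum-config-manager --add-repo` and again after any `--enable`; an empty result means the only packages yum will accept from that file are stable, signed ones.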
Architecture
Underlying technology
namespaces
pid
net
ipc
mnt
uts
cgroups
union file systems
Images
An image is a read-only template used to create Docker containers
Storage drivers
overlay2
overlay
aufs
devicemapper
zfs
vfs
Image registry
https://hub.docker.com/
Management
docker search
Search a registry for images
docker image pull
Pull an image
docker image ls
List local images
docker image history
Show the build history (layers and the commands that created them) of an image
docker image inspect
Show image metadata
docker image rm
Remove an image
docker image prune
Remove unused images
docker image tag
Set a tag on an image
docker image push
Push an image to a registry
docker image save
Export an image to a tar file
docker image load
Load an image from a tar file
docker image import
Import a container filesystem tar as an image
docker image build
Build an image from a Dockerfile
Containers
A container is a runnable instance of an image
Management
docker container run
Run a container
Common options
-i
Interactive (keep STDIN open)
-t
Allocate a pseudo-TTY
-d
Run in the background (detached)
--name
Container name
--rm
Remove the container automatically when it exits
-e
Set an environment variable (visible in docker inspect; not for secrets)
-p
Publish a port (host:container; 127.0.0.1:host:container keeps it off public interfaces)
-h
Set the hostname
--link
Link to another container (legacy; user-defined networks provide name resolution instead)
--add-host
Add entries to the container's /etc/hosts
--mount
Mount a volume, bind mount or tmpfs (explicit type=... syntax)
-v
Mount a volume or host directory
--restart
Restart policy
-m
Memory limit
--oom-kill-disable
Disable the OOM killer for this container (only together with -m, otherwise the host itself can run out of memory)
--cpus
Number of CPUs the container may use
--cpu-shares
CPU weight relative to other containers
--network
Network to attach the container to
docker create
Create a container without starting it
docker container ls
List containers
docker container inspect
Show container details
docker container exec
Run a command in a running container
docker container start
Start a container
docker container stop
Stop a container
docker container restart
Restart a container
docker container kill
Kill a container
docker container logs
View container logs
docker container rm
Remove a container
docker container prune
Remove all stopped containers
docker container top
Show the processes running in a container
docker container cp
Copy files between a container and the host
docker container port
List a container's port mappings
docker container rename
Rename a container
docker container stats
Show container resource usage
docker container export
Export a container's filesystem to a tar file
docker container commit
Commit a container as a new image
docker container update
Update a container's resource limits (CPU/memory)
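The run options above are also where most container breakouts get configured in. The two shell functions below are an added example, not part of this page or of Docker: audit_run_args walks the arguments of a docker run command and names each option that removes an isolation boundary (the rule list is this example's own), and hardened_run_flags prints the option set a hardened service would use instead, keeping the -m, --cpus, --restart, -p and --network options from the list above. Port, limits, uid and the app-net network name are illustrative assumptions.

```shell
# audit_run_args ARGS...
# Inspect the arguments of a `docker run` command (everything after `docker run`)
# and print one line per setting that removes an isolation boundary.
# Handles both `--flag value` and `--flag=value`. Always returns 0.
audit_run_args() {
  while [ $# -gt 0 ]; do
    arg=$1 val=""
    case "$arg" in
      --*=*) val=${arg#*=}; arg=${arg%%=*} ;;
      -v|--volume|--mount|--pid|--ipc|--net|--network|--userns|--cap-add|--security-opt)
        if [ $# -gt 1 ]; then val=$2; shift; fi ;;
    esac
    case "$arg" in
      --privileged) [ "$val" = false ] || echo "privileged: all capabilities, all host devices, no seccomp/AppArmor profile" ;;
      --pid)        [ "$val" != host ] || echo "pid=host: container sees and can signal every host process" ;;
      --ipc)        [ "$val" != host ] || echo "ipc=host: shares host shared-memory segments" ;;
      --net|--network) [ "$val" != host ] || echo "network=host: no network namespace, binds directly on host interfaces" ;;
      --userns)     [ "$val" != host ] || echo "userns=host: user-namespace remapping disabled" ;;
      --cap-add)
        case "$val" in
          ALL|SYS_ADMIN|SYS_PTRACE|SYS_MODULE|DAC_READ_SEARCH|NET_ADMIN)
            echo "cap-add $val: capability that is a known container-escape primitive" ;;
        esac ;;
      --security-opt)
        case "$val" in
          *unconfined*) echo "security-opt $val: seccomp or AppArmor confinement disabled" ;;
        esac ;;
      -v|--volume|--mount)
        case "$val" in
          /var/run/docker.sock:*|*src=/var/run/docker.sock*|*source=/var/run/docker.sock*)
            echo "docker.sock mounted: full control of the host daemon (root on the host)" ;;
          /:/*|*src=/,*|*source=/,*)
            echo "host root filesystem mounted: host files readable/writable from the container" ;;
        esac ;;
    esac
    shift
  done
  return 0
}

# hardened_run_flags
# Print, on one line, the options this example pairs with an image for a service
# that needs none of the settings above: read-only rootfs with a noexec tmpfs,
# no capabilities, no privilege escalation, bounded pids/memory/cpu, non-root uid,
# port bound to loopback only, attached to a user-defined network (assumed to exist).
hardened_run_flags() {
  printf '%s' \
    '-d --name app --restart unless-stopped -p 127.0.0.1:8080:8080' \
    ' --read-only --tmpfs /tmp:rw,noexec,nosuid,size=64m' \
    ' --cap-drop ALL --security-opt no-new-privileges --pids-limit 256' \
    ' --user 65534:65534 -m 512m --cpus 1.0 --network app-net'
  echo
}

# Usage: audit_run_args --privileged -v /:/host nginx
#        docker run $(hardened_run_flags) nginx:1.21.0
```

Wire audit_run_args into a CI step or a shell wrapper around docker and it turns the option list above into a policy: anything it prints needs a written justification before the container ships.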
Mounts
Types
volumes
Stored in Docker's managed volume area
Host directory
/var/lib/docker/volumes
bind mounts
Mount a directory from the host filesystem (the container sees the host path with the host's permissions; mount it read-only when the container only needs to read)
tmpfs
Held in host memory only, never written to disk
volumes
Management
docker volume create
Create a volume
docker volume inspect
Show volume details
docker volume ls
List volumes
docker volume rm
Remove a volume
docker volume prune
Remove unused volumes
Usage
--mount src=volumeName,dst=dpath
-v volumeName:dpath
bind mounts
Usage
--mount type=bind,src=spath,dst=dpath
-v spath:dpath
Networking
Network modes
bridge
host
none
container
User-defined bridge
Management
docker network create
docker network ls
docker network inspect
docker network rm
docker network prune
docker network connect
docker network disconnect
Usage
--network bridgeName | host | none | container:containerName
Dockerfile
Common instructions
FROM
Base image (pin a tag, or a digest with image@sha256:..., so builds are reproducible)
MAINTAINER
Maintainer information (deprecated; use LABEL maintainer=...)
RUN
Command executed while building the image
ADD
Copy files or directories into the image
Also auto-extracts local archives and downloads URLs; a URL fetched this way is not checksum-verified, so prefer COPY unless extraction is wanted
COPY
Copy files or directories into the image
ENV
Set container environment variables
EXPOSE
Declare the ports the container listens on
VOLUME
Declare a mount point
Creates and mounts an anonymous volume automatically
WORKDIR
Set the working directory
USER
User that RUN, CMD and ENTRYPOINT execute as (without it the container runs as root)
HEALTHCHECK
Health check
HEALTHCHECK --interval=5m --timeout=3s --retries=3 CMD command || exit 1
CMD
Command executed when the container starts
Can be overridden when running the container
ENTRYPOINT
Command executed when the container starts
Any command and arguments given at run time are passed to the ENTRYPOINT as its arguments
ARG
Define a build-time variable (values remain visible in docker image history, so never pass secrets this way)
Building an image
docker image build .
Options
-t
Image name
-f
Build file (Dockerfile path)
--build-arg
Build argument
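A small linter for the instruction notes above (unpinned FROM, MAINTAINER, ADD from a URL or archive, credentials in ENV/ARG, running as root, missing HEALTHCHECK), written as an added example for this page and not a Docker tool; the two Dockerfiles it writes are constructed samples, and the application paths, package and uid in them are arbitrary.

```shell
# lint_dockerfile FILE
# Print one line per pattern the instruction notes warn about. The rule list
# is this example's own; it is deliberately small and pattern-based.
lint_dockerfile() {
  f=$1
  # join backslash-continued lines, then drop comments and blank lines
  sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$f" | grep -Ev '^[[:space:]]*(#|$)' |
  while IFS= read -r line; do
    instr=$(printf '%s\n' "$line" | awk '{print toupper($1)}')
    arg1=$(printf '%s\n' "$line" | awk '{print $2}')
    case "$instr" in
      FROM)
        case "$arg1" in
          *@sha256:*) ;;                                  # pinned by digest
          *:latest)   echo "FROM $arg1: ':latest' floats between builds, pin a tag or digest" ;;
          *:*)        ;;                                  # pinned tag
          *)          echo "FROM $arg1: no tag, resolves to :latest" ;;
        esac ;;
      MAINTAINER) echo "MAINTAINER is deprecated, use LABEL maintainer=..." ;;
      ADD)
        case "$line" in
          *http://*|*https://*) echo "ADD from URL: fetched at build time without a checksum, COPY a verified file instead" ;;
          *.tar*|*.tgz*|*.zip*) echo "ADD of an archive auto-extracts it, use COPY unless extraction is intended" ;;
        esac ;;
      USER)
        case "$arg1" in root|0|"") echo "USER root: processes run as uid 0" ;; esac ;;
      ENV|ARG)
        case "$arg1" in
          *PASS*|*SECRET*|*TOKEN*|*KEY*) echo "$instr $arg1: value is stored in image metadata and shown by docker image history" ;;
        esac ;;
    esac
  done
  # whole-file checks, done outside the pipeline so they are not lost in its subshell
  grep -Eqi '^[[:space:]]*USER[[:space:]]' "$f" || echo "no USER instruction: container runs as root"
  grep -Eqi '^[[:space:]]*HEALTHCHECK' "$f" || echo "no HEALTHCHECK: orchestrator cannot tell a hung service from a healthy one"
  return 0
}

# write_sample_dockerfiles DIR
# Constructed samples: Dockerfile.weak hits every rule, Dockerfile.hardened none.
write_sample_dockerfiles() {
  cat > "$1/Dockerfile.weak" <<'EOF'
FROM python
MAINTAINER someone@example.com
ADD https://example.com/app.tar.gz /opt/
ENV DB_PASSWORD=hunter2
RUN pip install \
    flask
USER root
CMD ["python", "/opt/app/app.py"]
EOF
  cat > "$1/Dockerfile.hardened" <<'EOF'
FROM python:3.9-slim
LABEL maintainer="someone@example.com"
COPY app.tar.gz /opt/
RUN tar -xzf /opt/app.tar.gz -C /opt && rm /opt/app.tar.gz \
    && pip install --no-cache-dir flask
HEALTHCHECK --interval=30s --timeout=3s --retries=3 CMD python -c "import urllib.request as u; u.urlopen('http://127.0.0.1:8080/health')" || exit 1
USER 65534:65534
CMD ["python", "/opt/app/app.py"]
EOF
}

# Usage: lint_dockerfile ./Dockerfile
```

The hardened file keeps the archive verified at COPY time (it is part of the build context, so it can be checksummed before the build), extracts it in a RUN step where the result is visible in the layer, and drops to an unprivileged uid before CMD.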
docker-compose
Defines a group of related application containers in a docker-compose.yaml template file and manages them as one project
Concepts
Service
One application container, which may run as several container instances
Project
A complete business unit made up of a group of related containers
docker-compose.yaml
github
https://github.com/docker/compose
Installation (verify the downloaded binary against the .sha256 file published with the same release before making it executable; curl -L follows redirects and will save whatever it is given)
curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose --version
Resource file
docker-compose.yaml
Example
version: "3"
services:
  web:
    build: .
    depends_on:
      - redis
    ports:
      - "8888:80"
  redis:
    image: redis
version
Compose file format version
services
Service definitions
services.name
Service name
services.name.build
Build the service image from a Dockerfile
services.name.build.context
Directory containing the Dockerfile (build context)
services.name.build.dockerfile
Dockerfile file name
services.name.build.args
Build arguments (Dockerfile ARG values)
services.name.image
Run the service from an existing image
services.name.ports
Published ports (host:container)
services.name.depends_on
Service dependencies (controls start order only; does not wait for the dependency to be ready)
services.name.cap_add
Add Linux capabilities
services.name.cap_drop
Drop Linux capabilities (cap_drop: [ALL] plus the few cap_add entries the process needs is the usual pattern)
services.name.command
Override the container command
services.name.container_name
Container name
services.name.dns
DNS server list
services.name.tmpfs
Mount a tmpfs filesystem into the container
services.name.env_file
Environment variable file list
services.name.environment
Environment variables (visible in docker inspect; use secrets for credentials)
services.name.expose
Expose ports to linked services only (not published to the host)
services.name.extra_hosts
Extra /etc/hosts entries
services.name.healthcheck
Health check
services.name.healthcheck.test
services.name.healthcheck.interval
services.name.healthcheck.timeout
services.name.healthcheck.retries
services.name.labels
Container labels
services.name.logging
Logging
services.name.logging.driver
syslog
json-file
none
services.name.logging.options
syslog
syslog-address
json-file
max-size
max-file
services.name.network_mode
Network mode
bridge
host
service:service_name
container:container_name
services.name.networks
Networks the container joins
services.name.pid
Share the host PID namespace with the container
host
services.name.secrets
Secrets list (mounted as files under /run/secrets in the container)
services.name.stop_signal
Signal used to stop the container
services.name.sysctls
Kernel parameters
services.name.ulimits
ulimit settings
services.name.volumes
Volume mounts
services.name.entrypoint
Override the container entrypoint
services.name.user
User the application runs as
services.name.working_dir
Working directory
services.name.domainname
Domain name
services.name.hostname
Hostname
services.name.mac_address
MAC address
services.name.privileged
Run the container in privileged mode (all capabilities and all host devices; avoid unless the workload genuinely needs it)
true
services.name.restart
Restart policy
always
unless-stopped
on-failure
"no" (the default; must be quoted in YAML)
services.name.read_only
Mount the root filesystem read-only (the container cannot modify its own image contents; add tmpfs for paths that must be writable)
true
services.name.stdin_open
Keep STDIN open (equivalent to docker run -i)
true
services.name.tty
Allocate a pseudo-TTY (equivalent to docker run -t)
true
networks (top-level key)
Define networks
volumes (top-level key)
Define named volumes
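The same service written twice with the keys above, as an added example that is not taken from the page or from Compose: app-weak stacks privileged, pid: host, network_mode: host, a docker.sock bind mount and a password in environment; app keeps the defaults and adds user, read_only, tmpfs, cap_drop, security_opt, a file-backed secret and a healthcheck. The image name reuses the registry from the Harbor section below; the health endpoint, the uid and the presence of curl in the image are assumptions.

```yaml
version: "3.7"
services:
  # Weak: every setting below hands the container a host boundary
  app-weak:
    image: registry.silence.com/test/app:v1
    privileged: true           # all capabilities, all devices, no seccomp profile
    pid: host                  # can see and signal host processes
    network_mode: host         # no network namespace, binds on host interfaces
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock   # root on the host via the daemon API
    environment:
      - DB_PASSWORD=hunter2    # visible in docker inspect and in any copy of this file

  # Hardened: same application, boundaries kept
  app:
    image: registry.silence.com/test/app:v1
    user: "65534:65534"        # non-root uid:gid
    read_only: true            # image contents cannot be modified at run time
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=64m
    cap_drop:
      - ALL                    # add back individual capabilities only if required
    security_opt:
      - no-new-privileges:true # setuid binaries cannot raise privileges
    ports:
      - "127.0.0.1:8080:8080"  # loopback only; put a reverse proxy in front
    networks:
      - app-net
    secrets:
      - db_password            # mounted at /run/secrets/db_password, not in the environment
    healthcheck:
      test: ["CMD", "curl", "-f", "http://127.0.0.1:8080/health"]
      interval: 30s
      timeout: 3s
      retries: 3
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"

networks:
  app-net:

secrets:
  db_password:
    file: ./db_password.txt    # keep this file out of version control
```

Run `docker-compose config` after editing: it resolves and prints the file, so a typo such as `read-only` instead of `read_only` shows up as an unknown key instead of silently doing nothing.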
Commands
docker-compose config
Validate the docker-compose.yaml and print the resolved configuration
docker-compose build
Build images
docker-compose up
Create and start containers
-d (run in the background)
docker-compose images
List images
docker-compose exec
Run a command in a running service container
docker-compose logs
View logs
docker-compose port
Show a port mapping
docker-compose ps
List containers
docker-compose stop
Stop services
docker-compose start
Start services
docker-compose restart
Restart services
docker-compose scale
Set the number of containers for a service (deprecated; use docker-compose up --scale service=N)
docker-compose top
Show running processes
docker-compose run
Run a one-off command in a service container
docker-compose down
Stop and remove containers and networks (add -v to remove named volumes as well)
docker-compose pull
Pull images
docker-compose push
Push images to the registry
Self-hosted private registry
harbor
https://github.com/goharbor/harbor
Downloads
https://github.com/goharbor/harbor/releases
Deployment
Installation guide
https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md
Install Docker
Install docker-compose
Generate TLS certificates (as written below the certificates carry no subjectAltName and are valid for 100 years; Go 1.15 and later, which recent Docker releases are built with, no longer match the hostname against the CN alone, so add a SAN for registry.silence.com and use a bounded validity)
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 36500 \
-subj "/C=CN/ST=XI'AN/L=XI'AN/O=silence/OU=personal/CN=ca.com" \
-key ca.key \
-out ca.crt
openssl genrsa -out server.key 4096
openssl req -sha512 -new \
-subj "/C=CN/ST=XI'AN/L=XI'AN/O=silence/OU=personal/CN=registry.silence.com" \
-key server.key \
-out server.csr
openssl x509 -req -sha512 -days 36500 \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in server.csr \
-out server.crt
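Certificate generation with the two fixes noted above, as an added example that replaces the page's openssl commands rather than Harbor's own procedure: the hostname goes into a subjectAltName, the CA gets explicit basicConstraints and key usage, and validity is bounded (10 years for the CA, 825 days for the server certificate). Directory and hostname are parameters; the OpenSSL config file it writes is this example's own.

```shell
# gen_registry_certs DIR HOSTNAME
# Create a private CA and a CA-signed server certificate for HOSTNAME under DIR,
# then verify the chain the way a client would and print the SAN.
gen_registry_certs() {
  dir=$1 host=$2
  # Minimal OpenSSL config: no prompts, explicit CA and server extensions
  cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Private CA for $host
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  # CA key and self-signed CA certificate (10 years)
  openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -key "$dir/ca.key" \
    -config "$dir/openssl.cnf" -extensions v3_ca -out "$dir/ca.crt"
  # Server key, CSR with the registry hostname as CN, CA-signed certificate with SAN (825 days)
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/server.key" -config "$dir/openssl.cnf" \
    -subj "/CN=$host" -out "$dir/server.csr"
  openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/openssl.cnf" -extensions v3_server -out "$dir/server.crt"
  chmod 600 "$dir/ca.key" "$dir/server.key"
  # Chain check plus the SAN line a Go/Docker client will match against
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt"
  openssl x509 -in "$dir/server.crt" -noout -text | grep -A1 'Subject Alternative Name'
}

# Usage: gen_registry_certs /opt/pki registry.silence.com
```

Point harbor.yml's https.certificate and https.private_key at server.crt and server.key; ca.key never needs to leave the signing host, and ca.crt is what clients install to trust the registry.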
Configure harbor.yml (the file Harbor 1.9 reads; below are the shipped defaults with hostname and certificate paths filled in)
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: registry.silence.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /opt/pki/server.crt
  private_key: /opt/pki/server.key

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor12345

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: root123
  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_idle_conns: 50
  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  # Note: the default number of connections is 100 for postgres.
  max_open_conns: 100

# The default data volume
data_volume: /data

# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#   # of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
#   ca_bundle:

#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disabled: false

# Clair configuration
clair:
  # The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
  updaters_interval: 12

jobservice:
  # Maximum number of job workers in job service
  max_job_workers: 10

notification:
  # Maximum retry count for webhook job
  webhook_job_max_retry: 10

chart:
  # Change the value of absolute_url to enabled can enable absolute url in chart
  absolute_url: disabled

# Log configurations
log:
  # options are debug, info, warning, error, fatal
  level: info
  # configs for logs in local storage
  local:
    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
    rotate_count: 50
    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
    # are all valid.
    rotate_size: 200M
    # The directory on your host that store log
    location: /var/log/harbor

  # Uncomment following lines to enable external syslog endpoint.
  # external_endpoint:
  #   # protocol used to transmit log to external endpoint, options is tcp or udp
  #   protocol: tcp
  #   # The host of external endpoint
  #   host: localhost
  #   # Port of external endpoint
  #   port: 5140

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 1.9.0

# Uncomment external_database if using external database.
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#     max_idle_conns: 2
#     max_open_conns: 0
#   clair:
#     host: clair_db_host
#     port: clair_db_port
#     db_name: clair_db_name
#     username: clair_db_username
#     password: clair_db_password
#     ssl_mode: disable
#   notary_signer:
#     host: notary_signer_db_host
#     port: notary_signer_db_port
#     db_name: notary_signer_db_name
#     username: notary_signer_db_username
#     password: notary_signer_db_password
#     ssl_mode: disable
#   notary_server:
#     host: notary_server_db_host
#     port: notary_server_db_port
#     db_name: notary_server_db_name
#     username: notary_server_db_username
#     password: notary_server_db_password
#     ssl_mode: disable

# Uncomment external_redis if using external Redis server
# external_redis:
#   host: redis
#   port: 6379
#   password:
#   # db_index 0 is for core, it's unchangeable
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3

# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
#   ca_file: /path/to/ca

# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
  http_proxy:
  https_proxy:
  no_proxy: 127.0.0.1,localhost,.local,.internal,log,db,redis,nginx,core,portal,postgresql,jobservice,registry,registryctl,clair
  components:
    - core
    - jobservice
    - clair
Keys to edit before running ./prepare
hostname
https (certificate, private_key)
harbor_admin_password (replace the Harbor12345 default, it is only applied on first install; also replace database.password root123)
Prepare
./prepare
Install
./install.sh
Check
docker-compose ps
Access
https://10.1.0.202 (the certificate is issued for registry.silence.com, so browsers and the docker client warn when the IP is used; add the hosts entry below and use https://registry.silence.com)
Usage (on a client host)
Map the hostname to the IP
/etc/hosts
echo "10.1.0.202 registry.silence.com" >> /etc/hosts
Install the certificate for the Docker daemon (per-registry trust under /etc/docker/certs.d; copying ca.crt instead of server.crt keeps working when the server certificate is renewed)
mkdir -p /etc/docker/certs.d/registry.silence.com/
scp root@10.1.0.202:/opt/pki/server.crt /etc/docker/certs.d/registry.silence.com/
Log in
docker login registry.silence.com
Tag the image for the registry
docker image tag nginx:latest registry.silence.com/test/nginx:v1
Push the image
docker push registry.silence.com/test/nginx:v1