Docker (Part 2)
1. Building and configuring a Harbor private registry
Install Docker
```bash
#!/bin/bash
apt update
# Install dependencies
apt install -y \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg \
    lsb-release \
    software-properties-common
# Import the repository signing key.
# Note: the key is fetched over plain HTTP and apt-key is deprecated on current Ubuntu releases;
# compare the fingerprint shown by `apt-key fingerprint` with the one Docker publishes before trusting the repo.
curl -fsSL http://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=$(dpkg --print-architecture)] http://mirrors.aliyun.com/docker-ce/linux/ubuntu \
  $(lsb_release -cs) stable"
apt update
# apt-cache madison docker-ce
apt -y install docker-ce=5:19.03.15~3-0~ubuntu-$(lsb_release -cs) \
    docker-ce-cli=5:19.03.15~3-0~ubuntu-$(lsb_release -cs)
# Disable the firewall (Ubuntu ships ufw rather than firewalld; adjust for your host)
systemctl disable firewalld && systemctl stop firewalld
# Add IP and hostname to /etc/hosts
cat >> /etc/hosts <<EOF
`hostname -I|awk '{print $1}'` `hostname`
EOF
# Kernel parameter tuning
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sudo sysctl --system
# Set Docker's cgroup driver.
# Docker's default cgroup driver is cgroupfs (see `docker info`). If cgroupDriver is not set in
# KubeletConfiguration, kubeadm defaults to systemd, so Docker must be switched to systemd as well.
# Configure Docker Hub registry mirrors (note that hub-mirror.c.163.com is listed over plain HTTP).
cat <<EOF >/etc/docker/daemon.json
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "registry-mirrors": ["https://ung2thfc.mirror.aliyuncs.com", "https://registry.docker-cn.com", "http://hub-mirror.c.163.com", "https://docker.mirrors.ustc.edu.cn"]
}
EOF
systemctl daemon-reload
systemctl restart docker
# Disable swap: comment out the swap line in /etc/fstab
sed -ri 's/(^[^#]*swap)/#\1/' /etc/fstab
echo 'swapoff -a' >> /etc/profile
swapoff -a
# Modify grub
sed -i '/GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"/c GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0 cgroup_enable=memory swapaccount=1"' /etc/default/grub
update-grub
reboot
```
Install docker-compose

```bash
# Install pip
apt install python3-pip -y
# Install docker-compose
pip3 install -i https://pypi.tuna.tsinghua.edu.cn/simple docker-compose
```

Install Harbor
Reference: https://goharbor.io/docs/2.5.0/install-config/download-installer/
- Download the installer package

Download URL: https://github.com/goharbor/harbor/releases/download/v2.4.3/harbor-offline-installer-v2.4.3.tgz (the same release page carries a detached `.asc` signature for the tarball; verify it before extracting).
- Extract Harbor

```bash
tar xvf harbor-offline-installer-v2.4.3.tgz -C /usr/local/src
```

- Configure the harbor.yml file
```bash
cd /usr/local/src/harbor
#egrep -v '^\s*#|^$' harbor.yml.tmpl > harbor.yml
cp harbor.yml.tmpl harbor.yml
```

Edit hostname, harbor_admin_password, database and the other settings to match your environment. Note that the template defaults for the admin password (Harbor12345) and the database password (root123) are public; change both before running the installer.

If no HTTPS certificate is available, comment out the https block. Harbor itself warns during install that HTTP is insecure and deprecated: `docker login` credentials and every image layer then travel in plaintext, and each client has to be configured with `insecure-registries`. The preferred alternative is to point `https.certificate` and `https.private_key` at a certificate, even one issued by an internal CA, and distribute that CA to clients as `/etc/docker/certs.d/<host>:<port>/ca.crt`.

```bash
sed -i "s/hostname: reg.mydomain.com/hostname: `hostname -I|awk '{print $1}'`/" harbor.yml
```

```yaml
[root@harbor harbor]#egrep -v '^\s*#|^$' harbor.yml
hostname: 10.0.0.22
http:
  port: 80
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data
trivy:
  ignore_unfixed: false
  skip_update: false
  offline_scan: false
  insecure: false
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.4.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
```
- Run the Harbor installation script

```text
[root@harbor harbor]#./install.sh

[Step 0]: checking if docker is installed ...

Note: docker version: 19.03.15

[Step 1]: checking docker-compose is installed ...
/usr/lib/python3/dist-packages/requests/__init__.py:89: RequestsDependencyWarning: urllib3 (1.26.12) or chardet (3.0.4) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "

Note: docker-compose version: 1.29.2

[Step 2]: loading Harbor images ...
c84d341a47f7: Loading layer [==================================================>]  37.68MB/37.68MB
......
Loaded image: goharbor/nginx-photon:v2.4.3
a3e0b41de875: Loading layer [==================================================>]  5.75MB/5.75MB
......
Loaded image: goharbor/chartmuseum-photon:v2.4.3

[Step 3]: preparing environment ...

[Step 4]: preparing harbor configs ...
prepare base dir is set to /usr/local/src/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
/usr/lib/python3/dist-packages/requests/__init__.py:89: RequestsDependencyWarning: urllib3 (1.26.12) or chardet (3.0.4) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "

[Step 5]: starting Harbor ...
/usr/lib/python3/dist-packages/requests/__init__.py:89: RequestsDependencyWarning: urllib3 (1.26.12) or chardet (3.0.4) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-db ... done
Creating harbor-portal ... done
Creating registryctl ... done
Creating redis ... done
Creating registry ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
```

After installation a docker-compose.yml file is generated:

```text
[root@harbor harbor]#ls /usr/local/src/harbor/
LICENSE  common  common.sh  docker-compose.yml  harbor.v2.4.3.tar.gz  harbor.yml  harbor.yml.tmpl  install.sh  prepare
```
- To change the configuration later, run prepare

```bash
# Edit the harbor.yml configuration file
[root@harbor harbor]# vim /usr/local/src/harbor/harbor.yml
# Run prepare to regenerate the component configs
[root@harbor harbor]#/usr/local/src/harbor/prepare
```
- List local images

```text
[root@harbor harbor]#docker images
REPOSITORY                      TAG      IMAGE ID       CREATED        SIZE
goharbor/harbor-exporter        v2.4.3   776ac6ee91f4   3 months ago   81.5MB
goharbor/chartmuseum-photon     v2.4.3   f39a9694988d   3 months ago   172MB
goharbor/redis-photon           v2.4.3   b168e9750dc8   3 months ago   154MB
goharbor/trivy-adapter-photon   v2.4.3   a406a715461c   3 months ago   251MB
goharbor/notary-server-photon   v2.4.3   da89404c7cf9   3 months ago   109MB
goharbor/notary-signer-photon   v2.4.3   38468ac13836   3 months ago   107MB
goharbor/harbor-registryctl     v2.4.3   61243a84642b   3 months ago   135MB
goharbor/registry-photon        v2.4.3   9855479dd6fa   3 months ago   77.9MB
goharbor/nginx-photon           v2.4.3   0165c71ef734   3 months ago   44.4MB
goharbor/harbor-log             v2.4.3   57ceb170dac4   3 months ago   161MB
goharbor/harbor-jobservice      v2.4.3   7fea87c4b884   3 months ago   219MB
goharbor/harbor-core            v2.4.3   d864774a3b8f   3 months ago   197MB
goharbor/harbor-portal          v2.4.3   85f00db66862   3 months ago   53.4MB
goharbor/harbor-db              v2.4.3   7693d44a2ad6   3 months ago   225MB
goharbor/prepare                v2.4.3   c882d74725ee   3 months ago   268MB
```

- Check listening ports
```text
[root@harbor harbor]#ss -ntl
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       64             0.0.0.0:2049         0.0.0.0:*
LISTEN  0       4096         127.0.0.1:1514         0.0.0.0:*
LISTEN  0       4096           0.0.0.0:54861        0.0.0.0:*
LISTEN  0       64             0.0.0.0:37775        0.0.0.0:*
LISTEN  0       4096           0.0.0.0:50383        0.0.0.0:*
LISTEN  0       4096           0.0.0.0:111          0.0.0.0:*
LISTEN  0       4096     127.0.0.53%lo:53           0.0.0.0:*
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096           0.0.0.0:39353        0.0.0.0:*
LISTEN  0       128          127.0.0.1:6010         0.0.0.0:*
LISTEN  0       64                [::]:34879           [::]:*
LISTEN  0       64                [::]:2049            [::]:*
LISTEN  0       4096              [::]:33513           [::]:*
LISTEN  0       4096              [::]:111             [::]:*
LISTEN  0       4096                 *:80                 *:*
LISTEN  0       4096              [::]:39537           [::]:*
LISTEN  0       4096              [::]:41683           [::]:*
LISTEN  0       128               [::]:22              [::]:*
LISTEN  0       128              [::1]:6010            [::]:*
```

Of these, `*:80` is Harbor's nginx front end on every interface and `127.0.0.1:1514` is the harbor-log syslog endpoint, bound to loopback only; the remaining ports (NFS, rpcbind, sshd) belong to the host, not Harbor.

- Log in to the Harbor web UI

Username: admin
Password: Harbor12345 (the harbor.yml default; change it on first login if it was not changed before install)
- Management UI home page

Upload images
- Configure the Docker daemon to connect to the Harbor registry

Note: when connecting to Harbor over HTTP the following setting is mandatory; without it the Docker client insists on TLS and `docker login`/`docker push` fail with "http: server gave HTTP response to HTTPS client". Be aware of what the setting does: for the listed registry dockerd falls back to plaintext and also ignores certificate errors if the registry does present a certificate.

```bash
# Add the Harbor registry to the daemon configuration
[root@harbor harbor]#cat /etc/docker/daemon.json
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "registry-mirrors": ["https://ung2thfc.mirror.aliyuncs.com", "https://registry.docker-cn.com", "http://hub-mirror.c.163.com", "https://docker.mirrors.ustc.edu.cn"],
  "insecure-registries": ["10.0.0.22:80"]
}
# Restart Docker
[root@harbor harbor]#systemctl restart docker
```

Alternatively, add `--insecure-registry` to the service unit. Use one method or the other, not both: dockerd refuses to start when the same option is given both as a flag and in daemon.json.

```bash
[root@harbor harbor]#vim /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 10.0.0.22
# Restart Docker
[root@harbor1 harbor]#systemctl daemon-reload
[root@harbor1 harbor]#systemctl restart docker
```

Restart Harbor, whose containers were stopped along with dockerd. (Harbor keeps its state in bind mounts under data_volume, so `down -v` does not delete registry data.)

```bash
[root@harbor harbor]#ls
LICENSE  common  common.sh  docker-compose.yml  harbor.v2.4.3.tar.gz  harbor.yml  harbor.yml.tmpl  install.sh  prepare
# Stop Harbor
[root@harbor harbor]#docker-compose down -v
# Start Harbor
[root@harbor harbor]#docker-compose up -d
```
- Log in to Harbor

```text
[root@harbor harbor]#docker login 10.0.0.22:80
Username: admin
Password:        #Harbor12345
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
```

The warning is literal: without a credential helper the password is kept base64-encoded (not encrypted) in /root/.docker/config.json, readable by anyone with access to the file, and over HTTP it also crosses the network as a plaintext Basic auth header.
- Upload the image: first import it on the Harbor host
```text
# Export the nginx image built earlier and copy it to the Harbor server
# (docker save writes a plain tar; the .gz suffix here is only a name)
[root@docker ~]#docker images
REPOSITORY   TAG   IMAGE ID       CREATED      SIZE
nginx        v1    64370d6d6ee0   4 days ago   607MB
......
[root@docker ~]#docker save nginx:v1 > /opt/test-nginx.tar.gz
[root@docker ~]#scp /opt/test-nginx.tar.gz 10.0.0.22:/opt/
test-nginx.tar.gz                                   100%  592MB  95.9MB/s   00:06
# Load the nginx image on the Harbor server
[root@harbor harbor]#docker load </opt/test-nginx.tar.gz
174f56854903: Loading layer [==================================================>]  211.7MB/211.7MB
2f73541ad3ee: Loading layer [==================================================>]  385.1MB/385.1MB
2ecc78d434d9: Loading layer [==================================================>]  6.579MB/6.579MB
da35a500cd65: Loading layer [==================================================>]  16.7MB/16.7MB
b7e2706360c6: Loading layer [==================================================>]  4.096kB/4.096kB
5ebbae150dfc: Loading layer [==================================================>]  383.5kB/383.5kB
Loaded image: nginx:v1
```

- Verify that the image was imported
```text
[root@harbor harbor]#docker images
REPOSITORY                      TAG      IMAGE ID       CREATED        SIZE
nginx                           v1       64370d6d6ee0   4 days ago     607MB
goharbor/harbor-exporter        v2.4.3   776ac6ee91f4   3 months ago   81.5MB
goharbor/chartmuseum-photon     v2.4.3   f39a9694988d   3 months ago   172MB
goharbor/redis-photon           v2.4.3   b168e9750dc8   3 months ago   154MB
goharbor/trivy-adapter-photon   v2.4.3   a406a715461c   3 months ago   251MB
......
```

- Tag the image, i.e. rename it in the form Harbor expects: `Harbor IP:Port/project/image:tag`. A name without the Harbor host prefix is pushed to Docker Hub rather than to Harbor, and one without a project component is rejected by Harbor.
```text
[root@harbor harbor]#docker tag nginx:v1 10.0.0.22:80/nginx/test-nginx:v1
[root@harbor harbor]#docker images
REPOSITORY                      TAG      IMAGE ID       CREATED        SIZE
10.0.0.22:80/nginx/test-nginx   v1       64370d6d6ee0   4 days ago     607MB
nginx                           v1       64370d6d6ee0   4 days ago     607MB
goharbor/harbor-exporter        v2.4.3   776ac6ee91f4   3 months ago   81.5MB
goharbor/chartmuseum-photon     v2.4.3   f39a9694988d   3 months ago   172MB
```

- Create the project in the Harbor web UI (the project must exist before the push, otherwise it fails)
- Push the image to Harbor
```text
[root@harbor harbor]#docker push 10.0.0.22:80/nginx/test-nginx:v1
The push refers to repository [10.0.0.22:80/nginx/test-nginx]
5ebbae150dfc: Pushed
b7e2706360c6: Pushed
da35a500cd65: Pushed
2ecc78d434d9: Pushed
2f73541ad3ee: Pushed
174f56854903: Pushed
v1: digest: sha256:ae893c5462b52fe51a34ee0a39c3c3cc7316854089242d4c0ad733c1c9c27539 size: 1579
```

- Log in to the Harbor web UI and verify that the image was pushed
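The tagging rule above is easy to get wrong silently: `docker push nginx:v1` does not fail, it simply goes to Docker Hub. The following Python script is an added example (not code from the original post, Harbor or Docker) that parses an image reference the way the Docker client does and reports where a push would land. The grammar it implements is Docker's documented rule that the first path component is a registry only if it contains a dot or colon or is `localhost`; the `harbor_push_target` helper and its messages are this example's own, and the Harbor host `10.0.0.22:80` is the one from the post.

```python
"""Parse Docker image references and check whether they target a Harbor project.

Added example; not code from the original post, Harbor or Docker. Follows the
documented reference grammar: registry host only if the first component has a
'.' or ':' or is 'localhost'; otherwise docker.io, with 'library/' implied for
single-component names.
"""
import re
from typing import Dict, Optional

DEFAULT_REGISTRY = "docker.io"
DEFAULT_TAG = "latest"
_TAG_RE = re.compile(r"^[\w][\w.-]{0,127}$")
_DIGEST_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*:[0-9a-fA-F]{32,}$")


def parse_image_ref(ref: str) -> Dict[str, Optional[str]]:
    """Split REF into registry, repository path, project, name, tag and digest."""
    name, digest = ref, None
    if "@" in name:
        name, digest = name.split("@", 1)
        if not _DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {ref!r}")

    # A ':' after the last '/' separates the tag; a ':' before it is a registry port.
    tag = None
    last_slash, colon = name.rfind("/"), name.rfind(":")
    if colon > last_slash:
        name, tag = name[:colon], name[colon + 1:]
        if not _TAG_RE.match(tag):
            raise ValueError(f"malformed tag in {ref!r}")

    first, _, rest = name.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = DEFAULT_REGISTRY, name
        if "/" not in path:
            path = "library/" + path  # official images on Docker Hub

    if digest is None and tag is None:
        tag = DEFAULT_TAG
    components = path.split("/")
    return {
        "registry": registry,
        "repository": path,
        "project": components[0] if len(components) > 1 else None,
        "name": components[-1],
        "tag": tag,
        "digest": digest,
    }


def harbor_push_target(ref: str, harbor_host: str) -> str:
    """Describe where `docker push REF` goes relative to the Harbor at HARBOR_HOST.

    Harbor addresses repositories as <project>/<name>, so a reference that does
    not name the Harbor host goes elsewhere, and one with no project component
    cannot be stored by Harbor at all.
    """
    parsed = parse_image_ref(ref)
    if parsed["registry"] != harbor_host:
        return f"not Harbor: pushes to {parsed['registry']}/{parsed['repository']}"
    if parsed["project"] is None:
        return "Harbor host but no <project>/ component: push is rejected"
    return f"project={parsed['project']} repo={parsed['name']}"


if __name__ == "__main__":
    for ref in ("nginx:v1", "10.0.0.22:80/test-nginx:v1", "10.0.0.22:80/nginx/test-nginx:v1"):
        print(f"{ref:40} -> {harbor_push_target(ref, '10.0.0.22:80')}")
```

Run it before the push in a CI step, or just keep the three printed cases in mind: only the last form reaches the `nginx` project on the Harbor host from the post.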
Pull images
- Configure the Harbor connection on the client

```bash
# Add the Harbor registry to the daemon configuration
[root@harbor2 harbor]#cat /etc/docker/daemon.json
{"insecure-registries":["10.0.0.22:80"]}
# Restart Docker
[root@harbor2 harbor]#systemctl restart docker
```
- Log in to Harbor

```text
[root@server ~]#docker login 10.0.0.22:80
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
```

If the project is set to public, `docker login` is not needed to pull from it (pushing still requires credentials).
- Pull the image with docker pull

```text
[root@server ~]#docker images
REPOSITORY   TAG   IMAGE ID   CREATED   SIZE
# Pull the image
[root@server ~]#docker pull 10.0.0.22:80/nginx/test-nginx:v1
v1: Pulling from nginx/test-nginx
2d473b07cdd5: Pull complete
0e116f4e7e10: Pull complete
5769256df076: Pull complete
33e7e8019bcb: Pull complete
0523cf308c94: Pull complete
7e7e7639b29a: Pull complete
Digest: sha256:ae893c5462b52fe51a34ee0a39c3c3cc7316854089242d4c0ad733c1c9c27539
Status: Downloaded newer image for 10.0.0.22:80/nginx/test-nginx:v1
10.0.0.22:80/nginx/test-nginx:v1
# Check the pulled image
[root@server ~]#docker images
REPOSITORY                      TAG   IMAGE ID       CREATED      SIZE
10.0.0.22:80/nginx/test-nginx   v1    64370d6d6ee0   4 days ago   607MB
```

- Verify that a container starts from the image
```text
[root@server ~]#docker run -d -p 80:80 10.0.0.22:80/nginx/test-nginx:v1
02ac63de6d0473843db5c9f182b12fa67a4d1fa2737e810fa08500b6c09222ee
[root@server ~]#hostname -I
10.0.0.32 172.17.0.1
```

- Verify web access
For a high-availability setup see: https://www.cnblogs.com/areke/p/16592981.html#:~:text=五、安装docker镜像仓库harbor%2C并实现高可用
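Two client-side files decide how safely a Docker host talks to this registry: `/etc/docker/daemon.json`, where the post adds `insecure-registries` and lists one registry mirror over plain HTTP, and `~/.docker/config.json`, where `docker login` leaves the credentials the warning talks about. The following Python script is an added example (not code from the original post, Docker or Harbor) that audits both. The sample file contents are constructed here from the values the post uses (`10.0.0.22:80`, `admin`/`Harbor12345`, the mirror list); the file paths named in the comments are Docker's documented defaults.

```python
"""Audit the client-side Docker configuration used to reach an HTTP Harbor.

Added example, not from the original post, Docker or Harbor. Checks the two
files the post touches: /etc/docker/daemon.json (insecure registries, mirrors)
and ~/.docker/config.json (where `docker login` stores credentials). The
sample contents below are constructed from the post's values.
"""
import base64
import json
from typing import Dict, List, Tuple

# Constructed sample: the daemon.json the post writes on the Harbor host.
SAMPLE_DAEMON_JSON = json.dumps({
    "exec-opts": ["native.cgroupdriver=systemd"],
    "registry-mirrors": [
        "https://ung2thfc.mirror.aliyuncs.com",
        "https://registry.docker-cn.com",
        "http://hub-mirror.c.163.com",
        "https://docker.mirrors.ustc.edu.cn",
    ],
    "insecure-registries": ["10.0.0.22:80"],
})

# Constructed sample: what `docker login 10.0.0.22:80` leaves in config.json when
# no credential helper is configured ("auth" is base64 of "user:password").
SAMPLE_CONFIG_JSON = json.dumps({
    "auths": {"10.0.0.22:80": {"auth": base64.b64encode(b"admin:Harbor12345").decode()}}
})


def audit_daemon_json(text: str) -> List[str]:
    """Return one finding per weak setting in a daemon.json document."""
    cfg = json.loads(text)
    findings = []
    for reg in cfg.get("insecure-registries", []):
        # dockerd falls back to plaintext for this registry and ignores TLS
        # certificate errors if the registry does offer HTTPS.
        findings.append(f"insecure-registries: {reg} (plaintext pushes, pulls and logins; no TLS verification)")
    for mirror in cfg.get("registry-mirrors", []):
        if mirror.startswith("http://"):
            findings.append(f"registry-mirrors: {mirror} is plain HTTP (image content fetched without TLS)")
    if "native.cgroupdriver=systemd" not in cfg.get("exec-opts", []):
        findings.append("exec-opts: cgroup driver is not systemd (mismatch with the kubeadm default)")
    return findings


def decode_docker_auths(text: str) -> Dict[str, Tuple[str, str]]:
    """Recover the (user, password) pairs `docker login` stored in config.json.

    This is what the login warning means by 'stored unencrypted': one base64
    decode returns the registry password to anyone who can read the file.
    """
    cfg = json.loads(text)
    creds = {}
    for registry, entry in cfg.get("auths", {}).items():
        if "auth" not in entry:
            continue  # a credential helper is in use; nothing is stored inline
        user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        creds[registry] = (user, password)
    return creds


def hardened_daemon_json(text: str, harbor_host: str) -> str:
    """The daemon.json to ship once Harbor serves HTTPS: no insecure-registries
    entry for HARBOR_HOST and no http:// mirrors. Trust for an internal CA then
    belongs in /etc/docker/certs.d/<host:port>/ca.crt rather than here."""
    cfg = json.loads(text)
    cfg["insecure-registries"] = [r for r in cfg.get("insecure-registries", []) if r != harbor_host]
    if not cfg["insecure-registries"]:
        del cfg["insecure-registries"]
    cfg["registry-mirrors"] = [m for m in cfg.get("registry-mirrors", []) if not m.startswith("http://")]
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for finding in audit_daemon_json(SAMPLE_DAEMON_JSON):
        print("finding:", finding)
    print("stored credentials:", decode_docker_auths(SAMPLE_CONFIG_JSON))
    print(hardened_daemon_json(SAMPLE_DAEMON_JSON, "10.0.0.22:80"))
```

To run it against a real host, read the two files into `audit_daemon_json` and `decode_docker_auths` instead of the samples; a credential helper (`credsStore` in config.json) makes the second check come back empty, which is the state to aim for.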
2. Docker networking
Docker offers four network modes: bridge, host, container and none. Between them they cover network isolation, port mapping and container-to-container connectivity.
Network mode | Option | Description |
---|---|---|
bridge (default) | `--net=bridge` | Each container gets its own IP and is attached to the docker0 virtual bridge; traffic to the host and beyond goes through docker0 and iptables NAT rules. |
host | `--net=host` | The container gets no virtual NIC or IP of its own and uses the host's network stack, IP and ports directly. |
container | `--net=container:NAME_or_ID` | The container gets no NIC or IP of its own and shares the network namespace (IP and port range) of the named container. |
none | `--net=none` | Networking is disabled: the container has only a loopback interface and can reach neither the host nor other containers. |
After installing Docker, three networks are created automatically (bridge, host, none); list them with docker network ls:

```text
[root@server opt]#docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
96adc4158429   bridge    bridge    local
1396ef3fcca6   host      host      local
f2e6e64dfcf5   none      null      local
```
bridge
Selected with --net=bridge; it is the default when no mode is given and the most commonly used mode.
When the Docker daemon starts it creates a virtual bridge named docker0 on the host, and every container started on that host is attached to it. The bridge behaves like a physical switch, so all containers on the host sit on one layer-2 network.
Creating a container also creates a veth pair (a packet sent into one end of the pair comes out of the other). One end sits inside the container as eth0; the other stays on the host, attached to docker0, with a name beginning with veth (for example vethAQI2QT). Through this the host can talk to the containers and the containers to each other: Docker has created a shared virtual network between the host and all of its containers. Note that this reachability is independent of published ports: two containers on the default bridge can reach every port the other listens on, as the ping below shows. To prevent that, run the daemon with `"icc": false` or put workloads that must not see each other on separate user-defined networks.

Example:

```text
# Create the containers
[root@server ~]#docker run -it -d --name nginx-web1 -p 80:80 test-nginx:v1
5bc984629fb53231375ab694739bbac34471c090ff5d4b96c76dc2bc55d834a0
[root@server ~]#docker run -it -d --name tomcat-web1 -p 8080:8080 test-tomcat:v1
dafa62b915a0171095acdb9f28c73e1da5a11ce33d5659e12b395b01435bfc68
# Enter the nginx container
[root@server ~]#docker exec -it nginx-web1 /bin/bash
[root@5bc984629fb5 /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@5bc984629fb5 /]#
# Enter the tomcat container
[root@server ~]#docker exec -it tomcat-web1 /bin/bash
root@dafa62b915a0:/usr/local/tomcat# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
root@dafa62b915a0:/usr/local/tomcat#
# The nginx and tomcat containers reach each other
[root@5bc984629fb5 /]# ping 172.17.0.3
PING 172.17.0.3 (172.17.0.3) 56(84) bytes of data.
64 bytes from 172.17.0.3: icmp_seq=1 ttl=64 time=0.062 ms
64 bytes from 172.17.0.3: icmp_seq=2 ttl=64 time=0.064 ms
64 bytes from 172.17.0.3: icmp_seq=3 ttl=64 time=0.064 ms
^C
--- 172.17.0.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2025ms
rtt min/avg/max/mdev = 0.062/0.063/0.064/0.006 ms
root@dafa62b915a0:/usr/local/tomcat# ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.047 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.067 ms
64 bytes from 172.17.0.2: icmp_seq=3 ttl=64 time=0.064 ms
^C
--- 172.17.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2046ms
rtt min/avg/max/mdev = 0.047/0.059/0.067/0.008 ms
```
host mode
Selected with --net=host.
A container started in host mode gets no virtual NIC of its own; it uses the host's interfaces and IP address directly, so the addresses seen inside the container are the host's, and the service is reached at host IP plus the container's port. The container's file system, processes and other resources remain isolated from the host, but its network is not: it sees every host interface, can bind any host port and can reach services the host exposes only on 127.0.0.1, so granting host mode amounts to granting host-level network access.
This mode has the best network performance, but no two host-mode containers can use the same port; it suits services whose ports are fixed.
To avoid a port conflict in the example, remove all existing containers first and confirm that host port 80 is free.

Example:

```text
# Host network information
[root@server opt]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:73:f8:58 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.32/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe73:f858/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:30:6a:59:ca brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
```

Start a new container in host mode:

```text
[root@server opt]#docker run -d --net=host test-nginx:v1
6c6f5c87c9a38efc5a14d0ff0a626be7e582e764dd42330b357b89a717358c70
# The container's network information is identical to the host's
[root@server opt]#docker exec -it 6c6f5c87c9a3 bash
[root@server /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:73:f8:58 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.32/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe73:f858/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:30:6a:59:ca brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:30ff:fe6a:59ca/64 scope link
       valid_lft forever preferred_lft forever
```

Verify by browsing to the host's address.

Note
host mode does not support port mapping; a `-p` option is accepted but ignored, because the container already binds the host's ports directly:

```text
[root@server opt]#docker run -d --net=host -p 81:80 test-nginx:v1
WARNING: Published ports are discarded when using host network mode
d38b27cfbf258ca554fefdd7e946d3e363df7df48d906a4c704a99fc9ba659d5
```
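The bridge section says port publishing works "through docker0 and iptables NAT", and the host section shows `-p` being discarded. The following Python script is an added example (not code from the original post or from Docker) that makes both concrete: it parses the `-p` forms the Docker CLI accepts, emits the shape of the nat-table rules dockerd installs for each published port, and reports which ports end up bound on every host interface. The rule strings are an assumption about the Docker 19.03-era iptables layout used on the post's hosts; check them against `iptables -t nat -S DOCKER` on a real machine. The container address `172.17.0.2` is the one from the bridge example above.

```python
"""What `docker run -p ...` does on the bridge network, and why it does nothing in host mode.

Added example, not code from the original post or from Docker. The rule
strings reproduce the shape of the nat-table entries dockerd adds to its
DOCKER chain per published port (assumption: Docker 19.03-era layout).
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Publish:
    host_ip: str         # interface the host accepts on; "0.0.0.0" means all of them
    host_port: int       # 0 means "let dockerd pick an ephemeral port" (the bare -p 80 form)
    container_port: int
    proto: str = "tcp"


def parse_publish(spec: str) -> Publish:
    """Parse the -p forms Docker accepts: CPORT, HPORT:CPORT, IP:HPORT:CPORT, optional /proto."""
    ports, _, proto = spec.partition("/")
    proto = proto or "tcp"
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError(f"unknown protocol in {spec!r}")
    if "-" in ports:
        raise ValueError("port ranges are not handled by this example")
    parts = ports.split(":")
    if len(parts) == 1:
        host_ip, host_port, container_port = "0.0.0.0", "0", parts[0]
    elif len(parts) == 2:
        host_ip = "0.0.0.0"
        host_port, container_port = parts
    elif len(parts) == 3:
        host_ip, host_port, container_port = parts
        host_ip = host_ip or "0.0.0.0"
    else:
        raise ValueError(f"cannot parse publish spec {spec!r}")
    return Publish(host_ip, int(host_port), int(container_port), proto)


def nat_rules(pub: Publish, container_ip: str, bridge: str = "docker0") -> List[str]:
    """The two nat-table rules dockerd adds for one published port."""
    dst = "" if pub.host_ip == "0.0.0.0" else f" -d {pub.host_ip}/32"
    dport = pub.host_port or "<ephemeral>"
    return [
        # Packets arriving on any interface except the bridge itself are DNATed into the container.
        f"-A DOCKER ! -i {bridge}{dst} -p {pub.proto} -m {pub.proto} --dport {dport} "
        f"-j DNAT --to-destination {container_ip}:{pub.container_port}",
        # Hairpin NAT so the container can reach its own published port.
        f"-A POSTROUTING -s {container_ip}/32 -d {container_ip}/32 -p {pub.proto} -m {pub.proto} "
        f"--dport {pub.container_port} -j MASQUERADE",
    ]


def plan_publish(specs: List[str], container_ip: str, network_mode: str = "bridge") -> Dict[str, object]:
    """Summarise a container's port publishing: the rules to expect and what is reachable from where."""
    if network_mode == "host":
        # The post's own warning: "Published ports are discarded when using host network mode".
        # The container binds the host's ports directly; -p adds nothing and restricts nothing.
        return {"rules": [], "all_interfaces": [], "warning": "published ports are discarded in host mode"}
    pubs = [parse_publish(s) for s in specs]
    rules = [rule for pub in pubs for rule in nat_rules(pub, container_ip)]
    # DNAT happens in PREROUTING, so these ports never traverse the host INPUT chain:
    # firewalls that only filter INPUT (ufw, a plain iptables INPUT policy) do not see them.
    all_interfaces = [f"{pub.host_port}/{pub.proto}" for pub in pubs if pub.host_ip == "0.0.0.0"]
    return {"rules": rules, "all_interfaces": all_interfaces, "warning": None}


if __name__ == "__main__":
    # The bridge example above: nginx-web1 at 172.17.0.2 started with -p 80:80
    for line in plan_publish(["80:80"], "172.17.0.2")["rules"]:
        print(line)
    print(plan_publish(["81:80"], "10.0.0.32", network_mode="host"))
```

The practical consequence of the `all_interfaces` list: a port published as `-p 80:80` is open on every host address and is not governed by ufw-style INPUT rules, whereas `-p 127.0.0.1:80:80` produces a DNAT rule with a `-d 127.0.0.1/32` match and stays local. Use the DOCKER-USER chain for filtering that must apply to published ports.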
container mode
Selected with --net=container:NAME_or_ID.
In this mode the new container shares the network namespace of an existing container: it creates no NIC and configures no IP of its own, so the two containers use the same interface, hostname and IP address and can talk to each other over the loopback interface lo. Their other resources, such as file systems and process tables, stay isolated. Port publishing belongs to the container that owns the namespace: in the example below only nginx's port 80 is published, so tomcat's 8080 is visible inside the shared namespace and on the bridge network but is not mapped to the host.

Example:

```text
# Create the nginx container
[root@server opt]#docker run -it -d --name nginx-web1 -p 80:80 --net=bridge test-nginx:v1
ced7341d4a33698337210ea1e342b35e0971301d8cc495b9814a7bf979422d79
# Create the tomcat container, joined to nginx-web1's network namespace
[root@server opt]#docker run -it -d --name tomcat-web1 --net=container:nginx-web1 test-tomcat:v1
4e9c1a91a46b24c30728227e88689d91c5d46a9c40d280b79c7baa25efe79c6e
# Enter the nginx container and check IP and ports
[root@server opt]#docker exec -it nginx-web1 /bin/bash
[root@ced7341d4a33 /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@ced7341d4a33 /]# ss -ntl
State    Recv-Q   Send-Q   Local Address:Port   Peer Address:Port
LISTEN   0        1            127.0.0.1:8005              *:*
LISTEN   0        100                  *:8080              *:*
LISTEN   0        511                  *:80                *:*
[root@ced7341d4a33 /]#
# Enter the tomcat container and check IP and ports
[root@server ~]#docker exec -it tomcat-web1 /bin/bash
root@ced7341d4a33:/usr/local/tomcat# ifconfig -a
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 1951  bytes 8888261 (8.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1710  bytes 95101 (92.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@ced7341d4a33:/usr/local/tomcat# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      1/java
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1/java
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
```
none mode
Selected with --net=none.
In none mode Docker performs no network configuration at all: the container has no interface besides loopback, no IP address and no routes, so by default it cannot communicate with anything. Networking, if wanted, has to be added by hand afterwards (for example by attaching the container to a network).

Example:

```text
[root@server opt]#docker run -it --net=none test-nginx:v1 /bin/bash
[root@eb525afef2ff /]# ifconfig -a
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@eb525afef2ff /]#
```
3. Installing docker-compose and using it to assemble a multi-container service (nginx, mysql, php)
Official reference: https://docs.docker.com/compose/reference/
Common docker-compose.yaml fields
- build: build options for the service's image; the Dockerfile to use is named with the `dockerfile` sub-key and the directory it is built from with `context`.
- dockerfile: the name of the Dockerfile, relative to the build context.
- context: the path of the build context directory, or the URL of a git repository.
- image: the image to run (or, with build, the name to tag the built image with).
- command: overrides the default command the container runs on start.
- container_name: a fixed container name; because container names are unique, a service with a custom container_name cannot be scaled.
- deploy: deployment and runtime configuration; honoured only in Swarm mode.
- environment: add environment variables.
- networks: networks to join, referencing entries under the top-level networks key.
- ports: publish container ports, like -p. Always quote the mappings as strings: YAML reads an unquoted xx:yy whose yy part is below 60 as a base-60 number rather than as a port mapping.
- volumes: mount a host directory or a named volume into the container; named volumes are declared under the top-level volumes key.
- volumes_from: mount the volumes of another service or container, with an optional :ro or :rw suffix.
- hostname: the container's hostname.
- sysctls: kernel parameters to set inside the container.
- links: link to another container, written as - service_name[:alias].
- restart: restart policy, default no; the other values are always, on-failure and unless-stopped. no: never restart the container when it exits. on-failure: restart only when the container exits with a non-zero status. on-failure:3: the same, but at most 3 restarts. always: always restart when the container exits. unless-stopped: always restart, except for containers that were already stopped when the Docker daemon started.
- depends_on: the main attraction of Compose is not having to type the start commands, but the containers in a project usually have to start in a particular order, and starting them top to bottom can fail on dependencies: an application container started before its database container exits because it cannot find the database. depends_on expresses these dependencies and the resulting start order.
Common docker-compose commands
- docker-compose build: rebuild the service images
- docker-compose ps: list containers
- docker-compose up: create and start containers; -d runs them in the background
- docker-compose exec: run a command inside a container
- docker-compose scale: set the number of containers for a service
- docker-compose top: show container processes
- docker-compose logs: show container output
- docker-compose down: stop and remove the containers and networks; down -v also removes the named volumes declared in the file and the anonymous volumes attached to the containers. Images are removed only with --rmi.
- docker-compose stop/start/restart: stop/start/restart services
Install docker-compose

```bash
# Install pip
apt install python3-pip -y
# Install docker-compose
pip3 install -i https://pypi.tuna.tsinghua.edu.cn/simple docker-compose
```

Check the docker-compose version

```text
docker-compose version 1.29.2, build unknown
docker-py version: <module 'docker.version' from '/usr/local/lib/python3.8/dist-packages/docker/version.py'>
CPython version: 3.8.10
OpenSSL version: OpenSSL 1.1.1f  31 Mar 2020
```
Prepare the images

```text
[root@docker-compose lnmp]#docker images
REPOSITORY   TAG   IMAGE ID       CREATED        SIZE
lnmp_php     v1    b4f5067b2484   2 days ago     1.17GB
lnmp_nginx   v1    1a4fc02b5746   3 days ago     607MB
mysql        5.7   c20987f18b13   11 months ago  448MB
```

Write the docker-compose.yaml file

The file uses the version 1 format (no top-level `version:` key), so the services share the default bridge network and resolve each other through `links`. Only nginx needs to be reachable from outside; the `ports:` entries on the php and mysql services publish FastCGI and MySQL on every host interface, which nothing in this stack requires (`expose` plus `links` is enough for container-to-container traffic) and which makes the root password below reachable from the network.

```yaml
service-nginx:
  image: lnmp_nginx:v1
  container_name: lnmp_nginx
  expose:
    - 80
    - 443
  ports:
    - "80:80"
    - "443:443"
  volumes:
    - /data/lnmp/nginx/nginx.conf:/usr/local/nginx/conf/nginx.conf
    - /data/lnmp/html:/usr/local/nginx/html
  links:
    - service-php
    - service-mysql
service-php:
  image: lnmp_php:v1
  container_name: lnmp_php
  expose:
    - 9000
  ports:
    - "9000:9000"   # publishes php-fpm to the host network; only nginx needs it, so this entry can be dropped
  volumes:
    - /data/lnmp/php/php.ini:/etc/php/php.ini
    - /data/lnmp/php/php-fpm.conf:/usr/local/php/etc/php-fpm.conf
    - /data/lnmp/php/www.conf:/usr/local/php/etc/php-fpm.d/www.conf
    - /data/lnmp/html:/usr/local/nginx/html
  links:
    - service-mysql
service-mysql:
  image: mysql:5.7
  container_name: lnmp_mysql
  expose:
    - 3306
  ports:
    - "3306:3306"   # publishes MySQL on every host interface; drop it, or bind "127.0.0.1:3306:3306" if host access is needed
  environment:
    MYSQL_ROOT_PASSWORD: 123456   # plaintext root password in the file; prefer env_file or a secret
```
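The field list above says to quote port mappings, and the compose file publishes ports that only other containers should reach. The following Python script is an added example (not code from the original post or from Docker Compose) that checks both points. It implements the YAML 1.1 sexagesimal rule that makes an unquoted `22:22` parse as the integer 1342, and then lints a service map for ports published on all interfaces and for secrets set inline. The service map is constructed here as a Python dict mirroring the post's three LNMP services (so the example runs without PyYAML); which ports count as internal (3306 for MySQL, 9000 for php-fpm) is an assumption for this stack.

```python
"""Lint port and credential settings of a docker-compose service map.

Added example; not code from the original post or from Docker Compose. The
service map below mirrors the post's docker-compose.yaml as a Python dict.
"""
import re
from typing import Dict, List, Optional

# YAML 1.1 sexagesimal integer: digits, then one or more ':' groups each in 0..59.
_SEXAGESIMAL = re.compile(r"^[-+]?[1-9][0-9_]*(?::[0-5]?[0-9])+$")


def yaml11_port_as_int(unquoted: str) -> Optional[int]:
    """What a YAML 1.1 loader makes of an UNQUOTED port mapping scalar.

    Returns the base-60 integer when the scalar matches the sexagesimal form,
    else None (the scalar stays a string): "22:22" -> 1342, "80:80" -> None.
    """
    if not _SEXAGESIMAL.match(unquoted):
        return None
    value = 0
    for group in unquoted.lstrip("+-").replace("_", "").split(":"):
        value = value * 60 + int(group)
    return -value if unquoted.startswith("-") else value


# Ports only other containers in the stack should reach (assumption for this stack).
INTERNAL_PORTS = {3306: "mysql", 9000: "php-fpm"}
SECRET_MARKERS = ("PASSWORD", "SECRET", "TOKEN", "KEY")


def lint_services(services: Dict[str, dict]) -> List[str]:
    """Return one finding per risky port mapping or inline secret."""
    findings = []
    for name, svc in services.items():
        for mapping in svc.get("ports", []):
            text = str(mapping)
            as_int = yaml11_port_as_int(text)
            if as_int is not None:
                findings.append(f"{name}: port mapping {text} must be quoted or YAML turns it into the integer {as_int}")
            parts = text.split(":")
            host_ip = parts[0] if len(parts) == 3 else "0.0.0.0"
            container_port = int(parts[-1].split("/")[0])
            if host_ip == "0.0.0.0" and container_port in INTERNAL_PORTS:
                findings.append(
                    f"{name}: publishes {INTERNAL_PORTS[container_port]} port {container_port} on all interfaces; "
                    f"linked containers already reach it via expose, so drop the entry or bind 127.0.0.1")
        env = svc.get("environment", {})
        keys = list(env) if isinstance(env, dict) else [e.partition("=")[0] for e in env]
        for key in keys:
            if any(marker in key.upper() for marker in SECRET_MARKERS):
                findings.append(f"{name}: {key} is set inline in the compose file; move it to env_file or a secret")
    return findings


# Constructed mirror of the post's compose file (the three LNMP services).
LNMP_SERVICES = {
    "service-nginx": {"image": "lnmp_nginx:v1", "ports": ["80:80", "443:443"], "links": ["service-php", "service-mysql"]},
    "service-php": {"image": "lnmp_php:v1", "ports": ["9000:9000"], "links": ["service-mysql"]},
    "service-mysql": {"image": "mysql:5.7", "ports": ["3306:3306"], "environment": {"MYSQL_ROOT_PASSWORD": "123456"}},
}

if __name__ == "__main__":
    print("22:22 unquoted ->", yaml11_port_as_int("22:22"))
    for finding in lint_services(LNMP_SERVICES):
        print("finding:", finding)
```

Against the post's file the linter reports the two published internal ports and the inline MySQL root password, and nothing for the nginx service; feeding it a mapping such as `22:22` shows why the quoting advice exists.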
Prepare the configuration files
nginx
nginx.conf

```nginx
user nginx;
worker_processes auto;
daemon off;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name localhost;
        location / {
            root html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
        location ~ \.php$ {                       # hand .php requests to php-fpm
            root /usr/local/nginx/html;           # document root as seen by the php container
            fastcgi_pass lnmp_php:9000;           # name of the php container
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
            fastcgi_hide_header X-Powered-By;     # hide the PHP version header
            # hardening worth adding here: try_files $uri =404; so nginx rejects .php URIs that do not map to a real file
        }
        location /phpmyadmin {
            root /usr/local/nginx/html;
            index index.html index.htm index.php;
        }
        location ~ /phpmyadmin/(?<after_ali>(.*)\.(php|php5)?$) {
            root /usr/local/nginx/html;
            fastcgi_pass lnmp_php:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
            fastcgi_hide_header X-Powered-By;     # hide the PHP version header
        }
    }
}
```
php
php.ini

```ini
[PHP]
engine = On
short_open_tag = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = -1
disable_functions =
disable_classes =
zend.enable_gc = On
zend.exception_ignore_args = On
zend.exception_string_param_max_len = 0
expose_php = On            ; announces the PHP version in the X-Powered-By header; nginx hides it above, but Off is the safer default
max_execution_time = 30
max_input_time = 60
memory_limit = 128M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 8M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
upload_max_filesize = 2M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60

[CLI Server]
cli_server.color = On

[Date]
[filter]
[iconv]
[imap]
[intl]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.default_socket=

[Phar]
[mail function]
SMTP = localhost
smtp_port = 25
mail.add_x_header = Off

[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1

[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off

[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off

[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0

[bcmath]
bcmath.scale = 0

[browscap]
[Session]
session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =     ; left unset here; 1 keeps the session cookie away from scripts
session.cookie_samesite =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.sid_length = 26
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.sid_bits_per_character = 5

[Assertion]
zend.assertions = -1

[COM]
[mbstring]
[gd]
[exif]
[Tidy]
tidy.clean_output = Off

[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5

[sysvshm]
[ldap]
ldap.max_links = -1

[dba]
[opcache]
[curl]
[openssl]
[ffi]
```
php-fpm.conf

```ini
[global]
pid = run/php-fpm.pid
include=/usr/local/php/etc/php-fpm.d/*.conf
```

www.conf

```ini
[www]
user = www
group = www
listen = 0.0.0.0:9000        ; reachable from any container on the bridge (and from the host network if 9000 is published); listen.allowed_clients can restrict it to the nginx container
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
```
html
Download the phpMyAdmin database management tool: https://files.phpmyadmin.net/phpMyAdmin/4.9.1/phpMyAdmin-4.9.1-all-languages.zip (4.9.1 dates from 2019; outside a lab, take the current release from phpmyadmin.net and verify the checksum it publishes)
Extract and rename

```bash
cd /data/lnmp/html
unzip phpMyAdmin-4.9.1-all-languages.zip
mv phpMyAdmin-4.9.1-all-languages phpmyadmin
```

Edit the configuration

```bash
cd /data/lnmp/html/phpmyadmin
mv config.sample.inc.php config.inc.php
sed -i 's/localhost/lnmp_mysql/' config.inc.php
```

The sed points phpMyAdmin's server `host` at the MySQL container name. The same sample config also ships an empty `$cfg['blowfish_secret']`; set it to a random 32-character string, or cookie authentication will refuse to work.
Directory layout

```text
[root@docker-compose lnmp]#tree -L 2 /data/lnmp
/data/lnmp
├── docker-compose.yaml
├── html
│   ├── phpmyadmin
│   └── test.php
├── mysql            # optional
│   └── my.cnf
├── nginx
│   └── nginx.conf
└── php
    ├── php-fpm.conf
    ├── php.ini
    └── www.conf
```
Start with docker-compose
Create the containers

```text
[root@docker-compose lnmp]#cd /data/lnmp/
[root@docker-compose lnmp]#docker-compose up -d
Creating lnmp_mysql ... done
Creating lnmp_php   ... done
Creating lnmp_nginx ... done
```

List the containers

```text
[root@docker-compose lnmp]#docker ps
CONTAINER ID   IMAGE           COMMAND                  CREATED          STATUS          PORTS                                      NAMES
4e135008270e   lnmp_nginx:v1   "nginx"                  33 seconds ago   Up 32 seconds   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   lnmp_nginx
8b2c7019c5bc   lnmp_php:v1     "/usr/local/php/sbin…"   34 seconds ago   Up 33 seconds   0.0.0.0:9000->9000/tcp                     lnmp_php
44f18e3c8299   mysql:5.7       "docker-entrypoint.s…"   34 seconds ago   Up 33 seconds   0.0.0.0:3306->3306/tcp, 33060/tcp          lnmp_mysql
```

Stop the containers

```text
[root@docker-compose lnmp]#docker-compose down -v
Stopping lnmp_nginx ... done
Stopping lnmp_php   ... done
Stopping lnmp_mysql ... done
Removing lnmp_nginx ... done
Removing lnmp_php   ... done
Removing lnmp_mysql ... done
```
Verification
Open the site in a browser and log in to phpMyAdmin with the database user name and password (root and the MYSQL_ROOT_PASSWORD from the compose file).

The phpMyAdmin home page loads normally.