Docker基础 - 03容器管理
一、docker 常见操作
- docker search: Search the Docker Hub for images
- docker pull: Pull an image or a repository from a registry
- docker images: List images
- docker create: Create a new container
- docker run: Run a command in a new container
- docker start: Start one or more stopped containers
- docker attach: Attach local standard input, output, and error streams to a running container
- docker exec: Run a command in a running container
- docker ps: List containers
- docker logs: Fetch the logs of a container
- docker restart: Restart one or more containers
- docker stop: Stop one or more running containers
- docker kill: Kill one or more running containers
- docker rm: Remove one or more containers
1.1 拉取镜像
[root@component ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@component ~]# docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
01c2cdc13739: Pull complete
Digest: sha256:15e927f78df2cc772b70713543d6b651e3cd8370abf86b2ea4644a9fba21107f
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest
[root@component ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest cabb9f684f8b 2 days ago 1.24MB
1.2 启动容器
[root@component ~]# docker run -it --name b1 busybox:latest
/ # ls /
bin dev etc home proc root sys tmp usr var
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
在容器内,启动httpd服务,在宿主机进行访问
/ # mkdir -pv /data/html
created directory: '/data/'
created directory: '/data/html'
/ # vi /data/html/index.html
/ # cat /data/html/index.html
Busybox httpd server.
/ # httpd -f -h /data/html/
[root@component ~]# curl 172.17.0.2
Busybox httpd server.
docker 容器后台运行,必须有一个前台进行,否则会自动退出。
- docker run -it --name centos1 tomcat | -it 交互式终端
- docker run -d --name centos2 tomcat
- docker run -d centos /bin/bash -c "while true; do echo hello zzyy;sleep 2;done"
- docker ps -a | docker ps -q | docker ps -l | docker ps -n 2
- docker kill XXX
- docker rm XXX | docker rm -f XXX
- docker logs -t -f --tail 3 XXX
- 查看容器内的进程: docker top XXX
- 查看容器内部细节: docker inspect XXX
- 进入正在运行的容器并以命令行交互: docker attach XXX | docker exec -it XXX /bin/bash | docker exec -t XXX ls -l /tmp
- 从容器拷贝文件到宿主机上: docker cp XXX:/path /tmp
docker run -m 512m --memory-swap 1G -it -p 58080:8080 --restart=alway
--name bvrfis --volumes-from logdata mytomcat:4.0
/root/run
.sh
1.3 docker event state
1.4 Docker restart policy机制
Docker提供了restart policy机制,可以在容器退出或者Docker重启时控制容器能够自启动。这种Restart policy可以保证相关容器按照正确顺序启动。
虽然也可以通过进程监控的方式(如systemd)来完成这种动作,但Docker还是建议尽量避免使用进程监控的方式来 "自启动" 容器。
Docker的 Restart policy与dockerd命令的--live-restore启动标志还有区别:--live-restore标志可以在Docker升级的时候保证容器继续运行,但是网络以及用户终端输入会被中断。
1.4.1 使用restart policy
restart policy在使用docker run启动容器时通过--restart标志指定,这个标志有多个value可选,不同的value有不同的行为。
- no 不自动重启容器. (默认value)
- on-failure 容器发生error而退出(容器退出状态不为0)重启容器 on-failure:3 在容器非正常退出时,重启容器,最多重启3次
- always 在容器已经stop掉或Docker stoped/restarted的时候才重启容器
- unless-stopped 在容器已经stop掉或Docker stoped/restarted的时候才重启容器,但是不考虑在Docker守护进程启动时就已经停止了的容器
docker run的退出状态码如下:
- 0, 表示正常退出
- 非0,表示异常退出(退出状态码采用chroot标准)
- 125:Docker守护进程本身的错误
- 126:容器启动后,要执行的默认命令无法调用
- 127:容器启动后,要执行的默认命令不存在
- 其他状态码:容器启动后正常执行命令,退出命令时该命令的返回状态码作为容器的退出状态码
--restart选项不能与--rm选项同时使用。显然,--restart选项适用于detached模式的容器,而--rm选项适用于foreground模式的容器。
1.4.2 Restart policy细节
- 容器只有在成功启动后restart policy才能生效。这里的"成功启动"是指容器处于up至少10秒且已经处于docker监管。这是避免没有成功启动的容器陷入restart的死循环。
- 如果手动(manually)的stop一个容器,容器设置的restart policy将会被忽略,除非Docker daemon重启或者容器手动重启。这是避免了另外一种死循环。
- restart policies只能用于容器,对于swarm services其restart policies有不通过的配置。
1.4.3 配置 restart policy
- 启动容器时,指定restart policy
- $ docker run -itd --restart=unless-stopped redis
- $ docker run -itd --restart=on-failure:10 busybox
- 更新已启动的容器
- $ docker container update --restart=always 容器名字
- 停止容器;修改配置文件,在/var/lib/docker/containers/容器ID/hostconfig.json文件, "RestartPolicy":{"Name":"no","MaximumRetryCount":0}
- 查看容器重启次数: docker inspect -f "{{ .RestartCount }}" busybox-demo
- 查看容器最后一次的启动时间: docker inspect -f "{{ .State.StartAt }}" busybox-demo
[root@cl-server ~]# docker inspect 25d96325f6b8 "RestartPolicy": { "Name": "unless-stopped", "MaximumRetryCount": 0 }, [root@cl-server ~]# docker inspect --format={{.HostConfig.RestartPolicy.Name}} 25d96325f6b8 always
[root@component ~]# docker run --help
Usage: docker run [OPTIONS] IMAGE [COMMAND] [ARG...]
Run a command in a new container
Options:
--add-host list Add a custom host-to-IP mapping (host:ip)
-a, --attach list Attach to STDIN, STDOUT or STDERR
--blkio-weight uint16 Block IO (relative weight), between 10 and 1000, or 0 to disable (default 0)
--blkio-weight-device list Block IO weight (relative device weight) (default [])
--cap-add list Add Linux capabilities
--cap-drop list Drop Linux capabilities
--cgroup-parent string Optional parent cgroup for the container
--cgroupns string Cgroup namespace to use (host|private)
'host': Run the container in the Docker host's cgroup namespace
'private': Run the container in its own private cgroup namespace
'': Use the cgroup namespace as configured by the
default-cgroupns-mode option on the daemon (default)
--cidfile string Write the container ID to the file
--cpu-period int Limit CPU CFS (Completely Fair Scheduler) period
--cpu-quota int Limit CPU CFS (Completely Fair Scheduler) quota
--cpu-rt-period int Limit CPU real-time period in microseconds
--cpu-rt-runtime int Limit CPU real-time runtime in microseconds
-c, --cpu-shares int CPU shares (relative weight)
--cpus decimal Number of CPUs
--cpuset-cpus string CPUs in which to allow execution (0-3, 0,1)
--cpuset-mems string MEMs in which to allow execution (0-3, 0,1)
-d, --detach Run container in background and print container ID
--detach-keys string Override the key sequence for detaching a container
--device list Add a host device to the container
--device-cgroup-rule list Add a rule to the cgroup allowed devices list
--device-read-bps list Limit read rate (bytes per second) from a device (default [])
--device-read-iops list Limit read rate (IO per second) from a device (default [])
--device-write-bps list Limit write rate (bytes per second) to a device (default [])
--device-write-iops list Limit write rate (IO per second) to a device (default [])
--disable-content-trust Skip image verification (default true)
--dns list Set custom DNS servers
--dns-option list Set DNS options
--dns-search list Set custom DNS search domains
--domainname string Container NIS domain name
--entrypoint string Overwrite the default ENTRYPOINT of the image
-e, --env list Set environment variables
--env-file list Read in a file of environment variables
--expose list Expose a port or a range of ports
--gpus gpu-request GPU devices to add to the container ('all' to pass all GPUs)
--group-add list Add additional groups to join
--health-cmd string Command to run to check health
--health-interval duration Time between running the check (ms|s|m|h) (default 0s)
--health-retries int Consecutive failures needed to report unhealthy
--health-start-period duration Start period for the container to initialize before starting health-retries countdown
(ms|s|m|h) (default 0s)
--health-timeout duration Maximum time to allow one check to run (ms|s|m|h) (default 0s)
--help Print usage
-h, --hostname string Container host name
--init Run an init inside the container that forwards signals and reaps processes
-i, --interactive Keep STDIN open even if not attached
--ip string IPv4 address (e.g., 172.30.100.104)
--ip6 string IPv6 address (e.g., 2001:db8::33)
--ipc string IPC mode to use
--isolation string Container isolation technology
--kernel-memory bytes Kernel memory limit
-l, --label list Set meta data on a container
--label-file list Read in a line delimited file of labels
--link list Add link to another container
--link-local-ip list Container IPv4/IPv6 link-local addresses
--log-driver string Logging driver for the container
--log-opt list Log driver options
--mac-address string Container MAC address (e.g., 92:d0:c6:0a:29:33)
-m, --memory bytes Memory limit
--memory-reservation bytes Memory soft limit
--memory-swap bytes Swap limit equal to memory plus swap: '-1' to enable unlimited swap
--memory-swappiness int Tune container memory swappiness (0 to 100) (default -1)
--mount mount Attach a filesystem mount to the container
--name string Assign a name to the container
--network network Connect a container to a network
--network-alias list Add network-scoped alias for the container
--no-healthcheck Disable any container-specified HEALTHCHECK
--oom-kill-disable Disable OOM Killer
--oom-score-adj int Tune host's OOM preferences (-1000 to 1000)
--pid string PID namespace to use
--pids-limit int Tune container pids limit (set -1 for unlimited)
--platform string Set platform if server is multi-platform capable
--privileged Give extended privileges to this container
-p, --publish list Publish a container's port(s) to the host
-P, --publish-all Publish all exposed ports to random ports
--pull string Pull image before running ("always"|"missing"|"never") (default "missing")
--read-only Mount the container's root filesystem as read only
--restart string Restart policy to apply when a container exits (default "no")
--rm Automatically remove the container when it exits
--runtime string Runtime to use for this container
--security-opt list Security Options
--shm-size bytes Size of /dev/shm
--sig-proxy Proxy received signals to the process (default true)
--stop-signal string Signal to stop a container (default "SIGTERM")
--stop-timeout int Timeout (in seconds) to stop a container
--storage-opt list Storage driver options for the container
--sysctl map Sysctl options (default map[])
--tmpfs list Mount a tmpfs directory
-t, --tty Allocate a pseudo-TTY
--ulimit ulimit Ulimit options (default [])
-u, --user string Username or UID (format: <name|uid>[:<group|gid>])
--userns string User namespace to use
--uts string UTS namespace to use
-v, --volume list Bind mount a volume
--volume-driver string Optional volume driver for the container
--volumes-from list Mount volumes from the specified container(s)
-w, --workdir string Working directory inside the container