docker commandline

https://docs.docker.com/engine/reference/commandline/run/

https://docs.docker.com/engine/reference/commandline/exec/

  • docker run – Runs a command in a new container.
  • docker start – Starts one or more stopped containers
  • docker stop – Stops one or more running containers
  • docker build – Builds an image from a Dockerfile
  • docker pull – Pulls an image or a repository from a registry
  • docker push – Pushes an image or a repository to a registry
  • docker export – Exports a container’s filesystem as a tar archive
  • docker exec – Runs a command in a running container
  • docker search – Searches the Docker Hub for images
  • docker attach – Attaches to a running container
  • docker commit – Creates a new image from a container’s changes

The --ipc=host and --ipc=container:id options have been added to the Docker create and run commands to share IPC resources.

--ipc=""  : Set the IPC mode for the container,
             'container:<name|id>': reuses another container's IPC namespace
             'host': use the host's IPC namespace inside the container

Configure namespaced kernel parameters (sysctls) at runtime

The --sysctl flag sets namespaced kernel parameters (sysctls) in the container. For example, to turn on IP forwarding in the container's network namespace, run this command:

$ docker run --sysctl net.ipv4.ip_forward=1 someimage

Note

Not all sysctls are namespaced. Docker does not support changing sysctls inside of a container that also modify the host system. As the kernel evolves we expect to see more sysctls become namespaced.

CURRENTLY SUPPORTED SYSCTLS

IPC Namespace:

  • kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem, kernel.shmall, kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced.
  • Sysctls beginning with fs.mqueue.*
  • If you use the --ipc=host option these sysctls are not allowed.

Network Namespace:

  • Sysctls beginning with net.*
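  • If you use the --network=host option, these sysctls are not allowed.

System V shared memory (shmget, shmat, shmdt) and mmap mappings of a regular file. System V shared memory supports a degree of in-memory data persistence: once a program has created a shared memory object, the IPC object persists and its data is not lost unless the object is explicitly deleted or the physical host reboots. Mapping a regular file with mmap supports persisting in-memory data to a file: even if the physical host reboots, the data is not lost unless the file is explicitly deleted.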

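There are two common kinds of mmap shared memory mapping: one maps /dev/zero, the other maps a regular file. With the former, the data is released automatically when the program exits; with the latter, it is kept in the mapped file.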

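A started Docker container is a process that has its own kernel namespaces: its pid, net, ipc, mnt, uts, user and so on are all isolated from other processes. To a program running inside the container, it looks as if it has a "host" all to itself.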

gdb cannot be used for debugging in a CentOS Docker container: add the parameter --cap-add=SYS_PTRACE to the docker run command.

date -s cannot be used to change the time on a Docker machine: --cap-add=SYS_TIME
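
The flag rules collected above (IPC and network sysctls versus --ipc=host and --network=host, plus the two --cap-add cases) can be checked before a container is started. The following is an added example, not code from the Docker documentation or from the original post: a POSIX shell function with the hypothetical name audit_docker_run that reviews the arguments of a docker run command. The sample arguments are constructed.

```shell
#!/bin/sh
# Added example (not Docker's code): review `docker run` flags against this page's rules.
# Pass only docker's own flags plus the image; every argument is scanned.
# Prints one finding per line; returns 0 when nothing is flagged, 1 otherwise.
audit_docker_run() {
    ipc="" net="" keys="" caps="" n=0
    note() { echo "$1"; n=$((n + 1)); }
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case "$arg" in      # join "--flag value" into "--flag=value"
            --ipc|--network|--net|--sysctl|--cap-add)
                [ $# -gt 0 ] || break
                arg="$arg=$1"; shift ;;
        esac
        val=${arg#*=}
        case "$arg" in
            --ipc=*)             ipc=$val ;;
            --network=*|--net=*) net=$val ;;
            --sysctl=*)          keys="$keys ${val%%=*}" ;;   # keep the name only
            --cap-add=*)         caps="$caps $(printf %s "$val" | tr a-z A-Z)" ;;
        esac
    done
    case "$ipc" in
        host)        note "ipc: uses the host's IPC namespace inside the container" ;;
        container:*) note "ipc: reuses the IPC namespace of container ${ipc#container:}" ;;
    esac
    [ "$net" = host ] && note "network: --network=host is set"
    for key in $keys; do
        case "$key" in
            kernel.msgmax|kernel.msgmnb|kernel.msgmni|kernel.sem|kernel.shmall|\
            kernel.shmmax|kernel.shmmni|kernel.shm_rmid_forced|fs.mqueue.*)
                [ "$ipc" = host ] && note "sysctl $key: not allowed with --ipc=host" ;;
            net.*)
                [ "$net" = host ] && note "sysctl $key: not allowed with --network=host" ;;
            *)  note "sysctl $key: not in the supported (namespaced) list" ;;
        esac
    done
    for cap in $caps; do
        case "${cap#CAP_}" in
            SYS_PTRACE) note "cap SYS_PTRACE: added (the gdb case)" ;;
            SYS_TIME)   note "cap SYS_TIME: added (the date -s case)" ;;
        esac
    done
    [ "$n" -eq 0 ]
}

# Constructed sample invocation; prints three findings.
audit_docker_run --ipc=host --sysctl kernel.shmmax=68719476736 --cap-add=SYS_PTRACE someimage || true
```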

 

posted on 2021-06-05 17:50  呆雁