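I. Docker Introduction and Deployment
1. Overview of namespaces and cgroups
Namespaces
A namespace is a low-level Linux concept: it is the mechanism the Linux kernel uses to isolate kernel resources. A Docker container has no kernel of its own and shares the host's kernel; the host uses namespaces to keep each container's resources isolated.
Namespace isolation types:
MNT Namespace (mount): isolates disk mount points and file systems
IPC Namespace (Inter-Process Communication): isolates inter-process communication
UTS Namespace (UNIX Timesharing System): isolates the host name (hostname and domainname)
PID Namespace (Process Identification): isolates processes
Net Namespace (network): isolates the network
User Namespace (user): isolates users
The namespace isolation above requires Linux kernel version 2.4.19 or later.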
Linux Control Groups
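Linux Cgroups, in full Linux Control Groups, limit the upper bound of resources that a group of processes can use, including CPU, memory, disk and network bandwidth; they can also limit process priority. Cgroups are enabled by default at the kernel level.
If no resource limit is placed on a container, the host allows it to occupy an unlimited amount of memory.
Cgroups implementation (subsystems):
blkio (Block/IO): limits block device I/O
cpu: uses the scheduler to give cgroup tasks access to the CPU
cpuacct (CPU accounting): generates CPU resource reports for cgroup tasks, accounting for the CPU usage of the processes in the cgroup
cpuset: on a multi-core CPU, this subsystem assigns dedicated CPUs and memory to cgroup tasks (the memory part applies only to NUMA architectures)
devices: allows or denies cgroup tasks access to devices
freezer: suspends and resumes cgroup tasks
memory: sets the memory limit of each cgroup and generates memory resource reports
net_cls: tags each network packet for convenient use by the cgroup
ns: the namespace subsystem
perf_event: adds per-cgroup monitoring and tracing; it can monitor all threads that belong to a particular cgroup as well as threads running on a particular CPU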
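The two mechanisms above can be checked from the host. The following is an added example, not part of the original notes: it compares the namespace links of two processes and reads a cgroup v1 memory limit. The function names, the PROC_ROOT/CG_ROOT overrides and the docker/<container id> cgroup path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): inspect the two mechanisms above.
# PROC_ROOT and CG_ROOT default to the live system; point them at a copy to test.
PROC_ROOT="${PROC_ROOT:-/proc}"
CG_ROOT="${CG_ROOT:-/sys/fs/cgroup}"

# shared_namespaces PID_A PID_B
# Prints the namespace types (of the six listed above) that both PIDs share.
shared_namespaces() {
    shared=""
    for ns in mnt ipc uts pid net user; do
        a=$(readlink "$PROC_ROOT/$1/ns/$ns" 2>/dev/null) || continue
        b=$(readlink "$PROC_ROOT/$2/ns/$ns" 2>/dev/null) || continue
        # Each link reads "type:[inode]"; equal targets mean the same namespace.
        if [ "$a" = "$b" ]; then shared="$shared $ns"; fi
    done
    echo "${shared# }"
}

# mem_limit CGROUP_DIR
# Prints "unlimited" or the byte limit from the cgroup v1 memory controller.
# CGROUP_DIR is relative to $CG_ROOT/memory, e.g. docker/<container id>
# (assumed layout for the cgroupfs driver; it differs with the systemd driver).
mem_limit() {
    limit=$(cat "$CG_ROOT/memory/$1/memory.limit_in_bytes" 2>/dev/null) || return 1
    # With no limit set the kernel reports a page-aligned value just under 2^63,
    # which is 19 decimal digits; treat anything that large as "no limit".
    if [ "${#limit}" -ge 19 ]; then echo unlimited; else echo "$limit"; fi
}

# On a Docker host: compare PID 1 with a container's init process, whose host
# PID comes from: docker inspect -f '{{.State.Pid}}' <container>
```

Docker does not give containers a separate user namespace by default, so `user` normally appears in the shared list unless userns-remap is enabled; a container started without a memory option reports `unlimited`.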
II. Installing Docker
1. Install with apt-get
1.1 System environment
root@docker-server1:~# uname -a
Linux docker-server1 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
1.2 Install dependency packages
root@docker-server1:~# apt-get update
root@docker-server1:~# apt-get install apt-transport-https ca-certificates curl software-properties-common -y
1.3 Install the GPG key
root@docker-server1:~# curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
1.4 Write the software source information
root@docker-server1:~# add-apt-repository "deb [arch=amd64] https://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
1.5 Update and install docker-ce
root@docker-server1:~# apt-get -y update
root@docker-server1:~# apt-get -y install docker-ce
root@docker-server1:~# systemctl enable docker
2. Install from a binary package
2.1 System environment
root@docker-server1:~# uname -a
Linux docker-server1 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
2.2 Create the docker directory
root@docker-server2:~# mkdir /data/docker
root@docker-server2:~# cd /data/docker/
2.3 Extract the installation package
root@docker-server2:/data/docker# tar xf docker-19.03.15-binary-install.tar.gz
root@docker-server2:/data/docker# ll
total 153128
drwxr-xr-x 2 root root 4096 Apr 11 2021 ./
drwxr-xr-x 4 root root 4096 Dec 28 05:40 ../
-rw-r--r-- 1 root root 647 Apr 11 2021 containerd.service
-rw-r--r-- 1 root root 78156440 Dec 28 03:18 docker-19.03.15-binary-install.tar.gz
-rw-r--r-- 1 root root 62436240 Feb 5 2021 docker-19.03.15.tgz
-rwxr-xr-x 1 root root 16168192 Jun 24 2019 docker-compose-Linux-x86_64_1.24.1*
-rwxr-xr-x 1 root root 2708 Apr 11 2021 docker-install.sh*
-rw-r--r-- 1 root root 1683 Apr 11 2021 docker.service
-rw-r--r-- 1 root root 197 Apr 11 2021 docker.socket
-rw-r--r-- 1 root root 454 Apr 11 2021 limits.conf
-rw-r--r-- 1 root root 257 Apr 11 2021 sysctl.conf
2.4 Run the install script with bash
root@docker-server2:/data/docker# bash docker-install.sh
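III. Common Docker commands
1. Docker container information
1.1 Show the Docker version
root@docker-server1:~# docker version
1.2 Show Docker system information
root@docker-server1:~# docker info
1.3 Show Docker help
root@docker-server1:~# docker --help
2. Image operations
2.1 Listing images
##List local images
root@docker-server1:~# docker images
##List all local images (including intermediate image layers, which are filtered out by default)
root@docker-server1:~# docker images -a
##Show only image IDs
root@docker-server1:~# docker images -q
##List the IDs of all local images (including intermediate image layers, which are filtered out by default)
root@docker-server1:~# docker images -qa
##Show the build history of the specified image
root@docker-server1:~# docker history nginx
2.2 Searching for images
root@docker-server1:~# docker search centos
2.3 Pulling images
root@docker-server1:~# docker pull redis
2.4 Deleting images
##Delete a single image
root@docker-server1:~# docker rmi redis
##Force-delete an image (for an image that is already running)
root@docker-server1:~# docker rmi -f redis
##Delete multiple images
root@docker-server1:~# docker rmi redis nginx tomcat
2.5 Building images (involves Dockerfile; to be added after the next class)
3. Container operations
3.1 Starting containers
##Create and start a container. Options: -it runs the container in interactive mode and allocates a pseudo-terminal for it; --name gives the container a name; -d starts the container in the background, as a daemon; -p 80:80 maps the container port to the host
root@docker-server1:~# docker run -itd -p 80:80 nginx
##Start, stop or restart a container (one command each)
root@docker-server1:~# docker start nginx
root@docker-server1:~# docker stop nginx
root@docker-server1:~# docker restart nginx
3.2 Container processes
##List the processes running in a container
root@docker-server1:~# docker top `docker ps -q`
3.3 Container logs
##View the nginx container's logs
root@docker-server1:~# docker logs 2225ccdc1fec
##Options: -f follows the log output; -t shows timestamps; --tail lists only the latest N container log lines
root@docker-server1:~# docker logs -ft --tail=10 2225ccdc1fec
3.4 Entering and leaving a container
##Enter the container at creation time with run
root@docker-server1:~# docker run -it tomcat /bin/bash
##Exit and stop the container
root@b47cad8e8661:/usr/local/tomcat# exit
##Leave the container without stopping it
Shortcut: Ctrl + P + Q
##With exec, exiting the container terminal does not stop the container. Options: -i keeps STDIN open even if not attached; -t allocates a pseudo-terminal
root@docker-server1:~# docker exec -it b83057cacd91 /bin/bash
##Run a command in the container in interactive mode; the result is returned to the current terminal
root@docker-server1:~# docker exec -it b83057cacd91 ls -l /tmp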
total 4
drwxr-xr-x 1 root root 4096 Dec 22 17:07 hsperfdata_root
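##Run a command in the container in detached mode; the program runs in the background and its result is not returned to the current terminal
root@docker-server1:~# docker exec -d b83057cacd91 ls -l /tmp
3.5 Viewing containers
##List running containers
root@docker-server1:~# docker ps
##List all containers (including stopped ones)
root@docker-server1:~# docker ps -a
##Show the IDs of running containers
root@docker-server1:~# docker ps -q
##Show the total file size of running containers
root@docker-server1:~# docker ps -s
##Show the most recently created container
root@docker-server1:~# docker ps -l
##Get the metadata of the nginx image
root@docker-server1:~# docker inspect nginx
3.6 Deleting containers
##Kill a running container (if the container has not stopped, it cannot be killed)
root@docker-server1:~# docker kill b83057cacd91
##Delete a container
root@docker-server1:~# docker rm b83057cacd91
##Force-delete a container
root@docker-server1:~# docker rm -f b83057cacd91
3.7 Creating an image
##Create a new image from the current nginx container. Options: -a author of the committed image; -c use Dockerfile instructions to create the image; -m commit message; -p pause the container during the commit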
root@docker-server1:~# docker commit -a="kevin" -m="nginx-app" 2225ccdc1fec nginx:v1.1
sha256:81c4b1177a6c543e3ee02a256f674141cfd3dfb66b02e60106b40c31f4e02f77
root@docker-server1:~# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx v1.1 81c4b1177a6c 14 seconds ago 141MB
tomcat latest fb5657adc892 6 days ago 680MB
redis latest 7614ae9453d1 7 days ago 113MB
nginx latest f6987c8d6ed5 7 days ago 141MB
3.8 Copying data between a container and the host
##Copy a file from the nginx container to the host's data directory
root@docker-server1:/data# docker cp 2225ccdc1fec:/etc/nginx/nginx.conf .
root@docker-server1:/data# ll
total 36
drwxr-xr-x 3 root root 4096 Dec 29 01:35 ./
drwxr-xr-x 21 root root 4096 Dec 27 08:16 ../
drwx------ 2 root root 16384 Dec 27 07:59 lost+found/
-rw-r--r-- 1 root root 648 Nov 2 15:01 nginx.conf
-rw-r--r-- 1 root root 5122 Sep 10 2019 test.sh
##Copy test.sh from the host's data directory into the container at /usr/local/src/
root@docker-server1:/data# docker cp test.sh 2225ccdc1fec:/usr/local/src
root@docker-server1:/data# docker exec -it 2225ccdc1fec /bin/bash
root@2225ccdc1fec:/# ls /usr/local/src/
test.sh
IV. Deploying a single-node Harbor
4. Deploying and installing Harbor
4.1 Upload and extract the installation package
root@docker-server3:/data# tar xf harbor-offline-installer-v2.3.2.tgz
root@docker-server3:/data# ll
total 591320
drwxr-xr-x 4 root root 4096 Dec 29 02:16 ./
drwxr-xr-x 21 root root 4096 Dec 27 08:16 ../
drwxr-xr-x 2 root root 4096 Dec 29 02:16 harbor/
-rw-r--r-- 1 root root 605477475 Dec 27 04:43 harbor-offline-installer-v2.3.2.tgz
drwx------ 2 root root 16384 Dec 27 07:59 lost+found/
root@docker-server3:/data# cd harbor/
root@docker-server3:/data/harbor# ll
total 594392
drwxr-xr-x 2 root root 4096 Dec 29 02:16 ./
drwxr-xr-x 4 root root 4096 Dec 29 02:16 ../
-rw-r--r-- 1 root root 3361 Aug 18 08:51 common.sh
-rw-r--r-- 1 root root 608611132 Aug 18 08:52 harbor.v2.3.2.tar.gz
-rw-r--r-- 1 root root 7840 Aug 18 08:51 harbor.yml.tmpl
-rwxr-xr-x 1 root root 2500 Aug 18 08:51 install.sh*
-rw-r--r-- 1 root root 11347 Aug 18 08:51 LICENSE
-rwxr-xr-x 1 root root 1881 Aug 18 08:51 prepare*
4.2 Configure the harbor.yml file
root@docker-server3:/data/harbor# cp harbor.yml.tmpl harbor.yml
root@docker-server3:/data/harbor# ll
total 594400
drwxr-xr-x 2 root root 4096 Dec 29 02:23 ./
drwxr-xr-x 4 root root 4096 Dec 29 02:16 ../
-rw-r--r-- 1 root root 3361 Aug 18 08:51 common.sh
-rw-r--r-- 1 root root 608611132 Aug 18 08:52 harbor.v2.3.2.tar.gz
-rw-r--r-- 1 root root 7840 Dec 29 02:23 harbor.yml
-rw-r--r-- 1 root root 7840 Aug 18 08:51 harbor.yml.tmpl
-rwxr-xr-x 1 root root 2500 Aug 18 08:51 install.sh*
-rw-r--r-- 1 root root 11347 Aug 18 08:51 LICENSE
-rwxr-xr-x 1 root root 1881 Aug 18 08:51 prepare*
root@docker-server3:/data/harbor# vim harbor.yml
##Modify the following two lines, and comment out the https section
hostname: 10.0.0.10
harbor_admin_password: 123456
4.3 Run the install script to install Harbor, then log in; the default account is admin
root@docker-server3:/data/harbor# ./install.sh --with-trivy --with-chartmuseum
4.4 Configure Harbor
4.5 Configure docker-server to access Harbor
root@docker-server1:/data# find / -name docker.service
/var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/docker.service
/sys/fs/cgroup/blkio/system.slice/docker.service
/sys/fs/cgroup/pids/system.slice/docker.service
/sys/fs/cgroup/devices/system.slice/docker.service
/sys/fs/cgroup/memory/system.slice/docker.service
/sys/fs/cgroup/cpu,cpuacct/system.slice/docker.service
/sys/fs/cgroup/systemd/system.slice/docker.service
/sys/fs/cgroup/unified/system.slice/docker.service
/usr/lib/systemd/system/docker.service
/etc/systemd/system/multi-user.target.wants/docker.service
root@docker-server1:/data# vim /usr/lib/systemd/system/docker.service
##Append --insecure-registry 10.0.0.10 to the end of the following line
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 10.0.0.10
root@docker-server1:/data# systemctl daemon-reload
root@docker-server1:/data# systemctl restart docker
root@docker-server1:/data# docker login 10.0.0.10
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
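Sections 4.2 and 4.5 use settings that suit a closed lab: HTTPS commented out in harbor.yml, a short admin password, and dockerd told to treat the registry as insecure. The following is an added example, not part of the original notes, that flags those settings in a harbor.yml and a docker.service file; the function names and the 12-character password threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): flag the lab-only settings from
# sections 4.2 and 4.5 before they reach a shared or production environment.

# audit_harbor_yml FILE -> one finding per line, nothing if the file looks sane
audit_harbor_yml() {
    # An uncommented top-level "https:" key means the TLS listener is configured.
    if ! grep -Eq '^https:' "$1"; then
        echo "harbor: https section commented out, registry served over plain HTTP"
    fi
    pw=$(sed -n 's/^harbor_admin_password:[[:space:]]*//p' "$1" | head -n 1)
    # Harbor12345 is the value shipped in harbor.yml.tmpl; the 12-character
    # minimum is this example's own threshold, not a Harbor rule.
    if [ "$pw" = "Harbor12345" ] || [ "${#pw}" -lt 12 ]; then
        echo "harbor: default or short harbor_admin_password"
    fi
}

# audit_dockerd_unit FILE -> one line per registry dockerd will reach without TLS
audit_dockerd_unit() {
    grep -E '^ExecStart=' "$1" | tr ' ' '\n' | awk '
        prev == "--insecure-registry" { print "dockerd: insecure registry " $0 }
        /^--insecure-registry=/       { sub(/^[^=]*=/, ""); print "dockerd: insecure registry " $0 }
        { prev = $0 }'
}
```

Both findings clear once the https block in harbor.yml is enabled with a certificate and private key and the --insecure-registry option is removed from ExecStart.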
4.6 Test pushing to and pulling from Harbor
root@docker-server1:/data# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx v1.1 81c4b1177a6c About an hour ago 141MB
tomcat latest fb5657adc892 6 days ago 680MB
redis latest 7614ae9453d1 7 days ago 113MB
nginx latest f6987c8d6ed5 8 days ago 141MB
root@docker-server1:/data# docker tag nginx:v1.1 10.0.0.10/test/nginx:v1.1
root@docker-server1:/data# docker push 10.0.0.10/test/nginx:v1.1
The push refers to repository [10.0.0.10/test/nginx]
56340a5f4f83: Pushed
51a4ac025eb4: Pushed
4ded77d16e76: Pushed
32359d2cd6cd: Pushed
4270b63061e5: Pushed
5f5f780b24de: Pushed
2edcec3590a4: Pushed
v1.1: digest: sha256:5f52d15fc2f2f34e5a9cb00ebd68c1cf183492a38328c3469b85b5a088d3e543 size: 1777
root@docker-server1:/data# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
tomcat latest fb5657adc892 6 days ago 680MB
redis latest 7614ae9453d1 7 days ago 113MB
nginx latest f6987c8d6ed5 8 days ago 141MB
root@docker-server1:/data# docker pull 10.0.0.10/test/nginx:v1.1
v1.1: Pulling from test/nginx
a2abf6c4d29d: Already exists
f3409a9a9e73: Already exists
9919a6cbae9c: Already exists
fc1ce43285d7: Already exists
1f01ab499216: Already exists
13cfaf79ff6d: Already exists
9d8c8a6e469f: Pull complete
Digest: sha256:5f52d15fc2f2f34e5a9cb00ebd68c1cf183492a38328c3469b85b5a088d3e543
Status: Downloaded newer image for 10.0.0.10/test/nginx:v1.1
10.0.0.10/test/nginx:v1.1
root@docker-server1:/data# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
10.0.0.10/test/nginx v1.1 81c4b1177a6c 2 hours ago 141MB
tomcat latest fb5657adc892 6 days ago 680MB
redis latest 7614ae9453d1 7 days ago 113MB
nginx latest f6987c8d6ed5 8 days ago 141MB
5. Harbor high availability based on load balancing
5. Environment preparation
1 docker-server
docker-server1 IP:10.0.0.7 OS:ubuntu20.04 docker version: 20.10.12
2 Harbor servers
harbor-server1 IP:10.0.0.10 OS:ubuntu20.04 docker version: 20.10.12 docker-compose version: 1.25.0 harbor version: v2.3.2
harbor-server2 IP:10.0.0.12 OS:ubuntu20.04 docker version: 20.10.12 docker-compose version: 1.25.0 harbor version: v2.3.2
1 HA server
HA-server IP:10.0.0.8 OS:ubuntu20.04
5.1 Configure replication rules between the two Harbor registries
5.2 Test whether the replication rule takes effect
root@docker-server1:/data# docker tag nginx:v1.1 10.0.0.10/test/nginx:v1.1
root@docker-server1:/data# docker push 10.0.0.10/test/nginx:v1.1
The push refers to repository [10.0.0.10/test/nginx]
56340a5f4f83: Pushed
51a4ac025eb4: Pushed
4ded77d16e76: Pushed
32359d2cd6cd: Pushed
4270b63061e5: Pushed
5f5f780b24de: Pushed
2edcec3590a4: Pushed
v1.1: digest: sha256:5f52d15fc2f2f34e5a9cb00ebd68c1cf183492a38328c3469b85b5a088d3e543 size: 1777
5.3 Install and configure haproxy
root@ha-server:~# apt install haproxy
root@ha-server:~# vim /etc/haproxy/haproxy.cfg
##Append the following lines at the end
listen harbor-80
bind 10.0.0.8:80
mode tcp
balance source
server 10.0.0.10 10.0.0.10:80 check inter 3s fall 3 rise 5
server 10.0.0.12 10.0.0.12:80 check inter 3s fall 3 rise 5
root@ha-server:~# systemctl restart haproxy
root@ha-server:~# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:36491 0.0.0.0:*
LISTEN 0 491 10.0.0.8:80 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::1]:6010 [::]:*
5.4 Update the trusted registry on docker-server1
root@docker-server1:~# vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 10.0.0.8
root@docker-server1:~# systemctl daemon-reload
root@docker-server1:~# systemctl restart docker
5.5 Test and verify high availability
root@docker-server1:~# docker login 10.0.0.8
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
root@docker-server1:~# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
10.0.0.10/test/nginx v1.1 81c4b1177a6c 7 hours ago 141MB
tomcat latest fb5657adc892 6 days ago 680MB
redis latest 7614ae9453d1 7 days ago 113MB
nginx latest f6987c8d6ed5 8 days ago 141MB
root@docker-server1:~# docker tag redis:latest 10.0.0.8/test/redis:v1.1
root@docker-server1:~# docker push 10.0.0.8/test/redis:v1.1
The push refers to repository [10.0.0.8/test/redis]
8e5669d83291: Pushed
9975392591f2: Pushed
529cdb636f61: Pushed
4b8e2801e0f9: Pushed
9b24afeb7c2f: Pushed
2edcec3590a4: Pushed
v1.1: digest: sha256:563888f63149e3959860264a1202ef9a644f44ed6c24d5c7392f9e2262bd3553 size: 1573
root@harbor-server1:/data/harbor# docker-compose stop
root@docker-server1:~# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
tomcat latest fb5657adc892 6 days ago 680MB
10.0.0.8/test/redis v1.1 7614ae9453d1 7 days ago 113MB
redis latest 7614ae9453d1 7 days ago 113MB
nginx latest f6987c8d6ed5 8 days ago 141MB
root@docker-server1:~# docker pull 10.0.0.8/test/nginx:v1.1
v1.1: Pulling from test/nginx
a2abf6c4d29d: Already exists
f3409a9a9e73: Already exists
9919a6cbae9c: Already exists
fc1ce43285d7: Already exists
1f01ab499216: Already exists
13cfaf79ff6d: Already exists
9d8c8a6e469f: Pull complete
Digest: sha256:5f52d15fc2f2f34e5a9cb00ebd68c1cf183492a38328c3469b85b5a088d3e543
Status: Downloaded newer image for 10.0.0.8/test/nginx:v1.1
10.0.0.8/test/nginx:v1.1
root@docker-server1:~# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
10.0.0.8/test/nginx v1.1 81c4b1177a6c 7 hours ago 141MB
tomcat latest fb5657adc892 6 days ago 680MB
10.0.0.8/test/redis v1.1 7614ae9453d1 7 days ago 113MB
redis latest 7614ae9453d1 7 days ago 113MB
nginx latest f6987c8d6ed5 8 days ago 141MB