Docker: Docker Deployment

Choosing a Docker Version

Docker previously did not distinguish between editions, but in early 2017 it launched a new project, Moby (GitHub: https://github.com/moby/moby), into which Docker was renamed. The Moby project is the new upstream of Docker, and Docker becomes a sub-product under Moby. From then on, releases are split into CE (Community Edition) and EE (Enterprise Edition, paid). Both CE and EE publish a new release every quarter, but EE receives security maintenance for one year, whereas CE receives it for four months.

When Docker is used together with Kubernetes, install a Docker version that has passed the Kubernetes project's official testing, to avoid incompatibilities and other unknown, unpredictable problems. The Docker versions tested by Kubernetes can be looked up on GitHub:

https://github.com/kubernetes/kubernetes/blob/master/build/dependencies.yaml

Official installation method

Remove old versions

apt-get remove docker docker-engine docker.io containerd runc

Install Docker dependencies

apt-get -y install ca-certificates curl gnupg lsb-release

Add Docker's official GPG key

mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg

Add the repository

echo  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Update the package index

apt-get update

Install Docker Engine

apt-get -y install docker-ce docker-ce-cli containerd.io docker-compose-plugin

Installing Docker on Ubuntu

Install dependencies

sudo apt-get remove docker docker-engine docker.io
sudo apt-get install apt-transport-https ca-certificates curl gnupg2 software-properties-common

Add the GPG public key

curl -fsSL https://mirrors.huaweicloud.com/docker-ce/linux/ubuntu/gpg | sudo gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/huawei.gpg --import
chmod a+r /etc/apt/trusted.gpg.d/huawei.gpg

Add the repository

sudo add-apt-repository "deb [arch=amd64] https://mirrors.huaweicloud.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"

Update the package index

sudo apt-get update

Install Docker CE

sudo apt-get -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Configure Docker

# Overwrite (>) rather than append (>>): appending to an existing daemon.json leaves invalid JSON and dockerd refuses to start
cat > /etc/docker/daemon.json << EOF
{
        "registry-mirrors":[
          "https://7590njbk.mirror.aliyuncs.com",
          "https://reg-mirror.qiniu.com",
          "https://registry.docker-cn.com",
          "https://0961b8c584000f7f0fd6c0041a439240.mirror.swr.myhuaweicloud.com"
          ],
        "exec-opts": ["native.cgroupdriver=systemd"]
}
EOF

Remove docker-ce

root@ubuntu:~# apt-get purge docker-ce docker-ce-cli containerd.io
root@ubuntu:~# rm -rf /var/lib/docker
root@ubuntu:~# rm -rf /var/lib/containerd

Installing Docker from binaries

Create the docker group

# groupadd -g 998 -o -r docker

Download the Docker binary package

# VERSION_STRING=23.0.2
# wget https://download.docker.com/linux/static/stable/x86_64/docker-${VERSION_STRING}.tgz
# tar xf docker-${VERSION_STRING}.tgz
# cp docker/* /usr/bin/

containerd.service

# Copyright The containerd Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target

[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/bin/containerd

Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=infinity
# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999

[Install]
WantedBy=multi-user.target

docker.service

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target docker.socket firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket containerd.service

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3

# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity

# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity

# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes

# kill only the docker process, not all processes in the cgroup
KillMode=process
OOMScoreAdjust=-500

[Install]
WantedBy=multi-user.target

docker.socket

[Unit]
Description=Docker Socket for the API

[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker

[Install]
WantedBy=sockets.target

Start Docker

# systemctl enable containerd.service docker.socket docker
Created symlink /etc/systemd/system/multi-user.target.wants/containerd.service → /lib/systemd/system/containerd.service.
Created symlink /etc/systemd/system/sockets.target.wants/docker.socket → /lib/systemd/system/docker.socket.
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /lib/systemd/system/docker.service.
# systemctl start docker
# systemctl status docker
● docker.service - Docker Application Container Engine
     Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2021-11-08 18:10:08 CST; 8min ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 926 (dockerd)
      Tasks: 9
     Memory: 72.5M
     CGroup: /system.slice/docker.service
             └─926 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

Verify the Docker version

root@ubuntu:/opt# docker version
Client:
 Version:           20.10.9
 API version:       1.41
 Go version:        go1.16.8
 Git commit:        c2ea9bc
 Built:             Mon Oct  4 16:03:22 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.9
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.8
  Git commit:       79ea9d3
  Built:            Mon Oct  4 16:07:30 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.4.11
  GitCommit:        5b46e404f6b9f661a205e28d59c982d3634148f8
 runc:
  Version:          1.0.2
  GitCommit:        v1.0.2-0-g52b36a2d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Installing Docker on CentOS 7

Remove old versions

sudo yum remove docker \
                  docker-client \
                  docker-client-latest \
                  docker-common \
                  docker-latest \
                  docker-latest-logrotate \
                  docker-logrotate \
                  docker-engine

Install dependencies

yum install -y yum-utils

Set up the repository

# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# yum makecache fast

Update and install docker-ce

sudo yum install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Installing a specific Docker version

List the available versions

# apt-cache madison docker-ce | awk '{ print $3 }'
5:20.10.16~3-0~ubuntu-jammy
5:20.10.15~3-0~ubuntu-jammy
5:20.10.14~3-0~ubuntu-jammy
5:20.10.13~3-0~ubuntu-jammy

Choose the version to install

# VERSION_STRING=5:20.10.13~3-0~ubuntu-jammy
# sudo apt-get -y install docker-ce=$VERSION_STRING docker-ce-cli=$VERSION_STRING containerd.io docker-buildx-plugin docker-compose-plugin

Verify that the installation succeeded

# sudo docker run hello-world

Viewing Docker information

View the Docker version

root@ubuntu:~# docker version
Client: Docker Engine - Community
 Version:           20.10.10
 API version:       1.40
 Go version:        go1.16.9
 Git commit:        b485636
 Built:             Mon Oct 25 07:42:57 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          19.03.15
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       99e3ed8919
  Built:            Sat Jan 30 03:15:20 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.11
  GitCommit:        5b46e404f6b9f661a205e28d59c982d3634148f8
 runc:
  Version:          1.0.2
  GitCommit:        v1.0.2-0-g52b36a2
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

View detailed Docker information

root@ubuntu:~# docker info
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.6.3-docker)
  scan: Docker Scan (Docker Inc., v0.9.0)

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 19.03.15
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 5b46e404f6b9f661a205e28d59c982d3634148f8
 runc version: v1.0.2-0-g52b36a2
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.15.0-161-generic
 Operating System: Ubuntu 18.04.5 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 985MiB
 Name: ubuntu
 ID: SCQL:4CVE:RNUG:KOSE:P3QB:I3WQ:5C5Z:VD6X:ESEQ:6NPV:TARW:KFOM
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support

View the Docker network interfaces

root@ubuntu:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1452 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:87:29:22 brd ff:ff:ff:ff:ff:ff
    inet 172.16.10.248/24 brd 172.16.10.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe87:2922/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:14:9a:a1:3e brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

Docker storage drivers

Introduction to Docker storage drivers

Docker's current default storage driver is overlay2. Each storage driver requires corresponding support from the system; for example, the d_type feature that overlay2 relies on for file layering must be enabled when the disk partition is formatted, i.e. it has to be specified through the formatting options at the time the disk is formatted.

Storage driver types:

  • AUFS (AnotherUnionFS) is a union filesystem and a file-level storage driver. A union FS merges directories at different physical locations into a single mount point; simply put, it is a filesystem that lets different directories be mounted under the same virtual filesystem. Such a filesystem stacks modifications layer by layer: no matter how many layers lie below, they are all read-only, and only the topmost filesystem is writable. When a file needs to be modified, AUFS creates a copy of it, using copy-on-write (COW) to copy the file from the read-only layer into the writable layer, where the modification is made and the result is stored. In Docker, the read-only layers below are the image and the writable layer is the container. AUFS was the preferred storage driver for Docker 18.06 and earlier.
  • Overlay: a union filesystem supported by Linux kernel 3.18 and later.
  • overlay2: the upgraded version of Overlay; to date, the storage driver recommended for all Linux distributions.
  • devicemapper: was the recommended storage driver for CentOS and RHEL because earlier kernel versions did not support overlay2; current newer releases of CentOS and RHEL now support overlay2, so overlay2 is recommended there as well.
  • ZFS/btrfs: not widely used at present.
  • vfs: intended for test environments where a copy-on-write filesystem cannot be used. Its performance is poor and it is generally not recommended for production.

Changing the Docker storage driver

Official documentation: https://docs.docker.com/storage/storagedriver/overlayfs-driver/

If the Docker data directory is a separate disk partition formatted as xfs, add the parameter -n ftype=1 when formatting; otherwise, starting containers later will fail with an error that d_type is not supported.

Changing the storage driver causes all existing containers to be lost, so back up before changing it.

root@ubuntu:~# vim /lib/systemd/system/docker.service 
ExecStart=/usr/bin/dockerd -s overlay2 -H fd:// --containerd=/run/containerd/containerd.sock

root@ubuntu:~# systemctl daemon-reload
root@ubuntu:~# systemctl restart docker

Docker service processes

View the host process tree

root@ubuntu:~# pstree -p
systemd(1)─┬─ModemManager(1031)─┬─{ModemManager}(1058)
           │                    └─{ModemManager}(1062)
           ├─NetworkManager(1018)─┬─{NetworkManager}(1074)
           │                      └─{NetworkManager}(1077)
           ├─accounts-daemon(1029)─┬─{accounts-daemon}(1037)
           │                       └─{accounts-daemon}(1046)
           ├─agetty(1132)
           ├─atd(1024)
           ├─ceph-crash(1025)
           ├─chronyd(1103)
           ├─containerd(7510)─┬─containerd-shim(11079)─┬─sh(11106)
           │                  │                        ├─{containerd-shim}(11080)
           │                  │                        ├─{containerd-shim}(11081)
           │                  │                        ├─{containerd-shim}(11082)
           │                  │                        ├─{containerd-shim}(11083)
           │                  │                        ├─{containerd-shim}(11084)
           │                  │                        ├─{containerd-shim}(11085)
           │                  │                        ├─{containerd-shim}(11086)
           │                  │                        └─{containerd-shim}(11087)
           │                  ├─{containerd}(7514)
           │                  ├─{containerd}(7515)
           │                  ├─{containerd}(7516)
           │                  ├─{containerd}(7517)
           │                  ├─{containerd}(7529)
           │                  ├─{containerd}(7530)
           │                  ├─{containerd}(7546)
           │                  └─{containerd}(9800)
           ├─cron(1028)
           ├─dbus-daemon(988)
           ├─dockerd(9151)─┬─docker-proxy(11074)─┬─{docker-proxy}(11075)
           │               │                     ├─{docker-proxy}(11076)
           │               │                     ├─{docker-proxy}(11077)
           │               │                     └─{docker-proxy}(11078)
           │               ├─{dockerd}(9171)
           │               ├─{dockerd}(9172)
           │               ├─{dockerd}(9173)
           │               ├─{dockerd}(9174)
           │               ├─{dockerd}(9180)
           │               ├─{dockerd}(9181)
           │               ├─{dockerd}(9204)
           │               ├─{dockerd}(9682)
           │               └─{dockerd}(9696)

View the containerd process relationships

The four Docker-related processes

  • dockerd: the server program, accessed directly by the client; its parent process is the host's systemd daemon.
  • docker-proxy: each docker-proxy process corresponds to one container that needs network communication and manages the port mapping between the host and that container; its parent process is dockerd. It is not started if the container does not need networking.
  • containerd: called by the dockerd process to interact with runc.
  • containerd-shim: the actual carrier that runs the container; each container corresponds to one containerd-shim process, whose parent process is containerd.

root@ubuntu:~# ps -ef | grep containerd
root      7510     1  0 13:14 ?        00:00:16 /usr/bin/containerd
root      9151     1  0 14:07 ?        00:00:04 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root     11079  7510  0 16:45 ?        00:00:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/427f20a455226581ee9724fe01872ac1a91b9a2499c500b15c0ec20f9d433ec2 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc

root@ubuntu:~# ps -ef | grep docker-proxy
root     11074  9151  0 16:45 ?        00:00:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-ip 172.17.0.2 -container-port 9000

Container creation and management process

  1. dockerd communicates with the containerd module over gRPC; inside dockerd, libcontainerd is responsible for the exchange with containerd. The socket file used for dockerd-to-containerd communication is /var/run/containerd/containerd.sock.
  2. containerd is started when dockerd starts; containerd then begins listening for gRPC requests, processes them and performs the corresponding actions.
  3. For a run, start or exec of a container, containerd spawns a containerd-shim and carries out the corresponding operation.
  4. Once containerd-shim has been spawned, start/exec/create launches the runC process; the shim communicates with containerd through the exit and control files, and monitors the state of the processes in the container through the parent-child relationship and SIGCHLD.
  5. Throughout the container lifecycle, containerd monitors the container files via epoll and watches for container events.
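As an added example of the process relationships described in this section and the previous one (not code from the original post), the following Python script rebuilds the dockerd, containerd, containerd-shim and docker-proxy parent-child links from `ps -ef` output and flags any shim or proxy whose parent is not the process the post describes. The sample lines are constructed from the post's own listings, plus one deliberately wrong, made-up entry (pid 12000 with parent 4242 and the placeholder container id "deadbeef").

```python
# Added example, not code from the original post: rebuild the dockerd / containerd /
# containerd-shim / docker-proxy parent-child links from `ps -ef` output and flag any
# shim or proxy whose parent is not the process the post describes. Sample lines are
# constructed from the post's listings; pid 12000 (parent 4242, id "deadbeef") is a
# deliberately wrong, made-up entry.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 13:10 ?        00:00:02 /sbin/init
root      7510     1  0 13:14 ?        00:00:16 /usr/bin/containerd
root      9151     1  0 14:07 ?        00:00:04 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root     11079  7510  0 16:45 ?        00:00:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/427f20a455226581ee9724fe01872ac1a91b9a2499c500b15c0ec20f9d433ec2 -address /run/containerd/containerd.sock
root     11074  9151  0 16:45 ?        00:00:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-ip 172.17.0.2 -container-port 9000
root     12000  4242  0 17:01 ?        00:00:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/deadbeef -address /run/containerd/containerd.sock
"""

EXPECTED_PARENT = {"containerd-shim": "containerd", "docker-proxy": "dockerd"}

def parse_ps(text):
    """Map pid -> (ppid, comm, argv) from `ps -ef` lines; the header line is skipped."""
    procs = {}
    for line in filter(str.strip, text.splitlines()):
        fields = line.split(None, 7)          # UID PID PPID C STIME TTY TIME CMD
        if len(fields) < 8 or not fields[1].isdigit():
            continue
        argv = fields[7].split()
        comm = argv[0].rsplit("/", 1)[-1]     # basename of the executable
        procs[int(fields[1])] = (int(fields[2]), comm, argv)
    return procs

def audit(text):
    """Return (containers, port_maps, findings): shim pid per container id,
    docker-proxy (host_port, container_ip, container_port) tuples, and parent mismatches."""
    procs = parse_ps(text)
    containers, port_maps, findings = {}, [], []
    for pid, (ppid, comm, argv) in procs.items():
        want = EXPECTED_PARENT.get(comm)
        if want is None:
            continue
        parent = procs.get(ppid, (None, "<missing>", []))[1]
        if parent != want:
            findings.append(f"{comm} pid {pid}: parent is {parent} (pid {ppid}), expected {want}")
        opts = dict(zip(argv[1::2], argv[2::2]))   # "-flag value" pairs after argv[0]
        if comm == "containerd-shim":
            containers[opts.get("-workdir", "").rsplit("/", 1)[-1]] = pid
        else:
            port_maps.append((opts.get("-host-port"), opts.get("-container-ip"), opts.get("-container-port")))
    return containers, port_maps, findings
```

On a live host, feed `audit` the full text of `ps -ef`; a shim whose parent is not containerd (or a proxy not under dockerd) is worth investigating, since the post's process model does not produce one.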


References

https://docs.docker.com/engine/install/

Posted 2021-11-05 13:19 by 小吉猫