Geek Time Ops Advanced Training Camp, Week 1 Homework: Container Technology (1)
1. Summarize the role of each namespace
Namespaces: the kernel implements several namespace types and combines them so that the resources of one group of processes are isolated from another.
Main isolation types:
MNT Namespace (mount): isolates mount points and file systems
IPC Namespace (Inter-Process Communication): isolates inter-process communication
UTS Namespace (UNIX Timesharing System): isolates the hostname
PID Namespace: isolates processes
Net Namespace: isolates the network
User Namespace: isolates users
Time Namespace: isolates time
Syslog Namespace: isolates syslog
Control group (cgroup) Namespace: isolates the identity of the control group a process belongs to
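To see which of these namespaces a process really shares with the host, the script below (added here as an example, not part of the homework) reads the `/proc/<pid>/ns/*` symlinks and compares the namespace inodes of two processes. Two processes are in the same namespace exactly when the inode numbers match, which is what a defender checks to spot containers started with `--net=host`, `--pid=host` or `--ipc=host`. The sample listings and their inode numbers are constructed; they model a container started with `--net=host` and without user-namespace remapping, so `net` and `user` come back as shared.

```bash
#!/usr/bin/env sh
# Added example (not part of the original homework): report which Linux namespaces a
# process shares with a reference process (normally PID 1 on the host). Each entry in
# /proc/<pid>/ns/ is a symlink whose target reads "<type>:[<inode>]"; two processes are
# in the same namespace exactly when the inode numbers are equal.
set -u

# Namespace types exposed under /proc/<pid>/ns on current kernels. (The "syslog"
# namespace listed in the course notes is not part of mainline Linux, so it has no entry.)
NS_TYPES="mnt ipc uts pid net user cgroup time"

# ns_list PID: print "type:[inode]" for every namespace of PID that the running kernel
# supports and that we are allowed to read.
ns_list() {
    pid=$1
    for t in $NS_TYPES; do
        [ -e "/proc/$pid/ns/$t" ] && readlink "/proc/$pid/ns/$t" 2>/dev/null || true
    done
}

# ns_compare REF TARGET: REF and TARGET are ns_list outputs. Print "<type> shared" or
# "<type> isolated" for every type in REF. "net shared", "pid shared" or "ipc shared"
# means the process was started with --net=host / --pid=host / --ipc=host (or an
# equivalent); "user shared" is Docker's default unless userns-remap is enabled.
ns_compare() {
    ref=$1
    target=$2
    printf '%s\n' "$ref" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        t=${line%%:*}
        if printf '%s\n' "$target" | grep -qxF "$line"; then
            echo "$t shared"
        else
            echo "$t isolated"
        fi
    done
}

# Constructed sample listings (inode numbers invented for this example): a host's PID 1
# and a container process started with --net=host and no userns-remap.
HOST_NS='mnt:[4026531840]
uts:[4026531838]
ipc:[4026531839]
pid:[4026531836]
net:[4026531992]
user:[4026531837]
cgroup:[4026531835]'
CONTAINER_NS='mnt:[4026532551]
uts:[4026532552]
ipc:[4026532553]
pid:[4026532554]
net:[4026531992]
user:[4026531837]
cgroup:[4026532556]'

if [ -n "${1:-}" ]; then
    # Live check: compare the given PID against PID 1 (needs permission to read both).
    ns_compare "$(ns_list 1)" "$(ns_list "$1")"
else
    ns_compare "$HOST_NS" "$CONTAINER_NS"
fi
```

Run it with a PID argument on a host to audit a real container process (for a running container, `docker inspect -f '{{.State.Pid}}' NAME` gives the PID); without an argument it prints the result for the constructed sample, where everything but `net` and `user` is isolated.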
2. Install a specific Docker version with apt/yum or from the binary tarball
2.1 apt install
```bash
apt-get update
apt-get -y install apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
add-apt-repository "deb [arch=amd64] https://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
apt-get -y update
# list the available versions, then pin the one to install
apt-cache madison docker-ce
apt-cache madison docker-ce-cli
apt-get install -y docker-ce=5:20.10.17~3-0~ubuntu-jammy docker-ce-cli=5:20.10.17~3-0~ubuntu-jammy
# write the daemon config with "tee" rather than "tee -a": appending to an existing
# daemon.json leaves two JSON objects in the file and dockerd refuses to start
tee /etc/docker/daemon.json << "EOF"
{
  "graph": "/var/lib/docker",
  "storage-driver": "overlay2",
  "insecure-registries": ["harbor.magedu.com", "harbor.myserver.com", "172.31.7.105"],
  "registry-mirrors": ["https://9916w1ow.mirror.aliyuncs.com"],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "live-restore": false,
  "log-opts": {
    "max-file": "5",
    "max-size": "100m"
  }
}
EOF
systemctl daemon-reload
systemctl start docker && systemctl enable docker
systemctl restart docker
```
Notes: "graph" is the legacy name of "data-root" and only kept for compatibility; every entry in "insecure-registries" is pulled without TLS verification, so keep that list to registries you control.
2.2 Binary install
```bash
PACKAGE_NAME="docker-20.10.19.tgz"
cd /usr/local/src/
curl -O https://download.docker.com/linux/static/stable/x86_64/${PACKAGE_NAME} && \
tar xzf ${PACKAGE_NAME}
\cp /usr/local/src/docker/* /usr/bin

# process limits for the daemon and its containers
tee -a /etc/security/limits.conf << "EOF"
* soft core unlimited
* hard core unlimited
* soft nproc 1000000
* hard nproc 1000000
* soft nofile 1000000
* hard nofile 1000000
* soft memlock 32000
* hard memlock 32000
* soft msgqueue 8192000
* hard msgqueue 8192000
EOF

# the net.bridge.* keys only exist once br_netfilter is loaded; without it "sysctl -p" fails
modprobe br_netfilter
tee -a /etc/sysctl.conf << "EOF"
# add by docker_installer
net.ipv4.ip_forward=1
vm.max_map_count=262144
kernel.pid_max=4194303
fs.file-max=1000000
net.ipv4.tcp_max_tw_buckets=6000
net.netfilter.nf_conntrack_max=2097152
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness=0
EOF
sysctl -p

if [[ ! -d /etc/docker ]]; then
  mkdir /etc/docker
fi

# "tee" rather than "tee -a": appending to an existing daemon.json leaves two JSON
# objects in the file and dockerd refuses to start
tee /etc/docker/daemon.json << "EOF"
{
  "graph": "/var/lib/docker",
  "storage-driver": "overlay2",
  "insecure-registries": ["harbor.magedu.com","harbor.myserver.com","172.31.7.105"],
  "registry-mirrors": ["https://9916w1ow.mirror.aliyuncs.com"],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "live-restore": false,
  "log-opts": {
    "max-file": "5",
    "max-size": "100m"
  }
}
EOF

# systemd units: written with "tee" (overwrite) so a re-run does not duplicate sections
tee /lib/systemd/system/containerd.service << "EOF"
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target

[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/bin/containerd
Type=notify
Delegate=yes
KillMode=process
Restart=always
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=1048576
# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity

[Install]
WantedBy=multi-user.target
EOF

tee /lib/systemd/system/docker.service << "EOF"
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
BindsTo=containerd.service
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3

# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity

# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity

# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes

# kill only the docker process, not all processes in the cgroup
KillMode=process

[Install]
WantedBy=multi-user.target
EOF

tee /lib/systemd/system/docker.socket << "EOF"
[Unit]
Description=Docker Socket for the API
PartOf=docker.service

[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker

[Install]
WantedBy=sockets.target
EOF

systemctl daemon-reload
# the socket is root:docker 0660, so membership of the docker group grants full control
# of the daemon (effectively root on the host); add only accounts that need it
groupadd docker && useradd docker -r -m -s /sbin/nologin -g docker
usermod -G docker docker
systemctl enable containerd.service && systemctl restart containerd.service
systemctl enable docker.service && systemctl restart docker.service
systemctl enable docker.socket && systemctl restart docker.socket
```
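Both install scripts write /etc/docker/daemon.json from a heredoc, and two things routinely go wrong with that file: re-running an installer that uses `tee -a` appends a second JSON object (dockerd then fails to start), and the "insecure-registries" list silently disables TLS verification for every registry in it. The checker below is an added example, not part of the course material; it audits a daemon.json with only grep, sed and tr so it runs anywhere. The sample file it builds when run without an argument is constructed from the config above, written twice to reproduce the `tee -a` mistake.

```bash
#!/usr/bin/env sh
# Added example, not part of the course material: sanity-check the /etc/docker/daemon.json
# produced by the install scripts above. It reports:
#   FAIL  more than one top-level JSON object (file was appended to with `tee -a`)
#   WARN  each registry in "insecure-registries" (pulls are not TLS-verified)
#   INFO  userns-remap not configured (container root is host root)
# Usage: `sh daemon_json_check.sh /etc/docker/daemon.json`; with no argument it audits a
# constructed sample.
set -u

# daemon_json_object_count FILE: number of top-level JSON objects, detected as lines that
# start with "{" in column 0. A valid daemon.json has exactly one.
daemon_json_object_count() {
    grep -c '^{' "$1" || true
}

# daemon_json_insecure_registries FILE: the entries of "insecure-registries", one per line.
# The file is joined into one line first so the array may be wrapped over several lines.
daemon_json_insecure_registries() {
    tr -d '\n' < "$1" \
      | sed -n 's/.*"insecure-registries"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p' \
      | tr ',' '\n' | tr -d ' "' | sed '/^$/d'
}

# audit_daemon_json FILE: one finding per line; prints nothing for a clean file.
audit_daemon_json() {
    f=$1
    n=$(daemon_json_object_count "$f")
    if [ "$n" -ne 1 ]; then
        echo "FAIL: $f contains $n top-level JSON objects (appended with tee -a?)"
    fi
    for r in $(daemon_json_insecure_registries "$f"); do
        echo "WARN: registry $r is configured as insecure; pulls from it are not TLS-verified"
    done
    grep -q '"userns-remap"' "$f" || echo "INFO: userns-remap not set; root in a container is root on the host"
}

# write_sample_daemon_json FILE COPIES: constructed sample, the daemon.json from the install
# script written COPIES times (COPIES=2 models a re-run of a script that uses `tee -a`).
write_sample_daemon_json() {
    out=$1
    copies=$2
    : > "$out"
    while [ "$copies" -gt 0 ]; do
        cat >> "$out" <<'EOF'
{
  "graph": "/var/lib/docker",
  "storage-driver": "overlay2",
  "insecure-registries": ["harbor.magedu.com", "harbor.myserver.com", "172.31.7.105"],
  "registry-mirrors": ["https://9916w1ow.mirror.aliyuncs.com"],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "live-restore": false,
  "log-opts": { "max-file": "5", "max-size": "100m" }
}
EOF
        copies=$((copies - 1))
    done
}

if [ -n "${1:-}" ]; then
    audit_daemon_json "$1"
else
    sample=$(mktemp)
    write_sample_daemon_json "$sample" 2
    audit_daemon_json "$sample"
    rm -f "$sample"
fi
```

For the doubled sample the output starts with a FAIL line and lists the three registries from the config; for a correctly written single copy only the WARN and INFO lines remain. The object count is deliberately crude (it assumes the top-level braces sit in column 0, as in the heredocs above); on a host with python3 available, `python3 -m json.tool /etc/docker/daemon.json` is the stricter syntax check.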
3. Working with Docker data volumes
## Sharing one host directory among several containers
```bash
mkdir -p /data/testapp
echo "testaaaa web page" > /data/testapp/index.html
# read-write mount: the container can modify the host directory
docker run -d --name=web1 -v /data/testapp/:/usr/share/nginx/html/testapp -p 80:80 nginx:1.20.2
# read-only mount (:ro): the container can only read it
docker run -d --name=web2 -v /data/testapp/:/usr/share/nginx/html/testapp:ro -p 81:80 nginx:1.20.2
```
4. Working with Docker bridge and container network modes
## Specifying the network mode when creating a container
```bash
docker run -it -d --name=my_srv01 centos:7 bash
docker run -it -d --name=my_srv02 centos:7 bash
# default bridge network: own network namespace, port 80 published on the host
docker run -d -p 80:80 --net=bridge nginx:1.23.1-alpine
# host network: the container uses the host's network namespace, so -p is not needed
docker run -d --net=host nginx:1.23.1-alpine
# no network except loopback
docker run -it --net=none nginx:1.23.1-alpine sh
# user-defined bridge: containers on it can reach each other by container name
docker network create -d bridge my-net4
docker network list
docker run -d --name=my_test1 --network my-net4 nginx:1.20.2
docker run -d --name=my_test2 --network my-net4 nginx:1.20.2
docker run -it -d --name=my_test3 --network my-net4 centos:7.9.2009 bash
docker run -it -d --name=my_test4 --network my-net4 ubuntu:20.04 bash
docker run -it -d --name=my_test5 --network my-net4 centos:7 bash
```
## Container network mode
```bash
docker run -d --name nginx-container -p 80:80 --net=bridge nginx:1.22.0-alpine
# the next three containers join nginx-container's network namespace: they share its
# interfaces, reach each other on 127.0.0.1 and compete for the same port numbers
docker run -d --name php-container --net=container:nginx-container php:7.4.30-fpm-alpine
docker run -d --name tomcat-container --net=container:nginx-container tomcat
docker run -d --name mysql-container --net=container:nginx-container -e MYSQL_ROOT_PASSWORD="Root@1234" mysql:5.6.48
```
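The `-v` specs of section 3 and the `--net` modes of section 4 decide how much of the host, or of another container, a container can touch, so they are the first things to read in a `docker run` line. The script below is an added example, not part of the homework: it parses the flags of a `docker run` command, classifies each mount (bind or named volume, rw or ro) and the network mode (own namespace, host namespace, or another container's namespace), and prints the findings a reviewer would raise. The commands it audits at the bottom are the ones from sections 3 and 4; the docker.sock path it flags is the one the docker.socket unit above listens on.

```bash
#!/usr/bin/env sh
# Added example, not part of the original homework: audit the -v/--volume and
# --net/--network flags of a `docker run` command line.
# Limitation: host or container paths containing spaces are not handled.
set -u

# mount_spec SPEC: classify one -v argument. Prints
#   "bind <host-path> <container-path> <rw|ro>"   when the source starts with "/"
#   "volume <name> <container-path> <rw|ro>"      for a named volume
#   "volume (anonymous) <container-path> rw"      when no source is given
mount_spec() {
    spec=$1
    case "$spec" in
        *:*) ;;
        *) echo "volume (anonymous) $spec rw"; return 0 ;;
    esac
    src=${spec%%:*}
    rest=${spec#*:}
    dst=${rest%%:*}
    mode=rw
    case "$rest" in
        *:*)
            # options are a comma-separated list after the second colon, e.g. "ro" or "ro,z"
            old_ifs=$IFS; IFS=','
            for opt in ${rest#*:}; do
                if [ "$opt" = ro ]; then mode=ro; fi
            done
            IFS=$old_ifs
            ;;
    esac
    case "$src" in
        /*) echo "bind $src $dst $mode" ;;
        *)  echo "volume $src $dst $mode" ;;
    esac
}

# net_mode VALUE: what a --net/--network value means for network isolation.
net_mode() {
    case "$1" in
        host)        echo "host: shares the host's network namespace (host interfaces and ports are directly reachable)" ;;
        none)        echo "none: no interface besides loopback" ;;
        container:*) echo "container: shares the network namespace of '${1#container:}' (same localhost, one port space)" ;;
        *)           echo "$1: own network namespace" ;;
    esac
}

# report_mount SPEC: print the finding for one -v argument.
report_mount() {
    set -- $(mount_spec "$1")        # $1=kind $2=src $3=dst $4=mode
    case "$2" in
        /var/run/docker.sock|/run/docker.sock)
            echo "CRITICAL: $2 is mounted at $3; processes in the container can control the Docker daemon, which is root on the host" ;;
    esac
    if [ "$1" = bind ] && [ "$4" = rw ]; then
        echo "WARN: host path $2 is writable from the container at $3; add :ro unless the container must write it"
    else
        echo "OK: $1 $2 at $3 ($4)"
    fi
}

# docker_run_audit ARGS...: ARGS are everything after `docker run`.
docker_run_audit() {
    net=bridge
    while [ $# -gt 0 ]; do
        case "$1" in
            -v|--volume)         shift; [ $# -gt 0 ] || break; report_mount "$1" ;;
            --volume=*)          report_mount "${1#--volume=}" ;;
            --net=*|--network=*) net=${1#*=} ;;
            --net|--network)     shift; [ $# -gt 0 ] || break; net=$1 ;;
        esac
        shift
    done
    echo "network: $(net_mode "$net")"
}

# The commands from sections 3 and 4, audited in turn.
echo "== web1 (read-write bind mount)"
docker_run_audit -d --name=web1 -v /data/testapp/:/usr/share/nginx/html/testapp -p 80:80 nginx:1.20.2
echo "== web2 (read-only bind mount)"
docker_run_audit -d --name=web2 -v /data/testapp/:/usr/share/nginx/html/testapp:ro -p 81:80 nginx:1.20.2
echo "== host networking"
docker_run_audit -d --net=host nginx:1.23.1-alpine
echo "== php-container joining nginx-container's network namespace"
docker_run_audit -d --name php-container --net=container:nginx-container php:7.4.30-fpm-alpine
```

For web1 the audit prints a WARN (the nginx container can rewrite the files in /data/testapp, which every other container mounting that directory then serves), for web2 an OK with mode ro. For the `--net=container:` containers it records that php, tomcat and mysql live in nginx-container's network namespace: convenient for 127.0.0.1 connections, but a compromise of any one of them reaches the others' loopback services, and the four containers cannot bind the same port twice.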
########### end #####################