Containers

Introduction

Virtualization

  • Virtualization is the abstraction of resources, e.g. virtual machines, virtual memory

  • Classification

    • By the kind of resource provided

      • Hardware platform virtualization
      • Operating-system virtualization
    • By how the virtualization is implemented

      • Type I: paravirtualization; the virtual machine runs directly on the system hardware, known as the bare-metal type, with no host operating system.
      • Type II: hardware-assisted full virtualization; the virtual machine runs on top of a conventional operating system and again creates a fully emulated hardware instance, known as the **hosted (host-based)** type.
      • Type III:
        • Software full virtualization
        • Operating-system virtualization

Docker

  • Official site: https://www.docker.com/
  • Docker has been the most widely used container management system since 2016; it is used to manage containers
  • LXC, which appeared in 2008, was the first complete container management solution; it runs on the Linux kernel without any patches. Its drawbacks are slow container creation and poor portability
  • Docker grew out of LXC
  • Docker is an application open-sourced in 2013, a PaaS service written in Go
  • Compared with virtual machines, Docker delivers faster and consumes fewer resources. Docker uses a client/server architecture and manages and creates containers through a remote API
  • Docker ecosystem: container images, registries, the RESTful API and the command-line interface
  • Since 2017 Docker has been split into a commercial and an open-source line: docker-ce (community edition) and docker-ee (enterprise edition)

Docker vs. virtual machines

  • Virtual machine


  • Docker

  • Pros and cons

    • Virtualization
      • Strong isolation; each VM has its own guest OS
      • Low network transfer efficiency
      • Slow VM creation and start-up; files are loaded one by one
      • The guest OS consumes resources of its own, so overhead is high
      • Long response time when applications call into hardware
      • Images are large and cannot be shared between instances
    • Containers
      • Share the kernel and OS with the physical host, so isolation is weak
      • Respond to user requests quickly
      • No compute/storage loss and no guest-OS overhead
      • Images are small and can be shared between instances
      • Higher learning cost and more complex service governance

Cloud platform technology

  • IaaS (Infrastructure as a Service)
    • Hardware as a service
    • Resource packaging unit: virtual machine
    • Examples: Alibaba Cloud ECS, OpenStack VM instances
  • PaaS (Platform as a Service)
    • Platform as a service
    • Resource packaging unit: container
    • Examples: Docker, LXC
  • SaaS (Software as a Service)
    • Software as a service
    • Resource packaging unit: application
    • Example: 王者荣耀 (Honor of Kings)

Related kernel technologies

Namespaces
  • UTS: lets each container have its own hostname and domain name, giving it an environment with an independent hostname and network identity; a namespace can be thought of simply as an independent host
  • IPC: each container still uses the Linux kernel's own inter-process communication mechanisms
  • Mount: each container's file system is independent of the others
  • Net: network namespace; container networks are isolated from each other
  • User: programs inside a container run as container-specific users (containers are isolated from one another and from host users; every container has its own root user)
  • PID: each container has its own process tree. The container itself is one process on the physical machine, so the container's processes are in effect threads of that host process

Namespace: the isolated space in which an application runs. Each namespace has its own UTS, IPC, Mount, Net, User and PID.

CGroups (control groups)

Mainly used to enforce resource isolation for containers (host virtualization does this through the VMM in the hypervisor). CGroups can limit nine resource subsystems, and limits are applied per process (PAM can also limit resources through ulimit, but only per user).

The nine resource subsystems

  • cpu: limits the share of CPU a process may use
  • cpuacct: produces CPU usage reports for the tasks in a cgroup
  • cpuset: pins a cgroup's processes to a group of CPUs on multi-CPU systems
  • memory: limits memory usage
  • blkio: limits block-device I/O bandwidth
  • devices: allows or denies device access
  • freezer: suspends or resumes a cgroup
  • net_cls: tags network packets
  • ns: namespace

Case 1: limiting CPU

Install and start
[root@server1 ~]# yum install -y libcgroup*
[root@server1 ~]# systemctl start cgconfig.service 
[root@server1 ~]# systemctl enable cgconfig.service 

Create the cgroup groups
[root@server1 ~]# vim /etc/cgconfig.conf
[root@server1 ~]# tail -12 /etc/cgconfig.conf 
group lesscpu {
	cpu {
		cpu.shares=200;
	}
}

group morecpu {
	cpu {
		cpu.shares=800;
	}
}
[root@server1 ~]# systemctl restart cgconfig.service 

To make the effect observable, leave only one CPU online
[root@server1 ~]# lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                4
[root@server1 ~]# echo 1 >/sys/devices/system/cpu/cpu0/online
[root@server1 ~]# echo 0 >/sys/devices/system/cpu/cpu1/online
[root@server1 ~]# echo 0 >/sys/devices/system/cpu/cpu2/online
[root@server1 ~]# echo 0 >/sys/devices/system/cpu/cpu3/online
[root@server1 ~]# lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                4
On-line CPU(s) list:   0
Off-line CPU(s) list:  1-3

Verify
# terminal 1
[root@server1 ~]# cgexec -g cpu:lesscpu md5sum /dev/zero 
# terminal 2
[root@server1 ~]# cgexec -g cpu:morecpu sha1sum /dev/zero 
# terminal 3


Case 2: limiting memory

[root@server1 ~]# vim /etc/cgconfig.conf 
[root@server1 ~]# tail -8 /etc/cgconfig.conf 
group lessmem {
	memory {
		# limit physical memory to 256M (256 MiB = 268435456 bytes)
		memory.limit_in_bytes=268435456;
		# total memory limit (physical memory + swap)
		memory.memsw.limit_in_bytes=268435456;
	}
}
[root@server1 ~]# systemctl restart cgconfig.service 

Create a RAM disk
[root@server1 ~]# mkdir /mnt/mem_test
[root@server1 ~]# mount -t tmpfs /dev/shm /mnt/mem_test/
[root@server1 ~]# df -h
文件系统                 容量  已用  可用 已用% 挂载点
devtmpfs                 1.9G     0  1.9G    0% /dev
tmpfs                    1.9G     0  1.9G    0% /dev/shm
tmpfs                    1.9G   13M  1.9G    1% /run
tmpfs                    1.9G     0  1.9G    0% /sys/fs/cgroup
/dev/mapper/centos-root   36G  4.6G   31G   13% /
/dev/sda1               1014M  168M  847M   17% /boot
tmpfs                    378M   64K  378M    1% /run/user/0
/dev/shm                 1.9G     0  1.9G    0% /mnt/mem_test

Test
[root@server1 ~]# cgexec -g memory:lessmem dd if=/dev/zero of=/mnt/mem_test/file1 bs=1M count=300
已杀死
[root@server1 ~]# cgexec -g memory:lessmem dd if=/dev/zero of=/mnt/mem_test/file1 bs=1M count=200
记录了200+0 的读入
记录了200+0 的写出
209715200字节(210 MB)已复制,0.0849808 秒,2.5 GB/
[root@server1 ~]# cgexec -g memory:lessmem dd if=/dev/zero of=/mnt/mem_test/file2 bs=1M count=100
已杀死
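As an added worked example (not part of the original notes), the script below parses cgconfig.conf groups like the lesscpu/morecpu/lessmem ones from case 1 and case 2, works out what the values mean, and models why the dd writes in case 2 were killed: pages written to tmpfs are charged to the cgroup that writes them and stay charged while the file exists, so the 200 MiB file1 plus a 100 MiB file2 exceeds the 256 MiB limit. The config text is the page's groups reproduced inline, the simulation is a deliberately simplified model, and the semantics are those of cgroup v1 as used by libcgroup's cgconfig/cgexec (cgroup v2 uses cpu.weight and memory.max instead).

```python
"""Parse cgconfig.conf groups and explain what the limits mean
(added example, not from the notes)."""
import re

# Constructed input: the lesscpu/morecpu/lessmem groups from case 1 and case 2.
CGCONFIG = """
group lesscpu {
    cpu {
        cpu.shares=200;
    }
}
group morecpu {
    cpu {
        cpu.shares=800;
    }
}
group lessmem {
    memory {
        memory.limit_in_bytes=268435456;
        memory.memsw.limit_in_bytes=268435456;
    }
}
"""

GROUP_RE = re.compile(r"group\s+(\w+)\s*\{(.*?)\n\}", re.S)   # top-level blocks end at a column-0 brace
SETTING_RE = re.compile(r"([\w.]+)\s*=\s*(\d+)\s*;")
PAGE = 4096          # cgroup v1 rounds memory limits down to the page size
MIB = 2 ** 20

def parse_cgconfig(text):
    """{group name: {controller.setting: int}} for each top-level group block."""
    return {name: {k: int(v) for k, v in SETTING_RE.findall(body)}
            for name, body in GROUP_RE.findall(text)}

def cpu_share_split(groups):
    """Fraction of the CPU each cpu.shares group gets when they all contend for
    the same CPU. Shares are relative weights, not caps: a lone group gets 100%."""
    shares = {g: s["cpu.shares"] for g, s in groups.items() if "cpu.shares" in s}
    total = sum(shares.values())
    return {g: round(v / total, 3) for g, v in shares.items()}

def memory_limits_mib(groups):
    """RAM limit and extra swap allowed per group, in MiB, after page rounding.
    memsw equal to the RAM limit means the group may not spill into swap at all."""
    out = {}
    for g, s in groups.items():
        if "memory.limit_in_bytes" not in s:
            continue
        ram = s["memory.limit_in_bytes"] // PAGE * PAGE
        memsw = s.get("memory.memsw.limit_in_bytes", ram) // PAGE * PAGE
        out[g] = {"ram": ram / MIB, "swap": max(memsw - ram, 0) / MIB}
    return out

def simulate_tmpfs_writes(limit_mib, writes):
    """Simplified model of case 2. tmpfs pages are charged to the cgroup that writes
    them and stay charged while the file exists, so usage accumulates across files;
    dd truncates its output file first, so rewriting the same name frees the old pages.
    writes: [(filename, MiB)]; returns 'ok' or 'killed' per write."""
    files, results = {}, []
    for name, size in writes:
        used = sum(files.values()) - files.get(name, 0)
        if used + size > limit_mib:
            files[name] = limit_mib - used   # pages written before the OOM kill remain
            results.append("killed")
        else:
            files[name] = size
            results.append("ok")
    return results

if __name__ == "__main__":
    groups = parse_cgconfig(CGCONFIG)
    print(cpu_share_split(groups))
    print(memory_limits_mib(groups))
    # the three dd runs from case 2: 300M (killed), 200M (ok), then 100M more (killed)
    print(simulate_tmpfs_writes(256, [("file1", 300), ("file1", 200), ("file2", 100)]))
```

The cpu.shares values only matter under contention: with one CPU online and both md5sum and sha1sum runnable, lesscpu gets roughly 20% and morecpu roughly 80%, which is why the notes take the other CPUs offline before measuring.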

Docker components


  • Docker client: the client calls the Docker API through the docker command or other tools
  • Docker host: a physical or virtual machine that runs the Docker service process and the containers
  • Docker registry: a repository that stores images, similar to a version control system such as git or svn
  • Docker images: an image can be understood as the template from which instances are created
  • Docker container: a container is one service or a group of services created from an image to serve the outside world

Docker deployment

Official documentation

  • https://docs.docker.com/engine/install/centos/

Installation

  • Remove old versions
yum remove docker \
	docker-client \
	docker-client-latest \
	docker-common \
	docker-latest \
	docker-latest-logrotate \
	docker-logrotate \
	docker-engine
  • Configure the yum repository
Install the yum-utils package (which provides the yum-config-manager utility)
yum install -y yum-utils
yum-config-manager \
	--add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
    
Load the yum repository
yum clean all
yum makecache
  • Install Docker
yum install -y docker-ce docker-ce-cli containerd.io
  • Start Docker
systemctl start docker
systemctl enable docker
  • hello-world: verify that Docker Engine is installed correctly by running the image
docker run hello-world

[root@server1 ~]# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete 
Digest: sha256:97a379f4f88575512824f3b352bc03cd75e239179eea0fecc38e597b2209f49a
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

Quick start

List local images
[root@server1 ~]# docker images
REPOSITORY    TAG       IMAGE ID       CREATED        SIZE
hello-world   latest    feb5d9fea6a5   4 months ago   13.3kB

Search for images
[root@server1 ~]# docker search tomcat
NAME                          DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
tomcat                        Apache Tomcat is an open source implementati…   3254      [OK]  

Pull an image
[root@server1 ~]# docker pull tomcat
Using default tag: latest
latest: Pulling from library/tomcat
0c6b8ff8c37e: Pull complete 
412caad352a3: Pull complete 
e6d3e61f7a50: Pull complete 
461bb1d8c517: Pull complete 
e442ee9d8dd9: Pull complete 
542c9fe4a7ba: Pull complete 
41de18d1833d: Pull complete 
302c8c746cd9: Pull complete 
eb0a0c97f800: Pull complete 
80de1d500a54: Pull complete 
Digest: sha256:4ceb3b972a1a6dfd01106a7743c51953d9a06acef271ce6168490e5d0087206a
Status: Downloaded newer image for tomcat:latest
docker.io/library/tomcat:latest
[root@server1 ~]# docker images
REPOSITORY    TAG       IMAGE ID       CREATED        SIZE
tomcat        latest    52691d316146   2 days ago     680MB
hello-world   latest    feb5d9fea6a5   4 months ago   13.3kB
Pull the centos7 image
[root@server1 ~]# docker pull centos:7
7: Pulling from library/centos
2d473b07cdd5: Pull complete 
Digest: sha256:9d4bcbbb213dfd745b58be38b13b996ebb5ac315fe75711bd618426a630e0987
Status: Downloaded newer image for centos:7
docker.io/library/centos:7
[root@server1 ~]# docker images 
REPOSITORY    TAG       IMAGE ID       CREATED        SIZE
tomcat        latest    52691d316146   2 days ago     680MB
hello-world   latest    feb5d9fea6a5   4 months ago   13.3kB
centos        7         eeb6ee3f44bd   5 months ago   204MB
centos        latest    5d0da3dc9764   5 months ago   231MB

Run a container
[root@server1 ~]# docker run -it --name=c7 centos:7 /bin/bash
[root@ae4e73acf002 /]# 

Check the uptime
[root@ae4e73acf002 /]# uptime 
 14:06:35 up 2 days, 21:55,  0 users,  load average: 0.03, 0.04, 0.05

Install httpd, iproute etc. inside the container (if yum reports that packages or mirrors cannot be found, try another image or version)
[root@ae4e73acf002 /]# yum install -y httpd
[root@ae4e73acf002 /]# yum install -y iproute
[root@ae4e73acf002 /]# ip a                  
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@ae4e73acf002 /]# echo hello >> /var/www/html/index.html

Start httpd
[root@ae4e73acf002 /]# httpd -k start
AH00558: httpd: Could not reliably determine the servers fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message

Test
[root@ae4e73acf002 /]# curl 172.17.0.2
hello

Exit the container
[root@ae4e73acf002 /]# exit

List running containers
[root@server1 ~]# docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES

List all containers
[root@server1 ~]# docker ps --all
CONTAINER ID   IMAGE           COMMAND       CREATED      STATUS                    PORTS     NAMES
ae4e73acf002   centos:7        "/bin/bash"   6 days ago   Exited (255) 3 days ago             c7
f9051be53ca6   centos:latest   "/bin/bash"   6 days ago   Exited (1) 6 days ago               c0
bc62efa28781   tomcat:latest   "/bin/bash"   6 days ago   Exited (0) 6 days ago               c1
ebc1e5937f2e   hello-world     "/hello"      7 days ago   Exited (0) 7 days ago               upbeat_nash

Re-enter the container
[root@server1 ~]# docker start c7
c7
[root@server1 ~]# docker attach c7
[root@ae4e73acf002 /]# 
[root@ae4e73acf002 /]# httpd -k start
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[root@ae4e73acf002 /]# curl 172.17.0.2
hello

Remote container management through the Docker daemon

  • Stop the Docker daemon
[root@server1 ~]# systemctl stop docker
Warning: Stopping docker.service, but it can still be activated by:
  docker.socket
  • Edit the configuration file /usr/lib/systemd/system/docker.service
To manage the Docker daemon through /etc/docker/daemon.json: by default there is no daemon.json in /etc/docker, and simply adding one makes the daemon fail to start (a "hosts" entry in daemon.json conflicts with the -H flag already given in the unit's ExecStart), so edit /usr/lib/systemd/system/docker.service before adding daemon.json
[root@server1 ~]# vim /usr/lib/systemd/system/docker.service
#ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecStart=/usr/bin/dockerd
  • Restart Docker
[root@server1 ~]# systemctl daemon-reload 
[root@server1 ~]# systemctl start docker
  • Add the configuration file /etc/docker/daemon.json to enable remote management
[root@server1 ~]# vim /etc/docker/daemon.json
[root@server1 ~]# cat /etc/docker/daemon.json
{
  "hosts": ["tcp://0.0.0.0:2375","unix:///var/run/docker.sock"]
}
[root@server1 ~]# systemctl restart docker
[root@server1 ~]# ss -tnalp |grep 2375
LISTEN     0      128       [::]:2375                  [::]:*                   users:(("dockerd",pid=10572,fd=9))
  • Test the remote connection
[root@server2 ~]# docker -H 192.168.139.10 version
Client: Docker Engine - Community
 Version:           20.10.12
 API version:       1.41
 Go version:        go1.16.12
 Git commit:        e91ed57
 Built:             Mon Dec 13 11:45:41 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.12
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.12
  Git commit:       459d0df
  Built:            Mon Dec 13 11:44:05 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.12
  GitCommit:        7b11cfaabd73bb80907dd23182b9347b4245eb5d
 runc:
  Version:          1.0.2
  GitCommit:        v1.0.2-0-g52b36a2
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
[root@server2 ~]# docker -H 192.168.139.10 pull centos
Using default tag: latest
latest: Pulling from library/centos
Digest: sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177
Status: Image is up to date for centos:latest
docker.io/library/centos:latest
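The daemon.json above puts the Docker API on tcp://0.0.0.0:2375 with no authentication; anyone who can reach that port can start privileged containers, which amounts to root on the host. The following added example (not from the notes or from Docker) audits a daemon.json for that condition and shows the hardened form: a listener bound to one address on 2376 with tlsverify and the tlscacert/tlscert/tlskey options set. The option names are real daemon.json keys; the certificate paths are placeholders and the 192.168.139.10 address is the server1 address used in the notes.

```python
"""Audit a Docker daemon.json for an unauthenticated remote API
(added example, not from the notes or from Docker)."""
import json
from urllib.parse import urlsplit

# Constructed: the daemon.json from the notes.
EXPOSED = '{"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}'

# Constructed: the same listener bound to one address with TLS client auth required.
# Option names are real daemon.json keys; the certificate paths are placeholders.
HARDENED = json.dumps({
    "hosts": ["tcp://192.168.139.10:2376", "unix:///var/run/docker.sock"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/certs/ca.pem",
    "tlscert": "/etc/docker/certs/server-cert.pem",
    "tlskey": "/etc/docker/certs/server-key.pem",
})

TLS_KEYS = ("tlscacert", "tlscert", "tlskey")
WILDCARDS = {"", "0.0.0.0", "::"}

def audit_daemon_json(text):
    """Return a list of findings; an empty list means no remote-API exposure found."""
    cfg = json.loads(text)
    tls_ok = cfg.get("tlsverify") is True and all(k in cfg for k in TLS_KEYS)
    findings = []
    for h in cfg.get("hosts", []):
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue                       # unix:// and fd:// listeners are local-only
        if not tls_ok:
            findings.append(f"{h}: TCP listener without tlsverify; whoever reaches "
                            f"the port controls the daemon, which is root on the host")
        if (u.hostname or "") in WILDCARDS:
            findings.append(f"{h}: bound to all interfaces; bind to a dedicated "
                            f"management address instead")
    return findings

if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, audit_daemon_json(text) or "no findings")
```

With tlsverify the daemon only accepts connections whose client certificate chains to the CA in tlscacert, so the `docker -H ... version` test from server2 would then need `--tlsverify` and a client certificate signed by that CA.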

Using Docker

Docker container management

Docker command categories:

  • Plain commands

  • Management commands: a consolidation and extension of the plain commands

Obtaining images
  • Search for an image
[root@server1 ~]# docker search centos
  • Download an image
Download with the plain command (without a version tag, the latest version is pulled by default)
[root@server1 ~]# docker pull centos
Using default tag: latest
latest: Pulling from library/centos
Digest: sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177
Status: Image is up to date for centos:latest
docker.io/library/centos:latest

Download with the management command (without a version tag, the latest version is pulled by default)
[root@server1 ~]# docker image pull centos
Using default tag: latest
latest: Pulling from library/centos
Digest: sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177
Status: Image is up to date for centos:latest
docker.io/library/centos:latest
Transferring images
  • Pack a local image
[root@server1 ~]# docker save -o centos.tar centos:latest 
  • Transfer the image
[root@server1 ~]# scp centos.tar 192.168.139.20:/root
  • Import the image
[root@server2 ~]# docker load -i centos.tar 
74ddd0ec08fa: Loading layer  238.6MB/238.6MB
Loaded image: centos:latest
[root@server2 ~]# docker images
REPOSITORY   TAG       IMAGE ID       CREATED        SIZE
centos       latest    5d0da3dc9764   5 months ago   231MB
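Before loading an archive that arrived over scp it is worth checking it offline. The following is an added example (not the notes' or Docker's code) that reads the manifest.json of a classic `docker save` archive, verifies that each config file is named after the SHA-256 of its contents (that hash is the image ID that `docker images` shows) and that every layer the manifest lists is present. The archive is constructed in memory so the check runs without Docker; it assumes the classic save layout (manifest.json, <image-id>.json, <dir>/layer.tar).

```python
"""Offline check of a `docker save` archive before `docker load`
(added example, not from the notes or from Docker)."""
import hashlib
import io
import json
import tarfile

def build_fake_archive(tamper=False):
    """Constructed stand-in for centos.tar in the classic save layout:
    manifest.json, <image-id>.json config, <dir>/layer.tar. Returns (bytes, image_id).
    With tamper=True the config bytes are altered after the file name was fixed."""
    config = json.dumps({"architecture": "amd64", "os": "linux"}).encode()
    image_id = hashlib.sha256(config).hexdigest()
    if tamper:
        config = config.replace(b"amd64", b"arm64")
    layer = b"constructed layer payload, not a real tar"
    layer_dir = hashlib.sha256(layer).hexdigest()
    manifest = json.dumps([{
        "Config": f"{image_id}.json",
        "RepoTags": ["centos:latest"],
        "Layers": [f"{layer_dir}/layer.tar"],
    }]).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in ((f"{image_id}.json", config),
                           (f"{layer_dir}/layer.tar", layer),
                           ("manifest.json", manifest)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), image_id

def verify_archive(data):
    """Return {repo_tag: short image id} for every image in the archive whose
    config name matches sha256(config) and whose layers are all present;
    raise ValueError on any mismatch."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        names = set(tar.getnames())
        manifest = json.loads(tar.extractfile("manifest.json").read())
        for entry in manifest:
            cfg_name = entry["Config"]
            if cfg_name not in names:
                raise ValueError(f"config {cfg_name} missing from archive")
            digest = hashlib.sha256(tar.extractfile(cfg_name).read()).hexdigest()
            if cfg_name != f"{digest}.json":
                raise ValueError(f"{cfg_name} does not match its content hash {digest}")
            missing = [layer for layer in entry["Layers"] if layer not in names]
            if missing:
                raise ValueError(f"layers missing from archive: {missing}")
            for tag in entry.get("RepoTags") or []:
                result[tag] = digest[:12]   # the 12-char id shown by `docker images`
    return result

def is_intact(data):
    """True when verify_archive accepts the archive."""
    try:
        verify_archive(data)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    data, image_id = build_fake_archive()
    print(verify_archive(data), image_id)
    print("tampered archive intact?", is_intact(build_fake_archive(tamper=True)[0]))
```

A hash match on the config proves the archive carries the image ID you expect, not that the layers are trustworthy: for that, compare the config digest with the ID recorded on the sending host (docker images on server1) before running docker load.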
Running containers
  • Run bash in a container
Run with the plain command
-i: interactive
-t: allocate a terminal
[root@server2 ~]# docker run -it --name=c1 centos:latest /bin/bash
[root@7ce3c0f9eedb /]# exit
exit

Run with the management command
[root@server2 ~]# docker container run -it --name=c2 centos:latest /bin/bash
[root@cda7901b8d09 /]# exit
exit
  • Run httpd in a container (centos7 recommended)
[root@server2 ~]# docker pull centos:7
[root@server2 ~]# docker run -it --name=c0 centos:7 /bin/bash
[root@63ef4da19cc4 /]# yum install -y httpd
[root@63ef4da19cc4 /]# which httpd
/usr/sbin/httpd
[root@63ef4da19cc4 /]# /usr/sbin/httpd -k start
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[root@63ef4da19cc4 /]# echo test >> /var/www/html/index.html
[root@63ef4da19cc4 /]# curl 127.0.0.1
test
Creating an image from a container
  • A container can be exported even while it is running
[root@server2 ~]# docker export -o centos7_httpd.tar c0
  • Import the image generated from the container
[root@server2 ~]# scp centos7_httpd.tar 192.168.139.10:/root
[root@server1 ~]# docker import -m httpd centos7_httpd.tar centos7_httpd:v1
sha256:ab81a74818e988a41ba11655c6786d1f9c0e39b80466b78019b536c97f0be50a
[root@server1 ~]# docker images|grep v1
centos7_httpd   v1        ab81a74818e9   43 seconds ago   367MB
  • Start a container and start the httpd service
[root@server1 ~]# docker run -it --name=ch1 centos7_httpd:v1 /bin/bash
[root@55d5f4bd076f /]# httpd -k start
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[root@55d5f4bd076f /]# curl 127.0.0.1
test
Container IP
  • After Docker is installed, the physical host gets a docker0 interface by default
[root@server2 ~]# ip a
5: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:04:9e:d4:bc brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:4ff:fe9e:d4bc/64 scope link 
       valid_lft forever preferred_lft forever
  • Check the container's IP
[root@63ef4da19cc4 /]# yum install -y iproute
[root@63ef4da19cc4 /]# ip a                  
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
This IP address is assigned automatically by the bridge

[root@63ef4da19cc4 /]# ping www.baidu.com
PING www.a.shifen.com (112.80.248.75) 56(84) bytes of data.
64 bytes from 112.80.248.75 (112.80.248.75): icmp_seq=1 ttl=127 time=7.73 ms
64 bytes from 112.80.248.75 (112.80.248.75): icmp_seq=2 ttl=127 time=8.05 ms
^C
--- www.a.shifen.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1004ms
rtt min/avg/max/mdev = 7.732/7.893/8.055/0.184 ms

Ctrl+P then Ctrl+Q: detach and return to the Linux terminal without exiting the container

  • Check the IP from the host terminal
[root@server2 ~]# docker inspect c0
[
...
"Networks": {
                "bridge": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": null,
                    "NetworkID": "4fedee9b1f956c11e90c4373715fac28f8de6e789294c4a2aa7c8d2ab3ea1eaa",
                    "EndpointID": "d20e90a3f7f33f7aa5eb7426bec5bc63073790191cd1278a7d5e37c109b924bb",
                    "Gateway": "172.17.0.1",
                    "IPAddress": "172.17.0.2",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:ac:11:00:02",
                    "DriverOpts": null
                }
            }
        }
    }
]

[root@server2 ~]# docker exec c0 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
Stopping and re-entering a container
  • List running containers
[root@server1 ~]# docker ps
CONTAINER ID   IMAGE              COMMAND       CREATED        STATUS        PORTS     NAMES
55d5f4bd076f   centos7_httpd:v1   "/bin/bash"   13 hours ago   Up 13 hours             ch1
  • Stop a container
[root@server1 ~]# docker stop ch1
ch1
[root@server1 ~]# docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
# stop several at once: docker stop ch1 ch2
  • Start a stopped container again
[root@server1 ~]# docker start ch1
ch1
[root@server1 ~]# docker attach ch1
[root@55d5f4bd076f /]# 
Deleting containers
  • Stop the container
Exiting the terminal stops the container directly
root@bc62efa28781:/usr/local/tomcat# exit
exit

Stop a container running in the background
[root@server1 ~]# docker stop c1
c1
  • Delete
[root@server1 ~]# docker rm c1
c1
Port mapping
  • Error: WARNING: IPv4 forwarding is disabled. Networking will not work.

  • Cause: ip_forward (IP forwarding) is disabled by default in the CentOS kernel and must be enabled manually

  • Fix:

    vim /usr/lib/sysctl.d/00-system.conf
    # append
    net.ipv4.ip_forward=1
    
  • Port mapping
Map host port 80 to container port 80 (accessing port 80 on the host reaches port 80 in the container)
[root@server1 ~]# docker run -it -p80:80 --name=c2 centos:7 /bin/bash
[root@bd84b8c3ae20 /]# [root@server1 ~]# 
[root@server1 ~]# docker ps
CONTAINER ID   IMAGE      COMMAND       CREATED          STATUS          PORTS                               NAMES
bd84b8c3ae20   centos:7   "/bin/bash"   25 seconds ago   Up 24 seconds   0.0.0.0:80->80/tcp, :::80->80/tcp   c2

Specifying only the container port and not the host port makes the host pick a random port and map it to container port 80
[root@server1 ~]# docker run -it -p:80 --name=c3 centos:7 /bin/bash
[root@3c015e013f22 /]# [root@server1 ~]# docker ps
CONTAINER ID   IMAGE      COMMAND       CREATED          STATUS          PORTS                                     NAMES
3c015e013f22   centos:7   "/bin/bash"   13 seconds ago   Up 12 seconds   0.0.0.0:49153->80/tcp, :::49153->80/tcp   c3
bd84b8c3ae20   centos:7   "/bin/bash"   5 hours ago      Up 5 hours      0.0.0.0:80->80/tcp, :::80->80/tcp         c2

Specifying the host IP that the mapping binds to
[root@server1 ~]# docker run -it -p192.168.139.10::80 --name=c4 centos:7 /bin/bash
[root@3c015e013f22 /]# [root@server1 ~]# docker ps
CONTAINER ID   IMAGE      COMMAND       CREATED          STATUS          PORTS                                     NAMES
fe7603d0cea0   centos:7   "/bin/bash"   13 seconds ago   Up 12 seconds   192.168.139.10:49154->80/tcp              c4
3c015e013f22   centos:7   "/bin/bash"   6 minutes ago    Up 6 minutes    0.0.0.0:49153->80/tcp, :::49153->80/tcp   c3
bd84b8c3ae20   centos:7   "/bin/bash"   5 hours ago      Up 5 hours      0.0.0.0:80->80/tcp, :::80->80/tcp         c2
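An added example (not from the notes): parsing the PORTS column that `docker ps` prints for c2, c3 and c4 into structured bindings, and flagging the ones bound to 0.0.0.0 or :: (reachable from every network the host is attached to) as opposed to the one pinned to 192.168.139.10. The sample strings are the PORTS values from the listings above plus one constructed exposed-only entry.

```python
"""Parse the PORTS column of `docker ps` and flag wildcard host bindings
(added example, not from the notes)."""
import re
from typing import NamedTuple, Optional

class Binding(NamedTuple):
    host_ip: str              # "" when the port is only exposed, not published
    host_port: Optional[int]  # None when not published
    container_port: int
    proto: str

PUBLISHED = re.compile(r"^(?P<ip>.+):(?P<hp>\d+)->(?P<cp>\d+)/(?P<proto>\w+)$")
EXPOSED = re.compile(r"^(?P<cp>\d+)/(?P<proto>\w+)$")
WILDCARDS = {"0.0.0.0", "::"}

# Constructed sample: the PORTS values printed for c2, c3 and c4 in the notes,
# plus a container whose image EXPOSEs 80 but was started without -p.
PS_PORTS = {
    "c2": "0.0.0.0:80->80/tcp, :::80->80/tcp",
    "c3": "0.0.0.0:49153->80/tcp, :::49153->80/tcp",
    "c4": "192.168.139.10:49154->80/tcp",
    "c5": "80/tcp",
}

def parse_ports(column):
    """Turn one PORTS cell into a list of Binding tuples."""
    bindings = []
    for item in (p.strip() for p in column.split(",")):
        if not item:
            continue
        m = PUBLISHED.match(item)
        if m:
            bindings.append(Binding(m["ip"], int(m["hp"]), int(m["cp"]), m["proto"]))
            continue
        m = EXPOSED.match(item)
        if not m:
            raise ValueError(f"unrecognised PORTS entry: {item!r}")
        bindings.append(Binding("", None, int(m["cp"]), m["proto"]))
    return bindings

def wildcard_bindings(column):
    """Published ports that listen on every interface of the host."""
    return [b for b in parse_ports(column) if b.host_ip in WILDCARDS]

def audit(ps_ports):
    """{container: [host_port, ...]} for containers published on all interfaces."""
    report = {}
    for name, column in ps_ports.items():
        ports = sorted({b.host_port for b in wildcard_bindings(column)})
        if ports:
            report[name] = ports
    return report

if __name__ == "__main__":
    for name, column in PS_PORTS.items():
        print(name, parse_ports(column))
    print("published on all interfaces:", audit(PS_PORTS))
```

The `-p80:80` form from the notes produces both the 0.0.0.0 and the ::: bindings; `-p192.168.139.10::80` is the form that keeps a service off interfaces it was never meant for.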
Persistent data storage

Persist data by storing it on the Docker host

Mount the host's /mnt/docker-c5 directory as /data inside the container
[root@server1 ~]# mkdir /mnt/docker-c5
[root@server1 ~]# docker run -it -v /mnt/docker-c5/:/data --name=c5 centos:7 /bin/bash

Test
[root@934894a5764d /]# [root@server1 ~]# 
[root@server1 ~]# echo test >> /mnt/docker-c5/test.txt
[root@server1 ~]# docker attach c5
[root@934894a5764d /]# ls /data/     
test.txt
[root@934894a5764d /]# cat /data/test.txt
test
  • Deploy the httpd service
[root@server1 ~]# mkdir /mnt/httpd
[root@server1 ~]# docker run -it -p80:80 -v /mnt/httpd/:/var/www/html --name=c1 centos:7 /bin/bash
[root@589987cd58f5 /]# yum install -y httpd
[root@589987cd58f5 /]# httpd -k start
[root@589987cd58f5 /]# echo hello >> /var/www/html/index.html
[root@589987cd58f5 /]# [root@server1 ~]# 
[root@server1 ~]# cat /mnt/httpd/index.html 
hello
Syncing container and host time
[root@server1 ~]# docker run -it -v /etc/localtime:/etc/localtime --name=c2 centos:7 /bin/bash
[root@1670d938968a /]# date
Sun Mar  6 23:51:50 CST 2022
Executing commands from outside the container
List running containers
[root@server1 ~]# docker ps
CONTAINER ID   IMAGE      COMMAND       CREATED      STATUS      PORTS                               NAMES
1670d938968a   centos:7   "/bin/bash"   5 days ago   Up 5 days                                       c2
589987cd58f5   centos:7   "/bin/bash"   5 days ago   Up 5 days   0.0.0.0:80->80/tcp, :::80->80/tcp   c1

Execute a command from outside the container
[root@server1 ~]# docker exec c1 ls /
anaconda-post.log
bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var

[root@server1 ~]# docker exec c1 yum install -y httpd
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
 * base: mirrors.cn99.com
 * extras: mirrors.cn99.com
 * updates: mirrors.cn99.com
Package httpd-2.4.6-97.el7.centos.4.x86_64 already installed and latest version
Nothing to do
Container linking
  • Use case: container orchestration

  • The container that is depended on is created first

Create the container that will be depended on
[root@server1 ~]# docker run -it --name c3 centos:7 /bin/bash
[root@75a611252083 /]# [root@server1 ~]# 

Use the --link parameter (an alias can be given) to create the link
[root@server1 ~]# docker run --link c3:web_server -it --name c4 centos:7 /bin/bash

Containers reach each other by hostname rather than IP address (container IPs are not stable)
[root@af9bc5e7f0a1 /]# ping web_server
PING web_server (172.17.0.4) 56(84) bytes of data.
64 bytes from web_server (172.17.0.4): icmp_seq=1 ttl=64 time=0.098 ms
64 bytes from web_server (172.17.0.4): icmp_seq=2 ttl=64 time=0.037 ms
64 bytes from web_server (172.17.0.4): icmp_seq=3 ttl=64 time=0.039 ms
^C
--- web_server ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.037/0.058/0.098/0.028 ms
[root@af9bc5e7f0a1 /]# cat /etc/hosts
127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.17.0.4	web_server 75a611252083 c3
172.17.0.5	af9bc5e7f0a1

Docker image management

Image introduction
  • Image retrieval flow:
    • The Docker client sends a container-creation request to the Docker daemon
    • The Docker daemon checks whether it already has the image the client needs
    • If not, it downloads the required image from the container image registry
    • Once the image is available, it starts the container
  • About images:
    • A Docker image is a set of read-only directories, or a read-only container template. It contains the file system a Docker container needs to run, which is why a Docker image is the basis for starting a Docker container.
    • A Docker image can be seen as the static form of a Docker container, and a Docker container as the running form of a Docker image.
    • A union file system (UnionFS) is a lightweight, high-performance layered file system. It records modifications to the file system as commits stacked layer upon layer, and can mount different directories into one virtual file system; the application sees only the final merged result.
    • The union file system is the technical foundation of Docker images. Docker images inherit through layering: users build various application images on top of a base image, and those images share the same base layer, which improves storage efficiency. When a user changes a Docker image (e.g. upgrades a program to a new version), a new layer is created, so the user does not need to replace or rebuild the whole image, only add a new layer. When distributing an image, only the changed layer (the delta) has to be shipped. This makes Docker image management very lightweight and fast.
Building images
  • Building a base image
Prepare a minimal operating system
(omitted)

Pack the root directory of the operating system
# exclude /proc (holds process pids, file descriptors etc.), /dev (device mapping directory, recommended to exclude) and /sys (kernel-related)
# --numeric-owner: store file owner and group as numeric ids
[root@server8 ~]# tar --numeric-owner --exclude=/proc --exclude=/sys -cvf centos7u6.tar /
[root@server8 ~]# ll -h
总用量 1.4G
-rw-------. 1 root root 1.3K 3月   4 00:54 anaconda-ks.cfg
-rw-r--r--. 1 root root 1.4G 3月   4 00:56 centos7u6.tar

Import the packed file into the Docker host
[root@server8 ~]# scp centos7u6.tar 192.168.139.10:/root
[root@server1 ~]# docker import centos7u6.tar centos7u6:latest
sha256:592ba953c5f959be15bdf45e15884a64f4b6aca777dcb950f1b7719ec9a30aaa
[root@server1 ~]# docker image ls
REPOSITORY    TAG       IMAGE ID       CREATED          SIZE
centos7u6     latest    592ba953c5f9   29 seconds ago   1.42GB
tomcat        latest    52691d316146   4 weeks ago      680MB
hello-world   latest    feb5d9fea6a5   5 months ago     13.3kB
centos        7         eeb6ee3f44bd   5 months ago     204MB
centos        latest    5d0da3dc9764   5 months ago     231MB

Start a container from the base image
[root@server1 ~]# docker run -it --name=c5 centos7u6:latest /bin/bash
[root@7539e17de8bd /]# ls
bin   dev  home  lib64  mnt  proc  run   srv  tmp     usr  WP
boot  etc  lib   media  opt  root  sbin  sys  upload  var
[root@7539e17de8bd /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
28: eth0@if29: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:06 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.6/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@7539e17de8bd /]# 

  • Building an application image
[root@server1 ~]# docker attach c5
[root@7539e17de8bd /]# yum install -y httpd
Rpmdb checksum is invalid: dCDPT(pkg checksums): httpd-tools.x86_64 0:2.4.6-97.el7.centos.4 - u

Error: Rpmdb checksum is invalid: dCDPT(pkg checksums): httpd-tools.x86_64 0:2.4.6-97.el7.centos.4 - u

Scenario: installing software inside a container

Fix: yum clean all

[root@7539e17de8bd /]# yum clean all
已加载插件:fastestmirror
正在清理软件源: base extras updates
Cleaning up list of fastest mirrors
[root@7539e17de8bd /]# yum install -y httpd

Build the application image (the container is paused briefly while the commit runs)
[root@server1 ~]# docker commit c5 centos7u6-httpd:v1
sha256:ba470b1ba5a68169fb0ef729284fed1394d36ef95dac43f230633db2bfe2eb3d
[root@server1 ~]# docker images
REPOSITORY        TAG       IMAGE ID       CREATED              SIZE
centos7u6-httpd   v1        ba470b1ba5a6   About a minute ago   1.62GB
centos7u6         latest    592ba953c5f9   18 minutes ago       1.42GB
tomcat            latest    52691d316146   4 weeks ago          680MB
hello-world       latest    feb5d9fea6a5   5 months ago         13.3kB
centos            7         eeb6ee3f44bd   5 months ago         204MB
centos            latest    5d0da3dc9764   5 months ago         231MB

Start a container from the application image
[root@server1 ~]# docker run -it --name httpd centos7u6-httpd:v1 /bin/bash
[root@397e1d4a248a /]# echo test >> /var/www/html/index.html
[root@397e1d4a248a /]# httpd -k start 
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.7. Set the 'ServerName' directive globally to suppress this message
[root@397e1d4a248a /]# curl 127.0.0.1
test
Creating application images with a Dockerfile
  • How a Dockerfile works
    • The commands to execute are defined in the Dockerfile and the image is created with docker build. During the build, a new temporary container is created according to the Dockerfile, each command line in the Dockerfile is executed in that temporary container, and an image layer is generated from it. When all commands have finished, a new application image is produced; each intermediate step is a commit (pause -> pack -> start)
    • The more commands are executed, the larger the application image becomes, so optimizing the commands is necessary
  • The docker build command
Keywords:
	FROM: specify the base image
	MAINTAINER: specify the image creator's information
		MAINTAINER "name|email|..."
	RUN: run the given command
	CMD: set the operation executed when the container starts; one at a time
	ENTRYPOINT: set the operation executed when the container starts; several at a time
	USER: set the user the container starts as
	EXPOSE: expose the container port that is mapped to the host
	ENV: set environment variables
	ADD: copy files
		ADD <src> <dest>
	VOLUME: specify a mount point
	WORKDIR: change the working directory
	ONBUILD: executed in child images
  • Case 1: an image whose container starts the httpd service directly on launch

Approach: choose a base image -> install httpd -> start httpd from a script that keeps it in the foreground (as long as httpd keeps running, the container does not exit) -> expose port 80/tcp -> add a test file to verify that the service works

  • Create a directory containing the Dockerfile and the other files needed to build the image (site files, start-up script, etc.)
Create the directory
[root@server1 ~]# mkdir test

Create the httpd start-up script
[root@server1 ~]# cd test
[root@server1 test]# vim run-httpd.sh
[root@server1 test]# cat run-httpd.sh 
#!/bin/bash
# remove any leftover httpd pid file
rm -rf /var/run/httpd/*
# run httpd in the foreground (note the path of the httpd binary)
exec /usr/sbin/httpd -D FOREGROUND

Create the site home page
[root@server1 test]# vim index.html
[root@server1 test]# cat index.html 
hello!

Create the Dockerfile
[root@server1 test]# vim Dockerfile
[root@server1 test]# cat Dockerfile 
# base image
FROM centos7u6:latest

# image maintainer information
MAINTAINER "hello 3181754453@qq.com"

# install httpd
RUN yum clean all && rpm --rebuilddb && yum install -y httpd

# copy the local run-httpd.sh into the container
ADD run-httpd.sh /run-httpd.sh

# make /run-httpd.sh inside the container executable
RUN chmod -v +x /run-httpd.sh

# copy the local index.html into the container's web root
ADD index.html /var/www/html/

# expose container port 80
EXPOSE 80

# change the working directory
WORKDIR /

# run the script
CMD ["/bin/bash","/run-httpd.sh"]
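An added example (not the notes' own code): a small Dockerfile parser with the checks a reviewer would run on the httpd Dockerfile above, which is reproduced inline as the sample. The checks follow Docker's documented guidance: MAINTAINER is deprecated in favour of LABEL, COPY is preferred to ADD for plain local files, CMD/ENTRYPOINT should use exec form (shell form runs the process under /bin/sh -c, so it is not PID 1 and does not receive SIGTERM directly), and a USER instruction should be present so the service does not run as root. The notes' Dockerfile trips the first three (its CMD is already exec form); the clean variant and its `apache` user are constructed, and dropping to that user would also need httpd's Listen moved to an unprivileged port.

```python
"""Small Dockerfile parser and checker (added example, not from the notes)."""
import json
import shlex

# Constructed sample: the httpd Dockerfile from the notes, comments removed.
SAMPLE = """\
FROM centos7u6:latest
MAINTAINER "hello 3181754453@qq.com"
RUN yum clean all && rpm --rebuilddb && yum install -y httpd
ADD run-httpd.sh /run-httpd.sh
RUN chmod -v +x /run-httpd.sh
ADD index.html /var/www/html/
EXPOSE 80
WORKDIR /
CMD ["/bin/bash","/run-httpd.sh"]
"""

# Constructed: the same build with the findings addressed. The apache user is
# hypothetical; httpd would additionally need Listen set to an unprivileged port.
CLEAN = """\
FROM centos7u6:latest
LABEL maintainer="hello 3181754453@qq.com"
RUN yum clean all && rpm --rebuilddb && yum install -y httpd
COPY run-httpd.sh /run-httpd.sh
RUN chmod -v +x /run-httpd.sh
COPY index.html /var/www/html/
EXPOSE 8080
USER apache
CMD ["/run-httpd.sh"]
"""

ARCHIVES = (".tar", ".tar.gz", ".tgz", ".tar.xz", ".tar.bz2")

def parse_dockerfile(text):
    """[(INSTRUCTION, argument string)], joining backslash continuations and
    dropping comments and blank lines."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        buf += line
        if buf.endswith("\\"):            # continuation: keep collecting
            buf = buf[:-1].rstrip() + " "
            continue
        name, _, arg = buf.partition(" ")
        instructions.append((name.upper(), arg.strip()))
        buf = ""
    return instructions

def is_exec_form(arg):
    return arg.startswith("[") and arg.endswith("]")

def add_source(arg):
    """First <src> of an ADD/COPY argument, skipping --flags."""
    parts = json.loads(arg) if is_exec_form(arg) else shlex.split(arg)
    parts = [p for p in parts if not p.startswith("--")]
    return parts[0] if parts else ""

def lint(text):
    """Return a list of findings; empty means the Dockerfile passes every check."""
    findings = []
    ins = parse_dockerfile(text)
    names = [n for n, _ in ins]
    if names[:1] != ["FROM"]:
        findings.append("first instruction must be FROM")
    if "MAINTAINER" in names:
        findings.append("MAINTAINER is deprecated; use LABEL maintainer=...")
    if "USER" not in names:
        findings.append("no USER instruction: the service runs as root inside the container")
    for n, arg in ins:
        if n == "ADD":
            src = add_source(arg)
            if not (src.startswith(("http://", "https://")) or src.endswith(ARCHIVES)):
                findings.append(f"ADD {src}: plain local file, use COPY "
                                f"(ADD also fetches URLs and auto-extracts archives)")
        if n in ("CMD", "ENTRYPOINT") and not is_exec_form(arg):
            findings.append(f"{n} in shell form: runs under /bin/sh -c, so the service "
                            f"is not PID 1 and does not get SIGTERM directly")
    return findings

if __name__ == "__main__":
    for label, text in (("notes' Dockerfile", SAMPLE), ("clean variant", CLEAN)):
        print(label, lint(text) or "no findings")
```

Running `lint` over the nginx Dockerfile in case 2 below would add one more finding, since its `CMD /usr/sbin/nginx` is shell form.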

  • docker build reads the Dockerfile and creates the image
-t	specify the image name and tag

[root@server1 test]# docker build -t centos7u6-httpd:v1 .
Sending build context to Docker daemon  4.608kB
Step 1/9 : FROM centos7u6:latest
 ---> 592ba953c5f9
Step 2/9 : MAINTAINER "hello 3181754453@qq.com"
 ---> Using cache
 ---> 5853c941dbe7
Step 3/9 : RUN yum clean all && rpm --rebuilddb && yum install -y httpd
 ---> Running in 81aebb2b83cc
...httpd installation output...
Removing intermediate container 81aebb2b83cc
 ---> c13ccb5eaafd
Step 4/9 : ADD run-httpd.sh /run-httpd.sh
 ---> aca4eb1f5660
Step 5/9 : RUN chmod -v +x /run-httpd.sh
 ---> Running in e13889039ea6
mode of '/run-httpd.sh' changed from 0644 (rw-r--r--) to 0755 (rwxr-xr-x)
Removing intermediate container e13889039ea6
 ---> 886bc48382a2
Step 6/9 : ADD index.html /var/www/html/
 ---> 4a3237b9ef0e
Step 7/9 : EXPOSE 80
 ---> Running in db802cb690a8
Removing intermediate container db802cb690a8
 ---> af1d91263859
Step 8/9 : WORKDIR /
 ---> Running in ee8a565b43bf
Removing intermediate container ee8a565b43bf
 ---> e3877c37bcdd
Step 9/9 : CMD ["/bin/bash","/run-httpd.sh"]
 ---> Running in 66ce489bcf2a
Removing intermediate container 66ce489bcf2a
 ---> 324c348ce68a
Successfully built eeaba8b83515
Successfully tagged centos7u6-httpd:v1
  • Verify: start a container from the image just created
List images
[root@server1 test]# docker images
REPOSITORY        TAG       IMAGE ID       CREATED          SIZE
centos7u6-httpd   v1        eeaba8b83515   20 seconds ago   1.62GB
centos7u6         latest    592ba953c5f9   2 days ago       1.42GB
centos            7         eeb6ee3f44bd   6 months ago     204MB

Start a container
[root@server1 test]# docker run -d centos7u6-httpd:v1 
aaab87bbae50049e8b39f4665b6cf2f118f77b5cec57bfbd6de6a35b51062955

List running containers
[root@server1 test]# docker ps
CONTAINER ID   IMAGE                COMMAND                  CREATED         STATUS         PORTS     NAMES
aaab87bbae50   centos7u6-httpd:v1   "/bin/bash /run-http…"   5 seconds ago   Up 4 seconds   80/tcp    wonderful_kirch

Look up the IP address
[root@server1 test]# docker inspect aaa
                    "IPAddress": "172.17.0.2",

Access test
[root@server1 test]# curl 172.17.0.2
hello!
  • Change the site content: done by creating a new container
[root@server1 test]# mkdir /www
[root@server1 test]# echo world >> /www/index.html
[root@server1 test]# docker run -d -v /www:/var/www/html centos7u6-httpd:v1 
be1b0a843642406e0728c1843702cd6ddd4cda18d33f059d27cc070454cdae97
[root@server1 test]# docker inspect be1
                    "IPAddress": "172.17.0.3",
[root@server1 test]# curl 172.17.0.3
world
  • Case 2: containerizing an nginx application
Create the working directory
[root@server1 ~]# mkdir docker-nginx
[root@server1 ~]# cd docker-nginx/
[root@server1 docker-nginx]# 

Create a test file
[root@server1 docker-nginx]# echo 'hello nginx!' >> index.html

Create the Dockerfile
[root@server1 docker-nginx]# vim Dockerfile
[root@server1 docker-nginx]# cat Dockerfile 
FROM centos:7

MAINTAINER "3181754453@qq.com"

# install yum-plugin-ovl to avoid yum cache errors on overlayfs; equivalent to rpm --rebuilddb
RUN yum clean all && yum install -y yum-plugin-ovl && yum install -y epel-release && yum install -y nginx

ADD index.html /usr/share/nginx/html/

# run nginx in the foreground instead of daemonizing, so the container's main process keeps running
RUN echo 'daemon off;' >> /etc/nginx/nginx.conf

EXPOSE 80

CMD /usr/sbin/nginx

Build the image
[root@server1 docker-nginx]# docker build -t centos7-nginx:v1 .
Sending build context to Docker daemon  3.072kB
Step 1/7 : FROM centos:7
 ---> eeb6ee3f44bd
Step 2/7 : MAINTAINER "3181754453@qq.com"
 ---> Running in 698d43ab396d
Removing intermediate container 698d43ab396d
 ---> b8887cfc248d
Step 3/7 : RUN yum clean all && yum install -y yum-plugin-ovl && yum install -y epel-release && yum install -y nginx
 ---> Running in 2a70b689e164
...package installation output omitted...
Removing intermediate container 2a70b689e164
 ---> d88d004a7bb4
Step 4/7 : ADD index.html /usr/share/nginx/html/
 ---> 7bf523b1f36e
Step 5/7 : RUN echo 'daemon off;' >> /etc/nginx/nginx.conf
 ---> Running in da866942aad9
Removing intermediate container da866942aad9
 ---> a42c3412d4e5
Step 6/7 : EXPOSE 80
 ---> Running in 4be21c1a730c
Removing intermediate container 4be21c1a730c
 ---> b1f29a6b48af
Step 7/7 : CMD /usr/sbin/nginx
 ---> Running in a3f529feb6c1
Removing intermediate container a3f529feb6c1
 ---> e66f7de25290
Successfully built e66f7de25290
Successfully tagged centos7-nginx:v1
[root@server1 docker-nginx]# docker images
REPOSITORY        TAG       IMAGE ID       CREATED          SIZE
centos7-nginx     v1        e66f7de25290   2 minutes ago    437MB
centos7u6-httpd   v1        eeaba8b83515   32 minutes ago   1.62GB
centos7u6         latest    592ba953c5f9   2 days ago       1.42GB
centos            7         eeb6ee3f44bd   6 months ago     204MB

Create a container
[root@server1 docker-nginx]# docker run -d centos7-nginx:v1 
96fc6c0547a74326b3410606f0bbf65797921c0f49a194ef5c4ecec4477122b8
[root@server1 docker-nginx]# docker ps
CONTAINER ID   IMAGE                COMMAND                  CREATED          STATUS          PORTS     NAMES
96fc6c0547a7   centos7-nginx:v1     "/bin/sh -c /usr/sbi…"   4 seconds ago    Up 3 seconds    80/tcp    trusting_rhodes
be1b0a843642   centos7u6-httpd:v1   "/bin/bash /run-http…"   24 minutes ago   Up 24 minutes   80/tcp    blissful_darwin
aaab87bbae50   centos7u6-httpd:v1   "/bin/bash /run-http…"   32 minutes ago   Up 32 minutes   80/tcp    wonderful_kirch

Access test
[root@server1 docker-nginx]# docker inspect 96f
            "IPAddress": "172.17.0.4",
[root@server1 docker-nginx]# curl 172.17.0.4
hello nginx!
Image storage location
  • Docker keeps both container images and the containers' own data under **/var/lib/docker**
  • The storage driver differs between Linux distributions: Ubuntu uses AUFS (a union file system), CentOS uses Overlay or Overlay2
  • OverlayFS is a union file system similar to AUFS, but faster and simpler to implement
[root@server1 ~]# cd /var/lib/docker/
[root@server1 docker]# ls
buildkit  containers  image  network  overlay2  plugins  runtimes  swarm  tmp  trust  volumes
[root@server1 docker]# cd overlay2/
[root@server1 overlay2]# ls
31defc9106f569ecdeffc14f21b0303d1c84a73170c0b7fe1efc904f8820b07e
45304352f9a16cb6bade04df883077917d4ae94aac6191f5d8c0b2c864cd5a77
6119d1823b21afec0a3ccb96b6622ff3857c1a95cf845dc86b3771881166ae6e
616168a7f1471f43604022fc9a16e74b169bfd1b5afd6ab09acc0234a8ac8f16
65984770c2d8bedf020303bdec82f025b9a46d2c77414a84d02715b82843c376
a4d506a4522a6064e15a4c34dfa1003235a38dda401af5519337a1e1f1713b89
b8f4fd78df9e5555e779c5e3e0c59577444fede045de8ca2fa80de937290979f
backingFsBlockDev
be63c03fa26bac673e8f6f8758bd24ce0c4b09fef421a44513787347329917df
c094c98ebb96566b27a4b3331004cd0ac50144aa19e7f9bedf6ae468f586f598
c094c98ebb96566b27a4b3331004cd0ac50144aa19e7f9bedf6ae468f586f598-init
cbf1804d3f502a2303af421baaeb264c14221a0fdbcd1c5517187aa5452ee329
cbf1804d3f502a2303af421baaeb264c14221a0fdbcd1c5517187aa5452ee329-init
ed2b26b0829150630e9b76a37edba9c56f90ae9af6fe7d6267181fa945ee6d7f
ed2b26b0829150630e9b76a37edba9c56f90ae9af6fe7d6267181fa945ee6d7f-init
f03c20efb44663a24211a1155b68e6366d32d0f8c6bbfbdbe47904ef41910cf2
l
[root@server1 overlay2]# ll ./l
总用量 0
lrwxrwxrwx 1 root root 72 3月  16 14:49 52MW66F3OZ4QQ7MC6TCUMCNICA -> ../f03c20efb44663a24211a1155b68e6366d32d0f8c6bbfbdbe47904ef41910cf2/diff
lrwxrwxrwx 1 root root 72 3月  16 14:49 5PBS62L2S6Z4D4S2VAPQWUJBZX -> ../45304352f9a16cb6bade04df883077917d4ae94aac6191f5d8c0b2c864cd5a77/diff
lrwxrwxrwx 1 root root 72 2月  14 22:05 BK2CRKRCR3O3GJLVB6XGDGJA57 -> ../31defc9106f569ecdeffc14f21b0303d1c84a73170c0b7fe1efc904f8820b07e/diff
lrwxrwxrwx 1 root root 72 3月  16 15:23 COL6FEZLQ5NHXDZ6MTLNPH7SRE -> ../cbf1804d3f502a2303af421baaeb264c14221a0fdbcd1c5517187aa5452ee329/diff
lrwxrwxrwx 1 root root 72 3月  16 15:19 DBP6NOORVJ2OEOUHYKEGAIMD5R -> ../65984770c2d8bedf020303bdec82f025b9a46d2c77414a84d02715b82843c376/diff
lrwxrwxrwx 1 root root 72 3月  16 15:19 DKRFINFUO3ONOMJLY72JX6Y66A -> ../b8f4fd78df9e5555e779c5e3e0c59577444fede045de8ca2fa80de937290979f/diff
lrwxrwxrwx 1 root root 77 3月  16 14:58 IB7TXGSUW2HORBVNB2GAAW5LUX -> ../c094c98ebb96566b27a4b3331004cd0ac50144aa19e7f9bedf6ae468f586f598-init/diff
lrwxrwxrwx 1 root root 72 3月  16 15:19 IGZXSMKVQ4BDFAHUOZW2JCWNIK -> ../616168a7f1471f43604022fc9a16e74b169bfd1b5afd6ab09acc0234a8ac8f16/diff
lrwxrwxrwx 1 root root 72 3月  16 14:51 KAYQOFYRUO2QRU35ACBED3KXOX -> ../ed2b26b0829150630e9b76a37edba9c56f90ae9af6fe7d6267181fa945ee6d7f/diff
# the l directory holds symlinks to each layer's diff directory; they are used when mounting (when mounting, Linux limits the name to 128 characters)
  • How OverlayFS works


  • An OverlayFS mount has three main roles: lowerdir, upperdir and merged

    • lowerdir is the read-only layer; users cannot modify files in it. upperdir is the read-write layer; users can modify files there
    • merged is the merged view, which presents the files of lowerdir and upperdir combined
    • When a file needs to be modified, copy-on-write (CoW) copies it from the read-only lowerdir to the writable upperdir, the change is made there, and the result is kept in upperdir
    • In Docker the read-only lower layers are the image and the writable layer is the container
    [root@server1 ~]# docker info|grep Storage
     Storage Driver: overlay2
    WARNING: bridge-nf-call-iptables is disabled
    WARNING: bridge-nf-call-ip6tables is disabled
    
    [root@server1 ~]# mount |grep overlay2
    overlay on /var/lib/docker/overlay2/ed2b26b0829150630e9b76a37edba9c56f90ae9af6fe7d6267181fa945ee6d7f/merged type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/OYS3ZZ3QJ35DISKDHCHZEPZ553:/var/lib/docker/overlay2/l/PIZABUMQHMYOD3DDIBWUYPGBO2:/var/lib/docker/overlay2/l/M6ZMLCESK2WI2DK635I3QAC4FG:/var/lib/docker/overlay2/l/5PBS62L2S6Z4D4S2VAPQWUJBZX:/var/lib/docker/overlay2/l/52MW66F3OZ4QQ7MC6TCUMCNICA:/var/lib/docker/overlay2/l/R425GC2OANG2RBQZM2ICKCXPBB,upperdir=/var/lib/docker/overlay2/ed2b26b0829150630e9b76a37edba9c56f90ae9af6fe7d6267181fa945ee6d7f/diff,workdir=/var/lib/docker/overlay2/ed2b26b0829150630e9b76a37edba9c56f90ae9af6fe7d6267181fa945ee6d7f/work)
    overlay on /var/lib/docker/overlay2/c094c98ebb96566b27a4b3331004cd0ac50144aa19e7f9bedf6ae468f586f598/merged type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/IB7TXGSUW2HORBVNB2GAAW5LUX:/var/lib/docker/overlay2/l/PIZABUMQHMYOD3DDIBWUYPGBO2:/var/lib/docker/overlay2/l/M6ZMLCESK2WI2DK635I3QAC4FG:/var/lib/docker/overlay2/l/5PBS62L2S6Z4D4S2VAPQWUJBZX:/var/lib/docker/overlay2/l/52MW66F3OZ4QQ7MC6TCUMCNICA:/var/lib/docker/overlay2/l/R425GC2OANG2RBQZM2ICKCXPBB,upperdir=/var/lib/docker/overlay2/c094c98ebb96566b27a4b3331004cd0ac50144aa19e7f9bedf6ae468f586f598/diff,workdir=/var/lib/docker/overlay2/c094c98ebb96566b27a4b3331004cd0ac50144aa19e7f9bedf6ae468f586f598/work)
    overlay on /var/lib/docker/overlay2/cbf1804d3f502a2303af421baaeb264c14221a0fdbcd1c5517187aa5452ee329/merged type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/TNCXK37C2PSX5QXNOIMSN2UGOQ:/var/lib/docker/overlay2/l/DKRFINFUO3ONOMJLY72JX6Y66A:/var/lib/docker/overlay2/l/DBP6NOORVJ2OEOUHYKEGAIMD5R:/var/lib/docker/overlay2/l/IGZXSMKVQ4BDFAHUOZW2JCWNIK:/var/lib/docker/overlay2/l/BK2CRKRCR3O3GJLVB6XGDGJA57,upperdir=/var/lib/docker/overlay2/cbf1804d3f502a2303af421baaeb264c14221a0fdbcd1c5517187aa5452ee329/diff,workdir=/var/lib/docker/overlay2/cbf1804d3f502a2303af421baaeb264c14221a0fdbcd1c5517187aa5452ee329/work)
    
    
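The lookup, copy-up and whiteout rules described above, modelled in Python as an added example (not code from these notes or from Docker): `lowers` plays the role of the `lowerdir=` list with the leftmost entry on top, `upper` is the container's writable layer, and the layer contents are constructed stand-ins for the nginx image built earlier.

```python
"""Model of the OverlayFS behaviour described above (added example, not Docker code).
Lookup checks upper first, then each lower layer in lowerdir order (leftmost = top);
a write to a lower-layer file copies it up into upper; a delete leaves a whiteout."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Layer = Dict[str, bytes]
WHITEOUT = None  # value stored in upper to mark a file that was deleted


@dataclass
class Overlay:
    lowers: List[Layer]                         # lowers[0] is the topmost read-only layer
    upper: Dict[str, Optional[bytes]] = field(default_factory=dict)
    copy_ups: int = 0                           # how many lower files were copied up

    def _lookup(self, path: str) -> Optional[bytes]:
        if path in self.upper:                  # upper wins, including whiteouts
            return self.upper[path]
        for layer in self.lowers:
            if path in layer:
                return layer[path]
        return None

    def read(self, path: str) -> bytes:
        data = self._lookup(path)
        if data is None:
            raise FileNotFoundError(path)
        return data

    def write(self, path: str, data: bytes) -> None:
        # copy-on-write: the lower copy is left untouched, the new content goes to upper
        if path not in self.upper and any(path in layer for layer in self.lowers):
            self.copy_ups += 1
        self.upper[path] = data

    def append(self, path: str, data: bytes) -> None:
        self.write(path, self.read(path) + data)

    def delete(self, path: str) -> None:
        if self._lookup(path) is None:
            raise FileNotFoundError(path)
        self.upper[path] = WHITEOUT             # lower layers cannot change, so hide the file

    def merged(self) -> Layer:
        """The merged view: bottom layer first, each higher layer overriding it."""
        view: Layer = {}
        for layer in reversed(self.lowers):
            view.update(layer)
        for path, data in self.upper.items():
            if data is WHITEOUT:
                view.pop(path, None)
            else:
                view[path] = data
        return view


def container_demo() -> dict:
    """Three constructed image layers (like the centos7-nginx image) plus edits made
    inside a running container, i.e. in the writable upper layer."""
    base = {"/bin/bash": b"<elf>", "/etc/yum.conf": b"[main]\n"}                    # centos:7
    nginx_pkg = {"/usr/sbin/nginx": b"<elf>",
                 "/etc/nginx/nginx.conf": b"worker_processes auto;\n"}             # yum install nginx
    web_root = {"/usr/share/nginx/html/index.html": b"hello nginx!\n"}             # ADD index.html
    fs = Overlay(lowers=[web_root, nginx_pkg, base])   # newest layer leftmost, like lowerdir=
    # echo 'daemon off;' >> /etc/nginx/nginx.conf inside the container: copy-up from nginx_pkg
    fs.append("/etc/nginx/nginx.conf", b"daemon off;\n")
    fs.write("/var/log/nginx/access.log", b"")            # brand-new file: upper only, no copy-up
    fs.delete("/etc/yum.conf")                            # whiteout; the base layer is unchanged
    return {
        "conf": fs.read("/etc/nginx/nginx.conf"),
        "lower_conf": nginx_pkg["/etc/nginx/nginx.conf"],
        "copy_ups": fs.copy_ups,
        "merged_paths": sorted(fs.merged()),
        "upper_paths": sorted(fs.upper),
    }


if __name__ == "__main__":
    for key, value in container_demo().items():
        print(f"{key}: {value}")
```

This is why a `docker commit` or an image layer only contains the upper directory: the image layers below are never modified, only shadowed.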
Official image registry (Docker Hub)
  • URL: https://hub.docker.com/

  • Register with an e-mail address

  • Create your own repository


  • Logging in and out from the command line
Log in
[root@server1 ~]# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: xiaotanggao	username
Password: 				password
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Log out
[root@server1 ~]# docker logout 
Removing login credentials for https://index.docker.io/v1/
  • Pushing and pulling images
Tag the image before pushing
[root@server1 ~]# docker images
REPOSITORY          TAG       IMAGE ID       CREATED        SIZE
centos7-nginx       v1        e66f7de25290   24 hours ago   437MB
xiaotanggao/nginx   v1        e66f7de25290   24 hours ago   437MB
centos7u6-httpd     v1        eeaba8b83515   25 hours ago   1.62GB
centos7u6           latest    592ba953c5f9   3 days ago     1.42GB
centos              7         eeb6ee3f44bd   6 months ago   204MB
[root@server1 ~]# docker tag centos:7 xiaotanggao/nginx:v1

Log in
[root@server1 ~]# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: xiaotanggao
Password: 

Push
[root@server1 ~]# docker push xiaotanggao/nginx:v1 
The push refers to repository [docker.io/xiaotanggao/nginx]
174f56854903: Layer already exists 
v1: digest: sha256:dead07b4d8ed7e29e98de0f4504d87e8880d4347859d839686a31da35a3b532f size: 529
# if the registry already holds a layer it is only referenced (Layer already exists) instead of being re-uploaded
# layers the registry does not have yet are uploaded, which is slow

Log out
[root@server1 ~]# docker logout 
Removing login credentials for https://index.docker.io/v1/


Pull: a public image can be pulled without logging in
[root@server1 ~]# docker pull xiaotanggao/nginx:v1
v1: Pulling from xiaotanggao/nginx
Digest: sha256:dead07b4d8ed7e29e98de0f4504d87e8880d4347859d839686a31da35a3b532f
Status: Image is up to date for xiaotanggao/nginx:v1
docker.io/xiaotanggao/nginx:v1
[root@server1 ~]# docker pull ansible/centos7-ansible
Using default tag: latest
latest: Pulling from ansible/centos7-ansible
45a2e645736c: Pull complete 
1c3acf573616: Pull complete 
edcb61e55ccc: Pull complete 
cbae31bad30a: Pull complete 
aacbdb1e2a62: Pull complete 
fdeea4fb835c: Pull complete 
Digest: sha256:39eff7d56b96530d014083cd343f7314c23acbd1ecf37eb75a71a2f6584d0b02
Status: Downloaded newer image for ansible/centos7-ansible:latest
docker.io/ansible/centos7-ansible:latest
Registry mirror (download accelerator)
  • Used to speed up image pulls
  • Alibaba Cloud accelerator: https://cr.console.aliyun.com/cn-hangzhou/instances


  • Configure as instructed by the console
[root@server1 ~]# cat > /etc/docker/daemon.json <<EOF
{
  "registry-mirrors": ["https://he5z7917.mirror.aliyuncs.com"]
}
EOF

[root@server1 ~]# systemctl daemon-reload
[root@server1 ~]# systemctl restart docker

Test (the pull is noticeably faster)
[root@server1 ~]# docker rmi ansible/centos7-ansible:latest 
[root@server1 ~]# docker pull ansible/centos7-ansible 
Using default tag: latest
latest: Pulling from ansible/centos7-ansible
45a2e645736c: Pull complete 
1c3acf573616: Pull complete 
edcb61e55ccc: Pull complete 
cbae31bad30a: Pull complete 
aacbdb1e2a62: Pull complete 
fdeea4fb835c: Pull complete 
Digest: sha256:39eff7d56b96530d014083cd343f7314c23acbd1ecf37eb75a71a2f6584d0b02
Status: Downloaded newer image for ansible/centos7-ansible:latest
docker.io/ansible/centos7-ansible:latest 
Local image registry
  • Purpose: for use within a LAN; easy to integrate with other systems and convenient for pushing and pulling large images
  • Setting up a local registry
Pull the registry image
[root@server1 ~]# docker pull registry
Using default tag: latest
latest: Pulling from library/registry
79e9f2f55bf5: Pull complete 
0d96da54f60b: Pull complete 
5b27040df4a2: Pull complete 
e2ead8259a04: Pull complete 
3790aef225b9: Pull complete 
Digest: sha256:169211e20e2f2d5d115674681eb79d21a217b296b43374b8e39f97fcf866b375
Status: Downloaded newer image for registry:latest
docker.io/library/registry:latest
[root@server1 ~]# docker images
REPOSITORY                TAG       IMAGE ID       CREATED        SIZE
centos7-nginx             v1        e66f7de25290   25 hours ago   437MB
centos7u6-httpd           v1        eeaba8b83515   26 hours ago   1.62GB
centos7u6                 latest    592ba953c5f9   3 days ago     1.42GB
registry                  latest    b8604a3fe854   4 months ago   26.2MB
centos                    7         eeb6ee3f44bd   6 months ago   204MB
xiaotanggao/nginx         v1        eeb6ee3f44bd   6 months ago   204MB
ansible/centos7-ansible   latest    688353a31fde   5 years ago    447MB

Create a host directory to mount into the registry container so that pushed images persist
[root@server1 ~]# mkdir /mnt/registry

Start a container from the registry image
--restart=always	restart the container whenever it exits
[root@server1 ~]# docker run -d -p 5000:5000 -v /mnt/registry:/var/lib/registry --restart=always registry:latest 
77dff96850d0d3136781a80a065e3ed61600f01c304ca46f8e737c970acb69ed
[root@server1 ~]# docker ps
CONTAINER ID   IMAGE             COMMAND                  CREATED         STATUS         PORTS                                       NAMES
77dff96850d0   registry:latest   "/entrypoint.sh /etc…"   2 minutes ago   Up 2 minutes   0.0.0.0:5000->5000/tcp, :::5000->5000/tcp   affectionate_gauss

Verify
[root@server1 ~]# curl 192.168.139.10:5000/v2/_catalog
{"repositories":[]}
# the registry is still empty
  • Push to the local registry
Edit /etc/docker/daemon.json (the local registry uses plain HTTP, so it has to be listed under insecure-registries)
[root@server1 ~]# vim /etc/docker/daemon.json 
[root@server1 ~]# cat /etc/docker/daemon.json 
{
  "insecure-registries": ["http://192.168.139.10:5000"],
  "registry-mirrors": ["https://he5z7917.mirror.aliyuncs.com"]
}
[root@server1 ~]# systemctl daemon-reload
[root@server1 ~]# systemctl restart docker

Tag the image for the local registry
[root@server1 ~]# docker tag centos7-nginx:v1 192.168.139.10:5000/centos7-nginx:v1

Push
[root@server1 ~]# docker push 192.168.139.10:5000/centos7-nginx:v1 
The push refers to repository [192.168.139.10:5000/centos7-nginx]
271152a56ebf: Pushed 
b4f12a07bd95: Pushed 
77dbbafd209d: Pushed 
174f56854903: Pushed 
v1: digest: sha256:8080974be0483ed84c5c5f482e59e10aeb3de680d26372262419783d7a3438c0 size: 1157

Check the mount point
[root@server1 ~]# ls /mnt/registry/
docker
[root@server1 ~]# ls /mnt/registry/docker/registry/v2/repositories/
centos7-nginx
  • Other hosts can use this registry as well
[root@server1 ~]# vim /usr/lib/systemd/system/docker.service 
[root@server1 ~]# grep ExecStart /usr/lib/systemd/system/docker.service 
# ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecStart=/usr/bin/dockerd

[root@server1 ~]# vim /etc/docker/daemon.json
[root@server1 ~]# cat /etc/docker/daemon.json 
{
  "insecure-registries": ["http://192.168.139.10:5000"]
}

[root@server1 ~]# systemctl daemon-reload && systemctl restart docker

[root@server1 ~]# docker pull 192.168.139.10:5000/centos7-nginx:v1
Harbor: managing a local registry through a web UI
  • About Harbor

    • Open-sourced by VMware and widely used
    • Has a good Chinese-language web management UI
  • Obtaining the Harbor software (offline installer harbor-offline-installer-v2.4.2.tgz)


  • Deploying Harbor

Install pip3
[root@server1 ~]# yum install -y epel-release.noarch 
[root@server1 ~]# yum install -y python3-pip
[root@server1 ~]# pip3 install --upgrade pip
WARNING: Running pip install with root privileges is generally not a good idea. Try `pip3 install --user` instead.
Collecting pip
  Downloading https://files.pythonhosted.org/packages/a4/6d/6463d49a933f547439d6b5b98b46af8742cc03ae83543e4d7688c2420f8b/pip-21.3.1-py3-none-any.whl (1.7MB)
    100% |████████████████████████████████| 1.7MB 929kB/s 
Installing collected packages: pip
Successfully installed pip-21.3.1

Install docker-compose
[root@server1 ~]# pip3 install docker-compose --ignore-installed requests
[root@server1 ~]# docker-compose -v
docker-compose version 1.29.2, build unknown

Extract Harbor
[root@server1 ~]# ls harbor-offline-installer-v2.4.2.tgz 
harbor-offline-installer-v2.4.2.tgz
[root@server1 ~]# tar -xf harbor-offline-installer-v2.4.2.tgz 

Configure
[root@server1 ~]# cd harbor/
[root@server1 harbor]# ls
common.sh  harbor.v2.4.2.tar.gz  harbor.yml.tmpl  install.sh  LICENSE  prepare
[root@server1 harbor]# cp harbor.yml.tmpl harbor.yml
[root@server1 harbor]# grep -Ev "#|^$" harbor.yml
hostname: 192.168.139.10	host IP
http:
  port: 80					port
# https:					no certificate yet, commented out for now
  # port: 443
  # certificate: /your/certificate/path	
  # private_key: /your/private/key/path
harbor_admin_password: Harbor12345		default admin user and password
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data
trivy:
  ignore_unfixed: false
  skip_update: false
  offline_scan: false
  insecure: false
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.4.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
[root@server1 harbor]# vim /etc/docker/daemon.json 
[root@server1 harbor]# cat /etc/docker/daemon.json 
{
  "registry-mirrors": ["https://he5z7917.mirror.aliyuncs.com"]
}
[root@server1 harbor]# systemctl daemon-reload 
[root@server1 harbor]# systemctl restart docker

Prepare the configuration
[root@server1 harbor]# ./prepare 
prepare base dir is set to /root/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

Install
[root@server1 harbor]# ./install.sh
...
----Harbor has been installed and started successfully.----
[root@server1 harbor]# docker images|grep goharbor
goharbor/harbor-exporter            v2.4.2    ddbe51a2d92c   2 days ago     84.3MB
goharbor/chartmuseum-photon         v2.4.2    4c8a43a14da1   2 days ago     175MB
goharbor/redis-photon               v2.4.2    61d136910774   2 days ago     158MB
goharbor/trivy-adapter-photon       v2.4.2    f32f7db1569e   2 days ago     167MB
goharbor/notary-server-photon       v2.4.2    1465d8e1d2e5   2 days ago     112MB
goharbor/notary-signer-photon       v2.4.2    547245607828   2 days ago     110MB
goharbor/harbor-registryctl         v2.4.2    f43545bdfd12   2 days ago     138MB
goharbor/registry-photon            v2.4.2    1927be8b8775   2 days ago     80.8MB
goharbor/nginx-photon               v2.4.2    4189bfe82749   2 days ago     47.3MB
goharbor/harbor-log                 v2.4.2    b2279d3a2ba5   2 days ago     162MB
goharbor/harbor-jobservice          v2.4.2    d22f0a749835   2 days ago     222MB
goharbor/harbor-core                v2.4.2    672a56385d29   2 days ago     199MB
goharbor/harbor-portal              v2.4.2    bc60d9eaf4ad   2 days ago     56.3MB
goharbor/harbor-db                  v2.4.2    91d13ec46b2c   2 days ago     226MB
goharbor/prepare                    v2.4.2    d2100ed70ba4   2 days ago     269MB

  • Open 192.168.139.10 in a browser


  • Push an image to the Harbor registry

Restart Harbor:

docker-compose down -v

docker-compose up -d

Edit /etc/docker/daemon.json
[root@server1 harbor]# vim /etc/docker/daemon.json 
[root@server1 harbor]# cat /etc/docker/daemon.json 
{
  "insecure-registries": ["http://192.168.139.10"],
  "registry-mirrors": ["https://he5z7917.mirror.aliyuncs.com"]
}

Restart docker
[root@server1 harbor]# systemctl daemon-reload 
[root@server1 harbor]# systemctl restart docker

Restart Harbor (do not skip this step)
[root@server1 harbor]# docker-compose down -v
[root@server1 harbor]# docker-compose up -d

Tag the image to push
[root@server1 harbor]# docker tag centos7-nginx:v1 192.168.139.10/library/centos7-nginx:v1

Log in
[root@server1 harbor]# docker login 192.168.139.10
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Push
[root@server1 harbor]# docker push 192.168.139.10/library/centos7-nginx:v1 


  • Using the Harbor registry from other servers
[root@server1 ~]# vim /usr/lib/systemd/system/docker.service 
[root@server1 ~]# grep ExecStart /usr/lib/systemd/system/docker.service 
# ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecStart=/usr/bin/dockerd

[root@server1 ~]# vim /etc/docker/daemon.json
[root@server1 ~]# cat /etc/docker/daemon.json 
{
  "insecure-registries": ["http://192.168.139.10"]
}

[root@server1 ~]# systemctl daemon-reload && systemctl restart docker

[root@server1 ~]# docker pull 192.168.139.10/library/centos7-nginx:v1

Docker networking

Network overview
List the networks
[root@server1 ~]# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
84f49d76ee7a   bridge    bridge    local
97377fbbe546   host      host      local
0df3a8cad17b   none      null      local
bridge
  • All containers attach to the docker0 bridge and reach the outside network through NAT
  • bridge is the default network
[root@server1 harbor]# ip a
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:06:da:1a:80 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:6ff:feda:1a80/64 scope link 
       valid_lft forever preferred_lft forever
host
  • Containers share the Docker host's network, so they can reach the outside and outside hosts can reach the services inside the containers
  • If several containers run the same service they conflict on ports, so host mode is not recommended for production, only for testing
Choose the network a container runs on
[root@server1 ~]# docker run -d --network host centos7-nginx:v1 
60fcebc5fcf6e13c9df9049e0bfd2a6fc78dfc858c7414095cb721f037b25736

[root@server1 ~]# docker inspect 60f
# no IPAddress is shown: with --network host the container uses the host's network stack
none
  • The container has only the lo interface and cannot reach the outside network; commonly used in k8s orchestration
Container network (joined network)
  • Containers share one network namespace, so they can exchange data directly
Cross-host container communication
  • Tools

    • Pipework
    • Flannel
    • Weave
    • Open vSwitch (OVS)
    • Calico
  • About Weave

    • Principle: a special router container is deployed on every host and the router containers on different hosts are connected to each other. The router intercepts the IP traffic of all ordinary containers and sends it in UDP packets to the ordinary containers on the other hosts
  • About Flannel

    • Mechanism: it re-plans IP address allocation for every node in the cluster so that containers on different nodes get non-overlapping addresses from one internal network, which lets containers on different nodes talk to each other
    • Principle: Flannel is an overlay network (an application-layer network). It assigns each host an IP range and a number of subnets and uses etcd to maintain the mapping from allocated subnets to the hosts' real IP addresses. On the data path, flannel encapsulates IP datagrams in UDP (UDP is used as the forwarding protocol because it passes through firewalls) and forwards them to the remote host
  • Environment setup

| IP address     | hostname | components            |
| -------------- | -------- | --------------------- |
| 192.168.139.10 | server1  | etcd, flannel, docker |
| 192.168.139.20 | server2  | flannel, docker       |
  • Environment preparation
cat >> /etc/hosts <<EOF
192.168.139.10 server1
192.168.139.20 server2
EOF

yum install -y ntpdate
ntpdate cn.ntp.org.cn

yum install -y flannel

yum install -y etcd
  • server1 configuration
Configure etcd
[root@server1 ~]# vim /etc/etcd/etcd.conf 
[root@server1 ~]# cat /etc/etcd/etcd.conf |grep -Ev "#|^$"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"				data directory
ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:2379,http://0.0.0.0:4001"	client listen addresses
ETCD_NAME="default"
ETCD_ADVERTISE_CLIENT_URLS="http://server1:2379,http://server1:4001"	client advertise addresses

Start etcd
[root@server1 ~]# systemctl start etcd.service 
[root@server1 ~]# systemctl enable etcd.service 
[root@server1 ~]# ss -tnalp|grep 2379
LISTEN     0      128       [::]:2379                  [::]:*                   users:(("etcd",pid=9752,fd=6))
[root@server1 ~]# ss -tnalp|grep 4001
LISTEN     0      128       [::]:4001                  [::]:*                   users:(("etcd",pid=9752,fd=7))

Test that etcd works
[root@server1 ~]# etcdctl set testdir/testkey0 1000
1000
[root@server1 ~]# etcdctl get testdir/testkey0
1000
[root@server1 ~]# etcdctl -C http://server1:4001 cluster-health
member 8e9e05c52164694d is healthy: got healthy result from http://server1:2379
cluster is healthy

flannel configuration
[root@server1 ~]# grep -Ev "^$|#" /etc/sysconfig/flanneld 
FLANNEL_ETCD_ENDPOINTS="http://server1:2379"
FLANNEL_ETCD_PREFIX="/atomic.io/network"	default prefix

Register the network range in etcd
[root@server1 ~]# etcdctl mk /atomic.io/network/config '{ "Network": "172.100.0.0/16"}'
{ "Network": "172.100.0.0/16"}
[root@server1 ~]# etcdctl get /atomic.io/network/config
{ "Network": "172.100.0.0/16"}

Start flannel
[root@server1 ~]# systemctl start flanneld.service 
[root@server1 ~]# systemctl enable flanneld.service 
[root@server1 ~]# ip a
6: flannel0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1472 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 172.100.34.0/16 scope global flannel0
       valid_lft forever preferred_lft forever
    inet6 fe80::f1c:4b4a:9877:38a1/64 scope link flags 800 
       valid_lft forever preferred_lft forever

Configure docker
[root@server1 ~]# cat /run/flannel/subnet.env
FLANNEL_NETWORK=172.100.0.0/16
FLANNEL_SUBNET=172.100.34.1/24	# used as docker's bip
FLANNEL_MTU=1472
FLANNEL_IPMASQ=false
[root@server1 ~]# vim /etc/docker/daemon.json
[root@server1 ~]# cat /etc/docker/daemon.json 
{
	"insecure-registries": ["http://192.168.139.10"],
	"registry-mirrors": ["https://he5z7917.mirror.aliyuncs.com"],
	"bip": "172.100.34.1/24",
	"mtu": 1472
}

Restart docker
[root@server1 ~]# systemctl daemon-reload 
[root@server1 ~]# systemctl restart docker
[root@server1 ~]# ip a
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:e2:79:c1:5f brd ff:ff:ff:ff:ff:ff
    inet 172.100.34.1/24 brd 172.100.34.255 scope global docker0
       valid_lft forever preferred_lft forever
6: flannel0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1472 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 172.100.34.0/16 scope global flannel0
       valid_lft forever preferred_lft forever
    inet6 fe80::f1c:4b4a:9877:38a1/64 scope link flags 800 
       valid_lft forever preferred_lft forever

Start a container
[root@server1 ~]# docker run -it centos:7
[root@bcb13dfe7fad /]# [root@server1 ~]# 
[root@server1 ~]# docker inspect bcb
                    "IPAddress": "172.100.34.2",
  • server2 configuration
Configure flannel
[root@server2 ~]# vim /etc/sysconfig/flanneld 
[root@server2 ~]# grep -Ev "^$|#" /etc/sysconfig/flanneld 
FLANNEL_ETCD_ENDPOINTS="http://server1:2379"
FLANNEL_ETCD_PREFIX="/atomic.io/network"

Start flannel
[root@server2 ~]# systemctl start flanneld.service 
[root@server2 ~]# systemctl enable flanneld.service 

Read the subnet information
[root@server2 ~]# cat /run/flannel/subnet.env 
FLANNEL_NETWORK=172.100.0.0/16
FLANNEL_SUBNET=172.100.30.1/24
FLANNEL_MTU=1472
FLANNEL_IPMASQ=false

Configure docker
[root@server2 ~]# vim /etc/docker/daemon.json
[root@server2 ~]# cat /etc/docker/daemon.json 
{
	"insecure-registries": ["http://192.168.139.10"],
	"registry-mirrors": ["https://he5z7917.mirror.aliyuncs.com"],
	"bip": "172.100.30.1/24",
	"mtu": 1472
}

Restart docker
[root@server2 ~]# systemctl restart docker
[root@server2 ~]# ip a
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:49:14:48:21 brd ff:ff:ff:ff:ff:ff
    inet 172.100.30.1/24 brd 172.100.30.255 scope global docker0
       valid_lft forever preferred_lft forever
6: flannel0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1472 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 172.100.30.0/16 scope global flannel0
       valid_lft forever preferred_lft forever
    inet6 fe80::6d73:fc5d:fa63:1792/64 scope link flags 800 
       valid_lft forever preferred_lft forever

Start a container
[root@server2 ~]# docker pull centos:7
[root@server2 ~]# docker run -it centos:7 
[root@94d7627a4b9b /]# [root@server2 ~]# 
[root@server2 ~]# docker inspect 94d
                    "IPAddress": "172.100.30.2",

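The notes rewrite /etc/docker/daemon.json by hand on every host (the local-registry and Harbor sections, then again here) and copy bip and mtu from /run/flannel/subnet.env. As an added helper in Python (my code, not from the notes, Docker or flannel), this parses subnet.env, checks that the subnet really lies inside FLANNEL_NETWORK, merges bip/mtu into the existing daemon.json without dropping the insecure-registries and registry-mirrors keys, and lists which registries the daemon would talk to without TLS; the sample inputs are constructed from the server2 values above.

```python
"""Helper for the flannel + docker configuration steps above (added example, not part of
the notes or of flannel). Reads /run/flannel/subnet.env, derives docker's bip/mtu, merges
them into an existing daemon.json, and flags registries configured without TLS."""
import ipaddress
import json
from typing import Dict, List

# constructed sample input: the server2 values shown in the notes
SUBNET_ENV = """FLANNEL_NETWORK=172.100.0.0/16
FLANNEL_SUBNET=172.100.30.1/24
FLANNEL_MTU=1472
FLANNEL_IPMASQ=false
"""

# constructed sample input: the daemon.json the notes had before adding bip/mtu
EXISTING_DAEMON_JSON = """{
\t"insecure-registries": ["http://192.168.139.10"],
\t"registry-mirrors": ["https://he5z7917.mirror.aliyuncs.com"]
}
"""


def parse_subnet_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; trailing '#' comments (like the '#bip' note) are ignored."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env


def flannel_docker_settings(env: Dict[str, str]) -> Dict[str, object]:
    """Derive the daemon.json keys the notes set by hand: bip = FLANNEL_SUBNET, mtu = FLANNEL_MTU."""
    network = ipaddress.ip_network(env["FLANNEL_NETWORK"])
    # strict=False: FLANNEL_SUBNET is written as the bridge's host address, e.g. 172.100.30.1/24
    subnet = ipaddress.ip_network(env["FLANNEL_SUBNET"], strict=False)
    if not subnet.subnet_of(network):
        raise ValueError(f"{env['FLANNEL_SUBNET']} is not inside {env['FLANNEL_NETWORK']}")
    mtu = int(env["FLANNEL_MTU"])
    if not 68 <= mtu <= 65535:
        raise ValueError(f"implausible MTU {mtu}")
    return {"bip": env["FLANNEL_SUBNET"], "mtu": mtu}


def merge_daemon_json(existing: str, updates: Dict[str, object]) -> Dict[str, object]:
    """Merge new keys into daemon.json instead of overwriting the file as 'cat > ...' does."""
    cfg: Dict[str, object] = json.loads(existing) if existing.strip() else {}
    cfg.update(updates)
    return cfg


def plaintext_registries(cfg: Dict[str, object]) -> List[str]:
    """Registries docker will use without TLS: insecure-registries entries and non-https mirrors."""
    found = [str(r) for r in cfg.get("insecure-registries", [])]
    found += [str(m) for m in cfg.get("registry-mirrors", []) if not str(m).startswith("https://")]
    return found


def build_daemon_json(subnet_env: str, existing: str) -> str:
    """Text to write back to /etc/docker/daemon.json before 'systemctl restart docker'."""
    cfg = merge_daemon_json(existing, flannel_docker_settings(parse_subnet_env(subnet_env)))
    return json.dumps(cfg, indent=2) + "\n"


if __name__ == "__main__":
    merged = build_daemon_json(SUBNET_ENV, EXISTING_DAEMON_JSON)
    print(merged)
    print("registries used without TLS:", plaintext_registries(json.loads(merged)))
```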
  • Connectivity test
[root@server1 ~]# docker exec bcb ping -c 2 172.100.30.2
PING 172.100.30.2 (172.100.30.2) 56(84) bytes of data.
64 bytes from 172.100.30.2: icmp_seq=1 ttl=60 time=3.40 ms
64 bytes from 172.100.30.2: icmp_seq=2 ttl=60 time=1.55 ms

--- 172.100.30.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1005ms
rtt min/avg/max/mdev = 1.556/2.481/3.406/0.925 ms

[root@server2 ~]# docker exec 94d ping -c 2 172.100.34.2
PING 172.100.34.2 (172.100.34.2) 56(84) bytes of data.

--- 172.100.34.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1002ms

Observation: the container on server1 can ping the container on server2

but the container on server2 cannot ping the container on server1

Cause: the firewall on server1; the FORWARD chain's default policy is DROP

Fix: change the FORWARD chain's default policy to ACCEPT

[root@server1 ~]# iptables -P FORWARD ACCEPT
[root@server1 ~]# iptables -L FORWARD 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Connectivity test after the change
[root@server2 ~]# docker exec 94d ping -c 2 172.100.34.2
PING 172.100.34.2 (172.100.34.2) 56(84) bytes of data.
64 bytes from 172.100.34.2: icmp_seq=1 ttl=60 time=1.15 ms
64 bytes from 172.100.34.2: icmp_seq=2 ttl=60 time=1.61 ms

--- 172.100.34.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1004ms
rtt min/avg/max/mdev = 1.151/1.382/1.614/0.234 ms
