I. Introduction

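Harbor is an enterprise-class registry server for storing and distributing Docker images. It provides user permission management, image replication and other features, and makes working with a registry more efficient.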

II. Architecture diagram:


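Notes: the main components are as follows. proxy is an nginx front-end proxy that mainly routes UI page requests and image upload and download traffic, marked by the dark blue lines in the diagram above. ui provides the web management interface, comprising a front-end page and a back-end API, with a MySQL database underneath. registry is the image repository responsible for storing image files; when an image upload completes, it notifies ui through a hook so that ui creates the repository (red lines in the diagram), and the registry's token authentication is also handled by the ui component. adminserver is the system's configuration management center and also checks storage usage; ui and jobservice load their configuration from adminserver at startup (gray lines). jobservice is responsible for image replication: it talks to the registry, pulls an image from one registry and pushes it to another, and records a job_log (purple lines). log is the log aggregation component, which collects the logs in one place through Docker's log-driver (light blue lines).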

III. Installing and configuring Harbor 1.5.0
1. Environment:

OS: CentOS Linux release 7.2.1511 (Core)
Python version: Python 2.7.5
Docker version: >=1.10
Docker Compose version: >=1.6.0
OpenSSL: simply install the latest version with yum (# yum -y install openssl openssl-devel)

2. Install Docker

yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum list docker-ce --showduplicates | sort -r
yum install docker-ce -y
systemctl start docker
systemctl enable docker
docker version

Client:
 Version:           18.06.1-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        e68fc7a
 Built:             Tue Aug 21 17:23:03 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.1-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       e68fc7a
  Built:            Tue Aug 21 17:25:29 2018
  OS/Arch:          linux/amd64
  Experimental:     false

3. Install docker-compose

curl -L https://github.com/docker/compose/releases/download/1.21.1/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose version

docker-compose version 1.21.1, build 5a3f1a3
docker-py version: 3.3.0
CPython version: 3.6.5
OpenSSL version: OpenSSL 1.0.1t  3 May 2016

4. Download harbor-offline-installer-v1.5.1

The package is split into three parts:

https://download.csdn.net/download/zhangxueleishamo/10629751
https://download.csdn.net/download/zhangxueleishamo/10629761
https://download.csdn.net/download/zhangxueleishamo/10629765

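Official link (this URL fetches v1.5.0, while the tar command below and the images loaded later are v1.5.1; extract the archive you actually downloaded):

wget https://storage.googleapis.com/harbor-releases/release-1.5.0/harbor-offline-installer-v1.5.0.tgz
tar -zxvf harbor-offline-installer-v1.5.1.tgz  -C /opt/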

5. Generate the key and certificate used to access Harbor

#mkdir /data/cert 
#cd /data/cert
#openssl genrsa -out private_key.pem 4096
Generating RSA private key, 4096 bit long modulus
...............++
....................................................................................................++
e is 65537 (0x10001)

#openssl req -new -x509 -key private_key.pem -out root.crt -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:harbor
Organizational Unit Name (eg, section) []:harbor
Common Name (eg, your name or your server's hostname) []:yoyi.harbor.com
Email Address []:harbor@yoyi.cn

# mkdir /opt/harbor/common/config/ui/ -p
# mkdir /opt/harbor/common/config/registry/ -p
# cp /data/cert/private_key.pem /opt/harbor/common/config/ui/private_key.pem
# cp /data/cert/root.crt /opt/harbor/common/config/registry/root.crt

6. Configure HTTPS

# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
..................++
...................................................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:harbor
Organizational Unit Name (eg, section) []:harbor
Common Name (eg, your name or your server's hostname) []:yoyi.harbor.com
Email Address []:harbor@yoyi.cn

# openssl req -newkey rsa:4096 -nodes -sha256 -keyout yoyi.harbor.com.key -out yoyi.harbor.com.csr
Generating a 4096 bit RSA private key
..........................................................................................................................++
...................................................................................................++
writing new private key to 'yoyi.harbor.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Bejing
Organization Name (eg, company) [Default Company Ltd]:harbor
Organizational Unit Name (eg, section) []:harbor
Common Name (eg, your name or your server's hostname) []:yoyi.harbor.com
Email Address []:harbor@yoyi.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:``1122qq
An optional company name []:yoyi.harbor.com

# openssl x509 -req -days 365 -in yoyi.harbor.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out yoyi.harbor.com.crt
Signature ok
subject=/C=CN/ST=Beijing/L=Bejing/O=harbor/OU=harbor/CN=yoyi.harbor.com/emailAddress=harbor@yoyi.cn
Getting CA Private Key

# echo subjectAltName = IP:192.168.5.121 > extfile.cnf

# openssl genrsa -out private_key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................................................................++
.................................................++
e is 65537 (0x10001)


# openssl req -new -x509 -key private_key.pem -out root.crt -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:harbor
Organizational Unit Name (eg, section) []:harbor
Common Name (eg, your name or your server's hostname) []:yoyi.harbor.com
Email Address []:harbor@yoyi.cn
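
The signing command in step 6 never passes extfile.cnf to openssl, so the issued certificate carries no subjectAltName, and Go-based clients built with Go 1.15 or later (newer Docker releases included) match host names against SAN entries only. The following is an added example, not part of the original post, that issues the certificate with and without -extfile and checks the result; the helper names new_ca, issue_cert, has_san and chains_to are hypothetical, and -subj replaces the interactive prompts.

```shell
#!/bin/sh
# Added example, not from the original post. new_ca, issue_cert, has_san and
# chains_to are hypothetical helper names; host name and IP are the page's values.

# new_ca DIR [BITS]: self-signed CA as in step 6, with -subj replacing the prompts.
new_ca() {
    mkdir -p "$1" && ( cd "$1" && umask 077 &&
        openssl req -newkey "rsa:${2:-4096}" -nodes -sha256 -keyout ca.key \
            -x509 -days 365 -subj "/C=CN/O=harbor/CN=harbor-ca" -out ca.crt
    ) >/dev/null 2>&1
}

# issue_cert DIR HOST [SAN] [BITS]: key, CSR and certificate signed by DIR/ca.crt.
# With an empty SAN the signing command is the one typed on the page (no -extfile).
issue_cert() {
    ( cd "$1" && umask 077 &&
        openssl req -newkey "rsa:${4:-4096}" -nodes -sha256 -keyout "$2.key" \
            -subj "/C=CN/O=harbor/CN=$2" -out "$2.csr" || exit 1
        if [ -n "$3" ]; then
            echo "subjectAltName = $3" > extfile.cnf
            openssl x509 -req -days 365 -sha256 -in "$2.csr" -CA ca.crt \
                -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out "$2.crt"
        else
            openssl x509 -req -days 365 -sha256 -in "$2.csr" -CA ca.crt \
                -CAkey ca.key -CAcreateserial -out "$2.crt"
        fi
    ) >/dev/null 2>&1
}

# has_san CERT ENTRY: true when ENTRY, written the way openssl prints it
# ("DNS:host" or "IP Address:1.2.3.4"), is listed in the subjectAltName extension.
has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | grep -qF -- "$2"
}

# chains_to CA CERT: true when CERT verifies against CA.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run with the argument "demo" to issue a 4096-bit pair in a temporary directory.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && new_ca "$d" &&
        issue_cert "$d" yoyi.harbor.com "DNS:yoyi.harbor.com,IP:192.168.5.121"
    chains_to "$d/ca.crt" "$d/yoyi.harbor.com.crt" && echo "chain: ok"
    has_san "$d/yoyi.harbor.com.crt" "DNS:yoyi.harbor.com" && echo "SAN: ok"
    rm -rf "$d"
fi
```

Distributing ca.crt to clients, rather than the server certificate itself, lets the server certificate be reissued without touching every client.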

7. Edit the Harbor configuration file

#vim /opt/harbor/harbor.cfg
hostname = yoyi.harbor.com
ui_url_protocol = https
ssl_cert = /data/cert/yoyi.harbor.com.crt
ssl_cert_key = /data/cert/yoyi.harbor.com.key
secretkey_path = /data

8. Start Harbor

./prepare 
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/nginx/cert/harbor.yoyi.com.crt
Clearing the configuration file: ./common/config/nginx/cert/harbor.yoyi.com.key
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
loaded secret from file: /opt/harbor/data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
# ./install.sh

[Step 0]: checking installation environment ...

Note: docker version: 18.06.1

Note: docker-compose version: 1.21.1

[Step 1]: loading Harbor images ...
Loaded image: vmware/harbor-ui:v1.5.1
Loaded image: vmware/harbor-log:v1.5.1
Loaded image: vmware/harbor-jobservice:v1.5.1
Loaded image: vmware/registry-photon:v2.6.2-v1.5.1
Loaded image: vmware/notary-server-photon:v0.5.1-v1.5.1
Loaded image: vmware/mariadb-photon:v1.5.1
Loaded image: vmware/clair-photon:v2.0.1-v1.5.1
Loaded image: vmware/harbor-adminserver:v1.5.1
Loaded image: vmware/nginx-photon:v1.5.1
Loaded image: vmware/photon:1.0
Loaded image: vmware/notary-signer-photon:v0.5.1-v1.5.1
Loaded image: vmware/postgresql-photon:v1.5.1
Loaded image: vmware/harbor-db:v1.5.1
Loaded image: vmware/redis-photon:v1.5.1
Loaded image: vmware/harbor-migrator:v1.5.0


[Step 2]: preparing environment ...
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.


[Step 3]: checking existing instance of Harbor ...

Note: stopping existing Harbor instance ...
Stopping harbor-jobservice  ... done
Stopping harbor-ui          ... done
Stopping harbor-db          ... done
Stopping redis              ... done
Stopping harbor-adminserver ... done
Stopping registry           ... done
Stopping harbor-log         ... done
Removing nginx              ... done
Removing harbor-jobservice  ... done
Removing harbor-ui          ... done
Removing harbor-db          ... done
Removing redis              ... done
Removing harbor-adminserver ... done
Removing registry           ... done
Removing harbor-log         ... done
Removing network harbor_harbor


[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry           ... done
Creating harbor-adminserver ... done
Creating redis              ... done
Creating harbor-db          ... done
Creating harbor-ui          ... done
Creating harbor-jobservice  ... done
Creating nginx              ... done

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at https://yoyi.harbor.com. 
For more details, please visit https://github.com/vmware/harbor .

# docker ps
CONTAINER ID        IMAGE                                  COMMAND                  CREATED             STATUS                   PORTS                                                              NAMES
fb81c4bdf1e7        vmware/harbor-jobservice:v1.5.1        "/harbor/start.sh"       3 minutes ago       Up 3 minutes                                                                                harbor-jobservice
d32560069411        vmware/nginx-photon:v1.5.1             "nginx -g 'daemon of…"   3 minutes ago       Up 3 minutes (healthy)   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp   nginx
3027884466bc        vmware/harbor-ui:v1.5.1                "/harbor/start.sh"       3 minutes ago       Up 3 minutes (healthy)                                                                      harbor-ui
d3f5f664acfd        vmware/harbor-db:v1.5.1                "/usr/local/bin/dock…"   3 minutes ago       Up 3 minutes (healthy)   3306/tcp                                                           harbor-db
efb310517d0c        vmware/registry-photon:v2.6.2-v1.5.1   "/entrypoint.sh serv…"   3 minutes ago       Up 3 minutes (healthy)   5000/tcp                                                           registry
67099980d893        vmware/redis-photon:v1.5.1             "docker-entrypoint.s…"   3 minutes ago       Up 3 minutes             6379/tcp                                                           redis
31bc58eb4424        vmware/harbor-adminserver:v1.5.1       "/harbor/start.sh"       3 minutes ago       Up 3 minutes (healthy)                                                                      harbor-adminserver
6c7c901328bf        vmware/harbor-log:v1.5.1               "/bin/sh -c /usr/loc…"   3 minutes ago       Up 3 minutes (healthy)   127.0.0.1:1514->10514/tcp                                          harbor-log

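9. Access test. Default username & password: admin     Harbor12345 (change this default password after the first login)

IV. Client usage

1. On the client, install Docker and log in to Harbor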

#yum -y install docker-io
#service docker start
#docker login https://yoyi.harbor.com
Username: admin
Password: 
Error response from daemon: Get https://yoyi.harbor.com/v1/users/: x509: certificate signed by unknown authority

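Note: the error indicates that certificate verification failed. For testing or use on an internal network you can switch to http, or apply to purchase a certificate from a certificate provider.

Solution:

Create the certificate directory on the client
mkdir -p /etc/docker/certs.d/yoyi.harbor.com
On the Harbor server, copy the certificate to the client
scp -r yoyi.harbor.com.crt root@192.168.5.122:/etc/docker/certs.d/yoyi.harbor.com
Restart the Docker service on the client, then log in again
service docker restart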

2. List the images on Harbor, download an image, re-tag it, and upload it to your own repository

# docker images
REPOSITORY                                     TAG                 IMAGE ID            CREATED             SIZE

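Nothing has been transferred yet, so the list is empty
Search the official registry for the image you need
#docker search -s 10 centos  // find centos-related images with more than 10 stars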
Flag --stars has been deprecated, use --filter=stars=3 instead
INDEX       NAME                                        DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
docker.io   docker.io/centos                            The official build of CentOS.                   4762      [OK]       
docker.io   docker.io/ansible/centos7-ansible           Ansible on Centos7                              118                  [OK]
docker.io   docker.io/jdeathe/centos-ssh                CentOS-6 6.10 x86_64 / CentOS-7 7.5.1804 x...   99                   [OK]
docker.io   docker.io/consol/centos-xfce-vnc            Centos container with "headless" VNC sessi...   64                   [OK]
docker.io   docker.io/imagine10255/centos6-lnmp-php56   centos6-lnmp-php56                              45                   [OK]
docker.io   docker.io/tutum/centos                      Simple CentOS docker image with SSH access      43                   
docker.io   docker.io/centos/mysql-57-centos7           MySQL 5.7 SQL database server                   39                   
docker.io   docker.io/gluster/gluster-centos            Official GlusterFS Image [ CentOS-7 +  Glu...   34                   [OK]
docker.io   docker.io/openshift/base-centos7            A Centos7 derived base image for Source-To...   33                   
docker.io   docker.io/centos/python-35-centos7          Platform for building and running Python 3...   31                   
docker.io   docker.io/centos/postgresql-96-centos7      PostgreSQL is an advanced Object-Relationa...   29                   
docker.io   docker.io/kinogmt/centos-ssh                CentOS with SSH                                 22                   [OK]
docker.io   docker.io/centos/php-56-centos7             Platform for building and running PHP 5.6 ...   15                   
docker.io   docker.io/openshift/jenkins-2-centos7       A Centos7 based Jenkins v2.x image for use...   15               

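Note: Docker has no command for viewing image details, and docker search is of limited use. It is better to search on the official site (http://hub.docker.com), which has the most detailed information, and pull the image locally once you have decided.

Look up the centos images on the official site

#docker pull centos:7.5.1804    // download the latest official image locally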
Trying to pull repository docker.io/library/centos ... 
7.5.1804: Pulling from docker.io/library/centos
7dc0dca2b151: Pull complete 
Digest: sha256:7fa8d6e1b61a3f9fc1413be9c2f8a8a84dab8855cdb5c467d144ff171155fd19
Status: Downloaded newer image for docker.io/centos:7.5.1804

#docker images
REPOSITORY                                     TAG                 IMAGE ID            CREATED             SIZE
docker.io/centos                               7.5.1804            fdf13fa91c6e        7 weeks ago         200 MB

Re-tag the official image as an image under the library project of your own registry
#docker tag centos:7.5.1804  yoyi.harbor.com/library/yoyi-centos-7.5.1804 

# docker images
REPOSITORY                                     TAG                 IMAGE ID            CREATED             SIZE
docker.io/centos                               7.5.1804            fdf13fa91c6e        7 weeks ago         200 MB
yoyi.harbor.com/library/yoyi-centos-7.5.1804   latest              fdf13fa91c6e        7 weeks ago         200 MB

Push the re-tagged image to the Harbor instance you are logged in to
# docker push yoyi.harbor.com/library/yoyi-centos-7.5.1804
The push refers to a repository [yoyi.harbor.com/library/yoyi-centos-7.5.1804]
bcc97fbfc9e1: Pushed 
latest: digest: sha256:7c14180942615fef85cb5c8b1388e028be1a8f79694a5fa30a4025173e42ad61 size: 529

Query the images in the private Harbor registry from the command line
# curl -X GET http://yoyi.harbor.com/
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.13.8</center>
</body>
</html>

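Log in to Harbor to view it

3. Install your own image on other machines

Click the pull command inside the red box in the screenshot above to generate the command, then paste and run it on the target client.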

#docker pull yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest
Trying to pull repository yoyi.harbor.com/library/yoyi-centos-7.5.1804 ... 
latest: Pulling from yoyi.harbor.com/library/yoyi-centos-7.5.1804
7dc0dca2b151: Pull complete 
Digest: sha256:7c14180942615fef85cb5c8b1388e028be1a8f79694a5fa30a4025173e42ad61
Status: Downloaded newer image for yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest

4. Start the installed image.

#docker run --name my-centos7.5 -d yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest /bin/bash -c "ping www.baidu.com"
d61832659e4c727cfa5a06f07d8162028bb6228b6d5de4588d52d4b893acb60e
# docker ps 
CONTAINER ID        IMAGE                                                 COMMAND                  CREATED             STATUS              PORTS               NAMES
d61832659e4c        yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest   "/bin/bash -c 'pin..."   54 seconds ago      Up 52 seconds                           my-centos7.5

5. Stop the Docker container and delete the image

Note: stop the container first, then remove the container, then remove the image

docker ps 
CONTAINER ID        IMAGE                                                 COMMAND                  CREATED             STATUS              PORTS               NAMES
d61832659e4c        yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest   "/bin/bash -c 'pin..."   54 seconds ago      Up 52 seconds                           my-centos7.5
[root@slaver ~]# docker stop my-centos7.5
my-centos7.5
[root@slaver ~]# docker ps 
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
# docker ps -a
CONTAINER ID        IMAGE                                                 COMMAND                  CREATED             STATUS                       PORTS               NAMES
d61832659e4c        yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest   "/bin/bash -c 'pin..."   5 minutes ago       Exited (137) 8 seconds ago                       my-centos7.5
# docker rm -f d61832659e4c
d61832659e4c
# docker images 
REPOSITORY                                     TAG                 IMAGE ID            CREATED             SIZE
docker.io/centos                               7.2.1511            ddc0fb7d7a72        2 months ago        195 MB
docker.io/centos                               7.3.1611            2e5dfff91072        2 months ago        192 MB
yoyi.harbor.com/library/yoyi-centos-7.5.1804   latest              fdf13fa91c6e        2 months ago        200 MB
# docker rmi yoyi.harbor.com/library/yoyi-centos-7.5.1804
Untagged: yoyi.harbor.com/library/yoyi-centos-7.5.1804:latest
Untagged: yoyi.harbor.com/library/yoyi-centos-7.5.1804@sha256:7c14180942615fef85cb5c8b1388e028be1a8f79694a5fa30a4025173e42ad61
Deleted: sha256:fdf13fa91c6e0445e51dfd26443aa4bcd561fd40a7c5e85718c4df8e67bcc514
Deleted: sha256:bcc97fbfc9e1a709f0eb78c1da59caeb65f43dc32cd5deeb12b8c1784e5b8237

VI. Running a simple service

nginx:

docker pull nginx

# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
docker.io/nginx     latest              e81eb098537d        9 days ago          109 MB

docker run --name my-nginxd  -v /data/nginx.conf:/etc/nginx/nginx.conf:rw -v /data/html:/usr/share/nginx/html:rw  -p 9090:80 -d nginx 

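Notes: /data/nginx.conf is the configuration file, /data/html is the page directory, and 9090 is the port.

VII. Dockerfile

FROM specifies the base image and must be the first instruction.

If the image is not based on any other image, write FROM scratch. This also means that the instructions that follow form the first layer of the image.

Syntax:

FROM <image>
FROM <image>:<tag>
FROM <image>@<digest>
The tag and digest are optional; if neither is given, the default is latest.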

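RUN runs the specified command.

Syntax:

RUN <command>  // shell form: the command is run by a shell, /bin/sh -c on Linux or cmd /S /C on Windows
RUN ["executable","param1","param2"]  // exec form: calls the executable directly, followed by its two parameters

RUN /bin/bash -c 'source $HOME/.bashrc; echo $HOME'
RUN ["/bin/bash","-c","echo hello"]

Note: for a multi-line command, do not write several RUN instructions, because every instruction in a Dockerfile creates a layer.
    Each RUN builds one more image layer, which bloats the image with extra layers, increases build and deployment time, and is more error-prone. The line-continuation character is \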

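CMD is the command to run when the container starts.

Syntax:

CMD ["executable","param1","param2"]  // e.g. CMD ["sh","-c","echo $HOME"]
CMD ["param1","param2"]   // e.g. CMD ["echo","$HOME"]
CMD command param1 param2   // shell form
Note: parameters must use double quotes, not single quotes, because Docker parses the passed parameters as a JSON array.

Note: RUN is a command that runs while the image is being built, and its result is committed; CMD is the command executed when the container starts and is not run at build time.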

LABEL assigns labels to the image.

Syntax:

LABEL <key>=<value> <key>=<value> <key>=<value> ....
A Dockerfile can contain multiple LABEL instructions, for example:
LABEL "com.example.vendor"="ACME Incorporated"
LABEL com.example.label-with-value="foo"
LABEL version="1.0"
LABEL description="This text illustrates \
that label-values can span multiple lines."
Note: LABEL inherits the labels of the base image; if a key is the same, the value is overwritten.

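MAINTAINER specifies the author.

Syntax:

MAINTAINER <name>

EXPOSE exposes the ports the container listens on at runtime to the outside. EXPOSE does not, however, map them to host ports; to map the ports, add the -P flag when starting the container.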

ENV sets environment variables.

Syntax:

ENV <key> <value>    // one variable and its value
ENV <key>=<value> ...   // several variables and their values

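ADD is a copy instruction that copies files into the image.

Syntax:

ADD <src> ... <dest>
ADD ["<src>",..."<dest>"]
Note: src is a local file, a compressed archive, or a URL; dest is an absolute path inside the container, or a path relative to the working directory.
    If src is a URL, ADD behaves much like the wget command.
Examples:
ADD test relativeDir/
ADD test /relativeDir
ADD http://example.com/foobar /
Note: avoid using a directory as src; if it is a directory, the entire contents of the directory are copied, including file system metadata.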

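COPY is a copy instruction.

Syntax:

COPY <src>...<dest>
COPY ["<src>",..."<dest>"]
Note: the difference from ADD is that the src of COPY can only be a local file; otherwise the usage is the same.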

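ENTRYPOINT is the default command at startup.

Syntax:

ENTRYPOINT ["executable","param1","param2"]  // executable followed by two parameters
ENTRYPOINT command param1 param2    // shell form

Comparison with CMD
  Similarities: only one may be written; if several are written, only the last one takes effect. Both run only when the container starts, so their timing is the same.
  Differences: ENTRYPOINT is not overridden by the command given at run time, whereas CMD is. If a Dockerfile contains both and the CMD instruction is not a complete executable command, the content of CMD is passed as parameters to ENTRYPOINT. If CMD is a complete executable command, the two override each other and whichever comes last takes effect.

The official documentation uses a table to show how the combinations behave.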

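VOLUME provides mounting: local files or files from other containers can be mounted into this container.

Syntax:

VOLUME ["/data"]
VOLUME ["/var/log/"]
VOLUME /var/log
VOLUME /var/log /var/db
Note: the usual use case is when data needs to be stored persistently. Containers use AUFS, which cannot persist data; when the container is shut down, all changes are lost, so use this instruction when data needs to persist.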

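USER is the user the container starts as; it can be a user name or a UID.

Usage:

USER daemon
USER UID
Note: if the container is set to run as the daemon user, then RUN, CMD and ENTRYPOINT all run as that user.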

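WORKDIR sets the working directory; environment variables are resolved.

Syntax:

WORKDIR /path/to/workdir
Once set, the directory applies to RUN, CMD, ENTRYPOINT, COPY and ADD; it is created if it does not exist, and it can be set multiple times.
WORKDIR /a
WORKDIR b
WORKDIR c
RUN pwd
The result is /a/b/c

ENV DIRPATH /path
WORKDIR $DIRPATH/$DIRNAME
RUN pwd
The result is /path/$DIRNAME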

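ARG defines a variable.

Syntax:

ARG <name>[=<default value>]
Defines a variable whose value is supplied with --build-arg <varname>=<value> when docker build creates the image.
If the user specifies a build argument that is not defined in the Dockerfile, a warning is issued: [Warning] One or more build-args [foo] were not consumed.

One or more arguments can be defined, as follows:
FROM busybox
ARG user1
ARG buildno
...

An argument can also be given a default value:
FROM busybox
ARG user1=someuser
ARG buildno=1
...
If an ARG argument has a default value and no value is specified when the image is built, the default value is used.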

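ONBUILD adds a trigger to the image.

Syntax:

ONBUILD [INSTRUCTION]
The instruction only takes effect for child images of the current image.
For example, if the current image is A and its Dockerfile contains:
ONBUILD RUN ls -al
this ls -al command is not executed when image A is built and started.
If an image B is then built on top of image A, the ls -al command is executed when image B is built.

STOPSIGNAL signal sets which signal is sent when the container is to exit.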

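HEALTHCHECK is the container health-check instruction.

Syntax:

HEALTHCHECK [OPTIONS] CMD command  // run a command inside the container to check its health
HEALTHCHECK NONE    // disable the health check inherited from the base image

[OPTIONS]:
--interval=DURATION interval between two checks, 30 seconds by default
--timeout=DURATION  timeout for the health-check command, 30 seconds by default
--retries=N after this many consecutive failures the container is considered unhealthy and its status becomes unhealthy; the default is 3

Note: HEALTHCHECK may appear only once; if it appears several times, only the last one takes effect.

The exit status of the command after CMD determines whether the health check succeeded:
0: success - the container is healthy
1: unhealthy - the container is no longer working
2: reserved - reserved value

Example: HEALTHCHECK --interval=5m --timeout=3s CMD curl -f http://localhost/ || exit 1
The health-check command is: curl -f http://localhost/ || exit 1
The interval between two checks is 5 minutes
The command timeout is 3 seconds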
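
An added example, not part of the original post: a small shell check that reads a Dockerfile on stdin and reports the pitfalls listed in this section (FROM falling back to latest, ADD with a URL, repeated CMD/ENTRYPOINT/HEALTHCHECK, several RUN layers, no USER). lint_dockerfile and sample_dockerfile are hypothetical names, and the sample Dockerfile is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. lint_dockerfile reads a Dockerfile
# on stdin and prints one finding per line; nothing is printed for a clean file.
lint_dockerfile() {
    awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    cont { cont = ($0 ~ /\\[ \t]*$/); next }     # line continues the previous instruction
    {
        cont = ($0 ~ /\\[ \t]*$/)                # trailing backslash: next line belongs here
        ins = toupper($1); count[ins]++
        if (ins == "FROM") {
            img = ($2 ~ /^--/) ? $3 : $2         # step over an option such as --platform=...
            name = img; sub(/^.*\//, "", name)   # drop registry[:port]/project/
            if (img != "scratch" && img !~ /@sha256:/ && name !~ /:/)
                print "line " NR ": FROM " img " has no tag or digest, so latest is pulled"
        }
        if (ins == "ADD" && $2 ~ /^https?:\/\//)
            print "line " NR ": ADD downloads " $2 " at build time; COPY accepts local files only"
        if (ins == "USER") user = $2
    }
    END {
        split("CMD ENTRYPOINT HEALTHCHECK", once, " ")
        for (i = 1; i <= 3; i++)
            if (count[once[i]] > 1)
                print once[i] " appears " count[once[i]] " times; only the last one takes effect"
        if (count["RUN"] > 1)
            print "RUN appears " count["RUN"] " times; each one adds a layer"
        if (user == "" || user == "root" || user == "0")
            print "no non-root USER; RUN, CMD and ENTRYPOINT run as root"
    }'
}

# Constructed sample input that trips every check once.
sample_dockerfile() {
    cat <<'EOF'
FROM centos
ADD http://example.com/foobar /
RUN yum -y install nginx && \
    yum clean all
RUN echo built
CMD ["nginx"]
CMD ["nginx","-g","daemon off;"]
EOF
}

sample_dockerfile | lint_dockerfile
```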

 
