<h1><center>Docker Applications</center></h1>
**Author: 行癫 (piracy will be prosecuted)**
------
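## I: Port Forwarding

```
Container 172.16.0.2, port 5000
client -----> eth0:10.18.45.197 -------> 172.16.0.2:5000
5000
```

Use port forwarding to solve the problem of reaching a container's port.

`-p`:

When creating an application container, you usually map ports so that the applications inside the container can be reached from outside. Multiple `-p` options can be given to specify multiple port mappings.

Port forwarding for a MySQL application: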
```shell
# Check the local address:
[root@xingdian ~]# ip a
ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:0a:5b:8b brd ff:ff:ff:ff:ff:ff
inet 192.168.245.134/24 brd 192.168.245.255 scope global dynamic ens33
valid_lft 1444sec preferred_lft 1444sec
```
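Run the container: use `-p` to forward local port 3307 to port 3306 in the container. For the other parameters, see the instructions on the page where the image is published.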
```shell
[root@xingdian ~]# docker run --name mysql1 -p 3307:3306 -e MYSQL_ROOT_PASSWORD=123 daocloud.io/library/mysql
```
Access the database inside container mysql1 through port 3307 on the local IP 192.168.245.134. If you see the following output, congratulations:
```shell
[root@xingdian /]# mysql -u root -p123 -h 192.168.245.134 -P3307
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
```
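
`-p 3307:3306` publishes the port on every host interface (the `0.0.0.0:5000->5000/tcp` in the registry's `docker ps` output in the next section is the same thing), while `-p 127.0.0.1:3307:3306` restricts it to loopback. The following audit is an added example, not part of the original page; `mysql2` and `web` are hypothetical containers in a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original page): flag container ports that are
# published on every host interface. Input is one container per line, from:
#   docker ps --format '{{.Names}}\t{{.Ports}}'

# Constructed sample. mysql1 and elegant_rosalind use the mappings shown on
# this page; mysql2 (loopback only) and web (not published) are hypothetical.
sample_ps() {
    printf 'mysql1\t0.0.0.0:3307->3306/tcp, :::3307->3306/tcp\n'
    printf 'mysql2\t127.0.0.1:3308->3306/tcp\n'
    printf 'elegant_rosalind\t0.0.0.0:5000->5000/tcp\n'
    printf 'web\t80/tcp\n'
}

# Print "name host_port container_port" for each mapping bound to 0.0.0.0 or ::
wide_open_ports() {
    awk -F '\t' '{
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            if (maps[i] !~ /->/) continue           # exposed only, not published
            split(maps[i], side, "->")
            port = side[1]; sub(/^.*:/, "", port)   # text after the last colon
            addr = substr(side[1], 1, length(side[1]) - length(port) - 1)
            if (addr != "0.0.0.0" && addr != "::" && addr != "[::]") continue
            key = $1 " " port " " side[2]
            if (!(key in seen)) { seen[key] = 1; print key }   # merge v4 + v6
        }
    }'
}

sample_ps | wide_open_ports
```

On the sample this lists `mysql1` and `elegant_rosalind`; `mysql2`, bound to 127.0.0.1, is not reported.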
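## II: Deploying a Private Registry

Registry image: Docker Hub officially provides the container image `registry`, which is used to set up a private registry.

Pull the image: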
```shell
[root@xingdian ~]# docker pull daocloud.io/library/registry:latest
```
Run the container:
```shell
[root@xingdian ~]# docker run --restart=always -d -p 5000:5000 daocloud.io/library/registry
```
Note: if creating the container fails with a firewall-related error, the fix is as follows:
```shell
[root@xingdian ~]# systemctl stop firewalld
[root@xingdian ~]# systemctl restart docker
```
List the running containers:
```shell
[root@xingdian ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1f444285bed8 daocloud.io/library/registry "/entrypoint.sh /etc/" 23 seconds ago Up 21 seconds 0.0.0.0:5000->5000/tcp elegant_rosalind
```
Attach to the container and check the port status:
```shell
[root@xingdian ~]# docker exec -it 1f444285bed8 /bin/sh    # use sh here, not bash
/ # netstat -antpl    # check whether port 5000 is open (run inside the container)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 :::5000 :::* LISTEN 1/registry
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
```
On the local machine, check whether the private registry is reachable and whether the status code is 200:
```shell
[root@xingdian registry]# curl -I 127.0.0.1:5000
HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Thu, 08 Oct 2020 05:34:32 GMT
```
For convenience, download a fairly small image, busybox:
```shell
[root@xingdian registry]# docker pull busybox
```
Before uploading, the image must be tagged with the registry's IP and port:
```shell
[root@xingdian ~]# docker tag busybox <local-IP>:<port>/busybox
```
This image was pulled directly from the official registry, which is slow:
```shell
[root@xingdian ~]# docker tag busybox 192.168.245.136:5000/busybox
```
The MySQL image below is the second image I tested; it was pulled from daocloud:
```shell
[root@xingdian ~]# docker tag daocloud.io/library/mysql 192.168.245.136:5000/daocloud.io/library/mysql
```
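Note:

After `tag` you can use either the image name or the image ID; I use the image name here. Official images do not need a prefix, but images from daocloud.io do.

Change the request scheme to HTTP: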
```shell
# The default is HTTPS; without this change the following error is reported:
Get https://master.up.com:5000/v1/_ping: http: server gave HTTP response to HTTPS client
[root@xingdian ~]# vim /etc/docker/daemon.json
{ "insecure-registries":["192.168.245.136:5000"] }
# Restart docker:
[root@xingdian ~]# systemctl restart docker
```
Upload the images to the private registry:
```shell
[root@xingdian ~]# docker push 192.168.245.136:5000/busybox
[root@xingdian ~]# docker push 192.168.245.136:5000/daocloud.io/library/mysql
```
List all images in the private registry:
```shell
[root@xingdian ~]# curl 192.168.245.130:5000/v2/_catalog
{"repositories":["busybox"]}
```
List the image versions (tags) in the private registry:
```shell
[root@docker ~]# curl 10.11.67.110:5000/v2/busybox/tags/list
{"name":"busybox","tags":["v1","v2"]}
```
```shell
[root@docker ~]# curl -XGET http://10.11.67.110:3000/v2/busybox/tags/list
{"name":"busybox","tags":["v1","v2"]}
```

Query the image's digest hash. The digest hash to fill into the delete command is the value that follows `Docker-Content-Digest:` in the response:

```shell
[root@docker ~]# curl --header "Accept:application/vnd.docker.distribution.manifest.v2+json" -I -XGET http://10.11.67.110:3000/v2/busybox/manifests/v1
HTTP/1.1 200 OK
Content-Length: 527
Content-Type: application/vnd.docker.distribution.manifest.v2+json
Docker-Content-Digest: sha256:c9249fdf56138f0d929e2080ae98ee9cb2946f71498fc1484288e6a935b5e5bc
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:c9249fdf56138f0d929e2080ae98ee9cb2946f71498fc1484288e6a935b5e5bc"
X-Content-Type-Options: nosniff
Date: Thu, 12 Nov 2020 07:29:46 GMT
```

Delete an image from the private registry:

Edit `/etc/docker/registry/config.yml` and add the following under `storage`:

```yaml
  delete:
    enabled: true
```

After the change, restart the container.

```shell
[root@docker ~]# curl -I -XDELETE http://10.11.67.110:3000/v2/busybox/manifests/sha256:c9249fdf56138f0d929e2080ae98ee9cb2946f71498fc1484288e6a935b5e5bc
HTTP/1.1 202 Accepted
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Date: Thu, 12 Nov 2020 07:30:22 GMT
Content-Length: 0
```

Check the image information; the image's tags are now shown as empty (null):

```shell
[root@docker ~]# curl -XGET http://10.11.67.110:3000/v2/busybox/tags/list
{"name":"busybox","tags":null}
```
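
The delete step above depends on copying the `Docker-Content-Digest` value exactly. The following is an added example, not part of the original page: it extracts the digest from the response headers, rejects anything that is not a well-formed sha256 digest, and builds the DELETE URL. The sample headers and digest value are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): extract Docker-Content-Digest
# from response headers and build the manifest DELETE URL from it.

# Constructed digest value (64 hex characters), not a real image digest.
SAMPLE_HEX=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

# Constructed sample of `curl -I` output. HTTP header lines end in CRLF, so a
# plain "print the second field" leaves a trailing \r that corrupts the URL.
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Content-Length: 527\r\n'
    printf 'Docker-Content-Digest: sha256:%s\r\n' "$SAMPLE_HEX"
    printf 'Etag: "sha256:%s"\r\n' "$SAMPLE_HEX"
    printf '\r\n'
}

# Read headers on stdin and print the digest; return 1 if it is missing or
# is not exactly "sha256:" followed by 64 lowercase hex digits.
manifest_digest() {
    digest=$(tr -d '\r' |
        awk 'tolower($1) == "docker-content-digest:" { print $2; exit }')
    printf '%s\n' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$' || return 1
    printf '%s\n' "$digest"
}

# Arguments: registry base URL, repository name, digest.
delete_url() {
    printf '%s/v2/%s/manifests/%s\n' "$1" "$2" "$3"
}

# Against a live registry (address and repository as used on this page):
#   d=$(curl -s -I -XGET \
#         --header "Accept:application/vnd.docker.distribution.manifest.v2+json" \
#         http://10.11.67.110:3000/v2/busybox/manifests/v1 | manifest_digest) &&
#     curl -I -XDELETE "$(delete_url http://10.11.67.110:3000 busybox "$d")"
d=$(sample_headers | manifest_digest) &&
    delete_url http://10.11.67.110:3000 busybox "$d"
```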
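## III: Deploying a CentOS 7 Container Application

systemd integration:

Because systemd requires the CAP_SYS_ADMIN capability, which gives it the ability to read the host's cgroups, CentOS 7 already uses fakesystemd in place of systemd to resolve dependency issues. If you still want to use systemd, refer to the Dockerfile below: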
```shell
[root@xingdian ~]# vim Dockerfile
FROM daocloud.io/library/centos:7
MAINTAINER "xingdian" xingdian@qq.com
ENV container docker
RUN yum -y swap -- remove fakesystemd -- install systemd systemd-libs
RUN yum -y update; yum clean all; \
(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
VOLUME [ "/sys/fs/cgroup" ]
CMD ["/usr/sbin/init"]
```
This Dockerfile removes fakesystemd and installs systemd.

Then build the base image:
```shell
[root@xingdian ~]# docker build --rm -t local/c7-systemd .
```
To use a container that includes systemd like the one above, create a Dockerfile similar to the following:
```shell
[root@xingdian ~]# vim Dockerfile
FROM local/c7-systemd
RUN yum -y install httpd; yum clean all; systemctl enable httpd.service
EXPOSE 80
CMD ["/usr/sbin/init"]
```
Build the image:
```shell
[root@xingdian ~]# docker build --rm -t local/c7-systemd-httpd .
```
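Run the application container that includes systemd:

To run a container that includes systemd, you need to use the `--privileged` option and mount the host's cgroups directory. The following is an example command for running the httpd container that includes systemd: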
```shell
[root@xingdian ~]# docker run --privileged -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 80:80 local/c7-systemd-httpd
```
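Note: do not append `/bin/bash` to the command above. Adding it makes the service unavailable, and some services may run into the insufficient-permission problem mentioned earlier. Without it, the container runs in the foreground (because `-d` was not used); you can use Ctrl+P+Q to put it in the background.

Test that it works: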
```shell
# elinks --dump http://docker    # the Apache default page follows
Testing 123..
This page is used to test the proper operation of the [1]Apache HTTP
server after it has been installed. If you can read this page it means
that this site is working properly. This server is powered by [2]CentOS.
```
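## IV: Assigning a Fixed Container IP

#### 1. Container networks

After installation, Docker creates three network types by default: bridge, host and none.

Show the current networks: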
```
[root@xingdian ~]# docker network list
NETWORK ID NAME DRIVER SCOPE
90b22f633d2f bridge bridge local
e0b365da7fd2 host host local
da7b7a090837 none null local
```
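bridge: bridged network

Containers are created and started in this mode by default, so each time a Docker container restarts it obtains an IP address in sequence, which means the container's IP changes on every restart.

none: no network

When starting a container you can pass `--network=none`; the Docker container is then not assigned a LAN IP.

host: host network

The Docker container's network is attached to the host's, and the two can reach each other.

#### 2. Creating a container with a fixed IP

Create a custom network and specify its subnet: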
```shell
[root@xingdian ~]# docker network create --subnet=192.168.0.0/16 staticnet
```
`docker network ls` now shows one more network, staticnet.

Create and start a container using the new network:
```shell
[root@xingdian ~]# docker run -it --name userserver --net staticnet --ip 192.168.0.2 centos:6 /bin/bash
```
`docker inspect` shows that the container IP is 192.168.0.2. Stop the container and start it again, and the container IP has not changed.
## V: Bug Notes

#### 1. A bug in CentOS 7-based Docker containers

Starting a service inside a Docker container deployed from CentOS 7 fails with the following error:
```shell
[root@a3c8baf6961e .ssh]# systemctl restart sshd.service
Failed to get D-Bus connection: Operation not permitted
```
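This is a bug that occurs inside CentOS 7 containers.

That is, after installing a service in a container created from the CentOS 7 image, the service cannot be started with systemctl/service. CentOS 6 containers do not have this pitfall. You can avoid the error by starting the service another way or by switching to the CentOS 6 image.

The solution is as follows:

The cause is that dbus-daemon failed to start. systemctl can in fact be used: just set your CMD to /usr/sbin/init.

This automatically starts dbus and the other services. In other words, use /usr/sbin/init to start the dbus daemon automatically: stop and remove the previous container (`docker stop container-id`), then start the container again. Note that you must pass `--privileged` and `/usr/sbin/init` when starting it, as follows: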
```shell
[root@localhost ~]# docker run --privileged -it centos7:7.3.1611 /sbin/init
```
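
`--privileged`, used here and for the systemd container in section III, gives the container every capability and access to the host's devices, so it is worth knowing which containers on a host run that way. The following check is an added example, not part of the original page; the container names in the sample are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): report containers started with
# --privileged or with CAP_SYS_ADMIN added. Input is one line per container:
#   docker inspect --format \
#     '{{.Name}} {{.HostConfig.Privileged}} {{.HostConfig.CapAdd}}' $(docker ps -q)

# Constructed sample; container names are hypothetical.
sample_inspect() {
    printf '/c7-systemd-httpd true []\n'
    printf '/c7-capadd false [SYS_ADMIN NET_ADMIN]\n'
    printf '/userserver false []\n'
}

# Print "LEVEL name reason" for each container that needs review.
privilege_findings() {
    awk '{
        name = $1; sub(/^\//, "", name)             # inspect prints "/name"
        caps = $0; sub(/^[^ ]+ [^ ]+ /, "", caps)   # rest of line after field 2
        if ($2 == "true") {
            print "HIGH " name " privileged"
        } else if (caps ~ /SYS_ADMIN|ALL/) {
            print "MEDIUM " name " cap_add=" caps
        }
    }'
}

sample_inspect | privilege_findings
```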
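#### 2. Fixing garbled character encoding inside a container

Inside the container:

1. Locate the .vimrc file

   This file is usually kept in one of two places:

   - under /etc/, which holds the vim configuration for all users
   - in each user's login directory

2. Edit the .vimrc file

   It is recommended to edit the one belonging to the current user, so that only the current user is affected.

   Then add the following lines, save, and log in again: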
```shell
set fileencodings=utf-8,gb2312,gb18030,gbk,ucs-bom,cp936,latin1
set enc=utf8
set fencs=utf8,gbk,gb2312,gb18030
```
After the change it looks like this:
![img](https://xingdian-image.oss-cn-beijing.aliyuncs.com/xingdian-image/TvBv8HgxAve_fExhZw5D_A.png)