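Docker Containers + Kubernetes Cluster

This article introduces basic Docker usage.
Kubernetes is a container orchestration system released by Google.
Kubernetes will also be used here to manage containers.

Installing Docker

I install Docker from packages here, which is convenient because dependencies are resolved automatically. Installation methods are given for both Red Hat and Ubuntu.
Tsinghua Docker mirror

Installing Docker on Ubuntu

Add the Docker package signing key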

root@aml:~# curl -fsSL "https://download.docker.com/linux/ubuntu/gpg" | apt-key add -
OK

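You can also install from the Aliyun docker-ce mirror, in which case use the Docker GPG key from the Aliyun mirror (adding either the Tsinghua or the Aliyun one is enough; add the one that matches your chosen install source).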

curl -fsSL http://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add -

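Add the Tsinghua Docker package source

Before adding the package source you need to know your system release. I am using Ubuntu 18 here; you can check with the lsb_release command: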

root@aml:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.2 LTS
Release: 18.04
Codename: bionic

Once you know your system release, add the Docker package source:

root@aml:~# echo "deb https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu $(lsb_release -cs) stable"  >/etc/apt/sources.list.d/docker.list
root@aml:~# curl -fsSL https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
ok

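If you write the codename literally instead of using $(lsb_release -cs), change bionic to your own release codename (the Codename field).

Add the Aliyun Docker package source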

echo "deb [arch=amd64] http://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list

Add the official Docker source (not recommended)

add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
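
An added example, not part of the original post: the source lines above differ in transport (http:// versus https://), and a key imported with apt-key add is trusted for every configured repository rather than only the Docker one. The hypothetical helper audit_apt_sources flags both conditions in sources.list-style input; the sample lines are constructed from the commands above, and the keyring path in the last line is an assumed placeholder.

```shell
# Added example: audit APT source entries for plain-HTTP transport and for
# repositories that are not pinned to a dedicated keyring with signed-by.

# audit_apt_sources reads sources.list-style lines on stdin and prints one
# finding per line in the form "<line-number>:<finding>:<uri>".
audit_apt_sources() {
    awk '
    # Only deb / deb-src entries are inspected; comments and blanks fall out here.
    $1 != "deb" && $1 != "deb-src" { next }
    {
        opts = ""; i = 2
        # Options, when present, sit in [ ... ] between the type and the URI
        # and may span several whitespace-separated fields.
        if ($2 ~ /^\[/) {
            while (i <= NF) {
                opts = opts " " $i
                if ($i ~ /\]$/) break
                i++
            }
            i++
        }
        uri = $i
        # Plain HTTP leaves repository traffic open to tampering in transit.
        if (uri ~ /^http:\/\//) print NR ":plain-http:" uri
        # Without signed-by, any key in the global APT trust store can vouch
        # for this repository.
        if (opts !~ /signed-by=/) print NR ":no-signed-by:" uri
    }'
}

# Constructed sample: the three source lines used on this page (with the
# codename written out), plus one entry pinned to a keyring. The keyring
# path is a placeholder and does not come from the page.
sample_sources() {
    cat <<'EOF'
deb https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic stable
deb [arch=amd64] http://mirrors.aliyun.com/docker-ce/linux/ubuntu bionic stable
deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable
deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu bionic stable
EOF
}

sample_sources | audit_apt_sources
```

On a real host the same function can be fed the files under /etc/apt/sources.list.d/ one at a time.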

Refresh the local package index

root@aml:~# apt update
Get:1 https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic InRelease [64.4 kB]
Hit:2 http://ports.ubuntu.com bionic InRelease
Get:3 http://ports.ubuntu.com bionic-security InRelease [88.7 kB]
Get:4 http://ports.ubuntu.com bionic-updates InRelease [88.7 kB]
Get:5 http://ports.ubuntu.com bionic-backports InRelease [74.6 kB]
Get:6 https://apt.armbian.com bionic InRelease [18.3 kB]
Get:7 https://apt.armbian.com bionic/main arm64 Packages [116 kB]
Get:8 https://apt.armbian.com bionic/main armhf Packages [144 kB]
Fetched 595 kB in 1min 9s (8,654 B/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
173 packages can be upgraded. Run 'apt list --upgradable' to see them.

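As you can see, apt now lists the docker-ce source.

Uninstall any installed docker-ce

I am installing the Community Edition, so the package name is docker-ce; for learning and testing, the Community Edition is sufficient.
Note that if Docker is already present on the machine, it has to be uninstalled before installing: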

root@aml:~# apt-mark unhold docker-ce
docker-ce was already not hold.
# Release the hold on the docker-ce package; I had not put it on hold, so it reports "not hold".

root@aml:~# apt remove docker-ce -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
containerd.io docker-ce-cli
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
docker-ce
0 upgraded, 0 newly installed, 1 to remove and 173 not upgraded.
After this operation, 86.8 MB disk space will be freed.
(Reading database ... 31263 files and directories currently installed.)
Removing docker-ce (5:19.03.2~3-0~ubuntu-bionic) ...
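# Remove the installed docker-ce. It reports two dependencies that are no longer required, "containerd.io docker-ce-cli"; they can be removed with apt autoremove or simply left alone. I remove them here for demonstration: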

root@aml:~# apt autoremove containerd.io docker-ce-cli
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
containerd.io docker-ce-cli
0 upgraded, 0 newly installed, 2 to remove and 173 not upgraded.
After this operation, 213 MB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 31253 files and directories currently installed.)
Removing containerd.io (1.2.6-3) ...
Removing docker-ce-cli (5:19.03.2~3-0~ubuntu-bionic) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...

Install docker-ce

Before installing, you can use apt-cache to list all available Docker versions and choose one to install:

root@aml:~# apt-cache madison docker-ce
docker-ce | 5:19.03.2~3-0~ubuntu-bionic | https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 Packages
docker-ce | 5:19.03.1~3-0~ubuntu-bionic | https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 Packages
docker-ce | 5:19.03.0~3-0~ubuntu-bionic | https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 Packages
docker-ce | 5:18.09.9~3-0~ubuntu-bionic | https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 Packages
docker-ce | 5:18.09.8~3-0~ubuntu-bionic | https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 Packages
docker-ce | 5:18.09.7~3-0~ubuntu-bionic | https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 Packages
docker-ce | 5:18.09.6~3-0~ubuntu-bionic | https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 Packages
docker-ce | 5:18.09.5~3-0~ubuntu-bionic | https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 Packages
docker-ce | 5:18.09.4~3-0~ubuntu-bionic | https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 Packages
docker-ce | 5:18.09.3~3-0~ubuntu-bionic | https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 Packages
docker-ce | 5:18.09.2~3-0~ubuntu-bionic | https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 Packages
docker-ce | 5:18.09.1~3-0~ubuntu-bionic | https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 Packages
docker-ce | 5:18.09.0~3-0~ubuntu-bionic | https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 Packages
docker-ce | 18.06.3~ce~3-0~ubuntu | https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 Packages
docker-ce | 18.06.2~ce~3-0~ubuntu | https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 Packages
docker-ce | 18.06.1~ce~3-0~ubuntu | https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 Packages
docker-ce | 18.06.0~ce~3-0~ubuntu | https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 Packages
docker-ce | 18.03.1~ce~3-0~ubuntu | https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 Packages

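At the time of writing, the latest version is 19.03.2. By default, apt install installs the latest version available in the package source; if your environment needs a specific Docker version, you can specify the version number when installing.

Here I demonstrate installing with the latest version specified explicitly: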

root@aml:~# apt install -y --allow-downgrades docker-ce=5:19.03.2~3-0~ubuntu-bionic
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
containerd.io docker-ce-cli
Recommended packages:
aufs-tools cgroupfs-mount | cgroup-lite pigz libltdl7 apparmor
The following NEW packages will be installed:
containerd.io docker-ce docker-ce-cli
0 upgraded, 3 newly installed, 0 to remove and 173 not upgraded.
Need to get 59.2 MB of archives.
After this operation, 300 MB of additional disk space will be used.
Get:1 https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 containerd.io arm64 1.2.6-3 [13.7 MB]
Get:2 https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 docker-ce-cli arm64 5:19.03.2~3-0~ubuntu-bionic [30.0 MB]
Get:3 https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable arm64 docker-ce arm64 5:19.03.2~3-0~ubuntu-bionic [15.5 MB]
Fetched 59.2 MB in 12s (4,782 kB/s)
Selecting previously unselected package containerd.io.
(Reading database ... 31040 files and directories currently installed.)
Preparing to unpack .../containerd.io_1.2.6-3_arm64.deb ...
Unpacking containerd.io (1.2.6-3) ...
Selecting previously unselected package docker-ce-cli.
Preparing to unpack .../docker-ce-cli_5%3a19.03.2~3-0~ubuntu-bionic_arm64.deb ...
Unpacking docker-ce-cli (5:19.03.2~3-0~ubuntu-bionic) ...
Selecting previously unselected package docker-ce.
Preparing to unpack .../docker-ce_5%3a19.03.2~3-0~ubuntu-bionic_arm64.deb ...
Unpacking docker-ce (5:19.03.2~3-0~ubuntu-bionic) ...
Setting up containerd.io (1.2.6-3) ...
Processing triggers for systemd (237-3ubuntu10.13) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Setting up docker-ce-cli (5:19.03.2~3-0~ubuntu-bionic) ...
Setting up docker-ce (5:19.03.2~3-0~ubuntu-bionic) ...

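Note: if you are installing an older version, it is advisable to add the --allow-downgrades option so that older versions of the dependencies can be installed; otherwise the package may fail to install.

Lock the Docker version

After installation, it is advisable to lock the package with apt-mark so that running an update does not upgrade it.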

root@aml:~# apt-mark hold docker-ce
docker-ce set on hold.

root@aml:~# apt-mark showhold
docker-ce

Installing Docker on Red Hat

Add the Docker repository

Installation on Red Hat is similar to Ubuntu. First add the Docker package repository:

[root@localhost ~]# yum install -y yum-utils
# yum-utils can be thought of as a set of extensions to yum

[root@localhost ~]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, product-id, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
adding repo from: https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
grabbing file https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo to /etc/yum.repos.d/docker-ce.repo
repo saved to /etc/yum.repos.d/docker-ce.repo
# Add the repository

[root@localhost ~]# yum makecache
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
base | 3.6 kB 00:00:00
docker-ce-stable | 3.5 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/10): docker-ce-stable/x86_64/updateinfo | 55 B 00:00:00
(2/10): docker-ce-stable/x86_64/filelists_db | 18 kB 00:00:00
(3/10): docker-ce-stable/x86_64/primary_db | 37 kB 00:00:00
(4/10): docker-ce-stable/x86_64/other_db | 111 kB 00:00:00
(5/10): extras/x86_64/filelists_db | 207 kB 00:00:00
(6/10): extras/x86_64/other_db | 100 kB 00:00:00
(7/10): base/x86_64/other_db | 2.6 MB 00:00:01
(8/10): updates/x86_64/other_db | 243 kB 00:00:00
(9/10): updates/x86_64/filelists_db | 2.1 MB 00:00:00
(10/10): base/x86_64/filelists_db | 7.3 MB 00:00:01
Metadata Cache Created
# Refresh the local yum cache

Uninstall old Docker versions

[root@localhost ~]# yum remove  -y docer-ce docker-ce-cli
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
No Match for argument: docer-ce
No Match for argument: docker-ce-cli
No Packages marked for removal

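My test environment does not have Docker installed yet, so the output says No Match. (Note that the first package name in the command above is misspelled as docer-ce; it should be docker-ce.)

Install docker-ce

Before installing, list all versions to check that the one you need is available.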

[root@localhost ~]# yum list docker-ce --showduplicates
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Available Packages
docker-ce.x86_64 17.03.0.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.03.1.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.03.2.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.03.3.ce-1.el7 docker-ce-stable
docker-ce.x86_64 17.06.0.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.06.1.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.06.2.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.09.0.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.09.1.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.12.0.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.12.1.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 18.03.0.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 18.03.1.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 18.06.0.ce-3.el7 docker-ce-stable
docker-ce.x86_64 18.06.1.ce-3.el7 docker-ce-stable
docker-ce.x86_64 18.06.2.ce-3.el7 docker-ce-stable
docker-ce.x86_64 18.06.3.ce-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.0-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.1-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.2-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.3-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.4-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.5-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.6-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.7-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.8-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.9-3.el7 docker-ce-stable
docker-ce.x86_64 3:19.03.0-3.el7 docker-ce-stable
docker-ce.x86_64 3:19.03.1-3.el7 docker-ce-stable
docker-ce.x86_64 3:19.03.2-3.el7 docker-ce-stable
docker-ce.x86_64 3:19.03.3-3.el7 docker-ce-stable
docker-ce.x86_64 3:19.03.4-3.el7 docker-ce-stable

Install a specific version of docker-ce. Since this is a test environment, I simply specify the latest version:

[root@localhost ~]# yum install -y docker-ce-19.03.4-3.el7
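# The output is too long to paste here. Note that when specifying a version, you only need to give the string after the colon.

Lock the Docker version

It is advisable to lock the package version to avoid an accidental upgrade during a later update: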

[root@localhost ~]# yum install yum-plugin-versionlock.noarch -y
# Install the version-lock plugin

[root@localhost ~]# yum versionlock docker-ce
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, product-id, search-disabled-repos, subscription-manager, versionlock
This system is not registered with an entitlement server. You can use subscription-manager to register.
Adding versionlock on: 3:docker-ce-19.03.4-3.el7
versionlock added: 1
# Lock docker-ce. Note: the package name to lock is docker-ce, not docker.

# Use delete to remove the lock:
[root@localhost ~]# yum versionlock delete docker-ce
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, product-id, search-disabled-repos, subscription-manager, versionlock
This system is not registered with an entitlement server. You can use subscription-manager to register.
Deleting versionlock for: 3:docker-ce-19.03.4-3.el7.*
versionlock deleted: 1

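Using the Aliyun registry mirror (accelerator)

Aliyun accelerator
Aliyun's official documentation is already detailed, and the configuration is the same on Red Hat and Ubuntu.
You can use the docker info command to check whether it has taken effect: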

[root@localhost ~]# docker info
Client:
Debug Mode: false

Server:
Containers: 1
Running: 0
Paused: 0
Stopped: 1
Images: 2
Server Version: 19.03.4
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 3.10.0-1062.el7.x86_64
Operating System: Red Hat Enterprise Linux Server 7.7 (Maipo)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.933GiB
Name: localhost.localdomain
ID: RQSG:MXAD:BZY4:DLC2:MKHM:BQKQ:ONRG:SM45:SGPJ:URMC:7WO7:3AYJ
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Registry Mirrors:
https://bwi3es48.mirror.aliyuncs.com/
Live Restore Enabled: false

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

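The Registry Mirrors: https://bwi3es48.mirror.aliyuncs.com/ key-value pair shows that the accelerator is in effect. The two warnings appear because iptables is not enabled; the default firewall on Red Hat is firewalld, not iptables.

Hello world

Note: in my Ubuntu environment Docker was started automatically after installation, but on Red Hat it is stopped by default and has to be started manually: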

[root@localhost ~]# systemctl start docker

Run a hello world container:

[root@localhost ~]# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
1b930d010525: Pull complete
Digest: sha256:c3b4ada4687bbaa170745b3e4dd8ac3f194ca95b2d0518b417fb47e5879d9b5f
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/

For more examples and ideas, visit:
https://docs.docker.com/get-started/

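The run command starts a hello world container. Because there is no hello-world image locally, Docker first pulls the hello-world image from the Hub and then uses the local copy of the image to run a new container.

Pull the nginx image

By default, pull without a version fetches the latest one; if you need a specific version, look up the available tags on Docker Hub.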

[root@localhost ~]# docker pull nginx:latest
Using default tag: latest
latest: Pulling from library/nginx
8d691f585fa8: Pull complete
5b07f4e08ad0: Pull complete
abc291867bca: Pull complete
Digest: sha256:922c815aa4df050d4df476e92daed4231f466acc8ee90e0e774951b0fd7195a4
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest

The nginx tag is specified here for demonstration.

Search for images on Docker Hub

[root@localhost ~]# docker search --limit 10 nginx
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
nginx Official build of Nginx. 12175 [OK]
jwilder/nginx-proxy Automated Nginx reverse proxy for docker con… 1686 [OK]
richarvey/nginx-php-fpm Container running Nginx + PHP-FPM capable of… 745 [OK]
linuxserver/nginx An Nginx container, brought to you by LinuxS… 81
bitnami/nginx Bitnami nginx Docker Image 72 [OK]
nginxdemos/hello NGINX webserver that serves a simple page co… 31 [OK]
nginx/nginx-ingress NGINX Ingress Controller for Kubernetes 22
nginxinc/nginx-unprivileged Unprivileged NGINX Dockerfiles 9
mailu/nginx Mailu nginx frontend 4 [OK]
ansibleplaybookbundle/nginx-apb An APB to deploy NGINX 1 [OK]

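The --limit option caps the number of search results; by default, results are sorted by star rating on the Hub.

Create an nginx example

Create the www and log directories

Create www and log directories to mount into the nginx container as the nginx web root and log directory: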

[root@localhost ~]# mkdir -p nginx/www nginx/log

Create the nginx container

[root@localhost ~]# docker run -it --name webapp -p 8080:80 -v /root/nginx/www:/usr/share/nginx/html -v /root/nginx/log:/var/log/nginx nginx /bin/bash
docker: Error response from daemon: driver failed programming external connectivity on endpoint webapp (48e670d0865aa35dff259f57fa6c8f0cad9fbf60ce1dbaa3d02aaae53c387e5e): (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 8080 -j DNAT --to-destination 172.17.0.2:80 ! -i docker0: iptables: No chain/target/match by that name.
(exit status 1)).

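Create the DOCKER chains

Specifying the port mapping with -p produced an ERROR here. The cause is that I had disabled the firewall that ships with Red Hat and enabled iptables instead, and because iptables was installed afterwards, it has no DOCKER chain. Creating the two DOCKER chains is all that is needed: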

[root@localhost ~]# iptables -t filter -N DOCKER
[root@localhost ~]# iptables -t nat -N DOCKER

Recreate the nginx container

[root@localhost ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8d62c58f5e68 nginx "/bin/bash" 3 minutes ago Created webapp
eab0d98b58ca hello-world "/hello" 31 minutes ago Exited (0) 31 minutes ago eloquent_elion

Although creating the nginx container failed just now, Docker still created a container named webapp. Delete it first:

[root@localhost ~]# docker rm webapp
webapp

Now create the nginx container again:

[root@localhost ~]# docker run -it --name webapp -p 8080:80 -v /root/nginx/www:/usr/share/nginx/html -v /root/nginx/log:/var/log/nginx nginx /bin/bash
root@020e48aaf047:/#

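The nginx container has now been created successfully, and we are in the container's shell.
Option breakdown:

-i: keep STDIN (the input stream) open
-t: allocate a pseudo-terminal and attach it to the container
The default command of OS images in Docker is bash. Without -ti, bash exits right after it starts, because with no input stream attached it ends immediately. With -ti, docker allocates a pseudo-terminal for the container and takes over its stdin/stdout for interactive use, so bash does not exit on its own.

--name: give the container a name
-p: specify a port mapping; the value can also be:
-p 0.0.0.0:8080:80 # bind port 8080 on all local addresses to port 80 in the container.
-p 127.0.0.1::80 # bind an arbitrary port on localhost to port 80 in the container; a host port is assigned automatically.
-p 127.0.0.1::80/udp # use the udp suffix to map a UDP port.

-v: mount a host directory into the container; it can also be a file.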

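Start the nginx service

After the nginx container starts, the nginx service inside it is not running by default, because /bin/bash was given as the container command. Start nginx with service: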

root@020e48aaf047:/# service nginx start

Press Ctrl+P+Q to put the container in the background, then access port 8080 from the host with curl:

[root@localhost ~]# curl 127.0.0.1:8080
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.17.5</center>
</body>
</html>

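Local access works (the 403 is returned by nginx itself, since the web root has no index file yet), but other machines cannot connect, because the firewall policy here blocks inbound traffic: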

[root@localhost ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (0 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http

Rule 5 on the INPUT chain rejects all traffic that is not matched by the first four rules. Delete it:

[root@localhost ~]# iptables -t filter -L --line-number
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
2 ACCEPT icmp -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere
4 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
5 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain DOCKER (0 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http

[root@localhost ~]# iptables -t filter -D INPUT 5

[root@localhost ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (0 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http

Now other devices can reach port 8080 on this machine normally.
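
An added example, not part of the original post: deleting INPUT rule 5 removes the catch-all REJECT, so every port on the host becomes reachable, not only 8080. Assuming, as on this page, that the published port is reached through the INPUT chain, the hypothetical helper suggest_allow_rule reads the output of iptables -t filter -L --line-number and prints a rule that admits only the published port ahead of the REJECT; the embedded listing is constructed from the output shown above, and nothing is applied to the firewall.

```shell
# Added example: keep the catch-all REJECT and print a narrow ACCEPT rule
# for one published port instead.

# suggest_allow_rule PORT
# Reads "iptables -t filter -L --line-number" output on stdin and prints the
# iptables command that inserts an ACCEPT for tcp/PORT immediately before
# the first catch-all REJECT/DROP rule of the INPUT chain.
# Returns 2 for an invalid port and 1 when INPUT has no catch-all rule.
suggest_allow_rule() {
    port=$1
    # Accept only a decimal port number in the range 1-65535.
    case $port in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2

    awk -v port="$port" '
    # Track which chain the following rule lines belong to.
    /^Chain / { in_input = ($2 == "INPUT"); next }
    # Columns: num target prot opt source destination ...
    # The first INPUT rule that rejects or drops all protocols from anywhere
    # to anywhere is the catch-all; remember its rule number.
    in_input && ($2 == "REJECT" || $2 == "DROP") && $3 == "all" &&
        $5 == "anywhere" && $6 == "anywhere" && !found {
        found = $1
    }
    END {
        if (!found) exit 1
        # Inserting at the catch-all position pushes the REJECT down by one.
        printf "iptables -t filter -I INPUT %d -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n", found, port
    }'
}

# Constructed sample: the listing shown above, before rule 5 was deleted.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
2 ACCEPT icmp -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere
4 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
5 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain DOCKER (0 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http
EOF
}

sample_listing | suggest_allow_rule 8080
```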

Next, modify index.html on the host:

[root@localhost ~]# echo "Hello World" > nginx/www/index.html

[root@localhost ~]# curl 127.0.0.1:8080
Hello World

View the nginx logs

Because the nginx log directory is bind-mounted to the host, just look at the host directory:

[root@localhost ~]# cat nginx/log/error.log
2019/11/10 14:02:41 [error] 15#15: *1 directory index of "/usr/share/nginx/html/" is forbidden, client: 172.17.0.1, server: localhost, request: "GET / HTTP/1.1", host: "127.0.0.1:8080"
2019/11/10 14:10:16 [error] 15#15: *3 open() "/usr/share/nginx/html/s" failed (2: No such file or directory), client: 172.17.0.1, server: localhost, request: "GET /s HTTP/1.1", host: "127.0.0.1:8080"

[root@localhost ~]# cat nginx/log/access.log
172.17.0.1 - - [10/Nov/2019:14:02:41 +0000] "GET / HTTP/1.1" 403 153 "-" "curl/7.29.0" "-"
172.17.0.1 - - [10/Nov/2019:14:09:19 +0000] "GET / HTTP/1.1" 200 12 "-" "curl/7.29.0" "-"
172.17.0.1 - - [10/Nov/2019:14:10:16 +0000] "GET /s HTTP/1.1" 404 153 "-" "curl/7.29.0" "-"

View the container logs

[root@localhost ~]# docker logs webapp
root@020e48aaf047:/# ip a
bash: ip: command not found
root@020e48aaf047:/# service nginx start

The docker logs command shows the container's standard output.

View the container's port mappings

[root@localhost ~]# docker port webapp
80/tcp -> 0.0.0.0:8080

[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
020e48aaf047 nginx "/bin/bash" 49 minutes ago Up 49 minutes 0.0.0.0:8080->80/tcp webapp

Both port and ps show the container's port mappings.

View container information

[root@localhost ~]# docker inspect webapp

The output is too long to paste here, so here are some common uses of inspect:

docker inspect --format='{{ XXX }}' $(docker ps -aq)
Top-level attribute: {{.Attr}}; second-level attribute: {{.Attr.Attr}}; third-level attribute: {{.Attr.Attr.Attr}}

[root@localhost ~]# docker inspect --format='{{.Name}}' $(docker ps -aq)
/webapp
/eloquent_elion

[root@localhost ~]# docker inspect --format='{{.NetworkSettings.Ports}}' webapp
map[80/tcp:[{0.0.0.0 8080}]]

[root@localhost ~]# docker inspect --format='{{.Mounts}}' webapp
[{bind /root/nginx/www /usr/share/nginx/html true rprivate} {bind /root/nginx/log /var/log/nginx true rprivate}]

[root@localhost ~]# docker inspect -f='{{ .State.Pid }} {{ .Name }}' $(docker ps -aq)
30455 /webapp
0 /eloquent_elion
# To list several fields, write them in order in the template

Build an nginx container with a Dockerfile

Dockerfile

The base image used here is Ubuntu 18.04:

vim Dockerfile

FROM ubuntu:latest
COPY ubuntu_sources.list /etc/apt/sources.list

#RUN apt-get update && apt install nginx -y && service nginx start

RUN apt-get update
RUN apt install nginx -y
RUN service nginx start
EXPOSE 80
CMD ["/usr/sbin/nginx","-g","daemon off;"]

[root@localhost ~]# cat ubuntu_sources.list
deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse

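To speed up the build, I replace the official Ubuntu sources inside the container with the Aliyun mirror.
I also split one RUN instruction into three separate RUN instructions to make troubleshooting easier.

There are many detailed articles online about the individual Dockerfile instructions, so only a few points to watch out for are covered here:

  • RUN executes a command at build time. By default it uses shell form, with /bin/sh as the interpreter; exec form can also be used:
    RUN ["/bin/bash","-c","apt-get update"]

  • CMD is the command executed when the container runs. If no command is given to docker run, the command in CMD is executed by default; otherwise it is overridden by the command arguments passed to run. It also supports both shell form and exec form.

  • ENTRYPOINT is similar to CMD, except that it is not overridden by the command passed to run; it can only be overridden with docker run --entrypoint.

  • EXPOSE declares the ports the container is expected to open; it does not actually open them.
    EXPOSE lets operators and later maintainers know which container ports are in use. In addition, a port declared with EXPOSE is included when -P is used for random port mapping.

Dockerfile build process

  1. Start a container from the base image
  2. Execute one instruction, which modifies the container
  3. Perform an operation similar to docker commit to commit a new image layer
  4. Start a new container from the image just committed
  5. Execute the next instruction in the Dockerfile, and so on until all instructions have been executed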

Build an image from the Dockerfile just written to test it:

    [root@localhost ~]# docker build -t="nginx\test" .
    invalid argument "nginx\\test" for "-t, --tag" flag: invalid reference format
    See 'docker build --help'.
    [root@localhost ~]# docker build -t="nginx/test" .
    Sending build context to Docker daemon 17.02MB
    Step 1/7 : FROM ubuntu:latest
    latest: Pulling from library/ubuntu
    7ddbc47eeb70: Pull complete
    c1bbdc448b72: Pull complete
    8c3b70e39044: Pull complete
    45d437916d57: Pull complete
    Digest: sha256:6e9f67fa63b0323e9a1e587fd71c561ba48a034504fb804fd26fd8800039835d
    Status: Downloaded newer image for ubuntu:latest
    ---> 775349758637
    Step 2/7 : COPY ubuntu_sources.list /etc/apt/sources.list
    ---> 181242f0f40b
    Step 3/7 : RUN apt-get update
    ---> Running in 99fd1ca7af66
    Get:1 http://mirrors.aliyun.com/ubuntu bionic InRelease [242 kB]
    Get:2 http://mirrors.aliyun.com/ubuntu bionic-security InRelease [88.7 kB]
    Get:3 http://mirrors.aliyun.com/ubuntu bionic-updates InRelease [88.7 kB]
    Get:4 http://mirrors.aliyun.com/ubuntu bionic-proposed InRelease [242 kB]
    --------------------------------- N lines omitted ----------------------------------
    Fetched 31.6 MB in 6s (5229 kB/s)
    Reading package lists...
    Removing intermediate container 99fd1ca7af66
    ---> eaff5a858371
    Step 4/7 : RUN apt install nginx -y
    ---> Running in b286363309ff

    WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

    Reading package lists...
    Building dependency tree...
    Reading state information...
    The following additional packages will be installed:
    fontconfig-config fonts-dejavu-core geoip-database iproute2 libatm1 libbsd0
    libelf1 libexpat1 libfontconfig1 libfreetype6 libgd3 libgeoip1 libicu60
    --------------------------------- N lines omitted ----------------------------------
    Setting up libnginx-mod-http-image-filter (1.14.0-0ubuntu1.6) ...
    Setting up nginx-core (1.14.0-0ubuntu1.6) ...
    invoke-rc.d: could not determine current runlevel
    invoke-rc.d: policy-rc.d denied execution of start.
    Setting up nginx (1.14.0-0ubuntu1.6) ...
    Processing triggers for libc-bin (2.27-3ubuntu1) ...
    Removing intermediate container b286363309ff
    ---> 2f8ae2021d9f
    Step 5/7 : RUN service nginx start
    ---> Running in 84f1cf205c13
    * Starting nginx nginx
    ...done.
    Removing intermediate container 84f1cf205c13
    ---> bd70e26420b4
    Step 6/7 : EXPOSE 80
    ---> Running in d6d09b563f1b
    Removing intermediate container d6d09b563f1b
    ---> f542d142ff44
    Step 7/7 : CMD ["/usr/sbin/nginx","-g","daemon off;"]
    ---> Running in 082bd9298887
    Removing intermediate container 082bd9298887
    ---> bfd4e2ad6d5f
    Successfully built bfd4e2ad6d5f
    Successfully tagged nginx/test:latest

The build ran 7 steps in total. Each step produces an intermediate image layer and removes its temporary container. Use docker images -a to see the intermediate images:

    [root@localhost ~]# docker images -a
    REPOSITORY TAG IMAGE ID CREATED SIZE
    nginx/test latest bfd4e2ad6d5f 13 minutes ago 175MB
    <none> <none> f542d142ff44 13 minutes ago 175MB
    <none> <none> bd70e26420b4 13 minutes ago 175MB
    <none> <none> 2f8ae2021d9f 13 minutes ago 175MB
    <none> <none> eaff5a858371 13 minutes ago 115MB
    <none> <none> 181242f0f40b 13 minutes ago 64.2MB
    ubuntu latest 775349758637 10 days ago 64.2MB
    nginx latest 540a289bab6c 2 weeks ago 126MB
    hello-world latest fce289e99eb9 10 months ago 1.84kB

The benefit of intermediate images is easier debugging: if an error occurs during the build, you can use the intermediate images to track it down. And if you build again, Docker uses the cache:

    [root@localhost ~]# docker build -t="nginx/test2" .
    Sending build context to Docker daemon 17.02MB
    Step 1/7 : FROM ubuntu:latest
    ---> 775349758637
    Step 2/7 : COPY ubuntu_sources.list /etc/apt/sources.list
    ---> Using cache
    ---> 43f5cf542548
    Step 3/7 : RUN apt-get update
    ---> Using cache
    ---> 253985e618a0
    Step 4/7 : RUN apt install nginx -y
    ---> Using cache
    ---> f7cc354b2285
    Step 5/7 : RUN service nginx start
    ---> Using cache
    ---> b65798b02f9b
    Step 6/7 : EXPOSE 80
    ---> Using cache
    ---> fcb631f42e23
    Step 7/7 : CMD ["/usr/sbin/nginx","-g","daemon off;"]
    ---> Using cache
    ---> 8de8d9712d62
    Successfully built 8de8d9712d62
    Successfully tagged nginx/test2:latest

Docker used the cache when building again. Pass --no-cache to build to force it not to use the cache:

    [root@localhost ~]# docker build -t="nginx/test2" . --no-cache
    Sending build context to Docker daemon 17.02MB
    Step 1/7 : FROM ubuntu:latest
    ---> 775349758637
    Step 2/7 : COPY ubuntu_sources.list /etc/apt/sources.list
    ---> 9811f9665757
    Step 3/7 : RUN apt-get update
    ---> Running in 269221f45a60
    -------------------- intermediate output omitted -----------------------------
    Removing intermediate container 269221f45a60
    ---> 4c38b00be696
    Step 4/7 : RUN apt install nginx -y
    ---> Running in d97b28c77b71
    -------------------- intermediate output omitted -----------------------------
    Removing intermediate container d97b28c77b71
    ---> 1084e13434d3
    Step 5/7 : RUN service nginx start
    ---> Running in 3e2f5f95cd92
    * Starting nginx nginx
    ...done.
    Removing intermediate container 3e2f5f95cd92
    ---> d28dd784d653
    Step 6/7 : EXPOSE 80
    ---> Running in 154ccad49e33
    Removing intermediate container 154ccad49e33
    ---> 14bced0b57d0
    Step 7/7 : CMD ["/usr/sbin/nginx","-g","daemon off;"]
    ---> Running in c9d55891bb09
    Removing intermediate container c9d55891bb09
    ---> 9387f73ebc76
    Successfully built 9387f73ebc76
    Successfully tagged nginx/test2:latest
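
An added example, not part of the original post: because each instruction runs in a temporary container that is committed and then removed, a process started by RUN service nginx start is gone before the next step, and an apt-get update layer served from the cache can be older than the install step that follows it. The hypothetical helper lint_dockerfile flags these two patterns and an unpinned base image tag; the sample input is the Dockerfile from this page.

```shell
# Added example: flag three build-time pitfalls in a Dockerfile read from stdin.
# Findings are printed as "<line-number>:<finding>:<text>".
lint_dockerfile() {
    awk '
    { instr = toupper($1) }

    # FROM with no tag, or with :latest, resolves to a different image over
    # time, so the same Dockerfile can yield different contents per build.
    instr == "FROM" {
        ref = ($2 ~ /^--/) ? $3 : $2
        # Look for the tag only after the last slash, so a registry port
        # such as host:5000/image is not mistaken for a tag.
        name = ref; sub(/^.*\//, "", name)
        if (ref !~ /@sha256:/ && (name !~ /:/ || name ~ /:latest$/))
            print NR ":unpinned-base:" ref
    }

    instr == "RUN" {
        cmd = $0; sub(/^[ \t]*[Rr][Uu][Nn][ \t]+/, "", cmd)
        # A process started during the build ends with the temporary
        # container; only filesystem changes of the step reach the image.
        if (cmd ~ /^service[ \t]+[^ \t]+[ \t]+start[ \t]*$/)
            print NR ":build-time-service-start:" cmd
        # A package index cached in its own layer goes stale relative to a
        # later install layer that is rebuilt.
        if (cmd ~ /^apt(-get)?[ \t]+update[ \t]*$/)
            print NR ":update-in-own-layer:" cmd
    }'
}

# Sample input: the Dockerfile shown earlier on this page.
sample_dockerfile() {
    cat <<'EOF'
FROM ubuntu:latest
COPY ubuntu_sources.list /etc/apt/sources.list

#RUN apt-get update && apt install nginx -y && service nginx start

RUN apt-get update
RUN apt install nginx -y
RUN service nginx start
EXPOSE 80
CMD ["/usr/sbin/nginx","-g","daemon off;"]
EOF
}

sample_dockerfile | lint_dockerfile
```

In the resulting image nginx is started only by the CMD line, which is why the build succeeds either way.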

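Re-attach to a container

As mentioned earlier, pressing Ctrl+P+Q in the container's shell puts the container in the background. A container running in the background can be brought back to the foreground with attach:
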
    [root@localhost ~]# docker ps
    CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
    e1371fb81726 ubuntu "/bin/bash" 33 seconds ago Up 32 seconds sharp_satoshi
    [root@localhost ~]# docker attach e1
    root@e1371fb81726:/#