The article below:
【hcie-cloud】【20】Containers in Detail【Container Introduction, How Containers Work, Common Container Commands】【Part 1】

`docker network ls` lists the current network types:

```
[root@localhost etc]# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
de9318b2d1fc   bridge    bridge    local
eff3707e730d   host      host      local
44e296e50379   none      null      local
```

`docker network create` creates a new network:

```
[root@localhost etc]# docker network create -d macvlan test
78cfffc0e65c80ba378994f533a4b15bfd272768f6943cf5d05a56e3a0dd75e0
[root@localhost etc]# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
de9318b2d1fc   bridge    bridge    local
eff3707e730d   host      host      local
44e296e50379   none      null      local
78cfffc0e65c   test      macvlan   local
```
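
The `docker network create` command can specify the type of the network. The `--subnet` option specifies the network's subnet and the `--gateway` option specifies the network's gateway. Use the help command to see more options and what they do.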

The command `docker network inspect NetworkName` shows the details of a network:

```
[root@localhost etc]# docker network inspect test
[
    {
        "Name": "test",
        "Id": "78cfffc0e65c80ba378994f533a4b15bfd272768f6943cf5d05a56e3a0dd75e0",
        "Created": "2022-04-20T02:14:23.608005889-04:00",
        "Scope": "local",
        "Driver": "macvlan",
        "EnableIPv6": false,
        ...........
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]
```

The `--network` option specifies the network a container uses. For example, the command `docker run --network test -d busybox sleep 3600` makes the container use the network named test:

```
[root@localhost etc]# docker run --network test -d busybox sleep 3600
[root@localhost etc]# docker ps -a
CONTAINER ID   IMAGE     COMMAND        CREATED          STATUS          PORTS     NAMES
d9bba594e156   busybox   "sleep 3600"   57 seconds ago   Up 56 seconds             sharp_robinson
[root@localhost etc]# docker inspect sharp_robinson | grep -A 5 test
"NetworkMode": "test",
"PortBindings": {},
"RestartPolicy": {
"Name": "no",
"MaximumRetryCount": 0
},
--
"test": {
"IPAMConfig": null,
"Links": null,
"Aliases": [
"d9bba594e156"
],
```
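
Changes to data inside a container are saved only in the temporary read-write layer and cannot be stored permanently. Once the container is deleted, this data is deleted with it.

If the data a container produces needs to be persisted, there are two ways to do it:

When a container is stopped, the data in the temporary read-write layer is not deleted. It is deleted only when the container itself is deleted.

Third-party storage plugins are covered in the container orchestration chapter. This chapter mainly covers the first way.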

The `-v` parameter can be used multiple times to mount multiple files or directories into a container. In `docker run -d -v /root/index.html:/usr/share/nginx/html/index.html nginx:1.21`, the file `/root/index.html` is mounted at `/usr/share/nginx/html/index.html` in the container:

```
[root@localhost ~]# echo "hello CCE" > index.html
[root@localhost ~]# docker run -d -v /root/index.html:/usr/share/nginx/html/index.html nginx:1.21
e5517b6737cf405c47969cc6d9bfe96b0798ce351e90eebbf235e7a2babe9221
[root@localhost ~]# docker inspect e5 | grep IPAddress
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.2",
"IPAddress": "172.17.0.2",
[root@localhost ~]# curl 172.17.0.2:80
hello CCE
```

When the `-v` option mounts a host file or directory into a container, the container's permissions on the mounted data can be set:

- `ro`: the container has read-only permission on the mounted data
- `rw`: the default permission; the container has read-write permission on the mounted data

In `docker run -d -v /root/index.html:/usr/share/nginx/html/index.html:rw -v /etc/localtime:/etc/localtime:ro nginx:1.21`, `/root/index.html` can be read and written by the container, while the container has only read permission on `/etc/localtime`:

```
[root@localhost ~]# echo "hello CCE" > index.html
[root@localhost ~]# docker run -d -v /root/index.html:/usr/share/nginx/html/index.html:rw -v /etc/localtime:/etc/localtime:ro nginx:1.21
67d3926b4efc8dcd8e4160cf6f5260ff06f81b1b3a402e8c0d3723de4ec34eac
root@67d3926b4efc:/# echo "hello CCE again" >> /usr/share/nginx/html/index.html
root@67d3926b4efc:/# cat /usr/share/nginx/html/index.html
hello CCE
hello CCE again
root@67d3926b4efc:/# echo "hello CCE again" >> /etc/localtime
bash: /etc/localtime: Read-only file system
```

After a host file or directory has been mounted into a container, it can be modified inside the container if the container has read-write permission on it, and it can also be modified directly on the host:

```
[root@localhost ~]# docker ps -a
CONTAINER ID   IMAGE        COMMAND                  CREATED          STATUS          PORTS     NAMES
67d3926b4efc   nginx:1.21   "/docker-entrypoint.…"   10 minutes ago   Up 10 minutes   80/tcp    hungry_lehmann
[root@localhost ~]# curl 172.17.0.2:80
hello CCE
hello CCE again
[root@localhost ~]# echo "hello CCE one more time" >> index.html
[root@localhost ~]# curl 172.17.0.2:80
hello CCE
hello CCE again
hello CCE one more time
```
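
The `-v source:target[:mode]` syntax above, as an added example that is not part of the original article: a small Python parser that extracts the mounts from a `docker run` command line and reports which host paths the container can write to, since a mount with no explicit mode is `rw`. The function names are hypothetical, and the code assumes every `-v` on the line is a Docker option rather than an argument to the container's own command.

```python
import shlex

def parse_mounts(command):
    """Return the -v/--volume mounts found in a docker run command line."""
    args = iter(shlex.split(command))
    mounts = []
    for arg in args:
        if arg in ("-v", "--volume"):
            spec = next(args, "")
        elif arg.startswith("--volume="):
            spec = arg.split("=", 1)[1]
        else:
            continue
        parts = spec.split(":")
        if len(parts) < 2:
            continue                       # container path only: anonymous volume
        options = parts[2].split(",") if len(parts) > 2 else []
        mounts.append({
            "source": parts[0],
            "target": parts[1],
            "mode": "ro" if "ro" in options else "rw",   # rw is the default
            "bind": parts[0].startswith("/"),            # host path, not a named volume
        })
    return mounts

def writable_host_paths(command):
    """Host files or directories the container is able to modify."""
    return [m["source"] for m in parse_mounts(command)
            if m["bind"] and m["mode"] == "rw"]

# The two commands used in this article.
IMPLICIT = "docker run -d -v /root/index.html:/usr/share/nginx/html/index.html nginx:1.21"
EXPLICIT = ("docker run -d -v /root/index.html:/usr/share/nginx/html/index.html:rw "
            "-v /etc/localtime:/etc/localtime:ro nginx:1.21")

if __name__ == "__main__":
    for cmd in (IMPLICIT, EXPLICIT):
        print(writable_host_paths(cmd))
```

Both commands leave `/root/index.html` writable from inside the container; only the `:ro` suffix on `/etc/localtime` removes write access.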
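
A container image is the template for a container, and a container is a running instance of an image. The runtime creates containers from container images.

The container image is mounted at the container's root directory. It is the file system that gives the application in the container its isolated execution environment.

A container image packages the files and directories of an entire operating system (the rootfs), and of course the application itself. In other words, the application and all the dependencies it needs to run are encapsulated in the container image, which keeps the local environment and the cloud environment highly consistent.

Container images use a layered structure:

For an application, the operating system is the most complete dependency it needs to run.

A container image directly packages the entire operating system the application needs, which keeps the local environment and the cloud environment highly consistent. For software development, container images connect the "development - test - deployment" workflow.

A container image only provides the files of the image file system. Kernel-related modules and feature support depend entirely on the host.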
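
Operation | What happens |
---|---|
Create a file | A new file can only be added in the container layer. |
Delete a file | The layers are searched from top to bottom. Once the file is found, the deletion is recorded in the container layer. In practice, UnionFS creates a "whiteout" file in the container layer that "masks" the deleted file. |
Modify a file | The layers are searched from top to bottom. Once the file is found, the data in the image layer is copied to the container layer and modified there; the modified data is kept in the container layer. (copy-on-write) |
Read a file | The layers are searched from top to bottom. |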

```
[root@localhost ~]# docker inspect bf
……..
"GraphDriver": {
    "Data": {
        "LowerDir": "/var/lib/docker/overlay2/b4eef5898b52ed697302ab7f03ac990b4eeac7f8d0b0e98d2ac1cd9f7af010d1-init/diff:/var/lib/docker/overlay2/801de6e91d75ed7a70a4978f40c1441d7020753fd30c0122a28108239b2dc042/diff:/var/lib/docker/overlay2/8b4ccfb6da748d8a3a311b06a6bd8dfb466f8953cf805fcfa1d374048e0d228d/diff:/var/lib/docker/overlay2/f7b0d2d35e7b39ad52706465dc5f50885ec12db1f2a87dbe6be00ad0c3bfbbea/diff:/var/lib/docker/overlay2/09ff411dc8224739cf2d5578ddbf21f6d6d5d3b6b04038fa9702f4338a40a097/diff:/var/lib/docker/overlay2/6549a19669295423943929a5273152ce34b28002c7a204595a7543e19ec9b415/diff",
        "MergedDir": "/var/lib/docker/overlay2/b4eef5898b52ed697302ab7f03ac990b4eeac7f8d0b0e98d2ac1cd9f7af010d1/merged",
        "UpperDir": "/var/lib/docker/overlay2/b4eef5898b52ed697302ab7f03ac990b4eeac7f8d0b0e98d2ac1cd9f7af010d1/diff",
        "WorkDir": "/var/lib/docker/overlay2/b4eef5898b52ed697302ab7f03ac990b4eeac7f8d0b0e98d2ac1cd9f7af010d1/work"
    },
    "Name": "overlay2"
},
"Mounts": [],
………….
```
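
The four operations in the table, modelled in Python as an added example (not code from the original article or from Docker): the image layers are read-only dictionaries, like the `LowerDir` entries, and the container layer, like `UpperDir`, is the only one that changes. It shows a consequence that matters when an image carries sensitive files: a delete only adds a whiteout to the container layer, and the original content stays in the image layer. The class, paths and contents are constructed for illustration.

```python
WHITEOUT = object()  # stands in for the whiteout file UnionFS writes on delete

class LayeredFS:
    """Toy model: read-only image layers under one writable container layer."""

    def __init__(self, image_layers):
        self.image_layers = image_layers  # list of dicts, topmost layer first
        self.container = {}               # the writable container layer

    def read(self, path):
        # Search from the container layer down through the image layers.
        for layer in (self.container, *self.image_layers):
            if path in layer:
                if layer[path] is WHITEOUT:
                    break                 # hidden by a whiteout
                return layer[path]
        raise FileNotFoundError(path)

    def create(self, path, data):
        self.container[path] = data       # new files only land in the container layer

    def modify(self, path, data):
        self.read(path)                   # must be visible somewhere in the stack
        self.container[path] = data       # copy-on-write: image layers untouched

    def delete(self, path):
        self.read(path)
        self.container[path] = WHITEOUT   # record the deletion, hide lower copies

    def in_image(self, path):
        """Return the copies still stored in the read-only image layers."""
        return [layer[path] for layer in self.image_layers if path in layer]


def demo():
    # Constructed sample layers; paths and contents are made up for illustration.
    base = {"/etc/os-release": "debian", "/app/build.key": "constructed-secret"}
    app = {"/usr/share/nginx/html/index.html": "welcome"}
    fs = LayeredFS([app, base])
    fs.modify("/usr/share/nginx/html/index.html", "hello CCE")
    fs.delete("/app/build.key")
    try:
        fs.read("/app/build.key")
        visible = True
    except FileNotFoundError:
        visible = False
    return (fs.read("/usr/share/nginx/html/index.html"),
            app["/usr/share/nginx/html/index.html"],
            visible,
            fs.in_image("/app/build.key"))
```

`demo()` returns the modified page as the container sees it, the unchanged copy in the image layer, `False` for the deleted file's visibility, and the content that is still present in the base layer.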
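
A Registry is a repository that stores container images, from which users can download and access images. Registries fall into two kinds, public and private.

A cloud image registry is a private image registry service offered by a cloud provider. Commonly used cloud image registry services include:

Cloud image registry services also provide an image accelerator feature.

The `docker info` command shows the address of the image registry currently in use.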
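
- `registry`: the image registry address. If it is not specified, this generally means the official public images are used. When using a private image registry, using the full path is recommended.
- `path`: the path within the image registry where the image is stored. When using a private image registry, using the full path is recommended.
- `imagename`: the container image name.
- `tag`: the image version. If it is not specified, it is `latest`. It is generally recommended to set it to the form version number-software contained in the image-base image information.

```
[root@localhost ~]# docker images
REPOSITORY                                         TAG    IMAGE ID       CREATED       SIZE
swr.cn-north-4.myhuaweicloud.com/test-real/nginx   1.21   12766a6745ee   2 weeks ago   142MB
swr.cn-north-4.myhuaweicloud.com/test-real/nginx   test   12766a6745ee   2 weeks ago   142MB
nginx
[root@localhost ~]# docker inspect nginx:test
[
    {
        "Id": "sha256:12766a6745eea133de9fdcd03ff720fa971fdaf21113d4bc72b417c123b15619",
        "RepoTags": [
            "nginx:test",
            "swr.cn-north-4.myhuaweicloud.com/test-real/nginx:1.21",
            "swr.cn-north-4.myhuaweicloud.com/test-real/nginx:test"
        ],
        "RepoDigests": [
            "swr.cn-north-4.myhuaweicloud.com/test-real/nginx@sha256:83d487b625d8c7818044c04f1b48aabccd3f51c3341fc300926846bca0c439e6"
..........
```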
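
The naming rules above (the default registry, the `library/` path, the implicit `latest` tag and the `RepoDigests` form) can be applied mechanically. This added example, which is not from the original article, splits a reference into its parts and lists what the reference leaves unpinned. `parse_image_ref` and `review` are hypothetical names, and the registry test (a first component containing `.` or `:`, or equal to `localhost`) is a simplified reimplementation of the convention Docker uses.

```python
DEFAULT_REGISTRY = "docker.io"   # used when the reference names no registry

def parse_image_ref(ref):
    """Split an image reference into registry, path, imagename, tag and digest."""
    name, _, digest = ref.partition("@")
    tag = None
    # Only a ':' after the last '/' starts a tag; an earlier one is host:port.
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    first, slash, rest = name.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, remainder = first, rest
    else:
        registry, remainder = DEFAULT_REGISTRY, name
        if "/" not in remainder:
            remainder = "library/" + remainder   # official images live here
    path, _, imagename = remainder.rpartition("/")
    if tag is None and not digest:
        tag = "latest"                           # implicit default tag
    return {"registry": registry, "path": path, "imagename": imagename,
            "tag": tag, "digest": digest or None}

def review(ref):
    """Return what a deployment reference leaves open to change."""
    parsed = parse_image_ref(ref)
    notes = []
    if not ref.startswith(parsed["registry"] + "/"):
        notes.append("implicit-registry")   # falls back to DEFAULT_REGISTRY
    if parsed["tag"] == "latest":
        notes.append("latest-tag")          # conventionally re-pointed at each release
    if parsed["digest"] is None:
        notes.append("no-digest")           # a tag can be re-pointed; a digest cannot
    return notes

# References taken from the sessions in this article.
SWR = "swr.cn-north-4.myhuaweicloud.com/test-real/nginx"
DIGEST = "sha256:83d487b625d8c7818044c04f1b48aabccd3f51c3341fc300926846bca0c439e6"

if __name__ == "__main__":
    for ref in ("nginx", "nginx:1.21", SWR + ":1.21", SWR + "@" + DIGEST):
        print(ref, parse_image_ref(ref), review(ref))
```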

`docker pull` pulls an image from an image registry to the local host. `docker pull nginx:1.21` pulls version 1.21 of the nginx image. The registry address and path are omitted in this command, so the system pulls from the official registry by default, shown below as `docker.io/library/`:

```
[root@localhost ~]# docker pull nginx:1.21
1.21: Pulling from library/nginx
c229119241af: Pull complete
2215908dc0a2: Pull complete
08c3cb2073f1: Pull complete
18f38162c0ce: Pull complete
10e2168f148a: Pull complete
c4ffe9532b5f: Pull complete
Digest: sha256:2275af0f20d71b293916f1958f8497f987b8d8fd8113df54635f2a5915002bf1
Status: Downloaded newer image for nginx:1.21
docker.io/library/nginx:1.21
[root@localhost ~]# docker images
REPOSITORY   TAG    IMAGE ID       CREATED       SIZE
nginx        1.21   12766a6745ee   2 weeks ago   142MB
```

`docker login -u xxxxxxx -p xxxxx swr.cn-north-4.myhuaweicloud.com` logs in to the private image registry in the cloud, after which the command `docker pull swr.cn-north-4.myhuaweicloud.com/test-real/nginx:1.21` is used:

```
[root@localhost ~]# docker login -u xxxxxxx -p xxxxx swr.cn-north-4.myhuaweicloud.com
Login Succeeded
[root@localhost ~]# docker pull swr.cn-north-4.myhuaweicloud.com/test-real/nginx:1.21
1.21: Pulling from test-real/nginx
c229119241af: Pull complete
2215908dc0a2: Pull complete
08c3cb2073f1: Pull complete
18f38162c0ce: Pull complete
10e2168f148a: Pull complete
c4ffe9532b5f: Pull complete
Digest: sha256:83d487b625d8c7818044c04f1b48aabccd3f51c3341fc300926846bca0c439e6
Status: Downloaded newer image for swr.cn-north-4.myhuaweicloud.com/test-real/nginx:1.21
swr.cn-north-4.myhuaweicloud.com/test-real/nginx:1.21
[root@localhost ~]# docker images
REPOSITORY                                         TAG    IMAGE ID       CREATED       SIZE
swr.cn-north-4.myhuaweicloud.com/test-real/nginx   1.21   12766a6745ee   2 weeks ago   142MB
```

`docker push` pushes an updated or newly created image to the registry so that others can use it. When pushing an image, use the image's full path so that it is pushed to the exact location. `docker push swr.cn-north-4.myhuaweicloud.com/test-real/nginx:1.21` pushes the image to the corresponding location:

```
[root@localhost ~]# docker push swr.cn-north-4.myhuaweicloud.com/test-real/nginx:1.21
The push refers to repository [swr.cn-north-4.myhuaweicloud.com/test-real/nginx]
ea4bc0cd4a93: Layer already exists
fac199a5a1a5: Layer already exists
5c77d760e1f4: Layer already exists
33cf1b723f65: Layer already exists
ea207a4854e7: Layer already exists
608f3a074261: Layer already exists
1.21: digest: sha256:83d487b625d8c7818044c04f1b48aabccd3f51c3341fc300926846bca0c439e6 size: 1570
```

`docker save` packs one or more images into a single archive file. The packed image can then be downloaded locally:

```
[root@localhost ~]# docker save nginx:test -o nginx
[root@localhost ~]# ls
anaconda-ks.cfg  nginx
```

`docker load` unpacks a packed image:

```
[root@localhost ~]# docker load -i nginx
Loaded image: nginx:test
[root@localhost ~]# docker images
REPOSITORY                                         TAG    IMAGE ID       CREATED       SIZE
swr.cn-north-4.myhuaweicloud.com/test-real/nginx   1.21   12766a6745ee   2 weeks ago   142MB
swr.cn-north-4.myhuaweicloud.com/test-real/nginx   test   12766a6745ee   2 weeks ago   142MB
nginx
```

The `docker rmi` command deletes images on the current host:

```
[root@localhost ~]# docker images
REPOSITORY                                         TAG    IMAGE ID       CREATED       SIZE
nginx                                              test   12766a6745ee   2 weeks ago   142MB
swr.cn-north-4.myhuaweicloud.com/test-real/nginx   1.21   12766a6745ee   2 weeks ago   142MB
swr.cn-north-4.myhuaweicloud.com/test-real/nginx   test   12766a6745ee   2 weeks ago   142MB
[root@localhost ~]# docker rmi nginx:test
Untagged: nginx:test
[root@localhost ~]# docker images
REPOSITORY                                         TAG    IMAGE ID       CREATED       SIZE
swr.cn-north-4.myhuaweicloud.com/test-real/nginx   1.21   12766a6745ee   2 weeks ago   142MB
swr.cn-north-4.myhuaweicloud.com/test-real/nginx   test   12766a6745ee   2 weeks ago   142MB
```

This is the approach I recommend. Go straight to my article below: that article covers the hands-on steps, and the section titled "Dockerfile in detail" below covers the concepts. Have a look at both to get familiar with them.

Detailed guide to building Docker images

```
[root@localhost ~]# docker images
REPOSITORY   TAG    IMAGE ID       CREATED       SIZE
nginx        1.21   12766a6745ee   2 weeks ago   142MB
[root@localhost ~]# docker run -d nginx:1.21
bd46d46a32a4c4c02cb591226334d28630a6b3e1db98c6999170478f5adba24e
[root@localhost ~]# docker exec -it bd /bin/bash
root@bd46d46a32a4:/# echo "hello CCE" > /usr/share/nginx/html/index.html
root@bd46d46a32a4:/# exit
exit
[root@localhost ~]# docker commit bd nginx:test
sha256:d60c3f8cee30013b1649c3ec1cac1029d486f4f1ffe951a9bce45ad3ca184062
[root@localhost ~]# docker images
REPOSITORY   TAG    IMAGE ID       CREATED         SIZE
nginx        test   d60c3f8cee30   5 seconds ago   142MB
nginx        1.21   12766a6745ee   2 weeks ago     142MB
```
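
When building with a Dockerfile, the COPY instruction copies files from the host into the image.

During the build, a Dockerfile can use the CMD instruction to set the command that is executed when the image starts.

The command given after CMD can be overridden by the command supplied when the container is run.

If a Dockerfile contains more than one CMD, the image build does not report an error, but only the last one is executed when the container runs.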

```dockerfile
FROM centos:7
RUN useradd nginx
COPY CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo
RUN yum install -y wget
RUN wget -c http://nginx.org/download/nginx-1.21.0.tar.gz
RUN tar -xzvf nginx-1.21.0.tar.gz
RUN yum -y install gcc gcc-c++ autoconf automake make pcre-devel openssl openssl-devel
WORKDIR nginx-1.21.0
RUN ./configure --prefix=/usr/local/nginx/ --user=nginx --group=nginx --without-http_rewrite_module
RUN make && make install
RUN cp /usr/local/nginx/sbin/nginx /usr/local/sbin/
EXPOSE 80
ENTRYPOINT ["nginx","-g","daemon off;"]
```

The following can be optimized:

The optimized Dockerfile is as follows:

```dockerfile
# Build stage: compile nginx from source
FROM centos:7 as build
COPY CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo
RUN useradd nginx && \
    yum install -y wget gcc gcc-c++ autoconf automake make pcre-devel openssl openssl-devel && \
    wget -c http://nginx.org/download/nginx-1.21.0.tar.gz && \
    tar -xzvf nginx-1.21.0.tar.gz
WORKDIR nginx-1.21.0
RUN ./configure --prefix=/usr/local/nginx/ --user=nginx --group=nginx --without-http_rewrite_module && \
    make && make install

# Runtime stage: copy only the built files into a fresh base image
FROM debian:latest
RUN useradd nginx
COPY --from=build /usr/local/nginx/ /usr/local/nginx/
COPY --from=build /usr/local/nginx/sbin/nginx /usr/local/sbin/nginx
EXPOSE 80
ENTRYPOINT ["nginx","-g","daemon off;"]
```
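
Abbreviation | Full English name | Explanation |
---|---|---|
API | Application Programming Interface | Application programming interface: the set of special rules and requirements that applications provide so that they can communicate with each other |
K8s | Kubernetes | Abbreviation of Kubernetes |
CLI | Command-line Interface | Command-line view |
LB | Load Balance | Load balancing |
AI | Artificial Intelligence | Artificial intelligence |
OA | Office Automation | Office automation |
OTT | Over The Top | Providing various application services to users over the Internet |
CSI | Container Storage Interface | Container storage interface |
CCE | Cloud Container Engine | Huawei Cloud container engine |
HCS | HUAWEI CLOUD Stack | Name of a Huawei Cloud solution |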