安装
centos安装docker
一、查看是否已安装了Docker软件包:
#查看是否已经安装的Docker软件包
sudo yum list installed | grep docker
二、如果已安装不想要的docker/docker-engine/docker-ce软件包,卸载掉
#如果已安装不想要docker、docker-engine、docker-ce相关的软件包,则卸载掉:
sudo yum -y remove docker docker-common docker-selinux docker-engine docker-engine-selinux container-selinux docker-ce
#删除所有的镜像、容器、数据卷、配置文件等,如果不想删除已安装的镜像和运行的容器则跳过此步
sudo rm -rf /var/lib/docker
# 安装docker
yum install docker-ce docker-ce-cli containerd.io -y
"insecure-registries": ["0.0.0.0/0"]的作用
#docker可以从任意源拉取镜像,也可以向任意仓库推送镜像,否则会报
tls: failed to verify certificate: x509: certificate signed by unknown authority
insecure-registries的作用
docker客户端如果配置中添加了insecure-registary配置,就不需要在docker 客户端配置上对应证书,如果不配置就需要在/etc/docker/certs.d/目录中添加对应证书才能正常登录。
镜像加速
适用Ubuntu 16.04+、Debian 8+、CentOS 7
[root@node-1 ~]# vi /etc/docker/daemon.json
{
"registry-mirrors": [
"https://ung2thfc.mirror.aliyuncs.com",
"https://registry.docker-cn.com",
"http://hub-mirror.c.163.com",
"https://docker.mirrors.ustc.edu.cn"
],
"insecure-registries": ["0.0.0.0/0"],
"log-opts": {
"max-file": "3",
"max-size": "10m"
}
}
启动 Docker
$ sudo systemctl enable docker # 开机自启
$ sudo systemctl start docker # 启动docker
Docker基础命令
[root@node-1 ~]# docker --help
Usage:
docker [OPTIONS] COMMAND [arg...]
docker daemon [ --help | ... ]
docker [ --help | -v | --version ]
A
self-sufficient runtime for containers.
Options:
--config=~/.docker Location of client config files #客户端配置文件的位置
-D, --debug=false Enable debug mode #启用Debug调试模式
-H, --host=[] Daemon socket(s) to connect to #守护进程的套接字(Socket)连接
-h, --help=false Print usage #打印使用
-l, --log-level=info Set the logging level #设置日志级别
--tls=false Use TLS; implied by--tlsverify #
--tlscacert=~/.docker/ca.pem Trust certs signed only by this CA #信任证书签名CA
--tlscert=~/.docker/cert.pem Path to TLS certificate file #TLS证书文件路径
--tlskey=~/.docker/key.pem Path to TLS key file #TLS密钥文件路径
--tlsverify=false Use TLS and verify the remote #使用TLS验证远程
-v, --version=false Print version information and quit #打印版本信息并退出
Commands:
attach Attach to a running container #当前shell下attach连接指定运行镜像
build Build an image from a Dockerfile #通过Dockerfile定制镜像
commit Create a new image from a container's changes #提交当前容器为新的镜像
cp Copy files/folders from a container to a HOSTDIR or to STDOUT #从容器中拷贝指定文件或者目录到宿主机中
create Create a new container #创建一个新的容器,同run 但不启动容器
diff Inspect changes on a container's filesystem #查看docker容器变化
events Get real time events from the server#从docker服务获取容器实时事件
exec Run a command in a running container#在已存在的容器上运行命令
export Export a container's filesystem as a tar archive #导出容器的内容流作为一个tar归档文件(对应import)
history Show the history of an image #展示一个镜像形成历史
images List images #列出系统当前镜像
import Import the contents from a tarball to create a filesystem image #从tar包中的内容创建一个新的文件系统映像(对应export)
info Display system-wide information #显示系统相关信息
inspect Return low-level information on a container or image #查看容器详细信息
kill Kill a running container #kill指定docker容器
load Load an image from a tar archive or STDIN #从一个tar包中加载一个镜像(对应save)
login Register or log in to a Docker registry#注册或者登陆一个docker源服务器
logout Log out from a Docker registry #从当前Docker registry退出
logs Fetch the logs of a container #输出当前容器日志信息
pause Pause all processes within a container#暂停容器
port List port mappings or a specific mapping for the CONTAINER #查看映射端口对应的容器内部源端口
ps List containers #列出容器列表
pull Pull an image or a repository from a registry #从docker镜像源服务器拉取指定镜像或者库镜像
push Push an image or a repository to a registry #推送指定镜像或者库镜像至docker源服务器
rename Rename a container #重命名容器
restart Restart a running container #重启运行的容器
rm Remove one or more containers #移除一个或者多个容器
rmi Remove one or more images #移除一个或多个镜像(无容器使用该镜像才可以删除,否则需要删除相关容器才可以继续或者-f强制删除)
run Run a command in a new container #创建一个新的容器并运行一个命令
save Save an image(s) to a tar archive#保存一个镜像为一个tar包(对应load)
search Search the Docker Hub for images #在dockerhub中搜索镜像
start Start one or more stopped containers#启动容器
stats Display a live stream of container(s) resource usage statistics #统计容器使用资源
stop Stop a running container #停止容器
tag Tag an image into a repository #给源中镜像打标签 docker tag busybox:latest hub.komect.com:10443/daping/busybox:latest
top Display the running processes of a container #查看容器中运行的进程信息
unpause Unpause all processes within a container #取消暂停容器
version Show the Docker version information#查看容器版本号
wait Block until a container stops, then print its exit code #截取容器停止时的退出状态值
Run 'docker COMMAND --help' for more information on a command. #运行docker命令在帮助可以获取更多信息
docker常用操作命令
docker search hello-docker # 搜索hello-docker的镜像
docker search centos # 搜索centos镜像
docker pull hello-docker # 获取centos镜像
docker run hello-world #运行一个docker镜像,产生一个容器实例(也可以通过镜像id前三位运行)
docker image ls # 查看本地所有镜像
docker images # 查看docker镜像
docker image rmi hello-docker # 删除hello-docker镜像
docker ps # 列出正在运行的容器(如果创建容器中没有进程正在运行,容器就会立即停止)
docker ps -a # 列出所有运行过的容器记录
docker save centos > /opt/centos.tar.gz # 导出docker镜像至本地
docker load < /opt/centos.tar.gz #导入本地镜像到docker镜像库
docker stop `docker ps -aq` # 停止所有正在运行的容器
docker rm `docker ps -aq` # 一次性删除所有容器记录
docker rmi `docker images -aq` # 一次性删除所有本地的镜像记录
docker inspect NAME|ID # 查看容器详细信息
docker container update --restart=always 容器名字 # docker 重启时容器自动重启
systemctl restart docker # 重启docker
# docker 虚悬镜像 ( 悬空镜像 ) :镜像没有仓库名或没有标签,名称一般都是<none>
# 查询显示虚悬镜像
docker images -f dangling=true
# 删除虚悬镜像
docker rmi $(docker images -q -f dangling=true)
docker rmi $(docker images -f "dangling=true" -q)
Docker run 命令
语法
[root@hecs-141602 ~]# docker run --help
Usage: docker run [OPTIONS] IMAGE [COMMAND] [ARG...]
Create and run a new container from an image
Aliases:
docker container run, docker run
Options:
--add-host list Add a custom host-to-IP mapping (host:ip)
--annotation map Add an annotation to the container (passed through to the OCI runtime) (default map[])
-a, --attach list Attach to STDIN, STDOUT or STDERR
--blkio-weight uint16 Block IO (relative weight), between 10 and 1000, or 0 to disable (default 0)
--blkio-weight-device list Block IO weight (relative device weight) (default [])
--cap-add list Add Linux capabilities
--cap-drop list Drop Linux capabilities
--cgroup-parent string Optional parent cgroup for the container
--cgroupns string Cgroup namespace to use (host|private)
'host': Run the container in the Docker host's cgroup namespace
'private': Run the container in its own private cgroup namespace
'': Use the cgroup namespace as configured by the
default-cgroupns-mode option on the daemon (default)
--cidfile string Write the container ID to the file
--cpu-period int Limit CPU CFS (Completely Fair Scheduler) period
--cpu-quota int Limit CPU CFS (Completely Fair Scheduler) quota
--cpu-rt-period int Limit CPU real-time period in microseconds
--cpu-rt-runtime int Limit CPU real-time runtime in microseconds
-c, --cpu-shares int CPU shares (relative weight)
--cpus decimal Number of CPUs
--cpuset-cpus string CPUs in which to allow execution (0-3, 0,1)
--cpuset-mems string MEMs in which to allow execution (0-3, 0,1)
-d, --detach Run container in background and print container ID
--detach-keys string Override the key sequence for detaching a container
--device list Add a host device to the container
--device-cgroup-rule list Add a rule to the cgroup allowed devices list
--device-read-bps list Limit read rate (bytes per second) from a device (default [])
--device-read-iops list Limit read rate (IO per second) from a device (default [])
--device-write-bps list Limit write rate (bytes per second) to a device (default [])
--device-write-iops list Limit write rate (IO per second) to a device (default [])
--disable-content-trust Skip image verification (default true)
--dns list Set custom DNS servers
--dns-option list Set DNS options
--dns-search list Set custom DNS search domains
--domainname string Container NIS domain name
--entrypoint string Overwrite the default ENTRYPOINT of the image
-e, --env list Set environment variables
--env-file list Read in a file of environment variables
--expose list Expose a port or a range of ports
--gpus gpu-request GPU devices to add to the container ('all' to pass all GPUs)
--group-add list Add additional groups to join
--health-cmd string Command to run to check health
--health-interval duration Time between running the check (ms|s|m|h) (default 0s)
--health-retries int Consecutive failures needed to report unhealthy
--health-start-period duration Start period for the container to initialize before starting health-retries countdown (ms|s|m|h) (default 0s)
--health-timeout duration Maximum time to allow one check to run (ms|s|m|h) (default 0s)
--help Print usage
-h, --hostname string Container host name
--init Run an init inside the container that forwards signals and reaps processes
-i, --interactive Keep STDIN open even if not attached
--ip string IPv4 address (e.g., 172.30.100.104)
--ip6 string IPv6 address (e.g., 2001:db8::33)
--ipc string IPC mode to use
--isolation string Container isolation technology
--kernel-memory bytes Kernel memory limit
-l, --label list Set meta data on a container
--label-file list Read in a line delimited file of labels
--link list Add link to another container
--link-local-ip list Container IPv4/IPv6 link-local addresses
--log-driver string Logging driver for the container
--log-opt list Log driver options
--mac-address string Container MAC address (e.g., 92:d0:c6:0a:29:33)
-m, --memory bytes Memory limit
--memory-reservation bytes Memory soft limit
--memory-swap bytes Swap limit equal to memory plus swap: '-1' to enable unlimited swap
--memory-swappiness int Tune container memory swappiness (0 to 100) (default -1)
--mount mount Attach a filesystem mount to the container
--name string Assign a name to the container
--network network Connect a container to a network
--network-alias list Add network-scoped alias for the container
--no-healthcheck Disable any container-specified HEALTHCHECK
--oom-kill-disable Disable OOM Killer
--oom-score-adj int Tune host's OOM preferences (-1000 to 1000)
--pid string PID namespace to use
--pids-limit int Tune container pids limit (set -1 for unlimited)
--platform string Set platform if server is multi-platform capable
--privileged Give extended privileges to this container
-p, --publish list Publish a container's port(s) to the host
-P, --publish-all Publish all exposed ports to random ports
--pull string Pull image before running ("always", "missing", "never") (default "missing")
-q, --quiet Suppress the pull output
--read-only Mount the container's root filesystem as read only
--restart string Restart policy to apply when a container exits (default "no")
--rm Automatically remove the container when it exits
--runtime string Runtime to use for this container
--security-opt list Security Options
--shm-size bytes Size of /dev/shm
--sig-proxy Proxy received signals to the process (default true)
--stop-signal string Signal to stop the container
--stop-timeout int Timeout (in seconds) to stop a container
--storage-opt list Storage driver options for the container
--sysctl map Sysctl options (default map[])
--tmpfs list Mount a tmpfs directory
-t, --tty Allocate a pseudo-TTY
--ulimit ulimit Ulimit options (default [])
-u, --user string Username or UID (format: <name|uid>[:<group|gid>])
--userns string User namespace to use
--uts string UTS namespace to use
-v, --volume list Bind mount a volume
--volume-driver string Optional volume driver for the container
--volumes-from list Mount volumes from the specified container(s)
-w, --workdir string Working directory inside the container
OPTIONS说明:
-a stdin: 指定标准输入输出内容类型,可选 STDIN/STDOUT/STDERR 三项;
-d: 后台运行容器,并返回容器ID;
-i: 以交互模式运行容器,通常与 -t 同时使用;
-P: 随机端口映射,容器内部端口随机映射到主机的端口
-p: 指定端口映射,格式为:主机(宿主)端口:容器端口
-t: 为容器重新分配一个伪输入终端,通常与 -i 同时使用;
--name="nginx-lb": 为容器指定一个名称;
--dns 8.8.8.8: 指定容器使用的DNS服务器,默认和宿主一致;
--dns-search example.com: 指定容器DNS搜索域名,默认和宿主一致;
-h "mars": 指定容器的hostname;
-e username="ritchie": 设置环境变量;
--env-file=[]: 从指定文件读入环境变量;
--cpuset="0-2" or --cpuset="0,1,2": 绑定容器到指定CPU运行;
-m :设置容器使用内存最大值;
--net="bridge": 指定容器的网络连接类型,支持 bridge/host/none/container: 四种类型;
--link=[]: 添加链接到另一个容器;
--expose=[]: 开放一个端口或一组端口;
--volume , -v: 绑定一个卷
启动容器的两种方式
容器是运行应用程序的,所以必须得先有一个操作系统为基础
# 1. 后台运行一个docker
$ docker run -d centos /bin/sh -c "while true;do echo 正在运行; sleep 1;done"
# -d 后台运行容器
# centos 镜像
# /bin/sh 指定使用centos的bash解释器
# -c 运行一段shell命令
# "while true;do echo 正在运行; sleep 1;done" 在linux后台,每秒中打印一次正在运行
$ docker ps # 检查容器进程
$ docker logs -f 容器id/名称 # 不间断打印容器的日志信息
$ docker stop centos # 停止容器
# 2. 启动一个bash终端,允许用户进行交互
$ docker run --name mydocker -it centos /bin/bash
# --name 给容器定义一个名称
# -i 让容器的标准输入保持打开
# -t 让Docker分配一个伪终端,并绑定到容器的标准输入上
# /bin/bash 指定docker容器,用shell解释器交互
当利用docker run来创建容器时,Docker在后台运行的步骤如下:
检查本地是否存在指定的镜像,不存在就从公有仓库下载
利用镜像创建并启动一个容器
分配一个文件系统,并在只读的镜像层外面挂在一层可读写层
从宿主主机配置的网桥接口中桥接一个虚拟接口到容器中去
从地址池配置一个ip地址给容器
执行用户指定的应用程序
执行完毕后容器被终止
终止状态的容器重新启动
$ docker ps -a # 先查询记录
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ee92fcf6f32d centos "/bin/bash" 4 days ago Exited (137) 3 days ago kickass_raman
$ docker start ee9 # 再启动这个容器
ee9
$ docker exec -it ee9 /bin/bash # 进入容器交互式界面
[root@ee92fcf6f32d /]# # 注意看用户名,已经变成容器用户名
提交创建自定义镜像
# 1.我们进入交互式的centos容器中,发现没有vim命令
$ docker run -it centos
# 2.在当前容器中,安装一个vim
$ yum install -y vim
# 3.安装好vim之后,exit退出容器
$ exit
# 4.查看刚才安装好vim的容器记录
$ docker container ls -a
# 5.提交这个容器,创建新的image
$ docker commit 059fdea031ba chaoyu/centos-vim
# 6.查看镜像文件
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
chaoyu/centos-vim latest fd2685ae25fe 5 minutes ago
外部访问容器
容器中可以运行网络应用,但是要让外部也可以访问这些应用,可以通过-p或-P参数指定端口映射。
$ docker run -d -P training/webapp python app.py
# -P 参数会随机映射端口到容器开放的网络端口
# 检查映射的端口
$ docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cfd632821d7a training/webapp "python app.py" 21 seconds ago Up 20 seconds 0.0.0.0:32768->5000/tcp brave_fermi
#宿主机ip:32768 映射容器的5000端口
# 查看容器日志信息
$ docker logs -f cfd # #不间断显示log
# 也可以通过-p参数指定映射端口
$ docker run -d -p 9000:5000 training/webapp python app.py
打开浏览器访问服务器的9000端口, 内容显示 Hello world!表示正常启动(如果访问失败的话,检查自己的防火墙,以及云服务器的安全组)。