Docker实战笔记:Docker简介(二) 博客分类: docker
摘要: 摘要: 此Docker系列学习笔记,根据Reboot教育PC大神的运维自动化部分课程整理而成,补充少量个人理解以及练习日志(部分日志有删减)。 PC大神在知乎的专栏:面向工资编程 Docker简介(一) Docker简介(二) Docker管理系统(一) Docker管理系统(二) Docker管理系统(三) Docker原理-namespace和文件系统 Docker原理-徒手创建一个docker容器 Docker、etcd构建服务自发现体系 Docker生态系统:k8s、etcd等 etcd分布式一致性算法paxos、raft
# Docker实战笔记 [TOC] # 提纲 此Docker系列学习笔记,根据[Reboot教育](http://www.51reboot.com)PC大神的运维自动化部分课程整理而成,补充少量个人理解以及练习日志(部分日志有删减)。 PC大神在知乎的专栏:[面向工资编程](https://zhuanlan.zhihu.com/auxten) + Docker简介(一) + Docker简介(二) + Docker管理系统(一) + Docker管理系统(二) + Docker管理系统(三) + Docker原理-namespace和文件系统 + Docker原理-徒手创建一个docker容器 + Docker、etcd构建服务自发现体系 + Docker生态系统:k8s、etcd等 + etcd分布式一致性算法paxos、raft # Docker简介(二) # 盗梦空间 使用docker时,应时刻注意自己在哪儿,防止误操作。docker容器一般都是root全新,这个时候往往是宿主机、各容器相互交错,甚至有时候还有自己的笔记本远程登录维护的场景;一个不慎,就是生产事故。 **解决办法:设置PS1变量**,每个用户下颜色不一样,提示符不一样。同时加强用户权限的管理和落地,赋予运维人员岗位角色最小的权限,严格控制特殊权限如root的申请流程和双人复核制度; ## 参考bashrc 将以下代码保存为 bashrc ```bash #!/bin/bash #export DYLD_FALLBACK_LIBRARY_PATH="${HOME}/wine/wine-1.2/lib:/usr/X11/lib:/usr/ lib" export TERM=xterm-color export CLICOLOR=1 export LSCOLORS=ExFxCxDxBxegedabagacad export EDITOR=vi #export CDPATH=$CDPATH:/Users/auxten/Documents/Codes/ use_color=false # Set colorful PS1 only on colorful terminals. # dircolors --print-database uses its own built-in database # instead of using /etc/DIR_COLORS. Try to use the external file # first to take advantage of user additions. Use internal bash # globbing instead of external grep binary. safe_term=${TERM//[^[:alnum:]]/?} # sanitize TERM match_lhs="" [[ -f /.dir_colors ]] && match_lhs="${match_lhs}$(</.dir_colors)" [[ -f /etc/DIR_COLORS ]] && match_lhs="${match_lhs}$(</etc/DIR_COLORS)" [[ -z ${match_lhs} ]] \ && type -P dircolors >/dev/null \ && match_lhs=$(dircolors --print-database) [[ $'\n'${match_lhs} == *$'\n'"TERM "${safe_term}* ]] && use_color=true if ${use_color} ; then # Enable colors for ls, etc. Prefer ~/.dir_colors #64489 if type -P dircolors >/dev/null ; then if [[ -f ~/.dir_colors ]] ; then eval $(dircolors -b ~/.dir_colors) elif [[ -f /etc/DIR_COLORS ]] ; then eval $(dircolors -b /etc/DIR_COLORS) fi fi if [[ ${EUID} == 0 ]] ; then PS1='\[\033[01;31m\]\h\[\033[01;34m\] \w \$\[\033[00m\] ' else PS1='\[\033[01;33m\]\u.\[\033[01;34m\]\[\033[01;32m\]\h\[\033[01;34m\] \ w \$\[\033[00m\] ' #PS1='\[\033[01;32m\]\u@\h\[\033[01;34m\] \w \$\[\033[00m\] ' fi alias ls='ls -G' alias grep='grep --colour=auto' else if [[ ${EUID} == 0 ]] ; then # show root@ when we don't have colors PS1='\u@\h \W \$ ' else PS1='\u@\h \w \$ ' fi fi # Try to keep environment pollution down, EPA loves us. unset use_color safe_term match_lhs ``` ## 设置命令 ```bash cp bashrc ~/.bashrc . ~/.bashrc ``` ## 赠与root ```bash sudo cp ~/.bashrc /root/ sudo su - ``` ## 效果展示 AnInputForce账号没有sudo权限,这里有一个课件截图:  # 基本操作 ## docker stop 停止docker容器。 建议不使用,直接使用docker rm -f 停止并删除容器:干净整洁不留垃圾;stop命令略慢,rm命令毫秒级别。以下是演示, ### 停止,清理容器 ```bash AnInputForce.teach ~ $ docker run --name="centos_kch" -itd centos tail -f /etc/hosts 608ca094cbf836087a749f464e4e1175502cd0e0d184e174b99bfe59b4a18015 AnInputForce.teach ~ $ docker ps | grep kch 608ca094cbf8 centos "tail -f /etc/hosts" 28 seconds ago Up 26 seconds centos_kch AnInputForce.teach ~ $ docker stop centos_kch centos_kch AnInputForce.teach ~ $ docker ps | grep kch AnInputForce.teach ~ $ docker ps -a | grep kch 608ca094cbf8 centos "tail -f /etc/hosts" About a minute ago Exited (137) 16 seconds ago centos_kch AnInputForce.teach ~ $ docker rm centos_kch centos_kch AnInputForce.teach ~ $ docker ps -a | grep kch ``` ### 直接停止并删除容器 ```bash AnInputForce.teach ~ $ docker run --name="centos_kch" -itd centos tail -f /etc/hosts e916042b88f1fe5829d400188c7cb806d7075751a9142c5fb9935a81b7924f56 AnInputForce.teach ~ $ docker ps | grep kch e916042b88f1 centos "tail -f /etc/hosts" 18 seconds ago Up 17 seconds centos_kch AnInputForce.teach ~ $ docker rm -f centos_kch centos_kch AnInputForce.teach ~ $ docker ps | grep kch AnInputForce.teach ~ $ docker ps -a | grep kch AnInputForce.teach ~ $ ``` ## docker exec 进入容器简化 我们经常要写这条命令,进入容器交互bash: ```bash docker exec -it centos_kch bash ``` 有网友写了个脚本简化这件事:[帖子看这里](http://askubuntu.com/questions/505506/how-to-get-bash-or-ssh-into-a-running-container-in-background-mode),看3楼的回复。 ```bash #!/bin/bash -xe # docker id might be given as a parameter DID=$1 if [[ "$DID" == "" ]]; then # if no id given simply just connect to the first running instance DID=$(docker ps | grep -Eo "^[0-9a-z]{8,}\b") fi docker exec -i -t $DID bash ``` 修订一下:如果不带参数,默认进入第一个运行的容器,但是过滤出来的是所有运行的容器。此处修订: ### 保存脚本为dgo ```bash #!/bin/bash -xe # docker id might be given as a parameter DID=$1 if [[ "$DID" == "" ]]; then # if no id given simply just connect to the first running instance DID=$(docker ps | grep -Eo "^[0-9a-z]{8,}\b" | head -n 1) fi docker exec -i -t $DID bash ``` ### 设置Setup > Put docker-ssh file in your $PATH with the following contents 有root权限的话,我们直接copy到bin目录 ```bash sudo cp dgo /usr/local/bin/ ``` ### 演示Usage > If you have one running instance simply run + dgo > Otherwise provide it with a docker id parmeter that you get from docker ps (first col) + dgo $docker-id,# dgo 3ccdb6bcf75a + dgo $container-name,# dgo centos_kch ```bash AnInputForce.teach ~ $ docker run --name="centos_kch" -itd centos tail -f /etc/hosts 3ccdb6bcf75a197b4cfbeec3d6754d3d55630e11544f396e5cd942064dae220e AnInputForce.teach ~ $ dgo centos_kch + DID=centos_kch + [[ centos_kch == '' ]] + docker exec -i -t centos_kch bash [root@3ccdb6bcf75a /]# ``` ### 脚本参数 + bash -xe + -x 显示执行日志 + 把它执行的每条命令都打到console上,有助于让大家了解都执行的什么,有助于提醒这个脚本是个自定义命令;这是一个非常好的习惯; + -e 执行完退出; ## docker run -v -p + -v 映射目录 + -p 映射端口 **Tips:**端口映射docker是用iptable实现的,CentOS7引入了firewalld,本质上比iptable好用一些,如果docker用到端口映射,firewalld服务就不能听。内网使用,可以一上来用firewalld把所有端口都打开,这样比较方便docker管理端口映射。 ### 验证思路 筛选端口有没有占用,没有输出则可用 ```bash sudo netstat -nltp | grep 8084 ``` 将宿主机home目录的data文件夹映射到容器的/data目录,同时将宿主机的8084端口映射到宿主机的80端口 ```bash docker run --name"kch-centos" -v ~/data:/data -p 8084:80 -itd centos tail -f /etc/hosts ``` ### 映射目录验证 ```bash AnInputForce.teach ~ $ docker run --name "kch-centos" -v ~/data:/data -p 8084:80 -itd centos tail -f /etc/hosts 9bae287a1df72f557a218044e58dc61c473b8d746f9f4e02c801cf58e014385f AnInputForce.teach ~ $ ll 总用量 16 -rw-r--r-- 1 AnInputForce 231 11月 15 09:15 20161115.bashrc drwxr-xr-x 2 root 4096 11月 15 19:42 data drwxr-xr-x 6 root 4096 10月 16 10:41 open-falcon -rwxr-xr-x 1 AnInputForce 377 10月 16 11:42 runof.sh AnInputForce.teach ~ $ docker exec -it kch-centos /bin/bash [root@9bae287a1df7 /]# ll | grep data drwxr-xr-x 2 root root 4096 Nov 15 11:42 data [root@9bae287a1df7 /]# echo xxxyyy > data/xxx [root@9bae287a1df7 /]# exit exit AnInputForce.teach ~ $ cat data/xxx xxxxyyy AnInputForce.teach ~ $ ``` ### 端口映射验证 进入容器,启动一个python的SimpleHTTPServer,绑定80端口; 在浏览器中输入http://localhost:8084,成功访问; 演示使用的是教学机http://reboot.linrc.com:8084 ```bash AnInputForce.teach ~ $ docker exec -it kch-centos /bin/bash [root@9bae287a1df7 /]# python -m SimpleHTTPServer 80 Serving HTTP on 0.0.0.0 port 80 ... 219.142.60.11 - - [15/Nov/2016 12:03:14] "GET / HTTP/1.1" 200 - 219.142.60.11 - - [15/Nov/2016 12:03:14] code 404, message File not found 219.142.60.11 - - [15/Nov/2016 12:03:14] "GET /favicon.ico HTTP/1.1" 404 - ``` ## docker inspect $docker id | $docker name ```bash docker inspect centos_kch ``` 我们在使用docker过程中,如果碰上莫名其妙的问题,比如没写绝对路径时,不知道目录映射到哪儿了,就可以运行此命令,看"Mounts"属性; ## docker 创建镜像 推荐用dockerfile来构建镜像,因为可以提交git版本控制:清楚展现了所经历的过程。不推荐在现有容器中yum安装配置后,再commit创建镜像。后者参考:[Docker学习之路(六)用commit命令创建镜像](https://segmentfault.com/a/1190000002567459) + commit + ```bash docker commit -m "Added something" -a "Docker Newbee" centos centos:v2 ``` + ```bash docker rmi ``` + -a 就是author,作者 + dockerfile + ```dockerfile FROM ubuntu:14.04 MAINTAINER Docker Newbee newbee@docker.com RUN apt-get -qq update RUN apt-get -qqy install ruby ruby-dev RUN gem install sinatra ``` ### 科普:bash黑科技 - ctrl + u:#移到行尾,按快捷键暂存,当前命令行清空 - ctrl + y:# 恢复刚暂存的目录 - Ctrl + r:# 输入字符查找上一条命令 - sudo !! :执行上一条因权限不足而未能执行的命令 # 演示:徒手写Dockerfile 我们写个dockerfile,给镜像安装一个vim 查看centos有哪些版本:[dockerhub](https://hub.docker.com/\_/centos/) ## 保存脚本为centos-vim/Dockerfile ```dockerfile FROM centos:7 MAINTAINER mdrkang.cunhua@qq.com RUN yum install -y vim ``` ```bash AnInputForce.teach ~ $ mkdir experment AnInputForce.teach ~ $ cd experment/ AnInputForce.teach ~/experment $ mkdir centos-vim AnInputForce.teach ~/experment $ cd centos-vim/ AnInputForce.teach ~/experment $ vi Dockerfile ``` ## 构建镜像 docker build centos-vim/ ```bash AnInputForce.teach ~/experment $ cd centos-vim/ AnInputForce.teach ~/experment/centos-vim $ ll 总用量 4 -rw-rw-r-- 1 root 72 11月 15 20:34 Dockerfile AnInputForce.teach ~/experment/centos-vim $ cd .. AnInputForce.teach ~/experment $ pwd /home/AnInputForce/experment AnInputForce.teach ~/experment $ ll 总用量 4 drwxrwxr-x 2 AnInputForce 4096 11月 15 20:36 centos-vim AnInputForce.teach ~/experment $ docker build centos-vim/ Sending build context to Docker daemon 2.048 kB Step 1 : FROM centos:7 ---> 0584b3d2cf6d Step 2 : MAINTAINER mdrkang.cunhua@qq.com ---> Running in ec9eae8742d8 ---> 9153702517b5 Removing intermediate container ec9eae8742d8 Step 3 : RUN yum install -y vim ---> Running in 4e3ec7cee383 Loaded plugins: fastestmirror, ovl ...... Complete! ---> 5c72d36ad69e Removing intermediate container 4e3ec7cee383 Successfully built 5c72d36ad69e ``` ## 查看镜像 ```bash AnInputForce.teach ~/experment $ docker images REPOSITORY TAG IMAGE ID CREATED SIZE
Docker实战笔记
[TOC]
提纲
此Docker系列学习笔记,根据Reboot教育PC大神的运维自动化部分课程整理而成,补充少量个人理解以及练习日志(部分日志有删减)。
PC大神在知乎的专栏:面向工资编程
- Docker简介(一)
- Docker简介(二)
- Docker管理系统(一)
- Docker管理系统(二)
- Docker管理系统(三)
- Docker原理-namespace和文件系统
- Docker原理-徒手创建一个docker容器
- Docker、etcd构建服务自发现体系
- Docker生态系统:k8s、etcd等
- etcd分布式一致性算法paxos、raft
Docker简介(二)
盗梦空间
使用docker时,应时刻注意自己在哪儿,防止误操作。docker容器一般都是root全新,这个时候往往是宿主机、各容器相互交错,甚至有时候还有自己的笔记本远程登录维护的场景;一个不慎,就是生产事故。
解决办法:设置PS1变量,每个用户下颜色不一样,提示符不一样。同时加强用户权限的管理和落地,赋予运维人员岗位角色最小的权限,严格控制特殊权限如root的申请流程和双人复核制度;
参考bashrc
将以下代码保存为 bashrc
#!/bin/bash
#export DYLD_FALLBACK_LIBRARY_PATH="${HOME}/wine/wine-1.2/lib:/usr/X11/lib:/usr/
lib" export TERM=xterm-color export CLICOLOR=1 export LSCOLORS=ExFxCxDxBxegedabagacad export EDITOR=vi #export CDPATH=$CDPATH:/Users/auxten/Documents/Codes/ use_color=false # Set colorful PS1 only on colorful terminals. # dircolors --print-database uses its own built-in database # instead of using /etc/DIR_COLORS. Try to use the external file # first to take advantage of user additions. Use internal bash # globbing instead of external grep binary. safe_term=${TERM//[^[:alnum:]]/?} # sanitize TERM match_lhs="" [[ -f ~/.dir_colors ]] && match_lhs="${match_lhs}$(<~/.dir_colors)" [[ -f /etc/DIR_COLORS ]] && match_lhs="${match_lhs}$(</etc/DIR_COLORS)" [[ -z ${match_lhs} ]] \ && type -P dircolors >/dev/null \ && match_lhs=$(dircolors --print-database) [[ $'\n'${match_lhs} == *$'\n'"TERM "${safe_term}* ]] && use_color=true if ${use_color} ; then # Enable colors for ls, etc. Prefer ~/.dir_colors #64489if type -P dircolors >/dev/null ; then if [[ -f ~/.dir_colors ]] ; then eval $(dircolors -b ~/.dir_colors) elif [[ -f /etc/DIR_COLORS ]] ; then eval$(dircolors -b /etc/DIR_COLORS) fi fi if [[ ${EUID} == 0 ]] ; then PS1='\[\033[01;31m\]\h\[\033[01;34m\] \w \$\[\033[00m\] 'else PS1='\[\033[01;33m\]\u.\[\033[01;34m\]\[\033[01;32m\]\h\[\033[01;34m\] \ w \$\[\033[00m\] '#PS1='\[\033[01;32m\]\u@\h\[\033[01;34m\] \w \$\[\033[00m\] ' fi alias ls='ls -G' alias grep='grep --colour=auto'elseif [[ ${EUID} == 0 ]] ; then # show root@ when we don't have colors PS1='\u@\h \W \$ 'else PS1='\u@\h \w \$ ' fi fi # Try to keep environment pollution down, EPA loves us. unset use_color safe_term match_lhs
设置命令
cp bashrc ~/.bashrc
. ~/.bashrc
赠与root
sudo cp ~/.bashrc /root/
sudo su -
效果展示
AnInputForce账号没有sudo权限,这里有一个课件截图:
基本操作
docker stop
停止docker容器。
建议不使用,直接使用docker rm -f 停止并删除容器:干净整洁不留垃圾;stop命令略慢,rm命令毫秒级别。以下是演示,
停止,清理容器
AnInputForce.teach ~ $ docker run --name="centos_kch" -itd centos tail -f /etc/hosts
608ca094cbf836087a749f464e4e1175502cd0e0d184e174b99bfe59b4a18015
AnInputForce.teach ~ $ docker ps | grep kch
608ca094cbf8 centos "tail -f /etc/hosts" 28 seconds ago Up 26 seconds centos_kch
AnInputForce.teach ~ $ docker stop centos_kch
centos_kch
AnInputForce.teach ~ $ docker ps | grep kch
AnInputForce.teach ~ $ docker ps -a | grep kch
608ca094cbf8 centos "tail -f /etc/hosts" About a minute ago Exited (137) 16 seconds ago centos_kch
AnInputForce.teach ~ $ docker rm centos_kch
centos_kch
AnInputForce.teach ~ $ docker ps -a | grep kch
直接停止并删除容器
AnInputForce.teach ~ $ docker run --name="centos_kch" -itd centos tail -f /etc/hosts
e916042b88f1fe5829d400188c7cb806d7075751a9142c5fb9935a81b7924f56
AnInputForce.teach ~ $ docker ps | grep kch
e916042b88f1 centos "tail -f /etc/hosts" 18 seconds ago Up 17 seconds centos_kch
AnInputForce.teach ~ $ docker rm -f centos_kch
centos_kch
AnInputForce.teach ~ $ docker ps | grep kch
AnInputForce.teach ~ $ docker ps -a | grep kch
AnInputForce.teach ~ $
docker exec 进入容器简化
我们经常要写这条命令,进入容器交互bash:
docker exec -it centos_kch bash
有网友写了个脚本简化这件事:帖子看这里,看3楼的回复。
#!/bin/bash -xe
# docker id might be given as a parameter
DID=$1
if [[ "$DID" == "" ]]; then
# if no id given simply just connect to the first running instance
DID=$(docker ps | grep -Eo "^[0-9a-z]{8,}\b")
fi
docker exec -i -t $DID bash
修订一下:如果不带参数,默认进入第一个运行的容器,但是过滤出来的是所有运行的容器。此处修订:
保存脚本为dgo
#!/bin/bash -xe
# docker id might be given as a parameter
DID=$1
if [[ "$DID" == "" ]]; then
# if no id given simply just connect to the first running instance
DID=$(docker ps | grep -Eo "^[0-9a-z]{8,}\b" | head -n 1)
fi
docker exec -i -t $DID bash
设置Setup
Put docker-ssh file in your $PATH with the following contents
有root权限的话,我们直接copy到bin目录
sudo cp dgo /usr/local/bin/
演示Usage
If you have one running instance simply run
- dgo
Otherwise provide it with a docker id parmeter that you get from docker ps (first col)
dgo $docker-id,# dgo 3ccdb6bcf75a
dgo $container-name,# dgo centos_kch
AnInputForce.teach ~ $ docker run --name="centos_kch" -itd centos tail -f /etc/hosts 3ccdb6bcf75a197b4cfbeec3d6754d3d55630e11544f396e5cd942064dae220e AnInputForce.teach ~ $ dgo centos_kch
- DID=centos_kch
- [[ centos_kch == '' ]]
- docker exec -i -t centos_kch bash [root@3ccdb6bcf75a /]#
脚本参数
- bash -xe
- -x 显示执行日志
- 把它执行的每条命令都打到console上,有助于让大家了解都执行的什么,有助于提醒这个脚本是个自定义命令;这是一个非常好的习惯;
- -e 执行完退出;
docker run -v -p
- -v 映射目录
- -p 映射端口
Tips:端口映射docker是用iptable实现的,CentOS7引入了firewalld,本质上比iptable好用一些,如果docker用到端口映射,firewalld服务就不能听。内网使用,可以一上来用firewalld把所有端口都打开,这样比较方便docker管理端口映射。
验证思路
筛选端口有没有占用,没有输出则可用
sudo netstat -nltp | grep 8084
将宿主机home目录的data文件夹映射到容器的/data目录,同时将宿主机的8084端口映射到宿主机的80端口
docker run --name"kch-centos" -v ~/data:/data -p 8084:80 -itd centos tail -f /etc/hosts
映射目录验证
AnInputForce.teach ~ $ docker run --name "kch-centos" -v ~/data:/data -p 8084:80 -itd centos tail -f /etc/hosts
9bae287a1df72f557a218044e58dc61c473b8d746f9f4e02c801cf58e014385f
AnInputForce.teach ~ $ ll
总用量 16
-rw-r--r-- 1 AnInputForce 231 11月 15 09:15 20161115.bashrc
drwxr-xr-x 2 root 4096 11月 15 19:42 data
drwxr-xr-x 6 root 4096 10月 16 10:41 open-falcon
-rwxr-xr-x 1 AnInputForce 377 10月 16 11:42 runof.sh
AnInputForce.teach ~ $ docker exec -it kch-centos /bin/bash
[root@9bae287a1df7 /]# ll | grep data
drwxr-xr-x 2 root root 4096 Nov 15 11:42 data
[root@9bae287a1df7 /]# echo xxxyyy > data/xxx
[root@9bae287a1df7 /]# exit
exit
AnInputForce.teach ~ $ cat data/xxx
xxxxyyy
AnInputForce.teach ~ $
端口映射验证
进入容器,启动一个python的SimpleHTTPServer,绑定80端口;
在浏览器中输入http://localhost:8084,成功访问;
演示使用的是教学机http://reboot.linrc.com:8084
AnInputForce.teach ~ $ docker exec -it kch-centos /bin/bash
[root@9bae287a1df7 /]# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
219.142.60.11 - - [15/Nov/2016 12:03:14] "GET / HTTP/1.1" 200 -
219.142.60.11 - - [15/Nov/2016 12:03:14] code 404, message File not found
219.142.60.11 - - [15/Nov/2016 12:03:14] "GET /favicon.ico HTTP/1.1" 404 -
docker inspect
$docker id | $docker name
docker inspect centos_kch
我们在使用docker过程中,如果碰上莫名其妙的问题,比如没写绝对路径时,不知道目录映射到哪儿了,就可以运行此命令,看"Mounts"属性;
docker 创建镜像
推荐用dockerfile来构建镜像,因为可以提交git版本控制:清楚展现了所经历的过程。不推荐在现有容器中yum安装配置后,再commit创建镜像。后者参考:Docker学习之路(六)用commit命令创建镜像
commit
docker commit -m "Added something" -a "Docker Newbee" centos centos:v2docker rmi-a 就是author,作者
dockerfile
FROM ubuntu:14.04 MAINTAINER Docker Newbee newbee@docker.com RUN apt-get -qq update RUN apt-get -qqy install ruby ruby-dev RUN gem install sinatra
科普:bash黑科技
- ctrl + u:#移到行尾,按快捷键暂存,当前命令行清空
- ctrl + y:# 恢复刚暂存的目录
- Ctrl + r:# 输入字符查找上一条命令
- sudo !! :执行上一条因权限不足而未能执行的命令
演示:徒手写Dockerfile
我们写个dockerfile,给镜像安装一个vim
查看centos有哪些版本:dockerhub
保存脚本为centos-vim/Dockerfile
FROM centos:7
MAINTAINER mdr<kang.cunhua@qq.com>
RUN yum install -y vim
AnInputForce.teach ~ $ mkdir experment
AnInputForce.teach ~ $ cd experment/
AnInputForce.teach ~/experment $ mkdir centos-vim
AnInputForce.teach ~/experment $ cd centos-vim/
AnInputForce.teach ~/experment $ vi Dockerfile
构建镜像 docker build centos-vim/
AnInputForce.teach ~/experment $ cd centos-vim/
AnInputForce.teach ~/experment/centos-vim $ ll
总用量 4
-rw-rw-r-- 1 root 7211月 1520:34 Dockerfile AnInputForce.teach ~/experment/centos-vim $ cd ..
AnInputForce.teach ~/experment $ pwd
/home/AnInputForce/experment
AnInputForce.teach ~/experment $ ll
总用量 4
drwxrwxr-x 2 AnInputForce 4096 11月 15 20:36 centos-vim
AnInputForce.teach ~/experment $ docker build centos-vim/
Sending build context to Docker daemon 2.048 kB
Step 1 : FROM centos:7
---> 0584b3d2cf6d Step 2 : MAINTAINER mdr<kang.cunhua@qq.com>
---> Running in ec9eae8742d8 ---> 9153702517b5 Removing intermediate container ec9eae8742d8
Step 3 : RUN yum install -y vim
---> Running in4e3ec7cee383 Loaded plugins: fastestmirror, ovl
......
Complete!
---> 5c72d36ad69e Removing intermediate container 4e3ec7cee383
Successfully built 5c72d36ad69e
查看镜像
AnInputForce.teach ~/experment $ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
<none> <none> 5c72d36ad69e 2 minutes ago 361.1 MB
centos-vim latest 37e42772dafe 11 days ago 361.1 MB
centos 7 0584b3d2cf6d 12 days ago 196.5 MB
centos latest 0584b3d2cf6d 12 days ago 196.5 MB
给镜像美容
docker tag $dockerid $imagename #默认不写,tag是latest
docker tag $dockerid $image-name:$tag #也可以指定tag
默认
AnInputForce.teach ~ $ docker tag 5c72d36ad69e centos-vim
AnInputForce.teach ~ $ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos-vim latest 5c72d36ad69e 10 minutes ago 361.1 MB
写$tag
AnInputForce.teach ~ $ docker tag 5c72d36ad69e centos-vim:mdr
AnInputForce.teach ~ $ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos-vim latest 5c72d36ad69e 13 minutes ago 361.1 MB
centos-vim mdr 5c72d36ad69e 13 minutes ago 361.1 MB
<none> <none> 37e42772dafe 11 days ago 361.1 MB
注意
可以给一个镜像打多个tag,他们可以共存。
但是$image-name需全局唯一,如果你使用了已有的名字,原来叫这个名字的就会变成
测试新镜像
docker rm -f kch-centos删除之前的容器,
AnInputForce.teach ~ $ docker run --name "mdr-centos" -v ~/data:/data -p 8084:80 -itd centos-vim tail -f /etc/hosts
7ce8203e0431a7571df28e51fe7bb2152093fa49ebb8495516342046af23e953
AnInputForce.teach ~ $ dgo mdr-centos
+ DID=mdr-centos
+ [[ mdr-centos == '' ]]
+ docker exec -i -t mdr-centos bash
[root@7ce8203e0431 /]# vim
可以看到,成功进入vim;
小练习:新增账号后打包镜像
基于centos镜像,加一个账号,然后build镜像,镜像名字自己起。同时安装SSH服务,这个后续有用。
Dockerfile参考
FROM centos:7
MAINTAINER mdr<kang.cunhua@qq.com>
RUN useradd mdr
RUN yum install -y openssh-server
构建演示
AnInputForce.teach ~ $ cd experment/
AnInputForce.teach ~/experment $ mkdir centos-dev
AnInputForce.teach ~/experment $ cd centos-dev/
AnInputForce.teach ~/experment/centos-dev $ vi Dockerfile
AnInputForce.teach ~/experment/centos-dev $ cd ..
AnInputForce.teach ~/experment $ docker build centos-dev/
Sending build context to Docker daemon 2.048 kB
Step 1 : FROM centos:7
---> 0584b3d2cf6d
......
Complete!
---> 7677fcb139ca
Removing intermediate container 9bb12e1ee067
Successfully built 7677fcb139ca
AnInputForce.teach ~/experment $ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
<none> <none> 7677fcb139ca 44 seconds ago 307.8 MB
centos-vim latest 5c72d36ad69e 24 hours ago 361.1 MB
centos-vim mdr 5c72d36ad69e 24 hours ago 361.1 MB
AnInputForce.teach ~/experment $ docker tag 7677fcb139ca centos-dev:mdr
AnInputForce.teach ~/experment $ docker images | grep mdr
centos-dev mdr 7677fcb139ca 3 minutes ago 307.8 MB
centos-vim mdr 5c72d36ad69e 24 hours ago 361.1 MB
AnInputForce.teach ~/experment $
小技巧
在Dockerfile中设置用户密码
来自kongsys童鞋;
Run echo "yourpasswd666"|passwd kongsys --stdin
在构建镜像时指定标签
这样的话,就不用构建后在给镜像命名和打tag了--来自Roven童鞋;
docker build -t test-centos|centos7.2 centos-vim
如何拿Docker撘开发机
搭建开发机,让各位同学能自动登录。之前我们是通过Dockerfile构建的,此处演示我们用commit来构建。
不需要输密码,只要我在wheel组里
sudoedit /etc/sudoers编辑
找到
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
改为
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
演示日志
AnInputForce.teach ~ $ dgo mdr-centos
+ DID=mdr-centos
+ [[ mdr-centos == '' ]]
+ docker exec -i -t mdr-centos bash
[root@7ce8203e0431 /]# useradd mdr
[root@7ce8203e0431 /]# passwd mdr
Changing password for user mdr.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@7ce8203e0431 /]# yum install -y openssh-server
....
Dependency Installed:
fipscheck.x86_64 0:1.4.1-5.el7 fipscheck-lib.x86_64 0:1.4.1-5.el7
openssh.x86_64 0:6.6.1p1-25.el7_2 tcp_wrappers-libs.x86_64 0:7.6-77.el7
Complete!
[root@7ce8203e0431 /]# usermod -aG wheel mdr
[root@7ce8203e0431 /]# yum install -y sudo
Loaded plugins: fastestmirror, ovl
......
Installed:
sudo.x86_64 0:1.8.6p7-17.el7_2
Complete!
[root@7ce8203e0431 /]# sudoedit /etc/sudoers
[root@7ce8203e0431 /]# exit
exit
AnInputForce.teach ~ $ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7ce8203e0431 centos-vim "tail -f /etc/hosts" 24 hours ago Up 24 hours 0.0.0.0:8084->80/tcp mdr-centos
......
AnInputForce.teach ~ $ docker commit mdr-centos centos-dev:7
sha256:f331bbce086b75f00133b8fc3385f03d1bb3c5274e7c279e69ab06a2192f63ae
AnInputForce.teach ~ $ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos-dev 7 f331bbce086b 11 seconds ago 473.3 MB
centos-dev mdr 7677fcb139ca 44 minutes ago 307.8 MB
centos-vim latest 5c72d36ad69e 25 hours ago 361.1 MB
centos-vim mdr 5c72d36ad69e 25 hours ago 361.1 MB
......
AnInputForce.teach ~ $ docker rm -f mdr-centos
mdr-centos
AnInputForce.teach ~ $ docker run --name="mdr-centos" -v ~/data:/data -p 8088:22 -itd centos-dev:7 /usr/sbin/sshd -D
af94c0ffe40432112a4d5b7c38a2b66f2244b7baf941995c2e6b5ef95384ee76
AnInputForce.teach ~ $
登录开发机,报错
我们来尝试登录一下开发机,发现报错,docker logs $container-id查日志排错
ssh -P 8088 mdr@127.0.0.1
ssh: connect to host 8088 port 22: Invalid argument
AnInputForce.teach ~ $ docker logs mdr-centos
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Could not load host key: /etc/ssh/ssh_host_ed25519_key
**tips:**ssh-keygen如何不输入-y,搜索关键词:ssh-kengen no interactive
回到简单模式,启动container
报错:/etc/hosts: no such file or directory
AnInputForce.teach ~ $ docker run --name="mdr-centos" -v ~/data:/data -p 8088:22 -itd centos-dev:7 "tail -f /etc/hosts"
2fafa8f4c7fd503cd62cb083ffa0135a2f20eff7d3d7e75b421fb61e2b13e358
docker: Error response from daemon: invalid header field value "oci runtime error: container_linux.go:247: starting container process caused \"exec: \\\"tail -f /etc/hosts\\\": stat tail -f /etc/hosts: no such file or directory\"\n".
原因 :command多加了引号
AnInputForce.teach ~ $ docker run --name "mdr-centos" -v ~/data:/data -p 8088:22 -itd centos-dev:7 tail -f /etc/hosts
f47f6e673f49154c261355039da9f45bb50777106917752d17aee96a3135421c
再回到container安装ssh
同时,根据日志提示安装对应加密算法
Welcome to aliyun Elastic Compute Service!
-bash: /home/AnInputForce: 是一个目录
AnInputForce.teach ~ $ dgo mdr-centos
+ DID=mdr-centos
+ [[ mdr-centos == '' ]]
+ docker exec -i -t mdr-centos bash
[root@f47f6e673f49 /]# ssh-keygen
......
+--[ RSA 2048]----+
......
+-----------------+
[root@f47f6e673f49 /]# ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
......
+--[ DSA 1024]----+
......
+-----------------+
[root@f47f6e673f49 /]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
......
+--[ RSA 2048]----+
......
+-----------------+
测试下:提示缺两种非对称加密算法
[root@f47f6e673f49 /]# /usr/sbin/sshd -D
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Could not load host key: /etc/ssh/ssh_host_ed25519_key
继续安装非对称加密算法
[root@f47f6e673f49 /]# ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key
+--[ECDSA 256]---+
......
+-----------------+
[root@f47f6e673f49 /]# ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key
......
+--[ED25519 256--+
......
+-----------------+
SSH服务成功启动
[root@f47f6e673f49 /]# /usr/sbin/sshd -D
^C
[root@f47f6e673f49 /]#
提交打包镜像
[root@f47f6e673f49 /]# exit
exit
AnInputForce.teach ~ $ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos-dev 7 f331bbce086b 11 hours ago 473.3 MB
centos-dev mdr 7677fcb139ca 12 hours ago 307.8 MB
centos-vim latest 5c72d36ad69e 37 hours ago 361.1 MB
AnInputForce.teach ~ $ docker commit mdr-centos centos-dev:7
sha256:90fc2a3fa895faa4611731b442b7e17fcdfab2084cc488378a48d54a44e59490
AnInputForce.teach ~ $ docker commit mdr-centos centos-dev
sha256:a7d3dc16d111e7ab50fd0d8b2a5aabe8c5c4213ffdc8d7b4a2e32a7ba09f096c
AnInputForce.teach ~ $ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos-dev latest a7d3dc16d111 4 seconds ago 473.3 MB
centos-dev 7 90fc2a3fa895 19 seconds ago 473.3 MB
centos-dev mdr 7677fcb139ca 12 hours ago 307.8 MB
centos-vim latest 5c72d36ad69e 37 hours ago 361.1 MB
测试进入开发机
AnInputForce.teach ~ $ docker rm -f mdr-centos
mdr-centos
AnInputForce.teach ~ $ docker run --name "mdr-centos" -v ~/data:/data -p 8088:22 -itd centos-dev:7 tail -f /usr/sbin/sshd -D
6d0bae922b6e380adb93ceea88b6ba230b3b578d93744e2dcc0d524080f95356
AnInputForce.teach ~ $ ssh -P 8088 mdr@reboot.linrc.com
ssh: connect to host 8088 port 22: Invalid argument
AnInputForce.teach ~ $ docker logs
"docker logs" requires exactly 1 argument(s).
See 'docker logs --help'.
Usage: docker logs [OPTIONS] CONTAINER
Fetch the logs of a container
AnInputForce.teach ~ $ docker logs mdr-centos
tail: invalid option -- 'D'
Try 'tail --help' for more information.
AnInputForce.teach ~ $ docker rm -f mdr-centos
mdr-centos
AnInputForce.teach ~ $ docker run --name "mdr-centos" -v ~/data:/data -p 8088:22 -itd centos-dev /usr/sbin/sshd -D
b996a0f5c858ea59dae380960274371ff45c2fba4ee2b307b9eea241e0ea6e2d
AnInputForce.teach ~ $ ssh -P 8088 mdr@reboot.linrc.com
ssh: connect to host 8088 port 22: Invalid argument
AnInputForce.teach ~ $ docker logs mdr-centos
AnInputForce.teach ~ $ ssh -p 8088 mdr@reboot.linrc.com
The authenticity of host '[reboot.linrc.com]:8088 ([59.110.12.72]:8088)' can't be established. ECDSA key fingerprint is 2e:c3:ac:e6:86:99:98:65:c8:4b:44:67:f3:84:2e:45. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[reboot.linrc.com]:8088,[59.110.12.72]:8088' (ECDSA) to the list of known hosts. mdr@reboot.linrc.com's password:
[mdr@b996a0f5c858 ~]$
成功进入。Tips:我们在使用docker时,碰上报错可以,使用docker logs $container-id 来查看日志。以上日志对应包含了对应排错过程,请参考。
让我们做得更好:免密码登录
我们在日常使用开发机的时候,不能每个容器都这儿操作一遍:加入id_rsa.pub 内容到.ssh/authorized_keys。能不能批量实现这个效果?可以的,用到了目录映射:^演示账号权限不足提示
思路
把自己目录下的id_rsa.pub内容加入/root/.ssh/authorized_keys
演示
AnInputForce.teach ~/.ssh $ cat id_rsa.pub ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLqCVUrRiiGCuK3lAa3kIrk1rSU0WuzpOZT9LctQE1m0TOrAGDC/C0USp6AOTQ90V+JdaRFC6hvjmI5AVrZIbnhHFbhlJpqPegnC7pZiMLFIt8Pcdi9aCZGAqvj6ALfMOsXRgM4H5vgwAKg1YAihnse4A2rLmS237UK43/Yk1E6fn/0wILzdy1gPjIuQbHbKUuJV/VAhP8655xRDLGjOj7rmfR0rm+qukyOrgfW4kCtuGSQfC0qykTHmS25pNnByWaS1tzxspgL0XWRcHIKCxzFSDgzdLgtIOvrlDR46pZFJ8lShQKaMhu/eDj4ZC4VN7QHulZNP/rjiWlB1pafkw5 AnInputForce@teach
[mdr@b996a0f5c858 log]$ sudo su -
teach ~ # vi .ssh/authorized_keys
让所有人都可以免密码登录
把宿主机的ssh目录映射到容器里,所有人都可以免密码登录了。只要用户能免密码登录宿主机,就能免密码登录容器;
docker rm -f mdr-centos
sudo docker run --name='mdr-centos' -v ~/data:/data -v /root/.ssh:/root/.ssh -p 8088:22 -itd centos-dev /usr/sbin/sshd -D
也可以把自己目录的映射到容器中。
**Tips:**风险--目录映射之后,在容器中修改对应目录或文件,也会同步到本地。需要特别注意。如果有童鞋知道如何映射本地目录到容器中为只读权限,麻烦您给我留言,我会更新本文。
Docker简介总结:我们做了什么
- 为什么是docker:秒级启动,化复杂安装配置为简洁
- docker基本概念:仓库、镜像、容器
- docker基本操作:ps、port、pull、images、run、stop、rm、exec、inspect、logs、commit
- 徒手写Dockerfile构建镜像
- 一个小练习:新增账号后,打包镜像
- 用Docker来搭建开发机:快速批量提供开发环境,让所有人免密登录
- https://my.oschina.net/hexie/blog/789705
