安装docker
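# Remove distro-packaged Docker components that conflict with docker-ce.
# `sudo` added for consistency with the rest of this block (the original
# ran `dnf remove` without it; identical when already root).
sudo dnf remove docker \
  docker-client \
  docker-client-latest \
  docker-common \
  docker-latest \
  docker-latest-logrotate \
  docker-logrotate \
  docker-selinux \
  docker-engine
# Repo plugin tooling plus the devicemapper/LVM storage dependencies.
sudo dnf -y install dnf-plugins-core yum-utils device-mapper-persistent-data lvm2
# Add the upstream Docker CE repository (fetched over HTTPS).
sudo dnf -y config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo dnf -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
# `enable --now` enables the unit at boot and starts it in one step
# (replaces the separate `enable` && `start` pair).
sudo systemctl daemon-reload && sudo systemctl enable --now docker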
====================================================================== 打标签
docker tag centos:latest centos:8.3
进容器
docker exec -it 9df70f9a0714 /bin/bash
docker run -it --rm 9df70f9a0714 /bin/bash
docker run -it --name test b5b4d78bc90c /bin/bash
docker inspect -f {{.Mounts}} web1
[{volume b788b8a50d69953e2b086b3b54ba683154647319a481246cb7ab2ff927b21372 /var/lib/docker/volumes/b788b8a50d69953e2b086b3b54ba683154647319a481246cb7ab2ff927b21372/_data /data/mysql local true }]
docker inspect -f "{{.NetworkSettings.IPAddress}}" 9a9e5785999d
172.17.0.3
docker inspect -f "{{.NetworkSettings.Gateway}}" 9a9e5785999d
172.17.0.1
docker inspect -f "{{.State.Pid}}" 635cf4705e64
4823
nsenter -t 4823 -m -u -i -n -p
nginx指定本地的IP地址8080端口映射到80端口上
docker run -it -p 192.168.7.100:8080:80 nginx
指定nginx多个映射端口,并命名为web1
docker run -it -d --name web1 -p 80:80/tcp -p 443:443 nginx
查看层
docker image history
退出后删除
docker run -it --rm
删除正在运行的容器ID,直接就删除了容器
docker rm -f 48f2d90121f1
删除所有的容器,包括正在运行的容器,慎用
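# Force-remove EVERY container, running ones included (the author flags this
# as "use with care"). $(...) replaces the original backticks: same result,
# nests and reads cleanly. Left unquoted on purpose -- each container ID must
# arrive as a separate argument.
docker rm -f $(docker ps -a -q)
docker start $(docker ps -a -q)
docker kill $(docker ps -a -q)
# Remove only exited containers, together with their anonymous volumes (-v).
docker rm -fv $(docker ps -aq -f status=exited)
docker rm $(docker ps -qf status=exited)
# Throw-away MySQL test container. The root password is a sample value passed
# on the command line, where it lands in shell history and `ps` output; for
# anything beyond a local test, supply it with --env-file and a stronger value.
docker run -it --rm -p 3306:3306 -e MYSQL_ROOT_PASSWORD=123456 mysql:5.6.44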
容器更改时区
# Switch the container's timezone to Asia/Shanghai: drop the existing
# /etc/localtime, locate the zoneinfo entry, then symlink it into place.
rm -rf /etc/localtime
find / -name Shanghai
ln -sv /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
RUN rm -rf /etc/localtime && ln -snf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && echo "Asia/Shanghai" > /etc/timezone
jdk profile
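# JDK / Tomcat environment (for /etc/profile or /etc/profile.d/).
# The original lines had lost every `$` on the right-hand side
# (`PATH=JAVA_HOME/bin:...:PATH:...`), which would replace PATH with literal
# directory names and break the shell; the expansions are restored here.
export JAVA_HOME=/usr/local/jdk
export TOMCAT_HOME=/apps/tomcat
# JDK and Tomcat bin dirs first, then the caller's PATH, then the usual system dirs.
export PATH="$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$TOMCAT_HOME/bin:$PATH:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin"
# Current directory first; an existing CLASSPATH is kept only when set so no
# empty entry is introduced (the original `.CLASSPATH:` was most likely `.:$CLASSPATH:`).
export CLASSPATH=".:${CLASSPATH:+$CLASSPATH:}$JAVA_HOME/lib:$JAVA_HOME/jre/lib:$JAVA_HOME/lib/tools.jar"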
推送镜像到docker
# Tag the local image under the ccxylt namespace and push it to the registry.
docker tag 460226b10ca2 ccxylt/centos8-image:v1
docker push ccxylt/centos8-image:v1
# MySQL with its data directory bind-mounted from the host and port 3306
# published on every host interface. The root password is a sample value
# given on the command line (visible in shell history and `ps`); use
# --env-file and a stronger value outside of local testing.
docker run -d --name mysql -p 3306:3306 -v /data/mysql:/var/lib/mysql -e MYSQL_ROOT_PASSWORD=123456 5d9483f9a7b2
docker 更改网段
cat /etc/docker/daemon.json
{
"bip": "192.168.100.1/24",
"registry-mirrors": ["https://si7y70hh.mirror.aliyuncs.com"]
}
wget -qO - 172.20.0.3
harbor
apt install gnupg2 pass
Harbor,首先要安装docker 和 docker-compose
1,安装 Docker-ce
2.安装docker-compose
(1)下载二进制文件
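# Download the docker-compose 1.25.3 binary for this OS/arch. -f fails on an
# HTTP error instead of saving the error page as the "binary"; -sS stays quiet
# but still reports failures; $(...) replaces the original backticks. Check the
# file against the checksum published with the release before making it executable.
curl -fsSL "https://github.com/docker/compose/releases/download/1.25.3/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose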
(2)赋予二进制文件可执行权限
chmod +x /usr/local/bin/docker-compose
(3)根据自己的情况决定是否安装命令补全功能
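# Optional bash completion. The script is fetched from the same tag as the
# installed binary (1.25.3); the original pulled it from 1.16.1, which can lag
# behind the command set of the newer binary.
yum install bash-completion
curl -fsSL https://raw.githubusercontent.com/docker/compose/1.25.3/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose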
(4)测试是否安装成功
docker-compose --version
3.安装harbor
(1)下载
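# Fetch the Harbor offline installer into /usr/local/src/. The original line had
# a stray second "wget" before the URL, which wget would try to fetch as a URL.
wget -P /usr/local/src/ https://github.com/goharbor/harbor/releases/download/v2.11.1/harbor-offline-installer-v2.11.1.tgz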
(2)解压
cd /usr/local/src/ && tar xf harbor-offline-installer-v2.11.1.tgz -C /usr/local/
(3)修改配置文件
cd /usr/local/harbor/
mv harbor.yml.tmpl harbor.yml
vim harbor.yml
修改 hostname = harbor (启动harbor为主机名)
否则会报异常: ➜ Please set hostname and other necessary attributes in harbor.cfg first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients. Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.cfg bacause notary must run under https. Please set --with-clair if needs enable Clair in Harbor
(4)执行安装
./install.sh
(5)访问: http://192.168.38.23/harbor/sign-in 默认账号密码: admin / Harbor12345 登录后修改密码
(6)启动和重启 Harbor 的日常运维管理是通过docker-compose来完成的,Harbor本身有多个服务进程,都放在docker容器之中运行,我们可以通过docker ps命令查看。
docker-compose ps
启动Harbor
docker-compose start
停止Harbor
docker-compose stop
重启Harbor
docker-compose restart
如果是用 docker-compose start 会报错:
ERROR: for nginx UnixHTTPConnectionPool(host='localhost', port=None): Read timed out. (read timeout=60)
ERROR: for harbor-log UnixHTTPConnectionPool(host='localhost', port=None): Read timed out. (read timeout=60)
ERROR: An HTTP request took too long to complete. Retry with --verbose to obtain debug information.
因此使用 docker-compose up -d 启动
#
harbor 启动报错 failed to initialize logging driver: dial tcp 127.0.0.1:1514: connect: connection refuse
docker-compose -f docker-compose.yml stop
systemctl restart rsyslog.service
docker-compose -f docker-compose.yml start
syslog修改默认端口号 vim /etc/syslog.conf
#Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 1514
设置为开机启动,只需要将启动程序存在/etc/rc.d/rc.local下,并加上执行权限即可。
chmod +x /etc/rc.d/rc.local
vim /etc/rc.d/rc.local
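# Line for /etc/rc.d/rc.local so Harbor comes up at boot. The archive was
# unpacked with `tar ... -C /usr/local/` and installed from /usr/local/harbor,
# so that directory holds docker-compose.yml; the original pointed at
# /usr/local/src/harbor, where only the .tgz lives. The notes above mention
# that `start` can time out and that `up -d` is used instead.
cd /usr/local/harbor && docker-compose -f docker-compose.yml start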
- 上传和下载 (1)配置daemon.json $ vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://njrds9qc.mirror.aliyuncs.com"],
"insecure-registries":["192.168.38.23"]
}
然后依次执行如下命令:
docker-compose stop
systemctl daemon-reload
systemctl restart docker
docker-compose up -d
(2)客户端将镜像打tag 命令格式:docker tag SOURCE_IMAGE[:TAG] harbor/library/IMAGE[:TAG]
docker tag 83f3f8af3613 192.168.38.23/library/tomcat:7.0.69-jre7
vim /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 10.0.0.101 --insecure-registry 10.0.0.102
(3)客户端push镜像之前,先登录服务端
docker login 192.168.38.23
Username: admin
Password:
用户名密码:admin / Harbor12345
备注:如果登录时出现 Error response from daemon: Get http://192.168.38.23/v2/: Get http://harbor/service/token?account=admin&client_id=docker&offline_token=true&service=harbor-registry: dial tcp: lookup harbor on 192.168.38.2:53: no such host.
则需要执行第5步操作,配置TLS证书
报下面错误 Error response from daemon: Get "https://192.168.10.12/v2/": x509: certificate is valid for 192.168.1.1, not 192.168.10.12 这说明证书里的地址与实际访问地址不一致；--insecure-registry 只是跳过了证书校验，更稳妥的做法是按第5步为 192.168.10.12 重新签发证书。
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry=192.168.10.12
docker-compose up -d
docker-compose ps
docker-compose stop
(4)客户端push
push命令格式: docker push harbor/library/IMAGE[:TAG]
docker push 192.168.38.23/library/tomcat:7.0.69-jre7
5.Harbor配置TLS证书
(1)修改Harbor配置文件 因为Harbor默认使用http协议访问,所以我们这里在配置文件中,开启https配置; 配置harbor.yml
hostname = 192.168.38.23
ui_url_protocol = https
ssl_cert = /etc/certs/ca.crt
ssl_cert_key = /etc/certs/ca.key
(2)创建自签名证书key文件
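# Private key for the self-signed Harbor certificate. Restrict it to root:
# it protects every TLS session to the registry.
mkdir -p /etc/certs
openssl genrsa -out /etc/certs/ca.key 2048
chmod 600 /etc/certs/ca.key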
(3)创建自签名证书crt文件
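# Self-signed certificate for the registry address. Docker's Go TLS stack does
# not accept a certificate whose name is only in the CN, so the IP is repeated
# as a subjectAltName (-addext needs OpenSSL 1.1.1 or newer); without it the
# client fails with an x509 error.
openssl req -x509 -new -nodes -key /etc/certs/ca.key -subj "/CN=192.168.38.23" \
  -addext "subjectAltName=IP:192.168.38.23" -days 5000 -out /etc/certs/ca.crt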
(4)开始安装Harbor
./install.sh
(5)客户端配置 客户端需要创建证书文件存放的位置,并且把服务端创建的证书拷贝到该目录下,然后重启客户端docker
mkdir -p /etc/docker/certs.d/192.168.38.23
把服务端crt证书文件拷贝到客户端,这里的客户端为192.168.38.21
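# Copy the server certificate to the client host (192.168.38.21) into the
# per-registry directory Docker checks. The SSH account was lost in extraction
# ("[email protected]"); set REMOTE_USER to the account on the client first.
scp /etc/certs/ca.crt "${REMOTE_USER:?set to the SSH user on 192.168.38.21}@192.168.38.21:/etc/docker/certs.d/192.168.38.23/"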
重启客户端docker
systemctl restart docker
docker login 192.168.38.23
Username: admin
push成功后登录Harbor可查看刚才上传的镜像,这里的链接地址也变成了https了 https://192.168.38.23/harbor/sign-in
(6)客户端docker pull 测试 备注:如果pull不成功,可能需要修改daemon.json 文件
#
容器最大是128M,2个工作进程,一个进程是128M,最大进程占用256M,实际只能用128M内存
docker run -it --rm --memory 128m --memory-reservation 64m lorel/docker-stress-ng --vm 2 --vm-bytes 128M
==================================================================== Docker存储卷与容器卷详解
docker run -it -v /opt/tomcat/app1/:/apps/tomcat/webapps/app1 -p 80:8080 tomcat-app1:v1
docker run -it -d --name web1 -v /tomcat/bin/catalina.sh:/usr/local/tomcat/bin/catalina.sh:ro -v /tomcat/logs:/usr/local/tomcat/logs -p 80:8080 tomcat-base:v1
docker run -it -d --name volume-server -v /tomcat/bin/catalina.sh:/usr/local/tomcat/bin/catalina.sh:ro -v /tomcat/logs:/usr/local/tomcat/logs -v \
/tomcat:/data tomcat-base:v1
docker run -it -d --name volume-client --volumes-from volume-server -p 80:8080 tomcat-base:v1
============================================== 容器之间的互联
docker run -it -d --name tomcat1 tomcat-app1:v1
docker exec -it tomcat1 bash
docker run -it -d --name nginx-web1 -p 80:80 --link tomcat1 nginx:v1
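# Shell into the nginx container started just above as `--name nginx-web1`.
# The original exec'd into "nginx-web2", which is not created anywhere in
# this section.
docker exec -it nginx-web1 bash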
upstream tomcat {
server tomcat-web1:8080;
}
server {
location /app1 {
proxy_pass http://tomcat;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-FOR $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
}
}
====================================================================== 定义别名: docker run -d --name 新容器名称 --link 目标容器名称:自定义的名称 -p 本地端口:容器端口 镜像名称 shell命令
docker run -it -d --name tomcat2 tomcat-app1:v1
docker run -it -d --name nginx-web3 --link tomcat2:tomcat.google.com -p 82:80 nginx:v1
===================================================================
网络模式 Host(open) container 开放式网络模式 None(Close) container 封闭式网络模式 Container(join) container 联合挂载式网络模式,是host网络模式的延伸 Bridge container 桥接式网络模式
Host
docker run -it -d --name nginx-net-host --network host nginx-base:v1
None
docker run -it -d --name nginx-net-host1 --network none nginx-base:v1
Container
docker run -it -d --name nginx-net-host2 --network bridge nginx-base:v1
docker run -it -d --name nginx-net-host3 --network container:nginx-net-host2 nginx-base:v1
Bridge
docker run -it -d --name nginx-net-host2 --network bridge nginx-base:v1
======================================================================
Docker跨主机(不同网段)互联之简单实现
A:192.168.10.10 10.10.0.1/16
B:192.168.10.11 10.20.0.1/16
vim /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --bip 10.10.0.1/16
# Static route to host B's container subnet via B's host address, then allow
# forwarding from the host LAN. 192.168.10.0/21 covers 192.168.8.0-192.168.15.255,
# far more than the two hosts listed above; narrow it to the hosts that actually
# need to forward.
route add -net 10.20.0.0/16 gw 192.168.10.11
iptables -A FORWARD -s 192.168.10.0/21 -j ACCEPT
====================================================================== 自定义Docker容器IP地址
docker network create -d bridge --subnet 172.27.0.0/21 --gateway 172.27.0.1 linux-net1
docker network ls
docker run -it --network linux-net1 centos bash
docker run -it -p 80:80 --network linux-net1 nginx:v1 bash
将两个跨主机且不在同一网段的宿主机进行通信
iptables-save > iptables-rule.txt # export the rules, edit the file, and comment out the two lines below
# These are the rules Docker installs to stop traffic crossing between its
# bridge networks (br-... presumably the user-defined bridge, docker0 the
# default one). Dropping them removes that isolation for every network on
# this host, not only the pair being connected, and Docker is likely to
# re-create them when the daemon restarts.
#-A DOCKER-ISOLATION-STAGE-2 -o br-4e9a106f0e22 -j DROP
#-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
iptables-restore < iptables-rule.txt
启动一个桥接模式的容器 进入容器B中进行ping容器A的IP地址,此时就会基于iptables规则进行跨网段ping通
docker run -d -it -p 81:80 --network bridge nginx:v1
==================================================================== 容器编排工具Docker Compose
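# docker-compose file in the v1 format (services at top level, no `version:`).
# Indentation restored -- the notes had it flattened, which is not valid YAML.
# `expose` only declares a container port (reachable by linked containers);
# `ports` publishes to the host, on every interface unless an address is given.
# `links` is the legacy way to get name resolution between services.
nginx-web1:
  container_name: nginx-web1
  image: 192.168.10.12/baseimages/nginx:latest
  expose:
    - 80
  volumes:
    - /data/nginx/html:/apps/nginx/html
    - /data/nginx/conf/nginx.conf:/apps/nginx/conf/nginx.conf
  links:
    - tomcat-web1
    - tomcat-web2
nginx-web2:
  container_name: nginx-web2
  image: 192.168.10.12/baseimages/nginx:latest
  expose:
    - 80
  volumes:
    - /data/nginx/conf/nginx.conf:/apps/nginx/conf/nginx.conf
  links:
    - tomcat-web1
    - tomcat-web2
tomcat-web1:
  container_name: tomcat-web1
  image: 192.168.10.12/baseimages/tomcat:v1
  expose:
    - 8080
  # Left commented by the author, so the service runs as the image's default user.
  #user: tomcat
  command: /usr/bin/run_tomcat.sh
  volumes:
    - /data:/data
tomcat-web2:
  container_name: tomcat-web2
  image: 192.168.10.12/baseimages/tomcat:v1
  expose:
    - 8080
  #user: tomcat
  command: /usr/bin/run_tomcat.sh
  volumes:
    - /data:/data
haproxy:
  container_name: haproxy-web1
  image: 192.168.10.12/baseimages/haproxy:v1
  command: /usr/bin/run_haproxy.sh
  # Both ports are published on all host interfaces; prefix with an address
  # (e.g. "127.0.0.1:9999:9999") if 9999 should not be reachable from outside.
  ports:
    - "9999:9999"
    - "80:80"
  links:
    - nginx-web1
    - nginx-web2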