Building Docker images and setting up a private registry

Copyright notice: all content is the author's original work; unauthorized copying will be pursued. https://blog.csdn.net/m493096871/article/details/88591655

docker run -ti  --rm

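--rm removes the container automatically once it exits

Containers are only relatively isolated; they share the kernel with the physical host  uname -r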

docker inspect   name

Docker's layering saves space: image layers that are identical are read-only and shared, so they do not need to be stored twice

docker search  westos007

docker rm -f name

docker stop name

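run  creates and starts a container

attach name  attaches directly to the running container

Once inside the container, Ctrl+P then Ctrl+Q detaches and leaves it running in the background

docker commit  vm1  centos:v1 

Commits the container's contents as version v1

docker run -it --name vm1 centos:v1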

docker container cp /etc/passwd vm1:/tmp

docker diff vm1  shows the changes made in the container

docker logs vm1  shows the container's logs, useful for security auditing

docker container  exec vm1 hostname

Runs the hostname command inside the container

docker run -it  --name vm2  centos:v1

-it is only interactive if the container's command is a shell such as bash

docker run -it --name vm2 nginx bash  brings up the image's bash

docker run -d --name vm2 nginx

docker container exec  -it vm2 bash

docker container export  name

Writes out a tar archive

docker save a > a.tar  exports images (several images can be saved at once)

docker port name  shows the port mappings

[root@foundation11 docker]# docker container prune
WARNING! This will remove all stopped containers.

docker network ls  lists networks

docker volume ls  lists volumes

docker search name

Image management

mkdir docker

cd docker

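Do not build from the root directory; otherwise everything under the current directory is sent to the Docker daemon as the build context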

vim dvd.repo

[dvd]

name=rhel7.3

baseurl=http://172.25.254.250/rhel7.3/x86_64/dvd

gpgcheck=0

vim Dockerfile

# your base image; if it is not present locally it is pulled automatically
FROM  rhel7

COPY dvd.repo /etc/yum.repos.d

RUN rpmdb --rebuilddb

RUN yum install -y httpd

EXPOSE 80

# exec form: the array elements must use double quotes
CMD ["/usr/sbin/httpd","-D","FOREGROUND"]

docker build -t rhel7:v1 .

docker run -d --name vm2 rhel7:v1

docker rmi  name  removes an image

Step 5/6 : EXPOSE 80
 ---> Running in 0e7e3b0167fa
Removing intermediate container 0e7e3b0167fa
 ---> 3d6c38bd764e
Step 6/6 : CMD ["/usr/sbin/httpd","-D","FOREGROUND"]
 ---> Running in 1fb0a0a00c04
Removing intermediate container 1fb0a0a00c04
 ---> 47c76ef68b63
Successfully built 47c76ef68b63
Successfully tagged rhel7:v1

Problem

Rpmdb checksum is invalid: dCDPT(pkg checksums): systemd-libs.x86_64 0:219-30.el7 - u

Fix

rpmdb --rebuilddb

Using a data volume

FROM  rhel7  

COPY dvd.repo /etc/yum.repos.d

RUN rpmdb --rebuilddb

RUN yum install -y httpd

EXPOSE 80

VOLUME ["/var/www/html"]

CMD ["/usr/sbin/httpd","-D","FOREGROUND"]

docker build -t rhel7:v2 .

docker history rhel7:v1  compare the layers and build steps with docker history rhel7:v2

[root@foundation11 docker_demo]# docker history rhel7:v1
IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
47c76ef68b63        3 minutes ago       /bin/sh -c #(nop)  CMD ["/usr/sbin/httpd" "-…   0B                  
3d6c38bd764e        3 minutes ago       /bin/sh -c #(nop)  EXPOSE 80                    0B                  
34ecbf263547        3 minutes ago       /bin/sh -c yum install -y httpd                 52.8MB              
481ee4c61717        3 minutes ago       /bin/sh -c rpmdb --rebuilddb                    6.64MB              
3b6d3164f931        7 minutes ago       /bin/sh -c #(nop) COPY file:72083e7cf7811d38…   79B                 
0a3eb3fde7fd        4 years ago                                                         140MB               Imported from -
[root@foundation11 docker_demo]# docker history rhel7:v2
IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
e5c9b810f453        31 seconds ago      /bin/sh -c #(nop)  CMD ["/usr/sbin/httpd" "-…   0B                  
cf6135545a0b        31 seconds ago      /bin/sh -c #(nop)  VOLUME [/var/www/html]       0B                  
3d6c38bd764e        3 minutes ago       /bin/sh -c #(nop)  EXPOSE 80                    0B                  
34ecbf263547        3 minutes ago       /bin/sh -c yum install -y httpd                 52.8MB              
481ee4c61717        3 minutes ago       /bin/sh -c rpmdb --rebuilddb                    6.64MB              
3b6d3164f931        7 minutes ago       /bin/sh -c #(nop) COPY file:72083e7cf7811d38…   79B                 
0a3eb3fde7fd        4 years ago                                                         140MB               Imported from -

docker run -d --name vm2 -v  /opt/docker/webdata:/var/www/html rhel7:v2

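docker run -d --name vm2  rhel7:v2   without a mount

-v  /opt/docker/webdata:/var/www/html:ro  mounts the directory read-only

Without a mount, however, a new volume is created on every run

and has to be removed with docker volume rm  <volume name>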

docker exec -it vm2 bash

Now using busybox

FROM busybox

ENV name world

CMD echo "hello,$name"

docker build -t busybox:v1 .

docker run --rm busybox:v1  removed once it has run

With the bracket (exec) form  CMD ["/bin/echo","hello,$name"]

the variable $name is not expanded

Change it to CMD ["/bin/sh","-c","echo hello,$name"]

and the value is printed

Now use

FROM busybox

ENTRYPOINT ["/bin/echo","hello"]

CMD ["world"]

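ENTRYPOINT and CMD should each appear only once (if repeated, only the last one takes effect)

CMD is overridden by arguments given after the image name on docker run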
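
The CMD and ENTRYPOINT rules above, modelled in Python as an added example (not part of the original post and not Docker's own code): resolve() is a hypothetical helper that builds the argv a container would be started with, and run() executes that argv locally with name=world to show when $name is expanded.

```python
import subprocess

ENV = {"name": "world", "PATH": "/bin:/usr/bin"}  # mirrors "ENV name world"


def to_argv(instr):
    """Shell form (a string) is wrapped in /bin/sh -c; exec form (a list) is used as-is."""
    if instr is None:
        return []
    return ["/bin/sh", "-c", instr] if isinstance(instr, str) else list(instr)


def resolve(entrypoint=None, cmd=None, run_args=None):
    """Model of the argv Docker starts: args after the image name replace CMD."""
    if isinstance(entrypoint, str):
        return to_argv(entrypoint)  # shell-form ENTRYPOINT ignores CMD and run args
    tail = list(run_args) if run_args else to_argv(cmd)
    return to_argv(entrypoint) + tail


def run(argv):
    """Execute argv directly (no implicit shell), as the container runtime does."""
    done = subprocess.run(argv, env=ENV, capture_output=True, text=True, check=True)
    return done.stdout.strip()


if __name__ == "__main__":
    cases = [
        ("shell form", resolve(cmd='echo "hello,$name"')),
        ("exec form", resolve(cmd=["/bin/echo", "hello,$name"])),
        ("exec form + sh -c", resolve(cmd=["/bin/sh", "-c", "echo hello,$name"])),
        ("ENTRYPOINT + CMD", resolve(["/bin/echo", "hello"], ["world"])),
        ("CMD overridden", resolve(["/bin/echo", "hello"], ["world"], ["docker"])),
    ]
    for label, argv in cases:
        print(f"{label:18} {argv!r} -> {run(argv)}")
```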

Now build an nginx Dockerfile
FROM rhel7  
COPY dvd.repo /etc/yum.repos.d
ADD nginx-1.15.8.tar.gz  /mnt
WORKDIR /mnt/nginx-1.15.8
RUN rpmdb --rebuilddb
RUN yum install -y gcc pcre-devel zlib-devel make &> /dev/null && yum clean all && sed -i 's/CFLAGS="$CFLAGS -g"/#CFLAGS="$CFLAGS -g"/g' auto/cc/gcc && ./configure --prefix=/usr/local/nginx &> /dev/null && make &> /dev/null && make install &> /dev/null && rm -fr /mnt/nginx-1.15.8
EXPOSE 80
VOLUME ["/usr/local/nginx/html"]
CMD ["/usr/local/nginx/sbin/nginx","-g","daemon off;"]

docker build -t rhel7:v3 .
docker run -d --name nginx rhel7:v3


A multi-stage build can also be used


FROM rhel7   as build
COPY dvd.repo /etc/yum.repos.d
ADD nginx-1.15.8.tar.gz  /mnt
WORKDIR /mnt/nginx-1.15.8
RUN rpmdb --rebuilddb
RUN yum install -y gcc pcre-devel zlib-devel make &> /dev/null && yum clean all && sed -i 's/CFLAGS="$CFLAGS -g"/#CFLAGS="$CFLAGS -g"/g' auto/cc/gcc && ./configure --prefix=/usr/local/nginx &> /dev/null && make &> /dev/null && make install &> /dev/null && rm -fr /mnt/nginx-1.15.8


FROM  rhel7
COPY --from=build /usr/local/nginx /usr/local/nginx
EXPOSE 80
VOLUME ["/usr/local/nginx/html"]
CMD ["/usr/local/nginx/sbin/nginx","-g","daemon off;"]

[root@foundation11 docker_busy]# docker run -d --name nginx rhel7:v4

[root@foundation11 docker_busy]# docker run -d --name nginx_v4 rhel7:v4

[root@foundation11 docker_busy]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED              SIZE
rhel7               v4                  69862242a3f2        27 seconds ago       144MB
rhel7               v3                  4f4fcd46f278        About a minute ago   259MB


Slimmed-down version

[root@foundation11 docker_busy]# ls
busybox.tar  distroless.tar  Dockerfile  dvd.repo  nginx-1.15.8.tar.gz  nginx.tar

docker load -i distroless.tar

docker load -i nginx.tar

FROM nginx as base
ARG TIME_ZONE=Asia/Shanghai
RUN mkdir -p /opt/var/cache/nginx && \
    cp -a --parents /usr/lib/nginx /opt && \
    cp -a --parents /usr/share/nginx /opt && \
    cp -a --parents /var/log/nginx /opt && \
    cp -aL --parents /var/run /opt && \
    cp -a --parents /etc/nginx /opt && \
    cp -a --parents /etc/passwd /opt && \
    cp -a --parents /etc/group /opt && \
    cp -a --parents /usr/sbin/nginx /opt && \
    cp -a --parents /lib/x86_64-linux-gnu/libpcre.so.* /opt && \
    cp -a --parents /lib/x86_64-linux-gnu/libz.so.* /opt && \
    cp -a --parents /lib/x86_64-linux-gnu/libc.so.* /opt && \
    cp -a --parents /lib/x86_64-linux-gnu/libdl.so.* /opt && \
    cp -a --parents /lib/x86_64-linux-gnu/libpthread.so.* /opt && \
    cp -a --parents /lib/x86_64-linux-gnu/libcrypt.so.* /opt && \
    cp -a --parents /usr/lib/x86_64-linux-gnu/libssl.so.* /opt && \
    cp -a --parents /usr/lib/x86_64-linux-gnu/libcrypto.so.* /opt && \
    cp /usr/share/zoneinfo/${TIME_ZONE:-ROC} /opt/etc/localtime
FROM gcr.io/distroless/base
COPY --from=base /opt /
EXPOSE 80
ENTRYPOINT ["nginx", "-g", "daemon off;"]

[root@foundation11 docker_busy]# docker build -t  rhel7:v5 .

[root@foundation11 docker_busy]# docker run -d --name nginx rhel7:v5


 

Check which shared libraries a binary needs
[root@foundation11 docker_busy]# ldd  /usr/sbin/halt
    linux-vdso.so.1 =>  (0x00007ffe81ddf000)
    librt.so.1 => /lib64/librt.so.1 (0x00007efcc8854000)
    libselinux.so.1 => /lib64/libselinux.so.1 (0x00007efcc862d000)
    liblzma.so.5 => /lib64/liblzma.so.5 (0x00007efcc8406000)
    libgcrypt.so.11 => /lib64/libgcrypt.so.11 (0x00007efcc8185000)
    libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007efcc7f6f000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007efcc7d52000)
    libc.so.6 => /lib64/libc.so.6 (0x00007efcc7991000)
    /lib64/ld-linux-x86-64.so.2 (0x00007efcc8b0c000)
    libpcre.so.1 => /lib64/libpcre.so.1 (0x00007efcc7730000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007efcc752b000)
    libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007efcc7326000)
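
Turning ldd output into the cp -a --parents lines used in the distroless Dockerfile above, as an added example (not part of the original post). parse_ldd() and copy_commands() are hypothetical helper names; the sample is an abridged copy of the output above plus one constructed "not found" line.

```python
import re

# Abridged from the ldd output above; the libfoo line is constructed.
LDD_OUTPUT = """\
    linux-vdso.so.1 =>  (0x00007ffe81ddf000)
    librt.so.1 => /lib64/librt.so.1 (0x00007efcc8854000)
    libc.so.6 => /lib64/libc.so.6 (0x00007efcc7991000)
    /lib64/ld-linux-x86-64.so.2 (0x00007efcc8b0c000)
    libpcre.so.1 => /lib64/libpcre.so.1 (0x00007efcc7730000)
    libfoo.so.1 => not found
"""


def parse_ldd(text):
    """Return (sorted library paths to copy, names ldd could not resolve)."""
    resolved, missing = [], []
    for raw in text.splitlines():
        # Drop the trailing load address "(0x...)".
        line = re.sub(r"\s*\(0x[0-9a-f]+\)$", "", raw.strip())
        if "=>" in line:
            name, _, target = (p.strip() for p in line.partition("=>"))
            if target == "not found":
                missing.append(name)
            elif target:  # empty target: vdso, provided by the kernel
                resolved.append(target)
        elif line.startswith("/"):
            resolved.append(line)  # dynamic loader, listed by path only
    return sorted(set(resolved)), missing


def copy_commands(paths, dest="/opt"):
    """Glob the version suffix so the symlink and the real file are both copied."""
    return [
        "cp -a --parents {} {}".format(re.sub(r"\.so(\.\d+)*$", ".so.*", p), dest)
        for p in paths
    ]


if __name__ == "__main__":
    paths, missing = parse_ldd(LDD_OUTPUT)
    print("\n".join(copy_commands(paths)))
    if missing:
        print("unresolved, image would fail at start:", ", ".join(missing))
```

ldd may execute code from the binary it inspects, so run it inside the build stage on binaries from an image you trust.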

Setting up a Docker registry

vim /etc/docker/daemon.json

docker pull registry

mkdir -p /opt/registry

docker run -d -p 5000:5000 --name registry -v /opt/registry:/var/lib/registry registry

docker images

docker tag rhel7:v2 localhost:5000/rhel7:v2

docker push localhost:5000/rhel7:v2

[root@foundation11 ~]# docker tag rhel7:v2 localhost:5000/rhel7:v2
[root@foundation11 ~]# docker push localhost:5000/rhel7:v2
The push refers to repository [localhost:5000/rhel7]
3ff8704e6e49: Pushed
c9783764f69c: Pushed
057e6ab720bd: Pushed
18af9eb19b5f: Pushed
v2: digest: sha256:50fcb6ee032d4f395b1e85bcee1ac3c9cbaea5021bed235324156b68d0709d93 size: 1159
[root@foundation11 ~]# docker pull localhost:5000/rhel7:v2

and the image can be pulled

Setting up a secure registry

cd /opt/docker

mkdir -p certs

openssl req   -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt

cp certs/westos.org.crt ca.crt

docker rm -f registry

docker run -d   --name registry   -v /opt/docker/certs:/certs  -e REGISTRY_HTTP_ADDR=0.0.0.0:443   -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 -v /opt/registry:/var/lib/registry  registry

mkdir /etc/docker/certs.d/westos.org -p

Make sure the certificate is present in both places

cp ca.crt /etc/docker/certs.d/westos.org

scp ca.crt  172.25.11.1:/etc/docker/certs.d/westos.org/

[root@foundation11 docker]# docker tag game2048:latest westos.org/game2048
[root@foundation11 docker]# docker push westos.org/game2048

server1

scp container-selinux-2.21-1.el7.noarch.rpm libsemanage-2.5-8.el7.x86_64.rpm libsemanage-python-2.5-8.el7.x86_64.rpm docker-ce-18.06.1.ce-3.el7.x86_64.rpm policycoreutils-2.5-17.1.el7.x86_64.rpm policycoreutils-python-2.5-17.1.el7.x86_64.rpm   pigz-2.3.4-1.el7.x86_64.rpm  server1:/root/

docker pull westos.org/game2048

mkdir auth

docker run --entrypoint htpasswd registry -Bbn wxh westos > auth/htpasswd

docker run --rm --entrypoint htpasswd registry -Bbn admin westos >> auth/htpasswd

docker run -d   --name registry   -v  /opt/docker/certs:/certs  -e REGISTRY_HTTP_ADDR=0.0.0.0:443   -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 -v /opt/registry:/var/lib/registry   -v /opt/docker/auth:/auth   -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd  registry
 

docker login westos.org

[root@foundation11 /]# cat /root/.docker/config.json
{
    "auths": {
        "westos.org": {
            "auth": "d3hoOndlc3Rvcw=="
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/18.06.1-ce (linux)"
    }
}
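
The "auth" value that docker login wrote above is base64 of user:password, an encoding and not encryption. The following audit of a config.json is an added example (not part of the original post); audit_docker_config() is a hypothetical helper, and the registry.example.internal entry in the sample is constructed.

```python
import base64
import json

# The config.json shown above, plus one constructed entry without a secret.
SAMPLE_CONFIG = """
{
    "auths": {
        "westos.org": {"auth": "d3hoOndlc3Rvcw=="},
        "registry.example.internal": {}
    },
    "HttpHeaders": {"User-Agent": "Docker-Client/18.06.1-ce (linux)"}
}
"""


def audit_docker_config(text):
    """Return one finding per registry whose credentials are stored inline."""
    cfg = json.loads(text)
    # With credsStore set, docker login keeps the secret in an external
    # helper and leaves the "auth" field empty.
    helper = cfg.get("credsStore")
    findings = []
    for registry, entry in cfg.get("auths", {}).items():
        blob = entry.get("auth")
        if not blob:
            continue
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            findings.append({"registry": registry, "user": None,
                             "password_len": None, "status": "undecodable"})
            continue
        user, _, password = decoded.partition(":")
        findings.append({"registry": registry, "user": user,
                         "password_len": len(password),  # never echo the secret
                         "status": "inline-base64"})
    return {"creds_store": helper, "findings": findings}


if __name__ == "__main__":
    report = audit_docker_config(SAMPLE_CONFIG)
    for f in report["findings"]:
        print(f"{f['registry']}: user={f['user']} "
              f"password_len={f['password_len']} ({f['status']})")
    if report["findings"] and not report["creds_store"]:
        print("no credsStore configured; keep the file at mode 0600 "
              "or switch to a credential helper")
```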

Web UI   localhost:8080

docker-registry-web.tar

docker load -i docker-registry-web.tar

docker run -it -p 8080:8080 --name registry-web --link registry:westos.org  -e REGISTRY_URL=https://westos.org:5000/v2 -e REGISTRY_TRUST_ANY_SSL=true -e REGISTRY_BASIC_AUTH=""  -e REGISTRY_NAME=westos.org  -e REGISTRY_READONLY=false docker-registry-web

docker run -it -p 8080:8080 --name registry-web --link registry:westos.org  -e REGISTRY_URL=https://westos.org:5000/v2 -e REGISTRY_TRUST_ANY_SSL=true -e REGISTRY_BASIC_AUTH="d3hoOndlc3Rvcw=="  -e REGISTRY_NAME=westos.org  docker-registry-web

docker run -d --restart=always --name registry -v  /opt/docker/certs:/certs -e  REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 -v /opt/registry:/var/lib/registry -v /opt/docker/auth:/auth  -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -e REGISTRY_DELETE_ENABLED=true registry

[root@foundation11 docker]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                            NAMES
464cee70edb0        registry            "/entrypoint.sh /etc…"   33 seconds ago      Up 33 seconds       0.0.0.0:443->443/tcp, 5000/tcp   registry

--insecure-registry 172.25.11.250

[root@foundation11 ~]# docker ps -a
CONTAINER ID        IMAGE                 COMMAND                  CREATED              STATUS                      PORTS                            NAMES
23ec6a2663c7        registry              "/entrypoint.sh /etc…"   About a minute ago   Up About a minute           0.0.0.0:443->443/tcp, 5000/tcp   registry
59b585a11fdb        docker-registry-web   "start.sh"               3 minutes ago        Up 2 minutes                0.0.0.0:8080->8080/tcp           registry-web


Reposted from blog.csdn.net/m493096871/article/details/88591655