Operation and Maintenance Chapter Docker Soul Torture 2-2


In the previous section we analyzed the image, Docker's core component. In this section we take a hard look at the container, which sits on top of the image layers. The figure below shows that a container is generated from the image layers. The relationship between an image and a container is analogous to the relationship between a class and an object. In the Docker world, an image is read-only, while a container is readable and writable.

[Figure: docker-container.png]

We already covered how to create a container in the earlier introductory Docker article. For example, the command to create a Tomcat container is as follows:

docker run -d --name my-tomcat -p 9090:8080 tomcat

Creating an image from a container

Soul torture 1: Since we know that a container is created from an image, can we go the other way and get an image from a container?

Let's work through an example:

# 1. Pull the centos image
docker pull centos
# 2. Create a centos container from the centos image
docker run -d -it --name my-centos centos
# 3. Enter the my-centos container
docker exec -it my-centos bash
# 4. Run the vim command; the shell prints:
bash: vim: command not found
# 5. Modify this container by installing vim, then generate a new centos image from it
# 6. Install vim inside the centos container
yum install -y vim
# 7. Leave the container (exit or Ctrl+d) and generate a new image from it named "vim-centos-image"
docker commit my-centos vim-centos-image
# 8. List the images, then create a new container from "vim-centos-image"
docker images
docker run -d -it --name my-vim-centos vim-centos-image
# 9. Enter the my-vim-centos container
docker exec -it my-vim-centos bash
# 10. Check whether the vim command exists
vim

After these steps, we find that the image created from the container, and the new container started from that image, inherit the changes made in the original container. However, this method is not recommended. Images are normally built from a Dockerfile; with an image produced by docker commit, we cannot know how the image was created. The recommended approach is the custom image build described in the previous section.

Common commands for container

We have used several commands for operating containers above, here is a summary:

# 1. Create a container from an image
docker run -d --name my-tomcat -p 9090:8080 tomcat
# 2. List running containers
docker ps
# 3. List all containers (including exited ones)
docker ps -a
# 4. Remove a container
docker rm containerid
# 5. Remove all containers
docker rm -f $(docker ps -a -q)
# 6. Enter a container
docker exec -it container bash
# 7. Generate an image from a container
docker commit my-centos vim-centos-image
# 8. View the logs of a container
docker logs container
# 9. View container resource usage
docker stats
# 10. View detailed information about a container
docker inspect container
# 11. Stop / start a container
docker stop container
docker start container

Supplement: delete image and container commands

# 1. Kill all running containers
docker kill $(docker ps -q)
# 2. Remove all stopped containers (running containers are refused with an error)
docker rm $(docker ps -a -q)
# 3. Remove all dangling (untagged) images
docker rmi $(docker images -q -f dangling=true)
# 4. Remove all images
docker rmi $(docker images -q)
# 5. Force-remove images that cannot be removed normally
docker rmi -f <IMAGE_ID>
docker rmi -f $(docker images -q)
# Aliases for ~/.bash_aliases
	# 1. Kill all running containers.
	alias dockerkill='docker kill $(docker ps -q)'
	# 2. Remove all stopped containers.
	alias dockercleanc='docker rm $(docker ps -a -q)'
	# 3. Remove all untagged images.
	alias dockercleani='docker rmi $(docker images -q -f dangling=true)'
	# 4. Remove all stopped containers and untagged images.
	alias dockerclean='dockercleanc || true && dockercleani'

Container resource monitoring

As the name suggests, a container has its own "size", and only sensible use of its resources lets it perform well.

Now that we know the basic container commands, we can run docker stats to see detailed status information for the running containers.

[Figure: Container-resource.png]

We can see that, by default, a container's memory limit is the host's maximum memory, which leaves resource usage uncontrolled.

Resource usage can be constrained mainly in two ways:

  • Memory limit

    #--memory memory limit
    docker run -d --memory 100M --name tomcat1 tomcat
    
  • CPU limit

    # --cpu-shares: CPU weight
    docker run -d --memory 100M --cpu-shares 10 --name tomcat02 tomcat
    

[Figure: container-sourceLimit.png]

From the above picture, we can see that the setting has been successful. The specific size can be flexibly adjusted according to the actual situation.
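
To find containers that are still running without the limits set above, the following added example (not from the original article) reads one line per container from docker inspect and flags those whose memory limit or CPU shares are unset. The function names and the sample lines are constructed for illustration; docker inspect reports 0 in both fields when the option was not given.

```shell
#!/bin/sh
# Added example: flag containers started without --memory / --cpu-shares.
# Input lines: "<name> <HostConfig.Memory in bytes> <HostConfig.CpuShares>"
# docker inspect reports 0 in either field when the option was not set.

flag_unlimited() {
    awk '
        NF < 3 { next }                       # skip blank or malformed lines
        {
            name = $1; sub(/^\//, "", name)   # inspect prefixes names with "/"
            mem = $2 + 0; cpu = $3 + 0
            if (mem == 0 && cpu == 0) issue = "no-memory-limit,default-cpu-shares"
            else if (mem == 0)        issue = "no-memory-limit"
            else if (cpu == 0)        issue = "default-cpu-shares"
            else next                         # both set: nothing to report
            printf "%s %s\n", name, issue
        }'
}

# Constructed sample resembling the containers created in this article
# (100M = 104857600 bytes).
sample_inspect_lines() {
    cat <<'EOF'
/my-tomcat 0 0
/tomcat1 104857600 0
/tomcat02 104857600 10
EOF
}

# Live usage on a Docker host (needs the docker CLI):
#   docker ps -q | xargs docker inspect \
#     --format '{{.Name}} {{.HostConfig.Memory}} {{.HostConfig.CpuShares}}' \
#     | flag_unlimited

# Offline demonstration on the constructed sample.
sample_inspect_lines | flag_unlimited
```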

The command line is fine for experimenting, but in a production environment with a large number of containers it falls short. At that point we need a powerful container monitoring tool.

Weavescope

github address: https://github.com/weaveworks/scope

This tool is powerful and simple to set up. You may hit one small obstacle along the way, but it is easy to solve.

# 1. Set up the weavescope environment
sudo curl -L git.io/scope -o /usr/local/bin/scope
sudo chmod a+x /usr/local/bin/scope
scope launch 192.168.110.164
# 2. Open http://192.168.110.164:4040/ in a browser. The page may be unreachable at this point, so check whether port 4040 is open.
	# 2.1 Check the port status
	firewall-cmd --query-port=4040/tcp
	# 2.2 Add the port
	firewall-cmd --add-port=4040/tcp --permanent
	# 2.3 Reload the firewall rules
	firewall-cmd --reload

Detailed introduction to weave:

You can refer to the official website: https://www.weave.works/docs/

You can also look at this article: https://www.jianshu.com/p/1155b97bfdd8

Container technical support

Above we covered some important points about containers, so let's summarize.

A container is a lightweight virtualization technology that does not need to emulate hardware to create virtual machines. Docker is a custom container format built on Linux kernel technologies such as namespaces, cgroups and union file systems, and it provides a virtual operating environment.

Namespace: used for isolation, such as pid [process], net [network], mnt [mount point], etc.

CGroups: control groups, used to limit resources such as memory and CPU

Union file systems: used for image and container layering
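
The namespace isolation summarized above can be observed from the host: every process exposes its namespaces as links under /proc/<pid>/ns, and two processes share a namespace exactly when the link targets match. This added example (not from the original article) compares two PIDs for the three namespace types named above; the function names, the optional proc-root argument and the constructed sample tree are assumptions for illustration.

```shell
#!/bin/sh
# Added example: list which namespaces two processes share.
# /proc/<pid>/ns/<type> is a symlink such as "pid:[4026531836]";
# equal targets mean both processes are in the same namespace.

shared_namespaces() {
    pid_a=$1; pid_b=$2; proc_root=${3:-/proc}
    for ns in pid net mnt; do                 # the three types named in the text
        a=$(readlink "$proc_root/$pid_a/ns/$ns") || return 1
        b=$(readlink "$proc_root/$pid_b/ns/$ns") || return 1
        if [ "$a" = "$b" ]; then
            echo "$ns shared"
        else
            echo "$ns isolated"
        fi
    done
}

# Constructed /proc-like tree: PID 1 is a host process, 4242 is a container's
# main process, 4243 is a shell started in that container with docker exec.
make_sample_proc() {
    root=$(mktemp -d)
    while read -r pid p n m; do               # "<pid> <pid-ns> <net-ns> <mnt-ns>"
        mkdir -p "$root/$pid/ns"
        ln -s "pid:[$p]" "$root/$pid/ns/pid"
        ln -s "net:[$n]" "$root/$pid/ns/net"
        ln -s "mnt:[$m]" "$root/$pid/ns/mnt"
    done <<'EOF'
1 4026531836 4026531992 4026531840
4242 4026532501 4026532504 4026532499
4243 4026532501 4026532504 4026532499
EOF
    echo "$root"
}

# Live usage on a Docker host (run as root):
#   shared_namespaces 1 "$(docker inspect --format '{{.State.Pid}}' my-centos)"

sample_root=$(make_sample_proc)
shared_namespaces 1 4242 "$sample_root"       # host vs container
shared_namespaces 4242 4243 "$sample_root"    # two processes in one container
rm -rf "$sample_root"
```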

If you want to explore further, please see my next article, Operation and Maintenance Docker Network Analysis. Stay tuned~


Origin blog.csdn.net/aiwaston/article/details/105125798