Docker learning - Docker container operations

docker run is the method for starting a container. The command that the container runs at startup can be specified in three ways:
(1) the CMD instruction
(2) the ENTRYPOINT instruction
(3) on the docker run command line
For a container that keeps running, we often need to enter it to do some work, such as viewing logs, debugging, starting other processes and so on. There are two ways to enter a container: attach and exec.

docker attach

First, start a container that keeps running in the background:

docker run -d ubuntu /bin/bash -c "while true; do sleep 1; echo i_am_a_container; done"

Then check the ID of the container:

docker ps -a


CONTAINER ID is the ID of the container. It is in fact the first 12 characters of the container ID, also known as the short ID.
IMAGE is the base image.
NAMES is the name of the container. The container can be explicitly named with the --name parameter when starting it.

docker attach attaches the terminal to the container's startup command.

docker attach 1e5cc7e3b22b 

After attaching to the container's startup command by its short ID, you see the information that echo prints every second.
You can then leave the attached terminal by pressing Ctrl+p followed by Ctrl+q.

docker exec

You can also enter the container through docker exec:

docker exec -it 1e5cc7e3b22b bash

Description:
1. -it opens an interactive terminal and executes bash in it
2. You can run commands as on a normal Linux system, for example to show the processes started in the container
3. Exit the container

The docker exec command format is as follows:

docker exec -it <container> bash|sh

attach vs exec

The main differences between the two are as follows:
1. attach goes directly into the terminal of the container's startup command and does not start a new process
2. exec opens a new terminal in the container and can start a new process
3. If you want to view the output of the startup command directly in the terminal, use attach; otherwise use exec

Best practices for running containers

By use, containers can be roughly divided into two categories: service containers and tool containers.
The former run as daemons and provide services, such as web servers, databases and so on. Starting this type of container in the background with -d is very appropriate; if you need to troubleshoot a problem, you can enter the container with exec -it.
The latter typically give us a temporary work environment and are usually run with run -it.

Tool containers mostly use base images, e.g. busybox, debian, ubuntu etc.

To summarize:

(1) When the command specified by CMD, ENTRYPOINT or the docker run command line finishes running, the container stops
(2) The -d parameter starts a container in the background
(3) exec -it can enter the container and run commands

Container life cycle

stop / start / restart a container

docker stop: stops a running container. A container is actually a process on the docker host, and this command essentially sends a SIGTERM signal to that process. A container can also be stopped quickly with the docker kill command.

docker start: starts a stopped container. docker start retains the parameters from the container's first start.

docker restart: restarts a container

pause / unpause a container

docker pause: pauses a container, for example when you need to take a snapshot of the container file system
docker unpause: a container in the paused state does not take up CPU resources until it is resumed with docker unpause

Delete a container

docker rm: after using docker for a period of time, there may be a large number of exited containers. These still take up file system resources on the host, and you can delete them with docker rm.
If you want to delete more than one container, you can use the following command:

docker rm -v $(docker ps -aq -f status=exited)

Container state machine

[Figure: life cycle state machine of the whole container]

Resource constraints

A docker host runs a number of containers, and each container needs CPU, memory and IO resources. Docker provides mechanisms to prevent one container from taking up too many resources and affecting other containers or the entire host.

Memory Limit

As in an operating system, the memory a container can use consists of two parts: physical memory and swap. Docker controls the amount of memory a container uses through the following two parameters:
(1) -m or --memory: sets the memory usage limit
(2) --memory-swap: sets the usage limit of memory plus swap
Example:
docker run -m 200M --memory-swap=300M ubuntu
This allows the container to use at most 200M of memory and at most 300M of memory plus swap. By default, both parameters are -1, i.e. there is no limit on the container's use of memory and swap.

Test with the progrium/stress image, which can be used to stress test containers:

docker run -it -m 200M --memory-swap=300M progrium/stress --vm 1 --vm-bytes 280M

Description:
1. --vm 1: start one memory worker thread
2. --vm-bytes 280M: each thread allocates 280MB of memory
Procedure:
1. Allocate 280M of memory
2. Release the 280M of memory
3. Allocate 280M of memory again
4. Release it again
5. Keep repeating this cycle

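CPU limit

By default, all containers can use the host CPU resources equally and without limit.
docker can set the weight of a container's CPU usage with -c or --cpu-shares. If not specified, the default value is 1024.
Unlike the memory limit, the cpu share set with -c is not an absolute amount of CPU resources but a relative weight. The CPU resources a container finally gets depend on the proportion of its cpu share to the sum of the cpu shares. In other words, cpu share sets the priority with which a container uses the CPU.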

docker run --name "container_A" -c 1024 ubuntu && docker run --name "container_B" -c 512 ubuntu

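container_A has a cpu share of 1024, twice that of container_B. When both containers need CPU resources, the former gets twice as much CPU as the latter.

Note in particular that this weight-based CPU allocation only happens when CPU resources are scarce. If container_A is idle, then to make full use of the CPU, container_B can be allocated all of the available CPU.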

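Block IO bandwidth limit

Block IO is another container resource that can be limited. It refers to disk reads and writes. docker can control the bandwidth with which a container reads and writes disks by setting a weight and by limiting bps and iops.

IO weight
By default, all containers can read and write disks equally. The --blkio-weight parameter changes the priority of a container's block IO.
--blkio-weight is similar to --cpu-shares: it sets a relative weight, and the default is 500.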

docker run -it --name container_A --blkio-weight 600 ubuntu && docker run -it --name container_B --blkio-weight 300 ubuntu

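With these command-line settings, the disk read/write bandwidth of container_A is twice that of container_B.

Limiting bps and iops

bps is bytes per second, the amount of data read or written per second.
iops is IO per second, the number of IO operations per second.

The bps and iops of a container can be controlled with the following parameters:
--device-read-bps: limits the bps for reading a device.
--device-write-bps: limits the bps for writing a device.
--device-read-iops: limits the iops for reading a device.
--device-write-iops: limits the iops for writing a device.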

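cgroup and namespace

cgroup and namespace are the two most important underlying technologies for implementing containers. cgroup implements resource limits, and namespace implements resource isolation.

cgroup

cgroup stands for Control Group. Through cgroups, the Linux operating system can set limits on the CPU, memory and IO resources that processes use. The --cpu-shares, -m and --device-write-bps parameters we saw earlier actually configure cgroups.
The configuration can be found under /sys/fs/cgroup.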

docker run -it --cpu-shares 512 progrium/stress -c 1

Note the container ID. Under the /sys/fs/cgroup/cpu/docker directory, Linux creates a cgroup directory for each container, named after the container's long ID.
That directory contains all the cpu-related cgroup configuration. The file cpu.shares holds the --cpu-shares setting, with the value 512.
Similarly, /sys/fs/cgroup/memory/docker and /sys/fs/cgroup/blkio/docker hold the cgroup configuration for memory and Block IO.
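
The cgroup files described above can be read back to confirm which limits a container really has, which is how you spot containers that were started without -m. This is an added example, not code from the original post: the function names, the sample tree and the container IDs are constructed, and it assumes the cgroup v1 layout shown on this page (cgroup v2 hosts use different paths and file names).

```shell
#!/bin/sh
# Added example: report per-container limits from a cgroup v1 tree.
# Assumes the layout <root>/<controller>/docker/<long-id>/ described above.

# Value cgroup v1 reports for "no memory limit" on 64-bit hosts with 4K pages.
UNLIMITED=9223372036854771712

# Print a limit in bytes, or "unlimited" when it is at the cgroup maximum.
show_limit() {
    if [ "$1" -ge "$UNLIMITED" ]; then echo unlimited; else echo "$1"; fi
}

# One line per container: "<id> mem=<..> memsw=<..> cpu_shares=<..>"
audit_limits() {
    root=$1
    for dir in "$root"/memory/docker/*; do
        [ -f "$dir/memory.limit_in_bytes" ] || continue   # skip non-container entries
        id=$(basename "$dir")
        mem=$(cat "$dir/memory.limit_in_bytes")
        # memsw file is absent when swap accounting is off: treat as no swap limit
        memsw=$(cat "$dir/memory.memsw.limit_in_bytes" 2>/dev/null || echo "$UNLIMITED")
        shares=$(cat "$root/cpu/docker/$id/cpu.shares" 2>/dev/null || echo 1024)
        echo "$id mem=$(show_limit "$mem") memsw=$(show_limit "$memsw") cpu_shares=$shares"
    done
}

# Constructed sample tree (not real host data): container "aaaa..." mirrors
# -m 200M --memory-swap=300M --cpu-shares 512, "bbbb..." has no limits set.
make_sample_tree() {
    t=$(mktemp -d)
    for id in aaaaaaaaaaaa bbbbbbbbbbbb; do
        mkdir -p "$t/memory/docker/$id" "$t/cpu/docker/$id"
    done
    echo 209715200 > "$t/memory/docker/aaaaaaaaaaaa/memory.limit_in_bytes"
    echo 314572800 > "$t/memory/docker/aaaaaaaaaaaa/memory.memsw.limit_in_bytes"
    echo 512       > "$t/cpu/docker/aaaaaaaaaaaa/cpu.shares"
    echo "$UNLIMITED" > "$t/memory/docker/bbbbbbbbbbbb/memory.limit_in_bytes"
    echo "$UNLIMITED" > "$t/memory/docker/bbbbbbbbbbbb/memory.memsw.limit_in_bytes"
    echo 1024         > "$t/cpu/docker/bbbbbbbbbbbb/cpu.shares"
    echo "$t"
}

sample=$(make_sample_tree)
audit_limits "$sample"      # a line with mem=unlimited means no -m was set
rm -rf "$sample"
```

On a Docker host that uses cgroup v1, `audit_limits /sys/fs/cgroup` lists the running containers the same way.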

namespace

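In every container we can see resources such as a file system and network cards, and these resources look like the container's own. Take the network card: every container thinks it has its own independent network card, even if the host has only one physical network card. This is a very good approach, because it makes a container look more like an independent computer.

The Linux technology that implements this is namespace. A namespace manages a globally unique resource on the host and lets each container believe that only it is using that resource. In other words, namespaces implement resource isolation between containers.
Linux uses six kinds of namespace, corresponding to six kinds of resources: Mount, UTS, IPC, PID, Network and User.

Mount namespace
Mount namespace makes a container appear to own an entire file system.

A container has its own / directory and can run the mount and umount commands. Of course, these operations take effect only in the current container and do not affect the host or other containers.

UTS namespace
Simply put, UTS namespace lets a container have its own hostname. By default, a container's hostname is its short ID; it can be set with the -h or --hostname parameter.

IPC namespace
IPC namespace lets a container have its own shared memory and semaphores for inter-process communication, without mixing them with the IPC of the host and other containers.

PID namespace
PID namespace lets a container have its own PIDs.

Network namespace
Network namespace lets a container have its own independent network card, IP, routes and other resources. We will discuss this in detail in the later networking chapter.

User namespace
User namespace lets a container manage its own users; the host cannot see users created in the container.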

Common commands

The following are the common container operation commands:
create: create a container
run: run a container
pause: pause a container
unpause: unpause a container so that it continues to run
stop: send SIGTERM to stop a container
kill: send SIGKILL to stop a container quickly
start: start a container
restart: restart a container
attach: attach to the terminal of the container's startup process
exec: start a new process in a container, usually with the "-it" parameters
logs: show the console output of the container's startup process; "-f" prints continuously
rm: delete a container from disk


Origin blog.51cto.com/11555417/2437771