Why use docker
- Dependency Management
- Rapid migration without manually installing dependencies
- For example, the JVM and other dependencies a Java program needs
- Consistency between development and production environments
- Resource isolation
- Keeps the machine clean
- Prevents one program from affecting others by modifying environment variables, startup scripts, etc.
- Reduces errors caused by already-occupied resources such as ports
- Security
- Contains malicious programs and keeps programs from affecting each other
- Limits a program's resource consumption (CPU, memory) so it cannot bring down the physical machine
Storage volume
Storing environment variables and achieving "polymorphism"
- Passwords and other configuration data are not baked into the image but supplied through environment variables or dynamically loaded configuration files
- This lets the same image be reused across environments
Bind-mounted volume
- A file or directory on the host machine is mapped into the container, avoiding unnecessary copying
- The path must be absolute
- A single file can be mounted:
-v /path/file:/path/file
- The mount can be made read-only (append :ro to the -v argument) to keep the container from modifying it
Volume management
- The directory location on the host does not have to be specified; docker creates the corresponding directory automatically
- Only a directory can be bound this way, not a single file
- The corresponding host path can be viewed with
docker inspect -f '{{json .Mounts}}' <container>
Shared storage volume
- The --volumes-from <container> parameter shares another container's storage volumes
- The path of the original binding cannot be changed, nor can its read/write permissions
- Data in a volume can be copied to a specified path with the docker cp command
- If volumes are shared from several containers and they use the same mount point, only the last one takes effect
- For example, sharing the same configuration file path
- If a data volume container has more than one mount path, the chance of a path conflict increases, so it is best to mount a single data volume per container
docker run --name devConfig -v /config <image> bash -c "cp /dev/* /config/"
docker run --name prodConfig -v /config <image> bash -c "cp /prod/* /config/"
docker run --name devApp --volumes-from devConfig <image>
docker run --name prodApp --volumes-from prodConfig <image>
Networking
- Although the diagram shows the two containers joined to both the custom bridge and the default network, they still cannot communicate
- Because iptables DROPs two-way traffic between the self-built bridge network and docker0
- docker is designed this way on purpose, to isolate different networks
- https://yq.aliyun.com/articles/311450?spm=a2c4e.11155435.0.0.7bee216fWZYjAs
- By default a container can reach the external network, but the external network cannot reach the container
- A container can be made reachable by starting it with the -P or -p parameters; the default bind address is 0.0.0.0, i.e. traffic from all addresses is accepted
- The addresses allowed to connect can be restricted by setting the bind address explicitly
The docker daemon starts a virtual network interface (docker0)
- This interface acts like a network card with its own IP address (visible with ifconfig) and lets containers communicate with the external network
- All containers in bridge mode are attached to the docker0 subnet
- All interfaces connected to docker0 belong to the same virtual subnet and can communicate with each other by IP address
- The problem is how to conveniently learn the other side's IP; this requires --link or joining the same user-defined network
- The docker daemon implements an embedded DNS server so containers can communicate directly by container name
- docker DNS has one restriction: it can only be used in user-defined networks, i.e. the default bridge network cannot use it
- With -p 1234:5678, containers reach each other on port 5678 while external services connect to port 1234
- Because containers are on the same LAN, while external access goes through NAT
- Inter-container communication can be disabled by setting --icc=false on the daemon
Each container has a local loopback interface (localhost or 127.0.0.1)
- so that programs inside the container can communicate with each other over sockets
docker uses NAT to communicate with the external network
- When a container publishes a port with -p, docker creates a NAT rule via iptables that forwards packets arriving at the host's mapped port to the docker0 gateway; docker0 then finds the target container with the corresponding IP by broadcast and forwards the packets to the container's port
- For every mapped port, the host also starts a docker-proxy process to handle traffic destined for the container
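The NAT rule described above and the 0.0.0.0 default bind address noted under Networking, as an added example that is not part of the original notes: a small audit script that reads the DNAT rules docker installs and flags published ports reachable from every address. The iptables-save output is a constructed sample following the classic docker0 rule layout; the function names are my own.

```shell
#!/bin/sh
# Added example: audit the DNAT rules that `docker run -p` creates.
# Assumes the rule layout of `iptables-save -t nat` on a host using the
# classic docker0 bridge; adjust the patterns if your version differs.

# Constructed sample of what `iptables-save -t nat` prints on such a host:
# one port published with the default 0.0.0.0 bind, one bound to 127.0.0.1.
SAMPLE_NAT_RULES='*nat
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 1234 -j DNAT --to-destination 172.17.0.2:5678
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.3:9000
COMMIT'

# Print one "hostaddr:hostport -> container:port" line per DNAT rule read
# from stdin. A rule without "-d <addr>" matches every local address, i.e.
# the container port is reachable from any interface (the -p default).
list_port_mappings() {
  awk '
    /-j DNAT/ {
      host = "0.0.0.0"; dport = ""; dest = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-d")               { host = $(i+1); sub(/\/32$/, "", host) }
        if ($i == "--dport")          { dport = $(i+1) }
        if ($i == "--to-destination") { dest = $(i+1) }
      }
      print host ":" dport " -> " dest
    }'
}

# Keep only the mappings that accept traffic from every address; these are
# the ports to review (or re-publish as -p 127.0.0.1:host:container).
list_world_reachable() {
  list_port_mappings | grep '^0\.0\.0\.0:'
}

# Stand-alone usage: --live reads the real table, otherwise the sample is used.
if [ "${1:-}" = "--live" ]; then
  iptables-save -t nat | list_world_reachable
else
  printf '%s\n' "$SAMPLE_NAT_RULES" | list_world_reachable
fi
```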
How link works
- The receiving container (the one started with the link parameter) stores the following information:
- Environment variables are set: the source container's name, alias, IP, exposed ports, etc.
- If the source container gets a new IP after a restart, the receiving container's environment variables are not updated
- The /etc/hosts file is updated: a record with the source container's IP and alias is added
- After the source container restarts, the receiving container's /etc/hosts file is updated automatically
- The receiving container must be started after the source container
- This applies only to the default container network
- A receiving container can also be defined in a custom network
- In fact, link in a custom network is not implemented by configuring the /etc/hosts file but by DNS resolution