Docker image production and warehouse building

Container / package Mirror

Mirror Package

1、镜像打包：
docker save ‐o /root/tomcat7.tar mytomcat

2、将打包的镜像上传到其他服务器
scp tomcat7.tar 其他服务器ip:/root

3、导入镜像
docker load ‐i /root/tomcat7.tar

Container packing

1、容器打包
docker export ‐o /root/t1.tar t1

2、导入容器
docker import t1.tar mytomcat:latest

Mirroring

docker commit
submit a running container for a new image

• Production steps (making a mirror tomcat)

  1、拉取一个基础镜像（其始就是OS）
  docker pull centos
  
  2、创建一个交互式容器
  docker run ‐it ‐‐name=mycentos centos:latest
  
  3、软件上传：将宿主机Tomact、jdk上传到容器中
  docker cp apache‐tomcat‐7.0.47.tar.gz mycentos:/root/
  docker cp jdk‐8u161‐linux‐x64.tar.gz mycentos:/root/
  
  4、在容器中安装jdk  （yum install java‐1.7.0‐openjdk）
  tar ‐zxvf jdk‐8u161‐linux‐x64.tar.gz ‐C /usr/local/
  编辑/etc/profile文件，添加如下内容：
  JAVA_HOME=/usr/local/jdk1.8.0_161
  export PATH=$JAVA_HOME/bin:$PATH
  
  5、在容器中安装tomcat
  tar ‐zxvf apache‐tomcat‐7.0.47.tar.gz ‐C /usr/local/
  编辑tomcat/bin/setclsspath.sh文件，添加如下内容：
  export JAVA_HOME=/usr/local/jdk1.8.0_161
  export JRE_HOME=/usr/local/jdk1.8.0_161/jre
  
  6、将正在运行的容器提交为一个新的镜像
  docker commit mycentos mytomcat
  

• Port Mapping

  docker run ‐itd ‐‐name=t1 ‐p 8888:8080 mytomcat /bin/bash
  docker exec t1 /usr/local/apache‐tomcat‐7.0.47/bin/startup.sh
  

• Access by host: http: // ip: port

docker builder
Dockerfile used to build a basic Docker image based on an instruction syntax DSL, after use Docker
Builder to build a command based on the new image Dockerfile instructions.

• DSL syntax:

  • The FROM (designated basic image)
    build instructions, and need to be specified in the preceding Dockerfile other instructions. It must be the first instruction FROM instruction. Further, when creating a plurality of mirrors in the same Dockerfile may be used a plurality FROM instruction.
    This command has two formats:

    • Last modified base image for the image of the specified versionFROM <image>
    • A tag version specified for the image of the base imageFROM <image>:<tag>

  • The MAINTAINER on (information to specify the image creator)
    build instructions for writing the image of the creator of the information related to the image. When we order the execution image docker inspect, output a corresponding field of the message.

    • format:MAINTAINER <name>

  • RUN (with software installed)
    build instructions, RUN basic image can be run any commands supported.
    This command has two formats:

    • RUN <command>
    • RUN ["executable", "param1", "param2" ... ]

  • The CMD (container setting operation performed when start)
    setting instruction, when the container is used to specify start operation. This operation can be executed custom scripts can be executed
    line system commands. This instruction can only exist once in the file, if there is more, only the last execution.
    The instruction formats:

    • CMD ["executable","param1","param2"]
    • CMD command param1 param2
    • When Dockerfile specified ENTRYPOINT, then use the following format:CMD ["param1","param2"]
      • Wherein: ENTRYPOINT specified path is a script or executable program, script, or the designated program to be executed as parameters param1 and param2. So if CMD command using the form above, then Dockerfile must have supporting ENTRYPOINT.

  • EntryPoint (setting operation performed when starting container)
    provided instructions, commands executed when a container is started to be set many times but only the last valid.
    Two formats:

    • ENTRYPOINT ["executable", "param1", "param2"]
    • ENTRYPOINT command param1 param2

    Use of the instruction is divided into two cases

    • Alone use: When used by itself, if it is using the command CMD and CMD is a complete executable command, the command CMD and ENTRYPOINT will overwrite each other, only the last CMD or ENTRYPOINT effective.
    • CMD and instructions in conjunction with:
      • CMD command will not be executed, only ENTRYPOINT executed
      • And instructions to specify where the CMD default parameters ENTRYPOINT, then CMD executable instruction is not a complete command, only part of the parameters

      FROM ubuntu
      CMD ["‐l"]
      ENTRYPOINT ["/usr/bin/ls"]
      

  • The USER (user provided container vessel)
    setting instruction, a user starting container is provided, the default is the root user.

    #指定memcached的运行用户
    ENTRYPOINT ["memcached"]
    USER daemon
    
    或者
    ENTRYPOINT ["memcached", "‐u", "daemon"]
    

  • EXPOSE (specified container needs to be mapped to a port of the host machine)
    provided instructions container ports will be mapped to a port of the host machine. When the IP address of each run of the container the container can not be specified, but randomly generated within the address range of the bridge card. IP address of the host machine is fixed, we can map the port container to a port on the host machine, eliminating the need to view every container each time the vessel a service to access the IP address.

    • EXPOSE first use of the container port is provided to be mapped in Dockerfile
    • Then EXPOSE -p option is set with the port when the container is running, the port number will be set such EXPOSE randomly mapped to a port number of the host machine.

    format:

    • EXPOSE <port> [<port>...]

    #映射一个端口
    EXPOSE port1
    #相应的运行容器使用的命令
    docker run ‐p port1 image 
    
    #映射多个端口
    EXPOSE port1 port2 port3
    #相应的运行容器使用的命令
    docker run ‐p port1 ‐p port2 ‐p port3 image
    #还可以指定需要映射到宿主机器上的某个端口号
    docker run ‐p host_port1:port1 ‐p host_port2:port2 ‐p host_port3:port3 image
    

  • ENV (used to set the environment variable)
    is mainly used for container runtime environment variable is set after set, follow the RUN command can be used, after the container started, you can inspect to see this environment variable by docker, also by docker run set or modify environment variables --env key = value.
    format:

    • ENV <key> <value>

    If you install the JAVA program, you need to set JAVA_HOME, you can write in Dockerfile in:

    ENV JAVA_HOME /path/to/java/dirent
    

  • The ADD (src from dest copy the files to the container path)
    is mainly used to add files to the host in the mirror build instructions, all copies of the container file and folder permissions 0755, uid and gid is 0;

    • If it is a directory, then add all the files in the directory into the container, not including the directory;
    • If the file is a compressed format recognizable, the docker will help decompression (note compression format);
      • If <src>the file and <dest>does not use a slash end, it will be <dest>treated as a file, <src>the content is written;
      • If <src>the file and <dest>use slash end, it will <src>copy the file to <dest>the directory.

    format:

    • ADD <src> <dest>
      • <src>Is the relative path is constructed opposite the source directory, the path may be a file or directory, or may be a remote file url, <dest>is the absolute path of the container
      • If <src>the file and <dest>does not use a slash end, it will be <dest>treated as a file, <src>the content is written;
      • If <src>the file and <dest>use slash end, it will <src>copy the file to <dest>the directory.

  • The VOLUME (mount point))
    to make a container having a directory persistent function of storing data, the directory can be used as such a container may be shared with other containers. Container using AUFS, this kind of data the file system can not be sustained, when the container is closed, all changes will be lost. When the application container has a persistent data requirements can be used in the instruction Dockerfile.
    format:

    • VOLUME ["<mountpoint>"]

    FROM base
    VOLUME ["/tmp/data"]
    

    • Using the above container shared / tmp / data directory, you can run the following command to start a container:

    #其中：container1为第一个容器的ID，image2为第二个容器运行image的名字。
    docker run ‐t ‐i ‐rm ‐volumes‐from container1 image2 bash
    

  • The WORKDIR (change directory)
    setting instructions, may switch multiple times (corresponding to the cd command), to RUN, CMD, ENTRYPOINT effect.
    format:

    • WORKDIR /path/to/workdir

    #在/p1/p2下执行vim a.txt
    WORKDIR /p1 WORKDIR p2 RUN vim a.txt
    

  • ONBUILD (performed in the sub-mirror)
    ONBUILD specified command is not performed in the construction of the mirror, but performs its sub-mirror.
    format:

    • ONBUILD <Dockerfile关键字>

• By constructing the mirror dockerfile steps:

  • Create a directory
  • Creating Dockerfile documents and other files in the directory
  • Mirroring docker build Construction
  • Starting container constructed by mirroring

• Case

  • Dockerfile

  #pull down centos image
  FROM docker.io/centos
  MAINTAINER ruanwen [email protected]
  
  #install nginx
  RUN yum install ‐y pcre pcre‐devel openssl openssl‐devel gcc gcc+ wget vim net‐tools
  RUN useradd www ‐M ‐s /sbin/nologin
  RUN cd /usr/local/src && wget http://nginx.org/download/nginx‐1.8.0.tar.gz && tar ‐zxvf nginx‐1.8.0.tar.gz
  RUN cd /usr/local/src/nginx‐1.8.0 && ./configure ‐‐prefix=/usr/local/nginx ‐‐user=www ‐‐group=www ‐‐with‐http_stub_status_module ‐‐with‐http_ssl_module && make && make install'
  
  ENTRYPOINT /usr/local/nginx/sbin/nginx && tail ‐f /usr/local/nginx/logs/access.log
  

  • Construction of the mirror:

  docker build -f Dockerfile ‐t rw_nginx ‐‐rm=true .
  

  • -t generated image represents optionally specify a user name, name and tag warehouse
  • --rm = true indicates that the specified delete the temporary container produced in the intermediate image generation process.
  • Note: Construction of the last symbol of the above command do not leak, indication Dockerfile mirror constructed in the current directory '.'

docker warehouse

docker hub

• Open https://hub.docker.com/
• Registered account: Slightly
• Create a warehouse (Create Repository): slightly
• Set up a mirrored label
  • docker tag local‐image:tagname new‐repo:tagname（设置tag）
  • eg:docker tag hello‐world:latest 108001509033/test‐hello‐world:v1
• Log Hub Docker
  Docker the Login (carriage return, enter the account number and password)
• Push mirroring
  • docker push new‐repo:tagname
  • eg：docker push 108001509033/test‐hello‐world:v1

Ali Cloud

• Ali cloud account creation
• Create a namespace
• Create a mirror warehouse
• Operations Guide
  • $ sudo docker login ‐‐username=[账号名称] registry.cn‐hangzhou.aliyuncs.com
  • $ sudo docker tag [ImageId] registry.cn‐hangzhou.aliyuncs.com/360buy/portal:[镜像版本号]
  • $ sudo docker push registry.cn‐hangzhou.aliyuncs.com/360buy/portal:[镜像版本号]

Build private warehouse

• To build a private warehouse

1、启动Docker Registry，使用Docker官方提供的Registry镜像就可以搭建本地私有镜像
仓库，具体指令如下。
$ docker run ‐d \
  ‐p 5000:5000 \
  ‐‐restart=always \
  ‐‐name registry \
  ‐v /mnt/registry:/var/lib/registry \
  registry:2
指令参数说明：
	‐d：表示在后台运行该容器；
	‐p 5000:5000：表示将私有镜像仓库容器内部默认暴露的5000端口映射到宿主机的5000端口
	‐‐restart=always：表示容器启动后自动启动本地私有镜像仓库
	‐‐name registry：表示为生成的容器命名为registry
	‐v /mnt/registry:/var/lib/registry：表示将容器内的默认存储位置/var/lib/registry中的数据挂载到宿主机的/mnt/registry目录下，这样当容器销毁后，在容器中/var/lib/registry目录下的数据会自动备份到宿主机指定目录
说明：
	Docker Registry目前有v1和v2两个版本，v2版本并不是v1版本的简单升级，而是在很多功能上都有了改进和优化。
	v1版本使用的是Python开发的，而v2版本是用go语言开发的；
	v1版本本地镜像仓库容器中数据默认挂载是/tmp/registry，而v2版本的本地镜像仓库容器中数据默认挂载点是/var/lib/registry


2、重命名镜像，之前推送镜像时，都是默认推送到远程镜像仓库，而本次是将指定镜像推送
到本地私有镜像仓库。由于推送到本地私有镜像仓库的镜像名必须符合“仓库IP:端口
号/repository”的形式，因此需要按照要求修改镜像名称，具体操作指令如下。
$ docker tag hello‐world:latest localhost:5000/myhellodocker


3、推送镜像，本地私有镜像仓库搭建并启动完成，同时要推送的镜像也已经准备就绪后，就
可以将指定镜像推送到本地私有镜像仓库了，具体操作指令如下
$ docker push localhost:5000/myhellodocker


4、查看本地仓库镜像
http://localhost:5000/v2/myhellodocker/tags/list  （注意：使用该地址时注意镜像名称）
由于做了目录挂载，因此可以在本地的该目录下查看：
/mnt/registry/docker/registry/v2/repositories

• Configuring authentication private warehouse

 一、配置私有仓库认证
1、查看Docker Registry私有仓库搭建所在服务器地址：ifconfig
例如：服务器地址为：192.168.200.141


2、生成自签名证书（在home目录下执行上述指令后）
要确保Docker Registry本地镜像仓库的安全性，还需要一个安全认证证书，来保证其他
Docker机器不能随意访问该机器上的Docker Registry本地镜像仓库，所以需要在搭建
Docker Registry本地镜像仓库的Docker主机上先生成自签名证书（如果已购买证书就无需
生成），具体操作指令如下。
$ mkdir registry && cd registry && mkdir certs && cd certs
$ openssl req ‐x509 ‐days 3650 ‐subj '/CN=192.168.200.162:5000/' \
    ‐nodes ‐newkey rsa:2048 ‐keyout domain.key ‐out domain.crt
指令参数说明：
	‐x509：x509是一个自签发证书的格式
	‐days 3650：表示证书有效期
	192.168.197.141:5000：表示具体部署Docker Registry本地镜像仓库的地址和端口
	rsa:2048：是证书算法长度
	domain.key和domain.crt：就是生成的证书文件

3、生成用户名和密码
在Docker Registry本地镜像仓库所在的Docker主机上生成自签名证书后，为了确保
Docker机器与该Docker Registry本地镜像仓库的交互，还需要生成一个连接认证的用户名
和密码，使其他Docker用户只有通过用户名和密码登录后才允许连接到Docker Registry本
地镜像仓库
$ cd .. && mkdir auth
$ docker run ‐‐entrypoint htpasswd registry:2 ‐Bbn ruanwen 123456 >
auth/htpasswd


4、启动Docker Registry本地镜像仓库服务（将之前创建的容器删除）
$ docker run ‐d \
  ‐p 5000:5000 \
  ‐‐restart=always \
  ‐‐name registry \
  ‐v /mnt/registry:/var/lib/registry \
  ‐v `pwd`/auth:/auth \
  ‐e "REGISTRY_AUTH=htpasswd" \
  ‐e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  ‐e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  ‐v `pwd`/certs:/certs \
  ‐e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  ‐e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2


5、配置Docker Registry访问接口
完成Docker Registry本地镜像仓库服务启动后，还需要在搭建了Docker Registry本地镜
像仓库所在的Docker主机上配置供其他Docker机器访问的接口，具体指令如下：
$ sudo mkdir ‐p /etc/docker/certs.d/192.168.200.162:5000
$ sudo cp certs/domain.crt /etc/docker/certs.d/192.168.200.162:5000


6、Docker Registry私有仓库使用登记
在Docker机器终端使用sudo vim /etc/docker/daemon.json命令编辑daemon.json文
件，在该文件中添加如下内容
{"insecure‐registries":["192.168.200.162:5000"]}


7、重启并加载docker配置文件
$ sudo /etc/init.d/docker restart

• Verification Test

1、装备镜像
$ docker tag hello‐world:latest 192.168.200.162:5000/myhelloworld


2、推送镜像
$ docker push 192.168.200.141:5000/myhelloworld
送过程中出现错误，信息提示为：no basic auth credentials（即没有通过身份验
证），所以无法进行推送，这也就说明身份验证的配置有效。要想成功推送，需要先登录成
功后再推送


3、登录Docker Registry镜像仓库
$ docker login 192.168.200.162:5000


4、再次推送
$ docker push 192.168.200.139:5000/myhelloworld


5、结果验证
由于做了目录挂载，因此可以在本地的该目录下查看：
/mnt/registry/docker/registry/v2/repositories