docker yaml


docker run : runs a command in a new container, pulling the image if needed and starting the container

Using the image nginx:latest, start a container in detached mode, map the container's port 80 to port 80 on the host, and map the host directory /data to /data in the container.

docker run -p 80:80 -v /data:/data -d nginx:latest

docker start : start one or more stopped containers

docker stop : stop a running container

docker restart : restart a container

docker ps : list running containers

docker inspect : get additional information about a container

docker exec : run a command in a running container

  • -d : detached mode: run the command in the background
  • -i : keep STDIN open even if not attached
  • -t : allocate a pseudo-terminal

Run the script /root/runoob.sh inside the container mynginx in interactive mode:

runoob@runoob:~$ docker exec -it mynginx /bin/sh /root/runoob.sh
http://www.runoob.com/

Open an interactive terminal in the container mynginx:

runoob@runoob:~$ docker exec -i -t  mynginx /bin/bash
root@b1a0703e41e7:/#

You can also use the docker ps -a command to list the containers that are already running, then enter a container using its container ID. Look up the ID of a running container:

# docker ps -a 
...
9df70f9a0714        openjdk             "/usercode/script.sh…" 
...

Dockerfile

docs.docker.com/language/go…

Docker can build images automatically by reading the instructions from a Dockerfile. A Dockerfile is a text document that contains all the commands a user could call on the command line to assemble an image.

# syntax=docker/dockerfile:1

FROM golang:1.19

# Set destination for COPY
WORKDIR /app

# Download Go modules
COPY go.mod go.sum ./
RUN go mod download

# Copy the source code. Note the slash at the end, as explained in
# https://docs.docker.com/reference/dockerfile/#copy
COPY *.go ./

# Build
RUN CGO_ENABLED=0 GOOS=linux go build -o /docker-gs-ping

# Optional:
# To bind to a TCP port, runtime parameters must be supplied to the docker command.
# But we can document in the Dockerfile what ports
# the application is going to listen on by default.
# https://docs.docker.com/reference/dockerfile/#expose
EXPOSE 8080

# Run
CMD ["/docker-gs-ping"]

  • The WORKDIR instruction sets the working directory for any RUN, CMD, ENTRYPOINT, COPY and ADD instructions that follow it in the Dockerfile

  • The RUN instruction will execute any commands to create a new layer on top of the current image.

  • docker build --tag docker-gs-ping .

  • docker image ls

docker compose

compose.yaml

The default path for a Compose file is compose.yaml (preferred) or compose.yml that is placed in the working directory. Compose also supports docker-compose.yaml and docker-compose.yml for backwards compatibility of earlier versions. If both files exist, Compose prefers the canonical compose.yaml.

docs.docker.com/compose/com…

docker compose up

Builds, (re)creates, starts, and attaches to containers for a service.

YAML basic syntax

  • Case sensitive
  • Indentation expresses hierarchy
  • Tabs are not allowed for indentation; only spaces are
  • The number of spaces does not matter, as long as elements at the same level are left-aligned
  • '#' marks a comment

Object key/value pairs are written with a colon, key: value; there must be a space after the colon

How it works

www.slideshare.net/slideshow/d…

docker components


Namespace

The key property of a namespace is process isolation

Types of namespaces

The Linux kernel contains several types of namespaces. Each namespace has its own distinct properties.

  • [User namespace] has its own set of user IDs and group IDs to assign to processes. This means a process can have root privileges within its user namespace without having them in any other user namespace.
  • [Process ID (PID) namespace] assigns a set of PIDs to its processes that is independent of the PIDs in other namespaces. The first process created in a new namespace gets PID 1, and child processes are assigned subsequent PIDs. If a child process is created with its own PID namespace, it has PID 1 in that namespace and its own PID in the parent's namespace. See the example [below].
  • [Network namespace] has an independent network stack: its own private routing table, set of IP addresses, socket list, connection-tracking table, firewall and other network-related resources.
  • [Mount namespace] has an independent list of mount points that is visible to the processes in that namespace. This means you can mount and unmount filesystems in a mount namespace without affecting the host filesystem.
  • [Interprocess communication (IPC) namespace] has its own IPC resources, for example [POSIX message queues].
  • [UNIX Time-Sharing (UTS) namespace] allows a single system to present different host and domain names to different processes.

cgroup

A control group (cgroup) is a Linux kernel feature that limits, accounts for and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a group of processes.

Cgroups have the following properties:

  • Resource limiting: you can configure a cgroup to limit how much of a particular resource (for example memory or CPU) its processes may use.
  • Prioritization: when resources are contended, you can control how much of a resource (CPU, disk or network) a process may use compared with processes in another cgroup.
  • Accounting: resource limits are monitored and reported at the cgroup level.
  • Control: you can change the state of all processes in a cgroup (freeze, stop or restart) with a single command.

A container usually runs several processes, and you need to control them as a unit, so cgroups are a key component of containers. Kubernetes environments use cgroups to implement [resource requests and limits] and the corresponding QoS classes at the pod level.

docker file system


Union File Systems

AUFS is a union file system, meaning it stores data in multiple layered directories on the host. In AUFS each directory is called a branch; in Docker it is called a layer. What is finally presented to the user, however, is an ordinary single-layer filesystem. The process of presenting multiple layers as a single layer is called a union mount.


docker vs vm

www.docker.com/resources/w…


  • A container is an abstraction at the application layer that packages code and dependencies together; multiple containers can run on one machine, each running as isolated processes in user space
  • Each VM has its own guest operating system
  • A Docker container is tens of MBs in size; a VM is tens of GBs

Hypervisor

A hypervisor is software that you can use to run multiple virtual machines on a single physical machine. Every virtual machine has its own operating system and applications. The hypervisor allocates the underlying physical computing resources such as CPU and memory to individual virtual machines as required.

docker network

eth0

What do the Linux interface names mean?

  • eth0
  • eth1
  • wlan0

When we are connected to the Internet via a LAN cable the interface is eth0 (eth0 is the first Ethernet interface) or eth1, and when we are connected via WiFi it is wlan0.

ARP (Address Resolution Protocol)


It is one of the most important protocols of the data link layer in the OSI model. It is responsible for finding the hardware (MAC) address of a host from a known IP address.

veth

zhuanlan.zhihu.com/p/411224778

Think back to a network made of physical machines: what is the most basic, simplest way to connect them? That's right, connect the network cards of two computers directly with a crossover cable. When one machine sends data, the other receives it.

The first step in network virtualization, then, is to simulate this simple network connection in software. The technology that does this is today's protagonist, veth, which simulates two network cards in the physical world plus the cable between them. With it you can connect two virtual devices so they can communicate with each other. The eth0 device we see in a Docker image in daily work is in fact a veth.


On Linux we can create a veth pair with the ip command. Here link means the link layer.

# ip link add veth0 type veth peer name veth1

network

A container has no information about what kind of network it's attached to, or whether its peers are also Docker workloads or not. A container only sees a network interface with an IP address, a gateway, a routing table, DNS services, and other networking details.

Network drivers:

  • bridge : The default network driver.
  • host : Remove network isolation between the container and the Docker host.
  • none : Completely isolate a container from the host and other containers.
  • overlay : Overlay networks connect multiple Docker daemons together.
  • ipvlan : IPvlan networks provide full control over both IPv4 and IPv6 addressing.
  • macvlan : Assign a MAC address to a container.

Port mapping:

  • -p 8080:80 : Map port 8080 on the Docker host to TCP port 80 in the container.


  • bridge : the same container can be published on different host ports

bridge


When you start Docker, a [default bridge network] (also called bridge) is created automatically, and newly-started containers connect to it unless otherwise specified.

In this mode, the Docker daemon creates a virtual Ethernet bridge, docker0. Newly created containers are automatically bridged to this interface, and packets are forwarded automatically between any network cards attached to it.

By default, the daemon creates a pair of peer virtual device interfaces, a veth pair. One interface becomes the container's eth0 (the container's network card); the other is placed in the host's namespace with a name like vethxxx and attached to docker0, so that all containers on the host are connected to this internal network.

At the same time, the daemon allocates a subnet IP to the container from the private address space of the docker0 bridge.

  • Docker's default bridge network and the “docker0” bridge in the Linux kernel are the same thing. bridge is Docker's name for the network, and docker0 is the bridge's name in the kernel.

  • A Linux Bridge is a virtual switch implemented purely in software, with the same functions as a physical switch, such as Layer 2 switching and MAC address learning.

docker storage

By default all files created inside a container are stored on a writable container layer. This means that:

  • The data doesn't persist when that container no longer exists, and it can be difficult to get the data out of the container if another process needs it.
  • A container's writable layer is tightly coupled to the host machine where the container is running. You can't easily move the data somewhere else.
  • Writing into a container's writable layer requires a storage driver to manage the filesystem. The storage driver provides a union filesystem, using the Linux kernel. This extra abstraction reduces performance as compared to using data volumes, which write directly to the host filesystem.

Docker has two options for containers to store files on the host machine, so that the files are persisted even after the container stops: volumes, and bind mounts.

Docker also supports containers storing files in-memory on the host machine. Such files are not persisted. If you're running Docker on Linux, a **tmpfs** mount is used to store files in the host's system memory. If you're running Docker on Windows, a named pipe is used to store files in the host's system memory.

[Choose the right type of mount]

No matter which type of mount you choose to use, the data looks the same from within the container. It is exposed as either a directory or an individual file in the container's filesystem.


  • Volumes are stored in a part of the host filesystem which is managed by Docker (/var/lib/docker/volumes/ on Linux). Non-Docker processes should not modify this part of the filesystem. Volumes are the best way to persist data in Docker.
  • Bind mounts may be stored anywhere on the host system. They may even be important system files or directories. Non-Docker processes on the Docker host or a Docker container can modify them at any time.
  • tmpfs mounts are stored in the host system's memory only, and are never written to the host system's filesystem.

Bind mounts and volumes can both be mounted into containers using the -v or --volume flag. For tmpfs mounts, you can use the --tmpfs flag.

[Volumes]

You can create a volume explicitly using the docker volume create command, or Docker can create a volume during container or service creation.

A given volume can be mounted into multiple containers simultaneously. When no running container is using a volume, the volume is still available to Docker and isn't removed automatically. You can remove unused volumes using docker volume prune.
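The three mount types above (named volume, bind mount, tmpfs), the port mapping from the docker run and network sections, and the compose.yaml rules from the docker compose and YAML sections, brought together in one Compose file. This is an added, constructed example, not the page's or Docker's own; it assumes the docker-gs-ping Dockerfile from the Dockerfile section sits in the working directory, and the UID 65532 and the host path /data are illustrative values.

```yaml
# compose.yaml: constructed example for the docker-gs-ping service above
services:
  web:
    build: .                    # Dockerfile in the working directory (see Dockerfile section)
    image: docker-gs-ping       # same tag as `docker build --tag docker-gs-ping .`
    ports:
      - "8080:8080"             # host TCP 8080 -> container TCP 8080 (matches EXPOSE 8080)
    networks:
      - backend                 # user-defined bridge, not the default docker0 bridge
    volumes:
      - appdata:/app/data       # named volume, kept under /var/lib/docker/volumes/ on Linux
    tmpfs:
      - /tmp                    # in-memory only, never written to the host filesystem
    read_only: true             # the writable container layer becomes read-only
    user: "65532:65532"         # illustrative unprivileged UID:GID instead of root
    cap_drop:
      - ALL                     # a static Go binary needs no Linux capabilities
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped

  proxy:
    image: nginx:latest
    ports:
      - "80:80"                 # the `docker run -p 80:80` mapping from the first section
    volumes:
      - /data:/data:ro          # bind mount of a host directory, read-only inside the container
    networks:
      - backend
    depends_on:
      - web

networks:
  backend:
    driver: bridge              # containers on it reach each other by service name

volumes:
  appdata:                      # created by Compose if missing; not removed when containers stop
```

`docker compose up` in the directory containing this file builds the image, creates the network and volume, and starts both services.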