Docker安装与使用
Docker & K8s 简单小记,主要是用于初识Docker的朋友们对于Docker知识的一点分享。
初识Docker & K8s
Docker 是一个开源的应用容器引擎,让开发者可以打包他们的应用以及依赖包到一个可移植的镜像中,然后发布到任何流行的 Linux或Windows 机器上,也可以实现虚拟化。容器是完全使用沙箱机制,相互之间不会有任何接口
1.Docker安装与验证
1.1 Docker的安装
sudo apt-get install docker.io
1.2 Docker的验证
docker run hello-world
2.Docker相关命令
- Docker查看当前镜像
docker images
- Docker查看正在运行的容器
docker ps
- Docker启动
service docker start
- Docker停止
service docker stop
- Docker重启(需要重新加载配置文件使其生效)
systemctl daemon-reload
service docker restart
3.制作Docker镜像
3.1 制作war镜像
编写Dockerfile文件
FROM hub.c.163.com/library/tomcat
MAINTAINER zjydbj@163.com
COPY xxx.war /usr/local/tomcat/webapps
docker build -t configplatform/b:v1 .
如果改变了Dockerfile名字,则需要指定 -f 文件名称,镜像名称一定是小写
3.2 制作jar镜像
编写Dockerfile文件
FROM hub.c.163.com/bingohuang/jdk8:latest
MAINTAINER zjydbj@163.com
ADD ConfigPlatform.jar ConfigPlatform.jar
EXPOSE 8999
CMD java -jar ConfigPlatform.jar
docker build -t configplatform/s:v1 .
如果改变了Dockerfile名字,则需要指定 -f 文件名称,镜像名称一定是小写
3.3 报错信息
error pulling image configuration: Get https://dseasb33srnrn
可以找到 Docker 配置文件,一般配置文件在/etc/default/docker目录下,
sudo vim /etc/default/docker
然后,插入以下内容
DOCKER_OPTS="--registry-mirror=http://hub-mirror.c.163.com"
3.4 进入镜像内部执行操作
sudo docker exec -i 16d6931fe011 /bin/bash
进入docker内部执行命令
4.镜像迁移
sudo docker save portainer/portainer | bzip2 | ssh -p 5002x kubernetes@210.72.141.xxx "cat | docker load"
5.Portainer安装与配置
5.1 搜索镜像
docker search portainer/portainer
5.2 拉取镜像
docker pull portainer/portainer
5.3 运行镜像
docker run --restart=always -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock --name portainer portainer/portainer
6.Docker运行
6.1 运行web
docker run --restart=always -d -p 8888:8080 xxxx
–restart=always代表容器异常退出时自动重启,xxxx为镜像名,非容器名
另外,已经运行的容器可以进行以下命令进行修改:
docker container update --restart=always yyyy
yyyy为容器名
6.2 运行数据库
docker run -d -p 3306:3306 -e MYSQL_ROOT_PASSWORD=123456 -e MYSQL_DATABASE=thingorigin hub.c.163.com/library/mysql:latest
7.上传镜像
7.1 登录网易云镜像仓库
docker login -u {你的网易云邮箱账号或手机号码} -p {你的网易云密码} hub.c.163.com,返回「Login Succeded」即为登录成功。
eg:docker login -u zxxxxx@163.com -p aaa6xxxxx hub.c.163.com
7.2 标记本地镜像
docker tag {镜像名或ID} hub.c.163.com/{你的用户名}/{标签名}
eg:docker tag nanrui:latest hub.c.163.com/kentaaa/siasoft8
注:hub.c.163.com为推送的地址
7.3 推送至网易云镜像仓库
docker push hub.c.163.com/{你的用户名}/{标签名}
eg:docker push hub.c.163.com/kentaaa/siasoft8
(首先需要实名认证)
8.搭建本地镜像仓库
8.1 登录网易云镜像仓库
部署Registry,运行命令 docker pull registry
docker pull registry
8.2 运行容器
docker run -d -p 5000:5000 -v myregistry:/var/lib/registry registry
8.3 查看镜像仓库
打开浏览器,访问http://127.0.0.01:5000/v2/_catalog,可以查看到{“repositories”: []} 表示现在仓库中,没有镜像images
8.4 标记镜像
在本地host上,重命名镜像,添加新的tag,使之与registry 相匹配
docker tag {镜像名或ID} 推送地址/{镜像名}:{标签名}
eg:docker tag configplatform/s:v1 210.72.141.195:50016/configplatform/s:v1
8.5 推送至网易云镜像仓库
docker push 推送地址/{镜像名}:{标签名}
eg:docker push 210.72.141.195:50016/configplatform/s:v1
8.6 报错
如果你在push镜像的时候出现问题,可能是因为我们启动的registry服务不是安全可信赖的.这个时候我们需要修改docker的配置文件/etc/default/docker,添加下面的内容: “- – insecure-registry 210.72.141.195:50008”
# Docker Upstart and SysVinit configuration file
#
# THIS FILE DOES NOT APPLY TO SYSTEMD
#
# Please see the documentation for "systemd drop-ins":
# https://docs.docker.com/engine/admin/systemd/
#
# Customize location of Docker binary (especially for development testing).
#DOCKERD="/usr/local/bin/dockerd"
# Use DOCKER_OPTS to modify the daemon startup options.
DOCKER_OPTS="--registry-mirror=http://hub-mirror.c.163.com --insecure-registry 210.72.141.195:50008"
#DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4"
# If you need Docker to use an HTTP proxy, it can also be specified here.
#export http_proxy="http://127.0.0.1:3128/"
# This is also a handy place to tweak where Docker's temporary files go.
#export DOCKER_TMPDIR="/mnt/bigdrive/docker-tmp"
注1:这一步一定要在创建私有仓库的容器之前,否则修改配置文件不会生效
注2:–insecure-registry 127.0.0.1:5000中的链接必须与镜像名链接一致,即这里应该把镜像210.72.141.195:50016/configplatform/s:v1的名字改为127.0.0.1:5000/configplatform/s:v1
8.7 查看仓库
第一种:
第二种:
kubernetes@kubernetes-virtual-machine:/etc/default$ curl http://210.72.141.195:50016/v2/_catalog
{"repositories":["configplatform/s"]}
9.搭建企业级私有镜像仓库Harbor
9.1 下载
下载链接:https://github.com/goharbor/harbor/releases
9.2 解压
tar -zxvf harbor-offline-installer-v1.2.2.tgz
9.3 修改配置文件
vim harbor.cfg
## Configuration file of Harbor
#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = hub.siasofxt.com
#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = http
#The password for the root user of mysql db, change this before any production use.
db_password = root123
#Maximum number of job workers in job service
max_job_workers = 3
主要是修改hostname,改成自己的域名
设置访问地址,可用ip,域名,不能使用127.0.0.1或localhost
如果设置为域名,记得在自己的hosts文件中做相应修改
9.4 安装部署
harbor支持docker-compose和kubernetes的部署方式,默认采用docker-compose作单机部署。
先执行./prepare,然后执行
./install.sh
进行启动。执行./install.sh的时候,即调用了docker-compose运行了当前目录下的docker-compose.yml文件。
进行安装
./install.sh
当遇到Fail to generate key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt错误时候,需要修改prepare文件,将第498行:
empty_subj = "/C=/ST=/L=/O=/CN=/"
修改为:
empty_subj = "/C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=Harbor/CN=notarysigner"
启动成功如下:
[Step 0]: checking installation environment ...
Note: docker version: 18.09.7
Note: docker-compose version: 1.17.1
[Step 1]: loading Harbor images ...
Loaded image: vmware/harbor-ui:v1.2.2
Loaded image: vmware/notary-photon:server-0.5.0
Loaded image: vmware/nginx-photon:1.11.13
Loaded image: vmware/registry:2.6.2-photon
Loaded image: photon:1.0
Loaded image: vmware/notary-photon:signer-0.5.0
Loaded image: vmware/harbor-adminserver:v1.2.2
Loaded image: vmware/harbor-log:v1.2.2
Loaded image: vmware/harbor-db:v1.2.2
Loaded image: vmware/harbor-jobservice:v1.2.2
Loaded image: vmware/harbor-notary-db:mariadb-10.1.10
Loaded image: vmware/clair:v2.0.1-photon
Loaded image: vmware/postgresql:9.6.4-photon
[Step 2]: preparing environment ...
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/app.conf
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/ui/app.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
[Step 3]: checking existing instance of Harbor ...
[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ...
Creating harbor-log ... done
Creating registry ...
Creating harbor-adminserver ...
Creating harbor-db ...
Creating registry
Creating harbor-adminserver
Creating harbor-adminserver ... done
Creating harbor-ui ...
Creating harbor-ui ... done
Creating nginx ...
Creating harbor-jobservice ...
Creating nginx
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://hub.siasofxt.com.
For more details, please visit https://github.com/vmware/harbor .
9.5 运行界面
进到主页面,根据自己的需要,进行私有镜像仓库的配置即可。
9.6 上传镜像到Harbor
标签化tag:
docker tag xxx/sia/8/soft/mysql:v1 210.72.141.195:50008/siasoft/mysql:v1
推送镜像:
docker push 210.72.141.195:50008/siasoft/mysql:v1
docker push 210.72.141.195:50008/siasoft/jdk8:v1
docker push 210.72.141.195:50008/siasoft/tomcat:v1
docker push 210.72.141.195:50008/siasoft/portainer:v1
docker push 210.72.141.195:50008/siasoft/configplatform/s:v1
docker push 210.72.141.195:50008/siasoft/configplatform/b:v1
但推送镜像产生如下报错:
denied: requested access to the resource is denied
需要重新登录docker
# docker login
Username:
Password:
当登录时报以下错误时候
** Message: 15:10:06.823: Remote error from secret service: org.freedesktop.DBus.Error.UnknownMethod: ??? org.freedesktop.Secret.Collection ?????? /org/freedesktop/secrets/collection/login ??
Error saving credentials: error storing credentials - err: exit status 1, out: `在路径 org.freedesktop.Secret.Collection 的对象上没有 /org/freedesktop/secrets/collection/login 接口`
是系统默认安装了golang-docker-credential-helpers,卸载以后就好了
sudo apt purge golang-docker-credential-helpers
但如果这个时候还是出现
denied: requested access to the resource is denied
时候,需要用命令行登录一下Harbor
docker login 210.:500x
username:admin
password:
当出现报以下错误时候
http: server gave HTTP response to HTTPS client
可以通过以下办法解决:
vim /etc/docker/daemon.json 增加一个daemon.json文件
{ “insecure-registries”:[“210.72.141.xxx:5000”] }
保存退出
重启docker服务
systemctl daemon-reload
systemctl restart docker
9.7 记录一个docker重启之后配置文件不生效的解决方法
新版的docker,直接在/etc/default/docker中修改启动项不生效,这个bug困扰了我一天!
解决办法
打开docker.service文件, $sudo vim /lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
BindsTo=containerd.service
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
EnvironmentFile=-/etc/default/docker
ExecStart=/usr/bin/dockerd -H fd:// $DOCKER_OPTS --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
修改[Service]中 ExecStart=/usr/bin/dockerd -H fd://
为 ExecStart=/usr/bin/dockerd -H fd:// $DOCKER_OPTS
添加 EnvironmentFile=-/etc/default/docker(-表示忽略错误)
保存并退出
重新加载配置文件 systemctl daemon-reload
重启docker :service docker restart
这样才可以是/etc/default/docker中的配置项生效。
kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
kubectl proxy
10.如何让Docker容器上网
参考网上6种解决方案:https://m.jb51.net/article/148874.htm
比较靠谱的是下面的第2种
sudo docker run --dns 8.8.8.8 --dns 8.8.4.4 --name ubuntu_bash -i -t ubuntu:latest /bin/bash
11.如何拷贝Docker容器与宿主机文件传输
11.1 Docker -> 宿主机
docker cp 机器码:docker路径 宿主机路径
docker cp 599ec5b00220:/root/ConfigPlatform2/resources/images/ /home/sia/
11.2 宿主机 -> Docker
docker cp 宿主机路径 机器码:docker路径
docker cp /home/sia/images/ 599ec5b00220:/root/ConfigPlatform2/resources/
12.容器的导入和导出
12.1 Docker容器导出
可以将任何一个容器从一台机器迁移到另外一台,而且不论容器是否处于运行还是停止状态
docker export 容器ID >文件名
docker export 43be430112ea > CP2-upload-manage.tar
12.2 Docker容器导入
docker import CP2-upload-manage.tar cp2-upload-manage:v1
但这里导入形成的是镜像,注意镜像都是小写字母之后还需要把镜像运行起来,这里值得注意的是,运行时候需要加入原来导出时候的command命令,详细如下:
docker run --restart=always -d -m 3G --memory-swap 4G -p 9098:9098 sc-zuul:v1 java -jar gateway.jar
即
java -jar gateway.jar
,是其运行命令,可以在原来导出的机器上
docker ps --no-trunc
查到完整的command命令
数据库启动如下,但是缺少了原有的数据
docker run --restart=always -d -m 3G --memory-swap 4G -p 3306:3306 -e MYSQL_ROOT_PASSWORD=123456 -e MYSQL_DATABASE=ConfigPlatform2 sc-mysql:v1 docker-entrypoint.sh mysqld
13.Docker版Jenkins使用
13.1 容器下载
docker pull jenkins/jenkins:lts
13.2 启动容器服务
docker run -d -p 80:8080 -p 50000:50000 -v jenkins:/var/jenkins_home -v /etc/localtime:/etc/localtime --name jenkins docker.io/jenkins/jenkins
14.下载网易镜像失效时解决方案
14.1 问题发生情况
比如下载nodejs镜像
kubernetes@kubernetes-virtual-machine:~$ docker pull hub.c.163.com/public/nodejs:6.11.0
Error response from daemon: Get https://hub.c.163.com/v2/public/nodejs/manifests/6.11.0: unauthorized: authentication required
这个时候主要原因是远程镜像中心登录验证失败,有可能是使用web端时候修改了密码,需要重新登录
14.2 解决方案
重新登录验证
kubernetes@kubernetes-virtual-machine:~$ docker login hub.c.163.com
Authenticating with existing credentials...
Stored credentials invalid or expired
Username (zjydbj@163.com): zjydbj@163.com
Password:
WARNING! Your password will be stored unencrypted in /home/kubernetes/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
kubernetes@kubernetes-virtual-machine:~$ docker pull hub.c.163.com/public/nodejs:6.11.0
6.11.0: Pulling from public/nodejs
f46924f139ed: Pull complete
a3ed95caeb02: Pull complete
4849cac99801: Pull complete
f8c2498bcfb3: Pull complete
119b6cd4a2d6: Pull complete
1d21f95b2fb0: Pull complete
50b6d9712503: Pull complete
38aedef2c31d: Pull complete
a0951d4c9db4: Pull complete
6a65c054e8aa: Pull complete
b048eefac266: Pull complete
Digest: sha256:a62b1be272dd96ec3c06e4e69dd8d0e4cad7aaa5b9565090524ccb40c2c41430
Status: Downloaded newer image for hub.c.163.com/public/nodejs:6.11.0
15.Docker容器添加对外映射端口
在运行容器时指定映射端口运行后,如果想要添加新的端口映射,可以使用以下方式
15.1 先停止现有容器
docker stop container-id
15.2 将容器commit成为一个镜像
docker commit container-id new-image-id
15.3 用新镜像运行容器
docker run -it -d --name container-id -p p1:p1 -p p2:p2 new-image-id
16.Docker容器内source: not found
运行
ls -l /bin/sh
后显示
/bin/sh -> dash
这说明是用dash来进行解析的。
解决方案:
dpkg-reconfigure dash(需要root权限)
在界面中选择no
再运行
ls -l /bin/sh
显示
/bin/sh -> bash
最后需要重新ssh连接之后,测试shell脚本,可以正常使用!
17.Docker版的Gitlab问题
17.1 出现访问forbidden问题产生原因
Gitlab使用rack_attack做了并发访问的限制。
解决方案:
根据官方说明:Rack Attack和IP Whitelist,解决方法三种:
- 添加IP白名单.
- 加大并发阈值.
- 直接关闭Rack Attack.
这里我是加大并发阈值和添加IP白名单.
因为跑的是容器,那么就直接进挂载的文件夹里找到config/gitlab.rb后,打开并找到gitlab_rails[‘rack_attack_git_basic_auth’]项,去掉注释,并修改为:
gitlab_rails['rack_attack_git_basic_auth'] = {
'enabled' => true,
'ip_whitelist' => ["127.0.0.1","210.72.141.1xx","210.72.141.1xx","192.168.1.51"],
'maxretry' => 200,
'findtime' => 60,
'bantime' => 3600
}
修改完之后,在容器内执行
gitlab-ctl reconfigure
即可
17.2 Whoops, GitLab is taking too much time to respond.
Whoops, GitLab is taking too much time to respond.
1.首先vim /etc/gitlab/gitlab.rb打开配置文件
2.修改配置
找到如下配置项,原来是用#注释的,把前面的#去掉取消注释,原来的默认端口号应该是8080,改成你自己想要的端口号,比如8099
注意新配置的端口号不要被其他进程占用,且要在防火墙设置放开
以下两项新配置的端口号需一致
之所以报502这个错误就是原来默认配置的8080端口号被其他应用占用冲突了,只需换成其他新的端口号就可以了
unicorn['port'] = 8099
gitlab_workhorse['auth_backend'] = "http://localhost:8099"
输入如下命令让配置生效
sudo gitlab-ctl reconfigure
最后重启服务
sudo gitlab-ctl restart
18.Docker设置开机启动
- 查看已启动的服务
systemctl list-units --type=service
- 查看是否设置开机启动
systemctl list-unit-files | grep enable
- 设置开机启动
systemctl enable docker.service
- 关闭开机启动
systemctl disable docker.service
19.对已经创建的docker container设置开机自启动
- 显示所有容器
docker ps -a
- 修改容器规则
docker update --restart=always c276b2a14ee4
20.Docker安装MySQL
docker run --name aipros-mysql-a -v /home/ubuntu/Tools/mysql/log:/var/log/mysql -v /home/ubuntu/Tools/mysql/data:/var/lib/mysql -v /home/ubuntu/Tools/mysql/conf:/etc/mysql -e MYSQL_ROOT_PASSWORD=xxxxxx --restart=always -d -p 3306:3306 hub.c.163.com/library/mysql:5.7 --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
21.Docker安装Tomcat
docker run --name tomcatA --restart=always -v /home/ubuntu/Tools/TomcatA/webapps/:/usr/local/tomcat/webapps/ -d -p 8998:8080 tomcat:9.0.41-jdk8-corretto
docker run --name tomcatB --restart=always -v /home/ubuntu/Tools/TomcatB/webapps/:/usr/local/tomcat/webapps/ -d -p 8999:8080 tomcat:9.0.41-jdk8-corretto