Docker Installation and Usage


Brief notes on Docker & K8s, shared mainly for readers who are new to Docker.



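Getting to Know Docker & K8s

Docker is an open-source application container engine. It lets developers package an application and its dependencies into a portable image and then publish it to any popular Linux or Windows machine; it can also be used for virtualization. Containers use a sandbox mechanism throughout and have no interfaces to one another.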



1. Docker Installation and Verification



1.1 Installing Docker

sudo apt-get install docker.io



1.2 Verifying Docker

docker run hello-world



2. Common Docker Commands

  • List local images
docker images
  • List running containers
docker ps
  • Start Docker
service docker start
  • Stop Docker
service docker stop
  • Restart Docker (the configuration files must be reloaded for changes to take effect)
systemctl daemon-reload
service docker restart



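3. Building Docker Images



3.1 Building a WAR image

Write the Dockerfile:

FROM hub.c.163.com/library/tomcat
MAINTAINER zjydbj@163.com
COPY xxx.war /usr/local/tomcat/webapps

Then build the image:

docker build -t configplatform/b:v1 .

If the Dockerfile has a different name, pass it with -f <file name>. Image names must be lowercase.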



3.2 Building a JAR image

Write the Dockerfile:

FROM hub.c.163.com/bingohuang/jdk8:latest
MAINTAINER zjydbj@163.com
ADD ConfigPlatform.jar ConfigPlatform.jar
EXPOSE 8999
CMD java -jar ConfigPlatform.jar

Then build the image:

docker build -t configplatform/s:v1 .

If the Dockerfile has a different name, pass it with -f <file name>. Image names must be lowercase.



3.3 Error message

error pulling image configuration: Get https://dseasb33srnrn

Locate the Docker configuration file, which is usually /etc/default/docker:

sudo vim /etc/default/docker

Then add the following line:

DOCKER_OPTS="--registry-mirror=http://hub-mirror.c.163.com"



3.4 Running commands inside a container

sudo docker exec -i 16d6931fe011 /bin/bash

This opens a shell inside the container, where you can run commands.



4. Image Migration

sudo docker save portainer/portainer | bzip2 | ssh -p 5002x kubernetes@210.72.141.xxx "cat | docker load"



5. Installing and Configuring Portainer



5.1 Search for the image

docker search portainer/portainer



5.2 Pull the image

docker pull portainer/portainer



5.3 Run the image

docker run --restart=always -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock --name portainer portainer/portainer



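6. Running Docker Containers



6.1 Running a web application

docker run --restart=always -d -p 8888:8080 xxxx

--restart=always restarts the container automatically when it exits abnormally. xxxx is the image name, not a container name.

A container that is already running can be changed with the following command:

docker container update --restart=always yyyy

yyyy is the container name.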



6.2 Running a database

docker run -d -p 3306:3306 -e MYSQL_ROOT_PASSWORD=123456 -e MYSQL_DATABASE=thingorigin hub.c.163.com/library/mysql:latest



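7. Uploading Images



7.1 Log in to the NetEase Cloud image registry

docker login -u {your NetEase Cloud email account or phone number} -p {your NetEase Cloud password} hub.c.163.com
The login succeeded if the command returns "Login Succeeded".
e.g.: docker login -u zxxxxx@163.com -p aaa6xxxxx hub.c.163.com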
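
As an added example (not part of the original post), the sh functions below lint docker command lines for patterns used in sections 5.3, 6.2 and 7.1: a password passed with -p to docker login, a secret passed with -e, a mounted daemon socket, and a port published on all interfaces. The rule names and sample values are made up for the example, and the last sample line assumes the image supports the official mysql image's *_FILE variables.

```shell
#!/bin/sh
# Added example, not from the original post. Rule names are made up here.

lint_docker_cmd() {
    # $1 = one command line; prints one rule name per finding.
    cmd=$1
    # Password as an argument to `docker login`: it is kept in shell history
    # and visible in the process list while the command runs.
    if printf '%s\n' "$cmd" | grep -Eq 'docker login( .*)? (-p|--password)[ =]'; then
        echo secret-in-argv
    fi
    # Secret passed with -e: readable later through `docker inspect`.
    if printf '%s\n' "$cmd" | grep -Eq -- '-e +[A-Za-z_]*(PASSWORD|SECRET|TOKEN)='; then
        echo secret-in-env
    fi
    # Daemon socket mounted into the container: control of the host daemon.
    if printf '%s\n' "$cmd" | grep -Fq -- '/var/run/docker.sock:'; then
        echo docker-socket-mount
    fi
    # -p HOST_PORT:CONTAINER_PORT with no address binds on every interface.
    if printf '%s\n' "$cmd" | grep -Eq 'docker run .*-p +[0-9]+:[0-9]+( |$)'; then
        echo published-on-all-interfaces
    fi
}

lint_docker_script() {
    # Reads command lines on stdin; prints "LINE:RULE" for each finding.
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        for rule in $(lint_docker_cmd "$line"); do
            echo "$n:$rule"
        done
    done
}

# Constructed sample: the command shapes from sections 5.3, 6.2 and 7.1 with
# placeholder secrets (lines 1-3), then two variants that pass the checks.
SAMPLE='docker run --restart=always -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock --name portainer portainer/portainer
docker run -d -p 3306:3306 -e MYSQL_ROOT_PASSWORD=example-only -e MYSQL_DATABASE=thingorigin hub.c.163.com/library/mysql:latest
docker login -u user@example.com -p example-only hub.c.163.com
docker login -u user@example.com --password-stdin hub.c.163.com
docker run -d -p 127.0.0.1:3306:3306 -e MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root hub.c.163.com/library/mysql:latest'

printf '%s\n' "$SAMPLE" | lint_docker_script
```
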



7.2 Tag the local image

docker tag {image name or ID} hub.c.163.com/{your username}/{tag name}
e.g.: docker tag nanrui:latest hub.c.163.com/kentaaa/siasoft8

Note: hub.c.163.com is the address the image is pushed to.



7.3 Push to the NetEase Cloud image registry

docker push hub.c.163.com/{your username}/{tag name}
e.g.: docker push hub.c.163.com/kentaaa/siasoft8
(Real-name verification is required first.)



8. Setting Up a Local Image Registry



8.1 Pull the registry image

To deploy the registry, first pull the registry image:

docker pull registry



8.2 Run the container

docker run -d -p 5000:5000 -v myregistry:/var/lib/registry registry



8.3 View the registry contents

Open a browser and visit http://127.0.0.1:5000/v2/_catalog. A response of {"repositories": []} means the registry currently holds no images.




8.4 Tag the image

On the local host, re-tag the image with a new tag that matches the registry:

docker tag {image name or ID} {push address}/{image name}:{tag name}
e.g.: docker tag configplatform/s:v1 210.72.141.195:50016/configplatform/s:v1



8.5 Push to the local registry

docker push {push address}/{image name}:{tag name}
e.g.: docker push 210.72.141.195:50016/configplatform/s:v1



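8.6 Errors

If pushing the image fails, it may be because the registry service we started is not a secure, trusted one. In that case, edit Docker's configuration file /etc/default/docker and add the following: "--insecure-registry 210.72.141.195:50008"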

# Docker Upstart and SysVinit configuration file

#
# THIS FILE DOES NOT APPLY TO SYSTEMD
#
#   Please see the documentation for "systemd drop-ins":
#   https://docs.docker.com/engine/admin/systemd/
#

# Customize location of Docker binary (especially for development testing).
#DOCKERD="/usr/local/bin/dockerd"

# Use DOCKER_OPTS to modify the daemon startup options.
DOCKER_OPTS="--registry-mirror=http://hub-mirror.c.163.com --insecure-registry 210.72.141.195:50008"
#DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4"

# If you need Docker to use an HTTP proxy, it can also be specified here.
#export http_proxy="http://127.0.0.1:3128/"

# This is also a handy place to tweak where Docker's temporary files go.
#export DOCKER_TMPDIR="/mnt/bigdrive/docker-tmp"

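Note 1: This step must be done before creating the private registry container; otherwise the configuration change will not take effect.

Note 2: The address in --insecure-registry 127.0.0.1:5000 must match the address in the image name, i.e. here the image 210.72.141.195:50016/configplatform/s:v1 should be renamed to 127.0.0.1:5000/configplatform/s:v1.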



8.7 View the registry

Method 1:

[image]

Method 2:

kubernetes@kubernetes-virtual-machine:/etc/default$ curl http://210.72.141.195:50016/v2/_catalog
{"repositories":["configplatform/s"]}



9. Setting Up Harbor, an Enterprise-Grade Private Image Registry



9.1 Download

Download link: https://github.com/goharbor/harbor/releases



9.2 Extract

tar -zxvf harbor-offline-installer-v1.2.2.tgz



9.3 Edit the configuration file

vim harbor.cfg

## Configuration file of Harbor

#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = hub.siasofxt.com

#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = http

#The password for the root user of mysql db, change this before any production use.
db_password = root123

#Maximum number of job workers in job service
max_job_workers = 3

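The main change is hostname: set it to your own domain name.

This sets the access address. An IP address or a domain name can be used, but not 127.0.0.1 or localhost.

If you set a domain name, remember to add a matching entry to your hosts file.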



9.4 Install and deploy

Harbor supports deployment with docker-compose and with Kubernetes; by default it uses docker-compose for a single-host deployment.

Run ./prepare first, then run the installer to start Harbor:

./install.sh

Running ./install.sh invokes docker-compose on the docker-compose.yml file in the current directory.

If you hit the error Fail to generate key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt, edit the prepare file and change line 498 from:

empty_subj = "/C=/ST=/L=/O=/CN=/"

to:

empty_subj = "/C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=Harbor/CN=notarysigner"

A successful start looks like this:

[Step 0]: checking installation environment ...

Note: docker version: 18.09.7

Note: docker-compose version: 1.17.1

[Step 1]: loading Harbor images ...
Loaded image: vmware/harbor-ui:v1.2.2
Loaded image: vmware/notary-photon:server-0.5.0
Loaded image: vmware/nginx-photon:1.11.13
Loaded image: vmware/registry:2.6.2-photon
Loaded image: photon:1.0
Loaded image: vmware/notary-photon:signer-0.5.0
Loaded image: vmware/harbor-adminserver:v1.2.2
Loaded image: vmware/harbor-log:v1.2.2
Loaded image: vmware/harbor-db:v1.2.2
Loaded image: vmware/harbor-jobservice:v1.2.2
Loaded image: vmware/harbor-notary-db:mariadb-10.1.10
Loaded image: vmware/clair:v2.0.1-photon
Loaded image: vmware/postgresql:9.6.4-photon

[Step 2]: preparing environment ...
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/app.conf
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/ui/app.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/app.conf
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.

[Step 3]: checking existing instance of Harbor ...


[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ...
Creating harbor-log ... done
Creating registry ...
Creating harbor-adminserver ...
Creating harbor-db ...
Creating registry
Creating harbor-adminserver
Creating harbor-adminserver ... done
Creating harbor-ui ...
Creating harbor-ui ... done
Creating nginx ...
Creating harbor-jobservice ...
Creating nginx
Creating nginx ... done

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://hub.siasofxt.com.
For more details, please visit https://github.com/vmware/harbor .



9.5 Web interface

Open the home page and configure the private image registry as needed.



9.6 Upload images to Harbor

Tag the image:

docker tag xxx/sia/8/soft/mysql:v1 210.72.141.195:50008/siasoft/mysql:v1

Push the images:

docker push 210.72.141.195:50008/siasoft/mysql:v1
docker push 210.72.141.195:50008/siasoft/jdk8:v1
docker push 210.72.141.195:50008/siasoft/tomcat:v1
docker push 210.72.141.195:50008/siasoft/portainer:v1
docker push 210.72.141.195:50008/siasoft/configplatform/s:v1
docker push 210.72.141.195:50008/siasoft/configplatform/b:v1

Pushing the images, however, fails with the following error:

denied: requested access to the resource is denied

You need to log in to Docker again:

# docker login
Username:
Password:

If the login fails with the following error:

** Message: 15:10:06.823: Remote error from secret service: org.freedesktop.DBus.Error.UnknownMethod: ??? org.freedesktop.Secret.Collection ?????? /org/freedesktop/secrets/collection/login ??
Error saving credentials: error storing credentials - err: exit status 1, out: `在路径 org.freedesktop.Secret.Collection 的对象上没有 /org/freedesktop/secrets/collection/login 接口`

it is because golang-docker-credential-helpers is installed on the system by default; uninstalling it fixes the problem:

sudo apt purge golang-docker-credential-helpers

If at this point you still get

denied: requested access to the resource is denied

you need to log in to Harbor from the command line:

docker login 210.:500x
username:admin
password:

If the following error appears:

http: server gave HTTP response to HTTPS client

it can be resolved as follows.

Create a daemon.json file: vim /etc/docker/daemon.json

{ "insecure-registries": ["210.72.141.xxx:5000"] }

Save and exit.

Restart the Docker service:

systemctl daemon-reload

systemctl restart docker
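
Section 8.6 sets --insecure-registry through DOCKER_OPTS, and this section sets insecure-registries in /etc/docker/daemon.json. Once DOCKER_OPTS is actually passed to dockerd, the daemon refuses to start when the same directive is given both as a flag and in the file, so the following added sh example (not from the original post; the sample addresses are placeholders) reports such duplicates before a restart.

```shell
#!/bin/sh
# Added example, not from the original post.
# dockerd flag -> daemon.json key, for the options this page uses.
PAIRS='--insecure-registry:insecure-registries
--registry-mirror:registry-mirrors
--dns:dns'

daemon_conflicts() {
    # $1 = value of DOCKER_OPTS, $2 = path to daemon.json
    # Prints each daemon.json key that is also set as a flag.
    opts=$1
    json=$2
    for pair in $PAIRS; do
        flag=${pair%%:*}
        key=${pair#*:}
        case " $opts" in
            *" $flag "*|*" $flag="*) ;;   # flag present as "--x v" or "--x=v"
            *) continue ;;
        esac
        if grep -Eq "\"$key\"[[:space:]]*:" "$json"; then
            echo "$key"
        fi
    done
}

check_sample() {
    tmp=$(mktemp)
    # Constructed daemon.json in the shape used in section 9.6.
    printf '{ "insecure-registries": ["registry.example.internal:5000"] }\n' > "$tmp"
    # Constructed DOCKER_OPTS in the shape used in section 8.6.
    daemon_conflicts '--registry-mirror=http://mirror.example.internal --insecure-registry registry.example.internal:5000' "$tmp"
    rm -f "$tmp"
}

check_sample
```

Keeping each directive in only one of the two places avoids the startup failure and leaves a single list of registries that are exempt from TLS to review.
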



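9.7 A fix for configuration changes not taking effect after restarting Docker

With newer versions of Docker, startup options changed directly in /etc/default/docker do not take effect. This bug troubled me for a whole day!

Solution

Open the docker.service file: sudo vim /lib/systemd/system/docker.service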

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
BindsTo=containerd.service
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
EnvironmentFile=-/etc/default/docker
ExecStart=/usr/bin/dockerd -H fd:// $DOCKER_OPTS --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

In [Service], change ExecStart=/usr/bin/dockerd -H fd://

to ExecStart=/usr/bin/dockerd -H fd:// $DOCKER_OPTS

Add EnvironmentFile=-/etc/default/docker (the leading - means errors are ignored)

Save and exit.

Reload the configuration: systemctl daemon-reload

Restart Docker: service docker restart

Only then do the settings in /etc/default/docker take effect.
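
The same wiring can be done with a systemd drop-in instead of editing the packaged unit file, which a package upgrade can replace. This is an added example, not from the original post; the file name docker-opts.conf is an arbitrary choice, and the ExecStart line is copied from the unit shown above.

```shell
#!/bin/sh
# Added example, not from the original post.

write_docker_dropin() {
    # $1 = drop-in directory; the default is the real location (needs root).
    dir=${1:-/etc/systemd/system/docker.service.d}
    mkdir -p "$dir" || return 1
    # The quoted heredoc keeps $DOCKER_OPTS literal: systemd fills it in from
    # the EnvironmentFile when the service starts.
    cat > "$dir/docker-opts.conf" <<'EOF'
[Service]
EnvironmentFile=-/etc/default/docker
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// $DOCKER_OPTS --containerd=/run/containerd/containerd.sock
EOF
    chmod 644 "$dir/docker-opts.conf"
}

dropin_is_valid() {
    # A drop-in that changes ExecStart must first clear the inherited value
    # with an empty "ExecStart=", otherwise systemd rejects the unit because
    # a Type=notify service may have only one ExecStart.
    awk '
        /^ExecStart=$/  { cleared = 1; next }
        /^ExecStart=./  { if (!cleared) bad = 1; set = 1 }
        END             { exit !(set && !bad) }
    ' "$1"
}

demo() {
    tmp=$(mktemp -d)
    write_docker_dropin "$tmp" && dropin_is_valid "$tmp/docker-opts.conf" && echo ok
    rm -rf "$tmp"
}

demo
# On a real host: write_docker_dropin, then systemctl daemon-reload and
# systemctl restart docker; `systemctl cat docker` shows the merged unit.
```
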

kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
kubectl proxy



10. Giving Docker Containers Internet Access

See the six solutions collected online: https://m.jb51.net/article/148874.htm

The most reliable is the second one, shown below:

sudo docker run --dns 8.8.8.8 --dns 8.8.4.4 --name ubuntu_bash -i -t ubuntu:latest /bin/bash



11. Copying Files Between a Docker Container and the Host



11.1 Container -> host

docker cp {container ID}:{path in container} {host path}

docker cp 599ec5b00220:/root/ConfigPlatform2/resources/images/ /home/sia/



11.2 Host -> container

docker cp {host path} {container ID}:{path in container}

docker cp /home/sia/images/ 599ec5b00220:/root/ConfigPlatform2/resources/



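12. Exporting and Importing Containers



12.1 Exporting a container

Any container can be migrated from one machine to another, whether it is running or stopped.

docker export {container ID} > {file name}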

docker export 43be430112ea > CP2-upload-manage.tar



12.2 Importing a container

docker import CP2-upload-manage.tar cp2-upload-manage:v1

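Note that the import produces an image, and that image names are all lowercase. The image then has to be run, and the run command must include the command the original container was started with, for example: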

docker run --restart=always -d -m 3G --memory-swap 4G -p 9098:9098 sc-zuul:v1 java -jar gateway.jar



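Here java -jar gateway.jar is the container's run command. The full command can be found on the machine the container was exported from with

docker ps --no-trunc

The database is started as follows, but the original data is missing: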

docker run --restart=always -d -m 3G --memory-swap 4G -p 3306:3306 -e MYSQL_ROOT_PASSWORD=123456 -e MYSQL_DATABASE=ConfigPlatform2 sc-mysql:v1 docker-entrypoint.sh mysqld



13. Using Jenkins in Docker



13.1 Pull the image

docker pull jenkins/jenkins:lts



13.2 Start the container

docker run -d -p 80:8080 -p 50000:50000 -v jenkins:/var/jenkins_home -v /etc/localtime:/etc/localtime --name jenkins docker.io/jenkins/jenkins



14. What to Do When Pulling from the NetEase Registry Fails



14.1 The problem

For example, when pulling the nodejs image:

kubernetes@kubernetes-virtual-machine:~$ docker pull hub.c.163.com/public/nodejs:6.11.0
Error response from daemon: Get https://hub.c.163.com/v2/public/nodejs/manifests/6.11.0: unauthorized: authentication required

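The main cause here is that authentication against the remote registry failed, possibly because the password was changed through the web interface; you need to log in again.



14.2 Solution

Log in again: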

kubernetes@kubernetes-virtual-machine:~$ docker login hub.c.163.com
Authenticating with existing credentials...
Stored credentials invalid or expired
Username (zjydbj@163.com): zjydbj@163.com
Password:
WARNING! Your password will be stored unencrypted in /home/kubernetes/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
kubernetes@kubernetes-virtual-machine:~$ docker pull hub.c.163.com/public/nodejs:6.11.0
6.11.0: Pulling from public/nodejs
f46924f139ed: Pull complete
a3ed95caeb02: Pull complete
4849cac99801: Pull complete
f8c2498bcfb3: Pull complete
119b6cd4a2d6: Pull complete
1d21f95b2fb0: Pull complete
50b6d9712503: Pull complete
38aedef2c31d: Pull complete
a0951d4c9db4: Pull complete
6a65c054e8aa: Pull complete
b048eefac266: Pull complete
Digest: sha256:a62b1be272dd96ec3c06e4e69dd8d0e4cad7aaa5b9565090524ccb40c2c41430
Status: Downloaded newer image for hub.c.163.com/public/nodejs:6.11.0
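
The warning in the login output above means the registry password now sits in ~/.docker/config.json as base64, which is an encoding, not encryption; this is also the state left behind when the credential helper is removed in section 9.6. The following sh functions, an added example that is not part of the original post, report which accounts are stored that way; the sample file, account and password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post.

audit_docker_config() {
    # $1 = path to a Docker client config.json
    cfg=$1
    # credsStore / credHelpers mean secrets are delegated to a helper.
    if grep -Eq '"(credsStore|credHelpers)"[[:space:]]*:' "$cfg"; then
        echo "helper-configured"
    fi
    # Each inline "auth" value is base64("user:password"). Decode it and
    # print only the user part, never the password.
    grep -Eo '"auth"[[:space:]]*:[[:space:]]*"[^"]+"' "$cfg" |
        sed -E 's/.*"([^"]+)"$/\1/' |
        while IFS= read -r blob; do
            user=$(printf '%s' "$blob" | base64 -d 2>/dev/null | cut -d: -f1)
            echo "plaintext-auth user=$user"
        done
}

make_sample_config() {
    # Constructed file in the layout `docker login` writes when no helper is
    # configured; the account and password are placeholders.
    enc=$(printf '%s' 'user@example.com:example-only' | base64)
    cat > "$1" <<EOF
{
  "auths": {
    "hub.c.163.com": {
      "auth": "$enc"
    }
  }
}
EOF
}

demo() {
    tmp=$(mktemp)
    make_sample_config "$tmp"
    audit_docker_config "$tmp"
    rm -f "$tmp"
}

demo
```

Run it against the real file with audit_docker_config "$HOME/.docker/config.json"; any plaintext-auth line is an account whose password anyone able to read that file can recover.
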



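15. Adding Published Ports to an Existing Container

If a container was started with specific port mappings and you later want to add new ones, you can proceed as follows.



15.1 Stop the existing container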

docker stop container-id



15.2 Commit the container to an image

docker commit container-id  new-image-id



15.3 Run a container from the new image

docker run -it -d --name container-id -p p1:p1 -p p2:p2 new-image-id



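16. "source: not found" Inside a Docker Container

Running

ls -l /bin/sh

shows

/bin/sh -> dash

which means scripts are being interpreted by dash.

Solution:

dpkg-reconfigure dash (requires root privileges)

Select "No" in the dialog.

Then run

ls -l /bin/sh

again; it now shows

/bin/sh -> bash

Finally, reconnect over SSH and test the shell script; it now works normally.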



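17. GitLab in Docker: Problems



17.1 Cause of the "forbidden" access error

GitLab uses rack_attack to limit concurrent access.

Solution:

According to the official documentation on Rack Attack and the IP whitelist, there are three fixes:

  • Add the IP to the whitelist.
  • Raise the concurrency threshold.
  • Disable Rack Attack entirely.

Here I raised the concurrency threshold and added IPs to the whitelist.

Because GitLab runs in a container, go to the mounted directory, find config/gitlab.rb, open it, locate the gitlab_rails['rack_attack_git_basic_auth'] entry, uncomment it, and change it to: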

gitlab_rails['rack_attack_git_basic_auth'] = {
   'enabled' => true,
   'ip_whitelist' => ["127.0.0.1","210.72.141.1xx","210.72.141.1xx","192.168.1.51"],
   'maxretry' => 200,
   'findtime' => 60,
   'bantime' => 3600
 }

After the change, run the following inside the container and the fix is complete:

gitlab-ctl reconfigure



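17.2 Whoops, GitLab is taking too much time to respond.

Whoops, GitLab is taking too much time to respond.

1. First open the configuration file with vim /etc/gitlab/gitlab.rb

2. Edit the configuration

Find the following settings. They are commented out with #; remove the leading # to uncomment them. The default port number should be 8080; change it to a port of your choice, for example 8099.

Make sure the new port is not in use by another process and is allowed through the firewall.

The port numbers in the following two settings must match.

The 502 error occurs because the default port 8080 is already in use by another application; switching to a different port resolves it.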

unicorn['port'] = 8099
gitlab_workhorse['auth_backend'] = "http://localhost:8099" 

Run the following command to apply the configuration:

sudo gitlab-ctl reconfigure

Finally, restart the service:

sudo gitlab-ctl restart



18. Starting Docker at Boot

  • List started services
systemctl list-units --type=service
  • Check whether start at boot is enabled
systemctl list-unit-files | grep enable
  • Enable start at boot
systemctl enable docker.service
  • Disable start at boot
systemctl disable docker.service



19. Enabling Automatic Start for an Existing Docker Container

  • List all containers
docker ps -a
  • Update the container's restart policy
docker update --restart=always c276b2a14ee4



20. Installing MySQL with Docker

docker run --name aipros-mysql-a -v /home/ubuntu/Tools/mysql/log:/var/log/mysql -v /home/ubuntu/Tools/mysql/data:/var/lib/mysql -v /home/ubuntu/Tools/mysql/conf:/etc/mysql -e MYSQL_ROOT_PASSWORD=xxxxxx --restart=always -d -p 3306:3306 hub.c.163.com/library/mysql:5.7 --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci



21. Installing Tomcat with Docker

docker run --name tomcatA --restart=always -v /home/ubuntu/Tools/TomcatA/webapps/:/usr/local/tomcat/webapps/ -d -p 8998:8080 tomcat:9.0.41-jdk8-corretto
docker run --name tomcatB --restart=always -v /home/ubuntu/Tools/TomcatB/webapps/:/usr/local/tomcat/webapps/ -d -p 8999:8080 tomcat:9.0.41-jdk8-corretto



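Copyright notice: This is an original article by fnFenNuDManMan, released under the CC 4.0 BY-SA license. When reposting, please include a link to the original source and this notice.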