exec、cp
故障排查技巧命令之 exec
1.创建测试容器
[root@elk92 ~]# docker run -p 85:80 -d --name c1 registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
cf3f8dee7b509da91796468ed99e3777f95e83412b141c8684f51ce88a8d20c5
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cf3f8dee7b50 registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1 "/docker-entrypoint.…" 3 seconds ago Up 1 second 0.0.0.0:85->80/tcp, :::85->80/tcp c1
[root@elk92 ~]#
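2.访问测试(上一步的 -p 85:80 没有指定宿主机地址,从 docker ps 的 PORTS 列可以看到端口绑定在 0.0.0.0 和 ::,即宿主机的所有网卡;若只需本机测试,可写成 -p 127.0.0.1:85:80)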
http://10.0.0.92:85/
3.在一个正在运行的容器中执行命令
[root@elk92 ~]# docker exec c1 ifconfig eth0
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:03
inet addr:172.17.0.3 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:134 errors:0 dropped:0 overruns:0 frame:0
TX packets:52 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11121 (10.8 KiB) TX bytes:305065 (297.9 KiB)
[root@elk92 ~]#
[root@elk92 ~]# docker exec c1 cat /etc/shells
# valid login shells
/bin/sh
/bin/ash
[root@elk92 ~]#
4.和一个容器进行交互
[root@elk92 ~]# docker exec -it c1 sh
/ #
/ # echo www.haoshuaicongedu.com > /usr/share/nginx/html/index.html
/ #
/ # hostname -i
172.17.0.3
/ #
/ # curl 172.17.0.3
www.haoshuaicongedu.com
/ #
/ #
[root@elk92 ~]#
故障排查技巧命令之 cp
1.将宿主机的某个文件拷贝到容器的某个路径
[root@elk92 ~]# docker cp /etc/hosts c1:/usr/share/nginx/html/index.html
[root@elk92 ~]#
[root@elk92 ~]# docker container inspect -f "{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}" c1
172.17.0.3
[root@elk92 ~]#
[root@elk92 ~]# curl 172.17.0.3
127.0.0.1 localhost
127.0.1.1 yinzhengjie
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
[root@elk92 ~]#
2.将容器的某个文件拷贝到宿主机
[root@elk92 ~]# docker exec -it c1 sh
/ # ls /
bin etc mnt run tmp
dev home opt sbin usr
docker-entrypoint.d lib proc srv var
docker-entrypoint.sh media root sys
/ #
[root@elk92 ~]#
[root@elk92 ~]# docker cp c1:/docker-entrypoint.sh /tmp/
[root@elk92 ~]#
[root@elk92 ~]# ll /tmp/docker-entrypoint.sh
-rwxrwxr-x 1 root root 1202 Nov 13 2021 /tmp/docker-entrypoint.sh*
[root@elk92 ~]#
容器使用存储卷实战
1. 什么是存储卷
所谓存储卷,就是一种持久化容器数据的存储方案。
2. 存储卷的基本管理
2.1 清空容器(下面的命令会强制删除本机的所有容器,包括正在运行的,仅适合在测试环境执行)
[root@elk92 ~]# docker container rm -f `docker container ps -qa`
2.2 查看本地的存储卷列表
[root@elk92 ~]# docker volume ls
DRIVER VOLUME NAME
local 0bd65347815590fc2b97b905ce1956cc95ec5a426e5b651abd51ee5bd9728a3a
local 9855be3402732954195ae84bde12747543b21248559dcfe12334e2a6c501bd38
local f9ef3a710d56b5d971961c1ff7c4591353ab86fbe8db4b4774ecb345a2714416
[root@elk92 ~]#
2.3 清理存储卷【清理所有未使用的存储卷】
[root@elk92 ~]# docker volume prune -f
Deleted Volumes:
9855be3402732954195ae84bde12747543b21248559dcfe12334e2a6c501bd38
0bd65347815590fc2b97b905ce1956cc95ec5a426e5b651abd51ee5bd9728a3a
f9ef3a710d56b5d971961c1ff7c4591353ab86fbe8db4b4774ecb345a2714416
Total reclaimed space: 638.8MB
[root@elk92 ~]#
[root@elk92 ~]# docker volume ls
DRIVER VOLUME NAME
[root@elk92 ~]#
2.3 创建存储卷
[root@elk92 ~]# docker volume ls
DRIVER VOLUME NAME
[root@elk92 ~]#
[root@elk92 ~]# docker volume create haoshuaicongedu-linux96 # 创建存储卷指定名称
haoshuaicongedu-linux96
[root@elk92 ~]#
[root@elk92 ~]# docker volume ls
DRIVER VOLUME NAME
local haoshuaicongedu-linux96
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# docker volume create # 若不指定存储卷的名称则默认会生成一个匿名(随机)存储卷。
8ee576eb01877bc9feb422d4184ef662c6a7fd1672e459f5803efc8f44d1f4ca
[root@elk92 ~]#
[root@elk92 ~]# docker volume ls
DRIVER VOLUME NAME
local 8ee576eb01877bc9feb422d4184ef662c6a7fd1672e459f5803efc8f44d1f4ca
local haoshuaicongedu-linux96
[root@elk92 ~]#
2.4 删除指定的存储卷
[root@elk92 ~]# docker volume ls
DRIVER VOLUME NAME
local 8ee576eb01877bc9feb422d4184ef662c6a7fd1672e459f5803efc8f44d1f4ca
local haoshuaicongedu-linux96
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# docker volume rm 8ee576eb01877bc9feb422d4184ef662c6a7fd1672e459f5803efc8f44d1f4ca
8ee576eb01877bc9feb422d4184ef662c6a7fd1672e459f5803efc8f44d1f4ca
[root@elk92 ~]#
[root@elk92 ~]# docker volume ls
DRIVER VOLUME NAME
local haoshuaicongedu-linux96
[root@elk92 ~]#
2.6 查看一个存储卷的详细信息
[root@elk92 ~]# docker volume inspect haoshuaicongedu-linux96
[
{
"CreatedAt": "2025-03-20T09:23:06+08:00",
"Driver": "local",
"Labels": {},
"Mountpoint": "/var/lib/docker/volumes/haoshuaicongedu-linux96/_data",
"Name": "haoshuaicongedu-linux96",
"Options": {},
"Scope": "local"
}
]
[root@elk92 ~]#
[root@elk92 ~]# ll /var/lib/docker/volumes/haoshuaicongedu-linux96/_data
total 8
drwxr-xr-x 2 root root 4096 Mar 20 09:23 ./
drwx-----x 3 root root 4096 Mar 20 09:23 ../
[root@elk92 ~]#
3. 将存储卷给一个容器使用
3.1 容器使用特定的存储卷
[root@elk92 ~]# ll /var/lib/docker/volumes/haoshuaicongedu-linux96/_data
total 8
drwxr-xr-x 2 root root 4096 Mar 20 09:23 ./
drwx-----x 3 root root 4096 Mar 20 09:23 ../
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# docker run -d --name c2 -v haoshuaicongedu-linux96:/usr/share/nginx/html registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
a8cdc8eaecb5d0247b672c5a138c71193ab8e71dbf657ff9f573d5e56f2611d5
[root@elk92 ~]#
[root@elk92 ~]# ll /var/lib/docker/volumes/haoshuaicongedu-linux96/_data
total 244
drwxr-xr-x 2 root root 4096 Mar 20 09:26 ./
drwx-----x 3 root root 4096 Mar 20 09:23 ../
-rw-r--r-- 1 root root 233472 Jan 20 2024 1.jpg
-rw-r--r-- 1 root root 494 May 25 2021 50x.html
-rw-r--r-- 1 root root 357 Jan 20 2024 index.html
[root@elk92 ~]#
[root@elk92 ~]#
3.2 修改容器的数据
[root@elk92 ~]# docker container inspect -f "{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}" c2
172.17.0.2
[root@elk92 ~]#
[root@elk92 ~]# curl 172.17.0.2
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>yinzhengjie apps v1</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: green">凡人修仙传 v1 </h1>
<div>
<img src="1.jpg">
<div>
</body>
</html>
[root@elk92 ~]#
[root@elk92 ~]# docker exec -it c2 sh
/ # echo www.haoshuaicongedu.com > /usr/share/nginx/html/index.html
/ #
/ # cat /usr/share/nginx/html/index.html
www.haoshuaicongedu.com
/ #
[root@elk92 ~]#
[root@elk92 ~]# curl 172.17.0.2
www.haoshuaicongedu.com
[root@elk92 ~]#
[root@elk92 ~]# cat /var/lib/docker/volumes/haoshuaicongedu-linux96/_data/index.html
www.haoshuaicongedu.com
[root@elk92 ~]#
3.3 删除容器观察存储卷是否删除
[root@elk92 ~]# docker rm -f c2
c2
[root@elk92 ~]#
[root@elk92 ~]# ll /var/lib/docker/volumes/haoshuaicongedu-linux96/_data/ # 发现数据并没有丢失
total 244
drwxr-xr-x 2 root root 4096 Mar 20 09:26 ./
drwx-----x 3 root root 4096 Mar 20 09:23 ../
-rw-r--r-- 1 root root 233472 Jan 20 2024 1.jpg
-rw-r--r-- 1 root root 494 May 25 2021 50x.html
-rw-r--r-- 1 root root 18 Mar 20 09:28 index.html
[root@elk92 ~]#
3.4 重新创建新的容器并使用之前的存储卷
[root@elk92 ~]# docker run -d --name c3 -v haoshuaicongedu-linux96:/usr/share/nginx/html registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
3a79ca38546481517a35a55e49c4105a37808df68ce78d3ac1694f30f5a00eba
[root@elk92 ~]#
[root@elk92 ~]# docker container inspect -f "{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}" c3
172.17.0.2
[root@elk92 ~]#
[root@elk92 ~]# curl 172.17.0.2
www.haoshuaicongedu.com
[root@elk92 ~]#
3.5 将多个容器挂载到同一个存储卷
[root@elk92 ~]# docker run -d --name c4 -v haoshuaicongedu-linux96:/usr/share/nginx/html registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
9fd1654da34116af2c181f2f28200fc1b6f085c4b6c211270c92a9a2445ad58c
[root@elk92 ~]#
[root@elk92 ~]# docker container inspect -f "{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}" c4
172.17.0.3
[root@elk92 ~]#
[root@elk92 ~]# curl 172.17.0.3
www.haoshuaicongedu.com
[root@elk92 ~]#
[root@elk92 ~]# docker exec -it c4 sh
/ # echo linux96 > /usr/share/nginx/html/index.html
/ #
[root@elk92 ~]#
[root@elk92 ~]# curl 172.17.0.3
linux96
[root@elk92 ~]#
[root@elk92 ~]# curl 172.17.0.2
linux96
[root@elk92 ~]#
3.6 新建容器和现有的容器使用相同的存储卷信息
[root@elk92 ~]# docker run -d --name c5 --volumes-from c4 registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
de5f6acba7c49f7f7d612213d68065ef179f72ec50b31877bf3bf11fc94755fe
[root@elk92 ~]#
[root@elk92 ~]# docker container inspect -f "{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}" c5
172.17.0.4
[root@elk92 ~]#
[root@elk92 ~]# curl 172.17.0.4
linux96
[root@elk92 ~]#
容器使用存储卷注意事项
1. 存储卷不存在会自动创建
[root@elk92 ~]# docker volume ls
DRIVER VOLUME NAME
[root@elk92 ~]#
[root@elk92 ~]# docker run -v haoshuaicongedu:/usr/share/nginx/html -d --name c1 registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
a3a26860c5dc66c69ba689ed586712bd2e2b0c7f43c037dfe7ea79411c593007
[root@elk92 ~]#
[root@elk92 ~]# docker volume ls
DRIVER VOLUME NAME
local haoshuaicongedu
[root@elk92 ~]#
[root@elk92 ~]# docker volume inspect haoshuaicongedu
[
{
"CreatedAt": "2025-03-20T10:06:45+08:00",
"Driver": "local",
"Labels": null,
"Mountpoint": "/var/lib/docker/volumes/haoshuaicongedu/_data",
"Name": "haoshuaicongedu",
"Options": null,
"Scope": "local"
}
]
[root@elk92 ~]# ll /var/lib/docker/volumes/haoshuaicongedu/_data
total 244
drwxr-xr-x 2 root root 4096 Mar 20 10:06 ./
drwx-----x 3 root root 4096 Mar 20 10:06 ../
-rw-r--r-- 1 root root 233472 Jan 20 2024 1.jpg
-rw-r--r-- 1 root root 494 May 25 2021 50x.html
-rw-r--r-- 1 root root 357 Jan 20 2024 index.html
[root@elk92 ~]#
2. 若不指定存储卷则会自动创建匿名存储卷
[root@elk92 ~]# docker volume ls
DRIVER VOLUME NAME
local haoshuaicongedu
[root@elk92 ~]#
[root@elk92 ~]# docker run -v /usr/share/nginx/html -d --name c2 registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
390e754181d6d57de79800ca5b71a12a2501c5d40516c9baf3ea45bea6ae66af
[root@elk92 ~]#
[root@elk92 ~]# docker volume ls
DRIVER VOLUME NAME
local 22d11c315365fe99f0810c343c89c37f60779c5633c6b54fbd2471baad1200b2
local haoshuaicongedu
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# docker volume inspect 22d11c315365fe99f0810c343c89c37f60779c5633c6b54fbd2471baad1200b2
[
{
"CreatedAt": "2025-03-20T10:08:00+08:00",
"Driver": "local",
"Labels": null,
"Mountpoint": "/var/lib/docker/volumes/22d11c315365fe99f0810c343c89c37f60779c5633c6b54fbd2471baad1200b2/_data",
"Name": "22d11c315365fe99f0810c343c89c37f60779c5633c6b54fbd2471baad1200b2",
"Options": null,
"Scope": "local"
}
]
[root@elk92 ~]#
[root@elk92 ~]# ll /var/lib/docker/volumes/22d11c315365fe99f0810c343c89c37f60779c5633c6b54fbd2471baad1200b2/_data
total 244
drwxr-xr-x 2 root root 4096 Mar 20 10:08 ./
drwx-----x 3 root root 4096 Mar 20 10:08 ../
-rw-r--r-- 1 root root 233472 Jan 20 2024 1.jpg
-rw-r--r-- 1 root root 494 May 25 2021 50x.html
-rw-r--r-- 1 root root 357 Jan 20 2024 index.html
[root@elk92 ~]#
3. 删除容器时一并删除其匿名存储卷
[root@elk92 ~]# docker volume ls
DRIVER VOLUME NAME
local 22d11c315365fe99f0810c343c89c37f60779c5633c6b54fbd2471baad1200b2
local haoshuaicongedu
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
390e754181d6 registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1 "/docker-entrypoint.…" 46 seconds ago Up 45 seconds 80/tcp c2
a3a26860c5dc registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1 "/docker-entrypoint.…" 2 minutes ago Up 2 minutes 80/tcp c1
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# docker container rm -f -v `docker ps -aq` # 注意,使用-v选项可以删除匿名的存储卷。
390e754181d6
a3a26860c5dc
[root@elk92 ~]#
[root@elk92 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@elk92 ~]#
[root@elk92 ~]# docker volume ls
DRIVER VOLUME NAME
local haoshuaicongedu
[root@elk92 ~]#
4. 使用宿主机的某个路径作为存储卷挂载到容器【如果容器内该路径原本有数据,会被宿主机目录的内容遮盖,而不是被删除;容器对该目录的写入会直接落到宿主机上,只需读取的场景可在挂载参数末尾加 :ro】
[root@elk92 ~]# mkdir /data
[root@elk92 ~]#
[root@elk92 ~]# echo "1111,22222~" > /data/index.html
[root@elk92 ~]#
[root@elk92 ~]# ll /data/
total 12
drwxr-xr-x 2 root root 4096 Mar 20 10:11 ./
drwxr-xr-x 23 root root 4096 Mar 20 10:10 ../
-rw-r--r-- 1 root root 41 Mar 20 10:11 index.html
[root@elk92 ~]#
[root@elk92 ~]# cat /data/index.html
1111,22222~
[root@elk92 ~]#
[root@elk92 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@elk92 ~]#
[root@elk92 ~]# docker run -v /data:/usr/share/nginx/html -d --name c1 registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
fc03e0faa05b95687defd41bb9e6a86c91d9a1ded48ffd125dc5fc7c9d70c0b8
[root@elk92 ~]#
[root@elk92 ~]# docker container inspect -f "{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}" c1
172.17.0.2
[root@elk92 ~]#
[root@elk92 ~]# curl 172.17.0.2
1111,22222~
[root@elk92 ~]#
[root@elk92 ~]# ll /data/
total 12
drwxr-xr-x 2 root root 4096 Mar 20 10:11 ./
drwxr-xr-x 23 root root 4096 Mar 20 10:10 ../
-rw-r--r-- 1 root root 41 Mar 20 10:11 index.html
[root@elk92 ~]#
5. 如果挂载的宿主机目录不存在,则会自动创建【新建的目录是空的,同样会遮盖容器内该路径原有的数据,所以下面访问返回 403;路径写错时也会悄悄创建出一个属主为 root 的空目录,需要留意】
[root@elk92 ~]# ll /data3
ls: cannot access '/data3': No such file or directory
[root@elk92 ~]#
[root@elk92 ~]# docker run -v /data3:/usr/share/nginx/html -d --name c3 registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
42d9e15a2fab660dd0742431bd2a09da37b47b393cc5416d2a93afc6e3e9308d
[root@elk92 ~]#
[root@elk92 ~]# ll /data3
total 8
drwxr-xr-x 2 root root 4096 Mar 20 10:13 ./
drwxr-xr-x 25 root root 4096 Mar 20 10:13 ../
[root@elk92 ~]#
[root@elk92 ~]# docker container inspect -f "{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}" c3
172.17.0.3
[root@elk92 ~]#
[root@elk92 ~]# curl 172.17.0.3
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.20.1</center>
</body>
</html>
[root@elk92 ~]#
docker 底层 Linux 特性之 chroot 技术
1. 什么是 chroot
change root,表示改变根目录 (“/”)。chroot 只改变进程看到的根目录,并不隔离进程、网络、用户等其他资源,因此单独使用时不能当作安全边界。
2. 测试案例
略,见视频。
[root@elk92 ~]# ldd /bin/bash
linux-vdso.so.1 (0x00007fff2d3ee000)
libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007f5478a32000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5478809000)
/lib64/ld-linux-x86-64.so.2 (0x00007f5478bd3000)
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# ldd /usr/bin/ls
linux-vdso.so.1 (0x00007fff3d1d6000)
libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007fe181b71000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe181948000)
libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007fe1818b1000)
/lib64/ld-linux-x86-64.so.2 (0x00007fe181bcf000)
[root@elk92 ~]#
[root@elk92 ~]# tree haoshuaicongedu-linux96
haoshuaicongedu-linux96
├── bin
│ └── bash
├── lib
│ └── x86_64-linux-gnu
│ ├── libc.so.6
│ ├── libpcre2-8.so.0
│ ├── libselinux.so.1
│ └── libtinfo.so.6
├── lib64
│ └── ld-linux-x86-64.so.2
├── usr
│ └── bin
│ └── ls
└── xixi.log
6 directories, 8 files
[root@elk92 ~]#
[root@elk92 ~]# cp -r haoshuaicongedu-linux96 haoshuaicongedu-linux97
[root@elk92 ~]#
[root@elk92 ~]# chroot haoshuaicongedu-linux96
bash-5.1# ls -l /
total 20
drwxr-xr-x 2 0 0 4096 Mar 20 02:21 bin
drwxr-xr-x 3 0 0 4096 Mar 20 02:22 lib
drwxr-xr-x 2 0 0 4096 Mar 20 02:22 lib64
drwxr-xr-x 3 0 0 4096 Mar 20 02:24 usr
-rw-r--r-- 1 0 0 18 Mar 20 02:26 xixi.log
bash-5.1# exit
[root@elk92 ~]#
[root@elk92 ~]# chroot haoshuaicongedu-linux97
bash-5.1# ls /
bin lib lib64 usr xixi.log
bash-5.1#
bash-5.1# echo 111111111111111111111 > /haha.txt
bash-5.1#
bash-5.1# ls /
bin haha.txt lib lib64 usr xixi.log
bash-5.1# exit
[root@elk92 ~]#
[root@elk92 ~]# chroot haoshuaicongedu-linux96 ls -l /
total 20
drwxr-xr-x 2 0 0 4096 Mar 20 02:21 bin
drwxr-xr-x 3 0 0 4096 Mar 20 02:22 lib
drwxr-xr-x 2 0 0 4096 Mar 20 02:22 lib64
drwxr-xr-x 3 0 0 4096 Mar 20 02:24 usr
-rw-r--r-- 1 0 0 18 Mar 20 02:26 xixi.log
[root@elk92 ~]#
[root@elk92 ~]# chroot haoshuaicongedu-linux97 ls -l /
total 24
drwxr-xr-x 2 0 0 4096 Mar 20 02:28 bin
-rw-r--r-- 1 0 0 22 Mar 20 02:28 haha.txt
drwxr-xr-x 3 0 0 4096 Mar 20 02:28 lib
drwxr-xr-x 2 0 0 4096 Mar 20 02:28 lib64
drwxr-xr-x 3 0 0 4096 Mar 20 02:28 usr
-rw-r--r-- 1 0 0 18 Mar 20 02:28 xixi.log
[root@elk92 ~]#
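3. 验证 docker 底层用到了 chroot 技术(说明:Docker 默认运行时 runc 通常用 pivot_root 而非 chroot 来切换根目录;下面的实验演示的是容器的 MergedDir 本身就是一个完整的根文件系统,在宿主机上可以用 chroot 进入)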
3.1 创建容器
[root@elk92 ~]# docker run -d --name c1 registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
3c7766ed58bf1dad823f4a7c30b0de029ee5fe836e7490c4193ad2f48533208b
[root@elk92 ~]#
[root@elk92 ~]# docker run -d --name c2 registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
6b21c993e17243080e6b39fe552289a5ef0dd6ea74d0d7af9cf4969501d56afc
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# docker exec c1 touch /xixi.log
[root@elk92 ~]#
[root@elk92 ~]# docker exec c2 touch /haha.log
[root@elk92 ~]#
[root@elk92 ~]# ls /
bin cdrom data2 dev home lib32 libx32 media haoshuaicongedu proc run snap swap.img tmp var
boot data data3 etc lib lib64 lost+found mnt opt root sbin srv sys usr yinzhengjie
[root@elk92 ~]#
3.2 查看容器的 MergedDir 目录
[root@elk92 ~]# docker inspect -f '{{.GraphDriver.Data.MergedDir}}' c1
/var/lib/docker/overlay2/e06301296149dd7363b456f71941c5f2fe53609b3d5c76ba800eb8de800c6188/merged
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f '{{.GraphDriver.Data.MergedDir}}' c2
/var/lib/docker/overlay2/ee96862518138d9c297fe86e95da53c9c4b3ba2d7737028371fe90b4413918c5/merged
[root@elk92 ~]#
[root@elk92 ~]# chroot /var/lib/docker/overlay2/e06301296149dd7363b456f71941c5f2fe53609b3d5c76ba800eb8de800c6188/merged ls /
bin etc mnt run tmp
dev home opt sbin usr
docker-entrypoint.d lib proc srv var
docker-entrypoint.sh media root sys xixi.log
[root@elk92 ~]#
[root@elk92 ~]# chroot /var/lib/docker/overlay2/ee96862518138d9c297fe86e95da53c9c4b3ba2d7737028371fe90b4413918c5/merged ls /
bin etc media root sys
dev haha.log mnt run tmp
docker-entrypoint.d home opt sbin usr
docker-entrypoint.sh lib proc srv var
[root@elk92 ~]#
Docker 底层 Linux 特性之 OverlayFS 技术
1. 什么是 OverlayFS
OverlayFS 是 Docker 所使用的一款 Linux 联合文件系统。它属于堆叠文件系统,依赖并构建于其他文件系统(如 ext4fs 和 xfs 等)之上,不直接参与磁盘空间结构的划分,仅将原系统文件中的文件或目录 “合并”,最终向用户呈现 “合并” 后的文件处于同一级目录,这便是联合挂载技术。相较于早期 Docker(<1.12)使用的 AUFS 存储技术,OverlayFS 速度更快且实现更简单。
Linux 内核为 Docker 提供了两种 OverlayFS 驱动:Overlay 和 Overlay2。其中,Overlay2 是对 Overlay 的改进,在 Inode 利用率方面更高效。不过,Overlay2 有特定的环境要求:
- Docker 版本需为 17.06.02+;
- 宿主机文件系统需为 EXT4 或 XFS 格式。
OverlayFS 的实现方式
OverlayFS 通过三个目录来实现:lower 目录、upper 目录以及 work 目录。
- lower:通常对应只读数据。
- upper:为可进行读写操作的目录。
- work:是工作基础目录,挂载后会自动创建一个 work 子目录(实际测试中,手动卸载后该目录不会被删除),主要用于存储临时结果或中间数据,使用过程中其内容对用户不可见。联合挂载完成后,向用户呈现的统一视图称为 merged 目录。
OverlayFS 的结构层次
OverlayFS 结构分为三个层:LowerDir、UpperDir、MergedDir。
- LowerDir(只读):是只读的 image layer,即 rootfs。使用 Dockerfile 构建镜像时,Image Layer 可分为多层,因此对应的 lowerdir 会有多个(源镜像)。Lower 包含两个子层:
- 系统的 init:
- 容器启动后,默认情况下 lower 层内容不可修改,但用户若需修改主机名与域名地址,可添加 init 层中的文件(如 hostname、resolv.conf、hosts、mtab 等)来解决此问题。
- 修改内容仅对当前容器生效,使用 docker commit 提交为镜像时,init 层不会被提交。
- init 文件存放在 /var/lib/docker/overlay2/<init_id>/diff 目录。
- 容器的镜像层:包含不可修改的数据。
- UpperDir(读写):位于 lowerdir 之上,是读写层。容器启动时创建,对容器的所有修改都在此层进行,例如容器启动写入的日志文件或应用程序写入的临时文件。
- MergedDir(展示):是容器的挂载点,用户视角下看到的所有文件都从这层展示。
2. OverlayFS 参考案例
2.1 创建工作目录
[root@elk92 ~]# mkdir -pv /haoshuaicongedu2025/lower{0..2} /haoshuaicongedu2025/{uppper,work,merged}
mkdir: created directory '/haoshuaicongedu2025'
mkdir: created directory '/haoshuaicongedu2025/lower0' #---> RO
mkdir: created directory '/haoshuaicongedu2025/lower1' #---> RO
mkdir: created directory '/haoshuaicongedu2025/lower2' #---> RO
mkdir: created directory '/haoshuaicongedu2025/uppper' #---> RW
mkdir: created directory '/haoshuaicongedu2025/work' #---> TEMP|CACHE
mkdir: created directory '/haoshuaicongedu2025/merged' #---> USER
[root@elk92 ~]#
2.2 挂载文件系统
[root@elk92 ~]# mount -t overlay overlay -o lowerdir=/haoshuaicongedu2025/lower0:/haoshuaicongedu2025/lower1:/haoshuaicongedu2025/lower2,upperdir=/haoshuaicongedu2025/uppper,workdir=/haoshuaicongedu2025/work /haoshuaicongedu2025/merged/
[root@elk92 ~]#
2.3 查看挂载信息
[root@elk92 ~]# df -h | grep haoshuaicongedu2025
overlay 97G 15G 78G 16% /haoshuaicongedu2025/merged
[root@elk92 ~]#
2.4 在 lower 层准备初始数据
ll /haoshuaicongedu2025/ -R
cp /etc/hosts /haoshuaicongedu2025/lower0/
cp /etc/issue /haoshuaicongedu2025/lower1/
cp /etc/resolv.conf /haoshuaicongedu2025/lower2/
ll /haoshuaicongedu2025/ -R
2.5 在 upper 层准备初始数据
cp /etc/hostname /haoshuaicongedu2025/uppper/
ll /haoshuaicongedu2025/ -R
2.6 尝试在 merged 目录写入数据,观察数据实际写入的是 upper 层
cp /etc/fstab /haoshuaicongedu2025/merged/
ll /haoshuaicongedu2025/ -R
2.7 重新挂载,但不挂载 upperdir 层
umount /haoshuaicongedu2025/merged
mount -t overlay overlay -o lowerdir=/haoshuaicongedu2025/lower0:/haoshuaicongedu2025/lower1:/haoshuaicongedu2025/lower2,workdir=/haoshuaicongedu2025/work /haoshuaicongedu2025/merged/
2.8 再次尝试写入数据失败,因为没有写层
[root@elk92 ~]# cp /etc/os-release /haoshuaicongedu2025/merged/
cp: cannot create regular file '/haoshuaicongedu2025/merged/os-release': Read-only file system
[root@elk92 ~]#
3. 验证 Docker 底层用到了 OverlayFS
[root@elk92 ~]# docker inspect -f '{{.GraphDriver.Data.MergedDir}}' c1
/var/lib/docker/overlay2/e06301296149dd7363b456f71941c5f2fe53609b3d5c76ba800eb8de800c6188/merged
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f '{{.GraphDriver.Data.MergedDir}}' c2
/var/lib/docker/overlay2/ee96862518138d9c297fe86e95da53c9c4b3ba2d7737028371fe90b4413918c5/merged
[root@elk92 ~]#
[root@elk92 ~]# df -h | grep overlay
overlay 97G 15G 78G 16% /var/lib/docker/overlay2/e06301296149dd7363b456f71941c5f2fe53609b3d5c76ba800eb8de800c6188/merged
overlay 97G 15G 78G 16% /var/lib/docker/overlay2/ee96862518138d9c297fe86e95da53c9c4b3ba2d7737028371fe90b4413918c5/merged
overlay 97G 15G 78G 16% /haoshuaicongedu2025/merged
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f '{{.GraphDriver.Data.UpperDir}}' c1
/var/lib/docker/overlay2/e06301296149dd7363b456f71941c5f2fe53609b3d5c76ba800eb8de800c6188/diff
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f '{{.GraphDriver.Data.UpperDir}}' c2
/var/lib/docker/overlay2/ee96862518138d9c297fe86e95da53c9c4b3ba2d7737028371fe90b4413918c5/diff
[root@elk92 ~]#
[root@elk92 ~]# ll /var/lib/docker/overlay2/e06301296149dd7363b456f71941c5f2fe53609b3d5c76ba800eb8de800c6188/diff
total 32
drwxr-xr-x 6 root root 4096 Mar 20 10:31 ./
drwx--x--- 5 root root 4096 Mar 20 10:31 ../
drwxr-xr-x 3 root root 4096 Mar 20 10:31 etc/
drwx------ 2 root root 4096 Mar 20 10:35 root/
drwxr-xr-x 2 root root 4096 Mar 20 10:31 run/
drwxr-xr-x 3 root root 4096 Nov 12 2021 var/
-rw-r--r-- 1 root root 0 Mar 20 10:31 xixi.log # 数据的确写入到了UpperDir层
[root@elk92 ~]#
[root@elk92 ~]# ll /var/lib/docker/overlay2/ee96862518138d9c297fe86e95da53c9c4b3ba2d7737028371fe90b4413918c5/diff
total 28
drwxr-xr-x 5 root root 4096 Mar 20 10:31 ./
drwx--x--- 5 root root 4096 Mar 20 10:31 ../
drwxr-xr-x 3 root root 4096 Mar 20 10:31 etc/
-rw-r--r-- 1 root root 0 Mar 20 10:31 haha.log # 数据的确写入到了UpperDir层
drwxr-xr-x 2 root root 4096 Mar 20 10:31 run/
drwxr-xr-x 3 root root 4096 Nov 12 2021 var/
[root@elk92 ~]#
4. 查看 Docker 的存储驱动,确认使用的是 OverlayFS(overlay2)
[root@elk92 ~]# docker info | grep "Storage Driver"
Storage Driver: overlay2
[root@elk92 ~]#
面试题:Docker 的网络类型分类
单机网络类型
即同一个 Docker 节点的网络,具体如下:
- none:不分配任何网络,容器仅拥有一块 lo 本地回环网卡。
- bridge:会分配一个虚拟设备对,一端位于容器内,另一端在宿主机上。
- host:容器和宿主机共用网络名称空间,不会新建虚拟设备对,网络性能最高;但也因此没有网络隔离,容器内可以看到宿主机的全部网卡,并直接占用宿主机的端口。
- container:新建容器时,不创建新的网络,而是与一个正在运行的容器共用网络名称空间。
- custom network:支持通过 bridge 等驱动实现,可自定义网段、网关、子网掩码等信息。该模式内置 DNS 功能,能够实现基于容器名称的方式访问对应的容器。
跨主机网络类型
也就是不同 Docker 节点容器的网络通信方案,典型代表有:macvlan、overlay、ipvlan、Flannel 等。
若要将容器指定到某个网络,可使用 --network 选项。
docker 底层 Linux 特性之 namespace 技术,资源隔离
1. namespace 概述
namespace 是 Linux 用于隔离进程资源的机制,比如 IPC,NET,MNT,PID,UTS,USER。
在 “/proc” 目录可以查看当前进程的名称空间:
[root@elk92 ~]# ll /proc/$$/ns
total 0
dr-x--x--x 2 root root 0 Mar 20 11:54 ./
dr-xr-xr-x 9 root root 0 Mar 19 10:54 ../
lrwxrwxrwx 1 root root 0 Mar 20 11:54 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Mar 20 11:54 ipc -> 'ipc:[4026531839]'
lrwxrwxrwx 1 root root 0 Mar 20 11:54 mnt -> 'mnt:[4026531841]'
lrwxrwxrwx 1 root root 0 Mar 20 11:54 net -> 'net:[4026531840]'
lrwxrwxrwx 1 root root 0 Mar 20 11:54 pid -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Mar 20 11:54 pid_for_children -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Mar 20 11:54 time -> 'time:[4026531834]'
lrwxrwxrwx 1 root root 0 Mar 20 11:54 time_for_children -> 'time:[4026531834]'
lrwxrwxrwx 1 root root 0 Mar 20 11:54 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Mar 20 11:54 uts -> 'uts:[4026531838]'
[root@elk92 ~]#
2. 验证 docker 多容器共享了 net 网络名称空间(c2-bridge 与 c3-container 的创建见下文“docker 容器单机的网络类型”)
[root@elk92 ~]# docker inspect -f '{{.State.Pid}}' c2-bridge
757760
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f '{{.State.Pid}}' c3-container
758784
[root@elk92 ~]#
[root@elk92 ~]# ll /proc/757760/ns/net
lrwxrwxrwx 1 root root 0 Mar 20 11:43 /proc/757760/ns/net -> 'net:[4026532818]'
[root@elk92 ~]#
[root@elk92 ~]# ll /proc/758784/ns/net
lrwxrwxrwx 1 root root 0 Mar 20 11:46 /proc/758784/ns/net -> 'net:[4026532818]'
[root@elk92 ~]#
docker 容器单机的网络类型
1. 创建 none 容器网络实战
[root@elk92 ~]# docker run -d --name c1-none --network none registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
63cca36bf725e9d235fb6190161c43921fa81fe0476afd68118ed7eefc935c8b
[root@elk92 ~]#
[root@elk92 ~]# docker exec c1-none ifconfig -a
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
[root@elk92 ~]#
2. 创建 bridge,若不指定,则默认为 bridge
[root@elk92 ~]# docker run -d --name c2-bridge --network bridge registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
5017edee9e32794fb54d01597942158be11e753038ae47949bcb21157d554093
[root@elk92 ~]#
[root@elk92 ~]# docker exec c2-bridge ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
42: eth0@if43: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# ip a
...
43: vethb6928b2@if42: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 3a:ff:b2:94:7a:ba brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::38ff:b2ff:fe94:7aba/64 scope link
valid_lft forever preferred_lft forever
[root@elk92 ~]#
3. 创建 container,和已经存在的容器共用相同网络名称空间
[root@elk92 ~]# docker run -d --name c3-container --network container:c2-bridge registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1 tail -f /etc/hosts
7cba934c32c4ca2e5e3463b258c2ccea7834790b6c1db6b5a5c1f2115ae5d66d
[root@elk92 ~]#
[root@elk92 ~]# docker exec c3-container ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
42: eth0@if43: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
[root@elk92 ~]#
4. 创建 host,使用宿主机的网络,也不会创建新的网卡,而是和宿主机共用网络
[root@elk92 ~]# docker run -d --name c4-host --network host registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1 tail -f /etc/hosts
c0caddfd776f42bc3a38ad769dc2bd24f51148ff3522ae9397adec224babfd84
[root@elk92 ~]#
[root@elk92 ~]# docker exec c4-host ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
link/ether 00:0c:29:36:2c:11 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.92/24 brd 10.0.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet 10.0.0.66/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe36:2c11/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 02:42:34:df:ae:ba brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:34ff:fedf:aeba/64 scope link
valid_lft forever preferred_lft forever
43: vethb6928b2@if42: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue master docker0 state UP
link/ether 3a:ff:b2:94:7a:ba brd ff:ff:ff:ff:ff:ff
inet6 fe80::38ff:b2ff:fe94:7aba/64 scope link
valid_lft forever preferred_lft forever
[root@elk92 ~]#
单机的自定义网络管理
1. 查看网络列表【内置的】
[root@elk92 ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
4bf3b80a73b8 bridge bridge local
f110b9172ab7 host host local
184392b9f477 none null local
[root@elk92 ~]#
2. 创建网络
[root@elk92 ~]# docker network create haoshuaicongedu
17cf8ede64a6ced03ecef37b65e3145d6badc01ab3c5357c3b3f4cd9696bc8df
[root@elk92 ~]#
[root@elk92 ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
4bf3b80a73b8 bridge bridge local
f110b9172ab7 host host local
184392b9f477 none null local
17cf8ede64a6 haoshuaicongedu bridge local
[root@elk92 ~]#
[root@elk92 ~]# docker network create -d bridge --subnet 172.30.0.0/16 --gateway 172.30.0.254 --ip-range 172.30.1.0/24 linux96
50a8d37e523134d09e39563f8384de69d98588bae239996d954e54afd0635030
[root@elk92 ~]#
[root@elk92 ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
4bf3b80a73b8 bridge bridge local
f110b9172ab7 host host local
50a8d37e5231 linux96 bridge local
184392b9f477 none null local
17cf8ede64a6 haoshuaicongedu bridge local
[root@elk92 ~]#
3. 查看某个网络的详细信息
[root@elk92 ~]# docker network inspect haoshuaicongedu
[
{
"Name": "haoshuaicongedu",
"Id": "17cf8ede64a6ced03ecef37b65e3145d6badc01ab3c5357c3b3f4cd9696bc8df",
"Created": "2025-03-20T12:00:43.769576807+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "172.18.0.0/16",
"Gateway": "172.18.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {},
"Labels": {}
}
]
[root@elk92 ~]#
[root@elk92 ~]# docker network inspect linux96
[
{
"Name": "linux96",
"Id": "50a8d37e523134d09e39563f8384de69d98588bae239996d954e54afd0635030",
"Created": "2025-03-20T12:04:18.005583689+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "172.30.0.0/16",
"IPRange": "172.30.1.0/24",
"Gateway": "172.30.0.254"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {},
"Labels": {}
}
]
[root@elk92 ~]#
[root@elk92 ~]# docker network inspect bridge
[
{
"Name": "bridge",
"Id": "4bf3b80a73b8682a760f344f59fbadf930061e6edde4bea95fab51d3c32429e6",
"Created": "2025-03-19T10:53:42.170464619+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.17.0.0/16"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"5017edee9e32794fb54d01597942158be11e753038ae47949bcb21157d554093": {
"Name": "c2-bridge",
"EndpointID": "8d264c925316c73dd216ffaa3ecff6181eb36a097af9cd793795994e3476d573",
"MacAddress": "02:42:ac:11:00:02",
"IPv4Address": "172.17.0.2/16",
"IPv6Address": ""
}
},
"Options": {
"com.docker.network.bridge.default_bridge": "true",
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker0",
"com.docker.network.driver.mtu": "1500"
},
"Labels": {}
}
]
[root@elk92 ~]#
4. 创建容器使用自定义网络
[root@elk92 ~]# docker container rm -f `docker container ps -qa`
c0caddfd776f
7cba934c32c4
5017edee9e32
63cca36bf725
[root@elk92 ~]#
[root@elk92 ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
4bf3b80a73b8 bridge bridge local
f110b9172ab7 host host local
50a8d37e5231 linux96 bridge local
184392b9f477 none null local
17cf8ede64a6 haoshuaicongedu bridge local
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# docker run -d --name c1 --network linux96 registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
3ddd3de2a62c896fc829c6596a7b58dfe2913b62785e2d4e5001592cbf57261e
[root@elk92 ~]#
[root@elk92 ~]# docker run -d --name c2 --network linux96 registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
da682aadd82ba9ab3fd6ce4b7c3a8f2f76421aaa41ceccd4041ee9e90f4bbb38
[root@elk92 ~]#
[root@elk92 ~]# docker exec c1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
46: eth0@if47: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:1e:01:00 brd ff:ff:ff:ff:ff:ff
inet 172.30.1.0/16 brd 172.30.255.255 scope global eth0
valid_lft forever preferred_lft forever
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# docker exec c2 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
48: eth0@if49: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:1e:01:01 brd ff:ff:ff:ff:ff:ff
inet 172.30.1.1/16 brd 172.30.255.255 scope global eth0
valid_lft forever preferred_lft forever
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# docker exec c1 ping c2 -c 3
PING c2 (172.30.1.1): 56 data bytes
64 bytes from 172.30.1.1: seq=0 ttl=64 time=0.406 ms
64 bytes from 172.30.1.1: seq=1 ttl=64 time=0.068 ms
64 bytes from 172.30.1.1: seq=2 ttl=64 time=0.073 ms
--- c2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.068/0.182/0.406 ms
[root@elk92 ~]#
5. 将某个网络从容器中移除
[root@elk92 ~]# docker network inspect linux96
[
{
"Name": "linux96",
"Id": "50a8d37e523134d09e39563f8384de69d98588bae239996d954e54afd0635030",
"Created": "2025-03-20T12:04:18.005583689+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "172.30.0.0/16",
"IPRange": "172.30.1.0/24",
"Gateway": "172.30.0.254"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"3ddd3de2a62c896fc829c6596a7b58dfe2913b62785e2d4e5001592cbf57261e": {
"Name": "c1",
"EndpointID": "c346dcbcc7f431773255a759cc105ee3c704ea2b67fd78d2fcb1093e22e88dfe",
"MacAddress": "02:42:ac:1e:01:00",
"IPv4Address": "172.30.1.0/16",
"IPv6Address": ""
},
"da682aadd82ba9ab3fd6ce4b7c3a8f2f76421aaa41ceccd4041ee9e90f4bbb38": {
"Name": "c2",
"EndpointID": "040860ebd444e944098be6547c187fb379a2039544ae9d340004c1ff574c4c5a",
"MacAddress": "02:42:ac:1e:01:01",
"IPv4Address": "172.30.1.1/16",
"IPv6Address": ""
}
},
"Options": {},
"Labels": {}
}
]
[root@elk92 ~]#
[root@elk92 ~]# docker exec c2 ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:1E:01:01
inet addr:172.30.1.1 Bcast:172.30.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:25 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2744 (2.6 KiB) TX bytes:378 (378.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
[root@elk92 ~]#
[root@elk92 ~]# docker network disconnect linux96 c2
[root@elk92 ~]#
[root@elk92 ~]# docker exec c2 ifconfig -a
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
[root@elk92 ~]#
[root@elk92 ~]# docker network inspect linux96
[
{
"Name": "linux96",
"Id": "50a8d37e523134d09e39563f8384de69d98588bae239996d954e54afd0635030",
"Created": "2025-03-20T12:04:18.005583689+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "172.30.0.0/16",
"IPRange": "172.30.1.0/24",
"Gateway": "172.30.0.254"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"3ddd3de2a62c896fc829c6596a7b58dfe2913b62785e2d4e5001592cbf57261e": {
"Name": "c1",
"EndpointID": "c346dcbcc7f431773255a759cc105ee3c704ea2b67fd78d2fcb1093e22e88dfe",
"MacAddress": "02:42:ac:1e:01:00",
"IPv4Address": "172.30.1.0/16",
"IPv6Address": ""
}
},
"Options": {},
"Labels": {}
}
]
[root@elk92 ~]#
6. 将某个网络加入到指定容器
[root@elk92 ~]# docker network connect linux96 c2
[root@elk92 ~]#
[root@elk92 ~]# docker exec c2 ifconfig -a
eth1 Link encap:Ethernet HWaddr 02:42:AC:1E:01:01
inet addr:172.30.1.1 Bcast:172.30.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:927 (927.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
[root@elk92 ~]#
[root@elk92 ~]# docker network inspect linux96
[
{
"Name": "linux96",
"Id": "50a8d37e523134d09e39563f8384de69d98588bae239996d954e54afd0635030",
"Created": "2025-03-20T12:04:18.005583689+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "172.30.0.0/16",
"IPRange": "172.30.1.0/24",
"Gateway": "172.30.0.254"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"3ddd3de2a62c896fc829c6596a7b58dfe2913b62785e2d4e5001592cbf57261e": {
"Name": "c1",
"EndpointID": "c346dcbcc7f431773255a759cc105ee3c704ea2b67fd78d2fcb1093e22e88dfe",
"MacAddress": "02:42:ac:1e:01:00",
"IPv4Address": "172.30.1.0/16",
"IPv6Address": ""
},
"da682aadd82ba9ab3fd6ce4b7c3a8f2f76421aaa41ceccd4041ee9e90f4bbb38": {
"Name": "c2",
"EndpointID": "fb9af69bcb5dbb3506d1a7ba975a25e0067a916be04e56f7ea37a460b91c9b55",
"MacAddress": "02:42:ac:1e:01:01",
"IPv4Address": "172.30.1.1/16",
"IPv6Address": ""
}
},
"Options": {},
"Labels": {}
}
]
[root@elk92 ~]#
7. 移除所有未使用的网络
[root@elk92 ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
4bf3b80a73b8 bridge bridge local
ad9376e26378 haha bridge local
f110b9172ab7 host host local
50a8d37e5231 linux96 bridge local
184392b9f477 none null local
17cf8ede64a6 haoshuaicongedu bridge local
17c131984c75 xixi bridge local
[root@elk92 ~]#
[root@elk92 ~]# docker network prune -f
Deleted Networks:
haha
haoshuaicongedu
xixi
[root@elk92 ~]#
[root@elk92 ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
4bf3b80a73b8 bridge bridge local
f110b9172ab7 host host local
50a8d37e5231 linux96 bridge local
184392b9f477 none null local
[root@elk92 ~]#
8. 删除指定的网络
[root@elk92 ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
4bf3b80a73b8 bridge bridge local
f110b9172ab7 host host local
50a8d37e5231 linux96 bridge local
184392b9f477 none null local
[root@elk92 ~]#
[root@elk92 ~]# docker container rm -f `docker container ps -qa`
c92593ee264d
c282c4cd6720
03036aa74ff5
da682aadd82b
3ddd3de2a62c
[root@elk92 ~]#
[root@elk92 ~]# docker network rm linux96
linux96
[root@elk92 ~]#
[root@elk92 ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
4bf3b80a73b8 bridge bridge local
f110b9172ab7 host host local
184392b9f477 none null local
[root@elk92 ~]#
容器的启动命令 COMMAND
1. 什么是容器的启动命令
所谓的容器本质上就是宿主机的某个进程,当该进程运行结束时,容器也会随之进入退出状态。
2. 当启动命令 [COMMAND] 运行结束时,容器会随之退出
[root@elk92 ~]# docker run -d --name c3 alpine sleep 30 # 创建容器时,我们可以改变其启动命令。
af1bd4d62d030e2ea1dbdbe03ac675c5d7a4f6bfef251c17a92f8e0f5be0d287
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
af1bd4d62d03 alpine "sleep 30" 2 seconds ago Up 1 second c3
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
af1bd4d62d03 alpine "sleep 30" 30 seconds ago Up 29 seconds c3
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
af1bd4d62d03 alpine "sleep 30" 38 seconds ago Exited (0) 7 seconds ago c3
[root@elk92 ~]#
3. 容器本质上就是宿主机的某个进程
[root@elk92 ~]# docker run -d --name c4 alpine tail -f /etc/hosts
6f9dd7e2ee36fa1d8c790b8d6b7b84f12f9007154cd9e533f8477409cc1d3627
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6f9dd7e2ee36 alpine "tail -f /etc/hosts" 1 second ago Up 1 second c4
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f '{{.State.Pid}}' c4
796988
[root@elk92 ~]#
[root@elk92 ~]# ps -ef | grep /etc/hosts | grep -v grep
root 796988 796964 0 14:47 ? 00:00:00 tail -f /etc/hosts
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# kill -9 796988
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6f9dd7e2ee36 alpine "tail -f /etc/hosts" 2 minutes ago Exited (137) 2 seconds ago c4
[root@elk92 ~]#
4. 启动命令必须确保能在该容器中执行
[root@elk92 ~]# docker run -d --name c6 alpine tail -f /usr/share/apk/keys/x86_64/alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub
ad1ae21682970a243f533f401682b1f7d311ee7aa6fa3dad8649e84a691715a8
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ad1ae2168297 alpine "tail -f /usr/share/…" 4 seconds ago Up 3 seconds c6
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l --no-trunc
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ad1ae21682970a243f533f401682b1f7d311ee7aa6fa3dad8649e84a691715a8 alpine "tail -f /usr/share/apk/keys/x86_64/alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub" 22 seconds ago Up 21 seconds c6
[root@elk92 ~]#
[root@elk92 ~]# docker exec -it c6 ls -l /usr/share/apk/keys/x86_64/alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub
lrwxrwxrwx 1 root root 54 Feb 13 23:04 /usr/share/apk/keys/x86_64/alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub -> ../alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub
[root@elk92 ~]#
[root@elk92 ~]# docker exec -it c6 ls -l /etc/netplan/00-installer-config.yaml
ls: /etc/netplan/00-installer-config.yaml: No such file or directory
[root@elk92 ~]#
[root@elk92 ~]# docker run -d --name c7 alpine tail -f /etc/netplan/00-installer-config.yaml # 注意,容器中压根就不存在该文件,因此会执行失败,所以容器将退出。
c9780acd05884dd27bcc4472453812843cf55500c82693b2c6e84e18ad3dce05
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l --no-trunc
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c9780acd05884dd27bcc4472453812843cf55500c82693b2c6e84e18ad3dce05 alpine "tail -f /etc/netplan/00-installer-config.yaml" 8 seconds ago Exited (1) 7 seconds ago c7
[root@elk92 ~]#
5. 特殊情况下,比如 sh 这类需要交互才能持续运行的命令,通常要为其分配一个标准输入进行交互,比如使用 ‘-i’。
[root@elk92 ~]# docker run -d --name c1 alpine
9a7125995ada0bf3ec95d13346ad1aac8bc87cde454f9fc3444b3a1dc8531f13
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9a7125995ada alpine "/bin/sh" 9 seconds ago Exited (0) 7 seconds ago c1
[root@elk92 ~]#
[root@elk92 ~]# docker run -d --name c2 -i alpine
34d1f9ac575bc9ed740d02fd9339ed1787e98d99fc3f240b93934cbd96e04105
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
34d1f9ac575b alpine "/bin/sh" 2 seconds ago Up 1 second c2
[root@elk92 ~]#
自定义网络案例之 Zabbix
0. 导入镜像
你可以通过以下链接导入镜像:
http://192.168.16.253/Resources/Docker/images/Zabbix/7.2/
1. 创建自定义网络
[root@elk92 ~]# docker network create --subnet 172.20.0.0/16 --ip-range 172.20.240.0/20 zabbix-net
585d0fb7c93ff3610d608c987e52a34455ee66b98cddf11391351854d2bc8b59
[root@elk92 ~]#
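2. 启动数据库实例
注意:示例中的 "123456" 等口令仅适用于实验环境;通过 -e 传入的口令会以明文出现在 docker inspect 的输出和容器的环境变量中,生产环境应使用强口令,并改用镜像支持的 MYSQL_PASSWORD_FILE / MYSQL_ROOT_PASSWORD_FILE 从文件读取口令。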
[root@elk92 ~]# docker run --name mysql-server -t \
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="linux96" \
-e MYSQL_PASSWORD="haoshuaicongedu" \
-e MYSQL_ROOT_PASSWORD="123456" \
--network=zabbix-net \
--restart unless-stopped \
-d mysql:8.0.36-oracle \
--character-set-server=utf8 --collation-server=utf8_bin \
--default-authentication-plugin=mysql_native_password
3. 启动 Java gateway 组件
[root@elk92 ~]# docker run --name zabbix-java-gateway -t \
--network=zabbix-net \
--restart unless-stopped \
-d zabbix/zabbix-java-gateway:alpine-7.2-latest
4. 启动 Zabbix server 链接数据库
[root@elk92 ~]# docker run --name zabbix-server-mysql -t \
-e DB_SERVER_HOST="mysql-server" \
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="linux96" \
-e MYSQL_PASSWORD="haoshuaicongedu" \
-e MYSQL_ROOT_PASSWORD="123456" \
-e ZBX_JAVAGATEWAY="zabbix-java-gateway" \
--network=zabbix-net \
-p 10051:10051 \
--restart unless-stopped \
-d zabbix/zabbix-server-mysql:alpine-7.2-latest
5. 启动 Zabbix web 组件
[root@elk92 ~]# docker run --name zabbix-web-nginx-mysql -t \
-e ZBX_SERVER_HOST="zabbix-server-mysql" \
-e DB_SERVER_HOST="mysql-server" \
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="linux96" \
-e MYSQL_PASSWORD="haoshuaicongedu" \
-e MYSQL_ROOT_PASSWORD="123456" \
--network=zabbix-net \
-p 88:8080 \
--restart unless-stopped \
-d zabbix/zabbix-web-nginx-mysql:alpine-7.2-latest
6. 检查容器是否正常运行
[root@elk92 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b18825e636ec zabbix/zabbix-web-nginx-mysql:alpine-7.2-latest "docker-entrypoint.sh" About a minute ago Up About a minute (healthy) 8443/tcp, 0.0.0.0:88->8080/tcp, :::88->8080/tcp zabbix-web-nginx-mysql
aa21cbc03c81 zabbix/zabbix-server-mysql:alpine-7.2-latest "/usr/bin/docker-ent…" About a minute ago Up About a minute 0.0.0.0:10051->10051/tcp, :::10051->10051/tcp zabbix-server-mysql
e178eed4b847 zabbix/zabbix-java-gateway:alpine-7.2-latest "docker-entrypoint.s…" About a minute ago Up About a minute 10052/tcp zabbix-java-gateway
037498d39486 mysql:8.0.36-oracle "docker-entrypoint.s…" About a minute ago Up About a minute 3306/tcp, 33060/tcp mysql-server
[root@elk92 ~]#
7. 访问 Zabbix 的 WebUI
http://10.0.0.92:88/
用户名:Admin
密 码:zabbix
(以上为 Zabbix 的默认账号和密码;WebUI 已通过宿主机的 88 端口对外发布,首次登录后应立即修改 Admin 的密码。)
8. 查看 Zabbix 的自定义网络
[root@elk92 ~]# docker network inspect zabbix-net
[
{
"Name": "zabbix-net",
"Id": "585d0fb7c93ff3610d608c987e52a34455ee66b98cddf11391351854d2bc8b59",
"Created": "2025-03-20T15:02:07.508990969+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "172.20.0.0/16",
"IPRange": "172.20.240.0/20"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"037498d394868441ceff0168a6a0e4c16e051252012f03bb9d99ff6575265dd6": {
"Name": "mysql-server",
"EndpointID": "086f76d5044396ff75202b18fb0103ae962b496903cc392475b1ddfe88d7722c",
"MacAddress": "02:42:ac:14:f0:01",
"IPv4Address": "172.20.240.1/16",
"IPv6Address": ""
},
"aa21cbc03c81fbc9aa7d4c47845d45de060a0506db433a484db1a4dbfc844819": {
"Name": "zabbix-server-mysql",
"EndpointID": "f9497a944ed76b336844b974a88976aef8425996565916fd199dd4a7cc81029a",
"MacAddress": "02:42:ac:14:f0:03",
"IPv4Address": "172.20.240.3/16",
"IPv6Address": ""
},
"b18825e636ece0c602300ec8b3736aa67a7e698c171ac669439101624e964e39": {
"Name": "zabbix-web-nginx-mysql",
"EndpointID": "4e023fb93140af4a6ec7795824d51f4e09c5b0900136e8a92ac33cf3dbe0d885",
"MacAddress": "02:42:ac:14:f0:04",
"IPv4Address": "172.20.240.4/16",
"IPv6Address": ""
},
"e178eed4b84746b480ee4110aba2765090c48f70fd83d065d7ae3e530cee0e1f": {
"Name": "zabbix-java-gateway",
"EndpointID": "d1ade6c51f74a4600a3659a417a9dec9bf550148b46c45a3c5ed8c5420fff3a6",
"MacAddress": "02:42:ac:14:f0:02",
"IPv4Address": "172.20.240.2/16",
"IPv6Address": ""
}
},
"Options": {},
"Labels": {}
}
]
[root@elk92 ~]#
容器的 4 种重启策略
1. 什么是容器的重启策略
所谓的容器重启策略,指的是容器退出后 Docker 对该容器采取的处理方式,比如是否重新启动。
重启策略有以下四种:
- always:只要容器退出就始终会重启。
- no:只要容器退出,始终不重启。
- unless-stopped:在 Docker 服务重启之前,若容器处于运行状态,则服务重启后容器会重启,如果容器已经退出则不重启。
- on-failure:当容器异常退出时,才会重启,若容器正常退出则不重启。
2. 实战案例验证
2.1 验证 Always
[root@elk92 ~]# docker run -d --name c1-always --restart always alpine:latest sleep 10 # 正常退出时也会重启。
ec5342f63cd96820f985459516b68c409ccf3da7b4b5d1e772f5d479800e977f
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ec5342f63cd9 alpine:latest "sleep 10" 3 seconds ago Up 1 second c1-always
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ec5342f63cd9 alpine:latest "sleep 10" 6 seconds ago Up 5 seconds c1-always
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ec5342f63cd9 alpine:latest "sleep 10" 10 seconds ago Up 9 seconds c1-always
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ec5342f63cd9 alpine:latest "sleep 10" 11 seconds ago Up Less than a second c1-always
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ec5342f63cd9 alpine:latest "sleep 10" 13 seconds ago Up 1 second c1-always
[root@elk92 ~]#
[root@elk92 ~]# docker run -d --name c2-always --restart always alpine:latest sleep 300
158a4ee23901041461669f89e5b79db5b475c41c02c4476c05aaa1743f9bf014
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
158a4ee23901 alpine:latest "sleep 300" 45 seconds ago Up 44 seconds c2-always
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f "{{.RestartCount}}" c1-always
8
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f "{{.RestartCount}}" c2-always
0
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f "{{.State.Pid}}" c2-always
814797
[root@elk92 ~]#
[root@elk92 ~]# kill -9 814797 # 模拟的是异常退出,发现会重启
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
158a4ee23901 alpine:latest "sleep 300" About a minute ago Up Less than a second c2-always
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
158a4ee23901 alpine:latest "sleep 300" About a minute ago Up 3 seconds c2-always
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f "{{.RestartCount}}" c2-always
1
[root@elk92 ~]#
2.2 验证 no 策略
[root@elk92 ~]# docker run -d --name c3-no --restart no alpine:latest sleep 10
613a6fd8724ae58a06d408c677380aaacbcead797113d1cb5f2b1575d7e680d9
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
613a6fd8724a alpine:latest "sleep 10" 2 seconds ago Up 1 second c3-no
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
613a6fd8724a alpine:latest "sleep 10" 15 seconds ago Exited (0) 4 seconds ago c3-no
[root@elk92 ~]#
[root@elk92 ~]# docker run -d --name c4-no --restart no alpine:latest sleep 300
ef9bfc504c4a05dfe3e3bbefd20788d5b1fc6ed7f829b55f8dd73d890461295e
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ef9bfc504c4a alpine:latest "sleep 300" 4 seconds ago Up 3 seconds c4-no
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f "{{.State.Pid}}" c4-no
818422
[root@elk92 ~]#
[root@elk92 ~]# kill -9 818422 # 模拟异常退出时不重启
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ef9bfc504c4a alpine:latest "sleep 300" 35 seconds ago Exited (137) 1 second ago c4-no
[root@elk92 ~]#
2.3 验证 unless-stopped
[root@elk92 ~]# docker run -d --name c6-unless-stopped --restart unless-stopped alpine:latest sleep 10
809f0e701ad8b647f53138258fa94d13a7b593b031561d4d13406e70ad86c136
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
809f0e701ad8 alpine:latest "sleep 10" 4 seconds ago Up 3 seconds c6-unless-stopped
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
809f0e701ad8 alpine:latest "sleep 10" 7 seconds ago Up 6 seconds c6-unless-stopped
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
809f0e701ad8 alpine:latest "sleep 10" 10 seconds ago Up 10 seconds c6-unless-stopped
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
809f0e701ad8 alpine:latest "sleep 10" 12 seconds ago Up 1 second c6-unless-stopped
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
acb5c2145e2d alpine:latest "sleep 300" 2 seconds ago Up 1 second c7-unless-stopped
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f "{{.State.Pid}}" c7-unless-stopped
821041
[root@elk92 ~]#
[root@elk92 ~]# kill -9 821041
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
acb5c2145e2d alpine:latest "sleep 300" 25 seconds ago Up 1 second c7-unless-stopped
[root@elk92 ~]#
2.4 验证 on-failure
[root@elk92 ~]# docker run -d --name c8-on-failure-max --restart on-failure:3 alpine:latest sleep 10
97b82a1ac5ff15c441a1d339eeee3a677d522a07410ec4c4c34aef574f9b26e3
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
97b82a1ac5ff alpine:latest "sleep 10" 2 seconds ago Up 1 second c8-on-failure-max
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
97b82a1ac5ff alpine:latest "sleep 10" 11 seconds ago Exited (0) 1 second ago c8-on-failure-max
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
97b82a1ac5ff alpine:latest "sleep 10" 15 seconds ago Exited (0) 4 seconds ago c8-on-failure-max
[root@elk92 ~]#
[root@elk92 ~]# docker run -d --name c9-on-failure-max --restart on-failure:3 alpine:latest sleep 300
c8ab893815101eaab5c76e9dbf44da0c3e959e359df4a7ed22bb05e1a26d7e84
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c8ab89381510 alpine:latest "sleep 300" 2 seconds ago Up 2 seconds c9-on-failure-max
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f "{{.State.Pid}}" c9-on-failure-max
825192
[root@elk92 ~]#
[root@elk92 ~]# kill -9 825192
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c8ab89381510 alpine:latest "sleep 300" 37 seconds ago Up 2 seconds c9-on-failure-max
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f "{{.State.Pid}}" c9-on-failure-max
826263
[root@elk92 ~]#
[root@elk92 ~]# kill -9 826263
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c8ab89381510 alpine:latest "sleep 300" 53 seconds ago Up 1 second c9-on-failure-max
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f "{{.RestartCount}}" c9-on-failure-max
2
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f "{{.State.Pid}}" c9-on-failure-max
826737
[root@elk92 ~]#
[root@elk92 ~]# kill -9 826737
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c8ab89381510 alpine:latest "sleep 300" About a minute ago Up 1 second c9-on-failure-max
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f "{{.State.Pid}}" c9-on-failure-max
828403
[root@elk92 ~]#
[root@elk92 ~]# kill -9 828403
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c8ab89381510 alpine:latest "sleep 300" 2 minutes ago Exited (137) 2 seconds ago c9-on-failure-max
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f "{{.RestartCount}}" c9-on-failure-max
3
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f "{{.HostConfig.RestartPolicy.MaximumRetryCount}}" c9-on-failure-max
3
[root@elk92 ~]#
2.5 重启 docker 服务时,请问下面几种哪个会重启呢?
[root@elk92 ~]# docker run -d --name c11-always --restart always alpine:latest tail -f /etc/hosts
edfa0798290d8ec5d5a751ee4b407b6456e5c23112f6b23c48c55417b72d0260
[root@elk92 ~]#
[root@elk92 ~]# docker run -d --name c22-no --restart no alpine:latest tail -f /etc/hosts
aaf7e262f4ddd574ad4adc9062805dcb9e434dd5e0a201f91e28472c37c82ee2
[root@elk92 ~]#
[root@elk92 ~]# docker run -d --name c33-unless-stopped --restart unless-stopped alpine:latest tail -f /etc/hosts
c5afb42aad497da5b4b729c1ce381abe0d7fb3dccae809d6ac3e1f8ae6fa4344
[root@elk92 ~]#
[root@elk92 ~]# docker run -d --name c44-on-failure --restart on-failure:3 alpine:latest tail -f /etc/hosts
947eeace7837a3bd19f4f9755662d7dbf2c14fb8ff5853821a086e8c1cd83253
[root@elk92 ~]#
[root@elk92 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
947eeace7837 alpine:latest "tail -f /etc/hosts" 4 seconds ago Up 4 seconds c44-on-failure
c5afb42aad49 alpine:latest "tail -f /etc/hosts" 28 seconds ago Up 27 seconds c33-unless-stopped
aaf7e262f4dd alpine:latest "tail -f /etc/hosts" 41 seconds ago Up 41 seconds c22-no
edfa0798290d alpine:latest "tail -f /etc/hosts" 53 seconds ago Up 53 seconds c11-always
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# systemctl restart docker
[root@elk92 ~]#
[root@elk92 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
947eeace7837 alpine:latest "tail -f /etc/hosts" About a minute ago Up 25 seconds c44-on-failure
c5afb42aad49 alpine:latest "tail -f /etc/hosts" About a minute ago Up 24 seconds c33-unless-stopped
aaf7e262f4dd alpine:latest "tail -f /etc/hosts" About a minute ago Exited (255) 26 seconds ago c22-no
edfa0798290d alpine:latest "tail -f /etc/hosts" About a minute ago Up 24 seconds c11-always
[root@elk92 ~]#
[root@elk92 ~]# docker kill `docker ps -aq`
947eeace7837
c5afb42aad49
edfa0798290d
Error response from daemon: Cannot kill container: aaf7e262f4dd: Container aaf7e262f4ddd574ad4adc9062805dcb9e434dd5e0a201f91e28472c37c82ee2 is not running
[root@elk92 ~]#
[root@elk92 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
947eeace7837 alpine:latest "tail -f /etc/hosts" About a minute ago Exited (137) 5 seconds ago c44-on-failure
c5afb42aad49 alpine:latest "tail -f /etc/hosts" About a minute ago Exited (137) 5 seconds ago c33-unless-stopped
aaf7e262f4dd alpine:latest "tail -f /etc/hosts" 2 minutes ago Exited (255) 56 seconds ago c22-no
edfa0798290d alpine:latest "tail -f /etc/hosts" 2 minutes ago Exited (137) 5 seconds ago c11-always
[root@elk92 ~]#
[root@elk92 ~]# systemctl restart docker
[root@elk92 ~]#
[root@elk92 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
947eeace7837 alpine:latest "tail -f /etc/hosts" 2 minutes ago Up 26 seconds c44-on-failure
c5afb42aad49 alpine:latest "tail -f /etc/hosts" 2 minutes ago Exited (137) 39 seconds ago c33-unless-stopped
aaf7e262f4dd alpine:latest "tail -f /etc/hosts" 2 minutes ago Exited (255) About a minute ago c22-no
edfa0798290d alpine:latest "tail -f /etc/hosts" 2 minutes ago Up 26 seconds c11-always
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f "{{.HostConfig.RestartPolicy.MaximumRetryCount}}" c44-on-failure
3
[root@elk92 ~]#
[root@elk92 ~]# docker inspect -f "{{.RestartCount}}" c44-on-failure
0
[root@elk92 ~]#
docker 底层 Linux 特性之 iptables 技术
1. 暴露容器触发 iptables 的 NAT 规则
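当用户将一个容器的端口暴露到外部时,就会触发 iptables 的 NAT 规则。
需要注意:-p 81:80 默认绑定宿主机的所有地址(即下方输出中的 0.0.0.0:81),并且 DNAT 发生在 PREROUTING 阶段,宿主机 INPUT 链上的防火墙规则不会过滤这类流量;若只需本机访问,可写成 -p 127.0.0.1:81:80,需要限制访问来源时应在 DOCKER-USER 链中添加规则。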
[root@elk92 ~]# docker run -d --name myweb -p 81:80 registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1
8f723f1ed386828342549752cd4cafad79be57452df8441ddf00c9048a7062da
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8f723f1ed386 registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1 "/docker-entrypoint.…" 2 seconds ago Up 1 second 0.0.0.0:81->80/tcp, :::81->80/tcp myweb
[root@elk92 ~]#
[root@elk92 ~]# iptables-save | grep 81
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 81 -j DNAT --to-destination 172.17.0.2:80
[root@elk92 ~]#
[root@elk92 ~]# docker container inspect -f "{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}" myweb
172.17.0.2
[root@elk92 ~]#
[root@elk92 ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
179 10740 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
460 27600 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE all -- * !br-585d0fb7c93f 172.20.0.0/16 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:80
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- br-585d0fb7c93f * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:81 to:172.17.0.2:80
[root@elk92 ~]#
docker 底层 Linux 特性之 kernel 参数
1. 容器访问外网与内核转发参数
如果容器需要访问外网,则必须开启内核转发参数。
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8f723f1ed386 registry.cn-hangzhou.aliyuncs.com/yinzhengjie-k8s/apps:v1 "/docker-entrypoint.…" 9 minutes ago Up 9 minutes 0.0.0.0:81->80/tcp, :::81->80/tcp myweb
[root@elk92 ~]#
[root@elk92 ~]# docker exec myweb ping baidu.com -c 3
PING baidu.com (110.242.68.66): 56 data bytes
64 bytes from 110.242.68.66: seq=0 ttl=127 time=10.850 ms
64 bytes from 110.242.68.66: seq=1 ttl=127 time=11.014 ms
64 bytes from 110.242.68.66: seq=2 ttl=127 time=13.873 ms
--- baidu.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 10.850/11.912/13.873 ms
[root@elk92 ~]#
[root@elk92 ~]# sysctl -q net.ipv4.ip_forward
net.ipv4.ip_forward = 1
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# sysctl -w net.ipv4.ip_forward=0
net.ipv4.ip_forward = 0
[root@elk92 ~]#
[root@elk92 ~]# sysctl -q net.ipv4.ip_forward
net.ipv4.ip_forward = 0
[root@elk92 ~]#
[root@elk92 ~]# docker exec myweb ping baidu.com -c 3
ping: bad address 'baidu.com'
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[root@elk92 ~]#
[root@elk92 ~]# docker exec myweb ping baidu.com -c 3
PING baidu.com (39.156.66.10): 56 data bytes
64 bytes from 39.156.66.10: seq=0 ttl=127 time=10.424 ms
64 bytes from 39.156.66.10: seq=1 ttl=127 time=9.274 ms
64 bytes from 39.156.66.10: seq=2 ttl=127 time=7.482 ms
--- baidu.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 7.482/9.060/10.424 ms
[root@elk92 ~]#
docker 底层 Linux 特性之 cgroup
1. 什么是 cgroup
所谓的 cgroup 本质上是 Linux 内核用来做资源限制的机制,可以限制进程对 CPU、内存、磁盘 I/O 等资源的使用。
2. docker 底层基于 systemd 管理 cgroup
[root@elk92 ~]# docker info | grep Cgroup
Cgroup Driver: systemd
Cgroup Version: 2
[root@elk92 ~]#
3. 拉取镜像
[root@elk92 ~]# docker pull jasonyin2020/haoshuaicongedu-linux-tools:v0.1
v0.1: Pulling from jasonyin2020/haoshuaicongedu-linux-tools
59bf1c3509f3: Pull complete
cdc010c9a849: Pull complete
bac97e2f09ed: Pull complete
d2167fa4e835: Pull complete
Digest: sha256:eac6c50d80c7452db54871790fb26a6ca4d63dd3d4c98499293b3bab90832259
Status: Downloaded newer image for jasonyin2020/haoshuaicongedu-linux-tools:v0.1
docker.io/jasonyin2020/haoshuaicongedu-linux-tools:v0.1
[root@elk92 ~]#
SVIP:
http://192.168.16.253/Resources/Docker/images/haoshuaicongedu-stress-tools.tar.gz
4. 启动容器
限制 CPU 使用率不超过 30%(--cpu-quota 30000,相对于默认的 --cpu-period 100000),内存不超过 200MiB(-m 209715200,即 200×1024×1024 字节)。
[root@elk92 ~]# docker run -d --name stress --cpu-quota 30000 -m 209715200 jasonyin2020/haoshuaicongedu-linux-tools:v0.1 tail -f /etc/hosts
ff20efb748d582ba58910b9c2f494c46b9b1d38cc75c9807586d9de123c0ddc7
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ff20efb748d5 jasonyin2020/haoshuaicongedu-linux-tools:v0.1 "tail -f /etc/hosts" 2 seconds ago Up 2 seconds stress
[root@elk92 ~]#
5. CPU 压测
[root@elk92 ~]# docker exec -it stress sh
/usr/local/stress #
/usr/local/stress # stress -c 4 --verbose --timeout 10m
stress: info: [19] dispatching hogs: 4 cpu, 0 io, 0 vm, 0 hdd
stress: dbug: [19] using backoff sleep of 12000us
stress: dbug: [19] setting timeout to 600s
stress: dbug: [19] --> hogcpu worker 4 [20] forked
stress: dbug: [19] using backoff sleep of 9000us
stress: dbug: [19] setting timeout to 600s
stress: dbug: [19] --> hogcpu worker 3 [21] forked
stress: dbug: [19] using backoff sleep of 6000us
stress: dbug: [19] setting timeout to 600s
stress: dbug: [19] --> hogcpu worker 2 [22] forked
stress: dbug: [19] using backoff sleep of 3000us
stress: dbug: [19] setting timeout to 600s
stress: dbug: [19] --> hogcpu worker 1 [23] forked
...
[root@elk92 ~]# docker stats stress
...
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
ff20efb748d5 stress 30.66% 1.535MiB / 200MiB 0.77% 2.3kB / 0B 0B / 16.4kB 11
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
ff20efb748d5 stress 30.66% 1.535MiB / 200MiB 0.77% 2.3kB / 0B 0B / 16.4kB 11
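6. 内存压测(5 个 worker × 50MiB = 250MiB,超过 200MiB 的限制;下方 MEM USAGE 被压在 200MiB 以内而 BLOCK I/O 大幅增长,推测是超出部分被换出到了 swap —— 启动容器时未设置 --memory-swap,容器仍可使用 swap)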
[root@elk92 ~]# docker exec -it stress sh
...
/usr/local/stress # stress -m 5 --vm-bytes 52428800 --vm-keep --verbose
...
[root@elk92 ~]# docker stats stress
...
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
ff20efb748d5 stress 30.70% 199.9MiB / 200MiB 99.93% 2.37kB / 0B 2.87GB / 2.58GB 29
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
ff20efb748d5 stress 30.70% 199.9MiB / 200MiB 99.93% 2.37kB / 0B 2.87GB / 2.58GB 29
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
ff20efb748d5 stress 30.72% 199.7MiB / 200MiB 99.85% 2.37kB / 0B 2.96GB / 2.68GB 29
彩蛋:对已经运行的容器做资源限制
1. 实验环境
[root@elk92 ~]# free -h
total used free shared buff/cache available
Mem: 7.7Gi 3.9Gi 1.1Gi 1.0Mi 2.8Gi 3.6Gi
Swap: 3.8Gi 3.0Mi 3.8Gi
[root@elk92 ~]#
[root@elk92 ~]# docker stats myweb
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
8f723f1ed386 myweb 0.00% 4.379MiB / 7.717GiB 0.06% 4.44kB / 2.69kB 12.6MB / 24.6kB 3
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
8f723f1ed386 myweb 0.00% 4.379MiB / 7.717GiB 0.06% 4.44kB / 2.69kB 12.6MB / 24.6kB 3
...
2. 在不停止容器的情况下配置资源限制(--memory-swap 与 -m 取相同的值,表示该容器不允许使用 swap)
[root@elk92 ~]# docker update --cpu-quota 50000 -m 52428800 --memory-swap 52428800 myweb
myweb
[root@elk92 ~]#
3. 验证测试
[root@elk92 ~]# docker stats myweb --no-stream
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
8f723f1ed386 myweb 0.00% 4.379MiB / 50MiB 8.76% 4.44kB / 2.69kB 12.6MB / 24.6kB 3
[root@elk92 ~]#
使用 docker 部署 ES 单点
1. 创建自定义网络
[root@elk92 ~]# docker network create elastic
5ed2e4e49c9457cc918f349efb3f86cca44eaf6556e699776efae7787b47a33e
[root@elk92 ~]#
2. 拉取镜像到本地
[root@elk92 ~]# docker pull docker.elastic.co/elasticsearch/elasticsearch:8.17.3
8.17.3: Pulling from elasticsearch/elasticsearch
4bb953b2341e: Pull complete
8e24285bc7e9: Pull complete
712c04fdbd90: Pull complete
4ca545ee6d5d: Pull complete
c8e302a2e0d1: Pull complete
2920558bb9da: Pull complete
425da96d0239: Pull complete
542cc10a95ab: Pull complete
a0a8cf8ea932: Pull complete
ca2cb92388d3: Pull complete
Digest: sha256:224c75e346bd745ce908f06a1cbad7bf10988961dcdcdfccb22556b3f856b3f0
Status: Downloaded newer image for docker.elastic.co/elasticsearch/elasticsearch:8.17.3
docker.elastic.co/elasticsearch/elasticsearch:8.17.3
[root@elk92 ~]#
3. 后台运行 es 服务
[root@elk92 ~]# docker run -d --name es01 --net elastic -p 19200:9200 -it -m 1GB docker.elastic.co/elasticsearch/elasticsearch:8.17.3
56e2ec147a76ce3f4cbde953fdea48028154e3490106963e440e03ee8c7c53eb
[root@elk92 ~]#
[root@elk92 ~]#
[root@elk92 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
56e2ec147a76 docker.elastic.co/elasticsearch/elasticsearch:8.17.3 "/bin/tini -- /usr/l…" 5 seconds ago Up 4 seconds 9300/tcp, 0.0.0.0:19200->9200/tcp, :::19200->9200/tcp es01
[root@elk92 ~]#
4. 重置 ES 的密码
[root@elk92 ~]# docker exec -it es01 /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
WARNING: Owner of file [/usr/share/elasticsearch/config/users] used to be [root], but now is [elasticsearch]
WARNING: Owner of file [/usr/share/elasticsearch/config/users_roles] used to be [root], but now is [elasticsearch]
This tool will reset the password of the [elastic] user to an autogenerated value.
The password will be printed in the console.
Please confirm that you would like to continue [y/N]y
Password for the [elastic] user successfully reset.
New value: oKDKPom6akpPKO7T89x2
[root@elk92 ~]#
5. 获取 kibana 加入的 token
[root@elk92 ~]# docker exec -it es01 /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
eyJ2ZXIiOiI4LjE0LjAiLCJhZHIiOlsiMTcyLjE4LjAuMjo5MjAwIl0sImZnciI6IjA3N2VmMzFhMDYwMzYyZDBmYzAwOTI0Nzk4MWNhMjA3OTRlMTcwZDc1YjA0MWFjNzVmY2MwNjFhNzY5NDFmYmMiLCJrZXkiOiJfUG5mc3BVQmVxRkQ4SWl2cEEwSjpxbnBJTnpHLVQwbTRnaW5JTjE0cjF3In0=
[root@elk92 ~]#
6. 从容器拷贝证书文件到本地
[root@elk92 ~]# docker cp es01:/usr/share/elasticsearch/config/certs/http_ca.crt .
[root@elk92 ~]#
[root@elk92 ~]# ll http_ca.crt
-rw-rw---- 1 root root 1915 Mar 20 17:21 http_ca.crt
[root@elk92 ~]#
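7. 访问 ES 测试(推荐使用 --cacert 指定上一步拷贝出来的 CA 证书来校验服务端;-k 会跳过证书校验,无法发现中间人,仅适合临时测试。另外 -u 用户名:密码 的写法会把密码留在 shell 历史和进程参数中,可以只写 -u elastic,让 curl 交互式提示输入密码)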
[root@elk92 ~]# curl --cacert http_ca.crt -u elastic:oKDKPom6akpPKO7T89x2 https://localhost:19200/_cat/nodes
172.18.0.2 56 90 10 0.30 0.59 0.55 cdfhilmrstw * 56e2ec147a76
[root@elk92 ~]#
[root@elk92 ~]# curl -k -u elastic:oKDKPom6akpPKO7T89x2 https://10.0.0.92:19200/_cat/nodes
172.18.0.2 59 90 6 0.30 0.52 0.53 cdfhilmrstw * 56e2ec147a76
[root@elk92 ~]#
使用 Docker 部署 ES 集群
1. 创建 token
[root@elk92 ~]# docker exec -it es01 /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node
eyJ2ZXIiOiI4LjE0LjAiLCJhZHIiOlsiMTcyLjE4LjAuMjo5MjAwIl0sImZnciI6IjA3N2VmMzFhMDYwMzYyZDBmYzAwOTI0Nzk4MWNhMjA3OTRlMTcwZDc1YjA0MWFjNzVmY2MwNjFhNzY5NDFmYmMiLCJrZXkiOiJfdm5qc3BVQmVxRkQ4SWl2WVEydTpfc3AtaFhsdVNVNmJuZGxqaExXdVlRIn0=
[root@elk92 ~]#
2. 启动新节点
[root@elk92 ~]# docker run -d -e ENROLLMENT_TOKEN="eyJ2ZXIiOiI4LjE0LjAiLCJhZHIiOlsiMTcyLjE4LjAuMjo5MjAwIl0sImZnciI6IjA3N2VmMzFhMDYwMzYyZDBmYzAwOTI0Nzk4MWNhMjA3OTRlMTcwZDc1YjA0MWFjNzVmY2MwNjFhNzY5NDFmYmMiLCJrZXkiOiJfdm5qc3BVQmVxRkQ4SWl2WVEydTpfc3AtaFhsdVNVNmJuZGxqaExXdVlRIn0=" --name es02 --net elastic -it -m 1GB docker.elastic.co/elasticsearch/elasticsearch:8.17.3
f9507cdc0e658c4da580dc9f968a85784ed6bac530f25bdf4785cd06dab10942
[root@elk92 ~]#
[root@elk92 ~]# docker run -d -e ENROLLMENT_TOKEN="eyJ2ZXIiOiI4LjE0LjAiLCJhZHIiOlsiMTcyLjE4LjAuMjo5MjAwIl0sImZnciI6IjA3N2VmMzFhMDYwMzYyZDBmYzAwOTI0Nzk4MWNhMjA3OTRlMTcwZDc1YjA0MWFjNzVmY2MwNjFhNzY5NDFmYmMiLCJrZXkiOiJfdm5qc3BVQmVxRkQ4SWl2WVEydTpfc3AtaFhsdVNVNmJuZGxqaExXdVlRIn0=" --name es03 --net elastic -it -m 1GB docker.elastic.co/elasticsearch/elasticsearch:8.17.3
b17df95ddab2ef50d54da8ed50bc5eeacc443c7335cd1abb38466b752a06159f
[root@elk92 ~]#
3. 查看集群是否部署成功
[root@elk92 ~]# curl -k -u elastic:oKDKPom6akpPKO7T89x2 https://10.0.0.92:19200/_cat/nodes
172.18.0.2 51 85 7 1.38 0.81 0.62 cdfhilmrstw * 56e2ec147a76
172.18.0.3 58 95 7 1.38 0.81 0.62 cdfhilmrstw - f9507cdc0e65
172.18.0.4 34 96 6 1.38 0.81 0.62 cdfhilmrstw - b17df95ddab2
[root@elk92 ~]#
[root@elk92 ~]# curl --cacert http_ca.crt -u elastic:oKDKPom6akpPKO7T89x2 https://localhost:19200/_cat/nodes
172.18.0.2 52 85 9 1.35 0.81 0.62 cdfhilmrstw * 56e2ec147a76
172.18.0.3 59 95 9 1.35 0.81 0.62 cdfhilmrstw - f9507cdc0e65
172.18.0.4 35 97 9 1.35 0.81 0.62 cdfhilmrstw - b17df95ddab2
[root@elk92 ~]#
使用 Docker 部署 Kibana
1. 下载 Kibana
[root@elk92 ~]# docker pull docker.elastic.co/kibana/kibana:8.17.3
8.17.3: Pulling from kibana/kibana
4bb953b2341e: Already exists
0961e5ed6e0a: Pull complete
6ce04461e85c: Pull complete
f4f59eec995f: Pull complete
2ffd3541d0b7: Pull complete
53b1f59a050f: Pull complete
4ca545ee6d5d: Pull complete
07997af583d7: Pull complete
8deb66cfd190: Pull complete
778b08e1783f: Pull complete
56c96bfa149e: Pull complete
c109816ec202: Pull complete
2675abfb9d2f: Pull complete
Digest: sha256:7dfee7a14cf7de9f22285d9e9db3bf423c36f3f4a82c0dce7294b0fb1532c863
Status: Downloaded newer image for docker.elastic.co/kibana/kibana:8.17.3
docker.elastic.co/kibana/kibana:8.17.3
[root@elk92 ~]#
2. 运行 Kibana
[root@elk92 ~]# docker run -d --name kibana --net elastic -p 5601:5601 docker.elastic.co/kibana/kibana:8.17.3
fd2e21c42d1b831ecb0261415d38e6450f5a49a3ec2443907a9fc4979c0525c0
[root@elk92 ~]#
3. 访问 Kibana
http://10.0.0.92:5601/
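使用之前 ES 生成的 kibana 类型 token(即前面 elasticsearch-create-enrollment-token -s kibana 的输出)登录;enrollment token 的有效期为 30 分钟,过期后需重新执行该命令生成: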
eyJ2ZXIiOiI4LjE0LjAiLCJhZHIiOlsiMTcyLjE4LjAuMjo5MjAwIl0sImZnciI6IjA3N2VmMzFhMDYwMzYyZDBmYzAwOTI0Nzk4MWNhMjA3OTRlMTcwZDc1YjA0MWFjNzVmY2MwNjFhNzY5NDFmYmMiLCJrZXkiOiJfUG5mc3BVQmVxRkQ4SWl2cEEwSjpxbnBJTnpHLVQwbTRnaW5JTjE0cjF3In0=
4. 获取 Kibana 的校验码
[root@elk92 ~]# docker exec kibana /usr/share/kibana/bin/kibana-verification-code
Kibana is currently running with legacy OpenSSL providers enabled! For details and instructions on how to disable see https://www.elastic.co/guide/en/kibana/8.17/production.html#openssl-legacy-provider
Your verification code is: 912 224
[root@elk92 ~]#
5. 登录修改 elastic 的密码
http://10.0.0.92:5601
用户名: elastic
密 码: oKDKPom6akpPKO7T89x2 # 你的密码看你自己的,推荐密码修改为: 123456(123456 属于弱口令,只适用于隔离的实验环境;-p 5601:5601 默认会把 Kibana 映射到宿主机的所有网卡,其他环境请使用强随机密码)
6. 修改中文支持
[root@elk92 ~]# docker exec -it kibana bash
kibana@fd2e21c42d1b:~$
kibana@fd2e21c42d1b:~$ echo i18n.locale: "zh-CN" >> /usr/share/kibana/config/kibana.yml
kibana@fd2e21c42d1b:~$
kibana@fd2e21c42d1b:~$ exit
[root@elk92 ~]#
[root@elk92 ~]# docker restart kibana
kibana
[root@elk92 ~]#
推荐阅读
https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html
docker run --rm \
docker.elastic.co/beats/filebeat:8.17.3 \
setup -E setup.kibana.host=kibana:15601 \
-E output.elasticsearch.hosts=["elasticsearch:19200"] \
今日总结
docker run --rm \
docker.elastic.co/beats/filebeat:8.17.3 \
setup -E setup.kibana.host=kibana:15601 \
-E output.elasticsearch.hosts=["elasticsearch:19200"] \
-E cloud.id=<Cloud ID from Elasticsearch Service> \
-E cloud.auth=elastic:<elastic password>
- 今日内容回顾:
- 存储卷 *****
-v
--volumes-from
- 故障排查技巧命令 *****
- docker exec
- docker cp
- docker logs
- docker inspect
- docker的网络类型
- 单机网络 *****
- none
- bridge
- container
- host
- custom network
- 跨主机网络 *
- macvlan
- overlay
- flannel
- ipvlan
- docker重启策略 *****
- no
- always
- on-failure
- unless-stopped
- docker底层用到的Linux特性 ***
- chroot
- cgroup
- overlayFS
- iptables
- namespace
- kernel args ...
- 项目案例 **
- zabbix
- ElasticStack
今日作业:
- 完成课堂所有练习并整理思维导图;
- 使用EFK的容器版本,采集各节点的系统日志到ES集群,并通过kibana展示;
扩展作业:
- 使用docker部署"Loki + Grafana"服务并测试运行。