docker basic
install docker on centos machine
-
install yum install -y docker
-
check docker status systemctl status docker.service
-
systemctl start docker.service
min kernel version: 3.10.0
basic commands
docker -v
docker version
docker info
update docker on ubuntu
- add gpg key
wget -qO- https://get.docker.com/gpg | apt-key add -
- add docker repository to sources.list
echo deb http://get.docker.com/ubuntu docker main > /etc/apt/sources.list.d/docker.list
- apt-get update
- apt-get install lxc-docker
run docker without roots
add users to Docker group to create namespace, cgroups and binds to /var/run/docker.sock
sudo gpasswd -a sean docker
cat /etc/group
config docker to communicate on network
docker default listen on a local unix socket, to config to run on tcp, we need:
-
check netstat
netstat -tlp
-
stop docker
service docker stop
-
run docker with -H command
docker -H 192.168.58.32:2375 -H unix:///var/run/docker.sock -d &
-
let docker client to talk to docker server via tcp
export DOCKER_HOST="tcp://192.168.58.32:2375"
some basic concept
image we are working in a large shipping company
Docker Engine
which is also called Docker demo is the Shipping Yard
Docker Images
is the manifests of the goods which to ship
docker containers
is the shipping containers
they all play good in there role
Where images are stored
on ubuntu it’s stored in /var/lib/docker/aufs/diff/xxxxxxxxx/
copy images to other hosts
- create a new image base on the current image
docker commit <image-hash> new-image-name
- save the image to tar file
docker save -o /tmp/imagename.tar imagename
peek inside to tar ball
tar -tf /tmp/imagename.tar
docker load -i /tmp/imagename.tar
- commands for working with container
docker run --cpu-shares=256
docker run memory=1g
ctrl + p + q detaching from container
-
use nsenter to access to a running container
use docker inspect to get the pid of a running container docker inspect <container> | grep Pid nsenter -m -u -n -p -i -t <pid> /bin/bash
-
get ternimal inside a container
docker exec -it <container> /bin/bash
- use docker to install software
docker run -v /usr/local/bin:/target jpetazzo/nsenter
Installing nscenter to /target
Installing docker-enter to /target
use -v option to mount local directory to container, thus when container start, it will copy the file from container target directory to the local directory
build with Dockerfile
docker build -t hello .
docker will take current diretory as build context, that is said all the file in the current directory can be used to build the image
use private registry
docker tag <image-id> <dns-server of docker registry>:<port>/<image-name>
docker push <dns-server of docker registry>:<port>/<image-name>
eg:
docker tag 43df3123 registry.docker.com:5000/private-test
docker push registry.docker.com:5000/private-test
note
add DOCKER_OPTS="--insecure-registry registry.docker.com:5000"
into docker config file at /etc/default/docker
for redhat system that use systemd
edit the systemd unit file for the docker service
/usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/docker -d $OPTIONS $DOCKER_STORAGE_OPTIONS --insecure-registry registry.docker.com:5000
reduce the number of Layers in images
each instruction will become a new layer, that add lots of unnessary layer, we can reduce the number of layers
RUN apt-get update && apt-get install -y \
apache2 \
apache2-utils \
vim \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
EXPOSE 80
CMD ["apache2ctl", "-D", "FIREGROUND"]
Dockerfile Instruction
CMD
only executes at runtime when lanuch the container
there can only be one CMD instruction per Dockerfile, and the cmd specified in docker run ... <command>
will override the cmd instruction in Dockerfile
CMD echo "Hello world"
CMD ["echo", "hello world"]
ENTRYPOINT
can’t be overridden at run-time with normal commands
docker run …
any command at run-time is used as an argument to ENTRYPOINT
ENTRYPOINT ["echo"]
docker run image Helloworld //helloworld will be treated as argument
so using ENTRYPOINT like this are containers behave like a binary
when use CMD with ENTRYPOINT, things get interesting, as CMD can be override by the commandline, so we can use CMD as the default arguments of ENTRYPOINT
CMD ["hello world"]
ENTRYPOINT ["echo"]
docker run -it helloworld //hello world
docker run -it hey there //hey there
ENV
used to set the enviroment variable in the container ``` ENV var1=ping var2=8.8.8.8
CMD $var1 $var2 ```
Volumns
docker run -it -v /data --name=volumecontainer ubuntu
after the volumecontainer started, we can access the volume from another container by --volumnes-from=volumecontainer
docker run -it --volumes-from=volumecontainer ubuntu /bin/bash
we can also mount the directory from our host machine to the container
docker run -v /data:/data //that will mount the /data directory from our local host to the /data in the container
VOLUMN instruction
VOLUME /data
if we want to remove the container with volume, we need to specify the -v option docker rm -v
otherwise the volume will not be deleted
docker networking
docker0 bridge
inspect the network interface by ip a
there is an interface called docker0
, when the docker daemon starts on our docker host, it creates this docker0 interface, it’s actually a bit more than just an interface, it actually a bridge creatd entirely in software inside the linux kernel, and docker0 is crucial to container networking, it passes or switches packets between two connected devices.
we can use bridge-utils
package to see the details of the docker0 interface
brctl show docker0
docker inspect
when look inside the container file /var/lib/docker/containers/
docker run --dns=8.8.4.4
this will use 8.8.4.4 as dns in the new container
if the network docker assign has confilcate with the current network that is said the range of the address has been used.
ip link del docker0 delete the docker0 link
edit the docker config file
vim /etc/default/docker
DOCKER_OPTS=--bip=150.150.0.1/24
–icc is short for inter-container communication, default to true, turning off this option will stop the container to communicate with each other. –iptables indicate if is allowed to modify iptable
be aware of this, if you found your container is not able to talk each other, chech these two option
private network ranges
10.0.0.0/255.0.0.0 10.0.0.0/8 // from 10.0.0.0 - 10.255.255.255 172.16.0.0/255.240.0.0 172.16.0.0/15 // from 172.16.0.0 - 172.31.255.255 192.168.0.0/255.255.0.0 192.168.0.0/16 // from 192.168.0.0 - 192.168.255.255
EXPOSE
EXPOSE 80 //expose 80 port to hostmachine
logging
docker -d -l debug & //start docker daemon with log level debug
/etc/default/docker
DOCKER_OPTS=”–log-level=fatal”
blog comments powered by Disqus