docker安装

发表于 更新于 分类于

安装和删除方法

官方文档:https://docs.docker.com/engine/install/
ubuntu:https://docs.docker.com/engine/install/ubuntu/
centos:https://docs.docker.com/install/linux/docker-ce/centos/
阿里云文档:https://developer.aliyun.com/mirror/docker-ce

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# ubuntuu
$ sudo apt update
$ sudo apt -y install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common
#$ curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add - # ubuntu22.04中废弃了apt-key命令
$ curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/docker.gpg

$ sudo add-apt-repository \
    "deb [arch=amd64] https://mirrors.aliyun.com/docker-ce/linux/ubuntu \
    $(lsb_release -cs) \
    stable"
$ sudo apt update
$ sudo apt -y install docker-ce

# 以上是直接安装最新版本,推荐安装时指定版本
$ apt-cache madison docker-ce
$ sudo apt -y install docker-ce=<VERSION_STRING>

二进制安装:https://docs.docker.com/install/linux/docker-ce/binaries/
https://mirrors.aliyun.com/docker-ce/linux/static/stable/x86_64/

配置文件

docker-ce 配置文件:

1
/etc/docker/daemon.json

docker registry 配置文件:

1
2
3
4
# ubuntu,来自containerd.io软件包
/etc/containerd/config.toml
# centos
/etc/containers/registries.conf

docker 命令帮助

https://docs.docker.com/reference/

新版 docker 命令采用结构化格式,虽然老版命令依旧可以使用,但是还是推荐结构化的使用命令,更加规范有效的使用。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
$ docker help

Usage:  docker [OPTIONS] COMMAND

A self-sufficient runtime for containers

Options:
      --config string      Location of client config files (default "/root/.docker")
  -c, --context string     Name of the context to use to connect to the daemon (overrides DOCKER_HOST env var and default context set
                           with "docker context use")
  -D, --debug              Enable debug mode
  -H, --host list          Daemon socket(s) to connect to
  -l, --log-level string   Set the logging level ("debug"|"info"|"warn"|"error"|"fatal") (default "info")
      --tls                Use TLS; implied by --tlsverify
      --tlscacert string   Trust certs signed only by this CA (default "/root/.docker/ca.pem")
      --tlscert string     Path to TLS certificate file (default "/root/.docker/cert.pem")
      --tlskey string      Path to TLS key file (default "/root/.docker/key.pem")
      --tlsverify          Use TLS and verify the remote
  -v, --version            Print version information and quit

Management Commands:
  app*        Docker App (Docker Inc., v0.9.1-beta3)
  builder     Manage builds
  buildx*     Docker Buildx (Docker Inc., v0.9.1-docker)
  config      Manage Docker configs  # 管理docker配置
  container   Manage containers   # 管理容器
  context     Manage contexts
  image       Manage images    # 管理镜像
  manifest    Manage Docker image manifests and manifest lists
  network     Manage networks   # 管理网络
  node        Manage Swarm nodes  # 管理Swarm节点
  plugin      Manage plugins   # 管理插件
  scan*       Docker Scan (Docker Inc., v0.21.0)
  secret      Manage Docker secrets  # 管理docker安全
  service     Manage services   # 管理服务
  stack       Manage Docker stacks
  swarm       Manage Swarm    # 管理Swarm集群
  system      Manage Docker    # 管理docker系统
  trust       Manage trust on Docker images  # 管理镜像信任
  volume      Manage volumes     # 管理卷

Commands:
  attach      Attach local standard input, output, and error streams to a running container
  build       Build an image from a Dockerfile
  commit      Create a new image from a container's changes
  cp          Copy files/folders between a container and the local filesystem
  create      Create a new container
  diff        Inspect changes to files or directories on a container's filesystem
  events      Get real time events from the server
  exec        Run a command in a running container
  export      Export a container's filesystem as a tar archive
  history     Show the history of an image
  images      List images
  import      Import the contents from a tarball to create a filesystem image
  info        Display system-wide information
  inspect     Return low-level information on Docker objects
  kill        Kill one or more running containers
  load        Load an image from a tar archive or STDIN
  login       Log in to a Docker registry
  logout      Log out from a Docker registry
  logs        Fetch the logs of a container
  pause       Pause all processes within one or more containers
  port        List port mappings or a specific mapping for the container
  ps          List containers
  pull        Pull an image or a repository from a registry
  push        Push an image or a repository to a registry
  rename      Rename a container
  restart     Restart one or more containers
  rm          Remove one or more containers
  rmi         Remove one or more images
  run         Run a command in a new container
  save        Save one or more images to a tar archive (streamed to STDOUT by default)
  search      Search the Docker Hub for images
  start       Start one or more stopped containers
  stats       Display a live stream of container(s) resource usage statistics
  stop        Stop one or more running containers
  tag         Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
  top         Display the running processes of a container
  unpause     Unpause all processes within one or more containers
  update      Update configuration of one or more containers
  version     Show the Docker version information
  wait        Block until one or more containers stop, then print their exit codes

Run 'docker COMMAND --help' for more information on a command.

To get more help with docker, check out our guides at https://docs.docker.com/go/guides/

docker 相关信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
lujinkai@Z510:~$ sudo docker system info
Client:
 Debug Mode: false #client 端是否开启 debug

Server:
 Containers: 3 #当前主机运行的容器总数
  Running: 0 #有几个容器是正在运行的
  Paused: 0  #有几个容器是暂停的
  Stopped: 3 #有几个容器是停止的
 Images: 4  #当前服务器的镜像数
 Server Version: 19.03.13 #服务端版本
 Storage Driver: overlay2 #正在使用的存储引擎
  Backing Filesystem: extfs #后端文件系统,即服务器的磁盘文件系统
  Supports d_type: true  #是否支持 d_type
  Native Overlay Diff: true #是否支持差异数据存储
 Logging Driver: json-file #日志类型
 Cgroup Driver: cgroupfs #Cgroups 类型
 Plugins:     #插件
  Volume: local    #卷
  Network: bridge host ipvlan macvlan null overlay # overlay 跨主机通信
  #日志类型
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive #是否支持 swarm
 Runtimes: runc  #已安装的runtime
 Default Runtime: runc #默认使用的容器runtime
 Init Binary: docker-init #初始化容器的守护进程,即 pid 为 1 的进程
 containerd version: 8fba4e9a7d01810a393d5d25a3621dc101981175 #版本
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd #runc 版本
 init version: fec3683 #init 版本
 Security Options: #安全选项
  apparmor #安全模块,https://docs.docker.com/engine/security/apparmor/
  seccomp #安全计算模块,即制容器操作,https://docs.docker.com/engine/security/seccomp/
   Profile: default  #默认的配置文件
 Kernel Version: 5.4.0-53-generic  #宿主机内核版本
 Operating System: Ubuntu 20.04.1 LTS #宿主机操作系统
 OSType: linux   #宿主机操作系统类型
 Architecture: x86_64 #宿主机架构
 CPUs: 4 #宿主机 CPU 数量
 Total Memory: 15.56GiB  #宿主机总内存
 Name: Z510  #宿主机 hostname
 ID: 7FJX:7VKN:2YGG:VKRB:5KKA:DB7C:KNLC:UW2N:XH3E:EVEG:OSQJ:EEKV #宿主机 ID
 Docker Root Dir: /var/lib/docker #宿主机关于docker数据的保存目录
 Debug Mode: false  #server 端是否开启 debug
 Registry: https://index.docker.io/v1/  #仓库路径
 Labels:
 Experimental: false #是否测试版
 Insecure Registries:
  127.0.0.0/8  #非安全的镜像仓库
 Registry Mirrors:
  https://3417nt4m.mirror.aliyuncs.com/  #镜像仓库
 Live Restore Enabled: false #是否开启活动重启 (重启docker-daemon 不关闭容器 )

WARNING: No swap limit support #系统警告信息 (没有开启 swap 资源限制 )

解决上述 SWAP 报警提示:

1
2
3
4
5
6
7
# vim /etc/default/grub
...
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0 swapaccount=1" #修改此行
...

sudo update-grub
sudo reboot

docker0 网卡

在 docker 安装启动之后,默认会生成一个名称为 docker0 的网卡,默认 IP 地址为 172.17.0.1 的网卡

docker 存储引擎

docker 官方推荐首选存储引擎为 overlay2,需要磁盘分区支持 d-type 功能

docker 服务进程

docker 相关的四个进程:

  • dockerd:服务端程序,被 client 直接访问,父进程为宿主机的 systemd 守护进程
  • docker-proxy:每个进程 docker-proxy 实现对应一个需要网络通信的容器,管理宿主机和容器的之间端口映射,其父进程为 dockerd,如果容器不需要网络则无需启动
  • containerd:被 dockerd 进程调用以实现与 runc 交互
  • containerd-shim:真正运行容器的载体,每个容器对应一个 containerd-shim 进程,其父进程为 containerd

containerd-shim 命令

容器的创建与管理过程

  1. dockerd 通过 grpc 和 containerd 模块通信,由 libcontainerd 负责,通信的 socket:/run/containerd/containerd.sock
  2. containerd 在 dockerd 启动时被启动,然后 containerd 启动 grpc 请求监听,containerd 处理请求,根据请求作出相应动作
  3. run/start/exec 容器,containerd 拉起一个 container-shim,并进行相应的操作
  4. container-shim 被拉起后,start/exec/create 拉起 runc 进程,通过 exit、control 文件和 containerd 通信,通过父子进程关系和 sigchld 监控容器中进程状态
  5. 在整个容器生命周期中,container 通过 epoll 监控容器文件、事件

gRPC

gPRC 是谷歌开发的一款高性能、开源和通用的 RPC 框架,支持众多语言客户端

docker 服务管理

docker 服务基于 C/S 架构,可以实现基于本地和远程方式进行管理

范例:docker 服务添加标签

1
2
3
4
5
6
7
8
9
10
11
$ vim /lib/systemd/system/docker.service
# 修改如下行
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --label="name=docker1"
...


$ docker info
...
Labels:
name=docker1 #此处显示添加的标签
...