① Get the official registry image
[root@dockertest ~]# docker run -d -p 5000:5000 --restart=always --name registry registry:2
Unable to find image 'registry:2' locally
2: Pulling from library/registry
81033e7c1d6a: Pull complete
b235084c2315: Pull complete
c692f3a6894b: Pull complete
ba2177f3a70e: Pull complete
a8d793620947: Pull complete
Digest: sha256:672d519d7fd7bbc7a448d17956ebeefe225d5eb27509d8dc5ce67ecb4a0bce54
Status: Downloaded newer image for registry:2
f59d18d8302b6589d5e94f901c1161a48854593cc32ee3259c806bc648c437df
# By default the repository is created under /var/lib/registry inside the container; -v can be used to store the image files in a chosen directory on the host.
docker run -d -p 5000:5000 --restart=always \
  -v /opt/docker/registry/data:/var/lib/registry --name registry registry:2
② Push an image to the registry
[root@dockertest ~]# docker tag nginx:latest 192.168.10.131:5000/nginx:latest
[root@dockertest ~]# docker push 192.168.10.131:5000/nginx:latest
The push refers to repository [192.168.10.131:5000/nginx]
Get https://192.168.10.131:5000/v2/: http: server gave HTTP response to HTTPS client
# On CentOS 7, Docker must be configured to allow access to this non-HTTPS registry (the insecure-registries entry below) and then restarted. The entry turns off TLS verification for the listed registry only.
[root@dockertest ~]# cat /etc/docker/daemon.json
{
  "registry-mirrors": [
    "https://registry.docker-cn.com"
  ],
  "insecure-registries": [
    "192.168.10.131:5000"
  ]
}
[root@dockertest ~]# systemctl restart docker.service
[root@dockertest ~]# docker push 192.168.10.131:5000/nginx:latest
The push refers to repository [192.168.10.131:5000/nginx]
e89b70d28795: Pushed
832a3ae4ac84: Pushed
014cf8bfcb2d: Pushed
latest: digest: sha256:600bff7fb36d7992512f8c07abd50aac08db8f17c94e3c83e47d53435a1a6f7c size: 948
[root@dockertest ~]# curl 192.168.10.131:5000/v2/_catalog
{"repositories":["nginx"]}
③ Delete the local image and pull it again from the registry
[root@dockertest ~]# docker image rm 192.168.10.131:5000/nginx:latest
[root@dockertest ~]# docker pull 192.168.10.131:5000/nginx:latest
latest: Pulling from nginx
8176e34d5d92: Pull complete
5b19c1bdd74b: Pull complete
4e9f6296fa34: Pull complete
Digest: sha256:600bff7fb36d7992512f8c07abd50aac08db8f17c94e3c83e47d53435a1a6f7c
Status: Downloaded newer image for 192.168.10.131:5000/nginx:latest
① Edit /etc/pki/tls/openssl.cnf so that the certificate supports access by IP address
[ v3_ca ]
subjectAltName = IP:192.168.10.131
② Generate the certificate and key with openssl
[root@dockertest registry]# mkdir -p certs
[root@dockertest registry]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
> -x509 -days 365 -out certs/domain.crt
Generating a 4096 bit RSA private key
...........++
..............................................................................................++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:192.168.10.131:5000
Email Address []:
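③ Copy the newly generated domain.crt to /etc/docker/certs.d/192.168.100.9:5000/ca.crt and restart docker. Docker looks up the CA by the registry address used in image names, so the directory under /etc/docker/certs.d must be named exactly that host:port (the registry in the other steps here is 192.168.10.131:5000).
[root@dockertest registry]# mkdir -p /etc/docker/certs.d/192.168.100.9:5000
[root@dockertest registry]# cp certs/domain.crt /etc/docker/certs.d/192.168.100.9:5000/ca.crt
[root@dockertest registry]# systemctl restart docker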
④ Run the registry
[root@dockertest registry]# docker run -d -u root -p 5000:5000 \
> --name private_registry --restart=always \
> -v /opt/docker/registry/data:/var/lib/registry \
> -v /opt/docker/registry/certs:/certs \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
> registry:2
9d145ea538fda7687734a2a170ff21524bc8fc65fee81b2a12c43ef3a43a576a
⑤ Push an image to the registry
[root@dockertest ~]# docker push 192.168.10.131:5000/nginx
The push refers to repository [192.168.10.131:5000/nginx]
e89b70d28795: Pushed
832a3ae4ac84: Pushed
014cf8bfcb2d: Pushed
latest: digest: sha256:600bff7fb36d7992512f8c07abd50aac08db8f17c94e3c83e47d53435a1a6f7c size: 948
⑥ Pull the newly uploaded image from another machine
[root@localhost ~]# docker pull 192.168.10.131:5000/nginx
Using default tag: latest
Error response from daemon: Get https://192.168.10.131:5000/v2/: x509: certificate signed by unknown authority
# The pull fails because this machine does not have the certificate. Copy the certificate from 192.168.10.131 to /etc/docker/certs.d/192.168.10.131:5000/ca.crt on this machine and restart docker.
[root@localhost 192.168.10.131:5000]# docker pull 192.168.10.131:5000/nginx
Using default tag: latest
latest: Pulling from nginx
8176e34d5d92: Pull complete
5b19c1bdd74b: Pull complete
4e9f6296fa34: Pull complete
Digest: sha256:600bff7fb36d7992512f8c07abd50aac08db8f17c94e3c83e47d53435a1a6f7c
Status: Downloaded newer image for 192.168.10.131:5000/nginx:latest
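The steps above leave a Docker host in one of three states for a given registry address: TLS checks switched off through insecure-registries, a CA file present under certs.d, or neither (the x509 error in step ⑥). The following is an added example, not part of the original post, that reports which state applies; the function names are hypothetical and the demo files are constructed.

```bash
#!/bin/sh
# Added example (not from the original post). File locations are parameters,
# so the check can be pointed at /etc/docker or at copies of it.

# Print the insecure-registries entries of a daemon.json, one per line.
# Assumes the flat layout shown on this page (no IPv6 literals).
insecure_registries() {
    tr -d ' \t\r\n' < "$1" |
        sed -n 's/.*"insecure-registries":\[\([^]]*\)].*/\1/p' |
        tr ',' '\n' | tr -d '"'
}

# Classify how the Docker daemon will treat a registry address (host:port):
#   insecure  - listed in insecure-registries, certificate checks are skipped
#   trusted   - <certs_root>/<host:port>/ca.crt exists and is used for TLS
#   untrusted - neither; a self-signed registry is rejected with
#               "x509: certificate signed by unknown authority"
registry_trust() {
    daemon_json=$1 certs_root=$2 registry=$3
    if [ -f "$daemon_json" ] &&
       insecure_registries "$daemon_json" | grep -Fxq -- "$registry"; then
        echo insecure
    elif [ -f "$certs_root/$registry/ca.crt" ]; then
        echo trusted
    else
        echo untrusted
    fi
}

# Constructed demo: the CA is stored under 192.168.100.9:5000 while images are
# tagged 192.168.10.131:5000, so the daemon never finds it for that registry.
demo() {
    d=$(mktemp -d)
    echo '{"registry-mirrors": ["https://registry.docker-cn.com"]}' > "$d/daemon.json"
    mkdir -p "$d/certs.d/192.168.100.9:5000"
    : > "$d/certs.d/192.168.100.9:5000/ca.crt"
    for r in 192.168.100.9:5000 192.168.10.131:5000; do
        echo "$r $(registry_trust "$d/daemon.json" "$d/certs.d" "$r")"
    done
    rm -rf "$d"
}
demo
```

On a real host, call registry_trust /etc/docker/daemon.json /etc/docker/certs.d followed by the registry address exactly as it appears in image names.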
① Create a data volume
[root@dockertest ~]# docker volume create v1
v1
[root@dockertest ~]# docker volume ls
DRIVER              VOLUME NAME
local               v1
② View the data volume information
[root@dockertest ~]# docker volume ls
DRIVER              VOLUME NAME
local               v1
[root@dockertest ~]# docker volume inspect v1
[
    {
        "CreatedAt": "2018-06-04T01:47:39-04:00",
        "Driver": "local",
        "Labels": {},
        "Mountpoint": "/var/lib/docker/volumes/v1/_data",
        "Name": "v1",
        "Options": {},
        "Scope": "local"
    }
]
③ Mount the volume into a container
[root@dockertest ~]# docker run -d -p 80:80 --name web --mount source=v1,target=/webapp nginx
3f315ab9ed576d5f0b72dc9e8c067331e0ef785a9577c2c3c6d2e74ec77e51fd
[root@dockertest ~]# docker exec -it web /bin/bash
root@3f315ab9ed57:/# cd /webapp/
root@3f315ab9ed57:/webapp# touch ss.txt
root@3f315ab9ed57:/webapp# exit
exit
[root@dockertest ~]# ls /var/lib/docker/volumes/v1/_data/
ss.txt
④ View the container information
[root@dockertest ~]# docker inspect -f "{{.Mounts}}" web
[{volume v1 /var/lib/docker/volumes/v1/_data /webapp local z true }]
⑤ Delete the data volume
[root@dockertest ~]# docker volume rm v1
⑥ Mount a host directory
[root@dockertest ~]# docker run -d -p 80:80 --name web --mount type=bind,source=/dockerdata,target=/webapp nginx
67f90a8a2c6171bfbfce4c84606f0742adb7e283cdb45b488d47035b7f02871b
# A mounted host directory is read-write by default; adding readonly makes it read-only
[root@dockertest ~]# docker run -d -p 81:80 --name web2 --mount type=bind,source=/dockerdata,target=/webapp,readonly nginx
ced71fc7a97d251bfea388768e3e45cafe3a12680282d820e032d9845c74a1bf
# With readonly set, creating a file under /webapp inside the container fails
[root@dockertest ~]# docker exec -it web2 /bin/bash
root@ced71fc7a97d:/# cd webapp/
root@ced71fc7a97d:/webapp# touch ss
touch: cannot touch 'ss': Read-only file system
root@ced71fc7a97d:/webapp# exit
exit
If users need to share continuously updated data between containers, they can use a data volume container. A data volume container is simply an ordinary container dedicated to providing data volumes for other containers to mount.
① Create a data volume and mount it into web1
[root@dockertest ~]# docker volume create v1
v1
[root@dockertest ~]# docker run -dit --mount source=v1,target=/tmp/test --name web1 centos
237879201e1c8fedae870af923083625ab8d0fb2b375f66784e1da4179e068c7
[root@dockertest ~]# docker exec -it web1 ls -d /tmp/test
/tmp/test
② Create two containers and mount the data volume from web1
[root@dockertest ~]# docker run -dit --volumes-from web1 --name db1 centos
0b656f36fe24ce835b94d2c891645962e6545e3e18c70bbc6a3e24edbd45f153
[root@dockertest ~]# docker run -dit --volumes-from web1 --name db2 centos
4468244e0b8b7d6caa57801a2c98d1272c6fdb7d59e89ce704533b53fe969b70
[root@dockertest ~]# docker inspect -f "{{.Mounts}}" db2
[{volume v1 /var/lib/docker/volumes/v1/_data /tmp/test local true }]
③ Create one test file each in web1 and db1
[root@dockertest ~]# docker exec -it web1 touch /tmp/test/web1.txt
[root@dockertest ~]# docker exec -it db1 touch /tmp/test/db1.txt
# Check from db2 and from the local host
[root@dockertest ~]# docker exec -it db2 ls /tmp/test
db1.txt  web1.txt
[root@dockertest ~]# ls /var/lib/docker/volumes/v1/_data/
db1.txt  web1.txt
④ Use db2 as the data volume container for db3
[root@dockertest ~]# docker run -dit --volumes-from db2 --name db3 centos
7ccd5f862ce125121b2e216c3f312c1921a41df0214a327e957a15bd2041cf07
[root@dockertest ~]# docker exec -it db3 ls /tmp/test
db1.txt  web1.txt
⑤ Stop web1 and check the mounted files in the associated containers
[root@dockertest ~]# docker stop web1
web1
[root@dockertest ~]# docker exec -it db3 ls /tmp/test
db1.txt  web1.txt
① Create a data volume and mount it
[root@dockertest ~]# docker volume create v2
v2
[root@dockertest ~]# docker run -it --mount source=v2,target=/backup --name datamove centos
[root@19de5488667a /]# cd /backup/
[root@19de5488667a backup]# touch {a,b,c,d,ss}
[root@19de5488667a backup]# ls
a  b  c  d  ss
② Back up the data volume
[root@dockertest ~]# docker run --volumes-from datamove -v /dockerdata/:/back --name backup centos tar cvf /back/backup.tar /backup
tar: Removing leading `/' from member names
/backup/
/backup/a
/backup/b
/backup/c
/backup/d
/backup/ss
[root@dockertest ~]# ls /dockerdata/
backup.tar
③ Create a container named savedata to restore the data volume
[root@dockertest ~]# docker run --volumes-from datamove -v /dockerdata/:/back --name savedata centos tar xvf /back/backup.tar
backup/
backup/a
backup/b
backup/c
backup/d
backup/ss
④ Create a container that mounts the volumes of savedata
[root@dockertest ~]# docker run -dit --volumes-from savedata --name savetest centos
faa008b4f18360b0bed3619f740ccc6a326d7e718020347bdb3027750d48ef60
[root@dockertest ~]# docker exec -it savetest ls /backup
a  b  c  d  ss
① One-to-one mapping
[root@dockertest ~]# docker run -dit -p 80:80 --name port1 centos
② Many-to-many mapping
[root@dockertest ~]# docker run -dit -p 8088:8088 -p 8080:8080 --name port2 centos
③ Map a random port
[root@dockertest ~]# docker run -dit -p :80 --name port3 centos
④ Map a UDP port
[root@dockertest ~]# docker run -dit -p :80/udp --name port4 centos
⑤ View the port mappings
[root@dockertest ~]# docker container ls
CONTAINER ID   IMAGE    COMMAND       CREATED         STATUS         PORTS                                            NAMES
dbdbe92054f2   centos   "/bin/bash"   7 minutes ago   Up 7 minutes   0.0.0.0:32769->80/udp                            port4
3880ae523333   centos   "/bin/bash"   7 minutes ago   Up 7 minutes   0.0.0.0:32769->80/tcp                            port3
8293f668125f   centos   "/bin/bash"   7 minutes ago   Up 7 minutes   0.0.0.0:8080->8080/tcp, 0.0.0.0:8088->8088/tcp   port2
e01160b11472   centos   "/bin/bash"   8 minutes ago   Up 7 minutes   0.0.0.0:80->80/tcp                               port1
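Every mapping in the PORTS column above is bound to 0.0.0.0, meaning the published port listens on all host interfaces. The following added example (not from the original post) lists such mappings from docker ps output so they can be reviewed; the sample lines are constructed from the listing above, and the container local1 and the function names are hypothetical.

```bash
#!/bin/sh
# Added example (not from the original post).
# Reads lines of "NAME<TAB>PORTS", the output of
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# and prints "NAME PROTO HOSTPORT" for every mapping bound to all interfaces.
wildcard_ports() {
    awk -F '\t' '{
        n = split($2, maps, ", ")
        for (i = 1; i <= n; i++) {
            # Published form: HOSTIP:HOSTPORT->CONTAINERPORT/PROTO
            if (split(maps[i], side, "->") != 2) continue  # exposed, not published
            k = match(side[1], /:[0-9-]+$/)   # last colon precedes the host port
            if (!k) continue
            ip = substr(side[1], 1, k - 1)
            port = substr(side[1], k + 1)
            proto = side[2]; sub(/^.*\//, "", proto)
            if (ip == "0.0.0.0" || ip == "::" || ip == "[::]")
                print $1, proto, port
        }
    }'
}

# Constructed sample: the four containers listed above plus a hypothetical
# "local1" started with -p 127.0.0.1:8081:80, which is not reported.
sample() {
    printf '%s\t%s\n' \
        port4 '0.0.0.0:32769->80/udp' \
        port3 '0.0.0.0:32769->80/tcp' \
        port2 '0.0.0.0:8080->8080/tcp, 0.0.0.0:8088->8088/tcp' \
        port1 '0.0.0.0:80->80/tcp' \
        local1 '127.0.0.1:8081->80/tcp'
}
sample | wildcard_ports
```

Giving -p an explicit host address, as in the local1 line, keeps a service that only needs local access off the other interfaces.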
① Create a new network
[root@dockertest ~]# docker network create -d bridge my-net
cf09779c2aac2043c84b98a9728ed597c2dac7e8f67c8946b57dc4b9aa3f7cd2
[root@dockertest ~]# docker network ls
NETWORK ID     NAME     DRIVER   SCOPE
da971fe6813b   bridge   bridge   local
eec69c6ab2da   host     host     local
cf09779c2aac   my-net   bridge   local
d2be30ca65ba   none     null     local
② Run a container and connect it to the new my-net network
[root@dockertest ~]# docker run -it --rm --name web1 --network my-net centos
[root@ac92ecff44e1 /]#
③ Open a new terminal, run another container, and join it to the my-net network
[root@dockertest ~]# docker run -it --rm --name web2 --network my-net centos
[root@a6e5609d4e6f /]#
④ Test the connection
[root@a6e5609d4e6f /]# ping web1
PING web1 (172.18.0.2) 56(84) bytes of data.
64 bytes from web1.my-net (172.18.0.2): icmp_seq=1 ttl=64 time=0.102 ms
64 bytes from web1.my-net (172.18.0.2): icmp_seq=2 ttl=64 time=0.045 ms
64 bytes from web1.my-net (172.18.0.2): icmp_seq=3 ttl=64 time=0.053 ms
^C
--- web1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.045/0.066/0.102/0.026 ms
[root@a6e5609d4e6f /]#
① View the mount information inside a container
[root@ac92ecff44e1 /]# mount | grep etc
/dev/mapper/centos-root on /etc/resolv.conf type xfs (rw,relatime,attr2,inode64,noquota)
/dev/mapper/centos-root on /etc/hostname type xfs (rw,relatime,attr2,inode64,noquota)
/dev/mapper/centos-root on /etc/hosts type xfs (rw,relatime,attr2,inode64,noquota)
[root@ac92ecff44e1 /]#
With this mechanism, when the host's DNS information is updated, the DNS configuration of all Docker containers is updated through the /etc/resolv.conf file.
② To configure DNS for all containers, add the DNS entries to /etc/docker/daemon.json
{
  "dns" : [
    "114.114.114.114",
    "8.8.8.8"
  ]
}
# With this in place, each container's DNS is set to the added addresses automatically when it starts
[root@dockertest ~]# docker run -it --rm centos cat etc/resolv.conf
search localdomain
nameserver 114.114.114.114
nameserver 8.8.8.8
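③ To set a container's configuration manually, add the following parameters when starting it with docker run:
-h sets the container's hostname. It is written to /etc/hostname and /etc/hosts inside the container but is not visible from outside: it is not shown by docker ps and does not appear in the /etc/hosts of other containers.
--dns=IP_ADDRESS adds a DNS server to the container's /etc/resolv.conf, so that the container uses this server to resolve every hostname that is not in /etc/hosts.
--dns-search=DOMAIN sets the container's search domain. When the search domain is .example.com, a lookup for a host named host searches not only for host but also for host.example.com.
# Reference document address:
Reposted from: https://blog.51cto.com/lullaby/2124669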