Docker
Docker profile
Containerization technology: an incomplete operating system.
Why is Docker faster than virtual machines?
- Docker has fewer layers of abstraction than virtual machines
- Docker makes use of the host’s kernel
So when creating a new container, Docker doesn’t need to reload an operating system like a virtual machine, avoiding booting.
VM is hardware virtualization, Docker is OS virtualization.
VM will have 5-20% performance loss, Docker is physical machine performance.
Commonly used instructions
docker version
docker info
docker –help
Docker pull [] download image
Docker search [] searches for images
Docker rmI [] Delete image
Docker rmi -f $(docker images -aq) delete all images
Docker Images view images
Create a new container and start
Docker run [optional] [image]
–name=”name01″ Container name
-d Runs in background mode
-it uses interactive running to enter the container to view the contents
-p Specifies the container port, -p 8080:8080 (host port: container port)
-p Random port
When docker run is used to create containers, the standard operations that Docker runs in the background include:
- Check whether the specified image exists locally. If not, download it from the shared repository
- Create and start a container with an image
- Assign a file system and mount a read-write layer outside the read-only mirror layer
- Bridge a virtual interface from the host host’s configured bridge interface to the container
- Configure an IP address from the address pool to the container
- Execute the user-specified application
- The container is terminated after execution
Lists all running containers
Docker ps [-a] bring out history run, [-n=? N that have run recently
-q Displays only container numbers
Out of the container
Exit Exit container
CTRL +P+Q exits without stopping
Remove the container
Docker RM Container ID Delete a container
Docker rm -f $(docker ps -aq) delete all containers
Start restart and stop shutdown
Docker start Container ID
Docker restart Container ID
Docker stop Container ID
Docker kill Container ID
The docker container uses the background runtime (docker run -d), if there is no foreground process, it will stop immediately. For example, nginx, when a container is started, it finds that it has no service and immediately stops.
See the log
Docker logs [-tf] displays all logs with time stamps
–tail + num Displays the number of logs
View information about processes in a container
Docker Top Container ID
View mirror metadata
Docker inspect Container ID
Enter the currently running container
We usually run containers in the background and need to go into the container and change some configuration.
Docker exec -it Container ID bashshell
Docker Attach Container ID
Exec opens a new terminal after entering the container and can perform operations
Attach to the terminal where the container is executing without starting a new process
Copy files from a container to a host
Docker cp Container ID: indicates the host path of the destination in the container
Viewing CPU Status
docker stats
Visualization (Protainer)
Docker graphical interface
docker run -d -p 8088:9000 --restart=always -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer
Copy the codeAccess: http://IP:8088
Commit the mirror
The Docker commit commits the image to a new copy
Docker commit -m=” commit “-a=” author” docker commit -m=” commit “-a=” author”
Container data volume
There can be a data share between containers. Data generated in the Docker container is synchronized locally.
A data volume is a special directory that can be used by one or more containers, bypassing UFS and providing a number of useful features:
- Data volumes can be shared and reused between containers
- Changes to data volumes take effect immediately
- Data volume updates do not affect the mirroring
- The volume exists until no container is used
Summary: Containers persist and synchronize operations, and data can be shared between containers.
Use: docker run -v host directory: container directory bashshell Host directory must be an absolute path, if docker does not exist automatically created
The default permission for docker to mount data volumes is read and write. Users can also specify read-only by :ro
Example: MySql data persistence
docker run -d -p 3310:3306 -v /home/mysql/conf:/etc/mysql/conf.d -v /home/mysql/data:/var/lib/mysql -e MYSQL_ROOT_PASSWORD = 123456 - name mysql01 mysql: 5.7Copy the codeDocker run Background port mapping Volume mounting environment Configuration Container name image name
The difference between container and image
Images are read-only and cannot be saved or modified. One image can be built on top of another.
Containers add a writable layer on top of all the mirror layers. This writable layer has processes running on the CPU in two different states: running and stopped. Everything we do to it from the run state to the stop state is permanently written to the container’s file system, not the mirror. You can start multiple containers with an image, isolated from each other.
Named mount and anonymous mount
- Docker run -d -p -v /etc/nginx
- Docker run -d -p -v name01:/etc/nginx
Viewing a Volume List
docker volume ls
Copy the codeViewing Volume Information
Docker Volume Inspect Specifies the volume name
-v Mount the container path anonymously
-v Volume name: Mount to a named path in a container
-v Host path: inside container path Specifies a path for mounting
-v Path inside the container :ro(read-only) Rw (readable and writable)
Data volume container
A data volume container, in fact, is a normal container that provides data volumes for other containers to mount.
First, create a named volume container dbData:
docker run -d -v /dbdata --name dbdata training/postgres echo Data-only container
Copy the codeThen use the –volumes-from container name to mount the data volumes in the dbData container
docker run -d --volumes-from dbdata --name db1 training/postgres
docker run -d --volumes-from dbdata --name db2 training/postgres
Copy the codeYou can also use multiple –volumes-from parameters to mount multiple data volumes from multiple containers. You can also mount data volumes from other containers that have already mounted data volumes.
If you delete mounted containers (including DBData, DB1, and DB2), the data volume will not be deleted automatically. If you want to delete a data volume, you must use the docker rm -v command when deleting the last container that is still attached to it to specify that the associated container is also deleted. This allows users to upgrade and move data volumes between containers.
DockerFile
Used to build docker image build file, command script. This script can be used to generate the image. The image is a layer, and the script is a command, each command is a layer.
Docker build steps
- Write a dockerFile file
- Docker builds as an image
- Docker run runs the image
- Docker Push release image (DockerHub, Ali Cloud……)
DockerFile instruction
| instruction | instructions |
|---|---|
| FROM | Base mirror, where it all starts |
| MAINTAINER | Who wrote the image? Name + email |
| RUN | Run the command |
| ADD | Add content, unzip tar (different from COPY) |
| WORKDIR | Mirror working directory |
| VOLUME | Mount directory |
| EXPOSE | Specify the exposed port (same as the -p instruction) |
| CMD | Specifies the command to execute when starting the container. There can be only one CMD command per Dockerfile. If multiple commands are specified, only the last one is executed and can be substituted. |
| ENTRYPOINT | If the user specified a command to run when starting the container, CMD commands are overridden. ENTRYPOINT can add commands. There can only be one ENTRYPOINT per Dockerfile. When multiple entryPoints are specified, only the last ENTRYPOINT takes effect. |
| ONBUILD | The ONBUILD directive is run when building an inherited DockerFile. Trigger instructions |
| COPY | Like ADD, copy our files to the image |
| ENV | Set environment variables at build time |
99% of the images in DockerHub are FROM Scratch
DockerFile example
Create your own centos
FROM centos
MAINTAINER jy<[email protected]>
ENV MYPATH /usr/local
WORKDIR $MYPATH
RUN yum -y install vim
RUN yum -y install net-tools
EXPOSE 80
CMD echo $MYPATH
CMD echo "---end---"
CMD /bin/bash
Copy the codeRun the DockerFile file
Docker build -f file path -t filename :[TAG]. I’m going to add one at the end.
Docker History Image ID you can view the image construction process
-f dockerFile (-f) -f dockerfile (-f
Note: a mirror cannot exceed 127 layers
CMD and ENTRYPOINT
CMD ["ls","-a"]
Copy the codeTo run, run ls -a
When there is CMD in Dockerfile
Docker run Image ID ls-al
Append command replaces CMD statement, so append -l error, equivalent to CMD [“-l”]
But if it is
ENTRYPOINT ["ls","-a"]
Copy the codeDocker run image ID -l
There will be no errors, it will append to the ENTRYPOINT directive
Publish your own image
Docker login -u xx -p xx docker push id:[TAG]Copy the codeAli Cloud image container, can refer to the official website of Ali Cloud
Docker network
Docker0 (use IP addr to query nic information)
When Docker starts, it automatically creates a Docker0 virtual bridge on the host, which is actually a Linux bridge that can be interpreted as a software switch. It forwards between ports mounted to it.
When a Docker container is created, a pair of Veth pair interfaces are created (when a packet is sent to one interface, the other interface can receive the same packet). One end of the pair is in the container, called eth0; The other end is local and mounted to
Docker0 bridge whose name starts with veth (for example, vethAQI2QT). In this way, hosts can communicate with containers and containers can communicate with each other. Docker creates a virtual shared network between hosts and all containers.
Principle:
- Every time we start a Docker container, Docker will assign an IP to the container. As long as we install Docker, we will have a network card Docker0.
- Bridge mode, using the veTH-pair technology.
- The network cards brought by this container are one-to-one.
- A VETH-pair is a pair of virtual device interfaces that come in pairs, with one end connected to the protocol and the other to each other.
- Because of this feature, VETH-pair acts as a bridge between various virtual network devices.
As shown in the figure, Tomcat01 and Tomcat02 are common routers. All containers are routed by Docker0 if no network is specified. Docker assigns a default available IP to our containers.
All network interfaces in Docker are virtual. Virtual forwarding efficiency is high! Once the container is deleted, the corresponding bridge pair is gone.
Containers access the extranet
In order for a container to access an external network, it needs forwarding support from the local system.
On Linux, check whether forwarding is enabled.
$sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
Copy the codeIf the value is 0, forwarding is not enabled. You need to manually enable forwarding.
$sysctl -w net.ipv4.ip_forward=1
Copy the codeIf –ip-forward=true is set when Docker starts the service, Docker automatically sets the ip_forward parameter to 1.
–link
Ping with the container name (service name) without using IP
docker exec -it tomcat02 ping tomcat01
Copy the codeThe one above cannot ping through!
docker run -d -P --name tomcat03 --link tomcat02 tomcatdocker exec -it tomcat03 ping tomcat02
Copy the codeAt this point, you can ping through
Principle:
docker exec -it tomcat03 cat /etc/hosts
Copy the codeConclusion:
— Link adds a mapping to the hosts configuration
Viewing Network Information
Docker Network LsDocker network INSPECT network IDCopy the codeNetwork mode
Bridge: Bridge mode (default)
None: The network is not configured
Host: Shares the network with the host
Container: The container network is connected (rarely used but limited).
docker run -d -P --name tomcat01 --net bridge tomcat
Copy the codeDocker0 features: By default, domain names cannot be accessed. — Link can be accessed
Docker network create --driver bridge --subnet 192.168.0.0/16 --gateway 192.168.0.1 mynetCopy the codeDocker network create Bridge network mode subnet gateway name
docker run -d -P --name tomcat01 --net mynet tomcat
Copy the codeThey can ping each other directly
docker exec -it tomcat01 ping tomcat02
Copy the codeNetwork connectivity
docker network connect mynet tomcat00
Copy the codeContainers on different networks can also communicate with each other. Tomcat00 is a container on another network
Docker underlying implementation and network implementation
The underlying core technology of Docker includes Namespaces, Control groups and Union files on Linux
Union File Systems and Container Format.
The network implementation of Docker actually makes use of the network namespace and virtual network devices (especially Veth pair) on Linux.
