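Docker container technology uses LXC (Linux Containers) to provide VM-like functionality. The isolation LXC provides comes mainly from kernel namespaces: the pid, net, ipc, mnt, uts and user namespaces isolate a container's processes, network, messaging (IPC), file system, hostname and users.
The isolation provided by each namespace and the Linux kernel version that supports it are shown in the figure below. User and group isolation has only been supported since 3.8, so to use Docker fully the kernel version must be 3.8 or later.
Multiple containers share the host's single kernel, so CPU, memory, I/O and other resources have to be allocated and isolated; the Linux kernel does this with cgroups.
Evolution of the container engine used by Docker: lxc --> libcontainer --> runC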
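To check the namespace isolation described above on a running host, the following added example (not from the original post) compares the namespace links under /proc/<pid>/ns for two processes and reports which namespaces they share. The function names and the proc_root parameter are assumptions of this example.

```python
import os

# The six namespaces listed above.
NAMESPACES = ("pid", "net", "ipc", "mnt", "uts", "user")

def read_namespaces(pid, proc_root="/proc"):
    """Map namespace name -> identifier such as 'net:[4026531993]'."""
    ns_dir = os.path.join(proc_root, str(pid), "ns")
    ids = {}
    for name in NAMESPACES:
        try:
            # Each entry is a symlink whose target names the namespace inode.
            ids[name] = os.readlink(os.path.join(ns_dir, name))
        except OSError:
            ids[name] = None  # not supported by this kernel, or not readable
    return ids

def shared_namespaces(pid_a, pid_b, proc_root="/proc"):
    """Return the namespaces both processes are in, i.e. the ones NOT isolated."""
    a = read_namespaces(pid_a, proc_root)
    b = read_namespaces(pid_b, proc_root)
    return [n for n in NAMESPACES if a[n] is not None and a[n] == b[n]]

if __name__ == "__main__":
    # Compare host init (PID 1) with this process; reading /proc/1/ns needs root.
    print(shared_namespaces(1, os.getpid()))
```

Run as root with a container's host-side PID in place of os.getpid(). A container started with Docker's defaults still shares the user namespace with the host unless user-namespace remapping is enabled, so "user" appearing in the result is expected in that case.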
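Docker components:
Docker effectively has a server side and a client side; it is a client/server (C/S) architecture.
Docker objects:
images, containers, networks, volumes, plugins, and so on
Relationship between images and containers:
An image is static; a container is dynamic and has a life cycle. The relationship between the two is like that between a program and a process.
System environment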
root@node01:~# cat /etc/issue
Ubuntu 18.04.4 LTS \n \l
root@node01:~# lsb_release -cr
Release: 18.04
Codename: bionic
root@node01:~# uname -a
Linux node01 4.15.0-96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
The release codename (Codename: bionic) matters: it is needed when changing the apt sources.
Set the time zone and install time-synchronization software
root@node01:~# cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
root@node01:~# apt-get install chrony
root@node01:~# systemctl start chrony
root@node01:~# systemctl enable chrony
Use the Tsinghua University open-source software mirror; bionic in the entries below is the system's Codename.
root@node01:~# cd /etc/apt/
root@node01:/etc/apt# cp sources.list{,.bak}
root@node01:/etc/apt# vim sources.list
# Source-package mirrors are commented out by default to speed up apt update; uncomment them if needed
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ bionic main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ bionic main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ bionic-updates main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ bionic-updates main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ bionic-backports main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ bionic-backports main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ bionic-security main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ bionic-security main restricted universe multiverse
# docker-ce
deb [arch=amd64] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic stable
Install docker-ce
root@node01:/etc/apt# curl -fsSL https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
root@node01:/etc/apt# apt-get install docker-ce
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
aufs-tools cgroupfs-mount containerd.io docker-ce-cli libltdl7 pigz
The following NEW packages will be installed:
aufs-tools cgroupfs-mount containerd.io docker-ce docker-ce-cli libltdl7 pigz
0 upgraded, 7 newly installed, 0 to remove and 88 not upgraded.
Need to get 85.3 MB of archives.
After this operation, 381 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic/universe amd64 pigz amd64 2.4-1 [57.4 kB]
Get:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic/universe amd64 aufs-tools amd64 1:4.9+20170918-1ubuntu1 [104 kB]
Get:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic/universe amd64 cgroupfs-mount all 1.4 [6320 B]
Get:4 https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable amd64 containerd.io amd64 1.2.13-2 [21.4 MB]
Get:4 https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable amd64 containerd.io amd64 1.2.13-2 [21.4 MB]
Get:5 https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable amd64 docker-ce-cli amd64 5:19.03.12~3-0~ubuntu-bionic [41.2 MB]
Get:6 https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic/stable amd64 docker-ce amd64 5:19.03.12~3-0~ubuntu-bionic [22.5 MB]
Get:7 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic/main amd64 libltdl7 amd64 2.4.6-2 [38.8 kB]
Fetched 64.8 MB in 1min 45s (616 kB/s)
Installing docker-ce also installs aufs-tools cgroupfs-mount containerd.io docker-ce-cli libltdl7 pigz as additional packages.
root@node01:/etc/apt# docker version
Client: Docker Engine - Community
Version: 19.03.12
API version: 1.40
Go version: go1.13.10
Git commit: 48a66213fe
Built: Mon Jun 22 15:45:36 2020
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.12
API version: 1.40 (minimum version 1.12)
Go version: go1.13.10
Git commit: 48a66213fe
Built: Mon Jun 22 15:44:07 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.2.13
GitCommit: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683
root@node01:/etc/apt# docker info
...
WARNING: No swap limit support
If docker info ends with WARNING: No swap limit support, fix it as follows:
root@node01:~# vim /etc/default/grub
...
GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"
...
# save and exit
root@node01:~# update-grub
root@node01:~# reboot
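By default Docker pulls images from https://index.docker.io/v1/. Access to that address from mainland China is slow, so a registry mirror (accelerator) address needs to be configured to speed up image downloads. There are many mirrors to choose from; the following are commonly used.
docker cn, at https://registry.docker-cn.com; it does not respond quickly either
Alibaba Cloud accelerator: you first need to register an Alibaba Cloud developer account, and the platform then assigns the user an accelerator domain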
root@node01:~# vim /etc/docker/daemon.json
{
"registry-mirrors": [
"https://1nj0zren.mirror.aliyuncs.com",
"https://docker.mirrors.ustc.edu.cn",
"http://registry.docker-cn.com"
],
"insecure-registries" : [
"docker.mirrors.ustc.edu.cn"
],
"debug" : true,
"experimental" : true
}
# after saving and exiting
root@node01:~# systemctl restart docker.service
root@node01:~# docker info
...
Registry Mirrors:
https://1nj0zren.mirror.aliyuncs.com/
https://docker.mirrors.ustc.edu.cn/
http://registry.docker-cn.com/
...
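A check for the daemon.json above, as an added example (not from the original post): it flags mirrors reached over plain HTTP, mirrors whose host is also listed under insecure-registries (which lets the daemon skip TLS certificate verification for that host), and debug logging left on. The finding names and function names are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the daemon.json from the step above.
SAMPLE_DAEMON_JSON = """
{
  "registry-mirrors": [
    "https://1nj0zren.mirror.aliyuncs.com",
    "https://docker.mirrors.ustc.edu.cn",
    "http://registry.docker-cn.com"
  ],
  "insecure-registries": ["docker.mirrors.ustc.edu.cn"],
  "debug": true,
  "experimental": true
}
"""

def registry_host(entry):
    """Host[:port] of a mirror URL; bare insecure-registries entries pass through."""
    return (urlsplit(entry).netloc if "://" in entry else entry).lower()

def audit_daemon_json(text):
    """Return (finding, value) pairs for settings that weaken image pulls."""
    cfg = json.loads(text)
    mirrors = cfg.get("registry-mirrors", [])
    # CIDR entries in insecure-registries are compared literally, not expanded.
    insecure = {registry_host(e) for e in cfg.get("insecure-registries", [])}
    findings = []
    for url in mirrors:
        if urlsplit(url).scheme != "https":
            findings.append(("plaintext-mirror", url))
        elif registry_host(url) in insecure:
            findings.append(("tls-verification-off", url))
    mirror_hosts = {registry_host(m) for m in mirrors}
    for host in sorted(insecure - mirror_hosts):
        findings.append(("insecure-registry", host))
    if cfg.get("debug"):
        findings.append(("debug-logging", "debug"))
    return findings

if __name__ == "__main__":
    for finding, value in audit_daemon_json(SAMPLE_DAEMON_JSON):
        print(f"{finding}: {value}")
```

Point it at the real file with audit_daemon_json(open("/etc/docker/daemon.json").read()); an empty list means none of these three settings is present.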
Original: https://blog.51cto.com/zhaochj/2535005