(Docker images - figure 2)

Image composition

(Docker images - figure 3)

A Docker image is made up of multiple read-only layers stacked on top of each other. When a container is started, Docker loads the read-only image layers and adds a single read-write layer on top of the image stack.
If a running container modifies a file that already exists in the image, that file is copied from the read-only layer beneath the read-write layer up into the read-write layer. The original version of the file still exists in its read-only layer; it is merely hidden by the copy in the read-write layer. This is the copy-on-write (COW) mechanism.
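The layering and copy-on-write behaviour described above, as a small runnable model. This is an added illustration, not Docker's own code: a real container uses a union filesystem such as overlay2 with whiteout files on disk, whereas here every layer is a plain dict so that the top-down lookup, the copy-up on write, the hidden lower version and the `docker diff`-style change list are all visible.

```python
"""Toy model of Docker's layered image filesystem with copy-on-write.

Added illustration, not Docker's code: each layer is a dict mapping a path to
its content, image layers are read-only, and the container gets one rw layer.
"""
from typing import Dict, List, Optional, Tuple

# A value of None stored in a layer hides the same path in every lower layer
# (the equivalent of an overlayfs whiteout file).
WHITEOUT = None


class LayeredFS:
    def __init__(self, image_layers: List[Dict[str, str]]):
        # Read-only image layers, bottom first, exactly as pulled from a registry.
        self.image_layers: List[Dict[str, Optional[str]]] = [dict(l) for l in image_layers]
        # The container's read-write layer, created empty when the container starts.
        self.rw_layer: Dict[str, Optional[str]] = {}

    @staticmethod
    def _lookup(layers: List[Dict[str, Optional[str]]], path: str) -> Optional[str]:
        # Walk from the top layer down; the first layer that mentions the path wins.
        for layer in reversed(layers):
            if path in layer:
                return layer[path]
        return None

    def read(self, path: str) -> Optional[str]:
        """What a process inside the container sees (rw layer on top of the image)."""
        return self._lookup(self.image_layers + [self.rw_layer], path)

    def image_read(self, path: str) -> Optional[str]:
        """The untouched version in the read-only layers; still there after a write."""
        return self._lookup(self.image_layers, path)

    def write(self, path: str, data: str) -> None:
        """Writes never touch an image layer: the new version lands in the rw layer."""
        self.rw_layer[path] = data

    def append(self, path: str, extra: str) -> None:
        """Copy-on-write: the current content is copied up, then extended, in the rw layer."""
        self.write(path, (self.read(path) or "") + extra)

    def delete(self, path: str) -> None:
        """Deleting only records a whiteout; the lower copy remains inside the image."""
        self.rw_layer[path] = WHITEOUT

    def diff(self) -> List[Tuple[str, str]]:
        """Like `docker diff`: A added, C changed, D deleted, relative to the image."""
        changes: List[Tuple[str, str]] = []
        for path, value in sorted(self.rw_layer.items()):
            was_in_image = self.image_read(path) is not None
            if value is WHITEOUT:
                if was_in_image:
                    changes.append(("D", path))
            elif was_in_image:
                changes.append(("C", path))
            else:
                changes.append(("A", path))
        return changes

    def commit(self) -> None:
        """Like `docker commit`: freeze the rw layer as a new read-only layer."""
        self.image_layers.append(self.rw_layer)
        self.rw_layer = {}


if __name__ == "__main__":
    # Constructed two-layer image: a base layer and a layer that adds /etc/motd.
    fs = LayeredFS([{"/etc/os-release": "centos 7\n", "/bin/sh": "ELF"},
                    {"/etc/motd": "hi\n"}])
    fs.append("/etc/motd", "welcome\n")   # copy-up, then modify
    fs.delete("/bin/sh")                  # whiteout
    fs.write("/app/config.yml", "debug: false\n")
    print("container sees:", repr(fs.read("/etc/motd")))
    print("image still has:", repr(fs.image_read("/etc/motd")))
    print("docker diff:", fs.diff())
```

Note that after `delete("/bin/sh")` the binary is still present in the image layer and is returned by `image_read`; only the container's view changes. This is why cleaning up a downloaded installer in a later RUN instruction does not shrink an image: the bytes remain in the earlier layer.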

Dockerfile -> image -> registry

(Docker images - figures 4 and 5)


A Dockerfile consists of just two kinds of statement:
# Comment                a comment line
Instruction arguments    an instruction followed by its arguments; one instruction per line

The file must be named Dockerfile, with a capital D.
Dockerfile instructions are case-insensitive, but to tell them apart from their arguments they are conventionally written in uppercase.
Instructions in a Dockerfile are executed in order, from top to bottom.
The first non-comment line in a Dockerfile must be a FROM instruction, which names the base image the new image is built from.
Any file the Dockerfile references must be in the same directory as the Dockerfile or in a subdirectory of it; the parent directory or any other path is not valid.
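The rules above can be checked before a build runs. The following is an added example, not part of the page or of Docker itself: a small parser that splits a Dockerfile into instructions (dropping comment lines and joining backslash continuations the way the builder does) and then applies the rules that FROM must come first and that COPY/ADD sources must stay inside the build context. It also flags RUN lines that disable TLS verification on downloads, as the wget call in the example Dockerfile below does. The sample Dockerfile is constructed for this check.

```python
"""Static checks for a few Dockerfile rules.

Added example, not Docker's own code. The parser keeps only what the checks
need: instruction name plus its argument string.
"""
import json
import shlex
from typing import List, Tuple

Instruction = Tuple[str, str]  # (INSTRUCTION, arguments)


def parse_dockerfile(text: str) -> List[Instruction]:
    """Return (name, args) pairs. Comment lines are removed before continuation
    lines are joined, which is also how Docker treats a comment inside a RUN."""
    instructions: List[Instruction] = []
    pending: List[str] = []

    def flush() -> None:
        joined = " ".join(pending).strip()
        pending.clear()
        if joined:
            parts = joined.split(None, 1)
            instructions.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1].strip())
            continue
        pending.append(line)
        flush()
    flush()  # a file ending in a continuation still yields its last instruction
    return instructions


def copy_sources(args: str) -> List[str]:
    """Sources of a COPY/ADD: everything except flags (--chown=...) and the destination."""
    tokens = json.loads(args) if args.startswith("[") else shlex.split(args)
    tokens = [t for t in tokens if not t.startswith("--")]
    return tokens[:-1]


def check_dockerfile(text: str) -> List[str]:
    findings: List[str] = []
    instructions = parse_dockerfile(text)
    if not instructions:
        return ["no instructions found"]
    # Rule: the first instruction must be FROM. ARG is the one instruction that
    # Docker (17.05 and later) allows before it, so a parametrised base image passes.
    first = next((name for name, _ in instructions if name != "ARG"), None)
    if first != "FROM":
        findings.append(f"first instruction must be FROM, found {first}")
    for name, args in instructions:
        if name in ("COPY", "ADD"):
            for src in copy_sources(args):
                if src.startswith(("http://", "https://")):
                    findings.append(f"{name}: remote source {src} is fetched at build time, outside the context")
                elif ".." in src.split("/"):
                    findings.append(f"{name}: source {src} escapes the build context (parent directory)")
                elif src.startswith("/"):
                    findings.append(f"{name}: absolute source {src} is resolved under the build context, not the host root")
        elif name == "RUN":
            tokens = set(args.split())
            for flag in ("--no-check-certificate", "--insecure", "-k"):
                if flag in tokens:
                    findings.append(f"RUN: TLS verification disabled with {flag}")
    return findings


# Constructed sample with deliberate problems (not a Dockerfile from the page).
SAMPLE_DOCKERFILE = """\
# constructed sample with deliberate problems
ARG BASE=centos:7
FROM ${BASE}
WORKDIR /app
COPY ../secrets.env /app/
RUN yum -y install wget \\
    # this comment sits inside a continuation and is dropped by the builder
    && wget --no-check-certificate -q -O pkg.rpm https://example.invalid/pkg.rpm \\
    && yum -y remove wget
COPY --chown=1000:1000 app.war /app/
ADD ["/etc/passwd", "/app/"]
CMD ["sh", "-c", "echo ok"]
"""

if __name__ == "__main__":
    for finding in check_dockerfile(SAMPLE_DOCKERFILE):
        print(finding)
```

The context rule is enforced by Docker itself at build time (a `..` source is rejected), but catching it in review is cheaper, and the absolute-path case is the one that silently does something other than intended: `COPY /etc/passwd` reads `<context>/etc/passwd`, not the host file.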

Reference
https://www.cnblogs.com/edisonchou/p/dockerfile_inside_introduction.html
Example

  FROM centos
  # 1. Set the working directory
  WORKDIR /usr/local
  # 2. Pin the versions
  ENV JAVA=jdk-8u181-linux-x64 TOMCAT=apache-tomcat-8.0.53
  # 3. Create the directories. Chain as many commands as possible into one RUN instruction to avoid extra layers, and clean up afterwards
  RUN mkdir java \
  && mkdir tomcat \
  && cd java \
  && yum -y install wget \
  && wget -q -O jdk-linux.rpm --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u181-b13/96a7b8442fe848ef90c96a2fad6ed6d1/${JAVA}.rpm \
  && rpm -ivh jdk-linux.rpm \
  && rm -rf jdk-linux.rpm \
  && cd ../tomcat \
  && wget -q http://apache.claz.org/tomcat/tomcat-8/v8.0.53/bin/${TOMCAT}.tar.gz \
  && tar -zxv -f ${TOMCAT}.tar.gz \
  && rm -rf ${TOMCAT}.tar.gz \
  && rm -rf ${TOMCAT}/webapps/ROOT \
  && yum -y remove wget;
  # 4. Copy the war files from the build context
  ONBUILD COPY *.war ./tomcat/${TOMCAT}/webapps/
  # 5. Start the container
  ONBUILD ENTRYPOINT ["/usr/local/tomcat/apache-tomcat-8.0.53/bin/catalina.sh","run"]
  # 6. Base environment build complete
  CMD ["sh","-c","echo Environment construction completed"]

Official nginx Docker image

nginxinc/docker-nginx

https://github.com/nginxinc/docker-nginx/blob/master/stable/alpine/Dockerfile

Example
https://blog.51cto.com/dengaosky/2426483

Multi-stage builds (combining build stages in one image)

Requirements:
Docker 17.05 or later
https://blog.csdn.net/boling_cavalry/article/details/90742657
https://docs.docker.com/develop/develop-images/multistage-build/

Best practices for writing Dockerfiles (Docker 18.09).pdf

Base image

  [root@riyimei docker]# cat Dockerfile
  FROM centos:7
  ENV container docker
  RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == \
  systemd-tmpfiles-setup.service ] || rm -f $i; done); \
  rm -f /lib/systemd/system/multi-user.target.wants/*;\
  rm -f /etc/systemd/system/*.wants/*;\
  rm -f /lib/systemd/system/local-fs.target.wants/*; \
  rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
  rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
  rm -f /lib/systemd/system/basic.target.wants/*;\
  rm -f /lib/systemd/system/anaconda.target.wants/*;
  VOLUME [ "/sys/fs/cgroup" ]
  CMD ["/usr/sbin/init"]

  [root@riyimei docker]# docker build --rm -t local/c7-systemd .
  Sending build context to Docker daemon 2.56kB
  Step 1/5 : FROM centos:7
  7: Pulling from library/centos
  ab5ef0e58194: Pull complete
  Digest: sha256:4a701376d03f6b39b8c2a8f4a8e499441b0d567f9ab9d58e4991de4472fb813c
  Status: Downloaded newer image for centos:7
  ---> 5e35e350aded
  Step 2/5 : ENV container docker
  ---> Running in 49fc2862ce9e
  Removing intermediate container 49fc2862ce9e
  ---> 33822cd236ef
  Step 3/5 : RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); rm -f /lib/systemd/system/multi-user.target.wants/*;rm -f /etc/systemd/system/*.wants/*;rm -f /lib/systemd/system/local-fs.target.wants/*; rm -f /lib/systemd/system/sockets.target.wants/*udev*; rm -f /lib/systemd/system/sockets.target.wants/*initctl*; rm -f /lib/systemd/system/basic.target.wants/*;rm -f /lib/systemd/system/anaconda.target.wants/*;
  ---> Running in c4b4f8110113
  Removing intermediate container c4b4f8110113
  ---> 68a87c415a5b
  Step 4/5 : VOLUME [ "/sys/fs/cgroup" ]
  ---> Running in 3869cc1fd8f7
  Removing intermediate container 3869cc1fd8f7
  ---> 74aad90ab141
  Step 5/5 : CMD ["/usr/sbin/init"]
  ---> Running in 925030db2aba
  Removing intermediate container 925030db2aba
  ---> 900b71d7e1bb
  Successfully built 900b71d7e1bb
  Successfully tagged local/c7-systemd:latest

Image security
rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.1.6/trivy_0.1.6_Linux-64bit.rpm

https://www.freebuf.com/sectool/207757.html
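Installing a scanner is only useful if its findings stop something. The following is an added example, not from the page or from the trivy project: it reads a scan report and decides whether a build should be blocked, with a severity threshold, an option to ignore findings that have no fixed version yet, and an allow list of accepted CVE ids. The constructed report follows the shape of trivy's `--format json` output in the 0.1.x series (a list of targets, each with a Vulnerabilities list carrying VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity); treat those field names as an assumption and confirm them against the version you run. The CVE identifiers are placeholders.

```python
"""Gate a build on container-image scan results.

Added example; the report layout is an assumption modelled on trivy 0.1.x JSON.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List, Set

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed report; CVE ids, package names and versions are placeholders.
SAMPLE_REPORT = json.dumps([
    {
        "Target": "example/app:v1 (centos 7.6)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl-libs",
             "InstalledVersion": "1.0.2k-16", "FixedVersion": "1.0.2k-19",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "bash",
             "InstalledVersion": "4.2.46-31", "FixedVersion": "",
             "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "glibc",
             "InstalledVersion": "2.17-260", "FixedVersion": "2.17-292",
             "Severity": "CRITICAL"},
        ],
    }
])


def load_findings(report_json: str) -> List[Dict]:
    """Flatten the per-target report into one list, tagging each entry with its target."""
    findings: List[Dict] = []
    for target in json.loads(report_json):
        # trivy emits null rather than [] for a target with no findings.
        for vuln in target.get("Vulnerabilities") or []:
            findings.append(dict(vuln, Target=target.get("Target", "")))
    return findings


def severity_counts(report_json: str) -> Dict[str, int]:
    """Summary line for the build log: how many findings per severity."""
    return dict(Counter(v.get("Severity", "UNKNOWN") for v in load_findings(report_json)))


def blocking_findings(report_json: str, threshold: str = "HIGH",
                      ignore_unfixed: bool = False,
                      accepted: Iterable[str] = ()) -> List[Dict]:
    """Findings that should stop the pipeline.

    threshold       lowest severity that blocks
    ignore_unfixed  skip findings with no FixedVersion (nothing to upgrade to yet)
    accepted        CVE ids with a documented risk acceptance; the same job a
                    registry-side CVE allow list (as in Harbor) does at pull time
    """
    accepted_ids: Set[str] = set(accepted)
    minimum = SEVERITY_RANK[threshold]
    blocking: List[Dict] = []
    for v in load_findings(report_json):
        if v["VulnerabilityID"] in accepted_ids:
            continue
        if ignore_unfixed and not v.get("FixedVersion"):
            continue
        if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) >= minimum:
            blocking.append(v)
    return blocking


def should_block(report_json: str, **policy) -> bool:
    return bool(blocking_findings(report_json, **policy))


if __name__ == "__main__":
    print("counts:", severity_counts(SAMPLE_REPORT))
    for v in blocking_findings(SAMPLE_REPORT, threshold="HIGH"):
        print(f"BLOCK {v['VulnerabilityID']} {v['PkgName']} {v['InstalledVersion']}"
              f" -> {v['FixedVersion'] or 'no fix'} ({v['Severity']})")
    raise SystemExit(1 if should_block(SAMPLE_REPORT) else 0)
```

Ignoring unfixed findings keeps the gate from blocking on things nobody can act on yet, but they should still be counted and reported; the accepted list should live in version control next to the Dockerfile so that each exception has an owner and a reason.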


Image registries

Reference
https://blog.51cto.com/dengaosky/2427258
Official private registry: Docker Registry
https://docs.docker.com/registry/
Third-party registry: Harbor
https://goharbor.io/
Project page
https://github.com/goharbor/harbor/releases
Installation requirements:
docker 17.06.0-ce+ and docker-compose 1.18.0+
Installation guide
https://github.com/goharbor/harbor/tree/master/docs/1.10

Harbor's features fall into four groups: multi-tenant access control (role-based access control and project isolation), image management policies (storage quotas, artifact retention, vulnerability scanning, provenance signing, immutable artifacts, garbage collection and so on), security and compliance (authentication, scanning, CVE exception rules and so on) and interoperability (webhooks, remote content replication, pluggable scanners, a REST API, robot accounts and so on).

  sudo ./install.sh --with-notary --with-trivy --with-chartmuseum
  sudo ./install.sh --with-clair

  docker tag nginx:latest 192.168.31.130/devops/nginx:v1
  [root@docker-node1 harbor]# docker login 192.168.31.130
  Username: liwm
  Password:
  WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
  Configure a credential helper to remove this warning. See
  https://docs.docker.com/engine/reference/commandline/login/#credentials-store
  Login Succeeded
  [root@docker-node1 harbor]#
  [root@docker-node1 harbor]# docker push 192.168.31.130/devops/nginx:v1
  The push refers to repository [192.168.31.130/devops/nginx]
  318be7aea8fc: Pushed
  fe08d5d042ab: Pushed
  f2cb0ecef392: Pushed
  v1: digest: sha256:4a50ed86d8c86e35f530d4a168173677a192177eed14146fbb5728b1b3a2d4de size: 948
  [root@docker-node1 harbor]# cat /etc/docker/daemon.json
  {
  "registry-mirrors": ["https://0bb06s1q.mirror.aliyuncs.com"],
  "insecure-registries" : ["192.168.31.130"]
  }
  [root@docker-node1 harbor]#
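The session above contains two things worth auditing on every Docker host: the `insecure-registries` entry in daemon.json, which lets the daemon talk to that registry without TLS, and the `docker login` warning that the password is stored unencrypted in config.json. The following is an added example, not part of the page: it checks both files and reports the affected registries and user names without ever printing a password. /etc/docker/daemon.json and ~/.docker/config.json are the real file locations; the contents used here are constructed.

```python
"""Audit Docker daemon and client configuration for weak registry settings.

Added example. Inputs are constructed strings in the layout of
/etc/docker/daemon.json and ~/.docker/config.json.
"""
import base64
import json
from typing import List

# Constructed daemon.json: one mirror plus two registries allowed without TLS.
DAEMON_JSON = json.dumps({
    "registry-mirrors": ["https://mirror.example.invalid"],
    "insecure-registries": ["192.0.2.10", "192.0.2.11:5000"],
})

# Constructed config.json with no credsStore / credHelpers: the "auth" value is
# just base64("user:password"), which is what the docker login warning refers to.
CLIENT_CONFIG_JSON = json.dumps({
    "auths": {
        "192.0.2.10": {"auth": base64.b64encode(b"deploy:placeholder-password").decode()},
        "https://index.docker.io/v1/": {},
    }
})


def audit_daemon(text: str) -> List[str]:
    """Each insecure registry is a place where images can be read or replaced in transit."""
    cfg = json.loads(text)
    return [
        f"daemon: {registry} is listed in insecure-registries; pulls and pushes to it "
        f"are not protected by TLS"
        for registry in cfg.get("insecure-registries", [])
    ]


def audit_client_config(text: str) -> List[str]:
    """Any auths entry that still carries an "auth" value is a reversible credential."""
    cfg = json.loads(text)
    findings: List[str] = []
    for registry, entry in cfg.get("auths", {}).items():
        token = entry.get("auth")
        if not token:
            continue  # managed by a credential helper, or never logged in
        # Decode only to recover the user name; the password is never shown.
        user = base64.b64decode(token).decode("utf-8", "replace").split(":", 1)[0]
        findings.append(
            f"client: password for user {user} at {registry} is stored as base64 in "
            f"config.json; configure a credential helper (credsStore or credHelpers)"
        )
    if not cfg.get("credsStore") and not cfg.get("credHelpers") and findings:
        findings.append("client: no credential helper configured")
    return findings


if __name__ == "__main__":
    for line in audit_daemon(DAEMON_JSON) + audit_client_config(CLIENT_CONFIG_JSON):
        print(line)
```

When a credential helper is configured, `docker login` writes an empty object for the registry under `auths` and stores the secret in the helper, which is exactly the condition the second check treats as clean.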

Docker image export and import

Export:

  [root@n9e ~]# docker image ls
  REPOSITORY TAG IMAGE ID CREATED SIZE
  docker.io/filebrowser/filebrowser latest 830d1363b1ef 4 days ago 33.4 MB
  [root@n9e ~]# docker save -o /tmp/filebrowser.tar.gz docker.io/filebrowser/filebrowser:latest
  [root@n9e ~]# ll /tmp/
  total 32648
  -rw------- 1 root root 33431040 Oct 26 09:18 filebrowser.tar.gz
  drwx------ 2 root root 6 Oct 26 09:01 tmp.aV0PHawz9M
  [root@n9e ~]#

Import:
docker load < filebrowser.tar.gz

  [root@prod-smb-server01 tmp]# docker load < filebrowser.tar.gz
  963d3c7196dd: Loading layer [==================================================>] 217.6kB/217.6kB
  b62ffa58b9a4: Loading layer [==================================================>] 69.63kB/69.63kB
  35f09ea19b05: Loading layer [==================================================>] 2.048kB/2.048kB
  943906d44595: Loading layer [==================================================>] 33.12MB/33.12MB
  Loaded image: filebrowser/filebrowser:latest
  [root@prod-smb-server01 tmp]# docker image ls
  REPOSITORY TAG IMAGE ID CREATED SIZE
  filebrowser/filebrowser latest 830d1363b1ef 4 days ago 33.4MB
  [root@prod-smb-server01 tmp]#
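The file that `docker save` writes and `docker load` reads is a plain tar archive (nothing is compressed unless you pipe it through gzip yourself, whatever the file is named). Inside it, manifest.json lists each image's config file, its RepoTags and its layer tars; the image ID is the sha256 of the config file, and the config's rootfs.diff_ids are the sha256 digests of the uncompressed layer tars. That is enough to verify an archive before loading it on a production host, which matters because `docker load` trusts whatever it is given. The following is an added example, not part of the page or of Docker: it builds a minimal archive in that layout in memory, inspects it, and shows that a modified layer is detected.

```python
"""Inspect and verify an archive in the `docker save` layout.

Added example. The sample archive is constructed in memory; the layout
(manifest.json, <image-id>.json config, <dir>/layer.tar) is Docker's.
"""
import hashlib
import io
import json
import tarfile
from typing import Dict, List


def _tar_bytes(files: Dict[str, bytes]) -> bytes:
    """Pack name -> content pairs into an uncompressed tar held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_archive(repo_tag: str = "example/filebrowser:latest") -> bytes:
    """Construct a two-layer image archive (stand-in for a real `docker save`)."""
    layer1 = _tar_bytes({"etc/os-release": b"ID=alpine\n"})
    layer2 = _tar_bytes({"app/filebrowser": b"placeholder binary\n"})
    diff_ids = ["sha256:" + hashlib.sha256(layer).hexdigest() for layer in (layer1, layer2)]
    config = json.dumps({
        "architecture": "amd64", "os": "linux",
        "config": {"Cmd": ["/app/filebrowser"]},
        "rootfs": {"type": "layers", "diff_ids": diff_ids},
    }).encode()
    image_id = hashlib.sha256(config).hexdigest()  # this is the IMAGE ID docker shows
    manifest = json.dumps([{
        "Config": image_id + ".json",
        "RepoTags": [repo_tag],
        "Layers": ["layer1/layer.tar", "layer2/layer.tar"],
    }]).encode()
    return _tar_bytes({"manifest.json": manifest, image_id + ".json": config,
                       "layer1/layer.tar": layer1, "layer2/layer.tar": layer2})


def inspect_saved_image(archive: bytes) -> List[Dict]:
    """Return one record per image in the archive, with integrity checks applied."""
    results: List[Dict] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:

        def read(name: str) -> bytes:
            try:
                member = tar.extractfile(name)
            except KeyError:
                raise ValueError(f"archive is missing {name}") from None
            if member is None:
                raise ValueError(f"{name} is not a regular file")
            return member.read()

        for entry in json.loads(read("manifest.json")):
            config_bytes = read(entry["Config"])
            image_id = hashlib.sha256(config_bytes).hexdigest()
            diff_ids = json.loads(config_bytes)["rootfs"]["diff_ids"]
            # Every layer tar must hash to the diff_id the config claims for it.
            layer_ok = ["sha256:" + hashlib.sha256(read(path)).hexdigest() == expected
                        for path, expected in zip(entry["Layers"], diff_ids)]
            results.append({
                "repo_tags": entry.get("RepoTags") or [],
                "image_id": image_id,
                "config_name_matches": entry["Config"] == image_id + ".json",
                "layers": len(entry["Layers"]),
                "layers_match_config": len(entry["Layers"]) == len(diff_ids) and all(layer_ok),
            })
    return results


def replace_member(archive: bytes, path: str, data: bytes) -> bytes:
    """Rewrite an archive with one member swapped (simulates a tampered layer)."""
    files: Dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    files[path] = data
    return _tar_bytes(files)


if __name__ == "__main__":
    archive = build_sample_archive()
    print("original:", inspect_saved_image(archive))
    tampered = replace_member(archive, "layer2/layer.tar",
                              _tar_bytes({"app/filebrowser": b"modified\n"}))
    print("tampered:", inspect_saved_image(tampered))
```

The digest check only proves the archive is internally consistent with its own config; to prove it is the image you exported, compare `image_id` against the ID recorded at export time (the `docker image ls` output above) over a channel separate from the archive itself.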
Batch-deleting Docker containers and images
1. Delete all containers
docker rm `docker ps -a -q`
2. Delete all images
docker rmi `docker images -q`
3. Conditional deletion: untagged images (the <none> rows; `-q` would print only IDs, so the full listing is filtered)
docker rmi `docker images | awk '/^<none>/ { print $3 }'`
Images whose name contains a keyword
docker rmi --force `docker images | grep doss-api | awk '{print $3}'`  # doss-api is the keyword