- Introduction
- What it can do
- Basic Docker concepts
- Common commands
- Other common commands
- Dockerfile and image registries
- Introduction to Kubernetes
Introduction
- Docker relies on the Linux cgroups mechanism
- Docker solves the problem of virtual machines wasting large amounts of memory
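What it can do
- Keeps the development, test, delivery and deployment environments exactly identical
- Guarantees resource isolation
- Even if the server is attacked, only the Docker environment is compromised
- Start temporary, throwaway environments
- Deploy and scale out at very large scale quickly (within seconds)
- Handle peak traffic by scaling out quickly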
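Basic Docker concepts
1. Image
A predefined template file. The Docker engine can start any number of identical containers from this template, none of which interfere with each other.
2. Container
A virtual computer with its own:
- Network
- File system
- Processes
- By default it does not interact with the host in any way
- Which means data is not persisted!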
Common commands
docker pull / images
- Download a specified image so it can be started at any time
docker pull mysql:5.7.28
- <image registry (defaults to the central registry)>/<image name>:
docker images
List the images available locally
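docker run / ps
- docker run loads an image as a container
- From the container's point of view, it is a standalone computer
- Each container has an ID, which can be abbreviated
- docker run -it <image name> <command and arguments to run in the image>
  - Interactive: runs in the current shell
- docker run -d <image name> <command and arguments to run in the image>
  - Daemon mode: runs in the background
- Common docker run options (placed before the image name)
  - --name, gives the container a name
  - --restart=always, restarts automatically on error
  - -v <local file>:<container file>, file mapping
    - An optional third field sets the permissions: -v <local file>:<container file>:rw
  - -p <local port>:<container port>, port mapping
  - -e NAME=VALUE, sets an environment variable
docker run -d -e MYSQL_ROOT_PASSWORD=my-secret-pw -p 3307:3306 mysql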
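The -e, -p and -v options listed above are also where a container's isolation is most often loosened, so they are worth checking before a command goes into a script. The following is an added example, not part of the original notes: a small reviewer for `docker run` argument lists. The finding labels and the paths under /srv and /run/secrets are assumptions of this example; `MYSQL_ROOT_PASSWORD_FILE` is the file-based variant the official mysql image accepts.

```shell
#!/bin/sh
# Added example (not from the original page): review a `docker run` command
# line for risky use of the -e, -p and -v options described above.
# Finding labels are this example's own; sample commands are constructed.

# audit_run ARGS... -> one finding per line, nothing when no check fires.
audit_run() {
    while [ $# -gt 0 ]; do
        opt=$1; val=${2-}
        case $opt in
            -e|--env)
                name=${val%%=*}
                case $val in
                    *=*) case $name in
                            *_FILE) ;;  # value is a path to a secret file, not the secret
                            *PASSWORD*|*SECRET*|*TOKEN*)
                                # Inline values land in shell history and `docker inspect`.
                                echo "secret-in-env $name" ;;
                         esac ;;
                esac ;;
            -p|--publish)
                case $val in
                    0.0.0.0:*:*) echo "port-all-interfaces $val" ;;
                    *:*:*) ;;   # ip:hostPort:containerPort with an explicit address
                    *) echo "port-all-interfaces $val" ;;  # no address: every interface
                esac ;;
            -v|--volume)
                src=${val%%:*}
                case $val in *:*:ro|*:*:ro,*) mode=ro ;; *) mode=rw ;; esac
                case $src in
                    # The daemon socket (even mounted :ro) or / exposes the whole host.
                    /var/run/docker.sock|/) echo "host-control-mount $src" ;;
                    /*) [ "$mode" = ro ] || echo "writable-host-mount $src" ;;
                esac ;;
            *) shift; continue ;;
        esac
        shift
        if [ $# -gt 0 ]; then shift; fi
    done
}

# A MySQL command using the options above, then a tightened variant (both constructed).
audit_run run -d -e MYSQL_ROOT_PASSWORD=my-secret-pw -p 3307:3306 mysql
audit_run run -d -e MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root \
    -v /srv/secrets/mysql_root:/run/secrets/mysql_root:ro \
    -p 127.0.0.1:3307:3306 mysql:5.7.28
```

The first call reports two findings and the second reports none. Bracketed IPv6 bind addresses are not analysed.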
docker start/stop
- Start/stop a container
docker rm
- Remove a container
docker exec
1. Target a specific container and run a command inside it
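Other common commands
- docker logs
  - -f
- docker ps
- docker inspect <container id>
- docker images, lists the images
- docker rmi, removes an image
- docker tag <image ID> <image name>: , gives the image a name (REPOSITORY) and a TAG
  - REPOSITORY determines the address the image is pushed to when running docker push
  - Use REPOSITORY:TAG when downloading
  - Tagging an image pushes it automatically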
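Both the `docker pull` reference format and the REPOSITORY rule above come down to how an image reference is split into registry, repository and tag, which decides where an image is fetched from and where `docker push` sends it. The sketch below is an added example, not part of the original notes. It applies Docker's defaulting rules (docker.io, the library/ namespace, the latest tag); the sample references, including registry.example.com, are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): resolve an image reference to
# "registry repository tag-or-digest". Sample references are constructed.

parse_image_ref() {
    ref=$1; tag=; digest=
    # A digest (@sha256:...) pins exact content; split it off first.
    case $ref in
        *@*) digest=${ref#*@}; ref=${ref%%@*} ;;
    esac
    # A tag is a ':' in the last path component, so a registry port
    # such as localhost:5000 is not mistaken for a tag.
    last=${ref##*/}
    case $last in
        *:*) tag=${last##*:}; ref=${ref%:*} ;;
    esac
    # The first component is a registry host only if it contains '.' or ':'
    # or is "localhost"; otherwise the reference goes to Docker Hub.
    case $ref in
        */*) first=${ref%%/*}
             case $first in
                 *.*|*:*|localhost) registry=$first; repo=${ref#*/} ;;
                 *) registry=docker.io; repo=$ref ;;
             esac ;;
        *) registry=docker.io; repo=$ref ;;
    esac
    # Single-name images on Docker Hub live under library/.
    if [ "$registry" = docker.io ]; then
        case $repo in */*) ;; *) repo=library/$repo ;; esac
    fi
    [ -n "$tag" ] || [ -n "$digest" ] || tag=latest
    printf '%s %s %s\n' "$registry" "$repo" "${digest:-$tag}"
}

for r in mysql:5.7.28 mysql team/app localhost:5000/app \
         registry.example.com:5000/team/app:1.2; do
    printf '%-42s -> %s\n' "$r" "$(parse_image_ref "$r")"
done
```

A name without a registry prefix always resolves to docker.io, so an image meant for a private registry must carry that registry's host in its REPOSITORY.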
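Dockerfile and image registries
1. Docker images are layered
- An example Elasticsearch Dockerfile: built up layer by layer on top of centos7
- The purpose of layering is reuse: two images that are both based on centos7 can share that one layer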
```dockerfile
#
# This Dockerfile was generated from the template at distribution/src/docker/Dockerfile
# Beginning of multi stage Dockerfile
#

#
# Build stage 0 `builder`:
# Extract elasticsearch artifact
# Install required plugins
# Set gid=0 and make group perms==owner perms
#
FROM centos:7 AS builder
ENV PATH /usr/share/elasticsearch/bin:$PATH
RUN groupadd -g 1000 elasticsearch && adduser -u 1000 -g 1000 -d /usr/share/elasticsearch elasticsearch
WORKDIR /usr/share/elasticsearch
RUN cd /opt && curl --retry 8 -s -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.4.2-linux-x86_64.tar.gz && cd -
RUN tar zxf /opt/elasticsearch-7.4.2-linux-x86_64.tar.gz --strip-components=1
RUN grep ES_DISTRIBUTION_TYPE=tar /usr/share/elasticsearch/bin/elasticsearch-env && sed -ie 's/ES_DISTRIBUTION_TYPE=tar/ES_DISTRIBUTION_TYPE=docker/' /usr/share/elasticsearch/bin/elasticsearch-env
RUN mkdir -p config data logs
RUN chmod 0775 config data logs
COPY config/elasticsearch.yml config/log4j2.properties config/

#
# Build stage 1 (the actual elasticsearch image):
# Copy elasticsearch from stage 0
# Add entrypoint
#
FROM centos:7
ENV ELASTIC_CONTAINER true
RUN for iter in {1..10}; do yum update --setopt=tsflags=nodocs -y && yum install -y --setopt=tsflags=nodocs nc && yum clean all && exit_code=0 && break || exit_code=$? && echo "yum error: retry $iter in 10s" && sleep 10; done; (exit $exit_code)
RUN groupadd -g 1000 elasticsearch && adduser -u 1000 -g 1000 -G 0 -d /usr/share/elasticsearch elasticsearch && chmod 0775 /usr/share/elasticsearch && chgrp 0 /usr/share/elasticsearch
WORKDIR /usr/share/elasticsearch
COPY --from=builder --chown=1000:0 /usr/share/elasticsearch /usr/share/elasticsearch

# Replace OpenJDK's built-in CA certificate keystore with the one from the OS
# vendor. The latter is superior in several ways.
# REF: https://github.com/elastic/elasticsearch-docker/issues/171
RUN ln -sf /etc/pki/ca-trust/extracted/java/cacerts /usr/share/elasticsearch/jdk/lib/security/cacerts
ENV PATH /usr/share/elasticsearch/bin:$PATH
COPY --chown=1000:0 bin/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh

# Openshift overrides USER and uses ones with randomly uid>1024 and gid=0
# Allow ENTRYPOINT (and ES) to run even with a different user
RUN chgrp 0 /usr/local/bin/docker-entrypoint.sh && chmod g=u /etc/passwd && chmod 0775 /usr/local/bin/docker-entrypoint.sh
EXPOSE 9200 9300

LABEL org.label-schema.build-date="2019-10-28T20:40:44.883016Z" \
  org.label-schema.license="Elastic-License" \
  org.label-schema.name="Elasticsearch" \
  org.label-schema.schema-version="1.0" \
  org.label-schema.url="https://www.elastic.co/products/elasticsearch" \
  org.label-schema.usage="https://www.elastic.co/guide/en/elasticsearch/reference/index.html" \
  org.label-schema.vcs-ref="2f90bbf7b93631e52bafb59b3b049cb44ec25e96" \
  org.label-schema.vcs-url="https://github.com/elastic/elasticsearch" \
  org.label-schema.vendor="Elastic" \
  org.label-schema.version="7.4.2" \
  org.opencontainers.image.created="2019-10-28T20:40:44.883016Z" \
  org.opencontainers.image.documentation="https://www.elastic.co/guide/en/elasticsearch/reference/index.html" \
  org.opencontainers.image.licenses="Elastic-License" \
  org.opencontainers.image.revision="2f90bbf7b93631e52bafb59b3b049cb44ec25e96" \
  org.opencontainers.image.source="https://github.com/elastic/elasticsearch" \
  org.opencontainers.image.title="Elasticsearch" \
  org.opencontainers.image.url="https://www.elastic.co/products/elasticsearch" \
  org.opencontainers.image.vendor="Elastic" \
  org.opencontainers.image.version="7.4.2"

ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
# Dummy overridable parameter parsed by entrypoint
CMD ["eswrapper"]

#
# End of multi-stage Dockerfile
#
```
2. Dockerfile
- Specifies how an image is built
- Writing a Dockerfile
- A minimal Dockerfile; build the image with `docker build .`
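```dockerfile
# Base image
FROM ubuntu:16.04
# Install nginx and write an HTML file
RUN apt-get update && apt-get install -y nginx
RUN echo "Hello World" > /usr/share/nginx/html/index.html
# Expose port 80 so that the file written in the previous step can be reached
EXPOSE 80
```
- In the directory that contains the Dockerfile, run `docker build .` to build the image
- Every image has a unique ID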
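Introduction to Kubernetes
Docker and K8S
- K8S is a container orchestration engine built entirely on Docker
- It supports rolling updates without affecting the externally exposed interfaces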