Summary
[root@docker-01 ~]# docker rmi 192.168.70.105:5000/centos_sshd:v1 // remove an image
Untagged: 192.168.70.105:5000/centos_sshd:v1
Untagged: 192.168.70.105:5000/centos_sshd@sha256:46f82210f0270d044e1b341ce93c9f2b9fe1d3fd5ba4924e67306456ec5c1031
[root@docker-01 ~]# docker rmi -f 1ec5026b54bc
Untagged: my-image:latest
Deleted: sha256:1ec5026b54bced43afee2c217d5c1cda90e2f2ab6c71c420fbce63e52721abcd
// Containers are removed with docker rm; if the container is still Up, add -f (it is killed first).
// rmi only removes images from the local host; it never deletes anything from the registry.
// docker rmi $(docker images -q -f dangling=true) removes dangling images: entries whose REPOSITORY and TAG both show <none>, i.e. image layers that lost their tag (typically an old build superseded by a rebuild with the same tag).
[root@docker-01 ~]# docker images -q -f dangling=true
[root@docker-01 ~]# docker images -f dangling=true
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@docker-01 ~]# docker images -q
f0cd718a3d81
1c52006bcfa2
bfcb9b8f15f6
b4f91978e2cc
9c7a54a9a43c
ba6acccedd29
ba6acccedd29
ba6acccedd29
ba6acccedd29
1e1148e4cc2c
// list images as name:tag
[root@docker-01 ~]# docker images --format "{{.Repository}}:{{.Tag}}"
centos_nginx:v1
ubuntu-with-vim:latest
centos-with-vim:latest
httpd:latest
hello-world:latest
192.168.70.105/centos01/hello-world:latest
192.168.70.105/centos01/ubuntu:20.01
192.168.70.105/centos01:ubuntu
192.168.70.105:5000/ubuntu:v1
centos:latest
// full image details (the Id is the sha256 of the image config; RepoTags lists every tag pointing at it)
[root@docker-01 ~]# docker inspect centos_nginx:v1
[
{
"Id": "sha256:f0cd718a3d81c46a0046d5408b0ddadf22fdd81e35d7decc74aceb421eb0db37",
"RepoTags": [
"centos_nginx:v1"
],
// docker save / docker load export and import images. Move the exported tarball with scp, rsync or a USB stick.
// Note: docker save always writes a plain, uncompressed tar, so the .tar.gz name below is cosmetic; docker load accepts plain tarballs as well as gzip/bzip2/xz-compressed ones.
[root@docker-01 ~]# docker save -o hello-world.tar.gz hello-world:latest // export
[root@docker-01 ~]# ls
anaconda-ks.cfg bunch.tar.gz Dockerfile hello-world.tar.gz nginx sshd_dockerfile tmpfile2 ubantu
[root@docker-01 ~]# docker rmi -f hello-world:latest
Untagged: hello-world:latest
Untagged: hello-world@sha256:fc6cf906cbfa013e80938cdf0bb199fbdbb86d6e3e013783e5a766f50f5dbce0
Deleted: sha256:9c7a54a9a43cca047013b82af109fe963fde787f63f9e016fdc3384500c2823d
[root@docker-01 ~]# docker load --input hello-world.tar.gz // import
Loaded image: hello-world:latest
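Added example (not part of the original notes): before running docker load on a tarball that arrived over scp, rsync or a USB stick, recompute the image ID from the tarball and compare it with the ID recorded on the sending host. The image ID is the sha256 of the image config JSON, and manifest.json inside the tarball names that config file, so the check needs only tar, sed and sha256sum. The function names (verify_image_tar and its helpers) and the --check flag are this example's own, and the tarball used in testing is constructed, not a real image.

```sh
#!/bin/sh
# Added example, not from the original notes: check a `docker save` tarball
# before `docker load`-ing it on the receiving host.
#
# An image ID is the sha256 of the image's config JSON, and manifest.json in
# the tarball names that config file. The receiver can therefore recompute the
# ID from the tarball and compare it with the ID the sender exported, which
# catches a truncated, corrupted or swapped file however it travelled.
# Layers are not checked here; docker load compares them with the config's
# rootfs.diff_ids when it imports.
set -e

# sha256 of stdin as a bare hex string (shasum fallback for hosts without coreutils).
sha256_of_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d ' ' -f 1
}

# Name of the config file recorded in manifest.json. Older Docker writes
# "<id>.json", newer ones "blobs/sha256/<id>"; both are the value of "Config".
manifest_config_path() {
    tar -xOf "$1" manifest.json | sed -n 's/.*"Config":"\([^"]*\)".*/\1/p' | head -n 1
}

# Image ID that `docker load` would assign to this tarball.
tar_image_id() {
    cfg=$(manifest_config_path "$1")
    if [ -z "$cfg" ]; then
        echo "$1: no Config entry in manifest.json" >&2
        return 1
    fi
    tar -xOf "$1" "$cfg" | sha256_of_stdin
}

# verify_image_tar TARBALL EXPECTED_ID   (EXPECTED_ID with or without "sha256:")
# exit 0 when the tarball loads to EXPECTED_ID, 1 otherwise.
verify_image_tar() {
    expected=${2#sha256:}
    actual=$(tar_image_id "$1") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 -> sha256:$actual"
        return 0
    fi
    echo "MISMATCH: $1 expected sha256:$expected, got sha256:$actual" >&2
    return 1
}

# Command-line use (hypothetical flag for this example):
#   ./verify_image.sh --check hello-world.tar.gz sha256:<id from the sender>
if [ "${1:-}" = "--check" ] && [ $# -eq 3 ]; then
    verify_image_tar "$2" "$3"
fi
```

On the sending host, record the full ID with docker images --no-trunc -q hello-world:latest (it prints sha256:...); on the receiving host run the check and only then docker load -i the file. Because docker save writes a plain tar, tar -xOf reads it directly; if you gzip it for transport, GNU tar still detects the compression.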
Docker Containers
Docker runs applications in containers. A container is a running instance created from an image; it can be created, started, stopped and deleted. Each container gets its own namespaces (processes, users, mounts, network) and cgroup limits, so every application runs in its own isolated environment with its own privileges, users and network, and containers do not interfere with each other. Caveat: this isolation is enforced by the host kernel, which all containers share, so it is a weaker boundary than a virtual machine, and a process running as root inside a container is also uid 0 on the host unless user-namespace remapping is enabled. Note: images are read-only. When a container starts, Docker adds a writable layer on top; the image layers cannot be modified, while the container layer is read-write and is where the user's changes go.
- Image vs. container: an image is static and does not run; a container is dynamic and has a lifecycle.
Running containers
- The command a container runs can come from three places:
(1) the CMD instruction in the Dockerfile;
(2) the ENTRYPOINT instruction (when both are set, ENTRYPOINT is the executable and CMD supplies its default arguments);
(3) the command given on the docker run command line, which replaces CMD (ENTRYPOINT is only replaced with --entrypoint).
[root@docker-01 ~]# docker run ubuntu pwd
/
[root@docker-01 ~]# docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@docker-01 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
// A container's lifetime is tied to the command it was started with: it stays up as long as that command runs and exits when the command exits. pwd returned immediately, so the container is already Exited and no longer shows in docker ps (docker ps -a still lists it).
[root@docker-01 ~]# docker history httpd:latest
IMAGE CREATED CREATED BY SIZE COMMENT
b4f91978e2cc 2 weeks ago /bin/sh -c #(nop) CMD ["httpd-foreground"] 0B
// CMD ["httpd-foreground"] keeps httpd in the foreground (the equivalent of nginx's daemon off), so the container stays alive.
- Two ways to get into a container
There are two ways in: attach and exec. - docker attach connects your terminal to the container's start command (PID 1), i.e. to its stdin and stdout. Ctrl+C in the attached terminal is forwarded to PID 1 (sig-proxy is on by default) and stops the container; the detach sequence Ctrl+P, Ctrl+Q leaves without stopping it, but only works when the container has a TTY (-t). Stopping from a second terminal, as below, is the safe way out of a container started without one.
[root@docker-01 ~]# docker run -d --name test2 ubuntu:latest /bin/bash -c "while true ; do sleep 5 ; echo 'in container' ; done"
510d02fce6935e4ae6d73034bdf104d71abda09b7ed435a08a3d185c9e705965
[root@docker-01 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
510d02fce693 ubuntu:latest "/bin/bash -c 'while…" 5 seconds ago Up 4 seconds test2
[root@docker-01 ~]# docker attach test2
in container
in container
in container
// from another terminal, stop it
[root@docker-01 ~]# docker stop test2
test2
- docker exec runs a command inside a running container
[root@docker-01 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@docker-01 ~]# docker start test2
test2
[root@docker-01 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
510d02fce693 ubuntu:latest "/bin/bash -c 'while…" 8 minutes ago Up 2 seconds test2
[root@docker-01 ~]# docker exec test2 ls
bin
boot
dev
etc
home
lib
lib32
lib64
libx32
media
[root@docker-01 ~]# docker exec -it test2 bash
root@510d02fce693:/# ps
PID TTY TIME CMD
42 pts/0 00:00:00 bash
52 pts/0 00:00:00 ps
root@510d02fce693:/# ps -aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 3968 1568 ? Ss 11:44 0:00 /bin/bash -c while true ; do sleep 5 ; echo 'in container' ; done
root 42 0.1 0.0 4100 2164 pts/0 Ss 11:46 0:00 bash
root 55 0.0 0.0 2500 376 ? S 11:47 0:00 sleep 5
root 56 0.0 0.0 5888 1416 pts/0 R+ 11:47 0:00 ps -aux
// leave with Ctrl+D or exit; this only ends the bash started by exec, PID 1 keeps running. Note that every process listed runs as root.
- docker logs shows the output of the start command
[root@docker-01 ~]# docker logs -f 510d02fce693
in container
in container
in container
[root@docker-01 ~]# docker rename test2 test1 // rename a container
- By purpose, containers fall roughly into two kinds: service containers (long-running daemons such as httpd or nginx) and tool containers (run a command, then exit).
Recap
Points about running containers:
- The container stops when the command specified by CMD, ENTRYPOINT or the docker run command line exits.
- -d starts the container in the background.
- exec -it enters the container and runs a command in it.
- A container can be referred to in three ways: short ID, long ID, container name.
- --name names a container at creation; docker rename renames it later.
- When docker run creates a container, Docker performs these steps in the background:
1. Check whether the image exists locally; if not, pull it from the registry.
2. Create and start a container from the image.
3. Allocate a filesystem: mount a read-write layer on top of the read-only image layers.
4. Create a virtual interface pair (veth), attach one end to the host's bridge (docker0) and move the other end into the container.
5. Assign the container an IP address from the bridge's address pool.
6. Run the user-specified program.
7. When that program exits, the container stops.
Note: make a habit of reading the built-in help, e.g. docker ps --help.
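Added example (not part of the original notes): the ps output in the exec section shows every process in the container running as root, and with Docker's defaults that is uid 0 on the host as well. The script below turns that observation into a check across the running containers: it asks docker inspect for the fields that widen a container's reach (--privileged, no --user, --network host, --pid host, added capabilities) and judges one line per container. The --format template uses Docker's real field names; the function names, the '|' line layout, the --run flag and the sample lines in the test are this example's own.

```sh
#!/bin/sh
# Added example, not from the original notes: a least-privilege audit of the
# containers running on a host.
#
# docker inspect renders the relevant fields as one '|'-separated line per
# container; audit_line judges such a line, so it can be tested without Docker.
#   name|Privileged|User|NetworkMode|PidMode|CapAdd
INSPECT_FMT='{{.Name}}|{{.HostConfig.Privileged}}|{{.Config.User}}|{{.HostConfig.NetworkMode}}|{{.HostConfig.PidMode}}|{{.HostConfig.CapAdd}}'

# audit_line LINE: print one finding per line; exit 0 if clean, 1 otherwise.
audit_line() {
    IFS='|' read -r name priv user net pid caps <<EOF
$1
EOF
    name=${name#/}          # inspect prefixes the container name with a slash
    n=0
    if [ "$priv" = "true" ]; then
        echo "$name: --privileged (all capabilities, all host devices)"; n=$((n + 1))
    fi
    case "$user" in
        ''|root|0|0:*) echo "$name: runs as root (no --user, or --user 0)"; n=$((n + 1)) ;;
    esac
    if [ "$net" = "host" ]; then
        echo "$name: --network host (shares the host network namespace)"; n=$((n + 1))
    fi
    if [ "$pid" = "host" ]; then
        echo "$name: --pid host (sees and can signal host processes)"; n=$((n + 1))
    fi
    if [ -n "$caps" ] && [ "$caps" != "[]" ]; then
        echo "$name: added capabilities $caps"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# audit_host: run audit_line over every running container; exit 1 if any finding.
audit_host() {
    ids=$(docker ps -q)
    [ -n "$ids" ] || return 0
    # $ids is intentionally word-split: one inspect call, one line per container.
    docker inspect --format "$INSPECT_FMT" $ids | (
        rc=0
        while IFS= read -r line; do audit_line "$line" || rc=1; done
        exit "$rc"
    )
}

# Hypothetical flag for this example: ./audit.sh --run audits the local daemon.
if [ "${1:-}" = "--run" ]; then
    audit_host
fi
```

The fix for the most common finding is on the docker run line: --user 1000:1000 (or a USER instruction in the Dockerfile) so PID 1 is not uid 0, and --cap-drop ALL with only the capabilities the service actually needs added back. --privileged, --network host and --pid host should be reserved for tooling that genuinely needs the host, never for service containers.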
- Removing containers
[root@docker-01 ~]# docker ps -a -f status=exited
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
722b9027c3ea centos_nginx:v1 "nginx -g 'daemon of…" 18 hours ago Exited (0) 18 hours ago nginx01
fad4d553701c ubuntu "pwd" 19 hours ago Exited (0) 19 hours ago blissful_villani
3077cacce403 ubuntu "pwd" 19 hours ago Exited (0) 19 hours ago ecstatic_ramanujan
a227e3a609dd dfca1a28e8b3 "/run.sh" 2 days ago Exited (137) 2 days ago keen_knuth
2d3f567f55ef 1ec5026b54bc "sh" 3 days ago Exited (0) 3 days ago kind_mendel
909f9c776e08 centos_nginx:v1 "/bin/sh -c 'while t…" 3 days ago Exited (137) 3 days ago youthful_dijkstra
f157bad76f39 centos_nginx:v1 "nginx -g 'daemon of…" 3 days ago Exited (0) 3 days ago thirsty_swartz
91653e49be5c centos-with-vim "/bin/bash" 4 days ago Exited (0) 4 days ago vibrant_gauss
995f50a7adbb centos "/bin/bash" 4 days ago Exited (0) 4 days ago adoring_noyce
509a608daadd ubuntu "bash" 4 days ago Exited (127) 4 days ago nostalgic_kapitsa
d27372fcadcf httpd "httpd-foreground" 4 days ago Exited (0) 4 days ago fervent_booth
b7f2079ff8f5 httpd "httpd-foreground" 4 days ago Exited (0) 4 days ago blissful_hypatia
247a0d24936c httpd "httpd-foreground" 4 days ago Exited (0) 4 days ago optimistic_goldstine
15d950759fae httpd "httpd-foreground" 5 days ago Exited (0) 4 days ago romantic_matsumoto
f1aac8a052b3 hello-world "/hello" 5 days ago Exited (0) 5 days ago nervous_northcutt
[root@docker-01 ~]# docker ps -aq -f status=exited
722b9027c3ea
fad4d553701c
3077cacce403
a227e3a609dd
2d3f567f55ef
909f9c776e08
f157bad76f39
91653e49be5c
995f50a7adbb
509a608daadd
d27372fcadcf
b7f2079ff8f5
247a0d24936c
15d950759fae
f1aac8a052b3
[root@docker-01 ~]# docker rm $(docker ps -aq -f status=exited)
722b9027c3ea
fad4d553701c
3077cacce403
a227e3a609dd
2d3f567f55ef
909f9c776e08
f157bad76f39
91653e49be5c
995f50a7adbb
509a608daadd
d27372fcadcf
b7f2079ff8f5
247a0d24936c
15d950759fae
f1aac8a052b3
[root@docker-01 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
510d02fce693 ubuntu:latest "/bin/bash -c 'while…" 2 hours ago Up 2 hours test1
- docker create produces a container in the Created state. docker start starts it in the background. docker run is the combination of docker create and docker start.
Docker networking
- Three built-in networks: none, host and bridge
[root@docker-01 ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
1a0144c5e037 bridge bridge local
c1ade8cf6b57 host host local
a688ab4efbd1 none null local
// none network: the container gets only a loopback interface. Use it for jobs that must not talk to anything, e.g. generating random passwords.
[root@docker-01 ~]# docker run -it --network=none busybox
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
/ #
// host network: the container shares the host's network namespace. Pro: best performance, no NAT. Cons: no port isolation (the container binds directly on host ports and can collide with host services) and it sees and can use every host interface, so it is also a much weaker security boundary. Note the hostname below is the host's.
[root@docker-01 ~]# docker run -it --network=host busybox
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:b2:18:f8 brd ff:ff:ff:ff:ff:ff
inet 192.168.70.106/24 brd 192.168.70.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::5a9d:ed09:948b:8d8/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 02:42:70:a0:b7:7e brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
/ # hostname
docker-01
/ #
// bridge network (the default)
// Containers on it talk to each other through docker0 and reach the outside world via NAT.
// CentOS: yum install bridge-utils
// Ubuntu: apt-get install bridge-utils
[root@docker-01 ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.024270a0b77e no
[root@docker-01 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@docker-01 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@docker-01 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos_nginx v1 f0cd718a3d81 4 days ago 486MB
ubuntu-with-vim latest 1c52006bcfa2 4 days ago 184MB
centos-with-vim latest bfcb9b8f15f6 4 days ago 465MB
httpd latest b4f91978e2cc 2 weeks ago 145MB
hello-world latest 9c7a54a9a43c 3 weeks ago 13.3kB
busybox latest beae173ccac6 17 months ago 1.24MB
192.168.70.105:5000/ubuntu v1 ba6acccedd29 19 months ago 72.8MB
ubuntu latest ba6acccedd29 19 months ago 72.8MB
192.168.70.105/centos01/hello-world latest ba6acccedd29 19 months ago 72.8MB
192.168.70.105/centos01/ubuntu 20.01 ba6acccedd29 19 months ago 72.8MB
192.168.70.105/centos01 ubuntu ba6acccedd29 19 months ago 72.8MB
centos latest 1e1148e4cc2c 4 years ago 202MB
[root@docker-01 ~]# docker run -d centos_nginx:v1
256ad616b9991d775f4ac0f20753e7ddf01386cabd2b2aeda26f33996923f889
[root@docker-01 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
256ad616b999 centos_nginx:v1 "nginx -g 'daemon of…" 8 seconds ago Up 8 seconds (health: starting) 80/tcp compassionate_lewin
[root@docker-01 ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.024270a0b77e no veth4ec5dc6
[root@docker-01 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:b2:18:f8 brd ff:ff:ff:ff:ff:ff
inet 192.168.70.106/24 brd 192.168.70.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::5a9d:ed09:948b:8d8/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:70:a0:b7:7e brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:70ff:fea0:b77e/64 scope link
valid_lft forever preferred_lft forever
5: veth4ec5dc6@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 9a:b2:c7:1f:a9:5a brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::98b2:c7ff:fe1f:a95a/64 scope link
valid_lft forever preferred_lft forever
// now look from inside the container: eth0@if5 is the container end of the veth pair whose host end is veth4ec5dc6@if4 on docker0
[root@docker-01 ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.024270a0b77e no veth4ec5dc6
[root@docker-01 ~]# docker exec -it 256ad616b999 bash
[root@256ad616b999 /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
[root@docker-01 ~]# docker network inspect bridge
[
{
"Name": "bridge",
"Id": "1a0144c5e037b3e00fa3cbe6ba74a1b93d90c746a38eb2e189f742f6be72a246",
"Created": "2023-05-29T06:47:16.655938162+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.17.0.0/16",
"Gateway": "172.17.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"256ad616b9991d775f4ac0f20753e7ddf01386cabd2b2aeda26f33996923f889": {
"Name": "compassionate_lewin",
"EndpointID": "362cb5f3f6ffeb34a820a54c01995b32b8b0bf617439c15f17cb5a5dbb6aa051",
"MacAddress": "02:42:ac:11:00:02",
"IPv4Address": "172.17.0.2/16",
"IPv6Address": ""
}
},
Containers reaching the outside world
- Containers can reach the outside world by default. The key is SNAT (source network address translation).
[root@docker-01 ~]# docker run -d centos_nginx:v1
7a62964c2f64f617f231ffac792a49326afc151a89ccdf16a484dcb5a4f173da
[root@docker-01 ~]# docker exec -it 7a62964c2f64f617f231ffac792a49326afc151a89ccdf16a484dcb5a4f173da bash
[root@7a62964c2f64 /]# ping www.baidu.com
PING www.a.shifen.com (124.237.176.4) 56(84) bytes of data.
64 bytes from 124.237.176.4 (124.237.176.4): icmp_seq=1 ttl=127 time=33.7 ms
64 bytes from 124.237.176.4 (124.237.176.4): icmp_seq=2 ttl=127 time=39.5 ms
[root@docker-01 ~]# docker run -it busybox
/ # ping baidu.com
PING baidu.com (39.156.66.10): 56 data bytes
64 bytes from 39.156.66.10: seq=0 ttl=127 time=43.825 ms
64 bytes from 39.156.66.10: seq=1 ttl=127 time=52.019 ms
// in a second terminal
[root@docker-01 ~]# ip a
[root@docker-01 ~]# yum -y install tcpdump
[root@docker-01 ~]# tcpdump -i docker0 -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on docker0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:37:22.456322 IP 172.17.0.2 > 39.156.66.10: ICMP echo request, id 8, seq 8, length 64
09:37:22.498167 IP 39.156.66.10 > 172.17.0.2: ICMP echo reply, id 8, seq 8, length 64
09:37:23.458337 IP 172.17.0.2 > 39.156.66.10: ICMP echo request, id 8, seq 9, length 64
09:37:23.501969 IP 39.156.66.10 > 172.17.0.2: ICMP echo reply, id 8, seq 9, length 64
09:37:24.458713 IP 172.17.0.2 > 39.156.66.10: ICMP echo request, id 8, seq 10, length 64
// stop the ping, then in the original terminal run ip a
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
/ # ping baidu.com
PING baidu.com (110.242.68.66): 56 data bytes
64 bytes from 110.242.68.66: seq=0 ttl=127 time=46.602 ms
64 bytes from 110.242.68.66: seq=1 ttl=127 time=47.955 ms
64 bytes from 110.242.68.66: seq=2 ttl=127 time=48.181 ms
// new terminal: capture on ens33 instead
[root@docker-01 ~]# tcpdump -i ens33 -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
09:42:23.082372 IP 192.168.70.106 > 110.242.68.66: ICMP echo request, id 10, seq 56, length 64
09:42:23.132114 IP 110.242.68.66 > 192.168.70.106: ICMP echo reply, id 10, seq 56, length 64
09:42:24.083240 IP 192.168.70.106 > 110.242.68.66: ICMP echo request, id 10, seq 57, length 64
09:42:24.128107 IP 110.242.68.66 > 192.168.70.106: ICMP echo reply, id 10, seq 57, length 64
09:42:25.085605 IP 192.168.70.106 > 110.242.68.66: ICMP echo request, id 10, seq 58, length 64
09:42:25.131984 IP 110.242.68.66 > 192.168.70.106: ICMP echo reply, id 10, seq 58, length 64
09:42:26.085895 IP 192.168.70.106 > 110.242.68.66: ICMP echo request, id 10, seq 59, length 64
09:42:26.132067 IP 110.242.68.66 > 192.168.70.106: ICMP echo reply, id 10, seq 59, length 64
What the two captures show:
1. busybox sends the ping: 172.17.0.2 > www.baidu.com (on docker0 the source is still the container's address).
2. docker0 receives the packet; its destination is outside 172.17.0.0/16, so the host routes it towards ens33 and the nat table's POSTROUTING chain handles it.
3. The MASQUERADE (SNAT) rule that Docker installs for the bridge subnet (visible with iptables -t nat -S POSTROUTING) rewrites the source to the ens33 address: 192.168.70.106 > www.baidu.com.
4. The packet leaves via ens33 and reaches www.baidu.com; conntrack maps the replies back to 172.17.0.2.
Through this NAT, Docker gives containers outbound access to the outside world.
- The outside world reaching a container
Port mapping, i.e. DNAT (destination address translation): Docker adds a nat rule that rewrites traffic arriving at the host port to the container's IP and port.
// uppercase -P: publish every port the image EXPOSEs to a random high host port
[root@docker-01 ~]# docker run -d -P httpd
be0e3c41145244ee8d40a2aab960b1ea1165a11b7c89669c97b2285c9edd97c4
[root@docker-01 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
be0e3c411452 httpd "httpd-foreground" 4 seconds ago Up 3 seconds 0.0.0.0:32769->80/tcp, :::32769->80/tcp awesome_thompson
// from the host (or anything that can reach it): http://192.168.70.106:32769/
// lowercase -p: map a chosen free host port to a container port
[root@docker-01 ~]# docker run -d -p 8801:80 httpd
9e54209c62d3c71f2daa80501e13a563e37f547ab4ddb8ca525edbf5c8a60db4
[root@docker-01 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9e54209c62d3 httpd "httpd-foreground" 4 seconds ago Up 2 seconds 0.0.0.0:8801->80/tcp, :::8801->80/tcp compassionate_torvalds
// from the host: http://192.168.70.106:8801/. In both PORTS columns the binding is 0.0.0.0:PORT and :::PORT, i.e. on every host address. Traffic to a published port is DNATed to the container and passes through the FORWARD chain (Docker's DOCKER chain), not INPUT, so host firewall rules written for INPUT (ufw's defaults, for instance) do not cover it. Bind to loopback with -p 127.0.0.1:8801:80 when the service should only be reachable from the host itself, e.g. behind a local reverse proxy.
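Added example (not part of the original notes): the DNAT section and the two docker run -P / -p runs above both end with ports bound on 0.0.0.0 and ::, which, given Docker's own iptables rules, means reachable from every network the host is on. The script below reads the same PORTS text that docker ps prints and lists each published port bound on all interfaces, so you can find such containers on a host. The --format template is Docker's real syntax; the function names, the 'NAME|PORTS' line layout, the --run flag and the sample lines in the test are this example's own.

```sh
#!/bin/sh
# Added example, not from the original notes: find published ports that are
# reachable from every network the host is on.
#
# docker ps prints mappings as "HOST_IP:HOST_PORT->CONTAINER_PORT/proto",
# comma-separated, e.g. "0.0.0.0:32769->80/tcp, :::32769->80/tcp"; a port that
# is only EXPOSEd and not published prints as "80/tcp". check_ports_line works
# on that text alone, so it can be tested without Docker; audit_ports feeds it
# real docker ps output.
PS_FMT='{{.Names}}|{{.Ports}}'

# check_ports_line 'NAME|PORTS': print each all-interfaces binding; exit 1 if any.
check_ports_line() {
    name=${1%%|*}
    ports=${1#*|}
    found=0
    oldifs=$IFS
    IFS=','
    for m in $ports; do
        IFS=$oldifs
        m=${m# }                      # mappings are separated by ", "
        case "$m" in
            *'->'*) ;;                # published port
            *) continue ;;            # "80/tcp": only EXPOSEd, nothing listens on the host
        esac
        hostside=${m%%->*}            # 0.0.0.0:32769 | :::32769 | 127.0.0.1:8801
        hostip=${hostside%:*}         # 0.0.0.0       | ::       | 127.0.0.1
        case "$hostip" in
            0.0.0.0|::|'[::]')
                echo "$name: $hostside -> ${m#*->} is bound on all interfaces"
                found=1 ;;
        esac
    done
    IFS=$oldifs
    [ "$found" -eq 0 ]
}

# audit_ports: check every running container; exit 1 if any public binding.
audit_ports() {
    docker ps --format "$PS_FMT" | (
        rc=0
        while IFS= read -r line; do check_ports_line "$line" || rc=1; done
        exit "$rc"
    )
}

# Hypothetical flag for this example: ./ports.sh --run audits the local daemon.
if [ "${1:-}" = "--run" ]; then
    audit_ports
fi
```

A loopback binding such as 127.0.0.1:8801->80/tcp is not reported; that is the form to use (-p 127.0.0.1:8801:80) for anything that should only be reached through a proxy on the host. Remember that the report reflects Docker's view only: a port it flags is exposed regardless of INPUT-chain firewall rules, because published traffic is forwarded to the container rather than delivered to the host.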