Kubernetes: Docker Basics
- TAGS: Kubernetes
Docker
Docker: an open-source software project that, on the Linux operating system, provides an additional software abstraction layer and an automated management mechanism for operating-system-level virtualization.
Docker design philosophy and history
Physical machine:
- Install the operating system
- Dependency environment
  - Java: JDK, JRE
  - NodeJS: Node
  - PHP: PHP
- Application
- Add another physical machine -> higher concurrency
Virtual machine:
KVM, Xen
- Virtualize one physical machine into multiple machines
- Package the dependency environment as a system template
Containerization:
Docker
- Base images
  - An image for the dependency environment
    - Java: a base image with Java
    - PHP: a base image with PHP
  - Start from the base image and add your own code or package
    - This produces a new image
    - The application image
- Images are stored in layers
  - A: Java JDK 1.8
    - a.jar
  - B: Java -> JDK 1.8
    - b.jar
  - A: Java JDK 1.8
    - the dependency-environment image
2. Startup is very fast: a container starts in seconds.
Container: take your own application and, on top of some dependency base image, produce an application image.
The application image can run on any machine where a Docker environment is deployed.
Docker basic commands
`docker version`, `docker info`, `docker search`, `docker pull`, `docker push`, `docker run`, `docker logs`, `docker ps`, `docker exec`, `docker cp`, `docker rmi`, `docker rm`, `docker tag`, `docker images`, `docker stop`, `docker build`, `docker history`, `docker commit`
```bash
# Show the Docker version
[root@k8s-master01 ~]# docker version
Client: Docker Engine - Community
 Version:           19.03.4
 API version:       1.40
 Go version:        go1.12.10
 Git commit:        9013bf583a
 Built:             Fri Oct 18 15:52:22 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.4
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.10
  Git commit:       9013bf583a
  Built:            Fri Oct 18 15:50:54 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.6
  GitCommit:        894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc:
  Version:          1.0.0-rc8
  GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683
```

Docker details:

```bash
[root@k8s-master01 ~]# docker info
Client:
 Debug Mode: false

Server:
 Containers: 8
  Running: 4
  Paused: 0
  Stopped: 4
 Images: 8
 Server Version: 19.03.4
 Storage Driver: overlay2          # alternatives: aufs, overlay, btrfs
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file         # json-file: logs are stored locally
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc version: 425e105d5a03fabd737a126ad93d62a9eeede87f
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 4.18.0-80.el8.x86_64
 Operating System: CentOS Linux 8 (Core)
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 1.764GiB
 Name: k8s-master01
 ID: PRWL:PVRE:U7JQ:LNM6:SNLN:4QDV:URQA:MWQF:XXCE:VOT3:53GL:ECC6
 Docker Root Dir: /var/lib/docker  # can be changed; put it on an SSD, ideally a dedicated disk mounted for it
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
```

Search for images:

```bash
[root@k8s-master01 ~]# docker search centos
NAME                               DESCRIPTION                                     STARS   OFFICIAL   AUTOMATED
centos                             The official build of CentOS.                   6054    [OK]
ansible/centos7-ansible            Ansible on Centos7                              130                [OK]
consol/centos-xfce-vnc             Centos container with "headless" VNC session…   116                [OK]
jdeathe/centos-ssh                 OpenSSH / Supervisor / EPEL/IUS/SCL Repos - …   114                [OK]
centos/systemd                     systemd enabled base container.                 84                 [OK]
centos/mysql-57-centos7            MySQL 5.7 SQL database server                   77
imagine10255/centos6-lnmp-php56    centos6-lnmp-php56                              58                 [OK]
tutum/centos                       Simple CentOS docker image with SSH access      47
centos/postgresql-96-centos7       PostgreSQL is an advanced Object-Relational …   45
kinogmt/centos-ssh                 CentOS with SSH                                 29                 [OK]
pivotaldata/centos-gpdb-dev        CentOS image for GPDB development. Tag names…   12
guyton/centos6                     From official centos6 container with full up…   10                 [OK]
drecom/centos-ruby                 centos ruby                                     6                  [OK]
centos/tools                       Docker image that has systems administration…   6                  [OK]
pivotaldata/centos                 Base centos, freshened up a little with a Do…   4
pivotaldata/centos-gcc-toolchain   CentOS with a toolchain, but unaffiliated wi…   3
pivotaldata/centos-mingw           Using the mingw toolchain to cross-compile t…   3
darksheer/centos                   Base Centos Image -- Updated hourly             3                  [OK]
miko2u/centos6                     CentOS6 日本語環境                               2                  [OK]
blacklabelops/centos               CentOS Base Image! Built and Updates Daily!     1                  [OK]
mcnaughton/centos-base             centos base image                               1                  [OK]
indigo/centos-maven                Vanilla CentOS 7 with Oracle Java Developmen…   1                  [OK]
pivotaldata/centos6.8-dev          CentosOS 6.8 image for GPDB development         0
smartentry/centos                  centos with smartentry                          0                  [OK]
pivotaldata/centos7-dev            CentosOS 7 image for GPDB development           0
[root@k8s-master01 ~]# docker search nginx
NAME                               DESCRIPTION                                     STARS   OFFICIAL   AUTOMATED
nginx                              Official build of Nginx.                        13358   [OK]
```

Pull an image to the local host:

```bash
[root@k8s-master01 ~]# docker pull alpine:latest
latest: Pulling from library/alpine
df20fa9351a1: Already exists
Digest: sha256:185518070891758909c9f839cf4ca393ee977ac378609f700f60a771a2dfe321
Status: Downloaded newer image for alpine:latest
docker.io/library/alpine:latest
```

push: push an image to a registry.

Docker run: start a container from an image.
1. Foreground start
   a) `[root@k8s-master01 ~]# docker run -ti centos:8 bash`
   b) `[root@55eb31fec62e /]# whoami`
   c) `root`
2. Background start: `-d` starts the container in the background.
View container logs: `docker logs -f`
Dockerfile
- FROM: the base image to build on
- MAINTAINER: author information for the image
- RUN: execute a shell command
- EXPOSE: declare the port the container listens on
- CMD: the default command executed when the container starts
- ENTRYPOINT: the command that is actually executed when the container starts
- VOLUME: create a mount point
- ENV: set environment variables
- ADD: copy files into the container
- COPY: copy files into the container
- WORKDIR: set the container's working directory
- USER: the user the container runs as
At least one of CMD and ENTRYPOINT must be present. CMD can be overridden; when ENTRYPOINT is present, CMD becomes the arguments of ENTRYPOINT: ENTRYPOINT -> command, CMD -> args.
```dockerfile
# Dockerfile 1: exec-form CMD
FROM centos:8
LABEL maintainer="test dockerfile"
LABEL test=dockerfile
RUN useradd dot
RUN mkdir /opt/dot
CMD [ "sh", "-c", "echo 1"]
#RUN useradd dot && /opt/dot
```

```dockerfile
# Dockerfile 2: ENV, ADD/COPY, WORKDIR, USER and a shell-form CMD
FROM centos:8
LABEL maintainer="test dockerfile"
LABEL test=dockerfile
ENV test_env1 env1
ENV test_env2 env2
RUN useradd dot
RUN mkdir /opt/dot
#ENTRYPOINT ["echo"]
ENV env1=test1 env2=test2
# ADD extracts a local archive into the target directory; COPY keeps the file as-is
ADD ./index.tar.gz /opt/
COPY ./index.tar.gz /opt/dot/
WORKDIR /opt/dot
# Run as a non-root UID (the first regular user created with useradd is typically 1000)
USER 1000
# Shell form: executed as /bin/sh -c "pwd ; ls"
CMD pwd ; ls
#RUN useradd dot && /opt/dot
```
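As an added example (not code from these notes), the following Python script applies the CMD/ENTRYPOINT rules above to a Dockerfile and returns the argv the container will actually start with; it also covers the case the notes do not spell out, namely that a shell-form ENTRYPOINT ignores CMD and `docker run` arguments entirely. Line continuations and multi-stage builds are out of scope.

```python
import json

# Added example: resolve the command a container runs from its Dockerfile,
# following Docker's rules: exec form (JSON array) is used as written, shell
# form is wrapped in ["/bin/sh", "-c", ...], ENTRYPOINT is the command and CMD
# supplies its default arguments, and `docker run IMAGE args` replaces CMD only.
# If ENTRYPOINT is in shell form, CMD and run arguments are ignored entirely.

def _parse_form(value):
    """Return (argv, is_exec_form) for a CMD/ENTRYPOINT value."""
    value = value.strip()
    if value.startswith("["):
        return json.loads(value), True
    return ["/bin/sh", "-c", value], False

def parse_dockerfile(text):
    """Return (entrypoint, entrypoint_is_exec, cmd); later instructions win."""
    entrypoint, entry_exec, cmd = None, True, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        instr, _, rest = line.partition(" ")
        if instr.upper() == "ENTRYPOINT":
            entrypoint, entry_exec = _parse_form(rest)
        elif instr.upper() == "CMD":
            cmd, _ = _parse_form(rest)
    return entrypoint, entry_exec, cmd

def effective_command(text, run_args=None):
    """argv the container starts with; run_args = extra args of `docker run`."""
    entrypoint, entry_exec, cmd = parse_dockerfile(text)
    if entrypoint is None and cmd is None:
        raise ValueError("Dockerfile needs at least one of CMD or ENTRYPOINT")
    if entrypoint is not None and not entry_exec:
        return entrypoint                        # shell-form ENTRYPOINT: CMD ignored
    if run_args:                                 # runtime args replace CMD only
        cmd = list(run_args)
    return (entrypoint or []) + (cmd or [])

# Constructed inputs mirroring the two Dockerfiles in the notes above.
EXEC_CMD = 'FROM centos:8\nCMD [ "sh", "-c", "echo 1"]\n'
ENTRY_PLUS_SHELL_CMD = 'FROM centos:8\nENTRYPOINT ["echo"]\nCMD pwd ; ls\n'

if __name__ == "__main__":
    print(effective_command(EXEC_CMD))                      # ['sh', '-c', 'echo 1']
    print(effective_command(ENTRY_PLUS_SHELL_CMD))          # ['echo', '/bin/sh', '-c', 'pwd ; ls']
    print(effective_command(ENTRY_PLUS_SHELL_CMD, ["hi"]))  # ['echo', 'hi']
```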
Building images
Building small images:
- Never use the centos image
- Alpine, busybox, scratch (an empty image), Debian
- Glibc-based: node:slim, python:slim, net
Use multi-stage builds: separate the compile step from the step that produces the final image.
```dockerfile
# build step
FROM golang:1.14.4-alpine as builder
WORKDIR /opt
COPY main.go /opt
RUN go build /opt/main.go
CMD "./main"

# create real app image
FROM alpine:3.8
COPY --from=builder /opt/main /
# the binary was copied to /, so it is /main in this stage (not /opt/main)
CMD ["/main"]
```

```dockerfile
FROM php:7.1.22-fpm-alpine
RUN apk add --no-cache binutils freetype libpng libjpeg-turbo freetype-dev libpng-dev libjpeg-turbo-dev libc6-compat libxml2 libxml2-dev libmcrypt libmcrypt-dev libc-dev icu-dev gettext-dev openssl-dev bzip2-dev
RUN docker-php-ext-install pdo pdo_mysql mcrypt zip gd pcntl opcache bcmath
#RUN docker-php-ext-install gettext
RUN docker-php-ext-install mysqli
#RUN apk add --no-cache php7-sysvsem php7-pdo_dblib php7-sockets php-soap php7-xmlrpc
##RUN apk add --no-cache php7-sysvsem php7-pdo_dblib php7-sockets php-soap php7-xmlrpc
##RUN apk add --no-cache freetds-dev
##RUN docker-php-ext-install pdo_dblib
#RUN docker-php-ext-install soap
#RUN docker-php-ext-install sockets
#RUN docker-php-ext-install sysvsem
#RUN docker-php-ext-install xmlrpc
#RUN apk add --no-cache freetds-dev
#RUN docker-php-ext-install pdo_dblib
#RUN docker-php-ext-configure gd --with-freetype-dir=/usr/include/ --with-jpeg-dir=/usr/include/
#RUN docker-php-ext-install -j$(nproc) gd
#FROM php:7.1.22-fpm-alpine
#COPY --from=0 /usr/local/lib/php/extensions/no-debug-non-zts-20160303 /usr/local/lib/php/extensions/no-debug-non-zts-20160303
#RUN apk add --no-cache freetds-dev php7-sysvsem php7-pdo_dblib php7-sockets php-soap php7-xmlrpc binutils freetype libpng libjpeg-turbo freetype-dev libpng-dev libjpeg-turbo-dev libc6-compat libxml2 libxml2-dev libmcrypt libmcrypt-dev libc-dev icu-dev gettext-dev openssl-dev bzip2-dev && cd /usr/local/lib/php/extensions/no-debug-non-zts-20160303 && docker-php-ext-enable *.so && rm -rf /var/cache/apk/*
```
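To make the small-image and multi-stage rules above checkable, here is an added Python lint (not the notes' own tooling) that looks only at the final stage of a Dockerfile and reports a centos base, a base that is not one of the small images listed, a missing USER, ADD of a local path, and `apk add` without `--no-cache`. The rules and messages are this example's own choices.

```python
import re

# Added example (not from the notes): lint the final stage of a Dockerfile
# against the image-size and least-privilege points above. Only the last FROM
# matters in a multi-stage build, because earlier stages are discarded once
# the final stage has copied what it needs. Rules and messages are this example's.

SMALL_BASES = {"alpine", "busybox", "scratch", "debian"}   # the notes' list

def stages(text):
    """Split a Dockerfile into (base_image, [instructions]) per FROM."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.upper().startswith("FROM "):
            out.append((line.split()[1], []))
        elif out:
            out[-1][1].append(line)
    return out

def lint(text):
    """Return findings for the final stage; an empty list means clean."""
    st = stages(text)
    if not st:
        return ["no FROM instruction"]
    base, ins = st[-1]
    repo, _, tag = base.partition(":")
    name = repo.rsplit("/", 1)[-1]
    findings = []
    if name == "centos":
        findings.append("final stage is based on centos; use a small base image")
    elif not (name in SMALL_BASES or "slim" in tag or "alpine" in tag):
        findings.append(f"final stage base {base} is not a known small image")
    if not any(i.upper().startswith("USER ") for i in ins):
        findings.append("no USER instruction: the container runs as root")
    if any(i.upper().startswith("ADD ") and not re.search(r"https?://", i) for i in ins):
        findings.append("ADD of a local path auto-extracts archives; prefer COPY")
    if any("apk add" in i and "--no-cache" not in i for i in ins):
        findings.append("apk add without --no-cache keeps index files in the layer")
    return findings

# Constructed Dockerfile mirroring the Go multi-stage build in the notes.
GO_MULTI = ("FROM golang:1.14.4-alpine as builder\nWORKDIR /opt\nCOPY main.go /opt\n"
            "RUN go build /opt/main.go\nFROM alpine:3.8\nCOPY --from=builder /opt/main /\n"
            'CMD ["/main"]\n')

if __name__ == "__main__":
    print(lint(GO_MULTI))   # ['no USER instruction: the container runs as root']
```

Even the multi-stage Go image above is flagged: it is small, but nothing in it drops root.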
Resource cleanup
Docker 18.09 introduced BuildKit, which improves build performance, security and storage management.

```bash
# Show disk usage
docker system df
# Show full details
docker system df -v
```

The output has the following sections:

```
Images space usage:
Containers space usage:
Local Volumes space usage:
Build cache usage:
```
Cleanup

```bash
# Remove dangling images that take up space but are no longer used
docker images -aq -f 'dangling=true' | xargs docker rmi
# Remove stopped containers, unused networks, dangling images and build cache
# (add --volumes to also remove unused volumes)
docker system prune
# Also remove every image not used by any container
docker system prune -a
```
Build cache cleanup

```bash
# Remove all build cache
docker builder prune
# Remove cache older than 10 days
docker builder prune --filter 'until=240h'
# Scheduled cleanup via the system crontab
0 0 * * * echo 'y' | docker builder prune
```
Deletion

```bash
docker stop $(docker ps -a | grep "Exited" | awk '{print $1 }')   # stop exited containers
docker rm $(docker ps -a | grep "Exited" | awk '{print $1 }')     # remove exited containers
docker rmi $(docker images | grep "none" | awk '{print $3}')      # remove <none> images
docker rmi $(docker images -q) -f                                 # remove ALL images; use with care
```
Containerd
ctr
```bash
# List namespaces, containers and images
ctr ns list
ctr --namespace k8s.io containers ls
ctr --namespace k8s.io images ls
```
crictl
The ctr tool that ships with containerd has limited functionality; crictl from cri-tools is the more complete option:
https://github.com/kubernetes-sigs/cri-tools
```bash
VERSION="v1.31.1"
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-$VERSION-linux-amd64.tar.gz
sudo tar zxvf crictl-$VERSION-linux-amd64.tar.gz -C /usr/local/bin
rm -f crictl-$VERSION-linux-amd64.tar.gz
```
Configure the runtime endpoint

```bash
# containerd
cat <<EOF | sudo tee /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
EOF

# 1. If the runtime is Docker (via cri-dockerd):
cat <<EOF | sudo tee /etc/crictl.yaml
runtime-endpoint: unix:///var/run/cri-dockerd.sock
image-endpoint: unix:///var/run/cri-dockerd.sock
timeout: 10
debug: false
EOF

# 2. cri-o:
cat <<EOF | sudo tee /etc/crictl.yaml
runtime-endpoint: unix:///var/run/crio/crio.sock
image-endpoint: unix:///var/run/crio/crio.sock
timeout: 10
debug: false
EOF

# Test the connection
crictl info
```
Common commands

```bash
# Help
crictl <subcommand> help
# List all images
crictl img
# or
crictl images
# Show image details
crictl inspecti <image-id>
# Pull an image
crictl pull <image-name>
# Running containers
crictl ps
# All containers
crictl ps -a
# Remove unused image layers
crictl rmi --prune
```
Troubleshooting
Check container resource usage

```bash
crictl stats -a
```
Identify a container from a snapshot path
Given the path /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1077/fs/data/log, how do you determine which container it belongs to?

```bash
# Find the mount point
mount | grep overlay | grep 1077
overlay on /run/containerd/io.containerd.runtime.v2.task/k8s.io/078464e2ddf49d647dc10da72e2cd1b9f1a3e6b2739e21de1e8acf582206bbf4/rootfs type overlay (rw,relatime,...workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1077/work,index=off)
# or
findmnt | grep /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/1077/fs
# Confirm the container name
ctr -n k8s.io containers list | grep 078464e2ddf49d647dc10da72e2
```
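The grep above works for one snapshot; as an added example (not the notes' code), the Python below does the same mapping programmatically over `mount` output and also tells you whether the snapshot is the container's private upperdir or a lowerdir image layer shared with other containers. The container ID and snapshot 1077 come from the notes; the second container and the lower-layer numbers are constructed.

```python
import re

# Added example (not part of the notes): map an overlayfs snapshot number to the
# containerd container whose rootfs uses it, by parsing `mount` output like the
# line shown above. upperdir is the container's private writable layer; lowerdir
# entries are image layers that several containers may share.

MOUNT_RE = re.compile(r"^overlay on (?P<target>\S+) type overlay \((?P<opts>[^)]*)\)$")
TASK_RE = re.compile(r"/io\.containerd\.runtime\.v2\.task/(?P<ns>[^/]+)/(?P<cid>[0-9a-f]{64})/rootfs$")
SNAP_RE = re.compile(r"/snapshots/(\d+)/")

def parse_overlay_mounts(mount_output):
    """Yield (namespace, container_id, options dict) per container rootfs mount."""
    for line in mount_output.splitlines():
        m = MOUNT_RE.match(line.strip())
        t = TASK_RE.search(m.group("target")) if m else None
        if not t:
            continue                       # not a containerd task rootfs
        opts = dict(o.partition("=")[::2] for o in m.group("opts").split(","))
        yield t.group("ns"), t.group("cid"), opts

def snapshot_roles(opts):
    """Map snapshot number -> 'upperdir' or 'lowerdir' for one mount."""
    roles = {}
    for key in ("lowerdir", "upperdir"):   # lowerdir is colon-separated
        for path in opts.get(key, "").split(":"):
            s = SNAP_RE.search(path)
            if s:
                roles[int(s.group(1))] = key
    return roles

def find_containers(mount_output, snapshot):
    """All (namespace, container_id, role) whose rootfs references `snapshot`."""
    hits = []
    for ns, cid, opts in parse_overlay_mounts(mount_output):
        roles = snapshot_roles(opts)
        if snapshot in roles:
            hits.append((ns, cid, roles[snapshot]))
    return hits

# Constructed `mount` lines: CID_A and snapshot 1077 come from the notes; the
# second container and the shared lower layers (1076, 1075) are made up.
SNAP = "/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots"
def _mount_line(cid, lower, upper):
    lowerdir = ":".join(f"{SNAP}/{n}/fs" for n in lower)
    return (f"overlay on /run/containerd/io.containerd.runtime.v2.task/k8s.io/{cid}/rootfs "
            f"type overlay (rw,relatime,lowerdir={lowerdir},upperdir={SNAP}/{upper}/fs,"
            f"workdir={SNAP}/{upper}/work,index=off)")
CID_A, CID_B = "078464e2ddf49d647dc10da72e2cd1b9f1a3e6b2739e21de1e8acf582206bbf4", "b" * 64
SAMPLE_MOUNT = "\n".join([_mount_line(CID_A, [1076, 1075], 1077), _mount_line(CID_B, [1076, 1075], 1080)])
```

On a real node, feed it the output of `mount` (or `cat /proc/mounts` reformatted) instead of SAMPLE_MOUNT; `find_containers(SAMPLE_MOUNT, 1077)` returns the k8s.io container above with role upperdir.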
Check a container's network state

```bash
# 1. Find the container ID for the Pod
# List containers with the CRI tool (e.g. crictl)
# (--name filters on container name; -p <pod-id> filters by Pod sandbox)
crictl ps --name <pod-name> -o yaml
# Or find the node the Pod runs on via kubectl
kubectl get pod <pod-name> -o wide

# 2. Get the container's process PID
CONTAINER_ID="<container ID>"
PID=$(sudo crictl inspect --output=json $CONTAINER_ID | jq .info.pid)

# 3. Enter the container's network namespace
nsenter -n -t $PID
# Subsequent commands run inside the Pod's network namespace.

# 4. Inspect network connections
# Active connections
ss -tunap
# Filter connections by a specific IP
ss -tunap src 172.21.80.173    # connections whose source IP is the Pod IP
ss -tunap dst 172.21.80.173    # connections whose destination IP is the Pod IP
# Connection-tracking table (conntrack)
conntrack -L -d 172.21.80.173  # conntrack entries related to the Pod IP

# 5. Leave the network namespace
exit
```