docker清理容器
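# Docker housekeeping one-liners and shell aliases.
# docker's --format takes a Go template, so the braces are {{ }}; the spaced
# '{ {' seen in rendered copies of these notes is a page-rendering artefact
# and would make docker print the template text literally.

# Remove the container automatically once it exits.
docker run --rm centos /bin/echo "One"
# Kill every running container. 'docker ps -q' lists running containers only;
# the original used 'ps -a -q', which also feeds stopped containers to kill.
docker kill $(docker ps -q)
# Remove all untagged (dangling) images.
docker rmi $(docker images -q -f dangling=true)
# Remove all stopped containers (running ones are refused without -f).
docker rm $(docker ps -a -q)
# Show images as name:tag.
docker images --format "{{.Repository}}:{{.Tag}}"

alias tag='docker images --format "{{.Repository}}:{{.Tag}}"'
alias bb='docker run -it --rm busybox'
alias dp='docker ps -a'
alias dt='docker images --format "{{.Repository}}:{{.Tag}}"'
# Destructive: removes every stopped container on the host.
alias dc='docker rm $(docker ps -a -q)'
alias ds='docker stats'
alias kk='kubectl get pod --all-namespaces -o wide --show-labels'
alias ks='kubectl get svc --all-namespaces -o wide'
alias kss='kubectl get svc --all-namespaces -o wide --show-labels'
alias wk='watch kubectl get pod --all-namespaces -o wide --show-labels'
alias kv='kubectl get pv -o wide'
alias kvc='kubectl get pvc -o wide --all-namespaces --show-labels'
alias kbb='kubectl run -it --rm --restart=Never busybox --image=busybox sh'
alias kbbc='kubectl run -it --rm --restart=Never curl --image=appropriate/curl sh'
# 'kd' was defined twice in the original ('deploy ... -o wide', then
# 'deployment ... --show-labels'); the later definition wins, so only it is kept.
alias kd='kubectl get deployment --all-namespaces --show-labels'
alias kcm='kubectl get cm --all-namespaces -o wide'
alias kin='kubectl get ingress --all-namespaces -o wide'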
自动补全
yum install bash-com* -y
wget https://raw.githubusercontent.com/lannyMa/scripts/master/docker
mv docker /etc/bash_completion.d/
# 注意: 放进 /etc/bash_completion.d/ 的脚本会被每个登录 shell 自动 source; 上面这个是从个人仓库 raw 地址下载的, 建议直接用下面官方 tgz 里自带的 docker/completion/bash/docker.
$ wget https://get.docker.com/builds/Linux/x86_64/docker-17.04.0-ce.tgz
$ tar -xvf docker-17.04.0-ce.tgz
$ cp docker/docker* /root/local/bin
$ cp docker/completion/bash/docker /etc/bash_completion.d/
使用阿里云源安装新版docker-ce
安装步骤
参考:
https://mirrors.aliyun.com/help/docker-ce
https://yq.aliyun.com/articles/110806

yum install -y libnetfilter_conntrack-devel libmnl-devel conntrack-tools socat
echo "net.netfilter.nf_conntrack_acct=1" >> /etc/sysctl.conf
echo "net.netfilter.nf_conntrack_timestamp=1" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf

yum install -y yum-utils device-mapper-persistent-data lvm2
# 如果docker-ce.repo内容为空,则参考下面附.
# 注意: 这里用 http 下载 repo 文件, repo 文件本身(包括里面的 gpgkey 地址)没有任何校验; 镜像站支持 https(见下文附的 repo 内容), 建议改用 https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
sudo yum makecache fast
sudo yum install docker-ce -y
mkdir -p /etc/docker
# 注意: >> 是追加写; 如果 daemon.json 已经存在, 追加后会得到非法 JSON, dockerd 会起不来.
cat >>/etc/docker/daemon.json<
systemctl daemon-reload
systemctl restart docker && systemctl enable docker
配置转发
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
sysctl -w net.ipv4.ip_forward=1
echo 'iptables -P FORWARD ACCEPT' >> /etc/rc.local
iptables -P FORWARD ACCEPT
sysctl -p
docker pull busybox
echo "alias bb='docker run -it --rm busybox'" >> /etc/bashrc
source /etc/bashrc
# 注意: 下面停掉 firewalld 并清空 filter/nat 全部规则, 等于把主机防火墙整个关掉; 这只是为了排除防火墙对容器互通的干扰, 生产环境应只放行 docker/flannel 需要的转发规则.
sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo iptables -F && sudo iptables -X && sudo iptables -F -t nat && sudo iptables -X -t nat
iptables -t nat -L -n
ip netns ls显示
ln -s /var/run/docker/netns /var/run/netns
查看dockerd日志
journalctl -u docker -f
安装docker-compose
cd
yum install python-pip -y
mkdir ~/.pip
cat >pip.conf<
二进制安装docker-ce
下载:
https://download.docker.com/linux/static/stable/x86_64/
tar -xvf docker-17.04.0-ce.tgz
cp docker/docker* /usr/local/bin
cp docker/completion/bash/docker /etc/bash_completion.d/
dockerd --log-level=error --bip=10.2.20.1/24 --mtu=1500 --ip-masq=true
$ cat docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io

[Service]
Environment="PATH=/root/local/bin:/bin:/sbin:/usr/bin:/usr/sbin"
# 这里比较关键
EnvironmentFile=-/run/flannel/docker
ExecStart=/root/local/bin/dockerd --log-level=error $DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
RestartSec=5
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
Delegate=yes
KillMode=process

[Install]
WantedBy=multi-user.target
flannel网络不通问题解决
两台机器间容器通过flannel网络无法互ping
- 以往是这样解决的
systemctl stop firewalld && systemctl disable firewalld
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD ACCEPT
sysctl -p
echo 'iptables -P FORWARD ACCEPT' >> /etc/rc.local
- 这样不好使,排查发现flannel动态生成的subnet.env参数和docker手动指定的不一样 我重启了下所有机器,导致flannel启动后子网发生了变化,而docker启动加载的是之前手动给指定的之前的flannel的子网,因此导致不同.
下面详解了解下flannel如何和docker联动
1.下载flannel后,压缩包里有个生成docker启动参数(网络)的脚本
2.flannel启动会执行这个脚本(flannel的services实现),动态生成docker参数
/usr/local/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/docker
- 创建 flanneld 的 systemd unit 文件
$ cat > flanneld.service << EOF
[Unit]
Description=Flanneld overlay address etcd agent
After=network.target
After=network-online.target
Wants=network-online.target
After=etcd.service
Before=docker.service

[Service]
Type=notify
ExecStart=/root/local/bin/flanneld
ExecStartPost=/root/local/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/docker
Restart=on-failure

[Install]
WantedBy=multi-user.target
RequiredBy=docker.service
EOF
mk-docker-opts.sh 脚本将分配给 flanneld 的 Pod 子网网段信息写入到 /run/flannel/docker 文件中,后续 docker 启动时使用这个文件中参数值设置 docker0 网桥;
-iface 选项值指定 flanneld 和其它 Node 通信的接口,如果机器有内、外网,则最好指定为内网接口;
- 创建docker启动脚本
$ cat docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io

[Service]
Environment="PATH=/root/local/bin:/bin:/sbin:/usr/bin:/usr/sbin"
EnvironmentFile=-/run/flannel/docker
ExecStart=/root/local/bin/dockerd --log-level=error $DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
RestartSec=5
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
Delegate=yes
KillMode=process

[Install]
WantedBy=multi-user.target
flannel自动生成docker参数脚本
/usr/local/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/docker
#!/bin/sh
# mk-docker-opts.sh (shipped with flannel): turn the variables in flannel's
# subnet.env into dockerd command-line options and write them to an env file
# that a systemd unit can pull in with EnvironmentFile=.
#
# Inputs : the flannel env file (-f), read by sourcing it as shell code.
# Outputs: the docker env file (-d), truncated and rewritten on every run.
# Exit   : 1 on usage error or an unrecognised FLANNEL_IPMASQ value.

# Print usage to stderr and exit 1.
usage() {
	echo "$0 [-f FLANNEL-ENV-FILE] [-d DOCKER-ENV-FILE] [-i] [-c] [-m] [-k COMBINED-KEY]

Generate Docker daemon options based on flannel env file
OPTIONS:
	-f	Path to flannel env file. Defaults to /run/flannel/subnet.env
	-d	Path to Docker env file to write to. Defaults to /run/docker_opts.env
	-i	Output each Docker option as individual var. e.g. DOCKER_OPT_MTU=1500
	-c	Output combined Docker options into DOCKER_OPTS var
	-k	Set the combined options key to this value (default DOCKER_OPTS=)
	-m	Do not output --ip-masq (useful for older Docker version)
" >&2
	exit 1
}

# Defaults; all of them can be overridden by the flags parsed below.
flannel_env="/run/flannel/subnet.env"
docker_env="/run/docker_opts.env"
combined_opts_key="DOCKER_OPTS"
indiv_opts=false
combined_opts=false
ipmasq=true

while getopts "f:d:icmk:?h" opt; do
	case $opt in
		f) flannel_env=$OPTARG ;;
		d) docker_env=$OPTARG ;;
		i) indiv_opts=true ;;
		c) combined_opts=true ;;
		m) ipmasq=false ;;
		# NOTE: this value is later spliced into an 'eval' (see below), so it
		# must come from the operator's own unit file, never from anything
		# untrusted.
		k) combined_opts_key=$OPTARG ;;
		[\?h]) usage ;;
	esac
done

# Neither -i nor -c given: emit both forms.
if [ $indiv_opts = false ] && [ $combined_opts = false ]; then
	indiv_opts=true
	combined_opts=true
fi

# Sourcing executes the file as shell code in this process (root under
# systemd). Whatever writes subnet.env effectively runs here; the path is
# also unquoted, so it must not contain whitespace.
if [ -f "$flannel_env" ]; then
	. $flannel_env
fi

# Each FLANNEL_* value becomes one DOCKER_OPT_* variable; the loop further
# down collects them by name prefix.
if [ -n "$FLANNEL_SUBNET" ]; then
	DOCKER_OPT_BIP="--bip=$FLANNEL_SUBNET"
fi

if [ -n "$FLANNEL_MTU" ]; then
	DOCKER_OPT_MTU="--mtu=$FLANNEL_MTU"
fi

# The sense is inverted on purpose: when flannel masquerades the overlay
# traffic itself, docker must NOT also masquerade, and vice versa.
if [ -n "$FLANNEL_IPMASQ" ] && [ $ipmasq = true ] ; then
	if [ "$FLANNEL_IPMASQ" = true ] ; then
		DOCKER_OPT_IPMASQ="--ip-masq=false"
	elif [ "$FLANNEL_IPMASQ" = false ] ; then
		DOCKER_OPT_IPMASQ="--ip-masq=true"
	else
		echo "Invalid value of FLANNEL_IPMASQ: $FLANNEL_IPMASQ" >&2
		exit 1
	fi
fi

# Indirect expansion via eval: start the combined options from whatever the
# variable named by -k already holds (e.g. options inherited from the
# environment). The -k value is interpreted as shell here.
eval docker_opts="\$${combined_opts_key}"
if [ "$docker_opts" ]; then
	docker_opts="$docker_opts ";
fi

# Truncate the output file before appending below.
echo -n "" >$docker_env

# Walk every shell variable whose 'set' line mentions DOCKER_OPT_. This
# matches on the whole line, so a variable whose *value* contains that text
# is picked up too, and values with whitespace would be word-split by the
# unquoted $(...).
for opt in $(set | grep "DOCKER_OPT_"); do
	OPT_NAME=$(echo $opt | awk -F "=" '{print $1;}');
	OPT_VALUE=$(eval echo "\$$OPT_NAME");
	if [ "$indiv_opts" = true ]; then
		echo "$OPT_NAME=\"$OPT_VALUE\"" >>$docker_env;
	fi
	docker_opts="$docker_opts $OPT_VALUE";
done

# Single KEY="..." line consumed by the dockerd unit's $KEY reference.
if [ "$combined_opts" = true ]; then
	echo "${combined_opts_key}=\"${docker_opts}\"" >>$docker_env
fi
把机器上所有image dump成文件,一键导出本地所有镜像
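#!/bin/bash
# Dump every local image into <repository>_<tag>.tar.gz in the current
# directory. Restore with 'docker load -i <file>.tar.gz' (load accepts gzip).
# Requires a working docker CLI; writes into $PWD.
set -u

# One image reference per line. The Go template is {{.Repository}}:{{.Tag}};
# the spaced '{ {' seen in rendered copies of these notes would make docker
# print the template text literally instead of the image name.
while IFS= read -r image; do
  [[ -n "$image" ]] || continue
  # Dangling images have no name to save by; report and skip them instead of
  # producing an unusable '_none___none_.tar'.
  if [[ "$image" == *"<none>"* ]]; then
    printf "Skipping untagged image '%s'\n" "$image" >&2
    continue
  fi
  # '/' and ':' are not safe in a file name; same mapping as sed s#[/:]#_#g.
  file_name=${image//[\/:]/_}
  printf "Saving image '%s' into '%s.tar.gz'\n" "$image" "$file_name"
  # Only compress a complete archive. On failure remove the partial tar so a
  # later 'docker load' cannot pick up a truncated file.
  if docker save -o "$file_name.tar" "$image"; then
    gzip -- "$file_name.tar"
  else
    printf "Failed to save '%s'\n" "$image" >&2
    rm -f -- "$file_name.tar"
  fi
done < <(docker images --format "{{.Repository}}:{{.Tag}}")
# gzip turns the .tar into .tar.gz; 'docker load -i x.tar.gz' reads it
# directly. Skip the gzip step if disk space is not a concern.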
docker json日志驱动滚动和清理参数
参考: https://docs.docker.com/engine/admin/logging/json-file/#usage
默认只有一个日志文件,不会自动切割.
dockerd前台启动
可以指定bridge启动(默认的docker0有nat)
dockerd -b=br0
可以启动后不让修改iptables
dockerd -b=br0 --iptables=false #默认修改的,iptables -t nat -L -n
$ dockerd --helpUsage: dockerd COMMANDA self-sufficient runtime for containers.Options: --add-runtime runtime Register an additional OCI compatible runtime (default []) --allow-nondistributable-artifacts list Allow push of nondistributable artifacts to registry --api-cors-header string Set CORS headers in the Engine API --authorization-plugin list Authorization plugins to load --bip string Specify network bridge IP -b, --bridge string Attach containers to a network bridge --cgroup-parent string Set parent cgroup for all containers --cluster-advertise string Address or interface name to advertise --cluster-store string URL of the distributed storage backend --cluster-store-opt map Set cluster store options (default map[]) --config-file string Daemon configuration file (default "/etc/docker/daemon.json") --containerd string Path to containerd socket --cpu-rt-period int Limit the CPU real-time period in microseconds --cpu-rt-runtime int Limit the CPU real-time runtime in microseconds --data-root string Root directory of persistent Docker state (default "/var/lib/docker") -D, --debug Enable debug mode --default-gateway ip Container default gateway IPv4 address --default-gateway-v6 ip Container default gateway IPv6 address --default-ipc-mode string Default mode for containers ipc ("shareable" | "private") (default "shareable") --default-runtime string Default OCI runtime for containers (default "runc") --default-shm-size bytes Default shm size for containers (default 64MiB) --default-ulimit ulimit Default ulimits for containers (default []) --disable-legacy-registry Disable contacting legacy registries (default true) --dns list DNS server to use --dns-opt list DNS options to use --dns-search list DNS search domains to use --exec-opt list Runtime execution options --exec-root string Root directory for execution state files (default "/var/run/docker") --experimental Enable experimental features --fixed-cidr string IPv4 subnet for fixed IPs --fixed-cidr-v6 string IPv6 
subnet for fixed IPs -G, --group string Group for the unix socket (default "docker") --help Print usage -H, --host list Daemon socket(s) to connect to --icc Enable inter-container communication (default true) --init Run an init in the container to forward signals and reap processes --init-path string Path to the docker-init binary --insecure-registry list Enable insecure registry communication --ip ip Default IP when binding container ports (default 0.0.0.0) --ip-forward Enable net.ipv4.ip_forward (default true) --ip-masq Enable IP masquerading (default true) --iptables Enable addition of iptables rules (default true) --ipv6 Enable IPv6 networking --label list Set key=value labels to the daemon --live-restore Enable live restore of docker when containers are still running --log-driver string Default driver for container logs (default "json-file") -l, --log-level string Set the logging level ("debug"|"info"|"warn"|"error"|"fatal") (default "info") --log-opt map Default log driver options for containers (default map[]) --max-concurrent-downloads int Set the max concurrent downloads for each pull (default 3) --max-concurrent-uploads int Set the max concurrent uploads for each push (default 5) --metrics-addr string Set default address and port to serve the metrics api on --mtu int Set the containers network MTU --network-control-plane-mtu int Network Control plane MTU (default 1500) --no-new-privileges Set no-new-privileges by default for new containers --node-generic-resources string user defined resources (e.g. 
fpga=2;gpu={UUID1,UUID2,UUID3}) --oom-score-adjust int Set the oom_score_adj for the daemon (default -500) -p, --pidfile string Path to use for daemon PID file (default "/var/run/docker.pid") --raw-logs Full timestamps without ANSI coloring --registry-mirror list Preferred Docker registry mirror --seccomp-profile string Path to seccomp profile --selinux-enabled Enable selinux support --shutdown-timeout int Set the default shutdown timeout (default 15) -s, --storage-driver string Storage driver to use --storage-opt list Storage driver options --swarm-default-advertise-addr string Set default address or interface for swarm advertised address --tls Use TLS; implied by --tlsverify --tlscacert string Trust certs signed only by this CA (default "/root/.docker/ca.pem") --tlscert string Path to TLS certificate file (default "/root/.docker/cert.pem") --tlskey string Path to TLS key file (default "/root/.docker/key.pem") --tlsverify Use TLS and verify the remote --userland-proxy Use userland proxy for loopback traffic (default true) --userland-proxy-path string Path to the userland proxy binary --userns-remap string User/Group setting for user namespaces -v, --version Print version information and quit
开启流数据统计
## 开启流数据包统计(packets和bytes)
echo "net.netfilter.nf_conntrack_acct=1" >> /etc/sysctl.conf
## 开启流持续时间统计(delta-time)
echo "net.netfilter.nf_conntrack_timestamp=1" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
conntrack -L -o ktimestamp
让centos7镜像支持中文
RUN yum -y install kde-l10n-Chinese && \
    yum -y reinstall glibc-common && \
    yum clean all && \
    localedef -c -f UTF-8 -i zh_CN zh_CN.utf8
ENV LC_ALL "zh_CN.UTF-8"
docker选项配置参考
安装k8s集群时候,自动给docker配置的
[root@n1 ~]# ps -ef|grep dockerroot 14289 1 2 23:18 ? 00:00:32 /usr/bin/dockerd --insecure-registry=10.233.0.0/18 --graph=/var/lib/docker --log-opt max-size=50m --log-opt max-file=5 --iptables=false --dns 10.233.0.3 --dns 114.114.114.114 --dns-search default.svc.cluster.local --dns-search svc.cluster.local --dns-opt ndots:2 --dns-opt timeout:2 --dns-opt attempts:2[root@n1 ~]# cat /etc/systemd/system/docker.service[Unit]Description=Docker Application Container EngineDocumentation=http://docs.docker.comAfter=network.target docker-storage-setup.serviceWants=docker-storage-setup.service[Service]Type=notifyEnvironment=GOTRACEBACK=crashExecReload=/bin/kill -s HUP $MAINPIDDelegate=yesKillMode=processExecStart=/usr/bin/dockerd \ $DOCKER_OPTS \ $DOCKER_STORAGE_OPTIONS \ $DOCKER_NETWORK_OPTIONS \ $DOCKER_DNS_OPTIONS \ $INSECURE_REGISTRYLimitNOFILE=1048576LimitNPROC=1048576LimitCORE=infinityTimeoutStartSec=1minRestart=on-abnormal[Install]WantedBy=multi-user.target[root@n1 ~]# ll /etc/systemd/system/docker.service.d/total 12-rw-r--r-- 1 root root 234 Dec 27 23:18 docker-dns.conf-rw-r--r-- 1 root root 158 Dec 27 23:18 docker-options.conf-rw-r--r-- 1 root root 288 Dec 27 23:18 http-proxy.conf[root@n1 ~]# cat /etc/systemd/system/docker.service.d/docker-options.conf [Service]Environment="DOCKER_OPTS=--insecure-registry=10.233.0.0/18 --graph=/var/lib/docker --log-opt max-size=50m --log-opt max-file=5 \--iptables=false"[root@n1 ~]# cat /etc/systemd/system/docker.service.d/docker-dns.conf [Service]Environment="DOCKER_DNS_OPTIONS=\ --dns 10.233.0.3 --dns 114.114.114.114 \ --dns-search default.svc.cluster.local --dns-search svc.cluster.local \ --dns-opt ndots:2 --dns-opt timeout:2 --dns-opt attempts:2 \[root@n1 ~]# cat /etc/systemd/system/docker.service.d/http-proxy.conf [Service]Environment="HTTP_PROXY=http://192.168.1.88:1080/" 
"NO_PROXY=192.168.2.14,node4,node4.cluster.local,192.168.2.15,node5,node5.cluster.local,192.168.2.11,node1,node1.cluster.local,192.168.2.12,node2,node2.cluster.local,192.168.2.13,node3,node3.cluster.local,127.0.0.1,localhost"
docker配置代理
参考:https://docs.docker.com/engine/admin/systemd/
修改docker的svc即可.
[Service]
Environment="HTTP_PROXY=http://[proxy-addr]:[proxy-port]/"
或者:
docker -H LOCAL_IP:1028
测试(才700多K的东西):
docker pull gcr.io/google_containers/pause-amd64:3.0
与Supervisord类似的工具包括monit, daemontools和runit。
参考: https://hub.docker.com/r/faisyl/alpine-runit/~/dockerfile/
docker加速器
image: registry.cn-shenzhen.aliyuncs.com/rancher_cn/heapster-grafana-amd64:v4.4.3
image: registry.cn-hangzhou.aliyuncs.com/outman_google_containers/heapster-amd64:v1.4.0
vi /etc/docker/daemon.json
{
  "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]
}
[root@n1 influxdb]# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "hosts": [
    "tcp://0.0.0.0:2375",
    "unix:///var/run/docker.sock"
  ]
}
注意: "hosts" 里的 tcp://0.0.0.0:2375 是不带 TLS 的明文 API, 监听所有网卡; 能连上这个端口的人就等于拿到了宿主机 root. 只应绑定内网地址, 或配合 --tlsverify/--tlscacert/--tlscert/--tlskey 启用证书校验(选项见上文 dockerd --help).
设置insecure-registries
echo '{ "insecure-registries":["registry-srv:5000"] }' >/etc/docker/daemon.json
注意: 这里是 > 覆盖写, 会把 daemon.json 里已有的配置(比如上面的 registry-mirrors)全部覆盖掉; 另外 insecure-registries 下的仓库拉取时没有 TLS 校验, 只应用于内网私有仓库.
docker的dns和日志切割设置
/usr/bin/dockerd --insecure-registry=10.233.0.0/18 --graph=/var/lib/docker --log-opt max-size=50m --log-opt max-file=5 --iptables=false --dns 10.233.0.3 --dns 114.114.114.114 --dns-search default.svc.cluster.local --dns-search svc.cluster.local --dns-opt ndots:2 --dns-opt timeout:2 --dns-opt attempts:2

docker run -it --rm busybox
/ # cat /etc/resolv.conf
search default.svc.cluster.local svc.cluster.local
nameserver 10.233.0.3
nameserver 114.114.114.114
docker-ce.repo阿里云
[docker-ce-stable]name=Docker CE Stable - $basearchbaseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/stableenabled=1gpgcheck=1gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg[docker-ce-stable-debuginfo]name=Docker CE Stable - Debuginfo $basearchbaseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/stableenabled=0gpgcheck=1gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg[docker-ce-stable-source]name=Docker CE Stable - Sourcesbaseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/stableenabled=0gpgcheck=1gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg[docker-ce-edge]name=Docker CE Edge - $basearchbaseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/edgeenabled=0gpgcheck=1gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg[docker-ce-edge-debuginfo]name=Docker CE Edge - Debuginfo $basearchbaseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/edgeenabled=0gpgcheck=1gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg[docker-ce-edge-source]name=Docker CE Edge - Sourcesbaseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/edgeenabled=0gpgcheck=1gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg[docker-ce-test]name=Docker CE Test - $basearchbaseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/testenabled=0gpgcheck=1gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg[docker-ce-test-debuginfo]name=Docker CE Test - Debuginfo $basearchbaseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/testenabled=0gpgcheck=1gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg[docker-ce-test-source]name=Docker CE Test - Sourcesbaseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/testenabled=0gpgcheck=1gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
FLANNEL_MTU = 1450 是 vxlan; FLANNEL_MTU = 1500 是 host-gw.
其他参考
docker的2类存储资源
- docker存储docker提供了2种存储资源: 镜像(由 storage driver 管理): 1.基础镜像层 2.可写层 storage driver overlay2(devicemapper) autfs Data Volume: 1.bind mount 支持f/d ro/rw 目的任意指定 docker run -v的方式 2.docker managed volume 不支持ro /var/lib/docker/volumes/ 1.--volumes-from: 先启一个数据容器,后引用容器容器名 data-packed volume container FROM busybox VOLUME ["/data1","/data2"] docker build . -t busybox1 docker run -itd --name b1 busybox1 1.先在/var/lib/docker/volumes/创建目录 2.挂载到容器/data1 /data2(容器启动会自动创建这两个) docker run -itd --volumes-from b1 busybox 2.docker create volume docker volume create hello docker run -d -v hello:/world busybox ls /world
devicemapper存储设置容量
[root@n1 ~]# docker run -itd -v /data:/data --name b4 busybox1ce96b5f4f135e1e98b33997b95e682efa6287ff744e1613aaacab2e159c353b[root@n1 ~]# docker exec -it b4 sh/ # df -hFilesystem Size Used Available Use% Mounted onoverlay 37.8G 1.8G 35.9G 5% /tmpfs 487.3M 0 487.3M 0% /devtmpfs 487.3M 0 487.3M 0% /sys/fs/cgroup/dev/sda3 37.8G 1.8G 35.9G 5% /data
今天复习了一下docker, 发现竟然有这玩意.
https://docs.docker.com/engine/reference/commandline/dockerd/#options-per-storage-driver http://blog.51cto.com/welcomeweb/1696121