2013年10月29日

Docker使用笔记


docker使用笔记。

安装docker

docker需要使用linux3.8版本的内核,为了方便起见,在一台ubuntu(1304)机器上安装docker。

sudo apt-get update
sudo apt-get install linux-image-extra-`uname -r`

sudo sh -c "wget -qO- https://get.docker.io/gpg | apt-key add -"

sudo sh -c "echo deb http://get.docker.io/ubuntu docker main > /etc/apt/sources.list.d/docker.list"

sudo apt-get update

sudo apt-get install lxc-docker
相关软件包信息
paas@ubuntu:~$ sudo apt-get install lxc-docker
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  aufs-tools bridge-utils cgroup-lite cloud-utils debootstrap distro-info distro-info-data dnsmasq-base euca2ools
  gdisk libapparmor1 libcap2-bin libicu48 liblxc0 libnetfilter-conntrack3 libpam-cap libseccomp1 libyaml-0-2 lxc
  lxc-docker-0.6.4 lxc-templates python-boto python-crypto python-distro-info python-m2crypto python-paramiko
  python-yaml python3-lxc
Suggested packages:
  shunit2 libcap-dev btrfs-tools lvm2 lxctl qemu-user-static python-crypto-dbg python-crypto-doc
The following NEW packages will be installed:
  aufs-tools bridge-utils cgroup-lite cloud-utils debootstrap distro-info distro-info-data dnsmasq-base euca2ools
  gdisk libapparmor1 libcap2-bin libicu48 liblxc0 libnetfilter-conntrack3 libpam-cap libseccomp1 libyaml-0-2 lxc
  lxc-docker lxc-docker-0.6.4 lxc-templates python-boto python-crypto python-distro-info python-m2crypto
  python-paramiko python-yaml python3-lxc
0 upgraded, 29 newly installed, 0 to remove and 92 not upgraded.
Need to get 9,649 kB of archives.
After this operation, 46.6 MB of additional disk space will be used.
Do you want to continue [Y/n]? y

安装成功后,主机的以下方面发生了变化。

目录

出现了以下目录

/var/cache/lxc  用于缓存lxc容器的rootfs
/var/lib/lxc    用于lxc存储容器
/var/lib/docker 用于存储docker的rootfs
/var/lib/docker

repositories文件用于记录rootfs的版本。初始内容为:

{"Repositories":{}}

graph目录用于保存rootfs,初始为空。

containers目录用于保存容器相关文件,,初始为空。

volumes目录用途目前不清楚。

网络配置

ifconfig

paas@localhost:~$ ifconfig
docker0   Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::4bf:59ff:fe74:71cc/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:34 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2496 (2.4 KB)  TX bytes:2792 (2.7 KB)

eth0      Link encap:Ethernet  HWaddr 00:0c:29:89:8e:ee
          inet addr:172.16.202.130  Bcast:172.16.202.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe89:8eee/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6379 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4039 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:551292 (551.2 KB)  TX bytes:610253 (610.2 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1184 (1.1 KB)  TX bytes:1184 (1.1 KB)

lxcbr0    Link encap:Ethernet  HWaddr 76:78:19:69:3f:4e
          inet addr:10.0.3.1  Bcast:10.0.3.255  Mask:255.255.255.0
          inet6 addr: fe80::7478:19ff:fe69:3f4e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:468 (468.0 B)

可以看到多了两个网桥设备docker0、lxcbr0,其中lxcbr0是安装lxc后创建的网桥,docker0是docker创建的网桥。

执行route查看路由情况

paas@localhost:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.16.202.2    0.0.0.0         UG    0      0        0 eth0
10.0.3.0        *               255.255.255.0   U     0      0        0 lxcbr0
172.16.202.0    *               255.255.255.0   U     0      0        0 eth0
172.17.0.0      *               255.255.0.0     U     0      0        0 docker0

执行brctl show查看网桥情况

paas@localhost:~$ brctl show
bridge name bridge id       STP enabled interfaces
docker0     8000.000000000000   no
lxcbr0      8000.000000000000   no

iptables -t nat -L

paas@ubuntu:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.0.3.0/24         !10.0.3.0/24
MASQUERADE  all  --  172.17.0.0/16       !172.17.0.0/16

Chain DOCKER (2 references)
target     prot opt source               destination

服务进程

通过ps命令可以看到多了以下进程

dnsmasq进程
dnsmasq -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/lxc/dnsmasq.pid --conf-file= --listen-address10.0.3.1 --dhcp-range10.0.3.2,10.0.3.254 --dhcp-lease-max=253 --dhcp-no-override --except-interface=lo --interface=lxcbr0

这个进程是用来做本机的dhcp服务器,为容器提供dhcp服务的。

docker进程
/bin/sh -e -c /usr/bin/docker -d /bin/sh
/usr/bin/docker -d

cgroup

/sys/fs/cgroup目录下的各个子目录中都出现了一个lxc目录,用于后续对容器进行资源隔离。

下载镜像

sudo docker pull ubuntu

docker images

REPOSITORY          TAG                 ID                  CREATED             SIZE
ubuntu              12.04               8dbd9e392a96        6 months ago        131.5 MB (virtual 131.5 MB)
ubuntu              latest              8dbd9e392a96        6 months ago        131.5 MB (virtual 131.5 MB)
ubuntu              precise             8dbd9e392a96        6 months ago        131.5 MB (virtual 131.5 MB)
ubuntu              12.10               b750fe79269d        7 months ago        24.65 kB (virtual 180.1 MB)
ubuntu              quantal             b750fe79269d        7 months ago        24.65 kB (virtual 180.1 MB)

/var/lib/docker/repositories

{
    "Repositories":{
        "ubuntu":{
            "12.04":"8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c",
            "12.10":"b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc",
            "latest":"8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c",
            "precise":"8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c",
            "quantal":"b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc"
        }
    }
}

此文件中记录了下载的镜像信息。

/var/lib/docker/graph

root@ubuntu:/var/lib/docker/graph# ls
27cf784147099545
8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c
b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc
_tmp

其中8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c、b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc两个目录对应respositories文件中的镜像信息,27cf784147099545在respositories文件中没有体现。

通过du -sh命令查看各个目录的容量,发现b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc只有40k,明显不是一个ubuntu镜像。8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c和27cf784147099545目录分别有142M和194M,这两个目录真正保存ubuntu12.04和12.10的镜像文件,即rootfs。

每个目录下都有一个json文件,内容分别如下:

27cf784147099545/json

{"comment": "Imported from http://get.docker.io/images/base", "container_config": {"Tty": false, "Cmd": null, "MemorySwap": 0, "Image": "", "Hostname": "", "User": "", "Env": null, "Memory": 0, "Detach": false, "Ports": null, "OpenStdin": false}, "id": "27cf784147099545", "created": "2013-03-23T12:53:11.10432-07:00"}

8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c/json

{"comment": "Imported from -", "created": "2013-04-11T14:13:15.57812-07:00", "container_config": {"Tty": false, "Cmd": null, "Env": null, "Image": "", "Hostname": "", "StdinOnce": false, "AttachStdin": false, "User": "", "PortSpecs": null, "Memory": 0, "MemorySwap": 0, "AttachStderr": false, "AttachStdout": false, "OpenStdin": false}, "docker_version": "0.1.4", "id": "8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c"}

b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc/json

{"container": "3d67245a8d72ecf13f33dffac9f79dcdf70f75acb84d308770391510e0c23ad0", "parent": "27cf784147099545", "created": "2013-03-23T22:24:18.818426-07:00", "container_config": {"Tty": true, "Cmd": ["/bin/bash"], "Env": null, "Image": "base", "Hostname": "", "User": "", "MemorySwap": 0, "Memory": 0, "Detach": false, "Ports": null, "OpenStdin": true}, "id": "b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc"}

可以看出b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc与27cf784147099545是相关的。

基础容器分析

启动一个容器运行bash,观察主机系统和容器系统的情况。

sudo docker run -i -t ubuntu /bin/bash

sudo docker run -i -t ubuntu:12.10 /bin/bash
指定容器运行ubuntu12.10版本操作系统

主机网络配置

执行ifconfig查看网络配置,可以看到增加了一个网络设备

vethgfJrQe Link encap:Ethernet  HWaddr fe:a7:b9:14:98:a2
          inet6 addr: fe80::fca7:b9ff:fe14:98a2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:468 (468.0 B)  TX bytes:468 (468.0 B)

执行brctl show查看网桥配置

bridge name bridge id       STP enabled interfaces
docker0     8000.fea7b91498a2   no      vethgfJrQe
lxcbr0      8000.000000000000   no

主机进程

通过ps命令查看lxc相关进程

105       1004     1  0 18:34 ?        00:00:00 dnsmasq -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/lxc/dnsmasq.pid --conf-file= --listen-address 10.0.3.1 --dhcp-range 10.0.3.2,10.0.3.254 --dhcp-lease-max=253 --dhcp-no-override --except-interface=lo --interface=lxcbr0 --dhcp-leasefile=/var/lib/misc/dnsmasq.lxcbr0.leases --dhcp-authoritative
root      1703  1008  0 19:29 pts/1    00:00:00 lxc-start -n e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab -f /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/config.lxc -- /.dockerinit -g 172.17.42.1 -e TERM=xterm -e HOME=/ -e PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin -e container=lxc -e HOSTNAME=e6087b57a686 -- /bin/bash

可以看到还是通过lxc-start程序启动了容器。

通过ps命令查看docker相关进程

paas@localhost:~$ ps -ef | grep docker
root      1007     1  0 18:34 ?        00:00:00 /bin/sh -e -c /usr/bin/docker -d /bin/sh
root      1008  1007  0 18:34 ?        00:00:00 /usr/bin/docker -d
root      1694  1302  0 19:29 pts/0    00:00:00 sudo docker run -i -t ubuntu /bin/bash
root      1695  1694  0 19:29 pts/0    00:00:00 docker run -i -t ubuntu /bin/bash
root      1703  1008  0 19:29 pts/1    00:00:00 lxc-start -n e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab -f /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/config.lxc -- /.dockerinit -g 172.17.42.1 -e TERM=xterm -e HOME=/ -e PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin -e container=lxc -e HOSTNAME=e6087b57a686 -- /bin/bash

通过pstree命令查看docker进程(1008)的进程树

paas@localhost:~$ pstree -p 1008
docker(1008)─┬─lxc-start(1703)───bash(1713)
             ├─{docker}(1093)
             ├─{docker}(1096)
             ├─{docker}(1097)
             ├─{docker}(1098)
             ├─{docker}(1099)
             └─{docker}(1665)

可以看到是docker进程启动lxc-start进程。
其余6个线程的功能尚不清楚。

主机cgroup

/sys/fs/cgroup/blkio、/sys/fs/cgroup/cpu、/sys/fs/cgroup/cpuacct、/sys/fs/cgroup/cpuset、/sys/fs/cgroup/devices、/sys/fs/cgroup/freezer、/sys/fs/cgroup/memory、/sys/fs/cgroup/memory目录的子目录lxc中都有一个e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab目录。

e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab目录的tasks文件内容:

1713

即对lxc-start(1703)的子进程bash(1713)进行资源隔离。

其余cgroup配置为默认配置。

主机容器目录

/var/lib/docker/containers目录中多了一个子目录:e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab

drwx------  4 root root  4096 Nov  1 19:29 ./
drwx------  3 root root  4096 Nov  1 19:29 ../
-rw-r--r--  1 root root  1226 Nov  1 19:29 config.json
-rw-r--r--  1 root root  4090 Nov  1 19:29 config.lxc
-rw-------  1 root root 14718 Nov  1 19:43 e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab-json.log
-rw-r--r--  1 root root    48 Nov  1 19:29 hostconfig.json
-rw-r--r--  1 root root    13 Nov  1 19:29 hostname
-rw-r--r--  1 root root   197 Nov  1 19:29 hosts
drwxr-xr-x 29 root root  4096 Nov  1 19:29 rootfs/
-rw-------  1 root root     0 Nov  1 19:29 rootfs.hold
drwxr-xr-x  5 root root  4096 Nov  1 19:29 rw/
config.json

容器配置文件

{
    "ID":"e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab",
    "Created":"2013-11-01T19:29:07.143233156-07:00",
    "Path":"/bin/bash",
    "Args":[],
    "Config":{
        "Hostname":"e6087b57a686",
        "Domainname":"",
        "User":"",
        "Memory":0,
        "MemorySwap":0,
        "CpuShares":0,
        "AttachStdin":true,
        "AttachStdout":true,
        "AttachStderr":true,
        "PortSpecs":null,
        "Tty":true,
        "OpenStdin":true,
        "StdinOnce":true,
        "Env":null,
        "Cmd":["/bin/bash"],
        "Dns":null,
        "Image":"ubuntu",
        "Volumes":{},
        "VolumesFrom":"",
        "WorkingDir":"",
        "Entrypoint":[],
        "NetworkDisabled":false,
        "Privileged":false
    },"
    State":{
        "Running":true,
        "Pid":1703,
        "ExitCode":0,
        "StartedAt":"2013-11-01T19:29:07.35621483-07:00",
        "FinishedAt":"0001-01-01T00:00:00Z",
        "Ghost":false
    },
    "Image":"8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c",
    "NetworkSettings":{
        "IPAddress":"172.17.0.2",
        "IPPrefixLen":16,
        "Gateway":"172.17.42.1",
        "Bridge":"docker0",
        "PortMapping":{"Tcp":{},"Udp":{}}
    },
    "SysInitPath":"/usr/bin/docker",
    "ResolvConfPath":"/etc/resolv.conf",
    "HostnamePath":"/var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/hostname",
    "HostsPath":"/var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/hosts",
    "Volumes":{},
    "VolumesRW":{}
}
config.lxc

lxc容器配置文件,docker通过配置文件来控制lxc创建容器。

# hostname

lxc.utsname = e6087b57a686

#lxc.aa_profile = unconfined


# network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = docker0
lxc.network.name = eth0
lxc.network.mtu = 1500
lxc.network.ipv4 = 172.17.0.2/16


# root filesystem

lxc.rootfs = /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs


# enable domain name support
lxc.mount.entry = /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/hostname /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/etc/hostname none bind,ro 0 0
lxc.mount.entry = /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/hosts /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/etc/hosts none bind,ro 0 0


# use a dedicated pts for the container (and limit the number of pseudo terminal
# available)
lxc.pts = 1024

# disable the main console
lxc.console = none

# no controlling tty at all
lxc.tty = 1


# no implicit access to devices
lxc.cgroup.devices.deny = a

# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm

# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm

# /dev/urandom,/dev/random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm

# /dev/pts/* - pts namespaces are "coming soon"
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm

# tuntap
lxc.cgroup.devices.allow = c 10:200 rwm

# fuse
#lxc.cgroup.devices.allow = c 10:229 rwm

# rtc
#lxc.cgroup.devices.allow = c 254:0 rwm


# standard mount point
#  WARNING: procfs is a known attack vector and should probably be disabled
#           if your userspace allows it. eg. see http://blog.zx2c4.com/749
lxc.mount.entry = proc /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/proc proc nosuid,nodev,noexec 0 0
#  WARNING: sysfs is a known attack vector and should probably be disabled
#           if your userspace allows it. eg. see http://bit.ly/T9CkqJ
lxc.mount.entry = sysfs /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/sys sysfs nosuid,nodev,noexec 0 0
lxc.mount.entry = devpts /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/dev/pts devpts newinstance,ptmxmode=0666,nosuid,noexec 0 0
#lxc.mount.entry = varrun /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/var/run tmpfs mode=755,size=4096k,nosuid,nodev,noexec 0 0
#lxc.mount.entry = varlock /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/var/lock tmpfs size=1024k,nosuid,nodev,noexec 0 0
lxc.mount.entry = shm /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/dev/shm tmpfs size=65536k,nosuid,nodev,noexec 0 0

# Inject docker-init
lxc.mount.entry = /usr/bin/docker /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/.dockerinit none bind,ro 0 0

# In order to get a working DNS environment, mount bind (ro) the host's /etc/resolv.conf into the container
lxc.mount.entry = /etc/resolv.conf /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/etc/resolv.conf none bind,ro 0 0



# drop linux capabilities (apply mainly to the user root in the container)
#  (Note: 'lxc.cap.keep' is coming soon and should replace this under the
#         security principle 'deny all unless explicitly permitted', see
#         http://sourceforge.net/mailarchive/message.php?msg_id=31054627 )
lxc.cap.drop = audit_control audit_write mac_admin mac_override mknod setpcap sys_admin sys_boot sys_module sys_nice sys_pacct sys_rawio sys_resource sys_time sys_tty_config


# limits    
e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab-json.log

记录容器启动后的标准输入、标准输出、标准错误输出内容。

hostconfig.json
{
    "Binds":null,
    "ContainerIDFile":"",
    "LxcConf":[]
}
hostname
e6087b57a686
hosts
127.0.0.1   e6087b57a686
::1     e6087b57a686

127.0.0.1   localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0     ip6-localnet
ff00::0     ip6-mcastprefix
ff02::1     ip6-allnodes
ff02::2     ip6-allrouters
rootfs

容器的rootfs

rootfs.hold
rw

dev目录内容

drwxr-xr-x 2 root root 4096 Nov  1 19:29 ./
drwxr-xr-x 5 root root 4096 Nov  1 19:29 ../
lrwxrwxrwx 1 root root    7 Nov  1 19:29 kmsg -> console
其他

容器中的网络配置

ip addr

root@e6087b57a686:/etc# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
   valid_lft forever preferred_lft forever
5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 06:e9:de:18:f2:8c brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
inet6 fe80::4e9:deff:fe18:f28c/64 scope link
   valid_lft forever preferred_lft forever

ip route

root@e6087b57a686:/etc# ip route
default via 172.17.42.1 dev eth0
172.17.0.0/16 dev eth0  proto kernel  scope link  src 172.17.0.2

hosts

root@e6087b57a686:/# cat /etc/hosts
127.0.0.1   e6087b57a686
::1     e6087b57a686

127.0.0.1   localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0     ip6-localnet
ff00::0     ip6-mcastprefix
ff02::1     ip6-allnodes
ff02::2     ip6-allrouters

容器中的进程

ps -ef

root@e6087b57a686:/etc# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 02:29 ?        00:00:00 /bin/bash
root        19     1  0 02:41 ?        00:00:00 ps -ef

这里面的1号进程(/bin/bash)就是从容器外看到的进程bash(1713)。
可以看到与普通lxc容器的区别是容器中没有sshd进程,不能象对待普通lxc容器一样通过scp命令向容器里面复制文件。

结束容器

退出容器后,/var/lib/docker目录中的容器目录仍然存在,但是其中的rootfs已经被umount掉。

docker容器中运行redis-server

打开一个docker容器

sudo docker run -i -t ubuntu /bin/bash

在容器中安装redis

apt-get update

apt-get install vim

换ubuntu源

apt-get install redis-server

在容器外部保存容器

docker ps -a

paas@ubuntu:~$ sudo docker ps -a
[sudo] password for paas:
    ID                  IMAGE               COMMAND             CREATED             STATUS              PORTS
eb017f9c4a06        ubuntu:12.04        /bin/bash           5 hours ago         Up 5 hours

docker commit eb017f9c4a06 paas/redis

paas@ubuntu:~$ sudo docker commit eb017f9c4a06 paas/redis
9947d279c0e7

docker images

paas@ubuntu:~$ sudo docker images
REPOSITORY          TAG                 ID                  CREATED             SIZE
paas/redis          latest              9947d279c0e7        28 seconds ago      287.1 MB (virtual 418.6 MB)
ubuntu              12.04               8dbd9e392a96        6 months ago        131.5 MB (virtual 131.5 MB)
ubuntu              latest              8dbd9e392a96        6 months ago        131.5 MB (virtual 131.5 MB)
ubuntu              precise             8dbd9e392a96        6 months ago        131.5 MB (virtual 131.5 MB)
ubuntu              12.10               b750fe79269d        7 months ago        24.65 kB (virtual 180.1 MB)
ubuntu              quantal             b750fe79269d        7 months ago        24.65 kB (virtual 180.1 MB)

ls /var/lib/docker/graph

root@ubuntu:/var/lib/docker/graph# ls
27cf784147099545
8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c
9947d279c0e7103cb4ebc9e532bdf90614de4db1e2e80acedf2500d9e69daaca
b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc
_tmp

退出已经安装好redis的容器

在接入容器的终端执行exit命令。

重新启动docker容器,并运行redis

sudo docker run -d -p 6379 paas/redis /usr/bin/redis-server

主机docker信息

paas@ubuntu:~$ sudo docker ps
ID                  IMAGE               COMMAND                CREATED             STATUS              PORTS
f1b7aadb29c7        paas/redis:latest   /usr/bin/redis-serve   33 minutes ago      Up 33 minutes       49153->6379

主机网络配置变化

iptables -t nat -L

paas@ubuntu:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.0.3.0/24         !10.0.3.0/24
MASQUERADE  all  --  172.17.0.0/16       !172.17.0.0/16

Chain DOCKER (2 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:49153 to:172.17.0.4:6379

可以看到iptables的nat表中增加了一条DNAT配置,分配了一个端口49153,用于主机外部系统访问主机上docker容器中的redis服务。

Dockerfile

Dockerfile是用来创建自己定制化image的说明文件。具体内容请参考官方说明。

通过Dockerfile创建运行redis-server的image

新建一个目录

mkdir test
cd test

下载redis源码

git clone https://github.com/antirez/redis.git
cd redis
git checkout 2.6

创建一个Dockerfile文件

# 使用ubuntu系统
FROM ubuntu

# 修改源并更新
RUN echo "deb http://archive.ubuntu.com/ubuntu precise main universe" > /etc/apt/sources.list
RUN apt-get update
RUN apt-get upgrade -y

# 安装基础软件包
RUN apt-get install -y gcc make g++ build-essential libc6-dev tcl

# 把当前目录添加到容器内部的根目录
ADD . /

# 编译redis
RUN (cd /redis && make)

RUN mkdir -p /redis-data
VOLUME ["/redis-data"]

# 为私有端口6379(redis默认端口)随即分配一个公用端口。作用就是容器启动后,docker为其分配一个公用端口,并在iptables的规则内部增加一条DNAT配置,使外部访问这个共有端口的请求都会被转发到私有端口6379,这样就可以从外部访问容器中的redis服务了。
EXPOSE 6379

# redis启动命令
ENTRYPOINT ["/redis/src/redis-server"]
CMD ["--dir", "/redis-data"]

使用Dockerfile创建image

docker build -t redis-2.6 .

查看image

paas@ubuntu:~/test$ sudo docker images
REPOSITORY          TAG                 ID                  CREATED             SIZE
redis-2.6           latest              d82b0b9000a3        10 hours ago        12.29 kB (virtual 529.9 MB)

启动容器

paas@ubuntu:~$ sudo docker run -d redis-2.6
0f103febaecc

docker命令使用

启动应用

启动一个脚本,每隔一秒执行一次date命令。

paas@localhost:~$ sudo docker run -d ubuntu /bin/sh -c "while true; do date; sleep 1; done"
5bdf5fc96060

此命令返回一个容器的id号,后续可以通过这个id来操作容器

查看容器

paas@localhost:~$ sudo docker ps
ID                  IMAGE               COMMAND                CREATED             STATUS              PORTS
5bdf5fc96060        ubuntu:12.04        /bin/sh -c while tru   2 minutes ago       Up 2 minutes

查看应用日志

docker logs 容器id

paas@localhost:~$ sudo docker logs 5bdf5fc96060
Tue Oct 29 10:51:19 UTC 2013
Tue Oct 29 10:51:20 UTC 2013
Tue Oct 29 10:51:21 UTC 2013
Tue Oct 29 10:51:22 UTC 2013
Tue Oct 29 10:51:23 UTC 2013
Tue Oct 29 10:51:24 UTC 2013
Tue Oct 29 10:51:25 UTC 2013
Tue Oct 29 10:51:26 UTC 2013
Tue Oct 29 10:51:27 UTC 2013
Tue Oct 29 10:51:28 UTC 2013
Tue Oct 29 10:51:29 UTC 2013
Tue Oct 29 10:51:30 UTC 2013
Tue Oct 29 10:51:31 UTC 2013
...

显示应用启动以来的标准输出和标准错误输出。

接入应用

docker attach 容器id

paas@localhost:~$ sudo docker attach 5bdf5fc96060
Tue Oct 29 10:57:25 UTC 2013
Tue Oct 29 10:57:26 UTC 2013
Tue Oct 29 10:57:27 UTC 2013
Tue Oct 29 10:57:28 UTC 2013
...

停止应用

docker stop 容器id

未完待续...