docker需要使用linux3.8版本的内核,为了方便起见,在一台ubuntu(1304)机器上安装docker。
sudo apt-get update
sudo apt-get install linux-image-extra-`uname -r`
sudo sh -c "wget -qO- https://get.docker.io/gpg | apt-key add -"
sudo sh -c "echo deb http://get.docker.io/ubuntu docker main > /etc/apt/sources.list.d/docker.list"
sudo apt-get update
sudo apt-get install lxc-docker
paas@ubuntu:~$ sudo apt-get install lxc-docker
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
aufs-tools bridge-utils cgroup-lite cloud-utils debootstrap distro-info distro-info-data dnsmasq-base euca2ools
gdisk libapparmor1 libcap2-bin libicu48 liblxc0 libnetfilter-conntrack3 libpam-cap libseccomp1 libyaml-0-2 lxc
lxc-docker-0.6.4 lxc-templates python-boto python-crypto python-distro-info python-m2crypto python-paramiko
python-yaml python3-lxc
Suggested packages:
shunit2 libcap-dev btrfs-tools lvm2 lxctl qemu-user-static python-crypto-dbg python-crypto-doc
The following NEW packages will be installed:
aufs-tools bridge-utils cgroup-lite cloud-utils debootstrap distro-info distro-info-data dnsmasq-base euca2ools
gdisk libapparmor1 libcap2-bin libicu48 liblxc0 libnetfilter-conntrack3 libpam-cap libseccomp1 libyaml-0-2 lxc
lxc-docker lxc-docker-0.6.4 lxc-templates python-boto python-crypto python-distro-info python-m2crypto
python-paramiko python-yaml python3-lxc
0 upgraded, 29 newly installed, 0 to remove and 92 not upgraded.
Need to get 9,649 kB of archives.
After this operation, 46.6 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
安装成功后,主机的以下方面发生了变化。
出现了以下目录
/var/cache/lxc 用于缓存lxc容器的rootfs
/var/lib/lxc 用于lxc存储容器
/var/lib/docker 用于存储docker的rootfs
repositories文件用于记录rootfs的版本。初始内容为:
{"Repositories":{}}
graph目录用于保存rootfs,初始为空。
containers目录用于保存容器相关文件,,初始为空。
volumes目录用途目前不清楚。
ifconfig
paas@localhost:~$ ifconfig
docker0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet addr:172.17.42.1 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::4bf:59ff:fe74:71cc/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:34 errors:0 dropped:0 overruns:0 frame:0
TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2496 (2.4 KB) TX bytes:2792 (2.7 KB)
eth0 Link encap:Ethernet HWaddr 00:0c:29:89:8e:ee
inet addr:172.16.202.130 Bcast:172.16.202.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe89:8eee/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6379 errors:0 dropped:0 overruns:0 frame:0
TX packets:4039 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:551292 (551.2 KB) TX bytes:610253 (610.2 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:16 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1184 (1.1 KB) TX bytes:1184 (1.1 KB)
lxcbr0 Link encap:Ethernet HWaddr 76:78:19:69:3f:4e
inet addr:10.0.3.1 Bcast:10.0.3.255 Mask:255.255.255.0
inet6 addr: fe80::7478:19ff:fe69:3f4e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:468 (468.0 B)
可以看到多了两个网桥设备docker0、lxcbr0,其中lxcbr0是安装lxc后创建的网桥,docker0是docker创建的网桥。
执行route查看路由情况
paas@localhost:~$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 172.16.202.2 0.0.0.0 UG 0 0 0 eth0
10.0.3.0 * 255.255.255.0 U 0 0 0 lxcbr0
172.16.202.0 * 255.255.255.0 U 0 0 0 eth0
172.17.0.0 * 255.255.0.0 U 0 0 0 docker0
执行brctl show查看网桥情况
paas@localhost:~$ brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.000000000000 no
lxcbr0 8000.000000000000 no
iptables -t nat -L
paas@ubuntu:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.0.3.0/24 !10.0.3.0/24
MASQUERADE all -- 172.17.0.0/16 !172.17.0.0/16
Chain DOCKER (2 references)
target prot opt source destination
通过ps命令可以看到多了以下进程
dnsmasq -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/lxc/dnsmasq.pid --conf-file= --listen-address10.0.3.1 --dhcp-range10.0.3.2,10.0.3.254 --dhcp-lease-max=253 --dhcp-no-override --except-interface=lo --interface=lxcbr0
这个进程是用来做本机的dhcp服务器,为容器提供dhcp服务的。
/bin/sh -e -c /usr/bin/docker -d /bin/sh
/usr/bin/docker -d
/sys/fs/cgroup目录下的各个子目录中都出现了一个lxc目录,用于后续对容器进行资源隔离。
sudo docker pull ubuntu
REPOSITORY TAG ID CREATED SIZE
ubuntu 12.04 8dbd9e392a96 6 months ago 131.5 MB (virtual 131.5 MB)
ubuntu latest 8dbd9e392a96 6 months ago 131.5 MB (virtual 131.5 MB)
ubuntu precise 8dbd9e392a96 6 months ago 131.5 MB (virtual 131.5 MB)
ubuntu 12.10 b750fe79269d 7 months ago 24.65 kB (virtual 180.1 MB)
ubuntu quantal b750fe79269d 7 months ago 24.65 kB (virtual 180.1 MB)
{
"Repositories":{
"ubuntu":{
"12.04":"8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c",
"12.10":"b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc",
"latest":"8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c",
"precise":"8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c",
"quantal":"b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc"
}
}
}
此文件中记录了下载的镜像信息。
root@ubuntu:/var/lib/docker/graph# ls
27cf784147099545
8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c
b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc
_tmp
其中8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c、b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc两个目录对应respositories文件中的镜像信息,27cf784147099545在respositories文件中没有体现。
通过du -sh命令查看各个目录的容量,发现b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc只有40k,明显不是一个ubuntu镜像。8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c和27cf784147099545目录分别有142M和194M,这两个目录真正保存ubuntu12.04和12.10的镜像文件,即rootfs。
每个目录下都有一个json文件,内容分别如下:
27cf784147099545/json
{"comment": "Imported from http://get.docker.io/images/base", "container_config": {"Tty": false, "Cmd": null, "MemorySwap": 0, "Image": "", "Hostname": "", "User": "", "Env": null, "Memory": 0, "Detach": false, "Ports": null, "OpenStdin": false}, "id": "27cf784147099545", "created": "2013-03-23T12:53:11.10432-07:00"}
8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c/json
{"comment": "Imported from -", "created": "2013-04-11T14:13:15.57812-07:00", "container_config": {"Tty": false, "Cmd": null, "Env": null, "Image": "", "Hostname": "", "StdinOnce": false, "AttachStdin": false, "User": "", "PortSpecs": null, "Memory": 0, "MemorySwap": 0, "AttachStderr": false, "AttachStdout": false, "OpenStdin": false}, "docker_version": "0.1.4", "id": "8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c"}
b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc/json
{"container": "3d67245a8d72ecf13f33dffac9f79dcdf70f75acb84d308770391510e0c23ad0", "parent": "27cf784147099545", "created": "2013-03-23T22:24:18.818426-07:00", "container_config": {"Tty": true, "Cmd": ["/bin/bash"], "Env": null, "Image": "base", "Hostname": "", "User": "", "MemorySwap": 0, "Memory": 0, "Detach": false, "Ports": null, "OpenStdin": true}, "id": "b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc"}
可以看出b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc与27cf784147099545是相关的。
启动一个容器运行bash,观察主机系统和容器系统的情况。
sudo docker run -i -t ubuntu /bin/bash
sudo docker run -i -t ubuntu:12.10 /bin/bash
指定容器运行ubuntu12.10版本操作系统
执行ifconfig查看网络配置,可以看到增加了一个网络设备
vethgfJrQe Link encap:Ethernet HWaddr fe:a7:b9:14:98:a2
inet6 addr: fe80::fca7:b9ff:fe14:98a2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:468 (468.0 B) TX bytes:468 (468.0 B)
执行brctl show查看网桥配置
bridge name bridge id STP enabled interfaces
docker0 8000.fea7b91498a2 no vethgfJrQe
lxcbr0 8000.000000000000 no
通过ps命令查看lxc相关进程
105 1004 1 0 18:34 ? 00:00:00 dnsmasq -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/lxc/dnsmasq.pid --conf-file= --listen-address 10.0.3.1 --dhcp-range 10.0.3.2,10.0.3.254 --dhcp-lease-max=253 --dhcp-no-override --except-interface=lo --interface=lxcbr0 --dhcp-leasefile=/var/lib/misc/dnsmasq.lxcbr0.leases --dhcp-authoritative
root 1703 1008 0 19:29 pts/1 00:00:00 lxc-start -n e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab -f /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/config.lxc -- /.dockerinit -g 172.17.42.1 -e TERM=xterm -e HOME=/ -e PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin -e container=lxc -e HOSTNAME=e6087b57a686 -- /bin/bash
可以看到还是通过lxc-start程序启动了容器。
通过ps命令查看docker相关进程
paas@localhost:~$ ps -ef | grep docker
root 1007 1 0 18:34 ? 00:00:00 /bin/sh -e -c /usr/bin/docker -d /bin/sh
root 1008 1007 0 18:34 ? 00:00:00 /usr/bin/docker -d
root 1694 1302 0 19:29 pts/0 00:00:00 sudo docker run -i -t ubuntu /bin/bash
root 1695 1694 0 19:29 pts/0 00:00:00 docker run -i -t ubuntu /bin/bash
root 1703 1008 0 19:29 pts/1 00:00:00 lxc-start -n e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab -f /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/config.lxc -- /.dockerinit -g 172.17.42.1 -e TERM=xterm -e HOME=/ -e PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin -e container=lxc -e HOSTNAME=e6087b57a686 -- /bin/bash
通过pstree命令查看docker进程(1008)的进程树
paas@localhost:~$ pstree -p 1008
docker(1008)─┬─lxc-start(1703)───bash(1713)
├─{docker}(1093)
├─{docker}(1096)
├─{docker}(1097)
├─{docker}(1098)
├─{docker}(1099)
└─{docker}(1665)
可以看到是docker进程启动lxc-start进程。
其余6个线程的功能尚不清楚。
/sys/fs/cgroup/blkio、/sys/fs/cgroup/cpu、/sys/fs/cgroup/cpuacct、/sys/fs/cgroup/cpuset、/sys/fs/cgroup/devices、/sys/fs/cgroup/freezer、/sys/fs/cgroup/memory、/sys/fs/cgroup/memory目录的子目录lxc中都有一个e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab目录。
e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab目录的tasks文件内容:
1713
即对lxc-start(1703)的子进程bash(1713)进行资源隔离。
其余cgroup配置为默认配置。
/var/lib/docker/containers目录中多了一个子目录:e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab
drwx------ 4 root root 4096 Nov 1 19:29 ./
drwx------ 3 root root 4096 Nov 1 19:29 ../
-rw-r--r-- 1 root root 1226 Nov 1 19:29 config.json
-rw-r--r-- 1 root root 4090 Nov 1 19:29 config.lxc
-rw------- 1 root root 14718 Nov 1 19:43 e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab-json.log
-rw-r--r-- 1 root root 48 Nov 1 19:29 hostconfig.json
-rw-r--r-- 1 root root 13 Nov 1 19:29 hostname
-rw-r--r-- 1 root root 197 Nov 1 19:29 hosts
drwxr-xr-x 29 root root 4096 Nov 1 19:29 rootfs/
-rw------- 1 root root 0 Nov 1 19:29 rootfs.hold
drwxr-xr-x 5 root root 4096 Nov 1 19:29 rw/
容器配置文件
{
"ID":"e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab",
"Created":"2013-11-01T19:29:07.143233156-07:00",
"Path":"/bin/bash",
"Args":[],
"Config":{
"Hostname":"e6087b57a686",
"Domainname":"",
"User":"",
"Memory":0,
"MemorySwap":0,
"CpuShares":0,
"AttachStdin":true,
"AttachStdout":true,
"AttachStderr":true,
"PortSpecs":null,
"Tty":true,
"OpenStdin":true,
"StdinOnce":true,
"Env":null,
"Cmd":["/bin/bash"],
"Dns":null,
"Image":"ubuntu",
"Volumes":{},
"VolumesFrom":"",
"WorkingDir":"",
"Entrypoint":[],
"NetworkDisabled":false,
"Privileged":false
},"
State":{
"Running":true,
"Pid":1703,
"ExitCode":0,
"StartedAt":"2013-11-01T19:29:07.35621483-07:00",
"FinishedAt":"0001-01-01T00:00:00Z",
"Ghost":false
},
"Image":"8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c",
"NetworkSettings":{
"IPAddress":"172.17.0.2",
"IPPrefixLen":16,
"Gateway":"172.17.42.1",
"Bridge":"docker0",
"PortMapping":{"Tcp":{},"Udp":{}}
},
"SysInitPath":"/usr/bin/docker",
"ResolvConfPath":"/etc/resolv.conf",
"HostnamePath":"/var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/hostname",
"HostsPath":"/var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/hosts",
"Volumes":{},
"VolumesRW":{}
}
lxc容器配置文件,docker通过配置文件来控制lxc创建容器。
# hostname
lxc.utsname = e6087b57a686
#lxc.aa_profile = unconfined
# network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = docker0
lxc.network.name = eth0
lxc.network.mtu = 1500
lxc.network.ipv4 = 172.17.0.2/16
# root filesystem
lxc.rootfs = /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs
# enable domain name support
lxc.mount.entry = /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/hostname /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/etc/hostname none bind,ro 0 0
lxc.mount.entry = /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/hosts /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/etc/hosts none bind,ro 0 0
# use a dedicated pts for the container (and limit the number of pseudo terminal
# available)
lxc.pts = 1024
# disable the main console
lxc.console = none
# no controlling tty at all
lxc.tty = 1
# no implicit access to devices
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/urandom,/dev/random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
# /dev/pts/* - pts namespaces are "coming soon"
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# tuntap
lxc.cgroup.devices.allow = c 10:200 rwm
# fuse
#lxc.cgroup.devices.allow = c 10:229 rwm
# rtc
#lxc.cgroup.devices.allow = c 254:0 rwm
# standard mount point
# WARNING: procfs is a known attack vector and should probably be disabled
# if your userspace allows it. eg. see http://blog.zx2c4.com/749
lxc.mount.entry = proc /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/proc proc nosuid,nodev,noexec 0 0
# WARNING: sysfs is a known attack vector and should probably be disabled
# if your userspace allows it. eg. see http://bit.ly/T9CkqJ
lxc.mount.entry = sysfs /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/sys sysfs nosuid,nodev,noexec 0 0
lxc.mount.entry = devpts /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/dev/pts devpts newinstance,ptmxmode=0666,nosuid,noexec 0 0
#lxc.mount.entry = varrun /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/var/run tmpfs mode=755,size=4096k,nosuid,nodev,noexec 0 0
#lxc.mount.entry = varlock /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/var/lock tmpfs size=1024k,nosuid,nodev,noexec 0 0
lxc.mount.entry = shm /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/dev/shm tmpfs size=65536k,nosuid,nodev,noexec 0 0
# Inject docker-init
lxc.mount.entry = /usr/bin/docker /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/.dockerinit none bind,ro 0 0
# In order to get a working DNS environment, mount bind (ro) the host's /etc/resolv.conf into the container
lxc.mount.entry = /etc/resolv.conf /var/lib/docker/containers/e6087b57a6868fdccd35bef1c11892970d7776f6fb222681567a6f5e3fd94aab/rootfs/etc/resolv.conf none bind,ro 0 0
# drop linux capabilities (apply mainly to the user root in the container)
# (Note: 'lxc.cap.keep' is coming soon and should replace this under the
# security principle 'deny all unless explicitly permitted', see
# http://sourceforge.net/mailarchive/message.php?msg_id=31054627 )
lxc.cap.drop = audit_control audit_write mac_admin mac_override mknod setpcap sys_admin sys_boot sys_module sys_nice sys_pacct sys_rawio sys_resource sys_time sys_tty_config
# limits
记录容器启动后的标准输入、标准输出、标准错误输出内容。
{
"Binds":null,
"ContainerIDFile":"",
"LxcConf":[]
}
e6087b57a686
127.0.0.1 e6087b57a686
::1 e6087b57a686
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
容器的rootfs
dev目录内容
drwxr-xr-x 2 root root 4096 Nov 1 19:29 ./
drwxr-xr-x 5 root root 4096 Nov 1 19:29 ../
lrwxrwxrwx 1 root root 7 Nov 1 19:29 kmsg -> console
ip addr
root@e6087b57a686:/etc# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 06:e9:de:18:f2:8c brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
inet6 fe80::4e9:deff:fe18:f28c/64 scope link
valid_lft forever preferred_lft forever
ip route
root@e6087b57a686:/etc# ip route
default via 172.17.42.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2
hosts
root@e6087b57a686:/# cat /etc/hosts
127.0.0.1 e6087b57a686
::1 e6087b57a686
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ps -ef
root@e6087b57a686:/etc# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 02:29 ? 00:00:00 /bin/bash
root 19 1 0 02:41 ? 00:00:00 ps -ef
这里面的1号进程(/bin/bash)就是从容器外看到的进程bash(1713)。
可以看到与普通lxc容器的区别是容器中没有sshd进程,不能象对待普通lxc容器一样通过scp命令向容器里面复制文件。
退出容器后,/var/lib/docker目录中的容器目录仍然存在,但是其中的rootfs已经被umount掉。
sudo docker run -i -t ubuntu /bin/bash
apt-get update
apt-get install vim
换ubuntu源
apt-get install redis-server
docker ps -a
paas@ubuntu:~$ sudo docker ps -a
[sudo] password for paas:
ID IMAGE COMMAND CREATED STATUS PORTS
eb017f9c4a06 ubuntu:12.04 /bin/bash 5 hours ago Up 5 hours
docker commit eb017f9c4a06 paas/redis
paas@ubuntu:~$ sudo docker commit eb017f9c4a06 paas/redis
9947d279c0e7
docker images
paas@ubuntu:~$ sudo docker images
REPOSITORY TAG ID CREATED SIZE
paas/redis latest 9947d279c0e7 28 seconds ago 287.1 MB (virtual 418.6 MB)
ubuntu 12.04 8dbd9e392a96 6 months ago 131.5 MB (virtual 131.5 MB)
ubuntu latest 8dbd9e392a96 6 months ago 131.5 MB (virtual 131.5 MB)
ubuntu precise 8dbd9e392a96 6 months ago 131.5 MB (virtual 131.5 MB)
ubuntu 12.10 b750fe79269d 7 months ago 24.65 kB (virtual 180.1 MB)
ubuntu quantal b750fe79269d 7 months ago 24.65 kB (virtual 180.1 MB)
ls /var/lib/docker/graph
root@ubuntu:/var/lib/docker/graph# ls
27cf784147099545
8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c
9947d279c0e7103cb4ebc9e532bdf90614de4db1e2e80acedf2500d9e69daaca
b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc
_tmp
在接入容器的终端执行exit命令。
sudo docker run -d -p 6379 paas/redis /usr/bin/redis-server
paas@ubuntu:~$ sudo docker ps
ID IMAGE COMMAND CREATED STATUS PORTS
f1b7aadb29c7 paas/redis:latest /usr/bin/redis-serve 33 minutes ago Up 33 minutes 49153->6379
iptables -t nat -L
paas@ubuntu:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.0.3.0/24 !10.0.3.0/24
MASQUERADE all -- 172.17.0.0/16 !172.17.0.0/16
Chain DOCKER (2 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:49153 to:172.17.0.4:6379
可以看到iptables的nat表中增加了一条DNAT配置,分配了一个端口49153,用于主机外部系统访问主机上docker容器中的redis服务。
Dockerfile是用来创建自己定制化image的说明文件。具体内容请参考官方说明。
mkdir test
cd test
git clone https://github.com/antirez/redis.git
cd redis
git checkout 2.6
# 使用ubuntu系统
FROM ubuntu
# 修改源并更新
RUN echo "deb http://archive.ubuntu.com/ubuntu precise main universe" > /etc/apt/sources.list
RUN apt-get update
RUN apt-get upgrade -y
# 安装基础软件包
RUN apt-get install -y gcc make g++ build-essential libc6-dev tcl
# 把当前目录添加到容器内部的根目录
ADD . /
# 编译redis
RUN (cd /redis && make)
RUN mkdir -p /redis-data
VOLUME ["/redis-data"]
# 为私有端口6379(redis默认端口)随即分配一个公用端口。作用就是容器启动后,docker为其分配一个公用端口,并在iptables的规则内部增加一条DNAT配置,使外部访问这个共有端口的请求都会被转发到私有端口6379,这样就可以从外部访问容器中的redis服务了。
EXPOSE 6379
# redis启动命令
ENTRYPOINT ["/redis/src/redis-server"]
CMD ["--dir", "/redis-data"]
docker build -t redis-2.6 .
paas@ubuntu:~/test$ sudo docker images
REPOSITORY TAG ID CREATED SIZE
redis-2.6 latest d82b0b9000a3 10 hours ago 12.29 kB (virtual 529.9 MB)
paas@ubuntu:~$ sudo docker run -d redis-2.6
0f103febaecc
启动一个脚本,每隔一秒执行一次date命令。
paas@localhost:~$ sudo docker run -d ubuntu /bin/sh -c "while true; do date; sleep 1; done"
5bdf5fc96060
此命令返回一个容器的id号,后续可以通过这个id来操作容器
paas@localhost:~$ sudo docker ps
ID IMAGE COMMAND CREATED STATUS PORTS
5bdf5fc96060 ubuntu:12.04 /bin/sh -c while tru 2 minutes ago Up 2 minutes
docker logs 容器id
paas@localhost:~$ sudo docker logs 5bdf5fc96060
Tue Oct 29 10:51:19 UTC 2013
Tue Oct 29 10:51:20 UTC 2013
Tue Oct 29 10:51:21 UTC 2013
Tue Oct 29 10:51:22 UTC 2013
Tue Oct 29 10:51:23 UTC 2013
Tue Oct 29 10:51:24 UTC 2013
Tue Oct 29 10:51:25 UTC 2013
Tue Oct 29 10:51:26 UTC 2013
Tue Oct 29 10:51:27 UTC 2013
Tue Oct 29 10:51:28 UTC 2013
Tue Oct 29 10:51:29 UTC 2013
Tue Oct 29 10:51:30 UTC 2013
Tue Oct 29 10:51:31 UTC 2013
...
显示应用启动以来的标准输出和标准错误输出。
docker attach 容器id
paas@localhost:~$ sudo docker attach 5bdf5fc96060
Tue Oct 29 10:57:25 UTC 2013
Tue Oct 29 10:57:26 UTC 2013
Tue Oct 29 10:57:27 UTC 2013
Tue Oct 29 10:57:28 UTC 2013
...
docker stop 容器id
未完待续...