容器技术

---

记录CentOS7构建docker-ce的过程

1. 使用CentOS 7.9系列的Linux操作系统
2. 从CentOS系统基础配置开始，0到1快速构建docker应用

CentOS 7.9基础配置

# 默认已初始化安装 CentOS 7.9
CPU: 4核 * 2
Memory: 16G
Disk: 2块物理硬盘(sda,sdb) sda: 40GB(预装最小化Linux), sdb: 200GB
Swap: 2GB
docker应用的映射存储目录: /opt/mydocker# 后续完成如下配置
hostname: docker01.mysite.com
ip: 10.0.0.210
gateway: 10.0.0.254
dns: 223.5.5.5 114.114.114.114# swap改成12G, 关闭selinux, 开启firewalld

[root@localhost ~]# lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                8			# 8个逻辑处理器
On-line CPU(s) list:   0-7
Thread(s) per core:    1
Core(s) per socket:    4			# 每个插槽的CPU核心数
Socket(s):             2			# CPU插槽数量, 物理CPU数量
...[root@localhost ~]# lsmem | grep Total
Total online memory:      16G		# 16G内存
Total offline memory:      0B[root@localhost ~]# lsscsi 
[0:0:0:0]    disk    VMware   Virtual disk     2.0   /dev/sda 
[0:0:1:0]    disk    VMware   Virtual disk     2.0   /dev/sdb 
[3:0:0:0]    cd/dvd  NECVMWar VMware SATA CD00 1.00  /dev/sr0[root@localhost ~]# fdisk -l | grep -i 'disk /dev'
Disk /dev/sdb: 214.7 GB, 214748364800 bytes, 419430400 sectors		# sdb: 200GB
Disk /dev/sda: 42.9 GB, 42949672960 bytes, 83886080 sectors			# sda: 40GB
Disk /dev/mapper/centos-root: 39.7 GB, 39720058880 bytes, 77578240 sectors
Disk /dev/mapper/centos-swap: 2147 MB, 2147483648 bytes, 4194304 sectors

centos配置网络连接, sshd, hostname, yum包更新

### centos配置网络连接, sshd, yum包更新, ntp时间同步
vi /etc/sysconfig/network-scripts/ifcfg-ens192
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.0.0.210
PREFIX=24
GATEWAY=10.0.0.254
DNS1=223.5.5.5
DNS2=114.114.114.114
# :x保存
systemctl restart network

vim /etc/ssh/sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# :x保存
systemctl restart sshd

hostnamectl set-hostname docker01.mysite.com --static
su	# 切换root, 使hostname刷新yum update -y	# 可选更新所有包
# 安装一些基础常用的包
yum -y install vim tcpdump lsof zip unzip strace traceroute net-tools bind-utils bridge-utils whois wget ftp nc lrzsz sysstat telnet ntp
yum -y install psmisc bc ntpdate dos2unix tree openldap-devel
yum -y install epel-release	  # epel源
yum -y install jq		  	  # json格式化工具

# 配置HWCLOCK硬件层的ntp时间同步
[root@localhost ~]# vim /etc/sysconfig/ntpd
# Command line options for ntpd
OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid -g"
SYNC_HWCLOCK=yes
# :x保存systemctl enable --now ntpd
timedatectl set-timezone Asia/Shanghai
[root@docker01 ~]# timedatectl Local time: Sat 2024-05-01 14:13:37 CSTUniversal time: Sat 2024-05-01 06:13:37 UTCRTC time: Sat 2024-05-01 06:13:38Time zone: Asia/Shanghai (CST, +0800)	# 东8区时区NTP enabled: yes		# ntp已启用
NTP synchronized: yes		# ntp已同步RTC in local TZ: noDST active: n/a

sdb硬盘配置lvm

以下操作均使用xshell的ssh连接centos

### sdb硬盘配置lvm
### lvdocker逻辑卷开机挂载到/opt/mydockerfdisk /dev/sdb	# 对/dev/sdb进行磁盘操作
n				# 添加新分区
p				# 新建主分区
1				# 定义编号1
2048			# 定义扇区大小，默认2048# 定义容量大小，默认100%FREE
t				# 更改分区的system id
8e				# Linux LVM的system id
w				# 保存配置partprobe		# 重新识别磁盘
lsblk			# 查看块设备信息pvs    						# 查看已创建的物理卷信息列表
pvcreate /dev/sdb1    		# 新建pv物理卷
vgcreate vgdocker /dev/sdb1	# 新建vg卷组, 用来存放lvm逻辑卷
vgs							# 查看已创建的vg卷组
lvcreate -l 100%FREE -n lvdocker vgdocker		# 创建lv逻辑卷[root@docker01 ~]# lvsLV        VG        Attr       LSize    Pool Origin Data%  Meta%  Move Log Cpy%Sync Convertroot      centos    -wi-ao----   36.99g                                                    swap      centos    -wi-ao----    2.00g                                                    lvdocker  vgdocker  -wi-a----- <200.00g[root@docker01 ~]# mkfs.ext4 /dev/mapper/vgdocker-lvdocker
[root@docker01 ~]# blkid | grep docker
/dev/mapper/vgdocker-lvdocker: UUID="2a2e3964-5b40-42e5-a813-9f3c12e17a13" TYPE="ext4"vim /etc/fstab			# 在最后一行添加配置, 把lvdocker逻辑卷开机挂载到/opt/mydocker目录, 文件系统格式是ext4
#
# /etc/fstab
# Created by anaconda on Wed Jul 12 00:06:09 2023
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        0 0
UUID=e56d6e40-f244-4d46-b5fb-80365ad2cfc4 /boot                   xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0
UUID=2a2e3964-5b40-42e5-a813-9f3c12e17a13 /opt/mydocker ext4    defaults        0 0
# :x保存mkdir -p /opt/mydocker	# 新建/opt/mydocker目录
mount -a				# 刷新所有挂载源
[root@docker01 ~]# mount | grep docker
/dev/mapper/vgdocker-lvdocker on /opt/mydocker type ext4 (rw,relatime,seclabel,data=ordered)

部署docker之前, 优化centos的默认参数

### (可选)关闭selinux
# setenforce 0
# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config### 优化centos基础配置, swap内存修改成 12G(centos虚拟机16G内存), swap内存使用权重60
swapoff -a
dd if=/dev/zero of=/swap_12g bs=1024 count=12582912
chmod 600 /swap_12g
mkswap /swap_12g
swapon /swap_12g
echo "vm.swappiness = 60" >> /etc/sysctl.conf
sysctl -p
[root@docker01 ~]# swapon
NAME      TYPE SIZE USED PRIO
/swap_12g file  12G   0B   -2### 禁用ipv6
sysctl -a 2>1 | grep disable_ipv6	# 跟下列参数不同则自定义该参数
cat <<EOF > /etc/sysctl.d/not-ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF### 优化文件系统和网络性能
cat <<EOF > /etc/sysctl.d/fs.conf
fs.file-max = 10000000
fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 524288
EOF
cat <<EOF > /etc/sysctl.d/net.conf
net.core.somaxconn = 1024
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
EOFsysctl -p /etc/sysctl.d/*.conf

docker底层原理

### docker底层原理docker的生命周期有三部分组成：仓库（repository）+ 镜像（image）+ 容器（container）docker是利用Linux内核虚拟机化技术（LXC），提供轻量级的虚拟化，以便隔离进程和资源。LXC不是硬件的虚拟化，而是Linux内核的级别的虚拟机化，相对于传统的虚拟机，节省了很多硬件资源。NameSpace
LXC是利用内核namespace技术，进行进程隔离。其中pid, net, ipc, mnt, uts等namespace将 container 的进程, 网络, 消息, 文件系统和 hostname 隔离开。Control Group
LXC利用的宿主机共享的资源，虽然用namespace进行隔离，但是资源使用没有收到限制，这里就需要用到Control Group技术，对资源使用进行限制，设定优先级，资源控制等。images: 镜像, 只读模板. 镜像的描述文件是Dockerfile
Dockerfile: 镜像的描述文件
FROM		定义基础镜像
MAINTAINER	作者
RUN			运行Linux命令
ENV			环境变量
CMD			运行进程
...container: 容器, 镜像的运行实例, 镜像 > 容器
获取镜像: docker pull nginx    从镜像仓库拉取
使用镜像创建容器, 分配文件系统, 挂载一个读写层(与宿主机实现数据交互),在读写层加载镜像
分配网络/网桥接口, 创建一个网络接口, 让容器和宿主机通信
容器获取IP地址
执行容器命令, 如/bin/bash
使用 -p 将docker容器端口映射到宿主机端口, 实现容器的端口通信
使用 -v 将docker容器目录映射到宿主机目录, 实现容器的文件系统关联
反馈容器启动结果registry: 镜像仓库(也是一个容器)
官方镜像仓库地址: https://hub.docker.com/
国内镜像仓库地址(阿里云镜像地址)：https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

安装docker-ce社区版

### 安装docker依赖环境, 安装docker-ce社区版, 配置镜像加速# step 1: 安装必要的一些系统工具
yum install -y yum-utils device-mapper-persistent-data lvm2
# Step 2: 添加软件源信息
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
sed -i 's/download.docker.com/mirrors.aliyun.com\/docker-ce/g' /etc/yum.repos.d/docker-ce.repo
# Step 3: 更新并安装 Docker-CE
yum makecache fast
yum -y install docker-ce# 防火墙规则允许网络桥接、允许ipv4网络转发
cat <<EOF > /etc/sysctl.d/docker.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOFmodprobe br_netfilter	# 先执行这行命令启动网桥过滤功能, 否则会报错/proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
sysctl -p /etc/sysctl.d/docker.conf# 配置镜像加速 阿里云镜像仓库、网易镜像仓库、中科大镜像仓库
mkdir -p /etc/docker
vim /etc/docker/daemon.json
{"registry-mirrors":["https://x9w5e7g4.mirror.aliyuncs.com","https://hub-mirrors.c.163.com/","https://Docker.mirrors.ustc.edu.cn/"]
}systemctl daemon-reload;systemctl enable --now docker
[root@docker ~]# docker version			# 查看docker版本, Docker Engine - Community 社区版
Client: Docker Engine - CommunityVersion:           26.1.2API version:       1.45Go version:        go1.21.10Git commit:        211e74bBuilt:             Wed May  8 14:01:02 2024OS/Arch:           linux/amd64Context:           defaultServer: Docker Engine - CommunityEngine:Version:          26.1.2API version:      1.45 (minimum version 1.24)Go version:       go1.21.10Git commit:       ef1912dBuilt:            Wed May  8 13:59:55 2024OS/Arch:          linux/amd64Experimental:     falsecontainerd:Version:          1.6.31GitCommit:        e377cd56a71523140ca6ae87e30244719194a521runc:Version:          1.1.12GitCommit:        v1.1.12-0-g51d5e94docker-init:Version:          0.19.0GitCommit:        de40ad0

验证docker-ce是否正常运行

# 输出以下文本说明docker-ce正常运行且正常拉取镜像了
[root@docker01 ~]# docker run --rm hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete 
Digest: sha256:2498fce14358aa50ead0cc6c19990fc6ff866ce72aeb5546e1d59caac3d0d60f
Status: Downloaded newer image for hello-world:latestHello from Docker!
This message shows that your installation appears to be working correctly.To generate this message, Docker took the following steps:1. The Docker client contacted the Docker daemon.2. The Docker daemon pulled the "hello-world" image from the Docker Hub.(amd64)3. The Docker daemon created a new container from that image which runs theexecutable that produces the output you are currently reading.4. The Docker daemon streamed that output to the Docker client, which sent itto your terminal.To try something more ambitious, you can run an Ubuntu container with:$ docker run -it ubuntu bashShare images, automate workflows, and more with a free Docker ID:https://hub.docker.com/For more examples and ideas, visit:https://docs.docker.com/get-started/

案例：部署nginx镜像

### 部署nginx镜像, nginx默认执行目录 /usr/share/nginx/html/ 映射到 /opt/mydocker/nginx/html/ 目录, 使用宿主机的8000端口访问nginx容器的80端口
### 编写 /opt/mydocker/nginx/html/index.html 文件, docker 启动 nginx 容器, 验收代码项目docker pull nginx
docker run --name nginx8000 -p 8000:80 -v /opt/mydocker/nginx/html/:/usr/share/nginx/html/ -itd nginx
# --name 自定义容器名称
# -p [宿主机端口]:[容器端口]  将容器的80端口映射到宿主机的8000端口
# -v [宿主机目录]:[容器目录]	将容器的/usr/share/nginx/html/目录映射到宿主机的/opt/mydocker/nginx/html/   目录不存在的话会自动递归创建
# -d 在后台运行
# -it 交互式启动, 无前台进程的容器需要使用 -it 参数, 容器才会处于running状态, 例如 centos 镜像.
# nginx容器自带前台进程,  -it 参数可选可不选, 容器会保持running状态.# 添加index.html到nginx监听的站点
echo '<h1>welcome to my nginx server.</h1>' > /opt/mydocker/nginx/html/index.html
# 修改firewall-cmd配置，放通8000端口的访问
[root@docker01 ~]# firewall-cmd --remove-service=dhcpv6-client --per
[root@docker01 ~]# firewall-cmd --add-port=8000/tcp --per
[root@docker01 ~]# firewall-cmd --reload
[root@docker01 ~]# firewall-cmd --list-all
public (active)target: defaulticmp-block-inversion: nointerfaces: ens192sources: services: ssh			# 仅保留sshd服务，取消dhcpv6-client服务ports: 8000/tcp		# 放通tcp的8000端口protocols: masquerade: noforward-ports: source-ports: icmp-blocks: rich rules: 

检查&验证

# 本地验证
[root@docker01 ~]# curl localhost:8000
<h1>welcome to my nginx server.</h1>
[root@docker01 ~]# netstat -tnlp | grep 8000
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      10681/docker-proxy  

# 网络验证
PS C:\> curl http://10.0.0.210:8000 | ForEach-Object Content
<h1>welcome to my nginx server.</h1>

参考来源

1. Linux 网络调优：内核网络栈参数篇
2. Linux内核 TCP/IP、Socket参数调优
3. Install Docker Engine on CentOS
4. Linux CentOS 7.9 如何安装Docker
5. Docker 命令大全