關(guān)于Docker中本地倉庫，限制容器資源，容器監(jiān)控的一些筆記

寫在前面

學(xué)習(xí) K8s，順便整理下之前學(xué)的docker的相關(guān)筆記.有錯誤的地方小伙伴積極留言。

博文內(nèi)容涉及：

docker本地庫（registry，harbor）

docker 資源限制

docker 容器監(jiān)控(cadvisor,weavescope)

生活的意義就是學(xué)著真實的活下去，生命的意義就是尋找生活的意義 -----山河已無恙

1、容器 ？= docker

容器是什么？docker是什么？

啟動盤小伙伴都不陌生，電腦系統(tǒng)壞了，開不了機(jī)，我們插一個啟動盤就可以了，這個啟動盤里有一些基礎(chǔ)的軟件，那么這里，

我們用的啟動盤，就可以理解是一個類似鏡像的東東

，這個啟動盤在電腦上運行一個系統(tǒng)，

這個win PE系統(tǒng)就是一個容器

，這個系統(tǒng)運行需要的物理內(nèi)存CPU都是從物理機(jī)獲取，也就是我們開不了機(jī)的那個電腦。

那現(xiàn)實場景中，我們要多管理容器和鏡像，要怎么辦，不能一個鏡像放到一個U盤里吧，這里我們

需要一個 runtime(運行時)，即用于管理容器的一種軟件

，比如 runc lxc gvisor kata這些，只能管理容器，不能管理鏡像，他們被稱為

低級別運行時

。

低級別的運行時功能單一，不能管理鏡像，這時候需要有

高級別的運行時

，比如 docker podman containerd ..，用來調(diào)用管理低級別運行時 runc 等，即能管理容器，也能管理鏡像。

k8s是用來管理高級別運行時的。

關(guān)閉屏保

setterm -blank 0

配置yum源

rm -rf /etc/yum.repos.d/ wget ftp://ftp.rhce.cc/k8s/* -P /etc/yum.repos.d/

配置docker加速器

sudo mkdir -p /etc/docker sudo tee /etc/docker/daemon.json <<-'EOF' { "registry-mirrors": ["https://2tefyfv7.mirror.aliyuncs.com"] } EOF sudo systemctl daemon-reload sudo systemctl restart docker

配置docker本地倉庫

安裝倉庫鏡像

┌──[root@vms56.liruilongs.github.io]-[~] └─#yum -y install docker-ce Loaded plugins: fastestmirror kubernetes/signature | 844 B 00:00:00 Retrieving key from https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg Importing GPG key 0x307EA071: Userid : "Rapture Automatic Signing Key (cloud-rapture-signing-key-2021-03-01-08_01_09.pub)" Fingerprint: 7f92 e05b 3109 3bef 5a3c 2d38 feea 9169 307e a071 From : https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg Retrieving key from https://mirrors.aliyun.com/kubernetes/yum/doc/ ................. Complete! ┌──[root@vms56.liruilongs.github.io]-[~] └─#sudo tee /etc/docker/daemon.json <<-'EOF' > { > "registry-mirrors": ["https://2tefyfv7.mirror.aliyuncs.com"] > } > EOF { "registry-mirrors": ["https://2tefyfv7.mirror.aliyuncs.com"] } ┌──[root@vms56.liruilongs.github.io]-[~] └─#sudo systemctl daemon-reload ┌──[root@vms56.liruilongs.github.io]-[~] └─#sudo systemctl restart docker ┌──[root@vms56.liruilongs.github.io]-[~] └─#docker pull hub.c.163.com/library/registry:latest latest: Pulling from library/registry 25728a036091: Pull complete 0da5d1919042: Pull complete e27a85fd6357: Pull complete d9253dc430fe: Pull complete 916886b856db: Pull complete Digest: sha256:fce8e7e1569d2f9193f75e9b42efb07a7557fc1e9d2c7154b23da591e324f3d1 Status: Downloaded newer image for hub.c.163.com/library/registry:latest hub.c.163.com/library/registry:latest ┌──[root@vms56.liruilongs.github.io]-[~] └─#docker run -dit --name=myreg -p 5000:5000 -v $PWD/myreg:^Cr ┌──[root@vms56.liruilongs.github.io]-[~] └─#docker history hub.c.163.com/library/registry:latest IMAGE CREATED CREATED BY SIZE COMMENT 751f286bc25e 4 years ago /bin/sh -c #(nop) CMD ["/etc/docker/registr… 0B 4 years ago /bin/sh -c #(nop) ENTRYPOINT ["/entrypoint.… 0B 4 years ago /bin/sh -c #(nop) COPY file:7b57f7ab1a8cf85c… 155B 4 years ago /bin/sh -c #(nop) EXPOSE 5000/tcp 0B 4 years ago /bin/sh -c #(nop) VOLUME [/var/lib/registry] 0B 4 years ago /bin/sh -c #(nop) COPY file:6c4758d509045dc4… 295B 4 years ago /bin/sh -c #(nop) COPY file:b99d4fe47ad1addf… 22.8MB 4 years ago /bin/sh -c set -ex && apk add --no-cache… 5.61MB 4 years ago /bin/sh -c #(nop) CMD ["/bin/sh"] 0B 4 years ago /bin/sh -c #(nop) ADD file:89e72bfc19e81624b… 4.81MB ┌──[root@vms56.liruilongs.github.io]-[~] └─#docker run -dit --name=myreg -p 5000:5000 -v $PWD/myreg:/var/lib/registry hub.c.163.com/library/registry 317bcc7bd882fd0d29cf9a2898e5cec4378431f029a796b9f9f643762679a14d ┌──[root@vms56.liruilongs.github.io]-[~] └─#docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 317bcc7bd882 hub.c.163.com/library/registry "/entrypoint.sh /etc…" 5 seconds ago Up 3 seconds 0.0.0.0:5000->5000/tcp, :::5000->5000/tcp myreg └─# └─#

selinux、防火墻設(shè)置

┌──[root@vms56.liruilongs.github.io]-[~] └─#getenforce Disabled ┌──[root@vms56.liruilongs.github.io]-[~] └─#systemctl status firewalld.service ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2021-10-06 12:57:44 CST; 15min ago Docs: man:firewalld(1) Main PID: 608 (firewalld) Memory: 1.7M CGroup: /system.slice/firewalld.service └─608 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid Oct 06 13:05:18 vms56.liruilongs.github.io firewalld[608]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' fa...that name. Oct 06 13:05:18 vms56.liruilongs.github.io firewalld[608]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst...that name. Oct 06 13:05:18 vms56.liruilongs.github.io firewalld[608]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed: iptables: No...that name. Oct 06 13:05:18 vms56.liruilongs.github.io firewalld[608]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,...t chain?). Oct 06 13:05:18 vms56.liruilongs.github.io firewalld[608]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-ISOLATION-STAGE-1' failed: iptab...that name. Oct 06 13:05:18 vms56.liruilongs.github.io firewalld[608]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -...that name. Oct 06 13:05:18 vms56.liruilongs.github.io firewalld[608]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP' faile...t chain?). Oct 06 13:08:01 vms56.liruilongs.github.io firewalld[608]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 5000 -j DNAT --to-destin...that name. Oct 06 13:08:01 vms56.liruilongs.github.io firewalld[608]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0....t chain?). Oct 06 13:08:01 vms56.liruilongs.github.io firewalld[608]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.17.0.2 -d 172.17.0.2 --dpor...that name. Hint: Some lines were ellipsized, use -l to show in full. ┌──[root@vms56.liruilongs.github.io]-[~] └─#systemctl disable firewalld.service --now Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service. Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. ┌──[root@vms56.liruilongs.github.io]-[~] └─#

鏡像push 協(xié)議設(shè)置

┌──[root@liruilongs.github.io]-[~] └─$ cat /etc/docker/daemon.json { "registry-mirrors": ["https://2tefyfv7.mirror.aliyuncs.com"] } ┌──[root@liruilongs.github.io]-[~] └─$ vim /etc/docker/daemon.json ┌──[root@liruilongs.github.io]-[~] └─$ cat /etc/docker/daemon.json { "registry-mirrors": ["https://2tefyfv7.mirror.aliyuncs.com"], "insecure-registries": ["192.168.26.56:5000"] } ┌──[root@liruilongs.github.io]-[~] └─$ ┌──[root@liruilongs.github.io]-[~] └─$ systemctl restart docker ┌──[root@liruilongs.github.io]-[~]

API使用,查看腳本編寫

┌──[root@liruilongs.github.io]-[~/docker] └─$ vim dockerimages.sh ┌──[root@liruilongs.github.io]-[~/docker] └─$ sh dockerimages.sh 192.168.26.56 192.168.26.56:5000/db/mysql:v1 192.168.26.56:5000/os/centos:latest ┌──[root@liruilongs.github.io]-[~/docker] └─$ curl http://192.168.26.56:5000/v2/_catalog {"repositories":["db/mysql","os/centos"]} ┌──[root@liruilongs.github.io]-[~/docker] └─$ curl -XGET http://192.168.26.56:5000/v2/_catalog {"repositories":["db/mysql","os/centos"]} ┌──[root@liruilongs.github.io]-[~/docker] └─$ curl -XGET http://192.168.26.56:5000/v2/os/centos/tags/list {"name":"os/centos","tags":["latest"]} ┌──[root@liruilongs.github.io]-[~/docker] └─$

┌──[root@liruilongs.github.io]-[~/docker] └─$ cat dockerimages.sh #!/bin/bash file=$(mktemp) curl -s $1:5000/v2/_catalog | jq | egrep -v '\{|\}|\[|]' | awk -F\" '{print $2}' > $file while read aa ; do tag=($(curl -s $1:5000/v2/$aa/tags/list | jq | egrep -v '\{|\}|\[|]|name' | awk -F\" '{print $2}')) for i in ${tag[*]} ; do echo $1:5000/${aa}:$i done done < $file rm -rf $file ┌──[root@liruilongs.github.io]-[~/docker] └─$ yum -y install jq

刪除本地倉庫里的鏡像

curl https://raw.githubusercontent.com/burnettk/delete-docker-registry-image/master/delete_docker_registry_image.py | sudo tee /usr/local/bin/delete_docker_registry_image >/dev/null sudo chmod a+x /usr/local/bin/delete_docker_registry_image

export REGISTRY_DATA_DIR=/opt/data/registry/docker/registry/v2

delete_docker_registry_image --image testrepo/awesomeimage --dry-run delete_docker_registry_image --image testrepo/awesomeimage delete_docker_registry_image --image testrepo/awesomeimage:supertag

harbor的使用

┌──[root@vms56.liruilongs.github.io]-[~] └─#yum install -y docker-compose ┌──[root@vms56.liruilongs.github.io]-[/] └─#ls bin dev harbor-offline-installer-v2.0.6.tgz lib machine-id mnt proc run srv tmp var boot etc home lib64 media opt root sbin sys usr ┌──[root@vms56.liruilongs.github.io]-[/] └─#tar zxvf harbor-offline-installer-v2.0.6.tgz harbor/harbor.v2.0.6.tar.gz harbor/prepare harbor/LICENSE harbor/install.sh harbor/common.sh harbor/harbor.yml.tmpl ┌──[root@vms56.liruilongs.github.io]-[/] └─#docker load -i harbor/harbor.v2.0.6.tar.gz

修改配置文件

┌──[root@vms56.liruilongs.github.io]-[/] └─#cd harbor/ ┌──[root@vms56.liruilongs.github.io]-[/harbor] └─#ls common.sh harbor.v2.0.6.tar.gz harbor.yml.tmpl install.sh LICENSE prepare ┌──[root@vms56.liruilongs.github.io]-[/harbor] └─#cp harbor.yml.tmpl harbor.yml ┌──[root@vms56.liruilongs.github.io]-[/harbor] └─#ls common.sh harbor.v2.0.6.tar.gz harbor.yml harbor.yml.tmpl install.sh LICENSE prepare ┌──[root@vms56.liruilongs.github.io]-[/harbor] └─#vim harbor.yml ┌──[root@vms56.liruilongs.github.io]-[/harbor] └─#

harbor.yml

4 # DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients. 5 hostname: 192.168.26.56 6 7 # http related config ....... 12 # https related config 13 #https: 14 # https port for harbor, default is 443 15 # port: 443 16 # The path of cert and key files for nginx 17 # certificate: /your/certificate/path 18 # private_key: /your/private/key/path .... 33 # Remember Change the admin password from UI after launching Harbor. 34 harbor_admin_password: Harbor12345 35 36 # Harbor DB configuration

./prepare && ./install.sh

┌──[root@vms56.liruilongs.github.io]-[/harbor] └─#./prepare prepare base dir is set to /harbor WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https Generated configuration file: /config/log/logrotate.conf Generated configuration file: /config/log/rsyslog_docker.conf Generated configuration file: /config/nginx/nginx.conf Generated configuration file: /config/core/env Generated configuration file: /config/core/app.conf Generated configuration file: /config/registry/config.yml Generated configuration file: /config/registryctl/env Generated configuration file: /config/registryctl/config.yml Generated configuration file: /config/db/env Generated configuration file: /config/jobservice/env Generated configuration file: /config/jobservice/config.yml Generated and saved secret to file: /data/secret/keys/secretkey Successfully called func: create_root_cert Generated configuration file: /compose_location/docker-compose.yml Clean up the input dir ┌──[root@vms56.liruilongs.github.io]-[/harbor] └─#./install.sh [Step 0]: checking if docker is installed ... Note: docker version: 20.10.9 [Step 1]: checking docker-compose is installed ...

┌──[root@liruilongs.github.io]-[~/docker] └─$ docker push 192.168.26.56/library/mysql Using default tag: latest The push refers to repository [192.168.26.56/library/mysql] 8129a85b4056: Pushed 3c376267ac82: Pushed fa9efdcb088a: Pushed 9e615ff77b4f: Pushed e5de8ba20fae: Pushed 2bee3420217b: Pushed 904af8e2b2d5: Pushed daf31ec3573d: Pushed da4155a7d640: Pushed 3b7c5f5acc82: Pushed 295d6a056bfd: Pushed latest: digest: sha256:c0806ac73235043de2a6cb4738bb2f6a74f71d9c7aa0f19c8e7530fd6c299e75 size: 2617 ┌──[root@liruilongs.github.io]-[~/docker] └─$

限制容器資源

了解Cgroup的使用

對內(nèi)存的限制

/etc/systemd/system/memload.service.d cat 00-aa.conf [Service] MemoryLimit=512M

對CPU親和性限制

ps mo pid,comm,psr $(pgrep httpd) /etc/systemd/system/httpd.service.d cat 00-aa.conf [Service] CPUAffinity=0

容器如何限制

┌──[root@liruilongs.github.io]-[/] └─$ docker exec -it c1 bash [root@55e45b34d93d /]# ls bin etc lib lost+found mnt proc run srv tmp var dev home lib64 media opt root sbin sys usr [root@55e45b34d93d /]# cd opt/ [root@55e45b34d93d opt]# ls memload-7.0-1.r29766.x86_64.rpm [root@55e45b34d93d opt]# rpm -ivh memload-7.0-1.r29766.x86_64.rpm Verifying... ################################# [100%] Preparing... ################################# [100%] Updating / installing... 1:memload-7.0-1.r29766 ################################# [100%] [root@55e45b34d93d opt]# exit exit ┌──[root@liruilongs.github.io]-[/] └─$ docker stats CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS 55e45b34d93d c1 0.00% 8.129MiB / 3.843GiB 0.21% 648B / 0B 30.4MB / 11.5MB 1

[root@55e45b34d93d /]# memload 1000 Attempting to allocate 1000 Mebibytes of resident memory... ^C [root@55e45b34d93d /]# ┌──[root@liruilongs.github.io]-[/] └─$ docker stats CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS 55e45b34d93d c1 0.02% 165.7MiB / 3.843GiB 4.21% 648B / 0B 30.5MB / 11.5MB 3

內(nèi)存限制

┌──[root@liruilongs.github.io]-[/] └─$ docker run -itd --name=c2 -m 200M centos 3b2df1738e84159f4fa02dadbfc285f6da8ddde4d94cb449bc775c9a70eaa4ea ┌──[root@liruilongs.github.io]-[/] └─$ docker stats CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS 3b2df1738e84 c2 0.00% 528KiB / 200MiB 0.26% 648B / 0B 0B / 0B 1 55e45b34d93d c1 0.00% 8.684MiB / 3.843GiB 0.22% 648B / 0B 30.5MB / 11.5MB 2

對容器CPU的限制

┌──[root@liruilongs.github.io]-[/] └─$ ps mo pid,psr $(pgrep cat) ┌──[root@liruilongs.github.io]-[/] └─$ docker run -itd --name=c3 --cpuset-cpus 0 -m 200M centos a771eed8c7c39cd410bd6f43909a67bfcf181d87fcafffe57001f17f3fdff408

11.監(jiān)控容器

cadvisor,讀取宿主機(jī)信息

docker pull hub.c.163.com/xbingo/cadvisor:latest

docker run \ -v /var/run:/var/run \ -v /sys:/sys:ro \ -v /var/lib/docker:/var/lib/docker:ro \ -d -p 8080:8080 --name=mon \ hub.c.163.com/xbingo/cadvisor:latest

weavescope

┌──[root@liruilongs.github.io]-[/] └─$ chmod +x ./scope ┌──[root@liruilongs.github.io]-[/] └─$ ./scope launch Unable to find image 'weaveworks/scope:1.13.1' locally 1.13.1: Pulling from weaveworks/scope c9b1b535fdd9: Pull complete 550073704c23: Pull complete 8738e5bbaf1d: Pull complete 0a8826d26027: Pull complete 387c1aa951b4: Pull complete e72d45461bb9: Pull complete 75cc44b65e98: Pull complete 11f7584a6ade: Pull complete a5aa3ebbe1c2: Pull complete 7cdbc028c8d2: Pull complete Digest: sha256:4342f1c799aba244b975dcf12317eb11858f9879a3699818e2bf4c37887584dc Status: Downloaded newer image for weaveworks/scope:1.13.1 3254bcd54a7b2b1a5ece2ca873ab18c3215484e6b4f83617a522afe4e853c378 Scope probe started The Scope App is not responding. Consult the container logs for further details. ┌──[root@liruilongs.github.io]-[/] └─$

Docker 容器

版權(quán)聲明：本文內(nèi)容由網(wǎng)絡(luò)用戶投稿，版權(quán)歸原作者所有，本站不擁有其著作權(quán)，亦不承擔(dān)相應(yīng)法律責(zé)任。如果您發(fā)現(xiàn)本站中有涉嫌抄襲或描述失實的內(nèi)容，請聯(lián)系我們jiasou666@gmail.com 處理，核實后本網(wǎng)站將在24小時內(nèi)刪除侵權(quán)內(nèi)容。