云原生 -- Docker进阶(Docker-compose,Docker网络简单介绍)
Dockerfile的构建过程
- 每条保留字段必须为大写字母。
- Dockerfile每行只支持一条指令,但是每条指令可以带多个参数,并且每条保留字指令后面至少要带有一个参数。
- 从上到下依次执行。
- 每条指令都会创建一个新的镜像层,并提交新的镜像。
大致流程:
- docker从基础镜像运行一个容器
- 执行一条指令并对容器作出修改
- 执行提交操作,提交一个新的镜像层
- 执行dockerfile的下一条指令
Dockerfile的保留字指令
Docker Compose
我们使用一个超长的命令来去看一下MySQL能不能部署成功:
docker run --name some-mysql -v /my/own/datadir:/var/lib/mysql -p 3306:3306 -e MYSQL_ROOT_PASSWORD=123456 -d mysql --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
部署成功了,但是这个命令太过于长了,而且一次只能部署一个容器,所以我们提出了docker-compose。
我们写一个docker-compose文件然后运行docker-compose up,结果报错了。
这个报错非常的坑:
ERROR: yaml.scanner.ScannerError: while scanning for the next token
found character '\t' that cannot start any tokenin "./docker-compose.yaml", line 4, column 1
意思就是yaml必须打2个空格,不能打\t。然后最终看起来是一样的,但是会无法识别。
1 version: '3.1'2 3 services:4 5 db:6 image: mysql # 镜像的名称7 command: # 对应我上面那个巨长的命令的--8 --character-set-server=utf8mb49 --collation-server=utf8mb4_unicode_ci10 restart: always # 如果宕机了,重启的策略11 environment: # 对应上面的-e配置环境12 MYSQL_ROOT_PASSWORD: 12345613 volumes: 对应上面的 -v 挂载数据14 - /my/own/datadir:/var/lib/mysql15 ports: 对应上面的 -p 端口映射16 - 3306:330617 18 adminer:19 image: adminer20 restart: always21 ports:22 - 8080:8080
然后
docker-compose up -d
在后台启动我的docker容器。
这个admin是一个MySQL的管理系统。
停止容器的运行
条件:在docker-compose的目录下
docker-compose stop/start #只是停止/运行这个容器
docker-compose down #直接把这个容器删了
但是如果我的这个yml文件不叫docker-compose文件呢?
docker-compose -f mysql.yaml up -d
-f强行指定姓名就可以了。
看日志
docker-compose logs
这样的话就是名字叫做docker-compose.yaml的日志。
docker-compose -f mysql.yaml logs
这样就是查看名字叫做mysql.yaml的日志。
docker-compose -f mysql.yaml logs -f
这样就是查看名字叫做mysql.yaml的日志,并且滚动更新日志。
Docker容器网络基础
Bridge网络
我们先使用一个命令查看Docker的一些网络信息:
[root@k8smaster mysql]# docker network ls
NETWORK ID NAME DRIVER SCOPE
0192785adb20 bridge bridge local
6265d41f9cbc host host local
1076f6955d43 mysql_default bridge local
7bd9dd6a93a5 none null local
可以看到又一个bridge,网桥网络。
在网络方面,桥接网络是在网段之间转发流量的链路层设备。桥可以是在主机内核中运行的硬件设备或者软件设备。
docker0(默认bridge)
docker run -d --name tomcat1 tomcat
我们先来启动两个tomcat容器。
docker inspect tomcat1
查看tomcat1容器的相关信息。
我们来看一下结果:
[{"Id": "89435df83bcb0f8c5d685f4ad7a0d06b01a14b182c3f2eedd48aace0fc8539b6","Created": "2023-02-15T10:41:23.32460978Z","Path": "catalina.sh","Args": ["run"],"State": {"Status": "running","Running": true,"Paused": false,"Restarting": false,"OOMKilled": false,"Dead": false,"Pid": 52447,"ExitCode": 0,"Error": "","StartedAt": "2023-02-15T10:41:23.665177066Z","FinishedAt": "0001-01-01T00:00:00Z"},"Image": "sha256:fb5657adc892ed15910445588404c798b57f741e9921ff3c1f1abe01dbb56906","ResolvConfPath": "/var/lib/docker/containers/89435df83bcb0f8c5d685f4ad7a0d06b01a14b182c3f2eedd48aace0fc8539b6/resolv.conf","HostnamePath": "/var/lib/docker/containers/89435df83bcb0f8c5d685f4ad7a0d06b01a14b182c3f2eedd48aace0fc8539b6/hostname","HostsPath": "/var/lib/docker/containers/89435df83bcb0f8c5d685f4ad7a0d06b01a14b182c3f2eedd48aace0fc8539b6/hosts","LogPath": "/var/lib/docker/containers/89435df83bcb0f8c5d685f4ad7a0d06b01a14b182c3f2eedd48aace0fc8539b6/89435df83bcb0f8c5d685f4ad7a0d06b01a14b182c3f2eedd48aace0fc8539b6-json.log","Name": "/tomcat1","RestartCount": 0,"Driver": "overlay2","Platform": "linux","MountLabel": "","ProcessLabel": "","AppArmorProfile": "","ExecIDs": null,"HostConfig": {"Binds": null,"ContainerIDFile": "","LogConfig": {"Type": "json-file","Config": {"max-size": "100m"}},"NetworkMode": "default","PortBindings": {},"RestartPolicy": {"Name": "no","MaximumRetryCount": 0},"AutoRemove": false,"VolumeDriver": "","VolumesFrom": null,"CapAdd": null,"CapDrop": null,"Capabilities": null,"Dns": [],"DnsOptions": [],"DnsSearch": [],"ExtraHosts": null,"GroupAdd": null,"IpcMode": "private","Cgroup": "","Links": null,"OomScoreAdj": 0,"PidMode": "","Privileged": false,"PublishAllPorts": false,"ReadonlyRootfs": false,"SecurityOpt": null,"UTSMode": "","UsernsMode": "","ShmSize": 67108864,"Runtime": "runc","ConsoleSize": [0,0],"Isolation": "","CpuShares": 0,"Memory": 0,"NanoCpus": 0,"CgroupParent": "","BlkioWeight": 0,"BlkioWeightDevice": [],"BlkioDeviceReadBps": null,"BlkioDeviceWriteBps": null,"BlkioDeviceReadIOps": null,"BlkioDeviceWriteIOps": null,"CpuPeriod": 0,"CpuQuota": 0,"CpuRealtimePeriod": 0,"CpuRealtimeRuntime": 0,"CpusetCpus": "","CpusetMems": "","Devices": [],"DeviceCgroupRules": null,"DeviceRequests": null,"KernelMemory": 0,"KernelMemoryTCP": 0,"MemoryReservation": 0,"MemorySwap": 0,"MemorySwappiness": null,"OomKillDisable": false,"PidsLimit": null,"Ulimits": null,"CpuCount": 0,"CpuPercent": 0,"IOMaximumIOps": 0,"IOMaximumBandwidth": 0,"MaskedPaths": ["/proc/asound","/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware"],"ReadonlyPaths": ["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"]},"GraphDriver": {"Data": {"LowerDir": "/var/lib/docker/overlay2/7eadc53b492791389b9375565b5e9d8f521b247aaec55e14c5694fde8cb262ed-init/diff:/var/lib/docker/overlay2/5d15c4c9c3c9d33bce87d6c6d4fe6cd9a1659fae0f1606fb538066e645ed91c7/diff:/var/lib/docker/overlay2/0a467022e79f75c4fc6bbc155b4deb858bf3e17c41a00144c3fd63fdf94ec0bc/diff:/var/lib/docker/overlay2/4871abe01045d7cd11c8bcda554285ed9881067ed31bad1ef9e13d6f43bdc0cd/diff:/var/lib/docker/overlay2/8645d7f0b517edd1e5ad42be66d166d643756ed3dd26c72a6e69ac2ede924f76/diff:/var/lib/docker/overlay2/eb8d5dd01d3f3bb1b83e73d8276505fcb6b799c70820e792c6b0c2e17e3f38fd/diff:/var/lib/docker/overlay2/2714615f68373bde97f4eed08063f25d441d70a09f2cbab8223305fd099cab27/diff:/var/lib/docker/overlay2/65f27c74105575dcf023693c9f437f2e10165b6a85d9f76a76520d7bf0353483/diff:/var/lib/docker/overlay2/a52375516fb2e071a95f2c633bc23bc5d774311287a88f1e534a61bfd76a164a/diff:/var/lib/docker/overlay2/03545b9f89cf397d82c6effb7d924f1a901a5e02f023eec1509b11f4a5bb5adc/diff:/var/lib/docker/overlay2/8a92f9978f8dc817792c00c70433e91809d369cd7dabfbd40e75d583f46dffb9/diff","MergedDir": "/var/lib/docker/overlay2/7eadc53b492791389b9375565b5e9d8f521b247aaec55e14c5694fde8cb262ed/merged","UpperDir": "/var/lib/docker/overlay2/7eadc53b492791389b9375565b5e9d8f521b247aaec55e14c5694fde8cb262ed/diff","WorkDir": "/var/lib/docker/overlay2/7eadc53b492791389b9375565b5e9d8f521b247aaec55e14c5694fde8cb262ed/work"},"Name": "overlay2"},"Mounts": [],"Config": {"Hostname": "89435df83bcb","Domainname": "","User": "","AttachStdin": false,"AttachStdout": false,"AttachStderr": false,"ExposedPorts": {"8080/tcp": {}},"Tty": false,"OpenStdin": false,"StdinOnce": false,"Env": ["PATH=/usr/local/tomcat/bin:/usr/local/openjdk-11/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","JAVA_HOME=/usr/local/openjdk-11","LANG=C.UTF-8","JAVA_VERSION=11.0.13","CATALINA_HOME=/usr/local/tomcat","TOMCAT_NATIVE_LIBDIR=/usr/local/tomcat/native-jni-lib","LD_LIBRARY_PATH=/usr/local/tomcat/native-jni-lib","GPG_KEYS=A9C5DF4D22E99998D9875A5110C01C5A2F6059E7","TOMCAT_MAJOR=10","TOMCAT_VERSION=10.0.14","TOMCAT_SHA512=c2d2ad5ed17f7284e3aac5415774a8ef35434f14dbd9a87bc7230d8bfdbe9aa1258b97a59fa5c4030e4c973e4d93d29d20e40b6254347dbb66fae269ff4a61a5"],"Cmd": ["catalina.sh","run"],"Image": "tomcat","Volumes": null,"WorkingDir": "/usr/local/tomcat","Entrypoint": null,"OnBuild": null,"Labels": {}},"NetworkSettings": {"Bridge": "","SandboxID": "22a9286beec475133639bbde1edc2d07c1b1e0d95fcd4eec6a4e7beba42d34c4","HairpinMode": false,"LinkLocalIPv6Address": "","LinkLocalIPv6PrefixLen": 0,"Ports": {"8080/tcp": null},"SandboxKey": "/var/run/docker/netns/22a9286beec4","SecondaryIPAddresses": null,"SecondaryIPv6Addresses": null,"EndpointID": "dea491b6061874ceefd394d819009d84a564ad08c4782f0279706660caf246af","Gateway": "172.17.0.1","GlobalIPv6Address": "","GlobalIPv6PrefixLen": 0,"IPAddress": "172.17.0.2","IPPrefixLen": 16,"IPv6Gateway": "","MacAddress": "02:42:ac:11:00:02","Networks": {"bridge": {"IPAMConfig": null,"Links": null,"Aliases": null,"NetworkID": "0192785adb20f46e2f13c2fcfe6131d43b7b965eb03b39f55fe292c6196ae2ea","EndpointID": "dea491b6061874ceefd394d819009d84a564ad08c4782f0279706660caf246af","Gateway": "172.17.0.1","IPAddress": "172.17.0.2","IPPrefixLen": 16,"IPv6Gateway": "","GlobalIPv6Address": "","GlobalIPv6PrefixLen": 0,"MacAddress": "02:42:ac:11:00:02","DriverOpts": null}}}}
]
可以看到network那个地方是桥接。
Bridge网络模型图
设备上网是需要一张网卡的。
veth相当于是一个虚拟网卡。
我们手动创建两个网桥:
docker network create br0
br0和br1。然后我们来看一下:
[root@VM-24-15-centos ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
e3e87ce572f5 br0 bridge local
4cf4d0ebbd73 br1 bridge local
7891479a5509 bridge bridge local
dd1c10816481 etcdnet bridge local
c1c1565931b6 host host local
cadd4c7e1fe9 none null local
可以发现确实是成功的。
docker network connect br0 tomcat1
观察一下tomcat1的状态:
"Networks": {"br0": {"IPAMConfig": {},"Links": null,"Aliases": ["7c7fbf222981"],"NetworkID": "e3e87ce572f5870e73ad1f37f700f597cd7748b1a40fc46e260ee14f99be4468","EndpointID": "29a5954e817f89ecf33c00520e84fe41e91875203ac96ca0f71fab26e470373c","Gateway": "172.19.0.1","IPAddress": "172.19.0.2","IPPrefixLen": 16,"IPv6Gateway": "","GlobalIPv6Address": "","GlobalIPv6PrefixLen": 0,"MacAddress": "02:42:ac:13:00:02","DriverOpts": {}},"bridge": {"IPAMConfig": null,"Links": null,"Aliases": null,"NetworkID": "7891479a5509f9cfb69ac4db4452a4a3b9d8fd28b175cf750f53a79ded798671","EndpointID": "bf73381f0a91920258c6780aa75b8d11846838547dff83e9af8ca260257794ef","Gateway": "172.17.0.1","IPAddress": "172.17.0.4","IPPrefixLen": 16,"IPv6Gateway": "","GlobalIPv6Address": "","GlobalIPv6PrefixLen": 0,"MacAddress": "02:42:ac:11:00:04","DriverOpts": null}}
可以看到确实连接成功了,但是旧的bridge没有被删除。
就像是一个机器可以连接多个网卡一样。
我们把bridge去掉。
docker network disconnect bridge tomcat1
然后就可以看到网桥网络确实被删除掉了!!!
有些例如数据库这样的东西,我们可以把数据库放在一个网桥上。然后不对外暴露端口。
Host网络
Host模式并没有为容器创建一个隔离的网络环境。而之所以被称之为host模型,是因为该模式下的Docker容器会和host宿主机共享同一个网络namespace,故Docker Container的IP地址即为宿主机eth0的IP地址。其特点包括:
- 这种模式下的容器没有隔离的
network namespace。 - 容器的IP地址同Docker host的IP地址。
- host模式可以与其他模式共存
- 容器中的服务的端口号不能与Docker host上已经使用的端口号冲突。
考虑到安全问题,Host网络用的比较少
None网络
网络模式为none,即不为Docker容器构造任何网络环境。一旦Docker容器采用了none网络模式,那么容器内部就只能使用loopback(lo)网络设备,不会再有其他的网络资源。Docker Container的none网络模式意味着不给该容器创建任何网络环境,容器只能使用127.0.0.1的本地网络。
Container模式
Container网络模式是Docker中一种比较特殊的网络模式。处于这个模式下的Docker容器共享其他容器的网络环境,因此至少这两个容器之间不存在网络隔离,而这两个容器又与宿主机以及除此之外的其他的容器存在网络隔离。
我们先启动一个my-nginx2的容器,网络在默认的bridge网桥上。
然后启动一个tomcat3容器,并且使用Container网络与my-nginx2共享网络。
docker run -d --name tomcat3 --network container:my-nginx2 tomcat
我们inspect一下tomcat3,发现压根没有网络设置。
我们在inspect返回的结果里面查看一下网络设置:
"NetworkMode": "container:33d777b8b7c5158174ba5d10ffbbca289a45e416e152c1b933e5acfbc65bab4a",
可以看到是Container模式,并且连接到33d777b8b7c5158174ba5d10ffbbca289a45e416e152c1b933e5acfbc65bab4a这个容器。
我们要注意一点,我们两个容器暴露的端口肯定不能一样。
我们现在有tomcat1已经启动了,然后我们再次创建一个tomcat4,并且使用Container模式于tomcat1。
然后就报错了:
java.net.BindException: Address already in use (Bind failed)
端口已经绑定了,这很正常,原因前面已经讲解过了。绑定的端口冲突了,因为我们运行的都是tomcat容器,所以绑定的端口是一样的。