技术流ken

Ops saves the world

Class notes: Docker network management, private image registry, container monitoring (5) – 技术流ken

Docker network management

 

1. host network

2. bridge

3. none

4. container

 

I. bridge mode

Docker network isolation is based on network namespaces: when a container is created on the physical host, it is given its own network namespace, and the container's IP is bridged onto the host's virtual bridge.

II. none mode

In this mode the container is created with no network parameters at all (no container NIC, IP, routes, etc.); everything has to be configured by hand.

III. host mode

A container created in this mode has no network namespace of its own: it shares the host's Network Namespace, and with it all of the host's ports and IPs. This mode is considered insecure.

IV. container mode

This mode is very similar to host mode, except that the container shares the IP and ports of another container rather than of the physical host. A container in this mode configures no network or ports of its own; once inside it you will find that its IP is that of the container you specified and that the ports are shared, while everything else (processes, etc.) remains isolated.


1. bridge network

If no network mode is specified when a container is started, the default is bridge.

2. none network

Specify the network mode when starting the container with the --network option:

[root@ken1 ~]# docker run -it --network=none busybox

3. host network

[root@ken1 ~]# docker run -it --network=host busybox

4. container network

[root@ken1 ~]# docker  run -it --network=container:test1 busybox

--network=container:test1

container is a fixed keyword; test1 is the name of the container whose network is shared

 

How do you create your own network?

Step 1: create the network

[root@ken1 ~]# docker network create  -d bridge  ken
[root@ken1 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
3e0a00f82fd9        bridge              bridge              local
0f3934f83099        host                host                local
ac13e58550ab        ken                 bridge              local
af18e88e2bf1        none                null                local

 

Step 2: use the created network

[root@ken1 ~]# docker run -it --network=ken busybox
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
11: eth0@if12: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
       valid_lft forever preferred_lft forever
/ # ping baidu.com
PING baidu.com (39.156.69.79): 56 data bytes
64 bytes from 39.156.69.79: seq=1 ttl=127 time=52.613 ms

 

Step 3: custom subnet and gateway

[root@ken1 ~]# docker network create --subnet=10.0.0.0/16 --gateway=10.0.0.1 -d bridge kenken
e4cce525b3ccfeffea85a8a64d6abcc7a4a739014cc8d6323803d2787c6e69fa
[root@ken1 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
3e0a00f82fd9        bridge              bridge              local
0f3934f83099        host                host                local
ac13e58550ab        ken                 bridge              local
e4cce525b3cc        kenken              bridge              local

 

Step 4: use the newly created network

[root@ken1 ~]# docker run -it --network=kenken busybox
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:0a:00:00:02 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.2/16 brd 10.0.255.255 scope global eth0
       valid_lft forever preferred_lft forever
/ # ping baidu.com
PING baidu.com (220.181.38.148): 56 data bytes
64 bytes from 220.181.38.148: seq=1 ttl=127 time=13.260 ms
64 bytes from 220.181.38.148: seq=2 ttl=127 time=15.590 ms
^C
--- baidu.com ping statistics ---
3 packets transmitted, 2 packets received, 33% packet loss
round-trip min/avg/max = 13.260/14.425/15.590 ms

 

Step 5: assign a fixed IP address to the container

[root@ken1 ~]# docker run -it --network=kenken --ip=10.0.0.5 busybox
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
16: eth0@if17: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:0a:00:00:05 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.5/16 brd 10.0.255.255 scope global eth0
       valid_lft forever preferred_lft forever

 

Note:

1. Docker's built-in networks cannot assign fixed IPs

2. A fixed IP address can only be assigned on a network you created yourself


How do containers communicate with each other?

1. By IP

2. By DNS hostname

3. join mode

1. Communication by IP address

[root@ken1 ~]# docker run -it --network=kenken busybox
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
22: eth0@if23: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:0a:00:00:03 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.3/16 brd 10.0.255.255 scope global eth0
       valid_lft forever preferred_lft forever
/ # ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: seq=0 ttl=64 time=0.119 ms
64 bytes from 10.0.0.2: seq=1 ttl=64 time=0.093 ms

 

Note: communication by IP address only works between containers attached to the same network

 

 

So how can containers on different networks communicate?

The answer is to connect the containers that need to talk to each other to the same network:

[root@ken1 ~]# docker network connect kenken test2

Essentially this gives the container an additional NIC in the same subnet.

 

Verification

/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
26: eth0@if27: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
32: eth1@if33: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:0a:00:00:03 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.3/16 brd 10.0.255.255 scope global eth1
       valid_lft forever preferred_lft forever
/ # ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: seq=0 ttl=64 time=0.113 ms
64 bytes from 10.0.0.2: seq=1 ttl=64 time=0.061 ms

 

 

The container can be detached again as well:

[root@ken1 ~]# docker network disconnect -f kenken test2

 

2. DNS communication

[root@ken1 ~]# docker run -it --network=kenken --rm --name=test5 busybox
/ # ping test4
PING test4 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: seq=0 ttl=64 time=0.080 ms
64 bytes from 10.0.0.2: seq=1 ttl=64 time=0.058 ms
64 bytes from 10.0.0.2: seq=2 ttl=64 time=0.062 ms
^C
--- test4 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.058/0.066/0.080 ms

 

 

Note:

1. DNS communication only works between containers attached to the same network

2. And only on a user-defined network created by you

 

3. join mode

[root@ken1 ~]# docker run -it --network=kenken --rm --name=test6 busybox

 

 

Summary:

1. Fixed IP addresses can only be assigned on user-created networks

2. DNS-based communication is only available on user-created networks

3. For two containers to communicate they must share a network

4. How does the outside world reach a container? Port mapping

5. Containers can reach the outside network by themselves
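The rules in the summary above (same network required, fixed IPs and embedded DNS only on user-defined networks, `docker network connect` adds one more interface in that subnet) can be checked against `docker network inspect` output before a container is started. The following is an added example, not code from the original notes; the inspect JSON is a constructed sample modelled on the networks and addresses in the transcript, and the container IDs `id-a`/`id-b`/`id-c` are placeholders.

```python
import ipaddress
import json
# Constructed sample in the shape of `docker network inspect bridge kenken` output (a JSON list)
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]},
     "Containers": {"id-a": {"Name": "test2", "IPv4Address": "172.17.0.3/16"}}},
    {"Name": "kenken", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "10.0.0.0/16", "Gateway": "10.0.0.1"}]},
     "Containers": {"id-b": {"Name": "test4", "IPv4Address": "10.0.0.2/16"},
                    "id-c": {"Name": "test5", "IPv4Address": "10.0.0.3/16"}}},
])

def parse_networks(inspect_json):
    """Map network name -> subnets, gateways and {container name: IPv4Address}."""
    nets = {}
    for n in json.loads(inspect_json):
        cfg = n.get("IPAM", {}).get("Config", [])
        nets[n["Name"]] = {
            "subnets": [ipaddress.ip_network(c["Subnet"]) for c in cfg if "Subnet" in c],
            "gateways": [ipaddress.ip_address(c["Gateway"]) for c in cfg if "Gateway" in c],
            "containers": {c["Name"]: ipaddress.ip_interface(c["IPv4Address"]).ip
                           for c in n.get("Containers", {}).values() if c.get("IPv4Address")},
        }
    return nets
def _taken(n):
    return set(n["containers"].values()) | set(n["gateways"])
def shared_networks(nets, a, b):
    """Networks both containers sit on; an empty list means there is no IP path between them."""
    return sorted(name for name, n in nets.items() if a in n["containers"] and b in n["containers"])
def can_resolve_by_name(nets, a, b):
    """Embedded DNS only serves user-defined networks; the default 'bridge' does not resolve names."""
    return any(name != "bridge" for name in shared_networks(nets, a, b))
def fixed_ip_ok(nets, network, ip):
    """--ip is accepted only on a user-defined network whose subnet contains the address and has it free."""
    n = nets.get(network)
    if n is None or network == "bridge":
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in s for s in n["subnets"]) and addr not in _taken(n)
def connect(nets, network, container, ip=None):
    """Model `docker network connect`: attach one more interface (eth1 on the page) in that subnet."""
    n = nets[network]
    if ip is None:  # lowest free host address, a simplification of Docker's IPAM
        ip = next(h for s in n["subnets"] for h in s.hosts() if h not in _taken(n))
    elif not fixed_ip_ok(nets, network, ip):
        raise ValueError(f"{ip} is not usable on network {network}")
    n["containers"][container] = ipaddress.ip_address(ip)
    return n["containers"][container]
```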


Docker registries

1. Alibaba Cloud registry

2. Docker Hub

3. Private registry (registry)

1. Docker Hub depends on an external network connection; registry does not

2. Docker Hub is a public registry that anyone can pull from; the private registry is free and secure

Setting up a private Docker registry (registry)

Beware of the latest tag

Don't be misled by the latest tag. latest has no special meaning at all: when no image tag is given, Docker uses the default value latest, nothing more.

Although many repositories on Docker Hub use latest as an alias for the newest stable version, that is only a convention, not a rule.

So when using images it is best to avoid latest and specify a tag explicitly, e.g. httpd:2.3 or ubuntu:xenial.

 

Step 1: pull the registry image

[root@ken1 ~]# docker search registry
[root@ken1 ~]# docker pull registry

 

Step 2: inspect the registry image

 

[root@ken1 ~]# docker history registry
IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
f32a97de94e1        5 months ago        /bin/sh -c #(nop)  CMD ["/etc/docker/registr…   0B                  
<missing>           5 months ago        /bin/sh -c #(nop)  ENTRYPOINT ["/entrypoint.…   0B                  
<missing>           5 months ago        /bin/sh -c #(nop) COPY file:507caa54f88c1f38…   155B                
<missing>           5 months ago        /bin/sh -c #(nop)  EXPOSE 5000                  0B                  
<missing>           5 months ago        /bin/sh -c #(nop)  VOLUME [/var/lib/registry]   0B                  
<missing>           5 months ago        /bin/sh -c #(nop) COPY file:4544cc1555469403…   295B                
<missing>           5 months ago        /bin/sh -c #(nop) COPY file:21256ff7df5369f7…   20.1MB              
<missing>           5 months ago        /bin/sh -c set -ex     && apk add --no-cache…   1.29MB              
<missing>           5 months ago        /bin/sh -c #(nop)  CMD ["/bin/sh"]              0B                  
<missing>           5 months ago        /bin/sh -c #(nop) ADD file:38bc6b51693b13d84…   4.41MB 

A private registry must be bound to a data volume that stores the images (the VOLUME line above)

registry listens on port 5000 (the EXPOSE line above)

 

Step 3: use the registry

[root@ken1 ~]# docker tag busybox 192.168.64.8:5000/busbox:v1
[root@ken1 ~]# docker push 192.168.64.8:5000/busbox:v1
The push refers to repository [192.168.64.8:5000/busbox]
Get https://192.168.64.8:5000/v2/: http: server gave HTTP response to HTTPS client

To use the private registry, first retag the image as host:port/image:tag

But pushing it directly at this point fails with the error shown above

 

Step 4: fix the error above

Add the following line to the Docker daemon configuration file:

[root@ken1 ~]# cat /etc/docker/daemon.json 
{
  "registry-mirrors": ["https://xxx.mirror.aliyuncs.com"],
  "insecure-registries":["192.168.64.8:5000"]
}

The IP address is that of the host on which registry runs

Port 5000 is the port the registry container maps to on the host; it is recommended to map it to exactly port 5000
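The daemon.json edit above is easy to get wrong by hand (clobbering the existing registry-mirrors entry, or writing a URL instead of host:port), and the same entry is needed on every client that pulls from the registry. The following added example, not code from the original notes, merges the entry into a constructed copy of the page's daemon.json and shows which image references the fix actually affects; the error in step 3 appears precisely because the registry host is not yet listed, and the entry then lets dockerd fall back to plain HTTP for that one host:port, so keep the list to that host only.

```python
import ipaddress
import json
# Constructed sample of the /etc/docker/daemon.json shown on this page before the fix
EXISTING_DAEMON_JSON = '{\n  "registry-mirrors": ["https://xxx.mirror.aliyuncs.com"]\n}\n'

def load_daemon_json(text):
    """Parse daemon.json; an empty file is treated as {}."""
    cfg = json.loads(text) if text.strip() else {}
    if not isinstance(cfg, dict):
        raise ValueError("daemon.json must contain a JSON object")
    return cfg

def valid_registry_entry(entry):
    """dockerd accepts host, host:port or a CIDR here; a URL with a scheme is a frequent mistake."""
    if not entry or "://" in entry or any(ch.isspace() for ch in entry):
        return False
    if "/" in entry:  # CIDR form such as 192.168.64.0/24
        try:
            ipaddress.ip_network(entry, strict=False)
            return True
        except ValueError:
            return False
    host, sep, port = entry.partition(":")
    if sep and not (port.isdigit() and 1 <= int(port) <= 65535):
        return False
    return bool(host)

def add_insecure_registry(cfg, registry):
    """Add `registry` to "insecure-registries" without touching other keys; idempotent."""
    if not valid_registry_entry(registry):
        raise ValueError(f"not a host[:port] or CIDR: {registry!r}")
    entries = cfg.setdefault("insecure-registries", [])
    if registry not in entries:
        entries.append(registry)
    return cfg

def registry_of(image_ref):
    """Registry part of an image reference, or None for Docker Hub (first path component counts only if it has '.' or ':' or is 'localhost')."""
    first, sep, _ = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return None

def push_uses_plain_http(cfg, image_ref):
    """True when a push/pull of this reference may fall back to HTTP, i.e. the page's fix is in place
    for that host:port (exact match only; CIDR entries are not expanded here)."""
    reg = registry_of(image_ref)
    return reg is not None and reg in cfg.get("insecure-registries", [])
```

Write the result back with `json.dumps(cfg, indent=2)` and restart dockerd as in step 5; the same function applied on each client host covers the "how do others use the private registry" step further down.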

 

Step 5: restart Docker and the registry container

[root@ken1 ~]# systemctl restart docker
[root@ken1 ~]# docker start d8681dfb9854 

 

Step 6: push again

[root@ken1 ~]# docker push 192.168.64.8:5000/busbox:v1

 

Step 7: check the repository on disk

[root@ken1 ~]# ls /test/docker/registry/v2/repositories/busbox/

 

How do others use the private registry?

Step 1: they also need to add the same line to their daemon.json

"insecure-registries":["192.168.64.8:5000"]

 

Step 2: restart Docker

 

Step 3: pull the image

[root@ken1 ~]# docker pull 192.168.64.8:5000/busbox:v1

 

Summary: how can images be shared?

1. Package the image as a tar archive and share that

2. Push the image to the Alibaba Cloud registry or Docker Hub to share it (Harbor)

3. Push the image to the company's internal private registry to share it

 

 

Container monitoring

weave scope

See the blog post
