
docker cgroup - [docker cookbook] reading notes 2

Control Groups (cgroups) provide resource limitations and accounting for containers. From the Linux Kernel documentation:

Control Groups provide a mechanism for aggregating/partitioning sets
of tasks, and all their future children, into hierarchical groups with
specialized behaviour.

In simple terms, they can be compared to the ulimit shell command or the setrlimit system call. Instead of setting a resource limit on a single process, cgroups allow resources to be limited for a whole group of processes.

Control groups are split into different subsystems, such as CPU, CPU sets, memory, block I/O, and so on. Each subsystem can be used independently or can be grouped with others. The features that cgroups provide are:

  1. Resource limiting: For example, one cgroup can be bound to specific
    CPUs, so all processes in that group would run on the given CPUs only
  2. Prioritization: Some groups may get a larger share of CPUs
  3. Accounting: You can measure the resource usage of different
    subsystems for billing
  4. Control: Freezing and restarting groups

Some of the subsystems that can be managed by cgroups are as follows:

  • blkio: It sets I/O access to and from block devices such as disks,
    SSDs, and so on
  • cpu: It limits access to the CPU
  • cpuacct: It reports CPU resource utilization
  • cpuset: It assigns the CPUs on a multicore system to tasks in a
    cgroup
  • devices: It controls device access for the tasks in a cgroup
  • freezer: It suspends or resumes tasks in a cgroup
  • memory: It sets limits on memory use by tasks in a cgroup

There are multiple ways to work with cgroups. Two of the most popular ones are accessing the cgroup virtual filesystem manually and accessing it through the libcgroup library.
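The manual route mentioned above, driving the memory controller through the cgroup v1 virtual filesystem, as an added example that is not from the Docker Cookbook. It assumes the legacy hierarchy mounted at /sys/fs/cgroup/memory (cgroup v2 exposes memory.max instead), a cgroup named "demo", and the to_bytes helper defined here; run it stand-alone for a dry run, or with DRY_RUN=0 as root to apply the limit.

```shell
#!/bin/sh
# Added example (not from the Docker Cookbook): limiting a process group's
# memory by writing to the cgroup v1 virtual filesystem directly.
# Assumptions: /sys/fs/cgroup/memory hierarchy, cgroup name "demo".

# Convert a human-readable size such as 256m or 1g to bytes.
to_bytes() {
  n=${1%[kKmMgG]}
  case "$1" in
    *[kK]) echo $((n * 1024)) ;;
    *[mM]) echo $((n * 1024 * 1024)) ;;
    *[gG]) echo $((n * 1024 * 1024 * 1024)) ;;
    *)     echo "$n" ;;
  esac
}

# Read the limit the kernel actually applies to a cgroup directory.
cgroup_mem_limit() {
  cat "$1/memory.limit_in_bytes"
}

# Create a cgroup, apply a memory limit, and move a PID into it.
# With DRY_RUN=1 (the default) the steps are only printed; set DRY_RUN=0
# and run as root to apply them. CGROUP_ROOT can point at another hierarchy.
cgroup_limit_pid() {
  name=$1; limit=$2; pid=$3
  root=${CGROUP_ROOT:-/sys/fs/cgroup/memory}
  dir="$root/$name"
  bytes=$(to_bytes "$limit")
  if [ "${DRY_RUN:-1}" = 1 ]; then
    echo "dry run: mkdir -p $dir"
    echo "dry run: echo $bytes > $dir/memory.limit_in_bytes"
    echo "dry run: echo $pid > $dir/tasks"
    return 0
  fi
  mkdir -p "$dir"
  echo "$bytes" > "$dir/memory.limit_in_bytes"   # the limit for the whole group
  echo "$pid" > "$dir/tasks"                     # attach the process and its future children
  echo "pid $pid now limited to $(cgroup_mem_limit "$dir") bytes"
}

# Stand-alone run: show the steps for limiting the current shell to 256 MiB.
cgroup_limit_pid demo 256m $$
```

Every child forked by the attached process inherits the cgroup, which is exactly the "all their future children" behaviour from the kernel quote; docker run -m does the same thing for a container under a docker/<container id> directory of this hierarchy.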

docker namespace

There are different types of namespaces and each one of them isolates applications from each other. They are created using the clone system call. One can also attach to existing namespaces.

  1. The pid namespace allows each container to have its own process
    numbering. Each pid forms its own process hierarchy. A parent
    namespace can see the children namespaces and affect them, but a
    child can neither see the parent namespace nor affect it.
  2. The net namespace allows us to have different network interfaces on
    each container, like port. Each net namespace has its own routing
    table and firewall rules.
  3. The ipc namespace separates IPC (Inter Process Communication) between
    the processes of different containers.
  4. With the mnt namespace, a container can have its own set of mounted
    filesystems and root directory, an enhancement over chroot.
  5. With uts namespace, we can have different hostnames for each
    container.
  6. With user namespace support, we can have users who have a nonzero ID
    on the host but can have a zero ID inside the container.

There are ways to share namespaces between the host and a container, and between two containers.

Excerpted from the book Docker Cookbook, Chapter 1 Introduction and Installation, Section 1 Introduction

[using docker] reading notes 4

  1. It’s important to set the USER statement in all your Dockerfiles (or change user within any ENTRYPOINT / CMD scripts). If you don’t do this, your processes will be running as root within the container. As UIDs are the same within a container and on the host, should an attacker manage to break the container, they will have root access to the host machine.

  2. Check the CPU, memory and network usage of containers:
    docker stats $(docker inspect -f {{.Name}} $(docker ps -q))

  3. cAdvisor aggregates and processes various stats and also makes these available through a REST API, for further processing and storage.
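A check for the USER point in item 1, as an added example that is not from the book: dockerfile_effective_user prints the account the image's processes start as, "root" when no USER instruction exists, and dockerfile_runs_as_nonroot turns that into a pass/fail. The three Dockerfiles it inspects are constructed samples; the account name "app", the image "myapp" and the paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): audit Dockerfiles for a missing or
# root USER instruction. Sample Dockerfiles below are constructed.

# Last USER instruction wins; Docker's default when none is given is root.
dockerfile_effective_user() {
  user=$(grep -i '^[[:space:]]*USER[[:space:]]' "$1" | tail -n 1 | awk '{print $2}')
  echo "${user:-root}"
}

# Succeed (exit 0) only when the image would run as a non-root user.
dockerfile_runs_as_nonroot() {
  case "$(dockerfile_effective_user "$1")" in
    root|root:*|0|0:*) return 1 ;;
    *) return 0 ;;
  esac
}

SAMPLES=$(mktemp -d)

# Constructed sample: no USER, so the process runs as uid 0 in the container,
# which is uid 0 on the host as well.
cat > "$SAMPLES/Dockerfile.bad" <<'EOF'
FROM debian:8
COPY myapp /usr/local/bin/myapp
CMD ["/usr/local/bin/myapp"]
EOF

# Constructed sample: a dedicated unprivileged account created in the image.
cat > "$SAMPLES/Dockerfile.good" <<'EOF'
FROM debian:8
RUN groupadd -r app && useradd -r -g app -s /usr/sbin/nologin app
COPY myapp /usr/local/bin/myapp
USER app
CMD ["/usr/local/bin/myapp"]
EOF

# Constructed sample: a numeric uid:gid also works and needs no /etc/passwd entry.
cat > "$SAMPLES/Dockerfile.uid" <<'EOF'
FROM debian:8
COPY myapp /usr/local/bin/myapp
USER 1000:1000
CMD ["/usr/local/bin/myapp"]
EOF

# Stand-alone run: report each sample.
for f in "$SAMPLES"/Dockerfile.*; do
  if dockerfile_runs_as_nonroot "$f"; then verdict=ok; else verdict="RUNS AS ROOT"; fi
  echo "$(basename "$f"): USER=$(dockerfile_effective_user "$f") -> $verdict"
done
```

The check only looks at the Dockerfile; docker run -u can still override the user at start time, and user namespaces (see the namespace notes above) are the other way to keep uid 0 inside the container from being uid 0 on the host.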

Docker daemon listening on a TCP port, remote API calls

By default, the Docker daemon listens on the local unix:///var/run/docker.sock and only accepts connections from a docker client run by the local root user. To connect remotely, it must listen on a TCP port.

The Docker daemon can be set at startup to listen on a TCP port, on the IPC socket, or on both.

  • First check whether the Docker daemon is already listening (ps -aux | grep docker);
  • If it is running, shut it down first (service docker stop);
  • Start it again, listening on tcp and the socket at the same time (sudo docker -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock -d &);
    official documentation on configuring the Docker daemon: http://docs.docker.com/articles/basics/
    as in the screenshot below:
    [screenshot: Screen Shot 2015-07-12 at 12.12.17 PM.png]

Check the process status again; the Docker daemon is up, so it can now be reached remotely over http:
http://docker.tianxiaohui.com:2375/containers/json?all=1 (lists all containers)

Using a RESTful client, start a container; a 204 is returned here, which means no error occurred.
[screenshot: Screen Shot 2015-07-12 at 2.30.33 PM.png]

Official documentation on the Docker remote API: http://docs.docker.com/reference/api/docker_remote_api/
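A daemon bound to tcp://0.0.0.0:2375 as above answers the remote API to anyone who can reach the port, and that API is root-equivalent on the host, which is why the official daemon documentation linked above pairs TCP with --tlsverify. As an added example, not from the post: the same daemon start with TLS client-certificate verification, the same /containers/json?all=1 query over TLS, and an audit that classifies process-list lines so an exposed daemon shows up. The certificate paths, port 2376 and the docker -d form from the time of the post (later releases use dockerd) are assumptions; the process-list sample is constructed.

```shell
#!/bin/sh
# Added example (not from the post): TLS-protected daemon start and an audit
# of process-list lines for TCP listeners without --tlsverify.
# Assumptions: certs under /etc/docker and ~/.docker, port 2376.

# Listen on TCP only behind --tlsverify: every client must present a
# certificate signed by ca.pem, so the API is no longer open to anyone who
# can reach the port.
start_docker_daemon_tls() {
  sudo docker -d \
    --tlsverify \
    --tlscacert=/etc/docker/ca.pem \
    --tlscert=/etc/docker/server-cert.pem \
    --tlskey=/etc/docker/server-key.pem \
    -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock &
}

# The same query as above (GET /containers/json?all=1), over TLS with a client cert.
list_containers_tls() {
  host=$1; certs=${CERT_DIR:-$HOME/.docker}
  curl --cacert "$certs/ca.pem" --cert "$certs/cert.pem" --key "$certs/key.pem" \
    "https://$host:2376/containers/json?all=1"
}

# Classify one line of `ps` output:
#   not-daemon       not a daemon invocation
#   unix-only        daemon reachable through the socket only
#   tcp-with-tls     TCP listener protected by --tlsverify
#   tcp-without-tls  TCP listener with no authentication at all
audit_daemon_line() {
  case "$1" in
    *dockerd*|*docker*" -d"*|*docker*" --daemon"*) ;;
    *) echo not-daemon; return 0 ;;
  esac
  case "$1" in
    *tcp://*)
      case "$1" in
        *--tlsverify*) echo tcp-with-tls ;;
        *)             echo tcp-without-tls ;;
      esac ;;
    *) echo unix-only ;;
  esac
}

# Run the check against the live process list.
audit_running_daemons() {
  ps -eo args | while IFS= read -r line; do
    echo "$(audit_daemon_line "$line")  $line"
  done
}

# Constructed sample of `ps` output for a stand-alone run.
SAMPLE_PS='root 1234 docker -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock -d
root 1235 docker -d --tlsverify --tlscacert=/etc/docker/ca.pem -H tcp://0.0.0.0:2376
root 1236 docker -d
user 2000 grep docker'

printf '%s\n' "$SAMPLE_PS" | while IFS= read -r line; do
  echo "$(audit_daemon_line "$line")  $line"
done
```

With --tlsverify in place the docker client needs the matching flags (docker --tlsverify --tlscacert=... --tlscert=... --tlskey=... -H tcp://host:2376 ps), and the plain http URL from the post stops working, which is the intended outcome.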

Using Docker [reading notes] 3: docker commands

docker run

--restart can be no | always | on-failure:10, so automatic restart can be configured
--rm automatically remove the container when it exits;
-e, --env set an environment variable
--env-file set environment variables from a file
-h, --hostname
--name NAME
-v, --volume
--volumes-from
--expose
--link
-p, --publish publish a port; if none is given, an unused one is picked at random
-P, --publish-all
--add-host Adds the given IP and hostname mapping to /etc/hosts in the container.
--dns use a custom DNS server
--mac-address set the MAC address
--net set the network mode: bridge | none | container | host
-c, --cpu-shares CPU share
--cap-add / --cap-drop add or remove a Linux capability
--cpuset which CPUs may be used
--device give the container access to a specific hardware device, such as a disk, printer or sound card
-m, --memory set the memory limit
--entrypoint override ENTRYPOINT
-u, --user override USER
-w, --workdir
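The flags above decide how much of the host a container can reach: --net host (and --net container:<id>) shares a network namespace with the host or another container, which is the namespace sharing the cookbook notes mention; --cap-add widens what uid 0 in the container may do; --device hands over host hardware; -u, -m, -c and --cpuset are the user and cgroup limits. As an added example, not from the book: a least-privilege docker run built only from those flags, and an audit that lists which of the widening settings a given command line carries. The image name, capability, ports and the sample command lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the book): least-privilege `docker run` and an
# audit of run command lines. Image, capability and samples are constructed.

# Drop every capability, add back only the one the service needs (binding
# port 80 as a non-root uid), run as an unprivileged uid, and bound CPU and
# memory through the cgroup flags. --cpuset is the flag name of the time;
# later releases call it --cpuset-cpus.
run_least_privilege() {
  docker run --rm \
    -u 1000:1000 \
    --cap-drop ALL --cap-add NET_BIND_SERVICE \
    -m 256m -c 512 --cpuset 0 \
    --net bridge -p 8080:80 \
    myapp:1.0
}

# Print a space-separated list of findings for one `docker run` command line;
# an empty string means none of the checks fired.
audit_run_cmd() {
  cmd=$1; findings=""
  case "$cmd" in *"--net host"*|*"--net=host"*) findings="$findings net-host" ;; esac
  case "$cmd" in
    *"--cap-add"*) case "$cmd" in *"--cap-drop"*) ;; *) findings="$findings cap-add-without-drop" ;; esac ;;
  esac
  case "$cmd" in *"--device"*) findings="$findings device" ;; esac
  case "$cmd" in *" -u "*|*"--user"*) ;; *) findings="$findings no-user" ;; esac
  case "$cmd" in *" -m "*|*"--memory"*) ;; *) findings="$findings no-memory-limit" ;; esac
  echo "${findings# }"
}

# Constructed command lines for a stand-alone run.
for cmd in \
  'docker run --net host --cap-add NET_ADMIN --device /dev/sda nginx' \
  'docker run --rm -u 1000:1000 --cap-drop ALL --cap-add NET_BIND_SERVICE -m 256m myapp:1.0'
do
  echo "$cmd"
  echo "  findings: $(audit_run_cmd "$cmd")"
done
```

The audit is a string check on the command line, so it is meant for reviewing run scripts and shell history, not as a substitute for docker inspect on the running container.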

Managing containers

    docker attach [OPTIONS] CONTAINER
    docker create  create a container from an image without running it; it can be run later with docker start
    docker cp  copy a file or directory from the container to the host
    docker exec  run a command inside the container
    docker kill  kill the container's main process (PID 1)
    docker pause  / docker unpause  freeze/unfreeze all processes in the container
    docker rename  rename a container
    docker restart  = docker stop; docker start
    docker rm   remove one or more containers. -f forces removal of running ones, -v removes the associated volumes

Container-related commands

    docker diff  show the changes made to the container's filesystem since the image
    docker events   print real-time event information
    docker inspect   show details of an image or container
    docker logs    show the container's STDOUT and STDERR
    docker port    show the container's port mappings
    docker ps  show high-level information on running or stopped containers; -q returns only container ids, usually for feeding into other commands
    docker top  like top, but restricted to this container, i.e. the processes inside the container

Image-related commands

    docker build  build an image from a Dockerfile
    docker commit  create an image from a container. Creating an image from a running container may pause it; --pause=false can be set to avoid this
    docker history  Outputs information on each of the layers in an image.
    docker images  list local images
    docker rmi   delete a local image
    docker tag   tag an image

Registry-related commands (.dockercfg in your home directory)

    docker login 
    docker logout
    docker push
    docker search