摘要

本文部分内容来源于网络，个人收集整理，请勿传播

重新整理docker的基础知识。

docker的安装
被弃用的功能

Docker版本区别

docker CE：社区版本
docker EE：企业版本

Docker环境准备

https://www.cnblogs.com/sparkdev/p/9129334.html

OS 版本要求

系统	要求	备注
centos	需要开启centos-extras，默认开启
Ubuntu	`Cosmic 18.10`、`Bionic 18.04 (LTS)`、`Xenial 16.04 (LTS)`

关闭防火墙和selinux

1
2
3

systemctl disable --now firewalld NetworkManager
setenforce 0
sed -ri '/^[^#]*SELINUX=/s#=.+$#=disabled#' /etc/selinux/config

关闭dnsmasq

linux 系统开启了 dnsmasq 后(如 GUI 环境)，将系统 DNS Server 设置为 127.0.0.1，这会导致 docker 容器无法解析域名，需要关闭它

1	systemctl disable --now dnsmasq

关闭swap

1
2
3

swapoff -a && sysctl -w vm.swappiness=0

sed -ri '/^[^#]*swap/s@^@#@' /etc/fstab

升级系统软件包

yum install epel-release -y
yum install wget git jq psmisc socat pstree tree -y
yum install lvm2 git -y
yum install openssl-devel openssl -y
#yum update -y --exclude=kernel*

开启ipvs以及overlay等

lsmod | grep over
# 临时开启
modprobe overlay
# 所有机器安装ipvs(ipvs性能甩iptables几条街并且排错更直观)
yum install ipvsadm ipset sysstat conntrack libseccomp -y
# ubuntu
# sudo apt-get install -y wget git conntrack ipvsadm ipset jq sysstat curl iptables libseccomp

:> /etc/modules-load.d/ipvs.conf
module=(
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack
br_netfilter
overlay
 )
for kernel_module in ${module[@]};do
 /sbin/modinfo -F filename $kernel_module |& grep -qv ERROR && echo $kernel_module >> /etc/modules-load.d/ipvs.conf || :
done

#for kernel_module in ${module[@]};do
#  /sbin/modinfo -F filename $kernel_module |& grep -qv ERROR && modprobe $kernel_module || :
#done
systemctl enable --now systemd-modules-load.service

上面如果systemctl enable命令报错可以systemctl status -l systemd-modules-load.service看看哪个内核模块加载不了,在/etc/modules-load.d/ipvs.conf里注释掉它再enable试试

升级内核

docker在低版本内核下（包括4.15内核），会存在以下bug

1	kernel:unregister_netdevice: waiting for lo to become free. Usage count = 1

所以为了安全起见，需要升级内核

# 内核依赖perl
[ ! -f /usr/bin/perl ] && yum install perl -y
yum install gcc gcc-c++ -y
yum install bison flex -y
yum install libelf-dev libelf-devel  elfutils-libelf-devel -y

# overlay2需要使用4.0以上版本的内核，如果使用的是RHEL或CentOS，需要3.10.0-514以上版本的内核

# 导入elrepo源
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm

## 查看可用内核版本
yum --disablerepo="*" --enablerepo="elrepo-kernel" list available --showduplicates

## 安装最新内核

yum --disablerepo="*" --enablerepo="elrepo-kernel" list available --showduplicates | grep -Po '^kernel-ml.x86_64\s+\K\S+(?=.el7)'
yum --disablerepo="*" --enablerepo=elrepo-kernel install -y kernel-ml{,-devel}

# 自选安装内核版本

export Kernel_Version=4.18.9-1
wget http://mirror.rc.usf.edu/compute_lock/elrepo/kernel/el7/x86_64/RPMS/kernel-ml{,-devel}-${Kernel_Version}.el7.elrepo.x86_64.rpm
yum localinstall -y kernel-ml*

## centos6
# export k=4.18.20-1
# wget http://mirror.rc.usf.edu/compute_lock/elrepo/kernel/el6/x86_64/RPMS/kernel-ml{,-devel}-${k}.el6.elrepo.x86_64.rpm
# yum localinstall -y kernel-ml*

# 编译安装内核

export KERNEL_VER="4.19.28"
wget https://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VER}.tar.gz
wget https://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/linux-4.19.28.tar.gz

make mrproper
make clean              #这两条用于清除之前编译生成的.ko和.config
make oldconfig          #使用当前的内核配置
make                    #编译，半小时以上是正常的
make modules_install    #把编译出的内核模块复制到/lib/modules/${KERNEL_VERSION}
make install

# 查看内核顺序
awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg

# 修改默认加载内核位置
grub2-set-default 0 && grub2-mkconfig -o /etc/grub2.cfg
## 等同 vim /etc/default/grub GRUB_DEFAULT=saved改为GRUB_0=saved
## grub2-mkconfig -o /boot/grub2/grub.cfg

## 查看确认下是否启动默认内核指向上面安装的内核
grubby --default-kernel

## docker官方的内核检查脚本建议(RHEL7/CentOS7: User namespaces disabled; add ‘user_namespace.enable=1’ to boot command line),使用下面命令开启
grubby --args="user_namespace.enable=1" --update-kernel="$(grubby --default-kernel)"

echo -e 'export PATH="/home/docker/docker_isme/bin:$PATH"' >> /etc/profile
source /etc/profile

创建docker用户

groupadd -g 1001 docker
usermod -G docker work
useradd -g docker -u 1001 docker

dockerd运行用户： root
docker使用用户：work、docker？

systemd管理dockerd ？

需要优化，固定一些内核参数
需要优化和tcp，iptables有关的参数

内核参数优化

cat <<EOF > /etc/sysctl.d/docker.conf
# https://github.com/moby/moby/issues/31208 
# ipvsadm -l --timout
# 修复ipvs模式下长连接timeout问题 小于900即可
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 10

# 禁用ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

net.ipv4.ip_forward = 1
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_timestamps                            = 1
net.ipv4.tcp_fin_timeout                           = 10
net.ipv4.tcp_tw_reuse                              = 1
net.ipv4.tcp_tw_recycle                            = 0
net.ipv4.ip_local_port_range                       = 1024 65535
net.netfilter.nf_conntrack_max                     = 1048576
net.netfilter.nf_conntrack_tcp_timeout_close       = 1
net.netfilter.nf_conntrack_tcp_timeout_close_wait  = 10
net.netfilter.nf_conntrack_tcp_timeout_time_wait   = 30
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.netfilter.nf_conntrack_max = 2310720
fs.inotify.max_user_watches=89100
fs.may_detach_mounts = 1
fs.file-max = 52706963
fs.nr_open = 52706963
net.bridge.bridge-nf-call-arptables = 1
vm.swappiness = 0
vm.overcommit_memory=1
vm.panic_on_oom=0
EOF


sysctl --system

参数备用

net.ipv4.ip_forward                                = 1
net.ipv4.tcp_timestamps                            = 1
net.core.somaxconn                                 = 4096
net.core.rmem_default                              = 262144
net.core.wmem_default                              = 262144
net.core.rmem_max                                  = 16777216
net.core.wmem_max                                  = 16777216
net.ipv4.tcp_rmem                                  = 4096 4096 16777216
net.ipv4.tcp_wmem                                  = 4096 4096 16777216
net.ipv4.tcp_mem                                   = 786432 2097152 3145728
net.ipv4.tcp_max_syn_backlog                       = 16384
net.core.netdev_max_backlog                        = 20000
net.ipv4.tcp_fin_timeout                           = 10
net.ipv4.tcp_tw_reuse                              = 1
net.ipv4.tcp_tw_recycle                            = 0
net.ipv4.tcp_max_tw_buckets                        = 180000
net.ipv4.ip_local_port_range                       = 1024 65535
vm.swappiness                                      = 0
vm.dirty_ratio                                     = 20
vm.dirty_background_ratio                          = 10
vm.overcommit_memory                               = 1
net.netfilter.nf_conntrack_max                     = 1048576
net.netfilter.nf_conntrack_tcp_timeout_close       = 1
net.netfilter.nf_conntrack_tcp_timeout_close_wait  = 10
net.netfilter.nf_conntrack_tcp_timeout_time_wait   = 30

cat <<EOF > /etc/sysctl.d/k8s.conf
# https://github.com/moby/moby/issues/31208 
# ipvsadm -l --timout
# 修复ipvs模式下长连接timeout问题 小于900即可
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 10

# 禁用ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.ip_forward = 1
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.netfilter.nf_conntrack_max = 2310720
fs.inotify.max_user_watches=89100
fs.may_detach_mounts = 1
fs.file-max = 52706963
fs.nr_open = 52706963
net.bridge.bridge-nf-call-arptables = 1
vm.swappiness = 0
vm.overcommit_memory=1
vm.panic_on_oom=0

net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
EOF

环境检查

1 2	curl https://raw.githubusercontent.com/docker/docker/master/contrib/check-config.sh > check-config.sh bash ./check-config.sh

Docker安装

使用脚本安装

需要使用root用户或者sudo权限执行脚本。

$ curl -fsSL https://get.docker.com -o get-docker.sh
$ sudo sh get-docker.sh

# 使用docker官方脚本安装
curl -sSL https://get.docker.com | sh -
curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun


# 使用阿里云源脚本安装
curl -sSL http://acs-public-mirror.oss-cn-hangzhou.aliyuncs.com/docker-engine/internet | sh -

Centos安装

yum install -y yum-utils \
  device-mapper-persistent-data \
  lvm2
yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo

# 使用阿里yum源
yum-config-manager \
    --add-repo \
    http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

yum install docker-ce docker-ce-cli containerd.io
# 安装指定版本
# yum install docker-ce-<VERSION_STRING> docker-ce-cli-<VERSION_STRING> containerd.io

Ubuntu安装

# 更新apt包索引：
$ sudo apt-get update

# 安装包以允许apt通过HTTPS使用存储库：
$ sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common

# 添加Docker的官方GPG密钥：
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

$ sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
   $(lsb_release -cs) \
   stable"
$ sudo apt-get install docker-ce docker-ce-cli containerd.io
# $ sudo apt-get install docker-ce=<VERSION_STRING> docker-ce-cli=<VERSION_STRING> containerd.io

二进制安装

#!/bin/sh

usage(){
  echo "Usage: $0 FILE_NAME_DOCKER_CE_TAR_GZ"
  echo "       $0 docker-18.03.0--ce.tgz"
  echo "Get docker-ce binary from: https://download.docker.com/linux/static/stable/x86_64/"
  echo "eg: wget https://download.docker.com/linux/static/stable/x86_64/docker-18.03.0--ce.tgz"
  echo ""
}
SYSTEMDDIR=/usr/lib/systemd/system
SERVICEFILE=docker.service
DOCKERDIR=/usr/bin
DOCKERBIN=docker
SERVICENAME=docker

if [ $# -ne 1 ]; then
  usage
  exit 1
else
  FILETARGZ="$1"
fi

if [ ! -f ${FILETARGZ} ]; then
  echo "Docker binary tgz files does not exist, please check it"
  echo "Get docker-ce binary from: https://download.docker.com/linux/static/stable/x86_64/"
  echo "eg: wget https://download.docker.com/linux/static/stable/x86_64/docker-18.03.0--ce.tgz"
  exit 1
fi

echo "##unzip : tar xvpf ${FILETARGZ}"
tar xvpf ${FILETARGZ}
echo

echo "##binary : ${DOCKERBIN} copy to ${DOCKERDIR}"
cp -p ${DOCKERBIN}/* ${DOCKERDIR} >/dev/null 2>&1
which ${DOCKERBIN}

echo "##systemd service: ${SERVICEFILE}"
echo "##docker.service: create docker systemd file"
cat >${SYSTEMDDIR}/${SERVICEFILE} <<EOF
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target docker.socket
[Service]
Type=notify
EnvironmentFile=-/run/flannel/docker
WorkingDirectory=/usr/local/bin
ExecStart=/usr/bin/dockerd \
                -H tcp://0.0.0.0:4243 \
                -H unix:///var/run/docker.sock \
                --selinux-enabled=false \
                --log-opt max-size=1g
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF

echo ""

systemctl daemon-reload
echo "##Service status: ${SERVICENAME}"
systemctl status ${SERVICENAME}
echo "##Service restart: ${SERVICENAME}"
systemctl restart ${SERVICENAME}
echo "##Service status: ${SERVICENAME}"
systemctl status ${SERVICENAME}

echo "##Service enabled: ${SERVICENAME}"
systemctl enable ${SERVICENAME}

echo "## docker version"
docker version

版本

export VERSION="18.06.3-ce"
export WORKDIR="/home/work"
export DOCKERDIR="${WORKDIR}/docker_isme"
export COMPOSE_VERSION="1.23.2"

mkdir -p ${DOCKERDIR}/{bin,conf,logs,sbin,data}

wget https://download.docker.com/linux/static/stable/x86_64/docker-${VERSION}.tgz -O ${DOCKERDIR}/docker-${VERSION}.tgz

curl -L https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` -o ${DOCKERDIR}/bin/docker-compose
chmod +x ${DOCKERDIR}/bin/docker-compose

升级runc

由于runc近期爆发严重漏洞，需要进行升级，建议下载docker18.09以上升级包，替换当前版本的runc即可。

二进制启动文件

#!/bin/sh
# author: wangping01_isme
# 用于管理dockerd_isme

#debug
#set -x
#check unbound variables
#set -u
# Scripts PATH enviroment
BASEDIR=$( dirname $(cd $(dirname $0); pwd))
export PATH="/usr/bin:/bin:/usr/sbin:/sbin:${BASEDIR}/bin"
# disable core dump
ulimit -c 0
# return value
RETVAL=0

# node_exporter general config
PROG="dockerd"
USER="root"
LOGLEVEL="info"
#BASEDIR=${SYMLINK:-/usr/sbin/node_exporter}
DAEMON="${BASEDIR}/bin/${PROG}"
CONFIG="${BASEDIR}/conf/daemon.json"
LOGFILE="${BASEDIR}/logs/${PROG}.log"
# nginx start timeout milliscond
STARTTIME=10000
# nginx stop timeout milliscond
STOPTIME=10000

color_msg(){
    local COLOR=$1
    local MSG=$2
    OFFSET="\033[80G"
    NORMAL="\033[0m"
    case $COLOR in
        red)
            COLOR="\033[1;40;31m"
            ;;
        green)
            COLOR="\033[1;40;32m"
            ;;
        yellow)
            COLOR="\033[1;40;33m"
            ;;
        *)
            COLOR="\033[0m"
            ;;
    esac
    echo -en "$OFFSET [$COLOR $MSG $NORMAL"
    echo     "]"
}

start() {
    echo -n "Starting $PROG : "
    PROC_PID=$(pgrep -P 1 -u $USER ^$PROG)
    if [ -n "$PROC_PID" ]; then
        echo -n "is already running."
        color_msg yellow WARNING
    else
        nohup $DAEMON  --config-file ${CONFIG} &> ${LOGFILE} &
        if [  $? -eq 0 ]; then
            color_msg green SUCCESS
        else
            color_msg red FAILED && exit 1
        fi
    fi
}

stop() {
    echo -n "Stopping $PROG : "
    PROC_PID=$(pgrep -P 1 -u $USER ^$PROG)
    if [ -z "$PROC_PID" ]; then
        echo -n "is not running."
        color_msg yellow WARNING
    else
        kill -TERM ${PROC_PID} >/dev/null 2>&1
	#/bin/kill -s HUP $MAINPID
        while [ "$STOPTIME" -gt 0 ]; do
            kill -0 ${PROC_PID} >/dev/null 2>&1 || break
            STOPTIME=$(($STOPTIME-1))
            echo -n "." && sleep 0.001s
        done
        if [ "$STOPTIME" -le 0 ]; then
            color_msg red TIMEOUT && exit 1
        else
            color_msg green SUCCESS
        fi
	fi
}

restart() {
        echo -n "Restart $PROG : "
        echo
        echo -en "\t" && stop
        echo -en "\t" && start
}

reload() {
    echo -n "Reloading $PROG : "
	PROC_PID=$(pgrep -P 1 -u $USER ^$PROG)
	if [ -n "$PROC_PID" ]; then
	    kill -HUP ${PROC_PID} >/dev/null 2>&1
        if [  $? -eq 0 ]; then
            color_msg green SUCCESS
        else
            color_msg red FAILED && exit 1
        fi
	else
        echo -n "is not running."
        color_msg yellow WARNING
    fi
}

status() {
    PROC_PID=$(pgrep -P 1 -u $USER ^$PROG)
    if [ -z "$PROC_PID" ];then
        echo "$PROG is stopped"
        exit 3
    else
        echo "$PROG (pid $PROC_PID) is running..."
        exit 0
    fi
}

init_config() {
    if [ -f "${CONFIG}" ];then
        echo "${CONFIG} already exists!"
    else
        data_root="${BASEDIR}/data/container"
        exec_root="${BASEDIR}/data/bootstrap"
        pidfile="${BASEDIR}/data/docker.pid"
        docker_init="${BASEDIR}/bin/docker-init"
cat > ${CONFIG} << E0F
{
    "data-root": "${data_root}",
    "exec-opts": [],
    "exec-root": "${exec_root}",
    "experimental": false,
    "storage-driver": "overlay2",
    "storage-opts": [
        "overlay2.override_kernel_check=true"
    ],
    "labels": [],
    "live-restore": true,
    "log-driver": "json-file",
    "log-opts": {
        "labels": "io.isme.log",
        "max-size": "1g",
        "max-file": "100"
    },
    "pidfile": "${pidfile}",
    "max-concurrent-downloads": 3,
    "max-concurrent-uploads": 3,
    "debug": false,
    "hosts": [
        "unix:///var/run/docker.sock",
        "tcp://127.0.0.1:2376"
    ],
    "log-level": "info",
    "default-ulimits": {
        "nofile": {
            "Name": "nofile",
            "Hard": 10240,
            "Soft": 10240
        }
    },
    "init": true,
    "init-path": "${docker_init}",
    "bip": "192.168.1.1/16",
    "registry-mirrors": [
        "https://registry.docker-cn.com"
    ],
    "insecure-registries": [
        "https://r.isme.pub"
    ]
}
E0F
    fi
}

case C"$1" in
    Cinit)
        init_config
        ;;
    Cstart)
        init_config
        start
        ;;
    Cstop)
        stop
        ;;
    Creload)
        reload
        ;;
    Crestart)
        restart
        ;;
    Cstatus)
        status
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|reload|status|init_config}"
        exit 3
        ;;
esac

配置文件

cat daemon.json
{
    "data-root": "/home/docker/docker_isme/data/container",
    "exec-opts": [],
    "exec-root": "/home/docker/docker_isme/data/bootstrap",
    "experimental": false,
    "storage-driver": "overlay2",
    "storage-opts": [
        "overlay2.override_kernel_check=true"
    ],
    "labels": [],
    "live-restore": true,
    "log-driver": "json-file",
    "log-opts": {
        "labels": "io.isme.log",
        "max-size": "1g",
        "max-file": "100"
    },
    "pidfile": "/home/docker/docker_isme/data/docker.pid",
    "max-concurrent-downloads": 3,
    "max-concurrent-uploads": 3,
    "debug": false,
    "hosts": [
        "unix:///var/run/docker.sock",
        "tcp://127.0.0.1:2376"
    ],
    "log-level": "info",
    "default-ulimits": {
        "nofile": {
            "Name": "nofile",
            "Hard": 10240,
            "Soft": 10240
        }
    },
    "init": true,
    "init-path": "/home/docker/docker_isme/bin/docker-init",
    "bip": "192.168.1.1/16",
    "registry-mirrors": [
        "https://registry.docker-cn.com"
    ],
    "insecure-registries": [
        "https://r.isme.pub"
    ]
}

systemd启动文件

cat > /usr/lib/systemd/system/docker.service <<"EOF"
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io
[Service]
Environment="PATH=/usr/local/bin:/bin:/sbin:/usr/bin:/usr/sbin"
EnvironmentFile=-/run/flannel/docker
ExecStart=/usr/local/bin/dockerd --log-level=error $DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
RestartSec=5
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
Delegate=yes
KillMode=process

[Install]
WantedBy=multi-user.target
EOF

1	nohup dockerd --config-file conf/daemon.json &> logs/dockerd.log &

开启docker命令补全

1
2
3

# yum安装，二进制安装的命令补全待有空补充
yum install -y  bash-completion && cp /usr/share/bash-completion/completions/docker /etc/bash_completion.d/
systemctl enable --now docker

后续配置

详细配置可参考 docker基础-dockerd守护进程

{
    "data-root": "/data/docker",
    "exec-opts": [],
    "exec-root": "/data/lib/docker",
    "experimental": false,
    #--metrics-addr
    "storage-driver": "overlay2",
    "storage-opts": [
        "overlay2.override_kernel_check=true"
    ],
    "labels": [],
    "live-restore": true,
    "log-driver": "json-file",
    "log-opts": {
        "labels": "io.isme.log",
        "max-size": "1g",
        "max-file": "100"
    },
    "pidfile": "/data/docker/docker.pid",
    "max-concurrent-downloads": 3,
    "max-concurrent-uploads": 3,
    "debug": false,
    "hosts": [
        "fd://",
        "unix:///var/run/docker.sock",
        "tcp://127.0.0.1:2376",
    ],
    "log-level": "info",
    "default-ulimits": {
        "nofile": {
            "Name": "nofile",
            "Hard": 64000,
            "Soft": 64000
        }
    },
    "init": true,
    "init-path": "/usr/libexec/docker-init",
    "bip": "192.168.1.1/16",
    "registry-mirrors": [
        "https://registry.docker-cn.com"
    ],
    "insecure-registries": [
        "https://r.isme.com"
    ]
}

设置非root用户管理docker

Docker守护进程监听默认绑定到Unix socket上而不是绑定到tcp端口。而socket默认只有root用户权限，其他用户只能通过sudo权限来使用socket，因此Docker守护进程只能以root用户身份来运行。

如果您不想在docker命令前加上sudo，可以创建一个docker用户组，并向其添加用户。当Docker守护程序启动时，它会创建一个可由该docker组成员访问的Unix socket。

1 2	groupadd docker usermod -aG docker $USER

镜像加速

从国内访问国外的docker镜像仓库有时候网络是个很严重的问题，因此我们可以采用一些国内的镜像仓库来进行加速

阿里云提供的镜像加速
docker官方国内镜像加速

1
2
3

{
  "registry-mirrors": ["https://registry.docker-cn.com"]
}

存储驱动选型

docker基础-存储驱动

配置lvm

lvm配置主要用于devicemapper存储驱动，也可以用于其他的存储驱动

yum -y install lvm2

# Docker Storage Driver 23
export DEVICE_NAME=/dev/xvdb
export VG_NAME=docker

mkfs.ext4 ${DEVICE_NAME}

pvcreate ${DEVICE_NAME}
vgcreate ${VG_NAME} ${DEVICE_NAME}

echo "activation {
    thin_pool_autoextend_threshold=80
    thin_pool_autoextend_percent=20
}" > /etc/lvm/profile/docker-thinpool.profile 

lvcreate -y --wipesignatures y -n thinpool ${VG_NAME} -l 38%VG 
lvcreate -y --wipesignatures y -n thinpoolmeta ${VG_NAME} -l 1%VG

# 用于devicemapper
lvconvert -y --zero n -c 512K --thinpool ${VG_NAME}/thinpool --poolmetadata ${VG_NAME}/thinpoolmeta

lvchange -y --metadataprofile docker-thinpool ${VG_NAME}/thinpool

lvcreate -y --wipesignatures y -n bootstrap ${VG_NAME} -l 40%VG
lvcreate -y --wipesignatures y -n data ${VG_NAME} -l 20%VG

mkfs.ext4 /dev/mapper/docker-data
mount /dev/mapper/docker-data /data

mkfs.ext4 /dev/mapper/docker-bootstrap
mount /dev/mapper/docker-bootstrap /var/lib/docker

echo -e "/dev/mapper/docker-data /data ext4 defaults 0 0" >> /etc/fstab
echo -e "/dev/mapper/docker-bootstrap /var/lib/docker ext4 defaults 0 0" >> /etc/fstab
# 注意，如果需要为 /var/lib/docker 创建 data 逻辑卷，需要重置 Docker，且，重新生成 thinpool，一个 thinpool 只能被一个 docker daemon 使用。

已经废弃的docker功能

以下功能已经不推荐在docker中使用，并且一些功能已经在版本迭代中删除，由于docker近几年发展迅速，这部分内容最好有一些了解

存储驱动的选择

overlay将在v18.09.0版本中弃用，可以使用overlay2来取代overlay
- overlay可以在4.x之前的内核上使用overlayFS文件系统。而现在所有的发行版都能够运行overlay2 （因为它们在内核4.x上，或者支持多个后向后移）
- overlay2解决了overlay会导致inode占用过多的问题
devicemapper将在v18.09.0版本中弃用，可以使用overlay2取代devicemapper

引擎标签中保留的namespace

保留的namespace：com.docker.*, io.docker.*, and org.dockerproject.*
- 现在个人使用这些标签会在log中提示warn
- 18.12 版本会开始报错

异步`service create` and `service update`

v17.05.0版本添加新的选项--detach=false，默认让service create and service update同步工作
v17.10版本将改为使用--detach选项让service create and service update异步工作
- 这个选项也会影响docker service rollback and docker service scale

Top-level network properties in NetworkSettings

v1.13.0版本中弃用，v17.12版本中删除

Deprecated In Release: v1.13.0

Target For Removal In Release: v17.12

When inspecting a container, NetworkSettings contains top-level information about the default (“bridge”) network;

EndpointID, Gateway, GlobalIPv6Address, GlobalIPv6PrefixLen, IPAddress, IPPrefixLen, IPv6Gateway, and MacAddress.

These properties are deprecated in favor of per-network properties in NetworkSettings.Networks. These properties were already “deprecated” in docker 1.9, but kept around for backward compatibility.

Refer to #17538 for further information.

`filter param for /images/json endpoint`

v1.13.0版本中弃用，v17.12版本中删除

Deprecated In Release: v1.13.0

Target For Removal In Release: v17.12

The filter param to filter the list of image by reference (name or name:tag) is now implemented as a regular filter, named reference.

`overlay2`在`xfs`系统中的`d_type`

v1.13.0版本中弃用，v17.12版本中删除
如果支持文件系统不支持d_type，那么overlay和overlay2存储驱动程序就不能正常工作。例如，如果XFS使用ftype=0选项格式化，则不支持d_type。

通过api启动容器时的HostConfig

v1.10.0版本中弃用，v1.12.0版本中删除
不推荐POST /containers/{name}/start
推荐POST /containers/create

`docker ps`的选项`--before`,`--since`

v1.10.0版本中弃用，v1.12.0版本中删除
使用docker ps --filter=before=...，docker ps --filter=since=...替代这两个参数

`docker search`的选项`--automated`,`--stars`

v1.12.0版本中弃用，v17.09版本中删除
使用docker search --filter=is-automated=...，docker search --filter=stars=...替代这两个参数

命令行参数

v1.8.0版本中弃用， v1.10.0版本中删除
用daemon取代-d,--daemon
用--help取代-help
帮助信息使用--help，不要使用-h
用--opt替代-opt选项，涉及到的命令行参数如下

docker attach -nostdin
docker attach -sig-proxy
docker build -no-cache
docker build -rm
docker commit -author
docker commit -run
docker events -since
docker history -notrunc
docker images -notrunc
docker inspect -format
docker ps -beforeId
docker ps -notrunc
docker ps -sinceId
docker rm -link
docker run -cidfile
docker run -dns
docker run -entrypoint
docker run -expose
docker run -link
docker run -lxc-conf
docker run -n
docker run -privileged
docker run -volumes-from
docker search -notrunc
docker search -stars
docker search -t
docker search -trusted
docker tag -force

以下参数已弃用

docker run --cpuset
docker run --networking
docker ps --since-id
docker ps --before-id
docker search --trusted

ENV中的密码环境变量

DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE 重命名为DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE
DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE 重命名为DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE

其他

docker commit的参数用--changes替换--run
弃用v1版本仓库接口--disable-legacy-registry=false
标签的key冲突将导致报错，当设置重复的标签时，护进程将无法启动。
DOCKERFILE中的MAINTAINER弃用
弃用不带版本号的api调用
repository:shortid弃用
docker守护进程功能移动到独立的二进制文件dockerd中
-g 和 --graph选项在v17.05.0版本不推荐使用，推荐使用--data-root替代这个选项
- 这个选项暂时不会移除，只是会隐藏，有可能在后续版本充移除
docker import的参数格式file|URL|- [REPOSITORY [TAG]]已经移除
移除docker login的--email和-e参数
docker run的参数--security-opt的分隔符从:统一为=
使用/containers/(id or name)/archive替代/containers/(id or name)/copy
api中的ID, Statu, From字段弃用，用更加丰富的参数取代这些字段
弃用docker tag的-f参数
弃用日志标签syslog-tag,gelf-tag,fluentd-tag
- 用通用的tag标签来替代

1	docker --log-driver=syslog --log-opt tag="{{.ImageName}}/{{.Name}}/{{.ID}}"

移除内置的LXC-exec驱动、 lxc-conf 以及api
--api-cors-header替换--api-enable-cors
--disable-legacy-registry已删除

摘要