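Preface
Docker is an open-source containerization technology whose core purpose is to solve the problems of environment consistency, isolation and efficiency in application development, deployment and operation. This article explains in detail how to install and configure Docker on the KylinSec operating system and how to resolve common problems. It uses KylinSec-Server-3.6.1 and the root user throughout.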
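Docker overview
1. Advantages of Docker
Isolation: each container is independent and does not interfere with the others, which keeps applications secure and stable.
Portability: containers can run in any environment that supports Docker, with no need to worry about environment differences.
Fast deployment: containers start and stop extremely quickly, which greatly improves development and deployment efficiency.
High resource utilization: multiple containers can share the host's operating system kernel, reducing wasted resources.
Containers vs. virtual machines: a traditional virtual machine needs a complete operating system, whereas Docker containers share the host kernel, which makes them lightweight and efficient (startup takes only seconds!).
2. Relationship between images and containers
Image: a read-only template (similar to an "installation package") that contains the application code plus its environment.
Container: a running instance of an image (similar to the "installed software").
3. Image layering
Images use a layered storage structure. Different images can share base layers, which saves disk space and speeds up builds.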
Docker deployment
1. Deploy directly with dnf (Internet-connected environment)
[root@localhost ~]# dnf makecache
[root@localhost ~]# dnf install -y docker-ce
2. Deploy from installation packages (intranet environment)
[root@localhost ~]# cd /root/docker
[root@localhost ~]# ls
containerd.io-1.4.3-3.1.ky3_6.kb3.aarch64.rpm              fuse-overlayfs-1.13-1.ky3_6.aarch64.rpm
docker-ce-20.10.9-3.ky3_6.kb1.aarch64.rpm                  go-md2man-2.0.0-3.ky3_6.kb1.aarch64.rpm
docker-ce-cli-20.10.9-3.ky3_6.kb1.aarch64.rpm              libslirp-4.7.0-2.ky3_6.aarch64.rpm
docker-ce-rootless-extras-20.10.9-3.ky3_6.kb1.aarch64.rpm  slirp4netns-1.2.3-1.ky3_6.aarch64.rpm
[root@localhost ~]# rpm -ivh *.rpm
3. Start the docker service and enable it at boot
[root@localhost ~]# systemctl start docker.service
[root@localhost ~]# systemctl enable docker.service
4. Check the docker version
[root@localhost ~]# docker --version
Docker version 20.10.9, build f0df350
Common commands

1. List local images
[root@localhost ~]# docker images
REPOSITORY   TAG             IMAGE ID       CREATED        SIZE
node         22-alpine3.20   790701fae0b4   6 weeks ago    155MB
nginx        latest          9b1b7be1ffa6   8 weeks ago    197MB
mysql        latest          ccc8e7cf9efa   2 months ago   814MB
Notes:
REPOSITORY: name of the repository the image belongs to
TAG: image tag
IMAGE ID: image ID
CREATED: date the image was created (not the date it was pulled)
SIZE: image size
2. Pull an image
[root@localhost ~]# docker image pull library/nginx
Using default tag: latest
latest: Pulling from library/nginx
d9b636547744: Pull complete
0994e771ba34: Pull complete
bef2ee7fab45: Pull complete
13f89c653285: Pull complete
589701e352f8: Pull complete
8e77214beb25: Pull complete
4c7c1a5bd3af: Pull complete
Digest: sha256:124b44bfc9ccd1f3cedf4b592d4d1e8bddb78b51ec2ed5056c52d3692baebc19
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest
Notes:
library/nginx is the location of the image file in the registry.
library: the group the image file belongs to
nginx: the name of the image file
Because the image files officially provided by Docker are all placed in the library group, it is the default group and can be omitted. The command above can therefore be written as:
docker image pull nginx
3. Delete an image
[root@localhost ~]# docker images
REPOSITORY   TAG      IMAGE ID       CREATED       SIZE
nginx        latest   2c9168b3c9a8   8 weeks ago   197MB
[root@localhost ~]# docker rmi 2c9168b3c9a8
Untagged: nginx:latest
Untagged: nginx@sha256:124b44bfc9ccd1f3cedf4b592d4d1e8bddb78b51ec2ed5056c52d3692baebc19
Deleted: sha256:2c9168b3c9a84851f91e03534dc4136951e9f581ab3ac8ee38b28b49ad57ba38
Deleted: sha256:2cdcd9ae6804cbc2c8c8c66b8156d722fb7275eecdf691aa798da08aa3842e67
Deleted: sha256:5a9a0099da05feea7f90572b293886da5ca2ad1d168c753a64bbed84ca96cbdd
Deleted: sha256:fe5448bc54d2a21c260cb52bf6cbb7dd25d513326065f442b65a5611944f6bee
Deleted: sha256:08fb5c8b06bcff060329308109d4b306b4bfd2db4be01bddb77302d4e1f65659
Deleted: sha256:2dbb763aeeec1e9a0e44e99182a65fd450bcbaba296b7a049e242a257ee5bace
Deleted: sha256:6fcccaff183b2d53bf2d12e5c56e522ca610d1c7044c32d7c927cd27122da61a
Deleted: sha256:70a3ee4d4d38a5bb57ecd08c40c9a37d750d3f8f63591e97cdbf8277c3698e6f
Notes:
1. Syntax: docker rmi <image name or image ID>
2. The image of a running container cannot be deleted.
4. Run a container
[root@localhost ~]# docker run -d nginx
bbeb9c8f0b5ec4c0d6dd591799caac2799c434387dbe97b69ea700534960896c
5. List containers
[root@localhost ~]# docker ps
CONTAINER ID   IMAGE   COMMAND                  CREATED              STATUS              PORTS    NAMES
bbeb9c8f0b5e   nginx   "/docker-entrypoint.…"   About a minute ago   Up About a minute   80/tcp   sweet_bell
[root@localhost ~]# docker ps -a
CONTAINER ID   IMAGE   COMMAND                  CREATED         STATUS         PORTS    NAMES
bbeb9c8f0b5e   nginx   "/docker-entrypoint.…"   3 minutes ago   Up 3 minutes   80/tcp   sweet_bell
Notes:
1. docker ps: lists running containers.
2. docker ps -a: lists all containers, both running and stopped.
6. Stop and delete a container
[root@localhost ~]# docker ps
CONTAINER ID   IMAGE   COMMAND                  CREATED         STATUS         PORTS    NAMES
bbeb9c8f0b5e   nginx   "/docker-entrypoint.…"   7 minutes ago   Up 7 minutes   80/tcp   sweet_bell
[root@localhost ~]# docker stop bbeb9c8f0b5e
bbeb9c8f0b5e
[root@localhost ~]# docker ps -a
CONTAINER ID   IMAGE   COMMAND                  CREATED         STATUS                      PORTS   NAMES
bbeb9c8f0b5e   nginx   "/docker-entrypoint.…"   8 minutes ago   Exited (0) 56 seconds ago           sweet_bell
[root@localhost ~]# docker rm bbeb9c8f0b5e
bbeb9c8f0b5e
[root@localhost ~]# docker ps -a
CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
Notes:
1. Stop a container: docker stop <container name or container ID>
2. Delete a container: docker rm <container name or container ID>
3. A running container cannot be deleted. To force deletion: docker rm -f <container ID>
7. View container logs
[root@localhost ~]# docker ps
CONTAINER ID   IMAGE   COMMAND                  CREATED         STATUS         PORTS    NAMES
f15d497dfd3b   nginx   "/docker-entrypoint.…"   7 seconds ago   Up 4 seconds   80/tcp   upbeat_roentgen
[root@localhost ~]# docker logs f15d497dfd3b
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2025/04/03 02:23:22 [notice] 1#1: using the "epoll" event method
2025/04/03 02:23:22 [notice] 1#1: nginx/1.27.4
2025/04/03 02:23:22 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14)
2025/04/03 02:23:22 [notice] 1#1: OS: Linux 4.19.90-2309.3.0.0218.kb11.ky3_4.aarch64
2025/04/03 02:23:22 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2025/04/03 02:23:22 [notice] 1#1: start worker processes
2025/04/03 02:23:22 [notice] 1#1: start worker process 29
2025/04/03 02:23:22 [notice] 1#1: start worker process 30
2025/04/03 02:23:22 [notice] 1#1: start worker process 31
2025/04/03 02:23:22 [notice] 1#1: start worker process 32
2025/04/03 02:23:22 [notice] 1#1: start worker process 33
2025/04/03 02:23:22 [notice] 1#1: start worker process 34
2025/04/03 02:23:22 [notice] 1#1: start worker process 35
2025/04/03 02:23:22 [notice] 1#1: start worker process 36
8. Enter a container
[root@localhost ~]# docker exec -it f15d497dfd3b /bin/bash
root@f15d497dfd3b:/# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
Common problems
1. Image pull fails: Error response from daemon
Approach: configure domestic registry mirrors (image accelerators) by editing the daemon.json file
vim /etc/docker/daemon.json
{
  "registry-mirrors": [
    "https://docker.registry.cyou",
    "https://docker-cf.registry.cyou",
    "https://dockercf.jsdelivr.fyi",
    "https://docker.jsdelivr.fyi",
    "https://dockertest.jsdelivr.fyi",
    "https://mirror.aliyuncs.com",
    "https://dockerproxy.com",
    "https://mirror.baidubce.com",
    "https://docker.m.daocloud.io",
    "https://docker.nju.edu.cn",
    "https://docker.mirrors.sjtug.sjtu.edu.cn",
    "https://docker.mirrors.ustc.edu.cn",
    "https://mirror.iscas.ac.cn",
    "https://docker.rainbond.cc",
    "https://ghcr.io",
    "https://ghcr.nju.edu.cn"
  ]
}
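A registry mirror decides which manifest a tag such as nginx:latest resolves to, so after pulling through a mirror it is worth comparing the image's digest with one recorded from a trusted source. The script below is an added example, not part of the original article; the function names are hypothetical, and using the digest from the pull output earlier in this article as the pinned value is an assumption made for illustration.

```shell
#!/bin/sh
# Added example: check a pulled image against a pinned sha256 digest.

# Assumed pin for illustration: the digest printed by `docker image pull` above.
PINNED='sha256:124b44bfc9ccd1f3cedf4b592d4d1e8bddb78b51ec2ed5056c52d3692baebc19'

# is_sha256_digest DIGEST
# Returns 0 only for "sha256:" followed by exactly 64 lowercase hex characters.
is_sha256_digest() {
    case "$1" in
        sha256:*) ;;
        *) return 1 ;;
    esac
    hex=${1#sha256:}
    [ "${#hex}" -eq 64 ] || return 1
    case "$hex" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# digest_in_repodigests EXPECTED
# Reads RepoDigests entries ("repo@sha256:...") from stdin, one per line.
# Returns 0 on a match, 1 on no match, 2 if EXPECTED is not a valid digest.
digest_in_repodigests() {
    expected=$1
    is_sha256_digest "$expected" || return 2
    while IFS= read -r line; do
        [ "${line##*@}" = "$expected" ] && return 0
    done
    return 1
}

# verify_image IMAGE EXPECTED
# Asks the local Docker daemon for the image's RepoDigests and checks the pin.
verify_image() {
    docker image inspect \
        --format '{{range .RepoDigests}}{{println .}}{{end}}' "$1" \
        | digest_in_repodigests "$2"
}

# Usage on a host with Docker running:
#   verify_image nginx:latest "$PINNED" || echo "digest mismatch: do not run this image"
```

Pulling by digest (docker image pull nginx@sha256:...) enforces the same pin at pull time, because the daemon rejects content that does not hash to the requested digest.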
2. Port conflict: Bind for 0.0.0.0:80 failed
Symptom:
[root@localhost ~]# docker run -d -p 80:80 --name nginx1 nginx
9c8d454972bea5c6c511b657556709577d1fe48d91d9aaf2c7adf49d7b4a01f5
docker: Error response from daemon: driver failed programming external connectivity on endpoint nginx1(0e1c26ad5a4f7a0f7b642965b4a1c6ca928d08da06150c9d73746969db3432e9): Bind for 0.0.0.0:80 failed: port is already allocated.
Approach: change the container's port mapping
docker run -d -p 8080:80 --name nginx2 nginx
[root@localhost ~]# docker stats
CONTAINER ID   NAME     CPU %     MEM USAGE / LIMIT     MEM %    NET I/O          BLOCK I/O         PIDS
9c8d454972be   nginx1   393.19%   1.563GiB / 2.82GiB    55.42%   29.8MB / 325kB   1.25MB / 69.3MB   5
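Approach: limit container resources with --memory=2g --cpus=1
docker stats                                   # monitor resource usage
docker run -d --memory=2g --cpus=1 nginx       # limit container resources
docker image prune -a                          # clean up unused images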
Original source: KylinSec Technical Services