Differences

This shows you the differences between two versions of the page.

--- технология_docker [2024/03/07 09:44]
val [Дополнительная информация]
+++ технология_docker [2025/10/21 07:19] (current)
val [docker-compose]
@@ Line 3: / Line 3: @@
   * [[https://youtu.be/hdVNKmru3LM|youtube/Проникновение в Docker с примерами, Дмитрий Столяров, Flant]]
   * [[https://www.upguard.com/articles/docker-vs-lxc|Docker vs LXC]]
-  * [[https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-20-04-ru|Установка и использование Docker в Ubuntu 20.04]]
   * [[https://youtu.be/QF4ZF857m44|youtube/Артем Матяшов/Основы Docker. Большой практический выпуск]]
@@ Line 14: / Line 13: @@
 ===== Установка =====
-==== Ubuntu ====
+==== Ubuntu/Debian ====
   * [[https://docs.docker.com/engine/install/ubuntu/|Install Docker Engine on Ubuntu]]
+  * [[https://docs.docker.com/engine/installation/linux/docker-ce/debian/|Get Docker CE for Debian]]
 <code>
 # apt install docker.io
 </code>
-==== Debian ====
-  * [[https://docs.docker.com/engine/installation/linux/docker-ce/debian/|Get Docker CE for Debian]]
-=== Debian 10 ===
+==== Настройка registry-mirrors ====
+  * [[https://habr.com/ru/news/818177/|Docker hub перестал работать в России]]
 <code>
-# apt install ca-certificates curl gnupg lsb-release
+# cat /etc/docker/daemon.json
+</code><code>
+{
+  "registry-mirrors": ["https://mirror.gcr.io"]
+}
+</code>
-# curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+==== Настройка загрузки образов через proxy ====
-# echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list
+  * [[Переменные окружения]]
-# apt update
+<code>
+# systemctl edit docker.service
+</code><code>
+...
+[Service]
+#Environment="http_proxy=http://proxy.isp.un:3128/"
+Environment="https_proxy=http://proxy.isp.un:3128/"
+Environment="no_proxy=localhost,127.0.0.1,isp.un,corpX.un"
+...
+</code><code>
+# systemctl daemon-reload
-# apt install docker-ce docker-ce-cli containerd.io
+# service docker restart
 </code>
 ==== Тестирование установки ====
 <code>
 # systemctl status docker
 # docker info
+</code>
+==== Запуск контейнеров ====
+  * [[https://stackoverflow.com/questions/41694329/docker-run-override-entrypoint-with-shell-script-which-accepts-arguments|Docker run override entrypoint with shell script which accepts arguments]]
+  * Запуск сервиса TACACS+ в [[Сервис TACACS+#Docker]]
+<code>
 # docker run hello-world
+# docker events --since '10m'
 </code>
@@ Line 57: / Line 81: @@
   * [[https://www.baeldung.com/ops/docker-image-layers-sizes|Finding the Layers and Layer Sizes for a Docker Image]]
+  * [[https://stackoverflow.com/questions/37966973/what-is-the-difference-between-the-size-and-the-virtual-size-of-the-docker-image|What is the difference between the size and the virtual size of the docker images?]]
   * [[https://docs.docker.com/engine/reference/commandline/system_prune/|docker system prune - Remove unused data]]
   * [[Сервис Grafana]]
 ==== Обзор и удаление ====
+  * [[https://forums.docker.com/t/why-arent-base-layer-images-listed-in-docker-image-ls-a/139044/5|Why aren’t base layer images listed in `docker image ls -a`?]]
 <code>
 # docker images
-# docker ps -a
+# docker ps -a #--size
 # docker container ls -a
+# docker container stats
 # docker start -i NNNNNNNNNNN
@@ Line 77: / Line 105: @@
 # docker rmi -f $(docker images -aq)
-# docker system prune
+# docker system df
-# docker system prune -a --volumes
+# docker system prune
+# docker system prune -a #--volumes
 </code>
@@ Line 95: / Line 124: @@
-==== Создание контейнера для приложения вручную ====
+==== Создание образа для приложения вручную ====
@@ Line 150: / Line 179: @@
   * [[#Запуск в режиме демона и подключение к контейнеру]] из полученного образа
-==== Создание контейнера для приложения с использованием Dockerfile ====
+==== Создание образа для приложения с использованием Dockerfile ====
+  * [[https://habr.com/ru/companies/slurm/articles/329138/|ENTRYPOINT vs CMD: назад к основам]]
   * [[Сервис TACACS+]]
-  * [[Средства программирования shell#Web сервер на shell]]
+=== Приложение bash webd ===
 <code>
-server# mkdir /root/webd/ && cd /root/webd/
+lan# mkdir -p /root/webd/ && cd /root/webd/
   или
 gitlab-runner@server:~$ mkdir -p ~/webd/webd/ && cd ~/webd/webd/
+lan:~/webd# scp server:/usr/local/sbin/webd .
+  или
 server# cp /usr/local/sbin/webd .
+  или
+</code>
+  * [[Средства программирования shell#Web сервер на shell]]
+<code>
+# nano webd      # добавляем закомментированные строки
-gitlab-runner@server:~/webd/webd$ nano webd      # добавляем закомментированные строки
+# cat start.sh
-server# ###tar -cvzf www.tgz -C /var/ www/
-server# cat start.sh
 </code><code>
 #!/bin/sh
@@ Line 176: / Line 210: @@
 if [ "$MYMODE" = 'TEST' ]; then
-  bash      # not work in k8s
+  sleep 3
+  curl localhost && exit 0 || exit 1
 else
   tail -f /var/log/webd.log
@@ Line 183: / Line 218: @@
 server# cat Dockerfile
 </code><code>
-#FROM debian:buster
+#FROM debian
-FROM debian:bullseye
+FROM debian:bookworm
 RUN cp /usr/share/zoneinfo/Etc/GMT-3 /etc/localtime \
     && apt-get update \
-    && apt-get install -y inetutils-inetd file \
+    && apt-get install -y inetutils-inetd file curl\
     && apt-get clean \
     && echo 'www stream tcp nowait root /usr/local/sbin/webd webd' > /etc/inetd.conf
@@ Line 205: / Line 240: @@
 </code><code>
 # docker build -t test/webd .
+# docker run --rm -e MYMODE=TEST test/webd
 # docker history test/webd
 </code>
-=== Dockerfile Multistage Building ===
+  * [[#Запуск в режиме демона и подключение к контейнеру]]
+=== Приложение python pywebd ===
+  * [[Язык программирования Python#Flask Gunicorn]]
+  * [[https://stackoverflow.com/questions/49955097/how-do-i-add-a-user-when-im-using-alpine-as-a-base-image|How do I add a user when I'm using Alpine as a base image?]]
+<code>
+:~/pywebd$ ## mkdir etc/; cp -rv /etc/pywebd/ etc/
+:~/pywebd$ ## echo '<h1>Default from pywebd</h1>' > index.html
+:~/pywebd$ dpkg -l | grep python
+:~/pywebd$ cat Dockerfile
+</code><code>
+FROM python:3.11-alpine
+#RUN pip install --root-user-action=ignore --upgrade pip
+#RUN adduser -D myuser
+#USER myuser
+#WORKDIR /home/myuser
+COPY requirements.txt .
+#COPY --chown=myuser:myuser requirements.txt .
+#ENV PATH="/home/myuser/.local/bin:${PATH}"
+RUN pip install -r requirements.txt
+#RUN pip install --user -r requirements.txt
+COPY . .
+#COPY --chown=myuser:myuser . .
+#COPY --chown=myuser:myuser app.py .
+## COPY --chown=myuser:myuser etc/pywebd/ /etc/pywebd/
+## COPY --chown=myuser:myuser index.html /var/www/
+### ADD www.tgz /var/
+### ENV PYWEBD_PORT=4080
+### EXPOSE 4080
+ENTRYPOINT ["python"]
+CMD ["app.py"]
+</code><code>
+:~/pywebd$ time docker build -t pywebd .
+:~/pywebd$ ### docker run -ti --rm --entrypoint /bin/sh pywebd
+:~/pywebd$ ### docker run -p 4443 -d --rm pywebd
+:~/pywebd$ docker run -d --rm -p 4088 -e PYWEBD_PORT=4088 -v /etc/pywebd:/etc/pywebd -v /var/www/:/var/www/ --name pywebd01 pywebd
+</code>
+  * [[#Запуск в режиме демона и подключение к контейнеру]]
+=== Приложение python pywebd2 ===
+  * [[Язык программирования Python#FastAPI Uvicorn]]
+<code>
+~/pywebd2# cat Dockerfile
+</code><code>
+FROM python:3.11-alpine
+RUN pip install --root-user-action=ignore --upgrade pip
+RUN pip install poetry
+RUN adduser -D myuser
+USER myuser
+WORKDIR /home/myuser
+COPY --chown=myuser:myuser . .
+RUN poetry install
+ENTRYPOINT ["poetry", "run"]
+CMD ["python3", "app.py"]
+</code><code>
+~/pywebd2# time docker build -t pywebd2 .
+# docker run -d -p 8000 --rm pywebd2
+# docker run -d -p 4080 -e PYWEBD_MESSAGE='Hello Docker' --rm pywebd2 uvicorn app:app --reload --host 0.0.0.0 --port 4080
+</code>
+=== Приложение golang gowebd ===
+== Dockerfile Multistage Building ==
   * [[Язык программирования Golang]]
@@ Line 219: / Line 346: @@
 </code><code>
 FROM golang
-#FROM golang as builder
+#FROM golang AS builder
 WORKDIR /build
@@ Line 230: / Line 357: @@
 #FROM alpine
 #COPY --from=builder /gowebd /gowebd
+EXPOSE 80
 ENTRYPOINT ["/gowebd"]
 </code><code>
-student@client1:~/gowebd$ docker images
+~/gowebd$ docker images
-student@client1:~/gowebd$ time docker build -t gowebd .
+~/gowebd$ time docker build -t gowebd .
 real    6m2.564s
-student@client1:~/gowebd$ docker run -d -p 8080:80 --rm gowebd
+$ docker run -d -p 8080:80 --rm gowebd
+$ docker run -d --rm -p 80 --name gowebd01 gowebd
+$ docker run -d --rm --network=host gowebd
 </code>
+== docker buildx ==
+  * [[https://doroshev.com/blog/docker-mount-type-cache/|Docker Buildkit: Правильное использование --mount=type=cache]]
+<code>
+ubuntu# apt install docker-buildx
+  или
+docker# apt install docker-buildx-plugin
+ubuntu:~/gowebd# cat Dockerfile
+</code><code>
+...
+RUN --mount=type=cache,target="/root/.cache/go-build" go build -o /gowebd
+...
+</code><code>
+ubuntu:~/gowebd# time docker build -t gowebd .
+...
+real    0m6.686s
+</code>
+== Smoke test ==
+<code>
+$ MY_ID=$(docker run -d --rm gowebd)
+$ MY_IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $MY_ID)
+$ docker run --rm alpine/curl -sS $MY_IP
+$ docker stop $MY_ID
+</code>
+  * [[#Запуск в режиме демона и подключение к контейнеру]]
 ==== Запуск в режиме демона и подключение к контейнеру ====
@@ Line 255: / Line 419: @@
   * [[Технология cgroup]]
+  * [[https://www.baeldung.com/ops/docker-memory-limit|Setting Memory And CPU Limits In Docker]]
+  * [[https://stackoverflow.com/questions/72185669/what-is-the-real-memory-available-in-docker-container|What is the real memory available in Docker container?]]
   * [[Технология namespaces]]
 <code>
@@ Line 264: / Line 431: @@
 server# cat /proc/<PID>/cgroup
 server# systemd-cgls
-server# cat /sys/fs/cgroup/memory/docker/NNNNNNNNNNNNNNNNNNNNNNNNNNNNN/memory.max_usage_in_bytes
+cgroup-v1# cat /sys/fs/cgroup/memory/docker/NNNNNNNNNNNNNNNNNNNNNNNNNNNNN/memory.max_usage_in_bytes
+cgroup-v2# cat /sys/fs/cgroup/system.slice/docker-NNNNNNNNNNNNNNNNNNNNNNNNNNNNN.scope/memory.max
 server# docker stats
@@ Line 273: / Line 440: @@
 server# lsns | grep start.sh
 </code>
-=== Анализ параметров запущенного контейнера ===
+== Анализ параметров запущенного контейнера ==
 <code>
 server# docker inspect webd01
-server# docker inspect webd01 -f {{.NetworkSettings.IPAddress}}
+server# docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' webd01
 server# wget -qO - http://172.17.0.2/
@@ Line 293: / Line 460: @@
 host browser -> http://server.corpX.un:8000/
+</code>
+== Анализ параметров запущенного контейнера изнутри ==
+<code>
 server# docker attach webd01
-server# docker exec -it webd01 bash
+server# docker exec -it webd01 sh
 webd01# ps ax
@@ Line 303: / Line 472: @@
 webd01# cat /proc/1/cmdline
-webd01# ss -tpan
+webd01# ip a
   или
+webd01# cat /proc/net/fib_trie
+webd01# ss -tpan
+  или   https://www.rapidtables.com/convert/number/decimal-to-hex.html
 webd01# cat /proc/net/tcp
 webd01# cat /proc/net/tcp6
 Ctrl+P, Q(still holding Ctrl)
+</code>
+== Управление контейнером после запуска ==
+<code>
 server# docker stop webd01
@@ Line 323: / Line 500: @@
 ==== Микросервисы ====
+==== Использование готовых образов приложений ====
   * [[https://hub.docker.com/search?type=image|Explore Docker's Container Image Repository]]
+=== atmoz/sftp ===
   * [[https://hub.docker.com/r/atmoz/sftp|atmoz/sftp]]
@@ Line 332: / Line 512: @@
 # chown -R 10003 /var/www
-# docker run --name sftp01 -v /var/www:/home/user3/www -p 2222:22 -d atmoz/sftp user3:password3:10003
+# docker run --name sftp01 -v /var/www:/home/user3/www -p 2222:22 -d --rm atmoz/sftp user3:password3:10003
-# docker exec -it sftp01 bash
+# ###docker exec -it sftp01 bash
 </code>
 Ctrl+D
@@ Line 342: / Line 522: @@
 # sftp -P 2222 user3@localhost
 </code>
-  * [[Сервис SSH#Настройка ssh клиента]]
+  * [[Сервис SSH#WinSCP]]
 <code>
 # docker logs sftp01
@@ Line 353: / Line 533: @@
   * [[https://habr.com/ru/company/ruvds/blog/450312/|Руководство по Docker Compose для начинающих]]
   * [[https://stackoverflow.com/questions/39663096/docker-compose-creating-multiple-instances-for-the-same-image|docker-compose creating multiple instances for the same image]]
+  * [[https://docs.docker.com/compose/how-tos/lifecycle/|Using lifecycle hooks with Compose]]
   * [[Инструмент GitLab#Установка через docker-compose]] GitLab
   * Установка через [[Сервис Keycloak#docker-compose]] Keycloak
+  * [[https://kompose.io/|Go from Docker Compose to Kubernetes]]
 <code>
-# apt install docker-compose
+# apt install docker-compose docker.io
-debian11# service docker start
 # cat docker-compose.yml
 </code><code>
-version: "3"
+#version: "3"
 services:
   webd:
-    image: test/webd
+#    image: server.corpX.un:5000/student/webd:ver1.N
-    build: webd/
+    image: pywebd
-    ports:
+#    build: webd/
-      - "8000:80"
+#    entrypoint: /start.sh
+#    ports:
 #      - "80"
+##    network_mode: host
     volumes:
+      - /etc/pywebd/:/etc/pywebd/
       - /var/www/:/var/www/
 #      - vol1:/var/www/
+    deploy:
+      mode: replicated
+      replicas: 3
 #    environment:
-#      - MYMODE=TEST
+#      - PYWEBD_PORT=80
 #    stdin_open: true
-    tty: true
+#    tty: true
+#    restart: unless-stopped
   sftp:
     image: atmoz/sftp
@@ Line 393: / Line 580: @@
 #  vol1:
 </code><code>
-# docker-compose build
+# ###docker-compose build
+# docker-compose config
 # docker-compose up -d
+# docker-compose logs -f webd
 # docker-compose stop
@@ Line 404: / Line 595: @@
 # docker-compose rm
+# docker volume inspect root_vol1
 # docker volume rm root_vol1
-gitlab-runner@server:~/webd$ docker-compose up -d --scale webd=N
+# docker-compose up -d --scale webd=N
-gitlab-runner@server:~/webd$ docker ps
+# docker ps
-gitlab-runner@server:~/webd$ docker-compose down
 </code><code>
 gitlab-runner@server:~/webd$ cat docker-compose.yml
@@ Line 436: / Line 627: @@
 ===== Локальные репозитории =====
+  * [[https://www.suse.com/c/rancher_blog/container-registries-you-might-have-missed/|Container Registries You Might Have Missed]]
+==== Копирование образов ====
+<code>
+lan# docker save -o test-webd.tgz test/webd
+lan# scp test-webd.tgz somehost:
+somehost# docker load -i test-webd.tgz
+</code>
 ==== Insecure Private Registry ====
@@ Line 449: / Line 649: @@
 </code><code>
 # service docker restart
+</code>
+==== Аутентификация в Registry ====
+<code>
+gitlab-runner@server:~$ docker login
 gitlab-runner@server:~$ docker login http://server.corpX.un:5000
@@ Line 464: / Line 670: @@
   * [[https://serverfault.com/questions/703344/how-to-remove-an-image-tag-in-docker-without-removing-the-image-itself|How to remove an image tag in Docker without removing the image itself?]]
+==== Использование Private Registry ====
 <code>
@@ Line 469: / Line 676: @@
 gitlab-runner@server:~$ docker tag test/webd server.corpX.un:5000/student/webd
-gitlab-runner@server:~$ docker tag test/webd server.corpX.un:5000/student/webd:1.1
+gitlab-runner@server:~$ docker tag test/webd server.corpX.un:5000/student/webd:ver1.1
 gitlab-runner@server:~$ docker images
 gitlab-runner@server:~$ docker push server.corpX.un:5000/student/webd
-gitlab-runner@server:~$ docker push server.corpX.un:5000/student/webd:1.1
+gitlab-runner@server:~$ docker push server.corpX.un:5000/student/webd:ver1.1
 ...
 node1_2_3# docker run --name webd01 --hostname webd01 -itd --rm -p 8000:80 server.corpX.un:5000/student/webd
@@ Line 481: / Line 688: @@
 </code>
-==== Secure Private Registry ====
-  * [[Пакет OpenSSL#Импорт сертификата центра сертификации]]
+==== Использование образа Docker Registry on-premise ====
+  * [[https://docs.docker.com/registry/|Docker Registry]]
+  * [[https://stackoverflow.com/questions/25436742/how-to-delete-images-from-a-private-docker-registry?newreg=e655d7146b114f0f9b88b1132990f346|How to delete images from a private docker registry?]]
 <code>
-# docker pull server.corp13.un:5050/student/gowebd
+# docker run -d -p 5000:5000 -v /root:/certs \
+  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/wild.crt \
+  -e REGISTRY_HTTP_TLS_KEY=/certs/wild.key \
+  --name registry --restart=always registry:2
-# docker login server.corp13.un:5050
+# docker tag gowebd server.corp13.un:5000/student/gowebd
-</code>
-==== Использование образа Docker Registry и on-premise CA ====
-  * [[https://docs.docker.com/registry/|Docker Registry]]
+# docker push server.corp13.un:5000/student/gowebd
-<code>
+# curl https://server.corp13.un:5000/v2/_catalog
-gate# docker run -d -p 5000:5000 -v /root:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/gate.crt -e REGISTRY_HTTP_TLS_KEY=/certs/gate.key --name registry registry:2
+{"repositories":["student/gowebd"]}
-node1# cp ~vagrant/gate.crt /etc/docker/certs.d/gate.corp13.un\:5000/ca.crt
+# curl https://server.corp13.un:5000/v2/student/gowebd/tags/list
+</code>
-node1# service docker restart
+===== Дополнительная информация =====
-node1# docker tag val/webd:latest gate.corp13.un:5000/webd
+==== Инструмент kaniko ====
-node1# docker push gate.corp13.un:5000/webd
+  * [[https://habr.com/ru/companies/slurm/articles/436126/|Kubernetes: сборка образов Docker в кластере, можно использовать kaniko]]
-node1# curl --insecure -X GET https://gate.corp13.un:5000/v2/_catalog
+<code>
-{"repositories":["webd"]}
+~/gowebd# time docker run \
+  -v $(pwd):/workspace \
+  -v ~/.docker/config.json:/kaniko/.docker/config.json \
+  gcr.io/kaniko-project/executor:latest \
+  --skip-tls-verify --log-timestamp \
+  --dockerfile=./Dockerfile \
+  --context=/workspace \
+  --destination=server.corpX.un:5000/student/gowebd
+</code><code>
+или, интерактивно:
+</code><code>
+root@ubuntu:~/gowebd# docker run -it \
+  -v $(pwd):/workspace --rm --entrypoint "/bin/sh" \
+  -v ~/.docker/config.json:/kaniko/.docker/config.json \
+  gcr.io/kaniko-project/executor:debug
-val@gitlab-vkube:~$ curl -s https://gitlab-vkube.bmstu.ru:5000/v2/postgresql/tags/list | jq
+# time /kaniko/executor --skip-tls-verify --log-timestamp \
-{
+  --dockerfile=./Dockerfile \
-  "name": "postgresql",
+  --context=/workspace \
-  "tags": [
+  --destination=server.corpX.un:5000/student/gowebd
-    "13"
+</code><code>
-  ]
+тестируем результат:
-}
+</code><code>
+# docker run --pull=always --name gowebd -itd --rm \
+  -p 8000:80 server.corpX.un:5000/student/gowebd
 </code>
+==== Приложение apwebd ====
-===== Дополнительная информация =====
 <code>
-$ cat Dockerfile
+~/apwebd$ cat Dockerfile
 </code><code>
 FROM debian:bookworm
@@ Line 536: / Line 763: @@
 ENTRYPOINT ["/start.sh"]
 </code><code>
-$ find rootfs/ -type f | xargs tail -n +1
+~/apwebd$ find rootfs/ -type f | xargs tail -n +1
 </code><code>
 ==> rootfs/var/www/html/index.html.apwebd-template <==
@@ Line 596: / Line 823: @@
 </code><code>
 ==> rootfs/usr/lib/cgi-bin/apwebd <==
+</code><code>
 #!/bin/sh
-echo Content-type: text/html
+echo Content-type: "text/html;charset=utf-8"
 echo
-echo "<h1 style=\"color:blue;\">Hello ${OIDC_CLAIM_preferred_username}</h1>"
+echo "<h1 style=\"color:blue;\">Привет ${OIDC_CLAIM_preferred_username}</h1>"
 echo "<pre>"; env; echo "</pre>"
+</code><code>
+~/apwebd# chmod +x rootfs/usr/lib/cgi-bin/apwebd rootfs/start.sh
+~/apwebd$ docker build -t server.corp13.un:5000/student/apwebd:ver1.2 .
+~/apwebd$ docker run -e APWEBD_HOSTNAME=apwebd.corp13.un -e KEYCLOAK_HOSTNAME=keycloak.corp13.un -e REALM_NAME=corp13 -itd --rm -P server.corp13.un:5000/student/apwebd:ver1.2
+~/apwebd$ docker run -e APWEBD_HOSTNAME=apwebd.corp13.un -e KEYCLOAK_HOSTNAME=keycloak.corp13.un -e REALM_NAME=corp13 -itd --entrypoint bash server.corp13.un:5000/student/apwebd:ver1.2
+~/apwebd$ docker push server.corp13.un:5000/student/apwebd:ver1.2
 </code>

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools