# Container - 時代はコンテナ. ## はじめての ``` yum install docker chkconfig docker on service docker start ``` ## docker pull - docker hubからとってくる. - `docker pull centos` - `docker pull nginx` - とかとか. - `docker images`でとったやつを確認できる. ## 使い方 - さがす - `docker search ` - ひっぱる - `docker pull ` - イメージ一覧 - `docker image ls` - たてる - `docker run -it ` - iオプションは中に入る.tオプションはtty接続. - `docker run --name -d -p ` - `--name`: お名前つける - `-d`: daemonとして起動 - `-p`: port forwardの設定.これでホストのポートにアクセスするとコンテナ内部のポートにフォワードされる. - 出るときは `Ctrl+p Ctrl+q`.exitするとコンテナが止まる. - コンテナ内に入る - `docker exec -it ` - `exit`で抜けれる - プロセス一覧 - `docker ps -a` - 削除 - `docker rm ` - イメージを削除 - `docker rmi -f ` - コンテナからイメージを作る - `docker commit ` - attach - `docker attach ` - dettach - `Ctrl+p Ctrl+q` ## ホストとファイルコピー ``` docker container ls docker container cp :/path/to/target_file /コピー先/ディレクトリ ``` ## docker containerの中でcronしたい - コンテナに入って下記とか ``` apt-get update apt-get install cron service cron start crontab -e ``` ## tagをとりたい - いやこれふつうにやりたくなるんだけどコマンドになってないのだろうか? ``` % curl -s -S 'https://registry.hub.docker.com/v2/repositories/library/centos/tags/' | jq '."results"[]["name"]' |sort "6" "6.6" "6.7" "7" "7.6.1810" "centos6" "centos6.6" "centos7" "centos7.6.1810" "latest" ``` ## コンテナの詳細なデータを見たい - `docker inspect ` - たとえばIPがほしいときは - `docker inspect --format '{{ .NetworkSettings.IPAddress }}' ` ## docker runのときにport forwardingするの忘れたとき. - iptablesに書いてしまおう - `sudo iptables -t nat -A DOCKER ! -i docker0 -p tcp -m tcp --dport 8001 -j DNAT --to-destination 172.17.0.2:8888` - `sudo iptables -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8001 -j ACCEPT` - [Docker実践〜dockerコンテナに外部からアクセスするためにポートフォワード設定を追加する - sagantaf](http://sagantaf.hatenablog.com/entry/2018/11/18/155131) ## もんだい - [Dockerの諸問題とRocket登場の経緯 | SOTA](https://deeeet.com/writing/2015/02/17/docker-bad-points/) ## 脳死でcentosにdocker入れる - もう入ってた.うける. ``` [jp7fkf@jp7fkf_0 ~]$ sudo yum install -y yum-utils \ > device-mapper-persistent-data \ > lvm2 Loaded plugins: fastestmirror, langpacks Loading mirror speeds from cached hostfile epel/x86_64/metalink | 9.8 kB 00:00:00 * base: ftp.nara.wide.ad.jp * epel: ftp.riken.jp * extras: ftp.nara.wide.ad.jp * remi-safe: ftp.riken.jp * updates: ftp.nara.wide.ad.jp base | 3.6 kB 00:00:00 epel | 4.7 kB 00:00:00 extras | 3.4 kB 00:00:00 remi-safe | 3.0 kB 00:00:00 updates | 3.4 kB 00:00:00 Package yum-utils-1.1.31-50.el7.noarch already installed and latest version Package device-mapper-persistent-data-0.7.3-3.el7.x86_64 already installed and latest version Package 7:lvm2-2.02.180-10.el7_6.3.x86_64 already installed and latest version Nothing to do [jp7fkf@jp7fkf_0 ~]$ sudo yum-config-manager \ > --add-repo \ > https://download.docker.com/linux/centos/docker-ce.repo Loaded plugins: fastestmirror, langpacks adding repo from: https://download.docker.com/linux/centos/docker-ce.repo grabbing file https://download.docker.com/linux/centos/docker-ce.repo to /etc/yum.repos.d/docker-ce.repo repo saved to /etc/yum.repos.d/docker-ce.repo [jp7fkf@jp7fkf_0 ~]$ [jp7fkf@jp7fkf_0 ~]$ sudo yum install docker-ce docker-ce-cli containerd.io Loaded plugins: fastestmirror, langpacks Loading mirror speeds from cached hostfile * base: ftp.nara.wide.ad.jp * epel: mirrors.aliyun.com * extras: ftp.nara.wide.ad.jp * remi-safe: ftp.riken.jp * updates: ftp.nara.wide.ad.jp docker-ce-stable | 3.5 kB 00:00:00 (1/2): docker-ce-stable/x86_64/primary_db | 23 kB 00:00:00 (2/2): docker-ce-stable/x86_64/updateinfo | 55 B 00:00:00 Resolving Dependencies --> Running transaction check ---> Package containerd.io.x86_64 0:1.2.2-3.3.el7 will be installed ---> Package docker-ce.x86_64 3:18.09.2-3.el7 will be installed --> Processing Dependency: container-selinux >= 2.9 for package: 3:docker-ce-18.09.2-3.el7.x86_64 ---> Package docker-ce-cli.x86_64 1:18.09.2-3.el7 will be installed --> Running transaction check ---> Package container-selinux.noarch 2:2.74-1.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ====================================================================================================================== Package Arch Version Repository Size ====================================================================================================================== Installing: containerd.io x86_64 1.2.2-3.3.el7 docker-ce-stable 22 M docker-ce x86_64 3:18.09.2-3.el7 docker-ce-stable 19 M docker-ce-cli x86_64 1:18.09.2-3.el7 docker-ce-stable 14 M Installing for dependencies: container-selinux noarch 2:2.74-1.el7 extras 38 k Transaction Summary ====================================================================================================================== Install 3 Packages (+1 Dependent package) Total download size: 55 M Installed size: 235 M Is this ok [y/d/N]: y Downloading packages: (1/4): container-selinux-2.74-1.el7.noarch.rpm | 38 kB 00:00:00 warning: /var/cache/yum/x86_64/7/docker-ce-stable/packages/containerd.io-1.2.2-3.3.el7.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID 621e9f35: NOKEY Public key for containerd.io-1.2.2-3.3.el7.x86_64.rpm is not installed (2/4): containerd.io-1.2.2-3.3.el7.x86_64.rpm | 22 MB 00:00:04 (3/4): docker-ce-18.09.2-3.el7.x86_64.rpm | 19 MB 00:00:04 (4/4): docker-ce-cli-18.09.2-3.el7.x86_64.rpm | 14 MB 00:00:01 ---------------------------------------------------------------------------------------------------------------------- Total 9.1 MB/s | 55 MB 00:00:06 Retrieving key from https://download.docker.com/linux/centos/gpg Importing GPG key 0x621E9F35: Userid : "Docker Release (CE rpm) " Fingerprint: 060a 61c5 1b55 8a7f 742b 77aa c52f eb6b 621e 9f35 From : https://download.docker.com/linux/centos/gpg Is this ok [y/N]: y Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : 2:container-selinux-2.74-1.el7.noarch 1/4 setsebool: SELinux is disabled. Installing : containerd.io-1.2.2-3.3.el7.x86_64 2/4 Installing : 1:docker-ce-cli-18.09.2-3.el7.x86_64 3/4 Installing : 3:docker-ce-18.09.2-3.el7.x86_64 4/4 Verifying : 3:docker-ce-18.09.2-3.el7.x86_64 1/4 Verifying : 1:docker-ce-cli-18.09.2-3.el7.x86_64 2/4 Verifying : containerd.io-1.2.2-3.3.el7.x86_64 3/4 Verifying : 2:container-selinux-2.74-1.el7.noarch 4/4 Installed: containerd.io.x86_64 0:1.2.2-3.3.el7 docker-ce.x86_64 3:18.09.2-3.el7 docker-ce-cli.x86_64 1:18.09.2-3.el7 Dependency Installed: container-selinux.noarch 2:2.74-1.el7 Complete! [jp7fkf@jp7fkf_0 ~]$ yum list docker-ce --showduplicates | sort -r * updates: ftp.iij.ad.jp * remi-safe: ftp.riken.jp Loaded plugins: fastestmirror, langpacks Installed Packages * extras: ftp.iij.ad.jp * epel: www.ftp.ne.jp docker-ce.x86_64 3:18.09.2-3.el7 docker-ce-stable docker-ce.x86_64 3:18.09.2-3.el7 @docker-ce-stable docker-ce.x86_64 3:18.09.1-3.el7 docker-ce-stable docker-ce.x86_64 3:18.09.0-3.el7 docker-ce-stable docker-ce.x86_64 18.06.3.ce-3.el7 docker-ce-stable docker-ce.x86_64 18.06.2.ce-3.el7 docker-ce-stable docker-ce.x86_64 18.06.1.ce-3.el7 docker-ce-stable docker-ce.x86_64 18.06.0.ce-3.el7 docker-ce-stable docker-ce.x86_64 18.03.1.ce-1.el7.centos docker-ce-stable docker-ce.x86_64 18.03.0.ce-1.el7.centos docker-ce-stable docker-ce.x86_64 17.12.1.ce-1.el7.centos docker-ce-stable docker-ce.x86_64 17.12.0.ce-1.el7.centos docker-ce-stable docker-ce.x86_64 17.09.1.ce-1.el7.centos docker-ce-stable docker-ce.x86_64 17.09.0.ce-1.el7.centos docker-ce-stable docker-ce.x86_64 17.06.2.ce-1.el7.centos docker-ce-stable docker-ce.x86_64 17.06.1.ce-1.el7.centos docker-ce-stable docker-ce.x86_64 17.06.0.ce-1.el7.centos docker-ce-stable docker-ce.x86_64 17.03.3.ce-1.el7 docker-ce-stable docker-ce.x86_64 17.03.2.ce-1.el7.centos docker-ce-stable docker-ce.x86_64 17.03.1.ce-1.el7.centos docker-ce-stable docker-ce.x86_64 17.03.0.ce-1.el7.centos docker-ce-stable Determining fastest mirrors * base: ftp.iij.ad.jp Available Packages [jp7fkf@jp7fkf_0 ~]$ sudo yum install docker-ce docker-ce-cli containerd.io Loaded plugins: fastestmirror, langpacks Loading mirror speeds from cached hostfile * base: ftp.nara.wide.ad.jp * epel: www.ftp.ne.jp * extras: ftp.nara.wide.ad.jp * remi-safe: ftp.riken.jp * updates: ftp.nara.wide.ad.jp Package 3:docker-ce-18.09.2-3.el7.x86_64 already installed and latest version Package 1:docker-ce-cli-18.09.2-3.el7.x86_64 already installed and latest version Package containerd.io-1.2.2-3.3.el7.x86_64 already installed and latest version Nothing to do [jp7fkf@jp7fkf_0 ~]$ sudo systemctl status docker ● docker.service - Docker Application Container Engine Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled) Active: inactive (dead) Docs: https://docs.docker.com [jp7fkf@jp7fkf_0 ~]$ sudo systemctl start docker [jp7fkf@jp7fkf_0 ~]$ sudo docker ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES ``` ## centosでsystemctl すると怒られが発生する. - はい. ``` [jp7fkf@jp7fkf_0 ~]$ systemctl status httpd Failed to get D-Bus connection: Operation not permitted ``` とか言われる. - `--privileged` つけて `-d` して `docker exec` で入るとよろしいらしい. ``` [jp7fkf@jp7fkf_0 ~]$ sudo docker pull centos:latest latest: Pulling from library/centos a02a4930cb5d: Pull complete Digest: sha256:184e5f35598e333bfa7de10d8fb1cebb5ee4df5bc0f970bf2b1e7c7345136426 Status: Downloaded newer image for centos:latest [jp7fkf@jp7fkf_0 ~]$ [jp7fkf@jp7fkf_0 ~]$ docker images Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.39/images/json: dial unix /var/run/docker.sock: connect: permission denied [jp7fkf@jp7fkf_0 ~]$ sudo docker images REPOSITORY TAG IMAGE ID CREATED SIZE centos latest 1e1148e4cc2c 2 months ago 202MB [jp7fkf@jp7fkf_0 ~]$ sudo docker run -it -d --privileged --name centos centos:latest /sbin/init 76efffadff20224247573edb5d5a03834b3be5b9868683542a4fab766c8d55ee [jp7fkf@jp7fkf_0 ~]$ [jp7fkf@jp7fkf_0 ~]$ sudo docker exec -it 76ef /bin/bash ``` - [DockerでCentOS7起動時にsystemctlが動かないとき | GROUP DEV BLOG | TECHNO MOBILE](https://www.tcmobile.jp/dev_blog/devtool/docker%E3%81%A7centos7%E8%B5%B7%E5%8B%95%E6%99%82%E3%81%AEsystemctl%E3%81%8C%E5%8B%95%E3%81%8B%E3%81%AA%E3%81%84%E3%81%A8%E3%81%8D/) ## tips - `--net='none'` 状態では`docker attach`を使っての接続はできない? - `docker exec`で`/bin/bash`を読むなどして入ることはできる. ## Docker Build - Dockerfileをつくってbuildする ``` FROM centos #もとになるimage(docker imagesで存在する/pullしてある必要がある.) MAINTAINER Yudai Hashimoto CMD echo "now running..." #docker runしたときに RUN yum install -y iproute curl wget bind-utils ``` ``` [jp7fkf@localhost ~]$ sudo docker build -t hogehoge . ##current dir. にあるDockerfileを読んでhogehoge というimageをつくる. Sending build context to Docker daemon 11.78kB Step 1/4 : FROM centos ---> 1e1148e4cxxx Step 2/4 : MAINTAINER Yudai Hashimoto ---> Running in 5584276013f3 Removing intermediate container 558427601xxx ---> 412c0dea5xxx Step 3/4 : CMD echo "now running..." ---> Running in e7987dfe0xxx Removing intermediate container e7987dfe0xxx ---> cf4eebd0bxxx Step 4/4 : RUN yum install -y iproute curl wget bind-utils ---> Running in 65094f874a93 Loaded plugins: fastestmirror, ovl Determining fastest mirrors * base: ftp.jaist.ac.jp * extras: ftp.jaist.ac.jp * updates: ftp.jaist.ac.jp Package curl-7.29.0-51.el7.x86_64 already installed and latest version Resolving Dependencies --> Running transaction check ---> Package bind-utils.x86_64 32:9.9.4-73.el7_6 will be installed --> Processing Dependency: bind-libs = 32:9.9.4-73.el7_6 for package: 32:bind-utils-9.9.4-73.el7_6.x86_64 --> Processing Dependency: liblwres.so.90()(64bit) for package: 32:bind-utils-9.9.4-73.el7_6.x86_64 --> Processing Dependency: libisccfg.so.90()(64bit) for package: 32:bind-utils-9.9.4-73.el7_6.x86_64 --> Processing Dependency: libisccc.so.90()(64bit) for package: 32:bind-utils-9.9.4-73.el7_6.x86_64 --> Processing Dependency: libisc.so.95()(64bit) for package: 32:bind-utils-9.9.4-73.el7_6.x86_64 --> Processing Dependency: libdns.so.100()(64bit) for package: 32:bind-utils-9.9.4-73.el7_6.x86_64 --> Processing Dependency: libbind9.so.90()(64bit) for package: 32:bind-utils-9.9.4-73.el7_6.x86_64 --> Processing Dependency: libGeoIP.so.1()(64bit) for package: 32:bind-utils-9.9.4-73.el7_6.x86_64 ---> Package iproute.x86_64 0:4.11.0-14.el7 will be installed --> Processing Dependency: libmnl.so.0(LIBMNL_1.0)(64bit) for package: iproute-4.11.0-14.el7.x86_64 --> Processing Dependency: libxtables.so.10()(64bit) for package: iproute-4.11.0-14.el7.x86_64 --> Processing Dependency: libmnl.so.0()(64bit) for package: iproute-4.11.0-14.el7.x86_64 ---> Package wget.x86_64 0:1.14-18.el7 will be installed --> Running transaction check ---> Package GeoIP.x86_64 0:1.5.0-13.el7 will be installed ---> Package bind-libs.x86_64 32:9.9.4-73.el7_6 will be installed --> Processing Dependency: bind-license = 32:9.9.4-73.el7_6 for package: 32:bind-libs-9.9.4-73.el7_6.x86_64 ---> Package iptables.x86_64 0:1.4.21-28.el7 will be installed --> Processing Dependency: libnfnetlink.so.0()(64bit) for package: iptables-1.4.21-28.el7.x86_64 --> Processing Dependency: libnetfilter_conntrack.so.3()(64bit) for package: iptables-1.4.21-28.el7.x86_64 ---> Package libmnl.x86_64 0:1.0.3-7.el7 will be installed --> Running transaction check ---> Package bind-license.noarch 32:9.9.4-72.el7 will be updated ---> Package bind-license.noarch 32:9.9.4-73.el7_6 will be an update ---> Package libnetfilter_conntrack.x86_64 0:1.0.6-1.el7_3 will be installed ---> Package libnfnetlink.x86_64 0:1.0.1-4.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ================================================================================ Package Arch Version Repository Size ================================================================================ Installing: bind-utils x86_64 32:9.9.4-73.el7_6 updates 206 k iproute x86_64 4.11.0-14.el7 base 763 k wget x86_64 1.14-18.el7 base 547 k Installing for dependencies: GeoIP x86_64 1.5.0-13.el7 base 1.5 M bind-libs x86_64 32:9.9.4-73.el7_6 updates 1.0 M iptables x86_64 1.4.21-28.el7 base 433 k libmnl x86_64 1.0.3-7.el7 base 23 k libnetfilter_conntrack x86_64 1.0.6-1.el7_3 base 55 k libnfnetlink x86_64 1.0.1-4.el7 base 26 k Updating for dependencies: bind-license noarch 32:9.9.4-73.el7_6 updates 87 k Transaction Summary ================================================================================ Install 3 Packages (+6 Dependent packages) Upgrade ( 1 Dependent package) Total download size: 4.6 M Downloading packages: Delta RPMs disabled because /usr/bin/applydeltarpm not installed. warning: /var/cache/yum/x86_64/7/updates/packages/bind-license-9.9.4-73.el7_6.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY Public key for bind-license-9.9.4-73.el7_6.noarch.rpm is not installed Public key for libmnl-1.0.3-7.el7.x86_64.rpm is not installed -------------------------------------------------------------------------------- Total 1.1 MB/s | 4.6 MB 00:04 Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 Importing GPG key 0xF4A80EB5: Userid : "CentOS-7 Key (CentOS 7 Official Signing Key) " Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5 Package : centos-release-7-6.1810.2.el7.centos.x86_64 (@CentOS) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : GeoIP-1.5.0-13.el7.x86_64 1/11 Installing : libmnl-1.0.3-7.el7.x86_64 2/11 Installing : libnfnetlink-1.0.1-4.el7.x86_64 3/11 Installing : libnetfilter_conntrack-1.0.6-1.el7_3.x86_64 4/11 Installing : iptables-1.4.21-28.el7.x86_64 5/11 Updating : 32:bind-license-9.9.4-73.el7_6.noarch 6/11 Installing : 32:bind-libs-9.9.4-73.el7_6.x86_64 7/11 Installing : 32:bind-utils-9.9.4-73.el7_6.x86_64 8/11 Installing : iproute-4.11.0-14.el7.x86_64 9/11 Installing : wget-1.14-18.el7.x86_64 10/11 install-info: No such file or directory for /usr/share/info/wget.info.gz Cleanup : 32:bind-license-9.9.4-72.el7.noarch 11/11 Verifying : libnfnetlink-1.0.1-4.el7.x86_64 1/11 Verifying : 32:bind-license-9.9.4-73.el7_6.noarch 2/11 Verifying : libmnl-1.0.3-7.el7.x86_64 3/11 Verifying : GeoIP-1.5.0-13.el7.x86_64 4/11 Verifying : 32:bind-libs-9.9.4-73.el7_6.x86_64 5/11 Verifying : wget-1.14-18.el7.x86_64 6/11 Verifying : 32:bind-utils-9.9.4-73.el7_6.x86_64 7/11 Verifying : libnetfilter_conntrack-1.0.6-1.el7_3.x86_64 8/11 Verifying : iproute-4.11.0-14.el7.x86_64 9/11 Verifying : iptables-1.4.21-28.el7.x86_64 10/11 Verifying : 32:bind-license-9.9.4-72.el7.noarch 11/11 Installed: bind-utils.x86_64 32:9.9.4-73.el7_6 iproute.x86_64 0:4.11.0-14.el7 wget.x86_64 0:1.14-18.el7 Dependency Installed: GeoIP.x86_64 0:1.5.0-13.el7 bind-libs.x86_64 32:9.9.4-73.el7_6 iptables.x86_64 0:1.4.21-28.el7 libmnl.x86_64 0:1.0.3-7.el7 libnetfilter_conntrack.x86_64 0:1.0.6-1.el7_3 libnfnetlink.x86_64 0:1.0.1-4.el7 Dependency Updated: bind-license.noarch 32:9.9.4-73.el7_6 Complete! Removing intermediate container 65094f874xxx ---> 9f7416db3xxx Successfully built xxxxx Successfully tagged hogehoge:latest [jp7fkf@localhost ~]$ ``` ## docker にnetnsでnic生やす - 生やしたいこともある.netns, iplink勉強しなきゃね. ``` sudo docker network create --driver=bridge --subnet=172.16.156.0/24 --gateway=172.16.156.1 -o "com.docker.network.bridge.name=br_eth1" br_eth1 sudo docker run -it -d --name hoge --network="br_eth1" --ip=172.16.156.40 test_probe /bin/bash sudo docker start hoge sudo brctl addif br_eth1 eth1 ``` ``` #!/bin/bash -eux CONTAINER_ID=$1 IP_CONTAINER=$2 IP_HOST=$3 NIC_NAME=$4 sudo yum -y install bridge-utils sudo yum -y install git sudo git clone https://github.com/jpetazzo/pipework.git /usr/pipewor sudo ln -s ~/pipework/pipework /usr/bin/pipework pipework br0 $CONTAINER_ID $IP_CONTAINER ip addr add $IP_HOST dev br0 brctl addif br0 $NIC_NAME ``` ### [pypework](https://github.com/jpetazzo/pipework/blob/master/pipework) - dockerにhostのinterfaceを直接生やせたりいろいろできる. - [pipeworkを使ってDockerのcontainerにIPアドレスを付与する方法 | Skyarch Broadcasting](https://www.skyarch.net/blog/?p=6719) - 結局のところ `sudo pipework --direct-phys eth1 $CONTAINERID 192.168.1.2/24` とかを使うのが一番早い件.さすが. - [networking - Assign physical interface to docker exclusively - Server Fault](https://serverfault.com/questions/688483/assign-physical-interface-to-docker-exclusively) ``` [jp7fkf@localhost ~]$ sudo sh -x pipework/pipework --direct-phys eth1 39d4 172.16.156.40/24 + set -e + case "$1" in + DIRECT_PHYS=1 + shift + IFNAME=eth1 + CONTAINER_IFNAME= + '[' 39d4 = -i ']' + '[' 39d4 = -l ']' + FAMILY_FLAG=-4 + '[' 39d4 = -a ']' + GUESTNAME=39d4 + IPADDR=172.16.156.40/24 + MACADDR= + case "$MACADDR" in + VLAN= + case "$MACADDR" in + '[' 172.16.156.40/24 ']' + '[' -z '' ']' + '[' -d /sys/class/net/eth1 ']' + '[' -d /sys/class/net/eth1/bridge ']' + installed ovs-vsctl + command -v ovs-vsctl ++ cat /sys/class/net/eth1/type + '[' 1 -eq 32 ']' + IFTYPE=phys + CONTAINER_IFNAME=eth1 + '[' '' ']' + '[' phys = bridge ']' + '[' phys = ipoib ']' + read _ mnt fstype options _ + '[' rootfs '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' sysfs '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' proc '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' devtmpfs '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' securityfs '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' tmpfs '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' devpts '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' tmpfs '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' tmpfs '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' cgroup '!=' cgroup ']' + grep -qw devices + echo rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd + continue + read _ mnt fstype options _ + '[' pstore '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' cgroup '!=' cgroup ']' + echo rw,nosuid,nodev,noexec,relatime,cpuacct,cpu + grep -qw devices + continue + read _ mnt fstype options _ + '[' cgroup '!=' cgroup ']' + grep -qw devices + echo rw,nosuid,nodev,noexec,relatime,pids + continue + read _ mnt fstype options _ + '[' cgroup '!=' cgroup ']' + echo rw,nosuid,nodev,noexec,relatime,freezer + grep -qw devices + continue + read _ mnt fstype options _ + '[' cgroup '!=' cgroup ']' + grep -qw devices + echo rw,nosuid,nodev,noexec,relatime,cpuset + continue + read _ mnt fstype options _ + '[' cgroup '!=' cgroup ']' + echo rw,nosuid,nodev,noexec,relatime,memory + grep -qw devices + continue + read _ mnt fstype options _ + '[' cgroup '!=' cgroup ']' + grep -qw devices + echo rw,nosuid,nodev,noexec,relatime,hugetlb + continue + read _ mnt fstype options _ + '[' cgroup '!=' cgroup ']' + echo rw,nosuid,nodev,noexec,relatime,perf_event + grep -qw devices + continue + read _ mnt fstype options _ + '[' cgroup '!=' cgroup ']' + grep -qw devices + echo rw,nosuid,nodev,noexec,relatime,net_prio,net_cls + continue + read _ mnt fstype options _ + '[' cgroup '!=' cgroup ']' + echo rw,nosuid,nodev,noexec,relatime,blkio + grep -qw devices + continue + read _ mnt fstype options _ + '[' cgroup '!=' cgroup ']' + grep -qw devices + echo rw,nosuid,nodev,noexec,relatime,devices + CGROUPMNT=/sys/fs/cgroup/devices + read _ mnt fstype options _ + '[' configfs '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' xfs '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' mqueue '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' debugfs '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' hugetlbfs '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' xfs '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' autofs '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' overlay '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' tmpfs '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' proc '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' tmpfs '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' overlay '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' tmpfs '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' proc '!=' cgroup ']' + continue + read _ mnt fstype options _ + '[' /sys/fs/cgroup/devices ']' ++ find /sys/fs/cgroup/devices -name 39d4 ++ wc -l + N=0 + case "$N" in + installed docker + command -v docker + RETRIES=3 + '[' 3 -gt 0 ']' ++ docker inspect '--format={{ .State.Pid }}' 39d4 + DOCKERPID=29121 ++ docker inspect '--format={{ .ID }}' 39d4 + DOCKERCID=39d4a4146861624830f60bd15f07c61215ee7cd10af3063e543b48baeedbxxxx ++ docker inspect '--format={{ .Name }}' 39d4 + DOCKERCNAME=/hoge + '[' 29121 '!=' 0 ']' + break + '[' 29121 = 0 ']' + '[' 29121 = '' ']' + '[' phys '!=' route ']' + '[' phys '!=' rule ']' + '[' phys '!=' tc ']' + case "$IPADDR" in + : + '[' '' ']' + '[' 29121 ']' + NSPID=29121 + '[' phys = phys ']' + '[' '' ']' + '[' '!' -d /var/run/netns ']' + rm -f /var/run/netns/29121 + ln -s /proc/29121/ns/net /var/run/netns/29121 + '[' phys = bridge ']' + '[' phys '!=' route ']' + '[' phys '!=' dummy ']' + '[' phys '!=' rule ']' + '[' phys '!=' tc ']' ++ ip link show eth1 ++ awk '{print $5}' + MTU=1500 + '[' phys = bridge ']' + '[' phys = phys ']' + '[' '' ']' + '[' '!' -z 1 ']' + GUEST_IFNAME=eth1 + ip link set eth1 up + '[' phys = ipoib ']' + '[' phys = dummy ']' + '[' phys = route ']' + '[' phys = rule ']' + '[' phys = tc ']' + ip link set eth1 netns 29121 + ip netns exec 29121 ip link set eth1 name eth1 + '[' '' ']' + case "$DHCP_CLIENT" in + installed ipcalc + command -v ipcalc ++ ipcalc -b 172.16.156.40/24 + eval BROADCAST=172.16.156.255 ++ BROADCAST=172.16.156.255 + ip netns exec 29121 ip -4 addr add 172.16.156.40/24 brd 172.16.156.255 dev eth1 + '[' '' ']' + ip netns exec 29121 ip -4 link set eth1 up + '[' '' ']' + installed arping + command -v arping ++ echo 172.16.156.40/24 ++ cut -d/ -f1 + IPADDR=172.16.156.40 + ip netns exec 29121 arping -c 1 -A -I eth1 172.16.156.40 + rm -f /var/run/netns/29121 [jp7fkf@localhost ~]$ ```` ## docker で ip route add できないんだが! - `--privileged` つけろ.アホ. ## docker networkとnetns - [Dockerのネットワーク管理とnetnsの関係 - めもめも](http://enakai00.hatenablog.com/entry/20140424/1398321672) - [Dockerを支える技術 - SlideShare](https://www.slideshare.net/enakai/docker-34668707) ## docker lint - [Dockerfileの静的解析ツールが便利すぎた - Qiita](https://qiita.com/ryuichi1208/items/d49f3f6ba39c88899049) ## コンテナ技術入門 - [コンテナ技術入門 - 仮想化との違いを知り、要素技術を触って学ぼう - エンジニアHub|若手Webエンジニアのキャリアを考える!](https://employment.en-japan.com/engineerhub/entry/2019/02/05/103000) ## docker installation on ubuntu18.04 ``` sudo apt-get install -y apt-transport-https ca-certificates curl sudo apt install -y apt-transport-https ca-certificates curl software-properties-common curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - sudo apt-key fingerprint 0EBFCD88 uname -a sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu \ $(lsb_release -cs) \ stable" sudo apt update sudo apt install -y docker-ce sudo docker ps -a sudo systemctl start docker sudo systemctl enable docker sudo usermod -aG docker $USER //executable docker command without sudo ``` ## Buildkitを有効にする 手法1. 環境変数に書く ``` $ export DOCKER_BUILDKIT=1 ``` 手法2. 設定ファイルを書く `/etc/docker/daemon.json`,もしくはDocker for Macの場合は,`Preferences>Daemon>Advanced` 下記を記述する. ``` { "features": { "buildkit": true } } ``` ## [Contiv](https://contiv.io/) - CiscoのOSSなコンテナネットワーキングソフトウェア ## dockerdot - [GitHub - po3rin/dockerdot: dockerdot shows dockerfile dependenciy graph. This is useful to understand how build dockerfile. This uses Go WebAssembly + BuildKit package.](https://github.com/po3rin/dockerdot) - Dockerfile入力からBuildKit LLBに変換,このLLBをdot言語に変換,viz.jsでグラフ化. ## systemdとdocker-composeを組み合わせる docker-composeのありかを指定しつつrootでsystemdであげる感じだと下記.これを`/etc/systemd/system/nginx.service`等においておき,`sudo systemctl daemon-reload`して利用できるようになる. ``` lab@docker01:~/nginx$ cat nginx.service [Unit] Description=docker-compose nginx service Requires=docker.service [Service] User=root Type=simple Environment=COMPOSE_FILE=/home/lab/nginx/docker-compose.yml #ExecStartPre=/usr/bin/docker-compose -f ${COMPOSE_FILE} kill #ExecStartPre=/usr/bin/docker-compose -f ${COMPOSE_FILE} rm -v -f ExecStartPre=/usr/bin/docker-compose -f ${COMPOSE_FILE} down ExecStart=/usr/bin/docker-compose -f ${COMPOSE_FILE} up --force-recreate --abort-on-container-exit #ExecStop=/usr/bin/docker-compose -f ${COMPOSE_FILE} stop #ExecStopPost=/usr/bin/docker-compose -f ${COMPOSE_FILE} rm -v -f ExecStopPost=/usr/bin/docker-compose -f ${COMPOSE_FILE} down Restart=always RestartSec=180s [Install] WantedBy=multi-user.target ``` ### References - [Systemdとdocker-composeでカジュアルにdockerを運用する - Qiita](https://qiita.com/kanga/items/5f956bc47068c9774522) ## volume - `docker-compose rm -v`ではanonymous volumeのみが削除され,named volumeはそのまま残る.DB永続化等はこれで残せる. - `docker-compose down -v`だとnamed volumeも削除されてしまうので注意する必要がある. ## k8s - `$ kubectl describe pods my_namespace -n my_pod` ### GKE upgrade ``` export GKE_CHANNEL=REGULAR export GKE_VER=1.25.10-gke.2700 export GKE_REGION=asia-northeast1 export GKE_CLUSTER=my-dev-master export GKE_NODEPOOL=my-dev-pool gcloud container get-server-config --flatten="channels" --filter="channels.channel=${GKE_CHANNEL}" --format="yaml(channels.channel,channels.validVersions)" --region=${GKE_REGION} gcloud container clusters list gcloud container node-pools list --cluster=${GKE_CLUSTER} --region=${GKE_REGION} kubectl get nodes gcloud container clusters upgrade ${GKE_CLUSTER} --master --cluster-version ${GKE_VER} --region=${GKE_REGION} gcloud container clusters upgrade ${GKE_CLUSTER} --node-pool=${GKE_NODEPOOL} --cluster-version ${GKE_VER} --region=${GKE_REGION} ``` ## Dockerfileでdocker run ``` #!/usr/bin/env -S bash -c "docker run -p 8080:8080 -it --rm \$(docker build \$(for arg in \$*; do echo --build-arg \$arg; done) --progress plain -f \$0 . 2>&1 | tee /dev/stderr | grep -oP 'sha256:[0-9a-f]*')" ``` ``` chmod +x ./Dockerfile ./Dockerfile hoge=huga # ARG hoge=huga ``` - [#!/usr/bin/env docker run · GitHub](https://gist.github.com/adtac/595b5823ef73b329167b815757bbce9f)