docker私有化部署

一、docker守护进程

  1. docker的守护进程的层级结构如下图:

    三者关系:Docker Engine 负责镜像管理,将镜像交付到 containerd 运行,containerd 使用 runC 来运行容器。Docker Engine和client交互,管理镜像和容器。启动时指定runC实现containerd守护进程,主要用于镜像管理和容器执行,向上为dockerd提供grpc接口,向下通过containerd-shim结合runC,使得引擎可以独立升级,避免之前Docker Daemon升级会导致所有容器不可用的问题。独立负责容器运行时和生命周期(如创建、启动、停止、中止、信号处理、删除等),其他一些如镜像构建、卷管理、日志等由dockerd守护进程的其他模块处理。containerd 只需管理容器,包括容器的启动、停止、暂停和销毁。鉴于容器运行时与引擎隔离,Engine 能够重启和升级,无需重启容器。

  2. 实例:
    2.1 启动docker之后:(42720是docker守护进程dockerd)

[root@your_machine my_container]# pstree -l -a -A 42720
dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --default-runtime=docker-runc --exec-opt native.cgroupdriver=systemd --userland-proxy-path=/usr/libexec/docker/docker-proxy-current --graph=/home/work/docker --selinux-enabled --log-driver=journald --signature-verification=false
|-docker-containe -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --shim docker-containerd-shim --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libcontainerd/containerd --runtime docker-runc --runtime-args --systemd-cgroup=true
[root@your_machine my_container]# ps -ef |grep 42720
root 16284 12092 0 14:30 pts/4 00:00:00 grep --color=auto 42720
root 42720 1 1 2017 ? 03:24:29 /usr/bin/dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --default-runtime=docker-runc --exec-opt native.cgroupdriver=systemd --userland-proxy-path=/usr/libexec/docker/docker-proxy-current --graph=/home/work/docker --selinux-enabled --log-driver=journald --signature-verification=false
root 42729 42720 0 2017 ? 00:03:00 /usr/bin/docker-containerd-current -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --shim docker-containerd-shim --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libcontainerd/containerd --runtime docker-runc --runtime-args --systemd-cgroup=true
root 44419 42720 0 2017 ? 00:00:00 xz -d -c -q

/usr/bin/dockerd-current是dockerd守护进程,启动时指定runC实现为/usr/libexec/docker/docker-runc-current

/usr/bin/docker-containerd-current是docker-containerd守护进程

2.2 启动一个容器后:
[work@your_machine ~]$ docker run -itd docker.io/centos /bin/bash
c22307e49cc135640e3d72b69244d92aedcef1a400b0080f44d6cfca5a77b04b
[work@your_machine ~]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c22307e49cc1 docker.io/centos "/bin/bash" 2 seconds ago Up 1 seconds stoic_liskov
[root@your_machine my_container]# pstree -l -a -A 42720
dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --default-runtime=docker-runc --exec-opt native.cgroupdriver=systemd --userland-proxy-path=/usr/libexec/docker/docker-proxy-current --graph=/home/work/docker --selinux-enabled --log-driver=journald --signature-verification=false
|-docker-containe -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --shim docker-containerd-shim --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libcontainerd/containerd --runtime docker-runc --runtime-args --systemd-cgroup=true
| |-docker-containe c22307e49cc135640e3d72b69244d92aedcef1a400b0080f44d6cfca5a77b04b /var/run/docker/libcontainerd/c22307e49cc135640e3d72b69244d92aedcef1a400b0080f44d6cfca5a77b04b /usr/libexec/docker/docker-runc-current
| | |-bash
[root@your_machine my_container]# ps -ef |grep 42729

root 17195 42729 0 14:51 ? 00:00:00 /usr/bin/docker-containerd-shim-current c22307e49cc135640e3d72b69244d92aedcef1a400b0080f44d6cfca5a77b04b /var/run/docker/libcontainerd/c22307e49cc135640e3d72b69244d92aedcef1a400b0080f44d6cfca5a77b04b /usr/libexec/docker/docker-runc-current
root 17320 12092 0 14:53 pts/4 00:00:00 grep --color=auto 42729
root 42729 42720 0 2017 ? 00:03:00 /usr/bin/docker-containerd-current -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --shim docker-containerd-shim --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libcontainerd/containerd --runtime docker-runc --runtime-args --systemd-cgroup=true

可以看到,启动一个容器后,containerd进程创建了一个docker-containerd-shim(/usr/bin/docker-containerd-shim-current)进程,参数c22307e49cc135640e3d72b69244d92aedcef1a400b0080f44d6cfca5a77b04b是启动容器的id,参数/var/run/docker/libcontainerd/c22307e49cc135640e3d72b69244d92aedcef1a400b0080f44d6cfca5a77b04b是和容器相关的目录,其中包括容器配置、标准输入、标准输出:

[root@your_machine my_container]# ll /var/run/docker/libcontainerd/c22307e49cc135640e3d72b69244d92aedcef1a400b0080f44d6cfca5a77b04b
total 20
-rw-r--r--. 1 root root 20441 Jan 9 14:51 config.json
prwx------. 1 root root 0 Jan 9 14:51 init-stdin
prwx------. 1 root root 0 Jan 9 14:51 init-stdout

这个容器的json文件:config.json

最后一行的bash进程是容器中正在运行的进程,因为PID隔离所以在宿主机上看到的pid和在容器内看到的PID不一样:

[root@your_machine my_container]# ps -ef |grep 17195
root 17195 42729 0 14:51 ? 00:00:00 /usr/bin/docker-containerd-shim-current c22307e49cc135640e3d72b69244d92aedcef1a400b0080f44d6cfca5a77b04b /var/run/docker/libcontainerd/c22307e49cc135640e3d72b69244d92aedcef1a400b0080f44d6cfca5a77b04b /usr/libexec/docker/docker-runc-current
root 17211 17195 0 14:51 pts/3 00:00:00 /bin/bash
[work@your_machine ~]$ docker attach c22307e49cc1
[root@c22307e49cc1 /]# ps
PID TTY TIME CMD
1 ? 00:00:00 bash
15 ? 00:00:00 ps
  1. runC
    runC实现了容器启停,资源隔离等功能。下面只用runC来启停容器:
    3.1 把docker respoity上的busybox
    mkdir my_container
    cd my_container
    mkdir rootfs
    docker export $(docker create busybox) | tar -C rootfs -xvf -
    [root@your_machine work]# tree -d my_container/
    my_container/
    `-- rootfs
    |-- bin
    |-- dev
    | |-- pts
    | `-- shm
    |-- etc
    |-- home
    |-- proc
    |-- root
    |-- sys
    |-- tmp
    |-- usr
    | `-- sbin
    `-- var
    |-- spool
    | `-- mail
    `-- www
    
    17 directories
    
    3.2 然后调用runc生成配置文件,主要包含容器挂载信息、平台信息、进程信息等容器启动依赖的所有数据:

生成配置文件:

[root@your_machine my_container]# /usr/libexec/docker/docker-runc-current spec
[root@your_machine my_container]# ll
total 8
-rw-r--r--. 1 root root 2342 Jan 9 15:19 config.json
drwxrwxr-x. 12 work work 4096 Jan 8 23:14 rootfs

启动容器:

[root@your_machine my_container]# /usr/libexec/docker/docker-runc-current run busybox2
/ # pwd
/
/ # ll
sh: ll: not found
/ # ls
bin dev etc home proc root sys tmp usr var
comments powered by Disqus