Docker
2020-09-02 12:01:40
myron
## Jenkins deployment to k8s

### YAML template

```yaml
apiVersion: v1
kind: ReplicationController
metadata:
  name: msdp-batch
  namespace: dev
  labels:
    name: msdp-batch
spec:
  replicas: 1
  selector:
    name: msdp-batch
  template:
    metadata:
      labels:
        name: msdp-batch
    spec:
      containers:
      - name: msdp-batch
        image: IMAGENAME
        env:
        - name: ENV
          value: k8s
        ports:
        - containerPort: 9010
        volumeMounts:
        - name: local-time
          mountPath: /etc/localtime
          readOnly: true
        - name: jdk
          mountPath: /opt/jdk
      volumes:
      - name: local-time
        hostPath:
          path: /etc/localtime
      - name: jdk
        hostPath:
          path: JDK_PATH
```

### Deployment script

```bash
# Define environment variables
echo "定义环境变量"
echo "workspace:" "$WORKSPACE"
echo "git_url:" "$GIT_URL"
# Full hash of the current commit (same value as the first line of `git log`)
GIT_VERSION=$(git rev-parse HEAD)
BUILD_TIME=$(date +%s)
IMAGE="registry:5000/bigtree/dubbo/service/msdp-batch:$BUILD_TIME-$GIT_VERSION"

# Build the image
echo "打包镜像"
cd k8s
cp ../msdp-bat-service/target/msdp-bat-service.war ./
docker build -t "$IMAGE" .

# Push the image to the registry
echo "推送镜像到 Registry"
docker push "$IMAGE"

# Replace the image name in the k8s manifests with the current version
echo "替换k8s配置文件中image名称为当前版本"
sed -i "s|IMAGENAME|$IMAGE|g" *.yaml
sed -i 's?JDK\_PATH?'"$JDK_PATH"'?' *.yaml
ls *.yaml |xargs cat

## Deploy to the k8s cluster
echo "部署到 k8s 集群 ..."
export KUBECONFIG=/bin/.kube/admin.conf
kubectl -n dev delete -f *.yaml
kubectl -n dev create -f *.yaml
```

_______________________________________________________

## Flannel networking on Docker hosts

1. `# cat /etc/sysconfig/flanneld`

```
# Flanneld configuration options

# etcd url location. Point this to the server where etcd runs
FLANNEL_ETCD_ENDPOINTS="http://172.16.108.11:2379"

# etcd config key. This is the configuration key that flannel queries
# For address range assignment
FLANNEL_ETCD_PREFIX="/flannel/network"

# Any additional options that you want to pass
FLANNEL_OPTIONS="--iface=eth0"
```

2. Edit /usr/lib/systemd/system/docker.service (`vi /usr/lib/systemd/system/docker.service`) and add the following:

```
# for containers run by docker
Environment="PATH=/root/local/bin:/bin:/sbin:/usr/bin:/usr/sbin"
EnvironmentFile=-/run/flannel/docker
ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP $MAINPID
```

```
# systemctl daemon-reload
# systemctl restart docker
```

_______________________________________________________

```
sed -i 's/# %wheel/%wheel/g' /etc/sudoers
```

```
mgr@kali:~$ echo bigtree.com |md5sum
c600ab351df7f121255c8ccef4b705b1  -
```

_______________________________________________________

## Connecting the Docker host network to external networks

```
[root@v-yanshi deploy]# cat start_net.sh
#!/bin/bash
iptables -D DOCKER-ISOLATION-STAGE-2 1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT
```

_______________________________________________________

## Starting the Java applications

Web start command:

```
java -jar access-web-0.0.1-SNAPSHOT.jar com.bigtreefinance.access.AccessWebApplication --spring.profiles.active=dev --server.port=8080
```

Service start command:

```
java -jar access-service-0.0.1-SNAPSHOT.jar com.bigtreefinance.access.AccessServiceApplication --spring.profiles.active=dev --server.port=8080
```

Parameter: server.port sets the port the application runs on; the commands above set it to 8080.

_______________________________________________________

## Pulling gcr.io images through a proxy with Docker

```
mkdir -p /etc/systemd/system/docker.service.d
vi /etc/systemd/system/docker.service.d/http-proxy.conf
```

```
[Service]
Environment="HTTP_PROXY=http://proxy.bigtree.com:8118/" "NO_PROXY=localhost,172.0.0.0/8,172.30.0.0/16,10.0.54.24,10.0.54.25,10.0.54.26,10.0.54.27,10.0.54.28,127.0.0.1,daocloud.io,docker.io,registry,172.16.50.153,120.79.163.88,39.108.167.205,114.242.193.198,0.0.0.0"
```

```
systemctl daemon-reload
systemctl restart docker
```

_______________________________________________________

## Updating the labels of a resource object

A Label is an object attribute that users can define freely. On an object that has already been created, labels can still be added, changed, or removed at any time with the kubectl label command.

For example, to add the label role=backend to the existing Pod "redis-master-bobr0":

```
$ kubectl label pod redis-master-bobr0 role=backend
```

View the Pod's labels:

```
$ kubectl get pods -Lrole
NAME                 READY   STATUS    RESTARTS   AGE   ROLE
redis-master-bobr0   1/1     Running   0          3m    backend
```

To delete a label, put the label's key followed by a minus sign at the end of the command:

```
$ kubectl label pod redis-master-bobr0 role-
```

To change the value of a label, add the --overwrite flag:

```
$ kubectl label pod redis-master-bobr0 role=master --overwrite
```

_______________________________________________________

## Docker initialization

```
[root@node15 ~]# more /etc/sysconfig/docker
# /etc/sysconfig/docker

# Modify these options if you want to change the way the docker daemon runs
# OPTIONS='--selinux-enabled'
OPTIONS="--selinux-enabled -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --storage-opt dm.no_warn_on_loop_devices=true --log-level=warn"
DOCKER_CERT_PATH=/etc/docker

# If you want to add your own registry to be used for docker search and docker
# pull use the ADD_REGISTRY option to list a set of registries, each prepended
# with --add-registry flag. The first registry added will be the first registry
# searched.
# ADD_REGISTRY='--add-registry registry.access.redhat.com'
ADD_REGISTRY='--add-registry chineseall:5000'

# If you want to block registries from being used, uncomment the BLOCK_REGISTRY
# option and give it a set of registries, each prepended with --block-registry
# flag. For example adding docker.io will stop users from downloading images
# from docker.io
# BLOCK_REGISTRY='--block-registry'

# If you have a registry secured with https but do not have proper certs
# distributed, you can tell docker to not look for full authorization by
# adding the registry to the INSECURE_REGISTRY line and uncommenting it.
# INSECURE_REGISTRY='--insecure-registry'
INSECURE_REGISTRY='--insecure-registry chineseall:5000'

# On an SELinux system, if you remove the --selinux-enabled option, you
# also need to turn on the docker_transition_unconfined boolean.
# setsebool -P docker_transition_unconfined 1

# Location used for temporary files, such as those created by
# docker load and build operations. Default is /var/lib/docker/tmp
# Can be overriden by setting the following environment variable.
# DOCKER_TMPDIR=/var/tmp

# Controls the /etc/cron.daily/docker-logrotate cron job status.
# To disable, uncomment the line below.
# LOGROTATE=false
```

_______________________________________________________

## Registry backup

IP: 192.168.0.17

Backup path: /data/md3260i/files/docker_registry_hudsondata_192.168.0.236

_______________________________________________________

## Log rotation

```
[root@node11 19f145679e91c23ec10ffdede6727bfb4202ec24520c983b56d6a5fe28159582]# more /etc/logrotate.d/docker-containers
/var/lib/docker/containers/*/*-json.log {
    rotate 5
    copytruncate
    missingok
    notifempty
    compress
    maxsize 10M
    daily
    create 0644 root root
}
```

_______________________________________________________

## Finding zombie pods

```
k get po |grep Terminating
```

_______________________________________________________

## Image pull policy: Always, IfNotPresent

```yaml
containers:
- image: busybox
  command:
  - sleep
  - "3600"
  imagePullPolicy: IfNotPresent
```

_______________________________________________________

## Command auto-completion: the complete tool

```
yum -y install bash-completion-2.1-6.el7.noarch
```

_______________________________________________________

hosts.allow

```
sshd:192.168.0.0/255.255.0.0
sshd:10.10.254.0/255.255.255.0
sshd:211.157.166.0/255.255.255.0
sshd:219.238.93.0/255.255.255.0
sshd:103.250.227.145/255.255.255.240
sshd:125.39.193.0/255.255.255.0
sshd:125.39.194.0/255.255.255.0
sshd:125.39.195.0/255.255.255.0
```

hosts.deny

```
sshd:ALL
```

_______________________________________________________

```
[maguirun@node1 ~]$ more .bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi

# User specific environment and startup programs

PATH=$PATH:$HOME/.local/bin:$HOME/bin

export PATH
eval `ssh-agent`
```

_______________________________________________________

https://github.com/kubernetes/kubernetes/releases/

_______________________________________________________

```
# kubectl exec --tty -i [pod name] bash
```

_______________________________________________________

```
[root@node1 kube-ui]# more /etc/sysconfig/flanneld
# Flanneld configuration options

# etcd url location. Point this to the server where etcd runs
FLANNEL_ETCD="http://192.168.0.163:4001"

# etcd config key. This is the configuration key that flannel queries
# For address range assignment
FLANNEL_ETCD_KEY="/coreos.com/network"

# Any additional options that you want to pass
FLANNEL_OPTIONS="-iface=em4"
```

_______________________________________________________

## Defining different ports in a Service

```yaml
spec:
  ports:
  - port: 8080
    nodePort: 30102
    targetPort: 8080
```

_______________________________________________________

```
wget -c https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz
ls
tar xzvf easy-rsa.tar.gz
ls
cd easy-rsa-master/
cd easyrsa3/
ls
./easyrsa init-pki
./easyrsa --batch "--req-cn=192.168.0.163@`date +%s`" build-ca nopass
./easyrsa --subject-alt-name="IP:192.168.0.163" build-server-full kubernetes-master nopass
ls /srv/kubernetes/
rm -f /srv/kubernetes/*
ls /srv/kubernetes/
cp pki/ca.crt pki/issued/kubernetes-master.crt pki/private/kubernetes-master.key /srv/kubernetes/
```

```
mkdir -p /srv/kubernetes/new
ls
cd /srv/kubernetes/new/
ls
openssl genrsa -out ca.key 2048
ls
openssl req -x509 -new -nodes -key ca.key -subj "/CN=17k.com" -days 5000 -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -key server.key -subj "/CN=node1" -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 5000
ls
pwd
history
```

```
[root@node1 new]# more /etc/kubernetes/apiserver
## Created by mgr.
KUBE_API_ADDRESS="--address=0.0.0.0"
KUBE_API_PORT="--port=8080"
KUBE_MASTER="--master=192.168.0.163:8080"
KUBELET_PORT="kubelet_port=10250"
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.10.0.0/16"
#KUBE_API_ARGS="--admission_control=ServiceAccount"
KUBE_API_ARGS="--admission_control=ServiceAccount --client-ca-file=/srv/kubernetes/new/ca.crt --tls-cert-file=/srv/kubernetes/new/server.crt --tls-private-key-file=/srv/kubernetes/new/server.key"
KUBE_API_ARGS="--secure-port=0"
```

```
[root@node1 new]# more /etc/kubernetes/controller-manager
## Create by mgr.
KUBELET_ADDRESSES="--machines=node2,node3"
#KUBE_CONTROLLER_MANAGER_ARGS="--service_account_private_key_file=/var/run/kubernetes/apiserver.key"
KUBE_CONTROLLER_MANAGER_ARGS="--root-ca-file=/srv/kubernetes/new/ca.crt --service_account_private_key_file=/srv/kubernetes/new/server.key"
#KUBE_CONTROLLER_MANAGER_ARGS=""
```

_______________________________________________________

@iremA use these commands to make crt and key:

```
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=abc.com" -days 5000 -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -key server.key -subj "/CN=vm-56-65" -out server.csr
```

**there "/CN=vm-56-65" should be "/CN=[yourhostname]"

```
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 5000
```

put these keys into /var/run/kubernetes/ and start api-server as:

```
./kube-apiserver --logtostderr=true --log-dir=/var/log/ --v=0 \
  --admission_control=ServiceAccount --etcd_servers=http://127.0.0.1:4001 \
  --insecure_bind_address=0.0.0.0 --insecure_port=8080 --kubelet_port=10250 \
  --service-cluster-ip-range=10.0.0.1/24 --allow_privileged=false \
  --service-node-port-range='30000-35535' \
  --client_ca_file=/var/run/kubernetes/ca.crt \
  --tls-private-key-file=/var/run/kubernetes/server.key \
  --tls-cert-file=/var/run/kubernetes/server.crt
```

start controller-manager with these two flags:

```
--root-ca-file="/var/run/kubernetes/ca.crt" --service-account-private-key-file="/var/run/kubernetes/server.key"
```

now try to create a pod

_______________________________________________________

## Add a user to the wheel group and allow sudo to root

```
# chmod +w /etc/sudoers
# vi /etc/sudoers
```

Change it to:

```
%wheel ALL=(ALL) NOPASSWD: ALL
```

```
# chmod -w /etc/sudoers
# usermod -g wheel lizhiwei
```

_______________________________________________________

## Switch kube-proxy to iptables mode for better performance

Edit /etc/kubernetes/proxy (`# vi /etc/kubernetes/proxy`) and add the following:

```
KUBE_PROXY_ARGS="--legacy-userspace-proxy=false"
```

_______________________________________________________

###### Ubuntu, Debian: find which package a command belongs to

###### RHEL, CentOS: find which rpm package a command belongs to

```
[root@node7 ~]# rpm -qif "/usr/bin/dig"
[root@node7 ~]# rpm -qf "/usr/bin/dig"
```

_______________________________________________________

## Insert the contents of limit.txt after line 19 of ulimit.yaml

```
sed '19 r limit.txt' unlimit.yaml
```

_______________________________________________________

Create the storage directory:

```
mkdir -p /var/lib/docker/devicemapper/devicemapper
```

Create your pool:

```
dd if=/dev/zero of=/var/lib/docker/devicemapper/devicemapper/data bs=1G count=0 seek=250
```

This will create a sparse file of 250G. If you specify bs=1G count=250 (without the seek option) then it will create a normal file (instead of a sparse file).

_______________________________________________________

## Querying tags in a Docker Registry

http://chineseall:5000/v1/repositories/17k-tomcat-hudson/tags

_______________________________________________________

## Deleting files with special names on Linux

```
# ls -il .
# find ./ -inum 1669219
# find ./ -inum 1669219 -exec rm -i {} \;
```

Example:

```
miger@miger-Latitude-E6400-ATG:~/tools/k8s/17k.yaml/12comment_duboo$ ls
!  comment-rc.yaml  comment-svc.yaml
miger@miger-Latitude-E6400-ATG:~/tools/k8s/17k.yaml/12comment_duboo$ ls -il
总用量 12
1669219 -rw-r--r-- 1 miger miger 844 1月   4 10:24 !
1669238 -rw-r--r-- 1 miger miger 876 1月   4 10:24 comment-rc.yaml
1669237 -rw-r--r-- 1 miger miger 308 1月   4 10:24 comment-svc.yaml
miger@miger-Latitude-E6400-ATG:~/tools/k8s/17k.yaml/12comment_duboo$ find ./ -inum 1669219
miger@miger-Latitude-E6400-ATG:~/tools/k8s/17k.yaml/12comment_duboo$ find ./ -inum 1669219 -exec rm -i {} \;
rm:是否删除普通文件 "./!"? y
```

_______________________________________________________

## Disabling IPv6 on CentOS 7

```
# lsmod | grep ipv6
# cat /proc/sys/net/ipv6/conf/all/disable_ipv6
# vi /etc/default/grub
GRUB_CMDLINE_LINUX="ipv6.disable=1 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap crashkernel=auto rhgb quiet"
# grub2-mkconfig -o /boot/grub2/grub.cfg
# reboot
```

_______________________________________________________

## Installing flanneld

1. Install from the rpm package.

2. Edit /etc/sysconfig/flanneld:

```
## added by mgr.
FLANNEL_ETCD="http://etcd.local:4001"

# etcd config key. This is the configuration key that flannel queries
# For address range assignment
FLANNEL_ETCD_KEY="/coreos.com/network"

# Any additional options that you want to pass
#FLANNEL_OPTIONS=""
## added by mgr.
FLANNEL_OPTIONS="-iface=ens32"
```

3. Initialize etcd:

```
$ vi flannel-conf.json
{
  "Network": "10.0.0.0/16",
  "SubnetLen": 24,
  "Backend": {
    "Type": "vxlan",
    "VNI": 1
  }
}
# curl -L http://etcd.local:4001/v2/keys/coreos.com/network/config -XPUT --data-urlencode value@flannel-conf.json
```

Set the IP address of the docker0 bridge:

```
source /run/flannel/subnet.env
ifconfig docker0 $FLANNEL_SUBNET
```

The cause is that when the docker daemon restarts, it adds a MASQUERADE rule to the DOCKER chain of the iptables nat table.

Fix: add --ip-masq=false to Docker's startup options in DOCKER_OPTS.

_______________________________________________________

## Cleaning up local Docker containers

```
$ docker ps -aq |xargs docker rm
# for i in `docker ps -a |grep Exited |awk '{print $1}'`; do docker rm -f $i; done
```

## Cleaning up Docker containers across the cluster

```
$ for i in {1..9}; do ssh root@node0$i "docker ps -aq |xargs docker rm"; done;
```

_______________________________________________________

## heapster installation issue

Add the following to the apiserver startup flags:

```
--admission_control=ServiceAccount
```

On startup the apiserver creates a key and a crt by itself (see /var/run/kubernetes/apiserver.crt and apiserver.key).

Then add this flag when starting ./kube-controller-manager:

```
--service_account_private_key_file=/var/run/kubernetes/apiserver.key
```

After the k8s master is started this way, kubectl get serviceaccount returns:

```
NAME      SECRETS
default   1
```

_______________________________________________________

APIServer fails to start:

```
# etcdctl rm --recursive registry
```

_______________________________________________________

## Kubernetes initialization

```
# docker pull docker.io/kubernetes/pause
# docker images
# docker tag kubernetes/pause gcr.io/google_containers/pause:0.8.0
# docker tag gcr.io/google_containers/pause:0.8.0 gcr.io/google_containers/pause
```

_______________________________________________________

```
# docker run --name=mysql --hostname=mysql -d -p 3306:3306 -v /data/mysql:/var/lib/mysql -e MYSQL_ROOT_PASSWORD=chinesealldb docker.io/mysql/mysql-server
# docker ps -l
# docker images
# docker run --name=discuz --hostname=discuz -d -p 80:80 --link mysql:mysql docker.io/skyzhou/docker-discuz
```

_______________________________________________________

```bash
# Some useful commands to use docker.
# Author: yeasy@github
# Created:2014-09-25

alias docker-pid="sudo docker inspect --format '{{.State.Pid}}'"
alias docker-ip="sudo docker inspect --format '{{ .NetworkSettings.IPAddress }}'"

#the implementation refs from https://github.com/jpetazzo/nsenter/blob/master/docker-enter
function docker-enter() {
    #if [ -e $(dirname "$0")/nsenter ]; then
    #Change for centos bash running
    if [ -e $(dirname '$0')/nsenter ]; then
        # with boot2docker, nsenter is not in the PATH but it is in the same folder
        NSENTER=$(dirname "$0")/nsenter
    else
        # if nsenter has already been installed with path notified, here will be clarified
        NSENTER=$(which nsenter)
        #NSENTER=nsenter
    fi
    [ -z "$NSENTER" ] && echo "WARN Cannot find nsenter" && return

    if [ -z "$1" ]; then
        echo "Usage: `basename "$0"` CONTAINER [COMMAND [ARG]...]"
        echo ""
        echo "Enters the Docker CONTAINER and executes the specified COMMAND."
        echo "If COMMAND is not specified, runs an interactive shell in CONTAINER."
    else
        PID=$(sudo docker inspect --format "{{.State.Pid}}" "$1")
        if [ -z "$PID" ]; then
            echo "WARN Cannot find the given container"
            return
        fi
        shift

        OPTS="--target $PID --mount --uts --ipc --net --pid"

        if [ -z "$1" ]; then
            # No command given.
            # Use su to clear all host environment variables except for TERM,
            # initialize the environment variables HOME, SHELL, USER, LOGNAME, PATH,
            # and start a login shell.
            #sudo $NSENTER "$OPTS" su - root
            sudo $NSENTER --target $PID --mount --uts --ipc --net --pid su - root
        else
            # Use env to clear all host environment variables.
            # "$@" keeps each argument of the command as one word.
            sudo $NSENTER --target $PID --mount --uts --ipc --net --pid env -i "$@"
        fi
    fi
}
```

_______________________________________________________

## Entering a container

When the -d flag is used, the container goes into the background after it starts. Sometimes you need to enter the container to work in it; there are several ways to do this, including the docker attach command and the nsenter tool.

### The attach command

docker attach is a command built into Docker. The following example shows how to use it.

```
$ sudo docker run -idt ubuntu
243c32535da7d142fb0e6df616a3c3ada0b8ab417937c853a9e1c251f499f550
$ sudo docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
243c32535da7        ubuntu:latest       "/bin/bash"         18 seconds ago      Up 17 seconds                           nostalgic_hypatia
$ sudo docker attach nostalgic_hypatia
root@243c32535da7:/#
```

However, the attach command is sometimes inconvenient. When several windows attach to the same container at the same time, all of them display the same output in sync. When one window blocks on a command, the other windows cannot do anything either.

### The nsenter command

#### Installation

The nsenter tool is included in the util-linux package from version 2.23 onward. If the util-linux package on your system does not provide the command, you can install it from source as follows.

```
$ cd /tmp; curl https://www.kernel.org/pub/linux/utils/util-linux/v2.24/util-linux-2.24.tar.gz | tar -zxf-; cd util-linux-2.24;
$ ./configure --without-ncurses
$ make nsenter && sudo cp nsenter /usr/local/bin
```

#### Usage

nsenter can access the namespaces of another process. nsenter needs root privileges to work properly.

Unfortunately, Ubuntu 14.04 still uses util-linux 2.20. To install the latest version of util-linux (2.24), follow these steps:

```
$ wget https://www.kernel.org/pub/linux/utils/util-linux/v2.24/util-linux-2.24.tar.gz; tar xzvf util-linux-2.24.tar.gz
$ cd util-linux-2.24
$ ./configure --without-ncurses && make nsenter
$ sudo cp nsenter /usr/local/bin
```

To connect to a container you also need the PID of the container's first process, which you can get with the following command.

```
PID=$(docker inspect --format "{{ .State.Pid }}" <container>)
```

With this PID you can connect to the container:

```
$ nsenter --target $PID --mount --uts --ipc --net --pid
```

A complete example follows.

```
$ sudo docker run -idt ubuntu
243c32535da7d142fb0e6df616a3c3ada0b8ab417937c853a9e1c251f499f550
$ sudo docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
243c32535da7        ubuntu:latest       "/bin/bash"         18 seconds ago      Up 17 seconds                           nostalgic_hypatia
$ PID=$(docker-pid 243c32535da7)
10981
$ sudo nsenter --target 10981 --mount --uts --ipc --net --pid
root@243c32535da7:/#
```

More simply, download .bashrc_docker and put its contents in .bashrc.

```
$ wget -P ~ https://github.com/yeasy/docker_practice/raw/master/_local/.bashrc_docker;
$ echo "[ -f ~/.bashrc_docker ] && . ~/.bashrc_docker" >> ~/.bashrc; source ~/.bashrc
```

This file defines many commands that make Docker easier to use. For example, docker-pid returns the PID of a container, and docker-enter enters a container or runs a command directly inside it.

```
$ echo $(docker-pid <container>)
$ docker-enter <container> ls
```

_______________________________________________________

## Improving virtual machine performance with container-based virtualization

Published 2013-05-12 23:08:14

Over the past few years, hypervisor-based virtualization has gradually come to dominate the virtualization market. This is easy to understand: the flexibility of the technology lets users install almost every type of operating system. However, if you do not need to run several different types of operating system at the same time, container-based virtualization may be a better choice, and it can bring a performance advantage.

The basic idea of container-based virtualization is to run one kernel at the bottom layer, with multiple different virtual machines running on top of that kernel. Compared with hypervisor-based virtualization, each virtual machine is not a complete operating system instance: this technique installs only part of each operating system instance, and each instance works intelligently with the virtualization layer installed in the host operating system kernel. Hypervisor-based virtualization is mostly used in Linux environments; the two main camps today are the commercial product Parallels Virtuozzo and the open-source product OpenVZ.

### Hypervisor-based virtualization vs. container-based virtualization

The best way to understand container-based virtualization is to compare it with hypervisor-based virtualization. The latter works by using a hypervisor layer to forward all instructions from the virtual machines to the underlying hardware layer. This hypervisor layer is a stripped-down operating system kernel with virtualization features. In VMware ESX Server and Citrix XenServer, the hypervisor layer uses a Linux kernel; Windows Hyper-V uses a Microsoft kernel for this job.

Virtual machines (VMs) run on top of the hypervisor layer. In this model, every virtual machine is a complete operating system. The biggest challenge of this technique is accessing hardware devices without virtualizing all hardware drivers in advance. Paravirtualization is the solution to this problem; in the other technique, full virtualization, all hardware must first be virtualized before it is assigned to a virtual machine (VM). The virtual machine runs a complete operating system, and the applications are virtualized as well.

Container-based virtualization (also called operating system virtualization) takes a different approach. A standard host operating system runs at the bottom layer; for example, with the Parallels Virtuozzo virtualization product, the bottom layer runs Windows or Linux. The virtualization layer sits on top of the operating system and looks like an application running on it. The virtualization layer provides its own file system and kernel service abstraction, which ensure that hardware resources are divided among all the virtual machines; each independent virtual machine is therefore also called a "container". The virtualization layer ensures that every container appears to the outside as an independent server.

The biggest difference between the two techniques is that in container-based virtualization each virtual machine does not install a complete virtual machine, so a fully installed operating system is not needed. With this partial virtualization, a container behaves more like a completely independent application running in the operating system. The virtualization layer ensures that it does not interfere with other containers, and the container presents itself as a virtual machine. The advantage of this approach is that duplicated functionality, such as hardware access, is not needed. Only one operating system takes care of hardware access.

Container-based virtualization also avoids the performance problems that the traditional approach incurs by accessing hardware devices through virtual drivers. The technique does have one drawback: flexibility is limited, and users cannot install virtual machines with several different operating systems at the same time. In general, though, when all a user needs is a few more identical instances of an operating system already in use, why not choose container-based virtualization?
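### Advantages of container-based virtualization

Compared with hypervisor-based virtualization, container-based virtualization offers a completely different approach to virtualization. It runs multiple independent containers inside one OS, replacing the earlier approach of installing a complete operating system in every virtual machine. A container-based virtualization host therefore only needs to run one complete operating system environment; the biggest advantage of the technique is that no duplicated functional modules have to be installed, which improves system performance.

_______________________________________________________

Swarm is a container management tool that Docker, Inc. released in early December 2014. The Docker management tools released together with Swarm were Machine and Compose.

_______________________________________________________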
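The /etc/sysconfig/docker listing earlier in these notes exposes the daemon API on tcp://0.0.0.0:2376 without `--tlsverify` and allows a registry to skip TLS verification. The following check is an added example, not part of the original notes: the function names and finding codes are hypothetical, the "current" sample copies the two active settings from that listing, and the "hardened" sample with its certificate paths is constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a RHEL-style
# /etc/sysconfig/docker for a TCP API socket without --tlsverify and for
# registries exempted from TLS verification. Handles the space-separated flag
# form used in the listing ("-H tcp://...", "--insecure-registry host:port").

# unquote VALUE -> VALUE without one pair of surrounding quotes
unquote() {
    v=$1
    case $v in
        \"*\") v=${v#\"}; v=${v%\"} ;;
        \'*\') v=${v#\'}; v=${v%\'} ;;
    esac
    printf '%s\n' "$v"
}

# docker_sysconfig_findings FILE -> one "CODE value" line per finding.
# The body is a subshell, so set -f and the variables stay local to the call.
docker_sysconfig_findings() (
    set -f                                  # no globbing while word-splitting
    opts='' regs=''
    while IFS= read -r line; do             # commented-out lines never match
        case $line in
            OPTIONS=*)           opts=$(unquote "${line#OPTIONS=}") ;;
            INSECURE_REGISTRY=*) regs=$(unquote "${line#INSECURE_REGISTRY=}") ;;
        esac
    done < "$1"

    tls=no
    case " $opts " in *" --tlsverify "*) tls=yes ;; esac

    prev=''
    for w in $opts $regs; do
        case $prev in
            -H|--host)
                case $w in
                    tcp://*) [ "$tls" = yes ] || echo "TCP_WITHOUT_TLSVERIFY $w" ;;
                esac ;;
            --insecure-registry)
                echo "INSECURE_REGISTRY $w" ;;
        esac
        prev=$w
    done
)

# Constructed samples: "current" copies the two active settings from the
# listing, "hardened" is a hypothetical variant with hypothetical cert paths.
tmp=$(mktemp -d)
cat > "$tmp/current" <<'EOF'
# OPTIONS='--selinux-enabled'
OPTIONS="--selinux-enabled -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --storage-opt dm.no_warn_on_loop_devices=true --log-level=warn"
INSECURE_REGISTRY='--insecure-registry chineseall:5000'
EOF
cat > "$tmp/hardened" <<'EOF'
OPTIONS="--selinux-enabled --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock"
EOF
echo "current:";  docker_sysconfig_findings "$tmp/current"
echo "hardened:"; docker_sysconfig_findings "$tmp/hardened"
rm -rf "$tmp"
```

The check reads only the OPTIONS and INSECURE_REGISTRY lines of the file; flags passed to the daemon from other unit files or drop-ins are outside its view.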
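In the /etc/kubernetes/apiserver listing earlier in these notes, KUBE_API_ARGS is assigned twice, so the line carrying the TLS and client-CA flags is replaced by `--secure-port=0`, while `--address=0.0.0.0 --port=8080` serves the plaintext API on every interface. The following check is an added example, not part of the original notes; it assumes the file is loaded as a systemd EnvironmentFile (where the later assignment wins), and its function names and finding codes are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumes the file is loaded as a
# systemd EnvironmentFile, where a later KEY= line replaces an earlier one.

# effective KEY FILE -> value of the last uncommented KEY=... line, unquoted
effective() {
    awk -v k="$1" '
        index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
        END { gsub(/^"|"$/, "", v); print v }
    ' "$2"
}

# shadowed FILE -> "SHADOWED <line>:<text>" for every assignment that a later
# assignment to the same key replaces
shadowed() {
    awk '
        /^[A-Za-z_][A-Za-z0-9_]*=/ {
            key = $0; sub(/=.*/, "", key)
            if (key in seen) print "SHADOWED " seen[key]
            seen[key] = NR ":" $0
        }
    ' "$1"
}

# apiserver_findings FILE -> shadowed lines plus two checks on effective values
apiserver_findings() {
    shadowed "$1"
    addr=$(effective KUBE_API_ADDRESS "$1")
    port=$(effective KUBE_API_PORT "$1")
    args=$(effective KUBE_API_ARGS "$1")
    # --address/--port are the plaintext (insecure) listener in this config
    if [ "$addr" = "--address=0.0.0.0" ] && [ "$port" != "--port=0" ]; then
        echo "PLAINTEXT_API_ON_ALL_INTERFACES $addr $port"
    fi
    case " $args " in
        *" --secure-port=0 "*) echo "HTTPS_DISABLED --secure-port=0" ;;
    esac
}

# Constructed sample: the relevant lines of the listing, with the terminal
# line wraps joined back together.
sample=$(mktemp)
cat > "$sample" <<'EOF'
## Created by mgr.
KUBE_API_ADDRESS="--address=0.0.0.0"
KUBE_API_PORT="--port=8080"
#KUBE_API_ARGS="--admission_control=ServiceAccount"
KUBE_API_ARGS="--admission_control=ServiceAccount --client-ca-file=/srv/kubernetes/new/ca.crt --tls-cert-file=/srv/kubernetes/new/server.crt --tls-private-key-file=/srv/kubernetes/new/server.key"
KUBE_API_ARGS="--secure-port=0"
EOF
apiserver_findings "$sample"
rm -f "$sample"
```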