# 默認(rèn)已初始化安裝 CentOS 7.9
CPU: 4核 * 2
Memory: 16G
Disk: 2塊物理硬盤(sda,sdb) sda: 40GB(預(yù)裝最小化Linux), sdb: 200GB
Swap: 2GB
docker應(yīng)用的映射存儲(chǔ)目錄: /opt/mydocker
# 后續(xù)完成如下配置
hostname: docker01.mysite.com
ip: 10.0.0.210
gateway: 10.0.0.254
dns: 223.5.5.5 114.114.114.114
# swap改成12G, 關(guān)閉selinux, 開啟firewalld

[root@localhost ~]# lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                8			# 8個(gè)邏輯處理器
On-line CPU(s) list:   0-7
Thread(s) per core:    1
Core(s) per socket:    4			# 每個(gè)插槽的CPU核心數(shù)
Socket(s):             2			# CPU插槽數(shù)量, 物理CPU數(shù)量
...
[root@localhost ~]# lsmem | grep Total
Total online memory:      16G		# 16G內(nèi)存
Total offline memory:      0B
[root@localhost ~]# lsscsi 
[0:0:0:0]    disk    VMware   Virtual disk     2.0   /dev/sda 
[0:0:1:0]    disk    VMware   Virtual disk     2.0   /dev/sdb 
[3:0:0:0]    cd/dvd  NECVMWar VMware SATA CD00 1.00  /dev/sr0
[root@localhost ~]# fdisk -l | grep -i 'disk /dev'
Disk /dev/sdb: 214.7 GB, 214748364800 bytes, 419430400 sectors		# sdb: 200GB
Disk /dev/sda: 42.9 GB, 42949672960 bytes, 83886080 sectors			# sda: 40GB
Disk /dev/mapper/centos-root: 39.7 GB, 39720058880 bytes, 77578240 sectors
Disk /dev/mapper/centos-swap: 2147 MB, 2147483648 bytes, 4194304 sectors

### centos配置網(wǎng)絡(luò)連接, sshd, yum包更新, ntp時(shí)間同步
vi /etc/sysconfig/network-scripts/ifcfg-ens192
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.0.0.210
PREFIX=24
GATEWAY=10.0.0.254
DNS1=223.5.5.5
DNS2=114.114.114.114
# :x保存
systemctl restart network

vim /etc/ssh/sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# :x保存
systemctl restart sshd

hostnamectl set-hostname docker01.mysite.com --static
su	# 切換root, 使hostname刷新
yum update -y	# 可選更新所有包
# 安裝一些基礎(chǔ)常用的包
yum -y install vim tcpdump lsof zip unzip strace traceroute net-tools bind-utils bridge-utils whois wget ftp nc lrzsz sysstat telnet ntp
yum -y install psmisc bc ntpdate dos2unix tree openldap-devel
yum -y install epel-release	  # epel源
yum -y install jq		  	  # json格式化工具

# 配置HWCLOCK硬件層的ntp時(shí)間同步
[root@localhost ~]# vim /etc/sysconfig/ntpd
# Command line options for ntpd
OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid -g"
SYNC_HWCLOCK=yes
# :x保存
systemctl enable --now ntpd
timedatectl set-timezone Asia/Shanghai
[root@docker01 ~]# timedatectl 
      Local time: Sat 2024-05-01 14:13:37 CST
  Universal time: Sat 2024-05-01 06:13:37 UTC
        RTC time: Sat 2024-05-01 06:13:38
       Time zone: Asia/Shanghai (CST, +0800)	# 東8區(qū)時(shí)區(qū)
     NTP enabled: yes		# ntp已啟用
NTP synchronized: yes		# ntp已同步
 RTC in local TZ: no
      DST active: n/a

### sdb硬盤配置lvm
### lvdocker邏輯卷開機(jī)掛載到/opt/mydocker
fdisk /dev/sdb	# 對(duì)/dev/sdb進(jìn)行磁盤操作
n				# 添加新分區(qū)
p				# 新建主分區(qū)
1				# 定義編號(hào)1
2048			# 定義扇區(qū)大小，默認(rèn)2048
				# 定義容量大小，默認(rèn)100%FREE
t				# 更改分區(qū)的system id
8e				# Linux LVM的system id
w				# 保存配置
partprobe		# 重新識(shí)別磁盤
lsblk			# 查看塊設(shè)備信息
pvs    						# 查看已創(chuàng)建的物理卷信息列表
pvcreate /dev/sdb1    		# 新建pv物理卷
vgcreate vgdocker /dev/sdb1	# 新建vg卷組, 用來存放lvm邏輯卷
vgs							# 查看已創(chuàng)建的vg卷組
lvcreate -l 100%FREE -n lvdocker vgdocker		# 創(chuàng)建lv邏輯卷
[root@docker01 ~]# lvs
  LV        VG        Attr       LSize    Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  root      centos    -wi-ao----   36.99g                                                    
  swap      centos    -wi-ao----    2.00g                                                    
  lvdocker  vgdocker  -wi-a----- <200.00g
[root@docker01 ~]# mkfs.ext4 /dev/mapper/vgdocker-lvdocker
[root@docker01 ~]# blkid | grep docker
/dev/mapper/vgdocker-lvdocker: UUID="2a2e3964-5b40-42e5-a813-9f3c12e17a13" TYPE="ext4"
vim /etc/fstab			# 在最后一行添加配置, 把lvdocker邏輯卷開機(jī)掛載到/opt/mydocker目錄, 文件系統(tǒng)格式是ext4
#
# /etc/fstab
# Created by anaconda on Wed Jul 12 00:06:09 2023
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        0 0
UUID=e56d6e40-f244-4d46-b5fb-80365ad2cfc4 /boot                   xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0
UUID=2a2e3964-5b40-42e5-a813-9f3c12e17a13 /opt/mydocker ext4    defaults        0 0
# :x保存
mkdir -p /opt/mydocker	# 新建/opt/mydocker目錄
mount -a				# 刷新所有掛載源
[root@docker01 ~]# mount | grep docker
/dev/mapper/vgdocker-lvdocker on /opt/mydocker type ext4 (rw,relatime,seclabel,data=ordered)

### (可選)關(guān)閉selinux
# setenforce 0
# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
### 優(yōu)化centos基礎(chǔ)配置, swap內(nèi)存修改成 12G(centos虛擬機(jī)16G內(nèi)存), swap內(nèi)存使用權(quán)重60
swapoff -a
dd if=/dev/zero of=/swap_12g bs=1024 count=12582912
chmod 600 /swap_12g
mkswap /swap_12g
swapon /swap_12g
echo "vm.swappiness = 60" >> /etc/sysctl.conf
sysctl -p
[root@docker01 ~]# swapon
NAME      TYPE SIZE USED PRIO
/swap_12g file  12G   0B   -2
### 禁用ipv6
sysctl -a 2>1 | grep disable_ipv6	# 跟下列參數(shù)不同則自定義該參數(shù)
cat <<EOF > /etc/sysctl.d/not-ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF
### 優(yōu)化文件系統(tǒng)和網(wǎng)絡(luò)性能
cat <<EOF > /etc/sysctl.d/fs.conf
fs.file-max = 10000000
fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 524288
EOF
cat <<EOF > /etc/sysctl.d/net.conf
net.core.somaxconn = 1024
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
EOF
sysctl -p /etc/sysctl.d/*.conf

### docker底層原理
docker的生命周期有三部分組成：倉(cāng)庫(kù)（repository）+ 鏡像（image）+ 容器（container）
docker是利用Linux內(nèi)核虛擬機(jī)化技術(shù)（LXC），提供輕量級(jí)的虛擬化，以便隔離進(jìn)程和資源。LXC不是硬件的虛擬化，而是Linux內(nèi)核的級(jí)別的虛擬機(jī)化，相對(duì)于傳統(tǒng)的虛擬機(jī)，節(jié)省了很多硬件資源。
NameSpace
LXC是利用內(nèi)核namespace技術(shù)，進(jìn)行進(jìn)程隔離。其中pid, net, ipc, mnt, uts等namespace將 container 的進(jìn)程, 網(wǎng)絡(luò), 消息, 文件系統(tǒng)和 hostname 隔離開。
Control Group
LXC利用的宿主機(jī)共享的資源，雖然用namespace進(jìn)行隔離，但是資源使用沒有收到限制，這里就需要用到Control Group技術(shù)，對(duì)資源使用進(jìn)行限制，設(shè)定優(yōu)先級(jí)，資源控制等。
images: 鏡像, 只讀模板. 鏡像的描述文件是Dockerfile
Dockerfile: 鏡像的描述文件
FROM		定義基礎(chǔ)鏡像
MAINTAINER	作者
RUN			運(yùn)行Linux命令
ENV			環(huán)境變量
CMD			運(yùn)行進(jìn)程
...
container: 容器, 鏡像的運(yùn)行實(shí)例, 鏡像 > 容器
獲取鏡像: docker pull nginx    從鏡像倉(cāng)庫(kù)拉取
使用鏡像創(chuàng)建容器, 分配文件系統(tǒng), 掛載一個(gè)讀寫層(與宿主機(jī)實(shí)現(xiàn)數(shù)據(jù)交互),在讀寫層加載鏡像
分配網(wǎng)絡(luò)/網(wǎng)橋接口, 創(chuàng)建一個(gè)網(wǎng)絡(luò)接口, 讓容器和宿主機(jī)通信
容器獲取IP地址
執(zhí)行容器命令, 如/bin/bash
使用 -p 將docker容器端口映射到宿主機(jī)端口, 實(shí)現(xiàn)容器的端口通信
使用 -v 將docker容器目錄映射到宿主機(jī)目錄, 實(shí)現(xiàn)容器的文件系統(tǒng)關(guān)聯(lián)
反饋容器啟動(dòng)結(jié)果
registry: 鏡像倉(cāng)庫(kù)(也是一個(gè)容器)
官方鏡像倉(cāng)庫(kù)地址: https://hub.docker.com/
國(guó)內(nèi)鏡像倉(cāng)庫(kù)地址(阿里云鏡像地址)：https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

### 安裝docker依賴環(huán)境, 安裝docker-ce社區(qū)版, 配置鏡像加速
# step 1: 安裝必要的一些系統(tǒng)工具
yum install -y yum-utils device-mapper-persistent-data lvm2
# Step 2: 添加軟件源信息
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
sed -i 's/download.docker.com/mirrors.aliyun.com\/docker-ce/g' /etc/yum.repos.d/docker-ce.repo
# Step 3: 更新并安裝 Docker-CE
yum makecache fast
yum -y install docker-ce
# 防火墻規(guī)則允許網(wǎng)絡(luò)橋接、允許ipv4網(wǎng)絡(luò)轉(zhuǎn)發(fā)
cat <<EOF > /etc/sysctl.d/docker.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
modprobe br_netfilter	# 先執(zhí)行這行命令啟動(dòng)網(wǎng)橋過濾功能, 否則會(huì)報(bào)錯(cuò)/proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
sysctl -p /etc/sysctl.d/docker.conf
# 配置鏡像加速 阿里云鏡像倉(cāng)庫(kù)、網(wǎng)易鏡像倉(cāng)庫(kù)、中科大鏡像倉(cāng)庫(kù)
mkdir -p /etc/docker
vim /etc/docker/daemon.json
{
    "registry-mirrors":[
	    "https://x9w5e7g4.mirror.aliyuncs.com",
        "https://hub-mirrors.c.163.com/",
        "https://Docker.mirrors.ustc.edu.cn/"
    ]
}
systemctl daemon-reload;systemctl enable --now docker
[root@docker ~]# docker version			# 查看docker版本, Docker Engine - Community 社區(qū)版
Client: Docker Engine - Community
 Version:           26.1.2
 API version:       1.45
 Go version:        go1.21.10
 Git commit:        211e74b
 Built:             Wed May  8 14:01:02 2024
 OS/Arch:           linux/amd64
 Context:           default
Server: Docker Engine - Community
 Engine:
  Version:          26.1.2
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.21.10
  Git commit:       ef1912d
  Built:            Wed May  8 13:59:55 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.31
  GitCommit:        e377cd56a71523140ca6ae87e30244719194a521
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

# 輸出以下文本說明docker-ce正常運(yùn)行且正常拉取鏡像了
[root@docker01 ~]# docker run --rm hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete 
Digest: sha256:2498fce14358aa50ead0cc6c19990fc6ff866ce72aeb5546e1d59caac3d0d60f
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/
For more examples and ideas, visit:
 https://docs.docker.com/get-started/

### 部署nginx鏡像, nginx默認(rèn)執(zhí)行目錄 /usr/share/nginx/html/ 映射到 /opt/mydocker/nginx/html/ 目錄, 使用宿主機(jī)的8000端口訪問nginx容器的80端口
### 編寫 /opt/mydocker/nginx/html/index.html 文件, docker 啟動(dòng) nginx 容器, 驗(yàn)收代碼項(xiàng)目
docker pull nginx
docker run --name nginx8000 -p 8000:80 -v /opt/mydocker/nginx/html/:/usr/share/nginx/html/ -itd nginx
# --name 自定義容器名稱
# -p [宿主機(jī)端口]:[容器端口]  將容器的80端口映射到宿主機(jī)的8000端口
# -v [宿主機(jī)目錄]:[容器目錄]	將容器的/usr/share/nginx/html/目錄映射到宿主機(jī)的/opt/mydocker/nginx/html/   目錄不存在的話會(huì)自動(dòng)遞歸創(chuàng)建
# -d 在后臺(tái)運(yùn)行
# -it 交互式啟動(dòng), 無前臺(tái)進(jìn)程的容器需要使用 -it 參數(shù), 容器才會(huì)處于running狀態(tài), 例如 centos 鏡像.
# nginx容器自帶前臺(tái)進(jìn)程,  -it 參數(shù)可選可不選, 容器會(huì)保持running狀態(tài).
# 添加index.html到nginx監(jiān)聽的站點(diǎn)
echo '<h1>welcome to my nginx server.</h1>' > /opt/mydocker/nginx/html/index.html
# 修改firewall-cmd配置，放通8000端口的訪問
[root@docker01 ~]# firewall-cmd --remove-service=dhcpv6-client --per
[root@docker01 ~]# firewall-cmd --add-port=8000/tcp --per
[root@docker01 ~]# firewall-cmd --reload
[root@docker01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources: 
  services: ssh			# 僅保留sshd服務(wù)，取消dhcpv6-client服務(wù)
  ports: 8000/tcp		# 放通tcp的8000端口
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

# 本地驗(yàn)證
[root@docker01 ~]# curl localhost:8000
<h1>welcome to my nginx server.</h1>
[root@docker01 ~]# netstat -tnlp | grep 8000
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      10681/docker-proxy  

# 網(wǎng)絡(luò)驗(yàn)證
PS C:\> curl http://10.0.0.210:8000 | ForEach-Object Content
<h1>welcome to my nginx server.</h1>