Docker Notes

Source: Internet  Editor: 程序博客网  Time: 2024/06/05 02:56

Docker

What is docker?

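   Docker is an open-source application container engine. It lets developers package their applications and dependencies into a portable container and then publish it to any popular Linux machine; it can also be used for virtualization.

What's the difference between Docker and a virtual machine?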

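 Docker containers have these advantages: 1. fast startup; 2. high resource utilization, since an ordinary desktop machine can run many containers; 3. low performance overhead, because they share the host operating system. As for fast startup, I don't think virtual machines are that much slower: OpenStack can create them at close to 10 per minute. As for resource utilization, you may be able to run many containers when they are doing nothing, but containers are started in order to provide services, and once applications are running they consume resources as well, so simply comparing the number of containers that can run does not mean much.
   A virtual machine runs on top of a virtual machine monitor (hypervisor), whereas Docker implements resource isolation through Linux kernel features such as cgroups and uses hardware resources directly. A virtual machine reaches the hardware through the hypervisor's virtualization, so its resource utilization is comparatively lower.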
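Docker AUFS
      AUFS (AnotherUnionFS) is a kind of union filesystem. Put simply, it is a filesystem that supports mounting different directories under the same virtual filesystem (unite several directories into a single virtual filesystem). Going further, AUFS supports setting 'readonly', 'readwrite' and 'whiteout-able' permissions on each member directory (AKA branch), and AUFS also has a similar ...
Thanks to these AUFS features, every modification to a file or directory in a readonly layer exists only in the writeable layer above it. Because there is no contention, multiple containers can share the readonly layers.
So Docker calls the readonly layers an "image". To the container the whole rootfs is read-write, but in fact all modifications are written to the topmost writeable layer.
   An image does not store user state and can be used for templates, rebuilding and ...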
More about docker 
On top of this low-level foundation of kernel features, Docker offers a high-level tool with several powerful functionalities:
  • Portable deployment across machines. Docker defines a format for bundling an application and all its dependencies into a single object which can be transferred to any docker-enabled machine, and executed there with the guarantee that the execution environment exposed to the application will be the same. Lxc implements process sandboxing, which is an important pre-requisite for portable deployment, but that alone is not enough for portable deployment. If you sent me a copy of your application installed in a custom lxc configuration, it would almost certainly not run on my machine the way it does on yours, because it is tied to your machine's specific configuration: networking, storage, logging, distro, etc. Docker defines an abstraction for these machine-specific settings, so that the exact same docker container can run - unchanged - on many different machines, with many different configurations.
  • Application-centric. Docker is optimized for the deployment of applications, as opposed to machines. This is reflected in its API, user interface, design philosophy and documentation. By contrast, the lxc helper scripts focus on containers as lightweight machines - basically servers that boot faster and need less ram. We think there's more to containers than just that.
  • Automatic build. Docker includes a tool for developers to automatically assemble a container from their source code, with full control over application dependencies, build tools, packaging etc. They are free to use make, maven, chef, puppet, salt, debian packages, rpms, source tarballs, or any combination of the above, regardless of the configuration of the machines.
  • Versioning. Docker includes git-like capabilities for tracking successive versions of a container, inspecting the diff between versions, committing new versions, rolling back etc. The history also includes how a container was assembled and by whom, so you get full traceability from the production server all the way back to the upstream developer. Docker also implements incremental uploads and downloads, similar to “git pull”, so new versions of a container can be transferred by only sending diffs.
  • Component re-use. Any container can be used as a “base image” to create more specialized components. This can be done manually or as part of an automated build. For example you can prepare the ideal python environment, and use it as a base for 10 different applications. Your ideal postgresql setup can be re-used for all your future projects. And so on.
  • Sharing. Docker has access to a public registry (http://index.docker.io) where thousands of people have uploaded useful containers: anything from redis, couchdb, postgres to irc bouncers to rails app servers to hadoop to base images for various distros. The registry also includes an official “standard library” of useful containers maintained by the docker team. The registry itself is open-source, so anyone can deploy their own registry to store and transfer private containers, for internal server deployments for example.
  • Tool ecosystem. Docker defines an API for automating and customizing the creation and deployment of containers. There are a huge number of tools integrating with docker to extend its capabilities. PaaS-like deployment (Dokku, Deis, Flynn), multi-node orchestration (maestro, salt, mesos, openstack nova), management dashboards (docker-ui, openstack horizon, shipyard), configuration management (chef, puppet), continuous integration (jenkins, strider, travis), etc. Docker is rapidly establishing itself as the standard for container-based tooling.
Get started with Docker
   Docker step by step (link)
 

Reference
 Docker Registry  https://docker.github.io/registry/
 Docker API  http://dockone.io/article/107
 Dockerfile reference  https://docs.docker.com/engine/reference/builder/#/add
 Docker official site  https://docs.docker.com/registry/
 Docker on Baidu Baike  http://baike.baidu.com/item/Docker

Setting up Docker Registry v1

    A fairly comprehensive reference: http://seanlook.com/2014/11/13/deploy-private-docker-registry-with-nginx-ssl/

    With login credentials: curl http://sean:sean@sean.domain.com:8080/v1/search

Docker Registry v2 API

https://docs.docker.com/registry/spec/api/

Setting up a private repository with Docker Registry 2.0

http://www.jianshu.com/p/f2705a5da6a2# (basically follows the approach from the official Docker site below)

Official site (English):

Deploy a registry: https://docs.docker.com/registry/deploying/#/running-a-domain-registry

Insecure registry: https://docs.docker.com/registry/insecure/

Docker registry

SSL certificate:
    http://studygolang.com/articles/8313 (works with golang)
    http://studygolang.com/articles/5949 (works with golang)
    http://blog.csdn.net/yinlijun2004/article/details/5716753 (generates the certificate through a CA; not suitable for golang)
    http://blog.csdn.net/liuchunming033/article/details/48470575 (generates a certificate; not suitable for golang)

Token Authentication Server: http://dockone.io/article/845

Authorization for Docker, introduction: http://flavio.castelli.name/2015/04/23/introducing-portus-a-user-interface-for-docker-registry/
    Portus github: https://github.com/SUSE/Portus
    docker_auth github: https://hub.docker.com/r/cesanta/docker_auth/

Following this article works better: https://the.binbashtheory.com/creating-private-docker-registry-2-0-with-token-authentication-service/

1. Create a certificate (it must be in a form golang supports, otherwise you get the error: failed to parse private key)

 openssl req -newkey rsa:2048 -nodes -keyout server.key -x509 -days 365 -out server.pem 

2. Create the registry:2.4.1 and docker_auth:latest containers

    # Token authentication server (docker_auth), listening on 5001
    docker run -d --name docker_auth -p 5001:5001 \
      -v /home/nature01/registry/auth_server/config:/config:ro \
      -v /var/log/docker_auth:/logs --restart=always \
      -v /home/nature01/registry/auth_server/ssl:/ssl \
      cesanta/docker_auth /config/auth_config.yml

    # Registry configured to require tokens issued by the auth server above
    docker run -d -p 5000:5000 \
      -e REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry \
      -e REGISTRY_AUTH=token \
      -e REGISTRY_AUTH_TOKEN_REALM=https://127.0.0.1:5001/auth \
      -e REGISTRY_AUTH_TOKEN_SERVICE="Docker registry" \
      -e REGISTRY_AUTH_TOKEN_ISSUER="example" \
      -e REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/ssl/server.pem \
      -v /home/nature01/data/auth_server/ssl:/ssl \
      -v /home/nature01/data/docker_registry/data:/var/lib/registry \
      --restart=always \
      --name registry registry:2.4.1


# Password is specified as a BCrypt hash. Use htpasswd -B to generate.

      If you send the requests with Google Postman, it requires the certificate to be imported; see: http://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate (export your certificate to a file, import it into Chrome's trusted certificate store, and then you can access the service)

       For how to obtain a token programmatically and then send it to get a response from the registry, see: http://www.cakesolutions.net/teamblogs/docker-registry-api-calls-as-an-authenticated-user

      1. Send a request to the registry: http://112.74.163.191:5000/v2/busybox/tags/list

      2. The request fails at this point.

   Response:

{
  "errors": [
    {
      "code": "UNAUTHORIZED",
      "message": "authentication required",
      "detail": [
        {
          "Type": "repository",
          "Name": "busybox",
          "Action": "pull"
        }
      ]
    }
  ]
}

Response headers:

Content-Length → 139
Content-Type → application/json; charset=utf-8
Date → Fri, 28 Oct 2016 09:13:30 GMT
Docker-Distribution-Api-Version → registry/2.0
Www-Authenticate → Bearer realm="https://127.0.0.1:5001/auth",service="Docker registry",scope="repository:busybox:pull",error="insufficient_scope"
X-Content-Type-Options → nosniff

The Www-Authenticate header indicates how to obtain the authentication token.

 3. Send a request to the Bearer realm: https://112.74.163.191:5001/auth?account=admin&service=Docker registry&scope=repository:busybox:pull and select authorization.

  The response returns the token.

4. Use the token from the response to send the request to the registry again, with Authorization: Bearer {token} in the header.
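
The challenge-and-token exchange in steps 1 to 4, as an added example that is not part of the original post: it parses the Www-Authenticate value from the 401 response above, checks the realm against an allow-list before any credentials would be sent to it, and builds the token request URL. The function names and the trusted_realms parameter are assumptions of this example.

```python
import re
from urllib.parse import urlencode, urlsplit

# Header value copied from the 401 response shown above.
CHALLENGE = ('Bearer realm="https://127.0.0.1:5001/auth",service="Docker registry",'
             'scope="repository:busybox:pull",error="insufficient_scope"')

_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(value):
    """Split a Www-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("unsupported auth scheme: %r" % scheme)
    params = dict(_PARAM.findall(rest))
    if "realm" not in params:
        raise ValueError("challenge has no realm")
    return scheme, params


def token_url(params, account, trusted_realms):
    """Build the token request URL (step 3), refusing realms we do not trust.

    The realm is taken from the registry's response, so a client that follows
    it blindly sends its Basic credentials wherever that response points.
    """
    realm = urlsplit(params["realm"])
    if realm.scheme != "https":
        raise ValueError("realm is not https: " + params["realm"])
    if realm.netloc not in trusted_realms:
        raise ValueError("untrusted realm host: " + realm.netloc)
    query = {"account": account, "service": params.get("service", "")}
    if "scope" in params:
        query["scope"] = params["scope"]
    # urlencode escapes the space in "Docker registry" (as "+") and the colons in scope.
    return params["realm"] + "?" + urlencode(query)


def bearer_header(token):
    """Header for the retried registry request (step 4)."""
    return {"Authorization": "Bearer " + token}


if __name__ == "__main__":
    _, p = parse_challenge(CHALLENGE)
    print(token_url(p, "admin", {"127.0.0.1:5001"}))
```

The allow-list is compared against host:port exactly, so a registry that advertises a realm on another host is rejected before the Basic credentials leave the client.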

--------------

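Changing the Docker data directory

Default: /var/lib/docker

Change it by adding -g to the startup arguments (the help text for -g shows the default Docker runtime directory after it).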
