LPASRSI

“Linux System” modules

Teaching sessions for the professional bachelor's degree « Audit et Sécurité des Réseaux et Systèmes d'Information » at the Ifs site of the Caen campus of IUT Grand Ouest Normandie


Installing Docker on the Ravada VMs

Docker installation

  • install the package-management utilities: yum install yum-utils
  • add the Docker package repository: yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
  • install docker, letting yum pick a version other than the newest one, which cannot be installed on CentOS 8: yum install --nobest docker-ce docker-ce-cli containerd.io (the fingerprint of the public part of the package-signing key must be 060A 61C5 1B55 8A7F 742B 77AA C52F EB6B 621E 9F35; if yum shows a different one, refuse the import. Note that SELinux-related packages are pulled in as dependencies)
  • create a new configuration directory in which to set up the proxy: mkdir /etc/systemd/system/docker.service.d/
  • in a new file, /etc/systemd/system/docker.service.d/http-proxy.conf:
[Service]
Environment="FTP_PROXY=http://192.168.144.1:3128"
Environment="HTTP_PROXY=http://192.168.144.1:3128"
Environment="HTTPS_PROXY=http://192.168.144.1:3128"
Environment="NO_PROXY=localhost,127.0.0.0/8,172.17.0.1/16"

(note that the daemon's own unit file, /lib/systemd/system/docker.service, sits under a different root: /lib holds what the distribution ships, /etc holds local configuration, and a drop-in in /etc/systemd/system/docker.service.d/ overrides the vendor unit without editing it)

  • reload Systemd: sudo systemctl daemon-reload
  • restart Docker if it is already running: sudo systemctl restart docker
  • disable the firewall: sudo systemctl disable --now firewalld (a lab shortcut: on CentOS 8 firewalld's nftables backend conflicts with the iptables rules Docker installs, but turning it off removes all filtering on the host; outside an isolated lab VM, keep firewalld and resolve the conflict instead)
  • enable and start the service: sudo systemctl enable --now docker
  • test: sudo docker run hello-world (sudo is needed because the daemon runs as root and owns /var/run/docker.sock: anyone who can talk to that socket is effectively root on the host, and the process inside a container also runs as root by default)
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
1b930d010525: Pull complete 
Digest: sha256:fc6a51919cfeb2e6763f62b6d9e8815acbf7cd2e476ea353743570610737b752
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

Using Docker

The “client”

To start working with Docker, we use an official image:

[user@M81 ]$ sudo docker run -it --name client debian:buster-slim /bin/bash
Unable to find image 'debian:buster-slim' locally
buster-slim: Pulling from library/debian
bc51dd8edc1b: Pull complete 
Digest: sha256:9ab269df3cfa21324fcbfcf5366722d99d77ab480a8cbb0727612f7ea4e6ae27
Status: Downloaded newer image for debian:buster-slim
root@5b9355a3228b:/# 

The buster-slim image (69.2 MB, versus 114 MB for the standard image) is run in interactive mode (i) with a terminal allocated (t), and indeed provides a prompt.

To install packages, first configure the proxy for APT:

echo 'Acquire::HTTP::Proxy "http://192.168.144.1:3128";' > /etc/apt/apt.conf.d/01proxy

After that, the APT commands work:

root@0fb7dba55fbc:/# apt update
Get:1 http://deb.debian.org/debian buster InRelease [122 kB]
Get:2 http://deb.debian.org/debian buster-updates InRelease [49.3 kB]
Get:3 http://security-cdn.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:4 http://deb.debian.org/debian buster/main amd64 Packages [7907 kB]
Get:5 http://security-cdn.debian.org/debian-security buster/updates/main amd64 Packages [180 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [7380 B]
Fetched 8330 kB in 2s (4228 kB/s)
Reading package lists... Done
Building dependency tree       
Reading state information... Done
9 packages can be upgraded. Run 'apt list --upgradable' to see them.

To leave the client, use the exit command or the Ctrl-D shortcut. The container then stops, because the command it was asked to run, /bin/bash, has ended. To get back into the modified container, restart it in interactive mode:

root@0fb7dba55fbc:/# exit
[user@M81 ~]$ sudo docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[user@M81 ~]$ sudo docker start -i client
root@0fb7dba55fbc:/# apt update
Hit:1 http://deb.debian.org/debian buster InRelease
Hit:2 http://deb.debian.org/debian buster-updates InRelease
Hit:3 http://security-cdn.debian.org/debian-security buster/updates InRelease
Reading package lists... Done
Building dependency tree       
Reading state information... Done
9 packages can be upgraded. Run 'apt list --upgradable' to see them.

The “server”

To use docker to “run” services, one has to cheat a little: a container normally runs a single foreground process, so here that process will be systemd itself, which then manages the services as it would on a real host.

Dockerfile

Docker makes it possible to build custom images by describing them in a Dockerfile. Starting from the slim variant of the current Debian release (buster), we need to:

  1. configure the proxy
  2. update the APT package lists
  3. install systemd
  4. mask some service units and remove some files that are incompatible with running inside a container
  5. specify the shutdown signal Docker sends
  6. declare as volumes the host paths that are tmpfs
  7. use init as the command run in the container

NB: you can fetch this file from your VM, together with the other resources for module M81, from the git repository: git clone https://git.unicaen.fr/lpasrsi/m81.git

# Slim variant of Debian 10 (buster).
FROM debian:buster-slim
# Non-interactive debconf front end: no prompts during the apt-get runs below.
RUN echo 'debconf debconf/frontend select teletype' | debconf-set-selections
# Lab proxy for APT; the file stays in the image, so apt also works in running containers.
RUN echo 'Acquire::HTTP::Proxy "http://192.168.144.1:3128";' > /etc/apt/apt.conf.d/01proxy
RUN apt-get -qq update
RUN apt-get full-upgrade -y -qq
# systemd as PID 1, and systemd-sysv for the init/halt/reboot links.
RUN apt-get install -y -qq --no-install-recommends systemd systemd-sysv
# Drop the package cache and logs so they do not end up in the image layers.
RUN apt-get clean
RUN rm -rf                        \
    /var/lib/apt/lists/*          \
    /var/log/alternatives.log     \
    /var/log/apt/history.log      \
    /var/log/apt/term.log         \
    /var/log/dpkg.log
# Mount units that cannot work inside a container (hugepages, FUSE).
RUN systemctl mask --   \
    dev-hugepages.mount \
    sys-fs-fuse-connections.mount
# Remove the build-time machine-id so every container generates its own.
RUN rm -f           \
    /etc/machine-id \
    /var/lib/dbus/machine-id
# Tells systemd it is running inside a container.
ENV container docker
# systemd as PID 1 halts on SIGRTMIN+3; on SIGTERM (Docker's default) it only re-executes itself.
STOPSIGNAL SIGRTMIN+3
# Directories systemd needs writable (tmpfs on a real host) plus the cgroup tree.
VOLUME [ "/sys/fs/cgroup", "/run", "/run/lock", "/tmp" ]
# Run systemd as the container's PID 1.
CMD [ "/sbin/init" ]

Building the “buster-systemd” image

The image can now be built and given a name (docker build -t buster-systemd . does both in one step):

[user@M81 ]$ sudo docker build .
Sending build context to Docker daemon   2.56kB
Step 1/14 : FROM debian:buster-slim
buster-slim: Pulling from library/debian
bc51dd8edc1b: Pull complete 
Digest: sha256:9ab269df3cfa21324fcbfcf5366722d99d77ab480a8cbb0727612f7ea4e6ae27
Status: Downloaded newer image for debian:buster-slim
 ---> 837fd7c8d960
Step 2/14 : RUN echo 'debconf debconf/frontend select teletype' | debconf-set-selections
 ---> Running in f5f850ff4f94
Removing intermediate container f5f850ff4f94
 ---> a0ff03f118c4
Step 3/14 : RUN echo 'Acquire::HTTP::Proxy "http://192.168.144.1:3128";' > /etc/apt/apt.conf.d/01proxy
 ---> Running in 94460a94534f
Removing intermediate container 94460a94534f
 ---> 5b283d1eb14f
Step 4/14 : RUN apt-get -qq update
 ---> Running in 653f3d94d5c9
Removing intermediate container 653f3d94d5c9
 ---> 458c83039819
Step 5/14 : RUN apt-get full-upgrade -y -qq
 ---> Running in 6ad870f839df
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 6457 files and directories currently installed.)
Preparing to unpack .../base-files_10.3+deb10u3_amd64.deb ...
Unpacking base-files (10.3+deb10u3) over (10.3+deb10u2) ...
Setting up base-files (10.3+deb10u3) ...
Installing new version of config file /etc/debian_version ...
(Reading database ... 6457 files and directories currently installed.)
Preparing to unpack .../libsystemd0_241-7~deb10u3_amd64.deb ...
Unpacking libsystemd0:amd64 (241-7~deb10u3) over (241-7~deb10u2) ...
Setting up libsystemd0:amd64 (241-7~deb10u3) ...
(Reading database ... 6457 files and directories currently installed.)
Preparing to unpack .../libext2fs2_1.44.5-1+deb10u3_amd64.deb ...
Unpacking libext2fs2:amd64 (1.44.5-1+deb10u3) over (1.44.5-1+deb10u2) ...
Setting up libext2fs2:amd64 (1.44.5-1+deb10u3) ...
(Reading database ... 6457 files and directories currently installed.)
Preparing to unpack .../e2fsprogs_1.44.5-1+deb10u3_amd64.deb ...
Unpacking e2fsprogs (1.44.5-1+deb10u3) over (1.44.5-1+deb10u2) ...
Preparing to unpack .../libidn2-0_2.0.5-1+deb10u1_amd64.deb ...
Unpacking libidn2-0:amd64 (2.0.5-1+deb10u1) over (2.0.5-1) ...
Setting up libidn2-0:amd64 (2.0.5-1+deb10u1) ...
(Reading database ... 6457 files and directories currently installed.)
Preparing to unpack .../libgnutls30_3.6.7-4+deb10u2_amd64.deb ...
Unpacking libgnutls30:amd64 (3.6.7-4+deb10u2) over (3.6.7-4) ...
Setting up libgnutls30:amd64 (3.6.7-4+deb10u2) ...
(Reading database ... 6457 files and directories currently installed.)
Preparing to unpack .../libudev1_241-7~deb10u3_amd64.deb ...
Unpacking libudev1:amd64 (241-7~deb10u3) over (241-7~deb10u2) ...
Setting up libudev1:amd64 (241-7~deb10u3) ...
(Reading database ... 6457 files and directories currently installed.)
Preparing to unpack .../libcom-err2_1.44.5-1+deb10u3_amd64.deb ...
Unpacking libcom-err2:amd64 (1.44.5-1+deb10u3) over (1.44.5-1+deb10u2) ...
Preparing to unpack .../libss2_1.44.5-1+deb10u3_amd64.deb ...
Unpacking libss2:amd64 (1.44.5-1+deb10u3) over (1.44.5-1+deb10u2) ...
Setting up libcom-err2:amd64 (1.44.5-1+deb10u3) ...
Setting up libss2:amd64 (1.44.5-1+deb10u3) ...
Setting up e2fsprogs (1.44.5-1+deb10u3) ...
Processing triggers for libc-bin (2.28-10) ...
Removing intermediate container 6ad870f839df
 ---> 9d6f053fb4ee
Step 6/14 : RUN apt-get install -y -qq --no-install-recommends systemd systemd-sysv
 ---> Running in d60aca12aaf3
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libapparmor1:amd64.
(Reading database ... 6457 files and directories currently installed.)
Preparing to unpack .../00-libapparmor1_2.13.2-10_amd64.deb ...
Unpacking libapparmor1:amd64 (2.13.2-10) ...
Selecting previously unselected package libcap2:amd64.
Preparing to unpack .../01-libcap2_1%3a2.25-2_amd64.deb ...
Unpacking libcap2:amd64 (1:2.25-2) ...
Selecting previously unselected package libargon2-1:amd64.
Preparing to unpack .../02-libargon2-1_0~20171227-0.2_amd64.deb ...
Unpacking libargon2-1:amd64 (0~20171227-0.2) ...
Selecting previously unselected package dmsetup.
Preparing to unpack .../03-dmsetup_2%3a1.02.155-3_amd64.deb ...
Unpacking dmsetup (2:1.02.155-3) ...
Selecting previously unselected package libdevmapper1.02.1:amd64.
Preparing to unpack .../04-libdevmapper1.02.1_2%3a1.02.155-3_amd64.deb ...
Unpacking libdevmapper1.02.1:amd64 (2:1.02.155-3) ...
Selecting previously unselected package libjson-c3:amd64.
Preparing to unpack .../05-libjson-c3_0.12.1+ds-2_amd64.deb ...
Unpacking libjson-c3:amd64 (0.12.1+ds-2) ...
Selecting previously unselected package libssl1.1:amd64.
Preparing to unpack .../06-libssl1.1_1.1.1d-0+deb10u2_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1d-0+deb10u2) ...
Selecting previously unselected package libcryptsetup12:amd64.
Preparing to unpack .../07-libcryptsetup12_2%3a2.1.0-5+deb10u2_amd64.deb ...
Unpacking libcryptsetup12:amd64 (2:2.1.0-5+deb10u2) ...
Selecting previously unselected package libidn11:amd64.
Preparing to unpack .../08-libidn11_1.33-2.2_amd64.deb ...
Unpacking libidn11:amd64 (1.33-2.2) ...
Selecting previously unselected package libip4tc0:amd64.
Preparing to unpack .../09-libip4tc0_1.8.2-4_amd64.deb ...
Unpacking libip4tc0:amd64 (1.8.2-4) ...
Selecting previously unselected package libkmod2:amd64.
Preparing to unpack .../10-libkmod2_26-1_amd64.deb ...
Unpacking libkmod2:amd64 (26-1) ...
Selecting previously unselected package systemd.
Preparing to unpack .../11-systemd_241-7~deb10u3_amd64.deb ...
Unpacking systemd (241-7~deb10u3) ...
Setting up libapparmor1:amd64 (2.13.2-10) ...
Setting up libcap2:amd64 (1:2.25-2) ...
Setting up libargon2-1:amd64 (0~20171227-0.2) ...
Setting up libjson-c3:amd64 (0.12.1+ds-2) ...
Setting up libssl1.1:amd64 (1.1.1d-0+deb10u2) ...
Setting up libidn11:amd64 (1.33-2.2) ...
Setting up libip4tc0:amd64 (1.8.2-4) ...
Setting up libkmod2:amd64 (26-1) ...
Setting up libdevmapper1.02.1:amd64 (2:1.02.155-3) ...
Setting up libcryptsetup12:amd64 (2:2.1.0-5+deb10u2) ...
Setting up systemd (241-7~deb10u3) ...
Created symlink /etc/systemd/system/getty.target.wants/getty@tty1.service → /lib/systemd/system/getty@.service.
Created symlink /etc/systemd/system/multi-user.target.wants/remote-fs.target → /lib/systemd/system/remote-fs.target.
Created symlink /etc/systemd/system/dbus-org.freedesktop.timesync1.service → /lib/systemd/system/systemd-timesyncd.service.
Created symlink /etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service → /lib/systemd/system/systemd-timesyncd.service.
Setting up dmsetup (2:1.02.155-3) ...
Selecting previously unselected package systemd-sysv.
(Reading database ... 7314 files and directories currently installed.)
Preparing to unpack .../systemd-sysv_241-7~deb10u3_amd64.deb ...
Unpacking systemd-sysv (241-7~deb10u3) ...
Setting up systemd-sysv (241-7~deb10u3) ...
Processing triggers for libc-bin (2.28-10) ...
Removing intermediate container d60aca12aaf3
 ---> 427c6ae67a33
Step 7/14 : RUN apt-get clean
 ---> Running in a2fe197df33f
Removing intermediate container a2fe197df33f
 ---> 2c93d30fd6b2
Step 8/14 : RUN rm -rf                            /var/lib/apt/lists/*              /var/log/alternatives.log         /var/log/apt/history.log          /var/log/apt/term.log             /var/log/dpkg.log
 ---> Running in 45df8a383ec0
Removing intermediate container 45df8a383ec0
 ---> 9a5826eac6fc
Step 9/14 : RUN systemctl mask --       dev-hugepages.mount     sys-fs-fuse-connections.mount
 ---> Running in 2d5cd7d13899
Created symlink /etc/systemd/system/dev-hugepages.mount → /dev/null.
Created symlink /etc/systemd/system/sys-fs-fuse-connections.mount → /dev/null.
Removing intermediate container 2d5cd7d13899
 ---> 5c2e3b76f180
Step 10/14 : RUN rm -f               /etc/machine-id     /var/lib/dbus/machine-id
 ---> Running in 7176990aba48
Removing intermediate container 7176990aba48
 ---> fc8e46da4385
Step 11/14 : ENV container docker
 ---> Running in 35ddb6d3857a
Removing intermediate container 35ddb6d3857a
 ---> 65e894367f97
Step 12/14 : STOPSIGNAL SIGRTMIN+3
 ---> Running in d603ba3c2a35
Removing intermediate container d603ba3c2a35
 ---> e0dbb4223313
Step 13/14 : VOLUME [ "/sys/fs/cgroup", "/run", "/run/lock", "/tmp" ]
 ---> Running in 52568ac0c61a
Removing intermediate container 52568ac0c61a
 ---> e9e5bc74e040
Step 14/14 : CMD [ "/sbin/init" ]
 ---> Running in faadf1a8084b
Removing intermediate container faadf1a8084b
 ---> dec5c8d68f44
Successfully built dec5c8d68f44
[user@M81 ]$ sudo docker tag dec5c8d68f44 buster-systemd

Use

This image can be used to start a container that runs in the background, with the host's cgroup tree mounted read-only (systemd needs it to start units; read-only keeps the container from rewriting the host's hierarchy but still exposes it, so keep this pattern to lab hosts you control; it also assumes cgroup v1, the CentOS 8 default):

[user@M81 ~]$ sudo docker run -d --name serveur -v /sys/fs/cgroup:/sys/fs/cgroup:ro buster-systemd
5f993eb665e284d51f9a7e72fa8dec2832de75e172e8a5adaff72c8fb7779b59
[user@M81 ~]$ sudo docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
5f993eb665e2        buster-systemd      "/sbin/init"        8 seconds ago       Up 7 seconds                            serveur
[user@M81 ~]$ sudo docker exec -it serveur /bin/bash
root@5f993eb665e2:/# exit
[user@M81 ~]$ sudo docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED              STATUS              PORTS               NAMES
5f993eb665e2        buster-systemd      "/sbin/init"        About a minute ago   Up About a minute                       serveur

The container keeps running after the shell is left: docker exec started an extra process inside the container, and exiting it does not touch PID 1 (/sbin/init), unlike the client container, where the shell was the only process.

Networking under Docker

By default

The network from which Docker containers receive an IP address is, by default, the one assigned to the docker0 interface.

This interface is a bridge:

[user@m81 ~]$ sudo docker start -i client
root@1267be5f49ea:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
root@1267be5f49ea:/# exit
[user@m81 ~]$ ip address show dev docker0
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:ad:1f:12:c5 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:adff:fe1f:12c5/64 scope link 
       valid_lft forever preferred_lft forever
[user@m81 ~]$ nmcli connection show docker0 | grep connection.type
connection.type:                        bridge

The docker network command gives similar information:

[user@m81 ~]$ sudo docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
6b0f98ae8584        bridge              bridge              local
f36ec9d55d60        host                host                local
f52ec303908c        none                null                local
[user@m81 ~]$ sudo docker network inspect 6b0f98ae8584 | grep -e bridge.name -e Subnet
                    "Subnet": "172.17.0.0/16",
            "com.docker.network.bridge.name": "docker0",

Creating a new “network”

The docker command can also create a new network:

[user@m81 ~]$ sudo docker network create dmz
3df5c6c32b351d27a21bfbb548156bd121103d9e96f05ff6938b37b2067d590b
[user@m81 ~]$ sudo docker network list
NETWORK ID          NAME                DRIVER              SCOPE
6b0f98ae8584        bridge              bridge              local
3df5c6c32b35        dmz                 bridge              local
f36ec9d55d60        host                host                local
f52ec303908c        none                null                local
[user@m81 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:bb:49:d5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.144.190/24 brd 192.168.144.255 scope global dynamic noprefixroute ens3
       valid_lft 34807sec preferred_lft 34807sec
    inet6 fe80::5c12:27fb:7a9f:8c76/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:ad:1f:12:c5 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:adff:fe1f:12c5/64 scope link 
       valid_lft forever preferred_lft forever
10: br-3df5c6c32b35: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:d0:50:20:98 brd ff:ff:ff:ff:ff:ff
    inet 172.21.0.1/16 brd 172.21.255.255 scope global br-3df5c6c32b35
       valid_lft forever preferred_lft forever

Docker chose a new private IP network (in the RFC 1918 sense), 172.21.0.0/16, and gave the host side of the bridge the address 172.21.0.1. Unlike docker0, a user-defined bridge is isolated from the other bridges (containers on dmz cannot reach containers on docker0 directly) and containers on it can resolve each other by name.

The server can then be started on that network:

[user@m81 ~]$ sudo docker run -d --name serveur --network dmz -v /sys/fs/cgroup:/sys/fs/cgroup:ro buster-systemd
[user@m81 ~]$ sudo docker exec -it serveur /bin/bash
root@57a13eba910e:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
11: eth0@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:15:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.21.0.2/16 brd 172.21.255.255 scope global eth0
       valid_lft forever preferred_lft forever
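Docker picks the next free 172.x.0.0/16 for a user-defined bridge by looking at the host's own routes, so ranges the host reaches only through its default gateway (a VPN, a remote site) are invisible to that check and end up shadowed by the new bridge. The helpers below are an added example, not part of the course page: they check a Docker network's subnet against the host's IPv4 routes plus a list of such ranges, using plain sh arithmetic, and create the dmz network with an explicit subnet and bridge name so the choice is not left to Docker. The network name dmz, the subnet 172.21.0.0/16 and the bridge name br-dmz are assumptions taken from the output above; KNOWN_RANGES is assumed to be maintained by the administrator.

```shell
#!/bin/sh
# Added example for this page, not part of the course material.
# Docker picks the next free 172.x.0.0/16 for a user-defined bridge by looking
# at the host's own routes; ranges reached only through the default gateway
# (a VPN, a remote site) are invisible to that check and get shadowed.
# These helpers check a Docker network against the host's IPv4 routes plus a
# list of such ranges, and create the dmz network with an explicit subnet.
# Assumptions: network name dmz, subnet 172.21.0.0/16 and bridge name br-dmz
# (taken from the page's output); KNOWN_RANGES is maintained by the admin.
set -eu

# Space-separated CIDRs the host reaches only via its default gateway.
KNOWN_RANGES=${KNOWN_RANGES:-}

# "a.b.c.d" -> 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# "a.b.c.d/p" -> "<network as integer> <mask as integer>"
cidr_parts() {
    p=${1#*/}
    mask=$(( p == 0 ? 0 : (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
    echo "$(( $(ip2int "${1%/*}") & mask )) $mask"
}

# True when the two blocks share at least one address: compare both under
# the shorter of the two prefixes (numerically the smaller mask).
cidr_overlap() {
    set -- $(cidr_parts "$1") $(cidr_parts "$2")
    m=$(( $2 < $4 ? $2 : $4 ))
    [ $(( $1 & m )) -eq $(( $3 & m )) ]
}

# True when block $1 lies entirely inside block $2.
cidr_within() {
    set -- $(cidr_parts "$1") $(cidr_parts "$2")
    [ "$2" -ge "$4" ] && [ $(( $1 & $4 )) -eq "$3" ]
}

# RFC 1918 private space: 10/8, 172.16/12, 192.168/16.
is_rfc1918() {
    cidr_within "$1" 10.0.0.0/8 || cidr_within "$1" 172.16.0.0/12 \
        || cidr_within "$1" 192.168.0.0/16
}

# Report every host route or known range the named Docker network overlaps;
# Docker's own bridges are skipped. Needs docker and iproute2.
docker_net_clashes() {
    subnet=$(docker network inspect -f '{{range .IPAM.Config}}{{.Subnet}}{{end}}' "$1")
    routes=$(ip -o -4 route show | awk '$1 ~ /\// {
        d = ""; for (i = 2; i < NF; i++) if ($i == "dev") d = $(i + 1)
        if (d !~ /^(docker0|br-)/) print $1 }')
    ret=0
    for range in $routes $KNOWN_RANGES; do
        if cidr_overlap "$subnet" "$range"; then
            echo "$1 ($subnet) overlaps $range"
            ret=1
        fi
    done
    return $ret
}

# Create dmz with a chosen private subnet and a readable bridge name instead
# of Docker's auto-picked 172.x/16 and br-<id>.
create_dmz() {
    is_rfc1918 "$1" || { echo "refusing non-private subnet $1" >&2; return 1; }
    docker network create --driver bridge --subnet "$1" \
        -o com.docker.network.bridge.name=br-dmz dmz
}

case ${1:-} in
    create) create_dmz "${2:-172.21.0.0/16}" ;;
    check)  docker_net_clashes "${2:-dmz}" ;;
esac
```

Run it as ./dmz.sh create 172.21.0.0/16 to create the network, then KNOWN_RANGES="10.50.0.0/16" ./dmz.sh check dmz to confirm the subnet collides neither with a local route nor with the ranges listed; a non-zero exit means at least one clash was printed.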