- Cluster = built for availability and load balancing (the application does not care which node it lands on; if a node dies and fails over, the cluster sorts it out on its own)


A database is needed to store the configuration (a NoSQL-style key:value store; here the discovery service etcd is used)

Node redundancy requires at least 3 nodes

- Recovery is possible as long as a majority of the nodes hold the same data

etcd is installed on each node with a local volume.

The master node holds no data of its own and is concerned only with the application


Communication between nodes requires an overlay network (VXLAN)

Communication with the external network goes through a bridge!


Swarm's advantage is that setup is simple

Kubernetes is hard to install


*Swarm scale-in / scale-out example:

[root@host01-2 ~]#  docker swarm join \
>     --token SWMTKN-1-0qw1ki2xppg9rh6fhw310wi4dhczl54hl3uweydrfo2ld3aw2z-06n8xco8k8gpzwstwl5u2s0pr \
>     10.10.12.13:2377
Error response from daemon: This node is already part of a swarm. Use "docker swarm leave" to leave this swarm and join another one.
[root@host01-2 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
76d13a20d92c        bridge              bridge              local
2626920fe992        docker_gwbridge     bridge              local
a4bddc4df10b        host                host                local
y39kmqh237vy        ingress             overlay             swarm
1e75b30aa8ac        isolated_nw         bridge              local
e9ef483dde2d        none                null                local
5c585fb9c7f2        temp_default        bridge              local
efe418b38219        test                bridge              local
[root@host01-2 ~]# docker service ls
ID                  NAME                MODE                REPLICAS            IMAGE               PORTS
[root@host01-2 ~]# docker service create --replicas 2 --name hello reg.cloud.com/alpine ping docker.com
q86onfawwioyu50p9pfoh78om
overall progress: 2 out of 2 tasks
1/2: running   [==================================================>]
2/2: running   [==================================================>]
verify: Service converged
[root@host01-2 ~]# docker service ps hello
ID                  NAME                IMAGE                         NODE                 DESIRED STATE       CURRENT STATE           ERROR               PORTS
c5q5vvadwnj7        hello.1             reg.cloud.com/alpine:latest   host01-2.cloud.com   Running             Running 2 minutes ago
wiqej3wj0xfy        hello.2             reg.cloud.com/alpine:latest   host01-2.cloud.com   Running             Running 2 minutes ago
[root@host01-2 ~]# docker service scale hello=4
hello scaled to 4
overall progress: 4 out of 4 tasks
1/4: running   [==================================================>]
2/4: running   [==================================================>]
3/4: running   [==================================================>]
4/4: running   [==================================================>]
verify: Service converged
[root@host01-2 ~]# docker service ps hello
ID                  NAME                IMAGE                         NODE                 DESIRED STATE       CURRENT STATE            ERROR               PORTS
c5q5vvadwnj7        hello.1             reg.cloud.com/alpine:latest   host01-2.cloud.com   Running             Running 3 minutes ago
wiqej3wj0xfy        hello.2             reg.cloud.com/alpine:latest   host01-2.cloud.com   Running             Running 3 minutes ago
n02v6wp29911        hello.3             reg.cloud.com/alpine:latest   host01-2.cloud.com   Running             Running 27 seconds ago
yse5jakppzod        hello.4             reg.cloud.com/alpine:latest   host01-2.cloud.com   Running             Running 27 seconds ago
[root@host01-2 ~]# docker service scale hello=1
hello scaled to 1
overall progress: 1 out of 1 tasks
1/1: running   [==================================================>]
verify: Service converged
[root@host01-2 ~]#


 






*etcd (the discovery service) knows and records the IP and host information of every node.


Normally, talking to another host means crossing the physical network segment, which is hard. The physical network can be made effectively transparent

=> Below the physical adapter is the physical network (underlay); above it is the overlay

=> Containers can also be attached to the bridge network and receive requests directly

=> VXLAN is the standard for tunneling?

=> Source / destination can be specified!


*Port settings:

- Using the EXPOSE information, the host finds the container's port on its own.

- External clients connect through the LB

- The LB connects to several hosts (the ports are discovered and configured automatically)

There are three methods:
1) -p <host port>:<container port>

2) -p <container port>

3) Map a dynamically allocated host port to every port exposed with EXPOSE or --expose: -P
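Added example (not code from the original notes): a small model of the three publishing forms above, parsing `-p` values with the same grammar as `docker run -p` and modelling `-P` as "every exposed port gets an ephemeral host port". The 0.0.0.0 default is the host_binding_ipv4 value seen in the bridge inspect output later on this page; the function names and sample specs are constructed for this example.

```python
"""Model the three port-publishing forms listed above.

Added example, not code from the original notes. parse_publish() reads a
`-p` argument the way the Docker CLI does and publish_all() models `-P`
(every EXPOSE/--expose port mapped to an ephemeral host port). The
0.0.0.0 default mirrors the bridge option
com.docker.network.bridge.host_binding_ipv4 shown later on this page.
All function names and sample specs are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Binding:
    host_ip: str
    host_port: Optional[int]  # None: Docker assigns an ephemeral port
    container_port: int
    proto: str = "tcp"

    def exposed_to_all_interfaces(self) -> bool:
        """True when the mapping listens on every host interface."""
        return self.host_ip in ("0.0.0.0", "::")


def parse_publish(spec: str, default_ip: str = "0.0.0.0") -> Binding:
    """Parse one `-p` value.

    Forms accepted (same grammar as `docker run -p`):
      <containerPort>                  page's form 2: ephemeral host port
      <hostPort>:<containerPort>       page's form 1
      <ip>:<hostPort>:<containerPort>  explicit bind address
      <ip>::<containerPort>            explicit address, ephemeral port
    A trailing /tcp or /udp selects the protocol (tcp when omitted).
    """
    ports, _, proto = spec.partition("/")
    proto = proto or "tcp"
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError(f"unknown protocol in {spec!r}")
    fields = ports.split(":")
    if len(fields) == 1:
        ip, host, cont = "", "", fields[0]
    elif len(fields) == 2:
        ip, (host, cont) = "", fields
    elif len(fields) == 3:
        ip, host, cont = fields
    else:
        raise ValueError(f"malformed publish spec {spec!r}")
    if not cont.isdigit() or (host and not host.isdigit()):
        raise ValueError(f"non-numeric port in {spec!r}")
    return Binding(ip or default_ip, int(host) if host else None,
                   int(cont), proto)


def publish_all(exposed: List[str], default_ip: str = "0.0.0.0",
                first_ephemeral: int = 32768) -> List[Binding]:
    """Model `-P`: each exposed port ("80/tcp", "5000") gets a host port.

    Real Docker draws from the kernel's ip_local_port_range at random; the
    sequential assignment here only makes the result deterministic.
    """
    bindings = []
    for offset, spec in enumerate(exposed):
        b = parse_publish(spec, default_ip)   # container-port-only form
        bindings.append(Binding(b.host_ip, first_ephemeral + offset,
                                b.container_port, b.proto))
    return bindings


def wide_open(bindings: List[Binding]) -> List[str]:
    """List the mappings reachable from every interface, i.e. the ones a
    reviewer should confirm are meant to be public rather than 127.0.0.1."""
    return [f"{b.host_ip}:{b.host_port if b.host_port is not None else '<ephemeral>'}"
            f"->{b.container_port}/{b.proto}"
            for b in bindings if b.exposed_to_all_interfaces()]


if __name__ == "__main__":
    # -p 8000:80 (the compose example on this page), a loopback-only DB
    # port, and -P over the two ports the registry image exposes.
    sample = [parse_publish("8000:80"), parse_publish("127.0.0.1:3306:3306")]
    sample += publish_all(["80/tcp", "5000/tcp"])
    for line in wide_open(sample):
        print("listens on all interfaces:", line)
```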


Kubernetes = the component that manages things as a group (an orchestration tool)

Docker = thinks only at the application level

 




*The docker cp command


[root@host01-2 ~]# docker cp keen_newton:/etc/docker/registry/config.yml .



[root@host01-2 ~]# docker run -dp 80:80 -v $(pwd)/config.yml:/config.yml registry:2.5 config.yml
d60aad9dcefbd9f75511d176c51e65b9fdc4740f665aa98afed3e2e370de79cc
[root@host01-2 ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                          NAMES
d60aad9dcefb        registry:2.5        "/entrypoint.sh conf…"   10 seconds ago      Up 9 seconds        0.0.0.0:80->80/tcp, 5000/tcp   flamboyant_joliot
[root@host01-2 ~]# docker exec -it d60aad9dcefb sh
/ # ls
bin            etc            media          run            tmp
config.yml     home           mnt            sbin           usr
dev            lib            proc           srv            var
entrypoint.sh  linuxrc        root           sys
/ # vi config.yml
/ # exit
[root@host01-2 ~]#


*Docker Compose:

docker compose = single host

docker swarm (cluster management tool) = multi-host


Compose and Swarm can now be used together..


* Standard: deploy to hosts through YAML? The CLI is just a simple invocation


*Installing Docker Compose:

[root@host01-2 docker]# curl -L https://github.com/docker/compose/releases/download/1.21.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   617    0   617    0     0     93      0 --:--:--  0:00:06 --:--:--   150
100 10.3M  100 10.3M    0     0   374k      0  0:00:28  0:00:28 --:--:-- 1122k
[root@host01-2 docker]#
[root@host01-2 docker]# chmod +x /usr/local/bin/docker-compose
[root@host01-2 docker]# docker-compose version
docker-compose version 1.21.0, build 5920eb0
docker-py version: 3.2.1
CPython version: 3.6.5
OpenSSL version: OpenSSL 1.0.1t  3 May 2016
[root@host01-2 docker]#


*YAML file example:

- Similar to XML; indentation is by spaces, tabs are not allowed!!


version: '3.3'
 
services:
   db:
     image: reg.cloud.com/mysql:5.7
     volumes:  # volume the container is started with
       - dbdata:/var/lib/mysql
     restart: always
     environment:
       MYSQL_ROOT_PASSWORD: somewordpress
       MYSQL_DATABASE: wordpress
       MYSQL_USER: wordpress
       MYSQL_PASSWORD: wordpress
 
   wordpress:
     depends_on: # start ordering (db is started first)
       - db
     image: reg.cloud.com/wordpress:latest
     ports:
       - "8000:80" # port mapping
     restart: always
     environment:
       WORDPRESS_DB_HOST: db:3306
       WORDPRESS_DB_USER: wordpress
       WORDPRESS_DB_PASSWORD: wordpress
volumes:
    dbdata: # volume name


*Installing WordPress by running the yml file (in the end, what matters is writing the yml file well)
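Added example (not code from the original notes): the compose file above carries the MySQL and WordPress passwords as plain environment values. The script below takes that file as a Python dict (constructed here so it runs without PyYAML), lists the plaintext credentials, and rewrites them to Compose `secrets` with a `file:` source, which the official mysql and wordpress images read through their documented `<VAR>_FILE` variables. The ./secrets/ directory and the generated secret names are this example's own choices.

```python
"""Find plaintext credentials in a Compose file and move them to file secrets.

Added example, not code from the original notes. COMPOSE is the page's
docker-compose.yml rendered as a Python dict (constructed so the example
runs without PyYAML). The rewrite relies on the official mysql and
wordpress images honouring the <VAR>_FILE convention (MYSQL_ROOT_PASSWORD_FILE,
MYSQL_PASSWORD_FILE, WORDPRESS_DB_PASSWORD_FILE); the ./secrets/ directory
and the secret names are this example's own.
"""
import copy
import re
from typing import Dict, List, Tuple

# Variable names that conventionally carry credentials.
SENSITIVE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN)$")

# The page's compose file as a dict (constructed sample input).
COMPOSE = {
    "version": "3.3",
    "services": {
        "db": {
            "image": "reg.cloud.com/mysql:5.7",
            "volumes": ["dbdata:/var/lib/mysql"],
            "restart": "always",
            "environment": {
                "MYSQL_ROOT_PASSWORD": "somewordpress",
                "MYSQL_DATABASE": "wordpress",
                "MYSQL_USER": "wordpress",
                "MYSQL_PASSWORD": "wordpress",
            },
        },
        "wordpress": {
            "depends_on": ["db"],
            "image": "reg.cloud.com/wordpress:latest",
            "ports": ["8000:80"],
            "restart": "always",
            "environment": {
                "WORDPRESS_DB_HOST": "db:3306",
                "WORDPRESS_DB_USER": "wordpress",
                "WORDPRESS_DB_PASSWORD": "wordpress",
            },
        },
    },
    "volumes": {"dbdata": {}},
}


def _env_dict(service: dict) -> Dict[str, str]:
    """Compose accepts environment as a mapping or as a ["K=v", ...] list."""
    env = service.get("environment", {})
    if isinstance(env, list):
        env = dict(item.split("=", 1) if "=" in item else (item, "")
                   for item in env)
    return dict(env)


def find_plaintext_secrets(compose: dict) -> List[Tuple[str, str]]:
    """(service, variable) pairs whose value is a literal credential.

    ${VAR} references are filled from the caller's shell, not stored in the
    file, so they are not reported.
    """
    hits = []
    for name, svc in compose.get("services", {}).items():
        for key, value in _env_dict(svc).items():
            if SENSITIVE.search(key) and not str(value).startswith("${"):
                hits.append((name, key))
    return hits


def to_file_secrets(compose: dict, secrets_dir: str = "./secrets") -> dict:
    """Return a copy in which every flagged variable becomes <VAR>_FILE
    pointing at /run/secrets/<name> (where Docker mounts secrets) and the
    secret is declared at top level with a file: source. The compose file
    then holds no credential; the files under secrets_dir are created
    out-of-band (mode 0600) and kept out of version control.
    """
    out = copy.deepcopy(compose)
    for service, key in find_plaintext_secrets(compose):
        svc = out["services"][service]
        env = _env_dict(svc)
        secret = f"{service}_{key.lower()}"
        del env[key]
        env[f"{key}_FILE"] = f"/run/secrets/{secret}"
        svc["environment"] = env
        svc.setdefault("secrets", []).append(secret)
        out.setdefault("secrets", {})[secret] = {"file": f"{secrets_dir}/{secret}"}
    return out


if __name__ == "__main__":
    for service, key in find_plaintext_secrets(COMPOSE):
        print(f"plaintext credential: services.{service}.environment.{key}")
    print(to_file_secrets(COMPOSE)["secrets"])
```

Only variables the image actually reads through a `_FILE` variant can be rewritten this way; for other images the same top-level `secrets` block still works, but the application must be told to read the file itself.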

[root@host01-2 temp]# docker volume ls
DRIVER              VOLUME NAME
local               2042e79725f9ebcc220a00ec036065afe47f6a313c7fbc37424dc06707506024
local               3731b5e0372bf0b19e572f7022041069ef60631b68035fb044241a38f6de04de
local               4a35da8fe0f8f7855c92230679c18089d8734a66754c8e8523ac486a55cc4d05
local               5aaa3c1d276e0a539b0928437df457197be510c035cbfa8d34a7b7c345060335
local               6a37dd2b5eda64b880db3e122f3985e45bd249c94030d2db0d158691a45901eb
local               7177f41f8225923f8cde394fcd529b72ab9719a35fc1bd9723e2a6f2ab707681
local               7267f43dfed496a69277236002ab423079b871400ff68596856517e57291e7b3
local               9a8f8faa0acf42207fe6d8e6b24598edb2a3561616bf4f9abcc27295773ffa76
local               data
local               f4f24f0b97c0e0e3d739141827867affd43edd21b3667de33e7527a888b43f12
[root@host01-2 temp]# docker rm -rf volume
unknown shorthand flag: 'r' in -rf
See 'docker rm --help'.
[root@host01-2 temp]# docker rm -f volume
Error: No such container: volume
[root@host01-2 temp]# docker rm -f volume 2042e79725f9ebcc220a00ec036065afe47f6a313c7fbc37424dc06707506024 3731b5e0372bf0b19e572f7022041069ef60631b68035fb044241a38f6de04de
Error: No such container: volume
Error: No such container: 2042e79725f9ebcc220a00ec036065afe47f6a313c7fbc37424dc06707506024
Error: No such container: 3731b5e0372bf0b19e572f7022041069ef60631b68035fb044241a38f6de04de
[root@host01-2 temp]#
[root@host01-2 temp]#
[root@host01-2 temp]#
[root@host01-2 temp]#
[root@host01-2 temp]# docker-compose -f docker-compose.yml ^C
[root@host01-2 temp]# clear
[root@host01-2 temp]# ls
docker-compose.yml
[root@host01-2 temp]# docker-compose up -d
Creating network "temp_default" with the default driver
Creating volume "temp_dbdata" with default driver
Pulling db (reg.cloud.com/mysql:5.7)...
5.7: Pulling from mysql
Digest: sha256:a0423a7d021b7a7775f1d2db1014bd15fde029f538c1f8d97c9832aa4a25209f
Status: Downloaded newer image for reg.cloud.com/mysql:5.7
Pulling wordpress (reg.cloud.com/wordpress:latest)...
latest: Pulling from wordpress
85b1f47fba49: Already exists
d8204bc92725: Pull complete
92fc16bb18e4: Pull complete
31098e61b2ae: Pull complete
f6ae64bfd33d: Pull complete
003c1818b354: Pull complete
a6fd4aeb32ad: Pull complete
a094df7cedc1: Pull complete
e3bf6fc1a51d: Pull complete
ad235c260360: Pull complete
edbf48bcbd7e: Pull complete
fd6ae81d5745: Pull complete
69838fd876d6: Pull complete
3186ebffd72d: Pull complete
b24a415ea2c0: Pull complete
225bda14ea90: Pull complete
fc0ad3550a92: Pull complete
0e4600933a8c: Pull complete
Digest: sha256:5b3b36db3c19d5b8c6ded6facec4daac57fe2ea1879351a2e65ac8919cea37ce
Status: Downloaded newer image for reg.cloud.com/wordpress:latest
Creating temp_db_1 ... done
Creating temp_wordpress_1 ... done
[root@host01-2 temp]# docker-comose ps
-bash: docker-comose: command not found
[root@host01-2 temp]# docker-compose ps
      Name                    Command               State          Ports
--------------------------------------------------------------------------------
temp_db_1          docker-entrypoint.sh mysqld      Up      3306/tcp
temp_wordpress_1   docker-entrypoint.sh apach ...   Up      0.0.0.0:8000->80/tcp
[root@host01-2 temp]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
76d13a20d92c        bridge              bridge              local
a4bddc4df10b        host                host                local
1e75b30aa8ac        isolated_nw         bridge              local
e9ef483dde2d        none                null                local
02e52b7344b7        temp_default        bridge              local
efe418b38219        test                bridge              local
[root@host01-2 temp]# docker volum ls
docker: 'volum' is not a docker command.
See 'docker --help'
[root@host01-2 temp]# docker volume ls
DRIVER              VOLUME NAME
local               2042e79725f9ebcc220a00ec036065afe47f6a313c7fbc37424dc06707506024
local               3731b5e0372bf0b19e572f7022041069ef60631b68035fb044241a38f6de04de
local               4a35da8fe0f8f7855c92230679c18089d8734a66754c8e8523ac486a55cc4d05
local               5aaa3c1d276e0a539b0928437df457197be510c035cbfa8d34a7b7c345060335
local               67e959ee45f5221450510cbd82e314be628275fdfc34729002ed667c026e94b8
local               6a37dd2b5eda64b880db3e122f3985e45bd249c94030d2db0d158691a45901eb
local               7177f41f8225923f8cde394fcd529b72ab9719a35fc1bd9723e2a6f2ab707681
local               7267f43dfed496a69277236002ab423079b871400ff68596856517e57291e7b3
local               9a8f8faa0acf42207fe6d8e6b24598edb2a3561616bf4f9abcc27295773ffa76
local               data
local               f4f24f0b97c0e0e3d739141827867affd43edd21b3667de33e7527a888b43f12
local               temp_dbdata
[root@host01-2 temp]# ls /var/lib/docker/volumse/lab_dbdata/_data/-l
ls: cannot access /var/lib/docker/volumse/lab_dbdata/_data/-l: No such file or directory
[root@host01-2 temp]# ls /var/lib/docker/volumse/lab_dbdata/_data/ -l
ls: cannot access /var/lib/docker/volumse/lab_dbdata/_data/: No such file or directory
[root@host01-2 temp]# ls /var/lib/docker/volumes/temp_dbdata/_data/ -l
total 188488
-rw-r----- 1 polkitd ssh_keys       56 May 24 17:19 auto.cnf
-rw------- 1 polkitd ssh_keys     1675 May 24 17:19 ca-key.pem
-rw-r--r-- 1 polkitd ssh_keys     1107 May 24 17:19 ca.pem
-rw-r--r-- 1 polkitd ssh_keys     1107 May 24 17:19 client-cert.pem
-rw------- 1 polkitd ssh_keys     1679 May 24 17:19 client-key.pem
-rw-r----- 1 polkitd ssh_keys     1321 May 24 17:19 ib_buffer_pool
-rw-r----- 1 polkitd ssh_keys 79691776 May 24 17:21 ibdata1
-rw-r----- 1 polkitd ssh_keys 50331648 May 24 17:21 ib_logfile0
-rw-r----- 1 polkitd ssh_keys 50331648 May 24 17:19 ib_logfile1
-rw-r----- 1 polkitd ssh_keys 12582912 May 24 17:21 ibtmp1
drwxr-x--- 2 polkitd ssh_keys     4096 May 24 17:19 mysql
drwxr-x--- 2 polkitd ssh_keys     8192 May 24 17:19 performance_schema
-rw------- 1 polkitd ssh_keys     1679 May 24 17:19 private_key.pem
-rw-r--r-- 1 polkitd ssh_keys      451 May 24 17:19 public_key.pem
-rw-r--r-- 1 polkitd ssh_keys     1107 May 24 17:19 server-cert.pem
-rw------- 1 polkitd ssh_keys     1675 May 24 17:19 server-key.pem
drwxr-x--- 2 polkitd ssh_keys     8192 May 24 17:19 sys
drwxr-x--- 2 polkitd ssh_keys     4096 May 24 17:21 wordpress
[root@host01-2 temp]# docker-compose down
Stopping temp_wordpress_1 ... done
Stopping temp_db_1        ... done
Removing temp_wordpress_1 ... done
Removing temp_db_1        ... done
Removing network temp_default
[root@host01-2 temp]# docker-compose ps
Name   Command   State   Ports
------------------------------
[root@host01-2 temp]# docker volume ls
DRIVER              VOLUME NAME
local               2042e79725f9ebcc220a00ec036065afe47f6a313c7fbc37424dc06707506024
local               3731b5e0372bf0b19e572f7022041069ef60631b68035fb044241a38f6de04de
local               4a35da8fe0f8f7855c92230679c18089d8734a66754c8e8523ac486a55cc4d05
local               5aaa3c1d276e0a539b0928437df457197be510c035cbfa8d34a7b7c345060335
local               67e959ee45f5221450510cbd82e314be628275fdfc34729002ed667c026e94b8
local               6a37dd2b5eda64b880db3e122f3985e45bd249c94030d2db0d158691a45901eb
local               7177f41f8225923f8cde394fcd529b72ab9719a35fc1bd9723e2a6f2ab707681
local               7267f43dfed496a69277236002ab423079b871400ff68596856517e57291e7b3
local               9a8f8faa0acf42207fe6d8e6b24598edb2a3561616bf4f9abcc27295773ffa76
local               data
local               f4f24f0b97c0e0e3d739141827867affd43edd21b3667de33e7527a888b43f12
local               temp_dbdata
[root@host01-2 temp]# docker-compose up -d
Creating network "temp_default" with the default driver
Creating temp_db_1 ... done
Creating temp_wordpress_1 ... done
[root@host01-2 temp]#






*Docker's network model:

It uses the CNM: Container Network Model


SandboxID...

The sandbox is what holds a container's networking configuration in an isolated environment


        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "91896e3968b1aedee2ba4275531b7ff1435f2cd3233a703c553990f65246cdeb",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {},
            "SandboxKey": "/var/run/docker/netns/91896e3968b1",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "8bd83561b900d05dab2ed804b28ded759cf1e174858dad6e6c6d47f549e33d51",
            "Gateway": "172.17.0.1",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "172.17.0.2",
            "IPPrefixLen": 16,
            "IPv6Gateway": "",
            "MacAddress": "02:42:ac:11:00:02",
            "Networks": {
                "bridge": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": null,
                    "NetworkID": "76d13a20d92c8d68860705f57e8989055660ac78cafea4eaa033cb1fd856e6fa",
                    "EndpointID": "8bd83561b900d05dab2ed804b28ded759cf1e174858dad6e6c6d47f549e33d51",
                    "Gateway": "172.17.0.1",
                    "IPAddress": "172.17.0.2",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:ac:11:00:02",
                    "DriverOpts": null
                }
            }
        }
    }
]
[root@host01-2 _data]# ^C
[root@host01-2 _data]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
76d13a20d92c        bridge              bridge              local
a4bddc4df10b        host                host                local
e9ef483dde2d        none                null                local
[root@host01-2 _data]# docker attach 76d13a20d92c
Error: No such container: 76d13a20d92c
[root@host01-2 _data]# docker ps
CONTAINER ID        IMAGE                   COMMAND             CREATED             STATUS              PORTS               NAMES
e3343a6dd1be        reg.cloud.com/busybox   "sh"                2 minutes ago       Up 2 minutes                            focused_albattani
[root@host01-2 _data]# docker attach e3343a6dd1be
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
150: eth0@if151: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
/ #


For instances on different L2 segments to communicate with each other...

A separate container with eth0 acts as the bridge for the two containers.


*Docker's default network


Communication goes through docker0. Below is the bridge configuration:


[root@host01-2 _data]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
76d13a20d92c        bridge              bridge              local
a4bddc4df10b        host                host                local
e9ef483dde2d        none                null                local
 
[root@host01-2 _data]# docker inspect bridge
[
    {
        "Name": "bridge",
        "Id": "76d13a20d92c8d68860705f57e8989055660ac78cafea4eaa033cb1fd856e6fa",
        "Created": "2018-05-21T15:11:08.970105946+09:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",  # the bridge's subnet
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",  # allow communication within the same bridge? If this is false, containers cannot talk to each other
            "com.docker.network.bridge.enable_ip_masquerade": "true",  # masquerade acts as a kind of NAT
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",  # docker0 acts as the bridge
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]
[root@host01-2 _data]#


- By default, Docker's network traffic leaves the host through iptables rules.

=> Almost no network latency... nearly on par with bare metal

=> On the other hand, there are security-sensitive aspects.
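Added example (not code from the original notes): a check over `docker network inspect` output that spells out what the options annotated above mean operationally. SAMPLE is a constructed JSON document modelled on the `docker inspect bridge` output on this page (container IDs shortened); the finding codes and their wording are this example's own.

```python
"""Audit a Docker network definition from `docker network inspect` output.

Added example, not code from the original notes. SAMPLE is a constructed
JSON document modelled on the `docker inspect bridge` output shown on this
page (container IDs shortened). enable_icc and enable_ip_masquerade are
realised as iptables rules on the host, host_binding_ipv4 is the default
address for -p. Finding codes and their wording are this example's own.
"""
import json
from typing import Dict, List

OPT = "com.docker.network.bridge."

SAMPLE = """[
  {
    "Name": "bridge",
    "Driver": "bridge",
    "Scope": "local",
    "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]},
    "Internal": false,
    "Attachable": false,
    "Containers": {
      "8c4add8d8d16": {"Name": "c1", "IPv4Address": "172.17.0.2/16"},
      "703292574cb0": {"Name": "c2", "IPv4Address": "172.17.0.3/16"}
    },
    "Options": {
      "com.docker.network.bridge.default_bridge": "true",
      "com.docker.network.bridge.enable_icc": "true",
      "com.docker.network.bridge.enable_ip_masquerade": "true",
      "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
      "com.docker.network.bridge.name": "docker0",
      "com.docker.network.driver.mtu": "1500"
    }
  }
]"""

MESSAGES = {
    "icc-open": "enable_icc=true: every container on this bridge can reach "
                "every other one on any port (no iptables DROP between them)",
    "default-bridge": "containers sit on the default bridge: no embedded DNS "
                      "and no per-application isolation; use a user-defined network",
    "masquerade": "enable_ip_masquerade=true with Internal=false: containers "
                  "have outbound access through the host (POSTROUTING MASQUERADE)",
    "bind-all": "host_binding_ipv4=0.0.0.0: -p without an address publishes "
                "on every host interface",
}


def load_networks(raw: str) -> List[dict]:
    """Parse the JSON array that `docker network inspect` prints."""
    return json.loads(raw)


def audit_network(net: dict) -> List[str]:
    """Return finding codes for one network object (see MESSAGES)."""
    opts = net.get("Options") or {}
    # User-defined bridges usually carry an empty Options map; the daemon
    # then applies its defaults, which are the fallbacks used below.
    icc = opts.get(OPT + "enable_icc", "true") == "true"
    masq = opts.get(OPT + "enable_ip_masquerade", "true") == "true"
    bind_ip = opts.get(OPT + "host_binding_ipv4", "0.0.0.0")
    members = len(net.get("Containers") or {})
    codes = []
    if icc and members > 1:
        codes.append("icc-open")
    if opts.get(OPT + "default_bridge") == "true" and members > 0:
        codes.append("default-bridge")
    if masq and not net.get("Internal", False):
        codes.append("masquerade")
    if bind_ip == "0.0.0.0":
        codes.append("bind-all")
    return codes


def audit_inspect_output(raw: str) -> Dict[str, List[str]]:
    """Map network name -> finding codes for a whole inspect document."""
    return {net["Name"]: audit_network(net) for net in load_networks(raw)}


def report(raw: str) -> str:
    """Human-readable version of audit_inspect_output()."""
    lines = []
    for name, codes in audit_inspect_output(raw).items():
        lines.append(f"network {name}:")
        lines.extend(f"  - {MESSAGES[c]}" for c in codes)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

On a live host the same check runs over `docker network inspect $(docker network ls -q)`.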


- Communication between containers (if C1: 80, C2: 81, C3: 82, how do they talk to each other?):
=> They communicate over localhost.


- In the end Docker comes down to one thing (the driver called bridge):

[root@host01-2 _data]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
76d13a20d92c        bridge              bridge              local  # bridge
a4bddc4df10b        host                host                local  # shares the host's network
e9ef483dde2d        none                null                local  # no network






* Multi-host networking (using VXLAN) / single-host networking


- VXLAN

- SDN

- NFV


- Service Chaining

When designing a distributed network with security in mind,

if the network is built on L2 but there is only one IPS, the architecture must ultimately route the instances that have no IPS through the one instance that does.

IaaS > PaaS



[root@host01-2 _data]# docker inspect bridge
[
    {
        "Name": "bridge",
        "Id": "76d13a20d92c8d68860705f57e8989055660ac78cafea4eaa033cb1fd856e6fa",
        "Created": "2018-05-21T15:11:08.970105946+09:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},  # no containers attached
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]
[root@host01-2 _data]# docker inspect bridge
[
    {
        "Name": "bridge",
        "Id": "76d13a20d92c8d68860705f57e8989055660ac78cafea4eaa033cb1fd856e6fa",
        "Created": "2018-05-21T15:11:08.970105946+09:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "8c4add8d8d16d6b7d9eb247cee125e012a803c61f5b6592c8819dd30b926fbab": {
                "Name": "c1",
                "EndpointID": "dfda49ba957d32e371c012c3952f01aaff83e2c3c9668fbae07cb53595ef02d5",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]
[root@host01-2 _data]# docker inspect bridge
[
    {
        "Name": "bridge",
        "Id": "76d13a20d92c8d68860705f57e8989055660ac78cafea4eaa033cb1fd856e6fa",
        "Created": "2018-05-21T15:11:08.970105946+09:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "703292574cb0d7730b1fe601acf826a99ac2530b056624ae2ad808e1e90db2f1": {
                "Name": "c2",
                "EndpointID": "43da37e1fef531cf525de9dae8801889e819108f27113bed9b09bda6e82cb95e",
                "MacAddress": "02:42:ac:11:00:03",
                "IPv4Address": "172.17.0.3/16",
                "IPv6Address": ""
            },
            "8c4add8d8d16d6b7d9eb247cee125e012a803c61f5b6592c8819dd30b926fbab": {
                "Name": "c1",
                "EndpointID": "dfda49ba957d32e371c012c3952f01aaff83e2c3c9668fbae07cb53595ef02d5",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]
[root@host01-2 _data]# docker attach c1
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
152: eth0@if153: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
/ # exit
d[root@host01-2 _data]# docker ps a
"docker ps" accepts no arguments.
See 'docker ps --help'.
 
Usage:  docker ps [OPTIONS] [flags]
 
List containers
[root@host01-2 _data]# docker ps -aa
CONTAINER ID        IMAGE                   COMMAND             CREATED             STATUS                     PORTS               NAMES
703292574cb0        reg.cloud.com/busybox   "sh"                29 seconds ago      Up 27 seconds                                  c2
8c4add8d8d16        reg.cloud.com/busybox   "sh"                50 seconds ago      Exited (0) 5 seconds ago                       c1
[root@host01-2 _data]# docker ps -a
CONTAINER ID        IMAGE                   COMMAND             CREATED             STATUS                     PORTS               NAMES
703292574cb0        reg.cloud.com/busybox   "sh"                31 seconds ago      Up 29 seconds                                  c2
8c4add8d8d16        reg.cloud.com/busybox   "sh"                52 seconds ago      Exited (0) 7 seconds ago                       c1
[root@host01-2 _data]# network inspect
-bash: network: command not found
[root@host01-2 _data]# docker network inspect
"docker network inspect" requires at least 1 argument.
See 'docker network inspect --help'.
 
Usage:  docker network inspect [OPTIONS] NETWORK [NETWORK...] [flags]
 
Display detailed information on one or more networks
[root@host01-2 _data]# docker inspect bridge
[
    {
        "Name": "bridge",
        "Id": "76d13a20d92c8d68860705f57e8989055660ac78cafea4eaa033cb1fd856e6fa",
        "Created": "2018-05-21T15:11:08.970105946+09:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "703292574cb0d7730b1fe601acf826a99ac2530b056624ae2ad808e1e90db2f1": {
                "Name": "c2",  # c1 is gone, only c2 remains
                "EndpointID": "43da37e1fef531cf525de9dae8801889e819108f27113bed9b09bda6e82cb95e",
                "MacAddress": "02:42:ac:11:00:03",
                "IPv4Address": "172.17.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]
[root@host01-2 _data]#
[root@host01-2 _data]# docker ps  -a
CONTAINER ID        IMAGE                   COMMAND             CREATED             STATUS                     PORTS               NAMES
703292574cb0        reg.cloud.com/busybox   "sh"                3 minutes ago       Up 3 minutes                                   c2
8c4add8d8d16        reg.cloud.com/busybox   "sh"                3 minutes ago       Exited (0) 2 minutes ago                       c1
[root@host01-2 _data]# docker attach c2
/ # cat /etc/resolv.conf
# Generated by NetworkManager
search cloud.com
nameserver 10.10.12.1


*By default the host network is shared, so communication goes through docker0. To use a User Defined Network... DNS configuration is needed... you can create a user-defined network and run containers on it,


* Creating a user-defined network and running containers on it

The container name is registered in DNS


*Let's start containers C3 and C4 on a user-defined network (a network separate from the existing host network):

(When C3 pings C4, DNS supplies the IP.)

[root@host01-2 _data]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
76d13a20d92c        bridge              bridge              local
a4bddc4df10b        host                host                local
e9ef483dde2d        none                null                local
[root@host01-2 _data]# docker network create test
efe418b38219518e5a7b4d09902dd5c4772c9a4ce9a715a842b60d6848165825
 
[root@host01-2 _data]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
76d13a20d92c        bridge              bridge              local
a4bddc4df10b        host                host                local
e9ef483dde2d        none                null                local
efe418b38219        test                bridge              local
[root@host01-2 _data]# docker run --name c3 --network=test --itd reg.cloud.com/busybox
unknown flag: --itd
See 'docker run --help'.
[root@host01-2 _data]# docker run --name c3 --network=test -itd reg.cloud.com/busybox
28674f6d5ac97c95694b4342a76e34120c872c9914881d7fb7a8d9860f587fe8
[root@host01-2 _data]# docker run --name c4 --network=test -itd reg.cloud.com/busybox
48d67f53f81a5c61a1358e02576a1000d8a8d1395df4dfb13e0675408d90d714
[root@host01-2 _data]# docker attach c3
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
157: eth0@if158: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
       valid_lft forever preferred_lft forever
/ # hostname
28674f6d5ac9
/ # ping c4
PING c4 (172.18.0.3): 56 data bytes
64 bytes from 172.18.0.3: seq=0 ttl=64 time=0.257 ms
64 bytes from 172.18.0.3: seq=1 ttl=64 time=0.178 ms
64 bytes from 172.18.0.3: seq=2 ttl=64 time=0.177 ms
64 bytes from 172.18.0.3: seq=3 ttl=64 time=0.181 ms
64 bytes from 172.18.0.3: seq=4 ttl=64 time=0.180 ms
64 bytes from 172.18.0.3: seq=5 ttl=64 time=0.178 ms
64 bytes from 172.18.0.3: seq=6 ttl=64 time=0.178 ms
64 bytes from 172.18.0.3: seq=7 ttl=64 time=0.206 ms







* Configuring a user-defined network separate from docker0:
create a new user-defined network named isolated_nw and
set up containers C3, C4 and C5 on it.


Look up C4 under the name web

Look up C5 under the name db


* Assigning aliases (configured with --link): ping also works with the names db and web

[root@host01-2 ~]# docker run --network=isolated_nw -itd --name c5 --link c4:web  reg.cloud.com/b^Cybox
[root@host01-2 ~]# docker rm -f $(docker ps -aq)
9891fb7e3af2
ec900985c74c
1df32b36382b
33c48eda73cc
079bb7c7c709
[root@host01-2 ~]# docker run --network=isolated_nw -itd --name c5 --link c4:web  reg.cloud.com/busybox
0a0c051a84839085601e938e3843015263b1867cf87db9985051cb20d2aca433
[root@host01-2 ~]# docker run --network=isolated_nw -itd --name c4 --link c5:db  reg.cloud.com/busybox
6c07e34435a360d3142f0955a06a64197775902095ea54ff9009c6107593c98d
[root@host01-2 ~]# docker attach c4
/ # ping c5
PING c5 (172.25.0.2): 56 data bytes
64 bytes from 172.25.0.2: seq=0 ttl=64 time=0.287 ms
64 bytes from 172.25.0.2: seq=1 ttl=64 time=0.180 ms
^C
--- c5 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.180/0.233/0.287 ms
/ # ping db
PING db (172.25.0.2): 56 data bytes
64 bytes from 172.25.0.2: seq=0 ttl=64 time=0.159 ms
64 bytes from 172.25.0.2: seq=1 ttl=64 time=0.183 ms
^C
--- db ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.159/0.171/0.183 ms
/ # ^C
/ #



* Assigning aliases (configured with --network-alias): calling the alias returns c6 and c7 in round-robin fashion


[root@host01-2 ~]# docker run -itd --network=isolated_nw --name c6 --network-alias app reg.cloud.com/busybox
117113d2b352a4a7253914d1b1178cf92e6ef6aa49bf194f25f81fe8ccf5452a
[root@host01-2 ~]# docker run -itd --network=isolated_nw --name c7 --network-alias app reg.cloud.com/busybox
23b79ec545f71d9a448829fbdd1c30ee1a1110d07742a067c7475544d6987abe
[root@host01-2 ~]# docker run --network=isolated_nw -it --name c8 reg.cloud.com/busybox
/ # ping c6
PING c6 (172.25.0.4): 56 data bytes
64 bytes from 172.25.0.4: seq=0 ttl=64 time=0.261 ms
64 bytes from 172.25.0.4: seq=1 ttl=64 time=0.176 ms
^C
--- c6 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.176/0.218/0.261 ms
/ # ping c7
PING c7 (172.25.0.5): 56 data bytes
64 bytes from 172.25.0.5: seq=0 ttl=64 time=0.265 ms
64 bytes from 172.25.0.5: seq=1 ttl=64 time=0.179 ms
^C
--- c7 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.179/0.222/0.265 ms
/ # ping app
PING app (172.25.0.4): 56 data bytes
64 bytes from 172.25.0.4: seq=0 ttl=64 time=0.189 ms
64 bytes from 172.25.0.4: seq=1 ttl=64 time=0.177 ms
^C
--- app ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.177/0.183/0.189 ms
/ #






* The LINK concept (old): no longer used (why? it only supports a single host) => user-defined networks are used instead now


C1(DB) <------C2(web) 


Before querying the DNS server, the file C2 consults first is /etc/hosts!!

Does all of the exposed port information get passed over to C2?


* How link is used (the linked container's env, including MYSQL_ROOT_PASSWORD, is passed across as environment variables)


[root@host01-2 ~]# docker run --name db -e MYSQL_ROOT_PASSWORD=1234 -d reg.cloud.com/mysql
c718db3a5bed23a0c8f4bba81b2500e9350b3813364cf2780c86b27ac1754732
[root@host01-2 ~]# docker logs db
Initializing database
2018-05-24T05:50:32.189359Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2018-05-24T05:50:34.743553Z 0 [Warning] InnoDB: New log files created, LSN=45790
2018-05-24T05:50:35.111689Z 0 [Warning] InnoDB: Creating foreign key constraint system tables.
2018-05-24T05:50:35.216022Z 0 [Warning] No existing UUID has been found, so we assume that this is the first time that this server has been started. Generating a new UUID: 60c3bc8a-5f16-11e8-a17f-0242ac110002.
2018-05-24T05:50:35.234417Z 0 [Warning] Gtid table is not ready to be used. Table 'mysql.gtid_executed' cannot be opened.
2018-05-24T05:50:35.235689Z 1 [Warning] root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option.
2018-05-24T05:50:39.434990Z 1 [Warning] 'user' entry 'root@localhost' ignored in --skip-name-resolve mode.
2018-05-24T05:50:39.435049Z 1 [Warning] 'user' entry 'mysql.session@localhost' ignored in --skip-name-resolve mode.
2018-05-24T05:50:39.435078Z 1 [Warning] 'user' entry 'mysql.sys@localhost' ignored in --skip-name-resolve mode.
2018-05-24T05:50:39.435139Z 1 [Warning] 'db' entry 'performance_schema mysql.session@localhost' ignored in --skip-name-resolve mode.
2018-05-24T05:50:39.435158Z 1 [Warning] 'db' entry 'sys mysql.sys@localhost' ignored in --skip-name-resolve mode.
2018-05-24T05:50:39.435198Z 1 [Warning] 'proxies_priv' entry '@ root@localhost' ignored in --skip-name-resolve mode.
2018-05-24T05:50:39.435294Z 1 [Warning] 'tables_priv' entry 'user mysql.session@localhost' ignored in --skip-name-resolve mode.
2018-05-24T05:50:39.435326Z 1 [Warning] 'tables_priv' entry 'sys_config mysql.sys@localhost' ignored in --skip-name-resolve mode.
[root@host01-2 ~]# docker ps
CONTAINER ID        IMAGE                   COMMAND                  CREATED             STATUS              PORTS               NAMES
c718db3a5bed        reg.cloud.com/mysql     "docker-entrypoint.s…"   22 seconds ago      Up 21 seconds       3306/tcp            db
23b79ec545f7        reg.cloud.com/busybox   "sh"                     22 minutes ago      Up 22 minutes                           c7
117113d2b352        reg.cloud.com/busybox   "sh"                     22 minutes ago      Up 22 minutes                           c6
6c07e34435a3        reg.cloud.com/busybox   "sh"                     25 minutes ago      Up 25 minutes                           c4
0a0c051a8483        reg.cloud.com/busybox   "sh"                     25 minutes ago      Up 25 minutes                           c5
[root@host01-2 ~]# docker exec db env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=c718db3a5bed
MYSQL_ROOT_PASSWORD=1234
GOSU_VERSION=1.7
MYSQL_MAJOR=5.7
MYSQL_VERSION=5.7.20-1debian8
HOME=/root
[root@host01-2 ~]# docker run -it --link db:sql reg.cloud.com/mysql bash
root@e0de0246a2a3:/# cat /etc/resolv.conf
# Generated by NetworkManager
search cloud.com
nameserver 10.10.12.1
root@e0de0246a2a3:/# cat /etc/hosts
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2      sql c718db3a5bed db
172.17.0.3      e0de0246a2a3
root@e0de0246a2a3:/# ping sql
PING sql (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: icmp_seq=0 ttl=64 time=0.328 ms
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.202 ms
^C--- sql ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.202/0.265/0.328/0.063 ms
root@e0de0246a2a3:/# env
HOSTNAME=e0de0246a2a3
TERM=xterm
MYSQL_VERSION=5.7.20-1debian8
SQL_ENV_MYSQL_VERSION=5.7.20-1debian8
SQL_PORT_3306_TCP=tcp://172.17.0.2:3306
SQL_NAME=/brave_panini/sql
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SQL_PORT_3306_TCP_ADDR=172.17.0.2
SQL_ENV_MYSQL_MAJOR=5.7
PWD=/
SQL_PORT_3306_TCP_PORT=3306
SQL_ENV_MYSQL_ROOT_PASSWORD=1234
HOME=/root
SHLVL=1
SQL_PORT_3306_TCP_PROTO=tcp
MYSQL_MAJOR=5.7
GOSU_VERSION=1.7
SQL_ENV_GOSU_VERSION=1.7
SQL_PORT=tcp://172.17.0.2:3306
_=/usr/bin/env
root@e0de0246a2a3:/#
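The env output above shows what the legacy link actually hands over: every environment variable of the linked db container, MYSQL_ROOT_PASSWORD included, reappears in the web container as SQL_ENV_*, next to the SQL_PORT_* connection details. The following is an added example (not code from the original post) that parses such `docker exec <container> env` output and reports which variables arrived through a link, which of them look like credentials, and which endpoints the link advertises. The sample env lines are a constructed copy of the output above; the secret-name patterns and the ALIAS_ENV_/ALIAS_PORT_ naming rules are this example's own assumptions about the link convention.

```python
import re

# Constructed sample: a copy of the `env` output of a container started with
# `--link db:sql` (values as they appear in the notes above).
SAMPLE_ENV = """\
HOSTNAME=e0de0246a2a3
TERM=xterm
MYSQL_VERSION=5.7.20-1debian8
SQL_ENV_MYSQL_VERSION=5.7.20-1debian8
SQL_PORT_3306_TCP=tcp://172.17.0.2:3306
SQL_NAME=/brave_panini/sql
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SQL_PORT_3306_TCP_ADDR=172.17.0.2
SQL_ENV_MYSQL_MAJOR=5.7
PWD=/
SQL_PORT_3306_TCP_PORT=3306
SQL_ENV_MYSQL_ROOT_PASSWORD=1234
HOME=/root
SHLVL=1
SQL_PORT_3306_TCP_PROTO=tcp
MYSQL_MAJOR=5.7
GOSU_VERSION=1.7
SQL_ENV_GOSU_VERSION=1.7
SQL_PORT=tcp://172.17.0.2:3306
_=/usr/bin/env
"""

# Variable names that usually carry credentials (assumption: this example's own list)
SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
# <ALIAS>_ENV_<ORIGINAL_NAME>: a variable copied from the linked container
LINK_ENV = re.compile(r"^([A-Z][A-Z0-9_]*?)_ENV_(.+)$")
# <ALIAS>_PORT_<port>_<PROTO>=<proto>://<addr>:<port>: an advertised endpoint
LINK_PORT = re.compile(r"^([A-Z][A-Z0-9_]*?)_PORT_(\d+)_(TCP|UDP)$")


def parse_env(text):
    """Turn `env` output into a dict; the first '=' separates name and value."""
    env = {}
    for line in text.splitlines():
        if "=" in line:
            name, _, value = line.partition("=")
            env[name] = value
    return env


def audit_link_env(text):
    """Return (leaked, endpoints): variables injected by --link (secrets masked)
    and the (alias, proto, addr, port) endpoints the link advertises."""
    leaked, endpoints = [], []
    for name, value in parse_env(text).items():
        m = LINK_ENV.match(name)
        if m:
            alias, original = m.groups()
            secret = bool(SECRET_NAME.search(original))
            leaked.append({"alias": alias, "var": original, "secret": secret,
                           "value": "***" if secret else value})
            continue
        m = LINK_PORT.match(name)
        if m:
            alias, port, proto = m.groups()
            addr = value.split("://", 1)[1].rsplit(":", 1)[0]
            endpoints.append((alias, proto.lower(), addr, int(port)))
    return leaked, endpoints


def leaked_secrets(text):
    """Full names of linked-in variables that look like credentials."""
    leaked, _ = audit_link_env(text)
    return sorted(f"{e['alias']}_ENV_{e['var']}" for e in leaked if e["secret"])


if __name__ == "__main__":
    leaked, endpoints = audit_link_env(SAMPLE_ENV)
    for entry in leaked:
        print(f"{entry['alias']:>4} -> {entry['var']} = {entry['value']}")
    print("endpoints:", endpoints)
    print("secrets carried over by the link:", leaked_secrets(SAMPLE_ENV))
```

Run against the sample, the audit lists four variables copied over from db and flags SQL_ENV_MYSQL_ROOT_PASSWORD as a credential that any process in the web container (and anything that dumps its environment) can now read; a user-defined network gives the same name resolution without copying the environment.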






*Docker Monitoring


docker stats {ContainerID}

docker top {ContainerID} 

= who is doing what work, with which process


*Installing cAdvisor (dashboard monitoring). Note the flags in the command below: the container runs with --privileged and bind-mounts the host's /, /var/run and /var/lib/docker, so it effectively has host-level access; keep port 8080 reachable only from trusted networks.

docker run \
   --detach=true \
   --volume=/:/rootfs:ro \
   --volume=/var/run:/var/run:rw \
   --volume=/sys:/sys:ro \
   --volume=/var/lib/docker/:/var/lib/docker:ro \
   --publish=8080:8080 \
   --privileged=true \
   --name=cadvisor \
google/cadvisor:latest



*Docker container storage

- Docker is "pay per use" (PPU): use it and throw it away, in units of seconds

- Its lifecycle is even shorter than a VM's...

=> From a business perspective, net profit has to go up and cost has to be minimized.

=> The data a container runs on lives, by default, in the layered file system....

When a container starts, temporary space is allocated for creating its layer.

=> Values that must persist, such as config values (plus html, db data),

must therefore be split out into a separate volume!


Why split them out?

1) Performance!! High IOPS guarantees high performance

2) Several containers can share the same data




*Characteristics of volume storage (important):

- It is not a simple storage concept!!

- A change on the HOST is reflected as-is in the container,

=> The name "volume" is the same, but the volume concept used in Kubernetes differs from the one used in Docker.









Method 1) The approach to avoid above all (folder-to-folder mapping: mapping a host folder to a container folder)

> docker run -v <host_path>:<container_path>

> docker run -v <container_path>

=> Caution: because the container's purpose is strongly tied to reaching a specific folder on a specific host, this is weak from a security standpoint 




Method 2) Recommended approach (docker volume: file-to-file mapping)

No host path is given (the volume is created automatically under /var/lib/docker/volumes)

[root@host01-2 docker]# docker volume ls
DRIVER              VOLUME NAME
local               725d0db9e073e1d9a6d19637cad363b7ee9f32f91d4ce8998feff15f8ae4bd5d
[root@host01-2 docker]# docker volume rm 725d0db9e073e1d9a6d19637cad363b7ee9f32f91d4ce8998feff15f8ae4bd5d
725d0db9e073e1d9a6d19637cad363b7ee9f32f91d4ce8998feff15f8ae4bd5d
[root@host01-2 docker]# ls
builder  containerd  containers  image  network  overlay2  plugins  runtimes  swarm  tmp  trust  volumes
[root@host01-2 docker]# docker volume ls
DRIVER              VOLUME NAME
local               89b2631760a0c93c23ef15fabb4e8aa041a24cabb74f9d321af8bc259fade2ea
[root@host01-2 docker]# ls /var/lib/docker/volumes/ -l
total 24
drwxr-xr-x. 3 root root    19 May 24 10:17 89b2631760a0c93c23ef15fabb4e8aa041a24cabb74f9d321af8bc259fade2ea
-rw-------. 1 root root 32768 May 24 10:17 metadata.db
[root@host01-2 docker]# ^C
[root@host01-2 docker]# cd 89b2631760a0c93c23ef15fabb4e8aa041a24cabb74f9d321af8bc259fade2ea
-bash: cd: 89b2631760a0c93c23ef15fabb4e8aa041a24cabb74f9d321af8bc259fade2ea: No such file or directory
[root@host01-2 docker]# cd /var/lib/docker/volumes/
[root@host01-2 volumes]# cd 89b2631760a0c93c23ef15fabb4e8aa041a24cabb74f9d321af8bc259fade2ea
[root@host01-2 89b2631760a0c93c23ef15fabb4e8aa041a24cabb74f9d321af8bc259fade2ea]# ls
_data
[root@host01-2 89b2631760a0c93c23ef15fabb4e8aa041a24cabb74f9d321af8bc259fade2ea]# cd _data
[root@host01-2 _data]# ls
[root@host01-2 _data]# docker run -it -v /data --name c2 reg.cloud.com/busybox
docker: Error response from daemon: Conflict. The container name "/c2" is already in use by container "711ed6a35974f20a4ba91846567fbb04446b6022fcf159f02c8d36614fbcfb23". You have to remove (or rename) that container to be able to reuse that name.
See 'docker run --help'.
[root@host01-2 _data]# docker run -it -v /data --name c2 reg.cloud.com/busybox^C
[root@host01-2 _data]# docker -ls
Unable to parse logging level: s
[root@host01-2 _data]# docker ps
CONTAINER ID        IMAGE                    COMMAND                  CREATED             STATUS              PORTS                    NAMES
711ed6a35974        reg.cloud.com/busybox    "sh"                     2 minutes ago       Up 2 minutes                                 c2
d873910cde91        google/cadvisor:latest   "/usr/bin/cadvisor -…"   About an hour ago   Up About an hour    0.0.0.0:8080->8080/tcp   cadvisor
[root@host01-2 _data]# docker exec 711ed6a35974
"docker exec" requires at least 2 arguments.
See 'docker exec --help'.
 
Usage:  docker exec [OPTIONS] CONTAINER COMMAND [ARG...] [flags]
 
Run a command in a running container
[root@host01-2 _data]# docker attach 711ed6a35974
/ # mkdir temphahaha
/ # ls
bin         data        dev         etc         home        proc        root        sys         temphahaha  tmp         usr         var
/ # read escape sequence
[root@host01-2 _data]#
 
[root@host01-2 _data]# docker attach 711ed6a35974
/ # ls
bin         data        dev         etc         home        proc        root        sys         temphahaha  tmp         usr         var
/ # cd data/
/data # ls
/data # mkdir hahaha
/data # ls
hahaha
/data # read escape sequence
[root@host01-2 _data]# ls
hahaha
[root@host01-2 _data]#


A folder named hahaha appears identically on the host and in the container.

You can also map a volume with docker volume create <volume_name>, as below.

[root@host01-2 _data]# docker volume --help
 
Usage:  docker volume COMMAND
 
Manage volumes
 
Commands:
  create      Create a volume
  inspect     Display detailed information on one or more volumes
  ls          List volumes
  prune       Remove all unused local volumes
  rm          Remove one or more volumes
 
Run 'docker volume COMMAND --help' for more information on a command.
[root@host01-2 _data]# docker volume create data
data
[root@host01-2 _data]# docker volume ls
DRIVER              VOLUME NAME
local               89b2631760a0c93c23ef15fabb4e8aa041a24cabb74f9d321af8bc259fade2ea
local               data
[root@host01-2 _data]# ls
hahaha
[root@host01-2 _data]# cd /var/lib/docker/volumes/
[root@host01-2 volumes]# ls
89b2631760a0c93c23ef15fabb4e8aa041a24cabb74f9d321af8bc259fade2ea  data  metadata.db
[root@host01-2 volumes]# cd data/
[root@host01-2 data]# ls
_data
[root@host01-2 data]# cd ..
[root@host01-2 volumes]# ls
89b2631760a0c93c23ef15fabb4e8aa041a24cabb74f9d321af8bc259fade2ea  data  metadata.db
[root@host01-2 volumes]# ^C
[root@host01-2 volumes]# docker run -it -v data:/data --name c3 reg.cloud.com/busybox
/ # ls
bin   data  dev   etc   home  proc  root  sys   tmp   usr   var
/ # cd data/
/data # ls
/data # cd ..
/ # ls
bin   data  dev   etc   home  proc  root  sys   tmp   usr   var
/ # ^C
/ #


>> Even if you delete the container, the volume does not disappear!!


Removing a container and its volume at once:

[root@host01-2 volumes]# docker rm -f -v <container>


Starting a container with a volume and detaching to the background at the same time:

[root@host01-2 test]# docker run -itd -v /test:/data --name c1 reg.cloud.com/busybox
2e890f6a2d2c513ebfc9918440fd7df7768bb075ffbd43f7b727273e29f6e483


To make two containers see the same volume (here mounted as /data and /log), mount the volume into containers C1 and C2.

[root@host01-2 test]# docker run -itd -v /test:/data --name c1 reg.cloud.com/busybox
2e890f6a2d2c513ebfc9918440fd7df7768bb075ffbd43f7b727273e29f6e483
[root@host01-2 test]# ^C
[root@host01-2 test]# ls
test.txt
[root@host01-2 test]# docker ps
CONTAINER ID        IMAGE                   COMMAND             CREATED             STATUS              PORTS               NAMES
2e890f6a2d2c        reg.cloud.com/busybox   "sh"                36 seconds ago      Up 35 seconds                           c1
[root@host01-2 test]# docker run -itd -v /test:/log --name c2 reg.cloud.com/ubuntu
5a88cf37f5aa94bd3ee1f1a8df41e9bcf4dd4566f5435b0247c599bb73edcc2d
[root@host01-2 test]# docker attach c1
/ # ls
bin   data  dev   etc   home  proc  root  sys   tmp   usr   var
/ # touch /data/c1.txt
/ # ls
bin   data  dev   etc   home  proc  root  sys   tmp   usr   var
/ # cd /data/
/data # ls
c1.txt    test.txt
/data # read escape sequence
[root@host01-2 test]# docker attach c2
root@5a88cf37f5aa:/#
root@5a88cf37f5aa:/# ls /log/ -l
total 0
-rw-r--r-- 1 root root 0 May 24 01:39 c1.txt
-rw-r--r-- 1 root root 0 May 21 07:21 test.txt
root@5a88cf37f5aa:/# vi c1.txt
bash: vi: command not found
root@5a88cf37f5aa:/# :wq
bash: :wq: command not found
root@5a88cf37f5aa:/# ls
bin  boot  dev  etc  home  lib  lib64  log  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@5a88cf37f5aa:/# cd /log/
root@5a88cf37f5aa:/log# ls
c1.txt  test.txt







3) Device mapping (device-to-device mapping)

Volume mounting


Suppose the Dockerfile is written as below; syntactically there is nothing wrong with it:


FROM ubuntu:14.04
VOLUME /MountVol
RUN date > /MountVol/date.txt
RUN cat /MountVol/date.txt


However, the volume declared on line 2 has the problem that it is only created at runtime and then disappears (the date.txt written into it by the RUN on line 3 is discarded, so it does not survive in the image).


*Docker memory control


-m (--memory): the maximum amount of memory


--memory-reservation: the minimum memory guaranteed by the host 


-m > --memory-reservation


--kernel-memory: the share of the total allocated memory taken up by kernel memory 



*Docker CPU control


--cpus: the CPU resources the container may use

(e.g. .5 = give 50%,

     1.5 = give 150% (more than one CPU),

      3.5 = give 350% (3 or more CPU cores)

)


*Container exit codes and restart policy:


- no: the default restart policy; the container is started only when explicitly run

- always: restarts the container whenever the docker service starts, regardless of the exit code it stopped with

- on-failure: the container is restarted only when it exits with a non-zero code (the number of retries on error has to be specified)

# docker run --restart=on-failure:5 mongo
# 5 is the number of retries on error
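An added example (not code from the original post) that applies the points from the cAdvisor command, the two volume methods and the memory/CPU/restart flags above: it parses the argument list of a `docker run` command offline and reports bind mounts of sensitive host paths (method 1), `--privileged`, a memory reservation above the limit, and `on-failure` without a retry count, and it converts `--cpus` into the CFS quota/period pair Docker derives from it. The flag subset it understands, the list of sensitive host paths and the finding codes are this example's own assumptions; the cAdvisor argument list is copied from the notes.

```python
import re

# Flags that consume a value (assumption: only the subset this audit needs)
VALUE_FLAGS = {"-v", "--volume", "-p", "--publish", "-m", "--memory",
               "--memory-reservation", "--kernel-memory", "--cpus",
               "--restart", "--name", "-e", "--env"}
SHORT_ALIAS = {"-v": "volume", "-p": "publish", "-m": "memory", "-e": "env"}
# Host paths whose bind mount hands the container host-level access
# (assumption: this example's own list; "/" is handled separately)
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/var/run", "/var/lib/docker",
                        "/etc", "/sys", "/proc", "/root", "/boot")
UNIT = {"": 1, "b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

# Copied from the cAdvisor command in the notes (tokens after `docker run`)
CADVISOR_ARGV = ["--detach=true", "--volume=/:/rootfs:ro", "--volume=/var/run:/var/run:rw",
                 "--volume=/sys:/sys:ro", "--volume=/var/lib/docker/:/var/lib/docker:ro",
                 "--publish=8080:8080", "--privileged=true", "--name=cadvisor",
                 "google/cadvisor:latest"]


def parse_run_argv(argv):
    """Split the tokens after `docker run` into options, image and command."""
    opts = {"volume": [], "publish": [], "env": [], "flags": set(), "image": None, "cmd": []}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("-"):            # first non-flag token is the image
            opts["image"], opts["cmd"] = tok, argv[i + 1:]
            break
        name, sep, val = tok.partition("=")
        if name in VALUE_FLAGS and not sep:    # value given as the next token
            i += 1
            if i >= len(argv):
                raise ValueError(f"{name} needs a value")
            val = argv[i]
        key = SHORT_ALIAS.get(name, name.lstrip("-"))
        if isinstance(opts.get(key), list):
            opts[key].append(val)
        elif name in VALUE_FLAGS:
            opts[key] = val
        elif val.lower() not in ("false", "0"):  # --privileged, --privileged=true, -itd ...
            opts["flags"].add(key)
        i += 1
    return opts


def classify_mount(spec):
    """-v spec -> (kind, source, target, mode): bind (host path), named volume or anonymous."""
    parts = spec.split(":")
    if len(parts) == 1:
        return "anonymous", None, parts[0], "rw"
    src, dst = parts[0], parts[1]
    mode = parts[2] if len(parts) > 2 else "rw"
    kind = "bind" if src.startswith(("/", ".", "~")) else "named"
    return kind, src, dst, mode


def is_sensitive_host_path(path):
    p = path.rstrip("/") or "/"
    return p == "/" or any(p == s or p.startswith(s + "/") for s in SENSITIVE_HOST_PATHS)


def parse_mem(spec):
    """'512m' -> bytes using the docker CLI's binary suffixes; None if unset."""
    if spec is None:
        return None
    m = re.fullmatch(r"(\d+)([bkmg]?)", spec.lower())
    if not m:
        raise ValueError(f"bad memory value {spec!r}")
    return int(m.group(1)) * UNIT[m.group(2)]


def cpu_quota(cpus, period=100000):
    """--cpus=1.5 is the CFS pair period=100000, quota=150000."""
    return int(round(float(cpus) * period))


def parse_restart(spec):
    """'on-failure:5' -> ('on-failure', 5); 'always' -> ('always', None)."""
    policy, _, count = spec.partition(":")
    return policy, (int(count) if count else None)


def audit_run(argv):
    """Findings as (code, detail) for the tokens after `docker run`."""
    o = parse_run_argv(argv)
    out = []
    if "privileged" in o["flags"]:
        out.append(("privileged", "all capabilities and host devices; prefer --cap-add of what is needed"))
    for spec in o["volume"]:
        kind, src, dst, mode = classify_mount(spec)
        if kind == "bind":                      # method 1: host folder mapped into the container
            code = "bind-mount-sensitive" if is_sensitive_host_path(src) else "bind-mount"
            out.append((code, f"{src} -> {dst} ({mode})"))
    limit, reserve = parse_mem(o.get("memory")), parse_mem(o.get("memory-reservation"))
    if limit is not None and reserve is not None and reserve > limit:
        out.append(("reservation-above-limit", f"--memory-reservation {reserve} > -m {limit}"))
    if "restart" in o:
        policy, count = parse_restart(o["restart"])
        if policy == "on-failure" and count is None:
            out.append(("restart-no-retry-count", "use on-failure:<n>"))
    return out


if __name__ == "__main__":
    for code, detail in audit_run(CADVISOR_ARGV):
        print(f"{code:24} {detail}")
```

Named volumes (`-v data:/data`, method 2) and anonymous volumes (`-v /data`) produce no findings, because Docker keeps them under /var/lib/docker/volumes and no host folder is chosen by the container; the cAdvisor line produces one `privileged` finding and four sensitive bind mounts, which is exactly why such a monitoring container needs the same protection as the host.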





*Renaming an image tag:

[root@host01-2 overlay2]# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
testrun                 latest              f18e71700865        2 hours ago         303MB
<none>                  <none>              8af1360f5b43        2 hours ago         303MB
hongtest                latest              9a8341b96270        3 hours ago         98.4MB
<none>                  <none>              ab0f85b7f2e6        3 hours ago         1.13MB
<none>                  <none>              9579d5ccef21        3 hours ago         1.13MB
hongimages              latest              f6d8cd4a7d71        3 hours ago         1.13MB
ubuntu                  14.04               8cef1fa16c77        3 weeks ago         223MB
ubuntu                  latest              452a96d81c30        3 weeks ago         79.6MB
registry                2.5                 36e3b1f8d3f1        4 months ago        37.8MB
reg.cloud.com/ubuntu    latest              20c44cd7596f        6 months ago        123MB
reg.cloud.com/busybox   latest              6ad733544a63        6 months ago        1.13MB
reg.cloud.com/centos    latest              d123f4e55e12        6 months ago        197MB
[root@host01-2 overlay2]# vi ~/.bashrc
[root@host01-2 overlay2]# docker tag hongtest registry:3.0
[root@host01-2 overlay2]# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
testrun                 latest              f18e71700865        2 hours ago         303MB
<none>                  <none>              8af1360f5b43        2 hours ago         303MB
hongtest                latest              9a8341b96270        3 hours ago         98.4MB
registry                3.0                 9a8341b96270        3 hours ago         98.4MB
<none>                  <none>              ab0f85b7f2e6        3 hours ago         1.13MB
<none>                  <none>              9579d5ccef21        3 hours ago         1.13MB
hongimages              latest              f6d8cd4a7d71        3 hours ago         1.13MB
ubuntu                  14.04               8cef1fa16c77        3 weeks ago         223MB
ubuntu                  latest              452a96d81c30        3 weeks ago         79.6MB
registry                2.5                 36e3b1f8d3f1        4 months ago        37.8MB
reg.cloud.com/ubuntu    latest              20c44cd7596f        6 months ago        123MB
reg.cloud.com/busybox   latest              6ad733544a63        6 months ago        1.13MB
reg.cloud.com/centos    latest              d123f4e55e12        6 months ago        197MB
[root@host01-2 overlay2]#



*Deleting an image tag (there is no dedicated command; just remove the image):

[root@host01-2 overlay2]# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
testrun                 latest              f18e71700865        2 hours ago         303MB
<none>                  <none>              8af1360f5b43        2 hours ago         303MB
registry                3.0                 9a8341b96270        3 hours ago         98.4MB
hongtest                latest              9a8341b96270        3 hours ago         98.4MB
<none>                  <none>              ab0f85b7f2e6        3 hours ago         1.13MB
<none>                  <none>              9579d5ccef21        3 hours ago         1.13MB
hongimages              latest              f6d8cd4a7d71        3 hours ago         1.13MB
ubuntu                  14.04               8cef1fa16c77        3 weeks ago         223MB
ubuntu                  latest              452a96d81c30        3 weeks ago         79.6MB
registry                2.5                 36e3b1f8d3f1        4 months ago        37.8MB
reg.cloud.com/ubuntu    latest              20c44cd7596f        6 months ago        123MB
reg.cloud.com/busybox   latest              6ad733544a63        6 months ago        1.13MB
reg.cloud.com/centos    latest              d123f4e55e12        6 months ago        197MB
[root@host01-2 overlay2]# docker rmi hongtest
Untagged: hongtest:latest
[root@host01-2 overlay2]#



*Moving the latest pointer of a docker image tag (making 3.0 the latest):

[root@host01-2 overlay2]# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
registry                3.0                 9a8341b96270        3 hours ago         98.4MB
registry                2.5                 36e3b1f8d3f1        4 months ago        37.8MB
[root@host01-2 overlay2]# docker tag registry:3.0 registry:latest
[root@host01-2 overlay2]# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
registry                3.0                 9a8341b96270        3 hours ago         98.4MB
registry                latest              9a8341b96270        3 hours ago         98.4MB
registry                2.5                 36e3b1f8d3f1        4 months ago        37.8MB


*Writing a Dockerfile


A Dockerfile is a text file with an easy, simple and clear syntax, and the core element for creating an image!


- Instructions: not case-sensitive, but use upper case for readability! The order they are written in matters

- Comments: #

- MAINTAINER: its position does not matter, and it does not create a layer


*Kinds of instructions

FROM

MAINTAINER

LABEL

RUN

COPY files 

ADD files

EXPOSE


ENTRYPOINT

CMD



- The difference between ADD and COPY

COPY files/nginx.conf /etc/nginx/nginx.conf
# COPY cannot take a URL

ADD files/nginx.conf /etc/nginx/nginx.conf
# ADD can take a URL

# Note: files refers to the current working directory (the build context)
# If nginx.conf is followed by a /, it means "copy the files under that folder" (so the / must be left off)


Every time you RUN, COPY or ADD,

Docker creates a temporary layer and commits it.

So in the end an image made of 4 layers, down to Alpine, is produced!


*Why it is good to write RUN commands as below:
=> RUN is an image-build instruction! It is not an execution instruction!

A temporary layer is not created every time, so build time is reduced.


Good example)

RUN apk add --update nginx && \
       rm -rf /var/cache/apk/* && \
       mkdir -p /tmp/nginx/


Bad example)

RUN apk add --update nginx

RUN rm -rf /var/cache/apk/*

RUN mkdir -p /tmp/nginx/



*ENTRYPOINT and CMD are execution instructions (run only once by default)

=> No effect when the image is created


1) Shell form:  ping $HOSTNAME

2) Exec form in the Dockerfile: ["ping", "$HOSTNAME"]  

// ping is a shell command, $HOSTNAME is a parameter

// so 2) does not work (in exec form no shell expands $HOSTNAME)... it has to be written as below

// ["/bin/bash", "-c", "ping $HOSTNAME"]

ENTRYPOINT ["sh", "start.sh"]

CMD echo $HOSTNAME

=> The values in CMD get overwritten (by the arguments given to docker run)


*LABEL is a metadata instruction

ex1) LABEL description="This is an example Dockerfile for NGINX."

=> Key = description

=> Value = "This is an example Dockerfile for NGINX."


ex2) LABEL key1="value1" \
               key2="value2" \
               key3="value3" 

*ARG and ENV: 

ARG user=kim
ENV password=passwd

- ARG is only in effect while the build runs and then disappears.
- ENV variables can still be used at docker run time (the variable stays in the environment after that moment)

*The ARG instruction:

FROM ubuntu
ARG user=hong
ARG version

[root@host01-2 overlay2]# docker build --build-arg user=somebodyElse .

=> The user parameter is overridden when the build runs 






*The EXPOSE instruction

EXPOSE has nothing at all to do with config (settings).

It is there to provide information!


EXPOSE 80

EXPOSE 443


It does not go into the config; it is purely for information

So why use it?

If the web server comes up on a port other than 80 (say 5500), another process that needs to talk to it may have to look that up, so the information is recorded.


EXPOSE 80/UDP

EXPOSE 1000-2000

# setting a port range



*The RUN instruction (the cache problem)


Look at the example below: 


1) 

FROM reg.cloud.com/ubuntu

RUN apt-get update

RUN apt-get install -y mongodb-server


2) 10 years later

FROM reg.cloud.com/ubuntu

RUN apt-get update

RUN apt-get install -y mongodb-server

RUN apt-get install -y nodejs


(You would naturally expect mongodb-server to be fetched at its latest version, but the repo state from 10 years ago is reused as-is... the problem of cache reuse... to fetch the latest you have to change the FROM line)

=> You can also stop Docker from using its cache... but turning it OFF means the cache is not used for the whole build. It takes a long time.


[root@host01-2 overlay2]# docker build --no-cache .



*The USER instruction: 

USER tomcat

means that from this instruction onward, commands run as the tomcat account instead of root


If the account does not exist, create it with RUN during the build: 


RUN groupadd -r tomcat && useradd -r -g tomcat tomcat


*The HEALTHCHECK instruction


Suppose you set up a web server: even while the container shows as up, a request to ip:port may not get a working web page. 


HEALTHCHECK is useful for catching this situation: 

HEALTHCHECK --interval=<interval> --timeout=<timeout> CMD <command>

HEALTHCHECK --interval=5m --timeout=2s --retries=3 CMD curl -f http://localhost/ || exit 1





*The SHELL instruction: 


Sets which shell is used as the default


SHELL ["executable", "parameters"]


ex)

SHELL ["/bin/sh", "-c"]





* DOCKERFILE - recommendations


There is a file called .dockerignore. It is the file that keeps unnecessary files from being loaded while the image is being built!


*Creating an image from a DOCKERFILE

docker build -f <path and file name of the Dockerfile; if omitted, Dockerfile is used> -t <name to apply to the image that is created>


ex) docker build .

docker build -t hong/myapp .

docker build -t hong/myapp:1.0.0 -t hong/myapp:latest .


*DOCKERFILE example: 

FROM ubuntu:latest
MAINTAINER HONG <hk@daum.net>
RUN apt-get update && apt-get install -y mysql-client mysql-server
ENV username mysqluser
ENV password pass
ENV database db1
ADD databasesetup.sh /
RUN chmod 644 /databasesetup.sh
RUN /bin/sh /databasesetup.sh
EXPOSE 3306
CMD ["/usr/bin/mysqld_safe"]


ENTRYPOINT is the shell script (e.g. temp.sh)

CMD holds the parameters to pass to that shell script

=> Even though CMD ["tmp1", "tmp2"] is set,

if docker run is given only one trailing parameter

(e.g. docker run --rm image:v1 aux)

the script that actually runs becomes temp.sh aux...

