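I. Building an image with docker commit
- The three steps for building a new image with docker commit:
Run a container
Modify the container
Save the container as a new image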
[root@server1 ~]# docker images busybox
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest edabd795951a 2 days ago 1.22MB
[root@server1 ~]# docker history busybox
IMAGE CREATED CREATED BY SIZE COMMENT
edabd795951a 2 days ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 2 days ago /bin/sh -c #(nop) ADD file:4e5169fa630e0afed… 1.22MB
[root@server1 ~]# docker run -it --name test busybox
/ # ls
bin dev etc home proc root sys tmp usr var
/ # touch file1
/ # touch file2
/ # touch file3
/ # touch file4
[root@server1 ~]# docker commit -m "v1" test demo:v1
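# Save the changes made inside the container: create a new image from the container's changes
# -m: commit message (v1); the container name is test; the new image is named demo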
sha256:936bad569dcbed70f3be93123affe075cb5c7f52c4a3acdb144ef77261130f64
[root@server1 ~]# docker history demo:v1 # three layers
IMAGE CREATED CREATED BY SIZE COMMENT
936bad569dcb 38 seconds ago sh 51B v1
edabd795951a 2 days ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 2 days ago /bin/sh -c #(nop) ADD file:4e5169fa630e0afed… 1.22MB
[root@server1 ~]# docker history busybox:latest # two layers
IMAGE CREATED CREATED BY SIZE COMMENT
edabd795951a 2 days ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 2 days ago /bin/sh -c #(nop) ADD file:4e5169fa630e0afed… 1.22MB
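We find that:
The last two layers of demo:v1 are the same as those of busybox:latest; the two images share these layers
Although there are two images, when downloading, the system sees that these two layers are identical and does not download them again; it only downloads the layers that differ
This is the point of image layering: it saves a great deal of space
[root@server1 ~]# docker rmi demo:v1 # remove the image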
Untagged: demo:v1
Deleted: sha256:936bad569dcbed70f3be93123affe075cb5c7f52c4a3acdb144ef77261130f64
Deleted: sha256:512e5b01d1e3a53fd575f8c353d093fb59cce9ada9396844ea0888f2f6a79ca9
[root@server1 ~]# docker history busybox:latest
IMAGE CREATED CREATED BY SIZE COMMENT
edabd795951a 2 days ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 2 days ago /bin/sh -c #(nop) ADD file:4e5169fa630e0afed… 1.22MB
Removing the demo:v1 image does not affect busybox, unless busybox itself is removed as well
[root@server1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
89ee196f092e busybox "sh" 4 minutes ago Exited (0) 4 minutes ago test
[root@server1 ~]# docker rm test
test
[root@server1 ~]# docker run -it --name test busybox
/ # ls
bin dev etc home proc root sys tmp usr var
/ # touch file1
/ # touch file2
/ # touch file3
/ # touch file4
/ # ls
bin dev etc file1 file2 file3 file4 home proc root sys tmp usr var
/ #
[root@server1 ~]# docker commit -m "v1" test demo:v1
sha256:3e5b346cab8c35837690bed7cf43ed8fc463bc062e87bbe4c5ca0c6e712d0889
[root@server1 ~]# docker rm test
test
[root@server1 ~]# docker run -it --name test demo:v1
/ # ls
bin dev etc file1 file2 file3 file4 home proc root sys tmp usr var
/ # rm -f file3
/ # rm -f file4
/ # touch file5
/ # touch file6
/ # ls
bin dev etc file1 file2 file5 file6 home proc root sys tmp usr var
[root@server1 ~]# docker commit -m "v2" test demo:v2
sha256:b2f75c29ea0770da5d450b181967f2862630ae8ff760939f8080f3bd5e20c718
[root@server1 ~]# docker rm test
test
[root@server1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@server1 ~]# docker history demo:v1
IMAGE CREATED CREATED BY SIZE COMMENT
3e5b346cab8c 4 minutes ago sh 54B v1
edabd795951a 2 days ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 2 days ago /bin/sh -c #(nop) ADD file:4e5169fa630e0afed… 1.22MB
[root@server1 ~]# docker history demo:v2
IMAGE CREATED CREATED BY SIZE COMMENT
b2f75c29ea07 53 seconds ago sh 105B v2
3e5b346cab8c 4 minutes ago sh 54B v1
edabd795951a 2 days ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 2 days ago /bin/sh -c #(nop) ADD file:4e5169fa630e0afed… 1.22MB
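- Drawbacks of docker commit:
Inefficient and hard to reproduce
Error-prone
Users cannot audit the image, which is a security risk (you can see that something was changed, but not what was changed)
II. Building an image with a Dockerfile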
[root@server1 ~]# mkdir docker
[root@server1 ~]# cd docker
[root@server1 docker]# vim Dockerfile
FROM busybox
RUN echo "hello world" > testfile
RUN echo demo >> testfile
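- FROM:
Specifies the base image the build starts from
There are two cases:
the image exists locally, or it does not (in which case it is downloaded over the network)
[root@server1 docker]# docker build -t demo:v3 . # build; -t: name the image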
Sending build context to Docker daemon 2.048kB
# Send the build context to the Docker engine
# By default, everything in the current directory is sent to the Docker engine
Step 1/3 : FROM busybox
---> edabd795951a
Step 2/3 : RUN echo "hello world" > testfile
---> Running in ac110845ba2b
Removing intermediate container ac110845ba2b
---> c574d6ac4d98
Step 3/3 : RUN echo demo >> testfile
---> Running in 0e75a3b33e43
Removing intermediate container 0e75a3b33e43
---> ee3b110ef310
Successfully built ee3b110ef310
Successfully tagged demo:v3
This is auditable: what was done is clear at a glance
[root@server1 docker]# docker history demo:v3 # view the image's layer structure
IMAGE CREATED CREATED BY SIZE COMMENT
ee3b110ef310 49 seconds ago /bin/sh -c echo demo >> testfile 17B
c574d6ac4d98 50 seconds ago /bin/sh -c echo "hello world" > testfile 12B
edabd795951a 2 days ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 2 days ago /bin/sh -c #(nop) ADD file:4e5169fa630e0afed… 1.22MB
[root@server1 docker]# vim Dockerfile
FROM busybox
RUN echo "hello world" > testfile
RUN echo demo >> testfile
RUN rm -f testfile
[root@server1 docker]# docker build -t demo:v4 . # the image build cache in action
Sending build context to Docker daemon 2.048kB
Step 1/4 : FROM busybox
---> edabd795951a
Step 2/4 : RUN echo "hello world" > testfile
---> Using cache # the cached layer is reused
---> c574d6ac4d98
Step 3/4 : RUN echo demo >> testfile
---> Using cache
---> ee3b110ef310
Step 4/4 : RUN rm -f testfile
---> Running in e5bb69fc4e2b
Removing intermediate container e5bb69fc4e2b
---> 4977591a1860
Successfully built 4977591a1860
Successfully tagged demo:v4
[root@server1 docker]# docker history demo:v4
IMAGE CREATED CREATED BY SIZE COMMENT
4977591a1860 26 seconds ago /bin/sh -c rm -f testfile 0B
ee3b110ef310 2 minutes ago /bin/sh -c echo demo >> testfile 17B
c574d6ac4d98 2 minutes ago /bin/sh -c echo "hello world" > testfile 12B
edabd795951a 2 days ago /bin/sh -c #(nop) CMD ["sh"] 0B
<missing> 2 days ago /bin/sh -c #(nop) ADD file:4e5169fa630e0afed… 1.22MB
[root@server1 docker]# docker run --rm -it demo:v3 # --rm: remove the container automatically on exit
/ # ls
bin dev etc home proc root sys testfile tmp usr var
/ # cat testfile
hello world
demo
/ #
[root@server1 docker]# docker run --rm -it demo:v4
/ # ls
bin dev etc home proc root sys tmp usr var
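Under the hood, a Dockerfile build also commits each step the way docker commit does
The difference is that it shows what was changed, which makes security auditing easier
Writing a Dockerfile that compiles nginx from source
1. Configure a registry mirror
By default images are pulled from the official registry; pointing the registry mirror at Alibaba Cloud makes downloads faster
Alibaba Cloud acts as a proxy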
[root@server1 docker]# cd /etc/docker/
[root@server1 docker]# ls
key.json
[root@server1 docker]# vim daemon.json
{
"registry-mirrors": ["https://vo5twm71.mirror.aliyuncs.com"]
}
[root@server1 docker]# systemctl daemon-reload
[root@server1 docker]# systemctl reload docker
2. Pull the centos7 image
[root@server1 docker]# docker pull centos:7
3. Write the Dockerfile
[root@server1 docker]# cd
[root@server1 ~]# cd docker
[root@server1 docker]# vim Dockerfile
FROM centos:7
MAINTAINER westos 1587196906@qq.com
ENV hostname server1
EXPOSE 80
ADD nginx-1.18.0.tar.gz /tmp
WORKDIR /tmp/nginx-1.18.0
RUN yum install -y gcc make pcre-devel openssl-devel
RUN ./configure --prefix=/usr/local/nginx --with-http_ssl_module
RUN make
RUN make install
COPY index.html /usr/local/nginx/html
VOLUME ["/var/www/html"]
CMD ["/usr/local/nginx/sbin/nginx", "-g", "daemon off;"]
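- MAINTAINER:
Sets the image author, for example the author's e-mail address
- COPY:
Copies files from the build context into the image
Two forms are supported: COPY src dest and COPY ["src", "dest"]
src must be a file or directory inside the build context
- ADD:
Can copy an archive directly and unpack it automatically at the destination
Can also download a URL automatically and copy it into the image
ADD http://172.25.4.250/html.tar /var/www
In this form, however, the file is only downloaded into the given directory; it is not unpacked
- ENV:
Sets an environment variable, which later instructions can use
- EXPOSE:
The port the containerized application exposes
If an application service runs in the container, its service port can be exposed
- WORKDIR:
Changes directory, like cd; the directory is created automatically if it does not exist
WORKDIR /tmp/nginx-1.18.0
The build starts in the docker directory and the nginx source archive was unpacked under /tmp, so we have to enter /tmp/nginx-1.18.0 before compiling
- RUN:
Runs a command in the container and creates a new image layer; commonly used to install packages
RUN yum install -y vim
- VOLUME:
Declares a data volume, usually the mount point for the application's data
- CMD and ENTRYPOINT:
Both instructions set the command executed when the container starts, but CMD is overridden by a command given after docker run, whereas ENTRYPOINT is not ignored and is always executed; arguments given after docker run are passed to the ENTRYPOINT instruction as its arguments.
A Dockerfile can specify only one ENTRYPOINT; if several are given, only the last one takes effect
4. Build the image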
[root@server1 docker]# docker build -t demo:v9 .
Sending build context to Docker daemon 1.043MB
Step 1/13 : FROM centos:7
Step 2/13 : MAINTAINER westos 1587196906@qq.com
Step 3/13 : ENV hostname server1
Step 4/13 : EXPOSE 80
Step 5/13 : ADD nginx-1.18.0.tar.gz /tmp
Step 6/13 : WORKDIR /tmp/nginx-1.18.0
Step 7/13 : RUN yum install -y gcc make pcre-devel openssl-devel
Step 8/13 : RUN ./configure --prefix=/usr/local/nginx --with-http_ssl_module
Step 9/13 : RUN make
Step 10/13 : RUN make install
Step 11/13 : COPY index.html /usr/local/nginx/html
Step 12/13 : VOLUME ["/var/www/html"]
Step 13/13 : CMD ["/usr/local/nginx/sbin/nginx", "-g", "daemon off;"]
Successfully built 66a7a74a1cd1
Successfully tagged demo:v9
[root@server1 docker]# docker images demo
REPOSITORY TAG IMAGE ID CREATED SIZE
demo v9 66a7a74a1cd1 About an hour ago 378MB
[root@server1 docker]# docker history demo:v9
IMAGE CREATED CREATED BY SIZE COMMENT
66a7a74a1cd1 About an hour ago /bin/sh -c #(nop) CMD ["/usr/local/nginx/sb… 0B
440379e5b23b About an hour ago /bin/sh -c #(nop) VOLUME [/var/www/html] 0B
862a7f38de8a About an hour ago /bin/sh -c #(nop) COPY file:89a58ee0b2565a73… 15B
07e2ac9ab5b3 About an hour ago /bin/sh -c make install 5.94MB
682bdcc62be4 About an hour ago /bin/sh -c make 20MB
84a6fe29b5e1 About an hour ago /bin/sh -c ./configure --prefix=/usr/local/n… 72.7kB
2aba652dd8c8 About an hour ago /bin/sh -c yum install -y gcc make pcre-deve… 142MB
03e3328c3024 About an hour ago /bin/sh -c #(nop) WORKDIR /tmp/nginx-1.18.0 0B
df2e25969042 About an hour ago /bin/sh -c #(nop) ADD file:46b14d1c307d23f50… 6.25MB
494db99a98fd About an hour ago /bin/sh -c #(nop) EXPOSE 80 0B
9ee8f8ebde20 About an hour ago /bin/sh -c #(nop) ENV hostname=server1 0B
7385834b8b80 About an hour ago /bin/sh -c #(nop) MAINTAINER westos 1587196… 0B
7e6257c9f8d8 3 weeks ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0B
<missing> 3 weeks ago /bin/sh -c #(nop) LABEL org.label-schema.sc… 0B
<missing> 3 weeks ago /bin/sh -c #(nop) ADD file:61908381d3142ffba… 203MB
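Image optimization
- Choose the leanest base image
- Reduce the number of image layers
- Clean up intermediate build artifacts
- Optimize network requests
- Make use of the build cache wherever possible
- Use multi-stage builds
1. Reduce the number of layers and clean up intermediate build artifacts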
[root@server1 docker]# vim Dockerfile
FROM centos:7
MAINTAINER westos 1587196906@qq.com
ENV hostname server1
EXPOSE 80
ADD nginx-1.18.0.tar.gz /tmp
WORKDIR /tmp/nginx-1.18.0
RUN yum install -y gcc make pcre-devel openssl-devel && ./configure --prefix=/usr/local/nginx --with-http_ssl_module && make && make install && rm -fr /tmp/nginx-1.18.0 && yum clean all
## Written as one line: fewer image layers
## yum clean all: cleans up intermediate build artifacts
VOLUME ["/var/www/html"]
CMD ["/usr/local/nginx/sbin/nginx", "-g", "daemon off;"]
[root@server1 docker]# docker build -t demo:v1 .
[root@server1 docker]# docker images demo
REPOSITORY TAG IMAGE ID CREATED SIZE
demo v1 26fbedb6ce46 38 seconds ago 290MB
demo v9 66a7a74a1cd1 About an hour ago 378MB
Check the size of the rebuilt image: v1 is 88M smaller than v9, but that is still not small enough
[root@server1 docker]# docker history demo:v1
IMAGE CREATED CREATED BY SIZE COMMENT
26fbedb6ce46 About a minute ago /bin/sh -c #(nop) CMD ["/usr/local/nginx/sb… 0B
d63ccabea907 About a minute ago /bin/sh -c #(nop) VOLUME [/var/www/html] 0B
a83cb1335b05 About a minute ago /bin/sh -c yum install -y gcc make pcre-deve… 80.5MB
03e3328c3024 About an hour ago /bin/sh -c #(nop) WORKDIR /tmp/nginx-1.18.0 0B
df2e25969042 About an hour ago /bin/sh -c #(nop) ADD file:46b14d1c307d23f50… 6.25MB
494db99a98fd About an hour ago /bin/sh -c #(nop) EXPOSE 80 0B
9ee8f8ebde20 About an hour ago /bin/sh -c #(nop) ENV hostname=server1 0B
7385834b8b80 About an hour ago /bin/sh -c #(nop) MAINTAINER westos 1587196… 0B
7e6257c9f8d8 3 weeks ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0B
<missing> 3 weeks ago /bin/sh -c #(nop) LABEL org.label-schema.sc… 0B
<missing> 3 weeks ago /bin/sh -c #(nop) ADD file:61908381d3142ffba… 203MB
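Why the cleanup has to sit in the same RUN line, and why demo:v4 earlier still carries its 12B and 17B layers after RUN rm -f testfile: every layer is a tar archive, and a later deletion is only recorded as a `.wh.<name>` whiteout entry on top of the older layers, which are still shipped with the image. The sketch below is an added example, not code from the original article; the in-memory layers are constructed to mirror demo:v4, and make_layer, layer_entries and audit are hypothetical helper names.

```python
import io
import tarfile

WHITEOUT = ".wh."  # a layer entry named ".wh.<name>" hides <name> from the layers below

def make_layer(files):
    """Build one layer tarball in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample mirroring the three RUN layers of demo:v4 (12B, 17B, 0B).
DEMO_V4 = [
    make_layer({"testfile": b"hello world\n"}),        # RUN echo "hello world" > testfile
    make_layer({"testfile": b"hello world\ndemo\n"}),  # RUN echo demo >> testfile
    make_layer({".wh.testfile": b""}),                 # RUN rm -f testfile
]

def layer_entries(layer):
    """Return {path: size} for the entries stored in one layer tarball."""
    with tarfile.open(fileobj=io.BytesIO(layer)) as tar:
        return {member.name: member.size for member in tar.getmembers()}

def audit(layers):
    """Stack layers bottom-up and return (visible, stale).

    visible: {path: (layer index, size)}, the filesystem a container would see.
    stale: [(path, layer index, size)], copies hidden by a later layer but still shipped.
    Opaque-directory whiteouts (.wh..wh..opq) are not modelled here.
    """
    visible, stale = {}, []
    for index, layer in enumerate(layers):
        for path, size in layer_entries(layer).items():
            folder, _, name = path.rpartition("/")
            deleted = name.startswith(WHITEOUT)
            if deleted:
                target = f"{folder}/{name[len(WHITEOUT):]}".lstrip("/")
                gone = [p for p in visible if p == target or p.startswith(target + "/")]
            else:
                gone = [path] if path in visible else []
            for old in gone:
                stale.append((old, *visible.pop(old)))
            if not deleted:
                visible[path] = (index, size)
    return visible, stale
```

For DEMO_V4 the container sees no testfile at all, yet both earlier copies remain readable from the lower layers, so anything sensitive or bulky has to be removed in the same RUN that created it.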
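2. Use a multi-stage build
Both make and make install exist only to produce /usr/local/nginx in the end, so a fresh stage can simply copy that directory over
When optimizing, change as little else as possible so that the build cache can still be used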
[root@server1 docker]# vim Dockerfile
FROM centos:7 as build
MAINTAINER westos 1587196906@qq.com
ENV hostname server1
EXPOSE 80
ADD nginx-1.18.0.tar.gz /tmp
WORKDIR /tmp/nginx-1.18.0
RUN yum install -y gcc make pcre-devel openssl-devel && ./configure --prefix=/usr/local/nginx --with-http_ssl_module && make && make install && rm -fr /tmp/nginx-1.18.0 && yum clean all
FROM centos:7
COPY --from=build /usr/local/nginx /usr/local/nginx
EXPOSE 80
VOLUME ["/var/www/html"]
CMD ["/usr/local/nginx/sbin/nginx", "-g", "daemon off;"]
[root@server1 docker]# docker build -t demo:v2 .
Successfully built 052476932b42
Successfully tagged demo:v2
[root@server1 docker]# docker images demo
REPOSITORY TAG IMAGE ID CREATED SIZE
demo v2 052476932b42 13 seconds ago 209MB
demo v1 26fbedb6ce46 4 minutes ago 290MB
demo v9 66a7a74a1cd1 About an hour ago 378MB
That is another 81M smaller than before
[root@server1 docker]# docker history demo:v2
IMAGE CREATED CREATED BY SIZE COMMENT
052476932b42 25 seconds ago /bin/sh -c #(nop) CMD ["/usr/local/nginx/sb… 0B
1ac4db6f9307 25 seconds ago /bin/sh -c #(nop) VOLUME [/var/www/html] 0B
dcc590212194 25 seconds ago /bin/sh -c #(nop) EXPOSE 80 0B
92ea9c254bae 25 seconds ago /bin/sh -c #(nop) COPY dir:3ea1e0d3aae4a80a9… 5.94MB
7e6257c9f8d8 3 weeks ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0B
<missing> 3 weeks ago /bin/sh -c #(nop) LABEL org.label-schema.sc… 0B
<missing> 3 weeks ago /bin/sh -c #(nop) ADD file:61908381d3142ffba… 203MB
[root@server1 docker]# docker images centos:7
REPOSITORY TAG IMAGE ID CREATED SIZE
centos 7 7e6257c9f8d8 3 weeks ago 203MB
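As shown, the centos:7 image is 203M, which means what we built ourselves is only about 6M; it would be even smaller with debug disabled in the nginx source build
The real issue is that the base image is too large
Can the base image be made smaller?
3. Use the leanest base image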
[root@server1 docker]# docker run -it --rm demo:v2 sh
sh-4.2# ldd /usr/local/nginx/sbin/nginx # shared libraries the nginx binary needs from the system
linux-vdso.so.1 => (0x00007fff5e1c6000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fafdd955000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fafdd739000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fafdd502000)
libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fafdd2a0000)
libssl.so.10 => /lib64/libssl.so.10 (0x00007fafdd02e000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007fafdcbcb000)
libz.so.1 => /lib64/libz.so.1 (0x00007fafdc9b5000)
libc.so.6 => /lib64/libc.so.6 (0x00007fafdc5e7000)
/lib64/ld-linux-x86-64.so.2 (0x00007fafddb59000)
libfreebl3.so => /lib64/libfreebl3.so (0x00007fafdc3e4000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fafdc197000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fafdbeae000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fafdbcaa000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fafdba77000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fafdb867000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fafdb663000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fafdb449000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fafdb222000)
sh-4.2# exit
Can these libraries and the nginx binary be packaged into a very small image such as busybox?
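Turning the ldd listing above into the exact set of files a minimal image has to carry means handling its three line shapes: `name => path (addr)`, the bare loader path, and virtual objects such as linux-vdso that have no file. The parser below is an added example, not code from the original article; needed_files is a hypothetical name, the sample lines are copied from the session above, and the `not found` line is constructed to show the failure case.

```python
import re

# Sample input: lines copied from the ldd session above, plus one constructed
# "not found" line (libfoo.so.1 is a made-up name) to exercise the failure case.
LDD_OUTPUT = """\
linux-vdso.so.1 => (0x00007fff5e1c6000)
libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fafdd2a0000)
libssl.so.10 => /lib64/libssl.so.10 (0x00007fafdd02e000)
libc.so.6 => /lib64/libc.so.6 (0x00007fafdc5e7000)
/lib64/ld-linux-x86-64.so.2 (0x00007fafddb59000)
libfoo.so.1 => not found
"""

LINE = re.compile(
    r"^\s*(?P<name>\S+)"                           # soname, or loader path
    r"(?:\s+=>\s+(?P<target>not found|/\S+)?)?"    # optional resolution
    r"\s*(?:\(0x[0-9a-f]+\))?\s*$"                 # optional load address
)

def needed_files(ldd_output):
    """Return (sorted paths to copy into the image, names ldd could not resolve)."""
    paths, missing = set(), []
    for line in ldd_output.splitlines():
        match = LINE.match(line)
        if not match:
            continue
        name, target = match.group("name"), match.group("target")
        if target == "not found":
            missing.append(name)       # the binary would fail to start without it
        elif target:
            paths.add(target)          # resolved shared object
        elif name.startswith("/"):
            paths.add(name)            # the dynamic loader itself
        # otherwise: a virtual object (linux-vdso) with nothing to copy
    return sorted(paths), missing
```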
- Import the image
[root@server1 ~]# docker pull gcr.io/distroless/base-debian10
[root@server1 ~]# docker load -i base-debian10.tar
de1602ca36c9: Loading layer 3.041MB/3.041MB
1d3b68b6972f: Loading layer 17.77MB/17.77MB
Loaded image: gcr.io/distroless/base-debian10:latest
- Write the Dockerfile
[root@server1 docker]# mkdir demo
[root@server1 docker]# cd demo/
[root@server1 demo]# vim Dockerfile
FROM nginx as base
# https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
ARG TIME_ZONE
RUN mkdir -p /opt/var/cache/nginx && \
cp -a --parents /usr/lib/nginx /opt && \
cp -a --parents /usr/share/nginx /opt && \
cp -a --parents /var/log/nginx /opt && \
cp -aL --parents /var/run /opt && \
cp -a --parents /etc/nginx /opt && \
cp -a --parents /etc/passwd /opt && \
cp -a --parents /etc/group /opt && \
cp -a --parents /usr/sbin/nginx /opt && \
cp -a --parents /usr/sbin/nginx-debug /opt && \
cp -a --parents /lib/x86_64-linux-gnu/ld-* /opt && \
cp -a --parents /lib/x86_64-linux-gnu/libpcre.so.* /opt && \
cp -a --parents /lib/x86_64-linux-gnu/libz.so.* /opt && \
cp -a --parents /lib/x86_64-linux-gnu/libc* /opt && \
cp -a --parents /lib/x86_64-linux-gnu/libdl* /opt && \
cp -a --parents /lib/x86_64-linux-gnu/libpthread* /opt && \
cp -a --parents /lib/x86_64-linux-gnu/libcrypt* /opt && \
cp -a --parents /usr/lib/x86_64-linux-gnu/libssl.so.* /opt && \
cp -a --parents /usr/lib/x86_64-linux-gnu/libcrypto.so.* /opt && \
cp /usr/share/zoneinfo/${TIME_ZONE:-ROC} /opt/etc/localtime
FROM gcr.io/distroless/base-debian10
COPY --from=base /opt /
EXPOSE 80 443
ENTRYPOINT ["nginx", "-g", "daemon off;"]
- Build the image
[root@server1 docker]# docker build -t demo:v3 -f Dockerfile1 .
Successfully built 536838e91320
Successfully tagged demo:v3
- Check the image size
[root@server1 docker]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
demo v3 536838e91320 5 seconds ago 31.7MB
demo v2 052476932b42 13 seconds ago 209MB
demo v1 26fbedb6ce46 4 minutes ago 290MB
demo v9 66a7a74a1cd1 About an hour ago 378MB