This article summarizes the steps for installing Docker CE (Community Edition) on CentOS 7.6 and running a container.
CentOS 7.6 is in the state right after OS installation, with nothing configured yet.
This environment was built on 2019/3/15.
※ I have no deep expertise and wrote this as a personal memo, so please be aware that it may contain errors m(__)m
About the build environment
OS : CentOS 7.6 on VMware Player
[root@machipon23-docker ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@machipon23-docker ~]# uname -r
3.10.0-957.el7.x86_64
docker : 18.09.3
[root@machipon23-docker ~]# docker --version
Docker version 18.09.3, build 774a1f4
[root@machipon23-docker ~]# docker version
Client:
Version: 18.09.3
API version: 1.39
Go version: go1.10.8
Git commit: 774a1f4
Built: Thu Feb 28 06:33:21 2019
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 18.09.3
API version: 1.39 (minimum version 1.12)
Go version: go1.10.8
Git commit: 774a1f4
Built: Thu Feb 28 06:02:24 2019
OS/Arch: linux/amd64
Experimental: false
Reference sites
・docker docs
https://docs.docker.com/install/linux/docker-ce/centos/
https://docs.docker.com/install/linux/linux-postinstall/
Pre-installation preparation
The following requirements must be met.
- Enable the centos-extras repository
⇒ Enabled by default
- Use of the overlay2 storage driver is recommended
⇒ The overlay kernel module is present by default.
In addition, the overlay2 driver is applied by default.
Confirming that the centos-extras repository is enabled
[root@machipon23-docker ~]# yum repolist
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: ftp.iij.ad.jp
* extras: ftp.iij.ad.jp
* updates: ftp.iij.ad.jp
repo id repo name status
base/7/x86_64 CentOS-7 - Base 10,019
extras/7/x86_64 CentOS-7 - Extras 371
updates/7/x86_64 CentOS-7 - Updates 1,163
repolist: 11,553
Confirming that the overlay kernel module exists
[root@machipon23-docker ~]# lsmod | grep overlay
overlay 71964 0
[root@machipon23-docker ~]# modinfo overlay
filename: /lib/modules/3.10.0-957.el7.x86_64/kernel/fs/overlayfs/overlay.ko.xz
alias: fs-overlay
license: GPL
description: Overlay filesystem
author: Miklos Szeredi <miklos@szeredi.hu>
retpoline: Y
rhelversion: 7.6
srcversion: 1CF79904F61F2BFDF6F89EC
depends:
intree: Y
vermagic: 3.10.0-957.el7.x86_64 SMP mod_unload modversions
signer: CentOS Linux kernel signing key
sig_key: B7:0D:CF:0D:F2:D9:B7:F2:91:59:24:82:49:FD:6F:E8:7B:78:14:27
sig_hashalgo: sha256
parm: check_copy_up:uint
parm: ovl_check_copy_up:Warn on copy-up when causing process also has a R/O fd open
parm: redirect_max:ushort
parm: ovl_redirect_max:Maximum length of absolute redirect xattr value
parm: redirect_dir:bool
parm: ovl_redirect_dir_def:Default to on or off for the redirect_dir feature
parm: redirect_always_follow:bool
parm: ovl_redirect_always_follow:Follow redirects even if redirect_dir feature is turned off
parm: index:bool
parm: ovl_index_def:Default to on or off for the inodes index feature
⇒ Without the overlay module, the docker service cannot be started.
Installed to check bridge information (not required)
[root@machipon23-docker ~]# yum install -y bridge-utils tcpdump
Starting the installation
Add docker-ce.repo and install docker-ce
[root@machipon23-docker ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
[root@machipon23-docker ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
[root@machipon23-docker ~]# yum install -y docker-ce docker-ce-cli containerd.io
Start the docker service
[root@machipon23-docker ~]# systemctl start docker
[root@machipon23-docker ~]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
Running a container
Run the hello-world container
[root@machipon23-docker ~]# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
1b930d010525: Pull complete
Digest: sha256:2557e3c07ed1e38f26e389462d03ed943586f744621577a99efb77324b0fe535
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/
Check the containers
[root@machipon23-docker ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
984557c7d945 hello-world "/hello" 3 minutes ago Exited (0) 8 seconds ago jovial_clarke
Show general Docker information
[root@machipon23-docker ~]# docker info
Containers: 1
Running: 0
Paused: 0
Stopped: 1
Images: 1
Server Version: 18.09.3
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: e6b3f5632f50dbc4e9cb6288d911bf4f5e95b18e
runc version: 6635b4f0c6af3810594d2770f662f34ddc15b40d
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 3.10.0-957.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.934GiB
Name: machipon23-docker
ID: DNQZ:5FEI:BVCN:OKRN:ZNKG:HLSK:JLNO:CLZE:6LJR:KWVQ:JXXD:NSFE
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
Try starting an ubuntu container
Because the image does not exist locally, it is downloaded from https://index.docker.io/v1/.
[root@machipon23-docker ~]# docker run -it ubuntu bash
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
Status: Downloaded newer image for ubuntu:latest
The container shell starts automatically, so log out of it.
root@365bda9f414d:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 5.2 0.0 18496 2012 pts/0 Ss 16:04 0:00 bash
root 11 0.0 0.0 34388 1456 pts/0 R+ 16:04 0:00 ps aux
root@365bda9f414d:/# exit
When you log out, the container enters the stopped state.
[root@machipon23-docker ~]# docker container ls --all
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
365bda9f414d ubuntu "bash" 29 seconds ago Exited (0) 9 seconds ago serene_bell
984557c7d945 hello-world "/hello" 5 minutes ago Exited (0) 2 minutes ago jovial_clarke
[root@machipon23-docker ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu latest 94e814e2efa8 3 days ago 88.9MB
hello-world latest fce289e99eb9 2 months ago 1.84kB
If you want the container to stay running after you log out, you need to start it in the background (the -d option).
[root@machipon23-docker ~]# docker run -itd centos bash
[root@machipon23-docker ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4ae1371a0f98 centos "bash" 28 seconds ago Up 27 seconds recursing_albattani
4a62398eadd6 ubuntu "bash" 15 minutes ago Exited (0) About a minute ago happy_engelbart
8a28bb1c5c01 ubuntu "bash" 8 hours ago Exited (0) About an hour ago frosty_mendel
26d3abc8ab66 hello-world "/hello" 8 hours ago Exited (0) 8 hours ago nifty_murdock
[root@machipon23-docker ~]# docker exec -it 4ae1371a0f98 bash
[root@4ae1371a0f98 /]# exit
[root@machipon23-docker ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4ae1371a0f98 centos "bash" 2 minutes ago Up 2 minutes recursing_albattani
4a62398eadd6 ubuntu "bash" 17 minutes ago Exited (0) 3 minutes ago happy_engelbart
8a28bb1c5c01 ubuntu "bash" 8 hours ago Exited (0) About an hour ago frosty_mendel
26d3abc8ab66 hello-world "/hello" 8 hours ago Exited (0) 8 hours ago nifty_murdock
That completes the installation.
Very easy, isn't it!
OS differences before and after setting up Docker
Items changed after package installation
A group is added, but no user is added
[root@machipon23-docker ~]# tail /etc/group
cgred:x:996:
docker:x:995:
[root@machipon23-docker ~]# egrep '995|996' /etc/passwd
Items changed after starting the docker service
IP masquerade and related rules are configured in iptables.
[root@machipon23-docker ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
It has been changed from 0 to 1 to enable IP masquerading.
[root@machipon23-docker ~]# cat /proc/sys/net/ipv4/ip_forward
1
The docker0 bridge is configured. When a container starts, a veth is attached to the docker0 bridge.
[root@machipon23-docker ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.02427f4e027f no
・After starting containers
[root@machipon23-docker ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.02429b7b62fd no vethc610beb
vethfa78fc2
The following kernel parameters had changed.
"<" marks the parameter before Docker setup, ">" the parameter after Docker setup
< fs.dentry-state = 35619 19953 45 0 0 0
---
> fs.dentry-state = 77806 56614 45 0 0 0
< fs.file-nr = 1152 0 197426
< fs.inode-nr = 29550 317
< fs.inode-state = 29550 317 0 0 0 0 0
---
> fs.file-nr = 1216 0 197426
> fs.inode-nr = 38805 302
> fs.inode-state = 38805 302 0 0 0 0 0
< fs.may_detach_mounts = 0
---
> fs.may_detach_mounts = 1
< kernel.ns_last_pid = 15060
---
> kernel.ns_last_pid = 15551
< kernel.random.entropy_avail = 771
---
> kernel.random.entropy_avail = 992
< kernel.random.uuid = c9f802f9-7012-457e-92e8-bfcda9aa0ebb
---
> kernel.random.uuid = bd770926-b945-463d-b7d3-92bb9be1e8b9
< kernel.sched_domain.cpu0.domain0.max_newidle_lb_cost = 49006
---
> kernel.sched_domain.cpu0.domain0.max_newidle_lb_cost = 355932
< kernel.sched_domain.cpu1.domain0.max_newidle_lb_cost = 20214
---
> kernel.sched_domain.cpu1.domain0.max_newidle_lb_cost = 45446
< kernel.tainted = 0
---
> kernel.tainted = 536870912
< net.ipv4.conf.all.accept_redirects = 1
---
> net.ipv4.conf.all.accept_redirects = 0
291c297
< net.ipv4.conf.all.forwarding = 0
---
> net.ipv4.conf.all.forwarding = 1
317c323
< net.ipv4.conf.default.forwarding = 0
---
> net.ipv4.conf.default.forwarding = 1
330a337,362
< net.ipv4.conf.ens33.forwarding = 0
---
> net.ipv4.conf.ens33.forwarding = 1
369c401
< net.ipv4.conf.lo.forwarding = 0
---
> net.ipv4.conf.lo.forwarding = 1
402c434
< net.ipv4.ip_forward = 0
---
> net.ipv4.ip_forward = 1
429a462,474
< net.netfilter.nf_conntrack_count = 41
---
> net.netfilter.nf_conntrack_count = 48
> net.ipv4.conf.docker0.accept_local = 0
> net.ipv4.conf.docker0.accept_redirects = 1
> net.ipv4.conf.docker0.accept_source_route = 0
> net.ipv4.conf.docker0.arp_accept = 0
> net.ipv4.conf.docker0.arp_announce = 0
> net.ipv4.conf.docker0.arp_filter = 0
> net.ipv4.conf.docker0.arp_ignore = 0
> net.ipv4.conf.docker0.arp_notify = 0
> net.ipv4.conf.docker0.bootp_relay = 0
> net.ipv4.conf.docker0.disable_policy = 0
> net.ipv4.conf.docker0.disable_xfrm = 0
> net.ipv4.conf.docker0.force_igmp_version = 0
> net.ipv4.conf.docker0.forwarding = 1
> net.ipv4.conf.docker0.log_martians = 0
> net.ipv4.conf.docker0.mc_forwarding = 0
> net.ipv4.conf.docker0.medium_id = 0
> net.ipv4.conf.docker0.promote_secondaries = 1
> net.ipv4.conf.docker0.proxy_arp = 0
> net.ipv4.conf.docker0.proxy_arp_pvlan = 0
> net.ipv4.conf.docker0.route_localnet = 0
> net.ipv4.conf.docker0.rp_filter = 1
> net.ipv4.conf.docker0.secure_redirects = 1
> net.ipv4.conf.docker0.send_redirects = 1
> net.ipv4.conf.docker0.shared_media = 1
> net.ipv4.conf.docker0.src_valid_mark = 0
> net.ipv4.conf.docker0.tag = 0
> net.ipv4.neigh.docker0.anycast_delay = 100
> net.ipv4.neigh.docker0.app_solicit = 0
> net.ipv4.neigh.docker0.base_reachable_time_ms = 30000
> net.ipv4.neigh.docker0.delay_first_probe_time = 5
> net.ipv4.neigh.docker0.gc_stale_time = 60
> net.ipv4.neigh.docker0.locktime = 100
> net.ipv4.neigh.docker0.mcast_solicit = 3
> net.ipv4.neigh.docker0.proxy_delay = 80
> net.ipv4.neigh.docker0.proxy_qlen = 64
> net.ipv4.neigh.docker0.retrans_time_ms = 1000
> net.ipv4.neigh.docker0.ucast_solicit = 3
> net.ipv4.neigh.docker0.unres_qlen = 31
> net.ipv4.neigh.docker0.unres_qlen_bytes = 65536
> net.ipv6.conf.docker0.accept_dad = 1
> net.ipv6.conf.docker0.accept_ra = 1
> net.ipv6.conf.docker0.accept_ra_defrtr = 1
> net.ipv6.conf.docker0.accept_ra_pinfo = 1
> net.ipv6.conf.docker0.accept_ra_rt_info_max_plen = 0
> net.ipv6.conf.docker0.accept_ra_rtr_pref = 1
> net.ipv6.conf.docker0.accept_redirects = 1
> net.ipv6.conf.docker0.accept_source_route = 0
> net.ipv6.conf.docker0.autoconf = 1
> net.ipv6.conf.docker0.dad_transmits = 1
> net.ipv6.conf.docker0.disable_ipv6 = 0
> net.ipv6.conf.docker0.enhanced_dad = 1
> net.ipv6.conf.docker0.force_mld_version = 0
> net.ipv6.conf.docker0.force_tllao = 0
> net.ipv6.conf.docker0.forwarding = 0
> net.ipv6.conf.docker0.hop_limit = 64
> net.ipv6.conf.docker0.keep_addr_on_down = 0
> net.ipv6.conf.docker0.max_addresses = 16
> net.ipv6.conf.docker0.max_desync_factor = 600
> net.ipv6.conf.docker0.mc_forwarding = 0
> net.ipv6.conf.docker0.mldv1_unsolicited_report_interval = 10000
> net.ipv6.conf.docker0.mldv2_unsolicited_report_interval = 1000
> net.ipv6.conf.docker0.mtu = 1500
> net.ipv6.conf.docker0.ndisc_notify = 0
> net.ipv6.conf.docker0.optimistic_dad = 0
> net.ipv6.conf.docker0.proxy_ndp = 0
> net.ipv6.conf.docker0.regen_max_retry = 3
> net.ipv6.conf.docker0.router_probe_interval = 60
> net.ipv6.conf.docker0.router_solicitation_delay = 1
> net.ipv6.conf.docker0.router_solicitation_interval = 4
> net.ipv6.conf.docker0.router_solicitations = 3
> net.ipv6.conf.docker0.temp_prefered_lft = 86400
> net.ipv6.conf.docker0.temp_valid_lft = 604800
> net.ipv6.conf.docker0.use_optimistic = 0
> net.ipv6.conf.docker0.use_tempaddr = 0
> net.ipv6.neigh.docker0.anycast_delay = 100
> net.ipv6.neigh.docker0.app_solicit = 0
> net.ipv6.neigh.docker0.base_reachable_time_ms = 30000
> net.ipv6.neigh.docker0.delay_first_probe_time = 5
> net.ipv6.neigh.docker0.gc_stale_time = 60
> net.ipv6.neigh.docker0.locktime = 0
> net.ipv6.neigh.docker0.mcast_solicit = 3
> net.ipv6.neigh.docker0.proxy_delay = 80
> net.ipv6.neigh.docker0.proxy_qlen = 64
> net.ipv6.neigh.docker0.retrans_time_ms = 1000
> net.ipv6.neigh.docker0.ucast_solicit = 3
> net.ipv6.neigh.docker0.unres_qlen = 31
> net.ipv6.neigh.docker0.unres_qlen_bytes = 65536
> net.bridge.bridge-nf-call-arptables = 1
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> net.bridge.bridge-nf-filter-pppoe-tagged = 0
> net.bridge.bridge-nf-filter-vlan-tagged = 0
> net.bridge.bridge-nf-pass-vlan-input-dev = 0
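The before/after comparison in this section was done by hand. As an added example (not code from the original article), the following script snapshots the same items, reports every sysctl key that changed or appeared, and singles out the forwarding and bridge-netfilter keys that change how the host handles traffic. The helper names snapshot_state, diff_sysctl and flag_network_changes are assumptions, and the sample dumps are constructed from a subset of the article's own diff.

```shell
#!/bin/sh
# Added example, not from the original article: automate the before/after host
# comparison the author did by hand. snapshot_state, diff_sysctl and
# flag_network_changes are assumed helper names, not Docker or CentOS tooling.

# Capture the items the article inspects into DIR. Run once before installing
# Docker and once after starting the service, then diff the two directories.
snapshot_state() {
    mkdir -p "$1"
    sysctl -a 2>/dev/null | sort > "$1/sysctl.txt"
    iptables -t nat -S 2>/dev/null > "$1/nat.txt"
    cut -d: -f1,3 /etc/group  | sort > "$1/groups.txt"
    cut -d: -f1,3 /etc/passwd | sort > "$1/users.txt"
    brctl show 2>/dev/null > "$1/bridges.txt"
}

# Print "key: old -> new" for every sysctl key whose value changed; keys that
# only exist afterwards (e.g. net.*.docker0.*) are reported as "(absent)".
diff_sysctl() {
    awk -F' = ' '
        FILENAME == ARGV[1] { before[$1] = $2; next }
        !($1 in before)     { printf "%s: (absent) -> %s\n", $1, $2; next }
        before[$1] != $2    { printf "%s: %s -> %s\n", $1, before[$1], $2 }
    ' "$1" "$2"
}
# Keep only changes that alter how the host routes or filters packets: the
# forwarding, redirect, rp_filter and bridge-netfilter keys the article shows.
flag_network_changes() {
    diff_sysctl "$1" "$2" |
        grep -E '^net\.[^:]*(forwarding|ip_forward|accept_redirects|rp_filter|bridge-nf-call)'
}

# Constructed sample dumps (a subset of the article's diff) so the helpers run
# without a Docker host; on a real host diff two snapshot_state outputs instead.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/before.txt" <<'EOF'
fs.may_detach_mounts = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.forwarding = 0
net.ipv4.ip_forward = 0
EOF
cat > "$SAMPLE_DIR/after.txt" <<'EOF'
fs.may_detach_mounts = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.docker0.rp_filter = 1
net.ipv4.ip_forward = 1
EOF
flag_network_changes "$SAMPLE_DIR/before.txt" "$SAMPLE_DIR/after.txt"
```

On a real host, run `snapshot_state before` as root prior to `yum install`, `snapshot_state after` once `systemctl start docker` has completed, then `flag_network_changes before/sysctl.txt after/sysctl.txt`; the remaining files in the two directories can be compared with plain diff.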
That's all.