之所以要延遲多少秒做健康狀態檢查是因為,docker運行為容器以後,會立刻把該容器的狀態標記為running狀態,而對於有些初始化比較慢的容器,如果馬上對它做健康狀態檢查,可能是不健康的狀態,這樣一來我們對瞭解容器是否健康就不是很準確了;如果配合某些工具,很可能存在檢測到容器不健康就把該容器刪除,... ...
前面我們聊到了dockerfile的 FROM、COPY 、ADD、LABEL、MAINTAINER、ENV、ARG、WORKDIR、VOLUME、EXPOSE、RUN、CMD、ENTRYPOINT指令的使用和說明,回顧請參考https://www.cnblogs.com/qiuhom-1874/tag/Dockerfile/;今天我們來聊聊剩下的dockerfile指令的使用和說明;
1、USER:該指令用於指定運行image時的或運行dockerfile中任何RUN、CMD或ENTRYPOINT指令指定的程式時的用戶名或UID;預設情況下,container的運行身份為root用戶;語法格式 USER <UID>|<UserName>; 需要註意的是,<UID>可以為任意數字,但實踐中其必須為/etc/passwd中某用戶的有效UID,否則,docker run命令將運行失敗;
示例:
[root@node1 test]# cat Dockerfile FROM centos:7 LABEL maintainer="qiuhom <[email protected]>" LABEL version="1.0" LABEL description="this is test file \ that label-values can span multiple lines." RUN useradd nginx USER nginx CMD ["sleep","3000"] [root@node1 test]#
提示:以上dockerfile表示在鏡像運行成容器時,以nginx用戶運行 sleep 3000
驗證:編譯成鏡像,啟動為容器,然後進入到容器里看看sleep 3000 是否是nginx用戶在運行?
[root@node1 test]# docker build . -t test:v1 Sending build context to Docker daemon 1.051MB Step 1/7 : FROM centos:7 ---> b5b4d78bc90c Step 2/7 : LABEL maintainer="qiuhom <[email protected]>" ---> Running in 0f503dae4448 Removing intermediate container 0f503dae4448 ---> d31363b96f38 Step 3/7 : LABEL version="1.0" ---> Running in 8dad05999903 Removing intermediate container 8dad05999903 ---> 2281f36d7c3c Step 4/7 : LABEL description="this is test file \ that label-values can span multiple lines." ---> Running in d2be9ed44aee Removing intermediate container d2be9ed44aee ---> 8de872e222fb Step 5/7 : RUN useradd nginx ---> Running in 37bda6ba6b60 Removing intermediate container 37bda6ba6b60 ---> dc681f95f5ca Step 6/7 : USER nginx ---> Running in 97d2357826f9 Removing intermediate container 97d2357826f9 ---> ed277ac0c482 Step 7/7 : CMD ["sleep","3000"] ---> Running in 0ea578fa10bc Removing intermediate container 0ea578fa10bc ---> 461f6ceabc88 Successfully built 461f6ceabc88 Successfully tagged test:v1 [root@node1 test]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE test v1 461f6ceabc88 3 seconds ago 204MB centos 7 b5b4d78bc90c 4 weeks ago 203MB [root@node1 test]# docker run --name t1 --rm -d test:v1 37e46346d6ca0ab05b67f5350d4c2a7b6b86b8d34c8d1622d78ef70b7d3dff86 [root@node1 test]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 37e46346d6ca test:v1 "sleep 3000" 3 seconds ago Up 2 seconds t1 [root@node1 test]# docker exec -it t1 /bin/bash [nginx@37e46346d6ca /]$ ps aux USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND nginx 1 0.1 0.0 4364 352 ? Ss 10:02 0:00 sleep 3000 nginx 6 0.4 0.0 11828 1808 pts/0 Ss 10:02 0:00 /bin/bash nginx 23 0.0 0.0 51756 1708 pts/0 R+ 10:02 0:00 ps aux [nginx@37e46346d6ca /]$ exit exit [root@node1 test]#
提示:可以看到基於上面的dockerfile構建的鏡像運行為容器,裡面預設跑的進程就是我們在dockerfile中指定用戶運行的進程;使用USER指定用戶運行容器里的進程,需要註意該用戶要對運行進程所需資源的所有許可權;否則容器運行不起來;
2、HEALTHCHECK:該指令用於定義如何對容器做健康狀態檢測;運行為容器後,容器里的進程不掛掉,當然容器也就不會掛掉,但是存在一種情況,容器沒有掛掉,容器里的進程無法正常提供服務了,這個時候我們就需要通過一定的手段,第一時間知道容器里的進程是否健康(是否能夠正常提供服務);healthcheck指令就是用來定義如果去檢測容器內部進程是否健康;語法格式HEALTHCHECK [OPTIONS] CMD command;其中CMD是固定格式,而後面的command是對容器里的進程做健康狀態檢查的命令;而options是用來指定對容器做健康狀態檢查的周期時間相關信息;--interval=DURATION (default: 30s),該選項用於指定對容器做健康狀態檢查的頻率,預設是30s一次;--timeout=DURATION (default: 30s),該選項用於指定對容器內部的進程做健康狀態檢查的超時時長,預設是30秒;--start-period=DURATION (default: 0s)指定對容器中的進程做健康狀態檢查延遲時間,預設0表示不延遲;這裡補充一點,之所以要延遲多少秒做健康狀態檢查是因為,docker運行為容器以後,會立刻把該容器的狀態標記為running狀態,而對於有些初始化比較慢的容器,如果馬上對它做健康狀態檢查,可能是不健康的狀態,這樣一來我們對瞭解容器是否健康就不是很準確了;如果配合某些工具,很可能存在檢測到容器不健康就把該容器刪除,然後重新創建,以此重覆;這樣就會導致我們的容器啟動不起來; --retries=N (default: 3)表示指定對容器做健康狀態檢查的重試次數,預設是3次;也就是說檢查到容器不健康的前提或健康的前提,它都會檢查3次,如果3次檢查都是失敗狀態那麼就標記該容器不健康;而對於我們指定的命令來講,命令的返回值就決定了容器是否健康,通常命令返回值為0表示我們執行的命令正常退出,也就意味著容器是健康狀態;命令返回值為1表示容器不健康;返回值為2我們通常都是保留不使用;HEALTHCHECK NONE就表示不對容器做健康狀態檢查;
示例:
[root@node1 test]# cat Dockerfile FROM centos:7 LABEL maintainer="qiuhom <[email protected]>" LABEL version="1.0" LABEL description="this is test file \ that label-values can span multiple lines." RUN yum install -y httpd ADD ok.html /var/www/html/ CMD ["/usr/sbin/httpd","-DFOREGROUND"] HEALTHCHECK --interval=5s --timeout=5s --start-period=5s --retries=2 \ CMD curl -f http://localhost/ok.html || exit 1 [root@node1 test]#
提示:以上HEALTHCHECK指令表示每5秒檢查一次,超時時長為5秒,延遲5秒開始檢查,重試2次;如果curl -f http://localhost/ok.html這條命令正常返回0,那麼就表示容器健康,否則就返回1,表示容器不健康;
驗證:把以上dockerfile構建成鏡像啟動為容器,我們把ok.html刪除或移動到別的目錄,看看容器是否標記為不健康?
[root@node1 test]# docker build . -t test:v1.1 Sending build context to Docker daemon 1.052MB Step 1/8 : FROM centos:7 ---> b5b4d78bc90c Step 2/8 : LABEL maintainer="qiuhom <[email protected]>" ---> Using cache ---> d31363b96f38 Step 3/8 : LABEL version="1.0" ---> Using cache ---> 2281f36d7c3c Step 4/8 : LABEL description="this is test file \ that label-values can span multiple lines." ---> Using cache ---> 8de872e222fb Step 5/8 : RUN yum install -y httpd ---> Running in 9964718a2c3e Loaded plugins: fastestmirror, ovl Determining fastest mirrors * base: mirrors.bfsu.edu.cn * extras: mirrors.aliyun.com * updates: mirrors.aliyun.com Resolving Dependencies --> Running transaction check ---> Package httpd.x86_64 0:2.4.6-93.el7.centos will be installed --> Processing Dependency: httpd-tools = 2.4.6-93.el7.centos for package: httpd-2.4.6-93.el7.centos.x86_64 --> Processing Dependency: system-logos >= 7.92.1-1 for package: httpd-2.4.6-93.el7.centos.x86_64 --> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-93.el7.centos.x86_64 --> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-93.el7.centos.x86_64 --> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-93.el7.centos.x86_64 --> Running transaction check ---> Package apr.x86_64 0:1.4.8-5.el7 will be installed ---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed ---> Package centos-logos.noarch 0:70.0.6-3.el7.centos will be installed ---> Package httpd-tools.x86_64 0:2.4.6-93.el7.centos will be installed ---> Package mailcap.noarch 0:2.1.41-2.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ================================================================================ Package Arch Version Repository Size ================================================================================ Installing: httpd x86_64 2.4.6-93.el7.centos base 2.7 M Installing for dependencies: apr x86_64 1.4.8-5.el7 base 103 k apr-util x86_64 1.5.2-6.el7 base 92 k centos-logos noarch 70.0.6-3.el7.centos base 21 M httpd-tools x86_64 2.4.6-93.el7.centos base 92 k mailcap noarch 2.1.41-2.el7 base 31 k Transaction Summary ================================================================================ Install 1 Package (+5 Dependent packages) Total download size: 24 M Installed size: 32 M Downloading packages: warning: /var/cache/yum/x86_64/7/base/packages/apr-1.4.8-5.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY Public key for apr-1.4.8-5.el7.x86_64.rpm is not installed -------------------------------------------------------------------------------- Total 2.0 MB/s | 24 MB 00:12 Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 Importing GPG key 0xF4A80EB5: Userid : "CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>" Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5 Package : centos-release-7-8.2003.0.el7.centos.x86_64 (@CentOS) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : apr-1.4.8-5.el7.x86_64 1/6 Installing : apr-util-1.5.2-6.el7.x86_64 2/6 Installing : httpd-tools-2.4.6-93.el7.centos.x86_64 3/6 Installing : centos-logos-70.0.6-3.el7.centos.noarch 4/6 Installing : mailcap-2.1.41-2.el7.noarch 5/6 Installing : httpd-2.4.6-93.el7.centos.x86_64 6/6 Verifying : mailcap-2.1.41-2.el7.noarch 1/6 Verifying : apr-util-1.5.2-6.el7.x86_64 2/6 Verifying : httpd-2.4.6-93.el7.centos.x86_64 3/6 Verifying : apr-1.4.8-5.el7.x86_64 4/6 Verifying : httpd-tools-2.4.6-93.el7.centos.x86_64 5/6 Verifying : centos-logos-70.0.6-3.el7.centos.noarch 6/6 Installed: httpd.x86_64 0:2.4.6-93.el7.centos Dependency Installed: apr.x86_64 0:1.4.8-5.el7 apr-util.x86_64 0:1.5.2-6.el7 centos-logos.noarch 0:70.0.6-3.el7.centos httpd-tools.x86_64 0:2.4.6-93.el7.centos mailcap.noarch 0:2.1.41-2.el7 Complete! Removing intermediate container 9964718a2c3e ---> a931e93eea06 Step 6/8 : ADD ok.html /var/www/html/ ---> 97e61f41911d Step 7/8 : CMD ["/usr/sbin/httpd","-DFOREGROUND"] ---> Running in e91ccdef90c2 Removing intermediate container e91ccdef90c2 ---> 7c8af9bb7eb3 Step 8/8 : HEALTHCHECK --interval=5s --timeout=5s --start-period=5s --retries=2 CMD curl -f http://localhost/ok.html || exit 1 ---> Running in 80682ab087d3 Removing intermediate container 80682ab087d3 ---> aa53cba15046 Successfully built aa53cba15046 Successfully tagged test:v1.1 [root@node1 test]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE test v1.1 aa53cba15046 8 seconds ago 312MB test v1 461f6ceabc88 57 minutes ago 204MB centos 7 b5b4d78bc90c 4 weeks ago 203MB [root@node1 test]# docker run --name t1 --rm -d test:v1.1 332590e683fcb29f60a28703548fce7aa83df715cbb840e1283472834867d6a1 [root@node1 test]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 332590e683fc test:v1.1 "/usr/sbin/httpd -DF…" 3 seconds ago Up 2 seconds (health: starting) t1 [root@node1 test]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 332590e683fc test:v1.1 "/usr/sbin/httpd -DF…" 7 seconds ago Up 6 seconds (healthy) t1 [root@node1 test]#
提示:可以看到基於我們寫的dockerfile構建的鏡像已經成功運行為容器,並且標記為healthy;接下來我們進入容器把ok.html幹掉,然後在看看容器是否標記為不健康狀態?
提示:從上面的信息可以看到我們把ok.html移除後,容器狀態就變成不健康狀態了;我們再把ok.html還原到原有位置,看看容器是否會從不健康轉換為健康呢?
提示:可以看到把ok.html還原到/var/www/html/目錄後,容器從不健康狀態變為了健康狀態;
3、SHELL:該指令用於指定預設shell,該指令開始到下一個SHELL中間的命令都是SHELL指定的shell 運行,所以SHELL指令在dockerfile中可出現多次,後面的SHELL指令指定的shell會覆蓋前面所有SHELL指令指定的shell;預設在Linux上是["/bin/sh","-c"]在Windows上述["cmd","/s","/c"];SHELL指令必須是以json數組的格式定義;語法SHELL ["executable", "parameters"];
4、STOPSIGNAL:該指令用於定義停止容器的信號;預設停止容器是15號信號 SIGTERM;語法STOPSIGNAL signal
5、ONBUILD:該指令用於在Dockerfile中定義一個觸發器;Dockerfile用於build映像文件,此映像文件亦可作為base image被另一個Dockerfile用作FROM指令的參數,並以之構建新的映像文件;在後面的這個Dockerfile中的FROM指令在build過程中被執行時,將會“觸發”創建其base image的Dockerfile文件中的ONBUILD指令定義的觸發器;用法格式ONBUILD <INSTRUCTION>;儘管任何指令都可註冊成為觸發器指令,但ONBUILD不能自我嵌套,且不會觸發FROM和MAINTAINER指令;使用包含ONBUILD指令的Dockerfile構建的鏡像應該使用特殊的標簽,例如ruby:2.0-onbuild;在ONBUILD指令中使用ADD或COPY指令應該格外小心,因為新構建過程的上下文在缺少指定的源文件時會失敗;
示例:
[root@node1 test]# cat Dockerfile FROM centos:7 LABEL maintainer="qiuhom <[email protected]>" ONBUILD RUN yum install -y httpd [root@node1 test]#
提示:以上dockerfile表示在本次構建鏡像中不運行yum install -y httpd這條命令,而是在後面的dockerfile中以本dockerfile製作的進行作為基礎繼續時,yum install -y httpd這條命令就會被觸發執行;簡單講onbuild就是指定dockerfile指令延遲執行;這裡一定要記住一點onbuild指令後面一定是跟的是dockerfile指令;
驗證:將上面的dockerfile編譯鏡像,看看yum install -y httpd 是否執行了?
[root@node1 test]# docker build . -t test:v1.5 Sending build context to Docker daemon 1.052MB Step 1/3 : FROM centos:7 ---> b5b4d78bc90c Step 2/3 : LABEL maintainer="qiuhom <[email protected]>" ---> Using cache ---> d31363b96f38 Step 3/3 : ONBUILD RUN yum install -y httpd ---> Running in d3601fa1c3b7 Removing intermediate container d3601fa1c3b7 ---> 370e3a843c3c Successfully built 370e3a843c3c Successfully tagged test:v1.5 [root@node1 test]#
提示:可以看到yum install -y httpd 這條命令並沒有執行;
驗證:將我們上面製作好的鏡像作為基礎鏡像,再來製作其他鏡像,看看yum install -y httpd 被執行?
[root@node1 aaa]# pwd /root/test/aaa [root@node1 aaa]# ls Dockerfile [root@node1 aaa]# cat Dockerfile FROM test:v1.5 LABEL maintainer="qiuhom <[email protected]>" [root@node1 aaa]# docker build . -t myweb:v1 Sending build context to Docker daemon 2.048kB Step 1/2 : FROM test:v1.5 # Executing 1 build trigger ---> Running in cf93e9f03e89 Loaded plugins: fastestmirror, ovl Determining fastest mirrors * base: mirrors.huaweicloud.com * extras: mirrors.aliyun.com * updates: mirrors.aliyun.com Resolving Dependencies --> Running transaction check ---> Package httpd.x86_64 0:2.4.6-93.el7.centos will be installed --> Processing Dependency: httpd-tools = 2.4.6-93.el7.centos for package: httpd-2.4.6-93.el7.centos.x86_64 --> Processing Dependency: system-logos >= 7.92.1-1 for package: httpd-2.4.6-93.el7.centos.x86_64 --> Processing Dependency: /etc/mime.types for package: httpd-2.4.6-93.el7.centos.x86_64 --> Processing Dependency: libaprutil-1.so.0()(64bit) for package: httpd-2.4.6-93.el7.centos.x86_64 --> Processing Dependency: libapr-1.so.0()(64bit) for package: httpd-2.4.6-93.el7.centos.x86_64 --> Running transaction check ---> Package apr.x86_64 0:1.4.8-5.el7 will be installed ---> Package apr-util.x86_64 0:1.5.2-6.el7 will be installed ---> Package centos-logos.noarch 0:70.0.6-3.el7.centos will be installed ---> Package httpd-tools.x86_64 0:2.4.6-93.el7.centos will be installed ---> Package mailcap.noarch 0:2.1.41-2.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ================================================================================ Package Arch Version Repository Size ================================================================================ Installing: httpd x86_64 2.4.6-93.el7.centos base 2.7 M Installing for dependencies: apr x86_64 1.4.8-5.el7 base 103 k apr-util x86_64 1.5.2-6.el7 base 92 k centos-logos noarch 70.0.6-3.el7.centos base 21 M httpd-tools x86_64 2.4.6-93.el7.centos base 92 k mailcap noarch 2.1.41-2.el7 base 31 k Transaction Summary ================================================================================ Install 1 Package (+5 Dependent packages) Total download size: 24 M Installed size: 32 M Downloading packages: warning: /var/cache/yum/x86_64/7/base/packages/apr-1.4.8-5.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY Public key for apr-1.4.8-5.el7.x86_64.rpm is not installed -------------------------------------------------------------------------------- Total 7.2 MB/s | 24 MB 00:03 Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 Importing GPG key 0xF4A80EB5: Userid : "CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>" Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5 Package : centos-release-7-8.2003.0.el7.centos.x86_64 (@CentOS) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : apr-1.4.8-5.el7.x86_64 1/6 Installing : apr-util-1.5.2-6.el7.x86_64 2/6 Installing : httpd-tools-2.4.6-93.el7.centos.x86_64 3/6 Installing : centos-logos-70.0.6-3.el7.centos.noarch 4/6 Installing : mailcap-2.1.41-2.el7.noarch 5/6 Installing : httpd-2.4.6-93.el7.centos.x86_64 6/6 Verifying : mailcap-2.1.41-2.el7.noarch 1/6 Verifying : apr-util-1.5.2-6.el7.x86_64 2/6 Verifying : httpd-2.4.6-93.el7.centos.x86_64 3/6 Verifying : apr-1.4.8-5.el7.x86_64 4/6 Verifying : httpd-tools-2.4.6-93.el7.centos.x86_64 5/6 Verifying : centos-logos-70.0.6-3.el7.centos.noarch 6/6 Installed: httpd.x86_64 0:2.4.6-93.el7.centos Dependency Installed: apr.x86_64 0:1.4.8-5.el7 apr-util.x86_64 0:1.5.2-6.el7 centos-logos.noarch 0:70.0.6-3.el7.centos httpd-tools.x86_64 0:2.4.6-93.el7.centos mailcap.noarch 0:2.1.41-2.el7 Complete! Removing intermediate container cf93e9f03e89 ---> a89914bda4b5 Step 2/2 : LABEL maintainer="qiuhom <[email protected]>" ---> Running in e175e0542b5e Removing intermediate container e175e0542b5e ---> 4f406abeaab7 Successfully built 4f406abeaab7 Successfully tagged myweb:v1 [root@node1 aaa]#
提示:可以看到在我們的dockerfile中並沒有寫 RUN yum install -y httpd ,但build時卻執行了 yum install -y httpd ;這是因為onbuild指令被觸發了;我們可以理解為如果我們製作的鏡像有onbuild指令指定的命令,那麼該鏡像被其他dockerfile 作為基礎鏡像時(或者被其他docker FROM指令引用時)onbuild指定就會被激活,被執行;
