About

Docker is an open-source platform for developing, shipping and running applications. It packages an application together with its dependencies into a portable container that runs in any environment with Docker support. A container is a lightweight, self-contained runtime environment holding the application and everything it depends on, so the application behaves the same across environments. Note that containers share the host kernel: isolation comes from kernel namespaces, cgroups and capabilities, not from a separate kernel as with a virtual machine.

Docker Compose is a tool for defining and running multi-container Docker applications. In a single docker-compose.yml file you declare the application's services, networks and volumes, then bring the whole application up with one docker-compose command.
Compose thus simplifies managing multi-container applications: the entire architecture is described declaratively in one set of configuration and started, stopped and managed with single commands.

Installing Docker

1. Install the prerequisite packages (gnupg is needed for gpg --dearmor in the next step, lsb-release for lsb_release):

apt update
apt install -y apt-transport-https ca-certificates curl gnupg lsb-release software-properties-common

2. Add Docker's GPG key and apt repository (signed-by= restricts the key to this repository only, so a compromise of it cannot sign packages for other sources)

curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

echo "deb [signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list

3. Install

apt update
apt install -y docker-ce docker-ce-cli containerd.io

4. Check the service

systemctl list-unit-files --type=service --state=enabled
systemctl enable docker

systemctl status docker
systemctl start docker
docker --version

Installing Docker Compose

The standalone binary can be fetched from GitHub. Current releases name the asset docker-compose-linux-<arch> in lowercase, so $(uname -s), which prints "Linux", does not match the asset name; use -f so that an HTTP error is not saved as the "binary", and prefer a pinned release whose checksum you verify against the release's published checksum list over latest:

curl -fL "https://github.com/docker/compose/releases/latest/download/docker-compose-linux-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose --version

The repository added in step 2 also provides the docker-compose-plugin package (apt install docker-compose-plugin), which installs Compose v2 as the docker compose subcommand and is updated and signature-checked together with the engine.
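Both download steps above trust a TLS connection alone. The helpers below, added here as an example (not from the page or from Docker), pin the apt key's fingerprint and check the standalone Compose binary against the release's checksum list before installing it. Assumptions: the dearmored key from step 2 is at the path below, the fingerprint in DOCKER_KEY_FPR is the one Docker's install documentation publishes (confirm it there), and the release ships assets named docker-compose-linux-<arch> plus a checksums.txt in sha256sum format.

```shell
#!/bin/sh
# Added example, not from the original page or from Docker: pin the apt key's
# fingerprint and verify the standalone Compose binary before installing it.
# Assumptions: the dearmored key from step 2 is at the path below, the release
# ships assets named docker-compose-linux-<arch> and a checksums.txt in
# "sha256sum" format ("<hex>  <asset>" per line).
set -eu

KEYRING=/usr/share/keyrings/docker-archive-keyring.gpg
# Fingerprint of "Docker Release (CE deb)" as printed in Docker's install docs
# at the time of writing; confirm it against the docs, not against this file.
DOCKER_KEY_FPR=9DC858229FC7DD38854AE2D88D81803C0EBFCD88

# Succeed only if the keyring contains a key with the expected fingerprint.
# HTTPS alone proves you talked to download.docker.com; the pin proves you
# received the key the documentation describes.
check_keyring_fpr() {
  keyring=$1; expected=$2
  gpg --show-keys --with-colons --with-fingerprint "$keyring" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10 }' \
    | grep -qx "$expected"
}

# Compare a file's SHA-256 with its entry in a sha256sum-style list. Handles
# both "hex  name" and "hex *name" (binary-mode) lines. Returns 1 if the entry
# is missing or the digest differs.
verify_sha256() {
  asset=$1; sums=$2
  name=$(basename "$asset")
  expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1 }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sums" >&2
    return 1
  fi
  actual=$(sha256sum "$asset" | awk '{ print $1 }')
  [ "$actual" = "$expected" ]
}

# Download a pinned Compose release (e.g. v2.24.0) and its checksum list,
# verify, then install. -f makes curl fail on HTTP errors instead of saving
# an error page under the binary's name.
install_compose() {
  ver=$1
  asset="docker-compose-linux-$(uname -m)"
  base="https://github.com/docker/compose/releases/download/$ver"
  tmp=$(mktemp -d)
  curl -fsSL "$base/$asset" -o "$tmp/$asset"
  curl -fsSL "$base/checksums.txt" -o "$tmp/checksums.txt"
  verify_sha256 "$tmp/$asset" "$tmp/checksums.txt" || {
    echo "checksum mismatch for $asset, not installing" >&2
    rm -rf "$tmp"; return 1
  }
  install -m 0755 "$tmp/$asset" /usr/local/bin/docker-compose
  rm -rf "$tmp"
  docker-compose --version
}

# Script usage: sh verify-docker-install.sh v2.24.0
if [ -n "${1:-}" ]; then
  check_keyring_fpr "$KEYRING" "$DOCKER_KEY_FPR" || {
    echo "unexpected key fingerprint in $KEYRING" >&2; exit 1
  }
  install_compose "$1"
fi
```

The checksum list is fetched from the same origin as the binary, so it protects against a corrupted or swapped download but not against a compromised release; the fingerprint pin is the stronger of the two checks because the expected value comes from a second source (the documentation) rather than from the download itself.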

Deploying a containerised application

1. Write the docker-compose.yml file (example only: it uses unpinned latest tags, an inline database password and a port published on every host interface, all of which should be tightened before real use; Compose v2 ignores the version key)

version: '3'
services:
  web:
    image: nginx:latest
  db:
    image: postgres:latest
    environment:
      POSTGRES_PASSWORD: examplepassword
  app:
    image: mycustomapp:latest
    ports:
      - "8080:80"
    depends_on:
      - db

2. Start the containers

docker-compose -f /path/to/your/docker-compose.yml up -d

3. Check the containers' status (pass the same -f, or run from the file's directory, otherwise Compose looks for a docker-compose.yml in the current directory)

docker-compose -f /path/to/your/docker-compose.yml ps
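The example file above has three weaknesses a review would flag: every image is :latest (whatever was pushed last gets deployed), the database password sits in the YAML, and "8080:80" publishes the app on every host interface. The following added example (not from the page; mycustomapp is the page's hypothetical image and the version tags are illustrative) writes a tightened variant with a root-only secret file, and a small pre-deploy lint that catches those three patterns in any compose file.

```shell
#!/bin/sh
# Added example, not part of the original page: write a tightened version of
# the compose file above and lint any compose file for three weak patterns.
# Assumptions: image tags are illustrative (pin the exact version or digest you
# verified); "mycustomapp" is the page's hypothetical image; Compose v2, which
# mounts file-backed secrets at /run/secrets/<name> and ignores "version:".
set -eu

# Create <dir>/docker-compose.yml and a root-only secret file next to it.
write_hardened_compose() {
  dir=$1
  mkdir -p "$dir/secrets"
  # Random password, written with mode 0600 and never placed in the YAML.
  if [ ! -f "$dir/secrets/db_password" ]; then
    ( umask 077; head -c 32 /dev/urandom | base64 | tr -d '\n/+=' > "$dir/secrets/db_password" )
  fi
  cat > "$dir/docker-compose.yml" <<'EOF'
services:
  web:
    image: nginx:1.25
  db:
    image: postgres:16
    environment:
      # The official postgres image reads the password from this file.
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
  app:
    image: mycustomapp:1.0.0   # hypothetical image from the page; pin yours too
    ports:
      - "127.0.0.1:8080:80"    # host-only; put a TLS reverse proxy in front
    depends_on:
      - db
    read_only: true            # add tmpfs: entries for paths the app must write
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
secrets:
  db_password:
    file: ./secrets/db_password
EOF
}

# Pre-deploy lint. Prints one line per finding (with the file's line number)
# and returns 1 if anything was found, so it can gate a deploy script.
lint_compose() {
  f=$1
  findings=$(
    # images with ":latest" or no tag at all; "@sha256:" digests count as pinned
    grep -nE '^[[:space:]]*image:' "$f" | grep -v '@sha256:' \
      | grep -E ':latest"?[[:space:]]*$|image:[[:space:]]*"?[^"[:space:]:]+"?[[:space:]]*$' \
      | sed 's/^/unpinned image    /'
    # literal secrets: PASSWORD: value or PASSWORD=value, but not ${VAR} or *_FILE
    grep -nE 'PASSWORD[[:space:]]*[:=][[:space:]]*[^[:space:]$]' "$f" \
      | sed 's/^/inline secret     /'
    # "- HOST:CONTAINER" with no host address binds 0.0.0.0; with Docker's own
    # iptables rules that traffic is forwarded, not delivered to INPUT, so a
    # host firewall that only filters INPUT never sees it
    grep -nE '^[[:space:]]*-[[:space:]]*"?[0-9]+:[0-9]+(/(tcp|udp))?"?[[:space:]]*$' "$f" \
      | sed 's/^/bound to 0.0.0.0  /'
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Usage: write_hardened_compose /srv/myapp && lint_compose /srv/myapp/docker-compose.yml
```

Run the lint on the page's original file and it reports five findings (three unpinned images, one inline secret, one unbound port); on the hardened file it reports none and exits 0, which is what a deploy script should require before docker-compose up.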

Advanced

nftables

The container network is isolated from the host network, so traffic between containers and the outside world needs port mapping and IP forwarding. By default the Docker daemon writes the required iptables rules itself, but Debian 11 ships nftables as its firewall framework: the iptables command that docker-ce pulls in is the nft-backed compatibility layer, so Docker's rules already land in nf_tables, but in their own ip filter and ip nat tables next to whatever you write in /etc/nftables.conf. The procedure below captures the rules Docker generates, translates them into native nft syntax, and then turns Docker's rule management off so that a single hand-maintained ruleset is authoritative.

sysctl net.ipv4.ip_forward                      # must be 1, or forwarded container traffic is dropped by the kernel

nano /etc/sysctl.conf
net.ipv4.ip_forward = 1

sysctl -p
systemctl start docker                          # let the daemon create its iptables chains once
iptables-save > iptables-docker.conf            # capture them while it runs; with no containers started only the base chains exist
iptables-restore-translate -f iptables-docker.conf > docker.nft   # translate the dump to nft syntax
nft flush ruleset
nft -f docker.nft
nft -s list ruleset > /etc/nftables-docker.conf # -s omits counters, giving a clean script to merge into your own ruleset
systemctl stop docker containerd

nano /etc/docker/daemon.json
{
    "iptables": false
}

nft flush ruleset

Reference ruleset (for reference only; adapt it to the host). It merges the translated Docker chains into a single inet filter table and keeps the ip nat table. Three points need checking before relying on it. First, the forward chain uses policy accept, whereas Docker's own setup sets the FORWARD policy to DROP; switch it to drop unless the host is meant to route arbitrary traffic, and then add explicit accepts for published ports in the DOCKER chain. Second, with "iptables": false Docker no longer creates DNAT rules for ports: mappings or -p, so with the empty DOCKER chains below published ports silently stop working until you add the rules yourself. Third, the rules only match docker0 and 172.17.0.0/16, i.e. the default bridge; Docker Compose puts each project on its own user-defined bridge (br-<id>, usually 172.18.0.0/16 or the next free /16), so either pin the subnet in the compose file's networks: block and add matching forward and masquerade rules, or match the interface with a wildcard such as iifname "br-*". Finally, enable nftables.service so that /etc/nftables.conf is loaded again at boot; otherwise the host comes up with no rules and Docker, now told not to manage any, adds none.
nano /etc/nftables.conf

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;
                ct state invalid drop
                ct state { established, related } accept
                iif "lo" accept
                iif != "lo" ip daddr 127.0.0.0/8 drop
                iif != "lo" ip6 daddr ::1 drop
                ip protocol icmp accept
                ip6 nexthdr ipv6-icmp accept
                tcp dport { 80, 443 } accept
                tcp dport 22 accept
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
                jump DOCKER-USER
                jump DOCKER-ISOLATION-STAGE-1
                oifname "docker0" ct state established,related accept
                oifname "docker0" jump DOCKER
                iifname "docker0" oifname != "docker0" accept
                iifname "docker0" oifname "docker0" accept
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }

        chain DOCKER {
        }

        chain DOCKER-ISOLATION-STAGE-1 {
                iifname "docker0" oifname != "docker0" jump DOCKER-ISOLATION-STAGE-2
                return
        }

        chain DOCKER-ISOLATION-STAGE-2 {
                oifname "docker0" drop
                return
        }

        chain DOCKER-USER {
                return
        }
}

table ip nat {
        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                fib daddr type local jump DOCKER
        }

        chain INPUT {
                type nat hook input priority 100; policy accept;
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                oifname != "docker0" ip saddr 172.17.0.0/16 masquerade
        }

        chain OUTPUT {
                type nat hook output priority -100; policy accept;
                ip daddr != 127.0.0.0/8 fib daddr type local jump DOCKER
        }

        chain DOCKER {
                iifname "docker0" return
        }
}
nft -f /etc/nftables.conf
systemctl start docker
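Because "iptables": false leaves the DOCKER chains above empty, every port published with ports: needs its own DNAT rule, a hairpin masquerade and a forward accept, which is exactly what Docker would otherwise add per container. The helper below, an added example that is not part of the original page or of Docker, generates those three rules using the table and chain names of the reference ruleset. It assumes the container sits on the bridge named in BRIDGE (docker0 by default; a Compose project network is br-<id>, and the reference ruleset itself then also needs forward and masquerade rules for that bridge) and that its IP is known, ideally fixed with ipv4_address in the compose file so the rules do not go stale on restart.

```shell
#!/bin/sh
# Added example (not from the original page or from Docker): generate the nft
# rules Docker would otherwise add for one published port, using the table and
# chain names of the reference ruleset above (inet filter / ip nat).
# Assumes the container is attached to the bridge in $BRIDGE (docker0 unless
# overridden; Compose project networks are br-<id>) and that its IP is known.
set -eu

BRIDGE=${BRIDGE:-docker0}

# Dotted-quad check including the 0-255 range of each octet.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

valid_port() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rules for host_port -> container_ip:container_port (tcp by default).
# Nothing is applied here: pipe the output into "nft -f -", or paste it into
# /etc/nftables.conf so it survives the next "flush ruleset".
publish_rules() {
  cip=$1; hport=$2; cport=$3; proto=${4:-tcp}
  valid_ipv4 "$cip" || { echo "bad container ip: $cip" >&2; return 1; }
  valid_port "$hport" && valid_port "$cport" || { echo "bad port: $hport/$cport" >&2; return 1; }
  case $proto in tcp|udp) ;; *) echo "proto must be tcp or udp" >&2; return 1 ;; esac
  # 1. DNAT in the nat DOCKER chain, reached from PREROUTING/OUTPUT for local daddr
  printf 'add rule ip nat DOCKER iifname != "%s" %s dport %s dnat to %s:%s\n' \
    "$BRIDGE" "$proto" "$hport" "$cip" "$cport"
  # 2. hairpin: the container reaching its own published port via the host address
  printf 'add rule ip nat POSTROUTING ip saddr %s ip daddr %s %s dport %s masquerade\n' \
    "$cip" "$cip" "$proto" "$cport"
  # 3. let the DNATed packet through the forward chain (required once its policy is drop)
  printf 'add rule inet filter DOCKER iifname != "%s" oifname "%s" ip daddr %s %s dport %s accept\n' \
    "$BRIDGE" "$BRIDGE" "$cip" "$proto" "$cport"
}

# Address of a running container on its first network (the daemon must be up).
container_ip() {
  docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"
}

# publish_apply <container> <host_port> <container_port> [tcp|udp]
publish_apply() {
  publish_rules "$(container_ip "$1")" "$2" "$3" "${4:-tcp}" | nft -f -
}

# Script usage: sh publish.sh <container> <host_port> <container_port> [proto]
if [ "$#" -ge 3 ]; then
  publish_apply "$@"
fi
```

The generated rules mirror what docker inspect would show Docker adding through iptables for the same mapping, so you can diff them against a host that still has "iptables": true to confirm the translation. Rules added with nft add rule live only in the running kernel; to keep them across a reload or reboot, append the same add rule lines to /etc/nftables.conf, which is also why fixing the container address matters.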