Docker Tips (continuously updated) - Common Docker Problems

1. Using external networks from a container in docker-compose.yml

Networks declared with external: true must already exist (created with docker network create, or by another compose project, which is where a name like mysql_default comes from); compose does not create them and fails if they are missing. A debugging container like the one below gets the same reach on mysql_default and proxy-net as the services that live there, so remove it when you are done.

version: "3.7"
services:
    alpine-gdb:
        build: .
        image: alpine:gdb
        container_name: "alpine-gdb"
        entrypoint: ["tail", "-f", "/dev/null"]
        volumes:
            - .:/data/
        #network_mode: "bridge"
        networks:
            - mysql_default
            - proxy-net
            - gdb
networks:
    gdb:
    mysql_default:
        external: true
    proxy-net:
        external: true

2. Docker installation issues - networking on Mac

2.1. Known limitations

  1. There is no docker0 bridge on macOS
  2. The macOS host cannot ping container IPs
  3. The macOS host cannot reach the Docker (Linux VM) bridge network

2.2. Workarounds

// Container => macOS host: special names resolved by Docker Desktop
ping host.docker.internal # the host
ping gateway.docker.internal # the gateway

// Host => container: publish ports
// -p HOST:CONTAINER binds 0.0.0.0 on the host; use -p 127.0.0.1:80:80 when only local access is wanted
$ docker run -d -p 80:80 --name webserver nginx
// -P publishes every EXPOSEd port on a random high host port, also on all interfaces
$ docker run -d -P --name webserver nginx

3. Changing DNS

$ docker run -it --rm --dns=223.5.5.5 --dns=223.6.6.6 centos:perf-tools /bin/bash
[root@ea0ac0fcd834 /]# cat /etc/resolv.conf
nameserver 223.5.5.5
nameserver 223.6.6.6

// Editing the file inside the container does not take effect: Docker writes
// /etc/resolv.conf when the container starts, so the edit is lost on restart, and
// on a user-defined network it replaces the embedded DNS server (127.0.0.11), which
// breaks resolution of other containers' names. Use --dns (above) or the "dns" key
// in /etc/docker/daemon.json instead.
echo "$(sed '2,$c nameserver 223.5.5.5\nnameserver 223.6.6.6' /etc/resolv.conf)" > /etc/resolv.conf

4. perf cannot be used inside a container

┌─Error:─────────────────────────────────────────────────────────────────┐
│No permission to enable cycles event.                                   │
│                                                                        │
│You may not have permission to collect system-wide stats.               │
│                                                                        │
│Consider tweaking /proc/sys/kernel/perf_event_paranoid,                 │
│which controls use of the performance events system by                  │
│unprivileged users (without CAP_SYS_ADMIN).                             │
│                                                                        │
│The current value is 3:                                                 │
│                                                                        │
│  -1: Allow use of (almost) all events by all users                     │
│      Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK │
│>= 0: Disallow ftrace function tracepoint by users without CAP_SYS_ADMIN│
│      Disallow raw tracepoint access by users without CAP_SYS_ADMIN     │
│>= 1: Disallow CPU event access by users without CAP_SYS_ADMIN          │
│>= 2: Disallow kernel profiling by users without CAP_SYS_ADMIN          │
│                                                                        │
│To make this setting permanent, edit /etc/sysctl.conf too, e.g.:        │
│                                                                        │
│  kernel.perf_event_paranoid = -1                                       │
│                                                                        │
│                                                                        │
│                                                                        │
│Press any key...                                                        │
└────────────────────────────────────────────────────────────────────────┘

Cause: the perf_event_open syscall is refused. Two gates are involved: Docker's default seccomp profile denies the syscall unless the container holds CAP_PERFMON or CAP_SYS_ADMIN, and the host's kernel.perf_event_paranoid (3 here, the most restrictive level, which comes from the Debian/Ubuntu kernel patch rather than upstream) blocks callers without that capability. The usual ways to get perf running in the container are:

4.1. Fix 1: run the container with --privileged and change the sysctl

// --privileged Give extended privileges to this container
docker run -it --rm --name some-centos --privileged --dns=223.5.5.5 --dns=223.6.6.6 centos:perf-tools /bin/bash
// Change the kernel setting from inside. kernel.kptr_restrict (like
// perf_event_paranoid) is not namespaced, so this changes it for the whole host,
// and --privileged hands the container every capability and an unfiltered
// syscall table; treat this as a last resort on a development machine.
sysctl kernel.kptr_restrict=0

4.2. Fix 2: pass the sysctl to the container

// --sysctl map Sysctl options (default map[])
kernel.perf_event_paranoid = -1

This looks like the obvious place for it, but docker run --sysctl accepts only namespaced keys (kernel.msg*, kernel.sem, kernel.shm*, fs.mqueue.*, net.*) and rejects kernel.perf_event_paranoid as not allowed. The value has to be set on the host itself (sysctl -w, or /etc/sysctl.conf as the perf message suggests), and -1 opens all events to every user on that host; 1 is enough for profiling your own processes. If the container is instead granted CAP_PERFMON or CAP_SYS_ADMIN, the sysctl can stay untouched, because the kernel skips the paranoid checks for capable callers.
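A least-privilege alternative to both fixes above, added here as an example rather than taken from the page: a small POSIX sh helper that picks the capability perf needs instead of --privileged, and reports whether kernel symbols will resolve. It assumes Docker 20.10 or newer (whose default seccomp profile admits perf_event_open for a container holding CAP_PERFMON or CAP_SYS_ADMIN), a host kernel with CAP_PERFMON (5.8 and later; older kernels get CAP_SYS_ADMIN), and that a capable caller bypasses perf_event_paranoid, which is the upstream behaviour; a distribution kernel carrying the level-3 patch may still insist on CAP_SYS_ADMIN, in which case swap PERFMON for SYS_ADMIN. The function names are my own.

```shell
# Added example, not code from the original page: choose least-privilege
# `docker run` flags for perf instead of --privileged.
#
# Assumptions (none of these are stated on the page):
#   * Docker 20.10+ default seccomp profile: perf_event_open is allowed once the
#     container holds CAP_PERFMON (or CAP_SYS_ADMIN); without it the syscall is
#     refused whatever perf_event_paranoid says.
#   * CAP_PERFMON exists since Linux 5.8; older kernels only have CAP_SYS_ADMIN.
#   * With the capability the kernel skips the perf_event_paranoid checks, so the
#     host sysctl can stay as it is. It is not namespaced anyway: `docker run
#     --sysctl` rejects it, and writing it from a --privileged container changes
#     the host for everyone.
#   * kernel.kptr_restrict (also host-wide) zeroes /proc/kallsyms addresses for
#     callers without CAP_SYSLOG at level 1, and for everyone at level 2, so
#     kernel stacks come out unresolved.

# perf_cap <uname -r output>  -> "PERFMON" on 5.8+, else "SYS_ADMIN"
perf_cap() {
    rel=$1
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}      # drop suffixes such as "-rc1"
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; }; then
        echo PERFMON
    else
        echo SYS_ADMIN
    fi
}

# perf_run_flags <kptr_restrict value> <uname -r output>
# Line 1: flags to append to `docker run`.
# Line 2: "kallsyms: visible" or "kallsyms: hidden", i.e. whether kernel
#         symbols will resolve in perf report.
perf_run_flags() {
    kptr=$1
    cap=$(perf_cap "$2")
    flags="--cap-add=$cap"
    if [ "$kptr" -eq 1 ]; then
        flags="$flags --cap-add=SYSLOG"   # enough to read real kallsyms addresses
        sym="kallsyms: visible"
    elif [ "$kptr" -ge 2 ]; then
        sym="kallsyms: hidden"            # only kptr_restrict=0 on the host helps
    else
        sym="kallsyms: visible"
    fi
    printf '%s\n%s\n' "$flags" "$sym"
}

# Typical use on the host:
#   docker run -it --rm \
#       $(perf_run_flags "$(cat /proc/sys/kernel/kptr_restrict)" "$(uname -r)" | head -n1) \
#       centos:perf-tools /bin/bash
```

Paste the first output line into docker run and leave kernel.perf_event_paranoid alone; if the second line says hidden, kernel frames will show up as raw addresses until kptr_restrict is lowered on the host.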

5. strace problems

strace: attach: ptrace(PTRACE_ATTACH, ...): Operation not permitted

Cause: attaching to a running process (strace -p) needs CAP_SYS_PTRACE once the host has Yama ptrace_scope set to 1 or higher (Ubuntu's default), which forbids tracing anything but your own descendants without it; on kernels older than 4.8 Docker's default seccomp profile additionally blocks the ptrace syscall. Section 12 shows how to grant the capability.

6. ping tool (Debian/Ubuntu-based images)

apt-get update
apt-get install iputils-ping

7. C build environment (Alpine)

apk update && apk add build-base autoconf

8. YUM warnings

8.1. Aliyun yum mirror warnings inside Docker (the repo lists several baseurl mirrors)

Determining fastest mirrors
 * base: mirrors.aliyuncs.com
 * extras: mirrors.aliyuncs.com
 * updates: mirrors.aliyuncs.com
http://mirrors.aliyuncs.com/centos/7/os/x86_64/repodata/repomd.xml: [Errno 14] curl#52 - "Empty reply from server"
Trying other mirror.
http://mirrors.cloud.aliyuncs.com/centos/7/os/x86_64/repodata/6614b3605d961a4aaec45d74ac4e5e713e517debb3ee454a1c91097955780697-primary.sqlite.bz2: [Errno 14] curl#6 - "Could not resolve host: mirrors.cloud.aliyuncs.com; Unknown error"
Trying other mirror.

Cause: the Aliyun repo file lists three mirrors for each repository:
[base]
name=CentOS-$releasever - Base - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/os/$basearch/
        http://mirrors.aliyuncs.com/centos/$releasever/os/$basearch/
        http://mirrors.cloud.aliyuncs.com/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7

man yum.conf confirms that several URLs inside one baseurl statement, which is what the Aliyun file does, is the supported form; what it warns against is repeating the baseurl= key:

baseurl Must be a URL to the directory where the yum repository's `repodata' directory lives. Can be an http://, ftp:// or file:// URL. You can specify multiple URLs in one baseurl statement. The best way to do this is like this:
[repositoryid]
name=Some name for this repository
baseurl=url://server1/path/to/repository/
      url://server2/path/to/repository/
      url://server3/path/to/repository/

If you list more than one baseurl= statement in a repository you will find yum will ignore the earlier ones and probably act bizarrely. Don't do this, you've been warned.

So the syntax is fine. The noise comes from yum walking the list (the fastestmirror plugin reorders it, failovermethod=priority falls through on error): mirrors.aliyuncs.com and mirrors.cloud.aliyuncs.com are Alibaba Cloud intranet mirrors (classic network and VPC respectively) that cannot be reached from a container outside the cloud, which is exactly the empty reply and the DNS failure in the log above. Outside Alibaba Cloud, keep only the mirrors.aliyun.com URL.

8.2. Signing key not imported (NOKEY)

warning: /var/cache/yum/x86_64/7/base/packages/bash-completion-2.1-6.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY

The package is signed; NOKEY means the CentOS 7 signing key (f4a80eb5) is not in the rpm keyring yet. With gpgcheck=1 yum fetches it from the gpgkey= URL in the repo file and asks before importing it (automatically with -y), after which the warning goes away. For non-interactive builds import it up front with rpm --import and that gpgkey URL; do not silence the warning with gpgcheck=0, which turns verification off entirely.
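To act on 8.1 and 8.2 together, an added example (not from the page): a POSIX sh helper that strips the intranet-only continuation URLs from a repo file and checks that signature verification stays on. It assumes the Aliyun layout shown above (public mirror on the baseurl= line, intranet mirrors on the indented continuation lines) and that *.aliyuncs.com hosts are unreachable from outside Alibaba Cloud; the sample repo file written by sample_repo is constructed for this example, and the function names are my own.

```shell
# Added example, not code from the original page.
# Assumptions: Aliyun's CentOS-Base.repo layout (public URL on the baseurl=
# line, *.aliyuncs.com intranet mirrors on indented continuation lines), and
# those intranet hosts being unreachable from outside Alibaba Cloud.

# keep_public_mirrors <repo-file>
# Prints the file with continuation lines that point at *.aliyuncs.com removed.
# The first URL stays on the baseurl= line itself, so the statement stays valid
# and yum no longer fails over to hosts it cannot reach.
keep_public_mirrors() {
    grep -Ev '^[[:space:]]+https?://[^/]*\.aliyuncs\.com/' "$1"
}

# check_gpg <repo-file>  -> 0 if signature checking is on and never disabled
# A NOKEY warning is fixed by importing the key from gpgkey=, not by gpgcheck=0.
check_gpg() {
    grep -Eq '^gpgcheck=1' "$1" && ! grep -Eq '^gpgcheck=0' "$1"
}

# sample_repo <file>: writes a constructed copy of the [base] section from the
# page, so the helpers can be tried without touching /etc/yum.repos.d.
sample_repo() {
    cat > "$1" <<'EOF'
[base]
name=CentOS-$releasever - Base - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/os/$basearch/
        http://mirrors.aliyuncs.com/centos/$releasever/os/$basearch/
        http://mirrors.cloud.aliyuncs.com/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
EOF
}

# Real use in a Dockerfile RUN step (paths are the standard CentOS 7 ones):
#   keep_public_mirrors /etc/yum.repos.d/CentOS-Base.repo > /tmp/base.repo \
#     && check_gpg /tmp/base.repo \
#     && mv /tmp/base.repo /etc/yum.repos.d/CentOS-Base.repo
```

check_gpg is deliberately a separate gate so a rewrite that accidentally drops or flips gpgcheck fails the build instead of producing an image that installs unverified packages.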

9. Docker commands

9.1. Image search

// List images whose reference matches a pattern
$ docker images -f reference="tkstorm*"
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
tkstorm_webx        latest              d5eba30216c8        2 days ago          17.7MB
tkstorm_phpfpmx     latest              0856f58e9335        2 days ago          282MB

9.2. List container names

docker ps --format "{{.Names}}"

10. Alpine: Aliyun mirror

Switching the mirror does not weaken integrity: apk verifies the signed APKINDEX and every package against the keys in /etc/apk/keys, so a mirror can serve stale content but not tampered packages. --no-cache keeps the index and package cache out of the image layer.

sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g' /etc/apk/repositories && \
    apk update && apk add --no-cache git curl tcpdump

11. envsubst in a compose command

Reference: https://github.com/docker-library/docs/issues/496

command: /bin/sh -c "envsubst '$$NGINX_HOST $$NGINX_PORT' < /data/www/frontend/ngx.tmpl > /etc/nginx/conf.d/default.conf && exec nginx -g 'daemon off;'"

Two things are going on. Compose performs its own $VARIABLE interpolation on the file, so $$ is needed to hand a literal $ through to the shell. And the quoted list limits envsubst to those two variables; run without it, envsubst replaces every $name in the template, including nginx's own $host, $uri and $remote_addr, with empty strings, and the generated config is silently wrong.
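The two behaviours above, as an added example that is not part of the page or the linked issue: a POSIX sh helper that renders a constructed nginx template with the restricted variable list, next to the unrestricted call that shows the failure. It assumes GNU envsubst (from gettext) is installed; NGINX_HOST and NGINX_PORT are the page's variable names, while the template and the function names are made up for the example. Note the single $ here: the $$ doubling is only needed inside a compose file.

```shell
# Added example, not code from the original page or the linked issue.
# Assumes GNU envsubst (gettext). The template is constructed for the example;
# the page's real one lives at /data/www/frontend/ngx.tmpl.

# render <template> <host> <port>
# Only $NGINX_HOST and $NGINX_PORT are replaced; nginx's own $host, $uri, ...
# are left for nginx to evaluate at request time.
render() {
    NGINX_HOST=$2 NGINX_PORT=$3 envsubst '$NGINX_HOST $NGINX_PORT' < "$1"
}

# render_unrestricted <template> <host> <port>
# The failure mode: with no variable list envsubst replaces every $name it
# sees, so $host and $uri become empty strings and the redirect target is lost.
render_unrestricted() {
    NGINX_HOST=$2 NGINX_PORT=$3 envsubst < "$1"
}

# make_template <file>: writes the constructed template used below.
make_template() {
    cat > "$1" <<'EOF'
server {
    listen ${NGINX_PORT};
    server_name ${NGINX_HOST};
    location / {
        return 301 https://$host$uri;
    }
}
EOF
}

# Try it:
#   t=$(mktemp); make_template "$t"
#   render "$t" example.test 8080               # keeps "https://$host$uri;"
#   render_unrestricted "$t" example.test 8080  # yields "https://;"
```

Because the broken output is still syntactically valid nginx config, nginx -t will not catch it; checking that the rendered file still contains the nginx variables you expect is the only reliable guard.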

12. Granting capabilities to a container

cap_add gives the container one extra capability (here CAP_SYS_PTRACE, which fixes the strace error in section 5). security_opt seccomp:unconfined goes much further: it removes Docker's default syscall filter altogether. On kernels 4.8 and newer the default profile already allows ptrace, so cap_add on its own is normally enough and the unconfined line should be left out.

version: "3.7"
services:
    nginx:
        cap_add:
            - SYS_PTRACE
        security_opt:
            - seccomp:unconfined
...
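The strace failure in section 5 and the compose fragment above, as an added example that is not from the page: the page's settings next to a tighter version. It assumes Docker's default seccomp profile (which permits ptrace on kernels 4.8 and newer) and a host with Yama ptrace_scope set to 1 (Ubuntu's default); the image name is the page's nginx.

```yaml
version: "3.7"
services:
    nginx:
        image: nginx
        # Page's version: works, but seccomp:unconfined drops the whole
        # syscall filter for this container, not just the ptrace rule.
        #
        # cap_add:
        #     - SYS_PTRACE
        # security_opt:
        #     - seccomp:unconfined
        #
        # Tighter version: CAP_SYS_PTRACE is what Yama ptrace_scope=1 demands
        # for PTRACE_ATTACH on a process that is not your descendant. Docker's
        # default seccomp profile already allows the ptrace syscall on kernels
        # >= 4.8, so it stays in force; only an older kernel needs a custom
        # profile (or unconfined) on top.
        cap_add:
            - SYS_PTRACE
```

Verify from inside with docker compose exec nginx sh, then grep CapEff /proc/self/status (bit 19 set for CAP_SYS_PTRACE) before trying strace -p again; if attach still fails, check the host's kernel version and kernel.yama.ptrace_scope before reaching for seccomp:unconfined.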