标签:Daemon run sock var docker Docker
1、为什么有的容器里面会带有数据卷参数/var/run/docker.sock
在创建docker容器时,有时会用到/var/run/docker.sock这样的数据卷参数,例如fluentbit-operator initContainers容器的数据卷参数带有/var/run/docker.sock:
initContainers:
- command:
- /bin/sh
- -c
- set -ex; echo DOCKER_ROOT_DIR=$(docker info -f {{.DockerRootDir}}) > /fluentbit-operator/fluent-bit.env
image: docker:19.03
imagePullPolicy: IfNotPresent
name: setenv
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /fluentbit-operator
name: env
- mountPath: /var/run/docker.sock
name: dockersock
readOnly: true
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: fluentbit-operator
serviceAccountName: fluentbit-operator
terminationGracePeriodSeconds: 30
volumes:
- emptyDir: {}
name: env
- hostPath:
path: /var/run/docker.sock
type: ""
name: dockersock
本文主要介绍数据卷参数/var/run/docker.sock的作用。
2、Docker架构
搞清楚/var/run/docker.sock参数的前提是了解docker的client+server架构,如下是执行docker version命令的结果:
[root@node1 ~]# docker version Client: Docker Engine - Community Version: 20.10.12 API version: 1.41 Go version: go1.16.12 Git commit: e91ed57 Built: Mon Dec 13 11:45:41 2021 OS/Arch: linux/amd64 Context: default Experimental: true Server: Docker Engine - Community Engine: Version: 20.10.12 API version: 1.41 (minimum version 1.12) Go version: go1.16.12 Git commit: 459d0df Built: Mon Dec 13 11:44:05 2021 OS/Arch: linux/amd64 Experimental: false containerd: Version: 1.4.13 GitCommit: 9cc61520f4cd876b86e77edfeb88fbcd536d1f9d runc: Version: 1.0.3 GitCommit: v1.0.3-0-gf46b6ba docker-init: Version: 0.19.0 GitCommit: de40ad0
可见在服务器上运行的docker由client和server组成,我们输入docker version命令实际上是通过客户端将请求发送到同一台服务器上的Doceker Daemon服务,由Docker Daemon返回信息,客户端收到信息后展示在控制台上,docker的架构图如下:
3、Docker的/var/run/docker.sock参数配置
官方地址:https://docs.docker.com/engine/reference/commandline/dockerd/#description
Daemon socket option The Docker daemon can listen for Docker Engine API requests via three different types of Socket: unix, tcp, and fd. By default, a unix domain socket (or IPC socket) is created at /var/run/docker.sock, requiring either root permission, or docker group membership. ......
可见daemon默认监听的是/var/run/docker.sock这个文件,所以docker客户端只要把请求发往这里,daemon就能收到并且做出响应。
按照上面的解释来推理:我们也可以向/var/run/docker.sock发送请求,也能达到docker ps、docker images这样的效果。
4、向Docker Daemon发送请求
为了验证Docker Daemon可以通过/var/run/docker.sock接收请求,我们用curl命令来验证。
1)执行命令查看当前服务器有哪些镜像:
curl -s --unix-socket /var/run/docker.sock http:/images/json
此命令可以直接发http请求到Docker Daemon,获取本地镜像列表,等同于在服务器上执行docker images命令,收到的响应是JSON,格式化后如下所示,可见通过/var/run/docker.sock向Docker Daemon发送请求是没有问题的:
{
"alert": {
"alert_name": "gdfgfdfg"
},
"resource_filter": {
"resource_type": "node",
"rs_type_id": "rst-3m8ZmxVylG90",
"rs_filter_param": "{\"node_id\":\"pansoft-manage-uat-107\"}",
"_nodes": [
"pansoft-manage-uat-107"
],
"_type": "node"
},
"policy": {
"creator": "admin",
"rs_type_id": "rst-3m8ZmxVylG90",
"policy_name": "",
"policy_description": "",
"policy_config": "{\"critical\":{\"repeat_type\":\"fixed-minutes\",\"repeat_interval_initvalue\":30,\"max_send_count\":2147483648},\"major\":{\"repeat_type\":\"fixed-minutes\",\"repeat_interval_initvalue\":120,\"max_send_count\":5},\"minor\":{\"repeat_type\":\"not-repeat\",\"repeat_interval_initvalue\":0,\"max_send_count\":1}}",
"available_start_time": "00:00:00",
"available_end_time": "23:59:00",
"language": "zh"
},
"rules": [
{
"rule_name": "容器组异常率",
"_config": {
"monitor_periods": 15,
"consecutive_count": 3,
"condition_type": ">",
"thresholds": "90",
"severity": "critical",
"unit": "%",
"_metricType": "node_pod_abnormal_ratio"
},
"monitor_periods": 15,
"consecutive_count": 3,
"condition_type": ">",
"thresholds": "90",
"severity": "critical",
"unit": "%",
"_metricType": "node_pod_abnormal_ratio",
"metric_id": "mt-lgGwk9n1XYlx"
}
],
"action": {
"action_name": "adl-PK2WWL66XRJn",
"nf_address_list_id": "adl-PK2WWL66XRJn"
}
}
2)执行以下命令,可以直接发http请求到Docker Daemon,获取运行中的容器列表,等同于docker ps:
curl -s --unix-socket /var/run/docker.sock http:/containers/json
收到的响应是JSON,格式化后如下所示:
[{
"Id": "fa3fd1993f864ccd695d50f157883fd1ae948b91bad1ab96da891c73584104d2",
"Names": ["/es_admin"],
"Image": "mobz/elasticsearch-head:5",
"ImageID": "sha256:b19a5c98e43bb87849b71f4389b9ed373f63e8c1fe0fabe2ac5a137497425db2",
"Command": "/bin/sh -c 'grunt server'",
"Created": 1622549687,
"Ports": [{
"IP": "0.0.0.0",
"PrivatePort": 9100,
"PublicPort": 9100,
"Type": "tcp"
}],
"Labels": {},
"State": "running",
"Status": "Up 5 seconds",
"HostConfig": {
"NetworkMode": "default"
},
"NetworkSettings": {
"Networks": {
"bridge": {
"IPAMConfig": null,
"Links": null,
"Aliases": null,
"NetworkID": "a7499f080f7060c80ec68c66e347326df547817bed12f0317e602ec060d75098",
"EndpointID": "6c29c0bb92596e91e20595dc075e5453515b6aec142fc677d50666cffa2d83bd",
"Gateway": "172.17.0.1",
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:11:00:02",
"DriverOpts": null
}
}
},
"Mounts": []
}]
更多与Docker Daemon交互的请求信息请参考官方文档:https://docs.docker.com/engine/api/v1.39 。
至此,我们对docker的client、server架构有了清楚的认识:Docker Daemon相当于一个server,监听来自/var/run/docker.sock的请求,然后做出各种响应,例如返回镜像列表,创建容器。
5、总结
再回到文章开篇处的问题,启动容器时的数据卷参数"/var/run/docker.sock:/var/run/docker.sock"有什么用?
宿主机的/var/run/docker.sock被映射到了容器内,有以下两个作用:
- 在容器内只要向/var/run/docker.sock发送http请求就能和Docker Daemon通信了,可以做的事情前面已经试过了,官方提供的API文档中有详细说明,镜像列表、容器列表这些统统不在话下;
- 如果容器内有docker二进制文件,那么在容器内执行docker ps、docker port这些命令,和在宿主机上执行的效果是一样的,虽然容器内和宿主机上的docker二进制可能不同,但是他们的请求发往的是同一个Docker Daemon;
基于以上结论,开篇问题中的fluentbit-operator initContainers这个容器(使用镜像docker:19.03,通过此镜像可以使用docker客户端命令)用到了数据卷参数/var/run/docker.sock,通过此参数在容器内执行docker相关命令,即执行如下命令查询当前服务器的docker数据盘路径:
docker info -f {{.DockerRootDir}}
参考:https://blog.csdn.net/boling_cavalry/article/details/92846483
标签:Daemon,run,sock,var,docker,Docker 来源: https://www.cnblogs.com/zhangmingcheng/p/16420449.html
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。