Docker Common Problems
Running docker as a non-root user
sudo gpasswd -a ${USER} docker
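Restart the terminal or the host so that the new group membership takes effect. Members of the docker group can control the Docker daemon, which is equivalent to root access on the host.
Changing docker's default subnet
By default, docker uses the address range 172.17.0.0/16. This sometimes conflicts with other networks, so the address of the default docker0 bridge needs to be changed.
[root@localhost ~]# sudo tee /etc/docker/daemon.json << ERIC
{
  "bip": "162.17.0.1/16",
  "fixed-cidr": "162.17.0.0/16"
}
ERIC
[root@localhost ~]# sudo systemctl restart docker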
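A pre-flight check for the bridge range, as an added example that is not part of the original post: it rejects a candidate that lies outside the RFC 1918 private blocks (as 162.17.0.0/16 does, which makes real hosts in that range unreachable from containers) or that overlaps a network the host already routes. The function names are illustrative, and the route list is passed in as arguments.

```shell
#!/bin/sh
# Added example: check a candidate docker0 range before writing it to
# /etc/docker/daemon.json. Function names are illustrative, not Docker tooling.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# "a.b.c.d/n" -> "first last" addresses of the network, as integers.
cidr_range() {
    size=$(( 1 << (32 - ${1#*/}) ))
    first=$(( $(ip_to_int "${1%/*}") / size * size ))   # clear the host bits
    echo "$first $(( first + size - 1 ))"
}

# True when network $1 lies completely inside network $2.
cidr_within() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -ge "$3" ] && [ "$2" -le "$4" ]
}

# True when networks $1 and $2 share at least one address.
cidr_overlaps() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# $1 = candidate "bip"; remaining arguments = networks the host already routes.
# Prints "public", "conflict:<net>" or "ok".
check_bridge_cidr() {
    cand=$1; shift
    private=no
    for block in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do   # RFC 1918
        if cidr_within "$cand" "$block"; then private=yes; fi
    done
    [ "$private" = yes ] || { echo "public"; return 1; }
    for net in "$@"; do
        if cidr_overlaps "$cand" "$net"; then echo "conflict:$net"; return 2; fi
    done
    echo "ok"
}

# On a real host the routed networks can come from the routing table:
#   check_bridge_cidr 10.200.0.1/24 $(ip -4 route | awk '$1 ~ "/" {print $1}')
```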
Checking the IP
## Check the docker0 IP
[root@localhost ~]# ip a show docker0
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:71:ed:02:e0 brd ff:ff:ff:ff:ff:ff
    inet 162.17.0.1/16 brd 162.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
## List the docker networks
[root@localhost ~]# docker network ls
NETWORK ID     NAME              DRIVER    SCOPE
c295de3ea8b6   bridge            bridge    local
b9d0558462de   grafana_default   bridge    local
5ae034fa180e   host              host      local
e7a9b37db757   none              null      local
## Check the bridge IP
[root@localhost ~]# docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "c295de3ea8b6f61080240d3d923ecee2c6d57b32f94594778f715e502643e702",
        "Created": "2023-09-25T16:28:15.367859557+08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "162.17.0.0/16",
                    "Gateway": "162.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]
If a container's network does not use the default bridge (for example, under docker-compose), the bridge must be specified manually:
version: '3.6'
services:
  nginx:
    image: nginx:1.21.1
    container_name: nginx
    hostname: nginx
    restart: always
    ports:
      - 9090:9090
    # Explicitly specify the bridge
    network_mode: bridge
Pulling images with docker
x509: certificate signed by unknown authority
docker pull nginx
Using default tag: latest
Error response from daemon: Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority
Cause
The host cannot reach the external network, so this exception is thrown. The reason is that my host cannot access the internet, so I used a self-hosted proxy server. My HTTP proxy server address is 172.16.15.205:8888.
I tried the following 3 approaches; only the last one actually worked:
Configuring the registry mirror file
cat > /etc/docker/daemon.json << ERIC
{
  "registry-mirrors": [
    "https://registry.cn-hangzhou.aliyuncs.com"
  ]
}
ERIC
systemctl daemon-reload && systemctl restart docker
This approach does not work at all
Configuring the docker client proxy file
cat > ~/.docker/config.json << ERIC
{
  "proxies": {
    "default": {
      "httpProxy": "172.16.15.205:8888",
      "httpsProxy": "172.16.15.205:8888",
      "noProxy": "127.0.0.0/8"
    }
  }
}
ERIC
systemctl daemon-reload && systemctl restart docker
This approach does not work either
Modifying the docker.service file
vim /etc/systemd/system/multi-user.target.wants/docker.service
## ...... (lines above omitted)
[Service]
## Add the following lines to the Service section to configure the HTTP proxy server
Environment=HTTP_PROXY=http://172.16.15.205:8888
Environment=HTTPS_PROXY=http://172.16.15.205:8888
Environment=NO_PROXY=localhost,127.0.0.1
## ...... (lines below omitted)
systemctl daemon-reload && systemctl restart docker
Only this approach works
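The same proxy settings written as a systemd drop-in, so that the packaged docker.service unit stays untouched and a package upgrade does not silently remove the proxy (added example, not from the original post). The function name write_docker_proxy_dropin and its optional directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: write the daemon proxy settings from the section above as a
# systemd drop-in instead of editing docker.service in place.
# write_docker_proxy_dropin and its arguments are illustrative names.

# $1 = proxy URL, $2 = NO_PROXY list, $3 = drop-in directory (optional)
write_docker_proxy_dropin() {
    proxy=$1
    no_proxy=$2
    dir=${3:-/etc/systemd/system/docker.service.d}

    # Allow only characters that cannot break out of the quoted Environment=
    # value or add further directives to the unit.
    case "$proxy$no_proxy" in
        *[!A-Za-z0-9:/.,_@-]*)
            echo "unexpected character in proxy settings" >&2; return 1 ;;
    esac
    case "$proxy" in
        http://*|https://*) ;;
        *) echo "proxy must start with http:// or https://" >&2; return 1 ;;
    esac

    mkdir -p "$dir" || return 1
    # Keep the file writable by its owner only: whoever can edit it decides
    # where the daemon sends its registry traffic.
    ( umask 022
      cat > "$dir/http-proxy.conf" <<EOF
[Service]
Environment="HTTP_PROXY=$proxy"
Environment="HTTPS_PROXY=$proxy"
Environment="NO_PROXY=$no_proxy"
EOF
    ) || return 1
    echo "$dir/http-proxy.conf"
}

# Typical use on the host (as root):
#   write_docker_proxy_dropin http://172.16.15.205:8888 localhost,127.0.0.1
#   systemctl daemon-reload && systemctl restart docker
#   systemctl show --property=Environment docker
```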
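Keeping a container running after it starts
## Change the container's start command to this
/bin/bash -c "tail -f /dev/null"
Migrating the docker directory
Docker's default installation directory is /var/lib/docker/
Note the difference between the two paths. On Linux:
/var/lib/docker is the shortcut, i.e. the soft link (symlink)
/var/lib/docker/ is the real directory, i.e. the hard link
## Stop docker
systemctl stop docker
## Move the files
mv /var/lib/docker/ /opt/
## Create a symlink for the /opt/docker/ directory (note the trailing slash on the directory); the symlink path is /var/lib/docker (note that the symlink has no trailing slash)
ln -s /opt/docker/ /var/lib/docker
## Check
root@cloudserver:/# ll /var/lib/docker
/var/lib/docker -> /app/docker//
## That's right, there are two slashes at the end, which indicates a symlink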
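The move-and-symlink procedure above as a function that can be tried on scratch directories, together with a probe showing how a path is resolved with and without the trailing slash (added example, not from the original post). The names relocate_dir and path_kind are illustrative.

```shell
#!/bin/sh
# Added example: the move-and-symlink procedure above, runnable on scratch
# directories. relocate_dir and path_kind are illustrative names.

# How a path is resolved: without a trailing slash the link itself is
# examined; with one, the path is followed to the directory behind the link.
path_kind() {
    if [ -L "$1" ]; then echo symlink
    elif [ -d "$1" ]; then echo directory
    else echo other
    fi
}

# relocate_dir SRC DEST_PARENT
# Move SRC below DEST_PARENT and leave a symlink at the old location.
relocate_dir() {
    src=${1%/}                          # "dir/" and "dir" name the same source
    dest=${2%/}/$(basename "$src")
    if [ "$(path_kind "$src")" != directory ]; then
        echo "$src is not a real directory (already migrated?)" >&2
        return 1
    fi
    if [ -e "$dest" ]; then
        # mv would otherwise nest the data as DEST/<name>/<name>.
        echo "$dest already exists, refusing to merge into it" >&2
        return 1
    fi
    mv "$src" "$dest" || return 1
    # The link target is stored exactly as typed; it is written here without
    # a trailing slash so that readlink output stays tidy.
    ln -s "$dest" "$src" || return 1
    # Verify: the old path is now a link and points where we expect.
    [ "$(path_kind "$src")" = symlink ] && [ "$(readlink "$src")" = "$dest" ]
}

# On a real host (as root), with the daemon stopped for the duration:
#   systemctl stop docker
#   relocate_dir /var/lib/docker /opt
#   systemctl start docker
```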
Image pull fails
[root@k8s-node1 ~]# docker pull k8s.dev-share.top/library/node:slim
Error response from daemon: Get https://k8s.dev-share.top/v2/: dial tcp 47.92.200.41:443: getsockopt: connection refused
[root@k8s-node1 ~]#
[root@k8s-node1 ~]# cat > /etc/docker/daemon.json << ERIC
{
  "insecure-registries": ["http://k8s.dev-share.top"],
  "registry-mirrors": [
    "https://registry.cn-hangzhou.aliyuncs.com"
  ]
}
ERIC
# The service must be restarted every time daemon.json is changed
[root@k8s-node1 ~]#
[root@k8s-node1 ~]# systemctl daemon-reload && systemctl restart docker
[root@k8s-node1 ~]#
[root@k8s-node1 ~]# docker pull k8s.dev-share.top/library/node:slim
slim: Pulling from library/node
743f2d6c1f65: Pull complete
89252b028f01: Pull complete
a4c96ce39a15: Pull complete
b3d04fa69e29: Pull complete
6194decb3876: Pull complete
Digest: sha256:1b5871385c87ed5cc64e6a6f2a4b789a03266d29b4a0c72c4a740ed67f29286e
Status: Downloaded newer image for k8s.dev-share.top/library/node:slim
[root@k8s-node1 ~]#
[root@k8s-node1 ~]# docker images | grep node
k8s.dev-share.top/library/node   slim   d9bfca6c7741   7 days ago   150MB
[root@k8s-node1 ~]#
docker login fails
[root@k8s-node2 ~]# docker login harbor.software.com:8082 -u admin -p Harbor12345
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://harbor.software.com:8082/v2/: http: server gave HTTP response to HTTPS client
[root@k8s-node2 ~]# cat /etc/docker/daemon.json
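{
  "insecure-registries": ["http://192.168.2.10:8082"],
  "registry-mirrors": [
    "https://registry.cn-hangzhou.aliyuncs.com"
  ]
}
[root@k8s-node2 ~]#
Notes on the insecure-registries entry (annotations only; daemon.json must be plain JSON without comments):
1. Whatever method is used to log in, the address given to docker login must appear here
2. Resolving the name through /etc/hosts does not help
3. It is unrelated to the hostname configured when creating harbor.yml
## Correct approach, for example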
[root@k8s-node2 ~]# docker login 192.168.2.10:8082 -u admin -p Harbor12345
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@k8s-node2 ~]#
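Some details to note
- docker push to the private registry requires logging in first
- For a node machine to use images from the private registry, the registry address must be configured as trusted
- After modifying /etc/docker/daemon.json, docker must be reloaded
- The examples in this article access the private registry through a public network address, which is slow and insecure; a real production environment would always be an internal network, which is both fast and secure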
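The login from the session above done the way the CLI warning asks for, with the password read from a protected file and passed over stdin (added example, not from the original post). The function name registry_login, the DOCKER override variable and the password file path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: log in without putting the password on the command line,
# where it would land in shell history and in the process list.
# registry_login and the DOCKER override variable are illustrative names.

# registry_login REGISTRY USER PASSWORD_FILE
registry_login() {
    registry=$1; user=$2; pwfile=$3
    if [ ! -f "$pwfile" ] || [ ! -r "$pwfile" ]; then
        echo "cannot read password file $pwfile" >&2
        return 1
    fi
    # Accept the file only when group and others have no access at all
    # (mode string such as -rw------- or -r--------).
    case $(ls -ld "$pwfile") in
        -???------*) ;;
        *) echo "refusing: $pwfile is accessible to group or others" >&2
           return 1 ;;
    esac
    # The password travels over stdin; only the registry and the user name
    # are visible as arguments.
    ${DOCKER:-docker} login "$registry" -u "$user" --password-stdin < "$pwfile"
}

# Example call with the registry address from the session above
# (/root/.harbor-password is a hypothetical path):
#   registry_login 192.168.2.10:8082 admin /root/.harbor-password
```

As the warning in the session above says, the credentials are still stored unencrypted in /root/.docker/config.json unless a credential helper is configured.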
When building an image from a Dockerfile whose base image is ubuntu18.04, the following error occurred during apt-get install
E: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/trusty-security/main/source/Sources Hash Sum mismatch
Solution when using **apt**
[root@master cn-ansible]# vim Dockerfile
FROM ubuntu:18.04
# At build time, replace the official package source in the image so that it points to the Alibaba Cloud mirror in China
RUN sed -i s/'archive.ubuntu.com'/'mirrors.aliyun.com'/g /etc/apt/sources.list
......
Solution when using **apk**
RUN echo 'http://mirrors.ustc.edu.cn/alpine/v3.13/main/' > /etc/apk/repositories