Docker Registry分类：​

用于保存docker镜像，包括镜像的层次结构和元数据；​

用户可自建Registry，也可使用官方的Docker Hub；​

Sponsor Registry，第三方的，供客户和docker社区使用；​

Mirror Registry，第三方的，只让客户使用；​

Vendor Registry，由发布Docker镜像的供应商提供的registry；​

Private Registry，通过设有防火墙和额外的安全层的私有实体提供的registry；​

docker registry​

默认用https，拒绝使用http，除非明确配置或告知；​

hub.docker.com #搜registry​

docker-distribution​

yum info docker-registry​

yum -y install docker-registry #包名叫docker-distribution​

rpm -ql docker-distribution​

/etc/docker-distribution/registry/config.yml #rootdirectory；端口默认5000​

/usr/bin/registry​

/usr/lib/systemd/system/docker-distribution.service​

/var/lib/registry #镜像存放路径​

ss -tnl​

docder tag myweb:v0.3-11 node02.magedu.com:5000/myweb:v0.3-11​

docker images ls​

docker push node02.magedu.com:5000/myweb:v0.3-11 #https问题，解决，在服务端配置：​

vim /etc/docker/daemon.json​

{​

...,​

"insecure-registries": ["node02.magedu.com:5000"]​

}​

systemctl restart docker​

注：完整的可用参数列表，​​https://docs.docker.com/engine/reference/commandline/dockerd/#run-multiple-daemons​​​

ll /var/lib/registry #每一层单独推送​

docker pull node02.magedu.com:5000/myweb:v0.3-11​

Harbor #vmware的中国团队开发​

project harbor is an open source trusted cloud native registry project that stores|signs|scans content​

harbor extends the open source docker distribution by adding the functionalities usually required by users such as security,identity and management;​

harbor supports advaned features such as user management,access control,activity monitoring, and replication between instances.​

feathers:​

multi-tenant content signing and validation;​

security and vulnerability analysis;​

audit logging;​

identity integration and role-based access control;​

image replication between instances;​

extensible api and graphical ui;​

internationalization;​

harbor安装依赖docker compose；​

​​https://github.com/vmware/harbor​​ #harbor-offline-installer-v1.4.0.tgz​

单机用harbor：​

yum info docker-compose​

yum -y install docker-compose #epel仓库​

tar xf harbor-offline-installer-v1.4.0.tgz -C /usr/local/​

cd /usr/local/harbor/​

vim docler-compose.yml​

vim harbor.cfg​

hostname = node02.magedu.com​

harbor_admin_password = Harbor12345​

db_password = root123​

./install.sh​

docker-compose --help​

docker-compose pause #在harbor/下，会自动找到docker-compose.yml里的配置​

docker-compose stop|start|scale​

​​http://172.20.0.67/harbor​​​

vim /etc/docker/daemon.json​

{​

...,​

"insecure-registries": ["node02.magedu.com"] #默认80可省，如果写上，镜像的tag也要写​

}​

systemctl restart docker​

docker tag myweb:v0.3-1 node02.magedu.com/devel/myweb:v0.3-1​

docker login node02.magedu.com​

docker push node02.magedu.com/devel/myweb​

docker的系统资源限制及验证：​

docker的隔离能力有限，仅在一定程度上有用，尚未有best practice；​

limit a container's resources​

by default, a container has no resource constraints and can use as much of a given resource as the host's kernel scheduler allows;​

docker provieds ways to control how much memory,cpu,or block io a container can use,setting runtime configuration flags of the docker run command; memory是不可压缩资源，cpu是可压缩资源；​

many of these features require your kernel to support linux capabilities, to check for support,you can use the docker info command;​

memory, OOME:​

on linux hosts, if the kernel detects that there is not enough memory to perform important system functions, it throws an OOME or out of memory exception, and starts killing processes to free up memory;​

一旦发生OOME，任何进程都有可能被杀死（根据oom_score，可调整进程的oom_score_odj，分数越低越不容易被杀），包括docker daemon；​

docker特地调整了docker daemon的OOM优先级，以免它被内核正法，但容器的优先级并未被调整；​

重要的容器应用，运行时就要调整oom_odj，使得不容易被杀；​

limit a container's access to memory​

多数参数都要与-m（--memory）连用（即在有-m的前提下用其它参数才有效）；​

--memory --memory-swap​

正数M 正数S #容器可用总空间为S，其中ram为M，swap为S-M，若S=M，则无可用swap资源​

正数M 0 #相当于unset未设置swap​

正数M unset #若docker host启用了swap，则容器的可用swap为2*M​

正数M -1 #若docker host启用了swap，则容器可使用最大至主机上的所有swap资源​

注：在容器内使用free看到的swap空间并不具有其所展现出的空间指示意义；​

--memory-swappiness #倾向性，0-100，0能不用就不用，100能用就用​

--memory-reservation​

--oom-kill-disable​

cpu​

by default, each container's access the host machine's cpu cycles is unlimited;​

you can set various constraints to limit a given container's access to the host machine's cpu cycles;​

most users use and configure the default CFS scheduler完全公平调度器;​

in docker1.13 and higher, you can also configure the realtime scheduler;​

--cpus=<value> #指定使用几核，可用小数​

--cpuset-cpus string #指进程运行在哪个cpu核上，可多个，内核用0-3编号，如0,1​

--cpu-shares int​

--cpu-period int​

--cpu-quota int​

--oom-kill-disable #启动容器时设置此项，则无论如何都不会被kill掉​

--oom-score-adj int #-1000-1000，数值越小越不容易被kill掉​

docker pull lorel/docker-stress-ng #在hub上搜stress​

docker run --name stress -it --rm lorel/docker-stress-ng:latest stress --help​

docker run --name stress -it --rm -m 256m lorel/docker-stress-ng:latest stress --vm 2 #启动2个进程作压测，每个进程默认占用256m内存，每个容器只分配256m内存​

docker top stress​

docker stats​

docker run --name stress -it --rm --cpus 2 lorel/docker-stress-ng:latest stress --cpu 8 #启了8个进程压测，每个容器只分配2个；另测--cpuset-cpus 0,2，--cpu-shares 1024​

docker stats​

docker run --name stress2 -it --rm --cpu-shares 1024 lorel/docker-stress-ng:latest stress --cpu 8 ​

docker run --name stress3 -it --rm --cpu-shares 1024 lorel/docker-stress-ng:latest stress --cpu 8 ​