企业🤖AI Agent构建引擎,智能编排和调试,一键部署,支持私有化部署方案 广告
[TOC] ### **Docker run命令** docker run命令的用法如下,我们可以传入很多的options ``` $ docker run --help Usage: docker run [OPTIONS] IMAGE [COMMAND] [ARG...] Run a command in a new container Options: --add-host list Add a custom host-to-IP mapping (host:ip) -a, --attach list Attach to STDIN, STDOUT or STDERR --blkio-weight uint16 Block IO (relative weight), between 10 and 1000, or 0 to disable (default 0) --blkio-weight-device list Block IO weight (relative device weight) (default []) --cap-add list Add Linux capabilities --cap-drop list Drop Linux capabilities --cgroup-parent string Optional parent cgroup for the container --cidfile string Write the container ID to the file --cpu-period int Limit CPU CFS (Completely Fair Scheduler) period --cpu-quota int Limit CPU CFS (Completely Fair Scheduler) quota --cpu-rt-period int Limit CPU real-time period in microseconds --cpu-rt-runtime int Limit CPU real-time runtime in microseconds -c, --cpu-shares int CPU shares (relative weight) --cpus decimal Number of CPUs --cpuset-cpus string CPUs in which to allow execution (0-3, 0,1) --cpuset-mems string MEMs in which to allow execution (0-3, 0,1) -d, --detach Run container in background and print container ID --detach-keys string Override the key sequence for detaching a container --device list Add a host device to the container --device-cgroup-rule list Add a rule to the cgroup allowed devices list --device-read-bps list Limit read rate (bytes per second) from a device (default []) --device-read-iops list Limit read rate (IO per second) from a device (default []) --device-write-bps list Limit write rate (bytes per second) to a device (default []) --device-write-iops list Limit write rate (IO per second) to a device (default []) --disable-content-trust Skip image verification (default true) --dns list Set custom DNS servers --dns-option list Set DNS options --dns-search list Set custom DNS search domains --entrypoint string Overwrite the default ENTRYPOINT of the image -e, --env list Set environment variables --env-file list Read in a file of environment variables --expose list Expose a port or a range of ports --group-add list Add additional groups to join --health-cmd string Command to run to check health --health-interval duration Time between running the check (ms|s|m|h) (default 0s) --health-retries int Consecutive failures needed to report unhealthy --health-start-period duration Start period for the container to initialize before starting health-retries countdown (ms|s|m|h) (default 0s) --health-timeout duration Maximum time to allow one check to run (ms|s|m|h) (default 0s) --help Print usage -h, --hostname string Container host name --init Run an init inside the container that forwards signals and reaps processes -i, --interactive Keep STDIN open even if not attached --ip string IPv4 address (e.g., 172.30.100.104) --ip6 string IPv6 address (e.g., 2001:db8::33) --ipc string IPC mode to use --isolation string Container isolation technology --kernel-memory bytes Kernel memory limit -l, --label list Set meta data on a container --label-file list Read in a line delimited file of labels --link list Add link to another container --link-local-ip list Container IPv4/IPv6 link-local addresses --log-driver string Logging driver for the container --log-opt list Log driver options --mac-address string Container MAC address (e.g., 92:d0:c6:0a:29:33) -m, --memory bytes Memory limit --memory-reservation bytes Memory soft limit --memory-swap bytes Swap limit equal to memory plus swap: '-1' to enable unlimited swap --memory-swappiness int Tune container memory swappiness (0 to 100) (default -1) --mount mount Attach a filesystem mount to the container --name string Assign a name to the container --network string Connect a container to a network (default "default") --network-alias list Add network-scoped alias for the container --no-healthcheck Disable any container-specified HEALTHCHECK --oom-kill-disable Disable OOM Killer --oom-score-adj int Tune host's OOM preferences (-1000 to 1000) --pid string PID namespace to use --pids-limit int Tune container pids limit (set -1 for unlimited) --privileged Give extended privileges to this container -p, --publish list Publish a container's port(s) to the host -P, --publish-all Publish all exposed ports to random ports --read-only Mount the container's root filesystem as read only --restart string Restart policy to apply when a container exits (default "no") --rm Automatically remove the container when it exits --runtime string Runtime to use for this container --security-opt list Security Options --shm-size bytes Size of /dev/shm --sig-proxy Proxy received signals to the process (default true) --stop-signal string Signal to stop a container (default "SIGTERM") --stop-timeout int Timeout (in seconds) to stop a container --storage-opt list Storage driver options for the container --sysctl map Sysctl options (default map[]) --tmpfs list Mount a tmpfs directory -t, --tty Allocate a pseudo-TTY --ulimit ulimit Ulimit options (default []) -u, --user string Username or UID (format: <name|uid>[:<group|gid>]) --userns string User namespace to use --uts string UTS namespace to use -v, --volume list Bind mount a volume --volume-driver string Optional volume driver for the container --volumes-from list Mount volumes from the specified container(s) -w, --workdir string Working directory inside the container ``` 接下来,我们来了解一下这些OPTIONS以及它们与K8S的Yaml文件的对应关系。 ### **--add-host list** 。。。 ### **--cidfile string** string是一个文件的路径,比如`/xxx/file`。把容器的ID写入到这个文件当中。注意这个文件不能存在。 比如: ``` $ docker run --cidfile /root/cidfile-centos7 centos:7 $ docker ps -a --no-trunc CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 3ee6e672cce06df201bfe3d1792f0d98ed0e9ed7c2b947a0a3b38ea357dbf724 centos:7 "/bin/bash" 17 seconds ago Exited (0) 16 seconds ago flamboyant_vaughan $cat /root/cidfile-centos7 3ee6e672cce06df201bfe3d1792f0d98ed0e9ed7c2b947a0a3b38ea357dbf724 ``` ### **--cap-add(--cap-drop) list** 参考 https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities 向容器添加(或删除)linux权限,比如: ``` $ docker run --add-cap AUDIT_CONTROL,AUDIT_READ ``` 在Pod中的设置如下: ``` apiVersion: v1 kind: Pod metadata: ... spec: ... containers: - name: container1 securityContext: capacities: add: [AUDIT_CONTROL,AUDIT_READ] drop: [] ``` ### **--security-opt list** 示例如下: ``` --security-opt seccomp=unconfined,apparmor=unconfined ``` seccomp(securecomputing)在Pod的yaml文件中如下: ``` pod.spec: containers: - name: container1 securityContext: seccompProfile: type: unconfined ``` 对于apparmor,需要在Pod的annotation中为Container设置(参考[文章](https://kubernetes.io/zh/docs/tutorials/clusters/apparmor/))。目前该我还处于测试阶段,所以需要在Pod的annotation中设置: ``` pod.metadata: annotations: container.apparmor.security.beta.kubernetes.io/<container_name>: <profile_ref> ``` `<container_name>`的名称是容器的简称,用以描述简介,并且简称为`<profile_ref>`。`<profile_ref>`可以作为其中之一: * `runtime/default`应用运行时的默认配置 * Equivalent to not specifying a profile (without a PodSecurityPolicy default), except it still requires AppArmor to be enabled. * For Docker, this resolves to the `docker-default` profile for non-privileged containers, and unconfined (no profile) for privileged containers * `localhost/<profile_name>`应用在名为`<profile_name>`的主机上加载的配置文件 * `unconfined`表示不加载配置文件 对于docker来说,如果我们不为Pod设置annotation,那么特权容器默认配置为`unconfined`,非特权容器默认配置为`docker-default` ### **--device list** 示例: ``` docker run --device /dev/fuse:/dev/fuse:rwm --device /dev/dri/renderD128:/dev/dri/renderD128:rwm ``` Pod的yaml文件中不支持device的直接挂载,如果要做到,有两种方法,一是把Pod设置为特权模式,然后使用hostpath把设备挂载进去;二是自行开发device-plugin,比如GPU。 参考:https://cloud.tencent.com/developer/article/1506474 ### **参考** * https://docs.docker.com/engine/reference/commandline/run/ * https://docs.docker.com/engine/reference/run/ * https://cloud.tencent.com/developer/article/1506474