How to make Docker assign IPv6 addresses

IPv6 And Docker | LinkedIn
Fair warning: this might give you a headache.
If you're working on IPv6 transition engineering and you have Linux applications running inside
containers, then you're going to want to look at , because it's not going to be painless.
The way Docker servers connect containers to the network resembles the method that your home router connects all the hosts on your network to the Internet behind a single IPv4 address. It uses a network address translator (NAT), and if you want containers that passively listen at ports to be reachable from arbitrary remote addresses, then you need to use a Docker-specific method to open and map the ports. (No, it doesn't use a
server. Because I don't know.)
Being that the whole idea behind IPv6 is to have enough addresses to number every host on the Internet without using NAT middleboxes, your home router has to do things quite a bit
on its first-kilometer connection to provide IPv6 service to hosts on the local network. For one thing, it has to ask the network for enough routable address space for all the subnetworks behind it. For another thing, all the addresses are public realm, so when they change (because the router moves or the service provider renumbers) all the local networks have to be renumbered.
Because starting the Docker server conceptually makes an ordinary host into an Internet router, transitioning from IPv4 to IPv6 with Docker can be an exciting adventure. An IPv4 NAT router can continue to pretend to be an ordinary IPv4 host on its outward-facing interface, but an IPv6 host that becomes a router must be recognized by the network as an IPv6 router. Getting that to happen with the host running your Docker server can be interesting.
Typical IPv6 network deployments today make a hard distinction between hosts and routers. Hosts receive and process router advertisements and possibly DHCP configurations, and they're assigned one or more IPv6 interface addresses. Generally, routers send advertisements to hosts and they participate in an interior routing domain protocol with other routers. Usually with some kind of security association.
As you can hopefully infer from this, turning a host into a router is not a straightforward process.
Docker doesn't include very much in the way of automation for making the server host into a router. There are some options on the docker server and in its configuration file that can be used manually to delegate an IPv6 prefix to its internal bridge. The helpful documentation reminds you to enable IPv6 forwarding in the server kernel. Alas, you are on your own when it comes to acquiring a prefix delegation from the network.
If you were paying attention to the hyperlinks that I included earlier, you may have noticed that your home router acquires a prefix delegation using DHCP, and it's reasonable to think that a Docker server should be able to do the same thing.
Alas, that may be prohibited by policy on your network.
Many enterprise network operators are concerned about the "rogue router" problem. Somebody connects a commodity home router product to the network, and now anybody with access to the local side of the router can have free access to the enterprise network through it. Operators have trouble stopping this from happening with IPv4, but they often rather like to disable IPv6 prefix delegation. Because they can, and it makes them sleep easier at night.
And if you're on a network that assigns exactly one IPv6 address per host, then this will effectively prevent your Docker containers from reaching the network over IPv6. There is a
currently under debate in the
to establish a best current practice for always and everywhere assigning hosts multiple addresses. It remains to be seen whether IETF will publish it. That draft says that DHCP-PD is one way of assigning enough addresses to hosts, and if you're on a network that doesn't use DHCP, then you have the option with Docker of running a neighbor discovery proxy on your host instead.
Alas, unless operators get over their paranoia about IPv6 hosts having more than one address, you're likely to find that running a Docker server on your host may involve calling up your operator on the telephone and begging her to add your server host to the whitelist of devices that are allowed to be routers.
Good luck with your Docker containers and IPv6 everyone.
Docker network configuration in detail:
1. Docker's native network implementation
To enable communication between containers and between containers and the host, Docker itself already provides several solutions. When the Docker daemon starts, it configures a virtual bridge named docker0 on the host, which is in fact a Linux bridge. This interface lets Docker allocate a virtual subnet to the containers that are about to start. The bridge acts as the main point of interface between the networks inside the containers and the host network.
When a Docker container starts, a new virtual interface is created and assigned an IP address from the bridge's subnet. This IP address lives inside the container's network and provides a path from the container network to the docker0 bridge on the host. Docker automatically configures iptables rules to allow the traffic and set up NAT, connecting to docker0 on the host.
At the same time, Docker randomly assigns the docker0 interface an address from a private range (as defined in RFC 1918) that is not in use locally, typically 172.17.42.1 with netmask 255.255.0.0. The network interfaces of containers started afterwards are automatically assigned addresses from the same range (172.17.0.0/16).
Run the following command on the host: ip addr
lin@ubuntu:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:33:ca:0f brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.167/24 brd 192.168.0.255 scope global eno
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe33:ca0f/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:86:27:36:61 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:86ff:fe27:3661/64 scope link
       valid_lft forever preferred_lft forever
5: vethedf2614@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether b2:0c:cb:5c:5b:2c brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::b00c:cbff:fe5c:5b2c/64 scope link
       valid_lft forever preferred_lft forever
You can see docker0: this is the virtual network interface that Docker creates on the host at startup, used to manage the network of Docker containers.
Install brctl on the host: apt-get install bridge-utils
Run the command: brctl show
lin@ubuntu:~$ brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         73661                   no              vethedf2614
This shows the virtual network relationships: vethedf2614 is the Docker container's virtual interface. Each time Docker creates a new container, docker0 gets a new virtual interface whose name starts with veth; the rest of the name is random.
The figure below shows its structure:
2. Docker's four network modes
Docker has four network modes when creating a container. bridge is the default and does not need to be specified with --net; the other three modes must be specified with --net when the container is created.
bridge mode: specified with --net=bridge; the default setting.
none mode: specified with --net=none.
host mode: specified with --net=host.
container mode: specified with --net=container:<container name or ID> (for example --net=container:30b668ccb630).
bridge mode: Docker network isolation is based on network namespaces. When a Docker container is created on the physical machine, each container is assigned its own network namespace, and the container's IP is bridged to the virtual bridge on the physical machine.
none mode: a container created in this mode gets no network configuration at all (no container interface, IP, routes and so on); you have to configure everything yourself.
host mode: a container created in this mode has no network namespace of its own. It shares the physical machine's network namespace, including all of its ports and IPs, and this mode is considered insecure.
container mode: very similar to host mode, except that the container shares the IP and ports of another container rather than those of the physical machine. The container does not configure its own network or ports; once inside a container created in this mode, you will find that its IP is that of the container you specified and that the ports are shared too, while everything else, such as processes, remains isolated.
The following briefly introduces creating a new Docker internal bridge and attaching a container to a specific bridge.
The following command lists Docker's three built-in networks; bridge is used by default.
lin@ubuntu:~$ docker network ls
NETWORK ID          NAME                DRIVER
590c6ae86a55        bridge              bridge
c0573deb0a47        none                null
f                   host                host
The following command creates a new bridge network:
lin@ubuntu:~$ docker network create -d bridge my-bridge-network
157484bdedf67edde93eef23217befe5b6ffc61bdd
lin@ubuntu:~$ docker network ls
NETWORK ID          NAME                DRIVER
157484bdedf6        my-bridge-network   bridge
590c6ae86a55        bridge              bridge
c0573deb0a47        none                null
f                   host                host
View the bridge information:
lin@ubuntu:~$ docker network inspect bridge
You will find that the information for the bridge you created yourself is empty.
Disconnect a container from the bridge:
$ docker network disconnect bridge containerName
Run a container (db) and attach it to the bridge that was just created:
$ docker run -d --net=my-bridge-network --name db training/postgres
Now the bridge information has content.
Below is an example that tests whether the network between two containers is connected:
Normally Docker's default is the bridge network. If you run two containers and view the bridge information:
lin@ubuntu:~$ docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "590c6ae86a557283cfb7c00e7c0f5c11b43bb480fe04b2ee67725",
        "Scope": "local",
        "Driver": "bridge",
        "IPAM": {
            "Driver": "default",
            "Config": [
                {
                    "Subnet": "172.17.0.0/16"
                }
            ]
        },
        "Containers": {
            "36f7ddcba825ef44e215b579a5d22": {
                "EndpointID": "fd55daa643b8be77affac7cee",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            },
            "eac373d9b0a26e67e6ae": {
                "EndpointID": "b0f9a3ee5e2e8570eccbafe5d30a2d4157",
                "MacAddress": "02:42:ac:11:00:03",
                "IPv4Address": "172.17.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        }
    }
]
lin@ubuntu:~$
You can see the two containers, using the IPs 172.17.0.2 and 172.17.0.3 respectively. From inside a container, the ping command shows that the two containers can reach each other.
root@36f7d9838bb6:/# ping 172.17.0.3
PING 172.17.0.3 (172.17.0.3) 56(84) bytes of data.
64 bytes from 172.17.0.3: icmp_seq=1 ttl=64 time=0.125 ms
64 bytes from 172.17.0.3: icmp_seq=2 ttl=64 time=0.080 ms
3. Custom Docker bridge
Often you do not want the default 172.17.x.x IPs that Docker assigns, so you need to define a custom Docker bridge.
1. Check Docker's running state
lin@ubuntu:~$ ps -ef | grep docker
root      7673     1  0 10:51 ?        00:00:31 /usr/bin/docker daemon -H fd://
lin@ubuntu:~$
2. Docker is running, so stop it first
$ sudo service docker stop
3. View Docker's default bridge
lin@ubuntu:~$ ifconfig | grep docker0
docker0   Link encap:Ethernet  HWaddr 02:42:86:27:36:61
4. Bring down the default Docker bridge and delete it
lin@ubuntu:~$ brctl show
lin@ubuntu:~$ sudo ip link set dev docker0 down
lin@ubuntu:~$ sudo brctl delbr docker0
6. Create a custom bridge and assign it an IP
lin@ubuntu:~$ sudo brctl addbr bridge0
lin@ubuntu:~$ sudo ip addr add 192.168.1.1/24 dev bridge0
lin@ubuntu:~$ sudo ip link set dev bridge0 up
7. Check that the configuration succeeded
lin@ubuntu:~$ ip addr show bridge0
8. Configure Docker to bridge to the newly created bridge by default
echo 'DOCKER_OPTS="-b=bridge0"' >> /etc/default/docker
9. Restart the Docker service
sudo service docker start
Writing docker-compose files (English)
Original source: https://docker.github.io/compose/compose-file/
Compose file reference
The Compose file is a YAML file defining services, networks and volumes. The default path for a Compose file is ./docker-compose.yml.
A service definition contains configuration which will be applied to each container started for that service, much like passing command-line parameters to docker run. Likewise, network and volume definitions are analogous to docker network create and docker volume create.
As with docker run, options specified in the Dockerfile (e.g., CMD, EXPOSE, VOLUME, ENV) are respected by default - you don’t need to specify them again in docker-compose.yml.
You can use environment variables in configuration values with a Bash-like ${VARIABLE} syntax - see for full details.
Service configuration reference
Note: There are two versions of the Compose file format – version 1 (the legacy format, which does not support volumes or networks) and version 2 (the most up-to-date). For more information, see the Versioning section.
This section contains a list of all configuration options supported by a service definition.
build
Configuration options that are applied at build time.
build can be specified either as a string containing a path to the build context, or an object with the path specified under context and optionally dockerfile and args.
build: ./dir
build:
  context: ./dir
  dockerfile: Dockerfile-alternate
  args:
    buildno: 1
If you specify image as well as build, then Compose names the built image with the webapp and optional tag specified in image:
build: ./dir
image: webapp:tag
This will result in an image named webapp and tagged tag, built from ./dir.
Note: In the version 1 file format, build is different in two ways:
Only the string form (build: .) is allowed - not the object form.
Using build together with image is not allowed. Attempting to do so results in an error.
context
Version 2 file format only. In version 1, just use build.
Either a path to a directory containing a Dockerfile, or a url to a git repository.
When the value supplied is a relative path, it is interpreted as relative to the location of the Compose file. This directory is also the build context that is sent to the Docker daemon.
Compose will build and tag it with a generated name, and use that image thereafter.
build:
  context: ./dir
dockerfile
Alternate Dockerfile.
Compose will use an alternate file to build with. A build path must also be specified.
build:
  context: .
  dockerfile: Dockerfile-alternate
Note: In the version 1 file format, dockerfile is different in two ways:
It appears alongside build, not as a sub-option:
build: .
dockerfile: Dockerfile-alternate
Using dockerfile together with image is not allowed. Attempting to do so results in an error.
args
Add build arguments, which are environment variables accessible only during the build process.
First, specify the arguments in your Dockerfile:
ARG buildno
ARG password
RUN echo "Build number: $buildno"
RUN script-requiring-password.sh "$password"
Then specify the arguments under the build key. You can pass either a mapping or a list:
build:
  context: .
  args:
    buildno: 1
    password: secret
build:
  context: .
  args:
    - buildno=1
    - password=secret
You can omit the value when specifying a build argument, in which case its value at build time is the value in the environment where Compose is running.
args:
  - password
Note: YAML boolean values (true, false, yes, no, on, off) must be enclosed in quotes, so that the parser interprets them as strings.
cap_add, cap_drop
Add or drop container capabilities. See man 7 capabilities for a full list.
- NET_ADMIN
- SYS_ADMIN
command
Override the default command.
command: bundle exec thin -p 3000
The command can also be a list, in a manner similar to a Dockerfile:
command: [bundle, exec, thin, -p, 3000]
cgroup_parent
Specify an optional parent cgroup for the container.
cgroup_parent: m-executor-abcd
container_name
Specify a custom container name, rather than a generated default name.
container_name: my-web-container
Because Docker container names must be unique, you cannot scale a service beyond 1 container if you have specified a custom name. Attempting to do so results in an error.
devices
List of device mappings. Uses the same format as the --device docker client create option.
devices:
  - "/dev/ttyUSB0:/dev/ttyUSB0"
depends_on
Express dependency between services, which has two effects:
docker-compose up will start services in dependency order. In the following example, db and redis will be started before web.
docker-compose up SERVICE will automatically include SERVICE’s dependencies. In the following example, docker-compose up web will also create and start db and redis.
Simple example:
version: '2'
services:
  web:
    build: .
    depends_on:
      - db
      - redis
  redis:
    image: redis
  db:
    image: postgres
Note: depends_on will not wait for db and redis to be “ready” before starting web - only until they have been started. If you need to wait for a service to be ready, see for more on this problem and strategies for solving it.
Custom DNS servers. Can be a single value or a list.
Custom DNS search domains. Can be a single value or a list.
Mount a temporary file system inside the container. Can be a single value or a list.
tmpfs: /run
entrypoint
Override the default entrypoint.
entrypoint: /code/entrypoint.sh
The entrypoint can also be a list, in a manner similar to a Dockerfile:
entrypoint:
- zend_extension=/usr/local/lib/php/extensions/no-debug-non-zts-/xdebug.so
- memory_limit=-1
- vendor/bin/phpunit
env_file
Add environment variables from a file. Can be a single value or a list.
If you have specified a Compose file with docker-compose -f FILE, paths in env_file are relative to the directory that file is in.
Environment variables specified in environment override these values.
env_file: .env
env_file:
  - ./common.env
  - ./apps/web.env
  - /opt/secrets.env
Compose expects each line in an env file to be in VAR=VAL format. Lines beginning with # (i.e. comments) are ignored, as are blank lines.
Note: If your service specifies a build option, variables defined in environment files will not be automatically visible during the build. Use the args sub-option of build to define build-time environment variables.
environment
Add environment variables. You can use either an array or a dictionary. Any boolean values (true, false, yes, no) need to be enclosed in quotes to ensure they are not converted to True or False by the YAML parser.
Environment variables with only a key are resolved to their values on the machine Compose is running on, which can be helpful for secret or host-specific values.
environment:
  RACK_ENV: development
  SHOW: 'true'
  SESSION_SECRET:
environment:
  - RACK_ENV=development
  - SHOW=true
  - SESSION_SECRET
Note: If your service specifies a build option, variables defined in environment will not be automatically visible during the build. Use the args sub-option of build to define build-time environment variables.
Expose ports without publishing them to the host machine - they’ll only be accessible to linked services. Only the internal port can be specified.
extends
Extend another service, in the current file or another, optionally overriding configuration.
You can use extends on any service together with other configuration keys. The extends value must be a dictionary defined with a required service and an optional file key.
extends:
  file: common.yml
  service: webapp
The service is the name of the service being extended, for example web or database. The file is the location of a Compose configuration file defining that service.
If you omit the file, Compose looks for the service configuration in the current file. The file value can be an absolute or relative path. If you specify a relative path, Compose treats it as relative to the location of the current file.
You can extend a service that itself extends another. You can extend indefinitely. Compose does not support circular references and docker-compose returns an error if it encounters one.
For more on extends, see the .
external_links
Link to containers started outside this docker-compose.yml or even outside of Compose, especially for containers that provide shared or common services. external_links follow semantics similar to links when specifying both the container name and the link alias (CONTAINER:ALIAS).
external_links:
  - project_db_1:mysql
  - project_db_1:postgresql
Note: If you’re using the version 2 file format, the externally-created containers must be connected to at least one of the same networks as the service which is linking to them.
extra_hosts
Add hostname mappings. Use the same values as the docker client --add-host parameter.
An entry with the ip address and hostname will be created in /etc/hosts inside containers for this service, e.g:
162.242.195.82
Specify the image to start the container from. Can either be a repository/tag or a partial image ID.
image: redis
image: ubuntu:14.04
image: tutum/influxdb
image: :4000/postgresql
image: a4bc65fd
If the image does not exist, Compose attempts to pull it, unless you have also specified build, in which case it builds it using the specified options and tags it with the specified tag.
Note: In the version 1 file format, using build together with image is not allowed. Attempting to do so results in an error.
labels
Add metadata to containers using Docker labels. You can use either an array or a dictionary.
It’s recommended that you use reverse-DNS notation to prevent your labels from conflicting with those used by other software.
labels:
  com.example.description: "Accounting webapp"
  com.example.department: "Finance"
  com.example.label-with-empty-value: ""
labels:
  - "com.example.description=Accounting webapp"
  - "com.example.department=Finance"
  - "com.example.label-with-empty-value"
links
Link to containers in another service. Either specify both the service name and a link alias (SERVICE:ALIAS), or just the service name.
links:
  - db:database
Containers for the linked service will be reachable at a hostname identical to the alias, or the service name if no alias was specified.
Links also express dependency between services in the same way as depends_on, so they determine the order of service startup.
Note: If you define both links and networks, services with links between them must share at least one network in common in order to communicate.
logging
Version 2 file format only. In version 1, use log_driver and log_opt.
Logging configuration for the service.
logging:
  driver: syslog
  options:
    syslog-address: "tcp://192.168.0.42:123"
The driver name specifies a logging driver for the service’s containers, as with the --log-driver option for docker run.
The default value is json-file.
driver: "json-file"
driver: "syslog"
driver: "none"
Note: Only the json-file and journald drivers make the logs available directly from docker-compose up and docker-compose logs. Using any other driver will not print any logs.
Specify logging options for the logging driver with the options key, as with the --log-opt option for docker run.
Logging options are key-value pairs. An example of syslog options:
driver: "syslog"
options:
  syslog-address: "tcp://192.168.0.42:123"
log_driver
Version 1 file format only. In version 2, use logging.
Specify a log driver. The default is json-file.
log_driver: syslog
log_opt
Version 1 file format only. In version 2, use logging.
Specify logging options as key-value pairs. An example of syslog options:
log_opt:
  syslog-address: "tcp://192.168.0.42:123"
net
Version 1 file format only. In version 2, use network_mode.
Network mode. Use the same values as the docker client --net parameter. The container:... form can take a service name instead of a container name or id.
net: "bridge"
net: "host"
net: "none"
net: "container:[service name or container name/id]"
network_mode
Version 2 file format only. In version 1, use net.
Network mode. Use the same values as the docker client --net parameter, plus the special form service:[service name].
network_mode: "bridge"
network_mode: "host"
network_mode: "none"
network_mode: "service:[service name]"
network_mode: "container:[container name/id]"
networks
Version 2 file format only. In version 1, use net.
Networks to join, referencing entries under the top-level networks key.
services:
  some-service:
    networks:
      - some-network
      - other-network
aliases
Aliases (alternative hostnames) for this service on the network. Other containers on the same network can use either the service name or this alias to connect to one of the service’s containers.
Since aliases is network-scoped, the same service can have different aliases on different networks.
Note: A network-wide alias can be shared by multiple containers, and even by multiple services. If it is, then exactly which container the name will resolve to is not guaranteed.
The general format is shown here.
some-service:
some-network:
other-network:
In the example below, three services are provided (web, worker, and db), along with two networks (new and legacy). The db service is reachable at the hostname db or database on the new network, and at db or mysql on the legacy network.
version: '2'
build: ./web
build: ./worker
image: mysql
- database
ipv4_address, ipv6_address
Specify a static IP address for containers for this service when joining the network.
The corresponding network configuration in the top-level networks section must have an ipam block with subnet and gateway configurations covering each static address. If IPv6 addressing is desired, the com.docker.network.enable_ipv6 driver option must be set to true.
An example:
version: '2'
image: busybox
command: ifconfig
ipv4_address: 172.16.238.10
ipv6_address: 2001:3984:3989::10
driver: bridge
driver_opts:
com.docker.network.enable_ipv6: "true"
driver: default
- subnet: 172.16.238.0/24
gateway: 172.16.238.1
- subnet: 2001:3984:3989::/64
gateway: 2001:3984:3989::1
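An added example (not part of the Compose documentation): a Python check of the rule above, that every ipv4_address / ipv6_address is covered by an ipam subnet of the network it joins and that an IPv6 address needs com.docker.network.enable_ipv6 set to "true". The Compose document is passed in as an already-parsed dict; the service name app and network name app_net are hypothetical.

```python
import ipaddress

ENABLE_V6 = "com.docker.network.enable_ipv6"

# Constructed sample: a version 2 Compose document after YAML parsing.
# "app" and "app_net" are hypothetical names chosen for this example.
SAMPLE = {
    "version": "2",
    "services": {
        "app": {
            "image": "busybox",
            "command": "ifconfig",
            "networks": {
                "app_net": {
                    "ipv4_address": "172.16.238.10",
                    "ipv6_address": "2001:3984:3989::10",
                }
            },
        }
    },
    "networks": {
        "app_net": {
            "driver": "bridge",
            "driver_opts": {ENABLE_V6: "true"},
            "ipam": {
                "driver": "default",
                "config": [
                    {"subnet": "172.16.238.0/24", "gateway": "172.16.238.1"},
                    {"subnet": "2001:3984:3989::/64", "gateway": "2001:3984:3989::1"},
                ],
            },
        }
    },
}


def check_static_addresses(doc):
    """Return a list of problems with ipv4_address / ipv6_address settings."""
    problems = []
    top_networks = doc.get("networks") or {}
    for svc_name, svc in (doc.get("services") or {}).items():
        attachments = svc.get("networks") or {}
        if isinstance(attachments, list):
            continue  # the short list form cannot carry static addresses
        for net_name, opts in attachments.items():
            opts = opts or {}
            net = top_networks.get(net_name) or {}
            blocks = (net.get("ipam") or {}).get("config") or []
            subnets = [
                ipaddress.ip_network(b["subnet"], strict=False)
                for b in blocks
                if "subnet" in b
            ]
            driver_opts = net.get("driver_opts") or {}
            v6_enabled = str(driver_opts.get(ENABLE_V6, "")).lower() == "true"
            for key, family in (("ipv4_address", 4), ("ipv6_address", 6)):
                if key not in opts:
                    continue
                where = f"{svc_name}.{net_name}.{key}"
                try:
                    addr = ipaddress.ip_address(opts[key])
                except ValueError:
                    problems.append(f"{where}: {opts[key]!r} is not an IP address")
                    continue
                if addr.version != family:
                    problems.append(f"{where}: {addr} is not an IPv{family} address")
                    continue
                # The ipam block must contain a subnet that covers the address.
                if not any(addr in s for s in subnets if s.version == family):
                    problems.append(f"{where}: {addr} is outside every ipam subnet")
                # IPv6 addressing additionally needs the driver option.
                if family == 6 and not v6_enabled:
                    problems.append(f"{where}: {ENABLE_V6} is not set to \"true\"")
    return problems


if __name__ == "__main__":
    for line in check_static_addresses(SAMPLE) or ["no problems found"]:
        print(line)
```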
pid: "host"
Sets the PID mode to the host PID mode. This turns on sharing of the PID address space between the container and the host operating system. Containers launched with this flag will be able to access and manipulate other containers in the bare-metal machine’s namespace and vice versa.
Expose ports. Either specify both ports (HOST:CONTAINER), or just the container port (a random host port will be chosen).
Note: When mapping ports in the HOST:CONTAINER format, you may experience erroneous results when using a container port lower than 60, because YAML will parse numbers in the format xx:yy as sexagesimal (base 60). For this reason, we recommend always explicitly specifying your port mappings as strings.
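The base-60 pitfall in the note above, as an added example that is not part of the Compose documentation: a Python model of YAML 1.1 integer resolution for xx:yy scalars, plus a lint pass over the raw lines of a ports: list. The sample port mappings are constructed, and only the sexagesimal rule is modelled.

```python
import re

# YAML 1.1 base-60 integer form: leading digits, then one or more ":NN"
# groups where each NN is 0-59. A container port of 60 or more never matches.
SEXAGESIMAL_INT = re.compile(r"^[-+]?[1-9][0-9_]*(?::[0-5]?[0-9])+$")

# One list item per line: "- token", optionally followed by a comment.
LIST_ITEM = re.compile(r"^\s*-\s+(\S+)\s*(?:#.*)?$")

# Constructed sample: the text of a ports: list as it might appear in a file.
SAMPLE_LINES = [
    "ports:",
    '  - "3000"',
    "  - 8000:8000",
    "  - 2222:22",
    '  - "49100:22"',
    "  - 8443:443",
    "  - 6060:53",
]


def yaml11_scalar(text):
    """Resolve an unquoted xx:yy scalar the way a YAML 1.1 parser does.

    Returns an int when the text matches the base-60 form, otherwise the
    text unchanged (other YAML types are outside this example).
    """
    if not SEXAGESIMAL_INT.match(text):
        return text
    sign = -1 if text.startswith("-") else 1
    value = 0
    for part in text.lstrip("+-").replace("_", "").split(":"):
        value = value * 60 + int(part)
    return sign * value


def lint_ports(lines):
    """Return (line number, token, parsed integer) for every unquoted
    mapping that a YAML 1.1 parser would turn into a number."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = LIST_ITEM.match(line)
        if not match:
            continue
        token = match.group(1)
        if token[0] in "\"'":
            continue  # quoted entries always stay strings
        resolved = yaml11_scalar(token)
        if isinstance(resolved, int):
            findings.append((lineno, token, resolved))
    return findings


if __name__ == "__main__":
    for lineno, token, value in lint_ports(SAMPLE_LINES):
        print(f"line {lineno}: {token} is read as the integer {value}; quote it")
```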
security_opt
Override the default labeling scheme for each container.
security_opt:
- label:user:USER
- label:role:ROLE
stop_signal
Sets an alternative signal to stop the container. By default stop uses SIGTERM. Setting an alternative signal using stop_signal will cause stop to send that signal instead.
stop_signal: SIGUSR1
Override the default ulimits for a container. You can either specify a single limit as an integer or soft/hard limits as a mapping.
nproc: 65535
soft: 20000
hard: 40000
volumes, volume_driver
Mount paths or named volumes, optionally specifying a path on the host machine (HOST:CONTAINER), or an access mode (HOST:CONTAINER:ro). For version 2 files, named volumes need to be specified with the top-level volumes key. When using version 1, the Docker Engine will create the named volume automatically if it doesn’t exist.
You can mount a relative path on the host, which will expand relative to the directory of the Compose configuration file being used. Relative paths should always begin with . or ..
volumes:
  # Just specify a path and let the Engine create a volume
  - /var/lib/mysql
  # Specify an absolute path mapping
  - /opt/data:/var/lib/mysql
  # Path on the host, relative to the Compose file
  - ./cache:/tmp/cache
  # User-relative path
  - ~/configs:/etc/configs/:ro
  # Named volume
  - datavolume:/var/lib/mysql
If you do not use a host path, you may specify a volume_driver.
volume_driver: mydriver
Note that for version 2 files, this driver will not apply to named volumes (you should use the driver option when declaring the volume instead). For version 1, both named volumes and container volumes will use the specified driver.
Note: No path expansion will be done if you have also specified a volume_driver.
See and for more information.
volumes_from
Mount all of the volumes from another service or container, optionally specifying read-only access (ro) or read-write (rw). If no access level is specified, then read-write will be used.
volumes_from:
- service_name
- service_name:ro
- container:container_name
- container:container_name:rw
Note: The container:... formats are only supported in the version 2 file format. In version 1, you can use container names without marking them as such:
- service_name
- service_name:ro
- container_name
- container_name:rw
cpu_shares, cpu_quota, cpuset, domainname, hostname, ipc, mac_address, mem_limit, memswap_limit, privileged, read_only, restart, shm_size, stdin_open, tty, user, working_dir
Each of these is a single value, analogous to its docker run counterpart.
cpu_shares: 73
cpu_quota: 50000
cpuset: 0,1
user: postgresql
working_dir: /code
domainname:
hostname: foo
mac_address: 02:42:ac:11:65:43
mem_limit:
memswap_limit:
privileged: true
restart: always
read_only: true
shm_size: 64M
stdin_open: true
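An added example, not from the Compose documentation: a Python audit of an already-parsed Compose file for the isolation-weakening options described on this page (pid: "host", host network mode, privileged, cap_add) and for secret-looking build arguments, whose values stay readable in the built image's history. The service names, the set of capabilities treated as high-risk and the secret-name pattern are assumptions of the example.

```python
import re

# Keys whose value "host" makes the container share a host namespace.
HOST_SHARED_KEYS = ("pid", "ipc", "network_mode", "net")

# Capabilities this example treats as high-risk (an assumption, not a rule
# from the Compose documentation).
HIGH_RISK_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN"}

# Build-argument names that look like credentials (assumed pattern).
SECRET_NAME = re.compile(r"pass|secret|token|key", re.IGNORECASE)

# Constructed sample: a version 2 Compose document after YAML parsing.
# The service names are hypothetical.
SAMPLE = {
    "version": "2",
    "services": {
        "web": {
            "build": {"context": ".", "args": {"buildno": 1, "password": "secret"}},
            "cap_add": ["NET_ADMIN"],
            "read_only": True,
        },
        "monitor": {
            "image": "busybox",
            "pid": "host",
            "network_mode": "host",
            "privileged": True,
        },
        "db": {"image": "postgres", "user": "postgresql", "network_mode": "bridge"},
    },
}


def build_arg_names(build):
    """Names of build arguments, for both the mapping and the list form."""
    if not isinstance(build, dict):
        return []  # string form (build: ./dir) has no args
    args = build.get("args") or {}
    if isinstance(args, dict):
        return [str(name) for name in args]
    return [str(item).split("=", 1)[0] for item in args]


def audit(doc):
    """Return (service, key, message) findings for a parsed Compose file."""
    # Version 1 files have no version key and declare services at the root.
    services = doc.get("services") if "version" in doc else doc
    findings = []
    for name, svc in sorted((services or {}).items()):
        if not isinstance(svc, dict):
            continue
        for key in HOST_SHARED_KEYS:
            if str(svc.get(key, "")).lower() == "host":
                findings.append((name, key, "shares a host namespace with the container"))
        if svc.get("privileged") is True:
            findings.append((name, "privileged", "runs with all isolation limits lifted"))
        for cap in svc.get("cap_add") or []:
            if str(cap).upper() in HIGH_RISK_CAPS:
                findings.append((name, "cap_add", f"adds capability {cap}"))
        for arg in build_arg_names(svc.get("build")):
            if SECRET_NAME.search(arg):
                findings.append(
                    (name, "build.args", f"build argument {arg} is kept in the image history")
                )
    return findings


if __name__ == "__main__":
    for service, key, message in audit(SAMPLE):
        print(f"{service}: {key}: {message}")
```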
Volume configuration reference
While it is possible to declare volumes on the fly as part of the service declaration, this section allows you to create named volumes that can be reused across multiple services (without relying on volumes_from), and are easily retrieved and inspected using the docker command line or API. See the docker volume subcommand documentation for more information.
driver
Specify which volume driver should be used for this volume. Defaults to local. The Docker Engine will return an error if the driver is not available.
driver: foobar
driver_opts
Specify a list of options as key-value pairs to pass to the driver for this volume. Those options are driver-dependent - consult the driver’s documentation for more information. Optional.
driver_opts:
foo: "bar"
external
If set to true, specifies that this volume has been created outside of Compose. docker-compose up will not attempt to create it, and will raise an error if it doesn’t exist.
external cannot be used in conjunction with other volume configuration keys (driver, driver_opts).
In the example below, instead of attempting to create a volume called [projectname]_data, Compose will look for an existing volume simply called data and mount it into the db service’s containers.
version: '2'
services:
  db:
    image: postgres
    volumes:
      - data:/var/lib/postgresql/data
volumes:
  data:
    external: true
You can also specify the name of the volume separately from the name used to refer to it within the Compose file:
volumes:
  data:
    external:
      name: actual-name-of-volume
Network configuration reference
The top-level networks key lets you specify networks to be created. For a full explanation of Compose’s use of Docker networking features, see the .
driver
Specify which driver should be used for this network.
The default driver depends on how the Docker Engine you’re using is configured, but in most instances it will be bridge on a single host and overlay on a Swarm.
The Docker Engine will return an error if the driver is not available.
driver: overlay
driver_opts
Specify a list of options as key-value pairs to pass to the driver for this network. Those options are driver-dependent - consult the driver’s documentation for more information. Optional.
driver_opts:
foo: "bar"
ipam
Specify custom IPAM config. This is an object with several properties, each of which is optional:
driver: Custom IPAM driver, instead of the default.
config: A list with zero or more config blocks, each containing any of the following keys:
  subnet: Subnet in CIDR format that represents a network segment
  ip_range: Range of IPs from which to allocate container IPs
  gateway: IPv4 or IPv6 gateway for the master subnet
  aux_addresses: Auxiliary IPv4 or IPv6 addresses used by Network driver, as a mapping from hostname to IP
A full example:
ipam:
  driver: default
  config:
    - subnet: 172.28.0.0/16
      ip_range: 172.28.5.0/24
      gateway: 172.28.5.254
      aux_addresses:
        host1: 172.28.1.5
        host2: 172.28.1.6
        host3: 172.28.1.7
external
If set to true, specifies that this network has been created outside of Compose. docker-compose up will not attempt to create it, and will raise an error if it doesn’t exist.
external cannot be used in conjunction with other network configuration keys (driver, driver_opts, ipam).
In the example below, proxy is the gateway to the outside world. Instead of attempting to create a network called [projectname]_outside, Compose will look for an existing network simply called outside and connect the proxy service’s containers to it.
version: '2'
build: ./proxy
build: ./app
external: true
You can also specify the name of the network separately from the name used to refer to it within the Compose file:
networks:
  outside:
    external:
      name: actual-name-of-network
Versioning
There are two versions of the Compose file format:
Version 1, the legacy format. This is specified by omitting a version key at the root of the YAML.
Version 2, the recommended format. This is specified with a version: '2' entry at the root of the YAML.
To move your project from version 1 to 2, see the section.
Note: If you’re using or , each file must be of the same version - you cannot mix version 1 and 2 in a single project.
Several things differ depending on which version you use:
The structure and permitted configuration keys
The minimum Docker Engine version you must be running
Compose’s behaviour with regards to networking
These differences are explained below.
Compose files that do not declare a version are considered “version 1”. In those files, all the services are declared at the root of the document.
Version 1 is supported by Compose up to 1.6.x. It will be deprecated in a future Compose release.
Version 1 files cannot declare named volumes, networks or build arguments.
redis:
  image: redis
Compose files using the version 2 syntax must indicate the version number at the root of the document. All services must be declared under the services key.
Version 2 files are supported by Compose 1.6.0+ and require a Docker Engine of version 1.10.0+.
Named volumes can be declared under the volumes key, and networks can be declared under the networks key.
Simple example:
version: '2'
services:
  redis:
    image: redis
A more extended example, defining volumes and networks:
version: '2'
services:
  web:
    build: .
    networks:
      - front-tier
      - back-tier
  redis:
    image: redis
    volumes:
      - redis-data:/var/lib/redis
    networks:
      - back-tier
volumes:
  redis-data:
    driver: local
networks:
  front-tier:
    driver: bridge
  back-tier:
    driver: bridge
In the majority of cases, moving from version 1 to 2 is a very simple process:
Indent the whole file by one level and put a services: key at the top.
Add a version: '2' line at the top of the file.
It’s more complicated if you’re using particular configuration features:
dockerfile: This now lives under the build key:
build:
  context: .
  dockerfile: Dockerfile-alternate
log_driver, log_opt: These now live under the logging key:
logging:
  driver: syslog
  options:
    syslog-address: "tcp://192.168.0.42:123"
links with environment variables: As documented in the , environment variables created by links have been deprecated for some time. In the new Docker network system, they have been removed. You should either connect directly to the appropriate hostname or set the relevant environment variable yourself, using the link hostname:
environment:
  - DB_PORT=tcp://db:5432
external_links: Compose uses Docker networks when running version 2 projects, so links behave slightly differently. In particular, two containers must be connected to at least one network in common in order to communicate, even if explicitly linked together.
Either connect the external container to your app’s , or connect both the external container and your service’s containers to an .
net: This is now replaced by network_mode:
net: host    ->  network_mode: host
net: bridge  ->  network_mode: bridge
net: none    ->  network_mode: none
If you’re using net: "container:[service name]", you must now use network_mode: "service:[service name]" instead.
net: "container:web"  ->  network_mode: "service:web"
If you’re using net: "container:[container name/id]", the value does not need to change.
net: "container:cont-name"  ->  network_mode: "container:cont-name"
net: "container:abc12345"   ->  network_mode: "container:abc12345"
volumes with named volumes: these must now be explicitly declared in a top-level volumes section of your Compose file. If a service mounts a named volume called data, you must declare a data volume in your top-level volumes section. The whole file might look like this:
version: '2'
services:
  db:
    image: postgres
    volumes: ["data:/var/lib/postgresql/data"]
volumes: {data: {}}
By default, Compose creates a volume whose name is prefixed with your project name. If you want it to just be called data, declare it as external:
volumes:
  data: {external: true}
Variable substitution
Your configuration options can contain environment variables. Compose uses the variable values from the shell environment in which docker-compose is run. For example, suppose the shell contains EXTERNAL_PORT=8000 and you supply this configuration:
ports:
  - "${EXTERNAL_PORT}:5000"
When you run docker-compose up with this configuration, Compose looks for the EXTERNAL_PORT environment variable in the shell and substitutes its value in. In this example, Compose resolves the port mapping to "8000:5000" before creating the web container.
If an environment variable is not set, Compose substitutes with an empty string. In the example above, if EXTERNAL_PORT is not set, the value for the port mapping is :5000 (which is of course an invalid port mapping, and will result in an error when attempting to create the container).
Both $VARIABLE and ${VARIABLE} syntax are supported. Extended shell-style features, such as ${VARIABLE-default} and ${VARIABLE/foo/bar}, are not supported.
You can use a $$ (double-dollar sign) when your configuration needs a literal dollar sign. This also prevents Compose from interpolating a value, so a $$ allows you to refer to environment variables that you don’t want processed by Compose.
command: "$$VAR_NOT_INTERPOLATED_BY_COMPOSE"
If you forget and use a single dollar sign ($), Compose interprets the value as an environment variable and will warn you:
The VAR_NOT_INTERPOLATED_BY_COMPOSE is not set. Substituting an empty string.
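An added example (not Compose's own code): a lint that applies the substitution rules above to every string in a parsed Compose document and reports variables that would silently become empty strings, so a missing variable is caught before deployment. It relies on Python's string.Template, which uses the same $NAME, ${NAME} and $$ forms; the names interpolate and lint_config and the sample document are constructed here, and rejecting the extended forms with ValueError is this sketch's choice.

```python
from string import Template

class _Recorder(dict):
    """Environment mapping that yields '' for unset names and records them."""
    def __init__(self, env):
        super().__init__(env)
        self.unset = []

    def __missing__(self, name):
        self.unset.append(name)
        return ""

def interpolate(value, env):
    """Substitute $NAME / ${NAME} in one string; $$ becomes a literal $.

    Returns (result, unset_names). Raises ValueError for extended
    shell-style forms such as ${VARIABLE-default}.
    """
    mapping = _Recorder(env)
    try:
        result = Template(value).substitute(mapping)
    except ValueError as exc:
        raise ValueError(f"unsupported interpolation in {value!r}") from exc
    return result, mapping.unset

def lint_config(node, env, path=""):
    """Walk a parsed document; return (path, name) for every unset variable."""
    findings = []
    if isinstance(node, dict):
        for key, child in node.items():
            findings += lint_config(child, env, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            findings += lint_config(child, env, f"{path}[{i}]")
    elif isinstance(node, str):
        findings += [(path, name) for name in interpolate(node, env)[1]]
    return findings

# Constructed sample: an already-parsed Compose document.
SAMPLE = {"services": {"web": {
    "ports": ["${EXTERNAL_PORT}:5000"],
    "command": "$$VAR_NOT_INTERPOLATED_BY_COMPOSE",
    "environment": ["DB_PORT=tcp://$DB_HOST:5432"],
}}}

if __name__ == "__main__":
    for where, name in lint_config(SAMPLE, {"DB_HOST": "db"}):
        print(f"{where}: {name} is not set, would become an empty string")
```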