The Docker client normally talks to the daemon locally over the Unix socket /var/run/docker.sock, or over the network through a TCP socket. Below is a typical example of the options passed to the Docker daemon at startup:
# ps -ef |grep dockerd
root 23438 1 0 00:41 ? 00:00:03 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root 24354 24336 0 08:15 pts/0 00:00:00 grep --color=auto dockerd
There are three ways the Docker client and daemon can communicate:
-H unix://
Docker uses the local Unix socket /var/run/docker.sock for communication.
-H tcp://0.0.0.0:2376
Makes the daemon reachable on port 2376 through every network interface. The port has to be opened in the security group (and, where possible, restricted to an allow-list of IP addresses) so that remote clients can reach the daemon; for security reasons this is generally not recommended.
-H fd://
The communication method used when Docker runs under systemd: systemd creates the socket and activates the Docker daemon on demand.
Linux systems:
Adding a remote API access endpoint
Ubuntu:
Edit the docker configuration file /lib/systemd/system/docker.service and find the line that runs the main command, which reads roughly "ExecStart=/usr/bin/dockerd -H fd:// … ". Add the parameter -H tcp://0.0.0.0:2375 to the dockerd command, which opens API access on port 2375.
For example, on my machine the corresponding line in the configuration file was originally:
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
After adding the parameter it becomes:
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock
The configuration after the change looks like this:
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket
Wants=containerd.service
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
#ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3
# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
OOMScoreAdjust=-500
[Install]
WantedBy=multi-user.target
Reload:
systemctl daemon-reload # reload the systemd unit configuration
systemctl restart docker.service # restart the docker service
Test:
CentOS
First edit the docker unit file on the host, /lib/systemd/system/docker.service.
Modify the line beginning with ExecStart (since my system is CentOS 7, I changed it to the following):
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
For CentOS versions older than 7, change ExecStart to:
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375
Save the file after editing, then tell systemd about the change:
systemctl daemon-reload
Restart the docker service:
service docker restart
Next, test whether the docker API can be reached. The 2375 above is the corresponding port:
curl http://localhost:2375/version
Mac:
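An added check, not part of the original post: this POSIX shell script classifies the -H listeners on a dockerd ExecStart line like the ones edited above and reports EXPOSED when a tcp:// listener is configured without --tlsverify. The sample lines are constructed from the unit-file excerpts in the post; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: classify the -H listeners on a
# dockerd ExecStart line so an admin can tell whether the edit described above
# left the Remote API reachable over plaintext TCP.

# Constructed sample lines, modelled on the unit-file excerpts in the post.
SAMPLE_EXPOSED='ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock'
SAMPLE_LOCAL='ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock'
SAMPLE_TLS='ExecStart=/usr/bin/dockerd --host=tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem'

# docker_api_verdict LINE
#   LOCAL   only unix:// or fd:// listeners (socket permissions guard access)
#   TLS     a tcp:// listener, but --tlsverify requires a client certificate
#   EXPOSED a tcp:// listener with no --tlsverify: whoever can reach the port
#           gets daemon-level (root-equivalent) access to the host
# Accepts "-H value", "-H=value", "--host value" and "--host=value".
docker_api_verdict() {
    tcp=0; tls=0
    case " $1 " in *" --tlsverify "*|*" --tlsverify=true "*) tls=1 ;; esac
    set -- $1                     # split the command line into tokens
    while [ $# -gt 0 ]; do
        host=
        case "$1" in
            -H|--host) [ $# -gt 1 ] && host=$2; shift ;;   # value is the next token
            -H=*)      host=${1#-H=} ;;
            --host=*)  host=${1#--host=} ;;
        esac
        case "$host" in tcp://*) tcp=1 ;; esac
        shift
    done
    if [ "$tcp" -eq 0 ]; then echo LOCAL
    elif [ "$tls" -eq 1 ]; then echo TLS
    else echo EXPOSED
    fi
}

# audit_unit_file FILE: verdict for every active ExecStart= line of a unit file,
# e.g. audit_unit_file /lib/systemd/system/docker.service on a live host.
audit_unit_file() {
    grep '^ExecStart=' "$1" | while IFS= read -r l; do
        echo "$(docker_api_verdict "$l")  $l"
    done
}
```

Run audit_unit_file against the unit file after `systemctl daemon-reload` to confirm which verdict the edited ExecStart line actually gets.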
brew install socat
socat TCP-LISTEN:2375,reuseaddr,fork UNIX-CONNECT:/var/run/docker.sock &
TCP-LISTEN: opens a local listening TCP port (TCP4-LISTEN would restrict it to IPv4);
reuseaddr: sets SO_REUSEADDR so the listening port can be bound again immediately after a restart;
fork: enables multi-connection mode, i.e. after each connection is accepted socat forks a child to handle it and keeps listening for the next one.
socat in listen mode occupies the foreground of the shell, so it needs to be run in the background.
docker -H tcp://10.10.11.99:2375 version