https://docs.docker.com/engine/reference/commandline/run/
https://docs.docker.com/engine/reference/commandline/exec/
- docker run – Runs a command in a new container.
- docker start – Starts one or more stopped containers
- docker stop – Stops one or more running containers
- docker build – Builds an image from a Dockerfile
- docker pull – Pulls an image or a repository from a registry
- docker push – Pushes an image or a repository to a registry
- docker export – Exports a container’s filesystem as a tar archive
- docker exec – Runs a command in a running container
- docker search – Searches the Docker Hub for images
- docker attach – Attaches to a running container
- docker commit – Creates a new image from a container’s changes
The --ipc=host and --ipc=container:id options have been added to the docker create and docker run commands so that containers can share IPC resources.
--ipc="" : Set the IPC mode for the container:
- 'container:<name|id>': reuses another container's IPC namespace
- 'host': use the host's IPC namespace inside the container
Configure namespaced kernel parameters (sysctls) at runtime
The --sysctl option sets namespaced kernel parameters (sysctls) in the container. For example, to turn on IP forwarding in the container's network namespace, run this command:
$ docker run --sysctl net.ipv4.ip_forward=1 someimage
Note: Not all sysctls are namespaced. Docker does not support changing sysctls inside a container that also modify the host system. As the kernel evolves we expect to see more sysctls become namespaced.
CURRENTLY SUPPORTED SYSCTLS
IPC Namespace:
- kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem, kernel.shmall, kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced
- Sysctls beginning with fs.mqueue.*
- If you use the --ipc=host option, these sysctls are not allowed.
Network Namespace:
- Sysctls beginning with net.*
- If you use the --network=host option, these sysctls are not allowed.
System V shared memory (shmget, shmat, shmdt) and mmap mappings of a regular file. System V shared memory supports a degree of in-memory data persistence: once a program has created a shared memory object, the IPC object and the data in it are retained until it is explicitly deleted or the physical host reboots. Mapping a regular file with mmap persists the in-memory data to the file, so the data survives even a reboot of the physical host unless the file is explicitly deleted.
mmap has two common shared-memory mapping modes: one maps /dev/zero, the other maps a regular file. With the former the data is released automatically when the program exits; with the latter it remains in the mapped file.
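The persistence behaviour just described, as an added example that is not from the page or from Docker's documentation: the first function writes into a System V segment, detaches, looks the segment up again by key and reads the data back (it survives the detach and is only gone after IPC_RMID); the second writes through a MAP_SHARED mapping of a regular file, unmaps and closes, then reopens the file and reads the bytes with read(2). The key 0x5a3c1, the path /tmp/shm_demo_file and the function names are my own constructed choices; it assumes a Linux host where System V IPC is available.

```c
/* Added example: persistence of System V shared memory and of an mmap'ed
   regular file.  Key, path and function names are constructed for the demo. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>
#include <sys/stat.h>
#include <unistd.h>

#define SHM_KEY   0x5a3c1                 /* constructed key; any fixed key works */
#define SHM_SIZE  4096
#define FILE_PATH "/tmp/shm_demo_file"    /* constructed path */
static const char MSG[] = "persisted";

/* Write MSG into a System V segment, detach, re-attach via the same key and
   read it back.  Returns 1 if the data survived the detach, 0 otherwise.
   The segment is removed with IPC_RMID at the end; without that step it stays
   in the IPC namespace after the process exits, until removed or reboot. */
int sysv_persists_after_detach(void) {
    int id = shmget(SHM_KEY, SHM_SIZE, IPC_CREAT | 0600);
    if (id < 0) { perror("shmget"); return 0; }
    char *p = shmat(id, NULL, 0);
    if (p == (char *)-1) { perror("shmat"); shmctl(id, IPC_RMID, NULL); return 0; }
    memcpy(p, MSG, sizeof MSG);
    shmdt(p);                              /* detach: object and its data remain */

    int id2 = shmget(SHM_KEY, SHM_SIZE, 0600);   /* look the object up again by key */
    if (id2 < 0) { perror("shmget again"); return 0; }
    char *q = shmat(id2, NULL, SHM_RDONLY);
    if (q == (char *)-1) { perror("shmat again"); shmctl(id2, IPC_RMID, NULL); return 0; }
    int ok = (id2 == id) && strcmp(q, MSG) == 0;
    shmdt(q);
    shmctl(id2, IPC_RMID, NULL);           /* explicit deletion, as the text describes */
    return ok;
}

/* Write MSG through a MAP_SHARED mapping of a regular file, unmap and close,
   then reopen the file and read it with plain read(2).  Returns 1 if the data
   reached the file, 0 otherwise.  The file is unlinked at the end; until then
   the data would survive even a host reboot. */
int file_mmap_persists_after_unmap(void) {
    int fd = open(FILE_PATH, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) { perror("open"); return 0; }
    if (ftruncate(fd, SHM_SIZE) < 0) { perror("ftruncate"); close(fd); return 0; }
    char *p = mmap(NULL, SHM_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) { perror("mmap"); close(fd); return 0; }
    memcpy(p, MSG, sizeof MSG);
    msync(p, SHM_SIZE, MS_SYNC);           /* flush the mapping to the file */
    munmap(p, SHM_SIZE);
    close(fd);                             /* mapping gone; the file keeps the bytes */

    char buf[sizeof MSG] = {0};
    fd = open(FILE_PATH, O_RDONLY);
    if (fd < 0) { perror("reopen"); return 0; }
    ssize_t n = read(fd, buf, sizeof MSG);
    close(fd);
    unlink(FILE_PATH);                     /* explicit deletion of the backing file */
    return n == (ssize_t)sizeof MSG && strcmp(buf, MSG) == 0;
}

int main(void) {
    printf("sysv: %s\n", sysv_persists_after_detach() ? "data survived detach" : "failed");
    printf("mmap: %s\n", file_mmap_persists_after_unmap() ? "data survived unmap" : "failed");
    return 0;
}
```

Run `ipcs -m` between the shmdt and the IPC_RMID call to watch the segment sit in the namespace with zero attached processes; with --ipc=host that namespace is the host's, which is why the text lists the kernel.shm* sysctls as unavailable in that mode.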
A running Docker container is a process with its own kernel namespaces: its pid, net, ipc, mnt, uts, user and other namespaces are isolated from those of other processes, so a program running inside the container behaves as though it had a "host" all to itself.