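Managing Docker's local image store
Starting a container requires an image, and building an image from a Dockerfile also downloads the images it depends on. When docker pull fetches an image from an external registry, how does Docker manage the image data locally?
On my VM, Docker's image storage driver is overlay. /var/lib/docker/image/overlay2/repositories.json is a plain JSON file with a very simple format: under Repositories it lists, one after another, every image that already exists locally.
The merged directory is the rootfs directory structure that the container sees once overlay2 has mounted the layers.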
root@iZt4n1u8u50jg1r5n6myn2Z:~# cat /var/lib/docker/image/overlay2/repositories.json | jq
{
"Repositories": {
"alpine": {
"alpine:3.11": "sha256:a787cb9865032e5b5a407ecdf34b57a23a4a076aaa043d71742ddb6726ec9229",
"alpine@sha256:bcae378eacedab83da66079d9366c8f5df542d7ed9ab23bf487e3e1a8481375d": "sha256:a787cb9865032e5b5a407ecdf34b57a23a4a076aaa043d71742ddb6726ec9229"
},
"bitnami/php-fpm": {
"bitnami/php-fpm:latest": "sha256:0d94e6597148af2af2cd8b894256ba21c6acb437f72518f7ce251a3ea85421d3",
"bitnami/php-fpm@sha256:dba2bb41c613c825d2e7fa88fdcd2ec662f90e1c026615c05789a1ed34a17d99": "sha256:0d94e6597148af2af2cd8b894256ba21c6acb437f72518f7ce251a3ea85421d3"
},
"busybox": {
"busybox:latest": "sha256:d23834f29b3875b6759be00a48013ba523c6a89fcbaeaa63607512118a9c4c19",
"busybox@sha256:52817dece4cfe26f581c834d27a8e1bcc82194f914afe6d50afad5a101234ef1": "sha256:d23834f29b3875b6759be00a48013ba523c6a89fcbaeaa63607512118a9c4c19"
},
"calico-node": {
"calico-node:base": "sha256:80a1a6b0a19c0d01d79fbb10ad9c17dd901106fa085958fbb75fcbf8873f08c4"
},
"calico/bird": {
"calico/bird:v0.3.3-182-g4b493986-amd64": "sha256:039b1de045060e8dad02608cc29ba9e1b144bd364fe3521dca5ce98bb2aaef47",
"calico/bird@sha256:f040de1b528e3a7fd59a7c81aa9ca6096cc4ac2564337c2ff3d52dbdf07ca9be": "sha256:039b1de045060e8dad02608cc29ba9e1b144bd364fe3521dca5ce98bb2aaef47"
},
"calico/bpftool": {
"calico/bpftool:v5.3-amd64": "sha256:bc0875ac43440ae8d7361f76d83472e3000231885866c46d2f0d7cb36c9a8368",
"calico/bpftool@sha256:2903c00eef4431140adc4655b10f5645dc1f9cc78c8a20d04682356670a02ba5": "sha256:bc0875ac43440ae8d7361f76d83472e3000231885866c46d2f0d7cb36c9a8368"
},
}
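Viewing an image's manifest
docker manifest inspect shows an image's manifest. The manifest describes how the image is stored, and mediaType indicates the type of each item it describes.
- In config, the mediaType is container.image.v1+json, which means the image's configuration is stored as a JSON file. The value after sha256 is the ID of the image's configuration file; running docker inspect on this ID and printing the file with cat produce the same content.
- In the layers below it, the mediaType is image.rootfs.diff.tar.gzip, which means each entry is one layer of the image's data, stored as a tar archive.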
root@iZt4n1u8u50jg1r5n6myn2Z:~# docker manifest inspect goharbor/harbor-db-base:dev
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"config": {
"mediaType": "application/vnd.docker.container.image.v1+json",
"size": 4111,
"digest": "sha256:2ed2ba057d8cabed044c54d36f918ea16673e3a289fa89c7520f57d46d7b3bfd"
},
"layers": [
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 15994577,
"digest": "sha256:cb54d1184a86b82843c849bbd232f27fd0b1b012c8770baea97b5a05244b2f48"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 1080392,
"digest": "sha256:7463ba7e68d03f78269f3f2ae4f6b15cc45d72d6c15989cf0cbdfe8dd625c2d0"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 5665629,
"digest": "sha256:ba06e5eb0d9c49f23d81fa2cdcc91f792ecf3a0c27710bdcf5622cef940897bc"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 62049341,
"digest": "sha256:604a291316d51f6a760b233cb6ce9680cc36cbe464933ff258c7a1bffd9c80af"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 12733349,
"digest": "sha256:e12f21e5718e13baf221587a559b1700dee8957cb39e9ef8906846c0195535a3"
}
]
}
Viewing an image's detailed configuration
Use the docker inspect command to view an image's detailed configuration.
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# docker inspect google/cadvisor:v0.33.0
[
{
"Id": "sha256:752d61707eac173cfe56a23aa9de051597444286163667d60f8e6d4c63306472",
"RepoTags": [
"google/cadvisor:v0.33.0"
],
"RepoDigests": [
"google/cadvisor@sha256:47f1f8c02a3acfab77e74e2ec7acc0d475adc180ddff428503a4ce63f3d6061b"
],
"Parent": "",
"Comment": "",
"Created": "2019-02-27T18:40:08.005242894Z",
"Container": "60b721dff23e41eee7d1728fdf0d62deff5c0ee053e29ba5da556b8b4fae93fa",
"ContainerConfig": {
"Hostname": "60b721dff23e",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"8080/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"GLIBC_VERSION=2.28-r0"
],
"Cmd": [
"/bin/sh",
"-c",
"#(nop) ",
"ENTRYPOINT [\"/usr/bin/cadvisor\" \"-logtostderr\"]"
],
"Healthcheck": {
"Test": [
"CMD-SHELL",
"curl -f http://localhost:8080/healthz || exit 1"
],
"Interval": 30000000000,
"Timeout": 3000000000
},
"ArgsEscaped": true,
"Image": "sha256:338328de3ca3663d600e94c0a2b3aee1df611f293c858b63d2fa9fa44bd53329",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": [
"/usr/bin/cadvisor",
"-logtostderr"
],
"OnBuild": null,
"Labels": {}
},
"DockerVersion": "18.06.2-ce",
"Author": "dengnan@google.com vmarmol@google.com vishnuk@google.com jimmidyson@gmail.com stclair@google.com",
"Config": {
"Hostname": "",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"8080/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"GLIBC_VERSION=2.28-r0"
],
"Cmd": null,
"Healthcheck": {
"Test": [
"CMD-SHELL",
"curl -f http://localhost:8080/healthz || exit 1"
],
"Interval": 30000000000,
"Timeout": 3000000000
},
"ArgsEscaped": true,
"Image": "sha256:338328de3ca3663d600e94c0a2b3aee1df611f293c858b63d2fa9fa44bd53329",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": [
"/usr/bin/cadvisor",
"-logtostderr"
],
"OnBuild": null,
"Labels": null
},
"Architecture": "amd64",
"Os": "linux",
"Size": 68607708,
"VirtualSize": 68607708,
"GraphDriver": {
"Data": {
"LowerDir": "/var/lib/docker/overlay2/1fc34ade9326a48261bfb2f5e3b134cc1db5b9e2f1faf7d5df5049be05d1fbd1/diff:/var/lib/docker/overlay2/5b1f40c8ed48fd43aa47d947d84eda7b80ca866aeb49c485dda326ca8eb76f76/diff",
"MergedDir": "/var/lib/docker/overlay2/8f377f94a7e3ab7c609e4054b414d346416a1f62a3ad9098ff7c0510a82212e9/merged",
"UpperDir": "/var/lib/docker/overlay2/8f377f94a7e3ab7c609e4054b414d346416a1f62a3ad9098ff7c0510a82212e9/diff",
"WorkDir": "/var/lib/docker/overlay2/8f377f94a7e3ab7c609e4054b414d346416a1f62a3ad9098ff7c0510a82212e9/work"
},
"Name": "overlay2"
},
"RootFS": {
"Type": "layers",
"Layers": [
"sha256:767f936afb51c8a3ad9a96592a4be092048bb70f2ca410028a0b3f64b826acbb",
"sha256:6a395a55089d2d886fdc814cf412e20d9d279110a3eb5768550b01f61e7b9cdb",
"sha256:09c65671850474d73700a2943d1564b60036dcc84122f8ffcd6cb34a2d2f9479"
]
},
}
]
Layers contains three sha256 values, which means the image is made up of three layers. The first entry is the bottom layer and the last entry is the top layer.
1. sha256:767f936afb51c8a3ad9a96592a4be092048bb70f2ca410028a0b3f64b826acbb
2. sha256:6a395a55089d2d886fdc814cf412e20d9d279110a3eb5768550b01f61e7b9cdb
3. sha256:09c65671850474d73700a2943d1564b60036dcc84122f8ffcd6cb34a2d2f9479
Finding the data for the first layer
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# find -name "767f936afb51c8a3ad9a96592a4be092048bb70f2ca410028a0b3f64b826acbb"
./image/overlay2/layerdb/sha256/767f936afb51c8a3ad9a96592a4be092048bb70f2ca410028a0b3f64b826acbb
./image/overlay2/distribution/v2metadata-by-diffid/sha256/767f936afb51c8a3ad9a96592a4be092048bb70f2ca410028a0b3f64b826acbb
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker#
Finding the second layer using the formula
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# echo -n "sha256:767f936afb51c8a3ad9a96592a4be092048bb70f2ca410028a0b3f64b826acbb sha256:6a395a55089d2d886fdc814cf412e20d9d279110a3eb5768550b01f61e7b9cdb" | sha256sum
57cbd50652751eebe058602a11d336fca0819d6394a11d032c6260fd3e811d2e -
# Confirm the layer hierarchy
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# cat ./image/overlay2/layerdb/sha256/57cbd50652751eebe058602a11d336fca0819d6394a11d032c6260fd3e811d2e/parent
sha256:767f936afb51c8a3ad9a96592a4be092048bb70f2ca410028a0b3f64b826acbb
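Finding the third layer using the formula chainID=sha256sum(H(chainID) diffid), where H(chainID) is the parent layer's chainID and the two values are joined by a single space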
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# echo -n "sha256:57cbd50652751eebe058602a11d336fca0819d6394a11d032c6260fd3e811d2e sha256:09c65671850474d73700a2943d1564b60036dcc84122f8ffcd6cb34a2d2f9479" | sha256sum
bdb7cdf8feed1bb5298e86ea62b251f6e22f505f13238c3a06e33a50313c38cd -
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# find -name "bdb7cdf8feed1bb5298e86ea62b251f6e22f505f13238c3a06e33a50313c38cd"
./image/overlay2/layerdb/sha256/bdb7cdf8feed1bb5298e86ea62b251f6e22f505f13238c3a06e33a50313c38cd
# Confirm
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# cat ./image/overlay2/layerdb/sha256/bdb7cdf8feed1bb5298e86ea62b251f6e22f505f13238c3a06e33a50313c38cd/parent
sha256:57cbd50652751eebe058602a11d336fca0819d6394a11d032c6260fd3e811d2e
Using the chainIDs computed above, read the cache-id file in each layer's directory and look at the directory it points to.
# The three computed layers
1. 767f936afb51c8a3ad9a96592a4be092048bb70f2ca410028a0b3f64b826acbb
2. 57cbd50652751eebe058602a11d336fca0819d6394a11d032c6260fd3e811d2e
3. bdb7cdf8feed1bb5298e86ea62b251f6e22f505f13238c3a06e33a50313c38cd
# View the first layer's data directory
cat image/overlay2/layerdb/sha256/767f936afb51c8a3ad9a96592a4be092048bb70f2ca410028a0b3f64b826acbb/cache-id
5b1f40c8ed48fd43aa47d947d84eda7b80ca866aeb49c485dda326ca8eb76f76
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# ls overlay2/5b1f40c8ed48fd43aa47d947d84eda7b80ca866aeb49c485dda326ca8eb76f76/diff/
bin dev etc home lib media mnt proc root run sbin srv sys tmp usr var
# View the second layer's data
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# cat image/overlay2/layerdb/sha256/57cbd50652751eebe058602a11d336fca0819d6394a11d032c6260fd3e811d2e/cache-id
1fc34ade9326a48261bfb2f5e3b134cc1db5b9e2f1faf7d5df5049be05d1fbd1
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# ls overlay2/1fc34ade9326a48261bfb2f5e3b134cc1db5b9e2f1faf7d5df5049be05d1fbd1/diff/
etc lib lib64 sbin usr var
# View the third layer's data
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# cat image/overlay2/layerdb/sha256/bdb7cdf8feed1bb5298e86ea62b251f6e22f505f13238c3a06e33a50313c38cd/cache-id
8f377f94a7e3ab7c609e4054b414d346416a1f62a3ad9098ff7c0510a82212e9
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# ls overlay2/8f377f94a7e3ab7c609e4054b414d346416a1f62a3ad9098ff7c0510a82212e9/diff/
usr
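The manual lookup above can be scripted. The following is an added example, not part of the original post: it recomputes each layer's chainID from the RootFS.Layers diffids and resolves the overlay2 directory through cache-id. The function names chain_ids and layer_dirs and the /var/lib/docker data root in the last comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): walk an image's layers the way
# the transcript above does by hand.

# chain_ids DIFFID... : print one chainID per layer, bottom layer first.
# chainID(1) = diffid(1); chainID(n) = sha256("chainID(n-1) diffid(n)")
chain_ids() {
    chain=""
    for diffid in "$@"; do
        if [ -z "$chain" ]; then
            chain="$diffid"
        else
            hex=$(printf '%s %s' "$chain" "$diffid" | sha256sum | cut -d' ' -f1)
            chain="sha256:$hex"
        fi
        printf '%s\n' "$chain"
    done
}

# layer_dirs ROOT DIFFID... : print "chainID<TAB>diff directory" per layer.
# Returns 1 if any layer has no readable layerdb entry under ROOT, e.g. the
# image is not stored there or its metadata is incomplete.
layer_dirs() {
    root=$1
    shift
    rc=0
    for cid in $(chain_ids "$@"); do
        meta="$root/image/overlay2/layerdb/sha256/${cid#sha256:}"
        if [ -r "$meta/cache-id" ]; then
            printf '%s\t%s\n' "$cid" "$root/overlay2/$(cat "$meta/cache-id")/diff"
        else
            printf '%s\tMISSING\n' "$cid"
            rc=1
        fi
    done
    return "$rc"
}

# RootFS.Layers of google/cadvisor:v0.33.0, copied from the docker inspect output
CADVISOR_DIFFIDS="sha256:767f936afb51c8a3ad9a96592a4be092048bb70f2ca410028a0b3f64b826acbb \
sha256:6a395a55089d2d886fdc814cf412e20d9d279110a3eb5768550b01f61e7b9cdb \
sha256:09c65671850474d73700a2943d1564b60036dcc84122f8ffcd6cb34a2d2f9479"

chain_ids $CADVISOR_DIFFIDS
# On a Docker host (assumed data root): layer_dirs /var/lib/docker $CADVISOR_DIFFIDS
```

A MISSING line for a layer means the chainID has no layerdb entry, which is worth checking when reconciling what docker inspect reports against what is actually on disk.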
Starting a container
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# docker run --entrypoint sh --rm -it google/cadvisor:v0.33.0
/ # ls
bin dev etc home lib lib64 media mnt proc root run sbin srv sys tmp usr var
Viewing the container ID
root@iZt4n1u8u50jg1r5n6myn2Z:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
072afc5171ff google/cadvisor:v0.33.0 "sh" 13 seconds ago Up 12 seconds (health: starting) 8080/tcp goofy_colden
Viewing the container's related information
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# find -name "072afc5171ff*"
./containers/072afc5171fff6aceaf669c7ecb6df9902129f912512c7f8bfe5aac7dad748c0
./containers/072afc5171fff6aceaf669c7ecb6df9902129f912512c7f8bfe5aac7dad748c0/072afc5171fff6aceaf669c7ecb6df9902129f912512c7f8bfe5aac7dad748c0-json.log
./image/overlay2/layerdb/mounts/072afc5171fff6aceaf669c7ecb6df9902129f912512c7f8bfe5aac7dad748c0
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker#
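Under image/overlay2/layerdb/mounts there is a directory named after the container ID, and inside it is an init-id file. Judging by the name, it should refer to data specific to this container. As an analogy: a process running in a container is restricted in many ways, but it still needs its supporting facilities. For example, DNS settings added via docker run are stored in etc/resolv.conf under this init-id directory.
# init-id and mount-id carry the same id (init-id adds the -init suffix); it is the id of this layer
# parent is the id of the topmost layer.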
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# cat ./image/overlay2/layerdb/mounts/072afc5171fff6aceaf669c7ecb6df9902129f912512c7f8bfe5aac7dad748c0/init-id
a7a9309e6d612f56f02aa88df32c3366f1ac65c27ca523f85b628569cc19b300-init
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker#
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# cat ./image/overlay2/layerdb/mounts/072afc5171fff6aceaf669c7ecb6df9902129f912512c7f8bfe5aac7dad748c0/mount-id
a7a9309e6d612f56f02aa88df32c3366f1ac65c27ca523f85b628569cc19b300
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker#
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# cat ./image/overlay2/layerdb/mounts/072afc5171fff6aceaf669c7ecb6df9902129f912512c7f8bfe5aac7dad748c0/parent
sha256:bdb7cdf8feed1bb5298e86ea62b251f6e22f505f13238c3a06e33a50313c38cd
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# ls ./overlay2/a7a9309e6d612f56f02aa88df32c3366f1ac65c27ca523f85b628569cc19b300-init/diff/
dev etc
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# ls overlay2/a7a9309e6d612f56f02aa88df32c3366f1ac65c27ca523f85b628569cc19b300/
diff link lower merged work
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# ls overlay2/a7a9309e6d612f56f02aa88df32c3366f1ac65c27ca523f85b628569cc19b300/diff/
root
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker# ls overlay2/a7a9309e6d612f56f02aa88df32c3366f1ac65c27ca523f85b628569cc19b300/merged/
bin dev etc home lib lib64 media mnt proc root run sbin srv sys tmp usr var
root@iZt4n1u8u50jg1r5n6myn2Z:/var/lib/docker#
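Coming up next
After a container starts it sees only a single directory, yet that directory is a union of several directories. So what path does an access to a file in the rootfs actually take? The next post will cover how the overlayfs filesystem works in depth. Stay tuned.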