Docker remote access

  Docker uses the standard client/server (C/S) architecture: the client and the server can run on the same machine or on different machines, communicating through a socket or the RESTful API.

root@admin-dsq:/var/lib/docker# docker version
Client:
Version: 18.09.5
API version: 1.39
Go version: go1.10.8
Git commit: e8ff056
Built: Thu Apr 11 04:44:24 2019
OS/Arch: linux/amd64
Experimental: false

Server: Docker Engine - Community
Engine:
Version: 18.09.5
API version: 1.39 (minimum version 1.12)
Go version: go1.10.8
Git commit: e8ff056
Built: Thu Apr 11 04:10:53 2019
OS/Arch: linux/amd64
Experimental: false
[root@docker-study ~]# docker version 
Client:
Version: 18.09.0
API version: 1.39
Go version: go1.10.4
Git commit: 4d60db4
Built: Wed Nov 7 00:48:22 2018
OS/Arch: linux/amd64
Experimental: false

Server: Docker Engine - Community
Engine:
Version: 18.09.0
API version: 1.39 (minimum version 1.12)
Go version: go1.10.4
Git commit: 4d60db4
Built: Wed Nov 7 00:19:08 2018
OS/Arch: linux/amd64
Experimental: false
[root@docker-study ~]#

Server

  The Docker daemon normally runs in the background on the host and, as the server, accepts requests from clients (build, pull, run, ...).
  By design the daemon is modular: a dedicated Engine module dispatches and manages the tasks arriving from the various clients.
  By default the daemon listens on the local unix:///var/run/docker.sock socket, which only local root and members of the docker group are allowed to access.

Client

  The Docker client provides the user with a set of executable commands used to interact with the Docker daemon.
  Likewise, by default the client sends its commands to the server through the local unix:///var/run/docker.sock socket; if the server is not listening on the default address, the client has to specify the server address explicitly when running a command.

Configuring remote access

The unix:///var/run/docker.sock method (default)

  The listening address and port can be changed directly with docker daemon -H 0.0.0.0:2375, but after the change the daemon can no longer be reached locally.

  First problem: there is no daemon subcommand

[root@docker-study ~]# docker daemon -H 0.0.0.0:2375
docker: 'daemon' is not a docker command.
See 'docker --help'
[root@docker-study ~]#

  Solution:

[root@docker-study ~]# man docker | grep daemon
docker is a client for interacting with the daemon (see dockerd(8)) through the CLI.
The socket(s) to bind to in daemon mode specified using one or more
Use TLS and verify the remote (daemon: verify client, client: verify daemon).

  The man page points to dockerd, so look at its manual next

NAME
dockerd - Enable daemon mode

SYNOPSIS
………………………………

DESCRIPTION
dockerd is used for starting the Docker daemon (i.e., to command the daemon to manage images, containers etc). So dockerd is a
server, as a daemon.

To run the Docker daemon you can specify dockerd. You can check the daemon options using dockerd --help. Daemon options should be
specified after the dockerd keyword in the following format.

  The description shows that the dockerd command can be used directly

  Another problem:

[root@docker-study ~]# dockerd -H 0.0.0.0:2375
Error starting daemon: pid file found, ensure docker is not running or delete /var/run/docker.pid

  On Linux, a *.pid file under /var/run/ is a text file with a single line: the PID of some process. The purpose of the .pid file is to prevent multiple copies of a process from starting: only the process that obtains the write lock (F_WRLCK) on a specific pid file (fixed path and file name) can start normally and write its own PID into that file; any surplus processes of the same program exit automatically.

Source: https://blog.csdn.net/qq_29344757/article/details/79875693
[root@docker-study ~]# systemctl stop docker 
[root@docker-study ~]# dockerd -H 0.0.0.0:2375
WARN[2019-04-01T15:37:42.169194593+08:00] [!] DON'T BIND ON ANY IP ADDRESS WITHOUT setting --tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING [!]
INFO[2019-04-01T15:37:42.243451549+08:00] parsed scheme: "unix" module=grpc
INFO[2019-04-01T15:37:42.243544854+08:00] scheme "unix" not registered, fallback to default scheme module=grpc
INFO[2019-04-01T15:37:42.243795794+08:00] parsed scheme: "unix" module=grpc
INFO[2019-04-01T15:37:42.243845181+08:00] scheme "unix" not registered, fallback to default scheme module=grpc
INFO[2019-04-01T15:37:42.243882171+08:00] ccResolverWrapper: sending new addresses to cc: [{unix:///run/containerd/containerd.sock 0 <nil>}] module=grpc
INFO[2019-04-01T15:37:42.244259439+08:00] ClientConn switching balancer to "pick_first" module=grpc
INFO[2019-04-01T15:37:42.244554066+08:00] ccResolverWrapper: sending new addresses to cc: [{unix:///run/containerd/containerd.sock 0 <nil>}] module=grpc
INFO[2019-04-01T15:37:42.244639324+08:00] ClientConn switching balancer to "pick_first" module=grpc
INFO[2019-04-01T15:37:42.244632164+08:00] pickfirstBalancer: HandleSubConnStateChange: 0xc42075c160, CONNECTING module=grpc
INFO[2019-04-01T15:37:42.244733235+08:00] pickfirstBalancer: HandleSubConnStateChange: 0xc4208058f0, CONNECTING module=grpc
INFO[2019-04-01T15:37:42.248230966+08:00] pickfirstBalancer: HandleSubConnStateChange: 0xc4208058f0, READY module=grpc
INFO[2019-04-01T15:37:42.248916291+08:00] pickfirstBalancer: HandleSubConnStateChange: 0xc42075c160, READY module=grpc
INFO[2019-04-01T15:37:42.328176882+08:00] [graphdriver] using prior storage driver: overlay2
INFO[2019-04-01T15:37:42.378297370+08:00] Graph migration to content-addressability took 0.00 seconds
INFO[2019-04-01T15:37:42.381815767+08:00] Loading containers: start.
INFO[2019-04-01T15:37:43.185355254+08:00] Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address
INFO[2019-04-01T15:37:43.367934536+08:00] Loading containers: done.
INFO[2019-04-01T15:37:43.461672778+08:00] Docker daemon commit=4d60db4 graphdriver(s)=overlay2 version=18.09.0
INFO[2019-04-01T15:37:43.461917242+08:00] Daemon has completed initialization
WARN[2019-04-01T15:37:43.476514418+08:00] Could not register builder git source: failed to find git binary: exec: "git": executable file not found in $PATH
INFO[2019-04-01T15:37:43.503134754+08:00] API listen on [::]:2375

  Now open a second terminal

[root@docker-study ~]# netstat -antp | grep 2375 # check the port
tcp6 0 0 :::2375 :::* LISTEN 23099/dockerd
[root@docker-study ~]# docker version # access locally
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
[root@docker-study ~]#

  Back in the first terminal

INFO[2019-04-01T15:37:43.503014754+08:00] API listen on [::]:2375                      

^CINFO[2019-04-01T16:14:40.215430655+08:00] Processing signal 'interrupt'
INFO[2019-04-01T16:14:40.224031663+08:00] stopping event stream following graceful shutdown error="<nil>" module=libcontainerd namespace=moby
[root@docker-study ~]# netstat -antp | grep 2375
[root@docker-study ~]#

  This method only changes the runtime configuration and leaves the configuration file untouched; after Ctrl+C the daemon handles the interrupt signal and port 2375 is closed.


The tcp://host:port method

  admin-dsq is the server, docker-study is the client

  On the server, edit docker.service as follows

root@admin-dsq:/var/lib/docker# cat /lib/systemd/system/docker.service 
…………
#ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock # listen on the local socket and on port 2375
…………

root@admin-dsq:/var/lib/docker# systemctl daemon-reload
root@admin-dsq:/var/lib/docker# systemctl restart docker
[root@docker-study ~]# docker -H 172.18.74.62 info
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 18.09.5
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: bb71b10fd8f58240ca47fbb579b9d1028eea7c84
runc version: 2b18fe1d885ee5083ef9f0838fee39b62d653e30
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.4.0-145-generic
Operating System: Ubuntu 16.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 4.031GiB
Name: admin-dsq
ID: 26JC:YRWW:2HL7:W5AA:6FGM:UZEZ:EXMR:IR6A:GA2Z:IJBS:S5OA:QYKA
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

WARNING: API is accessible on http://0.0.0.0:2375 without encryption.
Access to the remote API is equivalent to root access on the host. Refer
to the 'Docker daemon attack surface' section in the documentation for
more information: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface
WARNING: No swap limit support

  Now docker info connects to the Docker daemon on the server

  The first warning says that this method has no authentication: any access to the remote API is equivalent to root access on the host. Authentication is covered in the next article.
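The -H flags used throughout this section and the warning just discussed can be checked mechanically. The following is an added example, not Docker's own code and not from this article: it reads the active ExecStart= line of a docker.service unit, extracts every -H/--host value together with the --tlsverify flag, and classifies each TCP listener. SAMPLE_UNIT is a constructed copy of the edited unit shown above; the severity labels and the LOOPBACK set are the example's own choices.

```python
#!/usr/bin/env python3
"""Audit a dockerd command line (typically the ExecStart= of docker.service)
for API listeners reachable without TLS client verification.
Added example; not part of Docker or of the original article."""
import shlex
from urllib.parse import urlsplit

# Constructed sample modelled on the edited /lib/systemd/system/docker.service above
SAMPLE_UNIT = """\
[Service]
#ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}   # example's own notion of "local only"


def active_execstart(unit_text):
    """Return the command from the first uncommented ExecStart= line, or None."""
    for line in unit_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("ExecStart="):
            return stripped[len("ExecStart="):]
    return None


def parse_hosts(cmdline):
    """Extract ([-H/--host values], tlsverify) from a dockerd command line."""
    tokens = shlex.split(cmdline, comments=True)   # drop trailing "# ..." annotations
    hosts, tlsverify = [], False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-H", "--host"):                 # value is the next token
            i += 1
            if i < len(tokens):
                hosts.append(tokens[i])
        elif tok.startswith(("-H=", "--host=")):    # -H=value / --host=value
            hosts.append(tok.split("=", 1)[1])
        elif tok.startswith("-H"):                  # shorthand glued form: -Htcp://...
            hosts.append(tok[2:])
        elif tok == "--tlsverify":
            tlsverify = True
        elif tok.startswith("--tlsverify="):
            tlsverify = tok.split("=", 1)[1].lower() in ("true", "1")
        i += 1
    return hosts, tlsverify


def classify(host):
    """Map one -H value to (scheme, hostname, port); a bare host:port means tcp."""
    if "://" not in host:
        host = "tcp://" + host       # dockerd interprets -H 0.0.0.0:2375 as TCP
    parts = urlsplit(host)
    if parts.scheme != "tcp":
        return parts.scheme, None, None
    return "tcp", (parts.hostname or ""), parts.port   # "" = every interface


def audit(cmdline):
    """Return [(host, severity, reason)] for every TCP listener on the command line."""
    hosts, tlsverify = parse_hosts(cmdline)
    findings = []
    for host in hosts:
        scheme, hostname, _port = classify(host)
        if scheme != "tcp":
            continue   # unix:// and fd:// stay behind local file permissions
        if hostname in LOOPBACK:
            if not tlsverify:
                findings.append((host, "warning",
                                 "loopback TCP without TLS: any local user reaches the "
                                 "root-equivalent API, unlike the group-restricted socket"))
            continue
        if tlsverify:
            findings.append((host, "info",
                             "network listener with --tlsverify: confirm the CA and firewall rules"))
        else:
            findings.append((host, "critical",
                             "network listener without --tlsverify: unauthenticated root-equivalent API"))
    return findings


if __name__ == "__main__":
    command = active_execstart(SAMPLE_UNIT)
    for host, severity, reason in audit(command):
        print(f"[{severity}] {host}: {reason}")
```

The bare host:port case is handled because the dockerd -H 0.0.0.0:2375 run earlier in this article ended with "API listen on [::]:2375" without any scheme being given; the loopback case is rated separately because, unlike the Unix socket restricted to root and the docker group, a TCP port on 127.0.0.1 is reachable by every local user.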

  About the second warning:

Excerpted from http://www.talkwithtrend.com/Question/123541?order=asc

  According to the message, only the swap account in cgroups is not enabled. This feature is used with commands like docker run -m=1524288 -it ubuntu /bin/bash to cap the memory a docker container may use, so this is only a WARNING and does not affect use.

  Solution:

When users run Docker, they may see these messages when working with an image:
WARNING: Your kernel does not support cgroup swap limit. WARNING: Your
kernel does not support swap limit capabilities. Limitation discarded.
To prevent these messages, enable memory and swap accounting on your system. To enable these on a system using GNU GRUB (GNU GRand Unified Bootloader), do the following.
Log into Ubuntu as a user with sudo privileges.
Edit the /etc/default/grub file. # edit the file
Set the GRUB_CMDLINE_LINUX value as follows:
GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1" # set the value
Save and close the file. # save and exit
Update GRUB.
$ sudo update-grub # run update-grub
Reboot your system. # reboot the operating system

The RESTful API method

[root@docker-study ~]# curl 172.18.74.62:2375/info
For details see:
https://docs.docker.com/develop/sdk/
https://docs.docker.com/engine/api/
https://docs.docker.com/registry/spec/api/
https://docs.docker.com/reference/dtr/2.6/api/
https://docs.docker.com/reference/ucp/3.1/api/
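The curl call above is a plain HTTP request to the Engine API. As an added example (not from this article and not one of Docker's SDKs), the following Python fetches GET /info either over the default Unix socket or over a tcp host such as the 172.18.74.62:2375 listener configured above, and summarize_info picks out the fields a reviewer looks at first: server version, host name, security options and swarm state. SAMPLE_INFO is a constructed response modelled on the docker info output shown earlier, and UnixHTTPConnection is the example's own helper.

```python
#!/usr/bin/env python3
"""Query the Docker Engine API (GET /info) over the Unix socket or a TCP host.
Added example; not part of the original article or of Docker's SDKs."""
import http.client
import json
import socket


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that talks to a Unix-domain socket (example helper)."""

    def __init__(self, sock_path):
        super().__init__("localhost")
        self.sock_path = sock_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.sock_path)


def engine_get(path, host=None, sock_path="/var/run/docker.sock"):
    """GET an Engine API path. host="ip:port" uses plain TCP like the curl call
    above; otherwise the local socket (root / docker group only) is used."""
    conn = http.client.HTTPConnection(host, timeout=5) if host else UnixHTTPConnection(sock_path)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, json.loads(resp.read())
    finally:
        conn.close()


def summarize_info(info):
    """Pull the fields a reviewer checks first out of a GET /info body."""
    security = {}
    for opt in info.get("SecurityOptions", []):
        # entries look like "name=seccomp,profile=default"
        fields = dict(item.split("=", 1) for item in opt.split(","))
        security[fields.pop("name")] = fields
    return {
        "version": info.get("ServerVersion"),
        "host": info.get("Name"),
        "security": security,
        "swarm": info.get("Swarm", {}).get("LocalNodeState"),
    }


# Constructed response modelled on the `docker info` output shown earlier in this article
SAMPLE_INFO = {
    "ServerVersion": "18.09.5",
    "Name": "admin-dsq",
    "SecurityOptions": ["name=apparmor", "name=seccomp,profile=default"],
    "Swarm": {"LocalNodeState": "inactive"},
}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. 172.18.74.62:2375
    try:
        status, body = engine_get("/info", host=target)
    except OSError as exc:
        print(f"engine unreachable ({exc}); showing the constructed sample instead")
        status, body = 200, SAMPLE_INFO
    print(status, json.dumps(summarize_info(body), indent=2))
```

Run without arguments it uses the local socket, so it works only as root or as a member of the docker group; run with ip:port it reaches the same API over the unauthenticated listener, which is exactly why the warning in the previous section equates that listener with root on the host.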
------ end ------