Docker 容器作为 Linux 服务?
Docker containers as Linux services?
我刚刚在远程虚拟机上创建了一个安全的 Docker Registry 和 运行(使用 docker run ...)。然后我 运行 docker ps 发现它实际上是 运行ning。我退出了机器,然后 SSH 返回。再次,我 运行 docker ps 并验证了它 "survived" 我退出了 SSH 会话。
这让我想知道:做 Docker 容器实际上 运行 作为 Linux 服务? 如果没有,有没有办法得到他们 运行 作为传统(upstart 或 systemd 为基础的)服务?甚至有 reason/merit 可以这样做吗?
docker 引擎作为守护进程运行。
这是在“Host integration”中提到的:
As of Docker 1.2, restart policies are the built-in Docker mechanism for restarting containers when they exit. If set, restart policies will be used when the Docker daemon starts up, as typically happens after a system boot. Restart policies will ensure that linked containers are started in the correct order.
If restart policies don’t suit your needs (i.e., you have non-Docker processes that depend on Docker containers), you can use a process manager like upstart, systemd or supervisor instead.
顺便说一句,这涉及(当容器运行时带有某些选项)一些安全问题:参见 issue 14767 and issue 6401:
The container (with --net host option) is the host when it comes to the network stack so any services running on the host are accessible to the container. It just so happens that you communicate to upstart ( and others ) this way.
This feature is a runtime only option, just like the --privileged flag, therefore an image cannot request this, it must be explicitly set at runtime.
我刚刚在远程虚拟机上创建了一个安全的 Docker Registry 和 运行(使用 docker run ...)。然后我 运行 docker ps 发现它实际上是 运行ning。我退出了机器,然后 SSH 返回。再次,我 运行 docker ps 并验证了它 "survived" 我退出了 SSH 会话。
这让我想知道:做 Docker 容器实际上 运行 作为 Linux 服务? 如果没有,有没有办法得到他们 运行 作为传统(upstart 或 systemd 为基础的)服务?甚至有 reason/merit 可以这样做吗?
docker 引擎作为守护进程运行。
这是在“Host integration”中提到的:
As of Docker 1.2, restart policies are the built-in Docker mechanism for restarting containers when they exit. If set, restart policies will be used when the Docker daemon starts up, as typically happens after a system boot. Restart policies will ensure that linked containers are started in the correct order.
If restart policies don’t suit your needs (i.e., you have non-Docker processes that depend on Docker containers), you can use a process manager like
upstart,systemdorsupervisorinstead.
顺便说一句,这涉及(当容器运行时带有某些选项)一些安全问题:参见 issue 14767 and issue 6401:
The container (with
--net hostoption) is the host when it comes to the network stack so any services running on the host are accessible to the container. It just so happens that you communicate to upstart ( and others ) this way.This feature is a runtime only option, just like the
--privilegedflag, therefore an image cannot request this, it must be explicitly set at runtime.