Linux通过curl访问docker.sock/API执行docker操作:修订间差异
来自三线的随记
小无编辑摘要 |
小无编辑摘要 |
||
(未显示同一用户的19个中间版本) | |||
第8行: | 第8行: | ||
=== 通过curl socket完成镜像拉取操作 === | === 通过curl socket完成镜像拉取操作 === | ||
通过docker cli进行操作+抓包获取基本报文格式 | |||
POST /v1.41/images/create?fromImage=10.82.123.123%2Fpublic%2Fmaven&tag=3.3.9-public HTTP/1.1 | POST /v1.41/images/create?fromImage=10.82.123.123%2Fpublic%2Fmaven&tag=3.3.9-public HTTP/1.1 | ||
Host: docker | Host: docker | ||
第22行: | 第22行: | ||
curl -s --unix-socket /var/run/docker.sock "<nowiki>http://localhost/v1.41/images/json?filters=\{</nowiki>\"dangling\":\[\"true\"\]\}" | curl -s --unix-socket /var/run/docker.sock "<nowiki>http://localhost/v1.41/images/json?filters=\{</nowiki>\"dangling\":\[\"true\"\]\}" | ||
=== | === 通过curl socket获取指定REPOSITORY+TAG镜像信息 === | ||
#!/bin/env bash | 注意是全名字匹配 | ||
curl -s --unix-socket /var/run/docker.sock "http:/v1.24/images/json?filters=\{\"reference\":\{\"mysql\":true\}\}" | |||
[{"Containers":-1,"Created":1602576181,"Id":"sha256:8e85dd5c32558ea5c22cc4786cff512c1940270a50e7dbc21ad2df42f0637de4","Labels":null,"ParentId":"","RepoDigests":["mysql@sha256:86b7c83e24c824163927db1016d5ab153a9a04358951be8b236171286e3289a4"],"RepoTags":["mysql:8.0.21"],"SharedSize":-1,"Size":544193587,"VirtualSize":544193587},{"Containers":-1,"Created":1532654095,"Id":"sha256:6bb891430fb6e2d3b4db41fd1f7ece08c5fc769d8f4823ec33c7c7ba99679213","Labels":null,"ParentId":"","RepoDigests":["mysql@sha256:aaba540cdd9313645d892f4f20573e8b42b30e5be71c054b7befed2f7da5f85b"],"RepoTags":["mysql:5.7.22"],"SharedSize":-1,"Size":371941626,"VirtualSize":371941626}] | |||
如果需要半匹配,用 <code>*</code> 号即可(测试下来发现好像只能省略后缀,不能省略前缀,可以匹配tag,区分大小写) | |||
curl -s --unix-socket /var/run/docker.sock "http:/v1.24/images/json?filters=\{\"reference\":\{\"*m*\":true\}\}"|jq . | |||
[ | |||
{ | |||
"Containers": -1, | |||
"Created": 1665115518, | |||
"Id": "sha256:9622db9aed586c97c6a18d912b965f3d4c02fdf749650c7ee57a9a6b8cde3dd7", | |||
"Labels": null, | |||
"ParentId": "", | |||
"RepoDigests": null, | |||
"RepoTags": [ | |||
"sonarqube:8.9.9-community" | |||
], | |||
"SharedSize": -1, | |||
"Size": 499466355, | |||
"VirtualSize": 499466355 | |||
}, | |||
{ | |||
"Containers": -1, | |||
"Created": 1612947183, | |||
"Id": "sha256:8415759abc07b3d3dcd43cecd924caa3ed68bc5d4a4166e50565a4a1b344a7e5", | |||
"Labels": null, | |||
"ParentId": "", | |||
"RepoDigests": null, | |||
"RepoTags": [ | |||
"node:14.15.5-stretch-slim" | |||
], | |||
"SharedSize": -1, | |||
"Size": 166658514, | |||
"VirtualSize": 166658514 | |||
}, | |||
{ | |||
"Containers": -1, | |||
"Created": 1602576181, | |||
"Id": "sha256:8e85dd5c32558ea5c22cc4786cff512c1940270a50e7dbc21ad2df42f0637de4", | |||
"Labels": null, | |||
"ParentId": "", | |||
"RepoDigests": [ | |||
"mysql@sha256:86b7c83e24c824163927db1016d5ab153a9a04358951be8b236171286e3289a4" | |||
], | |||
"RepoTags": [ | |||
"mysql:8.0.21" | |||
], | |||
"SharedSize": -1, | |||
"Size": 544193587, | |||
"VirtualSize": 544193587 | |||
}, | |||
{ | |||
"Containers": -1, | |||
"Created": 1532654095, | |||
"Id": "sha256:6bb891430fb6e2d3b4db41fd1f7ece08c5fc769d8f4823ec33c7c7ba99679213", | |||
"Labels": null, | |||
"ParentId": "", | |||
"RepoDigests": [ | |||
"mysql@sha256:aaba540cdd9313645d892f4f20573e8b42b30e5be71c054b7befed2f7da5f85b" | |||
], | |||
"RepoTags": [ | |||
"mysql:5.7.22" | |||
], | |||
"SharedSize": -1, | |||
"Size": 371941626, | |||
"VirtualSize": 371941626 | |||
} | |||
] | |||
=== 简单的通过curl + socket进行清理镜像的bash脚本例子 === | |||
#!/usr/bin/env bash | |||
#exec 1>/proc/1/fd/1 2>/proc/1/fd/2 | |||
docker_api_version=v1.41 | docker_api_version=v1.41 | ||
curl_options=( | curl_options=( | ||
第30行: | 第102行: | ||
) | ) | ||
dangling_images=(`curl "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/images/json?filters=%7B%22dangling%22%3A%5B%22true%22%5D%7D&all=1</nowiki>" | jq -r .[].Id`) | dangling_images=(`curl "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/images/json?filters=%7B%22dangling%22%3A%5B%22true%22%5D%7D&all=1</nowiki>" | jq -r .[].Id`) | ||
# TODO: clean up stopped non-k8s containers | |||
echo "cleaning dangling images:" | |||
for image in ${dangling_images[*]} | |||
do | |||
echo $image | |||
(set -x; curl -X DELETE "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/images/$image</nowiki>" ) | |||
done | |||
echo "cleaning | echo -n "cleaning images without specific string: " | ||
for image in ${ | echo ${image_exclude:="(/kube-system/)|(/library/)"} | ||
clean_images=(`curl "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/images/json</nowiki>"|jq -r ".[] | select(.RepoTags != null )| .RepoTags[]"|grep -v \<none|grep -Ev "${image_exclude}"`) | |||
for image in ${clean_images[*]} | |||
do | do | ||
echo $image | echo $image | ||
(set -x; curl -X DELETE "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/images/$image</nowiki>" ) | (set -x; curl -X DELETE "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/images/$image</nowiki>" ) | ||
done | done | ||
echo "End of docker images clean" | |||
=== curl socket获取Exited容器名字 === | |||
curl -s --unix-socket /var/run/docker.sock "<nowiki>http://localhost/v1.41/containers/json?filters=\{</nowiki>\"status\":\[\"exited\"\]\}" | jq -r ".[].Names[]" | cut -c 2- | |||
=== curl socket删除容器 === | |||
curl -X DELETE -s --unix-socket /var/run/docker.sock "<nowiki>http://localhost/v1.41/containers/$container</nowiki>" | |||
=== 利用daemonset部署curl + socket进行清理镜像的定时任务到k8s集群中 === | |||
${your_image} 自行替换 | |||
依赖工具 curl + jq + crontab | |||
改不同的发行版crontab需要自行适配cron的启动命令 | |||
==== 例如Debian系容器镜像可以通过下列方式进行构建依赖的容器镜像 ==== | |||
#debian_install_package="curl wget iputils-ping iproute2 dnsutils net-tools vim telnet netcat procps lsof tcpdump cron jq" #常见依赖工具 | |||
debian_install_package="curl cron jq" | |||
sed -i -e "s/security.debian.org/mirrors.ustc.edu.cn/" -e "s/deb.debian.org/mirrors.ustc.edu.cn/" /etc/apt/sources.list && \ | |||
apt-get update && \ | |||
apt-get install --no-install-recommends -y ${debian_install_package} && \ | |||
apt-get autoremove && \ | |||
apt-get clean && \ | |||
rm -rf /var/lib/apt/lists/* && \ | |||
touch /var/spool/cron/crontabs/root && \ | |||
chmod -v 600 /var/spool/cron/crontabs/root && \ | |||
chgrp -v crontab /var/spool/cron/crontabs/root | |||
操作/var/spool/cron/crontabs/root文件只是为了方便通过echo等方式直接操作root用户的crontab | |||
==== 使用microdnf的yum系容器镜像可以通过下列方式进行构建依赖的容器镜像 ==== | |||
#microdnf_install_package="curl wget iputils iproute bind-utils net-tools hostname vim telnet nmap-ncat procps lsof tcpdump cronie findutils zip unzip jq" #常见依赖工具 | |||
microdnf_install_package="cronie jq" | |||
microdnf install ${microdnf_install_package} && \ | |||
rpm -i /tmp/${java_version}-linux-x64.rpm && \ | |||
microdnf clean all && \ | |||
rm -rvf /tmp/* && \ | |||
touch /var/spool/cron/root && \ | |||
chmod 600 /var/spool/cron/root | |||
操作/var/spool/cron/root文件同样只是为了方便通过echo等方式直接操作root用户的crontab | |||
注意有的发行版容器镜像需要tty才可以输出详细的crond 前台运行日志,例如某些Alpine (<code>/usr/sbin/crond -f -S /dev/stdout</code> + <code>tty: true</code>) | |||
==== 具体k8s编排 ==== | |||
apiVersion: apps/v1 | |||
kind: DaemonSet | |||
metadata: | |||
labels: | |||
k8s-app: docker-image-cleaner | |||
app: docker-image-cleaner | |||
name: docker-image-cleaner | |||
namespace: kube-system | |||
spec: | |||
revisionHistoryLimit: 5 | |||
selector: | |||
matchLabels: | |||
k8s-app: docker-image-cleaner | |||
app: docker-image-cleaner | |||
template: | |||
metadata: | |||
labels: | |||
k8s-app: docker-image-cleaner | |||
app: docker-image-cleaner | |||
spec: | |||
containers: | |||
- image: ${your_image} | |||
imagePullPolicy: IfNotPresent | |||
name: docker-image-cleaner | |||
command: | |||
- cron | |||
- -L | |||
- "8" | |||
- "-f" | |||
lifecycle: | |||
postStart: | |||
exec: | |||
command: | |||
- /bin/sh | |||
- -c | |||
- | | |||
cat <<\EOF > /clean.sh | |||
#!/usr/bin/env bash | |||
exec 1>/proc/1/fd/1 2>/proc/1/fd/2 | |||
docker_api_version=v1.41 | |||
curl_options=( | |||
"-L" | |||
"-s" | |||
"--unix-socket" "/var/run/docker.sock" | |||
) | |||
# Remove exited non-k8s containers | |||
exited_containers=(`curl "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/containers/json?filters=\{</nowiki>\"status\":\[\"exited\"\]\}" | jq -r ".[].Names[]" | cut -c 2- | grep -v k8s`) | |||
echo "removing exited non-k8s containers" | |||
for container in ${exited_containers[*]} | |||
do | |||
echo $container | |||
(set -x;curl -X DELETE "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/containers/$container</nowiki>") | |||
done | |||
echo "cleaning dangling images:" | |||
for image in ${dangling_images[*]} | |||
do | |||
echo $image | |||
(set -x; curl -X DELETE "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/images/$image</nowiki>" ) | |||
done | |||
echo -n "cleaning images without specific string: " | |||
echo ${image_exclude:="(/kube-system/)|(/library/)"} | |||
clean_images=(`curl "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/images/json</nowiki>"|jq -r ".[] | select(.RepoTags != null )| .RepoTags[]"|grep -v \<none|grep -Ev "${image_exclude}"`) | |||
for image in ${clean_images[*]} | |||
do | |||
echo $image | |||
(set -x; curl -X DELETE "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/images/$image</nowiki>" ) | |||
done | |||
echo "End of image clean" | |||
EOF | |||
chmod u+x /clean.sh | |||
echo "0 2 * * * bash /clean.sh" |crontab - | |||
crontab -l > /proc/1/fd/1 | |||
resources: | |||
limits: | |||
cpu: 500m | |||
memory: 256Mi | |||
requests: | |||
cpu: 100m | |||
memory: 64Mi | |||
securityContext: | |||
capabilities: | |||
add: | |||
- NET_ADMIN | |||
privileged: true | |||
volumeMounts: | |||
- mountPath: /var/run/docker.sock | |||
name: docker-sock | |||
restartPolicy: Always | |||
tolerations: | |||
- effect: NoSchedule | |||
operator: Exists | |||
volumes: | |||
- hostPath: | |||
path: /var/run/docker.sock | |||
type: "" | |||
name: docker-sock | |||
updateStrategy: | |||
rollingUpdate: | |||
maxUnavailable: 60% | |||
type: RollingUpdate | |||
[[分类:Docker]] | [[分类:Docker]] | ||
[[分类:Linux]] | [[分类:Linux]] | ||
{{DEFAULTSORT:Docker.sock}} | {{DEFAULTSORT:Docker.sock}} |
2024年3月27日 (三) 18:21的最新版本
官方API doc: https://docs.docker.com/engine/api/v1.41/
官方API doc(with example): https://docs.docker.com/engine/api/sdk/examples/
不同版本的docker的api doc: https://docs.docker.com/engine/api/#api-version-matrix
tips: Linux下对socket进行抓包
通过curl socket完成镜像拉取操作
通过docker cli进行操作+抓包获取基本报文格式
POST /v1.41/images/create?fromImage=10.82.123.123%2Fpublic%2Fmaven&tag=3.3.9-public HTTP/1.1 Host: docker User-Agent: Docker-Client/20.10.17 (linux) Content-Length: 0 Content-Type: text/plain
命令实现
curl --unix-socket /var/run/docker.sock "http://localhost/v1.41/images/create?fromImage=10.82.123.123%2Fpublic%2Fmaven&tag=3.3.9-public" -X POST
如果拉取镜像需要认证可以加上http header
X-Registry-Auth: eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJwYXNzd29yZCIsInNlcnZlcmFkZHJlc3MiOiIxMC44Mi4xMjMuMTIzIn0=
通过curl socket获取镜像dangling镜像信息
curl -s --unix-socket /var/run/docker.sock "http://localhost/v1.41/images/json?filters=\{\"dangling\":\[\"true\"\]\}"
通过curl socket获取指定REPOSITORY+TAG镜像信息
注意是全名字匹配
curl -s --unix-socket /var/run/docker.sock "http:/v1.24/images/json?filters=\{\"reference\":\{\"mysql\":true\}\}" [{"Containers":-1,"Created":1602576181,"Id":"sha256:8e85dd5c32558ea5c22cc4786cff512c1940270a50e7dbc21ad2df42f0637de4","Labels":null,"ParentId":"","RepoDigests":["mysql@sha256:86b7c83e24c824163927db1016d5ab153a9a04358951be8b236171286e3289a4"],"RepoTags":["mysql:8.0.21"],"SharedSize":-1,"Size":544193587,"VirtualSize":544193587},{"Containers":-1,"Created":1532654095,"Id":"sha256:6bb891430fb6e2d3b4db41fd1f7ece08c5fc769d8f4823ec33c7c7ba99679213","Labels":null,"ParentId":"","RepoDigests":["mysql@sha256:aaba540cdd9313645d892f4f20573e8b42b30e5be71c054b7befed2f7da5f85b"],"RepoTags":["mysql:5.7.22"],"SharedSize":-1,"Size":371941626,"VirtualSize":371941626}]
如果需要半匹配,用 *
号即可(测试下来发现好像只能省略后缀,不能省略前缀,可以匹配tag,区分大小写)
curl -s --unix-socket /var/run/docker.sock "http:/v1.24/images/json?filters=\{\"reference\":\{\"*m*\":true\}\}"|jq . [ { "Containers": -1, "Created": 1665115518, "Id": "sha256:9622db9aed586c97c6a18d912b965f3d4c02fdf749650c7ee57a9a6b8cde3dd7", "Labels": null, "ParentId": "", "RepoDigests": null, "RepoTags": [ "sonarqube:8.9.9-community" ], "SharedSize": -1, "Size": 499466355, "VirtualSize": 499466355 }, { "Containers": -1, "Created": 1612947183, "Id": "sha256:8415759abc07b3d3dcd43cecd924caa3ed68bc5d4a4166e50565a4a1b344a7e5", "Labels": null, "ParentId": "", "RepoDigests": null, "RepoTags": [ "node:14.15.5-stretch-slim" ], "SharedSize": -1, "Size": 166658514, "VirtualSize": 166658514 }, { "Containers": -1, "Created": 1602576181, "Id": "sha256:8e85dd5c32558ea5c22cc4786cff512c1940270a50e7dbc21ad2df42f0637de4", "Labels": null, "ParentId": "", "RepoDigests": [ "mysql@sha256:86b7c83e24c824163927db1016d5ab153a9a04358951be8b236171286e3289a4" ], "RepoTags": [ "mysql:8.0.21" ], "SharedSize": -1, "Size": 544193587, "VirtualSize": 544193587 }, { "Containers": -1, "Created": 1532654095, "Id": "sha256:6bb891430fb6e2d3b4db41fd1f7ece08c5fc769d8f4823ec33c7c7ba99679213", "Labels": null, "ParentId": "", "RepoDigests": [ "mysql@sha256:aaba540cdd9313645d892f4f20573e8b42b30e5be71c054b7befed2f7da5f85b" ], "RepoTags": [ "mysql:5.7.22" ], "SharedSize": -1, "Size": 371941626, "VirtualSize": 371941626 } ]
简单的通过curl + socket进行清理镜像的bash脚本例子
#!/usr/bin/env bash #exec 1>/proc/1/fd/1 2>/proc/1/fd/2 docker_api_version=v1.41 curl_options=( "-s" "--unix-socket" "/var/run/docker.sock" ) dangling_images=(`curl "${curl_options[@]}" "http://localhost/${docker_api_version}/images/json?filters=%7B%22dangling%22%3A%5B%22true%22%5D%7D&all=1" | jq -r .[].Id`) # TODO: clean up stopped non-k8s containers echo "cleaning dangling images:" for image in ${dangling_images[*]} do echo $image (set -x; curl -X DELETE "${curl_options[@]}" "http://localhost/${docker_api_version}/images/$image" ) done echo -n "cleaning images without specific string: " echo ${image_exclude:="(/kube-system/)|(/library/)"} clean_images=(`curl "${curl_options[@]}" "http://localhost/${docker_api_version}/images/json"|jq -r ".[] | select(.RepoTags != null )| .RepoTags[]"|grep -v \<none|grep -Ev "${image_exclude}"`) for image in ${clean_images[*]} do echo $image (set -x; curl -X DELETE "${curl_options[@]}" "http://localhost/${docker_api_version}/images/$image" ) done echo "End of docker images clean"
curl socket获取Exited容器名字
curl -s --unix-socket /var/run/docker.sock "http://localhost/v1.41/containers/json?filters=\{\"status\":\[\"exited\"\]\}" | jq -r ".[].Names[]" | cut -c 2-
curl socket删除容器
curl -X DELETE -s --unix-socket /var/run/docker.sock "http://localhost/v1.41/containers/$container"
利用daemonset部署curl + socket进行清理镜像的定时任务到k8s集群中
${your_image} 自行替换
依赖工具 curl + jq + crontab
改不同的发行版crontab需要自行适配cron的启动命令
例如Debian系容器镜像可以通过下列方式进行构建依赖的容器镜像
#debian_install_package="curl wget iputils-ping iproute2 dnsutils net-tools vim telnet netcat procps lsof tcpdump cron jq" #常见依赖工具 debian_install_package="curl cron jq" sed -i -e "s/security.debian.org/mirrors.ustc.edu.cn/" -e "s/deb.debian.org/mirrors.ustc.edu.cn/" /etc/apt/sources.list && \ apt-get update && \ apt-get install --no-install-recommends -y ${debian_install_package} && \ apt-get autoremove && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* && \ touch /var/spool/cron/crontabs/root && \ chmod -v 600 /var/spool/cron/crontabs/root && \ chgrp -v crontab /var/spool/cron/crontabs/root
操作/var/spool/cron/crontabs/root文件只是为了方便通过echo等方式直接操作root用户的crontab
使用microdnf的yum系容器镜像可以通过下列方式进行构建依赖的容器镜像
#microdnf_install_package="curl wget iputils iproute bind-utils net-tools hostname vim telnet nmap-ncat procps lsof tcpdump cronie findutils zip unzip jq" #常见依赖工具 microdnf_install_package="cronie jq" microdnf install ${microdnf_install_package} && \ rpm -i /tmp/${java_version}-linux-x64.rpm && \ microdnf clean all && \ rm -rvf /tmp/* && \ touch /var/spool/cron/root && \ chmod 600 /var/spool/cron/root
操作/var/spool/cron/root文件同样只是为了方便通过echo等方式直接操作root用户的crontab
注意有的发行版容器镜像需要tty才可以输出详细的crond 前台运行日志,例如某些Alpine (/usr/sbin/crond -f -S /dev/stdout
+ tty: true
)
具体k8s编排
apiVersion: apps/v1 kind: DaemonSet metadata: labels: k8s-app: docker-image-cleaner app: docker-image-cleaner name: docker-image-cleaner namespace: kube-system spec: revisionHistoryLimit: 5 selector: matchLabels: k8s-app: docker-image-cleaner app: docker-image-cleaner template: metadata: labels: k8s-app: docker-image-cleaner app: docker-image-cleaner spec: containers: - image: ${your_image} imagePullPolicy: IfNotPresent name: docker-image-cleaner command: - cron - -L - "8" - "-f" lifecycle: postStart: exec: command: - /bin/sh - -c - | cat <<\EOF > /clean.sh #!/usr/bin/env bash exec 1>/proc/1/fd/1 2>/proc/1/fd/2 docker_api_version=v1.41 curl_options=( "-L" "-s" "--unix-socket" "/var/run/docker.sock" ) # Remove exited non-k8s containers exited_containers=(`curl "${curl_options[@]}" "http://localhost/${docker_api_version}/containers/json?filters=\{\"status\":\[\"exited\"\]\}" | jq -r ".[].Names[]" | cut -c 2- | grep -v k8s`) echo "removing exited non-k8s containers" for container in ${exited_containers[*]} do echo $container (set -x;curl -X DELETE "${curl_options[@]}" "http://localhost/${docker_api_version}/containers/$container") done echo "cleaning dangling images:" for image in ${dangling_images[*]} do echo $image (set -x; curl -X DELETE "${curl_options[@]}" "http://localhost/${docker_api_version}/images/$image" ) done echo -n "cleaning images without specific string: " echo ${image_exclude:="(/kube-system/)|(/library/)"} clean_images=(`curl "${curl_options[@]}" "http://localhost/${docker_api_version}/images/json"|jq -r ".[] | select(.RepoTags != null )| .RepoTags[]"|grep -v \<none|grep -Ev "${image_exclude}"`) for image in ${clean_images[*]} do echo $image (set -x; curl -X DELETE "${curl_options[@]}" "http://localhost/${docker_api_version}/images/$image" ) done echo "End of image clean" EOF chmod u+x /clean.sh echo "0 2 * * * bash /clean.sh" |crontab - crontab -l > /proc/1/fd/1 resources: limits: cpu: 500m memory: 256Mi requests: cpu: 100m memory: 64Mi securityContext: capabilities: add: - NET_ADMIN privileged: true volumeMounts: - mountPath: /var/run/docker.sock name: docker-sock restartPolicy: Always tolerations: - effect: NoSchedule operator: Exists volumes: - hostPath: path: /var/run/docker.sock type: "" name: docker-sock updateStrategy: rollingUpdate: maxUnavailable: 60% type: RollingUpdate