Linux通过curl访问docker.sock/API执行docker操作:修订间差异

来自三线的随记
无编辑摘要
无编辑摘要
 
(未显示同一用户的19个中间版本)
第8行: 第8行:


=== 通过curl socket完成镜像拉取操作 ===
=== 通过curl socket完成镜像拉取操作 ===
基本报文
通过docker cli进行操作+抓包获取基本报文格式
  POST /v1.41/images/create?fromImage=10.82.123.123%2Fpublic%2Fmaven&tag=3.3.9-public HTTP/1.1
  POST /v1.41/images/create?fromImage=10.82.123.123%2Fpublic%2Fmaven&tag=3.3.9-public HTTP/1.1
  Host: docker
  Host: docker
第22行: 第22行:
  curl -s --unix-socket /var/run/docker.sock "<nowiki>http://localhost/v1.41/images/json?filters=\{</nowiki>\"dangling\":\[\"true\"\]\}"
  curl -s --unix-socket /var/run/docker.sock "<nowiki>http://localhost/v1.41/images/json?filters=\{</nowiki>\"dangling\":\[\"true\"\]\}"


=== 一个简单的通过socket进行清理dangling镜像的例子 ===
=== 通过curl socket获取指定REPOSITORY+TAG镜像信息 ===
  #!/bin/env bash
注意是全名字匹配
curl -s --unix-socket /var/run/docker.sock "http:/v1.24/images/json?filters=\{\"reference\":\{\"mysql\":true\}\}"
[{"Containers":-1,"Created":1602576181,"Id":"sha256:8e85dd5c32558ea5c22cc4786cff512c1940270a50e7dbc21ad2df42f0637de4","Labels":null,"ParentId":"","RepoDigests":["mysql@sha256:86b7c83e24c824163927db1016d5ab153a9a04358951be8b236171286e3289a4"],"RepoTags":["mysql:8.0.21"],"SharedSize":-1,"Size":544193587,"VirtualSize":544193587},{"Containers":-1,"Created":1532654095,"Id":"sha256:6bb891430fb6e2d3b4db41fd1f7ece08c5fc769d8f4823ec33c7c7ba99679213","Labels":null,"ParentId":"","RepoDigests":["mysql@sha256:aaba540cdd9313645d892f4f20573e8b42b30e5be71c054b7befed2f7da5f85b"],"RepoTags":["mysql:5.7.22"],"SharedSize":-1,"Size":371941626,"VirtualSize":371941626}]
如果需要半匹配,用 <code>*</code> 号即可(测试下来发现好像只能省略后缀,不能省略前缀,可以匹配tag,区分大小写)
curl -s --unix-socket /var/run/docker.sock "http:/v1.24/images/json?filters=\{\"reference\":\{\"*m*\":true\}\}"|jq .
[
  {
    "Containers": -1,
    "Created": 1665115518,
    "Id": "sha256:9622db9aed586c97c6a18d912b965f3d4c02fdf749650c7ee57a9a6b8cde3dd7",
    "Labels": null,
    "ParentId": "",
    "RepoDigests": null,
    "RepoTags": [
      "sonarqube:8.9.9-community"
    ],
    "SharedSize": -1,
    "Size": 499466355,
    "VirtualSize": 499466355
  },
  {
    "Containers": -1,
    "Created": 1612947183,
    "Id": "sha256:8415759abc07b3d3dcd43cecd924caa3ed68bc5d4a4166e50565a4a1b344a7e5",
    "Labels": null,
    "ParentId": "",
    "RepoDigests": null,
    "RepoTags": [
      "node:14.15.5-stretch-slim"
    ],
    "SharedSize": -1,
    "Size": 166658514,
    "VirtualSize": 166658514
  },
  {
    "Containers": -1,
    "Created": 1602576181,
    "Id": "sha256:8e85dd5c32558ea5c22cc4786cff512c1940270a50e7dbc21ad2df42f0637de4",
    "Labels": null,
    "ParentId": "",
    "RepoDigests": [
      "mysql@sha256:86b7c83e24c824163927db1016d5ab153a9a04358951be8b236171286e3289a4"
    ],
    "RepoTags": [
      "mysql:8.0.21"
    ],
    "SharedSize": -1,
    "Size": 544193587,
    "VirtualSize": 544193587
  },
  {
    "Containers": -1,
    "Created": 1532654095,
    "Id": "sha256:6bb891430fb6e2d3b4db41fd1f7ece08c5fc769d8f4823ec33c7c7ba99679213",
    "Labels": null,
    "ParentId": "",
    "RepoDigests": [
      "mysql@sha256:aaba540cdd9313645d892f4f20573e8b42b30e5be71c054b7befed2f7da5f85b"
    ],
    "RepoTags": [
      "mysql:5.7.22"
    ],
    "SharedSize": -1,
    "Size": 371941626,
    "VirtualSize": 371941626
  }
]
 
=== 简单的通过curl + socket进行清理镜像的bash脚本例子 ===
  #!/usr/bin/env bash
#exec 1>/proc/1/fd/1 2>/proc/1/fd/2
  docker_api_version=v1.41
  docker_api_version=v1.41
  curl_options=(
  curl_options=(
第30行: 第102行:
  )
  )
  dangling_images=(`curl "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/images/json?filters=%7B%22dangling%22%3A%5B%22true%22%5D%7D&all=1</nowiki>" | jq -r .[].Id`)
  dangling_images=(`curl "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/images/json?filters=%7B%22dangling%22%3A%5B%22true%22%5D%7D&all=1</nowiki>" | jq -r .[].Id`)
# TODO: clean up stopped non-k8s containers
echo "cleaning dangling images:"
for image in ${dangling_images[*]}
do
  echo $image
  (set -x; curl -X DELETE "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/images/$image</nowiki>" )
done
   
   
  echo "cleaning dangline images:"
  echo -n "cleaning images without specific string: "
  for image in ${dangling_images[*]}
echo ${image_exclude:="(/kube-system/)|(/library/)"}
clean_images=(`curl "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/images/json</nowiki>"|jq -r ".[] | select(.RepoTags != null )| .RepoTags[]"|grep -v \<none|grep -Ev "${image_exclude}"`)
  for image in ${clean_images[*]}
  do
  do
   echo $image
   echo $image
   (set -x; curl -X DELETE "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/images/$image</nowiki>" )
   (set -x; curl -X DELETE "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/images/$image</nowiki>" )
  done
  done
echo "End of docker images clean"
=== curl socket获取Exited容器名字 ===
curl -s --unix-socket /var/run/docker.sock "<nowiki>http://localhost/v1.41/containers/json?filters=\{</nowiki>\"status\":\[\"exited\"\]\}" | jq -r ".[].Names[]" | cut -c 2-
=== curl socket删除容器 ===
curl -X DELETE -s --unix-socket /var/run/docker.sock "<nowiki>http://localhost/v1.41/containers/$container</nowiki>"
=== 利用daemonset部署curl + socket进行清理镜像的定时任务到k8s集群中 ===
${your_image} 自行替换
依赖工具 curl + jq + crontab
改不同的发行版crontab需要自行适配cron的启动命令
==== 例如Debian系容器镜像可以通过下列方式进行构建依赖的容器镜像 ====
#debian_install_package="curl wget iputils-ping iproute2 dnsutils net-tools vim telnet netcat procps lsof tcpdump cron jq" #常见依赖工具
debian_install_package="curl cron jq"
sed -i -e "s/security.debian.org/mirrors.ustc.edu.cn/" -e "s/deb.debian.org/mirrors.ustc.edu.cn/" /etc/apt/sources.list && \
apt-get update && \
apt-get install --no-install-recommends -y ${debian_install_package} && \
apt-get autoremove && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*  && \
touch /var/spool/cron/crontabs/root  && \
chmod -v 600 /var/spool/cron/crontabs/root  && \
chgrp -v crontab /var/spool/cron/crontabs/root
操作/var/spool/cron/crontabs/root文件只是为了方便通过echo等方式直接操作root用户的crontab
==== 使用microdnf的yum系容器镜像可以通过下列方式进行构建依赖的容器镜像 ====
#microdnf_install_package="curl wget iputils iproute bind-utils net-tools hostname vim telnet nmap-ncat procps lsof tcpdump cronie findutils zip unzip jq" #常见依赖工具
microdnf_install_package="cronie jq"
microdnf install ${microdnf_install_package} && \
rpm -i /tmp/${java_version}-linux-x64.rpm && \
microdnf clean all && \
rm -rvf /tmp/* && \
touch /var/spool/cron/root && \
chmod 600 /var/spool/cron/root
操作/var/spool/cron/root文件同样只是为了方便通过echo等方式直接操作root用户的crontab
注意有的发行版容器镜像需要tty才可以输出详细的crond 前台运行日志,例如某些Alpine (<code>/usr/sbin/crond -f -S /dev/stdout</code> + <code>tty: true</code>)
==== 具体k8s编排 ====
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: docker-image-cleaner
    app: docker-image-cleaner
  name: docker-image-cleaner
  namespace: kube-system
spec:
  revisionHistoryLimit: 5
  selector:
    matchLabels:
      k8s-app: docker-image-cleaner
      app: docker-image-cleaner
  template:
    metadata:
      labels:
        k8s-app: docker-image-cleaner
        app: docker-image-cleaner
    spec:
      containers:
      - image: ${your_image}
        imagePullPolicy: IfNotPresent
        name: docker-image-cleaner
        command:
        - cron
        - -L
        - "8"
        - "-f"
        lifecycle:
          postStart:
            exec:
              command:
                - /bin/sh
                - -c
                - |
                  cat <<\EOF > /clean.sh
                  #!/usr/bin/env bash
                  exec 1>/proc/1/fd/1 2>/proc/1/fd/2
                  docker_api_version=v1.41
                  curl_options=(
                    "-L"
                    "-s"
                    "--unix-socket" "/var/run/docker.sock"
                  )
                  # Remove exited non-k8s containers
                  exited_containers=(`curl "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/containers/json?filters=\{</nowiki>\"status\":\[\"exited\"\]\}" | jq -r ".[].Names[]" | cut -c 2- | grep -v k8s`)
                  echo "removing exited non-k8s containers"
                  for container in ${exited_containers[*]}
                  do
                    echo $container
                    (set -x;curl -X DELETE "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/containers/$container</nowiki>")
                  done
                  echo "cleaning dangling images:"
                  for image in ${dangling_images[*]}
                  do
                    echo $image
                    (set -x; curl -X DELETE "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/images/$image</nowiki>" )
                  done
 
                  echo -n "cleaning images without specific string: "
                  echo ${image_exclude:="(/kube-system/)|(/library/)"}
                  clean_images=(`curl "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/images/json</nowiki>"|jq -r ".[] | select(.RepoTags != null )| .RepoTags[]"|grep -v \<none|grep -Ev "${image_exclude}"`)
                  for image in ${clean_images[*]}
                  do
                    echo $image
                    (set -x; curl -X DELETE "${curl_options[@]}" "<nowiki>http://localhost/${docker_api_version}/images/$image</nowiki>" )
                  done
                  echo "End of image clean"
                  EOF
                  chmod u+x /clean.sh
                  echo "0 2 * * * bash /clean.sh" |crontab -
                  crontab -l > /proc/1/fd/1
        resources:
          limits:
            cpu: 500m
            memory: 256Mi
          requests:
            cpu: 100m
            memory: 64Mi
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
          privileged: true
        volumeMounts:
        - mountPath: /var/run/docker.sock
          name: docker-sock
      restartPolicy: Always
      tolerations:
      - effect: NoSchedule
        operator: Exists
      volumes:
      - hostPath:
          path: /var/run/docker.sock
          type: ""
        name: docker-sock
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 60%
    type: RollingUpdate 
[[分类:Docker]]
[[分类:Docker]]
[[分类:Linux]]
[[分类:Linux]]
{{DEFAULTSORT:Docker.sock}}
{{DEFAULTSORT:Docker.sock}}

2024年3月27日 (三) 18:21的最新版本

官方API doc: https://docs.docker.com/engine/api/v1.41/

官方API doc(with example): https://docs.docker.com/engine/api/sdk/examples/

不同版本的docker的api doc: https://docs.docker.com/engine/api/#api-version-matrix

tips: Linux下对socket进行抓包

通过curl socket完成镜像拉取操作

通过docker cli进行操作+抓包获取基本报文格式

POST /v1.41/images/create?fromImage=10.82.123.123%2Fpublic%2Fmaven&tag=3.3.9-public HTTP/1.1
Host: docker
User-Agent: Docker-Client/20.10.17 (linux)
Content-Length: 0
Content-Type: text/plain

命令实现

curl --unix-socket /var/run/docker.sock "http://localhost/v1.41/images/create?fromImage=10.82.123.123%2Fpublic%2Fmaven&tag=3.3.9-public" -X POST

如果拉取镜像需要认证可以加上http header

X-Registry-Auth: eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJwYXNzd29yZCIsInNlcnZlcmFkZHJlc3MiOiIxMC44Mi4xMjMuMTIzIn0=

通过curl socket获取镜像dangling镜像信息

curl -s --unix-socket /var/run/docker.sock "http://localhost/v1.41/images/json?filters=\{\"dangling\":\[\"true\"\]\}"

通过curl socket获取指定REPOSITORY+TAG镜像信息

注意是全名字匹配

curl -s --unix-socket /var/run/docker.sock "http:/v1.24/images/json?filters=\{\"reference\":\{\"mysql\":true\}\}"

[{"Containers":-1,"Created":1602576181,"Id":"sha256:8e85dd5c32558ea5c22cc4786cff512c1940270a50e7dbc21ad2df42f0637de4","Labels":null,"ParentId":"","RepoDigests":["mysql@sha256:86b7c83e24c824163927db1016d5ab153a9a04358951be8b236171286e3289a4"],"RepoTags":["mysql:8.0.21"],"SharedSize":-1,"Size":544193587,"VirtualSize":544193587},{"Containers":-1,"Created":1532654095,"Id":"sha256:6bb891430fb6e2d3b4db41fd1f7ece08c5fc769d8f4823ec33c7c7ba99679213","Labels":null,"ParentId":"","RepoDigests":["mysql@sha256:aaba540cdd9313645d892f4f20573e8b42b30e5be71c054b7befed2f7da5f85b"],"RepoTags":["mysql:5.7.22"],"SharedSize":-1,"Size":371941626,"VirtualSize":371941626}]

如果需要半匹配,用 * 号即可(测试下来发现好像只能省略后缀,不能省略前缀,可以匹配tag,区分大小写)

curl -s --unix-socket /var/run/docker.sock "http:/v1.24/images/json?filters=\{\"reference\":\{\"*m*\":true\}\}"|jq .

[
  {
    "Containers": -1,
    "Created": 1665115518,
    "Id": "sha256:9622db9aed586c97c6a18d912b965f3d4c02fdf749650c7ee57a9a6b8cde3dd7",
    "Labels": null,
    "ParentId": "",
    "RepoDigests": null,
    "RepoTags": [
      "sonarqube:8.9.9-community"
    ],
    "SharedSize": -1,
    "Size": 499466355,
    "VirtualSize": 499466355
  },
  {
    "Containers": -1,
    "Created": 1612947183,
    "Id": "sha256:8415759abc07b3d3dcd43cecd924caa3ed68bc5d4a4166e50565a4a1b344a7e5",
    "Labels": null,
    "ParentId": "",
    "RepoDigests": null,
    "RepoTags": [
      "node:14.15.5-stretch-slim"
    ],
    "SharedSize": -1,
    "Size": 166658514,
    "VirtualSize": 166658514
  },
  {
    "Containers": -1,
    "Created": 1602576181,
    "Id": "sha256:8e85dd5c32558ea5c22cc4786cff512c1940270a50e7dbc21ad2df42f0637de4",
    "Labels": null,
    "ParentId": "",
    "RepoDigests": [
      "mysql@sha256:86b7c83e24c824163927db1016d5ab153a9a04358951be8b236171286e3289a4"
    ],
    "RepoTags": [
      "mysql:8.0.21"
    ],
    "SharedSize": -1,
    "Size": 544193587,
    "VirtualSize": 544193587
  },
  {
    "Containers": -1,
    "Created": 1532654095,
    "Id": "sha256:6bb891430fb6e2d3b4db41fd1f7ece08c5fc769d8f4823ec33c7c7ba99679213",
    "Labels": null,
    "ParentId": "",
    "RepoDigests": [
      "mysql@sha256:aaba540cdd9313645d892f4f20573e8b42b30e5be71c054b7befed2f7da5f85b"
    ],
    "RepoTags": [
      "mysql:5.7.22"
    ],
    "SharedSize": -1,
    "Size": 371941626,
    "VirtualSize": 371941626
  }
]

简单的通过curl + socket进行清理镜像的bash脚本例子

#!/usr/bin/env bash
#exec 1>/proc/1/fd/1 2>/proc/1/fd/2
docker_api_version=v1.41
curl_options=(
  "-s"
  "--unix-socket" "/var/run/docker.sock"
)
dangling_images=(`curl "${curl_options[@]}" "http://localhost/${docker_api_version}/images/json?filters=%7B%22dangling%22%3A%5B%22true%22%5D%7D&all=1" | jq -r .[].Id`)
# TODO: clean up stopped non-k8s containers
echo "cleaning dangling images:"
for image in ${dangling_images[*]}
do
  echo $image
  (set -x; curl -X DELETE "${curl_options[@]}" "http://localhost/${docker_api_version}/images/$image" )
done

echo -n "cleaning images without specific string: "
echo ${image_exclude:="(/kube-system/)|(/library/)"}
clean_images=(`curl "${curl_options[@]}" "http://localhost/${docker_api_version}/images/json"|jq -r ".[] | select(.RepoTags != null )| .RepoTags[]"|grep -v \<none|grep -Ev "${image_exclude}"`)
for image in ${clean_images[*]}
do
  echo $image
  (set -x; curl -X DELETE "${curl_options[@]}" "http://localhost/${docker_api_version}/images/$image" )
done
echo "End of docker images clean"

curl socket获取Exited容器名字

curl -s --unix-socket /var/run/docker.sock "http://localhost/v1.41/containers/json?filters=\{\"status\":\[\"exited\"\]\}" | jq -r ".[].Names[]" | cut -c 2-

curl socket删除容器

curl -X DELETE -s --unix-socket /var/run/docker.sock "http://localhost/v1.41/containers/$container"

利用daemonset部署curl + socket进行清理镜像的定时任务到k8s集群中

${your_image} 自行替换

依赖工具 curl + jq + crontab

改不同的发行版crontab需要自行适配cron的启动命令

例如Debian系容器镜像可以通过下列方式进行构建依赖的容器镜像

#debian_install_package="curl wget iputils-ping iproute2 dnsutils net-tools vim telnet netcat procps lsof tcpdump cron jq" #常见依赖工具

debian_install_package="curl cron jq"
sed -i -e "s/security.debian.org/mirrors.ustc.edu.cn/" -e "s/deb.debian.org/mirrors.ustc.edu.cn/" /etc/apt/sources.list && \
apt-get update && \
apt-get install --no-install-recommends -y ${debian_install_package} && \
apt-get autoremove && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*  && \
touch /var/spool/cron/crontabs/root  && \
chmod -v 600 /var/spool/cron/crontabs/root  && \
chgrp -v crontab /var/spool/cron/crontabs/root

操作/var/spool/cron/crontabs/root文件只是为了方便通过echo等方式直接操作root用户的crontab

使用microdnf的yum系容器镜像可以通过下列方式进行构建依赖的容器镜像

#microdnf_install_package="curl wget iputils iproute bind-utils net-tools hostname vim telnet nmap-ncat procps lsof tcpdump cronie findutils zip unzip jq" #常见依赖工具

microdnf_install_package="cronie jq"

microdnf install ${microdnf_install_package} && \
rpm -i /tmp/${java_version}-linux-x64.rpm && \
microdnf clean all && \
rm -rvf /tmp/* && \
touch /var/spool/cron/root && \
chmod 600 /var/spool/cron/root

操作/var/spool/cron/root文件同样只是为了方便通过echo等方式直接操作root用户的crontab

注意有的发行版容器镜像需要tty才可以输出详细的crond 前台运行日志,例如某些Alpine (/usr/sbin/crond -f -S /dev/stdout + tty: true)

具体k8s编排

apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: docker-image-cleaner
    app: docker-image-cleaner
  name: docker-image-cleaner
  namespace: kube-system
spec:
  revisionHistoryLimit: 5
  selector:
    matchLabels:
      k8s-app: docker-image-cleaner
      app: docker-image-cleaner
  template:
    metadata:
      labels:
        k8s-app: docker-image-cleaner
        app: docker-image-cleaner
    spec:
      containers:
      - image: ${your_image}
        imagePullPolicy: IfNotPresent
        name: docker-image-cleaner
        command:
        - cron
        - -L
        - "8"
        - "-f"
        lifecycle:
          postStart:
            exec:
              command:
               - /bin/sh
               - -c
               - |
                 cat <<\EOF > /clean.sh
                 #!/usr/bin/env bash
                 exec 1>/proc/1/fd/1 2>/proc/1/fd/2
                 docker_api_version=v1.41
                 curl_options=(
                   "-L"
                   "-s"
                   "--unix-socket" "/var/run/docker.sock"
                 )
                 # Remove exited non-k8s containers
                 exited_containers=(`curl "${curl_options[@]}" "http://localhost/${docker_api_version}/containers/json?filters=\{\"status\":\[\"exited\"\]\}" | jq -r ".[].Names[]" | cut -c 2- | grep -v k8s`)
                 echo "removing exited non-k8s containers"
                 for container in ${exited_containers[*]}
                 do
                   echo $container
                   (set -x;curl -X DELETE "${curl_options[@]}" "http://localhost/${docker_api_version}/containers/$container")
                 done

                 echo "cleaning dangling images:"
                 for image in ${dangling_images[*]}
                 do
                   echo $image
                   (set -x; curl -X DELETE "${curl_options[@]}" "http://localhost/${docker_api_version}/images/$image" )
                 done
 
                 echo -n "cleaning images without specific string: "
                 echo ${image_exclude:="(/kube-system/)|(/library/)"}
                 clean_images=(`curl "${curl_options[@]}" "http://localhost/${docker_api_version}/images/json"|jq -r ".[] | select(.RepoTags != null )| .RepoTags[]"|grep -v \<none|grep -Ev "${image_exclude}"`)
                 for image in ${clean_images[*]}
                 do
                   echo $image
                   (set -x; curl -X DELETE "${curl_options[@]}" "http://localhost/${docker_api_version}/images/$image" )
                 done
                 echo "End of image clean"
                 EOF
                 chmod u+x /clean.sh
                 echo "0 2 * * * bash /clean.sh" |crontab -
                 crontab -l > /proc/1/fd/1
        resources:
          limits:
            cpu: 500m
            memory: 256Mi
          requests:
            cpu: 100m
            memory: 64Mi
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
          privileged: true
        volumeMounts:
        - mountPath: /var/run/docker.sock
          name: docker-sock
      restartPolicy: Always
      tolerations:
      - effect: NoSchedule
        operator: Exists
      volumes:
      - hostPath:
          path: /var/run/docker.sock
          type: ""
        name: docker-sock
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 60%
    type: RollingUpdate