如何从一个 docker 容器执行命令到另一个 [英] How to execute command from one docker container to another

问题描述

我正在创建一个应用程序，允许用户上传视频文件，然后进行一些处理.

I'm creating an application that will allow users to upload video files that will then be put through some processing.

我有两个容器.

1. Nginx 容器，为用户可以上传视频文件的网站提供服务.
2. 安装了 FFmpeg 和其他一些处理工具的视频处理容器.

1. Nginx container that serves the website where users can upload their video files.
2. Video processing container that has FFmpeg and some other processing stuff installed.

我想要达到的目标.我需要容器 1 才能在容器 2 上运行 bash 脚本.

What I want to achieve. I need container 1 to be able to run a bash script on container 2.

据我所知，一种可能性是让它们通过 API 通过 HTTP 进行通信.但随后我需要在容器 2 中安装一个 Web 服务器并编写一个 API，这似乎有点矫枉过正.我只想执行一个 bash 脚本.

One possibility as far as I can see is to make them communicate over HTTP via an API. But then I would need to install a web server in container 2 and write an API which seems a bit overkill. I just want to execute a bash script.

有什么建议吗?

推荐答案

你有几个选择，但首先想到的是:

You have a few options, but the first 2 that come time mind are:

1. 在容器 1 中，安装 Docker CLI 并绑定挂载/var/run/docker.sock(你需要从启动容器时托管).然后，在容器内，您应该能够对已安装的绑定使用 docker 命令socket 就好像您是从主机执行它们一样(您也可能需要 chmod 容器内的套接字以允许非 root用户执行此操作.
2. 您可以在容器 2 上安装 SSHD，然后从容器 1 安装 ssh 并运行您的脚本.这里的优点是您不需要在容器内进行任何更改来说明它们在 Docker 中运行而不是在裸机中运行的事实.不利的一面是，您需要将 SSHD 设置添加到 Dockerfile 或启动脚本中.

1. In container 1, install the Docker CLI and bind mount /var/run/docker.sock (you need to specify the bind mount from the host when you start the container). Then, inside the container, you should be able to use docker commands against the bind mounted socket as if you were executing them from the host (you might also need to chmod the socket inside the container to allow a non-root user to do this.
2. You could install SSHD on container 2, and then ssh in from container 1 and run your script. The advantage here is that you don't need to make any changes inside the containers to account for the fact that they are running in Docker and not bare metal. The down side is that you will need to add the SSHD setup to your Dockerfile or the startup scripts.

我能想到的大多数其他想法只是选项 (2) 的变体，SSHD 被其他一些工具取代.

Most of the other ideas I can think of are just variants of option (2), with SSHD replaced by some other tool.

还要注意 Docker 网络有点奇怪(至少在 Mac 主机上)，因此您需要确保容器使用相同的 docker-network 并且能够通过它进行通信.

Also be aware that Docker networking is a little strange (at least on Mac hosts), so you need to make sure that the containers are using the same docker-network and are able to communicate over it.

编辑添加:
完全清楚，不要在实验室或非常受控的开发环境之外使用选项 1.它采用一个安全套接字，该套接字对 主机 上的 Docker 运行时拥有完全权限，并从 容器 授予对其进行未经检查的访问.这样做可以很容易地突破 Docker 沙箱并破坏主机系统.我认为唯一可以接受的地方是作为完整堆栈集成测试设置的一部分，该设置只能由开发人员临时运行.这是一个技巧，在某些非常特定的情况下可以成为有用的捷径，但缺点也不容小觑.

Edit to add:
To be completely clear, don't use option 1 outside of a lab or very controlled dev environment. It is taking a secure socket that has full authority over the Docker runtime on the host, and granting unchecked access to it from a container. Doing that makes it trivially easy to break out of the Docker sandbox and compromise the host system. About the only place I would consider it acceptable is as part of a full stack integration test setup that will only be run adhoc by a developer. It's a hack that can be a useful shortcut in some very specific situations but the drawbacks cannot be overstated.

这篇关于如何从一个 docker 容器执行命令到另一个的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！