Plesk Documentation and Help Portal

概要: Docker is a platform used to run applications in containers. It enables you to use specific software, such as Redis or MongoDB, or a specific version of software, which might not be supported by your operating system or might need compiling.

Docker is available as a Plesk extension. With it, you can run and manage containers based on specific Docker images, and to use Docker both on the local host and on remote servers.

In this topic, you will learn how to create, configure, and manage Docker containers in Plesk. You will also learn how to control remote Docker hosts from Plesk.

要求和局限性

警告: Docker 扩展会从 Docker Hub 按原样下载镜像而不会以任何方式进行预先配置。其中的某些Docker 容器或软件仅用于可信的环境可能需要额外的安全设置。在Plesk中启动这些下载的镜像之前，需要自行增强其安全性。具体的说明，请参阅容器或软件供应商的文档。例如查看 Redis 文档中的安全章节。

Docker is supported in Plesk for the following operating systems: CentOS 7, Red Hat Enterprise Linux 7, Debian 10, Debian 11, Debian 12, Ubuntu 18.04, Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, AlmaLinux 8.x, AlmaLinux 9.x, Rocky Linux 8.x, and Virtuozzo 7 with Update 1 Hotfix 1 (7.0.1-686) or later.

在 Plesk for Windows 中，您可以使用安装在远程机器上的 Docker（请参阅 **使用远程的 Docker**）。
您无法在于 Docker 容器内部署的 Plesk 中使用 Docker。
要在Plesk中使用远程的Docker服务，需要额外的许可证。可单独购买或将其作为 Hosting Pack、Power Pack 或 Developer Pack 的一部分进行购买。
Docker 只能在x64 系统上运行。
不能迁移或备份 Plesk 中的 Docker 容器。但是您可以备份容器使用的数据（请查看 卷宗映射 ）并下载快照。
支持安装有 Update 1 Hotfix 1 (7.0.1-686) 或更新版本的Virtuozzo 7。注意从此次更新起，创建基于CentOS 7的新容器会默认启用防火墙，因为 Virtuozzo 着力推动增强安全性。Plesk 管理员应手动配置防火墙以确保将 Plesk正常运行所需的端口打开。

前提条件

Before you can start using Docker, the Docker extension must be installed on the Plesk server:

如果您是Plesk管理员，请从扩展目录安装扩展。
否则，请联系您的主机提供商，并要求他们为您安装该扩展。

Once the extension is installed, you are ready to begin. You will see the Docker option in the Navigation Pane.

Containers

You can access images from Docker Hub in the Run Container catalog (Docker > Containers > Run Container).

To access the catalog:

if you have not previously installed a container, in Docker > Containers, click Run Container.

if you have previously installed a container, in Docker > Containers, click the plus icon .

To view available images, use the search box.

Specify the image name, the repository, or both.

These repositories are available to search:

本地 repository - 包含本地镜像。这些镜像已下载好且存储在带有Docker的服务器上。详情请查看 管理本地镜像 。

Docker Hub.

Multiple versions may be available for each application. You can run a specific version by selecting the appropriate tag, as shown below:

若要运行容器：

Go to Docker > Containers > Run Container.
Use the search box to find images in the catalog. If the image is stored locally, (local) appears after the version.
To view the image description and documentation on Docker Hub, click the more info icon . This does not apply to local images.
Click the image card.
- To run a specific version, select the image version you want to run from the Image version drop-down and click Next.
- To run the latest version of the selected application, click Next.
Plesk 会创建一个容器并提示您指定其设置，例如环境变量，然后运行该容器。您可以点击取消（在设置页面上）来取消运行。有关设置的详情请参阅 容器设置 。
After you tweak the settings, click Run. The container appears in the list of containers in the Containers tab.

See the Console Log to find out if the container runs without issues.

容器设置

注解: 如果您想要更改容器设置，您则需要停止运行容器：当您保存新设置时，Plesk 会重新创建容器。

To edit container settings, go to the Containers tab and click the settings icon image settings icon next to the container you want to edit.

限制内存

By default, using RAM in a Docker container is unlimited. To limit using RAM, select the Memory limit checkbox and enter the limit value in megabytes in the MB field.

注解: 目前还不能限制Docker 容器的CPU和磁盘使用量。

注解: Docker容器是管理员级别的对象，不受订阅级别的cgroup限制 (CPU、RAM和磁盘使用量）的控制。

自动启动

如果没有选中 系统重启后自动启动 选项，那么在系统重启后，使用该容器的网站可能会中断，您则需要手动启动容器。

端口映射

默认会启用 自动端口映射 选项，容器的内部端口会被映射到主机系统上的任意端口（例如，32768）。

To change the port on the host system, deselect Automatic port mapping and specify another external port in Manual mapping. If Manual mapping does not appear when you deselect the option, it means that the container does not expose ports.

When using manual mapping, by default Docker only binds to the specified port on the host system’s localhost interface (127.0.0.1). This way, the port is inaccessible from the Internet, and the application inside the container is safe from attacks. To have Docker bind to the specified port on all network interfaces of the host system, deselect Make the port inaccessible from the Internet. If you do this, the application inside the container becomes accessible from the Internet, and can be reached on the specified port via any of the host system’s IP addresses.

警告: Docker presumes that authentication is carried out by the application itself, but sometimes it is not so (for example, MySQL/MariaDB does not allow anonymous access by default, but redis does). Making the application inside a container accessible from the Internet may result in the application being attacked by a malicious actor.

卷映射

Docker volumes are directories on your server mounted to a Docker container. This is how you have persistent storage that can be accessed from your host system. The data in Docker volumes is not deleted when you stop or delete a container.

警告: The data stored in Docker volumes will not be included in the Plesk backup. To prevent data loss, back up any essential data stored in a volume with a third-party backup tool.

欲了解更多有关容器中的数据的信息，请参阅 Docker 文档。

若要添加卷宗映射，请指定以下项：

In the Host field - the absolute path to the directory on the server that you want to mount in the container.
In the Container field - the absolute path to a directory inside the container.

To map more directories, click Add one more.

设置环境变量

容器内的应用会使用环境变量。您可能需要添加更多变量或编辑现有的变量。Plesk 允许您添加任意数量的变量。

对容器的操作

您可对容器执行以下操作：

Stop (Stop), start (Start) or restart (Restart) a container. In these cases, the container will be recreated with the current settings.

注解: 如果数据没有保存到挂载的卷宗（请参阅 卷宗映射 部分），将会丢失。
Click the arrow next to the container to view logs and resource consumption.
Click the settings icon next to the container to change container settings, such as environment variables or volume mapping (Settings).
重命名容器（设置 > 容器名称 ）。

Click the more options icon image more icon next to the container to do one or more of the following:

Recreate a container using the same or another version of the image (Recreate).
Create an image based on a container with your custom settings (Save as Image).
Take a snapshot of a container (Download Snapshot).
Remove a container (Remove).

重新创建容器

通常在您想要更新应用到更新的版本时需要重新创建容器。实际上就是您可以使用目录中的任何应用版本而非更新的版本重建容器。

重新创建过程中会保留自定义设置。若要保留容器内应用所使用的数据，需要在重新创建容器之前指定卷宗映射。通过卷宗映射能够访问容器内使用的目录（请参阅容器设置中的卷映射部分）。

若要重新创建容器：

#. Go to Docker and click the more options icon image more icon next to the container you want to recreate. #. Click Recreate in the container settings and specify the image version and whether to use default environment variables.

使用远程 Docker

By default, Plesk uses Docker installed as a local service. However, you can use one or more Docker services installed outside of Plesk. Note that you can use only one service at a time. You can see which server is active in the Environments tab of the Docker settings page in Plesk.

注解: 管理远程Docker服务需要Plesk附加许可证密钥。若没有，则只能管理在Plesk服务器上运行的本地Docker服务。

配置远程服务

请根据 Docker 文档配置运行Docker的远程服务器以在 Plesk 中使用该 Docker 作为远程服务器。

管理远程服务

You can establish a connection between a Plesk server with the Docker extension and a remote node with Docker service.

以下步骤同时适用于 Plesk for Linux 和 Plesk for Windows。

These steps must be performed on the remote host:

#. Create the /etc/docker/daemon.json configuration file for Docker with the following content:

1 2 3 4 5 6 7 8

{ "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"], "tls": true, "tlsverify": true, "tlscacert": "/root/ca.pem", "tlscert": "/root/server-cert.pem", "tlskey": "/root/server-key.pem" }

#. Prepare .pem files. You can use the following example. Replace the IP on line 4 with the IP address of your remote node and run each command:

1 2 3 4 5 6 7 8 9 10

openssl genrsa -aes256 -out ca-key.pem 4096 openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem openssl genrsa -out server-key.pem 4096 openssl req -subj "/CN=192.0.2.1" -new -key server-key.pem -out server.csr openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem openssl genrsa -out key.pem 4096 openssl req -subj '/CN=client' -new -key key.pem -out client.csr openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem chmod 0400 ca-key.pem server-key.pem key.pem chmod 0444 ca.pem server-cert.pem cert.pem

Run the following commands to modify the current Docker service so it starts after host configuration:

1 2 3 4

cp /lib/systemd/system/docker.service /etc/systemd/system/ sed -i 's/\ -H\ fd:\/\///g' /etc/systemd/system/docker.service systemctl daemon-reload systemctl restart docker

Save the outputs of the following files on your local machine for use by the client to connect remotely:

1 2 3

cat key.pem cat cert.pem cat ca.pem

On the local server, configure the Docker remote host:

Go to Docker > Environments.
Click Add Server and specify the settings of the remote server with Docker.
若要开始在 Plesk 中使用该 Docker，请选定 设为活动 选项。

The link to Docker will appear in the Navigation Pane.

若要在 Docker 服务之间切换：

Go to Docker > Environments.
In the list of servers, select the Docker node that you are going to use and click Set Active.

Alternatively, you can set the Docker node as active while editing its settings.

使用自定义设置创建镜像

如果您想要基于您对容器所做的修改创建新镜像，请使用 另存为镜像 命令。会创建容器的快照，作为新的镜像在镜像目录中出现。因此，您可以使用自定义设置（例如环境变量）创建镜像。

若要基于您的容器创建镜像：

Go to Docker > Containers, click the more options icon image more icon next to the container and click > Save as Image. In the Save <container name> as Image side panel, specify:

Image name.
An optional Tag. You can specify the image version here. By default, the version will be “latest”.

The created image appears in the Images tab and is marked Local image.

管理本地镜像

本地镜像是由 Docker 在本地磁盘上存储的镜像，对于此类镜像无需从镜像目录中下载。

镜像可通过以下方式成为本地镜像：

选定镜像的任何版本（标签），镜像即开始下载。不过您是稍后运行容器还是取消运行（在设置页面上），镜像都会本地保存。
You upload an image to Docker in Plesk (Upload image in the Docker Images tab).
从容器创建一个自定义镜像（参阅使用自定义设置创建镜像）。
使用命令行界面创建镜像。

To download another version of an image from the online catalog, click the Pull icon image pull icon , choose the version you want to pull from the drop-down, and click Pull.

If Docker has at least one downloaded version from a group of versions belonging to an image, this image is marked Local image in the catalog. Plesk also shows how many local images exist for a product.

若要查看本地镜像和移除过期的本地镜像：

Go to Docker > Images.
To find a specific local image, use the Search bar.
若要查看某个产品的所有本地镜像，请点击产品名称下的链接。将会显示所有本地镜像的标签和已占据的磁盘空间。
Select the specific image(s) you want to remove and click Remove.

设置 nginx 处理从域名到容器的代理请求

某些 Docker 容器会显示端口，因此可通过这些端口访问容器中的应用。

当您在网站上使用 Docker 容器中的应用时，您会发现不方便在其 URL 中指定非标准的端口。为了避免该不方便情况出现，您可以设置 nginx 处理从域名到该端口的代理请求，因而域名可以使用一个标准的端口（例如 80），无需在 URL 中明确指定该端口。

要求

必须在 Plesk 中运行 Nginx。
You must map the port inside a container to a port on the host system (for example, 32768) manually

To map the port inside a container:

Go to Docker > Containers and click the settings icon next to the container you want to edit.
Turn off Automatic port mapping.
Map the port inside the container manually to a specific port on your system (for example, 32768). You can make this port inaccessible from the Internet.

You can set up nginx to proxy requests from domains to that port, so domains can use a standard port on nginx (for example, 80). To make this possible, add a rule for nginx in the domain settings.

To add a rule for nginx in the domain settings:

进入 网站与域名 > 域名> Docker 代理规则* > 添加规则 并指定以下项：

URL 。指定使用在容器中运行的应用的网站的 URL。可以是主网站也可以是其中一部分。
容器。选择以 Docker 容器形式运行的应用。
端口。选择在容器设置中指定的某个映射（某个容器内的一个端口映射到您的系统上的一个端口）。Nginx 将会代理到系统上该端口的请求。

代理规则在web服务器配置中实现，例如在网站的 nginx.conf 文件中（在 /var/www/vhosts/system/$domain/conf/ 目录中）：

#extension docker begin
location ~ ^/.* {
    proxy_pass http://0.0.0.0:9080;
    proxy_set_header Host             $host;
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
}
#extension docker end

代理规则在NAT后的服务器上应运行良好。

注解: 通过代理规则连接到某网站的Docker容器不计入订阅的磁盘空间使用量。如果网站目录以卷的形式挂载到 Docker 容器则例外，因为这样位于容器的所有文件都将计入网站的磁盘空间使用量。

Deploying Docker Compose YAML files

You can deploy Docker Compose YAML files using the online text editor, uploading a file from local storage, or using a Docker Compose file stored inside a website’s Home directory. Typical operations on stacks are supported, such as up (including pull and force-recreate), stop, and down. You can modify and update the stacks after creation.

注解: You cannot deploy Dockerfiles or any other files required by an application using this section.

To deploy a Docker Compose file:

Go to Docker > Stacks > Add Stack.
Fill in a project name and choose one of the methods for deploying the docker-compose file:
- Editor: Define or paste the content of your Compose file.
- Upload: Upload a Compose file from local storage.
- Webspace: Select a Compose file stored in a domain’s Home directory. For Webspace, choose the domain where the file is located. For Compose File, browse to the Compose file location.

You can declare and build custom containers. Any artifacts created during the build process will be placed inside the website’s Home directory.

For more information about the Compose file format, refer to the Docker documentation.

Deploying Portainer containers in Docker

Portainer is a container management software that makes it easier to deploy containers and stacks, view a container’s status and logs, create users and teams, secure your environments, and more.

To install Portainer, go to Docker > Install Portainer. After installation is complete, to manage Portainer containers inside Docker, go to Docker > Go to Portainer.

注解: Portainer is currently a beta feature.

For more information about Portainer, refer to the Portainer documentation.