2025-01-30 Update. From: SLTechnology News&Howtos
Shulou (Shulou.com), 06/01 Report
Today I will talk about how the underlying technology of the Docker container is implemented, which many people may not understand well. To help you understand it better, the editor has summarized the following content. I hope you get something out of this article.
To better understand the characteristics of containers, we will discuss the underlying technologies used to implement them.
Cgroup and namespace are the two most important technologies. Cgroup implements resource quotas and namespace implements resource isolation.
Cgroup
Cgroup is short for Control Group. The Linux operating system uses cgroups to limit the CPU, memory, and IO resources that processes can use. I'm sure you've guessed it: the options we saw earlier, --cpu-shares, -m, and --device-write-bps, actually configure cgroups.
What exactly does a cgroup look like? We can find it under /sys/fs/cgroup. Let's illustrate with an example: start a container and set --cpu-shares=512.
View the ID of the container
In the /sys/fs/cgroup/cpu/docker directory, Linux creates a cgroup directory for each container, named after the container's long ID.
The directory contains all the CPU-related cgroup configuration, and the file cpu.shares holds the value set by --cpu-shares, which is 512.
Similarly, the cgroup configuration for memory and Block IO is saved in /sys/fs/cgroup/memory/docker and /sys/fs/cgroup/blkio/docker.
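The directory layout above can be read back to check which limits a container really has. The following script is an added example, not part of the original article: it assumes the cgroup v1 layout the article describes, and the function names, the CGROUP_ROOT variable and the sample container IDs are hypothetical.

```shell
#!/bin/sh
# Added example: audit the per-container cgroup v1 files described above.
# CGROUP_ROOT defaults to /sys/fs/cgroup; it is overridden below so the
# script runs against a constructed tree instead of a real host.

# Print one cgroup file of a container, or "missing" if it cannot be read.
# $1 = controller (cpu, memory, blkio)  $2 = long container ID  $3 = file
cgroup_value() {
    f="${CGROUP_ROOT:-/sys/fs/cgroup}/$1/docker/$2/$3"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# cgroup v1 reports "no memory limit" as a huge page-aligned number
# (9223372036854771712 on x86-64). Any value of 19 or more digits is treated
# as unlimited, which avoids 64-bit shell arithmetic. A missing file is
# flagged as well, because no limit can be confirmed.
memory_is_unlimited() {
    v=$(cgroup_value memory "$1" memory.limit_in_bytes)
    [ "$v" = missing ] || [ "${#v}" -ge 19 ]
}

# One line per container found under cpu/docker: ID, cpu.shares, memory limit,
# and a flag for containers whose memory use is not capped.
audit_containers() {
    for d in "${CGROUP_ROOT:-/sys/fs/cgroup}"/cpu/docker/*; do
        [ -d "$d" ] || continue
        id=$(basename "$d")
        if memory_is_unlimited "$id"; then flag=NO-MEMORY-LIMIT; else flag=ok; fi
        printf '%s cpu.shares=%s memory=%s %s\n' "$id" \
            "$(cgroup_value cpu "$id" cpu.shares)" \
            "$(cgroup_value memory "$id" memory.limit_in_bytes)" "$flag"
    done
}

# Constructed sample tree: "aaa111" was started with --cpu-shares=512 -m 200M,
# "bbb222" with defaults (cpu.shares 1024, no memory limit).
# Real directory names are 64-character hex IDs.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/cpu/docker/aaa111" "$t/memory/docker/aaa111" \
             "$t/cpu/docker/bbb222" "$t/memory/docker/bbb222"
    echo 512 > "$t/cpu/docker/aaa111/cpu.shares"
    echo 209715200 > "$t/memory/docker/aaa111/memory.limit_in_bytes"
    echo 1024 > "$t/cpu/docker/bbb222/cpu.shares"
    echo 9223372036854771712 > "$t/memory/docker/bbb222/memory.limit_in_bytes"
    echo "$t"
}

CGROUP_ROOT=$(demo_tree)
audit_containers
```

A container flagged NO-MEMORY-LIMIT can consume all host memory, so it is the first candidate for a -m setting.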
Namespace
In each container, we can see resources such as file systems and network cards that appear to be the container's own. Take the network card as an example: each container thinks it has a separate network card, even if there is only one physical network card on the host. This approach is very good, because it makes the container more like a stand-alone computer.
The Linux technology that implements this is namespace. Namespace manages the globally unique resources of the host and makes each container feel as if it is the only one using them. In other words, namespace implements the isolation of resources between containers.
Linux uses six namespaces, corresponding to six kinds of resources: Mount, UTS, IPC, PID, Network, and User, which we discuss below.
Mount namespace
Mount namespace makes the container appear to have an entire file system of its own.
The container has its own / directory and can execute the mount and umount commands. Of course, these operations only take effect in the current container and do not affect the host or other containers.
UTS namespace
To put it simply, UTS namespace lets the container have its own hostname. By default, the container's hostname is its short ID; it can be set with the -h or --hostname parameter.
IPC namespace
IPC namespace allows containers to have their own shared memory and semaphores for interprocess communication, without mixing them up with the IPC of the host and other containers.
PID namespace
As we mentioned earlier, the container runs as a process on the host. For example, there are two containers running on the host:
You can view the container processes with ps axf.
All container processes hang under the dockerd process, and you can also see the containers' own child processes. If we enter a container, ps can only see that container's own processes.
The PID of a process inside the container also differs from the PID of the corresponding process on the host, and the process with PID=1 in the container is certainly not the host's init process. In other words, the container has its own set of PIDs, which is the function provided by PID namespace.
Network namespace
Network namespace allows the container to have its own network card, IP address, routes and other network resources. We will discuss it in detail later in the network section.
User namespace
User namespace allows the container to manage its own users; the host cannot see the users created in the container.
The user cloudman is created in the container, but no corresponding user is created on the host.
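Whether a given container process really has each of the six namespaces to itself can be checked by comparing its /proc/<pid>/ns links with those of the host's PID 1. The following script is an added example, not part of the original article: the function names, the PROC_ROOT variable, the PIDs and the namespace IDs are hypothetical.

```shell
#!/bin/sh
# Added example: find out which namespaces a container process really has to
# itself. PROC_ROOT defaults to /proc; it is overridden below so the script runs
# against a constructed tree. On a real host, run as root and get the PID with
#   docker inspect -f '{{.State.Pid}}' <container>

# Namespace identifier of a process, e.g. "net:[4026531992]" on a real host.
# $1 = PID  $2 = namespace type
ns_id() {
    readlink "${PROC_ROOT:-/proc}/$1/ns/$2" 2>/dev/null || echo unknown
}

# Compare the six namespaces of process $1 with those of reference process $2
# (default: PID 1, the host's init). Prints "<type> shared|isolated|unknown".
ns_compare() {
    for ns in mnt uts ipc pid net user; do
        a=$(ns_id "$1" "$ns"); b=$(ns_id "${2:-1}" "$ns")
        if [ "$a" = unknown ] || [ "$b" = unknown ]; then s=unknown
        elif [ "$a" = "$b" ]; then s=shared
        else s=isolated; fi
        printf '%s %s\n' "$ns" "$s"
    done
}

# Space-separated names of the namespaces process $1 shares with the reference.
ns_shared() {
    ns_compare "$1" "$2" | awk '$2 == "shared" { printf "%s%s", sep, $1; sep = " " }'
}

# Constructed /proc tree with made-up namespace IDs: PID 1 is the host, 4242 a
# container started with defaults, 4343 one started with --net=host --pid=host.
# Docker shares the host's user namespace unless userns-remap is enabled.
demo_proc() {
    t=$(mktemp -d)
    for p in 1 4242 4343; do
        mkdir -p "$t/$p/ns"
        for ns in mnt uts ipc pid net user; do
            case "$p:$ns" in
                1:*|*:user|4343:net|4343:pid) id=1 ;;   # same ID as the host
                *) id=$p ;;                             # private to the container
            esac
            ln -s "$ns:[$id]" "$t/$p/ns/$ns"
        done
    done
    echo "$t"
}

PROC_ROOT=$(demo_proc)
ns_compare 4242
echo "4343 shares with host: $(ns_shared 4343)"
```

Any namespace reported as shared gives the container the host's view of that resource, so the output is a quick review of how much isolation a container was actually started with.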
To summarize: we first learned the various container operations and how containers move between states through a large number of experiments, then discussed how to limit a container's use of CPU, memory and Block IO. Finally, we learned the underlying technologies that implement the container: cgroup and namespace.
The following are common operation commands for containers:
create: creates a container
run: runs a container
pause: pauses a container
unpause: cancels the pause and lets the container continue running
stop: sends SIGTERM to stop the container
kill: sends SIGKILL to stop the container quickly
start: starts a container
restart: restarts the container
attach: attaches to the terminal of the container's startup process
exec: starts a new process in the container, usually with the "-it" parameter
logs: displays the console output of the container's startup process; prints continuously with "-f"
rm: removes a container from disk