2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains the difference between Docker and Docker Machine, which many people are not very familiar with. It is shared here for your reference, and I hope you learn a lot from reading it.
The difference between Docker and Docker Machine
Docker is a client-server application whose official name is Docker Engine. Docker is just a nickname for Docker Engine, and of course Docker has other meanings, such as the name of a company. For simplicity, Docker in this article means Docker Engine.
When it comes to Docker, we must know that it contains three parts:
Docker daemon
A REST API for interacting with the Docker daemon
A command line client
The following figure clearly shows the relationship between them:
Docker Machine is a tool for installing and managing Docker. It has its own command-line tool: docker-machine.
Docker daemon socket
Since the Docker client communicates with the Docker daemon over the REST API, let's take a look at the connection methods available:
1. Unix socket
2. Systemd socket activation
3. TCP
We can simply think of 1 and 2 as forms of interprocess communication on the same host. As for 3, it is easy to understand: communication across the network over the TCP protocol.
Since 1 and 2 are used for interprocess communication on the same machine, we can guess that a Docker client and a Docker daemon installed on the same host communicate in this way. In fact, we can view the Docker daemon startup configuration that is added by default when Docker is installed by opening the file /etc/systemd/system/multi-user.target.wants/docker.service:
The -H option in the figure specifies the socket that the Docker daemon listens on, and the type specified here is systemd socket activation. Communicating through types 1 and 2 requires the process to have root privileges. This is the main reason why a user and user group with root privileges are automatically created during Docker installation. The name of the newly created user and user group is docker. It is recommended that you add all users who need to operate Docker to this group, otherwise you will encounter the problems shown in the following figure when you execute the command:
We can also specify multiple -H parameters at the same time so that the Docker daemon listens on different socket types at the same time. For example, to add a listener on TCP port 2376, you can use the following command line parameters:
$ sudo dockerd -H fd:// -H tcp://0.0.0.0:2376
Run the above command, and then look at the port on which the machine is listening:
At this point, we can access port 2376 of the host from the Docker client on the remote host.
DOCKER_HOST environment variable
By default, the Docker client accesses the Docker daemon on the local machine. When the DOCKER_HOST variable is set, the Docker client accesses the Docker daemon specified in this variable instead. Let's review the docker-machine env command:
It turns out that the $ eval $(docker-machine env krdevdb) command we executed earlier sets the DOCKER_HOST environment variable.
Solve security problems
Our Docker daemon listens on the TCP port, but unfortunately we don't have any protection at this time. So any Docker client can interact with our Docker daemon through the TCP port, which is obviously unacceptable. The solution is to enable the TLS certificate authentication mechanism for both the Docker daemon and the Docker clients. In this way, communication between the Docker daemon and Docker clients is encrypted, and only clients with specific certificates installed can interact with the corresponding Docker daemon.
At this point, the groundwork for this article is finally done, and we can move on to the Docker Machine-related content.
Docker Machine create command
Depending on the Docker Machine driver, the create command performs different operations, but there are two steps that we are more concerned about here:
docker-machine does the following on the host you specify:
Install Docker and configure it.
Generate certificates to protect the Docker service.
Configure Docker daemon
There is no secret to the installation process of Docker, so I won't repeat it here. We focus on the configuration of the Docker daemon. If we take a closer look, we can see that a Docker installed through docker-machine has an extra Docker-related directory under /etc/systemd/system: docker.service.d. There is only one file in this directory, 10-machine.conf:
Well, the presence of -H tcp://0.0.0.0:2376 here is no great surprise; after all the groundwork above, you should take it for granted. The parameters beginning with --tls relate to certificates and are described in more detail in the security settings below. What is somewhat confusing is the /usr/bin/docker in the image above. The current latest version of Docker Machine still sets up the Docker daemon in the old way, and hopefully this will be updated in the next version.
This configuration file is critical because it overrides the configuration file of the default installation of Docker, thus starting Docker daemon in the manner specified by Docker Machine. At this point we have a Docker daemon that can be accessed remotely.
Generate a certificate
We see four parameters that start with --tls in the Docker daemon configuration file: --tlsverify, --tlscacert, --tlscert, and --tlskey. The first, --tlsverify, tells the Docker daemon that remote clients must be authenticated through TLS. The other three parameters each specify the path of a file in PEM format. Let's look at the files at the paths they specify:
If you compare this with a manually installed Docker, you will find that these three files are not present in the /etc/docker directory there. There is no doubt that they were generated by Docker Machine, mainly to enable the Docker daemon's TLS authentication feature. With regard to TLS, the author touched on it briefly in the article "deploying Docker Registry in the local area network". In that case the certificate was configured manually; interested readers can refer to it.
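The override behaviour of the drop-in file and the four --tls flags described above can be checked mechanically. The following is an added example, not code from the original article or from Docker Machine: it works out which ExecStart line is in effect after a drop-in and reports TCP listeners that lack TLS client verification. The unit text is a constructed sample and the function names are hypothetical.

```python
import shlex

# Constructed sample modelled on the drop-in described above (not from a real host).
SAMPLE_DROPIN = """[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock \\
    --tlsverify --tlscacert /etc/docker/ca.pem --tlscert /etc/docker/server.pem \\
    --tlskey /etc/docker/server-key.pem
"""
TLS_FILE_FLAGS = ("--tlscacert", "--tlscert", "--tlskey")


def effective_execstart(*unit_texts):
    """ExecStart commands in effect; pass the main unit first, drop-ins after it."""
    commands = []
    for text in unit_texts:
        for line in text.replace("\\\n", " ").splitlines():  # join continuations
            key, sep, value = line.strip().partition("=")
            if key != "ExecStart" or not sep:
                continue
            if value.strip():
                commands.append(value.strip())
            else:
                commands.clear()  # an empty ExecStart= resets earlier definitions
    return commands


def audit_daemon_command(command):
    """Return findings about TCP listeners in one daemon command line."""
    args = shlex.split(command)
    hosts, opts = [], {}
    for i, arg in enumerate(args):
        name, _, inline = arg.partition("=")
        value = inline or (args[i + 1] if i + 1 < len(args) else "")
        if name in ("-H", "--host"):
            hosts.append(value)
        elif name == "--tlsverify":
            opts[name] = inline.lower() not in ("false", "0")
        elif name in TLS_FILE_FLAGS:
            opts[name] = value
    tcp = [h for h in hosts if h.startswith("tcp://")]
    findings = []
    if tcp and not opts.get("--tlsverify"):
        findings.append("TCP listener without --tlsverify: " + ", ".join(tcp))
    if tcp:
        findings += [flag + " not set" for flag in TLS_FILE_FLAGS if flag not in opts]
    return findings
```

On a real host, pass the text of docker.service followed by each file under docker.service.d in load order; an empty list of findings means every TCP listener is paired with --tlsverify and all three PEM paths.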
Now let's go back to the host where Docker Machine is installed.
Check the /home/nick/.docker/machines/krdevdb directory and you will find some files with the same names (ca.pem, server-key.pem, and server.pem). Compare them with the files on the host krdevdb and you will find that they are the same!
Let's take a look at this picture again:
In addition to the DOCKER_HOST we've looked at, there are three other environment variables. DOCKER_TLS_VERIFY tells the Docker client that TLS authentication needs to be enabled. DOCKER_CERT_PATH specifies the directory holding the files that TLS validation depends on, which is the /home/nick/.docker/machines/krdevdb directory we looked at earlier.
At this point, the security problem that bothered us has finally been explained: Docker Machine generates a series of security key and digital certificate (*.pem) files while executing the create command. One copy of these files is stored on the local host and one on the remote Docker host. The local copy is used to configure the Docker client, and the copy on the remote host is used to configure the Docker daemon, so that both sides set the TLS authentication flag, thus achieving secure communication.
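The client side of this setup can be checked from the variables that docker-machine env exports. This added example (not from the original article; the function names are hypothetical, and the sample output and its address are constructed) parses those export lines and reports a remote DOCKER_HOST without DOCKER_TLS_VERIFY, missing client certificate files, or a private key that other users can access.

```python
import os
import shlex
import stat

# Constructed output in the shape `docker-machine env krdevdb` prints;
# the address is from the documentation range, the path is the one in the article.
SAMPLE_ENV = """export DOCKER_TLS_VERIFY="1"
export DOCKER_HOST="tcp://192.0.2.10:2376"
export DOCKER_CERT_PATH="/home/nick/.docker/machines/krdevdb"
export DOCKER_MACHINE_NAME="krdevdb"
# Run this command to configure your shell:
# eval $(docker-machine env krdevdb)
"""
CLIENT_FILES = ("ca.pem", "cert.pem", "key.pem")  # names the docker CLI looks for


def parse_exports(text):
    """Turn 'export NAME="value"' lines into a dict, skipping comment lines."""
    env = {}
    for token in shlex.split(text, comments=True):
        name, sep, value = token.partition("=")
        if sep and name.isidentifier():
            env[name] = value
    return env


def check_client_env(env):
    """Return findings for a client environment that points at a remote daemon."""
    if not env.get("DOCKER_HOST", "").startswith("tcp://"):
        return []  # local socket, nothing to check here
    if not env.get("DOCKER_TLS_VERIFY"):  # any non-empty value counts as set
        return ["DOCKER_HOST is tcp:// but DOCKER_TLS_VERIFY is not set"]
    # Assumption: without DOCKER_CERT_PATH the CLI falls back to ~/.docker.
    cert_dir = env.get("DOCKER_CERT_PATH") or os.path.expanduser("~/.docker")
    findings = []
    for name in CLIENT_FILES:
        path = os.path.join(cert_dir, name)
        if not os.path.isfile(path):
            findings.append("missing " + name)
        elif name == "key.pem" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(name + " is accessible by group or others")
    return findings
```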
That is all for this article, "what's the difference between Docker and Docker Machine". Thank you for reading! I hope the content shared here has been helpful.
© 2024 shulou.com SLNews company. All rights reserved.