What are the core technologies and implementation of Docker?

2025-01-17 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/03

In this issue, the editor covers the core technology and implementation of Docker. The article is rich in content and analyzes the topic from a professional point of view. I hope you get something out of it.

When it comes to virtualization technology, the first thing we think of must be Docker. After four years of rapid development, Docker has become standard for many companies, and it is no longer a toy that can only be used in the development phase. As a product widely used in production environments, Docker has a very mature community and a large number of users, and its code base has become very large.

At the same time, the growth of the project, the splitting of functionality, and various odd renaming PRs have made it harder to understand the overall architecture of Docker.

Although Docker has many components and a very complex implementation, this article does not go into many implementation details. Instead, it discusses which core technologies make Docker's virtualization possible.

First of all, Docker emerged because backend work really needs a virtualization technology during development and operations to solve the problem of consistency between the development environment and the production environment. With Docker, we can also bring the environment in which a program runs under version control, eliminating the possibility of different results caused by different environments. However, although these requirements drove the emergence of virtualization technology, we still could not get a good product without suitable underlying technology. The rest of this article introduces several core technologies used by Docker. If we understand how they work and how they are used, we can understand how Docker is implemented.

Namespaces

Namespaces are a mechanism provided by Linux for separating resources such as the process tree, network interfaces, mount points, and inter-process communication. In daily use of Linux or macOS, we do not need to run multiple completely separate servers, but if we start multiple services on one server, these services actually affect each other. Each service can see the processes of the other services and can access any file on the host machine, which in many cases is not what we want. We would prefer that different services running on the same machine be completely isolated, as if they were running on different machines.

Without that isolation, once one service on the server is compromised, the intruder can access all the services and files on the machine. Docker isolates containers from each other through Linux namespaces.

Linux's namespace mechanism provides seven different namespaces, selected with the flags CLONE_NEWCGROUP, CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUSER, and CLONE_NEWUTS. When creating a new process, these flags let us choose which resources of the new process should be isolated from the host machine.
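The following added example (not part of the original article) shows how to audit which of these seven namespaces a process still shares with the host, by comparing the `type:[inode]` symlink targets that the kernel exposes under `/proc/<pid>/ns`. The function names and the sample inode numbers are assumptions constructed for illustration.

```python
import os
import re

# /proc/<pid>/ns entry name -> the clone(2) flag the article lists for it
NS_FLAGS = {
    "cgroup": "CLONE_NEWCGROUP", "ipc": "CLONE_NEWIPC", "net": "CLONE_NEWNET",
    "mnt": "CLONE_NEWNS", "pid": "CLONE_NEWPID", "user": "CLONE_NEWUSER",
    "uts": "CLONE_NEWUTS",
}
_LINK = re.compile(r"^([a-z_]+):\[(\d+)\]$")  # e.g. "pid:[4026531836]"


def parse_links(links):
    """Turn {entry: 'type:[inode]'} into {entry: inode}, keeping the seven types."""
    parsed = {}
    for name, target in links.items():
        m = _LINK.match(target)
        if name in NS_FLAGS and m and m.group(1) == name:
            parsed[name] = int(m.group(2))
    return parsed


def read_links(pid):
    """Read the live symlinks of one process (Linux; other users' PIDs need root)."""
    base = f"/proc/{pid}/ns"
    return {n: os.readlink(os.path.join(base, n)) for n in os.listdir(base)}


def shared_with_host(proc_links, host_links):
    """Flags of namespaces the process shares with the host (not isolated)."""
    proc, host = parse_links(proc_links), parse_links(host_links)
    return sorted(NS_FLAGS[n] for n in proc if host.get(n) == proc[n])


# Constructed sample: inode numbers are illustrative, not taken from a real host.
HOST = {"cgroup": "cgroup:[4026531835]", "ipc": "ipc:[4026531839]",
        "mnt": "mnt:[4026531840]", "net": "net:[4026531992]",
        "pid": "pid:[4026531836]", "user": "user:[4026531837]",
        "uts": "uts:[4026531838]"}
CONTAINER = {"cgroup": "cgroup:[4026532601]", "ipc": "ipc:[4026532599]",
             "mnt": "mnt:[4026532597]", "net": "net:[4026531992]",
             "pid": "pid:[4026532600]", "user": "user:[4026531837]",
             "uts": "uts:[4026532598]"}

if __name__ == "__main__":
    print("sample container shares:", shared_with_host(CONTAINER, HOST))
    try:  # live check of this process against PID 1
        print("this process shares:", shared_with_host(read_links("self"), read_links(1)))
    except OSError as exc:
        print("live check skipped:", exc)
```

Any flag in the returned list marks a resource on which the process is not isolated from the host, which is the first thing to review when assessing how far a compromise of that process could reach.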

Process

The process is a very important concept in Linux and in current operating systems. It represents an executing program and is also the unit of work in modern time-sharing systems. On every *nix operating system, we can print the processes currently executing with the ps command.

Many processes are executing on the machine, and two of them are very special: the /sbin/init process with pid 1 and the kthreadd process with pid 2. Both are created by idle, the ancestor of all processes in Linux. The former is responsible for part of the kernel initialization and system configuration, and also creates login processes such as getty. The latter is responsible for managing and scheduling other kernel processes.

Docker isolates the network through Linux namespaces and forwards packets through iptables, so that Docker containers can cleanly provide services to the host machine or to other containers.
