Shulou(Shulou.com)06/02 Report--

Definition of Docker:

Docker is an open source application container engine that allows developers to package their applications and dependency packages into a portable container, publish them to any popular Linux machine, and virtualize them. Containers are fully sandboxed and will not have any interface with each other. -- extracted from Baidu Encyclopedia

In fact, although there are many books about docker, it is rare to give a clear definition of docker, because it is difficult to generalize into a concept, but should be more elaborated on its features and technical areas. To sum up some online viewpoints, Docker is a lightweight alternative to virtualization. This technology does not rely on any language, framework, or system, and can turn App into a standardized, portable, self-managed component that can be developed, debugged, and run in any mainstream system without server hardware.

To put it simply, it is very convenient to quickly create a container (similar to a virtual machine) on the Linux system, deploy and run the application on the container, and easily install, deploy and upgrade the application through the configuration file. Because of the use of containers, it is very convenient to separate the production environment from the development environment without affecting each other, which is one of the most common ways of playing docker.

Docker core technology:

Namespace is a Linux kernel technology used to isolate resources. Resources are the surrounding environment seen, used and dependent during the running of the process. There are different kinds of resources, the most typical of which are file system, network system, process PID, IPC resources and so on.

Namespaces Namespace:

PID process isolation

NET management network interface

IPC manages access InterProcess Communication for cross-process communication

MNT management mount point

UTS isolates the kernel and version identification Unix Timesharing System

For user-mode processes, use Namespace through system calls provided by Linux, and these system calls include:

When clone () creates a process, it restricts it to a Namespace

Unshare () detaches a process from a Namespace

Setns () causes a process to join a Namespace

CGroup, originally called Process Container, was proposed by Google engineers in 2006, then changed its name to Control Groups in 2007 and was integrated into the Linux 2.6.24 kernel. It is used to control the resources of a set of processes, including the following functions:

Resource limits (Resource Limitation): limits the total amount of resources used by process groups

Priority control (Prioritization): controls the priority of a process running by assigning the number of CPU time slices to the process group

Resource Statistics (Accounting): counts the resource usage of the system, such as CPU usage time, memory usage, etc.

Process control (Control): perform suspending, resuming, and other operations on a process group

CGroup includes the following concepts:

Task (Task): a Task is a process in a Linux system

Control group (Control Group): the smallest unit of resource control; resource limits, priority control, and so on are all defined on the control group. A task can join a control group or migrate from one control group to another.

Hierarchy: multiple control groups form a tree-like hierarchy called hierarchy.

Subsystem: a subsystem is a type of resource controller. The subsystem must be attached to a level to work.

Cpu: control task's use of cpu

Cpuacct: generate task report on cpu resource usage

Cpuset: assign a separate cpu to task

Blkio: setting input / output limits for block devices

Devices: turns task access to the device on or off

Freezer: suspending or resuming task

Memory: set task limits on memory usage and automatically generate these task reports on memory resource usage

Perfevent: enables task to conduct unified performance testing

Net_cls: allows the Linux flow control program to identify packets generated from a specific cgroup by marking network packets with a level identifier (classid).

AuFS is a layered file system that transparently overwrites one or more existing file systems. Support to mount different directories to the same virtual file system, you can combine different directories together to form a single directory. This is a virtual file system, which can be mounted directly without formatting.

Docker has been using AuFS as the container's file system. When a process needs to modify a file, AuFS creates a copy of the file. AuFS can combine multiple layers into a single-layer representation of a file system. This process is called write replication (copy on write). AuFS allows Docker to use certain images as the basis for the container. For example, you might have a CentOS system image that can be used as the basis for many different containers. Thanks to AuFS, a copy of the CentOS image is sufficient, which saves storage and memory and ensures faster container deployment.

Another benefit of using AuFS is the version container mirroring capability of Docker. Each new version is a simple difference from the previous version, effectively keeping the image files to a minimum. However, it also means that you always have an audit trail that records changes from one version of the container to another.

Basic concepts related to Docker:

Image: mirror, Container is a dynamic concept, while mirroring is a relatively static concept. The image is actually the file system in the container, which can also be said to be an extremely compact environment for running Linux programs.

Container: container, fundamentally speaking, a container (Container) is actually a process running on the operating system, only adding isolation and restrictions on resources. Docker Container is an instantiated object of Image that shares the operating system kernel.

Daemon:

Docker Daemon is the Linux daemon that creates and runs Container, and is also the most important core component of Docker

Docker Daemon can be understood as the Container of Docker Container.

Docker Daemon can bind local ports and provide Rest API services for remote access and control

Registry:docker image repository. When docker requests to use an Image that is not in the current system, docker will find it from the image repository and download it to the system. The place where the docker gets the Image is Registry. By default, registry refers to docker's official repository, that is, Docker Hub Registry (https://hub.docker.com). It should be noted that Docker Hub is privately owned by dotCloud. Currently, there is only one DaoCloud in China that provides proxy caching services. Of course, docker also provides a way to build a private Registry, which will be explained in later chapters.

The three basic components of Docker:

Warehouse Repository

Mirror Image

Container Container

The relationship among the three is as follows: first, docker Repository provides a variety of packaged docker applications, that is, mirror Image;. Secondly, users can search Repository for the image Image they need and download it locally. Finally, users use the downloaded Image to create docker Container.

Capabilities of Docker containers:

File system isolation: each container has its own root file system

Process isolation: each container runs in its own process environment

Network isolation: virtual network interfaces and IP addresses between containers are separated

Resource isolation and grouping: use cgroups to allocate resources such as CPU and memory independently to each Docker container

Usage scenarios of Docker:

1. Develop, test and deploy services using Docker containers

2. Create an isolated operating environment

3. Set up the test environment

4. Build a multi-user platform as a service (PaaS) infrastructure

Provide software as a service (SaaS) applications

6. High-performance, super-large-scale host deployment

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.