What is the technology of Docker container?

2025-04-03 Update From: SLTechnology News&Howtos (Servers)

Shulou (Shulou.com) 05/31 Report

This article introduces the topic "what is the technology of Docker containers". Many people run into questions like this in practice, so let the editor walk you through the material. I hope you read it carefully and take something away from it!

Container technology is virtualization at the operating-system level. On Linux, a container uses kernel features such as namespaces, cgroups and chroot, together with AppArmor or SELinux policy, to deliver an isolated environment that resembles a virtual machine. As the technology has matured, the lightweight, isolated, standardized and mass-deployable nature of containers has driven the popularity of micro-services and cloud-native applications.

Docker container

There is no doubt that Docker is the most popular and widely used container technology. Why? The author summarizes two main reasons.

1. Unlike early container technology, Docker focuses not only on sharing and isolating host resources for applications but also on micro-services, large-scale deployment and automated management of applications. The growth of micro-services and cloud-native applications has greatly increased public acceptance of Docker.

Docker's layered image model makes the packaging of an application environment lighter and more standardized, makes image sharing and distribution easier, and greatly reduces the difficulty of large-scale deployment and operations.

The copy-on-write mechanism and the volume mechanism of the Docker image model fit, and encourage, stateless and micro-service style applications.

Docker advocates one application (process) per container, which is in line with the micro-service concept.

2. Docker is not just a toolkit; it is surrounded by a whole ecosystem, including image registries, container management and scheduling, networking, storage and security. This ecosystem makes it possible to use container technology for large-scale packaging, deployment, operations and management of applications.

Making full use of the characteristics of containers in a production environment also needs a series of tools, products and solutions from that ecosystem. Below we take a closer look at Docker and the container technology ecosystem it represents.

Container ecosystem

The following figure shows the components of the container ecosystem, which we will analyze one by one from the bottom up.

1. Container OS

A container OS is not a necessary condition for running a container; a container can also run on a generic Linux. Most container OSes are condensed versions of a Linux OS. Compared with a large, comprehensive Linux OS, container OSes such as RancherOS, CoreOS, Red Hat Atomic, Ubuntu Core and VMware Photon are lighter and use fewer resources, so they suit more standardized data centers and some areas of IoT. Microsoft also launched Windows Nano Server in 2015 as an installation option for Windows Server 2016; it is more than 90% smaller than a full Windows Server 2016 deployment.

2. Container engine

The container engine is responsible for isolating container applications and sharing host resources among them. It drives and manages all containers on the host, including container volume management, container network management, container configuration, image management and container logs. In the container ecosystem there are two main standards, OCI and AppC, and two main engines, Docker and rkt. The following is a comparison table:

3. Container storage

Generally, what runs in a container is a stateless application. For stateful applications, persisting application data requires the support of container storage. To support third-party storage schemes, Docker introduced the Volume Plugin mechanism in version 1.8. Flocker, as a Volume Plugin, is used together with third-party external storage to provide persistent storage for containers while hiding the differences between storage systems, a position similar to that of Cinder in OpenStack. Torus (development stopped in February 2017; "Development on Torus at CoreOS stopped as of Feb 2017" is quoted from the GitHub Torus project description) and Comet (capacity Cloud), as independent distributed storage systems, can directly provide complete data storage services for containers.

As one of the few self-developed distributed storage systems in China, the Comet storage system not only optimizes performance for containers but also provides enterprise-level storage features such as multi-level data protection and application awareness.

4. Container network

Container networking solves the problem of interconnecting containers after large-scale deployment. There are two models: Docker's native CNM (Container Network Model) and the CNI (Container Network Interface) model backed by CoreOS. In addition to Docker's native libnetwork scheme, there are several commercial container networking schemes in the ecosystem.

Flannel is a CNI-based network scheme designed by CoreOS for Kubernetes. It interconnects containers through a UDP or VXLAN overlay and gives each container created on any node in the cluster a virtual IP address that is unique within the cluster.

Weave is similar to Flannel in many ways. However, Weave uses its own name service to manage IP allocation and does not need a global KV store.

Calico is a pure layer-3 network that uses BGP for routing. Because it does not encapsulate packets the way the overlay models above do, its performance is comparatively the best.

5. Image repository

The image repository provides image storage and pull/push services. Repositories are divided into public repositories (such as Docker Hub and Quay) and private repositories (such as AppHouse and Harbor). The largest public repository is Docker Hub, Docker's official image repository. Because of network access restrictions or data-security considerations, enterprise users can also set up a private image repository in the enterprise's own data center, for example by deploying AppHouse (tolerant Cloud) or Harbor.

Deploying an image repository needs to consider the security of image storage and the fault tolerance of the system. The integrity of image data can be ensured by building on an enterprise storage system or a distributed storage system, and an image repository with high-availability features should be chosen for implementation and deployment.

6. Container security

Containers lack a security boundary like that of a virtual machine. The rapid migration, upgrade and deployment of containers also bring new security risks. Container security can be divided into image security and container runtime security.

Clair is CoreOS's open-source container image security analyzer; it scans images for vulnerabilities and provides repair recommendations. Many vendors have integrated it into their own container platforms.

Twistlock offers protection for both image scanning and container runtime. Aqua's CSP also released version 2.0 in February 2017, and the company says it will integrate better with Kubernetes.

AppSafe is a container security product launched by the domestic container vendor Yourongyun; it can configure intelligent security policies for containers and provide real-time protection according to those policies.

7. Container orchestration

A container platform is a management platform for large-scale deployment, upgrade, operation and maintenance of container applications. Container scheduling and resource scheduling are its core functions. The container platform also provides service discovery, monitoring, scaling out and in, load balancing, grayscale (canary) upgrades, fault tolerance and so on.

8. Operation and maintenance

The container platform runs and manages thousands of containers and applications. How to monitor them in a timely way and collect logs from both the resource dimension (host, container) and the application dimension has become an unavoidable topic when containers enter production. Currently, container monitoring and logging solutions are divided into open-source solutions and SaaS services:

The ELK log analysis system is composed of three open-source tools, Elasticsearch + Logstash + Kibana, providing search, data collection and display respectively. Container-based log monitoring usually uses EFK (Elasticsearch + Fluentd + Kibana), replacing Logstash with the lighter-memory Fluentd to meet the larger and denser log collection requirements of a container platform.

Heapster is an open-source container cluster monitoring and performance analysis tool with native support for Kubernetes and CoreOS. A Kubernetes-based monitoring scheme is generally implemented as Heapster + InfluxDB + Grafana for data collection, storage and display.

Zabbix is a mature open-source distributed monitoring system that has been widely used outside containers. Zabbix consists of a Server on the server side and an Agent on the monitored side. The data to be collected and how it is displayed can be customized through rich templates. A container-based Zabbix monitoring solution needs to take into account Agent deployment and how containers are shown in its views.

Prometheus is an open-source monitoring tool and a widely used monitoring scheme for container platforms. Compared with the query API provided by Heapster, Prometheus is more powerful: it can express complex queries based on labels, and it suits teams with a certain level of technical capability.

Datadog provides SaaS container monitoring. Running the Agent on a monitored host lets Datadog monitor it. The views are simple and easy to use, and its Monitors provide alerting with customizable thresholds, but the cost is high.

cAdvisor is a free, open-source container monitoring tool for a single host that reports the current resource utilization and performance of containers. cAdvisor is easy to use, but a container platform needs to combine it with other open-source tools or products, as it has no alerting of its own. cAdvisor has been integrated into Kubernetes.

Mesos is an open-source distributed resource management framework under Apache. Different distributed computing platforms such as Spark, Storm, Hadoop and Marathon can run on Mesos. Mesos + Marathon can be used to manage large container clusters.

Kubernetes is an open-source project based on Google's Borg. It can realize large-scale, distributed, highly available container clusters. At present most products from domestic container vendors are based on secondary development and packaging of Kubernetes, which will not be discussed here.

Swarm is Docker's native clustering tool; Swarm uses the standard Docker API to manage container clusters.

Container runtime risk: runtime risk comes from many directions. A container that provides a service may receive a DDoS attack, leaving all containers on the host short of resources; improper use of a container can leak the host's root privileges; excessive user permissions can let a container modify host files and crash the system; shared data volumes can let one container on the host tamper with another's data; and so on. Some users have begun to pay attention to container security, and many vendors have launched commercial schemes for container runtime security.
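The runtime risks listed above (no resource limits, leaked host root, host files modified from inside a container, shared data paths) are all visible in a container's `docker inspect` record. The following audit is an added example for this article, not code from the article or from Docker: it reads one inspect record and reports the risky settings. The two records are constructed by hand, but the field names are the ones `docker inspect` really emits (`HostConfig.Privileged`, `HostConfig.Memory`, `HostConfig.PidsLimit`, `HostConfig.CapAdd`, `HostConfig.NetworkMode`, `Mounts`, `Config.User`); the list of dangerous capabilities and sensitive host paths is this author's selection, not an official Docker list.

```python
"""Audit a `docker inspect` record for the container runtime risks above.

Added example; not code from the article or from Docker. On a real host, feed
it the JSON from `docker inspect <container>` instead of the constructed
records at the bottom.
"""
import json

# Host paths that should almost never be bind-mounted into a workload container:
# the Docker socket is equivalent to root on the host, and writes to /etc, /proc
# or /sys from a container are the "modify host files" risk described above.
# (Author's selection, not an official list.)
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/sys", "/var/run/docker.sock", "/run/docker.sock")

# Capabilities that let a process reach the host once granted (author's selection).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "NET_ADMIN"}


def _is_sensitive(path):
    if path in SENSITIVE_HOST_PATHS:
        return True
    return any(path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def audit_container(record):
    """Return a list of (severity, message) findings for one inspect record."""
    host = record.get("HostConfig") or {}
    cfg = record.get("Config") or {}
    findings = []

    if host.get("Privileged"):
        findings.append(("high", "runs --privileged: all capabilities and host devices"))

    # CapAdd may be spelled "SYS_ADMIN" or "CAP_SYS_ADMIN" depending on the client.
    added = {c[4:] if c.startswith("CAP_") else c for c in (host.get("CapAdd") or [])}
    for cap in sorted(added & DANGEROUS_CAPS):
        findings.append(("high", f"dangerous capability added: {cap}"))

    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append(("medium", "process runs as root inside the container"))

    # Memory 0 and PidsLimit 0/null both mean "unlimited": one container can
    # starve the whole host, which is the DDoS scenario described above.
    if not host.get("Memory"):
        findings.append(("medium", "no memory limit set"))
    if not host.get("PidsLimit"):
        findings.append(("medium", "no pids limit set (a fork bomb can exhaust the host)"))

    if host.get("NetworkMode") == "host":
        findings.append(("medium", "shares the host network namespace"))

    for m in record.get("Mounts") or []:
        if m.get("Type") == "bind" and _is_sensitive(m.get("Source", "")):
            mode = "rw" if m.get("RW", True) else "ro"
            findings.append(("high", f"sensitive host path bind-mounted {mode}: {m['Source']}"))
    return findings


# Constructed sample: a carelessly started container ...
WEAK = json.loads("""
{
  "Name": "/legacy-app",
  "Config": {"User": "", "Image": "legacy-app:latest"},
  "HostConfig": {
    "Privileged": true,
    "Memory": 0,
    "PidsLimit": null,
    "CapAdd": ["SYS_ADMIN", "NET_BIND_SERVICE"],
    "NetworkMode": "host"
  },
  "Mounts": [
    {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock", "RW": true},
    {"Type": "volume", "Name": "appdata", "Destination": "/data", "RW": true}
  ]
}
""")

# ... and the same workload with limits, a non-root user and no host paths.
HARDENED = json.loads("""
{
  "Name": "/app",
  "Config": {"User": "10001:10001", "Image": "app:1.4.2"},
  "HostConfig": {
    "Privileged": false,
    "Memory": 268435456,
    "PidsLimit": 200,
    "CapAdd": [],
    "NetworkMode": "bridge"
  },
  "Mounts": [
    {"Type": "volume", "Name": "appdata", "Destination": "/data", "RW": true}
  ]
}
""")

if __name__ == "__main__":
    for rec in (WEAK, HARDENED):
        print(rec["Name"])
        for sev, msg in audit_container(rec) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

The weak record produces seven findings (three high, four medium) and the hardened one produces none. The same rules can be run across `docker inspect $(docker ps -q)` output on a host, or wired into the platform's admission step so that a container with high findings is never scheduled.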

Image security: using an image of unknown origin from the Internet, downloading an unknown image as a base image, creating an image without strict restrictions and controls on ports and services, malicious programs in the Dockerfile, and so on, all lead to images with high-risk vulnerabilities. It is recommended to control image security at two stages: when the image is submitted to the image repository, and by scanning images periodically and promptly updating for published or newly discovered vulnerabilities.

This is the end of "what is the technology of Docker containers". Thank you for reading. If you want to know more about the industry, you can follow the website; the editor will publish more high-quality practical articles for you!
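The first control point above, checking an image when it is submitted to the repository, can start before the image is even built, with a policy check on the Dockerfile in the CI job that builds it. The checker below is an added example for this article, not code from the article or from any scanner it names; its rules are this author's heuristics for the risks the paragraph lists (unpinned or unknown base images, build steps that pull unknown content, uncontrolled exposed ports, and images that run as root). The two Dockerfiles are constructed samples, and `example.invalid` is a reserved non-existent host.

```python
"""Dockerfile policy check for the submit-to-repository stage.

Added example; not code from the article or from any scanner it names.
"""
import re

# "curl ... | sh" style installs execute unreviewed remote code at build time.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")


def parse_dockerfile(text):
    """Return [(INSTRUCTION, arguments)] with comment lines dropped and
    backslash-continued lines joined."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        parts = buf.split(None, 1)
        instructions.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
        buf = ""
    if buf:  # file ended inside a continuation; keep what we have
        parts = buf.split(None, 1)
        instructions.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return instructions


def base_image_finding(image, stage_names):
    """Flag mutable base-image references; None when the reference is acceptable."""
    if not image or image.lower() == "scratch" or image in stage_names:
        return None
    if "@sha256:" in image:
        return None  # digest-pinned: the strongest form of pinning
    name, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:  # no ':' at all, or the ':' was a registry port
        return f"base image '{image}' has no tag and silently resolves to :latest"
    if tag == "latest":
        return f"base image '{image}' uses the mutable :latest tag"
    return None


def check_dockerfile(text, allowed_ports=frozenset()):
    """Return a list of policy findings; an empty list means the Dockerfile passes."""
    findings, stage_names, last_user = [], set(), None
    for instr, args in parse_dockerfile(text):
        if instr == "FROM":
            tokens = [t for t in args.split() if not t.startswith("--")]  # drop --platform=
            image = tokens[0] if tokens else ""
            finding = base_image_finding(image, stage_names)
            if finding:
                findings.append(finding)
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                stage_names.add(tokens[2])
            last_user = None  # every stage starts as root again
        elif instr == "USER":
            last_user = args.split(":")[0].strip()
        elif instr == "ADD" and re.search(r"\bhttps?://", args):
            findings.append("ADD downloads remote content at build time; fetch it explicitly and verify a checksum")
        elif instr == "RUN" and PIPE_TO_SHELL.search(args):
            findings.append("RUN pipes a downloaded script straight into a shell")
        elif instr == "EXPOSE":
            for spec in args.split():
                port = spec.split("/")[0]
                if not port.isdigit():
                    findings.append(f"EXPOSE '{spec}' is not a single numbered port; review it manually")
                elif int(port) not in allowed_ports:
                    findings.append(f"EXPOSE {spec} is outside the approved port set {sorted(allowed_ports)}")
    if last_user in (None, "", "root", "0"):
        findings.append("final stage sets no non-root USER; the container process will run as root")
    return findings


WEAK_DOCKERFILE = """\
# constructed sample: a typical first attempt
FROM python:latest
RUN apt-get update && \\
    apt-get install -y curl
RUN curl -sSL https://example.invalid/install.sh | sh
ADD https://example.invalid/app.tar.gz /opt/
COPY . /app
EXPOSE 8080 22
CMD ["python", "/app/main.py"]
"""

HARDENED_DOCKERFILE = """\
# constructed sample: same application, policy-clean
FROM python:3.12-slim
COPY --chown=10001:10001 . /app
EXPOSE 8080
USER 10001
CMD ["python", "/app/main.py"]
"""

if __name__ == "__main__":
    for name, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(name, check_dockerfile(df, allowed_ports={8080}) or ["no findings"])
```

The weak Dockerfile yields five findings and the hardened one none. Pinning the base image by tag is accepted here; pinning by `@sha256:` digest is stricter and is also accepted. This check complements, rather than replaces, the vulnerability scanner (Clair and the commercial products named above), which inspects the built image's packages; the second control point, periodic rescanning, still has to run against the repository because new vulnerabilities are published after an image has passed.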
