How to realize the underlying technology of docker container

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains how the underlying technology of a Docker container is implemented. Many people run into this question in practice, so let the editor walk you through it. I hope you read it carefully and take something away from it.

Before discussing whether a container includes an operating system, let's look at two pictures, shown below:

In figure 1 the Docker engine is drawn underneath the application, in the position a virtual machine would occupy. Docker's virtualization replaces the virtual machine but is more lightweight; this picture looks easy to understand and accept.

In figure 2 the Docker engine is drawn beside the application. In this picture the process runs directly on the virtual machine, and the Docker container only assists and manages it from the side; otherwise there is no difference. Figure 1 is also the usual way of drawing it in slides and on the Internet. Is it really correct? The answer follows.

Implementation of container underlying technology

The bottom layer of Docker is implemented mainly by two Linux technologies: cgroups and namespaces. Cgroups implement resource quotas, and namespaces implement resource isolation.

These two concepts sound very abstract, but an example makes everything clear. Execute docker exec -it 5080b69f08c4 /bin/bash to enter a Tomcat container, then run ps:

[root@tomcat-7c5857b68f-fzrbr /]# ps aux | grep tomcat
root         1 79.1 23.4 10168216 3788616 ?  Ssl  Oct22 8559:52 /usr/java/jre/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap start
root       109  0.0  0.0   9052   668 pts/0    S+   19:24   0:00 grep --color=auto tomcat

After running ps inside the container, only two processes show up: my service and the ps I just ran. The processes inside the container are completely isolated from the services on our host. What is actually isolated is the application's process space: the processes in that space only see PIDs renumbered from scratch. This is the Linux namespace mechanism. At the bottom it is implemented through the clone() function: when Docker creates the process it passes flags that give it a new PID namespace, which is how the process ends up with PID 1. You can verify this on the host: the service running in this container appears on the host as the same process, except that there its PID is the real one.

Besides the PID namespace just mentioned, Linux also provides Mount, UTS, IPC, Network and User namespaces, among others. Their effect is to isolate the process's context so that it only sees the specified content.

As mentioned above, a namespace only hides the host's processes from those inside the container; the host can still see the isolated processes, and to the host they are no different from any other process. So can the Tomcat in the example above consume host resources at will? No: Docker uses Linux's Cgroups to restrict resources.

Linux Cgroups is short for Linux Control Groups. Its main function is to set an upper limit on the resources a process group can use, including CPU, memory, disk and network bandwidth.

Go to /sys/fs/cgroup/ inside the container: it contains many subdirectories, and the files in these directories are what restrict the various resources.
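As an added example (not from the article), here is how a process can locate the cgroup it belongs to and read the limit files that apply to it. It assumes a cgroup v2 host, where /proc/self/cgroup carries a single 0:: line and the limits live in files such as memory.max directly under the cgroup directory; on a cgroup v1 host the lookup returns -1.

```c
#include <stdio.h>
#include <string.h>

/* Find the cgroup v2 path of a process from the text of its /proc/<pid>/cgroup
 * file: the line that starts with "0::" (cgroup v1 hosts have no such line).
 * Returns 0 and fills `out`, or -1 if there is no v2 entry or it does not fit. */
int cgroup_v2_path(const char *proc_cgroup_text, char *out, size_t outlen) {
    const char *line = proc_cgroup_text;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len > 3 && strncmp(line, "0::", 3) == 0) {
            if (len - 3 >= outlen) return -1;
            memcpy(out, line + 3, len - 3);
            out[len - 3] = '\0';
            return 0;
        }
        line = nl ? nl + 1 : NULL;
    }
    return -1;
}

/* Read one limit file (memory.max, cpu.max, pids.max, ...) from that cgroup's
 * directory under /sys/fs/cgroup. Inside a container the path is usually "/",
 * so the files sit directly in /sys/fs/cgroup, as the article describes.
 * Returns 0 with the first line (newline stripped), or -1 if unreadable. */
int read_cgroup_limit(const char *cgpath, const char *file, char *out, size_t outlen) {
    char path[1024];
    snprintf(path, sizeof path, "/sys/fs/cgroup%s/%s", cgpath, file);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    char *ok = fgets(out, (int)outlen, f);
    fclose(f);
    if (!ok) return -1;
    out[strcspn(out, "\n")] = '\0';
    return 0;
}

int main(void) {
    char text[4096], cg[512], val[128];
    FILE *f = fopen("/proc/self/cgroup", "r");          /* this process's own entry */
    size_t n = f ? fread(text, 1, sizeof text - 1, f) : 0;
    if (f) fclose(f);
    text[n] = '\0';
    if (cgroup_v2_path(text, cg, sizeof cg) != 0) { puts("no cgroup v2 entry for this process"); return 0; }
    printf("cgroup path: %s\n", cg);
    const char *files[] = { "memory.max", "cpu.max", "pids.max" };
    for (int i = 0; i < 3; i++)
        printf("%-10s %s\n", files[i], read_cgroup_limit(cg, files[i], val, sizeof val) == 0 ? val : "(unavailable)");
    return 0;
}
```

Run it inside a container started with a memory limit and memory.max shows that limit in bytes; run it on the host and the path points into the systemd slice hierarchy instead.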

Having seen this, savor it once more: a container is just a process.

What do you mean, a process? In the example above, quite apart from the ps I ran in the Tomcat container, there are obviously two processes, and as I said I can also run other services in this container; those are all running processes. How can that be called one process? If you don't believe it, go into an nginx container and look at ps; it has even more processes.

root         1  0.0  0.0  54952  4416 ?     Ss   Oct29   0:00 nginx: master process /usr/xshj/openresty/nginx/sbin/nginx -g daemon off
xshj         6  0.0  0.1  76164 23380 ?     S    Oct29   0:00 nginx: worker process
xshj         7  0.0  0.1  76164 23380 ?     S    Oct29   0:00 nginx: worker process
xshj         8  0.0  0.1  76164 23392 ?     S    Oct29   0:00 nginx: worker process
xshj         9  0.0  0.1  76300 23392 ?     S    Oct29   0:00 nginx: worker process
root        25  0.0  0.0  12484   992 pts/0  S+   18:47   0:00 grep --color=auto nginx

By "one process" I mean that only one process is controlled by Docker. The other processes are running too, but Docker does not manage them; they are wild processes, and if the master dies, all the others die with it. This is why the command in a Dockerfile's CMD must not run in the background. Simply put, a Docker container keeps running only while its No. 1 process (PID 1) is running; when PID 1 exits, so does the container. Beginners and people who have not done Docker-related development often run into this: "my container just started, why did it exit?" Because it needs a foreground process to hold it up. For example, to run nginx we use ENTRYPOINT ["/usr/sbin/nginx", "-g", "daemon off;"].

A single-process container does not mean only one process can run in the container; it means the container has no ability to manage multiple processes, because the PID 1 process in the container is the application itself, and the other processes are its children.
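Both points made above, the PID namespace that clone() creates and the rule that the container dies with PID 1, can be watched in a few dozen lines of C. This is an added example, not the article's or Docker's code: it clones a child with the namespace flags a runtime passes, lets that child act as PID 1, fork a "background service" and exit, and then checks through a shared pipe whether the kernel killed the background process. It assumes Linux with either CAP_SYS_ADMIN or unprivileged user namespaces; where both are unavailable it reports that clone() was refused.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <poll.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
struct demo_result {
    int init_pid_inside; /* PID the namespace's init saw: 1, or -1 if clone() was refused */
    int orphan_killed;   /* 1 if the kernel killed the background child once init exited */
};
static char child_stack[1024 * 1024]; /* clone() needs a stack for the child; it grows down */

/* PID 1 of the new namespace: forks a 5 s "background service" (a daemonized CMD), then exits. */
static int init_fn(void *arg) {
    int *wr = arg;                             /* write end of the parent's pipe */
    if (fork() == 0) { sleep(5); _exit(0); }   /* the background child keeps it open */
    close(*wr);
    return (int)getpid();
}

/* clone() a "container init" with the flags a runtime uses and learn, via the pipe, whether
 * its background child outlived it. Falls back to a user namespace without CAP_SYS_ADMIN. */
struct demo_result run_demo(void) {
    struct demo_result r = { -1, 0 };
    int pfd[2];
    if (pipe(pfd) == -1) return r;
    int flags = CLONE_NEWPID | CLONE_NEWUTS | CLONE_NEWNS | SIGCHLD;
    pid_t pid = clone(init_fn, child_stack + sizeof child_stack, flags, &pfd[1]);
    if (pid == -1 && errno == EPERM)
        pid = clone(init_fn, child_stack + sizeof child_stack, flags | CLONE_NEWUSER, &pfd[1]);
    close(pfd[1]);
    if (pid != -1) {
        int status = 0;
        if (waitpid(pid, &status, 0) == pid && WIFEXITED(status))
            r.init_pid_inside = WEXITSTATUS(status);
        /* POLLHUP arrives only when every holder of the write end is gone; a surviving
         * orphan would hold it for ~5 s, longer than this 3 s wait. */
        struct pollfd p = { pfd[0], POLLIN, 0 };
        r.orphan_killed = poll(&p, 1, 3000) == 1;
    }
    close(pfd[0]);
    return r;
}

int main(void) {
    struct demo_result r = run_demo();
    printf("init saw PID %d (-1: clone refused); orphan killed: %d\n", r.init_pid_inside, r.orphan_killed);
    return 0;
}
```

With namespaces available it reports that init saw PID 1 and that the orphan was killed: the backgrounded service died the moment PID 1 left, which is exactly what a daemonizing CMD does to a container.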

Moreover, a Pod is the smallest unit of scheduling in K8s. Why can't that unit be a container, and why was the Pod concept needed? Because a container is in single-process mode, while a Pod is a process group. Through the concept of a process group, a Pod can organize containers to run together "in principle" and thus manage each of them. What K8s does is map the concept of a process group onto container technology.

In-depth understanding of container technology

In fact, the core technology of Docker can be summarized as: enable namespace configuration for the process to be created, specify its Cgroup parameters, and switch its root directory. In essence it is just an ordinary process running on the host.

Some will object: the characteristic container technology has emphasized since its birth is consistency, so if it is no different from an ordinary process, how is consistency guaranteed? The answer is simple: a Docker image packages not only the application but also the files and directories of an entire operating system (note: the operating system's files and directories). Docker packages all of an application's dependencies, including the operating system's files and directories, into one image, and so solves consistency from development to production by packaging at the operating-system level.

Once you understand the nature of the container, you can solve many practical problems. For example, I have an old project in which two services are tightly coupled; following the K8s Pod orchestration model would be very expensive to change. In that case you can consider packaging both services into one image, starting one as the main process and running the other in the background. But you have to manage the background process yourself, and frankly nobody will know if that service dies. This is exactly why a K8s Pod manages several closely related processes in an organized way.

To sum up: a container is a process on the host whose resources are restricted and whose view is isolated. The host operating system has only one kernel, so all containers depend on that kernel. For example, if I need two containers on the same host that depend on different kernel versions, or on different kernel parameters, that cannot be done; this is one of the main defects of containerization compared with virtual machines.

What about the packaged operating system?

Searching the Internet, there is a lot of talk that Docker can package the operating system. This is inaccurate and easy to misunderstand. Let's start with a set of concepts: kernel, operating system and distribution.

The Linux kernel is the core of the Linux operating system; it is what Linus originally wrote.

The Linux operating system is the combination of the kernel and user space (libraries, GNU utilities, configuration files, etc.).

A Linux distribution is a specific version of the Linux operating system, such as Debian, CentOS or Alpine.

Most Dockerfile writers explicitly or implicitly rely on a specific Linux distribution running in the container, for example:

$cat
