
Namespace and Cgroup of Docker

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Blog outline:

I. Overview of Docker

II. Namespace concept

III. Basic concepts and examples of Cgroup

I. Overview of Docker

1. Introduction to Docker

Docker is the most popular project in the open source community: an open source tool for running applications in Linux containers, in effect a lightweight "virtual machine". All of Docker's source code is maintained at https://github.com/docker, and its official website is https://www.docker.com.

Docker's logo is a blue whale carrying many containers (figure not reproduced here). The whale can be thought of as the host, and the containers as isolated boxes, each carrying its own application. This matches Docker's design goal, "Build, Ship and Run Any App, Anywhere": by managing the life cycle of application components (packaging, release, deployment, operation, and so on), it achieves "package once, run everywhere" at the level of the application component. A component here can be a single application, a set of services, or even a complete operating system.

2. The difference between Docker and virtual machines

As a lightweight form of virtualization, Docker has significant advantages over traditional virtual machines (comparison figure not reproduced here).

Docker's advantages come from operating-system-level virtualization. A traditional virtual machine needs an additional hypervisor and a guest operating system layer, whereas a Docker container is virtualized directly on top of the host operating system (figure not reproduced here).

3. Usage scenarios of Docker

Today we need to create applications that run on cloud platforms easily, which means breaking away from the underlying hardware, and we also need to reach these resources at any time and from any place. This is what Docker provides.

Docker's container technology makes it easy to build a lightweight, portable, self-sufficient container for any application. Packaging an application in such a container removes the tedious, repetitive work of redeploying and debugging it, and greatly improves productivity.

For example, if the server is migrated from Tencent Cloud to Aliyun, if Docker container technology is used, you only need to start the required container on the new server.

4. Advantages of Docker

Flexibility: even complex applications can be containerized.

Lightweight: containers share the host kernel.

Immediacy: updates and upgrades can be deployed at any time.

Versatility: package once, run everywhere.

Scalability: the number of container replicas can be adjusted at will.

II. Namespace concept

Virtualization technology is used to solve the coupling problem between the host and the virtual machine (referred to as "decoupling"). Traditional virtualization is complete decoupling, while Docker's virtualization is semi-decoupling.

Coupling: the phenomenon that two or more systems, or two forms of motion, influence each other or even merge through their interaction.

Decoupling: removing that coupling and the conflicts it causes.

How does Docker decouple? It relies on the Namespace (namespace).

Namespace: a mechanism Linux provides to separate resources such as the process tree, network interfaces, mount points, and inter-process communication.

In Docker, namespaces implement six kinds of isolation (figure not reproduced here).

Docker uses namespaces to isolate containers from each other and from the Docker host.

When Docker creates a container, it creates new instances of the six namespaces above and places all of the container's processes into them. The container's parent process therefore sees only its own child processes and knows nothing about the other processes on the host, which creates the "illusion" of an independent system.
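The isolation described above can be checked from the Docker host, because Linux exposes each process's namespace membership as symbolic links under /proc/<pid>/ns. The script below is an added example and is not code from the original article. It assumes the standard six namespace types Docker uses (uts, ipc, pid, net, mnt, user), and that the container's init PID is obtained on the host with `docker inspect --format '{{.State.Pid}}' <container>` while PID 1 stands for the host itself. Two processes whose link targets differ for a type are in separate namespaces of that type; a container started with host networking, for example, would show "net shared".

```shell
#!/bin/sh
# Added example (not from the article): report which namespaces two processes
# share, by comparing the identifiers under /proc/<pid>/ns.
# Assumption: the six namespace types below are the ones Docker isolates.
NS_TYPES="uts ipc pid net mnt user"

# Identifier of one namespace of a process, e.g. "pid:[4026531836]".
ns_id() {
    readlink "/proc/$1/ns/$2"
}

# Succeeds when the two processes are in different namespaces of the given type.
ns_isolated() {
    [ "$(ns_id "$1" "$2")" != "$(ns_id "$3" "$2")" ]
}

# One line per namespace type: "<type> isolated" or "<type> shared".
ns_report() {
    for t in $NS_TYPES; do
        if ns_isolated "$1" "$t" "$2"; then
            echo "$t isolated"
        else
            echo "$t shared"
        fi
    done
}

# Number of namespace types the two processes share (0 for a fully isolated container).
ns_shared_count() {
    ns_report "$1" "$2" | grep -c ' shared$'
}

# Usage on the Docker host (assumed invocation, not run here):
#   ns_report 1 "$(docker inspect --format '{{.State.Pid}}' test)"
```

A fully isolated container reports all six types as isolated against PID 1; any "shared" line points at a namespace the container was deliberately (or accidentally) given from the host.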

If the Docker host runs CentOS and the container being run is also CentOS, the necessary directories and files, including the host's kernel, are provided from the Docker host by soft links. If the container runs Ubuntu instead, its directories and files will always differ somewhat from the CentOS host, so a Busybox layer (a "deception layer") is needed.

If you need to deploy services that require a specific kernel version, container virtualization such as Docker is not suitable; use a virtualization technology such as KVM instead.

The Docker service itself does not occupy a port; it simply keeps running in the background.

III. Basic concepts and examples of Cgroup

Cgroup (control group): a mechanism provided by the Linux kernel that Docker uses to restrict a container's use of Docker host resources.

Four functions of Cgroup:

1) Resource limit: Cgroup can limit the total amount of resources used by a process group.

2) Priority allocation: the number of CPU time slices and the disk IO bandwidth allocated to a group in effect control the priority of its processes.

3) Resource statistics: Cgroup can account for system resource usage, such as CPU time and memory used, for example for usage-based billing. Suspension is also supported, that is, all resources of a group are restricted through the cgroup so that none can be used. Note that this does not mean the program cannot run at all, only that it cannot obtain resources and sits in a waiting state.

4) Process control: a process group can be suspended, resumed, and so on.

Through Cgroup we can precisely control the allocation, priority, denial, management, and monitoring of system resources. When a service inside a Docker container is disturbed by outside interference, the effect can then be confined to that container without affecting the host or other containers, which improves security.

Docker restricts the resources used by the container through the following aspects:

Restrict CPU; restrict memory and SWAP; restrict block IO

Examples are as follows:

1. Limit CPU

[root@localhost ~]# cat /sys/fs/cgroup/cpu/cpu.shares
1024
// the host's default CPU weight is 1024
[root@localhost ~]# docker run -it --name test centos:7
// create a container for testing
[root@6afc120f16e1 /]# cat /sys/fs/cgroup/cpu/cpu.shares
1024
// by default the container's CPU weight is also 1024

Leaving the container unrestricted is dangerous: the Docker host and the container have the same CPU weight, so when they compete for CPU the ratio is 1:1. In a production environment some restriction is clearly needed, as follows:

[root@localhost ~]# docker run -it --name test1 -c 512 centos:7
// run a container named test1 from the centos image with a CPU weight of 512
// the setting is simple: just add the "-c" option
[root@fc842b8af840 /]# cat /sys/fs/cgroup/cpu/cpu.shares
512
// verify that the setting took effect

2. Limit physical memory and Swap

Container memory consists of two parts: physical memory and Swap (the swap partition).

You can control the container's memory usage with the following parameters:

-m or --memory: set the memory usage limit
--memory-swap: set the memory + swap usage limit

[root@localhost ~]# cat /sys/fs/cgroup/memory/memory.limit_in_bytes
9223372036854771712
// check the host's memory limit (in bytes); such a large number means there is no limit
[root@localhost ~]# docker run -it --name test2 centos:7
[root@d65dd3da663c /]# cat /sys/fs/cgroup/memory/memory.limit_in_bytes
9223372036854771712
// check the container's limit on host memory (in bytes); such a large number means there is no limit

As the output above shows, this is not safe, so a limit should be set as follows:

[root@localhost ~]# docker run -it --name test4 -m 200m --memory-swap 300m centos:7
// create a container limited to at most 200m of memory and 100m of swap
// --memory-swap: this value is physical memory plus swap
[root@3de51b7474c5 /]# cat /sys/fs/cgroup/memory/memory.limit_in_bytes
209715200
// check that the physical memory limit is in effect (in bytes); convert the value to verify it
[root@3de51b7474c5 /]# cat /sys/fs/cgroup/memory/memory.memsw.limit_in_bytes
314572800
// check that the memory + swap limit is in effect (in bytes); this value is physical memory plus swap

3. Restrict block IO
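The CPU and memory checks above are done by reading raw cgroup v1 files and converting the numbers by hand. The script below, an added example rather than code from the article, does that conversion: it reports memory.limit_in_bytes in MiB or "unlimited" (the 9223372036854771712 sentinel seen above), derives the swap budget as memsw minus memory (the article's 300m - 200m = 100m), and turns cpu.shares into the share of CPU a group receives when contending with a sibling of a given weight (512 against the default 1024 is one third). The cgroup directory is passed as an argument, so the same functions work on /sys/fs/cgroup/cpu and /sys/fs/cgroup/memory inside a container or on the constructed test tree that make_sample_tree builds from the article's values (the test4 tree's cpu.shares of 512 is a constructed addition).

```shell
#!/bin/sh
# Added example (not from the article): read cgroup v1 limit files and report
# them in human terms. Assumes the cgroup v1 file names used in the article
# (memory.limit_in_bytes, memory.memsw.limit_in_bytes, cpu.shares).

# Value the kernel reports when no memory limit is set (seen on the unrestricted containers above).
NO_LIMIT=9223372036854771712

# Whole MiB for a byte count (integer division).
bytes_to_mib() {
    echo $(( $1 / 1048576 ))
}

# Physical-memory limit of the cgroup directory $1, in MiB, or "unlimited".
mem_limit_mib() {
    limit=$(cat "$1/memory.limit_in_bytes")
    if [ "$limit" = "$NO_LIMIT" ]; then
        echo unlimited
    else
        bytes_to_mib "$limit"
    fi
}

# Swap the cgroup may use beyond its memory limit, in MiB (--memory-swap is memory + swap).
swap_budget_mib() {
    limit=$(cat "$1/memory.limit_in_bytes")
    memsw=$(cat "$1/memory.memsw.limit_in_bytes")
    if [ "$limit" = "$NO_LIMIT" ] || [ "$memsw" = "$NO_LIMIT" ]; then
        echo unlimited
    else
        bytes_to_mib $(( memsw - limit ))
    fi
}

# Percentage of CPU the cgroup $1 gets when contending with one sibling of weight $2.
# cpu.shares is relative, so 512 against 1024 yields one third.
cpu_share_percent() {
    mine=$(cat "$1/cpu.shares")
    echo $(( mine * 100 / (mine + $2) ))
}

# Constructed cgroup tree mirroring the article's numbers, so the functions can be
# exercised without Docker or root. Prints the directory it created.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/unlimited" "$root/test4"
    echo "$NO_LIMIT" > "$root/unlimited/memory.limit_in_bytes"
    echo "$NO_LIMIT" > "$root/unlimited/memory.memsw.limit_in_bytes"
    echo 1024 > "$root/unlimited/cpu.shares"
    echo 209715200 > "$root/test4/memory.limit_in_bytes"        # -m 200m
    echo 314572800 > "$root/test4/memory.memsw.limit_in_bytes"  # --memory-swap 300m
    echo 512 > "$root/test4/cpu.shares"                         # -c 512 (constructed)
    echo "$root"
}

# Usage inside a container (assumed invocation, not run here):
#   mem_limit_mib /sys/fs/cgroup/memory; swap_budget_mib /sys/fs/cgroup/memory
#   cpu_share_percent /sys/fs/cgroup/cpu 1024
```

Reading the files from inside the container, as the article does, confirms what the kernel enforces rather than what the `docker run` command line asked for, which is the check worth automating.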

Block IO: the read and write performance of the disk.

In Docker you can control a container's disk read/write IO by setting weights, or by limiting bps and iops.

bps: amount of data read or written per second
iops: number of IO operations per second

By default all containers can read and write the disk equally; the priority of a container's block IO can be changed with the "--blkio-weight" parameter.

Common options are:

--device-read-bps: limit the read bps of a device
--device-write-bps: limit the write bps of a device
--device-read-iops: limit the read iops of a device
--device-write-iops: limit the write iops of a device

By default, a container is run without restriction:

[root@3de51b7474c5 /]# time dd if=/dev/zero of=test.out bs=1M count=800 oflag=direct
// oflag=direct selects direct IO when writing the file, so that --device-write-bps takes effect; this mainly tests write performance
800+0 records in
800+0 records out
838860800 bytes (839 MB) copied, 1.6379 s, 512 MB/s
// the result: written at 512 MB/s
real    0m2.022s
user    0m0.001s
sys     0m1.146s
[root@localhost ~]# docker run -it --name test5 --device-write-bps /dev/sda:30M centos:7
// create a container with a write limit of 30M
[root@f5bd3f122881 /]# time dd if=/dev/zero of=test.out bs=1M count=800 oflag=direct
800+0 records in
800+0 records out
838860800 bytes (839 MB) copied, 26.6317 s, 31.5 MB/s
// the measured rate is slightly above the configured 30M, but the drop from 512 MB/s to 31.5 MB/s shows the limit is in effect
real    0m26.633s
user    0m0.004s
sys     0m2.097s
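The apparent overshoot in the last run is a units mismatch rather than a weak limit: Docker reads "30M" as 30 * 1024 * 1024 bytes per second, while dd's "MB/s" figure is decimal (10^6), so a correctly enforced 30 MiB/s limit prints as about 31.5 MB/s. The script below is an added example, not code from the article; it converts a Docker size string to bytes per second, recomputes the rate from a dd summary line in MiB/s, and checks the line against the limit with a small tolerance. The two dd lines embedded in it are constructed copies of the output shown above.

```shell
#!/bin/sh
# Added example (not from the article): compare dd's measured throughput with a
# --device-write-bps limit in the same unit. Assumes dd summary lines in the
# format shown above ("... copied, 26.6317 s, 31.5 MB/s") and Docker's binary
# interpretation of the K/M/G suffixes.

# Constructed copies of the two dd summary lines from the article.
DD_UNLIMITED="838860800 bytes (839 MB) copied, 1.6379 s, 512 MB/s"
DD_LIMITED="838860800 bytes (839 MB) copied, 26.6317 s, 31.5 MB/s"

# Bytes per second for a Docker size string such as 30M (K/M/G are binary units).
docker_size_to_bytes() {
    num=${1%[KkMmGg]}
    case ${1#"$num"} in
        K|k) echo $(( num * 1024 )) ;;
        M|m) echo $(( num * 1024 * 1024 )) ;;
        G|g) echo $(( num * 1024 * 1024 * 1024 )) ;;
        "")  echo "$num" ;;
    esac
}

# Throughput from a dd summary line in MiB/s with one decimal; the byte count is
# field 1 and the elapsed seconds is the field just before the "s," token.
dd_rate_mib() {
    printf '%s\n' "$1" | awk '{
        secs = 0
        for (i = 2; i <= NF; i++) if ($i == "s,") secs = $(i - 1)
        if (secs == 0) exit 2
        printf "%.1f\n", $1 / secs / 1048576
    }'
}

# Succeeds when the dd line stays within the limit (a Docker size string) plus 5%.
write_limit_honored() {
    bytes_per_s=$(docker_size_to_bytes "$2")
    printf '%s\n' "$1" | awk -v limit="$bytes_per_s" '{
        secs = 0
        for (i = 2; i <= NF; i++) if ($i == "s,") secs = $(i - 1)
        if (secs == 0) exit 2
        exit ($1 / secs <= limit * 1.05) ? 0 : 1
    }'
}

# Usage (assumed invocation, not run here):
#   dd_rate_mib "$DD_LIMITED"               -> 30.0 MiB/s
#   write_limit_honored "$DD_LIMITED" 30M   -> exit 0, limit respected
```

Running dd_rate_mib on the limited line gives 30.0 MiB/s, so the 30M cap was honored; the same check against the unrestricted run (about 488 MiB/s) fails, which is the signal a container was started without the limit.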
