A very detailed summary of Docker learning notes

Source: Internet
Author: User
Tags: bind, commit, socket, iptables, docker ps, docker hub, docker run, docker registry

1. Docker Introduction

Docker has two main components:

  • Docker: the open source container virtualization platform
  • Docker Hub: the Docker hub for sharing and managing Docker containers

Docker uses a client-server (C/S) architecture. The Docker client talks to the Docker daemon, which does the heavy lifting: building, running and distributing your Docker containers. Client and daemon can run on the same system, or the Docker client can connect to a remote Docker daemon. The client and daemon communicate over a socket or through the RESTful API.

1.1 Docker Daemon

As shown in the figure above, the Docker daemon runs on a single host. The user does not interact with the daemon directly; instead the user goes through the Docker client.

1.2 Docker Client

The Docker client, which is in practice the docker binary, is the main way users interact with Docker. It accepts the user's commands, passes them to the Docker daemon behind it and relays the results back.

1.3 Docker Internals

To understand Docker's internal structure, you need to understand the following three parts:

  • Docker images
  • Docker registries
  • Docker containers

Docker Images

A Docker image is a read-only template from which Docker containers are run. Each image is made up of a series of layers. Docker uses UnionFS to combine these layers into a single image. UnionFS allows files and directories of separate file systems (called branches) to be transparently overlaid, forming a single coherent file system. These layers are why Docker is so lightweight. When you change a Docker image, for example by upgrading a program to a new version, a new layer is created. So instead of replacing the whole original image or rebuilding it (as you might do with a virtual machine), only a new layer is added or upgraded. You no longer have to redistribute the whole image, only the upgrade, and layers make distributing Docker images simple and fast.

Docker Registries

A Docker registry is used to store images and can be thought of as a code repository in version control. Like code repositories, Docker registries can be public or private. The public Docker registry is called Docker Hub. Docker Hub provides a large collection of images to use; these images can be built from scratch or on top of someone else's image. The Docker registry is the distribution part of Docker.

Docker Containers

Docker containers are similar to folders: a Docker container holds everything an application needs to run. Each Docker container is created from a Docker image. Docker containers can be run, started, stopped, moved and deleted. Each Docker container is an isolated and secure application platform, and the Docker container is the running part of Docker.

1.4 Libcontainer

Starting with version 0.9, Docker uses libcontainer instead of LXC. The interaction between libcontainer and the Linux system is shown below:

Image source: Docker 0.9: introducing execution drivers and libcontainer

1.5 Namespaces

PID namespace

Processes of different users are separated by PID namespaces, and the same PID can be reused in different namespaces. PID namespaces have the following characteristics:

  • Each namespace has its own process with pid=1 (similar to the /sbin/init process).
  • A process in a namespace can only affect processes in its own namespace or in child namespaces.
  • Because /proc lists the running processes, the /proc pseudo-filesystem inside a container only shows the processes in its own namespace.
  • Because namespaces can be nested, a parent namespace can affect the processes of its child namespaces, so a child namespace's processes are visible in the parent namespace, but with different PIDs.

Reference document: Introduction to Linux namespaces – part 3: PID

MNT namespace

Similar to chroot, a process is placed into a specific directory to run. The MNT namespace lets processes in different namespaces see different file system structures, so each namespace's processes see an isolated directory tree. Unlike chroot, the information in /proc/mounts for each container only contains the mount points of that namespace.

Network isolation is achieved through the NET namespace: each net namespace has its own network devices, IP addresses, IP routing tables and /proc/net directory, so each container's network can be isolated. By default Docker uses a veth pair to connect the virtual NIC inside the container to a Docker bridge on the host.

Reference document: Introduction to Linux namespaces – part 5: NET

UTS namespace

The UTS ("UNIX Time-sharing System") namespace allows each container to have its own hostname and domain name, so it can be seen as a separate node on the network rather than as a process on the host.

Reference document: Introduction to Linux namespaces – part 1: UTS

IPC namespace

Process interaction inside a container also uses the common Linux inter-process communication (IPC) mechanisms: semaphores, message queues and shared memory. Unlike with VMs, however, container process interaction is in fact interaction between processes in the same PID namespace on the host, so namespace information has to be added to IPC resource requests; each IPC resource has a unique 32-bit ID.

Reference document: Introduction to Linux namespaces – part 2: IPC

User namespace

Each container can have its own user and group IDs, which means that a user inside the container runs programs inside the container as that user rather than as a user on the host.
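The PID, UTS, mount and user isolation described above can be observed without Docker at all, using the same kernel namespaces through util-linux unshare(1). The script below is an added example and is not part of the original notes; it assumes a util-linux unshare that supports --map-root-user, the hostname ns-demo is a constructed value, and a kernel or sandbox that refuses unprivileged namespace creation is reported as "unsupported" rather than treated as an error.

```shell
#!/bin/sh
# Added example, not from the original notes: create fresh user, PID, UTS and
# mount namespaces with util-linux unshare(1) and report what a process inside
# them sees. Assumes unshare with --map-root-user (not mentioned on the page);
# "ns-demo" is a constructed hostname. Environments that refuse unprivileged
# namespace creation are reported as "unsupported".

# ns_probe -> "pid=<pid> uid=<uid> nodename=<hostname>" as seen inside the new
# namespaces, or "unsupported" when they cannot be created.
ns_probe() {
    out=$(unshare --user --map-root-user --pid --fork --mount-proc --uts \
            sh -c 'hostname ns-demo 2>/dev/null
                   echo "pid=$$ uid=$(id -u) nodename=$(uname -n)"' 2>/dev/null) \
        || { echo unsupported; return 0; }
    echo "$out"
}

# host_probe -> the same three values in the caller's own namespaces.
host_probe() {
    echo "pid=$$ uid=$(id -u) nodename=$(uname -n)"
}

# ns_check -> 0 when the inside view shows what the namespaces promise (the
# shell is pid 1 and uid 0 in its own PID and user namespaces), 1 when it does
# not, 2 when this environment cannot create namespaces at all.
ns_check() {
    inside=$(ns_probe)
    [ "$inside" = unsupported ] && return 2
    case $inside in
        "pid=1 uid=0 "*) return 0 ;;
        *)               return 1 ;;
    esac
}

echo "host view:   $(host_probe)"
echo "inside view: $(ns_probe)"
```

On a host that allows it, the inside view prints pid=1 uid=0 nodename=ns-demo while the host view shows the real PID, the unprivileged UID and the host's name: the same process is root and init in its own namespaces and an ordinary process outside them, which is exactly the picture the notes give for a Docker container. Distributions that disable unprivileged user namespaces, and the default seccomp profile inside a Docker container, make ns_probe return unsupported, so the demo degrades cleanly instead of failing.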

With the six namespaces above isolating the process, network, IPC, filesystem, UTS and user views, a container behaves like an independent computer, and different containers are isolated from each other at the OS level. However, resources are still contended between namespaces, so something like ulimit is still needed to manage the resources each container may use: cgroups.

Reference documents: Docker Getting Start: Related Knowledge; Docker introduction and its related terminology, underlying principles and technology

1.6 Resource quotas (cgroups)

cgroups implement resource quotas and accounting. cgroups are very simple to use: they provide a file-like interface. Create a new group directory under /cgroup, create a tasks file in it and write a PID into that file, and the process is under the group's resource control. Specific resource settings are files in this directory named {subsystem prefix}.{resource item}; for example memory.usage_in_bytes defines a memory limit option for the group in the memory subsystem. Subsystems in cgroups can also be combined arbitrarily: a subsystem can be attached to different groups, and a group can contain multiple subsystems.

  • memory: memory-related limits
  • cpu: cgroups do not define CPU capacity the way hardware virtualization does, but they can define the priority of CPU scheduling, so processes with a higher CPU priority are more likely to get CPU time. By writing a value to cpu.shares you define the cgroup's CPU priority; this is a relative weight, not an absolute value.
  • blkio: block I/O statistics and limits: byte/operation statistics and limits (IOPS etc.), read and write speed limits, and so on; the statistics here mainly count synchronous I/O.
  • devices: device access permission limits
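The file interface just described (mkdir a group, write a value into {subsystem}.{item}, write a PID into tasks) is simple enough to drive from a few shell functions. The script below is an added example, not code from the original notes. It assumes a cgroup v1 layout where each subsystem is a separate hierarchy such as /sys/fs/cgroup/memory or /sys/fs/cgroup/cpu (the layout Docker 1.x ran on); the functions only take a directory root, so the demo exercises them without root against a constructed temporary tree, and the same calls apply real limits when pointed at the kernel hierarchy as root.

```shell
#!/bin/sh
# Added example, not from the original notes: the cgroup v1 file interface the
# text describes, wrapped in small shell functions. ROOT is a hierarchy mount
# such as /sys/fs/cgroup/memory or /sys/fs/cgroup/cpu (an assumption about the
# host layout); any writable directory works, which is how the demo below runs
# without root against a constructed tree.

# cgroup_set ROOT GROUP FILE VALUE
# Creates ROOT/GROUP if needed and writes VALUE to the control file, e.g.
# memory.limit_in_bytes or cpu.shares. On a real hierarchy the kernel creates
# the control files on mkdir; in a constructed tree the redirection creates them.
cgroup_set() {
    root=$1; group=$2; file=$3; value=$4
    mkdir -p "$root/$group" || return 1
    echo "$value" > "$root/$group/$file" || return 1
}

# cgroup_get ROOT GROUP FILE -> prints the current value of the control file.
cgroup_get() {
    cat "$1/$2/$3"
}

# cgroup_attach ROOT GROUP PID
# Moves PID into the group by writing it to the tasks file (one PID per write;
# the kernel ignores the append flag, the constructed tree needs it). Rejects
# anything that is not a plain number so a bad argument cannot become a stray
# write into the hierarchy.
cgroup_attach() {
    root=$1; group=$2; pid=$3
    case $pid in ''|*[!0-9]*) echo "cgroup_attach: bad pid '$pid'" >&2; return 1 ;; esac
    [ -d "$root/$group" ] || return 1
    echo "$pid" >> "$root/$group/tasks" || return 1
}

# cgroup_task_count ROOT GROUP -> number of PIDs listed in the group's tasks file.
cgroup_task_count() {
    n=$(grep -c '^[0-9]' "$1/$2/tasks" 2>/dev/null) || n=0
    echo "$n"
}

# Demo against a constructed tree (no root needed). Point ROOT at
# /sys/fs/cgroup/memory and /sys/fs/cgroup/cpu instead to apply the same
# settings for real as root.
demo_root=$(mktemp -d)
cgroup_set "$demo_root" demo memory.limit_in_bytes 268435456   # 256 MiB
cgroup_set "$demo_root" demo cpu.shares 512                    # half the default weight of 1024
cgroup_attach "$demo_root" demo $$
echo "memory.limit_in_bytes=$(cgroup_get "$demo_root" demo memory.limit_in_bytes)"
echo "cpu.shares=$(cgroup_get "$demo_root" demo cpu.shares)"
echo "tasks=$(cgroup_task_count "$demo_root" demo)"
rm -rf "$demo_root"
```

Keeping memory.limit_in_bytes and cpu.shares in separate calls mirrors the note that a subsystem is its own controller: on a real v1 host they live under different mount points, and a group in one hierarchy says nothing about the other. The PID validation in cgroup_attach is the one check worth keeping when this is wired into anything automated, since the tasks file accepts whatever is written to it.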

Reference document: How to use cgroups

2. Docker Installation

Docker installation is not covered here; see the official documentation for the specific installation steps.

Get current Docker version

$ sudo docker version
Client version: 1.3.2
Client API version: 1.15
Go version (client): go1.3.3
Git commit (client): 39fa2fa/1.3.2
OS/Arch (client): linux/amd64
Server version: 1.3.2
Server API version: 1.15
Go version (server): go1.3.3
Git commit (server): 39fa2fa/1.3.2
3. Docker Basic Usage

Docker Hub: the Docker image home page, including official images and other public images

Because of the domestic network situation, downloading official images from Docker Hub within China is slow. You can use the docker.cn mirror instead; its images are identical to the official ones, the key point is that it is fast, and it is recommended.

3.1 Search images

$ sudo docker search ubuntu

3.2 Pull images

3.3 Running an interactive shell

$ sudo docker run -i -t ubuntu:14.04 /bin/bash
  • docker run: run a container
  • -t: assign a (pseudo) TTY
  • -i: interactive mode (so we can interact with it)
  • ubuntu:14.04: use the Ubuntu 14.04 base image
  • /bin/bash: run the bash shell

Note: Ubuntu has multiple versions; specify a tag to start a specific version, [image]:[tag]

$ sudo docker ps   # view the currently running containers; ps -a lists all containers on the system
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
6c9129e9df10        ubuntu:14.04        /bin/bash           6 minutes ago       Up 6 minutes                            cranky_babbage
3.4 Related shortcut keys

  • Exit: Ctrl-d or exit
  • Detach: Ctrl-p + Ctrl-q
  • Attach: docker attach <container-id>

4. Docker Command Help

4.1 Docker help

Docker commands
$ sudo docker   # docker command help
Commands:
    attach    Attach to a running container                                    # attach the current shell to the specified running container
    build     Build an image from a Dockerfile                                 # build a custom image from a Dockerfile
    commit    Create a new image from a container's changes                    # commit the current container as a new image
    cp        Copy files/folders from the containers filesystem to the host path   # copy the specified file or directory from the container to the host
    create    Create a new container                                           # create a new container; same as run, but does not start the container
    diff      Inspect changes on a container's filesystem                      # view the changes made in the Docker container
    events    Get real time events from the server                             # get real-time container events from the Docker service
    exec      Run a command in an existing container                           # run a command in an existing container
    export    Stream the contents of a container as a tar archive              # export the contents of a container as a tar archive [counterpart of import]
    history   Show the history of an image                                     # show how an image was built up
    images    List images                                                      # list the images currently on the system
    import    Create a new filesystem image from the contents of a tarball     # create a new file system image from the contents of a tar package [counterpart of export]
    info      Display system-wide information                                  # show system-related information
    inspect   Return low-level information on a container                      # view container details
    kill      Kill a running container                                         # kill the specified Docker container
    load      Load an image from a tar archive                                 # load an image from a tar package [counterpart of save]
    login     Register or Login to the docker registry server                  # sign up or log in to a Docker registry server
    logout    Log out from a Docker registry server                            # log out from the current Docker registry
    logs      Fetch the logs of a container                                    # output the current container's log
    port      Lookup the public-facing port which is NAT-ed to PRIVATE_PORT    # view the mapped port corresponding to a port inside the container
    pause     Pause all processes within a container                           # pause a container
    ps        List containers                                                  # list containers
    pull      Pull an image or a repository from the docker registry server    # pull the specified image or repository from the Docker registry server
    push      Push an image or a repository to the docker registry server      # push the specified image or repository to the Docker registry server
    restart   Restart a running container                                      # restart a running container
    rm        Remove one or more containers                                    # remove one or more containers
    rmi       Remove one or more images                                        # remove one or more images [only when no container uses the image; remove the related containers first, or use -f to force]
    run       Run a command in a new container                                 # create a new container and run a command in it
    save      Save an image to a tar archive                                   # save an image as a tar package [counterpart of load]
    search    Search for an image on the Docker Hub                            # search for images on Docker Hub
    start     Start a stopped container                                        # start a container
    stop      Stop a running container                                         # stop a container
    tag       Tag an image into a repository                                   # tag an image
    top       Lookup the running processes of a container                      # view the processes running in a container
    unpause   Unpause a paused container                                       # resume a paused container
    version   Show the Docker version information                              # show the Docker version
    wait      Block until a container stops, then print its exit code          # wait for a container to stop, then print its exit status
Run 'docker COMMAND --help' for more information on a command.
Docker options

Usage of docker:
  --api-enable-cors=false              Enable CORS headers in the remote API                      # enable CORS headers for the remote API
  -b, --bridge=""                      Attach containers to a pre-existing network bridge         # bridged networking
                                         use 'none' to disable container networking
  --bip=""                             Use this CIDR notation address for the network bridge's IP, not compatible with -b
                                                                                                  # not compatible with the -b option; not tested in detail
  -d, --daemon=false                   Enable daemon mode                                         # daemon mode
  -D, --debug=false                    Enable debug mode                                          # debug mode
  --dns=[]                             Force Docker to use specific DNS servers                   # force Docker to use the specified DNS servers
  --dns-search=[]                      Force Docker to use specific DNS search domains            # force Docker to use the specified DNS search domains
  -e, --exec-driver="native"           Force the Docker runtime to use a specific exec driver     # force the Docker runtime to use the specified exec driver
  --fixed-cidr=""                      IPv4 subnet for fixed IPs (ex: 10.20.0.0/16)
                                         this subnet must be nested in the bridge subnet (which is defined by -b or --bip)
  -G, --group="docker"                 Group to assign the unix socket specified by -H if running in daemon mode
                                         use '' (the empty string) to disable setting of a group
  -g, --graph="/var/lib/docker"        Path to use as the root of the Docker runtime              # root directory for the container runtime
  -H, --host=[]                        The socket(s) to bind to in daemon mode                    # in daemon mode, how Docker binds [TCP or local socket]
                                         specified using one or more tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.
  --icc=true                           Enable inter-container communication                       # communication between containers
  --insecure-registry=[]               Enable insecure communication with specified registries (no certificate verification for HTTPS and enable HTTP fallback) (e.g., localhost:5000 or 10.20.0.0/16)
  --ip="0.0.0.0"                       Default IP address to use when binding container ports     # specify the listening address; default is all IPs
  --ip-forward=true                    Enable net.ipv4.ip_forward                                 # enable forwarding
  --ip-masq=true                       Enable IP masquerading for bridge's IP range
  --iptables=true                      Enable Docker's addition of iptables rules                 # add the corresponding iptables rules
  --mtu=0                              Set the containers network MTU                             # set the network MTU
                                         if no value is provided: default to the default route MTU (or a fixed default if no default route is available)
  -p, --pidfile="/var/run/docker.pid"  Path to use for daemon PID file                            # specify the PID file location
  --registry-mirror=[]                 Specify a preferred Docker registry mirror
  -s, --storage-driver=""              Force the Docker runtime to use a specific storage driver  # force the Docker runtime to use the specified storage driver
  --selinux-enabled=false              Enable selinux support                                     # enable SELinux support
  --storage-opt=[]                     Set storage driver options                                 # set storage driver options
  --tls=false                          Use TLS; implied by tls-verify flags                       # enable TLS
  --tlscacert="/root/.docker/ca.pem"   Trust only remotes providing a certificate signed by the CA given here
  --tlscert="/root/.docker/cert.pem"   Path to TLS certificate file                               # TLS certificate file location
  --tlskey="/root/.docker/key.pem"     Path to TLS key file                                       # TLS key file location
  --tlsverify=false                    Use TLS and verify the remote (daemon: verify client, client: verify daemon)   # use TLS and verify the remote end
  -v, --version=false                  Print version information and quit                         # print Docker version information
4.2 Docker Search
