Objective:
Since we have to use containers, we cannot avoid the process of designing and generating a container, and once it is built we have to deal with loading, running and managing it. So today we look at containers from two angles: design and delivery, and architecture.
Note: this issue was shared by the original author and compiled and published by Yun Shu Network.
The previous article, "Container Origin", explained what a container is. This time we discuss containers from two angles. Since we have to use containers, we cannot avoid the process of designing and generating a container, and once it is built we have to deal with loading, running and managing it. So today we look at containers from two angles: design and delivery, and architecture. (Note: because Docker is currently the most widely used container implementation, "container" below refers to Docker by default.)
A. The design, delivery and operation angle
In brief
The designer writes a Dockerfile according to its syntax rules; the build command then generates a Docker image from it. The image is delivered to the tester, who simply loads it and tests against it.
Usage procedure
We see many benefits in containers, so what does the process of using a container look like?
First, the design of the container cannot be avoided: the user designs the container according to their own needs. Compare this with a traditional compiled language. A programmer first writes code, then the compiler turns the code into machine instructions, organised according to the rules of a given system into an executable file (such as an EXE file on Windows). The executable is handed to the tester, and once testing is complete it is delivered to the user, who simply executes the file without caring about how the code was designed, compiled or tested.
A container goes through the corresponding design, compile, test and use process. In the design step there is a file called the Dockerfile, which is the user's design of the Docker image. Once the Dockerfile is complete, the build command can be understood as the compile step: it generates a Docker image from the description in the Dockerfile. The image is then delivered to the tester, who passes it on to the user once it has passed testing. The corresponding stages are:
| Stage                 | Development                   | Delivery                  | Run                         |
|-----------------------|-------------------------------|---------------------------|-----------------------------|
| Form of the container | Dockerfile (description file) | Docker image (image file) | Container (dynamic process) |
| Commands to execute   | build                         | run, commit               | top, start, restart         |
The table can be read as follows: the description file (Dockerfile) generates the image file (Docker image), and loading and running the Docker image forms a dynamic process, the container. Once the container is loaded and executed, its behaviour as a process requires interaction with the Linux kernel; the container process relies on the support of the Linux kernel. Taking this factor into account, we can draw the picture like this.
[Figure 2: the container process interacting with the Linux kernel through libcontainer (http://s4.51cto.com/wyfs02/M02/7B/53/wKiom1bLtEGhiTmIAAAiKyF7rtc776.png)]
The diagram shows the container process interacting with the Linux kernel through libcontainer; because newer versions of Docker no longer support LXC, only libcontainer is listed. Running a container requires support from the Linux kernel. For simplicity we mention only two basic functions here: space isolation and resource limitation.
1.) Space isolation
Space isolation uses Linux namespaces. The basic role of this function is isolation: two users U1 and U2 running in different namespaces are invisible to each other. A concrete example is that a U1 process and a U2 process can have the same PID, whereas for regular processes on the same OS two processes can never share a PID.
2.) Resource limitation
Resources are constrained by the Linux kernel's cgroups, which limit the amount of resources (CPU, memory, IO and so on) each container process can use, so that one container process consuming too much does not affect the other processes.
With these two basic but important functions, namespaces and cgroups, space isolation gives each container process an independence close to that of a virtual machine, and resource limitation gives each container process "equality" in running resources, so container-based applications get some of the virtual machine's isolation features while saving resources. At the same time we see that the container depends strongly on Linux kernel functions. This is very different from virtual machines, where each has its own independent OS or kernel: a kernel bug or vulnerability will affect every container process on the host. This needs some space of its own and is not expanded on here.
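As an added example (not code from the original article), the following Python script makes the two kernel functions observable from a defender's point of view: it reads the pid namespace of every visible process from /proc/<pid>/ns/pid, reports which processes do not share PID 1's namespace, and parses a cgroup v2 memory.max limit. The SAMPLE_NS data is constructed; the /proc and /sys/fs/cgroup paths are standard Linux, and the live part only runs on Linux.

```python
import os
import re
from collections import defaultdict
# A /proc/<pid>/ns/<type> symlink points at "pid:[4026531836]"; the inode identifies the namespace.
NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")

def parse_ns_link(target):
    """Return (namespace type, inode) from a namespace symlink target."""
    m = NS_LINK.match(target)
    if not m:
        raise ValueError(f"unexpected namespace link: {target!r}")
    return m.group(1), int(m.group(2))

def group_by_namespace(ns_links):
    """ns_links maps pid -> link target. Returns {inode: [pids sharing that namespace]}."""
    groups = defaultdict(list)
    for pid, target in ns_links.items():
        groups[parse_ns_link(target)[1]].append(pid)
    return {inode: sorted(pids) for inode, pids in groups.items()}

def pids_outside_namespace_of(ns_links, ref_pid=1):
    """PIDs whose namespace differs from ref_pid's: on a host, the containerised processes."""
    ref_inode = parse_ns_link(ns_links[ref_pid])[1]
    return sorted(p for p, t in ns_links.items() if parse_ns_link(t)[1] != ref_inode)

def parse_memory_max(text):
    """Parse a cgroup v2 memory.max value: 'max' means no limit (None), otherwise bytes."""
    text = text.strip()
    return None if text == "max" else int(text)

def read_live_pid_namespaces(proc="/proc"):
    """pid -> pid-namespace link for every visible process; unreadable ones are skipped."""
    links = {}
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            links[int(entry)] = os.readlink(f"{proc}/{entry}/ns/pid")
        except OSError:  # process exited, or we are not permitted to read it
            pass
    return links

# Constructed sample: PIDs 1 and 200 share the host pid namespace, 300 and 301 sit in another.
SAMPLE_NS = {1: "pid:[4026531836]", 200: "pid:[4026531836]",
             300: "pid:[4026532456]", 301: "pid:[4026532456]"}

if __name__ == "__main__":
    print("constructed sample, outside PID 1's namespace:", pids_outside_namespace_of(SAMPLE_NS))
    live = read_live_pid_namespaces()
    if 1 in live:  # on a host this lists containerised PIDs; inside a container it should be empty
        print("live, outside PID 1's namespace:", pids_outside_namespace_of(live))
    if os.path.exists("/sys/fs/cgroup/memory.max"):  # cgroup v2 limit of this process's cgroup
        print("memory limit:", parse_memory_max(open("/sys/fs/cgroup/memory.max").read()))
```

Run inside a container, the live check should report no process outside PID 1's namespace, which is a quick confirmation that PID isolation is in effect; a non-empty result on a host shows which processes the kernel has namespaced away.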
So the container process runs on a Linux kernel and the OS cannot be avoided. That raises the question: what kind of operating system should be used to support container operation? CentOS and Ubuntu are commonly used today; here we want to mention CoreOS and RancherOS, two systems that are very suitable for supporting containers. Why?
We already know that containers share the kernel runtime environment, so an operating system with the basic kernel functions is enough; in fact, such an OS can be very small compared with a general-purpose one. You could also trim a general-purpose OS down, but that is not the optimal solution. The reason for mentioning CoreOS and RancherOS is that they are not only small (RancherOS about 29 MB, CoreOS about 200 MB) but have also been adjusted in many ways to support containers. In RancherOS, for example, every process is a container: System Docker provides the necessary system functions, and on top of it runs User Docker (the user's containers). CoreOS and RancherOS can therefore be thought of as operating systems built for containers.
B. Docker Architecture
Now let's look at the container from another angle. In operation, Docker uses a typical client/server (C/S) model or architecture, as shown in the following figure:
[Figure 3: Docker client/server architecture (http://s4.51cto.com/wyfs02/M01/7B/53/wKioL1bLtMvTdXp9AABPDnzeH6g732.png)]
Three commonly used basic commands are listed: build (builds an image), pull (pulls an image from a repository) and run (runs a container); the different colours represent the execution paths of the different commands. We see that all client commands are submitted to the Docker daemon, which is responsible for coordinating and managing images, container processes and the registry; the Docker daemon also involves the concepts of the Docker engine and Docker jobs. For an in-depth understanding of the Docker daemon, it is recommended to read Docker's Go source code, starting from mainDaemon or NewDaemon to save time.
These angles are based on Docker (containers) on a single node. When Docker runs on multiple hosts, managing and orchestrating Docker across nodes requires new tools, which can be understood as Docker cluster management: Swarm, Rancher, Kubernetes and so on. We will not expand on that here. OK, today's sharing ends here; please keep following for the follow-up content!
__________________________________________________________________________________
Friendly tips:
Yun Shu Network and Rancher Labs have launched the "Rancher | Practical Combat Group", where we share Docker technology with you online, together with a selection of content from past issues.
This group brings together Rancher China's strongest technical team and industry technical experts. Its purpose is to provide a more professional platform for exchanging practical Rancher techniques, face to face with the Rancher founding team in real time. You are also welcome to share your own experience and difficult questions; we will regularly invite guests to share and review all kinds of topics, and jointly research the Docker container ecosystem in practice.
If you are interested in Rancher and Docker technology, or want to explore the details of this article further, you are welcome to join this group and take part in the discussion!
How to join the group:
1. Follow the "Yun Shu Network" public account
2. Send the message "I want to join the group"
QQ group number: 216521218
Yun Shu Network, Container Series II: Container Perspectives: Design and Delivery, and Architecture