Docker: a lightweight Linux container for unified development and deployment

Source: Internet
Author: User
Use Docker containers, lightweight and flexible virtual machines of a sort, to escape "dependency hell". Learn how Docker builds on LXC technology to package applications and their dependencies into portable, self-contained containers, so that an application packaged once can be run unchanged in other development and testing environments.


Imagine being able to package an application together with its dependencies and then run it unchanged in other development, testing, and production environments. That is the goal of the open-source Docker project. Although it is not yet officially production-ready, the latest release (0.7.x at the time of writing) brings Docker a step closer to that goal.

Docker containers try to solve the problem of "dependency hell". Modern applications are generally assembled from existing components and rely on other services and applications. For example, your Python application may use PostgreSQL as its data store, Redis as a cache, and Apache as a web server. Each of these components has its own dependencies, which may conflict with those of other components. By packaging each component together with its dependencies, Docker containers solve the following problems:

  • Conflicting dependencies: need to run one website on PHP 4.3 and another on PHP 5.5? No problem if each PHP version runs in its own Docker container.

  • Missing dependencies: installing an application in a new environment is instant with a Docker container, because all of its dependencies are packaged into the container together with the application.

  • Platform dependencies: moving from one distribution to another is no longer a hassle. If both systems run Docker, the same containers execute unchanged on either.

Docker container: Background

Docker was born in early 2013 as an open-source project at dotCloud, a platform-as-a-service company focused on cloud computing. It is a natural extension of the technology the company developed to run its cloud service on thousands of servers. It is written in Go, a statically typed programming language developed by Google with a C-like but looser syntax. After six to nine months of rapid development, the company hired a new CEO, joined the Linux Foundation, renamed itself Docker, and announced that it would focus on developing Docker containers and their ecosystem. As a measure of Docker's popularity, it has been starred 8,985 times and forked 1,304 times on GitHub. The figure below shows the popularity of Docker in Google search. With the first production-ready release of Docker approaching and a broad community of users, Docker is useful enough that the growth of the past 12 months is likely to be eclipsed by that of the next 12.

Figure: Trend of Docker in Google search over the past 12 months

Under the Hood

Docker uses some powerful kernel-level technologies and makes them easy to use. The concept of container virtualization has been around for years, but by providing a simple toolset and a unified API over kernel-level technologies such as LXC (Linux containers), cgroups, and a copy-on-write file system, Docker has created a tool that is more than the sum of its parts. It is a potential game changer for DevOps, system administrators, and developers.

Docker provides tools to make creating and operating containers as simple as possible. Containers sandbox processes from each other. For now, you can think of a container as a lightweight virtual machine.

Linux containers and LXC, a user-space control package for Linux containers, form the core of Docker. LXC uses kernel-level namespaces to isolate the container from the host. The user namespace separates the container's user database from the host's, so that the root user inside the container does not have root privileges on the host. The process namespace shows and manages only the processes running in the container, not those running on the host. And the network namespace gives each container its own network devices and virtual IP addresses.

The other component provided by LXC is control groups (cgroups). Where namespaces are responsible for isolation between host and containers, control groups implement resource accounting and limiting. Besides allowing Docker to limit the resources a container consumes, such as memory, disk space, and I/O, control groups also expose a large number of related metrics. These metrics let Docker monitor the resource consumption of each process in a container and ensure that each gets only its fair share of the available resources.
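The namespaces, user-id mapping and cgroups described in the two paragraphs above are all visible through the `/proc` interface, and inspecting them is how an operator checks that a process really is isolated the way the text claims. The script below is an added example, not code from the article or from Docker: it reads namespace identities from `/proc/<pid>/ns`, translates an in-container uid to the host uid via the `uid_map` format, and parses `/proc/<pid>/cgroup` and a memory-limit file. The `SAMPLE_*` strings are constructed inputs that mimic what those files contain inside a container; only `namespace_ids` touches the live system and it needs a Linux host.

```python
"""Added example (not from the article): inspect the kernel features that Docker
builds on, namespaces, user-id mapping and cgroups, through the /proc interface.
The parsing functions take constructed sample text so they run anywhere; the
/proc reader needs a Linux host."""
import os
import re
from typing import Dict, List, Optional

NS_TYPES = ("pid", "net", "user", "mnt", "uts", "ipc")


def namespace_ids(pid: str = "self") -> Dict[str, int]:
    """Map namespace type -> inode for a process. The inode identifies the
    namespace: two processes with equal inodes share that namespace."""
    ids: Dict[str, int] = {}
    for ns in NS_TYPES:
        try:
            link = os.readlink(f"/proc/{pid}/ns/{ns}")  # e.g. 'pid:[4026531836]'
        except OSError:  # not Linux, process gone, or no permission
            continue
        m = re.fullmatch(r"(\w+):\[(\d+)\]", link)
        if m:
            ids[ns] = int(m.group(2))
    return ids


def shared_namespaces(a: Dict[str, int], b: Dict[str, int]) -> List[str]:
    """Namespaces two processes share. A container process should share none of
    pid, net or mnt with the host's PID 1; sharing 'user' means the container's
    root is a real host uid, which is the risk the article points at."""
    return sorted(ns for ns in a if ns in b and a[ns] == b[ns])


def host_uid(uid_map: str, inside_uid: int) -> Optional[int]:
    """Translate a uid seen inside a user namespace to the host uid, using the
    '/proc/<pid>/uid_map' format: one 'inside outside count' range per line."""
    for line in uid_map.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        inside, outside, count = (int(f) for f in fields)
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return None  # uid not mapped at all


def cgroup_paths(cgroup_text: str) -> Dict[str, str]:
    """Parse '/proc/<pid>/cgroup' lines 'hierarchy:controllers:path' into
    controller -> path. Docker puts a container's processes in a group named
    after the container, which is how accounting is attributed to it."""
    out: Dict[str, str] = {}
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        _, controllers, path = parts
        for c in (controllers.split(",") if controllers else ["unified"]):
            out[c] = path
    return out


def memory_limit_bytes(value: str) -> Optional[int]:
    """Interpret memory.limit_in_bytes (cgroup v1) or memory.max (cgroup v2).
    Returns None when no limit is set: v2 writes 'max', v1 writes a value near 2**63."""
    v = value.strip()
    if not v or v == "max":
        return None
    n = int(v)
    return None if n >= 2**62 else n


# Constructed sample files, as they might appear inside a container.
SAMPLE_UID_MAP = "         0     100000      65536\n"          # root remapped to host uid 100000
SAMPLE_UID_MAP_NOREMAP = "         0          0 4294967295\n"  # no user namespace: root is host root
SAMPLE_CGROUP = (
    "12:memory:/docker/0123abcd\n"
    "11:cpu,cpuacct:/docker/0123abcd\n"
    "0::/docker/0123abcd\n"
)

if __name__ == "__main__":
    print("namespaces shared with PID 1:", shared_namespaces(namespace_ids("self"), namespace_ids("1")))
    print("container root is host uid:", host_uid(SAMPLE_UID_MAP, 0))
    print("memory cgroup:", cgroup_paths(SAMPLE_CGROUP).get("memory"))
    print("limit of 268435456:", memory_limit_bytes("268435456"))
```

Run inside a container and the first line should list at most `user` (on hosts without user-namespace remapping) and `uts`/`ipc` depending on how the container was started; on the host itself every namespace is shared with PID 1. An unmapped or identity-mapped `uid_map` is the concrete form of the caveat that container root can be host root.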

 

Beyond those components, Docker has been using AuFS (Advanced Multi-Layered Unification Filesystem) as its container file system. AuFS is a layered file system that transparently overlays one or more existing file systems. When a process needs to modify a file, AuFS creates a copy of that file in the writable layer. AuFS can merge multiple layers into a single representation of a file system. This technique is called copy-on-write.

What is really cool is that AuFS lets Docker use some images as the basis for containers. For example, you might have a CentOS system image that can serve as the base for many different containers. Thanks to AuFS, only one copy of the CentOS image is needed, which saves both storage and memory and makes container deployment faster.

Another advantage of using AuFS is Docker's ability to version container images. Each new version is simply a diff against the previous version, which keeps image files to a minimum. But it also means you always have an audit trail recording how a container changed from one version to the next.
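The three paragraphs above describe copy-on-write layering, shared base images, and versioning as diffs. The toy union file system below is an added example, not the article's code and not how AuFS is implemented: each layer is a plain dict from path to bytes, writes go only to the per-container upper layer, deletions are recorded as whiteout markers, and `commit` turns the upper layer into a new read-only layer. The `demo` function builds two containers on one shared base dict and shows that neither can see the other's changes and that the base is never modified; the file contents are constructed sample data.

```python
"""Added example (not from the article, and not AuFS's real code): a toy union
file system showing copy-on-write layering, shared base layers and versioning
as diffs. Each layer is a dict path -> bytes; a WHITEOUT entry in an upper
layer hides a lower-layer file."""
from typing import Dict, List, Optional, Union

WHITEOUT = object()  # sentinel: the file was deleted in this layer
Layer = Dict[str, Union[bytes, object]]


class UnionFS:
    """A stack of read-only lower layers (the image) under one writable upper
    layer (the container). Lower layers can be shared by many instances."""

    def __init__(self, lower_layers: List[Layer]):
        self.lower = list(lower_layers)   # shared with other containers, never written
        self.upper: Layer = {}            # private to this container

    def read(self, path: str) -> Optional[bytes]:
        """Search from the top down; the first layer mentioning the path wins."""
        for layer in [self.upper] + list(reversed(self.lower)):
            if path in layer:
                data = layer[path]
                return None if data is WHITEOUT else data
        return None

    def write(self, path: str, data: bytes) -> None:
        """Copy-on-write: the new contents land in the upper layer only, so the
        shared image bytes below are untouched."""
        self.upper[path] = data

    def delete(self, path: str) -> None:
        """Deletion cannot touch a lower layer; record a whiteout instead."""
        self.upper[path] = WHITEOUT

    def commit(self) -> Layer:
        """Freeze the upper layer into a new read-only layer (like 'docker commit').
        The returned diff is the entire new image version, which is why the
        change history is an audit trail."""
        diff = dict(self.upper)
        self.lower.append(diff)
        self.upper = {}
        return diff

    def listing(self) -> Dict[str, bytes]:
        """Merged view of all layers, bottom up, with whiteouts applied."""
        merged: Dict[str, bytes] = {}
        for layer in self.lower + [self.upper]:
            for path, data in layer.items():
                if data is WHITEOUT:
                    merged.pop(path, None)
                else:
                    merged[path] = data
        return merged


def demo() -> dict:
    """Two containers from one base image: writes and deletes in one are
    invisible to the other, and the base layer object itself never changes."""
    # Constructed sample image contents, not a real CentOS image.
    base: Layer = {"/etc/os-release": b"CentOS", "/bin/sh": b"#!binary"}
    a, b = UnionFS([base]), UnionFS([base])       # same base dict: shared, not copied
    a.write("/etc/motd", b"hello from a")
    a.delete("/etc/os-release")
    diff = a.commit()
    return {
        "a_sees_motd": a.read("/etc/motd"),
        "b_sees_motd": b.read("/etc/motd"),
        "a_sees_release": a.read("/etc/os-release"),
        "b_sees_release": b.read("/etc/os-release"),
        "base_untouched": base == {"/etc/os-release": b"CentOS", "/bin/sh": b"#!binary"},
        "diff_paths": sorted(diff),
        "a_files": sorted(a.listing()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point to notice is that `base` is the same dict object in both containers, so "only one copy of the CentOS image" is literally true here, and the committed diff contains only the two paths container `a` touched.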

Traditionally, Docker has relied on AuFS to provide copy-on-write storage. However, a recently added storage driver API is likely to lessen that reliance. Initially, three storage drivers are available: AuFS, VFS, and Device Mapper, the last of which is the result of a collaboration with Red Hat.

As of version 0.7, Docker works with all major Linux distributions. However, it does not run natively on most non-Linux systems, such as Windows and OS X. The recommended way to use Docker on those operating systems is to use Vagrant to provision a Linux virtual machine on VirtualBox.

 

Containers vs. other types of virtualization

What is the difference between a container and hypervisor-based virtualization? Simply put, containers virtualize at the operating-system level, while hypervisors virtualize at the hardware level. The effects are similar, but the differences are important, which is why I spend some time exploring them and the trade-offs they produce.

Virtualization:

Containers and virtual machines (VMs) are both virtualization tools. On a virtual machine, a hypervisor makes virtualized hardware available. Generally there are two types of hypervisor: type 1 runs directly on bare metal, and type 2 runs on a host operating system as an additional software layer. The open-source Xen and VMware ESX are examples of type 1; type 2 examples include Oracle's open-source VirtualBox and VMware Server. Although type 1 is the better candidate for comparison with Docker containers, the rest of this article does not distinguish between the two types.

Containers, in contrast, build on protection facilities available in the operating system; in effect they virtualize the operating system. Two containers running on the same operating system do not know that they are sharing resources, because each has its own abstracted network layer and process space.

Operating systems and resources

Because hypervisor-based virtualization only provides access to (virtual) hardware, you still need to install an operating system. The result is multiple complete operating systems running, one per virtual machine, which quickly consumes resources such as memory (RAM), CPU, and bandwidth on the server.

A container runs on the operating system and treats that operating system as its host environment. It runs only in its own space: these spaces are part of the host operating system, and the space used by each container is independent of the others. This brings two distinct advantages. The first is more efficient use of resources: a container that is doing nothing consumes no resources, and a container can call on its host operating system to provide some or all of its functionality. The second is that containers are cheap, so you can create and delete them quickly. A container does not need to boot or shut down an entire operating system; it only needs to terminate the processes running in its own isolated space. So starting and stopping a container is more like starting and quitting an application, and it is correspondingly fast.

The figure below shows both types of virtual machine alongside containers.

Figure: Virtual machines and containers

Isolation, performance, and security

Processes executing in a Docker container are isolated from those running on the host operating system or in other Docker containers. However, all of them run in the same kernel. Docker uses LXC to provide separate namespaces for each container, a kernel technology that has been in use for more than five years and is quite mature. Containers also use control groups, which have been in the Linux kernel even longer than LXC, to account for and limit resources.

The Docker daemon itself is a potential attack vector, because it currently runs only as root. Improvements to both LXC and Docker should allow containers to run as non-root users and allow the Docker daemon to run as a different user.

Although the isolation used by containers is generally very strong, it is still debated whether it is as strong as that of a virtual machine running on a hypervisor. If the kernel goes down, all containers go down with it. Virtual machines are mature and widely used in production. By contrast, Docker and its supporting technologies have seen almost no production use yet. In particular, Docker changes a great deal every day, and we all know that change is the enemy of security.

Docker and virtual machines: competitors and complements

Having compared Docker and virtual machines above, let's now look at how the two technologies complement each other. Docker runs very well in a virtualized environment. Obviously you do not need to encapsulate every application or component in its own virtual host. And provided you have a Linux virtual machine, you can easily deploy Docker containers in it. This is why the official way to run Docker on non-Linux systems such as OS X and Windows is to install an Ubuntu-based virtual machine (the Precise64 box) with the help of Vagrant. The http://www.docker.io site has detailed and simple instructions.

In summary, virtualization and containers are similar in some respects. To begin with, you can think of containers as very lightweight virtual machines. But as your understanding of containers grows, you will see subtle and significant differences. Docker makes the most of the advantages of containers for packaging and deploying lightweight applications.

Docker registry

One of Docker's killer features is the ability to quickly find, download, and start container images created by other developers. A registry is the place where images are stored. Docker Ltd provides a public registry, also known as the index. You can think of this registry, together with the Docker client, as the equivalent of Node's NPM, Perl's CPAN, or Ruby's RubyGems.

In addition to providing various base images for Docker containers, the public Docker registry also offers ready-to-run software images, including databases, content management systems, development environments, and web servers. By default, the Docker command-line client searches the public registry, but you can also maintain a private registry. A private registry is a good choice if you want to publish images of components that contain proprietary intellectual property or that are only used within your company. Uploading an image to the registry is as easy as downloading one; you only need to create an account, and it is free. Finally, the Docker Ltd registry also has a web interface for searching, reading about, commenting on, and recommending (that is, starring) images. Images are surprisingly easy to use, and I encourage you to start browsing them through the links in the resources section of this article.
