1. The architecture of Docker
Docker uses a client/server architecture. The Docker daemon acts as the server: it accepts client requests and processes them (creating, running and distributing containers). Client and daemon can run on the same machine, or they can communicate over Unix sockets or a RESTful API.
[Figure: the Docker client (docker pull, docker run) talks to the Docker daemon on the host, which manages container1 and container2]
Docker has three internal components:
- Docker images
- Docker registries
- Docker containers
Docker images
A Docker image is a read-only template. For example, an image can contain an Ubuntu operating system with Apache, or the application you need, installed. Images are used to create Docker containers. Docker provides a very simple mechanism to create images or update existing ones, and you can also download ready-made images built by others.
Docker registries
A Docker registry is also called a Docker repository. It comes in two forms, public and private, and both let you upload and download images. The public registry is known as Docker Hub; it provides a huge image library to download from, and you can also build your own private registry within your own LAN.
Docker containers
A Docker container is created from an image. It can be started, stopped and deleted. Each container is an isolated, secure platform.
2. How a Docker image works
Each Docker image consists of a number of layers, and Docker uses a union file system to combine these different layers into a single image.
AUFS (AnotherUnionFS) is a union file system. Put simply, it supports mounting different directories under the same virtual file system (unite several directories into a single virtual filesystem). Going further, AUFS lets each member directory (a branch, much like a Git branch) be set readonly, readwrite or whiteout-able, and it also has a layering concept: a branch with readonly permission can be modified logically (incrementally, without affecting the readonly content). A union FS usually has two uses. On the one hand it can do what LVM or RAID do and mount several disks under the same directory; the other, more common use is to combine a readonly branch with a writeable branch, which lets users write on top of the OS image without changing it. The container images that Docker builds on AUFS work in exactly the same way.
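The layering just described, as an added example that is not code from the original post: a small in-memory model of how a union file system stacks read-only image branches under one read-write branch, with copy-on-write and whiteouts. The layer names and file contents are constructed for illustration.

```python
from typing import Dict, List, Optional

# AUFS hides a lower-layer file by placing a ".wh.<name>" whiteout marker above it.
WHITEOUT = ".wh."


class UnionFS:
    """Read-only branches stacked lowest-first, plus one read-write branch on top."""

    def __init__(self, readonly_layers: List[Dict[str, str]]):
        self.readonly = readonly_layers      # e.g. base OS layer, then the Apache layer
        self.rw: Dict[str, str] = {}         # the container's writable layer

    def _branches(self) -> List[Dict[str, str]]:
        # Lookup order: the topmost (rw) branch first, then the image layers top-down.
        return [self.rw] + list(reversed(self.readonly))

    def read(self, path: str) -> Optional[str]:
        for branch in self._branches():
            if WHITEOUT + path in branch:    # a whiteout above the file hides it
                return None
            if path in branch:
                return branch[path]
        return None

    def write(self, path: str, content: str) -> None:
        # Copy-on-write: every write lands in the rw branch; image layers are never touched.
        self.rw.pop(WHITEOUT + path, None)   # re-creating a file removes its whiteout
        self.rw[path] = content

    def delete(self, path: str) -> None:
        self.rw.pop(path, None)
        if any(path in layer for layer in self.readonly):
            self.rw[WHITEOUT + path] = ""    # the lower copy still exists, so hide it

    def listdir(self) -> List[str]:
        names = set()
        for branch in self._branches():
            names.update(k for k in branch if not k.startswith(WHITEOUT))
        return sorted(n for n in names if self.read(n) is not None)


def demo() -> dict:
    """Constructed image: an Ubuntu base layer with an Apache layer on top."""
    base = {"/etc/os-release": "Ubuntu", "/etc/motd": "welcome"}
    apache = {"/etc/apache2/apache2.conf": "Listen 80"}
    fs = UnionFS([base, apache])
    fs.write("/etc/apache2/apache2.conf", "Listen 8080")   # goes to the rw layer only
    fs.delete("/etc/motd")                                  # whiteout; base layer unchanged
    return {"conf": fs.read("/etc/apache2/apache2.conf"),
            "motd": fs.read("/etc/motd"),
            "image_conf": apache["/etc/apache2/apache2.conf"],
            "files": fs.listdir()}
```

Because the image branches are never modified, the same image can back many containers at once, each with its own rw branch.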
3. Docker repository
The Docker repository is used to store our images. When we create our own image we can use the push command to upload it to a public or private repository, so that the next time we need the image on another machine we simply pull it down from the repository.
4. Docker container
When we run the command docker run -i -t ubuntu /bin/bash, Docker performs the following operations in the background:
- If a local Ubuntu image exists, create a container from it; otherwise download the image from the public repository and create the container from it.
- Allocate a file system and mount a read-write layer on top of the read-only image layers.
- Bridge a virtual interface into the container from the bridge interface configured on the host.
- Assign the container an IP address from the address pool.
- Execute the program you specified, here starting the /bin/bash process; -i -t attach standard input and output.
5. Docker's underlying technology
The two core technologies underneath Docker are namespaces and control groups.
1) PID namespace
Processes of different users are separated by PID namespaces, and the same PID number can be reused in different namespaces. The parent process of all LXC processes in Docker is the Docker process, and each LXC container has its own namespace. Because namespaces can be nested, it is also convenient to run Docker inside Docker.
PID namespace: Linux manages process PIDs through namespaces. The same process (the same task_struct, the kernel's task structure) sees a different PID number in different namespaces, and each PID namespace has its own PID management, so calling getpid() from different namespaces returns different PID numbers. PID namespaces form a parent-child tree. Initially the system has only one PID namespace; if a process later forks with the option to create a new PID namespace, the parent of the new namespace is the namespace in which the forking process lives, and the forked task_struct has a PID number in both the child namespace and the parent namespace.
LXC is short for Linux Containers. A Linux container is a kernel virtualization technology that provides lightweight virtualization to isolate processes and resources, without the instruction interpretation mechanisms and other complexities of full virtualization. It is comparable to a namespace in C++. Containers effectively divide the resources managed by a single operating system into isolated groups, so that the conflicting resource demands of those groups can be balanced better.
2) Net namespace
With PID namespaces the PIDs in each namespace are isolated from each other, but network ports are still shared with the host. Network isolation is achieved through net namespaces: each net namespace has its own network devices, IP addresses, IP routing tables and /proc/net directory, so that each container's network can be isolated. By default Docker connects the virtual network card (veth) in the container to the docker0 bridge on the host.
3) IPC namespace
Process interaction inside a container still uses the common Linux inter-process communication (IPC) methods, including semaphores, message queues and shared memory. Unlike a VM, however, process interaction inside a container is in fact process interaction within the same PID namespace on the host, so namespace information has to be added to IPC resource requests: each IPC resource has a unique 32-bit ID.
4) Mnt namespace
Similar to chroot, it runs a process inside a specific directory. The mnt namespace lets processes in different namespaces see different file system structures, so that the processes of each namespace see an isolated directory tree. Unlike chroot, the information in /proc/mounts for each container in a namespace contains only the mount points of that namespace.
5) UTS namespace
The UTS ("UNIX Time-sharing System") namespace lets each container have its own hostname and domain name, so that it can be treated as a separate node on the network rather than as a process on the host.
6) User namespace
Each container can have different user and group IDs, which means a program running inside the container runs as a user inside the container rather than as a user on the host.
Control groups (cgroups) are mainly used to isolate the resource usage of individual containers from each other and from the host.
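The namespaces and control groups listed in this section are visible from user space under /proc. As an added example (not code from the original post), the following reads the namespace identity of processes from /proc/<pid>/ns and their cgroup membership from /proc/<pid>/cgroup, so that, run on the host with a container's host-side PID, it shows which namespaces the container still shares with PID 1. The /proc paths are the kernel's; the function names and report layout are assumptions of this example.

```python
import os
import re
from typing import Dict, Optional

# The six namespace kinds discussed above, named as they appear under /proc/<pid>/ns.
NS_KINDS = ("pid", "net", "ipc", "mnt", "uts", "user")
_NS_LINK = re.compile(r"^[a-z_]+:\[(\d+)\]$")


def parse_ns_link(target: str) -> int:
    """Extract the inode from a /proc/<pid>/ns/<kind> link target such as 'pid:[4026531836]'."""
    m = _NS_LINK.match(target)
    if not m:
        raise ValueError(f"not a namespace link: {target!r}")
    return int(m.group(1))


def ns_inode(pid: int, kind: str) -> Optional[int]:
    """Namespace inode of a process, or None when /proc is unavailable or the process is gone."""
    try:
        return parse_ns_link(os.readlink(f"/proc/{pid}/ns/{kind}"))
    except OSError:
        return None


def shared_namespaces(pid_a: int, pid_b: int) -> Dict[str, bool]:
    """True per kind when both processes live in the same kernel namespace (same inode).
    The same task seen from two PID namespaces reports two different PIDs, which is
    exactly what getpid() reflects, but its namespace inode identifies it unambiguously."""
    result = {}
    for kind in NS_KINDS:
        a, b = ns_inode(pid_a, kind), ns_inode(pid_b, kind)
        result[kind] = a is not None and a == b
    return result


def cgroup_paths(pid: int) -> Dict[str, str]:
    """Map controller list (empty string on cgroup v2) to cgroup path from /proc/<pid>/cgroup."""
    paths: Dict[str, str] = {}
    try:
        with open(f"/proc/{pid}/cgroup") as f:
            for line in f:
                _, controllers, path = line.rstrip("\n").split(":", 2)
                paths[controllers] = path
    except OSError:
        pass
    return paths


def isolation_report(container_pid: int) -> Dict[str, object]:
    """Run on the host: any namespace the container still shares with PID 1 (for example
    pid or net when it was started with --pid=host or --net=host) weakens its isolation."""
    return {"shared_with_init": shared_namespaces(container_pid, 1),
            "cgroups": cgroup_paths(container_pid)}
```

A container process whose report shows every kind as False and a cgroup path under the Docker hierarchy is isolated in the way this section describes.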
This article is from the "16 Stage One Pit" blog; please be sure to keep this source: http://tlinux.blog.51cto.com/7288656/1748891
Docker One: Basic principles