DockOne Technology Sharing (13): 10 Questions to Get to Know Windows Docker

At the Build conference in May, Microsoft officially stated that it would release a beta version of Windows Server Container this summer. In other words, the beta version of Windows Docker is not yet available and we cannot try it hands-on. Below I introduce the ten questions that people care about most:

1. What is the difference between Windows Docker and Hyper-V?

Hyper-V, like VMware/Xen/KVM, is hardware virtualization: secure but heavyweight.

Windows Docker is an OS virtualization technology with some isolation capabilities, better performance, and easier portability.

The two do not replace each other.

Note: Windows Docker is not the Windows Docker client that appeared with Docker 1.6, nor is it the Boot2docker Linux virtual machine running under Windows; it is a real Windows version of Docker. In fact, its official name is not Docker. There are two products, Windows Server Container and Hyper-V Container: Windows Server Container is similar to Linux Docker, and Hyper-V Container is somewhat similar to Clear Linux or Hyper Docker.


This is because Docker is a brand name and Microsoft cannot use it directly.

2. What is the difference between Windows Docker and SoftGrid (App-V)/Thinstall?

Docker is OS virtualization. Its main scenario is server-side applications; the containers (applications) communicate with each other over standard network interfaces, as if they were virtual machines.

SoftGrid is application virtualization, primarily for deploying client applications such as Office. The applications run in the same session in the completely traditional way and can communicate with each other; for example, Word can call an Excel spreadsheet. The file system seen by different processes is not isolated. It is suited to batch deployment of client applications.

3. What is the relationship between the container and the sandbox?

I once saw a great comment that I must share with you:

Sandboxing is focused on just security with code isolation. Containers have some security code isolation, but it's not the only or primary purpose. One way to think about containers is as a layered/quarantined filesystem which makes it quick/easy/lightweight to run an application and also makes the application (in the container) very portable.

As we can see, in Windows 10, Edge, the successor to IE, uses sandbox technology.

Office documents opened in Protected Mode also run in a sandbox, as shown in the figure.

Containers, however, must also account for portability, so that applications can become dynamic services delivered on demand. Earlier, hardware virtualization turned the OS, applications and so on into files, so that server resources became on-demand services. Now Windows Docker, like Linux Docker, can also turn applications into images, that is, into files, and deliver them as dynamic services on demand.

4. What is the relationship between Windows Docker and other OS virtualization tools, such as the long-familiar VPS?

From a technical point of view, the underlying principles are similar. Look at the picture.

Docker's technical implementation is roughly the same as that of other OS virtualization technologies. What matters is who can drive the ecosystem and win the support of other vendors. Docker's layered file system implementation is also particularly appealing. Here is the download address for this.

5. Windows Docker's layered file system?

First look at the Linux implementation. DaoCloud's Daniel Liang points out: suppose we pull the ubuntu:14.04 image and start it with the command docker run -it ubuntu:14.04 /bin/bash. For the rootfs that Docker creates for it, and the file system that the container can read and write, refer to this one.

From the container's point of view there is a single, logically complete file system, but that file system is actually composed of two layers: a read-write file system and a read-only file system. The link to Mr. Sun's excellent article is here.

Windows Docker uses a similar layered file system. Reference.

Windows Docker uses the reparse point technology of the NTFS file system. The top layer, the sandbox layer, is read-write and belongs exclusively to one container, while the other layers are read-only. In this diagram, the underlying OS layer and the middle application framework layer are read-only, while the top sandbox layer is read-write; from the container's perspective, it has a complete file system all to itself.

This is somewhat similar to Hyper-V's differencing disk chain (the topmost child disk is read-write, while all of its parent and base disks are read-only).

I think of Windows Docker's layered file system as something like symbolic links (this is only an aid to understanding, not to be taken literally): when the top sandbox layer opens a file, it is like opening a symbolic link, and when it tries to modify the file, copy-on-write (COW) takes place. Exactly which underlying file system techniques are used, how performance is maintained when multiple containers concurrently access files in the read-only layers, how caching works, and so on, is not known. Sorry!

6. File system isolation in Windows Docker

One of the hot topics of the recent period, besides stocks, was the disaster at an online travel company; rumor even had it that its data had been deleted by mistake!

A customer once asked: can Docker prevent this kind of disaster? In fact, neither Docker nor virtual machines are a substitute for disaster recovery and backup mechanisms. But Docker does provide file system isolation. At the Build conference, I saw the presenter delete all files on the C: drive and all registry keys inside a Windows container. The container itself was destroyed, but other containers were not affected at all, and neither was the host; the same is true of Linux Docker. Look at the picture.
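
The layered file system of question 5 and the "delete everything" demo of question 6, as a small Python model. This is an added example, not Microsoft's implementation or code from the talk; the class name LayeredFS, the sample paths and the use of deletion markers in the sandbox layer are assumptions made for illustration (the real mechanism is, as noted above, not known).

```python
from types import MappingProxyType

class LayeredFS:
    """One container's view: shared read-only layers plus a private sandbox layer."""

    def __init__(self, readonly_layers):
        # Lowest layer first (OS, then application framework); shared, never written.
        self.layers = list(readonly_layers)
        self.sandbox = {}     # private read-write top layer
        self.deleted = set()  # assumption: deletions are markers kept in the sandbox

    def read(self, path):
        if path in self.deleted:
            raise FileNotFoundError(path)
        if path in self.sandbox:
            return self.sandbox[path]
        for layer in reversed(self.layers):  # search the read-only layers top-down
            if path in layer:
                return layer[path]
        raise FileNotFoundError(path)

    def write(self, path, data):
        # Copy-on-write: new content lands in the sandbox; lower layers are untouched.
        self.deleted.discard(path)
        self.sandbox[path] = data

    def delete(self, path):
        self.read(path)  # raises FileNotFoundError if the container cannot see the file
        self.sandbox.pop(path, None)
        self.deleted.add(path)

    def listing(self):
        visible = set(self.sandbox)
        for layer in self.layers:
            visible |= set(layer)
        return sorted(visible - self.deleted)

# Constructed sample image: two read-only layers shared by every container.
OS_LAYER = MappingProxyType({r"C:\Windows\System32\kernel32.dll": b"os-v1",
                             r"C:\Windows\win.ini": b"[fonts]"})
FRAMEWORK_LAYER = MappingProxyType({r"C:\demoapp\demoapp.exe": b"app-v1"})

def wipe_demo():
    a = LayeredFS([OS_LAYER, FRAMEWORK_LAYER])
    b = LayeredFS([OS_LAYER, FRAMEWORK_LAYER])
    a.write(r"C:\Windows\win.ini", b"[tampered]")  # modify: copy-on-write in a only
    for path in a.listing():                       # then delete everything a can see
        a.delete(path)
    return a.listing(), b.listing(), b.read(r"C:\Windows\win.ini")
```

Container a ends up with an empty file system, while container b and the shared layers are unchanged, which is the behaviour shown in the Build demo.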

7. IPC Isolation mechanism

In an article by another Mr. Sun, Sun Jianbo, we see that Linux Docker uses an IPC isolation mechanism. Windows Docker uses a similar isolation mechanism, called session isolation.

So which technologies in Windows use session isolation? A brief summary:
    • First is Terminal Services; sessions were invented for this technology.
    • Fast User Switching, which is actually the same as Terminal Services, except that Fast User Switching only presents the desktop (shell) of the most recently logged-on user.
    • Starting with Windows Vista, system-level processes and services run in Session 0, which is why we can no longer use the "mstsc /console" command to log on to the server's console session.
    • Starting with Windows 8, Metro applications (applications designed for tablets) also use session isolation.


In other words, sessions were designed for multi-user mechanisms such as Terminal Services.

With the WinObj tool from the Sysinternals Suite, you can see the effect of session isolation.

As the diagram shows, different sessions (for example, different containers) have different object namespaces: each has its own window station (with Terminal Services; otherwise only the currently logged-on user has the WinSta0 window station) and its own BaseNamedObjects directory, containing events, mutexes, memory sections and other objects. Applications in different sessions cannot send window messages to each other (which prevents shatter attacks).

Windows Docker inherits session isolation, so different containers on the same Windows host can access an object with the same name without conflict.

In the Build conference demo, two containers were launched, both created from the same Windows Server Core image. Running the tasklist command in one of the containers displays the current processes, including their sessions.

Here we can see that the container is running in session 14.

Running tasklist in the other container shows that it is running in session 15.

This is like accessing the two containers separately through Remote Desktop: each gets a different session and thereby namespace isolation.

What can we see from the two outputs? The System and Idle processes are shared, which means the containers share the host's kernel. Of course, the process IDs by themselves prove nothing, because on every Windows system these two processes have the same PIDs! Each container has its own svchost, csrss and wininit processes; these processes are per-session.

8. Can Windows Docker display a graphical interface?

Traditional Windows applications are mostly GUI-based, so they may need to be operated remotely through a graphical interface. With Windows Docker this is done by connecting to the container's RDP service.

The diagram shows the system process management tool Process Explorer, reached through the RDP service. Because RDP is actually Terminal Services, this graphical Process Explorer runs in a new session! That's a bit of a mouthful.

As this diagram shows, because Process Explorer was opened in a terminal session, we can see two sessions in the container's Task Manager:
    • Session 14 is Docker's own session. Process Explorer was started there too, but nothing is visible; this is normal, because a graphical interface cannot be displayed in the Docker client. Linux likewise uses VNC/RDP or similar methods to open a dedicated access channel.
    • Session 15 is the session accessed through RDP.


9. Create Windows Docker

Like Linux Docker, Windows Docker (remember there are two products, Windows Server Container and Hyper-V Container) fully supports the Linux Docker interface and toolset. Think of TVs and projectors: their internal implementations are quite different, but their interface to the computer is almost identical.

Windows containers are created just as on Linux: write a Dockerfile, run docker build directly, and an image is generated.

A simple example of a Dockerfile:
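# escape=`
# The directive above keeps "\" literal, so Windows paths are not read as line continuations.
FROM windowsservercore
WORKDIR \
# Copy the build output into the image.
COPY bin\debug\ \demoapp
CMD \demoapp\demoapp.exe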

In the future, Microsoft's Windows Azure cloud will support Docker directly, whether Windows or Linux, and with the latest Visual Studio you will be able to check in directly to Linux or Windows containers on Azure. Of course, you can also use Azure's Visual Studio Online service directly.

10. Different versions of Windows Docker, and their similarities to and differences from Linux

First, let me share a slide from the PPT by Zoo Yue, head of Spirit Sparrow Cloud.

Here you can see sessions and JO (Job Objects), the isolation technologies of Windows Docker; JO is similar to cgroups in Linux. You can also look at the related techniques in Chrome, which uses many Windows isolation technologies.

Look at one more picture.

Here you can see the similarities and differences between the different versions of Windows Docker and Linux. Hyper-V Container provides stronger security than Windows Server Container.

You can refer to this picture for the differences between Windows Server Container and Hyper-V Container. The biggest difference is that Hyper-V Container supports multi-tenant security and also supports joining a domain. Windows Server Container cannot join a domain, which means it cannot be used if the app needs to be domain-joined.

Q&A

Q: From the earlier part of the explanation, I think the main thing Windows Server Docker uses is sandbox technology, right?
A: As with Linux Docker, there are both sandbox technologies and a layered file system.

Q: Does Windows also have images used in containers? After downloading one, can I use it in Docker on Linux? Can a Linux image run in Windows Server Docker?
A: Windows Docker and Linux are incompatible. You cannot run a Linux image on Windows. Because Docker shares the kernel, the two implementations are completely different.

Q: Is the GUI supported?
A: The GUI can be supported, just as with Linux Docker. However, because the Docker client itself cannot support a GUI, you need to connect using an RDP client.

Q: Is Windows Docker based only on Windows, without differences between distributions as on Linux?
A: Because Docker is essentially OS virtualization technology, it relies on the OS kernel, and Windows and Linux are incompatible with each other. One current workaround is to solve this at the source-code level: the same code can be checked in to a Windows container or deployed to a Linux container (running the Linux version of .NET).

Q: So on a Windows PC there is no need to install a virtual machine, as there is when installing Docker today?
A: No. Windows Docker is the native Windows version of the Docker mechanism, equivalent to Linux Docker, not a virtual machine such as Boot2docker.

Q: Does Windows Docker already have Windows images?
A: Yes, there will be Windows Server images, such as the familiar Windows Server Core, and in the future Windows Nano Server.

Q: Don't these images all come with a GUI? And as for management, does Microsoft currently have its own container management platform?
A: There can be a GUI, but cloud environments tend to de-emphasize the GUI, which is why Microsoft is launching Windows Nano Server. Nano Server has no GUI and not even a console; it must be managed remotely via the PowerShell command line. In addition, Windows Docker supports the traditional Linux Docker interface.

Q: What are some of the more typical scenarios for Windows Docker?
A: The typical scenarios for Windows Docker are almost the same as for Linux: delivering applications as dynamic services and breaking the tight coupling between applications and the underlying hardware.

===========================
The above content was compiled from the group sharing session on the evening of July 21, 2015. The speaker was Peng, Microsoft cloud computing solutions consultant and senior Microsoft lecturer. DockOne organizes a technology sharing session every week; interested readers are welcome to add LIYINGJIESX to join the group, and you can leave us a message with the topics you would like to hear about.