Docker has been popular for a while, but I had been reluctant to touch it, feeling it was not stable enough. Despite the flood of promotional pieces about PaaS, microservices, container engines, lightweight virtual machines (the cgroups and LXC technology underneath has of course been familiar for a long time) and so on, I stayed noncommittal, for one reason: no large-scale industrial deployment had appeared, or at least I had never witnessed one.
The time has now come: recent job requirements meant I had to build some MQ images, so I studied Docker systematically (the motivation was not only to use it in depth, but also the appeal of the Go language, which I have been using for two years). This article simply records some uses of Docker and my impressions of it; comments and criticism are welcome.
Docker installation
As a loyal Linux user, Ubuntu is my office platform of choice, so my own practice is based on it; for other platforms, see the online articles in my reference list. The installation script is as follows:
# the official instructions also import the repository's signing key with apt-key before this step; without it apt cannot verify the packages
sudo sh -c "echo deb http://get.docker.com/ubuntu docker main > /etc/apt/sources.list.d/docker.list"
sudo apt-get update
sudo apt-get install lxc-docker
For users, Docker follows the client/server (C/S) architecture. The latest version is 1.4.1, as shown by docker version:
Client version: 1.4.1
Client API version: 1.16
Go version (client): go1.3.3
Git commit (client): 5bc2ff8
OS/Arch (client): linux/amd64
Server version: 1.4.1
Server API version: 1.16
Go version (server): go1.3.3
Git commit (server): 5bc2ff8
However, prefixing every docker command with sudo gets annoying. Run the following script instead:
sudo groupadd docker
# add the current user to the docker group; my login here is "von"
sudo gpasswd -a von docker
sudo service docker restart
# the new group membership applies to sessions started after this point; log out and back in, then check
docker version
# if it still does not take effect, reboot
sudo reboot
Remark: why do it this way? Because that is what the official documentation says:
Giving non-root Access
The Docker daemon always runs as the root user, and since Docker version 0.5.2, the Docker daemon binds to a Unix socket instead of a TCP port. By default this Unix socket is owned by the user root, and so, by default, you can access it with sudo.
Starting in version 0.5.3, if you (or your Docker installer) create a Unix group called docker and add users to it, then the docker daemon will make the ownership of the Unix socket read/writable by the docker group when the daemon starts. The Docker daemon must always run as the root user and if you run the Docker client as a user in the docker group then you don't need to add sudo to all the client commands. As of 0.9.0, you can specify that a group other than docker should own the Unix socket with the -G option.
Warning: The docker group (or the group specified with -G) is root-equivalent; see Docker Daemon Attack Surface details.
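To see exactly who that warning applies to on a given host, here is an added audit script (not from the original post or from Docker's documentation): it reports the socket's owner, group and mode and lists every account that reaches the socket through that group. Function names are assumptions, and the paths default to the usual Ubuntu locations.

```shell
#!/bin/sh
# Added example (not from the original post): who can reach the Docker
# daemon's Unix socket, and is therefore root-equivalent per the warning
# above. Function names are assumed; paths default to the usual locations.

# socket_group_members GROUP [GROUP_FILE] [PASSWD_FILE]
# Prints every account in GROUP: supplementary members from the group file
# plus accounts whose primary group it is in the passwd file. Returns 1 if
# the group does not exist.
socket_group_members() {
  grp=$1 group_file=${2:-/etc/group} passwd_file=${3:-/etc/passwd}
  gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$group_file")
  [ -n "$gid" ] || return 1
  {
    # 4th field of the group entry is a comma-separated member list
    awk -F: -v g="$grp" '$1 == g && $4 != "" {
      n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$group_file"
    # accounts whose primary gid is this group (these are not listed in /etc/group)
    awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
  } | sort -u
}

# docker_socket_report [SOCKET]
# Shows owner, group and mode of the socket (GNU stat), flags a world-writable
# mode, and lists the accounts that reach it through its group (-G on the
# daemon changes which group that is).
docker_socket_report() {
  sock=${1:-/var/run/docker.sock}
  [ -S "$sock" ] || { echo "no socket at $sock"; return 1; }
  set -- $(stat -c '%U %G %a' "$sock")
  echo "socket=$sock owner=$1 group=$2 mode=$3"
  case $3 in
    *[2367]) echo "mode lets every local user write: all of them are root-equivalent" ;;
  esac
  echo "root-equivalent through group $2:"
  socket_group_members "$2" || echo "(group $2 not found in /etc/group)"
}

docker_socket_report "$@"
```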
Once it is installed, find the official hello-world example and try it:
docker pull learn/tutorial
docker run learn/tutorial /bin/echo hello world
Docker's architecture and core technology differ from whole-system virtualizers (for example VMware ESXi, QEMU or Hyper-V) and from paravirtualizers such as Xen: the Docker core is an operating-system-level virtualization scheme, as shown in the figure:
The Docker back end is a loosely coupled architecture, a set of modules combined organically to support Docker's operation. The overall architecture looks like this:
The user uses the Docker client to establish communication with the Docker daemon and sends the request to the latter.
The Docker daemon, the principal part of the Docker architecture, first provides the server function that accepts requests from the Docker client; the engine then carries out a series of tasks inside Docker, each of which takes the form of a job.
During job execution, when a container image is needed it is downloaded from the Docker registry and stored as a graph through the image-management driver graphdriver; when a network environment must be created for a container, it is created and configured through the network-management driver networkdriver; and limiting a container's resources or executing user commands is done by execdriver.
libcontainer is a standalone container-management package; networkdriver and execdriver call libcontainer to carry out the concrete operations on the container.
When the command to run a container executes, an actual Docker container is running, with its own file system, an independent and secure runtime environment, and so on. Each user instance is isolated from the others and they do not affect each other. How is this done? Hardware virtualization hands out VMs; Docker instead relies on kernel namespaces. The PID, NET, IPC, MNT, UTS and user namespaces isolate the container's processes, network, IPC messages, file system, hostname (UTS, "UNIX time-sharing system") and user IDs.
Below is a brief introduction to these pieces:
(1) PID namespace
Processes of different users are separated by PID namespaces, and the same PID can appear in different namespaces. In Docker the parent of all LXC (container) processes is the docker process, and each container process is in its own namespace. Because namespaces can be nested, Docker-in-Docker is also easy to implement.
(2) Net Namespace
With PID namespaces alone, the PIDs in each namespace are isolated from one another, but network ports are still the host's ports. Network isolation is achieved through NET namespaces: each net namespace has its own network devices, IP addresses, routing tables and /proc/net directory, so each container's network is isolated. By default Docker uses a veth pair to connect the container's virtual NIC to a bridge on the host, docker0.
(3) IPC namespace
Process interaction inside a container also uses the usual Linux inter-process communication (IPC) mechanisms: semaphores, message queues and shared memory. Unlike with VMs, however, process interaction inside a container is really interaction between processes in the same PID namespace on the host, so namespace information has to be added to IPC resource requests: each IPC resource has a unique 32-bit ID.
(4) Mnt namespace
Like chroot, a process is placed into a specific directory to run. The MNT namespace lets processes in different namespaces see different file structures, so the processes of each namespace see an isolated directory tree. Unlike chroot, /proc/mounts for each container in its namespace contains only the mount points of that namespace.
(5) UTS namespace
The UTS ("UNIX time-sharing system") namespace gives each container its own hostname and domain name, so it can be seen as a separate node on the network rather than a process on the host.
(6) User namespace
Each container can have different user and group IDs, which means a program inside the container runs as a user defined inside the container rather than as a user on the host.
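As an added example (not from the original post), the following script reads the /proc/<pid>/ns links through which the kernel exposes these six namespaces and reports which ones two processes share; run from the host against a container's PID, it shows whether the isolation described above actually holds. Function names are assumptions and it needs a Linux /proc.

```shell
#!/bin/sh
# Added example (not from the original post): compare the namespaces of two
# processes by reading the /proc/<pid>/ns/* links the kernel exposes. Run
# from the host with a container's PID (docker inspect -f '{{.State.Pid}}'
# NAME), it shows whether the container is really separated from init in
# each namespace type listed above. Function names are assumed.

NS_TYPES="pid net ipc mnt uts user"

# ns_id PID TYPE -> the namespace identity (e.g. "pid:[4026531836]"),
# "absent" if PID or that type does not exist, "unreadable" if access is
# denied (reading another user's links needs ptrace-level access).
ns_id() {
  link=/proc/$1/ns/$2
  if [ ! -L "$link" ]; then
    echo absent
  elif target=$(readlink "$link" 2>/dev/null); then
    echo "$target"
  else
    echo unreadable
  fi
}

# ns_compare PID_A PID_B -> one line per type: "<type> shared|separate|unknown"
ns_compare() {
  for t in $NS_TYPES; do
    a=$(ns_id "$1" "$t")
    b=$(ns_id "$2" "$t")
    case "$a|$b" in
      absent*|*absent|unreadable*|*unreadable) echo "$t unknown" ;;
      *) [ "$a" = "$b" ] && echo "$t shared" || echo "$t separate" ;;
    esac
  done
}

# shared_with_init PID -> the types PID shares with PID 1. From the host, a
# container started with --net=host or --pid=host shows "net" or "pid" here.
shared_with_init() {
  ns_compare 1 "$1" | awk '$2 == "shared" { print $1 }'
}

# Demo: a child placed in a new user namespace with unshare -U (allowed for
# unprivileged users on many kernels) should show "user separate" and every
# other type shared; if unshare is refused, the lines read "unknown".
if command -v unshare >/dev/null 2>&1; then
  unshare -U sleep 3 2>/dev/null &
  sleep 1
  ns_compare $$ $!
  wait $! 2>/dev/null || true
fi
```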
Docker Practice Essentials
1. Build incrementally on an image that already contains a JDK
Why? First, an Oracle JDK image comes out about the same size as the official dockerfile/java image, over 700 MB; with OpenJDK it is smaller, around 500 MB. Second, a home-made build script is awkward to get right, but don't worry, I have worked one out; see the script further down for reference. Finally, the domestic network is slow and the JDK tarball download often fails...
2. To detach from a container and return to your terminal without stopping the container, press Ctrl+P followed by Ctrl+Q.
3. The difference between the CMD and ENTRYPOINT instructions (what they have in common: only the last CMD and the last ENTRYPOINT in a Dockerfile take effect)
CMD instruction: the main purpose of a CMD is to provide defaults for an executing container.
Usage:
CMD ["executable", "param1", "param2"] (exec form, the preferred form)
CMD ["param1", "param2"] (as default parameters to ENTRYPOINT)
CMD command param1 param2 (shell form)
First form: run an executable and supply its parameters.
Second form: supply parameters to ENTRYPOINT.
Third form (shell form): the command is executed via "/bin/sh -c".
Note: arguments given to docker run override the parameters in CMD.
ENTRYPOINT instruction: an ENTRYPOINT lets you configure a container that runs as an executable.
Usage:
ENTRYPOINT ["executable", "param1", "param2"] (the preferred exec form)
ENTRYPOINT command param1 param2 (shell form)
Note: the second form (shell form) ignores any arguments passed to docker run and any parameters from CMD.
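As an added demonstration of these rules (not from the original post), the script below composes the container's argv the way Docker does, appending CMD or the docker run arguments after ENTRYPOINT and wrapping shell forms in /bin/sh -c, then executes it with the local shell so the masking behaviour is visible without a container. Function names are assumptions.

```shell
#!/bin/sh
# Added demonstration (not from the original post): how Docker composes the
# container's argv from ENTRYPOINT, CMD and `docker run` arguments, executed
# here with the local /bin/sh instead of a container. Function names are
# assumed for this example.
set -f   # keep words such as "%s," from being expanded as glob patterns

# run_as_docker_would EP_FORM EP_TEXT CMD_FORM CMD_TEXT [RUN_ARG...]
#   forms are exec, shell or none; text is what follows the keyword in the
#   Dockerfile; RUN_ARGs are what is typed after the image on `docker run`
run_as_docker_would() {
  ep_form=$1 ep=$2 cmd_form=$3 cmd=$4
  shift 4
  # arguments on the docker run line replace CMD (they count as exec form)
  if [ $# -gt 0 ]; then
    cmd_form=exec
    cmd=$*
  fi
  set --
  # ENTRYPOINT goes first; the shell form is wrapped as /bin/sh -c "..."
  case $ep_form in
    exec)  set -- $ep ;;
    shell) set -- /bin/sh -c "$ep" ;;
  esac
  # CMD (or the run arguments) are appended after ENTRYPOINT. Behind a
  # shell-form ENTRYPOINT they land after the -c string, where sh exposes
  # them only as $0, $1, ...; the command text itself never receives them.
  case $cmd_form in
    exec)  set -- "$@" $cmd ;;
    shell) set -- "$@" /bin/sh -c "$cmd" ;;
  esac
  "$@"
}

# The "image" executable is printf, which prints each argument it receives
# followed by a comma, so what actually reached the program is visible.
demo() {
  printf 'exec ENTRYPOINT + exec CMD:         %s\n' \
    "$(run_as_docker_would exec 'printf %s,' exec default)"
  printf 'same, docker run IMAGE one two:     %s\n' \
    "$(run_as_docker_would exec 'printf %s,' exec default one two)"
  printf 'shell ENTRYPOINT, run args dropped: %s\n' \
    "$(run_as_docker_would shell 'printf %s,' exec default one two)"
  printf 'no ENTRYPOINT, shell-form CMD:      %s\n' \
    "$(run_as_docker_would none '' shell 'printf %s, x')"
}
demo
```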
4. There are currently two main JDK image families (https://registry.hub.docker.com/search?q=java). In general I would pick the Oracle JDK one, dockerfile/java, but that image is very large; I tried building an Oracle JDK7 image myself and found it about the same size as the official one, over 700 MB. A plain Ubuntu image is over 200 MB; install a JDK and it balloons past 700 MB, which hurts. Here is my own JDK image Dockerfile; feel free to reuse it:
#############################################################
# Dockerfile to run RocketMQ containers
# Based on Ubuntu image
#############################################################

# Set the base image to use to Ubuntu
FROM ubuntu

# Set the file maintainer (your name - the file's author)
MAINTAINER Gosling "gosling@gmail.com"

# Update package repository
RUN echo "deb http://archive.ubuntu.com/ubuntu trusty main universe" > /etc/apt/sources.list
RUN apt-get update -y

# Install python tools (so we can do add-apt-repository)
RUN apt-get install -y -q python-software-properties software-properties-common

# Install Oracle jdk7
#RUN \
#  echo oracle-java8-installer shared/accepted-oracle-license-v1-1 select true | debconf-set-selections && \
#  add-apt-repository ppa:webupd8team/java -y && \
#  apt-get update -y && \
#  apt-get install oracle-java8-installer -y && \
#  apt-get clean && \
#  update-alternatives --display java && \
#  echo "JAVA_HOME=/usr/lib/jvm/java-8-oracle" >> /etc/environment
RUN add-apt-repository ppa:webupd8team/java -y && \
    apt-get update -y && \
    echo oracle-java7-installer shared/accepted-oracle-license-v1-1 select true | /usr/bin/debconf-set-selections && \
    apt-get -y install oracle-java7-installer && \
    apt-get clean && \
    update-alternatives --display java && \
    echo "JAVA_HOME=/usr/lib/jvm/java-7-oracle" >> /etc/environment

WORKDIR /data
CMD ["bash"]
5. Uploading a file with nc. The image has no vim, so /etc/hosts cannot be edited inside the container; I have a local copy I want to upload.
First, map the ports (host port 9999 to container port 9999):
# -p 127.0.0.1:9999:9999 would publish the port on the loopback interface only instead of on every host interface
docker run -i -t -p 9999:9999 ubuntu /bin/bash
Second, listen on port 9999 inside the container:
nc -l -p 9999 > /etc/hosts
Finally, send the file to port 9999 from the local side:
nc localhost 9999 < /etc/hosts
6. Use docker exec rather than building sshd into the image.
See the official blog post: http://blog.docker.com/2014/06/why-you-dont-need-to-run-sshd-in-docker/
Reference articles
1. Docker Chinese Guide, http://www.widuu.com/chinese_docker/installation/ubuntu.html
2. Docker from introduction to practice, http://yeasy.gitbooks.io/docker_practice/
3. Dockerfile Best Practices, https://docs.docker.com/articles/dockerfile_best-practices/
4. Ubuntu Docker installation, https://docs.docker.com/installation/ubuntulinux/#ubuntu-trusty-1404-lts-64-bit
5. How Docker removes sudo, https://docs.docker.com/installation/ubuntulinux/#giving-non-root-access
6. Operating system virtualization scheme, http://en.wikipedia.org/wiki/Operating-system-level_virtualization
7. Docker source code analysis, http://www.infoq.com/cn/articles/docker-source-code-analysis-part1
8. Docker technology preview, http://www.infoq.com/cn/articles/docker-core-technology-preview
Docker first Experience