What is Docker
Docker is an open platform for developing, shipping, and running applications.
Docker is a container engine originally open-sourced by the PaaS provider dotCloud. It started out as a layer on top of LXC, is written in Go, is hosted on GitHub, and is released under the Apache 2.0 license.
Docker lets an application be packaged together with all of its dependencies into a standardized unit that is shipped and deployed as a whole.
Docker is lightweight and open source, and isolates applications from one another and from the host using kernel mechanisms (namespaces and cgroups, described below).
Docker VS VMs
Docker containers offer resource isolation and allocation benefits similar to VMs, but because their architecture is different, containers are more portable and more efficient than VMs.
VMS Architecture
A VM contains the application, the binaries and libraries it needs, and a complete guest operating system; the whole thing can be tens of GB in size.
Containers Architecture
A container holds the application and all of its dependencies, but shares the kernel with the other containers on the host. It runs as an isolated process in user space on the host operating system. Docker containers are not tied to a specific infrastructure: they run on any computer, on any infrastructure, and in any cloud. They do, however, need a kernel of the same OS family, and the binaries in an image must match the host CPU architecture (an x86-64 image does not run on an arm64 host without emulation).
Understanding the Docker architecture
What Docker can be used for
1. Faster delivery of applications
2. Easier deployment and scaling
3. Higher density: more workloads on the same hardware
Docker Important Components
Docker Engine: the open-source container platform
Docker Hub: a SaaS platform for sharing and managing Docker images
Docker Architecture
Docker uses a client/server architecture. The Docker client talks to the Docker daemon, which does the work of building, running, and distributing containers. Client and daemon can run on the same host, or the client can connect to a daemon on a remote host. The two communicate over a UNIX socket (by default /var/run/docker.sock) or a TCP port, using a RESTful API. Because the daemon runs as root, whoever can write to that socket or reach that port can do anything root can do on the host: membership of the docker group is root-equivalent, and a TCP listener must be protected with TLS client authentication.
Docker Daemon
As the figure shows, the Docker daemon runs on a host. The user does not talk to the daemon directly but through the Docker client.
Docker Client
The Docker client, the docker binary, is the primary user interface to Docker. It accepts commands from the user and communicates with the Docker daemon.
Inside Docker
Docker images (the build component)
A Docker image is a read-only template; for example, an image may contain a CentOS operating system with Apache installed. Images are used to create Docker containers, so images are Docker's build component.
Docker registries (the distribution component)
A Docker registry stores images. It is a public or private repository that images are pushed to and pulled from; the public registry is provided by Docker Hub. Registries are therefore Docker's distribution component. Treat anything pulled from a registry as untrusted input: tags are mutable, so pin images by content digest (image@sha256:...) and pull only from registries you control or trust.
Docker containers (the run component)
A Docker container is similar to a directory: it holds everything an application needs to run. Each container is created from an image and can be run, started, stopped, moved, and deleted. Each container is an isolated application platform, but it shares the host kernel with every other container, so the isolation is only as strong as the kernel mechanisms described below. Containers are therefore Docker's run component.
Technologies Docker uses
LXC
How LXC implements virtualization
As noted above, Docker began as operating-system-level virtualization built on LXC (Docker later replaced its LXC driver with its own libcontainer, now runc, but the kernel mechanisms are the same), so Docker's virtualization can be understood in the following terms.
1. Isolation
LXC isolates containers by means of kernel namespaces.
2. Quotas
LXC controls resources through cgroups.
3. Portability
Docker uses AUFS, a union filesystem, to stack read-only image layers under a writable container layer, which is what makes images portable (current Docker defaults to overlay2, which works the same way).
4. Security
Under LXC the user's processes are children of the lxc-start process and are isolated only by kernel namespaces, so kernel hardening is needed to keep a malicious process in a container from compromising the host; dotCloud relied mainly on the grsecurity kernel patch for this.
Namespaces
LXC's isolation relies mainly on kernel namespaces: the PID, NET, IPC, MNT, UTS (and USER) namespaces separate a container's processes, network stack, IPC objects, mount table and hostname from those of the host.
PID namespace
Processes of different containers are separated by PID namespaces, and the same PID number can exist in different namespaces. PID namespaces have the following properties:
1. Each namespace has its own PID 1 (the counterpart of /sbin/init on the host).
2. A process can only affect processes in its own namespace or in child namespaces.
3. Because /proc exposes the running processes, the /proc pseudo-filesystem inside a container shows only the processes of its own namespace, provided a fresh procfs is mounted inside the container's mount namespace; the host's /proc still shows everything.
4. Because namespaces nest, a parent namespace can affect the processes of a child namespace, and a child's processes are visible from the parent, but under different PIDs.
UTS namespace
UTS ("UNIX Time-sharing System") namespaces give each container its own hostname and domain name, so that it can appear as an independent node on the network rather than as a process on the host.
NET namespace
Network isolation is achieved through net namespaces: each net namespace has its own network devices, IP addresses, routing tables and /proc/net directory, so every container's network is separate. By default Docker creates a veth pair, places one end inside the container as its virtual network card, and attaches the other end to the docker0 bridge on the host.
MNT namespace
Like chroot, which confines a process to a directory subtree, mount namespaces let processes in different namespaces see different filesystem trees, so each container sees an isolated directory hierarchy. Unlike chroot, each container's /proc/mounts lists only the mount points of its own namespace. chroot on its own is not a security boundary (a root process can escape it); Docker combines the mount namespace with pivot_root and with dropping capabilities.
IPC namespace
Processes inside a container also use the usual Linux inter-process communication (IPC) mechanisms: semaphores, message queues and shared memory. Unlike with VMs, container processes are all ordinary processes of one host kernel, so namespace information has to be attached to every IPC request: each IPC resource has a unique 32-bit ID, and the IPC namespace makes a container see only the IDs created in its own namespace, so one container cannot open another's shared memory by guessing its ID.
User namespace
Each container can have its own user and group IDs, which means a user inside the container is not the same as a user on the host. Docker does not enable this by default: unless the daemon runs with --userns-remap, uid 0 inside a container is uid 0 on the host, and only the other namespaces, dropped capabilities and the default seccomp profile stand between a container root and the host.
With these six namespaces, a container looks like an independent machine from the point of view of processes, networking, IPC, filesystem, hostname and users, and containers are isolated from each other at the OS level. Processes in different namespaces still compete for the same physical resources, however, so something like ulimit is also needed to bound what each container may consume: that is the job of control groups.
Resource quotas: control groups
cgroups implement resource quotas and accounting. The interface is a pseudo-filesystem: create a subdirectory under the cgroup mount (the article's /cgroup; /sys/fs/cgroup/<subsystem>/ on current distributions) and write a PID into the tasks file in that directory to bring the process under that group's control. Each subsystem exposes control files named {subsystem}.{resource item} in the group directory; in the memory subsystem, for example, memory.limit_in_bytes sets the group's memory limit, while memory.usage_in_bytes only reports current usage and cannot be used to set a limit. Subsystems can be combined: one hierarchy may have several subsystems attached, but each subsystem can be attached to only one hierarchy. cgroup v2, the default on recent kernels and distributions, replaces the per-subsystem mounts with a single unified hierarchy and renames the files (memory.max, cpu.weight, cgroup.procs).
1. memory
Memory-related limits and accounting.
2. cpu
cgroups do not carve the CPU into a fixed capacity the way hardware virtualization does; they set a scheduling weight, so a group with a higher weight gets the CPU more often under contention. Writing to cpu.shares sets this weight; it is relative, not an absolute quantity (the default is 1024). A hard cap is available separately through cpu.cfs_quota_us and cpu.cfs_period_us, which is what docker run --cpus uses.
3. blkio
Block I/O accounting and limits: byte and operation counts, IOPS and bandwidth throttling, and so on. The statistics mainly cover synchronous I/O; under cgroup v1, buffered writeback is not attributed to the group that issued it.
4. devices
Device access control: devices.allow and devices.deny permit or block access to device nodes by type, major and minor number.
5. net_cls, cpuacct, freezer and other subsystems.
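The namespace mechanisms of the previous section (PID, UTS, MNT, IPC, NET and USER) and the cgroup control files of this one, shown together in one added example that is not from the original article and is not Docker's own code: a small Go program in the style of a container runtime. It re-executes itself inside fresh namespaces using the clone(2) flags, sets a private hostname and a fresh /proc as PID 1, drops into a shell, and, when run as root, moves the child into a cgroup v1 memory and CPU group. The group name nsdemo, the 64 MiB limit and the 512 CPU shares are arbitrary demo values; /sys/fs/cgroup is the usual cgroup mount point. It assumes a Linux host with unprivileged user namespaces enabled, and it will fail inside an existing container whose /proc has masked paths.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"syscall"
)

// clone(2) flags for the namespaces named in the text. "user" lets the demo run
// without root: the child is uid 0 inside its own user namespace, nowhere else.
var nsFlags = map[string]uintptr{
	"pid": syscall.CLONE_NEWPID, "uts": syscall.CLONE_NEWUTS, "net": syscall.CLONE_NEWNET,
	"mnt": syscall.CLONE_NEWNS, "ipc": syscall.CLONE_NEWIPC, "user": syscall.CLONE_NEWUSER,
}

// CloneFlags ORs together the flags for the named namespaces.
func CloneFlags(names ...string) (uintptr, error) {
	var flags uintptr
	for _, n := range names {
		bit, ok := nsFlags[n]
		if !ok {
			return 0, fmt.Errorf("unknown namespace %q", n)
		}
		flags |= bit
	}
	return flags, nil
}

// ControlFile is one cgroup control file and the value to write into it.
type ControlFile struct{ Path, Content string }

// CgroupV1Files lists, in write order, the cgroup v1 files that cap a process's
// memory and set its relative CPU weight: limits first, then the PID goes into
// each group's tasks file. (cgroup v2 uses memory.max, cpu.weight, cgroup.procs.)
func CgroupV1Files(root, group string, pid int, memLimitBytes int64, cpuShares int) []ControlFile {
	mem, cpu := filepath.Join(root, "memory", group), filepath.Join(root, "cpu", group)
	return []ControlFile{
		{filepath.Join(mem, "memory.limit_in_bytes"), strconv.FormatInt(memLimitBytes, 10)},
		{filepath.Join(cpu, "cpu.shares"), strconv.Itoa(cpuShares)},
		{filepath.Join(mem, "tasks"), strconv.Itoa(pid)},
		{filepath.Join(cpu, "tasks"), strconv.Itoa(pid)},
	}
}

// parent re-executes this binary as "child" inside fresh namespaces, mapping the
// caller's uid/gid to root inside the new user namespace (as runc would).
func parent() {
	flags, _ := CloneFlags("pid", "uts", "mnt", "ipc", "net", "user")
	cmd := exec.Command("/proc/self/exe", "child")
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags:  flags,
		UidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getuid(), Size: 1}},
		GidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getgid(), Size: 1}},
	}
	if err := cmd.Start(); err != nil {
		fmt.Fprintln(os.Stderr, "clone failed (unprivileged user namespaces disabled?):", err)
		os.Exit(1)
	}
	if os.Geteuid() == 0 { // only real root may write the host's cgroup tree
		for _, f := range CgroupV1Files("/sys/fs/cgroup", "nsdemo", cmd.Process.Pid, 64<<20, 512) { // demo values
			os.MkdirAll(filepath.Dir(f.Path), 0o755)
			if err := os.WriteFile(f.Path, []byte(f.Content), 0o644); err != nil {
				fmt.Fprintln(os.Stderr, "cgroup step skipped:", err)
			}
		}
	}
	cmd.Wait()
}

// child is PID 1 of the new PID namespace: it takes a private hostname, mounts
// a fresh /proc that lists only this namespace's processes, then runs a shell.
func child() {
	for _, err := range []error{ // evaluated in order
		syscall.Sethostname([]byte("nsdemo")),
		// private propagation first, so the new /proc never reaches the host
		syscall.Mount("", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, ""),
		syscall.Mount("proc", "/proc", "proc", 0, ""),
	} {
		if err != nil {
			panic(err)
		}
	}
	fmt.Printf("inside: pid=%d uid=%d\n", os.Getpid(), os.Getuid())
	sh := exec.Command("/bin/sh")
	sh.Stdin, sh.Stdout, sh.Stderr = os.Stdin, os.Stdout, os.Stderr
	sh.Run()
}

func main() {
	if len(os.Args) > 1 && os.Args[1] == "child" {
		child()
		return
	}
	parent()
}
```

Run it as an ordinary user: the shell reports pid 1, hostname nsdemo and uid 0, while ps on the host shows the same process under your uid and a normal PID; ps inside lists only this namespace's processes, and ip link shows only a loopback device. Run it as root to also see the limits appear under /sys/fs/cgroup/memory/nsdemo and /sys/fs/cgroup/cpu/nsdemo; on a cgroup v2-only host those directories do not exist and the cgroup step reports an error instead.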
This article is from the "Chang Jie listen to the Wind People" blog; please keep this source when reposting: http://kevinhao.blog.51cto.com/5204735/1742544
Understanding Docker Technology