introduction of Docker
Docker two main components: Docker: Open source container virtualization platform Docker Hub: Docker SaaS platform for sharing, managing Docker containers-Docker hub
Docker uses client-server (c/s) schema mode. The Docker client communicates with the Docker daemon. The Docker daemon handles complex and onerous tasks, such as building, running, and publishing your Docker container. Docker clients and Daemons can run on the same system, and of course you can use the Docker client to connect to a remote Docker daemon. Docker client and daemon communication between the socket or the RESTful API.
1.1 Docker Daemon Process
As shown in the figure above, the Docker daemon runs on a single host. Instead of interacting directly with the daemon, users communicate with them indirectly through Docker clients. 1.2 Docker Client
The Docker client, which is actually a Docker binary program, is the primary user-Docker interaction. It receives user instructions and communicates with the Docker daemon behind it, so back and forth. 1.3 Docker Interior
To understand the Docker build, you need to understand the following three parts: Docker mirrors-Docker images Docker warehouse-Docker Registeries-Docker container docker containers do Cker Mirroring
Docker mirroring is a read-only template for the Docker container runtime, and each mirror consists of a series of layers (layers). Docker uses UnionFS to combine these layers into a separate mirror. UnionFS allows files and folders (called branches) in a standalone file system to be transparently overwritten to form a separate, coherent filesystem. Because of the existence of these layers, Docker is so light. When you change a docker image, such as upgrading to a program to a new version, a new layer is created. So you don't have to replace the entire original mirror or rebuild it (you might do this when you're using a virtual machine), just a new layer is added or upgraded. Now you don't have to redistribute the entire image, just upgrade, and the layer makes distributing Docker mirrors simple and fast. Docker Warehouse
The Docker warehouse is used to save mirrors, which can be understood as code warehouses in code control. Similarly, the Docker warehouse also has a public and private concept. The public Docker warehouse name is Docker Hub. The Docker Hub provides a large set of mirrors for use. These mirrors can be created on their own, or on the basis of others ' mirrors. The Docker warehouse is the distribution part of the Docker. Docker Container
Docker containers and folders are similar, and a Docker container contains all the environments required for an application to run. Each Docker container is created from a Docker mirror image. The Docker container can run, start, stop, move, and delete. Each Docker container is an independent and secure application platform, and the Docker container is the operating part of the Docker. 1.4 Libcontainer
Docker from version 0.9 to use Libcontainer to replace the Lxc,libcontainer and Linux system interaction diagram as follows:
Image source: Docker 0.9:introducing execution drivers and Libcontainer 1.5 namespace "namespaces" pid namespace
The process of different users is separated by PID namespace, and the same PID can be used in different namespace. Has the following characteristics: The PID in each namespace is a process with its own pid=1 (similar to the/sbin/init process) processes in each namespace can only affect their own processes in the same namespace or child namespace because/ Proc contains running processes, so the Pseudo-filesystem/proc directory in container can only see processes in its own namespace because the namespace allows nesting, the parent namespace can affect child name Space process, so the process of namespace can be seen in the parent namespace, but with different PID
Reference documentation: Introduction to Linux namespaces–part 3:pid mnt namespace
Similar to chroot, a process is put into a specific directory for execution. MNT namespace allows different namespace processes to see different file structures, so that the file directories seen by processes in each namespace are isolated. Unlike Chroot, the/proc/mounts information in each namespace contains only the mount point of the namespace where the container is located. Net Namespace
Network isolation is implemented through NET namespace, each net namespace has independent network devices, IP addresses, IP routing tables,/proc/net directory. So that each container network can be isolated. Docker the virtual NIC in container is connected to a Docker bridge on the host by default Veth.
Reference documentation: Introduction to Linux namespaces–part 5:net UTS namespace
UTS ("UNIX time-sharing System") namespace allows each container to have a separate hostname and domain name so that it can be viewed as a separate node on the network rather than as a process on the Host.
Reference documentation: Introduction to Linux namespaces–part 1:uts IPC namespace
Process interaction in container is also a common method of inter-process interaction (interprocess COMMUNICATION-IPC), including common semaphores, message queues, and shared memory in Linux. Unlike VMS, however, container interactions are actually interactions between processes in the host with the same PID namespace, so the namespace information needs to be added when an IPC resource is requested-each IPC resource has a unique 32bit ID.
Reference documentation: Introduction to Linux namespaces–part 2:ipc User namespace
Each container can have different user and group IDs, which means that users within the container can execute programs within container rather than users on the Host.
With more than 6 namespace from processes, networks, IPC, file systems, UTS, and user-side isolation, a container can externally demonstrate the capabilities of a stand-alone computer, and different container are isolated from the OS level. However, resources are still competing with each other, and a similar ulimit is still needed to manage the resources that each container can use-Cgroup namespace. Reference Docker getting start:related Knowledge Docker Introduction and its related terminology, underlying principles and technology 1.6 resource quotas "cgroups"
Cgroups implements quotas and metrics for resources. Cgroups is very simple to use, providing a similar file interface, creating a new folder in the/cgroup directory creates a new group, creates a new task file in the folder, and writes the PID to the file to enable resource control of the process. The specific resource configuration options allow you to create a new child subsystem in this folder, {subsystem prefix}. {Resource Item} is a typical configuration method, such as memory.usageinbytes defines a memory limit option for the group in subsystem memory. In addition, the subsystem in cgroups can be combined arbitrarily, a subsystem can be in a different group, or a group can contain multiple subsystem-that is, a subsystem. Memory memory-related restrictions CPUs are not as capable of defining CPU power as hardware virtualization scenarios, but can define the priority of CPU rotation, so processes with higher CPU priority are more likely to get CPU operations. By writing parameters to Cpu.shares, you define the CPU priority for the Cgroup-here is a relative weight, rather than absolute Blkio block IO-related statistics and limitations, byte/operation statistics and limitations (IOPS, etc.), read-write speed limits, etc. , but the main statistics here are synchronous IO devices device permission limits
Reference Document: Cgroup II, Docker installation
Docker installation methods are not described here, the specific installation of reference official files
Get the current Docker version
$ sudo docker version
client version:1.3.2
client API version:1.15 go
version (client): go1.3.3
Git Comm It (client): 39fa2fa/1.3.2
os/arch (client): linux/amd64
server version:1.3.2
server API version:1.15 Go
version (server): go1.3.3
Git commit (server): 39fa2fa/1.3.2
iii. Basic usage of Docker
Docker Hub:docker mirrored home, including official mirrors and other public mirrors
Because of the national conditions, domestic download docker HUB official related mirrors slow, you can use docker.cn mirror, mirror and official consistent, the key is the speed block, recommended use. 3.1 Search Images
$ sudo docker search Ubuntu
3.2 Pull Images
3.3 Running an interactive shell
$ sudo docker run-i-T Ubuntu:14.04/bin/bash
Docker run-run a container-T-assign a (pseudo) TTY (link is external)-I-interactive mode (so we can interact with it) ubuntu:14.04-use the Ubuntu base mirror Like 14.04/bin/bash-run command bash shell
Note: Ubuntu will have multiple versions, starting a specific version by specifying tag [Image]:[tag]
$ sudo Docker PS # View the currently running container, ps-a list all container CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6c9129e9df10 ubuntu:14.04 /bin/bash 6 minutes ago up 6 minutes Cranky_babbage
3.4 Related shortcut keysExit: Ctrl-dorexit detach:ctrl-p + ctrl-q Attach:docker Attach Container-id
iv. Docker Command Help
4.1 Docker Help
Docker Command
$ sudo docker # docker command help Commands:attach attach to a running container # current Shell Attach Company To specify that the run mirror build is image from a Dockerfile # by Dockerfile Custom Mirror commit Create a new image
From a container ' s changes # commits the current container for the new mirrored CP Copy files/folders from the containers filesystem to the host path
# Copy the specified file or directory from the container to the host create create a new container # Creates a new container with run but does not start the container Diff Inspect Changes on a container ' s filesystem # View Docker container changes events get real time events from the SER Ver # get container real-time event from Docker service exec run a command in a existing container # run commands on existing containers export Stream the contents of a container as a tar archive # export the contents stream of the container as a tar archive [corresponding to import] history S How the history of a image # shows a mirror formation history images list Images # list System Current Mirror Import CreAte a new filesystem image from the contents of a Tarball # Create a new file system image from the contents of the TAR package [corresponding to export] info Display system-wide Information # Show system related information inspect return low-level information on a container # view Container details kill Kill a running container # Kill specify Docker container load load an image from a
Tar archive # Load a mirror from a tar package [corresponding save] login Register or Login to the Docker registry server
# Register or Login to a Docker source server logout log out from a Docker registry server # Exit from the current Docker registry Logs Fetch the logs of a container # Output current container log information port Lookup the public-facing port which is
Nat-ed to Private_port # View the container internal source port corresponding to the mapping port pause pause all processes within a container # pause container PS List Containers # Lists Container lists pull pull an image or a repository from the
Docker Registry Server # from the Docker mirror source server pull the specified mirror or library image push push an image or a repository to the Docker registry server # Push specified mirror or library mirroring to Docker source server Restart restart a running Container # Restart container rm Remove
One or more containers # Removes a or more containers rmi remove or more images # remove one or more mirrors [no container uses the mirror to delete, or delete the related container to continue or-f Force Delete] Run run a command in a new container # Create a container and run a command save a image to a tar archive # save a mirror as a tar package [corresponding load] search search for an
Image on the Docker hub # search mirror in Docker hub start a stopped containers # start container Stop stop a running containers # Stop container tag tag an image into a repository # to the mirror in the source tag top Lookup The running processes of a container # view process information running in a container unpause unpause a paused C Ontainer # Cancel suspend container version show the Docker version information # View Docker version number wait block until a conta Iner stops, then print its exit code # intercepts the exit state value when the container stops Run ' Docker COMMAND--help ' for more information on a command.
Docker Option
Usage of Docker:--api-enable-cors=false enable cors headers in the Sqlremote API # remote
API Open CORS Header-B,--bridge= "" "Attach containers to a pre-existing bridge # bridging network Use ' None ' to disable container networking--bip= ""
Use this CIDR notation to the Network Bridge ' s IP, not compatible with-b # is not compatible with the-B option, specifically not tested-D,--daemon=false Enable daemon mode # daemon Mode-D,--debug=false Enable debug Mode # de Bug mode--dns=[] Force docker to use specific DNS servers # Forced Docker usage refers to Set DNS server--dns-search=[] Force docker to use specific DNS search domains # forced Docker Use the specified DNS search domain-E,--exec-driver= "native" Force the Docker runtime to use a specific exec driver # Force Docker run with specified execution drive--fixe D-cidr= "" IPv4 Subnet for fixed IPs (EX:10.20.0.0/16) t His subnet must being nested in the bridge subnet (which is defined by-b or--BIP)-G,--group= "Docker" Group to assign the UNIX sockets specified by-h when running into daemon mode use ' (The empty string) to disable setting of a group-g,--graph= "/var/lib/docker" Path to use as the root of T He docker runtime # container runs the root directory path-H,--host=[] the socket (s) to bind to in daemon mo De # daemon Mode docker Specifies the binding method [TCP or local socket] specified US
ing one or more tcp://host:port, Unix:///path/to/socket, fd://* or FD://SOCKETFD. --icc=true Enable Inter-containerCommunication # Cross-container communication--insecure-registry=[] Enable insecure communication with SP
Ecified Registries (no certificate verification for HTTPS and enable HTTP fallback) (e.g., localhost:5000 or 10.20.0.0/16) --ip= "0.0.0.0" Default IP address to use when binding container ports # Specifies the listener addresses, all IP- Ip-forward=true Enable Net.ipv4.ip_forward # Open Forwarding--ip-masq=true Enable IP masquerading for bridge ' s IP range--iptables=true Enable Docker ' s addition of iptables rules # Add corresponding iptables rule--mtu=0 Set the container S Network MTU # Set Network MTU if no value is Provided:d Efault to the ' default route MTU or 1500 if no default route is Available-p,--pidfile= '/var/run/docker.pid ' Path to Use for daemon PID file # Specify PID file location--registry-mirror=[] Specify a preferred Docker registry Mirr Or-s,--storage-driver= "" Force the Docker runtime to use a specific storage # Forces the Docker runtime to use the specified storage-driven--selinux-enabled=false Enable selinux support # Open SELinux support--storage-opt=[] Set storage driver Options # set to save Storage-driven option--tls=false use TLS; Implied by Tls-verify flags # Open TLS--tlscacert= "/ROOT/.DOCKER/CA.PEM" Trust only remotes Pro Viding a certificate signed by the CA given this--tlscert= "/root/.docker/cert.pem" Path to TLS certificate file # TLS certificate file location--tlskey= "/root/.docker/key.pem" Path to TLS key file # TLS key file location--tlsverify=false use TLS and VeriFY the remote (daemon:verify client, client:verify daemon) # using TLS and confirming the remotely controlled host-V,--version=false P Rint version information and quit # output Docker versioning information
4.2 Docker Search