提问
I keep rereading the Docker documentation to try to understand the difference between Docker and a full VM. How does it manage to provide a full filesystem, isolated networking environment, etc. without being as heavy?
Why is deploying software to a Docker image (if that's the right term) easier than simply deploying to a consistent production environment?
我重读了Docker文档,尝试去了解Docker和虚拟机的差别。Docker是怎么提供一个完全文件系统,一个孤立的网络环境,等等,还不是重量级的?
为什么部署应用到Docker镜像(如果这个镜像用的对话)比起到一个相同的生产环境要简单。
最后应该是想说 为什么部署Docker比起部署虚拟机简单
回答一:
Docker originally used LinuX Containers (LXC), but later switched to runC (formerly known as libcontainer), which runs in the same operating system as its host. This allows it to share a lot of the host operating system resources. Also, it uses a layered filesystem (AuFS) and manages networking.
Docker一开始用的是 Linux Container,但是之后选择了runC(原名libcontainer),runC可以以和主机相同的操作系统运行。这允许他去共用一些主机的操作系统资源。他也用了分层式文件系统(AuFS)来管理网络。
AuFS is a layered file system, so you can have a read only part and a write part which are merged together. One could have the common parts of the operating system as read only (and shared amongst all of your containers) and then give each container its own mount for writing.
AuFS是一个分层式文件系统,所以你可以把只读的部分和只写的部分合并在一块。你可以把操作系统中的公共部分变成只读(并把这部分和你其他的容器分享),然后给每个容器他自己的挂载去来写入。
So, let's say you have a 1 GB container image; if you wanted to use a full VM, you would need to have 1 GB times x number of VMs you want. With Docker and AuFS you can share the bulk of the 1 GB between all the containers and if you have 1000 containers you still might only have a little over 1 GB of space for the containers OS (assuming they are all running the same OS image).
这就是说,你如果有1GB的容器镜像,你想要用一个完整的虚拟机,你需要有你想要数量个的1GB虚拟机。但如果用Docker和AuFS,你可以共用1GB的大部分在所有的Docker容器之间。假如说你有1000个Docker容器,你可能只会用1GB多一点点的空间来保存容器的操作系统(假设他们都用同一个操作系统镜像)。
A full virtualized system gets its own set of resources allocated to it, and does minimal sharing. You get more isolation, but it is much heavier (requires more resources). With Docker you get less isolation, but the containers are lightweight (require fewer resources). So you could easily run thousands of containers on a host, and it won't even blink. Try doing that with Xen, and unless you have a really big host, I don't think it is possible.
一个完整的虚拟化的系统拿到他自己被分配的资源,仅会做最小的共享。确实你得到了更多的独立性,但是他花费更重的代价(需要更多的资源)。用Docker,你会少一些独立性,但是容器是轻量级的(需要更少的资源)。所以你能很容易地运行数以千计的容器在一台主机上,他甚至不会闪烁。如果用Xen去实现,我认为
这是不可能的,除非你有一个很强的主机。
A full virtualized system usually takes minutes to start, whereas Docker/LXC/runC containers take seconds, and often even less than a second.
一个完整的虚拟化的系统通常要花数分钟来启动,但是Docker/LXC/runC容器仅花数秒。甚至少于一秒。
There are pros and cons for each type of virtualized system. If you want full isolation with guaranteed resources, a full VM is the way to go. If you just want to isolate processes from each other and want to run a ton of them on a reasonably sized host, then Docker/LXC/runC seems to be the way to go.
每种虚拟化的系统都有各自的利弊。如果你想要完全隔离并保证资源,虚拟机是一个好的方法。如果你想要隔离进程,并且跑一堆Docker容器在一台正常大小的主机上,Docker/LXC/runC是一个好的方法。
For more information, check out this set of blog posts which do a good job of explaining how LXC works.
更多的信息,可以看这组博客很好地解释了LXC的工作原理。
回答Why is deploying software to a docker image (if that's the right term) easier than simply deploying to a consistent production environment?
Deploying a consistent production environment is easier said than done. Even if you use tools like Chef and Puppet, there are always OS updates and other things that change between hosts and environments.
部署一个相同的生产环境说起简单,做起来难。即使你用类似于Chef和Puppet的工具,这里还是会存在一些操作系统升级或者其他的东西改变主机和环境。
Docker gives you the ability to snapshot the OS into a shared image, and makes it easy to deploy on other Docker hosts. Locally, dev, qa, prod, etc.: all the same image. Sure you can do this with other tools, but not nearly as easily or fast.
Docker给了你将系统快照分享给Docker镜像的能力,这使得能够很容易把他部署到Docker主机上。本地,dev,qa,prod等等环境,都能用相同的镜像。当然,你可以用其他工具做同样的事情,但不会像Docker一样又快又简单。
This is great for testing; let's say you have thousands of tests that need to connect to a database, and each test needs a pristine copy of the database and will make changes to the data. The classic approach to this is to reset the database after every test either with custom code or with tools like Flyway - this can be very time-consuming and means that tests must be run serially. However, with Docker you could create an image of your database and run up one instance per test, and then run all the tests in parallel since you know they will all be running against the same snapshot of the database. Since the tests are running in parallel and in Docker containers they could run all on the same box at the same time and should finish much faster. Try doing that with a full VM.
这很容易测试;假设说你有上千的测试用例需要连接数据库,并且每一个用例都需要一份原始的数据库拷贝,然后改变数据。典型的方法是在每个测试用例之后用自定义代码或者类似于Flyway的工具去重置数据库。这将是非常花费时间,并且这意味着测试必须连续运行。但是,用Docker的话,你只需要创建数据库的镜像并在每次测试运行一个实例,然后就可以并行的运行多个测试,所以你知道他们是使用同一个数据库快照运行。优于测试是并行执行,并且在Docker容器中他们共用相同的环境,所以应该会更快完成。尝试用虚拟机试试。
回答评论From comments...
Interesting! I suppose I'm still confused by the notion of "snapshot[ting] the OS". How does one do that without, well, making an image of the OS?
很有意思!我现在比较困惑“操作系统的快照”的概念。这如果不用操作系统的镜像怎么做到?
Well, let's see if I can explain. You start with a base image, and then make your changes, and commit those changes using docker, and it creates an image. This image contains only the differences from the base. When you want to run your image, you also need the base, and it layers your image on top of the base using a layered file system: as mentioned above, Docker uses AUFS. AUFS merges the different layers together and you get what you want; you just need to run it. You can keep adding more and more images (layers) and it will continue to only save the diffs. Since Docker typically builds on top of ready-made images from a registry, you rarely have to "snapshot" the whole OS yourself.
好的,我看看我能不能解释。首先你需要有一个基础镜像,然后做一些你自己的改变,并用docker提交这些改变,这样做就新建了一个镜像。这个镜像仅仅包含了基础镜像的不同。但你想要运行你的镜像,你需要基础镜像,并且就像上述的一样,Docker使用了分层式文件系统(AuFS)把你的镜像放在了基础镜像的上面。AuFS把不同层合并在一起,这样你就拿到了你想要的东西。你只需要去运行他。你只需要不断地加新的镜像(层),Docker会继续保存这些不同。由于Docker通常用一个已经存在的镜像开始创建,所以你很少需要自己把操作系统做成快照。
这篇文章大体还是在讲Docker因为共享底层操作系统原因,在可操作性和存储容量,运维
上虚拟机简单的多。我收获的主要是怎么和底层系统搭上关系。因为分层式文件系统的原因
新的镜像在老的镜像上加了一层不同的配置,老的镜像掩盖了操作系统的存在。
