Docker Overview

Original article. When reposting, please credit the source: http://agilestyle.iteye.com/blog/2354828

 

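Goals of Docker

  • Provide a simple, lightweight way to model applications
  • Logical separation of responsibilities
  • A fast, efficient development life cycle
  • Encourage the use of service-oriented architecture

Docker use cases

  • Develop, test, and deploy services using Docker containers
  • Create isolated runtime environments
  • Set up test environments
  • Build multi-user platform-as-a-service (PaaS) infrastructure
  • Deliver software-as-a-service (SaaS) applications
  • High-performance, very large-scale host deployments

Basic components of Docker

Docker Client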

The Docker client, in the form of the docker binary, is the primary user interface to Docker. It accepts commands and configuration flags from the user and communicates with a Docker daemon. One client can even communicate with multiple unrelated daemons.

Docker Daemon

The Docker daemon runs on a host machine. The user uses the Docker client to interact with the daemon.

  • Client/server (C/S) architecture
  • Local/remote

 

Docker Image

A Docker image is a read-only template with instructions for creating a Docker container. For example, an image might contain an Ubuntu operating system with Apache web server and your web application installed. You can build or update images from scratch or download and use images created by others. An image may be based on, or may extend, one or more other images. A Docker image is described in a text file called a Dockerfile, which has a simple, well-defined syntax.

  • The foundation of containers
  • Layered, read-only file systems
  • Union mount

 

Docker Container

A Docker container is a runnable instance of a Docker image. You can run, start, stop, move, or delete a container using Docker API or CLI commands. When you run a container, you can provide configuration metadata such as networking information or environment variables. Each container is an isolated and secure application platform, but can be given access to resources running in a different host or container, as well as persistent storage or databases.

  • Started from an image
  • Startup and execution phases
  • Copy on write


 

Docker Registry

A Docker registry is a library of images. A registry can be public or private, and can be on the same server as the Docker daemon or Docker client, or on a totally separate server.

  • Public
  • Private
  • Docker Hub

Docker’s architecture

Docker uses a client-server architecture. The Docker client talks to the Docker daemon, which does the heavy lifting of building, running, and distributing your Docker containers. The Docker client and daemon can run on the same system, or you can connect a Docker client to a remote Docker daemon. The Docker client and daemon communicate using a REST API, over UNIX sockets or a network interface.


Note:

The Docker Client is used to access the Docker Daemon and, through it, to operate Docker Containers. A Docker Container is created from a Docker Image, and Docker Images are stored in a Docker Registry.

 

Docker Underlying Technology

Namespaces: isolation of system resources

Docker uses a technology called namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container.

These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace.

Docker Engine uses namespaces such as the following on Linux:

  • The pid namespace: Process isolation (PID: Process ID).
  • The net namespace: Managing network interfaces (NET: Networking).
  • The ipc namespace: Managing access to IPC resources (IPC: InterProcess Communication).
  • The mnt namespace: Managing filesystem mount points (MNT: Mount).
  • The uts namespace: Isolating kernel and version identifiers (UTS: Unix Timesharing System).
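
To check the isolation described above on a Linux host, the following added example (not from the original post or from Docker) compares the /proc/<pid>/ns links of two processes across the five namespaces listed. The function names and the sample inode numbers are assumptions made for illustration.

```python
import os

# The five namespaces the page lists for Docker Engine on Linux.
NAMESPACES = ("pid", "net", "ipc", "mnt", "uts")

def parse_ns_link(link):
    """Turn a link target such as 'pid:[4026531836]' into its inode number.
    Returns None when the text does not have that shape."""
    kind, sep, rest = link.partition(":")
    if not sep or not kind or not (rest.startswith("[") and rest.endswith("]")):
        return None
    inode = rest[1:-1]
    return int(inode) if inode.isdecimal() else None

def read_ns_links(pid="self", proc="/proc"):
    """Read /proc/<pid>/ns/<name> for each namespace. Unreadable entries
    (non-Linux host, insufficient privileges) are left out."""
    links = {}
    for name in NAMESPACES:
        try:
            links[name] = os.readlink(os.path.join(proc, str(pid), "ns", name))
        except OSError:
            pass
    return links

def compare_namespaces(host_links, container_links):
    """Label each namespace 'isolated', 'shared' or 'unknown'.
    Two processes are in the same namespace when the inode numbers match."""
    report = {}
    for name in NAMESPACES:
        h = parse_ns_link(host_links.get(name, ""))
        c = parse_ns_link(container_links.get(name, ""))
        if h is None or c is None:
            report[name] = "unknown"
        else:
            report[name] = "shared" if h == c else "isolated"
    return report

# Constructed sample link targets (inode numbers are made up): a host process
# and a container process that still shares the host's net namespace.
SAMPLE_HOST = {"pid": "pid:[4026531836]", "net": "net:[4026531992]",
               "ipc": "ipc:[4026531839]", "mnt": "mnt:[4026531840]",
               "uts": "uts:[4026531838]"}
SAMPLE_CONTAINER = {"pid": "pid:[4026532301]", "net": "net:[4026531992]",
                    "ipc": "ipc:[4026532300]", "mnt": "mnt:[4026532298]"}

if __name__ == "__main__":
    print(compare_namespaces(SAMPLE_HOST, SAMPLE_CONTAINER))
    # Live check: PID 1 versus this process (reading PID 1 usually needs root).
    print(compare_namespaces(read_ns_links(1), read_ns_links("self")))
```

A "shared" result for a container process means that aspect of the container is not separated from the host, and "unknown" means the link could not be read and should be rechecked with sufficient privileges.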

Control groups: used to allocate resources; originated at Google

Docker Engine on Linux also relies on another technology called control groups (cgroups). A cgroup limits an application to a specific set of resources. Control groups allow Docker Engine to share available hardware resources to containers and optionally enforce limits and constraints. For example, you can limit the memory available to a specific container.

  • Resource limiting
  • Prioritization
  • Resource accounting
  • Resource control

Union file systems

Union file systems, or UnionFS, are file systems that operate by creating layers, making them very lightweight and fast. Docker Engine uses UnionFS to provide the building blocks for containers. Docker Engine can use multiple UnionFS variants, including AUFS, btrfs, vfs, and DeviceMapper.

Container format

Docker Engine combines the namespaces, control groups, and UnionFS into a wrapper called a container format. The default container format is libcontainer. In the future, Docker may support other container formats by integrating with technologies such as BSD Jails or Solaris Zones.

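Capabilities of Docker containers

  • File system isolation: each container has its own root file system
  • Process isolation: each container runs in its own process environment
  • Network isolation: virtual network interfaces and IP addresses are kept separate between containers
  • Resource isolation and grouping: cgroups are used to allocate resources such as CPU and memory to each Docker container independently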

Reference

https://docs.docker.com/engine/understanding-docker/

Reposted from agilestyle.iteye.com/blog/2354828