01 | Principles of Container Technology


Origin: chroot

In layman's terms, chroot changes the root directory of the current process to a chosen directory, so that the process cannot access directories outside that new root.

Docker is built on three Linux mechanisms: Namespace, Cgroup, and the joint (union) file system.

Namespace

Namespace isolates kernel resources, so that all processes in a container run in a separate namespace and can only access resources in that container's namespace.

Namespace can isolate resources such as process ID, host name, user ID, file name, network access, and inter-process communication.

Docker uses the following 5 namespaces:

  • mnt namespace, file system mount point isolation

  • net namespace, network interface isolation

  • pid namespace, process id isolation

  • ipc namespace, semaphore, message queue and shared memory isolation

  • uts namespace, host name and domain name isolation
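
As an added example (not part of the original post), the check below reports which of the five namespaces listed above a process shares with the host, by comparing the namespace inode numbers that the kernel exposes under /proc/<pid>/ns. The function names and the proc_root parameter are this example's own; reading PID 1's entries normally requires root.

```python
import os
import re
import sys

# The five namespace types listed above, by their /proc/<pid>/ns entry names.
DOCKER_NAMESPACES = ("mnt", "net", "pid", "ipc", "uts")

# Each entry is a symlink whose target looks like "uts:[4026531838]".
NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")


def read_namespaces(pid, proc_root="/proc"):
    """Return {namespace type: inode number} for one process."""
    found = {}
    for ns_type in DOCKER_NAMESPACES:
        link = os.path.join(proc_root, str(pid), "ns", ns_type)
        try:
            target = os.readlink(link)
        except OSError:
            continue  # process exited, or we lack permission to inspect it
        match = NS_LINK.match(target)
        if match and match.group(1) == ns_type:
            found[ns_type] = int(match.group(2))
    return found


def audit(pid, host_pid=1, proc_root="/proc"):
    """Classify each namespace of `pid` relative to the host's init process.

    shared   - same inode as the host: no isolation for that resource
    isolated - different inode: the process has its own namespace
    unknown  - could not be read for one side, so nothing can be concluded
    """
    host = read_namespaces(host_pid, proc_root)
    target = read_namespaces(pid, proc_root)
    report = {"shared": [], "isolated": [], "unknown": []}
    for ns_type in sorted(DOCKER_NAMESPACES):
        if ns_type not in host or ns_type not in target:
            report["unknown"].append(ns_type)
        elif host[ns_type] == target[ns_type]:
            report["shared"].append(ns_type)
        else:
            report["isolated"].append(ns_type)
    return report


if __name__ == "__main__":
    # Usage: python3 nsaudit.py <pid>   (defaults to this process)
    print(audit(sys.argv[1] if len(sys.argv) > 1 else os.getpid()))
```

A container process that appears under "shared" for net or pid was started without that isolation, which is worth flagging in a review.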

Cgroup

Cgroup is a Linux kernel feature that can limit and isolate the resource usage of processes (CPU, memory, disk I/O, network, etc.).

Joint File System

Also called UnionFS, it is a file system that works by creating file layers. Commonly used joint file systems: AUFS, Overlay and Devicemapper.

The joint file system is very light and fast. Docker provides a build layer for the container through the joint file system, so that the container can realize copy-on-write and the layered construction and storage of images.

Conclusion

Docker provides tools and platforms to manage the life cycle of containers:

1. Use containers to develop applications and their supporting components.
2. The container becomes the unit for distributing and testing applications.
3. When ready, the application can be deployed into the production environment as a container or an orchestrated service.

Afterword

The reason Docker took off was the addition of the image feature and the packaging of the image registry, which made image distribution more convenient.

Origin blog.csdn.net/Cirtus/article/details/108792696