A brief history of containers

1979-Unix V7 chroot
In 1979, AT&T's Bell Labs released the famous Unix System Version 7. To address the compatibility problems caused by inconsistent ABIs (application binary interfaces) between pieces of software, the chroot command was introduced. It changes the root directory, and everything below it, to a new location in the file system that only specific processes can access, giving each process its own isolated region of disk space. In 1982, Bill Joy, the founder of Sun, added it to BSD and fixed the security vulnerabilities of chroot in BSD. Since then, many people have built basic isolation programs on top of chroot.

2000-FreeBSD Jails
FreeBSD Jails are positioned similarly to chroot, but they add a process sandbox mechanism that isolates resources such as the file system, users, and the network. Each jail can therefore be given its own IP address, its own installed software packages and even its own configuration. Jails give the FreeBSD system a simple security isolation mechanism; the disadvantage is that this simple isolation also limits how flexibly an application inside a jail can access system resources.

2004-Solaris Zones
Solaris Zones create a virtual layer for applications, letting them run in an isolated zone and enabling effective resource management. Each zone has its own file system, process space, firewall, network configuration and so on. Solaris Zones were the first to truly introduce the concept of container resource management: a certain amount of resources is configured for a zone when the application is deployed, and this limit can be modified dynamically according to the zone's load while it runs, taking effect immediately. When other zones do not need their resources, those resources automatically shift to the zone that needs them; the handover is instant and requires no manual intervention, maximizing resource utilization. If necessary, certain resources can also be reserved for a single zone.

2001-2007-LXC
In 2001, with Jacques Gélinas' VServer project, isolated environments entered the Linux field. Paul Menage of Google developed cgroup technology on top of this container foundation, and it was merged into the Linux 2.6.24 kernel in 2007. From this grew LXC (Linux Containers), whose functions are realized through cgroups and Linux namespaces; it is also the first complete implementation of Linux container management. Before LXC appeared, Linux-VServer, OpenVZ and FreeVPS already existed. Although these technologies are mature, none of them had integrated their container support into the mainstream Linux kernel. Compared with other container technologies, LXC runs on the stock Linux kernel without any additional patches. Currently the LXC project is sponsored and hosted by Canonical Ltd. LXC uses the following core functional modules:

  1. Kernel namespaces (ipc, uts, mount, pid, network and user)
  2. Apparmor and SELinux profiles
  3. Seccomp policies
  4. Chroots (using pivot_root)
  5. Kernel capabilities
  6. CGroups (control groups)
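As an added example (not code from the original post), this is what item 3, a seccomp policy, looks like at the kernel interface: a seccomp-BPF filter of the kind a container runtime loads before exec'ing the container's init, which checks the syscall architecture and then makes one syscall (mkdirat, chosen only for demonstration) fail with EPERM while allowing everything else. It assumes a Linux x86_64 or aarch64 host; the function names and the /tmp path are my own.

```c
/* Added example (not from the page): a minimal seccomp-BPF policy of the kind
 * LXC/Docker install before exec'ing a container's init. Names are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#define DEMO_ARCH AUDIT_ARCH_X86_64   /* assumes x86_64 on any other build */
#endif
/* Deny mkdirat (picked only for demonstration) with EPERM and allow all else.
 * Returns 0 on success, -1 (errno set) if the kernel refuses the filter. */
int install_deny_mkdirat(void)
{
    struct sock_filter prog[] = {
        /* Check the arch first: syscall numbers differ per architecture. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Then match the syscall number: EPERM for mkdirat, allow otherwise. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_mkdirat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    /* Unprivileged processes may only load a filter after no_new_privs is set. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
/* Issue the syscall directly; return the errno the kernel reports (0 = allowed). */
int probe_mkdirat(void)
{
    if (syscall(SYS_mkdirat, AT_FDCWD, "/tmp/seccomp-demo-dir", 0700) != 0)
        return errno;
    rmdir("/tmp/seccomp-demo-dir");   /* constructed path: clean up if it was allowed */
    return 0;
}
int main(void)
{
    return (install_deny_mkdirat() == 0 && probe_mkdirat() == EPERM) ? 0 : 1;
}
```

Once loaded, the filter is inherited by every child of the process and cannot be removed, which is why runtimes install it as the last step before exec.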

2013-Docker
The Docker project was originally created by a platform-as-a-service vendor called DotCloud, which later renamed itself Docker. Before 1.8, Docker used Linux Containers (LXC) directly; it then abstracted its own libcontainer layer, supporting multiple container technologies and using LXC by default. Unlike other container platforms, Docker introduced a whole ecosystem around container management: an efficient layered container image model, global and local container registries, a simplified REST API, a command line interface, and so on.
Extended reading: the static file is called an image, and what docker run starts from it is called a container.

1. Common docker commands

  • a. Prepare a Dockerfile [Dockerfile syntax explanation of Docker]
  • b. Build the image: docker build -t <image name>:<version> <Dockerfile directory>, for example:
    # The Dockerfile is in the current directory, so a dot is used for its path
    docker build -t base-jdk:8 .

  • c. Pull the image: docker pull <image name>:<version>
    # If no version is given, the default is latest
    docker pull nginx

  • d. Run the image: docker run <image name>:<version>
    # If no version is given, the default is latest
    docker run nginx
    # With automatic restart, a host port mapped to the container and a host directory mounted into it
    docker run --restart=always --privileged -p 9095:500/udp -v /etc/nginx/:/etc/nginx/conf -d nginx
    (--privileged grants the container every capability and access to the host's devices, which removes most of the isolation that the namespaces, capabilities and seccomp policies described above provide.)
  • e. View all containers on the machine: docker ps (the first column is the container ID)
  • f. View a container's logs: docker logs -f <container ID> (find the ID via docker ps)
  • g. Connect to a container and execute a command: docker exec -ti <container ID> /bin/bash (for Alpine images: /bin/sh)
  • h. View the complete information of a container: docker inspect <container ID>
  • i. Other less commonly used commands: docker system prune (removes unused images, intermediate image layers generated during builds, and stopped containers)
  • j. Complete docker run parameters:

    -a: specify which standard streams to attach; STDIN, STDOUT or STDERR can be selected;
    -d: run the container in the background and return the container ID;
    -i: run the container in interactive mode, usually used together with -t;
    -p: port mapping, in the format host port:container port;
    -t: allocate a pseudo terminal for the container, usually used together with -i;
    --name="nginx-lb": specify a name for the container;
    --dns 8.8.8.8: specify the DNS server used by the container; the default is the same as the host;
    --dns-search <search domain>: specify the container's DNS search domain; the default is the same as the host;
    -h "mars": specify the hostname of the container;
    -e username="ritchie": set an environment variable;
    --env-file=[]: read environment variables from the specified file;
    --cpuset="0-2" or --cpuset="0,1,2": bind the container to the specified CPUs;
    -m: set the maximum memory usage of the container;
    --net="bridge": specify the container's network connection type; four types are supported: bridge, host, none and container:<name|id>;
    --link=[]: add a link to another container;
    --expose=[]: expose a port or a range of ports;



Origin blog.51cto.com/14957687/2550556