Know the world of Docker

Introduction to Docker:

  • Docker is software that runs on Linux and Windows and is used to create, manage, and orchestrate containers.
  • Docker is part of the Moby open source project developed on GitHub.
  • Docker, Inc., based in San Francisco, maintains the Moby open source project as a whole and also provides a commercial edition and a community edition.

[Figure: Docker logo]

Docker runtime and orchestration engine:

  • The Docker engine is the infrastructure tool for running and orchestrating containers. Readers with VMware management experience can compare it to ESXi.
  • ESXi is the core hypervisor for running virtual machines; the Docker engine is the core container runtime for running containers.
  • Other products, from Docker itself and from third parties, are developed and integrated around the Docker engine.

[Figure: products developed and integrated around the Docker engine]

Docker open source project (Moby):

Moby is an open-source project created by Docker to enable and accelerate software containerization.

It provides a "Lego set" of toolkit components, the framework for assembling them into custom container-based systems, and a place for all container enthusiasts and professionals to experiment and exchange ideas. Components include container build tools, a container registry, orchestration tools, a runtime and more, and these can be used as building blocks in conjunction with other tools and projects.

Solomon Hykes, CTO of Docker, explained the move:

According to the design, Moby is aimed at system builders who want to build their own systems based on containers, rather than at application developers, who can use Docker or other container platforms. Participants in the Moby project can choose from a component library derived from Docker, or they can "bring your own components" (BYOC), which can be packaged into a container, and then mix and match all components to create a customized container system.

 

Docker application scenarios:

  • [Microservice architecture] By analyzing and modeling the business of a specific domain, complex business logic is separated into a set of small, specific, loosely coupled and highly autonomous services. The lightweight and uniform deployment of native containers brings new ideas for the unified management, scheduling and deployment of these microservices, greatly reduces the dependencies between services and between versions, and lets the same microservice behave consistently in different environments.

  • [Continuous Integration (CI) and Continuous Delivery/Deployment (CD)] A DevOps platform based on native containers gives users a basic development environment, so developers only need to focus on writing code and spend less effort installing and configuring tools. At the same time, a rich set of container images lets operations staff quickly deploy the services needed for development on the platform, with support for binding services through environment variables. Development, test and production environments are isolated from one another, and environments can be built and recycled quickly, which improves overall efficiency.

  • [Rapid Elastic Scaling] With the help of containers' quick start, rapid deployment, and massive concurrency capabilities, for applications that require large changes in demand and need to quickly start hundreds or even thousands of machines, containers can meet sudden business needs very well.

 

Docker VS VM (virtual machine):

Both containers and virtual machines depend on a host to run. The host can be a notebook, a PC, a Raspberry Pi, a physical server in a data center, or an instance in the public cloud.

In the above example, it is assumed that the host is a physical server that needs to run 4 business applications.

  • [Docker container model] After the server is powered on, the chosen operating system boots. In the Docker world this can be Linux, or a recent version of Windows whose kernel supports container primitives. As in the virtual machine model, the OS claims all hardware resources. On top of the OS, a container engine (such as Docker) is installed. The container engine takes system resources such as the process tree, file system and network stack and carves them into secure, isolated structures called containers. Each container looks like a real operating system, inside which applications can run. Following the earlier assumption that 4 applications must run on the physical machine, 4 containers are created and one application runs in each, as shown in the figure above (left).
  • [VM model] In the virtual machine model, first turn on the physical machine and start the hypervisor boot program. Once the Hypervisor starts, it will occupy all the physical resources on the machine, such as CPU, RAM, storage, and NIC. Hypervisor will then divide these physical resources into virtual resources, and they look exactly the same as real physical resources. The Hypervisor then packages these resources into a software structure called a virtual machine (VM). In this way, users can use these virtual machines and install operating systems and applications in them. As mentioned earlier, we need to run 4 applications on the physical machine, so we need to create 4 virtual machines and install 4 operating systems on the Hypervisor, and then install 4 applications. When the operation is completed, the structure is as shown in the figure above (right side).

Docker summary:

  • Docker is an open source application container engine that supports third-party development and integration.
  • Docker lets developers package an application and its dependencies into a lightweight, portable image, and then publish and deploy it on any popular Linux machine, physical or virtualized.
  • Docker containers are created from Docker images.
  • Docker containers do not conflict with one another, giving process-level isolation.
  • A Docker container has very low performance overhead, uses few resources, starts quickly, and is more lightweight than a VM.

 

[Docker core system]:

  • Container: the running instance, comparable to an object; an independently running application.
  • Image: the template from which a container is created.
  • Warehouse (registry): the place where images are stored, like a dock where containers are kept.

 

[Docker external running architecture diagram]

Docker is a typical client-server (C/S) architecture model. It uses remote APIs to manage and create Docker containers. Commonly used tools on the client side include:

  1. Bash shell (Linux default)
  2. XShell (a powerful secure terminal emulator)
  3. PowerShell (an open source, cross-platform, task-based command-line shell and scripting language built on .NET Core, compatible with cmd)
  4. Windows PowerShell (Windows only, built on .NET, compatible with cmd)

Note: more on pwsh at https://docs.microsoft.com/zh-cn/powershell/scripting/overview?view=powershell-7

[The composition of Docker]

  • Docker image (Image): a template used to create a Docker container.
  • Docker container (Container): an application or a group of applications that run independently.
  • Docker client (Client): uses the Docker API ( https://docs.docker.com/reference/api/docker_remote_api ) to communicate with the Docker daemon from the command line or other tools.
  • Docker host (Host): a physical or virtual machine that runs the Docker daemon and the containers.
  • Docker warehouse (Registry): stores images; it can be understood as a code repository in version control. Docker Hub ( https://hub.docker.com ) provides a huge collection of images for use.
  • Docker Machine: a command-line tool that simplifies installing Docker. With a simple command line, Docker can be installed on platforms such as VirtualBox, DigitalOcean and Microsoft Azure.

 

[Docker daemon communication and security client]

[Figure: configuring the client and the daemon to communicate over the network]

Docker uses a client-server model. The client is a CLI, while the server (the daemon) implements the functionality and exposes a REST API.

The client is called docker (docker.exe on Windows) and the daemon is called dockerd (dockerd.exe on Windows). The default installation puts the client and the daemon on the same host, configured to communicate over a local IPC socket:

  • Linux: /var/run/docker.sock
  • Windows: //./pipe/docker_engine

By convention, port 2375 is used for unencrypted communication between the client and the daemon, and port 2376 for encrypted communication. Unencrypted remote access is fine in a lab, but unacceptable in production. TLS is the solution!
Docker lets users restrict client-daemon communication to secure TLS connections only. This configuration is recommended in production, even on a trusted internal network!
Docker provides two modes of TLS-secured communication between the client and the daemon.

  • Daemon mode: the Docker daemon only accepts connections from authenticated clients.
  • Client mode: the Docker client only connects to a Docker daemon that presents a certificate, and that certificate must be signed by a trusted CA.

Using both modes together provides the highest level of security. The following will use a simple experimental environment to complete the configuration of Docker's daemon-mode and client-mode TLS.
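The daemon-mode and client-mode settings above live in the daemon's daemon.json and in the client's environment. As an added example, not from the original post, here is a small audit of a daemon.json that flags a TCP listener without tlsverify, the plaintext port 2375, or missing certificate paths, shown against a weak and a hardened config; the paths, the 192.0.2.10 address and both configs are constructed for the example.

```python
import json

PLAINTEXT_PORT = "2375"                  # conventional unencrypted port
ANY_INTERFACE = {"", "0.0.0.0", "::", "[::]"}


def audit_daemon_config(config_text: str) -> list:
    """Return findings for a daemon.json text; an empty list means nothing to report."""
    cfg = json.loads(config_text)
    # Without a "hosts" key, dockerd listens only on the local IPC socket.
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])
    tcp_hosts = [h for h in hosts if h.startswith("tcp://")]
    findings = []
    if not tcp_hosts:
        return findings                  # nothing reachable over the network
    if not cfg.get("tlsverify"):
        findings.append("remote API reachable over TCP without tlsverify; "
                        "anyone who can reach the port controls the host")
    else:
        # Daemon mode needs a CA to verify clients plus the daemon's own cert/key.
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify is set but '{key}' is missing")
    for h in tcp_hosts:
        addr, _, port = h[len("tcp://"):].rpartition(":")
        if port == PLAINTEXT_PORT:
            findings.append(f"{h}: 2375 is the conventional plaintext port")
        if addr in ANY_INTERFACE:
            findings.append(f"{h}: daemon bound to every interface")
    return findings


def client_env(daemon_host: str, cert_dir: str) -> dict:
    """Environment a client sets for client-mode TLS (verify the daemon's certificate)."""
    return {"DOCKER_HOST": daemon_host,
            "DOCKER_TLS_VERIFY": "1",
            "DOCKER_CERT_PATH": cert_dir}   # directory holding ca.pem, cert.pem, key.pem


# Constructed sample configs for the example (not from the original page).
WEAK_CONFIG = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://192.0.2.10:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/certs/ca.pem",
    "tlscert": "/etc/docker/certs/server-cert.pem",
    "tlskey": "/etc/docker/certs/server-key.pem",
})

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(text) or ["ok"])
```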

 

[Application containerized construction process]:

Parts of the above are referenced from:

Source: blog.csdn.net/ChaITSimpleLove/article/details/105184261