Container Technology: chroot and Docker

chroot

Container technology has its origins in chroot, which first appeared in 1979.

Wikipedia defines chroot as follows:

It is an operation on Unix and Linux systems that changes the apparent root directory of the running software process and its child processes. A program that runs in this environment and has its root directory set via chroot cannot access, read, or change files outside the specified root directory.

In layman's terms, chroot changes the root directory of a process so that the program cannot access any directory outside that directory. This is very similar to what we see inside a container. Let's use an example to demonstrate chroot.


chroot example:

1) mkdir rootfs
# Create a directory named rootfs in the current directory

2) cd rootfs
# Enter the rootfs directory

3) docker export $(docker create docker101tutorial) -o docker101tutorial.tar
# Create a container from the docker101tutorial image and export its file system as the archive docker101tutorial.tar
# This is simply a quick way to obtain a directory tree with some binaries to place under rootfs

4) tar -xf docker101tutorial.tar
# Unpack the contents of docker101tutorial.tar into rootfs

5) ls
# List the files now present in the rootfs directory

6) chroot /Users/xiaoqin.wu/rootfs /bin/sh
# Start an sh process that uses /Users/xiaoqin.wu/rootfs as its root directory
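The steps above depend on Docker to fill the rootfs. As an added example (my own code, not from the original post), the script below builds the same kind of rootfs by hand from the host's own /bin/sh and /bin/ls plus the shared libraries ldd reports for them, then enters it with chroot. The directory names, the marker file and the --demo switch are assumptions for the example; chroot itself still needs root.

```shell
#!/bin/sh
# Added example (not from the original post): build a minimal rootfs by hand and
# enter it with chroot. The post fills rootfs with "docker export"; here the
# rootfs is assembled from the host's /bin/sh and /bin/ls plus the shared
# libraries they link against, so it runs without Docker. Paths are assumptions.
set -eu

# Copy one binary into $rootfs together with the shared libraries ldd reports.
copy_with_libs() {
  bin="$1"; rootfs="$2"
  mkdir -p "$rootfs$(dirname "$bin")"
  cp "$bin" "$rootfs$bin"
  # ldd lines look like "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)"
  # or "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep every absolute path.
  if command -v ldd >/dev/null 2>&1; then
    ldd "$bin" 2>/dev/null \
      | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' \
      | while read -r lib; do
          mkdir -p "$rootfs$(dirname "$lib")"
          cp "$lib" "$rootfs$lib"
        done
  fi
}

# Populate $rootfs with a shell, ls, and a marker file that exists only inside.
build_rootfs() {
  rootfs="$1"
  mkdir -p "$rootfs/bin" "$rootfs/etc"
  for b in /bin/sh /bin/ls; do
    if [ -x "$b" ]; then copy_with_libs "$b" "$rootfs"; fi
  done
  echo "inside-the-chroot" > "$rootfs/etc/marker"
}

# A rootfs is usable by chroot only if the program we hand it exists inside.
rootfs_ready() {
  [ -x "$1/bin/sh" ]
}

# Run a command with $rootfs as its root. chroot needs CAP_SYS_CHROOT (root);
# without it, print the command that would run instead of failing.
enter_rootfs() {
  rootfs="$1"; shift
  if [ "$(id -u)" -eq 0 ]; then
    chroot "$rootfs" "$@"
  else
    echo "would run (as root): chroot $rootfs $*"
  fi
}

# Demo: sh ./build_rootfs.sh --demo
if [ "${1:-}" = "--demo" ]; then
  root=$(mktemp -d)
  build_rootfs "$root"
  rootfs_ready "$root" && echo "rootfs ready at $root"
  # Inside the chroot, / is $root: the marker is visible, the host's /etc/hostname is not.
  enter_rootfs "$root" /bin/sh -c 'ls /; cat /etc/marker; ls /etc/hostname 2>&1'
fi
```

Run it with --demo as root to see the same effect as step 6: ls inside the chroot shows only the tree we built, and the host's /etc/hostname is not reachable. Without root the script only prints the chroot command it would have run.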

[image: terminal output of the steps above]

Compare the output of command 5 (ls run on the host in /Users/xiaoqin.wu/rootfs) with the output of command 7 (ls run inside the sh process): the two listings are the same. This shows that chroot has isolated the process's file system from the host, giving us a directory-isolated container. However, it cannot yet be called a real container.

The reason is as follows. Use command 8, netstat -nr, to view the routing table inside the sh process:

[image: netstat -nr output inside the chroot]

The result shows that the network information is not isolated; in fact, at this point processes and other resources are not isolated either. To build a complete container, three more Linux technologies are needed, namely:

  • Namespace

  • Cgroup

  • Union File System (UnionFS)


Docker

In 2013 the appearance of Docker enabled the rapid development of container technology.

Docker builds on three major Linux mechanisms, Namespace, Cgroup and Union File System, to implement containers.

The principle is as follows:

Namespace:

It is a Linux kernel feature that isolates kernel resources, so that all the processes in a container run in their own namespace and can only access the resources that belong to that namespace.

Namespaces can isolate resources such as process IDs, host names, user IDs, file system mount points, network access, and inter-process communication.

Docker mainly uses the following five namespaces:


pid namespace: isolates process IDs.

net namespace: isolates network interfaces. Inside its own net namespace a container has independent IP addresses, routes, ports, etc.

mnt namespace: isolates file system mount points.

ipc namespace: isolates semaphores, message queues and shared memory.

uts namespace: isolates the host name and domain name.

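A process's namespace membership is visible in /proc/<pid>/ns/*, where each entry is a symlink whose target ("uts:[4026531838]" and so on) identifies the namespace. The script below is an added example (my own, not code from the original post) that reads those links to tell whether two processes share a namespace, and, where the kernel allows unprivileged user namespaces, uses util-linux unshare to create a new UTS namespace and show that a hostname change inside it never reaches the host. The --demo switch and the "container-demo" hostname are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): inspect which Linux namespaces a
# process lives in by reading the /proc/<pid>/ns/* links, and, where the kernel
# allows unprivileged user namespaces, create a fresh UTS namespace with
# unshare(1) to show that a hostname change inside it does not reach the host.
# Assumes Linux with /proc mounted; util-linux "unshare" is optional.
set -eu

# Namespace identity of a process: the "kind:[inode]" target of the ns symlink.
# Two processes share a namespace exactly when these strings match.
ns_id() {
  pid="$1"; kind="$2"     # kind is one of pid, net, mnt, ipc, uts, user, cgroup
  readlink "/proc/$pid/ns/$kind"
}

# Exit 0 if both pids share the given namespace kind, 1 otherwise.
shares_ns() {
  [ "$(ns_id "$1" "$3")" = "$(ns_id "$2" "$3")" ]
}

# Print one line per namespace kind for a pid, e.g. "uts uts:[4026531838]".
ns_table() {
  pid="$1"
  for kind in pid net mnt ipc uts; do
    printf '%s %s\n' "$kind" "$(ns_id "$pid" "$kind")"
  done
}

# Try to run a command in new user+UTS namespaces; return 2 if the tool is
# missing or the kernel/seccomp policy refuses, so callers can tell
# "not permitted here" from "the command failed".
in_new_uts_ns() {
  if ! command -v unshare >/dev/null 2>&1; then return 2; fi
  unshare --user --map-root-user --uts sh -c "$1" 2>/dev/null || return 2
}

if [ "${1:-}" = "--demo" ]; then
  echo "namespaces of this shell (pid $$):"; ns_table "$$"
  # Inside the new UTS namespace the hostname can be changed freely ...
  in_new_uts_ns 'hostname container-demo; echo "inside: $(hostname)"; readlink /proc/self/ns/uts' \
    || echo "unprivileged user namespaces are not available here"
  # ... while the host keeps its own name and its own uts inode.
  echo "host: $(hostname)"; ns_id "$$" uts
fi
```

The same comparison is a quick isolation check for a running container: compare `readlink /proc/<container pid>/ns/net` with the host shell's value, and a match means the container was started in the host network namespace (for example with --net=host) rather than an isolated one.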

Cgroups:

It is a Linux kernel feature that limits and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a group of processes. In container implementations, cgroups are usually used to limit the CPU and memory that a container may consume.

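On a cgroup v2 host the limits that apply to a process can be read straight from /sys/fs/cgroup. The script below is an added example (my own, not code from the original post): it finds the cgroup path of the current process from /proc/self/cgroup, reads memory.max and cpu.max for it, and, when run as root, creates a child cgroup with a memory cap and runs a command inside it. It assumes the cgroup v2 unified layout mounted at /sys/fs/cgroup with the memory controller enabled in the root cgroup's subtree_control; the "demo-<pid>" cgroup name and the --demo switch are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): find the cgroup (v2) this process
# belongs to and read the CPU and memory limits applied to it, then, as root on
# a cgroup v2 host, create a cgroup with a memory limit and run a command in it.
# Assumes the unified hierarchy at /sys/fs/cgroup with "memory" enabled in the
# root cgroup.subtree_control.
set -eu

CGROUP_ROOT=/sys/fs/cgroup

# /proc/<pid>/cgroup has one line per hierarchy; on cgroup v2 it is "0::/path".
# Given that file's contents on stdin, print the v2 path (nothing on v1-only hosts).
cgroup_v2_path() {
  awk -F: '$1 == "0" && $2 == "" { print $3; exit }'
}

# Read a limit file such as memory.max or cpu.max for a cgroup path. "max" means
# unlimited; "unavailable" means the file does not exist (v1 host, no controller).
cgroup_limit() {
  path="$1"; file="$2"
  f="$CGROUP_ROOT$path/$file"
  if [ -r "$f" ]; then cat "$f"; else echo unavailable; fi
}

# Turn cpu.max ("<quota> <period>" in microseconds) into a CPU count.
cpu_max_to_cores() {
  quota="${1%% *}"; period="${1##* }"
  case "$quota" in
    max) echo max ;;
    ''|*[!0-9]*) echo unknown ;;
    *) awk -v q="$quota" -v p="$period" 'BEGIN { printf "%.2f", q / p }' ;;
  esac
}

# Root-only: create a child cgroup, cap its memory, run a command inside it.
# Writing the shell's own pid to cgroup.procs moves the command it then execs.
run_in_memory_capped_cgroup() {
  limit="$1"; shift
  cg="$CGROUP_ROOT/demo-$$"
  mkdir "$cg"
  echo "$limit" > "$cg/memory.max"
  sh -c 'echo $$ > "$1/cgroup.procs" && shift && exec "$@"' sh "$cg" "$@"
  rmdir "$cg"
}

if [ "${1:-}" = "--demo" ]; then
  path=$(cgroup_v2_path < /proc/self/cgroup)
  echo "cgroup:     ${path:-<no cgroup v2 path>}"
  echo "memory.max: $(cgroup_limit "$path" memory.max)"
  cpu=$(cgroup_limit "$path" cpu.max)
  echo "cpu.max:    $cpu -> $(cpu_max_to_cores "$cpu") cores"
  if [ "$(id -u)" -eq 0 ] && [ -w "$CGROUP_ROOT/cgroup.procs" ]; then
    run_in_memory_capped_cgroup 64M sh -c 'echo "running in $(cat /proc/self/cgroup)"'
  fi
fi
```

Inside a container started with a memory limit, the demo prints the limit in bytes instead of "max"; a container whose memory.max reads "max" has no cap at all, which is worth checking before trusting a deployment's resource isolation.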

Union file system:

Used to build images and to provide the container's running environment.

The Union File System, also known as UnionFS, is a file system that works by stacking file layers on top of one another, which makes it very light and fast. Docker uses a union file system to provide the build layers of a container, so that containers get copy-on-write semantics and images can be constructed and stored in layers. Commonly used union file systems include AUFS, Overlay and Devicemapper.
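The layering described above can be made concrete without mounting anything. The script below is an added example (my own, not code from the original post) that emulates how a union file system resolves a path across a read-only lower layer (the image) and a writable upper layer (the container): the upper layer shadows the lower one, a write copies the file up before modifying it so the image is never touched, and a deletion leaves an AUFS-style ".wh.<name>" whiteout marker in the upper layer. A root-only helper does the same with a real overlayfs mount. The directory names and the use of the AUFS whiteout convention in the emulation are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): emulate how a union file system
# resolves a path across a read-only lower layer (the image) and a writable
# upper layer (the container), including copy-on-write and AUFS-style
# ".wh.<name>" whiteouts; as root, mount_overlay does it with real overlayfs.
set -eu

# Which layer serves $path? Upper wins; a whiteout in upper hides the lower copy.
union_resolve() {
  lower="$1"; upper="$2"; path="$3"
  base=$(basename "$path"); dir=$(dirname "$path")
  if [ -e "$upper/$path" ]; then echo upper
  elif [ -e "$upper/$dir/.wh.$base" ]; then echo absent
  elif [ -e "$lower/$path" ]; then echo lower
  else echo absent; fi
}

# Copy-on-write: the first write copies the file up from lower to upper, then
# only the upper copy is modified. The lower layer (image) is never touched.
union_append() {
  lower="$1"; upper="$2"; path="$3"; line="$4"
  mkdir -p "$upper/$(dirname "$path")"
  if [ ! -e "$upper/$path" ] && [ -e "$lower/$path" ]; then
    cp "$lower/$path" "$upper/$path"
  fi
  printf '%s\n' "$line" >> "$upper/$path"
}

# Deleting a file: drop any upper copy and leave a whiteout marker in upper
# instead of touching lower. (lower is accepted for symmetry but unused.)
union_delete() {
  upper="$2"; path="$3"
  rm -f "$upper/$path"
  mkdir -p "$upper/$(dirname "$path")"
  : > "$upper/$(dirname "$path")/.wh.$(basename "$path")"
}

# Read through the union: the upper copy if present, else lower, else fail.
union_read() {
  case "$(union_resolve "$1" "$2" "$3")" in
    upper) cat "$2/$3" ;;
    lower) cat "$1/$3" ;;
    *) return 1 ;;
  esac
}

# Root-only: the real thing with overlayfs. Docker's overlay2 driver does
# essentially this, with one lowerdir entry per image layer.
mount_overlay() {
  lower="$1"; upper="$2"; work="$3"; merged="$4"
  mkdir -p "$upper" "$work" "$merged"
  mount -t overlay overlay -o "lowerdir=$lower,upperdir=$upper,workdir=$work" "$merged"
}
```

The same rules explain why a file deleted inside a running container still exists in the image layer on disk: only a whiteout was added to the container's upper layer, and the image layer is shared read-only by every container started from it.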

From the appearance of chroot in 1979 until 2013, Docker added the image feature and packaged an image registry, which made distributing images far more convenient. That is why Docker took off in 2013 and became the representative of container technology.

Source: blog.csdn.net/weixin_41754309/article/details/112101144