Docker container technology

Seen from the operating system's side, the core technologies that Docker relies on underneath are the Linux kernel's namespaces, control groups, union file systems and Linux virtual networking support.

Basic Architecture

Docker adopts a standard client/server (C/S) architecture, consisting of a server side and a client.

Server side:

The Docker daemon normally runs in the background on the host machine; as the server side it accepts requests from clients and processes them (creating, running and distributing containers). By design the Docker daemon is a loosely coupled architecture that dispatches and manages the various tasks sent by the client through a dedicated Engine module.

Client:

The Docker client provides the user with a set of executable commands, and the user interacts with the server through these commands.

Namespace

Namespaces are a powerful feature introduced by the Linux kernel for container virtualization. Each container can have its own separate namespaces, and the applications running inside behave as if they were running on a separate operating system. Namespaces ensure that containers do not affect each other.

Without namespaces, the operating system's resources (kernel, file system, network, PIDs, UIDs, IPC, memory, disk, CPU and so on) are all shared directly by the application processes.

Linux uses namespaces to let certain processes run in namespaces that are isolated from one another. These processes still share one kernel and part of the runtime environment, but they are invisible to each other: each believes it has the system to itself.

Process namespace
Network namespace
IPC namespace
Mount namespace
UTS namespace
User namespace
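The isolation described above can be observed from user space without any Docker tooling. The following shell script is an added example and not part of the article: it assumes a Linux host with /proc mounted and, for the last step, the util-linux unshare command with unprivileged user namespaces enabled (that step is skipped otherwise). Every process exposes its namespaces as symlinks under /proc/<pid>/ns, and two processes are in the same namespace exactly when the link targets match.

```shell
#!/bin/sh
# Added example: inspect and compare the namespaces of processes via /proc.
# Assumes Linux with /proc; the unshare step needs util-linux `unshare` and
# unprivileged user namespaces (or root) and is skipped when unavailable.

# ns_id PID KIND -> prints the namespace identity, e.g. "net:[4026531840]"
ns_id() {
  readlink "/proc/$1/ns/$2"
}

# ns_shared PID1 PID2 KIND -> exit 0 when both processes share that namespace
ns_shared() {
  [ "$(ns_id "$1" "$3")" = "$(ns_id "$2" "$3")" ]
}

# ns_report PID -> one line per namespace kind the article lists
ns_report() {
  for kind in pid net ipc mnt uts user; do
    printf '%-5s %s\n' "$kind" "$(ns_id "$1" "$kind")"
  done
}

# A normally started child shares every namespace with its parent; a child
# started under `unshare` gets a fresh one. Returns 0 when that difference
# was observed, 1 when the unshare step had to be skipped.
demo_uts_isolation() {
  parent=$(ns_id $$ uts)
  normal_child=$(sh -c 'readlink /proc/$$/ns/uts')
  echo "parent uts:       $parent"
  echo "normal child uts: $normal_child"
  if unshare -Ur -u true 2>/dev/null; then
    # -U new user namespace, -r map our uid to root inside it, -u new UTS ns
    isolated=$(unshare -Ur -u sh -c 'readlink /proc/$$/ns/uts')
    echo "unshared child:   $isolated"
    [ "$isolated" != "$parent" ]
  else
    echo "unprivileged user namespaces unavailable; unshare step skipped"
    return 1
  fi
}

ns_report $$
demo_uts_isolation || true
```

Comparing /proc/<pid>/ns links is also a quick check from the host side: a process whose pid, mnt and net links differ from those of PID 1 is running in its own namespaces, while a container started with host networking will show the same net link as the host.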

Control Group

Control groups (cgroups) are a feature of the Linux kernel used mainly to isolate, limit and account for shared resources. Only by controlling the resources allocated to each container can Docker avoid contention for system resources when many containers run at the same time.

Control groups provide the following functions:
Resource limiting (Limiting): a group can be configured so that its memory usage does not exceed a set limit.
Prioritization: some groups can be given a larger share of CPU and other limited resources by priority.
Accounting: counts how many resources the system actually uses, so that they can be accounted for; the cpuacct subsystem, for example, records the CPU time consumed by a process group.
Isolation: separate namespaces, so that one group cannot see another group's processes, network connections or file systems.
Control: suspending, resuming and restarting groups of processes.
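The limits and accounting counters listed above are exposed to every process through the cgroup file system. The shell script below is an added example, not the article's code; it assumes a Linux host and, for live values, the cgroup v2 hierarchy mounted at /sys/fs/cgroup (each reader prints "unavailable" otherwise). It locates the cgroup a process belongs to and interprets its memory.max, cpu.max and cpu.stat files. On a Docker host the same files live under the container's cgroup, which is where flags such as docker run --memory 256m --cpus 0.5 take effect.

```shell
#!/bin/sh
# Added example: read the cgroup v2 limits and accounting of a process.
# Assumes Linux; cgroup v2 mounted at /sys/fs/cgroup is optional, every
# reader prints "unavailable" when a file is missing.

# Extract the cgroup path from a /proc/<pid>/cgroup line such as
# "0::/system.slice/docker-<id>.scope" (hierarchy id 0 is cgroup v2).
cgroup_path_from_line() {
  printf '%s\n' "$1" | sed -n 's/^0::\(.*\)$/\1/p'
}

# cgroup_path PID -> the v2 cgroup path of that process
cgroup_path() {
  cgroup_path_from_line "$(grep '^0::' "/proc/$1/cgroup" 2>/dev/null)"
}

# cgroup_read PATH FILE -> contents of a controller file, or "unavailable"
cgroup_read() {
  f="/sys/fs/cgroup$1/$2"
  if [ -r "$f" ]; then cat "$f"; else echo unavailable; fi
}

# memory.max is "max" (no limit) or a byte count (resource limiting)
describe_memory_limit() {
  case "$1" in
    max)         echo "no memory limit" ;;
    ''|*[!0-9]*) echo "unknown value: $1" ;;
    *)           echo "limit: $(( $1 / 1048576 )) MiB" ;;
  esac
}

# cpu.max is "<quota> <period>" in microseconds; "max 100000" is unlimited,
# "50000 100000" grants half a CPU's worth of time per period
describe_cpu_limit() {
  quota=${1%% *}
  period=${1#* }
  case "$quota" in
    max)         echo "no CPU limit" ;;
    ''|*[!0-9]*) echo "unknown value: $1" ;;
    *)           LC_ALL=C awk -v q="$quota" -v p="$period" \
                   'BEGIN { printf "limit: %.2f CPUs\n", q / p }' ;;
  esac
}

# cpu.stat carries the accounting counters; usage_usec is the total CPU time
# consumed by the group in microseconds (the v2 counterpart of cpuacct)
cpu_usage_usec() {
  printf '%s\n' "$1" | awk '/^usage_usec / { print $2; found = 1 }
                            END { if (!found) print "unavailable" }'
}

# cgroup_report PID -> human-readable summary for that process
cgroup_report() {
  p=$(cgroup_path "$1")
  echo "cgroup:  ${p:-unavailable}"
  echo "memory:  $(describe_memory_limit "$(cgroup_read "$p" memory.max)")"
  echo "cpu:     $(describe_cpu_limit "$(cgroup_read "$p" cpu.max)")"
  echo "cpu use: $(cpu_usage_usec "$(cgroup_read "$p" cpu.stat)") usec"
}

cgroup_report $$
```

Run inside a container started with a memory limit, the report shows the limit in MiB; run on a host whose containers have no limits set, it shows "no memory limit" for each of them, which is exactly the resource-competition situation the paragraph above warns about.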

Union File System

Union File System (UnionFS) is a lightweight, high-performance layered file system. It records modifications to the file system as commits that are stacked layer upon layer, and at the same time it can mount different directories under one virtual file system. The union file system is the technical basis of Docker images; images can inherit from one another through layers.

When Docker starts a container from an image, it uses the image to allocate a file system and mounts a new read-write layer for the container: the container is created in this file system, and the read-write layer is added on top of the image.
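The lookup rule behind those stacked layers is simple enough to model in a few shell functions. The script below is an added example, not Docker's or overlayfs's code: each layer is a plain directory, a lookup walks from the read-write layer down to the base layer and stops at the first hit, and a ".wh.<name>" marker (the AUFS whiteout convention; overlayfs uses character devices for the same purpose) hides a name from all layers below it. The constructed three-layer stack also shows a point worth remembering when reviewing images: a file "deleted" in a later layer is only hidden from the merged view, its bytes still ship in the lower layer.

```shell
#!/bin/sh
# Added example: a user-space model of union file system lookup, not
# Docker's or overlayfs's code. Each layer is a plain directory; lookups walk
# from the topmost (read-write) layer downwards and stop at the first hit.
# A whiteout marker ".wh.<name>" in a layer hides <name> from every layer
# below it (AUFS naming; overlayfs marks whiteouts with character devices).

# union_resolve NAME LAYER_TOP [LAYER_BELOW ...]
#   prints the layer directory that provides NAME and exits 0,
#   or prints "whiteout" / "absent" and exits 1
union_resolve() {
  name=$1; shift
  for layer in "$@"; do
    if [ -e "$layer/.wh.$name" ]; then echo whiteout; return 1; fi
    if [ -e "$layer/$name" ]; then echo "$layer"; return 0; fi
  done
  echo absent; return 1
}

# union_cat NAME LAYERS... -> the file contents as the merged view shows them
union_cat() {
  name=$1; shift
  layer=$(union_resolve "$name" "$@") || return 1
  cat "$layer/$name"
}

# union_write NAME CONTENT RW_LAYER -> writes always land in the top layer;
# the lower (image) layers stay read-only and are never modified
union_write() {
  printf '%s\n' "$2" > "$3/$1"
}

# Build a constructed three-layer stack under a temporary directory: a base
# image layer, an update layer on top of it, and the container's read-write
# layer. Prints the temporary root.
build_demo_layers() {
  root=$(mktemp -d)
  mkdir -p "$root/base" "$root/update" "$root/rw"
  echo "base config"        > "$root/base/app.conf"
  echo "base binary"        > "$root/base/app"
  echo "key baked at build" > "$root/base/build.key"
  echo "updated config"     > "$root/update/app.conf"   # shadows the base copy
  : > "$root/update/.wh.build.key"                      # "rm build.key" in update
  echo "$root"
}

# Walk through the stack and print what a process in the container would see
demo() {
  root=$(build_demo_layers)
  layers="$root/rw $root/update $root/base"   # split into words on purpose
  for f in app app.conf build.key missing; do
    printf '%-10s -> %s\n' "$f" "$(union_resolve "$f" $layers)"
  done
  union_write note.txt "written at runtime" "$root/rw"
  printf '%-10s -> %s\n' note.txt "$(union_resolve note.txt $layers)"
  # The whiteout only hides build.key from the merged view; the bytes are
  # still present in the base layer and ship with the image.
  [ -e "$root/base/build.key" ] && echo "build.key still present in base layer"
  rm -rf "$root"
}

demo
```

The same rule explains why a secret copied into an image and removed in a later Dockerfile step is still recoverable from the image's layers: removing it adds a whiteout on top rather than erasing the lower layer.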

Docker network implementation

Docker's network implementation utilizes network namespaces and virtual network devices (especially veth pairs) on Linux.

To communicate over a network, a machine needs at least one network interface (physical or virtual) that can send and receive packets to and from the outside world.

By default the network interfaces in Docker are virtual interfaces. Their biggest advantage is forwarding efficiency: Linux forwards data between virtual interfaces by copying it inside the kernel, that is, the packets in the send buffer of the sending interface are copied directly into the receive buffer of the receiving interface, without passing through any external physical network device. To the host system and to the system inside the container, a virtual interface is no different from an ordinary Ethernet card, only much faster.

Docker container networking makes good use of Linux virtual networking technology: it creates one virtual interface on the host and another in the container and lets the two communicate with each other (such a pair of interfaces is called a veth pair).
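To make the veth pair concrete, here is an added shell example that is not Docker's code. It assumes iproute2. The veth_list helper reads ip -o link show output (a constructed host-side sample is embedded, with the default docker0 bridge) and lists the interfaces whose peer lives in another namespace; veth_demo wires up by hand what Docker does for each container: a network namespace, a pair, one end moved inside, addresses on both ends, and a ping that is delivered by in-kernel copying rather than over a physical NIC. The demo needs root and runs only when VETH_DEMO=1 is set.

```shell
#!/bin/sh
# Added example, not Docker's code: how a container's network interface is
# wired with a veth pair. The parsing part runs unprivileged on constructed
# `ip -o link show` output; the setup part assumes iproute2 and root and only
# runs when VETH_DEMO=1 is set.

# Constructed host-side `ip -o link show` output: lo, a physical NIC, the
# docker0 bridge and two veth ends whose peers live in container namespaces
sample_links() {
  cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default \    link/ether 02:42:3a:1b:2c:3d brd ff:ff:ff:ff:ff:ff
5: veth3f1a2b@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default \    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
7: veth9c0d1e@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default \    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 1
EOF
}

# veth_list: read `ip -o link show` lines on stdin and print
# "IFINDEX NAME PEER_IFINDEX" for every interface whose peer sits in another
# namespace (the kernel shows the peer's ifindex as the "@ifN" suffix).
veth_list() {
  awk -F'[ :@]+' '$3 ~ /^if[0-9]+$/ { sub(/^if/, "", $3); print $1, $2, $3 }'
}

# veth_demo: a network namespace standing in for the container, a veth pair,
# one end moved inside, addresses on both ends, and a ping that never touches
# a physical NIC. Needs root (CAP_NET_ADMIN). Everything is removed at the end.
veth_demo() {
  ns="demo$$"; host_if="vh$$"; ctr_if="vc$$"
  ip netns add "$ns"
  ip link add "$host_if" type veth peer name "$ctr_if"
  ip link set "$ctr_if" netns "$ns"                   # container end leaves the host ns
  ip addr add 10.200.0.1/24 dev "$host_if"
  ip link set "$host_if" up
  ip netns exec "$ns" ip addr add 10.200.0.2/24 dev "$ctr_if"
  ip netns exec "$ns" ip link set "$ctr_if" up
  ip netns exec "$ns" ip link set lo up
  ip netns exec "$ns" ping -c 1 -W 1 10.200.0.1       # host reachable via the pair
  echo "host-side pair ends:"; ip -o link show | veth_list
  ip netns del "$ns"                                  # deleting the ns destroys the pair
}

echo "constructed sample:"; sample_links | veth_list
if [ "${VETH_DEMO:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then veth_demo; fi
```

On a real host, ip -o link show | veth_list maps each host-side veth end to the ifindex of its peer inside a container, which is a handy way to tie a busy interface seen in host traffic counters back to the container that owns it.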

Origin http://43.154.161.224:23101/article/api/json?id=326545599&siteId=291194637