Advanced Java - Simple Understanding of Docker Container Isolation Principles

News 2023-04-17 05:27:54 views: null

foreword

Before starting to read this article, if you don’t know the usage scenarios and concepts of Docker, please read my blog first: Understanding Docker concepts in an easy-to-understand way

After understanding the concept and basic principles of Docker, let's study in depth how Docker's container isolation function is achieved?

Now suppose that in one of our Java projects, it relies on multiple frameworks such as Node, Mysql, Redis, RocketMQ, etc. at the same time. So after each service is packaged into a container, will there be any impact between them? What kind of impact will it have?

Docker container isolation mechanism

1. The containers do not interfere with each other .

From the above, we can understand that a series of services such as Redis, Mysql, Node, and Java programs are packaged into different containers through Docker, so why do we need to do container isolation? The reason is as follows

1.  Each service can see the process of other services, and can also access any local files at will. Based on this situation, if one of the services of the server is invaded, then other services will also be invaded.

2. Different containers are several different special processes on the server, and there will be a relationship between the processes: competition relationship. They will continue to consume server resources. If one of the containers takes up system resources, other services will have a chain reaction and will go down.

In order to avoid the above situation, there must be a so-called " boundary " between containers, so how does Docker keep the boundaries between containers?

There are mainly two ways to use Linux

        2.1 Cgroups

        Provided by the Linux kernel is mainly a technology for allocating resources for processes.

        2.2 NameSpace

        NameSpace is literally translated as a namespace in Chinese, which is like simulating the running environment of the current container, so that the process ID of the current container remains unchanged. And the container can only access a virtual file system that Docker mounts to it . This achieves isolation between containers.

To sum up: NameSpace limits the vision of the container , and Cgroup limits the resources of the container .

2. What is a virtual file system ?

It is actually an independent file system serving containers, also known as " container image " or a more professional term: " rootfs ".

It contains the files , configuration and directories needed by an operating system . But note: it does not contain the system kernel.

Because in Linux, files and the kernel are stored separately. The operating system only loads the kernel when it starts up. This means that all containers will share the kernel of the operating system on the server .

At the same time, rootfs also solves a problem: " reusability ".

Suppose, now we have packaged a Centos container image containing a JavaWeb project, but we need to introduce an Nginx reverse proxy for access later, then do we need to reintegrate and package the container? At this time, a new concept will be introduced: layer.

3. What is a layer?

layer (layer). It is a conceptual one. Every time we make changes to rootfs, we only keep the " incremental " content instead of repackaging a mirror. It also comes from the operation of Linux: union file system (union file system)

4.Docker command extension

1.docker create <image_id>

Explanation: Add a readable and writable layer to the specified image , and build a new container.

Note: The container is not started at this time

2.docker start <container_id>

Explanation: Create a new process isolation space for the container file system.

Note: Each container can only have one process isolation space. It cannot be created multiple times

3.docker run <image_id>

Explanation: A simple understanding is container startup.

Extension : what is the difference between it and docker start? In fact, docker run is a combination of docker create and docker start. It will first use create to create a container using the image, and then run it. Just like git pull is a combined command of fetch and merge.

4.docker ps

Explanation: List all running containers. If you need to see the container that is not running, you need to use docker ps -a.

5.docker commit <container_id>

Explanation: It turns the readable and writable layer in the container into a read-only layer , thus turning the container into an immutable image

Guess you like

Origin blog.csdn.net/qq_33351639/article/details/129197393
Recommended
The sixth meeting of openKylin Community Ecology Committee was successfully held
Alibaba Cloud officially releases Tongyi Qianwen 2.5
Python 3.13 releases first Beta: experimental free-threading mode and JIT, improved interactive interpreter
Stack Overflow used my code to train large AI models and banned my account.
Pop!_OS’s COSMIC desktop completes App Store listing
Report: Django is still the first choice for 74% of developers
"Internet Investment and Financing Operation in the First Quarter of 2024" Research Report
15 years ago, he was on the "FFmpeg pillar of shame", and today he still has to thank us - Tencent QQPlayer avenges its shame?
Ranking
Python handwritten digit recognition, the corresponding mathematical formulas and Detailed procedures
Der M-Chip-Mac implementiert mehrere Android-Emulatoren
CentOS 명령줄 모드에서 화면이 항상 켜져 있도록 설정 ---- 예상한 효과를 얻지 못했습니다.
Teach you step by step how to use GDB to debug programs: a comprehensive guide from entry to mastery
python3 pip ipython installation
A lot of python crawler source code sharing -- talk about the little thing about python crawler
Agile Sprint in Alpha Stage (7)
Access URL in Unity
FunctoinDemo form
MS SQL common SQL statements (6): create, modify, delete triggers and other operations sq
Daily
More
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)

Code World

© 2018 codetd.com