Docker: underlying isolation mechanisms and network types

1. Why isolation?

        Docker needs isolation to achieve the core goal of containerization: packaging an application together with its dependencies into an independent container so that it runs the same way in any environment. Isolation also keeps one container's processes, files and resource consumption from affecting another's, which simplifies developing, deploying and managing applications while improving security and the efficiency of resource management.

2. Underlying isolation mechanisms

        1. Namespaces. A namespace is an isolation mechanism provided by the Linux kernel. It gives different processes separate views of a resource, so that each group of processes appears to run in its own environment. Each namespace type isolates one kind of resource: process IDs, the network stack, mount points, the hostname, and so on.

        Docker creates a fresh set of namespaces for each container: a PID namespace, a network namespace, a mount namespace, a UTS namespace (hostname), an IPC namespace and, on cgroup v2 hosts, a cgroup namespace. Processes inside the container therefore run without seeing or interfering with other containers. Note that by default Docker does not create a user namespace: unless the daemon is configured with user-namespace remapping, root inside a container is uid 0 on the host. All containers also share the host kernel, so a kernel vulnerability reachable from inside a container is a potential escape.

        2. cgroups, short for control groups. A control group is a Linux kernel feature used to limit, account for and prioritize the resource usage of a group of processes. cgroups let a set of processes be bound to resource limits such as CPU share, memory, block I/O and, combined with traffic control, network bandwidth. Namespaces decide what a container can see; cgroups decide how much it can consume. Without limits such as docker run --memory or --cpus, one container can exhaust the host's memory or CPU for every other container on the host.

        3. LXC. The core idea of LXC (Linux Containers) is to use the kernel's namespaces and control groups to implement container isolation and resource management. Each container gets its own process space, network space and file system view, giving an isolation effect comparable to a traditional virtual machine at a much lower overhead. Early versions of Docker used LXC as their execution driver; since Docker 0.9 the default has been Docker's own library, libcontainer, which lives on today as the runc runtime invoked through containerd, but the building blocks are still the same namespaces and cgroups. The comparison with virtual machines has a limit: every container shares the host kernel, so the container boundary is a set of kernel features, not a hypervisor boundary.
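The namespace and cgroup facts above can be checked directly from /proc. The script below is an added example, not code from the original post or from Docker: it compares the namespace inodes of two processes (the kernel exposes them as /proc/<pid>/ns/<type> symlinks), reports which namespaces a container shares with the host, and reads the cgroup v2 memory.max cap for a process. The HOST_NS and CONTAINER_NS dictionaries are constructed sample data for a default docker run without user-namespace remapping; the path layout assumes a cgroup v2 host mounted at /sys/fs/cgroup.

```python
"""Check a process's isolation from /proc: which namespaces it shares with the
host, and whether its cgroup actually caps memory (added example)."""
import os
import re

NAMESPACE_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

# /proc/<pid>/ns/<type> is a symlink to a target like "net:[4026531840]"; two
# processes are in the same namespace exactly when the bracketed inode is equal.
_NS_LINK = re.compile(r"^(?P<name>\w+):\[(?P<inode>\d+)\]$")

def parse_ns_link(target):
    """Split 'net:[4026531840]' into ('net', '4026531840')."""
    m = _NS_LINK.match(target.strip())
    if not m:
        raise ValueError("unexpected namespace link target: %r" % target)
    return m.group("name"), m.group("inode")

def read_namespaces(pid):
    """Return {type: inode} for a PID; {} where /proc is missing (non-Linux)."""
    base = "/proc/%d/ns" % pid
    found = {}
    if not os.path.isdir(base):
        return found
    for ns_type in NAMESPACE_TYPES:
        try:
            _, inode = parse_ns_link(os.readlink(os.path.join(base, ns_type)))
        except OSError:  # older kernel without this type, or no permission
            continue
        found[ns_type] = inode
    return found

def self_namespaces():
    return read_namespaces(os.getpid())

def shared_namespaces(a, b):
    """Namespace types in which both processes have the same inode."""
    return {t for t in a if t in b and a[t] == b[t]}

# Why each shared namespace matters, and the docker run flag that causes it.
_SHARED_RISK = {
    "pid": "host processes are visible and signalable (--pid=host)",
    "net": "host interfaces and ports are directly usable (--net=host)",
    "ipc": "host shared memory and semaphores are reachable (--ipc=host)",
    "uts": "the container can rename the host (--uts=host)",
    "mnt": "the host mount table is shared",
    "user": "root inside is root on the host (no --userns-remap)",
}

def isolation_warnings(container_ns, host_ns):
    """One line per namespace the container shares with the host."""
    return ["%s namespace shared with host: %s" % (t, _SHARED_RISK[t])
            for t in sorted(shared_namespaces(container_ns, host_ns))
            if t in _SHARED_RISK]

def parse_proc_cgroup(text):
    """Cgroup path from /proc/<pid>/cgroup: the single '0::/path' line on
    cgroup v2, or the line listing the memory controller on v1."""
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        hierarchy, controllers, path = parts
        if (hierarchy == "0" and controllers == "") or "memory" in controllers.split(","):
            return path
    return None

def parse_memory_max(text):
    """cgroup v2 memory.max: 'max' means no limit at all (returned as None)."""
    text = text.strip()
    return None if text == "max" else int(text)

def cgroup_memory_limit(pid, cgroup_root="/sys/fs/cgroup"):
    """Memory cap for a PID on a cgroup v2 host; None if unlimited or unreadable."""
    try:
        with open("/proc/%d/cgroup" % pid) as f:
            path = parse_proc_cgroup(f.read())
        with open(cgroup_root + path + "/memory.max") as f:
            return parse_memory_max(f.read())
    except (OSError, TypeError, ValueError):
        return None

# Constructed sample: a default `docker run` (no user-namespace remapping)
# gets fresh inodes for every namespace type except user.
HOST_NS = {"cgroup": "4026531835", "ipc": "4026531839", "mnt": "4026531840",
           "net": "4026531992", "pid": "4026531836", "user": "4026531837",
           "uts": "4026531838"}
CONTAINER_NS = {"cgroup": "4026532254", "ipc": "4026532252", "mnt": "4026532250",
                "net": "4026532255", "pid": "4026532253", "user": "4026531837",
                "uts": "4026532251"}

if __name__ == "__main__":
    for warning in isolation_warnings(CONTAINER_NS, HOST_NS):
        print("WARN", warning)
    print("memory cap for this process:", cgroup_memory_limit(os.getpid()))
```

To use it against a real container, run read_namespaces() on the container's init PID (docker inspect -f '{{.State.Pid}}' <name>) and on PID 1 of the host; the constructed sample produces a single warning about the shared user namespace, while a container started with --pid=host --net=host would add pid and net to the list. A memory.max of "max" on the container's cgroup means no --memory limit was set.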

3. Docker network types

        Docker provides several network modes for controlling communication between containers and between containers and external networks. Each mode has different characteristics and suitable scenarios. The common ones are:

  1. Bridge mode (bridge): Docker's default network mode. The Docker host creates a virtual bridge named docker0, and each container is attached to it through a veth pair, one end inside the container's network namespace and the other on the bridge. Containers on the bridge can reach each other, and reach the outside world through the host's network interface via NAT; inbound connections from outside reach a container only on ports explicitly published with -p. This mode suits scenarios where containers should be isolated from the host's network stack while still being able to talk to external networks. Two caveats: on the default bridge every container can talk to every other unless the daemon is started with --icc=false, and -p 8080:80 publishes on all host interfaces unless a host address is given (-p 127.0.0.1:8080:80).


  2. Host mode (host): the container uses the host's network stack directly and shares the network namespace with the host. The container's network is exactly the host's: it sees every host interface, can bind any host port, and can connect to services listening on the host's loopback; port publishing with -p has no effect. Host mode suits situations that require maximum network performance, but it removes network isolation between the container and the host.

  3. No-network mode (none): the container gets its own network namespace containing only the loopback interface, so it cannot communicate with other containers or with external networks. This mode suits special scenarios such as running tasks inside the container that need no network, and it is the strongest network isolation Docker offers.


  4. Container mode (container:<name or id>): the newly created container shares a network namespace with an existing container rather than with the host. It gets no network interface or IP address of its own; it shares the specified container's IP address, port range and routing. Apart from the network, the two containers remain isolated in other respects, such as file systems and process lists. Processes in the two containers can communicate over the shared loopback interface, which also means a service in one container that binds to 127.0.0.1 expecting it to be private is reachable from the other.


  5. Overlay mode (overlay): an overlay network spans multiple Docker hosts and connects containers running on different hosts; it is usually used for distributed applications in Swarm mode. Traffic between hosts is tunnelled over VXLAN and is not encrypted by default; creating the network with --opt encrypted turns on IPsec for the data plane.

        Each network mode has its own applicable scenarios, advantages and disadvantages; choosing the right one depends on the application's requirements and design goals. From a security standpoint, prefer a user-defined bridge network per application, bind published ports to a specific host address, and reserve host and container modes for cases that genuinely need them.
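A practical way to apply the distinctions above is to audit running containers for the modes that share a network namespace or expose ports on every interface. The script below is an added example, not part of the original post or of Docker; it reads the HostConfig.NetworkMode and HostConfig.PortBindings fields that docker inspect emits and classifies each container. SAMPLE_INSPECT is constructed in the shape of docker inspect output, trimmed to the keys the script uses, and the container names and the peer ID 3f2a9c1d7e4b are made up.

```python
"""Classify each container's network mode from `docker inspect` output and
flag the modes that weaken network isolation (added example)."""
import json

# Constructed sample shaped like `docker inspect web agent sidecar batch api`,
# keeping only the keys this script reads.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"NetworkMode": "bridge",
                    "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}]}},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}},
    {"Name": "/agent",
     "HostConfig": {"NetworkMode": "host", "PortBindings": {}},
     "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}}},
    {"Name": "/sidecar",
     "HostConfig": {"NetworkMode": "container:3f2a9c1d7e4b", "PortBindings": {}},
     "NetworkSettings": {"Networks": {}}},
    {"Name": "/batch",
     "HostConfig": {"NetworkMode": "none", "PortBindings": {}},
     "NetworkSettings": {"Networks": {"none": {"IPAddress": ""}}}},
    {"Name": "/api",
     "HostConfig": {"NetworkMode": "backend", "PortBindings": {}},
     "NetworkSettings": {"Networks": {"backend": {"IPAddress": "10.0.1.5"}}}},
])

# An empty HostIp in PortBindings means "every interface", same as 0.0.0.0.
WILDCARD_HOST_IPS = ("", "0.0.0.0", "::")

def classify(network_mode):
    """Map HostConfig.NetworkMode to one of the modes described above."""
    if network_mode == "host":
        return "host"
    if network_mode == "none":
        return "none"
    if network_mode.startswith("container:"):
        return "container"
    if network_mode in ("bridge", "default"):
        return "bridge"
    # Any other value names a user-defined network; whether it is a bridge or
    # an overlay is decided by that network's driver (`docker network inspect`).
    return "user-defined"

def wildcard_publications(host_config):
    """Published ports bound to every host interface rather than one address."""
    hits = []
    for port, bindings in (host_config.get("PortBindings") or {}).items():
        for binding in bindings or []:
            if binding.get("HostIp", "") in WILDCARD_HOST_IPS:
                hits.append((port, binding.get("HostPort", "")))
    return hits

def audit(inspect_json):
    """Return (container, kind, finding) triples worth a reviewer's attention."""
    findings = []
    for container in json.loads(inspect_json):
        name = container["Name"].lstrip("/")
        mode = container["HostConfig"]["NetworkMode"]
        kind = classify(mode)
        if kind == "host":
            findings.append((name, kind,
                "shares the host's network namespace: it can bind any host port "
                "and reach services listening on the host's loopback"))
        elif kind == "container":
            peer = mode.split(":", 1)[1]
            findings.append((name, kind,
                "shares the network namespace of container %s, loopback included" % peer))
        elif kind in ("bridge", "user-defined"):
            for port, host_port in wildcard_publications(container["HostConfig"]):
                findings.append((name, kind,
                    "port %s published on all host interfaces as host port %s"
                    % (port, host_port)))
    return findings

if __name__ == "__main__":
    for name, kind, text in audit(SAMPLE_INSPECT):
        print("%-8s %-12s %s" % (name, kind, text))
```

Feeding it real output (docker inspect $(docker ps -q)) instead of SAMPLE_INSPECT turns it into a quick review of a host: the "none" container produces nothing, the host and container:<id> containers are flagged because they share a network namespace, and the bridge container is flagged only because its port binding has an empty HostIp.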


Origin blog.csdn.net/m0_53891399/article/details/132394749