Overview of Docker Notes (1)

I. Overview

1. Docker’s predecessor, LXC

LXC is the abbreviation of Linux Container. It provides lightweight virtualization that isolates processes and resources without the instruction interpretation and other complexity of full virtualization; it is analogous to a namespace in C++. Containers effectively partition the resources managed by a single operating system into isolated groups, so that conflicting resource demands between those groups can be balanced.

2. The relationship between LXC and Docker

Docker is not a substitute for LXC. The bottom layer of Docker was originally implemented using LXC. LXC sandboxes Linux processes so that they are isolated from each other, and it controls the resource allocation of each process. On top of LXC, Docker provides a series of more powerful functions.

3. What is Docker

Docker is an open source application container engine, written in Go and released under the Apache 2.0 license. It uses Linux kernel technologies such as cgroups, namespaces, and a Union FS of the OverlayFS kind to encapsulate and isolate processes, so it is virtualization at the operating-system level. The initial implementation was based on LXC; from version 0.7 LXC was removed and replaced by the self-developed libcontainer. Starting from 1.11, it further evolved to use runC and containerd.


runc is a Linux command line tool for creating and running containers according to the OCI Container Runtime Specification.

containerd is a daemon that manages the container life cycle and provides a minimal set of functions to execute containers and manage images on a node.

Containers use a sandbox mechanism throughout and have no interfaces to each other (much like apps on an iPhone), and container overhead is extremely low.

4. Docker application scenarios

  • Automated packaging and publishing of web applications.

  • Automated testing and continuous integration and release.

  • Deploy and tune databases or other back-end applications in service-based environments.

  • Build your own PaaS environment by compiling from scratch or extending an existing OpenShift or Cloud Foundry platform.

5. Advantages of Docker

  • Flexible: Even the most complex applications can be containerized.

  • Lightweight: Containers utilize and share the host kernel.

  • Interchangeable: Updates and upgrades can be deployed instantly.

  • Portable: Can be built locally, deployed to the cloud, and run anywhere.

  • Scalable: Container replicas can be added and automatically distributed.

  • Stackable: You can stack services vertically and instantly.

7. What has Docker changed?

  • Product Oriented: Product Delivery

  • Development-oriented: Simplify environment configuration

  • Test-oriented: multi-version testing

  • Operation-oriented: environmental consistency

  • Architecture-oriented: automated expansion (microservices)

8. Docker engine


  • Server is a resident process

  • REST API implements the interaction protocol between client and server

  • CLI implements container and image management and provides users with a unified operating interface

9. Docker architecture

Docker uses a C/S architecture, and the Client communicates with the Server process through the interface to build, run and publish the container. The client and server can run in the same cluster, or they can communicate remotely across hosts.


To put it simply, running a program with Docker means using the remote API to pull an image from the repository (registry) to the local host and then running that image as a container.

build: build the image.

ship: transport the image between the repository and the host.

run: run the image as a container.

Build, ship and run correspond one-to-one to images, repositories and containers.

10. Three important concepts of docker

Image:

The operating system is divided into kernel and user space. On Linux, after the kernel starts, the root file system is mounted to provide user-space support. A Docker image (Image) is equivalent to a root file system. For example, the official image ubuntu:18.04 contains a complete root file system of a minimal Ubuntu 18.04 system.

A Docker image is a special file system. In addition to providing the programs, libraries, resources, configuration and other files required at container runtime, it also contains some configuration parameters prepared for runtime (such as anonymous volumes, environment variables, users, etc.). The image does not contain any dynamic data, and its content will not change after it is built.

Tiered storage:

Because the image contains the complete root file system of an operating system, it is often very large. Therefore Docker was designed to make full use of Union FS technology with a layered storage architecture. Strictly speaking, an image is not a packaged file like an ISO. An image is a virtual concept: it is not made up of a single file but of a set of file systems, in other words a combination of multiple file-system layers.

When the image is built, it is built layer by layer, with each layer being the basis of the next. Once a layer is constructed it never changes again; any change in a later layer happens only within that layer. For example, deleting a file that came from a previous layer does not actually delete the file from that layer; it only marks the file as deleted in the current layer. When the final container runs, the file is not visible, but it still travels with the image. Therefore, when building an image, you need to be extra careful: each layer should contain only what needs to be added in that layer, and anything extra should be cleaned up before the construction of the layer is completed.

The characteristics of tiered storage also make it easier to reuse and customize images. You can even use the previously built image as the base layer, and then further add new layers to customize what you need and build a new image.
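The layering rule above (a deletion in a later layer only hides a file, it does not remove it from the lower layer) is easiest to see in a small model. The following is an added example, not code from the original post or from Docker: it simulates a union file system as a stack of layers where a deleted path is recorded as a whiteout marker, and contrasts the merged view a container sees with a scan over every layer, which is how an image scanner finds a secret that was "removed" in a later build step. The layer contents, including the deploy key, are constructed for the example.

```python
"""Model of Docker's layered (Union FS) image storage.

Added example, not the post's own code. Each layer is a dict of
path -> bytes; mapping a path to WHITEOUT in a layer means "deleted
at this layer", which leaves the lower layer's copy untouched.
"""
from typing import Dict, List, Optional

WHITEOUT = None          # marker: the path was deleted in this layer
Layer = Dict[str, Optional[bytes]]


def merged_view(layers: List[Layer]) -> Dict[str, bytes]:
    """What a running container sees: upper layers shadow lower ones,
    and a whiteout hides the file from the merged view entirely."""
    view: Dict[str, bytes] = {}
    for layer in layers:                 # bottom to top
        for path, content in layer.items():
            if content is WHITEOUT:
                view.pop(path, None)
            else:
                view[path] = content
    return view


def find_in_any_layer(layers: List[Layer], path: str) -> List[int]:
    """Indices of every layer that still physically carries the file,
    regardless of whether the merged view shows it. This is the check
    an image scanner performs: a file removed only in a later layer is
    still shipped with the image."""
    return [i for i, layer in enumerate(layers)
            if path in layer and layer[path] is not WHITEOUT]


def image_size(layers: List[Layer]) -> int:
    """Bytes shipped with the image: whiteouts cost nothing, but the
    hidden file in the lower layer still counts."""
    return sum(len(c) for layer in layers
               for c in layer.values() if c is not WHITEOUT)


# Constructed build: a secret is copied in one step and deleted in a
# later step, so it lands in its own committed layer.
careless_build: List[Layer] = [
    {"/etc/os-release": b"ID=ubuntu\n"},          # base layer
    {"/build/deploy.key": b"PRIVATE-KEY-DATA"},   # COPY deploy.key
    {"/build/deploy.key": WHITEOUT},              # RUN rm deploy.key
]

# Constructed build with the same result: the key is fetched, used and
# removed inside one build step, so the committed layer never holds it.
careful_build: List[Layer] = [
    {"/etc/os-release": b"ID=ubuntu\n"},
    {"/app/bin": b"compiled-output"},             # single RUN step
]


if __name__ == "__main__":
    for name, build in (("careless", careless_build), ("careful", careful_build)):
        visible = "/build/deploy.key" in merged_view(build)
        carried = find_in_any_layer(build, "/build/deploy.key")
        print(f"{name}: visible={visible} layers_carrying_key={carried} "
              f"size={image_size(build)}")
```

Running the block shows that both builds hide the key from the container, but only the careless one still carries it in layer 1 and pays for it in image size; the second layout is the "clean up before the layer is completed" rule from the text.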


Container

The relationship between an image (Image) and a container (Container) is like that between a class and an instance in object-oriented programming. The image is a static definition, and the container is the entity when the image is run. Containers can be created, started, stopped, deleted, paused, etc.

The essence of a container is a process, but unlike processes executed directly on the host, container processes run in their own independent namespaces. Therefore a container can have its own root file system, its own network configuration, its own process space, and even its own user ID space. The processes in the container run in an isolated environment and behave as if they were operating on a system independent of the host. This feature makes applications packaged in containers more secure than running directly on the host. Because of this isolation, many people confuse containers with virtual machines when they first learn Docker.

As mentioned earlier, images use layered storage, and the same goes for containers. Each running container uses the image as its base layer and creates a storage layer for the current container on top of it. We call this storage layer, prepared for reading and writing while the container runs, the container storage layer.

The life cycle of the container storage layer is the same as that of the container. When the container dies, the container storage layer also dies. Therefore, any information saved in the container storage layer will be lost when the container is deleted.

According to Docker best practices, containers should not write any data to their storage layer; the container storage layer should remain stateless. All file writes should go to a data volume (Volume) or a bound host directory. Reads and writes in these locations bypass the container storage layer and go directly to the host (or network storage), with higher performance and greater stability.

The life cycle of the data volume is independent of the container. If the container dies, the data volume will not die. Therefore, after using the data volume, the data will not be lost after the container is deleted or re-run.

Warehouse (Registry)

After the image is built, it can be easily run on the current host. However, if we need to use this image on other servers, we need a centralized service for storing and distributing images. Docker Registry is such a service.

A Docker Registry can contain multiple repositories (Repository); each repository can contain multiple tags (Tag); each tag corresponds to an image.

Usually, a repository contains images of different versions of the same software, and tags are used to correspond to each version. We can specify which version of the software the image is through the format <repository name>:<tag>. If no tag is given, latest is used as the default tag.

Taking the Ubuntu image as an example, ubuntu is the name of the repository, which contains different version tags such as 16.04 and 18.04. We can use ubuntu:16.04 or ubuntu:18.04 to specify which version of the image is required. If the tag is omitted, for example ubuntu, it is treated as ubuntu:latest.

The repository name often appears as a two-part path, for example jwilder/nginx-proxy. The former part usually means the user name in a multi-user Docker Registry, and the latter usually means the corresponding software name. But this is not absolute and depends on the specific Docker Registry software or service used.
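The naming rules in the last three paragraphs (repository, optional tag, latest as the default, and the user/software two-part path) can be turned into a small parser. The following is an added example, not code from the original post and not Docker's own reference library; beyond what the text states, it assumes Docker Hub's conventions that a bare name maps to docker.io/library/<name> and that a leading path component is only treated as a registry host when it contains a dot or colon or is localhost, and it accepts an optional @sha256 digest. The sample references, including the digest, are constructed.

```python
"""Parse and normalize image references of the form
[registry/][namespace/]name[:tag][@sha256:digest].

Added example, not the post's own code nor Docker's reference library.
"""
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_REGISTRY = "docker.io"     # assumption: Docker Hub is the default
DEFAULT_NAMESPACE = "library"      # assumption: bare names are official images
DEFAULT_TAG = "latest"             # the post's rule: omitted tag => latest

_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
_TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str          # e.g. "library/ubuntu" or "jwilder/nginx-proxy"
    tag: Optional[str]
    digest: Optional[str]

    @property
    def is_pinned(self) -> bool:
        """Only a digest identifies immutable content; a tag such as
        latest can be re-pointed at different content on the registry."""
        return self.digest is not None

    def __str__(self) -> str:
        s = f"{self.registry}/{self.repository}"
        if self.tag:
            s += f":{self.tag}"
        if self.digest:
            s += f"@{self.digest}"
        return s


def _looks_like_registry(component: str) -> bool:
    # Hypothetical rule modelled on Docker Hub behaviour (assumption).
    return "." in component or ":" in component or component == "localhost"


def parse_image_ref(ref: str) -> ImageRef:
    digest: Optional[str] = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not _DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest: {digest}")

    # The tag is the text after the last ':' that follows the final '/',
    # so a registry port such as localhost:5000/app is not taken as a tag.
    path, tag = ref, None
    colon, last_slash = ref.rfind(":"), ref.rfind("/")
    if colon > last_slash:
        path, tag = ref[:colon], ref[colon + 1:]
        if not _TAG_RE.match(tag):
            raise ValueError(f"malformed tag: {tag}")

    parts = path.split("/")
    if len(parts) > 1 and _looks_like_registry(parts[0]):
        registry, parts = parts[0], parts[1:]
    else:
        registry = DEFAULT_REGISTRY

    if not parts or any(p == "" for p in parts):
        raise ValueError(f"malformed repository path: {path}")
    if registry == DEFAULT_REGISTRY and len(parts) == 1:
        parts = [DEFAULT_NAMESPACE] + parts       # ubuntu -> library/ubuntu

    if tag is None and digest is None:
        tag = DEFAULT_TAG

    return ImageRef(registry, "/".join(parts), tag, digest)


if __name__ == "__main__":
    for sample in ("ubuntu", "ubuntu:16.04", "jwilder/nginx-proxy",
                   "localhost:5000/team/app:1.2",
                   "quay.io/coreos/etcd@sha256:" + "a" * 64):   # constructed
        r = parse_image_ref(sample)
        print(f"{sample:45} -> {r}  pinned={r.is_pinned}")
```

The is_pinned property is the practical point: a tag, including the default latest, is a mutable pointer on the registry, so a deployment that must get the same bytes every time should reference the digest rather than the tag.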

Docker Registry public services:

The Docker Registry public service is a Registry service that is open to users and allows users to manage images. Generally, such public services allow users to upload and download public images for free, and may provide paid services for users to manage private images.

The most commonly used Registry public service is the official Docker Hub , which is also the default Registry and has a large number of high-quality official images. In addition, there are Red Hat's Quay.io ; Google's Google Container Registry . Kubernetes images use this service.

For various reasons, accessing these services may be slow within the country. Some domestic cloud service providers offer mirror services for Docker Hub (Registry Mirror); these mirror services are called accelerators. Common ones include the Alibaba Cloud accelerator, the DaoCloud accelerator, etc. With an accelerator, Docker Hub images are downloaded from a domestic address, which is much faster than downloading directly from Docker Hub.

Some domestic cloud service providers also offer public services similar to Docker Hub, for example the NetEase Cloud Image Service, the DaoCloud Image Market, the Alibaba Cloud Image Library, etc.

Private Docker Registry:

In addition to using public services, users can also build a private Docker Registry locally. Docker officially provides Docker Registry images, which can be used directly as private Registry services.

The open source Docker Registry image only provides the server-side implementation of the Docker Registry API, which is sufficient to support the docker commands and does not affect use. However, it does not include a graphical interface or advanced functions such as image maintenance, user management and access control. Those advanced features are provided in the official commercial version, Docker Trusted Registry.

In addition to the official Docker Registry, there is third-party software that implements the Docker Registry API and even provides a user interface and some advanced functions, for example Harbor and Sonatype Nexus.



Origin blog.csdn.net/WHQ556677/article/details/122273359