[k8s study notes - Introduction to container concepts (3) - Container images]

Container images

In the previous section we learned the two most basic container technologies, Namespace and Cgroups.

The job of Namespace is "isolation": it lets the application process see only the "world" inside its Namespace. The job of Cgroups is "restriction": it builds an invisible wall around that "world". After all this work the process is finally "locked" into an isolated room, and these rooms are the application "sandboxes" that a PaaS project depends on.

How does an application process inside a container see an independent file system?

Mount Namespace usage rules

A mount must happen first. Mount Namespace lets you see a new directory structure in the container, but even with Mount Namespace enabled, the file system the container process sees may be exactly the same as the host's. What Mount Namespace changes is the container process's view of file-system "mount points", and that view only changes after a "mount" operation occurs. Before that, a newly created container directly inherits every mount of the host. In other words, the isolation is incremental: it adds to the inherited mounts rather than replacing them.

The difference from other Namespaces: its change to the container process's view only takes effect together with a mount operation (mount).

How to use Mount Namespace

The entire root directory "/" of the container process needs to be remounted before the container process starts. Because of the Mount Namespace, this mount is not visible to the host, so the container process can change things freely inside it.

Mount a file system (the container image) on the root directory: usually a complete operating system's file system is mounted on the container's root directory, for example the contents of an Ubuntu 16.04 ISO. The file system mounted on the container's root directory to give the container process an isolated execution environment is the so-called "container image", whose technical name is rootfs (root file system). After the container starts, running "ls /" inside it shows the contents of the root directory, which are all the directories and files of Ubuntu 16.04.

The core principles of the Docker project

  1. Enable Linux Namespace configuration;
  2. Set the specified Cgroups parameters;
  3. Change the root directory of the process (Change Root).
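The three steps above, with step 1 (Mount Namespace) and step 3 (change root) carried out as a minimal script. This is an added example written for these notes, not Docker's own code: it assumes a prepared rootfs directory (for example the extracted contents of an Ubuntu 16.04 image, at a path you supply on the command line), it runs only on Linux as root, and it skips the Cgroups step. It also shows the point from the rules above: right after unshare the process still sees the host's mounts, and the view diverges only once a mount is performed.

```python
"""Minimal "change root inside a private Mount Namespace" demo.

Added example, not Docker's code.  Linux only; the namespace and mount calls
need root (CAP_SYS_ADMIN).

Usage:  sudo python3 rootfs_demo.py /path/to/rootfs [command ...]
The rootfs directory is assumed to be a prepared root file system (hypothetical
path supplied by you), e.g. the extracted contents of an Ubuntu 16.04 image.
"""
import ctypes
import os
import sys
import tempfile

# Constants from <sched.h> / <sys/mount.h> on Linux.
CLONE_NEWNS = 0x00020000      # new Mount Namespace
MS_REC = 0x4000               # apply the flag recursively
MS_PRIVATE = 1 << 18          # stop mount events propagating back to the host
MS_NOSUID, MS_NODEV, MS_NOEXEC = 2, 4, 8

# Top-level directories a usable rootfs is expected to carry.  A kernel
# (/boot/vmlinuz*) is deliberately absent: the container shares the host kernel.
REQUIRED_DIRS = ("bin", "etc", "lib", "proc")


def check_rootfs(path):
    """Return the required top-level directories missing from `path`.

    An empty list means the directory looks like a root file system.
    """
    return [d for d in REQUIRED_DIRS if not os.path.isdir(os.path.join(path, d))]


def make_fake_rootfs(dirs=REQUIRED_DIRS):
    """Create a throwaway directory skeleton (constructed input for trying
    check_rootfs without a real image)."""
    root = tempfile.mkdtemp(prefix="fake-rootfs-")
    for d in dirs:
        os.makedirs(os.path.join(root, d))
    return root


def mount_ns_id():
    """Identity of the caller's Mount Namespace, e.g. 'mnt:[4026531840]'.

    Readable without privileges on Linux; returns '' on other platforms.
    """
    try:
        return os.readlink("/proc/self/ns/mnt")
    except OSError:
        return ""


def enter_rootfs(rootfs):
    """Step 1 (Mount Namespace) and step 3 (change root) from the list above."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.unshare.argtypes = [ctypes.c_int]
    libc.mount.argtypes = [ctypes.c_char_p, ctypes.c_char_p, ctypes.c_char_p,
                           ctypes.c_ulong, ctypes.c_void_p]

    def check(ret, what):
        if ret != 0:
            err = ctypes.get_errno()
            raise OSError(err, f"{what}: {os.strerror(err)}")

    # 1. New Mount Namespace.  Immediately after this call the process still
    #    sees exactly the host's mounts (the inherited "stock").
    check(libc.unshare(CLONE_NEWNS), "unshare(CLONE_NEWNS)")

    # Make every inherited mount private so nothing mounted below propagates
    # back into the host's namespace.
    check(libc.mount(b"none", b"/", None, MS_REC | MS_PRIVATE, None),
          "mount(MS_REC|MS_PRIVATE)")

    # First real mount: a /proc that belongs to this namespace, placed inside
    # the future root.  Only now does this process's view diverge from the
    # host's.  (Without a PID Namespace it still lists host processes; the
    # point here is the mount, not process isolation.)
    proc_dir = os.path.join(rootfs, "proc").encode()
    check(libc.mount(b"proc", proc_dir, b"proc",
                     MS_NOSUID | MS_NODEV | MS_NOEXEC, None), "mount(proc)")

    # 3. Change root: from here on "/" is the image's rootfs.
    os.chroot(rootfs)
    os.chdir("/")


def main(argv):
    if len(argv) < 2:
        sys.exit(f"usage: {argv[0]} ROOTFS_DIR [COMMAND ...]")
    rootfs, cmd = argv[1], argv[2:] or ["/bin/sh"]
    missing = check_rootfs(rootfs)
    if missing:
        sys.exit(f"{rootfs} is missing directories: {', '.join(missing)}")
    print("mount namespace before:", mount_ns_id())
    enter_rootfs(rootfs)
    print("mount namespace after: ", mount_ns_id())
    os.execv(cmd[0], cmd)        # e.g. `ls /` now lists the image's rootfs


if __name__ == "__main__":
    main(sys.argv)
```

Docker itself uses pivot_root rather than chroot for the last step (the summary below mentions both); chroot is used here only because it keeps the example short. Making the inherited mounts private before touching anything is the detail most often forgotten: without it, a mount made "inside" the container can propagate to the host's namespace.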

How to understand container images

1. Container image : packages the files and directories of an entire operating system, including the application and all the dependencies it needs to run.

2. The image does not include the operating system kernel : rootfs contains only the files, configuration and directories of the operating system, not the kernel. In Linux these two parts are stored separately; the operating system loads the kernel image of the specified version only at boot time.

3. Containers share the kernel : all containers on the same machine share the host operating system's kernel.

4. "Global variables" : if your application needs to configure kernel parameters, load additional kernel modules, or interact directly with the kernel, be aware that these operations and the objects they depend on all belong to the host operating system's kernel. For every container on the machine the kernel is a "global variable": changing it affects all of them.

Consistency Advantages of Containers

All dependencies are encapsulated : for an application, the operating system itself is the most complete "dependency library" it needs to run. What is packaged in rootfs is not just the application but the files and directories of the entire operating system, which means the application and every dependency required for its operation are packaged together.

Bridging the gap between local and cloud : because the image is consistent with the running environment at the operating-system level, it closes the gap between an application's local development environment and its remote execution environment.

The structure of the container image

[Figure: the structure of a container image; the image itself is not included in this copy]

Summary

Today I learned how the Linux container file system is implemented. This mechanism is the container image we often mention, also called rootfs. It is just all the files and directories of an operating system, does not include the kernel, and is at most a few hundred megabytes. In contrast, the images of traditional virtual machines are mostly "snapshots" of a disk, so the image is at least as large as the disk it snapshots.

By combining Mount Namespace and rootfs, containers build a complete file-system isolation environment for processes. Of course, this capability also owes thanks to the two system calls chroot and pivot_root, which switch the process's root directory.

On the basis of rootfs, Docker innovatively proposed a solution of using multiple incremental rootfs to jointly mount a complete rootfs. This is the concept of "layer" in container images.

Through this "layered image" design, with the Docker image at its core, engineers from different companies and different teams are closely connected. Moreover, since operations on container images are incremental, the content pulled and pushed for each image is far smaller than several complete operating systems; and because layers are shared, the total space required by all these images is also smaller than the sum of the individual images. This makes team collaboration based on container images much more agile than collaboration based on virtual-machine disk images that move several gigabytes around.
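The two claims above, that an image is several incremental rootfs layers union-mounted into one complete rootfs, and that shared layers make the total storage smaller than the sum of the images, as a small model. This is an added example written for these notes, not Docker's or the overlay driver's code; every layer's contents are constructed sample data, and the "whiteout" convention used here (a None value marks a path deleted by that layer) is a simplification of what a real union file system does on disk.

```python
"""Layered rootfs model (added example, not Docker's code).

A layer is a dict mapping a path to its file content.  A value of None is a
"whiteout": the path was deleted in this layer.  Layers are listed bottom
(base) to top, mirroring how an image's incremental rootfs layers are
union-mounted into one complete rootfs.  All contents below are constructed.
"""
import hashlib


def layer_id(layer):
    """Content-addressed id for a layer: identical content gives an identical
    id, which is what lets two images share a base layer on disk."""
    h = hashlib.sha256()
    for path in sorted(layer):
        content = layer[path]
        h.update(path.encode() + b"\0")
        h.update(b"<whiteout>" if content is None else content.encode())
        h.update(b"\0")
    return h.hexdigest()[:12]


def merge_layers(layers):
    """Union view of `layers`, bottom first: an upper layer overrides a lower
    one, and a whiteout hides the path from every layer beneath it."""
    view = {}
    for layer in layers:
        for path, content in layer.items():
            if content is None:
                view.pop(path, None)
            else:
                view[path] = content
    return view


def layer_size(layer):
    """Bytes a layer actually carries (whiteouts are just markers)."""
    return sum(len(c) for c in layer.values() if c is not None)


def storage_needed(images):
    """(shared, unshared): bytes needed when identical layers are stored once
    for all images, versus once per image."""
    shared = {}
    unshared = 0
    for layers in images:
        for layer in layers:
            unshared += layer_size(layer)
            shared[layer_id(layer)] = layer_size(layer)
    return sum(shared.values()), unshared


# Constructed sample layers.
BASE_OS = {"/etc/os-release": "NAME=Ubuntu\nVERSION=16.04\n",
           "/bin/sh": "#!shell-binary-stand-in",
           "/usr/lib/libc.so": "libc-bytes" * 100}
PYTHON_RUNTIME = {"/usr/bin/python3": "python-binary-stand-in" * 50}
APP_A = {"/app/main.py": "print('service A')\n",
         "/etc/os-release": "NAME=Ubuntu\nVERSION=16.04\nPRETTY_NAME=app-a\n"}
APP_B = {"/app/main.py": "print('service B')\n",
         "/bin/sh": None}          # app B's layer removes the shell

IMAGE_A = [BASE_OS, PYTHON_RUNTIME, APP_A]   # two images built on the
IMAGE_B = [BASE_OS, PYTHON_RUNTIME, APP_B]   # same two lower layers

if __name__ == "__main__":
    for name, image in (("A", IMAGE_A), ("B", IMAGE_B)):
        print(name, "layers:", [layer_id(layer) for layer in image])
        print(name, "rootfs :", sorted(merge_layers(image)))
    print("storage (shared, unshared):", storage_needed([IMAGE_A, IMAGE_B]))
```

Pulling IMAGE_B on a host that already has IMAGE_A transfers only APP_B's layer, because the two lower layer ids already exist locally; that is the "incremental" push and pull the text describes.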

More importantly, once this image is released, if you download this image anywhere in the world, the content you get will be exactly the same, and you can completely reproduce the original complete environment of the image creator. This is an important manifestation of the "strong consistency" of container technology.

(ps. It feels good to get up early on Sunday to study. Come on, finish the series of courses on containers)


Source: blog.csdn.net/Amelie123/article/details/126081070