Docker basic concepts and frameworks

This article first appeared on the WeChat public account "programmer fruit"
Address: https://mp.weixin.qq.com/s/8VM-c_UkxYcVw2Itiapw4w

I. Introduction to Docker

What is a container?

  • A virtualization technology solution
  • OS-level virtualization
  • Can only run operating systems with the same or a similar kernel
  • Depends on Linux kernel features: Namespaces and Cgroups (Control Groups)

What are the advantages of container technology?

Compared with virtual machines, containers have a relatively small footprint: because a virtual machine has to emulate hardware behaviour, its memory and CPU overhead is relatively large. On a server with the same configuration, container technology therefore has the following advantages:

  • Relatively low resource consumption
  • Low CPU / memory consumption

Given these advantages, why did containers only attract real attention once Docker appeared? An important reason is the complexity of container technology. Containers themselves are very complicated: they rely on many features of the Linux kernel, and they are not easy to install, not easy to manage and not easy to automate. Docker was created to change all this.

What is Docker?

  • An open-source engine that automatically deploys applications into containers
  • An open-source project written in Go, born in early 2013; it was originally started by the company dotCloud

Docker features

  • Provides a simple, lightweight way of modeling: Docker is very easy to get started with; in only a few minutes users can "Dockerize" their own project.
  • Logical separation of duties: with Docker, developers only need to care about the program running in the container, and operations staff only need to care about how to manage the container. Docker is designed to strengthen the consistency between the environment in which developers write code and the environment in which the application is deployed.
  • Fast and efficient development life cycle: one of Docker's goals is to shorten the cycle from code development through testing to deployment and going live, and to make applications portable. Applications are developed in a container and delivered and distributed in the form of a container, so development, testing and production use the same environment. This avoids extra debugging and deployment overhead and effectively shortens the time it takes to release a product.
  • Encourages service-oriented architecture: Docker recommends that a single container run only one application or process, which forms a distributed application model. In this model an application or service can be described as a series of interconnected containers, which makes deploying, scaling or debugging a distributed application very simple. This matches the familiar development ideas of high cohesion, low coupling and single responsibility. It avoids deploying different services on the same server, where they might affect one another, and when a service has a problem at run time it is relatively easy to locate where the problem is.

Docker usage scenarios

    1. Developing, testing and deploying services with Docker containers: because Docker itself is very lightweight, developers can build, run and share Docker containers locally. A container can be created in the development environment, then submitted to testing, and finally moved into production.
    2. Creating isolated runtime environments: in many enterprise applications, different versions of the same service may serve different users; with Docker it is very easy to create different environments to run the different services.
    3. Setting up test environments: because Docker is lightweight, developers can easily use it to set up a test environment locally to test a program's compatibility across different systems, or even to build and deploy a test cluster.
    4. Building multi-user platform-as-a-service (PaaS) infrastructure.
    5. Providing software-as-a-service (SaaS) applications.
    6. High-performance, very-large-scale host deployments.

II. Basic components of Docker

Docker consists of several important parts:

  • Docker Client
  • Docker Daemon
  • Docker Image
  • Docker Container
  • Docker Registry

Docker client / daemon

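  • Docker is a client/server (C/S) program: the Docker client sends requests to the Docker server, that is, the Docker daemon; the daemon handles all the requested work and returns the results.
  • The Docker client can access the server either locally or remotely.

Docker Image

  • An image is the cornerstone of a Docker container; containers are started from and run on images. An image is like the container's source code: it stores everything needed to start the container.
  • A Docker image is a layered read-only file system.
  • Docker images use union mount technology.

A Docker image is a layered read-only file system. At the bottom is a boot file system (bootfs). The second layer is the root file system (rootfs), which sits on top of bootfs and can be one or more operating systems, such as ubuntu or centos. In Docker the root file system is always read-only, and Docker uses union mounting to load further read-only file systems on top of the root file system. Union mounting means mounting several file systems at once while only one file system is visible from the outside; it stacks the layers together so that the final file system contains all the underlying files and directories. Docker calls such a file system an image.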

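Docker Container

  • Containers are started from images. A container is where Docker executes things, and it can run one or more of the user's processes. If the image is the build and packaging stage of the Docker life cycle, the container is the start-up and execution stage.

When a container starts, Docker loads a read-write file system, that is, a writable layer, on top of the image. The programs we run in Docker execute in this layer. When Docker starts a container for the first time, the initial read-write layer is empty; when the file system changes, the changes are applied to this layer. For example, when a file is modified, it is first copied from the read-only layer beneath the read-write layer up into the read-write layer. The read-only version of the file still exists, but it is hidden by the copy in the read-write layer. This is one of Docker's important techniques: copy on write. Every read-only image layer stays read-only and never changes. When a new container is created, Docker builds an image stack, with the read-write layer on top of the read-only image layers.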
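The copy-on-write behaviour described above, as an added Python model that is not part of the original article and is not Docker's storage driver. `ContainerFS`, `IMAGE` and the file paths are hypothetical names with constructed contents; the model shows that a change made in one container is invisible to another container started from the same image, and that the original file content is still stored in the image layer.

```python
from types import MappingProxyType

# Constructed sample image: two read-only layers, bottom (rootfs) first.
IMAGE = tuple(MappingProxyType(layer) for layer in (
    {"/etc/os-release": b"ubuntu\n"},
    {"/app/config": b"debug=false\n"},
))

class ContainerFS:
    """Toy union view: shared read-only image layers plus one writable top layer."""

    def __init__(self, image_layers):
        self.image_layers = image_layers   # shared, never modified
        self.rw_layer = {}                 # empty when the container first starts

    def image_copy(self, path):
        # Search the read-only layers from the top of the stack down.
        for layer in reversed(self.image_layers):
            if path in layer:
                return layer[path]
        return None

    def read(self, path):
        # The writable layer hides any read-only version of the same path.
        data = self.rw_layer.get(path, self.image_copy(path))
        if data is None:
            raise FileNotFoundError(path)
        return data

    def append(self, path, data):
        # Copy-on-write: the first change copies the file up, later ones edit the copy.
        if path not in self.rw_layer:
            self.rw_layer[path] = self.image_copy(path) or b""
        self.rw_layer[path] += data

def demo():
    a, b = ContainerFS(IMAGE), ContainerFS(IMAGE)   # two containers, one image
    a.append("/app/config", b"debug=true\n")
    return {
        "a_sees": a.read("/app/config"),
        "b_sees": b.read("/app/config"),
        "image_still_has": a.image_copy("/app/config"),
        "b_rw_layer": dict(b.rw_layer),
    }

if __name__ == "__main__":
    print(demo())
```

Because the lower copy is only hidden, not erased, anything that was ever written into an image layer remains readable to whoever holds the image.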

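Docker Registry

  • Docker uses registries to store the images users build. Registries are either public or private; Docker, Inc. provides a public registry, Docker Hub.

III. Linux kernel features Docker depends on

Docker depends on two important features of the Linux kernel:

  • Namespaces
  • Control groups (cgroups)

Namespaces

Many programming languages include the concept of a "namespace". We can think of a namespace as a form of "encapsulation", and encapsulation in effect provides code isolation. In an operating system, namespaces provide isolation of system resources, which include processes, the network, the file system, and so on.

According to Docker's public documentation, it uses five namespaces:

  • PID (Process ID): process isolation
  • NET (Network): manages network interfaces
  • IPC (InterProcess Communication): manages access to inter-process communication
  • MNT (Mount): manages mount points
  • UTS (Unix Timesharing System): isolates kernel and version identifiers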
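A check for whether a container process is really isolated in each of the five namespaces listed above, as an added Python example that is not from the original article. On Linux every process exposes its namespaces as links under /proc/<pid>/ns/, and two processes are in the same namespace when the inode numbers in those links match; the function names and the sample inode numbers below are constructed for illustration.

```python
import os
import re

# The five namespaces listed above, by their entry names under /proc/<pid>/ns/.
NAMESPACES = ("pid", "net", "ipc", "mnt", "uts")
NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")

# Constructed inode numbers for illustration, not captured from a real host.
SAMPLE_HOST = {"pid": 4026531836, "net": 4026531840, "ipc": 4026531839,
               "mnt": 4026531841, "uts": 4026531838}
SAMPLE_ISOLATED = {"pid": 4026532501, "net": 4026532504, "ipc": 4026532500,
                   "mnt": 4026532498, "uts": 4026532499}
# Same container, but sharing the host's network namespace.
SAMPLE_HOSTNET = dict(SAMPLE_ISOLATED, net=SAMPLE_HOST["net"])

def parse_ns_link(target):
    """Turn a link target such as 'net:[4026531840]' into ('net', 4026531840)."""
    match = NS_LINK.match(target)
    if match is None:
        raise ValueError(f"not a namespace link: {target!r}")
    return match.group(1), int(match.group(2))

def read_namespaces(pid, proc="/proc"):
    """Read the namespace inode numbers of one process (Linux only)."""
    found = {}
    for name in NAMESPACES:
        link = os.readlink(os.path.join(proc, str(pid), "ns", name))
        kind, inode = parse_ns_link(link)
        if kind != name:
            raise ValueError(f"{name} entry points at a {kind} namespace")
        found[name] = inode
    return found

def shared_with_host(host_ns, container_ns):
    """Names of the namespaces in which the process is not isolated from the host."""
    return [name for name in NAMESPACES if host_ns[name] == container_ns[name]]

if __name__ == "__main__":
    print(shared_with_host(SAMPLE_HOST, SAMPLE_ISOLATED))   # fully isolated container
    print(shared_with_host(SAMPLE_HOST, SAMPLE_HOSTNET))    # network namespace shared
```

On a real host, compare `read_namespaces(1)` with `read_namespaces(<container process PID>)`; reading another user's process usually requires root.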

So how are these isolated resources managed? This is where control groups (cgroups) come in.

Control groups (cgroups)

Control groups are a mechanism provided by the Linux kernel to limit, record and isolate the physical resources used by process groups.
They were originally proposed by Google engineers and were introduced in version 2.6.24 of the Linux kernel in 2007. It can be said that control groups were born for containers; without control groups there would be no container technology today.

Control groups provide the following features:

  • Resource limits: for example, the memory subsystem can set an upper limit on the memory used by a process group. Once the process group's memory use reaches the limit, a further memory request from the group triggers an "out of memory" (OOM) warning.

  • Priority setting: it can determine which process groups may use more CPU resources or disk I/O.

  • Resource metering: it can measure how many system resources a process group uses. This is especially important in billing systems.

  • Resource control: it can suspend or resume a process group.
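The resource-limit and metering features above, read back from a container's cgroup, as an added Python example that is not from the original article. It assumes the cgroup v2 interface files `memory.max`, `memory.current`, `memory.events` and `cpu.max`; the cgroup directory of a given container depends on the host setup, so it is passed in by the caller, and the sample file contents are constructed.

```python
import os

# Constructed cgroup v2 file contents for two containers (illustrative values).
SAMPLE_LIMITED = {
    "memory.max": "268435456\n", "memory.current": "201326592\n",
    "memory.events": "low 0\nhigh 0\nmax 12\noom 1\noom_kill 1\n",
    "cpu.max": "50000 100000\n",
}
SAMPLE_UNLIMITED = {
    "memory.max": "max\n", "memory.current": "734003200\n",
    "memory.events": "low 0\nhigh 0\nmax 0\noom 0\noom_kill 0\n",
    "cpu.max": "max 100000\n",
}

def write_sample(cgroup_dir, files):
    """Materialise a constructed sample so the checks run without a real cgroup."""
    os.makedirs(cgroup_dir, exist_ok=True)
    for name, text in files.items():
        with open(os.path.join(cgroup_dir, name), "w") as fh:
            fh.write(text)

def read_value(cgroup_dir, name):
    with open(os.path.join(cgroup_dir, name)) as fh:
        return fh.read().strip()

def memory_report(cgroup_dir):
    """Resource limit, metering and OOM history of one cgroup."""
    limit = read_value(cgroup_dir, "memory.max")        # "max" means unlimited
    events = dict(line.split() for line in
                  read_value(cgroup_dir, "memory.events").splitlines())
    return {"limit_bytes": None if limit == "max" else int(limit),
            "current_bytes": int(read_value(cgroup_dir, "memory.current")),
            "oom_kills": int(events.get("oom_kill", 0))}

def cpu_cores(cgroup_dir):
    """CPU ceiling in cores from cpu.max ('<quota> <period>'), None if unlimited."""
    quota, period = read_value(cgroup_dir, "cpu.max").split()
    return None if quota == "max" else int(quota) / int(period)

def findings(cgroup_dir):
    """Flag missing limits and past OOM kills for one container's cgroup."""
    mem, out = memory_report(cgroup_dir), []
    if mem["limit_bytes"] is None:
        out.append("no memory limit")
    if cpu_cores(cgroup_dir) is None:
        out.append("no CPU limit")
    if mem["oom_kills"]:
        out.append(f"{mem['oom_kills']} OOM kill(s)")
    return out
```

Call `write_sample()` on a temporary directory to try the checks offline, or point `findings()` at a real container's cgroup directory; a container with no memory or CPU limit can exhaust the host it shares with other containers.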

Capabilities that namespaces and cgroups give Docker

Now that we understand the concepts and functions of namespaces and cgroups, what capabilities do these two features give Docker? They are as follows:

  • File system isolation: the first is file system isolation; each Docker container can have its own root file system.

  • Process isolation: each container runs in its own process environment.

  • Network isolation: the virtual network interfaces and IP addresses of containers are separate from one another.

  • Resource isolation and grouping: cgroups are used to allocate resources such as CPU and memory independently to each Docker container.

You are welcome to follow the public account "programmer fruit"; followers get a surprise ~~

Origin blog.51cto.com/13698036/2401544