The principle is simple: Docker principles and experience (1)

Brief introduction

 Physical servers today are very powerful, and in most production environments a single service does not have enough users to keep such a machine busy, so much of its capacity goes unused. At the same time a business needs many servers to keep all of its services running, and buying a separate physical machine for each of them drives costs up sharply. Virtualization solves this by dividing the capacity of one physical machine sensibly between several workloads.
 Virtualization was born in the last century, but the hardware of that era could not support large-scale virtualized environments, so it did not become popular. Today almost every company has moved virtualization into production with unstoppable momentum: it saves a great deal of cost and also improves the agility, flexibility and scalability of IT.
 The first form to appear was host-level (hypervisor) virtualization, typified by KVM and Xen. Several virtual machines run side by side on one physical machine without affecting each other: even if one of them crashes for whatever reason, the other virtual machines and the host keep running. The drawback is just as clear: every virtual machine has its own separate kernel space, so the resource overhead on the system is considerable.
 Container virtualization was created to solve that problem. A container does not need a full kernel installed and running; it packages only the runtime environment of one service, which greatly reduces the consumption of system resources. Containers also allow "second-level" self-healing: when a container dies it is simply discarded and a new container is started straight away to take its place. This of course only works if the operations staff have tuned the containers well. The figure below shows the difference between the two.
[Figure: host-level virtualization (KVM/Xen) compared with container virtualization]

The Linux namespaces a container consists of

 Container virtualization has many benefits, but once N containers run on one host, how to keep each container's environment stable and stop the containers from interfering with each other becomes a pressing question. A container uses few system resources, yet, as the saying goes, "a sparrow is small but has all its organs": it must still have its own hostname, network interfaces and other resources. To keep these from conflicting between containers, Linux namespaces must be used.
 A namespace is a low-level concept of the Linux system, implemented in the kernel: the kernel provides several different kinds of namespaces, and every Docker container running on a host shares that host's kernel.
 At the same time, the containers running on one host are isolated from each other: each is unaware that any other container exists and believes it is the master of the host. A container therefore needs the following namespaces:
MNT namespace: an independent root file system, so that the container can build its own operating environment and start its service inside it.
IPC namespace: processes inside a container can communicate with each other, but cannot reach across containers to access another container's data.
UTS namespace: holds the identifiers of a system, i.e. its hostname and domain name. They uniquely identify the container and are independent of the other containers running on the same host.
PID namespace: each container has its own process with PID 1, which creates, manages and reaps the other processes in the container.
net namespace: networking is a very important part of a container. Like a virtual machine, each container has its own network interface, listening ports, TCP/IP stack and so on. Some firewall (iptables) rules are generated automatically when a container is run so that it can communicate with the outside world.
[Figure: logical diagram of the network interfaces inside a container]
[Figure: the network interface as seen from inside the container]
[Figure: the container's interface as seen from the host]
[Figure: the automatically generated firewall rules]
User namespace: each container has its own users and groups that do not conflict with the host's, so a user's range of action is confined to its own container. Note that Docker does not enable user namespaces by default; the daemon has to be started with the userns-remap option, otherwise root inside the container is the same UID 0 as root on the host.
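The namespaces above are ordinary kernel objects, and every process carries a reference to each of them under /proc/PID/ns. The following script is an added example (it is not from the original post): it compares the namespace inodes of two processes, then creates a fresh UTS namespace with unshare(1) and changes the hostname inside it without touching the host's. It assumes Linux with /proc mounted; the unshare step needs root or unprivileged user namespaces and is skipped when neither is available.

```shell
#!/bin/sh
# Added example, not from the original post: show that namespaces are kernel
# objects by comparing the namespace inodes of two processes, then create a
# new UTS namespace with unshare(1) and change the hostname inside it.
# Assumes Linux with /proc mounted; the unshare step needs either root or
# unprivileged user namespaces and is skipped when neither is available.

NS_TYPES="mnt ipc uts pid net user"

# ns_id PID TYPE -> the inode of that namespace, e.g. "4026531838"
# (the symlink /proc/PID/ns/TYPE points to "TYPE:[inode]"); empty if absent
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null | sed 's/.*\[\(.*\)\]/\1/'
}

# shared_ns PID1 PID2 -> space-separated list of the namespace types that
# both processes share (a container shares none of them with the host shell
# except, by default, the user namespace)
shared_ns() {
    for t in $NS_TYPES; do
        a=$(ns_id "$1" "$t")
        b=$(ns_id "$2" "$t")
        if [ -n "$a" ] && [ "$a" = "$b" ]; then printf '%s ' "$t"; fi
    done
    echo
}

# count_shared PID1 PID2 -> how many of the six namespaces are shared
count_shared() {
    shared_ns "$1" "$2" | wc -w | tr -d ' '
}

# can_unshare -> exit 0 when this user may create a new user+UTS namespace
can_unshare() {
    unshare -Uru true 2>/dev/null
}

# uts_demo -> sets the hostname inside a fresh user+UTS namespace and prints
# it next to the host's hostname, which stays unchanged; prints "skipped"
# when unshare is not permitted in this environment
uts_demo() {
    if ! can_unshare; then echo skipped; return 0; fi
    inner=$(unshare -Uru sh -c 'hostname demo-container 2>/dev/null; cat /proc/sys/kernel/hostname' 2>/dev/null || echo unknown)
    outer=$(cat /proc/sys/kernel/hostname 2>/dev/null || echo unknown)
    echo "inside: $inner, outside: $outer"
}

# Stand-alone run: a process shares every namespace with itself.
echo "namespaces shared by $$ with itself: $(shared_ns $$ $$)"
uts_demo
```

To compare a container with the host, take the container's init PID from `docker inspect -f '{{.State.Pid}}' <container>` and pass it together with `$$` to `shared_ns`; with a default Docker configuration the only entry printed is `user`, which is exactly the gap the userns-remap option closes.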

Container resource constraints

 When creating a virtual machine in VMware, every virtual machine shows a screen before installation and start-up on which you set how much of the host's memory, CPU, network cards and other hardware it may use.
[Figure: VMware virtual machine hardware settings dialog]
 The same applies to containers. Although the programs inside a container may exercise the right to use every resource within their "territory", the container still has to be limited: if no limit is put on the resources a container uses, then when the resources inside it run short, it eats into the host's resources until it has consumed them all and becomes the new "master" of the physical machine.
 Resource limits also improve the security of the host. If a container has a vulnerability and someone takes control of it, the limits ensure it can only use the resources assigned to that container and cannot exhaust the host's. Keep in mind that this only addresses resource exhaustion (denial of service); cgroups do nothing to stop an attacker in the container from reaching the host by other means, which is the job of the namespaces, dropped capabilities and seccomp profiles.
 To prevent the physical machine's "master" from being displaced by a container, some means of limitation is needed. The main technology used is Linux control groups, Linux cgroups for short. Their main purpose is to cap the resources a process group can use, including CPU, memory, disk I/O, network bandwidth and so on. They can also set process priorities and suspend and resume processes.
 While a container is running, once its memory use exceeds the space it was initially allocated, the kernel's OOM killer kills processes in the container's cgroup.
This feature is enabled in the kernel by default. To verify that cgroups are enabled on the system:
[Figure: checking that cgroups are enabled on the host]
The cgroup subsystems (controllers)
[Figure: listing the cgroup subsystems]
blkio: limits on block device I/O
cpu: uses the scheduler to give cgroup tasks access to the CPU
cpuacct: produces reports on the CPU resources used by cgroup tasks
cpuset: on a multi-core CPU, assigns separate CPUs and memory nodes to cgroup tasks
devices: allows or denies cgroup tasks access to devices
freezer: suspends and resumes cgroup tasks
memory: sets a memory limit for each cgroup and produces memory usage reports
ns: namespace subsystem (a historical controller that was removed from the kernel long ago)
perf_event: adds per-group monitoring and tracing, so that all threads belonging to a particular group, or running on a particular CPU, can be monitored
 With these, the basic runtime environment for containers is in place. But there is still a need for tools to create and delete containers, to get them running, to handle their data, and to start and stop them, and container management technology emerged to solve these problems.
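The cgroup that limits a process, its memory cap and the kernel's record of OOM kills can all be read from /proc and /sys/fs/cgroup. The script below is an added example (it is not from the original post) that does this on both the legacy cgroup v1 hierarchy and the unified cgroup v2 hierarchy; it assumes Linux with /proc and /sys/fs/cgroup mounted, and the docker commands in its comments need a running daemon and are not executed.

```shell
#!/bin/sh
# Added example, not from the original post: find the cgroup that limits a
# process and read its memory limit and OOM-kill counter, on both the legacy
# cgroup v1 hierarchy and the unified cgroup v2 hierarchy.
# Assumes Linux with /proc and /sys/fs/cgroup mounted. The docker commands
# in the comments need a running daemon and are not executed here.

CG_ROOT=${CG_ROOT:-/sys/fs/cgroup}

# cgroups_enabled -> exit 0 when the kernel exposes a cgroup filesystem
cgroups_enabled() {
    grep -qE 'cgroup2?$' /proc/filesystems 2>/dev/null
}

# cgroup_version -> "2" on the unified hierarchy, otherwise "1"
cgroup_version() {
    if [ -f "$CG_ROOT/cgroup.controllers" ]; then echo 2; else echo 1; fi
}

# cgroup_path PID -> the cgroup the process lives in ("/" for the root group;
# a Docker container shows up as something like /docker/<container id>)
cgroup_path() {
    if [ "$(cgroup_version)" = 2 ]; then
        sed -n 's/^0::\(.*\)$/\1/p' "/proc/$1/cgroup" 2>/dev/null || true
    else
        sed -n 's/^[0-9]*:[^:]*memory[^:]*:\(.*\)$/\1/p' "/proc/$1/cgroup" 2>/dev/null || true
    fi
}

# memory_dir PID -> directory holding the memory controller files for PID
memory_dir() {
    p=$(cgroup_path "$1")
    if [ "$(cgroup_version)" = 2 ]; then echo "$CG_ROOT$p"; else echo "$CG_ROOT/memory$p"; fi
}

# memory_limit PID -> the limit in bytes, or "unlimited"
memory_limit() {
    d=$(memory_dir "$1")
    if [ "$(cgroup_version)" = 2 ]; then
        v=$(cat "$d/memory.max" 2>/dev/null || true)
    else
        v=$(cat "$d/memory.limit_in_bytes" 2>/dev/null || true)
    fi
    case "$v" in
        # v2 reports "max" when no limit is set; v1 reports PAGE_COUNTER_MAX,
        # a value just under 2^63 on 64-bit kernels
        ""|max|9223372036854771712) echo unlimited ;;
        *) echo "$v" ;;
    esac
}

# oom_kills PID -> number of OOM kills recorded in the process's cgroup
# (the "oom_kill" line of memory.events on v2, memory.oom_control on v1)
oom_kills() {
    d=$(memory_dir "$1")
    if [ "$(cgroup_version)" = 2 ]; then f="$d/memory.events"; else f="$d/memory.oom_control"; fi
    n=$(sed -n 's/^oom_kill \([0-9]*\)$/\1/p' "$f" 2>/dev/null || true)
    echo "${n:-0}"
}

# Stand-alone run: report on this shell's own cgroup.
echo "cgroup v$(cgroup_version), path '$(cgroup_path $$)', memory limit $(memory_limit $$), oom kills $(oom_kills $$)"

# Typical use against a container. Start one with a 64 MiB cap and let a
# process inside it grow past the cap: the kernel OOM-kills it and docker
# inspect then reports OOMKilled=true.
#   docker run -m 64m --name m alpine sh -c 'a=x; while :; do a=$a$a; done'
#   docker inspect -f '{{.State.OOMKilled}}' m
#   pid=$(docker inspect -f '{{.State.Pid}}' <running container>)
#   memory_limit "$pid"; oom_kills "$pid"
```

The two hierarchies matter in practice: on a cgroup v1 host the memory controller lives under /sys/fs/cgroup/memory, on a v2 host every controller shares one tree, and the unlimited value is spelled differently, so a monitoring script that hard-codes one layout silently reports nothing on the other.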

Container management tools

 An early container management technology was Linux Containers (LXC), which provides lightweight virtualization to isolate the containers from each other. But starting an LXC container depends on a template, and a template has to be built step by step, constructing the file system, preparing the base directories and executables and so on, before the container can run. Later code upgrades also require rebuilding the template from scratch.
 This runs counter to the whole idea of containers. Containers were born to simplify operations, and going to such lengths to start one is clearly not what a production environment wants. When Docker arrived it therefore swept up most of LXC's market with unstoppable momentum.
 This does not mean that Docker needs no template to start a container; it does. It simply packages these templates as images. A Docker image can be kept in a public place for everyone to share, or in a local private registry.
 To use an image we only need to download one that someone else has built. If its configuration does not meet the needs of our production environment, we can customize it on top of the other person's image and save the result as an image of our own. This creates a virtuous circle of building on earlier work, and is one reason container technology has become so popular. An image pulled from a public registry is software written by a stranger, though, so in production pull only from publishers you trust and pin images by their content digest (image@sha256:...) rather than by a mutable tag.
Docker's official image registry: https://hub.docker.com/

The components of Docker

Docker host (Host): a physical or virtual machine that runs the Docker service process and the containers.
Docker server (Server): the Docker daemon, which runs the Docker containers.
Docker client (Client): uses the docker command or another tool to call the Docker API.
Docker registry (Registry): stores images; comparable to a version control system such as git or svn.
Docker images (Images): an image can be understood as a template from which instances are created.
Docker container (Container): a running set of services generated from an image that provides services to the outside.

Source: blog.51cto.com/14163901/2417017