Docker basics 01: container technology

  In this chapter:

    1. What is a container?

    2. LXC: an introduction

    3. Namespaces: resource isolation

    4. Cgroups: resource allocation for containers

    5. LXC and Docker

-------------------------------------------------------------------

  Building on the virtualization basics, this section begins describing the technology behind Docker; Docker can be understood as an application-level extension of the virtualization basics we have already learned.

 

1. What is a container?

A container is a basic tool: any object that can hold other items. It may be partially or fully enclosed and is used for receiving, storing and transporting items; objects placed in a container are protected by it.
Humans have used containers for at least 100,000 years, possibly even millions of years.
Types of container:
  Bottles, cans, boxes, baskets, barrels, bags, urns, bowls, cabinets, sheaths
 

2. LXC: an introduction

  Before looking at LXC, let us first review host virtualization. Host virtualization is divided into two categories:

    Type-I (the hypervisor, or VMM, runs directly on the hardware) and Type-II (the VMM runs on top of a host operating system that manages the platform)

  Whichever type we use, the virtualization platform runs a complete guest system, and the purpose of that guest is to run the application process (for example httpd) that provides the service.

  So, to run one application process, we have to run a whole kernel underneath it just to support that process. If we could skip running that extra kernel and run the application process directly in an isolated environment on the host's kernel, we would save far more resources. That is where container technology, LXC (LinuX Containers), comes from.

  The goal of LXC: drop the virtual kernel layer and virtualize directly at the process level, improving utilization of the system's hardware resources!

  This raises a question: if we want to run two instances of the same service, how do we tell the two processes apart in the same LXC environment? As shown below:

 

3. Namespaces: resource isolation

  The Linux kernel is written in C, and it includes a feature called namespaces whose job is resource isolation: the kernel partitions its resources from the start, so that processes in different namespaces do not conflict over them.

  It is a built-in feature of the Linux kernel.

  The resources isolated are as follows:

    1. UTS: each namespace has its own independent hostname and domain name.

    2. Mount: each namespace has its own independent mount table (set of mount points).

    3. IPC: isolates inter-process communication objects such as semaphores, message queues and shared memory.

    4. PID: all processes descend from an init process, and each namespace has its own independent init (PID 1), isolated from the others.

    5. User: each namespace has its own root user; within its own namespace it is root, while from the other namespaces' point of view it is an ordinary, unprivileged user.

    6. Network: each namespace has its own virtual network card and its own TCP/IP protocol stack (network isolation).

 

  Container technology has to meet all of the isolation conditions above in order to work; namespaces are therefore the foundation technology of containers, as shown below:

  [Figure: the six namespace types originally supported by the kernel, with the kernel version that introduced each: mnt (2.4.19), uts (2.6.19), ipc (2.6.19), pid (2.6.24), net (2.6.29), user (3.8)]

 

  At this point, we can allocate kernel resources to a group of processes while isolating them with namespaces, and this is what we call container technology.

   To use these namespaces for a container, the kernel exposes them through system calls, for example:

    clone() creates a new process; the CLONE_NEW* flags passed in the call determine which new namespace types are created, and the child process is placed in them.

    unshare() moves the calling process into new namespaces of the requested types, without creating a new process.

    setns() makes the calling process join an existing namespace, referenced by a file descriptor (such as one opened on /proc/<pid>/ns/<type>).
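The following program is an added illustration of the clone() path described above; it is not code from the original post. It starts a child in new user, UTS, PID and IPC namespaces: the child renames its hostname and reports PID 1 and uid 0, while the parent keeps the host's hostname and its unprivileged uid, and the two processes' UTS namespace inodes from /proc/<pid>/ns are printed to show they differ. The helper names (ns_flags_from_names, parse_ns_link, ns_inode) and the hostname "container" are this example's own choices. It runs without root on kernels that allow unprivileged user namespaces; otherwise clone() fails with EPERM.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* CLONE_NEW* values as in <linux/sched.h>, repeated so the block builds even
 * when <sched.h> was included without _GNU_SOURCE in effect. */
#ifndef CLONE_NEWUTS
#define CLONE_NEWNS   0x00020000
#define CLONE_NEWUTS  0x04000000
#define CLONE_NEWIPC  0x08000000
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID  0x20000000
#define CLONE_NEWNET  0x40000000
#endif
/* Same reason: these two are only declared under _GNU_SOURCE / _DEFAULT_SOURCE. */
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);
int sethostname(const char *name, size_t len);

/* Map the /proc/<pid>/ns/<name> spelling of each namespace type to its clone(2)
 * flag; an unknown name yields -1 so a typo does not silently share a namespace. */
int ns_flags_from_names(const char *list) {
    static const struct { const char *name; int flag; } table[] = {
        {"mnt", CLONE_NEWNS}, {"uts", CLONE_NEWUTS}, {"ipc", CLONE_NEWIPC},
        {"pid", CLONE_NEWPID}, {"net", CLONE_NEWNET}, {"user", CLONE_NEWUSER},
    };
    char buf[128];
    int flags = 0;
    if (strlen(list) >= sizeof buf) return -1;
    strcpy(buf, list);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        int found = 0;
        for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
            if (strcmp(tok, table[i].name) == 0) { flags |= table[i].flag; found = 1; }
        if (!found) return -1;
    }
    return flags;
}

/* readlink("/proc/<pid>/ns/uts") yields e.g. "uts:[4026531838]"; the number is
 * the namespace inode, identical for every process sharing that namespace. */
unsigned long parse_ns_link(const char *link) {
    const char *lb = strchr(link, '[');
    return lb ? strtoul(lb + 1, NULL, 10) : 0;
}

unsigned long ns_inode(pid_t pid, const char *ns) {
    char path[64], link[64];
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, ns);
    ssize_t n = readlink(path, link, sizeof link - 1);
    if (n < 0) return 0;                 /* no such process, or not Linux */
    link[n] = '\0';
    return parse_ns_link(link);
}

static int child_main(void *arg) {
    int sync_fd = *(int *)arg;
    char c, host[64];
    (void)!read(sync_fd, &c, 1);         /* wait until the parent has written uid_map */
    sethostname("container", 9);         /* CLONE_NEWUTS: the host's name is untouched */
    gethostname(host, sizeof host);
    printf("child : pid=%d uid=%d hostname=%s\n", (int)getpid(), (int)getuid(), host);
    fflush(stdout);                      /* clone()'s wrapper _exit()s, skipping stdio flush */
    return 0;
}

int main(void) {
    int flags = ns_flags_from_names("user,uts,pid,ipc");
    int pipefd[2];
    size_t stack_size = 1 << 20;
    char *stack = malloc(stack_size);
    if (pipe(pipefd) != 0 || !stack) { perror("setup"); return 1; }
    /* The stack grows down on x86 and arm, so hand clone() the top of the block. */
    pid_t pid = clone(child_main, stack + stack_size, flags | SIGCHLD, &pipefd[0]);
    if (pid < 0) { perror("clone (unprivileged user namespaces disabled?)"); return 1; }

    /* CLONE_NEWUSER: map our real uid to uid 0 inside, so the child is root in
     * its namespace but remains our unprivileged uid from the host's view. */
    char path[64], map[64];
    snprintf(path, sizeof path, "/proc/%d/uid_map", (int)pid);
    snprintf(map, sizeof map, "0 %d 1", (int)getuid());
    FILE *f = fopen(path, "w");
    if (f) { fputs(map, f); fclose(f); }
    unsigned long child_uts = ns_inode(pid, "uts");   /* read before the child can exit */
    (void)!write(pipefd[1], "x", 1);     /* release the child */

    char host[64];
    gethostname(host, sizeof host);
    printf("parent: pid=%d uid=%d hostname=%s\n", (int)getpid(), (int)getuid(), host);
    printf("uts namespace inode: parent=%lu child=%lu\n", ns_inode(getpid(), "uts"), child_uts);
    waitpid(pid, NULL, 0);
    free(stack);
    return 0;
}
```

The same /proc/<pid>/ns links are what setns() consumes: opening one of them and passing the descriptor to setns() is how a tool such as nsenter joins a running container's namespaces, and comparing the inode numbers is the quickest way to check whether two processes are actually isolated from each other.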

 

4. Cgroups: resource allocation for containers

  With resource isolation in place, we still need resource allocation; the kernel's resource allocation mechanism is Control Groups (cgroups).

    The resources cgroups can allocate and control include (these are the cgroup v1 controller names):

      blkio: block device I/O

      cpu: CPU time allocation (shares and quotas)

      cpuacct: CPU resource usage accounting reports

      cpuset: the set of CPUs a group may use on multiprocessor platforms

      devices: device access control

      freezer: suspending and resuming tasks

      memory: memory usage limits and reporting

      perf_event: performance monitoring of all tasks in a cgroup as one unit

      net_cls: tagging packets created by tasks in the cgroup with a class identifier

    The parameters corresponding to each cgroup function:

  For different groups we use cgroup technology to allocate different amounts of resources (not "one big pot" for everyone, but fine-grained allocation that satisfies each container's resource needs).
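As an added example (not from the original post), the following C program applies such a fine-grained allocation on a cgroup v2 host, where the controllers listed above appear as files such as cpu.max and memory.max under one tree in /sys/fs/cgroup. It creates a group named "demo", limits it to half a CPU and 50 MiB of memory, moves a child process into the group, lets the child allocate memory until the kernel's OOM killer stops it, and then reads memory.events to confirm the oom_kill counter. The helper names (cpu_max_string, parse_cgroup_events, cg_write, cg_memory_event) and the group name are this example's own choices. It needs root and requires the cpu and memory controllers to be enabled for children of the root group (echo "+cpu +memory" > /sys/fs/cgroup/cgroup.subtree_control).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

#define CGROUP_ROOT "/sys/fs/cgroup"   /* cgroup v2 unified hierarchy */

/* cpu.max holds "<quota> <period>" in microseconds: the group may consume at
 * most quota us of CPU time in every period. Half a CPU over the default
 * 100 ms period is "50000 100000". Returns NULL for nonsensical input. */
const char *cpu_max_string(double cpus, long period_us) {
    static char buf[48];
    if (cpus <= 0 || period_us <= 0) return NULL;
    snprintf(buf, sizeof buf, "%ld %ld", (long)(cpus * period_us), period_us);
    return buf;
}

/* memory.events is one "key value" pair per line (low, high, max, oom,
 * oom_kill). Returns the counter for key, or -1 if the key is absent. */
long parse_cgroup_events(const char *text, const char *key) {
    size_t klen = strlen(key);
    for (const char *line = text; line && *line; ) {
        if (strncmp(line, key, klen) == 0 && line[klen] == ' ')
            return strtol(line + klen + 1, NULL, 10);
        const char *nl = strchr(line, '\n');
        line = nl ? nl + 1 : NULL;
    }
    return -1;
}

/* Write one value to <group>/<file>. Kernel rejections (EINVAL, EACCES)
 * surface at fclose(), so that result is checked as well. */
static int cg_write(const char *group, const char *file, const char *value) {
    char path[256];
    snprintf(path, sizeof path, "%s/%s/%s", CGROUP_ROOT, group, file);
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int rc = fputs(value, f) < 0 ? -1 : 0;
    if (fclose(f) != 0) rc = -1;
    return rc;
}

static long cg_memory_event(const char *group, const char *key) {
    char path[256], buf[512];
    snprintf(path, sizeof path, "%s/%s/memory.events", CGROUP_ROOT, group);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_cgroup_events(buf, key);
}

int main(void) {
    const char *group = "demo";          /* group name chosen for this example */
    char path[256], pidstr[32];
    snprintf(path, sizeof path, "%s/%s", CGROUP_ROOT, group);
    if (mkdir(path, 0755) != 0 && errno != EEXIST) {
        perror("mkdir cgroup (root and cgroup v2 required)"); return 1;
    }
    if (cg_write(group, "cpu.max", cpu_max_string(0.5, 100000)) != 0 ||
        cg_write(group, "memory.max", "50M") != 0) {
        perror("setting limits (is +cpu +memory in cgroup.subtree_control?)"); return 1;
    }
    cg_write(group, "memory.swap.max", "0");   /* best effort: no escape into swap */

    pid_t pid = fork();
    if (pid == 0) {
        /* Child: join the group, then keep faulting in memory until the
         * limit is hit and the kernel's OOM killer sends SIGKILL. */
        snprintf(pidstr, sizeof pidstr, "%d", (int)getpid());
        if (cg_write(group, "cgroup.procs", pidstr) != 0) _exit(1);
        for (;;) {
            char *p = malloc(1 << 20);
            if (!p) _exit(2);
            memset(p, 1, 1 << 20);       /* actually touch the pages */
        }
    }
    int status = 0;
    waitpid(pid, &status, 0);
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
        printf("child was killed by SIGKILL\n");
    else
        printf("child ended with status 0x%x\n", status);
    printf("memory.events oom_kill = %ld\n", cg_memory_event(group, "oom_kill"));
    rmdir(path);                         /* allowed once the group is empty */
    return 0;
}
```

Writing a PID into cgroup.procs is exactly what a container runtime does for the container's init process; every descendant inherits the group, so the limit covers the whole container rather than one process. Note that memory.max enforces by killing, while memory.high only throttles, which is why the example uses memory.max to make the outcome visible.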

  

5. LXC and Docker

  The earliest container technology came from BSD's jail. Its purpose was process isolation, so that a compromised process cannot affect other processes; the motivation was security.

  Linux ported that technology to its own system as vserver (similar in function to chroot), which creates its own root directory, separate from the current directory tree.

  As we know, namespaces provide the corresponding API (clone(), unshare(), setns()) for using Linux kernel resources; this is what our container technology is built on.

  The real container technologies, LXC, Docker and so on, are wrappers that give namespaces and cgroups a more manageable interface.

 

  LXC

    This was the earliest container technology on Linux; it makes containers convenient to manage, for example:

    lxc-create creates a virtual user space (a container); its template option (-t) selects a template [the template decides which distribution the container's root filesystem is built from].

    Then we need a directory and make it the root directory of that user space; the application runs under this so-called "root directory". That is what is called container technology.

    LXC contributed greatly to the development of container technology, but it has an inherent drawback: it cannot achieve large-scale deployment.

    So Docker appeared.

  docker

    To address LXC's shortcomings in managing containers in bulk, LXC was wrapped once more; the resulting management tool is Docker.

     How Docker works:

      In a Docker environment, all the files a system needs are packaged together; this is an image. The image is stored in a repository (registry), and an image need not be a whole system: it can be the files of a specific service, for example the NGINX service.

      The image is then downloaded from the "repository" to the local machine, and the run command starts a container from it (similar to running a command).

      The system allocates resources to the containers Docker starts through the mechanisms described above; in this environment, each Docker container we run is a process, and multiple containers are multiple isolated processes that do not affect each other.

 

  As in the figure above: each process runs in its own independent container, and containers are independent and isolated from each other! This greatly strengthens security between processes, and all the resources a process needs are provided by the Docker environment.

 

  Creating containers in bulk: containers are created by layered builds and flexible mounts.

    For example, the bottom layer provides a CentOS base, and the upper layer just runs the process; multiple processes can share one CentOS base layer. Mount the service on top of it under two directories, and there are two containers! The mounted image layers are read-only; a writable layer is then added on top in a local directory to satisfy the container's need to modify files.

    Data written into that local writable layer is hard to migrate with the container; so in real use the actual data is not kept locally but on shared storage behind the containers.
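To make the layered build concrete, here is an added C example (not from the original post) that does with the kernel's overlay filesystem what Docker's storage driver does: two read-only lower layers (a "base" layer standing in for the distribution and a "service" layer on top of it) are stacked under a private writable upper directory, and a file the "container" writes into the merged view lands only in the upper directory while the lower layers stay untouched. The helper overlay_opts builds the mount option string; lowerdir lists the layers topmost first, separated by colons, and workdir must be an empty directory on the same filesystem as upperdir. The directory names under /tmp and the sample file contents are this example's own choices; the mount itself requires root.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>

/* Build the mount(2) option string for overlayfs. lowerdir lists the read-only
 * layers topmost first, separated by ':'; upperdir is the single writable layer
 * and workdir is overlayfs scratch space beside it. Returns a static buffer,
 * or NULL if the result would not fit. */
const char *overlay_opts(const char *const *lowers, size_t nlowers,
                         const char *upper, const char *work) {
    static char buf[1024];
    size_t pos = (size_t)snprintf(buf, sizeof buf, "lowerdir=");
    for (size_t i = 0; i < nlowers; i++) {
        int n = snprintf(buf + pos, sizeof buf - pos, "%s%s", i ? ":" : "", lowers[i]);
        if (n < 0 || (size_t)n >= sizeof buf - pos) return NULL;
        pos += (size_t)n;
    }
    int n = snprintf(buf + pos, sizeof buf - pos, ",upperdir=%s,workdir=%s", upper, work);
    if (n < 0 || (size_t)n >= sizeof buf - pos) return NULL;
    return buf;
}

static int write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* 1 if the path exists, else 0. */
static int exists(const char *path) {
    struct stat st;
    return stat(path, &st) == 0;
}

int main(void) {
    /* Directory layout (constructed for this example), all under /tmp:
     *   base     read-only "distribution" layer
     *   service  read-only "application" layer stacked on base
     *   upper    this container's private writable layer
     *   work     overlayfs scratch space
     *   merged   the view the container would use as its root */
    const char *root = "/tmp/overlay-demo";
    const char *names[] = { "base", "service", "upper", "work", "merged" };
    char p[5][256], file[256];
    mkdir(root, 0755);
    for (int i = 0; i < 5; i++) {
        snprintf(p[i], sizeof p[i], "%s/%s", root, names[i]);
        mkdir(p[i], 0755);
    }
    snprintf(file, sizeof file, "%s/os-release", p[0]);
    write_file(file, "NAME=base-layer\n");
    snprintf(file, sizeof file, "%s/nginx.conf", p[1]);
    write_file(file, "worker_processes 1;\n");

    const char *lowers[] = { p[1], p[0] };           /* service above base */
    const char *opts = overlay_opts(lowers, 2, p[2], p[3]);
    if (mount("overlay", p[4], "overlay", 0, opts) != 0) {
        perror("mount overlay (root required)"); return 1;
    }
    /* The "container" writes a log into what it sees as its root filesystem. */
    snprintf(file, sizeof file, "%s/access.log", p[4]);
    write_file(file, "GET / 200\n");

    char in_merged[256], in_upper[256], in_base[256];
    snprintf(in_merged, sizeof in_merged, "%s/nginx.conf", p[4]);
    snprintf(in_upper, sizeof in_upper, "%s/access.log", p[2]);
    snprintf(in_base, sizeof in_base, "%s/access.log", p[0]);
    printf("merged view has nginx.conf from the service layer: %d\n", exists(in_merged));
    printf("access.log landed in upper: %d, in base: %d\n", exists(in_upper), exists(in_base));
    umount(p[4]);
    return 0;
}
```

Because every write ends up in the per-container upper directory, two containers started from the same lower layers share those layers on disk and diverge only in their upper directories; that upper directory is also the "local data" the text warns is hard to migrate, which is why persistent state is mounted in from volumes or shared storage instead.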

    As shown in the figure below:

    Another problem: how is the start order of related processes determined?

    For example, for LNMP (NGINX, MySQL, PHP), which process starts first? This is the problem of container orchestration; common solutions are:

      docker machine + swarm + compose for system orchestration;

      the mesos + marathon solution;

      kubernetes (k8s).

    All of the tools above are used to orchestrate container processes.

 

  Drawbacks of container technology:

    1. However you look at it, starting a container consumes more resources than starting the process directly.

    2. Debugging tools: with multiple processes running on one system, one set of debugging tools serves all of them. Now that the processes are isolated from each other, every container needs its own set of debugging tools.

    3. To debug a process you have to enter the container; compared with debugging directly on the host, that is harder.

 

Summary:

  Containers bring considerable inconvenience to operations but great convenience to development: they truly let code be written once and run in many environments, which greatly reduces the cost of software development.

  That is why container technology is so popular today.

 

 


Origin www.cnblogs.com/BurnovBlog/p/11141129.html