Docker data management (volume / bind mount / tmpfs)

Docker provides three ways to mount host data into a container: volumes, bind mounts and tmpfs mounts. If you are not sure which one to choose, remember that volumes are almost always the right choice.

Volumes are Docker's mechanism for persisting data. Bind mounts depend on the directory structure of the host machine, whereas volumes are managed entirely by Docker. Volumes have the following advantages:
  • Volumes are easier to back up and migrate.
  • They can be managed with the Docker CLI or the Docker API.
  • They work the same way for Linux and Windows containers.
  • They can be shared among multiple containers more safely.
  • Volume drivers let you store data on remote hosts or cloud providers, encrypt the contents of volumes, or add other functionality.
  • A new volume can have its contents pre-populated by a container.
In addition, volumes do not increase the size of the container that uses them, and a volume's contents exist independently of the lifecycle of any given container.
 

 
If your container generates non-persistent state data, consider a tmpfs mount: the data is never stored permanently, and the container avoids the cost of writing into its writable layer.

 

Although data can be written into the container's writable layer, doing so has several drawbacks:

  1. The data does not persist once the container stops running, and it is difficult to get the data out of the container when another process needs it;
  2. The container's writable layer is tightly coupled to the host machine on which the container is running, so the data cannot easily be moved elsewhere;
  3. Writing into the writable layer requires a storage driver that uses the Linux kernel to build a union file system over the host's and the container's file systems. This extra layer of abstraction noticeably reduces performance. Docker volumes avoid this penalty by writing directly to the host file system.

Choosing the right type of mount

Whichever mount type you choose, the data looks the same from inside the container: it is exposed as a directory or an individual file in the container's file system. The easiest way to understand the difference between the three mount types is to look at where the data lives on the host machine:

  1. Volumes: the data is stored in a part of the host file system that is managed by Docker (/var/lib/docker/volumes/ on Linux). Non-Docker processes should not modify this part of the file system. Volumes are the recommended way to persist a container's application data.
  2. Bind mounts: the data can be stored anywhere on the host file system, even in important system files or directories. Processes other than Docker, on the host or in a container, can modify it at any time;
  3. tmpfs mounts: the data is stored only in the host's memory and is never written to the host file system, so it cannot be used to persist a container's application data.

The three mount types in detail

Volumes:
  • Created and managed by Docker. You can create a volume explicitly with the docker volume create command, or Docker can create it while creating a container or service;
  • When you create a volume, it is stored in a directory on the Docker host. When you mount the volume into a container, that directory is what gets mounted. This is similar to the way bind mounts work, except that volumes are managed by Docker and isolated from the core functionality of the host machine.
  • A volume can be mounted into multiple containers simultaneously. When no running container is using a volume, the volume is still available to Docker and is not removed automatically. You can remove unused volumes manually with docker volume prune.
  • When you mount a volume, it may be named or anonymous. An anonymous volume is not given an explicit name when it is first mounted into a container, so Docker assigns it a random name that is guaranteed to be unique within the host. Apart from the name, named and anonymous volumes behave the same way.
  • Volumes also support volume drivers, which let you store your data on remote hosts or cloud providers, among other possibilities.
Bind mounts:
  • Available since the early days of Docker; compared with volumes, their functionality is more limited. When you use a bind mount, a file or directory on the host machine is mounted into a container. The file or directory is referenced by its absolute path on the host machine, and the container uses or modifies the host's data through it. The file or directory does not need to exist on the host beforehand; it is created on demand if it does not yet exist. Bind mounts are very performant, but they rely on the host machine's file system having a specific directory structure available. If you are developing a new Docker application, we still recommend named volumes instead, because bind mounts cannot be managed with the Docker CLI. (Warning: bind mounts are a double-edged sword. A process inside a container that uses a bind mount can change the host file system, including creating, modifying and deleting important system files and directories. This capability is powerful, but it has obvious security implications, including affecting non-Docker processes on the host.)
tmpfs mounts:
  • With this mount type, the container's application data is never persisted to disk; the data exists only for the lifetime of the container. It is useful for non-persistent state or for sensitive data that should not be written to disk. For example, internally, swarm services use tmpfs mounts to mount secrets into a service's containers. (For secrets, see https://docs.docker.com/engine/swarm/secrets/)
Bind mounts and volumes can both be mounted into containers with the -v or --volume flag, with slightly different syntax for each. tmpfs mounts use the --tmpfs flag. However, in Docker 17.06 and higher, we recommend using the --mount flag for all three mount types, on both containers and services, because its syntax is more explicit.

Use cases for volumes

  • Sharing data among multiple running containers. If you do not create a volume explicitly, it is created automatically the first time it is mounted into a container. When that container stops or is removed, the volume still exists. Multiple containers can mount the same volume simultaneously, either read-write (rw) or read-only (ro). The volume is only removed when you remove it explicitly.
  • When the Docker host is not guaranteed to have a given directory or file structure. Volumes help you decouple the container's runtime from the host's configuration.
  • When you want to store your container's data on a remote host or a cloud provider.
  • When you need to back up, restore or migrate data from one Docker host to another, a volume is a good choice. You can stop the containers using the volume, then back up the volume's directory directly, such as /var/lib/docker/volumes/<volume-name>.

Use cases for bind mounts

  • Sharing configuration files from the host with containers. This is how Docker provides DNS resolution to containers by default: the host's /etc/resolv.conf is bind-mounted into each container.
  • Sharing source code or build artifacts between a development environment on the host and a container. For example, you can mount a Maven project's build output into a container; each time you rebuild the project on the host, the container sees the results directly.
  • When you can guarantee that the host's file system structure is consistent with what the container expects.

Use cases for tmpfs mounts

  • When you do not want the data to persist either on the host or inside the container, whether for security reasons or to protect the container's performance when the application needs to write a large amount of non-persistent state data.

Tips for using bind mounts and volumes

  • If you mount an empty volume into a directory in the container that already contains files or directories, those existing contents are copied into the volume. Similarly, if you start a container and specify a volume that does not yet exist, an empty volume is created for you;
  • If you mount a bind mount, or a non-empty volume, into a directory in the container that already contains files or directories, the existing contents are obscured by the mount (not deleted). When the mount is removed, the original files in that directory are visible again. This is like mounting a USB drive on /mnt on Linux: if /mnt already has files, you only see the drive's contents while it is mounted, and after unmounting it the original files reappear.

Choosing between -v and --mount

Originally, -v or --volume was used for standalone containers and --mount was used for swarm services. Since Docker 17.06, --mount can also be used with standalone containers. The --mount syntax is more explicit and verbose; -v packs all the options into a single colon-separated field. New users should use --mount.

If you need to specify volume driver options, you must use --mount.
  • -v or --volume: consists of three fields separated by colons (:). The fields must be in the correct order.
    • The first field is the name of the volume, which is unique on the host. For an anonymous volume, the first field is omitted and Docker generates the name.
    • The second field is the path where the file or directory is mounted in the container.
    • The third field is optional and is a comma-separated list of options, such as ro. These options are discussed below.
  • --mount: consists of multiple key-value pairs separated by commas, each written as <key>=<value>. The --mount syntax is longer than -v or --volume, but easier to understand.
    • type, which can be bind, volume or tmpfs. This article focuses on volumes, so the type is always volume.
    • source, the name of the volume; for an anonymous volume this field is omitted. May be abbreviated as src.
    • destination, the path where the file or directory is mounted in the container. May also be written as dst or target.
    • readonly, if present, mounts the volume read-only in the container.
    • volume-opt, an optional key-value pair for the volume driver, which may be specified more than once.
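As an added example (not part of the original post), the following Python helper converts a -v/--volume spec into the equivalent --mount key=value form using the three-field rule described above. The bind-versus-volume decision (a source beginning with / or . is a host path) follows the Docker CLI's behaviour; the function names are my own.

```python
# Added example: translate `-v SOURCE:TARGET[:OPTIONS]` into `--mount` syntax.
# Function names are my own; the field rules follow the Docker CLI.

def parse_volume_flag(spec: str) -> dict:
    """Split a -v spec into its (up to) three colon-separated fields."""
    parts = spec.split(":")
    if len(parts) == 1:
        source, target, opts = "", parts[0], []        # anonymous volume
    elif len(parts) == 2:
        source, target, opts = parts[0], parts[1], []
    elif len(parts) == 3:
        source, target = parts[0], parts[1]
        opts = [o for o in parts[2].split(",") if o]
    else:
        raise ValueError(f"bad -v spec: {spec!r}")
    if not target.startswith("/"):
        raise ValueError(f"container path must be absolute: {target!r}")
    # A source that looks like a host path is a bind mount; anything else is
    # a named volume that Docker manages under /var/lib/docker/volumes/.
    kind = "bind" if source.startswith(("/", ".")) else "volume"
    return {"type": kind, "source": source, "target": target, "options": opts}


def to_mount_flag(spec: str) -> str:
    """Render the --mount argument equivalent to the given -v spec."""
    m = parse_volume_flag(spec)
    kv = [f"type={m['type']}"]
    if m["source"]:
        kv.append(f"source={m['source']}")
    kv.append(f"target={m['target']}")
    if "ro" in m["options"]:
        kv.append("readonly")
    return ",".join(kv)


if __name__ == "__main__":
    for spec in ("myvol2:/app", "nginx-vol:/usr/share/nginx/html:ro",
                 "/etc/resolv.conf:/etc/resolv.conf:ro", "/data"):
        print(f"-v {spec:40} -> --mount {to_mount_flag(spec)}")
```

Note that a -v spec with a single field is an anonymous volume, so the converted form has no source key.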

Differences in behaviour between -v and --mount

Unlike bind mounts, all options for volumes are available for both --mount and -v.
When using volumes with services, only --mount is supported.
 

Create and manage volumes

Unlike a bind mount, you can create and manage volumes outside the scope of any container.

Create a volume:
$ docker volume create my-vol

List all volumes:
$ docker volume ls
local               my-vol

Inspect a volume:
$ docker volume inspect my-vol
[
    {
        "Driver": "local",
        "Labels": {},
        "Mountpoint": "/var/lib/docker/volumes/my-vol/_data",
        "Name": "my-vol",
        "Options": {},
        "Scope": "local"
    }
]
 
To delete a volume:
$ docker volume rm my-vol
 
Start a container with a volume
If you start a container with a volume that does not yet exist, Docker creates the volume for you. The following example mounts the volume myvol2 into /app/ in the container.
The -v and --mount examples below produce the same result.

--mount:
$ docker run -d \
  --name devtest \
  --mount source=myvol2,target=/app \
  nginx:latest

-v:
$ docker run -d \
  --name devtest \
  -v myvol2:/app \
  nginx:latest
Use docker inspect devtest to verify that the volume was mounted correctly. Look for the Mounts section:
"Mounts": [
    {
        "Type": "volume",
        "Name": "myvol2",
        "Source": "/var/lib/docker/volumes/myvol2/_data",
        "Destination": "/app",
        "Driver": "local",
        "Mode": "",
        "RW": true,
        "Propagation": ""
    }
],
This shows that the mount is a volume with the correct source and destination, and that it is mounted read-write.
 
Stop the container and then delete the volume
$ docker container stop devtest
$ docker container rm devtest
$ docker volume rm myvol2
Start a service with volumes
When you start a service and define a volume, each service container uses its own local volume. If you use the local volume driver, the containers cannot share data through it, but some volume drivers do support shared storage. Docker for AWS and Docker for Azure both support persistent storage through the Cloudstor plugin.
The following example starts an nginx service with four replicas, each of which uses a local volume called myvol2.
$ docker service create -d \
  --replicas=4 \
  --name devtest-service \
  --mount source=myvol2,target=/app \
  nginx:latest

Use docker service ps devtest-service to verify that the service is running:
$ docker service ps devtest-service
ID                  NAME                IMAGE               NODE                DESIRED STATE       CURRENT STATE            ERROR               PORTS
4d7oz1j85wwn        devtest-service.1   nginx:latest        moby                Running             Running 14 seconds ago
Remove the service
$ docker service rm devtest-service

Syntax differences for services
The docker service create command does not support the -v or --volume flag. You must use --mount.
Populate a volume using a container

As noted above, if you start a container that creates a new volume, and the directory being mounted (for example /app/) already contains files or directories in the container, those contents are copied into the volume. Other containers that later mount the same volume can also access the pre-populated content.
To illustrate this, the following example starts an nginx container and populates the new volume nginx-vol with the contents of the container's /usr/share/nginx/html directory, which is where nginx stores its default HTML content.
The --mount and -v examples have the same result.
--mount:
$ docker run -d \
--name=nginxtest \
--mount source=nginx-vol,destination=/usr/share/nginx/html \
  nginx:latest
 
-v
$ docker run -d \
--name=nginxtest \
-v nginx-vol:/usr/share/nginx/html \
  nginx:latest
 
Clean up after running the commands:
$ docker container stop nginxtest
$ docker container rm nginxtest
$ docker volume rm nginx-vol
Use a read-only volume

For some development applications, the container needs to write into the volume so that changes are propagated back to the Docker host. At other times, the container only needs read access to the data. Remember that multiple containers can mount the same volume, and it can be mounted read-write for some of them and read-only for others at the same time.
This example modifies the one above, but mounts the directory as a read-only volume by adding ro to the (empty by default) list of options after the mount point within the container.
The --mount and -v examples have the same result.
--mount
$ docker run -d \
--name=nginxtest \
--mount source=nginx-vol,destination=/usr/share/nginx/html,readonly \
  nginx:latest
 
-v
$ docker run -d \
--name=nginxtest \
-v nginx-vol:/usr/share/nginx/html:ro \
  nginx:latest
 
Use docker inspect nginxtest to verify that the read-only mount was created correctly. Look for the Mounts section:
"Mounts": [
    {
        "Type": "volume",
        "Name": "nginx-vol",
        "Source": "/var/lib/docker/volumes/nginx-vol/_data",
        "Destination": "/usr/share/nginx/html",
        "Driver": "local",
        "Mode": "",
        "RW": false,
        "Propagation": ""
    }
],
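As an added example (not part of the original post), this Python check walks the Mounts section of docker inspect output as shown above and reports bind mounts, which are the mount type the earlier warning says can expose and modify the host file system. The inspect JSON is constructed to mimic real output, and the list of sensitive host paths is my own illustrative choice.

```python
# Added example: audit the "Mounts" section of `docker inspect` output.
# The JSON below is constructed to mimic inspect output; it is not real data.
import json

# Host locations a container rarely needs write access to (my own list,
# chosen for illustration; extend it for your environment).
SENSITIVE_PATHS = ("/etc", "/proc", "/sys", "/var/run/docker.sock")

SAMPLE_INSPECT = json.dumps([{
    "Name": "/devtest",
    "Mounts": [
        {"Type": "volume", "Name": "myvol2",
         "Source": "/var/lib/docker/volumes/myvol2/_data",
         "Destination": "/app", "RW": True},
        {"Type": "bind", "Source": "/etc/resolv.conf",
         "Destination": "/etc/resolv.conf", "RW": False},
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "RW": True},
    ],
}])


def is_sensitive(host_path: str) -> bool:
    """True if host_path is / itself or lies under one of SENSITIVE_PATHS."""
    return host_path == "/" or any(
        host_path == p or host_path.startswith(p + "/") for p in SENSITIVE_PATHS)


def audit_mounts(inspect_json: str) -> list:
    """Return (container, destination, severity, reason) for each bind mount."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/")
        for m in c.get("Mounts", []):
            # Volumes live under Docker's own directory and tmpfs never touches
            # the host file system, so only bind mounts expose the host layout.
            if m.get("Type") != "bind":
                continue
            src, dst = m.get("Source", ""), m.get("Destination", "")
            if not m.get("RW", True):
                sev, why = "low", "read-only bind mount of host path"
            elif is_sensitive(src):
                sev, why = "high", "writable bind mount of sensitive host path"
            else:
                sev, why = "medium", "writable bind mount of host path"
            findings.append((name, dst, sev, f"{why} {src}"))
    return findings
```

Run it against the output of docker inspect for a real container to get a quick list of which mounts reach outside Docker's managed volume directory and whether they are writable.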
 
Cleanup command
$ docker container stop nginxtest
$ docker container rm nginxtest
$ docker volume rm nginx-vol
 
Share data among machines
When building highly available applications, you may need to configure multiple replicas of the same service to have access to the same files.

There are several ways to achieve this. One is to add logic to your application to store files on a cloud object storage system such as Amazon S3. Another is to create volumes with a driver that supports writing files to an external storage system such as NFS or Amazon S3.
Volume drivers let you abstract the underlying storage system from the application logic. For example, if your services use a volume with an NFS driver, you can update the services to use a different driver, for example to store the data in the cloud, without changing the application logic.
Use a volume driver
When you create a volume with docker volume create, or when you start a container that uses a volume which has not yet been created, you can specify a volume driver. The following examples use the vieux/sshfs volume driver, first to create a standalone volume and then to start a container that creates a new volume.

Initial setup
This example assumes you have two nodes; the first is a Docker host and can connect to the second over SSH.
Install the vieux/sshfs plugin on the Docker host:
$ docker plugin install --grant-all-permissions vieux/sshfs

Create a volume using a volume driver
This example specifies an SSH password, but if the two hosts have shared keys configured, you can omit the password. Each volume driver may have zero or more configurable options, each specified with an -o flag.
$ docker volume create --driver vieux/sshfs \
  -o sshcmd=test@node2:/home/test \
  -o password=testpassword \
  sshvolume

test@node2:/home/test is the mount point on the remote host.

Start a container that creates a volume using a volume driver
This example specifies an SSH password, but if the two hosts have shared keys configured, you can omit the password. Each volume driver may have zero or more configurable options. If the volume driver requires you to pass options, you must use --mount.
$ docker run -d \
  --name sshfs-container \
  --volume-driver vieux/sshfs \
  --mount src=sshvolume,target=/app,volume-opt=sshcmd=test@node2:/home/test,volume-opt=password=testpassword \
  nginx:latest

Origin www.cnblogs.com/ExMan/p/11613073.html