Docker, part one (an introduction to virtualization)

First, what is a container

A container is a basic tool: anything that can hold other items, partially or fully enclosed, and that is used for receiving, storing and transporting them. Objects can be placed in a container, and the container protects its contents.

Humans have used containers for at least 100,000 years.

 

Second, how virtualization is implemented

1, host-level virtualization

     In this implementation, virtual machine management software is installed on the host and creates N complete virtual systems, each with its own kernel. There are two types:

     1.1, Type-I (the virtual machine manager is installed directly on the host; no operating system needs to be installed on the host first)

             Xen, ESX/ESXi

     1.2, Type-II (the virtual machine manager is installed on top of the host's operating system)

             VMware Workstation, KVM, VirtualBox

 

2, container-level virtualization

      This implementation does not create a separate kernel for each virtual machine. Instead, the kernel on the host isolates six kinds of resources through a kernel mechanism (namespaces), and each namespace is a separate container (VM).

      So far, container technology across the whole Linux field is implemented by the six kernel-level namespaces, chroot and Cgroups working together.

 

2.1, Linux Namespaces

| Namespace | System call argument | Isolated content | Kernel version |
|-----------|----------------------|------------------|----------------|
| UTS | CLONE_NEWUTS | Host name and domain name | 2.6.19 |
| IPC | CLONE_NEWIPC | Semaphores, message queues and shared memory | 2.6.19 |
| PID | CLONE_NEWPID | Process numbers | 2.6.24 |
| Network | CLONE_NEWNET | Network devices, network stack, ports, etc. | 2.6.29 |
| Mount | CLONE_NEWNS | Mount points, file systems | 2.4.19 |
| User | CLONE_NEWUSER | Users and user groups | 3.8 |
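
Each of the six namespaces listed above appears as a symlink under /proc/<pid>/ns, so a process's isolation can be audited by comparing its namespace inodes with those of PID 1. The following is an added example, not code from the original post; it assumes a Linux /proc, and the helper names ns_inode, read_ns and ns_shared are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* The six namespaces from the table: /proc/<pid>/ns entry and its clone flag. */
static const char *NS[6][2] = {
    {"uts", "CLONE_NEWUTS"}, {"ipc", "CLONE_NEWIPC"}, {"pid", "CLONE_NEWPID"},
    {"net", "CLONE_NEWNET"}, {"mnt", "CLONE_NEWNS"},  {"user", "CLONE_NEWUSER"},
};

/* Parse a link target such as "uts:[4026531838]"; returns the inode, 0 if malformed. */
unsigned long ns_inode(const char *link, const char *type) {
    size_t n = strlen(type);
    unsigned long ino = 0;
    char end = 0;
    if (strncmp(link, type, n) != 0 || link[n] != ':') return 0;
    if (sscanf(link + n + 1, "[%lu%c", &ino, &end) != 2 || end != ']') return 0;
    return ino;
}

/* Read /proc/<pid>/ns/<type>; returns the namespace inode, 0 if unreadable. */
unsigned long read_ns(const char *pid, const char *type) {
    char path[64], link[64];
    snprintf(path, sizeof path, "/proc/%s/ns/%s", pid, type);
    ssize_t len = readlink(path, link, sizeof link - 1);
    if (len < 0) return 0;
    link[len] = '\0';
    return ns_inode(link, type);
}

/* 1 = same namespace, 0 = isolated, -1 = unknown (one side unreadable). */
int ns_shared(unsigned long a, unsigned long b) {
    if (a == 0 || b == 0) return -1;
    return a == b;
}

int main(int argc, char **argv) {
    const char *pid = argc > 1 ? argv[1] : "self";   /* PID to audit */
    for (int i = 0; i < 6; i++) {
        int s = ns_shared(read_ns(pid, NS[i][0]), read_ns("1", NS[i][0]));
        printf("%-5s %-14s %s\n", NS[i][0], NS[i][1],
               s < 0 ? "unknown (link unreadable)" : s ? "shared with PID 1" : "isolated");
    }
    return 0;
}
```

Reading the links of PID 1 normally requires root; without it every row reports unknown rather than a wrong answer.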

 

2.2, the role of Control Groups (CGroups)

The isolation mechanism of containers is implemented by namespaces, while resource allocation for containers is implemented at the kernel level by CGroups. CGroups divide the system's resources into multiple groups and assign the amount of resources in each group to the processes of a particular namespace.

2.2.1, CGroups functions

| Subsystem | Function |
|-----------|----------|
| blkio | Block device I/O |
| cpu | CPU |
| cpuacct | CPU resource usage reports |
| cpuset | CPU sets on multi-processor platforms; there are two assignment methods: by ratio and by number of cores |
| devices | Device access |
| freezer | Suspend or resume tasks |
| memory | Memory usage and reporting |
| perf_event | Unified performance testing of the tasks in a cgroup |
| net_cls | Class identifier for the data packets created by the tasks in a cgroup |
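
Which group a process has been placed in for each of these subsystems can be read from /proc/<pid>/cgroup, which is how one checks that a container is actually under the memory or devices controller. This is an added example, not code from the original post; it assumes the cgroup v1 line format "ID:controller-list:/path", and the helper name cgroup_of is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Subsystems from the table above. */
static const char *SUBSYS[] = {"blkio", "cpu", "cpuacct", "cpuset", "devices",
                               "freezer", "memory", "perf_event", "net_cls"};

/* Parse one cgroup v1 line "ID:controller[,controller...]:/path".
 * Returns 1 and copies the path into out if ctrl is in the list, else 0. */
int cgroup_of(const char *line, const char *ctrl, char *out, size_t outlen) {
    const char *list = strchr(line, ':');
    if (!list) return 0;
    list++;
    const char *path = strchr(list, ':');
    if (!path) return 0;
    size_t clen = strlen(ctrl);
    for (const char *p = list; p < path; ) {
        const char *end = memchr(p, ',', (size_t)(path - p));
        if (!end) end = path;
        /* Compare whole names so that "cpu" does not match "cpuacct". */
        if ((size_t)(end - p) == clen && strncmp(p, ctrl, clen) == 0) {
            snprintf(out, outlen, "%.*s", (int)strcspn(path + 1, "\n"), path + 1);
            return 1;
        }
        p = end + 1;
    }
    return 0;
}

int main(int argc, char **argv) {
    char file[64], line[512], path[256];
    snprintf(file, sizeof file, "/proc/%s/cgroup", argc > 1 ? argv[1] : "self");
    for (size_t i = 0; i < sizeof SUBSYS / sizeof *SUBSYS; i++) {
        FILE *f = fopen(file, "r");
        int found = 0;
        while (f && !found && fgets(line, sizeof line, f))
            found = cgroup_of(line, SUBSYS[i], path, sizeof path);
        if (f) fclose(f);
        printf("%-10s %s\n", SUBSYS[i], found ? path : "(no v1 hierarchy attached)");
    }
    return 0;
}
```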

 

2.3, LXC (Linux Container)

Apart from Vserver, LXC was the first truly complete container technology, with a set of easy-to-use tools and templates that greatly simplify the use of container technology. LXC provides a toolkit that helps us quickly create namespaces and uses template files to install whatever is needed inside them. Some of its tools also switch chroot automatically, so multiple user spaces can be used concurrently, and each user space is a stand-alone system, like the virtual machines we used before.

 

Third, the birth of Docker

Although LXC greatly simplifies the use of container technology, its complexity is not much lower than that of the virtual machines used in the past, it does not have the good isolation of virtual machines, and it is not convenient to use and distribute at large scale. Its advantage is that every user-space process runs directly with the performance of the host, with no additional overhead. So Docker appeared.

 

3.1, Docker is an enhanced version of LXC

Docker is not itself a container, but an easy-to-use tool for containers. Containers are a Linux kernel technology; Docker simply made that technology easy to use and so popularized it. In its early versions, Docker's core was a second-level wrapper around LXC.

Docker does use LXC as its container management engine, but it does not create a container by installing from a template. Instead it uses image technology: the user-space components an operating system needs are prepared in advance and packaged as a whole into one file, the image file, and image files are kept in a centralized repository. When a container needs to be created, Docker calls the LXC tool lxc-create, but rather than going through an lxc installation template, it connects to the image server, downloads the matching image file, and starts the container from that image. In this way Docker greatly reduces the difficulty of using containers. Once a container has been created, a single command, docker run or docker stop, starts or stops it.

To make containers easier to manage as a whole, Docker adopts a stricter restriction: a container runs only one process. LXC treats a container as a user space in which N processes can run, which makes managing the processes in a container very inconvenient.

Docker builds images in layers on top of a base image and joins them with a union mount. The benefit is that images are no longer so large to distribute, and layers can be freely combined and mounted to produce images for different environments.

 

3.2, changes to Docker's container engine

Early Docker was built on LXC as its container management engine. Later, once it had matured, Docker built its own container engine called libcontainer. Later still, with the CNCF's involvement, Docker developed an industry-standard container engine called runC, and runC is the container engine that current versions of Docker use.

Origin www.cnblogs.com/baomaggie/p/11622474.html