Docker interview questions (b)

What is virtualization?

  Virtualization allows you to run two completely different operating systems on the same hardware. Each guest operating system goes through the entire boot process, loads its own kernel, and so on. Security can be very strict: for example, a guest operating system does not have full access to the host operating system or to other guests, so it cannot break them. Virtualization approaches can be classified by how they imitate hardware for the guest operating system and emulate the guest operating environment. There are three main types of virtualization:
• emulation
• paravirtualization
• container-based virtualization

 

What is the difference between Docker and virtual machines?

  Docker is not a virtualization method. It relies on other tools that actually implement container-based virtualization, also called operating-system-level virtualization. For this purpose Docker initially used the LXC driver and then moved to libcontainer, which is now renamed runc. Docker focuses primarily on automating the deployment of applications inside application containers. Application containers are designed to package and run a single service, whereas system containers are designed to run multiple processes, like a virtual machine. Docker is therefore regarded as a container management or application deployment tool on containerized systems.
• Unlike a virtual machine, a container does not need to boot an operating system kernel, so a container can be created in less than a second. This makes container-based virtualization more distinctive and desirable than other virtualization methods.
• Because container-based virtualization adds little or no overhead to the host, it has near-native performance.
• Unlike other kinds of virtualization, container-based virtualization requires no additional software.
• All containers on a host share the host's scheduler, which saves the need for additional resources.
• Compared with a virtual machine image, container state (a Docker or LXC image) is very small, so container images are easy to distribute.
• Resource management in containers is achieved through cgroups. Cgroups do not allow a container to consume more resources than were assigned to it. However, all of the host's resources are still visible in the virtual machine, even though they cannot be used. You can see this by running top or htop in the container and on the host at the same time: the output looks very similar in all environments.
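The gap between what top displays and what the cgroup permits can be computed directly. The following is an added example, not code from the original page; it assumes the cgroup v2 file formats (`memory.max`, `cpu.max`) and uses constructed sample file contents so that it runs anywhere.

```python
def parse_meminfo_total(text):
    """MemTotal from /proc/meminfo, in bytes (the file reports kB)."""
    for line in text.splitlines():
        if line.startswith("MemTotal:"):
            return int(line.split()[1]) * 1024
    raise ValueError("MemTotal not found")


def parse_memory_max(text):
    """cgroup v2 memory.max: a byte count, or 'max' meaning no limit (None)."""
    value = text.strip()
    return None if value == "max" else int(value)


def parse_cpu_max(text):
    """cgroup v2 cpu.max: '<quota> <period>' in microseconds -> CPUs or None."""
    quota, period = text.split()
    return None if quota == "max" else int(quota) / int(period)


def effective_limits(meminfo, memory_max, cpu_max, host_cpus):
    """Compare what tools such as top display with what the cgroup allows."""
    visible_mem = parse_meminfo_total(meminfo)
    mem_limit = parse_memory_max(memory_max)
    cpu_limit = parse_cpu_max(cpu_max)
    return {
        "visible_mem": visible_mem,
        "usable_mem": visible_mem if mem_limit is None
        else min(visible_mem, mem_limit),
        "visible_cpus": host_cpus,
        "usable_cpus": host_cpus if cpu_limit is None
        else min(host_cpus, cpu_limit),
    }


# Constructed sample: a 16 GiB, 8-CPU host; the container is limited to
# 512 MiB of memory and 1.5 CPUs.
SAMPLE_MEMINFO = "MemTotal:       16777216 kB\nMemFree:         8000000 kB\n"
SAMPLE_MEMORY_MAX = "536870912\n"
SAMPLE_CPU_MAX = "150000 100000\n"

if __name__ == "__main__":
    report = effective_limits(SAMPLE_MEMINFO, SAMPLE_MEMORY_MAX,
                              SAMPLE_CPU_MAX, host_cpus=8)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Inside a real container on a cgroup v2 host, the same functions can be fed the contents of `/proc/meminfo`, `/sys/fs/cgroup/memory.max` and `/sys/fs/cgroup/cpu.max`.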

 

How do containers work internally?

  Around 2006, people including some Google employees implemented a new Linux kernel-level feature called namespaces (although the idea had existed long before in FreeBSD). One function of an operating system is to let processes share global resources such as the network and disks. What if these global resources were wrapped in namespaces, so that they are visible only to processes running in the same namespace? For example, you can take a chunk of disk and place it in namespace X; processes running in namespace Y then cannot see or access it. Similarly, processes in namespace X cannot access anything in memory that is allocated to namespace Y. Of course, processes in X also cannot see or communicate with processes in namespace Y. This provides a kind of virtualization and isolation for global resources.
  This is how Docker works: each container runs in its own namespace but uses exactly the same kernel as all other containers. The isolation works because the kernel knows which namespace was assigned to a process and, during API calls, ensures that the process can only access resources in its own namespace.
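The kernel's namespace assignment is visible under `/proc/<pid>/ns`, which makes it possible to check whether a container process really is isolated from the host. The following is an added example, not code from the original page; the sample namespace identifiers are constructed, and `shared_with_host` is a name chosen here for illustration.

```python
import os

# Namespace types exposed under /proc/<pid>/ns on Linux.
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def read_namespaces(pid="self", proc_root="/proc"):
    """Return {type: identifier} for a process, e.g. {'net': 'net:[4026531840]'}.

    Each entry in /proc/<pid>/ns is a symlink whose target names the
    namespace; two processes share a namespace when the targets match.
    """
    result = {}
    for ns in NS_TYPES:
        try:
            result[ns] = os.readlink(
                os.path.join(proc_root, str(pid), "ns", ns))
        except OSError:
            continue  # kernel lacks this type, or no permission to read it
    return result


def shared_with_host(host_ns, container_ns):
    """List the namespace types in which the container is NOT isolated."""
    return sorted(ns for ns, ident in container_ns.items()
                  if host_ns.get(ns) == ident)


# Constructed sample data (identifiers are made up): PID 1 on the host and
# a container process that was started in the host's network namespace.
HOST_INIT = {"ipc": "ipc:[4026531839]", "mnt": "mnt:[4026531841]",
             "net": "net:[4026531840]", "pid": "pid:[4026531836]",
             "uts": "uts:[4026531838]"}
CONTAINER = {"ipc": "ipc:[4026532301]", "mnt": "mnt:[4026532299]",
             "net": "net:[4026531840]", "pid": "pid:[4026532302]",
             "uts": "uts:[4026532300]"}

if __name__ == "__main__":
    print("shared with host:", shared_with_host(HOST_INIT, CONTAINER))
    # On a Linux host, read_namespaces(1) and read_namespaces(<pid>) give
    # the real values for the comparison (reading PID 1 may need root).
    print("own namespaces:", read_namespaces())
```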

 

What is the Docker Hub?

  Docker Hub is a cloud-based registry service that allows you to link to code repositories, build and test your images, store manually pushed images, and link to Docker Cloud so that you can deploy images to your hosts. It provides a centralized resource for container image discovery, distribution and change management, user and team collaboration, and workflow automation throughout the development process.

 

Images and UnionFS

  Linux namespaces and control groups solve the problem of isolating different resources: the former isolate processes, the network and the file system, while the latter isolate CPU, memory and other resources. Docker has one more very important problem to solve, however: images. A Docker image is essentially a compressed archive. We can use a command to export a Docker image to a file, and you can see that the directory structure inside the image differs little from the root directory of a Linux operating system, so a Docker image can be said to be a file.

 

 

Storage drivers

 

  Docker uses a series of different storage drivers to manage the file systems inside images and to run containers. These storage drivers are somewhat different from Docker volumes; the storage engine manages storage that can be shared among multiple containers. When a container is created from an image with the docker run command, a writable layer, the container layer, is added on top of the image, and all runtime changes to the container are actually reads and writes against that container layer. The difference between an image and a container is that all images are read-only, while each container is effectively an image plus a writable layer, which means that one image can correspond to multiple containers.
  UnionFS is a file system service designed for the Linux operating system that "unions" multiple file systems onto the same mount point. AUFS, that is, Advanced UnionFS, is an upgraded version of UnionFS that provides better performance and efficiency. AUFS is only one of the storage drivers Docker uses; Docker supports several storage drivers, including aufs, devicemapper, overlay2, zfs, vfs and so on. In the latest Docker, overlay2 has replaced aufs as the recommended storage driver, but on machines without the overlay2 driver Docker still uses aufs as the default driver.
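The stacking of read-only image layers under a writable container layer can be modelled with plain tar archives. The following is an added example, not code from the original page or from Docker; it assumes the `.wh.` whiteout naming used in image layer archives, represents the container layer as a tar archive for simplicity, does not handle opaque-directory markers, and uses constructed sample layers. It shows that a file removed by a later layer is only hidden from the merged view and is still stored in the lower layer.

```python
import io
import tarfile

WH = ".wh."  # whiteout prefix used in image layer archives


def make_layer(files):
    """Build an in-memory tar layer from {path: bytes} (sample-data helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_layer(layer):
    """Return {path: bytes} for the regular files stored in one layer."""
    with tarfile.open(fileobj=io.BytesIO(layer)) as tar:
        return {m.name: tar.extractfile(m).read()
                for m in tar.getmembers() if m.isfile()}


def merged_view(layers):
    """Stack layers bottom-up, as the union mount presents them."""
    view = {}
    for layer in layers:
        files = read_layer(layer)
        for path in files:
            parent, _, name = path.rpartition("/")
            if name.startswith(WH):  # hide the named path from lower layers
                gone = (parent + "/" if parent else "") + name[len(WH):]
                view = {p: d for p, d in view.items()
                        if p != gone and not p.startswith(gone + "/")}
        view.update({p: d for p, d in files.items()
                     if not p.rpartition("/")[2].startswith(WH)})
    return view


# Constructed sample: two read-only image layers and one container layer.
BASE = make_layer({"etc/app.conf": b"mode=prod\n",
                   "etc/build.key": b"SAMPLE-KEY\n"})
CLEANUP = make_layer({"etc/.wh.build.key": b""})        # "deletes" the key
CONTAINER_RW = make_layer({"etc/app.conf": b"mode=debug\n"})

if __name__ == "__main__":
    print(merged_view([BASE, CLEANUP, CONTAINER_RW]))   # key is hidden
    print(read_layer(BASE)["etc/build.key"])            # but still stored
```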

 

 


Origin www.cnblogs.com/lingboweifu/p/11896945.html