![Page 1: Understand how docker works](https://reader033.vdocuments.site/reader033/viewer/2022051521/587b230c1a28ab736c8b6fcb/html5/thumbnails/1.jpg)
Understand how Docker works
小拿@果壳 2015.10.28
Outline
• Virtualization
• Hypervisor
• chroot, namespaces, cgroups, AuFS
• LXC
• Container
• Docker
Virtualization
Virtualization is a proven software technology that makes it possible to run multiple operating systems
and applications on the same server at the same time.
Features
• transform hardware to software
• run multiple operating systems as virtual machines
Intuitive Idea
Hypervisor (VMM)
a “meta” operating system in a virtualized environment
Types of Hypervisors
• native or bare-metal hypervisors
• hosted hypervisors
Bare-Metal Hypervisor
Hosted Hypervisor
Space-Time Analysis
• heavy
• slow
docker is a lightweight
(giant 1) chroot
A chroot on Unix operating systems is an operation that changes the apparent root directory for the
current running process and its children.
chroot jail
root directory
two Linux process resource management solutions
• namespaces (what you have)
• cgroups (what you can do)
(giant 2) Linux Namespace
• A lightweight process virtualization
• Isolation: Enable a process to have different views of the system than other processes.
Features
• PID namespace provides isolation for the allocation of process identifiers (PIDs), lists of processes and their details. While the new namespace is isolated from its siblings, processes in its parent namespace still see all processes in child namespaces, albeit with different PID numbers.
• Network namespace isolates the network interface controllers (physical or virtual), iptables firewall rules, routing tables etc. Network namespaces can be connected with each other using the "veth" virtual Ethernet device.
• UTS namespace allows changing the hostname.
• Mount namespace allows creating a different file system layout, or making certain mount points read-only.
• IPC namespace isolates the System V inter-process communication between namespaces.
• User namespace isolates the user IDs between namespaces.
Operations
• CLONE_NEWIPC
• CLONE_NEWNET
• CLONE_NEWNS
• CLONE_NEWPID
• CLONE_NEWUSER
• CLONE_NEWUTS
Example (PID) from coolshell
Example (PID)
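The coolshell PID-namespace example the slides refer to is not reproduced in this transcript. The following is an added C example (not the deck's or coolshell's code) that does the same thing: clone() a child into a new PID namespace (plus a user namespace, an assumption made so it can run without root on kernels that permit unprivileged user namespaces) and report how the same process is numbered on each side, which is exactly the "parent still sees it, with a different PID" point made above. If the kernel refuses the clone, the errno is returned instead of a result.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (1024 * 1024)
static char child_stack[STACK_SIZE];   /* stack for the single child we spawn */

struct ns_result {
    pid_t pid_in_parent;   /* PID the parent sees (host-side numbering) */
    pid_t pid_in_child;    /* PID the child sees from inside the new namespace */
    int   err;             /* errno from clone()/pipe(), 0 on success */
};

/* Runs inside the new PID namespace: report our own PID back over a pipe. */
static int child_main(void *arg) {
    int *fds = arg;
    pid_t self = getpid();             /* first process in CLONE_NEWPID is PID 1 */
    (void)write(fds[1], &self, sizeof self);
    close(fds[1]);
    return 0;
}

/* Create a child in a fresh user + PID namespace and collect both views of its PID. */
struct ns_result spawn_in_new_pid_ns(void) {
    struct ns_result r = { -1, -1, 0 };
    int fds[2];
    if (pipe(fds) != 0) { r.err = errno; return r; }
    int flags = CLONE_NEWUSER | CLONE_NEWPID | SIGCHLD;  /* assumption: unprivileged userns allowed */
    pid_t pid = clone(child_main, child_stack + STACK_SIZE, flags, fds);
    close(fds[1]);
    if (pid < 0) { r.err = errno; close(fds[0]); return r; }
    r.pid_in_parent = pid;
    if (read(fds[0], &r.pid_in_child, sizeof r.pid_in_child) != (ssize_t)sizeof r.pid_in_child)
        r.err = EIO;                   /* child died before reporting */
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return r;
}

int main(void) {
    struct ns_result r = spawn_in_new_pid_ns();
    if (r.err) { fprintf(stderr, "clone failed: %s\n", strerror(r.err)); return 1; }
    printf("parent sees PID %d, child sees PID %d\n", (int)r.pid_in_parent, (int)r.pid_in_child);
    return 0;
}
```

On a host that allows it, the child reports PID 1 while the parent sees an ordinary host PID; on a locked-down host (seccomp or unprivileged user namespaces disabled) the clone fails with EPERM, which is itself a useful check of how much namespace creation a workload is allowed.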
(giant 3) cgroups
cgroups is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.
Features
• Resource limitation: groups can be set to not exceed a configured memory limit, which also includes the file system cache
• Prioritization: some groups may get a larger share of CPU utilization or disk I/O throughput
• Accounting: measures how many resources certain groups use, which may be used, for example, for billing purposes
• Control: freezing the groups of processes, their checkpointing and restarting
Operations
Example (CPU) from coolshell
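The coolshell CPU example referenced here is likewise absent from the transcript. As an added C example (not the deck's or coolshell's code), the block below covers two of the features listed above: resource limitation, by writing a CPU quota into a cgroup and moving a process into it, and accounting, by parsing the cgroup's cpu.stat file. It assumes the cgroup v2 layout (a unified hierarchy under /sys/fs/cgroup with cpu.max, cgroup.procs and cpu.stat); the cpu.stat text in the block is a constructed sample, not a real capture.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write one value into a cgroup control file; returns 0 or an errno value. */
static int cg_write(const char *dir, const char *file, const char *value) {
    char path[512];
    snprintf(path, sizeof path, "%s/%s", dir, file);
    FILE *f = fopen(path, "w");
    if (!f) return errno;
    if (fputs(value, f) < 0) { int e = errno; fclose(f); return e; }
    return fclose(f) == 0 ? 0 : errno;   /* the kernel reports bad values on close/write */
}

/* Resource limitation (cgroup v2): allow quota_us of CPU time per period_us,
 * e.g. 50000/100000 = half a CPU, then move pid into the group.
 * Needs write access to the hierarchy, normally root. Returns 0 or errno. */
int cg_limit_cpu(const char *dir, long quota_us, long period_us, pid_t pid) {
    char buf[64];
    if (mkdir(dir, 0755) != 0 && errno != EEXIST) return errno;
    snprintf(buf, sizeof buf, "%ld %ld", quota_us, period_us);
    int rc = cg_write(dir, "cpu.max", buf);
    if (rc) return rc;
    snprintf(buf, sizeof buf, "%d", (int)pid);
    return cg_write(dir, "cgroup.procs", buf);
}

/* Accounting: extract usage_usec and nr_throttled from cpu.stat text.
 * Returns 0 when both keys were found, -1 otherwise. */
int cg_parse_cpu_stat(const char *text, long long *usage_usec, long long *nr_throttled) {
    int found = 0;
    for (const char *p = text; p && *p; p = p ? p + 1 : NULL) {
        char key[32]; long long v;
        if (sscanf(p, "%31s %lld", key, &v) == 2) {
            if (strcmp(key, "usage_usec") == 0)   { *usage_usec = v;   found |= 1; }
            if (strcmp(key, "nr_throttled") == 0) { *nr_throttled = v; found |= 2; }
        }
        p = strchr(p, '\n');
    }
    return found == 3 ? 0 : -1;
}

/* Constructed sample of a cgroup v2 cpu.stat file (not a real capture). */
const char SAMPLE_CPU_STAT[] =
    "usage_usec 1234567\nuser_usec 1000000\nsystem_usec 234567\n"
    "nr_periods 100\nnr_throttled 7\nthrottled_usec 140000\n";
```

A non-zero nr_throttled is the signal that the quota is actually biting, which is what you want to see when verifying that a noisy container cannot starve its neighbours.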
LXC
LinuX Container = namespaces + cgroups
(giant 4) AuFS
AuFS (Advanced multi layered Unification FileSystem) implements a union mount for Linux file systems.
“When I see a bird that walks like a duck and swims like a duck and quacks like a duck,
I call that bird a duck.”
Duck Typing
Docker = LXC + AuFS
• chroot
• namespaces
• cgroups
• aufs
• …
Container
Pros and Cons
Pros and Cons
Why must boot2docker be installed?
Why does it only contain Linux distros?