Getting started with Docker

Docker User Guide (1) - Basic operations
Docker User Guide (2) - Setting up a local registry
Docker User Guide (3) - Network configuration
Docker User Guide (4) - Using data volumes
Docker User Guide (5) - Dockerfile in detail
Docker User Guide (6) - Deploying a Django container stack with Docker

Docker compared with virtual machines

Virtual machines

A virtual machine is a simulated system: at the software level it emulates the hardware's inputs and outputs so that the guest operating system can run without physical hardware of its own (that is, on top of the host operating system). The program that performs this hardware emulation and lets the guest OS boot is called the hypervisor.

As a rule a virtual machine has its own kernel and its own (virtual) hardware, so booting it means going through the power-on self test, starting the kernel, starting user processes, and so on. Even on fast hardware this sequence takes tens of seconds, so a VM needs tens of seconds to start.


Containers

When the host and the "virtual machine" share one and the same kernel (the difference from a VM: nothing has to relay hardware I/O any more, only kernel I/O), the result is called operating-system-level virtualization, also known as a container.
Inside a VM, the guest believes it has its own independent file system, process table, memory, and so on. For a container to come close to a VM it also needs its own file system, process table, memory and the rest. The host achieves this by isolation: as long as the container is prevented from seeing the host's file system, processes, memory and so on, it behaves much like a virtual machine.


Docker is one kind of container.

Docker learning materials (in English)

Tools

Moby = open source development

Docker CE = free product release based on Moby

Docker EE = commercial product release based on Docker CE.

Docker EE is on the same code base as Docker CE, so also built from Moby, with commercial components added, such as “docker data center / universal control plane”

Continuous Integration / Continuous Delivery

  • Awesome-ciandcd - Not specific to docker but relevant.
  • Buddy - The best of Git, build & deployment tools combined into one powerful tool that supercharged our development.
  • Captain - Convert your Git workflow to Docker containers ready for Continuous Delivery by @harbur.
  • Cyclone - A cloud native CI/CD platform built for container workflow by @caicloud.
  • Docker plugin for Jenkins - The aim of the docker plugin is to be able to use a docker host to dynamically provision a slave, run a single build, then tear-down that slave.
  • Dockunit - Docker based integration tests. A simple Node based utility for running Docker based unit tests. By @dockunit
  • DockerSpec - A small Ruby Gem to run RSpec and Serverspec, Infrataster and Capybara tests against Dockerfiles or Docker images easily. By @zuazo
  • Drone - Continuous integration server built on Docker and configured using YAML files.
  • GitLab CI - GitLab has integrated CI to test, build and deploy your code with the use of GitLab runners.
  • GOCD-Docker - Go Server and Agent in docker containers to provision.
  • InSpec - InSpec is an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements. By @chef
  • Microservices Continuous Deployment - Continuous deployment of a microservices application.
  • Screwdriver - Yahoo's OpenSource build platform designed for Continuous Delivery.
  • Skipper - Easily dockerize your Git repository by @Stratoscale
  • SwarmCI - Create a distributed, isolated task pipeline in your Docker Swarm.
  • Watchtower - Automatically update running Docker containers by @CenturyLinkLabs

CI Services

  • CircleCI - Push or pull Docker images from your build environment, or build and run containers right on CircleCI.
  • CodeFresh - Everything you need to build, test, and share your Docker applications. Provides automated end to end testing.
  • CodeShip - Work with your established Docker workflows while automating your testing and deployment tasks with our hosted platform dedicated to speed and security.
  • ConcourseCI - A CI SaaS platform for developers and DevOps teams pipeline oriented.
  • Semaphore CI - A high-performance cloud solution that makes it easy to build, test and ship your containers to production.
  • Shippable - A SaaS platform for developers and DevOps teams that significantly reduces the time taken for code to be built, tested and deployed to production.
  • IBM DevOps Services - Continuous delivery using a pipeline deployment onto IBM Containers on Bluemix.
  • TravisCI - A Free github projects continuous integration Saas platform for developers and Devops.
  • Wercker - A Docker-Native continuous integration & deployment automation platform for Kubernetes & Microservice Deployments.

Deployment and Infrastructure

  • Centurion - Centurion is a mass deployment tool for Docker fleets. It takes containers from a Docker registry and runs them on a fleet of hosts with the correct environment variables, host volume mappings, and port mappings. By @newrelic
  • Clocker - Clocker creates and manages a Docker cloud infrastructure. Clocker supports single-click deployments and runtime management of multi-node applications that run as containers distributed across multiple hosts, on both Docker and Marathon. It leverages Calico and Weave for networking and Brooklyn for application blueprints. By @brooklyncentral
  • Conduit - Experimental deployment system for Docker by @ehazlett
  • depcon - Depcon is written in Go and allows you to easily deploy Docker containers to Apache Mesos/Marathon, Amazon ECS and Kubernetes. By @gonodr
  • deploy - Git and Docker deployment tool. A middle ground between simple Docker composition tools and full blown cluster orchestration. Declarative configuration and short commands for managing (syncing, building, running) of infrastructures of more than a few services. Able to deploy whole preconfigured server or system of services with a single line (without having to scroll the line).
  • Docket - Custom docker registry that allows for lightning fast deploys through bittorrent by @netvarun
  • dockit - Do docker actions and Deploy gluster containers! By @humblec
  • Longshoreman - Longshoreman automates application deployment using Docker. Just create a Docker repository (or use a service), configure the cluster using AWS or Digital Ocean (or whatever you like) and deploy applications using a Heroku-like CLI tool. By longshoreman
  • rocker-compose - Docker composition tool with idempotency features for deploying apps composed of multiple containers. By @grammarly
  • Zodiac - A lightweight tool for easy deployment and rollback of dockerized applications. By @CenturyLinkLabs

Developer Tools

Development Environments

  • Binci - Containerize your development workflow. (formerly DevLab by @TechnologyAdvice)
  • Devstep - Development environments powered by Docker and buildpacks by @fgrehm
  • Docker osx dev - A productive development environment with Docker on OS X by @brikis98
  • Docker-sync - Drastically improves performance (50-70x) when using Docker for development on Mac OS X/Windows and Linux while sharing code to the container. By @EugenMayer
  • Stacker - Docker Compose Templates. Stacker provides an abstraction layer over Docker Compose and a better DX (developer experience).
  • Vagga - Vagga is a containerisation tool without daemons. It is a fully-userspace container engine inspired by Vagrant and Docker, specialized for development environments by @tailhook

Docker Compose file

Dockerfile

Garbage Collection

Hosting Images (registries)

Services to securely store your Docker images.
  • Amazon EC2 Container Registry - Amazon EC2 Container Registry (ECR) is a fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images.
  • Atomic Registry - Red Hat Atomic Registry is an open source enterprise registry based on the Origin and Cockpit projects, enhancing the Docker registry library.
  • Azure Container Registry - Manage a Docker private registry as a first-class Azure resource
  • CargoOS - A bare essential OS for running the Docker Engine on bare metal or Cloud.
  • Cycle.io - Bare-metal container hosting.
  • Docker Hub - provided by Docker Inc.
  • Docker Registry v2 - The Docker toolset to pack, ship, store, and deliver content
  • GCE Container Registry - Fast, private Docker image storage on Google Cloud Platform
  • GitLab Container Registry - Repositories focused on using its images in GitLab CI
  • Quay.io (part of CoreOS) - Secure hosting for private Docker repositories
  • Rescoyl - Private Docker registry (free and open source) by @noteed
  • Sonatype Nexus - Repository with Universal Support, also for Docker images
  • TreeScale - Build and Distribute container based applications.
  • VMWare Harbor - Project Harbor by VMWare is an enterprise-class registry server that stores and distributes Docker images. Harbor extends the open source Docker Distribution by adding the functionalities usually required by an enterprise, such as security, identity and management.

Image Builder

  • bocker (2) - Write Dockerfile completely in Bash. Extensible and simple. –> Reusable by @icy
  • box - Build Dockerfile images with a mruby DSL, includes flattening and layer manipulation
  • container-factory - Produces Docker images from tarballs of application source code by @mutable
  • dlayer - Stats collector for Docker layers by @wercker
  • docker-companion - A command line tool written in Golang to squash and unpack docker images by @mudler
  • docker-make - Build, tag, and push a bunch of related docker images via a single command.
  • DockerSlim - Shrinks fat Docker images, creating the smallest possible images.
  • elsy - An opinionated, multi-language, build tool based on Docker and Docker Compose
  • flyimg - Docker image resizing, cropping, and compression on the fly.
  • habitus - A Build Flow Tool for Docker http://www.habitus.io by @cloud66
  • MicroBadger - Analyze the contents of images and add metadata labels
  • packer - Hashicorp tool to build machine images including docker image integrated with configuration management tools like chef, puppet, ansible
  • portainer - Apache Mesos framework for building Docker images by @duedil-ltd
  • rocker - Extended Dockerfile builder. Supports multiple FROMs, MOUNTS, templates, etc. by .
  • SkinnyWhale - Skinnywhale helps you make smaller (as in megabytes) Docker containers.
  • Whales - A tool to automatically dockerize your applications by @icalialabs.

Linter / Validator

Local Container Manager

Monitoring & Logging

  • cAdvisor - Analyzes resource usage and performance characteristics of running containers. Created by @Google
  • Docker-Fluentd - Docker container to Log Other Containers’ Logs. One can aggregate the logs of Docker containers running on the same host using Fluentd by @kiyoto
  • Docker-mon - Console-based Docker monitoring by @icecrime
  • Dockerana - packaged version of Graphite and Grafana, specifically targeted at metrics from Docker.
  • DoMonit - A simple Docker Monitoring wrapper For Docker API
  • Dynatrace - Monitor containerized applications without installing agents or modifying your Run commands
  • Glances - A cross-platform curses-based system monitoring tool written in Python by @nicolargo
  • Grafana Docker Dashboard Template - A template for your Docker, Grafana and Prometheus stack @vegasbrianc
  • InfluxDB, cAdvisor, Grafana - InfluxDB Time series DB in combination with Grafana and cAdvisor by @vegasbrianc
  • LogJam - Logjam is a log forwarder designed to listen on a local port, receive log entries over UDP, and forward these messages on to a log collection server (such as logstash) by @gocardless
  • Logsene for Docker Monitoring of Metrics, Events and Logs implemented in Node.js. Integrated logagent-js to detect and parse various log formats. @sematext
  • Logspout - Log routing for Docker container logs by @gliderlabs
  • Out-of-the-box Host/Container Monitoring/Logging/Alerting Stack - Docker host and container monitoring, logging and alerting out of the box using cAdvisor, Prometheus, Grafana for monitoring, Elasticsearch, Kibana and Logstash for logging and elastalert and Alertmanager for alerting. Set up in 5 Minutes. Secure mode for production use with built-in Automated Nginx Reverse Proxy (jwilder’s).
  • Seagull - Friendly Web UI to monitor docker daemon. by @tobegit3hub
  • Zabbix Docker module - Zabbix module that provides discovery of running containers, CPU/memory/blk IO/net container metrics. Systemd Docker and LXC execution driver is also supported. It’s a dynamically linked shared object library, so its performance is (~10x) better, than any script solution.
  • Zabbix Docker - Monitor containers automatically using zabbix LLD feature.
  • Docker-Alertd - Monitor and send alerts based on docker container resource usage/statistics

Monitoring & Logging Services

  • AppDynamics - AppDynamics gives enterprises real-time insights into application performance, user performance, and business performance so they can move faster in an increasingly sophisticated, software-driven world.
  • Axibase Time-Series Database - Long-term retention of container statistics and built-in dashboards for Docker. Collected with native Google cAdvisor storage driver.
  • CA Technologies Docker Monitoring - $$$ - Agile Operations solutions from CA deliver the modern Docker monitoring businesses need to accelerate and optimize the performance of microservices and the dynamic Docker environments running them. Monitor both the Docker environment and apps that run inside them.
  • Collecting docker logs and stats with Splunk
  • CoScale - Full stack monitoring for containerized applications and microservices. Powered by anomaly detection to find performance problems faster.
  • Datadog - Datadog is a full-stack monitoring service for large-scale cloud environments that aggregates metrics/events from servers, databases, and applications. It includes support for Docker, Kubernetes, and Mesos.
  • Meros - Analyzes containers resources, captures logs, remote web SSH terminal and powerful DevOps alerts.
  • Prometheus - Open-source service monitoring system and time series database
  • Sysdig - An open source troubleshooting tool that provides a rich set of real-time, system-level information. It has container-specific features and is very useful in Docker environments.
  • Site24x7 - Docker Monitoring for DevOps and IT is a SaaS Pay per Host model
  • SPM for Docker - Monitoring of host and container metrics, Docker events and logs. Automatic log parser. Anomaly Detection and alerting for metrics and logs. @sematext

Networking

  • Calico-Docker - Calico is a pure layer 3 virtual network that allows containers over multiple docker-hosts to talk to each other.
  • Flannel - Flannel is a virtual network that gives a subnet to each host for use with container runtimes. By @coreos
  • netshoot - The netshoot container has a powerful set of networking tools to help troubleshoot Docker networking issues by @nicolaka
  • Weave (The Docker network) - Weave creates a virtual network that connects Docker containers deployed across multiple hosts.

PaaS

  • Atlantis - Atlantis is an Open Source PaaS for HTTP applications built on Docker and written in Go
  • Convox Rack - Convox Rack is open source PaaS built on top of expert infrastructure automation and devops best practices.
  • Dcw - Docker-compose SSH wrapper: a very poor man PaaS, exposing the docker-compose and custom-container commands defined in container labels.
  • Dokku - Docker powered mini-Heroku that helps you build and manage the lifecycle of applications (originally by @progrium)
  • Empire - A PaaS built on top of Amazon EC2 Container Service (ECS)
  • Flynn - A next generation open source platform as a service
  • Nanobox - A micro-PaaS (μPaaS) for creating consistent, isolated, development environments deployable anywhere
  • OpenShift - An open source PaaS built on Kubernetes and optimized for Dockerized app development and deployment by Red Hat
  • Tsuru - Tsuru is an extensible and open source Platform as a Service software
  • Workflow - The open source PaaS for Kubernetes by Deis. Formerly Deis v1.

Remote Container Manager / Orchestration

  • Awesome Kubernetes by @ramitsurana
  • autodock - Daemon for Docker Automation by @prologic
  • blimp - Uses Docker Machine to easily move a container from one Docker host to another, show containers running against all of your hosts, replicate a container across multiple hosts and more by @defermat and @schvin
  • Capitan - Composable docker orchestration with added scripting support by @byrnedo.
  • CloudSlang - CloudSlang is a workflow engine to create Docker process automation
  • clusterdock - Docker container orchestration to enable the testing of long-running cluster deployments
  • ContainerShip A simple container management platform
  • CoreOS - Linux for Massive Server Deployments
  • Crane - Control plane based on docker built-in swarm @Dataman-Cloud
  • Deploying a Containerized App on a Public Node with Mesos - Docker plus Mesosphere provides an easy way to automate and scale deployment of containers in a production environment
  • ElasticKube - Open source management platform for Kubernetes
  • Fleet - A Distributed init System providing low-level orchestration by @coreos
  • Flocker - Flocker is a data volume manager and multi-host Docker cluster management tool by @ClusterHQ
  • gantryd - A framework for easy management of docker-based components across machines by @DevTable
  • Haven - Haven is a simplified container management platform that integrates container, application, cluster, image, and registry managements. By @codeabovelab
  • Helios - A simple platform for deploying and managing containers across an entire fleet of servers by @spotify
  • Kontena - Application Containers for Masses https://www.kontena.io/
  • Kubernetes - Open source orchestration system for Docker containers by Google
  • Maestro - Maestro provides the ability to easily launch, orchestrate and manage multiple Docker containers as a single unit by @tascanini
  • Mantl - Mantl is a modern platform for rapidly deploying globally distributed services
  • Marathon - Marathon is a private PaaS built on Mesos. It automatically handles hardware or software failures and ensures that an app is “always on”
  • MCollective Docker Agent - Uses MCollective to orchestrate your Docker containers and images by @m4ce
  • Nomad - Easily deploy applications at any scale. A Distributed, Highly Available, Datacenter-Aware Scheduler by @hashicorp
  • Panamax - An open-source project that makes deploying complex containerized apps as easy as Drag-and-Drop by @CenturyLinkLabs.
  • Portainer - A lightweight management UI for managing your Docker host or Docker Swarm cluster (previously DockerUI by @kevana)
  • Rancher - An open source project that provides a complete platform for operating Docker in production by @rancher.
  • Serf - Service orchestration and management tool by @hashicorp
  • Shipyard - Composable Docker Management
  • Swarmpit - Lightweight Docker Swarm orchestration. Swarmpit provides clean way to manage your Docker Swarm cluster with various handful features such Service management, smart search, shared access and private registries.

Reverse Proxy

Security

  • CIS Docker Benchmark - This InSpec compliance profile implement the CIS Docker 1.12.0 Benchmark in an automated way to provide security best-practice tests around Docker daemon and containers in a production environment. By @dev-sec
  • Clair - Clair is an open source project for the static analysis of vulnerabilities in appc and docker containers. By @coreos
  • docker-bench-security - script that checks for dozens of common best-practices around deploying Docker containers in production. By @docker
  • notary - a server and a client for running and interacting with trusted collections. By @docker
  • oscap-docker - OpenSCAP provides oscap-docker tool which is used to scan Docker containers and images. By RedHat
  • Twistlock $$$ - Twistlock Security Suite detects vulnerabilities, hardens container images, and enforces security policies across the lifecycle of applications.

Serverless

  • AMP - The open source unified CaaS/FaaS platform for Docker, batteries included. By @Appcelerator
  • Apache OpenWhisk - a serverless, open source cloud platform that executes functions in response to events at any scale. By @apache
  • Docker-Lambda - Docker images and test runners that replicate the live AWS Lambda environment. By @lamb-ci
  • FaaS - Docker Serverless/Functions as a Service (on Docker Swarm). By @alexellis
  • Funker - Functions as Docker containers example voting app. By @bfirsh
  • IronFunctions - The serverless microservices platform FaaS (Functions as a Service) which uses Docker containers to run any language or AWS Lambda functions
  • SCAR - Serverless Container-aware Architectures (SCAR) is a serverless framework that allows easy deployment and execution of containers (e.g. Docker) in Serverless environments (e.g. Lambda) by @grycap

Service Discovery

Services for running containers

  • Amazon ECS - A management service on EC2 that supports Docker containers.
  • Arukas - Heroku-inspired CaaS
  • Azure ACS - A management service on Azure Virtual Machines that supports Docker containers.
  • Cloud 66 - Full-stack hosted container management as a service
  • Codenvy - One-click Docker environments and cloud workspace for development teams
  • ContainerShip Cloud - Multi-Cloud Container Hosting Automation Platform.
  • DataMC - DataMc is a PaaS for Production ready and fully managed Data Platform
  • Docker Cloud - Former Tutum
  • Dockhero - Dockhero is a Heroku add-on which turns a Docker image into a microservice attached to the Heroku app. Currently in beta.
  • Giant Swarm - Simple microservice infrastructure. Deploy your containers in seconds.
  • Google Container Engine - Docker containers on Google Cloud Computing powered by Kubernetes.
  • Hyper_ - Secure container hosting service with “nano-containers” and per-second billing.
  • IBM Bluemix Container Service - Run Docker containers in a hosted cloud environment on IBM Bluemix.
  • OpenShift Dedicated - A hosted OpenShift cluster for running your Docker containers managed by Red Hat.
  • Sloppy.io - all-in-one solution for container deployment and hosting – made and hosted in Germany
  • Triton - Elastic container-native infrastructure by Joyent.

Terminal User Interface

Testing

  • dgoss - A fast YAML based tool for validating docker containers.
  • Pumba - Chaos testing tool for Docker. Can be deployed on Kubernetes and CoreOS clusters.

Utilities

  • athena - An automation platform with a plugin architecture that allows you to easily create and share services.
  • Chaperone - A single PID1 process designed for docker containers. Does user management, log management, startup, zombie reaping, all in one small package. by @garywiz
  • codelift - CodeLift is an automated Docker image build utility for ‘dockerizing’ services by @BoozAllen
  • Composerize - Convert docker run commands into docker-compose files
  • dexec - Command line interface written in Go for running code with Docker Exec images.
  • dext-docker-registry-plugin - Search the Docker Registry with the Dext smart launcher.
  • Docker meets the IDE - Integrating your favorite containers in the editor of your choice by domeide
  • Docker Volume Clone Utility - A Docker Utility to Clone Volumes @gdiepen
  • docker-compose-search - A search engine for Docker Compose application stacks by @francescou
  • docker-do - hassle-free docker run, like env but for docker by @benzaita
  • docker-gen - Generate files from docker container meta-data by @jwilder
  • docker-ls - CLI tools for browsing and manipulating docker registries by @mayflower
  • docker-replay - Generate docker run command and options from running containers. By bcicen
  • docker-volumes - Docker Volume Manager by @cpuguy83
  • dockerize - Utility to simplify running applications in docker containers by @jwilder
  • Dockly - Dockly is a gem made to ease the pain of packaging an application in Docker by @swipely
  • dockramp - Proof of Concept: A Client Driven Docker Image Builder by @jlhawn
  • draw-compose - Utility to draw a schema of a docker compose by @Alexis-benoist
  • DVM - Docker version manager by @howtowhale
  • Eclipse Che - Developer workspace server with Docker runtimes, cloud IDE, next-generation Eclipse IDE
  • forward2docker - Utility to auto forward a port from localhost into ports on Docker containers running in a boot2docker VM by @bsideup
  • GoSu - Run this specific application as this specific user and get out of the pipeline (entrypoint script tool) by @tianon
  • ns-enter - no more ssh, enter name spaces of container by @jpetazzo
  • OctoLinker - A browser extension for GitHub that makes the image name in a Dockerfile clickable and redirect you to the related Docker Hub page.
  • percheron - Organise your Docker containers with muscle and intelligence by @ashmckenzie
  • Powerline-Docker - A Powerline segment for showing the status of Docker containers by @adrianmo
  • Squid-in-a-can - in case of proxy problem by @jpetazzo
  • TrivialRC - A minimalistic Runtime Configuration system and process manager for containers @vorakl
  • udocker - A tool to execute simple docker containers in batch or interactive systems without root privileges by @indigo-dc

Volume management and plugins

  • Blockbridge - The Blockbridge plugin is a volume plugin that provides access to an extensible set of container-based persistent storage options. It supports single and multi-host Docker environments with features that include tenant isolation, automated provisioning, encryption, secure deletion, snapshots and QoS. By @blockbridge
  • Convoy - an open-source Docker volume driver that can snapshot, backup and restore Docker volumes anywhere. By @rancher
  • Docker Unison - A docker volume container using Unison for fast two-way folder sync. Created as an alternative to slow boot2docker volumes on OS X. By @leighmcculloch
  • Netshare - A Docker volume plugin written in Go that supports mounting NFS, AWS EFS & CIFS volumes within a container. By @gondor
  • Docker Machine NFS - Activates NFS for an existing boot2docker box created through Docker Machine on OS X.
  • REX-Ray - Vendor agnostic storage orchestration engine to provide persistent storage for Docker containers as well as Mesos frameworks and tasks.
  • Local Persist - Specify a mountpoint for your local volumes (created via docker volume create) so that files will always persist and so you can mount to different directories in different containers.
  • Minio - S3 compatible object storage server in Docker containers

Web Interface

Useful Resources

Good Tips

Appendix (understanding the principles)

How Docker works

Docker is written in Go and relies on a set of features provided by the Linux kernel to do its work.

A system that can run Docker consists of two major parts:

  • Linux kernel components
  • Docker's own components

The Linux kernel features Docker uses include the following:

  • Cgroups - allocate hardware resources
  • Namespaces - isolate the execution space of different containers
  • AUFS (chroot) - build the file system of each container
  • SELinux - secure container networking
  • Netlink - let processes in different containers communicate with each other
  • Netfilter - port-based network firewall packet filtering for containers
  • AppArmor - protect container networking and execution
  • Linux Bridge - let containers on the same host or on different hosts communicate

How Docker runs on Linux

A Docker container shares the Linux kernel with its host. To give the container a VM-like independent file system, process table, memory and so on, the Linux host isolates it so that it cannot see the host's file system, processes, memory and the rest.

How Docker runs on macOS and Windows

boot2docker (http://boot2docker.io/ ) starts a virtual Linux kernel, and all Docker containers run on top of that kernel.

What Docker really sets out to do is standardize the interface to resource isolation (in the latest versions the Windows interface has also been abstracted into Docker's own model); strictly speaking it is an abstraction layer and carrier over all similar resource-isolation mechanisms.

File system isolation

Each process container runs in a completely independent root file system.

A container's file system is mounted under a directory of the host's real file system. Each container has a different mount point, and a container cannot climb above its own root directory, so file system isolation is achieved for every container.

External data volumes:

The path where files such as a WAR package are placed can be mapped to a path on the host, separating business logic from persistent data (similar to the MVC idea).

Resource isolation

Cgroups: cgroups are a Linux kernel feature that makes two things possible: limiting the resource usage (memory, CPU) of a group of Linux processes, and creating PID, UTS, IPC, network, user and mount namespaces for a process group.

Docker uses cgroups to allocate different system resources to each process container, keeping the resource usage of different processes apart.

Namespaces

Docker makes full use of a technology called namespaces to provide the isolated workspace we call a container. When you run a container, Docker creates a set of namespaces for it. This provides a layer of isolation: each application runs in its own namespaces and cannot reach anything outside them.

Some of the namespaces Docker uses:

  • pid namespace: process isolation (PID: Process ID)
  • net namespace: manages network interfaces (NET: Networking)
  • ipc namespace: manages inter-process communication resources (IPC: InterProcess Communication)
  • mnt namespace: manages mount points (MNT: Mount)
  • uts namespace: isolates kernel and version identifiers (UTS: Unix Timesharing System)

Namespaces make process isolation more flexible:

Linux creates a process with fork, which works in two steps:

  1. Copy the parent process in memory to obtain the "child process"; at this point the child is a plain clone of the parent's context, with identical contents
  2. Set the child's pid, parent_pid and the other fields that differ from the parent

As these steps show, a process shares most of its resources with its parent. To produce a process that looks like a virtual machine, we need a few extra steps beyond those of an ordinary process:

  • A custom rootfs: for example, put the executables and the rest of an entire Ubuntu distribution under /home/admin/ubuntu/; once rootfs is redefined as /home/admin/ubuntu, that path is mapped to "/"
  • Map its own pid to 0 and hide every other pid, so that its own pid is the only one in the system and it looks like a freshly booted system
  • User-name isolation: the user name can be set to "root"
  • Hostname isolation: a new hostname can be chosen as the hostname of the newly started process
  • IPC isolation: cut off communication between processes
  • Network isolation: cut off networking between the process and the host

The code for these isolation mechanisms is already provided in the Linux kernel.

So although Docker prepares the rootfs path, the files inside the image and the configuration of the various resource isolations, when it starts a container it only calls isolation facilities that are already built into the system; and the kernel's support for them is itself just a resource-isolation extension layered on top of process creation. This explains two characteristics of Docker:

  • Fast startup, because a container is fundamentally not as different from a process as one might think: they share a great deal of code and the flows are much the same
  • A minimum Linux kernel version, because Linux only began supporting these isolation features from a certain version onward
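The following added example (written for this page, not code from Docker or the kernel) does by hand what the namespace section above describes: a single clone() call with namespace flags yields a child that sees itself as the first process of a fresh pid namespace and can rename its own hostname without touching the host's. It assumes a Linux kernel with user namespaces enabled; the hostname "ns-demo" is a constructed value, and where a seccomp filter or sandbox refuses the call the function returns -errno rather than crashing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stable kernel ABI values, defined here only if <sched.h> did not expose
 * them (it does so only when _GNU_SOURCE was defined before any include). */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000  /* mount namespace: private mount table / rootfs */
#endif
#ifndef CLONE_NEWUTS
#define CLONE_NEWUTS  0x04000000  /* hostname and domain name */
#endif
#ifndef CLONE_NEWIPC
#define CLONE_NEWIPC  0x08000000  /* System V IPC, POSIX message queues */
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000  /* uid/gid mapping; lets a non-root caller do this */
#endif
#ifndef CLONE_NEWPID
#define CLONE_NEWPID  0x20000000  /* child becomes pid 1 of a new pid namespace */
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET  0x40000000  /* empty network stack, only a loopback device */
#endif

/* Compatible prototype in case <sched.h> did not declare clone(). */
extern int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);

#define STACK_SIZE (1024 * 1024)
static char child_stack[STACK_SIZE];      /* clone() wants the top of the stack */

struct child_args { int pipe_wr; };

/* Runs inside the new namespaces: rename the host (visible only in the new
 * UTS namespace) and report the pid we see back to the parent via the pipe. */
static int child_main(void *arg) {
    struct child_args *a = arg;
    const char *name = "ns-demo";         /* constructed value; any name works */
    sethostname(name, strlen(name));      /* allowed: we created the UTS namespace */
    pid_t seen = getpid();
    ssize_t n = write(a->pipe_wr, &seen, sizeof seen);
    close(a->pipe_wr);
    return n == (ssize_t)sizeof seen ? 0 : 1;
}

/* Creates a child in fresh user, pid, uts, ipc, mount and net namespaces.
 * Returns the pid the child observed (1 when the pid namespace took effect),
 * or -errno when the kernel, a seccomp filter or the sandbox refused. */
int run_isolated_child(void) {
    int fds[2];
    char before[256] = {0}, after[256] = {0};
    gethostname(before, sizeof before - 1);
    if (pipe(fds) != 0) return -errno;
    struct child_args a = { .pipe_wr = fds[1] };
    int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | CLONE_NEWIPC |
                CLONE_NEWNS | CLONE_NEWNET | SIGCHLD;
    pid_t pid = clone(child_main, child_stack + STACK_SIZE, flags, &a);
    if (pid < 0) {
        int e = errno;
        close(fds[0]); close(fds[1]);
        return -e;
    }
    close(fds[1]);
    pid_t seen = -1;
    ssize_t n = read(fds[0], &seen, sizeof seen);
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    if (n != (ssize_t)sizeof seen) return -EIO;
    /* The child's sethostname() must not have leaked into our UTS namespace. */
    gethostname(after, sizeof after - 1);
    if (strcmp(before, after) != 0) return -EIO;
    return (int)seen;
}

int main(void) {
    int r = run_isolated_child();
    if (r < 0) {
        fprintf(stderr, "namespace clone refused: %s\n", strerror(-r));
        return 1;
    }
    printf("child saw pid %d (1 = first process of its own pid namespace)\n", r);
    return r == 1 ? 0 : 1;
}
```

Docker's runtime adds the remaining steps from the list above (pivoting into the image's rootfs, writing uid/gid maps, attaching a veth pair) on top of exactly this kind of call.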

Network isolation

Each process container runs in its own network namespace, with its own virtual interface and IP address.

After Docker is installed, a bridge named docker0 is initialized by default. On the host, a default virtual network interface is created for every container; one end is attached to the container's eth0 and the other to docker0. This is how every container gets its own IP address.

For the outside world to reach a container, port-mapping rules are needed, just as when configuring a virtual machine. The difference is that port 80 here does not occupy a local port: it is listened on inside the container, external traffic is bridged in through docker0, and ports and networking are isolated between containers as well.

Port mapping:

Binds a port inside the Docker container to a port on the host.

Logging

Docker collects and records the standard streams (stdout/stderr/stdin) of every process container, for real-time or batch retrieval.

References:

https://zhuanlan.zhihu.com/p/31654581

https://blog.csdn.net/wh211212/article/details/75196905#garbage-collection