Docker Core Technology Preview

When it comes to virtualization technology, Docker must be the first thing that comes to mind. After four years of rapid development, Docker has become the standard for many companies and is no longer a toy that can only be used in the development stage. As a product widely used in production environments, Docker has a very mature community and a large number of users, and its code base has grown very large.

Although Docker now has numerous components and a very complex implementation, this article does not go into Docker's implementation details. Instead, we would like to talk about the core technologies that made Docker's virtualization possible.

1. Namespaces

Namespaces are a mechanism that Linux provides for separating resources such as the process tree, network interfaces, mount points, and inter-process communication. In daily use of Linux or macOS, we do not need to run multiple completely separated servers, but if we start multiple services on one server, these services actually affect each other: each service can see the processes of the other services and can also access any file on the host machine. This is not what we want. We want different services running on the same machine to be completely isolated, just as if they were running on multiple different machines.

Without that isolation, once a service on the server is hacked, the hacker would be able to access all the services and files on the current machine. Docker isolates the different containers from each other through Linux's namespaces.

The Linux namespace mechanism provides the following 7 different namespaces, including


When creating a new process, we can set which resources the new process should be in through these seven options.
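As an added example (not code from the original article), the Python sketch below checks which namespaces a container process still shares with the host by comparing the `/proc/<pid>/ns` links of the two processes. The inode values and both sample dictionaries are constructed, and the function names are hypothetical.

```python
import os

# Constructed sample: links as `readlink /proc/1/ns/*` would report them on a host.
HOST_INIT = {
    "cgroup": "cgroup:[4026531835]", "ipc": "ipc:[4026531839]",
    "mnt": "mnt:[4026531840]", "net": "net:[4026531992]",
    "pid": "pid:[4026531836]", "user": "user:[4026531837]",
    "uts": "uts:[4026531838]",
}
# Constructed sample: a container process that was started in the host's
# network namespace. Docker does not create a user namespace by default,
# so the user namespace is shared with the host as well.
CONTAINER_PROC = {
    "cgroup": "cgroup:[4026532510]", "ipc": "ipc:[4026532445]",
    "mnt": "mnt:[4026532443]", "net": "net:[4026531992]",
    "pid": "pid:[4026532446]", "user": "user:[4026531837]",
    "uts": "uts:[4026532444]",
}

def read_namespaces(pid):
    """Return {type: 'type:[inode]'} for a live process (Linux only)."""
    ns_dir = f"/proc/{pid}/ns"
    return {name: os.readlink(os.path.join(ns_dir, name))
            for name in sorted(os.listdir(ns_dir))}

def parse_inode(link):
    """'net:[4026531992]' -> ('net', 4026531992); ValueError otherwise."""
    kind, sep, rest = link.partition(":[")
    if not sep or not rest.endswith("]") or not rest[:-1].isdigit():
        raise ValueError(f"unexpected namespace link: {link!r}")
    return kind, int(rest[:-1])

def shared_with_host(host, proc):
    """Namespace types where proc has the same inode as host (not isolated)."""
    shared = []
    for name, link in sorted(proc.items()):
        # Types missing on one side (kernel differences) are skipped.
        if name in host and parse_inode(host[name]) == parse_inode(link):
            shared.append(name)
    return shared

if __name__ == "__main__":
    for name in shared_with_host(HOST_INIT, CONTAINER_PROC):
        print(f"container process shares the host {name} namespace")
```

On a live Linux host, `shared_with_host(read_namespaces(1), read_namespaces(pid))` performs the same comparison for a real container process, given permission to read both `/proc` entries.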


2. CGroups

Through namespaces we can isolate the file system, network, and mount points for a newly created process, but namespaces cannot provide isolation of physical resources such as CPU or memory. Containers on the same server are unaware of each other's existence, so each container tends to take up as much of the host machine's physical resources as it can.

If one of the containers is executing a CPU-intensive task, it will affect the performance and execution efficiency of tasks in other containers, causing the containers to influence each other and compete for resources. How to limit the resource usage of multiple containers becomes the main problem once the virtual resources of processes have been isolated. CGroups solve it: they can isolate the physical resources on the host machine, such as CPU, memory, disk I/O, and network bandwidth.

CGroup technology allocates resources to a group of processes, that is, the CPU, memory, network bandwidth and other resources mentioned above. In CGroup, every task is a process of the system, and a CGroup is a group of processes divided according to a certain standard. All resource control is implemented with the CGroup as the unit, and each process can join or leave a CGroup at any time.


3. UnionFS

Linux namespaces and control groups solve different resource isolation problems. The former isolates processes, networks, and file systems, while the latter isolates resources such as CPU and memory. But there is another very important problem that Docker needs to solve: the image.

So what exactly is an image, and how is it composed and organized? We can use docker run to download a Docker image from a remote registry very easily and run it locally on our machine.

The Docker image is actually a compressed package. We can use the following commands to show the files in a Docker image:

$ mkdir rootfs
$ docker export $(docker create busybox) | tar -C rootfs -xvf -
$ ls rootfs
bin  dev  etc  home proc root sys  tmp  usr  var

As we can see, the directory structure in the busybox image is not much different from the content of the root directory of a Linux operating system. So we can say that the Docker image is a file.

UnionFS is a file system service designed for the Linux operating system to "unify" multiple file systems under the same mount point. AUFS, or Advanced UnionFS, is an upgraded version of UnionFS that provides better performance and efficiency.

The three technologies above are the core technologies of Docker. There are many imperfections here; please join the discussion.