The most systematic mastery of Docker core technology (summary sharing)

This article brings you some related questions about container operation of docker core technology, detailed explanation of Dockerfile, etc. I hope it will be helpful to you.

1. Docker

1. Introduction

• Based on the Cgroup, Namespace, and Union FS technologies of the Linux kernel, Encapsulating and isolating processes is a virtual technology at the operating system level. Since the isolated process is independent of the host and other isolated processes, it is called a container.
• The initial implementation was based on LXC. LXC will be removed from 0.7 onwards. Switch to the self-developed Libcontainer. Starting from 1.11, it has further evolved to use runC and Containerd
• Docker has further encapsulated it on the basis of the container, from file system, network interconnection to process isolation, etc. , which greatly simplifies the creation and maintenance of containers, making Docker technology lighter and faster than virtual machine technology

2. Docker advantages

• Use it more efficiently System resources
• Faster startup time
• Consistent operating environment
• Continuous delivery and deployment
• Easier migration
• More Easily maintain and expand

3. Comparison between Docker and virtual machines

##2. Docker installation

Reference article installation: Install Docker Engine on Ubuntu | Docker Documentation

##3. Container operation

Start:
docker run:

-It interaction

-d Running

--P port mapping

--V disk hanging

• Start the terminated container

docker start

• Stop container

docker stop

• View container process

docker ps

##View container details

• docker inspect

## Copy the file to the container

• docker cp file1 :/file_to_path

#docker exits the container without closing the container: ctrl q p

• docker exits the container and closes the container: exit

• ##Query all docker images

• docker images

##Docker image warehouse

• Docker hub: https://hub.docker.com

  Create a private image warehouse: docker run -d -p 5000:5000 registry

  Four. Dockerfile Detailed explanation

Dockerfile is generally divided into four parts: basic image information, maintenance information, image operation instructions and container startup operation instructions

Common commands

From: Specify the basic mirror image, must be the first instructions

• ： Format:

From & LT; Image & GT FROM :

From & LT; Image & GT;@& LT; Digest & GT;

## Example:

## Ubuntu

AINTAINER: Maintenance Information

# This #Format:

MAINTAINER

Example

MAINTAINER ribbon

RUN: Command executed when building the image

Format:

Shell execution: RUN

Execution: RUN ["executable", "param1", "param2"]

Example:

RUN apk update

RUN ["/etc/execfile", "arg1", "arg2"]

RUN apt-get update && apt The two commands -get install are always connected with &&, otherwise the apt-get update build layer will be cached, which will cause the new package to fail to be installed

ADD: Add local files to the container, Types such as tar will automatically decompress and you can access network resources, similar to wget

Format:

ADD ...

Example:

ADD bin/amd64/httpserver /httpserver

COPY: The function is similar to ADD, but it does not decompress files and cannot access network resources

Use multi-stage in Dockerfile: multi-stage in Dockerfile (multi-stage build) - sparkdev - Blog Park

Format:

COPY ... Example:

COPYbin/amd64/httpserver /httpserver

CMD: Called after the container is built, that is, it is called only when the container starts

Format:

CMD ["executable","param1","param2"] (Execute executable file, priority)

CMD ["param1","param2"] ( If ENTRYPOINT is set, call ENTRYPOINT directly to add parameters)
           CMD command param1 param2 (execute shell internal command)

Example:

                                                                                          CMD ["ethtool", "--help"]

CMD echo "1111"

ENTRTPOINT: Configure the container to make it executable.

Format:

ENTRYPOINT ["executable", "param1", "param2"] (executable file, priority)

ENTRYPOINT command param1 param2 (shell internal command)

Example:

ENTRYPOINT /httpserver

CMD [-c]

LABAL: Used to add source data to the image

Format:

          LABEL = = = ...

Example:

       LABEL multi.label1="value1" multi.label2="value2" other="value3"

ENV: Set environment variables

Format:

ENV

Example:

ENV MY_SERVICE_PORT=80 UDP_PORT=90

EXPOSE: Specify external interaction Port

Format:

EXPOSE [...]

Example:

EXPOSE 80

EXPOSE 80/tcp

EXPOSE 80 90

VOLUME: Used to specify the persistence directory

Format:

VOLUME []

Example:

VOLUME ["/data", "/usr1/jenkins"]

USER: Specify the run The user name or UID of the container, and subsequent RUN will also use the specified user.

Format:

USER user
USER user:group
USER uid
USER uid:gid
USER user:gid
USER uid:group

Example:

USER www

ARG: Used to specify variables passed to the build runtime

Format:

ARG [=]
Example:
ARG build_user=ribbon

##

5. Detailed explanation of Linux NameSpace

• Detailed explanation of NamesSpace:

Linux NameSpace_Frank_Abagnale's Blog-CSDN Blog This article provides a more detailed introduction. You can refer to this article

• Common operations of NameSpace

• to view the namespace of the current system:

lsns -t

• View the namespace of a process:

ls -la /proc//ns/

• View a namespace running command

nsenter -t -n

6. Detailed explanation of Linux Cgroups

• Detailed explanation of Cgroups

Container Core: cgroups - Brief Book You can refer to this article to learn more

• Simulate Cgroups to control CPU resources

Pass Simulate to better familiarize yourself with the effect of Cgroups controlling resources. First create the cpudemo folder

Execute top and you can see that busyloop takes up two CPU resources

Add the process to the cgroup process configuration group

Set cpuquota

You can see that success will occupy 200% The CPU resources are reduced to 1%

• Simulating Cgroups exceeding the limit memory resources and being killed by OOM

/ Create the memorydemo folder in the sys/fs/cgroup/memory directory

Run the memory-consuming program and use watch to query the memory usage

Configure the process into the cgroups configuration group

Set the maximum memory size

Waiting for the program Killed by OOM, dmesg can see the kill information

Note: To delete self-created cgroup folders, you need to use cgroup-tools

7. Union FS

The technologies used by Docker are all derived from Linux technologies and are not There is no innovation, and the innovation of Docker is the file system.

1. Concept:

• File system that mounts different directories under the same virtual file system
• Supports setting readonly, readwrite and without for each member directory -able permissions
• File system layering, the directory with readonly permissions can be logically modified. The modifications here are incremental and do not affect the readonly part
• Usual Union FS uses: Multiple disks are mounted to the same directory, and the other is to combine the readonly part and the writeable directory

2. Illustration of Union FS

In the design of the Docker image, The concept of layer is introduced, that is to say, every step of the user's image creation operation will generate a layer, that is, an incremental rootfs (a directory), so that the containers where application A and application B are located jointly reference the same The ubuntu operating system layer and the Golang environment layer (as read-only layers) each have their own application layer and writable layer. When starting the container, mount the relevant layers to a directory through UnionFS as the root file system of the container.

3. Container storage driver

4. Simulate Union FS to better understand the effect

Since the current version of docker uses the overlayFS storage driver, we use the overlay mounting method to conduct experiments. Overlayfs passes through three directories: lower Directory, upper directory, and work directory are implemented. There can be multiple lower directories. The work directory is the basic working directory. After mounting, the content will be cleared and its content will not be visible to the user during use. Finally, the joint mounting is completed. The unified view presented to the user is called the merged directory.

Execute the following command:

mkdir upper lower merged work
echo "lower" > lower/in_lower.txt
echo "from lower" > lower/in_both.txt
echo "from upper" > upper/in_both.txt
echo "upper" > upper/in_upper.txt
path=$(pwd)
mount -t overlay overlay -o lowerdir=${path}/lower,upperdir=${path}/upper,workdir=${path}/work ${path}/merged

## You can see that the overlay storage driver file is mounted using Effect. After the experiment is completed, you need to restore the environment after umounting the merged directory, and then deleting the four directories. If you delete the others first, rm: cannot remove 'merged/': Device or resource busy may appear, resulting in the merged directory not being deleted.

Eight. Docker network

1. Installation tools

Centos system:

        $ yum install bridge-utils

Ubuntu system:

                                                            $ apt-get   install bridge-utils

2. Docker network mode

• Query the built-in docker Network mode

• docker run Select the network mode to run

1) Host mode: Specify using --net=host. Share a set of net with the host

# 2) none mode: use --net=none specified. The network configuration needs to be configured by yourself

3) Bridge mode: Use --net=bridge to specify, the default setting.

docker network logic diagram bridge and NAT

4) Container mode: Use --net=container:NAME_or_ID to specify. Using the network configuration of other containers

# The network mode diagram is roughly as shown below

3. Simulate the operation of Docker to start a network bridge

• Create --net=none nginx

• Create network namespace

## Create network namespace link

## Check the currently created bridge device

Create veth pair

to configure A network

Configure B network

• Generate eth0 network device in nginx docker

Configure ip gateway for eth0

nginx can access

Configure nat so that windows can also access through ip

Delete the specified nat rule after use

Recommended learning: "docker video tutorial

"

The above is the detailed content of The most systematic mastery of Docker core technology (summary sharing). For more information, please follow other related articles on the PHP Chinese website!