What are the two core technologies of docker?
Two core technologies: 1. Linux namespaces, which encapsulate and isolate global system resources so that processes in different namespaces each have an independent view of those resources; 2. Control Groups (cgroups), which isolate the host's physical resources and implement resource quotas and accounting.
The environment used for this tutorial: Linux 5.9.8, Docker 1.13.1, on a Dell G3 computer.
Docker is an open source cloud project written in Go.
Docker uses virtualization technology to keep development, test and production environments consistent, so that an application and its runtime environment can "Build, Ship and Run Any App, Anywhere". This container virtualization technology facilitates continuous integration and makes releasing and scaling the whole application easier.
Docker's two core technologies: Namespaces and Control Groups.
1. Isolation: Linux Namespaces (ns)
Linux namespaces encapsulate and isolate global system resources, so that processes in different namespaces each have their own independent set of those resources. Changing a system resource in one namespace affects only processes in that namespace and has no effect on processes in other namespaces. These resources include the process tree, network interfaces, mount points, inter-process communication and more. Processes in the same namespace can see each other's changes and know nothing about processes outside it. This gives a process in a container the illusion that it is running in an independent system, which is how isolation is achieved.
Each user instance is isolated from the others and they do not affect each other. Where general hardware virtualization gives you a VM, LXC gives you a container, or more precisely a set of kernel namespaces. The pid, net, ipc, mnt, uts and user namespaces isolate the container's processes, network, messages (IPC), file system, UTS ("UNIX Time-sharing System") identity and user space respectively.
1) pid namespace
Processes of different users are isolated through the pid namespace, and different namespaces can contain the same pid. In Docker the parent process of all LXC processes is the docker process, and each LXC process has its own namespace. Since nesting is allowed, Docker in Docker can also be implemented easily.
2) net namespace
With the pid namespace, the pids in each namespace are isolated from each other, but network ports are still shared with the host. Network isolation is achieved with the net namespace: each net namespace has its own network devices, IP addresses, IP routing tables and /proc/net directory, so each container's network can be isolated. By default, Docker uses a veth pair to connect the container's virtual network interface to the docker0 bridge on the host.
3) ipc namespace
A container still uses the usual Linux inter-process communication (IPC) mechanisms, including semaphores, message queues and shared memory. Unlike a VM, however, a container's IPC actually takes place on the host within the same pid namespace, so namespace information has to be added when applying for IPC resources; each IPC resource has a unique 32-bit ID.
4) mnt namespace
This is similar to chroot, which confines a process to a particular directory tree. The mnt namespace lets processes in different namespaces see different file system structures, so the directories seen by processes in each namespace are isolated from one another. Unlike chroot, the /proc/mounts of a container in a given namespace lists only that namespace's mount points.
5) uts namespace
The UTS ("UNIX Time-sharing System") namespace gives each container its own hostname and domain name, so that on the network it can be treated as an independent node rather than as a process on the host.
6) user namespace
Each container can have its own user and group IDs, that is, programs inside the container can run as users that exist inside the container but not on the host.
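As an added example (not from the original article), the following POSIX shell script reads the /proc/<pid>/ns/* links that expose the six namespace types listed above and reports which of them one process shares with another. Run on the host with the pid of a container process, it is a quick check that the container really received its own pid, net and mnt namespaces. It assumes Linux with /proc mounted; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: report the namespaces a
# process is in by reading the /proc/<pid>/ns/* symlinks. The link target
# (e.g. "pid:[4026531836]") is the namespace identifier, so two processes are
# in the same namespace of a given type exactly when those targets match.
# Assumes Linux with /proc mounted; function names are this example's own.
NS_TYPES="pid net ipc mnt uts user"

# ns_id PID TYPE -> prints the namespace id, or nothing if it cannot be read
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null || true
}

# ns_report PID -> one "type id" line per namespace type
ns_report() {
    for t in $NS_TYPES; do
        printf '%s %s\n' "$t" "$(ns_id "$1" "$t")"
    done
}

# ns_shared PID_A PID_B -> space-separated list of namespace types the two
# processes share. A container process that shares pid, net or mnt with the
# host's PID 1 was started without that isolation (e.g. --pid=host or
# --net=host). An unreadable link counts as not shared.
ns_shared() {
    shared=""
    for t in $NS_TYPES; do
        a=$(ns_id "$1" "$t")
        b=$(ns_id "$2" "$t")
        if [ -n "$a" ] && [ "$a" = "$b" ]; then
            shared="$shared $t"
        fi
    done
    printf '%s\n' "${shared# }"
}

# Demo: on the host, pass the pid of a container process (e.g. from
# "docker top <container>") as $1 to compare it with host PID 1; with no
# argument the script examines itself, so every type is reported as shared.
# Docker containers share the user namespace with the host unless
# userns-remap is enabled, so "user" appearing in the list is normal.
target=${1:-$$}
echo "namespaces of PID $target:"
ns_report "$target"
echo "shared with PID 1: $(ns_shared "$target" 1)"
```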
2. Resource restrictions: Control Groups (cgroups)
Namespaces isolate the file system, network and processes of a newly created process from the host, and processes in different namespaces are isolated from each other, but namespaces cannot isolate physical resources. If several containers that know nothing about each other or the host run on the same machine, they still jointly occupy the host's physical resources.
Control Groups (cgroups for short) can isolate the host's physical resources, such as CPU, memory, disk I/O and network bandwidth. Each cgroup is a group of processes restricted by the same criteria and parameters. cgroups form a hierarchy, which means a group can inherit some of its resource-restriction criteria and parameters from its parent group.
cgroups implement resource quotas and accounting. Using cgroups is straightforward because they expose a file-like interface: creating a new folder in the /cgroup directory creates a new group, and writing a pid into the tasks file in that folder places the process under the group's resource control. cgroups can limit resources through nine subsystems: blkio, cpu, cpuacct, cpuset, devices, freezer, memory, net_cls and ns. Each subsystem is described below:
blkio: restricts the input and output of each block device, for example disks, CD drives and USB devices.
cpu: uses the scheduler to provide CPU access to cgroup tasks.
cpuacct: generates CPU resource usage reports for cgroup tasks.
cpuset: on a multi-core CPU, assigns separate CPUs and memory to cgroup tasks.
devices: allows or denies cgroup tasks access to devices.
freezer: pauses and resumes cgroup tasks.
memory: sets memory limits for each cgroup and generates memory usage reports.
net_cls: tags each network packet so that its cgroup can be identified.
ns: the namespace subsystem.
There are also relationships between the nine subsystems above; refer to the official documentation for details.
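As an added example (not from the original article), here is the file interface just described wrapped in POSIX shell functions: a group is a directory, a quota is a file write, and attaching a process is writing its pid to tasks. It assumes a cgroup v1 hierarchy (memory.limit_in_bytes, cpu.cfs_quota_us and cpu.cfs_period_us are v1 knob names); the hierarchy root is the CGROOT variable because the article's /cgroup and the now-common /sys/fs/cgroup/<controller> both occur in practice, and writing to the real hierarchy requires root. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: the cgroup v1 file interface.
# A group is a directory, a quota is a file write, and attaching a process is
# writing its pid to "tasks". CGROOT is the hierarchy root (the article's
# /cgroup on older systems, /sys/fs/cgroup/<controller> on most today);
# writing to the real hierarchy needs root. Knob names are cgroup v1 names.
CGROOT=${CGROOT:-/sys/fs/cgroup}

# cg_create CONTROLLER NAME -> make the group directory; on a real cgroup
# mount the kernel populates the knob files itself
cg_create() { mkdir -p "$CGROOT/$1/$2"; }

# cg_set CONTROLLER NAME KNOB VALUE -> write one quota or parameter file
cg_set() { printf '%s\n' "$4" > "$CGROOT/$1/$2/$3"; }

# cg_get CONTROLLER NAME KNOB -> read a quota or accounting file
cg_get() { cat "$CGROOT/$1/$2/$3"; }

# cg_attach CONTROLLER NAME PID -> move PID (and its future children) into the group
cg_attach() { printf '%s\n' "$3" > "$CGROOT/$1/$2/tasks"; }

# cg_limit NAME MEM_BYTES CPU_PERCENT PID -> memory quota plus a CPU cap via the
# CFS bandwidth knobs (quota in us per 100000 us period), then attach PID.
# CPU_PERCENT is a percentage of one core: 50 -> half a core, 200 -> two cores.
cg_limit() {
    name=$1; mem=$2; cpu=$3; pid=$4
    cg_create memory "$name"
    cg_set memory "$name" memory.limit_in_bytes "$mem"
    cg_create cpu "$name"
    cg_set cpu "$name" cpu.cfs_period_us 100000
    cg_set cpu "$name" cpu.cfs_quota_us $((cpu * 1000))
    cg_attach memory "$name" "$pid"
    cg_attach cpu "$name" "$pid"
}

# Usage as root on a real v1 hierarchy: cap this shell (and the build it then
# runs) at 256 MiB and half a core, then read the measured peak afterwards:
#   cg_limit build 268435456 50 $$ && make -j4
#   cg_get memory build memory.max_usage_in_bytes
```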