Docker's two core technologies: 1. "Linux namespaces", which encapsulate and isolate global system resources so that processes in different namespaces each have their own independent set of those resources; 2. "Control Groups", which isolate physical resources on the host machine and implement resource quotas and measurement.
The operating environment of this tutorial: Linux 5.9.8 system, Docker 1.13.1, Dell G3 computer.
Docker is an open-source cloud project written in the Go language.
Docker uses virtualization technology to keep the development, test, and production environments consistent, so that an app and its running environment can achieve the goal of "Build, Ship and Run Any APP, Anywhere". It is a container virtualization technology that facilitates continuous integration as well as overall release and scaling.
Docker's two core technologies: Namespaces and Control Groups.
1. Isolation: Linux Namespace (ns)
Linux namespaces are a kind of encapsulation and isolation of global system resources. This allows processes in different namespaces to have independent global system resources. Changing system resources in one namespace will only affect processes in the current namespace and has no impact on processes in other namespaces. These resources include: process trees, network interfaces, mount points, inter-process communication and other resources. Processes in the same namespace can sense each other's changes and know nothing about external processes. This can give the process in the container the illusion that it is in an independent system, thus achieving the purpose of isolation.
User instances are isolated from one another and do not affect each other. General hardware virtualization achieves this with a VM, while LXC achieves it with a container, or more specifically with kernel namespaces. The pid, net, ipc, mnt, uts, user and other namespaces isolate the container's processes, network, messages, file system, UTS ("UNIX Time-sharing System") and user space.
1), pid namespace
Processes of different users are isolated through pid namespace, and different namespaces can have the same pid. The parent process of all LXC processes in docker is the docker process, and each lxc process has a different namespace. At the same time, since nesting is allowed, Docker in Docker can be easily implemented.
2), net namespace
With pid namespace, the pids in each namespace can be isolated from each other, but the network port still shares the host port. Network isolation is achieved through net namespace. Each net namespace has independent network devices, IP addresses, IP routing tables, and /proc/net directories. In this way, each container's network can be isolated. By default, docker uses veth to connect the virtual network card in the container to a docker bridge: docker0 on the host.
3), ipc namespace
Process interaction in a container still uses the common Linux inter-process communication (IPC) methods, including semaphores, message queues and shared memory. However, unlike a VM, inter-process interaction in a container is actually inter-process interaction within the same pid namespace on the host, so namespace information needs to be added when applying for IPC resources - each IPC resource has a unique 32-bit ID.
4), mnt namespace
The mnt namespace is similar to chroot, which places a process in a specific directory for execution. It allows processes in different namespaces to see different file structures, so that the file directories seen by processes in each namespace are isolated. Unlike chroot, the /proc/mounts information seen by a container in each namespace contains only the mount points of that namespace.
5), uts namespace
The UTS ("UNIX Time-sharing System") namespace allows each container to have an independent hostname and domain name, so that on the network it can be regarded as an independent node rather than a process on the host.
6), user namespace
Each container can have different user and group IDs; that is, programs inside the container can be executed as users inside the container rather than as users on the host.
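Whether a container process is really isolated in each of the six namespaces above can be checked by comparing the /proc/<pid>/ns/<type> symlinks of that process with those of the host's PID 1. The following is an added example, not code from the original article; the PIDs and inode numbers in SAMPLE are constructed, and the helper names are hypothetical.

```python
import os
import re
import tempfile

NS_TYPES = ("pid", "net", "ipc", "mnt", "uts", "user")   # types named in the article
NS_LINK = re.compile(r"^\w+:\[(\d+)\]$")                   # e.g. "net:[4026531992]"

# Constructed sample inode numbers, not taken from a real host. PID 1 stands in
# for the host; PID 4242 for a container process started with host networking
# and without user-namespace remapping.
SAMPLE = {
    1:    {"pid": 4026531836, "net": 4026531992, "ipc": 4026531839,
           "mnt": 4026531840, "uts": 4026531838, "user": 4026531837},
    4242: {"pid": 4026532301, "net": 4026531992, "ipc": 4026532300,
           "mnt": 4026532298, "uts": 4026532299, "user": 4026531837},
}


def read_namespaces(pid, proc_root="/proc"):
    """Return {type: inode} from the /proc/<pid>/ns/<type> symlinks."""
    found = {}
    for ns_type in NS_TYPES:
        try:
            target = os.readlink(os.path.join(proc_root, str(pid), "ns", ns_type))
        except OSError:
            continue                      # process exited or permission denied
        match = NS_LINK.match(target)
        if match:
            found[ns_type] = int(match.group(1))
    return found


def shared_with_host(host_ns, other_ns):
    """Namespace types in which the process is NOT isolated from the host."""
    return [t for t in NS_TYPES if t in host_ns and host_ns[t] == other_ns.get(t)]


def build_sample_proc(root):
    """Recreate SAMPLE as a fake /proc tree of dangling symlinks under root."""
    for pid, namespaces in SAMPLE.items():
        ns_dir = os.path.join(root, str(pid), "ns")
        os.makedirs(ns_dir)
        for ns_type, inode in namespaces.items():
            os.symlink(f"{ns_type}:[{inode}]", os.path.join(ns_dir, ns_type))


def audit_sample():
    with tempfile.TemporaryDirectory() as root:
        build_sample_proc(root)
        host = read_namespaces(1, root)
        return shared_with_host(host, read_namespaces(4242, root))
```

On a real host, call read_namespaces(1) and read_namespaces(<container PID>) as root and pass both results to shared_with_host; any type it returns is a resource the container shares with the host.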
2. Resource restrictions: Control Groups (cgroups)
Namespaces isolate the file system, network and processes of a newly created process from those of the host machine, but they cannot provide physical resource isolation. If you run multiple containers on the same machine that know nothing about each other or about the host machine, these containers still jointly occupy the physical resources of the host machine.
Control Groups (CGroups for short) are able to isolate physical resources on the host machine, such as CPU, memory, disk I/O and network bandwidth. Each CGroup is a group of processes restricted by the same standards and parameters. There is a hierarchical relationship between different CGroups, which means that they can inherit some standards and parameters for restricting resource usage from their parent group.
cgroups implement quotas and measurement of resources. Using cgroups is very simple, because they provide a file-like interface. Create a new folder in the /cgroup directory to create a new group, then create a new task file in this folder and write a pid to that file to place the process under resource control. cgroups can limit the resources of nine subsystems: blkio, cpu, cpuacct, cpuset, devices, freezer, memory, net_cls, and ns. The following is a detailed description of each subsystem:
blkio This subsystem sets input and output limits for each block device, for example disks, CDs and USB devices.
cpu This subsystem uses the scheduler to provide cpu access to cgroup tasks.
cpuacct generates cpu resource reports for cgroup tasks.
cpuset If it is a multi-core CPU, this subsystem will allocate separate CPU and memory for cgroup tasks.
devices Allows or denies cgroup task access to devices.
freezer Pauses and resumes cgroup tasks.
memory Sets memory limits for each cgroup and generates memory resource reports.
net_cls tags each network packet for cgroup convenience.
ns Namespace subsystem.
There is also a certain relationship between the above nine subsystems. Please refer to the official documentation for details.
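Placing a process in a group is not the same as giving it a quota, so it is worth checking both. The following added example (not code from the original article) parses the cgroup v1 format of /proc/<pid>/cgroup and flags subsystems from the list above in which a process has no dedicated group, as well as a memory group with no limit. The sample text, the /docker/abc123 path and the function names are constructed, and the "no limit" constant assumes a 64-bit kernel with 4 KiB pages.

```python
# The nine cgroup v1 subsystems listed in the article.
SUBSYSTEMS = ("blkio", "cpu", "cpuacct", "cpuset", "devices",
              "freezer", "memory", "net_cls", "ns")

# Value cgroup v1 shows in memory.limit_in_bytes when no limit is set
# (assumption: 64-bit kernel, 4 KiB pages).
V1_UNLIMITED = 0x7FFFFFFFFFFFF000

# Constructed sample of /proc/<pid>/cgroup for a container process.
SAMPLE_PROC_CGROUP = """\
7:memory:/docker/abc123
6:cpu,cpuacct:/docker/abc123
5:devices:/docker/abc123
4:blkio:/docker/abc123
3:freezer:/docker/abc123
2:cpuset:/
1:name=systemd:/docker/abc123
"""
# Constructed content of the memory group's limit file: no quota configured.
SAMPLE_LIMITS = {"memory.limit_in_bytes": "9223372036854771712\n"}


def parse_proc_cgroup(text):
    """Map each controller to its path; lines are 'hierarchy-id:controllers:path'."""
    membership = {}
    for line in text.splitlines():
        parts = line.split(":", 2)          # the path itself may contain ':'
        if len(parts) != 3:
            continue
        for controller in parts[1].split(","):
            if controller and not controller.startswith("name="):
                membership[controller] = parts[2]
    return membership


def unconfined(membership):
    """Subsystems where the process is in the root group or the controller is absent."""
    return [s for s in SUBSYSTEMS if membership.get(s, "/") == "/"]


def memory_limit(raw):
    """Return the limit in bytes, or None when the kernel reports 'no limit'."""
    value = int(raw.strip())
    return None if value >= V1_UNLIMITED else value


def audit(proc_cgroup_text, limit_files):
    membership = parse_proc_cgroup(proc_cgroup_text)
    findings = [f"{s}: not in a dedicated cgroup" for s in unconfined(membership)]
    if membership.get("memory", "/") != "/":
        if memory_limit(limit_files["memory.limit_in_bytes"]) is None:
            findings.append("memory: grouped but no quota set")
    return findings
```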

