
What does pod mean in docker

WBOY (Original)
2022-07-08 11:11:33

In Docker terminology, a pod is a combined multi-container running unit; the pod is the basic unit in Kubernetes. It can be regarded as an extension or enhancement of the container: when several processes are packaged into one shared namespace they form a pod, while the application packaging of the different processes inside the pod remains independent.


The operating environment of this tutorial: linux7.3 system, docker version 19.03, Dell G3 computer.

What does pod mean in docker

A Pod is a combined multi-container running unit and the basic unit in Kubernetes. You can think of it as an extension or enhancement of a container. A Pod includes a main container and several auxiliary containers, which together complete a specific function. When multiple processes (a container is itself an isolated process) are packaged into one shared namespace, a Pod is formed. The application packaging of the different processes in the Pod remains independent: each container has its own image.

The significance of the Pod is that it maintains the close relationship between the main container and the auxiliary containers while preserving the independence of the main container. Because the main container and the auxiliary containers share the same life cycle and are created and destroyed together, putting them in one Pod makes their interaction more efficient.

Put another way, the main container completes the application's principal task, while other tasks that are generic can be packaged separately and run by auxiliary containers.

Extended knowledge

What is a container?

It is not easy to give an accurate definition of a container, because everyone looks at containers from a different perspective. In Liu Junhui's view, containers are not only a way of providing computing units; they are also a form of packaging for applications.

- A container is a computing unit

As a computing unit, a container is the same as a thread, process, virtual machine, or physical machine (as shown in the figure below). On a continuum scale, isolation, security, and overhead are lower toward the left and higher toward the right. A container is a computing unit between a process and a virtual machine.
But not all applications are suitable for containers. Developers can choose the most suitable computing unit based on the characteristics and needs of their own applications. For example, if your application is high-performance, its components trust each other, and they sit in the same administrative domain, then threads or processes will suffice; but if your application is multi-tenant and runs in the same space as other applications, then you need to consider how to isolate these applications safely so that data is not leaked and performance is not affected. In that case, containers may be a good choice.

Because a container is a "highly isolated process", it adds new isolation mechanisms on top of the isolation that ordinary processes already have. These mechanisms are provided by the Linux kernel and include namespaces and cgroups. Namespaces can be divided into three categories: network, storage and computing. Among them, the most important is the network namespace, which ensures that the container's network is independent of other containers' networks. The file system that each container sees is not shared with other containers, and each container can see only its own process IDs, which are numbered consecutively within the container.

On the biggest difference between containers and virtual machines, Liu Junhui's view is that the defining feature of containers is that they do not have their own independent operating system but share the operating system of their host, whereas a virtual machine runs on what amounts to "a separate server". Therefore, the overhead of containers is smaller than that of virtual machines, but the isolation is weaker.

- A container is a packaging form of an application

Anyone with experience in application development knows that an application is not a single executable file. Even a slightly complex application consists of multiple parts, including code, executable files, configuration, dependencies and external dependencies (dynamic link libraries), etc.

So when packaging an application for distribution, you need to consider factors such as the version of the target operating system, the system architecture, and the modules the application depends on. Otherwise, installing the application will modify different parts of the system.

As a packaging form for an application, the container's biggest feature is that it gives the application independence and portability. The container itself contains all of the application's dependencies, which allows it to run on any infrastructure and avoids the various accidents that system version and architecture differences would otherwise cause.

02 What is Docker?

Simply put, Docker can be regarded as a very successful container management platform. The most important part of Docker is its running management environment (as shown in the figure below).
As mentioned above, a container is a computing unit, and the Docker running environment is used to create, manage and destroy these computing units. Creating and managing them requires the packaging of the computing unit, that is, its software distribution package. These packages are stored in the running environment as container images, and every container computing unit is created from one of these images.

But the image itself will have version release, upgrade and other requirements, which involves DockerHub, another important component of Docker. DockerHub is a bit like Apple's App Store. It is a very large "container market" and all commonly used software can be found on DockerHub.

The last important module of Docker is the user interface and management tools, which are used to issue commands to the running environment of the container or view the status. You only need to use a Docker command and add some parameters to create, delete, and view the running status of the container.

Next, let’s take a look at the actual operation of Docker. We will take running a Hello World container as an example to talk about the usage of Docker. In fact, you only need to install Docker and you can try to run this Hello World container.

Through the following code, let’s take a look at what Docker has done:
[Figure: terminal output of running the Hello World container]
First we see that Docker looks for the latest version of the Hello World image locally. Finding that the image is not present locally, it downloads it from DockerHub. Then the image is run, and Docker creates the container in the background.

The emergence of Docker makes container application management very easy. Running a container only requires one command. Downloading images from DockerHub, creating various isolation environments, creating containers and external network communication environments can all be completed by Docker. It can be said that Docker can manage the entire life cycle of the container.

03 Containers vs. virtual machines, the lumberjack’s ax and saw

As a summary of containers, we can summarize the biggest features of containers as lightweight and completely independent deployment. These two characteristics are very consistent with the elastic unlimited expansion and on-demand use of cloud native. Because of this, containers have become the cornerstone of cloud native.

Although containers and virtual machines are both computing units, going from virtual machines to containers cannot be seen as a simple performance improvement or architecture change, but a change in application philosophy.

For example, lumberjacks used to fell trees with axes. Later, everyone felt that using an ax was too laborious, so an expert introduced another tool for cutting trees, the saw. But if a lumberjack takes the saw to cut down a tree, he will find it not as easy to use as the ax. The truth is that an ax and a saw embody two different concepts of use.

Speaking of the difference in concepts between containers and virtual machines, we can further feel it through the following chart.
Typical applications of containers can be divided into two categories, one is microservices and the other is DevOps.

Microservices refer to different units or functions of the system running different containers. The number of containers for each service can be adjusted according to its own load. For example, a large system includes functions such as user login, product display, and product interaction, but all parts of the system do not increase linearly at the same time. Some parts may be busier, and some parts may have excess capacity.
DevOps refers to streamlining the development, testing, and production processes. Because of the "self-contained" nature of the container, when it is used as the standard item that moves through the pipeline, the application packaging of the development, test and production environments can be completely consistent. This reduces accidents caused by application dependency and configuration errors, making the entire development, testing and production pipeline more efficient.

04 Pod, an enhanced container


It is highly recommended that everyone go to a website called Katacoda. It has a large number of free online experiments, including hands-on projects such as Docker and Docker Image, and it is completely free now. You might as well go here and get your hands dirty.

When a container platform runs applications from multiple tenants, "lateral attacks" become easy: a process exploits a system vulnerability to escalate privileges, for example raising its own privileges to administrator, and thereby gains the ability to operate on other processes or containers running on the same system. Currently, such vulnerabilities usually end in computing resources being hijacked for "mining".

To address this problem, there are currently two solutions, one is "limiting system calls"; the other is "independent kernel".

Restricting system calls means limiting the system calls an application may make in order to reduce its capabilities and thereby avoid harm to other applications. Currently, Google's gVisor and IBM's Nabla both adopt this approach. As shown in the figure below, an application originally has access to all system calls, but in Nabla mode the application can access only the necessary system calls, and all other calls are blocked.
The disadvantage of this method is that it requires you to give the application "just the right" permissions from the start. If you accidentally do not grant enough, the application may crash.
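To make the Pod structure described earlier (a main container plus auxiliary containers sharing one life cycle) and the "restricting system calls" approach concrete, here is an added Kubernetes Pod manifest; it is not from the article or from any project it names. A web server is the main container, a log-shipping helper is the auxiliary container, both share one volume, and a seccomp profile plus dropped capabilities limit what each process may ask of the kernel. The Pod name and image tags are assumptions.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: web-with-log-shipper          # constructed example name
spec:
  # All containers in a Pod share the network namespace and are created
  # and destroyed together: the main and auxiliary containers have the
  # same life cycle, as the article describes.
  securityContext:
    # Pod-wide default: every container runs under the container
    # runtime's default seccomp filter, so only allowed system calls
    # reach the kernel. A stricter custom allowlist would use
    # type: Localhost with localhostProfile: <path on the node>; if that
    # list omits a call the application needs, the container fails to
    # start, which is the "just the right permissions" caveat above.
    seccompProfile:
      type: RuntimeDefault
  volumes:
    - name: logs
      emptyDir: {}                     # shared only by this Pod's containers
  containers:
    - name: main                       # the "main container"
      image: nginxinc/nginx-unprivileged:1.25   # assumed tag; listens on 8080
      ports:
        - containerPort: 8080
      volumeMounts:
        - name: logs
          mountPath: /var/log/nginx    # nginx writes access.log here
      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false   # no setuid-style privilege gain
        capabilities:
          drop: ["ALL"]                # nothing beyond an ordinary process
    - name: log-shipper                # the "auxiliary container"
      image: busybox:1.36              # assumed tag
      command: ["sh", "-c", "tail -F /var/log/nginx/access.log"]
      volumeMounts:
        - name: logs
          mountPath: /var/log/nginx
          readOnly: true               # helper only reads the main container's output
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534               # nobody
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

Each container still comes from its own image, so the application packaging stays independent even though the two processes share the Pod's namespaces and volume.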

The independent kernel approach is a virtual machine style solution: a new kernel is added to the container. This kernel is lightweight and comes in two implementation forms, the "microkernel" and the unikernel. A unikernel is compiled together with the application, so the application can call it directly through functions without going through system calls.

The advantage of this solution is that the container essentially deals only with its own kernel, while that kernel deals with the host. The interaction between the kernel and the host requires only some common instructions and does not involve directly calling instructions that could harm the system. Currently, Kata Containers and JD.com's cloud native containers use this method.

A further advantage of this approach is that the microkernel, as a minimized operating system, can satisfy all system calls while removing unnecessary parts of system operation; its startup time is very short, down to the second level, and its overhead is smaller than that of a virtual machine.
