Original: Taste of Little Sister (WeChat official account ID: XjjDog). Feel free to share, but please keep the source.
A classmate once gave me an analogy: the host machine is like a big house, and Docker partitions it into N small rooms. Each of these rooms has its own toilet, bed, TV and so on.
Small as a sparrow is, it has all five organs, and the analogy fits well. Linux provides a very comprehensive isolation mechanism, so the rooms do not affect each other: even if the room next door is in full swing, my room stays cold and quiet, completely unaffected.
Docker relies on three old technologies, chroot, namespaces and cgroups, to achieve this. In this article we start with namespaces. After all, isolation is the first element of a container.
The Linux kernel provides up to eight types of namespace. Resources in separate namespaces do not affect each other, and the isolation is very good.
1. Eight types
Let's take a look at which namespaces Linux supports. You can see the details with the unshare command: running man unshare in a terminal prints a description of these namespaces.
- Mount (mnt): isolates mount points
- Process ID (pid): isolates process IDs
- Network (net): isolates network devices, port numbers, etc.
- Interprocess Communication (ipc): isolates System V IPC and POSIX message queues
- UTS (uts): isolates host and domain names
- User (user): isolates users and user groups
In addition, Linux added the cgroup and time namespace types in versions 4.6 and 5.6 respectively, bringing the total to eight.
- Control Group (cgroup) namespace: isolates the cgroup root directory (added in version 4.6)
- Time namespace: isolates the system time (added in version 5.6)
2. One example
Using the unshare command, you can quickly set up some isolation experiments. Let's take the simplest and most intuitive one, the PID namespace, to see how it works.
On Linux, process number 1 is the systemd process. Inside Docker, however, running the ps command shows only a very short list of processes.
Execute the following command to enter the isolation environment with bash as the root process:
unshare --pid --fork --mount-proc /bin/bash
The effect is shown below. As you can see, our bash has become process 1, and processes from the host and from other isolated environments are not visible here.
First, inside the isolated environment, run sleep 1000. Then open another terminal and run pstree on the host; the processes of the isolated environment are visible there.
Next, compare the namespace information of the sleep process with that of a host process. As you can see, the values of their PID namespaces differ.
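As an added example (not from the original post), the following POSIX shell helpers do that comparison by reading the /proc/<pid>/ns/* links the kernel exposes, and demo_pid_ns repeats the experiment above without root by nesting the PID namespace inside a user namespace. Function names are my own; ns_diff also covers the other namespace types used in the experiments that follow.

```shell
# /proc/<pid>/ns/<type> is a symlink resolving to "<type>:[<inode>]";
# two processes share a namespace exactly when the inode matches.
ns_id() {                     # usage: ns_id <pid> <type>
    readlink "/proc/$1/ns/$2"
}

# Exit 0 if both PIDs live in the same namespace of the given type,
# 1 if they differ, 2 if either process (or the type) cannot be read.
same_ns() {                   # usage: same_ns <pid_a> <pid_b> <type>
    a=$(ns_id "$1" "$3") || return 2
    b=$(ns_id "$2" "$3") || return 2
    [ "$a" = "$b" ]
}

# Walk all eight namespace types and report which differ between two PIDs.
# The "time" entry only exists on kernels >= 5.6, so missing types are skipped.
ns_diff() {                   # usage: ns_diff <pid_a> <pid_b>
    for t in cgroup ipc mnt net pid time user uts; do
        [ -e "/proc/$1/ns/$t" ] || continue
        if same_ns "$1" "$2" "$t"; then echo "$t: same"; else echo "$t: DIFFERENT"; fi
    done
}

# Reproduce the article's PID-namespace experiment without root: --user -r first
# creates a user namespace in which we are uid 0, which then permits --pid.
# Inside, the shell sees itself as PID 1 and a pid-namespace inode different from ours.
demo_pid_ns() {
    inner=$(unshare --user -r --pid --fork --mount-proc sh -c \
              'echo "pid $$ in $(readlink /proc/self/ns/pid)"' 2>/dev/null) ||
        { echo "cannot create namespaces here (unshare denied)"; return 1; }
    echo "host : pid $$ in $(ns_id "$$" pid)"
    echo "inner: $inner"
}
```

Run `ns_diff <host_pid> <sleep_pid>` from the second terminal to see exactly which of the eight namespaces the unshare'd environment replaced.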
Here are some other namespace experiments you can try yourself.
3. Experiment
unshare --mount --fork /bin/bash
Creates a mount namespace, so that each environment can have its own mount tree.
unshare --uts --fork /bin/bash
A UTS namespace isolates the host name, allowing each namespace to have a separate hostname, which you can change with the hostname command.
unshare --ipc --fork /bin/bash
The IPC namespace is primarily used to isolate interprocess communication. Linux offers many IPC mechanisms: pipes, signals, messages, shared memory, semaphores, sockets and so on. With an IPC namespace, the isolated kinds (the System V IPC objects and POSIX message queues listed above) cannot be used to communicate across namespaces. But that is exactly what we want.
unshare --user -r /bin/bash
User namespaces are pretty straightforward. We can create an xjjDog account in one namespace and an xjjdog account in another without the two affecting each other.
unshare --net --fork /bin/bash
The net namespace is very useful. It isolates information such as network devices, IP addresses and ports.
End
As you can see, Linux provides fine-grained isolation of many resources through its namespaces. Docker itself is old wine in a new bottle; what Docker adds is a central repository and a set of easy-to-use commands wrapped around these mechanisms.
You may notice that so far we have not isolated CPU or memory usage, and there is no namespace that addresses these issues.
Resource limiting is done with cgroup quotas and has nothing to do with namespaces. We will introduce cgroups in a later article.
Finally, here is a life cycle diagram of Docker (source: docker – Saigon. Making. IO/post/docker…). If you need it, add me on WeChat to get it.
By now the Docker tool chain is very mature, and many students have already mastered it. If you are really interested in container technology, it is worth looking at the underlying principles. That way, whether Google pushes its own container or you continue to use Docker, you can pick it up quickly.
Xjjdog is a public account that doesn't let programmers get sidetracked. It focuses on infrastructure and Linux. Ten years of architecture, ten billion requests a day; come discuss the world of high concurrency and get a different taste. My personal WeChat is xjjdog0; feel free to add me for further discussion.