Introduction
We often compare Docker containers with virtual machines. The difference is that Docker does not actually create a real “container”. What Docker launches for the user is the application process itself, but it places a number of restrictions on that process when it is created. These include enabling Namespace configuration to isolate containers and setting the specified Cgroups parameters to limit the resources the process can use.
Of course, this is not enough. A host can run multiple containers that are isolated from one another, so what about their file systems? This brings us to an important component, the key to Docker’s wide acceptance: the Docker image.
File system isolation
First, it is natural to expect that the application in the container should see a completely separate file system. That way, the container can work on its own directories without affecting the host or other containers.
In Linux, the Mount Namespace provides file system isolation by isolating mount points. Docker leverages this to give each container its own isolated file system. Docker remounts the entire root directory “/” before the container process starts, so the container itself uses a completely separate file system.
Of course, an isolated but empty file system is not enough. So in addition to isolating each container’s file system, Docker also mounts the file system of an entire operating system, such as Ubuntu, at the container’s root directory. The contents of the container’s root directory are then all of Ubuntu’s directories and files, namely /bin, /etc, /data, /usr, etc.
This file system, mounted at the root of the container and used to provide an isolated execution environment for container processes, is called a container image.
Image and operating system
Since an image contains an operating system’s files, configuration, directories, etc., is it an operating system?
The answer is no, because the image does not contain the operating system kernel; all containers on a host actually share the kernel of that host. This is also a disadvantage of containers compared to virtual machines. When we run applications in containers, especially ones that interact with the kernel, we need to keep in mind that they directly affect the operating system kernel of the host.
Three. Why do we need images
We all know that the image is a very important feature of Docker, so why do we need images?
1. Resolve environment consistency issues
In the early days of container platforms, users who wanted to deploy an application to a cluster in containers usually had to perform a packaging step, which was different from Docker’s simple image build. Developers also had to maintain a package for each language, each framework, and even each version of the application, and because the cloud environment differed from the local one, there was a lot of configuration work to do after moving to the cloud.
The arrival of the Docker image completely changed this situation. As mentioned above, an image contains not only the language, framework and other environment the application requires, but the file system of the entire operating system, which makes the local environment and the cloud environment highly consistent. All developers have to do is create a container and run the image in that container.
In other words, images achieve runtime environment consistency at the operating system level, eliminating the differences between local development and remote environments.
2. Layering mechanism
In real development, it would be a hassle if we had to rebuild an image every time we developed an application or made changes to an existing application.
Therefore, Docker images take a relatively innovative approach: the concept of layers. Since we want to avoid saving a whole image for every change we make, we maintain only the incremental content. In other words, each step the user takes to create an image generates a layer.
In a Dockerfile, for example, most instructions generate a layer, and the resulting image is actually these layers stacked on top of each other. Layers can also be shared. Assume that there is a local five-layer image A, and image A and image B share those first five layers. Then, when we pull image B from the image registry, we only need to pull the last layer that is not available locally, instead of pulling the whole of image B from the base up.
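The layer sharing described above, modelled as an added example (a simplified model, not Docker's own code): each layer ID is a SHA-256 hash chained over its parent, so image B's first five IDs equal image A's and a pull fetches only the sixth layer. The names make_layers, LocalStore, publish and the registry contents are hypothetical and constructed for illustration.

```python
import hashlib

def make_layers(steps):
    """Turn build steps (each a dict path -> bytes) into content-addressed layers.
    Each ID is chained over the parent ID, so equal step prefixes give equal IDs."""
    layers, parent = [], ""
    for files in steps:
        h = hashlib.sha256(parent.encode())
        for path in sorted(files):
            h.update(path.encode() + b"\0" + files[path] + b"\0")
        parent = "sha256:" + h.hexdigest()
        layers.append((parent, files))
    return layers

def publish(registry, name, steps):
    """Store an image in the (hypothetical) registry as a manifest plus layer blobs."""
    layers = make_layers(steps)
    registry[name] = {"manifest": [i for i, _ in layers], "blobs": dict(layers)}

class LocalStore:
    def __init__(self):
        self.blobs = {}  # layer ID -> files, shared by every local image

    def pull(self, image, registry):
        """Fetch only the layers missing locally; return the IDs downloaded."""
        fetched = []
        for layer_id in registry[image]["manifest"]:
            if layer_id not in self.blobs:
                self.blobs[layer_id] = registry[image]["blobs"][layer_id]
                fetched.append(layer_id)
        return fetched

    def rootfs(self, manifest):
        """Stack layers bottom-up into the single directory tree a container sees."""
        view = {}
        for layer_id in manifest:
            view.update(self.blobs[layer_id])  # upper layers override lower ones
        return view

# Constructed sample: image A has five layers, image B adds a sixth on top of them.
BASE = [{"/bin/sh": b"shell"}, {"/etc/os-release": b"ubuntu"}, {"/usr/lib/libc": b"libc"},
        {"/usr/bin/python": b"py"}, {"/etc/app.conf": b"debug=0"}]
REGISTRY = {}
publish(REGISTRY, "A", BASE)
publish(REGISTRY, "B", BASE + [{"/app/main.py": b"print()", "/etc/app.conf": b"debug=1"}])

if __name__ == "__main__":
    store = LocalStore()
    print("pull A:", len(store.pull("A", REGISTRY)), "layers downloaded")
    print("pull B:", len(store.pull("B", REGISTRY)), "layer downloaded")
    print(sorted(store.rootfs(REGISTRY["B"]["manifest"])))
```

Because a layer's ID covers everything beneath it, a change to any lower step yields different IDs for all layers above it, and those layers are no longer shared.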
The benefits of the layering mechanism also shaped the later development of Docker. After version 17.05, Docker introduced the multi-stage build mechanism for Dockerfiles, which greatly reduced the size of images.