Detailed explanation of the concept of docker container layers

Today we look at the concept of container layers.

In the previous section, we learned that a container is a process. On the basis of this process, the following three parts are added:

1. Start the Linux Namespace configuration to achieve isolation from the physical machine.

2. Set Cgroups parameters to limit container resources.

3. Generate a system file directory, that is, the rootfs file, also called a mirror file

It should be noted here that rootfs is only a combination of basic files that the container needs to use, and does not include the operating system kernel. The operating system kernel of the container still uses the kernel of the host machine. Of course, the existence of rootfs is not meaningless. Its existence enables the container to have the most important performance: consistency.

01 Container consistency

The container's rootfs packages all the files and directories of the operating system, including all dependencies. With this feature, whether the container is locally or in the cloud, users only need to unzip the packaged container image, and the application running environment will be set up.

This is the consistency of the container.

02 Concept of Layer

"The reason why I can see far is because I stand on the shoulders of giants", Newton once said this and it still applies today. "Don't reinvent the wheel." When we develop applications, we only need to use the Linux operating system to develop them. We don't need to redevelop a Linux system to run our applications.

During the use of the container, if we already have an existing MySQL container image with data A in it, and other people also want a MySQL container image to import their data B, then we only need to delete data A in our own MySQL container and then re-import data B.

In the scenario described above, once data A is deleted and data B is imported, we cannot use this container ourselves because data A has been deleted. This is obviously not the result we want. Obviously, both dataset A and dataset B require a container image (that is, rootfs) with MySQL installed but no data.

When Docker software was designed, the concept of "layer" was introduced, which cleverly solved this problem.

The concept of "layer" is implemented through the union file system AuFS, the full name is Advance UnionFS. Its concept is not difficult to understand, as shown below:

Directory 1 contains file a, file c

Directory 2 contains file b, file c

By combining files, directories 1 and 2 are mounted on directory 3. At this time, directory 3 has three files: a, b, and c.

At this time, if files a, b, and c are modified in directory 3, the corresponding directories 1 and 2 will also take effect.

How to implement layers through a "union file system" is actually a rather complicated question, so I'll leave it to interested readers to think about it. Here, we only need to understand that the concept of layers is implemented through a union file system.

Here is an example of a "layer" for a mysql base image:

[root@VM-0-14-centos ~]# docker image inspect docker.io/mysql
 [
    {
        "Id": "sha256:db2b37ec6181ee1f367363432f841bf3819d4a9f61d26e42ac16e5bd7ff2ec18",
        "RepoTags": [
            "docker.io/mysql:latest"
        ],
......
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:d0fe97fa8b8cefdffcef1d62b65aba51a6c87b6679628a2b50fc6a7a579f764c",
                "sha256:329fe06a30f03f9131ce8d9db2e8a9f725b18efe3457d6f015e1c4d8a3f41a0a",
                "sha256:ec8c80284c72bcf47ffedc0dde4d5792de761d52f974c30d37d52b9ac00e8a2a",
                "sha256:9dae2565e824235798981525d6ff9114817b7139c073e0d216b00ae9e58f74d0",
                "sha256:36b89ee4c647b9c21de8b5476b4922efc873aba69705c169e1a3edcf9128679b",
                "sha256:c21e35e55228365b268f57fac382a6e991db216cb03d9b7079496f5498956ab0",
                "sha256:15b463db445cb750fa6bc908a41fd18e38c4d2a02a978b66beb598c4f3f57b95",
                "sha256:7832ac00d41eda3a773a18408dea0b8e05ddbdd3a1e94afef3b6e3dc6444b7bb",
                "sha256:7f893b7c04ac2f939737d2da4e15af796c7acc0fd10c2951d9ae5bf33ceec2dc",
                "sha256:060fef62a228fff7e9dc3b7008bc9089e642ef29dc699f7e90c36ced5b2e75c6",
                "sha256:af6e790b82373cc65ca73efe5cc8945731525a9dcae6deeea2a5a5802561a72a",
                "sha256:9b0377a95c0e0bd5aa5b220449d17333faaa0e2bd7e8b93565beeadbf3906646"
            ]
        }
    }
]

As you can see, RootFS is the file system of the container, and Layers is the “layer”.

So what layers does a Docker container image consist of? ? ?

According to different functions, it is mainly divided into read-only layer, init layer and read-write layer.

Read-only layer:

Read-only layers are mounted read-only. These layers incrementally mount a portion of the operating system.

Read-write layer:

It is the top layer of the image, and its mount mode is read-write. Before writing files, this directory is empty. Once a write operation is performed in the container, the content you modified will appear in this layer in an incremental manner.

init layer:

The init layer is an internal layer specially generated by docker, which mainly stores files such as /etc/hosts and /etc/resolv.conf.

The reason for storing these specific files is that these files are originally part of the operating system, but the user's application often modifies these files. These modifications are only valid for the current container. We do not want these changes to be submitted together with the read-write layer when docker commits.

A few notes:

1. When the user executes docker commit, only the contents of the read-write layer will be committed.

2. If we want to delete a read-only layer file a.txt, then we only need to write a file with the same name .wh.a.txt in the read-write layer. In this way, the a.txt file will be obscured by the .wh.a.txt file, thus achieving the purpose of deletion.

03 Advantages of layered design

Through layered design and incremental data operations, the content pulled and modified each time is smaller than that of a complete operating system;

The sharing of the underlying read-only layer makes the total space used by multiple container images smaller than the sum of each container image.

At the same time, team collaboration based on container images can connect people from different companies and fields and iterate new functions more quickly.

The above is a detailed explanation of the concept of Docker container layers. For more information about Docker container layers, please pay attention to other related articles on 123WORDPRESS.COM!