Analysis of the principles of docker containers


01 What is the essence of a container?

Today's focus is to explain clearly what containers are.

To understand containers, we first need to know what a process is. When we run a program on Linux, the program is usually a binary file on disk. Once it is executed, it becomes a collection of data in memory, values in registers, instructions on the stack, and the state of various devices. This combination of execution state on the computer is called a process.

A container draws a "boundary" around a process; in plain words, it "wraps" the process. It achieves this wrapping by constraining and modifying certain dynamic behaviour of the process.

It is not difficult to see that a container is a special process with "boundaries".

Now let's look at the process characteristics of a MySQL container.

1. First, find the container ID of the mysql container on our machine:

[root@VM-16-13-centos service]# docker ps | grep mysql
4784586d01e0 mysql "docker-entrypoint..." 3 months ago Up 3 months k8s_mysql.16d54d16_mysql-pd7jr_default_0032bce0-2b0f-11eb-98ad-5254002dbd85_d775f414

As you can see, the container ID is 4784586d01e0.

2. Next, we enter the container with the docker exec command (the command itself is explained below) and run ps -ef to list its processes:

[root@VM-16-13-centos service]# docker exec -it 4784586d01e0 bash
root@mysql-pd7jr:/# ps -ef
UID PID PPID C STIME TTY TIME CMD
mysql 1 0 0 2020 ? 03:20:20 mysqld
root 882 0 0 09:42 ? 00:00:00 bash
root 888 882 0 09:46 ? 00:00:00 ps -ef

Inside the container, the mysqld process has PID 1.

Two notes on this step:

1. docker exec -it 4784586d01e0 bash

This command asks Docker to open an interactive bash shell inside the container with that ID.

2. If the container image does not include the ps command, install it with the following command (both steps must succeed, hence &&):

apt-get update && apt-get install procps

Then we exit the container and look up the PID of the mysqld process again, this time from the host:

[root@VM-16-13-centos service]# ps -ef|grep mysql
root 5152 5059 0 2020 pts/5 00:00:00 mysql -uroot -px xxxx
root 13644 24879 0 2020 pts/4 00:00:00 mysql -uroot -px xxxx
polkitd 18853 18837 0 2020 ? 03:20:25 mysqld

From the host, the PID is 18853.

So the same mysqld process shows a different PID inside and outside the container.

Why is this happening?

The reason is that the processes in a Docker container run in a new, isolated environment in which they can only see PIDs that were renumbered for that environment. As we said before, Docker essentially "wraps" a process on the physical machine by constraining and modifying some of its dynamic behaviour; the differing PID is a visible result of that wrapping.

So how does Linux constrain and modify a process on the physical machine? Two new concepts are needed:

For most Linux containers, Docker included, Linux Cgroups are the main means of imposing constraints.
Namespaces are the main means of modifying the process's view of the system.

02 Introduction to Cgroup Technology and Namespace Technology

Namespaces are mainly used to provide resource isolation for containers. The way the Namespace function is implemented is relatively simple. Normally, when we create a process on Linux, the system performs a clone() system call, similar to:

int pid = clone(main_function, stack_top, SIGCHLD, NULL);   /* stack_top: pointer to the top of the child's stack, not a size */

It returns the PID of the process we created.

Namespace technology adds one extra parameter when Linux creates the process. The author calls it newid for now; on Linux it is the CLONE_NEWPID flag, OR-ed into the flags argument of clone(). With it, the PID of the process as seen inside the container is this new number, independent of its PID on the host. This Namespace is called the PID Namespace.

In addition to this Namespace, there are others, such as mount Namespace and Network Namespace, which are used to isolate mount points and networks respectively.

Of course, not all resources can be put in a namespace; for example, the system time and the operating system kernel are shared by all containers on a server.
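To make the PID namespace effect concrete, here is an added example in C (not code from the article). It uses unshare(2) followed by fork() rather than passing CLONE_NEWPID to clone() directly, which is equivalent for this purpose, and reports the PID the child sees for itself next to the PID its parent sees for it, the same 1-versus-18853 discrepancy shown for mysqld above. The function and tag names are my own; CLONE_NEWUSER is added so the demo does not need root, and on hosts that forbid unprivileged user namespaces the kernel refuses (EPERM), which the code reports instead of crashing.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/sched.h>          /* CLONE_NEWPID, CLONE_NEWUSER */
long syscall(long number, ...);   /* repeated here so the file builds under strict -std modes too */
enum { TAG_INSIDE, TAG_OUTSIDE, TAG_ERROR };
struct msg { int tag; int value; };
static void report(int fd, int tag, int value) {    /* 8-byte record: written atomically */
    struct msg m = { tag, value };
    if (write(fd, &m, sizeof m) != (ssize_t)sizeof m) _exit(1);
}
/* Start a child and report the PID it sees for itself (*inside) next to the PID its parent
 * sees for it (*outside). ns_flags is the article's "extra parameter": 0 for an ordinary
 * child, CLONE_NEWPID (plus CLONE_NEWUSER so that no root is needed) for a fresh PID
 * namespace. Returns 0, or -errno if the namespace could not be created. */
int pid_inside_vs_outside(int ns_flags, pid_t *inside, pid_t *outside) {
    int fds[2]; if (pipe(fds) != 0) return -errno;
    pid_t a = fork();
    if (a < 0) { int e = errno; close(fds[0]); close(fds[1]); return -e; }
    if (a == 0) {                                   /* A: creates the namespace */
        close(fds[0]);
        /* unshare(2): A itself stays where it is, but A's future children land in the new ns */
        if (ns_flags && syscall(SYS_unshare, ns_flags) != 0) { report(fds[1], TAG_ERROR, errno); _exit(0); }
        pid_t b = fork();                           /* B: the first process in the new ns */
        if (b < 0) { report(fds[1], TAG_ERROR, errno); _exit(0); }
        if (b == 0) { report(fds[1], TAG_INSIDE, getpid()); _exit(0); }
        waitpid(b, NULL, 0);
        report(fds[1], TAG_OUTSIDE, b);             /* the same process, as A numbers it */
        _exit(0);
    }
    close(fds[1]);
    int rc = 0; struct msg m;
    while (read(fds[0], &m, sizeof m) == (ssize_t)sizeof m) {
        if (m.tag == TAG_INSIDE) *inside = m.value;
        else if (m.tag == TAG_OUTSIDE) *outside = m.value;
        else rc = -m.value;                         /* errno reported by A, e.g. EPERM */
    }
    close(fds[0]);
    waitpid(a, NULL, 0);
    return rc;
}
int main(void) {                                    /* stand-alone demo */
    pid_t in = 0, out = 0;
    int rc = pid_inside_vs_outside(CLONE_NEWUSER | CLONE_NEWPID, &in, &out);
    if (rc == 0) printf("inside the namespace: %d, outside: %d\n", (int)in, (int)out);
    else printf("new PID namespace not permitted here (errno %d)\n", -rc);
    return 0;
}
```

With ns_flags set to 0 the two numbers are identical; with the namespace flags the child reports 1 while its parent still sees an ordinary host PID.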

Once the container is running, we need to control the machine resources it uses, such as disk, memory and CPU. Otherwise it could exhaust the physical machine's resources and cause system processes to crash. Cgroup technology is designed precisely to limit the resources of Linux processes. Its full name is Linux Control Group, and it is exposed as files and directories under /sys/fs/cgroup, as follows:

[root@VM-16-13-centos service]# ls -l /sys/fs/cgroup/
total 0
drwxr-xr-x 4 root root 0 Nov 20 11:38 blkio
lrwxrwxrwx 1 root root 11 Nov 20 11:38 cpu -> cpu,cpuacct
lrwxrwxrwx 1 root root 11 Nov 20 11:38 cpuacct -> cpu,cpuacct
drwxr-xr-x 5 root root 0 Nov 20 11:38 cpu,cpuacct
drwxr-xr-x 3 root root 0 Nov 20 11:38 cpuset
drwxr-xr-x 4 root root 0 Nov 20 11:38 devices
drwxr-xr-x 3 root root 0 Nov 20 11:38 freezer
drwxr-xr-x 3 root root 0 Nov 20 11:38 hugetlb
drwxr-xr-x 5 root root 0 Nov 20 11:38 memory
lrwxrwxrwx 1 root root 16 Nov 20 11:38 net_cls -> net_cls,net_prio
drwxr-xr-x 3 root root 0 Nov 20 11:38 net_cls,net_prio
lrwxrwxrwx 1 root root 16 Nov 20 11:38 net_prio -> net_cls,net_prio
drwxr-xr-x 3 root root 0 Nov 20 11:38 perf_event
drwxr-xr-x 4 root root 0 Nov 20 11:38 pids
drwxr-xr-x 4 root root 0 Nov 20 11:38 systemd

Each directory holds the limit values for one resource type. The most commonly used ones are:

blkio: sets I/O limits for block devices, generally disks

cpuset: assigns specific CPU cores and the corresponding memory nodes to processes

memory: sets a limit on the memory a process may use

When we start a container, Docker writes the PID of the container's process into the tasks file of the control group it created for that container, and the limits stored in that group (CPU, memory and so on) then apply to the process.
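As an added example (not part of the article), this C code shows how to find the control group a given PID was placed in. It parses the /proc/<pid>/cgroup format, where each line is hierarchy-id:controllers:path, and maps it onto the /sys/fs/cgroup/<controller> directories from the listing above, including the combined cpu,cpuacct hierarchy that the cpu and cpuacct symlinks point at. The sample file contents, the function name and the path under /docker/ are constructed for this example; to inspect a real process, feed it the contents of that process's /proc/<pid>/cgroup.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of /proc/<pid>/cgroup for a process inside the article's mysql
 * container (cgroup v1 layout; the path uses the short container id from the text). */
static const char SAMPLE_PROC_CGROUP[] =
    "11:pids:/docker/4784586d01e0\n"
    "10:memory:/docker/4784586d01e0\n"
    "4:cpu,cpuacct:/docker/4784586d01e0\n"
    "1:name=systemd:/docker/4784586d01e0\n";

/* Each line reads "<hierarchy-id>:<controller[,controller...]>:<path>". Find the hierarchy
 * that carries `controller` and build the directory under /sys/fs/cgroup where that group's
 * limit files (memory.limit_in_bytes, cpu.cfs_quota_us, ...) and its `tasks` file with the
 * member PIDs live. Returns 1 and fills `out` when found, 0 otherwise. */
int cgroup_dir_for(const char *proc_cgroup, const char *controller, char *out, size_t outsz) {
    size_t want = strlen(controller);
    for (const char *line = proc_cgroup; line && *line; ) {
        int id; char ctrls[64], path[256];
        const char *next = strchr(line, '\n');
        if (sscanf(line, "%d:%63[^:]:%255[^\n]", &id, ctrls, path) == 3) {
            /* walk the comma-separated list; only a whole token counts ("cpu" != "cpuacct") */
            for (const char *p = ctrls; ; p += strcspn(p, ",") + 1) {
                size_t tl = strcspn(p, ",");
                if (tl == want && strncmp(p, controller, tl) == 0) {
                    /* the mount is named after the whole list ("cpu,cpuacct"); a named
                     * hierarchy such as "name=systemd" is mounted without the "name=" prefix */
                    const char *mnt = strncmp(ctrls, "name=", 5) == 0 ? ctrls + 5 : ctrls;
                    snprintf(out, outsz, "/sys/fs/cgroup/%s%s", mnt, path);
                    return 1;
                }
                if (p[tl] == '\0') break;
            }
        }
        line = next ? next + 1 : NULL;
    }
    return 0;
}

int main(void) {                                  /* stand-alone demo on the sample */
    const char *wanted[] = { "memory", "cpu", "name=systemd", "blkio" };
    char dir[512];
    for (size_t i = 0; i < sizeof wanted / sizeof wanted[0]; i++)
        printf("%-13s -> %s\n", wanted[i],
               cgroup_dir_for(SAMPLE_PROC_CGROUP, wanted[i], dir, sizeof dir) ? dir : "(not in sample)");
    return 0;
}
```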

03 The relationship between containers, images, and repositories

Docker includes three basic concepts:

  • Image
  • Container
  • Repository

These three parts make up the entire life cycle of Docker, as shown in the figure above.

The Docker image contains a file system, similar to a virtual machine image, and is a read-only template. This file system is also commonly referred to as rootfs, and usually contains a series of directories such as bin, etc, sys, and usr.

The Docker container is instantiated from the image, which is very similar to the object-oriented concept we learned. We can imagine the image as a class and the container as an object after the class is instantiated. This makes it very easy to understand the relationship between the image and the container.

Docker repository: similar to a code repository, it is the place where Docker stores image files centrally.

This relationship can be expressed more clearly as:

The above is a detailed explanation of the concept of Docker containers. For more on Docker containers, see the other related articles on 123WORDPRESS.COM.
