container
2022-04-23 05:56:00 【fattt_】
1、 Container and image
1. How does the operating system manage processes?
When we log into an operating system, we can use ps (process status) to see all kinds of processes, including the system's own processes, those belonging to our own application, and those belonging to other applications.
So what are the characteristics of these processes?
First, they can see each other and communicate with each other; second, they use the same file system, which means that these processes can read and write the same files; third, they use the same system resources.
What problems do these three characteristics bring?
First, because they can see each other and communicate with each other, a process with elevated privileges can attack other processes. Second, because they use the same file system, there are two problems: 1. These processes can add, delete, modify and query existing data, which means that a privileged process can delete data needed by other processes and disrupt their operation. 2. The dependencies required by different processes can conflict, which puts pressure on operation and maintenance costs. Last, because they use the same system resources, applications may preempt each other's resources: when one application consumes a lot of CPU and memory, it can disrupt other applications and leave them unable to provide normal service.
How can we solve such problems? How do we provide an independent running environment for these processes?
The first question is how to provide a separate file system. Linux and Unix provide a system call named chroot, which can turn a subdirectory into the root directory. This is isolation at the view level: with the help of chroot, the process gets an independent file system, so its additions, deletions, modifications and queries on that file system do not affect other processes.
Second, processes can see each other, communicate with each other, and even use the same network resources. Here we can use namespace technology to isolate the process, that is, to isolate its view of resources. With the help of chroot and namespaces, the process can run in a separate environment.
Of course, in this independent environment the processes still use the resources of the same operating system, so a process can still eat into the resources of the whole system. To reduce its impact on other processes, we can use cgroups to limit its resource usage: for example, this process can only use 2G of memory, or only 4 CPUs. With the help of chroot, namespaces and cgroups, we can provide a relatively independent environment for the process, so that processes do not affect each other.
So how do we define such a set of processes?
2. What is a container?
A container is a set of processes with an isolated view, limitable resources and an independent file system.
View isolation - for example, seeing only part of the processes, or having an independent host name.
Resource usage control - for example, a 2G memory limit or a limit on the number of CPUs.
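To check the two properties above for a given process, the script below compares its namespaces with those of PID 1 and reads its cgroup limits. It is an added example, not code from the original article; the function names are hypothetical, the sample tree is constructed, and a cgroup v2 layout (memory.max, cpu.max) is assumed.

```shell
#!/bin/sh
# Added example. The tree built by make_sample is constructed, not captured.

# ns_diff PROC PID_A PID_B: print namespace types in which the two PIDs differ.
ns_diff() {
    proc=$1; a=$2; b=$3
    for link in "$proc/$a"/ns/*; do
        ns=$(basename "$link")
        [ "$(readlink "$link")" = "$(readlink "$proc/$b/ns/$ns")" ] ||
            printf '%s\n' "$ns"
    done
}

# cgroup_dir CGROOT PROC PID: the process's cgroup v2 directory ("0::/path").
cgroup_dir() {
    printf '%s%s\n' "$1" "$(sed -n 's/^0:://p' "$2/$3/cgroup")"
}

# mem_limit: memory cap in bytes. cpu_limit: CPU cap as quota / period.
mem_limit() { cat "$(cgroup_dir "$@")/memory.max"; }
cpu_limit() {
    read -r quota period < "$(cgroup_dir "$@")/cpu.max"
    if [ "$quota" = max ]; then echo unlimited; else echo $((quota / period)); fi
}

# make_sample DIR: constructed tree. PID 1 is the host init; PID 4242 is a
# containerized process limited to 2G of memory and 4 CPUs.
make_sample() {
    d=$1
    mkdir -p "$d/proc/1/ns" "$d/proc/4242/ns" "$d/cg/docker/demo"
    for ns in ipc mnt net pid user uts; do
        ln -s "$ns:[4026531000]" "$d/proc/1/ns/$ns"
        # Assumption for the sample: the user namespace is shared with the host.
        if [ "$ns" = user ]; then id=4026531000; else id=4026532000; fi
        ln -s "$ns:[$id]" "$d/proc/4242/ns/$ns"
    done
    echo '0::/docker/demo' > "$d/proc/4242/cgroup"
    echo 2147483648 > "$d/cg/docker/demo/memory.max"
    echo '400000 100000' > "$d/cg/docker/demo/cpu.max"
}

# Demo on the constructed tree: sh thisfile demo
if [ "${1:-}" = demo ]; then
    t=$(mktemp -d); make_sample "$t"
    ns_diff "$t/proc" 1 4242
    echo "mem=$(mem_limit "$t/cg" "$t/proc" 4242) cpus=$(cpu_limit "$t/cg" "$t/proc" 4242)"
    rm -rf "$t"
fi
```

On a live Linux host the same functions take /proc and /sys/fs/cgroup as their roots; reading /proc/1/ns normally requires root. A namespace type missing from the ns_diff output is one the process still shares with the host.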
3. What are the advantages of containers?
A container uses the resources of the host system, so its independent file system does not need to contain kernel-related code or tools. It only needs to provide the binaries, configuration files and dependencies that the container requires. As long as a container has all the files it needs to run, it can run.
The set of all files needed to run the container is called a container image.
4. How to build an image?
Usually we use a Dockerfile to build an image, because it provides some convenient syntax that helps us build a good image.
Dockerfile - describes the steps to build the image:
Each build step adds files to the existing file system, deletes files, or modifies existing files. This changes the file system, and we call each such change a changeset.
Look at the following picture, which shows the golang image. Each colored box represents one build step, together with its effect and description. When we apply the changes produced by these build steps, in order, to an empty folder, we get a complete image. These changesets are also reusable: the blue part of the picture is the alpine image, and the green part is golang's own changes. The golang image is built on the alpine image; in other words, images can reuse one another.
5. What advantages do the layering and reuse of changesets bring?
First, it improves distribution efficiency. For a large image, splitting it into small pieces improves distribution efficiency, because we can download the pieces in parallel.
Second, because this data is shared, when our local storage already contains some of it we only need to download the data that is missing.
Third, because image data is shared, it saves a lot of disk space.
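The changeset model and the reuse advantage can be tried on plain directories. The script below is an added example, not code from the original article: it applies changesets in order to an empty folder and reports which layers a local store is still missing. Function names and layer contents are constructed, deletions use the OCI layer convention of ".wh." whiteout markers, and sha256sum is assumed to be available.

```shell
#!/bin/sh
# Added example. Layer contents are constructed; they are not real image data.

# apply_layers ROOTFS LAYER...: apply each changeset, in order, onto ROOTFS.
apply_layers() {
    rootfs=$1; shift
    mkdir -p "$rootfs"
    for layer in "$@"; do
        # Deletions first: a marker ".wh.NAME" removes NAME from lower layers.
        (cd "$layer" && find . -name '.wh.*') | while read -r wh; do
            name=$(basename "$wh"); name=${name#.wh.}
            rm -rf "${rootfs:?}/$(dirname "$wh")/$name"
        done
        # Then additions and modifications: copy files over the current tree.
        (cd "$layer" && find . -type f ! -name '.wh.*') | while read -r f; do
            mkdir -p "$rootfs/$(dirname "$f")"
            cp "$layer/$f" "$rootfs/$f"
        done
    done
}

# layer_id DIR: content digest of a changeset (sorted paths plus file bytes).
layer_id() {
    (cd "$1" && find . -type f | sort | while read -r f; do
        printf '%s\n' "$f"; cat "$f"
    done) | sha256sum | cut -d' ' -f1
}

# layers_to_pull STORE LAYER...: print the layers whose digest STORE lacks.
layers_to_pull() {
    store=$1; shift
    for layer in "$@"; do
        [ -e "$store/$(layer_id "$layer")" ] || printf '%s\n' "$layer"
    done
}

# make_demo DIR: a base layer, a layer on top of it, and a local layer store.
make_demo() {
    d=$1
    mkdir -p "$d/base/etc" "$d/base/bin" "$d/go/etc" "$d/go/usr/local/go" "$d/store"
    echo alpine > "$d/base/etc/os-release"
    echo hello  > "$d/base/etc/motd"
    echo shell  > "$d/base/bin/sh"
    echo go1.12 > "$d/go/usr/local/go/VERSION"
    : > "$d/go/etc/.wh.motd"              # the upper layer deletes /etc/motd
    : > "$d/store/$(layer_id "$d/base")"  # the base layer is already local
}
```

Because a layer is identified by the digest of its content, a base layer that is already in the store is never fetched again, whichever image refers to it.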
6. How to build an image?
First, let's look at the following picture. It is a Dockerfile that describes how to build a golang application.
Line 1: FROM golang:1.12-alpine names a base image. The following steps build on the golang image, which shows that images can be reused.
Line 2: WORKDIR sets the directory in which the following build steps are carried out, similar to cd.
Line 3: COPY copies files from the host into the container image.
Lines 4 and 5: RUN executes the given command in the image's file system. For example, go get downloads the golang program's dependencies, and go install runs go build and then moves the generated binary to a searchable location, such as the /usr/bin directory.
When these steps are done, we have a golang application.
Line 6: CMD sets the default program to run when the image is used; here its name is app.
Once we have such a Dockerfile, we can use docker build to build the application we need. The result of the build is stored locally. In general, images are built on a packaging machine or in some other isolated environment.
So how does the image get to run in a production or test environment?
For that we need a transfer station, a central store called the docker registry, that is, the image repository. It stores all the image data we generate. We only need docker push to push a local image to the registry, and then we can download it in the production or test environment and run it.
7. How to run an image? That is, how to run a container?
Step 1: pull the image from the image registry, for example the busybox image:
docker pull busybox:1.25
Step 2: view the local image list:
docker images
Step 3: select the image and run it:
docker run [-d] --name demo busybox:1.25 top
Which parameters does docker run need?
First, give the container a name, for example demo; then say which image the container uses, here busybox:1.25; the final top means that the process run in this container is the top command.
8. Summary
An image is like a template, and a container is like a concrete instance of it. Images are built once and run anywhere.
Container: a set of processes isolated from the rest of the system.
Image: the set of all files needed by the container - Build once, Run anywhere.
2、 The life cycle of the container
Single process model
(1) Init process life cycle = container life cycle
(2) While the container is running, exec can be used to perform O&M operations
Data persistence
(1) Life cycle independent of the container
(2) Data volumes - docker volume vs bind
To briefly review the previous section: a container is a set of processes with isolation properties. With docker run you choose an image to serve as the independent file system and specify the program to run; that program is called the Init process.
You will find that when the Init process starts, the container starts, and when the Init process exits, the container exits. So the container's life cycle can be considered the same as the Init process's life cycle. Of course, a container holds more than the Init process: the Init process can have child processes, and operations started through docker exec also fall under the Init process's management. When the Init process exits, its child processes exit too, which prevents resource leaks.
But what problem does this cause?
An application may be stateful and may produce very important data, for example redis and MySQL. When a container exits and is deleted, that data is lost. This is unacceptable, so we need to persist the data generated in the container. The container can persist data to a specified directory, and this directory is called a data volume.
What are the characteristics of data volumes?
Most obviously, the life cycle of a data volume is independent of the life cycle of the container: creating, running, stopping and deleting containers has nothing to do with the life cycle of the data volume, because a data volume is a special directory whose purpose is to help the container persist data.
So how do we use data volumes, and what are the options?
Simply put, we mount the data volume into the container, so the container writes its data to that directory and the container's exit does not lose the data. There are usually two ways. The first is bind: a directory on the host is bound directly into the container. Its drawback is that it depends on a host directory, so the host directories have to be managed uniformly. The second way is similar, except that management of the directory is handed to the container engine: first create the data volume with docker volume create demo, and the directory of this volume is then managed by docker. In the mount argument, the left-hand part becomes the name of the volume, and the rest is the same as in the first way.
Data volumes exist independently of containers and help us persist data quickly.
3、 The architecture of the container project
1. moby container engine architecture
moby is the most popular container management engine at present.
The moby daemon provides management of containers, images, networks and volumes to the layers above it. So what components does it rely on?
The most important component it relies on is containerd. containerd is a container runtime management engine that is independent of the moby daemon and provides management of containers to the layers above it.
Focusing on the container part, at the bottom of containerd there is a module called containerd shim. This module is also a daemon. Why is it designed this way?
First, containerd needs to manage the life cycle of containers, and containers may be created by different container runtimes, since there are now several mainstream container virtualization solutions such as runC, kata and gVisor. To support these runtimes, flexible plug-in management is needed: a shim is developed for each container runtime, so it can be split out of containerd and managed as a plug-in. In addition, implementing the shim as a plug-in lets containerd take over containers dynamically, with an important property: it does not affect the operation of existing containers.
What would happen without this capability?
If the moby daemon quit unexpectedly, no one would manage the containers, and they would exit and disappear, which would affect our applications. Besides this case, a more common one is upgrading moby: without the shim mechanism, we could not upgrade in place. So containerd shim is very important: it implements the dynamic takeover capability.
That is the architecture analysis of the moby container management engine.
4、 Containers vs VM
1. Differences between containers and VMs
What is a VM?
A VM uses Hypervisor virtualization technology to simulate hardware resources such as CPU and memory, so that a Guest OS can be installed on top; this is what we usually call building a virtual machine. Every Guest OS has its own kernel, for example Ubuntu, CentOS or Windows, and the applications in each are independent of one another, because from inside one Guest OS the applications in other Guest OSes cannot be seen. A VM therefore provides better isolation, but that isolation has a price. Part of the computing resources must be handed over to virtualization, which makes it hard to make full use of the existing computing resources, and every Guest OS takes up a lot of disk space: a Windows installation may require 10-30G of space, and Ubuntu may need 5-6G. VMs therefore start slowly, consume a lot of resources and occupy a lot of disk space, and these shortcomings gave rise to container technology.
Containers work at the process level, so a container does not need a Guest OS. It only needs an independent file system that provides the set of files it needs to run. All isolation is at the process level, so a container starts faster than a VM and needs less disk space than a VM. Of course, process-level isolation is not as strong: a container's isolation is much weaker than a VM's.
For this reason, containers are also developing towards stronger isolation.
Copyright notice
This article was written by [fattt_]. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/04/202204230541585200.html