Background:
In terms of linux, the linux operating system will have a main process with pid=1 and derive other processes to control different services
For example: PID = 2 -- > Python PID = 3 – > java pid4 – > PHP, the three services may affect each other
Users expect to run these three different services in different runtime environments without affecting each other and increasing the server cost
Can these three services be encapsulated separately? KVM virtualization technology enables one operating system to simulate multiple operating systems / different runtime
environment
With the development of technology, virtualization technology costs a lot (for example, as long as you run a py script, if you want to use virtualization, you need to install an operating system, which is inconvenient / reasonable)
Extended container technology
The abstraction layer (user layer) of the virtualization layer is stripped and docker engine is used
Instead of the guest operating system, it can be directly connected to the host operating system through the engine, which greatly reduces the overhead
1232
2464
One of the differences between docker and virtual machine (resource utilization / loss)
###How to isolate application A from application B
How to judge the isolation between applications and applications
Operating system dimension
Application A is isolated from application B. in the operating system, it is realized through namespaces (namespaces). Only the following six spaces can be isolated
It is considered that the two applications achieve complete / complete isolation
1, Namespace
The container isolates 6 namespaces (namespace dimensional isolation - encapsulated with containerization Technology) * * **
Mount file system, mount point - a file system cannot be repeatedly mounted in a specified directory, for example: / mnt
User the user and user group of the action process..........
pid process number
uts host name and host domain
ipc semaphores, message queues, and shared memory (understand that different applications should use different memory spaces when calling memory resources)
net network equipment, network protocol stack, port, etc
-
cgroups management version 3.8
-
Cgroups resource management module in Linux kernel
-
cgroups manages some system resources
Namespaces
Docker uses a technology called namespaces to provide isolated workspaces for containers. When you run a container, docker creates a -- group namespace for the container. These namespaces provide a - layer of isolation. Each aspect of the container runs in a separate namespace, and its access is limited to that namespace.
Docker Engine on Linux Use the following namespaces on:
This PID namespace: process isolation (PID: process ID)
The command space: manage network interface (net: Network)
The IPC namespace: manage access to IPC resources (IPC: interprocess communication)
This MNT namespace: managed file system mount point (MNT: Mount)
The UTS namespace: isolates kernel and version identifiers. (UTS: Unix time sharing system)
The docker engine requires a kernel version (at least 3.8 +)
docker requires the resource management function of cgroups
The latest namespace is 3.8
What's the point of using docker?
ECS belongs to IAAS and Docker (k8s) belongs to PAAS
IASS: infrastructure services
SAAS: application as a service
PAAS: platform and service
Docker images: image
Docker container: container
Docker registry: image warehouse
The place where the image is stored is found on the public Docker Hub by default. You can build a personal warehouse
2, docker and virtualization
2.1cgroups
The Docker Engine on Linux also relies on another technology called cgroups. cgroup restricts applications to a specific set of resources. The control group allows the Docker Engine to share available hardware resources to the container and selectively implement restrictions and constraints.
For example, you can limit the memory available for a particular container.
2.2 full virtual, semi virtual and container technology
[the external chain picture transfer fails. The source station may have an anti-theft chain mechanism. It is recommended to save the picture and upload it directly (img-SS6HlBWQ-1641814563053)(C:\Users \ Zhao Jinhua \ Desktop \ finishing review \ docker picture \ 1.png)]
2.3 how to distinguish different applications in virtual machines?
Generally, it is impossible for a virtual machine to run only one application, because this is really a waste of resources. We can think about it. Now the computer in hand can import several virtual machines with VMware. Therefore, cloud foundation creates an isolated environment called "sandbox" for each application by introducing mechanisms such as operating system Cgroups and Namespace, Then start the applications in these "sandboxes". In this way, the applications in the virtual machine will not interfere with each other and fly freely. We will discuss the implementation principles of Cgroups and Namespace later
The so-called isolated environment here is "container".
2.4 microservices
[the external chain image transfer fails. The source station may have an anti-theft chain mechanism. It is recommended to save the image and upload it directly (img-ynGF9ZOG-1641814563054)(C:\Users \ Zhao Jinhua \ Desktop \ finishing review \ docker image \ 2.png)]
Splitting 40G packets into four groups of 10G packets for simultaneous operation is the concept of microservices. Originally, a machine was needed to run 40G packets, but microservices were miniaturized, divided into multiple small blocks and processed at the same time, which greatly accelerated the speed of deployment.
When updating the package, it generally needs to be updated in full, which is extremely time-consuming. At this time, you can upgrade the image of a single split module separately. Generally, it is only about 10G, and the upgrade time is reduced.
2.5 enterprise - overall process of development, operation and maintenance
① First, the code is developed by the developer, and then compiled and packaged
PS: Packaging: maven is usually used The tools are packaged in war or jar
② After completing the package, place it in the corresponding runtime environment for trial operation
PS: the runtime environment here refers to: for example, Tomcat (Java environment) php (php environment) 1
③ In the middle will be added Some test procedures are used to test the effectiveness, availability and enforceability of the code
④ After the above tests are completed, the O & M will pull the software package and run it in the actual production run time
In the environment
Problem: in the o point above, the runtime environments of different development languages are confused, which will have great hidden dangers and inconvenience
Traditionally, the so-called runtime environment, such as tomcat (java environment), PHP (PHP environment), etc
In the container, the so-called runtime environment refers to the inside of the "container"
Before that, container 1 was a runtime environment, and the component constituting the container was image image (a template of runtime environment)
2.6 docker data flow diagram
[the external chain image transfer fails. The source station may have an anti-theft chain mechanism. It is recommended to save the image and upload it directly (img-Q5c6mNTg-1641814563055)(C:\Users \ Zhao Jinhua \ Desktop \ finishing review \ docker image \ 3.png)]
Docker daemon (dockerd) listens to Docker API requests and manages docker objects, such as images, containers, and network volumes. Daemons can also communicate with other daemons to manage docker services.
Docker images: image
Docker container: container
Docker registry: image warehouse 65, 55lo'iuu
2.7 docker image flow direction
[the external chain image transfer fails. The source station may have an anti-theft chain mechanism. It is recommended to save the image and upload it directly (img-e9idnL4L-1641814563055)(C:\Users \ Zhao Jinhua \ Desktop \ finishing review \ docker image \ 4.png)]
2.8 container and VM (virtual machine)
[the external chain image transfer fails. The source station may have an anti-theft chain mechanism. It is recommended to save the image and upload it directly (img-vQJZNElH-1641814563056)(C:\Users \ Zhao Jinhua \ Desktop \ sorting and review \ docker image \ 5.png)]
What are the advantages of 2.9 docker over virtualization
| difference | container | VM |
|---|---|---|
| Starting speed | Second order | Minute level |
| Operational performance | Near native (running directly in the kernel) | About 50% loss |
| Disk occupancy | MB | GB |
| quantity | hundreds of | Generally more than ten sets |
| Isolation | Process level | System level (more thorough) |
| operating system | Mainly support Linux | Almost all |
| Encapsulation degree | Only package the project code and dependencies, and share the host kernel | Complete operating system, isolated from the host |
What are the advantages of docker?
PS: (three unified encapsulated modes image, runtime environment container, and unified platform engine)
What are the advantages over Virtualization (comparison in the table)
The main difference between docker and VM lies in resource utilization and isolation (shared kernel and independent manufacturing system)
Docker makes container technology into a standardized platform CAAS (docker unifies - / specifies the standardized platform of container technology). What's the meaning of using docker?
Docker engine unifies the infrastructure environment - docker container environment (engine)
Docker engine unifies program packaging (boxing) - docker image
Docker engine unifies the program deployment (running) mode - docker container
Image - the service / application state at a certain time encapsulated by
Container - the running state of the application (the state of normal service provision - runtime)
It realizes one-time construction, multiple times and multiple uses
Docker Ce (community version) docker EE (enterprise version)
3, Docker
3.1 usage scenario of locker
K8S image mirroring + container
war jar - github gitlab private warehouse (code warehouse) - jenkins (test)
(application encapsulation / image building) I - "operation and maintenance download", using container technology for operation / release
Packaged application simple deployment
It can be migrated arbitrarily away from the underlying hardware (realizing the isolation of applications, splitting and decoupling applications), for example, from the server
Tencent cloud moves to Alibaba cloud
Continuous integration and continuous delivery (CI/CD): development to test release
Deploy microservices
The virtual machine that provides PAAS products (platform as a service) {OpenStack is similar to Alibaba cloud ECS and belongs to IAAS and Docker(
K8S) belongs to PAAS}
docker three elements
Mirror - template
Container - image based, running state / runtime state
Warehouse - store image template
3.2 Docker Engine
Docker Engine is a C/S client server application with the following main components:
Server side: the server is a long-running program called daemon process (dockerd command).
CLIENT side: the rest API, which specifies the interface that the program can use to communicate with the daemon and indicate its operation.
Command line interface (CLI) client (docker command).
docker run
docker start
docker rm
The client enters the docker server in the kernel through the restAPI
——>Processed by the server side
——>It is returned to the docker client side through the rest API for display
3.3 Docker architecture
Docker uses a client server architecture. Docker client and docker
The daemon talks, and the daemon completes the heavy work of building, running and distributing Docker containers.
Docker is different from traditional virtualization. It does not need virtual hardware resources and directly uses the container engine, so it is fast
Docker Client: client / provides a platform for user interaction and presentation+
Tool for managing and controlling docker server (function)
Docker client (docker) is the main way for many docker users to interact with docker. When you use something like
docker during command
run, the client will send these commands to dockerd to execute these commands. The docker command uses docker
API. Docker clients can communicate with multiple daemons.
Docker daemon: daemon
Docker daemon (dockerd) listens for dockers
API requests and manages Docker objects, such as images, containers, networks, and volumes. Daemons can also communicate with other daemons to manage Docker services.
Docker images: image
cgroups namespace
3.4 docker three components
Containers can be packaged as images
-
Docker container: container
-
Docker registry: image warehouse (yum warehouse)
Components:
- Image: a collection of group resources, including application software packages, application related dependent packages, and the basic environment (generally referred to as the operating system environment) required to run the application, which can be understood as the template of the container
- Container: a - runtime state based on image
- Warehouse: store image images. Warehouse categories: 1. Public warehouse - docker hub 2. Private warehouse registry
harbor
4, Install Docker
#Environment configuration
systemctl stop firewalld && systemctl disable firewalld
setenforce 0
#Install dependent packages
yum -y install yum-utils device-mapper-persistemt-data lvm2
#Set alicloud image source
cd /etc/yum.repos.d/
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
#Install docker CE community version (docker EE for enterprise version, charged)
yum -y install docker-ce
#start-up
systemctl enable docker && systemctl start docker
12345678910111213141516
Configuring alicloud image acceleration
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://4iv7219l.mirror.aliyuncs.com"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
12345678
network optimization
cat >> /etc/sysctl.conf <<EOF
net.ipv4.ip_forward=1
EOF
sysctl -p
systemctl restart network
systemctl restart docker
1234567
One click installation
[root@c7-1 ~]#cat docker.sh
#!/bin/bash
#Environment configuration
systemctl stop firewalld && systemctl disable firewalld
setenforce 0
#Install dependent packages
yum -y install yum-utils device-mapper-persistemt-data lvm2
#Set alicloud image source
cd /etc/yum.repos.d/
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
#Install docker CE community version (docker EE for enterprise version, charged)
yum -y install docker-ce
#Configure alicloud image acceleration (try to use your own)
#Address https://help.aliyun.com/document_detail/60750.html
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://4iv7219l.mirror.aliyuncs.com"]
}
EOF
sudo systemctl daemon-reload
#network optimization
cat >> /etc/sysctl.conf <<EOF
net.ipv4.ip_forward=1
EOF
sysctl -p
systemctl restart network
systemctl enable docker && systemctl restart docker
1234567891011121314151617181920212223242526272829303132333435
PS
Docker server side configuration file daemon json
#Production configuration example, at daemon Defined in JSON
{
"graph": "/data/docker",
"storage-driver": "overlay2",
"insecure-registries": ["registry.access.redhat.com","quary.io"]
"registry-mirrors": ["https://q"]
"bip": "172.7.5.1/24",
"exec-opts": ["native.cgroupdriver=systemd"],
"live-restore": true
}
#Parameter description
"graph": "/data/docker", #Specify data directory
"storage-driver": "overlay2", #Specify storage engine
"insecure-registries": ["registry.access.redhat.com","quary.io"] #Private warehouse
"registry-mirrors": ["https://q"] # Configure mirror acceleration
"bip": "172.7.5.1/24", #In the docker network, the middle two suggest the same as the host. If there is a problem with the container, it is better to locate the host
"exec-opts": ["native.cgroupdriver=systemd"], #Additional parameters at startup (drive, k8s use)
"live-restore": true #When the docker container engine hangs, the container running with docker can still run (separate)
12345678910111213141516171819
5, Docker image and container command management
5.1 image command management
PS:
- The docker client is connected to the server (the server runs in the operating system as a daemon) restful api, a typical C/S architecture
- The daemon on the docker server downloads the image from the docker hub (PS: the server will first check whether the local system has this image)
- The server creates a new container, and then starts a container from the removed image. The container executes scripts / executable programs so that we can view / use
- The docker server returns these information flows (transfers) to the client and displays them (on the terminal)
#Query docker version and information
docker version
docker info
#Search for images (you can create your own images and upload them to the local or official website warehouse dockerfile)
docker search <Image name>
#Download Image
docker pull <Image name>
#View mirror list
docker images
#View mirror details
docker inspect <image ID>
#Label the image
docker tag <Image name>:<Original label> <Image name>:<new label>
#docker tag nginx:latest nginx:lnmp
#delete mirror
docker rmi <Image name>
docker rmi <Mirror label>
docker rmi <image ID>
docker rmi `docker images -aq` #Delete all mirrors
docker images | awk 'NR>=2{print "docker rmi -f "$3}' | bash
#Mirror export
docker save -o <Exported file name> <Image name>
#docker save -o nginx_v1 nginx:latest
#Mirror import
docker load < [Mirror file]
#docker load < nginx_v1
12345678910111213141516171819202122232425262728293031323334
5.2 container command management
#Query container
docker ps -a
#View system resource information occupied by container
docker stats
#Create container
docker create -it nginx:latest /bin/bash
#Description of common parameters
> -i Leave the standard input of the container open
> -t Assign a pseudo terminal
> -d Run as a background daemon
#Start / stop / restart container
docker start <container ID>
docker stop <container ID>
docker restart <container ID>
#Run in the background, and specify the container name as test
docker run -itd --name test nginx:latest /bin/bash
#Enter container
docker exec -it <container ID> /bin/bash #Exit exit
#Container export / import
docker export [container ID] > [file name]
docker import [Container file name] [Specify the mirror name] #Imported is a mirror
#Batch stop container
docker ps -a | awk 'NR>=2{print "docker stop "$1}' | bash
docker ps -a | awk 'NR>=2{print $1}' | xargs docker stop
#Batch delete container
docker rm -f `docker ps -aq`
docker ps -a | awk 'NR>=2{print "docker rm "$1}' | bash
docker ps -a | awk 'NR>=2{print $1}' | xargs docker rm -f
#Batch delete containers with "exit" status (specified status)
for i in `docker ps -a | grep -i exit | awk '{print $1}'`; do docker rm -f $i;done
#View container process number
docker inspect -f '{{.State.Pid}}' <Container name>
docker inspect -f '{{.State.Pid}}' <container ID>
12345678910111213141516171819202122232425262728293031323334353637383940414243
Replication of files between container and host
docker run -itd --name nginx_test nginx:latest /bin/bash #Copy host to container [root@tengxun-02 ~]#touch testfile [root@tengxun-02 ~]#ls testfile [root@tengxun-02 ~]#docker cp testfile nginx_test:/opt [root@tengxun-02 ~]#docker exec -it nginx_test bash root@2ca07b152329:/# cd /opt root@2ca07b152329:/opt# ls testfile #Copy container to host root@2ca07b152329:/opt# ls testfile root@2ca07b152329:/opt# touch haha root@2ca07b152329:/opt# ls haha testfile root@2ca07b152329:/opt# exit exit [root@tengxun-02 ~]#docker cp nginx_test:/opt/haha . [root@tengxun-02 ~]#ls haha testfile 1234567891011121314151617181920212223 Did you enter the container systemctl Command resolution add to --privileged=true(Specifies whether this container is a privileged container), which cannot be used if this parameter is used attach. > Example: docker run -itd --name test3 --privileged=true centos /sbin/init `/sbin/init The first process actively called when the kernel starts` have access to docker inspect <container ID> docker ps -a docker exec -it <container ID> /bin/bash yum install httpd -y systemctl status httpd 1234567891011
The standard running process of docker in the background:
(1) Checks whether the specified mirror exists locally. When the image does not exist, it will be downloaded from the public warehouse;
(2) Create and start a container using the image;
(3) Allocate a file system to the container and mount a read-write layer outside the read-only image layer;
(4) Bridging a virtual machine interface from the bridge interface configured by the host to the container;
(5) Assign an IP address in an address pool to the container;
(6) Execute the application specified by the user. After execution, the container is terminated.