Docker's Mirror and Container

I. What is docker?

The Docker container is a Docker process + image file (the Docker image contains the running environment and configuration)

Official Definition: Docker is a platform designed for developers and system administrators to build, distribute and run distributed applications, using Docker container as the basic unit of resource division and scheduling, encapsulating the entire software runtime environment. It is a cross-platform, portable and easy-to-use container solution.

Docker provides container resource isolation and security through kernel virtualization technology (namespace and cgroups, etc.). Docker implements isolation through virtualization of operating system layer, so Docker container does not need additional operating system overhead similar to VM to improve resource utilization.

 

1.1 namespace isolation container operating environment

  • When a container is started with dockerrun, Docker creates a separate namespace for the container in the background. Namespaces provide the most basic and direct isolation, and processes running in containers are not detected and affected by processes running on local hosts and other containers through normal channels.
  • From the perspective of network architecture, all containers actually communicate with each other through the Docker0 interface of the local host, just as physical machines communicate with each other through physical switches.  

1.2 Security of Resource Control in Control Group

Control group is another key component of Linux container mechanism, which is responsible for resource audit and restriction. When a container is started with docker run, Docker creates a separate set of control group policies for the container in the background.  
It provides many useful features; ensures that containers can share the host's memory, CPU, disk and other resources fairly; and, of course, more importantly, the control group ensures that when resource pressures occur in containers, they do not affect the local host system and other containers.  
Although the control group is not responsible for isolating the access and processing of data and processes between containers, it is essential to prevent denial of service attacks (DDoS). Especially on multi-user platforms (such as public or private PaaS), control groups are very important. For example, when some application containers are abnormal, the local system and other containers can be guaranteed normal operation without affecting.

 

Advantage

  • Continuous deployment and testing: Eliminate environmental differences online and offline, and ensure environmental consistency and standardization of application life cycle. Developers use mirrors to build standard development environments. After development, they migrate by encapsulating the mirrors of the complete environment and applications. As a result, test and maintenance personnel can deploy software mirrors directly for testing and publishing, greatly simplifying the process of continuous integration, testing and publishing.
  • Cross-Cloud Platform Support: The greatest benefit of Docker is its adaptability. More and more cloud platforms support Docker. At the same time, it makes it possible to deploy multi-platform applications.
  • Environment Standardization and Version Control: Based on the environment consistency and standardization provided by Docker, you can use Git and other tools to version control the Docker image. Compared with code-based version control, you can also control the entire application running environment, and rollback quickly in case of failure. Docker compresses and backups faster than previous virtual machine images, and mirror startup is as fast as starting a normal process.
    • High resource utilization and isolation: Docker container has no additional overhead of the management program, and shares the operating system with the underlying layer. It has better performance and lower system load. Under the same conditions, it can run more application examples and make full use of system resources. At the same time, Docker has good resource isolation and restriction capabilities, which can accurately allocate CPU, memory and other resources to applications, ensuring that applications do not interact with each other.
    • Container Cross-Platform and Mirror: Docker has set up a set of standardized configuration methods for containers, packaging applications and their dependent running environments into images, realizing the concept of "build once, run everywhere". It greatly improves the cross-platform of containers.
    • Application Mirror Warehouse: Docker officially built a Mirror Warehouse.

 

II. Basic operation of docker

 ->docker --version  #View Version
   Docker version 17.09.0-ce, build afdb6d4Copy code

Search for an image and pull it down
The command to download the mirror is very simple, just use the docker pull command. On docker's mirror site, mirrors are stored in the way of "user name / mirror name".
You can use docker images to view pulled-down images, where IMAGE ID is the IMAGE ID. When you delete images, you can use this IMAGE ID to delete docker rmi [IMAGE ID,REPOSITORY]

 ->docker search centos
   NAME            DESCRIPTION                      STARS         OFFICIAL      AUTOMATED
   centos          The official build of CentOS.    3824          [OK]
                            ...
 ->docker pull centos #Pull out the mirror
 ->docker images
   REPOSITORY          TAG        IMAGE ID        CREATED       SIZE
   centos              latest     a7876479f1aa    4 years ago   128MB
 ->docker rmi a7876479f1aa #Delete imageCopy code

Run hello world in a docker container, create a container using docker run, and docker run generates a container and saves it. Then you can run it directly instead of creating a new container. The container here is container. The container of docker can be understood as a process running in a sandbox. . This sandbox contains the necessary resources for the process to run, including file systems, system libraries, shell environments, and so on. But by default, this sandbox will not run any programs. You need to run a process in a sandbox to start a container. This process is the only process in the container, so when the process ends, the container will stop completely.
You can see the running container through dockers. When we run docker run centos echo "hello word" and see output "hello word" and then run dockers, no container will output. This is because the container does not run any process after running echo "hello word", so the container exits. All containers can be viewed through docker ps-A

 ->docker run centos echo "hello word" #Create a container through the centos image to output "hello word"
   hello word
 ->docker ps -a
   CONTAINER ID   IMAGE      COMMAND              CREATED          STATUS              PORTS     NAMES
   e46ec634bbe1   centos     "echo 'hello word'"  12 minutes ago   Exited (0) 12 minutes agoCopy code

The next step is to install a simple program for the container. The centos image was downloaded before, so you can use the yum command to install the program.
Note: After the yum command is executed, the container will stop, but changes to the container will not be lost. But when you re-run a container from image, the previously installed program does not exist, because all the modifications are for container, not image, so the container from image run is a brand new one.

->docker run centos yum -y install net-tools
->docker ps -a  #You can see that there are already two container s
  CONTAINER ID  IMAGE     COMMAND                CREATED         STATUS           PORTS     NAMES
  2f1bbd6c30e3  centos    "yum install -y ne..." 1 minutes ago   Exited (0) 1 minute ago    competent
  35129633c933  centos    "echo hello word"      1 minutes ago   Exited (0) 1 minute ago    dazzlingCopy code

Now the container is available and the required program is installed, but there is only one container, which can't run. Don't rush to see how to run the container. But there are also several ways to run the container. One way is to create the container and run it. As I said before, it needs an activity to keep the container running. When all the processes in the container exit, the container stops accordingly, so it's easy to create the container and keep it running by using the ping command.

->docker run centos ping lozz.cc
  PING lorencoll.coding.me (103.218.240.147) 56(84) bytes of data.
  64 bytes from 103.218.240.147 (103.218.240.147): icmp_seq=1 ttl=37 time=16.0 ms
  64 bytes from 103.218.240.147 (103.218.240.147): icmp_seq=2 ttl=37 time=16.4 ms
  Ctrl+C
->docker ps  #View active containers
  CONTAINER ID    IMAGE      COMMAND        CREATED              STATUS       PORTS        NAMES
  10c5c2754279     centos    "ping lozz.cc" About a minute ago   Up About a minute         jollyCopy code

If you start, you stop. Stop can stop a container with the docker stop container_id command. Now let's talk about the second way to start a container. This method is used when the container has been created. We know that every run creates a new container, sometimes it doesn't need to be created. Build, you can use docker start container_id to start a container. It's important to note that the inactive process container will still exit after starting, because the container is created from the mirror, so the container also contains additional commands to create the container, when docker start The attachment command to create this container will be executed again. Is it a bit twisted? Knock it once.

->docker ps    #View active containers
  CONTAINER ID    IMAGE    COMMAND          CREATED          STATUS      PORTS         NAMES
  10c5c2754279    centos   "ping lozz.cc"   23 minutes ago   Up 23 minutes             jolly

->docker ps -a #View all existing containers
  CONTAINER ID    IMAGE    COMMAND                CREATED          STATUS      PORTS        NAMES
  10c5c2754279    centos   "ping lozz.cc"         21 minutes ago   Up 21 minutes            jolly
  2f1bbd6c30e3    centos   "yum install -y ne..." 36 minutes ago   Exited (0) 3 minute ago  competent
  35129633c933    centos   "echo hello word"      About hour ago   Exited (0) hour ago      dazzling

# Attempt to start the installation net-tools Containers,
# -i It means to output information to the console and return directly to the console without this parameter. CONTAINER ID
->docker start -i 2f1bbd6c30e3
  Loaded plugins: fastestmirror, ovl
  Loading mirror speeds from cached hostfile
   * base: mirrors.aliyun.com
   * extras: mirrors.aliyun.com
   * updates: mirrors.cn99.com
  Package net-tools-2.0-0.22.20131004git.el7.x86_64 already installed and latest version
  Nothing to do
->docker ps  #View active containers
  CONTAINER ID    IMAGE    COMMAND          CREATED          STATUS      PORTS         NAMES
  10c5c2754279    centos   "ping lozz.cc"   30 minutes ago   Up 30 minutes             jolly
->docker stop 10c5c2754279  #Containers that stop executing ping commands
  10c5c2754279
->docker start -i 10c5c2754279  #Start the container that executes the ping command
  PING lorencoll.coding.me (103.72.144.62) 56(84) bytes of data.
  64 bytes from 103.72.144.62 (103.72.144.62): icmp_seq=1 ttl=37 time=15.1 ms
  64 bytes from 103.72.144.62 (103.72.144.62): icmp_seq=2 ttl=37 time=16.3 ms
  64 bytes from 103.72.144.62 (103.72.144.62): icmp_seq=3 ttl=37 time=16.8 ms
  Ctrl+CCopy code

As you can see from the above prompt, the start command also executes the yum-y install net-tools in the previous creation command docker run CentOS yum-y install net-tools, because the container has been installed with net-tools, so yum prompts you not to install it, to see if there is only one in the active container. Previous containers are running. So now there's a question, can't the container I installed net-tools work? In fact, otherwise, the reason why this container "can't work" is that it was created without specifying the appropriate command, and it's also possible to use it. We packed it into an image, that is, a mirror, and packed it and then passed it through. Docker's idea of application isolation is also in line with Docker's idea of creating containers. The command to package containers into mirrors is simple docker commit container_id image_name. My packing command is docker commit 2f1bbd6c30e3 lorenwe/centos_net_tools. The name is regular, and docker used earlier. User id, if you want to push this image to the name of docker hub, you can't name it casually. It doesn't matter if you don't push it to docker hub, but it can't be too casual, right.

->docker ps -a
  CONTAINER ID    IMAGE    COMMAND                CREATED        STATUS     PORTS     NAMES
  10c5c2754279    centos   "ping lozz.cc"         About an hour ago                   jolly
  2f1bbd6c30e3    centos   "yum install -y ne..." About an hour ago                   competent
  35129633c933    centos   "echo hello word"      About an hour ago                   dazzling
->docker commit 2f1bbd6c30e3 lorenwe/centos_net_tools
  sha256:35f8073cede14473601d9f138a9815bc9ab5c7d97f914ca2f5ce910bd78b5750
->docker images
  REPOSITORY                  TAG          IMAGE ID         CREATED             SIZE
  lorenwe/centos_net_tools    latest       35f8073cede1     23 seconds ago      277MB
  centos                      latest       d123f4e55e12     2 weeks ago         197MB
  d4w/nsenter                 latest       9e4f13a0901e     14 months ago       83.8kBCopy code

It's so simple that a new image is created. Now you can do something interesting with this image. It's still the docker run command, but this time add some more parameters, such as docker run-itd -- name my_net_tools lorenwe/centos_net_tools/bin/bash.
The parameters itd are'standard input to container','assign a virtual terminal','run as a daemon (background)', - name naturally specifies the name of the container after creation, / bin/bash executes the bash script and executes the above commands to create a container running in the background.

->docker run -itd --name my_net_tools lorenwe/centos_net_tools /bin/bash
  e1d843f7726f67d2635042695e2065b383736a341edd2e83753be9fabec03de0
->docker ps  #View active containers
  CONTAINER ID   IMAGE                     COMMAND      CREATED      STATUS   PORTS      NAMES
  e1d843f7726f   lorenwe/centos_net_tools  "/bin/bash"  7 seconds ago                    my_net_tools
  10c5c2754279   centos                    "ping lozz.cc"            Up 25 minutes       jollyCopy code

Well, it runs, and then, of course, you can go into the container and play with it. Use docker attach container_id to enter the Docker container.

->docker attach e1d843f7726f
[root@e1d843f7726f /]# ip addr
bash: ip: command not found
[root@e1d843f7726f /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.3  netmask 255.255.0.0  broadcast 0.0.0.0
        ether 02:42:ac:11:00:03  txqueuelen 0  (Ethernet)
        RX packets 40  bytes 1900 (1.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@e1d843f7726f /]#Copy code

This is because the container is based on centos, and docker's basic CentOS image is a streamlined version, so many commands do not exist, such as this ip addr, which is also the reason for the previous choice to install net-tools, because installing this can use ifconfig to view network card configuration. So far, do you have a basic understanding of docker? Is it a sudden inspiration, such as to build a Nginx static server, the step is to pull a basic mirror down, through the basic mirror run out of a container, then install Nginx in the container, and then pack it into a new package? A new mirror will do. Actually, using docke to build mirrors will not do that. The steps are tedious and not very flexible. After all, the lorenwe/centos_net_tools mirrors built before also have 277MB! It's not easy to distribute, so Dockerfile appears. Its function is to describe a mirror in a specific format and build the image through docker. The described process is actually similar to the previous manual process. It can build the same environment through the same Dockerfile. It is also the reason why docke is often used to unify the operating environment of the system in work.

4. Push docker to docker hub

The push image command is very simple. It only needs docker push image_name. Before pushing the image to docker hub, there is still some preparation work to be done. You need to register an account with docker hub first, and then log in the account in docker to push the image.

->docker login  #Log in to docker hub
  Login with your Docker ID to push and pull images from Docker Hub. 
  If you don't have a Docker ID, head over to https://hub.docker.com to create one.
  Username (lorenwe): lorenwe
  Password:
  Login Succeeded
  # Now you can push the mirror to docker hub
->docker images
  REPOSITORY                TAG        IMAGE ID            CREATED             SIZE
  lorenwe/centos_net_tools  latest     35f8073cede1        About an hour ago   277MB
  centos                    latest     d123f4e55e12        2 weeks ago         197MB
  d4w/nsenter               latest     9e4f13a0901e        14 months ago       83.8kB
->docker push lorenwe/centos_net_tools
  The push refers to a repository [docker.io/lorenwe/centos_net_tools]
  d0ba94ecc37e: Pushed
  cf516324493c: Mounted from library/centos
  latest: digest: sha256:276814315437cf5d416ed4b5713fe10c914beaea96bcf583b786a6778c80830f size: 741Copy code

Because the walls and docker hub servers are far away from the sky, the push will be very slow. After success, you can see the image of your push in the personal center of docker hub. If you want to use this image in the future, you can directly pull the docker. You can also push the image to the domestic container mirror service platform, such as me. The container Hub of Aliyun is used, probably because it is fast, so it is comfortable to use. The only bad thing is that the long and stinky mirror name is a little uncomfortable.

V. Concluding remarks

The docker foundation to this step is almost introduced. The purpose of this article is to explain the relationship between the docker image and the container in plain language and examples. There are many functions that docker has not been introduced, so there is time to do follow-up articles in the future, such as Docker file, docker volume. Sharing and network communication are some particularly interesting functions. It is no longer a dream to build a portable distributed development platform.

Keywords: PHP Docker CentOS yum network

Added by Aravinthan on Fri, 02 Aug 2019 09:42:30 +0300