I. What is docker?
The Docker container is a Docker process + image file (the Docker image contains the running environment and configuration)
Official Definition: Docker is a platform designed for developers and system administrators to build, distribute and run distributed applications, using Docker container as the basic unit of resource division and scheduling, encapsulating the entire software runtime environment. It is a cross-platform, portable and easy-to-use container solution.
Docker provides container resource isolation and security through kernel virtualization technology (namespace and cgroups, etc.). Docker implements isolation through virtualization of operating system layer, so Docker container does not need additional operating system overhead similar to VM to improve resource utilization.
1.1 namespace isolation container operating environment
- When a container is started with dockerrun, Docker creates a separate namespace for the container in the background. Namespaces provide the most basic and direct isolation, and processes running in containers are not detected and affected by processes running on local hosts and other containers through normal channels.
- From the perspective of network architecture, all containers actually communicate with each other through the Docker0 interface of the local host, just as physical machines communicate with each other through physical switches.
1.2 Security of Resource Control in Control Group
Control group is another key component of Linux container mechanism, which is responsible for resource audit and restriction. When a container is started with docker run, Docker creates a separate set of control group policies for the container in the background.
It provides many useful features; ensures that containers can share the host's memory, CPU, disk and other resources fairly; and, of course, more importantly, the control group ensures that when resource pressures occur in containers, they do not affect the local host system and other containers.
Although the control group is not responsible for isolating the access and processing of data and processes between containers, it is essential to prevent denial of service attacks (DDoS). Especially on multi-user platforms (such as public or private PaaS), control groups are very important. For example, when some application containers are abnormal, the local system and other containers can be guaranteed normal operation without affecting.
Advantage
- Continuous deployment and testing: Eliminate environmental differences online and offline, and ensure environmental consistency and standardization of application life cycle. Developers use mirrors to build standard development environments. After development, they migrate by encapsulating the mirrors of the complete environment and applications. As a result, test and maintenance personnel can deploy software mirrors directly for testing and publishing, greatly simplifying the process of continuous integration, testing and publishing.
- Cross-Cloud Platform Support: The greatest benefit of Docker is its adaptability. More and more cloud platforms support Docker. At the same time, it makes it possible to deploy multi-platform applications.
- Environment Standardization and Version Control: Based on the environment consistency and standardization provided by Docker, you can use Git and other tools to version control the Docker image. Compared with code-based version control, you can also control the entire application running environment, and rollback quickly in case of failure. Docker compresses and backups faster than previous virtual machine images, and mirror startup is as fast as starting a normal process.
- High resource utilization and isolation: Docker container has no additional overhead of the management program, and shares the operating system with the underlying layer. It has better performance and lower system load. Under the same conditions, it can run more application examples and make full use of system resources. At the same time, Docker has good resource isolation and restriction capabilities, which can accurately allocate CPU, memory and other resources to applications, ensuring that applications do not interact with each other.
- Container Cross-Platform and Mirror: Docker has set up a set of standardized configuration methods for containers, packaging applications and their dependent running environments into images, realizing the concept of "build once, run everywhere". It greatly improves the cross-platform of containers.
- Application Mirror Warehouse: Docker officially built a Mirror Warehouse.
II. Basic operation of docker
->docker --version #View Version
Docker version 17.09.0-ce, build afdb6d4Copy codeSearch for an image and pull it down
The command to download the mirror is very simple, just use the docker pull command. On docker's mirror site, mirrors are stored in the way of "user name / mirror name".
You can use docker images to view pulled-down images, where IMAGE ID is the IMAGE ID. When you delete images, you can use this IMAGE ID to delete docker rmi [IMAGE ID,REPOSITORY]
->docker search centos
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
centos The official build of CentOS. 3824 [OK]
...
->docker pull centos #Pull out the mirror
->docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos latest a7876479f1aa 4 years ago 128MB
->docker rmi a7876479f1aa #Delete imageCopy codeRun hello world in a docker container, create a container using docker run, and docker run generates a container and saves it. Then you can run it directly instead of creating a new container. The container here is container. The container of docker can be understood as a process running in a sandbox. . This sandbox contains the necessary resources for the process to run, including file systems, system libraries, shell environments, and so on. But by default, this sandbox will not run any programs. You need to run a process in a sandbox to start a container. This process is the only process in the container, so when the process ends, the container will stop completely.
You can see the running container through dockers. When we run docker run centos echo "hello word" and see output "hello word" and then run dockers, no container will output. This is because the container does not run any process after running echo "hello word", so the container exits. All containers can be viewed through docker ps-A
->docker run centos echo "hello word" #Create a container through the centos image to output "hello word"
hello word
->docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e46ec634bbe1 centos "echo 'hello word'" 12 minutes ago Exited (0) 12 minutes agoCopy codeThe next step is to install a simple program for the container. The centos image was downloaded before, so you can use the yum command to install the program.
Note: After the yum command is executed, the container will stop, but changes to the container will not be lost. But when you re-run a container from image, the previously installed program does not exist, because all the modifications are for container, not image, so the container from image run is a brand new one.
->docker run centos yum -y install net-tools
->docker ps -a #You can see that there are already two container s
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2f1bbd6c30e3 centos "yum install -y ne..." 1 minutes ago Exited (0) 1 minute ago competent
35129633c933 centos "echo hello word" 1 minutes ago Exited (0) 1 minute ago dazzlingCopy codeNow the container is available and the required program is installed, but there is only one container, which can't run. Don't rush to see how to run the container. But there are also several ways to run the container. One way is to create the container and run it. As I said before, it needs an activity to keep the container running. When all the processes in the container exit, the container stops accordingly, so it's easy to create the container and keep it running by using the ping command.
->docker run centos ping lozz.cc
PING lorencoll.coding.me (103.218.240.147) 56(84) bytes of data.
64 bytes from 103.218.240.147 (103.218.240.147): icmp_seq=1 ttl=37 time=16.0 ms
64 bytes from 103.218.240.147 (103.218.240.147): icmp_seq=2 ttl=37 time=16.4 ms
Ctrl+C
->docker ps #View active containers
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
10c5c2754279 centos "ping lozz.cc" About a minute ago Up About a minute jollyCopy codeIf you start, you stop. Stop can stop a container with the docker stop container_id command. Now let's talk about the second way to start a container. This method is used when the container has been created. We know that every run creates a new container, sometimes it doesn't need to be created. Build, you can use docker start container_id to start a container. It's important to note that the inactive process container will still exit after starting, because the container is created from the mirror, so the container also contains additional commands to create the container, when docker start The attachment command to create this container will be executed again. Is it a bit twisted? Knock it once.
->docker ps #View active containers
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
10c5c2754279 centos "ping lozz.cc" 23 minutes ago Up 23 minutes jolly
->docker ps -a #View all existing containers
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
10c5c2754279 centos "ping lozz.cc" 21 minutes ago Up 21 minutes jolly
2f1bbd6c30e3 centos "yum install -y ne..." 36 minutes ago Exited (0) 3 minute ago competent
35129633c933 centos "echo hello word" About hour ago Exited (0) hour ago dazzling
# Attempt to start the installation net-tools Containers,
# -i It means to output information to the console and return directly to the console without this parameter. CONTAINER ID
->docker start -i 2f1bbd6c30e3
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.cn99.com
Package net-tools-2.0-0.22.20131004git.el7.x86_64 already installed and latest version
Nothing to do
->docker ps #View active containers
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
10c5c2754279 centos "ping lozz.cc" 30 minutes ago Up 30 minutes jolly
->docker stop 10c5c2754279 #Containers that stop executing ping commands
10c5c2754279
->docker start -i 10c5c2754279 #Start the container that executes the ping command
PING lorencoll.coding.me (103.72.144.62) 56(84) bytes of data.
64 bytes from 103.72.144.62 (103.72.144.62): icmp_seq=1 ttl=37 time=15.1 ms
64 bytes from 103.72.144.62 (103.72.144.62): icmp_seq=2 ttl=37 time=16.3 ms
64 bytes from 103.72.144.62 (103.72.144.62): icmp_seq=3 ttl=37 time=16.8 ms
Ctrl+CCopy codeAs you can see from the above prompt, the start command also executes the yum-y install net-tools in the previous creation command docker run CentOS yum-y install net-tools, because the container has been installed with net-tools, so yum prompts you not to install it, to see if there is only one in the active container. Previous containers are running. So now there's a question, can't the container I installed net-tools work? In fact, otherwise, the reason why this container "can't work" is that it was created without specifying the appropriate command, and it's also possible to use it. We packed it into an image, that is, a mirror, and packed it and then passed it through. Docker's idea of application isolation is also in line with Docker's idea of creating containers. The command to package containers into mirrors is simple docker commit container_id image_name. My packing command is docker commit 2f1bbd6c30e3 lorenwe/centos_net_tools. The name is regular, and docker used earlier. User id, if you want to push this image to the name of docker hub, you can't name it casually. It doesn't matter if you don't push it to docker hub, but it can't be too casual, right.
->docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
10c5c2754279 centos "ping lozz.cc" About an hour ago jolly
2f1bbd6c30e3 centos "yum install -y ne..." About an hour ago competent
35129633c933 centos "echo hello word" About an hour ago dazzling
->docker commit 2f1bbd6c30e3 lorenwe/centos_net_tools
sha256:35f8073cede14473601d9f138a9815bc9ab5c7d97f914ca2f5ce910bd78b5750
->docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
lorenwe/centos_net_tools latest 35f8073cede1 23 seconds ago 277MB
centos latest d123f4e55e12 2 weeks ago 197MB
d4w/nsenter latest 9e4f13a0901e 14 months ago 83.8kBCopy codeIt's so simple that a new image is created. Now you can do something interesting with this image. It's still the docker run command, but this time add some more parameters, such as docker run-itd -- name my_net_tools lorenwe/centos_net_tools/bin/bash.
The parameters itd are'standard input to container','assign a virtual terminal','run as a daemon (background)', - name naturally specifies the name of the container after creation, / bin/bash executes the bash script and executes the above commands to create a container running in the background.
->docker run -itd --name my_net_tools lorenwe/centos_net_tools /bin/bash
e1d843f7726f67d2635042695e2065b383736a341edd2e83753be9fabec03de0
->docker ps #View active containers
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e1d843f7726f lorenwe/centos_net_tools "/bin/bash" 7 seconds ago my_net_tools
10c5c2754279 centos "ping lozz.cc" Up 25 minutes jollyCopy codeWell, it runs, and then, of course, you can go into the container and play with it. Use docker attach container_id to enter the Docker container.
->docker attach e1d843f7726f
[root@e1d843f7726f /]# ip addr
bash: ip: command not found
[root@e1d843f7726f /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.3 netmask 255.255.0.0 broadcast 0.0.0.0
ether 02:42:ac:11:00:03 txqueuelen 0 (Ethernet)
RX packets 40 bytes 1900 (1.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@e1d843f7726f /]#Copy codeThis is because the container is based on centos, and docker's basic CentOS image is a streamlined version, so many commands do not exist, such as this ip addr, which is also the reason for the previous choice to install net-tools, because installing this can use ifconfig to view network card configuration. So far, do you have a basic understanding of docker? Is it a sudden inspiration, such as to build a Nginx static server, the step is to pull a basic mirror down, through the basic mirror run out of a container, then install Nginx in the container, and then pack it into a new package? A new mirror will do. Actually, using docke to build mirrors will not do that. The steps are tedious and not very flexible. After all, the lorenwe/centos_net_tools mirrors built before also have 277MB! It's not easy to distribute, so Dockerfile appears. Its function is to describe a mirror in a specific format and build the image through docker. The described process is actually similar to the previous manual process. It can build the same environment through the same Dockerfile. It is also the reason why docke is often used to unify the operating environment of the system in work.
4. Push docker to docker hub
The push image command is very simple. It only needs docker push image_name. Before pushing the image to docker hub, there is still some preparation work to be done. You need to register an account with docker hub first, and then log in the account in docker to push the image.
->docker login #Log in to docker hub
Login with your Docker ID to push and pull images from Docker Hub.
If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username (lorenwe): lorenwe
Password:
Login Succeeded
# Now you can push the mirror to docker hub
->docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
lorenwe/centos_net_tools latest 35f8073cede1 About an hour ago 277MB
centos latest d123f4e55e12 2 weeks ago 197MB
d4w/nsenter latest 9e4f13a0901e 14 months ago 83.8kB
->docker push lorenwe/centos_net_tools
The push refers to a repository [docker.io/lorenwe/centos_net_tools]
d0ba94ecc37e: Pushed
cf516324493c: Mounted from library/centos
latest: digest: sha256:276814315437cf5d416ed4b5713fe10c914beaea96bcf583b786a6778c80830f size: 741Copy codeBecause the walls and docker hub servers are far away from the sky, the push will be very slow. After success, you can see the image of your push in the personal center of docker hub. If you want to use this image in the future, you can directly pull the docker. You can also push the image to the domestic container mirror service platform, such as me. The container Hub of Aliyun is used, probably because it is fast, so it is comfortable to use. The only bad thing is that the long and stinky mirror name is a little uncomfortable.
V. Concluding remarks
The docker foundation to this step is almost introduced. The purpose of this article is to explain the relationship between the docker image and the container in plain language and examples. There are many functions that docker has not been introduced, so there is time to do follow-up articles in the future, such as Docker file, docker volume. Sharing and network communication are some particularly interesting functions. It is no longer a dream to build a portable distributed development platform.