Docker architecture
Image from the official Docker tutorial
Docker uses a client-server (CS) architecture: you interact with the Docker daemon through the CLI and the API.
Docker Objects
Images
An image is a read-only template with instructions for creating a Docker container. Often, an image is based on another image, with some additional customization.
You might create your own images or you might only use those created by others and published in a registry. To build your own image, you create a Dockerfile with a simple syntax for defining the steps needed to create the image and run it. Each instruction in a Dockerfile creates a layer in the image. When you change the Dockerfile and rebuild the image, only those layers which have changed are rebuilt. This is part of what makes images so lightweight, small, and fast, when compared to other virtualization technologies.
Container
A container is a runnable instance of an image. You can connect a container to one or more networks, attach storage to it, or even create a new image based on its current state.
By default, a container is relatively well isolated from other containers and its host machine. You can control how isolated a container's network, storage, or other underlying subsystems are from other containers or from the host machine.
Example: running a container
Run the following command:
docker run -i -t ubuntu /bin/bash
What happens when it runs:
When you run this command, the following happens (assuming you are using the default registry configuration):
- If you don't have the ubuntu image locally, Docker pulls it from your configured registry, as though you had run docker pull ubuntu manually.
- Docker creates a new container, as though you had run a docker container create command manually.
- Docker allocates a read-write filesystem to the container, as its final layer. This allows a running container to create or modify files and directories in its local filesystem.
- Docker creates a network interface to connect the container to the default network, since you didn't specify any networking options. This includes assigning an IP address to the container. By default, containers can connect to external networks using the host machine's network connection.
- Docker starts the container and executes /bin/bash. Because the container is running interactively and attached to your terminal (due to the -i and -t flags), you can provide input using your keyboard while Docker logs the output to your terminal.
- When you run exit to terminate the /bin/bash command, the container stops but isn't removed. You can start it again or remove it.
docker run options:
- -i, --interactive: interactive mode; keep STDIN open even if not attached
- -t, --tty: Allocate a pseudo-TTY
- -a, --attach: Attach to STDIN, STDOUT or STDERR
- -d, --detach: run the container in the background and print the container ID
The underlying technology (namespaces)
Docker is written in the Go programming language and takes advantage of several features of the Linux kernel to deliver its functionality. Docker uses a technology called namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container.
These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace.
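One way to check that isolation against the host, as an added example (not from the Docker documentation or the original note): the kernel exposes each process's namespaces as symlinks under /proc/<pid>/ns, and two processes are in the same namespace when the link targets match. The function names and the sample inode numbers below are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the namespace types a process shares with a reference
# process. /proc/<pid>/ns/<type> is a symlink such as "net:[4026531992]";
# equal targets mean both processes are in the same namespace of that type.
# On a real host (as root; NAME is a placeholder):
#   shared_namespaces /proc/1/ns "/proc/$(docker inspect -f '{{.State.Pid}}' NAME)/ns"

NS_TYPES="cgroup ipc mnt net pid user uts"

# shared_namespaces REF_DIR TARGET_DIR -> space-separated shared types
shared_namespaces() {
    shared=""
    for t in $NS_TYPES; do
        ref=$(readlink "$1/$t" 2>/dev/null) || continue
        tgt=$(readlink "$2/$t" 2>/dev/null) || continue
        if [ "$ref" = "$tgt" ]; then
            shared="${shared:+$shared }$t"
        fi
    done
    printf '%s\n' "$shared"
}

# make_sample DIR: constructed stand-ins for /proc/<pid>/ns of a host process
# and two containers; the inode numbers are made up.
make_sample() {
    mkdir -p "$1/host" "$1/isolated" "$1/hostnet"
    for t in $NS_TYPES; do
        ln -s "$t:[4026531800]" "$1/host/$t"
        case $t in
            user) id=4026531800 ;;      # no user-namespace remapping configured
            *)    id=4026532900 ;;
        esac
        ln -s "$t:[$id]" "$1/isolated/$t"
        case $t in
            user|net) id=4026531800 ;;  # as if started with --network host
            *)        id=4026533100 ;;
        esac
        ln -s "$t:[$id]" "$1/hostnet/$t"
    done
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "isolated container shares: $(shared_namespaces "$demo_dir/host" "$demo_dir/isolated")"
echo "host-network container shares: $(shared_namespaces "$demo_dir/host" "$demo_dir/hostnet")"
rm -rf "$demo_dir"
```

Any type reported as shared is a subsystem where the container is not separated from the reference process, which makes this a quick audit for containers started with host-sharing options.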