Post on 15-Jan-2017

Understand how Docker works

小拿@果壳 2015.10.28


Outline

• Virtualization

• Hypervisor

• chroot, namespaces, cgroups, AuFS

• LXC

• Container

• Docker

Virtualization

Virtualization is a proven software technology that makes it possible to run multiple operating systems and applications on the same server at the same time.

Features

• present physical hardware as software-defined virtual devices

• run multiple operating systems as virtual machines

Intuitive Idea

Hypervisor (VMM)

a “meta” operating system in a virtualized environment

Types of Hypervisors

• native or bare-metal hypervisors

• hosted hypervisors

Bare-Metal Hypervisor

Hosted Hypervisor

Space-Time Analysis

• heavy (every VM carries a complete guest operating system)

• slow (a full OS boot and hypervisor overhead on every operation)

Docker is a lightweight alternative.

(giant 1) chroot

A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children. On its own it is not a security boundary: a process that keeps root privileges inside the jail can still escape it, as the chroot(2) manual notes, which is why containers combine it with namespaces and privilege dropping rather than relying on it alone.

chroot jail

root directory

two Linux process resource management solutions

• namespaces (what you can see)

• cgroups (how much you can use)

(giant 2) Linux Namespace

• A lightweight process virtualization

• Isolation: Enable a process to have different views of the system than other processes.

Features

• PID namespace provides isolation for the allocation of process identifiers (PIDs), lists of processes and their details. While the new namespace is isolated from other siblings, processes in its "parent" namespace still see all processes in child namespaces, albeit with different PID numbers.

• Network namespace isolates the network interface controllers (physical or virtual), iptables firewall rules, routing tables etc. Network namespaces can be connected with each other using the "veth" virtual Ethernet device.

• UTS namespace allows changing the hostname.

• Mount namespace allows creating a different file system layout, or making certain mount points read-only.

• IPC namespace isolates the System V inter-process communication between namespaces.

• User namespace isolates the user IDs between namespaces.

Operations

• CLONE_NEWIPC

• CLONE_NEWNET

• CLONE_NEWNS

• CLONE_NEWPID

• CLONE_NEWUSER

• CLONE_NEWUTS

Example (PID) from coolshell

Example (PID)
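The coolshell example referenced on the slides was an image that did not survive the transcript. The following is an added example written for this page (not code from the slides or from coolshell) in the same spirit: it uses clone(2) with the CLONE_NEWPID and CLONE_NEWUTS flags listed above, lets the child report the PID and hostname it sees, and compares them with the parent's view. It assumes Linux and, for the namespaces to actually be created, root (CAP_SYS_ADMIN); without that the kernel refuses with EPERM and the example reports that instead of failing. The hostname "ns-demo-child" and the flag-name mapping are choices made for the example.

```c
// Added example (not from the slides or coolshell): create a child in new PID and
// UTS namespaces with clone(2) and compare what child and parent see. Linux only;
// creating the namespaces needs CAP_SYS_ADMIN (root).
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (1024 * 1024)

struct ns_report {
    pid_t pid_in_child;       /* getpid() inside the child: 1 in a fresh PID namespace */
    char  host_in_child[64];  /* hostname after sethostname() in the child's UTS namespace */
    char  host_in_parent[64]; /* hostname the parent still sees afterwards */
};

struct child_args { int flags; int write_fd; };

/* Map the slide's flag names to CLONE_NEW* bits, e.g. "pid,uts". Unknown names are ignored. */
int ns_flags_from_names(const char *csv)
{
    static const struct { const char *name; int flag; } table[] = {
        { "ipc", CLONE_NEWIPC }, { "net", CLONE_NEWNET }, { "mnt", CLONE_NEWNS },
        { "pid", CLONE_NEWPID }, { "user", CLONE_NEWUSER }, { "uts", CLONE_NEWUTS },
    };
    int flags = 0; char buf[128];
    snprintf(buf, sizeof buf, "%s", csv);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ","))
        for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
            if (strcmp(tok, table[i].name) == 0) flags |= table[i].flag;
    return flags;
}

static int child_fn(void *arg)
{
    struct child_args *a = arg;
    struct ns_report r; memset(&r, 0, sizeof r);
    if (a->flags & CLONE_NEWUTS) {
        /* Only this UTS namespace sees the new name; the parent's hostname is untouched. */
        const char *hn = "ns-demo-child";  /* constructed name for the example */
        if (sethostname(hn, strlen(hn)) == 0) gethostname(r.host_in_child, sizeof r.host_in_child);
        else snprintf(r.host_in_child, sizeof r.host_in_child, "sethostname: %s", strerror(errno));
    }
    r.pid_in_child = getpid();  /* 1 when CLONE_NEWPID was used */
    return write(a->write_fd, &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1;
}

/* Returns 1 if the child ran in the requested namespaces (report in *out); 0 if the
 * kernel refused clone() (errno set: EPERM without CAP_SYS_ADMIN, EINVAL when the
 * kernel lacks that namespace) or the child died before reporting (e.g. killed by
 * a seccomp policy); -1 on local resource errors. */
int run_in_new_namespaces(int flags, struct ns_report *out)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    char *stack = malloc(STACK_SIZE);
    if (!stack) { close(fds[0]); close(fds[1]); return -1; }
    struct child_args a = { flags, fds[1] };
    /* The stack grows down, so pass its top. SIGCHLD lets waitpid() reap the child. */
    pid_t child = clone(child_fn, stack + STACK_SIZE, flags | SIGCHLD, &a);
    close(fds[1]);
    if (child == -1) {
        int saved = errno;
        close(fds[0]); free(stack); errno = saved;
        return 0;
    }
    struct ns_report r;
    ssize_t n = read(fds[0], &r, sizeof r);
    close(fds[0]);
    int status;
    waitpid(child, &status, 0);
    free(stack);
    if (n != (ssize_t)sizeof r) return 0;
    gethostname(r.host_in_parent, sizeof r.host_in_parent);
    *out = r;
    return 1;
}

/* Convenience check: 1 = isolation confirmed, 0 = not permitted here, -1 = isolation broken. */
int namespace_check(void)
{
    struct ns_report r;
    int rc = run_in_new_namespaces(ns_flags_from_names("pid,uts"), &r);
    if (rc != 1) return rc;
    return (r.pid_in_child == 1 && strcmp(r.host_in_child, "ns-demo-child") == 0 &&
            strcmp(r.host_in_parent, "ns-demo-child") != 0) ? 1 : -1;
}

int main(void)
{
    struct ns_report r;
    int rc = run_in_new_namespaces(ns_flags_from_names("pid,uts"), &r);
    if (rc == 1)
        printf("child sees pid %d and hostname '%s'; parent still sees '%s'\n",
               (int)r.pid_in_child, r.host_in_child, r.host_in_parent);
    else if (rc == 0)
        printf("namespaces not created: %s (run as root)\n", strerror(errno));
    else
        puts("unexpected local failure");
    return rc < 0;
}
```

Run it as root and the child reports PID 1 and the new hostname while the parent's hostname is unchanged; run it unprivileged and clone() returns EPERM, which is exactly the privilege boundary Docker's daemon sits behind.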

(giant 3) cgroups

cgroups is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.

Features

• Resource limitation: groups can be set to not exceed a configured memory limit, which also includes the file system cache

• Prioritization: some groups may get a larger share of CPU utilization or disk I/O throughput

• Accounting: measures how much of a resource a group uses, which may be used, for example, for billing purposes

• Control: freezing the groups of processes, their checkpointing and restarting

Operations

Example (CPU) from coolshell
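The coolshell CPU example referenced here was also an image that the transcript does not preserve. Below is an added example written for this page (not the slides' or coolshell's code) that does the same job on the cgroup v2 unified hierarchy: create a group, cap it to 20% of one CPU and 64 MiB of memory, move the calling process into it, and read the limit back. It assumes cgroup v2 is mounted at /sys/fs/cgroup with the cpu and memory controllers enabled in the parent's cgroup.subtree_control, and that the writes are done as root; the group name "demo" is a choice made for the example. Comments map each file to its cgroup v1 equivalent.

```c
// Added example (not from the slides or coolshell): apply a CPU and memory cap with
// cgroup v2 and read it back. Assumes the unified hierarchy at /sys/fs/cgroup with the
// cpu and memory controllers delegated to it; the writes need root.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define CG_ROOT "/sys/fs/cgroup"  /* assumed cgroup v2 mount point */

/* Quota in microseconds for `pct` percent of one CPU over `period_us`
 * (20% of the default 100000us period -> 20000). pct > 100 spans several CPUs.
 * Returns -1 for values the kernel would reject. */
long long cpu_quota_us(unsigned pct, long long period_us)
{
    if (pct == 0 || pct > 100 * 4096 || period_us < 1000 || period_us > 1000000) return -1;
    long long quota = period_us * pct / 100;
    return quota < 1000 ? -1 : quota;  /* the kernel's minimum quota is 1ms */
}

/* Parse a cpu.max line as the kernel prints it: "<quota> <period>" or "max <period>".
 * Returns percent of one CPU, -1 for unlimited, -2 for malformed input. */
long long parse_cpu_max(const char *text)
{
    char q[32]; long long period;
    if (sscanf(text, "%31s %lld", q, &period) != 2 || period <= 0) return -2;
    if (strcmp(q, "max") == 0) return -1;
    char *end; long long quota = strtoll(q, &end, 10);
    if (*end != '\0' || quota <= 0) return -2;
    return quota * 100 / period;
}

static int write_file(const char *dir, const char *file, const char *text)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, file);
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int rc = write(fd, text, strlen(text)) < 0 ? -errno : 0;
    close(fd);
    return rc;
}

/* Create CG_ROOT/<name>, limit it to cpu_pct of one CPU and mem_bytes of RAM, and
 * move `pid` (0 = this process) into it. Returns 0 or a negative errno. */
int cgroup_apply_limits(const char *name, unsigned cpu_pct, long long mem_bytes, pid_t pid)
{
    char dir[PATH_MAX], line[64];
    long long quota = cpu_quota_us(cpu_pct, 100000);
    /* Refuse names that would escape CG_ROOT or hit hidden entries. */
    if (quota < 0 || mem_bytes <= 0 || strchr(name, '/') || name[0] == '.') return -EINVAL;
    snprintf(dir, sizeof dir, CG_ROOT "/%s", name);
    if (mkdir(dir, 0755) != 0 && errno != EEXIST) return -errno;
    int rc;
    snprintf(line, sizeof line, "%lld 100000\n", quota);
    if ((rc = write_file(dir, "cpu.max", line)) < 0) return rc;     /* v1: cpu.cfs_quota_us */
    snprintf(line, sizeof line, "%lld\n", mem_bytes);
    if ((rc = write_file(dir, "memory.max", line)) < 0) return rc;  /* v1: memory.limit_in_bytes; counts page cache too */
    snprintf(line, sizeof line, "%d\n", (int)(pid ? pid : getpid()));
    return write_file(dir, "cgroup.procs", line);                    /* v1: tasks */
}

int main(void)
{
    int rc = cgroup_apply_limits("demo", 20, 64LL << 20, 0);
    if (rc < 0) { printf("cgroup setup failed: %s\n", strerror(-rc)); return 1; }
    char path[PATH_MAX], buf[64] = {0};
    snprintf(path, sizeof path, CG_ROOT "/demo/cpu.max");
    FILE *f = fopen(path, "r");
    if (f && fgets(buf, sizeof buf, f)) {
        buf[strcspn(buf, "\n")] = '\0';
        printf("cpu.max = \"%s\" -> %lld%% of one CPU\n", buf, parse_cpu_max(buf));
    }
    if (f) fclose(f);
    /* Busy loop: top(1) should now show this process pinned near 20% CPU. */
    for (volatile unsigned long i = 0; i < 4000000000UL; i++) ;
    return 0;
}
```

The cgroup.procs write is the step that makes the limit bite: until a process is attached, the group is only a directory of knobs, which is also why the name check matters before any mkdir under /sys/fs/cgroup.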

LXC

LinuX Container = namespaces + cgroups

(giant 4) AuFS

AuFS (Advanced multi layered Unification FileSystem) implements a union mount for Linux file systems.
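An added example, written for this page and not taken from the slides or from the AuFS code, of how a union mount answers a lookup and a directory listing across stacked layers. It models one directory per layer as a list of names and applies AuFS's whiteout convention: a `.wh.<name>` entry in an upper layer deletes <name> from the merged view, and a `.wh..wh..opq` entry hides everything in the layers below. The three layers and their file names are constructed for the example. The security-relevant point it demonstrates is that deleting a file in a later image layer only adds a whiteout; the bytes remain in the lower layer and ship with the image. Docker has since replaced AuFS with overlay2 as its default storage driver, which implements the same idea with different whiteout markers.

```c
// Added example (not from the slides or AuFS): how a union mount resolves names
// across stacked layers, using AuFS-style whiteouts. Pure simulation, runs unprivileged.
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
#define WH_PREFIX   ".wh."          /* AuFS whiteout: ".wh.<name>" deletes <name> from lower layers */
#define WH_OPAQUE   ".wh..wh..opq"  /* AuFS opaque marker: nothing from lower layers is visible */

struct layer {
    const char *label;                /* descriptive only */
    const char *entries[MAX_ENTRIES]; /* names present in this layer's copy of one directory */
    int n;
};

/* Does this single layer physically contain `name`? (Not the union view.) */
int layer_has(const struct layer *l, const char *name)
{
    for (int i = 0; i < l->n; i++)
        if (strcmp(l->entries[i], name) == 0) return 1;
    return 0;
}

static int is_whiteout_for(const char *entry, const char *name)
{
    return strncmp(entry, WH_PREFIX, strlen(WH_PREFIX)) == 0 &&
           strcmp(entry + strlen(WH_PREFIX), name) == 0;
}

/* Union view: walk layers top-down (index 0 = writable upper layer).
 * Returns the index of the layer that supplies `name`, or -1 if it is absent,
 * deleted by a whiteout, or hidden behind an opaque directory. */
int union_lookup(const struct layer *layers, int nlayers, const char *name)
{
    for (int i = 0; i < nlayers; i++) {
        const struct layer *l = &layers[i];
        if (layer_has(l, name)) return i;
        for (int j = 0; j < l->n; j++)
            if (is_whiteout_for(l->entries[j], name)) return -1; /* deleted at this layer */
        if (layer_has(l, WH_OPAQUE)) return -1;                  /* lower layers masked */
    }
    return -1;
}

/* Merged directory listing as readdir() would show it. Writes up to `max` names
 * into `out` (NULL to only count) and returns the number of visible entries. */
int union_readdir(const struct layer *layers, int nlayers, const char **out, int max)
{
    const char *seen[MAX_ENTRIES * 8]; int nseen = 0; /* names already shown or deleted */
    int count = 0;
    for (int i = 0; i < nlayers; i++) {
        const struct layer *l = &layers[i];
        for (int j = 0; j < l->n; j++) {
            const char *e = l->entries[j], *name = e;
            int deleted = 0;
            if (strcmp(e, WH_OPAQUE) == 0) continue;
            if (strncmp(e, WH_PREFIX, strlen(WH_PREFIX)) == 0) { name = e + strlen(WH_PREFIX); deleted = 1; }
            int dup = 0;
            for (int k = 0; k < nseen; k++) if (strcmp(seen[k], name) == 0) { dup = 1; break; }
            if (dup) continue;                       /* a higher layer already decided this name */
            if (nseen < (int)(sizeof seen / sizeof seen[0])) seen[nseen++] = name;
            if (!deleted) {
                if (out && count < max) out[count] = name;
                count++;
            }
        }
        if (layer_has(l, WH_OPAQUE)) break;          /* nothing below is visible */
    }
    return count;
}

/* Constructed three-layer image, top first: the container's rw layer, a layer that
 * ran "rm secret.key", and the base layer that still physically holds the file. */
const struct layer demo_layers[3] = {
    { "container (rw)",             { "app", "tmp" }, 2 },
    { "layer 2: RUN rm secret.key", { "app", ".wh.secret.key" }, 2 },
    { "layer 1: base image",        { "bin", "etc", "passwd.bak", "secret.key" }, 4 },
};

int main(void)
{
    const char *names[] = { "app", "bin", "secret.key", "missing" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int at = union_lookup(demo_layers, 3, names[i]);
        printf("%-10s -> %s\n", names[i], at < 0 ? "(not in union view)" : demo_layers[at].label);
    }
    const char *listing[MAX_ENTRIES * 3];
    int n = union_readdir(demo_layers, 3, listing, MAX_ENTRIES * 3);
    printf("merged listing (%d):", n);
    for (int i = 0; i < n; i++) printf(" %s", listing[i]);
    printf("\nsecret.key still in base layer: %s\n",
           layer_has(&demo_layers[2], "secret.key") ? "yes" : "no");
    return 0;
}
```

The lookup for "app" lands in the top layer because a write to a lower-layer file is first copied up; the lookup for "secret.key" fails even though layer_has() confirms the file is still in the base layer, which is the whole point for anyone who has ever tried to remove a credential from an image with a later RUN rm.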

“When I see a bird that walks like a duck and swims like a duck and quacks like a duck,

I call that bird a duck.”

Duck Typing

Docker = LXC + AuFS

• chroot

• namespaces

• cgroups

• aufs

• …

Container

Pros and Cons


Why must boot2docker be installed?

Why does Docker only run Linux distributions?

End

justinli.ljt@gmail.com
