The core technology of Docker container

The core technology of container

A container is, in fact, a process isolation environment built from three techniques: Linux Namespaces, Linux Cgroups and rootfs.
    For the Docker project, the core of creating the user process is:

    Enable the Linux Namespace configuration

    Set the specified Cgroups parameters

    Switch the process's root directory (Change Root)

1. Namespace mechanism

PID Namespace: the process created with clone() sees itself as PID 1 inside its container; it cannot see the real PIDs on the host, nor the PIDs of processes in other Namespaces
    Mount Namespace: an isolated process can only see the mount point information of its current Namespace
    Network Namespace: an isolated process can only see and configure the network devices of its current Namespace
    Linux also provides the UTS, IPC and User Namespaces
    Summary: Namespace technology changes the application process's "view" of the whole computer, so that it can only see the specified content

Shortcomings of the Namespace isolation mechanism:
    Multiple containers share the same operating system kernel, that of the host. So running a Windows container on a Linux host, or a container that needs a newer Linux kernel on a host with an older one, is not possible

2. Cgroups

Although the process is isolated, the resources it uses, such as CPU and memory, can still be taken by other processes on the host, and it can in turn exhaust all the host's resources; Cgroups solve this problem
    Cgroups stands for Linux Control Groups; their main role is to cap the resources a process can use, including CPU, memory, disk and network bandwidth.
    Cgroups disadvantages:
    The /proc filesystem does not know about the resource limits the user set on the container via Cgroups, so when we run the top command inside a container, what we actually see is the host's CPU and memory data


3. rootfs

The root of a container usually has a complete file system mounted on it; after the container starts you can run ls / inside it to view all the contents of the root directory.
    The root file system mounted on the container root, which provides the isolated execution environment for the container, is the rootfs (the container image).
    A container image is made up of directories and files such as

bin dev etc home lib lib64 mnt opt proc root run sbin sys tmp usr var

rootfs is just the files and directories of an operating system; it does not include the kernel. With a Mount Namespace and rootfs you can build a completely isolated file system environment, in which the chroot and pivot_root system calls switch the process's root directory.
    After the mount namespace is created, the parent process copies its mount tree to the child, and all mount operations the child performs in the new namespace affect only its own file system, with no effect on the outside world.
    Every modification to a rootfs produces a new rootfs that differs from the old one. To handle such incremental changes, Docker innovatively put forward the concept of layers

Concept container layer

On the basis of rootfs, Docker innovatively uses a union mount of several incremental rootfs layers to form a complete rootfs
    For example, if C is the mount directory obtained by union-mounting A and B, then C has all the files of both A and B
    It is divided into three layers, as follows

1. Read-only layer

These rootfs layers sit lowest and are mounted read-only; each incremental layer contains a part of the operating system

2. writable layer

Mounted rw. For example, when a read-only file xx is deleted, the deletion only takes place in the read-write layer, where it creates a file named .wh.xx; when the two layers are union-mounted, the xx file is shadowed by the .wh.xx file and so "disappears".
    When a file is modified in the container, Docker looks for it in the image layers from top to bottom, and after finding it copies it into the container layer (the read-write layer) and modifies it there; this is Copy on Write

3. init layer

A layer whose name ends in -init sits between the read-only and read-write layers and stores files such as /etc/hosts and /etc/resolv.conf. These files originally belong to the operating system layer, but users often need to specify values such as the hostname at runtime, so they have to be modified above the read-only layers; these modifications should only take effect in the current container, and we do not want them to be committed together with the read-write layer on docker commit, so this separate layer exists
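As an added example (not code from the original post or from Docker itself), the whiteout and copy-on-write rules of the writable layer modelled in Go: read-only image layers under one read-write layer, looked up from top to bottom, with a .wh.xx marker hiding xx and writes landing only in the top layer. Paths and layer contents are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

type Layer map[string]string // one rootfs increment: path -> file content
// UnionFS joins read-only image layers (bottom first) with a read-write layer on top.
type UnionFS struct {
	lower []Layer
	upper Layer
}

// whiteoutName maps "/bin/xx" to its marker "/bin/.wh.xx".
func whiteoutName(path string) string {
	i := strings.LastIndex(path, "/")
	return path[:i+1] + ".wh." + path[i+1:]
}
// Lookup walks top to bottom: the first hit wins, a whiteout on the way hides lower copies.
func (u *UnionFS) Lookup(path string) (string, bool) {
	stack := append(append([]Layer{}, u.lower...), u.upper)
	for i := len(stack) - 1; i >= 0; i-- {
		if _, hidden := stack[i][whiteoutName(path)]; hidden {
			return "", false
		}
		if content, ok := stack[i][path]; ok {
			return content, true
		}
	}
	return "", false
}

// Write is copy-on-write: only the read-write layer changes (any earlier whiteout is cleared).
func (u *UnionFS) Write(path, content string) {
	delete(u.upper, whiteoutName(path))
	u.upper[path] = content
}

// Remove never touches a read-only layer; it records a whiteout instead.
func (u *UnionFS) Remove(path string) {
	delete(u.upper, path)
	u.upper[whiteoutName(path)] = ""
}
func main() { // constructed sample: one image layer, empty container layer
	fs := &UnionFS{lower: []Layer{{"/bin/xx": "v1"}}, upper: Layer{}}
	fs.Remove("/bin/xx")
	_, visible := fs.Lookup("/bin/xx")
	fmt.Println(visible, fs.lower[0]["/bin/xx"]) // false v1
}
```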
