
Docker

Inside Docker
To understand Docker’s internals, you need to know about three components:

Docker images.
Docker registries.
Docker containers.

Docker images

A Docker image is a read-only template. For example, an image could contain an Ubuntu operating system with Apache and your web application installed. Images are used to create Docker containers. Docker provides a simple way to build new images or update existing images, or you can download Docker images that other people have already created. Docker images are the build component of Docker.

Docker Registries

Docker registries hold images. These are public or private stores from which you upload or download images. The public Docker registry is called Docker Hub. It provides a huge collection of existing images for your use. These can be images you create yourself or you can use images that others have previously created. Docker registries are the distribution component of Docker.

Docker containers

Docker containers are similar to a directory. A Docker container holds everything that is needed for an application to run. Each container is created from a Docker image. Docker containers can be run, started, stopped, moved, and deleted. Each container is an isolated application environment; the isolation comes from kernel namespaces and control groups on a kernel shared with the host, not from a virtual machine, so a kernel bug or a loosened configuration (extra capabilities, host mounts, privileged mode) can breach it. Docker containers are the run component of Docker.

Docker Architecture (diagram)

How does a Docker Image work?
We’ve already seen that Docker images are read-only templates from which Docker containers are launched. Each image consists of a series of layers. Docker makes use of union file systems to combine these layers into a single image. Union file systems allow files and directories of separate file systems, known as branches, to be transparently overlaid, forming a single coherent file system.

Docker images start from a base image, for example ubuntu, a base Ubuntu image, or an image of your own. Docker images are then built from these base images using a simple, descriptive set of steps we call instructions. Each instruction creates a new layer in our image. Instructions include actions like:

Run a command.
Add a file or directory.
Create an environment variable.
What process to run when launching a container from this image.

These instructions are stored in a file called a Dockerfile. Docker reads this Dockerfile when you request a build of an image, executes the instructions, and returns a final image.
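The following Dockerfile is an added example, not taken from the original page; it exercises each kind of instruction listed above for the "Ubuntu with Apache and your web application" image described earlier. The image tag, the ./site directory and the Apache command line are assumptions for illustration.

```dockerfile
# Added example: one instruction of each kind named in the text.
# Base image: the bottom layer of the resulting image (tag is an assumption).
FROM ubuntu:14.04
# Run a command: installs Apache into a new layer.
RUN apt-get update && apt-get install -y apache2
# Add a file or directory: ./site is a hypothetical local directory.
ADD ./site /var/www/html
# Create an environment variable.
ENV APACHE_RUN_USER www-data
EXPOSE 80
# What process to run when a container is launched from this image.
CMD ["apache2ctl", "-D", "FOREGROUND"]
```

After `docker build -t webapp .`, `docker history webapp` lists one layer per instruction, which is the check that the layering works as described. Two practical consequences follow from layers being kept: a file written in one RUN step and deleted in a later one is still present in the earlier layer and ships with the image, so never write secrets into a layer; and ADD fetches remote URLs and auto-extracts local archives, so COPY is the safer choice when you only want to place local files.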

How does a Docker registry work?
The Docker registry is the store for your Docker images. Once you build a Docker image you can push it to the public registry, Docker Hub, or to your own registry running behind your firewall. Note that a tag such as ubuntu:latest is a mutable pointer: the image it names can change between pulls, so for reproducible and auditable deployments pull images by their content digest rather than by tag alone.

How does a container work?
A container consists of an operating system, user-added files, and meta-data. As we’ve seen, each container is built from an image. That image tells Docker what the container holds, what process to run when the container is launched, and a variety of other configuration data. The Docker image is read-only. When Docker runs a container from an image, it adds a read-write layer on top of the image (using a union file system as we saw earlier) in which your application can then run. Every change the application makes lands in that read-write layer only; the image underneath is never modified, and the layer is discarded when the container is removed.

What happens when you run a container?
Either by using the docker binary or via the API, the Docker client tells the Docker daemon to run a container.

$ sudo docker run -i -t ubuntu /bin/bash
Let’s break down this command. The Docker client is launched using the docker binary with the run option telling it to launch a new container. The bare minimum the Docker client needs to tell the Docker daemon to run the container is:

What Docker image to build the container from, here ubuntu, a base Ubuntu image;
The command you want to run inside the container when it is launched, here /bin/bash, to start the Bash shell inside the new container.

So what happens under the hood when we run this command?

In order, Docker does the following:

Pulls the ubuntu image: Docker checks for the presence of the ubuntu image and, if it doesn’t exist locally on the host, then Docker downloads it from Docker Hub. If the image already exists, then Docker uses it for the new container.
Creates a new container: Once Docker has the image, it uses it to create a container.
Allocates a filesystem and mounts a read-write layer: The container is created in the file system and a read-write layer is added to the image.
Allocates a network / bridge interface: Creates a virtual Ethernet pair and attaches one end to the docker0 bridge on the host, so the container can talk to the host and to other containers on that bridge.
Sets up an IP address: Finds and attaches an available IP address from a pool.
Executes a process that you specify: Runs your application, and;
Captures and provides application output: Connects and logs standard input, output and error for you to see how your application is running.
You now have a running container! From here you can manage your container, interact with your application and then, when finished, stop and remove your container.

The underlying technology
Docker is written in Go and makes use of several Linux kernel features to deliver the functionality we’ve seen.

Namespaces
Docker takes advantage of a technology called namespaces to provide the isolated workspace we call the container. When you run a container, Docker creates a set of namespaces for that container.

This provides a layer of isolation: each aspect of a container runs in its own namespace and does not have access outside it. Namespaces isolate a process’s view of kernel resources; the kernel itself is still shared with the host and every other container, which is why kernel vulnerabilities and over-privileged container configurations are the usual escape routes.

Some of the namespaces that Docker uses are:

The pid namespace: Used for process isolation (PID: Process ID).
The net namespace: Used for managing network interfaces (NET: Networking).
The ipc namespace: Used for managing access to IPC resources (IPC: InterProcess Communication).
The mnt namespace: Used for managing mount-points (MNT: Mount).
The uts namespace: Used for isolating kernel and version identifiers. (UTS: Unix Timesharing System).

The user namespace is absent from this list: without it, uid 0 inside a container is uid 0 on the host, so a process that breaks out of the other namespaces is root.

Control groups
Docker also makes use of another technology called cgroups or control groups. A key to running applications in isolation is to have them only use the resources you want. This ensures containers are good multi-tenant citizens on a host. Control groups allow Docker to share available hardware resources to containers and, if required, set up limits and constraints. For example, limiting the memory available to a specific container.
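To make the namespace and cgroup steps concrete, here is an added Go program, written for this page and not Docker’s own code, that does by hand what the "What happens when you run a container?" list and the two sections above describe: it creates the five namespaces listed for a child process, sets a hostname visible only inside the container, mounts a private /proc, places the process in a cgroup v2 group with a 64 MiB hard memory limit, and executes the command. It assumes Linux, root privileges, and cgroup v2 mounted at /sys/fs/cgroup with the memory controller enabled for new groups; the group name demo-container and the hostname are arbitrary. It deliberately does no chroot or pivot_root, so the command still sees the host’s files: namespaces alone do not give you an image root filesystem.

```go
// Added example: namespaces + cgroup by hand. Not Docker's code.
// Assumes Linux, root, cgroup v2 at /sys/fs/cgroup with memory controller enabled.
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"syscall"
)

// clone(2) flags for the namespaces the text lists (linux/sched.h values,
// mirrored in Go's syscall package on Linux).
var namespaceTable = map[string]uintptr{
	"pid": syscall.CLONE_NEWPID,
	"net": syscall.CLONE_NEWNET,
	"ipc": syscall.CLONE_NEWIPC,
	"mnt": syscall.CLONE_NEWNS,
	"uts": syscall.CLONE_NEWUTS,
}

// namespaceFlags ORs together the clone flags for the requested namespaces.
func namespaceFlags(names []string) (uintptr, error) {
	var flags uintptr
	for _, n := range names {
		f, ok := namespaceTable[n]
		if !ok {
			return 0, fmt.Errorf("unknown namespace %q", n)
		}
		flags |= f
	}
	return flags, nil
}

type fileWrite struct{ Path, Data string }

// cgroupFiles lists the writes that create group "name" with a hard memory
// limit and move pid into it; separated from applyCgroup so the paths and
// values can be checked without root.
func cgroupFiles(root, name string, limitBytes int64, pid int) []fileWrite {
	dir := filepath.Join(root, name)
	return []fileWrite{
		{filepath.Join(dir, "memory.max"), strconv.FormatInt(limitBytes, 10)},
		{filepath.Join(dir, "cgroup.procs"), strconv.Itoa(pid)},
	}
}

func applyCgroup(root, name string, limitBytes int64, pid int) error {
	if err := os.MkdirAll(filepath.Join(root, name), 0o755); err != nil {
		return err
	}
	for _, w := range cgroupFiles(root, name, limitBytes, pid) {
		if err := os.WriteFile(w.Path, []byte(w.Data), 0o644); err != nil {
			return fmt.Errorf("%s: %w", w.Path, err)
		}
	}
	return nil
}

// parent re-executes this binary as "child" inside freshly created namespaces.
func parent(cmdArgs []string) error {
	flags, err := namespaceFlags([]string{"pid", "net", "ipc", "mnt", "uts"})
	if err != nil {
		return err
	}
	cmd := exec.Command("/proc/self/exe", append([]string{"child"}, cmdArgs...)...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{Cloneflags: flags}
	return cmd.Run()
}

// child runs as PID 1 of the new pid namespace and finishes the setup.
func child(cmdArgs []string) error {
	if err := syscall.Sethostname([]byte("demo-container")); err != nil {
		return err
	}
	// Keep mount changes private to this mount namespace, then give the
	// container a /proc that reflects only its own pid namespace.
	if err := syscall.Mount("", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, ""); err != nil {
		return err
	}
	if err := syscall.Mount("proc", "/proc", "proc", 0, ""); err != nil {
		return err
	}
	// Getpid() is 1 here; cgroup.procs resolves pids in the writer's namespace.
	if err := applyCgroup("/sys/fs/cgroup", "demo-container", 64<<20, os.Getpid()); err != nil {
		return err
	}
	return syscall.Exec(cmdArgs[0], cmdArgs, os.Environ())
}

func main() {
	var err error
	switch {
	case len(os.Args) > 2 && os.Args[1] == "child":
		err = child(os.Args[2:])
	case len(os.Args) > 1:
		err = parent(os.Args[1:])
	default:
		err = fmt.Errorf("usage: %s /bin/sh", os.Args[0])
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Build it and run `sudo ./demo /bin/sh`: inside, `hostname` prints demo-container, `ps` shows only the shell as PID 1, `ip link` shows only a loopback device, and `cat /sys/fs/cgroup/demo-container/memory.max` shows 67108864. Allocating past that limit gets the shell OOM-killed rather than the host. Compare with the shell’s `id`: it is still uid 0 on the host, and `ls /` is the host’s root, which is exactly what the caveats above are about.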

Union file systems
Union file systems, or UnionFS, are file systems that operate by creating layers, making them very lightweight and fast. Docker uses union file systems to provide the building blocks for containers. Docker’s storage drivers include AUFS and overlay, which are true union file systems, as well as btrfs and DeviceMapper, which provide the same layer-on-layer model through snapshots, and vfs, which simply copies each layer and is used for testing. Whichever driver is in use, the image layers stay read-only and only the top, per-container layer is written.
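The layer model described here and in "How does a container work?" is easiest to see in code. The following is an added Go model written for this page, not Docker’s or any union file system’s code: an ordered stack of layers where reads resolve top-down, writes land only in the top read-write layer (copy-on-write), and deletions are recorded as whiteouts, the markers AUFS stores as .wh.<name> files. The image contents (an Ubuntu base, an Apache layer, a web app layer) are constructed sample data.

```go
// Added example: a model of union file system layering. Not Docker's code.
package main

import (
	"fmt"
	"sort"
)

// Layer is one branch of the union: the files it adds plus whiteouts, the
// markers recorded when a file from a lower layer is deleted in this one.
type Layer struct {
	Name     string
	Files    map[string]string // path -> content
	Whiteout map[string]bool   // path -> deleted at this layer
}

func NewLayer(name string) *Layer {
	return &Layer{Name: name, Files: map[string]string{}, Whiteout: map[string]bool{}}
}

// Union is the stacked view: layers[0] is the base image layer, the last
// element is the container's read-write layer. Image layers are never written.
type Union struct {
	layers []*Layer
	rw     *Layer
}

func NewUnion(image []*Layer, rw *Layer) *Union {
	return &Union{layers: append(append([]*Layer{}, image...), rw), rw: rw}
}

// lookup walks the stack top-down: the first layer holding either the file or
// a whiteout for it wins, which is how upper layers shadow lower ones.
func (u *Union) lookup(path string) (*Layer, string, bool) {
	for i := len(u.layers) - 1; i >= 0; i-- {
		l := u.layers[i]
		if l.Whiteout[path] {
			return nil, "", false
		}
		if c, ok := l.Files[path]; ok {
			return l, c, true
		}
	}
	return nil, "", false
}

// Read returns the content visible at path in the merged view.
func (u *Union) Read(path string) (string, bool) {
	_, c, ok := u.lookup(path)
	return c, ok
}

// Where names the layer that serves path, or "" if the path is not visible.
func (u *Union) Where(path string) string {
	l, _, ok := u.lookup(path)
	if !ok {
		return ""
	}
	return l.Name
}

// Write is copy-on-write: content lands in the read-write layer and shadows
// whatever an image layer held; the image itself is untouched.
func (u *Union) Write(path, content string) {
	delete(u.rw.Whiteout, path)
	u.rw.Files[path] = content
}

// Remove hides a path by recording a whiteout in the read-write layer.
func (u *Union) Remove(path string) {
	delete(u.rw.Files, path)
	u.rw.Whiteout[path] = true
}

// List returns every path visible in the merged view, sorted.
func (u *Union) List() []string {
	seen := map[string]bool{}
	for _, l := range u.layers {
		for p := range l.Files {
			seen[p] = true
		}
	}
	var out []string
	for p := range seen {
		if u.Where(p) != "" {
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out
}

// demoImage builds the three image layers from the text's example with
// constructed sample contents (not real package files).
func demoImage() []*Layer {
	base := NewLayer("ubuntu")
	base.Files["/etc/os-release"] = "NAME=Ubuntu"
	base.Files["/etc/motd"] = "Welcome to Ubuntu"
	base.Files["/etc/apt/sources.list"] = "deb http://archive.ubuntu.com/ubuntu trusty main"
	apache := NewLayer("RUN apt-get install -y apache2")
	apache.Files["/usr/sbin/apache2"] = "<apache binary>"
	apache.Files["/etc/motd"] = "Apache installed" // shadows the base file
	app := NewLayer("ADD site /var/www/html")
	app.Files["/var/www/html/index.html"] = "<h1>hello</h1>"
	return []*Layer{base, apache, app}
}

// demo starts a container (a fresh read-write layer on the image) and makes
// the kinds of changes a running application makes.
func demo() *Union {
	u := NewUnion(demoImage(), NewLayer("container rw layer"))
	u.Write("/var/log/apache2/access.log", "GET / 200")
	u.Write("/etc/motd", "edited inside the container")
	u.Remove("/etc/apt/sources.list")
	return u
}

func main() {
	u := demo()
	for _, p := range u.List() {
		fmt.Printf("%-30s served by %q\n", p, u.Where(p))
	}
	// The image is unchanged: a second container from it sees the original.
	fresh := NewUnion(demoImage(), NewLayer("second container"))
	c, _ := fresh.Read("/etc/motd")
	fmt.Println("second container /etc/motd:", c)
}
```

Running it shows /etc/motd served by the read-write layer, /etc/apt/sources.list gone from the view while still present in the base layer, and a second container from the same image seeing the Apache layer’s motd. That is also why deleting a file in a later image layer does not remove it from the image: the whiteout hides it, the lower layer still carries the bytes.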

Container format
Docker combines these components into a wrapper we call a container format. The default container format is called libcontainer. Docker also supports traditional Linux containers using LXC. In the future, Docker may support other container formats, for example, by integrating with BSD Jails or Solaris Zones. (Since this was written, libcontainer has become the core of runc, the reference runtime of the Open Container Initiative, and the LXC driver has been removed from Docker.)

Docker User Guide
