Programmers have suffered long enough

One night many years ago, amid wind and rain, a young man named Docker came to the Linux Empire to call on its Elder.

"Linux Elder, programmers the world over have suffered from application deployment for far too long. I want to change that, and I hope you can help me."

The Elder replied: "Oh? Young, but not short of ambition. Take a seat first and tell me in detail what it is you want."

Docker sat down and began: "In today's world, developing, testing and deploying an application means tangled dependencies on all kinds of libraries, plus differences between their versions. Again and again a program runs fine in the development environment and then breaks in the test environment or in production. Programmers suffer from this, and it is time to change it."

Docker glanced at the Elder and went on: "I want to build a virtual container for applications to run in, one that packages the dependencies they need together with them as a single whole, so that when they are moved to a different machine they still get an identical runtime environment. That would set programmers free!"

The Linux Elder listened and nodded slightly: "A good idea, young man. But from your description, a virtual machine seems to solve this already. Deploy the application and its dependencies into a virtual machine, take a snapshot, and deploy the virtual machine directly. Would that not do?"

Docker shook his head again and again: "Elder, you do not know. A virtual machine is as heavy as an ox: it is huge, gigabytes to move around, because it has to run a complete operating system. It is slow to start, and it eats resources; a handful of virtual machines on one host is enough to drag the whole machine down! What I want is a lightweight container that provides only a runtime environment. It need not run an operating system of its own; every container shares the kernel of the host it runs on. That way you can stamp out many containers at once, light and fast."

The Linux Elder stood up, paced back and forth a few times, thought for a moment, then slapped the table and said loudly: "A fine idea. This project has my vote!"

Docker's eyes lit up and he beamed: "I truly cannot do this without your help, Elder. To achieve what I described, isolating processes from one another is the crux, and I hope you can help me with it!"

"Wait a moment," said the Linux Elder, and turned back into the inner room. Before long he came out again holding something in his hand.

"Young man, when you go back, just get started. I give you three brocade bags. When you find yourself in trouble, open them one at a time; they will surely be of great use."

Docker happily accepted the three brocade bags, bid the Linux Elder farewell, and returned home through the rain.

Brocade bag 1: chroot & pivot_root

Encouraged by the Elder, Docker was full of energy and soon set to work on his project.

The first task for a container is to limit the range in which the processes inside it may move about, that is, the filesystem directories they can reach. The processes in a container must never be allowed to wander freely through the real system's directories; their activity has to be confined to a designated area, and they must not step half a pace outside it!

But how to confine these processes? That was the first problem Docker ran into.

After a long, fruitless think, Docker finally could not resist opening the first brocade bag the Linux Elder had given him. Two function names were written on it: chroot & pivot_root.

Docker had never used either, so he asked around the Linux Empire about what they did. He learned that chroot changes which directory a single process (and its children) treats as "/", while pivot_root swaps out the root mount of the whole mount namespace, so that the old root can be unmounted and disappears entirely. That difference matters: a process that escapes a plain chroot can still find the real system, but after a pivot_root there is nothing left to find. Docker was delighted: the Elder had truly not deceived him!

With these two functions in hand, Docker set about "forging" a filesystem to fool the processes in the container.

To leave no flaw that might give the game away, Docker was clever: he mounted an operating-system image at the root directory of the container process, making it the container's rootfs. It looked just like a real system's root directory, true enough to pass for the real thing:

$ ls /
bin  dev  etc  home  lib  lib64  mnt  opt  proc  root  run  sbin  sys  tmp  usr  var
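The two functions from the brocade bag in working code, as an added example that is not part of the original article. It walks through the sequence a container runtime uses to make a prepared directory the process's root: chroot(2) on its own only changes one process's idea of where "/" is, and a process that keeps CAP_SYS_CHROOT or an open directory descriptor from outside can walk back out; pivot_root(2) inside a fresh mount namespace replaces the root mount itself and lets the old root be detached, so nothing remains to walk back to. The default directory ./rootfs and the choice to exec /bin/sh are assumptions; the code is Linux-only and needs root (or a user namespace) to get past unshare(2).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Flag for unshare(2); defined here in case <sched.h> hides it. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif

/* glibc ships no wrapper for pivot_root(2), and unshare(2) needs _GNU_SOURCE,
 * so both are reached through syscall(2). */
static int sys_pivot_root(const char *new_root, const char *put_old) {
    return (int)syscall(SYS_pivot_root, new_root, put_old);
}
static int sys_unshare(int flags) {
    return (int)syscall(SYS_unshare, flags);
}

/* Make `rootfs` the root of the calling process the way a container runtime
 * does. Returns 0 on success or -errno (-EINVAL/-ENOENT/-ENOTDIR for bad
 * input, -EPERM when the caller lacks privilege). Steps:
 *  1. a new mount namespace, so the host's mount table is untouched;
 *  2. make every mount private, so the pivot cannot propagate back to the host;
 *  3. bind-mount rootfs onto itself: pivot_root needs new_root to be a mount point;
 *  4. pivot_root(".", ".") installs rootfs as "/" and stacks the old root on top
 *     of the same directory (new_root == put_old is allowed since Linux 3.18);
 *  5. detach the old root, leaving only the new rootfs visible. */
int enter_rootfs(const char *rootfs) {
    struct stat st;
    if (rootfs == NULL) return -EINVAL;
    if (stat(rootfs, &st) != 0) return -errno;
    if (!S_ISDIR(st.st_mode)) return -ENOTDIR;

    if (sys_unshare(CLONE_NEWNS) != 0) return -errno;
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) return -errno;
    if (mount(rootfs, rootfs, NULL, MS_BIND | MS_REC, NULL) != 0) return -errno;
    if (chdir(rootfs) != 0) return -errno;
    if (sys_pivot_root(".", ".") != 0) return -errno;
    /* "." is now the new root with the old root mounted over it: detach it. */
    if (umount2(".", MNT_DETACH) != 0) return -errno;
    if (chdir("/") != 0) return -errno;
    return 0;
}

/* Why not plain chroot(2)? The classic escape, possible with CAP_SYS_CHROOT:
 *   int fd = open("/", O_RDONLY); chroot("subdir"); fchdir(fd); chroot(".");
 * lands the process back at the real root, because chroot never removed the
 * old root from the mount tree. After enter_rootfs() there is no old root left
 * to fchdir() into, which is why runtimes such as runc prefer pivot_root. */

int main(int argc, char **argv) {
    const char *rootfs = argc > 1 ? argv[1] : "./rootfs";   /* assumed path */
    int rc = enter_rootfs(rootfs);
    if (rc != 0) {
        fprintf(stderr, "enter_rootfs(%s): %s\n", rootfs, strerror(-rc));
        return 1;
    }
    /* The rootfs has to supply /bin/sh, as the `ls /` listing above does. */
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
    return 1;
}
```

Run it as root against an unpacked image directory and `ls /` inside the shell shows only the rootfs; `cat /proc/self/mountinfo` (once /proc is mounted inside) no longer lists any host mount, which a chroot-only jail can never promise.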
Brocade bag 2: namespace

With the filesystem problem solved, Docker still did not dare to relax, because another big problem had been nagging at him: how to hide the world in which the real system lives, so that the processes in the container could not see it.

The process list, the network devices, the list of users: the processes in the container must never learn about these. The world they see has to be a clean, brand-new system.

Docker knew that although he called it a container, that was only a surface appearance. The processes in the container were, like Docker himself, just ordinary processes running on the host operating system. Pulling the wool over their eyes and smuggling them past the real system would not be easy.

Docker thought of hooking system calls to deceive the processes, but that would be complicated to implement, poor in compatibility and impossible to make stable. After much thought he still had no good idea.

At his wits' end, Docker remembered the brocade bags the Linux Elder had given him. He hurried to take out the second one and opened it. On it was written: namespace.

Docker still did not understand what it meant, so once more he asked around the Linux Empire about what a namespace was.

After some thought, Docker finally understood. A namespace is a mechanism the Empire provides: with it you can carve out namespaces one by one and then sort processes into them. There is a kind for each thing a process might see: mount namespaces for the mount table, pid namespaces for the process list, net namespaces for network devices and ports, uts namespaces for the hostname, ipc namespaces for System V IPC and POSIX message queues, user namespaces for user and group IDs, and in later kernels cgroup and time namespaces as well.

Each namespace exists on its own. A process inside one cannot see the processes, users, network interfaces and so on that belong outside it.

Was that not exactly what Docker wanted? He had worn out his iron shoes searching, and here it was without the slightest effort!

Docker hurried to work overtime. With namespaces he locked the "view" of each process to the bounds of its container, so that the processes inside were as good as blindfolded and could no longer see the outside world.
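What "locking a process's view" looks like in code, as an added example that is not from the original article: a small launcher that puts a command into new pid, mount, uts, ipc and net namespaces (and optionally a user namespace, which is what lets an unprivileged user do this at all), gives it its own hostname and a private /proc so that `ps` inside lists only the container's processes. The namespace spellings accepted by parse_ns_flags and the hostname "container" are assumptions; the program is Linux-only and unshare(2) needs root or a user namespace. One caveat the story leaves out: namespaces change what a process can see, not what the shared kernel will do for it, so a runtime still drops capabilities and filters system calls on top.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Flags for unshare(2); defined here in case <sched.h> hides them. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000
#define CLONE_NEWUTS  0x04000000
#define CLONE_NEWIPC  0x08000000
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID  0x20000000
#define CLONE_NEWNET  0x40000000
#endif

/* Map "pid,mnt,uts,ipc,net,user" to unshare(2) flags: the mask, 0 for an
 * empty spec, or -1 if a name is unknown. */
long parse_ns_flags(const char *spec) {
    static const struct { const char *name; long flag; } table[] = {
        {"mnt", CLONE_NEWNS}, {"pid", CLONE_NEWPID}, {"uts", CLONE_NEWUTS},
        {"ipc", CLONE_NEWIPC}, {"net", CLONE_NEWNET}, {"user", CLONE_NEWUSER},
    };
    const size_t n = sizeof table / sizeof table[0];
    long flags = 0;
    char buf[128];
    if (spec == NULL || strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        size_t i = 0;
        while (i < n && strcmp(tok, table[i].name) != 0) i++;
        if (i == n) return -1;
        flags |= table[i].flag;
    }
    return flags;
}

/* Inode of /proc/self/ns/<name>: processes in the same namespace share it.
 * Returns 0 when it cannot be read (no /proc, unknown name). */
unsigned long ns_inode(const char *name) {
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/self/ns/%s", name);
    return stat(path, &st) == 0 ? (unsigned long)st.st_ino : 0;
}

static void write_str(const char *path, const char *s) {
    FILE *f = fopen(path, "w");
    if (f) { fputs(s, f); fclose(f); }
}

/* Run argv[] in the namespaces selected by `flags`, with `hostname` set inside
 * a new uts namespace. Returns the child's exit status, or -errno if the
 * namespaces could not be created (EPERM without root or a user namespace). */
int run_isolated(long flags, const char *hostname, char *const argv[]) {
    uid_t uid = getuid(); gid_t gid = getgid();   /* read before ids become unmapped */
    if (flags <= 0 || argv == NULL || argv[0] == NULL) return -EINVAL;
    if (syscall(SYS_unshare, flags) != 0) return -errno;

    if (flags & CLONE_NEWUSER) {
        /* Map uid 0 inside the container onto our own unprivileged ids. */
        char map[64];
        snprintf(map, sizeof map, "0 %u 1", (unsigned)uid);
        write_str("/proc/self/uid_map", map);
        write_str("/proc/self/setgroups", "deny");   /* required before gid_map */
        snprintf(map, sizeof map, "0 %u 1", (unsigned)gid);
        write_str("/proc/self/gid_map", map);
    }
    if ((flags & CLONE_NEWUTS) && hostname) sethostname(hostname, strlen(hostname));

    /* unshare(CLONE_NEWPID) affects children only: the fork()ed child becomes
     * PID 1 of the new pid namespace, and its descendants are the only
     * processes the container can see. */
    pid_t pid = fork();
    if (pid < 0) return -errno;
    if (pid == 0) {
        if (flags & CLONE_NEWNS) {   /* private /proc, so `ps` sees only this pid ns */
            mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);
            mount("proc", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL);
        }
        execvp(argv[0], argv);
        perror("execvp");
        _exit(127);
    }
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
}

int main(int argc, char **argv) {
    char *sh[] = {"/bin/sh", NULL};
    long flags = parse_ns_flags(argc > 1 ? argv[1] : "user,pid,mnt,uts,ipc,net");
    if (flags < 0) { fputs("unknown namespace name\n", stderr); return 2; }
    printf("pid namespace before: %lu\n", ns_inode("pid"));
    int rc = run_isolated(flags, "container", argc > 2 ? &argv[2] : sh);
    if (rc < 0) fprintf(stderr, "run_isolated: %s\n", strerror(-rc));
    return rc < 0 ? 1 : rc;
}
```

Inside the shell, `hostname` prints container, `ps -e` shows sh as PID 1, `ip link` shows only a down loopback device, and `readlink /proc/self/ns/pid` gives a different inode from the one printed before. Mounting a fresh /proc from a user namespace fails if the outer /proc has parts masked by an enclosing container runtime; the kernel refuses to reveal more of procfs than the parent could see.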

Brocade bag 3: CGroup

With filesystem and process isolation both solved, the stone on Docker's heart was finally lifted. He was itching to test his container, but he also wondered what the last brocade bag said, so he opened the third one. On it was written: CGroup.

What was this? Docker still could not make sense of it, but this time he could not be bothered; he would run his container first.

He ran it for a while and everything went according to plan. Every process in the container ran normally, fooled by the virtual filesystem he had built and the isolated system environment. Docker was overjoyed!

Soon Docker began promoting his container technology across the Linux Empire. It was a great hit: he gained countless fans, and even big names like nginx and redis moved in one after another.

But behind the flowers and applause, Docker did not know that trouble was coming his way.

One day the Linux Empire's memory manager came to "execute" Docker. Docker asked in astonishment: "What on earth happened? Why are you coming for me?"

The manager snapped: "The Empire's memory has nearly been used up by that fellow Redis. Now some processes have to be picked out and killed. Sorry, you drew the lot."

Redis? Isn't that one of the processes in my container? Docker was stunned!

"Sir, I know the Elder of the Empire. Please make an exception and find someone else. As for that Redis fellow, I have a way to deal with him."

Not expecting Docker to know the Imperial Elder, the manager hesitated, then let him go and went off elsewhere.

Shaken, Docker thought it over. Leaving the processes in the container uncontrolled was far too dangerous! Besides memory there were the CPU, disk I/O, network and other resources. If a container process grabbed the CPU and would not let go, or wrote to the disk like mad, sooner or later it would drag Docker down with it. These processes had to be reined in, so that none of them could step out of line.

Then he remembered the Linux Elder's third brocade bag: CGroup! Perhaps it could solve this pressing problem.

After some research, Docker felt he had hit the jackpot. CGroup (control groups) is similar to namespace: another mechanism of the Linux Empire. It lets you carve out groups one by one and then limit the resources each group may use: an upper bound on memory, a share of CPU time, block I/O bandwidth, the number of processes, and so on. The kernel itself checks and enforces the resource usage of the processes in each group, so a group that hits its memory limit is dealt with inside the group instead of dragging the whole host into the memory manager's lottery.

The Linux Elder's three brocade bags were truly wonderful, each more useful than the last. Docker's heart filled with gratitude.

Docker then added CGroup technology, tightened his control over the processes in the container, and finally breathed easy.
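The limits the story describes, as an added example that is not from the original article. It uses the cgroup v2 interface (the unified hierarchy mounted at /sys/fs/cgroup on current distributions): create a group, write memory.max, cpu.max and pids.max, then move the calling process into it so the kernel enforces the limits on it and on everything it starts. With memory.max set, exhausting the limit makes the OOM killer act inside the group rather than on the host, which is exactly the scene with Redis above. The group name "docker-story" and the limit values are assumptions; the helpers that format and parse the control-file contents are pure and run anywhere, while cgroup_limit_self() is Linux-only and needs write access to the cgroup tree (root, or a delegated subtree).

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define CGROUP_ROOT "/sys/fs/cgroup"   /* cgroup v2 unified hierarchy */

/* memory.max syntax: "512M", "2G", "1048576" or "max". Returns bytes,
 * -1 for "max" (no limit), -2 on a malformed value. */
long long parse_bytes(const char *s) {
    char *end;
    if (s == NULL) return -2;
    if (strcmp(s, "max") == 0) return -1;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno != 0 || end == s || v < 0) return -2;
    switch (*end) {
        case 'K': v <<= 10; end++; break;
        case 'M': v <<= 20; end++; break;
        case 'G': v <<= 30; end++; break;
        default: break;
    }
    return (*end == '\0' || *end == '\n') ? v : -2;
}

/* cpu.max holds "<quota> <period>" in microseconds: the group may run for
 * quota us out of every period. pct percent of one CPU at the default 100 ms
 * period; 200 means two full CPUs. Returns static storage (not reentrant). */
const char *format_cpu_max(unsigned pct) {
    static char buf[32];
    snprintf(buf, sizeof buf, "%u 100000", pct * 1000);
    return buf;
}

/* Quota field of a cpu.max line; -1 for "max" (unlimited), -2 on parse error. */
long long cpu_max_quota(const char *line) {
    char quota[16], *end;
    long long period, q;
    if (line == NULL || sscanf(line, "%15s %lld", quota, &period) != 2) return -2;
    if (strcmp(quota, "max") == 0) return -1;
    q = strtoll(quota, &end, 10);
    return (*end == '\0' && q >= 0) ? q : -2;
}

/* cgroup control files reject bad values at write time, which with stdio
 * buffering surfaces at fclose(); report it as -errno. */
static int write_file(const char *path, const char *content) {
    FILE *f = fopen(path, "w");
    if (f == NULL) return -errno;
    int rc = (fputs(content, f) < 0) ? -EIO : 0;
    if (fclose(f) != 0 && rc == 0) rc = -errno;
    return rc;
}

/* Create CGROUP_ROOT/<name>, apply the limits and move the caller (and thus
 * every child it will spawn) into the group. Returns 0 or -errno. */
int cgroup_limit_self(const char *name, const char *mem_max, unsigned cpu_pct,
                      unsigned pids_max) {
    char path[256], val[64];
    int rc;
    if (name == NULL || strchr(name, '/') != NULL || parse_bytes(mem_max) == -2 ||
        cpu_pct == 0 || pids_max == 0)
        return -EINVAL;

    snprintf(path, sizeof path, CGROUP_ROOT "/%s", name);
    if (mkdir(path, 0755) != 0 && errno != EEXIST) return -errno;

    snprintf(path, sizeof path, CGROUP_ROOT "/%s/memory.max", name);
    if ((rc = write_file(path, mem_max)) != 0) return rc;
    snprintf(path, sizeof path, CGROUP_ROOT "/%s/cpu.max", name);
    if ((rc = write_file(path, format_cpu_max(cpu_pct))) != 0) return rc;
    snprintf(path, sizeof path, CGROUP_ROOT "/%s/pids.max", name);
    snprintf(val, sizeof val, "%u", pids_max);
    if ((rc = write_file(path, val)) != 0) return rc;

    /* Writing our pid into cgroup.procs is the actual move into the group. */
    snprintf(path, sizeof path, CGROUP_ROOT "/%s/cgroup.procs", name);
    snprintf(val, sizeof val, "%d", (int)getpid());
    return write_file(path, val);
}

int main(int argc, char **argv) {
    const char *name = argc > 1 ? argv[1] : "docker-story";   /* assumed group name */
    int rc = cgroup_limit_self(name, "512M", 50, 256);         /* assumed limits */
    if (rc != 0) { fprintf(stderr, "cgroup_limit_self: %s\n", strerror(-rc)); return 1; }
    /* Everything exec'd from here inherits the group: a process that exceeds
     * memory.max is OOM-killed inside the group, fork() past pids.max fails
     * with EAGAIN, and the group never gets more than half a CPU. */
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
    return 1;
}
```

If a write fails with ENOENT, the controller is not enabled for that level of the tree: add it to the parent's cgroup.subtree_control (for example `echo +memory +cpu +pids > /sys/fs/cgroup/cgroup.subtree_control`) and retry. `cat /sys/fs/cgroup/docker-story/memory.events` afterwards shows the oom_kill counter climbing when a process in the shell overruns the limit, while the rest of the host is untouched.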

Blessed with the Linux Elder's three masterpieces, Docker enjoyed a moment of real glory and became a great celebrity of the Linux Empire.

But the greater the ability, the greater the responsibility. Little did Docker know that new challenges lay ahead.
