- 1C++的数组(定义和应用)_c++ 数组定义
- 2【计算机网络】TCP原理 | 可靠性机制分析(一)
- 3Springboot可以同时处理多少请求?_springboot get接口 最高处理多少并发
- 4MySQL 06 - SQL语句三_sql语句写出 性别男生和女生年龄大于18的grop by 语句
- 5pip intall pywin32出现 error: subprocess-exited-with-error 错误的解决办法_error: subprocess-exited-with-error 脳 python setup
- 6Fiddler+夜神模拟器+xposed+justTrustMe手机抖音抓包_夜神模拟器 抖音 fiddler
- 7Windows 11检测提示电脑不支持 TPM 2.0,不同品牌主板的开启TPM2.0的方法_微星主板b85似乎不支持 tpm
- 8「模问题」AI原生小游戏强势来袭!
- 9【已解决】Spring常见错误:类文件具有错误的版本 61.0, 应为 52.0
- 1085 总结一下最近遇到的一些 jar发布 相关的知识
docker host OS 和 the container base image OS 之间的关系_docker image os
赞
踩
是不是要求我制作机器(安装运行 febootstrap 和docker)的linux机器的内核版本必须要和要制作的OS base image的内核版本要一致?还是没有限制?
要求os kernerl必须一致或者兼容;其他没有任何要求。
Literally, the only thing they have in common is the kernel. Their whole world (file system) is in the docker container.
docker image的兼容性和资源共享问题?
是不是制作image的平台和运行容器的宿主机必须是一致的环境(是内核一致还是完全一致),这个有无特别的要求?
docker 上的容器并不是一个完整的虚拟机,在宿主机上制作某个os级别的base images,是不是宿主机有的组件就不包括了,把宿主机没有的组件打进去?
docker的宿主机和镜像哪些组件是打包到镜像中,哪些是调用宿主机的资源?
Docker does a process isolation leveraging LXC (a kind of lightweight virtualisation built into Linux Kernel).
The basic difference between LXC and VMs is that with LXC there is only one instance of Linux Kernel running.
The base image OS is used for filesystem, binaries, etc.
base image OS 使用自己独立的文件系统和二进制可执行程序(包括库和可执行程序), 所有的系统调用都在host os kernerl下进行。
You are lacking basic Docker concepts. It's a completely different thing.
The first thing you need to know is Docker's philosophy : run one process isolated in a container. You won't run an OS in a Docker container, you will run a process inside a container with a root filesystem content based on a linux distribution of your choosing. Ubuntu is a choice among others.
Now you should wonder how is it possible to get a process runing inside a linux base image different from the linux distribution your host is running with. For an OS to run you basically need :
- A boot filesystem : contains the bootloader and the kernel that will reside in memory once loaded. We don't care about this in the case of Docker containers because the kernel is shared with the host and is the common part between all linux distributions.
- A root filesystem : contains the filesystem structure. It may be different from one linux distribution to another. It's read-only until the boot sequence has finished.
Docker uses UnionFS to manage layers of disk blocks inside a container so you can pile them.
Behind the scenes, it uses an union mount which allows multiple filesystems to be mounted at the same time, appearing like a whole virtual one. It in fact drops the base image layer as read-write mode on top of the base root filesystem in read-only mode.
Here you have a pile of disk blocks layered in a way that the linux distribution the base image comes from would contain the same filesystem once installed in a real host, but it's inside a container this time.
The last thing lacking now is : how do you run this thing isolated ?
The answer is : namespaces. I won't go into the details here because it would deviate a bit from the original question. But what you need to know is that since kernel 2.4.19, namespaces of various kinds have appeared along the years. Currently the following namespaces are available :
- IPC : IPC namespace (interprocess communications)
- MNT : mount namespace
- NET : network namespace
- PID : pid namespace
- USER : user namespace (uid)
- UTS : UTS namespace (hostnames)
Namespaces are isolated structures inside the kernel that allow processes to run with a particular environment. For instance MNT namespace will be the key feature to get a process running in the base image root filesystem specificities. NET namespace will be another key feature for a container to have specific network interfaces in order to communicate with the docker bridge etc.
So, yes, the main purpose of all of this is to run an application isolated, ship it from your local environment to production easily with inside a box called container.
docker container使用MNT 和 UnionFS 技术 来挂载自己的独立的 root filesystem ,这个是docker image 能够分层打包的技术基础;docker container 使用 namespaces 和Cgroup 技术,这个是保证 容器隔离的技术基础;
base image OS 是为了给所有组件提供一个共同的运行环境,所有的其他组件都基于这个 base os image 创建自己的应用层。这种分层的思想可以减少镜像的大小,提供复用,为多个组件提供共同的平台层,随时添加或者回滚一个layer等优点。
参考:
http://serverfault.com/questions/659557/os-docker-container-what-is-the-difference-with-a-vm-then
http://stackoverflow.com/questions/18786209/what-is-the-relationship-between-the-docker-host-os-and-the-container-base-image?rq=1
http://stackoverflow.com/questions/20823788/docker-is-not-vm-why-container-need-base-image-os
