Talk about docker

Time:2020-6-25

Docker technology is used in the private-deployment part of Netease Yunxin IM. Today, we will talk about Docker in depth.

What is Docker?
Docker is a tool that can package and deploy applications in containers. Here, you can think of a container as a stripped-down Linux environment plus the application running in it. Each container runs one application. Docker was born in early 2013. It was originally an amateur project within dotCloud, and its founder was Solomon Hykes.
Docker has attracted wide attention and discussion since it was open-sourced. Red Hat has explicitly supported Docker in RHEL 6.5; Google has also used it widely in its PaaS products. The goal of the Docker project is to realize a lightweight operating system virtualization solution. Docker has now been transformed from a tool into a platform, a small ecosystem.

What are the advantages of Docker?
In the past, enterprises would purchase physical servers when deploying software, which resulted in low resource utilization. Later came virtual servers in the cloud, such as AWS, which improved resource utilization, but the application environment could still differ from one stage to another.

Docker greatly improves on these points, for example:
1. A Docker container can start in seconds.
2. Apart from running the application, the container consumes almost no additional system resources, so application performance is very high and system overhead is very small. Running 10 different applications in the traditional virtual machine mode requires 10 virtual machines, while Docker only needs to start 10 isolated applications.
The figure below shows the difference between traditional virtualization and Docker. Docker is essentially a virtualization technology, not a virtual machine. Docker implements virtualization at the operating system level, directly reusing the operating system of the local host, while the traditional approach implements it at the hardware level. In the traditional mode, each guest OS occupies a lot of space, and different applications need different virtual machines. With Docker there is only one OS, and all the applications run on that one OS.

* A hypervisor is a virtualization technology.

Specifically, Docker's advantages include:

  1. Faster developer onboarding
  2. No vendor lock-in
  3. Eliminate environment inconsistencies
  4. Ship applications faster
  5. Scale quickly
  6. Easily remediate issues

Play with Docker container
After downloading and installing Docker, you can try running a chat application with the following command.
docker run -d -p 3000:3000 unclebarney/chit-chat
This command starts a Docker container. -d starts it in the background. -p sets up port mapping, here mapping port 3000 in the container to port 3000 on the host. The image used is unclebarney/chit-chat. The command does two things:
1. Download this image from Docker Hub (where all images are stored), which takes about 5 to 30 seconds depending on bandwidth
2. Start the container from the image and run the node server

Docker image
The Docker image is the foundation of the container. All containers are built from images. Before Docker runs a container, the corresponding image must exist locally. If it does not, Docker downloads it from an image registry (the default is the public Docker Hub registry).
Each running Docker instance consists of the container at the top and a multi-layer image underneath. Docker uses a union filesystem (UnionFS) to integrate these layers. Generally, a union filesystem has two purposes. On the one hand, it can be used to mount multiple disks under the same directory without LVM or RAID; on the other hand, and more commonly, it is used to combine a read-only branch with a writable branch. Live CDs use this method to let users write on top of the same image. Each layer of the image carries the following information:
1. The metadata of the layer, stored as JSON
2. The image filesystem changeset
3. The image ID, for example: 74fe38d11401
There are two ways to build images:
1. Start a base container, run some commands in it, and commit the result, much like a git commit, to form your own image.
2. Reference a base image and add the required instructions. These instructions live in a file called Dockerfile.
The following is an example Dockerfile. It is how the image of the chat application mentioned above is built.
# Base this image on mhart/alpine-node. The first instruction in the Dockerfile must be the FROM instruction
FROM mhart/alpine-node:base
# Add the contents of the folder where the Dockerfile is located to the Docker image. The first dot refers to the directory where the Dockerfile is located. The second dot refers to the current directory in the Docker image
ADD . .
# Expose port 3000 for this image
EXPOSE 3000
# Run the node command. It is worth noting that this command is not executed when the image is built, but only when a container is actually started from this image
CMD ["node", "index.js"]

More Explanation
Consider building the chat software the traditional way. There is a Linux system at the bottom, Node.js on top of it, and the source code on top of that. Users connect through port 3000. If Google needs this application, the whole program has to be packaged. The simplest way is to package everything from the Linux system up to the source code: although the source code is the main part, it cannot be packaged on its own. If another user (Google 2) needs the application, the whole system has to be packaged again. With Docker, the Linux and Node.js parts of the two services (service 1, service 2) are the same, and only their source code differs. Split them into layers: call the Linux system part image 1, the Node.js part image 2, the source code of service 1 image 3, and the source code of service 2 image 4. Then images 1, 2, 3 can be given to Google 1 and images 1, 2, 4 to Google 2; images 1 and 2 are reused. Suppose file 0 exists in images 1, 2 and 3. Image 3 hides file 0 in images 1 and 2, as if it were an overlay. Going from the upper layers to the lower layers, when the same file name exists in both, the lower-layer file is hidden. The files in Docker's middle and lower layers are read-only; only the top layer is read-write, and the application can modify it.
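
The layer rules described above, as an added example (a toy model written for this article, not Docker's storage driver). The Container class, the file names and the image contents are constructed for illustration; the delete step goes slightly beyond the text and shows how overlay filesystems record a removal as a marker in the top layer.

```python
# Toy model of image layering (an illustration, not Docker's storage driver).
WHITEOUT = object()  # marks a path as deleted in the layer that holds it

class Container:
    def __init__(self, image_layers):
        self.image_layers = image_layers  # bottom first, treated as read-only
        self.rw = {}                      # the single read-write top layer

    def read(self, path):
        # Search from the top down: the first layer that has the path wins.
        for layer in [self.rw] + self.image_layers[::-1]:
            if path in layer:
                if layer[path] is WHITEOUT:
                    break
                return layer[path]
        raise FileNotFoundError(path)

    def write(self, path, data):
        self.rw[path] = data              # image layers are never touched

    def delete(self, path):
        self.read(path)                   # raises if the path is not visible
        self.rw[path] = WHITEOUT          # hides it; lower copies remain

# Constructed layers matching the text: images 1 and 2 are shared.
image1 = {"/file0": "from image 1", "/etc/os-release": "linux"}
image2 = {"/file0": "from image 2", "/usr/bin/node": "node runtime"}
image3 = {"/file0": "from image 3", "/app/index.js": "service 1"}
image4 = {"/app/index.js": "service 2"}

def demo():
    s1 = Container([image1, image2, image3])
    s2 = Container([image1, image2, image4])
    before = s1.read("/file0")            # image 3 hides images 1 and 2
    s1.write("/file0", "changed at runtime")
    s1.delete("/usr/bin/node")
    return before, s1, s2

if __name__ == "__main__":
    before, s1, s2 = demo()
    print(before, "|", s1.read("/file0"), "|", s2.read("/file0"))
```

A file hidden or deleted by an upper layer is still stored in the lower layer, so anything sensitive added in an early image layer remains readable to whoever holds that image even if a later layer removes it.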

Namespace
Docker uses the namespace technology of the Linux system to separate the applications at the top. Processes in the same namespace see the same resources. Processes in different namespaces have independent resources. Each container has its own namespaces, and the applications running in it behave as if they were running in a separate operating system. Namespaces ensure that containers do not affect each other.

Cgroups
Docker uses cgroups to restrict resources. Cgroups are a feature of the Linux kernel, mainly used to isolate, restrict and audit shared resources. Only by controlling the resources allocated to each container can we avoid competition for system resources when multiple containers run at the same time. Control group technology was first proposed by Google programmers.

Docker Components
Docker adopts a client/server (C/S) architecture. The Docker daemon acts as the server: it accepts requests from clients and processes them (creating, running and distributing containers). The client and the server can run on the same machine, or communicate through a socket or a RESTful API. The Docker daemon usually runs in the background on the host, waiting to receive messages from the client. The Docker client provides users with a series of executable commands, which are used to interact with the Docker daemon. The Docker daemon consists of two parts:

  1. A lightweight server that receives messages from clients and provides users with a series of executable commands
  2. An engine, which is responsible for scheduling requests, is a general entry and manages the life cycle of the container

The Docker registry is a repository for storing images. It communicates with the daemon and handles requests for images sent from the client. You can use a public registry or a private one. When Docker is installed locally, another component is graphdb. Graphdb is a small SQLite-based database that manages local Docker images and the relationships between them. When creating a new container or downloading an image, Docker first looks for existing images and reuses the resources that are available. Docker drivers allow users to customize the environment in which Docker runs. They fall into three categories:

  1. Graph driver: storage related
  2. Network driver: network related
  3. Exec driver: operating environment related

A container can have no IP address. This is done by setting the network driver option to none.

RunC
runC is an abstraction layer between the Docker drivers and the Linux kernel. It can call many features of the Linux kernel, including namespaces, cgroups, capabilities and filesystem access controls.
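
To see which of these kernel controls a container was actually started with, the following added example (not part of the original article or of Docker) audits the HostConfig section of `docker inspect` output. The sample JSON is constructed to reflect the chat container started earlier with only -d and -p 3000:3000; the audit function and its finding strings are this example's own.

```python
import json

# Constructed sample: trimmed `docker inspect` output for a container started
# with only `-d -p 3000:3000`, so every HostConfig value is Docker's default.
SAMPLE = json.loads("""
[{"Name": "/chat", "HostConfig": {
    "Memory": 0, "PidsLimit": null, "Privileged": false,
    "CapAdd": null, "CapDrop": null, "ReadonlyRootfs": false,
    "NetworkMode": "default", "PidMode": "", "IpcMode": "private",
    "PortBindings": {"3000/tcp": [{"HostIp": "", "HostPort": "3000"}]}}}]
""")

def audit(container):
    """Return isolation findings for one `docker inspect` entry."""
    hc = container["HostConfig"]
    findings = []
    # cgroups: 0 or null means the kernel enforces no limit.
    if not hc.get("Memory"):
        findings.append("cgroups: no memory limit")
    if (hc.get("PidsLimit") or 0) <= 0:
        findings.append("cgroups: no pids limit")
    # namespaces: "host" means the container shares the host's namespace.
    for key in ("NetworkMode", "PidMode", "IpcMode"):
        if hc.get(key) == "host":
            findings.append(f"namespaces: {key} is host")
    # capabilities: privileged keeps everything; otherwise expect --cap-drop ALL.
    dropped = [c.upper() for c in hc.get("CapDrop") or []]
    if hc.get("Privileged"):
        findings.append("capabilities: privileged container")
    elif "ALL" not in dropped:
        findings.append("capabilities: default set not dropped")
    if not hc.get("ReadonlyRootfs"):
        findings.append("filesystem: writable root filesystem")
    # port mapping: an empty HostIp binds on every host interface.
    for port, binds in (hc.get("PortBindings") or {}).items():
        for b in binds or []:
            if b.get("HostIp") in ("", "0.0.0.0", "::"):
                findings.append(f"network: {port} published on all interfaces")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE[0]):
        print(line)
```

Against a real daemon, pass it the parsed output of `docker inspect <container>`. The `docker run` flags that clear these findings are --memory, --pids-limit, --cap-drop ALL, --read-only and -p 127.0.0.1:3000:3000.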

Open source
Docker is not locked to any operator and is not monopolized by any company. The Docker project has joined the Linux Foundation and is released under the Apache 2.0 license. The project code is maintained on GitHub.
Reprinted from official account BitTiger
