The essence of a Docker is a process on the host. Docker implements resource isolation through namespace, resource restriction through cgroups, and efficient file operation through copy-on-write mechanism.

What does it take to implement a resource-isolated container? First, there is the chroot command, which switches the mount point of the root directory /, that is, the file system is isolated. Then, in order to communicate and locate in a distributed environment, containers must have independent IP addresses, ports, routes, etc., which involves network isolation. The container also needs a separate host name to identify itself on the network. With the network, naturally cannot leave the communication, also thought of the process communication needs isolation; The developer probably has permissions in mind, and the isolation of users and user groups enables the isolation of user permissions; Finally, applications running in the container need a process number (PID), which of course needs to be isolated from the PID in the host.

The kernel knowledge behind Docker

Namespace resource Isolation (six quarantines for a container)
- UTS implements hostname and domain name isolation
- IPC implements communication isolation between processes
- PID implements process ID isolation
- Mount Implements file isolation
- Network Implements network isolation
- User Isolates users from user groups
Cgroups resource limits

Cgroups can not only limit resources isolated by a namespace, but also set weights for resources, calculate usage, and control the start and stop of tasks (processes or threads).

Docker Network Management LibNetwork has 5 built-in drivers to provide different types of network services:

Bridge drive
The host driver
Overlay drive
Remote driver
Null drive

Bridge drivers are Docker default Settings. With this driver, libNetwork connects the Docker container created to the Docker bridge.

Bridge driver implementation mechanism analysis:

Docker0 bridge
The iptables rules
Docker container DNS and host name

Linux Network Virtualization

The cornerstone of network virtualization
veth pair
Linux bridge
Top/tap device
iptables

Docker four network modes

bridge
host
container
none

Docker Web tips

Docker container networking challenges

Need to understand Docker stand-alone container network

Docker understands eight articles

Docker four network modes

Linux network

Three networking modes for VMWare

Linux virtual network device VeTH-pair details, see this article enough

Kubernetes

mo4tech.com (Moment For Technology) is a global community with thousands techies from across the global hang out!Passionate technologists, be it gadget freaks, tech enthusiasts, coders, technopreneurs, or CIOs, you would find them all here.

Containers and container clouds

Linux network

Containers and container clouds

Linux network

Related Posts

Spring Boot Logging framework practices

OpenStack Train Offline deployment | 3 Controller node -Keystone authentication service component

Xxl-job Application code small note