Docker& Cloud Native

Docker and cloud native

First, concept introduction

1.1 Docker

Docker is an open source application container engine that allows developers to package their applications and dependencies into a portable image that can then be distributed to any popular Linux or Windows machine, as well as virtualization. Containers are completely sandboxed and have no interface with each other.

Docker history

One of the biggest hassles of software development is environment configuration. How do you know which machines your software will run on

Let’s say you write a Web application that has no problems debugging locally and want to send it to your friends or deploy it to a remote server. First, you need to configure the same environment (database, Web server), which is not guaranteed to start
The most common feedback from development and testing students: “It works in my local area”, which means that other machines probably won’t work.

In order to solve this problem, the development operation and maintenance environment based on physical machines and virtual machines has been transformed to container-centered infrastructure

Half a century ago, the container was the force that transformed the entire transportation industry (the rise of containerization). Without the container, there would be no globalization.

The sudden emergence of Docker is an important inflection point in the cloud service market. Docker is the “box” of the cloud service market. The application of Container technology represents a new era. DockerLogo: Whales are operating systems that use containers to separate different kinds of goods. Rather than having lots of baby whales (Guest OS) to carry different kinds of cargo.

So why are physical machines/virtual machines replaced by containers?

Virtual machines (VMS) and Dockers often appear in the same context because they are both used to isolate the environment

From the figure above, we can see the differences between virtual machines and Docker containers summarized in peacetime use. Virtual machines need to simulate hardware, running the entire operating system, not only bulky and high memory footprint, program performance will also be affected

The virtual machine	Docker
Hardware-level process isolation	Operating system level process isolation
Each virtual machine has a separate operating system	Each container can share the operating system
Activate in a few minutes	Activate in a matter of seconds
The virtual machine is only a few GIGABytes	Containers are lightweight (KBs/MBs)
More Resource Usage	Less resource use
VMS can be easily migrated to a new host	The container is destroyed and recreated rather than moved
Creating a VM takes a relatively long time	Containers can be created in seconds

Docker packaging mechanism

But the real reason containers have replaced virtual machines is because Docker invented images. For example, when PaaS is deployed to a cluster on a large scale, a packaged package needs to be maintained for each language, framework or even version of the application. Therefore, a lot of modification and configuration work must be done to run the PaaS. While one-click deployment is possible, packaging applications can be tricky

Docker images solve the fundamental problem of packaging. The so-called Docker image is actually a compressed package. But there’s a lot more in this package than a PaaS application executable plus a start-stop script. In fact, most Docker images are directly composed of all the files and directories of a full operating system, so the contents of the compressed package are exactly the same as those of your local development and test environment.

With this package in hand, you can use some technique to create a “sandbox”, unpack the package in the “sandbox”, and then run your program.

This mechanism directly packages the entire operating system required for the application to run, thus ensuring a high degree of consistency between the local and cloud environments

Docker “sandbox” implementation

The core function of container technology is to create a “boundary” for a process by restricting and modifying its dynamic performance. For most Linux containers such as Docker, it is an isolated environment created by Cgroups and Namespace mechanism. Package based on the Advance Union File System (AUFS) File System

Cgroup: resource allocation and management
Namspsce: Isolation (user/network/process, etc.) isolation
Aufs: image packaging mechanism

Cgroups

The full name for Linux Cgroups is Linux Control Group. Its main function is to limit the upper limit of resources that a process group can use, including CPU, memory, disk, network bandwidth, and so on.

Cgroups also has the ability to prioritize, audit, and suspend and resume processes. In today’s share, I’ll focus only on the “limiting” capabilities that are most relevant to containers. In Linux, Cgroups exposes the user to the file system, which is organized as files and directories under the /sys/fs/cgroup path of the operating system. They can be displayed with the mount command, which reads:

[root@k8s-demo-master ~]# mount -t cgroup cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd) cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio) cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory) cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset) cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices) cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct) cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio) cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)  cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer) cgroup on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,rdma) cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event) cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)Copy the code

Under /sys/fs/cgroup there are many subdirectories such as Cpuset, CPU, and memory, also called subsystems. These are the kinds of resources my machine can currently be limited by Cgroups

[root@k8s-demo-master ~]# cd /sys/fs/cgroup/cpu
[root@k8s-demo-master cpu]# ls
aegis                  cgroup.procs          cpuacct.usage         cpuacct.usage_percpu_sys   cpuacct.usage_user  cpu.rt_period_us   cpu.stat           release_agent
assist                 cgroup.sane_behavior  cpuacct.usage_all     cpuacct.usage_percpu_user  cpu.cfs_period_us   cpu.rt_runtime_us  kubepods           system.slice
cgroup.clone_children  cpuacct.stat          cpuacct.usage_percpu  cpuacct.usage_sys          cpu.cfs_quota_us    cpu.shares         notify_on_release  tasks
[root@k8s-demo-master cpu]# cat cpuacct.usage
34538850584425
[root@k8s-demo-master cpu]# cat cpu.cfs_quota_us
20
Copy the code

This means that for every 100 ms, the process restricted by this control group can only use 20 ms of CPU time, which means that the process can only use 20% of the CPU bandwidth. If you create a directory under the sys/fs/cgroup/ CPU directory as a control group and create the cpu.cfs_quota_us limit file and the process ID file corresponding to tasks tasks, you can limit the specified process ID

The Linux Cgroups design is relatively easy to understand, it is a subsystem directory plus a set of resource limited files. For Linux container projects such as Docker, they just need to create a control group for each container under each subsystem (that is, create a new directory), and then after starting the container process, fill the PID of the process into the tasks file of the corresponding control group.

Namspace mechanism

The first /bin/sh we execute in Docker is process 1 (PID=1) inside the container, and there are only two processes running in the container. This means that the /bin/sh we did earlier and the ps we just did. Has been isolated by Docker in a completely different world from the host machine.

# wangjun @ LPT004412 in ~ [17:03:04]
$ docker exec -it 9bf2d02c1236 /bin/sh
/ # ps
PID   USER     TIME  COMMAND
    1 root      0:00 sh
   24 root      0:00 /bin/sh
   31 root      0:00 ps
/ # exit
# wangjun @ LPT004412 in ~ [17:04:06] C:130
$ ps -efUID PID PPID C STIME TTY TIME CMD 0 1 0 1:14 PM?? 0:32.45 /sbin/launchd 0 294 1 0 1:14 PM? 0:28. 60 / usr/libexec/logdCopy the code

Namespaces are a Linux method for separating resources such as process trees, network interfaces, mount points, and interprocess communication.

classification	System call parameters	Related kernel versions	Isolate the content
Mount namespaces	CLONE_NEWNS	Linux 2.4.19	Mount point (file system)
UTS namespaces	CLONE_NEWUTS	Linux 2.6.19	Host name and domain name
IPC namespaces	CLONE_NEWIPC	Linux 2.6.19	Semaphore, message queue, and shared memory
PID namespaces	CLONE_NEWPID	Linux 2.6.24	Process number
Network namespaces	CLONE_NEWNET	Start with Linux 2.6.24 and finish with Linux 2.6.29	Network devices, network stacks, ports, etc
User namespaces	CLONE_NEWUSER	Started with Linux 2.6.23 and completed with Linux 3.8)	Users and user groups

The system call to create a thread on Linux is clone(), for example:

int pid = clone(main_function, stack_size, SIGCHLD, NULL)
Copy the code

This system call will create a new process for us and return its process number, PID.

When we create a new process with the Clone () system call, we can specify the CLONE_NEWPID parameter in the argument, for example:

int pid = clone(main_function, stack_size, CLONE_NEWPID | SIGCHLD, NULL);
Copy the code

At this point, the newly created process will “see” a new process space in which its PID is 1. I say “see” because this is just a “smoke screen”. In the real process space of the host machine, the PID of the process is still a real value, such as 100.

Therefore, when Docker is used, it can be found that there is no real “Docker container” running in the host. The Docker project helps the user start the same application process, but when creating these processes, Docker adds various Namespace parameters to them.

AUFS

AUFS solves the problem of image packaging, Docker image is essentially a compressed package, we can use the following command to export the files in a Docker image:

$ docker export $(docker create busybox) | tar -C rootfs -xvf -
$ ls
bin  dev  etc  home proc root sys  tmp  usr  var
Copy the code

You can see that the directory structure in the BusyBox image is not very different from the contents in the root directory of the Linux operating system, so the Docker image is just a file.

Each image in a Docker is made up of a series of read-only layers, and each command in a Dockerfile creates a new layer on top of an existing read-only layer:

AUFS is a federated file system, which can Union layers from different folders into the same folder. These folders are called branches in AUFS. The whole process of “Union” is called Union Mount:

Dive under the command of the picture shows very good assembly process, each image layer are based on another image, at the same time, all of the image layer are read-only, only containers of each container the top layer can be directly by the user to read and write, all the containers are based on some underlying services (Kernel), This assembly of containers, including namespaces, control groups, rootFs, and so on, provides great flexibility, and read-only mirror layers can also be shared to reduce disk usage.

! [](/Users/wangjun/Library/Application Support/typora-user-images/image-20220310193950144.png)

The basic concept

Docker Client: a Client provided by Docker to users.
Docker Daemon: Daemon of the Docker service. Daemons receive instructions from Docker clients and perform specific operations on the server.
Docker Images: Commonly known as Docker Images
Docker Registry: This can be considered a repository for Docker Images
Docker Container: Commonly known as Docker Container. The Container is where the project really runs, consumes machine resources, and provides services. The Container is launched through Images

A Docker is like a car engine, a Dockerfile is like a car blueprint, a Docker image is like a car template, a Docker container is like car parts, and the Docker Registry can be regarded as an 4S shop. Docker Compose is like an old driver, Docker Volume is like the fuel tank of a car, and Docker Swarm(or K8s) is a transportation hub if you compare the IO data flow between containers to gasoline.

Basic commands

First, install Docker on the host. Docker installation refer to the official installation document. The Docker command is similar to Git, supporting push and pull operations to upload and download Docker images. View the current Docker version

docker version
Copy the code

View the current system Docker information

docker info
Copy the code

Docker is stored in /var/lib/docker:

docker images
Copy the code

Download an image from a Docker Hub:

docker pull ubuntu:latest
docker pull ubuntu:latest
Copy the code

Performing docker pull on Ubuntu will download all images from the Ubuntu repository to the local repository.

Start a container using docker run:

Docker run -i -t ubuntu /bin/bash Start a container docker run -i -t --rm ubuntu /bin/bash --rm delete the container docker run -t -i after the container exits --name test_container ubuntu /bin/bash --name Specifies the name of the container, Otherwise, a name will be randomly assigned. Docker run -t -i --net=host Ubuntu /bin/bash --net=host The container communicates with the network in host mode. Docker run -t -i -v /host:/container The Ubuntu /bin/bash -v binding hangs in a Volume and shares files or directories between the host and the Docker containerCopy the code

To see which containers are currently running, use docker ps:

wangjun @ LPT004412:$ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 50a1261f7a8b docker_test:latest "/bin/bash" 7 seconds ago Up 6 seconds sleepy_ptolemy # Only one container 50A1261F7a8b is currently runningCopy the code

Start or stop a container using docker start/stop container_id:

wangjun @ LPT004412:$ docker stop 50a1261f7a8b 50a1261f7a8b wangjun @ LPT004412:$ docker ps -a | grep 50a1261f7a8b 50a1261f7a8b docker_test:latest "/bin/bash" 2 minutes ago Exited (0) 14 seconds ago sleepy_ptolemy # The state of the container changes to ExitedCopy the code

You can use docker Commit to make the container change a new image, for example:

wangjun @ LPT004412:$ docker commit -m="test docker commit" 50a1261f7a8b docker_test
55831c956ebf46a1f9036504abb1b29d7e12166f18f779cccce66f5dc85de38e

wangjun @ LPT004412:$ docker images | grep docker_test
docker_test                            latest              55831c956ebf        10 seconds ago      290.7 MB
Copy the code

In addition to downloading the image from the Docker Hub, you can also create an image by writing a Dockerfile like the following:

Wangjun@lpt004412 :/ TMP /docker(0)$cat Dockerfile FROM Ubuntu :12.04 MAINTAINER Your Name RUN apt-get update RUN apt-get  install -y python-software-properties python-pip ADD myproject /opt/code RUN pip install -r /opt/code/requirement.txtCopy the code

Create a docker image in the directory where the Dockerfile resides.

docker build -t docker_test . docker run -i -t docker_test /bin/bash -c "cd /opt/code; Python manage. Py runserver then executes 0.0.0.0:8080"Copy the code

Upload the image to private Registry:

docker tag test docker.example.com/test
docker push docker.example.com/test
Copy the code

After a long time of use, there are many useless images stored on the host. If you want to delete them, you can use Docker RM or Docker RMI, for example:

docker rm container_id
docker rmi image_id
Copy the code

Let’s give an example

1.2 Kubernetes

Girlfriends can understand Kubernetes

Developers.redhat.com/blog/2018/0…

Mp.weixin.qq.com/s/FEG8kaJRq…

A cloud native operating system, with a declarative API at its heart, Operator controls everything.

The name Kubernetes comes from ancient Greece and means “helmsman”, so its Logo resembles both a fishing net and a compass. If Docker positioned himself as a whale carrying containers on the sea, then Kubernetes was the helmsman who steered the discourse of the age of great navigation, directing the whale to cruise along the route set by its master.

Founded in 2014, Kubernetes has more than a decade of production workload management experience with the help of Borg and Omega, Google’s in-house container cluster managers. Paving the way for the entire cloud native ecosystem.

Kubernetes is an open source platform for automated deployment, expansion, and operation and maintenance of container clusters. With Kubernetes, you can respond to user needs quickly and efficiently; Deploy your application quickly and predictably; Scale-up your application; Seamless new application features; Saves resources and optimizes the use of hardware resources. Provides a complete open source solution for container choreography management.

The container

The container we often talk about now generally refers to the Docker container, which is decouped from the host machine through the isolation feature of the container, so that our service does not need to rely on the host machine to run and does not affect the host machine. Docker container is very lightweight. Kubernetes is responsible for managing all Docker containers in the service, creating, running, restarting and deleting containers.

A quick response

Personally, there are two aspects. Quick deployment testing (CICD) for new or modified requirements; Kubernetes can expand and shrink dynamically according to different conditions. For example, if the number of user visits suddenly increases from 1000 to 100000, the existing service can no longer support, Kubernetes will automatically add more instances of the user service module to ensure the current system visits.

extension

Kubernetes has a perfect internal registration and discovery mechanism. When a service instance is added, Kubernetes will automatically add it to the service list, eliminating the need to manually maintain the service list in traditional operation and maintenance.

New docking applications

Kubernetes is a general-purpose container orchestration framework that supports different types of languages, or language-independent, and allows new applications to be accessed as a new object.

Hardware resources

This is a very basic but very important advantage of Kubernetess. Kubernetes will automatically check the CPU and memory usage of each server when deploying the application, and will deploy the service to the most suitable server according to the CPU and memory resources requested by the service. (In fact, this is the core function of container scheduling)

Kubernetes history

CNCF: landscape. CNCF. IO /

The Kubernetes cluster contains a master and many nodes. Master is the center of the control cluster, and Node is the node that provides CPU, memory, and storage resources. Master runs multiple processes, including user-facing API services, a Controller Manager responsible for maintaining cluster status, and a Scheduler responsible for scheduling tasks. Each node runs Kubelet, which maintains the node state and communicates with the master, and Kube-Proxy, which implements cluster network services.

Kubernetes architecture

Etcd is Kubernetes storage status of distributed database, using raft agreement as consistency algorithm (raft agreement principle can see an animated demo thesecretlivesofdata.com/raft/).
The API Server component provides authentication and authorization, runs a set of access controllers, and manages API versions. It provides services externally through the REST API, allowing various components to create, read, write, update, and monitor resources (Pod, Deployment, Service, etc.).
The Scheduler component selects the appropriate nodes based on cluster resources and state to create pods.
Controller Manager component, which implements ReplicaSet behavior.
The Kubelet component that monitors a set of pods bound to its node and returns the status of those pods in real time.

Deployment – Deployment

Similar to the Image in Docker, which is the template for the Pods instance, the container instance is created from Deploy. In the Deployment object, the image of the container, the version of the container, the number of containers to be deployed, etc.

Container group – Pods

Pods are the smallest snap-in in Kubernetes. Pods and containers in Dockers can be understood as inclusion relations. Pods can contain multiple Docker containers. For example, there are ServiceA and ServiceB, and ServiceA is highly dependent on ServiceB(sharing the same files on the host). In this case, you can put the ServiceA and ServiceB in the same Pods and manage them as one unit. If you deploy them separately, you can do the same, but it will consume extra resources or cause other unnecessary problems.

Service – Service

A Service is an object that has its own IP address, ClusterIP, which can be regarded as the load balancer of lower-layer services.

Routing – Ingress

The Ingress uses a load IP address to communicate with the Kubernetes cluster, which is usually used in conjunction with the Service object.

Configuration item – ConfigMap

The configuration of a project can be written to ConfgiMap. The configuration of a project can be read using the corresponding variable name.

Kubernetes consists of Master node and Worker node. The master node is the brain of Kubernetes, while the Woker node is the worker in Kubernetes who actually runs the service.

Master is made with ETCD/Controller Manager/Api Server/Schedular,

ETCD

It is mainly responsible for storing the status and other related data of each Woker node, which can be understood as kubernetes database.

Controller Manager

Responsible for maintaining cluster status, such as fault detection, automatic expansion, rolling updates, etc

Scheduler

Responsible for resource scheduling, scheduling Pod to the corresponding machine according to the scheduled scheduling policy

Worker is mainly composed of Kubelet and Kube-proxy, and usually also installs kube-DNS component.

kubelet

Responsible for maintaining the container lifecycle and managing Volume (CVI) and network (CNI);

kube-proxy

Responsible for providing intra-cluster Service discovery and load balancing for services;

kube-dns

Provides DNS services for the entire cluster and accesses corresponding services by using the Service name

Kubernetes command-line example example: mp.weixin.qq.com/s/bij0kiYK_…

Kubernetes official example: mp.weixin.qq.com/s/FWxnDcgCV… Kubernetes. IO/docs/tutori…

1.3 cloud native

CNCF gives three characteristics of cloud native applications:

** Containerized encapsulation: ** Improves overall development by building on a container base, enabling code and component reuse, and simplifying maintenance of cloud-native applications. Applications and processes run in containers and are deployed as separate units of the application, achieving a high level of resource isolation.
** Dynamic management: ** manages and schedules dynamically through a centralized scheduling system.
** Microservices oriented: ** Clear dependencies between services, decoupled from each other.

Cloud native encompasses a set of application patterns that help enterprises deliver business software quickly, consistently, reliably, and at scale. Cloud native consists of microservices architecture, DevOps, and agile infrastructure represented by containers.

SercieMesh

Service Mesh is an infrastructure layer that handles communication between services. It is responsible for the complex service topology that makes up modern cloud-native applications to reliably deliver requests. In practice, Service Mesh is typically implemented as an array of lightweight network agents that are deployed with application code without the application being aware of the presence of the agent.

In one sentence, a Service Mesh can be likened to TCP/IP between applications or microservices, responsible for network calls, traffic limiting, fuses, and monitoring between services. You don’t have to worry about the TCP/IP layer when you’re writing an application (such as a RESTful application over HTTP), and you don’t have to worry about the Service Mesh between services that would otherwise be implemented through the Service framework. Spring Cloud, Netflix OSS, and other middleware are now left to Service Mesh.

The following uses Istio as an example to explain how Service Mesh works. Future articles will explain how Istio works in Kubernetes.

Sidecar (the Sidecar proxy used in Istio) routes the service request to the destination address, judging whether it is to a service in a production, test, or staging environment based on the parameters in the request (the service may be deployed in all three environments). Route to local environment or public cloud environment? All of this routing information can be configured dynamically, globally or individually for certain services. These configurations are pushed to each SidecAR by the control plane of the service grid,
When the sidecar confirms the destination address, it sends traffic to the corresponding service discovery endpoint, service in Kubernetes, which then forwards the service to the back-end instance.
Sidecar selects the most responsive instance of all the application instances based on the latency it observed for the most recent request.
Sidecar sends the request to the instance, recording the response type and delay data.
If the instance hangs, does not respond, or the process does not work, Sidecar will send the request to another instance and retry.
If the instance keeps returning error, Sidecar removes the instance from the load balancing pool and periodically retries it later.
If a request’s deadline has passed, Sidecar actively flags the request as a failure rather than trying to add load again.
SIdecar captures aspects of the above behavior in the form of metric and distributed tracking, which is sent to a centralized metric system.

Capa – cloud. Making. IO/capa. IO/bio…

ServiceMesh presents new challenges

Severless

Take deploying a blog as an example, the common Node.js MVC architecture requires the purchase of Linux virtual machines from cloud service providers, RDS relational database, and even Redis cache, load balancing, CDN, and so on. Taking disaster recovery and backup into account, the minimum cost for each year is about 10,000 yuan. But if you use Serverless, this cost can be directly reduced to less than 1000 yuan.

The ultimate form of cloud native for the foreseeable future, true on-demand and pay-as-you-go.

The Serverless architecture enables developers to build applications without paying attention to the acquisition, operation and maintenance of computing resources. The platform allocates computing resources on demand, ensures the SLA (Service level agreement) executed by applications, and charges applications according to the number of calls, effectively saving application costs. The architecture of ServerLess is shown in the figure above. Its advantages are as follows:

Low operating cost/faster development speed/improved maintainability/simplified equipment operation and maintenance

How to CICD

Continuous Integration/Continuous Deployment

Meituan experience: tech.meituan.com/2019/08/22/…

2.2 Do CICD yourself

[Gitee – Jenkins plug-in]Gitee.com/help/articl…

3. Docker is used in daily development

3.1 Environment Construction

Nystudio107.com/blog/dock-l…

4. Read more

4.1 other

Docker official documentation Docker Chinese Community Docker- From getting started to practice Docker-For-Beginnings
How does Docker run MacOS Docker- Build raspberry pie
Kubernetes Chinese official document Learn Kubernetes tools for free
Kubernetes Chinese Guide/Cloud Native Application Architecture Practice Manual
Kuboard – Kubernetes multi-cluster management interface
Language document – Kubernetes operation and maintenance
Kubernetes engineer information collection, books recommended, interview questions, selected articles, open source projects, PPT, video, big factory information
And I deployed the Kubernetes cluster step by step A command to deploy the Kubernetes high availability cluster
Kubernetes study notes
Jenkins & Kubernetes CI & CD & Git + Maven + Docker+Kubectl
The evangelist and leader of Service Mesh in China
Serverless Handbook – No Service Architecture Practice Manual

4.3 Technology Sharing

Tech Center – Share Docker
GCOS Global Cloud Native and Open Source Summit 2022 Shanghai station
CNCF X Alibaba Cloud Native Technology Open course – Cloud native course
Monitor K8S with Prometheus
Kubernetes cluster monitoring using Prometheus
Monitor Kubernetes with Prometheus