Namespaces















process


$ ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Apr08 ?        00:00:09 /sbin/init
root         2     0  0 Apr08 ?        00:00:00 [kthreadd]
root         3     2  0 Apr08 ?        00:00:05 [ksoftirqd/0]
root         5     2  0 Apr08 ?        00:00:00 [kworker/0:0H]
root         7     2  0 Apr08 ?        00:07:10 [rcu_sched]
root        39     2  0 Apr08 ?        00:00:00 [migration/0]
root        40     2  0 Apr08 ?        00:01:54 [watchdog/0]
...












root@iZ255w13cy6Z:~# docker run -it -d ubuntu
b809a2eb3630e64c581561b08ac46154878ff1c61c6519848b4a29d412215e79
root@iZ255w13cy6Z:~# docker exec -it b809a2eb3630 /bin/bash
root@b809a2eb3630:/# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 15:42 pts/0    00:00:00 /bin/bash
root         9     0  0 15:42 pts/1    00:00:00 /bin/bash
root        17     9  0 15:43 pts/1    00:00:00 ps -ef











UID        PID  PPID  C STIME TTY          TIME CMD
root     29407     1  0 Nov16 ?        00:08:38 /usr/bin/dockerd --raw-logs
root      1554 29407  0 Nov19 ?        00:03:28 docker-containerd -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libcontainerd/containerd --shim docker-containerd-shim --runtime docker-runc
root      5006  1554  0 08:38 ?        00:00:00 docker-containerd-shim b809a2eb3630e64c581561b08ac46154878ff1c61c6519848b4a29d412215e79 /var/run/docker/libcontainerd/b809a2eb3630e64c581561b08ac46154878ff1c61c6519848b4a29d412215e79 docker-runc












ContainerRouter.PostContainersStart
└── daemon.ContainerStart
    └── daemon.CreateSpec
        └── setNamespaces
            └── setNamespace





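// createSpec builds the OCI runtime spec for container c.
//
// It starts from oci.DefaultSpec() and, after steps elided from this excerpt
// (marked "// ..."), applies the namespace configuration via setNamespaces.
// An error from setNamespaces is wrapped with the "linux spec namespaces"
// prefix and no spec is returned, so a container whose namespace layout
// cannot be expressed is never started with the default spec.
func (daemon *Daemon) createSpec(c *container.Container) (*specs.Spec, error) {
	s := oci.DefaultSpec()
	// ...
	if err := setNamespaces(daemon, &s, c); err != nil {
		return nil, fmt.Errorf("linux spec namespaces: %v", err)
	}
	return &s, nil
}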





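// setNamespaces adjusts the Linux namespaces in spec s according to the
// container's HostConfig. Only the pid namespace branch is shown in this
// excerpt; the user, network, ipc and uts cases are elided.
//
// HostConfig.PidMode selects the degree of pid isolation:
//   - container mode: join the pid namespace of the container resolved by
//     daemon.getPidContainer, addressed through its /proc/<pid>/ns/pid handle;
//   - host mode: remove the pid namespace from the spec entirely, i.e. the
//     container is not pid-isolated from the host;
//   - otherwise: request a fresh, private pid namespace.
//
// Returns an error only when the target container for container mode
// cannot be resolved.
func setNamespaces(daemon *Daemon, s *specs.Spec, c *container.Container) error {
	// user
	// network
	// ipc
	// uts
	// pid
	if c.HostConfig.PidMode.IsContainer() {
		ns := specs.LinuxNamespace{Type: "pid"}
		pc, err := daemon.getPidContainer(c)
		if err != nil {
			return err
		}
		// The namespace is referenced by the target's PID at spec-creation
		// time. NOTE(review): whether the target is verified to be running
		// is not visible here; presumably getPidContainer checks — confirm.
		ns.Path = fmt.Sprintf("/proc/%d/ns/pid", pc.State.GetPID())
		setNamespace(s, ns)
	} else if c.HostConfig.PidMode.IsHost() {
		// Dropping the namespace entry means the runtime does not unshare
		// pid at all: host pid namespace is shared with the container.
		oci.RemoveNamespace(s, specs.LinuxNamespaceType("pid"))
	} else {
		ns := specs.LinuxNamespace{Type: "pid"}
		setNamespace(s, ns)
	}
	return nil
}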





daemon.containerd.Create(context.Background(), container.ID, spec, createOptions)





network



















$ brctl show
bridge name	bridge id		STP enabled	interfaces
docker0		8000.0242a6654980	no		veth3e84d4f
							veth9953b75





$ iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere





DNAT       tcp  --  anywhere             anywhere             tcp dpt:6379 to:192.168.0.4:6379











$ ping 192.168.0.4
PING 192.168.0.4 (192.168.0.4) 56(84) bytes of data.
64 bytes from 192.168.0.4: icmp_seq=1 ttl=64 time=0.069 ms
64 bytes from 192.168.0.4: icmp_seq=2 ttl=64 time=0.0441 ms
^C
--- 192.168.0.4 ping statistics ---
3 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.043/0.056/0.069/0.013 ms












$ redis-cli -h 127.0.0.1 -p 6379 ping
PONG





Libnetwork





The goal of libnetwork is to deliver a robust Container Network Model that provides a consistent programming interface and the required network abstractions for applications.












For more information about libnetwork or the container network model, read
the libnetwork design document ("Learn more" in the libnetwork repository), and of course read the source code to see how different open-source projects implement the container network model.

The mount point




























// pivot_root: make rootfs the root filesystem and discard the old root
// (pseudocode; return values and error handling are omitted).
put_old = mkdir(...) ;          // directory under rootfs that will receive the old root
pivot_root(rootfs, put_old);    // rootfs becomes "/", the previous root is moved to put_old
chdir("/");                     // move the working directory onto the new root
unmount(put_old, MS_DETACH);    // lazily detach the old root so it is no longer reachable from the new tree
rmdir(put_old);                 // remove the now-empty mount point
// chroot: alternative that only changes the calling process's root directory;
// unlike the sequence above it never detaches the old root mount.
mount(rootfs, "/", NULL, MS_MOVE, NULL);   // move the rootfs mount onto "/"
chroot(".");                               // the current directory (rootfs) becomes the process root
chdir("/");                                // make sure the working directory is inside the new root








The contents of this section come from the libcontainer
SPEC.md. As for whether Docker really uses chroot to ensure that the current process cannot access the host's directories, the author actually does not have an exact answer. First, the Docker codebase is too large, so the author does not know where to start. The author tried to find relevant results through Google, but found no answer to
the problem, and also found material that conflicts with the description in the SPEC.
If you have a clear answer, please leave a comment below the blog. Thank you very much.

Chroot





Part of the chroot story comes from the article
"Understanding chroot"; you can read it for more detailed information.

CGroups





























In the cgroup model, a task is a system process, while a cgroup is a group of processes divided according to certain criteria. All resource control is applied with the cgroup as the unit. Each process can join a cgroup or leave a cgroup at any time.



CGroup introduction, application example, and principle description


$ lssubsys -m
cpuset /sys/fs/cgroup/cpuset
cpu /sys/fs/cgroup/cpu
cpuacct /sys/fs/cgroup/cpuacct
memory /sys/fs/cgroup/memory
devices /sys/fs/cgroup/devices
freezer /sys/fs/cgroup/freezer
blkio /sys/fs/cgroup/blkio
perf_event /sys/fs/cgroup/perf_event
hugetlb /sys/fs/cgroup/hugetlb











$ ls cpu
cgroup.clone_children  
...
cpu.stat  
docker  
notify_on_release 
release_agent 
tasks

$ ls cpu/docker/
9c3057f1291b53fd54a3d12023d2644efe6a7db6ddf330436ae73ac92d401cf1 
cgroup.clone_children  
...
cpu.stat  
notify_on_release 
release_agent 
tasks


















$ docker run -it -d --cpu-quota=50000 busybox
53861305258ecdd7f5d2a3240af694aec9adb91cd4c7e210b757f71153cdd274
$ cd 53861305258ecdd7f5d2a3240af694aec9adb91cd4c7e210b757f71153cdd274/
$ ls
cgroup.clone_children  cgroup.event_control  cgroup.procs  cpu.cfs_period_us  cpu.cfs_quota_us  cpu.shares  cpu.stat  notify_on_release  tasks
$ cat cpu.cfs_quota_us
50000





UnionFS














$ docker export $(docker create busybox) | tar -C rootfs -xvf -
$ ls
bin  dev  etc  home proc root sys  tmp  usr  var





Storage driver








# Example Dockerfile used to illustrate how an image is built up from layers.
# NOTE(review): ubuntu:15.04 is an end-of-life release; fine for a layer demo,
# but pin a maintained base image for anything that ships.
FROM ubuntu:15.04
# Copies the entire build context into /app: every file in the context
# directory that a .dockerignore does not exclude becomes part of the image.
COPY . /app
RUN make /app
# Default command (shell form) when a container is started from this image.
CMD python /app/app.py






















AUFS















$ ls /var/lib/docker/aufs/diff/00adcccc1a55a36a610a6ebb3e07cc35577f2f5a3b671be3dbc0e74db9ca691c       93604f232a831b22aeb372d5b11af8c8779feb96590a6dc36a80140e38e764d8
00adcccc1a55a36a610a6ebb3e07cc35577f2f5a3b671be3dbc0e74db9ca691c-init  93604f232a831b22aeb372d5b11af8c8779feb96590a6dc36a80140e38e764d8-init
019a8283e2ff6fca8d0a07884c78b41662979f848190f0658813bb6a9a464a90       93b06191602b7934fafc984fbacae02911b579769d0debd89cf2a032e7f35cfa
...












Other Storage Drivers















$ docker info | grep Storage
Storage Driver: aufs





conclusion












draveness.me/docker