Don’t ever let somebody tell you, you can’t do something, not even me. — The Pursuit of Happyness

Illustrations from the Internet


In this article, I will introduce the file system of Docker to you. After reviewing a lot of official documents and other articles on the network, I hope you can know what the container is through this article. And what is the essential difference between a container and a virtual machine?

What is the container

In the previous article in the context of why we choose Docker I’ve been to introduce the Docker and the principle of the virtual machine and the difference, however, even if I don’t know the container will not affect my using it, it’s like we drive, although I don’t understand the principle of the engine, but I still can easily use flint, clutch, brake, Turn these functions to achieve the purpose of driving.

Although we do not understand the repair of the car, do not understand the engine principle does not affect our driving, but if we want to transform a car, we must be very familiar with the overall structure of the car and the engine.

When we pass ordersdocker run When we build an image into a container, we need toWhat’s inside the kangkang container.We can go throughDocker exec-it Container name/container ID bashCommand to enter the container.Can be achieved byllCommand to look inside the container, and you’ll be surprisedInside the container is an entire operating systemNot only does it have a root directory, a bin directory, bin, proc, var, and so on, but we can run our most commonly used Linux commands inside the container as if we were in a virtual machine, with no connection to the host (Ubuntu).But as we mentioned in the previous article, Docker uses the kernel of the host directly, rather than creating an entire operating system like a virtual machine, so every command we operate on here is inThe host machineYes, but the virtual machine is not, anything that runs on the virtual machine doesn’t affect the host, it’s completely isolated.

So we often see people saying that containers are more resource efficient, but how Docke deceives us, we need to understand its file system first.

Federated file system :aUFS

AUFS: Union File System, also known as Another UnionFS. The so-called UnionFS is to merge directories in different physical locations into the same directory. With this feature, Docker realizes the overlap of the mirror layer, the storage of the container layer and the display of the display layer.

How aUFS works

As you can see, if we have two directories X and Y with files A and B, aUFS will merge the two directories and remount them to Z, so that both A and B files can be seen in Z. This is the federated file system, and the purpose isUnite multiple files into a unified view.

As shown above, we delete the B file from the Z directory and add something like Hello to the A file. At this point, you can find that Hello is added to file A in X, and A record of B being deleted is added, but B in Y does not change at all. This is an important feature of aUFS. In all directories, only the first directory has write permission. That is, no matter how we modify Z, we can only modify the first directory.

However, if we modify a file in Y in Z, it will add a record in the first level directory to record the change, even though it does not have permission to modify the file in Y.

What does aUFS do

So if we look at this picture again, we go throughDocker History + Image IDTo view the history of the mirror. When the image is started, a new writable layer is loaded onto the top of the image. This layer is calledThe container layerBelow is the mirror layer.The container layer can read and write. All file changes in the container occur at this layer, while the mirror layer is read-only.

According to the definition of aUFS, the container file system is the following 15 read-only mirror layer and 1 writable container layer by aUFS mount.

At this point, we can relate to the aUFS that we had before,X is the container layer, modifiable, recordable, Y is the mirror layer, immutable, read-only, and Z is the view layer that we enter into the union.

Docker’s layered image

With aUFS in mind, take a look at Docker’s layered image.

We have reconstructed the image layer by modifying the container layer A, which is made up of the original Y and X. So when we run this new image, we justA new container P is createdThe newly created container layer P continues to accept change requests from the view layer.

You can see that X only changes Y, and P only changes X after the overlap, soThe upper-layer mirror records only the changes made to the lower-layer mirrorIs the layered image system of Docker.As shown in the figure above, when we pull or push an image, we will find that there are many layers, which is a mirror image of dozens of layers.


The essence of a container is not a complete operating system, but a file system that isolates files from one another through the view displayed by the federated file system, as we saw with the Docker Logo.The whale is our host machine, the container is all kinds of containers, so how to isolate the container from the container?Namespaces, federated file systems, cgroups (control groups for resource isolation)Take your time.

The end of the

If there are any mistakes in this blog, please comment and comment. Thank you very much!