Contents

  • Question 1: What is the three-tier architecture of cloud computing?
  • Question 2: Describe the overall architecture of Docker
  • Question 3: What are namespaces in Linux?
  • Question 4: How does Docker isolate processes?
  • Question 5: Introduce Docker network isolation (or: talk about libnetwork in Docker)
  • Question 6: A brief introduction to cgroups
  • Question 7: Introduce Docker images
  • Question 8: Talk about storage drivers in Docker

Question 1: What is the three-tier architecture of cloud computing?

Answer 1:

The three-layer architecture of cloud computing is shown in the figure below.

An explanation of the figure:

SaaS: Software as a Service. Software is delivered to users over the network as a service.

PaaS: Platform as a Service. A business model that offers the server platform as a service. Where the software delivered by programs over the network is called Software as a Service (SaaS), in the era of cloud computing the corresponding server platform or development environment is called Platform as a Service (PaaS).

IaaS: Infrastructure as a Service. Consumers are provided with the use of the underlying facilities, including processing, storage, networking and other basic computing resources, on which they can deploy and run arbitrary software, including operating systems and applications.


Question 2: Describe the overall architecture of Docker

Answer 2:

The Docker architecture diagram is as follows:

The related concepts in the Docker architecture are listed below (corresponding to the figure above):

  • Docker image (Image): a template used to create Docker containers.
  • Docker container (Container): a single application, or a group of applications, that runs independently.
  • Docker client (Client): communicates with the Docker daemon through the Docker API, from the command line or other tools.
  • Docker host (Host): a physical or virtual machine that runs the Docker daemon and containers.
  • Docker registry (Registry): stores images; it can be understood as the code repository in version control. Docker Hub provides a huge collection of ready-made images.
  • Docker Machine: a command-line tool that simplifies the installation of Docker; with a simple command it installs Docker on the corresponding platform, such as VirtualBox, DigitalOcean or Microsoft Azure.

Docker uses a client-server (C/S) architecture and manages and creates Docker containers through a remote API. Docker containers are created from Docker images. Docker emerged because back-end development and operations genuinely needed a virtualization technology to solve the problem of consistency between the development environment and the production environment. With Docker we can also put the environment a program runs in under version control, eliminating the possibility of different results caused by differences in the environment.


Question 3: What are namespaces in Linux?

Answer 3:

Namespaces are the Linux mechanism for separating resources such as process trees, network interfaces, mount points and inter-process communication. In everyday Linux use we rarely need to run several completely separate servers, but if we start several services on one server they affect each other: every service can see the processes of the other services and can access any file on the host machine. Much of the time that is not what we want; we would rather have the different services on the same machine fully isolated from one another, as if they were running on different machines.

The Linux namespace mechanism provides seven different namespaces, namely CLONE_NEWCGROUP, CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUSER and CLONE_NEWUTS. With these seven options we can choose which resources a new process should be isolated from the host machine when it is created.


Question 4: How does Docker isolate processes?

Answer 4:

When Docker creates a new process it passes in CLONE_NEWPID, that is, it uses Linux namespaces to achieve process isolation: a process inside a Docker container knows nothing about the processes of the host machine. Each time we run docker run or docker start, a Spec is created that sets the isolation between processes, configuring the process-related namespace together with the namespaces for users, network, IPC and UTS. All the namespace-related Spec settings are eventually passed as parameters to the Create function when the new container is created.
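As an added example (not Docker's own code and not part of the original article), the following script reads /proc/<pid>/ns to show which of the seven namespaces from Answers 3 and 4 a process still shares with another process, which is how a defender verifies that a container actually received the isolation described above. The PID argument and the comparison against PID 1 are assumptions for running it on the host.

```python
# Added example, not Docker's or the kernel's own code: compare the namespaces
# of one process with those of another through /proc/<pid>/ns, to see which of
# the seven isolations from the text a container process is actually missing.
import os
import re
from typing import Dict, Set

# The seven namespace kinds, keyed by their /proc/<pid>/ns entry name and
# mapped to the clone flag that requests them at process creation.
CLONE_FLAGS = {
    "cgroup": "CLONE_NEWCGROUP", "ipc": "CLONE_NEWIPC", "net": "CLONE_NEWNET",
    "mnt": "CLONE_NEWNS", "pid": "CLONE_NEWPID", "user": "CLONE_NEWUSER",
    "uts": "CLONE_NEWUTS",
}
NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")   # link target, e.g. "pid:[4026531836]"


def read_ns(pid: int) -> Dict[str, str]:
    """Return {kind: link target} for every readable entry under /proc/<pid>/ns."""
    result: Dict[str, str] = {}
    for kind in CLONE_FLAGS:
        try:
            result[kind] = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:   # no such process, not permitted, or kind unsupported
            continue
    return result


def shared_namespaces(proc: Dict[str, str], ref: Dict[str, str]) -> Set[str]:
    """Kinds where both processes resolve to the same namespace inode."""
    shared: Set[str] = set()
    for kind, target in proc.items():
        m_proc = NS_LINK.match(target)
        m_ref = NS_LINK.match(ref.get(kind, ""))
        if m_proc and m_ref and m_proc.group(2) == m_ref.group(2):
            shared.add(kind)
    return shared


def missing_isolation(proc: Dict[str, str], ref: Dict[str, str]) -> Set[str]:
    """Clone flags the process would have needed to be isolated from ref."""
    return {CLONE_FLAGS[kind] for kind in shared_namespaces(proc, ref)}


if __name__ == "__main__":
    import sys
    # Assumed usage: run on the host as root with the container's host-side PID
    # (docker inspect -f '{{.State.Pid}}' <container>) to compare it with PID 1.
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    print(sorted(missing_isolation(read_ns(target), read_ns(1))))
```

A container started with the host network, for instance, shows up as sharing the net namespace with PID 1, so the reported set is the list of isolations that were not applied.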


Question 5: Introduce Docker network isolation (or: talk about libnetwork in Docker)

Answer 5:

If a Docker container were isolated from the host's processes through Linux namespaces but had no way to reach the wider Internet through the host's network, it would be severely restricted. So although Docker can create an isolated network environment through namespaces, the services inside Docker still need to be connected to the outside world in order to function.

All of Docker's networking functionality is implemented through libnetwork, which was split out of Docker. It provides an implementation for connecting different containers, and also provides a container network model that gives applications a consistent programming interface and network-layer abstraction.

The most important concept in libnetwork, the Container Network Model, consists of three major components: Sandbox, Endpoint and Network. In this model each container contains a Sandbox that stores the network stack configuration of the current container, including its interfaces, routing table and DNS settings; Linux implements the Sandbox with a network namespace. Each Sandbox may have one or more Endpoints, which on Linux are virtual network interfaces (veth). Through the Endpoint the Sandbox joins the corresponding Network, which may be a Linux bridge or a VLAN.

Each container started with docker run has its own network namespace. Docker provides four different network modes: Host, Container, None and Bridge, as shown in the figure below:

Docker's default network mode is bridge mode.

In bridge mode, besides assigning an isolated network namespace, Docker also assigns an IP address to every container. When the Docker server starts on the host it creates a new virtual bridge, docker0, and all services started on the host afterwards are connected to that bridge by default. Each container is created by default with a pair of virtual NICs, and the two ends of the pair form the data channel: one end is placed inside the container and the other is added to the bridge named docker0, as shown in the figure.


Question 6: A brief introduction to cgroups

Answer 6:

Control groups (cgroups) can isolate the physical resources of the host machine, such as CPU, memory, disk I/O and network bandwidth. Each cgroup is a group of processes constrained by the same criteria and parameters. Different cgroups are organized hierarchically, that is, a cgroup can inherit criteria and parameters from its parent cgroup to restrict its use of resources.
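The hierarchical inheritance just described can be made concrete with an added example (not Docker's or the kernel's code): it reads the cgroup v2 files memory.max and cpu.max for a group and each of its ancestors and keeps the tightest value, since a child group can never exceed what its parent allows. The group path /sys/fs/cgroup/docker/abc123 and the file contents in SAMPLE are constructed.

```python
# Added example, not Docker's or the kernel's own code: cgroup v2 limits are
# hierarchical, so the limit that really applies to a group is the tightest one
# on the path up to the root. The sysfs contents in SAMPLE are constructed.
from typing import Callable, Dict, Optional

CGROUP_ROOT = "/sys/fs/cgroup"   # cgroup v2 unified mount point

def parse_memory_max(text: str) -> Optional[int]:
    """memory.max holds a byte count, or 'max' for no limit."""
    text = text.strip()
    return None if text == "max" else int(text)

def parse_cpu_max(text: str) -> Optional[float]:
    """cpu.max holds '<quota> <period>' in microseconds; returns CPUs allowed."""
    quota, period = text.split()
    return None if quota == "max" else int(quota) / int(period)

def effective_limits(group: str, read: Callable[[str], Optional[str]]) -> Dict[str, Optional[float]]:
    """Tightest memory (bytes) and CPU limit over the group and all its ancestors."""
    limits: Dict[str, Optional[float]] = {"memory": None, "cpu": None}
    path = group
    while path.startswith(CGROUP_ROOT):
        for key, fname, parse in (("memory", "memory.max", parse_memory_max),
                                  ("cpu", "cpu.max", parse_cpu_max)):
            raw = read(f"{path}/{fname}")
            if raw is None:          # the root group has no memory.max / cpu.max
                continue
            value = parse(raw)
            if value is not None and (limits[key] is None or value < limits[key]):
                limits[key] = value
        if path == CGROUP_ROOT:
            break
        path = path.rsplit("/", 1)[0]   # walk up to the parent group
    return limits

def read_sysfs(path: str) -> Optional[str]:
    try:                          # reader for a live system: pass this instead of SAMPLE.get
        with open(path) as f:
            return f.read()
    except OSError:
        return None

SAMPLE = {  # constructed: a container group under a 1 GiB, 2-CPU "docker" slice
    f"{CGROUP_ROOT}/docker/memory.max": "1073741824\n",
    f"{CGROUP_ROOT}/docker/cpu.max": "200000 100000\n",
    f"{CGROUP_ROOT}/docker/abc123/memory.max": "max\n",
    f"{CGROUP_ROOT}/docker/abc123/cpu.max": "50000 100000\n",
}
```

With the sample data the container group sets no memory limit of its own yet still ends up capped at 1 GiB by its parent, while its own cpu.max of half a CPU is tighter than the parent's two CPUs and wins.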


Question 7: Introduce Docker images

Answer 7:

Linux namespaces and control groups provide the isolated resources: namespaces isolate processes, networks and file systems, and control groups isolate CPU and memory resources. But there is another very important problem that Docker needs to solve, namely images.

A Docker image is essentially a compressed archive. If we export the files of a Docker image with the corresponding Docker command, we can see that the directory structure inside the image is not much different from the root directory of a Linux operating system; it is fair to say that a Docker image is just a file.


Question 8: Talk about storage drivers in Docker

Answer 8:

Docker uses a series of different storage drivers to manage the file systems inside images and running containers. These storage drivers differ from Docker volumes: the storage engine manages storage that can be shared between containers.

When a container is created from an image with the docker run command, a writable layer, the container layer, is added on top of the image. All changes made to the running container are actually changes to this read-write layer.

The difference between a container and an image is therefore that all images are read-only, while each container is an image plus a read-write layer, which means that one image can correspond to many containers.

UnionFS is a file system service for Linux that "unions" multiple file systems onto the same mount point. AUFS (Advanced UnionFS) is an upgraded version of UnionFS that provides better performance and efficiency.

AUFS is just one of the storage drivers Docker uses. Docker also supports other storage drivers, including Devicemapper, Overlay2, ZFS and VFS. In recent Docker versions Overlay2 has replaced AUFS as the recommended storage driver, but AUFS is still used as the default driver on machines where the overlay2 driver is not available.
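To make the layering in this answer concrete, here is an added example (not Docker's or AUFS's code) of a union view over read-only image layers with one writable container layer per container, including the whiteout entries that a deletion leaves behind. All paths and file contents are constructed.

```python
# Added example, not Docker's or AUFS's own code: a minimal model of a union
# filesystem with read-only image layers under one writable container layer,
# using AUFS-style whiteout entries for deletions. All paths and contents are
# constructed sample data.
from typing import Dict, List, Optional

WHITEOUT = ".wh."   # prefix recorded in a layer to hide a path from lower layers
Layer = Dict[str, str]


class UnionView:
    """Lookup order: container layer first, then image layers newest to oldest."""

    def __init__(self, image_layers: List[Layer]):
        self.image_layers = list(image_layers)   # dicts are shared, never written
        self.container_layer: Layer = {}         # private read-write layer

    def read(self, path: str) -> Optional[str]:
        for layer in [self.container_layer] + self.image_layers[::-1]:
            if WHITEOUT + path in layer:
                return None            # deleted at this level; older copies stay hidden
            if path in layer:
                return layer[path]
        return None

    def write(self, path: str, content: str) -> None:
        # copy-on-write: the image is never modified, the change lands on top
        self.container_layer.pop(WHITEOUT + path, None)
        self.container_layer[path] = content

    def delete(self, path: str) -> None:
        self.container_layer.pop(path, None)
        self.container_layer[WHITEOUT + path] = ""


def demo() -> Dict[str, object]:
    base: Layer = {"/etc/os-release": "ID=debian", "/usr/bin/sh": "<binary>"}
    app: Layer = {"/app/server.py": "print('v1')", WHITEOUT + "/usr/bin/sh": ""}
    image = [base, app]                    # one image, two containers built on it
    c1, c2 = UnionView(image), UnionView(image)
    c1.write("/app/server.py", "print('patched')")   # runtime tampering in c1 only
    c1.delete("/etc/os-release")
    c1.write("/usr/bin/sh", "<restored>")             # re-creating a file the image deleted
    return {
        "c1_server": c1.read("/app/server.py"), "c2_server": c2.read("/app/server.py"),
        "c1_os": c1.read("/etc/os-release"), "c2_os": c2.read("/etc/os-release"),
        "c1_sh": c1.read("/usr/bin/sh"), "c2_sh": c2.read("/usr/bin/sh"),
        "image_intact": app["/app/server.py"] == "print('v1')" and "/etc/os-release" in base,
        "c1_changes": sorted(c1.container_layer),   # what `docker diff` would report
    }
```

The container layer is the only place runtime changes can land, which is why comparing it against the image (as docker diff does) is a cheap way to spot files a running container has altered or removed.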