Docker
2022/7/30
I had never systematically organized my Docker knowledge before; here is a good book to recommend:
Docker in Action
It covers everything in great detail.
Cheatsheet
docker run -it
interactive
docker run -d
daemon
--env DB_HOST=<xxx>
environment injection
--privileged
run with full privileges (all capabilities, no device restrictions)
Container is not virtualization
A container is more like a process that can only access specified resources, not a whole system. A VM is an entire system environment; creating and starting one takes a long time.
Namespaces
PID namespace—Process identifiers and capabilities
UTS namespace—Host and domain name
MNT namespace—Filesystem access and structure
IPC namespace—Process communication over shared memory
NET namespace—Network access and structure
USR namespace—User names and identifiers
chroot syscall—Controls the location of the filesystem root
cgroups—Resource protection
CAP drop—Operating system feature restrictions
Security modules—Mandatory access controls
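To make the `--privileged` and CAP drop entries above concrete, here is an added example (my own, not from the book or the Docker project) that decodes a Linux capability bitmask as printed in /proc/PID/status (the CapEff line) into capability names. The two sample masks are constructed: the first is what an unprivileged Docker container normally shows, the second is the full set a `--privileged` container gets on a kernel that knows 41 capabilities. Capability numbering follows linux/capability.h.

```shell
#!/bin/sh
# Decode a capability bitmask (hex, as in the CapEff line of /proc/<pid>/status)
# into capability names. Position in CAP_NAMES == capability number.
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill \
cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast \
cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot \
cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time \
cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap \
cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend cap_audit_read \
cap_perfmon cap_bpf cap_checkpoint_restore"

# decode_caps HEXMASK -> one capability name per line
decode_caps() {
    mask=$(( 0x$1 ))
    i=0
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            echo "$name"
        fi
        i=$(( i + 1 ))
    done
}

# has_cap HEXMASK NAME -> exit status 0 if that capability is set
has_cap() {
    decode_caps "$1" | grep -qx "$2"
}

# count_caps HEXMASK -> number of capabilities set
count_caps() {
    decode_caps "$1" | wc -l | tr -d ' '
}

# self_caps -> decode the current process's effective set (Linux only; prints nothing elsewhere)
self_caps() {
    [ -r /proc/self/status ] || return 0
    decode_caps "$(awk '/^CapEff:/ {print $2}' /proc/self/status)"
}

# Constructed sample masks (assumption: the first is Docker's default set for an
# unprivileged container, the second is the full 41-capability set of --privileged).
DOCKER_DEFAULT_CAPEFF="00000000a80425fb"
PRIVILEGED_CAPEFF="000001ffffffffff"

# Usage: compare the two sets; cap_sys_admin only appears in the privileged one.
echo "default:"; decode_caps "$DOCKER_DEFAULT_CAPEFF"
echo "privileged count: $(count_caps "$PRIVILEGED_CAPEFF")"
```

Run it inside a container with `sh script.sh` and call `self_caps` to see the real effective set; the default Docker mask decodes to 14 capabilities and notably lacks cap_sys_admin, which is exactly the kind of capability a CAP drop policy keeps out of reach.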
Problems it solves
Software installation/uninstallation and environment dependencies
Environment migration
Protecting the host machine
Runtime environment
Currently Docker can run only applications that can run on a Linux operating system, or Windows applications on Windows Server.
State transition
In-memory storage
docker run --rm \
  --mount type=tmpfs,dst=/tmp \
  --entrypoint mount \
  alpine:latest -v
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)
Network
Bridge: intercontainer
Host: host
Null: no network
Resource Limit
CPU
Time-sliced every 100ms by the Linux Completely Fair Scheduler
The defaults won’t limit the container, and it will be able to use 100% of the CPU if the machine is otherwise idle.
The limit only comes into play as a share of the time slice when there is contention for CPU; otherwise the container will still consume all of it.
UID space
Container and host share the UID space. Therefore root inside a container can modify mounted files as host root.
UID remapping USR
0->5000
1->50001
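Added example (mine, not the book's) modelling the USR-namespace remapping above with a constructed /etc/subuid entry `dockremap:5000:65536` (that entry is an assumption). A subordinate range is contiguous, so container UID n becomes host UID 5000+n, and the second function shows why this matters for a bind mount: without remapping, container root is host UID 0 and owns every file; with remapping it is host UID 5000 and only owns files with that UID. The ownership model is deliberately simplified (owner bit only, no group/other/ACL checks).

```shell
#!/bin/sh
# Constructed sample entry in /etc/subuid format "user:start:count" (assumption).
SUBUID_ENTRY="dockremap:5000:65536"

# map_uid CONTAINER_UID [ENTRY] -> host UID, or "unmapped" if outside the range
map_uid() {
    cuid=$1
    entry=${2:-$SUBUID_ENTRY}
    start=$(echo "$entry" | cut -d: -f2)
    count=$(echo "$entry" | cut -d: -f3)
    if [ "$cuid" -ge 0 ] && [ "$cuid" -lt "$count" ]; then
        echo $(( start + cuid ))
    else
        echo unmapped
    fi
}

# can_container_root_write HOST_FILE_OWNER_UID [ENTRY]
# Prints "yes" if container root could write a mounted file owned by that host UID.
# ENTRY omitted == no user namespace: container root is host root (UID 0).
# Simplified model: host root writes anything; other UIDs only their own files.
can_container_root_write() {
    owner=$1
    entry=${2:-none}
    if [ "$entry" = none ]; then
        host_root=0
    else
        host_root=$(map_uid 0 "$entry")
    fi
    if [ "$host_root" -eq 0 ] || [ "$host_root" -eq "$owner" ]; then
        echo yes
    else
        echo no
    fi
}

# Usage: a bind-mounted file owned by host UID 1000
echo "no remap:   $(can_container_root_write 1000)"
echo "with remap: $(can_container_root_write 1000 "$SUBUID_ENTRY")"
echo "container uid 0 -> host uid $(map_uid 0)"
```

On a real host the same check is `docker run --rm alpine id -u` versus the owner of the mounted path; with userns-remap enabled the daemon reads the range from /etc/subuid and /etc/subgid, so the numbers in the script should be replaced by whatever those files contain.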