Understanding the technical (Docker) container architecture

I am new to containers and would like to get a good knowledge about how container technology (Docker) is made up from 'scratch'. I have to write a paper and hope that I have every important thing correctly understood so far.

The following diagram is made by me and shows my current understanding of containers.

[image: the author's diagram of the container stack]

Obviously we need an OS with a kernel that allows us to use the hardware. For Docker this is Linux. Docker for Windows uses a VM with Linux for that.

On top of our Linux OS we then run our Docker Engine. Our Docker Engine is in charge of starting, building, configuring... our images and containers. But most importantly, the Docker Engine handles everything that has to do with isolating containers; for example, it maintains how namespaces or cgroups are used so that every container has its own full filesystem.

Then we have our actual containers. Containers themselves almost always need a kind of OS of their own. This is mostly just a very compact one like Alpine or Busybox. They collect a small number of standard tools such as 'file', 'tar', 'grep' that most software definitely needs. This compact OS is now using the kernel from our full Linux OS. They don't have their own kernel.

On top of the compact OS we then place our actual piece of software, such as Node.js or an NGINX server. This software is only using the compact OS, which in turn uses the kernel from our full Linux OS. And all data or modifications that are generated or done at runtime are made on the writeable layer of our container.

And if I understood correctly, our container, or everything that runs in our container, is not using or interacting with our full Linux OS but just with its kernel? I also don't quite understand how the writeable layer in a container works. Like, how does my software for example know that a modified file from a read-only layer is now present in the writeable layer and should use this?

I would really appreciate some corrections or suggestions on what I have missed out so far. Thank you
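The writeable-layer question above can be answered with a small model of what a union mount such as overlayfs does. The following Go program is an added example, not code from the question or from Docker: the layer names, file paths and contents are constructed for the demo. Read-only image layers are stacked bottom to top, one writable upper layer belongs to the container, and every lookup walks the stack from the top down, stopping at the first layer that provides the file or marks it deleted (a "whiteout"). The application never chooses a layer; the kernel resolves every open() against this merged view, which is why a file modified into the upper layer is simply what the process sees.

```go
package main

import (
	"fmt"
	"sort"
)

// Layer models one image layer as the set of paths it adds or changes. A
// path in Whiteout marks a file deleted in this layer, the way overlayfs
// records deletions with a whiteout entry instead of touching lower layers.
type Layer struct {
	Files    map[string]string
	Whiteout map[string]bool
}

func NewLayer() Layer {
	return Layer{Files: map[string]string{}, Whiteout: map[string]bool{}}
}

// Union is the merged view one container sees: read-only lower layers
// (index 0 is the base image, higher indexes were added later) plus one
// writable upper layer that belongs to this container alone.
type Union struct {
	Lower []Layer
	Upper Layer
}

func NewUnion(lower ...Layer) *Union {
	return &Union{Lower: lower, Upper: NewLayer()}
}

// Read resolves a path from the top layer downwards, stopping at the first
// layer that either provides the file or whites it out. The process never
// does this itself; the union mount does it for every open(2).
func (u *Union) Read(path string) (string, bool) {
	if c, ok := u.Upper.Files[path]; ok {
		return c, true
	}
	if u.Upper.Whiteout[path] {
		return "", false
	}
	for i := len(u.Lower) - 1; i >= 0; i-- {
		if c, ok := u.Lower[i].Files[path]; ok {
			return c, true
		}
		if u.Lower[i].Whiteout[path] {
			return "", false
		}
	}
	return "", false
}

// Write replaces a file. Like any write on the merged mount it lands in the
// upper layer; lower layers are never modified, whichever one held the file.
func (u *Union) Write(path, content string) {
	delete(u.Upper.Whiteout, path) // recreating a deleted file cancels its whiteout
	u.Upper.Files[path] = content
}

// Append shows copy-up: the merged content (possibly from a lower layer) is
// copied into the upper layer and only then changed there.
func (u *Union) Append(path, extra string) {
	cur, _ := u.Read(path)
	u.Write(path, cur+extra)
}

// Delete drops the upper copy and records a whiteout so lower copies stay
// hidden in the merged view.
func (u *Union) Delete(path string) {
	delete(u.Upper.Files, path)
	u.Upper.Whiteout[path] = true
}

// List returns the sorted merged directory listing.
func (u *Union) List() []string {
	seen := map[string]bool{}
	for _, l := range append(append([]Layer{}, u.Lower...), u.Upper) {
		for p := range l.Files {
			seen[p] = true
		}
		for p := range l.Whiteout {
			seen[p] = true
		}
	}
	var out []string
	for p := range seen {
		if _, ok := u.Read(p); ok {
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out
}

// alpineLikeImage builds two constructed layers standing in for a small base
// image plus an application layer. Paths and contents are made up for the demo.
func alpineLikeImage() []Layer {
	base := NewLayer()
	base.Files["/etc/os-release"] = "ID=alpine\n"
	base.Files["/etc/hosts"] = "127.0.0.1 localhost\n"
	base.Files["/bin/sh"] = "<busybox sh>"
	base.Files["/tmp/build.log"] = "build output"

	app := NewLayer()
	app.Files["/app/server.js"] = "require('http')"
	app.Whiteout["/tmp/build.log"] = true // a 'RUN rm /tmp/build.log' step: deleted, not removed from base
	return []Layer{base, app}
}

func main() {
	img := alpineLikeImage()
	c1 := NewUnion(img...)
	c2 := NewUnion(img...) // second container from the same image, sharing the lower layers

	c1.Append("/etc/hosts", "10.0.0.5 db\n")
	c1.Write("/var/log/app.log", "started\n")
	c1.Delete("/bin/sh")

	hosts, _ := c1.Read("/etc/hosts")
	fmt.Printf("c1 /etc/hosts:\n%s", hosts)
	fmt.Println("c1 view:", c1.List())
	fmt.Println("c2 view:", c2.List())
	_, stillInBase := img[0].Files["/bin/sh"]
	fmt.Println("/bin/sh still in base layer:", stillInBase)
}
```

Two things the model makes visible: the second container never sees the first one's writes or deletions, because only the upper layer is per container, and the image layers are untouched even after a delete, so an attacker who gains write access inside one container does not alter the image other containers start from (on a real host, `docker diff <container>` lists exactly the upper-layer changes).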

And if I understood correctly, our container, or everything that runs in our container, is not using or interacting with our full Linux OS but just with its kernel?

Containers are just processes. To the kernel, the Docker daemon, a NodeJS application and Nginx are all processes. That's why containers don't have their own kernels. The difference between the Docker daemon process (and other processes on a host) and processes that are running within containers is in their scope (it's called a namespace). Processes in containers run in isolation and they don't see anything outside their namespace. There are many different namespaces; for example, a pid namespace is one of them and it limits the visibility of other processes. That's why the ps command in a container doesn't show processes from the host or other containers. Namespaces are a kernel thing and they are more about what a process can see and access, while there are also cgroups that apply limits for CPU and memory usage.

I hope this helps you somehow; at least, I tried to put more attention on the kernel, because Docker is just a daemon that spins up new processes with configured namespaces, cgroups and their own filesystem.

Here are some links that might be useful:

If you want to go deeper, I'd suggest looking at the Namespaces: from chroot() to containers slides and reading the article about creating your own containers.
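To make the "containers are just processes with namespaces" point concrete, here is an added example (my code, not the answerer's and not Docker's) in the spirit of the "write your own container" articles the answer refers to. It re-executes itself as a child in new UTS, PID and mount namespaces, gives the child its own hostname, changes root into an unpacked image directory (assumed to be passed as the first argument, e.g. an extracted busybox or alpine root filesystem) and mounts a fresh /proc so that ps inside shows only the new pid namespace. The hostname "container" and the "child" marker argument are choices of this demo. It needs root on Linux; chroot is used instead of pivot_root to keep it short, which is a known weakness (a root process can escape a chroot), so real runtimes such as runc use pivot_root plus user namespaces, seccomp and capability dropping on top of this.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// cloneFlags selects the namespaces the child is created in: its own hostname
// (UTS) and its own pid 1 (PID). The mount namespace is requested separately
// via Unshareflags so that Go marks it private and our /proc mount cannot
// propagate back to the host. Network, IPC and user namespaces are left out
// to keep the demo short.
func cloneFlags() uintptr {
	return syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID
}

// isChild tells the re-executed binary that it already runs inside the new
// namespaces and must set up the "container" instead of spawning one.
func isChild(args []string) bool {
	return len(args) > 1 && args[1] == "child"
}

// runParent re-executes this binary as "child" inside fresh namespaces. This
// is the step a container runtime performs when it starts a container.
func runParent(rootfs string, command []string) error {
	args := append([]string{"child", rootfs}, command...)
	cmd := exec.Command("/proc/self/exe", args...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags:   cloneFlags(),
		Unshareflags: syscall.CLONE_NEWNS,
	}
	return cmd.Run()
}

// runChild runs as pid 1 of the new pid namespace with its own hostname and
// mount table. It changes root into rootfs, mounts a private /proc and execs
// the requested command, which therefore sees only this namespace.
func runChild(rootfs string, command []string) error {
	if err := syscall.Sethostname([]byte("container")); err != nil {
		return fmt.Errorf("sethostname: %w", err)
	}
	// Demo shortcut: chroot is escapable by root; real runtimes use pivot_root.
	if err := syscall.Chroot(rootfs); err != nil {
		return fmt.Errorf("chroot %s: %w", rootfs, err)
	}
	if err := os.Chdir("/"); err != nil {
		return err
	}
	if err := syscall.Mount("proc", "proc", "proc", 0, ""); err != nil {
		return fmt.Errorf("mount proc (rootfs needs a /proc dir): %w", err)
	}
	defer syscall.Unmount("proc", 0)

	cmd := exec.Command(command[0], command[1:]...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	return cmd.Run()
}

func main() {
	if isChild(os.Args) {
		if err := runChild(os.Args[2], os.Args[3:]); err != nil {
			fmt.Fprintln(os.Stderr, "child:", err)
			os.Exit(1)
		}
		return
	}
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: sudo ./minicontainer <rootfs-dir> <command> [args...]")
		os.Exit(2)
	}
	if err := runParent(os.Args[1], os.Args[2:]); err != nil {
		fmt.Fprintln(os.Stderr, "parent:", err)
		os.Exit(1)
	}
}
```

Run it as `sudo ./minicontainer /path/to/rootfs /bin/sh` and compare `hostname`, `ps aux` and `mount` inside with the same commands on the host: the shell is an ordinary process visible in the host's `ps` with a host pid, but from inside it is pid 1 and sees nothing else. Note what is missing compared to Docker: no cgroup limits, no network namespace, still running as host root with full capabilities.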
