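What is Docker
Docker is an open-source application container engine that lets developers package their applications and dependencies into a portable container and then publish it to any popular Linux machine; it can also provide virtualization. Containers use a full sandbox mechanism and have no interfaces to one another.
The description above is quoted from Baidu Baike. Put simply, Docker is a container engine. It is very lightweight: with Docker you can create many containers, and the containers are completely isolated and do not interfere with one another. We can package our application as an image and instantiate containers from it to run the application.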
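Problems with the traditional deployment approach
- Heavy operations workload: when we deploy applications, we first need many servers. For example, web servers need applications such as Apache and Nginx; application servers need several middleware instances such as Tomcat, Jetty and Undertow; database servers need MySQL, Redis and the like; and on top of that come Zookeeper, RabbitMQ and so on. Operations staff must install and configure the environment each application needs on these servers, then debug them and check the network connectivity between servers. This is tedious and a huge amount of work.
- Scaling services up and down is cumbersome: as business volume grows, servers must be added to form clusters, and operations staff must again configure each new server and debug its networking, which adds repetitive work. When some business shrinks or is retired, servers sit idle and cause unnecessary loss.
- Services affect one another: when several applications are deployed on the same server, an error in one of them can drive CPU or memory usage too high, excessive log output can fill the disk, or some other unknown cause can crash the server, which affects every application deployed on it.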
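Benefits of deploying with Docker
- Less operations work: Docker creates containers from images. An image is like a class, and a container is a concrete instance of that class. Creating a container therefore only requires downloading the image of the desired application from a Docker repository and customizing on top of it.
- Elastic scaling of services: with Docker, scaling out quickly only requires adding a server and creating containers on it.
- Services do not affect one another: Docker containers use a sandbox mechanism and are completely isolated. Each container has its allocated hardware resources, so one container crashing does not affect the others. Even if the whole server goes down, this can be handled by deploying a highly available Docker cluster.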
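Docker's layered structure
A Docker container is, in essence, a process on the host. Bootfs and Rootfs load the system kernel and the standard directories, LXC provides process and resource isolation, and the AUFS file system provides layering and merges directories from different physical locations into a single directory, so that each container feels like an independent operating system.
- LXC is short for Linux Container, a kernel virtualization technology that provides lightweight virtualization to isolate processes and resources. It uses the same kernel as the host, so the performance overhead is small.
- Bootfs is short for Boot File System. It contains the boot loader and the kernel; the boot loader's main job is to load the kernel. Once the whole kernel has been loaded into memory, Bootfs is unmounted to free the memory it occupied.
- Rootfs is short for Root File System. It contains the typical directory structure, including standard directories and files such as /dev, /proc, /bin and /etc.
Bootfs is essentially the same across Linux distributions, while Rootfs differs, so different distributions can share Bootfs.
The bottom layer of an image is a Base Image, which provides a basic operating system environment. It is usually the image of a Linux distribution (that is, a system built on the Linux kernel), such as CentOS or Ubuntu.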
Applications such as the Emacs editor or the Apache server can be added on top of the Base Image. Each upper image references the image below it as its parent, that is, it depends on the image below. Image layers are all read-only; the topmost layer is the container layer, which is writable.
Docker architecture
Docker uses a client-server architecture. The Docker client talks to the Docker daemon, which does the heavy lifting of building, running, and distributing your Docker containers. The Docker client and daemon can run on the same system, or you can connect a Docker client to a remote Docker daemon. The Docker client and daemon communicate using a REST API, over UNIX sockets or a network interface.
The Docker daemon
The Docker daemon (dockerd) listens for Docker API requests and manages Docker objects such as images, containers, networks, and volumes. A daemon can also communicate with other daemons to manage Docker services.
The Docker client
The Docker client (docker) is the primary way that many Docker users interact with Docker. When you use commands such as docker run, the client sends these commands to dockerd, which carries them out. The docker command uses the Docker API. The Docker client can communicate with more than one daemon.
Docker registries
A Docker registry stores Docker images. Docker Hub and Docker Cloud are public registries that anyone can use, and Docker is configured to look for images on Docker Hub by default. You can even run your own private registry. If you use Docker Datacenter (DDC), it includes Docker Trusted Registry (DTR).
When you use the docker pull or docker run commands, the required images are pulled from your configured registry. When you use the docker push command, your image is pushed to your configured registry.
Docker store allows you to buy and sell Docker images or distribute them for free. For instance, you can buy a Docker image containing an application or service from a software vendor and use the image to deploy the application into your testing, staging, and production environments. You can upgrade the application by pulling the new version of the image and redeploying the containers.
Docker objects
When you use Docker, you are creating and using images, containers, networks, volumes, plugins, and other objects. This section is a brief overview of some of those objects.
Images
An image is a read-only template with instructions for creating a Docker container. Often, an image is based on another image, with some additional customization. For example, you may build an image which is based on the ubuntu image, but installs the Apache web server and your application, as well as the configuration details needed to make your application run.
You might create your own images or you might only use those created by others and published in a registry. To build your own image, you create a Dockerfile with a simple syntax for defining the steps needed to create the image and run it. Each instruction in a Dockerfile creates a layer in the image. When you change the Dockerfile and rebuild the image, only those layers which have changed are rebuilt. This is part of what makes images so lightweight, small, and fast, when compared to other virtualization technologies.
Containers
A container is a runnable instance of an image. You can create, start, stop, move, or delete a container using the Docker API or CLI. You can connect a container to one or more networks, attach storage to it, or even create a new image based on its current state.
By default, a container is relatively well isolated from other containers and its host machine. You can control how isolated a container’s network, storage, or other underlying subsystems are from other containers or from the host machine.
A container is defined by its image as well as any configuration options you provide to it when you create or start it. When a container is removed, any changes to its state that are not stored in persistent storage disappear.
Example docker run command
The following command runs an ubuntu container, attaches interactively to your local command-line session, and runs /bin/bash.
$ docker run -i -t ubuntu /bin/bash
When you run this command, the following happens (assuming you are using the default registry configuration):
- If you do not have the ubuntu image locally, Docker pulls it from your configured registry, as though you had run docker pull ubuntu manually.
- Docker creates a new container, as though you had run a docker container create command manually.
- Docker allocates a read-write filesystem to the container, as its final layer. This allows a running container to create or modify files and directories in its local filesystem.
- Docker creates a network interface to connect the container to the default network, since you did not specify any networking options. This includes assigning an IP address to the container. By default, containers can connect to external networks using the host machine’s network connection.
- Docker starts the container and executes /bin/bash. Because the container is running interactively and attached to your terminal (due to the -i and -t flags), you can provide input using your keyboard while the output is logged to your terminal.
- When you type exit to terminate the /bin/bash command, the container stops but is not removed. You can start it again or remove it.
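How isolated a container is depends on the options it was created with, and the plain docker run above sets no resource limits. As an added example (not from the original page), this checks docker inspect output for settings that weaken isolation; the container names and inspect data are constructed and trimmed to the fields used.

```python
import json

# Constructed `docker inspect` output, trimmed to the fields checked below.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/default-bash",  # defaults, as with `docker run -i -t ubuntu /bin/bash`
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge", "PidMode": "",
                    "Binds": None, "CapAdd": None, "Memory": 0, "PidsLimit": None}},
    {"Name": "/ci-agent",      # hypothetical container with weakened isolation
     "HostConfig": {"Privileged": True, "NetworkMode": "host", "PidMode": "host",
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                    "CapAdd": ["SYS_ADMIN"], "Memory": 536870912, "PidsLimit": 256}},
])

# Host paths whose bind mount hands the container control of the host.
SENSITIVE_SOURCES = ("/", "/var/run/docker.sock", "/run/docker.sock")


def audit_isolation(inspect_json):
    """Map container name -> settings that weaken its isolation from the host."""
    report = {}
    for container in json.loads(inspect_json):
        hc = container.get("HostConfig", {})
        issues = []
        if hc.get("Privileged"):
            issues.append("privileged")
        for key, label in (("NetworkMode", "host network"),
                           ("PidMode", "host pid namespace")):
            if hc.get(key) == "host":
                issues.append(label)
        for bind in hc.get("Binds") or []:
            source = bind.split(":")[0]
            if source in SENSITIVE_SOURCES:
                issues.append(f"host mount {source}")
        for cap in hc.get("CapAdd") or []:
            issues.append(f"added capability {cap}")
        if not hc.get("Memory"):          # 0 means unlimited
            issues.append("no memory limit")
        pids = hc.get("PidsLimit")
        if not pids or pids < 0:          # null, 0 and -1 all mean unlimited
            issues.append("no pids limit")
        report[container["Name"].lstrip("/")] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit_isolation(SAMPLE_INSPECT).items():
        print(name, issues)
```

On a real host the input would be the JSON printed by docker inspect for the running containers.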
Services
Services allow you to scale containers across multiple Docker daemons, which all work together as a swarm with multiple managers and workers. Each member of a swarm is a Docker daemon, and the daemons all communicate using the Docker API. A service allows you to define the desired state, such as the number of replicas of the service that must be available at any given time. By default, the service is load-balanced across all worker nodes. To the consumer, the Docker service appears to be a single application. Docker Engine supports swarm mode in Docker 1.12 and higher.