
Container and Docker

Introduction

Mar 24, 2021 | Satoshi Fujita


Agenda

• History of Container

• Chroot, FreeBSD Jail, Linux Container

• What is Container?

• namespace

• cgroup

• capability

• Overlay filesystem

• Managing Container

• docker

• docker commands

OpenText Confidential. ©2018 All Rights Reserved. 2


History of Container



History of Container

• Chroot (1979)

• Run COMMAND with the root directory set to NEWROOT, as a security feature that restricts access to the filesystem (chroot jail).

• FreeBSD jail (2000)

• OS-level Virtualization implemented in FreeBSD 4.0

• Run any application under the control of a jail

• Other OS-level Virtualization

• Linux-VServer (2001), Solaris Zones (2004)



History of Container

• Process Containers by Google (2006)

• Renamed as “cgroup” (2007)

• LinuX Containers (LXC) by IBM -> Canonical Ltd (2008)

• Container Engine implemented with “namespace” and “cgroup”

• libvirt-lxc package

• OpenVZ, Xen and docker 0.9 were implemented with the libvirt-lxc package.

• This is not the same as a “Container” in Docker, because Docker has since moved to “libcontainer” for its containers.


What is Container?



What is Container?

• One type of virtualization, not a single function

• A process is isolated from OS resources and from other processes

• Containers share the host OS’s kernel and hardware

• It depends on kernel compatibility

• Hardware-dependent operations cannot differ from one container to another, since every container uses the same kernel and hardware

[Figure: layered stack diagram. Three containers, each holding an application with its application library and runtime, sit on a container engine; beneath it are the system library, the application binary interface, the kernel (OS) and the hardware.]

• Based on features implemented in the kernel: namespace, cgroup, capability and overlayfs


What is Container?

• Strength

• Multiple environments in one box

• Lower overhead, so applications start up quickly

Application Container (application/service centric)

This expects a single application to execute within the container. This application may be one process or many processes; however, under this paradigm there is a single entry point process. docker and rkt are examples of container runtimes designed for this approach.

System Container (operating system container)

This can support multiple applications being executed within the container. The entry point is an init system residing within the container that facilitates process management (such as SysV, Upstart, and Systemd). Systemd-nspawn and LXC/LXD are examples of container runtimes designed for this approach.

• Weakness

• Impossible to run an application on a different system / kernel

• Depends on kernel compatibility


What is Container?

namespace



namespace

• Used to isolate OS resources controlled by kernel



namespace

• We can check information about namespaces under “/proc/[PID]/ns”

• If the link number (inode number) is the same as another process’s, the resources belong to the same namespace.
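As an added example, not from the slides: read the inode numbers behind the /proc/[PID]/ns links and report which namespaces a process still shares with PID 1 on the host, which is how a reviewer would spot a container that was started inside the host network namespace. The inode values below are constructed, and the live read_ns_inodes helper assumes a Linux /proc.

```python
import os
import re

NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

def parse_ns_link(link: str) -> int:
    """'net:[4026531992]' -> 4026531992, the inode number of that namespace."""
    m = re.fullmatch(r"\w+:\[(\d+)\]", link)
    if not m:
        raise ValueError(f"unexpected ns link: {link!r}")
    return int(m.group(1))

def read_ns_inodes(pid: int) -> dict:
    """Live collector (Linux only): readlink every /proc/<pid>/ns/<type>."""
    return {t: parse_ns_link(os.readlink(f"/proc/{pid}/ns/{t}"))
            for t in NS_TYPES if os.path.exists(f"/proc/{pid}/ns/{t}")}

def shared_namespaces(proc: dict, host: dict) -> set:
    """Namespace types whose inode is identical, i.e. NOT isolated from the host."""
    return {t for t in proc if t in host and proc[t] == host[t]}

# Constructed sample inodes, written the way readlink prints them: a container
# with its own mnt/pid/uts/ipc namespaces but the host's net namespace.
HOST_NS = {t: parse_ns_link(s) for t, s in {
    "mnt": "mnt:[4026531840]", "net": "net:[4026531992]",
    "pid": "pid:[4026531836]", "uts": "uts:[4026531838]",
    "ipc": "ipc:[4026531839]"}.items()}
CONTAINER_NS = {t: parse_ns_link(s) for t, s in {
    "mnt": "mnt:[4026532721]", "net": "net:[4026531992]",
    "pid": "pid:[4026532724]", "uts": "uts:[4026532722]",
    "ipc": "ipc:[4026532723]"}.items()}

if __name__ == "__main__":
    print("shared with host:", shared_namespaces(CONTAINER_NS, HOST_NS))
```

On a real host, replace the constructed tables with read_ns_inodes(1) and read_ns_inodes(<container PID>).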


What is Container?

cgroup



cgroup (control group)

• Used to control and isolate physical resources from other processes

• Released by Google and merged into the Linux 2.6.24 kernel

• Cgroupfs

Filesystem for cgroup; resources are controlled under /sys/fs/cgroup

Huge Translation Lookaside Buffer (HugeTLB)

Cache used to translate physical memory addresses to virtual memory addresses


cgroup (control group)



What is Container?

capability



capability

• To improve security in containers, the privileges of root can be independently enabled and disabled.

• Per-thread attribute

• Capabilities enabled by default in docker: chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap

• Values are defined in /usr/include/linux/include.h


capability

• We can see the capabilities of each process in /proc/<PID>/status

• The value is shown as a bit mask
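An added example, not from the slides: decode the CapEff bit mask from /proc/<PID>/status into capability names (bit index per the CAP_* numbering in linux/capability.h) and report anything beyond the docker default set listed on the previous slide. The status dump is constructed.

```python
import re

# Capability bit positions from linux/capability.h: list index == CAP_* number.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Default set granted by docker, as listed on the slide above.
DOCKER_DEFAULT = {
    "chown", "dac_override", "fowner", "fsetid", "kill", "setgid", "setuid",
    "setpcap", "net_bind_service", "net_raw", "sys_chroot", "mknod",
    "audit_write", "setfcap",
}

def decode_caps(hex_mask: str) -> set:
    """Turn a Cap* hex mask into the set of capability names whose bit is set."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask & (1 << bit)}

def parse_status(status_text: str) -> dict:
    """Pick the Cap* lines out of a /proc/<PID>/status dump."""
    pattern = r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$"
    return {m.group(1): m.group(2) for m in re.finditer(pattern, status_text, re.M)}

def extra_caps(status_text: str, baseline=DOCKER_DEFAULT) -> set:
    """Capabilities in CapEff beyond the baseline: what an audit should flag."""
    return decode_caps(parse_status(status_text)["CapEff"]) - baseline

# Constructed sample (not captured from a real host): the docker default mask
# 0xa80425fb with bit 21 (sys_admin) added, as `--cap-add SYS_ADMIN` would do.
SAMPLE_STATUS = """\
Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t00000000a82425fb
CapEff:\t00000000a82425fb
CapBnd:\t00000000a82425fb
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    print("docker default:", sorted(decode_caps("00000000a80425fb")))
    print("beyond default:", extra_caps(SAMPLE_STATUS))
```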


What is Container?

Overlay Filesystem



Overlay Filesystem

• A filesystem based on the union filesystem concept

• Merged into kernel 3.18 and supported from docker 1.4

• It combines multiple different underlying mount points into one, resulting in a single directory structure that contains underlying files and sub-directories from all sources (https://en.wikipedia.org/wiki/OverlayFS).


Overlay Filesystem

[Figure: overlay filesystem layers. Top: merged (mount); middle: working and Upper (rewritable, layer02); bottom: Lowerdir (readonly, layer01, Base Image).]


Managing Container



Managing Container

• Container Engine

• LXC by IBM -> Canonical Ltd (2008)

• Cloud Foundry Warden (2011)

• lmctfy ("Let Me Contain That For You") by Google (2013)

• docker by dotCloud -> docker (2013)

• Command or library

• lxctools (opensource)

Tool to manage lxc

• libvirt by Redhat

APIs to manage multiple virtual environments



docker



Components of docker

• Docker Engine

Docker Engine is an open source containerization technology for building and containerizing your applications. Docker Engine acts as a client-server application with:

• A server with a long-running daemon process dockerd.

• APIs which specify interfaces that programs can use to talk to and instruct the Docker daemon.

• A command line interface (CLI) client

• Docker Compose

Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application’s services.

• Docker Registry (private registry)

The Registry is a stateless, highly scalable server side application that stores and lets you distribute Docker images.


Components of Docker

• Docker Hub (hosted registry)

Docker Hub is a service provided by Docker for finding and sharing container images with your team. It is the world’s largest repository of container images with an array of content sources including container community developers, open source projects and independent software vendors (ISV) building and distributing their code in containers.


Components of Docker

• Docker Swarm

Managing a cluster of Docker Engines, called a swarm

Kubernetes

• Docker Machine

Docker Machine is a tool that lets you install Docker Engine on virtual hosts, and manage the hosts with docker-machine commands. You can use Machine to create Docker hosts on your local Mac or Windows box, on your company network, in your data center, or on cloud providers like Azure, AWS, or DigitalOcean.


Components of Docker

• Dockerfile

A Dockerfile is a simple text file that contains all the commands a user could call on the command line to assemble or build an image. With the help of docker build, you can easily automate a build that runs the multiple commands defined in the Dockerfile in succession.

• Docker Image

A Docker image is a file, comprised of multiple layers, that is used to execute code in a Docker container.

[Figure: a container is a read-write container layer stacked on top of read-only image layers.]


Components of Docker

[Figure: workflow diagram. A docker client pushes images to, and pulls images from, Docker Hub or a private registry. On a server running docker, Docker Engine (driven by docker commands, Docker Compose and Docker Swarm) sits on the kernel and hardware and runs container instances created from images such as MySQL and CentOS.]


Architecture

[Figure: architecture diagram. The docker client (docker commands; Docker Compose to manage docker images; Docker Swarm for a Docker cluster) talks to dockerd over a REST API. dockerd drives a high-level runtime daemon over gRPC, which in turn drives an OCI low-level runtime that creates containers from Docker images. kubelet (kubernetes) reaches the high-level runtime through CRI. Beneath: system library / application library, application binary interface, kernel (OS), hardware.]


Container Runtime

• Standardization

OCI (Open Container Initiative)

https://opencontainers.org/

CRI (Container Runtime Interface)

https://kubernetes.io/blog/2016/12/container-runtime-interface-cri-in-kubernetes/

• High-Level Runtime (daemon)

containerd by docker, CRI-O (open source)

gVisor by Google, Kata Containers by OpenStack Foundation, Nabla containers by IBM

• Low-Level Runtime

runc by docker, runsc by Google, runv by Hyper, cc-runtime, kata-runtime, runq, railcar, rkt by CoreOS (Redhat)


docker commands



docker info



docker inspect command



docker logs command



Logging driver



docker basic command



Helpful Links

• docker docs

• https://docs.docker.com/engine/

• A Brief History of Containers: From the 1970s Till Now

• https://blog.aquasec.com/a-brief-history-of-containers-from-1970s-chroot-to-docker-2016

• How to build a container: “What is Docker doing behind the scenes?”

• https://www.slideshare.net/zembutsu/what-isdockerdoing

• Introduction to containers with LXC: the technology behind lightweight virtualized environments

• https://gihyo.jp/admin/serial/01/linux_containers/0002



Helpful Links

• [Series] The world’s most understandable introduction to containers & Docker, part 1: What is a container?

• https://tech-lab.sios.jp/archives/18811

• Understand how containers work and try using them

• https://xtech.nikkei.com/atcl/learning/lecture/19/00095/00001/



Thank you

twitter.com/opentext

linkedin.com/company/opentext

opentext.com

