Ten minutes to understand docker

Keywords: Docker Virtualization docker compose

1, What is docker?

wiki introduction

Docker is an open source software and an open platform for developing, shipping and running applications. Docker allows users to separate applications in Infrastructure to form smaller particles (containers), so as to improve the speed of software delivery.
Docker containers are similar to virtual machines, but they differ in principle. The container virtualizes the operating system layer, and the virtual machine is the virtualized hardware. Therefore, the container has more portability and makes more efficient use of the server. Containers are more used to represent a standardized unit of software. Due to the standardization of containers, it can be deployed anywhere regardless of Infrastructure differences. In addition, docker also provides stronger industry isolation compatibility for containers.
Docker uses the resource separation mechanism in the Linux core, such as cgroup s, and the Linux core namespaces (namespaces) to create independent containers. This can operate under a single Linux entity, avoiding the additional burden of starting a virtual machine. The Linux core's support for namespace completely isolates the vision of applications in the working environment, including travel tree, network, user ID and mounted file system, while the core cggroup provides resource isolation, including CPU, memory, block I/O and network.
-> https://zh.wikipedia.org/wiki/Docker


  • Open source project
  • It is based on the Go language launched by Google
  • Joined the Linux foundation and complied with the Apache 2.0 protocol
  • Official website https://www.docker.com/


  • Image: Docker image is a special file system. In addition to providing the program, library, resource, configuration and other files required by the container during operation, it also contains some configuration parameters prepared for operation (such as anonymous volume, environment variable, user, etc.). The image is static and does not contain any dynamic data, and its content will not be changed after construction.
  • Container: the relationship between an Image and a container is like a class and instance in object-oriented programming. An Image is a static definition, and a container is an entity when the Image runs. Containers can be created, started, stopped, deleted, paused, and so on.
  • Repository: a repository is a remote repository similar to Git, which centrally stores image files

2, Why does docker appear?

Comparison between Docker and virtual machine

The following pictures compare the differences between Docker and traditional virtualization methods. It can be seen that the container realizes virtualization at the operating system level, directly reusing the operating system of the local host, while the traditional virtual machine is realized at the hardware level.

The traditional virtual machine first virtualizes the physical hardware through the Hypervisor layer, then installs the guest OS on the virtual hardware resources, and finally runs the related applications on the slave operating system. Where APP+BINS/LIBS+Guest OS is the virtual machine

Unlike virtual machines, docker uses Hypervisor and guest os to isolate resources from the environment. It only uses one docker daemon/engine to isolate resources from the environment (the ultimate goal is app isolation) (this function is mainly realized by using the container supported by the Linux kernel itself). APP+BINS/LIBS is the container. docker daemon/engine can be simply regarded as the encapsulation of namespace, Cgroup and image management file system operations in the Linux kernel. In short, docker uses namespace to isolate the system environment; Use Cgroup to realize resource restriction; Use the image to isolate the root directory environment.


Full name of Linux CGroup: Linux Control Group; It is a function of the Linux kernel to limit, control and separate the resources of a process group (such as CPU, memory, disk I / O, etc.).

Main functions:

  • Limit resource usage, such as memory usage limits and file system cache limits.
  • Priority control, CPU utilization and disk IO throughput.
  • Some audits or statistics are mainly for billing.
  • Suspend the process and resume the execution process.

cgroups subsystem
cpu subsystem, which mainly limits the cpu utilization of processes.
cpuacct subsystem can count the cpu usage reports of processes in cgroups.
cpuset subsystem, which can allocate separate cpu nodes or memory nodes for processes in cgroups.
Memory subsystem, which can limit the memory usage of processes.
blkio subsystem, which can limit the block device io of the process.
Devices subsystem, which can control processes and access some devices.
net_cls subsystem can mark the network packets of processes in cgroups, and then use tc module (traffic control) to control the packets.
net_prio - this subsystem is used to design the priority of network traffic
freezer subsystem, which can suspend or resume processes in cgroups.
ns subsystem can make processes under different cgroups use different namespace s
HugeTLB - this subsystem is mainly limited to the HugeTLB system, which is a large page file system.

This is a bit like the difference between threads and processes, which is a bit like the java virtual machine. It runs everywhere at one time

The main difference between processes and threads is that they are different ways of operating system resource management.
A process has an independent address space. After a process crashes, it will not affect other processes in protected mode,
Threads are just different execution paths in a process.
Threads have their own stack and local variables, but there is no separate address space between threads. The death of a thread is equal to the death of the whole process,
Therefore, multi process programs are more robust than multi-threaded programs, but they consume more resources and are less efficient when switching processes.
However, for some concurrent operations that require simultaneous and shared variables, only threads can be used, not processes.

1. A program has at least one process, and a process has at least one thread.
2. The division scale of threads is smaller than that of processes, which makes the concurrency of multithreaded programs high.
3. The process has independent memory units during execution, and multiple threads share memory, which greatly improves the running efficiency of the program.
4. Threads are different from processes during execution. Each independent thread has an entry for program operation, sequential execution sequence and program exit. However, threads cannot be executed independently. They must be stored in the application, and the application provides multiple thread execution control.
5. From a logical point of view, the significance of multithreading is that there are multiple execution parts in an application that can be executed at the same time. However, the operating system does not regard multiple threads as multiple independent applications to realize process scheduling, management and resource allocation. This is the important difference between process and thread.

Its advantages

As for why it appears, its advantage is that it can meet some current needs

  1. Lightweight: Docker container mainly uses and shares the host kernel. It is not a complete operating system, so it is more lightweight.
  2. Flexible: it can container complex applications, so it is very flexible and convenient. Portable: Docker can be built locally
  3. Container and deploy it to ECS or anywhere for use.
  4. Isolated from each other for easy upgrade: containers are highly self-sufficient and isolated from each other, so you can replace or upgrade your Docker container without affecting other containers.
  5. Scalable: container replicas can be added and automatically distributed in the data center. Security: Docker container can well constrain and isolate applications without any configuration by users.

Its disadvantages

Of course, there are some disadvantages
1. Kernel vulnerabilities

Docker kernel attack may be fatal for container environment, because the container shares the same system kernel with the host, so it is not enough to trust the built-in protection mechanism of the container alone.
Because of the isolation of containers, the vulnerability of an application will not directly affect the applications of other containers, but the vulnerability may destroy the single operating system shared with other containers, and then affect other containers on the machine. If the vulnerability allows code execution, it will be executed on the host operating system rather than in the container; If this vulnerability allows arbitrary memory access, an attacker can change or read any data from any other container.

2. Data separation
On the docker container, there are some non namespace resources:

file systems under /sys, /proc/sys,
/proc/sysrq-trigger, /proc/irq, /proc/bus
/dev/mem, /dev/sd* file system
Kernel Modules

If an attacker can exploit any of these elements, he will have operating privileges on the host system.

3. Resource cost

Docker because all containers on the host share the same kernel and the same resources, if the access to some resources (CPU, memory, disk, etc.) is not limited, the abnormal container will occupy the resources of the whole host, affecting the operation of other containers and affecting applications.

4. Socket problem

By default, all containers have installed docker Unix socket (/ var/run/docker.sock), which can be closed, started or created a new image.
When your container starts and shares sockets, you give the container permission to control the host. It can start or terminate other containers, drag or create images on the host, and even write to the file system of the host. Properly configured and protected, docker container can be used to achieve high-level security, but its security is still lower than that of properly configured VM.
Although the Docker container is not perfect, its shortcomings are not hidden. It makes the cloud deployment of business faster and resource utilization higher. And cloud service providers are also constantly improving the application of Docker container technology in cloud service platform.

3, What is the implementation principle?

What are the common commands for docker?

docker installation

wget -O /etc/yum.repos.d/docker-ce.repo https://download.docker.com/linux/centos/docker-ce.repo
sudo sed -i 's+download.docker.com+mirrors.cloud.tencent.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
sudo yum makecache fast
sudo yum install -y docker-ce

Docker compose installation

curl -L https://get.daocloud.io/docker/compose/releases/download/1.27.4/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

Domestic image configuration

vi /etc/docker/daemon.json

Add the following:

    "registry-mirrors": ["http://hub-mirror.c.163.com"]
Of course, it can be replaced from the following
Docker China's official image acceleration

Netease 163 image acceleration

Image acceleration of China University of science and technology

Alibaba cloud image acceleration

daocloud Image acceleration


  • Enter container
    The second method is usually used. The common parameters followed by docker exec are as follows:

- D, - detach executes commands in the background of the container; - i. -- interactive = true I false: open standard input and accept user input commands

  • view log

    The exported container snapshot file can be re imported as a mirror
    docker logs [container ID]

This command has the following common parameters -f: trace log output

--since: display all logs at a certain start time - t: display timestamp -- tail: list only the latest N container logs

  • Copy file

Copy from host to container
sudo docker cp host_path containerID:container_path
Copy from container to host
sudo docker cp containerID:container_path host_path

You can enter the complete command on the console to view the help description

[root@localhost ~]# docker --help

Usage:  docker [OPTIONS] COMMAND

A self-sufficient runtime for containers

      --config string      Location of client config files
                           (default "/root/.docker")
  -c, --context string     Name of the context to use to connect
                           to the daemon (overrides DOCKER_HOST
                           env var and default context set with
                           "docker context use")
  -D, --debug              Enable debug mode
  -H, --host list          Daemon socket(s) to connect to
  -l, --log-level string   Set the logging level
                           ("debug"|"info"|"warn"|"error"|"fatal") (default "info")
      --tls                Use TLS; implied by --tlsverify
      --tlscacert string   Trust certs signed only by this CA
                           (default "/root/.docker/ca.pem")
      --tlscert string     Path to TLS certificate file (default
      --tlskey string      Path to TLS key file (default
      --tlsverify          Use TLS and verify the remote
  -v, --version            Print version information and quit

Management Commands:
  app*        Docker App (Docker Inc., v0.9.1-beta3)
  builder     Manage builds
  buildx*     Build with BuildKit (Docker Inc., v0.6.3-docker)
  config      Manage Docker configs
  container   Manage containers
  context     Manage contexts
  image       Manage images
  manifest    Manage Docker image manifests and manifest lists
  network     Manage networks
  node        Manage Swarm nodes
  plugin      Manage plugins
  scan*       Docker Scan (Docker Inc., v0.9.0)
  secret      Manage Docker secrets
  service     Manage services
  stack       Manage Docker stacks
  swarm       Manage Swarm
  system      Manage Docker
  trust       Manage trust on Docker images
  volume      Manage volumes

  attach      Attach local standard input, output, and error streams to a running container
  build       Build an image from a Dockerfile
  commit      Create a new image from a container's changes
  cp          Copy files/folders between a container and the local filesystem
  create      Create a new container
  diff        Inspect changes to files or directories on a container's filesystem
  events      Get real time events from the server
  exec        Run a command in a running container
  export      Export a container's filesystem as a tar archive
  history     Show the history of an image
  images      List images
  import      Import the contents from a tarball to create a filesystem image
  info        Display system-wide information
  inspect     Return low-level information on Docker objects
  kill        Kill one or more running containers
  load        Load an image from a tar archive or STDIN
  login       Log in to a Docker registry
  logout      Log out from a Docker registry
  logs        Fetch the logs of a container
  pause       Pause all processes within one or more containers
  port        List port mappings or a specific mapping for the container
  ps          List containers
  pull        Pull an image or a repository from a registry
  push        Push an image or a repository to a registry
  rename      Rename a container
  restart     Restart one or more containers
  rm          Remove one or more containers
  rmi         Remove one or more images
  run         Run a command in a new container
  save        Save one or more images to a tar archive (streamed to STDOUT by default)
  search      Search the Docker Hub for images
  start       Start one or more stopped containers
  stats       Display a live stream of container(s) resource usage statistics
  stop        Stop one or more running containers
  tag         Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
  top         Display the running processes of a container
  unpause     Unpause all processes within one or more containers
  update      Update configuration of one or more containers
  version     Show the Docker version information
  wait        Block until one or more containers stop, then print their exit codes

Run 'docker COMMAND --help' for more information on a command.

To get more help with docker, check out our guides at https://docs.docker.com/go/guides/

reference resources

<Docker The official account of source code analysis@Sun Zhongming, reply 3001, get the electronic version

Posted by QSDragon on Sat, 27 Nov 2021 22:47:07 -0800