When talking about Docker, one has to start with the Moby Project (http://mobyproject.org). At DockerCon17, Docker announced a new open-source project: the Moby Project. The docker repository previously hosted on GitHub was renamed to Moby accordingly (GitHub address: https://github.com/moby/moby).

1、The Moby Project

Quoting the definition of Moby on GitHub, the Moby Project is: A collaborative project for the container ecosystem to assemble container-based systems.

The Moby Project was established as "An effort to decentralize and decompose what used to be known as the Docker Engine into smaller components. Docker (the product) is now a consumer of Moby components." Docker as an open-source product continues to exist, and users can still download Docker from the official Docker website.

The Moby Project follows these principles:

  • Modular: the project includes lots of components that have well-defined functions and APIs that work together.
  • Batteries included but swappable: Moby includes enough components to build a fully featured container system, but its modular architecture ensures that most of the components can be swapped for different implementations.
  • Usable security: Moby provides secure defaults without compromising usability.
  • Developer focused: The APIs are intended to be functional and useful to build powerful tools. They are not necessarily intended as end user tools but as components aimed at developers. Documentation and UX are aimed at developers, not end users.

2、The container concept

Docker's idea comes from virtual machines and shipping containers. A virtual machine virtualizes the entire machine, including the hardware and the operating system, so the VM itself consumes a large share of the server's resources; deploying an application inside a VM is then "using a sledgehammer to crack a nut". The shipping-container idea is packaging: isolate and package the application so that wherever the container is placed, its internal runtime environment stays the same, unaffected by the surroundings, which keeps the application's runtime environment consistent. Combining the two gives Docker its light weight relative to virtual machines together with an invariant application environment.

3、Docker's packaging: process isolation

Before discussing process isolation, let's look at how Linux implements the concept of a process (in the new Moby Project, containers are no longer built only on Linux; it has begun exploring containers based on Windows and other systems, with notable results). The steps for creating a new process in Linux:

  • fork a child process from the parent in memory, and set the child's pid, parent_pid and its own private data

Docker has its own namespaces and is thereby isolated from the outside world (namespaces are the basic mechanism for process isolation in Linux; see http://man7.org/linux/man-pages/man7/namespaces.7.html). The basic steps of its implementation are as follows:

  • Define its own root directory; for example, redefine the root directory as /home/mydir/, so that this path is mapped to "/"
  • Map its own pid to 0 and hide every other pid, so that this pid is the only pid that exists inside the container, making it look like a brand-new system
  • User-name isolation; for example, set the user name to "root"
  • hostname isolation: a different hostname can be chosen and becomes the new process's hostname
  • IPC isolation: isolate inter-process communication
  • Network isolation: isolate the network between the process and the host
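The process-creation step above and the namespace steps just listed, as an added C example (it is not code from this page, from Docker or from Moby): a single clone(2) call creates the child directly inside new user, PID, UTS, IPC, network and mount namespaces; the child maps its host uid to 0 (the "root" of the user-name step), renames its hostname, and reports what it sees back to the parent through a pipe. Two details worth knowing when checking the claims in the list: the first process in a new PID namespace sees itself as PID 1, and getppid() returns 0 there because the parent lives outside the namespace. The root-directory step (chroot into a prepared root filesystem) is left out. Namespace creation needs CAP_SYS_ADMIN or unprivileged user namespaces, so run_isolated() returns 1 instead of failing when the kernel or a sandbox seccomp profile refuses the clone. The hostname "moby-demo", the struct and function names are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not Docker/Moby code: one clone() call puts the child into
 * new user, PID, UTS, IPC, network and mount namespaces at once. */
#define STACK_SIZE (1024 * 1024)
#define DEMO_HOSTNAME "moby-demo"   /* assumed name for the child's UTS namespace */

struct report {
    pid_t pid_inside;   /* getpid() as the child sees it: 1 in a fresh PID namespace */
    pid_t ppid_inside;  /* getppid(): 0, because the parent lives outside the namespace */
    uid_t uid_inside;   /* getuid(): 0 after the child maps its outer uid to root */
    char  hostname[65]; /* hostname after sethostname() in the child's UTS namespace */
};

struct child_args {
    int   pipe_fd;    /* write end used to hand the report back to the parent */
    uid_t outer_uid;  /* parent's uid/gid, to be mapped to 0 inside the user namespace */
    gid_t outer_gid;
};

/* Write a short string to a /proc file; 0 on success, -1 on failure. */
static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

static int child_fn(void *arg) {
    struct child_args *a = arg;
    struct report r;
    char map[64];
    memset(&r, 0, sizeof r);

    /* Map our single host uid/gid to 0: "root" inside without being root on the host.
     * setgroups must be denied before an unprivileged gid_map write (kernel >= 3.19). */
    write_file("/proc/self/setgroups", "deny");
    snprintf(map, sizeof map, "0 %u 1", (unsigned)a->outer_uid);
    write_file("/proc/self/uid_map", map);
    snprintf(map, sizeof map, "0 %u 1", (unsigned)a->outer_gid);
    write_file("/proc/self/gid_map", map);

    /* Only this UTS namespace sees the new name; the host keeps its own. */
    if (sethostname(DEMO_HOSTNAME, strlen(DEMO_HOSTNAME)) == 0)
        gethostname(r.hostname, sizeof r.hostname);
    else
        snprintf(r.hostname, sizeof r.hostname, "sethostname failed: %d", errno);

    r.pid_inside  = getpid();
    r.ppid_inside = getppid();
    r.uid_inside  = getuid();
    if (write(a->pipe_fd, &r, sizeof r) != (ssize_t)sizeof r) return 1;
    close(a->pipe_fd);
    return 0;
}

/* Runs the isolated child and fills *out and *pid_outside.
 * Returns 0 when the isolation was observed as described, 1 when the kernel or
 * sandbox refused to create the namespaces, -1 on any other failure. */
int run_isolated(struct report *out, pid_t *pid_outside) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    char *stack = malloc(STACK_SIZE);
    if (!stack) { close(fds[0]); close(fds[1]); return -1; }

    struct child_args args = { fds[1], getuid(), getgid() };
    int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | CLONE_NEWIPC |
                CLONE_NEWNET | CLONE_NEWNS | SIGCHLD;
    pid_t pid = clone(child_fn, stack + STACK_SIZE, flags, &args);  /* stack grows down */
    close(fds[1]);
    if (pid < 0) {
        int e = errno;
        close(fds[0]); free(stack);
        return (e == EPERM || e == EINVAL || e == ENOSYS || e == EUSERS || e == ENOSPC) ? 1 : -1;
    }

    struct report r;
    memset(&r, 0, sizeof r);
    size_t got = 0;
    while (got < sizeof r) {                       /* read the whole struct from the pipe */
        ssize_t n = read(fds[0], (char *)&r + got, sizeof r - got);
        if (n <= 0) break;
        got += (size_t)n;
    }
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    free(stack);
    if (got != sizeof r) return -1;

    char host_outside[65];
    gethostname(host_outside, sizeof host_outside);
    *out = r;
    *pid_outside = pid;
    /* The parent sees an ordinary pid and its own hostname; the child saw pid 1, ppid 0, uid 0. */
    if (r.pid_inside != 1 || r.ppid_inside != 0 || r.uid_inside != 0 ||
        strcmp(r.hostname, DEMO_HOSTNAME) != 0 || strcmp(host_outside, DEMO_HOSTNAME) == 0)
        return -1;
    return 0;
}

int main(void) {
    struct report r; pid_t outside;
    int s = run_isolated(&r, &outside);
    if (s == 1) { puts("namespace creation refused here (needs CAP_SYS_ADMIN or user namespaces)"); return 0; }
    if (s < 0)  { puts("unexpected failure"); return 1; }
    printf("outside: pid %d; inside: pid %d, ppid %d, uid %d, hostname %s\n",
           (int)outside, (int)r.pid_inside, (int)r.ppid_inside, (int)r.uid_inside, r.hostname);
    return 0;
}
```

Build with `cc -o ns_demo ns_demo.c`. On a host that allows unprivileged user namespaces the parent prints an ordinary pid while the child reports pid 1, ppid 0, uid 0 and the new hostname, and the host's own hostname is untouched; inside a container whose seccomp profile blocks namespace-creating clone flags, the call fails with EPERM and the program reports that the isolation was refused.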