by Preethi Kasireddy
通过Preethi Kasireddy
容器,VM和Docker的初学者友好介绍 (A Beginner-Friendly Introduction to Containers, VMs and Docker)
If you’re a programmer or techie, chances are you’ve at least heard of Docker: a helpful tool for packing, shipping, and running applications within “containers.” It’d be hard not to, with all the attention it’s getting these days — from developers and system admins alike. Even the big dogs like Google, VMware and Amazon are building services to support it.
如果您是程序员或技术人员,则至少有可能听说过Docker:这是一个有用的工具,用于在“容器”中打包,运输和运行应用程序。 在开发人员和系统管理员的关注下,很难不引起人们的注意。 甚至像Google,VMware和Amazon这样的大公司也正在建立支持它的服务。
Regardless of whether or not you have an immediate use-case in mind for Docker, I still think it’s important to understand some of the fundamental concepts around what a “container” is and how it compares to a Virtual Machine (VM). While the Internet is full of excellent usage guides for Docker, I couldn’t find many beginner-friendly conceptual guides, particularly on what a container is made up of. So, hopefully, this post will solve that problem :)
不管您是否想到了立即使用Docker的案例,我仍然认为了解“容器”是什么以及将其与虚拟机(VM)进行比较的一些基本概念仍然很重要。 尽管Internet上有很多关于Docker的优秀使用指南,但我找不到许多对初学者友好的概念指南,尤其是关于容器的组成。 所以,希望这篇文章能解决这个问题:)
Let’s start by understanding what VMs and containers even are.
让我们首先了解什么是VM和容器。
什么是“容器”和“ VM”? (What are “containers” and “VMs”?)
Containers and VMs are similar in their goals: to isolate an application and its dependencies into a self-contained unit that can run anywhere.
容器和VM的目标相似:将应用程序及其依赖项隔离到可以在任何地方运行的独立单元中。
Moreover, containers and VMs remove the need for physical hardware, allowing for more efficient use of computing resources, both in terms of energy consumption and cost effectiveness.
此外,容器和VM消除了对物理硬件的需求,从而在能源消耗和成本效率方面都可以更有效地利用计算资源。
The main difference between containers and VMs is in their architectural approach. Let’s take a closer look.
容器和VM之间的主要区别在于它们的体系结构方法。 让我们仔细看看。
虚拟机 (Virtual Machines)
A VM is essentially an emulation of a real computer that executes programs like a real computer. VMs run on top of a physical machine using a “hypervisor”. A hypervisor, in turn, runs on either a host machine or on “bare-metal”.
VM本质上是执行诸如真实计算机之类的程序的真实计算机的仿真。 VM使用“管理程序”在物理计算机上运行。 虚拟机管理程序又可以在主机或“裸机”上运行 。
Let’s unpack the jargon:
让我们解开行话:
A hypervisor is a piece of software, firmware, or hardware that VMs run on top of. The hypervisors themselves run on physical computers, referred to as the “host machine”. The host machine provides the VMs with resources, including RAM and CPU. These resources are divided between VMs and can be distributed as you see fit. So if one VM is running a more resource heavy application, you might allocate more resources to that one than the other VMs running on the same host machine.
系统管理程序是VM在其上运行的软件,固件或硬件。 管理程序本身在物理计算机上运行,称为“主机” 。 主机为VM提供资源,包括RAM和CPU。 这些资源在VM之间分配,可以根据需要分配。 因此,如果一个VM运行的是资源消耗较大的应用程序,则可能会比在同一主机上运行的其他VM分配更多的资源。
The VM that is running on the host machine (again, using a hypervisor) is also often called a “guest machine.” This guest machine contains both the application and whatever it needs to run that application (e.g. system binaries and libraries). It also carries an entire virtualized hardware stack of its own, including virtualized network adapters, storage, and CPU — which means it also has its own full-fledged guest operating system. From the inside, the guest machine behaves as its own unit with its own dedicated resources. From the outside, we know that it’s a VM — sharing resources provided by the host machine.
在主机上运行的VM(再次使用虚拟机管理程序)通常也称为“来宾计算机”。 该来宾计算机既包含应用程序,又包含运行该应用程序所需的任何内容(例如,系统二进制文件和库)。 它还具有自己的整个虚拟硬件堆栈,包括虚拟网络适配器,存储和CPU,这意味着它也具有自己的完整的来宾操作系统。 从内部看,来宾计算机表现为具有自己专用资源的自己的单元。 从外部,我们知道这是一个VM,它共享主机提供的资源。
As mentioned above, a guest machine can run on either a hosted hypervisor or a bare-metal hypervisor. There are some important differences between them.
如上所述,来宾计算机可以在托管的管理程序或裸机管理程序上运行 。 它们之间有一些重要的区别。
First off, a hosted virtualization hypervisor runs on the operating system of the host machine. For example, a computer running OSX can have a VM (e.g. VirtualBox or VMware Workstation 8) installed on top of that OS. The VM doesn’t have direct access to hardware, so it has to go through the host operating system (in our case, the Mac’s OSX).
首先,托管的虚拟化管理程序在主机的操作系统上运行。 例如,运行OSX的计算机可以在该OS的顶部安装VM(例如VirtualBox或VMware Workstation 8)。 VM无法直接访问硬件,因此它必须通过主机操作系统(在我们的情况下为Mac的OSX)。
The benefit of a hosted hypervisor is that the underlying hardware is less important. The host’s operating system is responsible for the hardware drivers instead of the hypervisor itself, and is therefore considered to have more “hardware compatibility.” On the other hand, this additional layer in between the hardware and the hypervisor creates more resource overhead, which lowers the performance of the VM.
托管虚拟机管理程序的好处是底层硬件不太重要。 主机的操作系统负责硬件驱动程序,而不是管理程序本身,因此被认为具有更多的“硬件兼容性”。 另一方面,硬件和管理程序之间的此附加层会产生更多的资源开销,从而降低VM的性能。
A bare metal hypervisor environment tackles the performance issue by installing on and running from the host machine’s hardware. Because it interfaces directly with the underlying hardware, it doesn’t need a host operating system to run on. In this case, the first thing installed on a host machine’s server as the operating system will be the hypervisor. Unlike the hosted hypervisor, a bare-metal hypervisor has its own device drivers and interacts with each component directly for any I/O, processing, or OS-specific tasks. This results in better performance, scalability, and stability. The tradeoff here is that hardware compatibility is limited because the hypervisor can only have so many device drivers built into it.
裸机虚拟机管理程序环境通过在主机硬件上安装并从主机硬件上运行来解决性能问题。 由于它直接与基础硬件接口,因此不需要主机操作系统即可运行。 在这种情况下,作为操作系统安装在主机服务器上的第一件事就是管理程序。 与托管的虚拟机管理程序不同,裸机虚拟机管理程序具有自己的设备驱动程序,并与每个组件直接交互以执行任何I / O,处理或特定于OS的任务。 这样可以实现更好的性能,可伸缩性和稳定性。 这里的权衡是硬件兼容性受到限制,因为管理程序只能内置这么多的设备驱动程序。
After all this talk about hypervisors, you might be wondering why we need this additional “hypervisor” layer in between the VM and the host machine at all.
在所有关于虚拟机管理程序的讨论之后,您可能想知道为什么我们在VM和主机之间完全需要这个额外的“管理程序”层。
Well, since the VM has a virtual operating system of its own, the hypervisor plays an essential role in providing the VMs with a platform to manage and execute this guest operating system. It allows for host computers to share their resources amongst the virtual machines that are running as guests on top of them.
好吧,由于VM具有自己的虚拟操作系统,因此管理程序在为VM提供管理和执行此来宾操作系统的平台方面起着至关重要的作用。 它允许主机计算机在作为其上的客户机运行的虚拟机之间共享资源。
As you can see in the diagram, VMs package up the virtual hardware, a kernel (i.e. OS) and user space for each new VM.
从图中可以看到,VM为每个新VM打包了虚拟硬件,内核(即OS)和用户空间。
容器 (Container)
Unlike a VM which provides hardware virtualization, a container provides operating-system-level virtualization by abstracting the “user space”. You’ll see what I mean as we unpack the term container.
与提供硬件虚拟化的VM不同,容器通过抽象“用户空间”来提供操作系统级的虚拟化。 当我们打开容器一词时,您会明白我的意思。
For all intent and purposes, containers look like a VM. For example, they have private space for processing, can execute commands as root, have a private network interface and IP address, allow custom routes and iptable rules, can mount file systems, and etc.
出于所有目的和目的,容器看起来就像一个VM。 例如,它们具有用于处理的私有空间,可以以root用户身份执行命令,具有私有网络接口和IP地址,允许自定义路由和iptable规则,可以挂载文件系统等。
The one big difference between containers and VMs is that containers *share* the host system’s kernel with other containers.
容器和VM之间的一大区别是,容器与其他容器“共享”主机系统的内核。
This diagram shows you that containers package up just the user space, and not the kernel or virtual hardware like a VM does. Each container gets its own isolated user space to allow multiple containers to run on a single host machine. We can see that all the operating system level architecture is being shared across containers. The only parts that are created from scratch are the bins and libs. This is what makes containers so lightweight.
此图显示容器仅打包用户空间,而不打包内核或虚拟硬件(如VM)。 每个容器都有自己的隔离用户空间,以允许多个容器在单个主机上运行。 我们可以看到所有操作系统级别的体系结构都在容器之间共享。 从头开始创建的唯一部分是垃圾箱和库。 这就是使容器如此轻巧的原因。
Docker进入哪里? (Where does Docker come in?)
Docker is an open-source project based on Linux containers. It uses Linux Kernel features like namespaces and control groups to create containers on top of an operating system.
Docker是一个基于Linux容器的开源项目。 它使用Linux内核功能(如名称空间和控制组)在操作系统之上创建容器。
Containers are far from new; Google has been using their own container technology for years. Others Linux container technologies include Solaris Zones, BSD jails, and LXC, which have been around for many years.
容器并不是什么新鲜事物。 Google多年来一直在使用自己的容器技术。 其他Linux容器技术包括已经存在很多年的Solaris Zones,BSD jails和LXC。
So why is Docker all of a sudden gaining steam?
那么,为什么Docker突然变得蒸蒸日上?
1. Ease of use: Docker has made it much easier for anyone — developers, systems admins, architects and others — to take advantage of containers in order to quickly build and test portable applications. It allows anyone to package an application on their laptop, which in turn can run unmodified on any public cloud, private cloud, or even bare metal. The mantra is: “build once, run anywhere.”
1. 易于使用: Docker使任何人(开发人员,系统管理员,架构师和其他人员)都可以更轻松地利用容器来快速构建和测试便携式应用程序。 它允许任何人将应用程序打包在笔记本电脑上,从而可以在未修改的情况下在任何公共云,私有云甚至裸机上运行。 口号是:“一次建造,随处运行”。
2. Speed: Docker containers are very lightweight and fast. Since containers are just sandboxed environments running on the kernel, they take up fewer resources. You can create and run a Docker container in seconds, compared to VMs which might take longer because they have to boot up a full virtual operating system every time.
2. 速度: Docker容器非常轻巧,快速。 由于容器只是运行在内核上的沙盒环境,因此它们占用的资源更少。 与之相比,VM可能需要更长的时间,因为它们每次必须启动一个完整的虚拟操作系统,因此您可以在几秒钟内创建并运行Docker容器。
3. Docker Hub: Docker users also benefit from the increasingly rich ecosystem of Docker Hub, which you can think of as an “app store for Docker images.” Docker Hub has tens of thousands of public images created by the community that are readily available for use. It’s incredibly easy to search for images that meet your needs, ready to pull down and use with little-to-no modification.
3. Docker Hub: Docker用户还受益于Docker Hub日益丰富的生态系统,您可以将其视为“ Docker映像的应用程序商店”。 Docker Hub拥有由社区创建的数以万计的公共映像,可以随时使用。 搜索满足您需求的图像非常容易,可以随时进行下拉并几乎无需修改即可使用。
4. Modularity and Scalability: Docker makes it easy to break out your application’s functionality into individual containers. For example, you might have your Postgres database running in one container and your Redis server in another while your Node.js app is in another. With Docker, it’s become easier to link these containers together to create your application, making it easy to scale or update components independently in the future.
4. 模块化和可伸缩性: Docker使您可以轻松地将应用程序的功能分解为单独的容器。 例如,您的Postgres数据库可能在一个容器中运行,而Redis服务器在另一个容器中,而Node.js应用程序在另一个容器中。 使用Docker,将这些容器链接在一起以创建您的应用程序变得更加容易,从而使将来轻松地独立扩展或更新组件变得容易。
Last but not least, who doesn’t love the Docker whale? ;)
最后但并非最不重要的一点是,谁不喜欢Docker鲸鱼? ;)
基本Docker概念 (Fundamental Docker Concepts)
Now that we’ve got the big picture in place, let’s go through the fundamental parts of Docker piece by piece:
现在我们已经了解了大局,让我们一步一步地了解Docker的基本部分:
Docker引擎 (Docker Engine)
Docker engine is the layer on which Docker runs. It’s a lightweight runtime and tooling that manages containers, images, builds, and more. It runs natively on Linux systems and is made up of:
Docker引擎是运行Docker的层。 它是一种轻量级的运行时和工具,可管理容器,图像,构建等。 它在Linux系统上本地运行,由以下组件组成:
1. A Docker Daemon that runs in the host computer.2. A Docker Client that then communicates with the Docker Daemon to execute commands.3. A REST API for interacting with the Docker Daemon remotely.
1.在主机上运行的Docker守护进程2。 然后与Docker守护进程通信以执行命令的Docker客户端3。 REST API,用于与Docker Daemon进行远程交互。
Docker客户端 (Docker Client)
The Docker Client is what you, as the end-user of Docker, communicate with. Think of it as the UI for Docker. For example, when you do…
作为Docker的最终用户,您要与Docker Client进行通信。 将其视为Docker的UI。 例如,当您这样做时...
you are communicating to the Docker Client, which then communicates your instructions to the Docker Daemon.
您正在与Docker客户端通信,该客户端随后将您的指令传递给Docker守护程序。
Docker守护程序 (Docker Daemon)
The Docker daemon is what actually executes commands sent to the Docker Client — like building, running, and distributing your containers. The Docker Daemon runs on the host machine, but as a user, you never communicate directly with the Daemon. The Docker Client can run on the host machine as well, but it’s not required to. It can run on a different machine and communicate with the Docker Daemon that’s running on the host machine.
Docker守护程序实际上是执行发送给Docker Client的命令的程序,例如构建,运行和分发容器。 Docker Daemon在主机上运行,但是作为用户,您永远不会直接与Daemon通信。 Docker客户端也可以在主机上运行,但这不是必需的。 它可以在另一台机器上运行,并与在主机上运行的Docker Daemon通信。
Docker文件 (Dockerfile)
A Dockerfile is where you write the instructions to build a Docker image. These instructions can be:
Dockerfile是您编写指令以构建Docker映像的地方。 这些说明可以是:
RUN apt-get y install some-package: to install a software package
运行apt-get y install some-package :安装软件包
EXPOSE 8000: to expose a port
EXPOSE 8000:暴露端口
ENV ANT_HOME /usr/local/apache-ant to pass an environment variable
ENV ANT_HOME / usr / local / apache-ant传递环境变量
and so forth. Once you’ve got your Dockerfile set up, you can use the docker build command to build an image from it. Here’s an example of a Dockerfile:
等等。 设置Dockerfile后,可以使用docker build命令从其构建映像。 这是Dockerfile的示例:
Docker镜像 (Docker Image)
Images are read-only templates that you build from a set of instructions written in your Dockerfile. Images define both what you want your packaged application and its dependencies to look like *and* what processes to run when it’s launched.
图像是只读模板,可根据Dockerfile中编写的一组指令构建。 图像定义了打包应用程序及其依赖项的外观,以及启动时要运行的进程。
The Docker image is built using a Dockerfile. Each instruction in the Dockerfile adds a new “layer” to the image, with layers representing a portion of the images file system that either adds to or replaces the layer below it. Layers are key to Docker’s lightweight yet powerful structure. Docker uses a Union File System to achieve this:
Docker映像是使用Dockerfile构建的。 Dockerfile中的每条指令都会在映像中添加一个新的“层”,其中的层代表映像文件系统的一部分,该文件系统可以添加或替换其下一层。 层是Docker轻量级但功能强大的结构的关键。 Docker使用联合文件系统来实现此目的:
联合文件系统 (Union File Systems)
Docker uses Union File Systems to build up an image. You can think of a Union File System as a stackable file system, meaning files and directories of separate file systems (known as branches) can be transparently overlaid to form a single file system.
Docker使用联合文件系统构建映像。 您可以将联合文件系统视为可堆叠的文件系统,这意味着可以透明地覆盖单独文件系统(称为分支)的文件和目录,以形成单个文件系统。
The contents of directories which have the same path within the overlaid branches are seen as a single merged directory, which avoids the need to create separate copies of each layer. Instead, they can all be given pointers to the same resource; when certain layers need to be modified, it’ll create a copy and modify a local copy, leaving the original unchanged. That’s how file systems can *appear* writable without actually allowing writes. (In other words, a “copy-on-write” system.)
在重叠分支内具有相同路径的目录的内容被视为单个合并目录,从而避免了为每一层创建单独副本的需要。 相反,它们都可以被赋予指向同一资源的指针。 当需要修改某些图层时,它将创建一个副本并修改一个本地副本,而原始副本保持不变。 这就是文件系统可以*显示*可写而不实际允许写入的方式。 (换句话说,就是“写时复制”系统。)
Layered systems offer two main benefits:
分层系统具有两个主要优点:
1. Duplication-free: layers help avoid duplicating a complete set of files every time you use an image to create and run a new container, making instantiation of docker containers very fast and cheap.2. Layer segregation: Making a change is much faster — when you change an image, Docker only propagates the updates to the layer that was changed.
1.免复制:图层有助于避免每次使用映像创建和运行新容器时都复制一整套文件,从而使Docker容器的实例化非常快速且廉价。 层隔离:进行更改要快得多-更改映像时,Docker仅将更新传播到更改的层。
卷数 (Volumes)
Volumes are the “data” part of a container, initialized when a container is created. Volumes allow you to persist and share a container’s data. Data volumes are separate from the default Union File System and exist as normal directories and files on the host filesystem. So, even if you destroy, update, or rebuild your container, the data volumes will remain untouched. When you want to update a volume, you make changes to it directly. (As an added bonus, data volumes can be shared and reused among multiple containers, which is pretty neat.)
卷是容器的“数据”部分,在创建容器时进行初始化。 卷使您能够保留和共享容器的数据。 数据卷与默认的联合文件系统分开,并且作为常规目录和文件存在于主机文件系统上。 因此,即使您破坏,更新或重建容器,数据量也将保持不变。 当您要更新卷时,可以直接对其进行更改。 (额外的好处是,数据量可以在多个容器之间共享和重用,这非常简洁。)
Docker容器 (Docker Containers)
A Docker container, as discussed above, wraps an application’s software into an invisible box with everything the application needs to run. That includes the operating system, application code, runtime, system tools, system libraries, and etc. Docker containers are built off Docker images. Since images are read-only, Docker adds a read-write file system over the read-only file system of the image to create a container.
如上所述,Docker容器将应用程序的软件包装到一个看不见的盒子中,其中包含应用程序需要运行的所有内容。 其中包括操作系统,应用程序代码,运行时,系统工具,系统库等。Docker容器是基于Docker映像构建的。 由于映像是只读的,因此Docker在映像的只读文件系统之上添加了一个读写文件系统,以创建一个容器。
Moreover, then creating the container, Docker creates a network interface so that the container can talk to the local host, attaches an available IP address to the container, and executes the process that you specified to run your application when defining the image.
此外,然后创建容器,Docker创建一个网络接口,以便容器可以与本地主机通信,将可用IP地址附加到容器,并执行您在定义映像时指定的运行应用程序的过程。
Once you’ve successfully created a container, you can then run it in any environment without having to make changes.
成功创建容器后,您可以在任何环境中运行它而无需进行更改。
双击“容器” (Double-clicking on “containers”)
Phew! That’s a lot of moving parts. One thing that always got me curious was how a container is actually implemented, especially since there isn’t any abstract infrastructure boundary around a container. After lots of reading, it all makes sense so here’s my attempt at explaining it to you! :)
! 这是很多活动的部分。 让我一直好奇的一件事是容器的实际实现方式,尤其是因为容器周围没有任何抽象的基础结构边界。 经过大量阅读之后,这一切都是有意义的,因此,这是我尝试向您解释的内容! :)
The term “container” is really just an abstract concept to describe how a few different features work together to visualize a “container”. Let’s run through them real quick:
术语“容器”实际上只是一个抽象概念,用于描述一些不同的功能如何协同工作以可视化“容器”。 让我们快速地快速浏览它们:
1)命名空间 (1) Namespaces)
Namespaces provide containers with their own view of the underlying Linux system, limiting what the container can see and access. When you run a container, Docker creates namespaces that the specific container will use.
命名空间为容器提供了它们自己的底层Linux系统视图,从而限制了容器可以查看和访问的内容。 当您运行容器时,Docker将创建特定容器将使用的名称空间。
There are several different types of namespaces in a kernel that Docker makes use of, for example:
Docker使用的内核中有几种不同类型的名称空间,例如:
a. NET: Provides a container with its own view of the network stack of the system (e.g. its own network devices, IP addresses, IP routing tables, /proc/net directory, port numbers, etc.).b. PID: PID stands for Process ID. If you’ve ever ran ps aux in the command line to check what processes are running on your system, you’ll have seen a column named “PID”. The PID namespace gives containers their own scoped view of processes they can view and interact with, including an independent init (PID 1), which is the “ancestor of all processes”.c. MNT: Gives a container its own view of the “mounts” on the system. So, processes in different mount namespaces have different views of the filesystem hierarchy.d. UTS: UTS stands for UNIX Timesharing System. It allows a process to identify system identifiers (i.e. hostname, domainname, etc.). UTS allows containers to have their own hostname and NIS domain name that is independent of other containers and the host system.e. IPC: IPC stands for InterProcess Communication. IPC namespace is responsible for isolating IPC resources between processes running inside each container.f. USER: This namespace is used to isolate users within each container. It functions by allowing containers to have a different view of the uid (user ID) and gid (group ID) ranges, as compared with the host system. As a result, a process’s uid and gid can be different inside and outside a user namespace, which also allows a process to have an unprivileged user outside a container without sacrificing root privilege inside a container.
一个。 NET:为容器提供其自己的系统网络堆栈视图(例如其自身的网络设备,IP地址,IP路由表,/ proc / net目录,端口号等)。b。 PID: PID代表进程ID。 如果您曾经在命令行中运行过ps aux来检查系统上正在运行的进程,则将看到一列名为“ PID”的列。 PID名称空间为容器提供了它们可以查看并与之交互的进程的范围视图,包括独立的init(PID 1),即“所有进程的祖先”。 MNT:为容器提供其在系统上的“装载”视图。 因此,不同安装命名空间中的进程对文件系统层次结构的视图不同。d。 UTS: UTS代表UNIX时间共享系统。 它允许进程标识系统标识符(即主机名,域名等)。 UTS允许容器具有独立于其他容器和主机系统的自己的主机名和NIS域名。e。 IPC: IPC代表进程间通信。 IPC名称空间负责隔离每个容器内部运行的进程之间的IPC资源。 USER:此命名空间用于隔离每个容器内的用户。 与主机系统相比,它通过允许容器具有uid(用户ID)和gid(组ID)范围的不同视图来起作用。 结果,进程的uid和gid在用户名称空间的内部和外部可以不同,这还允许进程在容器外部具有未特权用户,而无需牺牲容器内部的root特权。
Docker uses these namespaces together in order to isolate and begin the creation of a container. The next feature is called control groups.
Docker一起使用这些命名空间,以隔离并开始创建容器。 下一个功能称为控制组。
2) 对照组 (2) Control groups)
Control groups (also called cgroups) is a Linux kernel feature that isolates, prioritizes, and accounts for the resource usage (CPU, memory, disk I/O, network, etc.) of a set of processes. In this sense, a cgroup ensures that Docker containers only use the resources they need — and, if needed, set up limits to what resources a container *can* use. Cgroups also ensure that a single container doesn’t exhaust one of those resources and bring the entire system down.
控制组(也称为cgroup)是一种Linux内核功能,可隔离,区分优先级并考虑一组进程的资源使用情况(CPU,内存,磁盘I / O,网络等)。 从这个意义上讲,cgroup确保Docker容器仅使用它们所需的资源,并在需要时对容器可以使用的资源设置限制。 Cgroup还确保单个容器不会耗尽这些资源之一,并且不会导致整个系统瘫痪。
Lastly, union file systems is another feature Docker uses:
最后,联合文件系统是Docker使用的另一个功能:
3) 隔离联合文件系统: (3) Isolated Union file system:)
Described above in the Docker Images section :)
上面在Docker映像部分中描述过:)
This is really all there is to a Docker container (of course, the devil is in the implementation details — like how to manage the interactions between the various components).
这实际上就是Docker容器的全部内容(当然,魔鬼在实现细节中,例如如何管理各个组件之间的交互)。
Docker的未来:Docker和VM将共存 (The Future of Docker: Docker and VMs Will Co-exist)
While Docker is certainly gaining a lot of steam, I don’t believe it will become a real threat to VMs. Containers will continue to gain ground, but there are many use cases where VMs are still better suited.
尽管Docker当然获得了巨大的发展动力,但我认为它不会成为对VM的真正威胁。 容器将继续获得发展,但是在许多用例中,虚拟机仍然更适合。
For instance, if you need to run multiple applications on multiple servers, it probably makes sense to use VMs. On the other hand, if you need to run many *copies* of a single application, Docker offers some compelling advantages.
例如,如果您需要在多台服务器上运行多个应用程序,则使用VM可能很有意义。 另一方面,如果您需要运行单个应用程序的多个副本,则Docker提供了一些引人注目的优势。
Moreover, while containers allow you to break your application into more functional discrete parts to create a separation of concerns, it also means there’s a growing number of parts to manage, which can get unwieldy.
而且,尽管容器使您可以将应用程序分解为功能更强的离散部分以创建关注点分离,但这也意味着要管理的部分越来越多,这可能会变得很笨拙。
Security has also been an area of concern with Docker containers — since containers share the same kernel, the barrier between containers is thinner. While a full VM can only issue hypercalls to the host hypervisor, a Docker container can make syscalls to the host kernel, which creates a larger surface area for attack. When security is particularly important, developers are likely to pick VMs, which are isolated by abstracted hardware — making it much more difficult to interfere with each other.
安全性也是Docker容器关注的领域-由于容器共享同一内核,因此容器之间的壁垒更薄。 完整的VM只能向主机管理程序发出超级调用,而Docker容器可以对主机内核进行syscall,从而为攻击创造了更大的表面积。 当安全性特别重要时,开发人员很可能会选择虚拟机,这些虚拟机被抽象的硬件隔离,从而使相互之间的干扰更加困难。
Of course, issues like security and management are certain to evolve as containers get more exposure in production and further scrutiny from users. For now, the debate about containers vs. VMs is really best off to dev ops folks who live and breathe them everyday!
当然,随着容器在生产中的曝光率越来越高,并且受到用户的进一步审查,诸如安全性和管理之类的问题肯定会发展。 就目前而言,有关容器与VM的辩论实际上最适合每天生活和呼吸它们的开发人员!
结论 (Conclusion)
I hope you’re now equipped with the knowledge you need to learn more about Docker and maybe even use it in a project one day.
我希望您现在已经具备了了解更多关于Docker的知识,甚至有一天甚至可以在一个项目中使用它。
As always, drop me a line in the comments if I’ve made any mistakes or can be helpful in anyway! :)
与往常一样,如果我有任何错误或仍然可以为您提供帮助,请在评论中在一行中添加一行! :)