Does the kernel version of the Linux machine on which I build images (the one running febootstrap and Docker) have to match the kernel version of the OS base image I want to build? Or is there no such restriction?
The OS kernel must be identical or compatible; there are no other requirements.
Literally, the only thing they have in common is the kernel. Their whole world (file system) is in the docker container.
Docker image compatibility and resource sharing?
Must the platform where the image is built and the host that runs the container be the same environment (the same kernel only, or completely identical)? Are there any special requirements here?
A Docker container is not a complete virtual machine. When an OS-level base image is built on a host, are the components the host already has left out, with only the components the host lacks packed into the image?
Which components of the Docker host and the image are packaged into the image, and which use the host's resources?
Docker does a process isolation leveraging LXC (a kind of lightweight virtualisation built into Linux Kernel).
The basic difference between LXC and VMs is that with LXC there is only one instance of Linux Kernel running.
The base image OS is used for filesystem, binaries, etc.
The base image OS uses its own independent filesystem and binaries (libraries and executables); all system calls go through the host OS kernel.
You are lacking basic Docker concepts. It's a completely different thing.
The first thing you need to know is Docker's philosophy: run one process isolated in a container. You won't run an OS in a Docker container, you will run a process inside a container with a root filesystem content based on a linux distribution of your choosing. Ubuntu is a choice among others.
Now you should wonder how is it possible to get a process running inside a linux base image different from the linux distribution your host is running with. For an OS to run you basically need:
- A boot filesystem : contains the bootloader and the kernel that will reside in memory once loaded. We don't care about this in the case of Docker containers because the kernel is shared with the host and is the common part between all linux distributions.
- A root filesystem : contains the filesystem structure. It may be different from one linux distribution to another. It's read-only until the boot sequence has finished.
Docker uses UnionFS to manage layers of disk blocks inside a container so you can pile them.
Behind the scenes, it uses a union mount which allows multiple filesystems to be mounted at the same time, appearing like a whole virtual one. It in fact drops the base image layer as read-write mode on top of the base root filesystem in read-only mode.
Here you have a pile of disk blocks layered in a way that the linux distribution the base image comes from would contain the same filesystem once installed in a real host, but it's inside a container this time.
The last thing lacking now is: how do you run this thing isolated?
The answer is: namespaces. I won't go into the details here because it would deviate a bit from the original question. But what you need to know is that since kernel 2.4.19, namespaces of various kinds have appeared along the years. Currently the following namespaces are available:
- IPC : IPC namespace (interprocess communications)
- MNT : mount namespace
- NET : network namespace
- PID : pid namespace
- USER : user namespace (uid)
- UTS : UTS namespace (hostnames)
Namespaces are isolated structures inside the kernel that allow processes to run with a particular environment. For instance MNT namespace will be the key feature to get a process running in the base image root filesystem specificities. NET namespace will be another key feature for a container to have specific network interfaces in order to communicate with the docker bridge etc.
So, yes, the main purpose of all of this is to run an application isolated, ship it from your local environment to production easily with inside a box called container.
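As an added example, not part of the quoted answers or of Docker's own tooling: a small POSIX shell audit that compares the namespaces of two processes through /proc/<pid>/ns, the kernel interface that reflects the six namespace kinds listed above. It assumes a Linux host with /proc mounted; the container name mycontainer in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the quoted answers): audit which of the six
# namespace kinds listed above two processes share, by comparing the
# namespace identifiers exposed under /proc/<pid>/ns on Linux.
# Each entry there is a symlink whose target looks like "mnt:[4026531840]";
# two processes are in the same namespace exactly when the targets match.

NS_KINDS="ipc mnt net pid user uts"

# ns_id PID KIND: print the namespace identifier of PID for KIND.
# Prints "KIND:[unreadable]" when /proc is absent or permission is denied
# (e.g. inspecting another user's process without root).
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null || printf '%s:[unreadable]\n' "$2"
}

# ns_diff PID_A PID_B: print one line per namespace kind, "KIND shared" or
# "KIND separate (A vs B)", and return the number of kinds that differ.
ns_diff() {
    nsd_a=$1; nsd_b=$2; nsd_n=0
    for k in $NS_KINDS; do
        ia=$(ns_id "$nsd_a" "$k")
        ib=$(ns_id "$nsd_b" "$k")
        if [ "$ia" = "$ib" ]; then
            printf '%s shared\n' "$k"
        else
            printf '%s separate (%s vs %s)\n' "$k" "$ia" "$ib"
            nsd_n=$((nsd_n + 1))
        fi
    done
    return "$nsd_n"
}

# ns_shared_count PID_A PID_B: number of namespace kinds the two share (0-6).
ns_shared_count() {
    ns_diff "$1" "$2" | grep -c ' shared$'
}

# Typical use from the Docker host, comparing PID 1 (the host's init) with a
# container's main process (mycontainer is a placeholder name); a "shared"
# net or pid line means the container was started with --net=host or
# --pid=host and is not isolated in that dimension:
#   ns_diff 1 "$(docker inspect -f '{{.State.Pid}}' mycontainer)"
# Comparing the shell with itself reports every kind as shared:
#   ns_diff $$ $$
```

Because the kernel is the single shared component, the same check run inside and outside a container always reports the same uname -r, while mnt, pid and net should differ for a normally started container.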
A Docker container uses the MNT namespace together with UnionFS to mount its own independent root filesystem; this is the technical basis on which Docker images can be packaged in layers. A Docker container also uses namespaces and cgroups; this is the technical basis that guarantees container isolation.
The base image OS exists to provide a common runtime environment for all components; every other component builds its own application layer on top of this base OS image. This layered approach has several advantages: it reduces image size, enables reuse, provides a common platform layer for multiple components, and lets a layer be added or rolled back at any time.
References:
http://serverfault.com/questions/659557/os-docker-container-what-is-the-difference-with-a-vm-then
http://stackoverflow.com/questions/18786209/what-is-the-relationship-between-the-docker-host-os-and-the-container-base-image?rq=1
http://stackoverflow.com/questions/20823788/docker-is-not-vm-why-container-need-base-image-os