what is Docker
- can be thought of as a lightweight VM
- but the kernel is shared between all containers on the host
- no "guest OS" kernels, just userspace
- think chroot + networking + lots of polish
- uses a copy-on-write filesystem so shared binaries are stored once
docker vs vm

| vm | docker |
|---|---|
| memory is allocated to each vm | free memory is shared across all containers |
| CPU core count is limited per vm | containers have access to all CPU cores |
| tough for one vm to DoS the host by using all CPU or RAM | easy for one container to DoS the host by using all CPU or RAM |
| each vm has a virtual HDD block device | containers get a copy-on-write root filesystem; external folders can be mounted |
| able to mount, unmount, format block devices (ext4, xfs) | containers typically do not manipulate block devices |
| slower IO unless using dedicated block devices for vms | IO performance to bind-mounted directories is the same as on the host |
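The "easy for one container to DoS the host" row is the one that matters operationally: unlike a VM, a container gets every core and all free memory unless the kernel cgroup limits are set explicitly at `docker run` time. The script below is an added example (not part of these notes or of the scripts in Perforce) that wraps `docker run` so a container always starts with a memory, CPU and process-count cap. The flags (`--memory`, `--memory-swap`, `--cpus`, `--pids-limit`) are real Docker CLI flags, but `--cpus` and `--pids-limit` are newer than the 2014-era scripts described here; the image name, default limits and `DRY_RUN` switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example: start a container with hard resource caps so that one
# container cannot starve the host of RAM, CPU or process slots.
# Hypothetical defaults: 2g RAM, 2 CPUs, 512 pids. DRY_RUN=1 only prints the command.

# validate_mem_size SIZE -> 0 if SIZE looks like 512m / 2g / 1024k, else 1
validate_mem_size() {
    case "$1" in
        ''|*[!0-9kmgKMG]*) return 1 ;;   # empty or contains a non digit/unit char
    esac
    case "$1" in
        *[0-9][kmgKMG]) return 0 ;;      # digits followed by exactly one unit
        *) return 1 ;;
    esac
}

# limited_run_args MEM CPUS PIDS -> prints the docker run flags enforcing the caps
# --memory-swap equal to --memory means "no swap on top of the RAM limit".
limited_run_args() {
    mem=$1; cpus=$2; pids=$3
    validate_mem_size "$mem" || { echo "bad memory size: $mem" >&2; return 1; }
    printf '%s' "--memory=$mem --memory-swap=$mem --cpus=$cpus --pids-limit=$pids"
}

# limited_run IMAGE [CMD...] -> runs (or with DRY_RUN=1 prints) the capped docker run
limited_run() {
    image=$1; shift
    flags=$(limited_run_args "${MEM:-2g}" "${CPUS:-2}" "${PIDS:-512}") || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "docker run -d $flags $image $*"
    else
        # $flags is intentionally unquoted: it is a list of separate arguments
        docker run -d $flags "$image" "$@"
    fi
}

# Usage: DRY_RUN=1 MEM=4g CPUS=4 ./limited-run.sh centos:7 sleep 60
if [ "${1:-}" != "" ] && [ "${LIMITED_RUN_MAIN:-0}" = "1" ]; then
    limited_run "$@"
fi
```

To confirm the limits took effect on a running container, `docker inspect --format '{{.HostConfig.Memory}}' NAME` shows the byte value the kernel cgroup was configured with; a value of 0 means "unlimited", which is the default these notes warn about.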
Terms
- Host - the machine running the kernel and Docker
- Container - a VM-like, easily isolated group of processes; a specific Docker "vm" instance
- Image - the template from which a container is created
- Layer - the filesystem overlay generated by each step in an image, saved separately
- Dockerfile - a file containing the Docker scripting language for image creation
- Registry - a server that makes Docker images available for hosts to download
- The Hub - a super-registry run by Docker with closed-source magic
- Pipework - a script used to add an external interface to a container
What we use vs. Docker vision

Services

| Docker | us |
|---|---|
| one service per container | single container treated like a full vm |
| services in containers discover each other via Docker mechanisms | many services in each container |

Networking

| Docker | us |
|---|---|
| forward ports from host to container for specific services | give each container its own network interface, MAC address, IP address |

Filesystem

| Docker | us |
|---|---|
| almost all storage inside the Docker filesystem | bind mount /opt and put most files there |
use cases on our side

share big hardware more easily
- keep multiple "setups" on one machine in containers
- no vm performance overhead
- easily switch between environments

dev environment
- dev setup has been scripted! No page-long wiki!
- lighter weight than a vm == more density
- fuller use of host resources (if on a laptop or workstation)
- separate containers for each project or branch
- easy to rapidly switch between products, installations, branches, different versions

peer development and testing
- set up one container, feed it event data, and clone it 20 times
- great for testing functionality and the peer communication protocol
- still need physical hardware for real-world performance testing

fast track/support
- keep a container for every product and patch combo
- reduce time to reproduce customer issues
- quick shared access to customer-scale hardware
- analyze customer data on customer-scale hardware
- more CPU and IO available
- 50GB heap dumps, no problem!
- sifting through GBs of logs, no problem!
our Docker scripts

overview
- Root is //depot/internal/docker/main
- Subdirectories by role:
  - common – shared among 2 or more roles
  - dockeruser – end-user related scripts (container creation, destruction, management, Docker installation)
  - containerauthor – Docker image creation (scripts for base images, Dockerfiles for dev images, image publication)
  - registryserver – files for spinning up a Docker registry server (hosts images)
  - scripthacker – scripts useful to people editing the other scripts

common
- yum conf and repo files for each RHEL/CentOS image we support
- customized version of the pipework networking script (from GitHub)
  - we retrieved it April 21, 2014, and patched it to fix some things around DHCP
  - looks like the fixes may have been merged upstream; needs investigation
pipework
- creates a macvlan interface on some physical network interface
- sets the interface's network namespace to the container pid
- uses "ip netns exec [pid] [command]" to further set up that interface
  - this runs a command in the container's network namespace without being "fully in" the container
  - used to run udhcpc to get an IP address and network config
- IPv6 just works!
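The five steps above, written out as an added example script. This is not pipework itself (the patched upstream script lives under common/); it is a minimal re-implementation of the same sequence so the namespace trick is visible. It needs root and a running container to do anything real, so it prints the commands unless `DRY_RUN=0`; the host interface `eth0`, the container name `dev1`, the constructed pid `12345` used in dry runs and the `pw$$` temporary interface name are all assumptions.

```shell
#!/bin/sh
# Added example, not pipework: attach a macvlan interface to a container and
# configure it with DHCP from inside the container's network namespace.
# DRY_RUN=1 (the default) prints each command instead of executing it.

run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi; }

# container_pid NAME -> pid of the container's init process
# (docker inspect is real; 12345 is a constructed value for dry runs)
container_pid() {
    if [ "${DRY_RUN:-1}" = "1" ]; then echo 12345; return; fi
    docker inspect --format '{{.State.Pid}}' "$1"
}

# attach_macvlan NAME HOST_IF [GUEST_IF]
attach_macvlan() {
    name=$1; host_if=$2; guest_if=${3:-eth1}
    pid=$(container_pid "$name") || return 1
    tmp_if="pw$$"   # host-side name must be unique; renamed once inside the container

    # 1. macvlan on top of the physical NIC; bridge mode lets containers on the
    #    same NIC reach each other (the host itself cannot, by macvlan design)
    run ip link add link "$host_if" name "$tmp_if" type macvlan mode bridge

    # 2. move the interface into the container's network namespace
    run ip link set "$tmp_if" netns "$pid"

    # 3. expose that namespace to `ip netns` by name: ip looks in /var/run/netns,
    #    and the container's namespace is reachable through /proc/PID/ns/net
    run mkdir -p /var/run/netns
    run ln -sf "/proc/$pid/ns/net" "/var/run/netns/$pid"

    # 4. rename, bring up, and run the DHCP client inside that namespace only.
    #    Note: `ip netns exec` switches the network namespace, nothing else, so
    #    the udhcpc binary comes from the HOST filesystem, not the image.
    run ip netns exec "$pid" ip link set "$tmp_if" name "$guest_if"
    run ip netns exec "$pid" ip link set "$guest_if" up
    run ip netns exec "$pid" udhcpc -i "$guest_if" -q

    # 5. drop the namespace handle so stale entries do not accumulate in /var/run/netns
    run rm -f "/var/run/netns/$pid"
}

# Usage: DRY_RUN=0 ./attach-macvlan.sh dev1 eth0 eth1   (as root)
if [ "${ATTACH_MACVLAN_MAIN:-0}" = "1" ]; then
    attach_macvlan "$@"
fi
```

Two things to keep in mind with this wiring: a macvlan interface puts the container directly on the physical segment with its own MAC, so host iptables rules written against docker0 never see that traffic, and whatever the LAN offers (DHCP leases, IPv6 router advertisements, which is why "IPv6 just works") the container simply takes. The flip side is that udhcpc and any other tool run through `ip netns exec` execute as host root with the host's filesystem; only their network view is the container's.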
dockeruser
- Scripts and files needed to create, manage, and destroy containers.
- Important scripts:
  - make-dev-container.sh – create a new dev environment container
  - make-os-container.sh – create a new vanilla OS container
  - start-dev-container.sh – start an existing container
  - list-containers.sh – list containers running on the host
  - remove-dev-container.sh – remove a container from the host
  - setup-p4-and-docker.sh – install Docker and pull scripts from Perforce
- "Shell libraries" sourced by other scripts:
  - container-functions.sh
  - docker-functions.sh
  - eclipse-functions.sh
  - p4-functions.sh
- Container setup stuff:
  - license mappings for branches
  - SSH keys
script insight
make-dev-container.sh
- create a new container with our dev environment
- for overview, see runAllSteps function
- logs go to /opt/containers/logs/ on host
code overview
- download and extract /opt for container
- pull container image from registry
- start container via start-dev-container.sh
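The three steps of make-dev-container.sh as a runAllSteps-style driver, written as an added example (this is not the Perforce script itself). Each step is logged with a timestamp to the log directory, the driver stops at the first failing step, and the /opt archive is checked against an expected SHA-256 before anything is extracted, so a corrupted or substituted download never lands in the container's /opt. The archive location, expected hash, registry name, image tag and `DRY_RUN` switch are assumptions; `sha256sum` is the GNU coreutils tool, and the Docker commands are only printed unless `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example: a runAllSteps-style driver for "download/extract /opt, pull
# image, start container", with per-step logging and an integrity check.
# Hypothetical: LOG_DIR default, archive source, expected hash, image name.

LOG_DIR=${LOG_DIR:-/opt/containers/logs}

# log MSG... -> timestamped line appended to the per-host log file
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >> "$LOG_DIR/make-dev-container.log"
}

# run CMD... -> logs the command, then prints it (DRY_RUN=1) or executes it
run() { log "+ $*"; if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi; }

# step_fetch_opt ARCHIVE EXPECTED_SHA256 DEST -> verify the archive, then extract it.
# The checksum is compared before mkdir/tar so a bad archive leaves no trace.
step_fetch_opt() {
    archive=$1; expected=$2; dest=$3
    actual=$(sha256sum "$archive" | cut -d' ' -f1) || return 1
    if [ "$actual" != "$expected" ]; then
        log "checksum mismatch for $archive: got $actual want $expected"
        return 1
    fi
    mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# step_pull_image IMAGE -> pull the container image from our registry
step_pull_image() { run docker pull "$1"; }

# step_start NAME -> hand off to start-dev-container.sh as the real script does
step_start() { run ./start-dev-container.sh "$1"; }

# step LABEL CMD... -> run one step with start/done/FAILED log lines
step() {
    label=$1; shift
    log "start: $label"
    if "$@"; then log "done: $label"; else log "FAILED: $label"; return 1; fi
}

# run_all_steps NAME ARCHIVE SHA256 OPT_DIR IMAGE -> 0 only if every step succeeded
run_all_steps() {
    c_name=$1; archive=$2; sum=$3; opt_dir=$4; image=$5
    mkdir -p "$LOG_DIR"
    log "creating container $c_name"
    step fetch_opt  step_fetch_opt "$archive" "$sum" "$opt_dir" &&
    step pull_image step_pull_image "$image" &&
    step start      step_start "$c_name"
}

# Usage: DRY_RUN=0 ./make-dev-container.sh dev1 /tmp/opt.tgz <sha256> /opt/containers/dev1 registry.example:5000/dev:7
if [ "${MAKE_DEV_CONTAINER_MAIN:-0}" = "1" ]; then
    run_all_steps "$@"
fi
```

The expected hash should come from somewhere the download itself cannot alter (for these scripts, checked into Perforce next to the script); computing it from the file just downloaded would only prove the download was not corrupted in transit, not that it is the archive you intended to ship.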