docker container does not need an OS, but each container has one. Why?


Problem description

"docker" is a buzz word these days and I'm trying to figure out what it is and how it works. And more specifically, how is it different from the normal VM (e.g. VirtualBox, HyperV or VMware solutions).


The introduction section of the documentation (https://docs.docker.com/get-started/#a-brief-explanation-of-containers) reads:


Containers run apps natively on the host machine’s kernel. They have better performance characteristics than virtual machines that only get virtual access to host resources through a hypervisor. Containers can get native access, each one running in a discrete process, taking no more memory than any other executable.


Bingo! Here is the difference. Containers run directly on the kernel of hosting OS, this is why they are so lightweight and fast (plus they provide isolation of processes and nice distribution mechanism in the shape of docker hub, which plays well with the ability to connect containers with each other).


But wait a second. I can run Linux applications on Windows using docker - how can it be? Sure, there is some VM. Otherwise we would just not get the job done...


OK, but what does it look like when we work on a Linux host? And here comes the real confusion... there one still defines an OS as a base image for every image we want to create. Even if we say "FROM scratch" - scratch is still some minimalistic kernel... So here comes


QUESTION 1: If I run e.g. a CentOS host, can I create a container which would directly use the kernel of this host operating system (and not a VM, which includes its own OS)? If yes, how can I do it? If no, why does the documentation of docker lie to us (as then docker images always run within some VM and it is not too much different from other VMs, or is it?)?


After some thinking about it and looking around I was wondering, if some optimization is done for running the images. Here comes


QUESTION 2: If I run two containers, images of both of which are based on the same parent image, will this parent image be loaded into memory only once? Will there be one VM for each container or just one, which runs both containers? And what if we use different OSs?

The third question is rather tricky:


QUESTION 3: Are there somewhere some resources which describe this kind of thing... because most of the articles which discuss docker just tell "it is so cool, you must definitely use it. Just run one command and be happy"... which does not explain too much.

Thanks.

Answer


Docker "containers" are not virtual machines; they are just regular processes running on the host system (and thus always on the host's Linux kernel) with some special configuration to partition them off from the rest of the system.


You can see this for yourself by starting a process in a container and doing a ps outside the container; you'll see that process in the host's list of all processes. Running ps in the containerized process, however, will show only processes in that container; limiting the view of processes on the system is one of the facilities that containerization provides.


The container is also usually given a limited or separate view of many other system resources, such as files, network interfaces and users. In particular, containerized processes are often given a completely different root filesystem and set of users, making it look almost as if it's running on a separate machine. (But it's not; it still shares the host's CPU, memory, I/O bandwidth and, most importantly, Linux kernel of the host.)

To answer your specific questions:


  1. On CentOS (or any other system), all containers you create are using the host's kernel. There is no way to create a container that uses a different kernel; you need to start a virtual machine for that.


  2. The image is just files on disk; these files are "loaded into memory" in the same way any files are. So no, for any particular disk block of a file in a shared parent image there will never be more than one copy of that disk block in memory at once. However, each container has its own private "transparent" filesystem layer above the base image layer that is used to handle writes, so if you change a file the changed blocks will be stored there, and will now be separate from the underlying image that other processes (who have not changed any blocks in that file) see.


  3. In Linux you can try man cgroups and man cgroup_namespaces to get some fairly technical details about the cgroup mechanism, which is what Docker (and any other containerization scheme on Linux) uses to limit and change what a containerized process sees. I don't have any other particular suggestions on readings directly related to this, but I think it might help to learn the technical details of how processes and various other systems work on Unix and POSIX systems in general, because understanding that gives you the background to understand what kinds of things containerization does. Perhaps start with learning about the chroot(2) system call and programming with it a bit (or even playing around with the chroot(8) program); that would give you a practical hands-on example of how one particular area of containerization works.

Follow-up questions:


  1. There is no kernel version matching; only the one host kernel is ever used. If the program in the container doesn't work on that version of that kernel, you're simply out of luck. For example, try running the Docker official centos:6 or centos:5 container on a Linux system with a 4.19 or later kernel, and you'll see that /bin/bash segfaults when you try to start it. The kernel and userland program are not compatible. If the program tries to use newer facilities that are not in the kernel, it will similarly fail. This is no different from running the same binaries (program and shared libraries!) outside of a container.


  2. Windows and Macintosh systems can't run Linux containers directly, since they're not Linux kernels with the appropriate facilities to run even Linux programs, much less supporting the same extra cgroup facilities. So when you install Docker on these, generally it installs a Linux VM on which to run the containers. Almost invariably it will install only a single VM and run all containers in that one VM; to do otherwise would be a waste of resources for no benefit. (Actually, there could be benefit in being able to have several different kernel versions, as mentioned above.)
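The answer's central point (a container is an ordinary process with a private view of namespaces and cgroups, on the one shared host kernel) can be checked from inside any process. The script below is an added example, not code from the post or from Docker: it reads the /proc/<pid>/ns/* links and /proc/self/cgroup that Linux exposes, parses them, and reports the kernel release, which is identical inside and outside every container on a host. The cgroup samples (including the container id 0123abcd) are constructed for illustration, and the runtime-name patterns are a heuristic, not a Docker API.

```python
"""Inspect what a Linux "container" really is: a process with its own
namespaces and cgroup on the single shared host kernel.

Added example, not the post's code. Live checks need a Linux /proc; the
parsing helpers run anywhere on constructed input.
"""
import os
import platform
import re

# Namespace kinds exposed under /proc/<pid>/ns on modern Linux kernels.
NS_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

# Constructed samples of /proc/self/cgroup: a docker container on cgroup v1,
# and a plain host login session on cgroup v2 (container id is made up).
SAMPLE_DOCKER_V1 = """12:pids:/docker/0123abcd
11:memory:/docker/0123abcd
1:name=systemd:/docker/0123abcd
"""
SAMPLE_HOST_V2 = "0::/user.slice/user-1000.slice/session-2.scope\n"


def parse_cgroup_file(text):
    """Parse 'hierarchy:controllers:path' lines into {controllers: path}.
    Handles cgroup v1 (many lines) and v2 (single '0::/path' line)."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hierarchy, controllers, path = line.split(":", 2)
        result[controllers] = path
    return result


def looks_containerized(cgroup_text):
    """Heuristic (assumption, not a Docker interface): container runtimes put
    the process in a cgroup whose path names the runtime. Returns the
    matching cgroup path, or None for a process that is not in one."""
    pattern = re.compile(r"/(docker|kubepods|lxc|containerd|podman)[/\-]")
    for path in parse_cgroup_file(cgroup_text).values():
        if pattern.search(path + "/"):
            return path
    return None


def namespace_ids(pid="self"):
    """Return {kind: 'pid:[4026531836]'} from the /proc/<pid>/ns/* symlinks.
    Two processes with equal link targets are in the same namespace.
    Reading another process's links requires ptrace access to it."""
    ids = {}
    for kind in NS_KINDS:
        try:
            ids[kind] = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:
            pass  # non-Linux, kind not supported, or permission denied
    return ids


def shared_namespaces(ids_a, ids_b):
    """Namespace kinds shared by two processes. Two containers on one host
    normally share none of pid/mnt/net/uts/ipc, yet run on the same kernel."""
    return sorted(k for k in ids_a if k in ids_b and ids_a[k] == ids_b[k])


def kernel_release():
    """uname -r: the same value inside and outside every container on the
    host, because there is only one kernel."""
    return platform.release()


if __name__ == "__main__":
    print("kernel release:", kernel_release())
    print("my namespaces:", namespace_ids("self"))
    try:
        with open("/proc/self/cgroup") as f:
            print("container cgroup:", looks_containerized(f.read()))
    except OSError:
        print("no /proc/self/cgroup on this system")
```

Run it once on the host and once with docker run, mounting nothing: the kernel release line matches, while the pid, mnt, net and uts namespace ids differ, which is exactly why ps inside the container lists only the container's processes.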
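Point 2 of the answer (read-only image layers shared by every container, plus one private writable layer per container) is easier to see as code. The model below is an added example, not the post's code and not Docker's overlay driver: dicts stand in for on-disk layers, file contents stand in for disk blocks, and the WHITEOUT marker plays the role a deleted-file marker plays in a union filesystem. The image contents in demo() are constructed.

```python
"""Copy-on-write layering model: shared read-only image layers below,
one private writable layer per container above.

Added example; a simplified model, not Docker's overlay2 implementation.
"""

# Marker stored in the upper layer when a container deletes an image file;
# the image itself is never modified.
WHITEOUT = object()


class LayeredFS:
    """A container's view: lower layers (the image) plus its own upper layer."""

    def __init__(self, lower_layers):
        self.lower = list(lower_layers)  # shared with every other container
        self.upper = {}                  # this container's writes only

    def read(self, path):
        """Upper layer wins; otherwise search image layers top-down."""
        if path in self.upper:
            if self.upper[path] is WHITEOUT:
                raise FileNotFoundError(path)
            return self.upper[path]
        for layer in reversed(self.lower):
            if path in layer:
                return layer[path]
        raise FileNotFoundError(path)

    def write(self, path, data):
        """Copy-on-write: the change lands in the upper layer only."""
        self.upper[path] = data

    def delete(self, path):
        """Hide an image file from this container without touching the image."""
        self.read(path)  # raises if the file does not exist in this view
        self.upper[path] = WHITEOUT

    def listdir(self):
        """Union of all layers, minus whiteouts, as this container sees it."""
        names = set()
        for layer in self.lower:
            names.update(layer.keys())
        for path, data in self.upper.items():
            if data is WHITEOUT:
                names.discard(path)
            else:
                names.add(path)
        return sorted(names)


def demo():
    """Two containers from one image: A modifies and deletes files, B and the
    image are unaffected, and A's upper layer holds only A's two changes."""
    base = {"/etc/os-release": "ID=centos\n", "/bin/sh": "<binary>"}  # constructed
    app = {"/app/main.py": "print('hi')\n"}                           # constructed
    image = [base, app]          # one image, two layers on disk
    a = LayeredFS(image)         # container A
    b = LayeredFS(image)         # container B, same image
    a.write("/etc/os-release", "ID=modified\n")
    a.delete("/bin/sh")
    return {
        "a_sees": a.read("/etc/os-release"),
        "b_sees": b.read("/etc/os-release"),
        "image_unchanged": base["/etc/os-release"],
        "a_files": a.listdir(),
        "b_files": b.listdir(),
        "a_upper_size": len(a.upper),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The shared lower layers are why two containers from the same parent image do not double the disk or page-cache cost: only the blocks a container writes get a private copy, in that container's own layer.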

