What is meant by shared kernel in Docker?


Question


In Docker, the guest OS shares the same kernel as the host OS.

Can someone elaborate more on it?

Say I have a CentOS OS with some kernel version; when we pull an Ubuntu image, it has a different kernel, so how can we say that they have the same kernel?

Solution

when we pull an Ubuntu image, it has a different kernel

No, it does not: it does not have the kernel part: it relies on the kernel of the host (the one running the docker engine) for all system calls.

As mentioned in "Docker vs Virtualization":

Initially Docker was built as an abstraction layer on top of Linux Containers (LXC). LXC itself is just an API for the Linux containment features.
Starting with Docker 0.9, LXC is not the default anymore and has been replaced with a custom library (libcontainer) written in Go. Overall libcontainer’s advantage is a more consistent interface to the Kernel across various Linux distributions. The only gotcha is that it requires Linux 3.8 and higher.

See more at "Why Understanding User Space vs. Kernel Space Matters".
Also "Operating System Containers vs. Application Containers":

Containers are the products of operating system virtualization. They provide a lightweight virtual environment that groups and isolates a set of processes and resources such as memory, CPU, disk, etc., from the host and any other containers.
The isolation guarantees that any processes inside the container cannot see any processes or resources outside the container.

OS containers are virtual environments that share the kernel of the host operating system but provide user space isolation

As mentioned in "Do all Linux distros use the same kernel?", a kernel can be shared across distros, even if each distro has its own configuration of the kernel.


If you need more isolation, consider gVisor (https://github.com/google/gvisor), a container sandbox runtime focused on security, efficiency, and ease of use. (2018).
See Architecture:

gVisor intercepts application system calls and acts as the guest kernel, without the need for translation through virtualized hardware.

gVisor may be thought of as either a merged guest kernel and VMM, or as seccomp on steroids.
This architecture allows it to provide a flexible resource footprint (i.e. one based on threads and memory mappings, not fixed guest physical resources) while also lowering the fixed costs of virtualization.
However, this comes at the price of reduced application compatibility and higher per-system call overhead.
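An added example (not part of the question or the answer above): a small Python script that separates what a container gets from its image from what it gets from the host. `/etc/os-release` belongs to the image's user space, while `/proc/version` is served by the host kernel; the script parses both and compares a CentOS host view with an Ubuntu container view. The sample file contents are constructed.

```python
"""Separate user-space identity (from the image) from kernel identity (from the host)."""
import re
import shlex


def parse_os_release(text):
    """Parse /etc/os-release (KEY=value lines, values optionally quoted) into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # shlex handles the shell-style quoting os-release uses for values with spaces
        fields[key.strip()] = " ".join(shlex.split(value))
    return fields


def parse_proc_version(text):
    """Extract the kernel release string from /proc/version."""
    match = re.match(r"Linux version (\S+)", text.strip())
    if not match:
        raise ValueError("unrecognised /proc/version content: %r" % text)
    return match.group(1)


def compare_views(host, container):
    """Compare a host view with a container view; each view is (os_release, proc_version)."""
    host_os, cont_os = parse_os_release(host[0]), parse_os_release(container[0])
    return {
        "same_distro": host_os.get("ID") == cont_os.get("ID"),
        "same_userspace_version": host_os.get("VERSION_ID") == cont_os.get("VERSION_ID"),
        "same_kernel": parse_proc_version(host[1]) == parse_proc_version(container[1]),
    }


# Constructed sample data: a CentOS 7 host running an Ubuntu 20.04 image.
HOST_PROC_VERSION = "Linux version 3.10.0-1160.el7.x86_64 (builder@host) (gcc version 4.8.5) #1 SMP"
HOST_OS_RELEASE = 'NAME="CentOS Linux"\nVERSION="7 (Core)"\nID="centos"\nVERSION_ID="7"\n'
CONTAINER_OS_RELEASE = 'NAME="Ubuntu"\nVERSION="20.04.6 LTS (Focal Fossa)"\nID=ubuntu\nVERSION_ID="20.04"\n'

HOST_VIEW = (HOST_OS_RELEASE, HOST_PROC_VERSION)
# The container has its own /etc/os-release, but /proc/version comes from the shared host kernel.
CONTAINER_VIEW = (CONTAINER_OS_RELEASE, HOST_PROC_VERSION)

if __name__ == "__main__":
    print(compare_views(HOST_VIEW, CONTAINER_VIEW))
```

On a real system, feeding the script the contents of `/etc/os-release` and `/proc/version` read on the host and inside a running container gives the same picture: different distro, identical kernel release.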
