Docker container isolation, does it care about underlying Linux OS?


Problem description


If I run Docker Engine and the same container on a set of different Linux distributions, will the container run in the same way? I am asking because in many cases applications depend on a specific Linux distribution for some resources, such as fonts. If my application running inside a Docker container depends on a font used in Ubuntu (and there may be many other dependencies), how is this managed? Will I need to install the font inside the container, will I need to run Ubuntu inside the container running the application, or does the application use fonts from the underlying OS running the container?

Solution

Any missing resources should be installed in a Docker image (which can start from the ubuntu image).
It should not rely on host for dependencies.

The idea is to be able to reproduce the environment each time a container is run from an image.

A container doesn't see the host resources (besides mounted volumes), since it has the Docker engine between the container and the host, in order to configure cgroups and namespaces to control which resources the container can see and access.

The "fedora" image referenced in jboss/base is the base image:

In Docker terminology, a read-only Layer is called an image. An image never changes.

Since Docker uses a Union File System, the processes think the whole file system is mounted read-write. But all the changes go to the top-most writeable layer, and underneath, the original file in the read-only image is unchanged.
Since images don't change, images do not have state.

See "What is the relationship between the docker host OS and the container base image OS?":

The only relationship between the host OS and the container is the Kernel.

As the kernel is still the kernel of the host, you will not have any specific kernel module/patches provided by the distribution.
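
To illustrate the answer above, here is an added example (not part of the original question or answer) of a Dockerfile that bakes the font dependency into the image instead of relying on the host. The `ubuntu:22.04` tag, the `fonts-ubuntu` package and the `app` user name are assumptions chosen for the illustration.

```dockerfile
# Added example: the font ships in the image, so it is present on any host.
# Assumptions: ubuntu:22.04 base, the fonts-ubuntu package, a user named "app".
FROM ubuntu:22.04

# Install fontconfig and the font family the application needs. The host's
# font directories are not visible in the container unless explicitly mounted.
RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
      fontconfig fonts-ubuntu \
 && rm -rf /var/lib/apt/lists/* \
 && fc-cache -f

# Fail the build early if the font family cannot be found in the image.
RUN fc-list : family | grep -qi 'ubuntu'

# Run the application as an unprivileged user rather than root.
RUN useradd --create-home --shell /usr/sbin/nologin app
USER app
WORKDIR /home/app

# Prints the resolved font (comes from the image layers) followed by the
# kernel release (comes from the host, because the kernel is shared).
CMD ["sh", "-c", "fc-match Ubuntu; uname -r"]
```

Running the resulting image on hosts with different distributions gives the same font line each time, while the kernel release line follows whatever kernel the host runs.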
