1 Docker Overview
Docker is a lightweight virtualization solution to run multiple virtual units (containers) simultaneously on a single control host. Containers are isolated with Kernel Control Groups ( Control groups ) and Namespace .
Full virtualization solutions such as Xen, KVM, or libvirt are based
on the processor simulating a complete hardware environment and
controlling the virtual machines. However, Docker only provides operating
system-level virtualization where the Linux kernel controls isolated
containers.
Before going into detail about Docker, let's define some of the terms used:
- Docker engine
The docker engine is a server-client type application that performs all tasks related to virtual machines. The Docker engine comprises the following:
daemon - is the server side of the docker engine that manages all docker objects (images, containers, network used by containers, etc.)
REST API - applications can use this API to communicate directly with the daemon
a CLI client - that enables you to communicate with the daemon. If the daemon is running on a different machine than the CLI client, the CLI client can communicate by using network sockets or the REST API provided by the docker engine.
- Image
An image is a read-only template used to create a virtual machine on the host server. A Docker image is made by a series of layers built one over the other. Each layer corresponds to a permanent change, for example an update of an application. The changes are stored in a file called a dockerfile. For more details see the official Docker documentation.
- Dockerfile
A dockerfile stores changes made on top of the base image. The Docker engine reads instructions in the dockerfile and builds a new image according to the instructions.
- Container
A container is a running instance based on a particular Docker Image. Each container can be distinguished by a unique container ID.
- Registry
A registry is storage for already created images. It typically contains several repositories There are two types of registry:
public registry - where everyone (usually registered) can download and use images. A typical public registry is Docker Hub.
private registry - these are accessible for particular users or from a particular private network.
- Repository
A repository is storage in a registry that stores a different version of a particular image. You can pull or push images from or to a repository.
- Control groups
Control groups, also called
cgroups, is a Linux kernel feature that allows aggregating or partitioning tasks (processes) and all their children into hierarchically organized groups to isolate resources.- Namespace
Docker uses namespaces for its containers that isolates resources reserved for particular containers.
Docker is a platform that allows developers and system administrators to manage the complete life cycle of images. Docker makes it easy to build, ship and run images containing applications.
Docker provides you with the following advantages:
Isolation of applications and operating systems through containers.
Near native performance, as Docker manages allocation of resources in real time.
Controls network interfaces and resources available inside containers through cgroups.
Versioning of images.
Allows building new images based on existing ones.
Provides you with container orchestration.
On the other hand, Docker has the following limitations:
Limitations of Docker #
Containers run inside the host system's kernel and cannot use a different kernel.
Only allows Linux guest operating systems.
Docker is not a full virtualization stack like Xen, KVM, or
libvirt.Security depends on the host system. Refer to the official security documentation for more details.
1.1 Docker Architecture #
Docker uses a client/server architecture. You can use the CLI client to communicate with the daemon. The daemon then performs operations with containers and manages images locally or in registry. The CLI client can run on the same server as the host daemon or on a different machine. The CLI client communicates with the daemon by using network sockets. The architecture is depicted in Figure 1.1, “The docker architecture”.
Figure 1.1: The docker architecture #
1.2 Docker Drivers #
1.2.1 Container Drivers #
Docker uses libcontainer as the back-end driver to handle containers.
1.2.2 Storage Drivers #
Docker supports different storage drivers:
vfs: this driver is automatically used when the Docker host file system does not support copy-on-write. This is a simple driver which does not offer some advantages of Docker (like sharing layers, more on that in the next sections). It is highly reliable but also slow.devicemapper: this driver relies on the device-mapper thin provisioning module. It supports copy-on-write, hence it offers all the advantages of Docker.btrfs: this driver relies on Btrfs to provide all the features required by Docker. To use this driver the/var/lib/dockerdirectory must be on a Btrfs file system.AUFS: this driver relies on the AUFS union file system. Neither the upstream kernel nor the SUSE one supports this file system. Hence the AUFS driver is not built into the SUSE Docker package.
SLE 12 uses the Btrfs file system by default, which leads Docker
to use the btrfs driver.
It is possible to specify which driver to use by changing the value of
the DOCKER_OPTS variable defined inside of the
/etc/sysconfig/docker file. This can be done either
manually or using YaST by browsing to › › › › menu and entering the
-s storage_driver string.
For example, to force the usage of the
devicemapper driver enter the
following text:
DOCKER_OPTS="-s devicemapper"
Note: Mounting /var/lib/docker
It is recommended to have /var/lib/docker mounted
on a different file system to not affect the Docker host operating
system in case of a file system corruption.