Docker: under the hood

My slides from workshops on Docker, and a general idea of how it works.


  1. Containers vs VMs
  2–4. Virtual machines vs containers (diagrams)
  5. Only on Linux?
  6. Union filesystems
  7. aufs: Advanced multi-layered unification filesystem
  8–12. aufs (layer diagrams)
  13. aufs commit
  14–15. aufs (layer diagrams)
  16. aufs: alpine > java:7-alpine > java:openjdk-7-alpine (each image is a stack of layers on top of its parent image)
  17. In summary
     • Docker used aufs as its storage driver when these slides were written; current releases default to overlay2, but the layer model is the same.
     • A ‘container’ is a temporary read-write layer on top of other immutable layers.
     • Avoid using `latest`; pin a major-version tag that still receives bug fixes.
     • Deleting a file that came from a previous layer does not shrink the image: the data stays in the lower layer and the deletion is only recorded as a whiteout on top of it.
     • Delete temporary files in the same RUN instruction that created them, before the layer is committed.
     • Use multi-stage builds to copy only the artifacts you need into the final image.
  18. Under the hood
  19. Linux kernel
  20. Namespaces: namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace.
  21. pid, mnt, net, uts, cgroup, ipc, user
  22–25. pid namespace: init (diagrams)
  26–28. pid namespace: init (diagrams; values shown: host PIDs 9596 (67) and 9503, namespace 4026532294, containers 6fe668f0aa02 and 34ca95f504ba)
  29. mnt namespace
     • Isolation of mount points for a group of processes.
     • Mounts made inside the namespace do not propagate to the host’s root filesystem.
     • Uses pivot_root to change the root filesystem.
     • Docker sets up the other requested mounts (volumes, /proc, /dev), then unmounts the original root filesystem.
  30. net namespace
     • Isolation of network interfaces, routes and firewall rules.
     • A physical interface can be moved into a namespace, but Docker’s default bridge driver creates a veth pair per container: one end is moved into the container’s namespace, the other end is attached to the docker0 bridge on the host.
  31. net namespace: the container end of the veth pair appears as an ordinary interface (eth0) inside the namespace (diagram; values shown: 172.17.0.0/16, 172.17.0.4, 172.17.0.3, 172.17.0.2)
  32. uts (UNIX timesharing system): hostname and NIS domain name. cgroup: isolates the view of the cgroup hierarchy; the CPU and memory limits themselves come from cgroups, not from the namespace. ipc (inter-process communication): System V IPC objects and POSIX message queues. user: maps UIDs/GIDs inside the container to unprivileged IDs on the host; Docker only enables it with userns-remap, so by default root in a container is root on the host.
  33–34. Summary: a ‘container’ is a set of Linux namespaces with a ‘jailed’ view of the filesystem. Namespaces only control what a process can see; Docker additionally applies cgroups, a default seccomp profile and a reduced capability set, and the kernel itself is still shared with the host.
  35. Logging
  36. Multiple processes in a single container
     • Generally advised to use separate containers where possible.
     • If processes must be bundled, use a process manager (forego, supervisord).
  37. In summary
     • Log to stdout and stderr.
     • Don’t build your own logging mechanism (e.g. mounting a host volume to write log files into); let the Docker logging driver collect stdout and stderr.
     • Separate each process in your application into its own container.
     • Use a process manager if you have to bundle them together.
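The layer rules in slide 17 (a deleted file still weighs the image down, delete in the same RUN, multi-stage builds) are easiest to see on a toy union filesystem. The model below is an added example, not code from the slides or from Docker: a layer is a dict of path to file bytes, a deletion is a whiteout marker (aufs records these as `.wh.<name>` files; the on-disk format is simplified here), and the sizes, file names and byte counts are constructed.

```python
"""Toy model of a layered (union) image: why 'rm' in a later layer does not
shrink an image, and how a multi-stage build avoids the problem.

Added example, not code from the slides. A layer is a dict mapping path ->
file bytes; a deletion is recorded as a whiteout marker, the way aufs records
.wh.<name> files. The on-disk format is simplified (constructed model)."""

WHITEOUT = None  # marker value: "this path is deleted in this layer"


def merge(layers):
    """Merged read-only view of a layer stack (bottom layer first).
    Upper layers shadow lower ones; a whiteout hides the path entirely."""
    view = {}
    for layer in layers:
        for path, data in layer.items():
            if data is WHITEOUT:
                view.pop(path, None)
            else:
                view[path] = data
    return view


def layer_size(layer):
    """Bytes stored in one layer. A whiteout costs nothing here, but the
    data it hides is still stored (and shipped) in the lower layer."""
    return sum(len(data) for data in layer.values() if data is not WHITEOUT)


def image_size(layers):
    return sum(layer_size(layer) for layer in layers)


def run(layers, commands):
    """Simulate one RUN instruction: apply commands in a fresh read-write layer
    (the 'container'), then commit it as a new immutable layer on the stack.
    commands: ("write", path, bytes) or ("rm", path)."""
    lower = merge(layers)
    rw = {}
    for cmd in commands:
        op, path = cmd[0], cmd[1]
        if op == "write":
            rw[path] = cmd[2]
        elif op == "rm":
            if path in rw and rw[path] is not WHITEOUT:
                del rw[path]          # created in this layer: just drop it
            if path in lower:
                rw[path] = WHITEOUT   # exists below: can only be hidden
        else:
            raise ValueError(f"unknown command {op!r}")
    return layers + [rw]


def copy_from(src_layers, paths):
    """COPY --from=<stage>: take only the named artifacts out of another
    image's merged view and put them in a single new layer."""
    view = merge(src_layers)
    return [{path: view[path] for path in paths}]


# Constructed inputs: a 100-byte base image, a 1000-byte source tarball
# that is only needed at build time, and the 200-byte binary built from it.
BASE = [{"/bin/sh": b"x" * 100}]
SOURCE = b"s" * 1000
BINARY = b"b" * 200


def demo():
    """Return the image sizes for three Dockerfile strategies."""
    # 1. Download and build in one RUN, clean up in a later RUN:
    #    the tarball is hidden by a whiteout but still stored in layer 2.
    bad = run(BASE, [("write", "/tmp/src.tgz", SOURCE), ("write", "/app/bin", BINARY)])
    bad = run(bad, [("rm", "/tmp/src.tgz")])
    # 2. Clean up in the same RUN, before the layer is committed.
    good = run(BASE, [("write", "/tmp/src.tgz", SOURCE),
                      ("write", "/app/bin", BINARY),
                      ("rm", "/tmp/src.tgz")])
    # 3. Multi-stage: a messy builder stage, then copy only the binary.
    builder = run(BASE, [("write", "/tmp/src.tgz", SOURCE), ("write", "/app/bin", BINARY)])
    multistage = BASE + copy_from(builder, ["/app/bin"])
    return {
        "rm_in_later_layer": image_size(bad),    # 1300: tarball still shipped
        "rm_in_same_layer": image_size(good),    # 300
        "multistage": image_size(multistage),    # 300
        "builder": image_size(builder),          # 1300, but never shipped
    }


if __name__ == "__main__":
    for name, size in demo().items():
        print(f"{name:20s} {size:5d} bytes")
```

The merged view of the "rm in a later layer" image no longer lists the tarball, which is why `docker run` looks clean while `docker history` still shows the 1000 bytes. The same applies to secrets: a credential written in one layer and removed in a later one is still extractable from the image.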
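Slides 20 to 28 and the summary in slides 33 to 34 describe a container as a set of namespaces, and the pid-namespace diagrams show a namespace inode (4026532294) and a host PID that has a different PID inside (9596 (67)). The script below, an added example that is not part of the slides or of Docker, shows how to recover that picture from `/proc` on any Linux host: every namespace is identified by the inode behind `/proc/<pid>/ns/<kind>`, processes with the same inode share a namespace, and the `NSpid` line of `/proc/<pid>/status` lists a process's PID at each nesting level. The `SAMPLE_*` values are constructed, not captured from a real host, and the role of PID 9503 is assumed.

```python
"""Group host processes by namespace, the way the pid-namespace slides do
with namespace inode 4026532294 and host PID 9596 (PID 67 inside).

Added example, not code from the slides. Every namespace is identified by the
inode behind /proc/<pid>/ns/<kind> (readlink gives e.g. "pid:[4026532294]");
processes with the same inode are in the same namespace. /proc/<pid>/status
carries an NSpid line (kernel >= 4.1) listing the PID at each nesting level.
The SAMPLE_* values below are constructed, not captured from a real host."""

import os
import re

NS_LINK_RE = re.compile(r"^(\w+):\[(\d+)\]$")


def namespace_id(link_target):
    """'pid:[4026532294]' -> 4026532294 (inode of the namespace)."""
    m = NS_LINK_RE.match(link_target)
    if not m:
        raise ValueError(f"not a namespace link: {link_target!r}")
    return int(m.group(2))


def group_by_namespace(ns_links):
    """{pid: link_target} -> {namespace_id: sorted [pids]}."""
    groups = {}
    for pid, target in ns_links.items():
        groups.setdefault(namespace_id(target), []).append(pid)
    return {ns: sorted(pids) for ns, pids in groups.items()}


def container_namespaces(ns_links, host_pid=1):
    """Groups that are *not* the host's namespace, i.e. candidate containers.
    host_pid is assumed to live in the root namespace; if it is not visible
    (e.g. we are ourselves inside a container), the lowest PID is used."""
    groups = group_by_namespace(ns_links)
    if host_pid not in ns_links:
        host_pid = min(ns_links)
    host_ns = namespace_id(ns_links[host_pid])
    return {ns: pids for ns, pids in groups.items() if ns != host_ns}


def ns_pids(status_text):
    """Parse the NSpid line of /proc/<pid>/status: the process's PID in the
    root namespace first, then in each nested pid namespace."""
    for line in status_text.splitlines():
        if line.startswith("NSpid:"):
            return [int(x) for x in line.split()[1:]]
    raise ValueError("no NSpid line (kernel < 4.1 or not a status file)")


def read_proc_ns(kind="pid"):
    """Live version: {pid: link_target} for every process we may inspect.
    Returns {} where /proc is unavailable; unreadable (other users') or
    already-exited processes are skipped."""
    links = {}
    if not os.path.isdir("/proc"):
        return links
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            links[int(name)] = os.readlink(f"/proc/{name}/ns/{kind}")
        except OSError:
            continue
    return links


# Constructed sample (roles assumed): PID 1 and 9503 in the host namespace,
# two container pid namespaces; 9596 is the slide's process shown as "9596 (67)".
SAMPLE_NS_LINKS = {
    1: "pid:[4026531836]",
    9503: "pid:[4026531836]",
    9596: "pid:[4026532294]",
    9610: "pid:[4026532294]",
    9700: "pid:[4026532300]",
}
SAMPLE_STATUS_9596 = "Name:\tjava\nPid:\t9596\nNSpid:\t9596\t67\nPPid:\t9503\n"

if __name__ == "__main__":
    links = read_proc_ns() or SAMPLE_NS_LINKS
    for ns, pids in container_namespaces(links).items():
        print(f"pid namespace {ns}: {pids}")
    print("9596 is PID", ns_pids(SAMPLE_STATUS_9596)[-1], "inside its namespace")
```

Run as root on a Docker host, `container_namespaces(read_proc_ns())` lists the host-side PIDs of each running container; the same inodes are what `docker inspect --format '{{.State.Pid}}'` plus `ls -l /proc/<pid>/ns/` show, and what `nsenter` joins. Repeating with `kind="mnt"` or `kind="net"` shows that a container is the intersection of several such groups, not a single kernel object.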
