Understand
how Docker works
小拿@果壳
2015.10.28
Outline
• Virtualization
• Hypervisor
• chroot, namespaces, cgroups, AuFS
• LXC
• Container
• Docker
Virtualization
Virtualization is a proven software technology that
makes it possible to run multiple operating systems
and applications on the same server at the same time.
Features
• transform hardware to software
• run multiple operating systems as virtual
machines
Intuitive Idea
Hypervisor (VMM)
a “meta” operating system
in a virtualized environment
Types of Hypervisors
• native or bare-metal hypervisors
• hosted hypervisors
Bare-Metal Hypervisor
Hosted Hypervisor
Space-Time Analysis
• heavy
• slow
docker is a lightweight
(giant 1) chroot
A chroot on Unix operating systems is an operation
that changes the apparent root directory for the
current running process and its children.
chroot jail
root directory
Two Linux process resource
management solutions
• namespaces (what you have)
• cgroups (what you can do)
(giant 2) Linux Namespace
• A lightweight process virtualization
• Isolation: Enable a process to have different
views of the system than other processes.
Features
• PID namespace provides isolation for the allocation of process identifiers
(PIDs), lists of processes and their details. While the new namespace is
isolated from other siblings, processes in its "parent" namespace still see all
processes in child namespaces—albeit with different PID numbers.
• Network namespace isolates the network interface controllers (physical or
virtual), iptables firewall rules, routing tables etc. Network namespaces can be
connected with each other using the "veth" virtual Ethernet device.
• UTS namespace allows changing the hostname.
• Mount namespace allows creating a different file system layout, or making
certain mount points read-only.
• IPC namespace isolates the System V inter-process communication between
namespaces.
• User namespace isolates the user IDs between namespaces.
Operations
• CLONE_NEWIPC
• CLONE_NEWNET
• CLONE_NEWNS
• CLONE_NEWPID
• CLONE_NEWUSER
• CLONE_NEWUTS
Example (PID) from coolshell
Example (PID)
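What the coolshell PID example on this slide demonstrates, written here as an added example rather than the slide's own code: a child cloned with CLONE_NEWPID sees itself as PID 1, while a plain clone sees an ordinary PID. The function name pid_seen_by_child is an assumption of this example; creating the namespace needs CAP_SYS_ADMIN (root), otherwise clone(2) fails with EPERM and the function returns -1.

```c
// Added example (not the slides' own code): clone(2) a child into a new PID
// namespace and report the PID the child sees for itself (needs CAP_SYS_ADMIN).
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child entry: send the PID it observes for itself back through a pipe. */
static int child_report_pid(void *arg) {
    int *fds = arg;
    pid_t self = getpid();            /* 1 inside a fresh PID namespace */
    close(fds[0]);
    if (write(fds[1], &self, sizeof self) != sizeof self) return 1;
    return 0;
}

/* Clone a child with ns_flags (e.g. CLONE_NEWPID) and return the PID the
 * child saw for itself, or -1 with errno set if clone(2) was refused. */
pid_t pid_seen_by_child(int ns_flags) {
    int fds[2];
    if (pipe(fds) == -1) return -1;
    char *stack = malloc(1 << 20);    /* 1 MiB stack for the child */
    if (!stack) { close(fds[0]); close(fds[1]); return -1; }
    /* clone() takes the top of the stack; SIGCHLD lets the parent wait */
    pid_t child = clone(child_report_pid, stack + (1 << 20),
                        ns_flags | SIGCHLD, fds);
    int clone_errno = errno;
    close(fds[1]);
    pid_t seen = -1;
    if (child != -1) {
        if (read(fds[0], &seen, sizeof seen) != sizeof seen) seen = -1;
        waitpid(child, NULL, 0);
    }
    close(fds[0]);
    free(stack);
    errno = clone_errno;              /* preserve the reason clone() failed */
    return seen;
}

int main(void) {
    printf("plain child sees pid %d\n", (int)pid_seen_by_child(0));
    pid_t isolated = pid_seen_by_child(CLONE_NEWPID);  /* root required */
    printf("child in new PID namespace sees pid %d (-1 = refused)\n", (int)isolated);
    return 0;
}
```

Run it as root to see the isolated child report PID 1; as an unprivileged user the second call prints -1 because the kernel refuses the new namespace.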
(giant 3) cgroups
cgroups is a Linux kernel feature that limits, accounts
for, and isolates the resource usage (CPU, memory,
disk I/O, network, etc.) of a collection of processes.
Features
• Resource limitation: groups can be set to not exceed a
configured memory limit, which also includes the file
system cache
• Prioritization: some groups may get a larger share of
CPU utilization or disk I/O throughput
• Accounting: measures how much resources certain
systems use, which may be used, for example, for billing
purposes
• Control: freezing the groups of processes, their
checkpointing and restarting
Operations
Example (CPU) from coolshell
LXC
LinuX Container = namespaces + cgroups
(giant 4) AuFS
AuFS (Advanced multi layered Unification FileSystem)
implements a union mount for Linux file systems.
“When I see a bird that walks like a duck and
swims like a duck and quacks like a duck,
I call that bird a duck.”
Duck Typing
Docker = LXC + AuFS
• chroot
• namespaces
• cgroups
• aufs
• …
Container
Pros and Cons
Why must boot2docker be installed?
Why does it only contain Linux distros?
End
justinli.ljt@gmail.com