Docker Containers and Container Cloud Study Notes

January 26, 2026 · Software Engineering
Tecker Yu, AI Native Cloud Engineer × Part-time Investor

  • IaaS: Infrastructure as a Service
  • PaaS: Platform as a Service
  • SaaS: Software as a Service

Container cloud uses containers as the basic unit for resource segmentation and scheduling, focusing on resource sharing and isolation, container orchestration and deployment.

Every docker command is sent to the Docker daemon for processing. This daemon is by default bound to a Unix socket.

  • Dockerfile -> build -> image.
  • Running an image creates a container.
  • Push publishes images, with tags for version control.
  • Containers have lifecycles.
  • Each time a new container is created, Docker assigns a new ID as a unique identifier.
  • docker commit can freeze a container into a new image, preserving tools installed in the container, but the official recommendation is to use a Dockerfile build to create images.

When nodes are linked, the IP mappings are maintained automatically through hosts files, similar to DNS, so container IPs can change arbitrarily. The startup order of linked nodes is therefore crucial: nodes that need to be exposed to the public network should start last. Configuration files and other editable files should be shared with the host machine through data volumes. When filling in IP configurations, enter the connection name from the link parameter; when connecting, the container automatically looks up the actual IP address in hosts.

Namespace

  • PID resolves process conflicts
  • Network resolves network configuration conflicts
  • Mount handles file mounting
  • User resolves user conflicts

Processes under the same namespace can perceive changes from each other, while remaining unaware of the outside world.

Use clone() to create new namespaces. To view a process's namespaces, look at the files under the /proc/[pid]/ns directory. If the entries for two processes point to the same namespace, the two processes are in the same namespace.
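The /proc/[pid]/ns comparison described above, as an added example that is not part of the original notes. It reads the namespace links of two processes and reports which namespaces they still share, which is a quick way to audit how isolated a containerized process really is. The function names, the `proc_root` parameter and the sample PIDs and inode numbers are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Each entry in /proc/[pid]/ns is a symlink whose target looks like "net:[4026531840]".
NS_LINK = re.compile(r"^[a-z_]+:\[(\d+)\]$")

def read_namespaces(pid, proc_root="/proc"):
    """Return {entry name: namespace inode} for <proc_root>/<pid>/ns."""
    ns_dir = os.path.join(proc_root, str(pid), "ns")
    result = {}
    for name in sorted(os.listdir(ns_dir)):
        try:
            target = os.readlink(os.path.join(ns_dir, name))
        except OSError:
            continue  # process exited or entry not readable without privileges
        match = NS_LINK.match(target)
        if match:
            result[name] = int(match.group(1))
    return result

def shared_namespaces(pid_a, pid_b, proc_root="/proc"):
    """Namespace kinds where both processes point at the same inode."""
    a = read_namespaces(pid_a, proc_root)
    b = read_namespaces(pid_b, proc_root)
    return sorted(k for k in a.keys() & b.keys() if a[k] == b[k])

# Constructed sample: PID 1 stands for host init, PID 4242 for a container
# process with its own pid/mnt/uts/ipc namespaces that still shares net and user.
SAMPLE = {
    1: {"pid": 4026531836, "net": 4026531840, "mnt": 4026531841,
        "uts": 4026531838, "ipc": 4026531839, "user": 4026531837},
    4242: {"pid": 4026532501, "net": 4026531840, "mnt": 4026532499,
           "uts": 4026532500, "ipc": 4026532502, "user": 4026531837},
}

def demo():
    """Build a fake /proc tree from SAMPLE and compare the two processes."""
    with tempfile.TemporaryDirectory() as root:
        for pid, spaces in SAMPLE.items():
            ns_dir = os.path.join(root, str(pid), "ns")
            os.makedirs(ns_dir)
            for kind, inode in spaces.items():
                os.symlink(f"{kind}:[{inode}]", os.path.join(ns_dir, kind))
        return shared_namespaces(1, 4242, proc_root=root)

if __name__ == "__main__":
    print("still shared with PID 1:", demo())
```

On a real host, call `shared_namespaces(1, <pid>)` with the default `proc_root`; reading another user's ns entries usually requires root.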

setns() can be used to join an already existing namespace. The process moves from its original namespace into the existing one, then uses clone() to create child processes that continue executing commands. This is commonly used by docker exec to execute shell commands in existing namespaces.

UTS namespace

Provides hostname and domain name isolation, making isolated processes appear as independent nodes on the network, allowing customization of login names like root@xxxxx via service names.

IPC namespace

IPC resources for inter-process communication also need isolation. Processes under the same IPC namespace can see global IDs for mutual communication, while those in different namespaces cannot see each other.

PID namespace

Isolates process PIDs, allowing processes in different namespaces to have the same PID. The kernel maintains a tree structure for PID namespaces. Remounting /proc under the namespace reveals only processes belonging to the same namespace.

Parents can see children, and the root namespace can see all processes. Principle of viewing all container states: monitor all processes and subprocesses under the PID namespace where the docker daemon resides, then filter based on conditions.

If multiple processes need to run in a docker container, bash should start first since it has resource monitoring and recycling management capabilities.

If the init process in the namespace doesn’t handle a signal, that signal is blocked when sent by other processes in the same namespace, which prevents the init process from being killed accidentally.

Once the init process is destroyed, all processes in the same namespace will be destroyed and recycled.

If you want to see only processes in that space when using ps, you need to remount /proc. In this case, without mount namespace isolation, it would affect the host’s root space.
