4821b84026
This adds back in the references to private repositories and provides some refactoring to the Working with repositories documentation including updating references to the "Central" registry to Docker.io. It also: * Fixes some links and references to Central Index * Fixes anchors in other files to updated titles in Working with Repositories. * Renamed Central Index in the remaining places. * Updated terms documentation to reflect Docker.io * Updated some Docker Index naming to be consistent. * Updates menu labels and hyperlinks. Docker-DCO-1.1-Signed-off-by: James Turnbull <james@lovedthanlost.net> (github: jamtur01) Docker-DCO-1.1-Signed-off-by: O.S. Tezer <ostezer@gmail.com> (github: ostezer) Upstream-commit: a8871b93b95d1220c860987ae1da4e49c943bfea Component: engine
269 lines
11 KiB
Markdown
269 lines
11 KiB
Markdown
page_title: Understanding the Technology
|
||
page_description: Technology of Docker explained in depth
|
||
page_keywords: docker, introduction, documentation, about, technology, understanding, Dockerfile
|
||
|
||
# Understanding the Technology
|
||
|
||
*What is the architecture of Docker? What is its underlying technology?*
|
||
|
||
## Introduction
|
||
|
||
When it comes to understanding Docker and its underlying technology
|
||
there is no *magic* involved. Everything is based on tried and tested
|
||
features of the *Linux kernel*. Docker either makes use of those
|
||
features directly or builds upon them to provide new functionality.
|
||
|
||
Aside from the technology, one of the major factors that make Docker
|
||
great is the way it is built. The project's core is very lightweight and
|
||
as much of Docker as possible is designed to be pluggable. Docker is
|
||
also built with integration in mind and has a fully featured API that
|
||
allows you to access all of the power of Docker from inside your own
|
||
applications.
|
||
|
||
## The Architecture of Docker
|
||
|
||
Docker is designed for developers and sysadmins. It's built to help you
|
||
build applications and services and then deploy them quickly and
|
||
efficiently: from development to production.
|
||
|
||
Let's take a look.
|
||
|
||
-- Docker is a client-server application.
|
||
-- Both the Docker client and the daemon *can* run on the same system, or;
|
||
-- You can connect a Docker client with a remote Docker daemon.
|
||
-- They communicate via sockets or through a RESTful API.
|
||
-- Users interact with the client to command the daemon, e.g. to create, run, and stop containers.
|
||
-- The daemon, receiving those commands, does the job, e.g. run a container, stop a container.
|
||
|
||

|
||
|
||
## The components of Docker
|
||
|
||
Docker's main components are:
|
||
|
||
- Docker *daemon*;
|
||
- Docker *client*, and;
|
||
- [Docker.io](https://index.docker.io) registry.
|
||
|
||
### The Docker daemon
|
||
|
||
As shown on the diagram above, the Docker daemon runs on a host machine.
|
||
The user does not directly interact with the daemon, but instead through
|
||
an intermediary: the Docker client.
|
||
|
||
### Docker client
|
||
|
||
The Docker client is the primary user interface to Docker. It is tasked
|
||
with accepting commands from the user and communicating back and forth
|
||
with a Docker daemon to manage the container lifecycle on any host.
|
||
|
||
### Docker.io registry
|
||
|
||
[Docker.io](https://index.docker.io) is the global archive (and
|
||
directory) of user supplied Docker container images. It currently hosts
|
||
a large – in fact, rapidly growing – number of projects where you
|
||
can find almost any popular application or deployment stack readily
|
||
available to download and run with a single command.
|
||
|
||
As a social community project, Docker tries to provide all necessary
|
||
tools for everyone to grow with other *Dockers*. By issuing a single
|
||
command through the Docker client you can start sharing your own
|
||
creations with the rest of the world.
|
||
|
||
However, knowing that not everything can be shared the [Docker.io](
|
||
https://index.docker.io) also offers private repositories. In order to see
|
||
the available plans, you can click [here](https://index.docker.io/plans).
|
||
|
||
Using [*docker-registry*](https://github.com/dotcloud/docker-registry), it is
|
||
also possible to run your own private Docker image registry service on your own
|
||
servers.
|
||
|
||
> **Note:** To learn more about the [*Docker.io*](http://index.docker.io)
|
||
> registry (for public *and* private repositories), check out the [Registry &
|
||
> Index Spec](http://docs.docker.io/api/registry_index_spec/).
|
||
|
||
### Summary
|
||
|
||
- **When you install Docker, you get all the components:**
|
||
The daemon, the client and access to the [Docker.io](http://index.docker.io) registry.
|
||
- **You can run these components together or distributed:**
|
||
Servers with the Docker daemon running, controlled by the Docker client.
|
||
- **You can benefit form the public registry:**
|
||
Download and build upon images created by the community.
|
||
- **You can start a private repository for proprietary use.**
|
||
Sign up for a [plan](https://index.docker.io/plans) or host your own [docker-registry](
|
||
https://github.com/dotcloud/docker-registry).
|
||
|
||
## Elements of Docker
|
||
|
||
The basic elements of Docker are:
|
||
|
||
- **Containers, which allow:**
|
||
The run portion of Docker. Your applications run inside of containers.
|
||
- **Images, which provide:**
|
||
The build portion of Docker. Your containers are built from images.
|
||
- **The Dockerfile, which automates:**
|
||
A file that contains simple instructions that build Docker images.
|
||
|
||
To get practical and learn what they are, and **_how to work_** with
|
||
them, continue to [Working with Docker](working-with-docker.md). If you would like to
|
||
understand **_how they work_**, stay here and continue reading.
|
||
|
||
## The underlying technology
|
||
|
||
The power of Docker comes from the underlying technology it is built
|
||
from. A series of operating system features are carefully glued together
|
||
to provide Docker's features and provide an easy to use interface to
|
||
those features. In this section, we will see the main operating system
|
||
features that Docker uses to make easy containerization happen.
|
||
|
||
### Namespaces
|
||
|
||
Docker takes advantage of a technology called `namespaces` to provide
|
||
an isolated workspace we call a *container*. When you run a container,
|
||
Docker creates a set of *namespaces* for that container.
|
||
|
||
This provides a layer of isolation: each process runs in its own
|
||
namespace and does not have access outside it.
|
||
|
||
Some of the namespaces Docker uses are:
|
||
|
||
- **The `pid` namespace:**
|
||
Used for process numbering (PID: Process ID)
|
||
- **The `net` namespace:**
|
||
Used for managing network interfaces (NET: Networking)
|
||
- **The `ipc` namespace:**
|
||
Used for managing access to IPC resources (IPC: InterProcess Communication)
|
||
- **The `mnt` namespace:**
|
||
Used for managing mount-points (MNT: Mount)
|
||
- **The `uts` namespace:**
|
||
Used for isolating kernel / version identifiers. (UTS: Unix Timesharing System)
|
||
|
||
### Control groups
|
||
|
||
Docker also makes use of another technology called `cgroups` or control
|
||
groups. A key need to run applications in isolation is to have them
|
||
contained, not just in terms of related filesystem and/or dependencies,
|
||
but also, resources. Control groups allow Docker to fairly
|
||
share available hardware resources to containers and if asked, set up to
|
||
limits and constraints, for example limiting the memory to a maximum of 128
|
||
MBs.
|
||
|
||
### UnionFS
|
||
|
||
UnionFS or union filesystems are filesystems that operate by creating
|
||
layers, making them very lightweight and fast. Docker uses union
|
||
filesystems to provide the building blocks for containers. We'll see
|
||
more about this below.
|
||
|
||
### Containers
|
||
|
||
Docker combines these components to build a container format we call
|
||
`libcontainer`. Docker also supports traditional Linux containers like
|
||
[LXC](https://linuxcontainers.org/) which also make use of these
|
||
components.
|
||
|
||
## How does everything work
|
||
|
||
A lot happens when Docker creates a container.
|
||
|
||
Let's see how it works!
|
||
|
||
### How does a container work?
|
||
|
||
A container consists of an operating system, user added files and
|
||
meta-data. Each container is built from an image. That image tells
|
||
Docker what the container holds, what process to run when the container
|
||
is launched and a variety of other configuration data. The Docker image
|
||
is read-only. When Docker runs a container from an image it adds a
|
||
read-write layer on top of the image (using the UnionFS technology we
|
||
saw earlier) to run inside the container.
|
||
|
||
### What happens when you run a container?
|
||
|
||
The Docker client (or the API!) tells the Docker daemon to run a
|
||
container. Let's take a look at a simple `Hello world` example.
|
||
|
||
$ docker run -i -t ubuntu /bin/bash
|
||
|
||
Let's break down this command. The Docker client is launched using the
|
||
`docker` binary. The bare minimum the Docker client needs to tell the
|
||
Docker daemon is:
|
||
|
||
* What Docker image to build the container from;
|
||
* The command you want to run inside the container when it is launched.
|
||
|
||
So what happens under the covers when we run this command?
|
||
|
||
Docker begins with:
|
||
|
||
- **Pulling the `ubuntu` image:**
|
||
Docker checks for the presence of the `ubuntu` image and if it doesn't
|
||
exist locally on the host, then Docker downloads it from [Docker.io](https://index.docker.io)
|
||
- **Creates a new container:**
|
||
Once Docker has the image it creates a container from it.
|
||
- **Allocates a filesystem and mounts a read-write _layer_:**
|
||
The container is created in the filesystem and a read-write layer is added to the image.
|
||
- **Allocates a network / bridge interface:**
|
||
Creates a network interface that allows the Docker container to talk to the local host.
|
||
- **Sets up an IP address:**
|
||
Intelligently finds and attaches an available IP address from a pool.
|
||
- **Executes _a_ process that you specify:**
|
||
Runs your application, and;
|
||
- **Captures and provides application output:**
|
||
Connects and logs standard input, outputs and errors for you to see how your application is running.
|
||
|
||
### How does a Docker Image work?
|
||
|
||
We've already seen that Docker images are read-only templates that
|
||
Docker containers are launched from. When you launch that container it
|
||
creates a read-write layer on top of that image that your application is
|
||
run in.
|
||
|
||
Docker images are built using a simple descriptive set of steps we
|
||
call *instructions*. Instructions are stored in a file called a
|
||
`Dockerfile`. Each instruction writes a new layer to an image using the
|
||
UnionFS technology we saw earlier.
|
||
|
||
Every image starts from a base image, for example `ubuntu` a base Ubuntu
|
||
image or `fedora` a base Fedora image. Docker builds and provides these
|
||
base images via [Docker.io](http://index.docker.io).
|
||
|
||
### How does a Docker registry work?
|
||
|
||
The Docker registry is a store for your Docker images. Once you build a
|
||
Docker image you can *push* it to a public or private repository on [Docker.io](
|
||
http://index.docker.io) or to your own registry running behind your firewall.
|
||
|
||
Using the Docker client, you can search for already published images and
|
||
then pull them down to your Docker host to build containers from them
|
||
(or even build on these images).
|
||
|
||
[Docker.io](http://index.docker.io) provides both public and
|
||
private storage for images. Public storage is searchable and can be
|
||
downloaded by anyone. Private repositories are excluded from search
|
||
results and only you and your users can pull them down and use them to
|
||
build containers. You can [sign up for a plan here](https://index.docker.io/plans).
|
||
|
||
To learn more, check out the [Working with Repositories](
|
||
http://docs.docker.io/use/workingwithrepository) section from the
|
||
[Docker documentation](http://docs.docker.io).
|
||
|
||
## Where to go from here
|
||
|
||
### Understanding Docker
|
||
|
||
Visit [Understanding Docker](understanding-docker.md) in our Getting Started manual.
|
||
|
||
### Get practical and learn how to use Docker straight away
|
||
|
||
Visit [Working with Docker](working-with-docker.md) in our Getting Started manual.
|
||
|
||
### Get the product and go hands-on
|
||
|
||
Visit [Get Docker](get-docker.md) in our Getting Started manual.
|
||
|
||
### Get the whole story
|
||
|
||
[https://www.docker.io/the_whole_story/](https://www.docker.io/the_whole_story/)
|