Docker Concise Tutorial

Docker - Architecture

One of the most difficult tasks for DevOps and SRE teams is figuring out how to manage all application dependencies and technology stacks across many cloud and development environments. To do this, their processes usually aim to keep the application working regardless of where it runs, ideally without changing much of its code.

Docker helps engineers be more efficient and reduce operational overhead, allowing any developer in any development environment to create robust and reliable applications. Docker is an open platform for building, shipping, and running software.

Docker allows you to decouple your applications from your infrastructure, making it possible to release software quickly. Docker lets you manage your infrastructure in the same way you manage your applications. Using Docker's methodology for shipping, testing, and deploying code can drastically cut the time between writing code and running it in production.

Docker uses a client-server architecture. The Docker client communicates with the Docker daemon, which does the heavy work of creating, executing, and distributing Docker containers. The Docker client can run alongside the daemon on the same host, or it can connect to a remote daemon. The Docker client and daemon communicate via a REST API over a UNIX socket or a network interface.

[Figure: Docker architecture 1]

In this chapter, let's discuss the Docker architecture in detail.

Difference between Containers and Virtual Machines

A Virtual Machine (VM) exists to accomplish tasks that would be risky if performed directly on the host environment. VMs are segregated from the rest of the system, so software running inside the virtual machine cannot interfere with the host computer.

A virtual machine is a computer file or piece of software, commonly referred to as a guest, or an image produced within a computing environment known as the host.

[Figure: Docker architecture 2]

A virtual machine can execute applications and programs as if they were on a separate computer, which makes it excellent for testing other operating systems such as beta versions, creating operating system backups, and installing software and applications. A host can run multiple virtual machines at the same time.

A virtual machine consists of several essential files, including a log file, an NVRAM settings file, a virtual disk file, and a configuration file.

Server virtualization is another area where virtual machines are extremely useful. Server virtualization divides a physical server into numerous isolated and unique servers, allowing each to run its own operating system independently. Each virtual machine has its own virtual hardware, including CPUs, RAM, network ports, hard drives, and other components.

On the other hand, Docker is a software development tool and virtualization technology that allows you to easily create, deploy, and manage programs using containers. A container is a lightweight, standalone executable bundle of software that includes all of the libraries, configuration files, dependencies, and other components required to run the application.

In other words, a program executes the same way regardless of where or on what computer it runs, because the container provides the application's environment throughout its software development life cycle.

Because containers are isolated from one another, they offer security while allowing numerous containers to run concurrently on the same host. Furthermore, containers are lightweight because they do not require the additional load of a hypervisor. A hypervisor is a guest operating system similar to VMware or VirtualBox, but containers run directly within the host machine's kernel.

Should I Choose Docker or a Virtual Machine (VM)?

It would be unfair to compare Docker and virtual machines, because they are intended for different purposes. Docker is undoubtedly gaining popularity, but it cannot be considered a replacement for virtual machines. Despite Docker's popularity, a virtual machine is the better option in some circumstances.

Virtual machines are preferred over Docker containers in a production environment because they run their own operating system and pose no threat to the host computer. For testing purposes, however, Docker is the best option because it provides several OS platforms for the complete testing of software or applications.

Additionally, a Docker container employs a Docker engine rather than a hypervisor, as a virtual machine does. Since the host kernel is not shared, employing docker-engine makes containers compact, isolated, compatible, high-performance, and quick to respond.

Docker containers incur little overhead, since they can share a single kernel and application libraries. Because the decision between virtual machines and Docker containers is determined by the type of workload delivered, organizations primarily adopt a hybrid approach.

Furthermore, only a few digital business organizations rely on virtual machines as their primary choice, opting for containers instead because VM deployment is time-consuming and running microservices on VMs is one of the biggest obstacles they face. However, some businesses still prefer virtual machines to Docker, primarily those that want enterprise-grade security for their infrastructure.

Components of Docker Architecture

The key components of the Docker architecture are the Docker Engine, Docker registries, and Docker objects (images, containers, networks, and storage).

Let's discuss each of them to better understand how the different components of the Docker architecture interact with each other.

Docker Engine

Docker Engine is the foundation of the Docker platform, facilitating all elements of the container lifecycle. It consists of three basic components: a command-line interface, a REST API, and a daemon (which does the actual work).

The Docker daemon, commonly known as 'dockerd', continually listens for Docker API requests. It performs all of the heavy lifting, such as creating and managing Docker objects like containers, volumes, images, and networks. A Docker daemon can communicate with other daemons on the same or separate host machines. For example, in a swarm cluster, the host machine's daemon can connect to daemons on other nodes to complete tasks.

The Docker API allows applications to control the Docker Engine. They can use it to look up details of containers or images, manage or upload images, and take actions such as creating new containers. Any HTTP client can consume it as a web service.
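To make the client-daemon REST communication described in the architecture introduction and in the Docker API paragraph above concrete, here is an added example (not part of this tutorial) that speaks to the daemon the way the docker CLI does: plain HTTP over the daemon's UNIX socket, after a defensive check of the socket's permission bits. The socket path, the API version and the sample response body are assumptions constructed for the example.

```python
"""Talk to the Docker daemon as the docker CLI does: HTTP over its UNIX socket."""
import http.client
import json
import os
import socket
import stat
import sys

DOCKER_SOCK = "/var/run/docker.sock"  # default daemon socket on a Linux host
API_VERSION = "v1.43"                 # assumption: use a version your daemon accepts

# Constructed sample of a GET /containers/json body (not captured from a real host).
SAMPLE_RESPONSE = (b'[{"Id":"abc123def4567890","Names":["/web"],"Image":"nginx:1.25",'
                   b'"State":"running"},{"Id":"ffff0000ffff0000","Names":[],'
                   b'"Image":"ubuntu","State":"exited"}]')

class UnixSocketHTTPConnection(http.client.HTTPConnection):
    """http.client dials TCP by default; override connect() to dial the UNIX socket."""
    def __init__(self, sock_path, timeout=5):
        super().__init__("localhost", timeout=timeout)
        self.sock_path = sock_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.sock_path)

def api_path(endpoint, version=API_VERSION):
    """Engine API paths are versioned: '/containers/json' -> '/v1.43/containers/json'."""
    return f"/{version}/{endpoint.lstrip('/')}"

def socket_mode_findings(st_mode):
    """Defensive check: dockerd runs as root, so anyone who can write to its socket
    controls the host. Expect a socket owned by root:docker, mode 0660, never o+w."""
    findings = []
    if not stat.S_ISSOCK(st_mode):
        findings.append("path is not a UNIX socket")
    if st_mode & stat.S_IWOTH:
        findings.append("socket is world-writable")
    return findings

def summarize_containers(body):
    """Reduce a /containers/json body to short id, primary name, image and state."""
    rows = []
    for c in json.loads(body):
        names = c.get("Names") or ["<none>"]   # the API reports names as "/web"
        rows.append({"id": c["Id"][:12], "name": names[0].lstrip("/"),
                     "image": c.get("Image", ""), "state": c.get("State", "")})
    return rows

def list_containers(sock_path=DOCKER_SOCK, all_containers=True):
    """Send the request that 'docker ps -a' sends and return the summarized result."""
    for issue in socket_mode_findings(os.stat(sock_path).st_mode):
        print(f"warning: {sock_path}: {issue}", file=sys.stderr)
    conn = UnixSocketHTTPConnection(sock_path)
    conn.request("GET", api_path("/containers/json") + ("?all=1" if all_containers else ""))
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"daemon returned HTTP {resp.status}: {body[:200]!r}")
    return summarize_containers(body)
```

Call list_containers() on a host with a running daemon, or summarize_containers(SAMPLE_RESPONSE) to try the parsing offline.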

Docker Registries

Docker registries are storage facilities or services that enable you to store and retrieve images as needed. Registries are made up of Docker repositories, for example, which keep all of your images under one roof.

There are two major public registries: Docker Hub and Docker Cloud. Private registries are also popular in organizations. The most common commands for working with these storage areas are docker push, docker pull, and docker run.

Docker Hub, the official Docker registry, contains multiple official image repositories. A repository is a collection of related Docker images that are uniquely identified by Docker tags. Docker Hub offers a wealth of relevant official and vendor-specific images to its users, including Nginx, Apache, Python, Java, Mongo, Node, MySQL, Ubuntu, Fedora, CentOS, and so on.

You may also set up a private repository on Docker Hub and use the docker push command to store your custom Docker images. Docker also allows you to run your own private Docker registry on your local machine. Once you have launched a container from the registry image, you can use the docker push command to push images to this private registry.

Docker Objects

When you use Docker, you create and manage images, containers, networks, volumes, plugins, and other objects. This section provides a quick summary of a few of them.

Docker Images

An image is a read-only template that includes instructions for building a Docker container. In many cases, an image is built on another image with minor modifications. For example, you could create an image that is based on the Ubuntu image but includes the Apache web server, your application, and the configuration information required to run your application.

You may build your own images or use those created by others and published in a registry. To build your own image, use a Dockerfile, whose simple syntax defines the steps required to create and run the image. Each instruction in a Dockerfile generates a layer within the image. When you edit the Dockerfile and rebuild the image, only the altered layers are rebuilt. This is one of the reasons why images are so lightweight, small, and fast compared to other virtualization approaches.
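The layer-caching behaviour described above, as an added example that is not part of this tutorial: a small Python model in which each Dockerfile instruction becomes a layer keyed on its parent layer, which goes one step further than the paragraph by showing that an edited instruction invalidates its own layer and every layer built after it (this is why frequently changing COPY steps belong near the end of a Dockerfile). The Dockerfile text and the hash chain are constructed assumptions that imitate Docker's behaviour; they are not Docker's real digest computation.

```python
"""Model of Docker's build cache: every Dockerfile instruction becomes a layer whose
identity depends on its parent layer, so a change invalidates that layer and all
layers above it. Assumption: the hash chain imitates Docker, it is not Docker's code."""
import hashlib

# Constructed Dockerfile matching the chapter's example: Ubuntu base, Apache, the app.
DOCKERFILE_V1 = """\
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y apache2
COPY ./app /var/www/html
COPY ./apache.conf /etc/apache2/sites-enabled/000-default.conf
EXPOSE 80
CMD ["apachectl", "-D", "FOREGROUND"]
"""
# Same file after only the application COPY line changed.
DOCKERFILE_V2 = DOCKERFILE_V1.replace("COPY ./app ", "COPY ./app-v2 ")


def parse_instructions(text):
    """Return the non-empty, non-comment lines; in this model each one is a layer."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def layer_ids(steps):
    """Hash chain: id_i = sha256(id_{i-1} || instruction_i). Real Docker additionally
    hashes the content of files referenced by COPY/ADD, so an unchanged COPY line
    whose source files changed is also a cache miss."""
    ids, parent = [], "scratch"
    for step in steps:
        parent = hashlib.sha256(f"{parent}\n{step}".encode()).hexdigest()[:12]
        ids.append(parent)
    return ids


def rebuild_plan(old_text, new_text):
    """Compare two Dockerfiles and label each step of the new one CACHED or REBUILD."""
    cached = set(layer_ids(parse_instructions(old_text)))
    new_steps = parse_instructions(new_text)
    return [("CACHED" if lid in cached else "REBUILD", step)
            for step, lid in zip(new_steps, layer_ids(new_steps))]


if __name__ == "__main__":
    for status, step in rebuild_plan(DOCKERFILE_V1, DOCKERFILE_V2):
        print(f"{status:<8} {step}")
```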

You can use the docker build command to create a Docker image from a Dockerfile:

$ docker build -t myimage .

Here, "-t" assigns a tag to the image. The dot at the end specifies the build context in which the Dockerfile is located, which in this case is the current directory.

Docker Containers

A container is a running instance of an image. A container can be created, started, stopped, moved, or deleted using the Docker API or CLI. You can connect a container to one or more networks, attach storage to it, or even build a new image from its current state.

A container is usually well isolated from other containers and from the host machine. You control how isolated a container's network, storage, and other underlying subsystems are from other containers and from the host.

A container is defined by its image as well as any configuration parameters you specify when creating or starting it. When a container is removed, any changes to its state that are not kept in persistent storage disappear.

Containers have full access to the resources that you define in the Dockerfile when building an image. Such settings include the build context, network connections, storage, CPU, memory, ports, and so on. For example, if you want access to a container with Java libraries installed, you can use the Docker Hub Java image and the docker run command to start a container from it.

You can use the docker run command to create a container:

$ docker run -i -t ubuntu /bin/bash

Here, the -i and -t flags (often combined as -it) start the container in interactive mode and attach a pseudo-TTY to it. /bin/bash specifies the command to run when the container starts, which gives you a bash shell inside the container.

Docker Networking

Docker networking is the means by which isolated containers communicate with each other. There are primarily four network drivers in Docker:

Bridge is the default network for containers that can't communicate with the outside world. You use this network when your application runs on standalone containers, that is, numerous containers connected in a network that only allows them to communicate with one another and not with the outside world.

The host driver enables Docker to work seamlessly with resources on your local machine. It uses your machine's native network capabilities to enable low-level IP tunneling and data-link-layer encryption across Docker applications on various endpoints.

Overlay is a software-defined networking technique that enables containers to connect. To link it to an external host, first build a virtual bridge on one host, then build an overlay network on top of it. You will also need to configure the overlay network and allow access from one side to the other. The "none" driver, by contrast, indicates that the container's network is unplugged.

The macvlan driver can be used to assign addresses to containers and have them behave like physical devices. What distinguishes it is that it directs communication between containers using their MAC addresses rather than IP addresses. Use this network when you want containers to look like physical devices, such as when migrating a VM.

Docker Storage

There are several alternatives for storing data safely. For example, you can store data in a container's writable layer using a storage driver. The problem with this technique is that if you shut down or stop the container, you will lose your data unless you have saved it somewhere else.

When it comes to persistent storage in Docker containers, there are four alternatives:

Data volumes allow you to establish persistent storage, rename volumes, list volumes, and view the containers associated with a volume. Data volumes are placed on data storage outside the container's copy-on-write mechanism, such as S3 or Azure.

A volume container is an alternative solution in which a dedicated container hosts a volume, which can then be mounted or symlinked into other containers. The volume container in this approach is independent of the application container, allowing it to be shared across numerous containers.

A third option is to mount a directory from the host inside the container. In the earlier options, the volumes had to live in the Docker volumes folder, whereas a directory mount can come from any directory on the host computer.

Storage plugins allow Docker to connect to external storage sources. These plugins enable Docker to work with a storage array or device by mapping the host's drive to an external source. One example is a plugin that lets your Docker installation use GlusterFS storage and map it to a readily accessible location.

Conclusion

To summarize, Docker transforms the way developers and IT operations handle application dependencies and deployment processes across multiple environments.

Docker's client-server architecture effectively decouples applications from their underlying infrastructure, easing the process of developing, shipping, and running software. This approach dramatically reduces the time and effort needed to move from code development to production, improving the agility and scalability of software development processes.

The lightweight nature of Docker containers, paired with their isolation features, creates a stable and consistent environment for running applications regardless of the host system.

Ultimately, Docker's comprehensive architecture, which includes components such as the Docker Engine, registries, images, containers, networking, and storage, provides enterprises with the tools they need to maintain high-performance, dependable, and secure application environments.

While Docker and virtual machines have different uses and characteristics, Docker's containerization technology is ideal for modern, cloud-native applications and microservice architectures. Organizations that use Docker in their DevOps operations can improve the efficiency, flexibility, and speed with which they build and deploy software.

FAQ

Q 1. What are the key components of Docker architecture?

The Docker architecture is made up of multiple critical components. The Docker Engine consists of the Docker daemon, the REST API, and the command-line interface (CLI), which work together to manage container lifecycles. Docker images are read-only templates used to generate containers that contain the program and its dependencies.

Containers are running instances of images that serve as isolated environments for applications. Docker registries, such as Docker Hub, store and distribute images, making them readily available.

Docker networking enables containers to connect with one another and with other systems, while storage solutions such as volumes ensure data persistence beyond the lifecycle of the containers.

Q 2. Can Docker be used for both development and production environments?

Yes, Docker is designed to be used in development, testing, and production settings, ensuring a consistent environment for applications at every stage. Docker enables developers to create isolated containers that replicate the production environment, ensuring that programs run consistently.

During testing, containers can be used to establish repeatable test environments, which speeds up the process and reduces issues caused by environmental variances. Docker's orchestration technologies, such as Docker Swarm and Kubernetes, improve its readiness for production by handling container deployment, scaling, and management.