Docker Tutorial
Docker - Container & Hosts
Docker containers are lightweight, portable, self-sufficient units that package software together with everything it needs to run: code, runtime, libraries, and settings. Because the image carries its own dependencies, the software behaves the same way in non-production and production environments, provided both hosts run a compatible kernel.
A Docker host, on the other hand, is a machine on which the Docker Engine is installed and running. It might be a physical server, a virtual machine, or a cloud instance.
In this chapter, let's look in detail at how Docker containers differ from Docker hosts.
What are Docker Containers?
Docker containers are lightweight, portable units of software packaging that include not only the application code but also the runtime, libraries, and other settings needed to run the application the same way everywhere. They run as isolated processes on the host operating system. Every container shares the host's OS kernel but has its own environment, separate from the others. Because the kernel is shared, a container is a weaker boundary than a virtual machine: a kernel vulnerability reachable from inside a container affects the host and every other container on it.
This makes efficient use of resources. Because of the isolation, different versions of software and their dependencies do not interfere with each other, which makes containers well suited to development, testing, and deployment. Docker containers support continuous integration and continuous deployment, which helps deliver applications quickly and reliably.
What are Docker Hosts?
A Docker host is a physical or virtual machine on which the Docker Engine is installed; it provides the environment in which Docker containers run. It supplies the CPU, memory, storage, and networking that containers use. Containers run on it as ordinary processes that share the host's OS kernel.
It isolates containers from one another and manages their resources, so several containers can run on it efficiently and securely. Docker hosts let an organization manage, scale, and deploy containerized applications flexibly and with control across diverse environments.
Difference between Docker Containers and Hosts
Docker provides a powerful platform for developing, shipping, and running applications inside containers. Although Docker containers and Docker hosts are both central elements of the ecosystem, they play quite different roles.
The following table highlights the major differences between Docker containers and Docker hosts:
| Feature | Docker Containers | Docker Hosts |
|---|---|---|
| Purpose | Lightweight, portable, self-contained units consisting of an application and all its dependencies, so the software runs consistently across environments. | A physical or virtual machine that runs the Docker Engine and provides containers with their essential environment and fundamental resources such as CPU, RAM, and storage. |
| Operation | Run as isolated processes on the host OS. All share the same kernel, but each has its own environment. | Runs multiple containers, managing resource allocation and isolation between them. |
| Resource Management | Share the host's OS kernel and use its resources efficiently, without the overhead of a full OS instance. | Shares the available system resources between many containers and balances them efficiently. |
| Isolation | Provide isolation at the application level, so different applications and their dependencies do not interfere with each other. | Provides the environment in which containers run, using host OS mechanisms (namespaces, cgroups) to enforce isolation and control. |
| Deployment | Because they are lightweight, they can easily be moved between Docker hosts and are therefore portable and scalable across environments, from development to production. | The base layer on which containers are deployed; provides the infrastructure for operating and orchestrating containers. |
How do Docker Containers and Hosts Interact with Each Other?
The interaction between Docker containers and hosts has several dimensions, all orchestrated by the Docker Engine as it creates, manages, and runs containerized applications. Let's look at the details.
Image Management
Image Pulling − When a user asks to run a container from an image that is not available locally, the Docker Engine contacts a container registry, such as Docker Hub, and downloads the image. The image serves as the blueprint for the container. Tags are mutable, so an image pulled by tag alone may differ from the one you tested; pin the digest (image@sha256:<digest>) when the exact content matters.
Image Storage − The downloaded images are stored in a structured way on the host's filesystem (under /var/lib/docker by default on Linux), so the Docker Engine can reuse them for later containers.
Building Images (Optional) − To create a custom image, you write a Dockerfile describing how to build it. The Docker Engine processes this file, and each instruction adds one layer to the image.
Container Isolation and Creation
Namespace Isolation − The Docker Engine uses kernel namespaces to give each container its own view of the operating system. Each container has its own process IDs, network interfaces, mount points, and so on, so one container does not interfere with another or with the host. Note that by default the container's root user is still UID 0 on the host; enabling user namespace remapping (the daemon's userns-remap option) maps it to an unprivileged host UID.
Control groups (cgroups) − cgroups limit and account for the resources a container can use, which keeps resource use fair between containers and prevents one container from consuming everything. Docker applies no CPU or memory limit unless you set one (for example with --memory and --cpus).
Union mount file systems − Docker uses a union mount filesystem (overlay2 on current Linux hosts) to manage a container's layers. Multiple containers share the same read-only image layers, while each container gets its own thin writable layer on top for changes made at runtime. That writable layer is discarded when the container is removed; data that must outlive the container belongs in a volume.
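To make the layer sharing and copy-on-write behaviour concrete, here is an added example (written for this page, not code from the original tutorial or from Docker) that models a union filesystem with plain Python dicts: read-only image layers, a per-container writable layer, and a whiteout marker for deletions. The image contents and the WHITEOUT marker are constructed for the demo. It also shows the supply-chain caveat that follows from the design: a file deleted in a later layer is hidden from the container but is still stored in the earlier layer, so anyone who has the image can recover it.

```python
"""Toy model of how a union (overlay) filesystem resolves a container's view.

Added example, not code from the original page or from Docker. Real overlay2
works on directories and whiteout files; the lookup rule modeled here is the
same: search from the top layer down, and a whiteout entry hides the paths
stored in the layers below it.
"""

WHITEOUT = object()  # constructed marker: "this path was deleted in this layer"


class UnionFS:
    """Read-only image layers shared by every container; each container adds its own upper layer."""

    def __init__(self, image_layers):
        # image_layers: list of dicts, oldest first (FROM, then each RUN/COPY instruction)
        self.image_layers = image_layers

    def view(self, upper):
        """Merged filesystem a container with writable layer `upper` actually sees."""
        merged = {}
        # Walk oldest -> newest -> upper so that later entries override earlier ones.
        for layer in [*self.image_layers, upper]:
            for path, content in layer.items():
                if content is WHITEOUT:
                    merged.pop(path, None)   # hidden, but the lower copy is untouched
                else:
                    merged[path] = content
        return merged

    @staticmethod
    def write(upper, path, content):
        upper[path] = content   # copy-on-write: the image layer is never modified

    @staticmethod
    def delete(upper, path):
        upper[path] = WHITEOUT


def find_in_layers(layers, path):
    """Indexes of layers that still physically hold `path`, hidden or not."""
    return [i for i, layer in enumerate(layers)
            if path in layer and layer[path] is not WHITEOUT]


def demo():
    # Constructed image: a private key copied in layer 1 and "removed" in layer 2,
    # the way `COPY key.pem /` followed by `RUN rm /key.pem` would build it.
    image = [
        {"/bin/sh": b"#!binary", "/etc/passwd": b"root:x:0:0"},    # base layer
        {"/app/main.py": b"print('hi')", "/key.pem": b"PRIVATE"},  # COPY step
        {"/key.pem": WHITEOUT},                                    # RUN rm /key.pem
    ]
    fs = UnionFS(image)

    upper_a, upper_b = {}, {}   # two containers started from the same image
    fs.write(upper_a, "/tmp/a.txt", b"only in container A")
    fs.delete(upper_b, "/etc/passwd")

    return {
        "a_sees_key": "/key.pem" in fs.view(upper_a),        # False: whiteout hides it
        "a_sees_tmp": "/tmp/a.txt" in fs.view(upper_a),      # True
        "b_sees_tmp": "/tmp/a.txt" in fs.view(upper_b),      # False: upper layers are private
        "b_sees_passwd": "/etc/passwd" in fs.view(upper_b),  # False: deleted in B only
        # Layer 1 still holds the key bytes; `docker save` on the image exposes them.
        "layers_holding_key": find_in_layers(image, "/key.pem"),
        "layers_holding_passwd": find_in_layers(image, "/etc/passwd"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both containers share the base layers while their own writes stay private. The last two entries are the security point: `docker history` and `docker save` expose the lower layers of a real image in exactly this way, which is why a secret must never be copied into an image even temporarily; use BuildKit secret mounts or a multi-stage build instead.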
Networking
Bridge Networks − By default, the Docker Engine creates a virtual bridge network on the host (docker0) and attaches containers to it so they can communicate with one another and with the outside world. All containers on the default bridge can reach each other; user-defined bridge networks isolate groups of containers from one another and add name resolution between members.
Port Mapping − You can also publish a port on a container by mapping it to a port on the host. Services in that container then become reachable from the host's network, or from the internet if the host is exposed. A published port is bound to all host interfaces unless you specify an address (for example -p 127.0.0.1:8080:80).
Custom Networks − Docker supports network drivers such as bridge, overlay, and macvlan, which let you create custom topologies with specific isolation requirements.
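Because the host-address part of -p decides whether a service is reachable from the network, here is an added example (this editor's code, not Docker's own parser) that parses publish specs following the documented [host_ip:][host_port:]container_port[/proto] grammar and flags those that bind to all interfaces. The sample specs in CONSTRUCTED_SPECS are made up; port ranges are not modeled.

```python
"""Parse `docker run -p` (--publish) specs and flag ports exposed on every host interface.

Added example; this is not Docker's own parser. It models the documented publish
grammar  [host_ip:][host_port:]container_port[/proto]  with IPv6 host addresses
in brackets. Port ranges such as 8000-8010:8000-8010 are not modeled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PortMapping:
    host_ip: Optional[str]     # None = all interfaces (Docker binds 0.0.0.0, and :: with IPv6 enabled)
    host_port: Optional[int]   # None = Docker chooses an ephemeral host port
    container_port: int
    proto: str                 # tcp, udp or sctp

    @property
    def all_interfaces(self) -> bool:
        # An explicit 0.0.0.0 or :: is the same as giving no address at all.
        return self.host_ip is None or ipaddress.ip_address(self.host_ip).is_unspecified


def _port(text: str) -> int:
    n = int(text)
    if not 1 <= n <= 65535:
        raise ValueError(f"port out of range: {text}")
    return n


def parse_publish(spec: str) -> PortMapping:
    spec = spec.strip()
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
        if proto not in ("tcp", "udp", "sctp"):
            raise ValueError(f"unknown protocol: {proto}")

    host_ip = None
    if spec.startswith("["):                 # bracketed IPv6 host address, e.g. [::1]:8080:80
        end = spec.index("]")
        host_ip, spec = spec[1:end], spec[end + 1:]
        if not spec.startswith(":"):
            raise ValueError("expected ':' after IPv6 host address")
        spec = spec[1:]

    parts = spec.split(":")
    if host_ip is None and len(parts) == 3:  # host_ip:host_port:container_port
        host_ip, parts = parts[0], parts[1:]
    if len(parts) == 1:                      # container_port only
        host_port = None
    elif len(parts) == 2:                    # host_port:container_port ("" host port = ephemeral)
        host_port = _port(parts[0]) if parts[0] else None
    else:
        raise ValueError(f"bad publish spec: {spec!r}")
    if host_ip is not None:
        ipaddress.ip_address(host_ip)        # rejects anything that is not an IP address
    return PortMapping(host_ip, host_port, _port(parts[-1]), proto)


def audit_publish(specs: List[str]) -> List[Tuple[PortMapping, Optional[str]]]:
    """Parse each spec and attach a warning when the port is reachable from all interfaces.

    Docker programs its own iptables chains (DOCKER and DOCKER-USER) for published
    ports, so a port bound to 0.0.0.0 is typically reachable from the network even
    when a host firewall front-end such as ufw appears to block it. Bind admin-only
    services to 127.0.0.1 explicitly.
    """
    results = []
    for spec in specs:
        m = parse_publish(spec)
        warning = None
        if m.all_interfaces:
            warning = f"{spec}: container port {m.container_port}/{m.proto} is published on all host interfaces"
        results.append((m, warning))
    return results


# Constructed sample of -p arguments, as they might appear in a deployment script.
CONSTRUCTED_SPECS = ["80:80", "127.0.0.1:8080:80", "[::1]::5432/tcp", "0.0.0.0:53:53/udp", "9000"]

if __name__ == "__main__":
    for mapping, warning in audit_publish(CONSTRUCTED_SPECS):
        print(mapping, "->", warning or "ok")
```

Three of the five constructed specs are flagged: the two with no host address and the one with an explicit 0.0.0.0. Running this over the -p arguments in a compose file or deployment script is a cheap way to catch admin interfaces that were meant to stay on localhost.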
Storage
Volumes − Volumes are persistent storage managed by Docker and independent of any single container. They allow data to be shared between containers and persist after a container is stopped or removed.
Bind Mounts − A bind mount maps a file or directory from the host into a container. It offers great flexibility but gives up isolation: the container can read, and unless the mount is read-only (:ro) modify, host files directly. Mounting the Docker socket (/var/run/docker.sock) in particular hands the container full control of the host's Docker daemon, and therefore of the host.
Runtime Management
Run/Stop Containers − The Docker Engine drives every stage of a container's lifecycle as needed: start, stop, restart, and pause. You can monitor a container's CPU and memory usage, read its logs for debugging, and otherwise observe how your application behaves.
Security − The Docker Engine isolates containers and gives them only limited access to host resources. Several flags and options control what a container may do: --cap-drop and --cap-add for Linux capabilities, --security-opt for seccomp and AppArmor profiles, --read-only for the root filesystem, and --privileged, which disables most of these protections and should be avoided.
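Bind mounts, cgroup limits, and the security flags above all surface in `docker inspect` output, so here is an added example (this editor's checks, not a Docker feature) that audits one container's inspect record for the settings that weaken host isolation: privileged mode, added capabilities, host PID or network namespaces, missing memory and PID limits, and bind mounts of sensitive host paths such as the Docker socket. The field names are the real inspect ones; the two JSON records are constructed, one before and one after hardening.

```python
"""Audit one container's `docker inspect` record for settings that weaken host isolation.

Added example; the checks are this editor's, not a Docker feature. Field names
follow the real `docker inspect` output (HostConfig.Privileged, HostConfig.CapAdd,
HostConfig.PidMode, HostConfig.NetworkMode, HostConfig.Memory, HostConfig.PidsLimit,
Mounts[].Type/Source/Destination/RW). The two records below are constructed, not
captured from a real host.
"""
import json
from typing import List, Union

# Host paths that hand a container control of the host when bind-mounted.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/sys", "/dev", "/var/run/docker.sock", "/run/docker.sock")
RISKY_CAPS = ("ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH")


def _under(path: str, root: str) -> bool:
    """True if `path` is `root` itself or lies inside it (root "/" matches only "/")."""
    path = path.rstrip("/") or "/"
    return path == root or (root != "/" and path.startswith(root + "/"))


def audit_container(record: Union[str, dict]) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    c = json.loads(record) if isinstance(record, str) else record
    hc = c.get("HostConfig") or {}
    name = (c.get("Name") or "?").lstrip("/")
    findings = []

    if hc.get("Privileged"):
        findings.append(f"{name}: --privileged grants all capabilities and disables seccomp/AppArmor")
    for cap in hc.get("CapAdd") or []:
        short = cap.upper()
        short = short[4:] if short.startswith("CAP_") else short
        if short in RISKY_CAPS:
            findings.append(f"{name}: CapAdd {cap} materially weakens the container boundary")
    if hc.get("PidMode") == "host":
        findings.append(f"{name}: --pid=host exposes every host process to the container")
    if hc.get("NetworkMode") == "host":
        findings.append(f"{name}: --network=host removes network namespace isolation")
    # cgroup limits: Memory 0 and PidsLimit null/0/-1 all mean "unlimited"
    if not hc.get("Memory"):
        findings.append(f"{name}: no memory cgroup limit; one container can starve the host")
    if hc.get("PidsLimit") in (None, 0, -1):
        findings.append(f"{name}: no PidsLimit; a fork bomb inside is a fork bomb on the host")

    for m in c.get("Mounts") or []:
        if m.get("Type") != "bind":          # volumes stay under Docker's control; bind mounts do not
            continue
        src = m.get("Source", "")
        for sensitive in SENSITIVE_HOST_PATHS:
            if _under(src, sensitive):
                mode = "rw" if m.get("RW", True) else "ro"
                findings.append(f"{name}: bind mount of host {src} ({mode}) at {m.get('Destination')}")
                break
    return findings


# Constructed record for a CI runner started roughly as
#   docker run --cap-add SYS_ADMIN -v /var/run/docker.sock:/var/run/docker.sock -v /srv/app:/app:ro ...
CONSTRUCTED_INSPECT = json.dumps({
    "Name": "/ci-runner",
    "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"], "PidMode": "",
                   "NetworkMode": "bridge", "Memory": 0, "PidsLimit": None},
    "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock", "RW": True},
        {"Type": "bind", "Source": "/srv/app", "Destination": "/app", "RW": False},
        {"Type": "volume", "Name": "data", "Source": "/var/lib/docker/volumes/data/_data",
         "Destination": "/data", "RW": True},
    ],
})

# The same workload after hardening: no extra capabilities, cgroup limits set, socket not mounted.
HARDENED_INSPECT = json.dumps({
    "Name": "/ci-runner",
    "HostConfig": {"Privileged": False, "CapAdd": None, "PidMode": "", "NetworkMode": "bridge",
                   "Memory": 536870912, "PidsLimit": 256},
    "Mounts": [{"Type": "bind", "Source": "/srv/app", "Destination": "/app", "RW": False}],
})

if __name__ == "__main__":
    for label, rec in (("before", CONSTRUCTED_INSPECT), ("after", HARDENED_INSPECT)):
        print(label, audit_container(rec) or ["clean"])
```

On a real host, feed it `docker inspect <container>` (which prints a one-element JSON array, so take element zero). The "before" record produces four findings; the "after" record, which keeps the read-only bind mount of application code, produces none.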
Commands to Interact with Docker Containers and Hosts
Here we highlight a few commands used to interact with Docker containers and hosts:
Docker Run
The docker run command launches a new container from a specified image. Several options customize the container's behavior:
- -d (detach) − Runs the container in the background.
- -p (publish) − Maps ports between the container and the host.
- -v (volume) − Mounts volumes or bind mounts for data persistence.
- --name − Assigns a custom name to the container.
$ docker run -d -p 80:80 nginx
This starts a detached Nginx web server container with container port 80 published on host port 80.
docker ps
The docker ps command lists the containers running on your host. Use it to monitor container status and to get information such as names, IDs, and published ports.
$ docker ps -a
This lists all containers, both running and stopped.
docker exec
The docker exec command runs a command inside a running container, much like SSHing into a remote machine. The command runs as the container's configured user (root by default) unless you pass --user.
$ docker exec -it my-container bash
This starts an interactive Bash shell inside the container named my-container.
How do I access a service running inside a Docker container from my host machine?
The most common way to reach a service running inside a Docker container is to map the container's port to a port on the host with the -p (--publish) option when you run the container.
For example, docker run -p 8080:80 my-web-server exposes the web server listening on port 80 inside the container on port 8080 of your host. In the other direction, on Docker Desktop the special DNS name host.docker.internal resolves to the host from inside a container; on Linux hosts the same name can be provided with --add-host=host.docker.internal:host-gateway.
Conclusion
In this chapter, we discussed Docker containers and hosts: what each is, how they interact, the fundamental differences between them, and the commands used to work with them.