@sbouii
Last active January 11, 2022 20:02

What is Docker?

  • Docker is an open source platform originally designed for Linux (it can now also be installed on Windows and run containers in the same way). It lets a developer package an application together with its dependencies in a container, so that it is portable across systems running Linux and behaves the same way on each of them. Linux containers need a Linux kernel, so to run them on Windows, Docker spins up a Linux virtual machine (through Hyper-V or WSL 2) in which the containers actually run. The reverse is not true: a Windows container needs a Windows kernel, so it cannot run on a Linux host, and Docker on Linux only runs Linux containers.

Is container technology new?

  • No. Process isolation of this kind has existed for a long time, for example as LXC on Linux and as Solaris Zones (Solaris containers). Docker builds on the same Linux kernel features (namespaces and cgroups) and adds an image format and tooling around them.

Which platforms can Docker run on?

  • Docker runs on Linux and on Windows (Windows Server 2016 and Windows 10) based operating systems, and is offered on cloud platforms such as Amazon, Google Compute Engine, Rackspace and Microsoft Azure.

Can Docker run on bare metal (directly on a host machine rather than inside a guest VM)?

  • Yes. The minimum requirement is a Linux kernel on that machine: containers share the host kernel, so it must be recent enough to provide namespaces and cgroups.

What is a Dockerfile?

  • A Dockerfile is the source code of a Docker image. It looks a lot like a shell script and is imperative (you list, in order, every instruction needed to reach the desired state). It describes how the image is built, one instruction per line (FROM, RUN, COPY, USER, CMD and so on).
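As an added example (not from the original notes), here is a small Dockerfile for a hypothetical Python web service. The application file app.py, the requirements.txt file and port 8000 are assumptions; the base image tag is pinned so that a rebuild does not silently pull a different operating system.

```dockerfile
# Added example, not from the original notes. Assumes a hypothetical app.py
# that listens on port 8000 and a requirements.txt next to it.
# Pin the base image tag (or better, its digest) so builds are reproducible.
FROM python:3.12-slim

# Each instruction below adds a layer to the image.
WORKDIR /app

# Install dependencies first so this layer stays cached while app code changes.
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Copy only the files the service needs, not the whole build context.
COPY app.py .

# Run as an unprivileged user: a process that escapes the container as root
# is far more dangerous than one running as a plain user.
RUN useradd --system --no-create-home appuser
USER appuser

EXPOSE 8000
CMD ["python", "app.py"]
```

Build it with docker build -t myservice . (the dot is the build context, the directory that holds the Dockerfile) and start it with docker run --rm -p 8000:8000 myservice. Without the -p flag the port stays reachable only on the container's own network interface.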

What is a Docker image?

  • A Docker image is the "compiled" result of a Dockerfile: a read-only, layered filesystem archive (each instruction in the Dockerfile adds a layer, stored as a tar file) plus metadata such as the default command, environment variables and the user to run as. It is not a single executable binary.
  • To build an image from the Dockerfile in the current directory, you run docker build .
  • Once you have built an image you can distribute it through a Docker registry, which works like a git repository for images: you push images to it and pull images from it.
  • Docker images are the templates from which Docker containers are created.
  • An image is a stripped-down copy of an operating system's user space (all the code in an operating system that lives outside the kernel: libraries, utilities, programming language runtimes and so on), preconfigured to run one or more processes. When you pull and run a Red Hat Enterprise Linux 7 image, for example, you get a prepackaged minimal RHEL 7 user space; the kernel is still the host's.

What is a Docker container?

  • The Docker engine is a daemon, so it uses system calls to tell the kernel which restrictions to apply when it runs a process from the image on the host OS (other programs, such as systemd and LXC, can ask the kernel to put the same kinds of boundaries around a process).
  • Typical restrictions:
    • Resource limits (memory, disk, CPU, networking ...): through cgroups the kernel caps what the container's processes may consume.
    • Process isolation: through namespaces the processes inside the container get their own view of process IDs, network interfaces, mount points, hostname and users, so they do not see or interact with the host's processes and resources or with other containers.
    • Security restrictions: dropping Linux capabilities, a seccomp system-call filter, and mandatory access control labels such as SELinux or AppArmor.
  • A running container is therefore just one or more ordinary host processes, started from the image's filesystem with these restrictions applied.

Why containers?

  • They start and stop much faster than virtual machines.
  • They are more portable because the container's environment travels with it, so an application sees a consistent environment no matter which host is running it.
  • Containerized applications are easy to scale because containers can be added to or removed from an environment quickly.
  • Containers make it easy to break complex monolithic applications into smaller, modular microservices.

Difference between the Docker engine and the Docker client:

  • The Docker client is the user interface of Docker: the program that accepts docker commands and sends them (over the Docker API socket) to the Docker engine (the daemon), which makes the system calls needed to create, operate and manage containers. Anyone who can talk to that socket can ask the daemon to start a privileged container, so access to it is equivalent to root on the host.

Difference between Docker and LXC?

Fundamentally, both Docker and LXC are lightweight, user-space virtualization mechanisms that rely on the kernel's cgroups and namespaces for resource isolation. Key differences between Docker and LXC:

  • Docker is designed around one process per container. It does not strictly forbid more, but the image's entrypoint becomes PID 1 and there is no conventional init system, so if your application consists of X concurrent processes Docker wants you to run X containers, each with a distinct process. LXC containers, by contrast, run a conventional init process and host several processes like a small system.

  • Portable deployment across machines: Docker abstracts more of the networking, storage and host OS details away from the application than LXC does, so the application is largely independent of how those low-level resources are configured. When you move a Docker container from one Docker host to another, the user space the application sees (its filesystem, environment and dependencies) is identical; what can still differ is the host kernel and the resources the host grants.

A direct benefit of this approach is that Docker lets developers set up local development environments that are exactly like a production server. Users can keep a clean and minimal base Linux OS and run everything else in containers. When a developer finishes writing and testing code, the code, the software it needs and the related configuration (the working environment) can be wrapped in a container and published directly to an AWS server or to a private cloud, and it will work there immediately because the environment is the same.

If you sent me a copy of your application installed in a custom LXC configuration, it would almost certainly not run on my machine the way it does on yours, because it is tied to your machine's specific configuration: networking, storage, logging, distribution and so on. What LXC provides is process sandboxing, not full application portability; the server environment will be different, and the developer would have to spend a great deal of time debugging the differences and fixing the issues.

Docker networking:

  • Docker has four main networking modes:
    • Bridge mode (the default): each container gets its own network namespace with a virtual Ethernet (veth) interface whose other end is attached to a bridge on the host (docker0). Outbound traffic is NAT'd through the host, and a container port is only reachable from outside if it is explicitly published.
    • Host mode: the container shares the host's network namespace, so it uses the host's interfaces and ports directly. This is the fastest mode but gives no network isolation at all.
    • Container mode: the container joins the network namespace of another, already running container, so both see the same interfaces and can talk to each other over localhost.
    • No networking: the container gets its own network namespace containing only a loopback interface, with no connectivity to the host or the outside.

Containers and namespaces?

  • Namespaces are a Linux kernel feature that gives a process its own isolated view of a system resource (process IDs, network, mounts, hostname, users, IPC). They separate a container's processes from the rest of the system for security reasons: if a process inside a container is compromised, the attacker does not see or reach the other processes on the host or in other containers. That boundary holds only as long as the namespaces are not deliberately shared with the host and the kernel itself is not compromised.

Linux network namespaces:

  • A network namespace gives a process its own set of network interfaces, routing table and firewall rules, distinct from the host's. To connect it, you create additional virtual interfaces (typically a veth pair, with one end in each namespace) and route packets, or build an Ethernet bridge, between namespaces. For the whole thing to work, something in the global (root) network namespace, usually a bridge plus forwarding and NAT rules, has to pick up traffic from the physical interface and forward it to the appropriate namespace through its virtual interface.

Linux PID namespaces:

  • The first process created in a PID namespace gets process ID 1 and receives most of the special treatment of the normal init process: orphaned processes in the namespace are reparented to it, and it is responsible for reaping the zombies. Terminating this PID 1 immediately terminates every process in its PID namespace and in any nested PID namespaces. Processes inside the namespace can only see processes in it (and in its child namespaces); from the host, the same processes are visible with their ordinary host PIDs.
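To show the two namespace types above in working code, here is an added example (not from the original notes) that creates a new user, PID and network namespace with unshare(2) and reports what a process inside them sees: it is PID 1, and the only interface is the namespace's own loopback. The user namespace is what lets an unprivileged user do this; where unprivileged user namespaces are disabled, or a seccomp profile blocks unshare (Docker's default profile does), the probe reports that namespace creation was not permitted instead of failing.

```c
/* Added example, not from the original notes. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <net/if.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case the headers were included without _GNU_SOURCE. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWPID
#define CLONE_NEWPID 0x20000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif
int unshare(int flags);

/* What the innermost process saw from inside the new namespaces. */
struct ns_view {
    int supported;   /* 1 if the kernel let us create the namespaces, else 0 */
    int pid_seen;    /* getpid() inside the new PID namespace (expected: 1) */
    int ifaces_seen; /* interfaces inside the new net namespace (expected: 1, "lo") */
};

/* Count the network interfaces visible to the calling process. */
static int count_interfaces(void) {
    struct if_nameindex *list = if_nameindex();
    if (list == NULL) return -1;
    int n = 0;
    for (struct if_nameindex *p = list; p->if_index != 0; p++) n++;
    if_freenameindex(list);
    return n;
}

static void report(int fd, int supported, int pid, int ifaces) {
    int msg[3] = {supported, pid, ifaces};
    ssize_t w = write(fd, msg, sizeof msg);
    (void)w;
}

/* Fork a helper that unshares into fresh user+PID+net namespaces, then forks
   again: unshare(CLONE_NEWPID) only applies to *children* of the caller, so
   the grandchild is the one that becomes PID 1 of the new namespace. */
struct ns_view probe_namespaces(void) {
    struct ns_view v = {0, -1, -1};
    int fd[2];
    if (pipe(fd) != 0) return v;
    pid_t outer = fork();
    if (outer < 0) return v;
    if (outer == 0) {
        close(fd[0]);
        if (unshare(CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET) != 0) {
            report(fd[1], 0, 0, 0);   /* EPERM/EINVAL: not allowed here */
            _exit(0);
        }
        pid_t inner = fork();
        if (inner < 0) { report(fd[1], 0, 0, 0); _exit(0); }
        if (inner == 0) {
            /* This process is init of the new PID namespace and sees only the
               new, empty network namespace (just a loopback, still down). */
            report(fd[1], 1, (int)getpid(), count_interfaces());
            _exit(0);
        }
        waitpid(inner, NULL, 0);
        _exit(0);
    }
    close(fd[1]);
    int msg[3];
    ssize_t r = read(fd[0], msg, sizeof msg);
    close(fd[0]);
    waitpid(outer, NULL, 0);
    if (r == (ssize_t)sizeof msg) {
        v.supported = msg[0];
        v.pid_seen = msg[1];
        v.ifaces_seen = msg[2];
    }
    return v;
}

int main(void) {
    struct ns_view v = probe_namespaces();
    if (!v.supported) {
        puts("namespace creation not permitted here (no CAP_SYS_ADMIN, "
             "unprivileged user namespaces disabled, or seccomp blocks unshare)");
        return 0;
    }
    printf("inside the new namespaces: pid=%d interfaces=%d\n", v.pid_seen, v.ifaces_seen);
    return 0;
}
```

On the host, the same grandchild still has an ordinary PID, and ps on the host lists it; this asymmetry (full view from outside, narrow view from inside) is the whole point of namespaces, and it is also why a container escape is defined as getting a process out of these namespaces.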

Containers and cgroups?

  • Control groups (cgroups) are a Linux kernel feature that limits and accounts for how much of a resource (CPU, memory, block I/O, number of processes ...) a group of processes may use. Docker places each container's processes in their own cgroup and applies limits from options such as --memory and --cpus; without such limits, one container can starve the host and every other container (a fork bomb or a memory leak in one container becomes everyone's problem).

Containers and seccomp-bpf?

  • seccomp-bpf is a Linux kernel feature that lets a process install a filter (a small BPF program) deciding which system calls, with which arguments, it and its children may make; for example, it can block the system calls used for network access. Docker applies a default seccomp profile to every container that blocks a few dozen dangerous or rarely needed system calls, which shrinks the kernel attack surface reachable from a compromised container.

How do you start a Docker container?

docker start container-id

(docker run image creates a new container from an image and starts it; docker start restarts an existing, stopped container.)

How do you stop a Docker container?

docker stop container-id

(This sends SIGTERM to the container's PID 1 and, if it has not exited after the grace period, SIGKILL.)

What are the main use cases for Docker?

  • It can be used to provide one unified development environment for all developers and avoid the "it works fine on my machine" problem, by packaging the application with all its dependencies in a container and then running it on any host.
  • You can spin up clean test environments quickly (instead of bringing up full virtual machines) to test your software.

What is the difference between a container and a virtual machine?

  • A virtual machine is a fully functional operating system (user space + kernel space). To run on a host it needs a hypervisor, which lets the guest VM's kernel use the host machine's resources.
  • A container contains only the user space of an operating system and shares the host OS kernel to get the resources it needs.
  • The shared kernel is also the main security difference: a kernel bug reachable from inside a container affects the whole host, whereas a VM has the hypervisor as an additional boundary between guest and host.

Can we replace VMs with containers?

  • Containers do not have to replace VMs. Docker containers can run inside VMs, which lets teams containerize each service and run multiple Docker containers per VM, making better use of resources while keeping the VM boundary between tenants.