1. Containers are not really a new technology. Put plainly, a container is namespaces isolating resources, plus a union file system (UFS) providing layered images, plus cgroups enforcing resource limits. All of these already exist in Linux, and some of them have been around for a long time.
2. As said above, a container is just isolation + layering + limits, so it is something completely different from a virtual machine; a VM is a genuine, full operating system.
3. Under /proc/<pid>/ns the kernel exposes each process's namespaces: for every namespace the process belongs to there is a link to that namespace. For example, below I have a container with two processes inside it, 7344 and 7376:
$ docker top nginx
UID    PID    PPID   C   STIME   TTY     TIME       CMD
root   7344   7327   0   22:07   pts/0   00:00:00   nginx: master process nginx -g daemon off;
101    7376   7344   0   22:07   pts/0   00:00:00   nginx: worker process
Look at the namespaces of these two processes, which live in the same container:
sudo ls -l /proc/7344/ns
total 0
lrwxrwxrwx 1 root root 0 Jan 16 22:08 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Jan 16 22:08 ipc -> 'ipc:[4026532496]'
lrwxrwxrwx 1 root root 0 Jan 16 22:08 mnt -> 'mnt:[4026532494]'
lrwxrwxrwx 1 root root 0 Jan 16 22:07 net -> 'net:[4026532499]'
lrwxrwxrwx 1 root root 0 Jan 16 22:08 pid -> 'pid:[4026532497]'
lrwxrwxrwx 1 root root 0 Jan 16 22:08 pid_for_children -> 'pid:[4026532497]'
lrwxrwxrwx 1 root root 0 Jan 16 22:08 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Jan 16 22:08 uts -> 'uts:[4026532495]'
sudo ls -l /proc/7376/ns
total 0
lrwxrwxrwx 1 101 101 0 Jan 16 22:10 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 101 101 0 Jan 16 22:10 ipc -> 'ipc:[4026532496]'
lrwxrwxrwx 1 101 101 0 Jan 16 22:10 mnt -> 'mnt:[4026532494]'
lrwxrwxrwx 1 101 101 0 Jan 16 22:10 net -> 'net:[4026532499]'
lrwxrwxrwx 1 101 101 0 Jan 16 22:10 pid -> 'pid:[4026532497]'
lrwxrwxrwx 1 101 101 0 Jan 16 22:10 pid_for_children -> 'pid:[4026532497]'
lrwxrwxrwx 1 101 101 0 Jan 16 22:10 user -> 'user:[4026531837]'
lrwxrwxrwx 1 101 101 0 Jan 16 22:10 uts -> 'uts:[4026532495]'
The links are identical, which shows that the two processes are in the same namespaces.
Now look at ordinary processes (outside the container), systemd and the zsh shell:
sudo ls -l /proc/1/ns
[sudo] password for xlinliu:
total 0
lrwxrwxrwx 1 root root 0 Jan 16 22:06 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Jan 16 22:06 ipc -> 'ipc:[4026531839]'
lrwxrwxrwx 1 root root 0 Jan 16 22:06 mnt -> 'mnt:[4026531840]'
lrwxrwxrwx 1 root root 0 Jan 16 22:06 net -> 'net:[4026532000]'
lrwxrwxrwx 1 root root 0 Jan 16 22:06 pid -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Jan 16 22:06 pid_for_children -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Jan 16 22:06 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Jan 16 22:06 uts -> 'uts:[4026531838]'
ls -l /proc/$$/ns
total 0
lrwxrwxrwx 1 xlinliu xlinliu 0 Jan 16 22:05 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 xlinliu xlinliu 0 Jan 16 22:05 ipc -> 'ipc:[4026531839]'
lrwxrwxrwx 1 xlinliu xlinliu 0 Jan 16 22:05 mnt -> 'mnt:[4026531840]'
lrwxrwxrwx 1 xlinliu xlinliu 0 Jan 16 22:05 net -> 'net:[4026532000]'
lrwxrwxrwx 1 xlinliu xlinliu 0 Jan 16 22:05 pid -> 'pid:[4026531836]'
lrwxrwxrwx 1 xlinliu xlinliu 0 Jan 16 22:05 pid_for_children -> 'pid:[4026531836]'
lrwxrwxrwx 1 xlinliu xlinliu 0 Jan 16 22:05 user -> 'user:[4026531837]'
lrwxrwxrwx 1 xlinliu xlinliu 0 Jan 16 22:05 uts -> 'uts:[4026531838]'
These are identical too, which shows that they are likewise in the same namespaces; note that they differ from the container's ipc, mnt, net, pid and uts namespaces, while the cgroup and user namespace inodes are the same inside and outside the container.
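The comparison done by eye above can be automated: read the `name -> 'type:[inode]'` links under /proc/<pid>/ns for a process and for PID 1, then report in which namespaces the process is still sharing the host's namespace (that is, where it is not isolated). This is an added example, not code from the original notes; the three listings embedded below are copied from the outputs shown above (nginx master 7344, nginx worker 7376, and PID 1), and `read_proc_ns` is an assumed helper that reads a live /proc, which only works on Linux with permission to read the target process (the notes use sudo for that). Applied to the listings above it flags cgroup and user as shared with the host: with the user namespace shared, uid 0 inside the container is uid 0 on the host, which is the first thing to check when judging how well a container is isolated.

```python
"""Group processes by Linux namespace from `ls -l /proc/<pid>/ns` output.

Added example, not part of the original notes. The listings below are the
ones shown in the notes; the parser extracts "<name> -> '<type>:[<inode>]'"
pairs and the report says, per namespace, whether a process shares it with
PID 1 (shared with host) or lives in its own (isolated).
"""
import os
import re

# Listings copied from the notes (not constructed): nginx master, nginx worker, PID 1.
NGINX_MASTER = """
lrwxrwxrwx 1 root root 0 Jan 16 22:08 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Jan 16 22:08 ipc -> 'ipc:[4026532496]'
lrwxrwxrwx 1 root root 0 Jan 16 22:08 mnt -> 'mnt:[4026532494]'
lrwxrwxrwx 1 root root 0 Jan 16 22:07 net -> 'net:[4026532499]'
lrwxrwxrwx 1 root root 0 Jan 16 22:08 pid -> 'pid:[4026532497]'
lrwxrwxrwx 1 root root 0 Jan 16 22:08 pid_for_children -> 'pid:[4026532497]'
lrwxrwxrwx 1 root root 0 Jan 16 22:08 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Jan 16 22:08 uts -> 'uts:[4026532495]'
"""
NGINX_WORKER = NGINX_MASTER.replace("root root", "101 101")  # same inodes, different owner
HOST_PID1 = """
lrwxrwxrwx 1 root root 0 Jan 16 22:06 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Jan 16 22:06 ipc -> 'ipc:[4026531839]'
lrwxrwxrwx 1 root root 0 Jan 16 22:06 mnt -> 'mnt:[4026531840]'
lrwxrwxrwx 1 root root 0 Jan 16 22:06 net -> 'net:[4026532000]'
lrwxrwxrwx 1 root root 0 Jan 16 22:06 pid -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Jan 16 22:06 pid_for_children -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Jan 16 22:06 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Jan 16 22:06 uts -> 'uts:[4026531838]'
"""

# Tail of each `ls -l` line: "<link name> -> '<ns type>:[<inode>]'"
NS_LINK_RE = re.compile(r"(\w+) -> '(\w+):\[(\d+)\]'")


def parse_ns_listing(listing: str) -> dict:
    """Return {namespace link name: inode number} from `ls -l /proc/<pid>/ns` text."""
    return {name: int(inode) for name, _kind, inode in NS_LINK_RE.findall(listing)}


def read_proc_ns(pid: int) -> dict:
    """Assumed helper: same mapping read live from /proc (Linux, needs read permission)."""
    ns_dir = f"/proc/{pid}/ns"
    result = {}
    for name in os.listdir(ns_dir):
        target = os.readlink(os.path.join(ns_dir, name))  # e.g. "pid:[4026532497]"
        result[name] = int(target.split("[", 1)[1].rstrip("]"))
    return result


def shared_with(reference: dict, candidate: dict) -> list:
    """Namespace names in which `candidate` has the same inode as `reference`."""
    return sorted(n for n in candidate if n in reference and candidate[n] == reference[n])


def isolation_report(host_pid1: dict, proc: dict) -> dict:
    """Classify each namespace of `proc` relative to PID 1 of the host."""
    shared = set(shared_with(host_pid1, proc))
    return {n: ("shared with host" if n in shared else "isolated") for n in sorted(proc)}


if __name__ == "__main__":
    host = parse_ns_listing(HOST_PID1)
    master = parse_ns_listing(NGINX_MASTER)
    worker = parse_ns_listing(NGINX_WORKER)
    print("master and worker share:", shared_with(master, worker))
    for ns, state in isolation_report(host, master).items():
        print(f"{ns:17s} {state}")
```

To check a live process instead of the pasted listings, replace `parse_ns_listing(...)` with `read_proc_ns(pid)` and `read_proc_ns(1)`; any container process that reports mnt, pid or net as "shared with host" is running without that isolation and deserves a look at how it was started.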