docker image management

The concept of an image

An image can be understood as the shipping container for the application, and docker is the dock worker that loads and unloads that container.

A docker image contains the file system and the contents needed to start a container, so it is used to create and start containers.

Docker images use a layered build mechanism: the bottom layer is bootfs, with rootfs on top of it.

  • bootfs: the file system used for system boot, including the bootloader and the kernel. Once the container has started it is unmounted to save memory
  • rootfs: sits on top of bootfs and is the root file system of the docker container
    • In a traditional system, the kernel first mounts rootfs in "read-only" mode at boot; after the integrity self-check completes it is remounted in read-write mode
    • In docker, rootfs is mounted "read-only" by the kernel, and an additional "writable" layer is then mounted on top of it through the "union mount" technique

Note: when a container is deleted, its own "writable" layer is deleted with it


docker storage driver

docker provides several storage drivers that store images locally in different ways. The common drivers are:

  • AUFS
  • Overlay FS
  • Device mapper
  • Btrfs
  • Virtual file system

AUFS

AUFS (Another Union FS) is a Union FS and a file-level storage driver. It is a layered file system that can transparently overlay one or more existing file systems and merge the layers into a single view of the file system. Put simply, it lets different directories be mounted under the same virtual file system. Modifications are stacked layer by layer: however many layers lie underneath, they are all read-only, and only the topmost layer is writable. When a file needs to be modified, AUFS creates a copy of it, using CoW to copy the file from the read-only layer into the writable layer, and the modified result is kept in the writable layer. In Docker, the lower read-only layers are the image and the writable layer is the container.

AUFS is said to have about 30,000 (3W) lines of code, whereas the ext4 file system has only around 4000-5000 lines, and this code would have to be merged into the kernel. When AUFS later applied to be merged into the kernel code, Linus considered the code too poor, so AUFS has never been an in-tree file system in Linux: to use it you have to patch and compile the kernel yourself. The Red Hat family of operating systems has always been known for stability and will not do anything so unconventional, so AUFS cannot be used on Red Hat systems. Docker on Ubuntu uses AUFS by default.

Overlay FS

Overlay has been supported by the Linux kernel since 3.18 and is also a Union FS. The difference from AUFS is that Overlay has only two layers: an upper file system and a lower file system, which represent Docker's image layer and container layer respectively. When a file needs to be modified, CoW copies it from the read-only lower layer into the writable upper layer, and the result is kept in the upper layer. In Docker, the lower read-only layer is the image and the writable layer is the container. The latest OverlayFS at present is overlay2.

Both AUFS and Overlay are union file systems, but AUFS has multiple layers while Overlay has only two. With a multi-layer image, therefore, copy-on-write can be slower on AUFS when the file is large and sits in a low layer. Moreover, Overlay has been merged into the Linux kernel mainline and AUFS has not. At present, AUFS has been essentially phased out.

Device mapper

Device mapper has been supported since Linux kernel 2.6.9. It provides a mapping framework from logical devices to physical devices, under which users can easily define storage resource management policies to suit their own needs. AUFS and OverlayFS are both file-level storage, whereas device mapper is block-level storage: every operation works directly on blocks, not on files. The device mapper driver first creates a resource pool on the block device and then creates a base device with a file system on that pool; images and containers are snapshots of it. The file system seen inside the container is therefore a snapshot of the base device's file system on the pool, and no space is allocated to the container in advance. When a new file is written, new blocks are allocated for it in the container's image and the data is written there; this is allocation on demand. When an existing file is modified, CoW allocates block space for the container snapshot, copies the data to be modified into the new blocks in the container snapshot, and then modifies it there.

OverlayFS is file-level storage and device mapper is block-level storage. When a file is very large and the modification is small, Overlay copies the entire file regardless of how much is changed, so modifying a large file clearly costs more time than modifying a small one, whereas block-level storage copies only the blocks that need to be modified rather than the whole file, whether the file is large or small. In this scenario device mapper is clearly faster. Because block-level storage accesses the logical disk directly, it suits IO-intensive scenarios. For scenarios with complex program logic and high concurrency but little IO, Overlay performs relatively better.
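To make the copy-up behaviour concrete, here is an added shell simulation (not from the original post) of union-mount lookup, file-level copy-on-write and whiteout deletion over two plain directories, so it runs unprivileged without a real overlay mount. The union_* helper names, the .wh. whiteout naming borrowed from AUFS, and the sample /etc/motd file are this example's own assumptions.

```shell
#!/bin/sh
# Constructed simulation of union-mount semantics with two plain directories:
# a read-only "lower" layer (the image) and a writable "upper" layer (the
# container). Helper names are this example's own, not a Docker or kernel API.
set -eu

LAYERS=$(mktemp -d)
trap 'rm -rf "$LAYERS"' EXIT
LOWER="$LAYERS/lower"   # read-only image layer
UPPER="$LAYERS/upper"   # writable container layer
mkdir -p "$LOWER/etc" "$UPPER"

# Lookup the way a union mount does: upper wins, then lower; a whiteout
# marker in upper (AUFS-style ".wh.<name>") hides the lower file entirely.
union_read() {
    dir=$(dirname "$1"); base=$(basename "$1")
    [ -e "$UPPER/$dir/.wh.$base" ] && return 1
    [ -e "$UPPER/$1" ] && { cat "$UPPER/$1"; return 0; }
    [ -e "$LOWER/$1" ] && { cat "$LOWER/$1"; return 0; }
    return 1
}

# File-level copy-on-write: before the first modification the WHOLE file is
# copied up from lower to upper (the AUFS/overlay behaviour the text contrasts
# with device mapper's block-level copy); the write then lands in upper only.
union_append() {
    if [ ! -e "$UPPER/$1" ] && [ -e "$LOWER/$1" ]; then
        mkdir -p "$UPPER/$(dirname "$1")"
        cp "$LOWER/$1" "$UPPER/$1"
    fi
    printf '%s\n' "$2" >> "$UPPER/$1"
}

# Deletion cannot touch the read-only lower layer, so a whiteout entry is
# written to upper instead; the image's copy survives underneath.
union_delete() {
    dir=$(dirname "$1"); base=$(basename "$1")
    rm -f "$UPPER/$1"
    mkdir -p "$UPPER/$dir"
    : > "$UPPER/$dir/.wh.$base"
}

# Demo: the image ships /etc/motd, the container appends one line to it.
printf 'from image\n' > "$LOWER/etc/motd"
union_append etc/motd 'from container'
echo "container sees:"; union_read etc/motd
echo "image layer still holds: $(cat "$LOWER/etc/motd")"
```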

Docker registry

When a container is started, the docker daemon first tries to get the required image locally. If the image does not exist locally, it downloads it from a registry and saves it locally.

A registry stores docker images, including each image's layer hierarchy and metadata. Users can build their own registry or use the official Docker Hub.

Classification of docker registry:

  • Sponsor Registry: a third-party registry, used by customers and the Docker community
  • Mirror Registry: a third-party registry, used only by customers
  • Vendor Registry: a registry provided by the vendor that publishes the image
  • Private Registry: a registry provided by a private entity behind a firewall and an extra layer of security

Composition of docker registry:

  • Repository
    • The image repository made up of all iterated versions of one particular docker image
    • Multiple repositories can exist in one registry
      • A repository is either a "top-level repository" or a "user repository"
      • A user repository is named in the format "username/repository name"
    • Each repository can contain multiple tags, each corresponding to one image
  • Index
    • Maintains user accounts, image checksums and public namespace information
    • Equivalent to a retrieval interface for the registry that also handles user authentication and similar functions

Images in a Docker Registry are usually built by developers and then pushed to a "public" or "private" registry for others to use, for example to "deploy" to the production environment.


Making a Docker image

Making an nginx image based on the centos image

Download the centos image
[root@Aimmi ~]# docker pull centos
Using default tag: latest
latest: Pulling from library/centos
a1d0c7532777: Pull complete 
Digest: sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177
Status: Downloaded newer image for centos:latest
docker.io/library/centos:latest

[root@Aimmi ~]# docker images
REPOSITORY   TAG       IMAGE ID       CREATED        SIZE
busybox      latest    d23834f29b38   2 days ago     1.24MB
httpd        latest    ad17c88403e2   13 days ago    143MB
nginx        1.20.2    aedf7f31bdab   2 weeks ago    141MB
nginx        latest    ea335eea17ab   2 weeks ago    141MB
centos       latest    5d0da3dc9764   2 months ago   231MB

Start the container using the image and enter the container
[root@Aimmi ~]# docker run -it --name centos_nginx centos /bin/bash
[root@2ee7795cf59d /]# yum -y install pcre-devel openssl openssl-devel gd-devel gcc gcc-c++ vim which make wget
[root@2ee7795cf59d /]# yum -y groups mark install 'Development Tools'
[root@2ee7795cf59d /]# useradd -r -M -s /sbin/nologin nginx
[root@2ee7795cf59d /]# mkdir -p /var/log/nginx
[root@2ee7795cf59d /]# chown -R nginx.nginx /var/log/nginx
[root@2ee7795cf59d /]# cd /usr/src/
[root@2ee7795cf59d src]# wget http://nginx.org/download/nginx-1.21.4.tar.gz
--2021-12-02 18:07:22--  http://nginx.org/download/nginx-1.21.4.tar.gz
Resolving nginx.org (nginx.org)... 52.58.199.22, 3.125.197.172, 2a05:d014:edb:5702::6, ...
Connecting to nginx.org (nginx.org)|52.58.199.22|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1070260 (1.0M) [application/octet-stream]
Saving to: 'nginx-1.21.4.tar.gz'

nginx-1.21.4.tar.gz   100%[======================>]   1.02M   232KB/s    in 4.7s    

2021-12-02 18:07:27 (220 KB/s) - 'nginx-1.21.4.tar.gz' saved [1070260/1070260]

[root@2ee7795cf59d src]# ls
debug  kernels  nginx-1.21.4.tar.gz
[root@2ee7795cf59d src]# tar xf nginx-1.21.4.tar.gz 
[root@2ee7795cf59d src]# cd nginx-1.21.4
[root@2ee7795cf59d nginx-1.21.4]# ./configure \
--prefix=/usr/local/nginx \
--user=nginx \
--group=nginx \
--with-debug \
--with-http_ssl_module \
--with-http_realip_module \
--with-http_image_filter_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log

[root@2ee7795cf59d nginx-1.21.4]# make -j $(grep 'processor' /proc/cpuinfo | wc -l) && make install
[root@2ee7795cf59d nginx-1.21.4]# echo 'export PATH=/usr/local/nginx/sbin:$PATH' > /etc/profile.d/nginx.sh
[root@2ee7795cf59d nginx-1.21.4]# . /etc/profile.d/nginx.sh
[root@2ee7795cf59d nginx-1.21.4]# which nginx
/usr/local/nginx/sbin/nginx
[root@2ee7795cf59d nginx-1.21.4]# nginx 
[root@2ee7795cf59d nginx-1.21.4]# ss -antl
State    Recv-Q   Send-Q      Local Address:Port       Peer Address:Port   Process   
LISTEN   0        128               0.0.0.0:80              0.0.0.0:*                

Configure nginx to start in foreground mode
[root@2ee7795cf59d nginx-1.21.4]# vim /usr/local/nginx/conf/nginx.conf
daemon off;    # add this line so nginx runs in the foreground
[root@2ee7795cf59d nginx-1.21.4]# nginx -s reload

When committing the image, the container must not be stopped; it has to keep running, so open another terminal on the host and perform the commit there.

[root@Aimmi ~]# docker commit -m "centos_nginx01" -a 'zs <1642453107@qq.com>' -c 'CMD ["/usr/local/nginx/sbin/nginx"]' centos_nginx aimmi/source_nginx:v1
sha256:9cf1fec52af52ac21b6fc093454b044150062e7d8a0e3e7f664cc596e7858a1f
[root@Aimmi ~]# docker images
REPOSITORY           TAG       IMAGE ID       CREATED          SIZE
aimmi/source_nginx   v1        9cf1fec52af5   21 seconds ago   577MB
busybox              latest    d23834f29b38   2 days ago       1.24MB
httpd                latest    ad17c88403e2   13 days ago      143MB
nginx                1.20.2    aedf7f31bdab   2 weeks ago      141MB
nginx                latest    ea335eea17ab   2 weeks ago      141MB
centos               latest    5d0da3dc9764   2 months ago     231MB


Start and map ports
[root@Aimmi ~]# docker run --name nginx01 -p 8080:80 -d aimmi/source_nginx:v1
6a9622c934f981da17ce5e943d2656c44336a38cdd7094a7dec13c773f439a23
[root@Aimmi ~]# docker ps
CONTAINER ID   IMAGE                   COMMAND                  CREATED          STATUS          PORTS                                   NAMES
6a9622c934f9   aimmi/source_nginx:v1   "/usr/local/nginx/sb..."   20 seconds ago   Up 19 seconds   0.0.0.0:8080->80/tcp, :::8080->80/tcp   nginx01
3171335d2408   centos                  "/bin/bash"              9 minutes ago    Up 9 minutes                                            centos_nginx
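The same build expressed as a Dockerfile, added here as an example rather than the post's own code, so the image is rebuilt from a recipe instead of being committed from a hand-edited container. It assumes the centos:latest digest from the docker pull output above, the nginx 1.21.4 tarball and configure flags used above, and an image tag aimmi/source_nginx:v2 and container name nginx02 that are this example's own.

```shell
#!/bin/sh
# Added example: generates a Dockerfile equivalent to the interactive build
# above. The base image is pinned to the digest shown by 'docker pull centos'
# on this page rather than the mutable 'latest' tag; nginx is kept in the
# foreground with '-g daemon off;' instead of editing nginx.conf by hand.
set -eu

NGINX_VER="1.21.4"
CENTOS_DIGEST="sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177"

# Write the Dockerfile to the path given as $1.
write_dockerfile() {
    cat > "$1" <<EOF
# Pin the base image by digest rather than by the mutable latest tag
FROM centos@${CENTOS_DIGEST}
RUN yum -y install pcre-devel openssl openssl-devel gd-devel gcc gcc-c++ which make wget \\
 && yum -y groups mark install 'Development Tools' \\
 && useradd -r -M -s /sbin/nologin nginx \\
 && mkdir -p /var/log/nginx && chown -R nginx:nginx /var/log/nginx
WORKDIR /usr/src
RUN wget http://nginx.org/download/nginx-${NGINX_VER}.tar.gz \\
 && tar xf nginx-${NGINX_VER}.tar.gz \\
 && cd nginx-${NGINX_VER} \\
 && ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-debug \\
      --with-http_ssl_module --with-http_realip_module --with-http_image_filter_module \\
      --with-http_gunzip_module --with-http_gzip_static_module --with-http_stub_status_module \\
      --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log \\
 && make -j "\$(nproc)" && make install \\
 && rm -rf /usr/src/nginx-${NGINX_VER}*
ENV PATH=/usr/local/nginx/sbin:\$PATH
EXPOSE 80
# -g 'daemon off;' keeps nginx in the foreground without editing nginx.conf
CMD ["/usr/local/nginx/sbin/nginx", "-g", "daemon off;"]
EOF
}

BUILD_DIR=$(mktemp -d)
write_dockerfile "$BUILD_DIR/Dockerfile"
echo "Dockerfile written to $BUILD_DIR/Dockerfile"
# Pass 'build' as the first argument to build and start it (needs dockerd):
if [ "${1:-}" = "build" ]; then
    docker build -t aimmi/source_nginx:v2 "$BUILD_DIR"
    docker run --name nginx02 -p 8080:80 -d aimmi/source_nginx:v2
fi
```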

Push the image to the repository

[root@Aimmi ~]# docker login
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@Aimmi ~]# docker push aimmi/source_nginx:v1
The push refers to repository [docker.io/aimmi/source_nginx]
677db78415cc: Pushed 
74ddd0ec08fa: Mounted from library/centos 
v1: digest: sha256:4d64acf600a538d49ad74fd9e059c3d4520da692739856a2b3b68b056f68337c size: 742

[root@Aimmi ~]# docker inspect nginx01
"Gateway": "172.17.0.1",
"IPAddress": "172.17.0.3",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:11:00:03",
"DriverOpts": null

[root@Aimmi ~]# curl 172.17.0.3
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Posted on Thu, 02 Dec 2021 14:36:25 -0500 by Pudgemeister