Docker&Kubernetes ❀ Docker image镜像原理解析与分层理论说明

Posted 2022-02-17 无糖可乐没有灵魂

文章目录

• 1、联合文件系统 - UnionFS
• 2、Docker镜像加载原理
• • 2.1 Bootfs
  • 2.2 Rootfs
• 3、分层的镜像
• • 3.1 容器服务特点
• 4、Commit操作补充

镜像 Image 是一种轻量级、可执行的独立软件包，用来打包软件运行环境和基于运行环境开发的软件，它包含运行某个软件所需的所有内容，包括代码、运行时、库、环境变量和配置文件；

1、联合文件系统 - UnionFS

---

联合文件系统 UnionFS：是一种分层、轻量级并且高性能的文件系统，它支持对文件系统的修改作为一次提交来一层层的叠加，同时可以将不同目录挂载到同一个虚拟文件系统下（unite several directories into a single virtual filesystem）Union文件系统是Docker镜像的基础，镜像可以通过分层来进行继承，基于基础镜像可以制作各种具体的应用镜像；
一次同时加载多个文件系统，但是从外面看起来只能看到一个文件系统，联合加载会把各层文件系统叠加起来，这样最终的文件系统包含所有底层的文件和目录；

2、Docker镜像加载原理

---

Docker的镜像实际上是由一层一层的文件系统组成，这种层级的文件系统称为UnionFS；

2.1 Bootfs

主要包含BootLoader和kernel，BootLoader主要是引导加载kernel，Linux刚启动时会加载bootfs文件系统，在Docker镜像的最底层是bootfs，，这一层与我们典型的Linux/Unix系统是一致的，包含boot加载器和内核，当boot加载完成后整个内核都在内存中，此时内存的使用权已由bootfs转交给内核，此时系统也会卸载bootfs；

2.2 Rootfs

在bootfs之上，包含的就是典型Linux系统中的/dev、/proc、/bin、/etc等标准目录和文件，rootfs就是各种不同操作系统的发行版本，如ubuntu、centos等；

[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos latest 300e315adb2f 3 months ago 209MB

平时我们安装的虚拟机CentOS都是几个G，为什么Docker显示才200M？

对于一个精简的操作系统，Rootfs可以很小，只需要包括最基本的命令、工具和程序就可以了，因为底层直接用宿主机的kernel，本机只需要提供rootfs即可，由此可见对于不同的Linux发行版本，bootfs基本是一致的，rootfs会有较大差别，因此不同的发行版本可以公用bootfs；(lost+found目录中记录了导出的容器或镜像的临时数据与相关信息)

3、分层的镜像

---

以pull命令为例，可以观察到Docker的镜像在下载的时候是一层一层加载的；

[root@localhost ~]# docker pull tomcat
Using default tag: latest
latest: Pulling from library/tomcat
b9a857cbf04d: Pull complete 
d557ee20540b: Pull complete 
3b9ca4f00c2e: Pull complete 
667fd949ed93: Pull complete 
661d3b55f657: Pull complete 
511ef4338a0b: Pull complete 
a56db448fefe: Pull complete 
00612a99c7dc: Pull complete 
326f9601c512: Pull complete 
c547db74f1e1: Pull complete 
Digest: sha256:94cc18203335e400dbafcd0633f33c53663b1c1012a13bcad58cced9cd9d1305
Status: Downloaded newer image for tomcat:latest
docker.io/library/tomcat:latest

使用分层式镜像最大的好处就是可以共享资源；
假设有多个镜像都从相同的base镜像构建而来，那么宿主机只需要在磁盘上保存一份base镜像即可，同时内存中也只需要加载一份base镜像，就可以为所有的容器提供服务，而且镜像的每一层都是可以被共享使用的；

3.1 容器服务特点

• docker镜像都是只读的；
• 当容器启动时，一个新的可写层呗加载到镜像的顶部，这一层通常被称为 容器层，容器层下面都称为 镜像层；

4、Commit操作补充

---

commit 提交容器副本使之成为一个新的镜像；
命令格式：docker commit -m="提交的描述信息" -a="作者信息" 容器ID 创建的镜像名称:[标签名]

[root@localhost ~]# docker commit -a="zxc" -m="tomcat with zxc" a6f43a8fda6f atguigu/mytomcat:1.2
sha256:def3b3467c2bff15d27e763d8c526c19951cdea6400d4a3eb682f3b78562736d

[root@localhost ~]# docker images
REPOSITORY         TAG       IMAGE ID       CREATED          SIZE
atguigu/mytomcat   1.2       def3b3467c2b   12 seconds ago   649MB
tomcat             latest    040bdb29ab37   7 weeks ago      649MB
[root@localhost ~]# docker run -it -p 7777:8080 atguigu/mytomcat:1.2 		#指定端口映射；
[root@localhost ~]# docker run -it -P atguigu/mytomcat:1.2 					#随机端口映射；
[root@localhost ~]# docker run -d -P atguigu/mytomcat:1.2 					#后台启动；
9f32c842429fa6f61c7d8702e5e5761ef6b14f25b1d8140ca8033d7d623a8f67

[root@localhost ~]# docker ps -a
CONTAINER ID   IMAGE                  COMMAND             CREATED          STATUS                       PORTS                     NAMES
3775ae2d69a9   atguigu/mytomcat:1.2   "catalina.sh run"   7 seconds ago    Up 2 seconds                 0.0.0.0:7777->8080/tcp    wizardly_thompson
5d8ffce85d78   atguigu/mytomcat:1.2   "catalina.sh run"   17 seconds ago   Up 15 seconds                0.0.0.0:49154->8080/tcp   busy_murdock
9f32c842429f   atguigu/mytomcat:1.2   "catalina.sh run"   55 seconds ago   Up 54 seconds                0.0.0.0:49153->8080/tcp   tender_jepsen

在创建某个容器时，系统会自动创建其相关文件目录，内容如下：

#创建一个新容器
[root@localhost ~]# docker run --name test-001 -it -d centos
d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e
#寻找系统对应创建的容器相关文件路径
[root@localhost ~]# find / -name hostconfig.json
/var/lib/docker/containers/d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e/hostconfig.json
#切换到该目录下
[root@localhost ~]# cd /var/lib/docker/containers/
#查看目录下文件
[root@localhost containers]# ll
total 0
drwx-----x. 4 root root 237 Nov 18 00:00 d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e
#切换目录
[root@localhost containers]# cd d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e/
#查看目录下文件
[root@localhost d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e]# ll
total 24
drwx------. 2 root root    6 Nov 18 00:00 checkpoints
-rw-------. 1 root root 2751 Nov 18 00:00 config.v2.json						#v2版本的json配置文件；
-rw-r-----. 1 root root    0 Nov 18 00:00 d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e-json.log		#日志文件；
-rw-r--r--. 1 root root 1472 Nov 18 00:00 hostconfig.json				        #V1版本的json配置文件；
-rw-r--r--. 1 root root   13 Nov 18 00:00 hostname								#容器主机名称；
-rw-r--r--. 1 root root  174 Nov 18 00:00 hosts									#容器hosts文件；
drwx-----x. 2 root root    6 Nov 18 00:00 mounts						
		-rw-r--r--. 1 root root   57 Nov 18 00:00 resolv.conf					#容器DNS文件；
-rw-r--r--. 1 root root   71 Nov 18 00:00 resolv.conf.hash
[root@localhost d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e]# cat d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e-json.log 
[root@localhost d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e]# cat hostname 
d926447f78fd
[root@localhost d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e]# cat hosts 
127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.17.0.2	d926447f78fd
[root@localhost d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e]# cat resolv.conf
# Generated by NetworkManager
nameserver 114.114.114.114
[root@localhost d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e]# cat hostconfig.json 
"Binds":null,"ContainerIDFile":"","LogConfig":"Type":"json-file","Config":,"NetworkMode":"default","PortBindings":,"RestartPolicy":"Name":"no","MaximumRetryCount":0,"AutoRemove":false,"VolumeDriver":"","VolumesFrom":null,"CapAdd":null,"CapDrop":null,"CgroupnsMode":"host","Dns":[],"DnsOptions":[],"DnsSearch":[],"ExtraHosts":null,"GroupAdd":null,"IpcMode":"private","Cgroup":"","Links":null,"OomScoreAdj":0,"PidMode":"","Privileged":false,"PublishAllPorts":false,"ReadonlyRootfs":false,"SecurityOpt":null,"UTSMode":"","UsernsMode":"","ShmSize":67108864,"Runtime":"runc","ConsoleSize":[0,0],"Isolation":"","CpuShares":0,"Memory":0,"NanoCpus":0,"CgroupParent":"","BlkioWeight":0,"BlkioWeightDevice":[],"BlkioDeviceReadBps":null,"BlkioDeviceWriteBps":null,"BlkioDeviceReadIOps":null,"BlkioDeviceWriteIOps":null,"CpuPeriod":0,"CpuQuota":0,"CpuRealtimePeriod":0,"CpuRealtimeRuntime":0,"CpusetCpus":"","CpusetMems":"","Devices":[],"DeviceCgroupRules":null,"DeviceRequests":null,"KernelMemory":0,"KernelMemoryTCP":0,"MemoryReservation":0,"MemorySwap":0,"MemorySwappiness":null,"OomKillDisable":false,"PidsLimit":null,"Ulimits":null,"CpuCount":0,"CpuPercent":0,"IOMaximumIOps":0,"IOMaximumBandwidth":0,"MaskedPaths":["/proc/asound","/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware"],"ReadonlyPaths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"]
[root@localhost d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e]# cat config.v2.json 
"StreamConfig":,"State":"Running":true,"Paused":false,"Restarting":false,"OOMKilled":false,"RemovalInProgress":false,"Dead":false,"Pid":97443,"ExitCode":0,"Error":"","StartedAt":"2021-11-17T16:00:08.569706704Z","FinishedAt":"0001-01-01T00:00:00Z","Health":null,"ID":"d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e","Created":"2021-11-17T16:00:08.195246791Z","Managed":false,"Path":"/bin/bash","Args":[],"Config":"Hostname":"d926447f78fd","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":true,"OpenStdin":true,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/bin/bash"],"Image":"centos","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":"org.label-schema.build-date":"20210915","org.label-schema.license":"GPLv2","org.label-schema.name":"CentOS Base Image","org.label-schema.schema-version":"1.0","org.label-schema.vendor":"CentOS","Image":"sha256:5d0da3dc976460b72c77d94c8a1ad043720b0416bfc16c52c45d4847e53fadb6","NetworkSettings":"Bridge":"","SandboxID":"e4d76532b01142b603ab8e7c37fb8dd37894554ac1344f354233a6d3566e0ae4","HairpinMode":false,"LinkLocalIPv6Address":"","LinkLocalIPv6PrefixLen":0,"Networks":"bridge":"IPAMConfig":null,"Links":null,"Aliases":null,"NetworkID":"edad5cd6d9c6f41d487427d665e4456f5185044d4b9bb14ede4c829e0868a695","EndpointID":"fd81f7a7874a53c248e8551dacc59b84cfab1a4c77c4453fec39a358e85243cd","Gateway":"172.17.0.1","IPAddress":"172.17.0.2","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"02:42:ac:11:00:02","DriverOpts":null,"IPAMOperational":false,"Service":null,"Ports":,"SandboxKey":"/var/run/docker/netns/e4d76532b011","SecondaryIPAddresses":null,"SecondaryIPv6Addresses":null,"IsAnonymousEndpoint":false,"HasSwarmEndpoint":false,"LogPath":"/var/lib/docker/containers/d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e/d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e-json.log","Name":"/test-001","Driver":"overlay2","OS":"linux","MountLabel":"","ProcessLabel":"","RestartCount":0,"HasBeenStartedBefore":true,"HasBeenManuallyStopped":false,"MountPoints":,"SecretReferences":null,"ConfigReferences":null,"AppArmorProfile":"","HostnamePath":"/var/lib/docker/containers/d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e/hostname","HostsPath":"/var/lib/docker/containers/d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e/hosts","ShmPath":"","ResolvConfPath":"/var/lib/docker/containers/d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e/resolv.conf","SeccompProfile":"","NoNewPrivileges":false,"LocalLogCacheMeta":"HaveNotifyEnabled":false
[root@localhost d926447f78fdad90d00e8d3fa442fee445cb7b999f8b771ccfe1b1c54e091d6e]#