{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"作者:劉獎"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"此文轉載至微信公衆號:雲巔論劍"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"背景"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/3f/3f2377d5e16099046179156338a82495.png","alt":null,"title":"","style":[{"key":"width","value":"25%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"“"},{"type":"text","marks":[{"type":"italic"}],"text":"雲原生技術有利於各組織在"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"公有云、私有云和混合雲"},{"type":"text","marks":[{"type":"italic"}],"text":"等新型動態環境中,構建和運行"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"可彈性擴展"},{"type":"text","marks":[{"type":"italic"}],"text":"的應用。雲原生的代表技術包括"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"容器、服務網格、微服務、不可變基礎設施和聲明式API"},{"type":"text","marks":[{"type":"italic"}],"text":"。”"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"聊容器技術避不開雲原生,聊雲原生也避不開容器技術。容器技術和雲原生就是一對雙螺旋體,"},{"type":"text","marks":[{"type":"strong"}],"text":"容器技術催生了雲原生思潮,雲原生生態推動了容器技術發展"},{"type":"text","text":"。從2013年docker(container)技術誕生,到2015年CNCF這個雲原生領域重量級聯盟便成立,這不是歷史的巧合而是歷史的必然。作爲雲原生關鍵技術之一的容器,從2013年誕生以來一直是行業關注的焦點之一。借用一張業界廣泛引用的雲原生容器技術進階圖來了解一下容器技術和雲原生誕生的歷史背景。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ce/ce6ce889c58ef342a4b16f8237b64ec3.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"先讓我們一起來看看容器技術發展的歷史紀年表,先直觀感受一下這片如火如荼的熱土吧!"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#202122","name":"user"}}],"text":"1979年,"},{"type":"text","text":"Unix v7系統支持chroot,爲應用構建一個獨立的虛擬文件系統視圖。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1999年,FreeBSD 4.0支持jail,第一個商用化的OS虛擬化技術。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2004年,Solaris 10支持Solaris Zone,第二個商用化的OS虛擬化技術。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2005年,OpenVZ發佈,非常重要的Linux OS虛擬化技術先行者。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2004年 ~ 2007年,Google 內部大規模使用 Cgroups 等的OS虛擬化技術。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2006年,Google開源內部使用的process container技術,後續更名爲cgroup。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2008年,Cgroups 進入了 Linux 內核主線。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2008年,LXC(Linux Container)項目具備了Linux容器的雛型。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2011年,CloudFoundry開發Warden系統,一個完整的容器管理系統雛型。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2013年,Google通過"},{"type":"text","text":"Let Me Contain That For You"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#07242D","name":"user"}}],"text":" (LMCTFY) "},{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"開源內部容器系統。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2013年,Docker項目正式發佈,讓Linux容器技術逐步席捲天下。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2014年,Kubernetes項目正式發佈,容器技術開始和編排系統起頭並進。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2015年,由Google,Redhat、Microsoft及一些大型雲廠商共同創立了CNCF,雲原生浪潮啓動。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2016年-2017年,容器生態開始模塊化、規範化。CNCF接受Containerd、rkt項目,OCI發佈1.0,CRI/CNI得到廣泛支持。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2017年-2018年,容器服務商業化。AWS ECS,Google EKS,Alibaba ACK/ASK/ECI,華爲CCI,Oracle Container Engine for Kubernetes;VMware,Redhat和Rancher開始提供基於Kubernetes的商業服務產品。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2017年-2019年,容器引擎技術飛速發展,新技術不斷湧現。2017年底Kata Containers社區成立,2018年5月Google開源gVisor代碼,2018年11月AWS開源firecracker,阿里雲發佈安全沙箱1.0。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2020年-202x年,容器引擎技術升級,Kata Containers開始2.0架構,阿里雲發佈沙箱容器2.0...."}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"整理容器技術近20年的發展歷史,大致可以將其分爲四個歷史階段,下文將詳細介紹這四個歷史階段。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/64/646b2bdb2cfca4d0a2743b1a24605a77.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"技術萌芽期"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/3f/3f2377d5e16099046179156338a82495.png","alt":null,"title":"","style":[{"key":"width","value":"25%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器技術需要解決的核心問題之一運行時的環境隔離。容器的運行時環境隔離,目標是給容器構造一個無差別的運行時環境,用以在任意時間、任意位置運行容器鏡像。由於docker的佈道,大家習慣性認爲容器的運行時環境隔離就是OS虛擬化,或則容器等於namespace + cgroup + 安全防護機制。我不太贊同這種看法,這個只是一段歷史時期、一種容器運行時的實現技術,還有很多種其它可能的技術方案來實現容器運行環境。所以,回到需求的本源:"},{"type":"text","marks":[{"type":"strong"}],"text":"容器需要運行時隔離技術來保證容器的運行環境符合預期"},{"type":"text","text":"。習慣上,大家把這種實現容器隔離技術的組件叫做容器運行時。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"從另外一個角度看,"},{"type":"text","marks":[{"type":"strong"}],"text":"容器隔離技術解決的是資源供給問題"},{"type":"text","text":"。爲啥需要容器隔離技術來解決資源供給問題呢?成也蕭何,敗也蕭何!摩爾定律實在太過強大,它讓我們有了越來越多的計算資源可以使用。10年前做小型機時,小型機的典型規格是32路8核CPU,現在一臺4路PC服務器計算能力都超過10年前的小型機服務器。小型機的典型用法是把整機切分爲多個分區使用。觀察當下雲服務硬件發展趨勢,越來越有熟悉的感覺,我們在把小型機相關技術“軍轉民”。現在我們一臺PC服務器擁有了非常強大的、能和十年前小型機媲美的計算能力,巧合的是當下PC服務器的典型用法也和十年前的小型機用法類似,切割爲1-8vCPU的虛擬機/容器使用。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"爲什麼人們總是習慣於把一個大的服務器資源切分爲小的分區使用而不是研發能夠充分發揮大型服務器整機計算能力的軟件呢?個人認爲背後有兩個制約因素:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"待解決問題本身內在的並行度有限"},{"type":"text","text":"。隨着多核多處理器系統的日益普及,IT行業從2004年開始進行串行編程到並行編程的升級改造。開始階段針對特定行業應用的並行化改造效果非常明顯,但是後來發現隨着並行度提高改造成本越來越大、收益卻越來越低。受"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#222222","name":"user"}}],"text":"阿姆達爾"},{"type":"text","text":"定律制約,解決特定問題的並行度超過一定臨界點之後收益將逐漸變小。所以一味提高系統並行度並不是經濟的做法。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"人類智力有限"},{"type":"text","text":"。受人類智力限制,系統越複雜、並行度越高,軟件越容易出故障,軟件維護代價成指數級增長。所以,從軟件工程看,大家也趨向於接口化、模塊化、單元化的軟件架構設計,儘量控制軟件的複雜度,降低工程成本。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"從經驗看,1-8個CPU的並行度是軟件工程的舒適區,這個也是容器化、微服務等技術背後的驅動因素之一。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"有點跑題了。。。總之,基於隔離的資源供給不是僞需求。對於軟件運行環境的隔離要求,從操作系統出現之初就有了。多任務分時操作系統和進程虛擬地址都是爲了解決多個任務運行在同一臺主機上的資源共享問題,讓每個進程都以爲自己獨佔主機。當然僅僅是進程隔離是遠遠不夠的。縱觀當前的資源隔離技術,我們大致可以將資源隔離技術分成5類:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/28/28b66aa06773012f9f8fc8c1b96789d6.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"進程隔離"},{"type":"text","text":"。OS以進程作爲Task運行過程的抽象,進程擁有獨立的地址空間和執行上下文,本質上OS對進程進行了CPU和內存虛擬化。但是進程之間還共享了文件系統、網絡協議棧、IPC通信空間等多種資源,進程之間因爲資源爭搶導致的干擾很嚴重。這個層級的隔離適合在不同的主機上運行單個用戶的不同程序,由用戶通過系統管理手段來保證資源分配與安全防護等問題。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"OS虛擬化"},{"type":"text","text":"。OS隔離,也就是大家常說的操作系統虛擬化(OS virtualization),是進程隔離的昇華版。進程隔離是爲每個進程實現了單獨的地址空間及CPU上下文,OS隔離則是利用操作系統分身術爲每一組進程實例構造出一個獨立的OS環境,以進一步虛擬化文件系統、網絡協議棧、IPC通信空間、進程ID、用戶ID等OS資源。OS隔離需要解決三個核心問題:獨立視圖、訪問控制及安全防護。Chroot、Linux namespace機制爲進程組實現獨立視圖,cgroup對進程組進行訪問控制,而Capabilities、Apparmor、seccomp等機制則實現安全防護。當然,OS是一個非常複雜、動態變化的系統,OS分身術雖然讓進程組感覺有了獨立的OS,但是真實實現還是一個OS實例,所以整體防護能力還是堪憂。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"硬件虛擬化"},{"type":"text","text":"。OS虛擬化是實現OS內核的分身術,而硬件虛擬化則是實現硬件設備的分身術。硬件虛擬化技術的出現,讓同一個物理服務器上能夠同時運行多個操作系統,每個操作系統都認爲自己在管理一臺完整的服務器。不同操作系統之間是嚴格隔離的,Guest操作系統對硬件的訪問都是受VMM或CPU的嚴格監管的。硬件虛擬化既有很好的安全性,也有很好的隔離性,缺點就是引入的硬件虛擬化層導致了額外的性能開銷。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"硬件分區"},{"type":"text","text":"。這個是傳統小型機體系採用的資源分隔技術,就是從硬件或固件層徹底把一臺大型服務器分隔爲多個硬件單元,從而獲得最高等級的安全性和隔離性。但是小型機作爲一個逐步沒落的技術路線,其不足之處還是顯而易見的:資源分隔粒度不靈活、系統成本偏高、系統可擴展性受限。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"語言運行時隔離"},{"type":"text","text":"。對於Java、nodejs等需要language runtime的managed language,我們還有一個選項,就是在language runtime裏實現隔離。針對函數計算等雲原生服務,理論上在語言運行時實現隔離機制是最優路徑。但是這條路線目前實現上還有不少現實的制約,所以目前多數函數計算還是採用的容器/VM技術來實現的隔離。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在OS虛擬化這條技術路線上,最大的技術貢獻來源於Google。2003-2006年,Google陸續發佈的“三駕馬車”,奠定了大數據計算的框架,隨後進一步創造了“雲”的概念。也是從這時期開始,進程隔離技術進入了一個更高級的階段。在 Google 提出的雲計算框架下,被隔離的進程不僅僅是一個與外界隔絕但本身卻巍然不動的 Jail,它們更需要像一個個輕便的容器,除了能夠與外界隔離之外,還要能夠被控制與調配,從而實現分佈式應用場景下的跨平臺、高可用、可擴展等特性。2006年,Google推出Process Containers,用來對一組進程進行限制、記賬、隔離資源(CPU、內存、磁盤 I/O、網絡等)。由於技術更加成熟,Process Container 在 2006 年正式推出後,第二年就進入了 Linux 內核主幹,並正式更名爲 Cgroups,標誌着 Linux 陣營中“容器”的概念開始被重新審視和實現。在 2008 年,通過將 Cgroups 的資源管理能力和 Linux Namespace (命名空間)的視圖隔離能力組合在一起,一項完整的容器技術 LXC (Linux Container)出現在了 Linux 內核中,這就是如今被廣泛應用的容器技術的實現基礎。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"總體看,在2013年docker被髮明以前,Linux操作系統已經大體上解決了容器核心技術之一的運行環境隔離技術,或者說Linux OS虛擬化技術已經基本上成型了。"},{"type":"text","text":"雖然容器運行環境隔離技術已經基本就位,我們仍需等待另外一項關鍵技術才能迎來容器技術的騰飛時刻。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"技術迸發期"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/3f/3f2377d5e16099046179156338a82495.png","alt":null,"title":"","style":[{"key":"width","value":"25%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2013年之前,雲計算行業一直在爲雲原生的正確打開姿勢而操心。Platform as a Service(PaaS)看起來是個有前途的方向。2006年Fotango公司發佈的Zimi服務,可以說是PaaS行業的鼻祖,具有按使用付費、免運維(Serverless)、API化配置和服務等典型雲原生的特徵;2008年Google推出GAE;2011年Pivotal發佈Cloud Foundry。這些早期的PaaS平臺進行了非常有益的探索,推動了雲計算生態的健康發展,但是這些早期探索技術並沒有形成大的行業趨勢,而是侷限在一些的特定的領域。直到Docker開源,大家才如夢方醒,原來不是方向不對,而是應用分發和交付的手段不行。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Docker真正核心的創新是容器鏡像(docker image),一種新型的應用打包、分發和運行機制。容器鏡像將應用"},{"type":"text","marks":[{"type":"strong"}],"text":"運行環境"},{"type":"text","text":",包括代碼、依賴庫、工具、資源文件和元信息等,打包成一種"},{"type":"text","marks":[{"type":"strong"}],"text":"操作系統發行版無關"},{"type":"text","text":"的"},{"type":"text","marks":[{"type":"strong"}],"text":"不可變更"},{"type":"text","text":"軟件包。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器鏡像打包了整個容器運行依賴的環境,以避免依賴運行容器的服務器的操作系統,從而實現“build once,run anywhere”。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器鏡像一但構建完成,就變成read only,成爲不可變基礎設施的一份子。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"操作系統發行版無關,核心解決的是容器進程對操作系統包含的庫、工具、配置的依賴,但是容器鏡像無法解決容器進程對內核特性的特殊依賴。這個在實際使用容器的過程中也經常跳進這個大坑:"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Docker的宣傳口號是“Build,Ship and Run Any App,Anywhere”。我們已經理解了docker通過container image解決“Run Anywhere”的機制,那麼“Run Any App”是如何實現的呢?其實也是依賴container image,用戶可以打包任何容器進程所依賴的環境,而不用改造應用來適配PaaS定義的運行環境。真是“Run Any App”一舉打破了PaaS行業面臨的困境,創造出了無限的可能性,大力推動了雲原生的發展。讓我們一起來向這個偉大的創意致敬!"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/89/898efcf4a723c46724c82c6eeab0c712.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"至此,容器技術體系已經解決了最核心的兩個問題:"},{"type":"text","marks":[{"type":"strong"}],"text":"如何發佈軟件"},{"type":"text","text":"和"},{"type":"text","marks":[{"type":"strong"}],"text":"如何運行軟件,"},{"type":"text","text":"騰飛時刻即將到來。2014年前司前老闆對我說“別成天搞Linux kernel了,要不你看看docker?” 經過短暫的調研,我給了前老闆一個簡單而清晰的回答,“無它,唯打包工具爾!”因爲這個回答,雲原生爲我打開的一扇大門就悄悄關上了。回想一下歷史,有時也挺懊悔的,因爲自己太年輕而沒有看清楚容器技術 + 編排系統的威力,更沒有體會到雲原生即將到來的氣息!"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Docker作爲一個單機軟件打包、發佈、運行系統,其價值是非常巨大的;但是僅僅將docker技術侷限在單機範圍不能發揮這個創新技術的最大價值,自然下一步業界希望基於docker技術構建一個雲化的集羣系統,來對業務容器進行編排管理。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"聊到容器編排系統,我們需要從Google聊起。2008年,Google 基於 LXC 推出首款應用託管平臺 GAE (Google App Engine),首次把開發平臺當做一種服務來提供。GAE 是一種分佈式平臺服務,Google 通過虛擬化技術爲用戶提供開發環境、服務器平臺、硬件資源等服務,用戶可以在平臺基礎上定製開發自己的應用程序並通過 Google 的服務器和互聯網資源進行分發。Google 在 GAE 中使用了一個能夠對 LXC 進行編排和調度的工具 —— Borg (Kubernetes 的前身)。Borg 是 Google 內部使用的大規模集羣管理系統,可以承載十萬級的任務、數千個不同的應用、同時管理數萬臺機器。Borg 通過權限管理、資源共享、性能隔離等來達到高資源利用率。它能夠支持高可用應用,並通過調度策略減少出現故障的概率,提供了任務描述語言、實時任務監控、分析工具等。如果說一個個隔離的容器是集裝箱,那麼 Borg 可以說是最早的港口系統,而 LXC + Borg 就是最早的容器編排框架。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2013年docker推出之後迅速席捲全球,2014年Google基於內部使用的Borg系統創建了開源項目Kubernetes(簡稱K8S),用於解決大規模集羣的容器部署、運行、管理等問題。Kubernetes在容器的基礎上增加了一層的新的管理抽象Pod,以便更好地利用容器進行應用的功能模塊切分。得益於 Google 在大規模集羣基礎設施建設的強大積累,脫胎於 Borg 的 K8S 很快成爲了行業的標準應用,堪稱容器編排的必備工具。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"作爲迴應,Docker公司在2015年發佈的Docker 1.12版本中也加入了一個容器集羣管理系統Docker swarm,以及配套的Docker machine、Docker Compose等工具,力圖構建完善的容器編排系統,和Kubernetes展開正面競爭。從此,容器江湖分爲兩大陣營:Google派和Docker派;而容器編排系統則是Kubernetes,Docker Swarm和Apache Mesos三國並立。各大派系的競爭愈演愈烈,逐漸延伸到行業標準的建立之爭。讓我們一起來回憶一下這段風起雲湧的江湖歷史吧!"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2013年Docker公司推出docker之後,緊接着CoreOS 應運而生。CoreOS 是一個基於 Linux 內核的輕量級操作系統,專爲雲計算時代計算機集羣的基礎設施建設而設計,擁有自動化、易部署、安全可靠、規模化等特性。其在當時有一個非常顯眼的標籤:"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#333333","name":"user"}},{"type":"strong"}],"text":"專爲容器設計的操作系統"},{"type":"text","text":"。藉着 Docker 的東風,CoreOS 迅速在雲計算領域躥紅,一時間,Docker + CoreOS 成爲業內容器部署的黃金搭檔。同時,CoreOS 也爲 Docker 的推廣與社區建設做出了巨大的貢獻。然而,日漸壯大的 Docker 似乎有着更大的“野心”。不甘於只做“一種簡單的基礎單元”的 Docker,自行開發了一系列相關的容器組件,同時收購了一些容器化技術的公司,開始打造屬於自己的容器生態平臺。顯然,這對於 CoreOS 來說形成了直接的競爭關係。2014 年末,CoreOS 推出了自己的容器引擎 Rocket (簡稱 rkt),試圖與 Docker 分庭抗禮。rkt 和 Docker 類似,都能幫助開發者打包應用和依賴包到可移植容器中,簡化搭環境等部署工作。rkt 和 Docker 不同的地方在於,rkt 沒有 Docker 那些爲企業用戶提供的“友好功能”,比如雲服務加速工具、集羣系統等。反過來說,rkt 想做的,是一個更純粹的業界標準。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#333333","name":"user"}}],"text":"上面這段材料引至於“"},{"type":"text","text":"從虛擬化到雲原生——容器技術的發展史”,爲什麼大段大段地引用這部分材料呢?這裏面最關鍵的脈絡是"},{"type":"text","marks":[{"type":"strong"}],"text":"由於技術公司之間的商業競爭,在競爭合作之間尋找平衡從而導致了標準規範的誕生,而標準規範的誕生是整個雲原生生態最重要的基石"},{"type":"text","text":"。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器引擎(docker vs rocket)、容器編排(Docker swarm vs Kubernetes vs Apache Mesos)的相互競爭的結果就是大家坐下來談接口標準。2015年6月,Docker帶頭成立OCI,旨在“制定並維護容器鏡像格式和容器運行時的正式規範(OCI Specifications)”,其核心產出是OCI Runtime Spec(容器運行時規範)、OCI Image Spec(鏡像格式規範)、OCI Distribution Spec(鏡像分發規範)。所以"},{"type":"text","marks":[{"type":"strong"}],"text":"OCI組織解決的是容器的構建、分發和運行問題"},{"type":"text","text":"。一個月之後,Google帶頭成立了Cloud Native Computing Foundation(CNCF),旨在“構建雲原生計算 —— 一種圍繞着微服務、容器和應用動態調度的、以基礎設施爲中心的架構,並促進其廣泛使用”。所以"},{"type":"text","marks":[{"type":"strong"}],"text":"CNCF組織解決的是應用管理及容器編排問題"},{"type":"text","text":"。這兩個圍繞容器的基金會對雲原生生態的發展發揮了非常重要的作用,二者不是競爭而是相輔相成,共同制定了一系列行業事實標準。這些行業事實標準的確立,各行業注入了無限活力,基於接口的標準的具體實現不斷湧現,呈現出一片百花齊放的景象。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/99/99dad479c97c85182ac7e227370eda09.png","alt":null,"title":"image.png","style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"其中,與容器相關的最爲重要的幾個規範包括:CRI、CNI、CSI、OCI Distribution Spec、OCI Image Spec、OCI Runtime Spec和Shimv2。其中的CRI、OCI Image Spec、OCI Runtime和Shimv2規範和阿里雲沙箱容器關係非常密切。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"所以,非常感謝這個雲原生、容器技術迸發的黃金期,一羣有創意的人走到一起共同創造了這幾個關鍵的規範,爲各個廠商提供各具特色且遵循規範的技術實現提供了可能性。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"商用探索期"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/3f/3f2377d5e16099046179156338a82495.png","alt":null,"title":"","style":[{"key":"width","value":"25%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"經過5年的技術發展期,容器技術基本成熟,雲原生體系也具雛型。從2017年開始,各大雲廠商開始試水容器服務及進步的雲原生服務。從目前的商業形態看,容器相關的公共雲服務大致可以劃分爲三種形態:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"numberedlist","attrs":{"start":"1","normalizeStart":1},"content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}},{"type":"strong"}],"text":"通用容器編排服務"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"。在容器編排系統三國殺結果出來以前,基於多方下注策略構建的容器編排服務系統。其中AWS是自研的編排系統,Azure的ACS同時支持Docker Swarm、DC/OS和Kubernetes,阿里雲ACS則是支持Docker swarm和Kubernetes。Google和華爲則是堅定支持Kubernetes而未推出支持其它容器編排系統的容器服務。隨着Kubernetes一統容器編排江湖,這條路線的容器服務日漸式微,Azure更是在今年初直接終止了ACS服務。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}},{"type":"strong"}],"text":"Kubernetes容器編排服務"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"。Google是理所當然最早試水Kubernetes容器編排服務的大廠,也較早開展了K8S容器編排服務。隨着2017年各大廠在CNCF這張談判桌上達成了Kubernetes兼容性認證流程,Kubernetes編排服務市場迎來一輪大爆發,到2018年各大雲廠商的K8S容器編排服務就完整就位了。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}},{"type":"strong"}],"text":"Serverless容器實例服務"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"。從2017年開始,行業開始試水Serverless容器實例服務,把用戶從維護容器基礎設施的繁重任務中解放出來從而聚焦業務本身。Google Cloud Run核心目標是支持Knative,所以其使用形態上附加了不少約束條件。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/dd/dd2a46ebafb5024aed882dd31b8590e0.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"從上圖可以看出,從2014年開始探索公共雲容器服務,特別是經過2017-2018年這兩年的搶跑期,容器服務的基本商業形態已經比較明晰了。發展態勢可以概括爲:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"行業對容器化的接受程度已經很高,容器化普及率也是逐年提升。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"容器編排系統已經一戰定江山,K8S成爲事實上的容器編排之王。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"Serverless容器實例服務受到市場的歡迎,客戶羣體日益擴大。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"長期看託管容器編排服務和Serverless容器實例服務將長期共存,協同滿足客戶對服務成本和彈性能力的需求。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"商用模式探索期間,核心目標是快速試錯引導和確認客戶需求,構建適用的產品形態。這個期間的產品技術架構的構建思路是利用現有成熟技術快速搭建商用形態,在試錯過程中不斷前行。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"其中,容器編排託管服務節點級的典型架構是利用IaaS系統生成VM,然後在VM裏面部署kubelet、docker、containerd、runC等容器服務組件,也就是"},{"type":"text","marks":[{"type":"strong"}],"text":"VM + 容器的技術架構"},{"type":"text","text":"。一個VM可以承載同一個用戶的多個容器/Pod實例。而Serverless容器實例服務的節點級架構更直接,"},{"type":"text","marks":[{"type":"strong"}],"text":"在一個VM裏面只部署一個容器/Pod實例,從而實現Serverless"},{"type":"text","text":"。這種短平快的打法快速推進了商用模型的探索,起到了非常重要的歷史作用,但是其在彈性能力、部署密度、資源成本方面的歷史侷限性還是很大的。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/f4/f453c3fb2ba191d78c2e667e3298b79e.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"商用拓展期"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/3f/3f2377d5e16099046179156338a82495.png","alt":null,"title":"","style":[{"key":"width","value":"25%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"到2019年,容器服務的商業形態以及市場趨勢已經很明顯了,"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}},{"type":"strong"}],"text":"行業整體進入了商業拓展階段,對外宣傳吸引更多的客戶羣體,對內苦練內功提升產品技術競爭力,行業正在經歷從“有”到“優”的技術升級"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"。行業正在經歷這個技術升級的歷史階段,還談不上結論,只能一起來聊聊趨勢及預判。本系列專題的關注點是容器隔離技術,所以先不聊商業拓展和容器編排而聚焦於容器引擎技術發展趨勢。到現在爲止,我們大體上可以把容器引擎技術劃分爲兩代:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"numberedlist","attrs":{"start":"1","normalizeStart":1},"content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}},{"type":"strong"}],"text":"Container on VM"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"。也就是按照分層設計思路,通過IaaS + PaaS的架構構建容器服務,這個是商用探索階段的典型架構。基於各大雲廠商成熟的IaaS基礎設施生產虛擬機,在虛擬機裏面部署容器服務組件。這種架構採用的是lift and shift策略,把容器服務的運維責任從用戶轉移到雲廠商。採用和用戶相同的軟件組件,只是轉移運維責任,有利於引導客戶逐步上雲、接受雲原生思維。"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}},{"type":"strong"}],"text":"但是這個時期雲廠商提供的服務是單純的運維託管,相對用戶自建容器服務並沒有太明顯的技術優勢,甚至受多租戶隔離的限制部分使用體驗還不如用戶自建容器服務。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}},{"type":"strong"}],"text":"Container with hardware virtualization。"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"如果沿用Container on VM的分層設計架構,雲廠商很難構建獨有的技術優勢。對於Serverless容器實例服務,服務交付平面已經從IaaS的硬件接口上移到OS Syscall,所以不要遵循VM + 容器的分層設計思路。我們需要從需求本源出發,容器服務需要高性能、強隔離、夠安全和低成本的容器引擎。當前行業研發熱點之一就是如何構建這樣一個容器引擎,具體技術思路請留意後續系列文章。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"小結"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/3f/3f2377d5e16099046179156338a82495.png","alt":null,"title":"","style":[{"key":"width","value":"25%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"總結來看,容器服務生態大概經歷了四個階段,分別解決或試圖解決不同的問題:"}]},{"type":"numberedlist","attrs":{"start":"1","normalizeStart":1},"content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"技術萌芽期:解決了容器運行環境的隔離問題"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"技術迸發期:解決了軟件分發及容器編排問題"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"商用探索期:確認了容器的商用服務形態"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":4,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"商用拓展期:擴大適用場景和部署規模,通過技術創新提升產品競爭力"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"閒言碎語"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/3f/3f2377d5e16099046179156338a82495.png","alt":null,"title":"","style":[{"key":"width","value":"25%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"聊了這麼多歷史,讓我們再來閒聊一下docker這個公司和docker這門技術吧!"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2019年11月13日,私有云基礎設施公司Mirantis在其官方博客宣佈,收購Docker公司企業級業務,包括接管它的700多個客戶,這標誌着Docker公司從2013年開始的商業化探索徹底失敗。在不瞭解容器發展歷史的人看來,這種結果很難理解,Docker是容器熱潮的開創者,容器則是這一輪雲計算技術演進的開啓者,爲什麼明明站在風口上了,卻仍然飛不起來?"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"其實,Docker今天的命運,在4年前就決定了。2014年Kubernetes發佈後,迅速吸引了包括Redhat在內的一批重量級成員,並在一年之後迅速發佈Kubernetes 1.0以支撐正式商用。作爲迴應Docker公司主導成立了OCI,旨在爲容器鏡像格式和運行時制定一個開放標準,從而繼續佔據容器生態的話語權。但是2015年7月CNCF成立之後,迅速彎道超車開闢新的戰場,主攻容器編排與應用管理。隨後2016年Kubernetes社區制定了容器運行時的接口規範CRI,只要實現這個CRI規範的容器運行時就可以和K8S生態對接,從引發了容器引擎的研發熱潮。cri-containerd,cri-o,frakti等引擎不斷湧現,加上原有的rkt引擎,docker變成了容器引擎芸芸衆生中的一員。從哪兒來到哪兒去,docker又回到了最初的狀態,一個單機版軟件打包運行工具,基本上完美錯過了雲原生浪潮。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但是在相當長的時期內,docker這個客戶端容器管理工具(UI)還是會長期存在的,畢竟強大的用戶羣體在哪兒。但是在雲服務廠商的技術棧中,docker的地位會越來越弱,逐步被K8S專用的容器引擎替代。雖然現在docker的羣衆基礎依然強大,但是星星之火已經點燃,趨勢已然顯現,剩下的只是時間問題!"}]},{"type":"heading","attrs":{"align":null,"level":2}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"參考文獻"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://events.static.linuxfound.org/sites/events/files/slides/(OSF_Mr.%20Chris%20Aniszczyk)CNCF%20(OS%20Forum%20Japan%202016).pdf","title":null},"content":[{"type":"text","text":"Cloud Native and Container Technology Landscape"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://blog.aquasec.com/a-brief-history-of-containers-from-1970s-chroot-to-docker-2016","title":null},"content":[{"type":"text","text":"A Brief History of Containers: From the 1970s Till Now"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://www.chainnews.com/articles/973288192290.htm","title":null},"content":[{"type":"text","text":"從虛擬化到雲原生——容器技術的發展史"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://www.infoq.cn/article/R1p3H3_29f4TYImExsyw","title":null},"content":[{"type":"text","text":"爲什麼說2019,是屬於容器技術的時代?"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://www.sohu.com/a/417745570_355140","title":null},"content":[{"type":"text","text":"阿里巴巴在安全容器上的實踐與探索"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://www.infoq.cn/article/J762pmCvyXHflVuTgy4k","title":null},"content":[{"type":"text","text":"安全容器在邊緣計算場景下的實踐"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://www.oschina.net/news/112661/containers-cloud-native","title":null},"content":[{"type":"text","text":"展望2020:傳統容器已死,安全容器將成爲雲原生標配"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"更多精彩文章:歡迎大家關注阿里雲基礎軟件團隊微信公衆號:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/e6/e62cb6ec5c895c5a13aed85320a15d40.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}}]}
容器技術之發展簡史
{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"作者:劉獎"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"此文轉載至微信公衆號:雲巔論劍"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"背景"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/3f/3f2377d5e16099046179156338a82495.png","alt":null,"title":"","style":[{"key":"width","value":"25%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"“"},{"type":"text","marks":[{"type":"italic"}],"text":"雲原生技術有利於各組織在"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"公有云、私有云和混合雲"},{"type":"text","marks":[{"type":"italic"}],"text":"等新型動態環境中,構建和運行"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"可彈性擴展"},{"type":"text","marks":[{"type":"italic"}],"text":"的應用。雲原生的代表技術包括"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"容器、服務網格、微服務、不可變基礎設施和聲明式API"},{"type":"text","marks":[{"type":"italic"}],"text":"。”"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"聊容器技術避不開雲原生,聊雲原生也避不開容器技術。容器技術和雲原生就是一對雙螺旋體,"},{"type":"text","marks":[{"type":"strong"}],"text":"容器技術催生了雲原生思潮,雲原生生態推動了容器技術發展"},{"type":"text","text":"。從2013年docker(container)技術誕生,到2015年CNCF這個雲原生領域重量級聯盟便成立,這不是歷史的巧合而是歷史的必然。作爲雲原生關鍵技術之一的容器,從2013年誕生以來一直是行業關注的焦點之一。借用一張業界廣泛引用的雲原生容器技術進階圖來了解一下容器技術和雲原生誕生的歷史背景。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ce/ce6ce889c58ef342a4b16f8237b64ec3.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"先讓我們一起來看看容器技術發展的歷史紀年表,先直觀感受一下這片如火如荼的熱土吧!"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#202122","name":"user"}}],"text":"1979年,"},{"type":"text","text":"Unix v7系統支持chroot,爲應用構建一個獨立的虛擬文件系統視圖。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1999年,FreeBSD 4.0支持jail,第一個商用化的OS虛擬化技術。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2004年,Solaris 10支持Solaris Zone,第二個商用化的OS虛擬化技術。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2005年,OpenVZ發佈,非常重要的Linux OS虛擬化技術先行者。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2004年 ~ 2007年,Google 內部大規模使用 Cgroups 等的OS虛擬化技術。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2006年,Google開源內部使用的process container技術,後續更名爲cgroup。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2008年,Cgroups 進入了 Linux 內核主線。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2008年,LXC(Linux Container)項目具備了Linux容器的雛型。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2011年,CloudFoundry開發Warden系統,一個完整的容器管理系統雛型。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2013年,Google通過"},{"type":"text","text":"Let Me Contain That For You"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#07242D","name":"user"}}],"text":" (LMCTFY) "},{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"開源內部容器系統。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2013年,Docker項目正式發佈,讓Linux容器技術逐步席捲天下。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2014年,Kubernetes項目正式發佈,容器技術開始和編排系統起頭並進。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2015年,由Google,Redhat、Microsoft及一些大型雲廠商共同創立了CNCF,雲原生浪潮啓動。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2016年-2017年,容器生態開始模塊化、規範化。CNCF接受Containerd、rkt項目,OCI發佈1.0,CRI/CNI得到廣泛支持。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2017年-2018年,容器服務商業化。AWS ECS,Google EKS,Alibaba ACK/ASK/ECI,華爲CCI,Oracle Container Engine for Kubernetes;VMware,Redhat和Rancher開始提供基於Kubernetes的商業服務產品。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2017年-2019年,容器引擎技術飛速發展,新技術不斷湧現。2017年底Kata Containers社區成立,2018年5月Google開源gVisor代碼,2018年11月AWS開源firecracker,阿里雲發佈安全沙箱1.0。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"2020年-202x年,容器引擎技術升級,Kata Containers開始2.0架構,阿里雲發佈沙箱容器2.0...."}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"整理容器技術近20年的發展歷史,大致可以將其分爲四個歷史階段,下文將詳細介紹這四個歷史階段。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/64/646b2bdb2cfca4d0a2743b1a24605a77.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"技術萌芽期"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/3f/3f2377d5e16099046179156338a82495.png","alt":null,"title":"","style":[{"key":"width","value":"25%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器技術需要解決的核心問題之一運行時的環境隔離。容器的運行時環境隔離,目標是給容器構造一個無差別的運行時環境,用以在任意時間、任意位置運行容器鏡像。由於docker的佈道,大家習慣性認爲容器的運行時環境隔離就是OS虛擬化,或則容器等於namespace + cgroup + 安全防護機制。我不太贊同這種看法,這個只是一段歷史時期、一種容器運行時的實現技術,還有很多種其它可能的技術方案來實現容器運行環境。所以,回到需求的本源:"},{"type":"text","marks":[{"type":"strong"}],"text":"容器需要運行時隔離技術來保證容器的運行環境符合預期"},{"type":"text","text":"。習慣上,大家把這種實現容器隔離技術的組件叫做容器運行時。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"從另外一個角度看,"},{"type":"text","marks":[{"type":"strong"}],"text":"容器隔離技術解決的是資源供給問題"},{"type":"text","text":"。爲啥需要容器隔離技術來解決資源供給問題呢?成也蕭何,敗也蕭何!摩爾定律實在太過強大,它讓我們有了越來越多的計算資源可以使用。10年前做小型機時,小型機的典型規格是32路8核CPU,現在一臺4路PC服務器計算能力都超過10年前的小型機服務器。小型機的典型用法是把整機切分爲多個分區使用。觀察當下雲服務硬件發展趨勢,越來越有熟悉的感覺,我們在把小型機相關技術“軍轉民”。現在我們一臺PC服務器擁有了非常強大的、能和十年前小型機媲美的計算能力,巧合的是當下PC服務器的典型用法也和十年前的小型機用法類似,切割爲1-8vCPU的虛擬機/容器使用。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"爲什麼人們總是習慣於把一個大的服務器資源切分爲小的分區使用而不是研發能夠充分發揮大型服務器整機計算能力的軟件呢?個人認爲背後有兩個制約因素:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"待解決問題本身內在的並行度有限"},{"type":"text","text":"。隨着多核多處理器系統的日益普及,IT行業從2004年開始進行串行編程到並行編程的升級改造。開始階段針對特定行業應用的並行化改造效果非常明顯,但是後來發現隨着並行度提高改造成本越來越大、收益卻越來越低。受"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#222222","name":"user"}}],"text":"阿姆達爾"},{"type":"text","text":"定律制約,解決特定問題的並行度超過一定臨界點之後收益將逐漸變小。所以一味提高系統並行度並不是經濟的做法。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"人類智力有限"},{"type":"text","text":"。受人類智力限制,系統越複雜、並行度越高,軟件越容易出故障,軟件維護代價成指數級增長。所以,從軟件工程看,大家也趨向於接口化、模塊化、單元化的軟件架構設計,儘量控制軟件的複雜度,降低工程成本。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"從經驗看,1-8個CPU的並行度是軟件工程的舒適區,這個也是容器化、微服務等技術背後的驅動因素之一。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"有點跑題了。。。總之,基於隔離的資源供給不是僞需求。對於軟件運行環境的隔離要求,從操作系統出現之初就有了。多任務分時操作系統和進程虛擬地址都是爲了解決多個任務運行在同一臺主機上的資源共享問題,讓每個進程都以爲自己獨佔主機。當然僅僅是進程隔離是遠遠不夠的。縱觀當前的資源隔離技術,我們大致可以將資源隔離技術分成5類:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/28/28b66aa06773012f9f8fc8c1b96789d6.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"進程隔離"},{"type":"text","text":"。OS以進程作爲Task運行過程的抽象,進程擁有獨立的地址空間和執行上下文,本質上OS對進程進行了CPU和內存虛擬化。但是進程之間還共享了文件系統、網絡協議棧、IPC通信空間等多種資源,進程之間因爲資源爭搶導致的干擾很嚴重。這個層級的隔離適合在不同的主機上運行單個用戶的不同程序,由用戶通過系統管理手段來保證資源分配與安全防護等問題。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"OS虛擬化"},{"type":"text","text":"。OS隔離,也就是大家常說的操作系統虛擬化(OS virtualization),是進程隔離的昇華版。進程隔離是爲每個進程實現了單獨的地址空間及CPU上下文,OS隔離則是利用操作系統分身術爲每一組進程實例構造出一個獨立的OS環境,以進一步虛擬化文件系統、網絡協議棧、IPC通信空間、進程ID、用戶ID等OS資源。OS隔離需要解決三個核心問題:獨立視圖、訪問控制及安全防護。Chroot、Linux namespace機制爲進程組實現獨立視圖,cgroup對進程組進行訪問控制,而Capabilities、Apparmor、seccomp等機制則實現安全防護。當然,OS是一個非常複雜、動態變化的系統,OS分身術雖然讓進程組感覺有了獨立的OS,但是真實實現還是一個OS實例,所以整體防護能力還是堪憂。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"硬件虛擬化"},{"type":"text","text":"。OS虛擬化是實現OS內核的分身術,而硬件虛擬化則是實現硬件設備的分身術。硬件虛擬化技術的出現,讓同一個物理服務器上能夠同時運行多個操作系統,每個操作系統都認爲自己在管理一臺完整的服務器。不同操作系統之間是嚴格隔離的,Guest操作系統對硬件的訪問都是受VMM或CPU的嚴格監管的。硬件虛擬化既有很好的安全性,也有很好的隔離性,缺點就是引入的硬件虛擬化層導致了額外的性能開銷。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"硬件分區"},{"type":"text","text":"。這個是傳統小型機體系採用的資源分隔技術,就是從硬件或固件層徹底把一臺大型服務器分隔爲多個硬件單元,從而獲得最高等級的安全性和隔離性。但是小型機作爲一個逐步沒落的技術路線,其不足之處還是顯而易見的:資源分隔粒度不靈活、系統成本偏高、系統可擴展性受限。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"語言運行時隔離"},{"type":"text","text":"。對於Java、nodejs等需要language runtime的managed language,我們還有一個選項,就是在language runtime裏實現隔離。針對函數計算等雲原生服務,理論上在語言運行時實現隔離機制是最優路徑。但是這條路線目前實現上還有不少現實的制約,所以目前多數函數計算還是採用的容器/VM技術來實現的隔離。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在OS虛擬化這條技術路線上,最大的技術貢獻來源於Google。2003-2006年,Google陸續發佈的“三駕馬車”,奠定了大數據計算的框架,隨後進一步創造了“雲”的概念。也是從這時期開始,進程隔離技術進入了一個更高級的階段。在 Google 提出的雲計算框架下,被隔離的進程不僅僅是一個與外界隔絕但本身卻巍然不動的 Jail,它們更需要像一個個輕便的容器,除了能夠與外界隔離之外,還要能夠被控制與調配,從而實現分佈式應用場景下的跨平臺、高可用、可擴展等特性。2006年,Google推出Process Containers,用來對一組進程進行限制、記賬、隔離資源(CPU、內存、磁盤 I/O、網絡等)。由於技術更加成熟,Process Container 在 2006 年正式推出後,第二年就進入了 Linux 內核主幹,並正式更名爲 Cgroups,標誌着 Linux 陣營中“容器”的概念開始被重新審視和實現。在 2008 年,通過將 Cgroups 的資源管理能力和 Linux Namespace (命名空間)的視圖隔離能力組合在一起,一項完整的容器技術 LXC (Linux Container)出現在了 Linux 內核中,這就是如今被廣泛應用的容器技術的實現基礎。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"總體看,在2013年docker被髮明以前,Linux操作系統已經大體上解決了容器核心技術之一的運行環境隔離技術,或者說Linux OS虛擬化技術已經基本上成型了。"},{"type":"text","text":"雖然容器運行環境隔離技術已經基本就位,我們仍需等待另外一項關鍵技術才能迎來容器技術的騰飛時刻。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"技術迸發期"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/3f/3f2377d5e16099046179156338a82495.png","alt":null,"title":"","style":[{"key":"width","value":"25%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2013年之前,雲計算行業一直在爲雲原生的正確打開姿勢而操心。Platform as a Service(PaaS)看起來是個有前途的方向。2006年Fotango公司發佈的Zimi服務,可以說是PaaS行業的鼻祖,具有按使用付費、免運維(Serverless)、API化配置和服務等典型雲原生的特徵;2008年Google推出GAE;2011年Pivotal發佈Cloud Foundry。這些早期的PaaS平臺進行了非常有益的探索,推動了雲計算生態的健康發展,但是這些早期探索技術並沒有形成大的行業趨勢,而是侷限在一些的特定的領域。直到Docker開源,大家才如夢方醒,原來不是方向不對,而是應用分發和交付的手段不行。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Docker真正核心的創新是容器鏡像(docker image),一種新型的應用打包、分發和運行機制。容器鏡像將應用"},{"type":"text","marks":[{"type":"strong"}],"text":"運行環境"},{"type":"text","text":",包括代碼、依賴庫、工具、資源文件和元信息等,打包成一種"},{"type":"text","marks":[{"type":"strong"}],"text":"操作系統發行版無關"},{"type":"text","text":"的"},{"type":"text","marks":[{"type":"strong"}],"text":"不可變更"},{"type":"text","text":"軟件包。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器鏡像打包了整個容器運行依賴的環境,以避免依賴運行容器的服務器的操作系統,從而實現“build once,run anywhere”。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器鏡像一但構建完成,就變成read only,成爲不可變基礎設施的一份子。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"操作系統發行版無關,核心解決的是容器進程對操作系統包含的庫、工具、配置的依賴,但是容器鏡像無法解決容器進程對內核特性的特殊依賴。這個在實際使用容器的過程中也經常跳進這個大坑:"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Docker的宣傳口號是“Build,Ship and Run Any App,Anywhere”。我們已經理解了docker通過container image解決“Run Anywhere”的機制,那麼“Run Any App”是如何實現的呢?其實也是依賴container image,用戶可以打包任何容器進程所依賴的環境,而不用改造應用來適配PaaS定義的運行環境。真是“Run Any App”一舉打破了PaaS行業面臨的困境,創造出了無限的可能性,大力推動了雲原生的發展。讓我們一起來向這個偉大的創意致敬!"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/89/898efcf4a723c46724c82c6eeab0c712.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"至此,容器技術體系已經解決了最核心的兩個問題:"},{"type":"text","marks":[{"type":"strong"}],"text":"如何發佈軟件"},{"type":"text","text":"和"},{"type":"text","marks":[{"type":"strong"}],"text":"如何運行軟件,"},{"type":"text","text":"騰飛時刻即將到來。2014年前司前老闆對我說“別成天搞Linux kernel了,要不你看看docker?” 經過短暫的調研,我給了前老闆一個簡單而清晰的回答,“無它,唯打包工具爾!”因爲這個回答,雲原生爲我打開的一扇大門就悄悄關上了。回想一下歷史,有時也挺懊悔的,因爲自己太年輕而沒有看清楚容器技術 + 編排系統的威力,更沒有體會到雲原生即將到來的氣息!"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Docker作爲一個單機軟件打包、發佈、運行系統,其價值是非常巨大的;但是僅僅將docker技術侷限在單機範圍不能發揮這個創新技術的最大價值,自然下一步業界希望基於docker技術構建一個雲化的集羣系統,來對業務容器進行編排管理。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"聊到容器編排系統,我們需要從Google聊起。2008年,Google 基於 LXC 推出首款應用託管平臺 GAE (Google App Engine),首次把開發平臺當做一種服務來提供。GAE 是一種分佈式平臺服務,Google 通過虛擬化技術爲用戶提供開發環境、服務器平臺、硬件資源等服務,用戶可以在平臺基礎上定製開發自己的應用程序並通過 Google 的服務器和互聯網資源進行分發。Google 在 GAE 中使用了一個能夠對 LXC 進行編排和調度的工具 —— Borg (Kubernetes 的前身)。Borg 是 Google 內部使用的大規模集羣管理系統,可以承載十萬級的任務、數千個不同的應用、同時管理數萬臺機器。Borg 通過權限管理、資源共享、性能隔離等來達到高資源利用率。它能夠支持高可用應用,並通過調度策略減少出現故障的概率,提供了任務描述語言、實時任務監控、分析工具等。如果說一個個隔離的容器是集裝箱,那麼 Borg 可以說是最早的港口系統,而 LXC + Borg 就是最早的容器編排框架。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2013年docker推出之後迅速席捲全球,2014年Google基於內部使用的Borg系統創建了開源項目Kubernetes(簡稱K8S),用於解決大規模集羣的容器部署、運行、管理等問題。Kubernetes在容器的基礎上增加了一層的新的管理抽象Pod,以便更好地利用容器進行應用的功能模塊切分。得益於 Google 在大規模集羣基礎設施建設的強大積累,脫胎於 Borg 的 K8S 很快成爲了行業的標準應用,堪稱容器編排的必備工具。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"作爲迴應,Docker公司在2015年發佈的Docker 1.12版本中也加入了一個容器集羣管理系統Docker swarm,以及配套的Docker machine、Docker Compose等工具,力圖構建完善的容器編排系統,和Kubernetes展開正面競爭。從此,容器江湖分爲兩大陣營:Google派和Docker派;而容器編排系統則是Kubernetes,Docker Swarm和Apache Mesos三國並立。各大派系的競爭愈演愈烈,逐漸延伸到行業標準的建立之爭。讓我們一起來回憶一下這段風起雲湧的江湖歷史吧!"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2013年Docker公司推出docker之後,緊接着CoreOS 應運而生。CoreOS 是一個基於 Linux 內核的輕量級操作系統,專爲雲計算時代計算機集羣的基礎設施建設而設計,擁有自動化、易部署、安全可靠、規模化等特性。其在當時有一個非常顯眼的標籤:"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#333333","name":"user"}},{"type":"strong"}],"text":"專爲容器設計的操作系統"},{"type":"text","text":"。藉着 Docker 的東風,CoreOS 迅速在雲計算領域躥紅,一時間,Docker + CoreOS 成爲業內容器部署的黃金搭檔。同時,CoreOS 也爲 Docker 的推廣與社區建設做出了巨大的貢獻。然而,日漸壯大的 Docker 似乎有着更大的“野心”。不甘於只做“一種簡單的基礎單元”的 Docker,自行開發了一系列相關的容器組件,同時收購了一些容器化技術的公司,開始打造屬於自己的容器生態平臺。顯然,這對於 CoreOS 來說形成了直接的競爭關係。2014 年末,CoreOS 推出了自己的容器引擎 Rocket (簡稱 rkt),試圖與 Docker 分庭抗禮。rkt 和 Docker 類似,都能幫助開發者打包應用和依賴包到可移植容器中,簡化搭環境等部署工作。rkt 和 Docker 不同的地方在於,rkt 沒有 Docker 那些爲企業用戶提供的“友好功能”,比如雲服務加速工具、集羣系統等。反過來說,rkt 想做的,是一個更純粹的業界標準。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#333333","name":"user"}}],"text":"上面這段材料引至於“"},{"type":"text","text":"從虛擬化到雲原生——容器技術的發展史”,爲什麼大段大段地引用這部分材料呢?這裏面最關鍵的脈絡是"},{"type":"text","marks":[{"type":"strong"}],"text":"由於技術公司之間的商業競爭,在競爭合作之間尋找平衡從而導致了標準規範的誕生,而標準規範的誕生是整個雲原生生態最重要的基石"},{"type":"text","text":"。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器引擎(docker vs rocket)、容器編排(Docker swarm vs Kubernetes vs Apache Mesos)的相互競爭的結果就是大家坐下來談接口標準。2015年6月,Docker帶頭成立OCI,旨在“制定並維護容器鏡像格式和容器運行時的正式規範(OCI Specifications)”,其核心產出是OCI Runtime Spec(容器運行時規範)、OCI Image Spec(鏡像格式規範)、OCI Distribution Spec(鏡像分發規範)。所以"},{"type":"text","marks":[{"type":"strong"}],"text":"OCI組織解決的是容器的構建、分發和運行問題"},{"type":"text","text":"。一個月之後,Google帶頭成立了Cloud Native Computing Foundation(CNCF),旨在“構建雲原生計算 —— 一種圍繞着微服務、容器和應用動態調度的、以基礎設施爲中心的架構,並促進其廣泛使用”。所以"},{"type":"text","marks":[{"type":"strong"}],"text":"CNCF組織解決的是應用管理及容器編排問題"},{"type":"text","text":"。這兩個圍繞容器的基金會對雲原生生態的發展發揮了非常重要的作用,二者不是競爭而是相輔相成,共同制定了一系列行業事實標準。這些行業事實標準的確立,各行業注入了無限活力,基於接口的標準的具體實現不斷湧現,呈現出一片百花齊放的景象。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/99/99dad479c97c85182ac7e227370eda09.png","alt":null,"title":"image.png","style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"其中,與容器相關的最爲重要的幾個規範包括:CRI、CNI、CSI、OCI Distribution Spec、OCI Image Spec、OCI Runtime Spec和Shimv2。其中的CRI、OCI Image Spec、OCI Runtime和Shimv2規範和阿里雲沙箱容器關係非常密切。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"所以,非常感謝這個雲原生、容器技術迸發的黃金期,一羣有創意的人走到一起共同創造了這幾個關鍵的規範,爲各個廠商提供各具特色且遵循規範的技術實現提供了可能性。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"商用探索期"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/3f/3f2377d5e16099046179156338a82495.png","alt":null,"title":"","style":[{"key":"width","value":"25%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"經過5年的技術發展期,容器技術基本成熟,雲原生體系也具雛型。從2017年開始,各大雲廠商開始試水容器服務及進步的雲原生服務。從目前的商業形態看,容器相關的公共雲服務大致可以劃分爲三種形態:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"numberedlist","attrs":{"start":"1","normalizeStart":1},"content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}},{"type":"strong"}],"text":"通用容器編排服務"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"。在容器編排系統三國殺結果出來以前,基於多方下注策略構建的容器編排服務系統。其中AWS是自研的編排系統,Azure的ACS同時支持Docker Swarm、DC/OS和Kubernetes,阿里雲ACS則是支持Docker swarm和Kubernetes。Google和華爲則是堅定支持Kubernetes而未推出支持其它容器編排系統的容器服務。隨着Kubernetes一統容器編排江湖,這條路線的容器服務日漸式微,Azure更是在今年初直接終止了ACS服務。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}},{"type":"strong"}],"text":"Kubernetes容器編排服務"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"。Google是理所當然最早試水Kubernetes容器編排服務的大廠,也較早開展了K8S容器編排服務。隨着2017年各大廠在CNCF這張談判桌上達成了Kubernetes兼容性認證流程,Kubernetes編排服務市場迎來一輪大爆發,到2018年各大雲廠商的K8S容器編排服務就完整就位了。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}},{"type":"strong"}],"text":"Serverless容器實例服務"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"。從2017年開始,行業開始試水Serverless容器實例服務,把用戶從維護容器基礎設施的繁重任務中解放出來從而聚焦業務本身。Google Cloud Run核心目標是支持Knative,所以其使用形態上附加了不少約束條件。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/dd/dd2a46ebafb5024aed882dd31b8590e0.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"從上圖可以看出,從2014年開始探索公共雲容器服務,特別是經過2017-2018年這兩年的搶跑期,容器服務的基本商業形態已經比較明晰了。發展態勢可以概括爲:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"行業對容器化的接受程度已經很高,容器化普及率也是逐年提升。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"容器編排系統已經一戰定江山,K8S成爲事實上的容器編排之王。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"Serverless容器實例服務受到市場的歡迎,客戶羣體日益擴大。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"長期看託管容器編排服務和Serverless容器實例服務將長期共存,協同滿足客戶對服務成本和彈性能力的需求。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"商用模式探索期間,核心目標是快速試錯引導和確認客戶需求,構建適用的產品形態。這個期間的產品技術架構的構建思路是利用現有成熟技術快速搭建商用形態,在試錯過程中不斷前行。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"其中,容器編排託管服務節點級的典型架構是利用IaaS系統生成VM,然後在VM裏面部署kubelet、docker、containerd、runC等容器服務組件,也就是"},{"type":"text","marks":[{"type":"strong"}],"text":"VM + 容器的技術架構"},{"type":"text","text":"。一個VM可以承載同一個用戶的多個容器/Pod實例。而Serverless容器實例服務的節點級架構更直接,"},{"type":"text","marks":[{"type":"strong"}],"text":"在一個VM裏面只部署一個容器/Pod實例,從而實現Serverless"},{"type":"text","text":"。這種短平快的打法快速推進了商用模型的探索,起到了非常重要的歷史作用,但是其在彈性能力、部署密度、資源成本方面的歷史侷限性還是很大的。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/f4/f453c3fb2ba191d78c2e667e3298b79e.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"商用拓展期"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/3f/3f2377d5e16099046179156338a82495.png","alt":null,"title":"","style":[{"key":"width","value":"25%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"到2019年,容器服務的商業形態以及市場趨勢已經很明顯了,"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}},{"type":"strong"}],"text":"行業整體進入了商業拓展階段,對外宣傳吸引更多的客戶羣體,對內苦練內功提升產品技術競爭力,行業正在經歷從“有”到“優”的技術升級"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"。行業正在經歷這個技術升級的歷史階段,還談不上結論,只能一起來聊聊趨勢及預判。本系列專題的關注點是容器隔離技術,所以先不聊商業拓展和容器編排而聚焦於容器引擎技術發展趨勢。到現在爲止,我們大體上可以把容器引擎技術劃分爲兩代:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"numberedlist","attrs":{"start":"1","normalizeStart":1},"content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}},{"type":"strong"}],"text":"Container on VM"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"。也就是按照分層設計思路,通過IaaS + PaaS的架構構建容器服務,這個是商用探索階段的典型架構。基於各大雲廠商成熟的IaaS基礎設施生產虛擬機,在虛擬機裏面部署容器服務組件。這種架構採用的是lift and shift策略,把容器服務的運維責任從用戶轉移到雲廠商。採用和用戶相同的軟件組件,只是轉移運維責任,有利於引導客戶逐步上雲、接受雲原生思維。"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}},{"type":"strong"}],"text":"但是這個時期雲廠商提供的服務是單純的運維託管,相對用戶自建容器服務並沒有太明顯的技術優勢,甚至受多租戶隔離的限制部分使用體驗還不如用戶自建容器服務。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}},{"type":"strong"}],"text":"Container with hardware virtualization。"},{"type":"text","marks":[{"type":"color","attrs":{"color":"#24292E","name":"user"}}],"text":"如果沿用Container on VM的分層設計架構,雲廠商很難構建獨有的技術優勢。對於Serverless容器實例服務,服務交付平面已經從IaaS的硬件接口上移到OS Syscall,所以不要遵循VM + 容器的分層設計思路。我們需要從需求本源出發,容器服務需要高性能、強隔離、夠安全和低成本的容器引擎。當前行業研發熱點之一就是如何構建這樣一個容器引擎,具體技術思路請留意後續系列文章。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"小結"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/3f/3f2377d5e16099046179156338a82495.png","alt":null,"title":"","style":[{"key":"width","value":"25%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"總結來看,容器服務生態大概經歷了四個階段,分別解決或試圖解決不同的問題:"}]},{"type":"numberedlist","attrs":{"start":"1","normalizeStart":1},"content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"技術萌芽期:解決了容器運行環境的隔離問題"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"技術迸發期:解決了軟件分發及容器編排問題"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"商用探索期:確認了容器的商用服務形態"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":4,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"商用拓展期:擴大適用場景和部署規模,通過技術創新提升產品競爭力"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"閒言碎語"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/3f/3f2377d5e16099046179156338a82495.png","alt":null,"title":"","style":[{"key":"width","value":"25%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"聊了這麼多歷史,讓我們再來閒聊一下docker這個公司和docker這門技術吧!"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2019年11月13日,私有云基礎設施公司Mirantis在其官方博客宣佈,收購Docker公司企業級業務,包括接管它的700多個客戶,這標誌着Docker公司從2013年開始的商業化探索徹底失敗。在不瞭解容器發展歷史的人看來,這種結果很難理解,Docker是容器熱潮的開創者,容器則是這一輪雲計算技術演進的開啓者,爲什麼明明站在風口上了,卻仍然飛不起來?"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"其實,Docker今天的命運,在4年前就決定了。2014年Kubernetes發佈後,迅速吸引了包括Redhat在內的一批重量級成員,並在一年之後迅速發佈Kubernetes 1.0以支撐正式商用。作爲迴應Docker公司主導成立了OCI,旨在爲容器鏡像格式和運行時制定一個開放標準,從而繼續佔據容器生態的話語權。但是2015年7月CNCF成立之後,迅速彎道超車開闢新的戰場,主攻容器編排與應用管理。隨後2016年Kubernetes社區制定了容器運行時的接口規範CRI,只要實現這個CRI規範的容器運行時就可以和K8S生態對接,從引發了容器引擎的研發熱潮。cri-containerd,cri-o,frakti等引擎不斷湧現,加上原有的rkt引擎,docker變成了容器引擎芸芸衆生中的一員。從哪兒來到哪兒去,docker又回到了最初的狀態,一個單機版軟件打包運行工具,基本上完美錯過了雲原生浪潮。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但是在相當長的時期內,docker這個客戶端容器管理工具(UI)還是會長期存在的,畢竟強大的用戶羣體在哪兒。但是在雲服務廠商的技術棧中,docker的地位會越來越弱,逐步被K8S專用的容器引擎替代。雖然現在docker的羣衆基礎依然強大,但是星星之火已經點燃,趨勢已然顯現,剩下的只是時間問題!"}]},{"type":"heading","attrs":{"align":null,"level":2}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"參考文獻"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://events.static.linuxfound.org/sites/events/files/slides/(OSF_Mr.%20Chris%20Aniszczyk)CNCF%20(OS%20Forum%20Japan%202016).pdf","title":null},"content":[{"type":"text","text":"Cloud Native and Container Technology Landscape"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://blog.aquasec.com/a-brief-history-of-containers-from-1970s-chroot-to-docker-2016","title":null},"content":[{"type":"text","text":"A Brief History of Containers: From the 1970s Till Now"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://www.chainnews.com/articles/973288192290.htm","title":null},"content":[{"type":"text","text":"從虛擬化到雲原生——容器技術的發展史"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://www.infoq.cn/article/R1p3H3_29f4TYImExsyw","title":null},"content":[{"type":"text","text":"爲什麼說2019,是屬於容器技術的時代?"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://www.sohu.com/a/417745570_355140","title":null},"content":[{"type":"text","text":"阿里巴巴在安全容器上的實踐與探索"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://www.infoq.cn/article/J762pmCvyXHflVuTgy4k","title":null},"content":[{"type":"text","text":"安全容器在邊緣計算場景下的實踐"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://www.oschina.net/news/112661/containers-cloud-native","title":null},"content":[{"type":"text","text":"展望2020:傳統容器已死,安全容器將成爲雲原生標配"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"更多精彩文章:歡迎大家關注阿里雲基礎軟件團隊微信公衆號:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/e6/e62cb6ec5c895c5a13aed85320a15d40.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}}]}
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章