自下而上學習容器

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我從2015年開始使用容器，我對容器最初的理解就是把它們看成是輕量級的虛擬機，只是啓動時間比虛擬機快了很多。腦子裏有了這樣的概念，就很容易看懂網上那些關於如何將Python或Node應用程序裝入容器的教程。但很快，我意識到僅僅將容器看成是輕量級的虛擬機有點跳過簡單化了，這導致我無法對以下這些問題做出判斷："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器可以做什麼以及不可以做什麼；"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"哪些是使用容器的最佳實踐以及哪些不是；"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"哪些東西放在容器是安全的以及哪些不是。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"既然“容器就是虛擬機”這種理解有失偏頗，我就開始深入探究，看看容器到底是什麼，而Docker無疑是最好的切入點。問題是，Docker是一個可以用來做各種各樣事情的龐然大物，而運行它的命令又如此簡單（比如docker run nginx），很容易就矇蔽了我們。與Docker相關的資料有很多，它們要麼是太過淺顯的教程，要麼太多艱深，新手根本就看不懂。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"於是，我花了一些時間，爲讀者鋪平了學習容器的道路。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"多年來，我嘗試從不同的角度探究，終於找到了一條適合我的學習路徑。不久前，我在推特上分享了我的學習路徑，引起了很多人的共鳴。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"本文並不打算一次性解釋完所有有關容器的東西。相反，它是我多年來對這個領域探究的一道“前菜”。它介紹了我的學習路徑，你可以順着這條路徑，再去閱讀其他更加深入介紹容器的文章。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"掌握容器知識不是一項簡單的任務，所以慢慢來，不要跳過實操的部分！"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"容器學習路徑"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我發現按照下面這樣的順序來學習容器非常有效："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Linux容器——學習底層的實現細節；"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器鏡像——瞭解什麼是鏡像以及爲什麼需要鏡像；"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器管理器——瞭解Docker是如何管理單臺主機上的容器的；"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器編配器——瞭解Kubernetes是如何管理集羣裏的容器的；"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"非Linux容器——瞭解其他容器實現，打開更大的視野。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"容器不是虛擬機"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器是一種隔離（命名空間）且受約束（通過cgroups、capabilities、seccomp）的進程。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"上面的這個解釋非常有助於我理解什麼是容器。當然，這個解釋並非絕對準確，當你讀到這篇文章的末尾你就會知道，但在剛開始學習容器時，這樣的解釋是很合適的。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.infoq.cn\/resource\/image\/b5\/7c\/b5bba821b3ac2bac74c6e4a55474f17c.png","alt":null,"title":"","style":[{"key":"width","value":"100%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"要在Linux上啓動一個進程，需要fork\/exec它。但要啓動一個容器化的進程，要先創建命名空間、配置cgroups，等等。或者，換句話說，爲進程準備一個箱子，讓進程在箱子裏運行。容器運行時就是一種用來創建這種箱子的工具。容器運行時知道怎樣準備好箱子，然後在箱子裏啓動一個容器化的進程。又因爲大多數運行時都遵循常用的規範，容器就成爲一種標準的工作負載單元。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"使用最廣的容器運行時是runc。runc是一種普通的命令行工具，所以可以在沒有Docker或其他高級容器軟件的情況下直接使用它。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.infoq.cn\/resource\/image\/c3\/2d\/c36813e4c0bcfce0da1c5282c90cf52d.png","alt":null,"title":"","style":[{"key":"width","value":"100%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"runc啓動一個容器化進程的過程"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我對此感到興奮萬分，甚至還寫了一系列關於"},{"type":"link","attrs":{"href":"https:\/\/iximiuz.com\/en\/categories\/?category=Container%20Runtime%20Shim&accessToken=eyJhbGciOiJIUzI1NiIsImtpZCI6ImRlZmF1bHQiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJhY2Nlc3NfcmVzb3VyY2UiLCJleHAiOjE2MzkxMTg1NjUsImciOiJqV3lnUHlDZDNjUGczNkg5IiwiaWF0IjoxNjM5MTE4MjY1LCJ1c2VySWQiOjcwMDUxODA5fQ.hS4YtRu-vD6UN_s5o3S9DbHAbW3g50WiID1nP4x-0ag","title":null,"type":null},"content":[{"type":"text","text":"容器運行時墊片"}]},{"type":"text","text":"（shim）的文章。墊片是指底層容器運行時(如runc)和高級容器管理器(如containerd)之間的一種軟件。要做好墊片，需要對運行時瞭如指掌，所以這一系列文章先從"},{"type":"link","attrs":{"href":"https:\/\/iximiuz.com\/en\/posts\/implementing-container-runtime-shim?accessToken=eyJhbGciOiJIUzI1NiIsImtpZCI6ImRlZmF1bHQiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJhY2Nlc3NfcmVzb3VyY2UiLCJleHAiOjE2MzkxMTg1NjUsImciOiJqV3lnUHlDZDNjUGczNkg5IiwiaWF0IjoxNjM5MTE4MjY1LCJ1c2VySWQiOjcwMDUxODA5fQ.hS4YtRu-vD6UN_s5o3S9DbHAbW3g50WiID1nP4x-0ag","title":null,"type":null},"content":[{"type":"text","text":"深入分析使用最爲廣泛的容器運行時"}]},{"type":"text","text":"開始。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.infoq.cn\/resource\/image\/aa\/df\/aa8f0375903b5c54d482bc431caf34df.png","alt":null,"title":"","style":[{"key":"width","value":"100%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器運行時墊片"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"運行容器不一定需要鏡像"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"不過，構建鏡像需要容器。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於熟悉runc是如何啓動容器的人來說，他們都知道鏡像並非是必需的。要運行一個容器，運行時需要一個bundle，其中包括："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一個config.json文件，裏面包含了與容器有關的參數（例如可執行文件的路徑、環境變量，等等）；"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"包含可執行文件及其相關文件（如果有的話）的目錄。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通常，bundle的目錄結構與Linux發行版的文件結構類似（\/var、\/usr、\/lib、\/etc，等等）。當runc啓動這樣的一個容器，運行在容器中的進程就獲得了一個根文件系統，看起來與Linux（比如Debian、CentOS或Alpine）很像。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但這種文件結構並非是強制性的。現在，所謂的Scratch或Distroless容器越來越流行，越是小巧的容器出現安全漏洞的可能性就越少。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我在這篇中介紹了"},{"type":"link","attrs":{"href":"https:\/\/iximiuz.com\/en\/posts\/not-every-container-has-an-operating-system-inside?accessToken=eyJhbGciOiJIUzI1NiIsImtpZCI6ImRlZmF1bHQiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJhY2Nlc3NfcmVzb3VyY2UiLCJleHAiOjE2MzkxMTg1NjUsImciOiJqV3lnUHlDZDNjUGczNkg5IiwiaWF0IjoxNjM5MTE4MjY1LCJ1c2VySWQiOjcwMDUxODA5fQ.hS4YtRu-vD6UN_s5o3S9DbHAbW3g50WiID1nP4x-0ag","title":null,"type":null},"content":[{"type":"text","text":"如何創建一個只包含Go二進制文件的容器"}]},{"type":"text","text":"。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.infoq.cn\/resource\/image\/67\/12\/67423d8f76b19aa6415b17349dcde912.png","alt":null,"title":"","style":[{"key":"width","value":"100%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"使用dive查看scratch鏡像"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"既然運行容器不一定需要鏡像，那我們爲什麼還要有容器鏡像？"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當每一個容器都包含根文件系統的一個數兆字節那麼大的拷貝副本時，所需的磁盤空間就會急劇增加。因此，鏡像的存在是爲了有效地解決存儲和發行問題。對這個問題感興趣的可以閱讀這篇"},{"type":"link","attrs":{"href":"https:\/\/iximiuz.com\/en\/posts\/you-dont-need-an-image-to-run-a-container?accessToken=eyJhbGciOiJIUzI1NiIsImtpZCI6ImRlZmF1bHQiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJhY2Nlc3NfcmVzb3VyY2UiLCJleHAiOjE2MzkxMTg1NjUsImciOiJqV3lnUHlDZDNjUGczNkg5IiwiaWF0IjoxNjM5MTE4MjY1LCJ1c2VySWQiOjcwMDUxODA5fQ.hS4YtRu-vD6UN_s5o3S9DbHAbW3g50WiID1nP4x-0ag","title":null,"type":null},"content":[{"type":"text","text":"文章"}]},{"type":"text","text":"。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"你有沒有想過鏡像是如何構建出來的？"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Docker所推廣的工作流程試圖讓你認爲鏡像纔是主要的，容器次之。在執行docker run 命令時，你需要指定一個鏡像才能運行容器。但我們知道，嚴格來說，事情並沒有這麼簡單。實際上，你需要(臨時)運行容器來構建鏡像！想知道爲什麼，請閱讀這篇"},{"type":"link","attrs":{"href":"https:\/\/iximiuz.com\/en\/posts\/you-need-containers-to-build-an-image?accessToken=eyJhbGciOiJIUzI1NiIsImtpZCI6ImRlZmF1bHQiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJhY2Nlc3NfcmVzb3VyY2UiLCJleHAiOjE2MzkxMTg1NjUsImciOiJqV3lnUHlDZDNjUGczNkg5IiwiaWF0IjoxNjM5MTE4MjY1LCJ1c2VySWQiOjcwMDUxODA5fQ.hS4YtRu-vD6UN_s5o3S9DbHAbW3g50WiID1nP4x-0ag","title":null,"type":null},"content":[{"type":"text","text":"文章"}]},{"type":"text","text":"。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"單宿主機上的容器管理器"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在現實世界中，我們發明了集裝箱是爲了增加一艘船可以裝載的物品數量，類似的，容器是爲了提高服務器的資源利用率。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一個典型的服務器現在運行數十或數百個容器。因此，它們需要有效地共存在一臺服務器上。單個容器運行時關注的是單個容器的生命週期，而容器管理器關注的是在單臺主機上共存的多個容器。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器管理器的主要職責包括鏡像的拉取、解包、配置容器間網絡、存儲容器日誌，等等。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在這方面，你可能認爲Docker就是一個很好的例子。但我發現containerd是一個更具代表性的例子。與runc一樣，containerd在一開始只是Docker的一個組件，後來被提取到一個獨立的項目中。containerd可以使用runc或任何實現了containerd-shim接口的運行時。最酷的是，你可以像使用Docker一樣使用containerd來輕鬆地運行容器。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這篇文章介紹了"},{"type":"link","attrs":{"href":"https:\/\/iximiuz.com\/en\/posts\/containerd-command-line-clients?accessToken=eyJhbGciOiJIUzI1NiIsImtpZCI6ImRlZmF1bHQiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJhY2Nlc3NfcmVzb3VyY2UiLCJleHAiOjE2MzkxMTg1NjUsImciOiJqV3lnUHlDZDNjUGczNkg5IiwiaWF0IjoxNjM5MTE4MjY1LCJ1c2VySWQiOjcwMDUxODA5fQ.hS4YtRu-vD6UN_s5o3S9DbHAbW3g50WiID1nP4x-0ag","title":null,"type":null},"content":[{"type":"text","text":"如何在命令行中使用containerd"}]},{"type":"text","text":"——這是一個很好的練習，讓你更接近實際的容器是什麼樣子的。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果你想了解更多關於容器管理器內部的知識，請看這篇文章。它介紹了"},{"type":"link","attrs":{"href":"https:\/\/iximiuz.com\/en\/posts\/conman-the-container-manager-inception?accessToken=eyJhbGciOiJIUzI1NiIsImtpZCI6ImRlZmF1bHQiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJhY2Nlc3NfcmVzb3VyY2UiLCJleHAiOjE2MzkxMTg1NjUsImciOiJqV3lnUHlDZDNjUGczNkg5IiwiaWF0IjoxNjM5MTE4MjY1LCJ1c2VySWQiOjcwMDUxODA5fQ.hS4YtRu-vD6UN_s5o3S9DbHAbW3g50WiID1nP4x-0ag","title":null,"type":null},"content":[{"type":"text","text":"如何從零開始實現一個容器管理器"}]},{"type":"text","text":"："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.infoq.cn\/resource\/image\/02\/a0\/02ea8567862022df498dc5c6760dfea0.png","alt":null,"title":"","style":[{"key":"width","value":"100%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"containerd與docker"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"現在，我們準備好要了解Docker了！如果我們忽略(現在已棄用)Swarm，那麼Docker包含如下這些："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"dockerd——位於containerd守護進程前面的一個高級守護進程；"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"docker——一個命令行客戶端，用於與dockerd交互。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.infoq.cn\/resource\/image\/08\/e5\/0803c49141da26350284ae96cea9afe5.png","alt":null,"title":"","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Docker的分層架構"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在我看來，Docker目前的主要任務是讓容器工作流變得更友好。爲了簡化開發人員的工作，Docker將所有主要容器用例整合到一個工具中："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"構建\/拉取\/推送\/掃描圖像；"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"啓動\/暫停\/檢查\/殺死容器；"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"創建網絡\/重定向端口；"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"掛載\/卸載\/刪除卷；"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"其他。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但是到了2021年，幾乎每個用例都被寫成了一個定製的軟件(如podman、buildah、skopeo、kaniko，等等)，以便提供更好的替代解決方案。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"多宿主容器編配器"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在單臺主機上協調運行的容器已經很難了，在多個主機之間協調容器就更困難了。還記得Docker Swarm嗎？Docker在加入多主機容器編配特性時就已經相當可怕了，因爲給已有的守護進程帶來了更多的責任……"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"忽略守護進程數量不斷膨脹這個問題，Docker Swarm看起來還是不錯的。但另一種編配器贏得了比賽——Kubernetes！所以，大約從2020年開始，Docker Swarm就過時了，我們每週都會聽到幾個新出現的“古希臘”詞彙。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Kubernetes將多個服務器(節點)連接到一個集羣中，每個節點都有一個叫做kubelet的本地代理。kubelet負責啓動Pod(一組容器)，但並不是它自己做這些事情。過去，它使用dockerd，但現在這種方法已被棄用，取而代之的是更通用的容器運行時接口(CRI)。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.infoq.cn\/resource\/image\/b7\/a1\/b73fdac10ec68b8b6a5332d4b362bca1.png","alt":null,"title":"","style":[{"key":"width","value":"100%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Kubernetes可以使用containerd、cri-o或其他CRI運行時"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器編配器需要完成很多任務。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如何將容器按照高級原語分組(Pods、ReplicaSets等)？"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如何將運行容器的節點連接到一個公共網絡中？"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如何提供服務發現？"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"其他。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Kubernetes和其他編配器(如Nomad或AWS ECS)可以幫助開發團隊更容易地創建獨立的服務。它幫助解決了很多管理上的問題，尤其是對大公司來說。但它也帶來了很多傳統虛擬機所沒有的新技術問題！管理大量分佈式服務變得非常具有挑戰性，從而催生了“雲原生項目動物園”。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"有一些容器就是虛擬機"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"你從實現和使用的角度對容器有了更好的理解，現在可以告訴你真相了。容器不是Linux進程！"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"甚至在技術上講，Linux容器也不是進程。它們是隔離且受約束的環境，可在其中運行一個或多個進程。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"按照上面的定義，至少有些容器可以使用命名空間和cgroups之外的機制來實現，這就不足爲奇了。事實上，有些項目（如Kata）就使用真正的虛擬機作爲容器！幸好有了像OCI Runtime Spec、OCI Image Spec或Kubernetes CRI這樣的開放標準，基於虛擬機的容器可以在不進行重大調整的情況下被更高級的工具(如containerd和Kubernetes)使用。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"要了解更多，請閱讀這篇關於"},{"type":"link","attrs":{"href":"https:\/\/iximiuz.com\/en\/posts\/oci-containers?accessToken=eyJhbGciOiJIUzI1NiIsImtpZCI6ImRlZmF1bHQiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJhY2Nlc3NfcmVzb3VyY2UiLCJleHAiOjE2MzkxMTg1NjUsImciOiJqV3lnUHlDZDNjUGczNkg5IiwiaWF0IjoxNjM5MTE4MjY1LCJ1c2VySWQiOjcwMDUxODA5fQ.hS4YtRu-vD6UN_s5o3S9DbHAbW3g50WiID1nP4x-0ag","title":null,"type":null},"content":[{"type":"text","text":"OCI運行時規範如何定義標準容器"}]},{"type":"text","text":"的文章："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.infoq.cn\/resource\/image\/b3\/cd\/b3257aa3afbb662df5dc7548cca801cd.png","alt":null,"title":"","style":[{"key":"width","value":"100%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"結論"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"只通過Docker或Kubernetes等高級工具無法真正瞭解容器。這個領域很複雜，只從一個方向瞭解它會留下太多的盲點。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我認爲更好的方法是從更廣泛的生態系統開始，將其分解到各個層面，然後利用在每一步中獲得的知識，從底層開始逐個擊破："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器運行時——Linux命名空間和cgroups。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器鏡像——爲什麼以及如何。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器管理器——讓容器在單臺主機上共存。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器編配器——將多個主機組合成一個集羣。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容器標準——泛化容器知識。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"原文鏈接："},{"type":"link","attrs":{"href":"https:\/\/iximiuz.com\/en\/posts\/container-learning-path\/?accessToken=eyJhbGciOiJIUzI1NiIsImtpZCI6ImRlZmF1bHQiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJhY2Nlc3NfcmVzb3VyY2UiLCJleHAiOjE2MzkxMTg1NjUsImciOiJqV3lnUHlDZDNjUGczNkg5IiwiaWF0IjoxNjM5MTE4MjY1LCJ1c2VySWQiOjcwMDUxODA5fQ.hS4YtRu-vD6UN_s5o3S9DbHAbW3g50WiID1nP4x-0ag","title":null,"type":null},"content":[{"type":"text","text":"https:\/\/iximiuz.com\/en\/posts\/container-learning-path\/"}]}]}]}