瓶 (bottle) - a vessel whose mouth is narrower than its body and whose neck is long
罐 (jar) - a vessel with a wide opening, usually roughly cylindrical
箱 (box) - usually cuboid or cylindrical, with a fixed shape
篮 (basket) - woven from strips of material
桶 (bucket) - a cylindrical vessel
袋 (bag) - a vessel made of flexible material whose shape changes with its contents
瓮 (urn) - usually earthenware, with a small mouth and a large belly
碗 (bowl) - a vessel for holding food
柜 (cabinet) - a piece of furniture made up of boxes
鞘 (sheath) - a holder for a blade
Differences between traditional virtualization and containers
Full virtualization
Paravirtualization
Resources that containers separate:
Linux containers are not a new concept. The earliest container technology can be traced back to the chroot tool on Unix-family operating systems in 1982 (to this day, mainstream Unix and Linux operating systems still support and ship this tool).
CGroups
Control groups (CGroups) are a Linux kernel feature used to isolate, limit and audit shared resources. Only by controlling the resources allocated to each container can Docker avoid contention for system resources when several containers run at the same time.
Control groups can limit a container's memory, CPU, disk I/O and other resources.
The resources CGroups can limit include:
Specifically, control groups provide the following functions:
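The limit and accounting functions described above are exposed as plain files in the cgroup filesystem. The script below is an added example (not code from the original post or from the LXC project) that drives that interface by hand for the memory controller. It assumes the cgroup v1 layout that the CentOS 7 kernel shown on this page (3.10.0) mounts at /sys/fs/cgroup; the CGROUP_ROOT variable and the cg_* function names are my own, and CGROUP_ROOT is overridable so the functions can be exercised against a scratch directory. On cgroup v2 distributions the hierarchy is unified and the knobs are named differently (memory.max), so the paths would need adjusting.

```shell
#!/bin/sh
# Added example: create a memory cgroup, set a limit, attach a process and
# read the controller's accounting counters. cgroup v1 interface as found on
# CentOS 7; CGROUP_ROOT is a hypothetical override for testing.
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# cg_path CONTROLLER NAME -> directory of the group under that controller
cg_path() {
    printf '%s/%s/%s\n' "$CGROUP_ROOT" "$1" "$2"
}

# cg_create CONTROLLER NAME: creating the directory is how a cgroup is born;
# on a real cgroup mount the kernel then populates it with the knob files.
cg_create() {
    mkdir -p "$(cg_path "$1" "$2")"
}

# cg_set CONTROLLER NAME KNOB VALUE: write a limit, e.g. memory.limit_in_bytes
cg_set() {
    printf '%s\n' "$4" > "$(cg_path "$1" "$2")/$3"
}

# cg_get CONTROLLER NAME KNOB: read a knob (a limit or an accounting counter
# such as memory.usage_in_bytes or memory.failcnt)
cg_get() {
    cat "$(cg_path "$1" "$2")/$3"
}

# cg_attach CONTROLLER NAME PID: move one process into the group; every
# resource it uses from now on is charged to and limited by that group
cg_attach() {
    printf '%s\n' "$3" > "$(cg_path "$1" "$2")/cgroup.procs"
}

# cg_member CONTROLLER NAME PID: succeeds when PID is listed in the group
cg_member() {
    grep -qx "$3" "$(cg_path "$1" "$2")/cgroup.procs"
}

# cg_mib_to_bytes MIB: the kernel wants a byte count, humans think in MiB
cg_mib_to_bytes() {
    echo $(( $1 * 1024 * 1024 ))
}

# Manual run as root on a cgroup v1 host:
#   cg_create memory demo
#   cg_set memory demo memory.limit_in_bytes "$(cg_mib_to_bytes 64)"
#   cg_attach memory demo $$
#   cg_get memory demo memory.usage_in_bytes    # bytes charged to this shell
#   cg_get memory demo memory.failcnt           # times the limit was hit
```

LXC does the same writes for you from the lxc.cgroup.* entries in a container's config; reading memory.failcnt is the quickest way to tell whether a limit is actually being enforced rather than merely configured.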
LXC (LinuX Containers) is an operating-system-level virtualization technology and a user-space interface to the container features of the Linux kernel. It packages an application software system into a software container that holds the application's own code together with the operating system kernel and libraries it needs. Through a unified namespace and shared APIs it allocates the available hardware resources among the different software containers, creating an independent sandboxed runtime environment for each application, so that Linux users can easily create and manage system or application containers.
The Linux kernel provides the cgroups feature to achieve resource isolation. It also provides namespace isolation, so that the operating system environment an application sees is partitioned into independent compartments, including the process tree, networking, user IDs and mounted file systems. cgroups, however, never require starting a virtual machine.
LXC uses cgroups and namespaces to give application software an isolated operating system environment. LXC needs no hypervisor layer; the software container itself is extremely lightweight, which speeds up creating virtual machines.
Docker, in essence, is not a container but a container management tool, and the earliest Docker was itself implemented on top of LXC.
Key LXC technical points:
LXC basic architecture
## Basic LXC operations
Deploying LXC
Environment: CentOS 7
Preparation
```
# Preparation
[root@localhost ~]# yum -y install epel-release // install the EPEL repository
[root@localhost ~]# yum -y install lxc lxc-templates bridge-utils lxc-libs libcgroup libvirt perl debootstrap // install LXC and its dependencies
# Package details
lxc            # main program package
lxc-templates  # LXC configuration templates
bridge-utils   # bridge management tools
lxc-libs       # libraries needed by LXC
libcgroup      # cgroups are the Linux kernel mechanism for aggregating and partitioning tasks, organizing them into one or more subsystems through a set of parameters
libvirt        # server-side daemon needed to manage Linux virtualization; requires a hypervisor for the specific driver
```
Start the services
```
[root@localhost ~]# systemctl start lxc
[root@localhost ~]# systemctl start libvirtd
[root@localhost ~]# systemctl status lxc.service
● lxc.service - LXC Container Initialization and Autoboot Code
Loaded: loaded (/usr/lib/systemd/system/lxc.service; disabled; vendor preset: disabled)
Active: active (exited) since 日 2022-04-24 19:47:26 CST; 30s ago
Process: 77992 ExecStart=/usr/libexec/lxc/lxc-autostart-helper start (code=exited, status=0/SUCCESS)
Process: 77985 ExecStartPre=/usr/libexec/lxc/lxc-devsetup (code=exited, status=0/SUCCESS)
Main PID: 77992 (code=exited, status=0/SUCCESS)
Tasks: 0
Memory: 0B
CGroup: /system.slice/lxc.service
```
Run lxc-checkconfig to check whether the kernel meets the requirements for running containers
```
[root@localhost ~]# lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.10.0-1062.el7.x86_64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Warning: newuidmap is not setuid-root
Warning: newgidmap is not setuid-root
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
Bridges: enabled
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
```
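Each "enabled" line above is lxc-checkconfig looking up one CONFIG_ symbol in the kernel config it found. The script below is an added example, not the page's or LXC's own code: it re-implements that lookup for the namespace, cgroup and networking options LXC depends on, and reproduces the setuid check behind the "newuidmap is not setuid-root" warning. The kconfig_*/container_*/newuidmap_ok function names are mine; the CONFIG_ symbols are real kernel options; the embedded sample config is constructed for the example and deliberately lacks CONFIG_USER_NS so the report has something to show.

```shell
#!/bin/sh
# Added example: a minimal lxc-checkconfig. Reads an uncompressed kernel
# config (e.g. /boot/config-$(uname -r)) and reports the container-related
# options that are not enabled. Function names are hypothetical.

# kconfig_locate: same search order as lxc-checkconfig; prints a path to a
# plain-text config, decompressing /proc/config.gz into a temp file if needed
kconfig_locate() {
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp) && zcat /proc/config.gz > "$tmp" && echo "$tmp"
    else
        echo "/boot/config-$(uname -r)"
    fi
}

# kconfig_value FILE OPTION: print y (built in), m (module) or n for a symbol;
# "# CONFIG_X is not set" lines never match the "CONFIG_X=" prefix, hence n
kconfig_value() {
    val=$(sed -n "s/^$2=//p" "$1" | head -n 1)
    case "$val" in
        y|m) echo "$val" ;;
        *)   echo n ;;
    esac
}

# kconfig_enabled FILE OPTION: succeed when built in or available as a module
kconfig_enabled() {
    [ "$(kconfig_value "$1" "$2")" != n ]
}

# container_missing FILE: print the options LXC needs that are not enabled,
# one per line; empty output means the kernel can isolate and limit containers
container_missing() {
    for opt in CONFIG_NAMESPACES CONFIG_UTS_NS CONFIG_IPC_NS CONFIG_PID_NS \
               CONFIG_USER_NS CONFIG_NET_NS CONFIG_CGROUPS CONFIG_CGROUP_DEVICE \
               CONFIG_CGROUP_SCHED CONFIG_CPUSETS CONFIG_MEMCG CONFIG_VETH \
               CONFIG_BRIDGE CONFIG_MACVLAN; do
        kconfig_enabled "$1" "$opt" || echo "$opt"
    done
}

# count_missing FILE: number of missing options, usable as a gate in a
# provisioning script (0 means go)
count_missing() {
    container_missing "$1" | awk 'END { print NR }'
}

# newuidmap_ok PATH: the warning in the output above comes from this check.
# newuidmap/newgidmap must be setuid root for unprivileged containers to set
# up their uid/gid maps; without it every container has to be run as root.
newuidmap_ok() {
    [ -u "$1" ] && [ "$(stat -c %u "$1")" = 0 ]
}

# Constructed sample config (not from a real kernel): everything LXC needs
# except user namespaces, mirroring a kernel built without CONFIG_USER_NS.
write_sample_config() {
    cat > "$1" <<'EOF'
# Automatically generated file; DO NOT EDIT.
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_PID_NS=y
# CONFIG_USER_NS is not set
CONFIG_NET_NS=y
CONFIG_CGROUPS=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_SCHED=y
CONFIG_CPUSETS=y
CONFIG_MEMCG=y
CONFIG_VETH=m
CONFIG_BRIDGE=m
CONFIG_MACVLAN=m
EOF
}

# Manual run against the live kernel:
#   container_missing "$(kconfig_locate)"
#   newuidmap_ok /usr/bin/newuidmap || echo "unprivileged containers unavailable"
```

Running container_missing against /boot/config-3.10.0-1062.el7.x86_64 from the session above would print nothing, matching the all-enabled report; the sample config prints CONFIG_USER_NS, which is the single option whose absence turns every container into a root-owned one.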
/usr/share/lxc/templates/ is the directory that holds the templates
```
[root@localhost ~]# ls /usr/share/lxc/templates/ // list the LXC templates available on the system
lxc-alpine lxc-centos lxc-fedora lxc-oracle lxc-ubuntu-cloud
lxc-altlinux lxc-cirros lxc-gentoo lxc-plamo
lxc-archlinux lxc-debian lxc-openmandriva lxc-sshd
lxc-busybox lxc-download lxc-opensuse lxc-ubuntu
```
```
[root@localhost ~]# lxc-create -t centos -n test
Copy /var/cache/lxc/centos/x86_64/7/rootfs to /var/lib/lxc/test/rootfs ...
Copying rootfs to /var/lib/lxc/test/rootfs ...
sed:无法读取 /var/lib/lxc/test/rootfs/etc/init/tty.conf:没有那个文件或目录
Storing root password in '/var/lib/lxc/test/tmp_root_pass'
chpasswd:无法打开 /etc/passwd
正在终止用户 root 的密码。
passwd: Libuser error at line: 425 - Error replacing `/etc/passwd': 权限不够.
passwd: 错误
sed:无法读取 /var/lib/lxc/test/rootfs/etc/rc.sysinit:没有那个文件或目录
sed:无法读取 /var/lib/lxc/test/rootfs/etc/rc.d/rc.sysinit:没有那个文件或目录
Container rootfs and config have been created.
Edit the config file to check/enable networking setup.
The temporary root password is stored in:
'/var/lib/lxc/test/tmp_root_pass' // file holding the initial password
The root password is set up as expired and will require it to be changed
at first login, which you should do as soon as possible. If you lose the
root password or wish to change it without starting the container, you
can change it from the host by running the following command (which will
also reset the expired flag):
chroot /var/lib/lxc/test/rootfs passwd // command to change the password
```
Change the password
```
[root@localhost ~]# setenforce 0 // SELinux has to be turned off to change the password
[root@localhost ~]# chroot /var/lib/lxc/test/rootfs passwd
更改用户 root 的密码 。
新的 密码:
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
```
```
[root@localhost ~]# lxc-start -n test // start the container
lxc-start: conf.c: remount_all_slave: 4204 No such file or directory - Failed to make /run/media/kurumi/CentOS\0407\040x86_64 rslave
lxc-start: conf.c: remount_all_slave: 4205 Continuing...
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization lxc.
Detected architecture x86-64.
Welcome to CentOS Linux 7 (Core)!
Running in a container, ignoring fstab device entry for /dev/root.
Cannot add dependency job for unit display-manager.service, ignoring: Unit not found.
[ OK ] Started Dispatch Password Requests to Console Directory Watch.
[ OK ] Created slice Root Slice.
[ OK ] Created slice System Slice.
[ OK ] Listening on Delayed Shutdown Socket.
[ OK ] Listening on /dev/initctl Compatibility Named Pipe.
[ OK ] Started Forward Password Requests to Wall Directory Watch.
[ OK ] Reached target Paths.
[ OK ] Created slice User and Session Slice.
[ OK ] Reached target Swap.
[ OK ] Created slice system-getty.slice.
[ OK ] Listening on Journal Socket.
Mounting Huge Pages File System...
Starting Journal Service...
Mounting POSIX Message Queue File System...
[ OK ] Reached target Local Encrypted Volumes.
[ OK ] Reached target Slices.
Starting Remount Root and Kernel File Systems...
Mounting FUSE Control File System...
[ OK ] Reached target Remote File Systems.
Starting Read and set NIS domainname from /etc/sysconfig/network...
[ OK ] Mounted FUSE Control File System.
[ OK ] Mounted POSIX Message Queue File System.
[ OK ] Mounted Huge Pages File System.
[ OK ] Started Journal Service.
[ OK ] Started Read and set NIS domainname from /etc/sysconfig/network.
[ OK ] Started Remount Root and Kernel File Systems.
Starting Flush Journal to Persistent Storage...
[ OK ] Reached target Local File Systems (Pre).
Starting Configure read-only root support...
Starting Rebuild Hardware Database...
<46>systemd-journald[15]: Received request to flush runtime journal from PID 1
[ OK ] Started Flush Journal to Persistent Storage.
[ OK ] Started Configure read-only root support.
Starting Load/Save Random Seed...
[ OK ] Reached target Local File Systems.
Starting Mark the need to relabel after reboot...
Starting Rebuild Journal Catalog...
Starting Create Volatile Files and Directories...
[ OK ] Started Load/Save Random Seed.
[ OK ] Started Mark the need to relabel after reboot.
[ OK ] Started Rebuild Journal Catalog.
[ OK ] Started Create Volatile Files and Directories.
Starting Update UTMP about System Boot/Shutdown...
[ OK ] Started Update UTMP about System Boot/Shutdown.
[ OK ] Started Rebuild Hardware Database.
Starting Update is Completed...
[ OK ] Started Update is Completed.
[ OK ] Reached target System Initialization.
[ OK ] Listening on D-Bus System Message Bus Socket.
[ OK ] Reached target Sockets.
[ OK ] Started Daily Cleanup of Temporary Directories.
[ OK ] Reached target Timers.
[ OK ] Reached target Basic System.
Starting Login Service...
Starting LSB: Bring up/down networking...
Starting Permit User Sessions...
Starting OpenSSH Server Key Generation...
[ OK ] Started D-Bus System Message Bus.
[ OK ] Started Permit User Sessions.
Starting Cleanup of Temporary Directories...
[ OK ] Started Command Scheduler.
[ OK ] Started Console Getty.
[ OK ] Reached target Login Prompts.
[ OK ] Started Login Service.
[ OK ] Started Cleanup of Temporary Directories.
[ OK ] Started OpenSSH Server Key Generation.
CentOS Linux 7 (Core)
Kernel 3.10.0-1062.el7.x86_64 on an x86_64
test login: root // the root account
Password: // the password set earlier via chroot
<28>systemd-sysctl[297]: Failed to write '1' to '/proc/sys/fs/protected_symlinks': Read-only file system
[root@test ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
5: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether fe:a0:72:d8:3a:d0 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.146.128/24 brd 192.168.146.128 scope global dynamic eth0
valid_lft 3302sec preferred_lft 3302sec
inet6 fe80::fca0:72ff:fed8:3ad0/64 scope link
valid_lft forever preferred_lft forever
```
From another terminal on the host
```
[root@localhost ~]# lxc-info -n test // show information about the container
Name: test
State: RUNNING
PID: 92109
IP: 192.168.146.128
CPU use: 0.13 seconds
BlkIO use: 912.00 KiB
Memory use: 1.56 MiB
KMem use: 0 bytes
Link: vethJ9X2KO
TX bytes: 1.77 KiB
RX bytes: 12.64 KiB
Total bytes: 14.41 KiB
[root@localhost ~]# lxc-stop -n test // stop all processes in the container
```
```
lxc-console    // attach to the console of the specified container
               // usage: lxc-console -n NAME -t NUMBER
lxc-stop       // stop a container
lxc-destroy    // delete a container that is in the stopped state
lxc-snapshot   // create and restore snapshots
// to detach from the container console: <Ctrl+a q>
```
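The walkthrough above, from lxc-create through setting the root password, starting the container and inspecting it, gathered into one script with the two clean-up steps an operator would add: SELinux goes back to enforcing as soon as passwd has run, and the clear-text tmp_root_pass file that the template leaves behind is destroyed once it is no longer needed. This is an added example, not the post's own commands or LXC's code. LXC_DIR is a hypothetical variable standing in for LXC's default container directory /var/lib/lxc (overridable so the file handling can be tested against a scratch tree), the ctr_* function names are mine, and -t, -n and -d are real lxc-create/lxc-start options. It assumes root on the CentOS 7 host prepared in the steps above.

```shell
#!/bin/sh
# Added example: create, secure and start an LXC container the way the
# walkthrough does, then clean up. LXC_DIR is a hypothetical override for
# LXC's default container directory; function names are hypothetical.
LXC_DIR="${LXC_DIR:-/var/lib/lxc}"

# ctr_name_ok NAME: lxc-create uses the name verbatim as a directory under
# LXC_DIR, so refuse anything that could point outside it or break later
# command lines (empty, ".", "..", slashes, whitespace, shell metacharacters)
ctr_name_ok() {
    case "$1" in
        ''|.|..|*/*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

ctr_rootfs()   { printf '%s/%s/rootfs\n' "$LXC_DIR" "$1"; }
ctr_tmp_pass() { printf '%s/%s/tmp_root_pass\n' "$LXC_DIR" "$1"; }

# ctr_forget_tmp_pass NAME: the template stores the initial root password in
# clear text; after a real password is set, the file is only a credential
# for whoever can read the host disk, so overwrite and remove it. Safe to
# call when the file is already gone.
ctr_forget_tmp_pass() {
    f=$(ctr_tmp_pass "$1")
    [ -e "$f" ] || return 0
    if command -v shred >/dev/null 2>&1; then shred -u "$f"; else rm -f "$f"; fi
}

# ctr_dir_private NAME: the rootfs contains the container's /etc/shadow and
# keys, so keep the container directory readable by root only; prints the
# resulting mode so callers can verify it
ctr_dir_private() {
    chmod 700 "$LXC_DIR/$1"
    stat -c %a "$LXC_DIR/$1"
}

# ctr_bootstrap NAME TEMPLATE: the walkthrough's steps in order
ctr_bootstrap() {
    ctr_name_ok "$1" || { echo "bad container name: $1" >&2; return 1; }
    lxc-checkconfig                          # show what the kernel supports
    lxc-create -t "$2" -n "$1"
    setenforce 0                             # needed for chroot passwd, as above
    chroot "$(ctr_rootfs "$1")" passwd       # interactive: type the new password
    setenforce 1                             # re-enable enforcement immediately
    ctr_forget_tmp_pass "$1"
    ctr_dir_private "$1" >/dev/null
    lxc-start -n "$1" -d                     # -d: run in the background instead
                                             # of taking over this terminal
    lxc-info -n "$1"
}

# ctr_remove NAME: stop the container, then delete it
ctr_remove() {
    ctr_name_ok "$1" || return 1
    lxc-stop -n "$1"
    lxc-destroy -n "$1"
}

# Manual run on the host:  ctr_bootstrap test centos   /   ctr_remove test
```

Starting with -d is what lets lxc-info and lxc-stop be issued from the same terminal; attach to the console afterwards with lxc-console -n test and leave it with Ctrl+a q as listed above.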
When we build an LNMP stack, its components depend on one another: which application should start when, and before or after which other one, is a dependency that should be defined in advance and preferably carried out in a fixed order. Docker itself has no such capability, so we need something built on top of Docker that can reflect the dependency, subordination and membership relations among applications in the ordering and management logic of startup and shutdown. This capability is called container orchestration.
Once Docker is in use, the operations team's release work has to go through an orchestration tool that arranges the containers; without one, managing containers is actually more troublesome for operators than managing the programs directly, and it raises the complexity of managing the operations environment.
Common container orchestration tools: