最小 Docker 镜像 hello-world 剖析

开始学习 Docker 的同学基本上都是按照官方的 guide 来安装,之后要测试是否已经安装成功,官方会让你 pull 一个 hello-world 示例镜像下来并运行,如下命令:

 guohl@ghl-MBP ⮀ ~ ⮀ docker pull hello-world
31cbccb51277: Pull complete
e45a5af57b00: Pull complete
511136ea3c5a: Already exists
hello-world:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Status: Downloaded newer image for hello-world:latest

guohl@ghl-MBP ⮀ ~ ⮀ docker run hello-world
Hello from Docker.
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (Assuming it was not already locally available.)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

For more examples and ideas, visit:
 http://docs.docker.com/userguide/

出现上面的输出信息表示你 Docker 安装成功。使用下面命令查看该镜像的信息,发现大小只有 910B:

guohl@ghl-MBP ⮀ ~ ⮀ docker images hello-world
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
hello-world         latest              e45a5af57b00        3 months ago        910 B

那么该镜像运行怎么就输出上面这一串信息的呢?如果对 Docker 了解一点的话自然会去找该镜像的 Dockerfile,Dockerfile 详细描述了该镜像是如何建立的以及运行时执行的命令。从 Docker Hub 上 hello-world 的库简介 找到其 Dockerfile 在 github 上,简简单单的三条语句:

FROM scratch
ADD hello /
CMD ["/hello"]
  • 第一条FROM指令是 Docker 用来指定该镜像是基于哪个基础镜像构建的,这里指定为 scratch,实际上 scratch 镜像是一个空镜像,用来构建基础镜像或者极小的镜像。
  • 第二条ADD指令表示从 Dockerfile 所在目录拷贝文件到指定路径下,这里拷贝 hello 文件到根目录下,至于 hello 文件是什么稍后介绍。
  • 第三条CMD指令用来指示当运行 docker run 命令运行该镜像时要执行的命令,这里执行 /hello,就是执行第二步拷贝到根目录下的 hello 文件。

hello 是一个可执行的二进制文件,从文章的开头可以推测该文件执行输出那一堆提示信息,那该文件怎样生成的呢?从 hello-world 的库中可以看到还有两个文件,一个是汇编文件 hello.asm,还有一个 Makefile 文件,可以猜测 hello 就是事先通过 hello.asm 编译得到的,如 Makefile 文件所描述的编译过程:

hello: hello.asm
    nasm -o $@ $<
    chmod +x hello

.PHONY: clean
clean:
    -rm -vf hello

Makefile 文件比较容易理解,主要是使用 nasm 汇编器将 hello.asm 编译生成可执行文件 hello

最后再来看看 hello.asm 文件,这是一段 Intel x86 汇编:

; this is especially thanks to:
; http://blog.markloiseau.com/2012/05/tiny-64-bit-elf-executables/

BITS 64
    org 0x00400000  ; Program load offset

; 64-bit ELF header
ehdr:
    ;  1), 0 (ABI ver.)
    db 0x7F, "ELF", 2, 1, 1, 0       ; e_ident
    times 8 db 0                     ; reserved (zeroes)

    dw 2              ; e_type: Executable file
    dw 0x3e           ; e_machine:  AMD64
    dd 1              ; e_version:  current version
    dq _start         ; e_entry:    program entry address (0x78)
    dq phdr - $$      ; e_phoff   program header offset (0x40)
    dq 0              ; e_shoff no section headers
    dd 0              ; e_flags no flags
    dw ehdrsize       ; e_ehsize:   ELF header size (0x40)
    dw phdrsize       ; e_phentsize:    program header size (0x38)
    dw 1              ; e_phnum:    one program header
    dw 0              ; e_shentsize
    dw 0              ; e_shnum
    dw 0              ; e_shstrndx

ehdrsize equ $ - ehdr

; 64-bit ELF program header
phdr:
    dd 1              ; p_type: loadable segment
    dd 5              ; p_flags read and execute
    dq 0              ; p_offset
    dq $$             ; p_vaddr:	start of the current section
	dq $$             ; p_paddr: " "
    dq filesize       ; p_filesz
    dq filesize       ; p_memsz
    dq 0x200000       ; p_align:    2^11=200000 = section alignment

; program header size
phdrsize equ $ - phdr

; Hello World!/your program here
_start:

    ; sys_write(stdout, message, length)
    mov rax, 1           ; sys_write
    mov rdi, 1           ; stdout
    mov rsi, message     ; message address
    mov rdx, length      ; message string length
    syscall

    ; sys_exit(return_code)
    mov rax, 60          ; sys_exit
    mov rdi, 0           ; return 0 (success)
    syscall

    message:
        db 'Hello from Docker.', 0x0A
        db 'This message shows that your installation appears to be working correctly.', 0x0A
        db 0x0A
        db 'To generate this message, Docker took the following steps:', 0x0A
        db ' 1. The Docker client contacted the Docker daemon.', 0x0A
        db ' 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.', 0x0A
        db ' (Assuming it was not already locally available.)', 0x0A
        db ' 3. The Docker daemon created a new container from that image which runs the', 0x0A
        db ' executable that produces the output you are currently reading.', 0x0A
        db ' 4. The Docker daemon streamed that output to the Docker client, which sent it', 0x0A
        db ' to your terminal.', 0x0A
        db 0x0A
        db 'To try something more ambitious, you can run an Ubuntu container with:', 0x0A
        db ' $ docker run -it ubuntu bash', 0x0A
        db 0x0A
        db 'For more examples and ideas, visit:', 0x0A
        db ' http://docs.docker.com/userguide/', 0x0A
    length: equ $-message            ; message length calculation

; File size calculation
filesize equ $ - $$

也比较简单,就调用了两个系统调用,sys_write 向标准输出打印一段信息,sys_exit 退出程序。

至此,我们分析完了官方提供的 hello-world 镜像整个构建及运行过程,麻雀虽小,五脏俱全,理解最小的 Docker 镜像的工作机制对我们理解 Docker 有很大帮助。

你可能感兴趣的:(docker)