From left to right we see several read-only layers stacked on top of each other. Every layer except the bottom one holds a pointer to the layer beneath it. These layers are an internal implementation detail of Docker; they live in files on the host (the machine running Docker). A union file system merges the layers into a single file system and presents one unified view of them, hiding the fact that there are multiple layers at all. The right side of the figure shows that unified view.
You can find the files for these layers on the host file system; they are not visible from inside a running container. On my host I found them under the /var/lib/docker/image directory.
A container is defined almost identically to an image: it too is a unified view of a stack of layers. The only difference is that the top layer of a container is read-write.
Important: container = image + read-write layer
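To make the unified view concrete, here is a small simulation. It is added as an example here and is not taken from the original article or from Docker's own code. It models each layer as a directory, records deletions with the .wh.<name> whiteout convention that Docker and OCI layer archives use (an assumption about the on-disk format, since the article itself never mentions whiteouts), and resolves a path top-down the way the union view does: the first layer that answers wins, so lower layers stay invisible even though their files are still on disk. Plain POSIX shell, working in a temporary directory.

```shell
#!/bin/sh
# Simulated image: one directory per layer. layer0..layer2 are read-only,
# rw is the container's read-write layer. A file named .wh.<name> in a higher
# layer hides <name> in every layer below it (whiteout convention, assumed).

# build_demo_image ROOT: lay out three read-only layers plus a read-write layer
build_demo_image() {
    root=$1
    mkdir -p "$root/layer0/etc" "$root/layer1/app" "$root/layer2/app" "$root/rw/app"
    echo 'root:x:0:0' > "$root/layer0/etc/passwd"     # base layer
    echo 'hunter2'    > "$root/layer1/app/secret.key"  # secret added in layer1
    : > "$root/layer2/app/.wh.secret.key"              # "deleted" again in layer2
    echo 'v2'         > "$root/rw/app/config"          # written by the running container
}

# union_lookup ROOT PATH: walk the layers top-down, exactly like the union view.
# Prints "<layer>:<content>" for the first layer that provides PATH,
# "DELETED (whiteout in <layer>)" if a whiteout hides it, or "ENOENT".
union_lookup() {
    root=$1; path=$2
    dir=$(dirname "$path"); base=$(basename "$path")
    for layer in rw layer2 layer1 layer0; do
        if [ -e "$root/$layer/$dir/.wh.$base" ]; then
            echo "DELETED (whiteout in $layer)"; return 1
        fi
        if [ -f "$root/$layer/$path" ]; then
            echo "$layer:$(cat "$root/$layer/$path")"; return 0
        fi
    done
    echo ENOENT; return 2
}

# demo: build the simulated image and contrast the unified view with the layers
demo() {
    demo_root=$(mktemp -d)
    build_demo_image "$demo_root"
    for p in etc/passwd app/config app/secret.key missing.txt; do
        printf '%-16s unified view: %s\n' "$p" "$(union_lookup "$demo_root" "$p" || true)"
    done
    # The secret is gone from the unified view but still sits in layer1 on disk;
    # anyone who can read the layer files (or the saved image) can recover it.
    [ -f "$demo_root/layer1/app/secret.key" ] && echo 'layer1 still holds app/secret.key'
    rm -rf "$demo_root"
}
```

Source the file and call `demo`. The point to take away is the last line it prints: the read-write layer wins over every read-only layer, a whiteout hides a lower file from the container, but the hidden file never left the host's layer store.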
Running container definition
A running container is defined as the read-write unified file system plus an isolated process space and the processes that run inside it. The following figure shows a running container.
We can verify what we said above with the following command, run inside the container:
find / -name happy.txt
To tie these scattered pieces together we introduce the concept of an image layer. The following figure depicts one image layer. From the picture we can see that a layer contains not only the file changes but also other important information.
Metadata is additional information about the layer. It lets Docker obtain information at run time and at build time, and it also records the layer's parent, that is, its position in the hierarchy. Note that both the read-only layers and the read-write layer carry metadata.
/var/lib/docker/image/overlay2: the directory that stores image management data (image and layer metadata for the overlay2 storage driver).
A container's metadata is spread over several files, but they can all be found under /var/lib/docker/containers/.
Now let's look at the Docker commands in light of the implementation details above.
The docker create command adds a read-write layer on top of the specified image, forming a new container. Note that the container is not running yet.
The docker start command creates an isolated process space for the container's file system. Note that each container has exactly one process space.
Readers usually ask at this point: what is the difference between docker start and docker run?
The docker run command creates a container from an image and then starts it. It is convenient precisely because it hides these two separate steps.
The docker ps command lists the running containers, which hides the existence of containers that are not running. To see those as well we need the following command.
The docker ps -a command lists all containers, whether running or stopped.
The docker images command lists all top-level images. Strictly speaking there is no way to tell an image from a read-only layer, so we use the term top-level image: only an image that was pulled directly, or that was used to create a container, is called a top-level image, and many image layers are hidden beneath each one.
The docker images -a command lists all images, that is, every read-only layer. To see all the layers beneath a given image id, use docker history.
The docker stop command sends SIGTERM to the container's main process and, if the container has not exited after the grace period (10 seconds by default), follows up with SIGKILL, so that all processes in the container are stopped.
The docker kill command sends the unfriendly SIGKILL signal to the processes running in the container.
docker stop and docker kill send UNIX signals to the running processes; docker pause works differently. It uses the cgroups freezer to suspend the container's whole process space. The rationale is that sending SIGTSTP is not transparent enough to the processes inside the process space to guarantee that all of them are actually frozen.
The docker rm command deletes the read-write layer that makes up the container. Note that it can only be run on a container that is not running.
The docker rmi command deletes the read-only layers that make up an image. You can only docker rmi a top-level image; the -f flag forces deletion of an intermediate read-only layer.
The docker commit command turns the container's read-write layer into a read-only layer, converting the container into an immutable image.
The docker build command is interesting: it runs the same sequence of commands over and over.
As the figure above shows, build takes the base image from the FROM instruction in the Dockerfile and then repeats 1) run (create and start), 2) modify, and 3) commit. Every iteration of the loop produces a new layer, so a build produces many new layers.
The docker exec command starts a new process inside a running container.
The docker inspect command extracts the top-level metadata of a container or image.
The docker save command creates a compressed archive of an image that can be loaded on another Docker host. Unlike docker export, it preserves each layer together with its metadata. It works only on images.
The docker export command creates a tar file of a container's file system: it strips the metadata and the layer structure, flattens all layers into one, and keeps only what is visible from the current unified view. (Translator's note: after an exported container is imported back into Docker, the old docker images --tree command shows a single image, whereas a saved image keeps its whole layer history.)
The docker history command recursively prints the ancestor images of the specified image.
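The layer model behind these commands has a security consequence the descriptions only hint at: a credential written by one build step and deleted by a later one is hidden by a whiteout in the unified view, but the bytes are still in the lower layer, docker history still shows the ENV/ARG/RUN lines that produced it, and docker save (unlike docker export) ships that lower layer to whoever gets the archive. The script below is an added example, not part of the original article or of Docker, that audits both: it scans docker history output for credential-looking build instructions and lists files in a docker save archive that a later layer deleted. It assumes awk and jq are installed, that docker save produced the classic layout (a manifest.json whose Layers array lists layer tars bottom layer first) and that deletions appear as .wh.<name> entries in the layer tars (the Docker/OCI whiteout convention); the input lines in the test are constructed.

```shell
#!/bin/sh
# Audit helpers for what leaves the host with an image.
# Assumptions: jq and awk available; classic `docker save` layout; .wh. whiteouts.

# scan_build_steps: read `docker history --no-trunc --format '{{.CreatedBy}}'`
# lines on stdin and print those that look like they embed a credential.
# Exit status is grep's: 0 when something suspicious was found, 1 when clean.
# ENV/ARG values and RUN command lines live in layer metadata, so anyone who
# can pull the image can read them; this is a triage filter, expect false positives.
scan_build_steps() {
    grep -i -E '(secret|passw(or)?d|token|api[_-]?key|private[_-]?key)[A-Za-z0-9_]*[[:space:]]*[=:]'
}

# list_saved_layers IMAGE.tar: print "<layer tar>\t<path>" for every entry of
# every layer archive, bottom layer first (the order Docker stacks them).
list_saved_layers() {
    workdir=$(mktemp -d)
    tar -xf "$1" -C "$workdir"
    for layer in $(jq -r '.[0].Layers[]' "$workdir/manifest.json"); do
        tar -tf "$workdir/$layer" | awk -v l="$layer" '{ print l "\t" $0 }'
    done
    rm -rf "$workdir"
}

# layer_leaks: read list_saved_layers output on stdin and report every path
# that a higher layer deleted with a whiteout (.wh.<name>) while a lower layer
# still contains it. Such files are absent from the unified view (and from a
# docker export), yet anyone holding the saved image can extract them.
layer_leaks() {
    awk -F '\t' '
    {
        layer = $1; path = $2
        n = split(path, parts, "/")
        base = parts[n]
        if (base == ".wh..wh..opq") next      # opaque-directory marker, not a single deletion
        if (substr(base, 1, 4) == ".wh.") {
            # rebuild the hidden path by stripping the .wh. prefix from the basename
            target = substr(path, 1, length(path) - length(base)) substr(base, 5)
            if (target in added)
                printf "%s\tadded in %s\tdeleted in %s\n", target, added[target], layer
            next
        }
        if (!(path in added)) added[path] = layer   # remember the lowest layer holding it
    }'
}

# Typical use (image name is a placeholder):
#   docker history --no-trunc --format '{{.CreatedBy}}' myorg/app:1.0 | scan_build_steps
#   docker save myorg/app:1.0 -o app.tar && list_saved_layers app.tar | layer_leaks
```

If layer_leaks reports anything, deleting the file in a later RUN step did not help; the fix is to never write the secret into a layer (build-time secret mounts, or a multi-stage build that copies only the artifacts forward), and to rotate whatever was already pushed.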