10 pictures to help you understand Docker containers and images-Alibaba Cloud Developer Community

This article want to be able to help readers understand Docker command, and container (container) and mirror (image) difference between, and in-depth discussion container and running containers difference. When I knew little about Docker technology, I found it difficult to understand Docker commands. Therefore, I spent several weeks learning how Docker works. More specifically, I learned about the union file system of Docker, and then looked back at Docker commands, everything became logical and simple. Digression : personally, the best way to master a technology and use it reasonably is to deeply understand the working principle behind this technology. Under normal circumstances, the birth of a new technology is often accompanied by media hype and hype, which makes it difficult for users to see the essence of technology clearly. More specifically, new technologies always invent some new terms or metaphorical words to help propaganda, which is very helpful in the early stage, but it covers a layer of sandpaper on the principle of technology, it is not conducive for users to master the true meaning of technology in the later period. Git is a good example. I couldn't use Git well before, so I spent some time learning the principle of Git. Until then, I really understood the usage of Git. I firmly believe that only those who truly understand the internal principles of Git can master this tool.

Image Definition

mirror (Image) is a bunch of read-only layer (read-only layer) unified perspective, maybe this definition somewhat difficult to understand, the following this figure can help readers understand mirror definition. From the left, we see multiple read-only layers that overlap. In addition to the bottom layer, all other layers have a pointer pointing to the next layer. These layers are the internal implementation details of Docker, and can be requested in the file system of the host (Translator's note: the machine running Docker). The union file system technology can integrate different layers into a file system, providing a unified perspective for these layers, thus hiding the existence of multiple layers, from the user's point of view, there is only one file system. We can see the form of this angle of view on the right side of the picture. You can find files about these layers on your host file system. Note that these layers are invisible inside a running container. On my host, I found that they exist in the/var/lib/docker/aufs directory. /var/lib/docker/ ├── aufs ├── containers ├── graph ├── init ├── linkgraph.db ├── repositories-aufs ├── tmp ├── trust └── volumes 7 directories, 2 files

Container Definition

the definition of a container is almost the same as that of an image. It is also a unified perspective of a bunch of layers. The only difference is that the top layer of a container is readable and writable. Careful readers may find that the definition of container does not mention whether the container is running. Yes, this is intentional. It was this discovery that helped me understand a lot of confusions. Key points: Container = image + read/write layer. The container definition does not mention whether to run the container. Next, we will discuss running containers.

Running Container Definition

A running container is defined as a read-write unified file system with isolated process space and processes that contain it. The following figure shows a running container. It is the file system isolation technology that makes Docker a promising technology. Processes in a container may modify, delete, and create files. These changes apply to the read-write layer. The following figure shows this behavior. We can verify what we said above by running the following command:
docker run ubuntu touch happiness.txt 
even if the ubuntu container is no longer running, we can still find the new file on the file system of the host. /var/lib/docker/aufs/diff/860a7b...889/happiness.txt

Image Layer Definition

to integrate sporadic data, we propose the concept of image layer. The following figure describes an image layer. Through the image, we can find that a layer contains not only file system changes, but also other important information. metadata is additional information about this layer. It allows Docker to obtain information about the runtime and build time, as well as the parent layer. Note that both the read-only layer and the read-write layer contain metadata. In addition, each layer includes a pointer pointing to the parent layer. If a layer does not have this pointer, it is at the lowest level. Metadata Location: I found that on my own host, the metadata of the image layer is stored in a file named "json", for example:
/var/lib/docker/graph/e809f156dc985.../json
e809f156dc985 **is the id of this layer the metadata of a container seems to be divided into many files, but it can be more or less in/var/lib/docker/containers/ find under the Directory, the id of a readable layer. Most files in this directory are runtime data, such as networks and logs.

Global understanding (Tying It All Together)

now, let's understand Docker commands based on the implementation details mentioned above.

docker create <image-id>

the docker create command adds a read/write layer to the specified image to form a new container. Note that the container is not running.

docker start <container-id>

Docker start command to create a process isolation space for the container file system. Note that each container can have only one process isolation space.

docker run <image-id>

when you see this command, you will often have a question: What is the difference between docker start and docker run commands. As shown in the figure, the docker run command first creates a container from an image and then runs the container. This command is very convenient and hides the details of the two commands, but on the other hand, it is easy to misunderstand users. Digression: continue with our previous topic about Git. I think the docker run command is similar to the git pull command. The git pull command is a combination of git fetch and git merge commands. Similarly, docker run is a combination of docker create and docker start commands.

docker ps

the docker ps command lists all running containers. This hides the existence of non-running containers. To find these containers, use the following command.

docker ps -a

the docker ps -a command lists all containers, whether running or stopped.

docker images

the docker images command lists all top-level images. In fact, we cannot distinguish an image from a read-only layer, so we propose a top-level image. Only images used when creating containers or directly pulled down images can be called top-level images, and multiple image layers are hidden under each top-level image.

docker images -a

the docker images -a command lists all images, or all readable layers. To view all layers under an image-id, you can use docker history.

docker stop <container-id>

the docker stop Command sends a SIGTERM signal to the running container and stops all processes.

docker kill <container-id>

the docker kill Command sends an unfriendly SIGKILL signal to all processes running in the container.

docker pause <container-id>

the docker stop and docker kill commands send UNIX signals to running processes, but the docker pause command is different. It uses the cgroups feature to pause the running process space. You can find the specific internal principles here: https://www.kernel.org/doc/Doc m.txt however, the disadvantage of this method is that sending a SIGTSTP signal is not easy enough for the process to understand, so that all processes cannot be suspended.

docker rm <container-id>

the docker rm command removes the read/write layer that constitutes the container. Note that this command can only be executed on non-running containers.

docker rmi <image-id>

the docker rmi command removes a read-only layer that constitutes the image. You can only use docker rmi to remove the top level layer (or image). You can also use the-f parameter to forcibly delete the middle read-only layer.

docker commit <container-id>

the docker commit command converts the read/write layer of a container into a read-only layer, thus converting a container into an immutable image.

docker build

the docker build command is very interesting. It runs multiple commands repeatedly. As shown in the preceding figure, the build command obtains the image according to the FROM command in the Dockerfile file, and then repeats 1)run(create and start), 2) modify, and 3)commit. Each step in the loop generates a new layer so many new layers are created.

docker exec <running-container-id>

the docker exec command runs a new process in the running container.

docker inspect <container-id>or <image-id>

the docker inspect command extracts the top-level metadata of the container or image.

docker save <image-id>

the docker save command creates a compressed image file that can be used on Docker of another host. Unlike the export command, this command stores their metadata for each layer. This command only takes effect on images.

docker export <container-id>

the docker export command creates a tar file, removes metadata and unnecessary layers, and integrates multiple layers into one layer, saving only the content seen from the current unified perspective (Translator's note: the container after expoxt is imported to Docker, and only one image can be seen through the docker images -tree command. The image after save is different, and the historical image of this image can be seen).

docker history <image-id>

the docker history Command recursively outputs the historical image of the specified image.

Conclusion

I hope you will like this article. I have not mentioned many other commands (pull,search,restart,attach, etc.), but I believe that most Docker commands can be well understood by reading this article. I have only studied Docker for two weeks, so if I have something wrong, you are welcome to point it out. Original link: Visualizing Docker Containers and Images (translation: Yang Runqing) =========================== translator introduction yang Runqing, post-90s doctoral monk, his research direction is network and information security.
Selected, One-Stop Store for Enterprise Applications
Support various scenarios to meet companies' needs at different stages of development

Start Building Today with a Free Trial to 50+ Products

Learn and experience the power of Alibaba Cloud.

Sign Up Now