container/docker

  • cgroup/namespace
    By default the kernel kills processes in a container if out-of-memory (OOM) errors occur.
  • network driver/volume driver

  • live restore
    refer

  • runc/dockerd/containerd
    refer
    docker-cli –>(/var/run/docker.sock)–> dockerd –> (grpc,docker-containerd.sock+container_config)–> containerd –>containerd-shim–>(fork+exec)–> runc –>(create OCI bundle and then starts, exec)–> programme 
    systemd(1)
      ---dockerd(1002)
              ---docker-containerd(1038)
                      ---docker-containerd-shim(3749)
                              ---nginx(3771,ipc,mnt,net,pid,uts)

    components
    1, docker cli
    docker-cli is only responsible for user friendly communication with docker.
    2, dockerd
    The Docker daemon - dockerd listens for Docker API requests and manages host’s
    Container life-cycles by utilizing contanerd.dockerd can listen for Docker Engine API requests via three different types of Socket: unix, tcp, and fd.
    3, containerd
    containerd was introduced in Docker 1.11 and since then took main responsibilty of managing containers life-cycle. containerd is the executor for containers, but has a wider scope than just executing containers. So it also take care of:
    Image push and pull
    Managing of storage
    Of course executing of Containers by calling runc with the right parameters to run containers…
    Managing of network primitives for interfaces
    Management of network namespaces containers to join existing namespaces
    containerd fully leverages the OCI runtime specification1, image format specifications and OCI reference implementation (runc)
    4, RunC
    runc is a command line client for running applications packaged according to the OCI format and is a compliant implementation of the OCI spec.
    A bundle for a container is a directory that includes a specification file named “config.json” and a root filesystem.
    5, containerd-shim
    The shim allows for daemonless containers. According to Michael Crosby it’s basically sits as the parent of the container’s process to facilitate a few things.

First it allows the runtimes, i.e. runc,to exit after it starts the container. This way we don’t have to have the long running runtime processes for containers.
Second it keeps the STDIO and other fds open for the container in case containerd and/or docker both die. If the shim was not running then the parent side of the pipes or the TTY master would be closed and the container would exit.
Finally it allows the container’s exit status to be reported back to a higher level tool like docker without having the be the actual parent of the container’s process and do a wait4.

  • containerd for k8s
    refer

  • docker events

  • images
    A Docker image includes metadata and an optional file system layer 
    root@ip-172-31-2-169:/var/lib/docker# ls
builder  buildkit  containers  image  network  overlay2  plugins  runtimes  swarm  tmp  trust  volumes

    hostname/hosts/resolv.conf are hacked by docker
    docker build –wash (make multiple layers to one layer)
    copy on write

  • image security && trusted content