
In the first article of this series, Docker Practical Tutorial from Getting Started to Improving (1), we introduced how to install Docker on the Ubuntu operating system, as well as the configuration of Proxy and Insecure Registry.

This article continues the practical learning of Docker.

Exercise 1: Use a simple example to learn how Docker isolates the file directories of the container and the host operating system from each other

We know that the file directories of the host operating system cannot be accessed from inside a Docker container, but how is this isolation achieved?
In fact, it is not magic at all: it uses the Linux command chroot.
chroot can set the root directory of a process to any specified directory.

Using chroot we can create a new process whose root directory is the directory passed as an argument when chroot is executed.
Because the new process cannot access any file directory outside the directory passed to chroot when it was created, we must manually copy some files into that directory, the one the new process sees as its root, so that the new process can work properly.

Do a test like this:

Create a new folder and execute chroot . This treats the folder $HOME/container as the root directory of the new process. But it does not work, and an error message is reported:

chroot: failed to run command '/bin/bash': No such file or directory

Execute the following two commands:

Execute the command ldd $HOME/container/bin/bash :
The bash binary has to be copied manually to $HOME/container/bin/bash, and ldd shows which library files it needs:

According to the output of ldd, execute the eight commands in the following figure again:


Execute chroot . again; this time it succeeds:

pwd shows that we are in the root directory, and ls finds only the subdirectories under the container directory specified when executing chroot:

This is how docker file directory isolation works.
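
The copy steps of this exercise as one script. This is an added example, not code from the original article; the function names list_libs, build_jail and missing_libs are hypothetical, and the script assumes ldd is installed.

```shell
#!/bin/sh
# Added example: fill a chroot directory with one binary plus every shared
# library that ldd reports for it, keeping the original absolute paths.

# Print the absolute path of each shared object the binary $1 is linked to.
# ldd lines look like "libc.so.6 => /lib/.../libc.so.6 (0x...)", so every
# field that starts with "/" is a file the jail needs.
list_libs() {
    ldd "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' | sort -u
}

# Copy binary $2 and its libraries into the jail directory $1.
build_jail() {
    jail=$1
    bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp "$bin" "$jail$bin"
    for lib in $(list_libs "$bin"); do
        mkdir -p "$jail$(dirname "$lib")"
        cp -L "$lib" "$jail$lib"    # -L copies the file a symlink points to
    done
}

# Print every library of binary $2 that is still absent from jail $1.
# Empty output means the "No such file or directory" error should not recur.
missing_libs() {
    for lib in $(list_libs "$2"); do
        [ -e "$1$lib" ] || echo "$lib"
    done
}

# Run only when called with arguments: build_jail.sh DIR [BINARY]
if [ "$#" -ge 1 ]; then
    build_jail "$1" "${2:-/bin/bash}"
    missing_libs "$1" "${2:-/bin/bash}"
fi
```

After running it with $HOME/container as the directory, sudo chroot $HOME/container /bin/bash starts the shell inside the new root. chroot changes only the filesystem root and applies none of the namespace, cgroup or capability restrictions a container runtime adds, so on its own it is not a security boundary.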

Exercise 2: Understand how Docker volumes work with a practical example

To understand Docker volumes, we first need to understand how the Docker file system works. A Docker image is a stack of read-only filesystem layers. When a container is started with the command docker run , Docker loads the read-only image layers and adds a read-write layer on top of the image stack. If the running container modifies an existing file, the file is copied from the read-only layer below up into the read-write layer. The read-only version of the file still exists, but it is hidden by the copy of the file in the read-write layer.

When a Docker container is deleted and restarted with that image, changes made at the read-write layer will be lost. In Docker, the combination of the read-only layers and the read-write layer at the top is called the Union File System, or UnionFS for short, which uses an important resource management technique called copy-on-write.

Copy-on-write, also known as implicit sharing, is a resource management technique for efficient replication of modifiable resources. For a duplicate resource, if it is not modified, there is no need to create a new resource immediately, the resource can be shared and used. When a modification occurs, a new resource is created. This greatly reduces the cost of copying unmodified resources. In fact, the concept of COW is not unfamiliar to programmers at all, and is widely used in various fields, such as the copy action of the internal table in ABAP, the copy implementation of Java strings, and so on. Docker builds containers based on UnionFS.

Let's look at a practical example below.
Use the command line docker run --help to view the help documentation for this command. The role of -h is to specify the hostname of the container.

Create a new container using the command line:

docker run -it --name jerry-container-test -h CONTAINER -v /data busybox /bin/sh
The name is jerry-container-test, and a volume /data is created with -v

After the creation is complete, execute cd /data in the container to enter this directory, which is still empty at this time.

Use docker ps to view the container status:

Now I want to know which internal directory is used on the host to implement this volume.
Use the command docker inspect jerry-container-test to view the keyword "volumes":

This gives the directory on the host that implements /data in the container:

/var/lib/docker/volumes/96aa969033ee7e6d7ff607a0a47de5a5866613a422518ed3f86fee6240bae8cc/_data
Now I use the touch command on the host to create a file directly in this directory:
sudo touch /var/lib/docker/volumes/96aa969033ee7e6d7ff607a0a47de5a5866613a422518ed3f86fee6240bae8cc/_data/test.s

Now switch to the container, and use ls to see the files created in the internal folder with the touch command directly on the host.
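
The lookup done by hand above, scripted. This is an added example, not part of the original article; it assumes a Docker version whose inspect output has a Mounts field, the function names are hypothetical, and the sample lines are constructed with a placeholder volume ID.

```shell
#!/bin/sh
# Added example: map a path inside a container to the host path behind it.

# Print one "type source destination rw" line per mount of container $1.
# (Paths containing spaces are not handled by this simple format.)
container_mounts() {
    docker inspect -f \
        '{{range .Mounts}}{{println .Type .Source .Destination .RW}}{{end}}' "$1"
}

# Read mount lines on stdin and print the host path that backs container
# path $1. The mount with the longest matching destination wins; the exit
# status is 1 when the path lives only in the container's own layers.
host_path_for() {
    awk -v p="$1" '
        NF == 4 {
            d = $3
            # The destination must be the path itself or a parent directory.
            if ((p == d || index(p, d "/") == 1) && length(d) > best) {
                best = length(d); src = $2; dst = d
            }
        }
        END {
            if (!best) exit 1
            print src substr(p, length(dst) + 1)
        }'
}

# Read mount lines on stdin and print "destination <- source" for each
# mount the container can write to, i.e. host data it is able to change.
writable_mounts() {
    awk 'NF == 4 && $4 == "true" { print $3 " <- " $2 }'
}

# Constructed sample of container_mounts output (VOLUME_ID is a placeholder).
sample_mounts() {
    cat <<'EOF'
volume /var/lib/docker/volumes/VOLUME_ID/_data /data true
bind /home/user/nginx-html /usr/share/nginx/html false
EOF
}

# Run only when called with arguments: mounts.sh CONTAINER PATH
if [ "$#" -eq 2 ]; then
    container_mounts "$1" | host_path_for "$2"
fi
```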

Exercise 3: Use Docker volume to modify index.html in Nginx Docker image

Through this small example, we can further deepen the understanding and use of the concept of Docker volume.

We all know that after running a Docker-based Nginx image, you can visit localhost to see the default home page of Nginx, which is located under the /usr/share/nginx/html directory in the Nginx image.

Suppose we have a requirement to modify the default home page of Nginx to the following content:

<html>
<head>
<title>Custom Website from my container</title>
</head>
<body>
<h1>This is Jerry's custom website.</h1>
<p>This website is served from my <a href="http://www.docker.com" target="_blank">SAP Docker</a> container.</p>
</body>
</html>

Below is the detailed method.

The -v option on the command line mounts the host directory nginx-html to the /usr/share/nginx/html directory in the Nginx container.

docker run -d -p 1081:80 -v $(pwd)/nginx-html:/usr/share/nginx/html --name jerry-custom nginx

Use vi to change index.html under the host directory nginx-html to the custom content:


Enter the docker container interactively:

docker exec -it jerry-custom /bin/sh

The index.html in the Docker container has been modified automatically as well, and its content is the same as that under the host directory nginx-html.

Visit localhost:1081 to see the modified custom Nginx home page:

Summary

This article first uses a simple example to show how Docker isolates the file directories of the container and the host operating system from each other, which is implemented with the Linux command chroot, and then uses the practical example of modifying index.html in the Nginx Docker image to illustrate the principle and usage of Docker volumes.

