Docker 概览


Docker 概述

Docker is an open platform for developing, shipping, and running applications. Docker enables you to separate your applications from your infrastructure so you can deliver software quickly. With Docker, you can manage your infrastructure in the same ways you manage your applications. By taking advantage of Docker’s methodologies for shipping, testing, and deploying code quickly, you can significantly reduce the delay between writing code and running it in production.


What is the Docker platform?

Docker provides the ability to package and run an application in a loosely isolated environment called a container. The isolation and security allow you to run many containers simultaneously on a given host. Because of the lightweight nature of containers, which run without the extra load of a hypervisor, you can run more containers on a given hardware combination than if you were using virtual machines.

Docker provides tooling and a platform to manage the lifecycle of your containers:

  • Encapsulate your applications (and supporting components) into Docker containers
  • Distribute and ship those containers to your teams for further development and testing
  • Deploy those applications to your production environment, whether it is in a local data center or the Cloud



  • 把你的应用(包含依赖)打包进容器。
  • 为了未来的开发和测试分发和托管这些容器给你的团队。
  • 部署这些应用到你的生产环境,无论它是本地的数据中心还是在云端。

What is Docker Engine?

Docker Engine is a client-server application with these major components:

  • A server which is a type of long-running program called a daemon process.

  • A REST API which specifies interfaces that programs can use to talk to the daemon and instruct it what to do.

  • A command line interface (CLI) client.


  • server:一个叫做守护进程的长时间运行的程序。
  • REST API:和守护进程通信并告诉它该做什么的具体接口。
  • client: 命令行(CLI)

The CLI uses the Docker REST API to control or interact with the Docker daemon through scripting or direct CLI commands. Many other Docker applications use the underlying API and CLI.

The daemon creates and manages Docker objects, such as images, containers, networks, and data volumes.

CLI通过Docker REST API使用脚本或者直接的CLI命令控制器Docker守护进程。许多其他的Docker应用使用底层的API和CLI。


Note: Docker is licensed under the open source Apache 2.0 license.

注意:Docker在开源 Apache 2.0 授权之下

What can I use Docker for?

Fast, consistent delivery of your applications

Docker can streamline the development lifecycle by allowing developers to work in standardized environments using local containers which provide your applications and services. You can also integrate Docker into your continuous integration and continuous deployment (CI/CD) workflow.

Consider the following example scenario. Your developers write code locally and share their work with their colleagues using Docker containers. They can use Docker to push their applications into a test environment and execute automated and manual tests. When developers find problems, they can fix them in the development environment and redeploy them to the test environment for testing. When testing is complete, getting the fix to the customer is as simple as pushing the updated image to the production environment.




Responsive deployment and scaling

Docker’s container-based platform allows for highly portable workloads. Docker containers can run on a developer’s local host, on physical or virtual machines in a data center, in the Cloud, or in a mixture of environments.

Docker’s portability and lightweight nature also make it easy to dynamically manage workloads, scaling up or tearing down applications and services as business needs dictate, in near real time.




Running more workloads on the same hardware

Docker is lightweight and fast. It provides a viable, cost-effective alternative to hypervisor-based virtual machines, allowing you to use more of your compute capacity to achieve your business goals. This is useful in high density environments and for small and medium deployments where you need to do more with fewer resources.



What is Docker’s architecture?

Docker uses a client-server architecture. The Docker client talks to the Docker daemon, which does the heavy lifting of building, running, and distributing your Docker containers. The Docker client and daemon can run on the same system, or you can connect a Docker client to a remote Docker daemon. The Docker client and daemon communicate via sockets or through a REST API.

Docker 使用client-server的构建方式。_client_和_Docker_守护进程进行通讯,来进行构建,运行,和支配你的Docker容器。Docker的client和守护进程可以运行在相同的系统上,或者你可以Docker client连接远程的Docker守护进程。Docker client通过REST API 使用sockets和守护进程进行通讯。

The Docker daemon

The Docker daemon runs on a host machine. The user uses the Docker client to interact with the daemon.

Docekr守护进程运行在主机上。用户通过Docker client和守护进程通讯。

The Docker client

The Docker client, in the form of the docker binary, is the primary user interface to Docker. It accepts commands and configuration flags from the user and communicates with a Docker daemon. One client can even communicate with multiple unrelated daemons.

Docker client是docker的组成部分之一,是Docker主要的用户界面。主要接受从用户发出的命令和配置标识来和Docker守护进程通讯。一个client可以和多个不相关的守护进程通讯。

Inside Docker

To understand Docker’s internals, you need to know about images, registries, and containers.


Docker images

A Docker image is a read-only template with instructions for creating a Docker container. For example, an image might contain an Ubuntu operating system with Apache web server and your web application installed. You can build or update images from scratch or download and use images created by others. An image may be based on, or may extend, one or more other images. A docker image is described in text file called a Dockerfile, which has a simple, well-defined syntax. For more details about images, see How does a Docker image work?.

Docker images are the build component of Docker.

Docker镜像就是创建容器的只读模板。举个栗子,一个包含Ubuntu系统,Apache,和你的web应用的镜像。你可以通过下载或拼凑创建或更新容器,你也可以使用别人创建的镜像。一个镜像可能基于或者扩展一个或其他几个镜像。每个docker镜像通过简单并具有完整规则的_Dockerfile_来描述。更多关于镜像的信息,查看 Docker镜像是怎么工作的?

Docker containers

A Docker container is a runnable instance of a Docker image. You can run, start, stop, move, or delete a container using Docker API or CLI commands. When you run a container, you can provide configuration metadata such as networking information or environment variables. Each container is an isolated and secure application platform, but can be given access to resources running in a different host or container, as well as persistent storage or databases. For more details about containers, see How does a container work?.

Docker containers are the run component of Docker.


Docker registries

A docker registry is a library of images. A registry can be public or private, and can be on the same server as the Docker daemon or Docker client, or on a totally separate server. For more details about registries, see How does a Docker registry work?

Docker registries are the distribution component of Docker.

一个Docker仓库就是镜像的图书馆。一个仓库既可以是公开的也可以是私有的,并且可以作为Docker守护进程或Docker客户端在同一服务器或独立的服务器上。更多关于仓库的细节,查看 Docker是怎么工作的?

Docker services

A Docker service allows a swarm of Docker nodes to work together, running a defined number of instances of a replica task, which is itself a Docker image. You can specify the number of concurrent replica tasks to run, and the swarm manager ensures that the load is spread evenly across the worker nodes. To the consumer, the Docker service appears to be a single application. Docker Engine supports swarm mode in Docker 1.12 and higher.

Docker services are the scalability component of Docker.



How does a Docker image work?

Docker images are read-only templates from which Docker containers are instantiated. Each image consists of a series of layers. Docker uses union file systems to combine these layers into a single image. Union file systems allow files and directories of separate file systems, known as branches, to be transparently overlaid, forming a single coherent file system.


These layers are one of the reasons Docker is so lightweight. When you change a Docker image, such as when you update an application to a new version, a new layer is built and replaces only the layer it updates. The other layers remain intact. To distribute the update, you only need to transfer the updated layer. Layering speeds up distribution of Docker images. Docker determines which layers need to be updated at runtime.


An image is defined in a Dockerfile. Every image starts from a base image, such as ubuntu, a base Ubuntu image, or fedora, a base Fedora image. You can also use images of your own as the basis for a new image, for example if you have a base Apache image you could use this as the base of all your web application images. The base image is defined using the FROM keyword in the dockerfile.

一个镜像通个Dockerfile来定义。每一个镜像开始于基础镜像,比如 ubuntu一个基于Ubuntu的镜像,或者是fedora一个基于Fedora的镜像。你也可以使用你自己的基础组件作为新的镜像,比如你有一个基于Apache的镜像,你可以使用它作为你所有web应用的基础镜像。基础镜像使用FROM关键词在dockerfile中定义

Note: Docker Hub is a public registry and stores images.

注意:Docker Hub 是一个存储镜像的公共仓库。

The docker image is built from the base image using a simple, descriptive set of steps we call instructions, which are stored in a Dockerfile. Each instruction creates a new layer in the image. Some examples of Dockerfile instructions are:

  • Specify the base image (FROM)
  • Specify the maintainer (MAINTAINER)
  • Run a command (RUN)
  • Add a file or directory (ADD)
  • Create an environment variable (ENV)
  • What process to run when launching a container from this image (CMD)


  • 指定基础镜像(FROM)
  • 指定维护(MAINTAINER)
  • 运行一个命令(RUN)
  • 添加一个文件或目录(ADD)
  • 创建一个环境变量(ENV)
  • 当从这个镜像中运行一个容器时运行哪个进程 (CMD)

Docker reads this Dockerfile when you request a build of an image, executes the instructions, and returns the image.

Docker读取Dockerfile 当你请求构建一个镜像,执行指令,返回镜像。

How does a Docker registry work?

A Docker registry stores Docker images. After you build a Docker image, you can push it to a public registry such asDocker Hub or to a private registry running behind your firewall. You can also search for existing images and pull them from the registry to a host.

一个Docker仓库保存着Docker镜像。在你创建一个Docker镜像之后,你可以把它推送到像Docker Hub 一样的公共仓库或运行在你的防火墙之下的私有仓库.你可以搜索已经存在的镜像并且把它们从一个仓库推送到主机上。

Docker Hub is a public Docker registry which serves a huge collection of existing images and allows you to contribute your own. For more information, go to Docker Registry and Docker Trusted Registry.

Docker Hub 是一个存着大量镜像并允许推送镜像的公开的Docker仓库。了解更多,去Docker Registry 和 Docker Trusted Registry 。

Docker store allows you to buy and sell Docker images. For image, you can buy a Docker image containing an application or service from the software vendor, and use the image to deploy the application into your testing, staging, and production environments, and upgrade the application by pulling the new version of the image and redeploying the containers. Docker Store is currently in private beta.

Docker store允许你买卖Docker镜像。你可以从软件商那里购买一个包含应用和服务的镜像,然后使用这个镜像部署你的应用到你的测试,生产环境,通过推送新的镜像升级你的应用并重新部署容器。Docker商店目前是测试版本。

How does a container work?

A container uses the host machine’s Linux kernel, and consists of any extra files you add when the image is created, along with metadata associated with the container at creation or when the container is started. Each container is built from an image. The image defines the container’s contents, which process to run when the container is launched, and a variety of other configuration details. The Docker image is read-only. When Docker runs a container from an image, it adds a read-write layer on top of the image (using a UnionFS as we saw earlier) in which your application runs.


What happens when you run a container?

When you use the docker run CLI command or the equivalent API, the Docker Engine client instructs the Docker daemon to run a container. This example tells the Docker daemon to run a container using the ubuntu Docker image, to remain in the foreground in interactive mode (-i), and to run the /bin/bash command.

当你执行docker run命令或相应的api,Docker引擎客户端命令Docker守护进程运行一个容器。这个例子告诉Docker守护进程运行一个ubuntuDocker 镜像,开启交互模式(-i),并且运行/bin/bash命令

$ docker run -i -t ubuntu /bin/bash

When you run this command, Docker Engine does the following:

  1. Pulls the **ubuntu image:** Docker Engine checks for the presence of the ubuntu image. If the image already exists locally, Docker Engine uses it for the new container. Otherwise, then Docker Engine pulls it from Docker Hub.

  2. Creates a new container: Docker uses the image to create a container.

  3. Allocates a filesystem and mounts a read-write **layer**: The container is created in the file system and a read-write layer is added to the image.

  4. Allocates a network / bridge interface: Creates a network interface that allows the Docker container to talk to the local host.

  5. Sets up an IP address: Finds and attaches an available IP address from a pool.

  6. Executes a process that you specify: Executes the /bin/bash executable.

  7. Captures and provides application output: Connects and logs standard input, outputs and errors for you to see how your application is running, because you requested interactive mode.


  1. 拉取ubuntu镜像: Docker引擎检查ubuntu镜像是否存在。如果本地已经有这个镜像,Docker引擎使用它创建新的容器。如果没有,然后Docker引擎就从Docker Hub上拉取。
  2. 创建一个新的容器:Docker使用镜像创建一个容器。
  3. 分配文件系统并且挂载一个只读层:容器被创建在文件系统并且只读层被添加到镜像上。
  4. 分配网络/桥接接口:创建一份网络接口使Docker可以和本地主机通讯。
  5. 设置IP地址:从连接池获取可用的IP地址。
  6. 执行你指定的进程:执行/bin/bash
  7. 捕获并提供应用输出:由于你开启交互模式,Docker提供标准的日志输入输出和错误,让你知道你的应用的运行状态。

Your container is now running. You can manage and interact with it, use the services and applications it provides, and eventually stop and remove it.


The underlying technology

Docker is written in Go and takes advantage of several features of the Linux kernel to deliver its functionality.



Docker uses a technology called namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container.


These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace.


Docker Engine uses namespaces such as the following on Linux:

  • The **pid namespace:** Process isolation (PID: Process ID).
  • The **net namespace:** Managing network interfaces (NET: Networking).
  • The **ipc namespace:** Managing access to IPC resources (IPC: InterProcess Communication).
  • The **mnt namespace:** Managing filesystem mount points (MNT: Mount).
  • The **uts namespace:** Isolating kernel and version identifiers. (UTS: Unix Timesharing System).


  • pid命名空间:进程隔离(PID: Process ID)。
  • net命名空间:网络接口管理 (NET: Networking)。
  • ipc命名空间:进程间通讯管理 (IPC: InterProcess Communication)。
  • mnt命名空间:文件系统挂载点管理(MNT: Mount)。
  • uts命名空间:隔离内核和版本标识符(UTS: Unix Timesharing System)。

Control groups

Docker Engine on Linux also relies on another technology called control groups (cgroups). A cgroup limits an application to a specific set of resources. Control groups allow Docker Engine to share available hardware resources to containers and optionally enforce limits and constraints. For example, you can limit the memory available to a specific container.


Union file systems

Union file systems, or UnionFS, are file systems that operate by creating layers, making them very lightweight and fast. Docker Engine uses UnionFS to provide the building blocks for containers. Docker Engine can use multiple UnionFS variants, including AUFS, btrfs, vfs, and DeviceMapper.

联合文件系统是创建层的运转系统,使层非常轻量和快速。Docker引擎使用联合文件系统提供构建块给容器。Docker可以使用联合文件系统变体,比如 AUFS, btrfs, vfs, and DeviceMapper。

Container format

Docker Engine combines the namespaces, control groups, and UnionFS into a wrapper called a container format. The default container format is libcontainer. In the future, Docker may support other container formats by integrating with technologies such as BSD Jails or Solaris Zones.

Docker引擎把命名空间,控制组,和联合文件系统包装进一个层这叫做容器格式化。默认的容器格式化叫做libcontainer。未来,Docker可能支持其他的容器格式化技术,比如BSD Jails 或 Solaris Zones。