Docker is a lightweight "virtualization" method to run multiple virtual units (containers, akin to “chroot”) simultaneously on a single control host. Containers are isolated with Kernel Control Groups (cgroups) and Kernel Namespaces.
Docker provides an operating system-level virtualization where the Kernel controls the isolated containers. With other full virtualization solutions like Xen, KVM, or libvirt the processor simulates a complete hardware environment and controls its virtual machines.
A change root (chroot, or change root jail) is a section in the file system which is isolated from the rest of the file system. For this purpose, the chroot command is used to change the root of the file system. A program which is executed in such a “chroot jail” cannot access files outside the designated directory tree.
Kernel Control Groups (commonly referred to as just “cgroups”) are a Kernel feature that allows aggregating or partitioning tasks (processes) and all their children into hierarchical organized groups to isolate resources.
A "virtual machine" on the host server that can run any Linux system, for example openSUSE, SUSE Linux Enterprise Desktop, or SUSE Linux Enterprise Server.
A Docker image is made by a series of layers built one over the other. Each layer corresponds to a permanent change committed from a container to the image.
For more details checkout Docker's official documentation.
A name that refers to an image. The name is used by the docker commands.
A running Docker Image.
A ID that refers to a container. The ID is used by the docker commands.
A string associated to a Image. It commonly used to identify a specific version of a Image (like tags in version control systems). It is also possible to refer the same Image with different TAGs.
A Kernel feature to isolate some resources like network, users, and others for a group of processes.
The system that runs the Docker daemon, provides the images, and the management control capabilities through cgroups.
Docker is a platform that allows developers and sysadmins to manage the complete lifecycle of images.
Docker makes incredibly easy to build, ship and run images containing applications.
Benefits of Docker:
Limitations of Docker:
Docker has different backend drivers to handle the containers. The recommended on is libcontainer, which is also the default choice. This driver provides direct access with cgroups.
The Docker packages ships also a LXC driver which handles containers using the LXC tools.
At the time of writing, upstream is working on a libvirt-lxc
driver.
Docker supports different storage drivers:
vfs
: this driver is automatically used when the Docker host filesystem
does not support copy-on-write. This is a simple driver which does not offer
some of the advantages of Docker (like sharing layers, more on that in the
next sections). It is highly reliable but also slow.devicemapper
: this driver relies on the device-mapper thin provisioning
module. It supports copy-on-write, hence it offers all the advantages of
Docker.btrfs
: this driver relies on Btrfs to provide all the features required
by Docker. To use this driver the /var/lib/docker
directory must be on a
btrfs filesystem.AUFS
: this driver relies on AUFS union filesystem. Neither the upstream
kernel nor the SUSE one supports this filesystem. Hence the AUFS driver is
not built into the SUSE Docker package.It is possible to specify which driver to use by changing the value of the
DOCKER_OPTS
variable defined inside of the /etc/sysconfig/docker
file.
This can be done either manually or using &yas;; by browsing to:
* System
* /etc/sysconfig Editor
* System
* Management
* DOCKER_OPTS
menu and entering the -s storage_driver
string.
For example, to force the usage of the devicemapper
driver
enter the following text:
DOCKER_OPTS="-s devicemapper
It is recommended to have /var/lib/docker
mounted on a different filesystem
to not affect the Docker host OS in case of a filesystem corruption.
Prepare the host:
docker
package.sudo systemctl enable docker
sudo systemctl start docker
The Docker daemon listens on a local socket which is accessible only by the root
user and by the members of the docker
group.
The docker
group is automatically created at package installation time. To
allow a certain user to connect to the local Docker daemon use the following
command:
sudo /usr/sbin/usermod -aG docker <username>
The user will be able to communicate with the local Docker daemon upon his next login.
If you want your containers to be able to access the external network you must
enable the net.ipv4.ip_forward
rule.
This can be done using YaST by browsing to the
Network Devices -> Network Settings -> Routing
menu and ensuring that the
Enable IPv4 Forwarding
box is checked.
This option cannot be changed when networking is handled by the Network Manager.
In such cases the /etc/sysconfig/SuSEfirewall2
file needs to be edited by
hand to ensure the FW_ROUTE
flag is set to yes
like so:
FW_ROUTE="yes"
Images can be pulled from Docker's central index using the following command:
docker pull <image name>
Containers can be started using the docker run
command.
Please refer to the official documentation for more details.
Starting from version 5.06.8 KIWI can be used to build Docker images.
Please refer to KIWI's official documentation.
The official kiwi-doc
package contains examples of Docker images.
Docker has an internal build system which makes incredibly easy to create new images based on existing ones.
Some users might be confused about what to use. The right approach is to build the base images using KIWI and then use them as foundation blocks inside of your Docker's build system.
That two advantages:
ENTRYPOINT
, EXPOSE
, ...).Sharing the common layers between different images makes possible to:
docker build
command.To recap: KIWI is not to be intended as a replacement for Docker's build system. It rather complements with it.