1. docker Detailed explanation
A lot of people have just touched docker It’s amazing , I think this technology is very novel , It’s not ,docker The technologies used are all pre-existing , It’s just that the old wine has changed into a new bottle . Simply speaking docker The essence is actually a
A special process
, This process is special in that it isNamespace
andCgroup
The technology is decorated ,Namespace
Connect the process with Linux The system is isolated , Put the process in a virtual sandbox , andCgroup
There are a series of resource restrictions on the process , The two work together to simulate a sandbox environment .
2. Namespace
Linux There are six isolation mechanisms for threads , Respectively :
uts
pid
user
mount
network
ipc
, Their functions are as follows :
- uts: Used to isolate host names
- pid: Used to isolate processes PID The no.
- user: Used to isolate users
- mount: Used to isolate the mount point view seen by each process
- network: Used to isolate the network
- ipc: Used to isolate System V IPC and POSIX message queues
3. Environment configuration
Because we are Windows It’s code , Then compile the code , Put it in Linux In the implementation of , So here we’re going to change us goland Environment , Because in different environments ,go The imported files are also different , If our environment uses Windows, So use
os/exec
Packet time , The import will beexec_windows.go
, And if our environment is Linux, So it will importexec_linux.go
file , Because only Linux This isolation parameter is provided to create the process , So we need to change the environment to Linux.
4. Go Implement process isolation
4.1 Isolation uts
package main
import (
"log"
"os"
"os/exec"
"syscall"
)
func main() {
cmd := exec.Command("sh")
cmd.SysProcAttr = &syscall.SysProcAttr{
Cloneflags: syscall.CLONE_NEWUTS,
}
cmd.Stdin = os.Stdin
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
if err := cmd.Run(); err != nil {
log.Fatal(err)
}
}
Let’s compile , Put it in Linux Let’s test it ,windows To compile in, you need to first GOOS
Change to Linux
, And then execute go build
, The compiled script is as follows
SET CGO_ENABLED=0
SET GOOS=linux
SET GOARCH=amd64
go build main.go
take main
Put it in Linux Running in the environment , So here I’m going to use theta Centos
4.2 Test whether host names can be isolated
- to main File add executable rights
chmod +x main
- View the current hostname
- perform main file
./main
4. Modify hostname
hostname -b New hostname
Check the hostname again , We see that the hostname has been changed to test
了
5. sign out shell, Check the hostname again
And then we found out , External host name , It hasn’t changed , It shows that the process will succeed in
hostname
Externalhostname
It’s isolated . It also proves that we useuts namespace
succeed .
4.2 Other isolation
We want that kind of isolation of the process , Only need
Cloneflags
Add parameters to
package main
import (
"log"
"os"
"os/exec"
"syscall"
)
func main() {
cmd := exec.Command("sh")
cmd.SysProcAttr = &syscall.SysProcAttr{
// Isolation uts,ipc,pid,mount,user,network
Cloneflags: syscall.CLONE_NEWUTS |
syscall.CLONE_NEWIPC |
syscall.CLONE_NEWPID |
syscall.CLONE_NEWNS |
syscall.CLONE_NEWUSER |
syscall.CLONE_NEWNET,
// Set up the UID and GID
UidMappings: []syscall.SysProcIDMap{
{
// Container of UID
ContainerID: 1,
// The host machine UID
HostID: 0,
Size: 1,
},
},
GidMappings: []syscall.SysProcIDMap{
{
// Container of GID
ContainerID: 1,
// The host machine GID
HostID: 0,
Size: 1,
},
},
}
cmd.Stdin = os.Stdin
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
if err := cmd.Run(); err != nil {
log.Fatal(err)
}
}