Linux container technology is the core technology for modern application deployment and microservice architecture. Docker and Kubernetes are the most mainstream container solutions.
Docker basic concepts:
- Image: read-only filesystem template containing all dependencies needed to run the application
- Container: running instance of an image, lightweight and isolated runtime environment
- Repository: place to store and distribute images, such as Docker Hub
- Dockerfile: text file used to build images
- Docker Compose: tool for defining and running multi-container applications
Docker common commands:
- Image management:
  - docker images: list local images
  - docker pull image: pull image
  - docker build -t name .: build image
  - docker rmi image: delete image
  - docker tag image newname: tag image
- Container management:
  - docker run: run container
  - docker ps: view running containers
  - docker ps -a: view all containers
  - docker stop container: stop container
  - docker start container: start container
  - docker restart container: restart container
  - docker rm container: delete container
  - docker exec -it container /bin/bash: enter container
- Container operations:
  - docker logs container: view container logs
  - docker cp file container:/path: copy file to container
  - docker cp container:/path file: copy file from container
  - docker inspect container: view detailed container information
  - docker stats: view container resource usage
Dockerfile instructions:
- FROM: specify base image
- RUN: execute command
- COPY: copy files to image
- ADD: copy files to image (supports decompression and URL)
- CMD: command to execute when container starts
- ENTRYPOINT: entry point to execute when container starts
- ENV: set environment variables
- ARG: build-time variables
- EXPOSE: declare the ports the container listens on
- VOLUME: declare mount points
- WORKDIR: set working directory
- USER: set running user
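The instructions above are also the ones a static check looks at before an image is built. The following is an added example, not code from the original page: a small Dockerfile reader plus three checks that matter for image security (an unpinned or :latest base image in FROM, ADD pulling remote content, and a missing or root USER). The two sample Dockerfiles are constructed for the demo.

```python
"""Static checks for a Dockerfile against the instructions listed above.
Added example (not code from the original page): a hand-written reader for
the instruction list plus a few image-security checks. Both sample
Dockerfiles are constructed for the demo."""
import re
from typing import List, Optional, Tuple

# Constructed sample: unpinned base image, remote ADD, and no USER (runs as root).
WEAK_DOCKERFILE = """\
FROM python:latest
ADD https://example.invalid/app.tar.gz /opt/app/
RUN pip install -r /opt/app/requirements.txt
EXPOSE 8000
CMD ["python", "/opt/app/main.py"]
"""

# Constructed sample: pinned base tag, COPY instead of ADD, dedicated non-root USER.
HARDENED_DOCKERFILE = """\
FROM python:3.12-slim
WORKDIR /opt/app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt \\
    && useradd --system --uid 10001 --no-create-home app
COPY . .
USER app
EXPOSE 8000
CMD ["python", "main.py"]
"""


def parse_dockerfile(text: str) -> List[Tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs. Blank lines and comments are
    skipped and backslash continuations are joined into one logical line."""
    logical: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf.strip())
    pairs = []
    for line in logical:
        parts = line.split(None, 1)
        pairs.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return pairs


def image_is_pinned(image: str) -> bool:
    """True if the reference carries a digest or a tag other than :latest."""
    name = image.rsplit("/", 1)[-1]  # drop registry/namespace (may contain a port)
    return "@sha256:" in image or (":" in name and not name.endswith(":latest"))


def check_dockerfile(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    last_user: Optional[str] = None
    for instr, args in parse_dockerfile(text):
        tokens = args.split()
        if instr == "FROM" and tokens:
            # Skip flags such as --platform=...; the image is the first plain token.
            image = next((t for t in tokens if not t.startswith("--")), "")
            if image.lower() != "scratch" and not image_is_pinned(image):
                findings.append(f"FROM {image}: base image is unpinned (no tag, or :latest)")
        elif instr == "ADD" and tokens:
            if re.match(r"^(https?|ftp)://", tokens[0]):
                findings.append(f"ADD {tokens[0]}: fetches remote content at build time; "
                                "download it in a RUN step with a checksum, or COPY a vetted copy")
            else:
                findings.append(f"ADD {tokens[0]}: prefer COPY unless archive auto-extraction is needed")
        elif instr == "USER" and tokens:
            last_user = tokens[0].split(":")[0]  # USER user[:group]
    # Only the last USER matters: it is the user CMD/ENTRYPOINT run as.
    if last_user is None:
        findings.append("no USER instruction: the container runs as root by default")
    elif last_user in ("root", "0"):
        findings.append(f"USER {last_user}: the final USER is root")
    return findings


if __name__ == "__main__":
    for label, dockerfile in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"{label}: {check_dockerfile(dockerfile) or ['OK']}")
```

Run it on a real Dockerfile with `check_dockerfile(open("Dockerfile").read())`; the weak sample yields three findings and the hardened one none. The reader deliberately keeps only what the checks need (continuation joining, comment skipping), so heredoc syntax and parser directives are not handled.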
Docker Compose:
- Configuration file: docker-compose.yml
- Common commands:
  - docker-compose up: start services
  - docker-compose down: stop and remove services
  - docker-compose ps: view service status
  - docker-compose logs: view service logs
  - docker-compose exec service command: execute command in service
- Configuration example:

```yaml
version: '3'
services:
  web:
    build: .
    ports:
      - "80:80"
    volumes:
      - ./data:/data
    environment:
      - ENV=value
```
Kubernetes basic concepts:
- Pod: smallest deployment unit, contains one or more containers
- Node: physical or virtual machine running Pods
- Service: provides stable network access for Pods
- Deployment: manages Pod replicas and updates
- ReplicaSet: ensures specified number of Pod replicas are running
- StatefulSet: manages stateful applications
- DaemonSet: runs one Pod on each node
- ConfigMap: configuration data
- Secret: sensitive data
- Namespace: resource isolation
- Ingress: HTTP/HTTPS routing
Kubernetes common commands:
- Cluster management:
  - kubectl cluster-info: view cluster information
  - kubectl get nodes: view nodes
  - kubectl get namespaces: view namespaces
- Pod management:
  - kubectl get pods: view Pods
  - kubectl describe pod podname: view Pod details
  - kubectl logs podname: view Pod logs
  - kubectl exec -it podname -- /bin/bash: enter Pod (the `--` separates kubectl's own flags from the command run inside the Pod)
  - kubectl delete pod podname: delete Pod
- Service management:
  - kubectl get services: view services
  - kubectl describe service servicename: view service details
- Deployment management:
  - kubectl get deployments: view deployments
  - kubectl apply -f yaml: apply configuration
  - kubectl rollout status deployment/deploymentname: view deployment status
  - kubectl scale deployment/deploymentname --replicas=3: scale replicas
Kubernetes configuration examples:
- Pod configuration:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: mycontainer
      image: nginx
      ports:
        - containerPort: 80
```

- Deployment configuration:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mydeployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: mycontainer
          image: nginx
          ports:
            - containerPort: 80
```
Container networking:
- Docker network modes:
  - bridge: default mode, containers communicate through Docker bridge
  - host: container uses host network stack
  - none: no network
  - container: share another container's network
- Kubernetes network model:
  - Pod network: all Pods in the same flat network
  - Service network: provides stable IP for Pods
  - Ingress: external access entry point
Container storage:
- Docker storage drivers: overlay2, aufs, btrfs, zfs
- Volume: persistent storage
- Bind Mount: mount host directory to container
- Kubernetes StorageClass: dynamic storage allocation
- PersistentVolume: cluster-level storage resource
- PersistentVolumeClaim: user's request for storage
Container security:
- Image security:
  - Use official or trusted images
  - Regularly update images
  - Scan images for vulnerabilities
  - Minimize image size
- Runtime security:
  - Run containers as non-root user
  - Limit container resources
  - Use read-only filesystem
  - Limit container capabilities
- Kubernetes security:
  - RBAC: role-based access control
  - Network Policy: restricts which Pods may talk to each other and to the outside
  - Pod Security Policy: cluster-level Pod security policy (removed in Kubernetes 1.25; its successor is Pod Security Admission, which enforces the Pod Security Standards per namespace)
Container orchestration best practices:
- Microservice architecture: split application into multiple microservices
- Health checks: configure liveness and readiness probes
- Resource limits: set CPU and memory limits
- Rolling updates: gradually update applications to avoid service interruption
- Auto-scaling: automatically adjust replicas based on load
- Configuration management: use ConfigMap and Secret to manage configuration
- Log collection: centrally collect and analyze container logs
- Monitoring and alerting: monitor container and cluster status
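The runtime-security items under "Container security" and the health-check and resource-limit items under "Container orchestration best practices" are all visible in a Pod's spec, so one audit covers both. The following is an added example, not code from the original page: it reads the JSON that `kubectl get pod <name> -o json` prints and reports which of those settings are missing. The two Pod specs (the page's minimal nginx Pod and a hardened variant of it) are constructed for the demo; the field names are Kubernetes' own.

```python
"""Audit a Pod spec for the runtime-security and best-practice settings listed
above. Added example, not code from the original page: input is the JSON that
`kubectl get pod <name> -o json` prints, so it runs on real cluster output.
Both Pod specs below are constructed for the demo."""
import json
from typing import Any, Dict, List

# Constructed sample: the page's minimal Pod, with every setting left at its default.
WEAK_POD_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "mypod"},
    "spec": {"containers": [
        {"name": "mycontainer", "image": "nginx", "ports": [{"containerPort": 80}]}
    ]},
})

# Constructed sample: the same Pod with the hardening settings applied.
HARDENED_POD_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "mypod"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "mycontainer",
            "image": "nginx:1.27-alpine",
            "ports": [{"containerPort": 8080}],
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"requests": {"cpu": "100m", "memory": "64Mi"},
                          "limits": {"cpu": "500m", "memory": "128Mi"}},
            "livenessProbe": {"httpGet": {"path": "/", "port": 8080}},
            "readinessProbe": {"httpGet": {"path": "/", "port": 8080}},
            # A read-only root filesystem needs writable scratch space mounted in.
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
})


def image_is_pinned(image: str) -> bool:
    """True if the reference carries a digest or a tag other than :latest."""
    name = image.rsplit("/", 1)[-1]
    return "@sha256:" in image or (":" in name and not name.endswith(":latest"))


def audit_pod(manifest_json: str) -> List[str]:
    """Return one finding per missing hardening or best-practice setting."""
    pod: Dict[str, Any] = json.loads(manifest_json)
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings: List[str] = []
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        # Container-level securityContext overrides the Pod-level one for shared keys.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot is not true (image default user, often root)")
        if sc.get("privileged", False):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile is not RuntimeDefault or Localhost")
        limits = c.get("resources", {}).get("limits", {})
        for resource in ("cpu", "memory"):
            if resource not in limits:
                findings.append(f"{name}: no resources.limits.{resource}")
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(f"{name}: no {probe}")
        if not image_is_pinned(c.get("image", "")):
            findings.append(f"{name}: image {c.get('image')!r} is unpinned (no tag, or :latest)")
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_POD_JSON), ("hardened", HARDENED_POD_JSON)):
        print(f"{label}: {audit_pod(manifest) or ['OK']}")
```

Feed it live output with `audit_pod(subprocess.check_output(["kubectl", "get", "pod", name, "-o", "json"]))`. The same checks apply unchanged to the `spec.template.spec` of a Deployment, which is where they should be enforced so that every replica created by a rolling update inherits them.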