November 2017

docker internal

if you look in the Linux kernel, there is no such thing as a container

  • Containers share the host kernel
  • Containers use the kernel ability to group processes for resource control
  • Containers ensure isolation through namespaces
  • Containers feel like lightweight VMs (lower footprint, faster)

    history

  • Chroot circa 1982
  • FreeBSD Jails circa 2000
  • Solaris Zones circa 2004
  • Meiosys - MetaClusters with Checkpoint/Restore 2004-05
  • Linux OpenVZ circa 2005 (not in mainstream Linux)
  • AIX WPARs circa 2007
  • LXC circa 2008
  • Systemd-nspawn circa 2010-2013
  • Docker circa 2013
    -- built on LXC
    -- moved to libcontainer (March 2014)
    -- appC (CoreOS) announced (December 2014)
    -- Open Containers standard for convergence with Docker announced (June 2015)
    -- moved to runC (OCF compliant) (July 2015)

    how it works

    Namespaces, cgroups, Images, Layers & copy-on-write

    Kernel Namespaces: isolation

  • Process trees (PID Namespace)
  • Mounts (MNT namespace): wc -l /proc/mounts
  • Network (Net namespace): ip addr
  • Users / UIDs (User Namespace)
  • Hostnames (UTS Namespace): hostname
  • Inter Process Communication (IPC Namespace): ipcs

    Control Group: accounting

    Kernel control groups (cgroups) allow you to do accounting on resources used by processes, a little bit of access control on device nodes and other things such as freezing groups of processes.

    IPTables (networking)

    Isolation on the networking level is achieved through the creation of virtual switches in the Linux kernel. Linux Bridge is a kernel module, first introduced in the 2.2 kernel (circa 2000), and it is administered using the brctl command on Linux.

Types of Containers

Given the above constructs, containers may be divided into 3 types as follows:

  1. System Containers share rootfs, PID, network, IPC and UTS with host system but live inside a cgroup.
  2. Application Containers live inside a cgroup and use namespaces (PID, network, IPC, chroot) for isolation from the host system.
  3. Pods use namespaces for isolation from host system but create sub groups which share PID, network, IPC and UTS except the rootfs.
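The namespace and cgroup constructs above are visible from userspace, and the three container types differ in exactly which namespaces a process shares with the host. The following Python is an added example, not code from the original notes: it reads /proc/<pid>/ns/* (each symlink target names a namespace instance by inode) and /proc/<pid>/cgroup, then classifies a process against the three types relative to the host. The sample inode numbers and cgroup paths embedded in it are constructed, and <container-id-placeholder> stands for a real container id. One practical use is auditing a host for containers started with --pid=host or --net=host, which show up here as partial isolation.

```python
"""Compare the kernel namespaces and cgroup membership of two processes.

Added example; not code from the original notes. On Linux, /proc/<pid>/ns/<type>
is a symlink whose target "<type>:[<inode>]" identifies the namespace instance, so
two processes are isolated by a namespace type exactly when those inodes differ.
read_namespaces() does the live read; everything else works on the constructed
sample maps below, so the classification logic also runs off-Linux.
"""
import os
from typing import Dict, List, Tuple

NS_TYPES = ("pid", "mnt", "net", "user", "uts", "ipc")


def read_namespaces(pid="self") -> Dict[str, str]:
    """Live read of /proc/<pid>/ns/* (Linux only; needs ptrace-level access to <pid>)."""
    out = {}
    for ns in NS_TYPES:
        try:
            out[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            pass  # unsupported namespace type, vanished pid, or permission denied
    return out


def shared_namespaces(a: Dict[str, str], b: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (shared, separate): namespace types whose inodes are equal / different."""
    common = [ns for ns in NS_TYPES if ns in a and ns in b]
    shared = sorted(ns for ns in common if a[ns] == b[ns])
    separate = sorted(ns for ns in common if a[ns] != b[ns])
    return shared, separate


def parse_proc_cgroup(text: str) -> List[Tuple[str, str]]:
    """Parse /proc/<pid>/cgroup: each line is 'hierarchy-id:controllers:path'.
    cgroup v1 has one line per hierarchy; cgroup v2 has a single '0::<path>' line."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            _hid, controllers, path = line.split(":", 2)
            rows.append((controllers, path))
    return rows


def classify(host_ns: Dict[str, str], proc_ns: Dict[str, str], proc_cgroup: str) -> str:
    """Map a process onto the three container types from the notes, relative to the host."""
    shared, separate = shared_namespaces(host_ns, proc_ns)
    in_cgroup = any(path != "/" for _c, path in parse_proc_cgroup(proc_cgroup))
    if not separate:
        return "system container" if in_cgroup else "plain host process"
    if {"pid", "net", "ipc"} <= set(separate):
        # a pod member looks like this too; to see the pod, compare two members with each other
        return "application container"
    # e.g. docker run --pid=host or --net=host: isolation was deliberately weakened
    return "partial isolation (shares %s with host)" % ",".join(shared)


# Constructed sample data (inode numbers are made up). Docker without userns-remap
# leaves the user namespace shared, so uid 0 in the container is uid 0 on the host.
HOST_NS = {"pid": "pid:[4026531836]", "mnt": "mnt:[4026531840]", "net": "net:[4026531992]",
           "user": "user:[4026531837]", "uts": "uts:[4026531838]", "ipc": "ipc:[4026531839]"}
APP_NS = {"pid": "pid:[4026532301]", "mnt": "mnt:[4026532298]", "net": "net:[4026532304]",
          "user": "user:[4026531837]", "uts": "uts:[4026532299]", "ipc": "ipc:[4026532300]"}
NET_HOST_NS = dict(APP_NS, net=HOST_NS["net"])  # as if started with --net=host
APP_CGROUP = "12:memory:/docker/<container-id-placeholder>\n4:pids:/docker/<container-id-placeholder>\n"
HOST_CGROUP = "0::/\n"

if __name__ == "__main__":
    print(classify(HOST_NS, APP_NS, APP_CGROUP))       # application container
    print(classify(HOST_NS, NET_HOST_NS, APP_CGROUP))  # partial isolation (shares net,user with host)
    print(classify(HOST_NS, HOST_NS, APP_CGROUP))      # system container
    print(read_namespaces())                           # live view of this process, if on Linux
```

To audit a real host, pass read_namespaces(1) as host_ns and read_namespaces(pid) plus the contents of /proc/<pid>/cgroup for each process of interest; a "user" entry in the shared list is expected for default Docker and is the reason root inside such a container is root outside it.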

docker provides

  • Image management
  • Resource Isolation
  • File System Isolation
  • Network Isolation
  • Change Management
  • Sharing
  • Process Management
  • Service Discovery (DNS since 1.10)

refer:

  1. https://docs.docker.com/engine/docker-overview/
  2. http://docker-saigon.github.io/post/Docker-Internals/
  3. https://www.youtube.com/watch?v=sK5i-N34im8

ssh

There are other SSH commands besides the client ssh. Each has its own page.

ssh-keygen - creates a key pair for public key authentication
ssh-copy-id - configures a public key as authorized on a server
ssh-agent - agent to hold private key for single sign-on
ssh-add - tool to add a key to the agent
scp - file transfer client with RCP-like command interface
sftp - file transfer client with FTP-like command interface
sshd - OpenSSH server

The ssh program on a host receives its configuration from either the command line or from configuration files ~/.ssh/config and /etc/ssh/ssh_config.
configuration items:
https://www.ssh.com/ssh/config/

https://www.ssh.com/ssh/key/
https://www.ssh.com/ssh/command/

docker file cheat sheet

Version 0.0.1

FROM ubuntu:16.04

# chain with && so a failed install fails the build; with ';' the RUN succeeds even if apt-get install fails
RUN apt-get update && apt-get install -y nginx
RUN echo 'hi, i am here' > /var/www/html/index.html

ENV http_proxy=proxy.tianxiaohui.com
# ADD auto-extracts local tar archives (and can fetch URLs)
ADD latest.tar.gz /var/www/wordpress
# compared to ADD, COPY has no magic: it only copies files
COPY somefile /var/some_place/
VOLUME ["/opt/project", "/data"]
# WORKDIR and ONBUILD both require an argument; the path and the ONBUILD instruction below are placeholders
WORKDIR /var/www
USER user:group
ARG webapp_user=user
ONBUILD RUN echo "runs when a child image is built FROM this one"
# add image metadata (a comment must start its line with '#'; '//' is not a Dockerfile comment)
LABEL location="Shanghai" type="ep"
EXPOSE 80

# the docker run command line is appended as arguments to this
ENTRYPOINT ["/usr/local/bin/my.sh", "-g"]
# only the last CMD takes effect, and docker run can override it
CMD ["/usr/local/bin/my.sh", "-l"]

docker run --entrypoint overrides ENTRYPOINT; the command given after docker run overrides CMD; if there is an ENTRYPOINT, CMD is passed to it as arguments.
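Worked example of those override rules, added here and not part of the original notes or of Docker: effective_command() computes the argv a container starts with from the image's ENTRYPOINT and CMD (exec or shell form), the arguments after the image name, and --entrypoint, following the Dockerfile reference. The sample ENTRYPOINT and CMD values are the ones from the cheat sheet above.

```python
"""Model how Docker assembles a container's start command from ENTRYPOINT, CMD,
`docker run --entrypoint` and the arguments after the image name.
Added example; not code from the notes or from Docker itself."""
from typing import List, Optional, Union

Form = Union[List[str], str, None]  # exec form (JSON list), shell form (string), or not set

# Values from the cheat sheet above
CHEATSHEET_ENTRYPOINT = ["/usr/local/bin/my.sh", "-g"]
CHEATSHEET_CMD = ["/usr/local/bin/my.sh", "-l"]


def _as_argv(instr: Form) -> List[str]:
    """Exec form is used verbatim; shell form is run through /bin/sh -c, as Docker does."""
    if instr is None:
        return []
    if isinstance(instr, str):
        return ["/bin/sh", "-c", instr]
    return list(instr)


def effective_command(entrypoint: Form, cmd: Form,
                      run_args: Optional[List[str]] = None,
                      entrypoint_override: Optional[str] = None) -> List[str]:
    """Return the argv the container's first process is started with."""
    if entrypoint_override is not None:
        # --entrypoint X acts like ENTRYPOINT ["X"]; --entrypoint "" clears ENTRYPOINT.
        # Either way the image's CMD is dropped, so only run arguments can supply one.
        entrypoint = [entrypoint_override] if entrypoint_override else None
        cmd = None
    if run_args:
        cmd = list(run_args)  # anything after the image name replaces CMD
    if isinstance(entrypoint, str):
        # shell-form ENTRYPOINT: /bin/sh becomes PID 1 and CMD/run arguments are discarded
        return ["/bin/sh", "-c", entrypoint]
    return _as_argv(entrypoint) + _as_argv(cmd)


def explain(entrypoint: Form, cmd: Form, **run) -> str:
    """One-line rendering of the resulting command."""
    return " ".join(effective_command(entrypoint, cmd, **run))


if __name__ == "__main__":
    ep, cmd = CHEATSHEET_ENTRYPOINT, CHEATSHEET_CMD
    print(explain(ep, cmd))                                 # ENTRYPOINT followed by CMD
    print(explain(ep, cmd, run_args=["-v"]))                # run args replace CMD
    print(explain(ep, cmd, entrypoint_override="/bin/sh"))  # CMD is cleared as well
    print(explain("my.sh -g", cmd, run_args=["ignored"]))   # shell form swallows CMD and run args
```

Two consequences worth keeping in mind when reviewing a Dockerfile: run arguments replace CMD wholesale rather than appending to it, so `docker run image -T` on an image with `CMD ["nginx"]` runs `-T`, not `nginx -T`; and a shell-form ENTRYPOINT makes /bin/sh PID 1, so the SIGTERM from docker stop reaches the shell rather than the program it started.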

ip tunnel and port forwarding

The AllowTcpForwarding option in the OpenSSH server configuration file must be enabled on the server to allow port forwarding. By default, forwarding is allowed.

local forwarding:
$ ssh -L 80:intra.example.com:80 gw.example.com
$ ssh -L 127.0.0.1:80:intra.example.com:80 gw.example.com

remote forwarding:
$ ssh -R 8080:localhost:80 public.example.com
$ ssh -R 52.194.1.73:8080:localhost:80 host147.aws.example.com
$ ssh -R 2222:d76767.nyc.example.com:22 -R 5432:postgres3.nyc.example.com:5432 aws4.mydomain.net
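An added example, not from the notes or from OpenSSH, that parses the -L/-R specs above and checks them against the two sshd options that decide whether and where a forward is exposed: AllowTcpForwarding (default yes; the values local and remote restrict by direction) and GatewayPorts (default no, which keeps -R listeners on the server's loopback even when a bind address is requested). The sshd_config fragment is constructed; the forwarding specs are the ones listed above.

```python
"""Audit ssh -L/-R forwarding specs against the sshd options that govern them.
Added example, not code from the notes or from OpenSSH."""
from dataclasses import dataclass
from typing import Dict, List, Optional

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
ANY = {"", "*", "0.0.0.0", "::"}  # an empty bind address or '*' means all interfaces
SSHD_DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no"}  # OpenSSH defaults


@dataclass
class Forward:
    kind: str                    # "local" for -L, "remote" for -R
    bind_address: Optional[str]  # None when the spec omitted it
    port: int                    # listening port
    host: str                    # where accepted connections are delivered
    hostport: int

    def __str__(self) -> str:
        flag = "-L" if self.kind == "local" else "-R"
        bind = "" if self.bind_address is None else f"{self.bind_address}:"
        return f"{flag} {bind}{self.port}:{self.host}:{self.hostport}"


def _split_colons(spec: str) -> List[str]:
    """Split on ':' except inside [...] so IPv6 literals stay one field."""
    fields, cur, depth = [], "", 0
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            fields.append(cur)
            cur = ""
        else:
            cur += ch
    return fields + [cur]


def _unbracket(s: str) -> str:
    return s[1:-1] if s.startswith("[") and s.endswith("]") else s


def parse_forward(kind: str, spec: str) -> Forward:
    """Parse [bind_address:]port:host:hostport as accepted by ssh -L and -R."""
    fields = _split_colons(spec)
    if len(fields) == 3:
        bind, port, host, hostport = None, *fields
    elif len(fields) == 4:
        bind, port, host, hostport = _unbracket(fields[0]), *fields[1:]
    else:
        raise ValueError(f"bad forwarding spec: {spec!r}")
    return Forward(kind, bind, int(port), _unbracket(host), int(hostport))


def listener_exposure(fw: Forward) -> str:
    """Without a bind address both -L and -R listen on loopback only (GatewayPorts no)."""
    if fw.bind_address is None or fw.bind_address in LOOPBACK:
        return "loopback"
    return "all-interfaces" if fw.bind_address in ANY else "specific-address"


def effective_sshd(config_text: str) -> Dict[str, str]:
    """First occurrence of a keyword wins. Only the global section is read: a Match
    block applies its settings conditionally, so parsing stops there."""
    eff, seen = dict(SSHD_DEFAULTS), set()
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()
        if key == "match":
            break
        if key in eff and key not in seen and len(parts) == 2:
            eff[key] = parts[1].strip().lower()
            seen.add(key)
    return eff


def audit(forwards: List[Forward], sshd: Dict[str, str]) -> List[str]:
    """Findings a reviewer of an ssh invocation or an sshd_config would want to see."""
    findings, allow = [], sshd["allowtcpforwarding"]
    for fw in forwards:
        blocked = allow == "no" or allow == {"local": "remote", "remote": "local"}[fw.kind]
        if blocked:
            findings.append(f"{fw}: refused, server has AllowTcpForwarding {allow}")
        elif fw.kind == "remote" and listener_exposure(fw) != "loopback" and sshd["gatewayports"] == "no":
            findings.append(f"{fw}: non-loopback bind needs GatewayPorts yes on the server (default no)")
        elif fw.kind == "local" and listener_exposure(fw) != "loopback":
            findings.append(f"{fw}: listener is reachable from other hosts, not only this client")
    return findings


# Forwarding specs from the notes; the sshd_config fragment is constructed and
# leaves both options at their defaults.
NOTE_FORWARDS = [
    parse_forward("local", "80:intra.example.com:80"),
    parse_forward("local", "127.0.0.1:80:intra.example.com:80"),
    parse_forward("remote", "8080:localhost:80"),
    parse_forward("remote", "52.194.1.73:8080:localhost:80"),
    parse_forward("remote", "2222:d76767.nyc.example.com:22"),
    parse_forward("remote", "5432:postgres3.nyc.example.com:5432"),
]
SAMPLE_SSHD_CONFIG = "# constructed fragment\nPort 22\nPermitRootLogin no\n"


def audit_note_examples() -> List[str]:
    return audit(NOTE_FORWARDS, effective_sshd(SAMPLE_SSHD_CONFIG))
```

Against a default sshd_config, audit_note_examples() flags exactly one of the six specs: the -R with the explicit 52.194.1.73 bind address, which only takes effect if the server administrator has set GatewayPorts yes. Feeding it an sshd_config with AllowTcpForwarding no marks all six as refused, which is the setting to check first when a tunnel "does not work".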

https://www.ssh.com/ssh/tunneling/example
https://www.ssh.com/ssh/tunneling/
https://stackoverflow.com/questions/3653788/how-can-i-connect-to-oracle-database-11g-server-through-ssh-tunnel-chain-double

https://www.cyberciti.biz/faq/linux-unix-ssh-proxycommand-passing-through-one-host-gateway-server/