Docker is an application virtualization service based on features of the Linux operating system. It provides a way to share a host OS, and using a virtualized filesystem, install and run Linux based apps in an isolated environment called a container. The following diagram shows how Docker is different from Virtual Machines.
Docker is driven by a daemon running on the Host OS. A client (either command line or UI using an open source tool like Kitematic) issues commands to the daemon to build, install, or execute an application image in a container.
The Docker daemon
As shown in the diagram above, the Docker daemon runs on a host machine. The user does not directly interact with the daemon, but instead through the Docker client.
The Docker client
The Docker client, in the form of the docker binary, is the primary user interface to Docker. It accepts commands from the user and communicates back and forth with a Docker daemon.
To understand Docker’s internals, you need to know about three components:
- Docker images.
- Docker registries.
- Docker containers.
A Docker image is a read-only template. For example, an image could contain an Ubuntu operating system with Apache and your web application installed. Images are used to create Docker containers. Docker provides a simple way to build new images or update existing images, or you can download Docker images that other people have already created. Docker images are the build component of Docker.
Docker makes use of union file systems to combine these layers into a single image. Union file systems allow files and directories of separate file systems, known as branches, to be transparently overlaid, forming a single coherent file system.
One of the reasons Docker is so lightweight is because of these layers. When you change a Docker image—for example, update an application to a new version— a new layer gets built. Thus, rather than replacing the whole image or entirely rebuilding, as you may do with a virtual machine, only that layer is added or updated. Now you don’t need to distribute a whole new image, just the update, making distributing Docker images faster and simpler.
Every image starts from a base image, for example ubuntu, a base Ubuntu image, or fedora, a base Fedora image. You can also use images of your own as the basis for a new image, for example if you have a base Apache image you could use this as the base of all your web application images.
Note: Docker usually gets these base images from Docker Hub.
Docker images are then built from these base images using a simple, descriptive set of steps we call instructions. Each instruction creates a new layer in our image. Instructions include actions like:
- Run a command.
- Add a file or directory.
- Create an environment variable.
- What process to run when launching a container from this image.
These instructions are stored in a file called a Dockerfile. Docker reads this Dockerfile when you request a build of an image, executes the instructions, and returns a final image.
Docker registries hold images. These are public or private stores from which you upload or download images. The public Docker registry is provided with the Docker Hub. It serves a huge collection of existing images for your use. These can be images you create yourself or you can use images that others have previously created. Docker registries are the distribution component of Docker.
Docker Hub provides both public and private storage for images. Public storage is searchable and can be downloaded by anyone. Private storage is excluded from search results and only you and your users can pull images down and use them to build containers.
Docker containers are similar to a directory. A Docker container holds everything that is needed for an application to run. Each container is created from a Docker image. Docker containers can be run, started, stopped, moved, and deleted. Each container is an isolated and secure application platform. Docker containers are the run component of Docker.
A container consists of an operating system, user-added files, and meta-data. As we’ve seen, each container is built from an image. That image tells Docker what the container holds, what process to run when the container is launched, and a variety of other configuration data. The Docker image is read-only. When Docker runs a container from an image, it adds a read-write layer on top of the image in which your application can then run.
Docker Container Execution
Either by using the docker binary or via the API, the Docker client tells the Docker daemon to run a container.
$ docker run -i -t ubuntu /bin/bash
The Docker client is launched using the docker binary with the run option telling it to launch a new container. The bare minimum the Docker client needs to tell the Docker daemon to run the container is:
- What Docker image to build the container from, here ubuntu, a base Ubuntu image;
- The command you want to run inside the container when it is launched, here /bin/bash, to start the Bash shell inside the new container.
In order, Docker does the following:
- Pulls the ubuntu image: Docker checks for the presence of the ubuntu image and, if it doesn’t exist locally on the host, then Docker downloads it from Docker Hub. If the image already exists, then Docker uses it for the new container.
- Creates a new container: Once Docker has the image, it uses it to create a container.
- Allocates a filesystem and mounts a read-write layer: The container is created in the file system and a read-write layer is added to the image.
- Allocates a network / bridge interface: Creates a network interface that allows the Docker container to talk to the local host.
- Sets up an IP address: Finds and attaches an available IP address from a pool.
- Executes a process that you specify: Runs your application, and;
- Captures and provides application output: Connects and logs standard input, outputs and errors for you to see how your application is running.
Docker (the company) offers other products to help with the creation and management of docker solutions. These include:
- Docker Engine or “Docker” creates and runs Docker containers.Install Docker on Ubuntu, Mac OS X, or Windows. Or use the Install menu to choose from others.
- Kitematic is the desktop GUI for Docker. Install Kitematic.
- Docker Hub is our hosted registry service for managing your images. There is nothing to install. You just sign up!
- Docker Trusted Registry(DTR) supplies a private dedicated image registry. To learn about DTR for your team, see the overview.
- Docker Machine automates container provisioning on your network or in the cloud. Install machine on Windows, Mac OS X, or Linux.
- Docker Swarm is used to host clustering and container scheduling. Deploy your own “swarm” today in just a few short steps.
- Docker Compose defines multi-container applications. You can install Docker Compose on Ubuntu, Mac OS X, and other sytems.
- Docker Registry provides open source Docker image distribution. See the registry deployment documentation for more information.
The official Docker documentation includes info on running Docker on Windows including the PowerShell scripts available.
Creating a Docker Image
Create a Docker container for Redis
Firstly, we create a Dockerfile for our new Redis image.
RUN apt-get update && apt-get install -y redis-server
Next we build an image from our Dockerfile. Replace <your username> with your own user name.
$ docker build -t <your username>/redis .
Run the service
Use the image we’ve just created and name your container redis.
Running the service with -d runs the container in detached mode, leaving the container running in the background.
Importantly, we’re not exposing any ports on our container. Instead we’re going to use a container link to provide access to our Redis database.
$ docker run –name redis -d <your username>/redis
Create your web application container
Next we can create a container for our application. We’re going to use the -linkflag to create a link to the redis container we’ve just created with an alias of db. This will create a secure tunnel to the redis container and expose the Redis instance running inside that container to only this container.
$ docker run –link redis:db -i -t ubuntu:14.04 /bin/bash
Once inside our freshly created container we need to install Redis to get the redis-cli binary to test our connection.
$ sudo apt-get update
$ sudo apt-get install redis-server
$ sudo service redis-server stop
As we’ve used the –link redis:db option, Docker has created some environment variables in our web application container.
$ env | grep DB_
Should return something similar to this with your values
We can see that we’ve got a small list of environment variables prefixed with DB. The DB comes from the link alias specified when we launched the container. Let’s use the DB_PORT_6379_TCP_ADDR variable to connect to our Redis container.
$ redis-cli -h $DB_PORT_6379_TCP_ADDR
$ redis 172.17.0.33:6379>
$ redis 172.17.0.33:6379> set docker awesome
$ redis 172.17.0.33:6379> get docker
$ redis 172.17.0.33:6379> exit
Microsoft’s Commitment to Docker
As part of Microsoft’s push in to the DevOps world with Azure, they have FULLY embraced Docker as well as the Open Container Project. This includes support both in Azure but also in the upcoming Windows Server 2016. Some of the key features include:
- Windows Server Containers – run Docker containers on Windows Server 2016
- Hyper-V Containers – run Docker containers in Hyper-V
- Publish apps to Docker containers from Visual Studio
- Docker CLI Support in Windows – issue Docker commands directly in Windows
- Compose and Swarm support in Azure – build multiple containers using Swarm and Docker Compose
- Docker containers and hosts in Azure Marketplace
- Docker Trusted Registry VM in Azure – ability to run your own private registry hosted in an Azure VM
- Fundamentally, the primary advantage of Docker is the ability to host many more applications on a single host than traditional server virtualization
- By using the UnionFS filesystem, a host can store more applications and run more containers because files are reused
- By virtualizing only the application and not the Guest OS, you save on resources and storage
- Developers can create images of their work and then simply push them to test, UAT, and Production environments without worrying about config changes causing errors
- Docker files can be put into version control with the source code used to create them
- Container Isolation isn’t as robust as server virtualization
- Making it easy to create containers makes it difficult to manage duplicate or unwanted containers
- Investments in large VMWare or Hyper-V clusters would need to be repurposed as container hosts.
- Docker containers are for Linux based applications. These can include the new OWIN based ASP.NET website but normal Windows based services/websites won’t work.