Docker: introduction

Docker is an open-source project that automates the deployment of applications inside software containers, by providing an additional layer of abstraction and automation of operating-system-level virtualization on Linux. Docker uses resource isolation features of the Linux kernel such as cgroups and kernel namespaces to allow independent containers to run within a single Linux instance, avoiding the overhead of starting virtual machines.

At its core, Docker provides a way to run almost any application securely isolated in a container. The isolation and security allow you to run many containers simultaneously on your host. The lightweight nature of containers, which run without the extra load of a hypervisor, means you can get more out of your hardware.

Docker consists of:

  • The Docker Engine – a lightweight and powerful open source container virtualization technology combined with a workflow for building and containerizing your applications
  • Docker Hub – a SaaS service for sharing and managing your application stacks

Docker uses a client-server architecture. The Docker client talks to the Docker daemon, which does the heavy lifting of building, running, and distributing your Docker containers. Both the Docker client and the daemon can run on the same system, or you can connect a Docker client to a remote Docker daemon. The Docker client and daemon communicate via sockets or through a RESTful API.


The user does not interact with the daemon directly, but through the Docker client. The Docker client, in the form of the docker binary, is the primary user interface to Docker. It accepts commands from the user and communicates back and forth with a Docker daemon.

A Docker image is a read-only template. For example, an image could contain an Ubuntu operating system with Apache and your web application installed. Images are used to create Docker containers. Every image starts from a base image, for example ubuntu. Docker usually gets these base images from Docker Hub. Docker images are then built from these base images using a simple, descriptive set of steps we call instructions. Each instruction creates a new layer in our image. Instructions include actions like:

  • Run a command
  • Add a file or directory
  • Create an environment variable
  • What process to run when launching a container from this image

These instructions are stored in a file called a Dockerfile. Docker reads this Dockerfile when you request a build of an image, executes the instructions, and returns a final image.
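
The Ubuntu-with-Apache image described above could be written as the following Dockerfile, with one instruction for each kind of action in the list. This is an added example, not part of the original article; the ubuntu:22.04 tag, the ./site/ directory and the APP_ENV variable are assumptions.

```dockerfile
# Added example: the ./site/ directory and APP_ENV are assumed names.

# Base image: every image starts from one, here pulled from Docker Hub.
FROM ubuntu:22.04

# Create an environment variable (available at build time and in the container).
ENV APP_ENV=production

# Run a command: install Apache and drop the package index afterwards
# so it does not end up stored in the image.
RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends apache2 \
 && rm -rf /var/lib/apt/lists/*

# Add a file or directory: copy the web application into Apache's document root.
COPY ./site/ /var/www/html/

# Document the port the web server listens on inside the container.
EXPOSE 80

# What process to run when launching a container from this image:
# Apache in the foreground, so the container lives as long as the server does.
CMD ["apache2ctl", "-D", "FOREGROUND"]
```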

Docker registries hold images. These are public or private stores to which you upload images and from which you download them. The public Docker registry is called Docker Hub. It provides a huge collection of existing images for your use. These can be images you create yourself or images that others have previously created. Docker registries are the distribution component of Docker. Once you build a Docker image you can push it to the public registry, Docker Hub, or to your own registry running behind your firewall. Using the Docker client, you can search for already published images and then pull them down to your Docker host to build containers from them.

Docker containers are similar to a directory. A Docker container holds everything that is needed for an application to run. Each container is created from a Docker image. Docker containers can be run, started, stopped, moved, and deleted. Docker containers are the run component of Docker. A container consists of an operating system, user-added files, and meta-data.

Each container has its own virtual Ethernet interface connected to the Docker bridge, with its own IP address allocated to that interface. Docker lets you bind ports on the host to the container so that the outside world can reach your container. That traffic passes over a proxy that is also part of the Docker daemon before getting to the container.

The Docker image tells Docker what the container holds, what process to run when the container is launched, and a variety of other configuration data. The Docker image is read-only. When Docker runs a container from an image, it adds a read-write layer on top of the image in which your application can then run.


Either by using the docker binary or via the API, the Docker client tells the Docker daemon to run a container.

$ sudo docker run -i -t ubuntu /bin/bash

The Docker client is launched using the docker binary with the run option telling it to launch a new container. The bare minimum the Docker client needs to tell the Docker daemon to run the container is:

  • What Docker image to build the container from, here ubuntu, a base Ubuntu image
  • The command you want to run inside the container when it is launched, here /bin/bash, to start the Bash shell inside the new container

In order, Docker does the following:

  • Pulls the ubuntu image: Docker checks for the presence of the ubuntu image and, if it doesn’t exist locally on the host, then Docker downloads it from Docker Hub. If the image already exists, then Docker uses it for the new container
  • Creates a new container: Once Docker has the image, it uses it to create a container
  • Allocates a filesystem and mounts a read-write layer: The container is created in the file system and a read-write layer is added to the image
  • Allocates a network / bridge interface: Creates a network interface that allows the Docker container to talk to the local host.
  • Sets up an IP address: Finds and attaches an available IP address from a pool
  • Executes a process that you specify: Runs your application, and
  • Captures and provides application output: Connects and logs standard input, output and error for you to see how your application is running

You now have a running container. From here you can manage your container, interact with your application and then, when finished, stop and remove your container.
