词条 | Container (virtualization) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
释义 |
In computing, a container is an isolated user space in which computer programs run directly on the host operating system's kernel but have access to a restricted subset of its resources. A computer program running on an ordinary operating system can see all resources (connected devices, files and folders, network shares, CPU power, quantifiable hardware capabilities) of that computer. However, programs running inside a container can only see the container's portion of the file system and the devices assigned to it. The mechanism by which a host operating system runs programs in isolated user-space environments is called containerization or operating-system-level virtualization. On Unix-like operating systems, this feature can be seen as an advanced implementation of the standard chroot mechanism, which changes the apparent root folder for the current running process and its children. In addition to isolation mechanisms, the kernel often provides resource-management features to limit the impact of one container's activities on other containers. In Docker, container also refers to a package of software and dependencies that run inside a virtual user space. A file that represents such a package is called a container image.[1] Depending on the application, containers are also known as virtual environments (VEs), partitions or jails.[2] OperationOn ordinary operating systems for personal computers, a computer program can see (even though it might not be able to access) all the system's resources. They include:
The operating system may be able to allow or deny access to such resources based on which program requests them and the user account in the context of which it runs. The operating system may also hide those resources, so that when the computer program enumerates them, they do not appear in the enumeration results. Nevertheless, from a programming point of view, the computer program has interacted with those resources and the operating system has managed an act of interaction. With operating-system-virtualization, or containerization, it is possible to run programs within containers, to which only parts of these resources are allocated. A program expecting to see the whole computer, once run inside a container, can only see the allocated resources and believes them to be all that is available. Several containers can be created on each operating system, to each of which a subset of the computer's resources is allocated. Each container may contain any number of computer programs. These programs may run concurrently or separately, even interact with each other. Containerization has similarities to application virtualization: In the latter, only one computer program is placed in an isolated container and the isolation applies to file system only. UsesOperating-system-level virtualization is commonly used in virtual hosting environments, where it is useful for securely allocating finite hardware resources among a large number of mutually-distrusting users. System administrators may also use it for consolidating server hardware by moving services on separate hosts into containers on the one server. Other typical scenarios include separating several programs to separate containers for improved security, hardware independence, and added resource management features. The improved security provided by the use of a chroot mechanism, however, is nowhere near ironclad.[3] Operating-system-level virtualization implementations capable of live migration can also be used for dynamic load balancing of containers between nodes in a cluster. OverheadOperating-system-level virtualization usually imposes less overhead than full virtualization because programs in virtual partitions use the operating system's normal system call interface and do not need to be subjected to emulation or be run in an intermediate virtual machine, as is the case with full virtualization (such as VMware ESXi, QEMU or Hyper-V) and paravirtualization (such as Xen or UML). This form of virtualization also does not require hardware support for efficient performance. FlexibilityOperating-system-level virtualization is not as flexible as other virtualization approaches since it cannot host a guest operating system different from the host one, or a different guest kernel. For example, with Linux, different distributions are fine, but other operating systems such as Windows cannot be hosted. Solaris partially overcomes the limitation described above with its branded zones feature, which provides the ability to run an environment within a container that emulates an older Solaris 8 or 9 version in a Solaris 10 host. Linux branded zones (referred to as "lx" branded zones) are also available on x86-based Solaris systems, providing a complete Linux userspace and support for the execution of Linux applications; additionally, Solaris provides utilities needed to install Red Hat Enterprise Linux 3.x or CentOS 3.x Linux distributions inside "lx" zones.[4][5] However, in 2010 Linux branded zones were removed from Solaris; in 2014 they were reintroduced in Illumos, which is the open source Solaris fork, supporting 32-bit Linux kernels.[6]StorageSome implementations provide file-level copy-on-write (CoW) mechanisms. (Most commonly, a standard file system is shared between partitions, and those partitions that change the files automatically create their own copies.) This is easier to back up, more space-efficient and simpler to cache than the block-level copy-on-write schemes common on whole-system virtualizers. Whole-system virtualizers, however, can work with non-native file systems and create and roll back snapshots of the entire system state. {{Anchor|IMPLEMENTATIONS}}Implementations
Cloud computing and Container Registry servicesSeveral companies offer container hosting and container image registry services:
See also{{Portal|Computing}}
Notes{{Notelist|30em}}References1. ^{{cite web|url=https://www.docker.com/resources/what-container|title=What is a Container?|website=Docker|access-date=2019-03-03}} 2. ^{{cite web| url = http://www.networkworld.com/article/2226996/cisco-subnet/software-containers--used-more-frequently-than-most-realize.html| title = Software Containers: Used More Frequently than Most Realize| last1 = Hogg| first1 = Scott| date = 2014-05-26| website = Network World| publisher = Network World, Inc| access-date = 2015-07-09| quote = There are many other OS-level virtualization systems such as: Linux OpenVZ, Linux-VServer, FreeBSD Jails, AIX Workload Partitions (WPARs), HP-UX Containers (SRP), Solaris Containers, among others.}} 3. ^{{cite book | title=Mastering FreeBSD and OpenBSD Security | series=O'Reilly Series | first1=Yanek | last1=Korff | first2=Paco | last2=Hope | first3=Bruce | last3=Potter | publisher=O'Reilly Media, Inc. | year=2005 | isbn=0596006268 | page=59 | url=https://books.google.com/books?id=gqKwaHmXp4YC&pg=PA59 }} 4. ^{{cite web | url = http://docs.oracle.com/cd/E19044-01/sol.containers/817-1592/zones.intro-1/index.html | title = System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones, Chapter 16: Introduction to Solaris Zones | year = 2010 | accessdate = 2014-09-02 | publisher = Oracle Corporation}} 5. ^{{cite web | url = http://docs.oracle.com/cd/E19044-01/sol.containers/817-1592/gchhy/index.html | title = System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones, Chapter 31: About Branded Zones and the Linux Branded Zone | year = 2010 | accessdate = 2014-09-02 | publisher = Oracle Corporation}} 6. ^{{cite web | url = http://www.slideshare.net/bcantrill/illumos-lx | title = The dream is alive! Running Linux containers on an illumos kernel | date = 2014-09-28 | accessdate = 2014-10-10 | author = Bryan Cantrill | website = slideshare.net}} 7. ^{{cite web|url=http://www.freebsd.org/doc/en/books/developers-handbook/secure-chroot.html|title=3.5. Limiting your program's environment|work=freebsd.org}} 8. ^{{cite web|url=http://www.infoq.com/news/2014/03/docker_0_9|title=Docker drops LXC as default execution environment|work=InfoQ}} 9. ^{{cite web|url=https://www.freebsdnews.com/2015/07/09/docker-freebsd/|title=Docker comes to FreeBSD}} 10. ^{{cite web|url=https://docs.docker.com/docker-for-windows/|title=Get started with Docker for Windows|work=Docker}} 11. ^{{cite web|url=https://docs.docker.com/docker-for-mac/|title=Get started with Docker for Mac}} 12. ^Linux-VServer Paper, Secure Capabilities 13. ^1 {{cite web|last=Graber|first=Stéphane|title=LXC 1.0: Security features [6/10]|url=https://www.stgraber.org/2014/01/01/lxc-1-0-security-features/|accessdate=12 February 2014|date=1 January 2014|quote= LXC now has support for user namespaces. [...] LXC is no longer running as root so even if an attacker manages to escape the container, he’d find himself having the privileges of a regular user on the host}} 14. ^{{cite web|url=https://www.top500.org/news/sylabs-brings-singularity-containers-into-commercial-hpc/|title="Sylabs brings Singularity containers into commercial HPC"}} 15. ^{{cite web|url=https://www.sylabs.io/2018/03/sif-containing-your-containers/|title="SIF — Containing Your Containers"}} 16. ^{{cite web|url=http://journals.plos.org/plosone/article?id=10.1371/journal.pone.0177459|title="Singularity: Scientific containers for mobility of compute"}} 17. ^{{cite web |last1=Bronnikov |first1=Sergey |title=Comparison on OpenVZ wiki page |url=https://wiki.openvz.org/Comparison |website=OpenVZ Wiki |publisher=OpenVZ |accessdate=28 December 2018}} 18. ^{{cite web|url=http://wiki.openvz.org/I/O_priorities_for_VE|title=I/O priorities for containers|work=OpenVZ Virtuozzo Containers Wiki}} 19. ^{{cite web|url=https://openvz.org/Docker_inside_CT|title=Docker inside CT}} 20. ^{{cite web|url=http://wiki.openvz.org/Container|title=Container|work=OpenVZ Virtuozzo Containers Wiki}} 21. ^{{cite web|url=http://www.paul.sladen.org/vserver/aspcomplete/2000-08-25/ve-0.4.2-for-2.4.0-test6.diff.gz|title=Initial public prerelease of Virtuozzo (named ASPcomplete at that time)}} 22. ^{{cite web|url=http://www.odin.com/news/pr/release/article/parallels-virtuozzo-now-provides-native-support-for-docker/|title=Parallels Virtuozzo Now Provides Native Support for Docker}} 23. ^{{cite web|last=Pijewski|first=Bill|title=Our ZFS I/O Throttle|url=http://dtrace.org/blogs/wdp/2011/03/our-zfs-io-throttle/}} 24. ^Network Virtualization and Resource Control (Crossbow) FAQ {{webarchive|url=https://web.archive.org/web/20080601182802/http://www.opensolaris.org/os/project/crossbow/faq/ |date=2008-06-01 }} 25. ^{{cite web|url=http://docs.oracle.com/cd/E36784_01/html/E36813/index.html|title=Managing Network Virtualization and Network Resources in Oracle® Solaris 11.2}} 26. ^Oracle Solaris 11.1 Administration, Oracle Solaris Zones, Oracle Solaris 10 Zones and Resource Management E29024.pdf, pp. 356–360. Available within an archive. 27. ^{{cite web|url=http://www.cybera.ca/news-and-events/tech-radar/contain-your-enthusiasm-part-two-jails-zones-openvz-and-lxc/|title=Contain your enthusiasm - Part Two: Jails, Zones, OpenVZ, and LXC|quote=Jails were first introduced in FreeBSD 4.0 in 2000}} 28. ^{{cite web|url=http://wiki.freebsd.org/Hierarchical_Resource_Limits |title=Hierarchical_Resource_Limits - FreeBSD Wiki |publisher=Wiki.freebsd.org |date=2012-10-27 |accessdate=2014-01-15}} 29. ^{{cite web|url=http://static.usenix.org/publications/library/proceedings/usenix03/tech/freenix03/full_papers/zec/zec.pdf |title=Implementing a Clonable Network Stack in the FreeBSD Kernel |publisher=usenix.org |date=2003-06-13}} 30. ^{{cite web|url=http://www.7he.at/freebsd/vps/|title=VPS for FreeBSD|accessdate=2016-02-20}} 31. ^{{cite web|url=https://forums.freebsd.org/threads/34284/|title=[Announcement] VPS // OS Virtualization // alpha release|accessdate=2016-02-20}} 32. ^{{cite web|url=http://www.freebsd.org/doc/en/books/developers-handbook/secure-chroot.html |title=3.5. Limiting your program's environment |publisher=Freebsd.org |date= |accessdate=2014-01-15}} 33. ^{{cite web|url=http://www-01.ibm.com/support/docview.wss?uid=isg1fixinfo109461|title=IBM Fix pack information for: WPAR Network Isolation - United States|work=ibm.com}} 34. ^Live Application Mobility in AIX 6.1 35. ^1 2 3 https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#--property= 36. ^1 2 3 https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/resource_management_guide/sec-modifying_control_groups 37. ^{{cite web |last1=Polvi |first1=Alex |title=CoreOS is building a container runtime, rkt |url=https://coreos.com/blog/rocket.html |website=CoreOS Blog |accessdate=12 March 2019}} 38. ^https://azure.microsoft.com/en-in/services/kubernetes-service/ 39. ^https://azure.microsoft.com/en-au/updates/azure-container-service-will-retire-on-january-31-2020/ 40. ^https://aws.amazon.com/ecr/ 41. ^https://cloud.google.com/container-registry/ 42. ^https://docs.docker.com/ee/dtr/ 43. ^https://quay.io/ 44. ^https://techcrunch.com/2014/08/13/coreos-acquires-quay-io-to-launch-its-private-docker-repository/ External links
4 : Virtualization software|Operating system technology|Operating system security|Linux Containerization |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
随便看 |
|
开放百科全书收录14589846条英语、德语、日语等多语种百科知识,基本涵盖了大多数领域的百科知识,是一部内容自由、开放的电子版国际百科全书。