translated

sources/tech/20210901 What are container runtimes.md

@@ -1,97 +0,0 @@
-[#]: subject: "What are container runtimes?"
-[#]: via: "https://opensource.com/article/21/9/container-runtimes"
-[#]: author: "Nived V https://opensource.com/users/nivedv"
-[#]: collector: "lujun9972"
-[#]: translator: "geekpi"
-[#]: reviewer: " "
-[#]: publisher: " "
-[#]: url: " "
-
-What are container runtimes?
-======
-Take a deep dive into container runtimes so you can understand how
-container environments are built.
-![Ships at sea on the web][1]
-
-In my examination of [container images][2], I discussed container fundamentals, but now it's time to delve deeper into container runtimes so you can understand how container environments are built. The information in this article is in part extracted from the [official documentation][3] of the Open Container Initiative (OCI), the open standard for containers, so this information is relevant regardless of your container engine.
-
-### Container runtimes
-
-So what really happens in the backend when you run a command like `podman run` or `docker run` command? Here is a step-by-step overview for you:
-
-  1. The image is pulled from an image registry if it not available locally
-  2. The image is extracted onto a copy-on-write filesystem, and all the container layers overlay each other to create a merged filesystem
-  3. A container mount point is prepared
-  4. Metadata is set from the container image, including settings like overriding CMD, ENTRYPOINT from user inputs, setting up SECCOMP rules, etc., to ensure container runs as expected
-  5. The kernel is alerted to assign some sort of isolation, such as process, networking, and filesystem, to this container (namespaces)
-  6. The kernel is also alerted to assign some resource limits like CPU or memory limits to this container (cgroups)
-  7. A system call (syscall) is passed to the kernel to start the container
-  8. SELinux/AppArmor is set up
-
-
-
-Container runtimes take care of all of the above. When we think about container runtimes, the things that come to mind are probably runc, lxc, containerd, rkt, cri-o, and so on. Well, you are not wrong. These are container engines and container runtimes, and each is built for different situations.
-
-_Container runtimes_ focus more on running containers, setting up namespace and cgroups for containers, and are also called lower-level container runtimes. Higher-level container runtimes or container engines focus on formats, unpacking, management, and image-sharing. They also provide APIs for developers.
-
-### Open Container Initiative (OCI)
-
-The Open Container Initiative (OCI) is a Linux Foundation project. Its purpose is to design certain open standards or a structure around how to work with container runtimes and container image formats. It was established in June 2015 by Docker, rkt, CoreOS, and other industry leaders.
-
-It does this using two specifications:
-
-#### 1\. Image Specification (image-spec)
-
-The goal of this specification is to enable the creation of interoperable tools for building, transporting, and preparing a container image to run.
-
-The high-level components of the spec include:
-
-  * [Image Manifest][4] — a document describing the elements that make up a container image
-  * [Image Index][5] — an annotated index of image manifests
-  * [Image Layout][6] — a filesystem layout representing the contents of an image
-  * [Filesystem Layer][7] — a changeset that describes a container’s filesystem
-  * [Image Configuration][8] — a document determining layer ordering and configuration of the image suitable for translation into a [runtime bundle][9]
-  * [Conversion][10] — a document explaining how this translation should occur
-  * [Descriptor][11] — a reference that describes the type, metadata, and content address of referenced content
-
-
-
-#### 2\. Runtime specification (runtime-spec)
-
-This specification aims to define the configuration, execution environment, and lifecycle of a container. The config.json file provides the container configuration for all supported platforms and details the field that enables the creation of a container. The execution environment is detailed along with the common actions defined for a container’s lifecycle to ensure that applications running inside a container have a consistent environment between runtimes.
-
-The Linux container specification uses various kernel features, including namespaces, cgroups, capabilities, LSM, and filesystem jails to fulfill the spec.
-
-### Now you know
-
-Container runtimes are managed by the OCI specifications to provide consistency and interoperability. Many people use containers without the need to understand how they work, but understanding containers is a valuable advantage when you need to troubleshoot or optimize how you use them.
-
-* * *
-
-_This article is based on a [techbeatly][12] article and has been adapted with permission._
-
---------------------------------------------------------------------------------
-
-via: https://opensource.com/article/21/9/container-runtimes
-
-作者：[Nived V][a]
-选题：[lujun9972][b]
-译者：[译者ID](https://github.com/译者ID)
-校对：[校对者ID](https://github.com/校对者ID)
-
-本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
-
-[a]: https://opensource.com/users/nivedv
-[b]: https://github.com/lujun9972
-[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/kubernetes_containers_ship_lead.png?itok=9EUnSwci (Ships at sea on the web)
-[2]: https://opensource.com/article/21/8/container-fundamentals-2
-[3]: https://github.com/opencontainers
-[4]: https://github.com/opencontainers/image-spec/blob/master/manifest.md
-[5]: https://github.com/opencontainers/image-spec/blob/master/image-index.md
-[6]: https://github.com/opencontainers/image-spec/blob/master/image-layout.md
-[7]: https://github.com/opencontainers/image-spec/blob/master/layer.md
-[8]: https://github.com/opencontainers/image-spec/blob/master/config.md
-[9]: https://github.com/opencontainers/runtime-spec
-[10]: https://github.com/opencontainers/image-spec/blob/master/conversion.md
-[11]: https://github.com/opencontainers/image-spec/blob/master/descriptor.md
-[12]: https://medium.com/techbeatly/container-runtimes-deep-dive-77eb0e511939

translated/tech/20210901 What are container runtimes.md

@@ -0,0 +1,96 @@
+[#]: subject: "What are container runtimes?"
+[#]: via: "https://opensource.com/article/21/9/container-runtimes"
+[#]: author: "Nived V https://opensource.com/users/nivedv"
+[#]: collector: "lujun9972"
+[#]: translator: "geekpi"
+[#]: reviewer: " "
+[#]: publisher: " "
+[#]: url: " "
+
+什么是容器运行时？
+======
+深入了解容器运行时，你就可以理解容器环境是如何建立的。
+![Ships at sea on the web][1]
+
+在对[容器镜像][2]的检查中，我讨论了容器的基本原理，但现在是时候深入研究容器运行时了，这样你就可以了解容器环境是如何构建的。本文的部分信息摘自 Open Container Initiative (OCI)（容器的开放标准）的[官方文档][3]，所以无论你的容器引擎如何，这些信息都是相关的。
+
+### 容器运行机制
+
+那么，当你运行 `podman run` 或 `docker run` 命令时，在后台到底发生了什么？这里为你提供一个逐步的概述：
+
+  1. 如果本地没有镜像，则从镜像注册处拉取镜像
+  2. 镜像被提取到一个写时拷贝的文件系统上，所有的容器层相互叠加以创建一个合并的文件系统
+  3. 准备一个容器挂载点
+  4. 从容器镜像中设置元数据，包括诸如覆盖 CMD、来自用户输入的 ENTRYPOINT、设置 SECCOMP 规则等设置，以确保容器按预期运行
+  5. 提醒内核为该容器分配某种隔离，如进程、网络和文件系统（命名空间）
+  6. 内核还被提醒为这个容器分配一些资源限制，如 CPU 或内存限制（cgroups）
+  7. 一个系统调用（syscall）被传递给内核以启动容器
+  8. 设置 SELinux/AppArmor
+
+
+
+容器运行时负责上述所有的工作。当我们想到容器运行时，想到的可能是 runc、lxc、containerd、rkt、cri-o 等等。嗯，你没有错。这些都是容器引擎和容器运行时，每一种都是为不同的情况建立的。
+
+_容器运行时_更侧重于运行容器，为容器设置命名空间和 cgroups，也被称为底层容器运行时。高层的容器运行时或容器引擎专注于格式、解包、管理和镜像共享。它们还为开发者提供 API。
+
+### Open Container Initiative （OCI）
+
+Open Container Initiative（OCI）是一个 Linux 基金会项目。其目的是设计某些开放标准或围绕如何与容器运行时和容器镜像格式工作的结构。它是由 Docker、rkt、CoreOS 和其他行业领导者于 2015 年 6 月建立的。
+
+它使用两个规范来做这件事：
+
+#### 1\. 镜像规范（image-spec）
+
+该规范的目标是创建可互操作的工具，用于构建、传输和准备运行的容器镜像。
+
+该规范的高层组件包括：
+
+  * [Image Manifest][4] — 一个描述构成容器镜像的元素的文件
+  * [Image Index][5] — 镜像清单的注释索引
+  * [Image Layout][6] — 一个代表镜像内容的文件系统布局
+  * [Filesystem Layer][7] — 一个描述容器文件系统的变化集
+  * [Image Configuration][8] — 确定镜像层排序和配置的文件，适合转换成[运行时包][9]。
+  * [Conversion][10] — 解释应该如何进行转换的文件
+  * [Descriptor][11] — 一个描述被引用内容的类型、元数据和内容地址的参考资料
+
+
+
+#### 2\. 运行时规范（runtime-spec）
+
+该规范旨在定义容器的配置、执行环境和生命周期。config.json 文件为所有支持的平台提供了容器配置，并详细说明了能够创建容器的地方。执行环境与为容器的生命周期定义的通用操作一起被详细说明，以确保在容器内运行的应用在不同的运行时之间有一个一致的环境。
+
+Linux 容器规范使用了各种内核功能，包括命名空间、cgroups、capabilities、LSM 和文件系统监牢来实现该规范。
+
+### 现在你知道了
+
+容器运行时是由 OCI 规范管理的，以提供一致性和互操作性。许多人在使用容器时不需要了解它们是如何工作的，但当你需要排除故障或优化使用方法时，了解容器是一个宝贵的优势。
+
+* * *
+
+_本文基于 [techbeatly][12] 的文章，并经授权改编。_
+
+--------------------------------------------------------------------------------
+
+via: https://opensource.com/article/21/9/container-runtimes
+
+作者：[Nived V][a]
+选题：[lujun9972][b]
+译者：[geekpi](https://github.com/geekpi)
+校对：[校对者ID](https://github.com/校对者ID)
+
+本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
+
+[a]: https://opensource.com/users/nivedv
+[b]: https://github.com/lujun9972
+[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/kubernetes_containers_ship_lead.png?itok=9EUnSwci (Ships at sea on the web)
+[2]: https://opensource.com/article/21/8/container-fundamentals-2
+[3]: https://github.com/opencontainers
+[4]: https://github.com/opencontainers/image-spec/blob/master/manifest.md
+[5]: https://github.com/opencontainers/image-spec/blob/master/image-index.md
+[6]: https://github.com/opencontainers/image-spec/blob/master/image-layout.md
+[7]: https://github.com/opencontainers/image-spec/blob/master/layer.md
+[8]: https://github.com/opencontainers/image-spec/blob/master/config.md
+[9]: https://github.com/opencontainers/runtime-spec
+[10]: https://github.com/opencontainers/image-spec/blob/master/conversion.md
+[11]: https://github.com/opencontainers/image-spec/blob/master/descriptor.md
+[12]: https://medium.com/techbeatly/container-runtimes-deep-dive-77eb0e511939