用語

AMD64 is AMD’s 64-bit extension of Intel’s x86 architecture, and is also referred to as x86_64 (or x86-64).

ARM64 is the 64-bit extension of the ARM CPU architecture. arm64 architecture is used in Apple silicon machines.

A base image has no parent image specified in its Dockerfile. It is created using a Dockerfile with the FROM scratch directive.

btrfs (B-tree file system) is a Linux filesystem that Docker supports as a storage backend. It is a copy-on-write filesystem.

build（ビルド）は Dockerfile を使って Docker イメージを構築するプロセスのこと。 ビルドでは Dockerfile と「コンテキスト」（context）を利用する。 コンテキストとは、イメージがビルドされたディレクトリ内にある一連のファイルのこと。

cgroups is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes. Docker relies on cgroups to control and isolate resource limits.

Also known as : control groups

A cluster is a group of machines that work together to run workloads and provide high availability.

Compose is a tool for defining and running complex applications with Docker. With Compose, you define a multi-container application in a single file, then spin your application up in a single command which does everything that needs to be done to get it running.

*Also known as : docker-compose

Docker uses a copy-on-write technique and a union file system for both images and containers to optimize resources and speed performance. Multiple copies of an entity share the same instance and each one makes only specific changes to its unique layer.

Multiple containers can share access to the same image, and make container-specific changes on a writable layer which is deleted when the container is removed. This speeds up container start times and performance.

Images are essentially layers of filesystems typically predicated on a base image under a writable layer, and built up with layers of differences from the base image. This minimizes the footprint of the image and enables shared development.

For more about copy-on-write in the context of Docker, see Understand images, containers, and storage drivers.

A container is a runtime instance of a docker image.

Docker コンテナーは以下により構成されます。

• Docker イメージ
• 実行環境
• 標準に従った命令のセット

この考え方は、あの輸送コンテナーからきています。 輸送コンテナーには標準が定義されていて、どこへでも物を輸送することができます。 Docker も標準を定義してソフトウェアを導入します。

Docker とは以下を意味します。

• Docker プロジェクト全体のこと。 開発者やシステム管理者がアプリケーションの開発、移行、実行を行うプラットフォームのこと。
• ホスト上で稼動する docker デーモンのこと。 そのホストはイメージとコンテナーを管理します（Docker Engine とも呼びます）。

Docker Desktop for Mac is an easy-to-install, lightweight Docker development environment designed specifically for the Mac. A native Mac application, Docker Desktop for Mac uses the macOS Hypervisor framework, networking, and filesystem. It’s the best solution if you want to build, debug, test, package, and ship Dockerized applications on a Mac.

Docker Desktop for Windows is an easy-to-install, lightweight Docker development environment designed specifically for Windows systems that support WSL 2 and Microsoft Hyper-V. Docker Desktop for Windows uses WSL 2 or Hyper-V for virtualization. Docker Desktop for Windows is the best solution if you want to build, debug, test, package, and ship Dockerized applications from Windows machines.

The Docker Hub is a centralized resource for working with Docker and its components. It provides the following services:

• A registry to host Docker images
• User authentication
• Automated image builds and workflow tools such as build triggers and web hooks
• Integration with GitHub and Bitbucket
• Security vulnerability scanning

A Dockerfile is a text document that contains all the commands you would normally execute manually in order to build a Docker image. Docker can build images automatically by reading the instructions from a Dockerfile.

In a Dockerfile, an ENTRYPOINT is an optional definition for the first part of the command to be run. If you want your Dockerfile to be runnable without specifying additional arguments to the docker run command, you must specify either ENTRYPOINT, CMD, or both.

• If ENTRYPOINT is specified, it is set to a single command. Most official Docker images have an ENTRYPOINT of /bin/sh or /bin/bash. Even if you do not specify ENTRYPOINT, you may inherit it from the base image that you specify using the FROM keyword in your Dockerfile. To override the ENTRYPOINT at runtime, you can use --entrypoint. The following example overrides the entrypoint to be /bin/ls and sets the CMD to -l /tmp.

  $ docker run --entrypoint=/bin/ls ubuntu -l /tmp
  

• CMD is appended to the ENTRYPOINT. The CMD can be any arbitrary string that is valid in terms of the ENTRYPOINT, which allows you to pass multiple commands or flags at once. To override the CMD at runtime, just add it after the container name or ID. In the following example, the CMD is overridden to be /bin/ls -l /tmp.

  $ docker run ubuntu /bin/ls -l /tmp
  

In practice, ENTRYPOINT is not often overridden. However, specifying the ENTRYPOINT can make your images more flexible and easier to reuse.

A file system is the method an operating system uses to name files and assign them locations for efficient storage and retrieval.

Examples :

• Linux : overlay2, extfs, btrfs, zfs
• Windows : NTFS
• macOS : APFS

Docker images are the basis of containers. An Image is an ordered collection of root filesystem changes and the corresponding execution parameters for use within a container runtime. An image typically contains a union of layered filesystems stacked on top of each other. An image does not have state and it never changes.

In an image, a layer is modification to the image, represented by an instruction in the Dockerfile. Layers are applied in sequence to the base image to create the final image. When an image is updated or rebuilt, only layers that change need to be updated, and unchanged layers are cached locally. This is part of why Docker images are so fast and lightweight. The sizes of each layer add up to equal the size of the final image.

libcontainer provides a native Go implementation for creating containers with namespaces, cgroups, capabilities, and filesystem access controls. It allows you to manage the lifecycle of the container performing additional operations after the container is created.

libnetwork provides a native Go implementation for creating and managing container network namespaces and other network resources. It manages the networking lifecycle of the container performing additional operations after the container is created.

A Linux namespace is a Linux kernel feature that isolates and virtualizes system resources. Processes which are restricted to a namespace can only interact with resources or processes that are part of the same namespace. Namespaces are an important part of Docker’s isolation model. Namespaces exist for each type of resource, including net (networking), mnt (storage), pid (processes), uts (hostname control), and user (UID mapping). For more information about namespaces, see Docker run reference and Isolate containers with a user namespace.

A node is a physical or virtual machine running an instance of the Docker Engine in swarm mode.

Manager nodes perform swarm management and orchestration duties. By default manager nodes are also worker nodes.

Worker nodes execute tasks.

Overlay network driver provides out of the box multi-host network connectivity for Docker containers in a cluster.

OverlayFS is a filesystem service for Linux which implements a union mount for other file systems. It is supported by the Docker daemon as a storage driver.

An image’s parent image is the image designated in the FROM directive in the image’s Dockerfile. All subsequent commands are based on this parent image. A Dockerfile with the FROM scratch directive uses no parent image, and creates a base image.

Persistent storage or volume storage provides a way for a user to add a persistent layer to the running container’s file system. This persistent layer could live on the container host or an external device. The lifecycle of this persistent layer is not connected to the lifecycle of the container, allowing a user to retain state.

A Registry is a hosted service containing repositories of images which responds to the Registry API.

The default registry can be accessed using a browser at Docker Hub or using the docker search command.

A repository is a set of Docker images. A repository can be shared by pushing it to a registry server. The different images in the repository can be labeled using tags.

Here is an example of the shared nginx repository and its tags.

SSH (secure shell) is a secure protocol for accessing remote machines and applications. It provides authentication and encrypts data communication over insecure networks such as the Internet. SSH uses public/private key pairs to authenticate logins.

A service is the definition of how you want to run your application containers in a swarm. At the most basic level, a service defines which container image to run in the swarm and which commands to run in the container. For orchestration purposes, the service defines the “desired state”, meaning how many containers to run as tasks and constraints for deploying the containers.

Frequently a service is a microservice within the context of some larger application. Examples of services might include an HTTP server, a database, or any other type of executable program that you wish to run in a distributed environment.

Swarm mode container discovery is a DNS component internal to the swarm that automatically assigns each service on an overlay network in the swarm a VIP and DNS entry. Containers on the network share DNS mappings for the service through gossip so any container on the network can access the service through its service name.

You don’t need to expose service-specific ports to make the service available to other services on the same overlay network. The swarm’s internal load balancer automatically distributes requests to the service VIP among the active tasks.

A swarm is a cluster of one or more Docker Engines running in swarm mode.

Swarm mode refers to cluster management and orchestration features embedded in Docker Engine. When you initialize a new swarm (cluster) or join nodes to a swarm, the Docker Engine runs in swarm mode.

A tag is a label applied to a Docker image in a repository. Tags are how various images in a repository are distinguished from each other.

タスク（task）は Swarm 内でのスケジューリングの最小単位を表わします。 タスクは、Docker コンテナー、およびその内部での実行コマンドを運ぶものです。 マネージャーノードが、サービスのスケール値として設定されたレプリカ数に応じて、ワーカーノードに対してタスクを割り当てます。

Union file systems implement a union mount and operate by creating layers. Docker uses union file systems in conjunction with copy-on-write techniques to provide the building blocks for containers, making them very lightweight and fast.

For more on Docker and union file systems, see Docker and OverlayFS in practice.

Example implementations of union file systems are UnionFS and OverlayFS.

A virtual machine is a program that emulates a complete computer and imitates dedicated hardware. It shares physical hardware resources with other users but isolates the operating system. The end user has the same experience on a Virtual Machine as they would have on dedicated hardware.

Compared to containers, a virtual machine is heavier to run, provides more isolation, gets its own set of resources and does minimal sharing.

Also known as : VM

A volume is a specially-designated directory within one or more containers that bypasses the Union File System. Volumes are designed to persist data, independent of the container’s life cycle. Docker therefore never automatically deletes volumes when you remove a container, nor will it “garbage collect” volumes that are no longer referenced by a container. Also known as: data volume

There are three types of volumes: host, anonymous, and named:

• A host volume lives on the Docker host’s filesystem and can be accessed from within the container.

• A named volume is a volume which Docker manages where on disk the volume is created, but it is given a name.

• An anonymous volume is similar to a named volume, however, it can be difficult to refer to the same volume over time when it is an anonymous volume. Docker handles where the files are stored.

x86_64 (or x86-64) refers to a 64-bit instruction set invented by AMD as an extension of Intel’s x86 architecture. AMD calls its x86_64 architecture, AMD64, and Intel calls its implementation, Intel 64.