Therelationshipbetween`Image`and`Container`isjustas`Class`and`Instance`in[OOP](https://en.wikipedia.org/wiki/Object-oriented_programming). `Image` is the static definition of `container`, while `containers` are the `images` in running state. `Containers` can be created, started, paused, deleted or stopped.
容器的实质是进程,但与直接在宿主执行的进程不同,容器进程运行于属于自己的独立的[命名空间](https://en.wikipedia.org/wiki/Linux_namespaces)。因此容器可以拥有自己的 `root` 文件系统、自己的网络配置、自己的进程空间,甚至自己的用户 ID 空间。容器内的进程是运行在一个隔离的环境里,使用起来,就好像是在一个独立于宿主的系统下操作一样。这种特性使得容器封装的应用比直接在宿主运行更加安全。也因为这种隔离的特性,很多人初学 Docker 时常常会混淆容器和虚拟机。
Theessenceof`container`is`process`,butdifferentfromthatinthehostOS,thecontainerprocessesrunintheirindividual[`namespaces`](https://en.wikipedia.org/wiki/Linux_namespaces). With the namespace, a container can have its own `root` filesystem, network configurations, process space and even an ID sapce for users. The processes in a container run in an isolated environment, thus can be used as if it were an individual OS independent of the host OS. This feature makes docker-encapsulated applications safer than those running directly on the host. And that's also an important factor that confuses the novices to tell it from virtual machines.
Asrecommendedbythe[DockerDevelopmentBestPractices](https://docs.docker.com/develop/dev-best-practices/#where-and-how-to-persist-application-data), we should not write any data to the container layer to make it stateless. All file write operations should adhere to [`Volume`](../data_management/volume.md) or bind mounts. Writing to volume or bind mounts skips the container layer and R/W to host storage(or network storage) directly, which achieves better performance and stability.
Takingthe[UbuntuImage](https://hub.docker.com/_/ubuntu) as an example. `ubuntu` is the name for repository, and inside it are tags for different versions, for instance, `16.04`, `18.04`. We can use `ubuntu:16.04` or `ubuntu:18.04` to specify the particular image we want. If the tag is omitted, for example, `ubuntu`, then it will be considered as `ubuntu:latest`.
`Docker Registry Public Services`areregistryservicesopentousers,allowinguserstomanagetheirimages.Typically,thosepublicservicesofferuserfreeimageuploadsanddownloads,andpossiblyprovidechargedserviceforprivatelymanagedimages.
Themostcommonlyusedregistrypublicserviceistheofficial[DockerHub](https://hub.docker.com/), which is the default registry with thousands of high quality official images. Besides, the images for [Quay.io](https://quay.io/repository/) and CoreOS of [CoreOS](https://coreos.com/) are stored there. Google's [Google Container Registry](https://cloud.google.com/container-registry/) and [Kubernetes](https://kubernetes.io/) also use this service.
Duetosomereasonsknwontoall,accessingthoseservicesfromChinamainlandisslow.TherearesomecloudserviceprovidersinChinaproviding`Registry Mirror`forDockerHub,thosemirrorservicesarecalled`accelerators`.Thewell-knownonesare[AliCloudImageAccelerator](https://cr.console.aliyun.com/#/accelerator) and [DaoCloud Accelerator](https://www.daocloud.io/mirror#accelerator-doc). In China, downloading from these services are much faster than from Docker Hub. The detailed image source configuration tutorial is in the [Docker Installation](../install/mirror.md) section.
Apartfromusingpublicservice,ausercansetupprivateDockerRegistry.Dockerofficaloffersthe[DockerRegistry](https://hub.docker.com/_/registry/) docker image, which can be deployed for private registry service. We will explain how to set it up in detail in the [Private Registry](../repository/registry.md) section.
TheopensourceDockerRegistryimageonlyprovidesthebackendof[DockerRegistryAPI](https://docs.docker.com/registry/spec/api/), which supports the `docker` commands and is enough for personal use, although the advanced functionalities like GUI(Graphical User Interface), Image Maintenance and Access Control are not supported. However, they are provided in the commercial version - [Docker Trusted Registry](https://docs.docker.com/datacenter/dtr/2.0/).
ExceptfortheofficialDockerRegistry,therearethird-partysoftwaresthatimplementDockerRegistryAPI,evenwithsomeadvancedfeatureslikeuserinterface.Forexample,[Harbor](https://github.com/goharbor/harbor) and [Sonatype Nexus](../repository/nexus3_registry.md).