一、docker 底層實現
docker 通過namespace實現資源隔離;通過cgroup實現資源限額
二、namespace說明
2.1.概述
namespace使得容器像一臺獨立的計算機,namespace實現容器間資源隔離。linux六中namespace
mnt namespace 讓容器擁有文件系統,允許不同 namespace 的進程看到的文件結構不同
UTS("UNIX Time-sharing System") namespace 讓容器擁有獨立的hostname和domain name
IPC namespace 讓容器擁有共享內核和信號量來實現進程間通信
PID namespace 讓容器擁有自己的PID
Network namespace 讓容器擁有自己獨立的網絡資源如網卡、IP等
User namespace 讓容器能夠管理自己用戶
2.2.查看當前容器的namespace
查看當前容器進程:
# ps -ef | grep docker root 8137 18518 0 21:13 pts/0 00:00:00 grep --color=auto docker root 21861 1 0 03:56 ? 00:02:04 /usr/bin/dockerd --insecure-registry 192.168.2.120:5000 -H unix://
查看namespace:
# ls -l /proc/21861/ns/ total 0 lrwxrwxrwx 1 root root 0 Dec 17 21:13 ipc -> ipc:[4026531839] lrwxrwxrwx 1 root root 0 Dec 17 21:13 mnt -> mnt:[4026531840] lrwxrwxrwx 1 root root 0 Dec 17 21:13 net -> net:[4026531956] lrwxrwxrwx 1 root root 0 Dec 17 21:13 pid -> pid:[4026531836] lrwxrwxrwx 1 root root 0 Dec 17 21:13 user -> user:[4026531837] lrwxrwxrwx 1 root root 0 Dec 17 21:13 uts -> uts:[4026531838]
一、docker 底層實現
docker 通過namespace實現資源隔離;通過cgroup實現資源限額
二、namespace說明
2.1.概述
namespace使得容器像一臺獨立的計算機,namespace實現容器間資源隔離。linux六中namespace
mnt namespace 讓容器擁有文件系統,允許不同 namespace 的進程看到的文件結構不同
UTS("UNIX Time-sharing System") namespace 讓容器擁有獨立的hostname和domain name
IPC namespace 讓容器擁有共享內核和信號量來實現進程間通信
PID namespace 讓容器擁有自己的PID
Network namespace 讓容器擁有自己獨立的網絡資源如網卡、IP等
User namespace 讓容器能夠管理自己用戶
2.2.查看當前容器的namespace
查看當前容器進程:
# ps -ef | grep docker root 8137 18518 0 21:13 pts/0 00:00:00 grep --color=auto docker root 21861 1 0 03:56 ? 00:02:04 /usr/bin/dockerd --insecure-registry 192.168.2.120:5000 -H unix://
查看namespace:
# ls -l /proc/21861/ns/ total 0 lrwxrwxrwx 1 root root 0 Dec 17 21:13 ipc -> ipc:[4026531839] lrwxrwxrwx 1 root root 0 Dec 17 21:13 mnt -> mnt:[4026531840] lrwxrwxrwx 1 root root 0 Dec 17 21:13 net -> net:[4026531956] lrwxrwxrwx 1 root root 0 Dec 17 21:13 pid -> pid:[4026531836] lrwxrwxrwx 1 root root 0 Dec 17 21:13 user -> user:[4026531837] lrwxrwxrwx 1 root root 0 Dec 17 21:13 uts -> uts:[4026531838]
3.2.docker cgroup限制資源
3.2.1.查看當前容器進程
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
37803352e3fa registry:latest "/entrypoint.sh /etc…" 17 hours ago Up 17 hours 0.0.0.0:5000->5000/tcp ckl-registry
3.2.2.查看當前容器的crgoup目錄,目錄名爲進程長ID
CPU:
# ls /sys/fs/cgroup/cpu/docker/37803352e3fab5a357cab42ba6f2ec03ede5d3138dcc1ff9fec6c5e0ed44651d/
MEM:
# ls /sys/fs/cgroup/memory/docker/37803352e3fab5a357cab42ba6f2ec03ede5d3138dcc1ff9fec6c5e0ed44651d/
BIO:
# ls /sys/fs/cgroup/blkio/docker/37803352e3fab5a357cab42ba6f2ec03ede5d3138dcc1ff9fec6c5e0ed44651d/
四、docker cgroup限制內存
docker 啓動參數內存限制,內存單位 b、k、m、g,分別對應 bytes、KB、MB、和 GB
-m --memory:容器能使用的最大內存大小,最小值爲 4m
--memory-swap:容器能夠使用的 swap 大小
--memory-swappiness:默認情況下,主機可以把容器使用的匿名頁(anonymous page)swap 出來,你可以設置一個 0-100 之間的值,代表允許 swap 出來的比例
--memory-reservation:設置一個內存使用的 soft limit,如果 docker 發現主機內存不足,會執行 OOM 操作。這個值必須小於 --memory 設置的值
--kernel-memory:容器能夠使用的 kernel memory 大小,最小值爲 4m。
4.1.測試限額128M內存
# docker run --rm -it -m 128M progrium/stress --vm 1 --vm-bytes 100M stress: info: [1] dispatching hogs: 0 cpu, 0 io, 1 vm, 0 hdd stress: dbug: [1] using backoff sleep of 3000us stress: dbug: [1] --> hogvm worker 1 [8] forked stress: dbug: [8] allocating 104857600 bytes ... #分配100M stress: dbug: [8] touching bytes in strides of 4096 bytes ... stress: dbug: [8] freed 104857600 bytes #釋放100M stress: dbug: [8] allocating 104857600 bytes ... stress: dbug: [8] touching bytes in strides of 4096 bytes ... #分配100M stress: dbug: [8] freed 104857600 bytes #釋放100M stress: dbug: [8] allocating 104857600 bytes ... stress: dbug: [8] touching bytes in strides of 4096 bytes ... stress: dbug: [8] freed 104857600 bytes stress: dbug: [8] allocating 104857600 bytes ... stress: dbug: [8] touching bytes in strides of 4096 bytes ... stress: dbug: [8] freed 104857600 bytes stress: dbug: [8] allocating 104857600 bytes ... stress: dbug: [8] touching bytes in strides of 4096 bytes ... stress: dbug: [8] freed 104857600 bytes
#-rm 當進程退出,自動刪除容器
#--vm 1 啓動一個內存工作線程
#--vm-bytes 設置每個線程分配多少內存
當線程內存超出限額後:
# docker run --rm -it -m 128M progrium/stress --vm 1 --vm-bytes 130M stress: info: [1] dispatching hogs: 0 cpu, 0 io, 1 vm, 0 hdd stress: dbug: [1] using backoff sleep of 3000us stress: dbug: [1] --> hogvm worker 1 [9] forked stress: dbug: [9] allocating 136314880 bytes ... stress: dbug: [9] touching bytes in strides of 4096 bytes ... stress: FAIL: [1] (416) <-- worker 9 got signal 9 stress: WARN: [1] (418) now reaping child worker processes stress: FAIL: [1] (422) kill error: No such process stress: FAIL: [1] (452) failed run completed in 0s
#內存超過限額後,容器退出
五、docker cgroup限制CPU
--cpu-period #限制CPU CFS優先級
--cpu-quota #限制CPU CFS配額
--cpu-rt-period #限制CPU運行時鐘期間優先級
--cpu-rt-runtime #限制CPU運行時鐘期間runtime 時長
--cpu-shares , -c #設置使用CPU權重
--cpus #設置可以使用CPU的核數
--cpuset-cpus #設置運行在CPU哪些核數上運行
5.1.用4個CPU模擬壓力
5.1.1.啓動一個stree容器4個進程來計算壓力,主機8個cpu
# docker run --rm -it progrium/stress --cpu 4 stress: info: [1] dispatching hogs: 4 cpu, 0 io, 0 vm, 0 hdd stress: dbug: [1] using backoff sleep of 12000us stress: dbug: [1] --> hogcpu worker 4 [8] forked stress: dbug: [1] using backoff sleep of 9000us stress: dbug: [1] --> hogcpu worker 3 [9] forked stress: dbug: [1] using backoff sleep of 6000us stress: dbug: [1] --> hogcpu worker 2 [10] forked stress: dbug: [1] using backoff sleep of 3000us stress: dbug: [1] --> hogcpu worker 1 [11] forked
5.1.2.查看系統資源
5.2.限制容器使用CPU核數
5.2.1.運行容器可以使用的核數的
# docker run --rm -it --cpus 1.5 progrium/stress --cpu 2 #--cpus 限制使用CPU核數的多少,這裏1.5,就是使用1.5個CPU,總共是兩個 stress: info: [1] dispatching hogs: 2 cpu, 0 io, 0 vm, 0 hdd stress: dbug: [1] using backoff sleep of 6000us stress: dbug: [1] --> hogcpu worker 2 [8] forked stress: dbug: [1] using backoff sleep of 3000us stress: dbug: [1] --> hogcpu worker 1 [9] forked
5.2.2.查看使用系統資源
5.3.限制容器運行在某些核數
5.3.1.運行容器在指定的核數
# docker run --rm -it --cpuset-cpus=2,3 progrium/stress --cpu 2 #cpu運行在2,3核數上,總共是兩個 stress: info: [1] dispatching hogs: 2 cpu, 0 io, 0 vm, 0 hdd stress: dbug: [1] using backoff sleep of 6000us stress: dbug: [1] --> hogcpu worker 2 [6] forked stress: dbug: [1] using backoff sleep of 3000us stress: dbug: [1] --> hogcpu worker 1 [7] forked
5.3.2.查看資源情況
六、docker cgroup限制IO
--blkio-weight Block IO相對權重,在10到1000之間,0是禁止,默認是0
--blkio-weight-device Block IO權重,相對設備權重
--device-read-bps:磁盤每秒最多可以讀多少比特(bytes)
--device-write-bps:磁盤每秒最多可以寫多少比特(bytes)
--device-read-iops:磁盤每秒最多可以執行多少 IO 讀操作
--device-write-iops:磁盤每秒最多可以執行多少 IO 寫操作
6.1.磁盤寫入速度限制
啓動容器限制寫入速度
# docker run -it --device-write-bps /dev/sda:20M centos [root@7ebb0799f331 /]# [root@7ebb0799f331 /]# dd if=/dev/zero of=/ckl bs=1M count=200 oflag=direct 200+0 records in 200+0 records out 209715200 bytes (210 MB) copied, 9.92785 s, 21.1 MB/s
寫入速度限制在20M,oflag=direct指定用direct IO 方式寫文件
6.2.磁盤寫入IO限制
啓動容器限制寫入IO:
# docker run -it --device /dev/sda:/dev/sda --device-write-iops /dev/sda:100 centos [root@491c0211698b /]# # dd if=/dev/zero of=/ckl bs=1k count=2000 oflag=direct 2000+0 records in 2000+0 records out 2048000 bytes (2.0 MB) copied, 19.9126 s, 103 kB/s
參考:
https://docs.docker.com/edge/engine/reference/commandline/run/#options
https://blog.csdn.net/notbaron/article/details/76789491