A Brief Introduction to Docker Basics and Core Principles

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Docker is a virtualization technology written in Go and released by dotCloud. It builds on Linux kernel features such as CGroup, Namespace and Union FS to encapsulate and isolate processes. Because an isolated process is independent of the host and of other isolated processes, it is called a container. Docker adds a further layer of packaging on top of containers, covering the file system, networking and process isolation, which greatly simplifies creating and maintaining containers and makes Docker lighter and faster than virtual machines."}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"1. Basics"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" There are three important Docker concepts to understand:"}]},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Image: similar to a root file system; it provides the programs, libraries, resources, configuration and other files a container needs at runtime;"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Container: the running instance of an image; it supports operations such as create, start, stop, delete and pause;"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Repository: a code control center used to store images;"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Docker provides users with an official Docker repository (https://hub.docker.com). It is like the app store on a phone, holding all kinds of packaged Docker images for users to download. A Docker image is like an installer package downloaded from the app store: running a Docker image creates a Docker container, much as we use an application after installing it from its package."}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"2. Common Commands"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Common Docker operations are as follows:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" 2.1 Pull an image"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Format: docker pull [options] [Docker Registry address[:port]/]repository[:tag]"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Example: docker pull nginx:1.0"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" 2.2 List images"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Format: docker images [options]"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Example: docker images"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" 2.3 Remove an image"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Format: docker image rm <image>"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Example: docker image rm 791285de22e4"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" 2.4 Create a container"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Format: docker run [options] <image> [command]"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Example: docker run -t -i nginx:1.0 /bin/bash"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" 2.5 List containers"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Format: docker ps [options]"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Example: docker ps -a"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" 2.6 Stop a container"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Format: docker container stop <container>"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Example: docker container stop 791285de22e4"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" 2.7 Remove a container"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Format: docker rm [options] <container>"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Example: docker rm -f 791285de22e4"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" 2.8 Enter a container"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Format: docker exec [options] <container> [command]"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Example: docker exec -it nginx bash"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"3. Underlying Principles"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" A container is essentially a process. In a Docker container, Namespace provides isolation, CGroup enforces limits and rootfs provides the file system. The core principle is to do three things for the user process being created: enable the Linux Namespace configuration, set the specified CGroup parameters, and change the process's root directory. The following sections explain Docker's underlying principles from these three angles."}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"3.1 Union file system"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" AUFS is a Union File System (UnionFS), which can merge directories from different physical locations and mount them on a single directory. We use aufs for the demonstration; its basic usage is as follows:"}]},{"type":"codeblock","attrs":{"lang":"text"},"content":[{"type":"text","text":"$ tree\n.\n├── fruits\n│   ├── apple\n│   └── tomato\n└── vegetables\n    ├── carrots\n    └── tomato"}]},{"type":"paragraph","attrs":{"indent":1,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Create a mount directory:"}]},{"type":"codeblock","attrs":{"lang":"text"},"content":[{"type":"text","text":"$ mkdir mnt\n$ sudo mount -t aufs -o dirs=./fruits:./vegetables none ./mnt"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Notes:"}]},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"-t aufs: sets the mount type to aufs"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"-o dirs=./dir1:./dir2: unions multiple directories together"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"none: aufs needs no device; it depends only on the directories given in -o dirs"}]}]}]},{"type":"paragraph","attrs":{"indent":1,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Next, look at the structure of mnt:"}]},{"type":"codeblock","attrs":{"lang":"text"},"content":[{"type":"text","text":"$ tree ./mnt\n./mnt\n├── apple\n├── carrots\n└── tomato"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" In the mount aufs command, if no directory permissions are specified, the first directory is mounted read-write by default and all later ones are read-only. When we operate on the mnt directory, the results of the following commands all show up in both mnt and fruits:"}]},{"type":"codeblock","attrs":{"lang":"text"},"content":[{"type":"text","text":"$ touch ./mnt/tony.txt\n$ echo tony.zhu >> ./mnt/apple\n$ echo tony.zhu >> ./mnt/carrots"}]},{"type":"paragraph","attrs":{"indent":1,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"We can also assign permissions to the directories explicitly, in which case file operations may behave differently from the above:"}]},{"type":"codeblock","attrs":{"lang":"text"},"content":[{"type":"text","text":"$ sudo mount -t aufs -o dirs=./fruits=rw:./vegetables=rw none ./mnt"}]},{"type":"paragraph","attrs":{"indent":1,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"When vegetables is writable, the result of the following operation shows up in vegetables:"}]},{"type":"codeblock","attrs":{"lang":"text"},"content":[{"type":"text","text":"$ echo tony.zhu >> ./mnt/carrots"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" For duplicate file names (such as tomato above), "},{"type":"text","marks":[{"type":"strong"}],"text":"the earlier a directory appears on the mount command line, the higher its priority. These properties of a union file system let us build layered images"},{"type":"text","text":". In addition, the Mount Namespace isolates file system mount points, so that each Mount Namespace has its own independent mount point information (the root of these mount points is the file system of the execution environment, also called the root file system, rootfs). Together, these two form the prototype of a container's file system."}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" The Docker file system is illustrated below:"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/18/18af5195111dbf6b9c9d47a7c4f2217d.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" 3.2 namespace"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Linux Namespace is a kernel-level environment isolation mechanism provided by Linux. Using a namespace is simple: it is just an optional parameter when Linux creates a new process. The types are as follows:"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/aa/aad2473b88332b423fdb034e0a4970fc.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":1,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"It is used as follows:"}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"/* the second argument must point to the top of the child's stack */\nint pid = clone(main_function, stack + stack_size, CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWNET|CLONE_NEWUSER|SIGCHLD, NULL);"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Docker's core technology uses LXC to provide VM-like functionality, giving users more computing resources from less hardware. The isolation LXC provides comes mainly from kernel namespaces, which isolate a container's file system, hostname, processes, inter-process messages and network. Docker's advantages over virtual machines are:"}]},{"type":"numberedlist","attrs":{"start":null,"normalizeStart":1},"content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"A virtual machine must run a complete operating system before it can execute the user's application processes (without optimization, the virtual machine itself takes 100-200MB of memory)"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"When a user application running in a virtual machine calls into the host operating system, the calls must be intercepted and handled by the virtualization software, which costs performance (especially for computing resources, network and disk I/O)"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" By contrast, a containerized user application is still an ordinary process on the host, which "},{"type":"text","marks":[{"type":"strong"}],"text":"means the extra resource usage is negligible and there is no performance loss from interception"},{"type":"text","text":". Every advantage has its cost, however. With isolation based on Linux namespaces, "},{"type":"text","marks":[{"type":"strong"}],"text":"the main problem is that the isolation is incomplete"},{"type":"text","text":". Containers still share the same operating system kernel, and many resources cannot be isolated. Time is one example: if a program in a container changes the time with settimeofday(2), the time of the entire host changes with it."}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"3.3 Linux CGroup"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Linux CGroup, in full Linux Control Group, is a Linux kernel feature for controlling the resources of process groups (including CPU, memory, disk and I/O). Its main functions are:"}]},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Control: suspend/resume processes;"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Accounting: statistics, mainly used for billing;"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Prioritization: priority control, for example CPU utilization and disk I/O throughput;"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Resource limitation: limits resource usage, such as a memory usage cap or a file system cache limit;"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" In Linux, the interface CGroup exposes to users is a file system: it is organized as files and directories under /sys/fs/cgroup. We can inspect cgroups with mount or lssubsys:"}]},{"type":"codeblock","attrs":{"lang":"text"},"content":[{"type":"text","text":"$ mount -t cgroup\n> cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)\n> cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)\n> cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)\n> cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)\n> cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)\n> cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)\n> cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)\n> cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)\n> cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)\n> cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)\n> cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)\n\n$ lssubsys -m\n> cpuset /sys/fs/cgroup/cpuset\n> cpu,cpuacct /sys/fs/cgroup/cpu,cpuacct\n> blkio /sys/fs/cgroup/blkio\n> memory /sys/fs/cgroup/memory\n> devices /sys/fs/cgroup/devices\n> freezer /sys/fs/cgroup/freezer\n> net_cls,net_prio /sys/fs/cgroup/net_cls,net_prio\n> perf_event /sys/fs/cgroup/perf_event\n> hugetlb /sys/fs/cgroup/hugetlb\n> pids /sys/fs/cgroup/pids"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" We can see subdirectories such as cpu and memory under /sys/fs/cgroup; these are the cgroup subsystems. The types are as follows:"}]},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"blkio: input/output limits, for example on physical devices (disks, SSDs, USB and so on);"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"cpu: CPU access for the tasks in a cgroup;"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"cpuacct: automatically generates reports on the CPU used by the tasks in a cgroup;"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"cpuset: assigns individual CPUs (on multi-core systems) and memory nodes to the tasks in a cgroup;"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"devices: allows or denies device access for the tasks in a cgroup;"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"freezer: suspends or resumes the tasks in a cgroup;"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"memory: sets limits on the memory used by the tasks in a cgroup and automatically generates reports on memory usage;"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"net_cls: tags network packets with a class identifier (classid), which lets the Linux traffic controller (tc) identify packets originating from a particular cgroup;"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"net_prio: used to set the priority of network traffic;"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"hugetlb: applies limits to the HugeTLB system, which is a huge-page file system;"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Taking CPU as an example, look at the CPU resource usage of a container:"}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"$ cat /sys/fs/cgroup/cpu/docker/cpu.cfs_period_us\n> 100000"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Note: cfs_period_us configures the length of the time period; 100000 means 100ms"}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"$ cat /sys/fs/cgroup/cpu/docker/cpu.cfs_quota_us\n> -1"}]},{"type":"paragraph","attrs":{"indent":1,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Note: cfs_quota_us configures how much CPU time the current cgroup may use within the configured period; -1 means no limit"}]},{"type":"paragraph","attrs":{"indent":1,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Next, we set a limit by changing the contents of these files:"}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"$ echo 200000 >> /sys/fs/cgroup/cpu/docker/cpu.cfs_quota_us"}]},{"type":"paragraph","attrs":{"indent":1,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Note: limits usage to 200ms of CPU resources"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" After this change, in every 100ms period the process can use only 200 millicores of CPU time. For Docker and other Linux containers, the CGroup configuration is done through parameters passed to docker run, for example:"}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"$ docker run -it --cpu-period=10000 --cpu-quota=20000 ubuntu /bin/bash"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Overall, the design of Linux cgroup is fairly easy to use: put simply, it is a subsystem directory combined with a set of resource-limit files."}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"4. Summary"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" Docker is now a very mainstream technology and is already used in our company's production environment. This article briefly covered Docker's background and common commands, focusing on its three core technologies: the union file system, Linux namespaces and control groups. I hope it helps with understanding Docker. You are also welcome to follow my WeChat official account: a little progress every day, and persistence brings big change!"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/df/df97524939cf1870790f8f55dc43846a.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}}]}
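The quota and period files from section 3.3 can be audited across all container cgroups; the script below is an added example, not part of the original article. It prints each group's effective CPU limit in millicores (quota × 1000 / period, so a quota of 200000 over a period of 100000 allows two full CPUs) and reports groups with no quota as unlimited, and it goes beyond the article by also reading the cgroup v2 `cpu.max` file. The function names, the sample tree and its group names are constructed for illustration, and the assumption that containers sit directly under /sys/fs/cgroup/cpu/docker depends on the host's cgroup driver.

```sh
#!/bin/sh
# Added example: audit the CPU limits of container cgroups.
# cgroup v1 uses cpu.cfs_quota_us + cpu.cfs_period_us; cgroup v2 uses cpu.max.

# Print the CPU limit of cgroup directory $1 in millicores (1000 = one full
# CPU), or "unlimited" when no quota is set (-1 in v1, "max" in v2).
cpu_limit_millicores() {
    dir=$1 quota= period=
    if [ -r "$dir/cpu.max" ]; then          # v2 format: "<quota|max> <period>"
        read -r quota period < "$dir/cpu.max" || [ -n "$period" ] || return 1
        if [ "$quota" = max ]; then quota=-1; fi
    elif [ -r "$dir/cpu.cfs_quota_us" ] && [ -r "$dir/cpu.cfs_period_us" ]; then
        read -r quota < "$dir/cpu.cfs_quota_us" || [ -n "$quota" ] || return 1
        read -r period < "$dir/cpu.cfs_period_us" || [ -n "$period" ] || return 1
    else
        return 1                            # no CPU controller files here
    fi
    # Reject anything that is not an integer before doing arithmetic on it.
    case $quota in ''|-|*[!0-9-]*|?*-*) return 1 ;; esac
    case $period in ''|*[!0-9]*) return 1 ;; esac
    [ "$period" -gt 0 ] || return 1
    if [ "$quota" -lt 0 ]; then
        echo unlimited
    else
        echo $(( quota * 1000 / period ))
    fi
}

# Print "<group> <limit>" for every child cgroup of $1; groups whose files are
# missing or malformed are skipped.
audit_cpu_limits() {
    root=$1
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        limit=$(cpu_limit_millicores "$d") || continue
        echo "$(basename "$d") $limit"
    done
    return 0
}

# Constructed sample tree standing in for /sys/fs/cgroup/cpu/docker
# (group names and values are made up for this example).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/web" "$t/batch" "$t/v2svc"
    printf '%s\n' 100000 > "$t/web/cpu.cfs_period_us"
    printf '%s\n' 200000 > "$t/web/cpu.cfs_quota_us"    # 200ms per 100ms
    printf '%s\n' 100000 > "$t/batch/cpu.cfs_period_us"
    printf '%s\n' -1 > "$t/batch/cpu.cfs_quota_us"      # no limit
    printf '%s\n' '50000 100000' > "$t/v2svc/cpu.max"   # half a CPU
    echo "$t"
}

sample=$(make_sample_tree)
audit_cpu_limits "$sample"
rm -rf "$sample"
```

On a real host, point `audit_cpu_limits` at the directory that holds the per-container cgroups and filter the output for `unlimited` to find containers that can consume every CPU on the machine.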