Linux cloud computing architecture-docker container naming and resource quota control (2)

1. docker container naming and renaming

# Name the container
[root@server ~]# docker run -itd --name docker1 centos:latest /bin/bash
ff4a82982160eaf4f652333088c02e3958d5e641b5e361e166c03d49f2d737a4


# Rename the container
[root@server ~]# docker rename docker1 docker2


2. Specify the host name when creating the docker container

# Set the container's host name
[root@server ~]# docker run -itd --name docker1 -h master_server centos:latest /bin/bash
baf20246fd2f654a7611599cc116260b5a8094f0a1aa61641bd526dba6a38351


3. Set the docker container to start automatically

Restart strategy    Effect
no                  Do not restart the container when it exits
on-failure          Restart the container when it exits abnormally (exit status is not 0)
on-failure:3        Restart the container when it exits abnormally, up to 3 times
always              Always restart the container when it exits; the restart strategy is generally set to always
unless-stopped      Always restart the container when it exits, unless the container had already been stopped

# Set --restart at creation time
[root@server ~]# docker run --restart=always -itd --name=docker1 centos:latest /bin/bash
584a379e3c6261ec082a92cacf0c1e85d1c4f01c65d374a7e1f03a83716fb922

When the --restart parameter is not set, the container will not start when the docker service starts.

# Set --restart on a container that already exists
[root@server ~]# docker update --restart=always docker2
docker2
[root@server ~]# systemctl restart docker


4. Introduction to cgroup resource configuration

① Docker uses cgroups to control the resources used by a container, such as CPU, memory and disk.
② cgroup (control groups) is a mechanism provided by the Linux kernel to limit, record, and isolate the physical resources (CPU, memory, disk) used by a group of processes. It is used by projects such as LXC and docker to control process resources. cgroup provides the basic functions and interfaces for managing processes in groups, and resource management is implemented on top of them.
③ Hardware quotas can be used to prevent one container from occupying all hardware resources when multiple containers run on the docker server.

5. Container cpu resource configuration

① Specify the CPU share the docker container can use on a single CPU (the default CPU share is 1024) [--cpu-shares]

# Set the share of a single CPU to 512
[root@server ~]# docker run -itd --cpu-shares 512 centos:latest /bin/bash
97ae61edc49f337c1e8b9c90f86e4ef43c2c5343bc181670f18bf1f4af8ad3f4
[root@server ~]# docker ps |grep 97ae61edc49
97ae61edc49f        centos:latest       "/bin/bash"         19 seconds ago      Up 18 seconds                           upbeat_bartik
[root@server ~]# docker exec -it 97ae61edc49f /bin/bash
# View the share of a single CPU
[root@97ae61edc49f /]# cat /sys/fs/cgroup/cpu/cpu.shares
512
# View the CPU cores this container can use
[root@97ae61edc49f /]# cat /sys/fs/cgroup/cpuset/cpuset.cpus 
0-7
# Saturate the CPU to test CPU usage
[root@97ae61edc49f /]# yum install epel-release -y
[root@97ae61edc49f /]# yum install stress -y
[root@97ae61edc49f /]# stress -c 2 -i 2 --verbose --timeout 1m
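========================================
Parameters of the stress command:
-? show help information
-v  show the version number
-q  do not show run information
-n  show the status of completed instructions
-t  --timeout N stop after running for N seconds
    --backoff N wait N microseconds before starting to run
-c  spawn N processes, each continuously computing the square root of random numbers, to test the CPU.
-i  spawn N processes, each repeatedly calling sync() to write in-memory content to disk, to test the disk.
-m  spawn N processes, each continuously calling malloc() to allocate memory and free() to release it, to test memory.
--verbose  show detailed information while the stress program runs

Common usage:
stress -c 2 -i 2 --verbose --timeout 1m
========================================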

Use the top command, then press 1 to view the usage of each CPU core. Since only one container is running, no other container competes for the same CPU, so the CPU share setting has no effect. You can still see that two CPU cores are fully loaded.

② Multi-core CPU control [--cpuset-cpus]
The taskset command sets CPU affinity: it binds one or more processes to one or more processors. When the number of CPUs is large, binding a process to certain CPUs can reduce the overhead caused by CPU context switching and save time.

# Bind a process PID to the specified CPU cores
-c  --cpu-list display and specify CPUs in list format
-p  --pid   specify the process PID
taskset -cp 1,2 PID

# Make the sshd process run only on CPUs 1 and 2
# The allowed cores change from 0-7 to 1,2
[root@server ~]# ps aux | grep sshd
root       6629  0.0  0.2 112756  4316 ?        Ss   20:34   0:00 /usr/sbin/sshd -D
root      19038  0.0  0.0 112728   988 pts/0    S+   20:40   0:00 grep --color=auto sshd
[root@server ~]# taskset -cp 1,2 6629
pid 6629's current affinity list: 0-7
pid 6629's new affinity list: 1,2

# View which CPUs the process runs on
[root@server ~]# taskset -cp 6629
pid 6629's current affinity list: 1,2

# When creating the docker container, allow it to use only cores 0, 1 and 2
[root@server ~]# docker run -it --name cpu1 --cpuset-cpus 0-2 centos:latest /bin/bash
# View the CPU cores this container can use
[root@b58e346972cf /]# cat /sys/fs/cgroup/cpuset/cpuset.cpus
0-2

# View which CPUs the process with PID 1 runs on
[root@b58e346972cf /]# taskset -cp 1
pid 1's current affinity list: 0-2
# View which process has PID 1, i.e. the first process started. Here it is /bin/bash
[root@b58e346972cf /]# ps aux
USER        PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root          1  0.1  0.1  12108  2240 pts/0    Ss   12:45   0:00 /bin/bash
root         20  0.0  0.0  44584  1792 pts/0    R+   12:48   0:00 ps aux

③ CPU share and core hybrid control

# Create the first container with a single-CPU share of 512, allowed to use core 0 only.
[root@server ~]# docker run -itd --name docker10 --cpuset-cpus 0 --cpu-shares 512 centos:latest /bin/bash
5a0581f6c20ec9defd4fba2d79d7541db7f71282aa6d324ef277fbf88f4d4a45

# Create the second container with a single-CPU share of 1024 (the default), allowed to use core 0 only.
[root@server ~]# docker run -itd --name docker20 --cpuset-cpus 0 --cpu-shares 1024 centos:latest /bin/bash 
41c9a89a4c430f1227798e13477cb2ab64e724ca3f7e550ca2fd30c42bd864dd

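# From the configuration of the two containers above, docker10 and docker20 can each use only one CPU, so they are bound to compete for it. The single-CPU share of docker20 is twice that of docker10.
# Saturate the CPU in both containers, then use top and press 1 to view the usage of each CPU.
# Under full load docker10 can use only 33.3% of the CPU, while docker20 should be able to use 66.7%
# Run the following command in both containers: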
[root@5a0581f6c20e /]# stress -c 1 -t 10m
[root@41c9a89a4c43 /]# stress -c 1 -t 10m

Observing CPU usage shows that cpu0 is fully loaded and that the ratio of CPU usage between the two processes matches the configured share ratio: both are 2:1.

④ CPU period and time slice control [--cpu-period, --cpu-quota]
These options control how much CPU time the container may occupy.

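# Specifies a CPU scheduling period within which CPU usage is fixed. Once the period is over, the CPU is reallocated.
# Unit: microseconds. Minimum 1000 microseconds, maximum 1000000 microseconds, default 100000 microseconds.
--cpu-period
# Specifies how much CPU time may be used within the period. Default -1, i.e. no control.
--cpu-quota

# Allow the docker instance to use only 0.2 seconds of a single CPU in every 1 second.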
docker run -itd --cpu-period 1000000 --cpu-quota 200000 centos:latest /bin/bash

# View the --cpu-period value
cat /sys/fs/cgroup/cpu/cpu.cfs_period_us
# View the --cpu-quota value
cat /sys/fs/cgroup/cpu/cpu.cfs_quota_us

⑤ Release resources automatically after the docker container runs

# Create a container named abong that is removed automatically after 5s
docker run -itd --rm --name abong centos:latest sleep 5


6. Container memory resource configuration

# The upper limit of memory the container may use is 128m
[root@server ~]# docker run -itd -m 128m centos:latest /bin/bash
d35ac68866569fe301f5628bcea51245d0a04fe9efca66c9505040758fb386cf

# View how much memory the container is allowed to use
[root@d35ac6886656 /]# cat /sys/fs/cgroup/memory/memory.limit_in_bytes 
134217728

# Limit the docker container to 2 cores and 128m of memory
[root@server ~]# docker run -itd --cpuset-cpus 0,1 -m 128m centos:latest /bin/bash
a67f129c452527f7c80096e104306b1d0ea44af7b1be1c62e7ad396fbcd06373
[root@server ~]# docker exec -it a67f129c4525 /bin/bash
[root@a67f129c4525 /]# cat /sys/fs/cgroup/cpuset/cpuset.cpus
0-1
[root@a67f129c4525 /]# cat /sys/fs/cgroup/memory/memory.limit_in_bytes 
134217728
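
The cgroup files read in sections 5 and 6 are the cgroup v1 layout; on a cgroup v2 host the same limits live in cpu.max and memory.max. The following is an added example, not part of the original post, that reports the effective CPU and memory ceilings under either layout. The function name cgroup_limits and its output format are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report the CPU and memory ceilings a container actually received.
# Run it inside the container, or pass another cgroup root as the first argument.

# cgroup_limits [ROOT] -> prints "cpu_pct=<N|unlimited> mem_bytes=<N|unlimited>"
cgroup_limits() {
    root=${1:-/sys/fs/cgroup}
    mem=max
    if [ -f "$root/cpu.max" ]; then
        # cgroup v2: cpu.max holds "<quota|max> <period>"; memory.max holds bytes or "max"
        read -r quota period < "$root/cpu.max"
        if [ -f "$root/memory.max" ]; then
            read -r mem < "$root/memory.max"
        fi
    elif [ -f "$root/cpu/cpu.cfs_quota_us" ]; then
        # cgroup v1: the layout used by the commands on this page
        read -r quota  < "$root/cpu/cpu.cfs_quota_us"
        read -r period < "$root/cpu/cpu.cfs_period_us"
        if [ -f "$root/memory/memory.limit_in_bytes" ]; then
            read -r mem < "$root/memory/memory.limit_in_bytes"
        fi
    else
        echo "no cpu controller files under $root" >&2
        return 1
    fi

    # --cpu-quota / --cpu-period: percent of ONE core (values above 100 span cores)
    case $quota in
        max|-1) cpu=unlimited ;;
        *)      cpu=$(( quota * 100 / period )) ;;
    esac

    # v1 reports "no limit" as a huge number instead of a keyword;
    # treat any value of 19 or more digits as unlimited.
    case $mem in
        max) mem=unlimited ;;
        *)   if [ "${#mem}" -ge 19 ]; then mem=unlimited; fi ;;
    esac

    echo "cpu_pct=$cpu mem_bytes=$mem"
}

# Typical use inside a container:  cgroup_limits
```

For the container started with --cpu-period 1000000 --cpu-quota 200000 and -m 128m this reports cpu_pct=20 mem_bytes=134217728.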

7. Docker data mapping

Docker is mainly used for computing and is not good at storage, so a storage directory in the container can be mapped to a directory on the physical machine.
Data mapping format: docker run -itd --name web1 -v <directory on the physical machine>:<data storage directory in the container>

[root@server ~]# docker run -itd --name web1 -v /var/www/html:/var/www/html centos:httpd /bin/init
2adedbe8723ba051da197da0ebff285aa1b39381505d1f51e6da06f2b31f3e9b
[root@server ~]# docker exec -it 2adedbe8723 /bin/bash
[root@2adedbe8723b /]# echo "docker image" >> /var/www/html/index.html   # Create the index.html file inside the container

# The index.html file is also visible in the corresponding directory on the physical machine
[root@server ~]# ll /var/www/html/
总用量 4
-rw-r--r-- 1 root root 13 10月 10 21:48 index.html
[root@server ~]# cat /var/www/html/index.html 
docker image

8. Container IO resource configuration

# View the read/write resource configuration parameters
[root@server ~]# docker run --help | grep device
      --blkio-weight-device list       Block IO weight (relative device weight) (default [])
      --device list                    Add a host device to the container
      --device-cgroup-rule list        Add a rule to the cgroup allowed devices list
      --device-read-bps list           Limit read rate (bytes per second) from a device (default [])
      --device-read-iops list          Limit read rate (IO per second) from a device (default [])
      --device-write-bps list          Limit write rate (bytes per second) to a device (default [])
      --device-write-iops list         Limit write rate (IO per second) to a device (default [])
      --gpus gpu-request               GPU devices to add to the container ('all' to pass all GPUs)
[root@server ~]# docker run --help | grep write
      --device-write-bps list          Limit write rate (bytes per second) to a device (default [])
      --device-write-iops list         Limit write rate (IO per second) to a device (default [])
      --entrypoint string              Overwrite the default ENTRYPOINT of the image
[root@server ~]# docker run --help | grep read
      --device-read-bps list           Limit read rate (bytes per second) from a device (default [])
      --device-read-iops list          Limit read rate (IO per second) from a device (default [])
      --read-only                      Mount the container's root filesystem as read only

Example: limit the maximum read and write speed of the container instance to the hard disk to 1 MB/s

[root@server ~]# docker run -it -v /var/www/html:/var/www/html --device /dev/sda:/dev/sda --device-write-bps /dev/sda:1mb centos:httpd /bin/bash
[root@6d0b9d746d0e /]# time dd if=/dev/zero of=/var/www/html/test.out bs=1M count=10 oflag=direct,nonblock
10+0 records in
10+0 records out
10485760 bytes (10 MB, 10 MiB) copied, 10.0048 s, 1.0 MB/s

real	0m10.010s
user	0m0.006s
sys	0m0.010s
===============================================
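--device  # add a hard disk for the container to use
--device-write-bps /dev/sda:1mb    # the write speed to the /dev/sda device is 1mb
time # used for timing
direct  # read and write data with direct I/O, i.e. write from memory straight to the hard disk, bypassing the cache.
nonblock  # read and write data with non-blocking I/O, giving priority to writing the dd command's data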
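
Section 4 notes that quotas stop one container from taking all of the host's hardware resources, and most containers started on this page have no memory limit at all. The following is an added example, not part of the original post, that audits docker inspect output for containers missing those quotas and for containers that were handed a host device node with --device. The function names, flag labels and sample lines are constructed for the example; io1 and app1 are hypothetical container names.

```shell
#!/bin/sh
# Added example: flag containers started without the quota options covered above.
# Input is one line per container:
#   name|Memory|NanoCpus|CpuQuota|CpusetCpus|Devices-as-JSON
# On a real host such lines come from:
#   docker inspect --format '{{.Name}}|{{.HostConfig.Memory}}|{{.HostConfig.NanoCpus}}|{{.HostConfig.CpuQuota}}|{{.HostConfig.CpusetCpus}}|{{json .HostConfig.Devices}}' $(docker ps -q)

audit_quotas() {
    while IFS='|' read -r name mem nano quota cpuset devs; do
        [ -n "$name" ] || continue
        flags=
        # -m unset is stored as 0: the container may consume all host memory.
        [ "$mem" -gt 0 ] || flags="$flags NO_MEM_LIMIT"
        # --cpus (NanoCpus), --cpu-quota and --cpuset-cpus bound CPU time.
        # --cpu-shares is only a relative weight, so it is not counted as a cap.
        if [ "$nano" -le 0 ] && [ "$quota" -le 0 ] && [ -z "$cpuset" ]; then
            flags="$flags NO_CPU_CAP"
        fi
        # --device gives the container direct access to a host device node.
        case $devs in
            ''|null|'[]') ;;
            *) flags="$flags HOST_DEVICE" ;;
        esac
        printf '%s:%s\n' "${name#/}" "${flags:- ok}"
    done
}

# Constructed sample lines modelled on the containers created on this page.
sample_inspect_lines() {
    cat <<'EOF'
/docker10|0|0|0|0|[]
/web1|0|0|0||[]
/io1|0|0|0||[{"PathOnHost":"/dev/sda","PathInContainer":"/dev/sda","CgroupPermissions":"rwm"}]
/app1|134217728|0|200000|0,1|[]
EOF
}

sample_inspect_lines | audit_quotas
```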

9. Common syntax of run, exec and update

docker run

[root@server ~]# docker run --help

Usage:	docker run [OPTIONS] IMAGE [COMMAND] [ARG...]

Run a command in a new container

Options:
      --add-host list                  Add a custom host-to-IP mapping (host:ip)
  -a, --attach list                    Attach to STDIN, STDOUT or STDERR
      --blkio-weight uint16            Block IO (relative weight), between 10 and 1000, or 0 to
                                       disable (default 0)
      --blkio-weight-device list       Block IO weight (relative device weight) (default [])
      --cap-add list                   Add Linux capabilities
      --cap-drop list                  Drop Linux capabilities
      --cgroup-parent string           Optional parent cgroup for the container
      --cidfile string                 Write the container ID to the file
      --cpu-period int                 Limit CPU CFS (Completely Fair Scheduler) period
      --cpu-quota int                  Limit CPU CFS (Completely Fair Scheduler) quota
      --cpu-rt-period int              Limit CPU real-time period in microseconds
      --cpu-rt-runtime int             Limit CPU real-time runtime in microseconds
  -c, --cpu-shares int                 CPU shares (relative weight)
      --cpus decimal                   Number of CPUs
      --cpuset-cpus string             CPUs in which to allow execution (0-3, 0,1)
      --cpuset-mems string             MEMs in which to allow execution (0-3, 0,1)
  -d, --detach                         Run container in background and print container ID
      --detach-keys string             Override the key sequence for detaching a container
      --device list                    Add a host device to the container
      --device-cgroup-rule list        Add a rule to the cgroup allowed devices list
      --device-read-bps list           Limit read rate (bytes per second) from a device (default [])
      --device-read-iops list          Limit read rate (IO per second) from a device (default [])
      --device-write-bps list          Limit write rate (bytes per second) to a device (default [])
      --device-write-iops list         Limit write rate (IO per second) to a device (default [])
      --disable-content-trust          Skip image verification (default true)
      --dns list                       Set custom DNS servers
      --dns-option list                Set DNS options
      --dns-search list                Set custom DNS search domains
      --domainname string              Container NIS domain name
      --entrypoint string              Overwrite the default ENTRYPOINT of the image
  -e, --env list                       Set environment variables
      --env-file list                  Read in a file of environment variables
      --expose list                    Expose a port or a range of ports
      --gpus gpu-request               GPU devices to add to the container ('all' to pass all GPUs)
      --group-add list                 Add additional groups to join
      --health-cmd string              Command to run to check health
      --health-interval duration       Time between running the check (ms|s|m|h) (default 0s)
      --health-retries int             Consecutive failures needed to report unhealthy
      --health-start-period duration   Start period for the container to initialize before
                                       starting health-retries countdown (ms|s|m|h) (default 0s)
      --health-timeout duration        Maximum time to allow one check to run (ms|s|m|h) (default 0s)
      --help                           Print usage
  -h, --hostname string                Container host name
      --init                           Run an init inside the container that forwards signals and
                                       reaps processes
  -i, --interactive                    Keep STDIN open even if not attached
      --ip string                      IPv4 address (e.g., 172.30.100.104)
      --ip6 string                     IPv6 address (e.g., 2001:db8::33)
      --ipc string                     IPC mode to use
      --isolation string               Container isolation technology
      --kernel-memory bytes            Kernel memory limit
  -l, --label list                     Set meta data on a container
      --label-file list                Read in a line delimited file of labels
      --link list                      Add link to another container
      --link-local-ip list             Container IPv4/IPv6 link-local addresses
      --log-driver string              Logging driver for the container
      --log-opt list                   Log driver options
      --mac-address string             Container MAC address (e.g., 92:d0:c6:0a:29:33)
  -m, --memory bytes                   Memory limit
      --memory-reservation bytes       Memory soft limit
      --memory-swap bytes              Swap limit equal to memory plus swap: '-1' to enable
                                       unlimited swap
      --memory-swappiness int          Tune container memory swappiness (0 to 100) (default -1)
      --mount mount                    Attach a filesystem mount to the container
      --name string                    Assign a name to the container
      --network network                Connect a container to a network
      --network-alias list             Add network-scoped alias for the container
      --no-healthcheck                 Disable any container-specified HEALTHCHECK
      --oom-kill-disable               Disable OOM Killer
      --oom-score-adj int              Tune host’s OOM preferences (-1000 to 1000)
      --pid string                     PID namespace to use
      --pids-limit int                 Tune container pids limit (set -1 for unlimited)
      --platform string                Set platform if server is multi-platform capable
      --privileged                     Give extended privileges to this container
  -p, --publish list                   Publish a container's port(s) to the host
  -P, --publish-all                    Publish all exposed ports to random ports
      --read-only                      Mount the container's root filesystem as read only
      --restart string                 Restart policy to apply when a container exits (default "no")
      --rm                             Automatically remove the container when it exits
      --runtime string                 Runtime to use for this container
      --security-opt list              Security Options
      --shm-size bytes                 Size of /dev/shm
      --sig-proxy                      Proxy received signals to the process (default true)
      --stop-signal string             Signal to stop a container (default "SIGTERM")
      --stop-timeout int               Timeout (in seconds) to stop a container
      --storage-opt list               Storage driver options for the container
      --sysctl map                     Sysctl options (default map[])
      --tmpfs list                     Mount a tmpfs directory
  -t, --tty                            Allocate a pseudo-TTY
      --ulimit ulimit                  Ulimit options (default [])
  -u, --user string                    Username or UID (format: <name|uid>[:<group|gid>])
      --userns string                  User namespace to use
      --uts string                     UTS namespace to use
  -v, --volume list                    Bind mount a volume
      --volume-driver string           Optional volume driver for the container
      --volumes-from list              Mount volumes from the specified container(s)
  -w, --workdir string                 Working directory inside the container

docker exec

[root@server ~]# docker exec --help

Usage:	docker exec [OPTIONS] CONTAINER COMMAND [ARG...]

Run a command in a running container

Options:
  -d, --detach               Detached mode: run command in the background
      --detach-keys string   Override the key sequence for detaching a container
  -e, --env list             Set environment variables
  -i, --interactive          Keep STDIN open even if not attached
      --privileged           Give extended privileges to the command
  -t, --tty                  Allocate a pseudo-TTY
  -u, --user string          Username or UID (format: <name|uid>[:<group|gid>])
  -w, --workdir string       Working directory inside the container

docker update

[root@server ~]# docker update --help 

Usage:	docker update [OPTIONS] CONTAINER [CONTAINER...]

Update configuration of one or more containers

Options:
      --blkio-weight uint16        Block IO (relative weight), between 10 and 1000, or 0 to
                                   disable (default 0)
      --cpu-period int             Limit CPU CFS (Completely Fair Scheduler) period
      --cpu-quota int              Limit CPU CFS (Completely Fair Scheduler) quota
      --cpu-rt-period int          Limit the CPU real-time period in microseconds
      --cpu-rt-runtime int         Limit the CPU real-time runtime in microseconds
  -c, --cpu-shares int             CPU shares (relative weight)
      --cpus decimal               Number of CPUs
      --cpuset-cpus string         CPUs in which to allow execution (0-3, 0,1)
      --cpuset-mems string         MEMs in which to allow execution (0-3, 0,1)
      --kernel-memory bytes        Kernel memory limit
  -m, --memory bytes               Memory limit
      --memory-reservation bytes   Memory soft limit
      --memory-swap bytes          Swap limit equal to memory plus swap: '-1' to enable unlimited swap
      --pids-limit int             Tune container pids limit (set -1 for unlimited)
      --restart string             Restart policy to apply when a container exits

With what was covered above, we can quickly create a container instance with a designated host name, dynamic IP address, number of CPU cores, memory size, and read/write speed limit on a given device.

Origin blog.csdn.net/weixin_36522099/article/details/108985933