Docker resource control
1. Namespace
The Linux kernel provides 6 kinds of namespace isolation, each selected by a system call parameter.
The kernel implements namespaces mainly to provide lightweight virtualization. Processes in the same namespace can see each other's changes, but they know nothing about processes outside it. A process in a container therefore sees what looks like an independent system environment, which isolates the container from the host and from other containers.
[root@docker ns]# pwd
/proc/17/ns
[root@docker ns]# ll
总用量 0
lrwxrwxrwx 1 root root 0 8月 26 13:54 ipc -> ipc:[4026531839]
lrwxrwxrwx 1 root root 0 8月 26 13:54 mnt -> mnt:[4026531840]
lrwxrwxrwx 1 root root 0 8月 26 13:54 net -> net:[4026531956]
lrwxrwxrwx 1 root root 0 8月 26 13:54 pid -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 8月 26 13:54 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 8月 26 13:54 uts -> uts:[4026531838]
Namespace | System call parameter | Explanation |
---|---|---|
IPC | CLONE_NEWIPC | Shared memory, semaphores, and message queues |
MNT | CLONE_NEWNS | Mount points, file systems |
NET | CLONE_NEWNET | Network devices, network stack, ports |
PID | CLONE_NEWPID | Process numbers |
USER | CLONE_NEWUSER | Users and user groups |
UTS | CLONE_NEWUTS | Host name, domain name |
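To check which namespaces two processes actually share, compare the identifiers behind the /proc/<pid>/ns links shown above. This is an added example, not part of the original post; the function names ns_compare and ns_shared and the optional proc-root argument (so it can run against a constructed directory) are assumptions.

```sh
#!/bin/sh
# Added example: compare the namespace links of two processes.
# ns_compare PID_A PID_B [PROC_ROOT]
# Prints one line per namespace: "<name> shared|isolated <id_a> <id_b>".
# Returns 0 if every namespace is isolated, 1 if any is shared,
# 2 if a link cannot be read (process gone or insufficient permission).
ns_compare() {
    pid_a=$1
    pid_b=$2
    proc=${3:-/proc}        # PROC_ROOT is an assumption, used for offline runs
    status=0
    for ns in ipc mnt net pid user uts; do
        a=$(readlink "$proc/$pid_a/ns/$ns") || return 2
        b=$(readlink "$proc/$pid_b/ns/$ns") || return 2
        if [ "$a" = "$b" ]; then
            # Same inode number: both processes live in the same namespace.
            echo "$ns shared $a $b"
            status=1
        else
            echo "$ns isolated $a $b"
        fi
    done
    return $status
}

# ns_shared PID_A PID_B [PROC_ROOT]
# Prints only the names of the shared namespaces, space separated.
ns_shared() {
    ns_compare "$1" "$2" "${3:-/proc}" |
        awk '$2 == "shared" { printf "%s%s", sep, $1; sep = " " }'
}

# Usage (as root on the Docker host), comparing the host's PID 1 with a container:
#   ns_shared 1 "$(docker inspect --format '{{.State.Pid}}' test1)"
```

For a default Docker container this normally reports the user namespace as shared, because Docker creates a separate user namespace only when userns-remap is configured.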
2. Cgroup (control group)
Docker uses cgroups to control the resource quotas of containers. The quotas fall into three major areas (CPU, memory, and disk), which basically cover the common cases of resource quota and usage control.
Four functions of Cgroup
Function | Explanation |
---|---|
Resource limit | Cgroups can limit the total amount of resources used by a process group |
Priority assignment | Allocating the number of CPU time slices and the amount of disk IO bandwidth is in effect equivalent to controlling the priority at which processes run |
Resource statistics | Cgroups can record system resource usage, such as CPU time and memory usage, which can be used for usage-based billing. They also support suspension: all resources of the group are restricted through cgroups so that none can be used. |
Process control | Suspend and resume operations on a process group |
[root@docker ~]# cd /sys/fs/cgroup/
[root@docker cgroup]# cat tasks
PS: The numbers in the tasks file are process numbers (PIDs)
[1] Memory limit (Swap)
A container can use two kinds of memory: physical memory and swap
Docker controls container memory usage with the following two parameters
-m or --memory: set the memory usage limit
--memory-swap: set the memory + swap (virtual memory) usage limit
Syntax:
[root@docker ~]# docker run -itd --name test1 -m 100MB --memory-swap 200MB centos:7
9e111ce3fab70649e543abfae484ad421955e61c0999fff1061fa07261ba5b42
PS: This command runs a container named test1 with a memory limit of 100MB and a swap limit of 100MB
--memory-swap 200MB is the limit on physical memory plus swap combined
[2] CPU weight
Docker sets the CPU weight of a container with -c or --cpu-shares
Syntax:
[root@docker ~]# docker run -itd --name test2 -c 512 centos:7
78bcc848e492493b2ebbcfd5425acf08375e724e3c8efa4f640cf9b12c80dda0
[root@docker ~]# cat /sys/fs/cgroup/cpu/docker/78bcc848e492493b2ebbcfd5425acf08375e724e3c8efa4f640cf9b12c80dda0/cpu.shares
512
If the CPU weight is not set, the default value is 1024
[root@docker ~]# docker run -itd --name test3 centos:7
33a6f595bfe5e13ec7984924116a01d695ff1babfc945f27c2487d745b762f43
[root@docker ~]# cat /sys/fs/cgroup/cpu/docker/33a6f595bfe5e13ec7984924116a01d695ff1babfc945f27c2487d745b762f43/cpu.shares
1024
[3] Block IO (disk read and write)
Block IO is another resource whose use by containers can be limited. Block IO means disk reads and writes. Docker can control the bandwidth a container gets for reading and writing disks by setting a weight or by limiting bps and iops.
(1) Block IO weight
By default, all containers can read and write to the disk equally. You can change the priority of a container's Block IO with the --blkio-weight parameter. --blkio-weight is similar to --cpu-shares: it sets a relative weight, and the default is 500.
Syntax:
[root@docker ~]# docker run -itd --name test4 --blkio-weight 600 centos:7
56f7e1f61515e1ad25d411433b17f0a0c4d9dbed7542fc0b900c72718534c70c
[root@docker ~]# docker run -itd --name test5 --blkio-weight 300 centos:7
773323490ab3551c712d39b92067da8e89f28408c624c353a783e158bffd662e
These commands mean that the bandwidth of test4 for reading and writing the disk is twice that of test5
The Block IO values can be seen under /sys/fs/cgroup/blkio/docker
[root@docker ~]# cd /sys/fs/cgroup/blkio/docker/
[root@docker docker]# ls
33a6f595bfe5e13ec7984924116a01d695ff1babfc945f27c2487d745b762f43
56f7e1f61515e1ad25d411433b17f0a0c4d9dbed7542fc0b900c72718534c70c
773323490ab3551c712d39b92067da8e89f28408c624c353a783e158bffd662e
78bcc848e492493b2ebbcfd5425acf08375e724e3c8efa4f640cf9b12c80dda0
9e111ce3fab70649e543abfae484ad421955e61c0999fff1061fa07261ba5b42
b0367fa81428311db4f253a0e7c7c7867e5274cb5730e5b6d3bf6abe64918a57
......
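The memory, CPU weight and Block IO weight settings above all end up as files under /sys/fs/cgroup, so they can be audited in one pass to find containers that run without limits. This is an added example, not part of the original post; it assumes cgroup v1 with the docker/<container id> directory layout shown on this page, and the function names and the optional root argument are assumptions.

```sh
#!/bin/sh
# Added example: audit the cgroup v1 limits Docker wrote for each container.
# Value cgroup v1 reports when no memory limit is set (x86_64, 4K pages).
UNLIMITED=9223372036854771712

# cg_read FILE DEFAULT: print FILE's contents, or DEFAULT if it is missing.
cg_read() { if [ -r "$1" ]; then cat "$1"; else echo "$2"; fi; }

# audit_limits [CGROOT]: one line per container,
#   <id12> mem=<MB|unlimited> swap=<MB|unlimited> cpu=<shares>(<pct>%) blkio=<weight>
# CGROOT defaults to /sys/fs/cgroup (the argument is an assumption for offline runs).
audit_limits() {
    root=${1:-/sys/fs/cgroup}
    # Under contention a container's CPU share is cpu.shares / sum of all shares.
    total=0
    for d in "$root"/cpu/docker/*/; do
        [ -d "$d" ] || continue
        total=$(($total + $(cg_read "$d/cpu.shares" 1024)))
    done
    for d in "$root"/cpu/docker/*/; do
        [ -d "$d" ] || continue
        id=$(basename "$d")
        shares=$(cg_read "$d/cpu.shares" 1024)
        mem=$(cg_read "$root/memory/docker/$id/memory.limit_in_bytes" "$UNLIMITED")
        # A missing memsw file means swap accounting is off: swap is not limited.
        memsw=$(cg_read "$root/memory/docker/$id/memory.memsw.limit_in_bytes" "$UNLIMITED")
        weight=$(cg_read "$root/blkio/docker/$id/blkio.weight" n/a)
        if [ "$mem" -ge "$UNLIMITED" ]; then m=unlimited
        else m="$(($mem / 1048576))MB"; fi
        # --memory-swap is memory + swap, so the swap allowance is the difference.
        if [ "$memsw" -ge "$UNLIMITED" ]; then s=unlimited
        else s="$(( ($memsw - $mem) / 1048576 ))MB"; fi
        pct=$(($shares * 100 / $total))
        echo "$(printf '%.12s' "$id") mem=$m swap=$s cpu=$shares($pct%) blkio=$weight"
    done
}

# unlimited_memory [CGROOT]: ids of containers running with no memory limit.
unlimited_memory() {
    audit_limits "$1" | awk '/ mem=unlimited /{ print $1 }'
}
```

Run as root on the Docker host, `unlimited_memory` lists the containers that can consume all host memory, which is the case the -m and --memory-swap parameters are meant to prevent.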
(2) Limit bps and iops
bps is the amount of data read and written per second
iops is the number of IO operations per second
The bps and iops of the container can be restricted by the following parameters
Parameter | Explanation |
---|---|
--device-read-bps | Limit the bps of reading a device |
--device-write-bps | Limit the bps written to a device |
--device-read-iops | Limit the read iops of a device |
--device-write-iops | Limit the iops written to a device |
Syntax:
PS: This starts a container named testA whose writes to the /dev/sda disk are limited to 30MB per second. dd reads from /dev/zero and writes to the test.txt file, 1M at a time, 800 times in total. oflag=direct makes dd write the file with direct IO, so that --device-write-bps will take effect.
The final time of 26 seconds can also be calculated: 800/30=26, with a remainder of 20
[root@docker docker]# docker run -it --name testA --device-write-bps /dev/sda:30MB centos:7
[root@cafef7d06315 /]# time dd if=/dev/zero of=test.txt bs=1M count=800 oflag=direct
800+0 records in
800+0 records out
838860800 bytes (839 MB) copied, 26.6187 s, 31.5 MB/s
real 0m26.621s
user 0m0.001s
sys 0m0.540s
For comparison, run an unrestricted container and check the rate
[root@docker docker]# docker run -it --name testB centos:7
[root@21696c42c1e6 /]# time dd if=/dev/zero of=test.txt bs=1M count=800 oflag=direct
800+0 records in
800+0 records out
838860800 bytes (839 MB) copied, 2.95036 s, 284 MB/s
real 0m2.952s
user 0m0.000s
sys 0m0.781s
The syntax for iops is the same as for bps. Try to work out the steps yourself.