Docker-Network Mode and Resource Control

Network mode

Principle

Docker uses Linux bridging to virtualize a container bridge (docker0) on the host. When Docker starts a container, it assigns the container an IP address from the bridge's subnet, called the Container-IP, and the Docker bridge is the default gateway of every container. Because all containers on the same host are attached to the same bridge, they can communicate directly with each other by Container-IP.

The Docker bridge is virtualized by the host and is not a real network device, so it cannot be addressed from the external network. This also means the external network cannot reach a container directly by its Container-IP. If the container must be reachable from outside, map the container port to the host (port mapping): pass the -p or -P parameter when creating the container with docker run. The container is then accessed as [Host IP]:[Container Port].

You can inspect these interfaces with ifconfig.

docker0 network:
Docker's virtual gateway, a virtual network card generated automatically when the Docker installation completes.

loopback (lo):
The loopback network card, used for TCP/IP host connectivity: it checks whether the network card is valid and whether local communication works (self-check). Virtualization platforms also use such a network card.

ens33:
The virtual machine (host) network card.

virtual bridge (virbr0):
Linux itself includes a virtualization function (the KVM architecture), a virtualization platform of the native architecture. After a virtualization platform is installed, the system automatically installs a virtual network card
(for example, after installing VMware Workstation, the network adapters additionally show VMnet1, VMnet8 and VMnet0).

docker0:
The gateway of the containers, bound to the physical network card and responsible for NAT address translation and port mapping.
docker0 itself is also a kind of container.

Four network modes

host

If host mode is used when starting the container, the container does not get an independent Network Namespace but shares one with the host. The container does not virtualize its own network card or configure its own IP; it uses the host's IP and ports. Other aspects of the container, such as the file system and process list, are still isolated from the host.
A container in host mode communicates with the outside world directly using the host's IP address, and the service port inside the container is the host's port, with no NAT. The biggest advantage of host mode is better network performance, but a port already in use on the Docker host cannot be used again by the container, and network isolation is poor.

container

The newly created container does not create its own network card or set its own IP; instead it shares the IP and port range of a designated container.
This mode makes the new container share a network namespace with an existing container rather than with the host. Apart from networking, the two containers remain isolated from each other in other respects, such as the file system and process list. Processes in the two containers can communicate through the lo loopback device.

None

This mode turns off the container's networking. The container has only the lo loopback interface and no other network cards. Specify none mode with the --network=none parameter when creating the container. Such a container cannot reach the Internet, but a closed network keeps the container isolated and improves its security.

Bridge

This mode allocates and sets an IP for each container, connects the container to the docker0 virtual bridge, and lets the container communicate with the host through docker0 and the nat table configured in iptables.
When the Docker daemon starts, it creates a virtual bridge named docker0 on the host, and every container started on this host in bridge mode is connected to it. The virtual bridge works like a physical switch, so all containers on the host are attached to one Layer 2 network.
Docker assigns the container an IP from the docker0 subnet and sets the IP address of docker0 as the container's default gateway. It creates a veth pair on the host, places one end in the new container and names it eth0 (the container's network card), and leaves the other end on the host with a name like vethxxx, which it adds to the docker0 bridge. This can be viewed with the brctl show command.
veth pair:
Virtual interfaces that appear in pairs, used to connect two virtual network environments or two different namespaces. Each end of the veth pair is placed into one of the two namespaces.

Custom network

Bridge mode is used by default when creating a container, but the default bridge network does not support specifying an IP for the container; a user-defined network does.

docker run -itd --name test1 --network bridge --ip 172.17.0.10 nginx /bin/bash   # fails: --ip is not supported on the default bridge network
docker network create --subnet=172.31.0.0/24 test        # create the custom network "test" with its own subnet
docker run -itd --name web1 --net test --ip 172.31.0.10 nginx /bin/bash          # --ip works on the user-defined network

View the result:

docker ps -a
docker exec -it 9cda25859896 /bin/bash   # enter the container
yum -y install net-tools                 # install the package that provides ifconfig

Resource control optimization

CPU control

CPU catalog and usage allocation

CPU period: the CFS scheduler accounts CPU time in fixed periods. The period parameter is generally 100000 (cpu.cfs_period_us, in microseconds, so one period is 0.1 s by default).
If you need to allocate 20% of the CPU to a container, set the quota parameter to 20000, which is equivalent to 0.2 of each period.
A CPU can only be occupied by one process at a time.

cat /sys/fs/cgroup/cpu/docker/<container ID>/cpu.cfs_quota_us
-1 means this container's CPU use is unlimited

Create a container with a CPU usage of 20%
Method one (container not yet created):

docker run -itd --name test --cpu-quota 20000 centos:7 /bin/bash
docker ps -a 

Method two (container already created):
Write the quota directly into the container's cgroup file (cgroup v1 path on the host):

echo "20000" > /sys/fs/cgroup/cpu/docker/1242367794d9cf133884848731f016b28d159029299c23d1234a2c848af89707/cpu.cfs_quota_us

Enter the container and run some CPU-intensive operations:

docker exec -it 1242367794d9 /bin/bash
yum -y install bc
echo "scale=5000;4*a(1)" | bc -l -q    # compute pi to 5000 digits to load the CPU

Open another terminal and run top (press "1" to show per-CPU details).

CPU weight setting

Set container weights so CPU time is distributed proportionally: a container's share is its weight divided by the sum of all weights, which gives the percentage it occupies when the containers compete for CPU.

docker run -itd --name c1 --cpu-shares 512 centos:7 /bin/bash
docker run -itd --name c2 --cpu-shares 1024 centos:7 /bin/bash
docker ps -a

Enter the 2 containers and test.
Example:

docker exec -it ea5b06518b06 /bin/bash
yum install epel-release -y
yum install stress -y
stress -c 4    # 4 = number of CPU workers; stress simulates full-load threads

View the result:

docker stats


Limit the CPUs the container may use

Add CPU cores to the host; there must be 4 cores.
First remove all containers (stop them first, since docker rm only removes stopped containers):

docker ps -aq | awk '{print "docker rm "$1}' | bash   # -q prints only container IDs

Create a container pinned to CPUs 1 and 3 (the 2nd and 4th CPUs, counting from 0):

docker run -itd --name test1 --cpuset-cpus 1,3 centos:7 /bin/bash
docker ps -a
docker exec -it 3ea411f1b6a4 /bin/bash
yum install epel-release -y
yum install stress -y
stress -c 4

View the result as in the previous test.

Memory limit

docker run -itd --name hhh -m 555m centos:7 /bin/bash   # create a container with a 555M memory limit
docker stats

I/O restrictions

Docker's I/O limits restrict block-device I/O. They are mostly used to control the amount of data transferred; limiting the number of I/O operations is less common.

docker run -itd --device-read-bps /dev/sda:30M centos:7 /bin/bash
--device-read-bps     limit the read bps of a device (amount of data: the transfer rate per second)
--device-write-bps    limit the write bps of a device (amount of data)
--device-read-iops    limit the read iops of a device (number of operations)
--device-write-iops   limit the write iops of a device (number of operations)
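The network modes and resource limits above all surface in `docker inspect` output under HostConfig. The following added example (not from the original post) audits a constructed, trimmed `docker inspect` dump for containers that run in host mode, share another container's network namespace, or lack memory, CPU and block-read limits; the container names and IDs reuse the ones from this page, and the 100000 default period is assumed when CpuPeriod is 0.

```python
import json

# Constructed, trimmed sample of `docker inspect` output (only the fields the
# audit reads); not captured from a real host.
SAMPLE_INSPECT = json.dumps([
    {"Id": "1242367794d9", "Name": "/test",
     "HostConfig": {"NetworkMode": "host", "Memory": 0, "CpuQuota": 0,
                    "CpuPeriod": 0, "CpusetCpus": "", "BlkioDeviceReadBps": []}},
    {"Id": "ea5b06518b06", "Name": "/hhh",
     "HostConfig": {"NetworkMode": "test", "Memory": 555 * 1024 * 1024,
                    "CpuQuota": 20000, "CpuPeriod": 100000, "CpusetCpus": "1,3",
                    "BlkioDeviceReadBps": [{"Path": "/dev/sda", "Rate": 30 * 1024 * 1024}]}},
])

DEFAULT_PERIOD_US = 100000  # kernel/Docker default cpu.cfs_period_us (assumed when 0)


def cpu_limit_fraction(quota_us, period_us):
    """CFS cap as a fraction of one CPU (20000/100000 -> 0.2); None = unlimited."""
    if quota_us <= 0:  # 0 in inspect output, -1 in the cgroup file: no quota
        return None
    return quota_us / (period_us if period_us > 0 else DEFAULT_PERIOD_US)


def audit(inspect_json):
    """Map each container name to the list of missing isolation/limit settings."""
    report = {}
    for c in json.loads(inspect_json):
        hc = c["HostConfig"]
        findings = []
        mode = hc.get("NetworkMode", "")
        if mode == "host":
            findings.append("host network: uses the host IP/ports, no network isolation")
        elif mode.startswith("container:"):
            findings.append("network namespace shared with " + mode.split(":", 1)[1])
        if hc.get("Memory", 0) == 0:
            findings.append("no memory limit (-m)")
        capped = cpu_limit_fraction(hc.get("CpuQuota", 0), hc.get("CpuPeriod", 0))
        if capped is None and not hc.get("CpusetCpus"):
            findings.append("no CPU cap (--cpu-quota) and no core pinning (--cpuset-cpus)")
        if not hc.get("BlkioDeviceReadBps"):
            findings.append("no block read limit (--device-read-bps)")
        report[c["Name"].lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", findings or ["ok"])
```

On a real host, feed it `docker inspect $(docker ps -q)` instead of the constructed sample.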

Origin: blog.csdn.net/weixin_50344742/article/details/114678249