Docker network and resource control commands (version 20)

1. Overview of container network

■ docker0 network
■ docker virtual gateway
■ loopback
● The loopback network card is used to check whether the TCP/IP stack and the network card are working
■ virtual bridge
● Linux itself includes a virtualization function (the KVM architecture), a virtualization platform native to the system. After a virtualization platform is installed, the system automatically installs a virtual network card
◆ After installing Workstation (a virtualization platform), VMnet1, VMnet8 and VMnet0 appear among the network adapters

■ Summary:
docker0: the gateway of the containers, bound to the physical network card and responsible for NAT address translation and port mapping
docker0 itself is also a kind of container

2. Docker four network modes

■ host mode

  • --net=host
  • The container and the host share the Network namespace
  • A container started in host mode does not get an independent Network Namespace; it shares the host's. The container does not virtualize its own network card or configure its own IP, but uses the host's IP and ports. Other aspects of the container, such as the file system and process list, are still isolated from the host
  • A container in host mode can communicate with the outside world directly using the host's IP address, and a service port inside the container can use the host's port without NAT. The biggest advantage of host mode is better network performance; the drawbacks are that a port already in use on the Docker host can no longer be used, and network isolation is poor

■ container mode

  • --net=container:NAME_or_ID
  • The container shares the Network namespace with another container
  • A container created in this mode does not create its own network card or set its own IP, but shares the IP and port range of a designated container.
    This mode makes the newly created container share a network namespace with an existing container instead of with the host. Apart from the network, the two containers' other resources, such as the file system and process list, remain isolated. Processes in the two containers can communicate through the lo network device

■ none mode (this mode turns off the container's network function)

  • --net=none
  • The container has an independent Network namespace, but nothing is configured in it: no veth pair is assigned, no bridge connection is made and no IP is configured
  • In this mode the container has only the lo loopback interface and no other network cards. none mode is selected with the --network=none parameter when the container is created
  • A container in this mode cannot reach the Internet, but the closed network ensures the security of the container.

■ bridge mode

  • --net=bridge (the default mode)
  • This mode allocates and sets an IP for each container, connects the container to the docker virtual bridge, and lets it communicate with the host through the docker0 bridge and the nat table of iptables (which connects to ens33)
  • When the Docker daemon starts, a virtual bridge named docker0 is created on the host, and every Docker container started on this host is connected to it. The virtual bridge works like a physical switch, so all containers on the host are attached to one Layer 2 network through it
  • An IP is assigned to the container from the docker0 subnet, and the IP address of docker0 is set as the container's default gateway. A pair of virtual network interfaces, a veth pair, is created on the host. Docker places one end of the veth pair in the newly created container and names it eth0 (the container's network card); the other end stays on the host with a name like vethxxx (a veth pair is a pair of virtual interfaces used to connect two virtual network environments, one end mounted in each namespace) and is added to the docker0 bridge. This can be viewed with the brctl show command
  • Bridge mode is docker's default network mode: if the --net parameter is omitted, bridge mode is used. When docker run -p is used, docker actually adds DNAT rules to iptables to implement port forwarding. They can be viewed with iptables -t nat -vnL.
    Note: none of the above needs to be configured manually; what really needs configuring is a custom network
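
The DNAT rules mentioned above are what publish container ports on the host, so reading them back is the quickest way to see which services a host exposes and on which interfaces. The script below is an added example and not part of the original post: it parses a constructed sample of iptables -t nat -vnL DOCKER output (the rules, addresses and chain name br-0a1b2c3d in the sample are made up, not taken from the page's host) and prints each mapping, flagging rules whose destination column is 0.0.0.0/0, which means the port answers on every host interface. A port published with -p 127.0.0.1:PORT:PORT shows 127.0.0.1 in that column instead, which is the setting you want for services that should stay local.

```shell
#!/bin/sh
# Added example, not from the original post: audit the DNAT rules that `docker run -p`
# creates. Input is a constructed sample of `iptables -t nat -vnL DOCKER` output; on a
# real host you would feed in the live command output instead.
SAMPLE_DOCKER_CHAIN='Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
   12   720 DNAT       tcp  --  !docker0 *      0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:172.17.0.2:80
    3   180 DNAT       tcp  --  !br-0a1b2c3d *  0.0.0.0/0            127.0.0.1            tcp dpt:3306 to:172.18.0.100:3306'

# list_port_mappings TEXT: one line per DNAT rule, "<host dest>:<host port> -> <container ip:port>",
# flagging rules whose host destination is 0.0.0.0/0, i.e. reachable on every host interface.
# Field positions follow the -vnL layout: $3 target, $9 destination, match options from $10 on.
list_port_mappings() {
    printf '%s\n' "$1" | awk '
        $3 == "DNAT" {
            dst = $9; hport = ""; target = ""
            for (i = 10; i <= NF; i++) {
                if ($i ~ /^dpt:/) hport = substr($i, 5)
                if ($i ~ /^to:/)  target = substr($i, 4)
            }
            if (hport == "" || target == "") next
            scope = (dst == "0.0.0.0/0") ? " [all interfaces]" : ""
            print dst ":" hport " -> " target scope
        }'
}

# count_exposed_everywhere TEXT: number of mappings bound on all interfaces
count_exposed_everywhere() {
    list_port_mappings "$1" | grep -c '\[all interfaces\]'
}

# Usage on a real host (requires root):  list_port_mappings "$(iptables -t nat -vnL DOCKER)"
list_port_mappings "$SAMPLE_DOCKER_CHAIN"
```

The awk program keys on the target column rather than on line position, so it ignores the RETURN rule and the header, and the scope flag is derived only from the destination column, which is what iptables actually matches on.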

3. Docker custom network

3.1 Custom network with a fixed IP

[root@docker ~]# docker network ls
[root@docker ~]# docker network create --subnet=172.18.0.0/16 net
[root@docker ~]# docker network ls

[root@docker ~]# docker run -itd --name test2 --net net --ip 172.18.0.100 centos:7 /bin/bash
590a5cd37960b7898821a9d179f37e5fb6508f33809c172f95cb720ae3540037
[root@docker ~]# docker ps -a
[root@docker ~]# docker exec -it 590a5cd37960 /bin/bash
[root@590a5cd37960 /]# yum -y install net-tools
[root@590a5cd37960 /]# ifconfig

4. Docker resource control (CPU, memory and IO resource control)

4.1 CPU usage control

[root@docker ~]# cd /sys/fs/cgroup/cpu/docker
[root@docker docker]# ll
[root@docker docker]# cd 590a5cd37960b7898821a9d179f37e5fb6508f33809c172f95cb720ae3540037
[root@docker 590a5cd37960b7898821a9d179f37e5fb6508f33809c172f95cb720ae3540037]# ls
[root@docker 590a5cd37960b7898821a9d179f37e5fb6508f33809c172f95cb720ae3540037]# cat cpu.cfs_quota_us 

■ Note: "-1" means the resources this container can use are not limited.
CPU period: one period is taken as 1 s, and the parameter value is generally 100000 (the CPU measurement unit is the second).
To give this container a CPU usage rate of 20%, set the parameter to 20000, which is equivalent to 0.2 s of CPU allocated to this container per period, and which only one process can occupy at a time

■ Command to check resources:
top
docker stats (check the resources used by the container)

Example: 20% limit

■ Method 1:

docker run -itd --name test2 --cpu-quota 20000 centos:7 /bin/bash
# CPU stress test
docker exec -it id /bin/bash
yum install -y bc
# compute pi
echo "scale=5000;4*a(1)" | bc -l -q
[root@docker ~]# docker run -itd --name test3 --cpu-quota 20000 centos:7 /bin/bash
d4a846253b99e993811473ac11c7d9c2f39db45cea984ee38f65af04dbdbccc6
[root@docker ~]# docker exec -it d4a846253b99 /bin/bash
[root@d4a846253b99 /]# yum -y install bc
[root@d4a846253b99 /]# echo "scale=5000;4*a(1)"| bc -l -q

■ Method 2:

Modify an existing container
[root@docker docker]# cd 590a5cd37960b7898821a9d179f37e5fb6508f33809c172f95cb720ae3540037
[root@docker 590a5cd37960b7898821a9d179f37e5fb6508f33809c172f95cb720ae3540037]# echo "20000" > cpu.cfs_quota_us
[root@docker 590a5cd37960b7898821a9d179f37e5fb6508f33809c172f95cb720ae3540037]# cat cpu.cfs_quota_us 
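
Both methods end up writing the same number into cpu.cfs_quota_us, so it helps to have a small tool that turns a percentage into that number and reads a cgroup directory back. The functions below are an added example, not from the original post. They assume the cgroup v1 layout the post uses (cpu.cfs_quota_us and cpu.cfs_period_us side by side; both files hold microseconds, Docker's default period is 100000, and -1 means no limit). make_fake_cgroup builds a temporary directory that stands in for /sys/fs/cgroup/cpu/docker/<container id>/, so the reader can be exercised without Docker; on a real host pass that directory to cgroup_cpu_limit instead.

```shell
#!/bin/sh
# Added example, not from the original post: convert a CPU percentage into the value written
# to cpu.cfs_quota_us, and read a cgroup directory back to report the effective limit.
# Both files hold microseconds; Docker's default period is 100000 (100 ms), and -1 means unlimited.

# quota_for_percent PERCENT [PERIOD_US]: microseconds of CPU per period for PERCENT of one CPU.
# Values above 100 are allowed and mean more than one full CPU (e.g. 200 = two CPUs).
quota_for_percent() {
    pct=$1
    period=${2:-100000}
    case "$pct" in
        ''|*[!0-9]*) echo "percent must be a positive integer" >&2; return 1 ;;
    esac
    [ "$pct" -gt 0 ] || { echo "percent must be greater than 0" >&2; return 1; }
    echo $(( pct * period / 100 ))
}

# cgroup_cpu_limit DIR: read cpu.cfs_quota_us and cpu.cfs_period_us from DIR and print the
# limit as a percentage of one CPU, or "unlimited" when the quota is -1.
cgroup_cpu_limit() {
    dir=$1
    quota=$(cat "$dir/cpu.cfs_quota_us") || return 1
    period=$(cat "$dir/cpu.cfs_period_us") || return 1
    if [ "$quota" -lt 0 ]; then
        echo unlimited
    else
        echo $(( quota * 100 / period ))
    fi
}

# make_fake_cgroup QUOTA [PERIOD]: constructed stand-in for /sys/fs/cgroup/cpu/docker/<id>/,
# a temporary directory holding the two files, so the reader can be exercised without Docker.
make_fake_cgroup() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$1" > "$d/cpu.cfs_quota_us"
    printf '%s\n' "${2:-100000}" > "$d/cpu.cfs_period_us"
    echo "$d"
}

# Demonstration: 20% becomes 20000, and reading it back reports 20; -1 reads back as unlimited.
fake=$(make_fake_cgroup "$(quota_for_percent 20)")
echo "quota for 20%: $(cat "$fake/cpu.cfs_quota_us")  ->  limit: $(cgroup_cpu_limit "$fake")%"
unlimited=$(make_fake_cgroup -1)
echo "quota -1  ->  limit: $(cgroup_cpu_limit "$unlimited")"
```

Writing the quota directly into the cgroup file (Method 2) bypasses the Docker daemon, so docker inspect will still report the value the container was started with; when the value matters for an audit, read the cgroup file rather than the container metadata.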

4.2 Set the weight of the container

Set container weights proportionally: a container's share is its weight as a percentage of the sum of all weights
[root@docker ~]# docker run -itd --name a1 --cpu-shares 512 centos:7 /bin/bash
2a6755008122ffcfa1caf95bbd50f516eb831451a77e86f7b02ce3646f27bbcf
[root@docker ~]# docker run -itd --name a2 --cpu-shares 1024 centos:7 /bin/bash
72aaf301a8861827d1ff3060990fcfac1585f65c1f36b116a1ad8a124ac764f6
[root@docker ~]# docker ps -a

[root@docker ~]# docker exec -it 2a6755008122 /bin/bash

4.2.1 Install the stress-testing tool

Open two terminals, enter one container in each and run the test; watch the result with docker stats in the main terminal
[root@72aaf301a886 /]# yum -y install epel-release
[root@2a6755008122 /]# yum -y install epel-release

4.2.2 Use stress to simulate fully loaded threads

[root@2a6755008122 /]# yum -y install stress
[root@72aaf301a886 /]# yum -y install stress
[root@72aaf301a886 /]# stress -c 4
stress: info: [92] dispatching hogs: 4 cpu, 0 io, 0 vm, 0 hdd
[root@2a6755008122 /]# stress -c 4
stress: info: [89] dispatching hogs: 4 cpu, 0 io, 0 vm, 0 hdd
[root@docker ~]# docker stats  # watch the live docker stats readings in the main terminal
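
The --cpu-shares values above are relative weights, not ceilings: a1 and a2 only split the CPU 1:2 while both are running stress, and a container that is idle claims nothing, so the other one can use everything. The function below is an added example, not from the original post; it computes each busy container's proportion of the host CPU from NAME=SHARES arguments, using Docker's default weight of 1024 when a name is given without a value, so the numbers it prints are the split docker stats should show while exactly those containers are saturating the CPU.

```shell
#!/bin/sh
# Added example, not from the original post: compute what proportion of the host CPU each
# container receives from its --cpu-shares weight. The weight only matters while the listed
# containers are all competing for CPU; containers omitted from the list are idle and claim nothing.

# share_split NAME[=SHARES] ...: print "NAME PERCENT" for each busy container, where
# PERCENT = SHARES * 100 / (sum of all SHARES). A name without "=SHARES" gets 1024,
# Docker's default --cpu-shares weight.
share_split() {
    total=0
    for spec in "$@"; do
        shares=${spec#*=}
        [ "$spec" = "$shares" ] && shares=1024   # no "=" in the argument -> default weight
        total=$(( total + shares ))
    done
    [ "$total" -gt 0 ] || return 1
    for spec in "$@"; do
        name=${spec%%=*}
        shares=${spec#*=}
        [ "$spec" = "$shares" ] && shares=1024
        echo "$name $(( shares * 100 / total ))"
    done
}

# share_of NAME NAME[=SHARES] ...: percentage for one container out of the busy set
share_of() {
    want=$1; shift
    share_split "$@" | awk -v n="$want" '$1 == n { print $2 }'
}

# The post's a1 (512) and a2 (1024) both running stress: 33% and 66%.
share_split a1=512 a2=1024
# a1 alone: the weight is irrelevant, it gets 100%.
share_of a1 a1=512
# A third container with the default weight joins: a2 drops to 40%.
share_split a1=512 a2=1024 c3
```

Because the percentages are integer-truncated they may not sum to exactly 100; the point of the tool is the ordering and the ratio, which is what the kernel's CFS weighting guarantees.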

4.3 Limit which CPUs the container may use (pin it to the second and fourth)

[root@docker ~]# docker run -itd --name c2 --cpuset-cpus 1,3 centos:7 /bin/bash
afc1017003042489f61f4276c25cb48720c8c248bee592e094ac817aba7d5450
[root@docker ~]# docker exec -it afc101700304 /bin/bash
[root@afc101700304 /]# yum -y install epel-release
[root@afc101700304 /]# yum -y install stress
[root@afc101700304 /]# stress -c 2
stress: info: [111] dispatching hogs: 2 cpu, 0 io, 0 vm, 0 hdd

4.4 Memory usage limit

[root@docker ~]# docker run -itd --name c1 -m 512m centos:7 /bin/bash
10541be0a5fb5fb24bc21fe3b6414e5e6141bc067a74899a18397cc156d3d42a
[root@docker ~]# docker stats  # check CPU status

4.5 Commands to view container status or resource usage

1. top
2. docker stats
3. docker inspect <container ID>

Origin blog.csdn.net/weixin_50344814/article/details/114631995