Docker (3): Docker containers and network modes

1. The six namespaces and what they isolate

| No. | Type | Function |
|---|---|---|
| 1 | MNT Namespace | Isolates disk mount points and file systems |
| 2 | IPC Namespace | Isolates inter-process communication |
| 3 | Net Namespace | Isolates the network stack |
| 4 | UTS Namespace | Isolates the hostname |
| 5 | PID Namespace | Isolates processes |
| 6 | User Namespace | Isolates users |

2. Docker network

Docker uses a Linux bridge to create a virtual container bridge (docker0) on the host. When Docker starts a container, it assigns the container an IP address from the bridge's subnet, called the Container-IP, and the Docker bridge is the default gateway for every container. Because all containers on the same host are attached to the same bridge, they can communicate directly with each other through their Container-IPs.

The Docker bridge is virtual, created by the host; it is not a real network device and cannot be addressed from the external network, which means that external hosts cannot reach a container directly through its Container-IP. To make a container reachable from outside, map the container port to a port on the host (port mapping) by passing the -p or -P parameter to docker run when the container is created; the container is then accessed as [host IP]:[mapped port].


How is a container made reachable from outside? The next section covers that function: container port mapping.

1. Port mapping

(1) Random port mapping

docker run -itd -P <image>:<tag>



(2) Specify port mapping

docker run -itd -p <host port>:<container port> <image>:<tag>

## Host ports 32768-60999 can all be used for mapping; ports 0-32767 are used by the system



2. View container logs

docker logs <container id or name>


3. Docker network modes

**Host:** The container does not get its own virtual network card or its own IP; it uses the host's IP and ports directly.

**Container:** The created container will not create its own network card and configure its own IP, but share the IP and port range with a specified container.

**None:** This mode turns off the container's networking capabilities.

**Bridge:** The default mode. Docker assigns and configures an IP for each container, connects the container to the docker0 virtual bridge, and lets it communicate with the host through the docker0 bridge and iptables NAT table rules.

Custom network

When Docker is installed, it automatically creates three networks: bridge (new containers are attached to this network by default), none and host.

Network modes in detail

1. host mode

Equivalent to bridge mode in VMware: the container is on the same network as the host, but it has no independent IP address of its own.

Docker uses Linux Namespaces to isolate resources: for example, the PID Namespace isolates processes, the Mount Namespace isolates file systems, and the Network Namespace isolates the network.

A Network Namespace provides an independent network environment, including network cards, routes, iptables rules and so on, isolated from every other Network Namespace.

A Docker container is generally allocated a separate Network Namespace.

However, if the host mode is used when starting the container, the container will not obtain an independent Network Namespace, but will share a Network Namespace with the host. The container will not virtualize its own network card, configure its own IP, etc., but use the host's IP and port.


2. container mode

Once host mode is understood, this mode is easy to follow. It specifies that a newly created container shares a Network Namespace with an existing container rather than with the host. The new container does not create its own network card or configure its own IP; it shares the IP, port range and so on with the specified container. Apart from the network, the two containers remain isolated in every other respect, such as file systems and process lists. Processes in the two containers can communicate with each other through the lo loopback device.


(1) View the Docker network list

[root@localhost ~]# docker network ls


(2) Get the container's process ID

docker inspect -f '{{.State.Pid}}' <container id or name>


(3) Start a container in container mode

docker run -itd --name c2 --net=container:817518d0df4b nginx:1.14 bash
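The PID returned by docker inspect above is what lets you verify, from the host, which namespaces a container actually shares. The following shell functions are an added example and are not part of the original post: they compare the namespace links under /proc for two PIDs, so a container started with --net=host shows a shared net namespace against PID 1, and one started with --net=container:<id> shows a shared net namespace against that container's PID only. The container name c2 used in the usage comment is taken from the command above; everything else assumes only a Linux /proc and readlink.

```shell
#!/bin/sh
# Added example (not from the original post): check which of the six namespace
# kinds a container process shares with another process, using only /proc.
# Use the PID from `docker inspect -f '{{.State.Pid}}' <container>` as $1.

# Print the namespace identity (e.g. "net:[4026531992]") of process $1 for
# namespace kind $2 (one of: mnt ipc net uts pid user).
ns_id() {
    readlink "/proc/$1/ns/$2"
}

# Return 0 if processes $1 and $2 are in the same $3 namespace, 1 otherwise.
shares_ns() {
    [ "$(ns_id "$1" "$3")" = "$(ns_id "$2" "$3")" ]
}

# For each namespace kind, report whether PID $1 shares it with PID $2
# (pass 1 as $2 to compare against the host's init). Output: "<kind> shared|isolated".
ns_report() {
    for kind in mnt ipc net uts pid user; do
        if shares_ns "$1" "$2" "$kind"; then
            echo "$kind shared"
        else
            echo "$kind isolated"
        fi
    done
}

# Wrapper for the docker inspect command shown above (needs Docker on the host).
container_pid() {
    docker inspect -f '{{.State.Pid}}' "$1"
}

# Usage on a real host (container name c2 as in the post):
#   ns_report "$(container_pid c2)" 1
# Expected for a bridge-mode container: every line "isolated" except none;
# for --net=host: "net isolated" becomes "net shared".
```

Run it as root on the Docker host, since reading another user's /proc/<pid>/ns links needs ptrace permission. A bridge- or none-mode container should report every namespace as isolated from PID 1; a "net shared" line against PID 1 is the signature of host mode, and a "net shared" line against another container's PID is the signature of container mode.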

3. none mode

In none mode the Docker container has its own Network Namespace, but Docker performs no network configuration for it. In other words, the container has no network card, IP address or routes; it has only the lo loopback interface and no other network cards. Such a container cannot reach any network, and a closed network like this helps keep the container secure.


4. bridge mode

Bridge mode is the default network mode of docker. Without the --net parameter, it is bridge mode.

Equivalent to NAT mode in VMware: the container uses an independent Network Namespace and connects to the docker0 virtual network card, communicating with the host through the docker0 bridge and the iptables NAT table. In this mode Docker allocates a Network Namespace and sets an IP for each container, and connects all the Docker containers on a host to the virtual bridge.

(1) When the Docker daemon starts, it creates a virtual bridge named docker0 on the host, and every Docker container started on this host is connected to it. A virtual bridge works like a physical switch, so all containers on the host are attached to one layer 2 network through that switch.

(2) The container is assigned an IP from the docker0 subnet, and the IP address of docker0 is set as the container's default gateway. A pair of virtual NICs, a veth pair, is created on the host. veth devices always come in pairs and form a data channel: data entering one device comes out of the other, which is why veth devices are used to connect two network devices.

(3) Docker places one end of the veth pair in the newly created container and names it eth0 (the container's network card); the other end stays on the host, named veth* or similar, and is added to the docker0 bridge. This can be viewed with the brctl show command.

(4) When docker run -p is used, Docker actually creates DNAT rules in iptables to implement port forwarding. They can be viewed with iptables -t nat -vnL.
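Since the -p/-P mappings from the port mapping section end up as DNAT rules in the DOCKER chain, the rules themselves are the authoritative record of what a host exposes. The following shell functions are an added example (not code from the original post) that summarise those rules into "protocol host-port -> container" lines and answer whether a given host port is forwarded at all. The sample rules are constructed to mirror the shape of `iptables -t nat -S DOCKER` output; on a real host, pipe the live output of that command in instead.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the DNAT rules that
# Docker writes for `docker run -p` so you can see which host ports reach
# which container. SAMPLE_RULES is CONSTRUCTED to look like the output of
# `iptables -t nat -S DOCKER` (three mapped ports on two bridges).
SAMPLE_RULES='-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 32768 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.3:80
-A DOCKER ! -i docker1 -p udp -m udp --dport 5353 -j DNAT --to-destination 172.18.0.10:53'

# Print the live DOCKER chain of the nat table (needs root on the Docker host).
list_dnat_rules() {
    iptables -t nat -S DOCKER
}

# Turn rules on stdin into "proto host_port -> container_ip:container_port" lines.
summarize_dnat() {
    awk '
        /-j DNAT/ {
            proto = ""; dport = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p")               proto = $(i + 1)
                if ($i == "--dport")          dport = $(i + 1)
                if ($i == "--to-destination") dest  = $(i + 1)
            }
            printf "%s %s -> %s\n", proto, dport, dest
        }'
}

# Number of host ports forwarded into containers (rules read from stdin).
count_forwarded_ports() {
    summarize_dnat | wc -l | tr -d " "
}

# Exit 0 if host port $1 is forwarded by any rule on stdin, 1 otherwise.
host_port_forwarded() {
    summarize_dnat | awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# Stand-alone demo on the constructed rules; replace with
#   list_dnat_rules | summarize_dnat
# on a real host.
printf '%s\n' "$SAMPLE_RULES" | summarize_dnat
```

Note that these rules apply to traffic arriving on interfaces other than the container bridge (the `! -i docker0` match), which is exactly why a -p mapping bypasses host firewall rules that only filter the INPUT chain; checking this chain, rather than the process list, is the reliable way to audit what a Docker host exposes.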


5. Custom Network

You can create a custom network first, and then run a container on it with a specified IP.

docker network create --subnet=172.18.0.0/16 --opt "com.docker.network.bridge.name"="docker1" mynetwork

## docker1 is the network card name shown by ifconfig -a; without the --opt parameter you would see a name like br-110eb56a0b22 when checking with ifconfig -a, which is obviously hard to remember.
# mynetwork is the bridge-mode network name shown by docker network ls.


Run a container with a specified IP

docker run -itd --name test4 --net mynetwork --ip 172.18.0.10 centos:7 /bin/bash

Container resource control

1. CPU resource control

cgroups (control groups) is a very powerful Linux kernel facility. It can not only limit the resources that namespaces isolate, but also assign weights to resources, account for usage, and control starting and stopping of processes. In short, cgroups implement quotas and accounting for resources.

cgroups provide four functions:
**Resource limiting:** the total amount of resources used by tasks can be capped.
**Priority allocation:** through the number of CPU time slices and the amount of disk I/O bandwidth allocated, this effectively controls the scheduling priority of tasks.
**Resource accounting:** the system's resource usage can be measured, such as CPU time and memory usage.
**Task control:** cgroups can suspend and resume tasks.

(1) Set the upper limit of CPU usage

Linux uses CFS (Completely Fair Scheduler) to schedule each process's use of the CPU. The default CFS scheduling period is 10ms.

We can set the scheduling period of each container process and how much CPU time each container can use at most during this period.

Use --cpu-period to set the scheduling period and --cpu-quota to set the CPU time the container may use in each period; the two are normally used together. The valid range of the CFS period is 1ms to 1s, so the corresponding value range of --cpu-period is 1000 to 1000000.
The CPU quota of a container must be at least 1ms, that is, the value of --cpu-quota must be >= 1000.

Modifying the CPU usage cap via the file

Example: prepare a virtual machine with only one core



So why does the container take so much CPU at once? We can look at a configuration file.



Specify the cpu usage when running the container

docker run -itd --name <container name> --cpu-quota <cpu quota> <image>:<tag> bash



(2) Set the CPU share ratio (only meaningful when several containers are set)

Docker sets CPU shares through **--cpu-shares**; the default value is 1024, and the value is given in multiples of 1024.


Open three more terminals, log in to the containers c3, c4 and c5, install the dependency packages, and generate four CPU-bound processes in each.

yum install -y epel-release
yum install -y stress
stress -c 4

Open another terminal and check the CPU share of each container

docker stats
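The --cpu-quota/--cpu-period arithmetic in section (1) and the --cpu-shares arithmetic in section (2) are both simple enough to check by hand before a container is started, and the quota can also be read back from the cgroup files mentioned under "Modifying the CPU usage cap via the file". The shell functions below are an added example, not code from the post: they validate the period and quota ranges quoted above, compute the resulting CPU percentage, read the same numbers from a cgroup v1 cpu directory (assumed layout: files cpu.cfs_period_us and cpu.cfs_quota_us under /sys/fs/cgroup/cpu/docker/<container id>), and compute the share each container gets under contention. The period 100000 used in the run builder is Docker's default --cpu-period in microseconds.

```shell
#!/bin/sh
# Added example (not from the original post): CFS quota and cpu-shares arithmetic
# behind --cpu-period, --cpu-quota and --cpu-shares, plus reading the cap back
# from cgroup v1 files. Assumes cgroup v1 layout:
#   /sys/fs/cgroup/cpu/docker/<container id>/cpu.cfs_period_us
#   /sys/fs/cgroup/cpu/docker/<container id>/cpu.cfs_quota_us
# The directory is a parameter so the reader can be tried on any directory.

# Validate period (1000..1000000 us) and quota (>= 1000 us): exit 0 = ok, 1 = bad.
cfs_valid() {
    period=$1; quota=$2
    [ "$period" -ge 1000 ] && [ "$period" -le 1000000 ] && [ "$quota" -ge 1000 ]
}

# Percentage of one CPU the container may use: quota / period * 100 (integer).
cfs_percent() {
    echo $(( $2 * 100 / $1 ))
}

# Read period and quota from a cgroup v1 cpu directory and print the percentage,
# or "unlimited" when the quota is -1 (no cap set).
cfs_percent_from_dir() {
    period=$(cat "$1/cpu.cfs_period_us")
    quota=$(cat "$1/cpu.cfs_quota_us")
    if [ "$quota" -lt 0 ]; then
        echo unlimited
    else
        cfs_percent "$period" "$quota"
    fi
}

# Share of CPU time container number $1 (1-based) gets under full contention:
# its --cpu-shares value divided by the sum of all competing containers' shares.
share_percent() {
    idx=$1; shift
    total=0; i=0; mine=0
    for s in "$@"; do
        i=$((i + 1)); total=$((total + s))
        [ "$i" -eq "$idx" ] && mine=$s
    done
    echo $(( mine * 100 / total ))
}

# Build (print, do not execute) the docker run line for a capped container,
# refusing quotas outside the valid range; period 100000 us is Docker's default.
cpu_capped_run() {
    name=$1; quota=$2; image=$3
    cfs_valid 100000 "$quota" || { echo "invalid quota: $quota" >&2; return 1; }
    echo "docker run -itd --name $name --cpu-period 100000 --cpu-quota $quota $image bash"
}
```

For the three-container experiment above, share_percent 1 1024 2048 1024 gives 25 for c3 when c4 carries 2048 shares and the others 1024, which is the ratio docker stats should show while all three run stress. Shares only matter under contention; on an idle host a container with 1024 shares may still use every core, so a hard cap needs --cpu-quota, not --cpu-shares.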


(3) Bind a container to specified CPUs

First allocate 4 CPU cores to the virtual machine.

Create container c6 and bind it to CPUs 1 and 3

[root@localhost ~]# docker run -itd --name c6 --cpuset-cpus 1,3 centos:7 bash

Install the dependency packages and the stress-testing tool

yum install -y epel-release
yum install -y stress

Start the stress test, generating 4 CPU-bound processes

stress -c 4

Open another terminal, run top and press 1 to view per-CPU usage


2. Limiting memory usage

docker run -itd --name <container name> -m <memory limit> <image>:<tag> bash
docker stats ## view container resource usage


(1) Limiting the swap partition

Note that --memory-swap must be used together with --memory.
Normally the value of --memory-swap covers both the container's available memory and its available swap.
So -m 300m --memory-swap=1g means the container can use 300M of physical memory and 700M (1G - 300) of swap.
If --memory-swap is set to 0 or not set, the swap size the container can use is twice the -m value.
If the value of --memory-swap equals -m, the container cannot use swap.
If the value of --memory-swap is -1, the memory used by the container is limited but its swap usage is not (the container can use as much swap as the host has).

3. Disk I/O quota control (blkio)

--device-read-bps: limit the read speed (bps, amount of data) on a device; the unit can be kb, mb (M) or gb.

Example: docker run -itd --name test9 --device-read-bps /dev/sda:1M centos:7 /bin/bash

--device-write-bps: limit the write speed (bps, amount of data) on a device; the unit can be kb, mb (M) or gb.

Example: docker run -itd --name test10 --device-write-bps /dev/sda:1mb centos:7 /bin/bash

--device-read-iops: limit the read IOPS (number of operations) on a device
--device-write-iops: limit the write IOPS (number of operations) on a device

Example:

Requirement: create and start a container c8 from the centos:7 image, with the read speed limit on the /dev/sda device set to 1mb/s

docker run -itd --name c8 --device-write-bps /dev/sda:1mb centos:7 bash
docker exec -it c8 bash

Write test

dd if=/dev/zero of=test.txt bs=1M count=10 oflag=direct
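Both the memory limits in section 2 and the blkio limits in section 3 take size strings in the same kb/mb/gb units, so one parser serves both. The shell functions below are an added example (not code from the post): to_bytes converts a Docker size string, swap_allowance applies the --memory-swap rules listed in section 2(1) (with the "not set or 0" case read as Docker documents it: memory plus swap together equal twice -m, so the swap share equals -m), and expected_seconds gives the floor on how long the dd write test above should take under a --device-write-bps limit, which is how you confirm the limit actually applied. Sizes use binary units (1g = 1024m), which is how Docker parses them.

```shell
#!/bin/sh
# Added example (not from the original post): size-unit parsing shared by
# -m/--memory-swap and --device-*-bps, the --memory-swap rules as a function,
# and the expected duration of the dd write test under a bps limit.

# Convert a Docker size string (300m, 1g, 512kb, 1M, or bare bytes) to bytes.
to_bytes() {
    n=$(echo "$1" | sed 's/[^0-9]//g')
    case "$1" in
        *[gG]*) echo $((n * 1024 * 1024 * 1024)) ;;
        *[mM]*) echo $((n * 1024 * 1024)) ;;
        *[kK]*) echo $((n * 1024)) ;;
        *)      echo "$n" ;;
    esac
}

# Swap (bytes) a container may use given -m $1 and --memory-swap $2
# ($2 may be empty, 0 or -1). Prints "unlimited" when swap is not capped.
swap_allowance() {
    mem=$(to_bytes "$1")
    case "$2" in
        # not set or 0: memory + swap is twice -m, so swap equals -m
        ""|0) echo "$mem" ;;
        # -1: memory is capped, swap is not
        -1)   echo unlimited ;;
        # otherwise $2 is the memory + swap total; equal to -m means no swap
        *)
            swap=$(to_bytes "$2")
            if [ "$swap" -lt "$mem" ]; then
                echo "error: --memory-swap must be >= -m" >&2
                return 1
            fi
            echo $((swap - mem))
            ;;
    esac
}

# Same result in whole MiB, for reading.
swap_allowance_mb() {
    r=$(swap_allowance "$1" "$2") || return 1
    if [ "$r" = unlimited ]; then echo unlimited; else echo $((r / 1024 / 1024)); fi
}

# Minimum seconds `dd bs=$1 count=$2 oflag=direct` needs at a bps limit of $3 (rounded down).
expected_seconds() {
    bytes=$(( $(to_bytes "$1") * $2 ))
    rate=$(to_bytes "$3")
    echo $(( bytes / rate ))
}

# Exit 0 if a measured duration $4 (seconds) is consistent with the limit being
# in effect, i.e. the write did not finish faster than the computed floor.
limit_effective() {
    [ "$4" -ge "$(expected_seconds "$1" "$2" "$3")" ]
}
```

With the post's values, swap_allowance_mb 300m 1g prints 724 (1024 MiB minus 300 MiB; the "700M" in the text is the same number rounded), and expected_seconds 1M 10 1mb prints 10, so a dd of ten 1 MiB blocks that completes in a second or two shows the --device-write-bps limit did not apply (for example because the container writes to a different block device than the one named in the flag).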


Cleaning up disk space used by Docker

This command cleans up disk space by removing stopped containers and unused data volumes and networks.

docker system prune -a



Origin blog.csdn.net/weixin_54059979/article/details/123364632