1. The six kinds of namespace isolation
No. | Type | Function description
---|---|---
1 | MNT Namespace | Provides isolation of disk mount points and file systems
2 | IPC Namespace | Provides isolation of inter-process communication
3 | Net Namespace | Provides network isolation
4 | UTS Namespace | Provides hostname isolation
5 | PID Namespace | Provides process isolation
6 | User Namespace | Provides user isolation
2. Docker network
Docker uses a Linux bridge to create a virtual bridge, docker0, on the host. When Docker starts a container, it assigns the container an IP address from the bridge's network segment; this is called the Container-IP, and the bridge's address is the default gateway of every container. Because all containers on the same host attach to the same bridge, they can communicate directly with each other using their Container-IPs.
The Docker bridge is virtualized by the host and is not a real network device, so it cannot be addressed from the external network: external hosts cannot reach a container directly through its Container-IP. To make a container reachable from outside, map the container port to a host port (port mapping) with the -p or -P option when docker run creates the container, and then access the container at [host IP]:[host port].
So how do we make a container reachable from the outside? The next topic is container port mapping.
1. Port mapping
(1) Random port mapping
docker run -itd -P <image>:<tag>
(2) Specified port mapping
docker run -itd -p <host port>:<container port> <image>:<tag>
## Host ports 32768-60999 can all be used; ports 0-32767 are used by the system
2. View container logs
docker logs <container id or name>
3. docker network mode
**Host:** The container will not virtualize its own network card, configure its own IP, etc., but use the host's IP and port.
**Container:** The created container will not create its own network card and configure its own IP, but share the IP and port range with a specified container.
**None:** This mode turns off the container's networking capabilities.
**Bridge:** This is the default mode. It assigns and configures an IP for each container and connects the container to the docker0 virtual bridge; the container communicates with the host through the docker0 bridge and the iptables NAT table configuration.
Custom networks
When Docker is installed it automatically creates three networks: bridge (newly created containers connect to this one by default), none and host.
Network modes in detail
1.host mode:
Equivalent to bridged mode in VMware: the container is on the same network as the host but has no independent IP address.
Docker uses the Linux Namespaces technology to isolate resources, for example the PID Namespace to isolate processes, the Mount Namespace to isolate file systems, and the Network Namespace to isolate networks.
A Network Namespace provides an independent network environment, including network cards, routing, iptables rules and so on, which is isolated from other Network Namespaces.
A Docker container is generally allocated a separate Network Namespace.
However, if the host mode is used when starting the container, the container will not obtain an independent Network Namespace, but will share a Network Namespace with the host. The container will not virtualize its own network card, configure its own IP, etc., but use the host's IP and port.
2.container mode
Once host mode is understood, this mode is easy: a newly created container shares a Network Namespace with an existing container rather than with the host. The new container does not create its own network card or configure its own IP; it shares the IP, port range and so on of the specified container. Apart from the network, the two containers remain isolated from each other in other respects such as file systems and process lists. Processes in the two containers can communicate through the lo loopback device.
(1). View the docker network list
[root@localhost ~]# docker network ls
(2) Get the container's process number
docker inspect -f '{{.State.Pid}}' <container id or name>
(3) Start a container in container mode
docker run -itd --name c2 --net=container:817518d0df4b nginx:1.14 bash
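To confirm that a container-mode setup like the one above actually took effect, here is an added POSIX sh example (my code, not part of the original post) that compares the network namespace inode the kernel exposes under /proc/<pid>/ns/net for two processes; it reuses the docker inspect template from step (2). It assumes Linux and root on the Docker host; the helper names netns_id, same_netns, container_pid and audit_container_netns are mine.

```shell
#!/bin/sh
# Verify that two processes really share one Network Namespace by comparing the
# namespace inode that the kernel exposes as /proc/<pid>/ns/net. Requires Linux and
# permission to read the target processes' /proc entries (root on the host for containers).

# netns_id PID -> prints "net:[<inode>]" for that process
netns_id() {
  readlink "/proc/$1/ns/net"
}

# same_netns PID1 PID2 -> exit 0 if both processes are in the same network namespace,
# 1 if they differ, 2 if either namespace could not be read
same_netns() {
  ns_a=$(netns_id "$1") || return 2
  ns_b=$(netns_id "$2") || return 2
  [ "$ns_a" = "$ns_b" ]
}

# container_pid NAME -> host PID of the container's first process (the docker inspect
# template from the steps above; only works where docker is installed)
container_pid() {
  docker inspect -f '{{.State.Pid}}' "$1"
}

# audit_container_netns NAME [PEER] -> hypothetical helper: reports whether container NAME
# shares its network namespace with the host (PID 1, i.e. host mode) or with container PEER
# (container mode), or has one of its own (bridge / none / custom network)
audit_container_netns() {
  pid=$(container_pid "$1") || return 2
  if same_netns "$pid" 1; then
    echo "$1: shares the host network namespace (host mode)"
  elif [ -n "${2:-}" ] && same_netns "$pid" "$(container_pid "$2")"; then
    echo "$1: shares the network namespace of $2 (container mode)"
  else
    echo "$1: own network namespace $(netns_id "$pid")"
  fi
}

# Usage on a Docker host (assumes the c2 container started above exists):
#   audit_container_netns c2 817518d0df4b
```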
3.none mode
With none mode, the Docker container has its own Network Namespace, however, no network configuration is done for the Docker container.
In other words, the container has no network card, IP, routing or other network information; it only has the lo loopback interface and no other network cards. Such a container cannot reach the network at all, and a closed network of this kind helps keep the container secure.
4. bridge mode
Bridge mode is the default network mode of Docker: without the --net parameter, bridge mode is used.
Equivalent to NAT mode in VMware: the container uses an independent Network Namespace and connects to the docker0 virtual network card, communicating with the host through the docker0 bridge and the iptables NAT table configuration. This mode assigns a Network Namespace, sets an IP and so on for each container, and connects the Docker containers on a host to a virtual bridge.
(1) When the Docker daemon starts, it creates a virtual bridge named docker0 on the host, and Docker containers started on this host connect to it. A virtual bridge works like a physical switch, so all containers on the host are attached to one layer-2 network through the switch.
(2) Docker assigns the container an IP from the docker0 subnet and sets the IP address of docker0 as the container's default gateway. On the host it creates a pair of virtual NICs, a veth pair. veth devices always come in pairs; they form a data channel in which data entering one device comes out of the other, so veth devices are commonly used to connect two network devices.
(3) Docker places one end of the veth pair in the newly created container and names it eth0 (the container's network card); the other end stays on the host with a name like veth*, and is added to the docker0 bridge. This can be viewed with the brctl show command.
(4) When docker run -p is used, Docker actually creates DNAT rules in iptables to implement port forwarding. You can view them with iptables -t nat -vnL.
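The DNAT rules from step (4) are what actually expose a container, so here is an added example (mine, not from the original post) that parses the output of iptables -t nat -vnL DOCKER into host port -> container mappings and picks out the ones bound to every host address. The sample rule lines are constructed rather than captured from a real host, and the function names are assumptions.

```shell
#!/bin/sh
# List the host port -> container mappings that Docker installed as DNAT rules, from the
# output of "iptables -t nat -vnL DOCKER" (the shorter "-nL" layout is handled too).
# Real use: iptables -t nat -vnL DOCKER | dnat_mappings

# Constructed sample output (not captured from a real host) in the -vnL layout:
# pkts bytes target prot opt in out source destination [extra]
SAMPLE_NAT_OUTPUT=$(cat <<'EOF'
Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
   12   720 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:172.17.0.2:80
    3   180 DNAT       tcp  --  !docker0 *       0.0.0.0/0            127.0.0.1            tcp dpt:32768 to:172.17.0.3:443
    0     0 DNAT       udp  --  !docker1 *       0.0.0.0/0            0.0.0.0/0            udp dpt:5353 to:172.18.0.10:5353
EOF
)

# dnat_mappings: reads iptables nat output on stdin, prints one line per DNAT rule:
#   <proto> <host destination>:<host port> -> <container ip>:<container port>
dnat_mappings() {
  awk '
    # With -v the target is column 3 (pkts, bytes come first); without -v it is column 1.
    $3 == "DNAT" { proto = $4; hostdst = $9 }
    $1 == "DNAT" { proto = $2; hostdst = $5 }
    $1 == "DNAT" || $3 == "DNAT" {
      hport = ""; dest = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^dpt:/) hport = substr($i, 5)
        else if ($i ~ /^to:/) dest = substr($i, 4)
      }
      if (hport != "" && dest != "") print proto, hostdst ":" hport, "->", dest
    }'
}

# exposed_on_all_interfaces: keeps only the mappings whose host destination is 0.0.0.0/0,
# i.e. ports reachable on every host address rather than bound to one IP such as 127.0.0.1
exposed_on_all_interfaces() {
  dnat_mappings | awk '$2 ~ /^0\.0\.0\.0\/0:/'
}

# Usage with the constructed sample:
#   printf '%s\n' "$SAMPLE_NAT_OUTPUT" | exposed_on_all_interfaces
```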
5. Custom Network
You can first create a custom network and then run docker with a specified IP
docker network create --subnet=172.18.0.0/16 --opt "com.docker.network.bridge.name"="docker1" mynetwork
## docker1 is the NIC name shown when you run ifconfig -a; if you do not specify it with --opt, ifconfig -a shows a name like br-110eb56a0b22 instead, which is clearly hard to remember.
# mynetwork is the bridge network name shown when you run docker network ls.
Run docker with a specified IP
docker run -itd --name test4 --net mynetwork --ip 172.18.0.10 centos:7 /bin/bash
Container Resource Control
1. CPU resource control
cgroups is a very powerful Linux kernel facility. It can not only limit the resources isolated by namespaces but also assign weights to resources, account for usage, control process start and stop, and so on. In short, cgroups (control groups) implement quotas and metering for resources.
cgroups have four functions:
**Resource limit:** limits the total amount of resources a task may use.
**Priority allocation:** through the number of CPU time slices allocated and the size of disk I/O bandwidth, this effectively controls the running priority of tasks.
**Resource statistics:** accounts for the system's resource usage, such as CPU time and memory usage.
**Task control:** cgroups can suspend and resume tasks, among other operations.
(1) Set the upper limit of CPU usage
Linux uses CFS (Completely Fair Scheduler) to schedule CPU use by each process. The default scheduling period of CFS is 10ms.
We can set the scheduling period of each container's processes and how much CPU time each container may use at most during that period.
Use --cpu-period to set the scheduling period and --cpu-quota to set the CPU time the container may use in each period; the two can be used together. The valid range of the CFS period is 1ms~1s, so the corresponding value range of --cpu-period is 1000~1000000.
The CPU quota of the container must be no less than 1ms, that is, the value of --cpu-quota must be >= 1000.
Modify the CPU usage cap via file
Example: prepare a virtual machine with only one core
So why does it occupy so much CPU at once? We can look at a configuration file.
Specify the CPU quota when running the container
docker run -itd --name <container name> --cpu-quota <quota> <image>:<tag> bash
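As an added example (mine, not from the original post), a small POSIX sh helper that applies the limits stated above: it turns a --cpu-period/--cpu-quota pair into the percentage of one CPU a container may use, rejects a period outside 1000..1000000 us or a quota below 1000 us, and reads the same two values back from a cgroup v1 directory such as /sys/fs/cgroup/cpu/docker/<container id> (cgroupfs driver), which is where the file-based method above changes them. The function names are assumptions.

```shell
#!/bin/sh
# cpu_cap_percent PERIOD_US QUOTA_US
#   Prints the CPU ceiling as a percentage of one core (quota / period * 100), or
#   "unlimited" when the quota is -1 (the kernel's "no limit" value).
#   Enforces the ranges given above: period 1000..1000000 us, quota >= 1000 us.
cpu_cap_percent() {
  period=$1
  quota=$2
  case "$period" in ''|*[!0-9]*) echo "bad period: $period" >&2; return 1 ;; esac
  [ "$period" -ge 1000 ] && [ "$period" -le 1000000 ] || {
    echo "period out of range (1000..1000000 us): $period" >&2
    return 1
  }
  if [ "$quota" = "-1" ]; then
    echo unlimited
    return 0
  fi
  case "$quota" in ''|*[!0-9]*) echo "bad quota: $quota" >&2; return 1 ;; esac
  [ "$quota" -ge 1000 ] || { echo "quota below 1ms: $quota" >&2; return 1; }
  echo $(( quota * 100 / period ))
}

# cgroup_cpu_cap CGROUP_DIR
#   Reads cpu.cfs_period_us and cpu.cfs_quota_us from a cgroup v1 directory
#   (for a container: /sys/fs/cgroup/cpu/docker/<container id>/) and reports the cap,
#   so a changed file can be checked against what the container is expected to get.
cgroup_cpu_cap() {
  dir=$1
  [ -r "$dir/cpu.cfs_period_us" ] && [ -r "$dir/cpu.cfs_quota_us" ] || {
    echo "no CFS files in $dir" >&2
    return 1
  }
  cpu_cap_percent "$(cat "$dir/cpu.cfs_period_us")" "$(cat "$dir/cpu.cfs_quota_us")"
}

# Usage on a cgroup v1 host:
#   cpu_cap_percent 100000 50000          # -> 50
#   cgroup_cpu_cap /sys/fs/cgroup/cpu/docker/<container id>
```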
(2) Set the CPU resource share ratio (effective when several containers are set)
Docker sets CPU shares with **--cpu-shares**; the default value is 1024, and the value is a multiple of 1024
Open three more terminals, log in to the containers c3, c4 and c5, install the dependency packages, and generate four CPU-bound processes.
yum install -y epel-release
yum install -y stress
stress -c 4
Open another terminal and check the CPU share of each container
docker stats
(3) Set the container to bind the specified CPU
First allocate 4 CPU cores to the virtual machine
Create a container c6 and bind it to CPUs 1 and 3
[root@localhost ~]# docker run -itd --name c6 --cpuset-cpus 1,3 centos:7 bash
Install the dependency packages and the stress-testing tool
yum install -y epel-release
yum install -y stress
Start the stress test and generate 4 CPU-bound processes
stress -c 4
Open another terminal, run top and press 1 to view per-CPU usage
2. Restrictions on memory usage
docker run -itd --name <container name> -m <memory limit> <image>:<tag> bash
docker stats ## view container resource usage
(1) Limiting the swap partition
Note that --memory-swap must be used together with --memory.
Normally the value of --memory-swap covers both the container's available memory and its available swap.
So -m 300m --memory-swap=1g means the container can use 300M of physical memory and 700M (1G - 300M) of swap.
If --memory-swap is set to 0 or not set, the swap size the container can use is twice the -m value.
If the value of --memory-swap is the same as -m, the container cannot use swap.
If the value of --memory-swap is -1, the memory used by the container's program is limited but its use of swap space is not (the container can use as much swap as the host has).
3. Restrictions on disk IO quota control (blkio)
--device-read-bps: limits the read speed (bps, amount of data) on a device; the unit can be kb, mb (M) or gb.
Example: docker run -itd --name test9 --device-read-bps /dev/sda:1M centos:7 /bin/bash
--device-write-bps: limits the write speed (bps, amount of data) on a device; the unit can be kb, mb (M) or gb.
Example: docker run -itd --name test10 --device-write-bps /dev/sda:1mb centos:7 /bin/bash
--device-read-iops: limits the read iops (number of operations) on a device
--device-write-iops: limits the write iops (number of operations) on a device
Example:
Requirement: create and start a container c8 from the centos:7 image, with the write speed on the /dev/sda device limited to 1mb/s
docker run -itd --name c8 --device-write-bps /dev/sda:1mb centos:7 bash
docker exec -it c8 bash
Write test
dd if=/dev/zero of=test.txt bs=1M count=10 oflag=direct
Clean up the disk space used by docker
This can be used to free disk space by removing stopped containers, unused data volumes and unused networks
docker system prune -a