【Docker】Docker network

1. Docker network implementation principle

  • Docker uses a Linux bridge to virtualize a Docker container bridge (docker0) on the host. When Docker starts a container, it assigns the container an IP address from the network segment of the Docker bridge, called the Container-IP, and the Docker bridge is the default gateway for every container. Because containers on the same host are attached to the same bridge, they can communicate directly through their Container-IPs.

  • The Docker bridge is virtualized by the host and is not a real network device. It cannot be addressed from the external network, which also means the external network cannot reach a container directly through its Container-IP. If a container needs to be reachable from outside, you can map the container port to the host (port mapping), that is, enable it with the -p or -P parameter when docker run creates the container, and then access the container through [host IP]:[container port].

docker run -d --name test1 -P nginx					#Map a random host port (starting from 32768)

docker run -d --name test2 -p 43000:80 nginx		#Map a specified host port

docker ps -a
CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS          PORTS                   NAMES
9d3c04f57a68   nginx     "/docker-entrypoint.…"   4 seconds ago    Up 3 seconds    0.0.0.0:43000->80/tcp   test2
b04895f870e5   nginx     "/docker-entrypoint.…"   17 seconds ago   Up 15 seconds   0.0.0.0:49170->80/tcp   test1

Browser access: http://192.168.80.10:43000 and http://192.168.80.10:49170

#View a container's output and log messages
docker logs <container ID or name>


1.1 Change or add the mapped host port number

docker stop d1                              #Stop the container first
docker inspect d1 | grep Id                 #Find the container's Id
cd /var/lib/docker/containers/118185ea5d6fceb9eb795b31359e2dc516cc9292be12bc22e05dfbc19e08c759   #Enter the container's directory
vim hostconfig.json                         #Edit the config file
  "PortBindings": {                         #Find the PortBindings option
    "80/tcp": [                             #Match the container's port number
      {
        "HostIp": "",
        "HostPort": "6666"                  #Add the mapped host port
      }
    ]
  },
systemctl restart docker
docker start d1

You can also convert the JSON to YAML to make the modification easier.

2. Docker network mode

  • Host: The container will not virtualize its own network card, configure its own IP, etc., but use the host's IP and port.

  • Container: The created container will not create its own network card and configure its own IP, but will share the IP and port range with a specified container.

  • None: This mode turns off the networking capabilities of the container.

  • Bridge: This mode is the default. This mode will allocate and set IP for each container, connect the container to a docker0 virtual bridge, and communicate with the host through the docker0 bridge and iptables nat table configuration.

  • custom network

  • When Docker is installed, it automatically creates three networks: bridge (a newly created container is connected to this network by default), none, and host.

docker network ls   或   docker network list			#List the Docker networks
NETWORK ID     NAME      DRIVER    SCOPE
2b4359d229c6   bridge    bridge    local
0fa580365d39   host      host      local
cc13aa84a223   none      null      local

#When creating a container with docker run, the --net or --network option specifies the container's network mode
●host mode: specified with --net=host.
●none mode: specified with --net=none.
●container mode: specified with --net=container:NAME_or_ID.
●bridge mode: specified with --net=bridge; this is the default and can be omitted.

2.1 host mode

  • Equivalent to bridged mode in VMware: the container is on the same network as the host but has no independent IP address.
  • Docker uses Linux Namespaces to isolate resources, for example the PID Namespace isolates processes, the Mount Namespace isolates the file system, and the Network Namespace isolates the network.
  • A Network Namespace provides an independent network environment, including network cards, routes, iptables rules, etc., isolated from other Network Namespaces. A Docker container is normally assigned its own Network Namespace. However, if host mode is used when starting the container, the container does not get an independent Network Namespace but shares one with the host. The container does not virtualize its own network card or configure its own IP; it uses the host's IP and ports.
docker run -itd --name d2 --net=host nginx

2.2 container mode

  • After understanding host mode, this mode is easy to understand. It specifies that a newly created container shares a Network Namespace with an existing container instead of with the host. The new container does not create its own network card or configure its own IP; it shares the IP, port range, etc. of the specified container. Apart from networking, the two containers remain isolated in other respects such as file systems and process lists. Processes in the two containers can communicate through the lo network device.
docker run -itd --name test1 centos:7 /bin/bash			#The --name option gives the container a custom name

docker ps -a
CONTAINER ID   IMAGE      COMMAND       CREATED      STATUS       PORTS     NAMES
3ed82355f811   centos:7   "/bin/bash"   5 days ago   Up 6 hours             test1

docker inspect -f '{{.State.Pid}}' 3ed82355f811			#View the container's process ID
25945

ls -l /proc/25945/ns					#View the container's namespace ids (process, network, file system, etc.)
lrwxrwxrwx 1 root root 0 17 11:29 ipc -> ipc:[4026532572]
lrwxrwxrwx 1 root root 0 17 11:29 mnt -> mnt:[4026532569]
lrwxrwxrwx 1 root root 0 17 11:27 net -> net:[4026532575]
lrwxrwxrwx 1 root root 0 17 11:29 pid -> pid:[4026532573]
lrwxrwxrwx 1 root root 0 17 12:22 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 17 11:29 uts -> uts:[4026532570]

docker run -itd --name test2 --net=container:3ed82355f811 centos:7 /bin/bash
docker ps -a
CONTAINER ID   IMAGE      COMMAND       CREATED          STATUS          PORTS     NAMES
ff96bc43dd27   centos:7   "/bin/bash"   48 seconds ago   Up 46 seconds             test2
3ed82355f811   centos:7   "/bin/bash"   58 minutes ago   Up 58 minutes             test1

docker inspect -f '{{.State.Pid}}' ff96bc43dd27
27123

ls -l /proc/27123/ns			#Note that the two containers have the same net namespace id
lrwxrwxrwx 1 root root 0 17 12:27 ipc -> ipc:[4026532692]
lrwxrwxrwx 1 root root 0 17 12:27 mnt -> mnt:[4026532690]
lrwxrwxrwx 1 root root 0 17 12:27 net -> net:[4026532575]
lrwxrwxrwx 1 root root 0 17 12:27 pid -> pid:[4026532693]
lrwxrwxrwx 1 root root 0 17 12:27 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 17 12:27 uts -> uts:[4026532691]
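The comparison above can be scripted. The helper below is an added example (not from the original post): it reads the /proc/<pid>/ns/<kind> links for two pids and reports whether they share that namespace. It assumes the container pids come from docker inspect as shown; the /proc-like tree it builds is constructed from the ids in the listings above.

```shell
#!/bin/sh
# Added example: compare the namespaces of two container init processes
# via their /proc/<pid>/ns/<kind> links, whose targets look like "net:[4026532575]".

# ns_id PROCROOT PID KIND -> prints the numeric namespace id for that pid
ns_id() {
  readlink "$1/$2/ns/$3" | sed 's/^[a-z_]*:\[\([0-9]*\)\]$/\1/'
}

# same_ns PROCROOT PID1 PID2 KIND -> exit 0 if both pids are in the same namespace
same_ns() {
  a=$(ns_id "$1" "$2" "$4") || return 2
  b=$(ns_id "$1" "$3" "$4") || return 2
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# container_pid NAME_or_ID -> host pid of the container's main process (real Docker only)
container_pid() {
  docker inspect -f '{{.State.Pid}}' "$1"
}

# make_sample_proc DIR builds a constructed /proc-like tree with the ids seen in
# the listings above: test1 (pid 25945) and test2 (pid 27123) share the net
# namespace but have separate mnt namespaces.
make_sample_proc() {
  mkdir -p "$1/25945/ns" "$1/27123/ns"
  ln -s 'net:[4026532575]' "$1/25945/ns/net"
  ln -s 'mnt:[4026532569]' "$1/25945/ns/mnt"
  ln -s 'net:[4026532575]' "$1/27123/ns/net"
  ln -s 'mnt:[4026532690]' "$1/27123/ns/mnt"
}

# On a real host: same_ns /proc "$(container_pid test1)" "$(container_pid test2)" net
demo_dir=$(mktemp -d)
make_sample_proc "$demo_dir"
if same_ns "$demo_dir" 25945 27123 net; then echo "test1 and test2 share the net namespace"; fi
if ! same_ns "$demo_dir" 25945 27123 mnt; then echo "mnt namespaces differ"; fi
rm -rf "$demo_dir"
```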


2.3 none mode

  • In none mode, the Docker container has its own Network Namespace, but does not perform any network configuration for the Docker container. In other words, this Docker container does not have network card, IP, routing and other information. In this network mode, the container only has the lo loopback network and no other network cards. This type of network cannot be connected to the Internet, and a closed network can well guarantee the security of the container.

2.4 bridge mode

The bridge mode is Docker's default network mode; without the --net parameter, bridge mode is used.

Equivalent to NAT mode in VMware: the container uses an independent Network Namespace and connects to the docker0 virtual NIC, and communication with the host is configured through the docker0 bridge and the iptables nat table. This mode allocates a Network Namespace, sets an IP, etc. for each container and connects the Docker containers on a host to a virtual network bridge.

  • (1) When the Docker process starts, a virtual network bridge named docker0 will be created on the host, and the Docker container started on this host will be connected to this virtual bridge. The working mode of the virtual bridge is similar to that of a physical switch, so that all containers on the host are connected to a layer 2 network through the switch.

  • (2) Assign an IP from the docker0 subnet to the container, and set the IP address of docker0 as the default gateway of the container. Create a pair of virtual NIC veth pair devices on the host. Veth devices always appear in pairs. They form a data channel. Data entering from one device will come out from the other device. Therefore, veth devices are often used to connect two network devices.

  • (3) Docker puts one end of the veth pair device in the newly created container, and names it eth0 (the network card of the container), and puts the other end in the host, named with a similar name like veth*, and adds this network device into the docker0 bridge. It can be viewed through the brctl show command.

  • (4) When using docker run -p, docker actually makes DNAT rules in iptables to realize the port forwarding function. You can use iptables -t nat -vnL to view.
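The DNAT rules from step (4) are also where to audit which published ports are reachable on every host address: a plain -p 43000:80 binds 0.0.0.0, and that traffic is forwarded, so INPUT-chain firewall rules never see it. The filter below is an added example, not from the original post: it reads the output of iptables -t nat -vnL DOCKER and prints the mappings whose destination is 0.0.0.0/0; the sample chain is constructed.

```shell
#!/bin/sh
# Added example: list Docker port publications reachable on all host addresses,
# from the output of: iptables -t nat -vnL DOCKER
# Columns in -vnL output: pkts bytes target prot opt in out source destination [extra...]

# exposed_dnat reads the chain listing on stdin and prints "proto/hostport -> container:port"
# for every DNAT rule whose destination is 0.0.0.0/0 (i.e. not restricted to e.g. 127.0.0.1).
exposed_dnat() {
  awk '$3 == "DNAT" && $9 == "0.0.0.0/0" {
         port = ""; dst = ""
         for (i = 10; i <= NF; i++) {
           if ($i ~ /^dpt:/) port = substr($i, 5)   # host port from "dpt:43000"
           if ($i ~ /^to:/)  dst  = substr($i, 4)   # target from "to:172.17.0.3:80"
         }
         printf "%s/%s -> %s\n", $4, port, dst
       }'
}

# Constructed sample: the chain as it would look with test2 (-p 43000:80) and a
# second container published only on loopback (-p 127.0.0.1:8080:80).
sample_docker_chain() {
cat <<'EOF'
Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    3   180 DNAT       tcp  --  !docker0 *      0.0.0.0/0            0.0.0.0/0            tcp dpt:43000 to:172.17.0.3:80
    0     0 DNAT       tcp  --  !docker0 *      0.0.0.0/0            127.0.0.1            tcp dpt:8080 to:172.17.0.4:80
EOF
}

# On a real host (root needed): iptables -t nat -vnL DOCKER | exposed_dnat
sample_docker_chain | exposed_dnat    # prints only the 43000 mapping
```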


2.5 Custom Network

#Plain bridge mode cannot run a container with a specified IP; for example, the following command reports an error
docker run -itd --name test3 --network bridge --ip 172.17.0.10 centos:7 /bin/bash


//Create a custom network

#You can first define a custom network and then run the container with a specified IP
docker network create --subnet=172.18.0.0/16 --opt "com.docker.network.bridge.name"="docker1"  mynetwork
----------------------------------------------------------------------------------------------------------
#docker1 is the NIC name shown by ifconfig -a; without the --opt parameter you would see a name like br-110eb56a0b22 instead, which is hard to remember.
#mynetwork is the name of the bridge network shown by docker network list.
----------------------------------------------------------------------------------------------------------
docker run -itd --name test4 --net mynetwork --ip 172.18.0.10 centos:7 /bin/bash


3. Resource Control

  • Docker uses Cgroup to control the resource quota used by the container, including CPU, memory, and disk, which basically covers the common resource quota and usage control.
  • Cgroup is short for Control Groups. It is a mechanism provided by the Linux kernel that can limit, account for, and isolate the physical resources (CPU, memory, disk I/O, etc.) used by process groups; many projects such as LXC and Docker use it for process resource control. Cgroup itself is infrastructure that provides the functions and interfaces for managing processes in groups, and specific resource management such as I/O or memory allocation control is implemented on top of it.

3.1 CPU resource control

(1) Set the upper limit of CPU usage

  • Linux uses CFS (Completely Fair Scheduler) to schedule the CPU usage of each process. The default scheduling period of CFS is 100ms.
  • We can set the scheduling cycle of each container process and how much CPU time each container can use at most during this cycle.
  • Use --cpu-period to set the scheduling period, and use --cpu-quota to set the CPU time that the container can use in each period. The two can be used together.
  • The effective range of the CFS period is 1ms~1s, and the corresponding value range of --cpu-period is 1000~1000000.
  • The CPU quota of the container must not be less than 1ms, that is, the value of --cpu-quota must be >= 1000.
docker run -itd --name test5 centos:7 /bin/bash

docker ps -a
CONTAINER ID   IMAGE      COMMAND       CREATED      STATUS       PORTS     NAMES
3ed82355f811   centos:7   "/bin/bash"   5 days ago   Up 6 hours             test5

cd /sys/fs/cgroup/cpu/docker/3ed82355f81151c4568aaa6e7bc60ba6984201c119125360924bf7dfd6eaa42b/
cat cpu.cfs_quota_us 
-1

cat cpu.cfs_period_us 
100000
---------------------------------------------------------------------------------------------------------
#cpu.cfs_period_us: the CPU allocation period (microseconds, hence the "us" in the file name); default 100000.
#cpu.cfs_quota_us: the CPU time (microseconds) this cgroup may use per period; default -1, meaning no limit. Setting it to 50000 means using 50000/100000 = 50% of a CPU.
---------------------------------------------------------------------------------------------------------

#Run a CPU stress test
docker exec -it 3ed82355f811 /bin/bash
vim /cpu.sh
#!/bin/bash
i=0
while true
do
let i++
done

chmod +x /cpu.sh
./cpu.sh

top					#You can see this script consuming a lot of CPU

#Set a 50% upper limit on CPU time
docker run -itd --name test6 --cpu-quota 50000 centos:7 /bin/bash	#Create a new container with the quota set
or
cd /sys/fs/cgroup/cpu/docker/3ed82355f81151c4568aaa6e7bc60ba6984201c119125360924bf7dfd6eaa42b/
echo 50000 > cpu.cfs_quota_us
docker exec -it 3ed82355f811 /bin/bash
./cpu.sh

top					#CPU usage is now close to 50%; the cgroup CPU control has taken effect

#On a multi-core host, to let a container's processes fully occupy two CPUs, set cpu-period to 100000 (0.1 s) and cpu-quota to 200000 (0.2 s).
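To read back what the cgroup actually enforces, here is an added helper (not part of the original post): it computes the CPU ceiling from cpu.cfs_quota_us and cpu.cfs_period_us as described above, reports "unlimited" for -1, rejects values outside the ranges stated above, and gives percentages above 100 for multi-core quotas. The sample cgroup directories it builds are constructed; on a real host point it at /sys/fs/cgroup/cpu/docker/<id>/ (cgroup v1, as on this page).

```shell
#!/bin/sh
# Added example: derive the CPU ceiling a cgroup v1 directory enforces from
# cpu.cfs_quota_us / cpu.cfs_period_us, the two files inspected above.

# cfs_cpu_limit CGROUPDIR -> prints "unlimited" or the ceiling in percent of one CPU
cfs_cpu_limit() {
  quota=$(cat "$1/cpu.cfs_quota_us") || return 2
  period=$(cat "$1/cpu.cfs_period_us") || return 2
  if [ "$quota" -lt 0 ]; then
    echo unlimited
  elif [ "$period" -lt 1000 ] || [ "$period" -gt 1000000 ] || [ "$quota" -lt 1000 ]; then
    echo "invalid: period must be 1000..1000000 us and quota >= 1000 us" >&2
    return 1
  else
    echo $(( quota * 100 / period ))   # 50000/100000 -> 50, 200000/100000 -> 200
  fi
}

# quota_for_cpus CPUS [PERIOD] -> the cpu.cfs_quota_us value that allows CPUS full cores
quota_for_cpus() {
  echo $(( $1 * ${2:-100000} ))        # 2 cores at the default period -> 200000
}

# make_sample_cgroup DIR QUOTA PERIOD writes a constructed cgroup directory for testing
make_sample_cgroup() {
  mkdir -p "$1"
  echo "$2" > "$1/cpu.cfs_quota_us"
  echo "$3" > "$1/cpu.cfs_period_us"
}

# Demo over constructed directories mirroring the values seen on this page.
demo=$(mktemp -d)
make_sample_cgroup "$demo/test5" -1 100000
make_sample_cgroup "$demo/test6" 50000 100000
make_sample_cgroup "$demo/two_cores" "$(quota_for_cpus 2)" 100000
for c in test5 test6 two_cores; do
  echo "$c: $(cfs_cpu_limit "$demo/$c")"   # test5: unlimited, test6: 50, two_cores: 200
done
rm -rf "$demo"
```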


Set a 50% ratio to allocate the upper limit of CPU usage time


(2) Set the CPU resource usage ratio (only valid when multiple containers are set)

Docker specifies the CPU share with --cpu-shares; the default value is 1024, and values are multiples of 1024.
#Create two containers c1 and c2; if these are the only two containers, set their weights so that c1 and c2 get 1/3 and 2/3 of the CPU.
docker run -itd --name c1 --cpu-shares 512 centos:7	
docker run -itd --name c2 --cpu-shares 1024 centos:7

#Enter each container and run a stress test
yum install -y epel-release
yum install -y stress
stress -c 4				#Spawn four processes, each repeatedly computing the square root of random numbers

#View container status (updated dynamically)
docker stats
CONTAINER ID   NAME             CPU %     MEM USAGE / LIMIT     MEM %     NET I/O          BLOCK I/O         PIDS
c3ee18e65852   c2               66.50%    5.5MiB / 976.3MiB     0.56%     20.4MB / 265kB   115MB / 14.2MB    4
bb02d3b345d8   c1               32.68%    2.625MiB / 976.3MiB   0.27%     20.4MB / 325kB   191MB / 12.7MB    4

When the CPU allocates time slices, container c2 gets twice as many chances as container c1 to obtain a time slice.
But the actual result depends on the state of the host and the other containers at the time; there is no guarantee that c1 will get a CPU time slice. For example, if c1's processes are always idle, c2 can get more CPU time slices than c1. In the extreme case, if only one container runs on the host, it can occupy the host's entire CPU even if its CPU share is only 50.

Cgroups only take effect when the resources allocated to containers are scarce, that is, when the resources used by containers need to be limited. Therefore, you cannot determine how much CPU a container receives from its CPU share alone; the result depends on the CPU allocation of the other containers running at the same time and on the processes running in the container.


(3) Set the container to bind the specified CPU

#First give the virtual machine 4 CPU cores
docker run -itd --name test7 --cpuset-cpus 1,3 centos:7 /bin/bash

#Enter the container and run a stress test
yum install -y epel-release
yum install stress -y
stress -c 4

#Exit the container, run top and press 1 to view per-CPU usage.


3.2 Restrictions on memory usage

//-m(--memory=) option is used to limit the maximum memory that the container can use

docker run -itd --name test8 -m 512m centos:7 /bin/bash

docker stats

Limit available swap size, --memory-swap

To emphasize, --memory-swap must be used together with --memory.

Under normal circumstances, the value of --memory-swap includes the container's available memory and available swap.
So -m 300m --memory-swap=1g means: the container can use 300M of physical memory, and can use 700M (1G - 300) of swap.

If --memory-swap is set to 0 or not set, the total (memory plus swap) the container can use is twice the -m value.
If the value of --memory-swap is the same as the value of -m, the container cannot use swap.
If the --memory-swap value is -1, the memory used by the container's programs is limited but the available swap is not (the container can use as much swap as the host has).
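The rules above can be turned into a small calculator (an added example, not from the original post) that reports the swap a container may use for a given -m and --memory-swap pair, and rejects a --memory-swap smaller than -m as docker run does. Sizes are parsed the way Docker does, with binary suffixes (1g is 1024m), which is why 300m with 1g yields 724 MiB of swap rather than exactly 700; the inputs below are constructed.

```shell
#!/bin/sh
# Added example: compute the swap allowance implied by -m and --memory-swap,
# following the four rules above. Docker parses sizes with binary suffixes
# (k = 1024, m = 1024^2, g = 1024^3; a trailing "b" is optional).

# to_bytes SIZE -> bytes as an integer (e.g. 300m -> 314572800)
to_bytes() {
  n=$(printf '%s' "$1" | sed 's/[bB]$//')
  case "$n" in
    *[kK]) echo $(( ${n%?} * 1024 )) ;;
    *[mM]) echo $(( ${n%?} * 1024 * 1024 )) ;;
    *[gG]) echo $(( ${n%?} * 1024 * 1024 * 1024 )) ;;
    *)     echo "$n" ;;
  esac
}

# swap_allowance MEM [MEMSWAP] -> swap bytes the container may use, "unlimited",
# or exit 1 with a message when --memory-swap is below -m (docker run rejects that)
swap_allowance() {
  mem=$(to_bytes "$1")
  case "${2:-0}" in
    0)  echo "$mem" ;;                 # unset/0: total is twice -m, so swap = memory
    -1) echo unlimited ;;              # memory limited, swap not limited
    *)  ms=$(to_bytes "$2")
        if [ "$ms" -lt "$mem" ]; then
          echo "invalid: --memory-swap must not be smaller than -m" >&2
          return 1
        fi
        echo $(( ms - mem )) ;;        # equal values give 0: no swap at all
  esac
}

# mib BYTES -> whole MiB, for readable output
mib() { echo $(( $1 / 1024 / 1024 )); }

# Demo with the pairs discussed on this page (constructed inputs)
for pair in "300m 1g" "512m 512m" "512m -1" "512m"; do
  set -- $pair
  r=$(swap_allowance "$1" "$2") || continue
  case "$r" in
    unlimited) echo "-m $1 --memory-swap $2: swap unlimited" ;;
    *)         echo "-m $1 --memory-swap ${2:-unset}: $(mib "$r") MiB swap" ;;
  esac
done
```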


3.3 Restrictions on disk IO quota control (blkio)

--device-read-bps: limit the read rate (bytes per second) on a device; the unit can be kb, mb (M) or gb.
Example: docker run -itd --name test9 --device-read-bps /dev/sda:1M  centos:7 /bin/bash

--device-write-bps: limit the write rate (bytes per second) on a device; the unit can be kb, mb (M) or gb.
Example: docker run -itd --name test10 --device-write-bps /dev/sda:1mb centos:7 /bin/bash

--device-read-iops: limit the read IOPS (operations per second) on a device

--device-write-iops: limit the write IOPS (operations per second) on a device

#Create a container with a write rate limit
docker run -it --name test10 --device-write-bps /dev/sda:1mb centos:7 /bin/bash

#Verify the write rate with dd
dd if=/dev/zero of=test.out bs=1M count=10 oflag=direct				#oflag=direct bypasses the file system cache
10+0 records in
10+0 records out
10485760 bytes (10 MB) copied, 10.0025 s, 1.0 MB/s


3.4 Clean up the disk space occupied by docker

docker system prune -a			#Clean up disk space: removes stopped containers, unused volumes and networks

Origin blog.csdn.net/wang_dian1/article/details/131828934