docker通过cgroup来控制容器使用的资源配额,包括CPU、内存、磁盘三大方面。
1.限制内存
查询系统中已经mount的cgroup的文件系统,这里的t表示type
[root@server1 ~]# mount -t cgroup
搜索cgroup软件包
[root@server1 ~]# yum search cgroup
安装libcgroup
[root@server1 ~]# yum install -y libcgroup-tools.x86_64
[root@sever1 ~]# cd /sys/fs/cgroup/memory/
[root@sever1 memory]# ls
创建目录
[root@sever1 memory]# mkdir x1
[root@sever1 memory]# cd x1
[root@sever1 x1]# ls
[root@sever1 x1]# cat memory.limit_in_bytes
9223372036854771712
[root@sever1 x1]# cat memory.memsw.limit_in_bytes
9223372036854771712
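限制内存为200M;200M = 200 * 1024 * 1024 = 209715200(字节)。memory.limit_in_bytes限制物理内存,memory.memsw.limit_in_bytes限制内存+swap的总量,两者都要设置,否则进程超出后仍可继续使用swap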
[root@sever1 x1]# echo 209715200 > memory.limit_in_bytes
[root@sever1 x1]# echo 209715200 > memory.memsw.limit_in_bytes
[root@sever1 x1]# cat memory.limit_in_bytes
209715200
[root@sever1 x1]# cat memory.memsw.limit_in_bytes
209715200
[root@sever1 x1]# cd /dev/shm
[root@sever1 shm]# ls
[root@sever1 shm]# free -m
[root@sever1 shm]# cgexec -g memory:x1 dd if=/dev/zero of=bigfile
[root@sever1 shm]# free -m
[root@sever1 shm]# cgexec -g memory:x1 dd if=/dev/zero of=bigfile bs=1M count=300
还原
[root@sever1 shm]# ls
bigfile
[root@sever1 shm]# rm -rf bigfile
[root@sever1 shm]# free -m
2.限制cpu
[root@foundation66 ~]# systemctl start docker
[root@foundation66 ~]# mount -t cgroup
[root@foundation66 ~]# cd /sys/fs/cgroup/
[root@foundation66 cgroup]# ls
blkio cpu,cpuacct freezer net_cls perf_event
cpu cpuset hugetlb net_cls,net_prio pids
cpuacct devices memory net_prio systemd
[root@foundation66 cgroup]# cd cpu
[root@foundation66 cpu]# ls
cgroup.clone_children cpu.cfs_period_us machine.slice
cgroup.event_control cpu.cfs_quota_us notify_on_release
cgroup.procs cpu.rt_period_us release_agent
cgroup.sane_behavior cpu.rt_runtime_us system.slice
cpuacct.stat cpu.shares tasks
cpuacct.usage cpu.stat user.slice
cpuacct.usage_percpu docker
建立目录
[root@foundation66 cpu]# mkdir x1
[root@foundation66 cpu]# cd x1/
[root@foundation66 x1]# ls
-1表示无限制
[root@foundation66 x1]# cat cpu.cfs_quota_us
-1
[root@foundation66 x1]# cat cpu.cfs_period_us
100000
以非交互方式(echo写入)限制control group在每个周期(cpu.cfs_period_us,100000微秒)内占用的CPU时间为20000微秒,即20000/100000,约20%的CPU
[root@foundation66 x1]# echo 20000 > cpu.cfs_quota_us
[root@foundation66 x1]# cat cpu.cfs_quota_us
20000
[root@foundation66 x1]# cat cpu.cfs_period_us
100000
[root@foundation66 x1]# dd if=/dev/zero of=/dev/null &
[1] 8110
查看cpu为100%(此时dd进程还没有写入x1的tasks,不受限制)
[root@foundation66 ~]# top
[root@foundation66 ~]# cd /sys/fs/cgroup/cpu/x1
[root@foundation66 x1]# ls
cgroup.clone_children cpuacct.usage_percpu cpu.shares
cgroup.event_control cpu.cfs_period_us cpu.stat
cgroup.procs cpu.cfs_quota_us notify_on_release
cpuacct.stat cpu.rt_period_us tasks
cpuacct.usage cpu.rt_runtime_us
[root@foundation66 x1]# cat tasks
查看dd进程的id(PID)
[root@foundation66 ~]# top
[root@foundation66 x1]# pwd
/sys/fs/cgroup/cpu/x1
[root@foundation66 x1]# echo 8110 > tasks
查看cpu;dd进程加入x1后,占用应降到约20%
[root@foundation66 ~]# top
将dd进程调回前台并停止
[root@foundation66 x1]# fg
[root@foundation66 ~]# docker ps -a
[root@foundation66 ~]# docker images
--cpu-quota表示限制容器在每个周期内可用的cpu时间(微秒),对应cgroup中的cpu.cfs_quota_us
[root@foundation66 ~]# docker run -it --name vm6 --cpu-quota=20000 ubuntu
root@5cefff1cb6ab:/# dd if=/dev/zero of=/dev/null
查看cpu;为20%
[root@foundation66 ~]# top
^C11016001+0 records in
11016000+0 records out
5640192000 bytes (5.6 GB) copied, 79.2576 s, 71.2 MB/s
root@5cefff1cb6ab:/# exit
exit
[root@foundation66 ~]# docker rm vm6
vm6
[root@foundation66 ~]# docker run -it --name vm6 ubuntu
root@22897ef8daed:/# dd if=/dev/zero of=/dev/null
查看cpu;为100%
[root@foundation66 ~]# top
^C20341261+0 records in
20341260+0 records out
10414725120 bytes (10 GB) copied, 28.9112 s, 360 MB/s
root@22897ef8daed:/# exit
exit
[root@foundation66 ~]# docker rm vm6
vm6
[root@foundation66 ~]# docker run -it --name vm6 --cpu-quota=20000 ubuntu
root@d23d8a6edfd2:/#
[root@foundation66 docker]# cd /sys/fs/cgroup/cpu/docker
[root@foundation66 docker]# ls
cgroup.clone_children
cgroup.event_control
cgroup.procs
cpuacct.stat
cpuacct.usage
cpuacct.usage_percpu
cpu.cfs_period_us
cpu.cfs_quota_us
cpu.rt_period_us
cpu.rt_runtime_us
cpu.shares
cpu.stat
d23d8a6edfd2ce61c1d98fc84317d53ab0dcc1eb0a34ab40848ddda61a5cf203
notify_on_release
tasks
[root@foundation66 docker]# cd d23d8a6edfd2ce61c1d98fc84317d53ab0dcc1eb0a34ab40848ddda61a5cf203
[root@foundation66 d23d8a6edfd2ce61c1d98fc84317d53ab0dcc1eb0a34ab40848ddda61a5cf203]# cat cpu.cfs_quota_us
20000
3.限制磁盘
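默认进入容器后,容器内的root并不具备宿主机root的全部权限,只相当于普通用户权限(capability被裁剪,也看不到宿主机的磁盘设备)
--privileged=true会授予容器全部capability并开放宿主机的所有设备,此方式权限过大,容器内的root几乎等同于宿主机root;应优先使用下面的--cap-add按需添加权限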
[root@foundation66 ~]# docker run -it --rm --privileged=true ubuntu
root@cef14b7f48a4:/# fdisk -l
root@cef14b7f48a4:/# exit
exit
按需添加单项权限(capability):NET_ADMIN只放开网络管理操作,因此可以执行ip addr add,但fdisk -l仍然看不到磁盘
[root@foundation66 ~]# docker run -it --rm --cap-add=NET_ADMIN ubuntu
root@c955d4a06fb0:/# fdisk -l
root@c955d4a06fb0:/# ip addr
root@c955d4a06fb0:/# ip addr add 172.18.0.4/24 dev eth0
root@c955d4a06fb0:/# ip addr
root@cef14b7f48a4:/# exit
exit
限制写入速度:
[root@foundation66 ~]# cat /proc/partitions
--device-write-bps表示限制写入速度
[root@foundation66 ~]# docker run -it --rm --device-write-bps /dev/sda:30MB ubuntu
发现写入速度限制为了每秒30MB(注意:cgroup v1的blkio限速只对直接IO生效,dd需要加oflag=direct才能观察到;不加时写入先进入页缓存,看到的速度不受限制)
root@ead484e21ac5:/# dd if=/dev/zero of=file bs=1M count=300
4.限制内存(通过lxcfs让容器内看到的内存与限制一致)
(1).安装lxcfs
[root@server1 ~]# cd lxcfs/
[root@server1 lxcfs]# ls
lxcfs-2.0.5-3.el7.centos.x86_64.rpm lxcfs-3.0.3.tar.gz
[root@server1 lxcfs]# yum install -y lxcfs-2.0.5-3.el7.centos.x86_64.rpm
[root@server1 lxcfs]# cd /var/lib/lxcfs/
[root@server1 lxcfs]# ls
(2).执行lxcfs
[root@server1 ~]# lxcfs /var/lib/lxcfs &
[1] 11749
[root@server1 ~]# cd /var/lib/lxcfs/
生成了proc目录
[root@server1 lxcfs]# ls
cgroup proc
[root@server1 lxcfs]# cd proc/
[root@server1 proc]# ls
cpuinfo diskstats meminfo stat swaps uptime #cpu 磁盘 内存 状态 swaps uptime
(3).下载并导入镜像
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@server1 ~]# ls
docker lxcfs ubuntu.tar
[root@server1 ~]# docker load -i ubuntu.tar
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu latest 07c86167cdc4 3 years ago 188MB
(4).创建容器
[root@server1 proc]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@server1 proc]# docker run -it --name vm1 -m 200m -v /var/lib/lxcfs/proc/cpuinfo:/proc/cpuinfo
-v /var/lib/lxcfs/proc/diskstats:/proc/diskstats
-v /var/lib/lxcfs/proc/meminfo:/proc/meminfo
-v /var/lib/lxcfs/proc/stat:/proc/stat
-v /var/lib/lxcfs/proc/swaps:/proc/swaps
-v /var/lib/lxcfs/proc/uptime:/proc/uptime
ubuntu
测试:容器内free -m显示的总内存应为-m指定的200M,而不是宿主机的内存
root@888781d16dbd:/# free -m