  • Docker Cgroup 容器资源限制

    docker通过cgroup来控制容器使用的资源配额,包括CPU、内存、磁盘三大方面。
    1.限制内存

    查询系统中已经mount的cgroup的文件系统,这里的t表示type

    [root@server1 ~]# mount -t cgroup

    搜索cgroup软件包

    [root@server1 ~]# yum search cgroup

    安装libcgroup

    [root@server1 ~]# yum install -y libcgroup-tools.x86_64
    [root@sever1 ~]# cd /sys/fs/cgroup/memory/
    [root@sever1 memory]# ls

    创建目录

    [root@sever1 memory]# mkdir x1
    [root@sever1 memory]# cd x1
    [root@sever1 x1]# ls

    [root@sever1 x1]# cat memory.limit_in_bytes
    9223372036854771712
    [root@sever1 x1]# cat memory.memsw.limit_in_bytes
    9223372036854771712

    限制内存;200M = 200 * 1024 * 1024 = 209715200(字节)

    [root@sever1 x1]# echo 209715200 > memory.limit_in_bytes
    [root@sever1 x1]# echo 209715200 > memory.memsw.limit_in_bytes
    [root@sever1 x1]# cat memory.limit_in_bytes
    209715200
    [root@sever1 x1]# cat memory.memsw.limit_in_bytes
    209715200
    [root@sever1 x1]# cd /dev/shm
    [root@sever1 shm]# ls
    [root@sever1 shm]# free -m

    [root@sever1 shm]# cgexec -g memory:x1 dd if=/dev/zero of=bigfile

    [root@sever1 shm]# free -m

    [root@sever1 shm]# cgexec -g memory:x1 dd if=/dev/zero of=bigfile bs=1M count=300

    还原

    [root@sever1 shm]# ls
    bigfile
    [root@sever1 shm]# rm -rf bigfile
    [root@sever1 shm]# free -m

    2.限制cpu

    [root@foundation66 ~]# systemctl start docker
    [root@foundation66 ~]# mount -t cgroup

    [root@foundation66 ~]# cd /sys/fs/cgroup/
    [root@foundation66 cgroup]# ls
    blkio cpu,cpuacct freezer net_cls perf_event
    cpu cpuset hugetlb net_cls,net_prio pids
    cpuacct devices memory net_prio systemd
    [root@foundation66 cgroup]# cd cpu
    [root@foundation66 cpu]# ls
    cgroup.clone_children cpu.cfs_period_us machine.slice
    cgroup.event_control cpu.cfs_quota_us notify_on_release
    cgroup.procs cpu.rt_period_us release_agent
    cgroup.sane_behavior cpu.rt_runtime_us system.slice
    cpuacct.stat cpu.shares tasks
    cpuacct.usage cpu.stat user.slice
    cpuacct.usage_percpu docker

    建立目录

    [root@foundation66 cpu]# mkdir x1
    [root@foundation66 cpu]# cd x1/
    [root@foundation66 x1]# ls

    -1表示无限制

    [root@foundation66 x1]# cat cpu.cfs_quota_us
    -1
    [root@foundation66 x1]# cat cpu.cfs_period_us
    100000

    非交互式限制control group占用时间为20000微秒(周期cpu.cfs_period_us为100000微秒,即最多占用单个CPU的20%)

    [root@foundation66 x1]# echo 20000 > cpu.cfs_quota_us
    [root@foundation66 x1]# cat cpu.cfs_quota_us
    20000
    [root@foundation66 x1]# cat cpu.cfs_period_us
    100000
    [root@foundation66 x1]# dd if=/dev/zero of=/dev/null &
    [1] 8110

    查看cpu为100%(此时dd进程还没有写入x1的tasks,限制尚未对它生效)

    [root@foundation66 ~]# top

    [root@foundation66 ~]# cd /sys/fs/cgroup/cpu/x1
    [root@foundation66 x1]# ls
    cgroup.clone_children cpuacct.usage_percpu cpu.shares
    cgroup.event_control cpu.cfs_period_us cpu.stat
    cgroup.procs cpu.cfs_quota_us notify_on_release
    cpuacct.stat cpu.rt_period_us tasks
    cpuacct.usage cpu.rt_runtime_us
    [root@foundation66 x1]# cat tasks

    查看id

    [root@foundation66 ~]# top

    [root@foundation66 x1]# pwd
    /sys/fs/cgroup/cpu/x1
    [root@foundation66 x1]# echo 8110 > tasks

    查看cpu

    [root@foundation66 ~]# top

    将dd进程调回并停止

    [root@foundation66 x1]# fg

    [root@foundation66 ~]# docker ps -a

    [root@foundation66 ~]# docker images

    --cpu-quota表示限制cpu

    [root@foundation66 ~]# docker run -it --name vm6 --cpu-quota=20000 ubuntu
    root@5cefff1cb6ab:/# dd if=/dev/zero of=/dev/null

    查看cpu;为20%

    [root@foundation66 ~]# top

    ^C11016001+0 records in
    11016000+0 records out
    5640192000 bytes (5.6 GB) copied, 79.2576 s, 71.2 MB/s

    root@5cefff1cb6ab:/# exit
    exit
    [root@foundation66 ~]# docker rm vm6
    vm6
    [root@foundation66 ~]# docker run -it --name vm6 ubuntu
    root@22897ef8daed:/# dd if=/dev/zero of=/dev/null

    查看cpu;为100%

    [root@foundation66 ~]# top

    ^C20341261+0 records in
    20341260+0 records out
    10414725120 bytes (10 GB) copied, 28.9112 s, 360 MB/s

    root@22897ef8daed:/# exit
    exit
    [root@foundation66 ~]# docker rm vm6
    vm6
    [root@foundation66 ~]# docker run -it --name vm6 --cpu-quota=20000 ubuntu
    root@d23d8a6edfd2:/#
    [root@foundation66 docker]# cd /sys/fs/cgroup/cpu/docker
    [root@foundation66 docker]# ls
    cgroup.clone_children
    cgroup.event_control
    cgroup.procs
    cpuacct.stat
    cpuacct.usage
    cpuacct.usage_percpu
    cpu.cfs_period_us
    cpu.cfs_quota_us
    cpu.rt_period_us
    cpu.rt_runtime_us
    cpu.shares
    cpu.stat
    d23d8a6edfd2ce61c1d98fc84317d53ab0dcc1eb0a34ab40848ddda61a5cf203
    notify_on_release
    tasks
    [root@foundation66 docker]# cd d23d8a6edfd2ce61c1d98fc84317d53ab0dcc1eb0a34ab40848ddda61a5cf203
    [root@foundation66 d23d8a6edfd2ce61c1d98fc84317d53ab0dcc1eb0a34ab40848ddda61a5cf203]# cat cpu.cfs_quota_us
    20000
    3.限制磁盘
    默认进入容器后,虽然是root用户,但只拥有受限的capabilities,权限相当于普通用户

    此方式(--privileged=true)权限过大:容器会获得全部capabilities,并能访问宿主机的设备,应尽量避免使用

    [root@foundation66 ~]# docker run -it --rm --privileged=true ubuntu
    root@cef14b7f48a4:/# fdisk -l

    root@cef14b7f48a4:/# exit
    exit

    添加权限(用--cap-add只按需添加NET_ADMIN这一项capability,授权范围比--privileged小)

    [root@foundation66 ~]# docker run -it --rm --cap-add=NET_ADMIN ubuntu
    root@c955d4a06fb0:/# fdisk -l
    root@c955d4a06fb0:/# ip addr

    root@c955d4a06fb0:/# ip addr add 172.18.0.4/24 dev eth0
    root@c955d4a06fb0:/# ip addr

    root@cef14b7f48a4:/# exit
    exit
    限制写入速度:
    [root@foundation66 ~]# cat /proc/partitions

    --device-write-bps表示限制写入速度

    [root@foundation66 ~]# docker run -it --rm --device-write-bps /dev/sda:30MB ubuntu

    发现写入速度被限制为每秒30MB(注意:在cgroup v1下,blkio限速通常只对直接I/O生效,测试时dd一般需要加oflag=direct)

    root@ead484e21ac5:/# dd if=/dev/zero of=file bs=1M count=300

    4.限制内存(使用lxcfs)

    (1).安装lxcfs

    [root@server1 ~]# cd lxcfs/
    [root@server1 lxcfs]# ls
    lxcfs-2.0.5-3.el7.centos.x86_64.rpm lxcfs-3.0.3.tar.gz
    [root@server1 lxcfs]# yum install -y lxcfs-2.0.5-3.el7.centos.x86_64.rpm
    [root@server1 lxcfs]# cd /var/lib/lxcfs/
    [root@server1 lxcfs]# ls
    (2).执行lxcfs

    [root@server1 ~]# lxcfs /var/lib/lxcfs &
    [1] 11749

    [root@server1 ~]# cd /var/lib/lxcfs/

    生成了proc目录

    [root@server1 lxcfs]# ls
    cgroup proc
    [root@server1 lxcfs]# cd proc/
    [root@server1 proc]# ls
    cpuinfo diskstats meminfo stat swaps uptime #cpu 磁盘 内存 状态 swaps uptime
    (3).下载并导入镜像

    [root@server1 ~]# docker images
    REPOSITORY TAG IMAGE ID CREATED SIZE
    [root@server1 ~]# ls
    docker lxcfs ubuntu.tar
    [root@server1 ~]# docker load -i ubuntu.tar

    [root@server1 ~]# docker images
    REPOSITORY TAG IMAGE ID CREATED SIZE
    ubuntu latest 07c86167cdc4 3 years ago 188MB
    (4).创建容器

    [root@server1 proc]# docker ps -a
    CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
    [root@server1 proc]# docker run -it --name vm1 -m 200m -v /var/lib/lxcfs/proc/cpuinfo:/proc/cpuinfo

    -v /var/lib/lxcfs/proc/diskstats:/proc/diskstats
    -v /var/lib/lxcfs/proc/meminfo:/proc/meminfo
    -v /var/lib/lxcfs/proc/stat:/proc/stat
    -v /var/lib/lxcfs/proc/swaps:/proc/swaps
    -v /var/lib/lxcfs/proc/uptime:/proc/uptime
    ubuntu
    测试:

    root@888781d16dbd:/# free -m

  • 原文地址:https://www.cnblogs.com/ztxd/p/12276018.html