System Design | Resource Isolation with Docker

Preface: the docker command already ships with its own documentation, so there is no need to search the web for it.
For example, running docker run --help shows:

    ➜ ~ docker run --help

    Usage:  docker run [OPTIONS] IMAGE [COMMAND] [ARG...]

    Run a command in a new container

    Options:
          --add-host list                  Add a custom host-to-IP mapping (host:ip)
      -a, --attach list                    Attach to STDIN, STDOUT or STDERR
          --blkio-weight uint16            Block IO (relative weight), between 10 and 1000, or 0 to disable (default 0)
          --blkio-weight-device list       Block IO weight (relative device weight) (default [])
          --cap-add list                   Add Linux capabilities
          --cap-drop list                  Drop Linux capabilities
          --cgroup-parent string           Optional parent cgroup for the container
          --cidfile string                 Write the container ID to the file
          --cpu-period int                 Limit CPU CFS (Completely Fair Scheduler) period
          --cpu-quota int                  Limit CPU CFS (Completely Fair Scheduler) quota
          --cpu-rt-period int              Limit CPU real-time period in microseconds
          --cpu-rt-runtime int             Limit CPU real-time runtime in microseconds
      -c, --cpu-shares int                 CPU shares (relative weight)
          --cpus decimal                   Number of CPUs
          --cpuset-cpus string             CPUs in which to allow execution (0-3, 0,1)
          --cpuset-mems string             MEMs in which to allow execution (0-3, 0,1)
      -d, --detach                         Run container in background and print container ID
          --detach-keys string             Override the key sequence for detaching a container
          --device list                    Add a host device to the container
          --device-cgroup-rule list        Add a rule to the cgroup allowed devices list
          --device-read-bps list           Limit read rate (bytes per second) from a device (default [])
          --device-read-iops list          Limit read rate (IO per second) from a device (default [])
          --device-write-bps list          Limit write rate (bytes per second) to a device (default [])
          --device-write-iops list         Limit write rate (IO per second) to a device (default [])
          --disable-content-trust          Skip image verification (default true)
          --dns list                       Set custom DNS servers
          --dns-option list                Set DNS options
          --dns-search list                Set custom DNS search domains
          --domainname string              Container NIS domain name
          --entrypoint string              Overwrite the default ENTRYPOINT of the image
      -e, --env list                       Set environment variables
          --env-file list                  Read in a file of environment variables
          --expose list                    Expose a port or a range of ports
          --gpus gpu-request               GPU devices to add to the container ('all' to pass all GPUs)
          --group-add list                 Add additional groups to join
          --health-cmd string              Command to run to check health
          --health-interval duration       Time between running the check (ms|s|m|h) (default 0s)
          --health-retries int             Consecutive failures needed to report unhealthy
          --health-start-period duration   Start period for the container to initialize before starting health-retries countdown (ms|s|m|h) (default 0s)
          --health-timeout duration        Maximum time to allow one check to run (ms|s|m|h) (default 0s)
          --help                           Print usage
      -h, --hostname string                Container host name
          --init                           Run an init inside the container that forwards signals and reaps processes
      -i, --interactive                    Keep STDIN open even if not attached
          --ip string                      IPv4 address (e.g., 172.30.100.104)
          --ip6 string                     IPv6 address (e.g., 2001:db8::33)
          --ipc string                     IPC mode to use
          --isolation string               Container isolation technology
          --kernel-memory bytes            Kernel memory limit
      -l, --label list                     Set meta data on a container
          --label-file list                Read in a line delimited file of labels
          --link list                      Add link to another container
          --link-local-ip list             Container IPv4/IPv6 link-local addresses
          --log-driver string              Logging driver for the container
          --log-opt list                   Log driver options
          --mac-address string             Container MAC address (e.g., 92:d0:c6:0a:29:33)
      -m, --memory bytes                   Memory limit
          --memory-reservation bytes       Memory soft limit
          --memory-swap bytes              Swap limit equal to memory plus swap: '-1' to enable unlimited swap
          --memory-swappiness int          Tune container memory swappiness (0 to 100) (default -1)
          --mount mount                    Attach a filesystem mount to the container
          --name string                    Assign a name to the container
          --network network                Connect a container to a network
          --network-alias list             Add network-scoped alias for the container
          --no-healthcheck                 Disable any container-specified HEALTHCHECK
          --oom-kill-disable               Disable OOM Killer
          --oom-score-adj int              Tune host's OOM preferences (-1000 to 1000)
          --pid string                     PID namespace to use
          --pids-limit int                 Tune container pids limit (set -1 for unlimited)
          --platform string                Set platform if server is multi-platform capable
          --privileged                     Give extended privileges to this container
      -p, --publish list                   Publish a container's port(s) to the host
      -P, --publish-all                    Publish all exposed ports to random ports
          --read-only                      Mount the container's root filesystem as read only
          --restart string                 Restart policy to apply when a container exits (default "no")
          --rm                             Automatically remove the container when it exits
          --runtime string                 Runtime to use for this container
          --security-opt list              Security Options
          --shm-size bytes                 Size of /dev/shm
          --sig-proxy                      Proxy received signals to the process (default true)
          --stop-signal string             Signal to stop a container (default "SIGTERM")
          --stop-timeout int               Timeout (in seconds) to stop a container
          --storage-opt list               Storage driver options for the container
          --sysctl map                     Sysctl options (default map[])
          --tmpfs list                     Mount a tmpfs directory
      -t, --tty                            Allocate a pseudo-TTY
          --ulimit ulimit                  Ulimit options (default [])
      -u, --user string                    Username or UID (format: [:])
          --userns string                  User namespace to use
          --uts string                     UTS namespace to use
      -v, --volume list                    Bind mount a volume
          --volume-driver string           Optional volume driver for the container
          --volumes-from list              Mount volumes from the specified container(s)
      -w, --workdir string                 Working directory inside the container

Here we mainly use two parameters: --cpus and --memory.
CPU
  1. --cpus decimal: how much of the available CPU a container may use. On a 4-core CPU, setting 1.5 means the container can use at most 1.5 cores' worth of CPU time; if --cpuset-cpus is not set, those 1.5 cores' worth can be scheduled on any core.
  2. --cpuset-cpus: which CPU cores the container may run on. On a 4-core CPU the cores are numbered 0-3, so setting this to 0,1 means the container may use the first and second cores. In my own testing this seemed to have no effect, possibly because I used it incorrectly.
Memory
  1. --memory bytes: the maximum amount of memory the container may use.
  2. --memory-swap bytes: the maximum amount of swap the container may use. This option only works together with --memory; if --memory is not set, this parameter has no effect.
  3. --memory-swappiness int: how strongly the container prefers to use swap, from 0 to 100.
  4. --oom-kill-disable: disable the OOM Killer.
Test: first pull an image that can run test workloads and lets you choose between IO-bound and CPU-bound tasks.
    docker pull lorel/docker-stress-ng

CPU limit test
Without a CPU limit
    ➜ ~ docker run -it --rm lorel/docker-stress-ng:latest --cpu 8
    stress-ng: info: [1] defaulting to a 86400 second run per stressor
    stress-ng: info: [1] dispatching hogs: 8 cpu

    ➜ ~ docker stats
    CONTAINER ID   NAME     CPU %     MEM USAGE / LIMIT     MEM %   NET I/O     BLOCK I/O   PIDS
    7df53644fd9a   stress   202.30%   36.11MiB / 1.945GiB   1.81%   976B / 0B   0B / 0B     9

docker stats shows that CPU usage has reached 200% (I'm on a Mac, where the Docker VM is limited to at most 2 CPU cores).
With a CPU limit
    ➜ ~ docker container run --cpus=0.5 -it --rm lorel/docker-stress-ng:latest --cpu 8
    stress-ng: info: [1] defaulting to a 86400 second run per stressor
    stress-ng: info: [1] dispatching hogs: 8 cpu

    ➜ ~ docker stats
    CONTAINER ID   NAME         CPU %    MEM USAGE / LIMIT     MEM %   NET I/O     BLOCK I/O   PIDS
    6244647a3f97   zen_euclid   52.43%   36.22MiB / 1.945GiB   1.82%   836B / 0B   0B / 0B     9

CPU usage has come down. It slightly exceeds 50% here, but never by much.
Memory limit test
Without a memory limit
    ➜ ~ docker container run -it --rm lorel/docker-stress-ng:latest --vm 2 --vm-bytes 999m
    stress-ng: info: [1] defaulting to a 86400 second run per stressor
    stress-ng: info: [1] dispatching hogs: 2 vm

    ➜ ~ docker stats
    CONTAINER ID   NAME     CPU %    MEM USAGE / LIMIT     MEM %    NET I/O     BLOCK I/O   PIDS
    5b040326f896   stress   89.88%   1.801GiB / 1.945GiB   92.59%   836B / 0B   0B / 0B     5

Memory usage reached nearly 2 GB.
With a memory limit
    ➜ ~ docker container run -it --rm --memory 500m lorel/docker-stress-ng:latest --vm 2 --vm-bytes 999m
    stress-ng: info: [1] defaulting to a 86400 second run per stressor
    stress-ng: info: [1] dispatching hogs: 2 vm

    ➜ ~ docker stats
    CONTAINER ID   NAME     CPU %     MEM USAGE / LIMIT   MEM %    NET I/O     BLOCK I/O   PIDS
    7e8457ed992c   stress   202.51%   497.9MiB / 500MiB   99.58%   836B / 0B   0B / 0B     5

Memory usage has been kept within 500m.
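To tie the parameter descriptions to the tests above, here is an added shell example (my own code, not from the original post) that builds the limit flags for a docker run dry run, computes the CFS quota that --cpus expands to, and rejects the combinations the post warns about: --memory-swap without --memory, or a memory-plus-swap total smaller than the memory limit. It assumes POSIX sh with awk, Docker's default 100000 µs CFS period, and function names that are mine.

```shell
#!/bin/sh
# Added example, not part of the original post. The docker command itself is
# only printed (dry run), so the script runs anywhere a POSIX sh is available.

# --cpus is shorthand for a CFS quota: quota_us = cpus * period_us, with
# Docker's default period of 100000 us (so --cpus=0.5 is a 50000 us quota).
cpus_to_quota() {
    awk -v c="$1" 'BEGIN { printf "%d\n", c * 100000 }'
}

# Convert a Docker size string such as 500m, 2g or 1024k to bytes.
to_bytes() {
    n=${1%[kKmMgG]}
    case "$1" in
        *[kK]) echo $((n * 1024)) ;;
        *[mM]) echo $((n * 1024 * 1024)) ;;
        *[gG]) echo $((n * 1024 * 1024 * 1024)) ;;
        *)     echo "$n" ;;
    esac
}

# build_limits CPUS MEMORY [MEMORY_SWAP]
# Prints the flags for docker run, or returns 1 for a combination that will not
# behave as intended: --memory-swap is ignored without --memory (as the post
# notes), and --memory-swap is a memory+swap total, so it must be >= --memory
# (or -1 for unlimited swap).
build_limits() {
    cpus=$1; mem=$2; swap=$3
    args=""
    [ -n "$cpus" ] && args="$args --cpus=$cpus"
    if [ -n "$mem" ]; then
        args="$args --memory=$mem"
        if [ -n "$swap" ]; then
            if [ "$swap" != "-1" ] && [ "$(to_bytes "$swap")" -lt "$(to_bytes "$mem")" ]; then
                echo "error: --memory-swap must be >= --memory (or -1)" >&2
                return 1
            fi
            args="$args --memory-swap=$swap"
        fi
    elif [ -n "$swap" ]; then
        echo "error: --memory-swap has no effect without --memory" >&2
        return 1
    fi
    echo "${args# }"
}

# Dry run: the command the post's memory-limited stress test would use,
# with a CPU cap added on top.
echo "docker run -it --rm $(build_limits 0.5 500m) lorel/docker-stress-ng:latest --vm 2 --vm-bytes 999m"
```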
