—容器资源限制
1、cpu属于可压缩资源
2、内存属于不可压缩资源
—OOM
Out Of Memory Exception 内存溢出
linux会为每一个进程算一个分数,当内存资源不够时,会kill掉分数最高的进程
OOM优先机制:
1、/proc/PID/oom_score_adj 数值范围在-1000到1000,值越高越容易被kill掉,值设置为-1000时,表示该进程永远不会被kill掉
2、/proc/PID/oom_adj 数值范围在-17到15,值越高越容易被kill掉,值设置为-17时,表示该进程永远不会被kill掉
3、/proc/PID/oom_score 这个值综合进程的内存占用、cpu占用、存活时间和oom_adj计算出的进程得分,得分越高,越容易被kill掉
—容器资源限制的方式
1、docker早期使用cgroupfs进行容器的资源限制管理,然后再调用内核的cgroup进行资源限制
2、k8s使用systemd直接调用cgroup实现资源限制
#配置docker使用systemd进行资源限制
root@wuyang-3:~# cat /etc/docker/daemon.json | grep exec-opts
"exec-opts": ["native.cgroupdriver=systemd"],
root@wuyang-3:~# cat /etc/default/grub | grep cgroup_enable=memory
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0 cgroup_enable=memory swapaccount=1"
root@wuyang-3:~# sudo update-grub && reboot
—容器内存资源限制
#容器内存资源限制的更多参数可通过 --help 查看
root@wuyang-3:~# docker run --help | grep -A 14 "m,"
-m, --memory bytes Memory limit
--memory-reservation bytes Memory soft limit
--memory-swap bytes Swap limit equal to memory plus swap: '-1' to enable unlimited swap
--memory-swappiness int Tune container memory swappiness (0 to 100) (default -1)
--mount mount Attach a filesystem mount to the container
--name string Assign a name to the container
--network network Connect a container to a network
--network-alias list Add network-scoped alias for the container
--no-healthcheck Disable any container-specified HEALTHCHECK
--oom-kill-disable Disable OOM Killer
--oom-score-adj int Tune host's OOM preferences (-1000 to 1000)
--pid string PID namespace to use
--pids-limit int Tune container pids limit (set -1 for unlimited)
--platform string Set platform if server is multi-platform capable
--privileged Give extended privileges to this container
#在运行容器时设置oom_score_adj的值
root@wuyang-3:~# docker run -it -d --oom-score-adj 400 nginx:alpine
172e37a734c6a1b5d0f526639e04948d18c61fe3e18ea393da671b6d0197319b
#对容器关闭oom机制 --oom-kill-disable(应与 -m 内存限制配合使用,否则容器可能耗尽宿主机内存,见下方WARNING)
root@wuyang-3:~# docker run -it -d --oom-kill-disable nginx:alpine
WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous.
WARNING: Your kernel does not support OomKillDisable. OomKillDisable discarded.
d27e0909c4ec44f402f20629001466feda217258ccce0604ae8113c0420b5185
#对容器进行内存限制参数 -m
#内存限制单位为:b 、k 、m 、g等
root@wuyang-3:~# docker run -it -d -m 256m -p 82:80 nginx:alpine
0ed7954664fe9d86efdb42e3840fd13f56d84577f06122c9dea5003547e9d7aa
—容器cpu资源限制
#容器cpu的更多限制参数可通过 --help 查看
root@wuyang-3:~# docker run --help | grep -C 5 "c,"
--cidfile string Write the container ID to the file
--cpu-period int Limit CPU CFS (Completely Fair Scheduler) period
--cpu-quota int Limit CPU CFS (Completely Fair Scheduler) quota
--cpu-rt-period int Limit CPU real-time period in microseconds
--cpu-rt-runtime int Limit CPU real-time runtime in microseconds
-c, --cpu-shares int CPU shares (relative weight)
--cpus decimal Number of CPUs
--cpuset-cpus string CPUs in which to allow execution (0-3, 0,1)
--cpuset-mems string MEMs in which to allow execution (0-3, 0,1)
-d, --detach Run container in background and print container ID
--detach-keys string Override the key sequence for detaching a container
#限制容器cpu的个数 --cpus
root@wuyang-3:~# docker run -it -d --cpus 2 nginx:alpine
8a2fb79746bb76d844287226a9c9a3eca16f9bac6af022fa2a1a00439f38432d
#容器运行在指定的cpu上 --cpuset-cpus
root@wuyang-3:~# docker run -it -d --cpus 2 --cpuset-cpus 0,1 nginx:alpine
f599d3bbd3fe8172b963e8a10e49037194a1ccea55fa1ac3dbf9937846624089
—运行压测容器测试资源限制效果
#拉取 lorel/docker-stress-ng 镜像
root@wuyang-3:/sys/fs# docker pull lorel/docker-stress-ng
Using default tag: latest
latest: Pulling from lorel/docker-stress-ng
Image docker.io/lorel/docker-stress-ng:latest uses outdated schema1 manifest format. Please upgrade to a schema2 image for better future compatibility. More information at https://docs.docker.com/registry/spec/deprecated-schema-v1/
c52e3ed763ff: Pull complete
a3ed95caeb02: Pull complete
7f831269c70e: Pull complete
Digest: sha256:c8776b750869e274b340f8e8eb9a7d8fb2472edd5b25ff5b7d55728bca681322
Status: Downloaded newer image for lorel/docker-stress-ng:latest
docker.io/lorel/docker-stress-ng:latest
#运行 lorel/docker-stress-ng 镜像压测内存和cpu --vm 表示进程数量 --cpu表示cpu核数 --vm-bytes 表示内存大小 M表示兆
root@wuyang-3:~# docker run -it -d --cpus 2 -m 256m lorel/docker-stress-ng --cpu 2 --vm-bytes 300M --vm 1
9069a8c0e0d86d52682d472684987ab811bae20bbd50c742225974fd15d63e1f
#查看容器占用的资源
root@wuyang-3:~# docker stats 9069a8c0e0d8
—容器资源限制验证
#cgroup验证
root@docker-server1:~# cat /sys/fs/cgroup/docker/b7b3755f22962538418dc56c23c03941cd7f97178ed8e25c7d02fbc4ca9878ed/memory.max
#systemd验证 cpu.max 中 前者/后者=cpu限制的核数;memory.max 单位为字节(byte),209715200 即 256m
root@wuyang-3:~# cat /sys/fs/cgroup/system.slice/docker-c82537c1b35a6fac157ca7bb5aab272be3c3c229079b9785cbcb4d10a2705ec1.scope/cpu.max
200000 100000
root@wuyang-3:~# cat /sys/fs/cgroup/system.slice/docker-a90eedb478e1747656c41527669cd07f60df6511d542279e46ccdd7cbf1063a9.scope/memory.max
209715200