[Docker] Centos 基于 lxcfs 增强 Docker 隔离能力 （docker free 显示问题）

一、 背景介绍

        由于 Docker 自身的原因，在容器内执行诸如 free 、top等命令时，看到的却是宿主机的相关状态信息，给监控带来了困扰

        本文介绍通过在宿主机安装 lxcfs 组件，增强 Docker 容器的隔离性，执行 free 命令时真正显示 -m 参数所设置的内存值

二、 设置步骤

2.1   本文宿主机操作系统为 CentOS 7，首先安装 lxcfs 软件

# yum install lxcfs-2.0.5-3.el7.centos.x86_64.rpm

        lxcfs-2.0.5-3.el7.centos.x86_64.rpm 下载地址

2.2  启动 lxcfs

# systemctl start lxcfs

      或者直接执行启动命令

# lxcfs /var/lib/lxcfs &

2.3  配置容器启动参数

      -v /var/lib/lxcfs/proc/cpuinfo:/proc/cpuinfo:rw

      -v /var/lib/lxcfs/proc/diskstats:/proc/diskstats:rw

      -v /var/lib/lxcfs/proc/meminfo:/proc/meminfo:rw

      -v /var/lib/lxcfs/proc/stat:/proc/stat:rw

      -v /var/lib/lxcfs/proc/swaps:/proc/swaps:rw

      -v /var/lib/lxcfs/proc/uptime:/proc/uptime:rw

      只要容器启动时映射了宿主机的这些文件，即可修正 free、top等命令的错误显示

2.4  验证

docker run -it -m 300m  \
      -v /var/lib/lxcfs/proc/cpuinfo:/proc/cpuinfo:rw \
      -v /var/lib/lxcfs/proc/diskstats:/proc/diskstats:rw \
      -v /var/lib/lxcfs/proc/meminfo:/proc/meminfo:rw \
      -v /var/lib/lxcfs/proc/stat:/proc/stat:rw \
      -v /var/lib/lxcfs/proc/swaps:/proc/swaps:rw \
      -v /var/lib/lxcfs/proc/uptime:/proc/uptime:rw \
	  ubuntu:14.04 /bin/bash

      

=====

设置 lxcfs 开机自启动

# vim /lib/systemd/system/lxcfs.service

[Unit]
Description=FUSE filesystem for LXC
ConditionVirtualization=!container
Before=lxc.service
Documentation=man:lxcfs(1)

[Service]
ExecStart=/usr/bin/lxcfs /var/lib/lxcfs/
KillMode=process
Restart=on-failure
ExecStopPost=-/bin/fusermount -u /var/lib/lxcfs
Delegate=yes

[Install]
WantedBy=multi-user.target

# systemctl enable lxcfs
# systemctl start lxcfs