Docker: Network Modes and Resource Control Management
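I. Docker's four network modes
1. host
- Two containers, A and B, created on the host communicate with each other internally through docker0 (which behaves like a small LAN and serves as the gateway for the containers); for external communication, addresses are mapped in NAT mode through the physical NIC ens33
- If the two containers run different services on the same port, the ports are mapped to different ports for external communication
2. container
- The new container does not create its own NIC or configure its own IP; instead it shares the IP and port range of a specified container
- This mode makes the newly created container share a network namespace with an existing container rather than with the host. The new container does not create its own NIC or configure its own IP; it shares the IP, port range and so on with the specified container. Apart from networking, the two containers remain isolated in everything else, such as the file system and the process list. Processes in the two containers can communicate through the lo loopback device
3. None
- This mode turns off the container's networking
- In this mode the container has only the lo loopback interface and no other NIC. none mode can be selected when the container is created with the --network=none parameter
- A network of this type has no connectivity, but a closed network protects the container well and improves security.
4. Bridge
- This mode allocates and configures an IP for every container and attaches the container to a Docker virtual bridge; the container communicates with the host through the docker0 bridge and the iptables nat table
- When the Docker daemon starts, it creates a virtual bridge named docker0 on the host, and the Docker containers started on this host are attached to it. A virtual bridge works much like a physical switch, so all containers on the host are joined into one layer-2 network through it
- An IP from the docker0 subnet is assigned to the container, and docker0's IP address is set as the container's default gateway. A veth pair is created on the host: Docker places one end in the newly created container and names it eth0 (the container's NIC), keeps the other end on the host under a name like vethxxx, and adds that device to the docker0 bridge. This can be viewed with the brctl show command.
Summary
host mode (--net=host): the container and the host share a network namespace
container mode (--net=container:NAME_or_ID): the container shares a network namespace with another container (shared IP address and port range)
none mode (--net=none): the container has its own network namespace, but no network configuration is applied to it (such as allocating a veth pair, connecting it to a bridge, or configuring an IP), so it cannot interact with the outside
bridge mode (--net=bridge): this is the default mode
docker0 is a virtual bridge, and all containers are attached to it (it is their virtual gateway). Together with iptables rules, the bridge performs address mapping, translating the container address range to the host's address range so that containers can talk to the host and, through the host, reach the external network.
Note: none of the above needs manual configuration; what actually has to be configured is a user-defined network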
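One way to confirm on a host which namespace a running container actually uses, by comparing the network-namespace links under /proc (an added example, not part of the original post). `netns_of`, `netns_mode` and `make_sample_proc` are hypothetical helper names, and the sample tree is constructed so the check runs without Docker.

```shell
#!/bin/sh
# Added example. On a Docker host, a container's init PID comes from:
#   docker inspect --format '{{.State.Pid}}' test3
# PROC_ROOT defaults to /proc; it is a parameter only so the check can be
# exercised against a constructed directory tree.

# Print the network-namespace identity of a PID, e.g. net:[4026531992].
netns_of() {
    readlink "${2:-/proc}/$1/ns/net"
}

# netns_mode CONTAINER_PID [PEER_PID] [PROC_ROOT]
#   host-shared       same namespace as PID 1  (--net=host)
#   container-shared  same namespace as PEER   (--net=container:NAME_or_ID)
#   isolated          a namespace of its own   (bridge, none, user-defined)
netns_mode() {
    proc=${3:-/proc}
    self=$(netns_of "$1" "$proc") || return 2
    host=$(netns_of 1 "$proc") || return 2
    if [ "$self" = "$host" ]; then
        echo host-shared
    elif [ -n "$2" ] && [ "$self" = "$(netns_of "$2" "$proc")" ]; then
        echo container-shared
    else
        echo isolated
    fi
}

# Constructed stand-in for /proc: PID 1 is the host, 2001 uses --net=host,
# 2002 is a bridge container, 2003 was started with --net=container:<2002>.
make_sample_proc() {
    while read -r pid inode; do
        mkdir -p "$1/$pid/ns"
        ln -s "net:[$inode]" "$1/$pid/ns/net"
    done <<'EOF'
1 4026531992
2001 4026531992
2002 4026532501
2003 4026532501
EOF
}

demo=$(mktemp -d)
make_sample_proc "$demo"
echo "2001 $(netns_mode 2001 "" "$demo")"
echo "2002 $(netns_mode 2002 "" "$demo")"
echo "2003 $(netns_mode 2003 2002 "$demo")"
rm -rf "$demo"
```

A result of `isolated` does not distinguish bridge from none; inside the container, none mode shows only the lo interface.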
II. Docker user-defined networks
1. List the networks
[root@server1 ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
4c67ba8a5d4b bridge bridge local
bfbf3cdaf20a host host local
f5b7dfaba49b none null local
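2. Create a container from an image and specify an IP address
- The image is already present locally, so no download is needed and the command runs directly
- This fails with an error response from the daemon: user-specified IP addresses are supported only on user-defined networks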
[root@server1 ~]# docker run -itd --name test1 --network bridge --ip 172.17.0.10 centos:7 /bin/bash
11ffd3d0a05f7def137ef2e1d6ed2d77f646032287dbe7b12c3210547860c2c3
docker: Error response from daemon: user specified IP address is supported on user defined networks only.
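3. Create a container from an image without specifying an IP address
- An error is reported, because an IP address had already been specified earlier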
[root@server1 ~]# docker run -itd --name test2 --network bridge centos:7 /bin/bash
2f35af2c52a632ac10eefe6ef5836f268626f18aa3060083c9a917bc03823d5c
[root@server1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2f35af2c52a6 centos:7 "/bin/bash" 2 seconds ago Up 1 second test2
11ffd3d0a05f centos:7 "/bin/bash" 2 minutes ago Created test1
[root@server1 ~]# docker start 11ffd3d0a05f
Error response from daemon: user specified IP address is supported on user defined networks only
Error: failed to start containers: 11ffd3d0a05f
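# Reason: manually specifying an IP address when creating and running the container is not allowed (no permission); it violates the rule that IP addresses are assigned in order
- Check the state of the running container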
[root@server1 ~]# docker exec -it 2f35af2c52a6 /bin/bash
[root@2f35af2c52a6 /]# yum -y install net-tools
[root@2f35af2c52a6 /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.2 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:ac:11:00:02 txqueuelen 0 (Ethernet)
RX packets 2475 bytes 13137917 (12.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2461 bytes 136191 (132.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
4. A user-defined network with fixed IPs
[root@server1 ~]# docker network create --subnet=172.18.0.0/16 mysub
7b9ff03bf0a3c829b452b5970c2ffca6a44a70fe0e00ca93226514a6a5c224d9
[root@server1 ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
4c67ba8a5d4b bridge bridge local
bfbf3cdaf20a host host local
7b9ff03bf0a3 mysub bridge local # user-defined
f5b7dfaba49b none null local
5. Assign a specified address
[root@server1 ~]# docker run -itd --name test3 --net mysub --ip 172.18.0.100 centos:7 /bin/bash
eda31a7db2875e735ade11389ffdd9edd790b6d907a02e0bba188d1f4689acbd
[root@server1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
eda31a7db287 centos:7 "/bin/bash" 4 seconds ago Up 4 seconds test3
2f35af2c52a6 centos:7 "/bin/bash" 14 minutes ago Up 14 minutes test2
11ffd3d0a05f centos:7 "/bin/bash" 16 minutes ago Created
- Check the container's network address
[root@server1 ~]# docker exec -it eda31a7db287 /bin/bash
[root@eda31a7db287 /]# yum -y install net-tools
[root@eda31a7db287 /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.18.0.100 netmask 255.255.0.0 broadcast 172.18.255.255
ether 02:42:ac:12:00:64 txqueuelen 0 (Ethernet)
RX packets 1979 bytes 13111519 (12.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1967 bytes 109708 (107.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
- Test the gateway
[root@eda31a7db287 /]# ping 172.18.0.1
PING 172.18.0.1 (172.18.0.1) 56(84) bytes of data.
64 bytes from 172.18.0.1: icmp_seq=1 ttl=64 time=0.067 ms
64 bytes from 172.18.0.1: icmp_seq=2 ttl=64 time=0.034 ms
64 bytes from 172.18.0.1: icmp_seq=3 ttl=64 time=0.036 ms
- Test the gateway of the other bridge
[root@eda31a7db287 /]# ping 172.17.0.1
PING 172.17.0.1 (172.17.0.1) 56(84) bytes of data.
64 bytes from 172.17.0.1: icmp_seq=1 ttl=64 time=0.051 ms
64 bytes from 172.17.0.1: icmp_seq=2 ttl=64 time=0.061 ms
64 bytes from 172.17.0.1: icmp_seq=3 ttl=64 time=0.038 ms
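III. Docker resource control (CPU, memory and I/O)
Preface
- Originating at Google in 2007, it controls resource allocation through the operating system kernel, limiting the memory, CPU, file system and other resources that applications use
- cgroup is a resource control mechanism
- Each container is equivalent to a process
1. CPU utilization control
- CPU period: the rule is that 1s is one period, and the parameter value is usually 100000 (the CPU unit of measure is seconds)
- To give this container 20% of the CPU, set the parameter to 20000, which is equivalent to allocating 0.2s of each period to the container
- At any one moment a CPU can be occupied by only one process
cat /sys/fs/cgroup/cpu/docker/<container ID>/cpu.cfs_quota_us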
[root@server1 ~]# cd /sys/fs/cgroup/cpu/docker/
[root@server1 docker]# ls
2f35af2c52a632ac10eefe6ef5836f268626f18aa3060083c9a917bc03823d5c
cgroup.clone_children
cgroup.event_control
cgroup.procs
cpuacct.stat
cpuacct.usage
cpuacct.usage_percpu
cpu.cfs_period_us
cpu.cfs_quota_us
cpu.rt_period_us
cpu.rt_runtime_us
cpu.shares
cpu.stat
eda31a7db2875e735ade11389ffdd9edd790b6d907a02e0bba188d1f4689acbd
notify_on_release
tasks
[root@server1 docker]# cd 2f35af2c52a632ac10eefe6ef5836f268626f18aa3060083c9a917bc03823d5c/
[root@server1 2f35af2c52a632ac10eefe6ef5836f268626f18aa3060083c9a917bc03823d5c]# ls
cgroup.clone_children cpuacct.usage cpu.rt_period_us notify_on_release
cgroup.event_control cpuacct.usage_percpu cpu.rt_runtime_us tasks
cgroup.procs cpu.cfs_period_us cpu.shares
cpuacct.stat cpu.cfs_quota_us cpu.stat
[root@server1 2f35af2c52a632ac10eefe6ef5836f268626f18aa3060083c9a917bc03823d5c]# cat cpu.cfs_quota_us
-1
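# -1 means the resources this container can use are unlimited, which causes problems: one container can consume too many resources and degrade the performance of the other containers
2. Viewing CPU usage dynamically
- ① top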
[root@server1 ~]# top
- ② docker stats
[root@server1 ~]# docker stats
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
eda31a7db287 test3 0.00% 82.76MiB / 3.686GiB 2.19% 13.1MB / 111kB 139kB / 49.1MB 1
2f35af2c52a6 test2 0.00% 96.35MiB / 3.686GiB 2.55% 13.1MB / 136kB 110MB / 49.8MB 1
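# CONTAINER ID    container ID
# NAME            container name
# CPU %           CPU usage
# MEM USAGE       memory usage
# LIMIT           maximum memory limit
# MEM %           memory utilization
# NET I/O         I/O control (network)
# BLOCK I/O       block control, which is also a form of I/O control
# PIDS            PID
3. Limiting CPU to 20%
- Method 1: apply the resource limit when creating and running the container
- ① Create the container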
[root@server1 ~]# docker run -itd --name test4 --cpu-quota 20000 centos:7 /bin/bash
5906465b58b809e7a30a63c8fd0aa0f16114fe5d8f006ff5343e0a943b4f3d51
- ② Compute pi
[root@server1 ~]# docker exec -it 5906465b58b8 /bin/bash
[root@5906465b58b8 /]# yum -y install bc
[root@5906465b58b8 /]# echo "scale=5000;4*a(1)" | bc -l -q
- ③ Open a new session window to check
[root@server1 ~]# top
- Method 2: set the limit on a container that already exists and is running
- ① List the running containers
[root@server1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5906465b58b8 centos:7 "/bin/bash" 13 minutes ago Up 13 minutes test4
eda31a7db287 centos:7 "/bin/bash" About an hour ago Up About an hour test3
2f35af2c52a6 centos:7 "/bin/bash" About an hour ago Up About an hour test2
11ffd3d0a05f centos:7 "/bin/bash" 2 hours ago Created test1
- ② Enter the container's directory and set the value
- echo "20000" > <full container ID>/cpu.cfs_quota_us
[root@server1 ~]# cd /sys/fs/cgroup/cpu/docker/
[root@server1 docker]# cd eda31a7db2875e735ade11389ffdd9edd790b6d907a02e0bba188d1f4689acbd/
[root@server1 eda31a7db2875e735ade11389ffdd9edd790b6d907a02e0bba188d1f4689acbd]# echo "20000" > cpu.cfs_quota_us
[root@server1 eda31a7db2875e735ade11389ffdd9edd790b6d907a02e0bba188d1f4689acbd]# cat cpu.cfs_quota_us
20000
4. Setting container weights
- Stop the running containers so that they do not consume resources
[root@server1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5906465b58b8 centos:7 "/bin/bash" 22 minutes ago Up 22 minutes test4
eda31a7db287 centos:7 "/bin/bash" About an hour ago Up About an hour test3
2f35af2c52a6 centos:7 "/bin/bash" 2 hours ago Up 2 hours test2
11ffd3d0a05f centos:7 "/bin/bash" 2 hours ago Created test1
[root@server1 ~]# docker stop 5906465b58b8
5906465b58b8
[root@server1 ~]# docker stop eda31a7db287
eda31a7db287
[root@server1 ~]# docker stop 2f35af2c52a6
2f35af2c52a6
[root@server1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5906465b58b8 centos:7 "/bin/bash" 23 minutes ago Exited (137) 56 seconds ago test4
eda31a7db287 centos:7 "/bin/bash" About an hour ago Exited (137) 38 seconds ago test3
2f35af2c52a6 centos:7 "/bin/bash" 2 hours ago Exited (137) 9 seconds ago test2
11ffd3d0a05f centos:7 "/bin/bash" 2 hours ago Created
- Set container weights for proportional allocation; each container's share is its weight as a percentage of the sum of all weights
[root@server1 ~]# docker run -itd --name c1 --cpu-shares 512 centos:7 /bin/bash
24dce68faa2f79b279baca01796df378f8a0f901653a845aa2e593655328eea4
[root@server1 ~]# docker run -itd --name c2 --cpu-shares 1024 centos:7 /bin/bash
7bb762fd67c304472e1360a301523672ebc3cdc9af0eb8aa832360d403382c23
[root@server1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7bb762fd67c3 centos:7 "/bin/bash" 3 seconds ago Up 2 seconds c2
24dce68faa2f centos:7 "/bin/bash" 19 seconds ago Up 18 seconds
- Open two more terminals, enter each container and run the test; use docker stats in the main terminal to watch
- ① Look up the container IDs
[root@server1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7bb762fd67c3 centos:7 "/bin/bash" 8 minutes ago Up 8 minutes c2
24dce68faa2f centos:7 "/bin/bash" 9 minutes ago Up 9 minutes c1
- ② Enter the containers from the two terminals and run the test
[root@server1 ~]# docker exec -it 7bb762fd67c3 /bin/bash
[root@7bb762fd67c3 /]# yum -y install epel-release
[root@7bb762fd67c3 /]# yum -y install stress
[root@7bb762fd67c3 /]# stress -c 4
# stress simulates fully loaded threads
[root@server1 ~]# docker exec -it 24dce68faa2f /bin/bash
[root@24dce68faa2f /]# yum -y install epel-release
[root@24dce68faa2f /]# yum -y install stress
[root@24dce68faa2f /]# stress -c 4
# stress simulates fully loaded threads
- ③ Check the containers' resource usage
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK IO PIDS
7bb762fd67c3 c2 265.10% 121.1MiB / 3.686GiB 3.21% 21.3MB / 173kB 1.12MB 50MB 7
24dce68faa2f c1 132.93% 120.8MiB / 3.686GiB 3.20% 21.5MB / 281kB 8.19kB 50.1MB 7
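The quota and weight settings from sections 1, 3 and 4 can be read back for every container at once from the cgroup files (an added example, not part of the original post). It assumes the cgroup v1 layout /sys/fs/cgroup/cpu/docker/<container ID>/ seen on this page; `cpu_limits` and `make_sample_tree` are hypothetical helper names and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: read back CPU limits from a cgroup v1 tree laid out like
# /sys/fs/cgroup/cpu/docker/<container ID>/ on this page.

# cpu_limits CGROUP_ROOT [NCPU]
# Prints one line per container directory:
#   <short id> quota=<N%|unlimited> shares=<n> contended=<N%>
# quota     = cpu.cfs_quota_us / cpu.cfs_period_us (both in microseconds)
# contended = share of NCPU*100% the container gets when all containers are busy
cpu_limits() {
    root=$1
    ncpu=${2:-1}
    total=0
    for d in "$root"/*/; do
        [ -f "$d/cpu.shares" ] || continue
        total=$((total + $(cat "$d/cpu.shares")))
    done
    for d in "$root"/*/; do
        [ -f "$d/cpu.shares" ] || continue
        id=$(basename "$d" | cut -c1-12)
        quota=$(cat "$d/cpu.cfs_quota_us")
        period=$(cat "$d/cpu.cfs_period_us")
        shares=$(cat "$d/cpu.shares")
        if [ "$quota" -lt 0 ]; then
            q=unlimited            # -1: no ceiling, can starve its neighbours
        else
            q="$((quota * 100 / period))%"
        fi
        echo "$id quota=$q shares=$shares contended=$((shares * 100 * ncpu / total))%"
    done
}

# Constructed sample tree: c1 and c2 from section 4 (directory names shortened
# to the 12-character IDs); columns are id, quota, shares.
make_sample_tree() {
    while read -r id quota shares; do
        mkdir -p "$1/$id"
        echo "$quota" > "$1/$id/cpu.cfs_quota_us"
        echo 100000 > "$1/$id/cpu.cfs_period_us"
        echo "$shares" > "$1/$id/cpu.shares"
    done <<'EOF'
24dce68faa2f -1 512
7bb762fd67c3 -1 1024
EOF
}

demo=$(mktemp -d)
make_sample_tree "$demo"
cpu_limits "$demo" 4    # 4 CPUs assumed for the sample
rm -rf "$demo"
```

On a real host the call would be `cpu_limits /sys/fs/cgroup/cpu/docker "$(nproc)"`. The contended values for the sample (133% and 266% of four CPUs) line up with the 132.93% and 265.10% that docker stats reports above.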
5. Restricting which CPUs a container uses (the 2nd and 4th are specified)
- Stop all running containers
[root@server1 ~]# docker stop 7bb762fd67c3
7bb762fd67c3
[root@server1 ~]# docker stop 24dce68faa2f
24dce68faa2f
[root@server1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7bb762fd67c3 centos:7 "/bin/bash" 45 minutes ago Exited (137) 27 seconds ago c2
24dce68faa2f centos:7 "/bin/bash" 45 minutes ago Exited (137) 11 seconds ago c1
5906465b58b8 centos:7 "/bin/bash" About an hour ago Exited (137) 50 minutes ago test4
eda31a7db287 centos:7 "/bin/bash" 2 hours ago Exited (137) 50 minutes ago test3
2f35af2c52a6 centos:7 "/bin/bash" 2 hours ago Exited (137) 49 minutes ago test2
11ffd3d0a05f centos:7 "/bin/bash" 3 hours ago Created
- Create the container
[root@server1 ~]# docker run -itd --name c3 --cpuset-cpus 1,3 centos:7 /bin/bash
[root@server1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d21509f83a1a centos:7 "/bin/bash" 3 hours ago Up 3 hours c3
[root@server1 ~]# docker exec -it d21509f83a1a /bin/bash
[root@d21509f83a1a /]# yum -y install epel-release
[root@d21509f83a1a /]# yum -y install stress
[root@d21509f83a1a /]# stress -c 2
- Check from another terminal
[root@server1 ~]# top
top - 04:13:17 up 9:45, 4 users, load average: 0.43, 0.15, 0.09
Tasks: 223 total, 3 running, 220 sleeping, 0 stopped, 0 zombie
%Cpu0 : 0.0 us, 0.3 sy, 0.0 ni, 99.7 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu1 :100.0 us, 0.0 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu2 : 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
%Cpu3 :100.0 us, 0.0 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
6. Limiting the maximum memory usage
- Create the container
[root@server1 ~]# docker run -itd --name c4 -m 512m centos:7 /bin/bash
4be6941bc10e3bf5603a4e56093e202c4ea78e93a8aecd450c7aac8e2de6e954
[root@server1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4be6941bc10e centos:7 "/bin/bash" 4 seconds ago Up 3 seconds
- Check
[root@server1 ~]# docker stats
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
4be6941bc10e c4 0.00% 392KiB / 512MiB 0.07% 648B / 0B 0B / 0B 1
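7. Docker I/O limits
- Docker's I/O limits constrain block I/O
- Limits on data volume are used more often; limits on the number of I/O operations are used less
--device-read-bps: limits the bps read from a device (data volume, bit rate, data transfer rate per second)
docker run -itd --device-read-bps /dev/sda:30M centos:7 /bin/bash
--device-write-bps: limits the bps written to a device (data volume)
docker run -itd --device-write-bps /dev/sda:30M centos:7 /bin/bash
--device-read-iops: limits the iops read from a device (number of operations)
--device-write-iops: limits the iops written to a device (number of operations)
8. Batch deletion with a for loop
- Batch-delete the containers in the "exit" state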
[root@server1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4be6941bc10e centos:7 "/bin/bash" 4 minutes ago Up 4 minutes c4
d21509f83a1a centos:7 "/bin/bash" 3 hours ago Up 3 hours c3
7bb762fd67c3 centos:7 "/bin/bash" 4 hours ago Exited (137) 3 hours ago c2
24dce68faa2f centos:7 "/bin/bash" 4 hours ago Exited (137) 3 hours ago c1
5906465b58b8 centos:7 "/bin/bash" 4 hours ago Exited (137) 4 hours ago test4
eda31a7db287 centos:7 "/bin/bash" 5 hours ago Exited (137) 4 hours ago test3
2f35af2c52a6 centos:7 "/bin/bash" 6 hours ago Exited (137) 4 hours ago test2
11ffd3d0a05f centos:7 "/bin/bash" 6 hours ago Created test1
[root@server1 ~]# for i in `docker ps -a | grep -i exit | awk '{print $1}'`;do docker rm -f $i;done
7bb762fd67c3
24dce68faa2f
5906465b58b8
eda31a7db287
2f35af2c52a6
[root@server1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4be6941bc10e centos:7 "/bin/bash" 5 minutes ago Up 5 minutes c4
d21509f83a1a centos:7 "/bin/bash" 3 hours ago Up 3 hours c3