目录
一. cgroup
1. cpu资源限制
2. cpu优先级
3. 内存资源限制
4. 磁盘io限制
二. lxcfs隔离
三. 容器特权
一. cgroup
1. cpu资源限制
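# CPU hard limit via CFS bandwidth control: --cpu-quota / --cpu-period =
# 20000 / 100000, i.e. the container may use at most 20% of one core no
# matter how idle the host is (unlike --cpu-shares, this is not a weight).
docker run -it --rm --cpu-period 100000 --cpu-quota 20000 ubuntu
# (inside the container) burn CPU in the background; `top` on the host should
# show the dd process pinned at roughly 20%.
dd if=/dev/zero of=/dev/null &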
2. cpu优先级
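# CPU priority: --cpu-shares is a relative weight (default 1024), not a cap.
# It only matters when containers actually compete for the same CPU time.
# Container 1: default weight 1024.
docker run -it --rm ubuntu
# (inside container 1)
dd if=/dev/zero of=/dev/null &
# Container 2: weight 100, so under contention it gets about 100/(1024+100)
# of the CPU while container 1 gets the rest.
docker run -it --rm --cpu-shares 100 ubuntu
# (inside container 2)
dd if=/dev/zero of=/dev/null &
# To force contention, take cpu1 offline on the HOST so only cpu0 remains
# (cpu0 itself cannot be offlined). `online` lives inside the cpuN directory,
# so write to the full path. This affects every workload on the machine --
# test box only -- and must be reverted afterwards with
# `echo 1 > /sys/devices/system/cpu/cpu1/online`.
echo 0 > /sys/devices/system/cpu/cpu1/online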
测试时只保留一个 CPU 核心在线（其余核心先 offline），因为 --cpu-shares 是相对权重，只有多个容器争抢同一 CPU 时才会体现出来；测试结束后记得向对应的 online 文件写 1 恢复核心。
3. 内存资源限制
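# Container memory limit. Setting --memory-swap equal to --memory means the
# swap allowance (memory-swap minus memory) is 0: the container gets no swap.
docker run -d --name demo --memory 200M --memory-swap=200M nginx

# The same limit built by hand with the cgroup v1 memory controller
# (mounted at /sys/fs/cgroup/memory; on cgroup v2 the equivalent file is
# memory.max). The original notes listed the path without cd'ing into it.
cd /sys/fs/cgroup/memory
mkdir x1
cd x1/
echo 209715200 > memory.limit_in_bytes      # 200 MiB (RSS + page cache)

# cgexec from libcgroup-tools runs a command inside an existing cgroup.
yum install -y libcgroup-tools.x86_64
# /dev/shm is tmpfs, so the file's pages are charged to the cgroup. With only
# memory.limit_in_bytes set, the 100 MiB over the limit is swapped out rather
# than refused -- `free -m` should show swap usage growing.
cd /dev/shm/
cgexec -g memory:x1 dd if=/dev/zero of=bigfile bs=1M count=300
free -m

# Now also cap memory+swap at 200 MiB. The same dd can no longer spill to
# swap, so it fails once the cgroup is exhausted (cgroup OOM kill).
cd /sys/fs/cgroup/memory/x1/
echo 209715200 > memory.memsw.limit_in_bytes
cd /dev/shm
cgexec -g memory:x1 dd if=/dev/zero of=bigfile bs=1M count=300
# Cleanup: the tmpfs file stays resident (and charged) until it is removed.
rm -f /dev/shm/bigfile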
按用户（而不是按单个命令）施加内存限制：通过 cgrules 把该用户的所有进程自动归入 x1 cgroup
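# Bind a whole user to the cgroup: cgrulesengd (cgred) watches for new
# processes and moves those owned by `yyl` into memory:x1.
# Rule format: <user[:process]>  <controllers>  <destination cgroup>
printf '%s\n' 'yyl memory x1/' >> /etc/cgrules.conf
systemctl start cgred.service
# Start a fresh session as that user so cgred classifies it; the same tmpfs
# write is now subject to the x1 limit without needing cgexec.
su - yyl
cd /dev/shm/
dd if=/dev/zero of=bigfile bs=1M count=200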
4. 磁盘io限制
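# Block-device write throttle: 30 MB/s on /dev/sda for this container. The
# device must be the one actually backing the write (the container's writable
# layer or a bind mount on that disk); a limit on the wrong device never fires.
docker run -it --rm --device-write-bps /dev/sda:30MB ubuntu
# (inside the container) oflag=direct bypasses the page cache so the throttle
# shows up in dd's reported rate; buffered writes would land in RAM first.
dd if=/dev/zero of=bigfile bs=1M count=100 oflag=direct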
二. lxcfs隔离
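# lxcfs serves cgroup-aware versions of a few /proc files over FUSE so that
# `free`, `top` etc. inside the container report the container's limits
# instead of the host's. It is a *view*, not a security boundary: it
# restricts nothing, and enforcement still comes from the cgroup limits.
# NOTE(review): this pins an old 2.0.x build for CentOS 7; prefer the
# distro/EPEL package and run lxcfs as a systemd service rather than a
# backgrounded shell job, so the FUSE mount outlives this login shell.
yum install lxcfs-2.0.5-3.el7.centos.x86_64.rpm
lxcfs /var/lib/lxcfs &

# Overlay the lxcfs-provided files onto the container's /proc entries.
# The container only reads these files; :ro should be sufficient -- verify
# with your lxcfs/Docker versions before changing it.
docker run -it -m 256m \
  -v /var/lib/lxcfs/proc/cpuinfo:/proc/cpuinfo:rw \
  -v /var/lib/lxcfs/proc/diskstats:/proc/diskstats:rw \
  -v /var/lib/lxcfs/proc/meminfo:/proc/meminfo:rw \
  -v /var/lib/lxcfs/proc/stat:/proc/stat:rw \
  -v /var/lib/lxcfs/proc/swaps:/proc/swaps:rw \
  -v /var/lib/lxcfs/proc/uptime:/proc/uptime:rw \
  ubuntu
# (inside the container) total memory now reads 256 MiB rather than the host's.
free -m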
三. 容器特权
默认情况下容器内的 root 只拥有 Docker 授予的一小组 capability，并受默认 seccomp 配置约束，并不等于宿主机上的完整 root 权限
docker run -it --rm busybox
开启容器特权（--privileged 会授予全部 capability、放开对宿主机所有设备的访问并关闭默认的 seccomp/AppArmor 限制，容器内 root 基本等同于宿主机 root，生产环境应避免使用）
docker run -it --rm --privileged busybox
按需添加单个 capability（白名单方式）：先丢弃全部 capability，再只加回真正需要的那一个，而不是整体开启特权
docker run -it --rm --cap-add=NET_ADMIN busybox