cgroup与docker
1、使用 cgroup namespace 需要内核开启 CONFIG_CGROUPS 选项。可通过以下方式验证:
root@container:~/namespace_test# grep CONFIG_CGROUPS /boot/config-$(uname -r)
2、查看cgroup挂载信息:
root@lord:~# mount -t cgroup cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd) cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct) cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids) cgroup on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,rdma) cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset) cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb) cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event) cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer) cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices) cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio) cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio) cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
可以看到cgroup位置在 /sys/fs/cgroup/
root@lord:~# ls -l /sys/fs/cgroup/ total 0 dr-xr-xr-x 4 root root 0 Oct 12 10:32 blkio lrwxrwxrwx 1 root root 11 Oct 12 10:32 cpu -> cpu,cpuacct lrwxrwxrwx 1 root root 11 Oct 12 10:32 cpuacct -> cpu,cpuacct dr-xr-xr-x 5 root root 0 Oct 12 10:32 cpu,cpuacct dr-xr-xr-x 3 root root 0 Oct 12 10:32 cpuset dr-xr-xr-x 5 root root 0 Oct 12 10:32 devices dr-xr-xr-x 5 root root 0 Oct 12 10:32 freezer dr-xr-xr-x 3 root root 0 Oct 12 10:32 hugetlb dr-xr-xr-x 5 root root 0 Oct 12 10:32 memory lrwxrwxrwx 1 root root 16 Oct 12 10:32 net_cls -> net_cls,net_prio dr-xr-xr-x 3 root root 0 Oct 12 10:32 net_cls,net_prio lrwxrwxrwx 1 root root 16 Oct 12 10:32 net_prio -> net_cls,net_prio dr-xr-xr-x 3 root root 0 Oct 12 10:32 perf_event dr-xr-xr-x 4 root root 0 Oct 12 10:32 pids dr-xr-xr-x 3 root root 0 Oct 12 10:32 rdma dr-xr-xr-x 5 root root 0 Oct 12 10:32 systemd dr-xr-xr-x 5 root root 0 Oct 12 10:32 unified
root@lord:/sys/fs/cgroup/cpu# pwd
/sys/fs/cgroup/cpu
root@lord:/sys/fs/cgroup/cpu# ls -l
dr-xr-xr-x 5 root root 0 Oct 12 10:32 ./ drwxr-xr-x 15 root root 380 Oct 12 10:32 ../ drwxr-xr-x 2 root root 0 Oct 12 17:22 aa/ -rw-r--r-- 1 root root 0 Oct 12 17:22 cgroup.clone_children -rw-r--r-- 1 root root 0 Oct 12 17:22 cgroup.procs -r--r--r-- 1 root root 0 Oct 12 17:22 cgroup.sane_behavior -r--r--r-- 1 root root 0 Oct 12 17:22 cpuacct.stat -rw-r--r-- 1 root root 0 Oct 12 17:22 cpuacct.usage -r--r--r-- 1 root root 0 Oct 12 17:22 cpuacct.usage_all -r--r--r-- 1 root root 0 Oct 12 17:22 cpuacct.usage_percpu -r--r--r-- 1 root root 0 Oct 12 17:22 cpuacct.usage_percpu_sys -r--r--r-- 1 root root 0 Oct 12 17:22 cpuacct.usage_percpu_user -r--r--r-- 1 root root 0 Oct 12 17:22 cpuacct.usage_sys -r--r--r-- 1 root root 0 Oct 12 17:22 cpuacct.usage_user -rw-r--r-- 1 root root 0 Oct 12 17:22 cpu.cfs_period_us -rw-r--r-- 1 root root 0 Oct 12 17:22 cpu.cfs_quota_us -rw-r--r-- 1 root root 0 Oct 12 17:22 cpu.shares -r--r--r-- 1 root root 0 Oct 12 17:22 cpu.stat -rw-r--r-- 1 root root 0 Oct 12 17:22 notify_on_release -rw-r--r-- 1 root root 0 Oct 12 17:22 release_agent drwxr-xr-x 99 root root 0 Oct 12 10:32 system.slice/ -rw-r--r-- 1 root root 0 Oct 12 17:22 tasks drwxr-xr-x 2 root root 0 Oct 12 17:22 user.slice/
4.查看当前进程所关联的cgroup
root@lord:~# cat /proc/$$/cgroup
12:memory:/user.slice/user-0.slice/session-19.scope
11:net_cls,net_prio:/
10:blkio:/user.slice
9:devices:/user.slice
8:freezer:/
7:perf_event:/
6:hugetlb:/
5:cpuset:/
4:rdma:/
3:pids:/user.slice/user-0.slice/session-19.scope
2:cpu,cpuacct:/user.slice
1:name=systemd:/user.slice/user-0.slice/session-19.scope
0::/user.slice/user-0.slice/session-19.scope
每行第三列的路径是相对于对应控制器挂载点的,根目录 / 即上面查询到的 cgroup 挂载位置:如 5:cpuset:/ 对应 /sys/fs/cgroup/cpuset,2:cpu,cpuacct:/user.slice 对应 /sys/fs/cgroup/cpu,cpuacct/user.slice
5.新增子cgroup,如新增CPU下的cgroup,并将当前进程加入tasks
写入 tasks 的进程将受该 cgroup 的资源限制(cgroup v1 中 tasks 文件按线程 ID 生效;若要把一个进程的所有线程一起迁入,应写入 cgroup.procs)
root@lord:/sys/fs/cgroup/cpu# mkdir test
root@lord:/sys/fs/cgroup/cpu# ls -l test/
total 0
-rw-r--r-- 1 root root 0 Oct 12 17:57 cgroup.clone_children
-rw-r--r-- 1 root root 0 Oct 12 17:57 cgroup.procs
-r--r--r-- 1 root root 0 Oct 12 17:57 cpuacct.stat
-rw-r--r-- 1 root root 0 Oct 12 17:57 cpuacct.usage
-r--r--r-- 1 root root 0 Oct 12 17:57 cpuacct.usage_all
-r--r--r-- 1 root root 0 Oct 12 17:57 cpuacct.usage_percpu
-r--r--r-- 1 root root 0 Oct 12 17:57 cpuacct.usage_percpu_sys
-r--r--r-- 1 root root 0 Oct 12 17:57 cpuacct.usage_percpu_user
-r--r--r-- 1 root root 0 Oct 12 17:57 cpuacct.usage_sys
-r--r--r-- 1 root root 0 Oct 12 17:57 cpuacct.usage_user
-rw-r--r-- 1 root root 0 Oct 12 17:57 cpu.cfs_period_us
-rw-r--r-- 1 root root 0 Oct 12 17:57 cpu.cfs_quota_us
-rw-r--r-- 1 root root 0 Oct 12 17:57 cpu.shares
-r--r--r-- 1 root root 0 Oct 12 17:57 cpu.stat
-rw-r--r-- 1 root root 0 Oct 12 17:57 cpu.uclamp.max
-rw-r--r-- 1 root root 0 Oct 12 17:57 cpu.uclamp.min
-rw-r--r-- 1 root root 0 Oct 12 17:57 notify_on_release
-rw-r--r-- 1 root root 0 Oct 12 17:57 tasks
root@lord:/sys/fs/cgroup/cpu# cd test;echo $$ >> tasks
root@lord:/sys/fs/cgroup/cpu#
现在可以通过修改 test 目录下的控制文件(如 cpu.cfs_quota_us、cpu.cfs_period_us、cpu.shares),设置该进程组可使用的 CPU 限制
6:docker进程与cgroup
root@lord:/sys/fs/cgroup/cpu/test# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f197f2487e5f alpine-tinghua "sh -c 'tail -f /dev…" 7 hours ago Up 7 hours bb
root@lord:/sys/fs/cgroup/cpu/test# docker inspect --format '{{.State.Pid}}' bb #查看容器在主机的进程号
11290
root@lord:/sys/fs/cgroup/cpu/test# cat /proc/11290/cgroup
12:memory:/system.slice/docker-f197f2487e5f40c0468ba6b76f1d9cf451304d2ee10ef8266b75e8e6f6554bd7.scope
11:net_cls,net_prio:/system.slice/docker-f197f2487e5f40c0468ba6b76f1d9cf451304d2ee10ef8266b75e8e6f6554bd7.scope
10:blkio:/system.slice/docker-f197f2487e5f40c0468ba6b76f1d9cf451304d2ee10ef8266b75e8e6f6554bd7.scope
9:devices:/system.slice/docker-f197f2487e5f40c0468ba6b76f1d9cf451304d2ee10ef8266b75e8e6f6554bd7.scope
8:freezer:/system.slice/docker-f197f2487e5f40c0468ba6b76f1d9cf451304d2ee10ef8266b75e8e6f6554bd7.scope
7:perf_event:/system.slice/docker-f197f2487e5f40c0468ba6b76f1d9cf451304d2ee10ef8266b75e8e6f6554bd7.scope
6:hugetlb:/system.slice/docker-f197f2487e5f40c0468ba6b76f1d9cf451304d2ee10ef8266b75e8e6f6554bd7.scope
5:cpuset:/system.slice/docker-f197f2487e5f40c0468ba6b76f1d9cf451304d2ee10ef8266b75e8e6f6554bd7.scope
4:rdma:/system.slice/docker-f197f2487e5f40c0468ba6b76f1d9cf451304d2ee10ef8266b75e8e6f6554bd7.scope
3:pids:/system.slice/docker-f197f2487e5f40c0468ba6b76f1d9cf451304d2ee10ef8266b75e8e6f6554bd7.scope
2:cpu,cpuacct:/system.slice/docker-f197f2487e5f40c0468ba6b76f1d9cf451304d2ee10ef8266b75e8e6f6554bd7.scope
1:name=systemd:/system.slice/docker-f197f2487e5f40c0468ba6b76f1d9cf451304d2ee10ef8266b75e8e6f6554bd7.scope
0::/system.slice/docker-f197f2487e5f40c0468ba6b76f1d9cf451304d2ee10ef8266b75e8e6f6554bd7.scope
root@lord:/sys/fs/cgroup/cpu/test#
root@lord:/sys/fs/cgroup/cpu/system.slice/docker-f197f2487e5f40c0468ba6b76f1d9cf451304d2ee10ef8266b75e8e6f6554bd7.scope# pwd /sys/fs/cgroup/cpu/system.slice/docker-f197f2487e5f40c0468ba6b76f1d9cf451304d2ee10ef8266b75e8e6f6554bd7.scope root@lord:/sys/fs/cgroup/cpu/system.slice/docker-f197f2487e5f40c0468ba6b76f1d9cf451304d2ee10ef8266b75e8e6f6554bd7.scope# ll total 0 drwxr-xr-x 2 root root 0 Oct 12 11:03 ./ drwxr-xr-x 99 root root 0 Oct 12 10:32 ../ -rw-r--r-- 1 root root 0 Oct 12 18:07 cgroup.clone_children -rw-r--r-- 1 root root 0 Oct 12 18:07 cgroup.procs -r--r--r-- 1 root root 0 Oct 12 18:07 cpuacct.stat -rw-r--r-- 1 root root 0 Oct 12 18:07 cpuacct.usage -r--r--r-- 1 root root 0 Oct 12 18:07 cpuacct.usage_all -r--r--r-- 1 root root 0 Oct 12 18:07 cpuacct.usage_percpu -r--r--r-- 1 root root 0 Oct 12 18:07 cpuacct.usage_percpu_sys -r--r--r-- 1 root root 0 Oct 12 18:07 cpuacct.usage_percpu_user -r--r--r-- 1 root root 0 Oct 12 18:07 cpuacct.usage_sys -r--r--r-- 1 root root 0 Oct 12 18:07 cpuacct.usage_user -rw-r--r-- 1 root root 0 Oct 12 18:07 cpu.cfs_period_us -rw-r--r-- 1 root root 0 Oct 12 18:07 cpu.cfs_quota_us -rw-r--r-- 1 root root 0 Oct 12 18:07 cpu.shares -r--r--r-- 1 root root 0 Oct 12 18:07 cpu.stat -rw-r--r-- 1 root root 0 Oct 12 18:07 cpu.uclamp.max -rw-r--r-- 1 root root 0 Oct 12 18:07 cpu.uclamp.min -rw-r--r-- 1 root root 0 Oct 12 18:07 notify_on_release -rw-r--r-- 1 root root 0 Oct 12 18:07 tasks root@lord:/sys/fs/cgroup/cpu/system.slice/docker-f197f2487e5f40c0468ba6b76f1d9cf451304d2ee10ef8266b75e8e6f6554bd7.scope#
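创建容器时传入的资源限制(如内存或 CPU),都是通过写入该容器对应 cgroup 目录下的控制文件来实现的。反过来,未显式传入限制的容器不受相应配额约束,可能占满宿主机资源,因此应在创建容器时明确设置内存、CPU 等限制(如 docker run 的 --memory、--cpus、--pids-limit)。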