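Docker-cgroup resource limits
After a container starts, if no limit is placed on the maximum resources it may use, the host allows it to occupy an unlimited amount of memory. When the host runs short of memory, it kills the process using the most resources, which disrupts the other containers and can even lead to OOM.
Linux Control Groups can cap the resources a process is able to request, including CPU, memory, disk, and network bandwidth.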
    ]# cat /boot/config-3.10.0-1160.45.1.el7.x86_64 |grep -i cgroup
    CONFIG_CGROUPS=y
    # CONFIG_CGROUP_DEBUG is not set
    CONFIG_CGROUP_FREEZER=y
    CONFIG_CGROUP_PIDS=y
    CONFIG_CGROUP_DEVICE=y
    CONFIG_CGROUP_CPUACCT=y
    CONFIG_CGROUP_HUGETLB=y
    CONFIG_CGROUP_PERF=y
    CONFIG_CGROUP_SCHED=y
    CONFIG_BLK_CGROUP=y
    # CONFIG_DEBUG_BLK_CGROUP is not set
    CONFIG_NETFILTER_XT_MATCH_CGROUP=m
    CONFIG_NET_CLS_CGROUP=y
    CONFIG_NETPRIO_CGROUP=y
Memory module
    [root@web ~]# cat /boot/config-4.4.222-1.el7.elrepo.x86_64 |grep memcg -i
    CONFIG_MEMCG=y
    CONFIG_MEMCG_SWAP=y
    CONFIG_MEMCG_SWAP_ENABLED=y
    CONFIG_MEMCG_KMEM=y
How cgroups are implemented
    [root@web ~]# ll /sys/fs/cgroup/
    total 0
    dr-xr-xr-x 4 root root 0 Apr 28 23:43 blkio
    lrwxrwxrwx 1 root root 11 Apr 28 23:43 cpu -> cpu,cpuacct
    lrwxrwxrwx 1 root root 11 Apr 28 23:43 cpuacct -> cpu,cpuacct
    dr-xr-xr-x 5 root root 0 Apr 28 23:43 cpu,cpuacct
    dr-xr-xr-x 3 root root 0 Apr 28 23:43 cpuset
    dr-xr-xr-x 4 root root 0 Apr 28 23:43 devices
    dr-xr-xr-x 3 root root 0 Apr 28 23:43 freezer
    dr-xr-xr-x 3 root root 0 Apr 28 23:43 hugetlb
    dr-xr-xr-x 5 root root 0 Apr 28 23:43 memory
    lrwxrwxrwx 1 root root 16 Apr 28 23:43 net_cls -> net_cls,net_prio
    dr-xr-xr-x 3 root root 0 Apr 28 23:43 net_cls,net_prio
    lrwxrwxrwx 1 root root 16 Apr 28 23:43 net_prio -> net_cls,net_prio
    dr-xr-xr-x 3 root root 0 Apr 28 23:43 perf_event
    dr-xr-xr-x 4 root root 0 Apr 28 23:43 pids
    dr-xr-xr-x 4 root root 0 Apr 28 23:43 systemd
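The memory directory in this listing is where a container's limit, or the lack of one described at the top of the page, can be read back. As an added example (not part of the original post), the script below reports every container that has no memory limit. It assumes cgroup v1 with Docker's cgroupfs driver layout memory/docker/<container-id>/ and treats a limit of 19 or more digits as unlimited; the container ids and sample tree are constructed.

```shell
#!/bin/sh
# Added example: audit Docker containers for a missing cgroup v1 memory limit.
# Assumption: cgroupfs driver layout <root>/memory/docker/<container-id>/.

# audit_mem_limits ROOT
# Prints "<id> UNLIMITED|LIMITED <bytes>" for each container cgroup found.
# Returns 1 if at least one container is unlimited, 0 otherwise.
audit_mem_limits() {
    root=${1:-/sys/fs/cgroup}
    rc=0
    for dir in "$root"/memory/docker/*/; do
        f="${dir}memory.limit_in_bytes"
        [ -r "$f" ] || continue          # glob did not match, or not a cgroup dir
        limit=$(cat "$f")
        id=$(basename "$dir")
        # cgroup v1 reports "no limit" as a value near the 64-bit maximum.
        # Heuristic (assumption): 19+ digits, i.e. >= 10^18 bytes, is unlimited.
        # Comparing string length avoids integer overflow in sh arithmetic.
        if [ "${#limit}" -ge 19 ]; then
            echo "$id UNLIMITED $limit"
            rc=1
        else
            echo "$id LIMITED $limit"
        fi
    done
    return "$rc"
}

# Constructed sample tree so the audit can be run without Docker or root.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/memory/docker/aaa111" "$t/memory/docker/bbb222"
    echo 9223372036854771712 > "$t/memory/docker/aaa111/memory.limit_in_bytes"
    echo 536870912 > "$t/memory/docker/bbb222/memory.limit_in_bytes"
    echo "$t"
}

# Demo run against the constructed tree.
sample=$(make_sample_tree)
audit_mem_limits "$sample" || echo "at least one container has no memory limit"
rm -rf "$sample"
```

On a real host, call audit_mem_limits with no argument to scan /sys/fs/cgroup. A container started with docker run -m 512m shows up as LIMITED 536870912.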