利用cgroup对Docker做权限限制
Linux Cgroup(Control Groups)是Linux内核提供的用于限制、记录、隔离进程组可以使用的资源(cpu、memory、IO等)的一种机制。
实验环境
系统: rhel6 server1 172.25.41.1
物理机 172.25.41.250
一·对mem内存的限制
[root@server1 ~]# yum search cgroup
[root@server1 ~]# yum install libcgroup.x86_64
[root@server1 ~]# cd /cgroup/ #安装好libcgroup之后,会在根下产生/cgroup,此时该目录下还没有任何东西
[root@server1 cgroup]# /etc/init.d/cg config start
[root@server1 cgroup]# ll
[root@server1 cgroup]# cd memory/
[root@server1 memory]# ls
[root@server1 memory]# vim /etc/cgconfig.conf
[root@server1 memory]# bc #计算字节
200*1024*1024
209715200 #200M
[root@server1 memory]# vim /etc/cgconfig.conf #编辑对资源限制的
# 添加以下内容
group x1 {
memory {
memory.limit_in_bytes = 209715200; # 限制使用的最大内存数
}
}
[root@server1 memory]# cd
[root@server1 ~]# /etc/init.d/cgconfig restart
[root@server1 ~]# cd /cgroup/
[root@server1 cgroup]# cd memory/
[root@server1 memory]# cd x1/
[root@server1 x1]# ls
[root@server1 x1]# cat memory.limit_in_bytes # 此时是对内存的吞吐量为无限大
200*1024*1024
209715200
[root@server1 x1]# cd /dev/shm/
[root@server1 shm]# free -m
[root@server1 shm]# dd if=/dev/zero of=file1 bs=1M count=100
[root@server1 shm]# free -m
[root@server1 shm]# dd if=/dev/zero of=file1 bs=1M count=300
[root@server1 shm]# free -m
[root@server1 shm]# cgexec -g memory:x1 dd if=/dev/zero of=file1 bs=1M count=300 #进行压力测试
[root@server1 shm]# free -m
[root@server1 shm]# rm -f file1
[root@server1 shm]# free -m
[root@server1 shm]# dd if=/dev/zero of=file1 bs=1M count=300
[root@server1 shm]# free -m
[root@server1 shm]# cd /cgroup/memory/
[root@server1 memory]# ls
[root@server1 memory]# cat memory.memsw.limit_in_bytes
9223372036854775807
[root@server1 memory]# cd
[root@server1 ~]# ls
anaconda-ks.cfg install.log install.log.syslog
[root@server1 ~]# vim /etc/cgconfig.conf
group x1 {
memory {
memory.limit_in_bytes = 209715200;
memory.memsw.limit_in_bytes = 209715200; #添加内容
# 限制内存和交换分区的大小之和,即交换分区的大小为0,可以分别打开交换分区和注释交换分区来做测试
}
}
[root@server1 ~]# /etc/init.d/cgconfig restart
[root@server1 ~]# cd /dev/shm/
[root@server1 shm]# ls
file1
[root@server1 shm]# rm -fr file1
[root@server1 shm]# cgexec -g memory:x1 dd if=/dev/zero of=file1 bs=1M count=300
Killed #设定的是200M 超过200M,就不能截取
[root@server1 shm]# free -m
[root@server1 shm]# rm -fr file1
[root@server1 shm]# cgexec -g memory:x1 dd if=/dev/zero of=file1 bs=1M count=190
[root@server1 shm]# free -m
[root@server1 shm]# cgexec -g memory:x1 dd if=/dev/zero of=file1 bs=1M count=220
Killed
练习
[root@server1 shm]# yum install -y /usr/bin/scp
[root@server1 ~]# chmod +x memapp1 memapp2
[root@server1 ~]# ls
memapp1 memapp2
[root@server1 ~]# ./memapp1
-bash: ./memapp1: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
[root@server1 ~]# yum install -y /lib/ld-linux.so.2
[root@server1 ~]# ./memapp1
[root@server1 ~]# ./memapp2
[root@server1 ~]# bc
5000*4*1024 #5000:仓库
20480000
[root@server1 ~]# vim /etc/cgconfig.conf
group x1 {
memory {
memory.limit_in_bytes = 20480000; #更改
memory.memsw.limit_in_bytes = 20480000;
}
}
[root@server1 ~]# /etc/init.d/cgconfig restart
注意超级用户和普通用户的转换
[root@server1 ~]# useradd westos
[root@server1 ~]# su - westos
[westos@server1 ~]$ cd /dev/shm/
[westos@server1 shm]$ ls
file1
[westos@server1 shm]$ logout
[root@server1 ~]# cd /dev/shm/
[root@server1 shm]# ls
file1
[root@server1 shm]# rm -fr file1
[root@server1 shm]# ls
[root@server1 shm]# su - westos
[westos@server1 ~]$ cd /dev/shm/
[westos@server1 shm]$ ls
[westos@server1 shm]$ dd if=/dev/zero of=file1 bs=1M count=300 #截取
[westos@server1 shm]$ rm -fr file1
[westos@server1 shm]$ ls
[westos@server1 shm]$ logout
[root@server1 shm]# vim /etc/cgrules.conf #添加以下内容
westos:memapp1 memory x1/
westos:memapp2 memory x1/
[root@server1 shm]# vim /etc/cgrules.conf
[root@server1 shm]# /etc/init.d/cgred start
[root@server1 shm]# cd
[root@server1 ~]# ls
memapp1 memapp2
[root@server1 ~]# mv memapp* /home/westos/
[root@server1 ~]# su westos
[westos@server1 root]$ cd
[westos@server1 ~]$ ls
memapp1 memapp2
[westos@server1 ~]$ ./memapp1
[westos@server1 ~]$ ./memapp2
二·对CPU的限制
[root@server1 ~]# vim /etc/cgconfig.conf
group x1 {
cpu {
cpu.shares = 100;
}
}
[root@server1 ~]# /etc/init.d/cgconfig restart
[root@server1 ~]# cgexec -g cpu:x2 dd if=/dev/zero of=/dev/null & #打入后台
[1] 6840
[root@server1 ~]# lscpu
[root@server1 ~]# top三·对磁盘空间读写的速度限制
Cgroup里每个子系统(SubSystem)对应一种资源,Cgroup blkio子系统用于限制块设备I/O速率。相比IO调度权重,iops和bps限制更加直接和量化,更适合用于限制docker容器磁盘IO上限。
[root@server1 ~]# vim /etc/cgconfig.conf
group x3 {
blkio {
blkio.throttle.read_bps_device = "252:0 1000000";
}
}
[root@server1 ~]# /etc/init.d/cgconfig restart
[root@server1 ~]# cd /cgroup/
[root@server1 cgroup]# cd blkio/
[root@server1 blkio]# ls
[root@server1 blkio]# cd x3/
[root@server1 x3]# ls
[root@server1 x3]# cat blkio.throttle.read_bps_device
252:0 1000000
[root@server1 x3]# cgexec -g blkio:x3 dd if=/dev/vda of=/dev/null &
[root@server1 ~]# yum install -y iotop
[root@server1 ~]# iotop
[root@foundation41 ~]# docker run --rm -it --device-read-bps /dev/sda:1M ubuntu
root@7f33bb7586f4:/# exit
[root@foundation41 ~]# docker run --rm -it --device-read-bps /dev/sda:1M --privileged=true ubuntu
root@b3973682e04e:/# fdisk -l
Disk /dev/sda: 128.0 GB, 128035676160 bytes
255 heads, 63 sectors/track, 15566 cylinders, total 250069680 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0001bd9f
Device Boot Start End Blocks Id System
/dev/sda1 * 2048 2099199 1048576 83 Linux
/dev/sda2 2099200 250068991 123984896 8e Linux LVM
root@b3973682e04e:/# dd if=/dev/sda of=/dev/null bs=1M count=100
^C^C
root@b3973682e04e:/# dd if=/dev/sda of=/dev/null bs=1M count=2 
[root@server1 ~]# iotop
四·freezer子系统
freezer子系统用于挂起和恢复cgroup中的进程。freezer有一个控制件:freezer.state,将FROZEN写入该文件,可以将cgroup中的进程挂起,将THAWED写入该文件,可以将已挂起的进程恢复。该文件可能读出的值有三种,其中两种就是前面已提到的FROZEN和THAWED,分别代表进程已挂起和已恢复(正常运行),还有一种可能的值为FREEZING,显示该值表示该cgroup中有些进程现在不能被frozen。当这些不能被frozen的进程从该cgroup中消失的时候,FREEZING会变成FROZEN,或者手动将FROZEN或THAWED写入一次。
[root@server1 ~]# vim /etc/cgconfig.conf
group x4 {
freezer {}
}
[root@server1 ~]# /etc/init.d/cgconfig restart
[root@server1 ~]# cd /cgroup/
[root@server1 cgroup]# ls
[root@server1 cgroup]# cd freezer/
[root@server1 freezer]# ls
[root@server1 freezer]# cd x4/
[root@server1 x4]# ls
[root@server1 x4]# cat tasks
[root@server1 x4]# ps ax
[root@server1 x4]# dd if=/dev/zero of=/dev/null &
[root@server1 ~]# top
[root@server1 x4]# echo 6952 > tasks
[root@server1 x4]# cat freezer.state
THAWED
[root@server1 ~]# top
[root@server1 x4]# echo FROZEN > freezer.state
[root@server1 x4]# cat freezer.state
FROZEN
[root@server1 ~]# top
[root@server1 x4]# echo THAWED > freezer.state
[root@server1 x4]# cat freezer.state
THAWED
[root@server1 ~]# killall dd
五·Docker中私有镜像库的搭建
1·设定仓库对外的端口是5000
[root@foundation41 ~]# cd /etc/docker/
[root@foundation41 docker]# ls
registry.tar
[root@foundation41 docker]# docker load -i registry.tar
[root@foundation41 docker]# docker images registry
[root@foundation41 docker]# docker run -d -p 5000:5000 -v /opt/registry:/var/lib/registry registry:2 #设定仓库对外的端口是5000
[root@foundation41 docker]# docker ps
2.将nginx镜像上传到自己的镜像仓库中
[root@foundation41 docker]# vim /etc/hosts
172.25.41.250 westos.org
[root@foundation41 docker]# docker tag nginx westos.org:5000/nginx
[root@foundation41 docker]# ping westos.org
[root@foundation41 docker]# docker tag nginx localhost:5000/nginx
[root@foundation41 docker]# docker push localhost:5000/nginx
[root@foundation41 Desktop]# cd /opt/registry/
[root@foundation41 registry]# ls
docker
[root@foundation41 registry]# docker pull localhost:5000/nginx
[root@foundation41 registry]# docker rmi localhost:5000/nginx #删除localhost:5000/这个镜像库的名字
[root@foundation41 registry]# docker rmi nginx #删除nginx的镜像
[root@foundation41 registry]# docker pull localhost:5000/nginx #重新上传nginx镜像,并对镜像库改名
[root@foundation41 registry]# docker images
[root@foundation41 registry]# docker tag localhost:5000/nginx nginx
[root@foundation41 registry]# docker images
