SoFunction
Updated on 2025-03-09

Restricting the resources used by Docker containers

1. Limiting the memory resources used by containers

Memory available to containers: physical memory and swap space (Swap).

1.1. User memory limit

Docker does not set memory limits by default.

You can set limits with the following options:

  • -m (--memory): sets the maximum memory available to the container. The minimum value is 4MB.
  • --memory-swap: controls how much memory the container may swap out to disk.

Docker provides 4 ways to set the user memory usage of the container:

  • Unlimited usage of container memory (neither option is used).
  • Set a memory limit and remove the swap space limit.
 # Use 300MB of memory and as much swap space as possible
 docker run -it -m 300M --memory-swap -1 ubuntu /bin/bash
  • Set only a memory limit.
 # 300MB of memory and 300MB of swap space (by default, the total amount of virtual memory is set to twice the memory size, so the container can use 300MB of swap space)
 docker run -it -m 300M ubuntu /bin/bash
  • Set memory and swap space at the same time.
 # 300MB of memory and 700MB of swap space
 docker run -it -m 300M --memory-swap 1G ubuntu /bin/bash
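
The four cases above, worked through as an added shell example (not code from the original article): it resolves a given -m / --memory-swap pair into separate RAM and swap ceilings. The function names and the simple size parser are assumptions of this example; the 4MB minimum is the figure stated above.

```shell
#!/bin/sh
# Added example, not the article's code: what -m / --memory-swap add up to.

# to_bytes SIZE -> bytes, for plain numbers and single-letter b/k/m/g suffixes
to_bytes() (
    n=${1%[bBkKmMgG]}
    case $n in ''|*[!0-9]*) exit 1 ;; esac    # digits only
    case $1 in
        *[kK]) echo $((n * 1024)) ;;
        *[mM]) echo $((n * 1024 * 1024)) ;;
        *[gG]) echo $((n * 1024 * 1024 * 1024)) ;;
        *)     echo "$n" ;;
    esac
)

# effective_limits MEMORY MEMORY_SWAP  (pass "" for an option that is omitted)
# Prints "ram=<bytes|unlimited> swap=<bytes|unlimited>", or fails on bad input.
effective_limits() (
    fail() { echo "error: $1" >&2; exit 1; }
    if [ -z "$1" ]; then
        case $2 in ''|-1) echo "ram=unlimited swap=unlimited"; exit 0 ;; esac
        fail "--memory-swap requires -m"
    fi
    mem=$(to_bytes "$1") || fail "bad -m value: $1"
    [ "$mem" -ge $((4 * 1024 * 1024)) ] || fail "-m is below the 4MB minimum"
    case $2 in
        '') echo "ram=$mem swap=$mem" ;;          # total defaults to 2 x -m
        -1) echo "ram=$mem swap=unlimited" ;;     # swap limit cancelled
        *)  total=$(to_bytes "$2") || fail "bad --memory-swap value: $2"
            # --memory-swap is RAM + swap combined, so it cannot be below -m
            [ "$total" -ge "$mem" ] || fail "--memory-swap is smaller than -m"
            echo "ram=$mem swap=$((total - mem))" ;;
    esac
)

effective_limits "" ""        # neither option
effective_limits 300M -1
effective_limits 300M ""
effective_limits 300M 1G
```

The last call prints swap=759169024, about 724 MiB: --memory-swap 1G is the combined total, and the 700MB quoted above rounds 1G to 1000MB.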

1.2. Kernel memory limit

Kernel memory cannot be swapped out to disk, so it cannot use swap space, and excessive kernel memory consumption can block system services.

 # Within 500MB of memory, up to 50MB of kernel memory can be used
 docker run -it -m 500M --kernel-memory 50M ubuntu /bin/bash

 # Only 50MB of kernel memory can be used
 docker run -it --kernel-memory 50M ubuntu /bin/bash

1.3. Set memory reservation to achieve soft limits

Use the --memory-reservation option to set a memory reservation.

It is a soft memory limit that allows more memory sharing. Once it is set, when Docker detects memory contention or low memory it forces the container to limit its memory consumption to the reserved value.

The memory reservation value should always be lower than the hard limit. Because it is a soft limit, a memory reservation does not guarantee that the container will stay below the reserved value.

 # The memory limit is 500MB, and the memory reservation (soft limit) is 200MB.
 # When the container consumes more than 200MB and less than 500MB of memory, the next system memory reclaim will try to reduce the container's memory to less than 200MB.
 docker run -it -m 500M --memory-reservation 200M ubuntu /bin/bash

 # Set the soft memory limit to 1GB
 docker run -it --memory-reservation 1G ubuntu /bin/bash

2. Limiting the CPU resources used by containers

By default, all containers can use host CPU resources equally and are not restricted.

2.1. CPU share limit

The -c (--cpu-shares) option sets the CPU share weight to the specified value.

The default value is 1024. If it is set to 0, the system ignores the value and uses the default value of 1024.

2.2. CPU cycle limit

The --cpu-period option (in μs) sets the CPU period used to limit the container's use of CPU resources.

The default CFS (Completely Fair Scheduler) period is 100ms (100000μs).

The --cpu-period and --cpu-quota options are usually used together:

 # If there is only 1 CPU, the container can get 50% (25000/50000) of CPU run time every 50ms (50000μs).
 docker run -it --cpu-period=50000 --cpu-quota=25000 ubuntu /bin/bash

The --cpus option specifies the CPU resources available to the container and achieves the same purpose.

The --cpus option value is a floating point number, with a default value of 0.000, indicating that it is not restricted.

 # The above can be changed to
 docker run -it --cpus=0.5 ubuntu /bin/bash

The --cpu-period and --cpu-quota options are based on 1 CPU.

2.3. CPU placement restrictions

The --cpuset-cpus option restricts container processes to running on the specified CPUs.

 # Processes in the container can be executed on cpu1 and cpu3
 docker run -it --cpuset-cpus="1,3" ubuntu:14.04 /bin/bash

 # Processes in the container can be executed on cpu0, cpu1 and cpu2
 docker run -it --cpuset-cpus="0-2" ubuntu:14.04 /bin/bash

2.4. CPU quota limit

The --cpu-quota option limits the CPU quota of the container. The default value is 0, which means that the container can use 100% of the CPU resources (per CPU).

CFS handles resource allocation for process execution and is the default Linux scheduler used by the kernel.

Setting this value to 50000 limits the container to at most 50% of the CPU resources. For multiple CPUs, the --cpu-quota value must be adjusted accordingly.

3. Limiting the I/O bandwidth of containers

Block I/O bandwidth (blkio) is another resource whose use by containers can be restricted.

Block I/O refers to the reading and writing of disks. Docker can control the bandwidth of a container's disk reads and writes by setting weights and by limiting the number of bytes per second (B/s) and the number of I/O operations per second (IO/s).

3.1. Set block I/O weight

The --blkio-weight option changes the proportion (500 by default) by setting the container's block I/O bandwidth weight relative to all other running containers.

 # Create two containers with different block I/O bandwidth weights.
 docker run -it --name c1 --blkio-weight 300 ubuntu /bin/bash
 docker run -it --name c2 --blkio-weight 600 ubuntu /bin/bash

3.2. Limit the read and write rate of the device

Docker limits the read and write rate of a container's devices according to two kinds of metric: one is bytes per second, the other is the number of I/O operations per second.

  • Limit the number of bytes per second

The --device-read-bps option limits the read rate of a specified device, that is, the number of bytes read per second.

 # Create a container and limit the read rate on the /dev/sda device to 1MB per second
 docker run -it --device-read-bps /dev/sda:1mb ubuntu

Similarly, the --device-write-bps option limits the write rate of a specified device.

Format:

<device>:<rate>[unit]

  • Limit the number of I/O operations per second

The --device-read-iops and --device-write-iops options limit the read and write rates of a specified device, expressed as the number of I/O operations per second.

 # Create a container and limit its read rate on the /dev/sda device to 1000 I/O operations per second
 docker run -it --device-read-iops /dev/sda:1000 ubuntu

4. Resource limitation implementation mechanism

The limits on the memory, CPU and block I/O bandwidth resources used by a container are implemented by the corresponding subsystems of control groups (Cgroup):

  • the memory subsystem sets limits on the memory used by tasks in the control group;
  • the cpu subsystem uses the scheduler to give the control group's tasks access to the CPU;
  • the blkio subsystem sets input and output limits for block devices (such as disks, solid state drives, USB, etc.).

Options such as --cpu-shares, --memory and --device-read-bps in the docker run command actually configure the control group; the related configuration files are stored under the /sys/fs/cgroup directory.

5. Example

5.1. Verify and analyze the implementation mechanism of container resource limitations

  • Start a container, set the memory limit to 300MB and the CPU weight to 512.
[root@docker ~]# docker run --rm -d -p 8080:80 -m 300M --cpu-shares=512 httpd
b8a03a3887f1f...
  • Looking at the /sys/fs/cgroup/cpu/docker directory, I found that Linux creates a Cgroup directory for each running container, named after the container ID:
[root@docker ~]# ls -l /sys/fs/cgroup/cpu/docker/
total 0
drwxr-xr-x 2 root root 0 Apr 29 13:08 b8a03a3887f1f...
...
  • Looking further into the container subdirectories, you will find that each container's subdirectories contain all CPU-related Cgroup configurations:
[root@docker ~]# ls -l /sys/fs/cgroup/cpu/docker/b8a03a3887f1f...
total 0
...
-rw-r--r-- 1 root root 0 Apr 29 13:12 cpu.rt_runtime_us
-rw-r--r-- 1 root root 0 Apr 29 13:08 cpu.shares
...
  • Checking the content of the cpu.shares file shows that it holds the value of the --cpu-shares option (512):
[root@docker-2322030238 ~]# cat /sys/fs/cgroup/cpu/docker/b8a03a3887f1f.../cpu.shares
512
  • Similarly, looking at the memory Cgroup configuration in the /sys/fs/cgroup/memory/docker directory, I found that the memory.limit_in_bytes file stores the value of the -m option. This example sets 300MB, which is 314572800 in bytes:
[root@docker ~]# cat /sys/fs/cgroup/memory/docker/b8a03a3887f1f.../memory.limit_in_bytes 
314572800
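
One way to turn the manual check above into an audit, as an added shell example that is not part of the original article: it reads the same cgroup v1 files for every container and lists those running without a memory limit. The function names and the sample tree are constructed for illustration; hosts using the systemd cgroup driver or cgroup v2 keep these values under different paths and file names.

```shell
#!/bin/sh
# Added example, not the article's code. Assumes the cgroup v1 layout shown
# above: <root>/{memory,cpu}/docker/<container-id>/.

read_value() { if [ -r "$1" ]; then cat "$1"; else echo missing; fi; }

# container_limits ROOT ID -> "mem=.. cpu_shares=.. cpu_quota=.."
container_limits() (
    mem=$(read_value "$1/memory/docker/$2/memory.limit_in_bytes")
    shares=$(read_value "$1/cpu/docker/$2/cpu.shares")
    quota=$(read_value "$1/cpu/docker/$2/cpu.cfs_quota_us")
    # Without -m the kernel reports a huge sentinel (9223372036854771712 on
    # x86-64); treating any 19+ digit value as "no limit" is an assumption.
    [ "${#mem}" -ge 19 ] && mem=unlimited
    [ "$quota" = "-1" ] && quota=unlimited    # -1: no CFS quota set
    echo "mem=$mem cpu_shares=$shares cpu_quota=$quota"
)

# unlimited_containers ROOT -> IDs with no memory limit, one per line
unlimited_containers() (
    for dir in "$1"/memory/docker/*/; do
        [ -d "$dir" ] || continue
        id=$(basename "$dir")
        case $(container_limits "$1" "$id") in
            mem=unlimited*) echo "$id" ;;
        esac
    done
)

# make_sample_tree -> path of a constructed tree with two fake containers
make_sample_tree() (
    root=$(mktemp -d)
    for id in aaa111 bbb222; do
        mkdir -p "$root/memory/docker/$id" "$root/cpu/docker/$id"
    done
    echo 314572800 > "$root/memory/docker/aaa111/memory.limit_in_bytes" # -m 300M
    echo 512 > "$root/cpu/docker/aaa111/cpu.shares"
    printf '%s\n' -1 > "$root/cpu/docker/aaa111/cpu.cfs_quota_us"
    echo 9223372036854771712 > "$root/memory/docker/bbb222/memory.limit_in_bytes"
    echo 1024 > "$root/cpu/docker/bbb222/cpu.shares"
    echo 50000 > "$root/cpu/docker/bbb222/cpu.cfs_quota_us"
    echo "$root"
)

sample=$(make_sample_tree)
container_limits "$sample" aaa111
unlimited_containers "$sample"
rm -rf "$sample"
```

On a real host, pass /sys/fs/cgroup as ROOT instead of the sample tree.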

5.2. Dynamically change the resource limits of containers

The docker update command can dynamically update a container's configuration. Its syntax is:

docker update [Options] Container [Container...]

After starting a container that restricts resources, modify its resource limits:

[root@docker ~]# docker run --rm -d -p 8080:80 -m 300M --cpu-shares=512 httpd
29d3cb1392b8e...
[root@docker ~]# docker update -m 500M --cpu-shares=10245 29d3
29d3
