Shulou(Shulou.com)05/31 Report--

What this article shares with you is about how to use container Cgroups. The editor thinks it is very practical, so I share it with you to learn. I hope you can get something after reading this article.

Linux Cgroups (Linux Control Group) is a function used in the Linux kernel to set resource limits for processes. Its main function is to limit the upper limit of resources that a process group can use, including CPU, memory, disk, network bandwidth and so on. In addition, Cgroups is able to prioritize, audit, suspend and resume processes.

So why do you need Cgroups besides Namespace? Because although the No. 1 process in the container can only see what's going on in the container, it still competes equally with all other processes as process No. 100 on the host (for example, its PID is 100 on the host). In other words, although process 100 is ostensibly isolated, it has all the resources it can use (such as CPU, memory), and it may use up all the resources. So this is obviously not a reasonable behavior that a container should show.

In Linux, the operation interface exposed by Cgroups to users is the file system, that is, the operation interface is organized under the / sys/fs/cgroup path of the operating system in the form of files and directories. We can look at it with the mount command, and we can see that the output is a series of file system directories.

When we look at / sys/fs/cgroup, we can also see a series of subdirectories, which are called subsystems. These are the types of resources on my machine that can currently be restricted by Cgroups. For example:

As long as cpu limits the usage time of CPU cpuset allocates separate CPU cores for the process and the corresponding memory node memory sets memory usage limits for the process blkio block devices set IO limits, which are generally used for devices such as disks

Under the subdirectory, you can see how the resources corresponding to the subsystem can be restricted. For example, for the CPU subsystem, we can see the following configuration files.

The combined use of cpu.cfs_period_us and cpu.cfs_quota_us can limit the process to the total CPU time of cfs_quota for a period of time with a length of cfs_quota.

Cgoups configuration example

The following configuration is based on the operation interface provided by Cgroups. We first create a directory in the corresponding subsystem, such as container, which is called "control group". When you have created this directory, you will find that the directory has generated the resource limit files corresponding to the subsystem.

Next, we set the limit by modifying the contents of the file in container. For example, writing 20ms, which is 20000, to the cpu.cfs_quota_us in container means that each cpu_period_us (100ms) restricted by the control group can only use the CPU time of 20ms.

Next we write the process PID to be restricted to the tasks file in the container directory, so this setting is valid for the process to be restricted.

Docker implementation

For Linux container projects such as Docker, they only need to create a control group (that is, a new directory) for each container under each subsystem, and then write the process's PID to the control group's tasks file after starting the container process. What value to fill in the resource limit in the control group depends on the parameter content specified by the user when performing docker run. In the Docker host, there is a docker control group under each subsystem.

Let's demonstrate the effect of docker settings, which will be made in the docker control group of the CPU subsystem.

Docker run-it-- rm-- cpu-period=100000-- cpu-quota=20000-d alpine sleep 500s

As shown below, docker also creates a new directory in the docker control group and sets resources in this directory, thus limiting the use of resources.

Similar to the situation in Namespace, there are many imperfections in Cgoups's ability to limit resources, among which the most frequently mentioned is the problem of / proc file system. The / proc directory stores a series of special files about the current running state of the kernel. Users can access these files to view information about the system and the currently running processes, such as CPU usage, memory utilization, and so on. These files are also the main data sources for top instructions to view system information.

However, if you execute the top instruction in the container, you will find that the information it displays is still the host's CPU and memory data. This is because the / proc file system does not know what kind of resource restrictions the user has placed on the container through Cgroups, so it returns the entire host. Then this problem will lead to that the number of CPU cores, available memory and other information read by the application in the container is still the host, rather than after the limit has been made. This is another unsatisfactory aspect of containers compared to virtual machines.

The above is how to use the container Cgroups. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.