Docker - Cgroup Resource Limitation

Docker Cgroup Resource Configuration Method

Cgroup is a mechanism provided by the Linux kernel to limit, record, and isolate the physical resources used by process groups

Docker uses Cgroup to control the resource quotas used by containers, including cpu, memory, and disk. Docker basically covers common resource quotas and usage control

Cgroup Subsystem

- blkio: Set limits on input and output control for each block device
 - cpu: Provide CPU access to cgroup tasks using a dispatcher
 - cpuacct: Generate cpu resource report for cgroup task placement
 - cpuset: If it is a multi-core cpu, this subsystem will allocate separate CPU and memory for cgroup tasks
 - devices: Allow or deny cgroup task access to devices
 - freezer: pause and resume cgroup tasks
 - memory: Set the memory limit for each cgroup and generate a memory resource report
 - net_cls: Mark each network packet for cgroup convenience
 - ns: Namespace subsystem
 - perf_event: Increases the ability to monitor and track each group to monitor all threads belonging to a particular group and running on a specific cpu

Use the Stress tool to test cpu and memory

Create a stress tool image using Dockerfile

[root@localhost ~]# mkdir /opt/stress
[root@localhost ~]# cd /opt/stress/
[root@localhost stress]# vim Dockerfile
FROM centos:7
MAINTAINER lzp "lzp@kgc"
RUN yum install -y wget
RUN wget -O /etc/yum.repos.d/epel.repo
RUN yum install -y stress
[root@localhost stress]# docker build -t centos:stress .

Create Container

[root@localhost stress]# docker run -itd --name cpu512 --cpu-shares 512 centos:stress stress -c 10
[root@localhost stress]# docker exec -it b6f7b6a43716 bash
[root@b6f7b6a43716 /]# top

[root@localhost stress]# docker run -itd --name cpu1024 --cpu-shares 1024 centos:stress stress -c 10 
[root@localhost stress]# docker exec -it d5aabd524580 bash
[root@d5aabd524580 /]# top

Start two containers and run to see the percentage of cpu usage

Use the top command to view scales and compare two containers

By default, the CPU share for each Docker container is 1024, and the share for a single container is meaningless.The cpu-weighted effect of containers can only be reflected when multiple containers are running simultaneously.

CPU Cycle Limit

Two parameters control container CPU clock cycle

  • --cpu-period: Used to specify how long a container will reassign its use of the CPU
  • --cpu-quota: is used to specify the maximum amount of time that can be used to run this container during this cycle
    Unlike --cpu-shares.This configuration specifies an absolute value and the container will never use more CPU resources than the configured value

The units of cpu-period and cpu-quota are microseconds (us), with a minimum of 1000 microseconds, a maximum of 1 second and a default of 0.1 seconds.The default value of cpu-quota is -1, meaning no control.Cpu-period and cpu-quota parameters are generally used in combination

In multicore scenarios, if you allow container processes to fully occupy two CPUs, you can set the cpu-period to 100000 (that is, 0.1 seconds) and the cpu-quota to 20000 (0.2 seconds)

[root@localhost stress]# docker run -itd --name cpu01 --cpu-period=100000 --cpu-quota=200000 centos:stress
[root@localhost stress]# docker ps -a
[root@localhost stress]# docker exec -it dbf79db9c053 bash
[root@dbf79db9c053 /]# cat /sys/fs/cgroup/cpu/cpu.cfs_period_us 
[root@dbf79db9c053 /]# cat /sys/fs/cgroup/cpu/cpu.cfs_quota_us 

CPU Core Control

For servers with multicore cpus, Docker can also control which cpu cores are used for container runs, using the --cpuset-cpus parameter
This is particularly useful for servers with multiple CPUs that can optimally configure containers that require high-performance computing

[root@localhost stress]# docker run -itd --name cpu02 --cpuset-cpus=0-2 centos:stress 
//The above command requires the host machine to be dual-core, meaning that containers can only be created using 0, 1, 2 cores, and the resulting cgroup's cpu core is configured as follows
[root@localhost stress]# docker ps -a
[root@localhost stress]# docker exec -it 4416c771538e bash
[root@4416c771538e /]# cat /sys/fs/cgroup/cpuset/cpuset.cpus

Tags: Linux Docker CentOS yum EPEL

Posted on Thu, 09 Jan 2020 20:50:18 -0500 by brax23