Detailed explanation of the application of Docker underlying technology Namespace Cgroup

Docker underlying technology:

The two core technologies at the bottom of Docker are Namespaces and Control groups.

Namespace: It is the core technology of container virtualization and is used to isolate containers and resolve conflicts between containers.

This is mainly achieved through the following six isolation technologies:
There are two pseudo file systems: /proc and /sys/

• UTS: Allows each container to have an independent hostname and domainname, so that it can be regarded as an independent node on the network rather than a process on the host.
• IPC: The process interaction in container still adopts the common inter-process interaction method of Linux, including common semaphores, message queues and shared memory. The interaction between container processes is actually the interaction between processes with the same PID on the host.
• PID: Processes of different users are isolated by pid namesapce, and the same pid can exist in different namespaces. The parent process of all LXC (linux containers) processes in docker is the docker process, and each LXC process has a different namespace.
• NET: Processes of different users are isolated by pidnamespace, and the same pid can exist in different namespaces. The parent process of all LXC processes in docker is the docker process, and each lxc process has a different namespace.
• MNT: The mount point of the file system.
• USRE: Each container can have different user and groupid, which means that you can use the user inside the container to execute the program instead of the user on the host.

As long as these six items are decoupled, even if other system resources are shared, the computer will consider them to be in two different systems.

cgroup (controls the resource usage of programs)

The main purpose of implementing cgroup is to provide a unified interface for resource management at different user levels. From resource control of a single process to virtualization at the operating system level.

The role of cgroup:

1) Resource limitation: cgroup can limit the total amount of resources used by the process group.
2) Priority allocation: The number of CPU time slices and disk IO bandwidth allocated is actually equivalent to controlling the priority of the process operation.
3) Resource statistics: Cgroup can count the usage of system resources. Such as CPU usage time, memory usage, etc.
Available for pay-as-you-go billing.
4) Process control: You can suspend, resume, and perform other operations on process groups.

Application of cgroup:

1) Limitations of memory and swap partition:

The container consists of two parts: physical memory and swap

In Docker, you can control the usage of container memory through parameters:

-m or --memory: Set memory usage limit

--memory-swap: Set the usage limit of swap (swap partition)

//Based on the centos image, the memory limit is 200M and the memory of the swap partition is 300M

[root@sqm-docker01 ~]# docker run -it -m 200M --memory-swap 300M centos

Enter the container to view the limited memory:

[root@05a0be7b870a /]# cat /sys/fs/cgroup/memory/memory.limit_in_bytes 
209715200 #Displays bytes [root@05a0be7b870a /]# cat /sys/fs/cgroup/memory/memory.memsw.limit_in_bytes 
314572800

2) Container CPU restrictions:

Use -c or --cpu-shares to set the cpu weight of the container experiment. If not set, the default is 1024.

//Based on the centos image, run a container named containerB with a cpu weight limit of 512:
[root@sqm-docker01 ~]# docker run -it --name containerB -c 512 centos
[root@b2cf9f28ce1d /]# cat /sys/fs/cgroup/cpu/cpu.shares 
512

3) Limit the container's Block io (disk read and write):

bps: The amount of data read and written per second. byte per second
iops: The number of io operations per second. io per second

--device-read-bps: Set the bps of the read device
--device-write-bps: Set the bps for writing to the device

--device-read-iops: Set the iops of the read device
--device-write-iops: Set the iops for writing to the device

//Create a container named testA and limit the amount of disk writes per second to 30MB.
[root@sqm-docker01 ~]# docker run -it --name testA --device-write-bps /dev/sda:30MB centos

Write data for testing:

Parameter explanation:
infile=extract from /dev/zero
outfile=customize a name
bs=1M file size is 1M
count=800 means write 800 times in total.
oflag=direct: Used to specify directory IO mode to write files, so that --device-write-bps will take effect.

It can be found that the amount written per second is 80M, which takes about 26s.

When writing to disk normally:

The above is all the knowledge points about Docker underlying technology introduced this time. Thank you for your learning and support for 123WORDPRESS.COM.