This document discusses allocating resources and limiting containers in Docker. It explains that containers are less isolated than virtual machines, so resource allocation is important. It describes how to allocate CPU, memory, disk space, and devices to containers using Docker commands. It also discusses making containers privileged to access devices and adding or dropping Linux capabilities using flags like --cap-add and --cap-drop. The presentation was given to the Iran OpenStack Users Group on allocating resources and limitations in containers.
4. Allocation of resources to containers is especially important as containers are less
isolated than virtual machines.
A single runaway container can lead to performance issues and degradation
across the entire host.
In Hypervisors, VMs are normally allocated a fixed amount of CPU resources, RAM,
and disk space, meaning that the applications will work within those set limits no
matter the load to which the VM or application is subjected.
Allocating Resources
| Iran Community OpenStack.ir
6. Each container is assigned a "share" of the CPU, set to 1024 by default. By itself,
a CPU share of 1024 does not mean anything.
If there is only a single container running, then it can use all the available CPU
resources.
However, if you launch another container and both containers have a CPU share of
1024, then each container can claim at least 50% of the CPU resources.
7. CPU Allocating Resource
● CPU share
$ docker run -ti -c 1024 ubuntu:14.04 /bin/bash
● CPU period & quota
$ docker run -ti --cpu-period=50000 --cpu-quota=10000 ubuntu:14.04 /bin/bash
11. Disk space and read/write speed can be limited in Docker. By default, read/write
speed is unlimited. However, if required, it can be limited as needed using cgroups.
Each container is allocated 10GB of space by default.
12. Disk Allocating Resource
● Base Size (an option of the Docker daemon, not of docker run)
$ docker -d --storage-opt dm.basesize=20G
More Details: https://github.com/docker/docker/blob/v1.2.0/daemon/graphdriver/devmapper/README.md#options
14. By default, Docker containers are "unprivileged" and cannot, for example, run a Docker
daemon inside a Docker container. This is because by default a container is not allowed to
access any devices, but a "privileged" container is given access to all devices.
More Details: https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources
15. Linux capability
More Details: http://linux.die.net/man/7/capabilities
● Add capability
$ docker run -ti --cap-add=NET_ADMIN ubuntu:14.04 /bin/bash
● Drop capability
$ docker run -ti --cap-add=ALL --cap-drop=NET_ADMIN ubuntu:14.04 /bin/bash
16. Devices
If you want to limit access to a specific device or devices you can use the --device
flag. It allows you to specify one or more devices that will be accessible within the
container.
● Devices
$ docker run -ti --device=/dev/snd:/dev/snd ubuntu:14.04 /bin/bash
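As an added example (not part of the original slides), this Python script audits the settings covered above by reading the HostConfig section of `docker inspect` output and flagging privileged containers, missing CPU quotas, added capabilities and mapped devices. The sample JSON is constructed and the finding labels are this example's own.

```python
import json

# Constructed sample shaped like `docker inspect` output (HostConfig subset).
SAMPLE = json.loads("""[
 {"Name": "/web", "HostConfig": {"Privileged": false, "CpuShares": 1024,
  "CpuPeriod": 50000, "CpuQuota": 10000, "CapAdd": ["NET_ADMIN"],
  "CapDrop": null, "Devices": []}},
 {"Name": "/dind", "HostConfig": {"Privileged": true, "CpuShares": 0,
  "CpuPeriod": 0, "CpuQuota": 0, "CapAdd": null, "CapDrop": null,
  "Devices": null}},
 {"Name": "/audio", "HostConfig": {"Privileged": false, "CpuShares": 512,
  "CpuPeriod": 0, "CpuQuota": 0, "CapAdd": ["ALL"], "CapDrop": ["NET_ADMIN"],
  "Devices": [{"PathOnHost": "/dev/snd", "PathInContainer": "/dev/snd",
               "CgroupPermissions": "rwm"}]}}
]""")

DEFAULT_PERIOD_US = 100000  # kernel CFS default when --cpu-period is not set


def cpu_ceiling(hc):
    """Hard CPU cap as a fraction of one core, or None if no quota is set."""
    quota = hc.get("CpuQuota") or 0
    if quota <= 0:
        return None  # CPU shares alone are relative weights, not a ceiling
    return quota / (hc.get("CpuPeriod") or DEFAULT_PERIOD_US)


def norm(caps):
    """Normalize capability names: upper-case, leading CAP_ removed."""
    return {c.upper().replace("CAP_", "", 1) for c in (caps or [])}


def audit(container):
    """Return the list of findings for one `docker inspect` entry."""
    hc, out = container.get("HostConfig", {}), []
    if hc.get("Privileged"):
        out.append("privileged")
    if cpu_ceiling(hc) is None:
        out.append("no-cpu-quota")
    added, dropped = norm(hc.get("CapAdd")), norm(hc.get("CapDrop"))
    if "ALL" in added:
        out.append("cap-add-all")
    out += ["cap-add:" + c for c in sorted(added - {"ALL"} - dropped)]
    out += ["device:" + d["PathOnHost"] for d in (hc.get("Devices") or [])]
    return out


if __name__ == "__main__":
    for c in SAMPLE:
        print(c["Name"].lstrip("/"), cpu_ceiling(c["HostConfig"]), audit(c))
```

On a live host, the same functions can be fed the parsed output of `docker inspect $(docker ps -q)`.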
18. Stay in Touch and Join Us:
● Home Page: OpenStack.ir
● Meetup page: Meetup.com/IranOpenStack
● Mailing List: OpenStackir@Lists.OpenStack.org
● Twitter: @OpenStackIR, #OpenStackIRAN
● IRC Channel on FreeNode: #OpenStack-ir
19. Mohammadreza Amini
Linux Administrator
Mohammadreza@openstack.ir
Amir Arsalan
Python Developer
Arsalan@openstack.ir
Thank You