docker run -it --name=<containername> mysql:5.5 /bin/bash // run the image; the container name parameter can be omitted
docker run -d --name=<containername> centos:7 tail -f /dev/null // run the image detached, as a daemon
docker exec -it <containerid> /bin/bash // open a shell in the running container
image format <imagename>:<version> docker image is an image which could be run as a container docker image could be pull from docker hub.
to login into docker hub——— https://hub.docker.com/
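sudo docker login --username=mqyyy777 # logging in works around the pull limit error: "You have reached your pull rate limit". docker login keeps the credentials in the Docker client's config.json, only base64-encoded unless a credential helper is configured.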
docker pull mysql:<version> or docker pull mysql ### this will pull the latest mysql version
root@wen-Default-string:/home/wen# docker search mysql NAME DESCRIPTION STARS OFFICIAL AUTOMATED mysql MySQL is a widely used, open-source relation… 6851 [OK] mysql/mysql-router MySQL Router provides transparent routing be… 4 jelastic/mysql An image of the MySQL database server mainta… 1 openzipkin/zipkin-mysql Mirror of https://quay.io/repository/openzip… 1
root@wen-Default-string:/home/wen# docker search mqyyy777 NAME DESCRIPTION STARS OFFICIAL AUTOMATED mqyyy777/offi_ubu 0 mqyyy777/deb_8_mysql 0 mqyyy777/ubu-1604-armv7-root 0
show all the images created
root@wen-Default-string:/home/wen# docker images REPOSITORY TAG IMAGE ID CREATED SIZE mqyyy777/apache2_php7_ubu1804 latest a6d87831de86 11 days ago 239MB mqyyy7777/mysql_aicq latest a745c1291fb0 12 days ago 484MB mqyyy777/ubuntu_18_tt latest 29730938da29 2 weeks ago 184MB
vagrant@master:~/gashpc$ sudo docker image list |grep gash gashpc latest ee373b57e190 16 minutes ago 708MB
vagrant@master:~/gashpc$ sudo docker tag gashpc 172.24.17.100:5000/gashpc:latest
docker rmi <tagname> sudo docker rmi 172.24.17.100:5000/gashpc:latest Untagged: 172.24.17.100:5000/gashpc:latest
docker rmi <imagename> docker rmi -f <imagename> ##### images used by a stopped container root@wen-Default-string:/home/wen# docker rmi mqyyy777/ubuntu_18_tt Untagged: mqyyy777/ubuntu_18_tt:latest Deleted: sha256:29730938da297176dc67572fa4ca0488ccb9fef453911b77f123c0c628e01f85 Deleted: sha256:f0ca1a57f1703319a281c4c46d65a8d5c96114b44d76c339cdddd22ce4c5f614
docker run –name=mysql8 -it mysql:5.5 /bin/bash ###### -t alloca a tty, -i interactive for bash
docker run mysql:5.5 ##### run the default ENTRYPOINT or CMD instruction that was set in the Dockerfile at build time
docker run --rm mysql:5.5 ### The --rm flag in docker 1.12 is implemented client side; once the connection with the container is stopped, the client does a rm call to clean up the container. There are cases where this is known to not work. ### Docker 1.13 moves --rm to the daemon, which also allows you to use --rm with "detached" containers
docker run –name=mysql8 -itd mysql:5.5 /bin/bash ###### -t alloca a tty, -i interactive for bash -d always with -it, since -it will allocate the tty for stdin/out/err, or there’s no point for it.
when a container which allocate the tty for shell, and run -d to detach when running it, then you can attach to the container. #docker run –name=ubu -itd ubuntu:18.04 /bin/bash ###### -t alloca a tty, -i interactive for bash #docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 45223918b04f ubuntu:18.04 “/bin/bash” 12 seconds ago Up 11 seconds ubu #docker attach ubu
root@45223918b04f:/# ls bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var root@45223918b04f:/# exit exit
In this case the container ubu exits, because the bash you attached to was the container's main process, so the ubu container no longer shows in docker ps. This is unlike docker exec -it, which runs an additional process in the container.
root@wen-Default-string:/home/wen/aicq/dock_ssev# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
docker ps #### will list all the container up and running root@wen-Default-string:/home/wen# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES c1e4e6a66afd mqyyy777/aicq_sql:1.0 “docker-entrypoint.s…” 5 days ago Up 5 days 33060/tcp, 0.0.0.0:3307->3306/tcp mysql8
docker ps -a ### will list all the containter has been running and exited ones also root@wen-Default-string:/home/wen# docker ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES c1e4e6a66afd mqyyy777/aicq_sql:1.0 “docker-entrypoint.s…” 5 days ago Up 5 days 33060/tcp, 0.0.0.0:3307->3306/tcp mysql8 c1e4e6a66afe mqyyy777/aicq_sql:1.0 “docker-entrypoint.s…” 5 days ago Exited(0) 5 days agon 33060/tcp, 0.0.0.0:3307->3306/tcp mysql7
docker logs --tail=50 <container id> ### show the last fifty lines
When a container is run as a daemon (the -d parameter), check docker logs to see whether it started successfully, since there is no input/output attached.
start a container which has exited or stop docker start -ai b09b09c81342 //start container
docker stop <container id showed in ps>
docker commit [OPTIONS] CONTAINER [REPOSITORY[:TAG]]
docker exec -it <containerIdOrName> <cmd>
docker exec -it <containerIdOrName> /bin/bash -i, –stdin=false: Pass stdin to the container -t, –tty=false: Stdin is a TTY
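docker exec -it -u 0 3de999b26342 /bin/bash ### -u 0 runs the shell as uid 0 (root) inside the container, whatever user the image normally runs as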
docker run –name=mysql8 -it mysql:5.5 /bin/bash ###### -t alloca a tty, -i interactive for bash root@wen-Default-string:/home/wen# docker ps -a 7CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 7c1e4e6a66afd mqyyy777/aicq_sql:1.0 “docker-entrypoint.s…” 5 days ago Up 5 days 33060/tcp, 0.0.0.0:3307->3306/tcp mysql8
docker rename mysql8 mysql8_bak root@wen-Default-string:/home/wen# docker ps -a 7CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 7c1e4e6a66afd mqyyy777/aicq_sql:1.0 “docker-entrypoint.s…” 5 days ago Up 5 days 33060/tcp, 0.0.0.0:3307->3306/tcp mysql8_bak
remove a container which created by docker run…. remove all exited containers docker rm $(docker ps -q -f status=exited)
Usually, a docker image is built by the Dockerfile which compose a set of INSTRUCTIONS.
a typical Dockerfile is similar to this: ========================================== FROM ubuntu:18.04
RUN apt-get update ENV DEBIAN_FRONTEND noninteractive RUN apt-get install -y –no-install-recommends apache2 libapache2-mod-php7.2 python-mysqldb python php7.2-mysql
RUN useradd -r wen RUN mkdir -p home/wen/aicq COPY wserv.py /home/wen/aicq
RUN mkdir -p $APACHE_LOCK_DIR
COPY html/ var/www/html
EXPOSE 80/tcp
CMD [“/usr/sbin/apache2”, “-D”, “FOREGROUND”] ================================================
docker build -t <tagname> <the directory which Dockerfile in> <tagname> could be your own like mqyyy777/image_name:version
docker push mqyyy777/image_name:version #### this will push your image to docker hub in network when you docker login with mqyyy777 username
FROM ubuntu:<version> the docker image which this build will be based on
set the enviramental variable the enviroment scope will take effect all the way down to the whole build process unless it has been set to another value
ENV DEBIAN_FRONTEND noninteractive RUN echo $DEBIAN_FRONTEND
ENV DEBIAN_FRONTEND interactive RUN echo $DEBIAN_FRONTEND
RUN runs a command as in a shell, with the variables set by ENV available. RUN mkdir /tmp/aa
RUN set -x && \ apt-get update && \ apt-get install -y –no-install-recommends ca-certificates wget ### this will be run in a shell with &&
copy files from local dir to directory within image
COPY wserv.py home/wen/aicq
COPY html/ var/www/html #### copy all files under build dir html, to image dir var/www/html
expose the port in the docker container EXPOSE <port> [<port>/<protocol>…] EXPOSE 12345 if no protocol specified, tcp port in default, if want expose a udp port instead of tcp port using EXPOSE 12345/udp EXPOSE 12345/tcp #### expose both tcp and udp ports 12345 when run image use -p to publish the host port and mapping the host port to the exposed docker container port docker run -p <host-publish-port>:<dockercontiner-exposed-port>/<protocol>
docker run -p 1080:12345/tcp -p 280:12345/udp my_app ##### publish host port and map the exposed port in docker image
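root@wen-Default-string:/home/wen# docker ps
CONTAINER ID PORTS NAMES
c1e4e6a66afd 3306/tcp, 0.0.0.0:3307->3306/tcp mysql8
The PORTS column reads: exposed, publish->exposed/<protocol>. 0.0.0.0 means the published port listens on every host interface; to limit it, put a host IP in front of the port, e.g. -p 127.0.0.1:3307:3306.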
VOLUME [/var/www/html]
the source will be in ./var/lib/docker/volumes/…(this will be created automatically when run image) an anonymous volume will be created when inspect the image “Name”: “hashstring……..”, “Source”: “/var/lib/docker/volumes/hashstring/_data”, “Destination”: “/var/www/html”,
docker volume create vol-nc docker volume ls vol-nc will be listed. docker run -v vol-nc:/var/www/html
when inspect the image “Name”: “vol-nc”, “Source”: “/var/lib/docker/volumes/vol-nc/_data”, “Destination”: “/var/www/html”,
this means the container /var/www/html will be the master directory when run -v <host-dir>:/var/www/html it means the host-dir /mnt/udisk/ncloud_data will be the same content with the container folder.
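-v, --volume=[host-src:]container-dest[:<options>]: Bind mount a volume. <options> can be ro for a read-only mount; without it the mount is read-write ("RW": true in docker inspect). container-dest may be a volume in the container that was declared with the docker build instruction VOLUME [/var/www/html]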
/mnt/udisk/ncloud_data is the restored data directory, the content of this directory will be in /var/www/html
docker run –name=ncloud5 -v /mnt/udisk/ncloud_data:/var/www/html nextcloud /bin/sh “Mounts”: [ { “Type”: “bind”, “Source”: “/mnt/udisk/ncloud_data”, “Destination”: “/var/www/html”, “Mode”: “”, “RW”: true, “Propagation”: “rprivate” } ],
docker run –name=ncloud4 -v /mnt/udisk/ebook:/mnt -d nextcloud ### -v src of the host mount type is bind , dst-contianer dir /mnt is not volume here, /mnt/udisk/ebook is the master directory, /mnt in dst will be the exact same content with the source dir in host. “Mounts”: [ { “Type”: “bind”, “Source”: “/mnt/udisk/ebook”, “Destination”: “/mnt”, “Mode”: “”, “RW”: true, “Propagation”: “rprivate” }, { “Type”: “volume”, “Name”: “4c1c7cef30323f3b2ba7abdaea2adc8c0355e783d59a38e9e37f1c7539cafd1f”, “Source”: “/var/lib/docker/volumes/4c1c7cef30323f3b2ba7abdaea2adc8c0355e783d59a38e9e37f1c7539cafd1f/_data”, “Destination”: “/var/www/html”, “Driver”: “local”, “Mode”: “”, “RW”: true, “Propagation”: “” }
docker volume prune ### this deletes all the volumes created by containers that have been removed; the volumes of exited containers are not deleted
docker inspect <imagename> ], “Cmd”: [ “apache2-foreground” ], “ArgsEscaped”: true, “Image”: “nextcloud”, “Volumes”: { “/var/www/html”: {} }, “WorkingDir”: “/var/www/html”, “Entrypoint”: [ “/entrypoint.sh” ],
The ENTRYPOINT of an image is similar to a COMMAND because it specifies what executable to run when the container starts, but it is (purposely) more difficult to override
cat Dockerfile
FROM ubuntu
COPY entrypoint.sh / ENTRYPOINT [“/entrypoint.sh”]
entrypoint.sh
#!/bin/bash set -eo pipefail shopt -s nullglob set -x …. ## the last command of entry file should be not exit the bash for example cron -f ### this will keep the run docker container not exit, keep the server in forground exec top ### this will kepp the run docker container not exit either
If the script does not start with the #!/bin/bash heading (the shebang line), there will be an error like this: standard_init_linux.go:211: exec user process caused "exec format error"
docker run …. <imagename> ### then the <imagename> run will execute “Entrypoint Cmd” like “/entrypoint.sh apache2-foreground”
docker run -it <imagename> ls -l / #### this run will execute “/entrypoint.sh ls -l /”
--entrypoint ""
docker run -it --entrypoint "/bin/ls" <imagename> -l /var/www/html ### this overrides the image's ENTRYPOINT and executes "/bin/ls -l /var/www/html"
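By default, all commands in the container are executed as root. If you want to execute something as a different user, use gosu, which is a package that has to be installed in the image. To change the user for the whole container instead, use the Dockerfile USER instruction or docker run -u <user>.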
root@wen-Default-string:/home/wen# gosu wen whoami wen
5 weeks ago /bin/sh -c set -x && apt-get update && apt-get install -y –no-install-recommends ca-certificates wget && rm -rf /var/lib/apt/lists/* && wget -O /usr/local/bin/gosu “https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg –print-architecture)” && wget -O /usr/local/bin/gosu.asc “https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg –print-architecture).asc” && export GNUPGHOME=”$(mktemp -d)” && gpg –keyserver ha.pool.sks-keyservers.net –recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && gpg –batch –verify /usr/local/bin/gosu.asc /usr/local/bin/gosu && gpgconf –kill all && rm -rf “$GNUPGHOME” /usr/local/bin/gosu.asc && chmod +x /usr/local/bin/gosu && gosu nobody true && apt-get purge -y –auto-remove ca-certificates wget 4.44MB 6 weeks ago /bin/sh -c #(nop) ENV GOSU_VERSION=1.7 0B 6 weeks ago /bin/sh -c apt-get update && apt-get install -y –no-install-recommends gnupg dirmngr && rm -rf /var/lib/apt/lists/* 10.2MB 6 weeks ago /bin/sh -c groupadd -r mysql && useradd -r -g mysql mysql 329kB 6 weeks ago /bin/sh -c #(nop) CMD [“bash”]
get all the docker build instructions from a docker image or container all the command executed in build. like 6 weeks ago /bin/sh -c apt-get update && apt-get install -y –no-install-recommends gnupg dirmngr && rm -rf /var/lib/apt/lists/* 10.2MB 6 weeks ago /bin/sh -c groupadd -r mysql && useradd -r -g mysql mysql 329kB 6 weeks ago /bin/sh -c #(nop) CMD [“bash”]
docker inspect <imagename>/<continaername> all the mounts volume detail , ports published or ip addr….
“Mounts”: [ { “Type”: “volume”, “Name”: “4ffe4e57658f17d1db2bd2f0c16e147b3b0793d13db5f0f6d3f450454ca90017”, “Source”: “/var/lib/docker/volumes/4ffe4e57658f17d1db2bd2f0c16e147b3b0793d13db5f0f6d3f450454ca90017/_data”, “Destination”: “/var/lib/mysql”, “Driver”: “local”, “Mode”: “”, “RW”: true, “Propagation”: “” } ], “Config”: { “Hostname”: “c1e4e6a66afd”, “Domainname”: “”, “User”: “”, “AttachStdin”: false, “AttachStdout”: false, “AttachStderr”: false, “ExposedPorts”: { “3306/tcp”: {}, “33060/tcp”: {} }, “NetworkSettings”: { “Bridge”: “”, “SandboxID”: “f4f62c012a4501c0c79268d6be8c427992cd2bc2d59a784ce9baed76764ffac9”, “HairpinMode”: false, “LinkLocalIPv6Address”: “”, “LinkLocalIPv6PrefixLen”: 0, “Ports”: { “3306/tcp”: [ { “HostIp”: “0.0.0.0”, “HostPort”: “3307” } ], “33060/tcp”: null }, “SandboxKey”: “/var/run/docker/netns/f4f62c012a45”, “SecondaryIPAddresses”: null, “SecondaryIPv6Addresses”: null, “EndpointID”: “1af932dca1aa2e407c9b18a6d978c122eef763684899007710f9a6b407491521”, “Gateway”: “172.17.0.1”, “GlobalIPv6Address”: “”, “GlobalIPv6PrefixLen”: 0, “IPAddress”: “172.17.0.2”, “IPPrefixLen”: 16, “IPv6Gateway”: “”, “MacAddress”: “02:42:ac:11:00:02”, “Networks”: { “bridge”: { “IPAMConfig”: null, “Links”: null, “Aliases”: null, “NetworkID”: “b6f79cf56a7993cd08a615aee0a268f63ec5f909f360fad3137cbea0f2fd4af0”, “EndpointID”: “1af932dca1aa2e407c9b18a6d978c122eef763684899007710f9a6b407491521”, “Gateway”: “172.17.0.1”, “IPAddress”: “172.17.0.2”, “IPPrefixLen”: 16, “IPv6Gateway”: “”, “GlobalIPv6Address”: “”, “GlobalIPv6PrefixLen”: 0, “MacAddress”: “02:42:ac:11:00:02”, “DriverOpts”: null } } ======================================================================================================
docker inspect -f “{{ .Mounts }}” <container-name> =================================================== [{bind /mnt/udisk/data_aicq /mnt true rprivate} {volume 682b01cbec8ec6a5b33f5b91f620b115e5b121671ab53748760201b101491e01 /var/lib/docker/volumes/682b01cbec8ec6a5b33f5b91f620b115e5b121671ab53748760201b101491e01/_data /var/lib/mysql local true }]
root@cc60cfa38907:/# cat /var/spool/cron/crontabs/root
@reboot /home/wen/wen-d/mdisk.sh >/tmp/mdisk.log 2>&1
10 */1 * * * /home/wen/aicq/t2.sh >/tmp/ai.log 2>&1
~
Ubuntu 16.04+, CentOS: use the command journalctl -u docker.service to read the Docker daemon's log
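file sql.script
===================================
CREATE USER 'wen' IDENTIFIED BY '123';
GRANT ALL PRIVILEGES ON * . * TO 'wen';
FLUSH PRIVILEGES;
create database aicq;
use aicq;
source /mnt/aicq.sql;
++++++++++++++++++++++++++++++++++++++
Note: '123' is only an example password, and GRANT ALL PRIVILEGES ON * . * makes 'wen' an administrator of every database; for a real server, pick a strong password and grant on aicq.* only.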
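docker exec -it mysql1 mysql -uroot -p <sql.script ### with stdin redirected from a file, -t makes docker fail with "the input device is not a TTY"; use -i alone
docker exec mysql8 sh -c 'exec mysqldump aicq -uroot -p"123"' > /mnt/udisk/data_aicq/aicq_docker.sql ### a password given as -p"123" can be seen in the process list while the command runs
docker run --name=mysql8 -e MYSQL_ROOT_PASSWORD=123 -p 3307:3306 -v /mnt/udisk/data_aicq:/mnt -d mysql:latest ### a password passed with -e stays readable in docker inspect for the life of the container
docker run --name=mysql -p 3307:3306 -v /mnt/udisk/data_aicq:/mnt -d mqyyy777/mysql_rsp:14.0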
docker run -p 8008:80 -v /mnt/udisk/youtu/xiaoshuo:/mnt -d mqyyy777/apache2_php7_ubu1804:2.0 docker run –name=mysqltt8 -e MYSQL_ROOT_PASSWORD=123 -p 3307:3306 -d mqyyy777/aicq_sql:1.0
docker run –name=mysql8 –restart=unless-stopped -e MYSQL_ROOT_PASSWORD=123 -p 3307:3306 -v /mnt/udisk/data_aicq:/mnt/host_aicq -d mqyyy777/mysql_aicq:4.0 docker run –name=ncl –restart=unless-stopped -v /mnt/udisk/ncloud_data:/var/www/html -p 80:80 -d nextcloud:13.0.6 docker run –name=webaicq2 -d –restart=unless-stopped -p 8008:80 -v /mnt/udisk/youtu/xiaoshuo:/mnt mqyyy777/webaicq:2.0 docker run –name=webaicq3 -d –restart=unless-stopped -p 8008:80 -p 21:21/tcp -v /mnt/udisk:/home/ftpuser -v /mnt/udisk/youtu/xiaoshuo:/mnt mqyyy777/webaicq:2.0
all docker process will be shown in the ps aux executed in host:
t@wen-Default-string:/home/wen/aicq/dock_mysql# ps aux |grep mysql vin 27071 2.0 10.8 1928252 427988 ? Ssl 15:20 0:05 mysqld root 27374 0.0 0.0 21536 1028 pts/1 S+ 15:24 0:00 grep –color=auto mysql
root@wen-Default-string:/home/wen# pstree -aps 27071 systemd,1 splash └─dockerd,15056 -H fd:// └─docker-containe,15077 –config /var/run/docker/containerd/containerd.toml └─docker-containe,27049 -namespace moby -workdir … └─mysqld,27071 ├─cron,27133
docker run –name=ncloud –restart=unless-stopped -v /mnt/udisk/nextcloud:/var/www/html -d nextcloud
When you run an image, a container is created. To save a container as an image, use docker commit <container-name> <imgname>
cat /etc/sysconfig/docker
HTTP_PROXY=”http://10.144.1.10:8080” HTTPS_PROXY=”http://10.144.1.10:8080”
/etc/default/docker : you should have a line to uncomment (and maybe adjust) to get your proxy settings applied automatically. Then restart the Docker server:
service docker restart
cat /etc/systemd/system/docker.service.d/http-proxy.conf [Service] Environment=”HTTP_PROXY=http://10.144.1.10:8080/” Environment=”HTTPS_PROXY=http://10.144.1.10:8080/” Environment=”NO_PROXY=10.69.151.36,127.0.0.1”
[root@localhost ~]# systemctl daemon-reload [root@linux-node1 ~]# systemctl restart docker
docker update –restart=unless-stopped <container-id> docker run –privileged -d –restart=unless-stopped –name=dns_ssev1 -p 5037:5037/udp -p 8888:8888/tcp -v /home/pi/dock_ssev:/mnt mqyyy777/dns_ssev_rasp:1.0
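When iptables is executed inside a running container, it fails with permission denied. Add extra run flags when starting the container: --ipc host --cap-add SYS_ADMIN --privileged. Note that --privileged already grants every capability, SYS_ADMIN included, along with access to the host's devices; iptables normally needs only NET_ADMIN, so --cap-add NET_ADMIN alone is the narrower flag to try first.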
youtube-dl -F –proxy … “url” https://www.youtube.com/watch?v=aFlgm6G59fw&list=PLwmPBqRou8AOb_RPjM4gwTqPkzmXcpQB8 249 webm
docker export docker export 962209ba8291 > ttcn_docker_container.tar
cat ttcn_docker_container.tar | docker import - ttcn:7
docker commit <continer-name> <imgname>
docker save -o <tar-file-name> <image-name> ### docker save works on images; docker export is the one for containers
sudo docker save -o /home/matrix/matrix-data.tar matrix-data
docker save <image> | bzip2 | ssh user@host 'bunzip2 | docker load'
Copy the image from the path to any host. Now import to your local Docker installation using: docker load < <imag-tar-file>
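Sometimes the default docker package has issues. To install the docker-ce package on a Raspberry Pi:
curl -sL get.docker.com | sed 's/9)/10)/' | sh ### this pipes a downloaded script straight into sh, and with no scheme given curl starts over plain http; downloading https://get.docker.com to a file, reading it, and then running the file does the same job with the script checked first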
Run a docker container with option to limit its memory and cpu usage –cpu –memory –memory-reservation docker run -it –name –cpus=”1” –memory=”1g” –memory-reservation=”750m”
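rsync -a /var/lib/docker/* /path/to/new/root
rm -rf /var/lib/docker
ln -s /path/to/new/root /var/lib/docker
### stop the docker service before these steps and start it again afterwards, so that nothing writes to /var/lib/docker during the copy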
docker run hello-world fails with the error: x509: certificate signed by unknown authority. Fix: add the corporate CA certificate to the host's trust store.
cd /usr/local/share/ca-certificates
sudo mkdir corp
sudo cp ~/{corporate-cert}.crt corp/
sudo update-ca-certificates
Updating certificates in /etc/ssl/certs… 1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d… done.
restart the docker service (sudo service docker restart)
openssl genrsa -des3 -passout pass:x -out server.pass.key 2048 …
openssl rsa -passin pass:x -in server.pass.key -out server.key writing RSA key
rm server.pass.key
openssl req -new -key server.key -out server.csr … Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:California … A challenge password []: …
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
assuming container’s name is registry: [root@node6 ~]# docker exec -it registry /usr/sbin/ifconfig OCI runtime exec failed: exec failed: container_linux.go:367: starting container process caused: exec: “/usr/sbin/ifconfig”: stat /usr/sbin/ifconfig: no such file or directory: unknown ###########the container may not have some executable commands available
docker exec -it <containername> ls /sys/class/net #### find out the network interface in container eth0 lo
[root@node6 ~]# docker exec -it registry cat /sys/class/net/eth0/iflink ### find out which number it is in the host 26
[root@node6 ~]# ip addr |grep ^26 #### get the corresponding interface name in host 26: veth7488a0a@if25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
[root@node6 ~ ]# tcpdump -i veth7488a0a port 5000 #### capture the packets in the host or tcpdump -i any port 5000 #### to capture all the packets, listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
By default, each container’s access to the host machine’s CPU cycles is unlimited. You can set various constraints to limit a given container’s access to the host machine’s CPU cycles. Most users use and configure the default CFS scheduler. You can also configure the realtime scheduler. Configure the default CFS scheduler
The CFS is the Linux kernel CPU scheduler for normal Linux processes. Several runtime flags allow you to configure the amount of access to CPU resources your container has. When you use these settings, Docker modifies the settings for the container’s cgroup on the host machine. Option Description –cpus=<value> Specify how much of the available CPU resources a container can use. For instance, if the host machine has two CPUs and you set –cpus=”1.5”, the container is guaranteed at most one and a half of the CPUs. This is the equivalent of setting –cpu-period=”100000” and –cpu-quota=”150000”. –cpu-period=<value> Specify the CPU CFS scheduler period, which is used alongside –cpu-quota. Defaults to 100000 microseconds (100 milliseconds). Most users do not change this from the default. For most use-cases, –cpus is a more convenient alternative. –cpu-quota=<value> Impose a CPU CFS quota on the container. The number of microseconds per –cpu-period that the container is limited to before throttled. As such acting as the effective ceiling. For most use-cases, –cpus is a more convenient alternative. –cpuset-cpus Limit the specific CPUs or cores a container can use. A comma-separated list or hyphen-separated range of CPUs a container can use, if you have more than one CPU. The first CPU is numbered 0. A valid value might be 0-3 (to use the first, second, third, and fourth CPU) or 1,3 (to use the second and fourth CPU). –cpu-shares Set this flag to a value greater or less than the default of 1024 to increase or reduce the container’s weight, and give it access to a greater or lesser proportion of the host machine’s CPU cycles. This is only enforced when CPU cycles are constrained. When plenty of CPU cycles are available, all containers use as much CPU as they need. In that way, this is a soft limit. –cpu-shares does not prevent containers from being scheduled in swarm mode. It prioritizes container CPU resources for the available CPU cycles. 
It does not guarantee or reserve any specific CPU access.
If you have 1 CPU, each of the following commands guarantees the container at most 50% of the CPU every second.
docker run -it –cpus=”.5” ubuntu /bin/bash
Which is the equivalent to manually specifying –cpu-period and –cpu-quota;
$ docker run -it –cpu-period=100000 –cpu-quota=50000 ubuntu /bin/bash
Docker containers share the kernel of the host, so when you print processes, CPU, and memory on the host, you will see every container's CPU and memory usage as well. You can inspect a container id to get the process id of the running container:
docker inspect <containerid>
The listing below shows the docker processes under their parent containerd shim. For example, 20069 is a running container, and the child processes that run inside the container are listed below it. 20069 is the container's process id on the host; the host has only 20069 as the process id of this running container.
root 19923 1 0 Jul15 ? 00:01:05 /usr/bin/containerd-shim-runc-v2 -namespace moby -id fe3348917ba9b3369f73a30c46154d22cf4248dae08946398a14c54970d686b9 -address /run/containerd root 19974 19923 0 Jul15 ? 00:01:21 \_ /usr/bin/kube-controllers root 20069 1 0 Jul15 ? 00:01:28 /usr/bin/containerd-shim-runc-v2 -namespace moby -id 299522b1a29220420e73fea8cd0a4dfa1bc3ccdafa207f345300da265d149018 -address /run/containerd root 20097 20069 0 Jul15 ? 00:00:00 \_ /usr/bin/runsvdir -P /etc/service/enabled root 20217 20097 0 Jul15 ? 00:00:00 \_ runsv bird6 root 20372 20217 0 Jul15 ? 00:00:18 | \_ bird6 -R -s /var/run/calico/bird6.ctl -d -c /etc/calico/confd/config/bird6.cfg root 20218 20097 0 Jul15 ? 00:00:00 \_ runsv bird root 20373 20218 0 Jul15 ? 00:00:20 | \_ bird -R -s /var/run/calico/bird.ctl -d -c /etc/calico/confd/config/bird.cfg root 20219 20097 0 Jul15 ? 00:00:00 \_ runsv confd root 20222 20219 0 Jul15 ? 00:00:11 | \_ calico-node -confd root 20220 20097 0 Jul15 ? 00:00:00 \_ runsv felix root 20224 20220 2 Jul15 ? 00:28:50 \_ calico-node -felix root 1382 1 0 Jun04 tty1 00:00:00 /sbin/agetty -o -p – \u –noclear tty1 linux root 1386 1 0 Jun04 ? 00:00:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown –wait-for-signal root 1412 1 0 Jun04 ? 00:00:02 usr/lib/policykit-1/polkitd –no-debug root 1638 1 3 Jun04 ? 1-07:07:50 /usr/bin/dockerd -H fd:/ –containerd=/run/containerd/containerd.sock root 2217 1 0 Jun04 ? 00:00:00 /usr/sbin/sshd -D root 15333 2217 0 02:34 ? 00:00:00 \_ sshd: ubuntu [priv] ubuntu 15467 15333 0 02:34 ? 00:00:00 \_ sshd: ubuntu@pts/0 ubuntu 15468 15467 0 02:34 pts/0 00:00:00 \_ -bash ubuntu 16094 15468 0 05:53 pts/0 00:00:00 \_ man ps ubuntu 16104 16094 0 05:53 pts/0 00:00:00 | \_ pager ubuntu 29064 15468 0 06:33 pts/0 00:00:00 \_ ps -aef –forest root 7625 1 0 Jun29 ? 00:01:13 /usr/lib/snapd/snapd root 18143 1 3 Jul15 ? 
00:30:17 /usr/bin/kubelet –bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf –kubeconfig=/etc/kubernetes/kubelet.conf –config=/var/lib/kub ubuntu 15335 1 0 02:34 ? 00:00:05 /lib/systemd/systemd –user ubuntu 15336 15335 0 02:34 ? 00:00:00 \_ (sd-pam)
ubuntu@lm890-Master:~$ pstree systemd─┬─VGAuthService ├─accounts-daemon───2*[{accounts-daemon}] ├─agetty ├─atd ├─containerd─┬─containerd-shim─┬─registry───22*[{registry}] │ │ └─10*[{containerd-shim}] │ ├─12*[containerd-shim─┬─pause] │ │ └─9*[{containerd-shim}]] │ ├─containerd-shim─┬─pause │ │ └─10*[{containerd-shim}] │ ├─containerd-shim─┬─kube-controller───11*[{kube-controller}] │ │ └─9*[{containerd-shim}] │ ├─containerd-shim─┬─kube-scheduler───12*[{kube-scheduler}] │ │ └─9*[{containerd-shim}] │ ├─containerd-shim─┬─kube-apiserver───14*[{kube-apiserver}]
top 1 for every cpu core’s usage. one process could upto 200% for %CPU usage, %CPU is based on every CPU unit %
top - 16:20:20 up 23:56, 2 users, load average: 0.63, 0.47, 0.51 Tasks: 304 total, 1 running, 191 sleeping, 1 stopped, 0 zombie %Cpu(s): 1.0 us, 0.6 sy, 0.0 ni, 97.5 id, 0.6 wa, 0.0 hi, 0.3 si, 0.0 st KiB Mem : 82468688 total, 68047408 free, 1793840 used, 12627440 buff/cache KiB Swap: 0 total, 0 free, 0 used. 80153312 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 17229 root 20 0 1312624 573868 71396 S 9.9 0.7 169:06.53 kube-apiserver 17877 root 20 0 2006728 114848 65336 S 4.3 0.1 85:16.73 kubelet 17332 root 20 0 10.189g 149704 38668 S 3.6 0.2 55:36.18 etcd 20224 root 20 0 146736 40580 26284 S 2.3 0.0 28:57.36 calico-node 2074 root 20 0 4088620 121696 51440 S 2.0 0.1 46:51.22 dockerd 17445 root 20 0 884300 141268 59540 S 2.0 0.2 43:46.17 kube-controller 19962 root 20 0 10.257g 187512 19296 S 2.0 0.2 12:19.19 etcd 27126 ubuntu 20 0 43044 4260 3380 R 1.0 0.0 0:00.22 top
press “1” to show all cpu unit usage ========================================================================== top - 16:22:35 up 23:58, 2 users, load average: 0.35, 0.45, 0.50 Tasks: 304 total, 1 running, 191 sleeping, 1 stopped, 0 zombie %Cpu0 : 2.4 us, 0.7 sy, 0.0 ni, 93.7 id, 1.7 wa, 0.0 hi, 1.4 si, 0.0 st %Cpu1 : 0.0 us, 0.3 sy, 0.0 ni, 96.7 id, 1.3 wa, 0.0 hi, 1.6 si, 0.0 st %Cpu2 : 0.3 us, 0.3 sy, 0.0 ni, 97.7 id, 1.3 wa, 0.0 hi, 0.3 si, 0.0 st %Cpu3 : 0.3 us, 0.3 sy, 0.0 ni, 98.7 id, 0.7 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu4 : 4.3 us, 1.3 sy, 0.0 ni, 94.0 id, 0.0 wa, 0.0 hi, 0.3 si, 0.0 st %Cpu5 : 0.7 us, 0.3 sy, 0.0 ni, 99.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu6 : 1.0 us, 0.0 sy, 0.0 ni, 99.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu7 : 0.3 us, 0.0 sy, 0.0 ni, 99.7 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu8 : 1.7 us, 1.0 sy, 0.0 ni, 97.0 id, 0.3 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu9 : 0.0 us, 0.0 sy, 0.0 ni, 99.7 id, 0.3 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu10 : 0.7 us, 0.0 sy, 0.0 ni, 98.7 id, 0.7 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu11 : 0.7 us, 0.0 sy, 0.0 ni, 99.3 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu12 : 2.0 us, 0.7 sy, 0.0 ni, 97.0 id, 0.0 wa, 0.0 hi, 0.3 si, 0.0 st %Cpu13 : 1.0 us, 0.3 sy, 0.0 ni, 98.3 id, 0.0 wa, 0.0 hi, 0.3 si, 0.0 st %Cpu14 : 1.0 us, 0.3 sy, 0.0 ni, 98.7 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st %Cpu15 : 1.0 us, 0.0 sy, 0.0 ni, 99.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st KiB Mem : 82468688 total, 68048048 free, 1791236 used, 12629400 buff/cache KiB Swap: 0 total, 0 free, 0 used. 80155912 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 17229 root 20 0 1312624 573884 71396 S 9.6 0.7 169:22.65 kube-apiserver 17877 root 20 0 2006728 114848 65336 S 6.6 0.1 85:24.88 kubelet 17332 root 20 0 10.189g 149704 38668 S 3.6 0.2 55:41.51 etcd 2074 root 20 0 4088620 121696 51440 S 3.3 0.1 46:55.66 dockerd 17445 root 20 0 884300 141268 59540 S 2.3 0.2 43:50.19 kube-controller 20224 root 20 0 146736 40580 26284 S 2.0 0.0 29:00.16 calico-node 19962 root 20 0 10.257g 187248 19296 S 1.0 0.2 12:20.14 etcd 20891 root 20 0 750984 46976 30968 S 1.0 0.1 12:32.74 coredns 20902 root 20 0 750984 46344 30676 S 0.7 0.1 12:23.18 coredns 27126 ubuntu 20 0 43044 4260 3380 R 0.7 0.0 0:01.11 top
docker top container
cat /proc/1/sched | head -n 1 systemd