Docker Runtime Optimizations
By default, Docker gives containers unlimited access to the host CPU cycles, so a container can take more than it requires. You can limit this by adding runtime flags when launching a container.
Resource Management with Control Groups
Linux Control Groups
Linux control groups, or cgroups, provide resource management on Linux. The hierarchy of cgroup controllers and active cgroups is mounted as a virtual file system in the /sys/fs/cgroup directory. Resources can be limited or throttled per cgroup.
QoS Classes
cgroups allow the definition of QoS classes with a different resource allocation strategy for each microservice, depending on its requirements and relevance for proper system operation. There are many ways to create custom cgroups; one method is to use the cgroup utils provided by ECI. A configuration file sets values for each cgroup limitation and throttle provided by the kernel. These are listed and documented in the kernel.
As an example, create a configuration file at /etc/cgconfig.conf with the following contents:
group qos1 {
    cpuset {
        cpuset.cpus = 0-2;
    }
    net_cls {
        net_cls.classid = 0x100001;
    }
    memory {
        memory.limit_in_bytes="512M";
        memory.memsw.limit_in_bytes="512M";
    }
}
group qos2 {
    cpuset {
        cpuset.cpus = 3;
    }
    net_cls {
        net_cls.classid = 0x100002;
    }
    memory {
        memory.limit_in_bytes="64M";
        memory.memsw.limit_in_bytes="64M";
    }
}
This will create two new cgroups called qos1 and qos2, each defining a different set of CPU and memory resource policies. It also defines custom network classes, which will enable class-based filtering rules.
To read this file and create cgroups from the definitions, run the following command:
$ cgconfigparser -l /etc/cgconfig.conf
After completion, find the cgroups in the mounted cgroup virtual file system:
$ find /sys/fs/cgroup/ -name 'qos[12]'
/sys/fs/cgroup/cpu,cpuacct/qos2
/sys/fs/cgroup/cpu,cpuacct/qos1
Set Control Group of Container
The cgroup (here a QoS class) of a container (here a microservice) can be specified when it is instantiated with docker run by adding the --cgroup-parent argument. The processes running in the container will inherit the cgroup properties. For example, to instantiate a new container bound to the cgroup qos1 defined above, run the following command:
$ docker run --cgroup-parent=qos1 <image>:<tag>
Docker CPUSet
You can limit the cores that a container has access to by using the runtime flag --cpuset-cpus. This flag takes a comma-separated list or a hyphen-separated range.
Docker CPUSet Example
Comma-separated list
$ docker run -it --cpuset-cpus=2,3 ubuntu:20.04 /bin/bash
Hyphen-separated range
$ docker run -it --cpuset-cpus=1-3 ubuntu:20.04 /bin/bash
Docker CPUS
Docker also provides a runtime flag, --cpus, which limits the CPU resources that the container is allowed to access. This is different from --cpuset-cpus in that it does not name the specific cores that the container will use, but rather caps the total CPU resources it can consume out of the total cores.
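As an added example (not part of the original page or of ECI), the following Python audit reads `docker inspect` output and reports containers that were started without any of the CPU controls described above, or that are pinned to cores reserved for a QoS class. The container names and the JSON sample are constructed, and the script assumes that a container started with --cgroup-parent inherits its CPU and memory limits from a parent such as qos1.

```python
import json

# Constructed sample of `docker inspect` output, trimmed to the HostConfig fields used here.
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/plc-runtime", "HostConfig": {"CgroupParent": "qos1", "CpusetCpus": "", "NanoCpus": 0, "Memory": 0}},
 {"Name": "/logger", "HostConfig": {"CgroupParent": "", "CpusetCpus": "2,3", "NanoCpus": 0, "Memory": 0}},
 {"Name": "/web-ui", "HostConfig": {"CgroupParent": "", "CpusetCpus": "", "NanoCpus": 1500000000, "Memory": 268435456}},
 {"Name": "/scratch", "HostConfig": {"CgroupParent": "", "CpusetCpus": "", "NanoCpus": 0, "Memory": 0}}
]
""")

def parse_cpuset(spec):
    """Expand a --cpuset-cpus value such as "0-2", "2,3" or "0,2-3" into a set of core ids."""
    cores = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        start, end = int(lo), int(hi or lo)
        if end < start:
            raise ValueError(f"descending range in cpuset: {part!r}")
        cores.update(range(start, end + 1))
    return cores

def audit(containers, reserved_cores):
    """Return {name: [findings]} for containers with no CPU limit or touching reserved cores."""
    report = {}
    for c in containers:
        hc = c["HostConfig"]
        findings = []
        cpuset = parse_cpuset(hc.get("CpusetCpus") or "")
        # Assumption: a non-empty CgroupParent means the parent cgroup carries the limits.
        parent = hc.get("CgroupParent")
        if not (cpuset or hc.get("NanoCpus") or hc.get("CpuQuota") or parent):
            findings.append("no CPU constraint (--cpus, --cpuset-cpus or --cgroup-parent)")
        overlap = sorted(cpuset & reserved_cores)
        if overlap:
            findings.append(f"pinned to reserved cores {overlap}")
        if not hc.get("Memory") and not parent:
            findings.append("no memory limit")
        if findings:
            report[c["Name"].lstrip("/")] = findings
    return report

if __name__ == "__main__":
    # Cores 0-2 belong to qos1 in the cgconfig.conf example above.
    for name, findings in audit(SAMPLE_INSPECT, parse_cpuset("0-2")).items():
        print(f"{name}: " + "; ".join(findings))
```

On a live host, replace the sample with the JSON printed by `docker inspect $(docker ps -q)`.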