mirror of https://github.com/docker/cli.git
Add support for kernel memory limit
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
parent
90cf0587f1
commit
5731775665
|
@ -1075,6 +1075,7 @@ _docker_run() {
|
||||||
--group-add
|
--group-add
|
||||||
--hostname -h
|
--hostname -h
|
||||||
--ipc
|
--ipc
|
||||||
|
--kernel-memory
|
||||||
--label-file
|
--label-file
|
||||||
--label -l
|
--label -l
|
||||||
--link
|
--link
|
||||||
|
|
|
@ -40,6 +40,7 @@ Creates a new container.
|
||||||
--help=false Print usage
|
--help=false Print usage
|
||||||
-i, --interactive=false Keep STDIN open even if not attached
|
-i, --interactive=false Keep STDIN open even if not attached
|
||||||
--ipc="" IPC namespace to use
|
--ipc="" IPC namespace to use
|
||||||
|
--kernel-memory="" Kernel memory limit
|
||||||
-l, --label=[] Set metadata on the container (e.g., --label=com.example.key=value)
|
-l, --label=[] Set metadata on the container (e.g., --label=com.example.key=value)
|
||||||
--label-file=[] Read in a line delimited file of labels
|
--label-file=[] Read in a line delimited file of labels
|
||||||
--link=[] Add link to another container
|
--link=[] Add link to another container
|
||||||
|
|
|
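Review bot: the added line `--kernel-memory=""    Kernel memory limit` does not say what value format the flag takes, while the run reference table in this same commit documents it as `<number>[<unit>]`, where unit = b, k, m or g. Add the format to this help line so the option list is usable on its own; the identical line added to the next option list has the same gap.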
@ -40,6 +40,7 @@ weight=1
|
||||||
--help=false Print usage
|
--help=false Print usage
|
||||||
-i, --interactive=false Keep STDIN open even if not attached
|
-i, --interactive=false Keep STDIN open even if not attached
|
||||||
--ipc="" IPC namespace to use
|
--ipc="" IPC namespace to use
|
||||||
|
--kernel-memory="" Kernel memory limit
|
||||||
-l, --label=[] Set metadata on the container (e.g., --label=com.example.key=value)
|
-l, --label=[] Set metadata on the container (e.g., --label=com.example.key=value)
|
||||||
--label-file=[] Read in a file of labels (EOL delimited)
|
--label-file=[] Read in a file of labels (EOL delimited)
|
||||||
--link=[] Add link to another container
|
--link=[] Add link to another container
|
||||||
|
|
|
@ -517,6 +517,7 @@ container:
|
||||||
|----------------------------|---------------------------------------------------------------------------------------------|
|
|----------------------------|---------------------------------------------------------------------------------------------|
|
||||||
| `-m`, `--memory="" ` | Memory limit (format: `<number>[<unit>]`, where unit = b, k, m or g) |
|
| `-m`, `--memory="" ` | Memory limit (format: `<number>[<unit>]`, where unit = b, k, m or g) |
|
||||||
| `--memory-swap=""` | Total memory limit (memory + swap, format: `<number>[<unit>]`, where unit = b, k, m or g) |
|
| `--memory-swap=""` | Total memory limit (memory + swap, format: `<number>[<unit>]`, where unit = b, k, m or g) |
|
||||||
|
| `--kernel-memory=""` | Kernel memory limit (format: `<number>[<unit>]`, where unit = b, k, m or g) |
|
||||||
| `-c`, `--cpu-shares=0` | CPU shares (relative weight) |
|
| `-c`, `--cpu-shares=0` | CPU shares (relative weight) |
|
||||||
| `--cpu-period=0` | Limit the CPU CFS (Completely Fair Scheduler) period |
|
| `--cpu-period=0` | Limit the CPU CFS (Completely Fair Scheduler) period |
|
||||||
| `--cpuset-cpus="" ` | CPUs in which to allow execution (0-3, 0,1) |
|
| `--cpuset-cpus="" ` | CPUs in which to allow execution (0-3, 0,1) |
|
||||||
|
@ -526,9 +527,9 @@ container:
|
||||||
| `--oom-kill-disable=false` | Whether to disable OOM Killer for the container or not. |
|
| `--oom-kill-disable=false` | Whether to disable OOM Killer for the container or not. |
|
||||||
| `--memory-swappiness="" ` | Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100. |
|
| `--memory-swappiness="" ` | Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100. |
|
||||||
|
|
||||||
### Memory constraints
|
### User memory constraints
|
||||||
|
|
||||||
We have four ways to set memory usage:
|
We have four ways to set user memory usage:
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<thead>
|
<thead>
|
||||||
|
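Review bot: renaming `### Memory constraints` to `### User memory constraints` changes the section name that other pages may link to. If the docs site derives anchors from heading text, existing links to the old heading need to be checked and updated in this change.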
@ -576,7 +577,7 @@ We have four ways to set memory usage:
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
### Examples
|
Examples:
|
||||||
|
|
||||||
$ docker run -ti ubuntu:14.04 /bin/bash
|
$ docker run -ti ubuntu:14.04 /bin/bash
|
||||||
|
|
||||||
|
@ -620,6 +621,76 @@ The following example, illustrates a dangerous way to use the flag:
|
||||||
The container has unlimited memory which can cause the host to run out memory
|
The container has unlimited memory which can cause the host to run out memory
|
||||||
and require killing system processes to free memory.
|
and require killing system processes to free memory.
|
||||||
|
|
||||||
|
### Kernel memory constraints
|
||||||
|
|
||||||
|
Kernel memory is fundamentally different than user memory as kernel memory can't
|
||||||
|
be swapped out. The inability to swap makes it possible for the container to
|
||||||
|
block system services by consuming too much kernel memory. Kernel memory includes:
|
||||||
|
|
||||||
|
- stack pages
|
||||||
|
- slab pages
|
||||||
|
- sockets memory pressure
|
||||||
|
- tcp memory pressure
|
||||||
|
|
||||||
|
You can setup kernel memory limit to constrain these kinds of memory. For example,
|
||||||
|
every process consumes some stack pages. By limiting kernel memory, you can
|
||||||
|
prevent new processes from being created when the kernel memory usage is too high.
|
||||||
|
|
||||||
|
Kernel memory is never completely independent of user memory. Instead, you limit
|
||||||
|
kernel memory in the context of the user memory limit. Assume "U" is the user memory
|
||||||
|
limit and "K" the kernel limit. There are three possible ways to set limits:
|
||||||
|
|
||||||
|
<table>
|
||||||
|
<thead>
|
||||||
|
<tr>
|
||||||
|
<th>Option</th>
|
||||||
|
<th>Result</th>
|
||||||
|
</tr>
|
||||||
|
</thead>
|
||||||
|
<tbody>
|
||||||
|
<tr>
|
||||||
|
<td class="no-wrap"><strong>U != 0, K = inf</strong> (default)</td>
|
||||||
|
<td>
|
||||||
|
This is the standard memory limitation mechanism already present before using
|
||||||
|
kernel memory. Kernel memory is completely ignored.
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td class="no-wrap"><strong>U != 0, K < U</strong></td>
|
||||||
|
<td>
|
||||||
|
Kernel memory is a subset of the user memory. This setup is useful in
|
||||||
|
deployments where the total amount of memory per-cgroup is overcommited.
|
||||||
|
Overcommiting kernel memory limits is definitely not recommended, since the
|
||||||
|
box can still run out of non-reclaimable memory.
|
||||||
|
In this case, the you can configure K so that the sum of all groups is
|
||||||
|
never greater than the total memory. Then, freely set U at the expense of
|
||||||
|
the system's service quality.
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td class="no-wrap"><strong>U != 0, K > U</strong></td>
|
||||||
|
<td>
|
||||||
|
Since kernel memory charges are also fed to the user counter and reclaimation
|
||||||
|
is triggered for the container for both kinds of memory. This configuration
|
||||||
|
gives the admin a unified view of memory. It is also useful for people
|
||||||
|
who just want to track kernel memory usage.
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
Examples:
|
||||||
|
|
||||||
|
$ docker run -ti -m 500M --kernel-memory 50M ubuntu:14.04 /bin/bash
|
||||||
|
|
||||||
|
We set memory and kernel memory, so the processes in the container can use
|
||||||
|
500M memory in total, in this 500M memory, it can be 50M kernel memory tops.
|
||||||
|
|
||||||
|
$ docker run -ti --kernel-memory 50M ubuntu:14.04 /bin/bash
|
||||||
|
|
||||||
|
We set kernel memory without **-m**, so the processes in the container can
|
||||||
|
use as much memory as they want, but they can only use 50M kernel memory.
|
||||||
|
|
||||||
### Swappiness constraint
|
### Swappiness constraint
|
||||||
|
|
||||||
By default, a container's kernel can swap out a percentage of anonymous pages.
|
By default, a container's kernel can swap out a percentage of anonymous pages.
|
||||||
|
|
|
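Review bot: the table introduced by "There are three possible ways to set limits" has U != 0 in every row, but the second example (`--kernel-memory 50M` without `-m`) sets a kernel limit with no user limit, which none of the three rows covers. Add a row or a sentence for that case, or drop the example. In the same section, `K < U` and `K > U` sit unescaped inside `<td>` and should be written `K &lt; U` and `K &gt; U`; "the you can configure K" has a stray "the"; "overcommited", "Overcommiting" and "reclaimation" are misspelled; and the K > U cell opens with a "Since ..." clause that never reaches a main clause.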
@ -30,6 +30,7 @@ docker-create - Create a new container
|
||||||
[**--help**]
|
[**--help**]
|
||||||
[**-i**|**--interactive**[=*false*]]
|
[**-i**|**--interactive**[=*false*]]
|
||||||
[**--ipc**[=*IPC*]]
|
[**--ipc**[=*IPC*]]
|
||||||
|
[**--kernel-memory**[=*KERNEL-MEMORY*]]
|
||||||
[**-l**|**--label**[=*[]*]]
|
[**-l**|**--label**[=*[]*]]
|
||||||
[**--label-file**[=*[]*]]
|
[**--label-file**[=*[]*]]
|
||||||
[**--link**[=*[]*]]
|
[**--link**[=*[]*]]
|
||||||
|
@ -148,6 +149,15 @@ two memory nodes.
|
||||||
'container:<name|id>': reuses another container shared memory, semaphores and message queues
|
'container:<name|id>': reuses another container shared memory, semaphores and message queues
|
||||||
'host': use the host shared memory,semaphores and message queues inside the container. Note: the host mode gives the container full access to local shared memory and is therefore considered insecure.
|
'host': use the host shared memory,semaphores and message queues inside the container. Note: the host mode gives the container full access to local shared memory and is therefore considered insecure.
|
||||||
|
|
||||||
|
**--kernel-memory**=""
|
||||||
|
Kernel memory limit (format: `<number>[<unit>]`, where unit = b, k, m or g)
|
||||||
|
|
||||||
|
Constrains the kernel memory available to a container. If a limit of 0
|
||||||
|
is specified (not using `--kernel-memory`), the container's kernel memory
|
||||||
|
is not limited. If you specify a limit, it may be rounded up to a multiple
|
||||||
|
of the operating system's page size and the value can be very large,
|
||||||
|
millions of trillions.
|
||||||
|
|
||||||
**-l**, **--label**=[]
|
**-l**, **--label**=[]
|
||||||
Adds metadata to a container (e.g., --label=com.example.key=value)
|
Adds metadata to a container (e.g., --label=com.example.key=value)
|
||||||
|
|
||||||
|
|
|
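Review bot: in the added `--kernel-memory` description, "If a limit of 0 is specified (not using `--kernel-memory`)" treats an explicit 0 and an omitted flag as the same thing without saying so, and "the value can be very large, millions of trillions" does not tell the reader what the upper bound is. State the default plainly (flag omitted means kernel memory is not limited) and either name the maximum or drop the phrase.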
@ -31,6 +31,7 @@ docker-run - Run a command in a new container
|
||||||
[**--help**]
|
[**--help**]
|
||||||
[**-i**|**--interactive**[=*false*]]
|
[**-i**|**--interactive**[=*false*]]
|
||||||
[**--ipc**[=*IPC*]]
|
[**--ipc**[=*IPC*]]
|
||||||
|
[**--kernel-memory**[=*KERNEL-MEMORY*]]
|
||||||
[**-l**|**--label**[=*[]*]]
|
[**-l**|**--label**[=*[]*]]
|
||||||
[**--label-file**[=*[]*]]
|
[**--label-file**[=*[]*]]
|
||||||
[**--link**[=*[]*]]
|
[**--link**[=*[]*]]
|
||||||
|
@ -242,6 +243,15 @@ ENTRYPOINT.
|
||||||
**-l**, **--label**=[]
|
**-l**, **--label**=[]
|
||||||
Set metadata on the container (e.g., --label com.example.key=value)
|
Set metadata on the container (e.g., --label com.example.key=value)
|
||||||
|
|
||||||
|
**--kernel-memory**=""
|
||||||
|
Kernel memory limit (format: `<number>[<unit>]`, where unit = b, k, m or g)
|
||||||
|
|
||||||
|
Constrains the kernel memory available to a container. If a limit of 0
|
||||||
|
is specified (not using `--kernel-memory`), the container's kernel memory
|
||||||
|
is not limited. If you specify a limit, it may be rounded up to a multiple
|
||||||
|
of the operating system's page size and the value can be very large,
|
||||||
|
millions of trillions.
|
||||||
|
|
||||||
**--label-file**=[]
|
**--label-file**=[]
|
||||||
Read in a line delimited file of labels
|
Read in a line delimited file of labels
|
||||||
|
|
||||||
|
|
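Review bot: `**--kernel-memory**=""` is inserted between `**-l**, **--label**=[]` and `**--label-file**=[]`, which splits the two label options and breaks alphabetical order; in the docker-create man page the same entry follows the `--ipc` text and precedes `-l`. Move it ahead of `-l` here as well. The description paragraph is a copy of the docker-create one, so any wording fix made there should be mirrored in this file.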