Docker allocating resources

Presentation By:Mohammadreza Amini

Amir Arsalan

Autumn 2015IRAN OpenStack Users Group

Allocating Resources & Limitation Container

Agenda

Allocating Resources

| Iran Community OpenStack.ir

● Docker Allocating Resources

● CPU

● RAM

● Disk

● Limitation Container

● Linux Capability

● Devices




Allocation of resources to containers is especially important as containers are less

isolated than virtual machines.

A single runaway container can lead to performance issues and degradation

across the entire host.

In Hypervisors, VMs are normally allocated a fixed amount of CPU resources, RAM,

and disk space, meaning that the applications will work within those set limits no

matter the load to which the VM or application is subjected.





CPU

Each container is assigned a “share” of the CPU, set to 1024 by default. By itself,

1024 CPU share does not mean anything.

If there is only a single container running, then it can use all the available CPU

resources.

However, if you launch another container and both containers have 1024 CPU

share, then each container can claim at least 50% of the CPU resources.



CPU Allocating Resource



● Share cpu

$ docker run -ti -c 1024 ubuntu:14.04 /bin/bash

● Cpu period & quota

$ docker run -ti --cpu-period=50000 --cpu-quota=10000 ubuntu:14.04 /bin/bash



Memory

Memory Allocating Resource



● Memory & Memory swap

$ docker run -ti -m 300M --memory-swap 900M ubuntu:14.04 /bin/bash



Disk

Disk space and read/write speed can be limited in Docker. By default, read/write

speed is unlimited. However, if required, it can be limited as needed using cgroups.

Each container is allocated 10GB of space by default.



Disk Allocating Resource



● Base Size

$ docker -d --storage-opt dm.basesize=20G ubuntu:14.04 /bin/bash

More Details: https://github.com/docker/docker/blob/v1.2.0/daemon/graphdriver/devmapper/README.md#options



Limitation Container



By default, Docker containers are “unprivileged” and cannot, for example, run a Docker

daemon inside a Docker container. This is because by default a container is not allowed to

access any devices, but a “privileged” container is given access to all devices

More Details: https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources

Linux capability



More Details: http://linux.die.net/man/7/capabilities

● Add capability

$ docker run -ti --cap-add=NET_ADMIN ubuntu:14.04 /bin/bash

● drop capability

$ docker run -ti --cap-add=ALL --cap-drop=NET_ADMIN ubuntu:14.04 /bin/bash

Devices



If you want to limit access to a specific device or devices you can use the --device

flag. It allows you to specify one or more devices that will be accessible within the

container.

● Devices

$ docker run -ti --device=/dev/snd:/dev/snd ubuntu:14.04 /bin/bash



Any Question?



Stay in Touch and Join Us:

● Home Page: OpenStack.ir

● Meetup age: Meetup.com/IranOpenStack

● Mailing List: [email protected]

● Twitter: @OpenStackIR , #OpenStackIRAN

● IRC Channel on FreeNode: #OpenStack-ir



Mohammadreza Amini

Linux Administrator

[email protected]

Amir Arsalan

Python Developer

[email protected]

Thank You

Technology

Docker allocating resources