Exercise 1.4 - CGroups

Return to Workshop

cgroups

Exercise 1.4 - CGroups

Exercise Description

The Device Cgroup is primary in isolating and limiting containers to their own shares of CPU, memory, disk I/O, network, etc., otherwise the container will be denied. This exercise covers management of memory and CPU limitations.

Section 1: Memory Limits

Docker uses Cgroups to control and limit the amount of system resources a container can use, and provide administrators with fine-grained control over allocating, prioritizing, denying, managing and monitoring system resources. Cgroups help protect a system from potential application memory leaks or Denial of Service (DoS) attacks that can consume all available memory and take down a system.

Step 1. Run containers with Docker flags

By running containers with special Docker flags, we can restrict the amount of memory a container is able to consume, even when an application is trying to consume more memory.

sudo docker run -d --name fedora1 fedora sleep 15m

Step 2. Check for memory limits on a container

We can check using the docker stats command and see that this instance fedora1 has no memory limits placed on it.

sudo docker stats --no-stream fedora1

CONTAINER           CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O
fedora1             0.00%               2.601 MB / 1.927 GB   0.13%               648 B / 648 B       2.81 MB / 0 B

Step 3. Place a memory limit on a container

Now we can place a memory limit on this second container fedora2 with the docker flag --memory.

sudo docker run -d --name fedora2 --memory 150m fedora sleep 15m

Step 4. Check for the new memory restrictions on the container

Now, check again using the docker stats command, to see the memory restrictions placed on this new container.

sudo docker stats --no-stream fedora1 fedora2

CONTAINER           CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O
fedora1             0.00%               2.601 MB / 1.927 GB   0.13%               1.296 kB / 648 B    2.81 MB / 0 B
fedora2             0.00%               2.597 MB / 157.3 MB   1.65%               648 B / 648 B       2.81 MB / 0 B

Now you know how to restrict the amount of memory a container is able to use.

Step 5. Clean Up

Lets clean up for the next exercise.

Kill all running containers

sudo docker kill $(sudo docker ps -q)

Delete exited containers

sudo docker rm $(sudo docker ps -aqf status=exited)

Make sure everything is cleared out.

sudo docker ps -a

Section 2: CPU Limits

By default, each container’s access to the host machine’s CPU cycles is unlimited. Various constraints can be set to limit a given container’s access to the host machine’s CPU cycles. Docker provides several flags for setting limits on how many shares of a processor a container is able to use. Previously we looked at memory restrictions and setting a maximum ceiling for memory usage, CPU limits are set by shares.

In this exercise, we will define share weights for each container and split the available shares between the containers for a single processor.

Step 1. Lets run a container with 512 limit of CPU shares.

sudo docker run -d --name fedora1 --cpuset-cpus 0 --cpu-shares 512 dkuffner/docker-stress --cpu 10

Step 2. Determine the container’s share usage

Now lets see how many shares this container is using.

sudo docker stats --no-stream fedora1

CONTAINER           CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O
fedora1             99.66%              3.088 MB / 1.927 GB   0.16%               648 B / 648 B       3.077 MB / 0 B

CPU shares are defined as a value between 0-1024, however when idle the container will use all available shares until another process needs to use the existing shares. Let’s run a example where another container needs to run and we divide up the shares equally.

sudo docker run -d --name fedora2 --cpuset-cpus 0 --cpu-shares 512 dkuffner/docker-stress --cpu 10

Step 3. View the processor shares

Now lets see how the processor shares get divided between the two.

sudo docker stats --no-stream fedora1 fedora2

CONTAINER           CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O
fedora1             49.56%              3.092 MB / 1.927 GB   0.16%               1.296 kB / 648 B    3.06 MB / 0 B
fedora2             49.91%              3.088 MB / 1.927 GB   0.16%               648 B / 648 B       3.06 MB / 0 B

Now you know how to control the amount of CPU shares a container is able to use.

Step 4. Clean Up

Lets clean up for the next exercise.

Kill all running containers

sudo docker kill $(sudo docker ps -q)

Delete exited containers

sudo docker rm $(sudo docker ps -aqf status=exited)

Make sure everything is cleared out.

sudo docker ps -a

Workshop Details

Domain
Workshop
Student ID

Return to Workshop

Copyright © 2021 Presidio, Inc.