1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

pids limit support

update bash commpletion for pids limit

update check config for kernel

add docs for pids limit

add pids stats

add stats to docker client

Signed-off-by: Jessica Frazelle <acidburn@docker.com>
This commit is contained in:
Jessica Frazelle 2015-12-15 11:15:43 -08:00
parent 9e2c4de0de
commit 69cf03700f
No known key found for this signature in database
GPG key ID: 18F3685C0022BFF3
21 changed files with 83 additions and 4 deletions

View file

@ -164,7 +164,7 @@ func (cli *DockerCli) CmdStats(args ...string) error {
fmt.Fprint(cli.out, "\033[2J") fmt.Fprint(cli.out, "\033[2J")
fmt.Fprint(cli.out, "\033[H") fmt.Fprint(cli.out, "\033[H")
} }
io.WriteString(w, "CONTAINER\tCPU %\tMEM USAGE / LIMIT\tMEM %\tNET I/O\tBLOCK I/O\n") io.WriteString(w, "CONTAINER\tCPU %\tMEM USAGE / LIMIT\tMEM %\tNET I/O\tBLOCK I/O\tPIDS\n")
} }
for range time.Tick(500 * time.Millisecond) { for range time.Tick(500 * time.Millisecond) {

View file

@ -24,6 +24,7 @@ type containerStats struct {
NetworkTx float64 NetworkTx float64
BlockRead float64 BlockRead float64
BlockWrite float64 BlockWrite float64
PidsCurrent uint64
mu sync.RWMutex mu sync.RWMutex
err error err error
} }
@ -167,13 +168,14 @@ func (s *containerStats) Display(w io.Writer) error {
if s.err != nil { if s.err != nil {
return s.err return s.err
} }
fmt.Fprintf(w, "%s\t%.2f%%\t%s / %s\t%.2f%%\t%s / %s\t%s / %s\n", fmt.Fprintf(w, "%s\t%.2f%%\t%s / %s\t%.2f%%\t%s / %s\t%s / %s\t%d\n",
s.Name, s.Name,
s.CPUPercentage, s.CPUPercentage,
units.HumanSize(s.Memory), units.HumanSize(s.MemoryLimit), units.HumanSize(s.Memory), units.HumanSize(s.MemoryLimit),
s.MemoryPercentage, s.MemoryPercentage,
units.HumanSize(s.NetworkRx), units.HumanSize(s.NetworkTx), units.HumanSize(s.NetworkRx), units.HumanSize(s.NetworkTx),
units.HumanSize(s.BlockRead), units.HumanSize(s.BlockWrite)) units.HumanSize(s.BlockRead), units.HumanSize(s.BlockWrite),
s.PidsCurrent)
return nil return nil
} }

View file

@ -19,6 +19,7 @@ func TestDisplay(t *testing.T) {
NetworkTx: 800 * 1024 * 1024, NetworkTx: 800 * 1024 * 1024,
BlockRead: 100 * 1024 * 1024, BlockRead: 100 * 1024 * 1024,
BlockWrite: 800 * 1024 * 1024, BlockWrite: 800 * 1024 * 1024,
PidsCurrent: 1,
mu: sync.RWMutex{}, mu: sync.RWMutex{},
} }
var b bytes.Buffer var b bytes.Buffer
@ -26,7 +27,7 @@ func TestDisplay(t *testing.T) {
t.Fatalf("c.Display() gave error: %s", err) t.Fatalf("c.Display() gave error: %s", err)
} }
got := b.String() got := b.String()
want := "app\t30.00%\t104.9 MB / 2.147 GB\t4.88%\t104.9 MB / 838.9 MB\t104.9 MB / 838.9 MB\n" want := "app\t30.00%\t104.9 MB / 2.147 GB\t4.88%\t104.9 MB / 838.9 MB\t104.9 MB / 838.9 MB\t1\n"
if got != want { if got != want {
t.Fatalf("c.Display() = %q, want %q", got, want) t.Fatalf("c.Display() = %q, want %q", got, want)
} }

View file

@ -202,6 +202,9 @@ echo 'Optional Features:'
{ {
check_flags SECCOMP check_flags SECCOMP
} }
{
check_flags CGROUP_PIDS
}
{ {
check_flags MEMCG_KMEM MEMCG_SWAP MEMCG_SWAP_ENABLED check_flags MEMCG_KMEM MEMCG_SWAP MEMCG_SWAP_ENABLED
if is_set MEMCG_SWAP && ! is_set MEMCG_SWAP_ENABLED; then if is_set MEMCG_SWAP && ! is_set MEMCG_SWAP_ENABLED; then

View file

@ -1637,6 +1637,7 @@ _docker_run() {
--net-alias --net-alias
--oom-score-adj --oom-score-adj
--pid --pid
--pids-limit
--publish -p --publish -p
--restart --restart
--security-opt --security-opt

View file

@ -534,6 +534,7 @@ __docker_subcommand() {
"($help)*--net-alias=[Add network-scoped alias for the container]:alias: " "($help)*--net-alias=[Add network-scoped alias for the container]:alias: "
"($help)--oom-kill-disable[Disable OOM Killer]" "($help)--oom-kill-disable[Disable OOM Killer]"
"($help)--oom-score-adj[Tune the host's OOM preferences for containers (accepts -1000 to 1000)]" "($help)--oom-score-adj[Tune the host's OOM preferences for containers (accepts -1000 to 1000)]"
"($help)--pids-limit[Tune container pids limit (set -1 for unlimited)]"
"($help -P --publish-all)"{-P,--publish-all}"[Publish all exposed ports]" "($help -P --publish-all)"{-P,--publish-all}"[Publish all exposed ports]"
"($help)*"{-p=,--publish=}"[Expose a container's port to the host]:port:_ports" "($help)*"{-p=,--publish=}"[Expose a container's port to the host]:port:_ports"
"($help)--pid=[PID namespace to use]:PID: " "($help)--pid=[PID namespace to use]:PID: "

View file

@ -198,6 +198,7 @@ func (daemon *Daemon) populateCommand(c *container.Container, env []string) erro
BlkioThrottleWriteBpsDevice: writeBpsDevice, BlkioThrottleWriteBpsDevice: writeBpsDevice,
BlkioThrottleReadIOpsDevice: readIOpsDevice, BlkioThrottleReadIOpsDevice: readIOpsDevice,
BlkioThrottleWriteIOpsDevice: writeIOpsDevice, BlkioThrottleWriteIOpsDevice: writeIOpsDevice,
PidsLimit: c.HostConfig.PidsLimit,
MemorySwappiness: -1, MemorySwappiness: -1,
} }

View file

@ -285,6 +285,12 @@ func verifyContainerResources(resources *containertypes.Resources, sysInfo *sysi
resources.OomKillDisable = nil resources.OomKillDisable = nil
} }
if resources.PidsLimit != 0 && !sysInfo.PidsLimit {
warnings = append(warnings, "Your kernel does not support pids limit capabilities, pids limit discarded.")
logrus.Warnf("Your kernel does not support pids limit capabilities, pids limit discarded.")
resources.PidsLimit = 0
}
// cpu subsystem checks and adjustments // cpu subsystem checks and adjustments
if resources.CPUShares > 0 && !sysInfo.CPUShares { if resources.CPUShares > 0 && !sysInfo.CPUShares {
warnings = append(warnings, "Your kernel does not support CPU shares. Shares discarded.") warnings = append(warnings, "Your kernel does not support CPU shares. Shares discarded.")

View file

@ -50,6 +50,7 @@ type Resources struct {
CPUPeriod int64 `json:"cpu_period"` CPUPeriod int64 `json:"cpu_period"`
Rlimits []*units.Rlimit `json:"rlimits"` Rlimits []*units.Rlimit `json:"rlimits"`
OomKillDisable bool `json:"oom_kill_disable"` OomKillDisable bool `json:"oom_kill_disable"`
PidsLimit int64 `json:"pids_limit"`
MemorySwappiness int64 `json:"memory_swappiness"` MemorySwappiness int64 `json:"memory_swappiness"`
} }
@ -201,6 +202,7 @@ func SetupCgroups(container *configs.Config, c *Command) error {
container.Cgroups.Resources.BlkioThrottleReadIOPSDevice = c.Resources.BlkioThrottleReadIOpsDevice container.Cgroups.Resources.BlkioThrottleReadIOPSDevice = c.Resources.BlkioThrottleReadIOpsDevice
container.Cgroups.Resources.BlkioThrottleWriteIOPSDevice = c.Resources.BlkioThrottleWriteIOpsDevice container.Cgroups.Resources.BlkioThrottleWriteIOPSDevice = c.Resources.BlkioThrottleWriteIOpsDevice
container.Cgroups.Resources.OomKillDisable = c.Resources.OomKillDisable container.Cgroups.Resources.OomKillDisable = c.Resources.OomKillDisable
container.Cgroups.Resources.PidsLimit = c.Resources.PidsLimit
container.Cgroups.Resources.MemorySwappiness = c.Resources.MemorySwappiness container.Cgroups.Resources.MemorySwappiness = c.Resources.MemorySwappiness
} }

View file

@ -61,6 +61,10 @@ func convertStatsToAPITypes(ls *libcontainer.Stats) *types.StatsJSON {
Stats: mem.Stats, Stats: mem.Stats,
Failcnt: mem.Usage.Failcnt, Failcnt: mem.Usage.Failcnt,
} }
pids := cs.PidsStats
s.PidsStats = types.PidsStats{
Current: pids.Current,
}
} }
return s return s

View file

@ -123,6 +123,8 @@ This section lists each version from latest to oldest. Each listing includes a
* `POST /networks/create` now supports enabling ipv6 on the network by setting the `EnableIPv6` field (doing this with a label will no longer work). * `POST /networks/create` now supports enabling ipv6 on the network by setting the `EnableIPv6` field (doing this with a label will no longer work).
* `GET /info` now returns `CgroupDriver` field showing what cgroup driver the daemon is using; `cgroupfs` or `systemd`. * `GET /info` now returns `CgroupDriver` field showing what cgroup driver the daemon is using; `cgroupfs` or `systemd`.
* `GET /info` now returns `KernelMemory` field, showing if "kernel memory limit" is supported. * `GET /info` now returns `KernelMemory` field, showing if "kernel memory limit" is supported.
* `POST /containers/create` now takes `PidsLimit` field, if the kernel is >= 4.3 and the pids cgroup is supported.
* `GET /containers/(id or name)/stats` now returns `pids_stats`, if the kernel is >= 4.3 and the pids cgroup is supported.
### v1.22 API changes ### v1.22 API changes

View file

@ -346,6 +346,7 @@ Json Parameters:
- **MemorySwappiness** - Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100. - **MemorySwappiness** - Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
- **OomKillDisable** - Boolean value, whether to disable OOM Killer for the container or not. - **OomKillDisable** - Boolean value, whether to disable OOM Killer for the container or not.
- **OomScoreAdj** - An integer value containing the score given to the container in order to tune OOM killer preferences. - **OomScoreAdj** - An integer value containing the score given to the container in order to tune OOM killer preferences.
- **PidsLimit** - Tune a container's pids limit. Set -1 for unlimited.
- **AttachStdin** - Boolean value, attaches to `stdin`. - **AttachStdin** - Boolean value, attaches to `stdin`.
- **AttachStdout** - Boolean value, attaches to `stdout`. - **AttachStdout** - Boolean value, attaches to `stdout`.
- **AttachStderr** - Boolean value, attaches to `stderr`. - **AttachStderr** - Boolean value, attaches to `stderr`.
@ -823,6 +824,9 @@ This endpoint returns a live stream of a container's resource usage statistics.
{ {
"read" : "2015-01-08T22:57:31.547920715Z", "read" : "2015-01-08T22:57:31.547920715Z",
"pids_stats": {
"current": 3
},
"networks": { "networks": {
"eth0": { "eth0": {
"rx_bytes": 5338, "rx_bytes": 5338,

View file

@ -74,6 +74,7 @@ Creates a new container.
-P, --publish-all Publish all exposed ports to random ports -P, --publish-all Publish all exposed ports to random ports
-p, --publish=[] Publish a container's port(s) to the host -p, --publish=[] Publish a container's port(s) to the host
--pid="" PID namespace to use --pid="" PID namespace to use
--pids-limit=-1 Tune container pids limit (set -1 for unlimited), kernel >= 4.3
--privileged Give extended privileges to this container --privileged Give extended privileges to this container
--read-only Mount the container's root filesystem as read only --read-only Mount the container's root filesystem as read only
--restart="no" Restart policy (no, on-failure[:max-retry], always, unless-stopped) --restart="no" Restart policy (no, on-failure[:max-retry], always, unless-stopped)

View file

@ -74,6 +74,7 @@ parent = "smn_cli"
-P, --publish-all Publish all exposed ports to random ports -P, --publish-all Publish all exposed ports to random ports
-p, --publish=[] Publish a container's port(s) to the host -p, --publish=[] Publish a container's port(s) to the host
--pid="" PID namespace to use --pid="" PID namespace to use
--pids-limit=-1 Tune container pids limit (set -1 for unlimited), kernel >= 4.3
--privileged Give extended privileges to this container --privileged Give extended privileges to this container
--read-only Mount the container's root filesystem as read only --read-only Mount the container's root filesystem as read only
--restart="no" Restart policy (no, on-failure[:max-retry], always, unless-stopped) --restart="no" Restart policy (no, on-failure[:max-retry], always, unless-stopped)

View file

@ -956,3 +956,15 @@ func (s *DockerSuite) TestRunDeviceSymlink(c *check.C) {
c.Assert(err, check.NotNil) c.Assert(err, check.NotNil)
c.Assert(strings.Trim(out, "\r\n"), checker.Contains, "not a device node", check.Commentf("expected output 'not a device node'")) c.Assert(strings.Trim(out, "\r\n"), checker.Contains, "not a device node", check.Commentf("expected output 'not a device node'"))
} }
// TestRunPidsLimit makes sure the pids cgroup is set with --pids-limit
func (s *DockerSuite) TestRunPidsLimit(c *check.C) {
testRequires(c, pidsLimit)
file := "/sys/fs/cgroup/pids/pids.max"
out, _ := dockerCmd(c, "run", "--name", "skittles", "--pids-limit", "2", "busybox", "cat", file)
c.Assert(strings.TrimSpace(out), checker.Equals, "2")
out = inspectField(c, "skittles", "HostConfig.PidsLimit")
c.Assert(out, checker.Equals, "2", check.Commentf("setting the pids limit failed"))
}

View file

@ -33,6 +33,12 @@ var (
}, },
"Test requires Oom control enabled.", "Test requires Oom control enabled.",
} }
pidsLimit = testRequirement{
func() bool {
return SysInfo.PidsLimit
},
"Test requires pids limit enabled.",
}
kernelMemorySupport = testRequirement{ kernelMemorySupport = testRequirement{
func() bool { func() bool {
return SysInfo.KernelMemory return SysInfo.KernelMemory

View file

@ -58,6 +58,7 @@ docker-create - Create a new container
[**-P**|**--publish-all**] [**-P**|**--publish-all**]
[**-p**|**--publish**[=*[]*]] [**-p**|**--publish**[=*[]*]]
[**--pid**[=*[]*]] [**--pid**[=*[]*]]
[**--pids-limit**[=*PIDS_LIMIT*]]
[**--privileged**] [**--privileged**]
[**--read-only**] [**--read-only**]
[**--restart**[=*RESTART*]] [**--restart**[=*RESTART*]]
@ -290,6 +291,9 @@ unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap.
**host**: use the host's PID namespace inside the container. **host**: use the host's PID namespace inside the container.
Note: the host mode gives the container full access to local PID and is therefore considered insecure. Note: the host mode gives the container full access to local PID and is therefore considered insecure.
**--pids-limit**=""
Tune the container's pids limit. Set `-1` to have unlimited pids for the container.
**--privileged**=*true*|*false* **--privileged**=*true*|*false*
Give extended privileges to this container. The default is *false*. Give extended privileges to this container. The default is *false*.

View file

@ -60,6 +60,7 @@ docker-run - Run a command in a new container
[**-P**|**--publish-all**] [**-P**|**--publish-all**]
[**-p**|**--publish**[=*[]*]] [**-p**|**--publish**[=*[]*]]
[**--pid**[=*[]*]] [**--pid**[=*[]*]]
[**--pids-limit**[=*PIDS_LIMIT*]]
[**--privileged**] [**--privileged**]
[**--read-only**] [**--read-only**]
[**--restart**[=*RESTART*]] [**--restart**[=*RESTART*]]
@ -420,6 +421,9 @@ Use `docker port` to see the actual mapping: `docker port CONTAINER $CONTAINERPO
**host**: use the host's PID namespace inside the container. **host**: use the host's PID namespace inside the container.
Note: the host mode gives the container full access to local PID and is therefore considered insecure. Note: the host mode gives the container full access to local PID and is therefore considered insecure.
**--pids-limit**=""
Tune the container's pids limit. Set `-1` to have unlimited pids for the container.
**--uts**=*host* **--uts**=*host*
Set the UTS mode for the container Set the UTS mode for the container
**host**: use the host's UTS namespace inside the container. **host**: use the host's UTS namespace inside the container.

View file

@ -14,6 +14,7 @@ type SysInfo struct {
cgroupCPUInfo cgroupCPUInfo
cgroupBlkioInfo cgroupBlkioInfo
cgroupCpusetInfo cgroupCpusetInfo
cgroupPids
// Whether IPv4 forwarding is supported or not, if this was disabled, networking will not work // Whether IPv4 forwarding is supported or not, if this was disabled, networking will not work
IPv4ForwardingDisabled bool IPv4ForwardingDisabled bool
@ -90,6 +91,11 @@ type cgroupCpusetInfo struct {
Mems string Mems string
} }
type cgroupPids struct {
// Whether Pids Limit is supported or not
PidsLimit bool
}
// IsCpusetCpusAvailable returns `true` if the provided string set is contained // IsCpusetCpusAvailable returns `true` if the provided string set is contained
// in cgroup's cpuset.cpus set, `false` otherwise. // in cgroup's cpuset.cpus set, `false` otherwise.
// If error is not nil a parsing error occurred. // If error is not nil a parsing error occurred.

View file

@ -44,6 +44,7 @@ func New(quiet bool) *SysInfo {
sysInfo.cgroupCPUInfo = checkCgroupCPU(cgMounts, quiet) sysInfo.cgroupCPUInfo = checkCgroupCPU(cgMounts, quiet)
sysInfo.cgroupBlkioInfo = checkCgroupBlkioInfo(cgMounts, quiet) sysInfo.cgroupBlkioInfo = checkCgroupBlkioInfo(cgMounts, quiet)
sysInfo.cgroupCpusetInfo = checkCgroupCpusetInfo(cgMounts, quiet) sysInfo.cgroupCpusetInfo = checkCgroupCpusetInfo(cgMounts, quiet)
sysInfo.cgroupPids = checkCgroupPids(quiet)
} }
_, ok := cgMounts["devices"] _, ok := cgMounts["devices"]
@ -216,6 +217,21 @@ func checkCgroupCpusetInfo(cgMounts map[string]string, quiet bool) cgroupCpusetI
} }
} }
// checkCgroupPids reads the pids information from the pids cgroup mount point.
func checkCgroupPids(quiet bool) cgroupPids {
_, err := cgroups.FindCgroupMountpoint("pids")
if err != nil {
if !quiet {
logrus.Warn(err)
}
return cgroupPids{}
}
return cgroupPids{
PidsLimit: true,
}
}
func cgroupEnabled(mountPoint, name string) bool { func cgroupEnabled(mountPoint, name string) bool {
_, err := os.Stat(path.Join(mountPoint, name)) _, err := os.Stat(path.Join(mountPoint, name))
return err == nil return err == nil

View file

@ -85,6 +85,7 @@ func Parse(cmd *flag.FlagSet, args []string) (*container.Config, *container.Host
flIPv4Address = cmd.String([]string{"-ip"}, "", "Container IPv4 address (e.g. 172.30.100.104)") flIPv4Address = cmd.String([]string{"-ip"}, "", "Container IPv4 address (e.g. 172.30.100.104)")
flIPv6Address = cmd.String([]string{"-ip6"}, "", "Container IPv6 address (e.g. 2001:db8::33)") flIPv6Address = cmd.String([]string{"-ip6"}, "", "Container IPv6 address (e.g. 2001:db8::33)")
flIpcMode = cmd.String([]string{"-ipc"}, "", "IPC namespace to use") flIpcMode = cmd.String([]string{"-ipc"}, "", "IPC namespace to use")
flPidsLimit = cmd.Int64([]string{"-pids-limit"}, 0, "Tune container pids limit (set -1 for unlimited)")
flRestartPolicy = cmd.String([]string{"-restart"}, "no", "Restart policy to apply when a container exits") flRestartPolicy = cmd.String([]string{"-restart"}, "no", "Restart policy to apply when a container exits")
flReadonlyRootfs = cmd.Bool([]string{"-read-only"}, false, "Mount the container's root filesystem as read only") flReadonlyRootfs = cmd.Bool([]string{"-read-only"}, false, "Mount the container's root filesystem as read only")
flLoggingDriver = cmd.String([]string{"-log-driver"}, "", "Logging driver for container") flLoggingDriver = cmd.String([]string{"-log-driver"}, "", "Logging driver for container")
@ -343,6 +344,7 @@ func Parse(cmd *flag.FlagSet, args []string) (*container.Config, *container.Host
CpusetCpus: *flCpusetCpus, CpusetCpus: *flCpusetCpus,
CpusetMems: *flCpusetMems, CpusetMems: *flCpusetMems,
CPUQuota: *flCPUQuota, CPUQuota: *flCPUQuota,
PidsLimit: *flPidsLimit,
BlkioWeight: *flBlkioWeight, BlkioWeight: *flBlkioWeight,
BlkioWeightDevice: flBlkioWeightDevice.GetList(), BlkioWeightDevice: flBlkioWeightDevice.GetList(),
BlkioDeviceReadBps: flDeviceReadBps.GetList(), BlkioDeviceReadBps: flDeviceReadBps.GetList(),