2. Docker Advanced

Last updated: 2019-03-31

Contents

  • Upgrade docker image
  • Managing Logging
  • Runtime Metrics
  • Limit a container's resources
  • oom-kill
  • Restart Policy
  • Live Restore
  • ENV Variable
  • Changing the port mapping of a container in Docker

 


Upgrade docker image

 

1. docker pull repo/image:latest

2. docker inspect container-id (to gather information about the container, ports, mapped volumes, etc)

3. docker stop container-id

4. docker rm container-id

5. docker run (use documented run params) repo/image:latest

i.e.

docker pull onlyoffice/documentserver

Using default tag: latest
Trying to pull repository docker.io/onlyoffice/documentserver ...
latest: Pulling from docker.io/onlyoffice/documentserver
Digest: sha256:5c78b28f9c8da2b079faefe4ddd6a6755ec5c0edb9bb661064dbd27ae3172668
Status: Image is up to date for docker.io/onlyoffice/documentserver:latest
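Because `latest` is a mutable tag, step 5 can start a different image from the one that was reviewed. The following added example (not part of the original notes) parses the pull output shown above into a digest-pinned reference and decides whether to recreate the container; the function names and the idea of an approved-digest set are assumptions made for illustration.

```python
import re

# Output of the `docker pull` shown above, embedded so the example runs offline.
PULL_OUTPUT = """\
Using default tag: latest
Trying to pull repository docker.io/onlyoffice/documentserver ...
latest: Pulling from docker.io/onlyoffice/documentserver
Digest: sha256:5c78b28f9c8da2b079faefe4ddd6a6755ec5c0edb9bb661064dbd27ae3172668
Status: Image is up to date for docker.io/onlyoffice/documentserver:latest
"""

DIGEST_RE = re.compile(r"^Digest:\s*(sha256:[0-9a-f]{64})\s*$", re.M)
STATUS_RE = re.compile(
    r"^Status: (Image is up to date|Downloaded newer image) for (\S+)\s*$", re.M)


def parse_pull(output):
    """Return the digest, a digest-pinned reference, and whether the image changed."""
    digest = DIGEST_RE.search(output)
    status = STATUS_RE.search(output)
    if digest is None or status is None:
        raise ValueError("no Digest/Status line: pull failed or output format differs")
    repo = status.group(2).rsplit(":", 1)[0]      # drop the mutable tag
    return {
        "digest": digest.group(1),
        "pinned": repo + "@" + digest.group(1),   # usable in place of repo:latest
        "changed": status.group(1) == "Downloaded newer image",
    }


def upgrade_decision(output, approved_digests):
    """Decide whether steps 3-5 should run, given the digests that were reviewed."""
    info = parse_pull(output)
    if info["digest"] not in approved_digests:
        return "hold: %s has not been reviewed" % info["digest"]
    if not info["changed"]:
        return "no-op: no newer image was pulled"
    return "recreate with %s" % info["pinned"]
```

Running the container from the `pinned` reference instead of `repo/image:latest` makes the deployed image reproducible and lets `docker inspect` output be compared against a known digest later.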

 


Managing Logging

 

The NGINX image is configured to send the main access & error logs to the Docker log collector by default.

ls -l /var/log/nginx

total 0
lrwxrwxrwx 1 root root 11 Dec  6 08:21 access.log -> /dev/stdout
lrwxrwxrwx 1 root root 11 Dec  6 08:21 error.log -> /dev/stderr

This causes all messages from both logs to be stored in the file /var/lib/docker/containers/<container id>/json.log

# display the long-form Id for a container

docker inspect --format '{{ .Id }}' <container name>
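Since access and error messages end up interleaved in one JSON log file, each record's `stream` field is what tells them apart. This added example (not from the original notes) splits constructed json-file records back into the two NGINX logs, tolerates a truncated record, and lists denied requests; the sample lines and function names are assumptions.

```python
import json
import re

def _rec(stream, msg, ts):
    # One record as the json-file log driver writes it (constructed sample data).
    return json.dumps({"log": msg + "\n", "stream": stream, "time": ts})

SAMPLE_LOG = [
    _rec("stdout", '203.0.113.7 - - [06/Dec/2018:08:25:01 +0000] '
                   '"GET / HTTP/1.1" 200 612 "-" "curl/7.61.0"', "2018-12-06T08:25:01.10Z"),
    _rec("stdout", '203.0.113.9 - - [06/Dec/2018:08:25:04 +0000] '
                   '"GET /admin HTTP/1.1" 403 153 "-" "-"', "2018-12-06T08:25:04.52Z"),
    _rec("stderr", '2018/12/06 08:25:04 [error] 7#7: *2 access forbidden by rule, '
                   'client: 203.0.113.9', "2018-12-06T08:25:04.53Z"),
    '{"log":"203.0.113.9 - - [06/Dec/2018:08:25:09',   # truncated record
]

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')

def split_streams(lines):
    """Undo the merge: stdout holds access.log entries, stderr holds error.log entries."""
    streams, malformed = {"stdout": [], "stderr": []}, 0
    for raw in lines:
        try:
            rec = json.loads(raw)
            streams[rec["stream"]].append((rec["time"], rec["log"].rstrip("\n")))
        except (ValueError, KeyError, TypeError, AttributeError):
            malformed += 1          # count corrupt records instead of crashing
    return streams, malformed

def denied_requests(access_entries):
    """Return (client, request, status) for access-log entries with status >= 400."""
    hits = []
    for _ts, line in access_entries:
        m = ACCESS_RE.match(line)
        if m and int(m.group(3)) >= 400:
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits
```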

 


Runtime Metrics

 

# Refreshes once per second

docker stats [CONTAINER...]

i.e.

docker stats mysql57

CONTAINER           CPU %               MEM USAGE / LIMIT       MEM %               NET I/O             BLOCK I/O           PIDS
mysql57             0.04%               189.8 MiB / 991.4 MiB   19.15%              8.61 kB / 18.8 kB   116 MB / 26.6 MB    29

Notes:

"NET I/O" and "BLOCK I/O" are the cumulative usage since the container was started.

"PIDS": the number of processes and kernel threads created by that container

A large number in the PIDS column combined with a small number of processes (as reported by ps or top) may indicate that something in the container is creating many threads.

 


Limit a container's resources

 

Default: use as much of a given resource as the host's kernel scheduler allows.

(no resource constraints)

Check host capabilities (how many resources the host has)

docker info

Checking container resource setting

Realtime Resource Usage

docker stats

CONTAINER       CPU %     MEM USAGE / LIMIT     MEM %       NET I/O             BLOCK I/O           PIDS
b953a66787f3    0.04%     192.6 MiB / 256 MiB   75.25%      9.85 kB / 36.5 kB   121 MB / 26.7 MB    29

Memory

docker inspect -f "{{ .HostConfig.Memory }}"  mysql57             # 536870912

docker inspect -f "{{ .HostConfig.MemorySwap }}"  mysql57      # 1073741824

CPU

docker inspect -f "{{ .HostConfig.CpuShares }}"  mysql57

CPU Resources

CPU weight

# The share of CPU each container gets when several containers are running at the same time

# Default 1024

# -c / --cpu-shares

-c 410       # 40%

-c 614       # 60%

--cpus="1.5"            

# Default: 0 => no limit

# guaranteed to be able to access

# Available in Docker 1.13 and higher (older versions must use --cpu-quota)

# 1.5 equivalent of setting --cpu-period="100000" and --cpu-quota="150000"

Remark

Affects: cpu.cfs_period_us, cpu.cfs_quota_us

 # Limit CPU CFS period (# Defaults to 100 micro-seconds)

 --cpu-period  

 # -1:  a container can use all available CPU resources

 --cpu-quota    # Limit CPU CFS quota

 CFS = Completely Fair Scheduler

 * small period => ensuring a consistent latency response at the expense of burst capacity

--cpuset-cpus "?"

# Limit the specific CPUs or cores a container can use.

i.e.

--cpuset-cpus "1,3"

--cpuset-cpus "0-3"

Memory Resources

-m N | --memory= N

i.e.

#  0 => unset (memory  is not limited)

-m 4m

--memory-swap=

# Default: --memory X 2
#  0 => unset
# -1 => allowed to use unlimited swap (host limit)

--memory-swappiness

# Default: inherited from the host machine
# 0 => turns off
# 100 =>  all anonymous pages as swappable

Change allocated resources on the fly

# Remark: when updating memory, memory-swap must be updated at the same time

docker update --memory 256m --memory-swap 1g mysql57

 


Capability

 

--cap-add=?

i.e.

# Grants the container the CAP_SYS_NICE capability

# which allows the container to raise process nice values,

# set real-time scheduling policies, set CPU affinity, and other operations.

--cap-add=sys_nice   

--ulimit rtprio=<value>    

The maximum realtime priority allowed for the container.

 


oom-kill

 

--oom-kill-disable

 * Only disable the OOM killer on containers where you have also set the -m/--memory option.

 => If the -m flag is not set, the host can run out of memory and the kernel may need to kill the host system’s processes to free memory.

i.e.

docker update --memory=256m --memory-swap=1g mysql57
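The resource-limit, capability and oom-kill notes above can be checked together against `docker inspect` output. This added example (not from the original notes) audits constructed inspect data; `NanoCpus`, `CpuQuota`, `CpuPeriod`, `OomKillDisable` and `CapAdd` are HostConfig fields not shown in these notes, and the `batch` container and function names are assumptions.

```python
import json

# Constructed `docker inspect` output, trimmed to the fields audited here.
INSPECT_JSON = """[
 {"Name": "/mysql57", "HostConfig": {"Memory": 268435456, "MemorySwap": 1073741824,
   "NanoCpus": 1500000000, "CpuPeriod": 0, "CpuQuota": 0, "CpuShares": 0,
   "OomKillDisable": false, "CapAdd": null}},
 {"Name": "/batch", "HostConfig": {"Memory": 0, "MemorySwap": 0,
   "NanoCpus": 0, "CpuPeriod": 0, "CpuQuota": 0, "CpuShares": 614,
   "OomKillDisable": true, "CapAdd": ["sys_nice"]}}
]"""

def cpu_cap(hc):
    """Hard CPU ceiling in cores, or None when only a weight (or nothing) is set."""
    if hc.get("NanoCpus"):                         # set by --cpus
        return hc["NanoCpus"] / 1e9
    if (hc.get("CpuQuota") or 0) > 0:              # set by --cpu-quota
        return hc["CpuQuota"] / (hc.get("CpuPeriod") or 100000)
    return None

def audit(container):
    """Return a list of findings for one container's HostConfig."""
    hc = container["HostConfig"]
    findings = []
    if not hc.get("Memory"):
        findings.append("no memory limit (-m unset)")
        if hc.get("OomKillDisable"):
            findings.append("OOM killer disabled without -m: host can run out of memory")
    if hc.get("MemorySwap") == -1:
        findings.append("unlimited swap (--memory-swap=-1)")
    if cpu_cap(hc) is None:
        findings.append("no CPU ceiling (--cpu-shares is only a relative weight)")
    for cap in hc.get("CapAdd") or []:
        name = cap.upper()
        name = name[4:] if name.startswith("CAP_") else name
        findings.append("added capability CAP_" + name)
    return findings

def audit_all(inspect_json):
    """Map container name -> findings for every container in the inspect output."""
    return {c["Name"].lstrip("/"): audit(c) for c in json.loads(inspect_json)}
```

Feed it real data with `docker inspect $(docker ps -q)`; an empty list means the container has a memory limit, a CPU ceiling and no added capabilities.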

 


Restart Policy (to apply when a container exits)(--restart)

 

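Purpose

Automatically start a container at boot, or automatically restart it when it dies unexpectedly.

If you do not want to use a restart policy to start containers, you can use a process manager (systemd, supervisor, ...) to start them instead.

Setting: --restart="?"              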

Policy: no,  on-failure[:max-retry], always, unless-stopped

i.e.

docker run --restart=always my_container

docker update --restart unless-stopped $(docker ps -q)          # all running containers

Policy

no (default)

Do not automatically restart the container when it exits.

on-failure[:max-retry]

# Restart only if the container exits with a non-zero exit status.

# The number of (attempted) restarts for a container (on-failure)

docker inspect -f "{{ .RestartCount }}" mysql57

always

# Always restart the container if it stops.
# If it is manually stopped, it is restarted only when Docker daemon restarts or
# the container itself is manually restarted.

unless-stopped

# Similar to always, except that when the container is stopped (manually or otherwise)
# It is not restarted even after Docker daemon restarts.

Application

 * Configure Redis to always restart unless the container is explicitly stopped

Status

# The container's current policy

docker inspect -f "{{ .HostConfig.RestartPolicy.Name }}"  my-container

# to get the number of restarts for container “my-container”

docker inspect -f "{{ .RestartCount }}" my-container

# to get the last time the container was (re)started

docker inspect -f "{{ .State.StartedAt }}" my-container

When a restart policy takes effect

A restart policy only takes effect after a container starts successfully.

In this case, starting successfully means that the container is up for at least 10 seconds and

Docker has started monitoring it.

(This prevents a container which does not start at all from going into a restart loop)

Add a restart policy to a container that was already created

# Restart policy to apply when a container exits

docker update --restart=unless-stopped <container>

docker restart <container>

 


Live Restore

 

Docker Engine Version > 1.12

By default, when the Docker daemon terminates, it shuts down running containers.

Setting to keep containers alive during daemon downtime

/etc/docker/daemon.json

{
  "live-restore": true
}

systemctl reload docker

 


Environment Variables

 

There are two ways to set environment variables:

  • -e
  • --env-file

-e                         # args

docker run ... \
 -e MYSQL_ROOT_USER=root \
 -e MYSQL_ROOT_PASSWD=my-secret-pw \
 ...

--env-file file.cf       # specify all required environment variables in a single file

file.cf

JWT_ENABLED=true
JWT_SECRET=???
JWT_HEADER=Authorization
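Values set with -e or --env-file are stored in the container's configuration and can be read back with `docker inspect`, and the env file itself sits on disk. This added example (not from the original notes) flags secret-looking variables, checks the env file's permissions, and produces a redacted view for reports; the name pattern, the placeholder secret value and the function names are assumptions.

```python
import os
import re
import stat
import tempfile

# file.cf from the notes; the JWT_SECRET value is a constructed placeholder.
FILE_CF = "JWT_ENABLED=true\nJWT_SECRET=constructed-placeholder\nJWT_HEADER=Authorization\n"
# What `docker inspect -f '{{ json .Config.Env }}'` would list for the -e example.
CONFIG_ENV = ["MYSQL_ROOT_USER=root", "MYSQL_ROOT_PASSWD=my-secret-pw"]

SECRET_NAME = re.compile(r"SECRET|PASSW|TOKEN|PRIVATE|API_?KEY", re.I)

def parse_env(lines):
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped."""
    env = {}
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            env[key] = value
    return env

def redact(env):
    """Copy of env that is safe to paste into a report or ticket."""
    return {k: "<redacted>" if SECRET_NAME.search(k) else v for k, v in env.items()}

def env_file_findings(path):
    """Flag loose file permissions and secret-looking variable names."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append("mode %o: accessible to users other than the owner" % mode)
    with open(path) as fh:
        for key in parse_env(fh):
            if SECRET_NAME.search(key):
                findings.append("%s: value is kept in the container config" % key)
    return findings

def check_sample(mode):
    """Write FILE_CF to a temporary file with the given mode and audit it."""
    fd, path = tempfile.mkstemp(suffix=".cf")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(FILE_CF)
        os.chmod(path, mode)
        return env_file_findings(path)
    finally:
        os.remove(path)
```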

 


Changing the port mapping of a container in Docker

 

[Method 1]

docker stop web

docker commit web newweb

docker run -d -p 8443:443 newweb

[Method 2]

docker stop mysql57

vim /var/lib/docker/containers/ID/hostconfig.json

systemctl restart docker

docker start mysql57