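Limiting memory and CPU with lxc-execute

I want to use lxc-execute to isolate processes. Is it possible to set bandwidth, CPU and memory limits?

I looked at the lxc.conf documentation, but I did not find it exhaustive.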

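First, I want you to get to know cgroups, which are part of the LXC utilities. When you have a container, you obviously want to make sure that the containers you are running do not starve any other container or process. With this in mind, the good people of the LXC project (a.k.a. Daniel Lezcano) integrated cgroups with the container technology he was creating, i.e. LXC. Now, if you want to assign resource usage, you need to look into configuring your cgroup.

Cgroups allow you to allocate resources, such as CPU time, system memory, network bandwidth, or combinations of these resources, among user-defined groups of tasks (processes) running on a system. You can monitor the cgroups you configure, deny cgroups access to certain resources, and even reconfigure your cgroups dynamically on a running system. The cgconfig (control group config) service can be configured to start at boot time and re-establish your predefined cgroups, making them persistent across reboots. Cgroups can have multiple hierarchies, because each hierarchy is attached to one or more subsystems (also known as resource controllers or controllers). This creates multiple trees that are not connected. There are nine subsystems available.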

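  1. blkio: sets limits on input/output access to block devices
  2. cpu: the CPU scheduler for tasks' access to the CPU
  3. cpuacct: generates reports on CPU use and cgroups
  4. cpuset: assigns CPUs and memory to a cgroup
  5. devices: manages access to devices by tasks
  6. freezer: suspends/resumes tasks
  7. memory: limits memory
  8. net_cls: tags network packets so that the Linux traffic controller can identify task traffic
  9. ns: namespace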

We can list the subsystems we have in the kernel with the command:

 lssubsys -am

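lxc-cgroup gets or sets a value from the control group associated with the container name. It manages the control group associated with a container. Example usage: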

 lxc-cgroup -n foo cpuset.cpus "0,3" 

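assigns processors 0 and 3 to the container.

Now, in my opinion, I have answered your original question. But let me add some parameters that may be useful to you for configuring a container with lxc. Here is a condensed form of Red Hat's resource control documentation.

BLKIO modifiable parameters: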

  blkio.reset_stats : any int to reset the statistics of BLKIO
  blkio.weight : 100 - 1000 (relative proportion of block I/O access)
  blkio.weight_device : major, minor, weight 100 - 1000
  blkio.time : major, minor and time (device type and node numbers and length of access in milliseconds)
  blkio.throttle.read_bps_device : major, minor specifies the upper limit on the number of read operations a device can perform. The rate of the read operations is specified in bytes per second.
  blkio.throttle.read_iops_device : major, minor and operations_per_second specifies the upper limit on the number of read operations a device can perform
  blkio.throttle.write_bps_device : major, minor and bytes_per_second (bytes per second)
  blkio.throttle.write_iops_device : major, minor and operations_per_second

CFS modifiable parameters:

  cpu.cfs_period_us : specifies a period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. If tasks in a cgroup should be able to access a single CPU for 0.2 seconds out of every 1 second, set cpu.cfs_quota_us to 200000 and cpu.cfs_period_us to 1000000.
  cpu.cfs_quota_us : total amount of time in microseconds that all tasks in a cgroup can run during one period. Once the limit has been reached, they are not allowed to run beyond that.
  cpu.shares : contains an integer value that specifies the relative share of CPU time available to tasks in a cgroup.
  Note: For example, tasks in two cgroups that have cpu.shares set to 1 will receive equal CPU time, but tasks in a cgroup that has cpu.shares set to 2 receive twice the CPU time of tasks in a cgroup where cpu.shares is set to 1. Note that shares of CPU time are distributed per CPU. If one cgroup is limited to 25% of CPU and another cgroup is limited to 75% of CPU, on a multi-core system, both cgroups will use 100% of two different CPUs.

RT modifiable parameters:

  cpu.rt_period_us : time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated.
  cpu.rt_runtime_us : same as above.

CPUset:

  The cpuset subsystem assigns individual CPUs and memory nodes to cgroups.
  Note: some parameters here are mandatory.

  Mandatory:
  cpuset.cpus : specifies the CPUs that tasks in this cgroup are permitted to access. This is a comma-separated list in ASCII format, with dashes ("-") to represent ranges. For example 0-2,16 represents CPUs 0, 1, 2, and 16.
  cpuset.mems : specifies the memory nodes that tasks in this cgroup are permitted to access. Same format as above.

  Optional:
  cpuset.cpu_exclusive : contains a flag (0 or 1) that specifies whether cpusets other than this one and its parents and children can share the CPUs specified for this cpuset. By default (0), CPUs are not allocated exclusively to one cpuset.
  cpuset.mem_exclusive : contains a flag (0 or 1) that specifies whether other cpusets can share the memory nodes specified for this cpuset. By default (0), memory nodes are not allocated exclusively to one cpuset. Reserving memory nodes for the exclusive use of a cpuset (1) is functionally the same as enabling a memory hardwall with the cpuset.mem_hardwall parameter.
  cpuset.mem_hardwall : contains a flag (0 or 1) that specifies whether kernel allocations of memory page and buffer data should be restricted to the memory nodes specified for this cpuset. By default (0), page and buffer data is shared across processes belonging to multiple users. With a hardwall enabled (1), each task's user allocation can be kept separate.
  cpuset.memory_pressure_enabled : contains a flag (0 or 1) that specifies whether the system should compute the memory pressure created by the processes in this cgroup
  cpuset.memory_spread_page : contains a flag (0 or 1) that specifies whether file system buffers should be spread evenly across the memory nodes allocated to this cpuset. By default (0), no attempt is made to spread memory pages for these buffers evenly, and buffers are placed on the same node on which the process that created them is running.
  cpuset.memory_spread_slab : contains a flag (0 or 1) that specifies whether kernel slab caches for file input/output operations should be spread evenly across the cpuset. By default (0), no attempt is made to spread kernel slab caches evenly, and slab caches are placed on the same node on which the process that created them is running.
  cpuset.sched_load_balance : contains a flag (0 or 1) that specifies whether the kernel will balance loads across the CPUs in this cpuset. By default (1), the kernel balances loads by moving processes from overloaded CPUs to less heavily used CPUs.

Devices:

  The devices subsystem allows or denies access to devices by tasks in a cgroup.
  devices.allow : specifies devices to which tasks in a cgroup have access. Each entry has four fields: type, major, minor, and access.
    type can be one of the following three values:
      a - applies to all devices
      b - block devices
      c - character devices
    access is a sequence of one or more letters:
      r - read from device
      w - write to device
      m - create device files that do not yet exist
  devices.deny : similar syntax as above
  devices.list : reports devices for which access control has been set for tasks in this cgroup

Memory:

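The memory subsystem generates automatic reports on the memory resources used by the tasks in a cgroup, and sets limits on memory use by those tasks. Memory modifiable parameters:

  memory.limit_in_bytes : sets the maximum amount of user memory. Suffixes such as K for kilo, M for mega, etc. can be used. This only limits groups lower in the hierarchy, i.e. the root cgroup cannot be limited.
  memory.memsw.limit_in_bytes : sets the maximum for the sum of memory and swap usage. Again, this cannot limit the root cgroup.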

  Note: memory.limit_in_bytes should always be set before memory.memsw.limit_in_bytes, because the swap limit can only be set after the memory limit.
  memory.force_empty : when set to 0, empties memory of all pages used by tasks in this cgroup
  memory.swappiness : sets the tendency of the kernel to swap out process memory used by tasks in this cgroup instead of reclaiming pages from the page cache. The default value is 60. Values lower than 60 decrease the kernel's tendency to swap out process memory, values greater than 60 increase the kernel's tendency to swap out process memory, and values greater than 100 permit the kernel to swap out pages that are part of the address space of the processes in this cgroup.
  Note: Swappiness can only be assigned to leaf groups in the cgroups architecture, i.e. if any cgroup has a child cgroup, we cannot set the swappiness for that cgroup.
  memory.oom_control : contains a flag (0 or 1) that enables or disables the Out of Memory killer for a cgroup. If enabled (0), tasks that attempt to consume more memory than they are allowed are immediately killed by the OOM killer.

net_cls:

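The net_cls subsystem tags network packets with a class identifier (classid) so that the Linux traffic controller (tc) can identify packets originating from a particular cgroup. The traffic controller can be configured to assign different priorities to packets from different cgroups.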

  net_cls.classid : 0XAAAABBBB
    AAAA = major number (hex)
    BBBB = minor number (hex)
  net_cls.classid contains a single value that indicates a traffic control handle. The value of classid read from the net_cls.classid file is presented in the decimal format, while the value to be written to the file is expected in the hexadecimal format, e.g. 0X100001 = 10:1

net_prio:

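The Network Priority (net_prio) subsystem provides a way to dynamically set the priority of network traffic per network interface for applications within various cgroups. A network's priority is a number assigned to network traffic and used internally by the system and network devices. Network priority is used to differentiate packets that are sent, queued, or dropped. The traffic controller (tc) is responsible for setting the network's priority.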

  net_prio.ifpriomap : networkinterface , priority (/cgroup/net_prio/iscsi/net_prio.ifpriomap)
  Contents of the net_prio.ifpriomap file can be modified by echoing a string into the file using the above format, for example:
  ~]# echo "eth0 5" > /cgroup/net_prio/iscsi/net_prio.ifpriomap

This documentation is quite useful: http://doc.opensuse.org/documentation/html/openSUSE/opensuse-tuning/cha.tuning.cgroups.html

This information is in the Linux kernel documentation: /usr/src/linux/Documentation/cgroups
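
Added example, not part of the question or the answers above: a POSIX shell helper that turns the memory, CPU, cpuset and net_cls settings described in the first answer into `lxc.cgroup.*` lines for a config file passed to lxc-execute with -f, so a runaway process cannot starve the host. It assumes the cgroup v1 interface that answer describes; the container name foo, the file name limits.conf and all sample values are constructed.

```shell
#!/bin/sh
# Added example: emit lxc.conf cgroup v1 limits for use with lxc-execute.
# Container name "foo", limits.conf and all sample values are constructed.

# to_bytes 256M -> 268435456 (K/M/G suffixes, as for memory.limit_in_bytes)
to_bytes() (
    n=${1%[KkMmGg]}
    case $n in ''|*[!0-9]*) echo "bad size: $1" >&2; exit 1;; esac
    case $1 in
        *[Kk]) echo $(($n * 1024));;
        *[Mm]) echo $(($n * 1024 * 1024));;
        *[Gg]) echo $(($n * 1024 * 1024 * 1024));;
        *)     echo "$n";;
    esac
)

# classid_hex 10:1 -> 0x100001 (tc handle major:minor, hex, 16 bits each)
classid_hex() (
    major=${1%%:*}; minor=${1#*:}
    [ "$major:$minor" = "$1" ] || { echo "bad handle: $1" >&2; exit 1; }
    for part in "$major" "$minor"; do
        case $part in ''|?????*|*[!0-9A-Fa-f]*)
            echo "bad handle: $1" >&2; exit 1;;
        esac
    done
    printf '0x%x\n' $(( (0x$major << 16) | 0x$minor ))
)

# gen_limits MEM MEMSW CPU_PERCENT CPUSET TC_HANDLE
gen_limits() (
    mem=$(to_bytes "$1") && memsw=$(to_bytes "$2") || exit 1
    [ "$memsw" -ge "$mem" ] || { echo "memsw below memory limit" >&2; exit 1; }
    case $3 in ''|*[!0-9]*) echo "bad CPU percent: $3" >&2; exit 1;; esac
    case $4 in ''|*[!0-9,-]*) echo "bad cpuset: $4" >&2; exit 1;; esac
    classid=$(classid_hex "$5") || exit 1
    period=1000000                      # 1 second accounting period
    quota=$(($period * $3 / 100))       # 20 percent -> 200000 us per period
    # memory.limit_in_bytes is emitted before memory.memsw.limit_in_bytes
    cat <<EOF
lxc.cgroup.memory.limit_in_bytes = $mem
lxc.cgroup.memory.memsw.limit_in_bytes = $memsw
lxc.cgroup.cpu.cfs_period_us = $period
lxc.cgroup.cpu.cfs_quota_us = $quota
lxc.cgroup.cpuset.cpus = $4
lxc.cgroup.net_cls.classid = $classid
EOF
)

gen_limits 256M 512M 20 0,3 10:1
# Save as limits.conf, then: lxc-execute -n foo -f limits.conf -- /bin/sleep 60
```

The net_cls line only tags packets; the actual bandwidth cap still has to be configured in tc for the matching handle.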