1 docker-tc
--label "com.docker-tc.enabled=1", NetworkMode, host, bridge, rate, ceil
2 Technical design

2.1 Main technology stack

2.2 Data flow


running, --label "com.docker-tc.enabled=1", label, create, die, net=host, net=bridge, ifb

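2.3 Rate-limiting strategy

Rate limiting containers in bridge mode

# Downlink rate limit for a bridge-mode container; veth6552aeb is the veth interface that belongs to the container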
tc qdisc del dev veth6552aeb root
tc qdisc add dev veth6552aeb root handle 1: htb default 1
tc class add dev veth6552aeb parent 1: classid 1:1 htb rate 1000mbit ceil 1000mbit prio 2

tc class add dev veth6552aeb parent 1:1 classid 1:10 htb rate 4Mbit ceil 8Mbit prio 1 burst 96kbit
tc qdisc add dev veth6552aeb parent 1:10 handle 10: sfq perturb 10
tc filter add dev veth6552aeb protocol ip parent 1: prio 2 u32 match ip src 0.0.0.0/0 match ip dst 0.0.0.0/0 flowid 1:10

# Uplink rate limit for a bridge-mode container; veth6552aeb is the container's veth interface, ss is the container name, and an ifb interface is created under the container name
ip link add ss type ifb
ip link set ss up

tc qdisc add dev veth6552aeb handle ffff: ingress
tc filter add dev veth6552aeb parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev ss

tc qdisc add dev ss root handle 1: htb default 1
tc class add dev ss parent 1: classid 1:1 htb rate 1000mbit ceil 1000mbit prio 2

tc class add dev ss parent 1:1 classid 1:10 htb rate 8Mbit ceil 12Mbit prio 1 burst 96kbit
tc qdisc add dev ss parent 1:10 handle 10: sfq perturb 10
tc filter add dev ss protocol ip parent 1: prio 2 u32 match ip src 0.0.0.0/0 match ip dst 0.0.0.0/0 flowid 1:10

Notes

filter, class, RTNETLINK answers: Device or resource busy, ingress mirror, ppp4014, mirror, ifb, ppp4014, ifb, ppp4014, ppp4014, filter, netlink.U32.RedirIndex == 0, ingress

3 Usage

3.1 Deploying and starting the service

docker run -d \
    --name docker-tc \
    --network host \
    --privileged \
    --pid=host \
    --restart always \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /var/docker-tc:/var/docker-tc \
    -v /opt/docker-tc/config:/docker-tc/config \
    -v /sys/fs/cgroup/net_cls:/sys/fs/cgroup/net_cls \
    docker-tc
docker-tc, --network host, --cap-add NET_ADMIN, docker-tc, docker, -v /var/run/docker.sock:/var/run/docker.sock

3.2 Configuring rate-limited containers

label, docker-tc, label
com.docker-tc.enabled, label, com.docker-tc.down.rate, com.docker-tc.down.ceil, com.docker-tc.up.rate, com.docker-tc.up.ceil, com.docker-tc.up.cgroup, com.docker-tc.biz

3.3 Testing

3.3.1 Start a rate-limited container

docker run -it --name xxxx \
  --label "com.docker-tc.enabled=1" \
  --label "com.docker-tc.cgroup=65552" \
  --label "com.docker-tc.down.rate=2mbps" \
  --label "com.docker-tc.down.ceil=10mbps" \
  --label "com.docker-tc.up.rate=20mbps" \
  --label "com.docker-tc.up.ceil=30mbps" \
  --label "com.docker-tc.biz=test" \
  nettool-centos7 bash
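
The labels above are chosen by whoever starts the container, while the service that turns them into the tc commands of section 2.3 runs privileged on the host, so the values should be checked before they reach a command line. The following is an added example, not part of the original post or of docker-tc's own code: it validates rates and interface names, then prints the section 2.3 sequence as a dry run. The function names are hypothetical, and passing label values to tc unchanged is an assumption.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not docker-tc's own code.
# Assumption: label values are handed to tc unchanged.

# A rate is <number><unit>. tc reads "mbit" as megabits/s and "mbps" as
# megabytes/s, so a label such as 2mbps means 16 Mbit/s to tc.
valid_rate() {
    case "$1" in
        ''|*[!0-9A-Za-z.]*) return 1 ;;  # no spaces, ';' or newlines
    esac
    printf '%s\n' "$1" |
        grep -Eqi '^[0-9]+(\.[0-9]+)?(bit|kbit|mbit|gbit|bps|kbps|mbps|gbps)$'
}

# Linux interface names hold at most 15 bytes; a leading '-' would be
# parsed as an option by ip/tc.
valid_ifname() {
    case "$1" in
        ''|.|..|-*|*[!0-9A-Za-z_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# htb_tree DEV RATE CEIL: the HTB tree from section 2.3 for one device.
htb_tree() {
    echo "tc qdisc add dev $1 root handle 1: htb default 1"
    echo "tc class add dev $1 parent 1: classid 1:1 htb rate 1000mbit ceil 1000mbit prio 2"
    echo "tc class add dev $1 parent 1:1 classid 1:10 htb rate $2 ceil $3 prio 1 burst 96kbit"
    echo "tc qdisc add dev $1 parent 1:10 handle 10: sfq perturb 10"
    echo "tc filter add dev $1 protocol ip parent 1: prio 2 u32 match ip src 0.0.0.0/0 match ip dst 0.0.0.0/0 flowid 1:10"
}

# gen_tc VETH IFB DOWN_RATE DOWN_CEIL UP_RATE UP_CEIL
# Dry run: prints the commands, or returns 1 with no output on bad input.
gen_tc() {
    valid_ifname "$1" && valid_ifname "$2" || return 1
    for r in "$3" "$4" "$5" "$6"; do
        valid_rate "$r" || return 1
    done
    htb_tree "$1" "$3" "$4"          # downlink: egress of the host veth
    echo "ip link add $2 type ifb"   # uplink: veth ingress redirected to ifb
    echo "ip link set $2 up"
    echo "tc qdisc add dev $1 handle ffff: ingress"
    echo "tc filter add dev $1 parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev $2"
    htb_tree "$2" "$5" "$6"
}

# Constructed sample values taken from the commands in section 2.3.
gen_tc veth6552aeb ss 4Mbit 8Mbit 8Mbit 12Mbit
```

The unit list accepted here is a deliberately narrow subset of what tc understands; widen it only for units the deployment actually uses.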

3.3.2 Rate test

docker exec, wget, iperf