
How can I rate limit network traffic on a docker container

I want to set up a docker container for a peer-to-peer app. This app doesn't have app-level rate limiting, so I'm attempting to set a limit at the container level. I would like to rate limit outgoing and incoming connections on all ports but the one used by the app's web UI.

I'm surprised at how difficult it was to find the answer to this question. Most answers on the various forums are incorrect (I tested them with two iperf3 nodes and found that the solutions didn't work or only limited one direction of traffic, incoming or outgoing). A P2P application has much more symmetric data usage than traditional client/server applications, so traffic must be limited in both directions.

The best way I've found to limit network bandwidth (both incoming and outgoing) for a Docker container is to use Linux's own traffic control settings within the running container. Execute the tc commands inside the container before you start your P2P application.

For example, you could create a start-up script like the following, copy it into your docker image and invoke it as the ENTRYPOINT.

Dockerfile (snippet):

COPY start-my-p2p.sh /
RUN chmod +x /start-my-p2p.sh
ENTRYPOINT /start-my-p2p.sh

Put something like this in your start-my-p2p.sh (the tc command lines are probably what you've been searching the Internet for):

#!/bin/sh

# Limit all incoming and outgoing traffic to 1 mbit/s.
# Incoming: attach an ingress qdisc (its handle is always ffff:) and police
# every IPv4 packet to the rate; packets over the rate are dropped.
tc qdisc add dev eth0 handle ffff: ingress
tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 1mbit burst 10k drop flowid :1
# Outgoing: shape with a token bucket filter as the root qdisc.
tc qdisc add dev eth0 root tbf rate 1mbit latency 25ms burst 10k

# Now start your p2p application
myp2pservice -d

IMPORTANT: When starting the container you'll need to use --cap-add=NET_ADMIN:

docker run --rm -it --cap-add=NET_ADMIN -p 6969:6969 myimage

You could use the iptables limit module. For example, you could add a rule to the PREROUTING table using the options "-m limit --limit 10/s" to limit a particular port to receive only 10 connections per second.

To apply the tc policy from the docker host machine:

# find the container's init PID
container_pid=$(docker inspect some_container -f '{{.State.Pid}}')
mkdir -p /var/run/netns
# expose the network namespace of `some_container` to ip/tc under that name
ln -sfT /proc/$container_pid/ns/net /var/run/netns/some_container
# view the interfaces of the container
ip netns exec some_container ip -br -c link
# add a traffic control policy to the interface in network namespace `some_container`
# (in tc, "kbps" means kilobytes per second; "kbit" means kilobits per second)
tc -n some_container qdisc add dev eth0 root tbf rate 1024kbps burst 32kb latency 50ms
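The three answers above each cover one piece (tc inside the container, the iptables limit module, and reaching the container's namespace from the host), but none of them exempts the web UI port the question asks about. The script below is an added example, not code from any of the answers: it shapes egress with HTB and polices ingress, steers traffic on the UI port past both limits, and can be run either inside the container or, given a container name, from the host against that container's network namespace. The interface name eth0, the 1mbit rate, the UI port 8080, the container name and the 1gbit cap on the UI class are assumptions; set TC="echo tc" to print the tc commands instead of executing them.

```shell
#!/bin/sh
# Added example: rate-limit every port of a container except its web UI, in
# both directions. Run inside the container (needs --cap-add=NET_ADMIN) or from
# the host with the container name as the 4th argument. DEV, RATE, UIPORT and
# the container name are assumptions supplied on the command line.
set -eu

TC="${TC:-tc}"       # set TC="echo tc" to print the tc commands instead of running them
NETNS="${NETNS:-}"   # when set, every tc command runs in that network namespace

# Run tc, inside the network namespace named by NETNS if one is set.
# $TC is left unquoted on purpose so that TC="echo tc" splits into two words.
tc_() {
    if [ -n "$NETNS" ]; then
        $TC -n "$NETNS" "$@"
    else
        $TC "$@"
    fi
}

# Egress: HTB root qdisc with two classes. Packets whose source port is the
# web UI port are steered to class 1:10, which is left at an assumed 1gbit
# (effectively uncapped); everything else falls into the default class 1:20,
# shaped to RATE.
shape_egress() {
    dev="$1" rate="$2" uiport="$3"
    tc_ qdisc add dev "$dev" root handle 1: htb default 20
    tc_ class add dev "$dev" parent 1: classid 1:10 htb rate 1gbit
    tc_ class add dev "$dev" parent 1: classid 1:20 htb rate "$rate" ceil "$rate" burst 15k
    tc_ filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip sport "$uiport" 0xffff flowid 1:10
}

# Ingress: nothing can be queued on the receive side, so police instead.
# Classification stops at the first matching filter, so the prio 1 filter
# (UI port, no policer) lets UI traffic through untouched and the prio 50
# filter polices the rest. The ingress qdisc always has handle ffff:.
police_ingress() {
    dev="$1" rate="$2" uiport="$3"
    tc_ qdisc add dev "$dev" handle ffff: ingress
    tc_ filter add dev "$dev" parent ffff: protocol ip prio 1 u32 \
        match ip dport "$uiport" 0xffff flowid :1
    tc_ filter add dev "$dev" parent ffff: protocol ip prio 50 u32 \
        match ip src 0.0.0.0/0 police rate "$rate" burst 10k drop flowid :1
}

# Remove whatever the two functions above installed; safe to call on a clean
# interface so the script can be re-run.
clear_limits() {
    dev="$1"
    tc_ qdisc del dev "$dev" root 2>/dev/null || true
    tc_ qdisc del dev "$dev" ingress 2>/dev/null || true
}

# From the host: make the container's network namespace visible to ip/tc under
# the container's name, so NETNS=<name> targets it and the container itself
# does not need NET_ADMIN.
link_container_netns() {
    name="$1"
    pid=$(docker inspect -f '{{.State.Pid}}' "$name")
    mkdir -p /var/run/netns
    ln -sfT "/proc/$pid/ns/net" "/var/run/netns/$name"
}

# Rate-limit new connections to one port with the iptables limit module:
# matching only SYNs counts connections rather than packets, and the second
# rule drops what the single, global token bucket does not admit.
limit_new_connections() {
    port="$1" per_sec="$2" burst="$3"
    ${IPTABLES:-iptables} -A INPUT -p tcp --dport "$port" --syn \
        -m limit --limit "${per_sec}/s" --limit-burst "$burst" -j ACCEPT
    ${IPTABLES:-iptables} -A INPUT -p tcp --dport "$port" --syn -j DROP
}

# Usage: limit-container.sh DEV RATE UIPORT [CONTAINER]
#   inside the container:  limit-container.sh eth0 1mbit 8080
#   from the host:         limit-container.sh eth0 1mbit 8080 myp2p
main() {
    dev="$1" rate="$2" uiport="$3"
    if [ "$#" -ge 4 ]; then
        link_container_netns "$4"
        NETNS="$4"
    fi
    clear_limits "$dev"
    shape_egress "$dev" "$rate" "$uiport"
    police_ingress "$dev" "$rate" "$uiport"
}

if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

Inside the container this needs --cap-add=NET_ADMIN, which also lets the application rewrite its own routes, firewall rules and these very limits; running the same script from the host as root leaves the container unprivileged and is the better least-privilege arrangement. The filters only match protocol ip, so IPv6 traffic would need a second set of filters with protocol ipv6 and ip6 matches, and policing drops excess ingress rather than queuing it, so TCP senders throttle themselves through loss. Verify the result with iperf3 in both directions, with and without the UI port, before trusting it.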

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost, cite this site or the original source. © 2020-2024 STACKOOM.COM