How can I numactl membind a process inside Docker container?
I have an Intel Xeon Phi 64-core CPU with 16GB on-chip memory set as NUMA node 1. I want to bind a process running inside a Docker container to this NUMA node, but it errors out:
root@Docker$ sudo numactl --membind 1 python script.py
Error: set_mempolicy: Operation not permitted
setting membind: Operation not permitted
I also tried to bind the entire Docker mothership to NUMA node 1, but no luck:
localhost$ sudo numactl --membind 1 docker run xyz /bin/bash
This doesn't give any error, but shows no utilization of on-chip memory.
My question is: How can I bind a process to NUMA node 1 successfully? Thanks!
You need to find which CPUs belong to NUMA node 1:
$ lscpu | grep node1
NUMA node1 CPU(s): 8-15,24-31
Create a cpuset for docker:
$ cgcreate -g cpuset:docker
$ echo 8-15 > /sys/fs/cgroup/cpuset/docker/cpuset.cpus
If you want to run just certain containers on a specific NUMA node:
cgcreate -g cpuset:my-cgroup
echo 8-15 > /sys/fs/cgroup/cpuset/my-cgroup/cpuset.cpus
Docker allows putting new containers under a different cgroup:
docker run -it --rm --cgroup-parent=/my-cgroup/ ubuntu bash
For more information see https://sthbrx.github.io/blog/2016/07/27/get-off-my-lawn-separating-docker-workloads-using-cgroups/ .
I had the same issue, which got solved by creating a container using "--privileged" mode.
With this mode, we can bind mem and CPU nodes inside the container and use NUMA effectively.
Use the below command:
#docker run --privileged --name=test_numa --net=host -itd <image_id>
Try granting the deceptively-named CAP_SYS_NICE capability to the container, which allows the process to "set CPU affinity for arbitrary processes" [ref]:
docker run --cap-add SYS_NICE <other arguments>
This is a safer approach than --privileged but should still enable what you need.
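To confirm which of the two grants suggested above a container actually received, the following added example (not part of any answer on this page) decodes the CapEff mask that the kernel reports in /proc/self/status. The function names and the sample masks are constructed for illustration, and treating CAP_SYS_ADMIN as the marker for --privileged is a heuristic assumption.

```shell
#!/bin/sh
# Added example: classify an effective-capability mask (CapEff) to tell apart
# a default container, one started with --cap-add SYS_NICE, and a broad grant
# such as --privileged. Function names here are hypothetical.

CAP_SYS_ADMIN=21   # bit number from linux/capability.h
CAP_SYS_NICE=23    # bit number from linux/capability.h

# has_cap HEXMASK BIT -> exit status 0 if that capability bit is set
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# classify_capeff HEXMASK -> prints one word describing the grant
classify_capeff() {
    if has_cap "$1" "$CAP_SYS_ADMIN"; then
        # Heuristic (assumption): CAP_SYS_ADMIN is not in Docker's default
        # set, so its presence means --privileged or an equally broad grant.
        echo "overprivileged"
    elif has_cap "$1" "$CAP_SYS_NICE"; then
        echo "sys_nice"
    else
        echo "no_sys_nice"
    fi
}

# current_capeff -> CapEff as inherited by processes started from this shell
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Constructed sample masks (not captured from the asker's system):
DEFAULT_MASK=00000000a80425fb      # Docker's default capability set
SYS_NICE_MASK=00000000a88425fb     # default set plus bit 23
PRIVILEGED_MASK=0000003fffffffff   # capability bits 0..37 all set

for m in "$DEFAULT_MASK" "$SYS_NICE_MASK" "$PRIVILEGED_MASK"; do
    printf '%s %s\n' "$m" "$(classify_capeff "$m")"
done

# Classify the live environment when /proc is available.
if [ -r /proc/self/status ]; then
    printf 'this process: %s\n' "$(classify_capeff "$(current_capeff)")"
fi
```

Run inside the container, a result of "sys_nice" means numactl --membind has the capability it needs without the rest of what --privileged hands out.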