How can I rate limit network traffic on a docker container


Problem description

I want to set up a docker container for a peer-to-peer app. This app doesn't have app level rate limiting so I'm attempting to set a limit at the container level. I would like to rate limit outgoing and incoming connections on all ports but the one used by the app's web UI.

Solution

I'm surprised at how difficult it was to find the answer to this question. Most answers on the various forums are incorrect (I tested them with two iperf3 nodes and found that the solutions didn't work or only limited one direction of traffic, only incoming or only outgoing). A P2P application has much more symmetric data usage than traditional client/server applications, so traffic must be limited in both directions.

The best way I've found to limit network bandwidth (both incoming and outgoing) for a Docker container is to use Linux's own traffic control settings within the running container. Execute the tc commands inside the container before you start your P2P application.

For example, you could create a start-up script like the following, copy it into your docker image and invoke it as the ENTRYPOINT.

Dockerfile (snippet):

COPY start-my-p2p.sh /
RUN chmod +x /start-my-p2p.sh    
ENTRYPOINT /start-my-p2p.sh   

Put something like this in your start-my-p2p.sh (the tc cmdlines are probably what you've been searching the Internet for):

#!/bin/sh

# Limit all incoming and outgoing network to 1mbit/s
tc qdisc add dev eth0 handle 1: ingress
tc filter add dev eth0 parent 1: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 1mbit burst 10k drop flowid :1
tc qdisc add dev eth0 root tbf rate 1mbit latency 25ms burst 10k

# Now start your p2p application
myp2pservice -d

IMPORTANT: When starting the container you'll need to use --cap-add=NET_ADMIN:

docker run --rm -it --cap-add=NET_ADMIN -p 6969:6969 myimage
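
The script in the answer starts the P2P service even when the tc commands fail, for example when the container was started without --cap-add=NET_ADMIN, which leaves the traffic unthrottled. The following is an added example, not part of the original answer: a fail-closed variant of start-my-p2p.sh that refuses to start unless both limits are applied. The DEV and RATE overrides and the function names are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed variant of start-my-p2p.sh.
# eth0, 1mbit and myp2pservice come from the answer; the DEV/RATE overrides
# and the function names are assumptions made for this sketch.
DEV="${DEV:-eth0}"
RATE="${RATE:-1mbit}"

# Reads `tc qdisc show dev <if>` output on stdin. Succeeds only when both a
# root tbf (egress) and an ingress qdisc are listed. It checks qdiscs only;
# the police filter is covered by apply_limits' exit status.
limits_in_place() {
    awk '
        $1 == "qdisc" && $2 == "tbf" && $4 == "root" { egress = 1 }
        $1 == "qdisc" && $2 == "ingress"             { ingress = 1 }
        END { exit !(egress && ingress) }
    '
}

# Same three tc commands as the answer, chained so any failure is reported.
apply_limits() {
    tc qdisc add dev "$DEV" handle 1: ingress &&
    tc filter add dev "$DEV" parent 1: protocol ip prio 50 u32 \
        match ip src 0.0.0.0/0 police rate "$RATE" burst 10k drop flowid :1 &&
    tc qdisc add dev "$DEV" root tbf rate "$RATE" latency 25ms burst 10k
}

main() {
    if ! apply_limits; then
        echo "tc failed (started without --cap-add=NET_ADMIN?); not starting" >&2
        return 1
    fi
    if ! tc qdisc show dev "$DEV" | limits_in_place; then
        echo "limits not visible on $DEV; not starting" >&2
        return 1
    fi
    exec myp2pservice -d
}

# Run only when installed under the script name used in the answer, so the
# functions above can also be loaded and exercised on their own.
case "$0" in
    *start-my-p2p.sh) main "$@" ;;
esac
```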
