Container Security, 2nd Edition
book


by Liz Rice
October 2025
Intermediate to advanced
270 pages
2h 59m
Chinese
O'Reilly Media, Inc.
Content preview from Container Security, 2nd Edition

Chapter 3. Control Groups

This work has been translated using artificial intelligence. We welcome your feedback and comments: translation-feedback@oreilly.com

In this chapter you will learn about one of the fundamental building blocks used to create containers: control groups, commonly known as cgroups.

Control groups limit the resources, such as memory, CPU, and network I/O, that a group of processes can use. In containers they are used to share resources between different workloads in a controlled way. From a security perspective, well-tuned cgroups ensure that one process cannot affect the behaviour of others by hogging all the resources, for example by consuming all the CPU or memory and starving other applications. You can also limit the total number of processes allowed within a control group, a handy technique for preventing fork bombs, which I will cover at the end of this chapter.

As you will see in detail in Chapter 4, containers run as ordinary Linux processes, so cgroups can be used to limit the resources available to each container.

Note

Today most Linux distributions use cgroups version 2, which has several improvements over the original implementation that was widely deployed when containers first became popular. Kubernetes and all the popular container runtimes now use cgroups v2, and that is what is discussed here. You may, however, still find references to v1 in older literature.

The main difference is that version 2 uses a single, unified hierarchy for all supported resource types, instead of a separate hierarchy for each type of resource being managed.

If you are a system administrator managing Linux servers directly, you might have reason to create and manage control groups yourself, but when we use containers the container runtime handles this for us. As you will see later in this chapter, all we have to do is specify the resources to assign to different workloads. Still, let's take a closer look at how cgroups are used to limit container resources.

Control Group Controllers

Control groups are represented in the Linux filesystem under a mount point that lives at /sys/fs/cgroup. Managing cgroups involves reading and writing files and directories under that mount point. Let's look at the contents of that directory:

root@vm:/sys/fs/cgroup# ls
cgroup.controllers      io.pressure
cgroup.max.depth        io.prio.class
cgroup.max.descendants  io.stat
cgroup.pressure         memory.numa_stat
cgroup.procs            memory.pressure
cgroup.stat             memory.reclaim
cgroup.subtree_control  memory.stat
cgroup.threads          memory.zswap.writeback
cpu.pressure            misc.capacity
cpu.stat                misc.current
cpu.stat.local          misc.peak
cpuset.cpus.effective   proc-sys-fs-binfmt_misc.mount
cpuset.cpus.isolated    sys-fs-fuse-connections.mount
cpuset.mems.effective   sys-kernel-config.mount
dev-hugepages.mount     sys-kernel-debug.mount
dev-mqueue.mount        sys-kernel-tracing.mount
init.scope              system.slice
io.cost.model           user.slice
io.cost.qos

As I will show you later, creating a new directory creates a new control group, and child control groups can in turn be created within the new directory, building up a hierarchy of control groups. ...
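The mechanics described above, as an added example that is not from the book: creating a directory under the cgroup2 mount to create a new control group, enabling the pids and memory controllers for it through the parent's cgroup.subtree_control file, capping its process count (the fork-bomb defence mentioned earlier in the chapter) and its memory, and auditing whether a group's limits are actually set. The function names, the CGROUP_ROOT variable (which lets the script be pointed at a scratch directory with the same layout), and the assumption that the pids and memory controllers are available on the host are mine, not the book's.

```shell
#!/usr/bin/env bash
# Added example: manage a cgroup v2 control group by reading and writing
# files under the cgroup2 mount. CGROUP_ROOT defaults to the real mount
# point; it can be pointed at a scratch directory that mimics the layout.
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# Create a child control group under $CGROUP_ROOT, enable the pids and
# memory controllers for it, and cap its process count and memory in bytes.
# Usage: make_limited_cgroup <name> <pids_max> <memory_max_bytes>
make_limited_cgroup() {
  local name="$1" pids_max="$2" mem_max="$3"
  local dir="$CGROUP_ROOT/$name"
  # mkdir is what creates the control group; the kernel populates the
  # directory with the cgroup.* and controller files.
  mkdir -p "$dir" || return 1
  # A controller must be enabled in the parent's cgroup.subtree_control
  # before the child exposes its pids.* and memory.* files.
  echo "+pids +memory" > "$CGROUP_ROOT/cgroup.subtree_control" || return 1
  # pids.max bounds the number of processes: a fork bomb inside the group
  # hits this ceiling instead of exhausting the host's process table.
  echo "$pids_max" > "$dir/pids.max" || return 1
  # memory.max is the hard memory ceiling for the group.
  echo "$mem_max" > "$dir/memory.max" || return 1
}

# Move a process into the group by writing its PID to cgroup.procs; the
# limits then apply to it and to every child it forks.
# Usage: attach_pid <name> <pid>
attach_pid() {
  echo "$2" > "$CGROUP_ROOT/$1/cgroup.procs"
}

# Report a group's limits as "pids=<v> memory=<v>". Returns 1 when either
# limit is "max" (cgroup v2's spelling of unlimited) or missing, i.e. when
# the group could starve its neighbours.
# Usage: audit_limits <name>
audit_limits() {
  local dir="$CGROUP_ROOT/$1" pids mem rc=0
  pids=$(cat "$dir/pids.max" 2>/dev/null || echo "missing")
  mem=$(cat "$dir/memory.max" 2>/dev/null || echo "missing")
  echo "pids=$pids memory=$mem"
  [ "$pids" != "max" ] && [ "$pids" != "missing" ] || rc=1
  [ "$mem" != "max" ] && [ "$mem" != "missing" ] || rc=1
  return $rc
}

# Usage on a real host (needs root), run from this shell:
#   make_limited_cgroup sandbox 64 268435456 && attach_pid sandbox "$$"
#   audit_limits sandbox
```

On a real host the writes require root. audit_limits is the check worth keeping: a container whose cgroup reports max for pids.max or memory.max is exactly the unconstrained workload the chapter warns about, and the function's nonzero exit makes that condition easy to script against.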


Publisher Resources

ISBN: 9798341671843