docker 使用--storage-opt参数约束容器文件系统大小

版本信息

ubuntu :Ubuntu 22.04.1 LTS
docker:23.0.1

情况说明

想起之前接过的一个单,需求是需要用docker的--storage-opt参数约束单个容器文件系统所占空间的最大值,本来以为是送钱的,结果操作起来还遇到点小坑。
首先查看官网介绍了解这个参数的一些特性,发现必须使用xfs文件系统才能支持,且对存储驱动有一定要求(需为 overlay 系列驱动),这些要求已经满足了。使用df -hT可以看到文件系统类型,docker info 可以看到Storage-Driver驱动。

开始操作

直接在创建容器的时候添加--storage-opt测试

root@ubuntu-01:~# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest bab98d58e29e 8 days ago 4.86MB
root@ubuntu-01:~# docker run -it --storage-opt size=1G busybox /bin/sh
docker: Error response from daemon: --storage-opt is supported only for overlay over xfs with 'pquota' mount option.
See 'docker run --help'.

此时会有报错,提示--storage-opt 仅支持挂载了'pquota'选项的xfs文件系统之上的overlay驱动。
注意此时的容器文件系统所在位置为根分区,同时客户的服务器也只有一个盘。。。
使用mount命令带pquota重新挂载根分区,再查看/proc/mounts,发现根分区仍然是noquota,quota参数并没有附加上去。

root@ubuntu-01:~# mount -o remount,pquota /
root@ubuntu-01:~# cat /proc/mounts /
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,nosuid,relatime,size=1953592k,nr_inodes=488398,mode=755,inode64 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=401992k,mode=755,inode64 0 0
/dev/sda2 / xfs rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,inode64 0 0
tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k,inode64 0 0
cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot 0 0
pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0
bpf /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=29,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=19319 0 0
hugetlbfs /dev/hugepages hugetlbfs rw,relatime,pagesize=2M 0 0
mqueue /dev/mqueue mqueue rw,nosuid,nodev,noexec,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime 0 0
tracefs /sys/kernel/tracing tracefs rw,nosuid,nodev,noexec,relatime 0 0
fusectl /sys/fs/fuse/connections fusectl rw,nosuid,nodev,noexec,relatime 0 0
configfs /sys/kernel/config configfs rw,nosuid,nodev,noexec,relatime 0 0
none /run/credentials/systemd-sysusers.service ramfs ro,nosuid,nodev,noexec,relatime,mode=700 0 0
/dev/loop0 /snap/core20/1587 squashfs ro,nodev,relatime,errors=continue 0 0
/dev/loop1 /snap/lxd/22923 squashfs ro,nodev,relatime,errors=continue 0 0
tmpfs /run/snapd/ns tmpfs rw,nosuid,nodev,noexec,relatime,size=401992k,mode=755,inode64 0 0
tmpfs /run/user/0 tmpfs rw,nosuid,nodev,relatime,size=401988k,nr_inodes=100497,mode=700,inode64 0 0
/dev/loop3 /snap/snapd/18357 squashfs ro,nodev,relatime,errors=continue 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime 0 0
/dev/loop4 /snap/core20/1828 squashfs ro,nodev,relatime,errors=continue 0 0
/dev/loop5 /snap/lxd/24322 squashfs ro,nodev,relatime,errors=continue 0 0
nsfs /run/snapd/ns/lxd.mnt nsfs rw 0 0

之后去修改fstab文件,在根分区的挂载选项中加上pquota,修改完成后重启系统。

root@ubuntu-01:~# cat /etc/fstab 
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda2 during curtin installation
/dev/disk/by-uuid/90ba0f1d-1852-4315-a75e-692dbd858370 / xfs defaults,pquota 0 0

重启后发现其实并没有生效,根分区的挂载参数依然是noquota。

root@ubuntu-01:~# cat /proc/mounts /
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,nosuid,relatime,size=1953596k,nr_inodes=488399,mode=755,inode64 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=401992k,mode=755,inode64 0 0
/dev/sda2 / xfs rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,inode64 0 0
tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k,inode64 0 0
cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot 0 0
pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0
bpf /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=29,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=23639 0 0
hugetlbfs /dev/hugepages hugetlbfs rw,relatime,pagesize=2M 0 0
mqueue /dev/mqueue mqueue rw,nosuid,nodev,noexec,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime 0 0
tracefs /sys/kernel/tracing tracefs rw,nosuid,nodev,noexec,relatime 0 0
fusectl /sys/fs/fuse/connections fusectl rw,nosuid,nodev,noexec,relatime 0 0
configfs /sys/kernel/config configfs rw,nosuid,nodev,noexec,relatime 0 0
none /run/credentials/systemd-sysusers.service ramfs ro,nosuid,nodev,noexec,relatime,mode=700 0 0
/dev/loop0 /snap/core20/1587 squashfs ro,nodev,relatime,errors=continue 0 0
/dev/loop1 /snap/lxd/24322 squashfs ro,nodev,relatime,errors=continue 0 0
/dev/loop2 /snap/core20/1828 squashfs ro,nodev,relatime,errors=continue 0 0
/dev/loop4 /snap/snapd/18357 squashfs ro,nodev,relatime,errors=continue 0 0
/dev/loop3 /snap/lxd/22923 squashfs ro,nodev,relatime,errors=continue 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run/snapd/ns tmpfs rw,nosuid,nodev,noexec,relatime,size=401992k,mode=755,inode64 0 0
nsfs /run/snapd/ns/lxd.mnt nsfs rw 0 0
tmpfs /run/user/0 tmpfs rw,nosuid,nodev,relatime,size=401988k,nr_inodes=100497,mode=700,inode64 0 0

在启动容器的时候依然会报错

root@ubuntu-01:~# docker run -it --storage-opt size=1G busybox /bin/sh
docker: Error response from daemon: --storage-opt is supported only for overlay over xfs with 'pquota' mount option.
See 'docker run --help'

最后经过查找资料,参考https://support.circleci.com/hc/en-us/articles/7060937560859-...找到了解决方案。之前的方法如果设置的是非系统根分区应该是可以生效的;如果是系统根分区则没有生效,具体也没仔细查。原因大致是:根分区在fstab被处理之前就已经由内核/initramfs挂载好了,而xfs的quota类挂载选项又不能通过remount开启,所以只能通过内核启动参数rootflags传进去。
按照文档内容修改引导,从grub添加pquota参数。

root@ubuntu-01:~# cat /etc/default/grub
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
# info -f grub -n 'Simple configuration'
GRUB_DEFAULT=0
GRUB_TIMEOUT_STYLE=hidden
GRUB_TIMEOUT=0
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="rootflags=pquota"
GRUB_CMDLINE_LINUX=""

重新生成grub文件

root@ubuntu-01:~# grub-mkconfig -o /boot/grub/grub.cfg
Sourcing file `/etc/default/grub'
Sourcing file `/etc/default/grub.d/init-select.cfg'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.15.0-43-generic
Found initrd image: /boot/initrd.img-5.15.0-43-generic
Warning: os-prober will not be executed to detect other bootable partitions.
Systems on them will not be added to the GRUB boot configuration.
Check GRUB_DISABLE_OS_PROBER documentation entry.
done

重启后发现quota参数已经被附加(pquota在/proc/mounts中显示为prjquota)。

root@ubuntu-01:~# cat /proc/mounts |grep quota
/dev/sda2 / xfs rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,prjquota 0 0

再次添加--storage-opt参数创建容器测试

root@ubuntu-01:~# docker run -it --storage-opt size=1G busybox /bin/sh
/ # df -hT
Filesystem Type Size Used Available Use% Mounted on
overlay overlay 1.0G 12.0K 1024.0M 0% /
tmpfs tmpfs 64.0M 0 64.0M 0% /dev
shm tmpfs 64.0M 0 64.0M 0% /dev/shm
/dev/sda2 xfs 20.0G 7.5G 12.5G 37% /etc/resolv.conf
/dev/sda2 xfs 20.0G 7.5G 12.5G 37% /etc/hostname
/dev/sda2 xfs 20.0G 7.5G 12.5G 37% /etc/hosts
tmpfs tmpfs 1.9G 0 1.9G 0% /proc/asound
tmpfs tmpfs 1.9G 0 1.9G 0% /proc/acpi
tmpfs tmpfs 64.0M 0 64.0M 0% /proc/kcore
tmpfs tmpfs 64.0M 0 64.0M 0% /proc/keys
tmpfs tmpfs 64.0M 0 64.0M 0% /proc/timer_list
tmpfs tmpfs 1.9G 0 1.9G 0% /proc/scsi
tmpfs tmpfs 1.9G 0 1.9G 0% /sys/firmware

发现再次使用--storage-opt参数约束容器文件系统大小时不会报错,并且成功约束:容器内df显示overlay根文件系统为1.0G。注意该限制只作用于容器的可写层(overlay),从上面的df输出也可以看到,挂载进容器的/etc/hosts等文件仍位于20G的/dev/sda2上,/dev/shm等tmpfs也不受此限制,volume和bind mount同理需要另行约束。 结束,马内到手。

作者:李朝阳原文地址:https://segmentfault.com/a/1190000043542255

