Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
634 views
in Technique[技术] by (71.8m points)

linux - Refresh net.core.somaxcomm (or any sysctl property) for docker containers

I am trying to change net.core.somaxconn for docker container to be able to have larger queue of requests for my web application.

On OS, outside docker, I first modify the property successfully:

$ cat /proc/sys/net/core/somaxconn
128
$ sudo sysctl -w net.core.somaxconn=1024
net.core.somaxconn = 1024
$ cat /proc/sys/net/core/somaxconn
1024

But then I don't know how to propagate that change into docker. I've tried:

  • Also editing /etc/sysctl.conf (in hope of docker reading that file on container launch)
  • Restarting containers sudo docker stop and sudo docker run again
  • Restarting the whole docker service by sudo service docker restart

But inside container, cat /proc/sys/net/core/somaxconn always shows 128.

I'm running docker 1.2 (so I cannot, by default, modify /proc attributes inside container) and in Elastic Beanstalk (so without --privileged mode, that would allow me to modify /proc).

How can I propagate the sysctl changes to docker?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

The "net/core" subsys is registered per network namespace. And the initial value for somaxconn is set to 128.

When you do sysctl on the host system it sets the core parameters for its network namespace, which is the one owned by init. (basically this is the default namespace). This does not affect other network namespaces.

When a Docker container is started, the virtual network interface (shows up as vethXXX on the host) of that container is attached to its own namespace, which still has the initial somaxconn value of 128. So technically, you cannot propogate this value into the container, since the two network namespaces do not share it.

There are, however, two ways you can adjust this value, in addition to run the container in privileged mode.

  1. use "--net host" when running the container, so it uses the host's network interface and hence share the same network namespace.

  2. you can mount the proc file system as read-write using Docker's volume mapping support. the trick is to map it to a volume NOT named "/proc", since Docker will remount /proc/sys, among others, as read-only for non-privileged containers. This requires the host to mount /proc as rw, which is the case on most systems.

    docker run -it --rm -v /proc:/writable-proc ubuntu:14.04 /bin/bash
    root@edbee3de0761:/# echo 1024 > /writable-proc/sys/net/core/somaxconn
    root@edbee3de0761:/# sysctl net.core.somaxconn
    net.core.somaxconn = 1024
    

Method 2 should work on Elastic Beanstalk via its volume mapping support in Dockerrun.aws.json. Also it should work for other tunable parameters under /proc that's per-namespace. But this is most likely an oversight on Docker's part so they may add additional validation on volume mapping and this trick won't work then.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

1.4m articles

1.4m replys

5 comments

57.0k users

...