 

Use tc to throttle Docker container's outgoing network bandwidth

I'm trying to do the bandwidth throttling to the Docker containers. To limit the downlink bandwidth, I can first find the veth interface of the container and use tc: `tc qdisc add dev vethpair1 root tbf rate 1mbit latency 50ms burst 10000`. If I want to limit the uplink bandwidth, I need to specify `--cap-add=NET_ADMIN` when I spin up the container and use the same `tc` command on `eth0` inside the container. Is there any non-intrusive way to do it, so that I can administrate any container without giving it privilege?

Wei-Tsung asked Apr 26 '16 17:04



1 Answer

You could tell Docker to use LXC under the hood: use the `-e lxc` option.

Create your containers with a custom LXC directive to put them into a **traffic class**:

`docker run --lxc-conf="lxc.cgroup.net_cls.classid = 0x00100001" your/image /bin/stuff` 

Check the official documentation about how to apply bandwidth limits to this class.

Note: the `--storage-driver=devicemapper` and `-e lxc` options are for the Docker daemon, not for the Docker client you're using when running `docker run ...`.

Also, you can do this through this:

```
# Expose the container's network namespace to `ip netns` on the host
mkdir -p /var/run/netns
ln -sf /proc/$(docker inspect -f '{{ .State.Pid }}' YOUR_CONTAINER)/ns/net /var/run/netns/SOME_NAME
# Run a command from the host inside that namespace
ip netns exec SOME_NAME iptables -L -nv
```
Valeriy Solovyov answered Sep 29 '22 11:09
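
The namespace approach from the answer above, combined with the `tc` command from the question, as an added example that is not part of the original post: the host enters the container's network namespace and applies the limit to `eth0`, so the container is started without `--cap-add=NET_ADMIN`. The function names and the `DRY_RUN` and `NETNS_DIR` variables are hypothetical; it assumes root on the Docker host, iproute2, and `eth0` as the container interface.

```sh
#!/bin/sh
# Added example: shape a container's uplink from the host, so the container
# never needs --cap-add=NET_ADMIN. Assumptions: root on the Docker host,
# iproute2 installed, container interface eth0. DRY_RUN and NETNS_DIR are
# illustrative knobs; DRY_RUN=1 prints the commands instead of running them.

NETNS_DIR=${NETNS_DIR:-/var/run/netns}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Print the PID of the container's init process. Docker reports Pid 0 for a
# stopped container, which would yield a bogus /proc/0 path, so reject it.
container_pid() {
    pid=$(docker inspect -f '{{ .State.Pid }}' "$1") || return 1
    case "$pid" in ''|0|*[!0-9]*) return 1 ;; esac
    echo "$pid"
}

# throttle_container CONTAINER RATE [DEV]
throttle_container() {
    rate=$2
    dev=${3:-eth0}
    pid=$(container_pid "$1") || { echo "container $1 is not running" >&2; return 1; }
    ns="ctr-$pid"    # numeric name, so no caller-supplied text lands in a path
    run mkdir -p "$NETNS_DIR"
    run ln -sf "/proc/$pid/ns/net" "$NETNS_DIR/$ns"
    # 'replace' adds the qdisc or updates an existing one, so reruns are safe.
    status=0
    run ip netns exec "$ns" tc qdisc replace dev "$dev" root tbf \
        rate "$rate" latency 50ms burst 10000 || status=$?
    # Remove the handle: a leftover link would point at a PID that can be reused.
    run rm -f "$NETNS_DIR/$ns"
    return "$status"
}

# Example: ./throttle.sh YOUR_CONTAINER 1mbit
if [ "$#" -ge 2 ]; then throttle_container "$@"; fi
```

The qdisc stays attached to the interface after the link is removed; it lives in the container's namespace, not in the symlink.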