github.com/iamlotus/docker@v1.8.1/docs/articles/runmetrics.md (about) 1 <!--[metadata]> 2 +++ 3 title = "Runtime metrics" 4 description = "Measure the behavior of running containers" 5 keywords = ["docker, metrics, CPU, memory, disk, IO, run, runtime, stats"] 6 [menu.main] 7 parent = "smn_administrate" 8 weight = 4 9 +++ 10 <![end-metadata]--> 11 12 # Runtime metrics 13 14 15 ## Docker stats 16 17 You can use the `docker stats` command to live stream a container's 18 runtime metrics. The command supports CPU, memory usage, memory limit, 19 and network IO metrics. 20 21 The following is a sample output from the `docker stats` command 22 23 $ docker stats redis1 redis2 24 CONTAINER CPU % MEM USAGE/LIMIT MEM % NET I/O 25 redis1 0.07% 796 KB/64 MB 1.21% 788 B/648 B 26 redis2 0.07% 2.746 MB/64 MB 4.29% 1.266 KB/648 B 27 28 29 The [docker stats](/reference/commandline/stats/) reference page has 30 more details about the `docker stats` command. 31 32 ## Control groups 33 34 Linux Containers rely on [control groups]( 35 https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt) 36 which not only track groups of processes, but also expose metrics about 37 CPU, memory, and block I/O usage. You can access those metrics and 38 obtain network usage metrics as well. This is relevant for "pure" LXC 39 containers, as well as for Docker containers. 40 41 Control groups are exposed through a pseudo-filesystem. In recent 42 distros, you should find this filesystem under `/sys/fs/cgroup`. Under 43 that directory, you will see multiple sub-directories, called devices, 44 freezer, blkio, etc.; each sub-directory actually corresponds to a different 45 cgroup hierarchy. 46 47 On older systems, the control groups might be mounted on `/cgroup`, without 48 distinct hierarchies. In that case, instead of seeing the sub-directories, 49 you will see a bunch of files in that directory, and possibly some directories 50 corresponding to existing containers. 51 52 To figure out where your control groups are mounted, you can run: 53 54 $ grep cgroup /proc/mounts 55 56 ## Enumerating cgroups 57 58 You can look into `/proc/cgroups` to see the different control group subsystems 59 known to the system, the hierarchy they belong to, and how many groups they contain. 60 61 You can also look at `/proc/<pid>/cgroup` to see which control groups a process 62 belongs to. The control group will be shown as a path relative to the root of 63 the hierarchy mountpoint; e.g., `/` means “this process has not been assigned into 64 a particular group”, while `/lxc/pumpkin` means that the process is likely to be 65 a member of a container named `pumpkin`. 66 67 ## Finding the cgroup for a given container 68 69 For each container, one cgroup will be created in each hierarchy. On 70 older systems with older versions of the LXC userland tools, the name of 71 the cgroup will be the name of the container. With more recent versions 72 of the LXC tools, the cgroup will be `lxc/<container_name>.` 73 74 For Docker containers using cgroups, the container name will be the full 75 ID or long ID of the container. If a container shows up as ae836c95b4c3 76 in `docker ps`, its long ID might be something like 77 `ae836c95b4c3c9e9179e0e91015512da89fdec91612f63cebae57df9a5444c79`. You can 78 look it up with `docker inspect` or `docker ps --no-trunc`. 79 80 Putting everything together to look at the memory metrics for a Docker 81 container, take a look at `/sys/fs/cgroup/memory/lxc/<longid>/`. 82 83 ## Metrics from cgroups: memory, CPU, block I/O 84 85 For each subsystem (memory, CPU, and block I/O), you will find one or 86 more pseudo-files containing statistics. 87 88 ### Memory metrics: `memory.stat` 89 90 Memory metrics are found in the "memory" cgroup. Note that the memory 91 control group adds a little overhead, because it does very fine-grained 92 accounting of the memory usage on your host. Therefore, many distros 93 chose to not enable it by default. Generally, to enable it, all you have 94 to do is to add some kernel command-line parameters: 95 `cgroup_enable=memory swapaccount=1`. 96 97 The metrics are in the pseudo-file `memory.stat`. 98 Here is what it will look like: 99 100 cache 11492564992 101 rss 1930993664 102 mapped_file 306728960 103 pgpgin 406632648 104 pgpgout 403355412 105 swap 0 106 pgfault 728281223 107 pgmajfault 1724 108 inactive_anon 46608384 109 active_anon 1884520448 110 inactive_file 7003344896 111 active_file 4489052160 112 unevictable 32768 113 hierarchical_memory_limit 9223372036854775807 114 hierarchical_memsw_limit 9223372036854775807 115 total_cache 11492564992 116 total_rss 1930993664 117 total_mapped_file 306728960 118 total_pgpgin 406632648 119 total_pgpgout 403355412 120 total_swap 0 121 total_pgfault 728281223 122 total_pgmajfault 1724 123 total_inactive_anon 46608384 124 total_active_anon 1884520448 125 total_inactive_file 7003344896 126 total_active_file 4489052160 127 total_unevictable 32768 128 129 The first half (without the `total_` prefix) contains statistics relevant 130 to the processes within the cgroup, excluding sub-cgroups. The second half 131 (with the `total_` prefix) includes sub-cgroups as well. 132 133 Some metrics are "gauges", i.e., values that can increase or decrease 134 (e.g., swap, the amount of swap space used by the members of the cgroup). 135 Some others are "counters", i.e., values that can only go up, because 136 they represent occurrences of a specific event (e.g., pgfault, which 137 indicates the number of page faults which happened since the creation of 138 the cgroup; this number can never decrease). 139 140 141 - **cache:** 142 the amount of memory used by the processes of this control group 143 that can be associated precisely with a block on a block device. 144 When you read from and write to files on disk, this amount will 145 increase. This will be the case if you use "conventional" I/O 146 (`open`, `read`, 147 `write` syscalls) as well as mapped files (with 148 `mmap`). It also accounts for the memory used by 149 `tmpfs` mounts, though the reasons are unclear. 150 151 - **rss:** 152 the amount of memory that *doesn't* correspond to anything on disk: 153 stacks, heaps, and anonymous memory maps. 154 155 - **mapped_file:** 156 indicates the amount of memory mapped by the processes in the 157 control group. It doesn't give you information about *how much* 158 memory is used; it rather tells you *how* it is used. 159 160 - **pgfault and pgmajfault:** 161 indicate the number of times that a process of the cgroup triggered 162 a "page fault" and a "major fault", respectively. A page fault 163 happens when a process accesses a part of its virtual memory space 164 which is nonexistent or protected. The former can happen if the 165 process is buggy and tries to access an invalid address (it will 166 then be sent a `SIGSEGV` signal, typically 167 killing it with the famous `Segmentation fault` 168 message). The latter can happen when the process reads from a memory 169 zone which has been swapped out, or which corresponds to a mapped 170 file: in that case, the kernel will load the page from disk, and let 171 the CPU complete the memory access. It can also happen when the 172 process writes to a copy-on-write memory zone: likewise, the kernel 173 will preempt the process, duplicate the memory page, and resume the 174 write operation on the process` own copy of the page. "Major" faults 175 happen when the kernel actually has to read the data from disk. When 176 it just has to duplicate an existing page, or allocate an empty 177 page, it's a regular (or "minor") fault. 178 179 - **swap:** 180 the amount of swap currently used by the processes in this cgroup. 181 182 - **active_anon and inactive_anon:** 183 the amount of *anonymous* memory that has been identified has 184 respectively *active* and *inactive* by the kernel. "Anonymous" 185 memory is the memory that is *not* linked to disk pages. In other 186 words, that's the equivalent of the rss counter described above. In 187 fact, the very definition of the rss counter is **active_anon** + 188 **inactive_anon** - **tmpfs** (where tmpfs is the amount of memory 189 used up by `tmpfs` filesystems mounted by this 190 control group). Now, what's the difference between "active" and 191 "inactive"? Pages are initially "active"; and at regular intervals, 192 the kernel sweeps over the memory, and tags some pages as 193 "inactive". Whenever they are accessed again, they are immediately 194 retagged "active". When the kernel is almost out of memory, and time 195 comes to swap out to disk, the kernel will swap "inactive" pages. 196 197 - **active_file and inactive_file:** 198 cache memory, with *active* and *inactive* similar to the *anon* 199 memory above. The exact formula is cache = **active_file** + 200 **inactive_file** + **tmpfs**. The exact rules used by the kernel 201 to move memory pages between active and inactive sets are different 202 from the ones used for anonymous memory, but the general principle 203 is the same. Note that when the kernel needs to reclaim memory, it 204 is cheaper to reclaim a clean (=non modified) page from this pool, 205 since it can be reclaimed immediately (while anonymous pages and 206 dirty/modified pages have to be written to disk first). 207 208 - **unevictable:** 209 the amount of memory that cannot be reclaimed; generally, it will 210 account for memory that has been "locked" with `mlock`. 211 It is often used by crypto frameworks to make sure that 212 secret keys and other sensitive material never gets swapped out to 213 disk. 214 215 - **memory and memsw limits:** 216 These are not really metrics, but a reminder of the limits applied 217 to this cgroup. The first one indicates the maximum amount of 218 physical memory that can be used by the processes of this control 219 group; the second one indicates the maximum amount of RAM+swap. 220 221 Accounting for memory in the page cache is very complex. If two 222 processes in different control groups both read the same file 223 (ultimately relying on the same blocks on disk), the corresponding 224 memory charge will be split between the control groups. It's nice, but 225 it also means that when a cgroup is terminated, it could increase the 226 memory usage of another cgroup, because they are not splitting the cost 227 anymore for those memory pages. 228 229 ### CPU metrics: `cpuacct.stat` 230 231 Now that we've covered memory metrics, everything else will look very 232 simple in comparison. CPU metrics will be found in the 233 `cpuacct` controller. 234 235 For each container, you will find a pseudo-file `cpuacct.stat`, 236 containing the CPU usage accumulated by the processes of the container, 237 broken down between `user` and `system` time. If you're not familiar 238 with the distinction, `user` is the time during which the processes were 239 in direct control of the CPU (i.e., executing process code), and `system` 240 is the time during which the CPU was executing system calls on behalf of 241 those processes. 242 243 Those times are expressed in ticks of 1/100th of a second. Actually, 244 they are expressed in "user jiffies". There are `USER_HZ` 245 *"jiffies"* per second, and on x86 systems, 246 `USER_HZ` is 100. This used to map exactly to the 247 number of scheduler "ticks" per second; but with the advent of higher 248 frequency scheduling, as well as [tickless kernels]( 249 http://lwn.net/Articles/549580/), the number of kernel ticks 250 wasn't relevant anymore. It stuck around anyway, mainly for legacy and 251 compatibility reasons. 252 253 ### Block I/O metrics 254 255 Block I/O is accounted in the `blkio` controller. 256 Different metrics are scattered across different files. While you can 257 find in-depth details in the [blkio-controller]( 258 https://www.kernel.org/doc/Documentation/cgroups/blkio-controller.txt) 259 file in the kernel documentation, here is a short list of the most 260 relevant ones: 261 262 263 - **blkio.sectors:** 264 contain the number of 512-bytes sectors read and written by the 265 processes member of the cgroup, device by device. Reads and writes 266 are merged in a single counter. 267 268 - **blkio.io_service_bytes:** 269 indicates the number of bytes read and written by the cgroup. It has 270 4 counters per device, because for each device, it differentiates 271 between synchronous vs. asynchronous I/O, and reads vs. writes. 272 273 - **blkio.io_serviced:** 274 the number of I/O operations performed, regardless of their size. It 275 also has 4 counters per device. 276 277 - **blkio.io_queued:** 278 indicates the number of I/O operations currently queued for this 279 cgroup. In other words, if the cgroup isn't doing any I/O, this will 280 be zero. Note that the opposite is not true. In other words, if 281 there is no I/O queued, it does not mean that the cgroup is idle 282 (I/O-wise). It could be doing purely synchronous reads on an 283 otherwise quiescent device, which is therefore able to handle them 284 immediately, without queuing. Also, while it is helpful to figure 285 out which cgroup is putting stress on the I/O subsystem, keep in 286 mind that is is a relative quantity. Even if a process group does 287 not perform more I/O, its queue size can increase just because the 288 device load increases because of other devices. 289 290 ## Network metrics 291 292 Network metrics are not exposed directly by control groups. There is a 293 good explanation for that: network interfaces exist within the context 294 of *network namespaces*. The kernel could probably accumulate metrics 295 about packets and bytes sent and received by a group of processes, but 296 those metrics wouldn't be very useful. You want per-interface metrics 297 (because traffic happening on the local `lo` 298 interface doesn't really count). But since processes in a single cgroup 299 can belong to multiple network namespaces, those metrics would be harder 300 to interpret: multiple network namespaces means multiple `lo` 301 interfaces, potentially multiple `eth0` 302 interfaces, etc.; so this is why there is no easy way to gather network 303 metrics with control groups. 304 305 Instead we can gather network metrics from other sources: 306 307 ### IPtables 308 309 IPtables (or rather, the netfilter framework for which iptables is just 310 an interface) can do some serious accounting. 311 312 For instance, you can setup a rule to account for the outbound HTTP 313 traffic on a web server: 314 315 $ iptables -I OUTPUT -p tcp --sport 80 316 317 There is no `-j` or `-g` flag, 318 so the rule will just count matched packets and go to the following 319 rule. 320 321 Later, you can check the values of the counters, with: 322 323 $ iptables -nxvL OUTPUT 324 325 Technically, `-n` is not required, but it will 326 prevent iptables from doing DNS reverse lookups, which are probably 327 useless in this scenario. 328 329 Counters include packets and bytes. If you want to setup metrics for 330 container traffic like this, you could execute a `for` 331 loop to add two `iptables` rules per 332 container IP address (one in each direction), in the `FORWARD` 333 chain. This will only meter traffic going through the NAT 334 layer; you will also have to add traffic going through the userland 335 proxy. 336 337 Then, you will need to check those counters on a regular basis. If you 338 happen to use `collectd`, there is a [nice plugin](https://collectd.org/wiki/index.php/Plugin:IPTables) 339 to automate iptables counters collection. 340 341 ### Interface-level counters 342 343 Since each container has a virtual Ethernet interface, you might want to 344 check directly the TX and RX counters of this interface. You will notice 345 that each container is associated to a virtual Ethernet interface in 346 your host, with a name like `vethKk8Zqi`. Figuring 347 out which interface corresponds to which container is, unfortunately, 348 difficult. 349 350 But for now, the best way is to check the metrics *from within the 351 containers*. To accomplish this, you can run an executable from the host 352 environment within the network namespace of a container using **ip-netns 353 magic**. 354 355 The `ip-netns exec` command will let you execute any 356 program (present in the host system) within any network namespace 357 visible to the current process. This means that your host will be able 358 to enter the network namespace of your containers, but your containers 359 won't be able to access the host, nor their sibling containers. 360 Containers will be able to “see” and affect their sub-containers, 361 though. 362 363 The exact format of the command is: 364 365 $ ip netns exec <nsname> <command...> 366 367 For example: 368 369 $ ip netns exec mycontainer netstat -i 370 371 `ip netns` finds the "mycontainer" container by 372 using namespaces pseudo-files. Each process belongs to one network 373 namespace, one PID namespace, one `mnt` namespace, 374 etc., and those namespaces are materialized under 375 `/proc/<pid>/ns/`. For example, the network 376 namespace of PID 42 is materialized by the pseudo-file 377 `/proc/42/ns/net`. 378 379 When you run `ip netns exec mycontainer ...`, it 380 expects `/var/run/netns/mycontainer` to be one of 381 those pseudo-files. (Symlinks are accepted.) 382 383 In other words, to execute a command within the network namespace of a 384 container, we need to: 385 386 - Find out the PID of any process within the container that we want to investigate; 387 - Create a symlink from `/var/run/netns/<somename>` to `/proc/<thepid>/ns/net` 388 - Execute `ip netns exec <somename> ....` 389 390 Please review [*Enumerating Cgroups*](#enumerating-cgroups) to learn how to find 391 the cgroup of a process running in the container of which you want to 392 measure network usage. From there, you can examine the pseudo-file named 393 `tasks`, which contains the PIDs that are in the 394 control group (i.e., in the container). Pick any one of them. 395 396 Putting everything together, if the "short ID" of a container is held in 397 the environment variable `$CID`, then you can do this: 398 399 $ TASKS=/sys/fs/cgroup/devices/$CID*/tasks 400 $ PID=$(head -n 1 $TASKS) 401 $ mkdir -p /var/run/netns 402 $ ln -sf /proc/$PID/ns/net /var/run/netns/$CID 403 $ ip netns exec $CID netstat -i 404 405 ## Tips for high-performance metric collection 406 407 Note that running a new process each time you want to update metrics is 408 (relatively) expensive. If you want to collect metrics at high 409 resolutions, and/or over a large number of containers (think 1000 410 containers on a single host), you do not want to fork a new process each 411 time. 412 413 Here is how to collect metrics from a single process. You will have to 414 write your metric collector in C (or any language that lets you do 415 low-level system calls). You need to use a special system call, 416 `setns()`, which lets the current process enter any 417 arbitrary namespace. It requires, however, an open file descriptor to 418 the namespace pseudo-file (remember: that's the pseudo-file in 419 `/proc/<pid>/ns/net`). 420 421 However, there is a catch: you must not keep this file descriptor open. 422 If you do, when the last process of the control group exits, the 423 namespace will not be destroyed, and its network resources (like the 424 virtual interface of the container) will stay around for ever (or until 425 you close that file descriptor). 426 427 The right approach would be to keep track of the first PID of each 428 container, and re-open the namespace pseudo-file each time. 429 430 ## Collecting metrics when a container exits 431 432 Sometimes, you do not care about real time metric collection, but when a 433 container exits, you want to know how much CPU, memory, etc. it has 434 used. 435 436 Docker makes this difficult because it relies on `lxc-start`, which 437 carefully cleans up after itself, but it is still possible. It is 438 usually easier to collect metrics at regular intervals (e.g., every 439 minute, with the collectd LXC plugin) and rely on that instead. 440 441 But, if you'd still like to gather the stats when a container stops, 442 here is how: 443 444 For each container, start a collection process, and move it to the 445 control groups that you want to monitor by writing its PID to the tasks 446 file of the cgroup. The collection process should periodically re-read 447 the tasks file to check if it's the last process of the control group. 448 (If you also want to collect network statistics as explained in the 449 previous section, you should also move the process to the appropriate 450 network namespace.) 451 452 When the container exits, `lxc-start` will try to 453 delete the control groups. It will fail, since the control group is 454 still in use; but that's fine. You process should now detect that it is 455 the only one remaining in the group. Now is the right time to collect 456 all the metrics you need! 457 458 Finally, your process should move itself back to the root control group, 459 and remove the container control group. To remove a control group, just 460 `rmdir` its directory. It's counter-intuitive to 461 `rmdir` a directory as it still contains files; but 462 remember that this is a pseudo-filesystem, so usual rules don't apply. 463 After the cleanup is done, the collection process can exit safely.