引言
前段時(shí)間,在使用Docker的時(shí)候出現(xiàn)了異常,后經(jīng)排查發(fā)現(xiàn)容器進(jìn)程變成了孤兒進(jìn)程商佛,類似于這樣:
ps -ef |grep docker
root 9077 1 0 14:51 ? 00:00:00 docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/b9c7dbb97bacd851e861b8edd5bf66226054d336e528ec7ed308558826701ab1 -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
root 9102 1 0 14:51 ? 00:00:00 docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/ac660ea7b14a67421367c6882d63026734e7ea51b35cc259d80214d86a7951fa -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
root 9132 1 0 14:51 ? 00:00:00 docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/b0ec4f46a4512fea68fd96b130bde1b287911421808922e21309d1655fb8ffc3 -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
root 9171 1 0 14:51 ? 00:00:00 docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/4a8e0271ad08854bd58f2952cb957a20e07d1d093849f72e6839cf8ee043921d -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
......
docker-containerd-shim父進(jìn)程變成了系統(tǒng)的1號進(jìn)程systemd,而不再是dockerd進(jìn)程
至于什么原因?qū)е碌哪反颍瑳]有模擬出來良姆,唯一能模擬出來上述情況的做法是kill -9 dockerd進(jìn)程號,但我們在操作docker時(shí)估計(jì)也不會這么做幔戏。后來在使用中發(fā)現(xiàn)當(dāng)有些容器的應(yīng)用處于繁忙狀態(tài)(高度使用cpu玛追、mem等資源)時(shí),如果systemctl stop docker闲延,則繁忙容器對應(yīng)的docker-containerd-shim進(jìn)程多半會處于孤兒進(jìn)程狀態(tài)痊剖。想要對docker這一塊的進(jìn)程作了解,于是花了些時(shí)間研究了docker進(jìn)程組的狀況垒玲,如下為研究記錄陆馁。
實(shí)踐
- 實(shí)踐環(huán)境:Centos7.4 +Docker18.03-ce
- 安裝完docker并通過systemctl start docker啟動(dòng)dockerd服務(wù)后,系統(tǒng)中關(guān)于docker的進(jìn)程組狀態(tài)為:
pstree -a
systemd --system --deserialize 20
......
├─dockerd --storage-driver=overlay2
│ ├─docker-containe --config /var/run/docker/containerd/containerd.toml
│ │ └─8*[{docker-containe}]
│ └─10*[{dockerd}]
......
ps -ef | grep docker | grep -v grep
root 28114 1 0 15:25 ? 00:00:00 /usr/bin/dockerd --storage-driver=overlay2
root 28121 28114 0 15:25 ? 00:00:01 docker-containerd --config /var/run/docker/containerd/containerd.toml
可知:
1. 首先會有dockerd(docker daemon)進(jìn)程合愈,父進(jìn)程為systemd 1號進(jìn)程
2. 緊接著是docker-containerd(containerd is the executor for containers)進(jìn)程叮贩,父進(jìn)程為dockerd進(jìn)程
注:pstree的這個(gè)顯示10*[{dockerd}]表示dockerd進(jìn)程的子線程击狮,可以man pstree了解
- 創(chuàng)建一個(gè)nginx容器,查看容器進(jìn)程信息
創(chuàng)建nginx容器并映射端口80->8888
docker run -itd --name nginx -p 8888:80 nginx:1.14
dd12c48715428d71ab64e1a7aa9242b8d6c9786e417c8595168646c39745b50f
查看nginx容器內(nèi)運(yùn)行的進(jìn)程
docker top nginx
UID PID PPID C STIME TTY TIME CMD
root 28543 28527 0 16:39 pts/0 00:00:00 nginx: master process nginx -g daemon off;
101 28580 28543 0 16:39 pts/0 00:00:00 nginx: worker process
pstree -a
systemd --system --deserialize 20
......
├─dockerd --storage-driver=overlay2
│ ├─docker-containe --config /var/run/docker/containerd/containerd.toml
│ │ ├─docker-containe -namespace moby -workdir ...
│ │ │ ├─nginx
│ │ │ │ └─nginx
│ │ │ └─8*[{docker-containe}]
│ │ └─10*[{docker-containe}]
│ ├─docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8888 -container-ip 172.17.0.2 -container-port 80
│ │ └─5*[{docker-proxy}]
│ └─11*[{dockerd}]
......
ps -ef | grep -E "docker|nginx" | grep -v grep
root 28114 1 0 15:25 ? 00:00:12 /usr/bin/dockerd --storage-driver=overlay2
root 28121 28114 0 15:25 ? 00:00:27 docker-containerd --config /var/run/docker/containerd/containerd.toml
root 28521 28114 0 16:39 ? 00:00:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8888 -container-ip 172.17.0.2 -container-port 80
root 28527 28121 0 16:39 ? 00:00:00 docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/dd12c48715428d71ab64e1a7aa9242b8d6c9786e417c8595168646c39745b50f -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
root 28543 28527 0 16:39 pts/0 00:00:00 nginx: master process nginx -g daemon off;
101 28580 28543 0 16:39 pts/0 00:00:00 nginx: worker process
可知:
1. docker-proxy進(jìn)程主要用來做端口映射益老,可以在dockerd設(shè)置--userland-proxy=false將其關(guān)閉彪蓬;docker-proxy與docker-containerd進(jìn)程一樣均是dockerd的子進(jìn)程
2. docker-containerd-shim是運(yùn)行容器的進(jìn)程,每一個(gè)容器均會對應(yīng)一個(gè)containerd-shim進(jìn)程捺萌,此進(jìn)程是docker-containerd的子進(jìn)程
3. 應(yīng)用進(jìn)程nginx是容器進(jìn)程docker-containerd-shim的子進(jìn)程档冬,應(yīng)用進(jìn)程通常是entrypoint+cmd進(jìn)程,容器內(nèi)后續(xù)創(chuàng)建的進(jìn)程均是entrypoint+cmd進(jìn)程的子進(jìn)程
- 查看多個(gè)容器的進(jìn)程信息:
ps axf | grep docker -A 1
1223 pts/1 S+ 0:00 | \_ grep --color=auto docker -A 1
28046 ? Ss 0:00 \_ sshd: root@pts/0
--
29267 ? Ssl 0:57 /usr/bin/dockerd --storage-driver=overlay
29274 ? Ssl 0:04 \_ docker-containerd --config /var/run/docker/containerd/containerd.toml
29670 ? Sl 0:00 | \_ docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/b4922fcaa64304c0aad46de5aaf487a16c3926ee04ffa74357c73eecd9f460d7 -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
29684 pts/0 Ssl+ 0:01 | | \_ registry serve /etc/docker/registry/config.yml
32673 ? Sl 0:00 | \_ docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/74e6fdbbd29e976d1c334a02558d653991fd6740a91b5796245599dd8624627a -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
32689 pts/0 Ssl+ 0:04 | | \_ /bin/prometheus -config.file=/etc/prometheus/prometheus.yml -storage.local.path=/prometheus -web.console.libraries=/usr/share/prometheus/console_libraries -web.console.templates=/usr/share/prometheus/consoles
357 ? Sl 0:00 | \_ docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/38d837585be68b658fdc678c80f5add34556e6b883a4f2125e9ad4fa8f915496 -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
373 pts/0 Ssl+ 0:01 | | \_ /usr/sbin/grafana-server --homepath=/usr/share/grafana --config=/etc/grafana/grafana.ini cfg:default.log.mode=console cfg:default.paths.data=/var/lib/grafana cfg:default.paths.logs=/var/log/grafana cfg:default.paths.plugins=/var/lib/grafana/plugins
724 ? Sl 0:00 | \_ docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/a1f7009ce53b17f31e6f84a1920ea770612dd15f030f1c561a31dd1c9a93ea78 -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
749 pts/0 Ssl+ 0:01 | | \_ /bin/node_exporter -collector.procfs /host/proc -collector.sysfs /host/sys -collector.filesystem.ignored-mount-points ^/(sys|proc|dev|host|etc)($|/)
858 ? Sl 0:00 | \_ docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/5a8ef16cc491583903aadc24ce282261e7821284b461cc6fa9b108f15846fdef -address /var/run/docker/containerd/docker-containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc
874 pts/0 Ssl+ 0:20 | \_ /usr/bin/cadvisor -logtostderr -port 8090
29661 ? Sl 0:00 \_ /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 5000 -container-ip 172.17.0.2 -container-port 5000
- docker進(jìn)程組結(jié)構(gòu)為:
/usr/bin/dockerd ......
\_ docker-containerd ......
\_ docker-containerd-shim ......
\_ 應(yīng)用進(jìn)程(ENTRYPOINT+CMD)
\_ docker-containerd-shim ......
\_app
......
\_ /usr/bin/docker-proxy ......
\_ /usr/bin/docker-proxy ......
.....
總結(jié)
從上述研究內(nèi)容可知桃纯,dockerd的父進(jìn)程為1號systemd進(jìn)程酷誓,其子進(jìn)程包含docker-containerd與docker-proxy進(jìn)程,docker-proxy進(jìn)程用于容器的路由設(shè)置态坦。docker-containerd-shim是docker-containerd的子進(jìn)程呛牲,一個(gè)容器對應(yīng)一個(gè)docker-containerd-shim進(jìn)程。另外發(fā)現(xiàn)耗子叔也遇到了類似的問題驮配,文章說到在systemctl stop docker無響應(yīng)的情況下,Ctrl+C的操作也會導(dǎo)致容器進(jìn)程變?yōu)楣聝哼M(jìn)程着茸。
