I want to setup a docker container for a peer 2 peer app. This app doesn\'t have app level rate limiting so I\'m attempting to set a limit at the container level. I would like
You could use the iptables limits module. For example, you could add a rule to the PREROUTING table using the options "-m limit --limit 10/s" to limit a particular port to receive only 10 connections per second.
I'm surprised at how difficult it was to find the answer to this question. Most answers on the various forums are incorrect (I tested them with two iperf3 nodes and found that the solutions didn't work or only limited one direction of traffic (only incoming or only outgoing). A P2P application that has much more symmetric data usage than traditional client/server applications so traffic must be limited in both directions.
The best way I've found is to limit network bandwidth (both incoming and outgoing) for a Docker container is to use Linux's own traffic control settings within the running container. Execute the tc
commands inside the container before you start your P2P application.
For example, you could create a start-up script like the following, copy it into your docker image and invoke it as the ENTRYPOINT.
Dockerfile (snippet):
COPY start-my-p2p.sh /
RUN chmod +x /start-my-p2p.sh
ENTRYPOINT /start-my-p2p.sh
Put something like this in your start-my-p2p.sh (the tc
cmdlines are probably what you've been searching the Internet for):
#/bin/sh
# Limit all incoming and outgoing network to 1mbit/s
tc qdisc add dev eth0 handle 1: ingress
tc filter add dev eth0 parent 1: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 1mbit burst 10k drop flowid :1
tc qdisc add dev eth0 root tbf rate 1mbit latency 25ms burst 10k`
# Now start your p2p application
myp2pservice -d
IMPORTANT: When starting the container you'll need to use --cap-add=NET_ADMIN
:
docker run --rm -it --cap-add=NET_ADMIN -p6969:p6969 myimage