5.11 Set container CPU priority appropriately

Information

By default, all containers on a Docker host share the resources equally. By using the resource management capabilities of the Docker host, such as CPU shares, you can control the host CPU resources that a container may consume.

By default, CPU time is divided between containers equally. If you want to control the CPU time amongst the container instances, you can use the CPU sharing feature. CPU sharing allows you to prioritize one container over another and prevents the lower priority container from claiming CPU resources more often. This ensures that the high priority containers are served better.

Solution

Manage the CPU shares between your containers. To do so, start the container using the '-c' or '--cpu-shares' argument. You may start the container as below:

$> docker run <Run arguments> --cpu-shares <CPU shares> <Container Image Name or ID> <Command>

For example,

docker run --interactive --tty --cpu-shares 512 centos /bin/bash

In the above example, the container is started with CPU shares of 50% of what the other containers use. So, if the other container has CPU shares of 80%, this container will have CPU shares of 40%.

Note: Every new container will have 1024 shares of CPU by default. However, this value is shown as '0' if you run the command mentioned in the audit section.

Alternatively,

1. Navigate to the /sys/fs/cgroup/cpu/system.slice/ directory.
2. Check your container instance ID using the 'docker ps' command.
3. Now, inside the above directory (in step 1), you would have a directory named 'docker-<Instance ID>.scope', for example 'docker-4acae729e8659c6be696ee35b2237cc1fe4edd2672e9186434c5116e1a6fbed6.scope'. Navigate to this directory.
4. You will find a file named 'cpu.shares'. Execute 'cat cpu.shares'. This will always give you the CPU share value based on the system. So, even if there are no CPU shares configured using the '-c' or '--cpu-shares' argument in the 'docker run' command, this file will have a value of '1024'.

If we set one container's CPU shares to 512, it will receive half of the CPU time compared to the other container. So, take 1024 as 100% and then do quick math to derive the number that you should set for the respective CPU shares. For example, use 512 if you want to set 50% and 256 if you want to set 25%.

Impact

If you do not set proper CPU shares, the container process may starve if the resources on the host are not available. If the CPU resources on the host are free, CPU shares do not place any restrictions on the CPU that the container may use.

Default Value

By default, all containers on a Docker host share the resources equally. No CPU shares are enforced.
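As an added example, not part of the benchmark text, the POSIX shell helper below applies the arithmetic above to 'docker inspect' output: it lists containers whose CpuShares were never set (reported as 0) and computes each container's weight both against the 1024 default and against all other running containers. It assumes the inspect output is supplied as '<id> <CpuShares>' lines; the lines used here are constructed so the script runs without a Docker host.

```shell
#!/bin/sh
# Added audit helper (not from the CIS benchmark). Real input would come from:
#   docker ps --quiet | xargs docker inspect \
#       --format '{{ .Id }} {{ .HostConfig.CpuShares }}'
# The sample below is constructed so the functions can run offline.
SAMPLE_INSPECT='f1a2b3c4d5e6 512
a9b8c7d6e5f4 0
0011223344aa 256'

# Percentage of the 1024 default that a --cpu-shares value represents
# (512 -> 50, 256 -> 25), i.e. the "quick math" from the benchmark text.
cpu_share_pct() {
    echo $(( $1 * 100 / 1024 ))
}

# Print the IDs of containers started without --cpu-shares. Docker reports
# these as 0 even though the cgroup file cpu.shares holds 1024 for them.
find_unset_shares() {
    printf '%s\n' "$1" | awk '$2 == 0 { print $1 }'
}

# Number of such containers; useful as a pass/fail count for the control.
count_unset_shares() {
    find_unset_shares "$1" | wc -l | tr -d ' '
}

# CPU time (percent, one decimal) the named container would get when every
# container on the host is busy: its weight divided by the sum of all
# weights, treating an unset value (0) as the kernel default of 1024.
contention_pct() {
    printf '%s\n' "$1" | awk -v want="$2" '
        { w = ($2 == 0) ? 1024 : $2; total += w; if ($1 == want) mine = w }
        END { printf "%.1f\n", mine * 100 / total }'
}

# Usage:
#   find_unset_shares "$SAMPLE_INSPECT"
#   contention_pct "$SAMPLE_INSPECT" f1a2b3c4d5e6
```

Note that the contention figure only matters when the host CPU is saturated; with idle CPU, shares impose no ceiling, exactly as the Impact paragraph states.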

See Also

https://workbench.cisecurity.org/files/517

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-6

Plugin: Unix

Control ID: 7b3bbf2e2f7fc80c9cada7507f5c56db751b0b03910a0a3f4157d02a0e2aeab1