turbot/docker_compliance
GitHub
Loading controls...

Control: 5.12 Ensure that CPU priority is set appropriately on containers

Description

By default, all containers on a Docker host share resources equally. By using the resource management capabilities of the Docker host you can control the host CPU resources that a container may consume.

By default, CPU time is divided between containers equally. If you wish to control available CPU resources amongst container instances, you can use the CPU sharing feature. CPU sharing allows you to prioritize one container over others and prevents lower priority containers from absorbing CPU resources which may be required by other processes. This ensures that high priority containers are able to claim the CPU runtime they require.

Remediation

You should manage the CPU runtime between your containers dependent on their priority within your organization. To do so start the container using the --cpu-shares argument. For example, you could run a container as below:

docker run -d --cpu-shares 512 centos sleep 1000

In the example above, the container is started with CPU shares of 50% of what other containers use. So if the other container has CPU shares of 80%, this container will have CPU shares of 40%.

Every new container will have 1024 shares of CPU by default. However, this value is shown as 0 if you run the command mentioned in the audit section.

If you set one container’s CPU shares to 512 it will receive half of the CPU time compared to the other containers. So if you take 1024 as 100% you can then derive the number that you should set for respective CPU shares. For example, use 512 if you want to set it to 50% and 256 if you want to set it 25%.

You can also view the current CPU shares in the file /sys/fs/cgroup/cpu/docker/<CONTAINER ID>/cpu.shares.

Default Value

By default, all containers on a Docker host share their resources equally. No CPU shares are enforced.

Usage

Run the control in your terminal:

steampipe check docker_compliance.control.cis_v160_5_12

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share docker_compliance.control.cis_v160_5_12

SQL

This control uses a named query:

docker_container_cpu_priority_set

Tags