Detections
Analytics
5.11 Ensure that CPU priority is set appropriately on containers
Information
By default, all containers on a Docker host share resources equally. By using the resource management capabilities of the Docker host you can control the host CPU resources that a container may consume.Rationale:
By default, CPU time is divided between containers equally. If you wish to control available CPU resources amongst container instances, you can use the CPU sharing feature. CPU sharing allows you to prioritize one container over others and prevents lower priority containers from absorbing CPU resources which may be required by other processes. This ensures that high priority containers are able to claim the CPU runtime they require.
Solution
You should manage the CPU runtime between your containers dependent on their priority within your organization. To do so start the container using the --cpu-shares argument.For example, you could run a container as below:
docker run --interactive --tty --cpu-shares 512 centos /bin/bash
In the example above, the container is started with CPU shares of 50% of what other containers use. So if the other container has CPU shares of 80%, this container will have CPU shares of 40%.
Every new container will have 1024 shares of CPU by default. However, this value is shown as 0 if you run the command mentioned in the audit section.
Alternatively:
Navigate to the /sys/fs/cgroup/cpu/system.slice/ directory.
Check your container instance ID using docker ps.
Inside the above directory (in step 1), you could have a directory called, for example: docker-<Instance ID>.scope. For example, docker-4acae729e8659c6be696ee35b2237cc1fe4edd2672e9186434c5116e1a6fbed6.scope. Navigate to this directory.
You will find a file named cpu.shares. Execute cat cpu.shares. This will always give you the CPU share value based on the system. Even if there are no CPU shares configured using the -c or --cpu-shares argument in the docker run command, this file will have a value of 1024.
If you set one container's CPU shares to 512 it will receive half of the CPU time compared to the other containers. So if you take 1024 as 100% you can then derive the number that you should set for respective CPU shares. For example, use 512 if you want to set it to 50% and 256 if you want to set it 25%.
Impact:
If you do not correctly assign CPU thresholds, the container process may run out of resources and become unresponsive. If CPU resources on the host are not constrainted, CPU shares do not place any restrictions on individual resources.
Default Value:
By default, all containers on a Docker host share their resources equally. No CPU shares are enforced.
See Also
Item Details
Audit Name: CIS Docker v1.2.0 L1 Docker Linux
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-6, CSCv6|18
Plugin: Unix
Control ID: 594db6f83cbce63e7079e3dc63a63fa77a7a1e242671ebfe0e8801e184e1a6c4