5.12 Ensure that CPU priority is set appropriately on containers

Information

By default, all containers on a Docker host share resources equally. By using the resource management capabilities of the Docker host you can control the host CPU resources that a container may consume.

Rationale:

By default, CPU time is divided between containers equally. If you wish to control available CPU resources amongst container instances, you can use the CPU sharing feature. CPU sharing allows you to prioritize one container over others and prevents lower priority containers from absorbing CPU resources which may be required by other processes. This ensures that high priority containers are able to claim the CPU runtime they require.

Impact:

If you do not correctly assign CPU thresholds, the container process may run out of resources and become unresponsive. If CPU resources on the host are not constrainted, CPU shares do not place any restrictions on individual resources.

Solution

You should manage the CPU runtime between your containers dependent on their priority within your organization. To do so start the container using the --cpu-shares argument.
For example, you could run a container as below:

docker run -d --cpu-shares 512 centos sleep 1000

In the example above, the container is started with CPU shares of 50% of what other containers use. So if the other container has CPU shares of 80%, this container will have CPU shares of 40%.
Every new container will have 1024 shares of CPU by default. However, this value is shown as 0 if you run the command mentioned in the audit section.
If you set one container's CPU shares to 512 it will receive half of the CPU time compared to the other containers. So if you take 1024 as 100% you can then derive the number that you should set for respective CPU shares. For example, use 512 if you want to set it to 50% and 256 if you want to set it 25%.
You can also view the current CPU shares in the file /sys/fs/cgroup/cpu/docker/<CONTAINER ID>/cpu.shares.

Default Value:

By default, all containers on a Docker host share their resources equally. No CPU shares are enforced.

See Also

https://workbench.cisecurity.org/files/4532

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4, CSCv7|18

Plugin: Unix

Control ID: ff4dd7ca139fc7d8e53aff6eb1e7c06f97fef88151d1d51fbc9b9c6af9f5cb7c