Difficulty: Beginner
Estimated Time: 10 minutes

In this scenario you will learn the foundations of CGroups (Control Groups) and Namespaces to apply security restrictions to containers.

Below are some examples of the types of cgroups and namespaces that exist.

CGroups Examples

--cpu-shares
--cpuset-cpus
--memory-reservation
--kernel-memory
--blkio-weight (block IO)
--device-read-iops
--device-write-iops

Namespace Examples

Namespace   Flag              Isolates
Cgroup      CLONE_NEWCGROUP   Cgroup root directory
IPC         CLONE_NEWIPC      System V IPC, POSIX message queues
Network     CLONE_NEWNET      Network devices, stacks, ports, etc.
Mount       CLONE_NEWNS       Mount points
PID         CLONE_NEWPID      Process IDs
User        CLONE_NEWUSER     User and group IDs
UTS         CLONE_NEWUTS      Hostname and NIS domain name

CGroups and Namespaces

Step 1 - Define Memory Limits

CGroups control how many resources a process can use. By adding restrictions you can deliver a guaranteed Quality of Service to applications by ensuring they have enough resources available. It's also possible to protect the system from potentially malicious users or applications aiming to perform Denial of Service (DoS) attacks via resource exhaustion. Defining upper boundaries also limits the damage done by memory leaks or other programming bugs in an application.

Example

docker run -d --name mb100 --memory 100m alpine top

The memory usage and limits of containers can be identified via the docker stats command.

docker stats --no-stream
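To tie the two commands above together, here is an added example (not part of the scenario) with two small helpers: one converts a --memory value such as 100m into the byte count the cgroup enforces, the other reads docker stats --no-stream output and labels containers that run without a limit or close to it. The stats output and the host memory figure 7.77GiB are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the scenario): helpers around `--memory` and
# `docker stats --no-stream` for checking that containers actually carry a
# memory limit and are not running close to it (OOM-kill / DoS exposure).

# Convert a docker --memory value (100m, 2g, 512k, plain bytes) to bytes.
# Docker interprets these suffixes as binary units (1k = 1024 bytes).
to_bytes() {
    num=${1%[bBkKmMgG]}
    case "$1" in
        *[kK]) echo $((num * 1024)) ;;
        *[mM]) echo $((num * 1024 * 1024)) ;;
        *[gG]) echo $((num * 1024 * 1024 * 1024)) ;;
        *)     echo $((num)) ;;
    esac
}

# Read `docker stats --no-stream` output on stdin and label each container:
#   NOLIMIT  - the LIMIT column equals the host total ($2), i.e. --memory was never set
#   HIGH     - MEM % is at or above the threshold in $1
#   OK       - otherwise
flag_memory_risks() {
    awk -v thr="$1" -v host="$2" 'NR > 1 {
        name = $2; usage = $4; limit = $6; pct = $7
        sub(/%$/, "", pct)
        status = "OK"
        if (limit == host) status = "NOLIMIT"
        else if (pct + 0 >= thr + 0) status = "HIGH"
        printf "%s %s %s/%s %s%%\n", status, name, usage, limit, pct
    }'
}

# Constructed sample of `docker stats --no-stream` output (not captured from a real host):
# mb100 is the container from the scenario, "noisy" is near its limit, "open" has no limit.
SAMPLE_STATS='CONTAINER ID   NAME    CPU %   MEM USAGE / LIMIT   MEM %   NET I/O   BLOCK I/O   PIDS
1a2b3c4d5e6f   mb100   0.00%   1.2MiB / 100MiB     1.20%   0B / 0B   0B / 0B     1
6f5e4d3c2b1a   noisy   5.00%   95MiB / 100MiB      95.00%  0B / 0B   0B / 0B     3
abcdef012345   open    0.10%   40MiB / 7.77GiB     0.50%   0B / 0B   0B / 0B     2'

# --memory 100m should show up inside the container as this many bytes in
# /sys/fs/cgroup/memory.max (cgroup v2) or memory.limit_in_bytes (cgroup v1).
echo "100m = $(to_bytes 100m) bytes"

# Threshold 90%, host memory as docker prints it (assumed 7.77GiB for the sample).
printf '%s\n' "$SAMPLE_STATS" | flag_memory_risks 90 7.77GiB
```

On a live host, replace the sample with `docker stats --no-stream | flag_memory_risks 90 "<host total as shown in the LIMIT column>"`; any NOLIMIT line is a container that can still exhaust host memory.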