Profile Applicability:

  • Level 2 

Description:

The default cgroup driver should be confirmed and aligned with the system's cgroup management settings. Docker can use different cgroup drivers (e.g., cgroupfs or systemd), and the default driver must be confirmed for proper container resource management.

Rationale:

The cgroup driver is essential for managing resources allocated to containers, such as CPU, memory, and disk. Ensuring that the correct cgroup driver is used helps avoid resource contention and ensures optimal performance for containers.

Impact:

Pros:

  • Ensures efficient resource allocation and limits, leading to better container performance and stability.

  • Aligns Docker with the system’s cgroup management strategy, improving compatibility and integration with the host system.

Cons:

  • Switching cgroup drivers may require system configuration changes and could impact existing container workloads.

Default Value:

Docker's default cgroup driver varies by Linux distribution: some use cgroupfs by default, while others use systemd.

Pre-requisites:

  • Docker installed and running.

  • Administrative privileges on the host system.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.

  2. Check the cgroup driver in use by inspecting Docker’s configuration:

    docker info | grep "Cgroup Driver"


Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to check the cgroup driver:

    docker info | grep "Cgroup Driver"


Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Modify the Docker daemon configuration file /etc/docker/daemon.json to specify the correct cgroup driver:

    {
      "exec-opts": ["native.cgroupdriver=systemd"]
    }


  3. Restart Docker to apply the changes:

    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to modify the cgroup driver setting and restart Docker:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["echo \"{\\\"exec-opts\\\": [\\\"native.cgroupdriver=systemd\\\"]}\" > /etc/docker/daemon.json && sudo systemctl restart docker"]}'


Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Modify the /etc/docker/daemon.json file to revert to the previous cgroup driver setting (e.g., cgroupfs):

    {
      "exec-opts": ["native.cgroupdriver=cgroupfs"]
    }

  3. Restart Docker:

    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to revert the cgroup driver configuration and restart Docker:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["echo \"{\\\"exec-opts\\\": [\\\"native.cgroupdriver=cgroupfs\\\"]}\" > /etc/docker/daemon.json && sudo systemctl restart docker"]}'
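
An added audit helper (not part of the benchmark text) that turns the Test Plan check into a pass/fail verdict: it extracts the driver from `docker info` output and compares it with what the host's init system calls for. The alignment rule (a systemd init expects the systemd driver; any other init accepts cgroupfs) and the sample `docker info` text are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: confirm that the cgroup driver
# reported by `docker info` is aligned with the host's init system.
# Rule assumed here: a systemd host should run Docker with the "systemd" driver;
# any other init system is accepted with "cgroupfs".

# Read `docker info` text on stdin and print the driver name (empty if absent).
# Live use:  docker info 2>/dev/null | docker_cgroup_driver
docker_cgroup_driver() {
    sed -n 's/^[[:space:]]*Cgroup Driver:[[:space:]]*//p' | head -n 1
}

# Driver expected for the given init process name (as read from /proc/1/comm).
expected_driver() {
    case "$1" in
        systemd) echo systemd ;;
        *)       echo cgroupfs ;;
    esac
}

# Compare the actual driver with the expected one; prints a verdict and
# returns 0 on match, 1 on mismatch (usable as an audit check's exit status).
check_alignment() {
    actual="$1"
    init="$2"
    want=$(expected_driver "$init")
    if [ "$actual" = "$want" ]; then
        echo "PASS: cgroup driver '$actual' matches init system '$init'"
        return 0
    fi
    echo "FAIL: cgroup driver '$actual' on init system '$init'; expected '$want'"
    return 1
}

# Constructed sample of `docker info` output (not captured from a real host).
SAMPLE_INFO='Client:
 Context: default
Server:
 Containers: 3
 Cgroup Driver: cgroupfs
 Cgroup Version: 2'

# On a real host, run the check against the live daemon and init process:
#   check_alignment "$(docker info 2>/dev/null | docker_cgroup_driver)" "$(cat /proc/1/comm)"
```

Note that the `echo ... > /etc/docker/daemon.json` commands in the plans above replace the whole file, so any other daemon settings already present must be merged into the new content rather than overwritten.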


References: