Profile Applicability:

  • Level 1

Description:

The control group (cgroup) is a Linux kernel feature that limits, accounts for, and isolates the resource usage of collections of processes. Ensuring that cgroup usage is enabled and properly configured for Docker containers provides resource isolation and limits the potential impact of resource exhaustion.

Rationale:

cgroups help prevent containers from using excessive system resources. Without proper cgroup management, a container can consume too much CPU, memory, or disk I/O, leading to degraded system performance or denial of service.

Impact:

Pros:

  • Ensures resource allocation limits are enforced for containers.

  • Improves container security by isolating system resources.

Cons:

  • Can limit resource usage, which may affect container performance if not configured properly.

Default Value:

cgroup usage is typically enabled by default on most Linux distributions, and Docker uses it to limit resources by default.

Pre-requisites:

  • The host must have cgroups enabled and properly configured within the Linux kernel.

  • Docker must be installed on the host system.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance where Docker is running.

  2. Check the Docker daemon configuration to confirm cgroup usage. This can be done by inspecting /etc/docker/daemon.json for cgroup-related settings.

  3. Verify cgroup controllers are enabled by running:

cat /proc/cgroups

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to confirm cgroup usage is active:

docker info | grep 'Cgroup'
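The following audit script is an added example for the Test Plan above and is not part of the benchmark text. It parses the output of docker info, the contents of /proc/cgroups, and the memory/CPU fields from docker inspect, so each check can be run on captured text or, through audit_host, on the live host. The function names, and the choice of cpu, memory and pids as the required controllers, are assumptions of this example.

```shell
#!/bin/sh
# Added audit helper for this control (not part of the benchmark text).
# Each check takes captured command output as an argument, so it can run
# against saved text in a test or against the live host via audit_host.

# $1: output of `docker info`. Succeeds when Docker reports a real cgroup
# driver and a cgroup version, i.e. the daemon is actually using cgroups.
docker_cgroup_enabled() {
    driver=$(printf '%s\n' "$1" | sed -n 's/^ *Cgroup Driver: *//p')
    version=$(printf '%s\n' "$1" | sed -n 's/^ *Cgroup Version: *//p')
    [ -n "$driver" ] && [ "$driver" != "none" ] && [ -n "$version" ]
}

# $1: contents of /proc/cgroups; $2..: controller names. Succeeds only if
# every named controller appears with its "enabled" column (4th) set to 1.
controllers_enabled() {
    table=$1; shift
    for ctl in "$@"; do
        printf '%s\n' "$table" |
            awk -v c="$ctl" '$1 == c && $4 == 1 { ok = 1 } END { exit !ok }' || return 1
    done
}

# $1: output of
#   docker inspect --format '{{.HostConfig.Memory}} {{.HostConfig.NanoCpus}}' <container>
# Succeeds when the container carries both a memory and a CPU limit, i.e. the
# cgroup limits the Implementation Plan refers to are really applied to it.
container_has_limits() {
    set -- $1
    [ "${1:-0}" -gt 0 ] && [ "${2:-0}" -gt 0 ]
}

# Live host audit: combines the checks above over the running daemon.
# Assumed controller set (cpu, memory, pids) is this example's own choice.
audit_host() {
    docker_cgroup_enabled "$(docker info 2>/dev/null)" ||
        { echo "FAIL: Docker is not reporting a cgroup driver/version"; return 1; }
    controllers_enabled "$(cat /proc/cgroups)" cpu memory pids ||
        { echo "FAIL: cpu, memory or pids controller is not enabled"; return 1; }
    rc=0
    for id in $(docker ps -q); do
        container_has_limits "$(docker inspect --format \
            '{{.HostConfig.Memory}} {{.HostConfig.NanoCpus}}' "$id")" ||
            { echo "WARN: container $id runs without memory/CPU limits"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "PASS"
    return "$rc"
}
```

Run audit_host on the instance (for example through the SSM send-command shown in the Implementation Plan) to get a single pass/fail for the host plus a warning per unlimited container.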

Implementation Plan:

Using AWS Console:

  1. Connect to the EC2 instance running Docker.

  2. Ensure that the Docker daemon is configured to use cgroups by checking /etc/docker/daemon.json.

  3. If necessary, modify the Docker configuration file to include resource limiting options for cgroups.

  4. Restart the Docker daemon to apply changes:

    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to remotely verify cgroup usage on Docker containers.

  2. Run the following command to confirm cgroup configuration:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker info | grep \"Cgroup\""]'

Backout Plan:

Using AWS Console:

  1. If any changes were made to the /etc/docker/daemon.json file, revert those changes.

  2. Restart Docker to apply the rollback:

sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to revert any changes made to the Docker configuration related to cgroups, then confirm the resulting cgroup status with:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker info | grep \"Cgroup\""]'

References: