Profile Applicability:
Level 1
Description:
Containers should have appropriate CPU priorities set to ensure that critical containers get sufficient CPU resources. Setting CPU limits and priorities can prevent containers from monopolizing CPU resources, thereby ensuring that other containers and the host system can perform efficiently.
Rationale:
CPU resources in a containerized environment are shared across all containers. Without setting proper CPU limits or priorities, certain containers may consume excessive CPU, causing performance degradation for other containers or the host system. By controlling CPU priorities, the system ensures that critical applications receive the necessary resources.
Impact:
Pros:
Ensures that high-priority or critical containers receive necessary CPU resources.
Improves overall system stability by managing CPU resource distribution.
Cons:
Misconfiguration can lead to some containers being starved of CPU resources, potentially impacting their performance.
Default Value:
By default, containers may run without any CPU priority or limits set. They are subject to the host system's CPU scheduler.
Pre-requisites:
Docker must be installed and running on the host system.
Administrative privileges are required to modify Docker container configurations.
Remediation:
Test Plan:
Using AWS Console:
- Navigate to the EC2 instance running Docker.
- Check the docker run command used to start containers and verify that CPU limits (e.g., --cpu-shares, --cpus, or --cpu-quota with --cpu-period) are specified for each container.
Using AWS CLI:
- Connect to the EC2 instance where Docker is running.
- Run the following command to check the CPU share weight for a running container:
docker inspect --format '{{.HostConfig.CpuShares}}' <container_id>
A value of 0 or 1024 means no CPU priority was set (1024 is the default weight). A limit applied with --cpus is stored in HostConfig.NanoCpus rather than CpuShares, so inspect that field as well.
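The single-container check above can be extended to every container on the host and to all three CPU controls (share weight, --cpus, and quota). The script below is an added example, not part of the benchmark; it assumes the docker CLI is on PATH and, when run without the "host" argument, audits a constructed sample of inspect output instead of the live host.

```shell
#!/bin/sh
# Audit Docker containers for CPU priority/limits as read from HostConfig.

# Classify one container from its CpuShares, NanoCpus and CpuQuota values.
# Prints "UNCONSTRAINED" or "CONSTRAINED:" followed by the controls found.
classify_cpu() {
  shares="$1" nanocpus="$2" quota="$3"
  controls=""
  # --cpu-shares: 0 (unset) and 1024 (default weight) both mean no priority chosen
  if [ "$shares" != "0" ] && [ "$shares" != "1024" ]; then
    controls="$controls cpu-shares=$shares"
  fi
  # --cpus=1.5 is stored as NanoCpus=1500000000; 0 means unlimited
  if [ "$nanocpus" != "0" ]; then
    cpus=$(awk -v n="$nanocpus" 'BEGIN { printf "%.2f", n / 1e9 }')
    controls="$controls cpus=$cpus"
  fi
  # --cpu-quota (with --cpu-period): 0 or -1 means no quota applied
  if [ "$quota" != "0" ] && [ "$quota" != "-1" ]; then
    controls="$controls cpu-quota=$quota"
  fi
  if [ -z "$controls" ]; then echo "UNCONSTRAINED"; else echo "CONSTRAINED:$controls"; fi
}

# Read "<name> <shares> <nanocpus> <quota>" lines on stdin; print one verdict per line.
audit_lines() {
  while read -r name shares nanocpus quota; do
    printf '%s %s\n' "$name" "$(classify_cpu "$shares" "$nanocpus" "$quota")"
  done
}

# Audit every container on this host, running or stopped.
audit_host() {
  docker ps --quiet --all | xargs docker inspect \
    --format '{{.Name}} {{.HostConfig.CpuShares}} {{.HostConfig.NanoCpus}} {{.HostConfig.CpuQuota}}' \
    | audit_lines
}

# Constructed sample of inspect output (not from a real host) for a dry run.
SAMPLE_INSPECT='/web 0 0 0
/db 512 0 0
/worker 0 1500000000 0
/batch 1024 0 50000'

if [ "${1:-demo}" = "host" ]; then
  audit_host
else
  printf '%s\n' "$SAMPLE_INSPECT" | audit_lines
fi
```

Run it as `sh audit_cpu.sh host` on the EC2 instance to report on live containers; any line marked UNCONSTRAINED fails this check.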
Implementation Plan:
Using AWS Console:
- Log in to the EC2 instance running Docker.
- When launching a container, use the --cpu-shares or --cpus flag to limit CPU resources. For example:
docker run --cpus="1.5" --name mycontainer myimage
- Alternatively, use --cpu-shares for priority-based CPU allocation:
docker run --cpu-shares=512 --name mycontainer myimage
Using AWS CLI:
- Use SSM to remotely set CPU limits for Docker containers.
- Run the following command to set CPU limits for a container (replace instance_id with the target instance ID):
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --cpus=\"1.5\" --name mycontainer myimage"]'
Backout Plan:
Using AWS Console:
- Connect to the EC2 instance.
- Remove or revert CPU limits by stopping and restarting the container without the --cpu-shares or --cpus flags:
docker rm -f mycontainer
- Restart without CPU limits:
docker run --name mycontainer myimage
Using AWS CLI:
- Use SSM to remove the CPU limits and restart the container.
- Run the following command (replace instance_id with the target instance ID):
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker rm -f mycontainer && docker run --name mycontainer myimage"]'
References:
CIS Docker Benchmark v1.7
Docker Documentation: https://docs.docker.com/config/containers/resource_constraints/