Profile Applicability:
Level 1
Description:
Limiting memory usage for containers ensures that containers do not consume excessive resources, preventing one container from affecting the performance of others or the host system. This can be done by specifying memory limits during container runtime.
Rationale:
Unrestricted memory usage can cause containers to consume all available system memory, leading to potential crashes or slowdowns for other processes and services. Setting memory limits prevents this by ensuring that containers use only the resources they are allocated.
Impact:
Pros:
Prevents containers from over-consuming system resources.
Enhances the overall stability and reliability of the host system and other containers.
Cons:
May require tuning of memory limits to ensure applications perform optimally.
Default Value:
By default, Docker containers are not limited in terms of memory and can use as much system memory as available.
Pre-requisites:
Docker must be installed on the host system.
Knowledge of the container's resource requirements to configure appropriate memory limits.
Remediation:
Test Plan:
Using AWS Console:
- Navigate to the EC2 instance running Docker.
- Inspect container configurations for memory limits by checking the docker run command or Docker Compose configurations for any specified --memory flags.
Using AWS CLI:
- Connect to the EC2 instance.
- Run the following command to check the memory configuration for running containers:
docker stats --no-stream
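`docker stats` reports the host's total memory as the LIMIT column when a container was started without `--memory`, so a more direct check is the container's `HostConfig.Memory`, which is 0 in that case. The audit helper below is an added example, not part of this benchmark text; it assumes the Docker CLI is installed on the EC2 instance, and without `--live` it runs against a constructed sample that stands in for `docker inspect` output.

```shell
#!/bin/sh
# Added audit helper (not from the benchmark): flag running containers with no memory limit.
# Assumes the Docker CLI is installed on the host; run with --live to query Docker,
# otherwise a constructed sample stands in for docker inspect output.

# check_limits reads "<name> <HostConfig.Memory bytes>" lines on stdin.
# HostConfig.Memory is 0 when the container was started without --memory.
# Prints one line per container; returns 1 if any container is unlimited, else 0.
check_limits() {
    _bad=0
    while read -r name limit; do
        [ -z "$name" ] && continue
        name=${name#/}                      # docker inspect prefixes names with "/"
        if [ "${limit:-0}" -eq 0 ]; then
            echo "UNLIMITED: $name"
            _bad=1
        else
            echo "ok: $name limit=${limit} bytes"
        fi
    done
    return $_bad
}

# audit_running_containers queries every running container's HostConfig.Memory
# and passes the "name bytes" pairs to check_limits.
audit_running_containers() {
    docker ps -q | while read -r id; do
        docker inspect --format '{{.Name}} {{.HostConfig.Memory}}' "$id"
    done | check_limits
}

# Constructed sample (not real output): one container limited to 512 MiB,
# one started without --memory.
SAMPLE='/web 536870912
/worker 0'

if [ "${1:-}" = "--live" ]; then
    audit_running_containers || echo "FAIL: at least one container has no memory limit"
else
    printf '%s\n' "$SAMPLE" | check_limits || echo "FAIL: at least one container has no memory limit"
fi
```

A non-zero exit from `check_limits` is the finding: every container it names as UNLIMITED needs a `--memory` flag or a Compose `deploy.resources.limits.memory` entry.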
Implementation Plan:
Using AWS Console:
- Log in to the EC2 instance.
- Specify memory limits when running a container:
docker run --memory="512m" --name container_name image_name
Optionally, modify Docker Compose files to include the memory limit under the services section:
services:
  service_name:
    image: image_name
    deploy:
      resources:
        limits:
          memory: 512M
Using AWS CLI:
- Use SSM to remotely deploy the memory limit configuration on the EC2 instance.
- Run the following command to set a memory limit:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --memory=\"512m\" --name container_name image_name"]'
Backout Plan:
Using AWS Console:
- Connect to the EC2 instance.
- Remove or adjust memory limits from the Docker run command or Docker Compose file.
- Restart the container with the new configuration.
Using AWS CLI:
- Use SSM to remove or adjust the memory limit.
- Run the following command to update the container:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker update --memory=\"1g\" container_name"]'
References:
Docker Memory Limit Documentation
CIS Docker Benchmark v1.7