Painless Docker - 2nd Edition

A Comprehensive Guide to Mastering Docker and its Ecosystem

Docker Security Best Practices

Control Resources

By default, when multiple containers run on a Docker host without specified resource limits, they share the host's CPU and memory resources in an unrestricted manner. Here is a general overview of how this works:

  • CPU Distribution: Docker leverages the Linux kernel's "Completely Fair Scheduler" (CFS) to distribute CPU time among containers. If no specific CPU limits are set, containers will use the CPU as needed, competing equally for available cycles.

  • Memory Management: Memory is also shared across all running containers. By default, there is no hard limit on how much memory a container can consume. If a container experiences a memory leak or an unexpected spike in usage, it can exhaust the host's physical RAM.

ℹ️ The CFS is a process scheduler within the Linux kernel that assigns CPU time to all running processes. Its goal is to provide a "fair share" of the CPU to all processes while maximizing overall hardware utilization.
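The unrestricted defaults described above appear in `docker inspect` output as zero values under `HostConfig`. The following audit is an added example, not code from the book: it assumes JSON in the shape produced by `docker inspect $(docker ps -q)`, and the container names and values in the sample are constructed.

```python
import json

# Constructed sample: trimmed `docker inspect` output for three hypothetical containers.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"Memory": 0, "NanoCpus": 0, "CpuQuota": 0, "CpuShares": 0}},
    {"Name": "/api",
     "HostConfig": {"Memory": 536870912, "NanoCpus": 1500000000, "CpuQuota": 0, "CpuShares": 0}},
    {"Name": "/batch",
     "HostConfig": {"Memory": 268435456, "NanoCpus": 0, "CpuQuota": 0, "CpuShares": 512}},
])


def audit_limits(inspect_json):
    """Return {container_name: [findings]} for containers without a hard CPU or memory limit."""
    report = {}
    for container in json.loads(inspect_json):
        host = container.get("HostConfig") or {}
        findings = []
        # Memory == 0 means no hard memory limit was set (the default).
        if not host.get("Memory"):
            findings.append("no memory limit")
        # A hard CPU cap is recorded as NanoCpus (--cpus) or a positive CpuQuota (--cpu-quota).
        # CpuShares is only a relative weight used under contention, so it does not count as a cap.
        has_cpu_cap = bool(host.get("NanoCpus")) or (host.get("CpuQuota") or 0) > 0
        if not has_cpu_cap:
            findings.append("no CPU limit")
        if findings:
            report[container["Name"].lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_limits(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(findings)}")
```

The `batch` container is still reported even though it sets CPU shares, because a share weight only matters when containers compete and does not stop a single container from using every idle cycle.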

In environments where multiple containers coexist, if resource-intensive containers are not properly constrained, the consequences can be severe. As the number of containers increases, so does the risk of resource contention.

Containers may compete aggressively for CPU and memory, leading to performance degradation for all services on that host. Furthermore, implementing resource controls is a key security measure; it helps prevent Denial-of-Service (DoS)
