- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
",t};e.buildCustomizationMenuUi=t;function n(e){let t='
",t}function s(e){let n=e.filter.currentValue||e.filter.defaultValue,t='${e.filter.label}
`,e.filter.options.forEach(s=>{let o=s.id===n;t+=``}),t+="${e.filter.label}
`,t+=`Classification:
compliance
Framework:
cis-docker
Control:
5.11
Set up the docker integration.
By default, all containers on a Docker host share resources equally. By using the resource management capabilities of the Docker host you can control the host CPU resources that a container may consume.
By default, CPU time is divided between containers equally. If you wish to control available CPU resources amongst container instances, you can use the CPU sharing feature. CPU sharing allows you to prioritize one container over others and prevents lower priority containers from absorbing CPU resources which may be required by other processes. This ensures that high priority containers are able to claim the CPU runtime they require.
Run this command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CpuShares={{ .HostConfig.CpuShares }}'
If this command returns 0 or 1024, it means that CPU shares are not in place. If it returns a non-zero value other than 1024, it means that they are in place.
You should manage the CPU runtime between your containers dependent on their priority within your organization. To do so, start the container using the --cpu-shares
argument. For example, you could run a container as docker run --interactive --tty --cpu-shares 512 centos /bin/bash
The container is started with CPU shares of 50% of what other containers use. So if the other container has CPU shares of 80%, this container will have CPU shares of 40%. Every new container will have 1024 shares of CPU by default. However, this value is shown as 0 if you run the command mentioned in the audit section.
Alternatively:
/sys/fs/cgroup/cpu/system.slice/
directory.docker-<Instance ID>.scope
or docker-4acae729e8659c6be696ee35b2237cc1fe4edd2672e9186434c5116e1a6fbed6.scope
. Navigate to this directory.cpu.shares
. Execute cat cpu.shares
. This will always give you the CPU share value based on the system. Even if there are no CPU shares configured using the -c
or --cpu-shares
argument in the docker run command, this file will have a value of 1024. If you set one containers CPU shares to 512 it will receive half of the CPU time compared to the other containers. So if you take 1024 as 100% you can then derive the number that you should set for respective CPU shares. For example, use 512 if you want to set it to 50% and 256 if you want to set it 25%.If you do not correctly assign CPU thresholds, the container process may run out of resources and become unresponsive. If CPU resources on the host are not constrained, CPU shares do not place any restrictions on individual resources.
By default, all containers on a Docker host share their resources equally. No CPU shares are enforced.
Version 6
18 Application Software Security Application Software Security