
Suppose you want to make sure a container uses as few resources as possible so that whatever happens, it will not affect the host.

(I do not care if the container crashes because of the limited amount of resources.)

This is what I already found as possible docker run options. Do I have extra options?
Are some of them wrong?

  • --memory=Xm (with X as low as possible, with a minimum of 6m)
  • --memory-swappiness 0
  • --cpus=X (with X as something like 0.00001) What is the maximum amount of 0's here?
  • --blkio-weight=X (with X as low as possible, with a minimum of 10) Or is it as high as possible?
  • --device-read-bps=X:0mb (with X as a device on the host (e.g. /dev/sda))
  • --device-write-bps=X:0mb (with X as a device on the host (e.g. /dev/sda))
  • --expose=0
  • --gpus=0
  • --oom-score-adj=X (with X as low as possible, with a minimum of -1000) or should it be as high as possible with a maximum of 1000?
  • --pids-limit=X (with X as low as possible but with a minimum of 1 so that it can run something)
  • --read-only
  • --shm-size=Xb (with X as low as possible, with a minimum of 1)
  • --cap-drop=X (I have no idea what you can use for X here...)
  • Network access should be blocked with iptables on the host instead of with a docker run option

(I'm skipping the options that are implied by other options in this list)

Surprisingly, I couldn't find anything about network traffic...
Can this be done with --device-read-bps=X:0mb and --device-write-bps=X:0mb?
And if so, what is X? (I don't seem to have something like /dev/eth0 on my host to represent my network device)

Garo

0 Answers
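The flag set the question is assembling, as an added example that is not part of the original post: one docker run invocation that applies the low-resource options at or near their floors, followed by a docker inspect check that the daemon actually recorded them. The image name (alpine:3.19), container name and the /dev/sda block device are assumptions and can be overridden through the environment; nothing is started unless RUN_CONTAINER=1 is set, so the script is safe to read and dry-run on a host without Docker.

```shell
#!/bin/sh
# Added example, not from the question: apply the low-resource docker run
# flags in one place and verify them with docker inspect afterwards.
# Image, container name and block device are assumptions (override via env).
set -eu

IMAGE="${IMAGE:-alpine:3.19}"          # assumed: any image with /bin/sh works
NAME="${NAME:-lowres-test}"
BLOCK_DEV="${BLOCK_DEV:-/dev/sda}"     # assumed host device for the blkio throttles

# Print the run flags one per line so they can be reviewed or word-split later.
# Values sit near the documented floors: 6m is the smallest --memory docker
# accepts; --memory-swap equal to --memory disables swap entirely; 0.01 CPU is
# the smallest CFS quota docker allows (1 ms of a 100 ms period);
# --blkio-weight ranges 10..1000 and lower means a smaller share;
# --oom-score-adj=1000 makes the container's processes the kernel's first
# OOM victims. --pids-limit=1 leaves no room for a single fork, so 8 is used.
lowres_flags() {
    printf '%s\n' \
        "--name=$NAME" \
        --memory=6m \
        --memory-swap=6m \
        --memory-swappiness=0 \
        --cpus=0.01 \
        --pids-limit=8 \
        --blkio-weight=10 \
        --oom-score-adj=1000 \
        --shm-size=64k \
        --read-only \
        --tmpfs=/tmp:rw,size=64k,nosuid,nodev,noexec \
        --cap-drop=ALL \
        --security-opt=no-new-privileges \
        --network=none
    # A throttle of 0 bytes/s clears the limit in the blkio cgroup instead of
    # blocking I/O, so a small positive rate is used; skipped if the device
    # does not exist on this host.
    if [ -b "$BLOCK_DEV" ]; then
        printf '%s\n' \
            "--device-read-bps=$BLOCK_DEV:1mb" \
            "--device-write-bps=$BLOCK_DEV:1mb"
    fi
}

# Ask the daemon what it actually stored for the container.
inspect_limits() {
    docker inspect --format \
        'memory={{.HostConfig.Memory}} nanocpus={{.HostConfig.NanoCpus}} pids={{.HostConfig.PidsLimit}} net={{.HostConfig.NetworkMode}} ro={{.HostConfig.ReadonlyRootfs}} capdrop={{.HostConfig.CapDrop}}' \
        "$1"
}

main() {
    if [ "${RUN_CONTAINER:-0}" != 1 ]; then
        echo "Dry run (set RUN_CONTAINER=1 to start the container). Flags that would be used:"
        lowres_flags
        return 0
    fi
    # shellcheck disable=SC2046  # word-splitting the flag list is intended
    docker run --rm -d $(lowres_flags) "$IMAGE" sleep 30 >/dev/null
    inspect_limits "$NAME"
    docker stop "$NAME" >/dev/null
}

main
```

Run it with `RUN_CONTAINER=1 sh lowres.sh` on a Docker host; the inspect line should show memory=6291456, nanocpus=10000000, pids=8, net=none, ro=true and capdrop=[ALL]. On a cgroup v2 host the daemon may warn that swappiness or blkio weight were discarded; the inspect output tells you which limits survived, which is the check worth keeping.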