How to prevent docker containers from consuming all CPU?

Question

I'm somewhat new to Docker and had an issue this week with a process in a container taking 100% CPU. I did not set any resource limits on the container when run, and this caused the entire server to stop responding. I was unable to docker stop, docker kill, and eventually lost the ability to ssh to the host machine. I ended up restarting the machine.

I am looking for options that will allow the host machine to retain some CPU capacity so the above situation will not occur.

One thought is to use the docker run --cpuset-cpus on all containers to prevent them from using CPU 0, which would remain only for host use. This approach seems wasteful.

The other options are less clear in how I can limit.

• --cpu-shares will only allow me to divide total usage into percentages, which could leave me in the same situation described above.

• --cpu-period & --cpu-quota are less clear to me, but they don't appear to allow this.

Is there a way to reserve some percentage of CPU for the host machine?

Answer 1

If you use docker 1.13 or higher (which you should) you should use the flag --cpus=0.x according to the docs.

From there on you can go in multiple directions.

If you want to prevent that one rough container can overload your hosts CPU, you could assign each container you start the --cpu=X flag where X is the number of available CPU's minus one or any other margin you deem save. This way one rough container can not exhaust your CPU resources (but two rough ones could). This gives you the most resource efficient configuration as all container can use up to X CPUs if necessary (think about application startup) but do not block these resources if they are not needed.

The other scenario is that you want total isolation between the CPU consumption of all containers and your host. Then you should assign each container its unique shares of cpus and keep track that the sum of all given CPU shares do not come up higher than the number of total available CPUs on this machine. This way all containers could max out their CPU and your host will still be operational.

As mentioned in the comment of BMitch. It is still possible to overload the host CPU by other means. For example by forcing the kernel to do a lot of swapping.