🧠 CPU, Memory & Security

🔹 Why CPU & Memory Limits Matter

By default, Docker containers can use as much CPU and RAM as the host has.
That sounds flexible, but it’s dangerous.

Imagine one buggy app:

• Memory leak → eats all RAM 😵
• Infinite loop → eats all CPU 🔥
  Result: entire server hangs.

That’s why Docker gives resource control.

Two important terms:

• Reservation → soft promise (minimum it can use)
• Limit → hard stop (maximum it cannot cross)

👉 Reservation = “at least this much”
👉 Limit = “never more than this”

⚙️ CPU & Memory Units (Must Know)

CPU in Docker

• --cpus="0.5" → half of one CPU core
• --cpu-shares → priority weight (default 1024)
• --cpu-period + --cpu-quota → advanced tuning

Example meaning:

• Container A (1024 shares)
• Container B (512 shares)
  👉 A gets double CPU compared to B when busy

CPU in Kubernetes (FYI)

• 100m = 0.1 CPU (10%)
• 500m = 0.5 CPU
• 1000m = 1 full CPU

Memory Units

• 256m = 256 MB
• 1g = 1 GB

📌 Golden rule:
Never allocate 100% of host resources.
Always keep 20–30% for OS + Docker daemon.

🧪 Practical Docker Resource Examples

Memory Reservation + Hard Limit

docker run -d --name web1 \
  --memory-reservation=256m \
  --memory=512m httpd

docker run -d --name web1 \
  --memory-reservation=256m \
  --memory=512m httpd

Meaning:

• Tries to keep 256 MB
• If it crosses 512 MB → container is killed

Simple CPU Limit

docker run -d --name web2 --cpus="0.5" httpd

docker run -d --name web2 --cpus="0.5" httpd

Meaning:

• Uses max 50% of one CPU core

CPU Priority (Shares)

docker run -d --name web3 --cpu-shares=512 httpd

docker run -d --name web3 --cpu-shares=512 httpd

Meaning:

• Gets lower priority than default containers (1024)

Good for:

• Background jobs
• Non-critical services

Advanced CPU Control

docker run -d --cpu-period=100000 --cpu-quota=50000 httpd

docker run -d --cpu-period=100000 --cpu-quota=50000 httpd

Calculation:

• 50,000 ÷ 100,000 = 50% CPU

Used when you need precise tuning.

Memory + Swap Control

docker run -d --memory=512m --memory-swap=512m httpd

docker run -d --memory=512m --memory-swap=512m httpd

Meaning:

• Only 512 MB RAM
• No swap allowed
• Prevents slow disk swapping

📊 Monitoring & Observability

Live Container Usage

docker stats

docker stats

Shows:

• CPU %
• Memory usage
• Network I/O
• Disk I/O

Inspect Limits

docker inspect web1

docker inspect web1

Look for:

• Memory
• CpuQuota
• CpuShares

Host-Level Tools

top
htop
free -m

top
htop
free -m

👉 Always monitor both Docker + host.

🧮 Real Planning Example (Interview Favorite)

Host:

• 4 CPUs
• 8 GB RAM

Reserve 30% for OS:

• Usable CPU ≈ 2.8
• Usable RAM ≈ 5.6 GB

Run 4 containers:

• --cpus=0.5 each → 2 CPUs
• --memory=1g each → 4 GB

Result:

• Stable system
• Room for spikes
• No crashes ✅

🔐 Docker Security – Why It’s Critical

Even with limits, containers can still be dangerous if hacked.

A bad container can:

• Attack other containers
• Steal secrets
• Try to escape to host

Security = layered protection, not one command.

🛡️ Docker Security Best Practices (With Meaning)

Use Minimal Base Images

Smaller image = fewer vulnerabilities.

FROM alpine:3.18

FROM alpine:3.18

Never Run as Root

RUN adduser -D appuser
USER appuser

RUN adduser -D appuser
USER appuser

If container is hacked → attacker gets limited user, not root.

Keep Images Updated

Old images = known CVEs.
Rebuild regularly:

docker pull nginx
docker build --no-cache .

docker pull nginx
docker build --no-cache .

Use Multi-Stage Builds

Builder has tools.
Final image has only the app.

Smaller + safer.

Drop Linux Capabilities

docker run --cap-drop=ALL nginx

docker run --cap-drop=ALL nginx

Removes unnecessary privileges.

Prevent Privilege Escalation

docker run --security-opt=no-new-privileges nginx

docker run --security-opt=no-new-privileges nginx

Even if exploited → cannot gain extra rights.

Resource Limits = DoS Protection

docker run -d --memory=512m --cpus="0.5" nginx

docker run -d --memory=512m --cpus="0.5" nginx

Stops runaway attacks.

Network Hygiene

• Expose only required ports
• Use custom networks
• Avoid --network host unless required

Docker Secrets (Swarm)

Never store passwords in ENV.
Use secrets instead.

Image Scanning

Scan before deploy:

• trivy
• clair

One Process Per Container

Avoid:

• SSH inside containers
• Multiple services in one container

🔒 Secure Docker Run (Real Production Style)

docker run -d --name safe-app \
  --memory=512m --cpus="0.5" \
  --security-opt=no-new-privileges \
  --cap-drop=ALL \
  --read-only \
  --tmpfs /tmp:rw,size=64m \
  myuser/app:1.0

docker run -d --name safe-app \
  --memory=512m --cpus="0.5" \
  --security-opt=no-new-privileges \
  --cap-drop=ALL \
  --read-only \
  --tmpfs /tmp:rw,size=64m \
  myuser/app:1.0

What this gives you:

• Limited CPU & RAM
• No extra privileges
• Read-only filesystem
• Temporary writable space only
• Much harder to attack 💪