How to limit the memory and CPU usage of the Aqua Enforcer in Docker-only and Podman-only deployments
TABLE OF CONTENTS
- Introduction
- Why limit the CPU and memory of containers/pods?
- Applicability
- Prerequisites
- Steps/Procedure
- Additional questions
- Conclusion
- Additional Resources
Introduction
Managing resource allocation for containers is crucial in optimizing system performance and ensuring application stability, especially in environments with multiple containers running on shared resources. In Aqua deployments using Docker-only or Podman-only configurations, setting limits on memory and CPU usage for the Aqua Enforcer can prevent excessive resource consumption, ensure isolation, and contribute to overall system reliability. This guide provides step-by-step instructions on how to configure memory and CPU limits for the Aqua Enforcer, along with the benefits of doing so, troubleshooting tips, and additional resources to help you manage your Aqua environment effectively.
Why limit the CPU and memory of containers/pods?
Limiting memory and CPU for containers is a best practice. Here are the benefits:
- Prevent excessive resource consumption: Without limits, a container could use all available memory or CPU, affecting other containers or processes.
- Ensure isolation: Limits prevent one container from impacting the performance of others, especially in cases of memory leaks or excessive CPU usage.
- Prevent system crashes: Setting limits can prevent system crashes due to memory exhaustion.
- Facilitate resource management: Limits allow better resource allocation and machine sizing.
- Improve scalability: In orchestration systems like Kubernetes, limits help in efficient container allocation.
- Predict performance: With set limits, container performance becomes more predictable, aiding in performance management.
Applicability
This article applies to both Aqua Self-Hosted Edition and Aqua SaaS Edition. Unless otherwise specified, the guidelines apply generally to all supported Aqua versions.
Prerequisites
Before starting, ensure you have basic knowledge of Docker and Podman container management. You may also find it helpful to review the official documentation for Docker and Podman. For further reference, consult the Podman documentation [1] and the Docker documentation [3].
Steps/Procedure
Memory Limits Using Docker/Podman Flags
--memory <value> sets the maximum amount of RAM a container can use, specified in bytes. You can use suffixes like "M" or "G" for megabytes or gigabytes. If a container exceeds its limit, the system will terminate it.
Podman example command:
podman run -d --name aqua-enforcer-2022.4 --memory 1.5G -e AQUA_TOKEN=TOKEN -e AQUA_SERVER=ID-gw.cloud.aquasec.com:443 -e AQUA_LOGICAL_NAME="CUSTOM" --restart=always --privileged --pid=host --userns=host -v /var/run:/var/run -v /dev:/dev -v /opt/aquasec:/host/opt/aquasec:ro -v /opt/aquasec/tmp:/opt/aquasec/tmp -v /opt/aquasec/audit:/opt/aquasec/audit -v /opt/aquasec/data:/data -v /proc:/host/proc:ro -v /sys:/host/sys:ro -v /etc:/host/etc:ro registry.aquasec.com/enforcer:2022.4
Docker example command:
docker run -d -e AQUA_TOKEN=<TOKEN> -e AQUA_SERVER=<HOST-IP>:8443 -e AQUA_LOGICAL_NAME="Default" --name aqua-enforcer-2022.4 --memory=1.5G --restart=always --privileged --pid=host --userns=host -v /var/run:/var/run -v /dev:/dev -v /opt/aquasec:/host/opt/aquasec:ro -v /opt/aquasec/tmp:/opt/aquasec/tmp -v /opt/aquasec/audit:/opt/aquasec/audit -v /proc:/host/proc:ro -v /sys:/host/sys:ro -v /etc:/host/etc:ro registry.aquasec.com/enforcer:2022.4
--memory-reservation sets a soft limit, which should be lower than the hard limit set with --memory. When there is memory contention, the system tries to keep the container within the soft limit.
Podman example command:
podman run -d --name aqua-enforcer-2022.4 --memory 1.5G --memory-reservation 1G -e AQUA_TOKEN=TOKEN -e AQUA_SERVER=ID-gw.cloud.aquasec.com:443 -e AQUA_LOGICAL_NAME="CUSTOM" --restart=always --privileged --pid=host --userns=host -v /var/run:/var/run -v /dev:/dev -v /opt/aquasec:/host/opt/aquasec:ro -v /opt/aquasec/tmp:/opt/aquasec/tmp -v /opt/aquasec/audit:/opt/aquasec/audit -v /opt/aquasec/data:/data -v /proc:/host/proc:ro -v /sys:/host/sys:ro -v /etc:/host/etc:ro registry.aquasec.com/enforcer:2022.4
Docker example command:
docker run -d -e AQUA_TOKEN=<TOKEN> -e AQUA_SERVER=<HOST-IP>:8443 -e AQUA_LOGICAL_NAME="Default" --name aqua-enforcer-2022.4 --memory=1.5G --memory-reservation=1G --restart=always --privileged --pid=host --userns=host -v /var/run:/var/run -v /dev:/dev -v /opt/aquasec:/host/opt/aquasec:ro -v /opt/aquasec/tmp:/opt/aquasec/tmp -v /opt/aquasec/audit:/opt/aquasec/audit -v /proc:/host/proc:ro -v /sys:/host/sys:ro -v /etc:/host/etc:ro registry.aquasec.com/enforcer:2022.4
CPU Limits Using Docker/Podman Flags
--cpus=<value> specifies how much of the available CPU resources a container can use. For instance, if the host machine has two CPUs and you set --cpus="1.5", the container is guaranteed at most one and a half of the CPUs. This is the equivalent of setting --cpu-period="100000" and --cpu-quota="150000".
Podman example command:
podman run -d --name aqua-enforcer-2022.4 --cpus=".5" -e AQUA_TOKEN=TOKEN -e AQUA_SERVER=ID-gw.cloud.aquasec.com:443 -e AQUA_LOGICAL_NAME="CUSTOM" --restart=always --privileged --pid=host --userns=host -v /var/run:/var/run -v /dev:/dev -v /opt/aquasec:/host/opt/aquasec:ro -v /opt/aquasec/tmp:/opt/aquasec/tmp -v /opt/aquasec/audit:/opt/aquasec/audit -v /opt/aquasec/data:/data -v /proc:/host/proc:ro -v /sys:/host/sys:ro -v /etc:/host/etc:ro registry.aquasec.com/enforcer:2022.4
Docker example command:
docker run -d -e AQUA_TOKEN=<TOKEN> -e AQUA_SERVER=<HOST-IP>:8443 -e AQUA_LOGICAL_NAME="Default" --name aqua-enforcer-2022.4 --cpus=".5" --restart=always --privileged --pid=host --userns=host -v /var/run:/var/run -v /dev:/dev -v /opt/aquasec:/host/opt/aquasec:ro -v /opt/aquasec/tmp:/opt/aquasec/tmp -v /opt/aquasec/audit:/opt/aquasec/audit -v /proc:/host/proc:ro -v /sys:/host/sys:ro -v /etc:/host/etc:ro registry.aquasec.com/enforcer:2022.4
CPU/Memory Limits Using Docker/Podman Flags
It is also possible to limit both memory and CPU for the same container by combining the above flags in a single command, as shown below.
Podman example command:
podman run -d --name aqua-enforcer-2022.4 --memory 1.5G --memory-reservation 1G --cpus=".5" -e AQUA_TOKEN=TOKEN -e AQUA_SERVER=ID-gw.cloud.aquasec.com:443 -e AQUA_LOGICAL_NAME="CUSTOM" --restart=always --privileged --pid=host --userns=host -v /var/run:/var/run -v /dev:/dev -v /opt/aquasec:/host/opt/aquasec:ro -v /opt/aquasec/tmp:/opt/aquasec/tmp -v /opt/aquasec/audit:/opt/aquasec/audit -v /opt/aquasec/data:/data -v /proc:/host/proc:ro -v /sys:/host/sys:ro -v /etc:/host/etc:ro registry.aquasec.com/enforcer:2022.4
Docker example command:
docker run -d -e AQUA_TOKEN=<TOKEN> -e AQUA_SERVER=<HOST-IP>:8443 -e AQUA_LOGICAL_NAME="Default" --name aqua-enforcer-2022.4 --memory=1.5G --memory-reservation=1G --cpus=".5" --restart=always --privileged --pid=host --userns=host -v /var/run:/var/run -v /dev:/dev -v /opt/aquasec:/host/opt/aquasec:ro -v /opt/aquasec/tmp:/opt/aquasec/tmp -v /opt/aquasec/audit:/opt/aquasec/audit -v /proc:/host/proc:ro -v /sys:/host/sys:ro -v /etc:/host/etc:ro registry.aquasec.com/enforcer:2022.4
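The following pre-flight script is an added example and is not part of the Aqua article or Aqua's own tooling. It converts the --memory/--memory-reservation values to bytes using the 1024-based K/M/G suffix semantics Docker and Podman apply, derives the --cpu-period/--cpu-quota pair equivalent to a --cpus value, rejects a soft limit that is not lower than the hard limit, and reads back the limits the runtime actually applied with docker/podman inspect (the HostConfig.Memory, HostConfig.MemoryReservation and HostConfig.NanoCpus fields, which I assume both runtimes expose in their inspect output). The function names and the sample values are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Aqua article): sanity-check resource flags before
# starting the Enforcer, then verify what the runtime applied.

# mem_to_bytes "1.5G" -> 1610612736
# Accepts b/k/m/g suffixes (case-insensitive, 1024-based, as Docker/Podman do);
# prints nothing useful and returns 1 on a malformed value.
mem_to_bytes() {
    printf '%s' "$1" | awk '{
        v = tolower($0); n = v; u = ""; mult = 1
        if (v ~ /[kmgb]$/) { n = substr(v, 1, length(v) - 1); u = substr(v, length(v)) }
        if (u == "k") mult = 1024
        else if (u == "m") mult = 1024 * 1024
        else if (u == "g") mult = 1024 * 1024 * 1024
        if (n !~ /^[0-9]+(\.[0-9]+)?$/) { print "ERR"; exit 1 }
        printf "%.0f\n", n * mult
    }'
}

# cpus_to_quota "1.5" -> 150000: the --cpu-quota that, with --cpu-period=100000,
# is equivalent to --cpus=1.5 (the relationship the article states).
cpus_to_quota() {
    printf '%s' "$1" | awk '{ printf "%.0f\n", $0 * 100000 }'
}

# check_limits MEMORY RESERVATION CPUS
# Returns 0 and prints the normalised values when the three flags are consistent;
# non-zero with a message on stderr otherwise.
check_limits() {
    mem=$(mem_to_bytes "$1") || { echo "bad --memory value: $1" >&2; return 1; }
    res=$(mem_to_bytes "$2") || { echo "bad --memory-reservation value: $2" >&2; return 1; }
    quota=$(cpus_to_quota "$3")
    if [ "$res" -ge "$mem" ]; then
        # The soft limit only does its job if it sits below the hard limit.
        echo "reservation $2 must be lower than hard limit $1" >&2
        return 2
    fi
    if [ "$quota" -le 0 ]; then
        echo "--cpus must be positive, got: $3" >&2
        return 3
    fi
    echo "memory=${mem}B reservation=${res}B cpu-period=100000 cpu-quota=${quota}"
}

# show_applied_limits RUNTIME CONTAINER
# RUNTIME is docker or podman. Prints "<Memory> <MemoryReservation> <NanoCpus>"
# in bytes/bytes/nanocpus as the runtime recorded them (e.g. --cpus=.5 shows
# 500000000), so an operator can confirm the flags took effect.
show_applied_limits() {
    "$1" inspect \
        --format '{{.HostConfig.Memory}} {{.HostConfig.MemoryReservation}} {{.HostConfig.NanoCpus}}' \
        "$2"
}

# Constructed sample input: the values used in the article's combined command.
check_limits 1.5G 1G .5
# After the Enforcer is started, verify with e.g.:
#   show_applied_limits docker aqua-enforcer-2022.4
```

Run check_limits with the values you intend to pass before launching the container; a non-zero exit means the flags would either be rejected by the runtime or not behave as intended (a reservation at or above the hard limit gives you no soft-limit behaviour at all). Once the Enforcer is running, show_applied_limits confirms the runtime recorded the limits rather than silently ignoring them, for example when a cgroup controller is unavailable.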
Additional questions
Question: Would limiting the Enforcer's memory and CPU to avoid high resource consumption be a viable workaround?
Answer: No, limiting memory and CPU for containers/pods is a best practice, not a workaround. This approach ensures optimal resource management.
Question: What issues could arise from limiting CPU and memory for the Aqua Enforcer?
Answer: Insufficient CPU and memory allocation can prevent internal modules from functioning correctly. However, this won’t affect the server, node, or cluster. Follow the Sizing Guide [2] for resource recommendations.
Conclusion
Setting CPU and memory limits for containers, including the Aqua Enforcer, ensures better resource allocation, isolation, and stability. Following these best practices contributes to a more manageable and scalable environment.
Additional Resources
[1] Podman Memory Documentation: https://docs.podman.io/en/stable/markdown/podman-update.1.html
[2] Aqua Enforcer Sizing Guide: https://docs.aquasec.com/v2022.4/release-information/sizing-guide/#aqua-enforcer-each