###### tags: `Study Circle Note`, `Docker in Action 2ed`

# Docker in Action 2ed Session 6 2021-08-21

- Chapter 6. Limiting risk with resource controls

## Discussion

- Your kernel does not support cgroup swap limit capabilities
  https://docs.docker.com/engine/install/linux-postinstall/#your-kernel-does-not-support-cgroup-swap-limit-capabilities
- CPU allocation is based on the Completely Fair Scheduler (CFS)
  https://docs.docker.com/config/containers/resource_constraints/#configure-the-default-cfs-scheduler
- Linux Capability
  https://man7.org/linux/man-pages/man7/capabilities.7.html
- CFS
  https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/resource_management_guide/sec-cpu
- docker user namespace
  https://docs.docker.com/engine/security/userns-remap/
- Experience sharing: when deploying pods to OpenShift, OpenShift applies baseline security settings (restrictions on privileged), which causes some containers that need root privileges to crash. For this kind of problem you need to build your own image for non-root, or check whether the image you pulled runs as root. Case: https://stackoverflow.com/questions/63108119/how-to-run-an-nginx-container-as-non-root
  - In the end we chose to pull https://hub.docker.com/r/nginxinc/nginx-unprivileged or build another version of the image ourselves QQ
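
One way to do the "check whether the image you pulled runs as root" step before deploying, as an added example that is not from the book or the original note: the script reads the user recorded in the image config with `docker inspect` and classifies it. The function names and the sample values are made up for this illustration.

```shell
#!/bin/sh
# Added example, not from the book or the note: report whether an image is
# configured to run as root, based on the USER recorded in its config.

# classify_user VALUE -> prints root | non-root | named
# VALUE is the .Config.User string: "", "user", "uid", "user:group", "uid:gid".
classify_user() {
    user=${1%%:*}                      # drop an optional ":group" part
    case "$user" in
        ''|root)  echo root ;;         # no USER set: Docker starts the process as uid 0
        *[!0-9]*) echo named ;;        # a name: the uid depends on the image's /etc/passwd
        *)        if [ "$user" -eq 0 ]; then echo root; else echo non-root; fi ;;
    esac
}

# image_user IMAGE -> prints the USER configured in a locally available image.
image_user() {
    docker inspect --format '{{.Config.User}}' "$1"
}

if [ "$#" -gt 0 ]; then
    # Real use: sh check-user.sh IMAGE [IMAGE...]
    for image in "$@"; do
        printf '%s\t%s\n' "$image" "$(classify_user "$(image_user "$image")")"
    done
else
    # No arguments: run over constructed sample values so the script works offline.
    for value in '' 'root' '0:0' '101' '1001:0' 'nginx'; do
        printf '[%s]\t%s\n' "$value" "$(classify_user "$value")"
    done
fi
```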