This content is associated with a legacy version of the Replicated product. For the current Replicated product documentation, see docs.replicated.com.
Docker Options
You can limit the resources a container uses with the memory and cpu_shares options, control how it attaches to the network with the network options, and harden it with the user, capability, filesystem and security options described below.
Memory and Swap Limit
The amount of memory or swap, in bytes, available to your container. By default there is no memory or swap limit and the container can use as much as it needs. Note that Docker treats the swap value as the total of memory plus swap, so the example below allows 500 MB of RAM and a further 500 MB of swap. You can learn more in the User Memory Constraints documentation.
memory_limit: 500000000
memory_swap_limit: 1000000000
OOM Kill Disable
By default the kernel kills processes in a container when an out-of-memory (OOM) condition occurs. Only disable the OOM killer on containers that also set the memory_limit option: with a limit in place the container's processes stall at the limit instead of being killed, which your application must be able to tolerate. Without a memory limit the container can exhaust host memory, forcing the kernel to kill the host's own processes and likely destabilising the whole system.
oom_kill_disable: true
CPU Shares
CPU shares set a container's relative weight for access to the server's CPU when it is busy. When other containers are idle, a container may use more than its share; the weight only matters under contention. The default is 1024, and by increasing or decreasing the value on a container you change how CPU time is divided across all running containers. You can learn more in the CPU Share Constraints documentation.
cpu_shares: 2048
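As an added example (not taken from the original page), the following container spec applies all three resource controls together and shows how they interact. The components/containers/source layout follows the log examples later on this page; image_name and version are assumed container keys, and the image name and values are placeholders.

```yaml
components:
- name: worker
  containers:
  - source: public                 # assumed: public registry source; image and version are placeholders
    image_name: example/worker
    version: "1.0.0"
    # 512 MiB of RAM. Docker treats memory_swap_limit as memory plus swap,
    # so this container gets 512 MiB RAM + 256 MiB swap, not 768 MiB of swap.
    memory_limit: 536870912
    memory_swap_limit: 805306368
    # Safe only because memory_limit is set above: the cgroup limit, not the
    # host OOM killer, now bounds this container. Processes stall at the
    # limit instead of being killed, so health checks must catch a hung worker.
    oom_kill_disable: true
    # Half the default weight: under contention this container yields to
    # containers left at 1024, but it may still use idle CPU freely.
    cpu_shares: 512
```

Pick memory_swap_limit equal to memory_limit to disallow swap entirely for the container; leaving it unset while memory_limit is set allows swap up to the same amount again.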
Network Mode
Network mode supports bridge, host, container or none. Note that host shares the host's network namespace, so the container sees and binds host interfaces directly with no network isolation.
Learn more about Docker’s network modes at Network Settings.
network_mode: host
Network
Connect a container to a network.
In addition to bridge, host and none, the network property accepts a network name or id to connect to an existing user-defined network.
Learn more about Docker’s network settings at Network Settings.
network: user-net
Network Aliases
Add network-scoped alias for the container. Learn more about Docker’s network settings at Network Settings.
network_aliases: ["my-service"]
User and Group
Run the container as the specified user and optional group (format: <name|uid>[:<group|gid>]). Running as a non-root user limits what a compromised process can do inside the container; a named user must exist in the image, whereas a numeric id does not.
user: "1000:1000"
Security Options
Security options let you apply Docker's integration with existing, well-known systems such as AppArmor. Note that apparmor=unconfined removes the default AppArmor profile rather than adding one, so it weakens rather than strengthens the container.
security_options:
- apparmor=unconfined
When specifying security options you can use template functions; any security option that renders blank is allowed and is filtered out by Replicated, which is what makes the conditional form below work.
security_options:
- '{{repl if ConfigOptionEquals "enable_unconfined_apparmor_profile" "1"}}apparmor=unconfined{{repl end}}'
Learn more about Docker’s security configuration.
Privileged Mode and Security Capability
By default containers run with a limited set of capabilities and no access to host devices. You can grant additional capabilities with security_cap_add, or all of them together with device access by setting privileged. Prefer adding only the specific capability a process needs: privileged: true disables most of Docker's isolation for that container.
privileged: true
security_cap_add:
- SYS_MODULE
Learn more about Security Capabilities.
Read-only Root Filesystem
Mount the container’s root filesystem as read only.
readonly_rootfs: true
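As an added example (not from the original page), here is the same agent declared two ways using the network, user, security option, capability and read-only root filesystem settings from the preceding sections: first with the broad settings this page allows, then with the narrower equivalents a practitioner would ship. source, image_name and version are assumed container keys; the image, capability choice, network name and config option name are placeholders.

```yaml
components:
# Weak: privileged grants every capability and all host devices, host networking
# removes network isolation, and apparmor=unconfined drops the default profile.
- name: agent-weak
  containers:
  - source: public                 # assumed source key; image and version are placeholders
    image_name: example/agent
    version: "2.3.0"
    privileged: true
    network_mode: host
    security_options:
    - apparmor=unconfined

# Hardened: grant only what the agent needs and keep the rest of the defaults.
- name: agent
  containers:
  - source: public
    image_name: example/agent
    version: "2.3.0"
    # Non-root uid:gid; numeric ids need not exist in the image.
    user: "1000:1000"
    # One capability instead of all of them (NET_RAW is a placeholder choice).
    security_cap_add:
    - NET_RAW
    # Immutable root filesystem; writable state must go to a volume or tmpfs.
    readonly_rootfs: true
    # Keep the default AppArmor profile. The unconfined option is emitted only when
    # an operator turns it on; otherwise the blank entry is filtered out by Replicated.
    security_options:
    - '{{repl if ConfigOptionEquals "enable_unconfined_apparmor_profile" "1"}}apparmor=unconfined{{repl end}}'
    # Isolated user-defined network; other containers on it reach this one as "agent".
    network: app-net
    network_aliases: ["agent"]
```

If the hardened form fails at runtime, add the single missing capability or mount rather than falling back to privileged; the failure tells you exactly which permission the process actually needs.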
Allocate TTY
For interactive processes you can allocate a TTY with allocate_tty. Learn more by reading about container process Foreground.
allocate_tty: true
Hostname
Sets the hostname inside of the container. See the network host section under Network settings.
hostname: anxiety-closet
Extra Hosts
Add extra hostname mappings with hostname, address and an optional when field. See extra_hosts.
extra_hosts:
- hostname: mysql
address: 10.0.1.16
- hostname: redis
address: 10.0.1.32
Named Containers
The name argument sets the name of your running container. It is provided as a convenience during development, when you may want to connect to your containers and view logs. References to the container in template functions should continue to use the image name. Do not use it on containers that run more than one instance concurrently, as the second instance will fail to start due to a name conflict.
name: redis
For more information see named containers.
Entrypoint
When working with third-party containers you may want to override the default entrypoint using the entrypoint option. Learn more about overriding entrypoints and how the cmd and entrypoint options work together. Entrypoint takes an array of strings.
entrypoint: ["redis", "-p", "6380"]
Ulimits
Raising ulimits from inside a container requires privileges the default container does not have, so set them with the ulimits property of the container instead. Learn more about ulimits here.
ulimits:
- name: nofile
soft: 1024
hard: 1024
Pid Mode
Pid mode lets you specify the process namespace for your container. By default each container has its own namespace; by declaring a pid_mode you can see the processes of another container or of the host. Note that pid_mode: host exposes every process on the host to the container, so combine it only with a minimal set of capabilities. See PID settings to learn more.
pid_mode: host
Shm-Size
Available since v2.15.0.
Shm-Size lets you specify the size of /dev/shm for your container in bytes. If omitted or 0, the system defaults to 64MB.
shm_size: 67108864
Ephemeral
Ephemeral marks that a container is expected to exit, and allows the scheduler to listen for the container to stop. One common scenario where this is required is running database migrations at startup.
ephemeral: true
Dynamic
Dynamic marks that a container’s image should always be pulled, whether it is initially used by the application or not. This can be used to prepare images for containers that your application might run dynamically or for containers where running depends on template functions that may change during startup.
dynamic: true
Marking a container as dynamic pulls the image and starts the container. To pull the image without starting the container, add the when: false field to the container's options.
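As an added example (not from the original page), a component that combines the ephemeral and dynamic options described above: a migration container that is expected to exit, and a second container whose image is pre-pulled but which only runs once an operator enables it. source, image_name and version are assumed container keys, the use of a template function in when is an assumption based on the text above, and the images, entrypoint and config option name are placeholders.

```yaml
components:
- name: db
  containers:
  # Runs schema migrations and exits. ephemeral tells the scheduler to expect
  # the exit instead of treating it as a crashed container.
  - source: public                 # assumed source key; image and version are placeholders
    image_name: example/migrate
    version: "1.0.0"
    ephemeral: true
    entrypoint: ["/usr/local/bin/migrate", "up"]   # placeholder entrypoint
  # Image is pulled at install time so it is present when needed, but the
  # container is only started when the operator turns the option on.
  - source: public
    image_name: example/db-backup
    version: "1.0.0"
    dynamic: true
    when: '{{repl ConfigOptionEquals "enable_backups" "1"}}'   # assumed templatable when
```

Using when: false instead of the template keeps the image pulled and the container permanently disabled, which is useful for images you intend to run out of band.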
Labels
Labels can be applied to a container by Replicated. Labels are templateable and are split on the first = to form the label key and value. If no = is present, the entire string becomes the key and the value is the empty string.
For example, my.container.label becomes a label with a key of my.container.label and an empty value, while my.container.value=IMPORTANT=FALSE has a key of my.container.value and a value of IMPORTANT=FALSE.
labels:
- my.container.label
- my.container.value=IMPORTANT=FALSE
- 'my.template.value={{repl ConfigOption "labelValue" }}'
Disable Publish All Ports
By default, Replicated binds each exposed port to a random port on the host. Set this option to disable publishing all exposed ports to the host interfaces, so that only ports you publish explicitly are reachable from outside the container network.
disable_publish_all_ports: true
Stop Timeout
Stop Timeout specifies the number of seconds Docker waits after sending the stop signal to an application container before killing it. The default is 10.
stop_timeout: 10
Logs
Log rotation for containers is configured by specifying the maximum number of log files and the maximum size of each file. These options are applied only if json-file is the configured Docker logging driver. The max size string includes a unit: k for kilobytes, m for megabytes or g for gigabytes. Without a limit, container logs grow until they fill the host's disk. Log settings at the component level are inherited by the container unless overridden.
components:
- name: sample-agent
logs:
max_size: 200k
max_files: 2
containers:
- source: replicated
logs:
max_size: 500k
max_files: 5
For more advanced usage, specify the log_config property of the component or container. type is the logging driver name and config is a set of key-value pairs for configuring log-opts. For details on configuring the logging driver, see the Configure logging drivers documentation.
When specified, log_config overrides configuration set in the logs property. Log config at the component level is inherited by the container unless overridden.
components:
- name: sample-agent
log_config:
type: journald
config:
tag: sample-agent
containers:
- source: replicated
log_config:
type: journald
config:
tag: sample-agent
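As an added example (not from the original page), the following spec shows the precedence rule described above together with the json-file log-opts that correspond to the logs shorthand: the component sets logs, and the container overrides it with an explicit log_config using the json-file driver. The max-size and max-file option names are Docker's json-file log-opts; the values are placeholders.

```yaml
components:
- name: sample-agent
  # Applies to every container in the component unless overridden below.
  logs:
    max_size: 200k
    max_files: 2
  containers:
  - source: replicated
    # log_config takes precedence over the inherited logs settings for this
    # container. With the json-file driver, max-size and max-file are the
    # log-opts that the logs shorthand's max_size and max_files map onto.
    log_config:
      type: json-file
      config:
        max-size: 1m
        max-file: "3"      # log-opts are strings, so quote the number
```

A second container in the same component that declares neither logs nor log_config keeps the component-level 200k/2 settings.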