@@ -97,11 +97,86 @@ To set up the jailer correctly, you'll need to:
9797 their individually owned resources in the unlikely case where any one of the
9898 jails is broken out of.
9999
100+ Firecracker's customers are strongly advised to use the provided
101+ ` resource-limits ` and ` cgroup ` functionalities encapsulated within jailer,
102+ in order to control Firecracker's resource consumption in a way that makes
103+ the most sense to their specific workload. While aiming to provide as much
104+ control as possible, we cannot enforce aggressive default constraints
105+ resources such as memory or CPU because these are highly dependent on the
106+ workload type and usecase.
107+
108+ Here are some recommendations on how to limit the process's resources:
109+
110+ ### Disk
111+
112+ - ` cgroup ` provides a
113+ [ Block IO Controller] ( https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt )
114+ which allows users to control I/O operations through the following files:
115+ - ` blkio.throttle.io_serviced ` - bounds the number of I/Os issued to disk
116+ - ` blkio.throttle.io_service_bytes ` - sets a limit on the number of bytes
117+ transferred to/from the disk
118+
119+ - Jailer's ` resource-limit ` provides control on the disk usage through:
120+ - ` fsize ` - limits the size in bytes for files created by the process
121+ - ` no-file ` - specifies a value one greater than the maximum file
122+ descriptor number that can be opened by the process. If not specified,
123+ it defaults to 4096.
124+
125+ ### Memory
126+
127+ - ` cgroup ` provides a
128+ [ Memory Resource Controller] ( https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt )
129+ to allow setting upper limits to memory usage:
130+ - ` memory.limit_in_bytes ` - bounds the memory usage
131+ - ` memory.memsw.limit_in_bytes ` - limits the memory+swap usage
132+ - ` memory.soft_limit_in_bytes ` - enables flexible sharing of memory. Under
133+ normal circumstances, control groups are allowed to use as much of the
134+ memory as needed, constrained only by their hard limits set with the
135+ ` memory.limit_in_bytes ` parameter. However, when the system detects
136+ memory contention or low memory, control groups are forced to restrict
137+ their consumption to their soft limits.
138+
139+ ### vCPU
140+
141+ - ` cgroup ` ’s
142+ [ CPU Controller] ( https://www.kernel.org/doc/Documentation/cgroup-v1/cpuacct.txt )
143+ can guarantee a minimum number of CPU shares when a system is busy and
144+ provides CPU bandwidth control through:
145+ - ` cpu.shares ` - limits the amount of CPU that each group it is expected to
146+ get. The percentage of CPU assigned is the value of shares divided by the
147+ sum of all shares in all ` cgroups ` in the same level
148+ - ` cpu.cfs_period_us ` - bounds the duration in us of each scheduler period,
149+ for bandwidth decisions. This defaults to 100ms
150+ - ` cpu.cfs_quota_us ` - sets the maximum time in microseconds during each
151+ ` cfs_period_us ` for which the current group will be allowed to run
152+ - ` cpuacct.usage_percpu ` - limits the CPU time, in ns, consumed by the
153+ process in the group, separated by CPU
154+
100155Additional details of Jailer features can be found in the
101156[ Jailer documentation] ( jailer.md ) .
102157
103158## Host Security Configuration
104159
160+ ### Mitigating Network flooding issues
161+
162+ Network can be flooded by creating connections and sending/receiving a
163+ significant amount of requests. This issue can be mitigated either by
164+ configuring rate limiters for the network interface as explained within
165+ [ Network Interface documentation] ( api_requests/patch-network-interface.md ) ,
166+ or by using one of the tools presented below:
167+
168+ - ` tc qdisk ` - manipulate traffic control settings by configuring filters.
169+
170+ When traffic enters a classful qdisc, the filters are consulted and the
171+ packet is enqueued into one of the classes within. Besides
172+ containing other qdiscs, most classful qdiscs perform rate control.
173+
174+ - ` netnamespace ` and ` iptables `
175+ - ` --pid-owner ` - can be used to match packets based on the PID that was
176+ responsible for them
177+ - ` connlimit ` - restricts the number of connections for a destination IP
178+ address/from a source IP address, as well as limit the bandwidth
179+
105180### Mitigating Side-Channel Issues
106181
107182When deploying Firecracker microVMs to handle multi-tenant workloads, the
0 commit comments