Help Center

  1. StackPath Help
  2. Edge Computing
  3. Containers

Enhanced Container Controls

Avatar
Joelle Lanke
Updated:

Overview

Enhanced Container Controls provide you with the ability to configure additional EC Container controls so that you can customize certain advanced host system parameters to your fine-tuned needs.

This guide will explain how to enable enhanced container controls on your workload, as well as which settings are available in our Control Portal.

Getting Started

Enhanced Container Controls (Advanced Settings) can be configured in the Control Portal during Step 3 of the Create Workload process. The Enhanced Container Controls are optional advanced settings that can be used to fine-tune your additional workload requirements.

StackPath's Control Portal currently offers 3 categories of advanced customizable settings that can be added/dropped within your workload: Kernel Settings, Network Settings and Security Settings

For more information on the container settings within the other steps, please see here.

Kernel Settings (Sysctl)

Define additional kernel parameters for your workload. Sysctls provide the ability to tune kernel parameters to enhance the performance of a container. Below is a list of namespaced sysctls that StackPath supports along with a brief description of their function:

Sysctls Description
kernel.shm* Adjust shared memory related settings
kernel.msg* Adjust message queue related settings
kernel.sem Adjust semaphore tokens SEMMSL, SEMMNS, SEMOPM, and SEMMNI
fs.mqueue.* Adjust message queue related attributes used by file system
net.* Adjust networking related attributes

Click the drop-down arrow to select the supported sysctl parameter you would like to modify, then enter the value you'd like to set.kernel

Expand the list below to view all of the sysctls are currently supported by StackPath:

Sysctls
  1. kernel.msgmax
  2. kernel.msgmnb
  3. kernel.pid_max
  4. kernel.shmall
  5. kernel.shmmax
  6. kernel.shm_rmid_forced
  7. net.core.netdev_budget
  8. net.core.netdev_budget_usecs
  9. net.core.netdev_max_backlog
  10. net.core.optmem_max
  11. net.core.rmem_default
  12. net.core.rmem_max
  13. net.core.somaxconn
  14. net.core.wmem_default
  15. net.core.wmem_max
  16. net.ipv4.conf.$interface.accept_local
  17. net.ipv4.conf.$interface.arp_announce
  18. net.ipv4.conf.$interface.arp_ignore
  19. net.ipv4.conf.$interface.rp_filter
  20. net.ipv4.conf.all.accept_local
  21. net.ipv4.conf.all.arp_announce
  22. net.ipv4.conf.all.arp_ignore
  23. net.ipv4.conf.all.force_igmp_version
  24. net.ipv4.conf.all.rp_filter
  25. net.ipv4.conf.default.accept_local
  26. net.ipv4.conf.default.accept_source_route
  27. net.ipv4.conf.default.rp_filter
  28. net.ipv4.conf.lo.accept_local
  29. net.ipv4.conf.lo.arp_announce
  30. net.ipv4.conf.lo.arp_filter
  31. net.ipv4.conf.lo.arp_ignore
  32. net.ipv4.conf.lo.rp_filter
  33. net.ipv4.ip_forward
  34. net.ipv4.ip_local_port_range
  35. net.ipv4.ip_local_reserved_ports
  36. net.ipv4.ip_unprivileged_port_start
  37. net.ipv4.ping_group_range
  38. net.ipv4.tcp_base_mss
  39. net.ipv4.tcp_congestion_control
  40. net.ipv4.tcp_early_retrans
  41. net.ipv4.tcp_ecn
  42. net.ipv4.tcp_fin_timeout
  43. net.ipv4.tcp_max_orphans
  44. net.ipv4.tcp_max_syn_backlog
  45. net.ipv4.tcp_mem
  46. net.ipv4.tcp_mtu_probing
  47. net.ipv4.tcp_no_metrics_save
  48. net.ipv4.tcp_orphan_retries
  49. net.ipv4.tcp_retries2
  50. net.ipv4.tcp_rmem
  51. net.ipv4.tcp_slow_start_after_idle
  52. net.ipv4.tcp_syncookies
  53. net.ipv4.tcp_timestamps
  54. net.ipv4.tcp_tw_reuse
  55. net.ipv4.tcp_wmem
  56. net.ipv6.conf.$interface.autoconf
  57. net.ipv6.conf.all.accept_ra
  58. net.ipv6.conf.all.autoconf
  59. net.ipv6.conf.all.disable_ipv6
  60. net.ipv6.conf.default.autoconf
  61. net.ipv6.conf.lo.accept_dad
  62. net.ipv6.conf.lo.autoconf
  63. net.ipv6.conf.lo.dad_transmits
  64. net.ipv6.route.max_size
  65. vm.dirty_background_ratio
  66. vm.dirty_ratio
  67. vm.max_map_count
  68. vm.min_free_kbytes
  69. vm.panic_on_oom
  70. vm.swappiness


Network Settings

Configure the network settings for your container. Listed below are the network settings that are available via the Portal:

  • Host Entries: Host Entries are an optional list of hosts and IPs that will be injected into the workload's hosts file if specified.
  • Nameservers: Provide a list of DNS name server IP addresses.
  • Search Domains: A list of DNS search domains for host-name lookup.
  • DNS Resolver Options: A list of DNS resolver options.

Manually enter the Names and Values for the parameters as you see fit.network

Security Settings (Linux Capabilities)

Linux capabilities provide a more fine-grained way to grant privileged access to a process without giving it full root privileges. Select the linux capabilities you would like to add/drop to your workload using the drop-drown menu in the Portal.

security settings.png

The following linux capabilities are supported by StackPath:

Capability Description
CHOWN Make arbitrary changes to file UIDs and GIDs
DAC_OVERRIDE Bypass file read, write, and execute permission checks
DAC_READ_SEARCH Bypass file read permission checks and directory read and execute permission checks
FOWNER Bypass permission checks on operations that normally require the filesystem UID of the process to match the UID of the file
FSETID Don't clear set-user-ID and set-group-ID mode bits when a file is modified
KILL Bypass permission checks for sending signals(kill)
SETGID Make arbitrary manipulations of process GIDs and supplementary GID list
SETUID Make arbitrary manipulations of process UIDs
SETPCAP Add/drop any capability from the calling thread's bounding set to its inheritable set
LINUX_IMMUTABLE Set the FS_APPEND_FL and FS_IMMUTABLE_FL inode flags
NET_BIND_SERVICE Bind a socket to Internet domain privileged ports (port numbers less than 1024)
NET_BROADCAST Make socket broadcasts, and listen to multicasts
NET_ADMIN Perform various network-related operations
NET_RAW Use RAW and PACKET sockets
IPC_LOCK Lock memory, allocate memory using huge pages
IPC_OWNER Bypass permission checks for operations on System V IPC objects
SYS_CHROOT Use chroot, change mount namespaces using setns
SYS_PTRACE Trace arbitrary processes using ptrace, inspect, transfer data to/from processes
SYS_PACCT Use acct- switch process accounting on or off
SYS_NICE Perform range of system ops like change nice value of processes, scheduling classes, I/O scheduling etc
MKNOD Create special files using mknod(2)
LEASE Establish leases on arbitrary files
SETFCAP Eet arbitrary capabilities on a file

Want More? 

For additional Enhanced Container Controls, please feel free to use the StackPath API. See our API documentation located here.

Was this article helpful?

Related articles

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Contact Us