Added limits to containers

nikarh · Oct 9, 2024 · 47b025c · 47b025c
1 parent 1d9a517
commit 47b025c
Show file tree

Hide file tree

Showing 11 changed files with 289 additions and 4 deletions.
diff --git a/system/modules/server/common/docker-compose.yaml b/system/modules/server/common/docker-compose.yaml
@@ -31,6 +31,12 @@ services:
       WATCHTOWER_SCHEDULE: "0 42 4 * * *"
     volumes:
       - "/var/run/docker.sock:/var/run/docker.sock"
+    deploy:
+      resources:
+        limits:
+          memory: 100M
+        reservations:
+          memory: 20M
   traefik-cloudflare-companion:
     image: tiredofit/traefik-cloudflare-companion:${TRAEFIK_CLOUDFLARE_VERSION:-latest}
     container_name: traefik-cloudflare-companion
@@ -52,6 +58,12 @@ services:
       - "/var/run/docker.sock:/var/run/docker.sock"
     secrets:
       - CF_TOKEN
+    deploy:
+      resources:
+        limits:
+          memory: 100M
+        reservations:
+          memory: 50M
   traefik:
     image: traefik
     container_name: traefik
@@ -73,6 +85,12 @@ services:
       - "traefik.http.routers.api.service=api@internal"
       - "traefik.http.routers.api.middlewares=authelia@docker"
       - "traefik.http.routers.api.rule=Host(`traefik.${DOMAIN}`)"
+    deploy:
+      resources:
+        limits:
+          memory: 256M
+        reservations:
+          memory: 128M
   authelia:
     image: authelia/authelia:4.38.10
     container_name: authelia
@@ -110,3 +128,9 @@ services:
       - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
       - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
       - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:8080/api/authz/forward-auth"
+    deploy:
+      resources:
+        limits:
+          memory: 200M
+        reservations:
+          memory: 100M
diff --git a/system/modules/server/files/docker/projects/backup.docker-compose.yaml b/system/modules/server/files/docker/projects/backup.docker-compose.yaml
@@ -46,6 +46,12 @@ services:
       - switcheroo-db:/volumes/switcheroo-db:ro
     secrets:
       - SSH_KEY
+    deploy:
+      resources:
+        limits:
+          memory: 2G
+        reservations:
+          memory: 300M
 
   # Backup gdrive documents to home server
   gdrive-backup-from:
@@ -64,6 +70,12 @@ services:
           sleep 1h;
         done
       '
+    deploy:
+      resources:
+        limits:
+          memory: 200M
+        reservations:
+          memory: 20M
   # Backup home server documents to gdrive
   gdrive-backup-to:
     image: nikarh/fileserver-rclone
@@ -91,3 +103,9 @@ services:
           rclone -vv sync "/backup" gdrive-rw:/BACKUP/ --exclude ".stignore" --exclude ".stfolder/";
         done
       '
+    deploy:
+      resources:
+        limits:
+          memory: 200M
+        reservations:
+          memory: 20M
diff --git a/system/modules/server/files/docker/projects/ddns.docker-compose.yaml b/system/modules/server/files/docker/projects/ddns.docker-compose.yaml
@@ -20,6 +20,12 @@ services:
       PROXIED: false
     secrets:
       - CF_TOKEN
+    deploy:
+      resources:
+        limits:
+          memory: 15M
+        reservations:
+          memory: 10M
   ddns-u8-lv:
     image: oznu/cloudflare-ddns:latest
     container_name: ddns-u8-lv
@@ -31,3 +37,9 @@ services:
       PROXIED: true
     secrets:
       - CF_TOKEN
+    deploy:
+      resources:
+        limits:
+          memory: 15M
+        reservations:
+          memory: 10M
diff --git a/system/modules/server/files/docker/projects/files.docker-compose.yaml b/system/modules/server/files/docker/projects/files.docker-compose.yaml
@@ -48,6 +48,12 @@ services:
       - "traefik.http.routers.netdata.rule=Host(`netdata.${DOMAIN}`)"
       - "traefik.http.routers.netdata.entrypoints=https"
       - "traefik.http.routers.netdata.middlewares=authelia@docker"
+    deploy:
+      resources:
+        limits:
+          memory: 2G
+        reservations:
+          memory: 512M
   # This is required at least for esphome
   mdns-repeater:
     image: angelnu/mdns_repeater
@@ -57,6 +63,12 @@ services:
     environment:
       - hostNIC=eth0
       - dockerNIC=${DOCKER_NIC}
+    deploy:
+      resources:
+        limits:
+          memory: 10M
+        reservations:
+          memory: 10M
   # Homer is served from GH pages on the outside world,
   # but we also serve it from here for internal access.
   homer:
@@ -70,6 +82,12 @@ services:
       - "traefik.enable=true"
       - "traefik.http.routers.homer.rule=Host(`home.arhipov.net`) || Host(`u8.lv`)"
       - "traefik.http.routers.homer.entrypoints=https"
+    deploy:
+      resources:
+        limits:
+          memory: 10M
+        reservations:
+          memory: 10M
   samba:
     image: nikarh/fileserver-samba
     container_name: samba
@@ -82,6 +100,12 @@ services:
     volumes:
       - /var/lib/docker-services/volumes/samba/create-shares.sh:/scripts/create-shares.sh:ro
       - /var/data/home:/home
+    deploy:
+      resources:
+        limits:
+          memory: 200M
+        reservations:
+          memory: 20M
   sftpd:
     # On 2023.03.15 alpine version started freezing on connection.
     # Migrated to ubuntu.
@@ -101,6 +125,12 @@ services:
       - /var/lib/docker-services/volumes/sftpd/pam-sshd:/etc/pam.d/sshd:ro
       # Data
       - /var/data/home:/home
+    deploy:
+      resources:
+        limits:
+          memory: 100M
+        reservations:
+          memory: 50M
   filebrowser:
     image: filebrowser/filebrowser
     container_name: filebrowser
@@ -120,6 +150,13 @@ services:
       - "-d=/mnt/data/filebrowser.db"
       - "-c=/mnt/data/filebrowser.json"
       - "-p=8080"
+    deploy:
+      resources:
+        limits:
+          # For making archives in-place
+          memory: 5G
+        reservations:
+          memory: 20M
   syncthing:
     image: lscr.io/linuxserver/syncthing
     container_name: syncthing
@@ -139,6 +176,12 @@ services:
       - "traefik.http.routers.syncthing.rule=Host(`syncthing.${DOMAIN}`)"
       - "traefik.http.routers.syncthing.entrypoints=https"
       - "traefik.http.routers.syncthing.middlewares=authelia@docker"
+    deploy:
+      resources:
+        limits:
+          memory: 1G
+        reservations:
+          memory: 300M
   esphome:
     image: esphome/esphome
     container_name: esphome
@@ -151,3 +194,9 @@ services:
       - "traefik.http.routers.esphome.rule=Host(`esphome.${DOMAIN}`)"
       - "traefik.http.routers.esphome.entrypoints=https"
       - "traefik.http.routers.esphome.middlewares=authelia@docker"
+    deploy:
+      resources:
+        limits:
+          memory: 2G
+        reservations:
+          memory: 50M
diff --git a/system/modules/server/files/docker/projects/gitea.docker-compose.yaml b/system/modules/server/files/docker/projects/gitea.docker-compose.yaml
@@ -22,6 +22,12 @@ services:
       - gitea-data:/data
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
+    deploy:
+      resources:
+        limits:
+          memory: 500M
+        reservations:
+          memory: 250M
     labels:
       - "traefik.enable=true"
       - "traefik.http.services.gitea.loadbalancer.server.port=3000"

diff --git a/system/modules/server/files/docker/projects/immich.docker-compose.yaml b/system/modules/server/files/docker/projects/immich.docker-compose.yaml
@@ -20,6 +20,12 @@ services:
     <<: *service-defaults
     command: >
       --requirepass ${IMMICH_REDIS_PASSWORD}
+    deploy:
+      resources:
+        limits:
+          memory: 200M
+        reservations:
+          memory: 20M
   immich-postgres:
     image: tensorchord/pgvecto-rs:pg14-v0.2.0
     container_name: immich-postgres
@@ -31,6 +37,12 @@ services:
     volumes:
       - immich-db-data:/var/lib/postgresql/data
     restart: always
+    deploy:
+      resources:
+        limits:
+          memory: 1G
+        reservations:
+          memory: 100M
   immich:
     image: ghcr.io/imagegenius/immich:latest
     container_name: immich
@@ -68,3 +80,9 @@ services:
       - "traefik.http.middlewares.immich-redirect1.redirectregex.replacement=https://immich.${DOMAIN}/$$1"
       - "traefik.http.middlewares.immich-redirect2.redirectregex.regex=^https://photos.${DOMAIN}/(.*)"
       - "traefik.http.middlewares.immich-redirect2.redirectregex.replacement=https://immich.${DOMAIN}/$$1"
+    deploy:
+      resources:
+        limits:
+          memory: 2G
+        reservations:
+          memory: 512M
diff --git a/system/modules/server/files/docker/projects/logging.docker-compose.yaml b/system/modules/server/files/docker/projects/logging.docker-compose.yaml
@@ -26,13 +26,25 @@ services:
       - "/var/run/docker.sock:/var/run/docker.sock"
       - /var/lib/docker-services/volumes/vector:/etc/vector
       - vector-logs:/out
+    deploy:
+      resources:
+        limits:
+          memory: 300M
+        reservations:
+          memory: 150M
   loki:
     image: grafana/loki:latest
     container_name: loki
     <<: *common-service-defaults
     volumes:
       - /var/lib/docker-services/volumes/loki:/etc/loki:ro
       - loki-data:/loki
+    deploy:
+      resources:
+        limits:
+          memory: 600M
+        reservations:
+          memory: 300M
   grafana:
     image: grafana/grafana:latest
     container_name: grafana
@@ -71,6 +83,12 @@ services:
           editable: false
         EOF
         /run.sh
+    deploy:
+      resources:
+        limits:
+          memory: 500M
+        reservations:
+          memory: 100M
     labels:
       - "traefik.enable=true"
       - "traefik.http.services.grafana.loadbalancer.server.port=3000"
@@ -89,6 +107,12 @@ services:
       LOGROTATE_SIZE: "10M"
     volumes:
       - vector-logs:/logs
+    deploy:
+      resources:
+        limits:
+          memory: 40M
+        reservations:
+          memory: 10M
   init-fail2ban-volume:
     image: alpine
     command: >
@@ -114,6 +138,12 @@ services:
       - /var/lib/docker-services/volumes/fail2ban/fail2ban.local:/config/fail2ban/fail2ban.local:ro
       - vector-logs:/remotelogs:ro
       - fail2ban-db:/db
+    deploy:
+      resources:
+        limits:
+          memory: 100M
+        reservations:
+          memory: 50M
     depends_on:
       init-fail2ban-volume:
         condition: service_completed_successfully
diff --git a/system/modules/server/files/docker/projects/mail.docker-compose.yaml b/system/modules/server/files/docker/projects/mail.docker-compose.yaml
@@ -25,6 +25,12 @@ services:
       - mail-data:/home
     secrets:
       - IMAP_AUTH
+    deploy:
+      resources:
+        limits:
+          memory: 50M
+        reservations:
+          memory: 10M
   dovecot:
     image: dovecot/dovecot
     container_name: dovecot
@@ -42,6 +48,12 @@ services:
         /usr/sbin/dovecot -F;
         rm -rf /var/lib/apt/lists;
       '
+    deploy:
+      resources:
+        limits:
+          memory: 50M
+        reservations:
+          memory: 10M
   roundcube:
     image: roundcube/roundcubemail
     container_name: roundcube
@@ -57,3 +69,9 @@ services:
       - "traefik.http.routers.roundcube.rule=Host(`mail.${DOMAIN}`) || Host(`mail.u8.lv`)"
       - "traefik.http.routers.roundcube.entrypoints=https"
       - "traefik.http.routers.roundcube.middlewares=authelia@docker"
+    deploy:
+      resources:
+        limits:
+          memory: 300M
+        reservations:
+          memory: 100M