From 700622e521950061c5d9d9fe2c779a7d01b11b65 Mon Sep 17 00:00:00 2001 From: Matthew Momjian <50788000+mmomjian@users.noreply.github.com> Date: Tue, 2 Apr 2024 10:24:06 -0400 Subject: [PATCH] docs: update FAQ for Docker (#8418) * Update FAQ.mdx * Update FAQ.mdx * linting --- docs/docs/FAQ.mdx | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/docs/docs/FAQ.mdx b/docs/docs/FAQ.mdx index 884beee4b9..98b3db996f 100644 --- a/docs/docs/FAQ.mdx +++ b/docs/docs/FAQ.mdx @@ -253,8 +253,19 @@ The initial backup is the most intensive due to the number of jobs running. The ### Can I limit the amount of CPU and RAM usage? -By default, a container has no resource constraints and can use as much of a given resource as the host's kernel scheduler allows. -You can look at the [original docker docs](https://docs.docker.com/config/containers/resource_constraints/) or use this [guide](https://www.baeldung.com/ops/docker-memory-limit) to learn how to limit this. +By default, a container has no resource constraints and can use as much of a given resource as the host's kernel scheduler allows. To limit this, you can add the following to the `docker-compose.yml` block of any containers that you want to have limited resources. + +```yaml +deploy: + resources: + limits: + # Number of CPU threads + cpus: '1.00' + # Gigabytes of memory + memory: '1G' +``` + +For more details, you can look at the [original docker docs](https://docs.docker.com/config/containers/resource_constraints/) or use this [guide](https://www.baeldung.com/ops/docker-memory-limit). ### How can I boost machine learning speed? 
@@ -296,6 +307,17 @@ You may need to add mount points or docker volumes for the following internal co The non-root user/group needs read/write access to the volume mounts, including `UPLOAD_LOCATION`. +For a further hardened system, you can add the following block to every container except for `immich_postgres`. + +```yaml +security_opt: + # Prevent escalation of privileges after container is started + - no-new-privileges:true +cap_drop: + # Prevent access to raw network traffic + - NET_RAW +``` + ### How can I **purge** data from Immich? Data for Immich comes in two forms:
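Review bot: In the first hunk (`@@ -253,8 +253,19 @@`), the added sentence says to put the snippet in "the `docker-compose.yml` block of any containers", which does not tell the reader that `deploy:` has to sit at the service level, indented under the service name. I would reword it to "add the following to the service definition in `docker-compose.yml` of each container you want to limit". The comment `# Number of CPU threads` is also looser than the value beneath it: `cpus: '1.00'` is a fractional CPU quota, so something like "Number of CPUs the container may use (fractions allowed)" matches it better. It would also help to say what happens at the `memory` limit, since a container that exceeds it gets its processes killed by the kernel OOM killer, and a user who sets `1G` on a heavy service will otherwise see unexplained restarts.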
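Review bot: In the second hunk (`@@ -296,6 +307,17 @@`), the sentence "every container except for `immich_postgres`" gives no reason for the exception, so a reader cannot tell whether it is `no-new-privileges:true`, `cap_drop: NET_RAW`, or both that the database container cannot run with. Please add a short clause stating which option breaks it and why; otherwise people will either skip the hardening on Postgres without knowing whether one of the two options is still safe to apply, or apply it anyway and hit a startup failure. As with the resource limits block, it is worth saying that `security_opt` and `cap_drop` go at the service level of each container in `docker-compose.yml`.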