Configure the Memory Limitation

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-05-06
Last date published: 2024-09-12
Category: Administrator Guide
Abstract: Configure the memory limitation by adding a server configuration in Cortex XSIAM.

It is recommended to limit the available memory for each container to 1 GB.

Note

On CentOS 7.x distributions with Docker CE or EE with version 17.06 and later, ensure that your kernel fully supports kmem accounting or that it has been compiled to disable kmem accounting. The kmem accounting feature in Red Hat’s Linux kernel has been reported to contain bugs, which cause kernel deadlock or slow kernel memory leaks. This is caused by a patch introduced in runc, which turns on kmem accounting automatically when user memory limitation is configured, even if not requested by the Docker CLI setting --kernel-memory (see: opencontainers/runc#1350). Users using Red Hat's distribution of Docker based on version 1.13.1 are not affected as this distribution of Docker does not include the runc patch. For more information see Red Hat’s Docker distribution documentation.

If you do not want to apply Docker memory limitations because of the note above, explicitly set the advanced parameter limit.docker.memory to false.

If swap limit capabilities are enabled, configure the memory limitation in Cortex XSIAM using the following advanced parameters.

  1. Edit the Engine Configuration File.

  2. Add the following keys.

    "limit.docker.memory": true,
    "docker.memory.limit": "1g"

  3. Save the changes.

  4. Restart the demisto service on the engine machine.

    sudo systemctl restart d1

    (Ubuntu/DEB) sudo service d1 restart
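
To confirm that the limit is in effect after the restart, the following added example (not part of the Cortex XSIAM documentation) compares the two keys above with `docker inspect` output. It assumes the engine passes `docker.memory.limit` to Docker as each container's memory limit, which Docker reports in bytes as `HostConfig.Memory` (0 means unlimited); the function names, container names and sample data are constructed for illustration.

```python
import json
import re

# Docker size suffixes: b, k, m, g (powers of 1024).
_UNITS = {"": 1, "b": 1, "k": 1024, "m": 1024**2, "g": 1024**3}

def limit_to_bytes(limit):
    """Convert a Docker-style size such as "1g" or "512m" to bytes."""
    match = re.fullmatch(r"(\d+)([bkmg]?)", limit.strip().lower())
    if not match:
        raise ValueError(f"unrecognised memory limit: {limit!r}")
    return int(match.group(1)) * _UNITS[match.group(2)]

def expected_limit(engine_conf):
    """Byte limit requested by the engine config, or None when limiting is off."""
    if engine_conf.get("limit.docker.memory") is not True:
        return None
    # This check needs an explicit value: a missing or malformed one raises.
    return limit_to_bytes(engine_conf.get("docker.memory.limit", ""))

def containers_missing_limit(engine_conf, inspect_output):
    """Names of containers whose HostConfig.Memory differs from the configured limit."""
    want = expected_limit(engine_conf)
    if want is None:
        return []
    return [c["Name"] for c in inspect_output
            if c.get("HostConfig", {}).get("Memory", 0) != want]

# Constructed sample: the keys from step 2 and a trimmed `docker inspect` result.
ENGINE_CONF = json.loads('{"limit.docker.memory": true, "docker.memory.limit": "1g"}')
INSPECT = json.loads("""[
  {"Name": "/sample_integration_a", "HostConfig": {"Memory": 1073741824}},
  {"Name": "/sample_integration_b", "HostConfig": {"Memory": 0}}
]""")

if __name__ == "__main__":
    for name in containers_missing_limit(ENGINE_CONF, INSPECT):
        print(f"{name}: configured memory limit not applied")
```

On an engine machine, replace the constructed `INSPECT` data with the parsed output of `docker inspect $(docker ps -q)` and `ENGINE_CONF` with the parsed engine configuration file.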