Resource limits and cgroups

In the context of Docker, cgroups (control groups) are used to limit the resources of a container.

In IAM, the JVM is by default configured to use up to 50% of the available container memory for the heap, by the IAM_JAVA_OPTS parameter with a default value of IAM_JAVA_OPTS=-XX:MaxRAMPercentage=50.

Notice

The option -XX:MaxRAMPercentage relates the container memory available to the JVM for the heap to the total amount of container memory.

Do not to set the value of -XX:MaxRAMPercentage too high
If the JVM and additional processes running in the container (e.g., docker exec) exceed the container's memory limit, the container may be killed.

Docker CLI

Example

docker run --rm --memory 4g --env "IAM_JAVA_OPTS=-XX:MaxRAMPercentage=50" quay.io/airlock/iam:7.7

docker-compose.yml

Example

version: '3.7'
services:
  iam:
    image: quay.io/airlock/iam:7.7    environment:
      - "IAM_JAVA_OPTS=-XX:MaxRAMPercentage=50"
    deploy: # Only for Docker Swarm
      resources:
        limits:
          memory: "4G"

Note that the -XshowSettings:vm option will log the memory consumption of the JVM. The -XshowSettings:vm option can be added to IAM_JAVA_OPTS. With the option enabled, this additional log output will be generated:

Example

VM settings:
    Max. Heap Size (Estimated): 2.00G
    Using VM: OpenJDK 64-Bit Server VM