
How to Manage Container Resources: CPU, Memory, and Linux Capabilities in Apple container

Purpose

This post demonstrates how to control CPU, memory, Linux capabilities, and other resource settings for Apple containers, both per container at run time and as persistent defaults at the system level.

Per-Container CPU and Memory

Override defaults when running a container:

(Figure: a container allocated 4 CPU cores and 4 GB of memory, with the resource boundary between the container and the host OS.)

Set container resources
container run --cpus 4 --memory 4g my-image

Without these flags a container gets 4 CPUs and 1 GB of RAM. Memory accepts K, M, G, T and P suffixes; the units are binary and the granularity is 1 MiB, so 4g means 4 GiB (4096 MiB), not 4,000,000,000 bytes.

Builder Resources

The builder VM has separate defaults: 2 CPUs and 2 GB RAM. Configure it:

Configure builder resources
container builder start --cpus 8 --memory 32g

Default Configuration

Persist settings in ~/.config/container/config.toml:

~/.config/container/config.toml
[container]
cpus = 4
memory = "2g"
[build]
cpus = 4
memory = "8g"
rosetta = true

The [container] section controls per-container defaults. The [build] section controls builder defaults.
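The two rules above (binary memory units at 1 MiB granularity, and run-time flags overriding the [container] defaults in config.toml, which in turn override the built-in 4 CPU / 1 GB defaults) are easy to get wrong when scripting container launches. The following script is an added example, not code from the post or from the container project: it resolves the effective --cpus and --memory for a launch, converts the memory size to MiB, and checks the request against the host before anything is started. The config.toml it reads is a constructed copy of the post's example written to a temporary file; the built-in defaults are the ones the post states; the host queries (sysctl, nproc, /proc/meminfo) are ordinary OS tools, and the decision to reject bare numbers and non-whole-MiB sizes is this helper's own strictness, not documented CLI behaviour.

```shell
#!/bin/sh
# Added example (not from the post or the container project): resolve the
# CPU/memory a container will get (run flag > [container] defaults in
# config.toml > built-in defaults) and sanity-check it against the host.

BUILTIN_CPUS=4          # built-in per-container defaults stated in the post
BUILTIN_MEMORY=1g

# Convert a size with K/M/G/T/P suffix (binary units, either case) to whole
# MiB. Rejecting bare numbers and non-whole-MiB values is this helper's
# choice: the CLI works at 1 MiB granularity, so a rounded request is a
# request you did not actually make.
to_mib() {
  size=$1
  num=${size%[KkMmGgTtPp]}
  unit=${size#"$num"}
  case "$num" in ''|*[!0-9]*) echo "invalid size: $size" >&2; return 1 ;; esac
  case "$unit" in
    K|k) kib=$num ;;
    M|m) kib=$((num * 1024)) ;;
    G|g) kib=$((num * 1024 * 1024)) ;;
    T|t) kib=$((num * 1024 * 1024 * 1024)) ;;
    P|p) kib=$((num * 1024 * 1024 * 1024 * 1024)) ;;
    *) echo "size needs a K/M/G/T/P suffix: $size" >&2; return 1 ;;
  esac
  [ $((kib % 1024)) -eq 0 ] || { echo "not a whole MiB: $size" >&2; return 1; }
  echo $((kib / 1024))
}

# Look up key = value inside one [section] of a flat config.toml. Enough for
# the sections shown in the post; not a general TOML parser.
toml_get() {
  [ -r "$1" ] || return 0
  awk -v s="[$2]" -v k="$3" '
    $0 == s { in_sec = 1; next }
    /^\[/   { in_sec = 0 }
    in_sec && $1 == k && $2 == "=" { gsub(/"/, "", $3); print $3; exit }
  ' "$1"
}

# Precedence: explicit flag, else [container] default, else built-in default.
resolve_setting() {
  flag=$1 file=$2 key=$3 dflt=$4
  if [ -n "$flag" ]; then echo "$flag"; return 0; fi
  v=$(toml_get "$file" container "$key")
  echo "${v:-$dflt}"
}
resolve_memory_mib() { to_mib "$(resolve_setting "$1" "$2" memory "$BUILTIN_MEMORY")"; }
resolve_cpus()       { resolve_setting "$1" "$2" cpus "$BUILTIN_CPUS"; }

# Host totals (macOS via sysctl, Linux via nproc / /proc/meminfo).
host_cpus()    { sysctl -n hw.ncpu 2>/dev/null || nproc 2>/dev/null || getconf _NPROCESSORS_ONLN; }
host_mem_mib() {
  if [ -r /proc/meminfo ]; then awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo
  else sysctl -n hw.memsize | awk '{ print int($1 / 1024 / 1024) }'; fi
}

# 0 when the request fits on the host, 1 otherwise (reasons go to stderr).
preflight() {
  cpus=$1 mem_mib=$2 hcpus=$3 hmem=$4 ok=0
  [ "$cpus" -le "$hcpus" ]   || { echo "cpus $cpus exceeds host $hcpus" >&2; ok=1; }
  [ "$mem_mib" -le "$hmem" ] || { echo "memory ${mem_mib}MiB exceeds host ${hmem}MiB" >&2; ok=1; }
  return $ok
}

# Constructed config mirroring the post's example, written to a temp file.
CONFIG=$(mktemp); trap 'rm -f "$CONFIG"' EXIT
cat > "$CONFIG" <<'EOF'
[container]
cpus = 4
memory = "2g"
[build]
cpus = 4
memory = "8g"
rosetta = true
EOF

# $1 and $2 are optional --cpus / --memory overrides, e.g.: ./preflight.sh 2 4g
cpus=$(resolve_cpus "${1:-}" "$CONFIG")
mem=$(resolve_memory_mib "${2:-}" "$CONFIG") || exit 1
echo "effective: --cpus $cpus --memory ${mem}m (host: $(host_cpus) CPUs, $(host_mem_mib) MiB)"
preflight "$cpus" "$mem" "$(host_cpus)" "$(host_mem_mib)" && echo "request fits on this host"
```

Run without arguments it prints the defaults that config.toml would give you (4 CPUs, 2048 MiB); pass flag values as arguments to see them take precedence. The awk lookup only handles the flat key = value sections shown above; a config with nested tables would need a real TOML parser.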

Linux Capabilities

Linux capabilities split the privileges of root into discrete units, so a process running as root inside the container holds only the units it was granted. Apple container starts each container with the same fourteen capabilities Docker grants by default. Even this set is broad for most services: CAP_NET_RAW allows raw sockets (ping, but also crafted packets), CAP_DAC_OVERRIDE bypasses file permission checks, and CAP_MKNOD creates device nodes. Treat it as a starting point to trim, not as a hardened profile.

(Figure: three security models side by side: full root with all privileges, capability-based with the default set of granular permissions, and least-privilege, which drops everything and adds back only the capabilities needed.)

Default capabilities
CAP_AUDIT_WRITE
CAP_CHOWN
CAP_DAC_OVERRIDE
CAP_FOWNER
CAP_FSETID
CAP_KILL
CAP_MKNOD
CAP_NET_BIND_SERVICE
CAP_NET_RAW
CAP_SETFCAP
CAP_SETGID
CAP_SETPCAP
CAP_SETUID
CAP_SYS_CHROOT

Adding Capabilities

--cap-add grants a capability on top of the default set; it never removes anything. Add only what the workload demonstrably needs. NET_ADMIN, for example, lets the process reconfigure interfaces, routes and firewall rules inside the container:

Add a capability
container run --cap-add NET_ADMIN my-image

Dropping All and Adding Selectively (Least-Privilege)

Drop all, add only what is needed
container run --cap-drop ALL --cap-add SETUID --cap-add SETGID my-image

Capability names are case-insensitive and the CAP_ prefix is optional, so SETUID, setuid and CAP_SETUID are equivalent. SETUID and SETGID are kept in the example because they are what a service needs to start as root and then drop to an unprivileged user; a workload that already runs as that user needs neither and can drop everything.
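The flags above set policy, but the only authoritative record of what a container actually holds is the kernel's own view inside the guest: the CapEff line of /proc/self/status (a hex bitmask) and the mount options of /. The script below is an added example, not code from the post or from the container project. It decodes such a mask into capability names using the bit numbers from <linux/capability.h>, reports any capability outside an allow-list (accepting names in any case, with or without the CAP_ prefix, as the CLI does), and checks whether the root filesystem is mounted read-only. Inside a Linux guest it reads the live process state; on a macOS host, where /proc does not exist, it falls back to the mask 00000000a80425fb, which is the post's default capability list expressed as a bitmask (that encoding is mine, computed from the standard bit numbers). The sample /proc/mounts lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the post or the container project): decode a Linux
# capability bitmask (e.g. CapEff from /proc/<pid>/status), diff it against an
# allow-list, and check that / is mounted read-only.
# Index in CAP_NAMES == bit number, as in <linux/capability.h>.
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID \
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW \
IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT \
SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD \
LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG \
WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"

# Normalise a name the way the CLI accepts it: any case, CAP_ prefix optional.
normalize_cap() {
  c=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  case "$c" in CAP_*) ;; *) c="CAP_$c" ;; esac
  printf '%s\n' "$c"
}

# Print the names of the capabilities whose bits are set in a hex mask.
decode_caps() {
  h=${1#0x}; mask=$((0x$h)); i=0; names=""
  for name in $CAP_NAMES; do
    if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
      names="${names:+$names }CAP_$name"
    fi
    i=$((i + 1))
  done
  printf '%s\n' "$names"
}

# Print every capability in the mask that is not in the allow-list given as
# arguments; empty output means the effective set is within policy.
caps_outside_allowlist() {
  mask_hex=$1; shift
  allowed=" "
  for a in "$@"; do allowed="$allowed$(normalize_cap "$a") "; done
  extra=""
  for cap in $(decode_caps "$mask_hex"); do
    case "$allowed" in
      *" $cap "*) ;;
      *) extra="${extra:+$extra }$cap" ;;
    esac
  done
  printf '%s\n' "$extra"
}

# Given the contents of /proc/mounts, print ro or rw for the "/" mount
# (nothing if no root entry is present).
rootfs_mode_from_mounts() {
  printf '%s\n' "$1" | awk '$2 == "/" {
    n = split($4, o, ",")
    for (k = 1; k <= n; k++) if (o[k] == "ro") { print "ro"; exit }
    print "rw"; exit
  }'
}

# Live state inside a Linux guest; on macOS there is no /proc, so demonstrate
# on the mask that encodes the default set from the post.
if [ -r /proc/self/status ]; then
  eff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
else
  eff=00000000a80425fb
fi
echo "effective capabilities: $(decode_caps "$eff")"
echo "beyond a SETUID/SETGID allow-list: $(caps_outside_allowlist "$eff" setuid setgid)"
if [ -r /proc/mounts ]; then
  echo "root filesystem: $(rootfs_mode_from_mounts "$(cat /proc/mounts)")"
fi
```

Run it with container exec inside a container started with --cap-drop ALL --cap-add SETUID --cap-add SETGID --read-only and the allow-list diff should come back empty and the root filesystem should report ro; run it in a container started with the defaults and it lists the twelve extra capabilities you did not ask to keep.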

Additional Resource Controls

Flag                    What it does
--init                  Run a lightweight init as PID 1 (signal forwarding, zombie reaping)
--read-only             Mount the root filesystem read-only
--ulimit nofile=1024    Set POSIX resource limits (type=soft[:hard])
--shm-size 64m          Set the size of /dev/shm

Combined example
container run \
--cpus 2 \
--memory 2g \
--cap-drop ALL \
--cap-add SETUID \
--cap-add SETGID \
--read-only \
--init \
--name secure-app \
my-image

Monitoring Resource Usage

Verify that the CPU and memory limits are applied. Note that container stats reports resource usage against the memory limit only; it says nothing about capabilities or the read-only root, which you check from inside the container (the CapEff line of /proc/self/status and the mount options of / in /proc/mounts).

Check resource usage
container stats --no-stream my-container
Output
CONTAINER NAME   CPU %   MEM USAGE / LIMIT      PIDS
my-container     2.3%    120.5 MiB / 2.00 GiB   5

Summary

In this post, I showed how to manage CPU, memory, and Linux capabilities for Apple containers. The key points: per-container flags override the configured defaults, persistent defaults live in config.toml, and capabilities follow a least-privilege model with --cap-drop ALL --cap-add ... rather than adding to the default set.

Final Words + More Resources

My intention with this article was to share my knowledge and experience with others. If you want to contact me, you can reach me by email.

Here are also the most important links from this article along with some further resources that will help you in this scope:

Oh, and if you found these resources useful, don’t forget to support me by starring the repo on GitHub!
