Merge branch '516-work' into ania-stage

cumulusAnia · cumulusAnia · commit 8a01fd52ada7 · 2026-01-14T16:51:04.000-08:00
diff --git a/content/cumulus-linux-516/System-Configuration/Docker-with-Cumulus-Linux.md b/content/cumulus-linux-516/System-Configuration/Docker-with-Cumulus-Linux.md
@@ -421,6 +421,71 @@ debug-mode      False
 log-level       json-file   
 ```
 
+## Manage Docker Container Resources
+
+By default, the switch restricts unknown containers to 20 percent of host resources and limited containers to 50 percent. You can customize these values by editing the `/etc/cumulus/docker/resources.conf` file.
+
+```
+cumulus@switch: sudo nano /etc/cumulus/docker/resources.conf
+RESTRICTED_PERCENT=10  # Tighter jail for unknown apps
+LIMITED_PERCENT=60     # Slightly more room for limited apps
+```
+
+After editing the `/etc/cumulus/docker/resources.conf` file, you must restart `cumulus-docker-resource-limit-calculator.service`.
+
+```
+cumulus@switch: systemctl restart cumulus-docker-resource-limit-calculator.service
+```
+
+The docker image whitelist maintains the list of trusted and limited images and is located in the `/etc/cumulus/docker/whitelist.json` file.
+
+By default, the `/etc/cumulus/docker/whitelist.json` file ships with the following content.
+
+```
+cumulus@switch: sudo cat /etc/cumulus/docker/whitelist.json
+{
+  "trusted_images": [ ],
+  "limited_images": ["docker-wjh"]
+}
+```
+
+You can edit this file to add trusted and limited images.
+
+```
+cumulus@switch: sudo nano /etc/cumulus/docker/whitelist.json
+{
+  "trusted_images": [
+    "internal-app",
+    "postgres"
+  ],
+  "limited_images": [
+    "jenkins-agent",
+    "python-worker"
+  ]
+}
+```
+
+To show memory resource usage for containers, run the Linux `sudo cat /sys/fs/cgroup/cumulus-docker-trusted/memory.current` command.
+
+```
+cumulus@switch: sudo cat /sys/fs/cgroup/cumulus-docker-trusted/memory.current
+
+```
+
+To show CPU resource usage for containers, run the Linux `sudo cat sys/fs/cgroup/cumulus-docker-trusted/cpu.stat` command and `sudo cat /sys/fs/cgroup/cumulus-docker-limited/cpu.stat` command.
+
+```
+cumulus@switch: sudo cat /sys/fs/cgroup/cumulus-docker-limited/cpu.stat
+
+```
+
+To show which container processes are trusted and which are limited, run the `sudo cat /sys/fs/cgroup/cumulus-docker-trusted/cgroup.procs` command or the `sudo cat /sys/fs/cgroup/cumulus-docker-limited/cgroup.procs` command:
+
+```
+cumulus@switch: sudo cat /sys/fs/cgroup/cumulus-docker-limited/cgroup.procs
+
+```
+
 ## Considerations
 
 - Be mindful of the types of applications you want to run in containers on a Cumulus Linux switch. Depending on the configuration of the container, DHCP servers, custom scripts, and other lightweight services run well. However, VPN, NAT and encryption-type services are CPU-intensive and lead to undesirable effects on critical applications.
diff --git a/content/cumulus-linux-516/Whats-New/_index.md b/content/cumulus-linux-516/Whats-New/_index.md
@@ -35,7 +35,7 @@ Cumulus Linux 5.16 contains new features and improvements, and provides bug fixe
 - {{<link url="802.1X-Interfaces/#preserve-dynamically-assigned-ipv6-addresses" text="802.1X preserve dynamically assigned IPv6 addresses">}}
 - {{<link url="Quality-of-Service/#shaping" text="PPS mode for QoS egress shapers">}}
 - {{<link url="Quality-of-Service/#extra-lossy-headroom" text="Extra threshold for QoS lossy priority groups">}}
-- Docker
+- {{<link url="Docker-with-Cumulus-Linux/#manage-docker-container-resources" text="Manage Docker container resources">}}
 - Health Event and SDK Driver Monitoring for Multi ASIC
 - Security features:
   - {{<link url="FIPS" text="FIPS mode">}}
