Runtime

Linux isolates containers using kernel namespaces. Sometimes you need the opposite: two containers that can see each other’s processes or share memory. The pid and ipc directives give you that escape hatch. Sharing a PID namespace pid: service:<name> lets a container see and act on processes inside another service: services: app: image: myapp debugger: image: alpine pid: service:app cap_add: - SYS_PTRACE command: sleep infinity The debugger container’s ps, strace, and /proc all reflect app’s processes. Combined with cap_add: SYS_PTRACE, you can attach strace or gdb to a running production-style container without baking debug tools into its image. ...

CPU and memory limits (Tip #16) cover the obvious resources. Two more options solve specific problems: ulimits for kernel limits and shm_size for shared memory. ulimits: kernel resource limits ulimits controls per-container limits the Linux kernel enforces: open file descriptors, processes, locked memory, and others. services: api: image: myapi ulimits: nofile: soft: 65536 hard: 65536 nproc: 4096 soft is the default, hard is the maximum the process can raise itself to. For most simple cases, set them equal. ...

Both entrypoint and command define what runs when a container starts. They look similar, but they play different roles, and confusing them leads to surprising behavior. The mental model When a container starts, Docker runs: <entrypoint> <command> entrypoint is the executable command is the default arguments passed to it If the image’s Dockerfile has ENTRYPOINT ["python"] and CMD ["app.py"], the container runs python app.py. Overriding from Compose Both can be overridden in Compose: ...

Running ML models, video processing, or any GPU-accelerated workload? Compose lets you reserve GPU devices for specific services. Basic GPU access Give a service access to all available GPUs: services: ml-training: image: pytorch/pytorch deploy: resources: reservations: devices: - driver: nvidia count: all capabilities: [gpu] Limiting GPU count Reserve a specific number of GPUs instead of all: services: inference: image: mymodel:latest deploy: resources: reservations: devices: - driver: nvidia count: 1 capabilities: [gpu] Selecting specific GPUs by ID Target specific GPU devices when you have multiple: ...

When you run docker compose down or docker compose stop, Compose sends a signal to your containers. Understanding which signal is sent and how your application handles it is key to graceful shutdowns. Default behavior By default, Compose sends SIGTERM to the main process (PID 1), waits 10 seconds, then sends SIGKILL: services: app: image: myapp # Default: SIGTERM, 10s grace period, then SIGKILL Changing the stop signal Some applications expect a different signal. Nginx, for example, uses SIGQUIT for graceful shutdown: ...