CPU Isolation for Docker and Incus

Hey everyone,

I’ve been using TrueNAS with Docker and Incus (for both containers and VMs), and I think there’s room for improvement in CPU management. Right now, it seems like Docker can’t be isolated properly, and Incus doesn’t allow CPU reservation, which can lead to performance issues.

Would it be possible to add:

  1. Global CPU Isolation for Docker
  • Instead of limiting CPUs per container, it would be great if we could set a global CPU limit for Docker.
  • Maybe an option in the UI where we can choose which CPU cores Docker can use?
  • This way, Docker wouldn’t interfere with Incus workloads or system processes.
  2. CPU Reservation for Incus (Containers & VMs)
  • Right now, Incus allows CPU limits (limits.cpu), but there’s no way to reserve specific CPU cores.
  • If we had a CPU reservation feature, we could make sure important workloads always have the CPU power they need.
  • Maybe this could be integrated into the UI with a simple “CPU Reservation” checkbox when setting up an Incus container or VM?
  3. Better CPU Management Using systemd Slices
  • If Docker and Incus workloads were properly grouped using systemd slices, they wouldn’t interfere with system performance.
  • Something like:
      System Processes (system.slice)
      Docker (truenas-docker.slice) → CPU-isolated
      Incus (truenas-incus.slice) → Can reserve CPUs
  • This would prevent Docker from hogging resources and allow Incus workloads to run more predictably.

I feel like these changes would make TrueNAS more stable under heavy workloads and give users better control over CPU allocation.

What do you all think? Would this be useful for others? Are there any potential issues I might be missing?

If you specify limits.cpu=0,1 or limits.cpu=0-1 for example, it should pin the VM to cores 0 and 1. You can test by e.g. creating a Linux VM, installing stress-ng and doing stress-ng --cpu 2 --fork 4 --timeout 2m --metrics – if you then look at CPU core utilization, you’ll see cores 0 and 1 being heavily loaded.

For containers, you’ll need to talk to Incus devs, not TrueNAS devs.


This is completely correct, but nevertheless these cores can still be used by TrueNAS for Docker etc.; they are not exclusive to the VM, which means that if I generate load on Docker or the NAS itself, the VM will be affected.

For Docker a workaround would be to define custom containers via YAML and use cpuset to define which cores you want to limit the container to.

TrueNAS itself will still use whichever cores it likes and I doubt they’re going to do anything about that.
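The two workarounds in this thread (pinning an Incus instance with limits.cpu=0-1 and restricting a Docker container with a compose cpuset) only help if the two core sets do not overlap. The script below is an added example, not from this thread or from TrueNAS: it expands both cpuset lists and reports any shared cores. It assumes the docker and incus CLIs for the live lookups; the constructed sample uses cpuset: "2-3" for Docker and limits.cpu=0-1 for Incus.

```shell
#!/bin/sh
# Expand a cpuset list ("0,1", "0-1", "0-3,6") into sorted, de-duplicated,
# space-separated core numbers. Returns 1 if the syntax is not a cpuset list.
expand_cpuset() {
  printf '%s' "$1" | grep -Eq '^[0-9]+(-[0-9]+)?(,[0-9]+(-[0-9]+)?)*$' ||
    { echo "invalid cpuset list: '$1'" >&2; return 1; }
  echo "$1" | tr ',' '\n' | while IFS= read -r part; do
    case "$part" in
      *-*) i=${part%-*}; hi=${part#*-}
           while [ "$i" -le "$hi" ]; do echo "$i"; i=$((i + 1)); done ;;
      *)   echo "$part" ;;
    esac
  done | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# Print the cores present in both lists; empty output means the sets are disjoint.
cpuset_overlap() {
  b=" $(expand_cpuset "$2") " || return 1
  a=$(expand_cpuset "$1") || return 1
  out=""
  for c in $a; do
    case "$b" in *" $c "*) out="$out$c " ;; esac
  done
  printf '%s\n' "${out% }"
}

# Exit 0 when the Docker set and the Incus set share no core, 1 otherwise.
check_disjoint() {
  ov=$(cpuset_overlap "$1" "$2") || return 1
  if [ -n "$ov" ]; then
    echo "conflict: cores $ov are in both Docker cpuset '$1' and Incus limits.cpu '$2'" >&2
    return 1
  fi
  echo "ok: Docker '$1' and Incus '$2' are disjoint"
}

# Live lookups. Docker returns "" when no cpuset is set (container may use every
# core); an Incus limits.cpu with no ',' or '-' is a core count, not a pinning.
# Both are rejected so the check never reports a false "ok".
docker_cpuset() { docker inspect --format '{{.HostConfig.CpusetCpus}}' "$1"; }
incus_cpuset() {
  v=$(incus config get "$1" limits.cpu)
  case "$v" in *[,-]*) echo "$v" ;; *) echo "limits.cpu='$v' is not a pinning" >&2; return 1 ;; esac
}

# Usage: sh check-cpusets.sh <docker-container> <incus-instance>; with no
# arguments it checks a constructed sample (compose cpuset: "2-3", limits.cpu=0-1).
if [ "$#" -eq 2 ]; then check_disjoint "$(docker_cpuset "$1")" "$(incus_cpuset "$2")"
else check_disjoint "2-3" "0-1"; fi
```

The parsing functions accept exactly the list syntax both Docker's cpuset and Incus's limits.cpu pinning use, so the same check works on values read from a compose file or from the live CLIs.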

Thanks in any case for the suggestions, and I always find it great to hear other views or options. And I know my suggestion is definitely just a little annoying topic.

It is of course also possible to customize everything manually. TrueNAS is currently placing a lot of emphasis on building a better virtualization and container environment. I think that would be a useful addition to better isolate the various new workloads from each other.

I am not disagreeing with you, I just tried to correct you wrt. restricting VMs to specific cores and offer a workaround for Docker containers while waiting if/when TrueNAS devs implement the feature officially. I am in no way dismissing your concerns or idea itself.