This document explains how to prevent Incus containers from consuming all host resources by applying CPU, memory and process limits using profiles.
Containers share the host kernel. Without limits, any container process (for example ffmpeg in PeerTube) can use all available CPU cores and memory.
Using Incus profiles allows applying resource policies to many containers at once.
Inspect Current Container Limits
Check a container configuration:
incus config show peertube --expanded
If no limits.* keys are present, the container can use all host resources.
Inspect Default Profile
incus profile show default
Profiles define default configuration shared by multiple containers.
Example output may list many containers under used_by.
Setting Global Limits in the Default Profile
Example configuration:
incus profile set default limits.cpu 4
incus profile set default limits.memory 8GiB
incus profile set default limits.memory.swap false
incus profile set default limits.processes 4096
incus profile set default limits.disk.priority 5
All containers using the default profile inherit these limits automatically.
Verify Limits
incus profile show default
Example result:
limits.cpu: 4
limits.memory: 8GiB
limits.memory.swap: "false"
limits.processes: "4096"
limits.disk.priority: "5"
Profile Hierarchy
Incus applies configuration in this order:
container config > profile config
Container settings override profile limits.
Recommended Architecture (Profiles per Workload)
Instead of modifying default, create workload profiles.
App Profile (small services)
incus profile create app
incus profile set app limits.cpu 2
incus profile set app limits.memory 4GiB
incus profile set app limits.memory.swap false
incus profile set app limits.processes 2048
Typical services:
- gitea
- drupal
- matrix
- monitoring
Heavy Profile (compute workloads)
incus profile create heavy
incus profile set heavy limits.cpu 8
incus profile set heavy limits.memory 16GiB
incus profile set heavy limits.memory.swap false
incus profile set heavy limits.processes 4096
Typical services:
- peertube
- nextcloud
- game servers
Attach Profiles to Containers
Example:
incus profile add peertube heavy
incus profile add games heavy
incus profile add nc2 heavy
incus profile add gitea app
incus profile add drupal10 app
incus profile add matrix app
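The check from "Inspect Current Container Limits", automated as an added example (not part of the original page): it parses the output of incus config show NAME --expanded and reports which of limits.cpu, limits.memory and limits.processes are still missing once profiles are attached. The required-key list, the function names and the sample YAML are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag instances whose expanded config lacks the limits set above.
# Assumption: these three keys are the required baseline for every instance.
REQUIRED_KEYS="limits.cpu limits.memory limits.processes"

# Reads `incus config show NAME --expanded` YAML on stdin and prints the required
# keys missing from its config: section (empty output means all are present).
missing_limits() {
    awk -v keys="$REQUIRED_KEYS" '
        BEGIN { n = split(keys, want, " ") }
        /^[A-Za-z_]+:/ { section = $1; next }   # top-level key such as config:
        section == "config:" && /^  [A-Za-z0-9_.]+:/ {   # two-space indented entry
            k = $0; sub(/^  /, "", k); v = k
            sub(/:.*/, "", k)                   # exact key, so limits.memory.swap
            sub(/^[^:]*:[ \t]*/, "", v)         # never stands in for limits.memory
            gsub(/"/, "", v)
            if (v != "") seen[k] = 1            # an empty value counts as unset
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) out = out (out == "" ? "" : " ") want[i]
            print out
        }'
}

# Constructed sample: swap policy set, but no CPU, memory or process limit.
sample_unlimited() {
    cat <<'EOF'
config:
  image.os: Debian
  limits.memory.swap: "false"
devices:
  root:
    path: /
    type: disk
profiles:
- default
EOF
}

# Live check (needs the incus client): one line per instance that has gaps.
audit_all() {
    incus list --format csv --columns n | while IFS= read -r name; do
        miss=$(incus config show "$name" --expanded | missing_limits)
        if [ -n "$miss" ]; then printf '%s: missing %s\n' "$name" "$miss"; fi
    done
}

if [ "${1:-}" = "--all" ]; then audit_all; else sample_unlimited | missing_limits; fi
```

Run it with --all on the host to audit every instance; with no argument it only checks the embedded sample.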
Monitoring Container Usage
incus top
Example output:
INSTANCE CPU% MEMORY
peertube 680 12GB
matrix 20 300MB
High CPU values indicate multi-core usage.
PeerTube Specific Note
PeerTube uses ffmpeg for transcoding. ffmpeg will use all CPU cores unless limited.
Recommended configuration in PeerTube:
/var/www/peertube/config/production.yaml
transcoding:
  threads: 2
This prevents ffmpeg from consuming the entire host CPU.
Storage Mapping Best Practice
Mount video storage from the host instead of storing inside the container root filesystem.
Example device mapping:
source: /mnt/raid1/peertube-media
path: /var/www/peertube/storage
This avoids overlay filesystem overhead and improves large file performance.
Summary
Key recommendations:
- Always apply CPU and memory limits
- Use profiles to enforce policies
- Separate heavy workloads from small services
- Monitor containers with incus top
- Limit ffmpeg threads for PeerTube