Default ulimit is overwritten at runtime if needed

docker

Classification:

compliance

Framework:

cis-docker

Control:

5.18

Set up the docker integration.

Description

The default ulimit is set at the Docker daemon level. However, if you need to, you may override the default ulimit setting during container runtime.

Rationale

ulimit provides control over the resources available to the shell and to processes started by it (open file descriptors, process counts, core file size, and so on). Setting system resource limits prudently protects against denial of service conditions: on occasion, legitimate users and processes accidentally overuse system resources and leave a system degraded or even unresponsive. The default ulimit set at the Docker daemon level should be honored. If the default ulimit settings are not appropriate for a particular container instance, you may override them as a documented exception, but this should not be done routinely. If many of your container instances need to exceed the daemon defaults, change the defaults themselves to something more appropriate for your workloads rather than accumulating per-container overrides.

Audit

Run this command:

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Ulimits={{ .HostConfig.Ulimits }}'

For every container that inherits the daemon default, this prints Ulimits=<no value> (on recent Docker versions the empty list prints as Ulimits=[]). Any other value is an explicit per-container override and should correspond to a documented, case-specific exception.
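The following is an added example, not part of the CIS benchmark or of this page, showing how the audit output above can be checked automatically. The audit_ulimits function reads "<id>: Ulimits=<value>" lines in the exact format produced by the docker inspect command (in real use, pipe that command into it) and reports every container that overrides the daemon default. The sample lines at the bottom are constructed for the demonstration; the container IDs are placeholders.

```shell
#!/bin/sh
# Added example for CIS Docker 5.18 (not the benchmark's or Datadog's own code).
# Expected input: one line per container, as produced by
#   docker ps --quiet --all | xargs docker inspect \
#       --format '{{ .Id }}: Ulimits={{ .HostConfig.Ulimits }}'
# Containers inheriting the daemon default show "<no value>" (older Docker)
# or "[]" (newer Docker); anything else is an explicit per-container override.

# audit_ulimits: read inspect lines from stdin, print "<id> <ulimits>" for each
# container carrying an override; return 1 if any override was found, else 0.
audit_ulimits() {
    found=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        id=${line%%:*}             # text before the first ':' is the container ID
        value=${line#*Ulimits=}    # text after 'Ulimits=' is the template output
        case "$value" in
            '<no value>'|'[]'|'') ;;   # inherits the daemon default: compliant
            *) printf '%s %s\n' "$id" "$value"; found=1 ;;
        esac
    done
    return $found
}

# count_overrides: number of containers with an explicit override (0 when compliant).
count_overrides() {
    audit_ulimits | wc -l | tr -d ' '
}

# Constructed sample of inspect output; the IDs are placeholders, not real containers.
SAMPLE_INSPECT='3f1a2b4c5d6e: Ulimits=<no value>
a9b8c7d6e5f4: Ulimits=[nofile=1024:1024]
0123456789ab: Ulimits=[]'

# Demo run. Replace the printf with the real docker ps | xargs docker inspect pipeline.
printf '%s\n' "$SAMPLE_INSPECT" | audit_ulimits \
    || echo "override(s) found: confirm each is a documented exception"
```

If the audit keeps flagging the same override on many containers, the right fix is to raise the daemon default instead, via the default-ulimits key in /etc/docker/daemon.json, and then drop the per-container --ulimit flags.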

Remediation

Only override the default ulimit settings when a specific case requires it, and record the reason. Overrides are passed at container start with --ulimit <type>=<soft>:<hard>. For example, to cap open file descriptors at a soft and hard limit of 1024 for a single container:

docker run --ulimit nofile=1024:1024 --interactive --tty centos /bin/bash

Impact

If ulimits are not set correctly, overutilization by individual containers could make the host system unusable.

Default value

Container instances inherit the default ulimit settings set at the Docker daemon level.

References

  1. https://docs.docker.com/engine/reference/commandline/run/#set-ulimits-in-container-ulimit

CIS controls

Version 6

18 Application Software Security