Container sprawl is avoided
Description
You should not keep a large number of containers on the same host.
Rationale
The flexibility of containers makes it easy to run multiple instances of applications and therefore indirectly leads to Docker images that can exist at varying security patch levels. It also means that you are consuming host resources that otherwise could have been used for running ‘useful’ containers. Having more than just an essential number of containers on a particular host makes the system vulnerable to mishandling, misconfiguration and fragmentation. You should therefore keep the number of containers on a given host to the minimum number commensurate with serving production applications.
Audit
Find the total number of containers you have on the host:
docker info --format '{{ .Containers }}'
Execute the commands below to find the total number of containers that are actually running or in the stopped state on the host.
docker info --format '{{ .ContainersStopped }}'
docker info --format '{{ .ContainersRunning }}'
If the difference between the number of containers stopped on the host and the containers actually running is excessive, you may be suffering from “Container sprawl” and should review the unused containers for potential deletion.
You should periodically check your container inventory on each host and clean up containers which are not in active use with the command below:
docker container prune
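An added audit helper that is not part of the benchmark text: it turns the three docker info counters above into a verdict and lists the exited containers a reviewer would inspect before pruning. The stopped-to-running ratio threshold (default 2) is an assumed local policy, not a benchmark value; the function names are assumptions and audit_host/list_prune_candidates need the docker CLI on the host.

```shell
#!/bin/sh
# Added example for the container-sprawl audit; not benchmark or Docker project code.

# Prints OK, SPRAWL or INCONSISTENT for the given counters.
#   $1 total  $2 stopped  $3 running  $4 allowed stopped:running ratio (assumed policy, default 2)
sprawl_verdict() {
  total=$1; stopped=$2; running=$3; max_ratio=${4:-2}
  # .Containers also counts paused containers, so it can never be below stopped+running;
  # if it is, the numbers came from different points in time and should be re-read.
  [ "$total" -lt $((stopped + running)) ] && { echo "INCONSISTENT"; return 0; }
  # Stopped containers with nothing running is the clearest sprawl signal.
  [ "$running" -eq 0 ] && [ "$stopped" -gt 0 ] && { echo "SPRAWL"; return 0; }
  # Otherwise flag when stopped containers outnumber running ones by more than the ratio.
  [ "$stopped" -gt $((running * max_ratio)) ] && { echo "SPRAWL"; return 0; }
  echo "OK"
}

# Reads the counters from the local daemon in one call so they are mutually consistent.
audit_host() {
  counts=$(docker info --format '{{ .Containers }} {{ .ContainersStopped }} {{ .ContainersRunning }}') || return 1
  # shellcheck disable=SC2086
  set -- $counts "${1:-2}"
  echo "total=$1 stopped=$2 running=$3 verdict=$(sprawl_verdict "$1" "$2" "$3" "$4")"
}

# Lists exited containers with image and age so they can be reviewed before
# "docker container prune" removes them.
list_prune_candidates() {
  docker ps -a --filter status=exited --format 'table {{.ID}}\t{{.Names}}\t{{.Image}}\t{{.Status}}'
}

# Run the audit only when executed directly under this (assumed) file name, not when sourced.
if [ "${0##*/}" = "container_sprawl_audit.sh" ]; then
  audit_host "$@"
  list_prune_candidates
fi
```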
Impact
Retain containers that are actively in use, and delete ones which are no longer needed.
Default value
By default, Docker does not restrict the number of containers you may have on a host.
References
- https://zeltser.com/security-risks-and-benefits-of-docker-application/
- http://searchsdn.techtarget.com/feature/Docker-networking-How-Linux-containers-will-change-your-network
CIS controls
Version 6
18 Application Software Security