CIS Docker 1.12.0 V1.0.0 L1 Docker

Set default ulimit as appropriate – default-ulimit

Details

Set the default ulimit options as appropriate in your environment.

ulimit provides control over the resources available to the shell and to the processes it starts. Setting system resource limits judiciously saves you from many disasters, such as a fork bomb. Sometimes even friendly users and legitimate processes can overuse system resources and in turn make the system unusable.

Setting a default ulimit for the Docker daemon enforces that ulimit for all container instances, so you do not need to set up a ulimit for each container individually. However, the default ulimit can be overridden at container runtime if needed. Hence, to control system resources, define a default ulimit as needed in your environment.

Solution

Run Docker in daemon mode and pass --default-ulimit as an argument, with the respective ulimits set as appropriate for your environment. Each value has the form NAME=SOFT:HARD. For example:

dockerd --default-ulimit nproc=1024:2408 --default-ulimit nofile=100:200

Impact

If the ulimits are not set properly, the desired resource control might not be achieved and the system might even become unusable.

Default Value

By default, no ulimit is set.
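The audit side of this control is working out which default ulimits a given dockerd actually enforces. The following helper is an added example, not part of the CIS benchmark text: it parses --default-ulimit flags from a dockerd command line and the "default-ulimits" object from daemon.json (a documented dockerd key, assumed here), merges them, and lists the limits the control expects but that are still unset. The sample command lines and JSON in the test are constructed.

```python
import json
import re
import shlex

# --default-ulimit NAME=SOFT[:HARD]; a missing HARD means hard == soft (dockerd behaviour).
_ULIMIT_RE = re.compile(r"^([a-z]+)=(-?\d+)(?::(-?\d+))?$")


def parse_flag_ulimits(cmdline):
    """Return {name: (soft, hard)} for every --default-ulimit on a dockerd command line."""
    argv = shlex.split(cmdline)
    limits = {}
    i = 0
    while i < len(argv):
        value = None
        if argv[i] == "--default-ulimit" and i + 1 < len(argv):
            value = argv[i + 1]
            i += 1
        elif argv[i].startswith("--default-ulimit="):
            value = argv[i].split("=", 1)[1]
        if value is not None:
            m = _ULIMIT_RE.match(value)
            if not m:
                raise ValueError("malformed --default-ulimit %r (want NAME=SOFT:HARD)" % value)
            soft = int(m.group(2))
            hard = int(m.group(3)) if m.group(3) is not None else soft
            limits[m.group(1)] = (soft, hard)
        i += 1
    return limits


def parse_daemon_json_ulimits(text):
    """Return {name: (soft, hard)} from the "default-ulimits" object in daemon.json content."""
    cfg = json.loads(text) if text.strip() else {}
    return {name: (int(spec["Soft"]), int(spec["Hard"]))
            for name, spec in cfg.get("default-ulimits", {}).items()}


def effective_default_ulimits(cmdline, daemon_json_text):
    """Merge both sources. dockerd refuses to start when an option is given both as a
    flag and in daemon.json, so the audit reports that instead of guessing a winner."""
    flags = parse_flag_ulimits(cmdline)
    from_file = parse_daemon_json_ulimits(daemon_json_text)
    if flags and from_file:
        raise ValueError("default ulimits set both as flag and in daemon.json; dockerd rejects this")
    return {**from_file, **flags}


def missing_ulimits(limits, required=("nproc", "nofile")):
    """Names in `required` (the two the benchmark example sets) with no default ulimit."""
    return [name for name in required if name not in limits]
```

In practice the command line comes from the running dockerd process (for example via ps) and the JSON from /etc/docker/daemon.json; an empty result from missing_ulimits means the control is satisfied for the listed resources.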

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Unix.


Updated on July 16, 2022