5.18 Ensure that the default ulimit is overwritten at runtime if needed

Information

The default ulimit is set at the Docker daemon level. However, if you need to, you may override the default ulimit setting during container runtime.

Rationale:

ulimit provides control over the resources available to the shell and to processes started by it. Setting system resource limits in a prudent fashion, protects against denial of service conditions. On occasion, legitimate users and processes can accidentally overuse system resources and cause systems be degraded or even unresponsive.

The default ulimit set at the Docker daemon level should be honored. If the default ulimit settings are not appropriate for a particular container instance, you may override them as an exception, but this should not be done routinely. If many of your container instances are exceeding your ulimit settings, you should consider changing the default settings to something that is more appropriate for your needs.

Impact:

If ulimits are not set correctly, overutilization by individual containers could make the host system unusable.

Solution

You should only override the default ulimit settings if needed in a specific case.
For example, to override default ulimit settings start a container as below:

docker run -ti -d --ulimit nofile=1024:1024 centos sleep 1000

Default Value:

Container instances inherit the default ulimit settings set at the Docker daemon level.

See Also

https://workbench.cisecurity.org/files/3353

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4, CSCv6|18, CSCv7|5.2

Plugin: Unix

Control ID: ef6733bbc46ef28f00490e411e65e3c30f5566af34dfa22d21baa6c3a40c9b6a