Control: 2.11 Ensure base device size is not changed until needed
Description
Under certain circumstances, you might need containers larger than 10G. Where this applies you should carefully choose the base device size.
The base device size can be increased on daemon restart. Increasing the base device size allows all future images and containers to be of the new base device size. A user can use this option to expand the base device size, however shrinking is not permitted. This value affects the system wide “base” empty filesystem that may already be initialized and therefore inherited by pulled images.
Although the file system does not allocate the increased size as long as it is empty, more space will be allocated for extra images. This may cause a denial of service condition if the allocated partition becomes full.
Remediation
Do not set --storage-opt dm.basesize
until needed.
Default Value
The default base device size is 10G.
Usage
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_2_11
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run docker_compliance.control.cis_v160_2_11 --share
SQL
This control uses a named query:
exec_base_device_size_changed