Control: 2.8 Ensure the default ulimit is configured appropriately

Description

Set the default ulimit options as appropriate in your environment.

ulimit provides control over the resources available to the shell and to processes which it starts. Setting system resource limits judiciously can save you from disasters such as a fork bomb. On occasion, even friendly users and legitimate processes can overuse system resources and can make the system unusable. Setting the default ulimit for the Docker daemon enforces the ulimit for all container instances. In this case you would not need to setup ulimit for each container instance. However, the default ulimit can be overridden during container runtime, if needed. Therefore, in order to have proper control over system resources, define a default ulimit as is needed in your environment.

Remediation

Run Docker in daemon mode and pass --default-ulimit as argument with respective ulimits as appropriate in your environment and in line with your security policy. For Example,

dockerd --default-ulimit nproc=1024:2048 --default-ulimit nofile=100:200

Default Value

By default, no ulimit is set.