turbot/docker_compliance

Control: 5.11 Ensure that the memory usage for containers is limited

Description

By default, all containers on a Docker host share resources equally. By using the resource management capabilities of the Docker host, you can control the amount of memory that a container is able to use.

By default a container can use all of the memory on the host. You can use memory limit mechanisms to prevent a denial of service occurring where one container consumes all of the host’s resources and other containers on the same host are therefore not able to function. Having no limit on memory usage can lead to issues where one container can easily make the whole system unstable and as a result unusable.

Remediation

You should run the container with only as much memory as it requires by using the --memory argument. For example, you could run a container using the command below:

docker run -d --memory 256m centos sleep 1000

In the example above, the container is started with a memory limit of 256 MB. Verify the memory settings by using the command below:

docker inspect --format='{{ .Id }}: Memory={{.HostConfig.Memory}} KernelMemory={{.HostConfig.KernelMemory}} Swap={{.HostConfig.MemorySwap}}' <CONTAINER ID>

Default Value

By default, all containers on a Docker host share their resources equally and no memory limits are enforced.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_5_11

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_5_11 --share

SQL

This control uses a named query:

docker_container_memory_usage_limit

Tags