Control: 5.11 Ensure that the memory usage for containers is limited
Description
By default, all containers on a Docker host share resources equally. By using the resource management capabilities of the Docker host, you can control the amount of memory that a container is able to use.
By default a container can use all of the memory on the host. You can use memory limit mechanisms to prevent a denial of service occurring where one container consumes all of the host’s resources and other containers on the same host are therefore not able to function. Having no limit on memory usage can lead to issues where one container can easily make the whole system unstable and as a result unusable.
Remediation
You should run the container with only as much memory as it requires by using the --memory argument. For example, you could run a container using the command below:
docker run -d --memory 256m centos sleep 1000
In the example above, the container is started with a memory limit of 256 MB. Verify the memory settings by using the command below:
docker inspect --format='{{ .Id }}: Memory={{.HostConfig.Memory}} KernelMemory={{.HostConfig.KernelMemory}} Swap={{.HostConfig.MemorySwap}}' <CONTAINER ID>
Default Value
By default, all containers on a Docker host share their resources equally and no memory limits are enforced.
Usage
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_5_11
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run docker_compliance.control.cis_v160_5_11 --share
SQL
This control uses a named query:
docker_container_memory_usage_limit