turbot/docker_compliance

Control: 5.15 Ensure that the 'on-failure' container restart policy is set to '5'

Description

By using the --restart flag in the docker run command you can specify a restart policy for how a container should or should not be restarted on exit. You should choose the on-failure restart policy and limit the restart attempts to 5.

If you indefinitely keep trying to start the container, it could possibly lead to a denial of service on the host. It could be an easy way to do a distributed denial of service attack especially if you have many containers on the same host. Additionally, ignoring the exit status of the container and always attempting to restart the container, leads to non-investigation of the root cause behind containers getting terminated. If a container gets terminated, you should investigate on the reason behind it instead of just attempting to restart it indefinitely. You should use the on-failure restart policy to limit the number of container restarts to a maximum of 5 attempts.

Remediation

If you wish a container to be automatically restarted, a sample command is as below:

docker run --detach --restart=on-failure:5 nginx

Default Value

By default, containers are not configured with restart policies.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_5_15

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_5_15 --share

SQL

This control uses a named query:

docker_container_restart_policy_on_failure

Tags