Control: 5.19 Ensure that the default ulimit is overwritten at runtime if needed
Description
The default ulimit is set at the Docker daemon level. However, if you need to, you may override the default ulimit setting during container runtime.
ulimit provides control over the resources available to the shell and to processes started by it. Setting system resource limits in a prudent fashion, protects against denial of service conditions. On occasion, legitimate users and processes can accidentally overuse system resources and cause systems be degraded or even unresponsive.
The default ulimit set at the Docker daemon level should be honored. If the default ulimit settings are not appropriate for a particular container instance, you may override them as an exception, but this should not be done routinely. If many of your container instances are exceeding your ulimit settings, you should consider changing the default settings to something that is more appropriate for your needs.
Remediation
You should only override the default ulimit settings if needed in a specific case. For example, to override default ulimit settings start a container as below:
docker run -ti -d --ulimit nofile=1024:1024 centos sleep 1000
Default Value
Container instances inherit the default ulimit settings set at the Docker daemon level.
Usage
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_5_19
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run docker_compliance.control.cis_v160_5_19 --share
SQL
This control uses a named query:
docker_container_default_ulimit