Limit number of processes started inside docker container

docker pam
Gregory Kalabin picture Gregory Kalabin · Jan 30, 2015 · Viewed 7.5k times · Source

I'm trying to minimize damage made by fork bombs inside of a docker container.

I'm using pam_limits and /etc/security/limits.conf file is

1000:1128 hard nproc 40
1000:1128 soft nproc 40

This means that any user with id in range [1000..1128] can have up to 40 processes. This works fine if I run forkbomb in shell by user with such id.

But when I run fork bomb inside a docker container these limits are not being applied, so when I run command

# docker run -u 1000 ubuntu bash -c ":() { : | : & }; :; while [[ true ]]; do sleep 1; done"

I have as much processes as possible and all these processes belong to user with id=1000.

What's wrong? How can I fix it?

Answer

BMitch picture BMitch · Jul 28, 2018

When running a container, there is an option to limit the number of pids:

--pids-limit: Tune container pids limit (set -1 for unlimited)

The command would be:

docker container run --pids-limit 100 your-image

Reference: https://docs.docker.com/engine/reference/commandline/run/#options

Related questions

How to get a Docker container's IP address from the host

Is there a command I can run to get the container's IP address right from the host after a new container is created? Basically, once Docker creates the container, I want to roll my own code deployment and container configuration …

Read More
How to copy files from host to Docker container?

I am trying to build a backup and restore solution for the Docker containers that we work with. I have Docker base image that I have created, ubuntu:base, and do not want have to rebuild it each time with …

Read More
How do I get into a Docker container's shell?

I'm getting started working with Docker. I'm using the WordPress base image and docker-compose. I'm trying to ssh into one of the containers to inspect the files/directories that were created during the initial build. I tried to run docker-compose …

Read More