Profile Applicability:
Level 1
Description:
The ulimit settings cap the resources available to a user or process, including the number of open file descriptors and the number of processes that may be created. Ensuring the appropriate ulimit settings for Docker helps prevent containers from consuming excessive system resources, which can lead to performance degradation or denial-of-service (DoS) conditions.
Rationale:
Docker containers can create multiple processes, and without proper ulimit settings, they may exhaust system resources, leading to container crashes or system instability. Configuring ulimit ensures that containers do not consume more resources than they should.
Impact:
Pros:
Protects the system from resource exhaustion by limiting the number of processes and file descriptors.
Helps ensure that containers operate within acceptable resource boundaries, preventing crashes.
Cons:
Misconfigured ulimit values could result in containers not having sufficient resources to run, causing service disruptions.
Default Value:
Docker containers run with default ulimit values, which may not be appropriate for all workloads.
Pre-requisites:
Administrative privileges on the Docker host system.
Understanding of the system's resource requirements and the ulimit settings.
Remediation:
Test Plan:
Using AWS Console:
Log in to the EC2 instance running Docker.
Verify the current ulimit settings for the Docker daemon:
ulimit -a
docker info | grep "Default ulimit"
Using AWS CLI:
Connect to the EC2 instance where Docker is running.
Run the following commands to verify the ulimit settings:
ulimit -a
docker info | grep "Default ulimit"
Implementation Plan:
Using AWS Console:
Log in to the EC2 instance.
Create or edit the systemd drop-in file /etc/systemd/system/docker.service.d/override.conf so that the Docker daemon starts with the appropriate ulimit values:
[Service]
LimitNOFILE=65536
LimitNPROC=4096
Reload the systemd configuration:
sudo systemctl daemon-reload
Restart Docker:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to modify the ulimit settings and restart Docker:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["mkdir -p /etc/systemd/system/docker.service.d && printf \"[Service]\\nLimitNOFILE=65536\\nLimitNPROC=4096\\n\" > /etc/systemd/system/docker.service.d/override.conf && sudo systemctl daemon-reload && sudo systemctl restart docker"]'
Backout Plan:
Using AWS Console:
Log in to the EC2 instance.
Revert the ulimit settings by editing /etc/systemd/system/docker.service.d/override.conf and removing the limits or setting them back to the original values.
Reload systemd:
sudo systemctl daemon-reload
Restart Docker:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to revert the ulimit settings and restart Docker:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["mkdir -p /etc/systemd/system/docker.service.d && printf \"[Service]\\nLimitNOFILE=1024\\nLimitNPROC=1024\\n\" > /etc/systemd/system/docker.service.d/override.conf && sudo systemctl daemon-reload && sudo systemctl restart docker"]'
References:
CIS Docker Benchmark