Profile Applicability:

  • Level 1

Description:

The Docker --restart policy controls whether and how a container is restarted after it exits. Setting it to on-failure:5 restarts the container only when it exits with an error, and at most five times, so a transient fault is recovered from automatically while a persistently crashing container cannot loop forever.

Rationale:

Limiting the number of retries ensures that a container with a persistent fault is not restarted indefinitely; an unbounded restart loop consumes CPU, memory and I/O on the host and can destabilise other workloads running on it.

Impact:

Pros:

  • Reduces the likelihood of containers being stuck in a restart loop.

  • Helps in managing resource utilization by limiting restarts.

Cons:

  • A container that fails more than five times is not restarted again and stays stopped until an operator intervenes, so a monitoring or alerting process should notice the stopped state.

Default Value:

  • By default Docker applies the restart policy no, so a container that exits is not restarted automatically unless a policy is configured.

Pre-requisites:

  • Docker should be installed and running on the host.

  • Administrative privileges to configure Docker container parameters.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance running Docker.
  2. Open a terminal and check the restart policy of each existing container with docker inspect. The format string below prints both the policy name and the retry bound; the expected output is on-failure:5.

    docker inspect --format '{{.HostConfig.RestartPolicy.Name}}:{{.HostConfig.RestartPolicy.MaximumRetryCount}}' container_name


Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.
  2. Run the following command to verify the restart policy and retry bound of a container; the expected output is on-failure:5.

    docker inspect --format '{{.HostConfig.RestartPolicy.Name}}:{{.HostConfig.RestartPolicy.MaximumRetryCount}}' container_name
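The manual check above inspects one container at a time. The script below is an added example for this control (it is not part of the benchmark or of Docker): it reads the full JSON that docker inspect prints, judges every container against the on-failure:5 requirement, and emits a fix command for each non-compliant one. It covers the edge case the Description implies but the name-only check misses: a policy of on-failure with MaximumRetryCount 0 means retry without limit, which is exactly the loop this control is meant to prevent. Assumptions: a retry bound between 1 and 5 is accepted as compliant (tighten the comparison to == 5 if you want the exact value), the container names and IDs in SAMPLE_INSPECT are constructed, and the docker update --restart command used for remediation is the standard CLI way to change the policy of an existing container without recreating it.

```python
"""Audit the restart policy of every container reported by `docker inspect`.

Added example for this control; not part of the benchmark or of Docker. It
parses the JSON that `docker inspect` prints and flags any container whose
policy is not on-failure with a bounded retry count.
"""
import json
import subprocess
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

EXPECTED_POLICY = "on-failure"
MAX_RETRIES = 5  # the bound this control recommends (on-failure:5)


@dataclass
class Finding:
    container: str
    compliant: bool
    reason: str


def evaluate_restart_policy(host_config: Dict, max_retries: int = MAX_RETRIES) -> Tuple[bool, str]:
    """Judge one container's HostConfig block; returns (compliant, reason)."""
    policy = host_config.get("RestartPolicy") or {}
    # Older Docker versions report an unset policy as "" rather than "no".
    name = policy.get("Name") or "no"
    count = int(policy.get("MaximumRetryCount") or 0)
    if name != EXPECTED_POLICY:
        return False, f"policy is '{name}', expected '{EXPECTED_POLICY}:{max_retries}'"
    # For on-failure, MaximumRetryCount 0 means "retry without limit": the
    # restart loop this control exists to prevent (assumption: 1..max_retries passes).
    if count < 1 or count > max_retries:
        return False, f"on-failure retry count is {count}, expected 1..{max_retries}"
    return True, f"{EXPECTED_POLICY}:{count}"


def audit(inspect_json: str, max_retries: int = MAX_RETRIES) -> List[Finding]:
    """Parse the JSON array printed by `docker inspect`; one Finding per container."""
    findings = []
    for container in json.loads(inspect_json):
        # docker inspect reports names with a leading slash, e.g. "/web".
        name = container.get("Name", "").lstrip("/") or container.get("Id", "")[:12]
        ok, reason = evaluate_restart_policy(container.get("HostConfig") or {}, max_retries)
        findings.append(Finding(name, ok, reason))
    return findings


def remediation_command(container: str, max_retries: int = MAX_RETRIES) -> str:
    """`docker update --restart` changes an existing container's policy in place."""
    return f"docker update --restart {EXPECTED_POLICY}:{max_retries} {container}"


def inspect_all_containers() -> str:
    """Collect `docker inspect` JSON for every container on this host (needs the Docker CLI)."""
    ids = subprocess.run(["docker", "ps", "-aq"], check=True,
                         capture_output=True, text=True).stdout.split()
    if not ids:
        return "[]"
    return subprocess.run(["docker", "inspect", *ids], check=True,
                          capture_output=True, text=True).stdout


# Constructed sample of `docker inspect` output (IDs and names are made up),
# trimmed to the fields the audit reads.
SAMPLE_INSPECT = json.dumps([
    {"Id": "a1b2c3d4e5f6a1b2", "Name": "/web",
     "HostConfig": {"RestartPolicy": {"Name": "always", "MaximumRetryCount": 0}}},
    {"Id": "b2c3d4e5f6a1b2c3", "Name": "/worker",
     "HostConfig": {"RestartPolicy": {"Name": "on-failure", "MaximumRetryCount": 5}}},
    {"Id": "c3d4e5f6a1b2c3d4", "Name": "/batch",
     "HostConfig": {"RestartPolicy": {"Name": "on-failure", "MaximumRetryCount": 0}}},
    {"Id": "d4e5f6a1b2c3d4e5", "Name": "/legacy",
     "HostConfig": {"RestartPolicy": {"Name": "", "MaximumRetryCount": 0}}},
])


if __name__ == "__main__":
    # Pass --live on a Docker host to audit real containers; otherwise the sample is used.
    data = inspect_all_containers() if "--live" in sys.argv else SAMPLE_INSPECT
    for f in audit(data):
        print(f"{'PASS' if f.compliant else 'FAIL'} {f.container}: {f.reason}")
        if not f.compliant:
            print(f"     fix: {remediation_command(f.container)}")
```

Run without arguments to see the sample verdicts (web, batch and legacy fail; worker passes); run with --live on the EC2 instance, or through SSM in the same way as the commands in this control, to audit the host's real containers. Because the script only reads docker inspect output, it can be wrapped in an AWS-RunShellScript document and its FAIL lines collected centrally.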


Implementation Plan:

Using AWS Console:

  • Log in to the EC2 instance.

  • When running or creating a container, specify the --restart on-failure:5 option:

    docker run --restart on-failure:5 <image_name>


Using AWS CLI:

  1. Use SSM to remotely start a container with the --restart on-failure:5 policy.

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --restart on-failure:5 <image_name>"]'


Backout Plan:

Using AWS Console:

  • Connect to the EC2 instance.

  • Stop and remove the container.

    docker stop container_name
    docker rm container_name


Using AWS CLI:

  1. Use SSM to stop and remove the container remotely.

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker stop container_name && docker rm container_name"]'


References:

  1. CIS Docker Benchmark v1.7
  2. Docker Documentation: https://docs.docker.com/