Profile Applicability:

  • Level 1

Description:

Docker containers should have their ulimit settings explicitly defined wherever the daemon-wide default is not appropriate for the workload. ulimits are per-process kernel resource limits such as the number of open file descriptors (nofile), the number of processes (nproc) or the amount of locked memory (memlock); the --ulimit flag of docker run overrides the daemon's default for a single container at runtime so that the limits match what that container actually needs.

Rationale:

Overriding ulimit settings ensures that a container cannot consume more of a shared, per-process resource (open file descriptors, process count, core file size) than the administrator intends. A misbehaving or compromised container, for example one running a fork bomb or leaking file descriptors, then runs into its own limit before it degrades the host or the other containers on it, and an unexpectedly permissive daemon default is replaced by a limit that is documented per container.

Impact:

Pros:

  • Prevents containers from exceeding resource limits that could affect host stability.

  • Provides fine-grained control over container resource allocation.

Cons:

  • Requires additional configuration and testing to ensure appropriate limits are set for each container.

Default Value:

  • By default, a container inherits the daemon's default ulimits. These are set with the default-ulimits key in /etc/docker/daemon.json (or --default-ulimit on dockerd) and otherwise fall back to the limits of the dockerd process itself; they are not the limits of the user who runs docker run. Nothing is overridden per container unless --ulimit is passed at runtime.

Pre-requisites:

  • Docker must be installed and configured on the host system.

  • Administrative privileges on the host to modify Docker configurations.

Remediation:

Test Plan:

Using AWS Console:

  1. Connect to the EC2 instance running Docker (for example with Session Manager or EC2 Instance Connect from the EC2 console).
  2. Review how containers are started: the docker run commands, Docker Compose files (ulimits: key) or the daemon's default-ulimits in /etc/docker/daemon.json, and confirm that ulimit parameters are set wherever the default is not appropriate.

Using AWS CLI:

  1. Connect to the EC2 instance running Docker.
  2. Run the following command to show the ulimits recorded for a container. The output is null when no --ulimit flag was given, meaning the daemon default applies. Note that the field is spelled Ulimits, so a case-sensitive grep for "ulimit" on the raw docker inspect output matches nothing:
docker inspect --format '{{json .HostConfig.Ulimits}}' <container_id>
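The test plan above checks one container at a time. The following script is an added example, not part of the benchmark text, that walks every running container, reads the same HostConfig.Ulimits field and reports which containers lack an explicit override for a set of required limit names. It assumes the docker CLI is on PATH and that REQUIRED_ULIMITS (an assumed policy knob, defaulting to nofile and nproc) lists the limits every container must override.

```shell
#!/bin/sh
# Audit helper for this check: an added example, not text from the benchmark.
# Assumes the docker CLI is on PATH and the caller may read container metadata.
# REQUIRED_ULIMITS is an assumed policy knob: the limit names every running
# container must override explicitly (default: open files and process count).
REQUIRED_ULIMITS="${REQUIRED_ULIMITS:-nofile nproc}"

# Print the required limit names that are absent from one container's
# `docker inspect --format '{{json .HostConfig.Ulimits}}'` output.
# Docker prints the literal string "null" (or an empty list) when no --ulimit
# flag was given; otherwise each override appears as
# {"Name":"nofile","Hard":2048,"Soft":1024}.
missing_ulimits() {
    json="$1"
    missing=""
    for name in $REQUIRED_ULIMITS; do
        if [ "$json" = "null" ] || [ "$json" = "[]" ] \
           || ! printf '%s' "$json" | grep -q "\"Name\":\"$name\""; then
            missing="$missing $name"
        fi
    done
    # unquoted on purpose: word splitting drops the leading space
    echo $missing
}

# Exit status 0 when every required limit is overridden, 1 otherwise.
has_required_ulimits() {
    [ -z "$(missing_ulimits "$1")" ]
}

# Walk every running container and report PASS/FAIL; non-zero exit if any FAIL.
audit_running_containers() {
    rc=0
    for cid in $(docker ps -q); do
        json=$(docker inspect --format '{{json .HostConfig.Ulimits}}' "$cid")
        missing=$(missing_ulimits "$json")
        if [ -n "$missing" ]; then
            echo "FAIL $cid missing explicit ulimits: $missing"
            rc=1
        else
            echo "PASS $cid $json"
        fi
    done
    return $rc
}

# The audit touches the daemon only when invoked as `sh audit_ulimits.sh --run`,
# so the functions can be sourced or tested without a running Docker.
case "${1:-}" in
    --run) audit_running_containers ;;
esac
```

Run it with `sh audit_ulimits.sh --run` on the instance (for example through an SSM AWS-RunShellScript command); a non-zero exit means at least one running container is relying on the daemon default for a required limit.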


Implementation Plan:

Using AWS Console:

  1. When starting a container, pass the --ulimit flag in the form name=soft:hard (for example --ulimit nofile=1024:2048) to set custom limits. If the hard value is omitted, Docker uses the soft value for both.

Using AWS CLI:

  1. Use the following command to run a container with custom ulimit settings. Note that nproc is enforced by the kernel per user ID across the whole host rather than per container, so size it with every container that runs as that UID (root in most images) in mind:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --ulimit nofile=1024:2048 --ulimit nproc=1000:2000 <image_name>"]'
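The one-line command above is easy to get wrong by hand, and the daemon rejects a soft limit that exceeds the hard limit. The following wrapper is an added example, not a command from the benchmark or from Docker: it validates each name=soft[:hard] spec the way the daemon does (a missing hard value becomes the soft value; soft above hard is refused), starts the container, and reads back the recorded Ulimits so the implementation and the test plan agree on the same field. It assumes the docker CLI is on PATH; the image name and limits are supplied by the caller.

```shell
#!/bin/sh
# Remediation helper: an added example, not a command from the benchmark or from
# Docker. Assumes the docker CLI is on PATH; the image is supplied by the caller.

# Validate one limit spec of the form name=soft[:hard] and print the matching
# --ulimit argument. Two Docker rules are mirrored: a missing hard value is
# taken to be the soft value, and a soft limit above the hard limit is rejected
# (the daemon refuses such a spec, so fail early with a clear message).
# Only non-negative integers are accepted; Docker's -1 (unlimited) is not handled.
ulimit_arg() {
    spec="$1"
    name="${spec%%=*}"
    values="${spec#*=}"
    soft="${values%%:*}"
    case "$values" in
        *:*:*) echo "too many ':' in '$spec'" >&2; return 1 ;;
        *:*)   hard="${values#*:}" ;;
        *)     hard="$soft" ;;        # no hard value given: Docker uses soft for both
    esac
    case "$name" in
        ""|*[!a-z]*) echo "bad limit name in '$spec'" >&2; return 1 ;;
    esac
    case "$soft:$hard" in
        *[!0-9:]*|:*|*:) echo "limits in '$spec' must be non-negative integers" >&2; return 1 ;;
    esac
    if [ "$soft" -gt "$hard" ]; then
        echo "soft limit $soft exceeds hard limit $hard for $name" >&2
        return 1
    fi
    printf '%s %s=%s:%s' '--ulimit' "$name" "$soft" "$hard"
}

# Start a container with explicit overrides and read back what the daemon
# recorded (HostConfig.Ulimits), the same field the test plan inspects.
# Caveat from the Docker docs: nproc is enforced per user ID across the host,
# not per container, so a low nproc also caps other containers running as the
# same UID (root in most images).
run_with_ulimits() {
    image="$1"; shift
    args=""
    for spec in "$@"; do
        arg=$(ulimit_arg "$spec") || return 1
        args="$args $arg"
    done
    # $args is intentionally unquoted so each "--ulimit name=s:h" splits into two words
    cid=$(docker run -d $args "$image") || return 1
    docker inspect --format '{{json .HostConfig.Ulimits}}' "$cid"
}

# Usage: sh run_with_ulimits.sh --run <image_name> nofile=1024:2048 nproc=1000:2000
case "${1:-}" in
    --run) shift; run_with_ulimits "$@" ;;
esac
```

Invoked through SSM as `sh run_with_ulimits.sh --run <image_name> nofile=1024:2048 nproc=1000:2000`, the last line of output is the JSON list of overrides the daemon applied; an invalid spec fails before any container is created.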

Backout Plan:

Using AWS Console:

  1. Modify or remove the --ulimit parameters from the Docker run command or Docker Compose file.
  2. Stop and remove the container, then re-create it from the updated definition. ulimits are fixed when a container is created, so a plain restart does not pick up the change.

Using AWS CLI:

  1. Use SSM to stop and remove the container, then re-create it with the original run command minus the --ulimit flags:
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker stop <container_id> && docker rm <container_id>"]'


References:

  • Docker ulimit Documentation