Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Limit number of processes started inside docker container

Tags:

docker

pam

I'm trying to minimize damage made by fork bombs inside of a docker container.

I'm using pam_limits and /etc/security/limits.conf file is

1000:1128 hard nproc 40
1000:1128 soft nproc 40

This means that any user with id in range [1000..1128] can have up to 40 processes. This works fine if I run forkbomb in shell by user with such id.

But when I run fork bomb inside a docker container these limits are not being applied, so when I run command

# docker run -u 1000 ubuntu bash -c ":() { : | : & }; :; while [[ true ]]; do sleep 1; done"

I have as much processes as possible and all these processes belong to user with id=1000.

What's wrong? How can I fix it?

like image 544
Gregory Kalabin Avatar asked Jan 30 '15 14:01

Gregory Kalabin

People also ask

How many processes can run in a Docker container?

Container-based application design encourages certain principles. One of these principles is that there should just be one process running in a container. That is to say, a Docker container should have just one program running inside it. Docker is efficient at creating and starting containers.

Can a Docker container have multiple processes?

It's ok to have multiple processes, but to get the most benefit out of Docker, avoid one container being responsible for multiple aspects of your overall application. You can connect multiple containers using user-defined networks and shared volumes.

How do I limit the memory of a Docker container?

To limit the maximum amount of memory usage for a container, add the --memory option to the docker run command. Alternatively, you can use the shortcut -m . Within the command, specify how much memory you want to dedicate to that specific container.

Can I limit the file size CPU utilization for a Docker in my machine?

Docker provides ways to control how much memory, or CPU a container can use, setting runtime configuration flags of the docker run command. This section provides details on when you should set such limits and the possible implications of setting them. Consult your operating system's documentation for enabling them.

1 Answers

When running a container, there is an option to limit the number of pids:

--pids-limit: Tune container pids limit (set -1 for unlimited)

The command would be:

docker container run --pids-limit 100 your-image

Reference: https://docs.docker.com/engine/reference/commandline/run/#options

like image 89
BMitch Avatar answered Sep 17 '22 12:09

BMitch
Sign in to Comment

Related questions

Web development transition from MAMP to Docker
What is a good way to add python dependencies to a Docker container?
Docker container not connecting to https endpoints
How to copy a file to a Docker container before starting/running it?
Deploying a .NET Core Web API using Docker on Elastic Beanstalk
How do I run pycharm within my docker container?
Does a RHEL7 docker container need subscription?
Profiling Java application in kubernetes
docker run, docker exec and logs
Capture the output of a program run in Docker
docker-compose won't use my named volumes
Docker compose and postgres official image environment variables
Dockerize existing Django project
Add plpython3 Extension to Postgres/timescaledb Alpine Docker Image
Speeding up Go builds with go 1.10 build cache in Docker containers
How to setup the VB6 IDE in a Docker container (on Windows)?
Airflow in Docker: how to add DAGs to Airflow?
error: command 'gcc' failed with exit status 1 when installing pip packages on alpine docker image
ssh-agent forwarding into docker-compose environment is not working
How can I setup and deploy a database with Deis (PaaS)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!